Let's try the password iiiiiih or hiiiiii, as follows:
To understand network traffic, we need to capture some network packets by using tools such as tcpdump. tcpdump is usually pre-installed in Linux distributions. Open another Terminal and use the following command:
sudo tcpdump -i lo 'port 9999' -w captured.pcap Here's a brief explanation of the parameters used:
-i lo uses the loopback network interface. We have used it here since we plan on accessing the server locally.
'port 9999', with the single quotes, filters only packets that are using port 9999.
-w captured.pcap writes data packets to a PCAP file named captured.pcap.
Once tcpdump listens for data, try connecting to the server by visiting 127.0.0.1:9999 from the browser. If you wish to connect from outside the machine which holds the server, then re-run tcpdump without the -i lo parameter. This uses the default network interface instead. And instead of visiting using 127.0.0.1, you'll have to use the IP address used by the default network interface.
To stop tcpdump, just break it using Ctrl + C.
To view the contents of captured.pcap in human readable form, use the following command:
sudo tcpdump -X -r captured.pcap > captured.log
This command should redirect the the tcpdump output to captured.log. The -X parameter shows the packet data in hexadecimal and ASCII. -r captured.pcap means read from the PCAP file captured.pcap. Opening the captured.log file should look something like the following:
Before we proceed, let's examine some basics on the two most popular network
protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a network transmission in which a communication between a sender and a receiver is established. The communication begins with a 3-way handshake, where the sender sends a SYN flag to the receiver, then the receiver sends back SYN and ACK flags to the sender, and finally, the sender sends an ACK flag to the receiver, opening the start of a
communication. Further exchange of data between the sender and receiver are done in segments. Every segment has a 20-byte TCP header that contains the IP address of the sender and the receiver and any current status flags. This is followed by the size of the data being transmitted and the data itself. UDP uses a shorter header, since it only sends data and doesn't require acknowledgement from the receiver. It is not required, via UDP, to do a 3-way handshake. The primary purpose of UDP is to keep sending data to the receiver.
TCP seems to be more reliable in terms of exchanging data, however. For UDP, sending data is much faster, as there are no overheads required. UDP is commonly used to transmit huge amounts of data via file transmission protocols, while TCP is used to communicate data that requires integrity.
In the preceding screenshot, lines 1 to 15 show a TCP 3-way handshake. The first
connection from the localhost port at 55704 (client) to the localhost port at 9999 (server) is a SYN, denoted in the flags as S. This was responded to by an S. flag, which means SYN and ACK. The last is an ACK denoted by . in the flags. The client port at 55704 is an ephemeral port. An ephemeral port is a system generated port for client connections. The server port at 9999 is fixed in the server program.
In lines 16 to 23, we can see the actual response data from the server to the client. The server sends back a data containing a 55 character data containing the string "You have connected to the Genie. Nothing to see here." and 2 new line (0x0A) characters to the client. The data before the 55 character string is the packet's header containing information about the packet. The packet header, when parsed, is the information described in line 16. The TCP flags are P., which means PUSH and ACK. The information in the packet header structure is
documented in the TCP and UDP specifications. You can start to look for these
specifications at RFC 675, available at https://tools.ietf.org/html/rfc675, and RFC 768, available at https://tools.ietf.org/html/rfc768. To fast-track the process, we can use Wireshark, which will be discussed later, to help us parse through the packet
information.
In lines 24 to 28, FIN and ACK flags, formatted as F., are sent from the server to the client,
A better tool for capturing and viewing this graphically is Wireshark. Previously known as Ethereal, Wireshark has the same capabilities as tcpdump. Wireshark can be manually downloaded and installed from https://www.wireshark.org/. It can also be installed using the following apt command:
sudo apt install wireshark-qt
Capturing network packets requires root privileges in order to access the network interfaces. This is the reason for our use of sudo when running tcpdump. The same goes when using Wireshark. So, to execute Wireshark in Linux, we use the following command:
sudo wireshark
Besides capturing traffic and showing it in real time, you can also open and view PCAP files in Wireshark:
To start capturing, double-click on any from the list of interfaces. This essentially captures from both the default network interface and the loopback interface lo. What you'll see are continuous lines of network traffic packets. Wireshark has a display filter to minimize all the noise we see. For our exercise, in the filter field, enter the following display filter:
tcp.port == 9999
This should only show packets that use the TCP port at 9999. There are more filters you can experiment on. These are documented in Wireshark's manual pages.
Clicking on a packet shows parsed information that gives you a better understanding of the packet fields, as shown in the following screenshot:
Wireshark has a wide-knowledge of standard packets. This makes Wireshark a must-have tool for every analyst.
Summary
In this chapter, our discussions revolved around reverse engineering tools that are already built into Linux systems. Debian-based operating systems, such as Ubuntu, are popular for reverse engineering purposes because of the wide community and tools available. We have focused more on how to analyze Linux' native executable, the ELF file. We started off by using GCC to compile a C program source into an ELF executable. We proceeded to analyze the executable using static info-gathering tools, including ls, file, strings, and objdump. Then we used ltrace and strace to carry out a dynamic analysis. Then we used gdb to debug the program, showing us Intel assembly language syntax.
We also introduced and explored the radare2 toolkit. We used rahash2 and rabin2 to gather static information, and used radare2 for disassembly and debugging in an interactive view. Network analysis tools were not left behind either, as we used tcpdump and Wireshark.
In the information security world, most files to be analyzed are executables based on Microsoft Windows, which we're going to discuss in the next chapter. We may not encounter much analysis of Linux files in the industry, but knowing how to do it will definitely come in handy when the task requires it.
Further reading
The files and sources used in this chapter can be found at https://github.com/
PacktPublishing/Mastering-Reverse-Engineering/tree/master/ch6.
RE for Windows Platforms 7
With Windows being one of the most popular operating systems in the world, most software in the cyber world has been written for it. This includes malware.
This chapter focuses on the analysis of the Windows native executable, the PE file, and evolves directly by doing file analysis, that is, gathering static information and performing dynamic analysis. We will dig deeper into understanding how the PE file behaves with the Windows operating system. The following topics will be covered in this chapter:
Analyzing Windows PE Tools
Static analysis Dynamic analysis
Technical requirements
This chapter requires knowledge of the Windows environment and its administration. The reader should also know how to use commands in Command Prompt. The first portion of this chapter requires the user to have basic knowledge of building and compiling C programs using Visual Studio or similar software.
Hello World
Programs in the Windows environment communicate with the system by using Windows APIs. These APIs are built around the file system, memory management (including
There are many high-level languages used by developers like C, C++, C#, and Visual Basic.
C, C++, and Visual Basic (native) compile to an executable that directly executes
instructions in the x86 language. C# and Visual Basic (p-code) are usually compiled to use interpreters as a layer that turns the p-code into actual x86 instructions. For this chapter, we will focus on executable binaries compiled from C/C++ and assembly language. The goal is to have a better understanding of the behavior of programs that use Windows APIs.
For this chapter, our choice for building C/C++ programs will be the Visual Studio Community edition. Visual Studio is widely used for building Microsoft Windows programs. Given that it is also a product of Microsoft, it already contains the compatible libraries required to compile programs. You can download and install Visual Studio Community edition from https://visualstudio.microsoft.com/downloads/.
These programs are neither harmful nor malicious. The following C programming activities can be done with Visual Studio in a bare metal machine. In case you are planning on
installing Visual Studio in a Windows VM, at the time of writing this book, Visual Studio 2017 Community edition has the following recommended system requirements:
1.8 GHz dual core 4 GB of RAM 130 GB of disk space
These system requirements can be found at https://docs.microsoft.com/en-us/
visualstudio/productinfo/vs2017-system-requirements-vs. You may need to perform some Windows updates and install the .NET framework. This can also be installed from the Windows 7 setup that we previously downloaded from https://developer.microsoft.
com/en-us/microsoft-edge/tools/vms/ . Please visit the Microsoft Visual Studio website for the requirements of newer versions.
There are many Visual Studio alternatives that have minimal requirements like Bloodshed Dev C++, Zeus IDE, and Eclipse. However, some of these IDE may not be up-to-date and/or may need to the compiler and its dependencies to have been properly set up.