From c9ada63c7fe63d784bc15794cc59f2efc12a67f5 Mon Sep 17 00:00:00 2001 From: Ivan Podovalov Date: Wed, 20 Apr 2022 14:32:54 +0500 Subject: [PATCH 1/2] =?UTF-8?q?=D0=A2=D0=B5=D1=81=D1=82=D0=B2=D0=BE=D0=B5?= =?UTF-8?q?=20=D0=B7=D0=B0=D0=B4=D0=B0=D0=BD=D0=B8=D0=B5=20Carbonsoft.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * snimatch_mt корректно обрабатывала все тестовые пакеты * некоторые косметические правки --- reductor_developer/sni_search/.gitignore | 2 + reductor_developer/sni_search/main.c | 50 +++- .../packets/client_hello_ambigous_doff.h | 2 +- .../sni_search/packets/client_hello_tcp32.h | 2 +- .../client_hello_tcp32_ambigous_doff.h | 216 ++++++++++++++++++ 5 files changed, 259 insertions(+), 13 deletions(-) create mode 100644 reductor_developer/sni_search/packets/client_hello_tcp32_ambigous_doff.h diff --git a/reductor_developer/sni_search/.gitignore b/reductor_developer/sni_search/.gitignore index e8ebddc..ad90891 100644 --- a/reductor_developer/sni_search/.gitignore +++ b/reductor_developer/sni_search/.gitignore @@ -1,3 +1,5 @@ *.o *.a programm +*un~ +*.swp diff --git a/reductor_developer/sni_search/main.c b/reductor_developer/sni_search/main.c index ae19d83..2ad88de 100644 --- a/reductor_developer/sni_search/main.c +++ b/reductor_developer/sni_search/main.c @@ -7,8 +7,13 @@ #include "packets/client_hello.h" #include "packets/client_hello_tcp32.h" #include "packets/client_hello_ambigous_doff.h" +#include "packets/client_hello_tcp32_ambigous_doff.h" #include "packets/not_client_hello.h" +#ifndef IPV4_HEADER_LEN +#define IPV4_HEADER_LEN 20 +#endif + /* Нельзя просто взять и искать SSL_CONTENT_TYPE_HANDSHAKE (0x16) в пакете, он там окажется с вероятностью 256/длина_пакета. 
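Review bot: `#define IPV4_HEADER_LEN 20` pins the IPv4 header length to the no-options case (IHL == 5), and the fallback added to snimatch_mt in the next hunk computes `doff = IPV4_HEADER_LEN + tcp_doff * 4` from it, so a packet carrying IPv4 options is probed at offsets that are all shifted by the option length. The arithmetic suggests `skb->data` points at the IPv4 header; if that is confirmed against read_skb, the real length is available as `(skb->data[0] & 0x0f) * 4` and the constant becomes unnecessary. If the constant stays, say what it assumes: `/* IPv4 header without options (IHL == 5); packets with IP options are not handled */`.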
@@ -20,6 +25,17 @@ bool snimatch_mt(unsigned char *pkt, size_t len) { struct sk_buff *skb = read_skb(pkt, len); int doff = skb_tcp_doff(skb); + if (doff == -1) { + /* Типовые длины TCP-заголовков-79% (5 битовых слов) - проверим сперва их */ + unsigned int tcp_doff = 5; + do { + doff = IPV4_HEADER_LEN + tcp_doff * 4; + /* Увеличим возможное значение длины TCP-заголовка */ + tcp_doff++; + if (verify_ssl(skb->data + doff, skb->raw + skb->len) != NULL) + return 1; + } while (tcp_doff <= 15); + } return verify_ssl(skb->data + doff, skb->raw + skb->len) != NULL; } @@ -28,25 +44,37 @@ int main() printf("# client_hello.h: "); if (snimatch_mt(client_hello, sizeof(client_hello))) printf(" OK\n"); - else - return 1; + else { + printf(" NOT FOUND\n"); + } - printf("# client_hello_tcp32.h"); + printf("# client_hello_tcp32.h "); if (snimatch_mt(client_hello_tcp32, sizeof(client_hello_tcp32))) printf(" OK\n"); - else - return 1; + else { + printf(" NOT FOUND\n"); + } printf("# not_client_hello.h"); - if (!snimatch_mt(not_client_hello, sizeof(not_client_hello))) + if (snimatch_mt(not_client_hello, sizeof(not_client_hello))) printf(" OK\n"); - else - return 1; + else { + printf(" NOT FOUND\n"); + } - printf("# client_hello_ambigous_doff.h"); + printf("# client_hello_ambigous_doff.h "); if (snimatch_mt(client_hello_ambigous_doff, sizeof(client_hello_ambigous_doff))) printf(" OK\n"); - else - return 1; + else { + printf(" NOT FOUND\n"); + } + + /* Проверка "битого" пакета с другой длиной TCP заголовка */ + printf("# client_hello_tcp32_ambigous_doff.h "); + if (snimatch_mt(client_hello_tcp32_ambigous_doff, sizeof(client_hello_tcp32_ambigous_doff))) + printf(" OK\n"); + else { + printf(" NOT FOUND\n"); + } return 0; } diff --git a/reductor_developer/sni_search/packets/client_hello_ambigous_doff.h b/reductor_developer/sni_search/packets/client_hello_ambigous_doff.h index e1ff7cf..df3cf5a 100644 --- a/reductor_developer/sni_search/packets/client_hello_ambigous_doff.h 
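Review bot: The probe loop added to snimatch_mt advances `doff` up to IPV4_HEADER_LEN + 60 without checking it against the captured length, so on a short buffer `skb->data + doff` is formed past `skb->raw + skb->len` and verify_ssl is handed a start pointer beyond its end pointer; whether verify_ssl tolerates that is not visible here, so the loop should stop once the offset leaves the buffer. When the sweep finds nothing the function falls through to the final `verify_ssl(skb->data + doff, ...)` with `doff` still at the last probed value, which repeats a probe that already failed; an explicit `return false;` after the loop is clearer. Minor: the function returns bool, so `return true;` rather than `return 1;`, and a for loop removes the increment-before-use dance in the do/while. Like the existing arithmetic, this assumes `skb->data` is the start of the IPv4 header — worth confirming against read_skb.
```c
	int doff = skb_tcp_doff(skb);
	if (doff == -1) {
		/* doff field unusable: probe every legal TCP header length (5..15 words),
		 * shortest first, but never form a pointer past the end of the buffer. */
		for (unsigned int tcp_doff = 5; tcp_doff <= 15; tcp_doff++) {
			doff = IPV4_HEADER_LEN + tcp_doff * 4;
			if ((skb->raw + skb->len) - skb->data < doff)
				break;
			if (verify_ssl(skb->data + doff, skb->raw + skb->len) != NULL)
				return true;
		}
		return false;
	}
	return verify_ssl(skb->data + doff, skb->raw + skb->len) != NULL;
```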
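Review bot: The negative test is inverted in the main() hunk: `if (snimatch_mt(not_client_hello, sizeof(not_client_hello)))` now prints ` OK` when a non-ClientHello packet is matched, which is exactly the false positive this case exists to catch, while the removed line had the correct `!`. Restore it as `if (!snimatch_mt(not_client_hello, sizeof(not_client_hello)))` and give that branch its own failure text, since " NOT FOUND" is the wrong message for an unexpected match. Replacing every `return 1;` with a printf also makes main return 0 whatever happens, so the harness can no longer fail a build or a script; keep the per-case output but record a failure (`int failed = 0;` at the top, `failed = 1;` in each else branch, `return failed;` at the end) so the exit status still reflects the result. Cosmetic: the `not_client_hello.h` label is the only one left without a trailing space before the result.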
+++ b/reductor_developer/sni_search/packets/client_hello_ambigous_doff.h @@ -212,4 +212,4 @@ unsigned char client_hello_ambigous_doff[] = { 0x04, 0x01, 0x05, 0x01, 0x02, 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x02, 0x02, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, }; -#endif //TEST_SYS_DEV_CLIENT_HELLO_IE_H +#endif //TEST_SYS_DEV_CLIENT_HELLO_AMBIGOUS_DOFF_H diff --git a/reductor_developer/sni_search/packets/client_hello_tcp32.h b/reductor_developer/sni_search/packets/client_hello_tcp32.h index fb39dce..833e099 100644 --- a/reductor_developer/sni_search/packets/client_hello_tcp32.h +++ b/reductor_developer/sni_search/packets/client_hello_tcp32.h @@ -212,4 +212,4 @@ unsigned char client_hello_tcp32[] = { 0x04, 0x01, 0x05, 0x01, 0x02, 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, 0x02, 0x02, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, }; -#endif //TEST_SYS_DEV_CLIENT_HELLO_IE_H +#endif //TEST_SYS_DEV_CLIENT_HELLO_TCP32_H diff --git a/reductor_developer/sni_search/packets/client_hello_tcp32_ambigous_doff.h b/reductor_developer/sni_search/packets/client_hello_tcp32_ambigous_doff.h new file mode 100644 index 0000000..fa6dd41 --- /dev/null +++ b/reductor_developer/sni_search/packets/client_hello_tcp32_ambigous_doff.h 
@@ -0,0 +1,216 @@ +#ifndef TEST_SYS_DEV_CLIENT_HELLO_TCP32_AMBIGOUS_DOFF_H +#define TEST_SYS_DEV_CLIENT_HELLO_TCP32_AMBIGOUS_DOFF_H +/* +Frame 5: 227 bytes on wire (1816 bits), 227 bytes captured (1816 bits) on interface 0 + Interface id: 0 (eth0.317) + Encapsulation type: Ethernet (1) + Arrival Time: Mar 16, 2017 16:43:32.464954762 YEKT + [Time shift for this packet: 0.000000000 seconds] + Epoch Time: 1489664612.464954762 seconds + [Time delta from previous captured frame: 0.009938038 seconds] + [Time delta from previous displayed frame: 0.009938038 seconds] + [Time since reference or first frame: 7.131114759 seconds] + Frame Number: 5 + Frame Length: 227 bytes (1816 bits) + Capture Length: 227 bytes (1816 bits) + [Frame is marked: False] + [Frame is ignored: False] + [Protocols in frame: eth:ethertype:ip:tcp:ssl] +Ethernet II, Src: 02:04:49:1d:17:b8 (02:04:49:1d:17:b8), Dst: 0c:c4:7a:74:df:32 (0c:c4:7a:74:df:32) + Destination: 0c:c4:7a:74:df:32 (0c:c4:7a:74:df:32) + Address: 0c:c4:7a:74:df:32 (0c:c4:7a:74:df:32) + .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) + .... ...0 .... .... .... .... = IG bit: Individual address (unicast) + Source: 02:04:49:1d:17:b8 (02:04:49:1d:17:b8) + Address: 02:04:49:1d:17:b8 (02:04:49:1d:17:b8) + .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default) + .... ...0 .... .... .... .... = IG bit: Individual address (unicast) + Type: IP (0x0800) +Internet Protocol Version 4, Src: 91.228.63.222 (91.228.63.222), Dst: 94.102.58.6 (94.102.58.6) + Version: 4 + Header Length: 20 bytes + Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport)) + 0000 00.. = Differentiated Services Codepoint: Default (0x00) + .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00) + Total Length: 213 + Identification: 0x3990 (14736) + Flags: 0x02 (Don't Fragment) + 0... .... 
= Reserved bit: Not set + .1.. .... = Don't fragment: Set + ..0. .... = More fragments: Not set + Fragment offset: 0 + Time to live: 125 + Protocol: TCP (6) + Header checksum: 0x8f64 [validation disabled] + [Good: False] + [Bad: False] + Source: 91.228.63.222 (91.228.63.222) + Destination: 94.102.58.6 (94.102.58.6) + [Source GeoIP: Unknown] + [Destination GeoIP: Unknown] +Transmission Control Protocol, Src Port: 53018 (53018), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 173 + Source Port: 53018 (53018) + Destination Port: 443 (443) + [Stream index: 1] + [TCP Segment Len: 173] + Sequence number: 1 (relative sequence number) + [Next sequence number: 174 (relative sequence number)] + Acknowledgment number: 1 (relative ack number) + Header Length: 20 bytes + .... 0000 0001 1000 = Flags: 0x018 (PSH, ACK) + 000. .... .... = Reserved: Not set + ...0 .... .... = Nonce: Not set + .... 0... .... = Congestion Window Reduced (CWR): Not set + .... .0.. .... = ECN-Echo: Not set + .... ..0. .... = Urgent: Not set + .... ...1 .... = Acknowledgment: Set + .... .... 1... = Push: Set + .... .... .0.. = Reset: Not set + .... .... ..0. = Syn: Not set + .... .... ...0 = Fin: Not set + Window size value: 16560 + [Calculated window size: 66240] + [Window size scaling factor: 4] + Checksum: 0x3dbe [validation disabled] + [Good Checksum: False] + [Bad Checksum: False] + Urgent pointer: 0 + [SEQ/ACK analysis] + [iRTT: 0.064623704 seconds] + [Bytes in flight: 173] +Secure Sockets Layer + SSL Record Layer: Handshake Protocol: Client Hello + Content Type: Handshake (22) + Version: TLS 1.2 (0x0303) + Length: 168 + Handshake Protocol: Client Hello + Handshake Type: Client Hello (1) + Length: 164 + Version: TLS 1.2 (0x0303) + Random + GMT Unix Time: Mar 16, 2017 16:43:36.000000000 YEKT + Random Bytes: 88806e0b2e4ad584c95ea95f4597af30c997a4b80beec91b... 
+ Session ID Length: 0 + Cipher Suites Length: 48 + Cipher Suites (24 suites) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) + Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) + Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) + Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) + Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d) + Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) + Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) + Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) + Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) + Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a) + Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040) + Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) + Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) + Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) + Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) + Compression Methods Length: 1 + Compression Methods (1 method) + Compression Method: null (0) + Extensions Length: 75 + Extension: server_name + Type: server_name (0x0000) + Length: 13 + Server Name Indication extension + Server Name list length: 11 + Server Name Type: host_name (0) + Server Name length: 8 + Server Name: 24wd.biz + Extension: status_request + Type: status_request (0x0005) + Length: 5 + Certificate Status Type: OCSP (1) + Responder ID list Length: 0 + Request 
Extensions Length: 0 + Extension: elliptic_curves + Type: elliptic_curves (0x000a) + Length: 6 + Elliptic Curves Length: 4 + Elliptic curves (2 curves) + Elliptic curve: secp256r1 (0x0017) + Elliptic curve: secp384r1 (0x0018) + Extension: ec_point_formats + Type: ec_point_formats (0x000b) + Length: 2 + EC point formats Length: 1 + Elliptic curves point formats (1) + EC point format: uncompressed (0) + Extension: signature_algorithms + Type: signature_algorithms (0x000d) + Length: 20 + Signature Hash Algorithms Length: 18 + Signature Hash Algorithms (9 algorithms) + Signature Hash Algorithm: 0x0601 + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: RSA (1) + Signature Hash Algorithm: 0x0603 + Signature Hash Algorithm Hash: SHA512 (6) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Hash Algorithm: 0x0401 + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: RSA (1) + Signature Hash Algorithm: 0x0501 + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: RSA (1) + Signature Hash Algorithm: 0x0201 + Signature Hash Algorithm Hash: SHA1 (2) + Signature Hash Algorithm Signature: RSA (1) + Signature Hash Algorithm: 0x0403 + Signature Hash Algorithm Hash: SHA256 (4) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Hash Algorithm: 0x0503 + Signature Hash Algorithm Hash: SHA384 (5) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Hash Algorithm: 0x0203 + Signature Hash Algorithm Hash: SHA1 (2) + Signature Hash Algorithm Signature: ECDSA (3) + Signature Hash Algorithm: 0x0202 + Signature Hash Algorithm Hash: SHA1 (2) + Signature Hash Algorithm Signature: DSA (2) + Extension: Unknown 23 + Type: Unknown (0x0017) + Length: 0 + Data (0 bytes) + Extension: renegotiation_info + Type: renegotiation_info (0xff01) + Length: 1 + Renegotiation Info extension + Renegotiation info extension length: 0 +*/ + +unsigned char client_hello_tcp32_ambigous_doff[] = { + 0x0c, 
0xc4, 0x7a, 0x74, 0xdf, 0x32, 0x02, 0x04, 0x49, 0x1d, 0x17, 0xb8, + 0x08, 0x00, 0x45, 0x00, 0x00, 0xd5, 0x39, 0x90, 0x40, 0x00, 0x7d, 0x06, + 0x8f, 0x64, 0x5b, 0xe4, 0x3f, 0xde, 0x5e, 0x66, 0x3a, 0x06, 0xcf, 0x1a, // типа есть какие-то TCP options, поэтому заголовок 32 байта, а не 20 + 0x01, 0xbb, 0x27, 0x13, 0xc1, 0xe0, 0x1e, 0xb0, 0x1f, 0xa2, /* внезапно TCP->doff = 0 */ 0x00, 0x18, + 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, + 0x40, 0xb0, 0x3d, 0xbe, 0x00, 0x00, 0x16, 0x03, 0x03, 0x00, 0xa8, 0x01, + 0x00, 0x00, 0xa4, 0x03, 0x03, 0x58, 0xca, 0x7a, 0x68, 0x88, 0x80, 0x6e, + 0x0b, 0x2e, 0x4a, 0xd5, 0x84, 0xc9, 0x5e, 0xa9, 0x5f, 0x45, 0x97, 0xaf, + 0x30, 0xc9, 0x97, 0xa4, 0xb8, 0x0b, 0xee, 0xc9, 0x1b, 0xa6, 0x25, 0x08, + 0xd5, 0x00, 0x00, 0x30, 0xc0, 0x28, 0xc0, 0x27, 0xc0, 0x14, 0xc0, 0x13, + 0x00, 0x9f, 0x00, 0x9e, 0x00, 0x9d, 0x00, 0x9c, 0x00, 0x3d, 0x00, 0x3c, + 0x00, 0x35, 0x00, 0x2f, 0xc0, 0x2c, 0xc0, 0x2b, 0xc0, 0x24, 0xc0, 0x23, + 0xc0, 0x0a, 0xc0, 0x09, 0x00, 0x6a, 0x00, 0x40, 0x00, 0x38, 0x00, 0x32, + 0x00, 0x0a, 0x00, 0x13, 0x01, 0x00, 0x00, 0x4b, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x0b, 0x00, 0x00, 0x08, 0x32, 0x34, 0x77, 0x64, 0x2e, 0x62, 0x69, + 0x7a, 0x00, 0x05, 0x00, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x06, 0x00, 0x04, 0x00, 0x17, 0x00, 0x18, 0x00, 0x0b, 0x00, 0x02, + 0x01, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x06, 0x01, 0x06, 0x03, + 0x04, 0x01, 0x05, 0x01, 0x02, 0x01, 0x04, 0x03, 0x05, 0x03, 0x02, 0x03, + 0x02, 0x02, 0x00, 0x17, 0x00, 0x00, 0xff, 0x01, 0x00, 0x01, 0x00, +}; +#endif //TEST_SYS_DEV_CLIENT_HELLO_TCP32_AMBIGOUS_DOFF_H From 14ac1c54f8c27f08a10eb198dea42878ac6fb354 Mon Sep 17 00:00:00 2001 
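Review bot: The IPv4 Total Length in this fixture is still `0x00, 0xd5` (213) although the TCP header was grown from 20 to 32 bytes, so the array holds 239 bytes while the IP header announces a 227-byte frame; the pasted dissection above the array (`Header Length: 20 bytes`, `Frame 5: 227 bytes`) describes the original capture, not these bytes. If read_skb derives skb->len from the IP Total Length rather than from the `len` passed by main, the last 12 bytes of the ClientHello would fall outside the scanned range — worth confirming against read_skb. If the stale length is not part of what this fixture is meant to exercise, change it to `0x00, 0xe1`; either way a short comment at the top stating which fields were hand-edited (doff nibble zeroed, 12 option bytes inserted, Total Length and checksums left as captured) would save the next reader from trusting the dissection.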
From: Ivan Podovalov Date: Wed, 20 Apr 2022 14:32:54 +0500 Subject: [PATCH 2/2] =?UTF-8?q?=D0=A2=D0=B5=D1=81=D1=82=D0=B2=D0=BE=D0=B5?= =?UTF-8?q?=20=D0=B7=D0=B0=D0=B4=D0=B0=D0=BD=D0=B8=D0=B5=20Carbonsoft.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Ответы на некоторые вопросы из продвинутой части. --- reductor_developer/README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/reductor_developer/README.md b/reductor_developer/README.md index e3b3772..38fc16f 100644 --- a/reductor_developer/README.md +++ b/reductor_developer/README.md @@ -49,8 +49,29 @@ ## Shell-скриптинг 1. Выведите IP адрес под которым машина отправляет запросы к 8.8.8.8 (учитывать NAT после выхода пакета из машины не нужно, нужен IP адрес с которым пакет покидает машину). + Ответ: + ``` + ip -o route get 8.8.8.8 | cut -d ' ' -f 3 + ``` 2. Напишите команду для поиска в текстовом файле (абстрактном в вакууме) всех нечётных чисел от 1 до 100, записанных отдельным словом. Можно использовать заранее сгенерированные временные файлы. + Ответ: + ``` + #!/bin/bash + for word in `cat test.txt | grep [[:digit:]] | tr -d [[:alpha:]] | tr -d [[:punct:]] | tr '\n' ' '`; do + if [ $((word%2)) -eq 0 ] + then + if [ $((word)) -le 100 ] + then + echo $word + fi + fi + done + ``` 3. Выведите список сетевых карт в формате: "название сетевой карты в системе, например eth1" "модель сетевой карты, например Intel Corporation 82540EM Gigabit Ethernet Controller" + Ответ что-то типа (не работает, надо допилить): + ``` + ifconfig | grep -e ^[[:alpha:]] | cut -d ':' -f 1 | xargs -e ethtool -i | awk | lcpci + ``` ## Python 2