So Jeremy Rauch of Matasano has released a wicked cool piece of kit for network protocol (and vuln dev) geeks like myself called PDB. Follow that link and you can also find the pdf of his blackhat talk. I was quite chuffed to have a tarball in my hands after eager anticipation at the announcement of the talk... I ran into a little problem.
We always hope that upon downloading and unpacking a new tool we can just do
./configure && make && make install (or even just make) and it will just fscking build. That isn't what happened with PDB; this is:
~/proj/rb/pdb-0.0.1.bleeding-edge$make
cc -I/usr/local/include -Icii/include -g -c iledit.c
iledit.c: In function `main':
iledit.c:220: error: `SIGINT' undeclared (first use in this function)
iledit.c:220: error: (Each undeclared identifier is reported only once
iledit.c:220: error: for each function it appears in.)
iledit.c:221: error: `IPPROTO_DIVERT' undeclared (first use in this function)
*** Error code 1
Stop in /home/meltzer/proj/rb/pdb-0.0.1.bleeding-edge.
Ok, fine. We obviously need to include signal.h to get SIGINT, but we have a serious problem with IPPROTO_DIVERT; OpenBSD doesn't do divert sockets. I believe that there are patches to add divert sockets to the Linux kernel (may be stock now too) and there is a nice mini-HOWTO; OS X and FreeBSD also do them, see divert(4).
I have a powerbook, but am somewhat sorry to say it is currently my 'everything aside from hackery' machine so this has to work on OpenBSD. Don't even suggest running Linux.
So, how can we make this work? From my brief research there seem to be two alternatives short of a little, or a lot, of kernel hacking, and both involve virtual interfaces: pflog0 and tun0. Mike Frantzen gives the rundown on pflog0 and pcap along with a little pseudocode here.
In the context of divert sockets in general, doing something like:
mysocket = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)
would be much nicer than messing with pseudo-devices. I'm going to have to do a bit more investigation to see how I want to approach this. Stay tuned.
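As an added illustration (not PDB's code, and not from the post), here is how both compile errors above can be handled in one portable unit: signal.h supplies SIGINT, and the divert-socket open is guarded by #ifdef IPPROTO_DIVERT so that on a platform without divert sockets the build still succeeds and the call fails at run time with a clear errno instead. The function names install_sigint_handler, intercept_backend and open_divert_socket are hypothetical; the pcap-on-pflog0 fallback is only named here, not implemented.

```c
#include <errno.h>
#include <signal.h>      /* SIGINT: the first error in the build log above */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>  /* IPPROTO_DIVERT where the platform has it (FreeBSD, OS X) */

static volatile sig_atomic_t stop_requested = 0;

/* Only set a flag in the handler; the main loop checks it and exits cleanly. */
static void on_sigint(int signo) { (void)signo; stop_requested = 1; }

/* Install the SIGINT handler; returns 0 on success, -1 on failure. */
int install_sigint_handler(void) {
    return signal(SIGINT, on_sigint) == SIG_ERR ? -1 : 0;
}

/* Name of the packet-interception backend this build will use. */
const char *intercept_backend(void) {
#ifdef IPPROTO_DIVERT
    return "divert socket";
#else
    return "pcap on pflog0";   /* fallback: the pflog0/pcap route discussed above */
#endif
}

/* Open a divert socket where the platform supports them; elsewhere fail at
 * run time with errno = EPROTONOSUPPORT rather than failing to compile. */
int open_divert_socket(void) {
#ifdef IPPROTO_DIVERT
    return socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* needs root */
#else
    errno = EPROTONOSUPPORT;
    return -1;
#endif
}

int main(void) {
    if (install_sigint_handler() != 0) { perror("signal"); return 1; }
    printf("backend: %s\n", intercept_backend());
    int fd = open_divert_socket();
    if (fd < 0) printf("divert socket unavailable: %s\n", strerror(errno));
    return 0;
}
```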
