WIXLIB

FOREWORDWhen I first met James Forshaw, I worked in what Popular Science described in 2007 asone of the top ten worst jobs in science: a “Microsoft Security Grunt.” This was the broadswath label the magazine used for anyone working in the Microsoft Security ResponseCenter (MSRC). What positioned our jobs as worse than “whale-feces researcher” butsomehow better than “elephant vasectomist” on this list (so famous among those of us whosuffered in Redmond, WA, that we made t-shirts) was the relentless drumbeat of incomingsecurity bug reports in Microsoft products.It was here in MSRC that James, with his keen and creative eye toward the uncommonand overlooked, first caught my attention as a security strategist. James was the author ofsome of the most interesting security bug reports. This was no small feat, considering theMSRC was receiving upwards of 200,000 security bug reports per year from securityresearchers. James was finding not only simple bugs—he had taken a look at the .NETframework and found architecture-level issues. While these architecture-level bugs wereharder to address in a simple patch, they were much more valuable to Microsoft and itscustomers.Fast-forward to the creation of Microsoft’s first bug bounty programs, which I startedat the company in June of 2013. We had three programs in that initial batch of bugbounties—programs that promised to pay security researchers like James cash in exchangefor reporting the most serious bugs to Microsoft. I knew that for these programs to provetheir efficacy, we needed high-quality security bugs to be turned in.If we built it, there was no guarantee that the bug finders would come. We knew wewere competing for some of the most highly skilled bug hunting eyes in the world.Numerous other cash rewards were available, and not all of the bug markets were fordefense. Nation-states and criminals had a well-established offense market for bugs andexploits, and Microsoft was relying on the finders who were already coming forward at therate of 200,000 bug reports per year for free. The bounties were to focus the attention ofthose friendly, altruistic bug hunters on the problems Microsoft needed the most help witheradicating.So of course, I called on James and a handful of others, because I was counting on themto deliver the buggy goods. For these first Microsoft bug bounties, we security grunts inthe MSRC really wanted vulnerabilities for Internet Explorer (IE) 11 beta, and we wantedsomething no software vendor had ever tried to set a bug bounty on before: we wanted toknow about new exploitation techniques. That latter bounty was known as the MitigationBypass Bounty, and worth 100,000 at the time.I remember sitting with James over a beer in London, trying to get him excited aboutlooking for IE bugs, when he explained that he’d never looked at browser security muchbefore and cautioned me not to expect much from him.

James nevertheless turned in four unique sandbox escapes for IE 11 beta.Four.These sandbox escapes were in areas of the IE code that our internal teams and privateexternal penetration testers had all missed. Sandbox escapes are essential to helping otherbugs be more reliably exploitable. James earned bounties for all four bugs, paid for by theIE team itself, plus an extra 5,000 bonus out of my bounty budget. Looking back, Iprobably should have given him an extra 50,000. Because wow. Not bad for a bug hunterwho had never looked at web browser security before.Just a few months later, I was calling James on the phone from outside a Microsoftcafeteria on a brisk autumn day, absolutely breathless, to tell him that he had just madehistory. This particular Microsoft Security Grunt couldn’t have been more thrilled todeliver the news that his entry for one of the other Microsoft bug bounty programs—theMitigation Bypass Bounty for 100,000—had been accepted. James Forshaw had found aunique new way to bypass all the platform defenses using architecture-level flaws in thelatest operating system and won the very first 100,000 bounty from Microsoft.On that phone call, as I recall the conversation, he said he pictured me handing him acomically-huge novelty check onstage at Microsoft’s internal BlueHat conference. I sentthe marketing department a note after that call, and in an instant, “James and the GiantCheck” became part of Microsoft and internet history forever.What I am certain readers will gain in the following pages of this book are pieces ofJames’s unparalleled brilliance—the same brilliance that I saw arching across a bug reportor four so many years ago. There are precious few security researchers who can find bugsin one advanced technology, and fewer still who can find them in more than one with anyconsistency. Then there are people like James Forshaw, who can focus on deeperarchitecture issues with a surgeon’s precision. I hope that those reading this book, and anyfuture book by James, treat it like a practical guide to spark that same brilliance andcreativity in their own work.In a bug bounty meeting at Microsoft, when the IE team members were shaking theirheads, wondering how they could have missed some of the bugs James reported, I stated

simply, “James can see the Lady in the Red Dress, as well as the code that rendered her, inthe Matrix.” All of those around the table accepted this explanation for the kind of mind atwork in James. He could bend any spoon; and by studying his work, if you have an openmind, then so might you.For all the bug finders in the world, here is your bar, and it is high. For all the untoldnumbers of security grunts in the world, may all your bug reports be as interesting andvaluable as those supplied by the one and only James Forshaw.Katie MoussourisFounder and CEO, Luta SecurityOctober 2017

ACKNOWLEDGMENTSI’d like to thank you for reading my book; I hope you find it enlightening and of practicaluse. I’m grateful for the contributions from many different people.I must start by thanking my lovely wife Huayi, who made sure I stuck to writing even ifI really didn’t want to. Through her encouragement, I finished it in only four years;without her maybe it could have been written in two, but it wouldn’t have been as muchfun.Of course, I definitely wouldn’t be here today without my amazing parents. Their loveand encouragement has led me to become a widely recognized computer securityresearcher and published author. They bought the family a computer—an Atari 400—when I was young, and they were instrumental in starting my interest in computers andsoftware development. I can’t thank them enough for giving me all my opportunities.Acting as a great counterpoint to my computer nerdiness was my oldest friend, SamShearon. Always the more confident and outgoing person and an incredible artist, he mademe see a different side to life.Throughout my career, there have been many colleagues and friends who have mademajor contributions to my achievements. I must highlight Richard Neal, a good friend andsometimes line manager who gave me the opportunity to find an interest in computersecurity, a skill set that suited my mindset.I also can’t forget Mike Jordon who convinced me to start working at ContextInformation Security in the UK. Along with owners Alex Church and Mark Raeburn, theygave me the time to do impactful security research, build my skills in network protocolanalysis, and develop tools such as Canape. This experience of attacking real-world, andtypically completely bespoke, network protocols is what much of the content of this bookis based on.I must thank Katie Moussouris for convincing me to go for the Microsoft MitigationBypass Bounty, raising my profile massively in the information security world, and ofcourse for giving me a giant novelty check for 100,000 for my troubles.My increased profile didn’t go amiss when the team for Google Project Zero—a groupof world leading security researchers with the goal of making the platforms that we all relyon more secure—was being set up. Will Harris mentioned me to the current head of theteam, Chris Evans, who convinced me to interview, and soon I was a Googler. Being amember of such an excellent team makes me proud.Finally, I must thank Bill, Laurel, and Liz at No Starch Press for having the patience towait for me to finish this book and for giving me solid advice on how to tackle it. I hopethat they, and you, are happy with the final result.

INTRODUCTIONWhen first introduced, the technology that allowed devices to connect to a network wasexclusive to large companies and governments. Today, most people carry a fully networkedcomputing device in their pocket, and with the rise of the Internet of Things (IoT), youcan add devices such as your fridge and our home’s security system to this interconnectedworld. The security of these connected devices is therefore increasingly important.Although you might not be too concerned about someone disclosing the details of howmany yogurts you buy, if your smartphone is compromised over the same network as yourfridge, you could lose all your personal and financial information to a malicious attacker.This book is named Attacking Network Protocols because to find security vulnerabilitiesin a network-connected device, you need to adopt the mind-set of the attacker who wantsto exploit those weaknesses. Network protocols communicate with other devices on anetwork, and because these protocols must be exposed to a public network and often don’tundergo the same level of scrutiny as other components of a device, they’re an obviousattack target.Why Read This Book?Many books discuss network traffic capture for the purposes of diagnostics and basicnetwork analysis, but they don’t focus on the security aspects of the protocols they capture.What makes this book different is that it focuses on analyzing custom protocols to findsecurity vulnerabilities.This book is for those who are interested in analyzing and attacking network protocolsbut don’t know where to start. The chapters will guide you through learning techniques tocapture network traffic, performing analysis of the protocols, and discovering andexploiting security vulnerabilities. The book provides background information onnetworking and network security, as well as practical examples of protocols to analyze.Whether you want to attack network protocols to report security vulnerabilities to anapplication’s vendor or just want to know how your latest IoT device communicates, you’llfind several topics of interest.What’s in This Book?This book contains a mix of theoretical and practical chapters. For the practical chapters,I’ve developed and made available a networking library called Canape Core, which you canuse to build your own tools for protocol analysis and exploitation. I’ve also provided anexample networked application called SuperFunkyChat, which implements a user-to-user

chat protocol. By following the discussions in the chapters, you can use the exampleapplication to learn the skills of protocol analysis and attack the sample network protocols.Here is a brief breakdown of each chapter:Chapter 1: The Basics of NetworkingThis chapter describes the basics of computer networking with a particular focus onTCP/IP, which forms the basis of application-level network protocols. Subsequentchapters assume that you have a good grasp of the network basics. This chapter alsointroduces the approach I use to model application protocols. The model breaks downthe application protocol into flexible layers and abstracts complex technical detail,allowing you to focus on the bespoke parts of the protocol you’re analyzing.Chapter 2: Capturing Application TrafficThis chapter introduces the concepts of passive and active capture of network traffic,and it’s the first chapter to use the Canape Core network libraries for practical tasks.Chapter 3: Network Protocol StructuresThis chapter contains details of the internal structures that are common across networkprotocols, such as the representation of numbers or human-readable text. When you’reanalyzing captured network traffic, you can use this knowledge to quickly identifycommon structures, speeding up your analysis.Chapter 4: Advanced Application Traffic CaptureThis chapter explores a number of more advanced capture techniques that complementthe examples in Chapter 2. The advanced capture techniques include configuringNetwork Address Translation to redirect traffic of interest and spoofing the addressresolution protocol.Chapter 5: Analysis from the WireThis chapter introduces methods for analyzing captured network traffic using thepassive and active techniques described in Chapter 2. In this chapter, we begin usingthe SuperFunkyChat application to generate example traffic.Chapter 6: Application Reverse EngineeringThis chapter describes techniques for reverse engineering network-connectedprograms. Reverse engineering allows you to analyze a protocol without needing tocapture example traffic. These methods also help to identify how custom encryption orobfuscation is implemented so you can better analyze traffic you’ve captured.Chapter 7: Network Protocol SecurityThis chapter provides background information on techniques and cryptographicalgorithms used to secure network protocols. Protecting the contents of network traffic

from disclosure or tampering as it travels over public networks is of the utmostimportance for network protocol security.Chapter 8: Implementing the Network ProtocolThis chapter explains techniques for implementing the application network protocol inyour own code so you can test the protocol’s behavior to find security weaknesses.Chapter 9: The Root Causes of VulnerabilitiesThis chapter describes common security vulnerabilities you’ll encounter in a networkprotocol. When you understand the root causes of vulnerabilities, you can more easilyidentify them during analysis.Chapter 10: Finding and Exploiting Security VulnerabilitiesThis chapter describes processes for finding security vulnerabilities based on the rootcauses in Chapter 9 and demonstrates a number of ways of exploiting them, includingdeveloping your own shell code and bypassing exploit mitigations through returnoriented programming.Appendix: Network Protocol Analysis ToolkitIn the appendix, you’ll find descriptions of some of the tools I commonly use whenperforming network protocol analysis. Many of the tools are described briefly in themain body of the text as well.How to Use This BookIf you want to start with a refresher on the basics of networking, read Chapter 1 first.When you’re familiar with the basics, proceed to Chapters 2, 3, and 5 for practicalexperience in capturing network traffic and learning the network protocol analysis process.With the knowledge of the principles of network traffic capture and analysis, you canthen move on to Chapters 7 through 10 for practical information on how to find andexploit security vulnerabilities in these protocols. Chapters 4 and 6 contain more advancedinformation about additional capture techniques and application reverse engineering, soyou can read them after you’ve read the other chapters if you ll.NETCore(https://www.microsoft.com/net/core/), which is a cross-platform version of the .NET runtimefrom Microsoft that works on Windows, Linux, and macOS. You can then downloadreleases for Canape Core from https://github.com/tyranid/CANAPE.Core/releases/ andSuperFunkyChat from releases/; both use.NET Core as the runtime. Links to each site are available with the book’s resources athttps://www.nostarch.com/networkprotocols/.

To execute the example Canape Core scripts, you’ll need to use the CANAPE.Cliapplication, which will be in the release package downloaded from the Canape CoreGithub repository. Execute the script with the following command line, replacing script.csxwith the name of the script you want to execute.dotnet exec CANAPE.Cli.dll script.csxAll example listings for the practical chapters as well as packet captures are available onthe book’s page at https://www.nostarch.com/networkprotocols/. It’s best to download theseexample listings before you begin so you can follow the practical chapters without havingto enter a large amount of source code manually.Contact MeI’m always interested in receiving feedback, both positive and negative, on my work, andthis book is no exception. You can email me at attacking.network.protocols@gmail.com. Youcan also follow me on Twitter @tiraniddo or subscribe to my blog athttps://tyranidslair.blogspot.com/ where I post some of my latest advanced security research.

1THE BASICS OF NETWORKINGTo attack network protocols, you need to understand the basics of computer networking.The more you understand how common networks are built and function, the easier it willbe to apply that knowledge to capturing, analyzing, and exploiting new protocols.Throughout this chapter, I’ll introduce basic network concepts you’ll encounter everyday when you’re analyzing network protocols. I’ll also lay the groundwork for a way tothink about network protocols, making it easier to find previously unknown security issuesduring your analysis.Network Architecture and ProtocolsLet’s start by reviewing some basic networking terminology and asking the fundamentalquestion: what is a network? A network is a set of two or more computers connectedtogether to share information. It’s common to refer to each connected device as a node onthe network to make the description applicable to a wider range of devices. Figure 1-1shows a very simple example.Figure 1-1: A simple network of three nodesThe figure shows three nodes connected with a common network. Each node mighthave a different operating system or hardware. But as long as each node follows a set ofrules, or network protocol, it can communicate with the other nodes on the network. Tocommunicate correctly, all nodes on a network must understand the same networkprotocol.

A network protocol serves many functions, including one or more of the following:Maintaining session state Protocols typically implement mechanisms to create newconnections and terminate existing connections.Identifying nodes through addressing Data must be transmitted to the correct nodeon a network. Some protocols implement an addressing mechanism to identify specificnodes or groups of nodes.Controlling flow The amount of data transferred across a network is limited.Protocols can implement ways of managing data flow to increase throughput andreduce latency.Guaranteeing the order of transmitted data Many networks do not guarantee thatthe order in which the data is sent will match the order in which it’s received. Aprotocol can reorder the data to ensure it’s delivered in the correct order.Detecting and correcting errors Many networks are not 100 percent reliable; datacan become corrupted. It’s important to detect corruption and, ideally, correct it.Formatting and encoding data Data isn’t always in a format suitable for transmittingon the network. A protocol can specify ways of encoding data, such as encodingEnglish text into binary values.The Internet Protocol SuiteTCP/IP is the de facto protocol that modern networks use. Although you can think ofTCP/IP as a single protocol, it’s actually a combination of two protocols: the TransmissionControl Protocol (TCP) and the Internet Protocol (IP). These two protocols form part of theInternet Protocol Suite (IPS), a conceptual model of how network protocols send networktraffic over the internet that breaks down network communication into four layers, asshown in Figure 1-2.

Figure 1-2: Internet Protocol Suite layersThese four layers form a protocol stack. The following list explains each layer of the IPS:Link layer (layer 1) This layer is the lowest level and describes the physicalmechanisms used to transfer information between nodes on a local network. Wellknown examples include Ethernet (both wired and wireless) and P

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in . Cliff has had the great fortune to work with and learn from some of the best people in the industry, including Mr. Forshaw and the fine people at No Starch during the . A Cra