Anti-Hacker Tool Kit, Third Edition
A port redirection tool accepts TCP connections on one port and passes the traffic on to another host and port that you specify. Aside from handling IP addresses and port numbers, port redirection is protocol ignorant: the tool does not care whether you pass encrypted Secure Shell (SSH) traffic or plain-text e-mail through it. A port redirection tool is neither a client nor a server. It functions as a conduit for TCP connections, not an end point. For example, you could place a datapipe between a web browser and a web server. The web browser would point to the port redirection tool, but all requests would be passed on to the web server. Because the tool opens its own connection to the destination, the web server sees the connection coming from the host running datapipe, not from the browser, which is worth remembering when you read the server's logs.
Datapipe is a Unix-based port redirection tool written by Todd Vierling. It uses standard system and network libraries, which enable it to run on the alphabet of Unix platforms.
Note | Datapipe is not exploit code. It is not a buffer overflow or a cross-site scripting attack. For all the scenarios mentioned in these examples, command-line access is a prerequisite on the server running the port redirection tool. |
Implementation
Most simple tools in the Unix world are easy to distribute in source code. This enables users to adapt a program to a variety of hardware platforms and Unix versions. Datapipe is no different.
Compiling from Source
You must compile datapipe for your platform. Often, it is useful for you to have precompiled binaries for several types of Unix: Solaris, AIX, Linux, FreeBSD, OSX, and so on. Use gcc to compile for Linux distributions and the BSD family:
$ gcc -o datapipe datapipe.c
datapipe.c: In function 'main':
datapipe.c:86: warning: passing arg 1 of 'gethostbyaddr' from incompatible pointer type
datapipe.c:98: warning: passing arg 2 of 'bind' from incompatible pointer type
datapipe.c:113: warning: passing arg 2 of 'accept' from incompatible pointer type
datapipe.c:136: warning: passing arg 2 of 'connect' from incompatible pointer type
The binary has compiled successfully at this point; these are warnings, not errors. The warnings for bind, accept, and connect can be silenced by casting the second argument to (struct sockaddr *), as shown next, but the program works either way:
if (bind(lsock, (struct sockaddr *) &laddr, sizeof(laddr))) {
Depending on your system’s compatibility libraries, you may also need to remove line 48:
#include <linux/time.h>
Remove this line with impunity.
Datapipe also compiles under Cygwin, but you must modify one more line (line 96 in the original source):
laddr.sin_family = htons(AF_INET);
Remove the htons function call; sin_family is stored in host byte order, so it takes the constant as is:
laddr.sin_family = AF_INET;
Remember that the cygwin1.dll must be present for datapipe to execute on Windows; however, you do not need to register the DLL. Note that Windows does not require that you have root (Administrator) privileges to open a port below 1024, whereas root privileges are required in a Unix environment.
Other Compile Options
When compiling datapipe for some Unix variants, build both shared and static versions of the binary. A dynamically linked version is built with the default gcc options shown above. This produces the smallest binary file, but it depends on the shared libraries (most importantly libc) installed on the host where it was built, so it might not run on a host whose library versions differ. The alternative is to build a static version that contains all the support functions the program needs to execute:
$ gcc -o datapipe_static -static datapipe.c
This produces a much larger binary file, but it should run on any host with the same operating system and processor architecture, regardless of which libraries are installed there. A static version of datapipe makes it easy to drop the tool onto a system that might not have a compiler. You can confirm the result with file datapipe_static, which should report a statically linked executable. You can also pass the -s option to gcc to strip the symbol table and shrink the file further:
$ gcc -o datapipe_static_stripped -static -s datapipe.c
Here’s an example of the different file sizes on an OpenBSD system. The asterisk (*) indicates that the file is executable:
-rwxr-xr-x 1 root wheel  29420 Mar  9 20:05 datapipe*
-rw-r--r-- 1 root wheel   4556 Mar  9 20:05 datapipe.c
-rwxr-xr-x 1 root wheel 175139 Mar 10 01:45 datapipe_static*
-rwxr-xr-x 1 root wheel 143360 Mar 10 01:45 datapipe_static_stripped*
Note | Try to build a collection of static, stripped datapipes for Solaris (sparc and x86), AIX, IRIX, Linux (x86), and FreeBSD; you may thank yourself one day! |
Redirecting Traffic
Using datapipe is straightforward in spite of the complicated port redirection tunnels that you can create with it:
$ ./datapipe
usage: ./datapipe <localport> <remoteport> <remotehost>
- The <localport> value represents the listening port on the local system; clients connect to this port. On Unix systems, you must have root access (or, on Linux, the CAP_NET_BIND_SERVICE capability) to open a listening port below 1024. If you receive an error similar to "bind: Permission denied," your account does not have the privileges to open a reserved port.
- The <remoteport> value represents the port to which data is forwarded. For example, if the target is a web server, the <remoteport> value will usually be 80.
- The <remotehost> value represents the hostname or IP address of the target.
The easiest conceptual example of port redirection is forwarding HTTP traffic. Here we set up a datapipe to listen on a high port, 9080 in this example, that redirects to a web site of your choice:
$ ./datapipe 9080 80 www.google.com
Now, we enter this URL into a web browser:
http://localhost:9080/
You should see Google’s home page. By design, datapipe places itself in the background, so use the ps and kill commands to find its process ID and stop it:
$ ps auxww | grep datapipe
root 21570 0.0 0.1 44 132 ?? Is 8:45PM 0:00.00 ./datapipe 9080 80 www.google.com
$ kill -9 21570
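To make the conduit model from the start of this section and the <localport> <remoteport> <remotehost> usage concrete, here is a minimal datapipe-style redirector in C. It is an added example, not Todd Vierling's datapipe source and not code from the book; the file and function names (minipipe, relay, connect_to, listen_on, selftest_relay) and the "GET"/"HTTP" bytes in the self-test are constructed for illustration. It does the three things the text describes: listen on the local port, open its own connection to the remote host and port, and copy bytes in both directions without parsing them, which is why the destination sees the redirector's address rather than the client's.

```c
/* minipipe.c: a minimal datapipe-style TCP redirector. Added example, not datapipe's
 * source; same argument order, but it stays in the foreground (stop it with Ctrl-C). */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Shuttle bytes between fds a and b in both directions until either side closes.
 * Protocol-ignorant: nothing is parsed or altered. Returns total bytes relayed. */
static long relay(int a, int b) {
    int fd[2] = { a, b };
    long total = 0;
    char buf[4096];
    for (;;) {
        fd_set rd;
        FD_ZERO(&rd); FD_SET(a, &rd); FD_SET(b, &rd);
        if (select((a > b ? a : b) + 1, &rd, NULL, NULL, NULL) < 0) return total;
        for (int i = 0; i < 2; i++) {
            if (!FD_ISSET(fd[i], &rd)) continue;
            ssize_t n = read(fd[i], buf, sizeof buf);
            /* EOF or error on either side ends the session; a short write counts as an error */
            if (n <= 0 || write(fd[1 - i], buf, n) != n) return total;
            total += n;
        }
    }
}

/* Resolve <remotehost>:<remoteport> (IPv4 or IPv6) and connect; -1 on failure. */
static int connect_to(const char *host, const char *port) {
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res, *ai;
    int fd = -1;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        if (fd >= 0) close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Listen on <localport> on every IPv4 interface; -1 on failure (EACCES for ports
 * below 1024 without root). sin_family takes AF_INET as is, with no htons(). */
static int listen_on(int port) {
    struct sockaddr_in laddr;
    int one = 1, ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return -1;
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&laddr, 0, sizeof laddr);
    laddr.sin_family = AF_INET;
    laddr.sin_port = htons((unsigned short)port);
    laddr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(ls, (struct sockaddr *)&laddr, sizeof laddr) < 0 || listen(ls, 16) < 0) {
        close(ls); return -1;
    }
    return ls;
}

/* Offline check of relay() on constructed traffic over two socketpairs:
 * client cs[0] <-> cs[1] [relay] ss[0] <-> ss[1] server. Returns 1 when the 3-byte
 * request reaches the server, the 4-byte reply reaches the client, and 7 bytes moved. */
static int selftest_relay(void) {
    int cs[2], ss[2], ok;
    char got[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, cs) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ss) < 0) return 0;
    if (write(cs[0], "GET", 3) != 3 || write(ss[1], "HTTP", 4) != 4) return 0;
    shutdown(cs[0], SHUT_WR); shutdown(ss[1], SHUT_WR);   /* both ends then hang up */
    ok = relay(cs[1], ss[0]) == 7;
    ok = ok && read(ss[1], got, sizeof got) == 3 && memcmp(got, "GET", 3) == 0;
    ok = ok && read(cs[0], got, sizeof got) == 4 && memcmp(got, "HTTP", 4) == 0;
    close(cs[0]); close(cs[1]); close(ss[0]); close(ss[1]);
    return ok;
}

int main(int argc, char **argv) {
    if (argc != 4) { fprintf(stderr, "usage: %s <localport> <remoteport> <remotehost>\n", argv[0]); return 1; }
    int ls = listen_on(atoi(argv[1]));
    if (ls < 0) { perror("bind"); return 1; }
    signal(SIGCHLD, SIG_IGN);               /* auto-reap per-connection children */
    for (;;) {
        int cl = accept(ls, NULL, NULL);
        if (cl < 0) continue;
        if (fork() == 0) {                  /* child: connect out, then relay */
            int rs = connect_to(argv[3], argv[2]);
            if (rs >= 0) relay(cl, rs);
            _exit(0);
        }
        close(cl);                          /* parent goes back to accept() */
    }
}
```

Build it with gcc -o minipipe minipipe.c (the -static and -s options discussed earlier apply just the same) and run ./minipipe 9080 80 www.google.com exactly as in the datapipe example above. selftest_relay() exercises the forwarding logic over two local socketpairs, so the relay can be checked without any network access or open listening port.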
Datapipe performs a basic function, but with a little creativity you can make it a powerful tool. Check out “Case Study: Port Hopping” later in this chapter for suggestions on when to use port redirection.
Note | Port redirection forwards traffic between TCP ports only. It does not perform protocol conversion or any other data manipulation. Redirecting web traffic from port 80 to port 443 will not change HTTP connections to encrypted HTTPS connections. Use an SSL proxy instead, such as Stunnel. |