Forum Replies Created
-
Posts
-
Thank you Serpent Fly. I had to link to ndisapi.lib and then add ndisapi.dll to my path (I chose inside the projects debug folder). She is running, and that is a relief.
I verified that my computer does have all those libraries. However upon further look, I determined that there were function prototypes for NDisApi functions like “ReadPacket” but not function definitions. I wrote to Serpentfly and he told me that the definitions were in ndisapi.dll. Most of the folders (bin/Cbuilder/kernel) have a ndisapi.dll file in them but the MSVC folder does not. So I copied ndisapi.dll into the MSVC folder (still trying to get the MSVC version to compile) and added an include statement on ndisapi.h to include the ndisapi.dll. Unfortunately this gave me different errors, however the original problem of the “unresolved external symbols” is gone. How should the program link to ndisapi.dll? I’ll review the other folders/files and maybe I can figure it out.
Thanks krisleech, the randomization you are talking about is a little further than even I was looking for. We just want to randomize the initial sequence numbers, not all the sequence numbers. Let me give you some stats from our research to show you what we a looking for. The following is 2 lists of initial sequence numbers seen by a target destination. The first is a list of ISNs (initial sequence numbers) seen from a normal Microsoft windows 2000 host directly connected. Note there is some randomizaiton. The second is with a PIX 525 inline between the source (2 windows 2000 hosts) and the destination (the same target host). The PIX greatly improved the randomization of the ISNs. These should highlight the differences and level of randomization we would like to see:
1.BASELINE (no firewall involved, just Microsoft’s native randomizing)
3821792392
3822536869
3823369052
-1min pause
3834763729
3835673715
3836565869
-1min pause
3848653605
3849412963
3850277338
-1min pause
3862514801 suspicious
3863329333
3863993408
-1min pause
3876307621
3877050874
3877880730
15. PIX firewall – future reference ethereal capture c:temppix2.txtFIREWALL INSIDE INTERFACE SAW: 245852646 (from comp1)
246488339 (from comp1)
247409802 (from comp1)
247997942 (from comp1)
248683549 (from comp1)
3005282343(from comp2)
3005947206(from comp2)
3006637540(from comp2)
3007270429(from comp2)
3007936591(from comp2)
DESTINATION SAW the following ISNs in order, for the above packets:
497976609
698736491
1144843323
1753896461
2045921313
85892628
3876006248
3622132887
489476749
174402616
– no comparison right? The PIX, in it’s state table, runs its own list of sequence numbers which allows it to greatly improve randomization. That is what we are looking for using Winpkfilter. Well that, and the randomization of the IP id field, which is simple compared to ISNs.Does anyone have a copy of a program in which they have manipulated tcp/ip fields that works, that we could get a copy of? Thank you.
I should be working instead of following this thread, but.. Right on SerpentFly, and there is another way to prevent that rare situation where source/destination ip addresses and source/destination ports are the same and conflicting inside NAT. That would be to keep track of what the source ports were that you assigned when you NAT’d them to the outside world. I think this is how the PIX firewall does it, because the PIX definitely does reorganize/obscure the source ports, though most firewalls that I have seen do not.
I may be able help you out with the NAT port issue, for clarification. For any connection from your host to an external server, your source port number will be something above 1024 and it does not matter what that number is. The only port number that is involved in determining what service is talking is the destination port. For example, if you want to use internet explorer to connect to http://www.cowdance.com (one of my favorites) your original packet sent to http://www.cowdance.com will have a destination port of 80 and a source port number over 1024, say 1025 for example. So, getting back to the question, there is some value added in changing the source port numbers during NAT. It helps hide your internal computer(s), but most users don’t need to do that. I wouldn’t bother changing the source port unless there was a particular reason to be sneaky about your internal network. Also, you don’t have to worry about it breaking connections as long as your “state” table translation is working.
