Attacking Network Protocols. No Starch Press

A Hacker’s Guide to Capture, Analysis, and Exploitation

by James Forshaw


Foreword by Katie Moussouris
The Basics of Networking
Capturing Application Traffic
Network Protocol Structures
Advanced Application Traffic Capture
Analysis from the Wire
Application Reverse Engineering
Network Protocol Security
Implementing the Network Protocol
The Root Causes of Vulnerabilities
Finding and Exploiting Security Vulnerabilities
Appendix: Network Protocol Analysis Toolkit

e-books shop
Attacking Network Protocols:
A Hacker’s Guide to Capture, Analysis, and Exploitation

Purchase Now !
Just with Paypal

Book Details
 3.00 USD
 380 p
 File Size
 7,304 KB
 File Type
 PDF format
 2018 by James Forshaw  

About the Author
James Forshaw is a renowned computer security researcher at Google Project Zero, with
more than ten years of experience in analyzing and exploiting application network
protocols. His skills range from cracking game consoles to exposing complex design issues
in operating systems, especially Microsoft Windows, which earned him the top bug bounty
of $100,000 and placed him as the #1 researcher on Microsoft Security Response Center’s
(MSRC) published list. He’s the creator of the network protocol analysis tool, Canape,
which was developed from his years of experience. He’s been invited to present his novel
security research at global security conferences such as BlackHat, CanSecWest and Chaos
Computer Congress.

About the Technical Reviewer
Since the early days of Commodore PET and VIC-20, technology has been a constant
companion (and sometimes an obsession!) to Cliff Janzen. Cliff discovered his career
passion when he moved to information security in 2008 after a decade of IT operations.
Since then, Cliff has had the great fortune to work with and learn from some of the best
people in the industry, including Mr. Forshaw and the fine people at No Starch during the
production of this book. He is happily employed as a security consultant, doing everything
from policy review to penetration tests. He feels lucky to have a career that is also his
favorite hobby and a wife who supports him.

FOREWORD by Katie Moussouris
Why Read This Book?
What’s in This Book?
How to Use This Book
Contact Me
Network Architecture and Protocols
The Internet Protocol Suite
Data Encapsulation
Headers, Footers, and Addresses
Data Transmission
Network Routing
My Model for Network Protocol Analysis
Final Words
Passive Network Traffic Capture
Quick Primer for Wireshark
Alternative Passive Capture Techniques
System Call Tracing
The strace Utility on Linux
Monitoring Network Connections with DTrace
Process Monitor on Windows
Advantages and Disadvantages of Passive Capture
Active Network Traffic Capture
Network Proxies
Port-Forwarding Proxy
HTTP Proxies
Forwarding an HTTP Proxy
Reverse HTTP Proxy
Final Words
Binary Protocol Structures
Numeric Data
Bit Flags
Binary Endian
Text and Human-Readable Data
Variable Binary Length Data
Dates and Times
POSIX/Unix Time
Tag, Length, Value Pattern
Multiplexing and Fragmentation
Network Address Information
Structured Binary Formats
Text Protocol Structures
Numeric Data
Text Booleans
Dates and Times
Variable-Length Data
Structured Text Formats
Encoding Binary Data
Hex Encoding
Final Words
Rerouting Traffic
Using Traceroute
Routing Tables
Configuring a Router
Enabling Routing on Windows
Enabling Routing on *nix
Network Address Translation
Enabling SNAT
Configuring SNAT on Linux
Enabling DNAT
Forwarding Traffic to a Gateway
DHCP Spoofing
ARP Poisoning
Final Words
The Traffic-Producing Application: SuperFunkyChat
Starting the Server
Starting Clients
Communicating Between Clients
A Crash Course in Analysis with Wireshark
Generating Network Traffic and Capturing Packets
Basic Analysis
Reading the Contents of a TCP Session
Identifying Packet Structure with Hex Dump
Viewing Individual Packets
Determining the Protocol Structure
Testing Our Assumptions
Dissecting the Protocol with Python
Developing Wireshark Dissectors in Lua
Creating the Dissector
The Lua Dissection
Parsing a Message Packet
Using a Proxy to Actively Analyze Traffic
Setting Up the Proxy
Protocol Analysis Using a Proxy
Adding Basic Protocol Parsing
Changing Protocol Behavior
Final Words
Compilers, Interpreters, and Assemblers
Interpreted Languages
Compiled Languages
Static vs. Dynamic Linking
The x86 Architecture
The Instruction Set Architecture
CPU Registers
Program Flow
Operating System Basics
Executable File Formats
Processes and Threads
Operating System Networking Interface
Application Binary Interface
Static Reverse Engineering
A Quick Guide to Using IDA Pro Free Edition
Analyzing Stack Variables and Arguments
Identifying Key Functionality
Dynamic Reverse Engineering
Setting Breakpoints
Debugger Windows
Where to Set Breakpoints?
Reverse Engineering Managed Languages
.NET Applications
Using ILSpy
Java Applications
Dealing with Obfuscation
Reverse Engineering Resources
Final Words
Encryption Algorithms
Substitution Ciphers
XOR Encryption
Random Number Generators
Symmetric Key Cryptography
Block Ciphers
Block Cipher Modes
Block Cipher Padding
Padding Oracle Attack
Stream Ciphers
Asymmetric Key Cryptography
RSA Algorithm
RSA Padding
Diffie–Hellman Key Exchange
Signature Algorithms
Cryptographic Hashing Algorithms
Asymmetric Signature Algorithms
Message Authentication Codes
Public Key Infrastructure
X.509 Certificates
Verifying a Certificate Chain
Case Study: Transport Layer Security
The TLS Handshake
Initial Negotiation
Endpoint Authentication
Establishing Encryption
Meeting Security Requirements
Final Words
Replaying Existing Captured Network Traffic
Capturing Traffic with Netcat
Using Python to Resend Captured UDP Traffic
Repurposing Our Analysis Proxy
Repurposing Existing Executable Code
Repurposing Code in .NET Applications
Repurposing Code in Java Applications
Unmanaged Executables
Encryption and Dealing with TLS
Learning About the Encryption In Use
Decrypting the TLS Traffic
Final Words
Vulnerability Classes
Remote Code Execution
Information Disclosure
Authentication Bypass
Authorization Bypass
Memory Corruption Vulnerabilities
Memory-Safe vs. Memory-Unsafe Programming Languages
Memory Buffer Overflows
Out-of-Bounds Buffer Indexing
Data Expansion Attack
Dynamic Memory Allocation Failures
Default or Hardcoded Credentials
User Enumeration
Incorrect Resource Access
Verbose Errors
Memory Exhaustion Attacks
Storage Exhaustion Attacks
CPU Exhaustion Attacks
Algorithmic Complexity
Configurable Cryptography
Format String Vulnerabilities
Command Injection
SQL Injection
Text-Encoding Character Replacement
Final Words
Fuzz Testing
The Simplest Fuzz Test
Mutation Fuzzer
Generating Test Cases
Vulnerability Triaging
Debugging Applications
Improving Your Chances of Finding the Root Cause of a Crash
Exploiting Common Vulnerabilities
Exploiting Memory Corruption Vulnerabilities
Arbitrary Memory Write Vulnerability
Writing Shell Code
Getting Started
Simple Debugging Technique
Calling System Calls
Executing the Other Programs
Generating Shell Code with Metasploit
Memory Corruption Exploit Mitigations
Data Execution Prevention
Return-Oriented Programming Counter-Exploit
Address Space Layout Randomization (ASLR)
Detecting Stack Overflows with Memory Canaries
Final Words
Passive Network Protocol Capture and Analysis Tools
Microsoft Message Analyzer
TCPDump and LibPCAP
Active Network Capture and Analysis
Canape Core
Network Connectivity and Protocol Testing
Web Application Testing
Burp Suite
Zed Attack Proxy (ZAP)
Fuzzing, Packet Generation, and Vulnerability Exploitation Frameworks
American Fuzzy Lop (AFL)
Kali Linux
Metasploit Framework
Network Spoofing and Redirection
Executable Reverse Engineering
Java Decompiler (JD)
.NET Reflector

Book Screen
e-books shop

When first introduced, the technology that allowed devices to connect to a network was
exclusive to large companies and governments. Today, most people carry a fully networked
computing device in their pocket, and with the rise of the Internet of Things (IoT), you
can add devices such as your fridge and our home’s security system to this interconnected
world. The security of these connected devices is therefore increasingly important.
Although you might not be too concerned about someone disclosing the details of how
many yogurts you buy, if your smartphone is compromised over the same network as your
fridge, you could lose all your personal and financial information to a malicious attacker.
This book is named Attacking Network Protocols because to find security vulnerabilities
in a network-connected device, you need to adopt the mind-set of the attacker who wants
to exploit those weaknesses. Network protocols communicate with other devices on a
network, and because these protocols must be exposed to a public network and often don’t
undergo the same level of scrutiny as other components of a device, they’re an obvious
attack target.

Why Read This Book?
Many books discuss network traffic capture for the purposes of diagnostics and basic
network analysis, but they don’t focus on the security aspects of the protocols they capture.
What makes this book different is that it focuses on analyzing custom protocols to find
security vulnerabilities.
This book is for those who are interested in analyzing and attacking network protocols
but don’t know where to start. The chapters will guide you through learning techniques to
capture network traffic, performing analysis of the protocols, and discovering and
exploiting security vulnerabilities. The book provides background information on
networking and network security, as well as practical examples of protocols to analyze.
Whether you want to attack network protocols to report security vulnerabilities to an
application’s vendor or just want to know how your latest IoT device communicates, you’ll
find several topics of interest.

What’s in This Book?
This book contains a mix of theoretical and practical chapters. For the practical chapters,
I’ve developed and made available a networking library called Canape Core, which you can
use to build your own tools for protocol analysis and exploitation. I’ve also provided an
example networked application called SuperFunkyChat, which implements a user-to-user
chat protocol. By following the discussions in the chapters, you can use the example
application to learn the skills of protocol analysis and attack the sample network protocols.
Here is a brief breakdown of each chapter:
Chapter 1: The Basics of Networking
This chapter describes the basics of computer networking with a particular focus on
TCP/IP, which forms the basis of application-level network protocols. Subsequent
chapters assume that you have a good grasp of the network basics. This chapter also
introduces the approach I use to model application protocols. The model breaks down
the application protocol into flexible layers and abstracts complex technical detail,
allowing you to focus on the bespoke parts of the protocol you’re analyzing.
Chapter 2: Capturing Application Traffic
This chapter introduces the concepts of passive and active capture of network traffic,
and it’s the first chapter to use the Canape Core network libraries for practical tasks.
Chapter 3: Network Protocol Structures
This chapter contains details of the internal structures that are common across network
protocols, such as the representation of numbers or human-readable text. When you’re
analyzing captured network traffic, you can use this knowledge to quickly identify
common structures, speeding up your analysis.
Chapter 4: Advanced Application Traffic Capture
This chapter explores a number of more advanced capture techniques that complement
the examples in Chapter 2. The advanced capture techniques include configuring
Network Address Translation to redirect traffic of interest and spoofing the address
resolution protocol.
Chapter 5: Analysis from the Wire
This chapter introduces methods for analyzing captured network traffic using the
passive and active techniques described in Chapter 2. In this chapter, we begin using
the SuperFunkyChat application to generate example traffic.
Chapter 6: Application Reverse Engineering
This chapter describes techniques for reverse engineering network-connected
programs. Reverse engineering allows you to analyze a protocol without needing to
capture example traffic. These methods also help to identify how custom encryption or
obfuscation is implemented so you can better analyze traffic you’ve captured.
Chapter 7: Network Protocol Security
This chapter provides background information on techniques and cryptographic
algorithms used to secure network protocols. Protecting the contents of network traffic
from disclosure or tampering as it travels over public networks is of the utmost
importance for network protocol security.
Chapter 8: Implementing the Network Protocol
This chapter explains techniques for implementing the application network protocol in
your own code so you can test the protocol’s behavior to find security weaknesses.
Chapter 9: The Root Causes of Vulnerabilities
This chapter describes common security vulnerabilities you’ll encounter in a network
protocol. When you understand the root causes of vulnerabilities, you can more easily
identify them during analysis.
Chapter 10: Finding and Exploiting Security Vulnerabilities
This chapter describes processes for finding security vulnerabilities based on the root
causes in Chapter 9 and demonstrates a number of ways of exploiting them, including
developing your own shell code and bypassing exploit mitigations through returnoriented
Appendix: Network Protocol Analysis Toolkit
In the appendix, you’ll find descriptions of some of the tools I commonly use when
performing network protocol analysis. Many of the tools are described briefly in the
main body of the text as well.

How to Use This Book
If you want to start with a refresher on the basics of networking, read Chapter 1 first.
When you’re familiar with the basics, proceed to Chapters 2, 3, and 5 for practical
experience in capturing network traffic and learning the network protocol analysis process.
With the knowledge of the principles of network traffic capture and analysis, you can
then move on to Chapters 7 through 10 for practical information on how to find and
exploit security vulnerabilities in these protocols. Chapters 4 and 6 contain more advanced
information about additional capture techniques and application reverse engineering, so
you can read them after you’ve read the other chapters if you prefer.
For the practical examples, you’ll need to install .NET Core
(, which is a cross-platform version of the .NET runtime
from Microsoft that works on Windows, Linux, and macOS. You can then download
releases for Canape Core from and
SuperFunkyChat from; both use
.NET Core as the runtime. Links to each site are available with the book’s resources at
To execute the example Canape Core scripts, you’ll need to use the CANAPE.Cli
application, which will be in the release package downloaded from the Canape Core
Github repository. Execute the script with the following command line, replacing script.csx
with the name of the script you want to execute.
dotnet exec CANAPE.Cli.dll script.csx
All example listings for the practical chapters as well as packet captures are available on
the book’s page at It’s best to download these
example listings before you begin so you can follow the practical chapters without having
to enter a large amount of source code manually.

Loading... Protection Status