--- /dev/null
+
+# 00
+
+```shell
+ ----------------------------------------
+ | bridge |
+ | (NAT) |
+ | 192.168.122.1/24 |
+ --------------|---------------|---------
+ | |
+--------------------------|----- -----|-------------------------
+| router0 | | router1 |
+| (ubuntu24-server VM) | | (ubuntu-24-2 VM) |
+| 192.168.122.204/24 | | 192.168.122.200/24 |
+| | | | |
+| ------------------|------- | | -------------------------- |
+| | network0 | | | | network1 | |
+| | (net1 namespace) | | | | (net1 namespace) | |
+| | 10.0.10.2/24 | | | | 10.0.11.2/24 | |
+-------------------------------- ------------------------------
+
+```
+
+
+# 01
+
+```shell
+thy@ubuntu24-server:~/box$ sudo ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host noprefixroute
+ valid_lft forever preferred_lft forever
+2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+ link/ether 52:54:00:e2:07:25 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.122.204/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0
+ valid_lft 2074sec preferred_lft 2074sec
+ inet6 fe80::5054:ff:fee2:725/64 scope link
+ valid_lft forever preferred_lft forever
+
+
+```
+
+# 02
+
+```shell
+
+thy@ubuntu-24-2:~/box$ sudo ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host noprefixroute
+ valid_lft forever preferred_lft forever
+2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+ link/ether 52:54:00:e2:07:21 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.122.200/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0
+ valid_lft 2102sec preferred_lft 2102sec
+ inet6 fe80::5054:ff:fee2:721/64 scope link
+ valid_lft forever preferred_lft forever
+
+```
+# 03
+
+```shell
+
+thy@ubuntu-24-2:~/box$ nc -l 192.168.122.200 9999
+
+```
+
+```shell
+thy@ubuntu24-server:~/box$ nc 192.168.122.200 9999
+qwer
+
+
+```
+
+# 04
+
+```shell
+
+sudo apt update
+sudo apt install bird tshark
+
+sudo systemctl stop bird
+```
+
+# 05
+
+```shell
+
+./on0.sh
+
+```
+
+```shell
+
+./on1.sh
+
+```
+
+# 06
+
+```shell
+
+thy@ubuntu24-server:~/box$ ip a
+...
+4: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+ link/ether 86:59:90:1a:4a:60 brd ff:ff:ff:ff:ff:ff link-netns net1
+ inet 10.0.10.1/24 scope global veth1
+ valid_lft forever preferred_lft forever
+ inet6 fe80::8459:90ff:fe1a:4a60/64 scope link
+ valid_lft forever preferred_lft forever
+
+```
+
+# 07
+
+```shell
+
+thy@ubuntu24-server:~/box$ sudo ip netns exec net1 ip a
+1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+2: veth2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+ link/ether 9a:45:f6:36:e8:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0
+ inet 10.0.10.2/24 scope global veth2
+ valid_lft forever preferred_lft forever
+ inet6 fe80::9845:f6ff:fe36:e8cb/64 scope link
+ valid_lft forever preferred_lft forever
+
+
+
+```
+
+
+# 08
+
+```shell
+thy@ubuntu-24-2:~$ sudo tshark -i veth1
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'veth1'
+
+
+```
+
+# 09
+
+```shell
+thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
+
+
+```
+```shell
+
+thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
+
+
+```
+
+# 10
+
+```shell
+thy@ubuntu24-server:~/box$ sudo ip route add 192.168.122.200 dev enp1s0
+thy@ubuntu24-server:~/box$ sudo ip route add 10.0.11.0/24 via 192.168.122.200 dev enp1s0
+```
+
+```shell
+thy@ubuntu-24-2:~/box$ sudo ip route add 192.168.122.204 dev enp1s0
+thy@ubuntu-24-2:~/box$ sudo ip route add 10.0.10.0/24 via 192.168.122.204 dev enp1s0
+```
+
+# 11
+
+```shell
+thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
+
+```
+
+```shell
+thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
+asdf
+```
+# 12
+
+```shell
+
+ 7 209.216657001 10.0.10.2 → 10.0.11.2 TCP 74 54346 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2153550491 TSecr=0 WS=128
+ 8 209.216718956 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 54346 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1584711764 TSecr=2153550491 WS=128
+ 9 209.217147388 10.0.10.2 → 10.0.11.2 TCP 66 54346 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2153550492 TSecr=1584711764
+ 10 211.003022696 10.0.10.2 → 10.0.11.2 TCP 71 54346 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=5 TSval=2153552277 TSecr=1584711764
+ 11 211.003087706 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 54346 [ACK] Seq=1 Ack=6 Win=65280 Len=0 TSval=1584713551 TSecr=2153552277
+
+```
+
+# 13
+
+```shell
+thy@ubuntu24-server:~/box$ sudo ip route del 192.168.122.200 dev enp1s0
+thy@ubuntu24-server:~/box$ sudo ip route del 10.0.11.0/24 via 192.168.122.200 dev enp1s0
+
+```
+```shell
+thy@ubuntu-24-2:~/box$ sudo ip route del 192.168.122.204 dev enp1s0
+thy@ubuntu-24-2:~/box$ sudo ip route del 10.0.10.0/24 via 192.168.122.204 dev enp1s0
+
+```
+
+# 14
+
+```shell
+vim /etc/bird/bird.conf
+
+```
+
+
+# 15
+
+```shell
+sudo systemctl restart bird
+```
+
+# 16
+
+```shell
+thy@ubuntu24-server:~/box$ sudo birdc show protocols
+BIRD 1.6.8 ready.
+name proto table state since info
+kernel1 Kernel master up 23:45:55
+device1 Device master up 23:45:55
+direct1 Direct master up 23:45:55
+b0 BGP master up 23:45:59 Established
+
+thy@ubuntu24-server:~/box$ sudo birdc show route
+BIRD 1.6.8 ready.
+10.0.10.0/24 dev veth1 [direct1 23:45:55] * (240)
+10.0.11.0/24 via 192.168.122.200 on enp1s0 [b0 23:45:59] * (100) [AS64521i]
+192.168.122.0/24 dev enp1s0 [direct1 23:45:55] * (240)
+ via 192.168.122.200 on enp1s0 [b0 23:45:59] (100) [AS64521i]
+
+
+```
+```shell
+thy@ubuntu-24-2:~/box$ sudo birdc show protocols
+BIRD 1.6.8 ready.
+name proto table state since info
+kernel1 Kernel master up 23:45:59
+device1 Device master up 23:45:59
+direct1 Direct master up 23:45:59
+b1 BGP master up 23:45:59 Established
+
+thy@ubuntu-24-2:~/box$ sudo birdc show route
+BIRD 1.6.8 ready.
+10.0.10.0/24 via 192.168.122.204 on enp1s0 [b1 23:45:59] * (100) [AS64520i]
+10.0.11.0/24 dev veth1 [direct1 23:45:59] * (240)
+192.168.122.0/24 dev enp1s0 [direct1 23:45:59] * (240)
+ via 192.168.122.204 on enp1s0 [b1 23:45:59] (100) [AS64520i]
+
+
+```
+
+# 17
+
+```shell
+thy@ubuntu24-server:~/box$ sudo ip route
+default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.204 metric 100
+10.0.10.0/24 dev veth1 proto kernel scope link src 10.0.10.1
+10.0.11.0/24 via 192.168.122.200 dev enp1s0 proto bird
+192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.204 metric 100
+192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.204 metric 100
+```
+```shell
+thy@ubuntu-24-2:~/box$ sudo ip route
+default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.200 metric 100
+10.0.10.0/24 via 192.168.122.204 dev enp1s0 proto bird
+10.0.11.0/24 dev veth1 proto kernel scope link src 10.0.11.1
+192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.200 metric 100
+192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.200 metric 100
+
+```
+
+# 18
+
+```shell
+thy@ubuntu24-server:~$ sudo tshark -i veth1
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'veth1'
+
+```
+```shell
+thy@ubuntu-24-2:~$ sudo tshark -i veth1
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'veth1'
+
+```
+
+# 19
+
+```shell
+
+thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
+```
+
+```shell
+
+thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
+bgp helloo!!!!
+
+```
+
+# 20
+
+```shell
+thy@ubuntu24-server:~$ sudo tshark -i veth1
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'veth1'
+ 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128
+ 2 0.000337346 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128
+ 3 0.000354149 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134
+ 4 5.292822389 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 Who has 10.0.10.2? Tell 10.0.10.1
+ 5 5.292843243 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 Who has 10.0.10.1? Tell 10.0.10.2
+ 6 5.293009682 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 10.0.10.1 is at 86:59:90:1a:4a:60
+ 7 5.292981525 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 10.0.10.2 is at 9a:45:f6:36:e8:cb
+ 8 8.448817263 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134
+ 9 8.449367387 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310
+
+
+```
+
+```shell
+thy@ubuntu-24-2:~$ sudo tshark -i veth1
+Running as user "root" and group "root". This could be dangerous.
+Capturing on 'veth1'
+ 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128
+ 2 0.000056658 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128
+ 3 0.000197636 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134
+ 4 5.093841101 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 Who has 10.0.11.2? Tell 10.0.11.1
+ 5 5.093832531 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 Who has 10.0.11.1? Tell 10.0.11.2
+ 6 5.093891327 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 10.0.11.1 is at 06:63:34:0b:98:ef
+ 7 5.093898882 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 10.0.11.2 is at 7e:9f:2d:eb:7c:33
+ 8 8.448882261 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134
+ 9 8.448965966 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310
+
+```
+
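Review bot: section 14 only shows `vim /etc/bird/bird.conf`, so the BGP sessions `b0`/`b1` and the AS numbers 64520/64521 that appear in section 16 cannot be reproduced from these notes; please include the `bird.conf` contents used on each router, and say what `./on0.sh` and `./on1.sh` in section 05 set up. The `birdc show route` output in section 16 also shows each router receiving the shared 192.168.122.0/24 from its peer in addition to the namespace prefix, so it is worth showing the config with an export filter that announces only 10.0.10.0/24 and 10.0.11.0/24 respectively. Section 09 shows no outcome for the `nc` attempt made before the static routes in section 10 exist; a one-line note on what was observed would make the contrast with section 11 clear.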
+++ /dev/null
-
-#
-
-```shell
-thy@ubuntu24-server:~/box$ sudo ip a
-1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host noprefixroute
- valid_lft forever preferred_lft forever
-2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 52:54:00:e2:07:25 brd ff:ff:ff:ff:ff:ff
- inet 192.168.122.204/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0
- valid_lft 2074sec preferred_lft 2074sec
- inet6 fe80::5054:ff:fee2:725/64 scope link
- valid_lft forever preferred_lft forever
-
-
-```
-
-#
-
-```shell
-
-thy@ubuntu-24-2:~/box$ sudo ip a
-1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host noprefixroute
- valid_lft forever preferred_lft forever
-2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 52:54:00:e2:07:21 brd ff:ff:ff:ff:ff:ff
- inet 192.168.122.200/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0
- valid_lft 2102sec preferred_lft 2102sec
- inet6 fe80::5054:ff:fee2:721/64 scope link
- valid_lft forever preferred_lft forever
-
-```
-#
-
-```shell
-
-thy@ubuntu-24-2:~/box$ nc -l 192.168.122.200 9999
-
-```
-
-```shell
-thy@ubuntu24-server:~/box$ nc 192.168.122.200 9999
-qwer
-
-
-```
-
-#
-
-```shell
-
-sudo apt update
-sudo apt install bird tshark
-
-sudo systemctl stop bird
-```
-
-#
-
-```shell
-
-./on0.sh
-
-```
-
-```shell
-
-./on1.sh
-
-```
-
-#
-
-```shell
-
-thy@ubuntu24-server:~/box$ ip a
-...
-4: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 86:59:90:1a:4a:60 brd ff:ff:ff:ff:ff:ff link-netns net1
- inet 10.0.10.1/24 scope global veth1
- valid_lft forever preferred_lft forever
- inet6 fe80::8459:90ff:fe1a:4a60/64 scope link
- valid_lft forever preferred_lft forever
-
-```
-
-#
-
-```shell
-
-thy@ubuntu24-server:~/box$ sudo ip netns exec net1 ip a
-1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-2: veth2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 9a:45:f6:36:e8:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0
- inet 10.0.10.2/24 scope global veth2
- valid_lft forever preferred_lft forever
- inet6 fe80::9845:f6ff:fe36:e8cb/64 scope link
- valid_lft forever preferred_lft forever
-
-
-
-```
-
-
-#
-
-```shell
-thy@ubuntu-24-2:~$ sudo tshark -i veth1
-Running as user "root" and group "root". This could be dangerous.
-Capturing on 'veth1'
-
-
-```
-
-#
-
-```shell
-thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
-
-
-```
-```shell
-
-thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
-
-
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~/box$ sudo ip route add 192.168.122.200 dev enp1s0
-thy@ubuntu24-server:~/box$ sudo ip route add 10.0.11.0/24 via 192.168.122.200 dev enp1s0
-```
-
-```shell
-thy@ubuntu-24-2:~/box$ sudo ip route add 192.168.122.204 dev enp1s0
-thy@ubuntu-24-2:~/box$ sudo ip route add 10.0.10.0/24 via 192.168.122.204 dev enp1s0
-```
-
-#
-
-```shell
-thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
-
-```
-
-```shell
-thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
-asdf
-```
-#
-
-```shell
-
- 7 209.216657001 10.0.10.2 → 10.0.11.2 TCP 74 54346 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2153550491 TSecr=0 WS=128
- 8 209.216718956 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 54346 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1584711764 TSecr=2153550491 WS=128
- 9 209.217147388 10.0.10.2 → 10.0.11.2 TCP 66 54346 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2153550492 TSecr=1584711764
- 10 211.003022696 10.0.10.2 → 10.0.11.2 TCP 71 54346 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=5 TSval=2153552277 TSecr=1584711764
- 11 211.003087706 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 54346 [ACK] Seq=1 Ack=6 Win=65280 Len=0 TSval=1584713551 TSecr=2153552277
-
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~/box$ sudo ip route del 192.168.122.200 dev enp1s0
-thy@ubuntu24-server:~/box$ sudo ip route del 10.0.11.0/24 via 192.168.122.200 dev enp1s0
-
-```
-```shell
-thy@ubuntu-24-2:~/box$ sudo ip route del 192.168.122.204 dev enp1s0
-thy@ubuntu-24-2:~/box$ sudo ip route del 10.0.10.0/24 via 192.168.122.204 dev enp1s0
-
-```
-
-#
-
-```shell
-vim /etc/bird/bird.conf
-
-```
-
-
-#
-
-```shell
-sudo systemctl restart bird
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~/box$ sudo birdc show protocols
-BIRD 1.6.8 ready.
-name proto table state since info
-kernel1 Kernel master up 23:45:55
-device1 Device master up 23:45:55
-direct1 Direct master up 23:45:55
-b0 BGP master up 23:45:59 Established
-
-thy@ubuntu24-server:~/box$ sudo birdc show route
-BIRD 1.6.8 ready.
-10.0.10.0/24 dev veth1 [direct1 23:45:55] * (240)
-10.0.11.0/24 via 192.168.122.200 on enp1s0 [b0 23:45:59] * (100) [AS64521i]
-192.168.122.0/24 dev enp1s0 [direct1 23:45:55] * (240)
- via 192.168.122.200 on enp1s0 [b0 23:45:59] (100) [AS64521i]
-
-
-```
-```shell
-thy@ubuntu-24-2:~/box$ sudo birdc show protocols
-BIRD 1.6.8 ready.
-name proto table state since info
-kernel1 Kernel master up 23:45:59
-device1 Device master up 23:45:59
-direct1 Direct master up 23:45:59
-b1 BGP master up 23:45:59 Established
-
-thy@ubuntu-24-2:~/box$ sudo birdc show route
-BIRD 1.6.8 ready.
-10.0.10.0/24 via 192.168.122.204 on enp1s0 [b1 23:45:59] * (100) [AS64520i]
-10.0.11.0/24 dev veth1 [direct1 23:45:59] * (240)
-192.168.122.0/24 dev enp1s0 [direct1 23:45:59] * (240)
- via 192.168.122.204 on enp1s0 [b1 23:45:59] (100) [AS64520i]
-
-
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~/box$ sudo ip route
-default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.204 metric 100
-10.0.10.0/24 dev veth1 proto kernel scope link src 10.0.10.1
-10.0.11.0/24 via 192.168.122.200 dev enp1s0 proto bird
-192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.204 metric 100
-192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.204 metric 100
-```
-```shell
-thy@ubuntu-24-2:~/box$ sudo ip route
-default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.200 metric 100
-10.0.10.0/24 via 192.168.122.204 dev enp1s0 proto bird
-10.0.11.0/24 dev veth1 proto kernel scope link src 10.0.11.1
-192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.200 metric 100
-192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.200 metric 100
-
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~$ sudo tshark -i veth1
-Running as user "root" and group "root". This could be dangerous.
-Capturing on 'veth1'
-
-```
-```shell
-thy@ubuntu-24-2:~$ sudo tshark -i veth1
-Running as user "root" and group "root". This could be dangerous.
-Capturing on 'veth1'
-
-```
-
-#
-
-```shell
-
-thy@ubuntu-24-2:~/box$ sudo ip netns exec net1 nc -l 10.0.11.2 9999
-```
-
-```shell
-
-thy@ubuntu24-server:~/box$ sudo ip netns exec net1 nc 10.0.11.2 9999
-bgp helloo!!!!
-
-```
-
-#
-
-```shell
-thy@ubuntu24-server:~$ sudo tshark -i veth1
-Running as user "root" and group "root". This could be dangerous.
-Capturing on 'veth1'
- 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128
- 2 0.000337346 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128
- 3 0.000354149 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134
- 4 5.292822389 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 Who has 10.0.10.2? Tell 10.0.10.1
- 5 5.292843243 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 Who has 10.0.10.1? Tell 10.0.10.2
- 6 5.293009682 86:59:90:1a:4a:60 → 9a:45:f6:36:e8:cb ARP 42 10.0.10.1 is at 86:59:90:1a:4a:60
- 7 5.292981525 9a:45:f6:36:e8:cb → 86:59:90:1a:4a:60 ARP 42 10.0.10.2 is at 9a:45:f6:36:e8:cb
- 8 8.448817263 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134
- 9 8.449367387 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310
-
-
-```
-
-```shell
-thy@ubuntu-24-2:~$ sudo tshark -i veth1
-Running as user "root" and group "root". This could be dangerous.
-Capturing on 'veth1'
- 1 0.000000000 10.0.10.2 → 10.0.11.2 TCP 74 53488 → 9999 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2154111861 TSecr=0 WS=128
- 2 0.000056658 10.0.11.2 → 10.0.10.2 TCP 74 9999 → 53488 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1585273134 TSecr=2154111861 WS=128
- 3 0.000197636 10.0.10.2 → 10.0.11.2 TCP 66 53488 → 9999 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2154111861 TSecr=1585273134
- 4 5.093841101 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 Who has 10.0.11.2? Tell 10.0.11.1
- 5 5.093832531 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 Who has 10.0.11.1? Tell 10.0.11.2
- 6 5.093891327 06:63:34:0b:98:ef → 7e:9f:2d:eb:7c:33 ARP 42 10.0.11.1 is at 06:63:34:0b:98:ef
- 7 5.093898882 7e:9f:2d:eb:7c:33 → 06:63:34:0b:98:ef ARP 42 10.0.11.2 is at 7e:9f:2d:eb:7c:33
- 8 8.448882261 10.0.10.2 → 10.0.11.2 TCP 81 53488 → 9999 [PSH, ACK] Seq=1 Ack=1 Win=64256 Len=15 TSval=2154120310 TSecr=1585273134
- 9 8.448965966 10.0.11.2 → 10.0.10.2 TCP 66 9999 → 53488 [ACK] Seq=1 Ack=16 Win=65152 Len=0 TSval=1585281583 TSecr=2154120310
-
-```
-
--- /dev/null
+# 01
+
+```shell
+
+./setup.sh
+
+```
+
+# 02
+
+
+```shell
+
+----------------------------------------------------
+| |
+| hacker's router |
+| |
+| ----------------- ---------------- |
+| | vet11 | | veth21 | |
+| | 192.168.62.5 | | 192.168.64.5 | |
+| | mitm'd 😈 | | | |
+----------------------------------------------------
+ | |
+ | |
+ | |
+ ----------------- ----------------
+ | veth12 | | veth22 |
+ | 192.168.62.6 | | 192.168.64.6 |
+ | client | | server |
+ ----------------- ----------------
+
+
+
+```
+
+# 03
+
+```shell
+
+./certs.sh
+
+```
+
+# 04
+
+```shell
+sudo ip netns exec net2 openssl s_server -port 9999 -cert ./certs/server.pem -key ./certs/server_priv.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2
+
+```
+
+
+```shell
+
+sudo ip netns exec net1 openssl s_client -connect 192.168.64.6:9999 -CAfile ./certs/ca.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2
+```
+
+# 05
+
+```shell
+...
+SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : AES256-SHA256
+...
+```
+
+# 06
+
+```c
+
+int hijack_key();
+
+
+```
+
+# 07
+
+```c
+ int dec_len = RSA_private_decrypt(
+ data_len,
+ (unsigned char*)premaster_raw,
+ dec_msg,
+ rsa_priv_key,
+ RSA_PKCS1_PADDING
+ );
+
+
+```
+
+
+# 08
+
+```shell
+# https://datatracker.ietf.org/doc/html/rfc5246
+
+...
+ To generate the key material, compute
+
+ key_block = PRF(SecurityParameters.master_secret,
+ "key expansion",
+ SecurityParameters.server_random +
+ SecurityParameters.client_random);
+
+ until enough output has been generated. Then, the key_block is
+ partitioned as follows:
+
+ client_write_MAC_key[SecurityParameters.mac_key_length]
+ server_write_MAC_key[SecurityParameters.mac_key_length]
+ client_write_key[SecurityParameters.enc_key_length]
+ server_write_key[SecurityParameters.enc_key_length]
+ client_write_IV[SecurityParameters.fixed_iv_length]
+ server_write_IV[SecurityParameters.fixed_iv_length]
+
+...
+
+
+```
+
+# 09
+
+```c
+/*
+ * steal start
+ * https://github.com/openssl/openssl/blob/master/providers/implementations/kdfs/tls1_prf.c
+ *
+*/
+static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init,
+ const unsigned char *sec, size_t sec_len,
+ const unsigned char *seed, size_t seed_len,
+ unsigned char *out, size_t olen)
+{
+ size_t chunk;
+ EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL;
+ unsigned char Ai[EVP_MAX_MD_SIZE];
+ size_t Ai_len;
+ int ret = 0;
+
+ if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL))
+ goto err;
+ chunk = EVP_MAC_CTX_get_mac_size(ctx_init);
+ if (chunk == 0)
+ goto err;
+ /* A(0) = seed */
+ ctx_Ai = EVP_MAC_CTX_dup(ctx_init);
+ if (ctx_Ai == NULL)
+ goto err;
+ if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len))
+ goto err;
+
+ for (;;) {
+ /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */
+ if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai)))
+ goto err;
+ EVP_MAC_CTX_free(ctx_Ai);
+ ctx_Ai = NULL;
+
+ /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */
+ ctx = EVP_MAC_CTX_dup(ctx_init);
+ if (ctx == NULL)
+ goto err;
+ if (!EVP_MAC_update(ctx, Ai, Ai_len))
+ goto err;
+ /* save state for calculating next A(i) value */
+ if (olen > chunk) {
+ ctx_Ai = EVP_MAC_CTX_dup(ctx);
+ if (ctx_Ai == NULL)
+ goto err;
+ }
+ if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
+ goto err;
+ if (olen <= chunk) {
+ /* last chunk - use Ai as temp bounce buffer */
+ if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai)))
+ goto err;
+ memcpy(out, Ai, olen);
+ break;
+ }
+ if (!EVP_MAC_final(ctx, out, NULL, olen))
+ goto err;
+ EVP_MAC_CTX_free(ctx);
+ ctx = NULL;
+ out += chunk;
+ olen -= chunk;
+ }
+ ret = 1;
+
+ err:
+ EVP_MAC_CTX_free(ctx);
+ EVP_MAC_CTX_free(ctx_Ai);
+ OPENSSL_cleanse(Ai, sizeof(Ai));
+ return ret;
+}
+/*
+ * steal end
+*/
+```
+
+# 10
+
+```shell
+
+seclen: 48, seedlen: 54, olen: 48
+sec:
+0303C50E21125FEC8635A168DA82BD7269D18B1AD4D5BEA6818527F55F4C2872AD6E4EBACA83BAC3B36E69E4ED15916F
+seedstr: extended master secretW�SPeK^"�勘�0�U�n^��/��@&r�
+seed:
+657874656E646564206D61737465722073656372657457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7
+out:
+4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
+seclen: 48, seedlen: 77, olen: 160
+sec:
+4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
+seedstr: key expansion���n_ 'B��Ce&Oqb�
+}Oɉ�_H�
+seed:
+6B657920657870616E73696F6EB519C2E76E5F09274282CC43F19A8CA065264F716216D20A7D4FC98907FD5F48840800745893FFE3F025D356EBA71346456907FAB463E830A91CFF28EACF6268
+out:
+ABAD28DAB7B616EB03B55B58E516B9B6A30FBF6283BE3372179C036F5A662D6CA86CAB7F0C17F5AA6C3FFAB275CA475834F024E6143E1B5AED0A58C720A35E9C7E8EC02569BFCCEECF6E7C5E6DA04008BD98803D346317D9D283C2B7BAB56CED237D9845D9C2B963A9D03FC8A39042A5398E9F15D280B8536485DB2093F5296FF5134EAE36A5B49C096A7C6D210A30EDBA2E61D143B965E6B4664C1E3F821EBD
+seclen: 48, seedlen: 47, olen: 12
+sec:
+4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
+seedstr: client finishedW�SPeK^"�勘�0�U�n^��/��@&r�
+seed:
+636C69656E742066696E697368656457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7
+out:
+B16679F75903CDDED98F1410
+seclen: 48, seedlen: 47, olen: 12
+sec:
+4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
+seedstr: server finished}g��+[��˶�
+seed:
+7365727665722066696E69736865647D67F8AA2B5B1799B3CBB6E3A700F587A8920B80D7E1848346DF829D5ADD4FE1
+out:
+9EFC18B4D2A28F38DC3818B6
+
+```
+
+# 11
+```shell
+# https://datatracker.ietf.org/doc/html/rfc7627
+...
+The "session_hash" is intended to encompass all relevant session
+ information, including ciphersuite negotiation, key exchange
+ messages, and client and server identities. The hash is needed to
+ compute the extended master secret and hence must be available before
+ the Finished messages.
+
+ This document sets the "session_hash" to cover all handshake messages
+ up to and including the ClientKeyExchange.
+...
+```
+
+
+# 12
+
+```shell
+# https://datatracker.ietf.org/doc/html/rfc7366
+...
+3. Applying Encrypt-then-MAC
+
+ Once the use of encrypt-then-MAC has been negotiated, processing of
+ TLS/DTLS packets switches from the standard:
+
+ encrypt( data || MAC || pad )
+
+ to the new:
+
+ encrypt( data || pad ) || MAC
+
+ with the MAC covering the entire packet up to the start of the MAC
+ value. In TLS [2] notation, the MAC calculation for TLS 1.0 without
+ the explicit Initialization Vector (IV) is:
+
+ MAC(MAC_write_key, seq_num +
+ TLSCipherText.type +
+ TLSCipherText.version +
+ TLSCipherText.length +
+ ENC(content + padding + padding_length));
+...
+ and for TLS 1.1 and greater with an explicit IV is:
+
+ MAC(MAC_write_key, seq_num +
+ TLSCipherText.type +
+ TLSCipherText.version +
+ TLSCipherText.length +
+ IV +
+ ENC(content + padding + padding_length));
+...
+
+```
+
+# 13-1
+
+```c
+ // do serve listens from PF_PACKET socket
+void do_serve();
+ |
+ | // process rx actually captures the packet
+ |
+void* process_rx(const int fd, char* rx_ring, int* len);
+ |
+ | // sniff packet lets sniff action handles the packet,
+ | // if it's TCP
+ |
+void sniff_packet(void* packet);
+ |
+ | // by examining TLS flag, it gathers data from Client Hello, Server Hello,
+ | // etc untils it hits Client Key Exchange
+ |
+void sniff_action(uint8_t* dataraw);
+ |
+ | // if it's Client Key Exchange, it runs the process of
+ | // hijacking master secret
+ ------> int hijack_key();
+ |
+ | // if it successfully hijacked master secret
+ | // it's time to decrypt the client message!
+ ------> int cbc256_decrypt(uint8_t* enc_msg, int enclen, uint8_t* cbc_key, uint8_t* cbc_iv, uint8_t* plain_msg);
+
+```
+
+
+# 13
+
+```shell
+
+./mitm.out
+
+
+```
+
+# 14
+
+```shell
+
+packet RX: 7
+dst mac: 1a:fe:a2:8e:77:09
+dst address: 192.168.64.6
+handshake: client hello
+slen: 116
+
+packet RX: 8
+dst mac: 8e:ee:03:c8:56:22
+dst address: 192.168.62.6
+
+packet RX: 9
+dst mac: 8e:ee:03:c8:56:22
+dst address: 192.168.62.6
+handshake: server hello
+
+packet RX: 10
+dst mac: 1a:fe:a2:8e:77:09
+dst address: 192.168.64.6
+
+packet RX: 11
+dst mac: 1a:fe:a2:8e:77:09
+dst address: 192.168.64.6
+handshake: client key exchange
+declen: 48
+session info len: 1998
+session_hash: 32
+1D85F4612C17261000958F5AB963D9D6FFE3E361800955246FB31D4B23A6ADB0
+extended master secret: label + seedlen: 54
+master:
+ 454A17BE7F52ACBBFF414EC635D541F0CA9F7054065EEB02D38012CF5703EEDB3B5D0CAD4726C823DFF72D00C50A269C
+key expansion: label + seedlen: 77
+master keymat:
+ 6960D327538039F7E56D2B32D29BBC3E7C4752802E73867511D3AEBD092C1E8A9CA0860FC19CC0AD821C7C917A8695983EE7B42874B65894B8C2835AD03A60EE91D39235A4827881CA7CE057CC11244C78A2DA9DF111EFC53D45FFB3EFEC92182BD69CFAA449183E6BB01B622DF473F25D6F35707BA1923A57333FCEF37BB4FE8056C5E26F57BD043791713C844BCD7D003452E63B3FF51FCB0FA3EDF6A2861D
+
+packet RX: 12
+dst mac: 8e:ee:03:c8:56:22
+dst address: 192.168.62.6
+handshake: new session ticket
+
+```
+
+
+# 15
+
+```shell
+ 0070 - 05 5f 50 8c ee 01 9b ac-31 58 dc c3 d6 a7 05 66 ._P.....1X.....f
+ 0080 - fc 58 3f 9f ac 0f b7 0f-0c 3e 1f e1 9b 8c 80 a6 .X?......>......
+ 0090 - 49 7d 20 57 93 b7 8e 6a-9e 99 47 a6 61 41 f5 7e I} W...j..G.aA.~
+ 00a0 - fb 1d 46 41 06 08 3f 2a-09 8a 70 7a 5d 37 5e 92 ..FA..?*..pz]7^.
+
+ Start Time: 1748389568
+ Timeout : 7200 (sec)
+ Verify return code: 0 (ok)
+ Extended master secret: yes
+---
+i see dead people
+
+
+```
+
+# 16
+```shell
+packet RX: 17
+dst mac: 1a:fe:a2:8e:77:09
+dst address: 192.168.64.6
+message: payloadlen: 80
+ 😈 TLSv1.2 hijacked message 😈
+ i see dead people
+
+
+packet RX: 18
+dst mac: 8e:ee:03:c8:56:22
+dst address: 192.168.62.6
+
+
+```
\ No newline at end of file
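Review bot: the PRF trace in section 10 and the run in section 14 are from different handshakes (section 10 derives a master secret starting `4D35`, section 14 prints one starting `454A`), and the `seedstr:` lines in section 10 print raw binary that has become replacement characters; drop the `seedstr:` lines, since `seed:` already carries the same bytes in hex, and either regenerate section 10 from the section 14 run or label it as a separate run. Before section 06, please state which private key `rsa_priv_key` in section 07 refers to and that the approach depends on the RSA key exchange of the suite forced in section 04 (`AES256-SHA256` with `-tls1_2`), because nothing in the notes says why the premaster secret is recoverable. The OpenSSL link in section 09 points at `blob/master`; pin it to a release tag or commit so the copied `tls1_prf_P_hash` can be compared against its source later. Smaller points: `vet11` in the section 02 diagram looks like a typo next to `veth12`/`veth21`/`veth22`, section `13-1` comes before `13`, and the file ends without a trailing newline.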
+++ /dev/null
-# 01
-
-```shell
-
-./setup.sh
-
-```
-
-# 02
-
-
-```shell
-
-----------------------------------------------------
-| |
-| hacker's router |
-| |
-| ----------------- ---------------- |
-| | vet11 | | veth21 | |
-| | 192.168.62.5 | | 192.168.64.5 | |
-| | mitm'd 😈 | | | |
-----------------------------------------------------
- | |
- | |
- | |
- ----------------- ----------------
- | veth12 | | veth22 |
- | 192.168.62.6 | | 192.168.64.6 |
- | client | | server |
- ----------------- ----------------
-
-
-
-```
-
-# 03
-
-```shell
-
-./certs.sh
-
-```
-
-# 04
-
-```shell
-sudo ip netns exec net2 openssl s_server -port 9999 -cert ./certs/server.pem -key ./certs/server_priv.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2
-
-```
-
-
-```shell
-
-sudo ip netns exec net1 openssl s_client -connect 192.168.64.6:9999 -CAfile ./certs/ca.pem -cipher AES256-SHA256:@SECLEVEL=0 -tls1_2
-```
-
-# 05
-
-```shell
-...
-SSL-Session:
- Protocol : TLSv1.2
- Cipher : AES256-SHA256
-...
-```
-
-# 06
-
-```c
-
-int hijack_key();
-
-
-```
-
-# 07
-
-```c
- int dec_len = RSA_private_decrypt(
- data_len,
- (unsigned char*)premaster_raw,
- dec_msg,
- rsa_priv_key,
- RSA_PKCS1_PADDING
- );
-
-
-```
-
-
-# 08
-
-```shell
-# https://datatracker.ietf.org/doc/html/rfc5246
-
-...
- To generate the key material, compute
-
- key_block = PRF(SecurityParameters.master_secret,
- "key expansion",
- SecurityParameters.server_random +
- SecurityParameters.client_random);
-
- until enough output has been generated. Then, the key_block is
- partitioned as follows:
-
- client_write_MAC_key[SecurityParameters.mac_key_length]
- server_write_MAC_key[SecurityParameters.mac_key_length]
- client_write_key[SecurityParameters.enc_key_length]
- server_write_key[SecurityParameters.enc_key_length]
- client_write_IV[SecurityParameters.fixed_iv_length]
- server_write_IV[SecurityParameters.fixed_iv_length]
-
-...
-
-
-```
-
-# 09
-
-```c
-/*
- * steal start
- * https://github.com/openssl/openssl/blob/master/providers/implementations/kdfs/tls1_prf.c
- *
-*/
-static int tls1_prf_P_hash(EVP_MAC_CTX *ctx_init,
- const unsigned char *sec, size_t sec_len,
- const unsigned char *seed, size_t seed_len,
- unsigned char *out, size_t olen)
-{
- size_t chunk;
- EVP_MAC_CTX *ctx = NULL, *ctx_Ai = NULL;
- unsigned char Ai[EVP_MAX_MD_SIZE];
- size_t Ai_len;
- int ret = 0;
-
- if (!EVP_MAC_init(ctx_init, sec, sec_len, NULL))
- goto err;
- chunk = EVP_MAC_CTX_get_mac_size(ctx_init);
- if (chunk == 0)
- goto err;
- /* A(0) = seed */
- ctx_Ai = EVP_MAC_CTX_dup(ctx_init);
- if (ctx_Ai == NULL)
- goto err;
- if (seed != NULL && !EVP_MAC_update(ctx_Ai, seed, seed_len))
- goto err;
-
- for (;;) {
- /* calc: A(i) = HMAC_<hash>(secret, A(i-1)) */
- if (!EVP_MAC_final(ctx_Ai, Ai, &Ai_len, sizeof(Ai)))
- goto err;
- EVP_MAC_CTX_free(ctx_Ai);
- ctx_Ai = NULL;
-
- /* calc next chunk: HMAC_<hash>(secret, A(i) + seed) */
- ctx = EVP_MAC_CTX_dup(ctx_init);
- if (ctx == NULL)
- goto err;
- if (!EVP_MAC_update(ctx, Ai, Ai_len))
- goto err;
- /* save state for calculating next A(i) value */
- if (olen > chunk) {
- ctx_Ai = EVP_MAC_CTX_dup(ctx);
- if (ctx_Ai == NULL)
- goto err;
- }
- if (seed != NULL && !EVP_MAC_update(ctx, seed, seed_len))
- goto err;
- if (olen <= chunk) {
- /* last chunk - use Ai as temp bounce buffer */
- if (!EVP_MAC_final(ctx, Ai, &Ai_len, sizeof(Ai)))
- goto err;
- memcpy(out, Ai, olen);
- break;
- }
- if (!EVP_MAC_final(ctx, out, NULL, olen))
- goto err;
- EVP_MAC_CTX_free(ctx);
- ctx = NULL;
- out += chunk;
- olen -= chunk;
- }
- ret = 1;
-
- err:
- EVP_MAC_CTX_free(ctx);
- EVP_MAC_CTX_free(ctx_Ai);
- OPENSSL_cleanse(Ai, sizeof(Ai));
- return ret;
-}
-/*
- * steal end
-*/
-```
-
-# 10
-
-```shell
-
-seclen: 48, seedlen: 54, olen: 48
-sec:
-0303C50E21125FEC8635A168DA82BD7269D18B1AD4D5BEA6818527F55F4C2872AD6E4EBACA83BAC3B36E69E4ED15916F
-seedstr: extended master secretW�SPeK^"�勘�0�U�n^��/��@&r�
-seed:
-657874656E646564206D61737465722073656372657457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7
-out:
-4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
-seclen: 48, seedlen: 77, olen: 160
-sec:
-4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
-seedstr: key expansion���n_ 'B��Ce&Oqb�
-}Oɉ�_H�
-seed:
-6B657920657870616E73696F6EB519C2E76E5F09274282CC43F19A8CA065264F716216D20A7D4FC98907FD5F48840800745893FFE3F025D356EBA71346456907FAB463E830A91CFF28EACF6268
-out:
-ABAD28DAB7B616EB03B55B58E516B9B6A30FBF6283BE3372179C036F5A662D6CA86CAB7F0C17F5AA6C3FFAB275CA475834F024E6143E1B5AED0A58C720A35E9C7E8EC02569BFCCEECF6E7C5E6DA04008BD98803D346317D9D283C2B7BAB56CED237D9845D9C2B963A9D03FC8A39042A5398E9F15D280B8536485DB2093F5296FF5134EAE36A5B49C096A7C6D210A30EDBA2E61D143B965E6B4664C1E3F821EBD
-seclen: 48, seedlen: 47, olen: 12
-sec:
-4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
-seedstr: client finishedW�SPeK^"�勘�0�U�n^��/��@&r�
-seed:
-636C69656E742066696E697368656457E5535065064B1F5E2286E58B981EE730E055C96E5EBA0FFA2FB3D0402672D7
-out:
-B16679F75903CDDED98F1410
-seclen: 48, seedlen: 47, olen: 12
-sec:
-4D35748B193F886FB3193298D08159AE1E94CF77887A2083D6AA164D4E78D734772906F96F336BE5518AF5B6F450EC5A
-seedstr: server finished}g��+[��˶�
-seed:
-7365727665722066696E69736865647D67F8AA2B5B1799B3CBB6E3A700F587A8920B80D7E1848346DF829D5ADD4FE1
-out:
-9EFC18B4D2A28F38DC3818B6
-
-```
-
-# 11
-```shell
-# https://datatracker.ietf.org/doc/html/rfc7627
-...
-The "session_hash" is intended to encompass all relevant session
- information, including ciphersuite negotiation, key exchange
- messages, and client and server identities. The hash is needed to
- compute the extended master secret and hence must be available before
- the Finished messages.
-
- This document sets the "session_hash" to cover all handshake messages
- up to and including the ClientKeyExchange.
-...
-```
-
-
-# 12
-
-```shell
-# https://datatracker.ietf.org/doc/html/rfc7366
-...
-3. Applying Encrypt-then-MAC
-
- Once the use of encrypt-then-MAC has been negotiated, processing of
- TLS/DTLS packets switches from the standard:
-
- encrypt( data || MAC || pad )
-
- to the new:
-
- encrypt( data || pad ) || MAC
-
- with the MAC covering the entire packet up to the start of the MAC
- value. In TLS [2] notation, the MAC calculation for TLS 1.0 without
- the explicit Initialization Vector (IV) is:
-
- MAC(MAC_write_key, seq_num +
- TLSCipherText.type +
- TLSCipherText.version +
- TLSCipherText.length +
- ENC(content + padding + padding_length));
-...
- and for TLS 1.1 and greater with an explicit IV is:
-
- MAC(MAC_write_key, seq_num +
- TLSCipherText.type +
- TLSCipherText.version +
- TLSCipherText.length +
- IV +
- ENC(content + padding + padding_length));
-...
-
-```
-
-# 13-1
-
-```c
- // do serve listens from PF_PACKET socket
-void do_serve();
- |
- | // process rx actually captures the packet
- |
-void* process_rx(const int fd, char* rx_ring, int* len);
- |
- | // sniff packet lets sniff action handles the packet,
- | // if it's TCP
- |
-void sniff_packet(void* packet);
- |
- | // by examining TLS flag, it gathers data from Client Hello, Server Hello,
- | // etc untils it hits Client Key Exchange
- |
-void sniff_action(uint8_t* dataraw);
- |
- | // if it's Client Key Exchange, it runs the process of
- | // hijacking master secret
- ------> int hijack_key();
- |
- | // if it successfully hijacked master secret
- | // it's time to decrypt the client message!
- ------> int cbc256_decrypt(uint8_t* enc_msg, int enclen, uint8_t* cbc_key, uint8_t* cbc_iv, uint8_t* plain_msg);
-
-```
-
-
-# 13
-
-```shell
-
-./mitm.out
-
-
-```
-
-# 14
-
-```shell
-
-packet RX: 7
-dst mac: 1a:fe:a2:8e:77:09
-dst address: 192.168.64.6
-handshake: client hello
-slen: 116
-
-packet RX: 8
-dst mac: 8e:ee:03:c8:56:22
-dst address: 192.168.62.6
-
-packet RX: 9
-dst mac: 8e:ee:03:c8:56:22
-dst address: 192.168.62.6
-handshake: server hello
-
-packet RX: 10
-dst mac: 1a:fe:a2:8e:77:09
-dst address: 192.168.64.6
-
-packet RX: 11
-dst mac: 1a:fe:a2:8e:77:09
-dst address: 192.168.64.6
-handshake: client key exchange
-declen: 48
-session info len: 1998
-session_hash: 32
-1D85F4612C17261000958F5AB963D9D6FFE3E361800955246FB31D4B23A6ADB0
-extended master secret: label + seedlen: 54
-master:
- 454A17BE7F52ACBBFF414EC635D541F0CA9F7054065EEB02D38012CF5703EEDB3B5D0CAD4726C823DFF72D00C50A269C
-key expansion: label + seedlen: 77
-master keymat:
- 6960D327538039F7E56D2B32D29BBC3E7C4752802E73867511D3AEBD092C1E8A9CA0860FC19CC0AD821C7C917A8695983EE7B42874B65894B8C2835AD03A60EE91D39235A4827881CA7CE057CC11244C78A2DA9DF111EFC53D45FFB3EFEC92182BD69CFAA449183E6BB01B622DF473F25D6F35707BA1923A57333FCEF37BB4FE8056C5E26F57BD043791713C844BCD7D003452E63B3FF51FCB0FA3EDF6A2861D
-
-packet RX: 12
-dst mac: 8e:ee:03:c8:56:22
-dst address: 192.168.62.6
-handshake: new session ticket
-
-```
-
-
-# 15
-
-```shell
- 0070 - 05 5f 50 8c ee 01 9b ac-31 58 dc c3 d6 a7 05 66 ._P.....1X.....f
- 0080 - fc 58 3f 9f ac 0f b7 0f-0c 3e 1f e1 9b 8c 80 a6 .X?......>......
- 0090 - 49 7d 20 57 93 b7 8e 6a-9e 99 47 a6 61 41 f5 7e I} W...j..G.aA.~
- 00a0 - fb 1d 46 41 06 08 3f 2a-09 8a 70 7a 5d 37 5e 92 ..FA..?*..pz]7^.
-
- Start Time: 1748389568
- Timeout : 7200 (sec)
- Verify return code: 0 (ok)
- Extended master secret: yes
----
-i see dead people
-
-
-```
-
-# 16
-```shell
-packet RX: 17
-dst mac: 1a:fe:a2:8e:77:09
-dst address: 192.168.64.6
-message: payloadlen: 80
- 😈 TLSv1.2 hijacked message 😈
- i see dead people
-
-
-packet RX: 18
-dst mac: 8e:ee:03:c8:56:22
-dst address: 192.168.62.6
-
-
-```
\ No newline at end of file
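Review bot: sections 04 through 07 of these removed notes never state the preconditions the decryption depends on, so wherever this walkthrough now lives it should say them outright. Both `openssl` commands pin `-cipher AES256-SHA256:@SECLEVEL=0 -tls1_2`, which is static RSA key transport with no forward secrecy, and `RSA_private_decrypt(..., rsa_priv_key, RSA_PKCS1_PADDING)` recovers the premaster secret only because the sniffer holds the server's private key. Without that sentence, the "TLSv1.2 hijacked message" output in section 16 reads as a break of TLS 1.2 itself rather than a consequence of key compromise combined with a non-PFS suite. Smaller points in the same hunk: the diagram label `vet11` should be `veth11` to match `veth12`, `veth21` and `veth22`; heading `13-1` appears before `13`; and the `tls1_prf_P_hash` copy in section 09 is marked only by "steal start" / "steal end" comments and a link to `master`, so if that function stays in the tree it should carry the upstream license notice and a link pinned to a specific commit.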