Power Hacker 2003

home *** CD-ROM | disk | FTP | other *** search

/ Power Hacker 2003 / Power_Hacker_2003.iso / E-zine / Magazines / crh / freebsd / rootkit / sniffit.0.3.5 / README.FIRST < prev next >

Wrap

Text File | 2002-05-27 | 27.3 KB | 707 lines

#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# * Sniffit V.0.3.5 * * By Brecht Claerhout * # This program is intended to demonstrate the unsafeness of TCP (currently) # * No illegal activities are encouraged! * # Anyway, I'm not responsible for anything you do with it. # * * # Sniffit grew a little upon it's original intentions and is now # * extended for network debugging (UDP, ICMP, netload, etc.) * #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# * Libpcap library * # This product includes software developed by the Computer Systems # * Engineering Group at Lawrence Berkeley Laboratory. * #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 0. Introduction, and some stuff you should know. crap, credits and compilation notes 1. Programmers notes excuses for my incompetence 2. Use of the program flags and examples 3. Extra info on use 3.1 Running interactive mode 3.2 Forcing network devices (*READ*) 3.3 Format of the config file 3.4 Loglevels 4. The output 4.1 Normal 4.2 Logfile 5. IMPORTANT NOTES, READ! this also! 6. BUGFIXES 7. NEW STUFF to keep track of what's in it ------------------------------------------------------------------------------ 0. Introduction, and some stuff you should know. ------------------------------------------------ 0.3.5... You probably wonder where 0.3.4 has gone to, well that was a beta-release. It was only shipped to the Beta-testers (a big thanks to them for their valuable work.) SO TO MAKE EVERYTHING CLEAR: Official versions jump from 0.3.3 to 0.3.5.... What did I do? Upgraded libpcap, renewed the compilation process, and added some features. The interactive party of sniffit now includes packet generation. All command line options having to do with packet selection now also work with UDP packets. Fixed the external program triggering... (children stayed in memory.. signalling problem) Improved portability of the code.... I use the libpcap library developped at Berkeley Laboratory, for easy porting (Read the licence). Credits go to (in order of apperance on the Sniffit scene): Wim Vandeputte <wvdputte@reptile.rug.ac.be>, best friend and UNIX guru, for support, testing and providing me with a WWW site. Godmar Back, for fixing that kernel 1.2.X bug (Sniffit 0.1.X). Peter Kooiman, of Paradigm Systems Technology for providing the facilities to port Sniffit, and for the endless testing (although he laughs this away with "no big deal, I don't need no credits"). Without him, there would have been no ports at all. Brooke Paul, for providing me with an SGI account. Qing Long, for the bash/zsh libpcap/configure script. Guy Gustavson, for giving me a FreeBSD account. Woju <woju@freebsd.ee.ntu.edu.tw>, for the ncurses SunOS/FreeBSD fixing, and for his other effords. Amlan Saha <eng40607@nus.sg>, for adding Packet Generation to Sniffit, and adding other features (not implemented yet). I'm sure that in the near future you will see more of his work in Sniffit. everybody, who ever mailed me with sugestions help, etc... Also a big thanks to my Beta testers (alphabetically, I hope)... Charles G Stuart <charles.stuart@juno.com> IRIX / RedHat LINUX Patrick Schoppenhorst <pschoppe@thumper.indianapolis.sgi.com> IRIX Shahid Mahmood <smahmood@hns.com> Slackware LINUX / SunOS Stephen Hillier <shillier@tuns.ca> RedHat LINUX And many others who wish to be anonymous.... (you still can get your name in here if you not longer wish to stay anonymous ;) This is free software, spread it if you want, but keep the package complete and unmodified. Do not use any code from this package without mentioning the source in your docs and advertisement. Do not use any of this code in Commercial Software/Commercial Packages. Sugestions and comments can be sent to: coder@reptile.rug.ac.be Brecht Claerhout Meulebeeksestw. 51 8700 Tielt Belgium The original distribution program can be optained from (my site): http://reptile.rug.ac.be/~coder/sniffit/sniffit.html MIND YOU: this program is ran as root, and thus could easily contain dangerous trojans. If you get it from the above site you can safely compile and use it. (no trojan versions are discovered yet.. it's just a warning) Compiling: Sniffit now uses autoconfig. So you just type 'configure' and then 'make' (if configure made it without errors). Mind you, you can still modify some things in the 'sn_config.h' file, but by default all sections that can be added on your system are added. IMPORTANT NOTES: 1. This source code has only been tested with GNU versions of make/C compiler. 2. curses DOES NOT equal ncurses. (ncurses is available at your local sunsite mirror.) Other stuff.... make clean : cleans all directories for a compiling from scratch STANDARD DISCLAIMER: I am not responsible for any damage (hardware, software, emotional, physical, economical, sexual, ...) caused by this program, or by any part of this package. By using this package you fully agree to these terms, if you don't then remove it at once. The author however states that he has done everything within his effort to make this program as functional and safe as possible. 1. Programmers notes -------------------- No more excuses ..... I think I used the easiest solution, probably somewhere some guru is now laughing with my lack of programming skill, but the hell with it, it works (most of the time, here.... ;) Still I note the use of shared memory, with Linux you should take extra care when recompiling your kernel! Answer YES to 'System V IPC (CONFIG_SYSVIPC) [y]'. 2. Use of the program --------------------- (The man pages have detailed info on what parameters you can mix) (* indicates New Features) Options: ONE of these is required! -v Show version and exit (just added because it's such a wide spread option) -t <IP nr/name> tells the sniffer to check out packets GOING TO <IP> * -s <IP nr/name> tells the sniffer to check out packets COMMING FROM <IP> * You can use the '@' wildcard (only IP NUMBERS of course). * e.g. -t 199.145.@ * -t 199.14@ * mind you -t @ is also a valid option. -i Interactive mode, overrides all other options -c <file> Use <file> as a config file for Sniffit See 3.3 for format of the config file. * NOTE: -t or -s only apply to TCP and UDP packages, ICMP, IP packages * are ALL interpreted. * Also, any selection on ports, -p only applies to TCP, UDP packages. Parameters for all modes: -F <device> force sniffit to use a network device (READ 3.2 ON THIS SUBJECT, IMPORTANT) -n Turn of IP checksum checking. This can show you bogus packets. (mind you ARP, RARP, other non-IP packets will show up bogus too) (compatible with ALL options) * -N Disables all functions that Sniffit has build in, usefull * for wanting to run ONLY a plugin Parameters for not running in -i: -b does both -t and -s, doesn't mather what function you used (-t or -s) -d Dump mode, shows the packets on the screen in bytes (not like tcpdump). For test purposes. (numbers are hex) -a same of '-d' but outputs ASCII. -x Prints extended info on TCP packets (SEQ numbers, ACK, Flags) Like SEQ, ACK, the flags, etc... (works wit '-a', '-d', '-s', '-t', '-b' or on its own.) (Mind you it is always shown on stdout, so not logged when using '-t', '-s', '-b' without another parameter) -A <char> When in logging mode, all non-printable chars will be replaced by <char>. (see note below 4.The output) -P protocol specify the protocols examined (default TCP) possible options currently are: IP, TCP, ICMP, UDP They can be combined. -p <port> Logs connections on port <port>, 0 means all ports, default is 0 (all), look out with that on loaded nets! -l <length> Ammount of information to log (default 300 bytes). Length 0 logs everything. (look out with diskspace when logging everything!) * -M <Plugin> Activate Plugin nr. <Plugin>, for a list on all plugins * compiled in your version, just type 'sniffit'. * Read all about Plugins in the PLUGIN-HOWTO (READ IT!) Parameters with -i: -D <device> All logging output will be send to that device. It's cool to get the same IRC screen as the guy y'r sniffing upon ;-) Parameters with -c: -L <loglevel> enable logging with <loglevel> as loglevel currenly the following loglevels are supported: 1 : Raw level 10,12 : Normal level (see '2. The Output' for more info) Some examples: Imagine the following setup: 2 hosts on a subnet, one is running the sniffer (sniffit.com), the otherone is 66.66.66.7 (target.com). 1. You want to test if the sniffer is working: sniffit:~/# sniffit -d -p 7 -t 66.66.66.7 and in another window: sniffit:~/$ telnet target.com 7 you should see the sniffer giving you packets as you telnet to the 'echo' service. 2. I want to log some passwords from people on 66.66.66.7: sniffit:~/# sniffit -p 23 -t 66.66.66.7 3. Root of target.com tells me he gets strange ftp connections and wants to find out the commands typed: sniffit:~/# sniffit -p 21 -l 0 -t 66.66.66.7 4. You want to read all incomming and outgoing mail on target.com: sniffit:~/# sniffit -p 25 -l 0 -b -t 66.66.66.7 & or sniffit:~/# sniffit -p 25 -l 0 -b -s 66.66.66.7 & 5. You want to use the menu based interface. sniffit:~/# sniffit -i 6. Something is really wrong and you want to see the Control Messages with error codes. sniffit:~/# sniffit -P icmp -b -s 66.66.66.7 7. Go wild on scrolling the screen. sniffit:~/# sniffit -P ip -P icmp -P tcp -p 0 -b -a -d -x -s 66.66.66.7 witch is the same as sniffit:~/# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 66.66.66.7 8. Log passwords in that way you can read them with 'more 66*' sniffit:~/# sniffit -p 23 -A . -t 66.66.66.7 or sniffit:~/# sniffit -p 23 -A ^ -t dummy.net 9. This could go on for ever.............. 3. Extra info on use -------------------- 3.1 Running interactive mode ---------------------------- When running in interactive mode: UP or 'k' : self explanatory DOWN or j': self explanatory F1 or '1' : Enter a host (enter 'all' for no mask) for packet filtering (host that sends the packets) F2 or '2' : Enter a host (enter 'all' for no mask) for packet filtering. (host that receives the packets) F3 or '3' : Enter a port (enter '0' for no mask) for packet filtering. (host that sends the packets) F4 or '4' : Enter a port (enter '0' for no mask) for packet filtering. (host that receives the packets) F5 or '5' : Start a program 'sniffit_key5' with arguments <from IP> <from port> <to IP> <to port> If the program doesn't exist, nothing is done. Sniffit should be in the same path as sniffit was STARTED FROM (not necessarely the path sniffit is stored in) This is usefull for interactive connection killing or extra monitoring. A little shell script can always transform the arguments given and pass them on to other programs. F6 or '6' : Same as F5 or '5', but with program 'sniffit_key6' F7 or '7' : Same as F5 or '5', but with program 'sniffit_key7' F8 or '8' : Same as F5 or '5', but with program 'sniffit_key8' ENTER : a window will pop up and log the connection, or the connection output will be send at a chosen device if you used the '-D' option. 'q' : When in logging mode, stop logging. Otherwise, quit. 'n' : Toggle netstatistics. These are sampled at 3 secs, look in the config.h file to change this (could be needed if y'r computer is slow). * 'g' : Generate Packets! * Sniffit is now able to generate some trafic load. Currently * this is a 'underdevelloped' feature with very few options, * but it will be expanded a lot * Currently only UDP packets are generated. When pressing 'G' * you will be asked the source/dest IP/port and how much packets * are needed to be transmitted. * Packets contain the line: "This Packet was fired with Sniffit!" 'r' : Reset.. clears all current connections from memory and restarts. 3.2 Forcing network devices (*READ*) -------------------------------------- NOTE: the correct name (for sniffit) of a device can be found by running 'ifconfig' When forcing network devices, sniffit tries to find out what device it is. If sniffit recognises the name, everything is okay. If it does not recognise the name it will set the variable FORCED_HEAD_LENGHTH to the ethernet headlength. The ethernet headlength is the length in bytes of an ethernet packet hearder. So if you have to force a non-ethernet device, that is not recognised by sniffit, make sure you change that headlength correctly in the 'config.h' file. The -F option was added, because I noticed devicenames can differ from system to system, and because some ppl have multiple devices present. When having problems with this option, please think twice before you mail me. * e.g: sniffit -F eth1 -t foobar.com -dx * * Notice you don't have to add /dev/ (some ppl mentioned me this was not * completely clear). 3.3 Format of the config file ----------------------------- The configfile should have lines with the following format: <field1> <field2> <field3> <field4> [<field5>] (seperators are spaces (any number of), NO TABS!!!) Lines that don't match this pattern are discarded, so standard unix comments '#' can be used in this file... (this also means that if you have a typo there, Sniffit won't report it but just discard the line) (read this list, even if you don't get it at first, it will become clear in the examples) <field1> can be: select : Sniffit will look for packets that match the following description (other fields) deselect : Sniffit will ignore packets that match the description logfile : change the logfile name to <field2> instead of the default 'sniffit.log' <field2> can be: from : Packets FROM the host matching the following desc. are considered to : similar, Packets TO the.... both : similar, Packets FROM or TO the.... a filename : as an argument of 'logfile' in <field1> <field3> can be: host : The (de)selection criteria involves a hostname. port : similar, ... a portnumber mhosts : The (de)selection criteria involves multiple-hosts, like with the wildcars in 0.3.0, but without the 'x' <field4> can be: either a hostname, a portnumber or a numbet-dot partial notatiion indicating multiple hosts depending on <field3> <field5> can be: a portnumber, if <field3> was 'host' or 'mhosts' Maybe it would have been wise to mention explicitely, that the config-file currently only works with TCP packets. examples: 1. Look at this configuration file: select from host 100.100.12.2 select from host 100.100.12.3 1400 select to host coder.sniffit.com select both port 23 This file would cause Sniffit to give you the packets: a) Send by host 100.100.12.2 b) Send by host 100.100.12.3 from port 1400 c) Send to coder.sniffit.com d) All packets on our subnet going to or comming from a telnet port. 2. another example: select both mhosts 100.100.12. deselect both port 80 select both host enemy.sniffit.com This file would cause Sniffit to give you the packets: a) Send by hosts '100.100.12.*' b) EXCEPT the WWW packets c) BUT showing the WWW packets concerning enemy.sniffit.com The config file in interpreted SEQUENTIAL, so mixing up those lines could have unwanted results e.g.: select both mhosts 100.100.12. select both host enemy.sniffit.org deselect both port 80 This will give you the packets: a) Send by hosts '100.100.12.*' b) Send from/to enemy.sniffit.org c) deselecting all WWW packets on the subnet So if someone on enemy.sniffit.org is netscaping (assuming his 'target' has his httpd installed on port 80), you would see the packets with the first config file, BUT NOT with the second file, and that could spoil y'r fun when he's surfing to some kinky page. 3. Last usefull example: select both mhosts 1 select both mhosts 2 deselect both mhosts 1 80 deselect both mhosts 2 80 This would show you all subnet trafic excluding WWW trafic (concerning port 80.) NOTE: Everything is DESELECTED by default, so an empty config file will get you nothing. 3.4 Loglevels ------------- Levels are divided into groups (1-9, 10-29, ..??) and within each group, they 'add' features to the logging mode. e.g. loglevel 13, will do everything loglevel 12 does, and some additional stuff... (this for future development) Raw (levels 1-9) 1 : Log all SYN, FIN, RST packets. This will give you an overview of all network (TCP) trafic in a 'RAW' way (a connection starting could gives you at least 2 SYN packets, etc...). Messages are: Connection initiated. (SYN) Connection ending. (FIN) Connection reset. (RST) Normal (levels 10-29) 10: Same as Raw level 1, but a bit more intelligent. Unless packets are transmitted multiple times because of packet loss, you will only get 1 notice of a connection starting or ending. (the packet id will state the host that initiated the connection first) Messages are: Connection initiated. Connection closed. 12: This option will spy on trafic concerning ports 21 and 23 on the subnet. Yes indeed, FTP and TELNET. Sniffit will try to catch login and passwords for these applications. FTP Easy catching. Even multiple tries are registered. TELNET A bit harder. We only try to catch the first attempt, so if someone fails the first login, you will miss his password. A '~' in the login and passwords fields can be a nonprintable character (if in the beginning of a field, probably due to an early start of registration) or a '~'. This all makes it sound a little messy, but I 'testdrived' a lot and was pleased with the results after adding some funky shit (if y'r interested have a look at in function 'packethandler' in sniffit.0.3.2.c) 4. The output ------------- 4.1 Normal ---------- - IP header info (not logged, displayed): Examples: from 100.100.60.80 to 100.100.69.63 IP Packet precedence: Routine (-T-) FLAGS: -- -- Time to live (secs): 59 Protocol (6): TCP from 100.100.69.31 to 100.100.69.63 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 60 Protocol (17): UDP from 100.100.69.51 to 100.100.69.63 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 255 Protocol (1): ICMP explanation: Precedence can be: Routine, Priority, Immediate, Flash, Flash override, Critical, Internetwork Control, Network control The Flags between brackets: (DTR) Delay-Throughput-reliability FLAGS: DF MF DF=Don't Fragment MF=More Fragments - TCP Packets (logged or displayed): The sniffer logs the data in ascii format. So when logging telnet connections, you will need to use 'joe' or something else that can support control chars (look for '-A <char>' below). Telnet 'negotiates' (binary) in the beginning of every connection, and 'catting' a output file, will most of the time show nothing (due to control chars). Of course when logging mail, there are no problems. The new '-A <char>' takes care of the control characters, that way you will be able to read the logfiles with 'more', 'vi', etc... -a and -d give you raw packets i.e. not unwrapped, on the screen (nothing is logged), -x gives you more info on the TCP package (everything is still logged unless using -a or -d mode), The flags are: U: Urgent pointer significant A: Acknowledgement is signif (will be shown) P: Push function R: Reset the connection S: Synchronizes sequence numbers F: No more data from sender (end connection) Filenames Created: Imagine a subnet with the hosts 66.66.66.66 and 66.66.66.7, and we run a sniffer on the first. The sniffer creates the following files: When logging packets TO host 66.66.66.7 (-t 66.66.66.7) files like 77.77.7.7.15000-66.66.66.7.23 are created, when the data CAME FROM host 77.77.7.7-15000 (with 15000 port used on 77.77.7.7 for that connection, and received on port 23 of 66.66.66.7) When logging packets FROM host 66.66.66.7 (-s 66.66.66.7) files like 66.66.66.7.15000-77.77.7.7-23 are created, when the data GOES TO host 77.77.7.7 (with 15000 port used on 66.66.66.7 for that connection) - ICMP Packets (not logged, displayed): On host 100.100.69.63 someone tried 'telnet 100.100.23.23' Suppose this host is unreachable, this could be a possible output: ICMP message id: 100.100.69.254 > 100.100.69.63 ICMP type: Destination unreachable Error: Host unreachable ICMP message concerned following IP packet: from 100.100.69.63 to 100.100.23.23 IP Packet precedence: Routine (---) FLAGS: -- -- Time to live (secs): 63 Protocol (6): TCP - UDP Packets (not logged, displayed) You get the package id. When using -d, -a you get the contence of the package. (pretty basic) 4.2 Logfile ----------- If you use a configfile (-c) and enable the Logging option a logfile is created. Unless you set 'logfile' in the config file, that file will be named 'sniffit.log'. It will contain lines with the following FIXED format: 1) Date - Connection id.: message e.g. [Mon Aug 19 22:38:56 1996] - 100.100.10.10.1046-110.110.11.11.23: Connection initiated. (conn. init. on the same line as the rest) 2) Except the starting line and the ending line of each session, they are: [Mon Aug 19 22:38:51 1996] - Sniffit session started. [Mon Aug 19 22:39:44 1996] - Sniffit session ended. 3) Lines containing other data (future versions), will NOT begin with '[' and will have also easily interpretable formats. Other data is e.g. packet contence I do this because I can imagine (when this is more expanded) that people will use their own parsers for these logfiles. Well, if you respect those 3 rules, your parser will work on all future versions of Sniffit. 5. IMPORTANT NOTES, READ! ------------------------- First of all, some stuff people who use this program should already know, if you don't, well here ya got it: Some other notes: - Sniffers can only be run by ROOT - Sniffers can only log packets that 'travel' on THEIR ethernetcable. So there has to be some host on your subnet involved (either as sender or receiver). - Working with '-d' or '-a' give you raw packets, they are still packed in IP, when logging to files, only send data is logged, the packets are 'unwrapped'. - Sniffers can not be detected from the outside (look below for note on harddisk). Some people pretend that tcp wrappers and stuff can detect sniffers, well that's bullshit. Sniffers are just 'sitting' on the line and reading what is passing anyway, they don't DO anything, they just watch. They can be detected: - In the processlist (ps -augwx) - When the harddisklight flashes a lot, people can suspect something Also harddisks can make a lot of noice, but these sympthomes are only payed attention to in hostile environments. - (LINUX) Your KERNEL should support System V IPC. If you will use '-i' 6. BUGFIXES ----------- (PRIOR TO 0.2.0 - some are LINUX only) - Kernel 1.2.(some) incompatibility should be fixed. (like 1.2.5) (all credit for that to Godmar Back) - logging connections with lots of data is okay too now. 'the integer that needed to be a long'-bug. It was an overflow prob. - off course there are always minor ameliorations not worth mentioning (SINCE 0.2.0) - MAXCOUNT bug - interactive part lock-up bugs - output format (SINCE 0.3.0) - a wildcard bug - a Makefile bug (nothing important) (SINCE 0.3.1) - a typo caused the screwing up of the wildcard option (0.3.1) - 'select from host' didn't work... (SINCE 0.3.2) - a functions that had a parameter missing. - all interactive mode problems. (SINCE 0.3.3) - Interactive mode, with non-color-modes. - External program firing... (SINCE 0.3.4) - Interactive mode NON-IP packet detection. - errorhandeling starting of external programs from interface - various improvements for the porting (thx, beta-testers) 7. NEW STUFF ------------ V.0.1.0 - First test of the ncurses interface (never use this version, it's megaslow) V.0.1.1 - Added '-x' for extra information on TCP packets - Added '-A <char>' for you 'password-horny-dudes' ;) - beginning of ICMP support ('-P <protocol>') - First 'real' test for the interface V.0.1.2 - IP debugging info - UDP support - extended ICMP info (almost complete....) - logging on another terminal V.0.2.0 - SUN port (I now hate SPARC's ;) V.0.2.1 - SGI port V.0.2.2 - Netload statistics (interactive part) - Massive debugging of interactive part V.0.3.0 - Wildcards in non-interactive mode - time-out in non interactive mode, so you won't stuff memory by connections that weren't closed like they're supposed to be. - Forcing the use of a snif device - MTU changeble in config.h - ppp use V.0.3.1 - Flexible network trafic selection with config file. V.0.3.2 - IP checksum check - First introduction of a logfile for monitoring - Adding of loglevel: 1, 10, 12 V.0.3.3 - rewrite of some parts (big clean-up of interactive part) - Auto adjusting to screen of interface - Starting of external programs from interface V.0.3.4 (Beta)/V.0.3.5 - Use of Autoconf - Upgrade of Libpcap to 0.3 - Added Packet generation - Added UDP selectivity - Added "plugins" ------------------------ Thx for using Sniffit(tm) ---------------------------