Friday, April 4, 2008
Sniffing POP3 passwords using gpackcount
Using gpackcount you can sniff passwords on your network.
A practical example is shown below (the transcript omits the USER and PASS POP3 commands, because this is a public article); this can be useful to debug problems, or to find out whether someone is trying to break into your POP3 accounts. POP3 is a good example because, without SSL support, authentication is done in plain text. If you plan to run a POP3 service on your network server, think twice: instead of local sniffing, someone between your POP3 client and your network server might be running a similar tool.
This example assumes you know that the POP3 (without SSL) protocol runs over TCP on port 110; below you can see the raw output produced by the gpackcount utility.
Transcript:
[root@fuji root]# gpackcount packets -g 0,110,110,0 -v
{TCP/IP} (size=0, str=0) luisa.prized:2503 => 0.0.0.0:110
{TCP/IP} (size=0, str=0) 0.0.0.0:110 => luisa.prized:2503
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=82, str=94) 0.0.0.0:110 => luisa.prized:2503 +OK Teapop [5B]0.3.7[5D] - Teaspoon stirs around again <1207351688.25c7c716@llywellyn>[0D][0A]
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 rset[0D][0A]
{TCP/IP} (size=54, str=60) 0.0.0.0:110 => luisa.prized:2503 -ERR rset? I'm not quite sure what you mean, Master.[0D][0A]
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 quit[0D][0A]
{TCP/IP} (size=55, str=61) 0.0.0.0:110 => luisa.prized:2503 +OK I hope you will be back for your mail later, Sir.[0D][0A]
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
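The transcript above is exactly the kind of record a defender would review to answer the two questions the post raises: is anyone logging in over plaintext POP3, and is anyone hammering an account with repeated PASS attempts? The following Python script is an added example, not part of the netpack project or of the original post: it parses lines in the gpackcount "packets -v" format shown above (undoing the [XX] hex escapes), pairs each client command with the server's reply, and reports, per client connection, whether USER/PASS went over the wire and how many PASS commands were answered with -ERR. The sample transcript embedded in it is constructed (hosts, ports and credential values are invented, but the size/str counts follow the same rules as the real output); the threshold of three failures is an arbitrary choice. Passwords are deliberately never stored, only the fact that a PASS command was seen.

```python
import re
from collections import defaultdict

POP3_PORT = 110
# One "gpackcount packets -v" line: {TCP/IP} (size=N, str=M) src => dst [payload]
LINE_RE = re.compile(r"^\{TCP/IP\} \(size=(\d+), str=(\d+)\) (\S+) => (\S+)(?: (.*))?$")
# gpackcount prints non-printable payload bytes as [XX] hex escapes
ESC_RE = re.compile(r"\[([0-9A-Fa-f]{2})\]")

# Constructed sample in the same format as the transcript; hosts, ports and
# credential values are invented. size= is the real payload byte count and
# str= is the printed length (each [XX] escape adds three characters).
SAMPLE = """\
{TCP/IP} (size=0, str=0) luisa.prized:2503 => 0.0.0.0:110
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=23, str=29) 0.0.0.0:110 => luisa.prized:2503 +OK POP3 server ready[0D][0A]
{TCP/IP} (size=12, str=18) luisa.prized:2503 => 0.0.0.0:110 USER alice[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => luisa.prized:2503 +OK[0D][0A]
{TCP/IP} (size=14, str=20) luisa.prized:2503 => 0.0.0.0:110 PASS hunter2[0D][0A]
{TCP/IP} (size=28, str=34) 0.0.0.0:110 => luisa.prized:2503 -ERR authentication failed[0D][0A]
{TCP/IP} (size=12, str=18) luisa.prized:2503 => 0.0.0.0:110 USER alice[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => luisa.prized:2503 +OK[0D][0A]
{TCP/IP} (size=14, str=20) luisa.prized:2503 => 0.0.0.0:110 PASS letmein[0D][0A]
{TCP/IP} (size=28, str=34) 0.0.0.0:110 => luisa.prized:2503 -ERR authentication failed[0D][0A]
{TCP/IP} (size=12, str=18) luisa.prized:2503 => 0.0.0.0:110 USER alice[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => luisa.prized:2503 +OK[0D][0A]
{TCP/IP} (size=14, str=20) luisa.prized:2503 => 0.0.0.0:110 PASS secret1[0D][0A]
{TCP/IP} (size=28, str=34) 0.0.0.0:110 => luisa.prized:2503 -ERR authentication failed[0D][0A]
{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 quit[0D][0A]
{TCP/IP} (size=0, str=0) desk7.prized:3310 => 0.0.0.0:110
{TCP/IP} (size=10, str=16) desk7.prized:3310 => 0.0.0.0:110 USER bob[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => desk7.prized:3310 +OK[0D][0A]
{TCP/IP} (size=13, str=19) desk7.prized:3310 => 0.0.0.0:110 PASS s3cret[0D][0A]
{TCP/IP} (size=15, str=21) 0.0.0.0:110 => desk7.prized:3310 +OK Logged in[0D][0A]
{TCP/IP} (size=6, str=12) desk7.prized:3310 => 0.0.0.0:110 rset[0D][0A]
{TCP/IP} (size=22, str=28) 0.0.0.0:110 => desk7.prized:3310 -ERR unknown command[0D][0A]
"""


def decode_payload(text):
    """Undo the [XX] escapes; each escaped byte becomes one character."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_line(line):
    """Split one transcript line into its fields; None for text that is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size, strlen, src, dst, payload = m.groups()
    return {"size": int(size), "str": int(strlen), "src": src, "dst": dst,
            "payload": decode_payload(payload or "")}


def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def audit_pop3(transcript, max_failures=3):
    """Pair POP3 commands with replies per client connection and report
    plaintext logins and repeated authentication failures."""
    pending = {}   # client endpoint -> last command sent, awaiting the server's reply
    stats = defaultdict(lambda: {"user_seen": False, "pass_seen": False, "failed": 0, "ok": 0})
    for raw in transcript.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        text = pkt["payload"].rstrip("\r\n")
        if not text.strip() or not text.isprintable():
            continue   # handshake lines and [00] padding carry no POP3 text
        if port_of(pkt["dst"]) == POP3_PORT:          # client -> server: a command
            client = pkt["src"]
            verb = text.split(None, 1)[0].upper()
            pending[client] = verb
            if verb == "USER":
                stats[client]["user_seen"] = True
            elif verb == "PASS":
                stats[client]["pass_seen"] = True     # the password value is not kept
        elif port_of(pkt["src"]) == POP3_PORT:        # server -> client: a reply
            client = pkt["dst"]
            if pending.pop(client, None) == "PASS":   # only the reply to PASS decides a login
                if text.startswith("+OK"):
                    stats[client]["ok"] += 1
                elif text.startswith("-ERR"):
                    stats[client]["failed"] += 1
    findings = {}
    for client, s in stats.items():
        flags = []
        if s["user_seen"] and s["pass_seen"]:
            flags.append("plaintext-credentials")
        if s["failed"] >= max_failures:
            flags.append("possible-brute-force")
        findings[client] = dict(s, flags=flags)
    return findings


if __name__ == "__main__":
    for client, finding in audit_pop3(SAMPLE).items():
        print(client, finding)
```

Run over the page's own transcript the script reports nothing, because the USER and PASS lines were removed from it and the single -ERR there answers an RSET, not a PASS; that is exactly why the reply-pairing matters, since counting every -ERR would produce false alarms on ordinary protocol errors.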
Friday, January 4, 2008
netpack-gpack - why this name?
netpack currently comprises gpack.
The first release was packaged as netpack-gpack-v0.8.tar.gz; the main sources are in netpack/gpack/gPackCount-v0.8.
The actual executable is gpackcount, which was primarily built to sniff my own intranet traffic.
My original CVS sources were placed at gprog/pNetPack/, where some utilities like gPackServer and gPackClient were stored, together with an AS (Autonomous System) text compiler.
As time went by, I didn't have time to complete the client/server functionality, and I continued to use gpackcount, making several enhancements.
gpackcount turned out to be quite useful for the purpose, but initially had an annoying quirk: it depended heavily on an installed libpcap (known as pcap; refer to www.tcpdump.org).
It turned out to be considerably easier to integrate libpcap into my own wrapper library, known as libgpcap, needing just one primary source instead of a bunch of separate pieces:
- netpack/gpack/o_sources/libpcap-0.7.2-orig.tar
- netpack/gpack/o_sources/libpcap-diff.patch
There is also a guideline for further development, the include files that can be installed:
- netpack/gpack/o_sources/libpcap-0.7.2-include.tar
That's about it.
Enjoy!
Sunday, December 23, 2007
netpack-gpack is released
netpack (the gpack package) is useful to measure and track traffic through your site; it uses libpcap underneath, through its own wrapper interface named gpcap.
It includes:
* gPackCount - the Packet counter utility
Shows IP packet structure, especially TCP details.
It uses the gobj, gobjeio and gpcap libraries, which are included in this package.
REQUIREMENTS
++++++++++++
* compiles in Linux; requires g++, make, flex and bison
* run gpackcount as root (or otherwise just an interface test mode)
Main site:
http://moreira.dnsalias.org/projects/netpack/
Mirror:
http://millis.org.uk/projects/netpack/
Tuesday, July 3, 2007
A sample of netpack in Debian sarge
For those who cannot wait for an official Debian package, here is a how-to suited for people with some experience on Linux.
Requirement: libpcap0.7 and kernel support (CONFIG_PACKET for kernels >= 2.2, as in the report below; or an interface attached in promiscuous mode on kernels < 2.2).
frog:~# grep CONFIG_PACKET=[my] /boot/config-2.6.8-2-386 ; [ $? = 0 ] && echo "Kernel `uname -a`: Supports pcap"
CONFIG_PACKET=m
Kernel Linux frog 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux: Supports pcap
Check the installed libpcap0.7:
frog:~# dpkg -l | grep pcap
ii libpcap0.7 0.7.2-7 System interface for user-level packet captu
ii libpcap0.7-dev 0.7.2-7 Development library and header files for lib
ii libpcap0.8 0.9.5-1 System interface for user-level packet captu
To compile the netpack package yourself you will need libpcap0.7-dev, but if you download a binary package of netpack you will not need it.
frog:~# ldconfig -p | grep pcap
libpcap.so.0.8 (libc6) => /usr/lib/libpcap.so.0.8
libpcap.so.0.7 (libc6) => /usr/lib/libpcap.so.0.7
frog:~# file ~guest/gpackcount_static
/home/guest/gpackcount_static: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), for GNU/Linux 2.4.1, stripped
Suppose your Debian box is connected to a share on a windowzed host via the Samba client.
frog:~# mount -t smbfs
//luisa/huge on /net/luisa/huge type smbfs (rw)
This indicates a share called huge is mounted locally at /net/luisa/huge. You can sniff the raw-text transfer protocol (NetBIOS, in particular microsoft-ds) using the following command:
~guest/gpackcount_static packets -g 445,0,0,445 -v
In my case the windowzed PC has a replica of my Freesco box (moreira.dnsalias.org/linux), and I sync information regularly from the Freesco box to this PC using a Debian guest (named frog). I use rsync (which is also installed on the Freesco box, though this is only a nice-to-have: it improves the transfer speed even more); rsync is the Rolls Royce of synchronization tools. It also allows compressed file transfer (using '-z'). In the following example you can see a folder named 'linux' transferred to the PC using the Samba share.
frog:~# grep smbfs /etc/fstab
//luisa/huge /net/luisa/huge smbfs rw,noauto,username=henrique,password=your_windowzed_pass 0 0
The line above is the customized Samba client entry I have configured on the Debian host.
frog:~# mount /net/luisa/huge
frog:~# cd /net/luisa/huge/pub/public_html/org/linux
frog:/net/luisa/huge/pub/public_html/org/linux# rsync -v -v -t -r --stats root@maxtor:/www/org/linux . 2> /tmp/rep
Be sure to have the 'smbfs' package installed, otherwise the mount command will fail (apt-get install smbfs).
Note: I am currently a little bit skeptical about the 'lfs' option on the Samba client.
The rsync command is shown above. gpackcount will show the file-transfer contents, excluding the mounting.
Monday, June 11, 2007
History about netpack
How netpack started
Since I have used Freesco (and the kernel it provides, 2.0.x, doesn't support per-byte interface statistics), I started using iptotal. It provided a nice output, using cgi and rrdtool (a database supporting round-robin data). You can see those graphs on the following link (if my own Freesco box is down for some reason).
I quickly started to enjoy the way iptotal was able to get the octets the kernel processed, even without direct kernel support. I learned about libpcap, and suddenly started to enjoy immensely all the things we could do with this magic library. Nothing magic, really: it was just using the kernel's Netlink capabilities (a Netlink socket is a special IPC used for transferring information between the kernel and user-space processes; comprehensive details at the Linux Journal; an interesting generic idea is also published at Wikipedia). pcap stands for Packet Capture library, and it has a quite generic implementation of a packet sniffer and filter, the latter also known as net/bpf, or just BPF. I put BPF aside, since I was not interested in filtering packets at the kernel level. That would be too much for my knowledge and out of scope.
I became really interested in the ways I could sniff data through my own network: that way I could better control the trojans and parasites around, since wasting money on an anti-virus was out of the question.
So I learned the basic hooks necessary to bring pcap alive, and I was amazed by the knowledge required to do such a task. Tricks and adjustments, just to capture a bunch of packets from the kernel!... [sigh] I thought the best would be to wrap this knowledge in a simple and straightforward interface; this, and a new library (called gpcap), was one step.
The library interfaced libpcap in a simple way for any end programmer, and I chose C++ to provide a suitable encapsulation. From gpcap to a small program (called gPackCount) to test it was another step. The README contained the following paragraphs:
There is currently limited functionality provided by *gpackcount*
because this was my start application for testing *gpcap*
...
It uses mainly pcap and gpcap libraries. pcap is GPL (not my own
product), and gpcap is a wrapper for easing the implemented pcap
interfaces. pcap is out of scope in this document, but the basic
idea is to capture packets using either the Kernel CONFIG_PACKET
(PF_PACKET Kernel >=2.2), or attach an interface in promiscuous
mode (Kernel <2.2).
Then gPackCount grew to comprise more and more services, and includes a self-contained rDNS cache (with a proprietary caching algorithm). Currently (as of version 0.8) gPackCount has 4932 lines of code, plus three basic libraries:
- libgobj (the basic object handling; lists, etc)
- libgobjeio (for the extended generic I/O services)
- libgpcap (pcap eased interface)
Around this utility, the 'NetPack' package was formed as a set of useful services, explained briefly below.
NetPack is a package of the following functionality:
* libgpcap (wrapped pcap functionality, using also libgobj)
DIR: ../.../gprog/gsrc/gpcap
* Autonomous System (AS) tables builder: one .asg and many .ast tables
DIR: gAstCompile
* Packet counter utility
Shows IP packet structure, and in particular TCP details.
This also serves as a test of libgpcap.
DIR: gPackCount
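The packet counter's job, as described above, is to take the raw bytes pcap hands over and show the IP packet structure and the TCP details (endpoints, payload size, the payload itself). The following Python script is an added example, not code from netpack or libgpcap: it builds a constructed IPv4/TCP packet with valid header checksums (nothing is sent; addresses 192.0.2.x are documentation addresses), decodes the IPv4 and TCP headers with struct, verifies both checksums, and renders the result in the same "{TCP/IP} (size=N, str=M) src => dst payload" layout that gpackcount's -v output uses, with non-printable bytes shown as [XX] escapes. The checksum checks are the caveat a practitioner would want: a counter that trusts corrupted or crafted headers miscounts, so a bad checksum here is reported as an error rather than silently decoded.

```python
import socket
import struct

IHL_MIN = 5  # IPv4 header length in 32-bit words when no options are present
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5 of the flags byte


def ones_complement_sum(data):
    """Internet checksum (RFC 1071): 16-bit one's complement sum, odd tail padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload, seq=1, ack=0):
    """Assemble an IPv4 packet carrying one TCP segment, with both checksums filled in.
    Used only to construct sample input offline; no packet is ever sent."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | IHL_MIN, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, socket.IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, tcp_len)
    csum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Decode IPv4 + TCP headers, verify both checksums, and return the fields
    a packet counter displays. Raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < total_len or total_len < ihl + 20:
        raise ValueError("not a well-formed IPv4 header")
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:total_len]          # drop any link-layer padding after the datagram
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(tcp):
        raise ValueError("bad TCP data offset")
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    if ones_complement_sum(pseudo + tcp) != 0:
        raise ValueError("bad TCP checksum")
    return {
        "src": "%s:%d" % (socket.inet_ntoa(src), sport),
        "dst": "%s:%d" % (socket.inet_ntoa(dst), dport),
        "flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
        "seq": seq, "ack": ack,
        "payload": tcp[doff:],
    }


def gpackcount_style(fields):
    """Render a decoded segment in the layout of gpackcount's -v output:
    printable bytes as-is, everything else as a [XX] hex escape."""
    shown = "".join(chr(b) if 0x20 <= b < 0x7F else "[%02X]" % b for b in fields["payload"])
    tail = " " + shown if shown else ""
    return "{TCP/IP} (size=%d, str=%d) %s => %s%s" % (
        len(fields["payload"]), len(shown), fields["src"], fields["dst"], tail)


if __name__ == "__main__":
    # PSH|ACK (0x18) segment from a client to a POP3 server carrying "quit\r\n"
    pkt = build_ipv4_tcp("192.0.2.10", "192.0.2.1", 2503, 110, 0x18, b"quit\r\n")
    print(gpackcount_style(parse_ipv4_tcp(pkt)))
```

The formatter reproduces the transcript's accounting: size= is the payload byte count and str= the printed length, so "quit\r\n" shows as size=6, str=12 just as in the gpackcount output earlier on this page.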
The TCP format
TCP Segment Format
This first article is only about the TCP segment format.
The netpack package is focused entirely on TCP (not UDP).