3/3/13

Examples: Sniffers

Experimenting with Linux ethernet sniffers


IPInvestigator 1.1, Sniffit 0.3.5
Last updated: 21st of March 1999. Analyzed by: Johannes Kleimola, Johannes.Kleimola@hut.fi

IPInvestigator 1.1
Version 1.1, written by Jeff Thompson. IPInvestigator consists of two separate programs, List and Watch. With the first one you can listen for the connections currently on the wire (as a snapshot, not in real time) and have them printed on stdout with IP addresses and ports. Let's take a look.
    [root@parittaja IPI]# ./List eth0 10
    Up and running. Collect them NFO'Z
    0: src: 10.0.0.81 22 dst: 10.0.0.254 1019
    1: src: 10.0.0.91 23 dst: 10.0.0.81 26241
    2: src: 10.0.0.81 26241 dst: 10.0.0.91 23
    3: src: 10.0.0.254 1019 dst: 10.0.0.81 22
    4: src: 10.0.0.254 1020 dst: 10.0.0.61 22
    5: src: 10.0.0.61 22 dst: 10.0.0.254 1020
    Found 6 unique connections.
    [root@parittaja IPI]#

As can be seen, there are a couple of ssh connections (port 22) and one telnet connection (port 23) going; List counts each direction separately, so three connections show up as six entries. Traffic between other hosts is visible at all only because the sniffing host shares the Ethernet segment with them and reads it in promiscuous mode. Since ssh is encrypted, we are only interested in the latter one. With Watch you can pick one of the connections (by specifying source IP, destination IP, source port and destination port, in that order, with the dots stripped from the addresses) and watch it in real time, printed on stdout. I'll pick the server-to-client direction (10.0.0.91 port 23 to 10.0.0.81 port 26241), so we'll see everything that is happening: the server echoes what the user types along with its own output.
    [root@parittaja IPI]# ./Watch eth0 100091 100081 23 26241
    Up and running. Collect them NFO'Z
    ls^M^M
    files letter.txt mail^M^M
    # ls -al^M^M
    total 10^M^M
    drwxr-xr-x   4 1017     other        512 Mar 20 01:41 .^M^M
    drwxr-xr-x  29 root     other        512 Mar 16 21:20 ..^M^M
    drwxr-xr-x   2 root     other        512 Mar 20 01:26 files^M^M
    -rw-r--r--   1 root     other         78 Mar 20 01:41 letter.txt^M^M
    drwxr-xr-x   2 root     other        512 Mar 20 01:25 mail^M^M
    # ps^M^M
      PID TTY      TIME CMD^M^M
    16442 pts/1    0:00 ps^M^M
     1600 pts/1    0:01 sh^M^M
    # cd ..^M^M
    # pwd^M^M
    /home2^M^M
    # telnet rikas^M^M
    rikas: Unknown host^M^M
    # telnet 10.0.0.81^M^M
    Trying 10.0.0.81...^M^M
    Connected to 10.0.0.81.^M^M
    Escape character is '^]'.^M^M
    ^M^M
    Red Hat Linux release 5.2 (Apollo)^M^M
    Kernel 2.0.36 on an i686^M^M
    login: jj^M^M
    Password: ^M^M
    Last login: Sat Mar 20 01:47:04 from localhost^M^M
    [jj@rikas ~]$ exit^M
    logout^M^M
    Connection closed by foreign host.^M^M
    #
    [root@parittaja IPI]#

This time we saw everything the user did, but not his password (the server does not echo it back to the user). For the password we would have had to pick the client-to-server direction of the telnet connection, which carries the keystrokes themselves. IPInvestigator compiles fine on an old Red Hat 4.2 (libc5), but requires changes to compile on newer systems.

Sniffit 0.3.5
Written by Brecht Claerhout. Sniffit is one of the most famous and best ethernet sniffers for Linux. You can run it either from the command line (several configuration options, with optional filters and plug-ins) or in interactive mode. Below is a short telnet session that we'll track with sniffit afterwards.
    # telnet 10.0.0.81
    Trying 10.0.0.81...
    Connected to 10.0.0.81.
    Escape character is '^]'.
    Red Hat Linux release 5.2 (Apollo)
    Kernel 2.0.36 on an i686
    login: jj
    Password:
    Last login: Sun Mar 21 22:01:34 from rakas
    [jj@rikas ~]$ ls -al^M^M
    total 14
    drwx------   4 jj       jj           1024 Mar 21 21:56 .
    drwxr-xr-x  37 root     root         1024 Mar 20 02:27 ..
    -rw-------   1 jj       jj            210 Mar 20 01:47 .Xauthority
    -rw-r--r--   1 jj       jj           1155 Mar 17 20:46 .Xdefaults
    -rw-------   1 jj       jj           2918 Mar 20 01:51 .bash_history
    -rw-r--r--   1 jj       jj             24 Mar 17 20:46 .bash_logout
    -rw-r--r--   1 jj       jj            230 Mar 17 20:46 .bash_profile
    -rw-r--r--   1 jj       jj            124 Mar 17 20:46 .bashrc
    drwxr-xr-x   2 jj       jj           1024 Mar 18 00:43 .ssh
    -rw-rw-r--   1 jj       jj            121 Mar 21 21:57 dead.letter
    drwxrwxr-x   2 jj       jj           1024 Mar 21 21:56 mail
    [jj@rikas ~]$ exit^M^M
    logout
    Connection closed by foreign host.
    #

The interactive mode of sniffit gives you a nice ncurses window with some configuration options; those are stripped from the outputs below. The sniffit window shows the ongoing connections in real time and you can select one for interactive logging with the up and down arrows and Enter. Here's an example of the ongoing connections; we'll pick the telnet session again (10.0.0.91 port 34483 to 10.0.0.81 port 23).
    10.0.0.61     22     > 10.0.0.81     1021
    10.0.0.81     22     > 10.0.0.254    1019
    10.0.0.254    1022   > 10.0.0.81     22
    10.0.0.81     1023   > 10.0.0.91     513
    10.0.0.91     34483  > 10.0.0.81     23
    10.0.0.81     23     > 10.0.0.91     34483
    10.0.0.91     513    > 10.0.0.81     1023
    10.0.0.81     22     > 10.0.0.254    1022
    10.0.0.254    1019   > 10.0.0.81     22
    10.0.0.81     1021   > 10.0.0.61     22

    *LOGGED*

Logging a connection gives you a real-time view showing every printable character (non-printable bytes are shown as dots). This time I picked the client-to-server direction, so we only see what the user typed. But that gives us what we want: the username and the password (the first two 'words').
    jj..t00s1mple..ls -al..exit
    10.0.0.91 34483 > 10.0.0.81 23
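The point made above (the client-to-server half of a telnet session carries the typed username and password, while the server-to-client half only echoes the name and never the password) and Watch's one-direction view from the IPInvestigator section can both be reproduced in a few dozen lines of Python. This is an added example written for this page, not code from IPInvestigator or sniffit. The hosts and ports are the page's (10.0.0.91 port 34483 to 10.0.0.81 port 23); the frames themselves, the function names and the way the login lines are picked out are constructed for the example.

```python
# Added example (not IPInvestigator or sniffit code): a minimal one-direction
# TCP stream sniffer showing why the client->server half of a telnet session
# yields the credentials while the server->client half only echoes the name.
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, ethertype
ETHERTYPE_IP, IP_PROTO_TCP = 0x0800, 6
IAC, SB, SE = 0xFF, 0xFA, 0xF0           # telnet option negotiation (RFC 854)


def parse_frame(frame):
    """Return ((src_ip, sport, dst_ip, dport), seq, payload) for an IPv4/TCP
    Ethernet frame, or None for anything else (ARP, UDP, ICMP, ...)."""
    if len(frame) < 34 or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_IP:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IP_PROTO_TCP or len(ip) < total_len:
        return None
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    data_off = (tcp[12] >> 4) * 4
    return (src_ip, sport, dst_ip, dport), seq, tcp[data_off:]


def strip_telnet(data):
    """Drop IAC negotiation so only typed/printed bytes remain; the leftover
    control characters are what sniffit renders as dots."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break
        elif data[i + 1] == IAC:              # escaped literal 0xFF
            out.append(IAC); i += 2
        elif data[i + 1] == SB:               # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= data[i + 1] <= 0xFE:     # WILL/WONT/DO/DONT <option>
            i += 3
        else:                                 # two-byte command
            i += 2
    return bytes(out)


def reassemble(frames):
    """One byte stream per direction (4-tuple), ordered by TCP sequence number,
    like Watch's view of a single connection; retransmissions collapse."""
    segs = defaultdict(dict)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segs[key].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}


def extract_login(frames, server_ip, server_port=23):
    """(username, password) = the first two lines typed on the client->server
    half of the session, the 'two first words' the page picks out."""
    for (_, _, dip, dport), data in reassemble(frames).items():
        if (dip, dport) == (server_ip, server_port):
            text = strip_telnet(data).replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
            lines = [l for l in text.split(b"\n") if l.strip()]
            if len(lines) >= 2:
                return lines[0].decode(), lines[1].decode()
    return None


def build_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums
    left zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IP_PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, ETHERTYPE_IP) + ip + tcp


# Constructed capture of the page's 10.0.0.91:34483 -> 10.0.0.81:23 session.
# Frames are deliberately out of order and one is retransmitted to exercise
# the reassembly; the server echoes the username but never the password.
CLIENT, SERVER = ("10.0.0.91", 34483), ("10.0.0.81", 23)
SAMPLE_CAPTURE = [
    build_frame(*CLIENT, *SERVER, 1, bytes([IAC, 0xFD, 0x01])),   # IAC DO ECHO
    build_frame(*SERVER, *CLIENT, 1, b"login: "),
    build_frame(*CLIENT, *SERVER, 4, b"jj\r\n"),
    build_frame(*SERVER, *CLIENT, 8, b"jj\r\nPassword: "),        # echo of the name only
    build_frame(*CLIENT, *SERVER, 19, b"ls -al\r\n"),              # arrives early
    build_frame(*CLIENT, *SERVER, 8, b"t00s1mple\r\n"),
    build_frame(*CLIENT, *SERVER, 8, b"t00s1mple\r\n"),           # retransmission
    build_frame(*SERVER, *CLIENT, 22, b"\r\n[jj@rikas ~]$ "),
]
```

Running `extract_login(SAMPLE_CAPTURE, "10.0.0.81")` returns ("jj", "t00s1mple"), while the reassembled server-to-client stream reads `login: jj`, `Password:` and the prompt with no password in it, which is exactly the difference between the two directions seen with Watch and sniffit above. The keys of `reassemble()` are the same per-direction entries List prints. Fed raw frames from a Linux AF_PACKET socket on an interface in promiscuous mode (root required, and only traffic that actually reaches that segment), the same parser works on live traffic.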

Even though the interactive mode is good for getting an overview of the connections, and maybe for administrative monitoring, the real strength of sniffit is in its command-line controls and logging. You can specify what is logged and how, and even use filters (configuration files) and plug-ins for filtering and printing (a nice DNS plug-in ships with sniffit). Sniffit compiles fine on both Red Hat 4.2 (libc5) and Red Hat 5.2 (glibc2).

forum.ouah.org/examples_sniffering.html