Building Open Source Network Security Tools: Components and Techniques [Electronic resources]

Mike D. Schiffman

Sample Program-Scoop

Scoop, shown in Figure 8.2, is a small tool that demonstrates packet sniffing as a passive reconnaissance technique. It is a simple Ethernet packet sniffer that understands Ethernet II, ARP, IP, ICMP, UDP, and TCP, with primitive demultiplexing and decoding capabilities that let it parse a few of the fields in each of these protocols.


Figure 8.2: Scoop packet sniffer.

By specifying the -h argument, Scoop dumps its usage as follows:


tradecraft: ~# ./scoop -h
Scoop 1.0 [IP packet sniffing tool]
usage ./scoop [options] ["pcap filter"]
-h this blurb you see right here
-i device specify a device
-S streaming packet dump (useless)
-s snaplen set the snapshot length
-x print payload data in hex

Like many programs we have seen in this book, Scoop lets the user choose the device to sniff on (-i). The -s option sets the snapshot length, or snaplen: the maximum number of bytes libpcap captures from each frame. Anything beyond the snaplen is discarded, so a captured frame can end in the middle of a header, and a decoder has to check lengths before it reads. The -x option tells Scoop to print everything past the Ethernet header in hex. Finally, the user can pass a libpcap filter expression as the last argument, in which case only packets matching the filter are delivered to Scoop. A sample invocation of Scoop with no arguments is as follows:



tradecraft: ~# ./scoop
Scoop 1.0 [IP packet sniffing tool]
<ctrl-c> to quit
IP: 192.168.0.118 -> 10.149.0.100 (73) id: 29225 UDP: 11847 -> 53
IP: 10.149.0.100 -> 192.168.0.118 (118) id: 26315 UDP: 53 -> 11847
IP: 192.168.0.118 -> 10.149.0.1004 (73) id: 2481 UDP: 36093 -> 53
IP: 10.149.0.1004 -> 192.168.0.118 (56) id: 44951 ICMP: unreachable port
IP: 192.168.0.118 -> 192.168.0.114 (84) id: 12304 ICMP: echo
IP: 192.168.0.114 -> 192.168.0.118 (84) id: 0 ICMP: echo reply
IP: 192.168.0.118 -> 192.168.0.114 (84) id: 32632 ICMP: echo
IP: 192.168.0.114 -> 192.168.0.118 (84) id: 0 ICMP: echo reply
IP: 192.168.0.118 -> 192.168.0.115 (116) id: 4386 TCP: 443 -> 15925 PA
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 48620 TCP: 15925 -> 443 A
IP: 192.168.0.118 -> 192.168.0.115 (204) id: 31689 TCP: 443 -> 15925 PA
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 48629 TCP: 15925 -> 443 A
IP: 192.168.0.118 -> 192.168.0.115 (204) id: 28551 TCP: 443 -> 15925 PA
ARP: y0 who's got 192.168.0.118 tell 192.168.0.114
ARP: y0 192.168.0.118 is at 0:a0:c9:95:31:af
ARP: y0 who's got 192.168.0.117 tell 192.168.0.118
ARP: y0 who's got 192.168.0.117 tell 192.168.0.118
IP: 192.168.0.118 -> 192.168.22.111 (76) id: 17686 UDP: 123 -> 123
IP: 192.168.22.111 -> 192.168.0.118 (76) id: 9021 UDP: 123 -> 123
^CInterrupt signal caught…
Packets received by libpcap: 956
Packets dropped by libpcap: 0

This output is all pretty standard. We can see ARP, UDP, TCP, and ICMP traffic on the network, including DNS lookups (UDP port 53), one of which draws an ICMP port-unreachable reply, and NTP (UDP port 123) exchanges. The TCP session between 192.168.0.118 and 192.168.0.115 on TCP port 443 looks the most interesting. Let's zero in on it with the -x option and a libpcap filter string keyed to the client's ephemeral port:


tradecraft: ~# ./scoop -s400 -x "tcp port 15925"
Scoop 1.0 [IP packet sniffing tool]
<ctrl-c> to quit
IP: 192.168.0.118 -> 192.168.0.115 (116) id: 39023 TCP: 443 -> 15925 PA
00 4510 0074 986f 4000 4006 d824 c0a8 0076
10 c0a8 0073 01bb 3e35 89e4 1aea 615b d2c7
20 5018 40b0 a3b3 0000 0000 0044 8a59 6113
30 409d 7ddc 696a dec1 2a7a a1c8 28dd 5abd
40 0a0f 30b2 21b2 4b50 0022 00df abf5 6cc6
50 95c9 71e6 37b2 4694 7be4 f472 7012 def6
60 83e7 ad68 7fcb 73bf 0686 f7f7 80f5 0e03
70 9ecf 4e2d
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 51272 TCP: 15925 -> 443 A
00 4500 0028 c848 4000 8006 68a7 c0a8 0073
10 c0a8 0076 3e35 01bb 615b d2c7 89e4 1b36
20 5010 fa54 d271 0000 0000 0000 0000
IP: 192.168.0.118 -> 192.168.0.115 (332) id: 61251 TCP: 443 -> 15925 PA
00 4510 014c ef43 4000 4006 8078 c0a8 0076
10 c0a8 0073 01bb 3e35 89e4 1b36 615b d2c7
20 5018 40b0 8d81 0000 0000 011c 3fec 0cbc
30 c2c3 db41 f596 0563 4fd0 442b ef86 a1f8
40 2589 8905 2e85 7211 b704 4cf1 ee71 2818
50 af28 5c6e fd42 4fda f2aa 9c7d b11f b556
60 ea1a 0522 0eef 86bf 89a1 3560 5697 ba09
70 4f6f d44e f5bc ce18 462b 719c 29ad ced1
80 bcd7 2752 9ce4 2a2a 35b1 1f4c bd0a 9c61
90 5e3b 5222 fee3 fb44 4eed 5344 d13d e8dd
a0 842c 44ac 61ed 0125 6e44 0611 d87b efd6
b0 003e 78bb 8890 0bff f2a4 56d5 be01 79f8
c0 f79a f52a a962 89a0 45d6 7c78 e330 49aa
d0 4361 73c8 83e3 f3c0 5956 e72b 2ac3 c0cd
e0 1a25 66fb bb1c 1774 17a6 3ed6 e0bc bb3b
f0 90d3 3b98 f3f8 d1a9 6084 c8f3 e478 2203
100 d7ba 8432 c450 6c7a dd37 af2b 062b dc77
110 51c1 20f8 a1b7 c81c 7b71 79be c8b1 ead1
120 07f1 5d14 0983 f3dd e7c6 f298 7afe 9838
130 22ad 5418 cb49 5f17 23f0 a35b 1d90 b1fd
140 d4f2 7675 1dc7 199b 8c1f 6adb
Packets received by libpcap: 27
Packets dropped by libpcap: 0

It appears that Scoop has picked up SSL traffic on the local network, since TCP port 443 is the well-known HTTPS port. It is odd, however, that the hex dump of the packet data does not look like SSL: the payload of each data segment begins with 00 00 00 44 and 00 00 01 1c respectively, not with an SSLv3/TLS record header (a content-type byte between 0x14 and 0x17 followed by the protocol version). A port number is only a hint about what protocol is in use; identifying the application protocol requires looking at the payload. Figuring out what this traffic really is is left as an exercise for the reader.
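Scoop's per-packet lines come from exactly the kind of demultiplexing described at the start of this section: read the Ethernet type, branch to ARP or IP, read the IP protocol field, branch to ICMP, UDP or TCP, and print a few fields. The C program below is an added example written for this page, not Scoop's source. It performs that decoding on a raw frame held in a byte buffer, so it runs without libpcap (in a live sniffer the buffer would be the one libpcap passes to the pcap_loop callback). The TCP sample is the 40-byte second packet of the -x dump above with a constructed Ethernet header in front of it (the destination MAC is the one the earlier ARP reply gives for 192.168.0.118; the source MAC is invented). The ARP request, including its MAC addresses, is entirely constructed, and the ARP output leaves out Scoop's "y0". The summary line it produces for the TCP packet matches the one Scoop printed.

```c
/* Added example (written for this page; not Scoop's source): a minimal
 * Ethernet II / ARP / IPv4 / ICMP / UDP / TCP demultiplexer that writes one
 * Scoop-style summary line per frame, from a raw byte buffer, no libpcap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static void ip_str(const uint8_t *p, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", p[0], p[1], p[2], p[3]);
}

/* Flag letters in Scoop's order (FIN SYN RST PSH ACK URG): PSH+ACK -> "PA". */
static void tcp_flags(uint8_t f, char out[7])
{
    int n = 0;
    for (int i = 0; i < 6; i++)
        if (f & (1u << i)) out[n++] = "FSRPAU"[i];
    out[n] = '\0';
}

static const char *icmp_name(uint8_t type, uint8_t code)
{
    return type == 8 ? "echo" : type == 0 ? "echo reply"
         : type == 3 ? (code == 3 ? "unreachable port" : "unreachable") : "other";
}

/* Summarise one Ethernet II frame into out. Returns the IP protocol number for
 * IPv4, 0x0806 for ARP, or -1 if the frame is of another type or cut short (as
 * a small snaplen does). Every header is length-checked before it is read. */
int decode_frame(const uint8_t *f, size_t len, char *out, size_t outlen)
{
    char src[16], dst[16], fl[7];
    if (len < 14) return -1;
    uint16_t type = rd16(f + 12);
    const uint8_t *p = f + 14;                 /* network-layer header */
    size_t n = len - 14;
    if (type == 0x0806) {                      /* ARP: op @6, sha @8, spa @14, tpa @24 */
        if (n < 28) return -1;
        ip_str(p + 14, src); ip_str(p + 24, dst);
        if (rd16(p + 6) == 1)
            snprintf(out, outlen, "ARP: who's got %s tell %s", dst, src);
        else
            snprintf(out, outlen, "ARP: %s is at %x:%x:%x:%x:%x:%x", src,
                     p[8], p[9], p[10], p[11], p[12], p[13]);
        return 0x0806;
    }
    if (type != 0x0800 || n < 20) return -1;   /* IPv4 only from here on */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || n < ihl) return -1;
    ip_str(p + 12, src); ip_str(p + 16, dst);
    int w = snprintf(out, outlen, "IP: %s -> %s (%u) id: %u ",
                     src, dst, rd16(p + 2), rd16(p + 4));
    if (w < 0 || (size_t)w >= outlen) return -1;
    out += w; outlen -= (size_t)w;
    const uint8_t *t = p + ihl;                /* transport-layer header */
    size_t tn = n - ihl;
    uint8_t proto = p[9];
    if (proto == 1 && tn >= 4)
        snprintf(out, outlen, "ICMP: %s", icmp_name(t[0], t[1]));
    else if (proto == 6 && tn >= 20) {
        tcp_flags(t[13] & 0x3f, fl);
        snprintf(out, outlen, "TCP: %u -> %u %s", rd16(t), rd16(t + 2), fl);
    } else if (proto == 17 && tn >= 8)
        snprintf(out, outlen, "UDP: %u -> %u", rd16(t), rd16(t + 2));
    else
        return -1;                             /* unknown protocol or header cut short */
    return proto;
}

/* Returns the summary line from a static buffer, or "truncated" on error. */
const char *summary(const uint8_t *f, size_t len)
{
    static char line[128];
    if (decode_frame(f, len, line, sizeof line) < 0) strcpy(line, "truncated");
    return line;
}

/* Sample frames. tcp_frame is the 40-byte second packet of the -x dump above
 * behind a constructed Ethernet header (dst MAC from the ARP reply above,
 * src MAC invented). arp_frame is an invented request, including its MACs. */
static const uint8_t tcp_frame[] = {
    0x00,0xa0,0xc9,0x95,0x31,0xaf, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28,0xc8,0x48,0x40,0x00,0x80,0x06,0x68,0xa7,
    0xc0,0xa8,0x00,0x73, 0xc0,0xa8,0x00,0x76,
    0x3e,0x35,0x01,0xbb, 0x61,0x5b,0xd2,0xc7, 0x89,0xe4,0x1b,0x36,
    0x50,0x10,0xfa,0x54, 0xd2,0x71,0x00,0x00 };
static const uint8_t arp_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01, 0x00,0x11,0x22,0x33,0x44,0x55,
    0xc0,0xa8,0x00,0x72, 0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x00,0x76 };

int main(void)
{
    puts(summary(arp_frame, sizeof arp_frame));
    puts(summary(tcp_frame, sizeof tcp_frame));
    puts(summary(tcp_frame, 30));              /* 30 bytes: cut mid-IP-header */
}
```

The length checks are the part worth copying into a real sniffer: the bytes come off the wire from hosts you do not control, and with a small snaplen (the -s option) a frame can legitimately end in the middle of any header. The example reports such frames as truncated instead of reading past the end of the buffer, which is how a decoder bug in a sniffer turns into a crash or worse.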
