Scoop, shown in Figure 8.2, is a small tool that demonstrates the packet-sniffing (passive reconnaissance) technique. It is a simple Ethernet packet sniffer that understands Ethernet II, ARP, IP, ICMP, UDP, and TCP. It has primitive demultiplexing and decoding capabilities, enough to parse a few of the fields in each of these protocols.
Figure 8.2: Scoop packet sniffer.
By specifying the -h argument, Scoop dumps its usage as follows:
tradecraft: ~# ./scoop -h
Scoop 1.0 [IP packet sniffing tool]
usage ./scoop [options] ["pcap filter"]
    -h          this blurb you see right here
    -i device   specify a device
    -S          streaming packet dump (useless)
    -s snaplen  set the snapshot length
    -x          print payload data in hex
Like many programs we have seen in this book, Scoop lets the user pick the device to sniff on (the -i option). The -s option sets the snapshot length, the largest number of bytes Scoop captures from each frame. The -x option tells Scoop to print everything past the Ethernet header in hex. Finally, the user can pass Scoop a libpcap filter expression to restrict which packets are reported. A sample invocation of Scoop with no arguments is as follows:
tradecraft: ~# ./scoop
Scoop 1.0 [IP packet sniffing tool]
<ctrl-c> to quit
IP: 192.168.0.118 -> 10.149.0.100 (73) id: 29225 UDP: 11847 -> 53
IP: 10.149.0.100 -> 192.168.0.118 (118) id: 26315 UDP: 53 -> 11847
IP: 192.168.0.118 -> 10.149.0.1004 (73) id: 2481 UDP: 36093 -> 53
IP: 10.149.0.1004 -> 192.168.0.118 (56) id: 44951 ICMP: unreachable port
IP: 192.168.0.118 -> 192.168.0.114 (84) id: 12304 ICMP: echo
IP: 192.168.0.114 -> 192.168.0.118 (84) id: 0 ICMP: echo reply
IP: 192.168.0.118 -> 192.168.0.114 (84) id: 32632 ICMP: echo
IP: 192.168.0.114 -> 192.168.0.118 (84) id: 0 ICMP: echo reply
IP: 192.168.0.118 -> 192.168.0.115 (116) id: 4386 TCP: 443 -> 15925 PA
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 48620 TCP: 15925 -> 443 A
IP: 192.168.0.118 -> 192.168.0.115 (204) id: 31689 TCP: 443 -> 15925 PA
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 48629 TCP: 15925 -> 443 A
IP: 192.168.0.118 -> 192.168.0.115 (204) id: 28551 TCP: 443 -> 15925 PA
ARP: y0 who's got 192.168.0.118 tell 192.168.0.114
ARP: y0 192.168.0.118 is at 0:a0:c9:95:31:af
ARP: y0 who's got 192.168.0.117 tell 192.168.0.118
ARP: y0 who's got 192.168.0.117 tell 192.168.0.118
IP: 192.168.0.118 -> 192.168.22.111 (76) id: 17686 UDP: 123 -> 123
IP: 192.168.22.111 -> 192.168.0.118 (76) id: 9021 UDP: 123 -> 123
^CInterrupt signal caught…
Packets received by libpcap: 956
Packets dropped by libpcap: 0
This output is all pretty standard. We can see ARP, UDP, TCP, and ICMP traffic on the network. In the middle of it is a TCP session between 192.168.0.118 and 192.168.0.115 on TCP port 443, which looks pretty interesting. Let's zero in on it a bit with the -x option and a libpcap filter string:
tradecraft: ~# ./scoop -s400 -x "tcp port 15925"
Scoop 1.0 [IP packet sniffing tool]
<ctrl-c> to quit
IP: 192.168.0.118 -> 192.168.0.115 (116) id: 39023 TCP: 443 -> 15925 PA
00   4510 0074 986f 4000 4006 d824 c0a8 0076
10   c0a8 0073 01bb 3e35 89e4 1aea 615b d2c7
20   5018 40b0 a3b3 0000 0000 0044 8a59 6113
30   409d 7ddc 696a dec1 2a7a a1c8 28dd 5abd
40   0a0f 30b2 21b2 4b50 0022 00df abf5 6cc6
50   95c9 71e6 37b2 4694 7be4 f472 7012 def6
60   83e7 ad68 7fcb 73bf 0686 f7f7 80f5 0e03
70   9ecf 4e2d
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 51272 TCP: 15925 -> 443 A
00   4500 0028 c848 4000 8006 68a7 c0a8 0073
10   c0a8 0076 3e35 01bb 615b d2c7 89e4 1b36
20   5010 fa54 d271 0000 0000 0000 0000 0000
IP: 192.168.0.118 -> 192.168.0.115 (332) id: 61251 TCP: 443 -> 15925 PA
00   4510 014c ef43 4000 4006 8078 c0a8 0076
10   c0a8 0073 01bb 3e35 89e4 1b36 615b d2c7
20   5018 40b0 8d81 0000 0000 011c 3fec 0cbc
30   c2c3 db41 f596 0563 4fd0 442b ef86 a1f8
40   2589 8905 2e85 7211 b704 4cf1 ee71 2818
50   af28 5c6e fd42 4fda f2aa 9c7d b11f b556
60   ea1a 0522 0eef 86bf 89a1 3560 5697 ba09
70   4f6f d44e f5bc ce18 462b 719c 29ad ced1
80   bcd7 2752 9ce4 2a2a 35b1 1f4c bd0a 9c61
90   5e3b 5222 fee3 fb44 4eed 5344 d13d e8dd
a0   842c 44ac 61ed 0125 6e44 0611 d87b efd6
b0   003e 78bb 8890 0bff f2a4 56d5 be01 79f8
c0   f79a f52a a962 89a0 45d6 7c78 e330 49aa
d0   4361 73c8 83e3 f3c0 5956 e72b 2ac3 c0cd
e0   1a25 66fb bb1c 1774 17a6 3ed6 e0bc bb3b
f0   90d3 3b98 f3f8 d1a9 6084 c8f3 e478 2203
100  d7ba 8432 c450 6c7a dd37 af2b 062b dc77
110  51c1 20f8 a1b7 c81c 7b71 79be c8b1 ead1
120  07f1 5d14 0983 f3dd e7c6 f298 7afe 9838
130  22ad 5418 cb49 5f17 23f0 a35b 1d90 b1fd
140  d4f2 7675 1dc7 199b 8c1f 6adb
Packets received by libpcap: 27
Packets dropped by libpcap: 0
It appears that Scoop picked up some SSL traffic on the local network. It is odd, however, that the hex dump of the packet data does not look like SSL traffic at all. Perhaps this is best left as an exercise for the reader: figure out what it really is.
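The decoding Scoop does for the -x run above can be checked by hand, and so can the "does not look like SSL" observation. The following added example (written for this page, not Scoop's own code) reparses the three hex dumps printed above, walks the IPv4 and TCP headers the way Scoop's demultiplexer does, reproduces Scoop's one-line summaries, confirms that the sequence and acknowledgement numbers of the three segments line up, and tests the payload against the SSLv3/TLS record-layer header (content type 0x14 to 0x17 followed by version 0x03 0x0n). The payload of both port-443 segments starts with 00 00 00 44 and 00 00 01 1c, so the check fails, which is what the author noticed. The example also recomputes the IPv4 header checksum; for the three headers exactly as printed it does not verify, a caveat worth noticing before trusting any deeper decode of a retyped dump. The embedded dump is the page's own data retyped as constructed input, with OCR confusions between the digit 1 and the letters l and I corrected.

```python
"""Decode Scoop's -x output (IPv4 + TCP), reprint it Scoop-style and test whether
the payload carries an SSL/TLS record header.  Added example, not Scoop's code."""
import struct
from collections import namedtuple

# Constructed input: the three packets from the -x run above, retyped with Scoop's
# offset column kept.  Scoop's "TCP: ..." summary lines may be present or absent.
SCOOP_DUMP = """\
IP: 192.168.0.118 -> 192.168.0.115 (116) id: 39023
00 4510 0074 986f 4000 4006 d824 c0a8 0076
10 c0a8 0073 01bb 3e35 89e4 1aea 615b d2c7
20 5018 40b0 a3b3 0000 0000 0044 8a59 6113
30 409d 7ddc 696a dec1 2a7a a1c8 28dd 5abd
40 0a0f 30b2 21b2 4b50 0022 00df abf5 6cc6
50 95c9 71e6 37b2 4694 7be4 f472 7012 def6
60 83e7 ad68 7fcb 73bf 0686 f7f7 80f5 0e03
70 9ecf 4e2d
IP: 192.168.0.115 -> 192.168.0.118 (40) id: 51272
00 4500 0028 c848 4000 8006 68a7 c0a8 0073
10 c0a8 0076 3e35 01bb 615b d2c7 89e4 1b36
20 5010 fa54 d271 0000 0000 0000 0000 0000
IP: 192.168.0.118 -> 192.168.0.115 (332) id: 61251
00 4510 014c ef43 4000 4006 8078 c0a8 0076
10 c0a8 0073 01bb 3e35 89e4 1b36 615b d2c7
20 5018 40b0 8d81 0000 0000 011c 3fec 0cbc
30 c2c3 db41 f596 0563 4fd0 442b ef86 a1f8
40 2589 8905 2e85 7211 b704 4cf1 ee71 2818
50 af28 5c6e fd42 4fda f2aa 9c7d b11f b556
60 ea1a 0522 0eef 86bf 89a1 3560 5697 ba09
70 4f6f d44e f5bc ce18 462b 719c 29ad ced1
80 bcd7 2752 9ce4 2a2a 35b1 1f4c bd0a 9c61
90 5e3b 5222 fee3 fb44 4eed 5344 d13d e8dd
a0 842c 44ac 61ed 0125 6e44 0611 d87b efd6
b0 003e 78bb 8890 0bff f2a4 56d5 be01 79f8
c0 f79a f52a a962 89a0 45d6 7c78 e330 49aa
d0 4361 73c8 83e3 f3c0 5956 e72b 2ac3 c0cd
e0 1a25 66fb bb1c 1774 17a6 3ed6 e0bc bb3b
f0 90d3 3b98 f3f8 d1a9 6084 c8f3 e478 2203
100 d7ba 8432 c450 6c7a dd37 af2b 062b dc77
110 51c1 20f8 a1b7 c81c 7b71 79be c8b1 ead1
120 07f1 5d14 0983 f3dd e7c6 f298 7afe 9838
130 22ad 5418 cb49 5f17 23f0 a35b 1d90 b1fd
140 d4f2 7675 1dc7 199b 8c1f 6adb
"""

# TCP flag letters, ordered so that PSH+ACK prints as "PA" like Scoop's output.
FLAG_ORDER = ((0x08, "P"), (0x10, "A"), (0x02, "S"), (0x01, "F"), (0x04, "R"), (0x20, "U"))

TcpPacket = namedtuple("TcpPacket", "src dst total_len ip_id ttl ip_checksum_ok "
                                    "sport dport seq ack flags payload")


def parse_scoop_dump(text):
    """One bytes object per packet: an 'IP:' line opens a packet, hex lines follow."""
    packets = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "IP:":
            packets.append(bytearray())
        elif packets and len(tokens) > 1 and all(len(w) == 4 for w in tokens[1:]):
            packets[-1] += bytes.fromhex("".join(tokens[1:]))  # drop the offset column
    return [bytes(p) for p in packets]


def ones_complement_sum(data):
    """RFC 1071 arithmetic; a header checksums correctly iff this returns 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_tcp(raw):
    """Walk the IPv4 then TCP headers; the payload is what follows both, cut at the
    IP total length so that Ethernet padding (visible in the 40-byte ACK) is excluded."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    flags = "".join(name for bit, name in FLAG_ORDER if off_flags & bit)
    return TcpPacket(".".join(map(str, src)), ".".join(map(str, dst)), total_len, ip_id, ttl,
                     ones_complement_sum(raw[:ihl]) == 0xFFFF,
                     sport, dport, seq, ack, flags, raw[ihl + data_off:total_len])


def scoop_line(p):
    """Reproduce Scoop's default one-line summary for an IP/TCP packet."""
    return f"IP: {p.src} -> {p.dst} ({p.total_len}) id: {p.ip_id} TCP: {p.sport} -> {p.dport} {p.flags}"


def looks_like_tls_record(payload):
    """SSLv3/TLS record header: content type 0x14..0x17, then version 0x03 0x00..0x04.
    (SSLv2-style client hellos use a different framing and are not covered here.)"""
    return len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 4


def acks_line_up(sent, reply):
    """The reply's ACK must equal the sent segment's SEQ plus its payload length."""
    return reply.ack == (sent.seq + len(sent.payload)) & 0xFFFFFFFF


if __name__ == "__main__":
    pkts = [decode_ipv4_tcp(raw) for raw in parse_scoop_dump(SCOOP_DUMP)]
    for p in pkts:
        print(scoop_line(p), "| ip cksum ok:", p.ip_checksum_ok, "| payload:", len(p.payload),
              "bytes, TLS record header:", looks_like_tls_record(p.payload))
    print("SEQ/ACK consistent:", acks_line_up(pkts[0], pkts[1]) and pkts[2].seq == pkts[1].ack)
```

Running it prints the same three summary lines Scoop printed, reports 76, 0 and 292 payload bytes, and answers False for the TLS record check on both data-carrying segments. The same parser accepts any -x dump in this layout, so it can be pointed at other Scoop output; the flag ordering beyond "P" and "A" is an assumption, since the page only shows those two.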