Analysis of sniffers commonly used by hackers under Linux | http://www.cshu.net





              Analysis of sniffers commonly used by hackers under Linux
              www.cshu.net  2002-9-22  fog rain village

              Abstract
              This article gives a detailed analysis of several sniffers that
              hackers frequently use under Linux. These sniffers are usually
              planted on the victim server by the intruder after a successful
              break-in. Each has its own characteristics: some are simple tools
              used only to capture user names and passwords, while others are
              very powerful and can record the entire network data stream.
              This article analyses several such sniffers. (2002-09-16 13:41:20)
              ----------------------------------------------------------------------

              1. Outline
              This article gives a detailed analysis of several sniffers that
              hackers frequently use under Linux. These sniffers are usually
              planted on the victim server by the intruder after a successful
              break-in. Each has its own characteristics: some are simple tools
              used only to capture user names and passwords, while others are
              very powerful and can record the entire network data stream.
              This article analyses the following sniffers:
              linsniffer
              linux_sniffer
              hunt
              sniffit
              2. linsniffer
              linsniffer is a simple and practical sniffer. Its main function is
              to capture user names and passwords, and it is very good at this.
              author: Mike Edulla
              requirements: C and IP headers
              configuration file: none
              location:
              Http://agape.trilidun.org/hack/network-sniffers/linsnifferc
              security history: none
              Note: easy to use, but linsniffer needs a complete set of IP
              headers, which normally live in /usr/include/net and
              /usr/include/netinet; make sure the PATH variable contains
              /usr/include before compiling.
              Compile linsniffer with the following command:
              gcc linsniffer.c -o linsniffer
              To run linsniffer, use the command:
              linsniffer
              Once started, linsniffer creates an empty file, tcp.log, in which
              it stores the sniffing results.
              For the test I created a user named hapless with the password
              unaware, then logged in to the Linux server as this user and
              performed some ordinary user operations. Below is the FTP session
              that was carried out:
              GNSS $ ftp 192.168.0.2
              Connected to 192.168.0.2.
              220 linux.test.net FTP server (Wed Aug 19 02:55:52 MST 1998) ready.
              Name (192.168.0.2:root): hapless
              331 Password required for hapless.
              Password:
              230 User hapless logged in.
              Remote system type is UNIX.
              Using binary mode to transfer files.
              ftp> ls -al
              200 PORT command successful.
              150 Opening ASCII mode data connection for /bin/ls.
              total 14
              drwxrwxr-x 4 hapless hapless 1024 May 20 19:35 .
              drwxr-xr-x 6 root root 1024 May 20 19:28 ..
              -rw-rw-r-- 1 hapless hapless 96 May 20 19:56 bash_history
              -rw-r--r-- 1 hapless hapless 49 Nov 25 1997 bash_logout
              -rw-r--r-- 1 hapless hapless 913 Nov 24 1997 bashrc
              -rw-r--r-- 1 hapless hapless 650 Nov 24 1997 cshrc
              -rw-r--r-- 1 hapless hapless 111 Nov 3 1997 inputrc
              -rwxr-xr-x 1 hapless hapless 186 Sep 1 1998 kshrc
              -rw-r--r-- 1 hapless hapless 392 Jan 7 1998 login
              -rw-r--r-- 1 hapless hapless 51 Nov 25 1997 logout
              -rw-r--r-- 1 hapless hapless 341 Oct 13 1997 profile
              -rwxr-xr-x 1 hapless hapless 182 Sep 1 1998 profile.ksh
              drwxr-xr-x 2 hapless hapless 1024 May 14 12:16 seyon
              drwxr-xr-x 3 hapless hapless 1024 May 14 12:15 lg
              226 Transfer complete.
              ftp> ls
              200 PORT command successful.
              150 Opening ASCII mode data connection for /bin/ls.
              total 14
              drwxrwxr-x 4 hapless hapless 1024 May 20 19:35 .
              drwxr-xr-x 6 root root 1024 May 20 19:28 ..
              -rw-rw-r-- 1 hapless hapless 96 May 20 19:56 bash_history
              -rw-r--r-- 1 hapless hapless 49 Nov 25 1997 bash_logout
              -rw-r--r-- 1 hapless hapless 913 Nov 24 1997 bashrc
              -rw-r--r-- 1 hapless hapless 650 Nov 24 1997 cshrc
              -rw-r--r-- 1 hapless hapless 111 Nov 3 1997 inputrc
              -rwxr-xr-x 1 hapless hapless 186 Sep 1 1998 kshrc
              -rw-r--r-- 1 hapless hapless 392 Jan 7 1998 login
              -rw-r--r-- 1 hapless hapless 51 Nov 25 1997 logout
              -rw-r--r-- 1 hapless hapless 341 Oct 13 1997 profile
              -rwxr-xr-x 1 hapless hapless 182 Sep 1 1998 profile.ksh
              drwxr-xr-x 2 hapless hapless 1024 May 14 12:16 seyon
              drwxr-xr-x 3 hapless hapless 1024 May 14 12:15 lg
              226 Transfer complete.
              ftp> ls -F
              200 PORT command successful.
              150 Opening ASCII mode data connection for /bin/ls.
              total 14
              drwxrwxr-x 4 hapless hapless 1024 May 20 19:35 ./
              drwxr-xr-x 6 root root 1024 May 20 19:28 ../
              -rw-rw-r-- 1 hapless hapless 96 May 20 19:56 bash_history
              -rw-r--r-- 1 hapless hapless 49 Nov 25 1997 bash_logout
              -rw-r--r-- 1 hapless hapless 913 Nov 24 1997 bashrc
              -rw-r--r-- 1 hapless hapless 650 Nov 24 1997 cshrc
              -rw-r--r-- 1 hapless hapless 111 Nov 3 1997 inputrc
              -rwxr-xr-x 1 hapless hapless 186 Sep 1 1998 kshrc*
              -rw-r--r-- 1 hapless hapless 392 Jan 7 1998 login
              -rw-r--r-- 1 hapless hapless 51 Nov 25 1997 logout
              -rw-r--r-- 1 hapless hapless 341 Oct 13 1997 profile
              -rwxr-xr-x 1 hapless hapless 182 Sep 1 1998 profile.ksh*
              drwxr-xr-x 2 hapless hapless 1024 May 14 12:16 seyon/
              drwxr-xr-x 3 hapless hapless 1024 May 14 12:15 lg/
              226 Transfer complete.
              ftp> cd lg
              250 CWD command successful.
              ftp> ls -F
              200 PORT command successful.
              150 Opening ASCII mode data connection for /bin/ls.
              total 8
              drwxr-xr-x 3 hapless hapless 1024 May 14 12:15 ./
              drwxrwxr-x 4 hapless hapless 1024 May 20 19:35 ../
              -rw-r--r-- 1 hapless hapless 70 Aug 22 1998 lg3_colors
              -rw-r--r-- 1 hapless hapless 629 Aug 22 1998 lg3_prefs
              -rw-r--r-- 1 hapless hapless 728 Aug 22 1998 lg3_soundPref
              -rw-r--r-- 1 hapless hapless 2024 Aug 22 1998 lg3_startup
              drwxr-xr-x 2 hapless hapless 1024 May 14 12:15 lg_layouts/
              226 Transfer complete.
              ftp> cd lg_layouts
              250 CWD command successful.
              This is a typical user session. Now let us look at the sniffing
              result produced by linsniffer:
              gnss => linux.test.net [ 21 ]
              USER hapless
              PASS unaware
              SYST
              PORT 172,16,0,1,4,192
              LIST -al
              PORT 172,16,0,1,4,193
              LIST
              PORT 172,16,0,1,4,194
              LIST -F
              CWD lg
              PORT 172,16,0,1,4,195
              LIST -F
              The output is very intuitive. First it records that this is an FTP
              connection from GNSS to the Linux host:
              gnss => linux.test.net [ 21 ]
              Then linsniffer captured the hapless user name and password:
              USER hapless
              PASS unaware
              Finally, linsniffer recorded every command that hapless used:
              SYST
              PORT 172,16,0,1,4,192
              LIST -al
              PORT 172,16,0,1,4,193
              LIST
              PORT 172,16,0,1,4,194
              LIST -F
              CWD lg
              PORT 172,16,0,1,4,195
              LIST -F
              The output is very compact and is well suited to intercepting
              passwords and recording ordinary activity, but it is not suited to
              more complex analysis. For that you may need linux_sniffer.
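From the responder's side, the practical use of a tcp.log found on a compromised host is to work out which accounts it exposed and must be reset. The following script is an added example, not part of the article or of linsniffer; it assumes only the log layout quoted above (a "src => dst [ port ]" header followed by the captured command lines), and the second POP3 session in the sample is invented to show that several connections are handled.

```python
"""Triage a linsniffer tcp.log: which accounts must be reset after an intrusion."""
import re
from dataclasses import dataclass, field

# Header line as quoted in the article, e.g. "gnss => linux.test.net [ 21 ]"
HEADER = re.compile(r"^(?P<src>\S+)\s*=>\s*(?P<dst>\S+)\s*\[\s*(?P<port>\d+)\s*\]$")


@dataclass
class Session:
    src: str
    dst: str
    port: int
    lines: list = field(default_factory=list)


def parse_tcp_log(text):
    """Group the log into sessions; lines before the first header are ignored."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = Session(m["src"], m["dst"], int(m["port"]))
            sessions.append(cur)
        elif cur is not None:
            cur.lines.append(line)
    return sessions


def exposed_accounts(sessions):
    """One record per session that carried a USER command (FTP, POP3, ...).

    The password itself is never copied into the report: the responder only
    needs to know that it was captured so that the account gets reset."""
    report = []
    for s in sessions:
        user, password_seen = None, False
        for line in s.lines:
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip()
            elif verb.upper() == "PASS":
                password_seen = True
        if user:
            report.append({
                "account": f"{user}@{s.dst}",
                "port": s.port,
                "client": s.src,
                "password_captured": password_seen,
                "commands": [l for l in s.lines if not l.upper().startswith("PASS")],
            })
    return report


# Constructed sample: the FTP session quoted in the article plus an invented
# POP3 session from the same client.
SAMPLE_LOG = """\
gnss => linux.test.net [ 21 ]
USER hapless
PASS unaware
SYST
PORT 172,16,0,1,4,192
LIST -al
PORT 172,16,0,1,4,193
LIST
PORT 172,16,0,1,4,194
LIST -F
CWD lg
PORT 172,16,0,1,4,195
LIST -F

gnss => mail.test.net [ 110 ]
USER hapless
PASS unaware
STAT
QUIT
"""


def triage(text=SAMPLE_LOG):
    return exposed_accounts(parse_tcp_log(text))


if __name__ == "__main__":
    for rec in triage():
        print(f"{rec['account']} (port {rec['port']}, from {rec['client']}): "
              f"password captured={rec['password_captured']}, "
              f"{len(rec['commands'])} commands logged")
```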
              3. linux_sniffer
              linux_sniffer provides relatively more detailed sniffing results.
              author: Loq
              requirements: C and IP headers
              configuration file: none
              download location:
              Http://www.ryanspc.com/sniffers/linux_sniffer.c.
              security history: none
              Note: linux_sniffer is easy to use, but needs a complete set of IP
              headers.
              Compile linux_sniffer with the following command:
              gcc linux_sniffer.c -o linuxsniff
              Below is a telnet session, recorded at the same time by
              linux_sniffer:
              GNSS 2# telnet 192.168.0.1
              Connected to 192.168.0.1.
              login: hapless
              password:
              [hapless@linux2 hapless]$ w
              19:55:29 up 58 min, 4 users, load average: 0.00, 0.00, 0.00
              USER    TTY   FROM  LOGIN@  IDLE   JCPU  PCPU  WHAT
              root    tty1        7:44pm  27.00s 0.17s 0.06s -bash
              root    tty2        7:46pm  1:56   0.24s 0.01s linuxsniff
              root    tty3        7:44pm  10:43  0.17s 0.07s -bash
              hapless ttyp0 gnss  7:55pm  1.00s  0.26s 0.04s w
              [hapless@linux2 hapless]$ who
              root tty1 May 20 19:44
              root tty2 May 20 19:46
              root tty3 May 20 19:44
              hapless ttyp0 May 20 19:55 (gnss)
              [hapless@linux2 hapless]$ finger -l
              Login: root Name: root
              Directory: /root Shell: /bin/bash
              On since Thu May 20 19:44 (PDT) on tty1 35 seconds idle
              On since Thu May 20 19:46 (PDT) on tty2 2 minutes 4 seconds idle
              On since Thu May 20 19:44 (PDT) on tty3 10 minutes 51 seconds idle
              No mail.
              No Plan.
              Login: hapless Name: Caldera OpenLinux User
              Directory: /home/hapless Shell: /bin/bash
              On since Thu May 20 19:55 (PDT) on ttyp0 from gnss
              No mail.
              No Plan.
              Again this is a typical login session: the user logs in, checks
              which users are logged in, and so on. linux_sniffer records extra
              address data, but it likewise records some important data. First
              it recorded the connection:
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 ff fc 27 - ..'
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 ff fa 1f 00 50 00 28 ff - f0 ....P.(..
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 ff fa 20 00 33 38 34 30 - 30 2c 33 38 34 30 30 ff .. .38400,38400.
              0010 f0 ff fa 23 00 47 4e 53 - 53 3a 30 2e 30 ff f0 ff ...#.GNSS:0.0...
              0020 fa 18 00 49 52 49 53 2d - 41 4e 53 49 2d 4e 45 54 ...IRIS-ANSI-NET
              0030 ff f0 - ..
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 ff fc 01 - ...
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 ff fd 01 - ...
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Then linux_sniffer recorded the login process, shown in bold
              below:
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 68 - h
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 61 - a
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 70 - p
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 6c - l
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 65 - e
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 73 - s
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 73 - s
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 0d 00 - ..
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 75 - u
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 6e - n
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 61 - a
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 77 - w
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 61 - a
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 72 - r
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 65 - e
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Finally, linux_sniffer recorded all the commands:
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 77 - w
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 0d 00 - ..
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 77 - w
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 68 - h
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 6f - o
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 0d 00 - ..
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 66 - f
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 69 - i
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 6e - n
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 67 - g
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 65 - e
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              0000 72 - r
              Eth
              Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]
              As you can see, linux_sniffer provides relatively more detailed
              content.
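Reading a dump like the one above by hand is slow: the first packets are telnet option negotiation (the client announces its window size, terminal speed, X display and terminal type), and after that every keystroke travels in its own packet. The decoder below, an added example that is not part of the article or of linux_sniffer, assumes only the dump layout quoted above (an "Eth" line, a "Proto:" line, then "offset hex-bytes - ascii" lines) and reassembles the client's byte stream into option events and typed lines; the sample is constructed from the article's own packets.

```python
"""Decode a linux_sniffer-style hex dump of the client side of a telnet session."""
import re
import struct

# Telnet protocol constants (RFC 854) and the options seen in the dump.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT = {1: "ECHO", 24: "TTYPE", 31: "NAWS", 32: "TSPEED", 35: "XDISPLOC", 39: "NEW-ENVIRON"}

HEX_LINE = re.compile(r"^[0-9a-f]{4}\s+(.*)$")   # "0000 ff fc 27 - ..'"


def packet_payloads(dump):
    """Return the payload bytes of each packet, in dump order.

    A dump line carries at most 16 bytes; the ASCII column starts at the first
    token that is not a hex pair, so an ASCII column beginning with two hex
    letters would be misread (the article's packets never do that)."""
    payloads, cur = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line == "Eth":
            cur = bytearray()
            payloads.append(cur)
            continue
        m = HEX_LINE.match(line)
        if not m or cur is None:
            continue                        # "Proto:" header or noise
        n = 0
        for tok in m.group(1).split():
            if tok == "-":
                continue                    # separator after the 8th byte
            if n == 16 or not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                       # reached the ASCII column
            cur.append(int(tok, 16))
            n += 1
    return [bytes(p) for p in payloads]


def describe_sub(opt, body):
    """Render a subnegotiation body; the text options carry IS (0) then text."""
    if opt == 31 and len(body) == 4:        # NAWS: width, height, 16-bit big-endian
        return "%dx%d" % struct.unpack(">HH", body)
    if body[:1] == b"\x00":                 # TSPEED / XDISPLOC / TTYPE "IS <text>"
        return body[1:].decode("ascii", "replace")
    return body.hex()


def decode_telnet(stream):
    """Split a client->server byte stream into option events and typed data."""
    events, data, i = [], bytearray(), 0
    while i < len(stream):
        if stream[i] != IAC:
            data.append(stream[i]); i += 1; continue
        if i + 1 >= len(stream):
            break
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped literal 0xff
            data.append(IAC); i += 2
        elif cmd in CMD and i + 2 < len(stream):
            events.append((CMD[cmd], OPT.get(stream[i + 2], str(stream[i + 2])))); i += 3
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:                     # capture cut off mid-subnegotiation
                events.append(("TRUNCATED-SB", None, None)); break
            opt = stream[i + 2]
            events.append(("SB", OPT.get(opt, str(opt)), describe_sub(opt, stream[i + 3:end])))
            i = end + 2
        else:
            i += 2                          # NOP, GA and other two-byte commands
    return events, bytes(data)


def typed_lines(data):
    """Telnet sends Enter as CR NUL; split the keystroke stream on it."""
    return [part.decode("ascii", "replace") for part in data.split(b"\r\x00") if part]


# Constructed sample in the dump layout: the negotiation packets from the
# article, then one packet per keystroke of the login, as the article shows.
PROTO = "Proto: 0800 08:00:69:07:3e:db->00:e0:29:19:4a:68 192.168.0.1 [1239] -> 192.168.0.2 [23]"
NEGOTIATION = f"""Eth
{PROTO}
0000 ff fc 27 - ..'
Eth
{PROTO}
0000 ff fa 1f 00 50 00 28 ff - f0 ....P.(..
Eth
{PROTO}
0000 ff fa 20 00 33 38 34 30 - 30 2c 33 38 34 30 30 ff .. .38400,38400.
0010 f0 ff fa 23 00 47 4e 53 - 53 3a 30 2e 30 ff f0 ff ...#.GNSS:0.0...
0020 fa 18 00 49 52 49 53 2d - 41 4e 53 49 2d 4e 45 54 ...IRIS-ANSI-NET
0030 ff f0 - ..
Eth
{PROTO}
0000 ff fc 01 - ...
Eth
{PROTO}
0000 ff fd 01 - ...
"""
KEYSTROKES = "".join(
    f"Eth\n{PROTO}\n0000 {c:02x} - {chr(c) if 32 <= c < 127 else '.'}\n"
    for c in b"hapless\r\x00unaware")
SAMPLE_DUMP = NEGOTIATION + KEYSTROKES


def analyse(dump=SAMPLE_DUMP):
    events, data = decode_telnet(b"".join(packet_payloads(dump)))
    return events, typed_lines(data)


if __name__ == "__main__":
    events, lines = analyse()
    for ev in events:
        print("option:", ev)
    print("typed lines:", lines)
```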

              4. hunt
              hunt is another choice if you need results that are easy to read.
              It has intuitive command tracing and session logging functions.
              author: Pavel Krauz
              requirements: C, IP headers, Linux 2.0.35+, GlibC 2.0.7 with
              LinuxThreads support
              configuration file: none
              location: Http://www.cri.cz/kra/index.html
              security history: none
              Note: the author provides both dynamically linked and statically
              linked binary releases.
              hunt is released as a tar.gz, with the file named hunt-1_3bin.tgz.
              First unpack it:
              tar xvfz hunt-1_3bin.tgz
              hunt is then unpacked into a newly created directory hunt-1.3,
              with the following contents:
              -rw-r--r-- 1 206 users 1616 Apr 2 03:54 CHANGES
              -rw-r--r-- 1 206 users 17983 Oct 25 1998 COPYING
              -rw-r--r-- 1 206 users 312 Jan 16 04:54 INSTALL
              -rw-r--r-- 1 206 users 727 Feb 21 11:22 Makefile
              -rw-r--r-- 1 206 users 27373 Feb 15 12:44 README
              -rw-r--r-- 1 206 users 167 Dec 4 14:29 TODO
              -rw-r--r-- 1 206 users 5067 Feb 13 04:23 addpolicy.c
              -rw-r--r-- 1 206 users 7141 Feb 21 23:44 arphijack.c
              -rw-r--r-- 1 206 users 25029 Apr 2 03:26 arpspoof.c
              drwxr-xr-x 2 206 users 1024 Apr 9 02:03 c
              -rw-r--r-- 1 206 users 7857 Nov 9 1998 hijack.c
              -rw-r--r-- 1 206 users 5066 Dec 2 12:55 hostup.c
              -rwxr-xr-x 1 206 users 84572 Apr 9 02:03 hunt
              -rw-r--r-- 1 206 users 24435 Apr 2 03:26 hunt.c
              -rw-r--r-- 1 206 users 16342 Mar 30 01:56 hunt.h
              -rwxr-xr-x 1 206 users 316040 Apr 9 02:03 hunt_static
              -rw-r--r-- 1 root root 265 May 20 22:22 huntdir.txt
              -rw-r--r-- 1 root root 2517 May 20 22:19 huntlog.txt
              -rw-r--r-- 1 206 users 6249 Feb 21 11:21 macdisc.c
              -rw-r--r-- 1 206 users 12105 Feb 21 11:35 main.c
              -rw-r--r-- 1 206 users 12000 Feb 6 02:27 menu.c
              -rw-r--r-- 1 206 users 7432 Apr 2 03:53 net.c
              -rw-r--r-- 1 206 users 5799 Feb 11 04:21 options.c
              -rw-r--r-- 1 206 users 11986 Feb 14 04:59 resolv.c
              -rw-r--r-- 1 206 users 1948 Oct 25 1998 rst.c
              -rw-r--r-- 1 206 users 9545 Mar 30 01:48 rstd.c
              -rw-r--r-- 1 206 users 21590 Apr 2 03:58 sniff.c
              -rw-r--r-- 1 206 users 14466 Feb 21 12:04 synchijack.c
              -rw-r--r-- 1 206 users 2692 Feb 19 00:10 tap.c
              -rw-r--r-- 1 206 users 4078 Feb 15 05:31 timer.c
              -rw-r--r-- 1 206 users 2023 Oct 25 1998 tty.c
              -rw-r--r-- 1 206 users 7871 Feb 11 02:58 util.c
              The static binary release is hunt_static; using this version is
              recommended, because compiling from source can sometimes fail with
              errors about missing libraries. Run hunt with the following
              command:
              
              When you run hunt you will be pleasantly surprised to find that it
              is curses-based and therefore has a very friendly interactive
              interface. After it starts, the menu is shown as follows:
              --- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
              l/w/r) list/watch/reset connections
              u) host up tests
              a) arp/simple hijack (avoids ack storm if arp used)
              s) simple hijack
              d) daemons rst/arp/sniff/mac
              o) options
              x) exit
              * >
              Throughout the example, I log in to linux.test.net from GNSS to
              carry out the test.
              GNSS 3% telnet 192.168.0.2
              Trying 192.168.0.2...
              Connected to 192.168.0.2.
              Escape character is '^]'.
              
              Caldera OpenLinux (TM)
              Version 1.3
              Copyright 1996-1998 Caldera Systems, Inc.
              
              login:
              [hapless@linux hapless]$ finger root
              Login: root Name: root
              Directory: /root Shell: /bin/bash
              On since Thu May 20 21:57 (PDT) on tty1 1 minute idle
              On since Thu May 20 22:02 (PDT) on tty2 7 minutes 19 seconds idle
              On since Thu May 20 21:59 (PDT) on tty3 15 seconds idle
              No mail.
              No Plan.
              [hapless@linux hapless]$ last root
              root tty2 Thu May 20 22:02 still logged in
              root tty3 Thu May 20 21:59 still logged in
              root tty1 Thu May 20 21:57 still logged in
              root tty2 Thu May 20 19:46 - down (00:26)
              root tty1 Thu May 20 19:44 - 20:12 (00:27)
              root tty3 Thu May 20 19:44 - down (00:28)
              root tty3 Thu May 20 19:42 - 19:44 (00:01)
              root tty1 Thu May 20 19:41 - 19:42 (00:00)
              root tty3 Thu May 20 19:28 - 19:41 (00:12)
              root tty2 Thu May 20 19:11 - 19:42 (00:31)
              root tty1 Thu May 20 19:07 - 19:40 (00:32)
              root tty1 Thu May 20 18:57 - 19:07 (00:09)
              root tty1 Mon May 17 22:32 - down (00:29)
              Finally /etc/passwd is inspected. Everything done during this whole
              process was sniffed by hunt:
              --- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
              l/w/r) list/watch/reset connections
              u) host up tests
              a) arp/simple hijack (avoids ack storm if arp used)
              s) simple hijack
              d) daemons rst/arp/sniff/mac
              o) options
              x) exit
              *> w
              0) 192.168.0.1 [1049] --> 192.168.0.2 [23]
              choose conn> 0
              dump [s]rc/[d]st/[b]oth [b]> b
              Note: the input above (the parts in bold) instructs hunt to watch
              connection 0 and to output both the source and destination sides.
              hunt then displays all of hapless's activity on the terminal
              screen:
              22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00
              ctrl-c to break
              hhaapplleessss
              Password: unaware
              [hapless@linux2 hapless]$ cclleeaarr
              [hapless@linux2 hapless]$ wwhhoo
              root tty1 May 20 21:57
              ww
              22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00
              
              [hapless@linux2 hapless]$ mmoorree //eettcc//ppaasssswwdd
              root:x:0:0:root:/root:/bin/bash
              bin:x:1:1:bin:/bin:
              daemon:x:2:2:daemon:/sbin:
              adm:x:3:4:adm:/var/adm:
              lp:x:4:7:lp:/var/spool/lpd:
              sync:x:5:0:sync:/sbin:/bin/sync
              shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
              halt:x:7:0:halt:/sbin:/sbin/halt
              mail:x:8:12:mail:/var/spool/mail:
              news:x:9:13:news:/var/spool/news:
              uucp:x:10:14:uucp:/var/spool/uucp:
              operator:x:11:0:operator:/root:
              games:x:12:100:games:/usr/games:
              gopher:x:13:30:gopher:/usr/lib/gopher-data:
              ftp:x:14:50:FTP User:/home/ftp:
              man:x:15:15:Manuals Owner:/:
              majordom:x:16:16:Majordomo:/:/bin/false
              postgres:x:17:17:Postgres User:/home/postgres:/bin/bash
              nobody:x:65534:65534:Nobody:/:/bin/false
              anon:x:100:100:Anonymous:/home/anon:/bin/bash
              hapless:x:500:500:Caldera OpenLinux User:/home/hapless:/bin/bash
              [hapless@linux2 hapless]$
              As you can see, hunt's output is very clear and easy to read. hunt
              also provides the following features:
              It lets you pick out any connection you are interested in, rather
              than recording everything.
              It lets you pick any connection, not only one whose start (the
              SYN) was observed. It offers spoofing tools.
              It provides active session hijacking.
              Its unique features and easy-to-use interface make it a very good
              choice for Linux beginners.
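Sniffers of this kind run on the victim host with a raw packet socket open and usually put the interface into promiscuous mode; the w output in the linux_sniffer section even shows linuxsniff running as root on tty2, although a planted copy would normally be renamed and detached from any terminal. The host check below is an added example, not part of the article or of any of the tools it covers: it reads only standard Linux interfaces (/sys/class/net/<if>/flags, /proc/net/packet and the socket:[inode] links under /proc/<pid>/fd), and the sample /proc/net/packet content is constructed.

```python
"""Look for a planted sniffer: promiscuous interfaces and AF_PACKET sockets."""
import os
import re

IFF_PROMISC = 0x100                       # bit in the interface flags word (linux/if.h)
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def promisc_from_flags(flags_text):
    """flags_text is the hex word from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs="/sys/class/net"):
    names = []
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as f:
                if promisc_from_flags(f.read()):
                    names.append(name)
        except OSError:
            continue                      # interface vanished or flags unreadable
    return names


def packet_socket_inodes(proc_net_packet_text):
    """Inodes of AF_PACKET sockets; Inode is the last of the nine columns."""
    inodes = set()
    for line in proc_net_packet_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 9 and fields[8].isdigit():
            inodes.add(int(fields[8]))
    return inodes


def socket_inode(link_target):
    """'socket:[40321]' -> 40321; any other fd target -> None."""
    m = SOCKET_LINK.fullmatch(link_target)
    return int(m.group(1)) if m else None


def owners_of_sockets(inodes, proc="/proc"):
    """Map each inode to (pid, comm) by walking /proc/<pid>/fd (needs root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                      # not permitted, or the process exited
        for fd in fds:
            try:
                ino = socket_inode(os.readlink(os.path.join(fd_dir, fd)))
                if ino in inodes:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        owners[ino] = (int(pid), f.read().strip())
            except OSError:
                continue
    return owners


# Constructed sample of /proc/net/packet: one SOCK_RAW (Type 3) socket bound
# to protocol 0003 (ETH_P_ALL, every frame) on interface index 2.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8880 3      3    0003   2     1 0      0      40321
"""


def scan():
    """Live check: (promiscuous interfaces, {inode: (pid, comm)}).

    Legitimate holders of packet sockets exist (dhcp clients, tcpdump, lldp
    daemons), so each hit still needs to be identified; a kernel-level rootkit
    hiding the process would not show up here at all."""
    try:
        with open("/proc/net/packet") as f:
            inodes = packet_socket_inodes(f.read())
    except OSError:
        inodes = set()
    return promiscuous_interfaces(), owners_of_sockets(inodes)


if __name__ == "__main__":
    promisc, owners = scan()
    print("promiscuous interfaces:", promisc or "none")
    for ino, (pid, comm) in owners.items():
        print(f"packet socket inode {ino} held by pid {pid} ({comm})")
```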
              5. sniffit
              sniffit is aimed at those who need to find out more information.
              author: Brecht Claerhout
              requirements: C, IP headers
              configuration file: see the discussion below
              security history: none
              Note: sniffit is very powerful, but it is not easy to learn to
              use.
              tar xvfz sniffit_0_3_7.tar.gz
              $ ./configure (the configure command checks whether the system
              meets the requirements)
              (compile the source code)
              strip sniffit (reduces the size of the binary)
              Now sniffit can be used (configuring sniffit is discussed last).
              Syntax:
              sniffit [-xdabvnN] [-P proto] [-A char] [-p port] [(-r|-R)
              recordfile] [-l sniflen] [-L logparam] [-F snifdevice] [-D tty]
              [-M plugin] [(-t Target-IP | -s Source-IP) | (-i|-I) | -c
              config-file]
              sniffit is a TCP/IP/ICMP packet monitor. It can produce very
              detailed technical information about these packets (SEQ, ACK,
              TTL, Window, ...) and can also capture the monitored packets in
              several different formats (hex or plain text).
              By default sniffit handles Ethernet and PPP devices, but it can
              also be used on other devices (see README.FIRST and sn_config.h).
              sniffit can be configured conveniently to filter the packets it
              captures, and the configuration file allows a very precise
              specification of which packets are to be processed. sniffit also
              has an interactive interface.
              Options:
              -v
              Displays version information.
              -t target-address
              Only processes data whose destination address is 
              "target-address"; incompatible with '-s', '-c' and '-v'.
              -s source-address
              Only processes data whose source address is "source-address"; 
              incompatible with '-t', '-c' and '-v'.
              -c config-file
              Defines the packet filter rules in a configuration file; 
              incompatible with '-t', '-s' and '-v'.
              -R file
              Writes the output to the record "file" (incompatible with '-v').
              -n
              Disables IP checksum verification, so that forged packets can 
              also be displayed.
              -x
              Prints extended TCP packet information (SEQ, ACK, Flags and so 
              on) to standard output; often used to trace spoofing, packet 
              loss and other network debugging tasks. Incompatible with '-i', 
              '-I' and '-v'.
              -d
              Output goes to files by default; the file name is usually a 
              combination of the source and destination addresses, for 
              example: 192.168.0.232.1120-192.168.0.231.80
              -a
              Outputs in ASCII form; characters that cannot be printed are 
              shown as ".".
              -P protocol
              Specifies the protocol type of the data to process: IP, TCP, 
              ICMP, UDP and so on.
              -p port
              Only processes data whose destination port is "port".
              -l sniflen
              In normal mode, the total amount of data recorded (default 300 
              bytes): the first sniflen bytes of each connection are recorded.
              -F device
              Specifies the device to monitor, such as eth0, eth1 and so on.
              -D tty
              All recorded information is output to the specified tty.
              For example:
              To monitor WWW request data sent from 192.168.0.233 to 
              192.168.0.231:
              [ root@lix /tmp ] # /usr/sbin/sniffit -p 80 -P TCP -s 
              192.168.0.233 -d ttyp1
              Packet ID (from_IP.port-to_IP.port): 
              192.168.0.233.1060-192.168.0.231.80
              45 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7
              04 24 00 50 00 4E 89 2A 00 00 00 00 60 02 20 00 67 19 00 00 02 04 05 B4
              Note: 192.168.0.231 is the Linux server running sniffit.
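              As an added illustration (not code from the original article or from sniffit), here is how the raw bytes of the capture above decode into the fields that sniffit's -x option reports. The packet bytes are the ones shown in the example; the decoder, including the IP and TCP checksum verification that the -n option would switch off, is added here, and the packet_id string reproduces sniffit's from_IP.port-to_IP.port naming. An analyst can use the same decoding to confirm what a recovered sniffit log actually contains.

```python
"""Decode one raw IPv4/TCP packet into the fields sniffit's -x output presents."""
import struct

# Constructed sample: the SYN packet from the article's example capture
# (192.168.0.233:1060 -> 192.168.0.231:80), 20-byte IP header + 24-byte TCP header.
SAMPLE_PACKET = bytes.fromhex(
    "45 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7 "
    "04 24 00 50 00 4E 89 2A 00 00 00 00 60 02 20 00 67 19 00 00 02 04 05 B4"
)

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: 16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data: bytes) -> bool:
    """A header whose stored checksum is correct sums to 0xFFFF."""
    return ones_complement_sum(data) == 0xFFFF


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP option list (kind 0 = end, 1 = NOP, others are kind/len/value)."""
    options, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:                      # MSS carries a 16-bit value
            options["mss"] = struct.unpack("!H", value)[0]
        else:
            options["kind%d" % kind] = value.hex()
        i += length
    return options


def decode_ipv4_tcp(packet: bytes) -> dict:
    """Return the fields sniffit reports (addresses, ports, SEQ, ACK, TTL, window, flags)."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    src_ip = ".".join(map(str, src))
    dst_ip = ".".join(map(str, dst))
    # The TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length) + segment.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "packet_id": "%s.%d-%s.%d" % (src_ip, sport, dst_ip, dport),  # sniffit's naming
        "src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
        "ip_id": ident, "ttl": ttl, "total_len": total_len,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAG_BITS if off_flags & bit],
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "ip_checksum_ok": checksum_valid(packet[:ihl]),
        "tcp_checksum_ok": checksum_valid(pseudo + tcp),
    }


if __name__ == "__main__":
    for key, value in decode_ipv4_tcp(SAMPLE_PACKET).items():
        print("%-16s %s" % (key, value))
```

              Both checksums verify for the sample, which is why sniffit accepts the packet without -n; a packet with a bad IP checksum is only shown when -n is given. The decoded flags show a bare SYN with an MSS option of 1460 and no payload, i.e. the connection request that precedes the WWW request the example set out to watch.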
              If you want to write the captured data to a file instead:
              [ root@lix /tmp ] # /usr/sbin/sniffit -p 80 -P TCP -s 
              192.168.0.233 -R /tmp/wwwlog
              To examine the WWW page data returned from 192.168.0.231 to 
              192.168.0.225 and store it in the file /tmp/wwwlog:
              [ root@lix /tmp ] # /usr/sbin/sniffit -P TCP -t 192.168.0.225 -R 
              /tmp/wwwlog
              Note: do not open other connections from 225 to 231 (such as 
              telnet) at the same time, otherwise their returned data will be 
              mixed into the same file.
              To examine ICMP data sent from 192.168.0.233 to 192.168.0.231 
              and display it on the console:
              [ root@lix /tmp ] # /usr/sbin/sniffit -P ICMP -t 192.168.0.233 
              -d ttyp1
              Sniffit supports a configuration file, which provides powerful 
              control over what is sniffed. The configuration file format 
              contains five fields, with the following meanings:
              Field 1: select or deselect. Tells sniffit whether to capture, 
              or not capture, the data specified by the condition that follows.
              Field 2: from, to, or both. Tells sniffit to capture data sent 
              from the specified host, sent to it, or in both directions.
              Field 3: host, port, or mhosts. Specifies one or more target 
              hosts; mhosts can be used to specify many hosts at once, such 
              as 192.168.0.
              Field 4: hostname, port number, or multiple-host list.
              Field 5: port number.
              For example:
              select from host 192.168.0.1
              select from host 192.168.0.180
              select both port 23
              Sniffit will capture all telnet and www information from the 
              two hosts.
              select both mhosts 100.100.12.
              deselect both port 80
              select both host 100.100.12.2
              Sniffit will capture all data related to 100.100.12.* except 
              www, but will display the www data of 100.100.12.2.
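              As an added example that is not part of the original article or of sniffit itself: a small parser for the five-field configuration format described above, together with a checker that answers which packets a given file would capture. It assumes that rules are applied in file order with the last matching rule deciding (this reproduces both outcomes the article describes), that a trailing fifth field is a port number, that '#' begins a comment, and that mhosts matches an address prefix; mhost is accepted as an alternative spelling of mhosts. Both configuration files quoted above are embedded as constructed samples. An incident responder who recovers such a file from a compromised server can use this to state precisely which traffic the intruder was collecting.

```python
"""Parse a sniffit configuration file and test which packets it would capture."""
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the two configuration files quoted in the article, as an
# analyst might recover them from a host on which sniffit was planted.
CONFIG_A = """\
select from host 192.168.0.1
select from host 192.168.0.180
select both port 23
"""

CONFIG_B = """\
select both mhosts 100.100.12.
deselect both port 80
select both host 100.100.12.2
"""


@dataclass
class Rule:
    select: bool             # field 1: select / deselect
    direction: str           # field 2: from / to / both
    kind: str                # field 3: host / port / mhosts
    value: str               # field 4: host address, port number or address prefix
    port: Optional[int]      # field 5 (optional, assumed): port that must also match


def parse_config(text: str) -> list:
    """Turn the five-field sniffit rule lines into Rule objects; reject malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        f = line.split()
        ok = (len(f) in (4, 5) and f[0] in ("select", "deselect")
              and f[1] in ("from", "to", "both")
              and f[2] in ("host", "port", "mhost", "mhosts"))
        if not ok:
            raise ValueError("line %d: malformed rule %r" % (lineno, raw))
        kind = "mhosts" if f[2] == "mhost" else f[2]
        if kind == "port":
            int(f[3])                              # port rules must be numeric
        port = int(f[4]) if len(f) == 5 else None
        rules.append(Rule(f[0] == "select", f[1], kind, f[3], port))
    return rules


def _side_matches(rule: Rule, addr: str, port: int) -> bool:
    """Does one end (address, port) of a packet satisfy the rule's fields 3, 4 and 5?"""
    if rule.kind == "host":
        hit = addr == rule.value
    elif rule.kind == "mhosts":
        hit = addr.startswith(rule.value)      # prefix such as "100.100.12."
    else:
        hit = port == int(rule.value)
    if hit and rule.port is not None:
        hit = port == rule.port
    return hit


def rule_matches(rule: Rule, src: str, sport: int, dst: str, dport: int) -> bool:
    """'from' looks at the source end, 'to' at the destination, 'both' at either."""
    if rule.direction == "from":
        return _side_matches(rule, src, sport)
    if rule.direction == "to":
        return _side_matches(rule, dst, dport)
    return _side_matches(rule, src, sport) or _side_matches(rule, dst, dport)


def would_capture(rules: list, src: str, sport: int, dst: str, dport: int) -> bool:
    """Assumption: rules apply in file order and the last matching rule decides;
    a packet matched by no rule is not captured."""
    decision = False
    for rule in rules:
        if rule_matches(rule, src, sport, dst, dport):
            decision = rule.select
    return decision


if __name__ == "__main__":
    rules_b = parse_config(CONFIG_B)
    for pkt in [("100.100.12.5", 1025, "100.100.12.9", 80),
                ("100.100.12.2", 1026, "10.0.0.1", 80),
                ("100.100.12.5", 1027, "10.0.0.1", 22)]:
        print(pkt, "->", "captured" if would_capture(rules_b, *pkt) else "ignored")
```

              Run against CONFIG_B, the checker reports the www connection of 100.100.12.5 as ignored, the www connection of 100.100.12.2 as captured, and the ssh connection of 100.100.12.5 as captured, which is exactly the behaviour the article describes for that file.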


              Original author: N/A
              Source: unknown