Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Design and implementation of environment sniffer running under Linux     - How to Set Free SSH password on CentOS / RHEL (Linux)

- Linux hard drive failure Case Studies (Linux)

- CentOS 7.0 local address and configure yum source address priority (Linux)

- To configure parameter configuration and software installation and uninstallation under Linux (Linux)

- C # / iOS / Android Universal Encryption and decryption (Programming)

- Oracle 12c detailing the new features (Database)

- To create a full command line Android Build System (Linux)

- To install network scanning and packet sniffer tool Nmap 7.00 under ubuntu (Linux)

- Guide: Trickle restrict application bandwidth usage (Linux)

- Linux yum command Detailed (Linux)

- MongoDB upgrade to 2.6 (Database)

- JavaScript is implemented without new keywords constructor (Programming)

- Repair after installing Ubuntu no boot device error (Linux)

- Bash difference in single quotes and double quotes (Programming)

- Java Foundation - The relationship between abstract classes and interfaces (Programming)

- Linux user directory (Linux)

- Java memory area and memory overflow exception (Programming)

- floating IP in OpenStack neutron (Server)

- Search Linux commands and files - which, whereis, locate, find (Linux)

- PostgreSQL-- run Supervisord on Docker in Ubuntu (Database)

 
         
  Design and implementation of environment sniffer running under Linux
     
  Add Date : 2018-11-21      
         
         
         
  One, Sniffer principle analysis

Before implementing sniffer, we first need to have TCP / IP protocol. TCP and IP protocol used on the Internet refers to two network protocols (or methods of data transmission). They are the Transmission Control Protocol and Internet Protocol. Both belong to a large number of protocols TCP / IP protocol suite part.

TCP / IP protocol suite of protocols to ensure that data transmission on the Internet, providing almost all services now used by the Internet. These services include: transfers, file transfer, e-mail publishing newsgroups and access the World Wide Web.

TCP protocol IP protocol above. And IP protocol provides unreliable transmission of different services, TCP protocol for the application layer provides a reliable transport service. This service features are: reliable, full-duplex, flow and unstructured transmission. TCP transmission principle:

TCP uses a protocol called positive acknowledgment and retransmission (positive acknowledgement with retransmission) technology to achieve reliable transmission. Recipient after receiving the data sent by the sender, and must send a corresponding acknowledgment (ACK) message indicating that it has received data. Save sender sends recording data, a data before sending the next, waiting for the confirmation message data. It sends this data also started a timer. If within a certain time, the confirmation message is not received, the data is considered to be lost during transmission, then it will re-send the data.

This approach also raises the question, is to repeat the package. If the network transmission speed is relatively low, wait until the end of time, only to return a confirmation message to the sender, then, since the transmission method used by the sender, it will duplicate the data. One solution is to give each data a serial number, and the sender need to remember the sequence number of the data which has been confirmed. In order to prevent delays or duplication confirmed that the provisions in the confirmation message also contains the acknowledgment sequence number. So that the sender can know which packages have been identified. TCP protocol there is an important concept: sliding window. Using this method, making the transmission more efficient.

There foregoing description, the sender After sending a packet to wait for confirmation. Until it receives an acknowledgment message this time is idle. If the network delay is longer, this issue will be quite obvious. Sliding window method is before it receives confirmation message, send multiple packets. Imagine moving into a window on a sequence. If, after sending out a packet has not been confirmed, it called unacknowledged packets. The number of packets generally unacknowledged is the size of the window. At the receiving end, there is a sliding window and receiving a confirmation packet.

Using TCP transport is to establish a connection. In a TCP transport connection two end points. In fact, a connection represents a communication between the sending and receiving ends of the application. They can be thought of as the establishment of a circuit. Usually a connection with the following formula: (host, port), host is the host, port is the port. TCP port several applications that can be shared. For the programmer is concerned, it can be understood: An application can provide services for different connections. Unit TCP segment is transmitted, when the connection is established, data transfer, and a confirmation message window size advertised segments are to be exchanged.

TCP protocol uses a three-way handshake to establish a TCP connection. The code bit of the first segment of the handshake is set to SYN, serial number x, it indicates the start of a handshake. After the recipient receives the segment back to the sender to send a segment. Code set to SYN and ACK, the serial number is set to y, acknowledgment sequence number is set to x + 1. Sender by this paragraph, the knowledge can be TCP data transmission, so that the ED receiver sends an ACK segment, it said the connection has been established between the two sides. After completion of the handshake, the official start of the data transmission. Grip means in the above sequence numbers are randomly generated.

Understanding of TCP / IP agreement, but also master network programming. In LINUX network programming, we can say that the socket is a Unix file system operations extended to provide point to point communication. If you want to manipulate files, applications are going to be needed to create a socket application. The operating system returns an integer. Application by referencing the positive number to use this socket. File descriptors and socket descriptors differs from that when the program calls open (), the operating system will be a file descriptor is bound to a file or device, but when you create a socket, it can not be to bind to a target address. You can specify the destination address at any time you want to use this socket. Point to point communication program in the program, we will request data or services is called a client program that provides data or services is called a server software program. Here to explain a basic socket system call function, the sniffer is to be used in the function:


  
socket ()
#include < sys / types.h>
#include < sys / socket.h>
int socket (int family, int type, int protocol);
int family parameter specifies the communication protocol to be used, take the following values:

AF_UNIX Unix internal agreement
AF_INET Internet Protocol
AF_NS Xerox NS protocol
AF_IMPLINK IMP connection layer
int type specified socket type, take the following values:
SOCK_STREAM Stream Sockets
SOCK_DGRAM Datagram Sockets
SOCK_RAW raw socket
SOCK_SEQPACKET Sequenced Packet socket
int protocol parameter is usually set to zero.


socket () system call returns an integer value, called a socket descriptor sockfd, it works with the same file descriptor. Network I / O is usually the first step is to call this function.

Two, Sniffer implementation

Now tell us about the specific implementation of the sniffer. The sniffer is Red Hat LINUX6.2 version, written in C, in order to debug and compile.

Sniffer is a commonly used method of gathering useful data, these data can be a user ID and password may be some commercial confidential data, and so on. Sniffer is a commonly used method of collecting useful data, these data can be a user ID and password may be some commercial confidential data, and so on.

Ethernet sniffing refers to the data packet transmitted on the Ethernet device listens found interesting package. If a match is found the conditions of the package, put it to save a log file. These conditions are usually set packages that contain the word "username" or "password" of. Its purpose is to network layer into promiscuous mode, so do something. Promiscuous mode means that all devices on the network for data transmission on the bus listening, and not just their own data. According to the working principle of Ethernet, you can know: To a certain target device when sending data, it is Ethernet broadcast. A device connected to the Ethernet bus at any time in receiving data. But only to their own data to the application on the computer. Using this, you can set up a computer network connection settings to accept all Ethernet data bus, enabling sniffer.

sniffer usually run in the router, or the host has the router function. This allows for large amounts of data to be monitored. sniffer is a second-level attacks. Usually the attackers have entered the target system, and then use sniffer such attacks, in order to get more information. sniffer addition to obtain a password or user name, but also get more additional information, such as one other important information, financial information transmitted via the internet and so on. sniffer can get almost any packet transmitted over Ethernet. Typically sniffer program look before 200-300 bytes of a packet of data, you can find the password and user name want such information.

Following the realization of the program to make a presentation. Etherpacket structure defines a data packet. Which ethhdr, iphdr, and tcphdr are three structures, used to define the Ethernet frame, IP header and TCP header format.

They are defined in the header file as follows:


struct ethhdr
{
unsigned char h_dest [ETH_ALEN]; / * destination eth addr * /
unsigned char h_source [ETH_ALEN]; / * source ether addr * /
unsigned short h_proto; / * packet type ID field * /
};
struct iphdr
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
u_int8_t ihl: 4;
u_int8_t version: 4;
#elif __BYTE_ORDER == __BIG_ENDIAN
u_int8_t version: 4;
u_int8_t ihl: 4;
#else
#error "Please fix < bytesex.h>"
#endif
u_int8_t tos;
u_int16_t tot_len;
u_int16_t id;
u_int16_t frag_off;
u_int8_t ttl;
u_int8_t protocol;
u_int16_t check;
u_int32_t saddr;
u_int32_t daddr;
/ * The options start here. * /
};
struct tcphdr
{
u_int16_t source;
u_int16_t dest;
u_int32_t seq;
u_int32_t ack_seq;
#if __BYTE_ORDER == __LITTLE_ENDIAN
u_int16_t res1: 4;
u_int16_t doff: 4;
u_int16_t fin: 1;
u_int16_t syn: 1;
u_int16_t rst: 1;
u_int16_t psh: 1;
u_int16_t ack: 1;
u_int16_t urg: 1;
u_int16_t res2: 2;
#elif __BYTE_ORDER == __BIG_ENDIAN
u_int16_t doff: 4;
u_int16_t res1: 4;
u_int16_t res2: 2;
u_int16_t urg: 1;
u_int16_t ack: 1;
u_int16_t psh: 1;
u_int16_t rst: 1;
u_int16_t syn: 1;
u_int16_t fin: 1;
#else
#error "Adjust your < bits / endian.h> defines"
#endif
u_int16_t window;
u_int16_t check;
u_int16_t urg_ptr;
};

Next, we define a structured variable victim. Then, look at the function int openintf (char * d), its role is to open a network interface. In the main is the eth0 as a parameter to call this function. In this function, we use the following structure:


struct ifreq
{
#define IFHWADDRLEN 6
#define IFNAMSIZ 16
union
{
char ifrn_name [IFNAMSIZ]; / * Interface name, e.g. "en0" * /.
} Ifr_ifrn;
union
{
struct sockaddr ifru_addr;
struct sockaddr ifru_dstaddr;
struct sockaddr ifru_broadaddr;
struct sockaddr ifru_netmask;
struct sockaddr ifru_hwaddr;
short int ifru_flags;
int ifru_ivalue;
int ifru_mtu;
struct ifmap ifru_map;
char ifru_slave [IFNAMSIZ]; / * Just fits the size * /
__caddr_t ifru_data;
} Ifr_ifru;
};
  

This structure is called the interface request structure, calling for the use of the I / O input output. All interface I / O output must have an argument, beginning ifr_name to the back of the parameters using a different network interface to another.

If you want to see what your computer has a network interface, you can use the command ifconfig. You will generally see two interfaces lo0 and eth0. Meaning ifconfig output of each domain in ifreq structure is one to one. Here, the program eth0 as ifr_name to use. Next, the function of this network interface is set to promiscuous mode. Remember, sniffer works in this mode.

Look at the function read_tcp, its role is to read the TCP packet pass filter processing. Filter function is the reading of the packet processing. The next procedure is to output data to a file. Clearup function is when the program exits and other events, to make a record in the file, and close the file. Otherwise, you just did not do a record.

Third, the operating results and conclusions

The results of running this program, my computer is in a table of thirty or more hosts on a LAN environment, the LAN all the hosts through a proxy gateway on the Internet. Tested in the evening peak of the Internet, can detect mailbox user name and password of 5 or more different IP addresses within a few minutes, of course, it can also detect other information, such as user with a Web browser to browse web content , telnet login name and password and other useful information. If the program is expected to run on the gateway will intercept more information.
     
         
         
         
  More:      
 
- Monitoring Linux System 7 command-line tool (Linux)
- jQuery plugin dynamic label generation (Linux)
- MySQL5.6.17 compiler installation under CentOS (Database)
- How to make a U disk to install Ubuntu (Linux)
- Easily create RPM packages using the FPM (Linux)
- Use SVN to automatically deploy code under Apache (Server)
- Modify Linux terminal prompt path length (Linux)
- Use Epoll develop high-performance application server on Linux (Server)
- C ++ Const breaking rules (Programming)
- Ubuntu PPA install SMPlayer 14.9 (Linux)
- Linux System Getting Started Learning: On Linux how to convert text files to PDF (Linux)
- Vim useful plugin: vundle (Linux)
- Linux kernel modules related to the management Comments (Linux)
- How to build a container cluster (Server)
- mysql_config_editor encryption and decryption of the new features of MySQL realization (Database)
- Kibana Apache Password Authentication (Server)
- Ubuntu Gitolite management Git Server code base permissions (Server)
- To install MySQL 5.6 binary packages under CentOS 6.4 64bit (Database)
- To teach you how to safely send mail (Linux)
- SSH Filesystem use a secure connection for network file system (Linux)
     
           
     
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.