Fun
Fun with tools
Fun with protocols
Interactive Protocols
SMTP, IMAP and HTTP are line-oriented text protocols: the whole conversation can be typed by hand.
SMTP
- mail transfer on port 25
- EHLO yourdomain
- MAIL FROM:<youremail@address>
- RCPT TO:<whoyouwant@tosend>
- DATA
- headers, an empty line, then the body of the message
- . on a line by itself ends the message (a body line that starts with a dot gets a second dot in front so it is not mistaken for the terminator)
- QUIT
HTTP
- invented at CERN
- HTML (and everything else) on port 80 (443 for TLS)
- simple request/response protocol: GET, POST
- also PUT, DELETE, TRACE (TRACE echoes the request back, cookies included, and is normally left disabled on servers)
- GET path HTTP/1.1, then Host: servername (mandatory in HTTP/1.1)
- every line ends in CR-LF; an empty line (CR-LF CR-LF) ends the request, and only then does the server answer
IMAP
- mail stays on the server (unlike POP3, which downloads it)
- access to the server's mailboxes on port 143 (993 for TLS)
- had concurrency built in from day 1: every command carries a client-chosen tag (a1, a2, ...) so each reply can be matched to the command that caused it and several commands can be in flight at once
- a1 LOGIN username password (the password goes over in the clear, so only inside TLS)
- a2 EXAMINE mailbox (like SELECT, but read-only)
- a3 FETCH msgnum BODY
- a4 FETCH msgnum BODY[HEADER.FIELDS (SUBJECT)]
- a5 LOGOUT
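The tagged session, generated instead of typed. This is an added shell example, not part of the talk: it emits the same LOGIN / EXAMINE / FETCH / LOGOUT sequence with fresh tags and CRLF endings (generalised to fetch every message's Subject), and shows how a client picks its command's completion out of the server's untagged "*" lines. The user name, password, host name and sample server output are made up.

```sh
#!/bin/sh
# Added example, not from the talk. Names and the sample server output are made up.

imap_tag_n=0

# Emit one command with a fresh tag and a CRLF ending. The tag is what lets
# the client match "a2 OK ..." to the command it sent, so it can send several
# commands before the first reply arrives and still sort the answers out.
imap_cmd() {
    imap_tag_n=$((imap_tag_n + 1))
    printf 'a%d %s\r\n' "$imap_tag_n" "$1"
}

# imap_session USER PASS: the read-only session from the talk. EXAMINE opens
# the mailbox read-only and BODY.PEEK keeps the fetch from marking messages
# \Seen. User and password are sent as IMAP quoted strings so spaces survive.
# Pipe it into a TLS session, never into port 143:
#   imap_session sasagtest 'secret' | gnutls-cli imap.example.test -p 993
imap_session() {
    imap_tag_n=0
    imap_cmd "LOGIN \"$1\" \"$2\""
    imap_cmd "EXAMINE INBOX"
    imap_cmd "FETCH 1:* BODY.PEEK[HEADER.FIELDS (SUBJECT)]"
    imap_cmd "LOGOUT"
}

# imap_status TAG < server_output: print OK, NO or BAD from the reply carrying
# TAG, skipping the untagged "*" data lines that precede it. Prints nothing if
# that tag never completed (for example the connection was cut off).
imap_status() {
    tr -d '\r' | awk -v tag="$1" '$1 == tag { print $2; exit }'
}

# Constructed server output for the FETCH above: untagged data, then the
# tagged completion line. {16} is the byte count of the literal that follows.
SAMPLE_IMAP_REPLY=$(printf '* 1 FETCH (BODY[HEADER.FIELDS (SUBJECT)] {16}\r\nSubject: Hi!\r\n\r\n)\r\na3 OK Fetch completed\r\n')
```

Run `imap_session u p` to see the bytes that go down the wire; feed a captured reply to `imap_status a3` to see why a client keys on the tag rather than on line position.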
NSA lite or regular
SMTPS, IMAPS and HTTPS are the TLS-wrapped forms of these protocols. Can you still talk to them by hand?
...yes
tools
- netcat: unencrypted
- gnutls-cli: encrypted (TLS)
netcat
- Swiss Army Knife of TCP/IP
- use like telnet (but better: no option negotiation, 8-bit clean, scriptable through pipes)
- use to listen on a port
- tcp/udp/unix sockets
- use to proxy
- caveat: there are several netcats with different flags. Traditional netcat listens with -l -p port and has -e; OpenBSD nc listens with -l port and has no -e; Nmap's ncat listens with -l port and adds -e/-c, -k and --proxy-type. The -e, -c, -k and --proxy-type examples below assume ncat (or traditional netcat for -e).
telnet like use
- nc -v localhost 80
- nc localhost 25
- ehlo sasag.org
- mail from:<thomas@narrabilis.com>
- rcpt to:<members@lists.sasag.org>
- data
- Subject: Hi! (then an empty line, then the body) This is a message.
- . on a line by itself ends the message, then quit. Control-D at the end only closes nc's stdin and can drop the connection before the server's reply arrives.
- nc -v www.google.com 80
- GET /sasag HTTP/1.1
- Host: www.google.com
- an empty line (Enter twice) sends the request; HTTP/1.1 needs the Host: header or the server answers 400
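The SMTP conversation above, built as bytes to pipe into nc rather than typed. This is an added shell example, not the talk's own material; it covers the two details the hand-typed version glosses over, CRLF line endings and dot-stuffing of body lines that start with a dot, and ends with QUIT instead of Control-D. All names and addresses in it are made up.

```sh
#!/bin/sh
# Added example, not from the talk. Host names and addresses are made up.

# One protocol line, CRLF-terminated as RFC 5321 requires (bare LF works on
# many servers only because they are lenient).
smtp_line() {
    printf '%s\r\n' "$1"
}

# Copy the message body from stdin, CRLF-terminated, doubling the leading dot
# of any line that starts with "." so the server does not mistake it for the
# end-of-data marker (it strips the extra dot again on receipt). A final line
# without a newline is still sent.
smtp_body() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            .*) line=".$line" ;;
        esac
        printf '%s\r\n' "$line"
    done
}

# smtp_session HELO_NAME FROM TO SUBJECT < body_text
# Envelope (MAIL FROM / RCPT TO), then DATA with minimal headers, the body,
# the lone "." that ends the message, and QUIT so the server closes cleanly.
# Usage:
#   printf 'hello\n' | smtp_session sasag.org a@example.test b@example.test 'Hi!' | nc mail.example.test 25
# Caveat: this sends everything without waiting for replies. MTAs that reject
# early pipelining (Postfix with reject_unauth_pipelining) will refuse it; for
# those, type the session interactively.
smtp_session() {
    helo=$1; from=$2; to=$3; subject=$4
    smtp_line "EHLO $helo"
    smtp_line "MAIL FROM:<$from>"
    smtp_line "RCPT TO:<$to>"
    smtp_line "DATA"
    smtp_line "From: <$from>"
    smtp_line "To: <$to>"
    smtp_line "Subject: $subject"
    smtp_line ""
    smtp_body
    smtp_line "."
    smtp_line "QUIT"
}
```

Pipe the output through `od -c` once to see the CRLFs and the doubled dots; that is the byte stream the server actually parses.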
listening on a port (top/bottom = two terminal windows)
- top: /bin/uptime
- top: nc -l -p 8080 -e /bin/uptime
- bottom: nc localhost 8080
- the first nc served one connection and then exits; ncat's -k keeps it listening
- -e hands the socket to any program: it is also how netcat backdoors and reverse shells are built, which is why the original netcat compiles it in only under GAPING_SECURITY_HOLE and OpenBSD nc leaves it out
- you can do the same thing with udp by adding -u to both ends; the client has to send something first, because with udp there is no connect to wake the listener
- top: nc -l -p 8080 -e /bin/uptime -u
- bottom: nc localhost 8080 -u
- there are a bunch of great examples on the wiki page for it.
- example where we listen and echo what we see: the raw request a browser sends
- top: nc -l 8080
- bottom: elinks http://localhost:8080
- change language: LANG=something elinks http://localhost:8080, and compare the request headers
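The "listen and see what arrives" trick, turned into something that answers. This is an added shell example, not from the talk: a handler that nc runs per connection (with ncat: `ncat -k -l 8080 -c 'sh ./echo-http.sh'`, or `-e` on an executable copy), which reads the request line and headers up to the blank line, logs them, and returns a valid HTTP/1.1 response echoing what it saw. It stops reading at the blank line so it never hangs waiting for a body, and it answers 405 to anything but GET. The script name echo-http.sh and the log path are assumptions.

```sh
#!/bin/sh
# Added example, not from the talk. Script name and log path are assumptions.

HTTP_LOG=${HTTP_LOG:-/tmp/echo-http.log}
CR=$(printf '\r')

# http_read_request < socket: consume the request line and headers, printing
# them CR-stripped one per line, and stop at the empty line that ends the
# header block. Without that stop the handler would block on a body that a
# GET never sends.
http_read_request() {
    while IFS= read -r line; do
        line=${line%"$CR"}
        [ -n "$line" ] || break
        printf '%s\n' "$line"
    done
}

# http_respond STATUS BODY: a complete response. Content-Length tells the
# client where the body ends; Connection: close tells it not to wait for more,
# which matters because nc's one-shot connection is about to go away anyway.
http_respond() {
    status=$1; body=$2
    len=$(( $(printf '%s' "$body" | wc -c) ))
    printf 'HTTP/1.1 %s\r\n' "$status"
    printf 'Content-Type: text/plain\r\n'
    printf 'Content-Length: %d\r\n' "$len"
    printf 'Connection: close\r\n\r\n'
    printf '%s' "$body"
}

# http_handle < socket > socket: log the request, then echo it to the client.
# Only GET is served, so the handler cannot be talked into anything else.
http_handle() {
    req=$(http_read_request)
    printf '%s\n---\n' "$req" >> "$HTTP_LOG"
    case $req in
        "GET "*) http_respond "200 OK" "You sent:
$req
" ;;
        *)       http_respond "405 Method Not Allowed" "GET only
" ;;
    esac
}

# Act as the per-connection handler only when run as the script itself, so the
# functions can also be sourced and exercised offline.
case $0 in
    *echo-http.sh) http_handle ;;
esac
```

Point elinks at the port as in the talk and the log shows exactly what the browser sent, while the browser gets a page back instead of a closed connection.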
unix sockets
- top: nc -l -U /tmp/socket
- bottom: file /tmp/socket (reports it as a socket)
- bottom: nc -U /tmp/socket
- -U is OpenBSD nc and ncat syntax; on Linux the socket file's permissions decide who may connect, so mind the umask and the directory it lives in
sitting in the middle
(http proxy)
- start up an http proxy (ncat syntax)
- top: nc -k -l 8080 --proxy-type=http &
- top: nc -k -l 8888 -c "tee -a /tmp/proxy - | nc localhost 8080" &
- top: tail -F /tmp/proxy
- bottom: HTTP_PROXY=localhost:8888 elinks www.sasag.org
- the listener on 8888 copies everything the browser sends into /tmp/proxy and forwards it to the real proxy on 8080; only that direction is logged, so add another tee after the inner nc if you want the replies as well
- for https the proxy sees only CONNECT host:443; everything after that is encrypted end to end
what if everything is encrypted?
- SSL, TLS and DTLS
- great for STARTTLS too: gnutls-cli --starttls connects in the clear, lets you type the protocol's STARTTLS command, and starts the TLS handshake when it reads EOF (Control-D)
gnutls-cli
- gnutls-cli imap.mail.yahoo.com -p 993
- read what it prints before the prompt: the certificate chain and whether it verified. An unverified chain means "encrypted to whoever answered", which may be someone in the middle.
- a1 LOGIN sasagtest gnutls-cli4Fun
- a2 EXAMINE INBOX
- a3 FETCH 2 BODY[header.fields (subject)]
- a4 FETCH 3 BODY[header.fields (subject)]
- a5 LOGOUT
- So that entire conversation was encrypted, only you and the NSA saw that.
- how about https?
- gnutls-cli google.com -p 443
- GET /doesnotexist HTTP/1.1
- Host: yahoo.com
- an empty line sends it; the Host header picks the virtual host and need not match the name you connected to
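The request typed into nc on port 80 and into gnutls-cli on 443 is the same bytes; the tunnel is the only difference. This is an added shell example, not from the talk: it builds a correct HTTP/1.1 request (Host header, CRLF endings, the empty line that releases it, Connection: close so the tool exits when the answer is in) and pulls the status code and a header out of whatever comes back, stopping at the blank line so the body is never mistaken for headers. Host names and the captured response are made up.

```sh
#!/bin/sh
# Added example, not from the talk. Host names and the sample response are made up.

# http_request HOST PATH [EXTRA_HEADER...]: HTTP/1.1 makes Host: mandatory
# (without it most servers answer 400), every line ends in CRLF, and the empty
# line is what tells the server the request is complete. Connection: close
# makes the server hang up after one response, so nc or gnutls-cli exit
# instead of waiting for a keep-alive that never ends.
#   http_request www.example.test /sasag | nc -v www.example.test 80
#   http_request www.example.test /doesnotexist | gnutls-cli www.example.test -p 443
http_request() {
    host=$1; path=$2; shift 2
    printf 'GET %s HTTP/1.1\r\n' "$path"
    printf 'Host: %s\r\n' "$host"
    printf 'Connection: close\r\n'
    for h; do printf '%s\r\n' "$h"; done
    printf '\r\n'
}

# http_status < response: the numeric status from the status line.
http_status() {
    head -n 1 | tr -d '\r' | awk '{ print $2 }'
}

# http_header NAME < response: the value of header NAME (case-insensitive),
# searching only up to the blank line so nothing in the body can pose as a header.
http_header() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v name="$name" '
        /^$/ { exit }
        {
            n = index($0, ":")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            if (key == name) {
                val = substr($0, n + 1)
                sub(/^ */, "", val)
                print val
                exit
            }
        }'
}

# Constructed response, the kind a server returns for the request above.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 9\r\nConnection: close\r\n\r\nnot found')
```

Capture a real reply with `http_request host /path | nc host 80 > reply` and run `http_status < reply`; the same two helpers work on output from gnutls-cli because the TLS layer is gone by the time the bytes reach your terminal.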
Other fun tools
- ipcalc (the Red Hat/initscripts one: -b -n -m ask for broadcast, network and netmask; Debian's ipcalc prints a longer layout)
ipcalc -b -n -m 172.24.168.15/15
BROADCAST=172.25.255.255
NETMASK=255.254.0.0
NETWORK=172.24.0.0
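The arithmetic behind that output, as an added shell example that is not part of the talk: integer math on the 32-bit address reproduces ipcalc's three lines for any CIDR, which is handy when ipcalc is not installed or when you want to check it. It prints the same VAR=value layout; octet range checking is left out, and the prefix check is the only validation.

```sh
#!/bin/sh
# Added example, not from the talk: ipcalc -b -n -m done with shell integer math.

ALL_ONES=4294967295   # 0xFFFFFFFF, kept in decimal for portability

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDR/PREFIX: print BROADCAST=, NETMASK= and NETWORK= like ipcalc.
# The mask is PREFIX ones followed by zeros; network = addr AND mask;
# broadcast = network OR the inverted mask (host bits all set).
cidr_info() {
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix in $1" >&2; return 1 ;;
    esac
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix in $1" >&2; return 1; }
    ip=$(ip_to_int "$addr")
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (ALL_ONES << (32 - prefix)) & ALL_ONES ))
    fi
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & ALL_ONES) ))
    echo "BROADCAST=$(int_to_ip "$bcast")"
    echo "NETMASK=$(int_to_ip "$mask")"
    echo "NETWORK=$(int_to_ip "$net")"
}
```

`cidr_info 172.24.168.15/15` gives the three lines shown above; the /15 is why the network is 172.24.0.0 and the broadcast 172.25.255.255, since the mask 255.254.0.0 leaves the low bit of the second octet to the host part.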
- mtr
mtr www.google.com
HOST                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 172.24.168.3      0.0%    19    0.5   0.5   0.4   1.2   0.2
 2. 172.24.8.97       0.0%    19    0.7   0.8   0.7   0.9   0.1
 3. 172.23.0.59       0.0%    19    0.8   0.8   0.7   1.4   0.2
 4. 172.22.0.10       0.0%    19    5.4   5.4   5.3   5.8   0.1
 5. 172.20.252.50     0.0%    19    5.2   5.2   5.1   5.5   0.1
 6. 172.20.252.1      0.0%    19    6.2   6.0   5.8   6.2   0.1
 7. ??? (no reply: that hop drops or rate-limits the ICMP time-exceeded messages mtr depends on)
Questions?
thomas@narrabilis.com @uphillian