Network Fun

Thomas Uphill / @uphillian

Fun

Fun with tools
Fun with protocols

Interactive Protocols

SMTP, IMAP and HTTP all hold their conversations in plain, human-readable text
Conversation

SMTP

  • email communication on port 25.
    • EHLO yourdomain
    • MAIL FROM: youremail@address
    • RCPT TO: whoyouwant@tosend
    • DATA
    • Body of the message
    • .

HTTP

  • CERN
  • HTML documents on port 80 (443 for crypto)
  • lame protocol, GET POST
  • PUT DELETE TRACE
    • GET path HTTP/1.1
    • CR-LF CR-LF

IMAP

  • Local!
  • mail spool files on port 143 (993 for crypto)
  • had concurrency built in from day 1
    • one LOGIN username password
    • two EXAMINE mailbox
    • three FETCH msgnum BODY
    • four FETCH msgnum BODY[header.fields (subject)]
    • final LOGOUT

NSA lite or regular

SMTPS, IMAPS and HTTPS offer encrypted forms of these protocols; can you still interact with them?
...yes

tools

  • netcat: unencrypted
  • gnutls-cli: encrypted

netcat (nc)

  • Swiss Army knife of TCP/IP
  • Use it like telnet (but better)
  • Use it to listen on a port
  • TCP, UDP and UNIX sockets
  • Use it as a proxy

telnet-like use

  • nc -v localhost 80
  • nc localhost 25
    • ehlo sasag.org
    • mail from: thomas@narrabilis.com
    • rcpt to: members@lists.sasag.org
    • data
    • Subject: Hi! This is a message. Control-D at the end
  • nc -v www.google.com 80
    • GET /sasag HTTP/1.1
    • \n\n
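As an added example (not from the talk), here is the same SMTP conversation driven from Python with every reply code checked, including the multi-line EHLO reply and the dot-stuffing rule that a hand-typed netcat session makes easy to forget: a body line that is just "." would end the message early. The server, its host name and the addresses are constructed so the demo runs offline over a socketpair.

```python
import socket
import threading

def read_reply(rfile):
    """One SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it -> (code, [text, ...])."""
    texts = []
    while True:
        line = rfile.readline().rstrip(b"\r\n").decode("ascii", "replace")
        texts.append(line[4:])
        if len(line) < 4 or line[3] == " ":   # int() fails loudly on "" if the server hung up
            return int(line[:3]), texts

def dot_stuff(body):
    """DATA payload: CRLF line ends, a leading '.' doubled, lone '.' terminates (RFC 5321 4.5.2)."""
    lines = ["." + l if l.startswith(".") else l for l in body.splitlines()]
    return b"\r\n".join(l.encode("ascii") for l in lines) + b"\r\n.\r\n"

def smtp_send(sock, helo, mail_from, rcpt_to, body):
    """The slide's EHLO / MAIL FROM / RCPT TO / DATA / '.' conversation, each reply code checked."""
    rfile, replies = sock.makefile("rb"), []
    for command, want in ((None, 220), (f"EHLO {helo}", 250), (f"MAIL FROM:<{mail_from}>", 250),
                          (f"RCPT TO:<{rcpt_to}>", 250), ("DATA", 354), (dot_stuff(body), 250)):
        if command is not None:   # None: just read the greeting; bytes: the stuffed DATA payload
            sock.sendall(command if isinstance(command, bytes) else command.encode("ascii") + b"\r\n")
        code, texts = read_reply(rfile)
        if code != want:
            raise RuntimeError(f"{command!r}: expected {want}, got {code} {texts}")
        replies.append(texts)
    return replies[1]   # what EHLO advertised (STARTTLS, SIZE, ...)

def fake_smtp_server(sock):
    """Constructed stand-in for an MTA (made-up host name) so the demo runs offline."""
    rfile, say = sock.makefile("rb"), lambda t: sock.sendall(t.encode("ascii") + b"\r\n")
    say("220 mail.example.test ESMTP")
    for raw in iter(rfile.readline, b""):
        verb = raw.decode("ascii", "replace").split(" ", 1)[0].strip().upper()
        if verb == "EHLO":
            say("250-mail.example.test"); say("250-STARTTLS"); say("250 SIZE 10240000")
        elif verb != "DATA":
            say("250 OK")   # MAIL FROM / RCPT TO
        else:
            say("354 End data with <CR><LF>.<CR><LF>")
            while rfile.readline() not in (b".\r\n", b""): pass   # body ends at the lone '.'
            say("250 Queued")

def demo():   # client against the fake server over a socketpair, no network needed
    client, server = socket.socketpair()
    threading.Thread(target=fake_smtp_server, args=(server,), daemon=True).start()
    return smtp_send(client, "yourdomain", "youremail@address.test", "whoyouwant@tosend.test",
                     "Subject: Hi!\r\n\r\nThis is a message.\r\n.\r\nstill part of the body")
```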

listening on a port

  • top: /bin/uptime
  • top: nc -l -p 8080 -e /bin/uptime
  • bottom: nc localhost 8080
  • Now the first nc is done, so it quits
  • You can do the same thing with UDP by just adding -u
  • top: nc -l -p 8080 -e /bin/uptime -u
  • bottom: nc localhost 8080 -u
  • There are a bunch of great examples on the wiki page for it.
  • Example where we listen and echo what we see:
  • top: nc -l 8080
  • bottom: elinks http://localhost:8080
  • change the language: LANG=something elinks http://localhost:8080

unix sockets

  • top: nc -l -U /tmp/socket
  • bottom: file /tmp/socket
  • bottom: nc -U /tmp/socket

sitting in the middle

(HTTP proxy)

  • start up an HTTP proxy
  • top: nc -k -l 8080 --proxy-type=http &
  • top: nc -k -l 8888 -c "tee -a /tmp/proxy - | nc localhost 8080" &
  • top: tail -F /tmp/proxy
  • bottom: HTTP_PROXY=localhost:8888 elinks www.sasag.org

what if everything is encrypted?

gnutls-cli

  • SSL, TLS and DTLS
  • Great for STARTTLS

gnutls-cli

  • gnutls-cli imap.mail.yahoo.com -p 993
  • a1 LOGIN sasagtest gnutls-cli4Fun
  • a2 EXAMINE INBOX
  • a3 FETCH 2 BODY[header.fields (subject)]
  • a4 FETCH 3 BODY[header.fields (subject)]
  • a5 LOGOUT
  • So that entire conversation was encrypted; only you and the NSA saw that.
  • How about HTTPS?
  • gnutls-cli google.com -p 443
  • GET /doesnotexist HTTP/1.1
  • Host: yahoo.com

Other fun tools

  • ipcalc
    ipcalc -b -n -m 172.24.168.15/15
    BROADCAST=172.25.255.255
    NETMASK=255.254.0.0
    NETWORK=172.24.0.0
  • mtr
    mtr www.google.com
    Host             Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. 172.24.168.3   0.0%    19    0.5   0.5   0.4   1.2   0.2
    2. 172.24.8.97    0.0%    19    0.7   0.8   0.7   0.9   0.1
    3. 172.23.0.59    0.0%    19    0.8   0.8   0.7   1.4   0.2
    4. 172.22.0.10    0.0%    19    5.4   5.4   5.3   5.8   0.1
    5. 172.20.252.50  0.0%    19    5.2   5.2   5.1   5.5   0.1
    6. 172.20.252.1   0.0%    19    6.2   6.0   5.8   6.2   0.1
    7. ???

Questions?

thomas@narrabilis.com / @uphillian