Some Usage of Hunt and sniffit (non-Unix users need not read on)

Hunt is another option, chosen here because its output is easy to read. It provides intuitive connection tracking and session monitoring.

Author: Pavel Krauz
Requirements: C, IP header files, Linux 2.0.35+, glibc 2.0.7 with linuxthreads support
Configuration file: none
Location: http://www.cri.cz/kra/index.html
Security history: none

Note: the author provides binary releases, both dynamically and statically linked.

Hunt is distributed as a tar.gz archive named hunt-1_3bin.tgz. First extract it:

$ tar xvfz hunt-1_3bin.tgz

Hunt is then unpacked into a newly created directory hunt-1.3, containing the following:

-rw-r--r--   1 206      users        1616 Apr  2 Changes
-rw-r--r--   1 206      users       17983 Oct 25  1998 COPYING
-rw-r--r--   1 206      users         312 Jan 16 INSTALL
-rw-r--r--   1 206      users         727 Feb 21 Makefile
-rw-r--r--   1 206      users       27373 Feb 15 README
-rw-r--r--   1 206      users         167 Dec  4 TODO
-rw-r--r--   1 206      users        5067 Feb 13 addpolicy.c
-rw-r--r--   1 206      users        7141 Feb 21 arphijack.c
-rw-r--r--   1 206      users       25029 Apr  2 arpspoof.c
drwxr-xr-x   2 206      users        1024 Apr  9 c
-rw-r--r--   1 206      users        7857 Nov  9  1998 hijack.c
-rw-r--r--   1 206      users        5066 Dec  2 hostup.c
-rwxr-xr-x   1 206      users       84572 Apr  9 hunt
-rw-r--r--   1 206      users       24435 Apr  2 hunt.c
-rw-r--r--   1 206      users       16342 Mar 30 hunt.h
-rwxr-xr-x   1 206      users      316040 Apr  9 hunt_static
-rw-r--r--   1 root                   265 May 20 22:22 huntdir.txt
-rw-r--r--   1 root                  2517 May 20 22:19 huntlog.txt
-rw-r--r--   1 206      users        6249 Feb 21 macdisc.c
-rw-r--r--   1 206      users       12105 Feb 21 main.c
-rw-r--r--   1 206      users       12000 Feb  6 menu.c
-rw-r--r--   1 206      users        7432 Apr  2 net.c
-rw-r--r--   1 206      users        5799 Feb 11 options.c
-rw-r--r--   1 206      users       11986 Feb 14 resolv.c
-rw-r--r--   1 206      users        1948 Oct 25  1998 rst.c
-rw-r--r--   1 206      users        9545 Mar 30 rstd.c
-rw-r--r--   1 206      users       21590 Apr  2 sniff.c
-rw-r--r--   1 206      users       14466 Feb 21 synchijack.c
-rw-r--r--   1 206      users        2692 Feb 19 tap.c
-rw-r--r--   1 206      users        4078 Feb 15 timer.c
-rw-r--r--   1 206      users        2023 Oct 25  1998 tty.c
-rw-r--r--   1 206      users        7871 Feb 11 util.c

The statically linked binary is shipped as hunt_static. It is the recommended one, since building from source sometimes fails on missing libraries. Hunt needs raw packet access, so run it as root:

# ./hunt_static

Run hunt and you will find that it has a simple menu-driven interactive interface. After startup the menu looks like this:

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
L/W/R) list/Watch/Reset connections
U) host up tests
A) arp/simple hijack (avoids ack storm if ARP used)
S) Simple hijack
D) daemons rst/arp/sniff/Mac
O) Options
X) Exit
*>

In this example I log in to linux.test.net (192.168.0.2) from another host as the user hapless:

gps 3% telnet 192.168.0.2
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.

Caldera OpenLinux (TM)
Version 1.3
Copyright 1996-1998 Caldera Systems, Inc.

login:
[hapless@linux hapless]$ finger root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
On since Thu May 20 21:57 (PDT) on tty1   1 minute idle
On since Thu May 20 (PDT) on tty2   7 minutes 19 seconds idle
On since Thu May 20 21:59 (PDT) on tty3   15 seconds idle
No mail.
No Plan.
[hapless@linux hapless]$ last root
root     tty2     Thu May 20 22:02   still logged in
root     tty3     Thu May 20 21:59   still logged in
root     tty1     Thu May 20 21:57   still logged in
root     tty2     Thu May 20         - down
root     tty1     Thu May 20
root     tty3     Thu May 20         - down
root     tty3     Thu May 20
root     tty1     Thu May 20
root     tty3     Thu May 20
root     tty2     Thu May 20
root     tty1     Thu May 20
root     tty1     Thu May 20
root     tty1     Mon May 17         - down

Finally, view /etc/passwd. Hunt has been running and sniffing the session the whole time:

--- Main Menu --- rcvpkt 0, free/alloc 63/64 ------
L/W/R) list/Watch/Reset connections
U) host up tests
A) arp/simple hijack (avoids ack storm if ARP used)
S) Simple hijack
D) daemons rst/arp/sniff/Mac
O) Options
X) Exit
*> w
0) 192.168.0.1 [1049] --> 192.168.0.2 [23]
choose conn> 0
dump [s]rc/[d]st/[b]oth> b

Note: the input above (w, 0, b) tells hunt to watch connection 0 and dump both directions, client to server and server to client.

Hunt then shows everything hapless does on the terminal. Because both directions are dumped, each character hapless types appears twice, once as sent by the telnet client and once as echoed back by the server; the password appears only once because telnet does not echo it:

22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00
CTRL-C to break
hhaapplleessss
Password: unaware
[hapless@linux2 hapless]$ cclleeaarr
[hapless@linux2 hapless]$ wwhhoo
root     tty1     May 20 21:57
ww
22:18:43 up 21 min, 4 users, load average: 0.00, 0.01, 0.00

[hapless@linux2 hapless]$ mmoorree //eettcc//ppaasssswwdd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
man:x:15:15:Manuals Owner:/:
majordom:x:16:16:Majordomo:/:/bin/false
postgres:x:17:17:Postgres User:/home/postgres:/bin/bash
nobody:x:65534:65534:Nobody:/:/bin/false
anon:x:100:100:Anonymous:/home/anon:/bin/bash
hapless:x:500:500:Caldera OpenLinux User:/home/hapless:/bin/bash
[hapless@linux2 hapless]$

As you can see, Hunt's output is intuitive and easy to read. In addition, Hunt offers the following:

You can watch only the connections you are interested in rather than logging everything.
It can pick up any connection it sees, not just those whose SYN it observed, and it includes ARP spoofing tools.
It provides active session hijacking.
Its feature set and easy-to-use interface make it a good choice for Linux beginners.

Sniffit

Sniffit is for those who need more detail.

Author: Brecht Claerhout
Requirements: C, IP header files
Configuration file: see the discussion below
Security history: none

Note: sniffit is very powerful but not easy to use.

$ tar xvfz sniffit_0_3_7.tar.gz
$ ./configure   (checks whether the system meets the requirements)
$ make          (compiles the source)
$ strip sniffit (removes symbols to shrink the binary)

Now we can use sniffit (the configuration file is discussed at the end).

Syntax:

sniffit [-xdabvnN] [-P proto] [-A char] [-p port] [(-r|-R) recordfile] [-l sniflen] [-L logparam] [-F snifdevice] [-D tty] [-M plugin] [(-t target-IP | -s source-IP) | (-i|-I) | -c config-file]

Sniffit is a packet sniffer for TCP, UDP, ICMP and raw IP that reports very detailed technical information about each packet (SEQ, ACK, TTL, window, ...) and can output the packets that match its filter in several formats (hex or plain text).

Sniffit handles Ethernet and PPP devices by default, but can be used on other devices as well (see README.FIRST and sn_config.h). It is easy to configure sniffit to filter the packets it records, and the configuration file lets you specify exactly which packets to process. Sniffit also has an interactive interface (-i).

Options:

-v
Show version information.
-t target-address
Process only packets whose destination address is target-address. Incompatible with -s and -c.
-s source-address
Process only packets whose source address is source-address. Incompatible with -t, -c and -v.
-c config-file
Take the packet filtering rules from config-file. Incompatible with -t, -s and -v.
-R file
Record the output to file (incompatible with -v).
-n
Disable IP checksum verification, so that forged or corrupted packets are shown as well.
-x
Print extended TCP information (SEQ, ACK, flags) to standard output; useful for tracking spoofing, packet loss and other network debugging and testing tasks. Incompatible with -i and -v.
-d
Dump packet data in hex. Unless -D or -R is given, captured data goes to one file per connection, named after the source and destination address and port, for example 192.168.0.232.1120-192.168.0.231.80.
-a
Dump packet data as ASCII; non-printable characters are shown as ".".
-P protocol
Process only this protocol: IP, TCP, ICMP or UDP.
-p port
Process only packets with destination port port.
-l sniflen
Amount of data recorded in normal mode (300 bytes by default): the first sniflen bytes of each connection are logged.
-F device
Listen on the given interface, for example eth0 or eth1.
-D tty
Send all output to the specified tty.

Example:

To listen for WWW requests sent from 192.168.0.233 to 192.168.0.231 and show them on the terminal ttyp1:

[root@lix /tmp]# /usr/sbin/sniffit -p 80 -P tcp -s 192.168.0.233 -D ttyp1
Packet ID (from_IP.port-to_IP.port): 192.168.0.233.1060-192.168.0.231.80
45 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7 04 24 00 50 00 4E
89 2A 00 00 00 00 60 02 20 00 67 19 00 00 02 04 05 B4

Note: 192.168.0.231 is the Linux server.
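The 44 bytes sniffit printed above are a complete IPv4 header followed by a 24-byte TCP SYN, which is everything it needs to build the "Packet ID" line. The Python below, an added example and not sniffit's own code, decodes those bytes and verifies both checksums the way a sniffer does by default (sniffit's -n switch turns the IP check off so that forged or damaged packets are still shown). The only input is the hex copied from the page; the checksum rules are those of RFC 791 (IP header) and RFC 793 (TCP pseudo-header).

```python
"""Decode the IPv4 + TCP header bytes from the sniffit dump above.

Added example, not sniffit's own code.  The only input is the hex dump
copied from the page (the SYN from 192.168.0.233:1060 to 192.168.0.231:80);
the checksum rules are those of RFC 791 (IP) and RFC 793 (TCP pseudo-header).
"""
import socket
import struct

# Hex bytes exactly as sniffit printed them for the packet above.
SNIFFIT_DUMP = (
    "45 00 00 2C 6D 0B 40 00 80 06 0A A0 C0 A8 00 E9 C0 A8 00 E7 04 24 00 50 00 4E "
    "89 2A 00 00 00 00 60 02 20 00 67 19 00 00 02 04 05 B4"
)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; recomputed over a header with the
    checksum field zeroed it must equal the stored checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> dict:
    """Parse TCP options (kind, length, value); only MSS is decoded to a number."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:            # MSS is a 16-bit value
            opts["mss"] = struct.unpack("!H", value)[0]
        else:
            opts["kind%d" % kind] = value.hex()
        i += length
    return opts


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the IP/TCP fields a sniffer prints and whether the checksums verify."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, ip_csum) = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    ip_hdr = packet[:ihl]
    # IP checksum covers only the header, with its own checksum field zeroed.
    ip_ok = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum
    if proto != 6:
        raise ValueError("not a TCP packet (protocol %d)" % proto)
    segment = packet[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, tcp_csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x3F
    # TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length)
    # plus the whole segment with the checksum field zeroed.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    tcp_ok = internet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:]) == tcp_csum
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_id": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "options": parse_tcp_options(segment[20:data_off]),
        "payload_len": len(segment) - data_off,
        "ip_checksum_ok": ip_ok, "tcp_checksum_ok": tcp_ok,
    }


def decode_sniffit_dump(dump: str = SNIFFIT_DUMP) -> dict:
    """Turn sniffit's space-separated hex into bytes and decode it."""
    return parse_ipv4_tcp(bytes.fromhex(dump))


if __name__ == "__main__":
    fields = decode_sniffit_dump()
    # Reproduce sniffit's "Packet ID" line, then list the decoded fields.
    print("Packet ID (from_IP.port-to_IP.port): %s.%d-%s.%d"
          % (fields["src"], fields["sport"], fields["dst"], fields["dport"]))
    for key, value in fields.items():
        print("%-16s %s" % (key, value))
```

Decoding the page's dump gives a SYN with sequence number 0x004E892A, window 8192, an MSS option of 1460 and the DF bit set, and both checksums verify, so the packet was not forged or truncated in transit. The TTL of 128 (Linux of that era sent 64) is a hint that 192.168.0.233, the client, is not the Linux box; 192.168.0.231 is, as the note says.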

To send the output to a file instead:

[root@lix /tmp]# /usr/sbin/sniffit -p 80 -P tcp -s 192.168.0.233 -R /tmp/wwwlog

To see the WWW page data returned from 192.168.0.231 to 192.168.0.225 and store it in /tmp/wwwlog:

[root@lix /tmp]# /usr/sbin/sniffit -P tcp -t 192.168.0.225 -r /tmp/wwwlog

Note: do not have other connections from .225 to .231 (a telnet session, for instance) open at the same time, or their data will be mixed into the log.

To see ICMP packets sent from 192.168.0.233 to 192.168.0.231 on the console:

[root@lix /tmp]# /usr/sbin/sniffit -P icmp -s 192.168.0.233 -D ttyp1

Sniffit also supports a configuration file, which gives much finer control over what is sniffed. Each line of the file has up to five fields:

Field 1: select or deselect. Whether packets matching the rest of the line are captured or excluded.
Field 2: from, to or both. Match packets sent by the host, sent to it, or in either direction.
Field 3: host, port or mhosts. Match on a single host, on a port, or on several hosts at once (mhosts takes an address prefix such as 100.100.12.).
Field 4: the host name or address, the port number, or the address prefix, depending on field 3.
Field 5: an optional port number, used together with host.

For example:

select from host 192.168.0.1
select from host 192.168.0.1 80
select both port 23

With these rules sniffit captures everything sent by 192.168.0.1 (the second line, its WWW traffic on port 80, is a subset of the first) and all telnet traffic in either direction.

select both mhosts 100.100.12.
deselect both port 80
select both host 100.100.12.2

With these rules sniffit captures all traffic to or from 100.100.12.* except WWW (port 80), but still captures the WWW traffic of 100.100.12.2.
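The two rule sets above can be checked mechanically. The Python below is an added example, not sniffit's own code: it parses rules in the five-field syntax described above and decides whether a given packet (source address and port, destination address and port) would be captured. The evaluation order is an assumption taken from the page's second example: rules are applied top to bottom, the last rule that matches a packet wins, and a packet no rule mentions is not captured. mhosts is treated as an address-prefix match, and a port given after a host is taken to apply to that host's end of the connection.

```python
"""Evaluate sniffit-style select/deselect rules against packets.

Added example, not sniffit's own code.  The rule syntax follows the five
fields described on the page; the evaluation semantics (top to bottom, last
matching rule wins, nothing captured by default) are an assumption derived
from the page's second example, as is the prefix matching for "mhosts".
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")


class Rule:
    """One config line: select|deselect  from|to|both  host|port|mhosts  value [port]."""

    def __init__(self, line: str):
        words = line.split()
        if (len(words) < 4 or words[0] not in ("select", "deselect")
                or words[1] not in ("from", "to", "both")
                or words[2] not in ("host", "port", "mhosts")):
            raise ValueError("bad rule: %r" % line)
        self.select = words[0] == "select"
        self.direction = words[1]
        self.kind = words[2]
        self.value = words[3]
        # Optional fifth field: a port that applies to the named host.
        self.port = int(words[4]) if len(words) > 4 else None
        if self.kind == "port":
            self.port = int(self.value)

    def _end_matches(self, addr: str, port: int) -> bool:
        """Does one end of the connection (an address and its port) satisfy the rule?"""
        if self.kind == "host" and addr != self.value:
            return False
        if self.kind == "mhosts" and not addr.startswith(self.value):
            return False
        if self.port is not None and port != self.port:
            return False
        return True

    def matches(self, pkt: Packet) -> bool:
        from_ok = self._end_matches(pkt.src, pkt.sport)
        to_ok = self._end_matches(pkt.dst, pkt.dport)
        if self.direction == "from":
            return from_ok
        if self.direction == "to":
            return to_ok
        return from_ok or to_ok          # "both"


def parse_config(text: str) -> list:
    """Parse a config file body, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(line))
    return rules


def is_captured(rules: list, pkt: Packet) -> bool:
    """Last matching rule decides; with no matching rule the packet is ignored."""
    decision = False
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.select
    return decision


# The second example from the page, used here as constructed sample input.
EXAMPLE_CONFIG = """
select both mhosts 100.100.12.
deselect both port 80
select both host 100.100.12.2
"""

if __name__ == "__main__":
    rules = parse_config(EXAMPLE_CONFIG)
    # Constructed packets: WWW from an ordinary host, WWW from the exempted
    # host, telnet reply into the prefix, and traffic outside the prefix.
    for pkt in (Packet("100.100.12.5", 1025, "10.0.0.1", 80),
                Packet("100.100.12.2", 1026, "10.0.0.1", 80),
                Packet("10.0.0.1", 23, "100.100.12.5", 1027),
                Packet("10.0.0.1", 23, "10.0.0.2", 1028)):
        print(pkt, "->", "captured" if is_captured(rules, pkt) else "ignored")
```

Running the first rule set through the same evaluator shows a caveat worth knowing before relying on a "from host" rule: it captures only what 192.168.0.1 sends, so the server's replies to it are not logged unless a matching "to" rule, or a "both" rule, is added.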
