Author: Jeffrey Zhu
Blog: Http://blog.csdn.net/gueter/
I. Preface
This article recommends the packet capture tool EtherPeek NX and uses it to examine some characteristics of the proprietary QQ protocol by analyzing captured QQ packets.
II. EtherPeek NX Overview
Not long ago, for work, I needed to modify the madwifi code to analyze packets received over wireless, but I could not get at the packets, and starting the analysis from the source code was too involved, so I used the Windows packet capture tool EtherPeek NX instead. Following the seven-layer OSI model, EtherPeek NX decodes each packet and monitors the state of the network in real time. It identifies problems automatically and suggests solutions, reports latency and throughput under various network conditions, and displays the communication status of every node on the network graphically. Its user interface is very friendly. Like other packet capture software, EtherPeek NX requires WinPcap; see http://www.winpcap.org/ for details.
III. EtherPeek NX 2.0 Interface
IV. Packet Analysis
The following takes the first packet sent by the client (that is, the local machine) during QQ login as an example:
Packet Info
  Flags: 0x00
  Status: 0x00
  Packet Length: 122
  Timestamp: 13:44:35.513435 12/16/2009
Ethernet Header                                  // frame header
  Destination: 00:14:78:06:BF:32 [0-5]           // wireless router MAC
  Source: 00:0B:C0:02:96:59 [6-11]               // client MAC
  Protocol Type: 0x0800 IP [12-13]               // EtherType: IP
IP Header - Internet Protocol Datagram           // IP header
  Version: 4 [14 Mask 0xF0]                      // IPv4
  Header Length: 5 (20 bytes) [14 Mask 0x0F]
  Type of Service: %00000000 [15]
    000. .... Precedence: Routine
    ...0 .... Normal Delay
    .... 0... Normal Throughput
    .... .0.. Normal Reliability
    .... ..0. ECT bit - transport protocol will ignore the CE bit
    .... ...0 CE bit - no congestion
  Total Length: 104 [16-17]
  Identifier: 38691 [18-19]
  Fragmentation Flags: %000 [20 Mask 0xE0]
    0.. Reserved
    .0. May Fragment
    ..0 Last Fragment
  Fragment Offset: 0 (0 bytes) [20-21 Mask 0x1FFF]
  Time To Live: 128 [22]
  Protocol: 17 UDP - User Datagram Protocol [23]
  Header Checksum: 0x98A4 [24-25]
  Source IP Address: 192.168.1.102 [26-29]       // source: client
  Dest. IP Address: 58.60.14.115 [30-33]         // destination: server
  No IP Options
UDP - User Datagram Protocol                     // UDP header
  Source Port: 4000 terabase [34-35]             // source port number
  Destination Port: 8000 irdmi [36-37]           // destination port number
  Length: 84 [38-39]
  Checksum: 0x6DA0 [40-41]
Application Layer
  Data Area:                                     // payload
    02 19 0F 00 91 1A 37 03 DC CA EE 10 49 E4 F0 20 [42-57]
    C6 A1 5C 32 CB 1E 7F 42 76 D3 7B 6A A8 3E 41 AD [58-73]
    D4 34 2D 3E 64 56 3B E6 2E 3F 99 2D D4 60 DF 4F [74-89]
    BF F4 1B DB 40 43 9B ED 18 AD 6A 58 4D 10 C8 F0 [90-105]
    9D 5F 1E CC 83 3B A6 9E DC B3 00 03 [106-117]
FCS - Frame Check Sequence                       // frame check
  FCS (Calculated): 0x048E3E9E
V. QQ protocol features
The QQ Protocol has the following features:
1. UDP is used by default. The default client port is 4000 and the default server port is 8000;
2. The captured payload is as follows:
02 19 0F 00 91 1A 37 03 DC CA EE 10 49 E4 F0 20 [42-57]
C6 A1 5C 32 CB 1E 7F 42 76 D3 7B 6A A8 3E 41 AD [58-73]
D4 34 2D 3E 64 56 3B E6 2E 3F 99 2D D4 60 DF 4F [74-89]
BF F4 1B DB 40 43 9B ED 18 AD 6A 58 4D 10 C8 F0 [90-105]
9D 5F 1E CC 83 3B A6 9E DC B3 00 03 [106-117]
3. Multiple packet captures show that the first four bytes are fixed and indicate the internal protocol version: 02 19 0F 00;
4. The fourth byte is the command type number: 91;
5. Bytes 6 to 7 are a randomly generated packet sequence number (consecutive packets of the same command type increment it sequentially): 1A 37 (used to check the response against the packet);
6. Bytes 8 to 11 are the QQ account number, in plaintext and padded with leading zeros: 03 DC CA EE (decimal 64801518, the author's QQ number);
7. The last byte is the message end code: 03;
8. All packets sent from the client (local machine) to the server contain items 1 to 7 above; the server's responses to the client should also contain the corresponding items 1 to 7;
9. The analysis shows that a QQ message packet consists of a packet header, a packet body and a packet tail, and that the packet body may be fully encrypted, unencrypted, or partially encrypted;
10. The first 12 packets have the same sizes in the same order; the subsequent packets arrive in varying order, perhaps because password authentication has completed by then.
How password authentication is implemented, which encryption and decryption algorithms QQ uses for password transmission, and how keys are negotiated remain subjects for further experiment and discussion.
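As an added worked example (not code from the original post), the Python below rebuilds the IP and UDP headers from the fields decoded in section IV, recomputes both checksums against the values EtherPeek NX reported, and splits the payload using the field layout from items 3 to 7 of section V; the 1-based byte positions in that list become 0-based slices here.

```python
import struct

# Header fields and payload transcribed from the EtherPeek NX decode in section IV.
SRC_IP, DST_IP = "192.168.1.102", "58.60.14.115"
IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 104, 38691, 0x0000, 128, 17, 0x98A4,
                        bytes(map(int, SRC_IP.split("."))), bytes(map(int, DST_IP.split("."))))
UDP_HEADER = struct.pack("!HHHH", 4000, 8000, 84, 0x6DA0)
QQ_PAYLOAD = bytes.fromhex(
    "02190f00911a3703dccaee1049e4f020" "c6a15c32cb1e7f4276d37b6aa83e41ad"
    "d4342d3e64563be62e3f992dd460df4f" "bff41bdb40439bed18ad6a584d10c8f0"
    "9d5f1ecc833ba69edcb30003")

def rfc1071_checksum(data):
    """One's-complement sum of 16-bit words, folded to 16 bits, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_checksum(ip_hdr):
    # The checksum field (bytes 10-11) counts as zero while computing.
    return rfc1071_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

def udp_checksum(ip_hdr, udp_hdr, payload):
    # Pseudo-header: source IP, destination IP, zero byte, protocol, UDP length.
    pseudo = ip_hdr[12:20] + b"\x00" + ip_hdr[9:10] + udp_hdr[4:6]
    return rfc1071_checksum(pseudo + udp_hdr[:6] + b"\x00\x00" + payload)

def lengths_consistent(ip_hdr, udp_hdr, payload):
    """IP total length must cover the UDP length, which must cover the payload."""
    ip_total = struct.unpack("!H", ip_hdr[2:4])[0]
    udp_len = struct.unpack("!H", udp_hdr[4:6])[0]
    return ip_total == 20 + udp_len and udp_len == 8 + len(payload)

def parse_qq_header(payload):
    """Split a client-to-server QQ packet according to items 3 to 7 of section V."""
    if payload[0] != 0x02 or payload[-1] != 0x03:
        raise ValueError("missing QQ start (0x02) or end (0x03) byte")
    return {
        "fixed": payload[0:4].hex(),                           # 02 19 0F 00
        "command": payload[4],                                 # 0x91
        "sequence": struct.unpack("!H", payload[5:7])[0],      # 0x1A37
        "qq_number": struct.unpack("!I", payload[7:11])[0],    # 03 DC CA EE -> 64801518
        "body": payload[11:-1],                                # plaintext or encrypted body
    }
```

Both checksums recompute to the captured values, which confirms the dump above was transcribed without error.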