
WinPcap Brings Unix Network Tools to Windows

by Stefan Norberg
12/05/2000

I work as a network security consultant, and for the last couple of years I've been dual-booting Windows NT/2000 and Linux on my laptop. The reason for this is that many of the tools I've been using to trouble-shoot problems and gather information ran only on Unix systems. Now this has changed: Linux is still on my laptop, but I don't use it as often anymore. This article introduces some of the Win32-based tools I use and where you can get them. All the software described in this article is free and open source.

WinPcap

Many popular Unix network tools are based on a programming library called libpcap, which in turn relies on a set of Unix kernel functions known as BPF or Berkeley Packet Filter. Recently, this functionality has been made available on the Win32 platform. WinPcap is a Win32 port of libpcap (a widely used network programming API for capturing and sending network packets).

WinPcap consists of two main components:

  • A kernel-level packet-filter driver based on the Berkeley Packet Filter (BPF) functionality provided by most Unix kernels
  • A high-level programming library, libpcap, for Windows

Related Reading

Securing Windows NT/2000 Servers for the Internet: A Checklist for System Administrators
By Stefan Norberg

The packet-capture driver is a device driver that adds the ability to capture and send raw network packets to Windows 9x, Windows NT, and Windows 2000 in a way similar to the Berkeley Packet Filter of Unix kernels. Packet.dll, a component of WinPcap, provides an API that can be used to access the functions of the BPF driver directly. WinPcap also exports a set of functions that are compatible with libpcap, thereby offering a set of high-level functions to capture packets in a way that is independent from the underlying network hardware and operating system.

The fact that the libpcap API is now available on Win32 means that a number of useful Unix network utilities have been ported to Windows. All the tools described in this article use WinPcap.

WinDump

WinDump is a Win32 port of tcpdump, a popular network tool for Unix. WinDump is fully compatible with tcpdump. Like tcpdump, WinDump prints the headers of packets that match a filter expression. I use WinDump on a daily basis for just about everything: I measure application response times, and I use it to trouble-shoot network problems and pinpoint errors. It's probably the only piece of software I use as often as Microsoft Word!

WinDump puts the network interface in promiscuous mode (it grabs all the packets it sees, not just the ones destined for it). You will need to be on a shared-access network, such as a non-switched Ethernet, to see traffic to and from hosts other than yours.

WinDump Example 1: Print all UDP traffic between two hosts.

C:\> windump host bamse and host cartman and udp
windump: listening on \Device\Packet_{8422BFF6-2771-4842-8B11-327ED5524F23}

22:17:04.946666 cartman.norberg.org.2830 > bamse.norberg.org.53: 1+ (39)
22:17:04.947233 bamse.norberg.org.53 > cartman.norberg.org.2830: 1* 1/0/0 (70)
22:17:04.980131 cartman.norberg.org.2831 > bamse.norberg.org.53: 2+ (35)
22:17:04.980494 bamse.norberg.org.53 > cartman.norberg.org.2831: 2* 1/0/0 (51)
22:17:05.029427 cartman.norberg.org.2832 > bamse.norberg.org.53: 217+ (39)
22:17:05.029794 bamse.norberg.org.53 > cartman.norberg.org.2832: 217* 1/0/0 (70)
22:17:26.080344 cartman.norberg.org.137 > bamse.norberg.org.137: udp 62
22:17:26.080418 bamse.norberg.org.137 > cartman.norberg.org.137: udp 62
22:17:26.080468 cartman.norberg.org.138 > bamse.norberg.org.138: udp 174
22:17:26.080676 bamse.norberg.org.138 > cartman.norberg.org.138: udp 180
22:17:26.080868 bamse.norberg.org.138 > cartman.norberg.org.138: udp 180
22:17:30.764228 cartman.norberg.org.2833 > bamse.norberg.org.88:
22:17:30.769905 bamse.norberg.org.88 > cartman.norberg.org.2833:

WinDump Example 2: Print only ICMP echo request (ICMP type 8) and echo reply (ICMP type 0) messages. WinDump can also be configured to match packets on fine-grained properties, like a single field in the datagram header:

C:\> windump -v -n "icmp[0]=8 or icmp[0]=0"
windump: listening on \Device\Packet_{8422BFF6-2771-4842-8B11-327ED5524F23}
19:29:45.432743 10.0.0.150 > 10.0.0.1: icmp: echo request (ttl 128, id 4749)
19:29:45.433131 10.0.0.1 > 10.0.0.150: icmp: echo reply (ttl 128, id 42083)
19:29:46.436796 10.0.0.150 > 10.0.0.1: icmp: echo request (ttl 128, id 4750)
19:29:46.437087 10.0.0.1 > 10.0.0.150: icmp: echo reply (ttl 128, id 42084)

Flags used:

-v    verbose (prints the time-to-live (TTL) value and the ICMP identifier field in this case)
-n    Don't resolve IP addresses to names

Filter expression syntax:

icmp[0]    Offset 0 in the ICMP header (the ICMP type field)

Please refer to the tcpdump man page for a full description of the flags and the filter expression syntax.
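To see what icmp[0] actually indexes, here is an added Python example (not part of the original article) that evaluates the Example 2 filter over constructed IPv4/ICMP datagrams and renders the matches in the -v -n style. The packet bytes are constructed for the demonstration; the ICMP offset is taken from the IP header length field (IHL), which is why a filter like this still works when IP options are present.

```python
import struct

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}

def build_ipv4(src, dst, proto, payload, ttl=128, ip_id=0, ihl=5):
    """Constructed IPv4 datagram: header padded to IHL*4 bytes, then payload (checksums left zero)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, 4 * ihl + len(payload), ip_id, 0,
                         ttl, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + b"\x00" * (4 * ihl - 20) + payload

def echo(icmp_type, ident, seq=1):
    """ICMP echo header: type, code 0, checksum 0, identifier, sequence number."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

def icmp_header(pkt):
    """8-byte ICMP header, or None if not ICMP. windump's icmp[N] is byte N of this header."""
    start = (pkt[0] & 0x0F) * 4              # header length comes from IHL, not a fixed 20
    if pkt[9] != 1 or len(pkt) < start + 8:  # protocol 1 = ICMP
        return None
    return pkt[start:start + 8]

def matches(pkt):
    """The filter 'icmp[0]=8 or icmp[0]=0': type byte is echo request or echo reply."""
    icmp = icmp_header(pkt)
    return icmp is not None and icmp[0] in (8, 0)

def describe(pkt):
    """Render like 'windump -v -n': -v adds the IP header's TTL and identification fields."""
    icmp_type = icmp_header(pkt)[0]
    ttl, ip_id = pkt[8], struct.unpack("!H", pkt[4:6])[0]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    kind = ICMP_NAMES.get(icmp_type, "type %d" % icmp_type)
    return "%s > %s: icmp: %s (ttl %d, id %d)" % (src, dst, kind, ttl, ip_id)

# Constructed capture: request, reply, an unreachable, a UDP datagram, and a
# request carrying IP options (IHL=6) to show why the offset must come from IHL.
SAMPLE = [
    build_ipv4("10.0.0.150", "10.0.0.1", 1, echo(8, 1), ip_id=4749),
    build_ipv4("10.0.0.1", "10.0.0.150", 1, echo(0, 1), ip_id=42083),
    build_ipv4("10.0.0.1", "10.0.0.150", 1, struct.pack("!BBHI", 3, 1, 0, 0), ip_id=7),
    build_ipv4("10.0.0.150", "10.0.0.1", 17, b"\x00" * 8, ip_id=8),
    build_ipv4("10.0.0.150", "10.0.0.1", 1, echo(8, 2), ip_id=4750, ihl=6),
]

def run_filter(packets=SAMPLE):
    """Apply the filter to raw datagrams and return the lines windump would print."""
    return [describe(p) for p in packets if matches(p)]
```

Only the three echo packets survive the filter; the unreachable (type 3) and the UDP datagram are dropped, and the request with IP options is still found because the offset follows IHL.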

Nmap

Nmap is a tool designed to allow system administrators to scan large networks to determine which hosts are up and what services they are providing. Nmap is an excellent tool for scanning networks and can be used in numerous ways:

Nmap Example 1: Detect hosts and services on a particular network. Nmap can be used to scan a network for active hosts and optionally active services on any hosts it finds. This is useful for system administrators who want to periodically scan the network for unauthorized clients or for backdoors like Back Orifice and Netbus.

If you want to scan a network (in this example, 192.168.6.0/29) for Netbus (tcp/12345) and Back Orifice 2k (tcp/54320) trojans, use the following command:

C:\> nmapnt -sS -p 12345,54320 192.168.6.0/29

Starting nmapNT V. 2.53 by ryan@eEye.com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor@insecure.org ( www.insecure.org/nmap/ )

All 2 scanned ports on beretta.foo.com (192.168.6.1) are: closed
All 2 scanned ports on obelix.foo.com (192.168.6.2) are: closed
All 2 scanned ports on legolas.foo.com (192.168.6.5) are: closed
All 2 scanned ports on swekim.foo.com (192.168.6.6) are: closed
All 2 scanned ports on swegun.foo.com (192.168.6.7) are: closed
Nmap run completed -- 8 IP addresses (5 hosts up) scanned in 3 seconds

Flags used:

-sS   TCP stealth SYN scan
-p    ports to scan

Nmap Example 2: Nmap operating system fingerprinting. Once you've found some interesting hosts, you can have Nmap guess what kind of operating system these hosts are running. This is done using a fingerprint of the hosts' IP stacks: it's actually possible to determine what kind of system it is just by looking at the TCP/IP datagrams it sends. The way the system increments TCP sequence numbers is one part of this fingerprint.

Use Nmap's -O flag to have it fingerprint the remote hosts. Note that this is just a best guess:

C:\> nmapnt -O -p 130-140 10.0.0.1
Starting nmapNT V. 2.53 by ryan@eEye.com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on bamse.norberg.org (10.0.0.1):
(The 9 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        unknown
139/tcp    open        unknown

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=14168 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

C:\> nmapnt -O -p 1-100 foo.norberg.org
Starting nmapNT V. 2.53 by ryan@eEye.com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor@insecure.org ( www.insecure.org/nmap/ )

Interesting ports on foo.norberg.org (192.168.5.1):
(The 95 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)
Remote operating system guess: HP-UX 10.20 E 9000/777 or A 712/60 with tcp_random_seq = 0

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds

Ngrep

Grep is a GNU utility that searches one or more input files for lines containing a match to a specified pattern. By default, grep prints the matching lines. Network grep (Ngrep) is a tool that works like the original grep, but instead of text files it takes live network data as its input. Ngrep is very useful for trouble-shooting clear-text connections. You will need to be on a shared-access network, such as a non-switched Ethernet, to see traffic to and from hosts other than yours.

Ngrep Example 1: Displaying FTP login information. The following example looks for USER and PASS commands in FTP-command channels:


C:\> ngrep -wq "USER|PASS" tcp port 21

T 10.0.0.150:1682 -> 192.168.6.26:21 [AP]
  USER anonymous..
T 10.0.0.150:1682 -> 192.168.6.26:21 [AP]
  PASS leech@nowhere.org..
T 10.0.0.152:1044 -> 192.168.6.122:21 [AP]
  USER stnor..
T 10.0.0.152:1044 -> 192.168.6.122:21 [AP]
  PASS fooqaz1..

Flags used:


-w    is word-regex (expression must match as a word)
-q    is be quiet

Ngrep Example 2: Troubleshooting LDAP. The following Ngrep command displays all data from LDAP connections (port tcp/389):

(Ngrep Example 2 output: linked from the original article, not reproduced on this page.)

The data above is part of a response from a Windows 2000 domain controller. This information was transmitted in clear-text over the network when someone brought up the properties dialog box for a user in the Active Directory database (using the Start ->Search ->For People dialog box).

Dsniff

Dsniff is a password sniffer that can handle an impressive number of applications, including FTP, Telnet, POP, Napster, HTTP, pcAnywhere, and SMB. Obviously, this tool can be used by malicious users to harvest passwords off the wire, but Dsniff can also be used to assess the overall security of your network. Get permission from management to run Dsniff on a network segment and you'll get that new security policy approved in no time! You will need to be on a shared-access network, such as a non-switched Ethernet, to see traffic to and from hosts other than yours.

Dsniff Example: The following Dsniff session captures a telnet session where a user enters the root (superuser) password on a Unix system. It also captures one username/password over FTP and another one over HTTP.

c:\> dsniff -n
-----------------
09/27/00 00:09:06 10.0.0.150 -> 192.168.6.26 (telnet)
stnor
secret1
ls
su
r00tpw
exit
exit

-----------------
09/27/00 00:11:04 10.0.0.150 -> 192.168.6.122 (ftp)
USER anonymous
PASS leech@nowhere.org

-----------------
09/27/00 00:17:41 10.0.0.150 -> 10.0.0.55 (http)
GET /personal/ HTTP/1.1
Host: foo.norberg.org
Authorization: Basic c3RlZmFuX25vcmJlcmc6c3lnMWdoMTE=
  [stefan_norberg:secret123]

Flags used:

-n    Don't resolve IP addresses to names

Sending usernames and passwords in clear text over the network is a bad idea. Needless to say, many organizations realize they need to deploy encryption technology, like IPsec, on their networks.
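An added Python example (not from the article, ngrep or dsniff) that turns the Ngrep Example 1 pattern and the Dsniff Basic-auth decode into a clear-text credential audit over constructed FTP and HTTP payloads: the -w word-boundary rule keeps tokens such as USERNAME or PASSIVE from matching, and the report records only the username and the secret's length so it can be circulated without spreading the exposed password.

```python
import base64
import re

# ngrep -w "USER|PASS": each alternative must match as a whole word, so a
# payload containing USERNAME or PASSIVE does not trip it. \b is the word boundary.
FTP_CREDENTIAL = re.compile(r"\b(USER|PASS)\b[ \t]+(\S+)")
HTTP_BASIC = re.compile(r"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.I | re.M)

def audit_payload(proto, payload):
    """Findings for one reassembled TCP payload. The secret itself is never
    stored, only its length, so the report can be handed around safely."""
    findings = []
    if proto == "ftp":
        for cmd, arg in FTP_CREDENTIAL.findall(payload):
            if cmd == "USER":
                findings.append({"proto": "ftp", "field": "user", "value": arg})
            else:
                findings.append({"proto": "ftp", "field": "password", "secret_len": len(arg)})
    elif proto == "http":
        for token in HTTP_BASIC.findall(payload):
            try:  # dsniff decodes the same base64 'user:password' pair
                creds = base64.b64decode(token, validate=True).decode("latin-1")
            except ValueError:  # binascii.Error is a ValueError: not real base64
                continue
            user, _, secret = creds.partition(":")
            findings.append({"proto": "http", "field": "basic-auth", "value": user,
                             "secret_len": len(secret)})
    return findings

# Constructed flows: the FTP login from Ngrep Example 1, two near-misses that
# -w must ignore, and the HTTP request from the Dsniff example.
SAMPLE_FLOWS = [
    ("ftp", "USER anonymous\r\nPASS leech@nowhere.org\r\n"),
    ("ftp", "USERNAME-PROMPT shown\r\nPASSIVE transfer\r\n"),
    ("http", "GET /personal/ HTTP/1.1\r\nHost: foo.norberg.org\r\n"
             "Authorization: Basic "
             + base64.b64encode(b"stefan_norberg:secret123").decode() + "\r\n\r\n"),
]

def audit(flows=SAMPLE_FLOWS):
    """Run the audit over every flow and return the combined findings."""
    return [f for proto, payload in flows for f in audit_payload(proto, payload)]
```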


Stefan Norberg is an independent network security consultant based in Stockholm, Sweden. He has built everything from large firewalls to highly available Unix clusters. He has designed and implemented Internet firewalls using building blocks like Cisco IOS, HP-UX, Linux, and Windows NT/2000. When he finds spare time, Stefan enjoys spending it with his wife Marianne and daughter Matilda.
