Is there a very primitive method or protocol to send messages from two machines not on the same local network? I don't know what is available, but is there a terminal or prompt method for sending plaintext messages over the internet? Is it simple enough to code it from scratch?
Can I send a simple plaintext message from one machine to the next (if I have that machine's information) and then toy around with adding encryption and other crytopgraphy methods as an exercise?
You need netcat or sometimes called nc. It is on most Linux distros and OSX and available for Windows too.
Examples available here.
Documentation here.
On a server, run
$ nc -l 2389 > receivedfile
to listen on port 2389 and write whatever it receives to file "test"
And on the client, send a file to that port
cat yourfile | nc localhost 2389
or send a message
echo Hello | nc localhost 2389
Once you have got straightforward file transfer working, you can send an encrypted file like this:
openssl enc -aes-256-cbc -salt -in yourfile | nc localhost 2389
It sounds like telnet will do the job you're looking for. It's the most primitive protocol I can think of for this use case.
All data octets except 0377 are transmitted over the TCP transport as is. Therefore, a Telnet client application may also be used to establish an interactive raw TCP session[.]
Related
ROB(CLIENT) and BOB(SERVER) is Established with TCP , after some time ROB Linux Machine frequently sending TCP [SYN] to BOB(SERVER). The SYN packet is initiated automatically , which is not triggered by any service from ROB. Due to this BOB is dropping TCP connection .
We have enabled TCP Dump in ROB machine and Identified this issue.
How to Identify who is sending the Unnecessary SYN initiation from ROB to BOB ?
You could consider using the auditctl kernel level auditing framework that has been built into Linux for a while. It won't be pretty, but it will create audit records that you can then work through and tie to users. For example:
sudo auditctl -a exit,always -F arch=b64 -S socket -F success=1
Once that is done (you may need to install auditctl if it isn't there already... Check your package manager...), you can review the audit logs using ausearch
sudo ausearch -sc connect
The records will include the PID, PPID, and UID. You can dig further, but decoding the arguments to the call will take some effort since they are just raw hunks of data and will not be represented as the structures that they actually are.
Also, note that depending on your Linux version, you may find that you need to monitor a different system call. Obviously, the -b64 needs to match your architecture as well.
I need to hit a http server every second for an ack reply once every second repeatedly for various lengths of time, and to output the replies into a textfile with information such as the response time in ms. this is basically to check for latency, but for my purposes i need to do it with a syn/syn-ack.
I've gotten somewhere with
nmap -sS 1.1.1.1 -p 80 -o test.txt -v
this outputs well on screen, but not into the text file -- how do i get all the output that nmap runs into the file?
also, not sure how to run this every second - does nmap have a flag for repeating? or shall i just put it in a bash script?
This command is probably doing more than you want. Each time you run it, Nmap does the following:
Does a reverse-DNS (PTR) lookup of your target
Sends a host-discovery probe to make sure the target is "up." If you are root, this is a set of 4 ICMP and TCP probes. If not, it is 2 TCP connect calls.
Sends a TCP SYN probe to port 80. If you are running as root, the sequence is SYN, SYN/ACK, RST. Otherwise it is SYN, SYN/ACK, ACK, RST/ACK.
So instead, you can use some helpful flags to reduce this overhead and be more specific with what you are asking for.
nmap -n -sn -PS80 1.1.1.1
This command will skip the reverse-DNS lookup (-n) and use the host discovery phase to find the latency. -sn skips the port scan and -PS80 says to use TCP SYN to port 80 to do host discovery. Whether the TCP handshake is completed depends on whether you have root privilege or not.
nmap -n -Pn -p 80 1.1.1.1
This command will send the exact same probes as the previous, but will show the output as a port scan, not just a host discovery scan.
To repeat the scan, you'll have to put it in a shell loop. It would be better to use a dedicated tool for this, but I don't know which one would be best. Nmap comes with a tool called Nping that can send repeated probes and report the round-trip time, but I can't get it to display it per-packet; it just gives a summary at the end. You may have better luck with hping.
I want to write an application layer sniffer (SMTP/ftp/http).
Based on my searchs, first (and perhaps hardest!) step is to reassemble the tcp stream of the sniffed connections.
Indeed, what I need is something like the "follow TCP stream" option of wireshark, but I need a tool which do it on live interface and automatically. As I know, Tshark can extract TCP streams data from the saved pcap files automatically (link) but not from live interfaces. Can Tshark do it on live interfaces???
As I know, TCPflow can do exactly what I want, however, it can not handle IP defragmentation and SSL connections (I want to analyse the SSL content in the case I have the server private key).
Finally, I also try bro network monitor. Although it provides the list of TCP connections (conn.log), I was not able to get TCP connections contents.
Any suggestion about mentioned tools or any other useful tool is welcome.
Thanks in advance, Dan.
perl Net::Inspect library might help you. It also comes with a tcpudpflow which can write tcp and udp flows into separate files, similar to tcpflow. It works on pcap files or can do live captures. The library handles IP fragmenting. It also comes with a httpflow tool to extract HTTP requests and responses (including decompression, chunked encoding..). It does not currently handle SSL.
As the author of this library I don't think that extracting TCP flows is the hardest part, the HTTP parser (exluding decompression, including chunked mode) is nearly twice as big than IP and TCP combined.
This example works for reassembling application data of a single protocol:
tshark -Y "tcp.dstport == 80" -T fields -d tcp.port==80,echo -e echo.data
It captures live http data, reassembles it, and outputs it as raw hex.
I can add a small script to parse the hex into ascii if you like.
I want to analyse the SSL content in the case I have the server private key
TL;DR: This can't be done with a capturing tool alone.
Why not: Because each SSL session generates a new secret conversation key, and you can't decrypt the session without this key. Having the private server key is not enough. The idea behind this is that if someone captures your SSL traffic, saves it, and then a year later he "finds" the private server key, then he still won't be able to decrypt your traffic.
I've just got my hands on a Raspberry Pi and I've set it up to act as the DNS and DHCP server on my home network. This means that all network requests go through it before they are released into the wild... Which offers me a great opportunity to use tcpdump and see what is happening on my network!
I am playing around with the tcpdump arguments to create the perfect network spy. The idea is to capture HTTP GET requests.
This is what I have so far and it's pretty good:
tcpdump -i eth0 'tcp[((tcp[12:1] & 0xf0)>> 2):4] = 0x47455420' -A
The -i eth0 tells it which interface to listen to
The bit in quotes is a nifty bit of hex matching to detect a GET request
The -A means "print the ASCII contents of this packet"
This fires every time anything on my network sends a GET request, which is great. My question, finally, is how can I filter out boring requests like images, JavaScript, favicons etc?
Is this even possible with tcpdump or do I need to move onto something more comprehensive like tshark?
Thanks for any help!
DISCLAIMER: Currently the only person on my network is me... This is not malicious, it's a technical challenge!
Grep is your friend :-) tcpdump ... | grep -vE "^GET +(/.*\.js)|(/favicon.ico)|(.*\.png)|(.*\.jpg)|(.*\.gif)|... +HTTP will hide things like GET /blah/blah/blah.js HTTP 1/.0, GET /favicon.ico HTTP 1/.0, GET /blah/blah/blah.png HTTP 1/.0, etc.
Normally CouchDB communicates with a view server over STDIO via a simple line-based protocol.
What I want to do is, instead of a view server, have it read and write to some sort of pipe or pseudo terminal, to which I then connect, and play the view server.
I think one way to do it is with a lot of complicated use of cat and FIFO's.
But I found out that on my Mac echo "hi" > /dev/ttys000 comes back to my terminal, so I was thinking it should be possible to establish a connection this way, but I can't tell from manpages how to do it for real.
[update] I found write, which sends message from couch to my terminal, but couch is not attached, so I can't send messages in return.
nc -l 12345
And then a regular netcat to connect to it.