readme

linux或unix下回话劫持工具

/*
 * hunt
 *
 * Copyright (C) 1998 kra
 * Designed and implemented by kra <kra@cri.cz>
 *
 */


DISCLAIMER
----------
Authors are not responsible of any damages this software can cause.


READ FIRST
----------
Please make sure you KNOW what you are doing before using hunt.
It is recommended that you should test how it behaves on some test
connections and then use it wisely.


OVERVIEW
--------
Hunt is a program for intruding into a connection, watching it and resetting 
it. It has several features, which I didn't find in any product like
Juggernaut or T-sight that inspired me in my development.
I found Juggernaut not flexible enough for further development so I
started from scratch (see FEATURES and DESIGN OVERVIEW).
Note that hunt is operating on Ethernet and is best used for connections
which can be watched through it. However, it is possible to do something
even for hosts on another segments. The hunt doesn't distinguish between
local network connections and connections going to/from Internet. It can
handle all connections it sees.

Connection hijacking is aimed primarily at the telnet traffic but 
it can be used for another traffic too.
The reset, watching, arp, ... features are common to all connections.


FEATURES
--------
- connection management
	* setting what connections you are interested in
	* detecting an ongoing connection (not only SYN started)
	* Normal active hijacking with the detection of the ACK storm
	* ARP spoofed/Normal hijacking with the detection of successful 
	  ARP spoof
	* synchronization of the true client with the server after 
	  hijacking (so that the connection don't have to be reset)
	* resetting connection
	* watching connection

- daemons
	* reset daemon for automatic connection resetting
	* arp spoof/relayer daemon for arp spoofing of hosts with the ability
	  to relay all packets from spoofed hosts. 
	* MAC discovery daemon for collecting MAC addresses
	* sniff daemon for logging TCP traffic with the ability to search for
	  a particular string
	
- host resolving
	* deferred host resolving through dedicated DNS helper servers.

- packet engine
	* extensible packet engine for watching TCP, UDP, ICMP and ARP traffic
	* collecting TCP connections with sequence numbers and the ACK storm
	  detection.
- misc.
	* determining which hosts are up

-------------------------------------------------------------------------------
TECHNICAL EXPLANATION
-------------------------------------------------------------------------------
Let me explain some technical issues which I use in hunt and which are
essential for understanding how it works and what you should expect. 
The important terms are IP spoofing, ARP spoofing and ACK storm.
Even if you are familiar with them, you can get some new information.

	IP spoofing - you set the packet source address to the IP address of 
the host you pretend to be.

	ARP spoofing - you set the packet source hardware address 
(source MAC address) to the address of the host you pretend to be.

	Simple Active Attack against TCP connections - It is a well known type 
of attack in which you send a packet with spoofed IP addresses and possibly
also with spoofed ARP addresses (true MAC addresses of client and server - not 
fake ones as explained further). In this way, you can force a command to the 
stream but you are likely to receive the ACK storm (as explained further) 
unless the original client host of the connection is running Linux.

	ARP spoofing - I use this term also for forcing the remote host 
to think that the host I want to be has a different MAC address so the remote 
host sends replies to that MAC address and the original client host is not 
able to receive them (but hunt is watching carefully and handles all 
consequences) (Explaining how to force a host on the network to think that 
the other host has a different MAC I leave as an exercise - I encourage you 
to read the source code). Please note that I use the term ARP spoofing 
instead of the term ARP forcing or something like that. So don't be confused, 
if I say ARP spoofing, I mean using some MAC address of a host or just some 
fake MAC address. Note that ARP spoofing (with my meaning to force some MAC) 
doesn't work on Solaris2.5 because it has expiration timers on ARP entries
so you can't easily force Solaris to drop an ARP entry. The entry usually 
expires after 20min or less (but you have a chance to force it and hunt 
supports this mode). The expiration timers on Solaris are set by:

ndd -set /dev/ip ip_ire_flush_interval 60000	/* 1 min */
ndd -set /dev/arp arp_cleanup_interval 60	/* 1 min */

and I encourage you to ask your netadmin to set the above values on all
Solaris machines. The Win95/NT4sp3, Linux2.0, OSF1 V4.0, HP-UX10.20 are not 
protected in this way so you can easily use the described technique on them 
(actually, they have timers, but they are not operating like in Solaris; 
in fact, only Solaris is the exception). Actually, hunt uses this technique 
such that it wants to force a fake MAC of the server to the client and a fake 
MAC of the client to the server. Then both the server and the client are 
sending packets to that faked MACs (and hunt can of course handle them). 
However, it is sufficient that only one host has a fake MAC of the other host.
The ACK storm can't occur in this situation either. So you can use this 
technique even if one end is Solaris and the other isn't. You will just 
succeed in the other host and that is enough. So the only problem is when the 
connection is between two Solaris machines. However, if there is any root 
connection ongoing you can easily push the commands suggested above without 
ARP spoofing to the connection and alter the expiration timers of the ARP 
cache.


	ACK Storm - The ACK storm is caused by majority of TCP stacks (!!!
Linux2.0 is an exception !!!). Let's imagine that you send some data to an 
ongoing connection to the server (as if sent by the client - with expected seq.
numbers, ... ). The server responds with the acknowledgment of the data you
sent but this acknowledgment is received by the original client too. But
from the original client point of view, the server has acknowledged data
that doesn't exist on the client. So something strange occurred and the 
original client sends the "right" sequence number with ACK to the server.
But the TCP rules say that it is required to generate an immediate 
acknowledgment when an out-of-order segment is received. This ACK should not 
be delayed. So the server sends the acknowledgment of non-existent data to the
client again. And the client responses, ... 
Only if the source host of the connection is Linux then the ACK storm
doesn't occur. Note that if you use ARP spoofing (forcing) then the ACK
storm can't come because one or both ends will send packets with fake
MACs and those packets are received by hunt rather than by the other host.

	Connection Reset - with a single properly constructed packet
you can reset the connection (RST flag in TCP header). Of course, you have
to know the sequence number but it is not a problem for hunt which is watching
all the time. You can reset server, client, or both. When you reset
only one end the other end is reset when it tries to send data to the
first host which will response with RST because of the connection
reset on it.

	Connection sniffing/watching - the simplest thing you can do is to
silently sit in you chair and watch hunt output about any connection which
you choose from the list.

	Connection Synchronization - well, that's one of the main features of 
hunt. If you put some data to the TCP stream (through simple active attack or
ARP spoofing), you desynchronize the stream from the server/original client 
point of view. After some work done on that connection you can just reset it 
or you can try to synchronize both original ends again. That is not an
easy task. The user on the client is prompted to type some chars and some chars
are sent to the client and server. The main goal of all stuff 
is to synchronize the sequence numbers on both client and server again.

	Switch/Segment traffic rerouting - With ARP spoofing you can
even force switch so that it will send you the traffic for hosts
on another segment/switched port. This is because a switch will think that 
the MAC belongs to your port. Be careful if your switch has some security
policy and MACs have been explicitly set up on a per port basis - but in 
fact I don't ever see such a configuration on "ordinary" network.

Please if you have a switch, test the configuration and let me know how it 
works as what I described is only my theoretical expectation.

	ARP-relay daemon - Don't be confused. I use this term for hunt daemon
which is responsible for inserting packets to the network (rerouting) 
of all data it receives from ARP spoofed hosts.


DESIGN OVERVIEW
---------------
	The development model is based on a packet engine (hunt.c) which runs
in its own thread and captures packets from the network. The packet engine
collects information of TCP connections/starting/termination, sequence 
numbers,  and MAC addresses. It collects the MACs and seq. numbers from the 
server point of view and separate MACs and seq. numbers from the client point 
of view. So it is prepared for hijacking. This information (seq. num., MAC, 
...) is available to modules so they don't have to analyze and collect it. 

Modules can register functions with the packet engine which are then invoked 
when new packets are received. A module function determines if the module is 
interested in a packet or not and can place the packet in a module specific 
list of packets. A module function can also send  some packet to the network 
if it is desirable to do it very fast. The module (usually in some other 
thread so it needs to be scheduled to be run) then gets packets from the list 
and analyzes them. In this way, you can easily develop modules which perform 
various activities.

Packets to be sent as a response to the network are described by structures 
so you don't have to care about some default fields or checksums. At this time,
functions for TCP, ICMP and ARP traffic are already prepared. (UDP is missing
because I don't use it in any module)

A separate set of daemons is used for host resolving (DNS). That is because
the gethostbyname/gethostbyname_r function is protected by mutex 
(As far as I know - it was so two years ago - I didn't try it now) so you 
can't run it truly parallel in a multithreaded environment. Therefore, the
commonly used workaround is to fire up some helper daemons through fork which 
will run gethostbyname.


-----------------------------------------------------------------------------
USER ENVIRONMENT
-----------------------------------------------------------------------------

Command line parameters
-----------------------
-V		print version
-v		verbose (print pids of created threads)
-i interface	listen on this interface. Default is eth0


Well, the user environment isn't graphical but I believe that you will like
it.

In the title of all menus is some status information about hunt.
First, there is an indication with which menu you are working. Second, the 
number of packets received by hunt is shown. Hunt pre-allocates some buffers
for packets; the status of free and allocated buffers is displayed as
the third value. The number of free buffers is low for a high loaded network
or the ACK storm or if you have poor hardware. In my case, for example,
the numbers 63/64 were normally indicated meaning that only one buffer was 
used, but after the ACK storm, I have something like 322/323. Note that the 
buffers once allocated are not freed. The low number of free buffers can also 
mean some bug in hunt but I think I carefully debugged all modules to this 
kind of bug. The last indicator reports which daemons (actually threads)
are running. They are: R - reset daemon, Y - arp relayer, S - sniffer,
M - MAC discoverer.

General interface
-----------------
In all menus the x key works as escape.
The network mask is denoted by the ip_address/mask notation where mask is the 
number of 1's on the left side of the network mask. For example, 0.0.0.0/0 
means everything and 192.168.32.10/32 means only that host.

For most modules is used:
l) list items
a) add item
m) modify item
d) delete item
They will be referred in this text as l) a) m) d)