List/Watch/Reset connection
---------------------------
You can obtain the list of connections tracked by the hunt packet engine.
Which connections are tracked is specified in the options menu. You can
interactively watch or reset these connections. You can also perform
hijacking on them (next two menu items).

ARP/Simple hijack
-----------------
ARP/Simple hijack offers you an interactive interface for the insertion of
data into the selected connection. You can perform ARP spoofing for both
connection ends, for only one end, or not at all. If you don't do ARP
spoofing then you will probably receive the ACK storm after typing the first
char. When you do ARP spoofing, it is checked whether it succeeds. If not,
you are prompted whether you want to wait until it succeeds (you can
interrupt this waiting with CTRL-C, of course). After inserting some data
into the connection you type CTRL-] and then you can synchronize or reset the
connection. If you choose synchronization, the user is prompted to type some
chars and after he does so the connection will be in the synchronous state.
You can interrupt the synchronization process with CTRL-C and then you can
reset the connection. Note that CTRL-C is used widely for interrupting an
ongoing process. CTRL-] (like in telnet) is used for finishing the
interactive insertion of data into the connection. ARP/Simple hijack doesn't
automatically reset the connection after it detects the ACK storm, so you
have to do it yourself. Note also that ARP/Simple hijack works with the ARP
relayer (as described further) so that other connections are not affected.
Normally, if you ARP spoof two servers then ARP/Simple hijack handles only
the one selected connection between these two hosts, but other connections
between these two hosts look like they freeze. If you start the ARP relayer,
then these other connections are handled and rerouted through it. So other
connections from one spoofed host to the other are not affected at all.
It is recommended to run the ARP relayer if you do ARP hijacking of two
servers. Note that if you ARP spoof (force) some client's MAC to the server,
then only connections going from the server to that client are affected.
Other connections from the server to other machines are untouched.

Simple hijack
-------------
Simple hijack allows you to insert a command into the data stream of the
connection. When you insert the command, hunt waits for it to complete, up
to a certain timeout, and if the ACK storm doesn't occur you are prompted
for the next command. After that, you can synchronize or reset the
connection. Note that you can use the interactive interface (ARP/simple
hijack without ARP spoofing) instead of simple hijack, but if you use the
full interactive interface of ARP/simple hijack without ARP spoofing you are
likely to get the ACK storm immediately after typing the first char. So this
mode of hijacking is useful when you have to deal with the ACK storm,
because it sends your data to the connection in a single packet. When the
ACK storm is in progress it is very hard to deliver other packets from hunt
to the server as the network and server are congested.

DAEMONS
-------
I call them daemons but they are actually threads.

All daemons can be started and stopped. Don't be surprised when you insert
or modify some rule in a daemon and it does nothing. The daemon is not
running - you have to start it. All daemons are stopped by default, even
though you can alter the configuration. Common commands in the daemons menu
are:

s) start the daemon
k) stop the daemon
l) list configuration items
a) add config. item
m) modify config. item
d) delete config. item

Reset daemon
------------
This daemon can be used to perform automatic resets of ongoing connections
that hunt can see. You can describe which connections should be terminated
by giving src/dst host/mask and src/dst ports. The SYN flag off means that
all specified connections should be terminated (even ongoing).
The SYN flag on means that only newly started connections are reset, so the
connections that are in progress are not affected. Don't forget to start
the daemon.

ARP daemon
----------
Here you can do ARP spoofing of hosts without hijacking. You enter src and
dst addresses and the desired srcMAC. The dst is then forced to think that
src has srcMAC. You just want the hosts to send you all the data (so you can
even look at packets that are on a different segment or switched port).

The ARP relayer daemon is used to perform ARP relaying of ARP spoofed
connections. When you insert some ARP spoof of hosts, the ARP spoofing is
performed immediately even if the relayer isn't running!!! But if the ARP
spoofing succeeds, the connections will look like they freeze. For rerouting
(not IP routing!) these connections through your hunt you need to start the
ARP relayer. The relayer works well with ARP/simple hijack, so once you have
hosts ARP spoofed with ARP relaying you can easily do ARP/simple hijack,
which will detect that the hosts are already ARP spoofed and take over the
connection immediately. With this technique you can easily become the man in
the middle from the beginning of the connection even though your host with
hunt isn't an IP gateway. I encourage you to write other application
specific protocol handlers for the man in the middle attack as it is really
simple with this framework.

Sniff daemon
------------
The purpose of the sniff daemon is to log specified packets. The sniff
daemon can also search for a simple pattern (string) in the data stream (see
the bugs section). You can specify which connection you are interested in,
where to search (src, dst, both), what you want to search for, how many
bytes you want to log, from what direction (src, dst, both) and to what file
the daemon should write. All logged files are stored in the .sniff
directory. The default file name for logging is composed of the host and
port names.
In the options submenu you can set how to log new lines (\r, \n) (as
new-lines or as hex numbers).

MAC discovery daemon
--------------------
This daemon is used to collect MAC addresses corresponding to the specified
IP range. You can enter the time after which the daemon will try collecting
again (default is 5 min).

Host up menu
------------
The host up module determines which hosts are up (with a TCP/IP stack). You
just specify the IP range and that space is then searched for running hosts.

Options menu
------------
In the options menu you can tune different things:

l) a) m) d) list/add/mod/del connection policy entry
   First of all you can select which connections should be tracked. The
   default setting is to look at telnet connections from all hosts, but you
   can adjust this behavior by the specification of src/dst address/mask and
   src/dst port pairs. With the commands l) a) m) d) you set what you are
   interested in.

c) connection listening properties
   You can set whether the sequence numbers and MACs of ongoing connections
   will be displayed during connection listening.

h) host resolving
   You can turn on resolving of hosts to their names. As the resolving is
   deferred you don't get the names of hosts immediately. Just try to list
   connections several times and you will see the host names. (I used this
   deferred approach because I didn't want any delay of the interface that
   the resolving can cause.)

r) reset ACK storm timeout
   This timeout is used in simple hijack to automatically reset the
   connection after the ACK storm is detected. Note that you can receive the
   ACK storm even in arp/simple hijack in case you don't perform ARP
   spoofing of any host.

s) simple hijack timeout for next cmd
   Simple hijack doesn't have an interactive connection interface. That
   means you write the whole command which will be inserted into the
   connection data stream.
   If no data is transferred through the connection up to this timeout, you
   are prompted for the next command.

e) learn MAC from IP traffic
   You can enable MAC addresses to be learned from all IP traffic, not just
   from ARP.

p) number of printed lines per page in listening
   Self explanatory

----------------------------------------------------------------------------
TESTED ENVIRONMENT
----------------------------------------------------------------------------
HUNT program:
- Linux >= 2.0.35
- Glibc with linuxthreads
- 10Mb Ethernet

Tested hosts:
Linux 2.0, Linux 2.1, Solaris 2.5.1, NT4sp3, Win95, OSF V4.0D, HPUX 10.20

SECURITY NOTES
--------------
Please note the already known truth that telnet and similar programs which
send passwords in clear text are vulnerable to the described attacks.
Programs using one time passwords are also easily attacked and in fact they
are useless if someone can run a program like hunt. Only fully encrypted
traffic isn't vulnerable to these attacks, but note that you can become a
man in the middle if you use ARP spoofing (forcing) without the ACK storm
and you can try to do something.

Detecting attacks isn't an easy task. For ARP spoofing there are tools which
can detect it. The ACK storm is detectable by some sophisticated network
analyzers (you can detect the pattern of the ACK storm or the statistics of
ACKs without data).
If you run hunt on your network you can detect the ACK storm because hunt
can detect the ACK storm pattern.

PERFORMANCE NOTE
----------------
Make sure you are running hunt on an idle machine with sufficient power (I
used a PII-233 with 128MB RAM) and without any other packet analyzer,
because if you use advanced features like arp spoofing or hijacking, hunt
needs to reply fast with its own packets inserted into the traffic on the
network.

IDEAS for future development (It is open for everybody)
----------------------------
- Graphical user interface (Java based)
- Using arp spoofing for ftp / rcp connections in a way that you can insert
  something into the downloaded file or replace it completely.
- incorporating other application level protocols (HTTP, SMTP, POP).
- denial of service attack through arp spoofing (even though you can do it
  now also - menu arp spoof daemon)

DOWNLOAD
--------
This software can be found at http://www.cri.cz/kra/index.html
or at ftp://ftp.cri.cz/pub/linux/hunt/

KNOWN BUGS
----------
- some structures are poorly locked through mutexes
- if you watch a connection then some escape sequences from that connection
  can influence your terminal. Note that your terminal is named "Linux"
  ("xterm" - if you run it from X, ...) but the escape sequences are for the
  client side terminal, which may or may not be Linux, so you can get some
  mess.
- sniff is not capable of searching for a pattern which crosses the packet
  boundary. That means it can't search for a pattern in the user typed
  input, as this input is usually transferred in packets with 1B of data.

BUG FIXES, SUGGESTIONS
----------------------
Please send bug descriptions, patches, suggestions, new modules or success
stories to kra@cri.cz

--------------------------------------------------------------------------
FINAL WORD
--------------------------------------------------------------------------
Note that this software was written only for my fun in my free time and it
was a great exercise of TCP/IP protocols.
I am now familiar with seq. numbers, ACKs, timeouts, MACs, checksums, ...
to the finest level. As I have some pretty good background, this "hunt"
challenge made me think that I hadn't known TCP/IP as well as I had thought.
You are welcome to read the source code and to try to modify it or write
your own modules.
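The SECURITY NOTES section above says the ACK storm can be detected from the pattern of ACKs without data. The Python below is an added example written for this page, not code from hunt: it flags a host pair that keeps exchanging zero-payload ACKs in both directions while neither side's seq/ack numbers move. The packet summaries, host addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "ts src dst seq ack payload flags")  # one sniffed TCP packet summary

def detect_ack_storm(pkts, window=1.0, min_acks=20):
    """Flag host pairs exchanging many pure ACKs (no payload, ACK flag only) in
    both directions inside `window` seconds while each direction keeps repeating
    one (seq, ack) pair, i.e. the connection makes no progress. Returns a list of
    (host_a, host_b, pure_acks_in_window). Thresholds are example assumptions."""
    flows = defaultdict(list)                 # unordered host pair -> pure ACKs
    for p in pkts:
        if p.payload == 0 and p.flags == "A":
            flows[tuple(sorted((p.src, p.dst)))].append(p)
    alerts = []
    for (a, b), acks in flows.items():
        acks.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(acks)):          # sliding time window over the ACKs
            while acks[end].ts - acks[start].ts > window:
                start += 1
            win = acks[start:end + 1]
            if len(win) < min_acks:
                continue
            per_dir = defaultdict(set)        # sender -> distinct (seq, ack) pairs
            counts = defaultdict(int)         # sender -> number of pure ACKs
            for p in win:
                per_dir[p.src].add((p.seq, p.ack))
                counts[p.src] += 1
            if (len(counts) == 2 and min(counts.values()) >= min_acks // 2
                    and all(len(s) == 1 for s in per_dir.values())):
                alerts.append((a, b, len(win)))
                break                         # one alert per host pair is enough
    return alerts

def build_sample():
    """Constructed traffic: a healthy transfer whose numbers advance, then a storm."""
    pkts = []
    for i in range(10):                       # 10.0.0.7 sends data, 10.0.0.9 acks it
        pkts.append(Pkt(0.1 * i, "10.0.0.7", "10.0.0.9", 1000 + 100 * i, 5000, 100, "PA"))
        pkts.append(Pkt(0.1 * i + 0.05, "10.0.0.9", "10.0.0.7", 5000, 1100 + 100 * i, 0, "A"))
    for i in range(30):                       # 30 pure ACKs in 0.3 s, numbers frozen
        if i % 2 == 0:
            pkts.append(Pkt(2.0 + 0.01 * i, "10.0.0.5", "10.0.0.9", 7000, 9000, 0, "A"))
        else:
            pkts.append(Pkt(2.0 + 0.01 * i, "10.0.0.9", "10.0.0.5", 9040, 7000, 0, "A"))
    return pkts
```

Running `detect_ack_storm(build_sample())` reports only the 10.0.0.5/10.0.0.9 pair; the healthy transfer is ignored because its ACKs flow one way and carry advancing numbers.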