Friday, 16 July 2004

Netwox, the Network Toolbox

Packet Storm posted word of a new release of Laurent Constantin's Netwox. I had never tried it before, but was aware of the project from articles on Linux Security and elsewhere.

The Network Toolbox consists of three components: Netwib, a network library; Netwox, a collection of 150+ tools; and Netwag, a Tcl/Tk interface. Given that Sguil is also written in Tcl/Tk, I was interested in trying out this tool.

If you just run Netwox, you'll be presented with a series of menus that help you pick the right command line switches for each tool. In the following example I walk down through the menus to tool 1 and see how Netwox names the NICs in my workstation:



drury:/usr/local/src/netw-ib-ox-ag-5.19.0/src/netwag-src/src$ sudo netwox
Netwox toolbox version 5.19.0. Netwib library version 5.19.0.

######################## MAIN MENU #########################
0 - leave netwox
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff
e + spoof
f + record
g + client
h + server
i + tools not related to network
j + administrators' tools
k + attack tools
Select a node (key in 03456abcdefghijk): a

####################### information ########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information on local computer
b + information on remote computer
c + information on netw
Select a node (key in 0123456abc): a

############## information on local computer ###############
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 1:Display network configuration
Select a node (key in 0123456a): a

################## help for tool number 1 ##################
Title: Display network configuration
Note: If no option is set, they are all displayed
Usage: netwox 1 [-d] [-i] [-a] [-r]
name type description {example}
-d|--devices|+d|--no-devices display devices {0}
-i|--ip|+i|--no-ip display ip addresses {0}
-a|--arpcache|+a|--no-arpcache display arp cache and neighbors {0}
-r|--routes|+r|--no-routes display routes {0}
Example: netwox 1
Press 'r' or 'k' to run this tool, or any other key to continue

################## running tool number 1 ###################
Enter optional tool parameters and press Return key.
netwox 1
################################### Devices ###################################
nu dev ethernet_hwtype mtu real_device_name
1 Eth0 00:50:BA:AC:D7:43 1500 rl0
2 Eth1 02:00:4C:00:00:00 1500 fwe0
3 Eth2 00:30:48:41:F9:56 1500 fxp0
4 Pli0 plip 1500 plip0
5 Lo0 loopback 16384 lo0
6 Eth3 00:BD:CA:09:00:01 1500 vmnet1
7 Eth4 00:BD:DC:E3:57:00 1500 vmnet0
##################################### IP ######################################
nu ip /netmask ppp point_to_point_with
3 10.200.211.99 /255.255.255.0 0
5 127.0.0.1 /255.0.0.0 0
6 192.168.0.1 /255.255.255.0 0
############################## ArpCache/Neighbor #############################
nu ethernet ip
3 00:0A:41:C7:BA:80 10.200.211.1
3 00:30:48:41:F9:56 10.200.211.99
3 00:C0:4F:61:3F:72 10.200.211.52
6 00:BD:CA:09:00:01 192.168.0.1
#################################### Routes ###################################
nu destination /netmask source gateway metric
3 10.200.211.99 /255.255.255.255 local 0
5 127.0.0.1 /255.255.255.255 local 0
6 192.168.0.1 /255.255.255.255 local 0
3 10.200.211.0 /255.255.255.0 10.200.211.99 0
6 192.168.0.0 /255.255.255.0 192.168.0.1 0
5 127.0.0.0 /255.0.0.0 127.0.0.1 0
Command returned 0 (OK)
Press 'r' or 'k' to run again this tool, or any other key to continue


I know fxp0 is my main interface, and I see that Netwox calls it "Eth2". I can use this information to sniff with Netwox once I return to the main menu:


Select a node (key in 03456abcdefghijk): d

########################## sniff ###########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 7:Sniff
b - 10:Sniff and display network statistics
c - 11:Sniff and verify checksums
d - 13:Obtain DLT type for sniff and spoof for each device
e - 110:Ethernet bridge limiting flow
Select a node (key in 0123456abcde): a

################## help for tool number 7 ##################
Title: Sniff
Usage: netwox 7 [-d device] [-f filter] [-p] [-H encode] [-D encode] [-r] [-x]
               [-i] [-t] [-s] [-o file] [-R recordencode] [-c uint32] [-C uint32]
name type description {example}
-d|--device device device name {Eth0}
-f|--filter filter pcap filter
-p|--pause|+p|--no-pause can pause {0}
-H|--hdrencode encode header encoding type for screen {array}
-D|--dataencode encode data encoding type for screen {dump}
-r|--rawip|+r|--no-rawip sniff at IP level {0}
-x|--extended|+x|--no-extended display other protocols (dns) {1}
-i|--ipreas|+i|--no-ipreas reassemble IP packets {0}
-t|--tcpreord|+t|--no-tcpreord reorder TCP packets {0}
-s|--screen|+s|--no-screen display to screen {1}
-o|--outfile file save in record file {dstfile.txt}
-R|--recordencode recordencode encoding type for record file {bin}
-c|--split-size uint32 maximum size of record in kb {0}
-C|--split-age uint32 maximum age of record in seconds {0}
Example: netwox 7
Press 'r' or 'k' to run this tool, or any other key to continue

################## running tool number 7 ###################
Enter optional tool parameters and press Return key.
netwox 7 -d Eth2 -f icmp


I just told Netwox to sniff for ICMP on interface "Eth2". In the future I could simply run "netwox 7 -d Eth2 -f icmp" and dispense with the menus. Here are the results when I generate ICMP by pinging Google:


netwox 7 -d Eth2 -f icmp
Ethernet________________________________________________________.
| 00:30:48:41:F9:56->00:0A:41:C7:BA:80 type:0x0800              |
|_______________________________________________________________|
IP______________________________________________________________.
|version|  ihl  |      tos      |            totlen             |
|___4___|___5___|____0x00=0_____|___________0x0054=84___________|
|              id               |r|D|M|      offsetfrag         |
|_________0x3290=12944__________|0|0|0|________0x0000=0_________|
|      ttl      |   protocol    |           checksum            |
|____0x40=64____|____0x01=1_____|____________0x6796_____________|
|                            source                             |
|_________________________10.200.211.99_________________________|
|                          destination                          |
|________________________216.239.41.104_________________________|
ICMP4_echo request______________________________________________.
|     type      |     code      |           checksum            |
|____0x08=8_____|____0x00=0_____|_________0xA3C9=41929__________|
|              id               |            seqnum             |
|_________0xC849=51273__________|___________0x0000=0____________|
| data: 1322f8408e86070008090a0b0c0d0e0f101112131415161718191a1 |
|       b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536 |
|       37                                                      |
|_______________________________________________________________|

Ethernet________________________________________________________.
| 00:0A:41:C7:BA:80->00:30:48:41:F9:56 type:0x0800              |
|_______________________________________________________________|
IP______________________________________________________________.
|version|  ihl  |      tos      |            totlen             |
|___4___|___5___|____0x00=0_____|___________0x0054=84___________|
|              id               |r|D|M|      offsetfrag         |
|_________0x3290=12944__________|0|0|0|________0x0000=0_________|
|      ttl      |   protocol    |           checksum            |
|___0xF3=243____|____0x01=1_____|____________0xB495_____________|
|                            source                             |
|________________________216.239.41.104_________________________|
|                          destination                          |
|_________________________10.200.211.99_________________________|
ICMP4_echo reply________________________________________________.
|     type      |     code      |           checksum            |
|____0x00=0_____|____0x00=0_____|_________0xABC9=43977__________|
|              id               |            seqnum             |
|_________0xC849=51273__________|___________0x0000=0____________|
| data: 1322f8408e86070008090a0b0c0d0e0f101112131415161718191a1 |
|       b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536 |
|       37                                                      |
|_______________________________________________________________|


This unique format is one of the cooler aspects of Netwox.


