The vulnerability was analyzed by:
Johannes Kleimola, Johannes.Kleimola@hut.fi
IPInvestigator consists of two separate programs, List and Watch. With the first one you can listen (take a snapshot, not real-time) for the current connections on the net and have them printed on stdout with IP addresses and ports. Let's take a look.
[root@parittaja IPI]# ./List eth0 10
Up and running. Collect them NFO'Z
0: src:10.0.0.81 22 dst:10.0.0.254 1019
1: src:10.0.0.91 23 dst:10.0.0.81 26241
2: src:10.0.0.81 26241 dst:10.0.0.91 23
3: src:10.0.0.254 1019 dst:10.0.0.81 22
4: src:10.0.0.254 1020 dst:10.0.0.61 22
5: src:10.0.0.61 22 dst:10.0.0.254 1020
Found 6 unique connections.
[root@parittaja IPI]#

As can be seen, there are a couple of ssh connections (port 22) and one telnet connection (port 23) going. Since ssh is encrypted, we are only interested in the latter one. With Watch you can pick one of the connections (by specifying source IP, destination IP, source port and destination port, in that order and without the dots) and watch it in real time, printed on stdout. I'll pick the server-to-host direction, so we'll see everything that's happening.
[root@parittaja IPI]# ./Watch eth0 10 0 0 91 10 0 0 81 23 26241
Up and running. Collect them NFO'Z
ls^M^M
files letter.txt mail^M^M
# ls -al^M^M
total 10^M^M
drwxr-xr-x 4 1017 other 512 Mar 20 01:41 .^M^M
drwxr-xr-x 29 root other 512 Mar 16 21:20 ..^M^M
drwxr-xr-x 2 root other 512 Mar 20 01:26 files^M^M
-rw-r--r-- 1 root other 78 Mar 20 01:41 letter.txt^M^M
drwxr-xr-x 2 root other 512 Mar 20 01:25 mail^M^M
# ps^M^M
PID TTY TIME CMD^M^M
16442 pts/1 0:00 ps^M^M
1600 pts/1 0:01 sh^M^M
# cd ..^M^M
# pwd^M^M
/home2^M^M
# telnet rikas^M^M
rikas: Unknown host^M^M
# telnet 10.0.0.81^M^M
Trying 10.0.0.81...^M^M
Connected to 10.0.0.81.^M^M
Escape character is '^]'.^M^M
^M^M
Red Hat Linux release 5.2 (Apollo)^M^M
Kernel 2.0.36 on an i686^M^M
login: jj^M^M
Password: ^M^M
Last login: Sat Mar 20 01:47:04 from localhost^M^M
[jj@rikas ~]$ exit^M
logout^M^M
Connection closed by foreign host.^M^M
# [root@parittaja IPI]#

This time we saw everything the user did, but not his password (it is not echoed back to the user). For the password we would have had to pick the client-to-server direction of the telnet connection.
IPInvestigator compiles fine on an old RedHat4.2 (libc5), but requires changes to compile on newer systems.
Sniffit is one of the most famous and best ethernet sniffers for Linux. You can run it either on the command line (several configuration options with optional filters and plug-ins) or in interactive mode. Below is a short telnet session that we'll track later with sniffit.
# telnet 10.0.0.81
Trying 10.0.0.81...
Connected to 10.0.0.81.
Escape character is '^]'.

Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i686
login: jj
Password:
Last login: Sun Mar 21 22:01:34 from rakas
[jj@rikas ~]$ ls -al^M^M
total 14
drwx------ 4 jj jj 1024 Mar 21 21:56 .
drwxr-xr-x 37 root root 1024 Mar 20 02:27 ..
-rw------- 1 jj jj 210 Mar 20 01:47 .Xauthority
-rw-r--r-- 1 jj jj 1155 Mar 17 20:46 .Xdefaults
-rw------- 1 jj jj 2918 Mar 20 01:51 .bash_history
-rw-r--r-- 1 jj jj 24 Mar 17 20:46 .bash_logout
-rw-r--r-- 1 jj jj 230 Mar 17 20:46 .bash_profile
-rw-r--r-- 1 jj jj 124 Mar 17 20:46 .bashrc
drwxr-xr-x 2 jj jj 1024 Mar 18 00:43 .ssh
-rw-rw-r-- 1 jj jj 121 Mar 21 21:57 dead.letter
drwxrwxr-x 2 jj jj 1024 Mar 21 21:56 mail
[jj@rikas ~]$ exit^M^M
logout
Connection closed by foreign host.
#

In interactive mode sniffit gives you a nice ncurses window with some configuration options. Those are stripped from the outputs below. The sniffit window shows the ongoing connections in real time, and you can select one for interactive logging with the up and down arrows and pressing enter. Here's an example of ongoing connections; we'll pick a telnet session again.
10.0.0.61 22 -> 10.0.0.81 1021
10.0.0.81 22 -> 10.0.0.254 1019
10.0.0.254 1022 -> 10.0.0.81 22
10.0.0.81 1023 -> 10.0.0.91 513
10.0.0.91 34483 -> 10.0.0.81 23 *LOGGED*
10.0.0.81 23 -> 10.0.0.91 34483
10.0.0.91 513 -> 10.0.0.81 1023
10.0.0.81 22 -> 10.0.0.254 1022
10.0.0.254 1019 -> 10.0.0.81 22
10.0.0.81 1021 -> 10.0.0.61 22

Logging a connection gives you a real-time view showing every printable character. This time I picked the client-to-server direction, so we only see what the user typed. But that gives us what we want: the username and the password (the first two 'words').
jj..t00s1mple..ls -al..exit
10.0.0.91 34483 -> 10.0.0.81 23

Even though the interactive mode is good for getting an overview of the connections and maybe for administrative monitoring, the real strength of sniffit is in its command-line controls and logging. You can specify what is logged and how, and even use filters (configuration files) and plug-ins for filtering/printing (a nice DNS plug-in comes with sniffit).
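Both listings above (the List snapshot and the sniffit connection window) make the same point from an administrator's side: a segment inventory tells you which sessions are carrying their login exchange in the clear and in which direction each half of a connection was seen. The script below is an added example, not code from IPInvestigator, Sniffit or the original analysis. It parses both listing formats, merges the two directions of each connection into one session keyed by client and server endpoint, and flags the sessions whose service port belongs to a cleartext protocol. The port-to-protocol tables and the rule for deciding which end is the server are assumptions of this example (a heuristic by well-known port number, not protocol identification from the payload); the sample inputs are the listings reproduced from the page.

```python
"""Inventory of cleartext sessions from List and sniffit connection listings.

Added example (not IPInvestigator, Sniffit or the original analysis): parses
both listing formats shown on the page, merges the two directions of each
connection into one session, and flags sessions on cleartext service ports.
"""
import re

# Assumption of this example: classification by well-known port number only.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 513: "rlogin"}
ENCRYPTED_PORTS = {22: "ssh"}

# IPInvestigator List style:  "1: src:10.0.0.91 23 dst:10.0.0.81 26241"
LIST_RE = re.compile(r"src:(\S+)\s+(\d+)\s+dst:(\S+)\s+(\d+)")
# Sniffit interactive style:  "10.0.0.91 34483 -> 10.0.0.81 23 *LOGGED*"
SNIFFIT_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)")

# Sample input: the two listings reproduced from the page.
LIST_SAMPLE = """Up and running. Collect them NFO'Z
0: src:10.0.0.81 22 dst:10.0.0.254 1019
1: src:10.0.0.91 23 dst:10.0.0.81 26241
2: src:10.0.0.81 26241 dst:10.0.0.91 23
3: src:10.0.0.254 1019 dst:10.0.0.81 22
4: src:10.0.0.254 1020 dst:10.0.0.61 22
5: src:10.0.0.61 22 dst:10.0.0.254 1020
Found 6 unique connections."""

SNIFFIT_SAMPLE = """10.0.0.61 22 -> 10.0.0.81 1021
10.0.0.81 22 -> 10.0.0.254 1019
10.0.0.254 1022 -> 10.0.0.81 22
10.0.0.81 1023 -> 10.0.0.91 513
10.0.0.91 34483 -> 10.0.0.81 23 *LOGGED*
10.0.0.81 23 -> 10.0.0.91 34483
10.0.0.91 513 -> 10.0.0.81 1023
10.0.0.81 22 -> 10.0.0.254 1022
10.0.0.254 1019 -> 10.0.0.81 22
10.0.0.81 1021 -> 10.0.0.61 22"""


def parse_flows(text):
    """Return (src, sport, dst, dport) tuples from either format; banner
    lines such as 'Found 6 unique connections.' match neither pattern."""
    flows = []
    for line in text.splitlines():
        m = LIST_RE.search(line) or SNIFFIT_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return flows


def service_port(sport, dport):
    """The end that looks like the server: a known port, else the lower number."""
    for p in (sport, dport):
        if p in CLEARTEXT_PORTS or p in ENCRYPTED_PORTS:
            return p
    return min(sport, dport)


def sessions(flows):
    """Merge both directions of a connection under one (client, server) key,
    recording which directions were seen ('c2s' = client to server)."""
    merged = {}
    for src, sport, dst, dport in flows:
        port = service_port(sport, dport)
        if dport == port:
            client, server, direction = (src, sport), (dst, dport), "c2s"
        else:
            client, server, direction = (dst, dport), (src, sport), "s2c"
        merged.setdefault((client, server), set()).add(direction)
    return merged


def classify(flows):
    """Map (client, server) -> {'protocol', 'cleartext', 'directions'};
    'cleartext' is None when the port is in neither table."""
    out = {}
    for (client, server), directions in sessions(flows).items():
        port = server[1]
        if port in CLEARTEXT_PORTS:
            name, clear = CLEARTEXT_PORTS[port], True
        elif port in ENCRYPTED_PORTS:
            name, clear = ENCRYPTED_PORTS[port], False
        else:
            name, clear = "tcp/%d" % port, None
        out[(client, server)] = {"protocol": name, "cleartext": clear,
                                 "directions": directions}
    return out


def report(text):
    """Return (session_count, cleartext_count, report_lines) for one listing."""
    classified = classify(parse_flows(text))
    lines = []
    for (client, server), info in sorted(classified.items()):
        flag = {True: "CLEARTEXT", False: "encrypted", None: "unknown"}[info["cleartext"]]
        dirs = "+".join(sorted(info["directions"]))
        lines.append("%s:%d -> %s:%d  %-7s %-9s seen:%s" % (
            client[0], client[1], server[0], server[1], info["protocol"], flag, dirs))
    n_clear = sum(1 for info in classified.values() if info["cleartext"])
    return len(classified), n_clear, lines


if __name__ == "__main__":
    for name, sample in (("List", LIST_SAMPLE), ("sniffit", SNIFFIT_SAMPLE)):
        total, n_clear, lines = report(sample)
        print("%s: %d sessions, %d over cleartext protocols" % (name, total, n_clear))
        print("\n".join(lines))
```

On the List snapshot this yields three sessions, one of them telnet; on the sniffit window five sessions, of which the telnet and rlogin ones are cleartext, each seen in both directions. The "seen" column is the part that matters for the point made on the page: only when the client-to-server half of a cleartext session is visible on the segment is the login exchange itself exposed, so an inventory like this is what tells you which telnet and rlogin services still need to be replaced by ssh.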
Sniffit compiles fine on both RedHat4.2 (libc5) and Redhat5.2 (glibc2).