Name          Date         Size      #Lines  LOC
..            03-May-2022  -
test/         06-Jan-2019  -         854     425
LICENSE       06-Jan-2019  17.6 KiB  340     281
Makefile      06-Jan-2019  1.5 KiB   51      34
NEWS          06-Jan-2019  2.3 KiB   63      53
README        06-Jan-2019  8.4 KiB   203     151
TODO          06-Jan-2019  705       11      10
doxygen.conf  06-Jan-2019  9.1 KiB   263     212
netsed.c      06-Jan-2019  30.5 KiB  972     641

README

  netsed 1.3       (C) 2010-2019  Julien VdG <julien@silicone.homelinux.org>
  --------------------------------------------------------------------------

  This work is based on the original netsed:
      netsed 0.01c      (C) 2002  Michal Zalewski <lcamtuf@ids.pl>

  Please contact Julien VdG <julien@silicone.homelinux.org> if you encounter
  any problems with this version.
  The changes compared to version 0.01c are described in the NEWS file.

  --------------------------------------------------------------------------

  "When things go well, expect something to explode, erode, collapse or
  just disappear."  -- anonymous

NetSED is a small and handy utility designed to alter the contents of
packets forwarded through your network in real time. It is really useful
for network hackers in the following applications:

  * black-box protocol auditing - whenever there are two or more
    proprietary boxes communicating over an undocumented protocol (by
    enforcing changes in ongoing transmissions, you will be able to test
    whether the tested application is secure),

  * fuzz-alike experiments, integrity tests - whenever you want to test
    the stability of the application and see how it ensures data integrity,

  * other common applications - fooling other people, content filtering,
    etc etc - choose whatever you want to.

It perfectly fits the netgrep, netcat and tcpdump tool suite :P

It has been designed because I was suspicious about Lotus Domino carrying
the mailbox path in every packet after authorization. Having no Lotus Domino
client software under Linux, I needed something to install on my bridging
firewall to modify this mailbox path and try to read someone else's
mailbox. Guess what happened? :P

This is release 0.01b, which isn't really effective or stable, and I
wouldn't suggest putting it anywhere in your production systems ;)
But - well - any suggestions, fixes, comments and ideas are welcome. For
now, only TCP and UDP user-space filtering is possible - no support for
kernel firewalling / routing, raw packets, ICMP and other things.

I bet it won't compile on platforms other than Linux, as I haven't tested
it, but it shouldn't be too difficult to run it on *BSD, IRIX, Solaris
etc.

  Setting up netsed - theory
  --------------------------

There are two possible ways of using netsed. The basic configuration looks
like this:

  ( client software ) --->------+
                                |
                          < local port >
                                |
                         [ netsed engine ]
                                |
                                +-------------> ( remote server )

In this solution, the client software has to connect to a specified port on
a specified machine - which is not always possible, and not always expected.
So, there is a second way - which is completely system-dependent. It is
called a transparent proxy.

NetSED supports kernel-level transparent proxying. This means you can set up
your gateway machine (firewall, router, ethernet bridge) to transparently
redirect all traffic coming from client software to remote server without
touching anything outside this box. On Linux, you can set up transparent
proxying in a pretty easy way:

ipfwadm -I -i accept -S source_ip -D destination_ip port -P protocol -r lport

For example, if you want to redirect all traffic coming from host
1.2.3.4 to network 5.6.0.0/16 with destination port 12345/tcp, and you
have netsed working on port 10101 on your local machine, you should do
something like:

ipfwadm -I -i accept -S 1.2.3.4 -D 5.6.0.0/16 12345 -P tcp -r 10101

By setting up netsed properly, content will be transparently modified and
forwarded to the destination:

                                 NetSED
                              ______|______
  ( client software ) --->---| - - -+- - - |--------> ( server host )
                             | transparent |
                             |    proxy    |
                             |_____________|

For more instructions on rules syntax and transparent proxies in general,
refer to your OS documentation.

Update for Linux 2.4 and later with netfilter:

First you need to make sure LINUX_NETFILTER is defined in the source code
before compiling.
Then the commands are as follows:

iptables -t nat -A PREROUTING -s source_ip -d destination_ip -p protocol --dport port -j REDIRECT --to-ports lport

So the previous example becomes:

iptables -t nat -A PREROUTING -s 1.2.3.4 -d 5.6.0.0/16 -p tcp --dport 12345 -j REDIRECT --to-ports 10101

  Setting up netsed - practice
  ----------------------------

Ok, here we are. First of all, you should know how to set up the first
configuration I've been talking about - static, user-space forwarder.
NetSED accepts the following parameters:

   netsed proto lport rhost rport rule1 [ rule2 ... ]

The first parameter, 'proto', means, obviously, the protocol. You might choose
'tcp' or 'udp'. Then, you have to specify 'lport' - the local listening port.
The next argument, 'rhost', is the remote server address where the connection
should be forwarded. ONLY IP ADDRESSES ARE SUPPORTED FOR NOW. Then, we
have 'rport' - the remote port number, and up to 50 filtering rules.

The general replacement rule syntax is:

   s/pat1/pat2[/expire]

This will replace all occurrences of pat1 with pat2 in matching packets.
An additional parameter (count) can be used to expire the rule after 'count'
successful substitutions for a given connection. Eight-bit characters,
including NULL and '/', can be passed using HTTP-alike hex escape
sequences (eg. %0a%0d). A single '%' can be written as '%%'.
Examples:

  's/andrew/mike/1'     - replace 'andrew' with 'mike' (only first time)
  's/andrew/mike'       - replace all occurrences of 'andrew' with 'mike'
  's/andrew/mike%00%00' - replace 'andrew' with 'mike\x00\x00'
                          (manually padding to keep original size)
  's/%%/%2f/20'         - replace the first 20 occurrences of '%' with '/'

Rules do not work across packet boundaries and are evaluated from the
first to the last rule that has not expired.

Per-rule TTLs (time-to-live) are useful if you want to modify eg. only
the first packet, leaving other packets unmodified, or to dynamically
change NetSED functionality. These rules, for example, will change 'Henry'
to 'William' in the first packet, and to 'Mariah' in all other packets:

      s/Henry/William/1 s/Henry/Mariah

So, let's try our first command-line example:

  ./netsed tcp 10101 127.0.0.1 25 s/ehlo/badcommand/1

This should be obvious - connections to local port 10101 will be forwarded
to the local SMTP service. Take a look:

$ telnet localhost 10101
220 squirrel.tpi.pl ESMTP Sendmail 8.9.3/8.9.3; Fri, 5 Jan 2001 00:15:18 +0100
ehlo
500 Command unrecognized: "badcommand"
ehlo
501 ehlo requires domain address

Apparently, it worked :) Try playing a little with different patterns,
multiple rules etc. Generally, NetSED works by incremental comparison
of the rules, and then skipping already replaced data. For example:

    Rules: s/degener/devi/
           s/generation/%20and%20sausages/
           s/sausages/chicken/

    Input data: 'degenerationgeneration'

    Init: degenerationgeneration
          ^ (replace pointer)

    Pass 1: deviationgeneration       [degener -> devi]
                ^ (replace pointer)

    Pass 2: deviation and sausages    [generation -> and sausages]
                                  ^
    No further replacements made - end of input data (so, 'sausages'
    won't be replaced with 'chicken').

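The rule syntax and the matching pass described above, modelled in Python as
an added example (not netsed's own code): it decodes the %xx and %% escapes,
applies the first live rule at each offset, skips replaced data, and counts
TTLs per connection while handling each packet on its own. The names
unescape, Rule, sed_packet and sed_connection are this example's own, and the
packets are constructed sample data.

```python
import re

def unescape(field):
    """Decode the %xx hex escapes and %% of a rule field into raw bytes."""
    def one(m):
        if m.group(1) is None:
            raise ValueError("bad escape in %r" % field)
        return b"%" if m.group(1) == b"%" else bytes([int(m.group(1), 16)])
    return re.sub(rb"%(%|[0-9a-fA-F]{2})?", one, field.encode("latin-1"))

class Rule:
    """One s/pat1/pat2[/expire] rule; ttl None means it never expires."""
    def __init__(self, text):
        parts = text[2:].split("/")  # a literal '/' must be written as %2f
        if not text.startswith("s/") or len(parts) not in (2, 3) or not parts[0]:
            raise ValueError("expected s/pat1/pat2[/expire]: %r" % text)
        self.src, self.dst = unescape(parts[0]), unescape(parts[1])
        self.ttl = int(parts[2]) if len(parts) == 3 and parts[2] else None

def sed_packet(rules, data):
    """Rewrite one packet: at each offset the first live rule that matches
    wins, and the replaced data is skipped rather than scanned again."""
    out, i = bytearray(), 0
    while i < len(data):
        for r in rules:
            if r.ttl != 0 and data.startswith(r.src, i):
                out += r.dst
                i += len(r.src)
                if r.ttl:
                    r.ttl -= 1  # one substitution used up
                break
        else:  # no rule matched here: copy one byte through
            out.append(data[i])
            i += 1
    return bytes(out)

def sed_connection(rule_texts, packets):
    """TTLs are counted per connection; matching never spans two packets."""
    rules = [Rule(t) for t in rule_texts]
    return [sed_packet(rules, p) for p in packets]

if __name__ == "__main__":
    # Constructed sample: the pattern is split across two packets on purpose.
    print(sed_connection(["s/Henry/William/1", "s/Henry/Mariah"],
                         [b"Henry, Henry", b"Hen", b"ry"]))
```

The 'Hen' / 'ry' packets pass through unchanged, so a rule set should not be
relied on to catch a pattern that may straddle two packets.
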
Now, I suppose you'd like to know how to set up a well-working transparent
configuration. Well - nothing easier :) The configuration described above
should work just fine - set up transparent packet redirection to port
10101 in traffic from one remote host to another and watch the results...

Uhm, right. There's one thing. You might want to divert traffic from
one host to a whole network - but you do not know how to configure netcat
to preserve original destination addresses? So, for example, connecting
to 5.6.7.1 and to 5.6.7.2 from 1.2.3.4 (example mentioned above) will
establish working sessions to the existing targets? Nothing easier. Just
set rhost and/or rport parameters to '0' while invoking NetSED to preserve
original destination host and port settings while forwarding the connection
via proxy :)

WARNING: nothing will stop you from setting up forwarding loops - you
can eg. forward connections to port 100 to port 1000 using netsed, and then,
using kernel-space transparent proxy, forward connections to local port 1000
back to port 100. This might lead to an ugly DoS attack if you do not have
per-user resource limits set. Sorry. Not a Microsoft product.