Hello,
I built a small C helper for remotely generating traffic statistics using the
IP ID field. Well, hping3 does all the interesting stuff. This program will
just, every five minutes, send 20 SYN packets in intervals of 100ms to port 80
of the target machine, then sum up the ID differences and output a line with
the current unix time and the number of packets the remote machine seems to
have sent during the two seconds of measuring.
Basically, this program samples a remote machine's packet sending rate using
short bursts of SYNs. Only if the other machine uses one global incrementing
IP ID counter, of course.
This is meant to be an educational tool, which is also why it just uses SYN
packets, making this seem to the other side as if someone's stealth-scanning
their port 80 over and over again. Not exactly the stealthiest way to do this,
but sufficient for demonstration purposes.
Usage:
- install hping3 (or install hping2 and change hping3 in the source to hping2)
- compile
- run for some period of time (maybe 24h?) like this:
./rg <IP> > traffic_stats
- plot output using gnuplot or so (start gnuplot, then do
plot "traffic_stats" using 1:2
Well, not exactly rocket science and I'm pretty sure most people here already
know
the principle and could write something like this in a few minutes, but I
thought
I'd share it anyway. Probably useful for demonstrating why IP ID flags are
something you might not want to be globally sequential unless you don't care
about
giving your traffic stats to the whole world. Because graphs are good at
demonstrating stuff. :)
The code is attached and also at
<http://git.thejh.net/?p=roguegraph.git;a=tree>.
I'm not responsible for whatever you do with this or whatever effects it has.
// Copyright (C) Jann Horn (2013)
// You can redistribute this code under the terms of the GPLv2 or GPLv3.
// THIS PROGRAM IS FOR EDUCATIONAL PURPOSES ONLY!
// I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS PROGRAM OR THE IMPACT THIS
// PROGRAM MIGHT HAVE ON YOUR SYSTEMS! YOU HAVE BEEN WARNED!
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
char *target;
void run(void) {
int pipefds[2];
if (pipe(pipefds)) perror("can't create pipe"), exit(1);
int parent_fd = pipefds[0];
int child_fd = pipefds[1];
pid_t pid = fork();
if (pid < 0) perror("can't fork"), exit(1);
if (pid == 0) {
int nullfd = open("/dev/null", O_RDWR);
dup2(nullfd, 0);
dup2(nullfd, 2);
close(nullfd);
close(parent_fd);
dup2(child_fd, 1);
close(child_fd);
execlp("hping3", "hping3", "-c", "20", "-p", "80", "-i", "u100000",
"--syn", target, NULL);
perror("can't exec"), exit(1);
}
close(child_fd);
char indata[4096];
int indata_written = 0;
int rres;
while ((rres=read(parent_fd, indata+indata_written, 4095-indata_written)) >
0) {
indata_written += rres;
if (indata_written >= 4095) fputs("too much information", stderr), exit(1);
}
if (rres < 0) perror("failure reading from child"), exit(1);
indata[indata_written] = '\0';
close(parent_fd);
char *s = indata;
int last_id = -1;
int sum = 0;
while ((s=strstr(s, " id=")) != NULL) {
s += 4;
int id = atoi(s);
if (last_id != -1) {
int diff = id - last_id;
if (diff < 0) diff += (256*256);
sum += diff;
}
last_id = id;
}
printf("%i %i\n", (int)time(NULL), sum);
}
int main(int argc, char **argv) {
if (argc != 2) fputs("bad invocation\n", stderr), exit(1);
target = argv[1];
setbuf(stdout, NULL);
while (1) {
run();
sleep(300);
}
}
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/