Tutorial: Telnet
Introduction
Telnet is an unencrypted, bidirectional, interactive, text-oriented communication protocol that creates a virtual terminal. It was widely used for system administration and has since been replaced by SSH, hopefully…
This tutorial discusses the plugin telnetDecode and its features.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow tcpStates telnetDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do so now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: telnet-per-char-mode.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing Telnet traffic!
telnetDecode
Let’s look at the plugin configuration first. It looks like that of the other Data Carving plugins.
vi src/telnetDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TEL_SAVE 0 // Save content to TEL_F_PATH
#define TEL_RMDIR 1 // empty TEL_F_PATH before starting (TEL_SAVE=1)
#define TEL_SAVE_SPLIT 1 // Save requests (A) and responses (B): (TEL_SAVE=1)
// 0: in the same file
// 1: in separate files
#define TEL_SEQPOS 0 // 0: no file position control,
// 1: seq number file position control (TEL_SAVE=1)
#define TEL_BTFLD 1 // Enable bitfields output
#define TEL_CMDOPTS 1 // Commands/options format:
// 0: Output commands/options,
// 1: Output commands/options names
#define TEL_CMD_AGGR 1 // Aggregate commands
#define TEL_OPT_AGGR 1 // Aggregate options
#define TELUPLN 25 // Maximal length user/password
#define TELCMDN 25 // Maximal command / flow
#define TELOPTN 25 // Maximal options / flow
#define TEL_F_PATH "/tmp/TELFILES/" // Path for extracted content
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
This plugin is data carving capable, so it extracts the content of the flows, including user names and passwords. The latter are also printed in the flow file. If TEL_SAVE=1, all the content, including commands, uploads and downloads, is extracted under the path TEL_F_PATH.
Note that TEL_RMDIR=1 means that the file directory is deleted for each new t2 execution. So if you want to keep earlier files, switch it to 0.
If TEL_SAVE_SPLIT is enabled, the content from the A and B flows is stored in separate files; otherwise everything is dumped into the same file. TEL_SEQPOS controls whether the content files are written at positions derived from the TCP sequence numbers. As the echoing of the password is switched off, or the echo might include positioning characters, the password might then not appear in the file. So it is switched off by default.
The maximal lengths of the extracted usernames and passwords and the number of commands and options per flow can be configured, as well as the form of the flow output; here, aggregated.
For the time being we leave everything at the default. So execute t2 on the supplied pcap, including packet mode.
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 2966
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: telnetDecode, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/telnet-per-char-mode.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 944192088.255531 sec (Fri 03 Dec 1999 03:34:48 GMT)
Dump stop : 944192142.668467 sec (Fri 03 Dec 1999 03:35:42 GMT)
Total dump duration: 54.412936 sec
Finished processing. Elapsed time: 0.002719 sec
Finished unloading flow memory. Time: 0.002800 sec
Percentage completed: 100.00%
Number of processed packets: 272
Number of processed bytes: 19969 (19.97 K)
Number of raw bytes: 19969 (19.97 K)
Number of pcap bytes: 24345 (24.34 K)
Number of IPv4 packets: 272 [100.00%]
Number of A packets: 159 [58.46%]
Number of B packets: 113 [41.54%]
Number of A bytes: 10761 (10.76 K) [53.89%]
Number of B bytes: 9208 (9.21 K) [46.11%]
Average A packet load: 67.68
Average B packet load: 81.49
--------------------------------------------------------------------------------
telnetDecode: Aggregated telStat=0x01
telnetDecode: Number of Telnet packets: 272 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 272 [100.00%]
Number of TCP bytes: 19969 (19.97 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request flows: 1 [50.00%]
Number of reply flows: 1 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 136.00
Number of processed A packets/flows: 159.00
Number of processed B packets/flows: 113.00
Number of processed total packets/s: 5.00
Number of processed A+B packets/s: 5.00
Number of processed A packets/s: 2.92
Number of processed B packets/s: 2.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.04
Average full raw bandwidth: 2936 b/s (2.94 Kb/s)
Average full bandwidth : 2936 b/s (2.94 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400900000004000
[WRN] Consecutive duplicate IP ID
[WRN] IPv4/6 payload length > framing length
[INF] IPv4 flows
telStat currently has only one bit set, which states that there is Telnet; fine. The whole pcap consists of Telnet traffic.
The telStat column with value 0x01 is to be interpreted as follows:
bit | telStat | Description
=============================================================================
0 | 0x01 | TELNET port found
In the flow file aggregated commands and options are listed including login names and passwords.
tcol ~/results/telnet-per-char-mode_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags telStat telCmdBF telOptBF telUsr telPW telCCnt telCmdS telOCnt telOptS
A 1 0x0400900000004000 944192088.255531 944192142.667102 54.411571 1 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 "Private network" 1254 192.168.0.1 07 "Private network" 23 6 0x00 0x01 0x7c00 0x810000ff fake user 5 "DO";"WILL";"WONT";"SB";"DONT" 13 "Suppr GA";"Term Type";"Window Size";"Term Speed";"Remote Flow";"Linemode";"New Env";"Opt Stat";"X Disp loc";"Auth";"Encryp opt";"Env";"Echo Data"
B 1 0x0400000000004001 944192088.257221 944192142.668467 54.411246 1 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 "Private network" 23 192.168.0.2 07 "Private network" 1254 6 0x00 0x01 0x6c00 0x810000ff 4 "DO";"WILL";"SB";"DONT" 13 "Auth";"Suppr GA";"Term Type";"Window Size";"Term Speed";"Remote Flow";"Linemode";"New Env";"Opt Stat";"X Disp loc";"Encryp opt";"Env";"Echo Data"
The packet mode supplies the status, commands and options; the string-based content can be seen in l7Content. You can see the character-by-character entry of the login and password. The password is not echoed, for obvious reasons.
tcol ~/results/telnet-per-char-mode_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tcpStatesAFlags telStat telCmdS telSubCmdS l7Content
1 1 0x0400000000004000 944192088.255531 0.000000 0.000000 0.000000 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
2 1 0x0400000000004001 944192088.257221 0.000000 0.001690 0.000000 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
3 1 0x0400000000004000 944192088.257272 0.001741 0.000051 0.001741 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
4 1 0x0400000000004000 944192088.268704 0.011432 0.011483 0.013173 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 WILL X Disp loc ........... ..!.."..'.....#
5 1 0x0400000000004001 944192088.405814 0.148593 0.137110 0.148593 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 DO Auth ..%
6 1 0x0400000000004000 944192088.405882 0.137178 0.000068 0.150351 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
7 1 0x0400000000004000 944192088.406059 0.000177 0.000245 0.150528 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 WONT Auth ..%
8 1 0x0400000000004001 944192088.407439 0.001625 0.001380 0.150218 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
9 1 0x0400000000004001 944192088.409133 0.001694 0.003074 0.151912 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SB Linemode ........... ..!..".."....
10 1 0x0400000000004000 944192088.409347 0.003288 0.000214 0.153816 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 SB Window Size ....P. ....".....b........b....\tB.\n........................"....
11 1 0x0400000000004001 944192088.410435 0.001302 0.001088 0.153214 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
12 1 0x0400000000004001 944192088.410949 0.000514 0.001602 0.153728 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 DO Env ..'.....#..&..&..$
13 1 0x0400000000004000 944192088.411027 0.001680 0.000078 0.155496 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 WONT Env ..&..&..$
14 1 0x0400000000004001 944192088.412005 0.001056 0.000978 0.154784 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
15 1 0x0400000000004001 944192088.414289 0.002284 0.003262 0.157068 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SB Term Speed .. .....#.....'.........
16 1 0x0400000000004000 944192088.415029 0.004002 0.000740 0.159498 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 SB Term Speed .. .9600,9600....#.bam.zing.org:0.0....'..DISPLAY.bam.zing.org:0.0......xterm-color..
17 1 0x0400000000004001 944192088.416185 0.001896 0.001156 0.158964 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
18 1 0x0400000000004001 944192088.436701 0.020516 0.021672 0.179480 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 DO Echo Data ...
19 1 0x0400000000004000 944192088.436781 0.021752 0.000080 0.181250 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 WONT Echo Data ...
20 1 0x0400000000004001 944192088.437976 0.001275 0.001195 0.180755 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
21 1 0x0400000000004001 944192088.451623 0.013647 0.014842 0.194402 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SB Remote Flow .....!......
22 1 0x0400000000004000 944192088.451736 0.014955 0.000113 0.196205 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 DONT Echo Data ......
23 1 0x0400000000004001 944192088.452921 0.001298 0.001185 0.195700 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
24 1 0x0400000000004001 944192088.453777 0.000856 0.002041 0.196556 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SB Linemode .."............
25 1 0x0400000000004000 944192088.468570 0.016834 0.014793 0.213039 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
26 1 0x0400000000004001 944192088.469885 0.016108 0.001315 0.212664 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit \r\nOpenBSD/i386 (oof) (ttyp1)\r\n\r\n
27 1 0x0400000000004000 944192088.488594 0.020024 0.018709 0.233063 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
28 1 0x0400000000004001 944192089.563538 1.093653 1.074944 1.306317 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit login:
29 1 0x0400000000004000 944192089.578585 1.089991 0.015047 1.323054 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
30 1 0x0400000000004000 944192095.853357 6.274772 6.289819 7.597826 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x05 DO Echo Data .."...
31 1 0x0400000000004001 944192095.854967 6.291429 0.001610 7.597746 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
32 1 0x0400000000004001 944192095.856305 0.001338 0.002948 7.599084 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 WILL Echo Data ...
33 1 0x0400000000004000 944192095.868575 0.015218 0.012270 7.613044 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
34 1 0x0400000000004001 944192095.869634 0.013329 0.001059 7.612413 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 DONT Linemode .."
35 1 0x0400000000004000 944192095.888568 0.019993 0.018934 7.633037 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
36 1 0x0400000000004000 944192096.967298 1.078730 1.097664 8.711767 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x05 SE Bin Xmit f
37 1 0x0400900000004000 944192096.968624 0.001326 1.098990 8.713093 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
38 1 0x0400000000004001 944192096.970411 1.100777 0.001787 8.713190 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit f
39 1 0x0400900000004000 944192096.988580 0.019956 0.018169 8.733049 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
40 1 0x0400900000004000 944192097.189619 0.201039 0.219208 8.934088 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x05 SE Bin Xmit a
41 1 0x0400900000004000 944192097.190838 0.001219 0.220427 8.935307 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
42 1 0x0400000000004001 944192097.192133 0.221722 0.001295 8.934912 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit a
43 1 0x0400900000004000 944192097.208580 0.017742 0.016447 8.953049 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
44 1 0x0400900000004000 944192097.376353 0.167773 0.184220 9.120822 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x05 SE Bin Xmit k
45 1 0x0400900000004000 944192097.377633 0.001280 0.185500 9.122102 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
46 1 0x0400000000004001 944192097.378946 0.186813 0.001313 9.121725 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit k
47 1 0x0400900000004000 944192097.398584 0.020951 0.019638 9.143053 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
48 1 0x0400900000004000 944192097.473184 0.074600 0.094238 9.217653 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x05 SE Bin Xmit e
49 1 0x0400900000004000 944192097.474450 0.001266 0.095504 9.218919 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
50 1 0x0400000000004001 944192097.475838 0.096892 0.001388 9.218617 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit e
51 1 0x0400900000004000 944192097.488584 0.014134 0.012746 9.233053 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
52 1 0x0400900000004000 944192097.688646 0.200062 0.212808 9.433115 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 SE Bin Xmit \r.
53 1 0x0400000000004001 944192097.689935 0.214097 0.001289 9.432714 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
54 1 0x0400000000004001 944192097.702068 0.012133 0.013422 9.444847 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit \r\n
55 1 0x0400900000004000 944192097.718590 0.029944 0.016522 9.463059 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
56 1 0x0400000000004001 944192097.719739 0.017671 0.001149 9.462518 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit Password:
57 1 0x0400900000004000 944192097.738580 0.019990 0.018841 9.483049 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
58 1 0x0400900000004000 944192098.959909 1.221329 1.240170 10.704378 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x09 SE Bin Xmit u
59 1 0x0400000000004001 944192098.961247 1.241508 0.001338 10.704026 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
60 1 0x0400900000004000 944192099.399585 0.439676 0.438338 11.144054 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x09 SE Bin Xmit s
61 1 0x0400000000004001 944192099.400803 0.439556 0.001218 11.143582 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
62 1 0x0400900000004000 944192099.881157 0.481572 0.480354 11.625626 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x09 SE Bin Xmit e
63 1 0x0400000000004001 944192099.882702 0.481899 0.001545 11.625481 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
64 1 0x0400900000004000 944192100.186851 0.305694 0.304149 11.931320 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x09 SE Bin Xmit r
65 1 0x0400000000004001 944192100.188091 0.305389 0.001240 11.930870 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
66 1 0x0400900000004000 944192101.541494 1.354643 1.353403 13.285963 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00 0x01 SE Bin Xmit \r.
67 1 0x0400000000004001 944192101.542747 1.354656 0.001253 13.285526 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00
68 1 0x0400000000004001 944192101.815604 0.272857 0.274110 13.558383 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit \r\n
69 1 0x0400900000004000 944192101.828601 0.287107 0.012997 13.573070 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
70 1 0x0400000000004001 944192103.076400 1.260796 1.247799 14.819179 3 eth:ipv4:tcp 00:00:c0:9f:a0:97 00:a0:cc:3b:bf:fa 0x0800 192.168.0.1 07 Private network 23 192.168.0.2 07 Private network 1254 6 0x00 0x01 SE Bin Xmit Last login: Thu Dec 2 21:32:59 on ttyp1 from bam.zing.org\r\n
71 1 0x0400900000004000 944192103.088602 1.260001 0.012202 14.833071 3 eth:ipv4:tcp 00:a0:cc:3b:bf:fa 00:00:c0:9f:a0:97 0x0800 192.168.0.2 07 Private network 1254 192.168.0.1 07 Private network 23 6 0x00
...
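To make the columns above concrete, here is an added Python example (not part of this tutorial and not the telnetDecode plugin's code) that decodes a Telnet byte stream the way the plugin's columns suggest: it strips the IAC negotiation into command and option names (cf. telCmdS, telOptS), keeps the terminal text (cf. l7Content) and pairs the client's keystrokes with the server's login: and Password: prompts (cf. telUsr, telPW). The session bytes are constructed for the example and modelled on the capture, not taken from the pcap; the function names, the option-name table and the prompt-based credential pairing are the example's own assumptions about how such decoding works, not the plugin's implementation. It also shows why a single A+B dump without position control, as seen later in this tutorial, contains doubled characters.

```python
# Added example (not the Tranalyzer tutorial's or the telnetDecode plugin's code):
# a minimal Telnet (RFC 854) decoder that separates IAC negotiation from terminal
# text and pairs the client's keystrokes with the server's login/password prompts.

IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
CMD_NAMES = {240: "SE", 241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO",
             246: "AYT", 247: "EC", 248: "EL", 249: "GA", 250: "SB",
             251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# Option codes (RFC 855 and the per-option RFCs), named as in the telOptS column.
OPT_NAMES = {0: "Bin Xmit", 1: "Echo Data", 3: "Suppr GA", 5: "Opt Stat", 24: "Term Type",
             31: "Window Size", 32: "Term Speed", 33: "Remote Flow", 34: "Linemode",
             35: "X Disp loc", 36: "Env", 37: "Auth", 38: "Encryp opt", 39: "New Env"}


def parse_telnet(data):
    """Split one direction's raw Telnet bytes into (commands, text).

    commands: list of (command name, option name or None) in wire order
    text:     the payload with every IAC sequence removed (IAC IAC -> one 0xff byte)
    A sequence cut off by the end of the segment is dropped (simplification: a real
    decoder would carry the partial sequence over to the next segment)."""
    cmds, text, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        c = data[i + 1]
        if c == IAC:                                   # escaped data byte 0xff
            text.append(IAC)
            i += 2
        elif c in (WILL, WONT, DO, DONT):              # 3-byte option negotiation
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            cmds.append((CMD_NAMES[c], OPT_NAMES.get(opt, "Opt %d" % opt)))
            i += 3
        elif c == SB:                                  # IAC SB <opt> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            opt = data[i + 2] if i + 2 < end else -1
            cmds.append(("SB", OPT_NAMES.get(opt, "Opt %d" % opt)))
            i = end + 2
        else:                                          # 2-byte command without option
            cmds.append((CMD_NAMES.get(c, "Cmd %d" % c), None))
            i += 2
    return cmds, bytes(text)


def aggregate(cmds):
    """Distinct command and option names in first-seen order (cf. telCmdS / telOptS)."""
    names = list(dict.fromkeys(c for c, _ in cmds))
    opts = list(dict.fromkeys(o for _, o in cmds if o is not None))
    return names, opts


def reconstruct(segments):
    """segments: (direction, raw bytes) tuples in capture order; 'A' = client, 'B' = server.

    Returns (user, password, cmds, text): the entries typed after the server's "login:"
    and "Password:" prompts, plus per-direction command lists and cleaned text."""
    cmds, text = {"A": [], "B": []}, {"A": bytearray(), "B": bytearray()}
    user = password = None
    state, buf = None, bytearray()       # which prompt the client is currently answering
    for d, raw in segments:
        c, t = parse_telnet(raw)
        cmds[d].extend(c)
        text[d].extend(t)
        if d == "B":
            if b"login:" in t:
                state, buf = "user", bytearray()
            elif b"Password:" in t:
                state, buf = "password", bytearray()
        elif state is not None:
            buf.extend(t)
            if b"\r" in buf:             # Enter ends the entry; per-char mode sends CR NUL
                value = bytes(buf).split(b"\r")[0].decode("latin-1")
                if state == "user":
                    user = value
                else:
                    password = value
                state = None
    return user, password, cmds, {d: bytes(v) for d, v in text.items()}


def merged_in_order(segments):
    """Both directions' text concatenated in capture order: what a single A+B dump
    without position control looks like (each typed character followed by its echo)."""
    return b"".join(parse_telnet(raw)[1] for _, raw in segments)


# Constructed sample session (not the pcap): echo is negotiated on, the login is
# echoed character by character by the server, the password is not.
SAMPLE = [
    ("A", b"\xff\xfb\x23"),                   # IAC WILL X Disp loc
    ("B", b"\xff\xfd\x25"),                   # IAC DO Auth
    ("A", b"\xff\xfc\x25"),                   # IAC WONT Auth
    ("B", b"\xff\xfa\x22\x01\x00\xff\xf0"),   # IAC SB Linemode ... IAC SE
    ("B", b"\xff\xfb\x01"),                   # IAC WILL Echo Data (server will echo)
    ("A", b"\xff\xfd\x01"),                   # IAC DO Echo Data
    ("B", b"\r\nOpenBSD/i386 (oof) (ttyp1)\r\n\r\nlogin: "),
]
for ch in b"fake":
    SAMPLE += [("A", bytes([ch])), ("B", bytes([ch]))]   # keystroke, then server echo
SAMPLE += [("A", b"\r\x00"), ("B", b"\r\nPassword:")]
for ch in b"user":
    SAMPLE.append(("A", bytes([ch])))                    # no echo while the password is typed
SAMPLE += [("A", b"\r\x00"), ("B", b"\r\nWelcome\r\n$ ")]

if __name__ == "__main__":
    user, password, cmds, text = reconstruct(SAMPLE)
    print("telUsr=%r telPW=%r" % (user, password))
    for d in "AB":
        print(d, aggregate(cmds[d]))
    print(merged_in_order(SAMPLE))
```

Running the script prints the username and password recovered from the cleartext session, the aggregated command and option names per direction, and the merged text, in which the echoed login shows up as "ffaakkee" and the unechoed password sits directly behind the prompt as "Password:user", exactly the doubled-character effect described for the single-file dump.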
If you want to see all Telnet communication in a separate file, the Data Carving mode must be enabled.
Data Carving with telnetDecode
In order to enable the Data Carving mode, TEL_SAVE has to be switched on. Use t2conf and t2build to reconfigure and recompile telnetDecode, then rerun t2 on the pcap.
t2conf telnetDecode -D TEL_SAVE=1 && t2build telnetDecode
t2 -r ~/test_data/data/telnet-per-char-mode.pcap -w ~/results
...
--------------------------------------------------------------------------------
telnetDecode: Aggregated telStat=0x03
telnetDecode: Number of Telnet packets: 272 [100.00%]
telnetDecode: Number of files extracted: 2
--------------------------------------------------------------------------------
...
The status confirms that files were successfully extracted.
tawk -V telStat=0x03
The telStat column with value 0x03 is to be interpreted as follows:
bit | telStat | Description
=============================================================================
0 | 0x01 | TELNET port found
1 | 0x02 | Successful files extraction
Move to the TEL_F_PATH and look into it. As configured, two files are generated, one for the A and one for the B flow. The A file may contain non-printable characters, so use the strings command to look at the direct keyboard entries of the user. Oops, the login and the password.
The B file contains all server replies and the echo of the user input, so you see the login but not the password.
cd /tmp/TELFILES/
ls
telnet_flow_1_A telnet_flow_1_B
strings telnet_flow_1_A
fake
user
ls -a
/sbin/ping www.yahoo.com
exit
strings telnet_flow_1_B
OpenBSD/i386 (oof) (ttyp1)
login: fake
Password:
Last login: Thu Dec 2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
. .. .cshrc .login .mailrc .profile .rhosts
/sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
exit
If you prefer to merge both flows into one file, switch TEL_SAVE_SPLIT off, recompile the plugin and rerun t2.
t2conf telnetDecode -D TEL_SAVE_SPLIT=0 && t2build telnetDecode
t2 -r ~/test_data/data/telnet-per-char-mode.pcap -w ~/results
Now there is only one file and you see each typed character followed directly by its echo, so all user commands appear with doubled characters, which can be annoying.
cd /tmp/TELFILES/
ls
telnet_flow_1_AB
cat /tmp/TELFILES/telnet_flow_1_AB
OpenBSD/i386 (oof) (ttyp1)
login: ffaakkee
Password:user
Last login: Thu Dec 2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ llss
$ llss --aa
. .. .cshrc .login .mailrc .profile .rhosts
$ //ssbbiinn//ppiinngg wwwwww..yyaahhoooo..ccoomm
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ eexxiitt
To get rid of the doubled characters, switch on sequence number positioning:
t2conf telnetDecode -D TEL_SEQPOS=1 && t2build telnetDecode
t2 -r ~/test_data/data/telnet-per-char-mode.pcap -w ~/results
Now all the echoes are gone, including the password, because the characters are now written to the same file position and the last one is overwritten with a \r.
cat /tmp/TELFILES/telnet_flow_1_AB
OpenBSD/i386 (oof) (ttyp1)
login:
fake
Password:
Last login: Thu Dec 2 21:32:59 on ttyp1 from bam.zinls
ls -a
/sbin/ping www.yahoo.com
exit
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
. .. .cshrc .login .mailrc .profile .rhosts
$ /sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ exit
Conclusion
Experiment a bit with your own traffic.
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf telnetDecode --reset && t2build telnetDecode
Have fun analyzing.