Friday, July 16, 2004

Netwox, the Network Toolbox

Packet Storm posted word of a new release of Laurent Constanin's Netwox. I had never tried it before, but was aware of the project from articles like Linux Security and elsewhere.

The Network Toolbox consists of three components: Netwib, a network library; Netwox, the collection of 150+ tools, and Netwag, a Tcl/Tk interface. Given that Sguil is also written in Tcl/Tk, I was interested in trying out this tool.

If you just run Netwox, you'll be presented by a series of menus which help you select the proper command line switches to use various tools. In the following example I use the menus to eventually see how Netwox recognizes the NICs in my workstation:

drury:/usr/local/src/netw-ib-ox-ag-5.19.0/src/netwag-src/src$ sudo netwox
Netwox toolbox version 5.19.0. Netwib library version 5.19.0.

######################## MAIN MENU #########################
0 - leave netwox
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff
e + spoof
f + record
g + client
h + server
i + tools not related to network
j + administrators' tools
k + attack tools
Select a node (key in 03456abcdefghijk): a


####################### information ########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information on local computer
b + information on remote computer
c + information on netw
Select a node (key in 0123456abc): a

############## information on local computer ###############
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 1:Display network configuration
Select a node (key in 0123456a): a

################## help for tool number 1 ##################
Title: Display network configuration
Note: If no option is set, they are all displayed
Usage: netwox 1 [-d] [-i] [-a] [-r]
name type description {example}
-d|--devices|+d|--no-devices display devices {0}
-i|--ip|+i|--no-ip display ip addresses {0}
-a|--arpcache|+a|--no-arpcache display arp cache and neighbors {0}
-r|--routes|+r|--no-routes display routes {0}
Example: netwox 1
Press 'r' or 'k' to run this tool, or any other key to continue

################## running tool number 1 ###################
Enter optional tool parameters and press Return key.
netwox 1
################################### Devices ###################################
nu dev ethernet_hwtype mtu real_device_name
1 Eth0 00:50:BA:AC:D7:43 1500 rl0
2 Eth1 02:00:4C:00:00:00 1500 fwe0
3 Eth2 00:30:48:41:F9:56 1500 fxp0
4 Pli0 plip 1500 plip0
5 Lo0 loopback 16384 lo0
6 Eth3 00:BD:CA:09:00:01 1500 vmnet1
7 Eth4 00:BD:DC:E3:57:00 1500 vmnet0
##################################### IP ######################################
nu ip /netmask ppp point_to_point_with
3 10.200.211.99 /255.255.255.0 0
5 127.0.0.1 /255.0.0.0 0
6 192.168.0.1 /255.255.255.0 0
############################## ArpCache/Neighbor #############################
nu ethernet ip
3 00:0A:41:C7:BA:80 10.200.211.1
3 00:30:48:41:F9:56 10.200.211.99
3 00:C0:4F:61:3F:72 10.200.211.52
6 00:BD:CA:09:00:01 192.168.0.1
#################################### Routes ###################################
nu destination /netmask source gateway metric
3 10.200.211.99 /255.255.255.255 local 0
5 127.0.0.1 /255.255.255.255 local 0
6 192.168.0.1 /255.255.255.255 local 0
3 10.200.211.0 /255.255.255.0 10.200.211.99 0
6 192.168.0.0 /255.255.255.0 192.168.0.1 0
5 127.0.0.0 /255.0.0.0 127.0.0.1 0
Command returned 0 (OK)
Press 'r' or 'k' to run again this tool, or any other key to continue

I know fxp0 is my main interface, and see Netwox calls it "Eth2". I can use this information to sniff with Netwox once I return to the main menu:

Select a node (key in 03456abcdefghijk): d

########################## sniff ###########################
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools' title
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a - 7:Sniff
b - 10:Sniff and display network statistics
c - 11:Sniff and verify checksums
d - 13:Obtain DLT type for sniff and spoof for each device
e - 110:Ethernet bridge limiting flow
Select a node (key in 0123456abcde): a

################## help for tool number 7 ##################
Title: Sniff
Usage: netwox 7 [-d device] [-f filter] [-p] [-H encode] [-D encode] [-r] [-x]
[-i] [-t] [-s] [-o file] [-R recordencode] [-c uint32] [-C uint32]
name type description {example}
-d|--device device device name {Eth0}
-f|--filter filter pcap filter
-p|--pause|+p|--no-pause can pause {0}
-H|--hdrencode encode header encoding type for screen {array}
-D|--dataencode encode data encoding type for screen {dump}
-r|--rawip|+r|--no-rawip sniff at IP level {0}
-x|--extended|+x|--no-extended display other protocols (dns) {1}
-i|--ipreas|+i|--no-ipreas reassemble IP packets {0}
-t|--tcpreord|+t|--no-tcpreord reorder TCP packets {0}
-s|--screen|+s|--no-screen display to screen {1}
-o|--outfile file save in record file {dstfile.txt}
-R|--recordencode recordencode encoding type for record file {bin}
-c|--split-size uint32 maximum size of record in kb {0}
-C|--split-age uint32 maximum age of record in seconds {0}
Example: netwox 7
Press 'r' or 'k' to run this tool, or any other key to continue
################## running tool number 7 ###################
Enter optional tool parameters and press Return key.
netwox 7 -d Eth2 -f icmp

I just told network to sniff for ICMP on interface "Eth2". In the future I could simply run "netwox 7 -d Eth2 -f icmp" and dispense with the menus. Here are the results when I generate ICMP by pinging Google:

netwox 7 -d Eth2 -f icmp
Ethernet________________________________________________________.
| 00:30:48:41:F9:56->00:0A:41:C7:BA:80 type:0x0800 |
|_______________________________________________________________|
IP______________________________________________________________.
|version| ihl | tos | totlen |
|___4___|___5___|____0x00=0_____|___________0x0054=84___________|
| id |r|D|M| offsetfrag |
|_________0x3290=12944__________|0|0|0|________0x0000=0_________|
| ttl | protocol | checksum |
|____0x40=64____|____0x01=1_____|____________0x6796_____________|
| source |
|_________________________10.200.211.99_________________________|
| destination |
|________________________216.239.41.104_________________________|
ICMP4_echo request______________________________________________.
| type | code | checksum |
|____0x08=8_____|____0x00=0_____|_________0xA3C9=41929__________|
| id | seqnum |
|_________0xC849=51273__________|___________0x0000=0____________|
| data: 1322f8408e86070008090a0b0c0d0e0f101112131415161718191a1 |
| b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536 |
| 37 |
|_______________________________________________________________|

Ethernet________________________________________________________.
| 00:0A:41:C7:BA:80->00:30:48:41:F9:56 type:0x0800 |
|_______________________________________________________________|
IP______________________________________________________________.
|version| ihl | tos | totlen |
|___4___|___5___|____0x00=0_____|___________0x0054=84___________|
| id |r|D|M| offsetfrag |
|_________0x3290=12944__________|0|0|0|________0x0000=0_________|
| ttl | protocol | checksum |
|___0xF3=243____|____0x01=1_____|____________0xB495_____________|
| source |
|________________________216.239.41.104_________________________|
| destination |
|_________________________10.200.211.99_________________________|
ICMP4_echo reply________________________________________________.
| type | code | checksum |
|____0x00=0_____|____0x00=0_____|_________0xABC9=43977__________|
| id | seqnum |
|_________0xC849=51273__________|___________0x0000=0____________|
| data: 1322f8408e86070008090a0b0c0d0e0f101112131415161718191a1 |
| b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536 |
| 37 |
|_______________________________________________________________|

This unique format is one of the cooler aspects of Netwox.



No comments: