Telnet

data carving layer 7 Telnet

Introduction

Telnet is an unencrypted, bidirectional, interactive, text-oriented protocol that provides a virtual terminal and was widely used for system administration. It has by now been replaced by SSH, hopefully…

This tutorial discusses the plugin telnetDecode and its features.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpStates telnetDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do so now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: telnet-per-char-mode.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing Telnet traffic!

telnetDecode

Let’s look at the plugin configuration first. It looks like the other Data Carving plugins.

vi src/telnetDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define TEL_SAVE       0 // Save content to TEL_F_PATH
#define TEL_SAVE_SPLIT 1 // Save requests (A) and responses (B): (TEL_SAVE=1)
                         //   0: in the same file
                         //   1: in separate files
#define TEL_SEQPOS     0 // 0: no file position control,
                         // 1: seq number file position control (TEL_SAVE=1)

#define TEL_BTFLD      1 // Enable bitfields output

#define TEL_CMDOPTS    1 // Commands/options format:
                         //   0: Output commands/options,
                         //   1: Output commands/options names

#define TEL_CMD_AGGR   1 // Aggregate commands
#define TEL_OPT_AGGR   1 // Aggregate options

#define TELUPLN       25 // Maximal length user/password
#define TELCMDN       25 // Maximal command / flow
#define TELOPTN       25 // Maximal options / flow

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define TEL_RMDIR                 1 // empty TEL_F_PATH before starting (TEL_SAVE=1)
#define TEL_F_PATH "/tmp/TELFILES/" // Path for extracted content

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

This plugin is data carving capable, i.e. it extracts the content of the flows, including user names and passwords. The latter are also printed in the flow file. If TEL_SAVE=1, all content, including commands, uploads and downloads, is extracted under the path TEL_F_PATH.

Note that TEL_RMDIR=1 means that the output directory is emptied at every new t2 execution. If you want to keep files from earlier runs, switch it to 0.

If TEL_SAVE_SPLIT is enabled, the content of the A and B flows is stored in separate files; otherwise everything is dumped into the same file. TEL_SEQPOS controls whether the content files are written at positions derived from the TCP sequence numbers. As the echoing of the password is switched off, or the echo might include positioning characters, the password might then not appear in the file; therefore it is switched off by default.

The maximal length of the extracted user names and passwords and the maximal number of commands and options per flow can be configured, as well as the form of the flow output; here aggregated.
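To make the commands/options columns concrete, here is an added example (not telnetDecode's own code) of a small Telnet IAC parser: it separates keystroke data from negotiation, labels commands and options by name as TEL_CMDOPTS=1 does, and aggregates unique items per flow up to TELCMDN/TELOPTN as TEL_CMD_AGGR/TEL_OPT_AGGR=1 describe. The server and client segments are constructed, and the name tables cover only the options used in them.

```python
IAC, SB, SE = 255, 250, 240
CMD_NAMES = {240: "SE", 241: "NOP", 244: "IP", 246: "AYT", 250: "SB",
             251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPT_NAMES = {0: "BINARY", 1: "ECHO", 3: "SGA", 24: "TTYPE", 31: "NAWS", 32: "TSPEED"}
TELCMDN = TELOPTN = 25  # per-flow caps, same values as in the plugin header above

def parse_telnet(payload, names=True):
    """Split one TCP payload into (data, commands, options); names=False mirrors TEL_CMDOPTS=0."""
    label = lambda table, v: table.get(v, v) if names else v
    data, cmds, opts, i, n = bytearray(), [], [], 0, len(payload)
    while i < n:
        if payload[i] != IAC:                      # ordinary keystroke / terminal byte
            data.append(payload[i]); i += 1; continue
        if i + 1 >= n:                             # IAC cut off at segment end
            break
        cmd = payload[i + 1]
        if cmd == IAC:                             # IAC IAC is an escaped 0xFF data byte
            data.append(IAC); i += 2; continue
        cmds.append(label(CMD_NAMES, cmd))
        if cmd in (251, 252, 253, 254) and i + 2 < n:   # WILL/WONT/DO/DONT <option>
            opts.append(label(OPT_NAMES, payload[i + 2])); i += 3
        elif cmd == SB:                            # IAC SB <option> <params> IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end < 0:                            # unterminated subnegotiation: stop here
                break
            if i + 2 < end:
                opts.append(label(OPT_NAMES, payload[i + 2]))
            cmds.append(label(CMD_NAMES, SE)); i = end + 2
        else:                                      # two-byte command such as IAC IP
            i += 2
    return bytes(data), cmds, opts

def _merge(into, items, cap):                      # keep first occurrence only, up to cap
    for x in items:
        if x not in into and len(into) < cap:
            into.append(x)

def aggregate_flow(segments, names=True):
    """TEL_CMD_AGGR/TEL_OPT_AGGR=1: unique commands/options per flow, capped at TELCMDN/TELOPTN."""
    data, cmds, opts = bytearray(), [], []
    for seg in segments:
        d, c, o = parse_telnet(seg, names)
        data += d; _merge(cmds, c, TELCMDN); _merge(opts, o, TELOPTN)
    return bytes(data), cmds, opts

# Constructed B-flow (server): DO TTYPE, DO TSPEED, WILL ECHO, WILL SGA, prompt, per-char echoes.
SERVER = [bytes([IAC, 253, 24, IAC, 253, 32, IAC, 251, 1, IAC, 251, 3]) + b"login: ", b"f", b"a"]
# Constructed A-flow (client): WILL TTYPE, a TTYPE subnegotiation, two keystrokes, then IAC IP.
CLIENT = [bytes([IAC, 251, 24, IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE]), b"f", b"a", bytes([IAC, 244])]
```

Calling aggregate_flow(SERVER) yields the data b"login: fa" with commands DO, WILL and options TTYPE, TSPEED, ECHO, SGA; the client flow yields b"fa" with WILL, SB, SE, IP and the single option TTYPE.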

For the time being we leave everything at its defaults. So execute t2 on the supplied pcap with packet mode enabled (-s).

t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results/ -s

telStat currently has only one bit set, which states that there is Telnet; fine, the whole pcap consists of Telnet traffic.

tawk -V telStat=0x01

The telStat column with value 0x01 is to be interpreted as follows:

   bit | telStat | Description
   =============================================================================
     0 | 0x01    | TELNET port found

In the flow file aggregated commands and options are listed including login names and passwords.

tcol ~/results/telnet-per-char-mode_flows.txt

Packet mode supplies the status, commands and options; the string-based content can be seen in l7Content. You can see the character-by-character entry of the login and the password. The password is not echoed, for obvious reasons.

tcol ~/results/telnet-per-char-mode_packets.txt

71      1        0x0400900000004000  944192103.088602  1.260001  0.012202  14.833071     3        eth:ipv4:tcp             00:a0:cc:3b:bf:fa  00:00:c0:9f:a0:97  0x0800   192.168.0.2  07       Private network  1254     192.168.0.1  07       Private network  23       6        0x00
...

If you want to see all Telnet communication in an extra file, the Data Carving mode must be enabled.

Data carving with telnetDecode

In order to enable the Data Carving mode, TEL_SAVE has to be switched on. Use t2conf and t2build to reconfigure and recompile telnetDecode, then rerun t2 on the pcap.

t2conf telnetDecode -D TEL_SAVE=1 && t2build telnetDecode

t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results

...
--------------------------------------------------------------------------------
telnetDecode: Aggregated telStat=0x03
telnetDecode: Number of Telnet packets: 272 [100.00%]
telnetDecode: Number of files extracted: 2
--------------------------------------------------------------------------------
...

The status confirms that files were successfully extracted.

tawk -V telStat=0x03

The telStat column with value 0x03 is to be interpreted as follows:

   bit | telStat | Description
   =============================================================================
     0 | 0x01    | TELNET port found
     1 | 0x02    | Successful files extraction

Move to TEL_F_PATH and look into it. As configured, two files are generated, one for the A and one for the B flow. The A flow may contain non-printable characters, so use the command strings to look at the direct keyboard entries of the user. Oops: the login and the password.

The B file contains all server replies and the echo of the user input, so you see the login but not the password.

cd /tmp/TELFILES/

ls

telnet_flow_1_A  telnet_flow_1_B

strings telnet_flow_1_A

fake
user
ls -a
/sbin/ping www.yahoo.com
exit

strings telnet_flow_1_B

OpenBSD/i386 (oof) (ttyp1)
login: fake
Password:
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
/sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
exit

If you prefer to merge both flows into one file, switch TEL_SAVE_SPLIT off, recompile the plugin and rerun t2.

t2conf telnetDecode -D TEL_SAVE_SPLIT=0 && t2build telnetDecode

t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results

Now there is only one file, and you see each keystroke followed by its echo: in per-character mode the server echoes every character, so all user commands appear with doubled characters, which can be annoying.

cd /tmp/TELFILES/

ls

telnet_flow_1_AB

cat /tmp/TELFILES/telnet_flow_1_AB

OpenBSD/i386 (oof) (ttyp1)
login: ffaakkee
Password:user
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zing.org
Warning: no Kerberos tickets issued.
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ llss
$ llss --aa
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
$ //ssbbiinn//ppiinngg  wwwwww..yyaahhoooo..ccoomm
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ eexxiitt

In order to remove this annoyance, switch on sequence number positioning:

t2conf telnetDecode -D TEL_SEQPOS=1 && t2build telnetDecode

t2 -r ~/data/telnet-per-char-mode.pcap -w ~/results

Now all the echoes are gone, including the password, as the characters are now written to the same position and the last one is overwritten with a \r.

cat /tmp/TELFILES/telnet_flow_1_AB

OpenBSD/i386 (oof) (ttyp1)
login:
fake
Password:
Last login: Thu Dec  2 21:32:59 on ttyp1 from bam.zinls
ls -a
/sbin/ping www.yahoo.com
exit
OpenBSD 2.6-beta (OOF) #4: Tue Oct 12 20:42:32 CDT 1999
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
$ ls
$ ls -a
.         ..        .cshrc    .login    .mailrc   .profile  .rhosts
$ /sbin/ping www.yahoo.com
PING www.yahoo.com (204.71.200.74): 56 data bytes
64 bytes from 204.71.200.74: icmp_seq=0 ttl=239 time=73.569 ms
64 bytes from 204.71.200.74: icmp_seq=1 ttl=239 time=71.099 ms
64 bytes from 204.71.200.74: icmp_seq=2 ttl=239 time=68.728 ms
64 bytes from 204.71.200.74: icmp_seq=3 ttl=239 time=73.122 ms
64 bytes from 204.71.200.74: icmp_seq=4 ttl=239 time=71.276 ms
64 bytes from 204.71.200.74: icmp_seq=5 ttl=239 time=75.831 ms
64 bytes from 204.71.200.74: icmp_seq=6 ttl=239 time=70.101 ms
64 bytes from 204.71.200.74: icmp_seq=7 ttl=239 time=74.528 ms
64 bytes from 204.71.200.74: icmp_seq=9 ttl=239 time=74.514 ms
64 bytes from 204.71.200.74: icmp_seq=10 ttl=239 time=75.188 ms
64 bytes from 204.71.200.74: icmp_seq=11 ttl=239 time=72.925 ms
--- www.yahoo.com ping statistics ---
13 packets transmitted, 11 packets received, 15% packet loss
round-trip min/avg/max = 68.728/72.807/75.831 ms
$ exit
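As an added illustration (not the plugin's code), the following Python models the three content-file modes shown above on a constructed per-character login exchange: the split A/B files, the merged file in arrival order (which doubles every echoed keystroke, as in "llss" above), and the merged file with sequence number positioning. How telnetDecode maps sequence numbers to file offsets is not described on this page; the model assumes each direction's bytes are written at offset seq minus that direction's first seq into one shared file, which reproduces both the disappearance of the doubled echoes and the client keystrokes overwriting the start of the server banner (the "bam.zinls" line above).

```python
# Constructed segments in arrival order: (direction, tcp_seq, payload).
# A = client, B = server. The client types "fake" one character at a time and
# the server echoes each keystroke; the last entry is a constructed retransmission.
SEGMENTS = [
    ("B", 5000, b"login: "),
    ("A", 9000, b"f"), ("B", 5007, b"f"),
    ("A", 9001, b"a"), ("B", 5008, b"a"),
    ("A", 9002, b"k"), ("B", 5009, b"k"),
    ("A", 9003, b"e"), ("B", 5010, b"e"),
    ("A", 9004, b"\r\n"), ("B", 5011, b"\r\nPassword:"),
    ("A", 9001, b"a"),   # retransmitted 'a' keystroke
]

def split_files(segments):
    """TEL_SAVE_SPLIT=1: one file per direction, bytes appended in arrival order."""
    files = {"A": bytearray(), "B": bytearray()}
    for direction, _, payload in segments:
        files[direction] += payload
    return {d: bytes(b) for d, b in files.items()}

def merged_append(segments):
    """TEL_SAVE_SPLIT=0, TEL_SEQPOS=0: both directions appended to one file as they arrive."""
    out = bytearray()
    for _, _, payload in segments:
        out += payload
    return bytes(out)

def merged_seqpos(segments):
    """TEL_SAVE_SPLIT=0, TEL_SEQPOS=1 (assumed model): each segment is written at
    offset seq - first_seq of its own direction, so retransmissions land on the
    same bytes and the two directions' offsets may overlap in the shared file."""
    first_seq = {}
    for direction, seq, _ in segments:
        first_seq[direction] = min(first_seq.get(direction, seq), seq)
    out = bytearray()
    for direction, seq, payload in segments:
        off = seq - first_seq[direction]
        if off + len(payload) > len(out):              # grow the file to fit this segment
            out.extend(b"\x00" * (off + len(payload) - len(out)))
        out[off:off + len(payload)] = payload           # overwrite in place, never append twice
    return bytes(out)
```

The merged append output reads "login: ffaakkee", while the positioned output has single characters again but the client's "fake" has overwritten the server's "login:" prompt, which is the same overlap effect seen in the positioned file above.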

Conclusion

Experiment a bit with your own traffic.

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf telnetDecode --reset && t2build telnetDecode

Have fun analyzing.