Throughout this book, I’ve demonstrated several tools and libraries you can use in network protocol analysis, but I didn’t discuss many that I use regularly. This appendix describes the tools that I’ve found useful during analysis, investigation, and exploitation. Each tool is categorized based on its primary use, although some tools would fit several categories.
As discussed in Chapter 2, passive network capture refers to listening and capturing packets without disrupting the flow of traffic.
Website http://blogs.technet.com/b/messageanalyzer/
License Commercial; free of charge
Platform Windows
The Microsoft Message Analyzer is an extensible tool for analyzing network traffic on Windows. The tool includes many parsers for different protocols and can be extended with a custom programming language. Many of its features are similar to those of Wireshark except Message Analyzer has added support for Windows events.
Website http://www.tcpdump.org/; http://www.winpcap.org/ for Windows implementation (WinPcap/WinDump)
License BSD License
Platforms BSD, Linux, macOS, Solaris, Windows
The TCPDump utility installed on many operating systems is the grandfather of network packet capture tools. You can use it for basic network data analysis. Its LibPCAP development library allows you to write your own tools to capture traffic and manipulate PCAP files.
Website https://www.wireshark.org/
License GPLv2
Platforms BSD, Linux, macOS, Solaris, Windows
Wireshark is the most popular tool for passive packet capture and analysis. Its GUI and large library of protocol analysis modules make it more robust and easier to use than TCPDump. Wireshark supports almost every well-known capture file format, so even if you capture traffic using a different tool, you can use Wireshark to do the analysis. It even includes support for analyzing nontraditional protocols, such as USB or serial port communication. Most Wireshark distributions also include tshark, a replacement for TCPDump that has most of the features offered in the main Wireshark GUI, such as the protocol dissectors. It allows you to view a wider range of protocols on the command line.
To modify, analyze, and exploit network traffic as discussed in Chapters 2 and 8, you’ll need to use active network capture techniques. I use the following tools on a daily basis when I’m analyzing and testing network protocols.
Website https://github.com/ctxis/canape/
License GPLv3
Platforms Windows (with .NET 4)
I developed the Canape tool as a generic network protocol man-in-the-middle testing, analyzing, and exploitation tool with a usable GUI. Canape contains tools that allow users to develop protocol parsers, C# and IronPython scripted extensions, and different types of man-in-the-middle proxies. It’s open source as of version 1.4, so users can contribute to its development.
Website https://github.com/tyranid/CANAPE.Core/releases/
License GPLv3
Platforms .NET Core 1.1 and 2.0 (Linux, macOS, Windows)
The Canape Core libraries, a stripped-down fork of the original Canape code base, are designed for use from the command line. In the examples throughout this book, I’ve used Canape Core as the library of choice. It has much the same power as the original Canape tool while being usable on any OS supported by .NET Core instead of only on Windows.
Website https://github.com/intrepidusgroup/mallory/
License Python Software Foundation License v2; GPLv3 if using the GUI
Platform Linux
Mallory is an extensible man-in-the-middle tool that acts as a network gateway, which makes the process of capturing, analyzing, and modifying traffic transparent to the application being tested. You can configure Mallory using Python libraries as well as a GUI debugger. You’ll need to configure a separate Linux VM to use it. Some useful instructions are available at https://bitbucket.org/IntrepidusGroup/mallory/wiki/Mallory_Minimal_Guide/.
If you’re trying to test an unknown protocol or network device, basic network testing can be very useful. The tools listed in this section help you discover and connect to exposed network servers on the target device.
Website http://www.hping.org/
License GPLv2
Platforms BSD, Linux, macOS, Windows
The Hping tool is similar to the traditional ping utility, but it supports more than just ICMP echo requests. You can also use it to craft custom network packets, send them to a target, and display any responses. This is a very useful tool to have in your kit.
Website Find the original at http://nc110.sourceforge.net/ and the GNU version at http://netcat.sourceforge.net/
License GPLv2, public domain
Platforms BSD, Linux, macOS, Windows
Netcat is a command line tool that connects to an arbitrary TCP or UDP port and allows you to send and receive data. It supports the creation of sending or listening sockets and is about as simple as it gets for network testing. Netcat has many variants, which, annoyingly, all use different command line options. But they all do pretty much the same thing.
Website https://nmap.org/
License GPLv2
Platforms BSD, Linux, macOS, Windows
If you need to scan the open network interface on a remote system, nothing is better than Nmap. It supports many different ways to elicit responses from TCP and UDP socket servers, as well as different analysis scripts. It’s invaluable when you’re testing an unknown device.
Although this book does not focus heavily on testing web applications, doing so is an important part of network protocol analysis. One of the most widely used protocols on the internet, HTTP is even used to proxy other protocols, such as DCE/RPC, to bypass firewalls. Here are some of the tools I use and recommend.
Website https://portswigger.net/burp/
License Commercial; limited free version is available
Platforms Supported Java platforms (Linux, macOS, Solaris, Windows)
Burp Suite is the gold standard of commercial web application–testing tools. Written in Java for maximum cross-platform capability, it provides all the features you need for testing web applications, including built-in proxies, SSL decryption support, and easy extensibility. The free version has fewer features than the commercial version, so consider buying the commercial version if you plan to use it a lot.
Website https://www.owasp.org/index.php/ZAP
License Apache License v2
Platforms Supported Java platforms (Linux, macOS, Solaris, Windows)
If Burp Suite’s price is beyond reach, ZAP is a great free option. Developed by OWASP, ZAP is written in Java, can be scripted, and can be easily extended because it’s open source.
Website https://mitmproxy.org/
License MIT
Platforms Any Python-supported platform, although the program is somewhat limited on Windows
Mitmproxy is a command line–based web application–testing tool written in Python. Its many standard features include interception, modification, and replay of requests. You can also include it as a separate library within your own applications.
Whenever you’re developing exploits for and finding new vulnerabilities, you’ll usually need to implement a lot of common functionality. The following tools provide a framework, allowing you to reduce the amount of standard code and common functionality you need to implement.
Website http://lcamtuf.coredump.cx/afl/
License Apache License v2
Platforms Linux; some support for other Unix-like platforms
Don’t let its cute name throw you off. American Fuzzy Lop (AFL) may be named after a breed of rabbit, but it’s an amazing tool for fuzz testing, especially on applications that can be recompiled to include special instrumentation. It has an almost magical ability to generate valid inputs for a program from the smallest of examples.
Website https://www.kali.org/
Licenses A range of open source and non-free licenses depending on the packages used
Platforms ARM, Intel x86 and x64
Kali is a Linux distribution designed for penetration testing. It comes pre-installed with Nmap, Wireshark, Burp Suite, and various other tools listed in this appendix. Kali is invaluable for testing and exploiting network protocol vulnerabilities, and you can install it natively or run it as a live distribution.
Website https://github.com/rapid7/metasploit-framework/
License BSD, with some parts under different licenses
Platforms BSD, Linux, macOS, Windows
Metasploit is pretty much the only game in town when you need a generic vulnerability exploitation framework, at least if you don’t want to pay for one. Metasploit is open source, is actively updated with new vulnerabilities, and will run on almost all platforms, making it useful for testing new devices. Metasploit provides many built-in libraries to perform typical exploitation tasks, such as generating and encoding shell code, spawning reverse shells, and gaining elevated privileges, allowing you to concentrate on developing your exploit without having to deal with various implementation details.
Website http://www.secdev.org/projects/scapy/
License GPLv2
Platforms Any Python-supported platform, although it works best on Unix-like platforms
Scapy is a network packet generation and manipulation library for Python. You can use it to build almost any packet type, from Ethernet packets through TCP or HTTP packets. You can replay packets to test what a network server does when it receives them. This functionality makes it a very flexible tool for testing, analysis, or fuzzing of network protocols.
Website https://github.com/OpenRCE/sulley/
License GPLv2
Platforms Any Python-supported platform
Sulley is a Python-based fuzzing library and framework designed to simplify data representation, transmission, and instrumentation. You can use it to fuzz anything from file formats to network protocols.
To capture network traffic, sometimes you have to redirect that traffic to a listening machine. This section lists a few tools that provide ways to implement network spoofing and redirection without needing much configuration.
Website http://www.thekelleys.org.uk/dnsmasq/doc.html
License GPLv2
Platform Linux
The DNSMasq tool is designed to quickly set up basic network services, such as DNS and DHCP, so you don’t have to hassle with complex service configuration. Although DNSMasq isn’t specifically designed for network spoofing, you can repurpose it to redirect a device’s network traffic for capture, analysis, and exploitation.
Website https://ettercap.github.io/ettercap/
License GPLv2
Platforms Linux, macOS
Ettercap (discussed in Chapter 4) is a man-in-the-middle tool designed to listen to network traffic between two devices. It allows you to spoof DHCP or ARP addresses to redirect a network’s traffic.
Reviewing the source code of an application is often the easiest way to determine how a network protocol works. However, when you don’t have access to the source code, or the protocol is complex or proprietary, network traffic–based analysis is difficult. That’s where reverse engineering tools come in. Using these tools, you can disassemble and sometimes decompile an application into a form that you can inspect. This section lists several reverse engineering tools that I use. (See the discussion in Chapter 6 for more details, examples, and explanation.)
Website http://jd.benow.ca/
License GPLv3
Platforms Supported Java platforms (Linux, macOS, Solaris, Windows)
Java uses a bytecode format with rich metadata, which makes it fairly easy to reverse engineer Java bytecode into Java source code using a tool such as the Java Decompiler. The Java Decompiler is available with a stand-alone GUI as well as plug-ins for the Eclipse IDE.
Website https://www.hex-rays.com/
License Commercial; limited free version available
Platforms Linux, macOS, Windows
IDA Pro is the best-known tool for reverse engineering executables. It disassembles and decompiles many different process architectures, and it provides an interactive environment to investigate and analyze the disassembly. Combined with support for custom scripts and plug-ins, IDA Pro is the best tool for reverse engineering executables. Although the full professional version is quite expensive, a free version is available for noncommercial use; however, it is restricted to 32-bit x86 binaries and has other limitations.
Website http://www.hopperapp.com/
License Commercial; a limited free trial version is also available
Platforms Linux, macOS
Hopper is a very capable disassembler and basic decompiler that can more than match many of the features of IDA Pro. Although as of this writing Hopper doesn’t support the range of processor architectures that IDA Pro does, it should prove more than sufficient in most situations due to its support of x86, x64, and ARM processors. The full commercial version is considerably cheaper than IDA Pro, so it’s definitely worth a look.
Website http://ilspy.net/
License MIT
Platform Windows (with .NET4)
ILSpy, with its Visual Studio–like environment, is the best supported of the free .NET decompiler tools.
Website https://www.red-gate.com/products/dotnet-development/reflector/
License Commercial
Platform Windows
Reflector is the original .NET decompiler. It takes a .NET executable or library and converts it into C# or Visual Basic source code. Reflector is very effective at producing readable source code and allowing simple navigation through an executable. It’s a great tool to have in your arsenal.