hunt - Network security auditing tool.
hunt [-V] [-v] [-i interface]
This manual page documents briefly the hunt command. This manual page
was written for the Debian GNU/Linux distribution because the original
program does not have a manual page. Instead, it has documentation in
the GNU Info format; see below.
Please make sure you KNOW what you are doing before using hunt. It is
recommended that you should test how it behaves on some test
connections and then use it wisely. You may want to select "options"
and then "add conn policy entry" as by default only telnet connections
Hunt is a program for intruding into a connection, watching it and
resetting it. It has several features, which I didn’t find in any
product like Juggernaut or T-sight that inspired me in my development.
I found Juggernaut not flexible enough for further development so I
started from scratch (see FEATURES and DESIGN OVERVIEW). Note that
hunt is operating on Ethernet and is best used for connections which
can be watched through it. However, it is possible to do something even
for hosts on another segments or hosts that are on switched ports. The
hunt doesn’t distinguish between local network connections and
connections going to/from Internet. It can handle all connections it
Connection hijacking is aimed primarily at the telnet or rlogin traffic
but it can be used for another traffic too. The reset, watching, arp,
... features are common to all connections.
* Setting what connections you are interested in.
* Detecting an ongoing connection (not only SYN started).
* Normal active hijacking with the detection of the ACK storm.
* ARP spoofed/Normal hijacking with the detection of successful
* Synchronization of the true client with the server after
hijacking (so that the connection don’t have to be reset).
* Resetting connection.
* Watching connection.
* Reset daemon for automatic connection resetting. * ARP
spoof/relayer daemon for ARP spoofing of hosts with the ability
to relay all packets from spoofed hosts. * MAC discovery daemon
for collecting MAC addresses. * Sniff daemon for logging TCP
traffic with the ability to search for a particular string.
* Deferred host resolving through dedicated DNS helper servers.
* Extensible packet engine for watching TCP, UDP, ICMP and ARP
traffic. * Collecting TCP connections with sequence numbers and
the ACK storm detection.
Misc * Determining which hosts are up.
* Hosts on switched ports can be spoofed, sniffed and hijacked
COMMAND LINE PARAMETERS
-V Print Version
-v Verbose (print pids of created threads)
-i interface Listen on this interface. Default is eth0
Let me explain some technical issues which I use in hunt and which are
essential for understanding how it works and what you should expect.
The important terms are IP spoofing, ARP spoofing and ACK storm. Even
if you are familiar with them, you can get some new information.
You set the packet source address to the IP address of the host
you pretend to be.
You set the packet source hardware address (source MAC address)
to the address of the host you pretend to be.
Simple Active Attack against TCP connections - It is a well known type
of attack in which you send a packet with spoofed IP addresses
and possibly also with spoofed ARP addresses (true MAC addresses
of client and server - not fake ones as explained further). In
this way, you can force a command to the stream but you are
likely to receive the ACK storm (as explained further) unless
the original client host of the connection is running Linux.
I use this term also for forcing the remote host to think that
the host I want to be has a different MAC address so the remote
host sends replies to that MAC address and the original client
host is not able to receive them (but hunt is watching carefully
and handles all consequences) (Explaining how to force a host on
the network to think that the other host has a different MAC I
leave as an exercise - I encourage you to read the source code).
Please note that I use the term ARP spoofing instead of the term
ARP forcing or something like that. So don’t be confused, if I
say ARP spoofing, I mean using some MAC address of a host or
just some fake MAC address. Note that ARP spoofing (with my
meaning to force some MAC) doesn’t work on Solaris2.5 because it
has expiration timers on ARP entries so you can’t easily force
Solaris to drop an ARP entry. The entry usually expires after
20min or less (but you have a chance to force it and hunt
supports this mode). The expiration timers on Solaris are set
ndd -set /dev/ip ip_ire_flush_interval 60000 /* 1 min */
ndd -set /dev/arp arp_cleanup_interval 60 /* 1 min */
I encourage you to ask your netadmin to set the above values on
all Solaris machines. The Win95/NT4sp3, Linux2.0, OSF1 V4.0, HP-
UX10.20 are not protected in this way so you can easily use the
described technique on them (actually, they have timers, but
they are not operating like in Solaris; in fact, only Solaris is
the exception). Actually, hunt uses this technique such that it
wants to force a fake MAC of the server to the client and a fake
MAC of the client to the server. Then both the server and the
client are sending packets to that faked MACs (and hunt can of
course handle them). However, it is sufficient that only one
host has a fake MAC of the other host. The ACK storm can’t
occur in this situation either. So you can use this technique
even if one end is Solaris and the other isn’t. You will just
succeed in the other host and that is enough. So the only
problem is when the connection is between two Solaris machines.
However, if there is any root connection ongoing you can easily
push the commands suggested above without ARP spoofing to the
connection and alter the expiration timers of the ARP cache.
The ACK storm is caused by majority of TCP stacks (!!! Linux2.0
is an exception !!!). Let’s imagine that you send some data to
an ongoing connection to the server (as if sent by the client -
with expected seq. numbers, ... ). The server responds with the
acknowledgment of the data you sent but this acknowledgment is
received by the original client too. But from the original
client point of view, the server has acknowledged data that
doesn’t exist on the client. So something strange occurred and
the original client sends the "right" sequence number with ACK
to the server. But the TCP rules say that it is required to
generate an immediate acknowledgment when an out-of-order
segment is received. This ACK should not be delayed. So the
server sends the acknowledgment of non-existent data to the
client again. And the client responses, ... Only if the source
host of the connection is Linux then the ACK storm doesn’t
occur. Note that if you use ARP spoofing (forcing) then the ACK
storm can’t come because one or both ends will send packets with
fake MACs and those packets are received by hunt rather than by
the other host.
With a single properly constructed packet you can reset the
connection (RST flag in TCP header). Of course, you have to know
the sequence number but it is not a problem for hunt which is
watching all the time. You can reset server, client, or both.
When you reset only one end the other end is reset when it tries
to send data to the first host which will response with RST
because of the connection reset on it.
The simplest thing you can do is to silently sit in you chair
and watch hunt output about any connection which you choose from
Well, that’s one of the main features of hunt. If you put some
data to the TCP stream (through simple active attack or ARP
spoofing), you desynchronize the stream from the server/original
client point of view. After some work done on that connection
you can just reset it or you can try to synchronize both
original ends again. That is not an easy task. The user on the
client is prompted to type some chars and some chars are sent to
the client and server. The main goal of all stuff is to
synchronize the sequence numbers on both client and server
Switch/Segment traffic rerouting
With ARP spoofing you can even force switch so that it will send
you the traffic for hosts on another segment/switched port. This
is because a switch will think that the MAC belongs to your
port. Be careful if your switch has some security policy and
MACs have been explicitly set up on a per port basis - but in
fact I don’t ever see such a configuration on "ordinary"
Don’t be confused. I use this term for hunt daemon which is
responsible for inserting packets to the network (rerouting) of
all data it receives from ARP spoofed hosts.
Well, the hunt is now capable of watching and hijacking hosts
that are on switched ports. In common you can’t watch the hosts
traffic on switched ports but if you first ARP spoof them (with
ARP spoof daemon menu) you are able to look at the connections
that are between that hosts. First you do arp spoof and the
hosts will send you the traffic and from that time you can list
the connections between them, then you can watch and hijack
them. It is commonly accepted that the switches protect your
connections again inside intruders and spoofers. Well, that is
still true for carefully setuped switches. The switches that are
plugged to the LAN without any port security configuration are
useless in the job to protect your LAN.
The development model is based on a packet engine (hunt.c) which runs
in its own thread and captures packets from the network. The packet
engine collects information of TCP connections/starting/termination,
sequence numbers, and MAC addresses. It collects the MACs and seq.
numbers from the server point of view and separate MACs and seq.
numbers from the client point of view. So it is prepared for hijacking.
This information (seq. num., MAC,
Modules can register functions with the packet engine which are then
invoked when new packets are received. A module function determines if
the module is interested in a packet or not and can place the packet in
a module specific list of packets. A module function can also send
some packet to the network if it is desirable to do it very fast. The
module (usually in some other thread so it needs to be scheduled to be
run) then gets packets from the list and analyzes them. In this way,
you can easily develop modules which perform various activities.
Packets to be sent as a response to the network are described by
structures so you don’t have to care about some default fields or
checksums. At this time, functions for TCP, ICMP and ARP traffic are
already prepared. (UDP is missing because I don’t use it in any module)
A separate set of daemons is used for host resolving (DNS). That is
because the gethostbyname/gethostbyname_r function is protected by
mutex (As far as I know - it was so two years ago - I didn’t try it
now) so you can’t run it truly parallel in a multithreaded environment.
Therefore, the commonly used workaround is to fire up some helper
daemons through fork which will run gethostbyname.
Well, the user environment isn’t graphical but I believe that you will
In the title of all menus is some status information about hunt.
First, there is an indication with which menu you are working. Second,
the number of packets received by hunt is shown. Hunt pre-allocates
some buffers for packets; the status of free and allocated buffers is
displayed as the third value. The number of free buffers is low for a
high loaded network or the ACK storm or if you have poor hardware. In
my case, for example, the numbers 63/64 were normally indicated meaning
that only one buffer was used, but after the ACK storm, I have
something like 322/323. Note that the buffers once allocated are not
freed. The low number of free buffers can also mean some bug in hunt
but I think I carefully debugged all modules to this kind of bug. The
last indicator reports which daemons (actually threads) are running.
They are: R - reset daemon, Y - arp relayer, S - sniffer, M - MAC
discoverer. If you switch on the verbose option you get additional
information about how many packets were dropped - they were fragments
(see the bugs) or were malformed, and how many packets belong to other
protocols than TCP, UDP, ICMP and ARP. In the prompt for user input is
indicator that will tell you through ’*’ char that hunt added new
connection(s) to the connection list since last connection listening.
In all menus the x key works as escape. The network mask is
denoted by the ip_address/mask notation where mask is the number
of 1’s on the left side of the network mask. For example,
0.0.0.0/0 means everything and 192.168.32.10/32 means only that
For most modules is used:
l) list items
a) add item
m) modify item
d) delete item
They will be referred in this text as l) a) m) d)
You can obtain the list of connections tracked by the hunt
packet engine. Which connections are tracked is specified in
the options menu. You can interactively watch or reset these
connections. You can also perform hijacking on them (next two
ARP/Simple hijack offers you an interactive interface for the
insertion of data to the selected connection. You can perform
ARP spoofing for both connection ends, for only one end or you
can not to do it at all. If you don’t do ARP spoofing then you
probably receive the ACK storm after typing the first char.
When you do ARP spoofing, it is checked if it succeeds. If not,
you are prompted if you want to wait until it succeeds (you can
interrupt this waiting through CTRL-C of course). After
inserting some data to the connection you type CTRL-] and then
you can synchronize or reset the connection. If you choose
synchronization, the user is prompted to type some chars and
after he does so the connection will be in the synchronous
state. You can interrupt the synchronization process with CTRL-C
and then you can reset the connection. Note that CTRL-C is used
widely for interrupting an ongoing process. The CTRL-] (like
telnet) is used for finishing the interactive insertion of data
to the connection. The ARP/Simple hijack doesn’t automatically
reset the connection after it detects the ACK storm so you have
to do it yourself. Note also that ARP/Simple hijack works with
the ARP relayer (as described further) so that other connections
are not affected. Normally, if you ARP spoof two servers then
the ARP/Simple hijack handles only one selected connection
between these two hosts but other connections between these two
hosts look like they freeze. If you start the ARP relayer, then
these other connections are handled and rerouted through. So
other connections from one spoofed host to the other are not
affected at all. It is recommended to run ARP relayer if you do
ARP hijacking of two servers. Note that if you ARP spoof
(force) some client MAC to the server then only connections
going from the server to that client are affected. Other
connections from the server to other machines are untouched.
Simple hijack allows you to insert a command to the data stream
of the connection. When you insert the command, hunt waits for
it to complete up to a certain timeout and if the ACK storm
doesn’t occur, you are prompted for the next command. After
that, you can synchronize or reset the connection. Note that
you can use the interactive interface to simple hijack when you
use ARP/simple hijack without ARP spoofing but if you use full
interactive interface of ARP/simple hijack without ARP spoofing
you are likely to get the ACK storm immediately after typing the
first char. So this mode of hijacking is useful when you have to
deal with the ACK storm because it sends your data to the
connection in a single packet. When the ACK storm is in progress
it is very hard to deliver other packets from hunt to the server
as the network and server are congested.
I call them daemons but they are actually threads. All daemons can be
started and stooped. Don’t be surprised when you insert or modify some
rule in a daemon and it does nothing. The daemon is not running - you
have to start it. All daemons are by default stopped even though you
can alter the configuration. Common commands in the daemons menu are:
s) start the daemon
k) stop the daemon
l) list configuration items
a) add config. item
m) modify config. item
d) delete config. item
This daemon can be used to perform automatic resets of ongoing
connections that hunt can see. You can describe which
connections should be terminated by giving src/dst host/mask and
src/dst ports. The SYN flag off means that all specified
connections should be terminated (even ongoing). The SYN flag on
means that only newly started connections are reset. So the
connections that are in progress are not affected. Don’t forget
to start the daemon.
Here you can do ARP spoofing of hosts. You enter src and dst
addresses and desired srcMAC. The dst is then forced to think
that src has srcMAC. You can use some fake MAC or better MAC of
host that is currently down. You just want that the hosts will
send you all the data (so you can even look at packets that are
on a different segment or switched port that you will not
normally see) The ARP module looks carefully for packets which
will break ARP spoofing of hosts and handle them but you can
even specify the refresh interval for ARP spoofing but it is not
necessary to do it. Set the refresh interval only if you are
experienced with some bad or strange behavior of spoofed hosts.
Also there is the possibility to test the hosts for successful
spoof with the ability to force that spoof - it is recommended
to test the ARP spoof if something looks like it is wrong or the
computer doesn’t send the traffic to the hunt. The force option
is handful if the first spoofing packets are discarded with
switch so if you are running hunt against hosts on switched
ports you can try to run the force mode by example for 10s and
then break it with CTRL-C if the spoof continues to fail. The
ARP relayer daemon is used to perform ARP relaying of ARP
spoofed connections. When you insert some ARP spoof of hosts the
ARP spoofing is performed immediately even if the relayer isn’t
running!!!. But if the ARP spoofing succeeds, the connections
will look like they freeze. For rerouting (not IP routing !)
these connections through your hunt you need to start the ARP
relayer. The relayer works well with ARP/simple hijack so once
you have hosts ARP spoofed with ARP relaying you can easily do
ARP/simple hijack which will detect that the hosts are already
ARP spoofed and takes over the connection immediately. With this
technique you can easily become man in the middle from the
beginning of the connection even though your host with hunt
isn’t an IP gateway. I encourage you to write other application
specific protocol handlers for the man in the middle attack as
it is really simple with this framework.
The purpose of the sniff daemon is to log specified packets.
The sniff daemon can also search for a simple pattern (string)
in the data stream (see the bugs section). You can specify which
connection you are interested in, where to search (src, dst,
both), what do you want to search, how many bytes you want to
log, from what direction (src, dst, both) and to what file
should the daemon write. All logged files are stored in the
.sniff directory. The default file name for logging is composed
of the host and port,0a(as.new-linesporoas hexmnum.).u can set
how to log new lines (
MAC discovery daemon
This daemon is used to collect MAC addresses corresponding to
the specified IP range. You can enter the time after which the
daemon will try collecting again (default is 5min).
Host up menu
The host up module determines which hosts are up (with TCP/IP
stack). You just specify the IP range and that space is then
searched for running hosts. It is capable to determine which
hosts have network interface in promiscuous mode. The
promiscuous mode usually shows that the host is running some
kind of sniffer/network analyzer.
In the options menu you can tune different things:
l) a) m) d)
List/Add/Mod/Del Connection Policy Entry
First of all you can select which connections should be tracked.
The default setting is to look at telnet connections from all
hosts but you can adjust this behavior by the specification of
src/dst address/mask src/dst port pairs. With commands: l) a) m)
d) you set what you are interested in.
c) Connection Listening Properties
You can set whether the sequence numbers and MACs of ongoing
connections will be displayed during connection listening.
h) Host Resolving
You can turn on resolving of hosts to their names. As the
resolving is deferred you don’t get the names of hosts
immediately. Just try to list connections several times and you
will see the hosts names. (I used this deferred approach because
I didn’t want any delay of interface that the resolving can
r) Reset ACK Storm Timeout
This timeout is used in simple hijack to automatically reset the
connection after the ACK storm is detected. Note that you can
receive the ACK storm even in arp/simple hijack in case you
don’t perform ACK spoofing of any host.
s) Simple Hijack Timeout For Next cmd
Simple hijack has not an interactive connection interface. That
means you write the whole command which will be inserted into
the connection data stream. If no data is transferred through
the connection up to this timeout, you are prompted for the next
q) ARP Request/Reply Packets
Number of request or reply packets hunt will send when it is
doing arp spoofing.
t) ARP Request Spoof Through Request
Option whether hunt will send ARP spoof request or ARP spoof
reply when it receives broadcasted ARP request which will break
w) Switched Environment
Some optimization for switched environment. It works perfectly
for non switched environment also.
y) ARP Spoof With My MAC
Set the originating MAC address of sent spoofed ARP to my (hunt)
ethernet MAC - sometimes helps in switched environment.
e) Learn MAC From IP Traffic
You can enable that MAC addresses will be learned from all IP
traffic not just from ARP.
p) Number Of Printed Lines Per Page In Listening
v) Verbose On/Off
HUNT program requirements:
* Linux >= 2.2
* Glibc with linuxthreads
Linux 2.0, Linux 2.1, Linux 2.2, Solaris 2.5.1, NT4sp3/4, Win95, OSF
V4.0D, HPUX 10.20, IRIX 6.2
Tested network equipment:
BayNetworks 28115, 28200, 300 switches 3Com SuperStack II 3000, 1000
Please note the already known truth that telnet and similar programs
which send passwords in clear text are vulnerable to the described
attacks. Programs using one time passwords are also easily attacked and
in fact they are useless if someone can run a program like hunt. Only
full encrypted traffic isn’t vulnerable to these attacks but note that
you can become a man in the middle if you use ARP spoofing (forcing)
without the ACK storm and you can try to do something. Also
unconfigured switch doesn’t protect you from sniffing or hijacking. It
is necessary to carefully configure port security on the switches in
order to protect the computers on the switched ports.
Detecting attacks isn’t an easy task. For ARP spoofing there are tools
which can detect it. The ACK storm is detectable by some sophisticated
network analyzers (you can detect the pattern of the ACK storm or the
statistics of ACKs without data). If you run hunt on your network you
can detect the ACK storm because the hunt can detect the ACK storm
Make sure you are running hunt on idle machine with sufficient power (I
used PII-233 with 128MB RAM) and without any other packet analyzer
because if you use advanced features like arp spoofing or hijacking
hunt needs to reply fast with it’s own packets inserted into the
traffic on the network.
This software can be found at http://www.gncz.cz/kra/index.html
* some structures are poorly locked through mutexes
* if you watch connection then some escape sequences from that
connection can influent your terminal. Note that your terminal is named
"Linux" ("xterm" - if you run it from X, ...) but the escape sequences
are for the client side terminal which may or may not be Linux so you
can get some mess.
* sniff is not capable to search for a pattern which crosses the packet
boundary. That means it can’t search for a pattern of the user typed
input as this input is usually transferred with 1B data long packets.
* hunt doesn’t support defragmentation so the IP fragments have to be
BUG FIXES, SUGGESTIONS
Please send bug descriptions, patches, suggestions, new modules or
successful stories to email@example.com
I would like to thank Sven Ubik < firstname.lastname@example.org > for his
invaluable input and feedback.
Note that this software was written only for my fun in my free time and
it was a great exercise of TCP/IP protocols. I am now familiar with
seq. numbers, ACKs, timeouts, MACs, checksums, ... to the finest level.
As I have some pretty good background this "hunt" challenge made me
think that I hadn’t known TCP/IP as great as I had thought. You are
welcome to read the source code and to try to modify it or write your
This manpage was converted from internal documentation by Jon Marler <
email@example.com > for the Debian GNU/Linux operating system.