Man Linux: Main Page and Category List

NAME

       hunt - Network security auditing tool.

SYNOPSIS

       hunt [-V]  [-v] [-i interface]

DESCRIPTION

       This  manual page documents briefly the hunt command.  This manual page
       was written for the Debian GNU/Linux distribution because the  original
       program  does not have a manual page.  Instead, it has documentation in
       the GNU Info format; see below.

READ FIRST

       Please make sure you KNOW what you are doing before using hunt.  It  is
       recommended   that  you  should  test  how  it  behaves  on  some  test
       connections and then use it wisely. You may want  to  select  "options"
       and  then "add conn policy entry" as by default only telnet connections
       are monitored.

OVERVIEW

       Hunt is a program for intruding into  a  connection,  watching  it  and
       resetting  it.  It  has  several  features,  which I didn’t find in any
       product like Juggernaut or T-sight that inspired me in my  development.
       I  found  Juggernaut  not  flexible enough for further development so I
       started from scratch (see FEATURES and  DESIGN  OVERVIEW).   Note  that
       hunt  is  operating  on Ethernet and is best used for connections which
       can be watched through it. However, it is possible to do something even
       for hosts on another segments or hosts that are on switched ports.  The
       hunt  doesn’t  distinguish  between  local  network   connections   and
       connections  going  to/from  Internet. It can handle all connections it
       sees.

       Connection hijacking is aimed primarily at the telnet or rlogin traffic
       but  it can be used for another traffic too.  The reset, watching, arp,
       ... features are common to all connections.

FEATURES

       Connection Management
              * Setting what connections you are interested in.
              * Detecting an ongoing connection (not only SYN started).
              * Normal active hijacking with the detection of the ACK storm.
              * ARP spoofed/Normal hijacking with the detection of  successful
              ARP spoof.
              *  Synchronization  of  the  true  client  with the server after
              hijacking (so that the connection don’t have to be reset).
              * Resetting connection.
              * Watching connection.

       Daemons
              * Reset  daemon  for  automatic  connection  resetting.   *  ARP
              spoof/relayer  daemon for ARP spoofing of hosts with the ability
              to relay all packets from spoofed hosts.  * MAC discovery daemon
              for  collecting  MAC  addresses.  * Sniff daemon for logging TCP
              traffic with the ability to search for a particular string.

       Host Resolving
              * Deferred host resolving through dedicated DNS helper  servers.

       Packet Engine
              *  Extensible  packet engine for watching TCP, UDP, ICMP and ARP
              traffic.  * Collecting TCP connections with sequence numbers and
              the ACK storm detection.

       Misc   * Determining which hosts are up.

       Switched Environment
              *  Hosts  on switched ports can be spoofed, sniffed and hijacked
              too.

COMMAND LINE PARAMETERS

       -V Print Version
       -v Verbose (print pids of created threads)
       -i interface Listen on this interface. Default is eth0

TECHNICAL EXPLANATION

       Let me explain some technical issues which I use in hunt and which  are
       essential  for  understanding  how it works and what you should expect.
       The important terms are IP spoofing, ARP spoofing and ACK storm.   Even
       if you are familiar with them, you can get some new information.

       IP spoofing
              You  set the packet source address to the IP address of the host
              you pretend to be.

       ARP spoofing
              You set the packet source hardware address (source MAC  address)
              to the address of the host you pretend to be.

       Simple Active Attack against TCP connections - It is a well known type
              of  attack  in which you send a packet with spoofed IP addresses
              and possibly also with spoofed ARP addresses (true MAC addresses
              of  client  and server - not fake ones as explained further). In
              this way, you can force a command to  the  stream  but  you  are
              likely  to  receive  the ACK storm (as explained further) unless
              the original client host of the connection is running Linux.

       ARP spoofing
              I use this term also for forcing the remote host to  think  that
              the  host I want to be has a different MAC address so the remote
              host sends replies to that MAC address and the  original  client
              host is not able to receive them (but hunt is watching carefully
              and handles all consequences) (Explaining how to force a host on
              the  network  to think that the other host has a different MAC I
              leave as an exercise - I encourage you to read the source code).
              Please note that I use the term ARP spoofing instead of the term
              ARP forcing or something like that. So don’t be confused,  if  I
              say  ARP  spoofing,  I  mean using some MAC address of a host or
              just some fake MAC address. Note  that  ARP  spoofing  (with  my
              meaning to force some MAC) doesn’t work on Solaris2.5 because it
              has expiration timers on ARP entries so you can’t  easily  force
              Solaris  to  drop  an ARP entry. The entry usually expires after
              20min or less (but you have  a  chance  to  force  it  and  hunt
              supports  this  mode).  The expiration timers on Solaris are set
              by:

              ndd -set /dev/ip ip_ire_flush_interval 60000 /* 1 min */
              ndd -set /dev/arp arp_cleanup_interval 60 /* 1 min */

              I encourage you to ask your netadmin to set the above values  on
              all Solaris machines. The Win95/NT4sp3, Linux2.0, OSF1 V4.0, HP-
              UX10.20 are not protected in this way so you can easily use  the
              described  technique  on  them  (actually, they have timers, but
              they are not operating like in Solaris; in fact, only Solaris is
              the  exception). Actually, hunt uses this technique such that it
              wants to force a fake MAC of the server to the client and a fake
              MAC  of  the  client to the server. Then both the server and the
              client are sending packets to that faked MACs (and hunt  can  of
              course  handle  them).   However, it is sufficient that only one
              host has a fake MAC of the other  host.   The  ACK  storm  can’t
              occur  in  this  situation either. So you can use this technique
              even if one end is Solaris and the other isn’t.  You  will  just
              succeed  in  the  other  host  and  that  is enough. So the only
              problem is when the connection is between two Solaris  machines.
              However,  if there is any root connection ongoing you can easily
              push the commands suggested above without ARP  spoofing  to  the
              connection and alter the expiration timers of the ARP cache.

       ACK Storm
              The ACK storm is caused by majority of TCP stacks (!!!  Linux2.0
              is an exception !!!). Let’s imagine that you send some  data  to
              an  ongoing connection to the server (as if sent by the client -
              with expected seq.  numbers, ... ). The server responds with the
              acknowledgment  of  the data you sent but this acknowledgment is
              received by the original  client  too.  But  from  the  original
              client  point  of  view,  the  server has acknowledged data that
              doesn’t exist on the client. So something strange  occurred  and
              the  original  client sends the "right" sequence number with ACK
              to the server.  But the TCP rules say that  it  is  required  to
              generate   an  immediate  acknowledgment  when  an  out-of-order
              segment is received. This ACK should  not  be  delayed.  So  the
              server  sends  the  acknowledgment  of  non-existent data to the
              client again. And the client responses, ...  Only if the  source
              host  of  the  connection  is  Linux  then the ACK storm doesn’t
              occur. Note that if you use ARP spoofing (forcing) then the  ACK
              storm can’t come because one or both ends will send packets with
              fake MACs and those packets are received by hunt rather than  by
              the other host.

       Connection Reset
              With  a  single  properly  constructed  packet you can reset the
              connection (RST flag in TCP header). Of course, you have to know
              the  sequence  number  but it is not a problem for hunt which is
              watching all the time. You can reset server,  client,  or  both.
              When you reset only one end the other end is reset when it tries
              to send data to the first host  which  will  response  with  RST
              because of the connection reset on it.

       Connection sniffing/watching
              The  simplest  thing  you can do is to silently sit in you chair
              and watch hunt output about any connection which you choose from
              the list.

       Connection Synchronization
              Well,  that’s  one of the main features of hunt. If you put some
              data to the TCP stream (through  simple  active  attack  or  ARP
              spoofing), you desynchronize the stream from the server/original
              client point of view. After some work done  on  that  connection
              you  can  just  reset  it  or  you  can  try to synchronize both
              original ends again. That is not an easy task. The user  on  the
              client is prompted to type some chars and some chars are sent to
              the client and  server.  The  main  goal  of  all  stuff  is  to
              synchronize  the  sequence  numbers  on  both  client and server
              again.

       Switch/Segment traffic rerouting
              With ARP spoofing you can even force switch so that it will send
              you the traffic for hosts on another segment/switched port. This
              is because a switch will think that  the  MAC  belongs  to  your
              port.  Be  careful  if  your switch has some security policy and
              MACs have been explicitly set up on a per port basis  -  but  in
              fact  I  don’t  ever  see  such  a  configuration  on "ordinary"
              network.

       ARP-relay daemon
              Don’t be confused. I use this term  for  hunt  daemon  which  is
              responsible  for inserting packets to the network (rerouting) of
              all data it receives from ARP spoofed hosts.

       Switched environment
              Well, the hunt is now capable of watching  and  hijacking  hosts
              that  are on switched ports. In common you can’t watch the hosts
              traffic on switched ports but if you first ARP spoof them  (with
              ARP  spoof  daemon menu) you are able to look at the connections
              that are between that hosts. First you  do  arp  spoof  and  the
              hosts  will send you the traffic and from that time you can list
              the connections between them, then  you  can  watch  and  hijack
              them.  It  is  commonly  accepted that the switches protect your
              connections again inside intruders and spoofers. Well,  that  is
              still true for carefully setuped switches. The switches that are
              plugged to the LAN without any port security  configuration  are
              useless in the job to protect your LAN.

DESIGN OVERVIEW

       The  development  model is based on a packet engine (hunt.c) which runs
       in its own thread and captures packets from  the  network.  The  packet
       engine  collects  information  of TCP connections/starting/termination,
       sequence numbers,  and MAC addresses. It collects  the  MACs  and  seq.
       numbers  from  the  server  point  of  view  and separate MACs and seq.
       numbers from the client point of view. So it is prepared for hijacking.
       This information (seq. num., MAC,

       Modules  can  register  functions with the packet engine which are then
       invoked when new packets are received. A module function determines  if
       the module is interested in a packet or not and can place the packet in
       a module specific list of packets. A  module  function  can  also  send
       some  packet  to the network if it is desirable to do it very fast. The
       module (usually in some other thread so it needs to be scheduled to  be
       run)  then  gets  packets from the list and analyzes them. In this way,
       you can easily develop modules which perform various activities.

       Packets to be sent as a  response  to  the  network  are  described  by
       structures  so  you  don’t  have  to  care about some default fields or
       checksums. At this time, functions for TCP, ICMP and  ARP  traffic  are
       already prepared. (UDP is missing because I don’t use it in any module)

       A separate set of daemons is used for host  resolving  (DNS).  That  is
       because  the  gethostbyname/gethostbyname_r  function  is  protected by
       mutex (As far as I know - it was so two years ago -  I  didn’t  try  it
       now) so you can’t run it truly parallel in a multithreaded environment.
       Therefore, the commonly used workaround  is  to  fire  up  some  helper
       daemons through fork which will run gethostbyname.

USER ENVIRONMENT

       Well,  the user environment isn’t graphical but I believe that you will
       like it.

       In the title of all  menus  is  some  status  information  about  hunt.
       First,  there is an indication with which menu you are working. Second,
       the number of packets received by hunt  is  shown.  Hunt  pre-allocates
       some  buffers  for packets; the status of free and allocated buffers is
       displayed as the third value. The number of free buffers is low  for  a
       high  loaded  network or the ACK storm or if you have poor hardware. In
       my case, for example, the numbers 63/64 were normally indicated meaning
       that  only  one  buffer  was  used,  but  after  the  ACK storm, I have
       something like 322/323. Note that the buffers once  allocated  are  not
       freed.  The  low  number of free buffers can also mean some bug in hunt
       but I think I carefully debugged all modules to this kind of  bug.  The
       last  indicator  reports  which daemons (actually threads) are running.
       They are: R - reset daemon, Y - arp relayer,  S  -  sniffer,  M  -  MAC
       discoverer.  If  you  switch  on  the verbose option you get additional
       information about how many packets were dropped - they  were  fragments
       (see  the bugs) or were malformed, and how many packets belong to other
       protocols than TCP, UDP, ICMP and ARP.  In the prompt for user input is
       indicator  that  will  tell  you  through  ’*’ char that hunt added new
       connection(s) to the connection list since last connection listening.

       General interface
              In all menus the x key works as escape.   The  network  mask  is
              denoted by the ip_address/mask notation where mask is the number
              of 1’s on the left  side  of  the  network  mask.  For  example,
              0.0.0.0/0  means everything and 192.168.32.10/32 means only that
              host.

              For most modules is used:
              l) list items
              a) add item
              m) modify item
              d) delete item
              They will be referred in this text as l) a) m) d)

       List/Watch/Reset connection
              You can obtain the list  of  connections  tracked  by  the  hunt
              packet  engine.   Which  connections are tracked is specified in
              the options menu. You can interactively  watch  or  reset  these
              connections.  You  can  also perform hijacking on them (next two
              menu items).

       ARP/Simple hijack
              ARP/Simple hijack offers you an interactive  interface  for  the
              insertion  of  data  to the selected connection. You can perform
              ARP spoofing for both connection ends, for only one end  or  you
              can  not  to do it at all. If you don’t do ARP spoofing then you
              probably receive the ACK storm  after  typing  the  first  char.
              When  you do ARP spoofing, it is checked if it succeeds. If not,
              you are prompted if you want to wait until it succeeds (you  can
              interrupt   this   waiting  through  CTRL-C  of  course).  After
              inserting some data to the connection you type CTRL-]  and  then
              you  can  synchronize  or  reset  the connection.  If you choose
              synchronization, the user is prompted to  type  some  chars  and
              after  he  does  so  the  connection  will be in the synchronous
              state. You can interrupt the synchronization process with CTRL-C
              and  then you can reset the connection. Note that CTRL-C is used
              widely for interrupting an ongoing  process.  The  CTRL-]  (like
              telnet)  is used for finishing the interactive insertion of data
              to the connection. The ARP/Simple hijack  doesn’t  automatically
              reset  the connection after it detects the ACK storm so you have
              to do it yourself. Note also that ARP/Simple hijack  works  with
              the ARP relayer (as described further) so that other connections
              are not affected. Normally, if you ARP spoof  two  servers  then
              the  ARP/Simple  hijack  handles  only  one  selected connection
              between these two hosts but other connections between these  two
              hosts  look like they freeze. If you start the ARP relayer, then
              these other connections are handled  and  rerouted  through.  So
              other  connections  from  one  spoofed host to the other are not
              affected at all. It is recommended to run ARP relayer if you  do
              ARP  hijacking  of  two  servers.   Note  that  if you ARP spoof
              (force) some client MAC to  the  server  then  only  connections
              going  from  the  server  to  that  client  are  affected. Other
              connections from the server to other machines are untouched.

       Simple hijack
              Simple hijack allows you to insert a command to the data  stream
              of  the  connection. When you insert the command, hunt waits for
              it to complete up to a certain timeout  and  if  the  ACK  storm
              doesn’t  occur,  you  are  prompted  for the next command. After
              that, you can synchronize or reset the  connection.   Note  that
              you  can use the interactive interface to simple hijack when you
              use ARP/simple hijack without ARP spoofing but if you  use  full
              interactive  interface of ARP/simple hijack without ARP spoofing
              you are likely to get the ACK storm immediately after typing the
              first char. So this mode of hijacking is useful when you have to
              deal with the ACK storm  because  it  sends  your  data  to  the
              connection in a single packet. When the ACK storm is in progress
              it is very hard to deliver other packets from hunt to the server
              as the network and server are congested.

DAEMONS

       I  call them daemons but they are actually threads.  All daemons can be
       started and stooped. Don’t be surprised when you insert or modify  some
       rule  in  a daemon and it does nothing. The daemon is not running - you
       have to start it. All daemons are by default stopped  even  though  you
       can alter the configuration. Common commands in the daemons menu are:

              s) start the daemon
              k) stop the daemon
              l) list configuration items
              a) add config. item
              m) modify config. item
              d) delete config. item

       Reset daemon
              This  daemon  can be used to perform automatic resets of ongoing
              connections  that  hunt  can  see.  You   can   describe   which
              connections should be terminated by giving src/dst host/mask and
              src/dst ports.  The  SYN  flag  off  means  that  all  specified
              connections should be terminated (even ongoing). The SYN flag on
              means that only newly started  connections  are  reset.  So  the
              connections  that are in progress are not affected. Don’t forget
              to start the daemon.

       ARP daemon
              Here you can do ARP spoofing of hosts. You  enter  src  and  dst
              addresses  and  desired  srcMAC. The dst is then forced to think
              that src has srcMAC. You can use some fake MAC or better MAC  of
              host  that  is currently down. You just want that the hosts will
              send you all the data (so you can even look at packets that  are
              on  a  different  segment  or  switched  port  that you will not
              normally see) The ARP module looks carefully for  packets  which
              will  break  ARP  spoofing  of hosts and handle them but you can
              even specify the refresh interval for ARP spoofing but it is not
              necessary  to  do  it.  Set the refresh interval only if you are
              experienced with some bad or strange behavior of spoofed  hosts.
              Also  there  is the possibility to test the hosts for successful
              spoof with the ability to force that spoof - it  is  recommended
              to test the ARP spoof if something looks like it is wrong or the
              computer doesn’t send the traffic to the hunt. The force  option
              is  handful  if  the  first  spoofing packets are discarded with
              switch so if you are running  hunt  against  hosts  on  switched
              ports  you  can try to run the force mode by example for 10s and
              then break it with CTRL-C if the spoof continues to  fail.   The
              ARP  relayer  daemon  is  used  to  perform  ARP relaying of ARP
              spoofed connections. When you insert some ARP spoof of hosts the
              ARP  spoofing is performed immediately even if the relayer isn’t
              running!!!. But if the ARP spoofing  succeeds,  the  connections
              will  look  like  they  freeze. For rerouting (not IP routing !)
              these connections through your hunt you need to  start  the  ARP
              relayer.  The  relayer works well with ARP/simple hijack so once
              you have hosts ARP spoofed with ARP relaying you can  easily  do
              ARP/simple  hijack  which will detect that the hosts are already
              ARP spoofed and takes over the connection immediately. With this
              technique  you  can  easily  become  man  in the middle from the
              beginning of the connection even  though  your  host  with  hunt
              isn’t  an IP gateway. I encourage you to write other application
              specific protocol handlers for the man in the middle  attack  as
              it is really simple with this framework.

       Sniff daemon
              The  purpose  of  the  sniff daemon is to log specified packets.
              The sniff daemon can also search for a simple  pattern  (string)
              in the data stream (see the bugs section). You can specify which
              connection you are interested in, where  to  search  (src,  dst,
              both),  what  do  you want to search, how many bytes you want to
              log, from what direction (src,  dst,  both)  and  to  what  file
              should  the  daemon  write.  All  logged files are stored in the
              .sniff directory. The default file name for logging is  composed
              of  the  host and port,0a(as.new-linesporoas hexmnum.).u can set
              how to log new lines (

       MAC discovery daemon
              This daemon is used to collect MAC  addresses  corresponding  to
              the  specified  IP range. You can enter the time after which the
              daemon will try collecting again (default is 5min).

       Host up menu
              The host up module determines which hosts are  up  (with  TCP/IP
              stack).   You  just  specify the IP range and that space is then
              searched for running hosts.  It is capable  to  determine  which
              hosts   have   network   interface   in  promiscuous  mode.  The
              promiscuous mode usually shows that the  host  is  running  some
              kind of sniffer/network analyzer.

       Options menu
              In the options menu you can tune different things:

       l) a) m) d)
              List/Add/Mod/Del Connection Policy Entry
              First of all you can select which connections should be tracked.
              The default setting is to look at telnet  connections  from  all
              hosts  but  you can adjust this behavior by the specification of
              src/dst address/mask src/dst port pairs. With commands: l) a) m)
              d) you set what you are interested in.

       c)     Connection Listening Properties
              You  can  set  whether the  sequence numbers and MACs of ongoing
              connections will be displayed during connection listening.

       h)     Host Resolving
              You can turn on resolving  of  hosts  to  their  names.  As  the
              resolving   is  deferred  you  don’t  get  the  names  of  hosts
              immediately.  Just try to list connections several times and you
              will see the hosts names. (I used this deferred approach because
              I didn’t want any delay of  interface  that  the  resolving  can
              cause).

       r)     Reset ACK Storm Timeout
              This timeout is used in simple hijack to automatically reset the
              connection after the ACK storm is detected. Note  that  you  can
              receive  the  ACK  storm  even  in arp/simple hijack in case you
              don’t perform ACK spoofing of any host.

       s)     Simple Hijack Timeout For Next cmd
              Simple hijack has not an interactive connection interface.  That
              means  you  write  the whole command which will be inserted into
              the connection data stream. If no data  is  transferred  through
              the connection up to this timeout, you are prompted for the next
              command.

       q)     ARP Request/Reply Packets
              Number of request or reply packets hunt will  send  when  it  is
              doing arp spoofing.

       t)     ARP Request Spoof Through Request
              Option  whether  hunt  will  send ARP spoof request or ARP spoof
              reply when it receives broadcasted ARP request which will  break
              ARP spoof.

       w)     Switched Environment
              Some  optimization  for switched environment. It works perfectly
              for non switched environment also.

       y)     ARP Spoof With My MAC
              Set the originating MAC address of sent spoofed ARP to my (hunt)
              ethernet MAC - sometimes helps in switched environment.

       e)     Learn MAC From IP Traffic
              You  can  enable  that MAC addresses will be learned from all IP
              traffic not just from ARP.

       p)     Number Of Printed Lines Per Page In Listening
              Self explanatory

       v)     Verbose On/Off
              Self explanatory

TESTED ENVIRONMENT

       HUNT program requirements:
       * Linux >= 2.2
       * Glibc with linuxthreads
       * Ethernet

       Tested hosts:
       Linux 2.0, Linux 2.1, Linux 2.2, Solaris 2.5.1,  NT4sp3/4,  Win95,  OSF
       V4.0D, HPUX 10.20, IRIX 6.2

       Tested network equipment:
       BayNetworks  28115,  28200,  300 switches 3Com SuperStack II 3000, 1000
       switches

SECURITY NOTES

       Please note the already known truth that telnet  and  similar  programs
       which  send  passwords  in  clear  text are vulnerable to the described
       attacks. Programs using one time passwords are also easily attacked and
       in  fact  they are useless if someone can run a program like hunt. Only
       full encrypted traffic isn’t vulnerable to these attacks but note  that
       you  can  become  a man in the middle if you use ARP spoofing (forcing)
       without  the  ACK  storm  and  you  can  try  to  do  something.   Also
       unconfigured  switch doesn’t protect you from sniffing or hijacking. It
       is necessary to carefully configure port security on  the  switches  in
       order to protect the computers on the switched ports.

       Detecting  attacks isn’t an easy task. For ARP spoofing there are tools
       which can detect it. The ACK storm is detectable by some  sophisticated
       network  analyzers  (you can detect the pattern of the ACK storm or the
       statistics of ACKs without data). If you run hunt on your  network  you
       can  detect  the  ACK  storm  because the hunt can detect the ACK storm
       pattern.

PERFORMANCE NOTE

       Make sure you are running hunt on idle machine with sufficient power (I
       used  PII-233  with  128MB  RAM)  and without any other packet analyzer
       because if you use advanced features like  arp  spoofing  or  hijacking
       hunt  needs  to  reply  fast  with  it’s  own packets inserted into the
       traffic on the network.

DOWNLOAD

       This software can be found at http://www.gncz.cz/kra/index.html
       or at
       ftp://ftp.gncz.cz/pub/linux/hunt/

KNOWN BUGS

       * some structures are poorly locked through mutexes
       * if  you  watch  connection  then  some  escape  sequences  from  that
       connection can influent your terminal. Note that your terminal is named
       "Linux" ("xterm" - if you run it from X, ...) but the escape  sequences
       are  for  the client side terminal which may or may not be Linux so you
       can get some mess.
       * sniff is not capable to search for a pattern which crosses the packet
       boundary.  That  means  it can’t search for a pattern of the user typed
       input as this input is usually transferred with 1B data long packets.
       * hunt doesn’t support defragmentation so the IP fragments have  to  be
       dropped.

BUG FIXES, SUGGESTIONS

       Please  send  bug  descriptions,  patches,  suggestions, new modules or
       successful stories to kra@gncz.cz

ACKNOWLEDGMENTS

       I would  like  to  thank  Sven  Ubik  <  ubik@fsid.cvut.cz  >  for  his
       invaluable input and feedback.

FINAL WORD

       Note that this software was written only for my fun in my free time and
       it was a great exercise of TCP/IP protocols. I  am  now  familiar  with
       seq. numbers, ACKs, timeouts, MACs, checksums, ... to the finest level.
       As I have some pretty good background this  "hunt"  challenge  made  me
       think  that  I  hadn’t  known TCP/IP as great as I had thought. You are
       welcome to read the source code and to try to modify it or  write  your
       own modules.

DEBIAN

       This  manpage was converted from internal documentation by Jon Marler <
       jmarler@debian.org > for the Debian GNU/Linux operating system.