Saturday, November 28, 2009

Ngrep

Ngrep is a basic packet sniffer whose main feature is the ability to filter network packets, searching (grep-style) for given strings in the packets crossing a network and displaying the matching packets' content in a readable format. Think of it as Unix grep applied to network streams. Ngrep uses standard tcpdump (BPF) filters: host 192.168.1.1, port 80, etc.

Examples:

# ngrep -d eth0 port 80 // displays all port 80 traffic on interface eth0

# ngrep -d eth0 "google.ca" port 80 // searches the payload of port 80 traffic for the string google.ca (the pattern is a regular expression, so each dot also matches any single character)

# ngrep -d eth0 ".*\.google\.ca" port 80 // searches port 80 traffic for any hostname ending in .google.ca. The pattern is a regular expression, not a shell glob: ".*" means "anything", and the dots in the domain are escaped so they match literally (a bare leading "*" has no meaning in a regular expression).

For more readable output, add the "-W byline" option:

# ngrep -d eth0 -W byline "msn.com" port 80

To search for more than one string:

# ngrep -d eth0 -W byline -i "pass|USER" -n 2 port 80 // searches for the string 'pass' or 'USER'. "-i" ignores the case of pass or USER. "-n 2" matches only 2 packets in total (any number can be specified), then exits.

# ngrep -n 2 -q -d eth0 -W byline -wi "pass|USER" port 80 // searches for the string 'pass' or 'USER'. "-i" ignores the case of pass or USER. "-w" tells ngrep to match the string only as a whole word (so "password" or "passport" would not match 'pass'). "-q" is quiet mode: don't output any information other than packet headers and their payloads (if relevant).

The following picks the password lines out of logins sent over plain HTTP:

# ngrep -d eth0 -W byline -i "pass|USER" port 80 |grep pass
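To make concrete what the options above actually do, here is a small Python re-implementation of ngrep's core loop. This is an added example, not ngrep's own code or part of the original post: it decodes IPv4/TCP packets, applies a "port N" filter, and regex-searches only the layer-4 payload with the -i, -w and -n semantics used above, over constructed sample packets (the addresses and payloads are made up).

```python
import re
import struct

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header + payload (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return ip + tcp + payload

def parse_ipv4(raw):
    """Decode an IPv4 packet carrying TCP or UDP; ngrep's regex only ever sees the L4 payload."""
    proto, l4 = raw[9], raw[(raw[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        hlen = (l4[12] >> 4) * 4          # TCP data offset, in 32-bit words
    elif proto == 17:
        hlen = 8                          # UDP header is fixed size
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    return {"proto": "TCP" if proto == 6 else "UDP", "sport": sport, "dport": dport,
            "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "payload": l4[hlen:]}

def ngrep_like(raw_packets, pattern, port=None, ignore_case=False, word=False, max_matches=None):
    """Mimic `ngrep [-i] [-w] [-n N] '<pattern>' port <port>`; returns a list of (packet, matched text)."""
    regex = re.compile(rf"\b(?:{pattern})\b" if word else pattern,   # -w: whole-word match
                       re.IGNORECASE if ignore_case else 0)         # -i: case-insensitive
    hits = []
    for raw in raw_packets:
        pkt = parse_ipv4(raw)
        if port is not None and port not in (pkt["sport"], pkt["dport"]):
            continue                      # BPF 'port N' matches either direction
        m = regex.search(pkt["payload"].decode("latin-1"))
        if m:
            hits.append((pkt, m.group(0)))
            if max_matches is not None and len(hits) >= max_matches:
                break                     # -n N: stop after N matching packets
    return hits

# Constructed sample traffic: a plain-HTTP login POST, an unrelated GET whose URL contains "passport", and a POP3 USER command.
SAMPLE = [
    build_ipv4_tcp("10.0.0.5", "198.51.100.7", 51000, 80,
                   b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=bob&pass=hunter2\r\n"),
    build_ipv4_tcp("10.0.0.5", "198.51.100.7", 51001, 80, b"GET /passport.html HTTP/1.1\r\n\r\n"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 51002, 110, b"USER alice\r\n"),
]

if __name__ == "__main__":               # same query as the -wi "pass|USER" example above
    for pkt, hit in ngrep_like(SAMPLE, "pass|USER", port=80, ignore_case=True, word=True):
        print(f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}  matched "{hit}"')
```

Running it shows why -w matters: without it, the harmless /passport.html request also matches 'pass', and why -i matters: without it, a lowercase "user=" field is missed.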

More examples, copied from: http://www.brandonhutchinson.com/ngrep.html

Usage examples:
ngrep '' udp (print all UDP packets)
ngrep '' icmp (print all ICMP packets)
ngrep '' port 53 (print TCP or UDP port 53 packets)
ngrep '' tcp port 23 (print TCP port 23 packets)
ngrep 'LILWORLD' port 138 (print Microsoft browsing traffic for NT domain LILWORLD)
ngrep -iq 'rcpt to|mail from' tcp port 25 (monitor current delivery and print sender and recipients)
ngrep 'user' port 110 (monitor POP3)
ngrep -q 'abcd' icmp (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a Microsoft operating system?)
ngrep -iq 'user-agent' tcp port 80 (determine which client application the client host is running)
ngrep '220' port 21 (determine version of FTP server)
ngrep 'SSH' port 22 (investigate Secure Shell)
ngrep -v '' port 23 (see all traffic but telnet)

Resources/Good reading:
http://ngrep.sourceforge.net/usage.html
http://www.linux.com/archive/articles/46268
http://www.security-freak.net/tools/ngrep/ngrep.html
http://www.brandonhutchinson.com/ngrep.html
