
Thread: computer ports

  1. #1
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422

    computer ports

    I was reading this thread
    http://www.antionline.com/showthread...hreadid=271877

    The second post read:
    5. I do not know about login sessions, but all chats are clear text unless you specifically set up AIM to be encrypted. MSN and Yahoo don't have any first party encryption, but there are 3rd party tools, only problem being both sides of the conversation must be using the software.
    I used netstat to get what port AIM was on and was wondering how you would read the information that you get on this port using a program that I wrote.

    Also, I got AIM at the address "oam-m15b.blue.aol.com". Is there a way to get the port number returned using this information and an API or anything? But I think that it always uses port 5190 anyway.

    If other programs are already using this port (such as a filter program), would that change what is read in the port by the program? (I'm not sure if the filter program sends or receives any information through that port, it might just be watching or something)

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I don't know if it's just me but your question seems somewhat encrypted itself.

    AIM is just a client/server application. The client will always need to know what port to talk to the server on. In this case 5190. Now on the client side you will bind to any high port that is available. When you initiate the connection the server will have your local IP and port information so it can talk back to you.

    If you've already written a program to grab wire information then you should just be able to dump the payload to whatever you wanted to read, as long as it's not encrypted. Or if your program sucks just save yourself some time and don't reinvent the wheel. Just get snort and run this

    ./snort -vde -i <your_interface> port 5190

    and that will dump all communication to port 5190.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  3. #3
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    I'm sorry if my post doesn't seem easy to understand.

    I was in the process of writing a program that read the "available high port", but I couldn't seem to get it to work. I used a program that read port 96 (keyboard and mouse) and changed the port number, but I wasn't getting any info from the port.

    As you can probably tell, I don't know much about TCP/IP and the use of the ports.

    What I wanted to do was use a program to save all of my conversations (both ways) that I had on AIM. When I log the keys of my computer I only get half of the conversation, and I don't want to be key logging the other person's computer.

    One of my questions was "how do you find this 'high port' using programming, possibly APIs?" Because this port keeps changing on my computer every time I run AIM.

    Once I am able to read what is coming through this port I also was wondering how to make the information into readable English so that I can read it.

    I hope this better explains what I need help with.

  4. #4
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    What I wanted to do was use a program to save all of my conversations (both ways) that I had on AIM.
    Then why not just use the logging feature of your AIM client itself???
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  5. #5
    Junior Member
    Join Date
    Oct 2005
    Posts
    6
    That's right. Most of the chat programs log and archive both sides of a conversation so no need to key log yourself. And if you don't know much about TCP/IP and ports how can you write programs that deal with those? Just curious!

  6. #6
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    I've written simple programs that use ports, not anything complicated.

  7. #7
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Server Used: [ whois.arin.net ]

    Code:
    64.12.165.94  = [ oam-m15b.blue.aol.com]
      OrgName:    America Online  Inc. 
      OrgID:      AMERIC-158 
      Address:    10600 Infantry Ridge Road 
      City:       Manassas 
      StateProv:  VA 
      PostalCode: 20109 
      Country:    US 
      NetRange:   64.12.0.0 - 64.12.255.255 
      CIDR:       64.12.0.0/16 
      NetName:    AOL-MTC 
      NetHandle:   NET-64-12-0-0-1 
      Parent:     NET-64-0-0-0-0 
      NetType:    Direct Assignment 
      NameServer: DNS-01.NS.AOL.COM 
      NameServer: DNS-02.NS.AOL.COM 
      Comment: 
      RegDate:    1999-12-13 
      Updated:    1999-12-16 
      RTechHandle: AOL-NOC-ARIN 
      RTechName:   America Online  Inc. 
      RTechPhone:  1-703-265-4670 
      RTechEmail:  domains@aol.net
    Domain servers:
    dns-01.ns.aol.com
    152.163.159.232
    dns-02.ns.aol.com
    205.188.157.232
    dns-06.ns.aol.com
    149.174.211.8
    dns-07.ns.aol.com
    64.236.1.107
    was wondering how you would read the information that you get on this port using a program that I wrote.
    Sounds like you need to install a packet sniffer to capture ALL data running on your system/network.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I understand that the thread starter's questions have not all
    been answered yet, although I think S3cur|ty4ng31 made a
    very valid statement.


    A few of metguru's comments confused me, in particular
    I was in the process of writing a program that read the "available high port",
    but I couldn't seem to get it to work. I used a program that read port 96 (keyboard and mouse)
    and changed the port number, but I wasn't getting any info from the port.
    I don't understand. There are various kinds of ports[8]: hardware, network, ...
    I hope you are not confusing them. In addition, it is rather difficult, due to RING 0/RING 3
    separation, to directly access those ports nowadays. Since you are referring to port 96 (keyboard!)
    (60 in hex), I assume you are not talking about a network port. Thus, you cannot
    use that program to sniff network traffic.





    1. Question: How can I sniff TCP/IP communication?

    1. Answer: Use Snort/Ethereal[1]/TcpDump... (or see below)



    2. Question: How to detect "available high ports", in the sense of free port?

    2. Answer: Create an instance of the System.Net.Sockets.Socket class (C# as per your profile)
    and then use the Socket.Bind method to bind a local endpoint. If the binding is possible,
    then the port is free.



    3. Question: How to detect "available high ports", in the sense "available for sniffing"?

    3. Answer: In other words, which high ports are used. See Answer 2.



    4. Question: How can I determine (via some API) which program has bound a local endpoint,
    and which remote endpoint (essentially the "netstat" command)?

    4. Answer: Use GetTcpTable in iphlpapi.dll via
    Code:
     [DllImport("iphlpapi.dll")]
      private static extern int GetTcpTable(IntPtr pTcpTable,ref int pdwSize,bool bOrder);
    A quick search led to an example program[4].



    5. Question: How can I sniff the corresponding traffic?

    5. Answer: Either use the Pcap-library[5] (like Ethereal does), or, for example, use raw-sockets with WSAIoctl,
    (e.g. SIO_RCVALL promiscuous mode), WSARecv/recv (MSG_PEEK).
    c#: System.Net.Sockets.IOControlCode[6]. Example[7].



    Cheers

    [1] http://www.ethereal.com/download.html
    [2] http://msdn.microsoft.com/library/de...classtopic.asp
    [3] http://msdn.microsoft.com/library/de...sbindtopic.asp
    [4] http://www.csharpfriends.com/Forums/...x?PostID=20989
    [5] http://www.gsp.com/cgi-bin/man.cgi?s...=3&topic=pcap, http://www.winpcap.org/
    [6] http://msdn2.microsoft.com/en-us/lib...ntrolcode.aspx
    [7] http://www.codeproject.com/csharp/HSSniffer.asp
    [8] http://en.wikipedia.org/wiki/Port_(computing)
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
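
The checks from answers 2 and 4 above, as an added example that is not part of the original posts. It uses the managed IPGlobalProperties API in place of the GetTcpTable P/Invoke, so it lists local and remote endpoints but not the owning program; the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;

public static class PortInfo
{
    // Answer 2: a TCP port counts as free if a fresh socket can bind to it.
    public static bool IsPortFree(int port)
    {
        using (Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp))
        {
            try
            {
                s.Bind(new IPEndPoint(IPAddress.Any, port));
                return true;
            }
            catch (SocketException)
            {
                return false;   // already in use, or binding was refused
            }
        }
    }

    // Answer 4: print every TCP connection whose remote endpoint uses remotePort.
    // The local endpoint printed is the changing "high port" the client bound to.
    public static void PrintConnectionsTo(int remotePort)
    {
        IPGlobalProperties props = IPGlobalProperties.GetIPGlobalProperties();
        foreach (TcpConnectionInformation c in props.GetActiveTcpConnections())
        {
            if (c.RemoteEndPoint.Port == remotePort)
                Console.WriteLine("{0} -> {1} ({2})", c.LocalEndPoint, c.RemoteEndPoint, c.State);
        }
    }

    public static void Main()
    {
        const int AimPort = 5190;   // server port named in the thread
        PrintConnectionsTo(AimPort);
        Console.WriteLine("Local port {0} free: {1}", AimPort, IsPortFree(AimPort));
    }
}
```

The bind test only describes the moment it runs: another process can take the port right after the probe socket is closed.
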

  9. #9
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    I couldn't seem to find the option in AIM to do this, but I wanted to be able to do it with programming anyway so I could learn more about how this works.


    Originally posted here by sec_ware
    I don't understand. There are various kinds of ports[8]: hardware, network, ...
    I hope you are not confusing them. In addition, it is rather difficult, due to RING 0/RING 3
    separation, to directly access those ports nowadays. Since you are referring to port 96 (keyboard!)
    (60 in hex), I assume you are not talking about a network port. Thus, you cannot
    use that program to sniff network traffic.
    Yes, I assumed that there must be different ports when I couldn't get it to work. Sorry that I didn't clarify that.

    Now I just have a few questions about your answers...

    1 What is a "bind a local endpoint" and a "remote endpoint"?

    2 What would be a normal return of the API? (I'm not too good with C#, but I am learning)

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    1 What is a "bind a local endpoint" and a "remote endpoint"
    I am talking about the Berkeley Sockets Interface[1], which provides
    a generic access to interprocess communication. Let us focus on
    TCP/IP, and allow me to (over-)simplify: A socket connects two locations:
    your PC (on some network port) with another PC (on another network port).
    The combination "your PC / port" is called the local endpoint,
    while the combination "other PC / other port" is called the remote endpoint.
    Read read read


    2 What would be a normal return of the API? (I'm not too good with C#, but I am learning)
    Since you have a fully functional program for GetTcpTable in the above link[4],
    I took this opportunity to write a simple sniffer in C# (honestly, I misused C# and
    did not OO for simplicity). I suggest you read on msdn.microsoft.com the description
    of every method you do not know. You need to read and play around, in order to
    understand.


    Code:
    using System;
    using System.Net;
    using System.Net.Sockets;

    public class classMain{
        public static int Main(string[] args){

            byte[] buff = new byte[65536];
            int rec_bytes;

            // Create the raw socket
            Socket rawSock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
            // Find local host name and its first IPv4 address
            // (Dns.GetHostByName is obsolete; GetHostEntry may also return IPv6 addresses)
            String strHostName = Dns.GetHostName();
            IPHostEntry iphostentry = Dns.GetHostEntry(strHostName);
            IPAddress localIP = null;
            foreach(IPAddress ipaddress in iphostentry.AddressList){
                // An InterNetwork raw socket can only be bound to an IPv4 address
                if (ipaddress.AddressFamily == AddressFamily.InterNetwork){
                    localIP = ipaddress;
                    break;
                }
            }
            if (localIP == null){
                Console.WriteLine("No local IPv4 address found");
                return( 1 );
            }
            Console.WriteLine("Sniffing on {0}",localIP);
            // Bind the raw socket
            rawSock.Bind(new IPEndPoint(localIP, 0));
            // Enable promiscuous mode
            byte[] InValue  = new byte[4]{1, 0, 0, 0};
            byte[] OutValue = new byte[4];
            int SIO_RCVALL = unchecked((int)0x98000001);
            rawSock.IOControl(SIO_RCVALL, InValue, OutValue);
            // Sniffing...
            byte[] addr = new byte[4];
            IPAddress from_ip;
            IPAddress to_ip;
            int ihl;

            while(true){
                rec_bytes=rawSock.Receive(buff);
                // Skip anything shorter than a minimal IPv4 header
                if (rec_bytes < 20) continue;
                // Source address is at offset 12, destination at offset 16.
                // Copying the bytes avoids using pointers outside a fixed block.
                Array.Copy(buff, 12, addr, 0, 4);
                from_ip = new IPAddress(addr);
                Array.Copy(buff, 16, addr, 0, 4);
                to_ip = new IPAddress(addr);
                // IP header length in bytes (low nibble of byte 0, in 32-bit words);
                // the TCP/UDP ports are the first four bytes after the IP header
                ihl = (buff[0] & 0x0F) * 4;

                if (buff[9]==6 && rec_bytes >= ihl+4)
                    Console.WriteLine("TCP from {0} : {1} \t->\t {2} : {3}",from_ip,buff[ihl]*256+buff[ihl+1],to_ip,buff[ihl+2]*256+buff[ihl+3]);
                else if (buff[9]==17 && rec_bytes >= ihl+4)
                    Console.WriteLine("UDP from {0} : {1} \t->\t {2} : {3}",from_ip,buff[ihl]*256+buff[ihl+1],to_ip,buff[ihl+2]*256+buff[ihl+3]);
                else if (buff[9]==1){
                    Console.WriteLine("Ping from {0}  \t->\t {1}",from_ip,to_ip);
                } else
                    Console.WriteLine("Unknown Protocol: {0}",buff[9]);
            }
            rawSock.Close();
            return( 0 );
        }
    }

    Cheers

    [1] http://msdn2.microsoft.com/en-us/lib...ts.socket.aspx

    /edit: I still have an old compiler c# 7.00 from 2001. Nowadays, you may replace
    Code:
    while(true){
    -> while(Console.KeyAvailable==false){
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
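
Turning a captured buffer into readable text, as asked earlier in the thread, means locating the TCP payload behind two variable-length headers. The following is an added example, not code from the original posts: it parses a constructed sample packet (documentation addresses, 24-byte IP header with options) and prints the endpoints and the printable payload; the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Text;

public static class PacketParse
{
    // Summarise an IPv4 packet that carries TCP; returns null for anything else.
    public static string Describe(byte[] p, int len)
    {
        if (len < 20 || (p[0] >> 4) != 4) return null;      // not IPv4
        int ihl = (p[0] & 0x0F) * 4;                        // IP header length in bytes
        if (ihl < 20 || p[9] != 6 || len < ihl + 20) return null;
        int total = Math.Min(len, (p[2] << 8) | p[3]);      // IP total length
        int tcpLen = (p[ihl + 12] >> 4) * 4;                // TCP header length in bytes
        int start = ihl + tcpLen;                           // first payload byte
        if (tcpLen < 20 || start > total) return null;

        byte[] a = new byte[4];
        Array.Copy(p, 12, a, 0, 4);
        IPEndPoint src = new IPEndPoint(new IPAddress(a), (p[ihl] << 8) | p[ihl + 1]);
        Array.Copy(p, 16, a, 0, 4);
        IPEndPoint dst = new IPEndPoint(new IPAddress(a), (p[ihl + 2] << 8) | p[ihl + 3]);

        // Keep printable ASCII, show every other byte as '.'
        StringBuilder text = new StringBuilder();
        for (int i = start; i < total; i++)
            text.Append(p[i] >= 32 && p[i] < 127 ? (char)p[i] : '.');
        return String.Format("{0} -> {1} payload=\"{2}\"", src, dst, text);
    }

    public static void Main()
    {
        // Constructed sample packet, not captured traffic:
        // 24-byte IP header (IHL=6, one word of options), 20-byte TCP header, "hello"
        byte[] pkt = {
            0x46, 0, 0, 49,  0, 0, 0, 0,  64, 6, 0, 0,        // version/IHL, length, TTL, protocol
            192, 0, 2, 10,   192, 0, 2, 20,  1, 1, 1, 0,      // source, destination, options
            0xC0, 0x00, 0x14, 0x46,  0, 0, 0, 1,  0, 0, 0, 1, // ports 49152 -> 5190, seq, ack
            0x50, 0x18, 0x20, 0x00,  0, 0, 0, 0,              // data offset 5, flags, window
            0x68, 0x65, 0x6C, 0x6C, 0x6F                      // "hello"
        };
        Console.WriteLine(Describe(pkt, pkt.Length));
    }
}
```

Because the sample header carries options, reading the ports at a fixed offset of 20 would return the option bytes instead of the port numbers.
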
