-
November 11th, 2005, 02:00 AM
#1
computer ports
I was reading this thread
http://www.antionline.com/showthread...hreadid=271877
The second post read:
5. I do not know about login sessions, but all chats are clear text unless you specifically set up AIM to be encrypted. MSN and Yahoo don't have any first party encryption, but there are 3rd party tools, only problem being both sides of the conversation must be using the software.
I used netstat to get what port AIM was on and was wondering how you would read the information that you get on this port using a program that I wrote.
Also, I got AIM at the address "oam-m15b.blue.aol.com". Is there a way to get the port number returned using this information and an API or anything? But I think that it always uses port 5190 anyway.
If other programs are already using this port (such as a filter program), would that change what is read in the port by the program? (I'm not sure if the filter program sends or receives any information through that port, it might just be watching or something)
-
November 11th, 2005, 02:13 AM
#2
I don't know if it's just me but your question seems somewhat encrypted itself.
AIM is just a client/server application. The client will always need to know what port to talk to the server on. In this case 5190. Now on the client side you will bind to any high port that is available. When you initiate the connect, the server will have your local ip and port information so it can talk back to you.
If you've already written a program to grab wire information then you should just be able to dump the payload to whatever you wanted to read. As long as it's not encrypted. Or if your program sucks just save yourself some time and don't reinvent the wheel. Just get snort and run this
./snort -vde -i <your_interface> port 5190
and that will dump all communication to port 5190.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
November 11th, 2005, 02:47 AM
#3
I'm sorry if my post doesn't seem easy to understand.
I was in the process of writing a program that read the "available high port", but I couldn't seem to get it to work. I used a program that read port 96 (keyboard and mouse) and changed the port number, but I wasn't getting any info from the port.
As you can probably tell, I don't know much about TCP/IP and the use of the ports.
What I wanted to do was use a program to save all of my conversations (both ways) that I had on AIM. When I log the keys of my computer I only get half of the conversation, and I don't want to be key logging the other person's computer.
One of my questions was "how do you find this 'high port' using programming, possibly APIs?" Because this port keeps changing on my computer every time I run AIM.
Once I am able to read what is coming through this port I also was wondering how to make the information into readable English so that I can read it.
I hope this better explains what I need help with.
-
November 11th, 2005, 03:25 AM
#4
What I wanted to do was use a program to save all of my conversations (both ways) that I had on AIM.
Then why not just use the logging feature of your AIM client itself???
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
November 11th, 2005, 04:47 AM
#5
That's right. Most of the chat programs log and archive both sides of a conversation so no need to key log yourself. And if you don't know much about tcp/ip and ports how can you write programs that deal with those? Just curious!
-
November 11th, 2005, 08:52 PM
#6
I've written simple programs that use ports, not anything complicated.
-
November 11th, 2005, 09:40 PM
#7
Server Used: [ whois.arin.net ]
Code:
64.12.165.94 = [ oam-m15b.blue.aol.com]
OrgName: America Online Inc.
OrgID: AMERIC-158
Address: 10600 Infantry Ridge Road
City: Manassas
StateProv: VA
PostalCode: 20109
Country: US
NetRange: 64.12.0.0 - 64.12.255.255
CIDR: 64.12.0.0/16
NetName: AOL-MTC
NetHandle: NET-64-12-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: DNS-01.NS.AOL.COM
NameServer: DNS-02.NS.AOL.COM
Comment:
RegDate: 1999-12-13
Updated: 1999-12-16
RTechHandle: AOL-NOC-ARIN
RTechName: America Online Inc.
RTechPhone: 1-703-265-4670
RTechEmail: domains@aol.net
Domain servers:
dns-01.ns.aol.com
152.163.159.232
dns-02.ns.aol.com
205.188.157.232
dns-06.ns.aol.com
149.174.211.8
dns-07.ns.aol.com
64.236.1.107
was wondering how you would read the information that you get on this port using a program that I wrote.
Sounds like you need to install a packet sniffer to capture ALL data running on your system/network.
-
November 12th, 2005, 04:10 PM
#8
Hi
I understand that the thread starter's questions have not all been answered yet, although I think S3cur|ty4ng31 made a very valid statement.
A few of metguru's comments confused me, in particular:
I was in the process of writing a program that read the "available high port", but I couldn't seem to get it to work. I used a program that read port 96 (keyboard and mouse) and changed the port number, but I wasn't getting any info from the port.
I don't understand. There are various kinds of ports[8]: hardware, network, ...
I hope you are not confusing them. In addition, it is rather difficult, due to RING 0/RING 3
separation, to directly access those ports nowadays. Since you are referring to port 96 (keyboard!)
(60 in hex), I assume you are not talking about a network port. Thus, you cannot
use that program to sniff network traffic.
1. Question: How I can I sniff TCP/IP communication?
1. Answer: Use Snort/Ethereal[1]/TcpDump... (or see below)
2. Question: How to detect "available high ports", in the sense of free port?
2. Answer: Create an instance of the System.Net.Sockets.Socket class (C#, as per your profile)
and then use the Socket.Bind method to bind a local endpoint. If the binding is possible,
then the port is free.
3. Question: How to detect "available high ports", in the sense "available for sniffing"?
3. Answer: In other words, which high ports are used. See Answer 2.
4. Question: How can I determine (via some API) which program has bound a local endpoint,
and which remote endpoint (essentially the "netstat" command)?
4. Answer: Use GetTcpTable in iphlpapi.dll via
Code:
using System.Runtime.InteropServices; // needed for the DllImport attribute
[DllImport("iphlpapi.dll")]
private static extern int GetTcpTable(IntPtr pTcpTable, ref int pdwSize, bool bOrder);
A quick search led to an example program[4].
5. Question: How can I sniff the corresponding traffic?
5. Answer: Either use the Pcap-library[5] (like Ethereal does), or, for example, use raw-sockets with WSAIoctl,
(e.g. SIO_RCVALL promiscuous mode), WSARecv/recv (MSG_PEEK).
c#: System.Net.Sockets.IOControlCode[6]. Example[7].
Cheers
[1] http://www.ethereal.com/download.html
[2] http://msdn.microsoft.com/library/de...classtopic.asp
[3] http://msdn.microsoft.com/library/de...sbindtopic.asp
[4] http://www.csharpfriends.com/Forums/...x?PostID=20989
[5] http://www.gsp.com/cgi-bin/man.cgi?s...=3&topic=pcap, http://www.winpcap.org/
[6] http://msdn2.microsoft.com/en-us/lib...ntrolcode.aspx
[7] http://www.codeproject.com/csharp/HSSniffer.asp
[8] http://en.wikipedia.org/wiki/Port_(computing)
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
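The bind test from answer 2 and the local/remote endpoint idea behind answers 2 to 4, worked through as an added Python example (not code from this thread; Python's socket module stands in for System.Net.Sockets). Everything runs on loopback: the OS hands out an ephemeral "high" port when you bind to port 0, a bind to a port someone else holds fails, and one loopback connection shows each side's local and remote endpoint. Host 127.0.0.1 and all ports are constructed by the example.

```python
import socket
import threading


def find_free_port(host="127.0.0.1"):
    """Bind to port 0 and let the OS hand out a free ephemeral ("high") port.

    This is the bind test from answer 2: if Bind succeeds, the port was free.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def is_port_free(port, host="127.0.0.1"):
    """True if a bind to (host, port) succeeds; False if something already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:          # EADDRINUSE (or EACCES for a privileged port)
            return False
        return True


def probe_busy_then_free(host="127.0.0.1"):
    """Occupy a port, probe it, release it, probe again. Returns (while held, after release)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, 0))
    port = holder.getsockname()[1]
    while_held = is_port_free(port, host)
    holder.close()
    after_release = is_port_free(port, host)
    return while_held, after_release


def demo_endpoints(host="127.0.0.1"):
    """Open one loopback TCP connection and report what each side sees.

    The client's local endpoint is (host, ephemeral port) and its remote endpoint is
    the server's listening endpoint; the server's accepted socket sees the mirror image.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))                   # the "well-known" side: any free port will do here
    server.listen(1)
    server_port = server.getsockname()[1]
    seen = {}

    def accept_once():
        conn, _ = server.accept()
        seen["server_local"] = conn.getsockname()
        seen["server_remote"] = conn.getpeername()
        conn.close()

    t = threading.Thread(target=accept_once)
    t.start()
    client = socket.create_connection((host, server_port))
    seen["client_local"] = client.getsockname()
    seen["client_remote"] = client.getpeername()
    t.join()
    client.close()
    server.close()
    return seen


if __name__ == "__main__":
    print("free ephemeral port:", find_free_port())
    print("probe while held / after release:", probe_busy_then_free())
    for side, endpoint in demo_endpoints().items():
        print("%-14s %s:%d" % (side, endpoint[0], endpoint[1]))
```

The client never chooses its own port here, which is why the "high port" in the original question changes on every run of AIM: the operating system picks it from its ephemeral range at connect time, and the only stable number in the four-tuple is the server's 5190.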
-
November 13th, 2005, 04:17 PM
#9
I couldn't seem to find the option in AIM to do this, but I wanted to be able to do it with programming anyway so I could learn more about how this works.
Originally posted here by sec_ware
I don't understand. There are various kinds of ports[8]: hardware, network, ... I hope you are not confusing them. In addition, it is rather difficult, due to RING 0/RING 3 separation, to directly access those ports nowadays. Since you are referring to port 96 (keyboard!) (60 in hex), I assume you are not talking about a network port. Thus, you cannot use that program to sniff network traffic.
Yes, I assumed that there must be different ports when I couldn't get it to work. Sorry that I didn't clarify that.
now I just have a few questions about your answers...
1. What is "bind a local endpoint" and a "remote endpoint"?
2. What would be a normal return of the API? (I'm not too good with C#, but I am learning)
-
November 18th, 2005, 12:07 AM
#10
Hi
1. What is "bind a local endpoint" and a "remote endpoint"?
I am talking about the Berkeley Sockets Interface[1], which provides
a generic access to interprocess communication. Let us focus on
TCP/IP, and allow me to (over-)simplify: A socket connects two locations:
your PC (on some network port) with another PC (on another network port).
The combination "your PC / port" is called the local endpoint,
while the combination "other PC / other port" is called the remote endpoint.
Read read read
2. What would be a normal return of the API? (I'm not too good with C#, but I am learning)
Since you have a fully functional program for GetTcpTable in the above link[4],
I took this opportunity to write a simple sniffer in C# (honestly, I misused C# and
did not OO for simplicity). I suggest you read on msdn.microsoft.com the description
of every method you do not know. You need to read and play around, in order to
understand.
Code:
using System;
using System.Net;
using System.Net.Sockets;

// Compile with /unsafe and run with administrative rights (raw sockets need them).
public class classMain{
    unsafe public static int Main(string[] args){
        byte [] buff = new byte[65536];
        int rec_bytes;
        // Create the raw socket
        Socket rawSock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
        // Find local host name and its first IPv4 address
        String strHostName = Dns.GetHostName();
        IPHostEntry iphostentry = Dns.GetHostByName(strHostName);
        String IP = "";
        foreach(IPAddress ipaddress in iphostentry.AddressList){
            if (ipaddress.AddressFamily == AddressFamily.InterNetwork){
                IP = ipaddress.ToString();
                break;
            }
        }
        Console.WriteLine("Sniffing on {0}",IP);
        // Bind the raw socket to that interface
        rawSock.Bind(new IPEndPoint(IPAddress.Parse(IP), 0));
        // Enable promiscuous mode (SIO_RCVALL: receive every IP packet seen on this interface)
        byte []InValue = new byte[4]{1, 0, 0, 0};
        byte []OutValue = new byte[4];
        int SIO_RCVALL = unchecked((int)0x98000001);
        rawSock.IOControl(SIO_RCVALL, InValue, OutValue);
        // Sniffing...
        uint *from;
        uint *to;
        IPAddress from_ip;
        IPAddress to_ip;
        int ihl;
        while(true){
            rec_bytes=rawSock.Receive(buff);
            if (rec_bytes < 20) continue;              // shorter than a minimal IPv4 header
            ihl = (buff[0] & 0x0F) * 4;                // header length in bytes (20 without options)
            if (ihl < 20 || rec_bytes < ihl + 4) continue;
            fixed(byte *fixed_buff = buff){
                // Dereference while the buffer is pinned; the pointers are not valid outside this block
                from = (uint *)(fixed_buff+12);
                to = (uint *)(fixed_buff+16);
                from_ip = new IPAddress(*from);
                to_ip = new IPAddress(*to);
            }
            // buff[9] is the IP protocol field; ports follow the IP header at offset ihl, not at a fixed 20
            if (buff[9]==6)
                Console.WriteLine("TCP from {0} : {1} \t->\t {2} : {3}",from_ip,buff[ihl]*256+buff[ihl+1],to_ip,buff[ihl+2]*256+buff[ihl+3]);
            else if (buff[9]==17)
                Console.WriteLine("UDP from {0} : {1} \t->\t {2} : {3}",from_ip,buff[ihl]*256+buff[ihl+1],to_ip,buff[ihl+2]*256+buff[ihl+3]);
            else if (buff[9]==1){
                Console.WriteLine("Ping from {0} \t->\t {1}",from_ip,to_ip);
            } else
                Console.WriteLine("Unknown Protocol: {0}",buff[9]);
        }
        rawSock.Close();
        return( 0 );
    }
}
Cheers
[1] http://msdn2.microsoft.com/en-us/lib...ts.socket.aspx
/edit: I still have an old C# compiler (7.00, from 2001). Nowadays, you may replace
Code:
while(true){
-> while(Console.KeyAvailable==false){
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
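The header decoding that the sniffer above does on each received packet (answer 5 in the earlier post), as an added Python example that is not sec_ware's code. It runs offline over constructed packets instead of a raw socket, so no privileges are needed, and it reads the IP header length from the IHL nibble rather than assuming 20 bytes; naive_ports shows what a fixed offset-20 read returns once a packet carries IP options. The 192.0.2.x addresses and all port numbers except 5190 are constructed for the example; 64.12.165.94 and 5190 are the AOL address and port quoted in this thread.

```python
import socket
import struct

# Protocol numbers the sniffer switches on (byte 9 of the IPv4 header).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ip_packet(buf):
    """Decode the IPv4 header of one raw packet and, for TCP/UDP, the port pair.

    The transport header starts at IHL*4 bytes, not at a fixed offset of 20:
    a packet carrying IP options has a longer header.
    """
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    version = buf[0] >> 4
    ihl = (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    proto = buf[9]
    info = {
        "proto": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "src": socket.inet_ntoa(buf[12:16]),
        "dst": socket.inet_ntoa(buf[16:20]),
        "header_len": ihl,
        "sport": None,
        "dport": None,
    }
    if proto in (6, 17):
        if len(buf) < ihl + 4:
            raise ValueError("truncated transport header")
        info["sport"], info["dport"] = struct.unpack("!HH", buf[ihl:ihl + 4])
    return info


def naive_ports(buf):
    """The fixed-offset port read, which silently assumes a 20-byte IP header."""
    return (buf[20] * 256 + buf[21], buf[22] * 256 + buf[23])


def build_ipv4(src, dst, proto, payload, options=b""):
    """Construct a test packet (checksum left zero; the packet is parsed, never sent)."""
    options += b"\x00" * (-len(options) % 4)   # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def tcp_stub(sport, dport):
    """Minimal 20-byte TCP header: SYN flag set, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def udp_stub(sport, dport, data=b""):
    """Minimal 8-byte UDP header followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets (192.0.2.0/24 is the documentation address range).
SAMPLES = {
    # client on an ephemeral port talking to the AOL server address from the thread
    "aim_login": build_ipv4("192.0.2.10", "64.12.165.94", 6, tcp_stub(51234, 5190)),
    # UDP packet carrying a 4-byte Router Alert option, so the IP header is 24 bytes
    "udp_with_options": build_ipv4("192.0.2.10", "192.0.2.53", 17,
                                   udp_stub(40000, 53), options=b"\x94\x04\x00\x00"),
    # ICMP echo request: no ports to report
    "icmp_echo": build_ipv4("192.0.2.10", "192.0.2.1", 1,
                            struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
}


def describe(buf):
    """One line per packet, in the same shape as the sniffer's Console.WriteLine output."""
    p = parse_ip_packet(buf)
    if p["sport"] is None:
        return "%s from %s -> %s" % (p["proto"], p["src"], p["dst"])
    return "%s from %s : %d -> %s : %d" % (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "|", describe(pkt), "| naive offset-20 ports:", naive_ports(pkt))
```

For the packet with options, naive_ports reports the Router Alert option bytes as ports (37892 and 0) while parse_ip_packet reports 40000 and 53, which is the point of taking the header length from IHL before looking for the transport header. The Receive loop of a raw-socket sniffer would feed each received buffer to parse_ip_packet in the same way.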