
wireplay's Introduction


Wireplay

A minimalist approach to replaying pcap-dumped TCP sessions, with modifications applied as required.

The aim of this project is to build a usable but simplistic tool that helps in selecting the TCP session to replay. It can play either the client or the server side of the session during a replay.

Obviously, replay attacks don't work against protocols which are cryptographically hardened or which implement a protocol-specific replay prevention mechanism such as challenge/response. Wireplay implements a plugin/hook subsystem mainly for the purpose of working around such replay prevention mechanisms and also for performing a certain degree of fuzz testing.

It also won't work out of the box for certain non-deterministic sessions, where the live peer answers differently than it did when the session was captured, for example:

Original

C> GET /abc.tar.gz HTTP/1.1\r\n...
S> HTTP 404 Not Found ...

Replay

C> GET /abc.tar.gz HTTP/1.1\r\n...
S> HTTP 200 OK
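To make the two caveats above concrete, here is an added example in Python. It is not wireplay's own code and does not use its Ruby hook API: it is a minimal client-side replayer that passes every client payload through a hook before sending it, plus a toy server (constructed for the example) that announces a fresh nonce on connect and rejects requests that echo a stale one. Replayed verbatim, the captured request is refused; with a hook that rewrites the nonce from the live banner, the server's answer matches the captured one again. The per-turn comparison of expected versus received bytes is what tells you a session is non-deterministic. The captured turns, nonce format and addresses are all made up.

```python
import re
import socket
import threading

# Constructed captured session (not from the project's pcap/ directory).
# Each turn is (sender, bytes): "S" is the server, "C" the client.
CAPTURED = [
    ("S", b"NONCE 1234\r\n"),
    ("C", b"GET /abc.tar.gz HTTP/1.1\r\nHost: example.test\r\nX-Nonce: 1234\r\n\r\n"),
    ("S", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
]

def recv_turn(sock, want):
    """Read the peer's turn: up to `want` bytes, or whatever arrived before the timeout."""
    buf = b""
    try:
        while len(buf) < want:
            chunk = sock.recv(want - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf

def replay_client(host, port, session, hook=None, timeout=1.0):
    """Play the client side of `session` against host:port.

    hook(payload, last_server_turn) may rewrite each client payload before it is
    sent; that is where nonces and other replay-prevention tokens get patched.
    Returns one (expected, got) pair per server turn for non-determinism checks."""
    results, last_from_server = [], b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for who, data in session:
            if who == "C":
                sock.sendall(hook(data, last_from_server) if hook else data)
            else:
                last_from_server = recv_turn(sock, len(data))
                results.append((data, last_from_server))
    return results

def nonce_hook(payload, last_from_server):
    """Replace the captured nonce with the one the live server just announced."""
    m = re.match(rb"NONCE (\S+)", last_from_server)
    if not m:
        return payload
    return re.sub(rb"X-Nonce: \S+", b"X-Nonce: " + m.group(1), payload)

def start_toy_server(nonce):
    """Stand-in for a server with a replay check: it announces a nonce on connect and
    answers 403 unless the request echoes that nonce back. Returns the bound port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.settimeout(2.0)
                conn.sendall(b"NONCE " + nonce + b"\r\n")
                req = b""
                while b"\r\n\r\n" not in req:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                m = re.search(rb"X-Nonce: (\S+)", req)
                status = b"404 Not Found" if m and m.group(1) == nonce else b"403 Forbidden"
                conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]

def run_demo():
    """Replay the captured session twice: verbatim, then through nonce_hook."""
    port = start_toy_server(b"9f1c")
    plain = replay_client("127.0.0.1", port, CAPTURED)
    hooked = replay_client("127.0.0.1", port, CAPTURED, hook=nonce_hook)
    return {
        "plain_matches": [exp == got for exp, got in plain],
        "hooked_matches": [exp == got for exp, got in hooked],
        "plain_status": plain[1][1].split(b"\r\n")[0],
        "hooked_status": hooked[1][1].split(b"\r\n")[0],
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The first server turn never matches (the nonce is fresh by design), so a real hook would also whitelist turns that are expected to differ; everything after it is the signal. Reading a server turn up to the captured length is a simplification: wireplay, sitting on libnids, sees the peer's segments directly.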

Getting Started

./wireplay -K --role client --port 80 --target 127.0.0.1 -L -F ./pcap/http.dump

The above runs wireplay as the client, replaying the HTTP session in ./pcap/http.dump against port 80 on 127.0.0.1 with libnids TCP checksum verification disabled (-K, see Notes below).

./wireplay --role client -F ./pcap/dcedump.dump --target 172.16.34.129 --port 135

The above reads a dcedump (Dave Aitel's dcedump) session from the pcap file dcedump.dump and replays it as the client against port 135 on 172.16.34.129.

What to do with it?

  • Fuzzing for security bugs
  • General software testing
  • Being cool..

Dependencies

RHEL/CentOS:
  • libpcap
  • libpcap-devel
  • libnet
  • libnet-devel

Ubuntu:
  • sudo apt-get update -qq
  • sudo apt-get install -y libnet1-dev
  • sudo apt-get install -y libpcap-dev

Notes

  • libnids-1.23 does not set certain pointers to NULL during nids_exit(), so the next nids_init() and TCP capture dereference already-freed memory and crash. The patched copy of libnids shipped in this repository ($(pwd)) must be used until it is fixed upstream.

  • TCP checksum offloading: modern NICs compute TCP/UDP checksums in hardware, so the OS network stack may hand packets to the NIC with an incorrect or zero checksum and expect the NIC to fill in the right one before transmission. As a result, TCP packets sniffed on the sending host may carry incorrect checksums, and libnids silently discards such packets unless checksum verification is disabled.

    On modern hardware it is safe to run wireplay with -K, which disables libnids checksum verification, by default.
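The following added example (Python, not part of wireplay) does two things this README assumes you can do by hand before a replay: list the TCP sessions in a pcap so you know which one to select and which side is the client, and verify every segment's TCP checksum so you can tell whether a capture was taken on an offloading host and needs -K. It parses a capture that is constructed inline with made-up addresses, ports and payloads; session tracking starts only at an initial SYN, which is also how libnids decides what it will track, so a stream whose handshake was not captured is reported as not replayable.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
# Constructed sample payloads, not taken from the project's pcap/ directory.
REQ = b"GET /abc.tar.gz HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"
RSP = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

def ones_complement_sum(data):
    """16-bit ones' complement sum (RFC 1071) with the end-around carry folded in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def internet_checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF

def tcp_pseudo_header(src4, dst4, tcp_len):
    return src4 + dst4 + struct.pack("!BBH", 0, 6, tcp_len)

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", offload=False):
    """IPv4+TCP packet; offload=True leaves the TCP checksum zero, as a capture on
    the sending host shows it when the NIC fills the checksum in hardware."""
    src4, dst4 = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    if not offload:
        csum = internet_checksum(tcp_pseudo_header(src4, dst4, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src4, dst4)
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + tcp

def tcp_checksum_ok(ip_packet):
    """Valid iff pseudo-header + segment (checksum field included) sums to 0xFFFF."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total = struct.unpack("!H", ip_packet[2:4])[0]
    tcp = ip_packet[ihl:total]
    ph = tcp_pseudo_header(ip_packet[12:16], ip_packet[16:20], len(tcp))
    return ones_complement_sum(ph + tcp) == 0xFFFF

def pcap_bytes(ip_packets):
    """Serialize packets as a little-endian DLT_EN10MB pcap, as tcpdump -w writes on x86."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"  # made-up MACs, EtherType IPv4
    for i, pkt in enumerate(ip_packets):
        frame = eth + pkt
        out.append(struct.pack("<IIII", 1700000000, i, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(buf):
    """Yield the IPv4 packets of a little-endian Ethernet pcap."""
    if buf[:4] != struct.pack("<I", PCAP_MAGIC) or struct.unpack("<I", buf[20:24])[0] != 1:
        raise ValueError("expected a little-endian DLT_EN10MB pcap")
    off = 24
    while off + 16 <= len(buf):
        incl = struct.unpack("<I", buf[off + 8:off + 12])[0]
        frame = buf[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] == b"\x08\x00":
            yield frame[14:]

def list_sessions(pcap_buf):
    """Group TCP segments by 4-tuple. Like libnids, a stream is only tracked from its
    initial SYN, and the SYN's sender is the client (what --role client replays)."""
    sessions = {}
    for pkt in read_pcap(pcap_buf):
        if pkt[9] != 6:  # protocol field: not TCP
            continue
        ihl = (pkt[0] & 0x0F) * 4
        total = struct.unpack("!H", pkt[2:4])[0]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        doff, flags = (pkt[ihl + 12] >> 4) * 4, pkt[ihl + 13]
        key = frozenset([(src, sport), (dst, dport)])
        s = sessions.get(key)
        if s is None:
            if (flags & 0x12) != 0x02:  # no SYN captured for this stream: not replayable
                continue
            s = sessions[key] = {"client": (src, sport), "server": (dst, dport), "packets": 0,
                                 "client_bytes": 0, "server_bytes": 0, "bad_checksum": 0}
        s["packets"] += 1
        s["client_bytes" if (src, sport) == s["client"] else "server_bytes"] += total - ihl - doff
        if not tcp_checksum_ok(pkt):  # libnids drops these unless wireplay is run with -K
            s["bad_checksum"] += 1
    return list(sessions.values())

def sample_capture():
    """Constructed capture: one HTTP session whose request has an offloaded (zero)
    checksum, plus a stray mid-stream segment with no SYN."""
    c, s = "10.0.0.5", "10.0.0.1"
    return pcap_bytes([
        build_ipv4_tcp(c, s, 40000, 80, 1000, 0, 0x02),                        # SYN
        build_ipv4_tcp(s, c, 80, 40000, 5000, 1001, 0x12),                     # SYN/ACK
        build_ipv4_tcp(c, s, 40000, 80, 1001, 5001, 0x10),                     # ACK
        build_ipv4_tcp(c, s, 40000, 80, 1001, 5001, 0x18, REQ, offload=True),  # PSH/ACK
        build_ipv4_tcp(s, c, 80, 40000, 5001, 1001 + len(REQ), 0x18, RSP),     # PSH/ACK
        build_ipv4_tcp(c, s, 40001, 135, 2000, 7000, 0x18, b"\x05\x00\x0b"),   # no SYN seen
    ])

if __name__ == "__main__":
    print(list_sessions(sample_capture()))
```

A non-zero bad_checksum count on a session you captured on one of the endpoints is the offloading symptom from the note above, and the cue to pass -K; the same count on a capture taken from a span port or a third host is worth a closer look, since those packets left the wire that way.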


wireplay's Issues

Wireplay crashes every time

My wireplay crashes every time I run it, whether in server or client mode, from the machine that I am running on, and the log is just empty.
I tried checking ldd ./wireplay and it is not linked to the system libnids library. I checked out the SVN source code yesterday. Please help me to resolve the issue.

I am running wireplay against a pcap using the command below:

../wireplay -K --role client --port 80 --target <ip> -L -F ./pcap/<pcapFileName>.pcap

Following is the output from ldd ./wireplay:

ldd ./wireplay
    linux-vdso.so.1 =>  (0x00007fff99bff000)
    libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007f8db038f000)
    libnet.so.1 => /usr/lib/libnet.so.1 (0x00007f8db0176000)
    libruby1.8.so.1.8 => /usr/lib/libruby1.8.so.1.8 (0x00007f8dafe75000)
    libc.so.6 => /lib/libc.so.6 (0x00007f8dafaf2000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x00007f8daf8d5000)
    librt.so.1 => /lib/librt.so.1 (0x00007f8daf6cc000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007f8daf4c8000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f8daf28f000)
    libm.so.6 => /lib/libm.so.6 (0x00007f8daf00b000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8db05ce000)

Original issue reported on code.google.com by [email protected] on 19 Jan 2012 at 10:34

Inappropriate #elif instead of #else in libnids/killtcp.c

What steps will reproduce the problem?
  1. cd libnids
  2. ./configure --enable-shared --disable-libglib
  3. make

What is the expected output? What do you see instead?
Expected:
  successful build
Actual:
  gcc -c -g -O2 -D_BSD_SOURCE -W -Wall -DLIBNET_VER=1 -DHAVE_ICMPHDR=1 -DHAVE_TCP_STATES=1 -DHAVE_BSD_UDPHDR=1 -I. -I/usr/include/pcap -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H   killtcp.c
  killtcp.c:121:6: error: #elif with no expression

What version of the product are you using? On what operating system?
  svn/trunk, Debian Wheezy

Please provide any additional information below.
  Probably a forgotten #elif instead of #else. Replaced, appears to work.

Patch:
  * https://github.com/ziman/wireplay/commit/08e8a1db631b36e33348029e20389d9a940eee67
  * attached

Original issue reported on code.google.com by [email protected] on 9 Mar 2011 at 9:54


The ISN cmd line option isn't functional.

What steps will reproduce the problem?
1. Try to use '-n' or '--isn' command line options.

...

Please provide any additional information below.

I am dubious about the quality of my effort but until I spend time doing it better, the attached patch does enable the functionality.

Original issue reported on code.google.com by [email protected] on 12 Jun 2012 at 9:00


Link errors for 64 bit compile on OpenSuse 11.4

What steps will reproduce the problem?
1. Run make on OpenSuse 11.4 (x86-64)
2.
3.

What is the expected output? What do you see instead?

Link errors during the root make after successfully compiling libnids.

gvelocity@lon3eur20:~/wireplay-read-only> make
gcc -o wireplay src/wireplay.o src/log.o src/msg.o src/whook.o src/whook_rb.o -ggdb -L/home/gvelocity/wireplay-read-only/libnids-1.23/src/ -lnids -lpcap -lnet -L/usr/lib64 -lruby
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `cap_queue_process_thread':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:566: undefined 
reference to `g_async_queue_pop'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_pcap_handler':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:341: undefined 
reference to `g_async_queue_lock'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:343: undefined 
reference to `g_async_queue_length_unlocked'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:349: undefined 
reference to `g_async_queue_push_unlocked'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_exit':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:707: undefined 
reference to `g_async_queue_length'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_run':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:688: undefined 
reference to `g_thread_create_full'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:691: undefined 
reference to `g_async_queue_push'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_init':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:671: undefined 
reference to `g_thread_init'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:672: undefined 
reference to `g_async_queue_new'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_next':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:747: undefined 
reference to `g_async_queue_push'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:745: undefined 
reference to `g_thread_create_full'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_dispatch':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:765: undefined 
reference to `g_async_queue_push'
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:759: undefined 
reference to `g_thread_create_full'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `cap_queue_process_thread':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:572: undefined 
reference to `g_thread_exit'
/home/gvelocity/wireplay-read-only/libnids-1.23/src//libnids.a(libnids.o): In 
function `nids_pcap_handler':
/home/gvelocity/wireplay-read-only/libnids-1.23/src/libnids.c:351: undefined 
reference to `g_async_queue_unlock'
collect2: ld returned 1 exit status
make: *** [wireplay] Error 1
gvelocity@lon3eur20:~/wireplay-read-only>
gvelocity@lon3eur20:~/wireplay-read-only>
gvelocity@lon3eur20:~/wireplay-read-only> cat Makefile
ROOT            := $(PWD)
CC                      := gcc
RUBYINC := /usr/lib64/ruby/1.8/x86_64-linux/
CFLAGS  := -DDEBUG -I $(ROOT)/include -I $(RUBYINC) -I $(ROOT)/libnids-1.23/src/ -ggdb
LDFLAGS := -ggdb -L$(ROOT)/libnids-1.23/src/ -lnids -lpcap -lnet -L/usr/lib64 -lruby
PACKAGE := wireplay-$(shell date "+%Y%m%d").tar.gz
DEVPACKAGE      := wireplay-dev-$(shell date "+%Y%m%d").tar.gz
SVNPATH := https://wireplay.googlecode.com/svn/trunk

CORE_OBJ        := src/wireplay.o src/log.o src/msg.o src/whook.o src/whook_rb.o

all: wireplay

wireplay: $(CORE_OBJ)
        $(CC) -o wireplay $(CORE_OBJ) $(LDFLAGS)

.PHONY: clean
clean:
        -rm -rf wireplay
        -rm -rf src/*.o
        -rm -rf core core.*
        -rm -rf a.out

.PHONY: upload
upload:
        -make clean

.PHONY: package
package:
        make clean
        rm -rf /tmp/wireplay
        svn --force export $(SVNPATH) /tmp/wireplay
        cd /tmp/ && tar czvf $(PACKAGE) wireplay
        rm -rf /tmp/wireplay
        mv /tmp/$(PACKAGE) ./releases/

.PHONY: package-dev
package-dev:
        make clean
        rm -rf /tmp/wireplay
        svn checkout $(SVNPATH) /tmp/wireplay
        cd /tmp/ && tar czvf $(DEVPACKAGE) wireplay
        rm -rf /tmp/wireplay
        mv /tmp/$(DEVPACKAGE) ./releases/

.PHONY: install
install:
        mkdir -p /opt/wireplay/bin
        cp wireplay /opt/wireplay/bin/
        cp -r pcap /opt/wireplay/
        cp -r hooks /opt/wireplay/
gvelocity@lon3eur20:~/wireplay-read-only>


What version of the product are you using? On what operating system?

Latest SVN download

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 17 Oct 2012 at 3:12

x86 64bit compilation

What steps will reproduce the problem?
1. Compiling on x86 64 bit machine.

The code will compile with warnings about pointers.
Due to some missing function declarations the generated code will not work and will crash (conversion from int (32-bit) to pointer (64-bit) on function return).

What version of the product are you using? 
Latest from SVN wireplay-readonly:
r18 | abhisek.datta | 2010-03-17 18:57:18 +0900 (Wed, 17 Mar 2010) | 1 line

On what operating system?
Debian Testing x86_64

Please provide any additional information below.
Attached a patch to fix compiler warnings and provide missing function definitions.

Note: ran into the same problem as issue #1: trailing #elif instead of #else.

Original issue reported on code.google.com by [email protected] on 25 May 2011 at 4:57


Does wireplay support IPv6?

We needed a TCP replay tool to test our product for the traffic that passes through the firewall, which has a TCP proxy. We would like to know if Wireplay supports IPv6 as well.

Thanks.

Original issue reported on code.google.com by [email protected] on 19 Jan 2012 at 3:32

Wireplay is not showing a session

Hi@all,
so I am new to this, and I am trying to replay a dumped TCP session, but I fail already on the basics.

What steps will reproduce the problem?
1. I have recorded a dump with Wireshark containing just an HTTP session.
2. Then I start wireplay:
./wireplay -r server -F mydump.pcap -t 127.0.0.1 -p 80 -L
3. and get only:
 Enter session no. to replay: 1
[-] invalid session selected

What is the expected output? What do you see instead?
I would expect to get at least one session for playback.

What version of the product are you using? On what operating system?
-I use: 
Wireplay - The TCP Replay Tool v0.2

OS:
I use SuSE 11.4
Linux linux-of8w.site 2.6.37.6-24-desktop #1 SMP PREEMPT 2012-10-18 22:36:08 +0200 i686 i686 i386 GNU/Linux


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 13 Nov 2012 at 2:36
