_______________________________________________________________________________

Readdressing
by Jobbe

Introduction:

By "sniffing by readdressing" we mean the possibility of redirecting the output of a running application, through a local port on our system, to a network server, so that we can sniff the traffic exchanged between the two systems connected through our readdressing.

Theory:

Just look at this example:

Session Start: Tue Nov 13 10:40:41 2001
(Jobbe) Hy
(Jobbe) Hy, how are you doing with the girl?
(Jobbe) I'm jokin' :)
(XYZ) I don't know you
(Jobbe) no
(XYZ) well..
(XYZ) Did we meet somewhere?
(Jobbe) no
(Jobbe) =)
(XYZ) How do you know about the girl?
(Jobbe) eheh
(XYZ) I still don't understand
(Jobbe) it doesn't matter
(Jobbe) it's better
(XYZ) Are you Clark that is enjoying in jokin'
(Jobbe) no...
(Jobbe) it was enough reading the QUERY :)
(XYZ) Reading the QUERY?
(XYZ) What the f***
(XYZ) I think you're a bad boy
(Jobbe) :)
(Jobbe) i was just trying
(Jobbe) now i can say it works
(XYZ) good for you
(XYZ) i don't even know what you're talking about
(Jobbe) bye
(XYZ) bye
::: Jobbe has left IRC (QUIT: byez all)
Session Close: Tue Nov 13 10:50:19 2001

This log is just an example of one of the many applications of this technique. It was possible to read the query between XYZ and Clark (you will see it below) because Clark was connected to the IRC server through a readdressing, i.e. the outgoing traffic from his pc passed through a port on my pc, where it was sniffed and then readdressed to the server in a way that was stealthy (to him, of course :). In this way I could sniff all the traffic on the port to which I had readdressed his connection, obtaining the content of the messages received and sent by XYZ and retrieving information about him and about the other people he was talking about.
For example, they were talking about a girl, so let's pretend that the conversation below is the one between them (these are the messages received by Clark from XYZ, as sniffed, from which I retrieved all the information):

:XYZ!@=kzx.unifi.com PRIVMSG Clark :Hy Clark
:XYZ!@=kzx.unifi.com PRIVMSG Clark :do you remember the
:XYZ!@=kzx.unifi.com PRIVMSG Clark :site i told you before?
:XYZ!@=kzx.unifi.com PRIVMSG Clark :i was chatting with a girl
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :the problem was
:XYZ!@=kzx.unifi.com PRIVMSG Clark :that she was talking in german:(
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :and i don't know even a word
:XYZ!@=kzx.unifi.com PRIVMSG Clark :in this language
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :it's really a pity
:XYZ!@=kzx.unifi.com PRIVMSG Clark :but she was really happy
:XYZ!@=kzx.unifi.com PRIVMSG Clark :to talk with me
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:Clark!~oo@62.98.80.bg994= PART #H@ck|n'T|m3
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :blah blah blah blah
:irc.site.com 421 Clark getlag :Unknown command
:irc.site.com 421 Clark getlag :Unknown command
:XYZ!@=kzx.unifi.com PRIVMSG Clark :pk, let's close the query
ERROR :QUIT: 12Fate 14X

In the same way it is possible to sniff the outgoing messages, from the victim to the readdressing.

Practice:

First of all you need a program that readdresses the traffic incoming on a port of your machine to a remote system on a predefined port, and vice versa. For this you need a port listener and a program to monitor the incoming and outgoing traffic on a predefined port. I think you know where to find such a program; I have been using for a long time a program from http://skd.box.sk/, but I think the site is down at the moment (try http://the-hack.net/utilities/uti11.html). Just set the port you want to put in listening (the port to which the victim will connect), the ip address or hostname of the server to which we want to readdress the traffic incoming on the local port, its port as well, and the files in which input and output traffic will be logged.

Now the question is: how can I make the victim connect through my pc? Have you ever heard of social engineering? Here you must be creative, and smart enough to find the best way: you can say it's one of the best servers, for example; the smarter the victim, the better your indications must be :) Just find a victim and, through social engineering, "push" him to connect to your ip on the local port that the program has in listening; now wait for the victim.

For example:

1) IRC sniffing
local port: 6667
connect: port: 6667
where the address after "connect:" is the ip address or hostname of the irc server to which we want to readdress the victim. In this way you can sniff the chat session of the victim and of the people who are chatting with him.
2) Pop3 sniffing
local port: 110
connect: port: 110
where the address after "connect:" is the ip address or hostname of the pop3 server (incoming mail) to which we want to readdress the victim, possibly the pop3 server of the victim's own account, so that the victim logs in to it and we get his user/pass. Once you have this, you know what you can do: you can find out city, street, phone number, log in to the members area of his provider's homepage, and so on.

Advice for the young at heart:

If you want to do some social engineering, use a socks proxy, so the victim won't see your real ip address.

Then, if you want to sniff a query, it is not necessary to readdress the connection of the victim himself: you can use someone else, for example by readdressing the connection of a dude who is always talking with our victim; in this way you receive the messages sent to him. As in the example, we could sniff messages from XYZ even though he was not actually our victim.

End of transmission
_______________________________________________________________________________
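Two defensive checks for the readdressing described in the Practice section (items 1 and 2), written here as an added example that is not part of Jobbe's article and is not the redirection program he refers to. The first parses IRC server lines of the kind shown in the log and flags replies whose server prefix differs from the host the client was told to connect to: a readdressed client dials the relay's address, but every reply is still stamped with the real server's name (`:irc.site.com 421 ...`). The second walks a POP3 login and reports whether USER/PASS would be readable in transit, including the case where an STLS request is refused. The function names, the transcripts and the address 203.0.113.5 (a documentation address standing in for a relay) are my own constructions.

```python
"""Added example (not part of Jobbe's article): two checks a defender can
run over captured session lines to recognise the kind of readdressing the
article describes.  The IRC and POP3 transcripts below are constructed;
203.0.113.5 is a documentation address standing in for a relay host."""
import re

# RFC 1459 line layout: [':' prefix ' '] command [params] [' :' trailing]
_IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')


def parse_irc_line(line):
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = _IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        return None
    params = m.group('params') or ''
    if params.startswith(':'):
        middle, trailing = '', params[1:]
    elif ' :' in params:
        middle, trailing = params.split(' :', 1)
    else:
        middle, trailing = params, None
    return {'prefix': m.group('prefix'), 'command': m.group('command'),
            'params': middle.split(), 'trailing': trailing}


def is_server_prefix(prefix):
    # users are prefixed nick!user@host; a server is a bare host name
    return bool(prefix) and '!' not in prefix and '@' not in prefix


def redirect_indicators(configured_host, lines):
    """Server names that answer although the client was pointed at configured_host.

    A relay in the middle passes the real server's replies through unchanged,
    so the name the server uses for itself no longer matches what was dialled.
    """
    mismatched = set()
    for line in lines:
        msg = parse_irc_line(line)
        if msg and is_server_prefix(msg['prefix']) \
                and msg['prefix'].lower() != configured_host.lower():
            mismatched.add(msg['prefix'])
    return mismatched


def audit_pop3_transcript(port, transcript):
    """Report what a relay could read from a POP3 login.

    transcript is a list of ('C', line) / ('S', line) pairs in wire order.
    Credentials are protected only by implicit TLS (port 995) or by an STLS
    accepted by the server before USER/PASS; a relay that answers STLS with
    -ERR pushes a client that falls back into sending them in the clear.
    """
    findings = []
    tls = port == 995
    awaiting_stls_reply = False
    for side, raw in transcript:
        line = raw.rstrip('\r\n')
        if side == 'C':
            cmd = line.split(' ', 1)[0].upper()
            if cmd == 'STLS':
                awaiting_stls_reply = True
            elif cmd in ('USER', 'PASS') and not tls:
                findings.append(f'{cmd} sent in clear text')
            elif cmd == 'APOP' and not tls:
                findings.append('APOP digest sent in clear text (password itself not exposed)')
        elif awaiting_stls_reply:
            awaiting_stls_reply = False
            if line.startswith('+OK'):
                tls = True
            else:
                findings.append('STLS refused by server: possible downgrade')
    return findings


# constructed sample traffic (not captured data)
SAMPLE_IRC = [
    ':irc.site.com 001 Clark :Welcome to the network',
    ':XYZ!xyz@kzx.example PRIVMSG Clark :do you remember the site?',
    ':irc.site.com 421 Clark getlag :Unknown command',
]
PLAIN_POP3 = [('S', '+OK POP3 ready'), ('C', 'USER clark'), ('S', '+OK'),
              ('C', 'PASS secret'), ('S', '+OK logged in')]
STLS_POP3 = [('S', '+OK POP3 ready'), ('C', 'STLS'), ('S', '+OK begin TLS'),
             ('C', 'USER clark'), ('S', '+OK'), ('C', 'PASS secret'), ('S', '+OK')]
DOWNGRADED_POP3 = [('S', '+OK POP3 ready'), ('C', 'STLS'), ('S', '-ERR not supported'),
                   ('C', 'USER clark'), ('S', '+OK'), ('C', 'PASS secret'), ('S', '+OK')]

if __name__ == '__main__':
    print('client dialled irc.site.com :', redirect_indicators('irc.site.com', SAMPLE_IRC))
    print('client dialled 203.0.113.5  :', redirect_indicators('203.0.113.5', SAMPLE_IRC))
    for name, t in (('plain', PLAIN_POP3), ('stls', STLS_POP3), ('downgraded', DOWNGRADED_POP3)):
        print(f'pop3 {name}:', audit_pop3_transcript(110, t))
```

A server-name mismatch is an indicator to confirm, not proof: networks that use round-robin DNS or server aliases also answer under a name other than the one dialled, so check it against the 002 "Your host is" reply and the host's DNS before concluding anything. The underlying fix for both protocols is transport encryption (IRC on 6697, POP3 on 995 or with STLS): a relay cannot read a TLS session without presenting a certificate the client would reject.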