I suggest reading this document and running each command
in order to understand how to use netwox. Note that you have
to adapt device names, IP addresses and Ethernet addresses for the
commands to work on your computers.
Preliminary notes
Some netwox tools need to be run with administrator privileges.
Netwox currently only supports Ethernet/PPP networks for low level actions
(sniff, spoof).
However, every kind of network is supported for high level actions (clients, servers, etc.).
Main usage
The main syntax is :
# netwox toolnumber [parameters ...]
For example :
# netwox 23
# netwox 23 --extended
# netwox 23 -e
To obtain help about tool 23, run :
# netwox 23 --help
To obtain help and full description about tool 23, run :
# netwox 23 --help2
Netwag
This documentation covers netwox, which is a command line utility. Netwag
is a graphical front end to netwox. It has some advantages such as easy
parameter selection (open netwag, double-click on a tool (for example 7),
and a form appears for easy generation of parameters).
Interactive help mode
When using netwox without parameters, it enters interactive help mode.
This mode lets users find and run the tool they need.
Here is one example of tool selection :
# netwox
########## MAIN MENU
0 - leave netwox
3 - search tools
a + information
b + network protocol
c + application protocol
d + sniff
e + spoof
f + record
g + client
h + server
i + tools not related to network
j + administrators' tools
k + attack tools
Select a node (key in 03abcdefghijk): d
########## sniff
0 - leave netwox
1 - go to main menu
2 - go to previous menu
3 - search tools
a - 7:Sniff
b - 10:Sniff and display network statistics
c - 11:Sniff and verify checksums
d - 13:Obtain DLT type for sniff and spoof for each device
Select a node (key in 0123abcd)> a
Here is how to use this tool:
Title: Sniff
Note:
Usage: netwox 7 [-d device] [-f filter] [-r] [-p] [-i] [-t] [-s] [-H encode] [-D
encode] [-o file_dst] [-R recordencode] [-c uint32] [-C uint32]
Name Description (defaultvalue)
--help display this help
--kbd ask missing parameters from keyboard
--argfile file ask missing parameters from file
-d|--device device device name (Eth0)
-f|--filter filter pcap filter ()
-r|--rawip|+r|--no-rawip sniff at IP level (0)
-p|--pause|+p|--no-pause can pause (0)
-i|--ipreas|+i|--no-ipreas reassemble IP packets (0)
-t|--tcpreord|+t|--no-tcpreord reorder TCP packets (0)
-s|--screen|+s|--no-screen display to screen (1)
-H|--hdrencode encode header encoding type for screen (array)
-D|--dataencode encode data encoding type for screen (dump)
-o|--outfile file_dst save in record file (dstfile.txt)
-R|--recordencode recordencode encoding type for record file (bin)
-c|--split-size uint32 maximum size of record in kb (0)
-C|--split-age uint32 maximum age of record in seconds (0)
Example: netwox 7
Now, some examples are described. If they do not correspond to your needs,
use the interactive help mode (or netwag's search) to find the appropriate
one.
Tool 1 : local configuration
# netwox 1
################################### Devices ###################################
nu dev ethernet_hwtype mtu real_device_name
1 Lo0 loopback 1500 Loopback
2 Eth0 00:01:01:01:01:01 1500 \Device\3COM
##################################### IP ######################################
nu ip /netmask ppp point_to_point_with
1 127.0.0.1 /255.0.0.0 0
2 192.168.1.2 /255.255.254.0 0
############################## ArpCache/Neighbor #############################
nu ethernet ip
2 00:01:01:01:01:01 192.168.1.2
2 00:02:02:02:02:02 192.168.1.254
#################################### Routes ###################################
nu destination /netmask source gateway metric
1 127.0.0.1 /255.255.255.255 local 0
2 192.168.1.2 /255.255.255.255 local 0
2 192.168.1.0 /255.255.255.0 192.168.1.2 0
2 0.0.0.0 /0.0.0.0 192.168.1.2 192.168.1.254 1
In this example, we see the loopback device (Lo0), and network card
Eth0 (whose real name is \Device\3COM).
The arp table contains permanent entries, and the dynamic entry for
the router 192.168.1.254.
The routing table first contains entries to access local devices, then
the networks connected to the local devices, and finally the default router
192.168.1.254.
Tool 3 : print information about a hostname
# netwox 3 host1
IP address: 192.168.1.1
Hostname: host1
Hostnames: host1
Eth address: 00:01:01:01:01:01
This tool obtains the IP address of host1.
Moreover, if host1 is on the LAN, we obtain its Ethernet address.
Here is another example :
# netwox 3 192.168.1.1
# netwox 3 -q 192.168.1.1
# netwox 3 --query 192.168.1.1
IP address: 192.168.1.1
Hostname: host1
Hostnames: host1
Eth address: 00:01:01:01:01:01
Tool 87 : real tcp client
# netwox 87 192.168.1.2 21
220 host2 FTP server
QUIT
221 Goodbye.
This tool is a tcp client. This command connects to the
FTP server on port 21 at address 192.168.1.2. It is equivalent
to "telnet 192.168.1.2 21".
Here is another example downloading a web page (port 80 of www.server.com) :
# netwox 87 www.server.com 80
GET / HTTP/1.0
_here_enter_one_blank_line_
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2002 08:43:27 GMT
[...]
Data from keyboard or network can also be encoded or decoded :
# netwox 87 192.168.1.2 21 -encode "dump"
32 32 30 20 46 54 50 20 0d 0a # 220 FTP..
QUIT
32 32 31 20 47 6f 6f 64 62 79 65 2e 0d 0a # 221 Goodbye...
Tool 87 : virtual tcp client
When tool 87 is called with a device and source/destination addresses,
it acts as a virtual client.
A real client/server uses the IP address and Ethernet address
of the current computer (they are classical sockets).
A virtual client/server uses a spoofed IP address and
Ethernet address. For example, a virtual tcp client behaves like this :
- spoof a syn packet
- sniff the syn-ack from the server
- spoof an ack packet to complete the handshake
- then, it behaves exactly like a real client
In order to create a virtual client connecting to a server (for example
connecting to port 25 of 192.168.1.2) located on the LAN, you have to :
- know the local device name to use (can be obtained with
"netwox 1"). For example Eth0.
- choose one false Ethernet address to use. For example
aa:bb:cc:dd:ee:ff.
- know the ethernet address of the computer
(netwox 3 192.168.1.2). For example 00:02:02:02:02:02.
- choose one false IP address (it should not be used by another
computer). For example 192.168.1.3.
- choose a random port. For example 1234.
Here is this example :
# netwox 87 -d "Eth0" -E "aa:bb:cc:dd:ee:ff" -e "00:02:02:02:02:02" -I "192.168.1.3" -i "192.168.1.2" -p "25"
[...]
In order to create a virtual client connecting to a server (for example
connecting to port 25 of 192.168.1.2) not located on the LAN, you have to :
- know the local device name to use (can be obtained with
"netwox 1"). For example Eth0.
- choose one false Ethernet address to use. For example
aa:bb:cc:dd:ee:ff.
- know the ethernet address of the router
(netwox 3 192.168.1.254). For example 00:FE:FE:FE:FE:FE.
- choose one false IP address (it should not be used by another
computer). For example 192.168.1.3.
- choose a random port. For example 1234.
Here is this example :
# netwox 87 -d "Eth0" -E "aa:bb:cc:dd:ee:ff" -e "00:FE:FE:FE:FE:FE" -I "192.168.1.3" -i "192.168.1.2" -p "25"
[...]
Two simple modes for virtual clients were presented. Depending on your needs,
they can be adapted.
Tool 89 : real tcp server
This tool creates a listening tcp server. It can be used to communicate
between two computers.
For example, computer host1 can run tool 89, and computer host2 can run
tool 87. In this example, we choose to listen on port 1234 :
On host1 :
# netwox 89 1234
On host2, then run :
# netwox 87 host1 1234
_write_ Hello _newline_
Hello
_write_ Hi _newline_
Hi
_write_ Hola _newline_
Hola
[...]
Tool 7 : sniff packets and display them
This tool displays packets of the network. You have to select the
device on which to intercept packets.
# netwox 7
ETH_____________________________________________________________________.
| 00:01:01:01:01:01 vers 00:02:02:02:02:02 type : 0x0800 |
|_______________________________________________________________________|
IP______________________________________________________________________.
|version | ihl | tos | totlen |
|___ 4___|___ 5___|_______ 0_______|____________0054h= 84____________|
| id |xxDfMf fragoffset |
|____________061Dh= 1565____________|0_0_0__________0000h= 0_________|
| ttl | protocol | header checksum |
|_____40h= 64_____|_____01h= 1_____|_______________DF38h_______________|
| source |
|______________________________192.168.1.1______________________________|
| destination |
|______________________________192.168.1.2______________________________|
ICMP_(echo request)_____________________________________________________.
| type | code | checksum |
|_____08h= 8_____|_____00h= 0_____|____________2829h=10281____________|
65 01 01 00 91 04 40 3C AC 91 01 00 08 09 0A 0B # e.....@<........
[...]
Generally, on a network with a lot of traffic, sniffing intercepts too many packets.
If you want to restrict which packets are sniffed, use a filter.
The basic items of a BPF filter are :
host 1.2.3.4
net 192.168.10
net 192.168.10.0 mask 255.255.255.0
net 192.168.10.0/24
port 21
dst host 1.2.3.4
src port 2345
ether host a:b:c:d:e:f ("ether a:b:c:d:e:f" is not working)
ether src aa:bb:cc:dd:ee:ff
ip
arp
rarp
tcp
icmp
udp
Here are filter examples :
host 1.2.3.4
net 192.168 and icmp
host 1.2.3.4 or dst port 80
(udp or tcp) and not host 1.2.3.4
Now, just an example with a filter :
# netwox 7 -f "host 192.168.1.1"
[...]
Tool 7 : sniff packets and save them in a record
Sometimes, we want to sniff packets and save them in a file (a "record").
# netwox 7 -p -o thefile -R "mixed_wrap"
Press q to exit. Press p to pause.
Tool 15 : display a record
With tool 7, we've saved Ethernet data in the file 'thefile'. This tool
displays its contents.
# netwox 15 -f thefile
[...]
Tool 14 : spoof a record
We can also resend the data of a record :
# netwox 14 -f thefile
[...]
Generally, we want to modify data before resending it. So, the file
has to be edited. The procedure is quite simple :
- edit thefile to change the packets
- use tool 15 to ensure packets are correctly modified
- use tool 14 to send new packets
Tool 36 : {Ethernet,IP,TCP} spoof specified by user
This example spoofs a SYN packet :
# netwox 36 -d "Eth0" -a "1:2:3:4:5:6" -b "7:8:9:a:b:c" -l "1.2.3.4" -m "5.6.7.8" -o "1234" -p "80" -C
Ethernet________________________________________________________________.
| 01:02:03:04:05:06->07:08:09:0A:0B:0C type:0x0800 |
|_______________________________________________________________________|
IP______________________________________________________________________.
|version | ihl | tos | totlen |
|___4____|___5____|_____0x00=0______|_____________0x0028=40_____________|
| id | DfMf offsetfrag |
|____________0x095A=2394____________|0_0_0____________0x0000=0__________|
| ttl | protocol | checksum |
|_____0x00=0______|_____0x06=6______|______________0xA163_______________|
| source |
|________________________________1.2.3.4________________________________|
| destination |
|________________________________5.6.7.8________________________________|
TCP_____________________________________________________________________.
| source port | destination port |
|____________0x04D2=1234____________|_____________0x0050=80_____________|
| seqnum |
|_________________________0x40EC052C=1089209644_________________________|
| acknum |
|_____________________________0x00000000=0______________________________|
| doff |reserved CwEcUrAc PsRsSyFi| window |
|___5____|0_0_0_0__0_0_0_0__0_0_1_0_|_____________0x0000=0______________|
| checksum | urgptr |
|___________0x5495=21653____________|_____________0x0000=0______________|
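The IP and TCP checksums in the display above can be recomputed from the other fields it shows, which is how a receiver (or a checksum-verifying sniffer) decides whether a header is internally consistent. The script below is an added example, not part of netwox or of the original document; the function names are illustrative, and it assumes the fixed layout shown above (ihl 5, tos 0, no fragmentation, a bare SYN with no options or payload).

```shell
#!/bin/sh
# Added example (not netwox code): recompute the checksums printed by
# "netwox 36" from the other fields it displays.

# RFC 1071 checksum over 16-bit words given as hex strings.
inet_cksum() {
    sum=0
    for w in "$@"; do sum=$(( sum + 0x$w )); done
    while [ $(( sum >> 16 )) -ne 0 ]; do        # fold carries back in
        sum=$(( (sum & 0xFFFF) + (sum >> 16) ))
    done
    printf '%04x\n' $(( ~sum & 0xFFFF ))
}

# Dotted-quad address -> two 16-bit hex words.
ip_words() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%02x%02x %02x%02x\n' "$1" "$2" "$3" "$4"
}

# 32-bit number -> two 16-bit hex words.
u32_words() { printf '%04x %04x\n' $(( $1 >> 16 )) $(( $1 & 0xFFFF )); }

# ipv4_cksum TOTLEN ID TTL PROTO SRC DST [STORED_CHECKSUM]
# Assumes ihl=5, tos=0 and no fragmentation, as in the display above.
ipv4_cksum() {
    inet_cksum 4500 "$(printf '%04x' "$1")" "$(printf '%04x' "$2")" 0000 \
        "$(printf '%02x%02x' "$3" "$4")" "${7:-0000}" \
        $(ip_words "$5") $(ip_words "$6")
}

# tcp_syn_cksum SRC DST SPORT DPORT SEQ [STORED_CHECKSUM]
# Bare SYN: doff=5, only the SYN flag, ack=0, window=0, urgptr=0.
# The first six words are the TCP pseudo-header (src, dst, proto 6, length 20).
tcp_syn_cksum() {
    inet_cksum $(ip_words "$1") $(ip_words "$2") 0006 0014 \
        "$(printf '%04x' "$3")" "$(printf '%04x' "$4")" $(u32_words "$5") \
        0000 0000 5002 0000 "${6:-0000}" 0000
}

# Field values copied from the netwox 36 display above.
ipv4_cksum 40 2394 0 6 1.2.3.4 5.6.7.8              # IP header checksum
tcp_syn_cksum 1.2.3.4 5.6.7.8 1234 80 1089209644    # TCP checksum
# Receiver-side check: with the stored checksum in place the result is 0000.
ipv4_cksum 40 2394 0 6 1.2.3.4 5.6.7.8 a163
```

The first two calls reproduce the 0xA163 and 0x5495 values shown in the display; any other result for a captured header means a field was altered without the checksum being updated.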
Tool 59 : tcp traceroute
The traceroute tool lists the routers located on the way to a computer.
For example, with the following architecture, computer 192.168.1.1
has to go through two routers before reaching 192.168.30.2 :
 ,____.    ,________.    ,________.    ,____.
 | 192|    |192  192|    |192  192|    |192 |
 | 168|____|168  168|____|168  168|____|168 |
 |   1|    |1     20|    |20    30|    |30  |
 |   1|    |254    1|    |2      1|    |2   |
 `----'    `--------'    `--------'    `----'
Tool 59 traces the route to a computer that has an open tcp port. For example,
to reach computer 192.168.30.2 with a web server (port 80), with a limit
of 30 hops :
# netwox 59 192.168.30.2 -p 80 -t 30
1 : 192.168.1.254
2 : 192.168.20.2
3 : 192.168.30.2
Destination reached.
If we use a closed port, we obtain :
# netwox 59 192.168.30.2 -p 81 -t 30
1 : 192.168.1.254
2 : 192.168.20.2
3 : 192.168.30.2
Destination reached.
Note : the TCP port 81 is closed (a reset was received).
If the computer is unreachable, we obtain :
# netwox 59 192.168.30.2 -p 80 -t 30
1 : 192.168.1.254
2 : 192.168.20.2
3 : 192.168.20.2 : destination unreachable - host
4 : 192.168.20.2 : destination unreachable - host
If the number of hops is too small, we obtain :
# netwox 59 192.168.30.2 -p 81 -t 2
1 : 192.168.1.254
2 : 192.168.20.2
maxttl(2) was too short to reach the destination
Tool 49 : icmp ping
This tool checks if a computer can be reached.
If the computer is on the LAN, we obtain its Ethernet address :
# netwox 49 192.168.1.2
[...]
Tool 73 : answer to ARP/ping request for a computer
Tool 73 simulates the presence of a computer.
For example, to simulate the computer 192.168.1.3 with Ethernet address
aa:bb:cc:dd:ee:ff, enter :
# netwox 73 -i 192.168.1.3 -e aa:bb:cc:dd:ee:ff
Then, from another computer, enter :
# ping 192.168.1.3
or
# netwox 49 192.168.1.3
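A simulated computer shows up in its neighbours' ARP caches like any other host, so the ArpCache/Neighbor section printed by tool 1 can be checked against a list of expected IP-to-Ethernet pairs. The script below is an added example, not part of netwox or of the original document; the function names, the inventory file format and the sample snapshot are constructed for illustration.

```shell
#!/bin/sh
# Added example (not netwox code): audit the ArpCache/Neighbor section of
# "netwox 1" output against a list of expected IP-to-Ethernet pairs.

# arp_audit INVENTORY_FILE   (reads "netwox 1" output on stdin)
# Inventory lines are "<ip> <ethernet>". Prints one finding per line.
arp_audit() {
    awk -v inv="$1" '
        BEGIN {
            while ((getline line < inv) > 0) {
                split(line, f, " ")
                known[f[1]] = tolower(f[2])
            }
        }
        # A banner line such as "#### Routes ####" starts a new section.
        /^#+ .* #+$/ { in_arp = ($0 ~ /ArpCache/); next }
        in_arp && $1 ~ /^[0-9]+$/ {
            mac = tolower($2); ip = $3
            if (!(ip in known)) {
                print "UNKNOWN " ip " " mac
            } else if (known[ip] != mac) {
                print "CHANGED " ip " " known[ip] " -> " mac
            }
        }'
}

# Constructed sample in the layout shown for tool 1 (banners shortened).
SNAPSHOT='######## ArpCache/Neighbor ########
nu ethernet ip
2 00:01:01:01:01:01 192.168.1.2
2 00:0F:0F:0F:0F:0F 192.168.1.254
2 aa:bb:cc:dd:ee:ff 192.168.1.3
######## Routes ########
2 192.168.1.0 /255.255.255.0 192.168.1.2 0'

# Run the audit on the sample with a two-entry constructed inventory.
arp_audit_demo() {
    inv=$(mktemp) || return 1
    printf '%s\n' '192.168.1.2 00:01:01:01:01:01' \
                  '192.168.1.254 00:02:02:02:02:02' > "$inv"
    printf '%s\n' "$SNAPSHOT" | arp_audit "$inv"
    rm -f "$inv"
}
arp_audit_demo
```

On a live system, replace the sample with `netwox 1 | arp_audit inventory.txt`, where inventory.txt is a file you maintain.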
Tool 67 : scan of IP range, for TCP port range
Sometimes, we do not know which ports are open on a computer. This tool
scans a computer and lists open TCP ports.
For example, to scan tcp ports between 20 and 25 of 192.168.1.2 :
# netwox 67 -i 192.168.1.2 -p 20-25
192.168.1.2 - 21 : open
192.168.1.2 - 22 : open
192.168.1.2 - 10 : timeout
Tool 30 : convert a file from dos to unix
The end-of-line markers of Windows and Unix are different. Tool 30 is a utility
to convert files :
# netwox 30 filein fileout
# netwox 30 --src-file filein --dst-file fileout
Using Tcl scripting language
Sometimes, we want to use netwox tools in a loop. Under Unix, this can
be done using a Shell or Perl script. Under Windows the Tcl language
is often the only available solution (Tcl is installed if you installed
netwag, which is recommended under Windows).
Here is a sample Tcl script :
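#!/usr/bin/wish
# Run "netwox 3" on 192.168.0.0 through 192.168.0.2 and print each result.
for {set i 0} {$i < 3} {incr i} {
    puts "\nTesting $i"
    set ipad "192.168.0.$i"
    # catch returns non-zero if netwox fails; data then holds the error text.
    if {[catch {exec netwox 3 $ipad} data]} {
        puts "Error during exec : $data"
    } else {
        puts $data
    }
}
exit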
Conclusion
Other tools are described here.
If you have read this document carefully, you should be able to use them.
Availability
Toolbox netwox is available at :
http://ntwox.sourceforge.net/