I'm trying to write a tcp stream 'tunnel' (similar to the ones SSH handles by default) but with one exception, I have to rewrite certain information as it flows through.

I'm certain there's something similar out there but I have not been able to find it. I have three main questions:

  • Is there an easy way to save a tcp stream for observation? (i.e. using netcat, or a ssh -r/-l/-D, or using some other utility altogether)
  • How hard is it to rewrite the stream on the fly?

Edit: The information being rewritten would be just the initial authentication.

+2  A: 

Pretty sure Ettercap supports rewriting of TCP streams.

tcpdump can write out packet captures, which you could then later analyze using Wireshark

If you want to do it programmatically, you could inspect their respective sources to get ideas of where to start.

Steven Schlansker
A: 

I'm not sure if this is what you are asking, but ...

You cannot rewrite an SSL stream on the fly unless you have the private key for the server's SSL cert ... or you can intercept it at some point (in the client or server address space) where it is not SSL protected. If you could, SSL would be a waste of time.

Similarly, if you capture the entire contents of an SSL stream (in both directions), it will do you no good, unless you have the relevant private keys.

Stephen C
You can do this, if you also control the client - because you can tell the client to accept *your* certificate.
caf
Ah yes ... but what about the fact that the stream is encrypted? Don't you need the server's private key to figure out what session key the client is using to encrypt the stuff it sends?
Stephen C
Imagine `socat ssl-l:4443 ssl:host:443`; or equivalently, a `stunnel` daemon wrapping a `stunnel` client; or equivalently, an `openssl s_server` joined to an `openssl s_client`. This is two completely independent SSL streams, one from client to proxy and one from proxy to server.
ephemient
Hmmm ... I see.
Stephen C
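The comments above describe the shape of the thing the question asks for: a relay that terminates the client's connection, opens its own connection to the real server, and sits between the two streams. The following is an added example, not code from any of the posters, showing that shape for a plaintext protocol: it records both directions to a file for later observation and rewrites only the client's first line (the "initial authentication" the question mentions), buffering until the whole line has arrived so that a value split across two `recv()` calls is still rewritten correctly. The `transform` callback, the `AUTH alice` line and the toy target in `demo()` are constructed for the example; nothing here works on an SSL/TLS stream, for the reasons given in the answer above.

```python
import socket
import threading


class HeaderRewriter:
    """Buffers the first line of a stream so `transform` sees it whole, even
    when it arrives split across several recv() calls; every byte after that
    line is passed through untouched."""

    def __init__(self, transform, max_header=4096):
        self.transform = transform      # bytes -> bytes, applied exactly once
        self.max_header = max_header    # stop buffering past this many bytes
        self.buf = bytearray()
        self.passthrough = False

    def feed(self, chunk):
        if self.passthrough:
            return chunk
        self.buf += chunk
        nl = self.buf.find(b"\n")
        if nl == -1 and len(self.buf) < self.max_header:
            return b""                  # hold until the whole line is here
        cut = len(self.buf) if nl == -1 else nl + 1
        head, rest = bytes(self.buf[:cut]), bytes(self.buf[cut:])
        self.buf = bytearray()
        self.passthrough = True
        return self.transform(head) + rest

    def flush(self):
        """Emit whatever is still buffered (peer closed before a newline)."""
        if self.passthrough:
            return b""
        self.passthrough = True
        head, self.buf = bytes(self.buf), bytearray()
        return self.transform(head)


class Capture:
    """Appends each chunk, hex-encoded and tagged with its direction, to a
    file; the raw bytes are recorded before any rewriting happens."""

    def __init__(self, path):
        self.fh = open(path, "ab")
        self.lock = threading.Lock()

    def record(self, label, chunk):
        with self.lock:
            self.fh.write(label + chunk.hex().encode() + b"\n")
            self.fh.flush()


def pump(src, dst, rewriter, capture, label):
    """Copy src -> dst until EOF, then half-close dst so the far end sees it."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            if capture is not None:
                capture.record(label, chunk)
            if rewriter is not None:
                chunk = rewriter.feed(chunk)
            if chunk:
                dst.sendall(chunk)
        if rewriter is not None:
            tail = rewriter.flush()
            if tail:
                dst.sendall(tail)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_tunnel(target_addr, transform, capture=None):
    """Listen on a random loopback port and relay each client to target_addr,
    rewriting only the client's first line. Returns the bound port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def handle(client):
        upstream = socket.create_connection(target_addr)
        up = threading.Thread(target=pump, args=(client, upstream, HeaderRewriter(transform), capture, b"C>S "))
        down = threading.Thread(target=pump, args=(upstream, client, None, capture, b"S>C "))
        up.start(); down.start(); up.join(); down.join()
        client.close(); upstream.close()

    def accept_loop():
        while True:
            client, _ = listener.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def demo():
    """Constructed end-to-end run: a toy target reads one line and echoes it
    back prefixed with b"GOT:"; the tunnel rewrites the user name in the
    client's first line, which is deliberately sent in two pieces."""
    target = socket.socket()
    target.bind(("127.0.0.1", 0))
    target.listen(1)

    def serve_one():
        conn, _ = target.accept()
        conn.sendall(b"GOT:" + conn.recv(4096))
        conn.close()

    threading.Thread(target=serve_one, daemon=True).start()
    port = start_tunnel(target.getsockname(), lambda head: head.replace(b"alice", b"bob"))
    client = socket.create_connection(("127.0.0.1", port))
    client.sendall(b"AUTH al")
    client.sendall(b"ice\n")
    reply = client.recv(4096)
    client.close()
    target.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

The buffering in `HeaderRewriter` is the part that matters in practice: a naive `data.replace()` on each chunk silently misses a token that straddles a chunk boundary, which is exactly the kind of intermittent failure that makes an on-the-fly rewrite look flaky. The `Capture` record is written before the rewrite so the file shows what the client actually sent, which is what you want when reviewing the session afterwards.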
A: 

Not to toot my own horn, but I wrote some code to do exactly this in a framework I wrote a long time ago for asynchronous IO. There are a lot of things about the code that are kind of dated now, but it does work. Here's a link to the web page on it:

The thing I wrote that does the tunnel thing you want is called PortForward, and there's also something there that will dump out a TCP stream, but I forgot what I called it. They can be easily combined because of how the framework works.

I have to run off to see a movie now, but I'll come back if you want help using it to accomplish that goal. As others have pointed out, it is impossible to re-write an SSL stream on the fly. So if your connection is using encryption and/or MACs (one way this would be true is if it were SSL) you're out of luck.

Omnifarious
+3  A: 
ephemient
Oh wow Thanks. I'm always impressed by the level of quality of answers here.
Achille
Thanks for the pointer to socat.
Omnifarious
More versatile than the venerable "network swiss army knife" netcat: socat has replaced most of my usages of netcat, telnet, proxytunnel, rlwrap, and many other little utilities. I'm glad to share excellent tools :-)
ephemient