Tag Archives: tcp

Fiddling Around with Skype

As I said last week, I’ve been working with a partner (Mohammad Jalali) on a project for our networks course.

The idea:  given an arbitrary IP and port number, we want to find a way of determining whether or not there is an FTP server, an HTTP server, or a Skype node on the other side.  FTP and HTTP are trivial – those protocols essentially announce themselves to the world.

Skype clients, on the other hand, act a little more strangely.  Skype goes out of its way to hide its traffic – from straight-up encryption, down to making their client executable really hard to reverse engineer.  Because of this, Skype has been an interesting challenge to the hacker community.

Anyhow, my partner and I have learned a few interesting things about Skype – and in particular, we’ve found a reliable way to determine whether or not Skype is running behind an arbitrary IP and port.  Cool.

Fact 1:  Skype pretends to be an HTTP server

I’m serious, it does.  Using Wireshark, we noticed that both UDP and TCP packets were being sent to one particular port.  Pretty funny behavior…so, we took a closer look.  And this is what we found.  Pop open your Skype client, connect to the network, then use nmap to find the ports that Skype is using:


$>nmap localhost -p10000-50000

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-01 20:33 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 39999 closed ports
PORT      STATE SERVICE
48915/tcp open  unknown

Ok, cool – there’s something at 48915, and it looks like it accepts TCP connections.  Pop open Telnet, connect to it, and feed it an HTTP request:


$>telnet localhost 48915
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 404 Not Found
Connection closed by foreign host.

Ok, we got an HTTP response – looks like there’s an HTTP server back there, right?

Wrong.  Reconnect, and send it some garbage:


$>telnet localhost 48915
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
thisissomegarbagetextthatisnotanHTTPrequest
��Nun��2�=���1��N$O/(����
���u.)(yy�g��$
ș�oT�b렑�-z#x�&���[P���\��(yVO���

See all of those funny characters down at the bottom?  That’s what I got back.  In the words of Obi-Wan Kenobi…that’s no HTTP server…it’s a space station (Skype node).

So we’ve learned something here – Skype opens a port, and “spoofs” an HTTP server.  We can easily check for this – just write a script that connects to a port, spews some garbage, and check to see if we got binary garbage back.

It’s so easy, that someone else has already done it.  Remember that nmap tool we used earlier?  Somebody over in that camp wrote a script for the Nmap Scripting Engine that runs this exact analysis on some ip/port.  Don’t believe me?  Read the script yourself! We stumbled upon that script while trying to figure out what Skype was doing with the spoofed HTTP server.
And sure enough:

$>nmap localhost -p48915 --script skype.nse
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-01 20:45 EST
Interesting ports on localhost (127.0.0.1):
PORT      STATE SERVICE
48915/tcp open  skype2

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Hmph.  So much for cutting edge, never-been-done research.  Go figure.

Fact 2:  Given some UDP packets, Skype echos back a predictable pattern

For this part, we’re pretty sure no one else has tried this.

While connected to Skype, we recorded some packets with tcpdump.  We wrote a script that loaded up those packets, and could “replay” the packet payloads to an arbitrary IP and port.

So, we played some packets against an IP/port with Skype behind it.  Most of the time, we got TCP packets with RST flags (which is TCP’s way of telling us to “shut yer trap”).  But wayyyy down in the middle, there was a section of UDP packets that actually got a response:

From Misc Blog Images

192.168.0.19 was the computer we were playing the packets from, and 192.168.0.14 was the computer with Skype running on it. See those UDP packets that are getting echoed back?  That’s the interesting part…instead of just shutting us down with RST’s, Skype appears to be saying something back.

So, is there a pattern in all of this?  Actually yes.  We isolated 4 of those UDP packets, and repeatedly fired them at the same IP/Port on the computer running Skype, and we found a pattern.

The pattern:  the first two bytes that are sent in our UDP packets are echo’d back to us in the first two bytes of the UDP packets that come back.

So, for example,  one UDP payload we sent looked like this:

92 40 02 a1 66 65 ea 0d 8c 82 c3 0c 27 cd c5 e7
4e 78 fe a1 50 a6

And we got back:

92 40 17 c0 a8 00 13 74 a0 41 f0

See that common 92 40?  Bingo.  😉

And it’s pretty consistent – if we repeat the same UDP packet, we get (almost) the same response.


92 40 67 c0 a8 00 13 11 00 10 4f

And if we repeat again…


92 40 37 c0 a8 00 13 68 08 43 3a

92, 40, and c0, a8, 00, 13. Nice!  Looks like a fingerprint to me!

Except…

Except, remember, we already found a way of determining whether or not Skype was running behind a given IP/port.  This last finding was just bonus.  My partner and I aren’t sure if our instructor is going to let us stay with this topic, seeing as how it’s pretty much been solved by other people before.  We’ve only got 2 weeks before this project is due, so…if we get another project, let’s hope it’s relatively simple.  Push come to shove, we could always try to fingerprint a different protocol…maybe BitTorrent clients.

Either way, working on this stuff has been pretty cool…and it let me try out some pretty neat tools that are usually reserved for the people with coloured hats (and no, I didn’t mean Red Hat):

  • nmap: port scanner that can also do service/os fingerprinting
  • Scapy: sculpt, gut, spoof, manipulate, and send packets – the power of C, with the simplicity of Python!  We used Scapy as a library while writing our scripts.  Lots of potential with this tool.  Feel like poisoning an ARP cache?  Scapy is for you!
  • Wireshark: a network student’s best friend.

Click here to check out Mohammad’s blog post about this project.

Playing Around with FTP

I’m taking a Computer Networks course this semester, and for my final project, my partner and I are trying to create signatures for FTP, HTTP, and Skype packets.

The big idea:  we want to create some signatures, and then “replay” those signatures against some arbitrary IP and port.  If we get a response, we analyze the response to see if it matches what we expect from the signature.  If it matches, chances are we’ve determined what kind of server is behind that IP/Port.

FTP and HTTP are the trivial ones.  Skype is going to be quite a bit harder.

Anyhow, here is what I’ve found out about FTP…

FTP

FTP runs over a TCP connection, so if you’ve got Telnet, then you’ve got a basic FTP client.  Traditionally, FTP servers run on port 21 – but really you could put one on whichever port you feel like.

So, I’m going to try to futz around with the Mozilla public FTP server, and show you what I get.

First, I’ll connect to the FTP server with Telnet, like so:


mike@faceplant-linux:~$ telnet ftp.mozilla.org 21

Here’s what comes back:


Trying 63.245.208.138...
Connected to dm-ftp01.mozilla.org.
Escape character is '^]'.
220-
220-   ftp.mozilla.org / archive.mozilla.org - files are in /pub/mozilla.org
220-
220-   Notice: This server is the only place to obtain nightly builds and needs to
220-   remain available to developers and testers. High bandwidth servers that
220-   contain the public release files are available at ftp://releases.mozilla.org/
220-   If you need to link to a public release, please link to the release server,
220-   not here. Thanks!
220-
220-   Attempts to download high traffic release files from this server will get a
220-   "550 Permission denied." response.
220

If I type in anything and press RETURN, the server responds with:
530 Please login with USER and PASS.
Since I don’t have an account, I’ll just use the basic anonymous one:

USER anonymous

The server responds back with:

331 Please specify the password.

I don’t have a password, so I’ll just try a blank one…

PASS

and blam, I get a ton of stuff back:

230-
230-   ftp.mozilla.org / archive.mozilla.org - files are in /pub/mozilla.org
230-
230-   Notice: This server is the only place to obtain nightly builds and needs to
230-   remain available to developers and testers. High bandwidth servers that
230-   contain the public release files are available at ftp://releases.mozilla.org/
230-   If you need to link to a public release, please link to the release server,
230-   not here. Thanks!
230-
230-   Attempts to download high traffic release files from this server will get a
230-   "550 Permission denied." response.
230 Login successful.

Hey alright, I’m in!  Er…where exactly am I, though?  I type in PWD, and the server responds with “/”.  So I’m in the root.  Nice.

So what’s in the root directory, anyhow?  I type in LIST.  Here’s what I get back:

425 Use PORT or PASV first.

And here’s where it gets interesting.  This Telnet session I’ve got here is like a control window.  But if I want any actual data from the server, I’m going to need to either open up one of my ports (and do some port-forwarding on my router) to receive it (PORT), or connect to another port that the FTP server can pipe data through (with PASV).

I’d rather not go through all of the trouble of port-forwarding, so I’m going to choose the latter.  I type in PASV.  The server responds with:

227 Entering Passive Mode (63,245,208,138,225,55)

So what does that big string of numbers mean?  The first 4 are the IP address I’m to connect to (63.245.208.138).  The last two tell me what PORT to connect to.  The formula to determine the port number is N1*256 + N2.  N1, in this case, is 225.  N2 is 55.  So 225*256 + 55 is 57655.

So I open another Telnet in a separate window, connect to 63.245.208.138 on port 57655, and get….

nothing.

Yep, just a blank.  I’ve made the connection, but I haven’t asked for any data, so there’s nothing for the connection to say.

However, if I type LIST again in the command window, I get

150 Here comes the directory listing.
226 Directory send OK.

sent into the control window, and

-rw-r--r--    1 ftp      ftp           528 Nov 01  2007 README
-rw-r--r--    1 ftp      ftp           560 Sep 28  2007 index.html
drwxr-xr-x   34 ftp      ftp          4096 Nov 24 23:32 pub
Connection closed by foreign host.

pumped into my data window.  Notice that the connection closed in the data window.  That means that, for every bit of data I want, I either need to redo the whole PASV thing, or supply a PORT that the server can connect to.  Bleh.

Let’s see what else I can do.  I type in “CWD pub” to change to the pub directory.  Using PASV and LIST, I get the following from another data window:

drwxrwxr-x    3 ftp      ftp          4096 Jun 05  2002 OJI
-rw-rw-r--    1 ftp      ftp          1144 Jul 03  2001 README
drwxr-xr-x 5561 ftp      ftp        430080 Nov 24 22:14 addons
drwxr-xr-x    2 ftp      ftp          4096 Jul 05  2005 artwork
drwxr-xr-x    2 ftp      ftp          4096 Jun 13  2008 bouncer
drwxrwxr-x    5 ftp      ftp          4096 Apr 20  2009 calendar
drwxrwxr-x    6 ftp      ftp          4096 Aug 11  2008 camino
drwxr-xr-x   16 ftp      ftp          4096 Oct 16  2006 cck
drwxrwxr-x    3 ftp      ftp          4096 Jul 10  2004 chimera
drwxrwxr-x   12 ftp      ftp          4096 Aug 31  2001 data
drwxrwxr-x    8 ftp      ftp          4096 Jun 19  2007 directory
drwxr-xr-x    4 ftp      ftp          4096 May 17  2005 diskimages
drwxrwxr-x    4 ftp      ftp          4096 Jul 26  2008 extensions
drwxrwxr-x    4 ftp      ftp          4096 May 16  2003 firebird
drwxrwxr-x    5 ftp      ftp          4096 Aug 12  2008 firefox
drwxrwxr-x    3 ftp      ftp          4096 Aug 07  1999 grendel
drwxrwxr-x    5 ftp      ftp          4096 Mar 22  2009 js
drwxrwxr-x    4 ftp      ftp          4096 Oct 22  2004 l10n-kits
drwxrwxr-x    2 ftp      ftp          4096 Nov 24 20:28 labs
-rw-r--r--    1 ftp      ftp       1868178 Sep 17  2003 ls-lR
-rw-rw-r--    1 ftp      ftp        169159 Sep 17  2003 ls-lR.gz
drwxr-sr-x    4 ftp      ftp          4096 Sep 15  2005 minimo
drwxrwsr-x   12 ftp      ftp          4096 Nov 11 06:09 mobile
drwxrwxr-x   15 ftp      ftp          4096 Jan 04  2008 mozilla
lrwxrwxrwx    1 ftp      ftp             1 Sep 15  2006 mozilla.org -> .
drwxrwxr-x    2 ftp      ftp          4096 Aug 25  1998 msgsdk
drwxrwxr-x    5 ftp      ftp          4096 Jul 09  2002 nspr
drwxrwxr-x    4 ftp      ftp          4096 Sep 23  2002 phoenix
drwxrwxr-x    3 ftp      ftp          4096 Aug 03  2000 profiles
drwxrwxr-x    6 ftp      ftp          4096 Aug 12  2008 seamonkey
drwxrwxr-x    5 ftp      ftp          4096 May 04  2006 security
drwxr-xr-x    5 ftp      ftp          4096 Aug 13  2008 static-analysis
drwxrwxr-x    8 ftp      ftp          4096 Sep 24 19:03 thunderbird
drwxrwsr-x    4 ftp      ftp         20480 Nov 19 02:26 webtools
drwxrwxr-x    6 ftp      ftp          4096 Aug 11  2008 xulrunner
drwxr-xr-x    2 ftp      ftp          4096 Sep 12 05:51 zz
Connection closed by foreign host.

Nice.  Alright, now let’s see if I can download one of those files.  I’m going to try to download README.  Using PASV, I create a new data window, and then I type:

RETR README

And, after a little wait, my data window gets:

Welcome to ftp.mozilla.org!
This is the main distribution point of software and developer tools
related to the Mozilla project.  For more information, see our home
page (http://www.mozilla.org/) Go here to download Netscape Communicator:
http://home.netscape.com/download/
A list of ftp.mozilla.org's mirror sites can be found at:
http://www.mozilla.org/mirrors.html
This site contains source code that is subject to the U.S. Export
Administration Regulations and other U.S. law, and may not be exported
or re-exported to certain countries (currently Afghanistan (Taliban
controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria) or to persons or entities prohibited from receiving U.S.
exports (including Denied Parties, entities on the Bureau of Export
Administration Entity List, and Specially Designated Nationals).
If you plan to mirror our site read our crypto FAQ. Send mail to
mirrors@mozilla.org to be added to our mirrors list.
http://www.mozilla.org/crypto-faq.html#2-1
We do not guarantee that any source code or executable code
available from the mozilla.org domain is Year 2000 compliant.
Connection closed by foreign host.

Awesome! I think I have enough information to come up with some kind of signature.

Resources

What, you think I figured all this stuff out alone?  No way – I had some help: