[TOOL] Msndump - MSN Messenger Sniffer

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Msndump - MSN Messenger Sniffer
------------------------------------------------------------------------


SUMMARY



DETAILS

The Perl script presented here parse MSN Messenger message packets or P2P 
traffic and displays their contents. The script uses PCap to capture and 
parse the packets. The tool can be modified to parse other headers like 
'TypingUser:'

Example usage:
To capture live traffic from device eth0 run:
msndump.pl -i eth0

To capture from tcpdump traffic.pcap file run:
msndump.pl -r traffic.pcap

Source Code:
#!/usr/bin/perl -w
# quick dirty msn sniffer
# http://miscname.com/
# $Id: msndump.pl,v 1.3 2004/11/17 10:00:33 meh Exp $

# you need Net::Pcap and Net::Packet
# use cpan or get manually
# http://search.cpan.org/CPAN/authors/id/A/AT/ATRAK/NetPacket-0.04.tar.gz
# http://search.cpan.org/CPAN/authors/id/K/KC/KCARNUT/Net-Pcap-0.05.tar.gz

my $lowuid='1001';
my $lowgid='1001';

my $filter = 'tcp and port 1863';

# no modify below
use Getopt::Std;
use Net::Pcap;
use NetPacket::IP;
use NetPacket::Ethernet qw (:strip);
use Fcntl;
$|=1;
my $flags |= O_NONBLOCK;

my %opts;
getopt("wicr",\%opts);
if ( (!($opts{i})) && (!($opts{r})) ) {
 print "[ msndump - miscname.com ]\n Usage:\n\t-i rl0 || -r 
file.pcap\n\t-c X - capture X packets\n\t-w freshIMz.txt\n\n";
 exit;
}

if ((!$opts{r}) && ($> != '0')) {
 die ("you need uid 0\n");
}

# main loop
my $exitvar = '0';
while ($exitvar == '0') {

 # create pcap
 my $pcap = &cap_pkt;
 if (!($pcap)) {
  die ("cant capture\n");
 }

 # drop privs
 my $GID="$lowgid";
 my $UID="$lowuid";
 my $EGID="$lowgid $lowgid";

 # -w if set
 if ($opts{w}) {
  open (FILEOUT,">$opts{w}") || die ("cant open $opts{w} ($!)\n");
  fcntl(FILEOUT, F_SETFL, $flags) or die ("couldn't set nonblock for 
$opts{w} ($!)\n");
 }

 # capture loop
 if (($opts{c}) && ($opts{c} =~ /(\d+)/)) {
  print "stopping after $1 packets\n";
         Net::Pcap::loop($pcap, $1, \&proc_pkt, 0);
  $exitvar = '1';
 } else {
         Net::Pcap::loop($pcap, -1, \&proc_pkt, 0);
  my %stats;
  Net::Pcap::stats($pcap, \%stats);
  print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n";
 }

 # free it
 print "cleaning up\n";
 Net::Pcap::close($pcap);
 # close fh
 if ($opts{w}) {
  print "wrote $opts{w}.\n";
  close FILEOUT;
 }
}

# sub procs below
sub cap_pkt {

 my ($pcap,$dev,$err,$mask,$net,$filter2);
 my $snaplen = 14096; # seen some big im's :(
 my $promisc = 1; # promisc of course
 my $timeout = 0; # timeout

 # file.pcap?
 if ($opts{r}) {
  print "reading from '$opts{r}'\n";
  $pcap = Net::Pcap::open_offline($opts{r}, \$err);
  if (!($pcap)) {
   die("error opening $opts{r} ($err)\n");
      }
 } else {

  # set dev from cmdline
  $dev = $opts{i};
  print "dumping on '$opts{i}'\n";
 
  # get netmask for filter
  if ((Net::Pcap::lookupnet($dev, \$net, \$mask, \$err)) == -1 ) {
          die ("Net::Pcap::lookupnet failed ($err)\n");
      }
    
  # open it
  $pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);
  if (!($pcap)) {
   die ("can't create packet fd ($err)\n");
  }
 }
   
 # sanity check
 if (!($pcap)) {
  die ("sanity check failed - \$pcap null\n");
 } elsif (!($mask)) {
  $mask = '0'; # for open_offline
 }

 # make filter struct
 if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != '0') {
   die ("broken filter ($filter)\n");
 }
 # apply
 Net::Pcap::setfilter($pcap, $filter2);

 return $pcap;
}

sub proc_pkt {

 my($user_data, $hdr, $pkt) = @_;
 my ($user,$msg);

 my $ip_obj = NetPacket::IP->decode(eth_strip($pkt));
 #my $ip_obj = NetPacket::IP::strip($pkt);

 # check if its a message (or a p2p file transfer)
 # if your reading this, include 'P2P-Dest:' in your message body to avoid 
sniffer ;)
 if (($ip_obj->{data} !~ /MSG/m) || ($ip_obj->{data} =~ /P2P-Dest:/m)) {
  ;
 } else {
  print $ip_obj->{data};
  # extract goodies
  if ( (($ip_obj->{data} =~ /MSG (.*)\@(.*)/)) || (($ip_obj->{data} =~ 
/P4-Context: (.*)/)) ) {
   $user = "$1\@$2";
  }

  if ($ip_obj->{data} =~ /X-MMS-IM-Format:\s.*\r(.*)/s) { 
#\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;\s\w+\=\w+\;(.*)/m) {
   $msg = $1;
  }

  # display if we have both
  if (($user) || ($msg))
  {
   if(!$user)
   {
    $user = "unknown user";
   }
   if (!($opts{w})) {
    print "\n----------------------------------------------------\n";
    print "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n";
    print "TO/FROM: $user\nMESSAGE:\n$msg\n";
   } else {
    print FILEOUT 
"\n----------------------------------------------------\n";
    print FILEOUT "src_ip($ip_obj->{src_ip}) 
dst_ip($ip_obj->{dest_ip})\n";
    print FILEOUT "TO/FROM: $user\nMESSAGE: \n$msg\n\n";
   }
  }
 }
}

#e0f


ADDITIONAL INFORMATION

The information has been provided by  <mailto:rocco.s@telstra.com> 
rocco.s.
To keep updated with the tool visit the project's homepage at:  
<miscname.com> miscname.com



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.