WUSTL CSE 571S - OpenPacketPro
OpenPacketPro: A libpcap Extension Framework for Sniffing Outgoing Traffic
http://www.cse.wustl.edu/~jain/cse571-11/ftp/pktpro/index.html

Jonathan Wald [email protected] and Jason Zigelbaum [email protected] (A project report written under the guidance of Prof. Raj Jain)

Table of Contents:
1. Introduction
1.1 What is OpenPacketPro
2. Design Documentation
2.1 Languages and Frameworks
2.1.1 Libpcap
2.1.2 QT
2.1.3 Rainbow Tables
2.2 Design Elements
2.2.1 Target Detection by Hashing and Reverse DNS
2.2.2 Host File and Routing Table Modification
2.2.3 Password Sniffing
2.2.4 Multithreading
3. Using OpenPacketPro
3.1 OpenPacketPro Software Authentication Mode
3.2 OpenPacketPro Cracking MD5 Hash Encryption Mode
4. Conclusion
5. Source Code
6. References

1 Introduction

1.1 What is OpenPacketPro?

OpenPacketPro is an open source framework that utilizes the libpcap library. We want to give developers a platform to work with packets and the libpcap library in order to perform interesting and useful services. OpenPacketPro is intended to be a hub for fun and exciting experiments that involve packet capturing. In order to demonstrate the power of the libpcap library we have developed two useful services.

OpenPacketPro's Demo Services:
1. Stopping outbound communication of a given program.
2. Sifting out MD5 encrypted packets and decrypting them in real time.

In the following sections, you will learn how to perform these tasks. To open the application, locate it in a terminal window and run the application in privileged mode (details will be covered in the "how to use" section).

2 Design Documentation

This section documents the details of the application's design and some of the important decisions that we made. Specifically, we talk about the technologies that were leveraged in our implementation, including libpcap for packet capture and Nokia's QT library for the application's user interface and event handling. Also discussed are our hashing method of target detection, blocking target communication, our method for password detection and decryption, and multi-threading.

2.1 Languages and Frameworks

The application was implemented in C++ and made significant use of the libpcap and QT libraries. It should also be noted that we leveraged example code from tcpdump.org (the maintainer of libpcap) and QT tutorials.

2.1.1 Libpcap

The application's packet sniffing engine is built using the libpcap library, the same library used by the popular tools Wireshark and Tcpdump. Libpcap works by inspecting packets that are placed in the kernel's packet filter by a network card driver. When a packet comes in, the network card checks to see if its own IP address is the destination address, and if so, signals for an interrupt. A signal handler in the form of the network card driver copies the data from the card to a buffer in kernel space for consumption by higher level protocols. The network card driver also stores a copy of the data in a buffer within the kernel called the packet filter; libpcap provides a framework for interacting with the packets stored in this buffer.

2.1.2 QT

We selected Nokia's open-source QT framework for the implementation of our user interface and event handling. QT is a popular, professional-quality framework with a wide range of uses, from desktop applications to web development and mobile applications. We primarily used QT's user interface libraries, but also made use of its built-in threading functionality and event handling. QT is portable, meaning that our application and user interface will function on most platforms that support libpcap (we tested on Ubuntu and Mac OS X).

2.1.3 Rainbow Tables

A Rainbow Table is essentially a lookup table of decrypted MD5 hash values. With the help of a rainbow table, decrypting MD5 hashes becomes a matter of looking up an entry in this large table. The larger the table, the better. In our implementation, we use an API call to a free-to-use rainbow table at www.decrypt-md5.com.

2.2 Design Elements

This section outlines critical elements of the design and the decisions that went into them. The topics include our detection of target communication, communication blocking, password sniffing, and multi-threading.

2.2.1 Target Detection by Hashing and Reverse DNS

One of the primary services of the application is the ability to detect network communication of interest without knowing a target's host name or IP address. This is useful, for example, when a user wants to crack the validation mechanism of a piece of software but has no idea with what host the software may attempt to communicate. We solved this problem by segmenting our packet sniffing into two phases: a training phase and a target detection phase.

At any given time, a modern computer user may be maintaining dozens of connections with hosts across the world. Many users now employ cloud storage or updating systems which are continuously communicating with their local machine. We want to filter out the benign packets whose destinations are not intended to be blocked. These unimportant packets may include current TCP connections, or other applications which must send outgoing data constantly and which the user does not want blocked. To remove this noise, we require that the user first allow our application to undergo a 15 second training period, which acts as a sieve for network communication. During this period, the target application is turned off and we place all IP addresses with which we communicate into a map structure. Ideally this data structure would use hashing to minimize lookup time; we used the C++ Standard Template Library's map structure, which is actually implemented as a binary tree. After the training period, the target application is finally executed, and we ignore all "normal" communication by doing a lookup on each host that we communicate with and seeing if there is a collision. After this process, we have most likely narrowed the potential target IP address to a small set of less than a dozen suspects. We display these addresses, along with any host names that we can find through a reverse DNS lookup, to the user and allow them to select which ones they want to attack.

2.2.2 Host File and Routing Table Modification

The application offers two methods of blocking a software validation attempt. After a user selects the hosts that they want to attack, he or she is presented with a dialog box asking which of the methods they wish to employ. The first allows a user to block a specific host name by modifying the machine's host file. A
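The two-phase sieve of section 2.2.1 written out as an added example, not the project's own source: destinations are passed in as dotted-quad strings (OpenPacketPro pulls them from the IP headers libpcap delivers), std::unordered_set supplies the hashed lookup the report says would be ideal in place of the tree-backed std::map it used, and the packet lists and reverse-DNS table are constructed stand-ins. The same baseline-then-diff logic is what a defender uses to flag a host's first contact with a destination it has never talked to before.

```cpp
#include <map>
#include <set>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>
// Two-phase sieve from section 2.2.1 (added example, not project code).
class DestinationSieve {
public:
    // Training phase (target program off): every destination is benign.
    void train(const std::string& dst_ip) { baseline_.insert(dst_ip); }

    // Detection phase (target program on): anything absent from the
    // baseline is a suspect. Hashed lookup, as the report calls ideal.
    void observe(const std::string& dst_ip) {
        if (baseline_.find(dst_ip) == baseline_.end()) suspects_.insert(dst_ip);
    }

    const std::set<std::string>& suspects() const { return suspects_; }

private:
    std::unordered_set<std::string> baseline_;  // hashed, O(1) average lookup
    std::set<std::string> suspects_;            // small; kept sorted for display
};

// Runs both phases and pairs each suspect with a host name from a
// reverse-DNS table (the real tool would call getnameinfo() here).
std::vector<std::pair<std::string, std::string>> find_suspects(
        const std::vector<std::string>& training_dsts,
        const std::vector<std::string>& detection_dsts,
        const std::map<std::string, std::string>& reverse_dns) {
    DestinationSieve sieve;
    for (const auto& ip : training_dsts) sieve.train(ip);
    for (const auto& ip : detection_dsts) sieve.observe(ip);
    std::vector<std::pair<std::string, std::string>> out;
    for (const auto& ip : sieve.suspects()) {
        auto it = reverse_dns.find(ip);
        out.emplace_back(ip, it == reverse_dns.end() ? std::string() : it->second);
    }
    return out;
}

// Constructed demo: background destinations seen during training, then
// the traffic seen once the target program is running.
std::vector<std::pair<std::string, std::string>> run_demo() {
    const std::vector<std::string> training = {"10.0.0.1", "10.0.0.1", "203.0.113.5"};
    const std::vector<std::string> detection = {"10.0.0.1", "198.51.100.7", "198.51.100.7", "203.0.113.5", "192.0.2.9"};
    const std::map<std::string, std::string> rdns = {{"198.51.100.7", "license.example.net"}};
    return find_suspects(training, detection, rdns);  // -> 192.0.2.9, 198.51.100.7
}
```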