A.3. Network-Level Tools
You will need a range of network-level tools for your day-to-day activities. These command-line tools are designed to monitor and analyze traffic or allow you to create new traffic (e.g., HTTP requests).
Using a simple Telnet client will work well for most manually executed HTTP requests but it pays off to learn the syntax of Netcat. Netcat is a TCP and UDP client and server combined in a single binary, designed to be scriptable and used from a command line.
Netcat is available in two versions:
To use it as a port scanner, invoke it with the -z switch (to initiate a scan) and -v to tell it to report its findings:
$ nc -v -z www.modsecurity.org 1-1023 Warning: inverse host lookup failed for 22.214.171.124: Host name lookup failure www.modsecurity.org [126.96.36.199] 995 (pop3s) open www.modsecurity.org [188.8.131.52] 993 (imaps) open www.modsecurity.org [184.108.40.206] 443 (https) open www.modsecurity.org [220.127.116.11] 143 (imap) open www.modsecurity.org [18.104.22.168] 110 (pop3) open www.modsecurity.org [22.214.171.124] 80 (http) open www.modsecurity.org [126.96.36.199] 53 (domain) open www.modsecurity.org [188.8.131.52] 25 (smtp) open www.modsecurity.org [184.108.40.206] 23 (telnet) open www.modsecurity.org [220.127.116.11] 22 (ssh) open www.modsecurity.org [18.104.22.168] 21 (ftp) open
To create a TCP server on port 8080 (as specified by the -p switch), use the -l switch:
$ nc -l -p 8080
To create a TCP proxy, forwarding requests from port 8080 to port 80, type the following. (We need the additional pipe to take care of the flow of data back from the web server.)
$ mknod ncpipe p $ nc -l -p 8080 < ncpipe | nc localhost 80 > ncpipe
Stunnel (http://www.stunnel.org) is a universal SSL driver. It can wrap any TCP connection into an SSL channel. This is handy when you want to use your existing, non-SSL tools, to connect to an SSL-enabled server. If you are using Stunnel Versions 3.x and older, all parameters can be specified on the command line. Here is an example:
$ stunnel -c -d 8080 -r www.amazon.com:443
By default, Stunnel stays permanently active in the background. This command line tells Stunnel to go into client mode (-c), listen locally on port 8080 (-d) and connect to the remote server www.amazon.com on port 443 (-r). You can now use any plaintext tool to connect to the SSL server through Stunnel running on port 8080. I will use telnet and perform a HEAD request to ensure it works:
$ telnet localhost 8080 Trying 127.0.0.1... Connected to debian. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.1 302 Found Date: Mon, 08 Nov 2004 11:45:15 GMT Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix) amarewrite/0.1 mod_fastcgi/2.2.12 Location: http://www.amazon.com/ Connection: close Content-Type: text/html; charset=iso-8859-1 Connection closed by foreign host.
Stunnel Versions 4.x and above require all configuration options to be put in a configuration file. The configuration file equivalent to the pre-4.x syntax is:
# run as a client client = yes # begin new service definition [https_client] # accept plaintext connections on 8080 accept = 8080 # connect to a remote SSL-enabled server connect = www.apachesecurity.net:443
Assuming you have put the configuration into a file called stunnel.conf, run Stunnel with:
$ stunnel stunnel.conf
Curl (http://curl.haxx.se) is a command-line tool that works with the HTTP and HTTPS protocols on a higher level. (It understands many other protocols, but they are not very interesting for what we are doing here.) You will want to use Curl for anything other than the most trivial HTTP requests. Things such as POST and PUT requests or file uploads are much simpler with Curl.
For example, uploading a file archive.tar.gz (assuming the file upload field is named filename) to script upload.php is as simple as:
$ curl -F email@example.com http://www.example.com/upload.php
The following is a brief but informative tutorial on HTTP scripting with Curl:
A.3.4. Network-Sniffing Tools
When HTTP traffic flows over an unprotected channel, network-level traffic monitoring can be used for various purposes. Some of the possible uses are:
It does not matter if the network is switched or not, if data is traveling unprotected, it can be sniffed. Here are the most popular network-monitoring tools:
The combination of Tcpdump plus Ethereal has worked well for me in the past, and I propose you try them first.
There are a few commercial Windows-based network-monitoring tools (designed to work with HTTP) available. They are inexpensive, so you may want to give them a try.
SSLDump (http://www.rtfm.com/ssldump/) is an SSL network protocol analyzer. It can be used where most other network sniffing tools cannot, which is to look into the SSL traffic:
# ssldump port 443
I did say look, but the previous command will only be able to examine the structure of SSL traffic and not display the application data. That would defeat the point of SSL. However, ssldump can display application data, too, but only if it is provided with the private server key:
# ssldump -d -k key.pem host www.apachesecurity.net port 443