Category Archives for Networking

Ruby Network Programming

Do you want to create custom network clients & servers in Ruby? Or just understand how that works?

Then you will have to deal with sockets.

Join me on this tour of Ruby network programming to learn the basics, and start talking to other servers and clients using Ruby!

So what are sockets?

Sockets are the endpoints of a communication channel; both clients and servers use sockets to communicate.

The way they work is very simple:

Once a connection is established you can put data into your socket and it will make its way to the other end, where the receiver will read from the socket to process incoming data.

Socket Types

There are a few types of sockets available to you. The most common, the TCP socket, lets you connect to TCP-based services such as HTTP or FTP.

If you have to use a UDP-based protocol, use the UDP socket instead.

The other types of sockets are a bit more esoteric: Unix domain sockets allow IPC (inter-process communication) between processes on the same Unix system without the overhead of a full TCP connection.

Using Sockets in Ruby

Now that we know what sockets can do for us it is time to start using them.

First, require the sockets library into your program:

require 'socket'

To create a TCP socket, use the TCPSocket class; as parameters you will need the destination host (name or IP address) and port.

This will attempt to establish a connection; if it can't be established you will get an Errno::ECONNREFUSED error.

socket = TCPSocket.new('google.com', 80)

You should now be able to send messages through your socket. For the other end to understand you, you have to follow the protocol of the service you are talking to.

socket.write "GET / HTTP/1.1\r\n"
socket.write "Host: google.com\r\n"   # HTTP/1.1 requires a Host header, or the server answers 400
socket.write "\r\n"                   # an empty line ends the request headers

Many of the methods you will be using come from the parent classes of TCPSocket.

To read the response from the server you can use the recv method.

You need to pass the number of bytes that you want to read from the socket as a parameter:

puts socket.recv(100)

There is a small problem: you might not get any data back, and your app will appear to be doing nothing.

The reason is that if there isn't enough data to read, your program will "block".

This means it will wait until there is some data available or the server closes the connection.

You may want to increase or decrease the amount of data you are reading depending on what protocol you are working with.

If blocking is an issue for you, check out the readpartial and read_nonblock methods from the IO class.

How to Write a TCP Server

Let’s build a server! The process is similar to writing the client, but we will need to tell the socket to bind to an interface, then listen on it, and finally to accept incoming connections.

The TCPServer class already does the first two (bind and listen) for us.

Here is an example:

require 'socket'

# 0.0.0.0 binds every interface; use '127.0.0.1' to accept local clients only
socket = TCPServer.new('0.0.0.0', 8080)
client = socket.accept   # blocks until a client connects

puts "New client! #{client}"

client.write("Hello from server")
client.close

Our example server will be listening on port 8080 and greet a connecting client with a message.

Notice that we accept only one client, after which the program ends.

Accepting Multiple Clients

To be able to accept and respond to multiple clients, we will need a loop and some threads.

Example:

require 'socket'

PORT   = 8081
socket = TCPServer.new('0.0.0.0', PORT)   # 0.0.0.0 listens on every interface

# Runs in its own thread, so a slow client does not hold up the accept loop
def handle_connection(client)
  puts "New client! #{client}"

  client.write("Hello from server")
  client.close
end

puts "Listening on #{PORT}. Press CTRL+C to cancel."

loop do
  client = socket.accept   # blocks until the next client connects

  Thread.new { handle_connection(client) }
end

That should start a new server that keeps listening until you stop it.
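Putting the client and server halves together, here is an added example (not code from the original post) that addresses the blocking caveat from the client section and the multi-client server above: both sides wait with IO.select before calling readpartial, so a silent peer raises a Timeout::Error instead of hanging the program. The "HELLO"/"GREETING" line protocol, the function names and the use of port 0 (so the OS picks a free port) are assumptions of this example; the server binds 127.0.0.1 so it is reachable only from the local machine.

```ruby
require 'socket'
require 'timeout'

# Read up to the first "\r\n" (or EOF) from `io`, but give up if the peer stays
# silent for `timeout` seconds. IO.select waits for readability, so the
# following readpartial returns whatever has arrived instead of blocking on a
# fixed byte count the way recv(100) would.
def read_line_with_deadline(io, timeout)
  buffer = +''
  until buffer.include?("\r\n")
    ready = IO.select([io], nil, nil, timeout)
    raise Timeout::Error, "no data within #{timeout}s" if ready.nil?
    buffer << io.readpartial(1024)
  end
  buffer.split("\r\n").first
rescue EOFError
  buffer.empty? ? nil : buffer
end

# Toy line protocol (assumed, not from the post): the client sends
# "HELLO <name>\r\n" and the server answers "GREETING <name>\r\n", then closes.
def handle_connection(client, timeout: 2)
  line = read_line_with_deadline(client, timeout)
  if line&.start_with?('HELLO ')
    client.write("GREETING #{line.sub(/\AHELLO /, '')}\r\n")
  else
    client.write("ERROR expected HELLO\r\n")
  end
rescue Timeout::Error, Errno::ECONNRESET, Errno::EPIPE
  # An idle or vanished client is dropped instead of tying up a thread forever.
ensure
  client.close
end

# Port 0 lets the OS pick a free port; server.addr[1] tells us which one.
# Binding 127.0.0.1 keeps the toy server reachable from this machine only.
# Returns [server, port]; closing `server` stops the accept loop.
def start_greeting_server
  server = TCPServer.new('127.0.0.1', 0)
  port   = server.addr[1]
  Thread.new do
    begin
      loop do
        client = server.accept
        Thread.new(client) { |c| handle_connection(c) }
      end
    rescue IOError, Errno::EBADF
      # server.close from another thread interrupts accept and ends the loop.
    end
  end
  [server, port]
end

# Client side: connect, send the greeting, read one reply line with a deadline.
def greet(port, name, timeout: 2)
  socket = TCPSocket.new('127.0.0.1', port) # Errno::ECONNREFUSED if nobody listens
  socket.write("HELLO #{name}\r\n")
  read_line_with_deadline(socket, timeout)
ensure
  socket&.close
end

if __FILE__ == $PROGRAM_NAME
  server, port = start_greeting_server
  puts greet(port, 'alice')
  puts %w[bob carol].map { |n| Thread.new { greet(port, n) } }.map(&:value).inspect
  server.close
end
```

The deadline lives in one helper used by both ends: the server drops clients that connect and never speak, and the client cannot be stalled by a server that accepts but never answers.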

If you want to learn how to take this to the next level & write a web server in Ruby read this blog post.

Conclusion

You learned what TCP sockets are, how they work & how you can use some Ruby classes like TCPServer & TCPSocket to create Ruby applications that can interact with other machines on the internet.

Playing with Ruby network programming is fun!

Now go create something cool and share it with everyone in the comments section 🙂

Also don’t forget to join my newsletter if you want to keep improving your Ruby skills!

Network forensics with tshark

Let's say we have a packet capture file (.pcap) and we want to get as much information out of it as possible. One option is Wireshark and its command-line version, tshark. Using the latter, we will be able to manipulate and format the output using tools like sed, grep, awk…

Extracting host names with tshark

Since we are dealing with mostly HTTP traffic, we may be interested in the sites that have been visited. To obtain this information we can use the http.host field and then a bit of sorting, which will show us the top 10 sites.

tshark -T fields -e http.host -r tor.pcap > dns.txt
cat dns.txt | sort | uniq -c | sort -nr | head
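The same ranking can be done in Ruby once the fields are exported, which makes it easy to add what `uniq -c` cannot: case folding, stripping an explicit port from the Host value, skipping packets that carry no HTTP request (tshark prints an empty field for them) and counting how many distinct clients contacted each host. This is an added example, not part of the original post; it assumes the capture was exported with two fields (`-e ip.src -e http.host`) and the sample lines are constructed, not from a real capture.

```ruby
require 'set'

# Constructed output of:  tshark -T fields -e ip.src -e http.host -r tor.pcap
# (two fields, tab-separated; the empty host is a packet with no HTTP request).
SAMPLE_TSHARK_OUTPUT = <<~TSV
  10.0.0.5\texample.com
  10.0.0.5\t
  10.0.0.7\tEXAMPLE.COM
  10.0.0.7\tcdn.example.net:8080
  10.0.0.9\texample.com
  10.0.0.9\tupdates.example.org
  10.0.0.5\tcdn.example.net
TSV

# Normalize one http.host value: lower-case, drop an explicit ":port", ignore blanks.
def normalize_host(raw)
  host = raw.to_s.strip.downcase.sub(/:\d+\z/, '')
  host.empty? ? nil : host
end

# Like `sort | uniq -c | sort -nr | head`, but also counts distinct clients per host.
# Returns [[host, requests, distinct_clients], ...] for the top `limit` hosts.
def top_hosts(tsv, limit: 10)
  stats = Hash.new { |h, k| h[k] = { requests: 0, clients: Set.new } }
  tsv.each_line do |line|
    src, raw_host = line.chomp.split("\t", 2)
    host = normalize_host(raw_host) or next
    stats[host][:requests] += 1
    stats[host][:clients] << src
  end
  stats.map { |host, s| [host, s[:requests], s[:clients].size] }
       .sort_by { |host, requests, _| [-requests, host] }
       .first(limit)
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV.empty? ? SAMPLE_TSHARK_OUTPUT : File.read(ARGV[0])
  top_hosts(input).each { |host, n, c| printf("%6d  %-30s %d client(s)\n", n, host, c) }
end
```

Run it with the exported file as the only argument; with no argument it ranks the constructed sample.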

Finding windows host on your network

If you ever wondered whether there is a quick way to find all the Windows hosts on your network with exact version information, you are in the right place! We are going to see a few tools that will aid us in this task by querying the CIFS service (also known as SMB / NetBIOS), which is run by all Windows hosts.

To get us started, let's look at the nbtscan tool. We can give it a network range in the form of a CIDR or as two values separated by a dash. This will give us a nice list of all the Windows hosts on our network with their NetBIOS names.

Socat: A very powerful networking tool

Welcome to this socat tutorial. Socat is a network utility similar to netcat. Socat supports IPv6 and SSL and is available for both Windows and Linux. The first thing you will notice with this tool is that its syntax differs from what you are used to with netcat or other standard Unix tools.

socat [options] <address> <address>

You have to provide both addresses for it to work; an address looks like this:

protocol:ip:port

Let’s get started with some examples. First I want to show you how you can get the same functionality as with netcat.

# connect to a service
nc localhost 80
socat - TCP4:localhost:80          # "-" is shorthand for STDIO; STDIN works too
socat STDIN TCP4:localhost:80

# listen on a port and print what arrives
nc -lp localhost 700
socat TCP4-LISTEN:700 STDOUT

# listen on a port and hand the connection to a shell
nc -lp localhost 700 -e /bin/bash
socat TCP4-LISTEN:700 EXEC:/bin/bash

Now we can go beyond netcat with some SSL examples, but first we need to generate an SSL certificate for the server.

Generate an SSL cert

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key

SSL server

socat OPENSSL-LISTEN:443,cert=cert.pem,key=cert.key -   # key= is needed because the openssl command above wrote the private key to a separate file

SSL client

socat - OPENSSL:localhost:443,cafile=cert.pem   # cafile= trusts our self-signed cert; prefer this over verify=0, which accepts any certificate

The two addresses don't have to use the same protocol, so you can do "SSL server -> non-SSL server". You should also check out the options that you can apply; for example, you can use fork to tell socat to keep listening and handle multiple clients.

socat TCP4-LISTEN:5000,fork OPENSSL:localhost:443
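The SSL server and SSL client pair above can also be written in Ruby with the standard openssl library, which is useful when you want the same behaviour inside a program rather than on the command line. This is an added example, not from the original post or the socat project: it generates the self-signed certificate in memory (the equivalent of the openssl req step), wraps a TCPServer in TLS, and has the client trust exactly that one certificate, the way the cafile= option does for socat, instead of turning verification off. The one-line "hello over tls" protocol, the function names and the use of port 0 are assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Equivalent of the `openssl req -new -x509 -nodes ...` step: a self-signed
# certificate and key for `cn`, kept in memory instead of cert.pem / cert.key.
def make_self_signed_cert(cn, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject                        # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Reply to one TLS client; errors from a client that already hung up are swallowed.
def serve_client(ssl_client)
  ssl_client.puts('hello over tls')
rescue IOError, SystemCallError, OpenSSL::SSL::SSLError
  nil
ensure
  ssl_client.close
end

# socat OPENSSL-LISTEN:443,cert=cert.pem,key=cert.key equivalent: every accepted
# connection is wrapped in TLS. Returns [tcp_server, port]; close tcp_server to stop.
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new('127.0.0.1', 0)
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    begin
      loop do
        begin
          client = tls.accept                 # TCP accept plus TLS handshake
        rescue OpenSSL::SSL::SSLError, SystemCallError
          next                                # a rejected handshake must not kill the server
        end
        Thread.new(client) { |c| serve_client(c) }
      end
    rescue IOError, Errno::EBADF
      # tcp.close from another thread ends the accept loop.
    end
  end
  [tcp, tcp.addr[1]]
end

# socat - OPENSSL:host:port,cafile=cert.pem equivalent. `trusted` is the list of
# certificates this client accepts as trust anchors; an empty list rejects everything.
def tls_fetch(port, hostname, trusted)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| trusted.each { |c| s.add_cert(c) } }
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname   = hostname              # SNI
  ssl.sync_close = true                  # closing ssl also closes tcp
  ssl.connect                            # SSLError unless the chain ends at a trusted cert
  ssl.post_connection_check(hostname)    # SSLError unless the cert is for `hostname`
  ssl.gets&.chomp
ensure
  (ssl || tcp)&.close
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_self_signed_cert('localhost')
  tcp, port = start_tls_server(key, cert)
  puts tls_fetch(port, 'localhost', [cert])
  tcp.close
end
```

Two checks matter on the client: the chain check in connect (the store holds only our certificate, so anything else fails) and post_connection_check, which rejects a valid certificate issued for a different name. The accept loop rescues handshake failures so one rejected client cannot take the server down.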

Finally if you are tunneling a connection between servers using socat you can use the -v option to print all the traffic to stdout.

I hope you enjoyed this quick socat tutorial. If you want to learn more, check out the socat man page, section “ADDRESS TYPES” or the online documentation.

Four Ways to Extract Files From Pcaps

It's time to extract files from pcaps. If you ever played with packet captures you probably thought it would be cool if you could actually get the downloaded files out of them, so let's see not one way to do this, but four!

1. Wireshark: http export

You can find this at File > Export > Objects > HTTP; you will be presented with a list of files found in all the HTTP requests. The bad thing about this feature is that even with the latest version (1.6.5 at the time of this writing) you still can't sort by column or apply any filters, which makes finding something specific hard.

2. Wireshark: export bytes

To find this you will have to drill down in the packet you want, depending on the protocol.

Right click > Export selected bytes

The advantage of doing it this way is that you can extract files from protocols other than HTTP (like FTP or SMB), and you can use display filters.

3. NetworkMiner http://sourceforge.net/projects/networkminer/

NetworkMiner is a tool for network analysis with a focus on forensics. It can load a pcap and extract files and other data; both a free and a commercial version are available.

4. Chaosreader

This tool will analyze and extract session information and files, and create an HTML report you can open in any browser.

chaosreader http-data.pcap

It will create a lot of files, so you may want to launch it inside an empty directory, or make a new one and use the -D option; then you can open index.html.
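To see what these four tools do under the hood, here is an added example (not from the original post or any of the tools named above): a minimal reader for the classic pcap format in Ruby that walks the packet records, decodes the Ethernet, IPv4 and TCP headers, and pulls out HTTP responses whose headers and full body fit in one segment. It deliberately stops short of TCP stream reassembly, which is what Wireshark and the other tools add for responses that span several segments; a response with a Content-Length larger than the data in the segment is reported as truncated rather than returned. The two-packet capture is constructed inline by build_sample_pcap, and the addresses and ports in it are made up.

```ruby
PCAP_MAGIC_LE     = 0xa1b2c3d4
PCAP_MAGIC_BE     = 0xd4c3b2a1   # the magic as read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1

# Yield the raw bytes of every packet record in a classic pcap file (not pcapng).
def each_pcap_packet(bytes)
  return enum_for(:each_pcap_packet, bytes) unless block_given?
  endian = case bytes.byteslice(0, 4).unpack1('L<')
           when PCAP_MAGIC_LE then '<'
           when PCAP_MAGIC_BE then '>'
           else raise ArgumentError, 'not a classic pcap file'
           end
  linktype = bytes.byteslice(20, 4).unpack1("L#{endian}")
  raise ArgumentError, "unsupported link type #{linktype}" unless linktype == LINKTYPE_ETHERNET
  offset = 24                                   # global header is 24 bytes
  while offset + 16 <= bytes.bytesize           # each record header is 16 bytes
    _sec, _usec, incl_len, _orig_len = bytes.byteslice(offset, 16).unpack("L#{endian}" * 4)
    yield bytes.byteslice(offset + 16, incl_len)
    offset += 16 + incl_len
  end
end

# Decode Ethernet / IPv4 / TCP headers; nil for anything else.
def decode_tcp(packet)
  return nil unless packet.bytesize >= 34 && packet.byteslice(12, 2).unpack1('n') == 0x0800
  ip = packet.byteslice(14, packet.bytesize - 14)
  return nil unless ip.getbyte(0) >> 4 == 4 && ip.getbyte(9) == 6   # IPv4 carrying TCP
  ihl       = (ip.getbyte(0) & 0x0f) * 4
  total_len = ip.byteslice(2, 2).unpack1('n')
  tcp       = ip.byteslice(ihl, total_len - ihl)
  doff      = (tcp.getbyte(12) >> 4) * 4
  {
    src: ip.byteslice(12, 4).unpack('C4').join('.'),
    dst: ip.byteslice(16, 4).unpack('C4').join('.'),
    sport: tcp.byteslice(0, 2).unpack1('n'),
    dport: tcp.byteslice(2, 2).unpack1('n'),
    payload: tcp.byteslice(doff, tcp.bytesize - doff)
  }
end

# Collect HTTP responses whose status line, headers and whole body sit in one
# segment. Anything longer needs TCP stream reassembly (what Wireshark does).
def extract_http_objects(bytes)
  each_pcap_packet(bytes).map do |packet|
    seg = decode_tcp(packet) or next
    next unless seg[:payload].start_with?('HTTP/1.')
    head, body = seg[:payload].split("\r\n\r\n", 2)
    next if body.nil?
    status, *header_lines = head.split("\r\n")
    headers = header_lines.each_with_object({}) do |l, h|
      k, v = l.split(':', 2)
      h[k.downcase] = v.to_s.strip
    end
    length = headers['content-length']&.to_i
    next if length && body.bytesize < length             # truncated: needs reassembly
    { from: "#{seg[:src]}:#{seg[:sport]}", to: "#{seg[:dst]}:#{seg[:dport]}",
      status: status, content_type: headers['content-type'], body: body }
  end.compact
end

# One Ethernet/IPv4/TCP segment with zeroed checksums (constructed; never validated here).
def tcp_packet(src, sport, dst, dport, payload)
  eth = ([0] * 12).pack('C12') + [0x0800].pack('n')
  ip  = [0x45, 0, 40 + payload.bytesize, 1, 0, 64, 6, 0].pack('CCnnnCCn') +
        src.split('.').map(&:to_i).pack('C4') + dst.split('.').map(&:to_i).pack('C4')
  tcp = [sport, dport, 1, 1, 0x50, 0x18, 65_535, 0, 0].pack('nnNNCCnnn')
  eth + ip + tcp + payload
end

# Constructed two-packet capture: a GET request and the server's 200 response.
def build_sample_pcap
  request  = "GET /hello.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"
  response = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\nhello, pcap!"
  packets  = [tcp_packet('10.0.0.1', 51_234, '10.0.0.2', 80, request),
              tcp_packet('10.0.0.2', 80, '10.0.0.1', 51_234, response)]
  header   = [PCAP_MAGIC_LE, 2, 4, 0, 0, 65_535, LINKTYPE_ETHERNET].pack('L<S<S<l<L<L<L<')
  header + packets.each_with_index.map { |p, i| [i, 0, p.bytesize, p.bytesize].pack('L<L<L<L<') + p }.join
end

if __FILE__ == $PROGRAM_NAME
  bytes = ARGV.empty? ? build_sample_pcap : File.binread(ARGV[0])
  extract_http_objects(bytes).each do |o|
    puts "#{o[:from]} -> #{o[:to]}  #{o[:status]}  #{o[:content_type]}  #{o[:body].bytesize} bytes"
  end
end
```

Run it with a capture file as the only argument; with no argument it parses the constructed sample. The byte offsets in decode_tcp are the fixed header layouts (14-byte Ethernet header, IHL-sized IPv4 header, data-offset-sized TCP header), which is also why IP options and TCP options are handled correctly even though they are not decoded.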

Conclusion

If the data crossed the network it has to be there somewhere. In this post we have seen a few tools you can use to uncover these files and extract them for your own benefit.