Wireshark-dev: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release andrequestfor feedba

From: Sébastien Tandel <sebastien@xxxxxxxxx>
Date: Mon, 27 Apr 2009 16:46:45 -0300
Hi Sake,


ok, a (TTL-1) trick. Then if *every* tricks are based on this scheme, it could be verified with an expert item. This way, people knowing about SniffJoke could check this expert item and create a tcp filter based on the "good" ttl and re-assemble the TCP stream.

What do you think?


Regards,
Sebastien Tandel

On Mon, Apr 27, 2009 at 15:54, Sake Blok <sake@xxxxxxxxxx> wrote:
Sebastien,
 
One of the tricks SniffJoke uses is to first determine how many hops there are to the destination and then it sends "bogus" traffic with a TTL that is just 1 lower. This means the receiving OS never gets to see that traffic, while wireshark does (when it's in between the sender and the receiving end).
 
If the trace is made at the receiving end and wireshark is not able to reassemble the stream, then that might be considered a bug. Does anyone use SniffJoke? If so, could you please make a capture at the sending and the receiving end?
 
Since WS does not know which of the packets will not arrive at the receiving end, I'm no fan of incorporating code to handle those bogus frames.
 
Cheers,
    Sake
----- Original Message -----
Sent: Monday, April 27, 2009 7:28 PM
Subject: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release andrequestfor feedback (forw)

   SniffJoke has a nice/interesting characteristic : It is *only* used by the sender *not* by the receiver. 

   SniffJoke, thanks to some tricks - which *does not* have impact on the receiver's TCP/IP stack (for all OSes?) -, is able fool sniffers and some others network tools.

   I would expect wireshark seeing the traffic as the OS is able to see it ... IOW, if receiver's OS is able to re-assemble correctly the traffic, wireshark should be able to do so too. Therefore, I would consider this as a bug in wireshark since OSes (all?) would be able to reassemble the traffic without any problem. (Although the next question would be : who will spend time to analyze SniffJoke tricks and fixes the TCP dissector?)

   Also, I'm not convinced people will think that wireshark would consider it as a cracking tool since the receiver's OS is considering this SniffJoke's traffic as valid ...


Regards,
Sebastien

On Mon, Apr 27, 2009 at 11:45, Sake Blok <sake@xxxxxxxxxx> wrote:
As the purpose of Wireshark is to display network traffic to analyse
problems, I see no use in competing in a race to cloak and uncloak traffic
with Sniffjoke. That would put Wireshark in the list of cracking tools which
might have a negative effect on the places where it is allowed to be used.
So I would not consider this a bug and I would *not* consider being able to
reassemble Sniffloke traffic a feature to implement.

Just my $0.02


Sake

----- Original Message -----
From: "Joerg Mayer" <jmayer@xxxxxxxxx>
To: <wireshark-dev@xxxxxxxxxxxxx>
Sent: Monday, April 27, 2009 3:53 PM
Subject: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and
requestfor feedback (forw)


> Should it be considered a bug if WS can be fooled by a tool like Sniffjoke
> to incorrectly reassemble a TCP stream?
> The webpage has two sample traces that seem to be handeled incorrectly by
> HEAD indeed.
>
> Ciao
>   Joerg
> ----- Forwarded message from vecna <vecna@xxxxxxxxxx> -----
>
> Delivered-To: jmayer@xxxxxxxxxxxxxxxxxxxxxxxxx
> Delivered-To: full-disclosure@xxxxxxxxxxxxxxxxx
> Date: Wed, 15 Apr 2009 09:27:39 +0200
> From: vecna <vecna@xxxxxxxxxx>
> Organization: SALVIA & MENTA, azione TOTALE, aiuta a prevenire placca,
> carie
> e disturbi gengivali.
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] SniffJoke 0.3 release and request for feedback
> Errors-To: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>
> Some days ago I've relased this:
>
> SniffJoke is a "connection scrambler" for Linux with the purpose of
> preventing packet sniffers from reassemble network sessions of the user.
> The "sniffer evasion" technology is well known since almost 10 years.
> SniffJoke implements the most efficents techniques. Using a local fake
> tunnel it is able to manage outgoing and ingoing packets without
> disturbing the kernel. With the local web interface the user can easily
> start/stop and configure SniffJoke. At the moment, Wireshark, the most
> famous packet analyzer, is unable to correctly reconstruct TCP flow
> mangled by SniffJoke. I would like to update the list of victim
> sniffers, so please send me a report if you test SniffJoke with other
> network protocol analyzers.
>
> http://www.delirandom.net/20090402/sniffjoke-03/
> http://www.delirandom.net/sniffjoke/
>
>
> Any comments appreciate
>
> Regards,
> vecna
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ----- End forwarded message -----
>
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe