Sniff and decode telnet session

nweaver

Diamond Member
Jan 21, 2001
I am looking for something that can either take a tcpdump file and read it, or will natively sniff the wire and tell me what is going on in a telnet session.

Before I get flamed for hacking, here is what I am doing: I am working on Perl Net::Telnet scripts to telnet into Cisco devices and configure them. Some are not working right, and I am trying to debug them. It works fine if I type it into the telnet window, so I am ALMOST positive that the commands themselves are correct. The Perl script is not erroring out, and I am using strict and warnings. The console shows "configured by blah blah blah" and the IP of the script server, but all it takes to get that is a conf term and an end. The script works about 1 in 8 times or so. I am familiar with Ethereal, but I'm not sure if it will give me the actual telnet commands being sent. (Guess I should try it... gotta dig out the hub tonight.)

Any ideas?

If needed I can start posting the actual scripts, but not sure if networking is the place for that (although it is configuring Cisco AP's)
 

spidey07

No Lifer
Aug 4, 2000
With Ethereal you can see the packets and what is contained in them, so yes, you'll see the commands.

Also you can use "Follow TCP Stream" to get a good output of the application layer data (telnet). It's a very simple protocol that just sends characters.
 

nweaver

Diamond Member
Jan 21, 2001
Guess I should have fired it up and tried it first. I have some experience with Ethereal... 8 machines logging 23/7 (one hour to copy all the files off). That lasted 3 weeks, and then I dumped a huge amount of data on HP's file servers; their IT was happy :D
 

n0cmonkey

Elite Member
Jun 10, 2001
Ethereal's security record is approaching Microsoftian proportions.
Telnet is evil, switch to SSH.
 

nweaver

Diamond Member
Jan 21, 2001
Yeah, but the default config on those APs is no SSH, but telnet is allowed.

I only run Ethereal on a known secured (mostly) network, or tcpdump and analyze offline.
 

spidey07

No Lifer
Aug 4, 2000
PS: I just did a test with telnetting to a switch.

Highlight a single packet and click Analyze / Follow TCP Stream and the whole conversation/commands are there.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
How is Ethereal insecure?

It's just a packet capture.

This is just plain scary. Not to mention you generally have to run it with admin/root privs, with no priv. separation.

They keep pulling in all sorts of new dissectors, and all sorts of dissectors are coming up with security issues.
 

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: n0cmonkey
Originally posted by: spidey07
How is Ethereal insecure?

It's just a packet capture.

This is just plain scary. Not to mention you generally have to run it with admin/root privs, with no priv. separation.

They keep pulling in all sorts of new dissectors, and all sorts of dissectors are coming up with security issues.

It looks like they need to go back over some code instead of making new code.
 

nweaver

Diamond Member
Jan 21, 2001
It worked very well. Since I was too lazy to get my hub out, I just ran tcpdump -w file and then ran the script. Then I just moved the cap file to my other box with Ethereal and opened up the capture file. Found some timing issues that I was able to fix. Thanks guys!
 

Pheran

Diamond Member
Apr 26, 2001
Not sure exactly what you are trying to do, but I wrote a Perl script that does essentially this. It's mainly meant to automatically TFTP config backups to a TFTP server, but it has a few other bells and whistles like automatic password changes and ability to execute an arbitrary config command across a bunch of routers. It supports both SSH and telnet. It might need minor modifications to work with a wireless AP, I haven't used it for that yet. But if you're interested PM me and I'll sanitize it and send it over.
 

spidey07

No Lifer
Aug 4, 2000
You need some pauses in there for config changes so the device can take them.

The processor on an AP is pretty weak, so you can't just blast a bunch of commands at it.

Heck, I've seen even super duper top of the line routers have to think for a little bit when making a config change.