
Thread: Some ways to test your keysniffers

  1. #1
    Registered User
    Join Date
    Dec 2001
    Posts
    144

    Some ways to test your keysniffers

    Here are some ideas on how you can test the functionality of your keysniffers without launching EQ ...

    This method will work with any of the keysniffers on here. Depending on how your code works, you might have to pass your sniffer different parameters. If you've hardcoded everything, then you'll need to make changes in the code to use this method.

    1) On your windows box, open up Internet Explorer (only once) and minimize it. I recommend IE because it initializes winsock. Some sniffers (like Maggotboy's hooking version) do not initialize winsock, instead relying on the app to do it.

    2) On your Linux box, open up a shell window. Launch tcpdump so that it reads only packets from your windows box and only on the port you want. For example:

    tcpdump 'host 1.2.3.4 && port 12345'

    (where 1.2.3.4 is replaced with the address of your windows box, and 12345 is replaced with the port you selected for sniffing.)

    3) If testing the hooking sniffer, start it, setting the offset to 0x01000000. For example:

    rundll32.exe mysniff.dll,InstallHook 192.168.1.1 12345 iexplore.exe 0x01000000

    (replace 192.168.1.1 with the address of your seq box, and 12345 with the port of your choice -- must match the port you selected for tcpdump)

    4) If testing a 'regular' keysniffer, enter or code the process name as iexplore, and enter/code the offset as 0x01000000. Run the sniffer.

    5) Watch the tcpdump screen. You should see something like:

    08:25:22.123456 a.b.c.d.xxxx > j.k.l.m.yyyyy: udp 8

    a.b.c.d is the address of your windows box.
    xxxx is the sending port number. This is an ephemeral port, so the number will vary.
    j.k.l.m should be the address of your seq box
    yyyyy should be the port you specified to use.
    udp 8 indicates there were 8 bytes of data sent in a udp packet.

    *******************************

    Notes:

    This tests only that your sniffer is sending something. It does not verify that it is sending the key correctly.

    To verify that what you are ripping from memory is being sent correctly, you need to have a way to look at the key the windows box is getting. You can either launch a sniffer that outputs it to the screen, or run Maggotboy's hook from a debugger.

    On the linux box, launch tcpdump with the -X option.

    tcpdump -X 'host 1.2.3.4 && port 12345'

    When you send the key, you will receive a line similar to the one above. However, you will also receive three lines of Hex + Ascii dump. The dump includes the UDP header info, so the key actually appears starting at offset 0x001C in the dump.

    Also note that the 'endian-ness' may be different from what you expect. If you have a keysniffer that displays the key with a printf command like:

    printf ("Key = \t0x%016llx\n\n", key);
    or
    printf ("Key = \t0x%016I64x\n\n", key);

    the udp key will appear to be "flipped." For example:

    if printf gives: key = 0x12345678abcdefgh (8 bytes, 64 bits)

    starting at offset 0x1c in tcpdump you will see:

    ghef cdab 7856 3412


    *************************************

    Once you reach this point successfully, you can be reasonably sure that:

    1) your keysniffer is correctly sending udp data
    2) your keysniffer is correctly sending what it thinks it found at the offset given.

    The only question remaining is: did it get the actual key, or did it get garbage?

    There is one way to tell for sure -- fire up EQ, get a key, and see if seq decodes properly.

    The other way is to write a program that has known values placed at a certain location and see if you get what is expected in return...

    **************************************

    I hope this is helpful. I prefer to test my applications with something other than the actual eq executable as much as possible.
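The verification notes in the post above (payload at offset 0x1C of a tcpdump -X dump, and the "flipped" byte order) can be checked without any game or sniffer involved. The following is an added example of mine, not code from this thread or from any of the sniffers it mentions: it packs a constructed 64-bit sample value the way an x86 host lays it out in memory, frames it in an IPv4+UDP packet (header checksums left at zero, an assumption that only matters for a real send), renders the dump the way tcpdump -X prints its hex column (the exact layout of old tcpdump output is an assumption; the ASCII column is omitted), and then parses that text back and decodes the value at offset 0x1C. The addresses and port are the ones that appear later in this thread.

```python
import re
import socket
import struct

# Constructed sample value for the demo; not a key taken from the thread.
SAMPLE_KEY = 0x12345678ABCDEF01

# IPv4 header (20 bytes, no options) + UDP header (8 bytes): the payload
# starts at byte 28 == 0x1C of what tcpdump -X dumps, as the post says.
PAYLOAD_OFFSET = 0x1C


def encode_key_le(key: int) -> bytes:
    """Pack a 64-bit value as an x86 host holds it in memory (little-endian);
    this is what a program that memcpy()s the integer into a datagram sends."""
    return struct.pack("<Q", key)


def decode_key_le(payload: bytes) -> int:
    """Inverse of encode_key_le: rebuild the value printf("%016llx") would show."""
    return struct.unpack("<Q", payload[:8])[0]


def hexdump_words(data: bytes) -> str:
    """Render bytes as tcpdump-style 16-bit groups, e.g. '01ef cdab 7856 3412'."""
    return " ".join(data[i:i + 2].hex() for i in range(0, len(data), 2))


def build_ipv4_udp_packet(src: str, dst: str, sport: int, dport: int,
                          payload: bytes) -> bytes:
    """Frame a payload as it appears on the wire. Checksums are left at zero
    (assumption): they do not affect where the payload sits in the dump."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def format_dump(packet: bytes) -> str:
    """Produce '0xNNNN:  words' lines like the hex column of tcpdump -X
    (assumed layout; the ASCII column is omitted here)."""
    return "\n".join(f"0x{off:04x}:  {hexdump_words(packet[off:off + 16])}"
                     for off in range(0, len(packet), 16))


HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def parse_hexdump_text(text: str) -> bytes:
    """Turn the hex column of a dump back into bytes. Each line is read until the
    first token that is not a 2- or 4-digit hex word, which drops the ASCII column.
    Caveat: an ASCII column that is itself 2 or 4 hex-looking characters would be
    misread; real 16-byte lines have a 16-character ASCII column, so this is rare."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue  # not an offset-prefixed dump line (e.g. the summary line)
        for tok in tokens[1:]:
            if not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def key_from_dump(packet: bytes) -> int:
    """Skip the IP+UDP headers and decode the 8 payload bytes at offset 0x1C."""
    return decode_key_le(packet[PAYLOAD_OFFSET:PAYLOAD_OFFSET + 8])


if __name__ == "__main__":
    pkt = build_ipv4_udp_packet("192.168.0.8", "192.168.0.5", 2477, 10666,
                                encode_key_le(SAMPLE_KEY))
    dump = format_dump(pkt)
    print(dump)
    print(f"printf would show : 0x{SAMPLE_KEY:016x}")
    print(f"wire bytes at 0x1c: {hexdump_words(pkt[PAYLOAD_OFFSET:])}")
    print(f"decoded from dump : 0x{key_from_dump(parse_hexdump_text(dump)):016x}")
```

Run it and the last two lines show the same value twice, once as printf prints it and once as the dump shows it: the byte groups at 0x1C read back-to-front because the integer is stored little-endian, which is exactly the "flip" described above, not a sign that the wrong bytes were sent.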

  2. #2
    Registered User
    Join Date
    Dec 2001
    Posts
    752
    Hmm thnx Mr. Spock - I have another idea

    Set up EQEMU ( www.eqemu.net ) - do it NOW before Tuesday's patch ... and you can use it to test your sniffer ... eqemu servers will not ban you for that
    -- Lord Crush

    Greater Faydark has to be cleaned from all Elves !

    This is a HOTKEY !!!

  3. #3
    Registered User
    Join Date
    Dec 2001
    Posts
    144
    I haven't dinked with the Emu much. I downloaded it, and made a second install of EQ for use with an emu server.

    I can log on okay, etc, but when connected to an emu server, the key is always 0x0000000000000000 and seq never decodes...

  4. #4
    Registered User
    Join Date
    Dec 2001
    Posts
    752
    Hmm, before Oct 31 SEQ worked fine with the Emu.

    I don't have mine running again yet - cause my database is from version 0.3.7 and it's now 0.3.12.

    There are about 5 changes to the database since then ...
    -- Lord Crush

    Greater Faydark has to be cleaned from all Elves !

    This is a HOTKEY !!!

  5. #5
    Registered User
    Join Date
    Dec 2002
    Posts
    6

    Router Problems With Sniffer.

    My Router is stopping the udp message from my EQ computer to my SEQ computer.

    I did what you said .... I installed tcpdump... started up my stealthsniffer, then set it up to use iexplore.exe.

    I started tcpdump, and started up iexplore.

    no message... using the port option on tcpdump. So I made it general to what was coming out of my EQ computer.

    When I started everything up again.. I got....

    192.168.0.8.2477 > 192.168.0.1.domain: 99+[|domain]
    192.168.0.1.domain > 192.168.0.8.2477: 99 3/6/6[|domain] (DF)



    Everything I try keeps doing the same thing. I tried changing the keysniffer to point to my external IP... but it says the exact same thing. :\

    Anyone have any ideas?

  6. #6
    Registered User Elyon's Avatar
    Join Date
    Mar 2002
    Posts
    139

    Re: Router Problems With Sniffer.

    Originally posted by Invader_Zim
    My Router is stopping the udp message from my EQ computer to my SEQ computer.
    The Router is your problem. Your SEQ and EQ box should ONLY be connected to a HUB, that is connected to your router.

    You CANNOT use a Router or Switch to plug your EQ - SEQ Box into, it doesn't work.

  7. #7
    Registered User
    Join Date
    Dec 2002
    Posts
    6

    Re: Re: Router Problems With Sniffer.

    Originally posted by Elyon


    The Router is your problem. Your SEQ and EQ box should ONLY be connected to a HUB, that is connected to your router.

    You CANNOT use a Router or Switch to plug you EQ - SEQ Box into, it doesn't work.
    Crap, I forgot to post that I already had both my SEQ and EQ computers hooked up to a hub that is then hooked into a router... I knew it would come up.

    For some reason... I'm getting that error..

    I HAVE had seq setup before perfectly.. before All this keysniff need crap.

    SO yeah.. It's all hooked up right... just .. for some reason that's the feedback that I get when I try to run a keysniffer.

    And before trying to throw this off as something stupid.. maybe you should have realized that I could never have monitored my EQ computers data on my SEQ box ... with a router only.
    Last edited by Invader_Zim; 12-07-2002 at 02:27 PM.

  8. #8
    Registered User
    Join Date
    Nov 2002
    Posts
    7
    Invader_Zim,

    Check your linux firewall. If you're using RH, run SETUP, select firewall configuration and either add the port#:udp to the firewall customize option or try it without firewall.

    Foo

  9. #9
    Registered User
    Join Date
    Dec 2002
    Posts
    6
    Originally posted by foo
    Invader_Zim,

    Check your linux firewall. If you're using RH, run SETUP, select firewall configuration and either add the port#:udp to the firewall customize option or try it without firewall.

    Foo
    When I installed RH 7.3, I chose not to install a firewall... since I'm already behind a router.

    I'm a huge linux newbie.. well.. not huge.. :\ I can figure certain things out..

    I checked all my network configs and my service configs and not once did I see anything about a firewall.. So I'm pretty sure one is not installed....

    What the tcpdump message seems like is that it went RIGHT to my router then got returned to the same computer that sent it... so it was a response of some sort like... can't send or something.

    So I thought it would be my DMZ or port forwarding for the router. I put the port I'm using (10666) to be forwarded to my linux box and just to make sure I made my default DMZ for my router my linux box as well.

    Still the message gets returned to my windows box....

    Is there any way to get a log of your router messages?

    edit: I'm a moron. I didn't fully check my router package. I'm going to try to fuck around with the log and see what it's saying.


    EDIT: Ok... It only logs outbound... So it detected that it was sending... ... Once again.....


    2|Sat, 07 Dec 2002 13:26:48 |192.168.0.8 |FORWARD
    192.168.0.1

    So what it's saying is.... It's forwarding ... to itself :\ When it should be forwarding to 192.168.0.5..... any ideas?
    Last edited by Invader_Zim; 12-07-2002 at 03:31 PM.

  10. #10
    Registered User
    Join Date
    Dec 2002
    Posts
    1
    I compiled the code, and tested the udp dump with tcpdump. It is sending the code correctly. I verified this by manually typing the code into ShowEQ and it works! Problem is that ShowEQ doesn't seem to be picking up the code directly from udp...I checked the port...it's correct. Any suggestions?

    btw...I'm running SEQ 4.3.3 with latest libEQ.a and Maggotboy's Super Stealth Sniffer V2 (2.05)
    Last edited by Keev99; 12-11-2002 at 05:20 PM.

  11. #11
    Registered User
    Join Date
    Jan 2002
    Posts
    741
    What port number are you using? It has been recommended to be an odd number greater than 10000. Is the port number set up in your sniffer the same as the port number you set in the Decode menu? I recommend setting it there again, then doing File -> Save Preferences.

    Here's another one that got me...if you're using DHCP to get an IP address on your Seq box, verify the IP (ifconfig -a) and make sure your sniffer is set up to send to that IP. I made some router changes last weekend and my Seq box got a new IP. It was still seeing the EQ client (GPS mode working), but not receiving the key from the sniffer. After pulling my hair out for 45 minutes, I realized I was sending the key to an IP that was no longer valid.

  12. #12
    Registered User
    Join Date
    Dec 2002
    Posts
    2
    Hmm, I have a somewhat similar problem. My setup is a bit different so not sure how exactly to fix it. Basically I have 2 NICs in my linux comp since I don't have a hub available. I have the linux comp connected to my router with 1 NIC while the other NIC goes to my windows comp with a crossover cable. I am using firestarter to setup NAT to connect to EQ on my windows comp.

    So anyway SEQ works fine and I can connect to EQ/internet just fine on my windows machine. But I have to enter the key into SEQ manually. The linux machine isn't receiving the key that is sent for some reason no matter what port I use. I've verified using TCPDUMP. I also tried setting my windows comp as a trusted IP and forwarding the ports to the NICs in my linux comp.

    I'm using keyring to get the key which does a good job so far anyway. In keyring I've set the IP address to both NICs on my linux comp and to my external IP addy but nothing seems to work.

    Anyone have any advice? I wiped redhat completely and reinstalled while selecting "none" for the firewall to see if that helped. It hates me I swear! At least I can use showeq I guess but it's a pain typing in a new key every time I zone.

    Anyone have any advice? Thanks!

    Edit: Oh and not sure how much it matters but if I set an IP to like 1.1.1.1 or something for keyring to send to it does show up in TCPDUMP, but it doesn't when it's a valid IP on the machine.

  13. #13
    Registered User baelang's Avatar
    Join Date
    May 2002
    Posts
    252
    SEQ listens for keys on the port you specify, but it doesn't really care what IP you send it to.

    I noticed this when doing some development work on SEQ. I had two different linux boxes on my LAN, one with standard 4.3.3 (or whatever) seq running, with the keysniffer sending to its IP address. The other box had some SEQ test code I was working on, a different IP address, but the same port configured.

    Both SEQ boxes would receive the key and decode just fine.

    So, if you want to run two different SEQ sessions on one LAN you do need to specify different ports, or you will have problems.

    However, this also means that you can specify arbitrary IP addresses in your keysniffer and still get decode, provided of course that the address you specify has a route on the same interface as the SEQ box.

    If you are using your linux box to do NAT as a router for your EQ client, this could be a problem, because SEQ will listen on the public interface for EQ traffic, but will need to listen on the private interface for the key from the keysniffer.

    I think that is what you are running into here.

    So your solution is either to use the file transfer method, or reconfigure your network.
    BaeLang
    ---
    "seek and ye shall find." <-- god's way of saying use the damn search button. (or grep)

  14. #14
    Registered User
    Join Date
    Dec 2002
    Posts
    2
    Thanks for the info. Just decided to go out and buy a cheap hub, works like a charm. Should have just done that in the first place instead of spending hours trying to get my current config to work.

  15. #15
    Registered User
    Join Date
    Dec 2002
    Posts
    1

    Network Help Needed Please

    I am a network newb. I have an XP EQ Client, and an RH8.0 SEQ system. I have compiled (without issue) keyring. So I found this thread, and followed the directions above.

    EQ Client: 192.168.83.129
    LINUX: 192.168.83.128
    Port: 12345

    The tcpdump reports:

    192.168.83.129.4109 > 192.168.83.128.11109: udp 8
    192.168.83.128 > 192.168.83.129: icmp: 192.168.83.128 udp port 11109 unreachable [tos 0xc0]

    Any suggestions on where to look next? It appears the udp is sent, but the linux system says the port can't be reached for whatever reason. I checked into the tos code, and it is too technical for me.
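Two points raised in this thread, BaeLang's observation in #13 that the listener does not care which IP the datagram was addressed to, and the icmp "udp port unreachable" line in #15, come down to how a UDP socket is bound on the receiving box. The following added example is mine, not code from the thread or from ShowEQ: it binds a receiver to all local addresses (INADDR_ANY), sends one constructed 8-byte datagram to it over loopback, and decodes what arrived; it then sends to a port nothing is bound to, which is what produces the icmp port-unreachable reply seen above. Ports are taken from the kernel so the demo cannot collide with anything; on Linux the unreachable reply surfaces on a connected UDP socket as ECONNREFUSED on the next operation, which the helper reports as "refused" (some sandboxes generate no ICMP on loopback, in which case it reports "timeout").

```python
import socket
import struct

# Constructed 8-byte datagram for the demo; not a key from the thread.
DEMO_PAYLOAD = struct.pack("<Q", 0x12345678ABCDEF01)


def free_udp_port() -> int:
    """Ask the kernel for a currently unused UDP port (so the demo never collides)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def decode_payload(data: bytes) -> int:
    """Rebuild the 64-bit little-endian value carried in the datagram."""
    return struct.unpack("<Q", data[:8])[0]


def listen_and_receive(port: int, send_to: str, payload: bytes, timeout: float = 2.0):
    """Bind a receiver on every local address (the behaviour described in #13:
    the listener only cares about the port), send one datagram to send_to:port,
    and return (data, sender_ip) or None if nothing arrived before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("", port))          # "" == INADDR_ANY: any local address delivers here
        rx.settimeout(timeout)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, (send_to, port))
        try:
            data, (src_ip, _src_port) = rx.recvfrom(65535)
        except socket.timeout:
            return None
        return data, src_ip


def probe_closed_port(port: int, target: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Send to a port nobody is bound to. The receiving kernel answers with ICMP
    port unreachable (the line in #15); on a connected UDP socket Linux reports
    that as ECONNREFUSED on the next operation. Returns 'refused', 'timeout'
    or 'received' (the last only if something was listening after all)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.settimeout(timeout)
        tx.connect((target, port))   # connect() is what lets the ICMP error reach us
        tx.send(DEMO_PAYLOAD)
        try:
            tx.recv(65535)
            return "received"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"


if __name__ == "__main__":
    port = free_udp_port()
    got = listen_and_receive(port, "127.0.0.1", DEMO_PAYLOAD)
    if got is None:
        print(f"port {port}: nothing received")
    else:
        data, src = got
        print(f"port {port}: {len(data)} bytes from {src}, value 0x{decode_payload(data):016x}")
    print(f"unbound port {free_udp_port()}: {probe_closed_port(free_udp_port())}")
```

Reading the two outcomes together: when the receiver is bound on the right port, the datagram is delivered whatever local address it was sent to; when nothing is bound on that port on the machine the packet reaches, the sender's tcpdump shows the "udp port unreachable" reply and nothing else, which is the symptom to look for before suspecting the network path. In the case above the sniffer was configured for port 12345 but the dump shows traffic to 11109, so the first thing to compare is the port in the sender's configuration against the one the receiver is actually bound to.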
