/ Greyhat.dk /

Kim Gert Nielsen

 

The lost art of debugging for admins #part 2 – Basic knowledge of protocols

Protocols

Just a little knowledge about a few protocols can get you a long way when debugging. Often, clients do not pass on the full feedback from the server, or they try to give a user-friendly error message, which just makes it worse. Here is how just a handful of protocols can be used by hand with telnet/openssl:

HTTP/HTTPS

    $ telnet www.example.com 80
    Connected to www.example.com.
    Escape character is '^]'.
    GET / HTTP/1.1
    HOST: www.example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

    HTTP/1.1 302 Found
    Date: Mon, 18 Nov 2013 19:32:49 GMT
    Server: Apache
    Location: https://www.example.com/
    Content-Length: 206
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://www.example.com/index.htm">here</a>.</p>
    </body></html>
    Connection closed by foreign host.
    $ openssl s_client -connect www.example.com:443
    CONNECTED(00000003)
    ---
    Lots of SSL certificate stuff removed
    ---

    GET / HTTP/1.1
    HOST: www.example.com

    HTTP/1.1 200 OK
    Date: Mon, 18 Nov 2013 19:37:18 GMT
    Server: Apache
    Last-Modified: Tue, 29 Jan 2013 07:51:17 GMT
    ETag: "e83f7c0-1e8-4d468a89c0237"
    Accept-Ranges: bytes
    Content-Length: 488
    Connection: close
    Content-Type: text/html

    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <meta name="Description" content="www.example.com: My private homepage" />
    Example.com
    <link href="/styles-site.css" rel="stylesheet" type="text/css" />
    <div>

    Example.com test site

    </div>

POP3/POP3S

    $ telnet example.com 110
    Connected to example.com.
    Escape character is '^]'.
    +OK Yes master.
    user user@example.com
    +OK
    pass secret
    +OK Logged in.
    list
    +OK 2 messages:
    1 2001
    2 1863
    stat
    +OK 2 14989176
    retr 2
    +OK 12138 octets

Just like the HTTPS example, the openssl client also works for POP3S.

IMAP/IMAPS

    $ telnet example.com 143
    Connected to example.com.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Yes master.
    A001 LOGIN user@example.com secret
    A001 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
    A002 LIST "" "*"
    * LIST (\HasChildren) "." "INBOX"
    * LIST (\HasNoChildren) "." "INBOX.Drafts"
    * LIST (\HasNoChildren) "." "INBOX.Junk"
    * LIST (\HasNoChildren) "." "INBOX.Sent"
    * LIST (\HasNoChildren) "." "INBOX.Trash"
    A002 OK List completed.
    A003 EXAMINE INBOX
    * FLAGS (\Answered \Flagged \Deleted \Seen \Draft Junk NonJunk $label1 $label4 $label2 $label3 $label5 $MDNSent $Forwarded $NotJunk $Junk JunkRecorded receipt-handled $MailFlagBit0 $MailFlagBit1)
    * OK [PERMANENTFLAGS ()] Read-only mailbox.
    * 2 EXISTS
    * 0 RECENT
    * OK [UNSEEN 1] First unseen.
    * OK [UIDVALIDITY 1214564994] UIDs valid
    * OK [UIDNEXT 39761] Predicted next UID
    * OK [HIGHESTMODSEQ 35521] Highest
    A003 OK [READ-ONLY] Select completed.
    A004 FETCH 1 BODY[]
    * 1 FETCH (BODY[] {2001}
    ..

SMTP/SMTPS

    $ telnet example.com 25
    Trying 192.168.1.1...
    Connected to example.com.
    Escape character is '^]'.
    220 example.com ESMTP
    ehlo example.com
    250-example.com
    250-PIPELINING
    250-SIZE
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from:<whomever@example.com>
    250 2.1.0 Ok
    rcpt to:<user@example.com>
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    Subject: Testing
    Test test
    .
    250 2.0.0 Ok: queued as 2DAB5C13D8A
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
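Reading the EHLO reply from a saved session, as an added example that is not part of the original post: it lists the advertised extensions and reports whether password mechanisms are offered on the unencrypted connection. The function names and the capture file are assumptions; the sample is constructed from the session above.

```shell
#!/bin/sh
# ehlo_caps FILE: print one extension per line from the EHLO reply in a saved
# session. Continuation lines start "250-", the final line "250 " (RFC 5321).
ehlo_caps() {
    tr -d '\r' < "$1" | awk '
        tolower($0) ~ /^ehlo / { reply = 1; n = 0; next }
        reply && /^250[- ]/ {
            if (++n > 1) print toupper(substr($0, 5))  # line 1 names the server
            if (substr($0, 4, 1) == " ") reply = 0     # last line of the reply
        }'
}

# auth_mechs FILE: mechanisms from "AUTH ..." and legacy "AUTH=..." lines.
auth_mechs() {
    ehlo_caps "$1" | sed -n 's/^AUTH[ =]//p' | tr ' ' '\n' | sort -u |
        paste -sd' ' -
}

# audit_plain_session FILE: FILE must be a capture of an unencrypted session
# (telnet, as above). Reports whether passwords could travel in the clear.
audit_plain_session() {
    mechs=$(auth_mechs "$1")
    if ehlo_caps "$1" | grep -qx 'STARTTLS'; then tls=yes; else tls=no; fi
    case "$mechs" in
        *PLAIN*|*LOGIN*) echo "cleartext-auth-offered starttls=$tls mechs=$mechs" ;;
        *) echo "ok starttls=$tls" ;;
    esac
}

# Constructed capture, cut down from the telnet session above.
SESSION=$(mktemp)
cat > "$SESSION" <<'EOF'
220 example.com ESMTP
ehlo example.com
250-example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN
mail from:<whomever@example.com>
250 2.1.0 Ok
EOF
audit_plain_session "$SESSION"
```

A `cleartext-auth-offered` result means a client that skips STARTTLS can send its password unencrypted; on Postfix, `smtpd_tls_auth_only = yes` stops AUTH being advertised before TLS.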

Tips on reading/creating emails

Attached files are added as MIME-encoded base64 blocks, like so:

    Return-Path: <user@example.com>
    X-Original-To: user@example.com
    Delivered-To: user@example.com
    Received: from [192.168.1.1] (example.com [192.168.1.1])
        (using TLSv1 with cipher AES128-SHA (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: user@example.com)
        by example.com (Postfix) with ESMTPSA id 13398C13CE4
        for <user@example.com> Fri,  3 Jan 2014 13:01:22 +0100 (CET)
    From: Example User <user@example.com>
    Content-Type: image/png; x-mac-hide-extension=yes; x-unix-mode=0644; name="dot.png"
    Content-Transfer-Encoding: base64
    Subject: img
    Message-Id: <470CCFDB-8106-4F2A-8BB3-ED4765D45551@example.com>
    Date: Fri, 3 Jan 2014 13:01:25 +0100
    To: Example User <user@example.com>
    Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
    Content-Disposition: inline; filename=dot.png
    X-Mailer: Apple Mail (2.1827)

    iVBORw0KGgoAAAANSUhEUgAAABUAAAAWCAIAAACg4UBvAAAKyGlDQ1BJQ0MgUHJvZmlsZQAASA2t
    lndU08kWx+f3S2+0BASkhN57CyCQ0EOXDqISkkBCiTEQRGyoLK7AWhARAUXRBREFV6WuBbFgQRQb
    9gVZFNR1sWBD5f0AiXveefvfm5yZ+eQ7d+7cmd/MORcAcg9HLE6HFQDIEGVJwv086bFx8XTcYwAB
    GOCBOZDjcDPFrLCwIPCv5f0dxBopNy2mfP2r2f8eUOTxM7kAQGHIcBIvk5uB8PGpyhVLsgBACRBd
    b1mWeIqLEaZJkAAR3jPFKTOM2ANa0gxfnLaJDPdCbB4CgCdzOJIUAEgjiE7P5qYgfsh4hK1FPKEI
    YQbC7lwBh4dwDsLmGRlLpng/wsZJ//CT8g/mcJJkPjmcFBnP7AWZiSzsLcwUp3OWT//5fzYZ6VLk
    vKaLDtKSBRL/cKRXRc6sKm1JoIxFSSGhs7oQ2dEsC6T+UbPMzfRCznJmLo/jHTjL0rQo1ixzJAh9
    txFmsSNnWbIkXOZflB4ydT+mYxDw2TLmZ/pEzOrJQl/2LOcKImNmOVsYHTLLmWkRshhyBV4yXSIN
    l8WcLPGV7TEjE5n5fV0u58daWYJI/1mdx/f2mWW+KEoWjzjLU+ZHnD59v6fj56f7yfTM7AjZ3CxJ
    pExP5QRM3ddpe3FWmOxMgDfwAUHIjw6igC1wAjbADviD4Cx+DnLvAPBaIl4uEaYIsugs5KXw6WwR
    19KcbmttYw/A1LubsgHg7d3p9wSp4H9o2UkAzEO+CeTyQ0tA1m3fAoCC9w9Nnw4A0RqAM01cqSR7
    2h1AT3UYQATygAbUgBbQA8bAAonPEbgCJhJxAAgFkSAOLAJcIAAZQAKWgZVgLSgARWAL2A4qQDXY
    Bw6Aw+AoaAUnwBlwAVwB18Ft8AAMgGHwAoyB92ACgiAcRIGokBqkDRlAZpAtxIDcIR8oCAqH4qBE
    KAUSQVJoJbQeKoJKoApoL1QP/Qa1Q2egS1AfdA8ahEahN9BnGAWTYRqsCRvCVjADZsGBcCS8EE6B
    l8K5cD68CS6Ha+BDcAt8Br4C34YH4BfwOAqgSCgVlA7KAsVAeaFCUfGoZJQEtRpViCpD1aAaUR2o
    btRN1ADqJeoTGoumouloC7Qr2h8dheail6JXo4vRFegD6Bb0OfRN9CB6DP0NQ8FoYMwwLhg2JhaT
    glmGKcCUYWoxzZjzmNuYYcx7LBargjXCOmH9sXHYVOwKbDF2F7YJ24ntww5hx3E4nBrODOeGC8Vx
    cFm4AtxO3CHcadwN3DDuI56E18bb4n3x8XgRfh2+DH8Qfwp/A/8MP0FQIBgQXAihBB5hOWEzYT+h
    g3CNMEyYICoSjYhuxEhiKnEtsZzYSDxPfEh8SyKRdEnOpPkkISmPVE46QrpIGiR9IiuRTcle5ASy
    lLyJXEfuJN8jv6VQKIYUJiWekkXZRKmnnKU8pnyUo8pZyrHleHJr5CrlWuRuyL2SJ8gbyLPkF8nn
    ypfJH5O/Jv9SgaBgqOClwFFYrVCp0K7QrzCuSFW0UQxVzFAsVjyoeElxRAmnZKjko8RTylfap3RW
    aYiKoupRvahc6nrqfup56jANSzOisWmptCLaYVovbUxZSdleOVo5R7lS+aTygApKxVCFrZKuslnl
    qModlc9zNOew5vDnbJzTOOfGnA+qc1WZqnzVQtUm1duqn9Xoaj5qaWpb1VrVHqmj1U3V56svU9+t
    fl795VzaXNe53LmFc4/Ova8Ba5hqhGus0Nin0aMxrqml6acp1typeVbzpZaKFlMrVatU65TWqDZV
    211bqF2qfVr7OV2ZzqKn08vp5+hjOho6/jpSnb06vToTuka6UbrrdJt0H+kR9Rh6yXqlel16Y/ra
    +sH6K/Ub9O8bEAwYBgKDHQbdBh8MjQxjDDcYthqOGKkasY1yjRqMHhpTjD2MlxrXGN8ywZowTNJM
    dplcN4VNHUwFppWm18xgM0czodkusz5zjLmzuci8xrzfgmzBssi2aLAYtFSxDLJcZ9lq+cpK3yre
    aqtVt9U3awfrdOv91g9slGwCbNbZdNi8sTW15dpW2t6yo9j52q2xa7N7bW9mz7ffbX/XgeoQ7LDB
    ocvhq6OTo8Sx0XHUSd8p0anKqZ9BY4QxihkXnTHOns5rnE84f3JxdMlyOeryt6uFa5rrQdeReUbz
    +PP2zxty03XjuO11G3Cnuye673Ef8NDx4HjUeDxh6jF5zFrmM5YJK5V1iPXK09pT4tns+cHLxWuV
    V6c3ytvPu9C710fJJ8qnwuexr65vim+D75ifg98Kv05/jH+g/1b/frYmm8uuZ48FOAWsCjgXSA6M
    CKwIfBJkGiQJ6giGgwOCtwU/DDEIEYW0hoJQdui20EdhRmFLw36fj50fNr9y/tNwm/CV4d0R1IjF
    EQcj3kd6Rm6OfBBlHCWN6oqWj06Iro/+EOMdUxIzEGsVuyr2Spx6nDCuLR4XHx1fGz++wGfB9gXD
    CQ4JBQl3FhotzFl4aZH6ovRFJxfLL+YsPpaISYxJPJj4hRPKqeGMJ7GTqpLGuF7cHdwXPCavlDfK
    d+OX8J8luyWXJI+kuKVsSxkVeAjKBC+FXsIK4etU/9Tq1A9poWl1aZPpMelNGfiMxIx2kZIoTXRu
    idaSnCV9YjNxgXhgqcvS7UvHJIGS2kwoc2FmWxYNSXB6pMbSn6SD2e7Zldkfl0UvO5ajmCPK6Vlu
    unzj8me5vrm/rkCv4K7oWqmzcu3KwVWsVXtXQ6uTVnet0VuTv2Y4zy/vwFri2rS1V9dZrytZ9259
    zPqOfM38vPyhn/x+aiiQK5AU9G9w3VD9M/pn4c+9G+027tz4rZBXeLnIuqis6Esxt/jyLza/lP8y
    uSl5U+9mx827t2C3iLbc2eqx9UCJYkluydC24G0tpfTSwtJ32xdvv1RmX1a9g7hDumOgPKi8baf+
    zi07v1QIKm5XelY2VWlUbaz6sIu368Zu5u7Gas3qourPe4R77u7129tSY1hTtg+7L3vf0/3R+7t/
    ZfxaX6teW1T7tU5UN3Ag/MC5eqf6+oMaBzc3wA3ShtFDCYeuH/Y+3NZo0bi3SaWp6Ag4Ij3y/LfE
    3+4cDTzadYxxrPG4wfGqZmpzYQvUsrxlrFXQOtAW19bXHtDe1eHa0fy75e91J3ROVJ5UPrn5FPFU
    /qnJ07mnxzvFnS/PpJwZ6lrc9eBs7Nlb5+af6z0feP7iBd8LZ7tZ3acvul08ccnlUvtlxuXWK45X
    WnocepqvOlxt7nXsbbnmdK3tuvP1jr55fadueNw4c9P75oVb7FtXbofc7rsTdeduf0L/wF3e3ZF7
    6fde38++P/Eg7yHmYeEjhUdljzUe1/xh8kfTgOPAyUHvwZ4nEU8eDHGHXvyZ+eeX4fynlKdlz7Sf
    1Y/YjpwY9R29/nzB8+EX4hcTLwv+Uvyr6pXxq+N/M//uGYsdG34teT35pvit2tu6d/bvusbDxh+/
    z3g/8aHwo9rHA58Yn7o/x3x+NrHsC+5L+VeTrx3fAr89nMyYnBRzJJzpXACFtHByMgBv6gCgxAFA
    vY7kC3IzefG0BTSTyyMMfa9T8n/xTO48NYDkEKCOCUA0goF5AOzrBMAA6YlIH8YEIJIJYDs7WQUz
    JTPZznaaIFIrkpqUTU6+RfJBnAkAX/snJydaJye/1iL5+30AOt/P5ONT1gqHAGDmsXxDgq4qKs04
    +kf7H19W/ovOQJzqAAABm2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxu
    czp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJE
    RiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMi
    PgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczpl
    eGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyI+CiAgICAgICAgIDxleGlmOlBpeGVs
    WERpbWVuc2lvbj4yMTwvZXhpZjpQaXhlbFhEaW1lbnNpb24+CiAgICAgICAgIDxleGlmOlBpeGVs
    WURpbWVuc2lvbj4yMjwvZXhpZjpQaXhlbFlEaW1lbnNpb24+CiAgICAgIDwvcmRmOkRlc2NyaXB0
    aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgrUWcUnAAAB5ElEQVQ4EWNgGAUDGQKMRFiu
    El8ewfNw+9QVZyGKVdxT0wLNxTgY3j88z0KEfinXAG/lhwwQ/SoBjTPL3bgYfr5/z6CuwEKM/q8/
    fjL8/PMbYpNviD3Xz7sNDjE7wXwW49T+rgjJXSuumER4yHAxf354uCWi7BBIzq5xTq69hgzQBmZm
    hm8gEeOACB05bpa/758JBkSk8rPfPLqQWdU+0stAWcNQjfHZuVNPmVRVtQ3V/yzf/bVt9WQXFYGn
    53btPvNMXEOe4/2NBW+UZtTEKPAwMfHIW9hYGJqYyP25DXX/+6sbvFI6gTYsODBFRU5WJT7fUYb5
    4a7OiPoNQEFtT1tBoPWHOh0sO8uXHPBl2W4TAVQMAkxg8ufB6RA+9x8g/89vKSGg+r9X9gI1QwFI
    HBuA6IfJGBvLsTN8ev8OaAZI6CuIUIkPV2Fn+AtiYgEQ97NIWAS4qyompobxMrxfsmD2VwtzYKjp
    J5TH20nEhVmwMzB8w+EAiH5mi5hyC6DpP9/smtEwFZhMzk4/7NBraxKQYcLw5Mzh51q2kgy/ILZD
    KbhT7AoXHD9+oDHAWMVYBS4IYdi5B9gZo4mhc1kY2IBOYPn97uwdaOpEqDi0ExF+CFFUFsuzm2cv
    Xn125Rmq8IjhAQApUJ8sKnhyuAAAAABJRU5ErkJggg==

Paste the base64-encoded block to a file and decode it:

    openssl base64 -d < dot_png.base64 > dot.png

Or manually encode a file/text:

    openssl base64 -e < dot.png > dot_png.base64
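The decode and encode steps above applied to a saved single-part message, as an added example that is not part of the original post: it skips the headers, decodes the body only if the headers declare base64, and checks the file magic of the result. The sample message is constructed (its body is only the 8-byte PNG signature); the function names and the fallback to coreutils `base64` are assumptions.

```shell
#!/bin/sh
# b64 -d|-e: openssl as used above; coreutils base64 is an assumed fallback.
b64() {
    if command -v openssl >/dev/null 2>&1; then openssl base64 "$1"
    elif [ "$1" = "-d" ]; then base64 -d
    else base64
    fi
}

# extract_body MSG: everything after the first blank line, which separates
# headers from body. CRs are stripped so CRLF-saved messages work too.
extract_body() { tr -d '\r' < "$1" | sed '1,/^$/d'; }

# decode_attachment MSG OUT: decode only when the headers declare base64.
decode_attachment() {
    tr -d '\r' < "$1" | sed '/^$/q' |
        grep -qi '^Content-Transfer-Encoding:[[:space:]]*base64' || return 1
    extract_body "$1" | b64 -d > "$2"
}

# magic_hex FILE: first 8 bytes as hex, to identify the type from content
# rather than from the filename the sender chose.
magic_hex() { od -An -tx1 -N8 "$1" | tr -d ' \n'; }

# Constructed sample: headers cut down from the message above; the body is
# only the 8-byte PNG signature, not a real image.
WORK=$(mktemp -d)
cat > "$WORK/msg.eml" <<'EOF'
From: Example User <user@example.com>
Content-Type: image/png; name="dot.png"
Content-Transfer-Encoding: base64
Subject: img

iVBORw0KGgo=
EOF

if decode_attachment "$WORK/msg.eml" "$WORK/dot.png"; then
    echo "magic:      $(magic_hex "$WORK/dot.png")"
    echo "re-encoded: $(b64 -e < "$WORK/dot.png")"
fi
```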

All of the above is also used in penetration testing, since you can test for open relays, test for users, run brute-force attacks or look for version numbers (just automate it with expect or netcat).