odedshimon / BruteShark

Network Analysis Tool
GNU General Public License v3.0
2.98k stars 324 forks

BruteSharkCLI will fail on pcap files when running on Ubuntu 22.04 LTS #124

Open Limpem opened 2 years ago

Limpem commented 2 years ago

BruteSharkCLI will fail on processing pcap files when running on the 22.04 LTS release on Ubuntu (20.04 seems to work fine):

./BruteSharkCli -i Pcap_Examples/Ftp.pcap -m Credentials -o Example
[+] Start analyzing 1 files
[+] Start processing file : Ftp.pcap
ERROR: Failed to process file : Ftp.pcap
[+] Successfully exported extracted files to: Demo/Files
[+] BruteShark finished processing

odedshimon commented 2 years ago

@Limpem Thank you for reporting this.

  1. Are you sure you have read privileges for this file?
  2. Can you run it in debug mode (e.g. using VS Code) and share the exception?

Limpem commented 2 years ago

Thank you for looking into this. To answer your questions:

  1. Yes (I am using the Ftp.pcap found in the examples folder)
  2. When I use debug-mode (./BruteSharkCli --debug) on 20.04:

Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
[+] Packets Analyzed: 38, TCP: 38 UDP: 0
[+] TCP Sessions Analyzed: 3 UDP Streams Analyzed: 0
[+] Passwords Found: 1
[+] Hashes Found: 0
[+] Network Connections Found: 6
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬───────────────┬───────────────┐
│ Username │ Password │ Protocol │ Source        │ Destination   │
├──────────┼──────────┼──────────┼───────────────┼───────────────┤
│ csanders │ echo     │ FTP      │ 192.168.0.114 │ 192.168.0.193 │
└──────────┴──────────┴──────────┴───────────────┴───────────────┘

When I do the same thing on 22.04:

Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬────────┬─────────────┐
│ Username │ Password │ Protocol │ Source │ Destination │
├──────────┼──────────┼──────────┼────────┼─────────────┤
└──────────┴──────────┴──────────┴────────┴─────────────┘

So it doesn't seem to do anything after running the start command. libpcap is installed on both, but it seems 22.04 is using a newer version.

libpcap on 20.04:

libpcap-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8/focal,now 1.9.1-3 amd64 [installed]

libpcap on 22.04:

libpcap-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8/jammy,now 1.10.1-4build1 amd64 [installed]

sbrun commented 1 year ago

Hello, we have the same issue in Kali / Debian. It appeared with the latest version of the libc in Debian. I ran the command with strace to debug the issue. Here is the relevant part I think:

openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
futex(0x7f51fb7971f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
mprotect(0x7f518233e000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f518234f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x7f518233f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d1000, 4096, PROT_READ|PROT_WRITE) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
write(1, "\33[39;49m", 8)               = 8
write(1, "\33[91m", 5)                  = 5
write(41, "ERROR: Failed to process file : "..., 41ERROR: Failed to process file : Ftp.pcap
) = 41

brutesharkcli is looking for libdl.so but it does not exist anymore, the libdl has been merged in the libc: https://sourceware.org/glibc/wiki/Release/2.34#Libraries_merged_into_libc

I fixed the issue in Kali with a symlink: /usr/lib/brutesharkcli/libdl.so -> /lib/x86_64-linux-gnu/libdl.so.2
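A triage script for strace output like the one in the comment above, added here as an example (it is not part of the thread or of BruteShark): it folds the name variants the loader probes into one logical library, lists the libraries that were never opened, and picks out versioned sonames that could back a symlink. The sample lines are constructed, the two libpcap lines are invented for contrast, and all function names are this example's own.

```python
import os
import re
from collections import defaultdict

# Constructed sample shaped like the strace output quoted in the thread; the
# two libpcap lines are invented here to show a probe that eventually succeeds.
SAMPLE = """\
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libpcap.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcap.so", O_RDONLY|O_CLOEXEC) = 54
"""

OPENAT = re.compile(r'openat\(AT_FDCWD, "([^"]+)", [^)]*\)\s*=\s*(-?\d+)(?:\s+(\w+))?')

def logical_name(path):
    """Fold probe variants (libdl.so, liblibdl.so, libdl, liblibdl) into 'libdl'."""
    base = re.sub(r"\.so(\.\d+)*$", "", os.path.basename(path))
    return re.sub(r"^(lib)+", "lib", base) if base.startswith("lib") else None

def unresolved_libraries(strace_text):
    """Map each library that was probed but never opened to the paths tried."""
    probes, opened = defaultdict(set), set()
    for line in strace_text.splitlines():
        m = OPENAT.search(line)
        name = logical_name(m.group(1)) if m else None
        if name is None:
            continue  # not an openat line, or not a library (e.g. ld.so.cache)
        if int(m.group(2)) >= 0:
            opened.add(name)
        elif m.group(3) == "ENOENT":
            probes[name].add(m.group(1))
    return {n: sorted(p) for n, p in probes.items() if n not in opened}

def versioned_candidates(name, existing_paths):
    """Versioned sonames (e.g. libdl.so.2) that still provide the missing name."""
    pat = re.compile(r"/" + re.escape(name) + r"\.so(\.\d+)+$")
    return [p for p in existing_paths if pat.search(p)]

if __name__ == "__main__":
    for lib, tried in unresolved_libraries(SAMPLE).items():
        print(f"{lib}: not found in {len(tried)} locations")
```

The errno is matched by name, so the parser works on strace output from any locale, including the French messages in the trace above.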

odedshimon commented 1 year ago

Thank you @sbrun, @Limpem. This is very helpful. That might be a change needed in SharpPcap - a major framework BruteShark is using. I'm currently on a vacation until mid November, I will try to investigate it when I will be back.

UnknownSilicon commented 6 months ago

Any updates on this? Still seems to be an issue on the latest version

Affenselfie commented 6 months ago

As @odedshimon suggested, an update in SharpPcap might be necessary. Therefore, I updated the following solution files:

What I updated was the package reference from SharpPcap 6.0.0 to SharpPcap 6.3.0:

<PackageReference Include="SharpPcap" Version="6.3.0" />

Under Linux, I was able to build the BruteSharkCli. First, I removed the BruteSharkDesktop solution (it's a Windows app) and then I ran:

dotnet publish -c Release -r linux-x64

That resulted in a successful build on the latest Arch Linux. The BruteSharkCli is not quitting with an error anymore:

➜  /tmp ~/Software/bruteshark/BruteSharkCli -m Credentials -i ./test-dump.pcapng
[+] Start analyzing 1 files
[+] Start processing file : test-dump.pcapng
[+] Finished processing file : test-dump.pcapng
[+] BruteShark finished processing

How could we further test my "fix" to implement it later into BruteShark?

odedshimon commented 5 months ago

@Affenselfie Thank you for validating the hypothesis about the SharpPcap version! Nice work!

I need to bump the version at the source code, compile a new version and publish it as a new release. Hopefully I will get to it soon.