Friday, October 09, 2009

Installing httpry in Backtrack 4

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.

What can you do with it? Here are a few ideas:
* See what users on your network are requesting online
* Check for proper server configuration (or improper, as the case may be)
* Research patterns in HTTP usage
* Watch for dangerous downloaded files
* Verify the enforcement of HTTP policy on your network
* Extract HTTP statistics out of saved capture files
* It's just plain fun to watch in realtime


Download httpry from this site:
root@zaha-desktop:~# wget http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
--2009-10-09 22:45:48-- http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz
Resolving dumpsterventures.com... 198.107.5.17
Connecting to dumpsterventures.com|198.107.5.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44995 (44K) [application/x-tgz]
Saving to: `httpry-0.1.5.tar.gz'

100%[===================================================>] 44,995 39.3K/s in 1.1s

2009-10-09 22:45:50 (39.3 KB/s) - `httpry-0.1.5.tar.gz' saved [44995/44995]



After downloading, extract it:
root@zaha-desktop:~#
root@zaha-desktop:~# tar -xzvf httpry-0.1.5.tar.gz
httpry-0.1.5/
httpry-0.1.5/format.h
httpry-0.1.5/format.c
httpry-0.1.5/error.h
httpry-0.1.5/utility.c
httpry-0.1.5/Makefile
httpry-0.1.5/build/
httpry-0.1.5/build/httpry.spec
httpry-0.1.5/scripts/
httpry-0.1.5/scripts/parse_log.pl
httpry-0.1.5/scripts/perl-tools
httpry-0.1.5/scripts/plugins/
httpry-0.1.5/scripts/plugins/db_dump.mysql
httpry-0.1.5/scripts/plugins/find_proxies.pm
httpry-0.1.5/scripts/plugins/db_dump.cfg
httpry-0.1.5/scripts/plugins/content_analysis.pm
httpry-0.1.5/scripts/plugins/hostnames.pm
httpry-0.1.5/scripts/plugins/tokenize.pm
httpry-0.1.5/scripts/plugins/search_terms.pm
httpry-0.1.5/scripts/plugins/find_proxies.cfg
httpry-0.1.5/scripts/plugins/log_summary.pm
httpry-0.1.5/scripts/plugins/xml_output.css
httpry-0.1.5/scripts/plugins/hostnames.cfg
httpry-0.1.5/scripts/plugins/xml_output.pm
httpry-0.1.5/scripts/plugins/common_log.pm
httpry-0.1.5/scripts/plugins/xml_output.cfg
httpry-0.1.5/scripts/plugins/db_dump.pm
httpry-0.1.5/scripts/plugins/content_analysis.cfg
httpry-0.1.5/scripts/plugins/tokenize.cfg
httpry-0.1.5/scripts/plugins/search_terms.cfg
httpry-0.1.5/scripts/plugins/common_log.cfg
httpry-0.1.5/scripts/plugins/sample_plugin.pm
httpry-0.1.5/scripts/plugins/log_summary.cfg
httpry-0.1.5/methods.h
httpry-0.1.5/tcp.h
httpry-0.1.5/doc/
httpry-0.1.5/doc/ChangeLog
httpry-0.1.5/doc/method-string
httpry-0.1.5/doc/README
httpry-0.1.5/doc/COPYING
httpry-0.1.5/doc/format-string
httpry-0.1.5/doc/perl-tools
httpry-0.1.5/httpry.c
httpry-0.1.5/rc.httpry
httpry-0.1.5/README
httpry-0.1.5/httpry.1
httpry-0.1.5/config.h
httpry-0.1.5/utility.h
httpry-0.1.5/methods.c
httpry-0.1.5/test/
httpry-0.1.5/test/callgrind
httpry-0.1.5/test/massif
httpry-0.1.5/test/valgrind
httpry-0.1.5/test/format-names
root@zaha-desktop:~# cd httpry-0.1.5
root@zaha-desktop:~/httpry-0.1.5# ls
build doc format.c httpry.1 Makefile methods.h README tcp.h utility.c
config.h error.h format.h httpry.c methods.c rc.httpry scripts test utility.h
root@zaha-desktop:~/httpry-0.1.5#



After extracting, read the README for instructions on installing and using httpry:
root@zaha-desktop:~/httpry-0.1.5# less README
root@zaha-desktop:~/httpry-0.1.5#


After reading the documentation, you can build and install it:
root@zaha-desktop:~/httpry-0.1.5# make
gcc -Wall -O3 -funroll-loops -I/usr/include/pcap -I/usr/local/include/pcap -o httpry httpry.c format.c methods.c utility.c -lpcap
root@zaha-desktop:~/httpry-0.1.5# make install
--------------------------------------------------
Installing httpry into /usr/sbin/
You can move the Perl scripts and other tools to
a location of your choosing manually
--------------------------------------------------
cp -f httpry /usr/sbin/
cp -f httpry.1 /usr/man/man1/ || cp -f httpry.1 /usr/local/man/man1/
root@zaha-desktop:~/httpry-0.1.5#



Running httpry (httpry -h shows you how to use it):
root@zaha-desktop:~# httpry -i eth0 -o /home/zahar/zahar.txt
httpry version 0.1.5 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2009 Jason Bittel
Starting capture on eth0 interface
Writing output to file: /home/zahar/zahar.txt
^CCaught SIGINT, shutting down...
216 packets received, 0 packets dropped, 40 http packets parsed
563.5 packets/min, 104.3 http packets/min
root@zaha-desktop:~#



When you open that file, you can see the HTTP traffic of the websites you have visited:
root@zaha-desktop:~# cd /home/zahar/
root@zaha-desktop:/home/zahar# ls
zahar.txt
root@zaha-desktop:/home/zahar# cat zahar.txt
# httpry version 0.1.5
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2009-10-09 23:07:07 69.63.176.193 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:07 192.168.1.2 69.63.176.193 > GET 0.channel33.facebook.com /x/2319999860/false/p_1560360253=1 HTTP/1.1 - -
2009-10-09 23:07:16 192.168.1.2 74.125.153.95 > GET ajax.googleapis.com /ajax/services/search/web?v=1.0&rsz=large&q=http%3A%2F%2Fwww.lifedork.net%2F HTTP/1.1 - -
2009-10-09 23:07:16 74.125.153.95 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:17 192.168.1.2 174.120.81.182 > GET www.lifedork.net / HTTP/1.1 - -
2009-10-09 23:07:17 174.120.81.182 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:18 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /js/infolinks_main.js HTTP/1.1 - -
2009-10-09 23:07:19 72.21.91.20 192.168.1.2 < - - - HTTP/1.1 304 Not Modified
2009-10-09 23:07:19 192.168.1.2 72.14.203.101 > GET www.google-analytics.com /__utm.gif?utmwv=4.5.7&utmn=84770406&utmhn=www.lifedork.net&utmcs=UTF-8&utmsr=1024x768&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&utmhid=1381620066&utmr=-&utmp=%2F&utmac=UA-2655140-3&utmcc=__utma%3D41342143.642009118.1255096268.1255096268.1255099260.2%3B%2B__utmz%3D41342143.1255096273.1.1.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dusing%2520Backtrack%25204%2520SQL%2520injection%3B HTTP/1.1 - -
2009-10-09 23:07:19 72.14.203.101 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:19 192.168.1.2 76.74.254.120 > GET stats.wordpress.com /g.gif?host=www.lifedork.net&rand=0.41899971236858347&blog=1730697&v=ext&post=0&ref= HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 174.120.81.182 > GET www.lifedork.net /page/2 HTTP/1.1 - -
2009-10-09 23:07:19 192.168.1.2 67.202.0.15 > GET router.infolinks.com /gsd/1255100950684?callback=resourcesCallback&pid=15399&wsid=0&pdom=www.lifedork.net HTTP/1.1 - -
2009-10-09 23:07:19 76.74.254.120 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 67.202.0.15 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 192.168.1.2 72.21.91.20 > GET resources.infolinks.com /flash/request_manager_i18n.swf HTTP/1.1 - -
2009-10-09 23:07:20 192.168.1.2 58.27.186.106 > GET b.scorecardresearch.com /b?c1=8&c2=6416591&rn=0.4555189644582066&c7=http%3A%2F%2Fwww.lifedork.net%2F&c3=3113409433781933211&c4=&c5=&c6=&c15=&c16=&c8=Lifedork%20-%20still%20geeX%20%3F%20still%20suX%20!&c9=&cv=1.6 HTTP/1.1 - -
2009-10-09 23:07:20 174.120.81.182 192.168.1.2 < - - - HTTP/1.1 200 OK
2009-10-09 23:07:20 58.27.186.106 192.168.1.2 < - - - HTTP/1.1 204 No Content
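The log above is httpry's default tab-separated format: a `# Fields:` header naming the ten columns, then one line per request (direction `>`) or response (direction `<`), with `-` in any column that does not apply. As an added example (my own code, not part of httpry or of this post), here is a small Python parser for that format that builds the kind of summary the "What can you do with it" list describes: which hosts clients requested, which status codes came back, and a flag for downloads of executable file types, which is one way to "watch for dangerous downloaded files". The sample log is constructed for the example (modelled on the lines above, with an invented host `files.example.test` and the documentation address `203.0.113.9`), and the list of flagged extensions is an assumption you would tune for your own network.

```python
"""Parse httpry's default log output and summarise it.

Added example, not part of httpry: reads the tab-separated format shown
on the page ('# Fields:' header, then one line per request or response)
and reports hosts requested, status codes seen, and executable downloads.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the page's output (tab-separated
# fields; '-' marks a column that does not apply to that line).
SAMPLE_LOG = """# httpry version 0.1.5
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2009-10-09 23:07:17\t192.168.1.2\t174.120.81.182\t>\tGET\twww.lifedork.net\t/\tHTTP/1.1\t-\t-
2009-10-09 23:07:17\t174.120.81.182\t192.168.1.2\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2009-10-09 23:07:18\t192.168.1.2\t72.21.91.20\t>\tGET\tresources.infolinks.com\t/js/infolinks_main.js\tHTTP/1.1\t-\t-
2009-10-09 23:07:19\t72.21.91.20\t192.168.1.2\t<\t-\t-\t-\tHTTP/1.1\t304\tNot Modified
2009-10-09 23:07:30\t192.168.1.2\t203.0.113.9\t>\tGET\tfiles.example.test\t/tools/setup.exe?x=1\tHTTP/1.1\t-\t-
2009-10-09 23:07:31\t203.0.113.9\t192.168.1.2\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
"""

# The ten default field names, as printed in httpry's '# Fields:' header.
FIELD_ORDER = ["timestamp", "source-ip", "dest-ip", "direction", "method", "host",
               "request-uri", "http-version", "status-code", "reason-phrase"]

# Assumed list of file types worth flagging when a client fetches them.
SUSPECT_EXTENSIONS = (".exe", ".scr", ".msi", ".dll", ".bat")


@dataclass
class Record:
    timestamp: str
    source_ip: str
    dest_ip: str
    direction: str      # '>' client request, '<' server response
    method: str
    host: str
    request_uri: str
    http_version: str
    status_code: str
    reason_phrase: str


def parse_httpry(text: str) -> List[Record]:
    """Parse httpry's default tab-separated output into Record objects.

    The '# Fields:' header is honoured, so the columns may appear in any
    order as long as all ten default names are present. Lines with the
    wrong column count are skipped rather than misaligned.
    """
    fields = FIELD_ORDER
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("# Fields:"):
                fields = line[len("# Fields:"):].strip().split(",")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        row = dict(zip(fields, cols))
        try:
            records.append(Record(**{k.replace("-", "_"): row[k] for k in FIELD_ORDER}))
        except KeyError:
            continue  # a custom format missing one of the default fields
    return records


def pair_requests(records: List[Record]) -> List[Tuple[Record, Optional[Record]]]:
    """Match each request to the next response between the same client and
    server, in log order; a request with no response seen gets None."""
    pending: Dict[Tuple[str, str], deque] = defaultdict(deque)
    pairs: List[Tuple[Record, Optional[Record]]] = []
    for r in records:
        if r.direction == ">":
            pending[(r.source_ip, r.dest_ip)].append(len(pairs))
            pairs.append((r, None))
        elif r.direction == "<":
            queue = pending[(r.dest_ip, r.source_ip)]  # (client, server)
            if queue:
                i = queue.popleft()
                pairs[i] = (pairs[i][0], r)
    return pairs


def summarise(records: List[Record]) -> dict:
    """Hosts requested, status codes returned, and executable downloads that
    the server actually served (2xx) or whose response was not captured."""
    hosts = Counter(r.host for r in records if r.direction == ">")
    statuses = Counter(r.status_code for r in records if r.direction == "<")
    flagged = []
    for req, resp in pair_requests(records):
        path = req.request_uri.split("?", 1)[0].lower()  # drop the query string
        if path.endswith(SUSPECT_EXTENSIONS) and (resp is None or resp.status_code.startswith("2")):
            flagged.append((req.source_ip, req.host, path))
    return {"hosts": hosts, "statuses": statuses, "flagged": flagged}


if __name__ == "__main__":
    summary = summarise(parse_httpry(SAMPLE_LOG))
    for host, n in summary["hosts"].most_common():
        print(f"{n:4d}  {host}")
    print("status codes:", dict(summary["statuses"]))
    for client, host, path in summary["flagged"]:
        print(f"executable download: {client} fetched {path} from {host}")
```

To run it over a real capture, replace `SAMPLE_LOG` with the contents of the output file (`/home/zahar/zahar.txt` in the post). Requests and responses are paired by client/server address in log order, which is why the script reads the whole file rather than one line at a time; a response logged before its request (as with the long-polling Facebook channel line at the top of the post's log) simply goes unmatched.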



I'm not an expert in analysis; I hope you all can test this tool.

2 comments:

namesnaw said...

I would say Wireshark/tcpdump are still the best tools for preserving the logs (since when you're dealing with the law thingy)

--semey

Johncrackernet said...

Yup boss.... it really can't beat tcpdump/wireshark...