fluffy

Network Archaeology tools for Unix
git clone https://git.woozle.org/neale/fluffy.git
Add bubblebabble
26949ae
Neale Pickett  ·  2024-03-28

README.md

  1The Fluffy Suite
  2============
  3
  4Fluffy was begun in April 2011 in Tennessee,
  5as a replacement for the aging "dirtbags.ip" codebase.
  6It is comprised of multiple small standalone binaries,
  7which are meant to be chained together,
  8either on the command-line or from a shell script,
  9to create a more powerful (and specific) piece of software.
 10
 11Usually, a program expects input on stdin,
 12and produces output on stdout.
 13Flags are sparse by design.
 14
 15Fluffy source code is purposefully spartan and easy to audit.
 16Forks are encouraged,
 17please let me know if you make one.
 18
 19
 20How To Build And Install
 21============
 22
 23Ubuntu
 24-------
 25
 26    sudo apt install build-essential
 27    curl -L https://github.com/dirtbags/fluffy/archive/master.tar.gz | tar xzvf -
 28    cd fluffy-master
 29    make
 30    sudo make DESTDIR=/usr/local install
 31
 32Red Hat
 33-------
 34
 35    yum groupinstall 'Development Tools'
 36    curl -L https://github.com/dirtbags/fluffy/archive/master.tar.gz | tar xzvf -
 37    cd fluffy-master
 38    make
 39    sudo make DESTDIR=/usr/local install
 40
 41
 42How To Uninstall
 43============
 44
 45    make DESTDIR=/usr/local uninstall
 46
 47
 48Forks and Packages
 49==================
 50
 51## Ubuntu
 52
 53pi-rho, a network archaeology instructor,
 54has forked these tools,
 55added command-line options,
 56manual pages,
 57and packaged them for Ubuntu.
 58
 59This fork is mostly compatible with these tools,
 60but there are a few subtle differences.
 61If you are installing these for Cyber Fire,
 62you should probably stick with a source install.
 63
 64[pi-rho's packages](https://launchpad.net/~pi-rho/+archive/ubuntu/security)
 65
 66## Arch Linux
 67
 68The AUR package [`fluffy-git`](https://aur.archlinux.org/packages/fluffy-git/)
 69builds against the latest revision and installs it to `/usr/bin`.
 70This was packaged by Cyber Fire attendee AGausmann.
 71Thanks!
 72
 73
 74Programs
 75========
 76
 77## hd: Hex Dump
 78
 79Like the normal hd,
 80but with unicode characters to represent all 256 octets,
 81instead of using "." for unprintable characters.
 82
 83    $ printf "\0\x01\x02\x03\x30\x52\x9a" | hd
 84    00000000  00 01 02 03 30 52 9a                              ·☺☻♥0RÜ
 85    00000007
 86
 87Also like the normal hd,
 88this one will print an ellipsis if the preceding 16 octets are repeated.
 89Use the offset printed next to determine how many repeats you have.
 90
 91    $ printf '%64s' hello | hd
 92    00000000  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
 93 94    00000030  20 20 20 20 20 20 20 20  20 20 20 68 65 6c 6c 6f             hello
 95    00000040
 96
 97You can disable this with `-v`
 98
 99    $ printf '%64s' hello | hd -v
100    00000000  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
101    00000010  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
102    00000020  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20                  
103    00000030  20 20 20 20 20 20 20 20  20 20 20 68 65 6c 6c 6f             hello
104    00000040
105
106## unhex: unescape hex
107
108Reads octet hex codes on stdin,
109writes those octets to stdout.
110
111    $ echo 68 65 6c 6c 6f 0a | unhex
112    hello
113
114## undec: unescape decimal
115
116Reads octet decimal codes on stdin,
117writes those octets to stdout.
118
119    $ echo 104 101 108 108 111 10 | undec
120    hello
121
122## unoct: unescape octal
123
124Reads octet octal codes on stdin,
125writes those octets to stdout.
126
127    $ echo 150 145 154 154 157 012 | unoct 
128    hello
129
130## xor: xor octets
131
132Applies the given mask as an xor to input.
133The mask will be repeated,
134so for a 1-value mask, every octet is xored against that value.
135For a 16-value mask, the mask is applied to 16-octet chunks at a time.
136
137The "-x" option treats values as hex.
138
139    $ printf 'hello' | xor 22; echo
140    ~szzy
141    $ printf 'hello' | xor 0x16; echo
142    ~szzy
143    $ printf 'hello' | xor -x 16; echo
144    ~szzy
145    $ printf 'bbbbbb' | xor 1 0; echo
146    cbcbcb
147    $ printf 'bbbbbb' | xor -x a b; echo
148    hihihi
149
150
151## slice: slice octet stream
152
153Slices up input octet stream,
154similar to Python's slice operation.
155
156    $ printf '0123456789abcdef' | slice 2; echo
157    23456789abcdef
158    $ printf '0123456789abcdef' | slice 2 6; echo
159    2345
160    $ printf '0123456789abcdef' | slice 2 6 8; echo
161    234589abcdef
162    $ printf '0123456789abcdef' | slice 2 6 8 0xa
163    234589
164
165
166## pcat: print text representation of pcap file
167
168Prints a (lossy) text representation of a pcap file to stdout.
169
170This program is the keystone of the Fluffy Suite.
171By representing everything as text,
172programmers can use any number of standard Unix text processing tools,
173such as sed, awk, cut, grep, or head.
174
175Output is tab-separated, of the format:
176
177    timestamp protocol src dst options payload
178
179Frequently you are only interested in the payload,
180so you can run pcat like:
181
182    $ cat myfile.pcap | pcat | cut -f 6
183
184Remember the `unhex` program,
185which will convert payloads to an octet stream,
186after you have done any maniuplations you want.
187
188
189## pmerge: merge pcap files
190
191Takes a list of pcap files, assuming they are sorted by time
192(you would have to work hard to create any other kind),
193and merges them into a single sorted output.
194
195
196## puniq: omit repeated frames
197
198Removes duplicate frames from input,
199writing to output.
200
201
202## hex: hex-encode input
203
204The opposite of `unhex`:
205encoding all input into a single output line.
206
207This differs from `hexdump` in the following ways:
208
209* All input is encoded into a single line of output
210* Does not output offsets
211* Does not output glyph representations of octets
212
213In other words: you can feed `hex` output into `unhex` with no manipulations.
214
215    $ printf "hello\nworld\n" | hex
216    68 65 6c 6c 6f 0a 77 6f  72 6c 64 0a
217    $ printf A | hex
218    41
219
220
221## entropy: compute shannon entropy
222
223Displays the Shannon entropy of the input.
224
225    $ echo -n a | ./entropy
226    0.000000
227    $ echo -n aaaaaaaaa | ./entropy
228    0.000000
229    $ echo -n aaaaaaaaab | ./entropy
230    0.468996
231    $ echo -n aaaaaaaaabc | ./entropy
232    0.865857
233
234
235## printy: show density of printable octets
236
237Displays the number of printable octets
238divided by the total number of octets.
239
240    $ echo -n abcd | ./printy
241    1.000000
242    $ echo abcd | ./printy   # Newline is not printable
243    0.800000
244    $ echo 00 41 | ./unhex | ./printy
245    0.500000
246
247
248## pyesc: python escape input
249
250Escapes input octets for pasting into a python "print" statement.
251Also suitable for use as a C string,
252a Go string,
253and many other languages' string literals.
254
255    $ printf "hello\nworld\n" | pyesc
256    hello\nworld\n
257
258
259## octets: display all octets
260
261Shows all octets from `00` to `ff` in a hex dump.
262This is occasionally more helpful than `man ascii`.
263
264    $ octets
265    00000000  00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f  ·☺☻♥♦♣♠•◘○◙♂♀♪♫☼
266    00000010  10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f  ⏵⏴↕‼¶§‽↨↑↓→←∟↔⏶⏷
267    00000020  20 21 22 23 24 25 26 27  28 29 2a 2b 2c 2d 2e 2f   !"#$%&'()*+,-./
268    00000030  30 31 32 33 34 35 36 37  38 39 3a 3b 3c 3d 3e 3f  0123456789:;<=>?
269    00000040  40 41 42 43 44 45 46 47  48 49 4a 4b 4c 4d 4e 4f  @ABCDEFGHIJKLMNO
270    00000050  50 51 52 53 54 55 56 57  58 59 5a 5b 5c 5d 5e 5f  PQRSTUVWXYZ[\]^_
271    00000060  60 61 62 63 64 65 66 67  68 69 6a 6b 6c 6d 6e 6f  `abcdefghijklmno
272    00000070  70 71 72 73 74 75 76 77  78 79 7a 7b 7c 7d 7e 7f  pqrstuvwxyz{|}~⌂
273    00000080  80 81 82 83 84 85 86 87  88 89 8a 8b 8c 8d 8e 8f  ÇüéâäàåçêëèïîìÄÅ
274    00000090  90 91 92 93 94 95 96 97  98 99 9a 9b 9c 9d 9e 9f  ÉæÆôöòûùÿÖÜ¢£¥₧ƒ
275    000000a0  a0 a1 a2 a3 a4 a5 a6 a7  a8 a9 aa ab ac ad ae af  áíóúñѪº¿⌐¬½¼¡«»
276    000000b0  b0 b1 b2 b3 b4 b5 b6 b7  b8 b9 ba bb bc bd be bf  ░▒▓│┤╡╢╖╕╣║╗╝╜╛┐
277    000000c0  c0 c1 c2 c3 c4 c5 c6 c7  c8 c9 ca cb cc cd ce cf  └┴┬├─┼╞╟╚╔╩╦╠═╬╧
278    000000d0  d0 d1 d2 d3 d4 d5 d6 d7  d8 d9 da db dc dd de df  ╨╤╥╙╘╒╓╫╪┘┌█▄▌▐▀
279    000000e0  e0 e1 e2 e3 e4 e5 e6 e7  e8 e9 ea eb ec ed ee ef  αßΓπΣσµτΦΘΩδ∞φε∩
280    000000f0  f0 f1 f2 f3 f4 f5 f6 f7  f8 f9 fa fb fc fd fe ff  ≡±≥≤⌠⌡÷≈°∞⊻√ⁿ²■¤
281    00000100
282
283## freq: count octet frequencies
284
285For all 256 octets,
286show frequency of each in input.
287
288    $ printf 'hello' | freq
289    1 65 e
290    1 68 h
291    2 6c l
292    1 6f o
293    $ printf 'hello' | freq -a
294    0 00 ·
295    0 01 ☺
296    0 02 ☻
297    0 03 ♥
298    0 04 ♦
299    0 05 ♣
300    0 06 ♠
301    0 07 •
302    0 08 ◘
303    ...
304
305
306## histogram: display histogram for input
307
308Reads the first number of each line, and prints a histogram.
309
310`-d DIVISOR` will divide each bar's width.
311
312    $ echo 'aaaaaaaaAAAAAAAAaaaaaaaa' | freq | histogram
313    0a ◙ # 1
314    41 A ######## 8
315    61 a ################ 16
316    $ echo aaaaaabcccc | freq | histogram
317    0a ◙ # 1
318    61 a ###### 6
319    62 b # 1
320    63 c #### 4
321    $ echo aaaaaabcccc | freq | histogram | sort -nk 4
322    0a ◙ # 1
323    62 b # 1
324    63 c #### 4
325    61 a ###### 6
326
327
328## bubblebabble: print bubblebabble digest of input
329
330Prints a [bubblebabble digest](https://web.mit.edu/kenta/www/one/bubblebabble/spec/jrtrjwzi/draft-huima-01.txt)
331of the input.
332
333This is a *digest*, not a *hash*:
334it can be reversed.
335If you write `unbubblebabble` before I do,
336please send it to me :)
337
338    $ printf '' | bubblebabble
339    xexax
340    $ printf 1234567890 | bubblebabble
341    xesef-disof-gytuf-katof-movif-baxux
342    $ printf Pineapple | bubblebabble
343    xigak-nyryk-humil-bosek-sonax
344
345
346
347Example Recipes
348===============
349
350
351## Brute force single-byte xor
352
353    for i in $(seq 255); do cat data | xor $i; done
354
355
356## Pretty xor brute force
357
358For each attempt, display the value used in the xor, and hexdump the result
359
360    for i in $(seq 255); do printf "=== %02x\n" $i; cat data | xor $i | hd; done
361
362
363## Brute force xor of base64-encoded data
364
365Same pretty-print as before, and also pipe to `less` so we can page through it.
366
367    for i in $(seq 255); do
368      printf "=== %02x\n" $i; cat data.txt | base64 -d | xor $i | hd
369    done | less
370
371 
372## Protocol manipulation
373
374For each ICMP packet, drop the first 5 octets, and base64-decode the remainder, preserving conversation chunks
375
376    cat input.pcap | pcat | grep ICMP | while read ts proto src dst payload; do
377      printf "%s -> %s (%s)\n" $src $dst $ts
378      echo $payload | unhex | slice 5 | base64 -d | hd
379    done
380
381
382## Elementary protocol analysis framework
383
384This merges (by time) `file1.pcap` and `file2.pcap`,
385decoding payloads from each one,
386hex dumping payloads,
387and displaying meta information about each.
388It displays information conversationally,
389sort of like wireshark's "Follow TCP Stream",
390but with more details about meta-information.
391
392    ./pmerge file1.pcap file2.pcap | ./pcat | while read ts proto src dst payload; do
393        when=$(TZ=Z date -d @${ts%.*} "+%Y-%m-%d %H:%M:%S")
394        printf "Packet %s None: None\n" $proto
395        printf "    %s -> %s (%s)\n" ${src%,*} ${dst%,*} "$when"
396        echo $payload | ./unhex | ./hd
397        echo
398    done