Re: sniffing X traffic.

From: Mike Craik (bovine@btinternet.com)
Date: 08/13/01


Message-ID: <3B77283D.132D3B04@btinternet.com>
Date: Mon, 13 Aug 2001 02:07:09 +0100
From: Mike Craik <bovine@btinternet.com>
To: Power Steve <steve.power@barclaycard.co.uk>, "'PEN-TEST@securityfocus.com'" <PEN-TEST@securityfocus.com>
Subject: Re: sniffing X traffic.

Power Steve wrote:
>
> Anyone know if you can meaningfully sniff Exceed (I guess it's the same as
> X) traffic? I'm being a bit lame, my personal test lab is down atm, and I
> can't find anything on the net re sniffing and interpreting X traffic.

You can have quite a bit of 'fun' with X11.

i.e.

If someone is running an unprotected X server - not using MIT Magic Cookies
or xhost authentication properly for example (they have issued 'xhost +'
...) - then you can easily grab a screenshot of their X display
(remotely).

Grab:

/usr/X/bin/xwd x11user.victum.com:0 -root -out /tmp/i_can_see_you.dmp

(:0 indicates the first X display - this listens on port 6000, :1 would
be port 6001 etc.)

View:

/usr/X/bin/xwud -in /tmp/i_can_see_you.dmp

Out of the box, the Exceed X11 server places no restrictions on remote
connections... :-(

xspy - http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html - can be
used to capture keystrokes from an X server. You don't need much of an
imagination to realize what sort of thing it can be used for :-).

Pretty much any packet sniffer can grab X11 packets. AFAIK dsniff will
sniff MIT Magic cookies.

Cheers,
Mike.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
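
Added example, not part of the original message: a small audit for the two exposures the reply describes, disabled host access control ('xhost +') and an X server reachable over TCP on port 6000 + display number. The function names, the sample inputs (constructed, not captured) and the 6000-6063 port range are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for an X server's exposure. Inputs are the text output of
# `xhost` and `ss -ltn`; the samples below are constructed for illustration.

# stdin: `xhost` output. Succeeds if access control is off ('xhost +' was run).
xhost_open() {
    grep -qi '^access control disabled'
}

# stdin: `ss -ltn` output. Prints ":display port address" for every TCP
# listener in the X11 range (assumed 6000-6063) not bound to loopback.
x11_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, p, ":")          # port is the field after the last colon
        port = p[n] + 0
        host = substr(addr, 1, length(addr) - length(p[n]) - 1)
        if (port < 6000 || port > 6063) next
        if (host ~ /^127\./ || host == "[::1]") next   # local-only listener
        printf ":%d %d %s\n", port - 6000, port, host
    }'
}

# $1 = xhost output, $2 = ss output. Prints findings; returns 1 if any exist.
audit() {
    rc=0
    if printf '%s\n' "$1" | xhost_open; then
        echo "FINDING: xhost access control is disabled"
        rc=1
    fi
    found=$(printf '%s\n' "$2" | x11_listeners)
    if [ -n "$found" ]; then
        echo "FINDING: X11 reachable over TCP:"
        echo "$found"
        rc=1
    fi
    return $rc
}

# Constructed sample data.
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000    0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010  0.0.0.0:*
LISTEN 0      128    [::]:6001       [::]:*'

audit "$SAMPLE_XHOST_OPEN" "$SAMPLE_SS" || true
```

On a live host, feed the functions real output: `xhost | xhost_open` and `ss -ltn | x11_listeners`. Where remote X clients are not needed, starting the X server with `-nolisten tcp` removes the TCP listener entirely.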


