odedshimon / BruteShark

Network Analysis Tool

BruteSharkCLI will fail on pcap files when running on Ubuntu 22.04 LTS

Limpem opened this issue · comments

BruteSharkCLI will fail on processing pcap files when running on the 22.04 LTS release on Ubuntu (20.04 seems to work fine):

./BruteSharkCli -i Pcap_Examples/Ftp.pcap -m Credentials -o Example
[+] Start analyzing 1 files
[+] Start processing file : Ftp.pcap
ERROR: Failed to process file : Ftp.pcap
[+] Successfully exported extracted files to: Demo/Files
[+] BruteShark finished processing

@Limpem
Thank you for reporting this.

  1. Are you sure you have read privileges for this file?
  2. Can you run it in debug mode (e.g. using VS Code) and share the exception?

Thank you for looking into this. To answer your questions:

  1. Yes (I am using the Ftp.pcap found in the examples folder)
  2. When I use debug-mode (./BruteSharkCli --debug) on 20.04:
    Brute-Shark > add-file Ftp.pcap
    Brute-Shark > start
    [+] Packets Analyzed: 38, TCP: 38 UDP: 0
    [+] TCP Sessions Analyzed: 3 UDP Streams Analyzed: 0
    [+] Passwords Found: 1
    [+] Hashes Found: 0
    [+] Network Connections Found: 6
    Brute-Shark > show-passwords
    NetworkPassword:
    ┌──────────┬──────────┬──────────┬───────────────┬───────────────┐
    │ Username │ Password │ Protocol │ Source │ Destination │
    ├──────────┼──────────┼──────────┼───────────────┼───────────────┤
    │ csanders │ echo │ FTP │ 192.168.0.114 │ 192.168.0.193 │
    └──────────┴──────────┴──────────┴───────────────┴───────────────┘

When I do the same thing on 22.04:
Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬────────┬─────────────┐
│ Username │ Password │ Protocol │ Source │ Destination │
├──────────┼──────────┼──────────┼────────┼─────────────┤
└──────────┴──────────┴──────────┴────────┴─────────────┘

So it doesn't seem to do anything after running the start command.
libpcap is installed on both, but it seems 22.04 is using a newer version.

libpcap on 20.04:
libpcap-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8/focal,now 1.9.1-3 amd64 [installed]

libpcap on 22.04:
libpcap-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8/jammy,now 1.10.1-4build1 amd64 [installed]

Hello
We have the same issue in Kali / Debian. It appeared with the latest version of the libc in Debian. I ran the command with strace to debug the issue.
Here is the relevant part I think:

openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
futex(0x7f51fb7971f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
mprotect(0x7f518233e000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f518234f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x7f518233f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d1000, 4096, PROT_READ|PROT_WRITE) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698)           = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
write(1, "\33[39;49m", 8)               = 8
write(1, "\33[91m", 5)                  = 5
write(41, "ERROR: Failed to process file : "..., 41ERROR: Failed to process file : Ftp.pcap
) = 41

brutesharkcli is looking for libdl.so but it does not exist anymore, the libdl has been merged in the libc:
https://sourceware.org/glibc/wiki/Release/2.34#Libraries_merged_into_libc

I fixed the issue in Kali with a symlink: /usr/lib/brutesharkcli/libdl.so -> /lib/x86_64-linux-gnu/libdl.so.2
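The diagnosis in the comment above can be automated. This is an added example, not part of the original thread or of BruteShark: it reads strace output and lists library names that were probed but never opened on any search path. The function names `missing_libs` and `sample_trace` are hypothetical, and the sample trace is constructed: the `libdl` lines follow the format shown above, while the `libpcap.so` lines are assumed for contrast.

```shell
#!/usr/bin/env bash
# Added example: find shared libraries a traced process looked for but never found.

# Reads strace output on stdin and prints each lib* basename that only ever
# returned ENOENT, i.e. no search path produced a successful openat().
missing_libs() {
  awk '
    /openat\(/ {
      # Pull out the quoted path argument of the openat() call.
      if (match($0, /"[^"]+"/) == 0) next
      path = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(path, parts, "/")
      base = parts[n]
      # Skip non-library opens such as /etc/ld.so.cache.
      if (base !~ /^lib/) next
      if ($0 ~ /\) = -1 ENOENT/)  miss[base]++    # probe failed on this path
      else if ($0 ~ /\) = [0-9]+/) hit[base] = 1  # resolved on some path
    }
    END {
      for (b in miss) if (!(b in hit)) print b
    }
  ' | LC_ALL=C sort
}

# Constructed sample trace (not captured from a real run).
sample_trace() {
  cat <<'EOF'
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libpcap.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libpcap.so", O_RDONLY|O_CLOEXEC) = 54
EOF
}

# libpcap.so is resolved on its second path, so only the libdl variants are reported.
sample_trace | missing_libs
```

On a real trace, pipe the strace output file into `missing_libs` instead of `sample_trace`.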

Thank you @sbrun, @Limpem
This is very helpful.
That might be a change needed in SharpPcap - a major framework BruteShark is using.
I'm currently on vacation until mid-November; I will try to investigate it when I am back.

Any updates on this? Still seems to be an issue on the latest version

As @odedshimon suggested, an update in SharpPcap might be necessary. Therefore, I updated the following solution files:

  • BruteShark/PcapProcessor/PcapProcessor.csproj
  • BruteShark/PcapProcessorTest/PcapProcessorTest.csproj

What I updated was the package reference from SharpPcap 6.0.0 to SharpPcap 6.3.0:
<PackageReference Include="SharpPcap" Version="6.3.0" />

Under Linux, I was able to build the BruteSharkCli. First, I removed the BruteSharkDesktop solution (it's a Windows app) and then I ran:
dotnet publish -c Release -r linux-x64

That resulted in a successful build on the latest Arch Linux. The BruteSharkCli is not quitting with an error anymore:

➜  /tmp ~/Software/bruteshark/BruteSharkCli -m Credentials -i ./test-dump.pcapng
[+] Start analyzing 1 files
[+] Start processing file : test-dump.pcapng
[+] Finished processing file : test-dump.pcapng
[+] BruteShark finished processing

How could we further test my "fix" to implement it later into BruteShark?

@Affenselfie
Thank you for validating the hypothesis about the SharpPcap version! Nice work!

I need to bump the version in the source code, compile a new version and publish it as a new release.
Hopefully I will get to it soon.