BruteSharkCLI will fail on pcap files when running on Ubuntu 22.04 LTS
Limpem opened this issue · comments
BruteSharkCLI will fail on processing pcap files when running on the 22.04 LTS release on Ubuntu (20.04 seems to work fine):
./BruteSharkCli -i Pcap_Examples/Ftp.pcap -m Credentials -o Example
[+] Start analyzing 1 files
[+] Start processing file : Ftp.pcap
ERROR: Failed to process file : Ftp.pcap
[+] Successfully exported extracted files to: Demo/Files
[+] BruteShark finished processing
@Limpem
Thank you for reporting this.
- Are you sure you have read privileges for this file?
- Can you run it in debug mode (e.g. using VS Code) and share the exception?
Thank you for looking into this. To answer your questions:
- Yes (I am using the Ftp.pcap found in the examples folder)
- When I use debug-mode (./BruteSharkCli --debug) on 20.04:
Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
[+] Packets Analyzed: 38, TCP: 38 UDP: 0
[+] TCP Sessions Analyzed: 3 UDP Streams Analyzed: 0
[+] Passwords Found: 1
[+] Hashes Found: 0
[+] Network Connections Found: 6
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬───────────────┬───────────────┐
│ Username │ Password │ Protocol │ Source │ Destination │
├──────────┼──────────┼──────────┼───────────────┼───────────────┤
│ csanders │ echo │ FTP │ 192.168.0.114 │ 192.168.0.193 │
└──────────┴──────────┴──────────┴───────────────┴───────────────┘
When I do the same thing on 22.04:
Brute-Shark > add-file Ftp.pcap
Brute-Shark > start
Brute-Shark > show-passwords
NetworkPassword:
┌──────────┬──────────┬──────────┬────────┬─────────────┐
│ Username │ Password │ Protocol │ Source │ Destination │
├──────────┼──────────┼──────────┼────────┼─────────────┤
└──────────┴──────────┴──────────┴────────┴─────────────┘
So it doesn't seem to do anything after running the start command.
libpcap is installed on both, but it seems 22.04 is using a newer version.
libpcap on 20.04:
libpcap-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8-dev/focal,now 1.9.1-3 amd64 [installed]
libpcap0.8/focal,now 1.9.1-3 amd64 [installed]
libpcap on 22.04:
libpcap-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8-dev/jammy,now 1.10.1-4build1 amd64 [installed]
libpcap0.8/jammy,now 1.10.1-4build1 amd64 [installed]
Hello
We have the same issue in Kali / Debian. It appeared with the latest version of the libc in Debian. I ran the command with strace to debug the issue.
Here is the relevant part I think:
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
futex(0x7f51fb7971f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
mprotect(0x7f518233e000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f518234f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a0000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x7f518233f000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d0000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51823d1000, 4096, PROT_READ|PROT_WRITE) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/libdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
newfstatat(53, "", {st_mode=S_IFREG|0644, st_size=38698, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 38698, PROT_READ, MAP_PRIVATE, 53, 0) = 0x7f51f6610000
close(53) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
openat(AT_FDCWD, "/usr/lib/liblibdl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (Aucun fichier ou dossier de ce type)
munmap(0x7f51f6610000, 38698) = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x7f51822a1000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
write(1, "\33[39;49m", 8) = 8
write(1, "\33[91m", 5) = 5
write(41, "ERROR: Failed to process file : "..., 41ERROR: Failed to process file : Ftp.pcap
) = 41
brutesharkcli is looking for libdl.so but it does not exist anymore, the libdl has been merged in the libc:
https://sourceware.org/glibc/wiki/Release/2.34#Libraries_merged_into_libc
I fixed the issue in Kali with a symlink: /usr/lib/brutesharkcli/libdl.so -> /lib/x86_64-linux-gnu/libdl.so.2
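The strace reading described above, as an added example that is not part of the original comment or of BruteShark: it summarises which library names were probed with openat() and never found, then lists versioned files a symlink could point at. The sample trace lines are constructed, and the libpcap.so entries are an assumption included only to show a lookup that succeeds.

```shell
#!/bin/sh
# Added example (not BruteShark code). Sample lines are constructed; the
# libpcap.so entries are an assumption added to show a successful lookup.

# Print "<name> <failed-probes>" for every lib* file that strace shows being
# probed with openat() and never opened successfully. Reads strace on stdin.
unresolved_libs() {
    awk '
    /openat\(/ && /"[^"]*"/ {
        path = $0
        sub(/^[^"]*"/, "", path)        # drop everything up to the path
        sub(/".*$/, "", path)           # drop everything after it
        n = split(path, parts, "/")
        base = parts[n]
        if (base !~ /^lib/) next        # skip ld.so.cache and other files
        if ($0 ~ /= -1 ENOENT/) failed[base]++
        else if ($0 ~ /= [0-9]+[ \t]*$/) found[base] = 1
    }
    END { for (b in failed) if (!(b in found)) print b, failed[b] }' | sort
}

# List versioned files (libdl.so.2, ...) for an unversioned name in the
# given directories; these are the candidates a symlink could point at.
versioned_candidates() {
    name=$1; shift
    for dir in "$@"; do
        for f in "$dir/$name".[0-9]*; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 53
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/liblibdl.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/brutesharkcli/libpcap.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcap.so", O_RDONLY|O_CLOEXEC) = 54
EOF
}

sample_trace | unresolved_libs | while read -r name count; do
    echo "$name: $count failed probes"
    versioned_candidates "$name" /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
done
```

To use it on a real trace, pipe the strace output file into `unresolved_libs` instead of `sample_trace`.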
Any updates on this? Still seems to be an issue on the latest version
As @odedshimon suggested, an update in SharpPcap might be necessary. Therefore, I updated the following solution files:
- BruteShark/PcapProcessor/PcapProcessor.csproj
- BruteShark/PcapProcessorTest/PcapProcessorTest.csproj
What I updated was the package reference from SharpPcap 6.0.0 to SharpPcap 6.3.0:
<PackageReference Include="SharpPcap" Version="6.3.0" />
Under Linux, I was able to build the BruteSharkCli. First, I removed the BruteSharkDesktop solution (it's a Windows app) and then I ran:
dotnet publish -c Release -r linux-x64
That resulted in a successful build on the latest Arch Linux. The BruteSharkCli is not quitting with an error anymore:
➜ /tmp ~/Software/bruteshark/BruteSharkCli -m Credentials -i ./test-dump.pcapng
[+] Start analyzing 1 files
[+] Start processing file : test-dump.pcapng
[+] Finished processing file : test-dump.pcapng
[+] BruteShark finished processing
How could we further test my "fix" to implement it later into BruteShark?
@Affenselfie
Thank you for validating the hypothesis about the SharpPcap version! Nice work!
I need to bump the version in the source code, compile a new version and publish it as a new release.
Hopefully I will get to it soon.