ettercap-gg - Gadu-Gadu IM ettercap dissector

ABOUT

ettercap-gg is a Gadu-Gadu IM ettercap dissector.

It is a patch for the ettercap sniffer that adds the ability to intercept Gadu-Gadu logins, passwords and messages.

Gadu-Gadu (www.gadu-gadu.pl) is the most widely used IM network in Poland, with about 6 million users.

The protocol description is taken from http://ekg.chmurka.net/docs/protocol.html, supplemented by the author's own research (7.x).

The newest version can be found at http://ettercap-gg.sourceforge.net/

You can find the ettercap source tarball at http://ettercap.sourceforge.net/

Copyright (C) Michal Szymanski michal.szymanski.pl(at)gmail.com

DOWNLOAD

The current version is 0.2, which has been released on 2007/06/15. You can download it from here.

FEATURES

- supports the following Gadu-Gadu protocol versions: 4.x, 5.x, 6.x, 7.x
- intercepts sent/received messages
- intercepts gg numbers, password hashes and seeds (can be brute-forced with ggbrute)
- intercepts status descriptions
- notifies about status changes
- intercepts gg server/client ip addresses
- intercepts gg user's local/remote ip addresses
- intercepts gg connections to ports 8074 and 443
- determines Gadu-Gadu version

EXAMPLE SESSION - version 0.2

ARP poisoning victims:

 GROUP 1 : 10.10.10.11 00:01:20:02:34:21

 GROUP 2 : 10.10.10.1 00:0A:84:D8:28:F5

Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

GG : 217.17.45.143:443 -> 10.10.10.11:1696 - WELCOME  SEED: 0xAD130562 (2903704930)
GG7 : 10.10.10.11:1696 -> 217.17.45.143:443 - LOGIN  UIN: 5114529  PWD_HASH: 0x21D13E38992A341DD33BB52DDFA2382A173A5361  STATUS:  (invisible + private)  VERSION: 7.7  LIP: 10.10.10.11:1550  RIP: 0.0.0.0:0
GG : 10.10.10.11:1706 -> 217.17.45.143:443 - SEND_MSG  RECIPIENT: 7244283  MESSAGE: "wiadomosc testowa"
GG : 217.17.45.143:443 -> 10.10.10.11:1706 - RECV_MSG  SENDER: 7244283  MESSAGE: "dzieki za wiadomosc"
GG7 : 217.17.45.143:443 -> 10.10.10.11:1706 - STATUS CHANGED  UIN: 7244283  STATUS: a swistak siedzi i zawija (busy + descr)  VERSION: 7.6  RIP: 207.46.19.190:1550

GG : 217.17.41.85:8074 -> 10.10.10.11:1685 - WELCOME  SEED: 0x1D66B45F (493270111)
GG4/5 : 10.10.10.11:1685 -> 217.17.41.85:8074 - LOGIN  UIN: 5114529  PWD_HASH: 0x1B85493D (461719869)  STATUS: zaraz weekend (invisible + descr + private)  VERSION: 4.8 + has audio  LIP: 10.10.10.11:1550
GG : 217.17.41.85:8074 -> 10.10.10.11:1685 - STATUS CHANGED  UIN: 2688291  STATUS: i co ja bede robil przez te 4 dni ... (not available + descr)
GG : 10.10.10.11:1685 -> 217.17.41.85:8074 - NEW STATUS  STATUS: goraaaaaaaaaaaaaco!!!!!!!!! (busy + descr + private)
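The WELCOME/LOGIN exchange visible in the session above is also what a network monitor can key on to flag legacy, unencrypted IM logons. The following is an added example, not code from ettercap-gg or ettercap: it parses the 8-byte Gadu-Gadu packet header (little-endian type and length, as in the ekg protocol description), pairs each server WELCOME with the client LOGIN that follows it, and rejects non-GG payloads on port 443 such as TLS records. The LOGIN type constants are taken from the protocol description; the sample segments are constructed, reusing the seed and UIN from the session above.

```python
import struct
from typing import Iterable, List, Tuple

# Gadu-Gadu packet header (ekg protocol docs): little-endian uint32 type, uint32 body length.
GG_HEADER = struct.Struct("<II")
GG_WELCOME = 0x0001                      # server -> client; body is the 4-byte login seed
GG_LOGIN_TYPES = {0x000C: "LOGIN", 0x0015: "LOGIN60", 0x0019: "LOGIN70"}  # client -> server
GG_PORTS = {8074, 443}                   # the two server ports the dissector watches
MAX_GG_BODY = 65535                      # sanity bound: larger "lengths" are not GG headers

def gg_packets(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split one TCP segment into (type, body) GG packets; [] if it is not GG traffic."""
    out, off = [], 0
    while off + GG_HEADER.size <= len(payload):
        ptype, plen = GG_HEADER.unpack_from(payload, off)
        if plen > MAX_GG_BODY or off + GG_HEADER.size + plen > len(payload):
            return []                    # TLS records or HTTP on 443 fail this check
        body_start = off + GG_HEADER.size
        out.append((ptype, payload[body_start:body_start + plen]))
        off = body_start + plen
    return out

Segment = Tuple[str, int, str, int, bytes]   # (src_ip, src_port, dst_ip, dst_port, payload)

def gg_login_alerts(segments: Iterable[Segment]) -> List[str]:
    """Flag every WELCOME -> LOGIN exchange: a legacy GG logon whose seed and hash crossed the wire."""
    pending_seed = {}                    # (client_ip, client_port, server_ip) -> seed
    alerts = []
    for src, sport, dst, dport, data in segments:
        for ptype, body in gg_packets(data):
            if sport in GG_PORTS and ptype == GG_WELCOME and len(body) == 4:
                pending_seed[(dst, dport, src)] = struct.unpack("<I", body)[0]
            elif dport in GG_PORTS and ptype in GG_LOGIN_TYPES and len(body) >= 4:
                seed = pending_seed.pop((src, sport, dst), None)
                if seed is not None:     # every GG login body starts with the uin
                    uin = struct.unpack_from("<I", body)[0]
                    alerts.append(f"{src}:{sport} -> {dst}:{dport} {GG_LOGIN_TYPES[ptype]} "
                                  f"uin={uin} seed=0x{seed:08X} (unencrypted IM logon)")
    return alerts

# Constructed sample capture: the WELCOME/LOGIN pair from the session above, a TLS-looking
# segment on 443 that must be ignored, and a LOGIN with no preceding WELCOME (not reported).
SAMPLE_SEGMENTS: List[Segment] = [
    ("217.17.45.143", 443, "10.10.10.11", 1696, struct.pack("<III", GG_WELCOME, 4, 0xAD130562)),
    ("10.10.10.11", 1696, "217.17.45.143", 443,
     struct.pack("<II", 0x0019, 92) + struct.pack("<I", 5114529) + b"\x00" * 88),  # filler body
    ("10.10.10.11", 1700, "217.17.45.143", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.10.10.11", 1701, "217.17.41.85", 8074, struct.pack("<II", 0x000C, 4) + struct.pack("<I", 1)),
]
```

Calling gg_login_alerts(SAMPLE_SEGMENTS) yields one alert for the 1696 flow; the TLS-looking segment and the orphan LOGIN produce nothing.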

INSTALLATION & CONFIGURATION

Apply the Gadu-Gadu dissector patch and build ettercap as usual:

patch -p0 < ettercap-NG-0.7.3-gg_dissector_02.patch
cd ettercap-NG-0.7.3
./configure
make
make install

Alternatively, install the Fedora Core 6 RPM package (it requires libpcap, libnet, zlib, libtool, pcre, openssl, ncurses, gtk+, pkgconfig, glib, atk, pango to be installed):

rpm -Uhv ettercap-NG-0.7.3-gg_dissector_02.i386.rpm

All files are available at http://sourceforge.net/project/showfiles.php?group_id=198405

By default the Gadu-Gadu dissector is registered on port 8074 (the patch adds the appropriate entry to etter.conf). To make the dissector intercept traffic on port 443 as well, first turn off the https dissector (only one dissector can be bound to a given port at a time) by editing etter.conf and changing the following line:

https = 443              # tcp    443

to

https = 0                # tcp    443

Then add port 443 to the gg dissector entry:

gg = 8074,443            # tcp    8074

If you want to see the status changes of all contacts, uncomment the GG_CONTACTS_STATUS_CHANGES define before compilation. Be careful with this option on really big networks: it can flood your whole screen!

That's all. Play wisely.

CHANGELOG

v0.2:

- added interception of sent/received messages
- added interception of status descriptions
- added notification about status changes
- added interception of gg server/client ip addresses
- added interception of gg user's local/remote ip addresses
- added determination of Gadu-Gadu version
- tiny bugfixes

v0.1 (initial release):

- added support for the following Gadu-Gadu protocol versions: 4.x, 5.x, 6.x, 7.x
- added interception of gg numbers, password hashes and seeds
- added interception of gg connections to ports 8074 and 443

TODO

- wpkontakt support (session management needed)
- std_gg/kadu/ekg/wpkontakt fingerprinting (additional research needed)
- SMS sniffing? (already covered by the http dissector)
- NAT detection

USEFUL LINKS

ettercap-gg - http://ettercap-gg.sourceforge.net/

ettercap - http://ettercap.sourceforge.net/

ggsniff - http://ggsniff.sourceforge.net

dsniff - http://monkey.org/~dugsong/dsniff/

GGNiuf - http://www.linuxstorm.org/modules/newbb/viewtopic.php?topic_id=9&forum=10

GGSpy - http://ggspy.one.pl/

Gadu-Gadu protocol description - http://ekg.chmurka.net/docs/protocol.html

Gadu-Gadu official website - http://www.gadu-gadu.pl/