ABOUT
ettercap-gg is a Gadu-Gadu IM dissector for ettercap.
It is a patch for the ettercap sniffer that adds the ability to intercept Gadu-Gadu logins, passwords and messages.
Gadu-Gadu (www.gadu-gadu.pl) is the most widely used IM network in Poland, with about 6 million users.
The protocol description was taken from http://ekg.chmurka.net/docs/protocol.html, plus own research (7.x).
The newest version can be found at http://ettercap-gg.sourceforge.net/
You can find the ettercap source tarball at http://ettercap.sourceforge.net/
Copyright (C) Michal Szymanski michal.szymanski.pl(at)gmail.com
DOWNLOAD
The current version is 0.2, released on 2007/06/15. You can download it from http://sourceforge.net/project/showfiles.php?group_id=198405
FEATURES
- supports the following Gadu-Gadu protocol versions: 4.x, 5.x, 6.x, 7.x
- intercepts sent/received messages
- intercepts gg numbers, password hashes and seeds (can be brute-forced with ggbrute)
- intercepts status descriptions
- notifies about status changes
- intercepts gg server/client IP addresses
- intercepts the gg user's local/remote IP addresses
- intercepts gg connections to ports 8074 and 443
- determines the Gadu-Gadu version
EXAMPLE SESSION - version 0.2
ARP poisoning victims:

 GROUP 1 : 10.10.10.11 00:01:20:02:34:21
 GROUP 2 : 10.10.10.1 00:0A:84:D8:28:F5

Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help

GG : 217.17.45.143:443 -> 10.10.10.11:1696 - WELCOME
  SEED: 0xAD130562 (2903704930)

GG7 : 10.10.10.11:1696 -> 217.17.45.143:443 - LOGIN
  UIN: 5114529
  PWD_HASH: 0x21D13E38992A341DD33BB52DDFA2382A173A5361
  STATUS: (invisible + private)
  VERSION: 7.7
  LIP: 10.10.10.11:1550
  RIP: 0.0.0.0:0

GG : 10.10.10.11:1706 -> 217.17.45.143:443 - SEND_MSG
  RECIPIENT: 7244283
  MESSAGE: "wiadomosc testowa"

GG : 217.17.45.143:443 -> 10.10.10.11:1706 - RECV_MSG
  SENDER: 7244283
  MESSAGE: "dzieki za wiadomosc"

GG7 : 217.17.45.143:443 -> 10.10.10.11:1706 - STATUS CHANGED
  UIN: 7244283
  STATUS: a swistak siedzi i zawija (busy + descr)
  VERSION: 7.6
  RIP: 207.46.19.190:1550

GG : 217.17.41.85:8074 -> 10.10.10.11:1685 - WELCOME
  SEED: 0x1D66B45F (493270111)

GG4/5 : 10.10.10.11:1685 -> 217.17.41.85:8074 - LOGIN
  UIN: 5114529
  PWD_HASH: 0x1B85493D (461719869)
  STATUS: zaraz weekend (invisible + descr + private)
  VERSION: 4.8 + has audio
  LIP: 10.10.10.11:1550

GG : 217.17.41.85:8074 -> 10.10.10.11:1685 - STATUS CHANGED
  UIN: 2688291
  STATUS: i co ja bede robil przez te 4 dni ... (not available + descr)

GG : 10.10.10.11:1685 -> 217.17.41.85:8074 - NEW STATUS
  STATUS: goraaaaaaaaaaaaaco!!!!!!!!! (busy + descr + private)
INSTALLATION & CONFIGURATION
Apply the Gadu-Gadu dissector patch and compile ettercap as usual:
patch -p0 < ettercap-NG-0.7.3-gg_dissector_02.patch
cd ettercap-NG-0.7.3
./configure
make
make install
Alternatively, you can install the Fedora Core 6 RPM package (it requires libpcap, libnet, zlib, libtool, pcre, openssl, ncurses, gtk+, pkgconfig, glib, atk and pango to be installed):
rpm -Uhv ettercap-NG-0.7.3-gg_dissector_02.i386.rpm
All the files can be found at http://sourceforge.net/project/showfiles.php?group_id=198405
Normally the Gadu-Gadu dissector is bound to port 8074 (the appropriate entry is added to the etter.conf file). If you also want the dissector to intercept traffic on port 443, first disable the https dissector (only one dissector can be bound to a given port at a time) by editing etter.conf and changing the following line:
https = 443 # tcp 443
to
https = 0 # tcp 443
After that, all you need to do is add port 443 to the gg dissector entry:
gg = 8074,443 # tcp 8074
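The "one dissector per port" rule above is easy to violate when hand-editing etter.conf, and ettercap gives no obvious hint that a port was silently claimed twice. The following Python script is an added example (not part of ettercap-gg or ettercap) that parses the [dissectors] section of an etter.conf-style file and reports every port claimed by more than one enabled dissector. The two sample configurations are constructed for the example; the line format "name = port[,port] # comment" with 0 meaning "disabled" is assumed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the conflicting state you get by adding 443 to gg
# without first disabling the https dissector.
CONFLICTING_CONF = """\
[dissectors]
ftp = 21              # tcp 21
https = 443           # tcp 443
gg = 8074,443         # tcp 8074

[curses]
color_bg = 0
"""

# Constructed sample: the corrected state described on this page
# (https set to 0 = disabled, gg bound to both ports).
CORRECTED_CONF = """\
[dissectors]
ftp = 21              # tcp 21
https = 0             # tcp 443
gg = 8074,443         # tcp 8074

[curses]
color_bg = 0
"""

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
# name = ports [# comment]; the port list may be "8074,443" or "8074, 443"
ENTRY_RE = re.compile(r"^\s*(\w+)\s*=\s*([0-9,\s]+?)\s*(?:#.*)?$")


def parse_dissectors(text):
    """Return {dissector_name: [enabled ports]} for the [dissectors] section.
    A port of 0 means the dissector is disabled and is dropped from the list."""
    ports_by_name = {}
    in_section = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = (m.group(1) == "dissectors")
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, comment, or something we do not understand
        name, port_list = m.group(1), m.group(2)
        ports = [int(p) for p in port_list.split(",") if p.strip()]
        ports_by_name[name] = [p for p in ports if p != 0]
    return ports_by_name


def port_conflicts(text):
    """Map each port claimed by more than one enabled dissector to the names
    claiming it, in file order. An empty dict means the config is consistent."""
    claimants = defaultdict(list)
    for name, ports in parse_dissectors(text).items():
        for port in ports:
            claimants[port].append(name)
    return {p: names for p, names in claimants.items() if len(names) > 1}


if __name__ == "__main__":
    for label, conf in (("conflicting", CONFLICTING_CONF),
                        ("corrected", CORRECTED_CONF)):
        conflicts = port_conflicts(conf)
        if conflicts:
            for port, names in sorted(conflicts.items()):
                print(f"{label}: port {port} claimed by {', '.join(names)}")
        else:
            print(f"{label}: no port conflicts")
```

Run it against your real etter.conf by replacing the constructed samples with the file contents; a non-empty result from port_conflicts() means one of the listed dissectors will not see its traffic.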
If you want to see the status changes of all contacts, uncomment the GG_CONTACTS_STATUS_CHANGES define before compilation, but be careful with this option on really large networks: the output can flood your whole screen!
That's all. Play wisely.
CHANGELOG
v0.2:
- added interception of sent/received messages
- added interception of status descriptions
- added notification about status changes
- added interception of gg server/client IP addresses
- added interception of gg user's local/remote IP addresses
- added determination of Gadu-Gadu version
- tiny bugfixes
v0.1 (initial release):
- added support for the following Gadu-Gadu protocols: 4.x, 5.x, 6.x, 7.x
- added interception of gg numbers, password hashes and seeds
- added interception of gg connections to ports 8074 and 443
TODO
- wpkontakt support (session management needed)
- std_gg/kadu/ekg/wpkontakt fingerprinting (additional research needed)
- sms sniffing? (already implemented through the http dissector)
- NAT detection
USEFUL LINKS
ettercap-gg - http://ettercap-gg.sourceforge.net/
ettercap - http://ettercap.sourceforge.net/
ggsniff - http://ggsniff.sourceforge.net
dsniff - http://monkey.org/~dugsong/dsniff/
GGNiuf - http://www.linuxstorm.org/modules/newbb/viewtopic.php?topic_id=9&forum=10
GGSpy - http://ggspy.one.pl/
Gadu-Gadu protocol description - http://ekg.chmurka.net/docs/protocol.html
Gadu-Gadu official website - http://www.gadu-gadu.pl/