Archive for November, 2008

How to geographically trace a remote MSN user using TCPDUMP.

Hi all!

So this is my second post (technically my first post) and on these last days I was wondering about “what could I write at first in my blog?”.

I don’t want this blog to be “just another blog talking about the same things as other tech blogs”, that’s why I will not post here every day.

Alright, at my first post I will talk about something that many of you who works on the networking field already know, but for those of you who don’t, maybe this technic may be useful someday.

I will teach you how to geographically trace a remote MSN user using TCPDUMP for Linux (which works for other unix flavors too, of course).

So, if you are talking to an unknown joe through MSN and he tells you from where he comes from and you, for some reason, don’t believe he’s telling you the truth, there’s a way to trace his IP address and then get his real location.

At first, the MSN protocol isn’t point-to-point, this means that all the messages goes through the microsoft msn server ( *gateway.edge.messenger.live.com at port 1863) to the the other user, differently from skype, which establish a direct connection between the users in a VoIP chat.

If you still didn’t get it, this means that it would be impossible to trace a remote IP address, since we have the microsoft MSN server managing all the chat conversations and it’s true. However, not everyone knows it but the msn file transferring protocol works as point-to-point and this means you can get a remote IP address always when you establish a file transferring connection. So just send him/her a random file or even accept a file which he/she sends you.

Here’s a sample output of a file transferring sniffing using tcpdump:

————————-Start of TCPDUMP output—————————————–

#tcpdump -i ppp0 <– you can change ppp0 to the proper interface.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:34:51.460775 IP remote-sample-ip.co.uk.1157 > my_ip_address.com.br.41890: . ack 476838048 win 7072 <nop,nop,timestamp 9337 1977599>
00:34:51.988941 IP remote-sample-ip.co.uk.1157 > my_ip_address.com.br.41890: . ack 1401 win 8472 <nop,nop,timestamp 9342 1977599>
00:34:51.989060 IP my_ip_address.com.br.41890 > remote-sample-ip.co.uk.1157: . 7001:8401(1400) ack 0 win 182 <nop,nop,timestamp 1981186 9342>
00:34:51.989138 IP my_ip_address.com.br.41890 > remote-sample-ip.co.uk.1157: . 8401:9801(1400) ack 0 win 182 <nop,nop,timestamp 1981186 9342>

————————-End of TCPDUMP output—————————————–

You might ask me “why don’t you specify the used port?”, but I don’t do it because the msn file transferring protocol (MSNFTP) use a dynamic range of ports, therefore it’s useless to specify any port, therefore I recommend you to close any other service in the case you want to trace a remote IP through msn.

Good, now we have the IP address of our friend and now we go to the easy part of it. Just go to http://www.ipaddresslocation.org/ip-address-location.php and paste there the remote IP address, then you will find it’s location. You can test it right now using one of the google’s IP address 64.233.187.99, you will see it works, sometimes it’s not 100% precise but when it doesn’t point the exact place, it will at least point the neighbor town where the remote user lives.

If you don’t have tcpdump (this means you use Windows, right?), you can try something like wireshark, this will probably works well, but I will not describe here how to use wireshark, sorry.

This tutorial might work to other IM protocols as well but I can’t promise it, since I haven’t tested with any other instead of msn. So if you have tested it with a different IM protocol, please share with us your experience.

References:

http://www.tcpdump.org/ (tcpdump official website)

http://www.ipaddresslocation.org (IP address location)

http://www.alexandersandler.net/tcpdump-for-dummies (very nice tcpdump tutorial)

http://www.hypothetic.org/docs/msn/client/file_transfer.php (MSNFTP protocol overview)

I hope it will be useful to someone here and see you in the next post!

Advertisements

First post.

Well, my intention with this blog will be mainly as a personal online notepad for tech stuff (problem solutions, tutorials, news, etc.). Although I might eventually post something different than that.

See you!