BitTorrent Protocol (a.k.a. Peer Protocol) examples

Here I present some examples of BitTorrent protocol interactions.

Wireshark can be used to analyze BitTorrent protocol interactions in TCP/IP.

Remember that BitTorrent’s peer protocol operates over TCP or uTP. At the time of writing, Wireshark could correctly identify a uTP connection but would not decode its contents as a BitTorrent protocol session; for connections carried over TCP/IP it decodes the peer protocol fine.

Message flow/sequence

[Screenshot: Wireshark view of the message flow/sequence (screen-shot-10-21-16-at-04-34-pm)]

Handshake example

The Handshake message flows in both directions: each peer sends a handshake message to the other.

[Screenshot: handshake messages in Wireshark (screen-shot-10-25-16-at-03-54-pm)]

“Extended” message examples

In these messages we can see which extensions are supported by a peer / downloader.

uTorrent

d
1:m
d
11:upload_only
i3e
11:lt_donthave
i7e
12:ut_holepunch
i4e
11:ut_metadata
i2e
6:ut_pex
i1e
10:ut_comment
i6e
e
13:metadata_size
i401e
1:p
i20111e
4:reqq
i255e
1:v
15:µTorrent 3.4.8
2:yp
i6881e
6:yourip
4:(4 raw IPv4 address bytes, not printable)
e

qBittorrent

d
1:m
d
11:lt_donthave
i5e
11:upload_only
i2e
11:ut_metadata
i15e
6:ut_pex
i1e
e
13:metadata_size
i401e
4:reqq
i250e
1:v
18:qBittorrent v2.9.8
6:yourip
4:(4 raw IPv4 address bytes, not printable)
e
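The two dumps above are the bencoded dictionaries carried in the extended handshake (BEP 10), which Wireshark shows already decoded. The following Python script is an added example, not code from the original post or from either client: it decodes such a payload and summarises the extension map (`m`), client version (`v`), listen port (`p`), request queue depth (`reqq`), metadata size and the `yourip` value. The two payloads are reconstructed as byte strings from the dumps above; the four raw bytes of `yourip` do not survive in the post, so constructed addresses (10.0.0.5 and 192.168.1.2) stand in for them, and the µ in the uTorrent version string is restored from its 15-byte length prefix. The truncation and type checks are this example's own defensive choices.

```python
"""Decode the bencoded dictionary carried by a BitTorrent extended handshake
(BEP 10).  Added example, not code from the original post."""


def decode(data, pos=0):
    """Decode one bencoded value starting at pos; returns (value, next_pos).
    Strings come back as bytes because values such as yourip are binary."""
    c = data[pos:pos + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                       # list: l<values>e
        pos, items = pos + 1, []
        while data[pos:pos + 1] != b"e":
            value, pos = decode(data, pos)
            items.append(value)
        return items, pos + 1
    if c == b"d":                       # dict: d<key><value>...e
        pos, result = pos + 1, {}
        while data[pos:pos + 1] != b"e":
            key, pos = decode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError(f"non-string dictionary key at offset {pos}")
            value, pos = decode(data, pos)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                     # string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):  # a hostile/garbled length must not over-read
            raise ValueError(f"string of {length} bytes truncated at offset {start}")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def summarize(payload):
    """Turn an extended-handshake payload into the fields a peer cares about."""
    handshake, end = decode(payload)
    if end != len(payload) or not isinstance(handshake, dict):
        raise ValueError("payload is not a single bencoded dictionary")
    ext_map = {}
    for name, ext_id in handshake.get(b"m", {}).items():
        # extension ids are one byte; 0 means the peer disabled that extension
        if not isinstance(ext_id, int) or not 0 <= ext_id <= 255:
            raise ValueError(f"invalid extension id for {name!r}")
        ext_map[name.decode("ascii", "replace")] = ext_id
    yourip = handshake.get(b"yourip", b"")
    return {
        "client": handshake.get(b"v", b"").decode("utf-8", "replace"),
        "extensions": ext_map,
        "listen_port": handshake.get(b"p"),
        "reqq": handshake.get(b"reqq"),
        "metadata_size": handshake.get(b"metadata_size"),
        "yourip": ".".join(str(b) for b in yourip) if len(yourip) == 4 else None,
    }


# Payloads reconstructed from the dumps in the post.  The 4 raw bytes of
# yourip are missing there; 10.0.0.5 and 192.168.1.2 are constructed stand-ins.
UTORRENT = (
    b"d1:md11:upload_onlyi3e11:lt_donthavei7e12:ut_holepunchi4e11:ut_metadatai2e"
    b"6:ut_pexi1e10:ut_commenti6ee13:metadata_sizei401e1:pi20111e4:reqqi255e"
    b"1:v15:\xc2\xb5Torrent 3.4.82:ypi6881e6:yourip4:\x0a\x00\x00\x05e"
)
QBITTORRENT = (
    b"d1:md11:lt_donthavei5e11:upload_onlyi2e11:ut_metadatai15e6:ut_pexi1ee"
    b"13:metadata_sizei401e4:reqqi250e1:v18:qBittorrent v2.9.8"
    b"6:yourip4:\xc0\xa8\x01\x02e"
)

if __name__ == "__main__":
    for label, payload in (("uTorrent", UTORRENT), ("qBittorrent", QBITTORRENT)):
        print(label, summarize(payload))
```

Note that the uTorrent dump advertises a listen port both as `p` and as the non-standard `yp` key, while the qBittorrent dump carries no `p` at all, so `listen_port` comes back as `None` for it; a client should treat these fields as optional rather than assume every peer sends them.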


Port, Interested, Unchoke example

[Screenshot: Port, Interested and Unchoke messages in Wireshark (Screen Shot 10-12-17 at 11.34 AM)]

Request+Piece example

A request for a piece of a file:

[Screenshot: Request message in Wireshark (Screen Shot 10-12-17 at 11.36 AM)]

The reply with the piece’s data contents:

[Screenshot: Piece message in Wireshark (Screen Shot 10-12-17 at 11.37 AM)]

Not Interested example

[Screenshot: Not Interested message in Wireshark (Screen Shot 10-12-17 at 11.37 AM 001)]
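The Handshake, Port/Interested/Unchoke, Request+Piece and Not Interested sections above each show one message in Wireshark. The following Python script is an added example, not code from the original post: it parses the 68-byte handshake at the start of a peer connection and then splits the length-prefixed messages that follow, decoding the fixed-layout payloads of port, request and piece. The byte stream it walks is constructed inline in the same order as the screenshots (the info-hash, peer id and 16 KiB block are dummy values), and the cap on a single message length is a defensive choice of this example, not something the post describes.

```python
"""Parse the BitTorrent peer wire protocol as it appears on a TCP stream:
the fixed 68-byte handshake, then length-prefixed <len><id><payload> messages.
Added example (not code from the original post); the sample stream is constructed."""
import struct

PSTR = b"BitTorrent protocol"
MSG_NAMES = {
    0: "choke", 1: "unchoke", 2: "interested", 3: "not interested",
    4: "have", 5: "bitfield", 6: "request", 7: "piece", 8: "cancel",
    9: "port", 20: "extended",
}
MAX_MSG = 1 << 20  # defensive cap on one message; chosen for this example


def parse_handshake(data):
    """Return (info_hash, peer_id, supports_extensions, remaining_bytes)."""
    if len(data) < 68 or data[0] != len(PSTR) or data[1:20] != PSTR:
        raise ValueError("not a BitTorrent handshake")
    reserved, info_hash, peer_id = data[20:28], data[28:48], data[48:68]
    # BEP 10: bit 0x10 of reserved byte 5 announces the extension protocol
    return info_hash, peer_id, bool(reserved[5] & 0x10), data[68:]


def parse_messages(data):
    """Split a stream into (name, payload) tuples; leftover bytes are returned
    so a caller can resume once the rest of a truncated message arrives."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if length > MAX_MSG:
            raise ValueError(f"oversized message ({length} bytes) at offset {pos}")
        if length == 0:  # keep-alive: no id, no payload
            out.append(("keep-alive", b""))
            pos += 4
            continue
        if pos + 4 + length > len(data):
            break  # incomplete message; wait for more bytes
        msg_id = data[pos + 4]
        payload = data[pos + 5:pos + 4 + length]
        out.append((MSG_NAMES.get(msg_id, f"unknown({msg_id})"), payload))
        pos += 4 + length
    return out, data[pos:]


def describe(name, payload):
    """Decode the fixed-layout payloads shown in the post (port, request, piece)."""
    if name == "port" and len(payload) == 2:
        return {"listen_port": struct.unpack(">H", payload)[0]}
    if name == "request" and len(payload) == 12:
        index, begin, length = struct.unpack(">III", payload)
        return {"index": index, "begin": begin, "length": length}
    if name == "piece" and len(payload) >= 8:
        index, begin = struct.unpack(">II", payload[:8])
        return {"index": index, "begin": begin, "block_len": len(payload) - 8}
    return {}


def build_sample():
    """Constructed stream (not a capture): handshake, then the post's sequence
    port, interested, unchoke, request, piece, not interested."""
    reserved = bytes([0, 0, 0, 0, 0, 0x10, 0, 0])  # extension bit set
    handshake = bytes([19]) + PSTR + reserved + b"\x11" * 20 + b"-XX0000-" + b"x" * 12
    port = struct.pack(">IBH", 3, 9, 6881)
    interested = struct.pack(">IB", 1, 2)
    unchoke = struct.pack(">IB", 1, 1)
    request = struct.pack(">IBIII", 13, 6, 0, 0, 16384)
    block = bytes(range(256)) * 64  # 16 KiB dummy block
    piece = struct.pack(">IBII", 9 + len(block), 7, 0, 0) + block
    not_interested = struct.pack(">IB", 1, 3)
    return handshake + port + interested + unchoke + request + piece + not_interested


def walk(stream):
    """Parse a whole stream; returns (extension_bit, [(name, decoded_fields), ...])."""
    _info_hash, _peer_id, ext, rest = parse_handshake(stream)
    msgs, _leftover = parse_messages(rest)
    return ext, [(name, describe(name, payload)) for name, payload in msgs]


if __name__ == "__main__":
    ext, seq = walk(build_sample())
    print("extension protocol advertised:", ext)
    for name, fields in seq:
        print(f"{name:15s} {fields}")
```

Because TCP delivers a byte stream rather than whole messages, `parse_messages` deliberately stops at a partial message and hands the remainder back instead of raising; the same loop can then be fed the next segment. This is also why the uTP case in the post is harder to decode: the framing is identical, but the dissector first has to reassemble the stream from the UDP datagrams.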


Downloader Peers screenshots

Usually, when a peer is connected to another one, the remote peer appears in the “Peers” tab for a torrent.

Example

[Screenshot: remote peer shown in the “Peers” tab (screen-shot-10-19-16-at-12-18-pm)]

Downloader Ports configuration

uTorrent

[Screenshots: uTorrent port configuration (screen-shot-10-19-16-at-12-25-pm, screen-shot-10-19-16-at-12-23-pm)]

[Screenshot: downloader port configuration (screen-shot-10-20-16-at-07-26-pm)]


My new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon

Just published my new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon.

Check it out.

Most virtualization platforms provide some mechanism of communication between the hypervisor and its guest virtual machines. “Open VM Tools” is a set of tools that implements such communication mechanisms for VMware™ virtual machines and hypervisors. In this book we analyze each of these tools and APIs, from high-level usage to low-level communication details between the guest and the host. This information can be used for a better understanding of what actually happens when using a guest machine with these tools. It can also be used as inspiration for using and extending guest-hypervisor communication, and for penetration testing.

[Images: e-book screenshot (Screen Shot 10-05-17 at 12.44 PM) and cover (cover.jpg)]

VMware hypervisor fingerprinting Tool ( & Paper)

Just published a new tool, vmhost_report.rb (and a paper about it), for VMware hypervisor fingerprinting. The tool is released under an open source license (GPL); you can use it freely.

In the paper, I show you how to determine hypervisor properties (such as hypervisor version or virtual CPU Limits) by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor.

This can be useful for penetration testing, for information gathering, and for determining the best software configuration for virtualization-sensitive and virtualization-aware software.

I have developed a reporting tool vmhost_report.rb that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Currently, Linux and Nested ESXi are supported.

You can run it as “ruby vmhost_report.rb”. It will write a lot of useful information to the vmhost_report.log file.

These reports can be used to learn a lot about VMware internals or a particular guest system or network. You can find report examples in the Paper’s “Annex A”.

Some of the described methods can be used even if the VMware Tools are disabled or not installed, or if some of the methods are disabled by host configuration. Some of the methods require “root” privileges, while others do not.
