Sunday, October 21, 2007

Sniffing the Google Desktop for Linux traffic.

I promised to show how to sniff the communication between the clients and the server of Google Desktop for Linux.

So I'll be using the SockSniffer scripts I prepared and wrote about in [1], [2].
$ tar xvzf SockSniffer.0.2.tar.gz
$ mkdir jail
$ cd jail
$ $HOME/SockSniffer.0.2/makejail.sh
$ sudo $HOME/SockSniffer.0.2/mountjail.sh
$ sudo chroot $PWD
$ su my_user_name
$ cd
$ gdlinux

Now we should have two Google Desktop icons in the taskbar.

In chrooted console:
$ cd .google/desktop
$ rm a1_sock
In another console:
$ mkdir socksniff_logs
$ cd socksniff_logs
$ $HOME/SockSniffer.0.2/socksniff $HOME/.google/desktop/a1_sock $HOME/jail$HOME/.google/desktop/a1_sock

Now use the Google Desktop for a while.
Close it.
Kill the socksniff process (e.g. with Ctrl-C).

In socksniff console:
$ $HOME/SockSniffer.0.2/sockmerge

Open $HOME/socksniff_logs/dumps/merge.pcap in Wireshark.

That's it. Now we can analyze the traffic.

And here's an example dump.

3 comments:

Anonymous said...

Looks like boring usage statistics. What are you hoping to find?

graag said...

Google Desktop API:
< quote >
Getting the Stored Query URL

The stored query URL has the first part of the URL that you need to perform any Google Desktop query. It looks something like the following:

http://127.0.0.1:4664/search&s=1ftR7c_hVZKYvuYS-RWnFHk91Z0?q=

How you get the stored query URL depends on whether your code is running on Windows or Mac OS X.
Windows

Get the query URL from the registry using the following value name:

HKEY_CURRENT_USER\Software\Google\Google Desktop\API\search_url

Mac OS X

Use CFPreferences to fetch the stored query URL from the user preferences domain com.google.Desktop.WebServer using the key search_url. For example:

#include <CoreFoundation/CoreFoundation.h>

CFStringRef val = CFPreferencesCopyValue(
    CFSTR("search_url"),
    CFSTR("com.google.Desktop.WebServer"),
    kCFPreferencesCurrentUser,
    kCFPreferencesAnyHost);
if (val) {
    // act on the value
    CFRelease(val);
}
< /quote >

Nothing like this for linux so far.

Looking in the dump we have:
* Client *
0000  2f 23 25 be 03 00 00 00 21 00 00 00 00 00 00 00  /#%.....!.......
0010  00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00  ................
0020  5c 43 6f 6d 6d 6f 6e 0a 00 00 00 4c 69 73 74 65  \Common....Liste
0030  6e 50 6f 72 74 04 00 00 00                       nPort....
* Server *
0000  2f 23 25 be 06 00 00 00 0c 00 00 00 00 00 00 00  /#%.............
0010  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
0020  5e 7b 00 00                                      ^{..

The key here is: 5e 7b => 94 123
123 + 94*256 = 24187, and this was the port on which Google Desktop was listening.

Also there is:
* Client *
0000  2f 23 25 be 03 00 00 00 27 00 00 00 00 00 00 00  /#%.....'.......
0010  00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00  ................
0020  5c 43 6f 6d 6d 6f 6e 10 00 00 00 53 65 63 75 72  \Common....Secur
0030  69 74 79 54 6f 6b 65 6e 4b 65 79 08 00 00 00     ityTokenKey....

Which sounds promising, as without the security token we cannot make custom queries. But I didn't have time to decode the response.
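
A decoder for the a1_sock frames in these dumps, added here as an example; it is not code from the original post or from Google Desktop. It checks the header layout inferred from the three captured frames (magic, type, payload length, 12 zero bytes), pulls out the length-prefixed key names and reads the ListenPort value in both byte orders. The frame bytes are re-typed from the dumps above; the field meanings are assumptions drawn from these three frames only.

```python
import struct

MAGIC = b"\x2f\x23\x25\xbe"  # first four bytes of every frame in the dump
# Frames re-typed from the hex dumps in the comment above (constructed input).
CLIENT_LISTENPORT = bytes.fromhex(
    "2f2325be 03000000 21000000 00000000 00000000 00000000 01000000"
    "07000000 5c436f6d6d6f6e 0a000000 4c697374656e506f7274 04000000")
SERVER_LISTENPORT = bytes.fromhex(
    "2f2325be 06000000 0c000000 00000000 00000000 00000000"
    "00000000 01000000 5e7b0000")
CLIENT_TOKENKEY = bytes.fromhex(
    "2f2325be 03000000 27000000 00000000 00000000 00000000 01000000"
    "07000000 5c436f6d6d6f6e 10000000 5365637572697479546f6b656e4b6579 08000000")

def parse_frame(frame):
    """Split a frame into (type, payload). Header layout inferred from the dump:
    magic, type, payload length, 12 zero bytes; in all three frames the length
    dword equals the byte count after the 24-byte header (33, 12 and 39)."""
    if frame[:4] != MAGIC:
        raise ValueError("not an a1_sock frame")
    msg_type, length = struct.unpack_from("<II", frame, 4)
    payload = frame[24:]
    if len(payload) != length:
        raise ValueError(f"length field {length} != {len(payload)} payload bytes")
    return msg_type, payload

def key_names(frame):
    """Recover the length-prefixed ASCII names (\\Common, ListenPort, ...) from a
    payload: a dword followed by that many printable bytes is taken as a string."""
    _, payload = parse_frame(frame)
    names, pos = [], 0
    while pos + 4 <= len(payload):
        n = struct.unpack_from("<I", payload, pos)[0]
        chunk = payload[pos + 4:pos + 4 + n]
        if 2 <= n <= 64 and len(chunk) == n and all(0x20 <= b < 0x7f for b in chunk):
            names.append(chunk.decode("ascii"))
            pos += 4 + n
        else:
            pos += 4
    return names

def listen_port(reply):
    """Both readings of the 16-bit value in a type-6 ListenPort reply: the comment
    above takes 5e 7b big-endian (as sin_port is stored) and gets 24187, which
    matched the observed port; lengths here are little-endian, so verify."""
    msg_type, payload = parse_frame(reply)
    if msg_type != 6:
        raise ValueError(f"expected a type-6 reply, got {msg_type}")
    return {"big_endian": struct.unpack(">H", payload[-4:-2])[0],
            "little_endian": struct.unpack("<H", payload[-4:-2])[0]}
```

Compare the two port readings against the listening sockets of the gdlinux process (e.g. `ss -ltnp`) to confirm which byte order the value uses before relying on it.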

Άγγελος Παναγιωτάκης said...

What about the Linux key?