2

I've got a time clock with proprietary software that polls swipe punches from it; the software sits on a server and connects to the time clock over Ethernet. I want to try to write my own script that polls this clock, as the software can't do it more than once an hour.

I installed Wireshark on the server and polled a time clock, then followed the TCP stream so I could see all the data that was sent back and forth. I see it issues .00P. on port 3001 of the time clock; the time clock then replies with all of the punches.

I tried using PuTTY, connecting on port 3001 and copying and pasting that command; however, nothing was returned. I then realized the periods in the command are there because my editor can't display the actual data, which in Notepad looks like backwards L's.

Anyhow, what's the best process for attempting to send that command as it is in the binary file I saved from Wireshark? Is there a way to send a packet containing the data from a file to the time clock and somehow record the results?

user177916
  • I've tried everything I can think of using nc (netcat) to capture the data and send it back to the time clock; it just doesn't respond with ANYTHING when I send data to it (see comments below for more info). Any other ideas? – user177916 Jun 15 '13 at 17:32

2 Answers

1

It's hard to tell anything from one single packet; a rather fast-forward way might be:

... to replace the clock once at night-time:

e.g. set up Linux with the same IP as the clock (while taking the clock down temporarily),

Then just run netcat, let it listen on :3001, piped to a file, and wait until the poll happens.

(I use it for TCP polling, so I'd assume one can capture with it in listening mode.)

Also, you could connect to the clock with it, once you know how the server polls.

Martin Zeitler
  • Funny you mention this, I was just playing around with nc on linux trying to send part of my binary capture, but that's a great idea, try polling the linux box and see what data is being sent, then just send that same data to the time clock...thanks! I'll report back once I try this (likely tomorrow morning as it's pretty late here now). – user177916 Jun 15 '13 at 02:34
  • Like this one can see the actual console log, instead of a hexdump ... because one needs to know what the request/response format looks like, e.g. to preg_match() the returned lines and convert them into SQL. Good luck! – Martin Zeitler Jun 15 '13 at 02:40
  • Couldn't wait, just tried it. On my server I ran: nc -l 3001 > /root/timeclock. Then I polled the server with the time clock software; I got the expected codes sent over and saved in /root/timeclock. I then ran: cat /root/timeclock | nc 10.5.9.9 3001 to send it over to the time clock, while also listening on the server for any replies by running: nc -l 3001 > /root/response. However, /root/response is still empty; seems like the time clock didn't reply back with any data :( – user177916 Jun 15 '13 at 02:46
  • Option -l means listening (for incoming connections). I'd assume the clock needs to be connected in active mode. It also could be that the clock only answers one single IP (so that nobody can cheat on time that easily). MAC filters are rather unlikely. – Martin Zeitler Jun 15 '13 at 02:49
  • Should I not use -l ? I know it's not IP restricted, I can copy the timeclock polling exe to my laptop and run it and poll the clocks (the software is ancient, which is why I want to write my own). Thanks again! – user177916 Jun 15 '13 at 02:51
  • The more I think about it.. by active mode you mean I have to maintain an active TCP connection with it? ie. use something that supports sockets? (I'm no expert in this stuff, just muddling my way through) – user177916 Jun 15 '13 at 02:54
  • Yes, if you are connecting to the timeclock and dumping data, chances are the response will be contained within that session. By dumping the data, and listening on port 3001, you are expecting the timeclock to establish a new session which probably does not happen. Netcat host port will establish a 3 way handshake, and should output the response to STDOUT - use something like: cat /root/timeclock | nc 10.5.9.9 > /root/response – David Houde Jun 15 '13 at 02:59
  • That makes sense, I feel like we're getting closer! I ran: cat /root/timeclock | nc 10.5.9.9 3001 > /root/timeclockresponse but the timeclockresponse file was still empty...I'm getting pretty excited though, because this is the closest I've come so far, must just be one or two more things I'm missing. – user177916 Jun 15 '13 at 03:08
  • You only need option -l when capturing the server's poll (which is ordinarily accepted by the clock's listening TCP socket). When connecting to the clock, there's no need to listen (unless there is some kind of bidirectional communication going on, which I doubt). – Martin Zeitler Jun 15 '13 at 04:16
  • Some more progress: it seems if I send the command over port 3001 to the time clock it DOES send data back, but not on port 3001; it seems to be a randomly picked port. Using tcpdump I see it responded over port 49657, and I see some random characters in the packet. Without somehow knowing the port ahead of time so netcat can listen for it, I'm not sure how to get the reply. – user177916 Jun 15 '13 at 19:16
  • You maybe could cause the clock to respond by actively connecting to it, while having another instance of netcat listening on a range of ports (which will capture the response). It's probably required to detach netcat from the console, so one can have several instances per shell prompt. – Martin Zeitler Jun 17 '13 at 07:20
  • Hint: google for "netcat cheatsheet". – Martin Zeitler Jun 17 '13 at 07:26
0

If you've saved the binary file from the Wireshark capture, a good next step would be to look more closely at that file. As you've discovered, Notepad probably won't do the job. Use a hex editor such as frhed to understand exactly what bytes are being sent.

Having identified the command, you can then write a script to make a TCP connection and send the command accurately. You could use PowerShell or Python for this purpose.

Mox
  • Thanks for the reply! I downloaded that and opened my binary file (picture here: http://i43.tinypic.com/2qaqtep.jpg). I'm definitely not experienced with hex editors, but is it safe to say the beginning .00P. is the data that was sent? (In Wireshark the .00P. is highlighted as the first transmission.) Or am I completely missing the obvious? Thanks again for taking the time to reply! – user177916 Jun 15 '13 at 02:16
  • Looking more, if I change the character set I then see a character instead of a period. Maybe I'm asking the wrong question here; I'm guessing you meant find out the hex codes, then send them in PowerShell or Python over that port. – user177916 Jun 15 '13 at 02:21
  • Right. Your image shows that what's being sent is (hex) 04 30 30 50 03, which is control-D 0 0 P control-C. In a Python string, you can include characters by their hex byte value with backslash x. So your string would be "\x0400P\x03" (because \x04 is control-D and \x03 is control-C). – Mox Jun 17 '13 at 03:08
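The procedure both answers describe, put together as one script: capture what the vendor poller sends while a Linux box stands in for the clock (first answer), look at the bytes in a hex dump rather than Notepad (second answer), and then send the five bytes Mox identified over a TCP connection and read the reply from that same session, which is why a separate `nc -l 3001` never sees it. This is an added example, not code from the original post or from the clock vendor. It assumes the clock listens on TCP/3001 and expects exactly EOT (0x04) + "00P" + ETX (0x03); the clock's reply format is not known from the thread, so the loopback demo answers with constructed sample bytes and the host 10.5.9.9 from the comments is only used in the `__main__` stanza.

```python
"""Raw TCP poll of the time clock, assembled from the thread above.

Added example, not the vendor's or the poster's code.  Assumed: the clock
listens on TCP/3001, expects EOT + b"00P" + ETX, and answers inside the
same TCP session.  Reply bytes in the demo are constructed, not real.
"""
import socket
import threading

CLOCK_PORT = 3001
EOT, ETX = b"\x04", b"\x03"      # the two control bytes seen in the hex editor


def build_request(command: bytes = b"00P") -> bytes:
    """Frame a command the way the capture shows it: EOT, ASCII body, ETX."""
    return EOT + command + ETX


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / printable columns, so control bytes that Notepad draws
    as periods or backwards-L glyphs show up with their real values."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x}  {hexs:<{width * 3 - 1}}  |{text}|")
    return "\n".join(rows)


def _read_until_quiet(conn: socket.socket, idle: float) -> bytes:
    """Read until the peer closes or stays silent for `idle` seconds."""
    conn.settimeout(idle)
    buf = bytearray()
    while True:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            break
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return bytes(buf)


def open_capture_socket(port: int = CLOCK_PORT) -> socket.socket:
    """Listening socket that stands in for the clock.  Bind it on a box that
    has temporarily taken over the clock's IP, as the first answer suggests."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("", port))
    srv.listen(1)
    return srv


def capture_one_poll(srv: socket.socket, timeout: float = 300.0) -> bytes:
    """Accept one connection from the vendor poller and return the raw bytes
    it sends: the Python equivalent of `nc -l 3001 > /root/timeclock`."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        return _read_until_quiet(conn, idle=1.0)


def poll_clock(host: str, port: int = CLOCK_PORT, timeout: float = 5.0) -> bytes:
    """Connect to the clock, send the framed request and read the reply from
    the SAME session.  The clock answers on the connection we opened; it does
    not call back, so listening on 3001 for the answer captures nothing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request())
        return _read_until_quiet(sock, idle=timeout)


def _fake_clock(srv: socket.socket, reply: bytes) -> None:
    """Constructed stand-in for the clock: a correct request gets `reply`,
    anything else gets silence (the behaviour the asker saw with bad bytes)."""
    conn, _ = srv.accept()
    with conn:
        if _read_until_quiet(conn, idle=0.5) == build_request():
            conn.sendall(reply)


def run_loopback_demo() -> dict:
    """Exercise both halves offline: capture a poll, then poll a fake clock."""
    # 1. Capture what a poller sends (here we play the poller ourselves).
    cap = open_capture_socket(0)                       # ephemeral port for the demo
    captured = []
    t = threading.Thread(target=lambda: captured.append(capture_one_poll(cap)))
    t.start()
    with socket.create_connection(("127.0.0.1", cap.getsockname()[1])) as s:
        s.sendall(build_request())
    t.join()
    cap.close()
    # 2. Poll a fake clock; the constructed punches are NOT the real format.
    sample = b"00001 130615 0815 I\r\n00002 130615 0822 I\r\n"
    clk = open_capture_socket(0)
    t = threading.Thread(target=_fake_clock, args=(clk, sample))
    t.start()
    reply = poll_clock("127.0.0.1", clk.getsockname()[1], timeout=3.0)
    t.join()
    clk.close()
    return {"captured": captured[0], "reply": reply, "sample": sample}


if __name__ == "__main__":
    print(hexdump(build_request()))        # 00000000  04 30 30 50 03 ... |.00P.|
    print(hexdump(run_loopback_demo()["reply"]))
    # Against the real clock from the thread (IP taken from the comments):
    # print(hexdump(poll_clock("10.5.9.9")))
```

The "random port" seen in tcpdump is the poller's own ephemeral source port on the same connection, so the reply is already in the session that `poll_clock` reads; if the real clock stays silent, compare `hexdump(captured)` from `capture_one_poll` against `hexdump(build_request())` byte for byte before suspecting an IP restriction.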