The Netsed command-line tool lets you directly manipulate unencrypted data streams, allowing data integrity tests and black-box protocol auditing. It needs very little in terms of resources and is available for installation in all the major distributions. If your distribution only offers a legacy version, rather than the current v1.2, you can download the source code [1] and build the software manually with:

make && sudo make install

Netsed naturally only works on computers that route packages (i.e., routers, e.g., under OpenWrt) or on servers that provide this service. Like a proxy, the software sniffs the data stream from a defined connection and then manipulates it in-line according to rules you define.

You can either launch the program manually or add it to a shell script. If you use local port numbers higher than 1023, you can make do with normal user privileges; otherwise, you need to be root.

Syntax

Netsed syntax is as follows:

$ netsed {<protocol>} {<local port>} {<remote computer>} {<remote port>}\
  {<Search>/<Replace>}

The <protocol> is either tcp or udp, and you can address the <remote computer> by either its hostname or its IP address. The <Search>/<Replace> pattern looks like this:

's/<Search>/<Replace>'

If you omit <Replace>, you delete the specified search term from the data stream. If so desired, the software will also process multiple statements of this kind at the same time. By adding a numeric parameter to the search/replace instruction, you can restrict the number of change actions per transmission. If you want the program to perform a change exactly once, you would use:

's/<old>/<new>/1'

Even if the term exists multiple times, the tool will only replace it once in this case.

Hands On

Assuming the command-line syntax is valid, Netsed shows all the actions related to the connection in the first part of the output, including the number of search and replace rules you pass in. The test setup then manipulates the output of a web server on port 8080 and redirects it to port 9000:

$ netsed tcp 9000 192.168.0.35 8080 's/test/trial/'

After this, Netsed outputs notices on packet forwarding and handling. Figure 1, for example, shows a successful search and replace action (Applying rule outlined in red), and Figure 2 shows the result.

Figure 1: The initial messages and program output from Netsed give you a good idea of the current status and successful replacements (outlined in red).

Figure 2: Top: The original page, as served up by the web server. Bottom: The variant manipulated by Netsed.

As mentioned before, Netsed lets you modify multiple content instances. This command shows a configuration that issues four search and replace commands:

$ netsed tcp 9000 ze5 8080 's/Test/Trial/1' \
  's/http:%2f%2fwww.startpage.com%2f/Search engine locked/''s/192.168.0.35/192.168.0.36/''s/ZE5/ZE6/'

The first task is to replace the string Test once only with Trial. The second instruction removes the link to a search engine and replaces it with the message Search engine locked. The last two instructions replace the server's IP address and hostname (Figure 3).

Figure 3: Netsed also supports more complex manipulations of the output.

You need to quote any forward slash (/) that is part of the Netsed command by using a percent character and the hexadecimal equivalent of a slash (%2f) from the ASCII table.

Conclusions

Netsed provides a relatively simple approach for manipulating unencrypted data transported by a network. The test setup shown in this article is basically intended as a proof of concept to show how easily cleartext can be manipulated. For this reason, it always makes sense to check your websites and hide the imprint in graphical elements instead of using cleartext HTML. This makes it more difficult for attackers to produce spurious website copies.