@vulcan25
Created January 22, 2020 20:21
tcpdump cheatsheet

TCPDUMP

OPTIONS

  • -i any : Listen on all interfaces just to see if you’re seeing any traffic.
  • -i eth0 : Listen on the eth0 interface.
  • -D : Show the list of available interfaces.
  • -n : Don’t resolve hostnames.
  • -nn : Don’t resolve hostnames or port names.
  • -q : Be less verbose (more quiet) with your output.
  • -t : Give human-readable timestamp output.
  • -tttt : Give maximally human-readable timestamp output.
  • -X : Show the packet’s contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.

Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

tcpdump -ttttnnvvS

tcpdump -ttttnnvvS host 1.2.3.4

tcpdump -nnvXSs 0 -c1 icmp

All traffic from 10.5.2.3 going to any host on port 3389

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and src net and not icmp

Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Capture packets by a single TCP flag (RST, SYN or FIN) using the tcpflags option…

tcpdump 'tcp[tcpflags] == tcp-rst'

tcpdump 'tcp[tcpflags] == tcp-syn'

tcpdump 'tcp[tcpflags] == tcp-fin'

PACKETS WITH BOTH THE RST AND SYN FLAGS SET (THIS SHOULD NEVER BE THE CASE)

tcpdump 'tcp[13] = 6'

FIND CLEARTEXT HTTP GET REQUEST

tcpdump 'tcp[32:4] = 0x47455420'

TCP Flags

Unskilled Attackers Pester Real Security Folks

Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST (Immediate Session Teardown, drop session)
Security = SYN (New Connection Request)
Folks = FIN

Bit values of each flag in tcp[13]:

U   A   P   R   S   F
32  16  8   4   2   1

Find All SYN packets

tcpdump 'tcp[13] & 2 != 0'

Find all RST packets

tcpdump 'tcp[13] & 4 != 0'

Find all ACK packets

tcpdump 'tcp[13] & 16 !=0'
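As an added example (not part of the gist), the Python below decodes the tcp[13] flag byte on constructed TCP segments and reproduces the filters above in code: the single-flag bitmasks, the RST+SYN check (tcp[13] = 6), the SYN/ACK mask (tcp[13] & 0x12 == 0x12) used further down, and the cleartext "GET " check from tcp[32:4]. For the last one it also reads the real header length from tcp[12], which shows that the fixed offset 32 only matches when the TCP header carries 12 bytes of options (for example NOP, NOP, Timestamp). The build_tcp_segment helper and every segment are constructed here, not taken from a capture.

```python
"""Decode the TCP flag byte (tcp[13]) and reproduce the cheatsheet's BPF
filters in pure Python. Added example, not part of the gist; every segment
below is constructed inline rather than read from a capture."""
import struct

# Bit values of tcp[13], matching the mnemonic: U A P R S F = 32 16 8 4 2 1
FLAG_BITS = {"URG": 32, "ACK": 16, "PSH": 8, "RST": 4, "SYN": 2, "FIN": 1}


def build_tcp_segment(sport, dport, flags, payload=b"", options=b""):
    """Build a TCP segment (header + options + payload); no IP header.

    The data-offset nibble in tcp[12] is derived from the options length,
    as a real stack would set it. The checksum is left at zero.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    header_len = 20 + len(options)
    data_offset_byte = (header_len // 4) << 4      # upper nibble = header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, 0, 0,       # ports, seq, ack
                         data_offset_byte, flags,  # tcp[12], tcp[13]
                         65535, 0, 0)              # window, checksum, urgent pointer
    return header + options + payload


def flag_names(segment):
    """Set of flag names present in tcp[13]."""
    return {name for name, bit in FLAG_BITS.items() if segment[13] & bit}


# The bitmask filters from the cheatsheet, one function each.
def is_syn(segment):          # tcpdump 'tcp[13] & 2 != 0'
    return segment[13] & 2 != 0


def is_rst(segment):          # tcpdump 'tcp[13] & 4 != 0'
    return segment[13] & 4 != 0


def is_ack(segment):          # tcpdump 'tcp[13] & 16 != 0'
    return segment[13] & 16 != 0


def is_syn_ack(segment):      # tcpdump 'tcp[13] & 0x12 == 0x12'
    return segment[13] & 0x12 == 0x12


def is_rst_and_syn(segment):  # tcpdump 'tcp[13] = 6': RST and SYN together, should never occur
    return segment[13] == 6


def payload_offset(segment):
    """Where the payload starts: header length taken from tcp[12], i.e. (tcp[12] & 0xf0) >> 2."""
    return (segment[12] & 0xF0) >> 2


def is_http_get_fixed_offset(segment):
    """The cheatsheet's filter tcp[32:4] = 0x47455420 ('GET '): it assumes a
    32-byte header (20 bytes plus 12 bytes of options)."""
    return segment[32:36] == b"GET "


def is_http_get_offset_aware(segment):
    """Same check, but reading the header length from tcp[12] instead of assuming 32."""
    start = payload_offset(segment)
    return segment[start:start + 4] == b"GET "


# Constructed sample segments (not from a real capture)
SYN = build_tcp_segment(40000, 80, FLAG_BITS["SYN"])
SYN_ACK = build_tcp_segment(80, 40000, FLAG_BITS["SYN"] | FLAG_BITS["ACK"])
GET_NO_OPTIONS = build_tcp_segment(40000, 80, FLAG_BITS["ACK"] | FLAG_BITS["PSH"],
                                   payload=b"GET / HTTP/1.1\r\n")
# NOP, NOP, Timestamp option (kind 8, length 10) = 12 bytes -> 32-byte header
TIMESTAMP_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8
GET_WITH_TIMESTAMP = build_tcp_segment(40000, 80, FLAG_BITS["ACK"] | FLAG_BITS["PSH"],
                                       payload=b"GET / HTTP/1.1\r\n",
                                       options=TIMESTAMP_OPTIONS)

if __name__ == "__main__":
    for name, seg in [("SYN", SYN), ("SYN_ACK", SYN_ACK),
                      ("GET_NO_OPTIONS", GET_NO_OPTIONS), ("GET_WITH_TIMESTAMP", GET_WITH_TIMESTAMP)]:
        print(f"{name:20} flags={sorted(flag_names(seg))} syn/ack={is_syn_ack(seg)} "
              f"GET@32={is_http_get_fixed_offset(seg)} GET@offset={is_http_get_offset_aware(seg)}")
```

The two GET segments are the point: with a bare 20-byte header the fixed tcp[32:4] filter misses the request, while reading the header length from tcp[12] finds it in both cases, which is why tcpdump filters for payload bytes usually compute the offset as ((tcp[12] & 0xf0) >> 2) rather than hard-coding it.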

Connections: Find SYN and SYN/ACK packets. It is very useful to see who initiated and responded to a connection request. If there are more SYNs than SYN/ACKs, it usually indicates a scan or network problems.

  • Show SYN packets only: tcpdump -n -r pcap 'tcp[13] = 0x02'
  • Show SYN/ACK packets: tcpdump -r pcap 'tcp[13] = 18' | wc -l
  • Find the count of SYN/ACK packets and source port number (warning: slow): tcpdump -n -r pcap '(tcp[13] & 0x12 == 0x12)' | awk '{print $3}' | sed 's/.*\.//' | sort -u -n
  • Wireshark: tcp.flags == 0x12

Port/Pair Combinations: Find the unique source/port combination, then the port numbers (type of conversations). The goal is to identify communication patterns and perform data reduction.

  • First generate the syn_ack.txt file: tcpdump -n -r pcap '(tcp[13] & 0x12 == 0x12)' > syn_ack.txt
  • Get the unique sources and source ports: cat syn_ack.txt | cut -f 3 -d ' ' | sort | uniq -c
  • Get the unique source ports: cat syn_ack.txt | cut -f 3 -d ' ' | cut -f 5 -d '.' | sort | uniq -c

Application Specific Analysis Techniques

HTTP GET Requests

  • In Wireshark use the display filter http.request. It can be worth looking through a URL list for things like “login.php” and trying to determine if they are obfuscated.
  • Then limit the view in Wireshark and run “Follow TCP Stream” to analyze the data exchange.

Finding HTTP redirection with Wireshark

  • Add these columns to show the following values: tcp.stream, http.location, and http.request.full_uri
  • Then search through the data, find a packet, look in the protocol details, right click and “Apply as Column”. Apply the following display filter: http.response.code == 302 or http.response.code == 301 or http.request

HTTP GET and RESPONSE

  • In Wireshark use the filters http.request or http.response
  • The User-Agent string will identify the source browser and OS
  • The Server string will identify the web server, which will hint at the underlying OS

DNS Traffic

  • Should be investigated for manipulation. You want to detect DNS name and IP address changes and short TTL values: tcpdump -n -r pcap 'udp port 53' | grep -i CNAME (or grep A for A records, or...)

Clear Text Credentials

  • The dsniff tool can be used to retrieve usernames and passwords from pcap data. This is used to check whether credentials are passed in cleartext: dsniff -p pcap
  • Network grep, or ngrep, can also be used. Below the options are quiet, case-insensitive, and input file PCAP_FILE: ngrep -q -i password -I PCAP_FILE

Traffic Volume

  • Find traffic by volume to a host. This example is for a web server where ‘pcap’ is a packet capture using HTTP, port 80. For HTTPS, port 443, change the ‘dst port’ from 80 to 443: tcpdump -ntr pcap 'tcp[13] & 0x12 and dst port 80' | awk '{print $4}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '{print $2"\t"$1}'

SMB: Find file sharing
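The SYN/SYN-ACK counting, the source/port pair extraction and the traffic-volume pipeline above all post-process the text that tcpdump prints. As an added example (not part of the gist), the Python below parses constructed lines in the `tcpdump -n -r pcap` format (timestamp, then `IP src.port > dst.port: Flags [..]`), which is why the notes' cut/awk pipelines take field 3 as the source with `-n` and field 4 as the destination with `-ntr`, and reproduces each pipeline as a function, plus the "more SYNs than SYN/ACKs" heuristic as a per-client comparison. The sample lines, the SAMPLE_LINES name and the function names are all assumptions made for this example; IPv6 and name-resolved lines are deliberately skipped.

```python
"""Python equivalent of the cut/sort/uniq pipelines the notes run over
`tcpdump -n -r pcap` text output. Added example, not part of the gist; the
sample lines are constructed to look like tcpdump output, not a real capture."""
import re
from collections import Counter

# Constructed `tcpdump -n -r pcap` lines: a normal handshake to 80 and 443
# from 192.168.1.10, then 192.168.1.11 sending SYNs to 80/80/22 with one
# SYN/ACK and one RST coming back, and one unrelated DNS reply.
SAMPLE_LINES = [
    "10:15:01.000001 IP 192.168.1.10.40001 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0",
    "10:15:01.000105 IP 10.0.0.5.80 > 192.168.1.10.40001: Flags [S.], seq 100, ack 2, win 65160, length 0",
    "10:15:01.000210 IP 192.168.1.10.40001 > 10.0.0.5.80: Flags [.], ack 101, win 64240, length 0",
    "10:15:02.000001 IP 192.168.1.10.40002 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0",
    "10:15:02.000105 IP 10.0.0.5.443 > 192.168.1.10.40002: Flags [S.], seq 100, ack 2, win 65160, length 0",
    "10:15:03.000001 IP 192.168.1.11.51000 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0",
    "10:15:03.000001 IP 192.168.1.11.51001 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0",
    "10:15:03.000001 IP 192.168.1.11.51002 > 10.0.0.5.22: Flags [S], seq 1, win 64240, length 0",
    "10:15:03.000090 IP 10.0.0.5.80 > 192.168.1.11.51000: Flags [S.], seq 5, ack 2, win 65160, length 0",
    "10:15:03.000091 IP 10.0.0.5.80 > 192.168.1.11.51001: Flags [R.], seq 0, ack 2, win 0, length 0",
    "10:15:04.000001 IP 10.0.0.5.53 > 192.168.1.10.33333: 1234 1/0/0 CNAME www.example.com. (40)",
]

# "<timestamp> IP <src.port> > <dst.port>: Flags [<flags>], ..." (IPv4 with -n only;
# "IP6" lines and lines with resolved names do not match and are skipped)
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (?:Flags \[([^\]]*)\])?")


def split_endpoint(endpoint):
    """'10.0.0.5.80' -> ('10.0.0.5', 80): the port is the 5th dot-separated
    field, which is what `cut -f 5 -d .` extracts."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group(1))
    dst_host, dst_port = split_endpoint(m.group(2))
    return {"src": m.group(1), "src_host": src_host, "src_port": src_port,
            "dst": m.group(2), "dst_host": dst_host, "dst_port": dst_port,
            "flags": m.group(3)}  # None for non-TCP lines such as the DNS reply


def parse_lines(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]


def is_syn_only(rec):   # tcp[13] = 0x02 -> "Flags [S]"
    return rec["flags"] is not None and "S" in rec["flags"] and "." not in rec["flags"]


def is_syn_ack(rec):    # tcp[13] & 0x12 == 0x12 -> "Flags [S.]" ('.' is tcpdump's ACK marker)
    return rec["flags"] is not None and "S" in rec["flags"] and "." in rec["flags"]


def syn_ack_sources(lines):
    """cut -f 3 -d ' ' | sort | uniq -c : SYN/ACK count per source host.port."""
    return Counter(r["src"] for r in parse_lines(lines) if is_syn_ack(r))


def syn_ack_source_ports(lines):
    """... | cut -f 5 -d '.' | sort | uniq -c : SYN/ACK count per source port."""
    return Counter(r["src_port"] for r in parse_lines(lines) if is_syn_ack(r))


def syn_vs_syn_ack_by_client(lines):
    """Per client host: (SYNs it sent, SYN/ACKs it received)."""
    sent, received = Counter(), Counter()
    for r in parse_lines(lines):
        if is_syn_only(r):
            sent[r["src_host"]] += 1
        elif is_syn_ack(r):
            received[r["dst_host"]] += 1
    return {host: (sent[host], received[host]) for host in sent}


def suspected_scanners(lines, min_unanswered=2):
    """Hosts with noticeably more SYNs sent than SYN/ACKs received (the notes'
    'more SYNs than SYN/ACKs' rule of thumb, applied per client)."""
    return sorted(host for host, (syns, syn_acks) in syn_vs_syn_ack_by_client(lines).items()
                  if syns - syn_acks >= min_unanswered)


def volume_by_dest_host(lines, dst_port=80):
    """'tcp[13] & 0x12 and dst port N' | awk '{print $4}' | ... | uniq -c :
    packets with SYN or ACK set, counted per destination host."""
    return Counter(r["dst_host"] for r in parse_lines(lines)
                   if r["dst_port"] == dst_port and r["flags"] is not None
                   and ("S" in r["flags"] or "." in r["flags"]))


if __name__ == "__main__":
    print("SYN/ACK per source:", dict(syn_ack_sources(SAMPLE_LINES)))
    print("SYN/ACK per source port:", dict(syn_ack_source_ports(SAMPLE_LINES)))
    print("SYN sent / SYN-ACK received per client:", syn_vs_syn_ack_by_client(SAMPLE_LINES))
    print("Suspected scanners:", suspected_scanners(SAMPLE_LINES))
    print("SYN/ACK-flagged packets to port 80 per host:", dict(volume_by_dest_host(SAMPLE_LINES, 80)))
```

Feeding real output is a matter of replacing SAMPLE_LINES with `sys.stdin` after `tcpdump -n -r pcap | python3 script.py`; the line format assumed here is the default one-line summary, so any extra verbosity flags (-v, -X) or resolved names (no -n) would need the regular expression adjusted.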