TCPDUMP
OPTIONS
-i any : Listen on all interfaces, just to see if you're seeing any traffic.
-i eth0 : Listen on the eth0 interface.
-D : Show the list of available interfaces.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-q : Be less verbose (quieter) with your output; show less protocol information.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-E : Decrypt IPSEC traffic by providing an encryption key.
Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
tcpdump -ttttnnvvS
tcpdump -ttttnnvvS host 1.2.3.4
tcpdump -nnvXSs 0 -c1 icmp
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
tcpdump dst 192.168.0.2 and src net NET/PREFIX and not icmp   (NET/PREFIX is a placeholder for the source network; the original line omitted it)
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
tcpdump 'tcp[tcpflags] == tcp-rst'
tcpdump 'tcp[tcpflags] == tcp-syn'
tcpdump 'tcp[tcpflags] == tcp-fin'
tcpdump 'tcp[13] = 6'
tcpdump 'tcp[32:4] = 0x47455420'
Unskilled Attackers Pester Real Security Folks
Unskilled = URG
Attackers = ACK
Pester = PSH
Real = RST = Immediate Session Teardowns (drop session)
Security = SYN = New Connection Request
Folks = FIN

U   A   P   R   S   F
32  16  8   4   2   1
tcpdump 'tcp[13] & 2 != 0'
tcpdump 'tcp[13] & 4 != 0'
tcpdump 'tcp[13] & 16 != 0'
Connections: Find SYN and SYN/ACK Packets
- It is very useful to see who initiated and who responded to a connection request. If there are more SYNs than SYN/ACKs, it usually indicates a scan or network problems.
- Show SYN packets only: tcpdump -n -r pcap 'tcp[13] = 0x02'
- Show (and count) SYN/ACK packets: tcpdump -n -r pcap 'tcp[13] = 18' | wc -l
- Find the count of SYN/ACK packets and the source port numbers (warning: slow): tcpdump -n -r pcap 'tcp[13] & 0x12 == 0x12' | awk '{print $3}' | sed 's/.*\.//' | sort -u -n
- Wireshark: tcp.flags == 0x12
Port/Pair Combinations
- Find the unique source/port combinations, then the port numbers (the types of conversations). The goal is to identify communication patterns and perform data reduction.
- First generate the syn_ack.txt file: tcpdump -n -r pcap 'tcp[13] & 0x12 == 0x12' > syn_ack.txt
- Get the unique sources and source ports: cat syn_ack.txt | cut -f 3 -d ' ' | sort | uniq -c
- Get the unique source ports: cat syn_ack.txt | cut -f 3 -d ' ' | cut -f 5 -d '.' | sort | uniq -c
Application Specific Analysis Techniques
HTTP GET Requests
- In Wireshark use the display filter "http.request". It can be worth looking through a URL list for things like "login.php" and trying to determine if they are obfuscated.
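The SYN vs. SYN/ACK comparison and the source/port reduction above are done by hand with wc, cut and uniq; as an added shell example (not part of the original notes), this runs the same reduction with awk over constructed `tcpdump -n -r pcap` text output embedded inline, flagging sources that sent more SYNs than they received SYN/ACKs and counting the distinct destination ports each source touched. It assumes IPv4 addresses in tcpdump's `a.b.c.d.port` form; the sample lines are constructed, not from a real capture.

```bash
#!/bin/sh
# Constructed sample of `tcpdump -n -r pcap 'tcp[13] & 0x12 != 0'` output
# (not from a real capture). Field 7 is the Flags token: [S] = SYN, [S.] = SYN/ACK.
SAMPLE='12:00:00.000001 IP 10.5.2.3.40001 > 192.168.0.2.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.168.0.2.22 > 10.5.2.3.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:00.000003 IP 10.5.2.3.40002 > 192.168.0.2.80: Flags [S], seq 3, win 64240, length 0
12:00:00.000004 IP 192.168.0.2.80 > 10.5.2.3.40002: Flags [S.], seq 4, ack 4, win 65160, length 0
12:00:00.000005 IP 10.5.2.9.50001 > 192.168.0.2.445: Flags [S], seq 5, win 1024, length 0
12:00:00.000006 IP 10.5.2.9.50002 > 192.168.0.2.3389: Flags [S], seq 6, win 1024, length 0
12:00:00.000007 IP 10.5.2.9.50003 > 192.168.0.2.8080: Flags [S], seq 7, win 1024, length 0
12:00:00.000008 IP 10.5.2.9.50004 > 192.168.0.2.23: Flags [S], seq 8, win 1024, length 0'

# count_flag '[S],' or '[S.],': how many lines carry that exact Flags token
# (same idea as the tcpdump ... | wc -l lines above, but on saved text output).
count_flag() {
  printf '%s\n' "$SAMPLE" | awk -v f="$1" '$7 == f { n++ } END { print n + 0 }'
}

# half_open_sources: per source IP, SYNs it sent vs SYN/ACKs it received back.
# Prints "src syn_sent synack_received" only for sources with more SYNs than
# replies, i.e. the "more SYNs than SYN/ACKs" heuristic from the notes.
# Assumes IPv4 in tcpdump's a.b.c.d.port form (the trailing .port is stripped).
half_open_sources() {
  printf '%s\n' "$SAMPLE" | awk '
    $7 == "[S],"  { ip = $3; sub(/\.[0-9]+$/, "", ip);  syn[ip]++ }
    $7 == "[S.]," { ip = $5; sub(/\.[0-9]+:$/, "", ip); ack[ip]++ }
    END { for (ip in syn) if (syn[ip] > ack[ip] + 0) print ip, syn[ip], ack[ip] + 0 }
  ' | sort
}

# distinct_dst_ports SRC: number of different destination ports SRC sent SYNs to
# (the port/pair reduction done above with cut | sort | uniq -c, but per source).
distinct_dst_ports() {
  printf '%s\n' "$SAMPLE" | awk -v src="$1" '
    $7 == "[S]," {
      ip = $3; sub(/\.[0-9]+$/, "", ip)
      if (ip == src) { port = $5; sub(/:$/, "", port); sub(/.*\./, "", port); ports[port] = 1 }
    }
    END { n = 0; for (p in ports) n++; print n }
  '
}

echo "SYN: $(count_flag '[S],')  SYN/ACK: $(count_flag '[S.],')"
echo "sources with unanswered SYNs (src sent recv):"
half_open_sources
```

To run it on a real capture, replace the SAMPLE literal with `tcpdump -n -r pcap 'tcp[13] & 0x12 != 0'` output (for example via `SAMPLE=$(tcpdump -n -r pcap 'tcp[13] & 0x12 != 0')`).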
- Then limit the view in Wireshark and run "Follow TCP Stream" to analyze the data exchange.
- Finding HTTP redirection with Wireshark
- Add these columns to show the following values: tcp.stream, http.location, and http.request.full_uri. Then search through the data, find a packet, look in the protocol details, right click and "Apply as Column". Apply the following display filter: http.response.code == 302 or http.response.code == 301 or http.request
HTTP GET and RESPONSE
- In Wireshark use the filters http.request or http.response
- The User-Agent string will identify the source browser and OS.
- The Server string will identify the web server, which will hint at the underlying OS
- DNS Traffic: should be investigated for manipulation. You want to detect DNS name and IP address changes and short TTL values: tcpdump -n -r pcap 'udp port 53' | grep -i CNAME (or grep A for A records, or ...)
- Clear Text Credentials: the dsniff tool can be used to retrieve usernames and passwords from pcap data. This is used to check whether credentials are passed in cleartext: dsniff -p pcap
- Network grep, or ngrep, can also be used. Below, the options are quiet, case insensitive, and input file of PCAP_FILE: ngrep -q -i password -I PCAP_FILE
Traffic Volume
- Find traffic by volume to a host. This example is for a web server where 'pcap' is a packet capture using HTTP, port 80. For HTTPS, port 443, change the 'dst port' from 80 to 443:
tcpdump -ntr pcap 'tcp[13] & 0x12 and dst port 80' | awk '{print $4}' | tr . ' ' | awk '{print $1"."$2"."$3"."$4}' | sort | uniq -c | awk '{print $2"\t"$1}'
SMB: Find file sharing