Thursday, August 13, 2009

TCPDUMP

TCPDUMP USE
The following will record all raw traffic to a dump file for latter analysis. The -s 0 option specifies that the full packet should be saved without truncation; the -v option will report every 10 seconds the number of packets captured so far.
tcpdump -i eth0 -s 0 -v -w traffic.pcap
The following tcpdump example will dump raw binary Yahoo IM traffic to stdout. Note the '-w -' option to write binary to stdout.
tcpdump -i eth0 -n -l -w - "port mmcc"
This will dump Yahoo IM with filtering of unreadable binary characters. Note the -A, -q, and -s 0 options are used to filter and dump ASCII data. The -l option sets line-buffered output. You may also remove the -t option if you would like to see timestamps on each packet.
tcpdump -i eth0 -l -t -A -q -s 0 "port mmcc"
You may sometimes get a Permission denied error when working with tcpdump. This is probably caused by AppArmor. You can check by running this command:
grep tcpdump /sys/kernel/security/apparmor/profiles
If you see tcpdump in that file then you can set AppArmor to just complain instead of block by running the following:
aa-complain /usr/sbin/tcpdump
The following will dump mail traffic.
tcpdump -i eth0 -l -t -A -q -s 0 "port 25 or port 587 or port 110 or port 143"



To display the Standard TCPdump output:

#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36

To display the verbose output:

#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

Network interfaces available for the capture:

#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535

To display the quick output:

#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

Capture the traffic of a particular interface:

tcpdump -i eth0
To capture the UDP traffic:

#tcpdump udp
To capture the TCP port 80 traffic:

#tcpdump port http
To capture the traffic from a filter stored in a file:

#tcpdump -F file_name
To create a file where the filter is configured (here the TCP 80 port)

#vim file_name
port 80
To stop the capture after 20 packets:

#tcpdump -c 20
To send the capture output in a file instead of directly on the screen:

#tcpdump -w capture.log
To read a capture file:

#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527

The captured data isn't stored in plain text so you cannot read it with a text editor, you have to use a special tool like TCPdump (see above) or Wireshark (Formerly Ethereal) which provides a graphical interface.

The capture.log file is opened with Wireshark.


To display the packets having "www.openmaniak.com" as their source or destination address:

#tcpdump host www.openmaniak.com
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packets content:

#tcpdump -A
Packets capture during a FTP connection. The FTP password can be easily intercepted because it is sent in clear text to the server.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g....................
............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@.............
........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8.....
......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$.....
...=..ENUSER teddybear

20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup

20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,...........
......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,...........
......EzSYST

20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j.....
......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT

20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g...........
......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.

We see in this capture the FTP username (teddybear) and password (wakeup).

===============================
===============================


Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.

Here I'm simply going to give a number of recipes that you're likely to find useful during your day to day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.

Basics

Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.

Basic Communication // See the basics without many options

# tcpdump -nS
Basic Communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS
Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514

Recipes

1. host // look for traffic based on IP address (also works with hostname if you're not using -n)
# tcpdump host 1.2.3.4

2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

3. net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24

4. proto // works for tcp, udp, and icmp. Note that you don't have to type proto
# tcpdump icmp

5. port // see only traffic to or from a certain port
# tcpdump port 3389

6. src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 3389


Combinations

TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
# tcpdump src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port:
# tcpdump -vv src mars or pluto and not dst port 22

Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22:
# tcpdump 'src 10.0.2.4 and \(dst port 3389 or 22\)'

Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.

Finding Flags

Hint: Use the following acronym to remember your flags: Unskilled Attackers Pester Real Security Folk

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)