'SECURITY/Network'에 해당되는 글 36건
Tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.
When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using
tcpdump instead of other tools whenever possible.
Below are a few options you can use when configuring
tcpdump. They’re easy to forget and/or confuse with other types of filters, e.g., Wireshark, so hopefully this page can serve as a reference for you, as it does me. here are the main ones I like to keep in mind depending on what I’m looking at.
-i any: Listen on all interfaces just to see if you’re seeing any traffic.
-i eth0: Listen on the eth0 interface.
-D: Show the list of available interfaces
-l: Line-readable output (for viewing as you save, or sending to other commands)
-A: Display output in ASCII.
-n: Don’t resolve hostnames.
-nn: Don’t resolve hostnames or port names.
-q: Be less verbose (more quiet) with your output.
-t: Give human-readable timestamp output.
-tttt: Give maximally human-readable timestamp output.
-X: Show the packet’s contents in both hex and ascii.
-XX: Same as
-X, but also shows the ethernet header.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c: Only get x number of packets and then stop.
-s: Define the snaplength (size) of the capture in bytes. Use
-s0to get everything, unless you are intentionally capturing less.
-S: Print absolute sequence numbers.
-e: Get the ethernet header as well.
-q: Show less protocol information.
-E: Decrypt IPSEC traffic by providing an encryption key.
The default snaplength as of
tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won’t get everything. Use
-s 1514 or
-s 0 to get full coverage.
tcpdump, Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with
There are three main types of expression:
- Type options are:
- Direction lets you do
dst, and combinations thereof.
- Proto(col) lets you designate:
ah, and many more.
So, now that we’ve seen what our options are, let’s look at some real-world examples that we’re likely to see in our everyday work.
Just see what’s going on, by looking at all interfaces.
Basic view of what’s happening on a particular interface.
Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.
One of the most common queries, this will show you traffic from 220.127.116.11, whether it’s the source or the destination.
Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.
It’s quite easy to isolate traffic based on either source or destination using
To find packets going to or from a particular network, use the
netoption. You can combine this with the
dst options as well.
You can find specific port traffic by using the
port option followed by the port number.
If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.
You can also find all IP6 traffic using the protocol option.
You can also use a range of ports to find traffic.
If you’re looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathematics.
It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by
tcpdump itself. Here we’re writing to a file called capture_file using the
You can read PCAP files by using the
-r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.
Now that we’ve seen what we can do with the basics through some examples, let’s look at some more advanced stuff.
It’s All About the Combinations
Being able to do these various things individually is powerful, but the real magic of
tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied programming at all they’ll be pretty familiar to you.
Here are some examples of combined commands.
Let’s find all traffic from 10.5.2.3 going to any host on port 3389.
Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.
This will show us all traffic going to 192.168.0.2 that is not ICMP.
This will show us all traffic from a host that isn’t SSH traffic (assuming default port usage).
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
Keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell
tcpdump to ignore certain special characters—in this case below the “( )” brackets. This same technique can be used to group using other expressions such as
You can also use filters to isolate packets with specific TCP flags set.
Isolate TCP RST flags.
The filters below find these various packets because
tcp looks at offset 13 in the tcp header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
Isolate TCP SYN flags.
Isolate packets that have both the SYN and ACK flags set.
Only the PSH, RST, SYN, and FIN flags are displayed in
tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.
Isolate TCP URG flags.
Isolate TCP ACK flags.
Isolate TCP PSH flags.
Isolate TCP FIN flags.
Because tcpdump can output content in ASCII, you can use it to search for cleartext content using other command-line tools like
Finally, now that we the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.
-l switch lets you see the traffic as you’re capturing it, and helps when sending to commands like
This one works regardless of what port the connection comes in on, because it’s getting the banner response.
There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.
Check out my other tutorialsas well.
Here are the takeaways.
tcpdumpis a valuable tool for anyone looking to get into networking or information security.
- The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets make it the best possible tool for learning TCP/IP.
- Protocol Analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with
Well, this primer should get you going strong, but the man pageshould always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions.
- I’m currently (sort of) writing a book on tcpdump for No Starch Press.
- The leading image is from securitywizardry.com.
- Some of the isolation filters borrowed from sébastien wains.
- Thanks to peter at hackertarget.com for inspiration on the new table of contents (simplified), and also for some additional higher-level protocol filters added in July 2018.
- An anagram for the TCP flags is: unskilled attackers pester realsecurity folk.
1. DNS Brute Force
nmap -p 80 --script dns-brute.nse vulnweb.com Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST Nmap scan report for vulnweb.com (18.104.22.168) Host is up (0.34s latency). rDNS record for 22.214.171.124: rs202995.rs.hosteurope.de PORT STATE SERVICE 80/tcp open http Host script results: | dns-brute: | DNS Brute-force hostnames: | admin.vulnweb.com - 126.96.36.199 | firewall.vulnweb.com - 188.8.131.52 |_ dev.vulnweb.com - 184.108.40.206 Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds
2. Find Hosts on IP
nmap -p 80 --script hostmap-bfk.nse nmap.org Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:47 EST Nmap scan report for nmap.org (220.127.116.11) Host is up (0.19s latency). PORT STATE SERVICE 80/tcp open http Host script results: | hostmap-bfk: | hosts: | www.nmap.org | 18.104.22.168 | seclists.org | sectools.org | svn.nmap.org | nmap.org | hb.insecure.org | insecure.org | images.insecure.org | 22.214.171.124.in-addr.arpa |_ www.insecure.org Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
3. Traceroute Geolocation
sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 21:03 EST Nmap scan report for hackertarget.com (126.96.36.199) Host is up (0.31s latency). PORT STATE SERVICE 80/tcp open http Host script results: | traceroute-geolocation: | HOP RTT ADDRESS GEOLOCATION | 1 2.09 192.168.1.1 - ,- | 2 25.55 core-xxxxx.grapevine.net.au (203.xxx.32.20) -27,133 Australia (Unknown) | 3 31.61 core-xxxxx.grapevine.net.au (203.xxx.32.25) -27,133 Australia (Unknown) | 4 25.02 xe0-0-0-icr1.cbr2.transact.net.au (188.8.131.52) -27,133 Australia (Unknown) | 5 23.48 xe11-3-0.cr1.cbr2.on.ii.net (184.108.40.206) -27,133 Australia (Unknown) | 6 43.45 ae2.br1.syd4.on.ii.net (220.127.116.11) -27,133 Australia (Unknown) | 7 175.24 te0-0-0-1.br1.lax1.on.ii.net (18.104.22.168) -27,133 Australia (Unknown) | 8 181.29 TenGE13-2.br02.lax04.pccwbtn.net (22.214.171.124) 38,-97 United States (Unknown) | 9 310.46 telecity.ge9-9.br02.ldn01.pccwbtn.net (126.96.36.199) 51,0 United Kingdom (London) | 10 309.63 188.8.131.52 51,0 United Kingdom (Unknown) |_ 11 338.95 hackertarget.com (184.108.40.206) 51,0 United Kingdom (Unknown) TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 2.09 ms 192.168.1.1 2 25.55 ms core-xxxxx.grapevine.net.au (203.xxx.32.20) 3 31.61 ms core-xxxxx.grapevine.net.au (203.xxx.32.25) 4 25.02 ms xe0-0-0-icr1.cbr2.transact.net.au (220.127.116.11) 5 23.48 ms xe11-3-0.cr1.cbr2.on.ii.net (18.104.22.168) 6 43.45 ms ae2.br1.syd4.on.ii.net (22.214.171.124) 7 175.24 ms te0-0-0-1.br1.lax1.on.ii.net (126.96.36.199) 8 181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (188.8.131.52) 9 310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (184.108.40.206) 10 309.63 ms 220.127.116.11 11 338.95 ms hackertarget.com (18.104.22.168)
nmap --script http-enum 192.168.10.55 Nmap scan report for ubuntu-test (192.168.10.55) Host is up (0.024s latency). Not shown: 993 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http | http-enum: | /robots.txt: Robots file | /readme.html: WordPress version 3.9.2 | /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' | /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.10.55 Nmap scan report for xbmc (192.168.1.5) Host is up (0.0012s latency). PORT STATE SERVICE 80/tcp open http | http-enum: | /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)' | /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' |_ /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)' Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
5. HTTP Title
nmap --script http-title -sV -p 80 192.168.1.0/24 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 20:47 EST Nmap scan report for 192.168.1.1 Host is up (0.0018s latency). PORT STATE SERVICE VERSION 80/tcp open http Linksys wireless-G WAP http config (Name RT-N16) |_http-title: 401 Unauthorized Service Info: Device: WAP Nmap scan report for xbmc (192.168.1.115) Host is up (0.0022s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). Nmap scan report for 192.168.1.118 Host is up (0.0035s latency). PORT STATE SERVICE VERSION 80/tcp open upnp Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0) |_http-title: WorkForce 630 Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630 Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds
Microsoft Windows Network Recon
nmap -p 445 --script smb-os-discovery 192.168.1.0/24 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:32 EST Nmap scan report for test1 (192.168.1.115) Host is up (0.0035s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-os-discovery: | OS: Unix (Samba 3.6.3) | Computer name: ubuntu003 | NetBIOS computer name: | Domain name: | FQDN: ubuntu003 |_ System time: 2014-09-24T23:34:41+10:00 Nmap scan report for 192.168.1.101 Host is up (0.018s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-os-discovery: | OS: Windows XP (Windows 2000 LAN Manager) | OS CPE: cpe:/o:microsoft:windows_xp::- | Computer name: test-xp3 | NetBIOS computer name: TEST-XP3 | Workgroup: WORKGROUP |_ System time: 2014-09-24T23:33:01+01:00
nmap -sV -p 445 --script smb-brute 192.168.1.101 Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:47 EST Nmap scan report for 192.168.1.101 Host is up (0.060s latency). PORT STATE SERVICE VERSION 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-brute: |_ No accounts found Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds
1. 개념 설명 문서
/etc/snmp/snmpd.conf 또는 /etc/snmp/conf/snmpd.conf 설정파일에서
"com2sec notConfigUser default public" 값을 "com2sec notConfigUser default 변경값" 으로 수정해 줌
서비스 재시작 해주고 service snmpd restart or /etc/init.d/snmpd start
snmpwalk -v2c -c 변경값 localhost
pcap 파일을 이용해 악성 트래픽을 분석하는 도구 자세한 내용은 위 링크 참고
git clone으로 설치 후 사용 가능
재밌게 활용할 수 있을것 같다.