'SECURITY/Network'에 해당되는 글 36건

  1. [Tool] 와이어샤크 플러그인
  2. [자료] TCP dump
  3. [자료] Capture a Network Trace without installing anything
  4. [자료] TCP dump
  5. [자료] NSE
  6. [자료] SSL 패킷 디크립트
  7. [정리] SNMP community string
  8. [자료] TCP TIME_WAIT 관련 글
  9. [Tool] CapTipper
  10. [자료] Nmap 자세한 정리

[Tool] 와이어샤크 플러그인

https://github.com/pentesteracademy/patoolkit?fbclid=IwAR1Jn1pIb8LgqcHHc1YsRNG2lBcRpzwS3v7fJ5BoWjEv-N2nOVHBJngBcPg



PA Toolkit (Pentester Academy Wireshark Toolkit)

PA Toolkit is a collection of traffic analysis plugins to extend the functionality of Wireshark from a micro-analysis tool and protocol dissector to the macro analyzer and threat hunter. PA Toolkit contains plugins (both dissectors and taps) covering various scenarios for multiple protocols, including:

  • WiFi (WiFi network summary, Detecting beacon, deauth floods etc.)
  • HTTP (Listing all visited websites, downloaded files)
  • HTTPS (Listing all websites opened on HTTPS)
  • ARP (MAC-IP table, Detect MAC spoofing and ARP poisoning)
  • DNS (Listing DNS servers used and DNS resolution, Detecting DNS Tunnels)

The project is under active development and more plugins will be added in near future.

This material was created while working on "Traffic Analysis: TSHARK Unleashed" course. Those interested can check the course here: https://www.pentesteracademy.com/course?id=42

Terms of Use

  • This is licensed under GPL just as Wireshark.

Installation

Steps:

  1. Copy the "plugins" directory to Wireshark plugins directory.
  2. Start wireshark. :)

One can get the location of wireshark plugins directory by checking Help > About Wireshark > Folders

https://user-images.githubusercontent.com/743886/43845711-72426d36-9ae1-11e8-9945-0bbe8e078e2a.png

Tool featured at

Author

Under the guidance of Mr. Vivek Ramachandran, CEO, Pentester Academy

Documentation

For more details refer to the "PA-Toolkit.pdf" PDF file. This file contains the slide deck used for presentations.

Screenshots

PA Toolkit after installation

https://user-images.githubusercontent.com/743886/44320933-e4772d80-a3f9-11e8-86c6-82b614221700.png

List of websites visited over HTTP

https://user-images.githubusercontent.com/743886/44320940-e8a34b00-a3f9-11e8-98e9-ab003107d15c.png

Search functionality

https://user-images.githubusercontent.com/743886/44320950-f48f0d00-a3f9-11e8-897a-d84d5e20e2e0.png

Domain to IP mappings

https://user-images.githubusercontent.com/743886/44320953-f8bb2a80-a3f9-11e8-8530-70d36b0a1bff.png

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License v2 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

'SECURITY > Network' 카테고리의 다른 글

[Tool] 와이어샤크 플러그인  (0) 2018.12.28
[자료] TCP dump  (0) 2018.08.22
[자료] Capture a Network Trace without installing anything  (0) 2018.06.06
[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20

[자료] TCP dump

https://danielmiessler.com/study/tcpdump/


A tcpdump Tutorial and Primer with Examples

tcpdump-primer-examples

Why tcpdump?

Tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Wireshark, but I believe this to usually be a mistake.

When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.

Basics

Below are a few options you can use when configuring tcpdump. They’re easy to forget and/or confuse with other types of filters, e.g., Wireshark, so hopefully this page can serve as a reference for you, as it does me. here are the main ones I like to keep in mind depending on what I’m looking at.

Options

  • -i any : Listen on all interfaces just to see if you’re seeing any traffic.
  • -i eth0 : Listen on the eth0 interface.
  • -D : Show the list of available interfaces
  • -l : Line-readable output (for viewing as you save, or sending to other commands)
  • -A : Display output in ASCII.
  • -n : Don’t resolve hostnames.
  • -nn : Don’t resolve hostnames or port names.
  • -q : Be less verbose (more quiet) with your output.
  • -t : Give human-readable timestamp output.
  • -tttt : Give maximally human-readable timestamp output.
  • -X : Show the packet’s contents in both hex and ascii.
  • -XX : Same as -X, but also shows the ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.

The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won’t get everything. Use -s 1514 or -s 0 to get full coverage.

Expressions

In tcpdumpExpressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump.

There are three main types of expression: typedir, and proto.

  • Type options are: hostnet, and port.
  • Direction lets you do srcdst, and combinations thereof.
  • Proto(col) lets you designate: tcpudpicmpah, and many more.

Examples

So, now that we’ve seen what our options are, let’s look at some real-world examples that we’re likely to see in our everyday work.

basic communication

Just see what’s going on, by looking at all interfaces.

tcpdump -i any

specific interface

Basic view of what’s happening on a particular interface.

tcpdump -i eth0

raw output view

Verbose output, with no resolution of hostnames or port numbers, absolute sequence numbers, and human-readable timestamps.

tcpdump -ttttnnvvS

find traffic by ip

One of the most common queries, this will show you traffic from 1.2.3.4, whether it’s the source or the destination.

tcpdump host 1.2.3.4

seeing more of the packet with hex output

Hex output is useful when you want to see the content of the packets in question, and it’s often best used when you’re isolating a few candidates for closer scrutiny.

tcpdump -nnvXSs 0 -c1 icmp

filtering by source and destination

It’s quite easy to isolate traffic based on either source or destination using src and dst.

tcpdump src 2.3.4.5 
tcpdump dst 3.4.5.6

finding packets by network

To find packets going to or from a particular network, use the netoption. You can combine this with the src or dst options as well.

tcpdump net 1.2.3.0/24

show traffic related to a specific port

You can find specific port traffic by using the port option followed by the port number.

tcpdump port 3389 

tcpdump src port 1025

show traffic of one protocol

If you’re looking for one particular kind of traffic, you can use tcp, udp, icmp, and many others as well.

tcpdump icmp

show only ip6 traffic

You can also find all IP6 traffic using the protocol option.

tcpdump ip6

find traffic using port ranges

You can also use a range of ports to find traffic.

tcpdump portrange 21-23

find traffic based on packet size

If you’re looking for packets of a particular size you can use these options. You can use less, greater, or their associated symbols that you would expect from mathematics.

tcpdump less 32 

tcpdump greater 64 

tcpdump <= 128

reading / writing captures to a file

It’s often useful to save packet captures into a file for analysis in the future. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems, and of course by tcpdump itself. Here we’re writing to a file called capture_file using the -w switch.

tcpdump port 80 -w capture_file

You can read PCAP files by using the -r switch. Note that you can use all the regular commands within tcpdump while reading in a file; you’re only limited by the fact that you can’t capture and process what doesn’t exist in the file already.

tcpdump -r capture_file

Advanced

Now that we’ve seen what we can do with the basics through some examples, let’s look at some more advanced stuff.

It’s All About the Combinations

Being able to do these various things individually is powerful, but the real magic of tcpdump comes from the ability to combine options in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied programming at all they’ll be pretty familiar to you.

  1. AND 
    and or &&
  2. OR 
    or or ||
  3. EXCEPT 
    not or !

Here are some examples of combined commands.

from specific ip and destined for a specific port

Let’s find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

from one network to another

Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or172.16.0.0/16

non icmp traffic going to a specific ip

This will show us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and src net and not icmp

traffic from a host that isn’t on a specific port

This will show us all traffic from a host that isn’t SSH traffic (assuming default port usage).

tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.

Keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters—in this case below the “( )” brackets. This same technique can be used to group using other expressions such as hostportnet, etc.

tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

isolate tcp flags

You can also use filters to isolate packets with specific TCP flags set.

Isolate TCP RST flags.

The filters below find these various packets because tcp[13] looks at offset 13 in the tcp header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.

tcpdump 'tcp[13] & 4!=0'
# tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'
# tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

tcpdump 'tcp[13]=18'

Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field.

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'
# tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'
# tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'
# tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'
# tcpdump 'tcp[tcpflags] == tcp-fin'

Everyday Recipe Examples

Because tcpdump can output content in ASCII, you can use it to search for cleartext content using other command-line tools like grep.

Finally, now that we the theory out of the way, here are a number of quick recipes you can use for catching various kinds of traffic.

both syn and rst set

tcpdump 'tcp[13] = 6'

find http user agents

The -l switch lets you see the traffic as you’re capturing it, and helps when sending to commands like grep.

tcpdump -vvAls0 | grep 'User-Agent:'

cleartext get requests

tcpdump -vvAls0 | grep 'GET'

find http host headers

tcpdump -vvAls0 | grep 'Host:'

find http cookies

tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

find ssh connections

This one works regardless of what port the connection comes in on, because it’s getting the banner response.

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

find dns traffic

tcpdump -vvAs0 port 53

find ftp traffic

tcpdump -vvAs0 port ftp or ftp-data

find ntp traffic

tcpdump -vvAs0 port 123

find cleartext passwords

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

find traffic with evil bit

There’s a bit in the IP header that never gets set by legitimate applications, which we call the “Evil Bit”. Here’s a fun filter to find packets where it’s been toggled.

tcpdump 'ip[6] & 128 != 0'


Check out my other tutorialsas well.

Summary

Here are the takeaways.

  1. tcpdump is a valuable tool for anyone looking to get into networking or information security.
  2. The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets make it the best possible tool for learning TCP/IP.
  3. Protocol Analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdumpfirst.

Well, this primer should get you going strong, but the man pageshould always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions.

Notes

  1. I’m currently (sort of) writing a book on tcpdump for No Starch Press.
  2. The leading image is from securitywizardry.com.
  3. Some of the isolation filters borrowed from sébastien wains.
  4. Thanks to peter at hackertarget.com for inspiration on the new table of contents (simplified), and also for some additional higher-level protocol filters added in July 2018.
  5. An anagram for the TCP flags is: unskilled attackers pester realsecurity folk.


'SECURITY > Network' 카테고리의 다른 글

[Tool] 와이어샤크 플러그인  (0) 2018.12.28
[자료] TCP dump  (0) 2018.08.22
[자료] Capture a Network Trace without installing anything  (0) 2018.06.06
[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20

[자료] Capture a Network Trace without installing anything

https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/



If you need to capture a network trace of a client or server without installing Wireshark or Netmon this might be helpful for you. (This feature works on Windows 7/2008 R2 and above).

The short version:

1. Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).

2. Reproduce the issue or do a reboot if you are tracing a slow boot scenario.

 

3. Open an elevated command prompt and run: "netsh trace stop"

 

Your trace will be stored in c:\temp\nettrace-boot.etl**or where ever you saved it. You can view the trace on another machine using netmon.

 

The longer version:

 

Since im working with the slow boot, slow logon team this week i will do this trace for a slow boot scenario - it works fine for non reboot scenarios too, just reproduce the issue and then stop the trace.

 

1. Open an elevated command prompt and run: "netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl" (make sure you have a \temp directory or choose another location).

 

 

2. Reboot the client machine.

 

3. Log on and stop the trace using: "netsh trace stop" (from an elevated prompt).

 

 

If you forget to elevate the prompt you will get this:

 

 

Now that you have the trace, you can take it to a machine where installing netmon is more appropriate to view the data. For customers, I capture using the netsh switch then get permission to view the data on my machine where I have netmon installed. Netmon allows us to choose .etl as a file to open as if it was an .cap file from a traditional trace.

 

When you open the file you might find that it looks a bit rubbish at first:

 

 

All you need to do is go to the tools > options tab so that you can tell netmon which parsers to use to convert the trace:

 

 

Choose the Windows parsers and dont forget to click "set as active" before you click OK or nothing will happen.

 

Now the output is ready for you to analyse:

 

 

I can see above, the DHCP discover packets have been parsed correctly (and... that we arnt getting a response from a DHCP server 😉 ).

 

That's about all there is to it. Hope this is useful for you. 


'SECURITY > Network' 카테고리의 다른 글

[Tool] 와이어샤크 플러그인  (0) 2018.12.28
[자료] TCP dump  (0) 2018.08.22
[자료] Capture a Network Trace without installing anything  (0) 2018.06.06
[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20

[자료] TCP dump

https://hackertarget.com/tcpdump-examples/



Tcpdump Examples

tcpdump examples needle in haystackPractical tcpdump examples to lift your network troubleshootingand security testing game. Commands and tips to not only use tcpdump but master ways to know your network.

Knowing tcpdump is an essential skill that will come in handy for any system adminstratornetwork engineer or security professional.

First The Basics

Breaking down the Tcpdump Command Line

The following command uses common parameters often seen when wielding the tcpdump scalpel.

:~$ sudo tcpdump -i eth0 -nn -s0 -v port 80

-i : Select interface that the capture is to take place on, this will often be an ethernet card or wireless adapter but could also be a vlan or something more unusual. Not always required if there is only one network adapter.
-nn : A single (n) will not resolve hostnames. A double (nn) will not resolve hostnames or ports. This is handy for not only viewing the IP / port numbers but also when capturing a large amount of data, as the name resolution will slow down the capture.
-s0 : Snap length, is the size of the packet to capture. -s0 will set the size to unlimited - use this if you want to capture all the traffic. Needed if you want to pull binaries / files from network traffic.
-v : Verbose, using (-v) or (-vv) increases the amount of detail shown in the output, often showing more protocol specific information.
port 80 : this is a common port filter to capture only traffic on port 80, that is of course usually HTTP.

Display ASCII text

Adding -A to the command line will have the output include the ascii strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

:~$ sudo tcpdump -A -s0 port 80

Capture on Protocol

Filter on UDP traffic. Another way to specify this is to use protocol 17 that is udp. These two commands will produce the same result. The equivalent of the tcp filter is protocol 6.

:~$ sudo tcpdump -i eth0 udp
:~$ sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) and from (source) the IP address.

:~$ sudo tcpdump -i eth0 host 10.10.1.1

Alternatively capture only packets going one way using src or dst.

:~$ sudo tcpdump -i eth0 dst 10.10.1.20

Write a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

:~$ sudo tcpdump -i eth0 -s0 -w test.pcap

Line Buffered Mode

Without the option to force line (-l) buffered (or packet buffered -C) mode you will not always get the expected response when piping the tcpdump output to another command such as grep. By using this option the output is sent immediately to the piped command giving an immediate response when troubleshooting.

:~$ sudo tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Combine Filters

Throughout these examples you can use standard logic to combine different filters.

and or &&
or or ||
not or !

Practical Examples

In many of these examples there are a number of ways that the result could be achieved. As seen in some of the examples it is possible to focus the capture right down to individual bits in the packet.

The method you will use will depend on your desired output and how much traffic is on the wire. Capturing on a busy gigabit link may force you to use specific low level packet filters.

When troubleshooting you often simply want to get a result. Filtering on the port and selecting ascii output in combination with grepcut or awk will often get that result. You can always go deeper into the packet if required.

For example when capturing HTTP requests and responses you could filter out all packets except the data by removing SYN /ACK / FIN however if you are using grep the noise will be filtered anyway. Keep it simple.

This can be seen in the following examples, where the aim is to get a result in the simplest (and therefore fastest) manner.

1. Extract HTTP User Agents

Extract HTTP User Agent from HTTP request header.

:~$ sudo tcpdump -nn -A -s1500 -l | grep "User-Agent:"

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

:~$ sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

2. Capture only HTTP GET and POST packets

Going deep on the filter we can specify only packets that match GET.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

Alternatively we can select only on POST requests. Note that the POST data may not be included in the packet captured with this filter. It is likely that a POST request will be split across multiple TCP data packets.

:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

The hexadecimal being matched in these expressions matches the ascii for GET and POST.

As an explanation tcp[((tcp[12:1] & 0xf0) >> 2):4] first determines the location of the bytes we are interested in (after the TCP header) and then selects the 4 bytes we wish to match against.

3. Extract HTTP Request URL's

Simply parse Host and HTTP Request location from traffic. By not targeting port 80 we may find these requests on any port such as HTTP services running on high ports.

:~$ sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
	POST /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /wp-login.php HTTP/1.1
	Host: dev.example.com
	GET /favicon.ico HTTP/1.1
	Host: dev.example.com
	GET / HTTP/1.1
	Host: dev.example.com

4. Extract HTTP Passwords in POST Requests

Lets get some passwords from the POST data. Will include Host: and request location so we know what the password is used for.

:~$ sudo tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:25:54.799014 IP 10.10.1.30.39224 > 10.10.1.125.80: Flags [P.], seq 1458768667:1458770008, ack 2440130792, win 704, options [nop,nop,TS val 461552632 ecr 208900561], length 1341: HTTP: POST /wp-login.php HTTP/1.1
.....s..POST /wp-login.php HTTP/1.1
Host: dev.example.com
.....s..log=admin&pwd=notmypassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fdev.example.com%2Fwp-admin%2F&testcookie=1

5. Capture Cookies from Server and from Client

MMMmmm Cookies! Capture cookies from the server by searching on Set-Cookie: (from Server) and Cookie: (from Client).

:~$ sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Host: dev.example.com
Cookie: wordpress_86be02xxxxxxxxxxxxxxxxxxxc43=admin%7C152xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfb3e15c744fdd6; _ga=GA1.2.21343434343421934; _gid=GA1.2.927343434349426; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86be654654645645645654645653fc43=admin%7C15275102testtesttesttestab7a61e; wp-settings-time-1=1527337439

6. Capture all ICMP packets

See all ICMP packets on the wire.

:~$ sudo tcpdump -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:34:21.590380 IP 10.10.1.217 > 10.10.1.30: ICMP echo request, id 27948, seq 1, length 64
11:34:21.590434 IP 10.10.1.30 > 10.10.1.217: ICMP echo reply, id 27948, seq 1, length 64
11:34:27.680307 IP 10.10.1.159 > 10.10.1.1: ICMP 10.10.1.189 udp port 59619 unreachable, length 115

7. Show ICMP Packets that are not ECHO/REPLY (standard ping)

Filter on the icmp type to select on icmp packets that are not standard ping packets.

:~$ sudo tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:04.041037 IP 10.10.1.189 > 10.10.1.20: ICMP 10.10.1.189 udp port 36078 unreachable, length 156

8. Capture SMTP / POP3 Email

It is possible to extract email body and other data, in this example we are only parsing the email recipients.

:~$ sudo tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

9. Troubleshooting NTP Query and Response

In this example we see the NTP query and response.

:~$ sudo tcpdump dst port 123

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:02:19.112502 IP test33.ntp > 199.30.140.74.ntp: NTPv4, Client, length 48
21:02:19.113888 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48
21:02:20.150347 IP test33.ntp > 216.239.35.0.ntp: NTPv4, Client, length 48
21:02:20.150991 IP 216.239.35.0.ntp > test33.ntp: NTPv4, Server, length 48

10. Capture SNMP Query and Response

Using onesixtyone the fast SNMP protocol scanner we test an SNMP service on our local network and capture the GetRequest and GetResponse. For anyone who has had the (dis)pleasure of troubleshooting SNMP, this is a great way to see exactly what is happening on the wire. You can see the OID clearly in the traffic, very helpful when wrestling with MIBS.

:~$ onesixtyone 10.10.1.10 public

Scanning 1 hosts, 1 communities
10.10.1.10 [public] Linux test33 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
:~$ sudo tcpdump -n -s0  port 161 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:39:13.725522 IP 10.10.1.159.36826 > 10.10.1.20.161:  GetRequest(28)  .1.3.6.1.2.1.1.1.0
23:39:13.728789 IP 10.10.1.20.161 > 10.10.1.159.36826:  GetResponse(109)  .1.3.6.1.2.1.1.1.0="Linux testmachine 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64"

11. Capture FTP Credentials and Commands

Capturing FTP commands and login details is straight forward. After the authentication is established an FTP session can be active or passive this will determine whether the data part of the session is conducted over TCP port 20 or another ephemeral port. With the following command you will USER and PASS in the output (which could be fed to grep) as well as the FTP commands such as LIST, CWD and PASSIVE.

:~$ sudo tcpdump -nn -v port ftp or ftp-data

12. Rotate Capture Files

When capturing large amounts of traffic or over a long period of time it can be helpful to automatically create new files of a fixed size. This is done using the parameters -W-G and -C.

In this command the file capture-(hour).pcap will be created every (-G) 3600 seconds (1 hour). The files will be overwritten the following day. So you should end up with capture-{1-24}.pcap, if the hour was 15 the new file is (/tmp/capture-15.pcap).

:~$ tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

13. Capture IPv6 Traffic

Capture IPv6 traffic using the ip6 filter. In these examples we have specified the TCP and UDP protocols using proto 6 and proto 17.

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

14. Detect Port Scan in Network Traffic

In the following example you can see the traffic coming from a single source to a single destination. The Flags [S] and [R] can be seen and matched against a seemingly random series of destination ports. These ports are seen in the RESET that is sent when the SYN finds a closed port on the destination system. This is standard behaviour for a port scan by a tool such as Nmap.

We have another tutorial on Nmap that details captured port scans (open / closed / filtered) in a number of Wireshark captures.

:~$ tcpdump -nn

21:46:19.693601 IP 10.10.1.10.60460 > 10.10.1.199.5432: Flags [S], seq 116466344, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693626 IP 10.10.1.10.35470 > 10.10.1.199.513: Flags [S], seq 3400074709, win 29200, options [mss 1460,sackOK,TS val 3547090332 ecr 0,nop,wscale 7], length 0
21:46:19.693762 IP 10.10.1.10.44244 > 10.10.1.199.389: Flags [S], seq 2214070267, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693772 IP 10.10.1.199.389 > 10.10.1.10.44244: Flags [R.], seq 0, ack 2214070268, win 0, length 0
21:46:19.693783 IP 10.10.1.10.35172 > 10.10.1.199.1433: Flags [S], seq 2358257571, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.693826 IP 10.10.1.10.33022 > 10.10.1.199.49153: Flags [S], seq 2406028551, win 29200, options [mss 1460,sackOK,TS val 3547090333 ecr 0,nop,wscale 7], length 0
21:46:19.695567 IP 10.10.1.10.55130 > 10.10.1.199.49154: Flags [S], seq 3230403372, win 29200, options [mss 1460,sackOK,TS val 3547090334 ecr 0,nop,wscale 7], length 0
21:46:19.695590 IP 10.10.1.199.49154 > 10.10.1.10.55130: Flags [R.], seq 0, ack 3230403373, win 0, length 0
21:46:19.695608 IP 10.10.1.10.33460 > 10.10.1.199.49152: Flags [S], seq 3289070068, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695622 IP 10.10.1.199.49152 > 10.10.1.10.33460: Flags [R.], seq 0, ack 3289070069, win 0, length 0
21:46:19.695637 IP 10.10.1.10.34940 > 10.10.1.199.1029: Flags [S], seq 140319147, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695650 IP 10.10.1.199.1029 > 10.10.1.10.34940: Flags [R.], seq 0, ack 140319148, win 0, length 0
21:46:19.695664 IP 10.10.1.10.45648 > 10.10.1.199.5060: Flags [S], seq 2203629201, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695775 IP 10.10.1.10.49028 > 10.10.1.199.2000: Flags [S], seq 635990431, win 29200, options [mss 1460,sackOK,TS val 3547090335 ecr 0,nop,wscale 7], length 0
21:46:19.695790 IP 10.10.1.199.2000 > 10.10.1.10.49028: Flags [R.], seq 0, ack 635990432, win 0, length 0

15. Example Filter Showing Nmap NSE Script Testing

In this example the Nmap NSE script http-enum.nse is shown testing for valid urls against an open HTTP service.

On the Nmap machine:

:~$ nmap -p 80 --script=http-enum.nse targetip

On the target machine:

:~$ tcpdump -nn port 80 | grep "GET /"

GET /w3perl/ HTTP/1.1
GET /w-agora/ HTTP/1.1
GET /way-board/ HTTP/1.1
GET /web800fo/ HTTP/1.1
GET /webaccess/ HTTP/1.1
GET /webadmin/ HTTP/1.1
GET /webAdmin/ HTTP/1.1

16. Capture Start and End Packets of every non-local host

This example is straight out of the tcpdump man page. By selecting on the tcp-syn and tcp-fin packets we can show each established TCP conversation with timestamps but without the data. As with many filters this allows the amount of noise to be reduced in order to focus in on the information that you care about.

:~$ tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

17. Capture DNS Request and Response

Outbound DNS request to Google public DNS and the A record (ip address) response can be seen in this capture.

:~$ sudo tcpdump -i wlp58s0 -s0 port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp58s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:19:06.879799 IP test.53852 > google-public-dns-a.google.com.domain: 26977+ [1au] A? play.google.com. (44)
14:19:07.022618 IP google-public-dns-a.google.com.domain > test.53852: 26977 1/0/1 A 216.58.203.110 (60)

18. Capture HTTP data packets

Only capture on HTTP data packets on port 80. Avoid capturing the TCP session setup (SYN / FIN / ACK).

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

19. Capture with tcpdump and view in Wireshark

Parsing and analysis of full appliication streams such as HTTP is much easier to perform with Wireshark (or tshark) rather than tcpdump. It is often more practical to capture traffic on a remote system using tcpdump with the write file option. Then copy the pcap to the local workstation for analysis with Wireshark.

Other than manually moving the file from the remote system to the local workstation it is possible to feed the capture to Wireshark over the SSH connection in real time. This tip is a favorite, pipe the raw tcpdump output right into wireshark on your local machine. Don't forget the not port 22 so you are not capturing your SSH traffic.

:~$ ssh root@remotesystem 'tcpdump -s0 -c 1000 -nn -w - not port 22' | wireshark -k -i -

Another tip is to use count -c on the remote tcpdump to allow the capture to finish otherwise hitting ctrl-c will not only kill tcpdump but also Wireshark and your capture.

20. Top Hosts by Packets

List the top talkers for a period of time or number of packets. Using simple command line field extraction to get the IP address, sort and count the occurrances. Capture is limited by the count option -c.

sudo tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
200 packets captured
261 packets received by filter
0 packets dropped by kernel
    108 IP 10.10.211.181
     91 IP 10.10.1.30
      1 IP 10.10.1.50

21. Capture all the plaintext passwords

In this command we are focusing on standard plain text protocols and chosing to grep on anything user or password related. By selecting the -B5 option on grep the aim is to get the preceding 5 lines that may provide context around the captured password (hostname, ip address, system).

:~$ sudo tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

22. DHCP Example

And our final tcpdump example is for monitoring DHCP request and reply. DHCP requests are seen on port 67 and the reply is on 68. Using the verbose parameter -v we get to see the protocol options and other details.

:~$ sudo tcpdump -v -n port 67 or 68

tcpdump: listening on enp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:37:50.059662 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.059667 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:xx:xx:xx:d5, length 300, xid 0xc9779c2a, Flags [none]
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: Request
	    Requested-IP Option 50, length 4: 10.10.1.163
	    Hostname Option 12, length 14: "test-ubuntu"
	    Parameter-Request Option 55, length 16: 
	      Subnet-Mask, BR, Time-Zone, Default-Gateway
	      Domain-Name, Domain-Name-Server, Option 119, Hostname
	      Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
	      NTP, Classless-Static-Route-Microsoft, Static-Route, Option 252
14:37:50.060780 IP (tos 0x0, ttl 64, id 53564, offset 0, flags [none], proto UDP (17), length 339)
    10.10.1.1.67 > 10.10.1.163.68: BOOTP/DHCP, Reply, length 311, xid 0xc9779c2a, Flags [none]
	  Your-IP 10.10.1.163
	  Server-IP 10.10.1.1
	  Client-Ethernet-Address 00:0c:xx:xx:xx:d5
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message Option 53, length 1: ACK
	    Server-ID Option 54, length 4: 10.10.1.1
	    Lease-Time Option 51, length 4: 86400
	    RN Option 58, length 4: 43200
	    RB Option 59, length 4: 75600
	    Subnet-Mask Option 1, length 4: 255.255.255.0
	    BR Option 28, length 4: 10.10.1.255
	    Domain-Name-Server Option 6, length 4: 10.10.1.1
	    Hostname Option 12, length 14: "test-ubuntu"
	    T252 Option 252, length 1: 10
	    Default-Gateway Option 3, length 4: 10.10.1.1

Wrapping Up

These tcpdump examples, tips and commands are intended to give you a base understanding of the possibilities. Depending on what you are trying to achieve there are many ways that you could go deeper or combine different capture filters to suit your requirements.

Combining tcpdump with Wireshark is a powerful combination, particularly when you wish to dig into full application layer sessions as the decoders can assemble the full stream. We recently did a major update to our Wireshark Tutorial.

Thanks for reading, check out the man page for more detail and if you have any comments or suggestions please drop me a note using the contact form. Happy Packet Analysis!


'SECURITY > Network' 카테고리의 다른 글

[자료] TCP dump  (0) 2018.08.22
[자료] Capture a Network Trace without installing anything  (0) 2018.06.06
[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20
[정리] SNMP community string  (0) 2016.02.27

[자료] NSE

Information Gathering

1. DNS Brute Force

Find sub-domains with this script. Detecting sub-domains associated with an organizations domain can reveal new targets when performing a security assessment. The discovered hosts may be virtual web hosts on a single web server or may be distinct hosts on IP addresses spread across the world in different data centres.

The dns-brute.nse script will find valid DNS (A) records by trying a list of common sub-domains and finding those that successfully resolve.

nmap -p 80 --script dns-brute.nse vulnweb.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds



2. Find Hosts on IP

Another tactic for expanding an attack surface is to find virtual hosts on an IP address that you are attempting to compromise (or assess). This can be done by using the hostmap-* scripts in the NSE collection. The hostmap-bfk.nseseems to work reasonably well providing a good starting point for your recon (IP to Host services do vary in accuracy).

nmap -p 80 --script hostmap-bfk.nse nmap.org

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:47 EST
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk: 
|   hosts: 
|     www.nmap.org
|     173.255.243.189
|     seclists.org
|     sectools.org
|     svn.nmap.org
|     nmap.org
|     hb.insecure.org
|     insecure.org
|     images.insecure.org
|     189.243.255.173.in-addr.arpa
|_    www.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
Try our Free IP Tool Host search tool that uses the scans.io DNS data to reverse lookup an IP address to host name. Another option is bing.com that has the ability to search with ip:x.x.x.x however recently the accuracy of this search seems hit and miss.



3. Traceroute Geolocation

Perform a traceroute to your target IP address and have geolocation data plotted for each hop along the way. Makes correlating the reverse dns names of routers in your path with locations much easier.

sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 21:03 EST
Nmap scan report for hackertarget.com (178.79.163.23)
Host is up (0.31s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| traceroute-geolocation: 
|   HOP  RTT     ADDRESS                                                GEOLOCATION
|   1    2.09    192.168.1.1                                            - ,- 
|   2    25.55   core-xxxxx.grapevine.net.au (203.xxx.32.20)            -27,133 Australia (Unknown)
|   3    31.61   core-xxxxx.grapevine.net.au (203.xxx.32.25)            -27,133 Australia (Unknown)
|   4    25.02   xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)     -27,133 Australia (Unknown)
|   5    23.48   xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)            -27,133 Australia (Unknown)
|   6    43.45   ae2.br1.syd4.on.ii.net (150.101.33.22)                 -27,133 Australia (Unknown)
|   7    175.24  te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)           -27,133 Australia (Unknown)
|   8    181.29  TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)      38,-97 United States (Unknown)
|   9    310.46  telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)  51,0 United Kingdom (London)
|   10   309.63  212.111.33.238                                         51,0 United Kingdom (Unknown)
|_  11   338.95  hackertarget.com (178.79.163.23)                       51,0 United Kingdom (Unknown)

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   2.09 ms   192.168.1.1
2   25.55 ms  core-xxxxx.grapevine.net.au (203.xxx.32.20)
3   31.61 ms  core-xxxxx.grapevine.net.au (203.xxx.32.25)
4   25.02 ms  xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)
5   23.48 ms  xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)
6   43.45 ms  ae2.br1.syd4.on.ii.net (150.101.33.22)
7   175.24 ms te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)
8   181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)
9   310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)
10  309.63 ms 212.111.33.238
11  338.95 ms hackertarget.com (178.79.163.23)



HTTP Recon

Nmap comes with a wide range of NSE scripts for testing web servers and web applications. An advantage of using the NSE scripts for your HTTP reconnaissance is that you are able to test aspects of a web server against large subnets. This can quickly provide a picture of the types of servers and applications in use within the subnet.

4. http-enum.nse

One of the more aggressive tests, this script effectively brute forces a web server path in order to discover web applications in use. Attempts will be made to find valid paths on the web server that match a list of known paths for common web applications. The standard test includes testing of over 2000 paths, meaning that the web server log will have over 2000 entries that are HTTP 404 not found, not a stealthy testing option! This is very similar to the famous Nikto web server testing tool (that performs 6000+ tests).

nmap --script http-enum 192.168.10.55

Nmap scan report for ubuntu-test (192.168.10.55)
Host is up (0.024s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
| http-enum: 
|   /robots.txt: Robots file
|   /readme.html: WordPress version 3.9.2
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Additional options:

Specify base path, for example you could specify a base path of /pub/.

nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.10.55

Nmap scan report for xbmc (192.168.1.5)
Host is up (0.0012s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds



5. HTTP Title

It is not a difficult thing to find the Title of the web page from a web server, this script just makes it easier to get those title's in one set of results from a range of IP addresses.

Having the title of the page included in the Nmap scan results can provide context to a host, that may identify the primary purpose of the web server and whether that server is a potential attack target.

nmap --script http-title -sV -p 80 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 20:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys wireless-G WAP http config (Name RT-N16)
|_http-title: 401 Unauthorized
Service Info: Device: WAP

Nmap scan report for xbmc (192.168.1.115)
Host is up (0.0022s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).

Nmap scan report for 192.168.1.118
Host is up (0.0035s latency).
PORT   STATE SERVICE VERSION
80/tcp open  upnp    Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0)
|_http-title: WorkForce 630
Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds



Microsoft Windows Network Recon

Find operating systems, users, processes and more from systems within your local windows network with these information gathering scripts. Generally these smb-* scripts will get you a lot more information if you have valid credentials. However, with even Guest or Anonymous access you will usually be able to at least expand your knowledge of the network.

6. smb-os-discovery.nse

Determine operating system, computer name, netbios name and domain with the smb-os-discovery.nse script. An example use case could be to use this script to find all the Windows XP hosts on a large network, so they can be unplugged and thrown out (Windows XP is no longer supported by Microsoft). The key advantage to using Nmap for something like this rather than a Microsoft native tool is that it will find all systems connected to the network not just those attached to a domain.

nmap -p 445 --script smb-os-discovery 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:32 EST

Nmap scan report for test1 (192.168.1.115)
Host is up (0.0035s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: ubuntu003
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: ubuntu003
|_  System time: 2014-09-24T23:34:41+10:00

Nmap scan report for 192.168.1.101
Host is up (0.018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-xp3
|   NetBIOS computer name: TEST-XP3
|   Workgroup: WORKGROUP
|_  System time: 2014-09-24T23:33:01+01:00



7. smb-brute.nse

Another example of the smb series of NSE scripts is the smb-brute.nse that will attempt to brute force local accounts against the SMB service.

While I would not classify brute forcing accounts as a recon function of the assessment process this script can lead to large amount of recon if we do get valid credentials as there are other smb-* scripts that can be leveraged to retrieve all local user accounts (smb-enum-users.nse), groups (smb-enum-groups.nse), processes (smb-enum-processes.nse) and even execute processes remotely with the smb-psexec.nse script.

nmap -sV -p 445 --script smb-brute 192.168.1.101

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:47 EST
Nmap scan report for 192.168.1.101
Host is up (0.060s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-brute: 
|_  No accounts found

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds

As can be seen in the example above we have not found any accounts. So lets take a look at the activity on the wire while the smb-brute.nse script was running.

Nmap NSE SMB Brute Wireshark Capture

It is pretty clear from this Wireshark capture that sessions were being established and a large number of account credentials were being tested.

'SECURITY > Network' 카테고리의 다른 글

[자료] Capture a Network Trace without installing anything  (0) 2018.06.06
[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20
[정리] SNMP community string  (0) 2016.02.27
[자료] TCP TIME_WAIT 관련 글  (0) 2015.08.21

[자료] SSL 패킷 디크립트

How to Decrypt SSL traffic using Wireshark : SSL is one the best way to encrypt network traffic and avoiding men in the middle attacks and other session hijacking attacks. But there are still multiple ways by which hackers can decrypt SSL traffic and one of them is with the help of Wireshark. Wireshark has an awesome inbuilt feature which can decrypt any traffic over a selected network card. So friends today we will learn how to decrypt SSL traffic or HTTPS traffic over network with help of Wireshark tool.

following  Requirement for Decrypting  SSL Traffic :

  • Wireshark
  • SSL Private Key
  • Basic knowledge in the following areas:
    • Network traces
    • Networking, TCP/IP and SSL/TLS protocols
    • Certificates and the use of Public and Private Keys
    • The Wireshark network protocol analyzer

Note: We will be using Kali Linux for decryption of network traffic but similar can be done on windows operating system too with help of minor tweaks.

How to Decrypt SSL Traffic using Wireshark :

Step1 : Start monitor mode

Select your network card for monitoring network traffic by giving following command at terminal:

$ airmon-ng start wlan0

You can find complete list of network cards using a simple command ifconfig on terminal i.e. Kali Linux (or ipconfig/all on Windows).

You will need airmon in windows if you wish to use the same on windows OS.

 

Step 2 : Obtain SSL Private Key using OpenSSL

In order to obtain the SSL private key, you have to execute the below command at Kali Linux terminal:

openssl req -x509 -nodes -newkey rsa:1024 -keyout testkey.pem -out testcert.pem

The above command will create two files in your home directory:

a. testkey.pem (which is a private test key)

b. testcert.prem (which is a self signed certificate)

Note: You have to use the same keys on your server.

 

Step 3 : Setup Wireshark to decrypt network card traffic

You can start Wireshark by giving following command on terminal :

   $ wireshark

Now go in preferences in edit menu then go to protocol on left side and then SSL protocol.

And fill the following details as mentioned below :

IP : IP Address of Server

Port : 443

Protocol : HTTP

Key File : Select the key file generated in above step

Password : Its up to you, you wanna provide or not.

That’s it. Now you will get decrypted result for for any SSL or TLS protocols.

Note : You can also use a filter for SSL as mentioned below :

 tcp.port==443 –

This will filter all SSL traffic.
If you have any doubts regarding How to Decrypt SSL Traffic, feel free to askAnd fill the following details as mentioned below :

IP : IP Address of Server

Port : 443

Protocol : HTTP

Key File : Select the key file generated in above step

Password : Its up to you, you wanna provide or not.

That’s it. Now you will get decrypted result for for any SSL or TLS protocols.

Note : You can also use a filter for SSL as mentioned below :

 tcp.port==443 –


'SECURITY > Network' 카테고리의 다른 글

[자료] TCP dump  (0) 2018.06.02
[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20
[정리] SNMP community string  (0) 2016.02.27
[자료] TCP TIME_WAIT 관련 글  (0) 2015.08.21
[Tool] CapTipper  (0) 2015.02.09

[정리] SNMP community string

1. 개념 설명 문서


SNMP의 취약점을 이용한 공격기법과 대응방안 [gusxodnjs].pdf


2. 설정


/etc/snmp/snmpd.conf 또는 /etc/snmp/conf/snmpd.conf 설정파일에서 


"com2sec notConfigUser default public" 값을 "com2sec notConfigUser default 변경값" 으로 수정해 줌 


서비스 재시작 해주고 service snmpd restart or /etc/init.d/snmpd start


3. 확인


snmpwalk로 확인하기


snmpwalk -v2c -c 변경값 localhost 

'SECURITY > Network' 카테고리의 다른 글

[자료] NSE  (0) 2018.04.21
[자료] SSL 패킷 디크립트  (0) 2017.04.20
[정리] SNMP community string  (0) 2016.02.27
[자료] TCP TIME_WAIT 관련 글  (0) 2015.08.21
[Tool] CapTipper  (0) 2015.02.09
[자료] Nmap 자세한 정리  (0) 2014.12.16

[자료] TCP TIME_WAIT 관련 글

http://sunyzero.tistory.com/198


TCP TIME_WAIT를 없애는 방법

'SECURITY > Network' 카테고리의 다른 글

[자료] SSL 패킷 디크립트  (0) 2017.04.20
[정리] SNMP community string  (0) 2016.02.27
[자료] TCP TIME_WAIT 관련 글  (0) 2015.08.21
[Tool] CapTipper  (0) 2015.02.09
[자료] Nmap 자세한 정리  (0) 2014.12.16
[자료] tcpdump 교육 자료  (0) 2014.12.15

[Tool] CapTipper

http://www.hakawati.co.kr/329

http://noplanlife.com/?p=1134

http://www.malware-traffic-analysis.net/2014/12/15/index.html


pcap 파일을 이용해 악성 트래픽을 분석하는 도구 자세한 내용은 위 링크 참고


git clone으로 설치 후 사용 가능 


재밌게 활용할 수 있을것 같다. 

'SECURITY > Network' 카테고리의 다른 글

[정리] SNMP community string  (0) 2016.02.27
[자료] TCP TIME_WAIT 관련 글  (0) 2015.08.21
[Tool] CapTipper  (0) 2015.02.09
[자료] Nmap 자세한 정리  (0) 2014.12.16
[자료] tcpdump 교육 자료  (0) 2014.12.15
[정리] 와이어샤크 필터링  (0) 2014.11.06

[자료] Nmap 자세한 정리

https://highon.coffee/docs/nmap/#target-specification