Hacking Cheat Sheets Part : Tcpdump
Some people ask me why would I use tcpdump command line packet sniffer instead of wireshark GUI packet sniffer. My reply is you wont always have access to GUI when working on a particular victim machine, but most unix and linux come with tcpdump by default. So knowing how to do packet captures and read them in tcpdump is an essential skill.Â
tcpdump stuff. reason to use this is in some cases you cant run wireshark, you can run tcpdump on pretty much any system
* First off, I like to add a few options to the tcpdump command itself, depending on what Iâm looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you canât see weirdness in the sequence numbers if theyâre being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.
* Itâs also important to note that tcpdump only takes the first 68 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Hereâs a short list of the options I use most:
-i any : Listen on all interfaces just to see if youâre seeing any traffic.
-n : Donât resolve hostnames.
-nn : Donât resolve hostnames or port names.
-X : Show the packetâs contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
[ The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won't get everything. Use -s 1514 to get full coverage ]
* Basic communication // see the basics without many options
# tcpdump -nS
* Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
* A deeper look at the traffic // adds -X for payload but doesnât grab any more of the packet
# tcpdump -nnvvXS
* Heavy packet viewing // the final âsâ increases the snaplength, grabbing the whole packet
# tcpdump -nnvvXSs 1514
* Expressions allow you to trim out various types of traffic and find exactly what youâre looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: type, dir, and proto. Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:
* host // look for traffic based on IP address (also works with hostname if youâre not using -n)
# tcpdump host 1.2.3.4
* src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6
* net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24
* proto // works for tcp, udp, and icmp. Note that you donât have to type proto
# tcpdump icmp (show this by doing hping3 -I eth0 -S -c 4 10.0.0.115, and seeing this displays nothing and then do a ping and see it displays that)
* port // see only traffic to or from a certain port
# tcpdump port 3389
* src, dst port // filter based on the source or destination port
# tcpdump src port 1025 # tcpdump dst port 389
* src/dst, port, protocol // combine all three
# tcpdump src port 1025 and tcp
# tcpdump udp and dst port 53 (do this one and bring up firefox and go to a page)
# tcpdump tcp and dst port 53 (do this one and then do dig google.com axfr)
* You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
* Port Ranges // see traffic to any port in a range
tcpdump portrange 21-23
* Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32
tcpdump greater 128
[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
tcpdump > 32
tcpdump <= 128
* tcpdump allows you to send what youâre capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later. The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.
* Capture all Port 80 Traffic to a File
# tcpdump -s 1514 port 80 -w capture_file
* Read Captured Traffic back into tcpdump
# tcpdump -r capture_file
* Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what youâre looking for. There are three ways to do combinations, and if youâve studied computers at all theyâll be pretty familar to you:
AND
and or &&
OR
or or ||
EXCEPT
not or !
# TCP traffic from 10.5.2.3 destined for port 3389
tcpdump -nnvvS and src 10.5.2.3 and dst port 3389
# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
# Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
# Traffic originating from Mars or Pluto that isn't to the SSH port
tcpdump -vv src mars and not dst port 22
* As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.
* Also keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters -- in this case the "( )" brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below
* # Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
tcpdump src 10.0.2.4 and (dst port 3389 or 22)
* If you tried to run this otherwise very useful command, you'd get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
* You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
[ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ] the numbers below say look at offset 13 in the header and the numbers after the & represent its binary placement (fin is 1, Â syn is 2, rst is 4 and so on). where they get the 13th offset is if you look at a picture of a tcp header each line is represented by 4 bytes, so the first line is bytes 0-3(src port and dst port), the next line is bytes 4-7 (sequence number), next is 8-11 (ack number), next is 12-15 (offset,flags,and window length) so this line we see byte 12 is the offset, byte 13 takes up the flags section in the header). Try each of these using hping3 -I eth0 -S -c 4 -p 80 10.0.0.115 for the syn flag one. The other ones you may need to take out the port 80 bit to get it to send
Show me all URGENT (URG) packets...
# tcpdump 'tcp[13] & 32!=0'
Show me all ACKNOWLEDGE (ACK) packets...
# tcpdump 'tcp[13] & 16!=0'
Show me all PUSH (PSH) packets...
# tcpdump 'tcp[13] & 8!=0'
Show me all RESET (RST) packets...
# tcpdump 'tcp[13] & 4!=0'
Show me all SYNCHRONIZE (SYN) packets...
# tcpdump 'tcp[13] & 2!=0'
Show me all FINISH (FIN) packets...
# tcpdump 'tcp[13] & 1!=0'
Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...
[ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
* Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it's on.
* Finally, there are a few quick recipes you'll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.
* # tcpdump ip6
--------------------------------------------------------------------------------------------
* most common one is tcpdump -nni eth0. the -n is dont resolve host names, the second n tells tcpdump to display port numbers only
* some basic syntax:
-nn = dont use dns to resolve ips and display port numbers
-i = interface to watch
dst = watch only traffic destined to a net, host, or port
src = watch only traffic whose source is a net, host, or port
net = specifies a network 10.0.0.0/24
host = specifies a host 10.0.0.115
port = specifies a port also a portrange
proto = protocol is tcp udp icmp
* some examples:
* tcpdump -nni eth0 host 10.0.0.115
* tcpdump -nni eth0 dst host 10.0.0.115 and proto tcp
* tcpdump -nni eth0 src not 10.0.0.0/24 and proto tcp and portrange 1-1024
* so do a tcpdump -nni eth0 host 10.0.0.115 (or whatever your metasploitable2 is ) and then bring up a separate window and ping 10.0.0.115. see the traffic that comes through
* scoping it down this way makes it easier to go through tons of data
* so these commands here are only going to show you the headers of the packet, not the actual data. thats where s0 comes in
* -s0 (thats a zero) sets the snaplength to 0 which means use the required length to catch whole packets.
* -A prints each packet (minus its link level header) in ASCII
* tcpdump -s0 -A -nni eth0 dst host 10.0.0.115 and ping it from second terminal
* tcpdump -s0 -A -nni eth0 dst host 10.0.0.115 and dst port 80
* now nc 10.0.0.115 80 and see the results
* tcpdump -s0 -A -nni eth0 dst host 10.0.0.115 and dst port 80 and src net 10.0.0.0/24
* do another netcat to 80
* tcpdump -s0 -A -nni eth0 dst net 10.0.0.0/24
* you could also ignore net ranges and ports too like:
* tcpdump -s0 -A -nni eth0 not port 22 and dst host 10.0.0.115 and not src net 192.168.1.0/24 and not host 10.0.0.101
* doing our netcat here still yields the same
* you cant limit the size of the pcap, only the packets count
* tcpdump -vv -c10000 -s0 -A -w raystester.pcap -nni eth0 not port 22
-c = count of packets to display for exiting
-vv = displays the number of packets captured
-w = write the raw packets to file
* run netcat again and then hit enter a couple times and ctrl + c
* now to view that data (r = read from file) type:
* tcpdump -s0 -A -nn -r raystester.pcap
* you can also do wireshark raystester.pcap & and view those packets in wireshark
* now lets see how we can use tcpdump to quickly see what flags are in the packet
* tcpdump -s0 -A -nni etho dst host 10.0.0.115
* now in second terminal type hping3 -I eth0 -P -c 5 10.0.0.115
* review the packets and see the order tcpdump does it in. First is the timestamp, second is the src address and port , thirds is the dst address and port and fourth is the Flags where the P is
