Networking for InfoSec Professionals

1. ##############################
2. # Intro to Routing/Switching #
3. ##############################
4. Reference:
5. http://www.brianlinkletter.com/imunes-on-linux/
6.  
7.  
8. sudo apt-get install -y openvswitch-switch xterm wireshark ImageMagick tcl tcllib tk user-mode-linux
9.  
10. wget -qO- https://get.docker.com/ | sh
11.  
12. sudo usermod -aG docker strategicsec
13.  
14. sudo service docker start
15.  
16. sudo docker run -v /usr/local/bin:/target jpetazzo/nsenter
17.  
18. sudo git clone https://github.com/imunes/imunes.git
19.  
20. cd imunes
21.  
22. sudo make install
23.  
24. sudo imunes -p
25.  
26. sudo imunes
27.  
28.  
29.  
30. Now build the following topologies referenced here:
31. http://www.technig.com/packet-tracer-ccna-practical-labs/
32.  
33.  
34.  
35. #################
36. # Intro to IPv6 #
37. #################
38. Reference:
39. https://www.linux.com/learn/ipv6-crash-course-linux
40. https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps
41. http://www.tomicki.net/ipv6.router.php
42.  
43. ####################
44. # Intro to TCPDump #
45. ####################
46. http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
47.  
48. sudo apt-get install tcpdump
49.  
50.  
51.  
52. Basic sniffing
53.  
54. sudo tcpdump -n
55.  
56.  
57. Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
58. sudo tcpdump -v -n
59.  
60.  
61.  
62. Getting the ethernet header (link layer headers)
63.  
64. In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
65. sudo tcpdump -vv -n -e
66.  
67.  
68. Sniffing a particular interface
69.  
70. In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
71. sudo tcpdump -D
72.  
73.  
74. Filtering packets using expressions
75. Selecting protocols
76.  
77. $ sudo tcpdump -n tcp
78.  
79.  
80. Particular host or port
81.  
82. Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
83.  
84. $ sudo tcpdump -n 'src 192.168.1.101'
85.  
86.  
87. Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
88.  
89. $ sudo tcpdump -n 'udp and dst port 53'
90.  
91.  
92. To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
93.  
94. $ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
95.  
96.  
97. Search the network traffic using grep
98.  
99. Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
100.  
101. $ sudo tcpdump -n -A | grep -e 'POST'
102.  
103.  
104. So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
105. Here is quick example to sniff passwords using egrep
106.  
107.  
108. tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
109.  
110.  
111. ####################
112. # Advanced TCPDump #
113. ####################
114. https://danielmiessler.com/study/tcpdump/
115.  
116. -i any : Listen on all interfaces just to see if you’re seeing any traffic.
117. -i eth0 : Listen on the eth0 interface.
118. -D : Show the list of available interfaces
119. -n : Don’t resolve hostnames.
120. -nn : Don’t resolve hostnames or port names.
121. -q : Be less verbose (more quiet) with your output.
122. -X : Show the packet’s contents in both hex and ASCII.
123. -XX : Same as -X, but also shows the ethernet header.
124. -v, -vv, -vvv : Increase the amount of packet information you get back.
125. -c : Only get x number of packets and then stop.
126. icmp : Only get ICMP packets.
127. -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
128. -S : Print absolute sequence numbers.
129. -e : Get the ethernet header as well.
130. -q : Show less protocol information.
131. -E : Decrypt IPSEC traffic by providing an encryption key.
132.  
133.  
134.  
135. Basic communication // see the basics without many options
136. # tcpdump -nS
137.  
138. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
139. # tcpdump -nnvvS
140.  
141. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
142. # tcpdump -nnvvXS
143.  
144. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
145. # tcpdump -nnvvXSs 1514
146.  
147. Here’s a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.
148.  
149. hermes root # tcpdump -nnvXSs 0 -c2 icmp
150.  
151.  
152. host // look for traffic based on IP address (also works with hostname if you’re not using -n)
153. # tcpdump host 1.2.3.4
154.  
155.  
156. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
157. # tcpdump src 2.3.4.5
158. # tcpdump dst 3.4.5.6
159.  
160.  
161. net // capture an entire network using CIDR notation
162. # tcpdump net 1.2.3.0/24
163.  
164.  
165. proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
166. # tcpdump icmp
167.  
168.  
169. port // see only traffic to or from a certain port
170. # tcpdump port 3389
171.  
172. src, dst port // filter based on the source or destination port
173. # tcpdump src port 1025 # tcpdump dst port 389
174.  
175. src/dst, port, protocol // combine all three
176. # tcpdump src port 1025 and tcp
177. # tcpdump udp and src port 53
178.  
179.  
180. You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
181.  
182. Port Ranges // see traffic to any port in a range
183. tcpdump portrange 21-23
184.  
185. Packet Size Filter // only see packets below or above a certain size (in bytes)
186. tcpdump less 32
187. tcpdump greater 128
188. [ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
189.  
190. // filtering for size using symbols
191. tcpdump > 32
192. tcpdump <= 128
193.  
194.  
195. The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.
196.  
197. Capture all Port 80 Traffic to a File
198.  
199. # tcpdump -s 1514 port 80 -w capture_file
200.  
201. Then, at some point in the future, you can then read the traffic back in like so:
202.  
203. Read Captured Traffic back into tcpdump
204.  
205. # tcpdump -r capture_file
206.  
207. Getting Creative
208.  
209. Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:
210.  
211. AND
212. and or &&
213. OR
214. or or ||
215. EXCEPT
216. not or !
217. More Examples
218.  
219. # TCP traffic from 10.5.2.3 destined for port 3389
220.  
221. tcpdump -nnvvS src 10.5.2.3 and dst port 3389
222.  
223. # Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
224.  
225. tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
226.  
227. # Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
228.  
229. tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
230.  
231. # Traffic originating from Mars or Pluto that isn’t to the SSH port
232.  
233. tcpdump -vv src mars and not dst port 22
234.  
235. As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
236.  
237. Grouping
238.  
239. Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:
240.  
241. # Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
242.  
243. tcpdump src 10.0.2.4 and (dst port 3389 or 22)
244.  
245. If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
246.  
247. # Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
248.  
249. tcpdump ‘src 10.0.2.4 and (dst port 3389 or 22)’
250.  
251. Advanced
252.  
253. You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
254.  
255. [ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
256.  
257. Show me all URGENT (URG) packets…
258.  
259. # tcpdump ‘tcp[13] & 32!=0‘
260.  
261. Show me all ACKNOWLEDGE (ACK) packets…
262.  
263. # tcpdump ‘tcp[13] & 16!=0‘
264.  
265. Show me all PUSH (PSH) packets…
266.  
267. # tcpdump ‘tcp[13] & 8!=0‘
268.  
269. Show me all RESET (RST) packets…
270.  
271. # tcpdump ‘tcp[13] & 4!=0‘
272.  
273. Show me all SYNCHRONIZE (SYN) packets…
274.  
275. # tcpdump ‘tcp[13] & 2!=0‘
276.  
277. Show me all FINISH (FIN) packets…
278.  
279. # tcpdump ‘tcp[13] & 1!=0‘
280.  
281. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
282.  
283. # tcpdump ‘tcp[13]=18‘
284.  
285. [ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
286.  
287. Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
288.  
289. As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.
290.  
291. Capture TCP Flags Using the tcpflags Option…
292.  
293. # tcpdump ‘tcp[tcpflags] & & tcp-syn != 0‘
294.  
295. Specialized Traffic
296.  
297. Finally, there are a few quick recipes you’ll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.
298.  
299. IPv6 traffic
300.  
301. # tcpdump ip6
302.  
303. Packets with both the RST and SYN flags set (why?)
304.  
305. # tcpdump ‘tcp[13] = 6’
306.  
307. Traffic with the ‘Evil Bit’ Set
308.  
309. # tcpdump ‘ip[6] & 128 != 0‘
310.  
311.  
312. #########
313. # NGrep #
314. #########
315. http://www.binarytides.com/search-network-traffic-ngrep-tutorial/
316.  
317. Install ngrep on Ubuntu
318. $ sudo apt-get install ngrep
319.  
320.  
321. Search network traffic for string "User-Agent: "
322. $ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
323.  
324. In the above command :
325. a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
326. b) The d option specifies the interface to sniff. eth0 in this case.
327. c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
328.  
329. 2. Search network packets for GET or POST requests :
330.  
331. $ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
332.  
333. The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
334.  
335. 3. ngrep without any options would simply capture all packets.
336.  
337. $ sudo ngrep
338.  
339. https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
340.  
341. $ sudo ngrep -d eth0 -n 3
342.  
343. $ sudo ngrep -d any port 25
344. This will let you monitor all activity crossing source or destination port 25
345. (SMTP).
346.  
347. $ sudo ngrep -wi -d wlan0 'user|pass' port 6667
348.  
349. $ sudo ngrep -wi -d any 'user|pass' port 21
350.  
351.  
352. ###############
353. # NTop Basics #
354. ###############
355. Reference:
356. https://www.maketecheasier.com/install-configure-ntop/
357.  
358.  
359.  
360. #################
361. # PCAP Analysis #
362. #################
363. cd /home/malware/Desktop/Browser\ Forensics
364.  
365. ls | grep pcap
366.  
367. perl chaosreader.pl suspicious-time.pcap
368.  
369. firefox index.html
370.  
371. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
372.  
373. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
374.  
375. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
376. malware
377.  
378.  
379. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
380.  
381.  
382.  
383.  
384.  
385. #############################
386. # PCAP Analysis with tshark #
387. #############################
388. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
389.  
390.  
391. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
392.  
393.  
394. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
395.  
396.  
397. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
398.  
399.  
400. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
401.  
402. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
403.  
404. tshark -r suspicious-time.pcap -qz ip_hosts,tree
405.  
406. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
407.  
408. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
409.  
410.  
411. whois rapidshare.com.eyu32.ru
412.  
413. whois sploitme.com.cn
414.  
415.  
416. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
417.  
418. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
419.  
420. tshark -r suspicious-time.pcap -qz http_req,tree
421.  
422. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
423.  
424. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
425.  
426.  
427.  
428. ######################################
429. # PCAP Analysis with forensicPCAP.py #
430. ######################################
431. cd ~/Desktop
432. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
433.  
434. sudo easy_install cmd2
435. malware
436.  
437. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
438.  
439. ForPCAP >>> help
440.  
441.  
442. Prints stats about PCAP
443. ForPCAP >>> stat
444.  
445.  
446. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
447. ForPCAP >>> dns
448.  
449. ForPCAP >>> show
450.  
451.  
452. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
453. ForPCAP >>> dstports
454.  
455. ForPCAP >>> show
456.  
457.  
458. Prints the number of ip source and store them.
459. ForPCAP >>> ipsrc
460.  
461. ForPCAP >>> show
462.  
463.  
464. Prints the number of web's requests and store them
465. ForPCAP >>> web
466.  
467. ForPCAP >>> show
468.  
469. Prints the number of mail's requests and store them
470. ForPCAP >>> mail
471.  
472. ForPCAP >>> show
473.  
474.  
475. ###############
476. # Snort Build #
477. ###############
478. http://computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2-base-with-ubuntu-14-04-lts-123532107.html
479.  
480.  
481. ###################
482. # Surricata Build #
483. ###################
484. https://gist.github.com/cleesmith/3ae872eb46d1ea102667