Advertisement
joemccray

Networking for InfoSec Professionals

Aug 15th, 2016
1,297
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ##############################
  2. # Intro to Routing/Switching #
  3. ##############################
  4. Reference:
  5. http://www.brianlinkletter.com/imunes-on-linux/
  6.  
  7.  
  8. sudo apt-get install -y openvswitch-switch xterm wireshark ImageMagick tcl tcllib tk user-mode-linux
  9.  
  10. wget -qO- https://get.docker.com/ | sh
  11.  
  12. sudo usermod -aG docker strategicsec
  13.  
  14. sudo service docker start
  15.  
  16. sudo docker run -v /usr/local/bin:/target jpetazzo/nsenter
  17.  
  18. sudo git clone https://github.com/imunes/imunes.git
  19.  
  20. cd imunes
  21.  
  22. sudo make install
  23.  
  24. sudo imunes -p
  25.  
  26. sudo imunes
  27.  
  28.  
  29.  
  30. Now build the following topologies referenced here:
  31. http://www.technig.com/packet-tracer-ccna-practical-labs/
  32.  
  33.  
  34.  
  35. #################
  36. # Intro to IPv6 #
  37. #################
  38. Reference:
  39. https://www.linux.com/learn/ipv6-crash-course-linux
  40. https://www.digitalocean.com/community/tutorials/how-to-configure-tools-to-use-ipv6-on-a-linux-vps
  41. http://www.tomicki.net/ipv6.router.php
  42.  
  43. ####################
  44. # Intro to TCPDump #
  45. ####################
  46. http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
  47.  
  48. sudo apt-get install tcpdump
  49.  
  50.  
  51.  
  52. Basic sniffing
  53.  
  54. sudo tcpdump -n
  55.  
  56.  
  57. Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
  58. sudo tcpdump -v -n
  59.  
  60.  
  61.  
  62. Getting the ethernet header (link layer headers)
  63.  
  64. In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
  65. sudo tcpdump -vv -n -e
  66.  
  67.  
  68. Sniffing a particular interface
  69.  
  70. In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
  71. sudo tcpdump -D
  72.  
  73.  
  74. Filtering packets using expressions
  75. Selecting protocols
  76.  
  77. $ sudo tcpdump -n tcp
  78.  
  79.  
  80. Particular host or port
  81.  
  82. Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
  83.  
  84. $ sudo tcpdump -n 'src 192.168.1.101'
  85.  
  86.  
  87. Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
  88.  
  89. $ sudo tcpdump -n 'udp and dst port 53'
  90.  
  91.  
  92. To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
  93.  
  94. $ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
  95.  
  96.  
  97. Search the network traffic using grep
  98.  
  99. Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
  100.  
  101. $ sudo tcpdump -n -A | grep -e 'POST'
  102.  
  103.  
  104. So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
  105. Here is quick example to sniff passwords using egrep
  106.  
  107.  
  108. tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
  109.  
  110.  
  111. ####################
  112. # Advanced TCPDump #
  113. ####################
  114. https://danielmiessler.com/study/tcpdump/
  115.  
  116. -i any : Listen on all interfaces just to see if you’re seeing any traffic.
  117. -i eth0 : Listen on the eth0 interface.
  118. -D : Show the list of available interfaces
  119. -n : Don’t resolve hostnames.
  120. -nn : Don’t resolve hostnames or port names.
  121. -q : Be less verbose (more quiet) with your output.
  122. -X : Show the packet’s contents in both hex and ASCII.
  123. -XX : Same as -X, but also shows the ethernet header.
  124. -v, -vv, -vvv : Increase the amount of packet information you get back.
  125. -c : Only get x number of packets and then stop.
  126. icmp : Only get ICMP packets.
  127. -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  128. -S : Print absolute sequence numbers.
  129. -e : Get the ethernet header as well.
  130. -q : Show less protocol information.
  131. -E : Decrypt IPSEC traffic by providing an encryption key.
  132.  
  133.  
  134.  
  135. Basic communication // see the basics without many options
  136. # tcpdump -nS
  137.  
  138. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
  139. # tcpdump -nnvvS
  140.  
  141. A deeper look at the traffic // adds -X for payload but doesn’t grab any more of the packet
  142. # tcpdump -nnvvXS
  143.  
  144. Heavy packet viewing // the final “s” increases the snaplength, grabbing the whole packet
  145. # tcpdump -nnvvXSs 1514
  146.  
  147. Here’s a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.
  148.  
  149. hermes root # tcpdump -nnvXSs 0 -c2 icmp
  150.  
  151.  
  152. host // look for traffic based on IP address (also works with hostname if you’re not using -n)
  153. # tcpdump host 1.2.3.4
  154.  
  155.  
  156. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
  157. # tcpdump src 2.3.4.5
  158. # tcpdump dst 3.4.5.6
  159.  
  160.  
  161. net // capture an entire network using CIDR notation
  162. # tcpdump net 1.2.3.0/24
  163.  
  164.  
  165. proto // works for tcp, udp, and icmp. Note that you don’t have to type proto
  166. # tcpdump icmp
  167.  
  168.  
  169. port // see only traffic to or from a certain port
  170. # tcpdump port 3389
  171.  
  172. src, dst port // filter based on the source or destination port
  173. # tcpdump src port 1025 # tcpdump dst port 389
  174.  
  175. src/dst, port, protocol // combine all three
  176. # tcpdump src port 1025 and tcp
  177. # tcpdump udp and src port 53
  178.  
  179.  
  180. You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
  181.  
  182. Port Ranges // see traffic to any port in a range
  183. tcpdump portrange 21-23
  184.  
  185. Packet Size Filter // only see packets below or above a certain size (in bytes)
  186. tcpdump less 32
  187. tcpdump greater 128
  188. [ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
  189.  
  190. // filtering for size using symbols
  191. tcpdump > 32
  192. tcpdump <= 128
  193.  
  194.  
  195. The traffic captured in this way is stored in tcpdump format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.
  196.  
  197. Capture all Port 80 Traffic to a File
  198.  
  199. # tcpdump -s 1514 port 80 -w capture_file
  200.  
  201. Then, at some point in the future, you can then read the traffic back in like so:
  202.  
  203. Read Captured Traffic back into tcpdump
  204.  
  205. # tcpdump -r capture_file
  206.  
  207. Getting Creative
  208.  
  209. Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:
  210.  
  211. AND
  212. and or &&
  213. OR
  214. or or ||
  215. EXCEPT
  216. not or !
  217. More Examples
  218.  
  219. # TCP traffic from 10.5.2.3 destined for port 3389
  220.  
  221. tcpdump -nnvvS src 10.5.2.3 and dst port 3389
  222.  
  223. # Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
  224.  
  225. tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
  226.  
  227. # Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
  228.  
  229. tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net and not icmp
  230.  
  231. # Traffic originating from Mars or Pluto that isn’t to the SSH port
  232.  
  233. tcpdump -vv src mars and not dst port 22
  234.  
  235. As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
  236.  
  237. Grouping
  238.  
  239. Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:
  240.  
  241. # Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
  242.  
  243. tcpdump src 10.0.2.4 and (dst port 3389 or 22)
  244.  
  245. If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
  246.  
  247. # Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
  248.  
  249. tcpdump ‘src 10.0.2.4 and (dst port 3389 or 22)’
  250.  
  251. Advanced
  252.  
  253. You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
  254.  
  255. [ Hint: An anagram for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
  256.  
  257. Show me all URGENT (URG) packets…
  258.  
  259. # tcpdump ‘tcp[13] & 32!=0‘
  260.  
  261. Show me all ACKNOWLEDGE (ACK) packets…
  262.  
  263. # tcpdump ‘tcp[13] & 16!=0‘
  264.  
  265. Show me all PUSH (PSH) packets…
  266.  
  267. # tcpdump ‘tcp[13] & 8!=0‘
  268.  
  269. Show me all RESET (RST) packets…
  270.  
  271. # tcpdump ‘tcp[13] & 4!=0‘
  272.  
  273. Show me all SYNCHRONIZE (SYN) packets…
  274.  
  275. # tcpdump ‘tcp[13] & 2!=0‘
  276.  
  277. Show me all FINISH (FIN) packets…
  278.  
  279. # tcpdump ‘tcp[13] & 1!=0‘
  280.  
  281. Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets…
  282.  
  283. # tcpdump ‘tcp[13]=18‘
  284.  
  285. [ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump‘s flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
  286.  
  287. Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at offset 13 in the TCP header, the number represents the location within the byte, and the !=0 means that the flag in question is set to 1, i.e. it’s on.
  288.  
  289. As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.
  290.  
  291. Capture TCP Flags Using the tcpflags Option…
  292.  
  293. # tcpdump ‘tcp[tcpflags] & & tcp-syn != 0‘
  294.  
  295. Specialized Traffic
  296.  
  297. Finally, there are a few quick recipes you’ll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.
  298.  
  299. IPv6 traffic
  300.  
  301. # tcpdump ip6
  302.  
  303. Packets with both the RST and SYN flags set (why?)
  304.  
  305. # tcpdump ‘tcp[13] = 6’
  306.  
  307. Traffic with the ‘Evil Bit’ Set
  308.  
  309. # tcpdump ‘ip[6] & 128 != 0‘
  310.  
  311.  
  312. #########
  313. # NGrep #
  314. #########
  315. http://www.binarytides.com/search-network-traffic-ngrep-tutorial/
  316.  
  317. Install ngrep on Ubuntu
  318. $ sudo apt-get install ngrep
  319.  
  320.  
  321. Search network traffic for string "User-Agent: "
  322. $ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
  323.  
  324. In the above command :
  325. a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
  326. b) The d option specifies the interface to sniff. eth0 in this case.
  327. c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
  328.  
  329. 2. Search network packets for GET or POST requests :
  330.  
  331. $ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
  332.  
  333. The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
  334.  
  335. 3. ngrep without any options would simply capture all packets.
  336.  
  337. $ sudo ngrep
  338.  
  339. https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
  340.  
  341. $ sudo ngrep -d eth0 -n 3
  342.  
  343. $ sudo ngrep -d any port 25
  344. This will let you monitor all activity crossing source or destination port 25
  345. (SMTP).
  346.  
  347. $ sudo ngrep -wi -d wlan0 'user|pass' port 6667
  348.  
  349. $ sudo ngrep -wi -d any 'user|pass' port 21
  350.  
  351.  
  352. ###############
  353. # NTop Basics #
  354. ###############
  355. Reference:
  356. https://www.maketecheasier.com/install-configure-ntop/
  357.  
  358.  
  359.  
  360. #################
  361. # PCAP Analysis #
  362. #################
  363. cd /home/malware/Desktop/Browser\ Forensics
  364.  
  365. ls | grep pcap
  366.  
  367. perl chaosreader.pl suspicious-time.pcap
  368.  
  369. firefox index.html
  370.  
  371. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  372.  
  373. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  374.  
  375. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  376. malware
  377.  
  378.  
  379. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  380.  
  381.  
  382.  
  383.  
  384.  
  385. #############################
  386. # PCAP Analysis with tshark #
  387. #############################
  388. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  389.  
  390.  
  391. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  392.  
  393.  
  394. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  395.  
  396.  
  397. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  398.  
  399.  
  400. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  401.  
  402. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  403.  
  404. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  405.  
  406. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  407.  
  408. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  409.  
  410.  
  411. whois rapidshare.com.eyu32.ru
  412.  
  413. whois sploitme.com.cn
  414.  
  415.  
  416. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  417.  
  418. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  419.  
  420. tshark -r suspicious-time.pcap -qz http_req,tree
  421.  
  422. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  423.  
  424. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  425.  
  426.  
  427.  
  428. ######################################
  429. # PCAP Analysis with forensicPCAP.py #
  430. ######################################
  431. cd ~/Desktop
  432. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  433.  
  434. sudo easy_install cmd2
  435. malware
  436.  
  437. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
  438.  
  439. ForPCAP >>> help
  440.  
  441.  
  442. Prints stats about PCAP
  443. ForPCAP >>> stat
  444.  
  445.  
  446. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  447. ForPCAP >>> dns
  448.  
  449. ForPCAP >>> show
  450.  
  451.  
  452. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  453. ForPCAP >>> dstports
  454.  
  455. ForPCAP >>> show
  456.  
  457.  
  458. Prints the number of ip source and store them.
  459. ForPCAP >>> ipsrc
  460.  
  461. ForPCAP >>> show
  462.  
  463.  
  464. Prints the number of web's requests and store them
  465. ForPCAP >>> web
  466.  
  467. ForPCAP >>> show
  468.  
  469. Prints the number of mail's requests and store them
  470. ForPCAP >>> mail
  471.  
  472. ForPCAP >>> show
  473.  
  474.  
  475. ###############
  476. # Snort Build #
  477. ###############
  478. http://computer-outlines.over-blog.com/article-nids-snort-barnyard2-apache2-base-with-ubuntu-14-04-lts-123532107.html
  479.  
  480.  
  481. ###################
  482. # Surricata Build #
  483. ###################
  484. https://gist.github.com/cleesmith/3ae872eb46d1ea102667
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement