Thursday, August 13, 2009

TCPDUMP

TCPDUMP USE
The following will record all raw traffic to a dump file for later analysis. The -s 0 option tells tcpdump to save each packet in full rather than truncating it to the default snap length; because the output is going to a file, the -v option makes tcpdump report every 10 seconds the number of packets captured so far.
tcpdump -i eth0 -s 0 -v -w traffic.pcap
The following tcpdump example will dump raw binary Yahoo IM traffic to stdout. Note the '-w -' option, which writes the binary capture to stdout instead of a file.
tcpdump -i eth0 -n -l -w - "port mmcc"
This will dump Yahoo IM traffic with unreadable binary characters filtered out. The -A, -q, and -s 0 options together print each full packet as ASCII with minimal protocol decoding; the -l option sets line-buffered output, which matters when piping into another program. Remove the -t option if you would like to see a timestamp on each packet.
tcpdump -i eth0 -l -t -A -q -s 0 "port mmcc"
You may sometimes get a "Permission denied" error when working with tcpdump. On systems where AppArmor confines tcpdump, this is the likely cause. You can check whether a profile is loaded by running this command:
grep tcpdump /sys/kernel/security/apparmor/profiles
If tcpdump is listed in that file, you can switch its AppArmor profile to complain mode (log instead of block) by running the following:
aa-complain /usr/sbin/tcpdump
The following will dump mail traffic.
tcpdump -i eth0 -l -t -A -q -s 0 "port 25 or port 587 or port 110 or port 143"




To display the Standard TCPdump output:

#tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36

To display the verbose output:

#tcpdump -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

Network interfaces available for the capture:

#tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
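As an added example (not part of the original notes), a small script that reads the one-line output shown above and reports inbound TCP SYNs aimed at the local network, such as the 125.175.131.58 > 192.168.1.2.9501 connection attempt in the last line. It assumes the classic "src.port > dst.port: S" layout (and also accepts the newer "Flags [S]," form); LOCAL_NET is an assumed local prefix and the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes. Parse tcpdump -n one-line
# output and report inbound TCP SYNs (connection attempts) aimed at hosts
# in LOCAL_NET (assumed prefix). Output: "src_ip src_port dst_ip dst_port".
LOCAL_NET="192.168.1."

inbound_syns() {
    awk -v lnet="$LOCAL_NET" '
    # Split "a.b.c.d.port" into the address (returned) and PORT (global).
    function addr(s,    a, n, i, ip) {
        n = split(s, a, "."); ip = a[1]
        for (i = 2; i < n; i++) ip = ip "." a[i]
        PORT = a[n]; return ip
    }
    # Classic format: "S seq:seq(0) win" with no "ack" word is a pure SYN;
    # "S seq:seq(0) ack N" is the SYN-ACK reply and is skipped.
    # Newer tcpdump prints "Flags [S]," for a pure SYN instead.
    $2 == "IP" && (($6 == "S" && $8 != "ack") || ($6 == "Flags" && $7 == "[S],")) {
        sip = addr($3); sp = PORT
        dst = $5; sub(/:$/, "", dst)
        dip = addr(dst); dp = PORT
        # Inbound means the destination is ours and the source is not.
        if (index(dip, lnet) == 1 && index(sip, lnet) != 1)
            print sip, sp, dip, dp
    }'
}

# Constructed sample: two lines copied from the capture above plus a
# SYN-ACK reply, an outbound SYN and a newer-format inbound SYN.
SAMPLE='22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535
22:02:57.866990 IP 192.168.1.2.9501 > 125.175.131.58.3608: S 1000:1000(0) ack 3275472680 win 5840
22:02:58.100000 IP 192.168.1.2.40332 > 91.198.174.2.80: S 2000:2000(0) win 5840
22:02:59.000000 IP 203.0.113.9.51000 > 192.168.1.2.22: Flags [S], seq 3000, win 65535'

printf '%s\n' "$SAMPLE" | inbound_syns
```

Feed it a saved text capture (tcpdump -n > capture.txt; inbound_syns < capture.txt) to list which outside hosts tried to open connections to you and on which ports.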

To display the quick output:

#tcpdump -q
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53

Capture the traffic of a particular interface:

tcpdump -i eth0
To capture the UDP traffic:

#tcpdump udp
To capture the TCP port 80 traffic:

#tcpdump port http
To capture the traffic from a filter stored in a file:

#tcpdump -F file_name
To create a file containing the filter (here TCP port 80):

#vim file_name
port 80
To stop the capture after 20 packets:

#tcpdump -c 20
To send the capture output to a file instead of directly to the screen:

#tcpdump -w capture.log
To read a capture file:

#tcpdump -r capture.log
reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win86
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527

The captured data isn't stored in plain text, so you cannot read it with a text editor; you have to use a tool such as tcpdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.

The capture.log file is opened with Wireshark.


To display the packets having "www.openmaniak.com" as their source or destination address:

#tcpdump host www.openmaniak.com
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
To display the packet contents:

#tcpdump -A
Packets captured during an FTP connection. The FTP password can easily be intercepted because it is sent to the server in clear text.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP ubuntu.local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
....g....................
............
20:53:24.879473 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
....g.I@.............
........
20:53:24.881654 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 43 win 183
....g.I@.......8.....
......EN
20:53:26.402046 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
....g.I@......`$.....
...=..ENUSER teddybear

20:53:26.403802 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 76 win 183
....h.I@.............
...>..E^
20:53:29.169036 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
....h.I@......#c.....
......E^PASS wakeup

20:53:29.171553 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 96 win 183
....h.I@.,...........
......Ez
20:53:29.171649 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
....h.I@.,...........
......EzSYST

20:53:29.211607 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 115 win 183
....h.I@.?.....j.....
......Ez
20:53:31.367619 IP ubuntu.local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
....h.I@.?...........
......EzQUIT

20:53:31.369316 IP ubuntu.local.40205 > 192.168.1.2.ftp: . ack 155 win 183
....h.I@.g...........
......E.
20:53:31.369759 IP ubuntu.local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
....h.I@.h.....e.....
......E.

We see in this capture the FTP username (teddybear) and password (wakeup).

===============================
===============================


Tcpdump is the premier network analysis tool for information security and networking enthusiasts and/or professionals. In my own primer I cover tcpdump basics; if you're interested in becoming familiar with the application via an introduction, I suggest you check it out first.

Here I'm simply going to give a number of recipes that you're likely to find useful during your day to day activities. They will range from common, general captures to complex filters designed to look for a number of unique traffic types.

Basics

Below are a few options you can use when invoking tcpdump in order to control the output. The examples given will be in the basic form of tcpdump $recipe, so remember to add your own options as needed.

Basic Communication // See the basics without many options

# tcpdump -nS
Basic Communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS
A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS
Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet

# tcpdump -nnvvXSs 1514

Recipes

1. host // look for traffic based on IP address (also works with hostname if you're not using -n)
# tcpdump host 1.2.3.4

2. src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

3. net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24

4. proto // works for tcp, udp, and icmp. Note that you don't have to type proto
# tcpdump icmp

5. port // see only traffic to or from a certain port
# tcpdump port 3389

6. src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 3389


Combinations

TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks (the parentheses are required: "and" and "or" have equal precedence and associate left to right, so without them the filter would also match any traffic to 172.16 regardless of its source):
# tcpdump 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port:
# tcpdump -vv src mars or pluto and not dst port 22

Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22:
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

Advanced filters can help with troubleshooting and can reveal anomalous traffic on a network that would normally go unnoticed.

Finding Flags

Hint: Use the following acronym to remember your flags: Unskilled Attackers Pester Real Security Folk

Show me all URG packets:
# tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:
# tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:
# tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:
# tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:
# tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:
# tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:
# tcpdump 'tcp[13] = 18'
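As an added example (not from the original page), a few shell helpers that build these tcp[13] expressions for any combination of flags. They go one step beyond the list above by masking out the two ECN bits that live in the same byte (CWR = 128, ECE = 64), which would otherwise make the exact-match form tcp[13] = 18 miss an ECN-marked SYN-ACK; the bit values are the standard TCP flag bits, the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: generate tcp[13] filters for
# arbitrary flag sets. Bit values are the standard TCP header flag bits.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of the named flags: "flag_mask SYN ACK" -> 18.
flag_mask() {
    mask=0
    for f in "$@"; do
        bit=$(flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# Packets with ANY of the named flags set (the form used in the list above).
filter_any_set() { m=$(flag_mask "$@") || return 1; echo "tcp[13] & $m != 0"; }

# Packets with ALL of the named flags set, other bits ignored.
filter_all_set() { m=$(flag_mask "$@") || return 1; echo "tcp[13] & $m = $m"; }

# Packets with EXACTLY the named flags among the six classic ones.
# Masking with 63 (0x3f) drops CWR/ECE, so an ECN-marked SYN-ACK
# (byte value 0x52 = SYN+ACK+ECE) still matches, unlike "tcp[13] = 18".
filter_exactly() { m=$(flag_mask "$@") || return 1; echo "tcp[13] & 63 = $m"; }

# New inbound connection attempts: SYN set and ACK clear.
filter_syn_only() { echo "tcp[13] & $(flag_mask SYN ACK) = $(flag_mask SYN)"; }

filter_any_set URG        # tcp[13] & 32 != 0
filter_exactly SYN ACK    # tcp[13] & 63 = 18
filter_syn_only           # tcp[13] & 18 = 2
```

Use the output as the filter argument, e.g. tcpdump -nn "$(filter_syn_only)" to watch only fresh connection attempts.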

How do I install software on Slackware?

A little roll-your-own walkthrough:

This walkthrough covers non-system, user programs, not root-only programs. (For system programs the walkthrough is the same, except that you will want to be root and work in the /usr/src directory.)

1. Make a directory under your home directory (optional) to build software in, from the command line:
mkdir ~/src

Then change directory into it:

cd ~/src

2. Get your source code. You can find this at sourceforge.net or freshmeat.net, and a few other places. These sites often list dependencies; pay close attention, because if you don't have one of the programs that the program you want "depends" on, it will either not compile or not run after it is compiled. You may have to install the programs it depends on first. Save the source in /home/YourUsername/src (this is the same as "~/src"). These files will have the extension "tar.gz" or "tar.bz2". Side note: TAR is an acronym for Tape ARchive; these files are often called "tarballs".

3. From the command line, make sure you're still in "~/src" and that your file is saved in the correct location:

ls -la ./

Then let's uncompress the archive:
If it is a "tar.gz" then use this command:

tar -zxvf ./NameOfFile.tar.gz

If it is "tar.bz2" then:

tar -xvjf ./NameOfFile.tar.bz2

This will uncompress the tarball and put the data in a directory that it creates; the directory will have the same name as the original file, only without the extension.

Side note: the difference between them is the type of compression: gzip (.gz) and bzip2 (.bz2).

4. Next, read the README and INSTALL files. They may or may not exist, and they may or may not contain anything useful. First let's get into the right directory:

cd ./NameOfFile/

Then check whether README or INSTALL files exist:

ls -la | less

("|" is above your enter key)

You can read them from the command line:

vim ./README

and

vim ./INSTALL

You can replace "vim" in the above with nano, pico, elvis or emacs.
These are different editors. The editor you choose is a highly personal thing (I really don't know why; I could care less. I have seen many debates on which one is better....)

If you are in GNOME or KDE, just browse to it and use the default editor.

It is hard to say whether these contain anything useful; here you will have to use your judgement. If some info seems important and doesn't make any sense, you could probably post it...

5. Then we need to check the configure options:

./configure --help | less

This will give you a list of options. Read these carefully: the feature you want in the software may not be enabled by default. Also, if you enable an option that clearly depends on other software, you will need to make sure that software exists on your system. A common example is Samba support.

6. Let's configure:

./configure --enable-option1 --enable-option2

The "--enable-option" flags are obtained from step 5 above; your software may not need any options, and that's OK. Yours may simply look like:

./configure

If it gives you errors, most likely it is because of missing dependencies. You will need to resolve these before continuing.

7. Compile the software (make is found on your PATH, not in the source directory, so it is not prefixed with ./):

make

If it gives you errors at this point:
A-- Make sure your dependencies are met! And double-check README, INSTALL and your compile options.
B-- Email the maintainer of the software with your very specific hardware, your distro/version, and compile options. Include the error from the command line; it will be many lines above where it crashes. Ask if he would like you to do a backtrace. (If he would like a backtrace, ask for instructions.) Don't expect an answer right away; people do these things in their spare time. Be courteous!!! You're getting (or will get) free software! If he wants any other info, try to provide it for him.
C-- If you are great at debugging software, by all means fix the problem. Then send a patch back to the maintainer.

If you didn't have any troubles, congrats, you've compiled some software.

8. Make a package out of the software. This is very distro specific, and is needed if you want your package management software to be able to remove it. I unfortunately cannot help much with this one; I'm sure many people here can help with this step. On my distro of choice (Slackware) the line between package and source install is very thin, so I don't use this step.

In Slackware it would be (you will need to be root):
makepkg name-version-arch-build.tgz

9. Now we need root privileges to install the software:

su

(It will now ask for your root password)

If you skipped 8 above:

make install

If you made a package out of it, use your package installer (distro specific) to install the software.

In Slackware:
installpkg name-version-arch-build.tgz

10. Try to run the software. The first time, run it from the command line; if it crashes, this will give you some hints as to what happened. You may be able to fix it; if not, send the maintainer any information you can about the crash. Again, be courteous (even if they are not!).

11. If you need to re-compile (with some software you may have to do this many times, lol):
First:

make clean

Second (this may or may not work; don't be too concerned if it doesn't):

make uninstall

Then follow the steps again...



I hope somebody finds this useful; pretty slow day here in Montana.

Many connections together

If you have several connections such as PPPoE, LAN, dial-up, etc., more than one can be up at once, but remember that you need to use the gateway of the connection you have chosen in order to reach the Internet.
First:
route del default : deletes the default gateway
route add default gw XXX.XXX.XXX.XXX : sets the new default gateway
route -n : view connections and their gateways
cat /etc/resolv.conf : view the DNS servers
If you connect over PPPoE and you have a bridged connection, you need to use this command line instead:
route add default dev ppp0

Untar

if it ends in .tar:

tar -xvf filename.tar
(you don't need the v, it is for verbose; I like verbose, though)

if it ends in .tar.gz:
tar -zxvf filename.tar.gz

if it ends in .tar.bz2:
tar -Ixvf filename.tar.bz2 or tar -jxvf filename.tar.bz2

(many non-Debian systems don't have bzip2 integrated into their tar yet; Debian 2.2 uses -Ixvf and Debian 3.0 uses -jxvf)

if it ends in .tar.Z:
tar -Zxvf filename.tar.Z
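As an added example (not part of the original notes) that serves both step 3 of the Slackware walkthrough and this Untar section: one function that chooses the tar switches from the file extension and, before extracting, lists the archive and refuses any member whose name is absolute or contains "..", since a tarball downloaded from a third-party site can otherwise write outside the directory you expected. It assumes GNU tar (the -z/-j/-Z switches used above); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: extension-driven untar with
# a pre-extraction check of member names. Assumes GNU tar.

# Map an archive name to the tar compression switch (empty for plain .tar).
tar_flag() {
    case "$1" in
        *.tar.gz)  echo z ;;
        *.tar.bz2) echo j ;;
        *.tar.Z)   echo Z ;;
        *.tar)     echo "" ;;
        *) echo "unknown archive type: $1" >&2; return 1 ;;
    esac
}

# Read member names on stdin and print those that would escape the
# target directory: absolute paths, or any ".." path component.
check_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Extract $1 into $2 (default: current directory).
# Returns 1 for a missing file or unknown type, 2 if unsafe members exist.
untar() {
    archive=$1; dest=${2:-.}
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 1; }
    f=$(tar_flag "$archive") || return 1
    # List first; nothing is written to disk until the names have been checked.
    bad=$(tar -t${f}f "$archive" | check_members)
    if [ -n "$bad" ]; then
        printf 'refusing %s, unsafe member(s):\n%s\n' "$archive" "$bad" >&2
        return 2
    fi
    mkdir -p "$dest"
    tar -x${f}vf "$archive" -C "$dest"
}

# Usage, as in the walkthrough: untar ./NameOfFile.tar.gz ~/src
```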