Friday, August 27, 2010

Advanced tcpdump Kung-Fu

So I was messing with tcpdump again and needed a quick refresher on filters. I went back to one of my blog posts and some other resources I found on Google and quickly got up to speed. I wanted to take things a little further, however, and looked to get creative.

I started out by filtering ICMP packets. I wanted to only see ping request (echo request, type 8) packets coming to me, so I created the filter as follows:

# tcpdump -ni eth0 'icmp and (icmp[0] = 0x08)'

I then only wanted to extract the IP address of the host sending those ICMP requests (field 3 of tcpdump's output):

# tcpdump -lni eth0 'icmp and (icmp[0] = 0x08)' | cut -d " " -f 3 // Note that the '-l' option must be included to make stdout line buffered, otherwise nothing reaches cut until the buffer fills

With this information, I imagined taking things a little further. What I then wanted to do was to block any machine that was sending ICMP echo requests. I then remembered that honeyport script that was in a recent pauldotcom segment (I also blogged about it recently as well. It's really kool).


So the script went like this:

#!/bin/bash
# Loop forever: grab one echo request, pull the source address out of field 3,
# then drop TCP and further pings from that address.
# Note: tcpdump sees packets before the INPUT chain drops them, so a host that
# keeps pinging will get duplicate rules added on every iteration.
while true; do
    IP=$(tcpdump -c 1 -lni eth0 'icmp and (icmp[0] = 0x08)' | cut -d " " -f 3)
    echo -e "\n${IP} is pinging you."
    echo -e "Blocking IP: ${IP}"
    iptables -A INPUT -p tcp -s "${IP}" -j DROP
    iptables -A INPUT -p icmp --icmp-type 8 -s "${IP}" -j DROP && echo -e "Blocked...\n"
done

Then make the script file executable and let her rip.
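Before running something like that against a live firewall, it helps to test the parsing part on its own. The following is an added example, not the post's script: it takes tcpdump's one-line ICMP output on stdin, keeps one entry per source address (so a repeat pinger does not get a pile of duplicate rules), and prints the iptables commands as text instead of running them. The sample lines are constructed in tcpdump's `-n` output format; the interface name and the function names are my own.

```shell
#!/bin/bash
# Added example: dry-run version of the "block whoever pings me" loop.

# Print the source address (field 3) of every ICMP echo request line,
# de-duplicated in first-seen order. fflush() keeps it usable in a live pipe.
echo_request_sources() {
    awk '/ICMP echo request/ && !seen[$3]++ { print $3; fflush() }'
}

# The two rules the post adds for one address, printed rather than executed.
block_rules_for() {
    ip="$1"
    printf 'iptables -A INPUT -p tcp -s %s -j DROP\n' "$ip"
    printf 'iptables -A INPUT -p icmp --icmp-type 8 -s %s -j DROP\n' "$ip"
}

# Constructed sample in tcpdump -n format (not real captured traffic).
SAMPLE='12:00:01.000001 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 192.0.2.1 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 1, seq 2, length 64
12:00:03.000001 IP 198.51.100.7 > 192.0.2.1: ICMP echo request, id 2, seq 1, length 64'

# Dry run over the sample: unique pingers in, rules out.
dry_run() {
    printf '%s\n' "$SAMPLE" | echo_request_sources | while read -r ip; do
        echo "${ip} is pinging you."
        block_rules_for "$ip"
    done
}

dry_run

# Live use (needs root and a real interface) keeps the same shape; piping the
# rules through sh is what actually applies them:
#   tcpdump -lni eth0 'icmp and (icmp[0] = 0x08)' | echo_request_sources |
#       while read -r ip; do block_rules_for "$ip" | sh; done
```

Running it prints two "is pinging you" lines and four iptables commands for the sample: 192.0.2.10 appears once even though it sent two requests, and the echo reply line is ignored because it does not match the filter.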


The next small project I did was filtering out traffic coming from the server, but only the data that has the TCP flags PUSH or ACK set. I was using the edna music server for demonstration purposes, and it defaults to port 8080.

So in one terminal I had my tcpdump sniffer set up like this:

# tcpdump -w dump.pcap -s0 -ni eth0 'tcp and src port 8080 and ((tcp[13] = 0x18) or (tcp[13] = 0x10))'

So the idea behind this is that when a client connects, requests a song and streams it, I can be the man in the middle just pulling the data that is sent back to the client in a stealthy manner. When you're finished with your sniffing session you can combine some command line tools to retrieve your data:

# tcpflow -C -r dump.pcap | strings | grep "Content-Type" | cut -d " " -f 2 | sort // this gives you a list of the content types that were sent to the client. Note that -C prevents tcpflow from writing the different streams into files and instead just displays the data on standard out.

# tcpflow -C -r dump.pcap | more -d // after you issue this command you can hit the h key to get helpful commands. The "/" is a common option used when you want to do regex searches through the data
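The `tcp[13] = 0x18` and `tcp[13] = 0x10` comparisons above work because offset 13 of the TCP header is the flags byte. The helper below is an added example, not something from the post or from tcpdump itself: it turns flag names into that byte value, decodes a byte back into names, and builds both an exact-match filter (what the post uses) and a mask filter (any packet with at least those flags). The function names are my own.

```shell
#!/bin/bash
# Added example: working with the TCP flags byte, tcp[13].
# Bit layout: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128

flag_bit() {
    case "$1" in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Sum of the named flags as hex, the value you write after "tcp[13] =".
flags_hex() {
    total=0
    for f in "$@"; do
        bit=$(flag_bit "$f") || return 1
        total=$((total + bit))
    done
    printf '0x%02x\n' "$total"
}

# Decode a flags byte (hex or decimal) back into names, e.g. 0x18 -> "PSH ACK".
flag_names() {
    v=$(($1))
    out=""
    for f in FIN SYN RST PSH ACK URG ECE CWR; do
        [ $((v & $(flag_bit "$f"))) -ne 0 ] && out="$out $f"
    done
    printf '%s\n' "${out# }"
}

# Exact match: the flag byte must equal this set and nothing else.
# "tcp[13] = 0x18" matches PSH+ACK but not PSH+ACK+URG.
exact_filter() {
    printf 'tcp[13] = %s\n' "$(flags_hex "$@")"
}

# Mask match: all of the named flags set, other bits don't care.
# "(tcp[13] & 0x10) = 0x10" also matches SYN+ACK and FIN+ACK, which the
# post's exact-match pair deliberately does not.
has_flags_filter() {
    h=$(flags_hex "$@")
    printf '(tcp[13] & %s) = %s\n' "$h" "$h"
}

# The post's two-clause filter rebuilt from names: exactly PSH+ACK, or exactly ACK.
post_style_filter() {
    printf '(%s) or (%s)\n' "$(exact_filter PSH ACK)" "$(exact_filter ACK)"
}

post_style_filter
has_flags_filter PSH ACK
flag_names 0x18
```

The difference between the two forms matters for what ends up in the capture: the exact form keeps the data-carrying ACK and PSH+ACK segments and silently skips handshake and teardown segments, while the mask form would pull those in too. libpcap also accepts symbolic names for the same thing (`tcp[tcpflags] & (tcp-push|tcp-ack)`), so the hex arithmetic is a convenience rather than a requirement.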


Just another kool thing you can do on the fly to see the URLs that are being requested:

# tcpdump -lni eth0 'dst port 53' | cut -d " " -f 8

If you wanted the IP addresses of the clients as well, you can have another tcpdump window running simultaneously along with the above (have them running side by side, line by line, so interpretation is more efficient):

# tcpdump -lni eth0 'dst port 53' | cut -d " " -f 3
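Rather than lining up two windows by eye, one stream of tcpdump output can be turned into "client, query type, name" lines. This is an added example, not from the post: it reads tcpdump `-n` output on stdin, finds the field that ends in `?` (the query type) instead of hard-coding field 8, so lines that carry an extra EDNS marker such as `[1au]` still parse, strips the source port from the client address, and ignores responses. The sample lines are constructed and the function names are mine.

```shell
#!/bin/bash
# Added example: join DNS client address and queried name from one tcpdump stream.

dns_queries() {
    awk '{
        qtype = ""
        # Walk fields after the "src > dst:" part; the query type ends in "?"
        # and the name follows it. Responses have no "?" field and are skipped.
        for (i = 6; i < NF; i++)
            if ($i ~ /\?$/) { qtype = substr($i, 1, length($i) - 1); name = $(i + 1); break }
        if (qtype == "") next
        client = $3; sub(/\.[0-9]+$/, "", client)   # drop the source port
        sub(/\.$/, "", name)                        # drop the trailing dot
        print client, qtype, name
        fflush()                                    # keep a live pipe flowing
    }'
}

# Queries per client, most active first.
top_clients() {
    dns_queries | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample in tcpdump -n format (not real captured traffic).
DNS_SAMPLE='12:00:00.000001 IP 192.0.2.10.40001 > 192.0.2.53.53: 1234+ A? www.example.com. (33)
12:00:00.000002 IP 192.0.2.53.53 > 192.0.2.10.40001: 1234 1/0/0 A 93.184.216.34 (49)
12:00:00.000003 IP 192.0.2.11.40002 > 192.0.2.53.53: 5678+ AAAA? mail.example.net. (34)
12:00:00.000004 IP 192.0.2.10.40003 > 192.0.2.53.53: 9999+ [1au] A? www.example.org. (44)'

printf '%s\n' "$DNS_SAMPLE" | dns_queries
printf '%s\n' "$DNS_SAMPLE" | top_clients

# Live use: tcpdump -lni eth0 'dst port 53' | dns_queries
```

On the sample this yields three query lines (the response line is dropped) and shows 192.0.2.10 as the busiest client with two lookups.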
