Packet Capture
Capturing network traffic is often part of vulnerability scanning, and of reconnaissance in general. Seeing what data is being transmitted, and what is in that data, can be very useful: it shows which hosts talk to which services, which protocols are in use, and whether anything sensitive travels in the clear. In this section, we will take a look at two common packet sniffers.
tcpdump
One of the most common packet sniffers for Linux is tcpdump. It is installed by default on many distributions and is otherwise available from the package repositories or from http://www.tcpdump.org/. It has also been ported to Windows as WinDump, which you will need to download separately. tcpdump works from the shell/command line and is relatively easy to use. Because capturing puts the interface into promiscuous mode, it has to be run as root (or with the CAP_NET_RAW and CAP_NET_ADMIN capabilities). To start it, you indicate which interface to capture packets on, such as:
tcpdump -i eth0
This command causes tcpdump to capture the network traffic on the network card eth0 and print a one-line summary of each packet until you stop it with Ctrl-C. You can also alter tcpdump's behavior with a variety of command-line flags, such as the following:
tcpdump -c 500 -i eth0
This tells tcpdump to capture only the first 500 packets on interface eth0 and then stop.
tcpdump -D
This command will display all of the interfaces on your computer so you can select which one to use. You can see all three of these options in Figure 8-2.
FIGURE 8-2 TCP Dump.
There are several ways to use tcpdump. Everything after the flags is a filter expression in the BPF (pcap-filter) syntax, and primitives can be combined with and, or, and not. Here are a few examples:
tcpdump host 192.168.2.3 will only show you traffic going to or from 192.168.2.3.
tcpdump -i any gets traffic to and from any interface on your computer.
tcpdump -i eth0 will only get traffic for the interface eth0.
tcpdump port 3389 will only show traffic for port 3389 (RDP), in either direction.
tcpdump port 25 will only show traffic to or from TCP/UDP port 25, which is how you select a protocol such as SMTP: tcpdump filters on addresses and ports, not on the application protocol itself, so a bare protocol name is not a valid filter (the name form port smtp works only because it is looked up in /etc/services).
Two flags are worth adding to almost every capture: -nn turns off host and port name resolution, which both speeds the capture up and avoids sending DNS queries of your own onto the target network, and -w file.pcap writes the raw packets to a file that you can later replay with tcpdump -r or open in Wireshark.
You can find more details at https://danielmiessler.com/study/tcpdump/#complex-grouping.
Wireshark
Wireshark is one of the most widely known network packet sniffers. Often a penetration tester can learn a great deal from simply sniffing the network traffic on a target network. Wireshark provides a convenient graphical user interface (GUI) for examining network traffic, as opposed to being command line based. It is a free download, available for Windows and macOS at https://www.wireshark.org/ and for Linux from the distribution's package repositories. Figure 8-3 shows the main Wireshark interface.
FIGURE 8-3 Wireshark Main Screen.
If you click the Expression button (shown in the red box in Figure 8-4), the Display Filter Expression window appears (also shown in Figure 8-4), allowing you to build filters by picking a protocol field, a comparison operator, and a value instead of typing the expression by hand.
FIGURE 8-4 Filters.
Filters are necessary because Wireshark captures all traffic it sees, which leads to a lot of irrelevant packets. By using filters, you can pare down what is shown to just what you are currently interested in. Wireshark has two kinds of filters, and it pays to keep them apart: capture filters use the same BPF syntax as tcpdump and decide which packets are recorded at all, while display filters use Wireshark's own field-based syntax (fields such as ip.addr, tcp.port, or http.request) and only change which of the already captured packets are shown. The Expression window builds display filters. It should also be noted that the filter language is one aspect of Wireshark that has expanded a great deal in the last few versions.
When using Wireshark, you can select any packet and see its details, including the Ethernet, IP, and TCP headers, as demonstrated in Figure 8-5. You can also right-click a specific packet and choose Follow > TCP Stream to view the entire conversation that packet belongs to, with both directions reassembled in order so that, for example, a whole HTTP request and response can be read as text.
When you double-click any packet, it opens in its own window, where you can expand each header and see the corresponding raw bytes highlighted, as shown in Figure 8-6.
FIGURE 8-5 Follow TCP Stream.
FIGURE 8-6 Packet Details.
If you click the Statistics drop-down menu, there are a number of interesting options, shown in Figure 8-7.
FIGURE 8-7 Wireshark Statistics.
As you can see, if DNS or DHCP traffic has been captured, you can select that option to gather statistics for that protocol. Conversations lists IPv4, IPv6, TCP, and UDP conversations with packet and byte counts per pair of endpoints, which is a quick way to find the hosts that talk the most and the services they use. The HTTP submenu summarizes requests, response codes, and the hosts contacted. Obviously there are many other choices. This chapter is not meant to be a Wireshark tutorial, but rather hopes to provide you a basic working knowledge of Wireshark.
Wireshark is a very versatile tool, and it is worth taking the time to learn its features thoroughly. Fortunately, there are a number of resources on the Wireshark page at https://www.wireshark.org/#learnWS to help you learn.
The reason you use a tool like Wireshark is to get a very granular view of what is being transmitted over the network. You may actually see data, including credentials, sent in cleartext; HTTP Basic authentication, FTP, Telnet, and SNMPv1/v2c community strings are common offenders. Or you will see TLS being established and used, in which case the application data is opaque, although the handshake still reveals the server name (SNI) and, with TLS 1.2 and older, the server's certificate. You may also see error codes sent back from a web server. There is a wealth of data that can be derived from mapping network traffic. Keep in mind, though, that on a switched network your interface only sees broadcast and multicast traffic plus the traffic addressed to it; to see other hosts' conversations you need a SPAN/mirror port, a network tap, or a position in the traffic path.
