Tuesday, September 28, 2010

Stripping The Port Off Tcpdump Output

You can use the sed command in Linux to strip off the port from tcpdump output, after using awk to pull out the IP addresses. tcpdump adds a decimal point and the port number to both the source and destination, such as 192.168.11.1.23, which would designate port 23 on 192.168.11.1. If you wanted to capture all the source addresses on your network, you could do so with something like: tcpdump -nn -i eth0 -q | awk '{print $3}'. We're piping the output of tcpdump to the awk command instead of the screen and telling awk to print the third column. Our output, without awk,  would look something like this:
11:59:15.871010 IP 64.30.1.50.62792 > 71.40.100.181.443: tcp 31
awk prints only the third column, separated by spaces.
64.30.1.50.62792
To strip the last octet off, which is the port number, we could pipe the results of awk through sed, using the search and replace function, like this: sed 's/.[^.]*$//'

What we would then have would be just a column of source IP addresses. Pipe it into a text file using the redirection operator, > file1.
Now we can run that file through the sort command, to sort them numerically, and then through the uniq command, to remove duplicates, and pipe that into another filename:
sort file1 | uniq > file2.

So command 1 would be:
tcpdump -nn -i eth0 -q | awk '{print $3}' | sed 's/.[^.]*$//'  > file1 (change the -i parameter to whatever interface you will be monitoring)

And command2 would simply be:

sort file1 | uniq > file2

And file 2 can then be search, or run through a script to resolve hostnames, imported into a spreadsheet for reporting or whatever is needed.

Thursday, September 23, 2010

IDABench

One of my very favorite tools is IDABench. IDABench is a packet auditing tool using perl and tcpdump (and other libpcap based tools), based on Shadow. If you're familiar with Shadow, you know it's basic function is to capture packets into hourly dump files and give you a Web based interface to search those packets, as well as giving you a daily summary of source and destination addresses and ports. George Bakos, when he was at ISTS, the Institute for Security Technology Studies at Dartmouth, took Shadow and revamped it with Perl scripts to allow you to use ngrep, tethereal (now Wireshark's tshark) and p0f. What's even better is that IDABench is modular and can be modified to use just about any tool that can read pcap files. It runs on Linux and Apache and is a great tool for the intrusion analyst or team that looks at packets frequently. It hasn't been maintained for a number of years and as I searched for a download link, I found they all point back to ISTS and the page doesn't exist. That's a real shame, it's a very useful tool. If you're interested in trying it, let me know and I'll get the files to you...

Friday, September 10, 2010

Another Great Tool

There are a number of good packet crafting tools available for Linux distributions, including scapy, nemesis and my favorite, hping.
hping was written by Salvatore Sanfilippo and is now in it's third major version (last updated in 2005).
It is a packet crafter, which means it allows you to construct and send packets independent of your TCP/IP stack built into your OS, using raw sockets. You can create TCP (the default), ICMP, UDP or raw IP packets (no higher level embedded protocol)
hping is a command line tool run inside a tcl interpreter, so you can make use of all of tcl's abilities to script your commands.
You can download the tool here.

A basic example of crafting your own packets:

Let's use hping to send an ICMP Address Mask Request. We need to to know the ICMP type and code  for this, which is type 18, no code. We would construct our command as follows:


hping -1 -C 18  10.10.10.1

Here we're telling hping to send an ICMP packet (-1) of Type 18 (-C) to address 10.10.1.1.

Hping will display a line like this showing what operation it's doing:
HPING 10.10.1.1 (eth0 10.10.1.1): icmp mode set, 28 headers + 0 data bytes

Any replay from the host will be printed to the screen. In this case, the destination address dropped our packets. When we kill the command (Control-C), we'll see the stats:

--- 10.10.1.1 hping statistic ---
15 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

There's a built-in macro for this command, which is icmp--addr, so we could have just run hping icmp-addrr 10.10.1.1.

Lets use hping to send a ping packet so we can see the results:

hping -1 -C 8 10.10.1.1

HPING 10.10.1.1 (eth0 10.10.1.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.1.1 ttl=255 id=30150 icmp_seq=0 rtt=0.4 ms
len=46 ip=10.10.1.1 ttl=255 id=15674 icmp_seq=1 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=46964 icmp_seq=2 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=23097 icmp_seq=3 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=8324 icmp_seq=4 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=7159 icmp_seq=5 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=19765 icmp_seq=6 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=54740 icmp_seq=7 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=30929 icmp_seq=8 rtt=0.2 ms
^C
--- 10.10.1.1 hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.4 ms

Just like using the ping command, we see our response showing the ttl, sequence number and round trip time.

Now lets use hping to send some data in a TCP packet. Suppose we just wrote a very simple  IDS signature that looked for the string "evil_string_123" and wanted test and make sure it worked.
First, we'd create a text file with the string in it. Lets say we called it packet_data.

Now we could use hping to fire that packets wit that string to a host that sits behind our IDS, then watch for our signature to fire.

hping -p -S -d 14 -E packet_data 10.10.1.2

Here we're using a TCP packet (the default, so we don't need to specify) with the Syn flag set (-S), a data size of 20  in a file called packet_data, going to host 10.10.1.2.

Running a sniff on the box we're using, we should see our string in the packet data, like this:


12:09:17.837181 IP 10.10.1.15.2572 > 10.10.80.203.22: Flags [S], seq 168566124:168566144, win 512, length 20
        0x0000:  4500 003c 412a 0000 4006 d37c 0a0a 010f  E..
        0x0010:  0a0a 0102 0a0c 0016 0a0c 1d6c 5796 3dbf  ..P........lW.=.
        0x0020:  5002 0200 a8f6 0000 6576 696c 5f73 7472  P.......evil_str
        0x0030:  696e 675f 3132 330a 0000 0000            ing_123.....



Salvatore goes in depth in using the tool, especially in the tcl shell for scripting here.

Blog Archive