tcpdump


Sniffing the Network

This article is intended to provide a simple demonstration of how easy it is to sniff/intercept traffic on various types of networks, and to serve as a warning to use secure methods of communication on a) untrusted networks and b) known networks with the potential for untrusted clients or administrators.

The first consideration is the topology of the network we’re connected to. Consider 5 common scenarios:

Wired ethernet hub network: Hubs are becoming more and more obsolete as they are replaced by switches. Multiple devices can be connected to a hub, and any data received by the hub from one device is broadcast out to all other devices. This means that all devices receive all network traffic. Not only is this an inefficient use of bandwidth, but each device is trusted to accept traffic destined for itself and to ignore traffic destined for another node. To sniff such a network, a node simply needs to switch its network interface card to “promiscuous mode”, meaning that it accepts all traffic received.

Wired ethernet switched network: Multiple devices can be connected to a switch; however, a switch has greater intelligence than a hub. The switch will inspect the traffic sent on each port, and learn the hardware (MAC) address of the client connected to a particular port. Once learned, the switch will inspect any frames it receives on a port, and forward each frame to the known recipient’s port alone. Other devices connected to the switch will not receive traffic that is not destined for them. This offers enhanced bandwidth usage over a hub. Switches rely on ARP packets, which are easily forged, in order to learn which devices are on which ports.

Wireless open networks: Multiple devices can connect to an open wireless network. All data is broadcast across the network in plain text, and any attacker can sniff/intercept traffic being broadcast across the network. An open wireless network may present the user with a form of hotspot login page before granting internet access; however, this does not detract from the network itself being open.

WEP encrypted wireless network: A WEP encrypted network requires a WEP key to encrypt and decrypt network traffic. WEP has long been an outdated and insecure method of wireless network protection, and cracking a wireless network’s WEP key is fast and requires low skill. WEP is not secure. In addition, all clients connected to the network use the same WEP key to connect. That results in any user on the network with the WEP key being able to view any traffic transmitted to and from other nodes on the network.

WPA/WPA2 encrypted network: A WPA/WPA2 encrypted network is significantly more secure than a WEP network. Whilst attacks exist on parts of the protocol, and on extensions such as WPS, no known attack is able to recover a complex WPA/WPA2 password within an acceptable period of time. Whilst all clients connect to the network with the same password, the protocol is engineered to create different keystreams between each connected client and the access point. This means that simple sniffing in the traditional sense is not possible on the network. […]

By | December 14th, 2014|Linux, Security Consultant, Wireless|0 Comments

Linux DHCP Server

DHCP is an acronym for Dynamic Host Configuration Protocol. It allows a host to broadcast a request for its IP settings. Hopefully, a DHCP server like the one we’ll be configuring will respond. Running tcpdump shows what a DHCP request looks like:

17:26:02.003956 00:00:00:00:00:00 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300

Configuration is easy. To start with, just run ‘apt-get install dhcpd’ […]

By | September 15th, 2009|Linux, Technology|0 Comments

Some simple filtering and sniffing with tcpdump

tcpdump is one of the best network debugging tools available. In its most basic form, it will print network traffic in terms of a source and destination address to the console; more advanced uses include printing out captured ASCII and simple but powerful filtering.

tcpdump -ieth0 -n # Start tcpdump listening on interface eth0, and do not attempt to resolve IP addresses to hostnames ( -n ).

What we see is:

20:51:40.848211 IP 217.10.X.X.22 > 93.97.Y.Y.52381: P 76216:76364(148) ack 261 win 8576
20:51:40.853726 IP 93.97.Y.Y.52381 > 217.10.X.X.22: . ack 59548 win 16848

And this is repeated over and over. This is a feedback loop: as we are connected via port 22 (SSH), tcpdump prints our own SSH session, which generates more SSH traffic to print, and so on. We must therefore filter it out:

tcpdump -ieth0 -n tcp port not 22

Now we can cleanly monitor traffic. What happens though if we want to view SSH traffic, but not our own?

tcpdump -ieth0 -n tcp port not 22 and host not 93.97.Y.Y

We can build this filter up as much as we wish. Let’s start watching HTTP (tcp port 80) traffic only:

tcpdump -ieth0 -n tcp port 80

Finally, let’s set the ‘snaplen’ to 1500 bytes, and print out the captured data in ASCII:

tcpdump -ieth0 -n tcp port 80 -A -s1500

20:56:25.260143 IP 217.10.X.X.80 > 88.110.Y.Y.51171: P 1:550(549) ack 172 win 1728
E..Mn @.@..w. ..Xn!..P….’@…P…3…HTTP/1.1 404 Not Found
Date: Mon, 15 Dec 2008 21:05:17 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13
Content-Length: 313
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.[HIDDEN].com Port 80</address>
</body></html>

And from this we can see all HTTP traffic. As you can see, it’s that easy to capture and decode plaintext traffic.
We can do the same on port 110 (POP3): […]
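The filtering walkthrough above (and the DHCP request line in the Linux DHCP Server post) both show tcpdump's one-line text output. The following is an added example, not code from the original posts: a small Python parser for those two line shapes (the plain `IP src.port > dst.port:` form and the link-level `mac > mac, ethertype IPv4` form), plus a toy evaluator for the subset of pcap-filter syntax the post uses (`tcp`, `udp`, `port N`, `host A.B.C.D`, `not`, `and`, with `port not 22` read as `not port 22` just as tcpdump reads it). Such a parser is what you would use to post-process a saved capture log, for example to count how many plaintext HTTP or POP3 sessions crossed a segment. The sample lines are constructed, modelled on the posts' output with RFC 5737 documentation addresses in place of the masked X/Y octets; the protocol detection from the trailing text is a heuristic for this old tcpdump format.

```python
"""Parse tcpdump one-line text output and apply a pcap-filter-like subset.
Added example for the tag page; not part of the original posts."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# Matches "ts IP src.sport > dst.dport: rest" and the link-level form
# "ts smac > dmac, ethertype IPv4 (0x0800), length N: src.sport > dst.dport: rest".
_LINE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    rf"(?:IP|(?P<smac>{_MAC}) > (?P<dmac>{_MAC}), ethertype IPv4 \(0x0800\), length \d+:) "
    rf"(?P<src>{_IP})\.(?P<sport>\d+) > (?P<dst>{_IP})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [
    "20:51:40.848211 IP 203.0.113.10.22 > 198.51.100.7.52381: P 76216:76364(148) ack 261 win 8576",
    "20:51:40.853726 IP 198.51.100.7.52381 > 203.0.113.10.22: . ack 59548 win 16848",
    "20:52:01.101010 IP 192.0.2.44.40112 > 203.0.113.10.22: P 1:37(36) ack 1 win 5840",
    "20:56:25.260143 IP 203.0.113.10.80 > 192.0.2.44.51171: P 1:550(549) ack 172 win 1728",
    "17:26:02.003956 00:00:00:00:00:00 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), "
    "length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300",
]


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    rest: str
    proto: str  # "tcp" or "udp" (heuristic from the trailing text)


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a recognised tcpdump line, or None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Old tcpdump prints TCP flags/seq first ("P 1:550(549) ..." or ". ack ...");
    # UDP payloads are labelled ("UDP, length N" or "BOOTP/DHCP, ...").
    proto = "udp" if ("BOOTP/DHCP" in rest or rest.startswith("UDP")) else "tcp"
    return Packet(m.group("ts"), m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), rest, proto)


Pred = Callable[[Packet], bool]


def compile_filter(expr: str) -> Pred:
    """Compile the pcap-filter subset used in the post into a predicate.
    Grammar: expr := term {['and'] term}; term := 'not' term | prim;
    prim := 'tcp' | 'udp' | 'port' ['not'] N | 'host' ['not'] A.B.C.D.
    Juxtaposition means 'and', as in pcap-filter. Empty expression matches all."""
    tokens = expr.split()
    if not tokens:
        return lambda p: True
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of filter expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_expr() -> Pred:
        preds = [parse_term()]
        while peek() is not None:
            if peek() == "and":
                take()
            preds.append(parse_term())
        return lambda p: all(f(p) for f in preds)

    def parse_term() -> Pred:
        if peek() == "not":
            take()
            inner = parse_term()
            return lambda p: not inner(p)
        return parse_prim()

    def parse_prim() -> Pred:
        tok = take()
        if tok in ("tcp", "udp"):
            return lambda p, t=tok: p.proto == t
        negate = peek() == "not"
        if negate:
            take()
        val = take()
        if tok == "port":
            n = int(val)
            pred: Pred = lambda p: n in (p.sport, p.dport)
        elif tok == "host":
            pred = lambda p: val in (p.src, p.dst)
        else:
            raise ValueError(f"unsupported filter token: {tok}")
        return (lambda p: not pred(p)) if negate else pred

    return parse_expr()


def apply_filter(lines: List[str], expr: str) -> List[Packet]:
    """Parse each line and keep those matching the filter expression."""
    pred = compile_filter(expr)
    return [p for p in map(parse_line, lines) if p is not None and pred(p)]


if __name__ == "__main__":
    for f in ("tcp port not 22", "tcp port 22 and host not 198.51.100.7", "udp port 67"):
        print(f"{f!r}: {[(p.src, p.sport, p.dst, p.dport) for p in apply_filter(SAMPLE, f)]}")
```

The evaluator deliberately mirrors the post's observation that a filter can be built up clause by clause: `tcp port not 22` drops the operator's own SSH feedback loop, and adding `and host not ...` narrows it further. Note that the real pcap filter is compiled by libpcap into BPF and evaluated in the kernel before packets reach tcpdump; this toy only reproduces the matching semantics on already-printed lines.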

By | December 15th, 2008|Technology|2 Comments

Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing

OpenVPN is a popular Windows/Linux VPN server/client pair. I think there’s a separate GUI available for it if you’re so minded. This howto will cover command line usage only. I’ll provide example configuration based on a Linux server and a Windows client; however, the same applies pretty easily if you wanted to mix and match. On Debian, apt-get install openvpn. On any other Linux distro, use your own package manager, or alternatively download the source and compile it. […]

By | September 15th, 2008|Internetworking & Routing, Linux, Technology|3 Comments