Network Forensics, Part 3: tcpdump for Network Analysis

Hacking Network Basics

Welcome back, my aspiring network forensic analysts!

 

tcpdump in Action

 

Tcpdump was among the very first (1988) Linux/UNIX based sniffers and is built into most Linux/UNIX distributions. Although it may not be the easiest sniffer use, its versatility and lightweight design make it worth knowing. Tcpdump can be particularly useful if you have to analyze a non-GUI based system or a remote system where a GUI would be slow, inefficient, and not very stealthy.

IP Header

 

To start tcpdump, enter;

 

kali > tcpdump

As you can see, as soon as you enter the command tcpdump, packets begin to flow across your screen. These packets are largely communication between your Kali system and the LAN gateway.

Let’s try creating some traffic to analyze. For instance, let’s try sending a ping (ICMP echo request) to a Windows 7 system from one terminal and run tcpdump from the other.

 

kali > ping 192.168.0.114

 

kali > tcpdump

Let’s zoom in on the tcpdump screen so we can see detail there.

As you can see above, tcpdump displays the protocol (ICMP) and the type (echo request and echo reply).

If we want to capture the output to a file where we can analyze it at a later time, we can use the –w option followed by the file name.

 

kali > tcpdump –w myoutput.cap

 

Filter by IP Address

We may want to filter out all the traffic except that traffic coming back from the Windows 7 system. Tcpdump–developed by researchers at the Lawrence Livermore Lab in Berkeley, CA running BSD Unix– utilizes the Berkeley Packet Filter (BPF) format to create filters.

 

We can create that filter for the Windows 7 IP address by entering;

 

kali > tcpdump host 192.168.0.114

Now you can see just the traffic coming and going to the Windows 7 system as we have filtered out all the other traffic.

Now, let’s connect to the Apache webserver on our Kali machine from the Windows 7 system (or any other system). First, start the Apache2 web server built into Kali.

 

kali > systemctl apache2 start

 

This starts your Apache web server. Next, start tcpdump again on your Kali system.

 

kali > tcpdump host 192.168.0.114

 

Now, open a browser on your Windows 7 system and navigate to the Kali system IP address.

 

You should begin to see packets appearing in the tcpdump terminal.

Note that we can see the 3-way TCP handshake in the highlighted polygon. You can see first an “S” flag, then an “S.” flag (tcpdump represents the A or ACK flag with a “.”) and then “.” flag or written another way, S-SYN/ACK-ACK.

 

This filter displays traffic coming and going from our Windows 7 system. If we want to filter for just the traffic coming FROM our Windows 7 system, we can create a filter like;

 

kali > tcpdump src host 192.168.0.114

Now, we are only seeing the traffic coming (src) from our Windows 7 system (192.168.0.114).

 

Filter by Port

What if we wanted to filter out all the traffic except that which was going to a particular port on our Apache web server. Let’s try to filter out everything except traffic going to port 80 (HTTP). If we use the –vv option (very verbose) in tcpdump, it will decode all the IP and TCP headers and the user agent (the user agent can often be used to identify the user). To get these results, we could write a filter like this;

 

kali > tcpdump –vv dst port 80

Filter by TCP Flags

What if we wanted to see only the traffic with SYN flags sets on it? We could create a filter like this;

 

kali > tcpdump ‘tcp[tcpflags]==tcp-syn’

Of course, we can create a filter for each of the TCP flags such as;

 

kali > tcpdump ‘tcp[tcpflags]==tcp-ack’

 

kali > tcpdump ‘tcp[tcpflags]==tcp-fin’

 

kali > tcpdump ‘tcp[tcpflags]==tcp-rst’

 

kali > tcpdump ‘tcp[tcpflags]==tcp-psh’

 

kali > tcpdump ‘tcp[tcpflags]==tcp-urg’

 
 

Combining Filters

Tcpdump enables us to use filters together using a logical AND (&&) or a logical OR (||). So, if we wanted to filter for a particular IP address and TCP port 80 we would create a filter such as;

 

kali > tcpdump host 192.168.0.114 and port 80

 

We can also use a logical OR, such as;

 

kali > tcpdump port 80 or port 443

 

If we wanted to see all the traffic except that travelling from a particular IP address, we can use the negation symbol (!) or not.

 

kali > tcpdump not host 192.168.0.114

 

Filtering for Passwords and Identifying Artifacts

To filter for passwords in cleartext, we could build a filter for various ports and then use egrep to search for strings indicating logins or passwords.

 

kali > tcpdump port 80 or port 21 or port 25 or port 110 or port 143 or port 23 –lA | egrep –i B5 ‘pass=|pwd=|log=|login=|user=|username=|pw=|passw=|password=’

 

If you want to filter for just the user agent (an identifying signature of the user and their browser) we could create filter such as;

 

kali > tcpdump –vvAls | grep ‘User-Agent’

Finally, to filter for just the browser cookies, we can create the following filter.

 

kali > tcpdump –vvAls | grep ‘Set-Cookie|Host|Cookie:’

 

Summary

tcpdump is a powerful command-line tool for analyzing network traffic with multiple capabilities. Time invested in learning its BPF based filtering system is time well invested. As a security admin or hacker, you may not have access to a GUI on remote system and in those circumstances, tcpdump would be the tool of choice.