首页 > 技术点滴 > Intruder Detection with tcpdump

Intruder Detection with tcpdump

2012年10月28日 baoz 阅读评论

原文在 http://www.admin-magazine.com/Articles/Intruder-Detection-with-tcpdump ,比较实用,另外不确认-s参数的使用是否会改进抓包性能,只抓取一定长度的数据。转载开始

By David J. Dodd

Tcpdump is a widely used and powerful tool that captures, parses, and analyzes network traffic. Created by the Network Research Group at Lawrence Berkeley National Laboratory, Berkeley, California, tcpdump (http://www.tcpdump.org) is deployed with libpcap (a C/C++ library for network traffic capture) and maintained by the libpcap developers (http://sourceforge.net/projects/tcpdump/). With tcpdump, you can analyze large binary files that are too large to view casually with a tool like Wireshark by whittling your file down to only the information pertinent to your investigation. Most distributions have tcpdump installed by default, but if not, use your distro’s package manager. The SourceForge link above has project information as well as the code.

Tcpdump runs locally on your machine and can read or write network traffic information to a file. A basic capture uses the syntax

where -n means tcpdump should not resolve IP addresses to domain names or port numbers to service names, -i <interface> is the interface to use, and -s specifies how much of the packet to record – I use 1515, which is sufficient for most cases, but if you don’t specify a size, it will only capture the first 68 bytes of each packet. Except in older versions of tcpdump, a snaplen value of 0 uses a length necessary to capture whole packets. Figure 1 dissects the output of a sample dump, and Table 1 shows more examples of tcpdump options and when to use them.

dump-F01

Figure 1: Output from tcpdump.

dump-Tab1

File Read and Write

Tcpdump allows you to write to a file with the -w option and read from a file with the -r option:

If you want to see the files as they are captured and save them to a file, use the following options:

This command tells tcpdump to line-buffer its output, and by piping to the tee utility, it sends output to the screen and output.txt simultaneously, but not in binary format. The best way to do that is run a second instance of tcpdump.

Timestamps

When tcpdump captures packets in libpcap format, it adds a timestamp entry to the record in each packet in the capture file. Monitoring software like tcpdump uses libpcap to capture packets traveling over a network, read saved capture files, and analyze them, and you can augment that data with the -tttt flag, which adds a date to the timestamp (Figure 2).

dump-F02

Figure 2: Intercepting packets over a network and stamping them with a time and date.

If you are not sure you understand the time differences reported and need to be absolutely sure of time, use the -tt option to show seconds and microseconds since the beginning of the Unix epoch (00:00:00 UTC on January 1, 1970) (Figure 3).

dump-F03

Figure 3: Reporting time since the beginning of the Unix epoch.

The useful expressions in Table 2 can help you cut the amount of traffic down to just what you need.

dump-Tab2

Searching for Packet Information

If you want to search for information in the packet you have to know where to look. Tcpdump starts counting bytes of header information at byte 0; the 13th byte contains the TCP flags shown in Figure 4.

dump-F04

Figure 4: Header bytes 12-15.

Looking at byte 13, if SYN and ACK are set, then your binary value would be 00010010, which are the same as decimal 18. This command searches for packets with this type of data in byte 13:

Figure 5 is an example of what this command will return.

dump-F05

Figure 5: Searching byte 13 for packets with SYN and ACK set.

When capturing data with tcpdump, one way to ignore the ARP traffic is to put it in a filter:

This will catch only tcp, udp, or icmp.

Tables 3 and 4 show you what you need to know to find all TCP packets with the SYN ACK or other flags set.

dump-Tab3
dump-Tab4

Incident Response

When analyzing network traffic, a tool like tcpdump is critical. I’ll share some examples of using tcpdump to view a couple of different dump files as a way to learn more about network problems or possible attack scenarios. The first is a binary dump file of a snort log. You have the following information: The IP address of the Linux system is 192.168.100.45; an attacker got in using a WU-FTPD vulnerability and deployed a backdoor. What can you find out about how the attack happened and what the attacker did?

First, take a look at the file:

The log appears long at this point, so you might want to run the file in snort,

which gives you information like total packets processed, protocol breakdown, alerts, and so on (Figures 6 and 7).

dump-F06

Figure 6: Checking a binary dump file of a snort log.

dump-F07

Figure 7: Running the file in snort.

Next, extract the full snort log file for analysis,

which gives you a readable file to parse. After looking through it, you find ip-proto-11, which is Network Voice Protocol (NVP) traffic. Now you can search through the file looking for ip-proto-11.

This command reads the snort001.log file, looks for log proto 11, and writes the contents to the NVP-traffic.log file. Next, you need to be able to view the binary file.

This file contains both hex and ASCII, which is nice, but you just want the IP address. Try this,

which gives you a list of IP addresses that were communicating by Network Voice Protocol (NVP) (Figure 8).

dump-F08

Figure 8: IP addresses communicating via NVP.

Next, I’ll show you another snort dump file from a compromised Windows box that was communicating with an IRC server.

With which IRC servers did the server at 172.16.134.191 communicate? To look for TCP connections, try using tcpdump with a filtering expression to capture SYN/ACK packets coming in from outside servers:

This command produces a long list of connections going from 172.16.134.191 to outside connections (Figure 9).

dump-F09

Figure 9: Some connections going from the server of interest to outside connections.

Because IRC communicates on ports 6666-6669, add that information to the command to narrow down the search:

Now the list has been narrowed down to three IPs that were communicating with the server using IRC (Figure 10).

dump-F10

Figure 10: Searching ports 6666-6669.

The Author

David J. Dodd holds a current Top Secret DoD Clearance and is available for consulting on various Information Assurance projects. A former US Marine with an Avionics background in Electronic Countermeasures Systems, David has given talks at the San Diego Regional Security Conference and SDISSA. He is a member of InfraGard and contributes to Securing Our eCity (http://securingourecity.org). He works for pbnetworks Inc. (http://pbnetworks.net), a service-disabled-veteran–owned business located in San Diego, CA. You can contact him by emailing dave@pbnetworks.net.

分类: 技术点滴 标签:
  1. 本文目前尚无任何评论.