SlideShare uma empresa Scribd logo

Tcpdump hunter

Transferir como PPTX, PDF
Andrew McNicol
Andrew McNicol

Hunting and Incident Response with Tcpdump, Linux utilities, BPFs, and Python

Tecnologia
1 de 29
Tcpdump, Linux Utilities, and BPFs for Incident Response
Quick Note • This talk isn’t about the full Incident Response process • We aren’t going to cover policy/reporting/etc • We are here to show some Kung Fu with tcpdump
Tcpdump for Network Forenscis • This presentation will show you how you can leverage tcpdump, Linux utilities, and BPFs to quickly rip through pcap • Understanding TCP/IP communications along with common attack patterns allows an analyst to profile suspicious behavior
• With any role in security it is critical to be the “Hunter” • You need to go beyond the automated tool – Write your own tools and scripts to address gaps in tools – Be able to manually perform you job function • #Don’t_Rely_On_Automated_Tools
Now for the boring stuff….syntax and some background stuff
Basic Syntax • Write to a file: – Tcpdump -ttttnnAi any -s0 -w file.cap • Read from a file: – Tcpdump -ttttnnAr file.cap • Command Switches Broken Down – Read the Man page: – -tttt: formats the time – -nn: prevents ports and IPs from being resolved – -i: interface to listen on – -r: read a pcap file in – -A: gives ASCII output – -s0: specifies the snap-in length so tcpdump grabs the full packet instead of only 96 bytes
Basic Syntax Cont. • -c: Useful switch to set a packet capture limit. • The command below sets a packet capture limit of 5000. This is useful to avoid having tcpdump processes going too far. – tcpdump -ttttnnAi any -s0 -w file.cap -c 5000 • You may also find it useful to launch your tcpdump process via a screen session, or nohup the process to avoid it closing if your connection to the server dies.
BPF Filters • Berkeley Packet Filters (BPFs) allow you to filter for packets for interest – host: filter based on a specific host – net: filter based on a specific network range – tcp: match only packets that are TCP – udp: match only packets that are UDP – port: filter based on a specific port – Boolean Logic (and, or)
More Advanced BPF Syntax • Match HTTP GET requests: – tcp[20:4]=0x47455420 • Match HTTP POST requests: – tcp[20:4]=0x504f5354 • Match TCP packets to network 10.0.0.0/8 – tcp and net 10.0.0.0/8 • Match TCP SYN packets to host 192.168.56.10 – tcp[13]=2 and host 192.168.56.10
Reading Pcap • You can combine Linux utilities to help summarize tcpdump’s output • The first and most common is the “less” utility. I commonly leverage it with “-S” to turn off word wrapping to which is easier for me to view: – tcpdump -ttttnnAr pcap_file.cap | less -S
Tcpdump and Linux Utilities • Many of the same techniques taught in our bash scripting lesson can be applied to tcpdump’s STDOUT • Below is a quick summary of useful utilities: – Grep / Egrep – Awk – Sed – Sort/Uniq
Tcpdump and Linux Utilities Cont. • Below is a quick example showing how you can leverage grep with tcpdump output:
Tcpdump and Linux Utilities Cont. • Below is an example of using sed to replace “GET” with “POST”
Tcpdump and Linux Utilities Cont. • Here is an example of using awk to print just the 6th element in the line:
Tcpdump and Linux Utilities Cont. • Now we can use awk again to print just the IP and not the port:
Tcpdump and Linux Utilities Cont. • Finally we can leverage sort and uniq to summarize the output:
Now for the fun stuff…Hunting 
Profiling Network Traffic • When hunting for compromise it’s a good idea to profile network activity • This involves defining the legitimate traffic and starting to look at the outliers • Let’s talk a bit about what I mean by outliers: – Systematic connections (TCP, UDP, DNS, Netflow) – Odd domain names: aldjkafsdpoiadfpoiasd.ru – Close to legit domain names: micosoftupdat.com
Profiling Network Traffic • I normally profile enterprise networks using a few different filters that grow to several hundred lines • I commonly break them down by: – DNS filter – Profile outbound DNS servers – Web filter – Profile web activity – Everything else filter – I catch the rest here
Bash For Loop 1-liner • Here is an really handy 1-liner I use all the time: for i in `ls *`; do <command> $i; done • This can help you automate many different commands you might need to do over and over, not just tcpdump • I will often move more complex automation tasks to Python
Incident Happens - GO • What do you do when you’re dealing with a potential compromise? – Depends heavily on what we know and what we have access to touch – Network traffic is one of the most powerful sources of data when dealing with a compromise • Assuming you know “Something bad is happening” how would you start?
Hunting: DNS • I normally start by hunting in DNS because I personally found a lot of success with this technique: – NXDOMAIN/Loopback/BOGON Name Resolution – Random looking: zaweqeoinadf.ru – Close to legit: micosoft.com – Timing: Always key – is this a machine? 1min, 5mins? – Hits for known bad infrastructure
Hunting: DNS Cont. • Below is an example of a DNS profile script:
Hunting: Mapping Infrastructure • Once you have 1 IP or Domain you should be able to map out more badguy infrastructure – Similar Whois Registrant Information – Similar sounding domains (cnndaily.com aoldaily.com) – Other domains pointing to same IP – Other domains around known bad guy IP (.12 is bad, what about .13, .14, .11?) – Any additional subdomains? – Other domains sharing that name server – Historical view of what that domain pointed to? Bad guys reuse infrastructure, what did that domain resolve to last year? • Robtext, iplist.net, nslist.net, webboar.com, Domain Dossier, Google, Virustotal, DNSDB, Edv-consulting,
Hunting: Outbound Connections • Focusing on just outbound SYNs is another effective profiling technique • The goal with this technique is to figure out what is normal and start to pick out the odd ball connection • I once found a SYN every 1 hour, looking into it further it was an encrypted communication stream to a badboy place – Automated tools don’t do this well #Hunter
Hunting: Outbound Connections • Here is a filter example for outbound SYNs: – I may have it focus on odd ports, or try to weed out ranges to more common ports “443/80”
Hunting: Automation • Let’s not try to fight this battle alone!
Hunting: Scripting • When hunting I find myself doing A LOT of whois lookups to get info then create a filter so….I automated it with Team Cymru’s Python whois module (tool available upon request):
Summary • Don’t rely on automated tools • Be the hunter - the one who finds what tools miss • Be flexible and able to write your own tools when needed

Recomendados

Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
BT Digital
 
rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyond
Andreas Granig
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentation
Kateryna Haskova
 
Netcat
NetcatNetcat
Netcat
penetration Tester
 
Nmap
NmapNmap
Nmap
Fat-Thing Gabriel-Culley
 
Linux networking
Linux networkingLinux networking
Linux networking
Arie Bregman
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
NMAP
NMAPNMAP
NMAP
PrateekAryan1
 

Recomendados

Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
BT Digital
 
rtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyondrtpengine - Media Relaying and Beyond
rtpengine - Media Relaying and Beyond
Andreas Granig
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentation
Kateryna Haskova
 
Netcat
NetcatNetcat
Netcat
penetration Tester
 
Nmap
NmapNmap
Nmap
Fat-Thing Gabriel-Culley
 
Linux networking
Linux networkingLinux networking
Linux networking
Arie Bregman
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
Daniel T. Lee
 
NMAP
NMAPNMAP
NMAP
PrateekAryan1
 
TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-Wireshark
Harsh Singh
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
Raghunath G
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorial
Chaman Poorani
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Suricata
SuricataSuricata
Suricata
tex_morgan
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Wireshark ppt
Wireshark pptWireshark ppt
Wireshark ppt
bala150985
 
Mininet introduction
Mininet introductionMininet introduction
Mininet introduction
Vipin Gupta
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 
Server-Sent Events in Action
Server-Sent Events in ActionServer-Sent Events in Action
Server-Sent Events in Action
Andrei Rusu
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic Analysis
David Sweigert
 
Boost UDP Transaction Performance
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction Performance
LF Events
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
Ray Jenkins
 
NMap
NMapNMap
NMap
Pritesh Raka
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorial
openflow
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
Faisal Reza
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9
HAProxy Technologies
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 

Mais conteúdo relacionado

Mais procurados

TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-Wireshark
Harsh Singh
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
Raghunath G
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic Analysis
David Sweigert
 

Mais procurados (20)

TCPdump-Wireshark
TCPdump-WiresharkTCPdump-Wireshark
TCPdump-Wireshark
 
Netcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beemaNetcat 101 by-mahesh-beema
Netcat 101 by-mahesh-beema
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorial
 
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Suricata
SuricataSuricata
Suricata
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Wireshark ppt
Wireshark pptWireshark ppt
Wireshark ppt
 
Mininet introduction
Mininet introductionMininet introduction
Mininet introduction
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Server-Sent Events in Action
Server-Sent Events in ActionServer-Sent Events in Action
Server-Sent Events in Action
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic Analysis
 
Boost UDP Transaction Performance
Boost UDP Transaction PerformanceBoost UDP Transaction Performance
Boost UDP Transaction Performance
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
 
NMap
NMapNMap
NMap
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorial
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9
 

Destaque

Destaque (11)

CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)
 
CNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve CryptosystemsCNIT 141: 9. Elliptic Curve Cryptosystems
CNIT 141: 9. Elliptic Curve Cryptosystems
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
CNIT 141 8. Public-Key Cryptosystems Based on the DLP
CNIT 141 8. Public-Key Cryptosystems Based on the DLPCNIT 141 8. Public-Key Cryptosystems Based on the DLP
CNIT 141 8. Public-Key Cryptosystems Based on the DLP
 
Cloud Foundry Monitoring How-To: Collecting Metrics and Logs
Cloud Foundry Monitoring How-To: Collecting Metrics and LogsCloud Foundry Monitoring How-To: Collecting Metrics and Logs
Cloud Foundry Monitoring How-To: Collecting Metrics and Logs
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
Tcpdump
TcpdumpTcpdump
Tcpdump
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
 
CNIT 141: 10. Digital Signatures
CNIT 141: 10. Digital SignaturesCNIT 141: 10. Digital Signatures
CNIT 141: 10. Digital Signatures
 
Navigating the Ecosystem of Pivotal Cloud Foundry Tiles
Navigating the Ecosystem of Pivotal Cloud Foundry TilesNavigating the Ecosystem of Pivotal Cloud Foundry Tiles
Navigating the Ecosystem of Pivotal Cloud Foundry Tiles
 

Semelhante a Tcpdump hunter

Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
Cengage Learning
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 

Semelhante a Tcpdump hunter (20)

Packet capture in network security
Packet capture in network securityPacket capture in network security
Packet capture in network security
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
SecureWV - APT2
SecureWV - APT2SecureWV - APT2
SecureWV - APT2
 
LACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 WorldLACNOG - Logging in the Post-IPv4 World
LACNOG - Logging in the Post-IPv4 World
 
Preso fcul
Preso fculPreso fcul
Preso fcul
 
Enei
EneiEnei
Enei
 
DerbyCon - APT2
DerbyCon - APT2DerbyCon - APT2
DerbyCon - APT2
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019Null Delhi chapter - Feb 2019
Null Delhi chapter - Feb 2019
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephony
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
 
There and back again
There and back againThere and back again
There and back again
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
 

Mais de Andrew McNicol

Mais de Andrew McNicol (11)

BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
BSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated TestingBSidesDC 2016 Beyond Automated Testing
BSidesDC 2016 Beyond Automated Testing
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec Career
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 

Tcpdump hunter

  • 1. Tcpdump, Linux Utilities, and BPFs for Incident Response
  • 2. Quick Note • This talk isn’t about the full Incident Response process • We aren’t going to cover policy/reporting/etc • We are here to show some Kung Fu with tcpdump
  • 3. Tcpdump for Network Forenscis • This presentation will show you how you can leverage tcpdump, Linux utilities, and BPFs to quickly rip through pcap • Understanding TCP/IP communications along with common attack patterns allows an analyst to profile suspicious behavior
  • 4. • With any role in security it is critical to be the “Hunter” • You need to go beyond the automated tool – Write your own tools and scripts to address gaps in tools – Be able to manually perform you job function • #Don’t_Rely_On_Automated_Tools
  • 5. Now for the boring stuff….syntax and some background stuff
  • 6. Basic Syntax • Write to a file: – Tcpdump -ttttnnAi any -s0 -w file.cap • Read from a file: – Tcpdump -ttttnnAr file.cap • Command Switches Broken Down – Read the Man page: – -tttt: formats the time – -nn: prevents ports and IPs from being resolved – -i: interface to listen on – -r: read a pcap file in – -A: gives ASCII output – -s0: specifies the snap-in length so tcpdump grabs the full packet instead of only 96 bytes
  • 7. Basic Syntax Cont. • -c: Useful switch to set a packet capture limit. • The command below sets a packet capture limit of 5000. This is useful to avoid having tcpdump processes going too far. – tcpdump -ttttnnAi any -s0 -w file.cap -c 5000 • You may also find it useful to launch your tcpdump process via a screen session, or nohup the process to avoid it closing if your connection to the server dies.
  • 8. BPF Filters • Berkeley Packet Filters (BPFs) allow you to filter for packets for interest – host: filter based on a specific host – net: filter based on a specific network range – tcp: match only packets that are TCP – udp: match only packets that are UDP – port: filter based on a specific port – Boolean Logic (and, or)
  • 9. More Advanced BPF Syntax • Match HTTP GET requests: – tcp[20:4]=0x47455420 • Match HTTP POST requests: – tcp[20:4]=0x504f5354 • Match TCP packets to network 10.0.0.0/8 – tcp and net 10.0.0.0/8 • Match TCP SYN packets to host 192.168.56.10 – tcp[13]=2 and host 192.168.56.10
  • 10. Reading Pcap • You can combine Linux utilities to help summarize tcpdump’s output • The first and most common is the “less” utility. I commonly leverage it with “-S” to turn off word wrapping to which is easier for me to view: – tcpdump -ttttnnAr pcap_file.cap | less -S
  • 11. Tcpdump and Linux Utilities • Many of the same techniques taught in our bash scripting lesson can be applied to tcpdump’s STDOUT • Below is a quick summary of useful utilities: – Grep / Egrep – Awk – Sed – Sort/Uniq
  • 12. Tcpdump and Linux Utilities Cont. • Below is a quick example showing how you can leverage grep with tcpdump output:
  • 13. Tcpdump and Linux Utilities Cont. • Below is an example of using sed to replace “GET” with “POST”
  • 14. Tcpdump and Linux Utilities Cont. • Here is an example of using awk to print just the 6th element in the line:
  • 15. Tcpdump and Linux Utilities Cont. • Now we can use awk again to print just the IP and not the port:
  • 16. Tcpdump and Linux Utilities Cont. • Finally we can leverage sort and uniq to summarize the output:
  • 17. Now for the fun stuff…Hunting 
  • 18. Profiling Network Traffic • When hunting for compromise it’s a good idea to profile network activity • This involves defining the legitimate traffic and starting to look at the outliers • Let’s talk a bit about what I mean by outliers: – Systematic connections (TCP, UDP, DNS, Netflow) – Odd domain names: aldjkafsdpoiadfpoiasd.ru – Close to legit domain names: micosoftupdat.com
  • 19. Profiling Network Traffic • I normally profile enterprise networks using a few different filters that grow to several hundred lines • I commonly break them down by: – DNS filter – Profile outbound DNS servers – Web filter – Profile web activity – Everything else filter – I catch the rest here
  • 20. Bash For Loop 1-liner • Here is an really handy 1-liner I use all the time: for i in `ls *`; do <command> $i; done • This can help you automate many different commands you might need to do over and over, not just tcpdump • I will often move more complex automation tasks to Python
  • 21. Incident Happens - GO • What do you do when you’re dealing with a potential compromise? – Depends heavily on what we know and what we have access to touch – Network traffic is one of the most powerful sources of data when dealing with a compromise • Assuming you know “Something bad is happening” how would you start?
  • 22. Hunting: DNS • I normally start by hunting in DNS because I personally found a lot of success with this technique: – NXDOMAIN/Loopback/BOGON Name Resolution – Random looking: zaweqeoinadf.ru – Close to legit: micosoft.com – Timing: Always key – is this a machine? 1min, 5mins? – Hits for known bad infrastructure
  • 23. Hunting: DNS Cont. • Below is an example of a DNS profile script:
  • 24. Hunting: Mapping Infrastructure • Once you have 1 IP or Domain you should be able to map out more badguy infrastructure – Similar Whois Registrant Information – Similar sounding domains (cnndaily.com aoldaily.com) – Other domains pointing to same IP – Other domains around known bad guy IP (.12 is bad, what about .13, .14, .11?) – Any additional subdomains? – Other domains sharing that name server – Historical view of what that domain pointed to? Bad guys reuse infrastructure, what did that domain resolve to last year? • Robtext, iplist.net, nslist.net, webboar.com, Domain Dossier, Google, Virustotal, DNSDB, Edv-consulting,
  • 25. Hunting: Outbound Connections • Focusing on just outbound SYNs is another effective profiling technique • The goal with this technique is to figure out what is normal and start to pick out the odd ball connection • I once found a SYN every 1 hour, looking into it further it was an encrypted communication stream to a badboy place – Automated tools don’t do this well #Hunter
  • 26. Hunting: Outbound Connections • Here is a filter example for outbound SYNs: – I may have it focus on odd ports, or try to weed out ranges to more common ports “443/80”
  • 27. Hunting: Automation • Let’s not try to fight this battle alone!
  • 28. Hunting: Scripting • When hunting I find myself doing A LOT of whois lookups to get info then create a filter so….I automated it with Team Cymru’s Python whois module (tool available upon request):
  • 29. Summary • Don’t rely on automated tools • Be the hunter - the one who finds what tools miss • Be flexible and able to write your own tools when needed