Tcpdump, Linux Utilities, and 
BPFs for Incident Response
Quick Note 
• This talk isn’t about the full Incident Response 
process 
• We aren’t going to cover policy/reporting/etc 
• We are here to show some Kung Fu with 
tcpdump
Tcpdump for Network Forensics 
• This presentation will show you how you can 
leverage tcpdump, Linux utilities, and BPFs to 
quickly rip through pcap 
• Understanding TCP/IP communications along 
with common attack patterns allows an 
analyst to profile suspicious behavior
• With any role in security it is critical to be the “Hunter” 
• You need to go beyond the automated tool 
– Write your own tools and scripts to address gaps in tools 
– Be able to manually perform your job function 
• #Don’t_Rely_On_Automated_Tools
Now for the boring stuff….syntax and 
some background stuff
Basic Syntax 
• Write to a file: 
– tcpdump -ttttnnAi any -s0 -w file.cap 
• Read from a file: 
– tcpdump -ttttnnAr file.cap 
• Command Switches Broken Down – Read the Man page: 
– -tttt: print a full date and time stamp on each line 
– -nn: don't resolve IPs to hostnames or ports to service names (no DNS 
lookups slowing the capture down, and no reverse lookups leaking the 
attacker's IPs from your analysis box to a resolver they may watch) 
– -i: interface to listen on. "any" captures on every interface in Linux 
"cooked" mode: you get a pseudo link-layer header instead of the real 
Ethernet header, and the interfaces are not put into promiscuous mode 
– -r: read packets from a pcap file 
– -A: print each packet's payload as ASCII. It only affects printing, so 
it does nothing in the -w command above 
– -s0: snapshot length ("snaplen") of 0 = grab the full packet. Old 
tcpdump releases truncated each packet to a 68-byte default (96 on some 
platforms); current releases default to 262144 bytes, so -s0 mostly 
matters on older builds, but it costs nothing to be explicit
Basic Syntax Cont. 
• -c: useful switch to stop the capture after a set number of packets 
• The command below stops after 5000 packets, which keeps a capture 
from running unbounded and filling the disk: 
– tcpdump -ttttnnAi any -s0 -w file.cap -c 5000 
• For longer captures, -C <MB> together with -W <count> rotates through 
a fixed number of files (and -G <seconds> rotates on time), which 
bounds disk usage without stopping the capture 
• You may also find it useful to launch your tcpdump process in a 
screen or tmux session, or nohup it, so it survives your SSH 
connection to the server dying.
BPF Filters 
• Berkeley Packet Filters (BPFs) let you keep only the packets of 
interest; the filter runs in the kernel before a packet is copied up 
to tcpdump, so a tight filter also keeps the capture cheap 
– host: a specific host, either direction (src host / dst host for one 
direction only) 
– net: a network range, e.g. net 10.0.0.0/8 
– tcp: match only packets that are TCP 
– udp: match only packets that are UDP 
– port: a specific port (src port / dst port for one direction only) 
– Boolean logic: and, or, not, with parentheses for grouping. Quote the 
whole filter ('...') so the shell doesn't eat the parentheses
More Advanced BPF Syntax 
• Match HTTP GET requests: 
– tcp[20:4]=0x47455420 
• Match HTTP POST requests: 
– tcp[20:4]=0x504f5354 
– Caveat: tcp[20:4] is the first four payload bytes only when the TCP 
header is exactly 20 bytes (no options). SYN/ACK-era options are gone 
by the time data flows, but timestamps and SACK are not, so to index 
from the real data offset use 
tcp[((tcp[12:1] & 0xf0) >> 2):4]=0x47455420 
• Match TCP packets to or from network 10.0.0.0/8 
– tcp and net 10.0.0.0/8 (dst net / src net for one direction only) 
• Match TCP SYN packets sent to host 192.168.56.10 
– tcp[13]=2 and dst host 192.168.56.10 
– host alone matches both directions; dst host restricts it to packets 
going to that IP 
– tcp[13]=2 requires SYN to be the only flag set, so it misses SYNs that 
also carry the ECN bits (ECE/CWR). tcp[13]&0x12=2 (SYN set, ACK 
clear) catches those as well
Reading Pcap 
• You can combine Linux utilities to help 
summarize tcpdump's output 
• The first and most common is the "less" utility. 
I commonly run it with "-S", which chops long 
lines instead of wrapping them, which is easier 
for me to view: 
– tcpdump -ttttnnAr pcap_file.cap | less -S
Tcpdump and Linux Utilities 
• Many of the same techniques taught in our 
bash scripting lesson can be applied to 
tcpdump’s STDOUT 
• Below is a quick summary of useful utilities: 
– Grep / Egrep 
– Awk 
– Sed 
– Sort/Uniq
Tcpdump and Linux Utilities Cont. 
• The deck walks through one pipeline a step at a time (each step was 
shown as a terminal screenshot): 
– grep: pull out just the lines you care about from tcpdump's output 
– sed: rewrite matched text in place (the slide's example replaces 
"GET" with "POST") 
– awk '{print $6}': print just the 6th whitespace-separated field of 
each line, which in tcpdump's output is the destination IP.port 
– awk again, with "." as the field separator, to print just the IP and 
not the port 
– sort | uniq -c | sort -rn: summarize the output as a ranked count of 
unique values
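The pipeline above, as an added example in shell that is not from the original deck. It runs over a handful of constructed lines in the format that tcpdump -ttttnn prints (the sample is made up, not real traffic), and the field numbers assume that classic layout; newer tcpdump builds can add columns, for instance interface and direction when capturing on "any", so check them against your own output before trusting a count.

```shell
#!/bin/sh
# Added example (not from the original deck): the grep / awk / sed / sort / uniq
# pipeline from the slides, run over constructed lines in the format that
# "tcpdump -ttttnn" prints.  The field numbers assume that classic layout:
#   $1 date  $2 time  $3 "IP"  $4 src.port  $5 ">"  $6 dst.port:  ...
# Newer tcpdump builds can add columns (e.g. interface and direction when
# capturing on "any"), so always check the field numbers against your output.

sample_tcpdump() {   # constructed sample; not real traffic
  cat <<'EOF'
2015-03-01 10:00:00.000100 IP 10.0.0.5.49152 > 93.184.216.34.80: Flags [S], seq 1, win 29200, length 0
2015-03-01 10:00:00.020300 IP 93.184.216.34.80 > 10.0.0.5.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
2015-03-01 10:00:00.020900 IP 10.0.0.5.49152 > 93.184.216.34.80: Flags [P.], seq 2:80, ack 1, win 29200, length 78
2015-03-01 10:00:05.000000 IP 10.0.0.5.49153 > 203.0.113.10.4444: Flags [S], seq 3, win 29200, length 0
2015-03-01 10:01:05.000000 IP 10.0.0.5.49154 > 203.0.113.10.4444: Flags [S], seq 4, win 29200, length 0
2015-03-01 10:01:09.000000 IP 10.0.0.7.51000 > 93.184.216.34.443: Flags [S], seq 5, win 29200, length 0
2015-03-01 10:02:05.000000 IP 10.0.0.5.49155 > 203.0.113.10.4444: Flags [S], seq 6, win 29200, length 0
EOF
}

# Step 1 (grep): keep only client-side SYNs.  "Flags [S]," is SYN alone;
# the server's SYN-ACK prints as "[S.]" and is excluded on purpose.
syn_lines() { grep 'Flags \[S\],'; }

# Step 2 (awk): the 6th field is "dst.port:".  Step 3 (sed): drop the port
# and the trailing colon so only the bare destination IP is left.
dst_ips() { awk '{ print $6 }' | sed 's/\.[0-9]*:$//'; }

# Step 4 (sort | uniq -c | sort -rn): count and rank.  The final awk
# normalises uniq's column padding so every line reads "count value".
count_ranked() { sort | uniq -c | sort -k1,1rn -k2,2 | awk '{ print $1, $2 }'; }

# Composite: which destinations receive the most new connections?
top_destinations() { syn_lines | dst_ips | count_ranked; }

# Same idea keyed on destination port instead of IP (sed keeps the digits
# after the last dot, which is the port in tcpdump's "ip.port:" notation).
top_dst_ports() { syn_lines | awk '{ print $6 }' | sed 's/^.*\.\([0-9]*\):$/\1/' | count_ranked; }

# Usage against a real capture:  tcpdump -ttttnnr file.cap | top_destinations
sample_tcpdump | top_destinations
```

Each stage is its own function so you can stop the pipeline at any point and look at the intermediate output, which is also how you find out that a field number was wrong for your tcpdump version.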
Now for the fun stuff…Hunting 
Profiling Network Traffic 
• When hunting for compromise it's a good idea to 
profile network activity 
• This involves defining the legitimate traffic and 
then looking at the outliers 
• Let's talk a bit about what I mean by outliers: 
– Periodic, machine-like connections (visible in TCP, UDP, DNS, or 
NetFlow data) 
– Odd domain names: aldjkafsdpoiadfpoiasd.ru 
– Close to legit domain names: micosoftupdat.com
Profiling Network Traffic 
• I normally profile enterprise networks using a 
few different filters that grow to several 
hundred lines 
• I commonly break them down by: 
– DNS filter – Profile outbound DNS servers 
– Web filter – Profile web activity 
– Everything else filter – I catch the rest here
Bash For Loop 1-liner 
• Here is a really handy 1-liner I use all the time: 
for f in *.cap; do <command> "$f"; done 
– Loop over the glob directly rather than over `ls` output: the output 
of ls is split on whitespace and re-globbed, so file names with spaces 
or wildcard characters break the loop, and quoting "$f" keeps each 
name intact 
• This can help you automate many different 
commands you might need to do over and over, 
not just tcpdump 
• I will often move more complex automation tasks 
to Python
Incident Happens - GO 
• What do you do when you’re dealing with a potential 
compromise? 
– Depends heavily on what we know and what we have access to 
– Network traffic is one of the most powerful sources of data when 
dealing with a compromise 
• Assuming you know “Something bad is happening” how 
would you start?
Hunting: DNS 
• I normally start by hunting in DNS because I've 
personally had a lot of success with this 
technique: 
– Names that resolve to NXDOMAIN, a loopback address (127.0.0.1), or a 
bogon (unroutable) address: a common sign of a C2 domain that is 
parked until the attacker needs it 
– Random looking: zaweqeoinadf.ru 
– Close to legit: micosoft.com 
– Timing: always key. A lookup that repeats on a fixed interval (every 
1 min, every 5 min) is a machine, not a person 
– Hits for known bad infrastructure
Hunting: DNS Cont. 
• Below is an example of a DNS profile script:
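The deck's DNS profile script is not reproduced on this page. The block below is an added example (mine, not the author's) covering the first item of the list above, NXDOMAIN hunting, in shell over constructed tcpdump -ttttnn output. tcpdump prints a query as "<id>+ [opts] A? name. (len)" and a name-error answer as "<id> NXDomain ...", and the answer carries no name, so the transaction id plus the client's address:port is what ties the two together. The sample lines, clients and resolver are made up.

```shell
#!/bin/sh
# Added example (not the deck's DNS profile script, which is not reproduced
# here): correlate DNS queries with their NXDOMAIN answers in "tcpdump -ttttnn"
# output and report which client asked for which non-existent name, and how
# often.  tcpdump prints a query as   "<id>+ [opts] A? name. (len)"   and a
# name-error answer as   "<id> NXDomain ..."; the id plus the client's
# address:port is what joins the two.  All sample lines are constructed.

sample_dns() {   # constructed sample; not real traffic
  cat <<'EOF'
2015-03-01 10:00:01.000000 IP 10.0.0.5.51000 > 10.0.0.2.53: 41001+ A? zaweqeoinadf.ru. (33)
2015-03-01 10:00:01.050000 IP 10.0.0.2.53 > 10.0.0.5.51000: 41001 NXDomain 0/1/0 (95)
2015-03-01 10:00:02.000000 IP 10.0.0.5.51001 > 10.0.0.2.53: 41002+ A? www.example.com. (33)
2015-03-01 10:00:02.040000 IP 10.0.0.2.53 > 10.0.0.5.51001: 41002 1/0/0 A 93.184.216.34 (49)
2015-03-01 10:01:01.000000 IP 10.0.0.5.51002 > 10.0.0.2.53: 41003+ [1au] A? zaweqeoinadf.ru. (44)
2015-03-01 10:01:01.060000 IP 10.0.0.2.53 > 10.0.0.5.51002: 41003 NXDomain 0/1/0 (106)
2015-03-01 10:02:00.000000 IP 10.0.0.7.40000 > 10.0.0.2.53: 7+ A? micosoft.com. (30)
2015-03-01 10:02:00.070000 IP 10.0.0.2.53 > 10.0.0.7.40000: 7 NXDomain* 0/1/0 (92)
EOF
}

# Reduce each line to a small record: "Q client id name" for queries,
# "R client id" for NXDOMAIN answers; every other line is dropped.
# Regex-based rather than field-based, because EDNS queries carry an extra
# "[1au]" token that shifts the awk field numbers.
dns_records() {
  sed -nE \
    -e 's/^(.* )?IP6? ([^ ]+) > [^ ]+: ([0-9]+)[^ ]* (\[[^]]*] )?[A-Z0-9]+\? ([^ ]+) .*$/Q \2 \3 \5/p' \
    -e 's/^(.* )?IP6? [^ ]+ > ([^ ]+): ([0-9]+)[^ ]* NXDomain.*$/R \2 \3/p'
}

# Join answers to their queries on client:id and count names per client.
# Output: "<count> <client ip> <name>", most frequent first.
nxdomain_report() {
  dns_records | awk '
    $1 == "Q" { q[$2 ":" $3] = $4; next }
    $1 == "R" {
      k = $2 ":" $3
      if (k in q) {
        c = $2; sub(/\.[0-9]+$/, "", c)     # drop the client source port
        nx[c " " q[k]]++
        delete q[k]
      }
    }
    END { for (e in nx) print nx[e], e }
  ' | sort -k1,1rn -k2,2 -k3,3
}

# Usage against a capture:  tcpdump -ttttnnr dns.cap 'udp port 53' | nxdomain_report
sample_dns | nxdomain_report
```

A client near the top of this list asking for many distinct random-looking names is the domain-generation pattern; one client asking for the same non-existent name on a fixed interval is a beacon whose server has not come up yet. Queries that do resolve but to 127.0.0.1 or a bogon range need a second regex on the answer's A record; the join logic stays the same.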
Hunting: Mapping Infrastructure 
• Once you have one IP or domain you should be able to map out more 
of the attacker's infrastructure 
– Similar Whois registrant information 
– Similar sounding domains (cnndaily.com aoldaily.com) 
– Other domains pointing to the same IP 
– Other domains around the known bad IP (.12 is bad, what about .13, 
.14, .11?) 
– Any additional subdomains? 
– Other domains sharing that name server 
– Historical view of what that domain pointed to: attackers reuse 
infrastructure, so what did that domain resolve to last year? 
• Robtex, iplist.net, nslist.net, webboar.com, Domain Dossier, 
Google, VirusTotal, DNSDB, Edv-consulting
Hunting: Outbound Connections 
• Focusing on just outbound SYNs is another 
effective profiling technique 
• The goal with this technique is to figure out what 
is normal and start to pick out the odd ball 
connection 
• I once found a SYN every 1 hour; looking into it 
further, it was an encrypted communication 
stream to attacker-controlled infrastructure 
– Automated tools don't do this well #Hunter
Hunting: Outbound Connections 
• Here is a filter example for outbound SYNs: 
– I may have it focus on odd ports, or weed out the ports that carry 
most of the legitimate traffic (443/80) so the unusual destinations 
stand out
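The deck's filter is not reproduced on this page. What follows is an added example, not the author's, in two parts: a BPF expression for outbound SYNs in the spirit of the slide, and a post-processing step that measures how regularly each client reconnects to each destination, which is the "SYN every hour" pattern described above (the same interval check applies to DNS queries). 10.0.0.0/8 as the internal range, the 80/443 exclusion, the sample capture lines and the thresholds are all assumptions to adjust for your own network.

```shell
#!/bin/sh
# Added example (not the deck's filter, which is not reproduced here): an
# outbound-SYN capture filter plus a post-processing step that measures how
# regularly each client re-connects to each destination.  A fixed gap with
# almost no jitter is the "SYN every hour" beacon described in the deck.
# 10.0.0.0/8 as the internal range, the 80/443 exclusion and the thresholds
# are assumptions; the sample lines are constructed, not real traffic.

# SYN set and ACK clear (so SYNs that also carry ECN bits still match),
# leaving the internal range, and not to the two ports that dominate
# legitimate traffic.
OUTBOUND_SYN_BPF='tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and src net 10.0.0.0/8 and not dst net 10.0.0.0/8 and not dst port 80 and not dst port 443'

# Capture with it (needs root):  capture_outbound_syns eth0 syn.cap
capture_outbound_syns() { tcpdump -ttttnn -i "${1:-any}" -s0 -w "${2:-syn.cap}" "$OUTBOUND_SYN_BPF"; }

sample_syns() {   # constructed "tcpdump -ttttnn" output; not real traffic
  cat <<'EOF'
2015-03-01 22:00:00.100000 IP 10.0.0.5.49152 > 203.0.113.10.4444: Flags [S], seq 1, win 29200, length 0
2015-03-01 22:12:31.000000 IP 10.0.0.5.49200 > 198.51.100.20.8080: Flags [S], seq 2, win 29200, length 0
2015-03-01 23:00:00.120000 IP 10.0.0.5.49301 > 203.0.113.10.4444: Flags [S], seq 3, win 29200, length 0
2015-03-01 23:00:00.130000 IP 203.0.113.10.4444 > 10.0.0.5.49301: Flags [S.], seq 9, ack 4, win 65535, length 0
2015-03-01 23:41:07.000000 IP 10.0.0.5.49410 > 198.51.100.20.8080: Flags [S], seq 4, win 29200, length 0
2015-03-02 00:00:00.090000 IP 10.0.0.5.49512 > 203.0.113.10.4444: Flags [S], seq 5, win 29200, length 0
2015-03-02 00:03:15.000000 IP 10.0.0.5.49600 > 198.51.100.20.8080: Flags [S], seq 6, win 29200, length 0
2015-03-02 01:00:00.110000 IP 10.0.0.5.50001 > 203.0.113.10.4444: Flags [S], seq 7, win 29200, length 0
2015-03-02 01:30:00.000000 IP 10.0.0.9.40000 > 192.0.2.50.22: Flags [S], seq 8, win 29200, length 0
EOF
}

# beacon_report [min_hits] [max_jitter]
# Groups SYNs by "src > dst.port", measures the gaps between consecutive
# SYNs and prints:  key  hits  mean_gap_seconds  jitter  REGULAR|-
# jitter = (longest gap - shortest gap) / mean gap; at or below max_jitter
# the pair is flagged REGULAR.  Pairs seen fewer than min_hits times are
# not reported at all.
beacon_report() {
  awk -v minhits="${1:-3}" -v maxjitter="${2:-0.1}" '
    # Julian day number from a calendar date, so gaps survive a midnight
    # (or month) rollover without relying on gawk-only mktime().
    function jdn(y, m, d,   a, r) {
      a = int((m - 14) / 12)
      r = int((1461 * (y + 4800 + a)) / 4) + int((367 * (m - 2 - 12 * a)) / 12)
      return r - int((3 * int((y + 4900 + a) / 100)) / 4) + d - 32075
    }
    function secs(date, time,   D, T) {        # "YYYY-MM-DD" "HH:MM:SS.ffffff" -> seconds
      split(date, D, "-"); split(time, T, ":")
      return jdn(D[1] + 0, D[2] + 0, D[3] + 0) * 86400 + T[1] * 3600 + T[2] * 60 + T[3]
    }
    / Flags \[S\],/ {                           # SYN only; "[S.]" is the SYN-ACK
      src = $4; sub(/\.[0-9]+$/, "", src)      # drop the ephemeral source port
      dst = $6; sub(/:$/, "", dst)
      k = src " > " dst
      t = secs($1, $2)
      if (k in last) {
        dt = t - last[k]
        n[k]++; sum[k] += dt
        if (!(k in mn) || dt < mn[k]) mn[k] = dt
        if (!(k in mx) || dt > mx[k]) mx[k] = dt
      }
      last[k] = t; hits[k]++
    }
    END {
      for (k in hits) {
        if (hits[k] < minhits || n[k] < 1) continue    # need at least one gap
        mean = sum[k] / n[k]
        jitter = (mean > 0) ? (mx[k] - mn[k]) / mean : 0
        printf "%s %d %.0f %.3f %s\n", k, hits[k], mean, jitter, (jitter <= maxjitter ? "REGULAR" : "-")
      }
    }
  ' | sort
}

# Usage against a capture:  tcpdump -ttttnnr syn.cap | beacon_report
sample_syns | beacon_report
```

In the sample, 10.0.0.5 opens a connection to 203.0.113.10:4444 once an hour across midnight with a few tens of milliseconds of drift and is flagged REGULAR, while its connections to 198.51.100.20:8080 are spread irregularly and are not. Real beacons often add deliberate random sleep to defeat exactly this check, so treat max_jitter as a knob to sweep rather than a constant, and look at the distribution of gaps for the suspicious pairs by hand.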
Hunting: Automation 
• Let’s not try to fight this battle alone!
Hunting: Scripting 
• When hunting I find myself doing A LOT of whois lookups to 
get info and then turning the results into a filter, so I 
automated it with Team Cymru's Python whois module (tool 
available upon request):
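The author's tool is not included on this page. The block below is an added example of the same whois-to-filter automation, written by me in shell rather than with the Python module: it talks to Team Cymru's bulk IP-to-ASN whois service on whois.cymru.com port 43, which takes a list of IPs framed by "begin"/"end" and answers one pipe-delimited line per IP. The column layout assumed here (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name) is from memory of the service's documented verbose output, and the sample answer is constructed from documentation address ranges and private-use ASNs, not a real response.

```shell
#!/bin/sh
# Added example (not the author's tool): "whois lookups -> BPF filter" done
# against Team Cymru's bulk IP-to-ASN service instead of the Python module.
# The service takes IPs on TCP port 43 of whois.cymru.com, framed by
# "begin"/"end", and answers one pipe-delimited line per IP.  The column
# layout assumed here is
#   AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
# and the sample answer below is constructed, not a real response.

# Build the bulk request from IPs given on stdin (one per line).
cymru_request() { printf 'begin\nverbose\n'; cat; printf 'end\n'; }

# Send it (network access required):  printf '203.0.113.10\n' | cymru_lookup
cymru_lookup() { cymru_request | nc whois.cymru.com 43; }

sample_cymru_answer() {   # constructed; layout as assumed above
  cat <<'EOF'
Bulk mode; whois.cymru.com [2015-03-01 12:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 203.0.113.10     | 203.0.113.0/24      | US | arin     | 2010-01-01 | EXAMPLE-AS, US
64497   | 198.51.100.20    | 198.51.100.0/24     | NL | ripencc  | 2011-02-02 | EXAMPLE-NET, NL
64496   | 203.0.113.77     | 203.0.113.0/24      | US | arin     | 2010-01-01 | EXAMPLE-AS, US
NA      | 10.0.0.5         | NA                  | NA | NA       | NA         | NA
EOF
}

# Pull the announced prefixes out of the answer (skipping the banner, the
# header and unrouted "NA" entries), de-duplicate, and emit one BPF
# expression that matches traffic to or from any of them.
cymru_to_bpf() {
  awk -F'|' '
    {
      p = $3; gsub(/ /, "", p)
      if (p !~ /^[0-9.]+\/[0-9]+$/ || (p in seen)) next
      seen[p] = 1
      out = (out == "" ? "" : out " or ") "net " p
    }
    END { if (out != "") print "(" out ")" }
  '
}

# Per-AS summary: which ASNs did the hits land in, and how many IPs each?
cymru_as_summary() {
  awk -F'|' '$1 ~ /^ *[0-9]+ *$/ { a = $1; gsub(/ /, "", a); n[a]++ }
             END { for (a in n) print n[a], "AS" a }' | sort -k1,1rn -k2,2
}

# Usage:  sample_cymru_answer | cymru_to_bpf
#         tcpdump -ttttnnr file.cap "$(cymru_lookup < bad_ips.txt | cymru_to_bpf)"
sample_cymru_answer | cymru_to_bpf
```

Filtering on the announced prefix rather than the single IP is the point: it catches the neighbours (.11, .13, .14) from the mapping slide without a second round of lookups. The trade-off is that a prefix on a large hosting provider will match plenty of legitimate traffic, so check the AS summary before pasting a hundred-line filter into a capture on a busy link.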
Summary 
• Don’t rely on automated tools 
• Be the hunter - the one who finds what tools 
miss 
• Be flexible and able to write your own tools 
when needed

[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 

Tcpdump hunter

1. Tcpdump, Linux Utilities, and BPFs for Incident Response

2. Quick Note
• This talk isn’t about the full Incident Response process
• We aren’t going to cover policy/reporting/etc
• We are here to show some Kung Fu with tcpdump

3. Tcpdump for Network Forensics
• This presentation will show you how you can leverage tcpdump, Linux utilities, and BPFs to quickly rip through pcap
• Understanding TCP/IP communications along with common attack patterns allows an analyst to profile suspicious behavior

4.
• With any role in security it is critical to be the “Hunter”
• You need to go beyond the automated tool
– Write your own tools and scripts to address gaps in tools
– Be able to manually perform your job function
• #Don’t_Rely_On_Automated_Tools

5. Now for the boring stuff… syntax and some background stuff

6. Basic Syntax
• Write to a file:
– tcpdump -ttttnnAi any -s0 -w file.cap
• Read from a file:
– tcpdump -ttttnnAr file.cap
• Command Switches Broken Down – Read the Man page:
– -tttt: formats the time
– -nn: prevents ports and IPs from being resolved
– -i: interface to listen on
– -r: read a pcap file in
– -A: gives ASCII output
– -s0: specifies the snapshot length (snaplen) so tcpdump grabs the full packet instead of only 96 bytes

7. Basic Syntax Cont.
• -c: Useful switch to set a packet capture limit.
• The command below sets a packet capture limit of 5000. This is useful to avoid having tcpdump processes going too far.
– tcpdump -ttttnnAi any -s0 -w file.cap -c 5000
• You may also find it useful to launch your tcpdump process via a screen session, or nohup the process to avoid it closing if your connection to the server dies.

8. BPF Filters
• Berkeley Packet Filters (BPFs) allow you to filter for packets of interest
– host: filter based on a specific host
– net: filter based on a specific network range
– tcp: match only packets that are TCP
– udp: match only packets that are UDP
– port: filter based on a specific port
– Boolean Logic (and, or)
9. More Advanced BPF Syntax
• Match HTTP GET requests:
– tcp[20:4]=0x47455420
• Match HTTP POST requests:
– tcp[20:4]=0x504f5354
• Match TCP packets to network 10.0.0.0/8:
– tcp and net 10.0.0.0/8
• Match TCP SYN packets to host 192.168.56.10:
– tcp[13]=2 and host 192.168.56.10

10. Reading Pcap
• You can combine Linux utilities to help summarize tcpdump’s output
• The first and most common is the “less” utility. I commonly leverage it with “-S” to turn off line wrapping, which is easier for me to view:
– tcpdump -ttttnnAr pcap_file.cap | less -S

11. Tcpdump and Linux Utilities
• Many of the same techniques taught in our bash scripting lesson can be applied to tcpdump’s STDOUT
• Below is a quick summary of useful utilities:
– Grep / Egrep
– Awk
– Sed
– Sort/Uniq

12. Tcpdump and Linux Utilities Cont.
• Below is a quick example showing how you can leverage grep with tcpdump output:

13. Tcpdump and Linux Utilities Cont.
• Below is an example of using sed to replace “GET” with “POST”:

14. Tcpdump and Linux Utilities Cont.
• Here is an example of using awk to print just the 6th element in the line:

15. Tcpdump and Linux Utilities Cont.
• Now we can use awk again to print just the IP and not the port:

16. Tcpdump and Linux Utilities Cont.
• Finally we can leverage sort and uniq to summarize the output:
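
The screenshots that went with slides 12 to 16 are not in the transcript, so here is the same grep / sed / awk / sort / uniq chain written out as an added example (my code, not the deck’s). It runs over a constructed sample of `tcpdump -ttttnn` output so it can be tried without a capture; the addresses and timestamps are made up, and the only assumption is tcpdump’s default line layout, where field 6 is the destination `ip.port:`.

```shell
#!/bin/sh
# Added example (not from the slides): the grep / sed / awk / sort / uniq
# chain of slides 12-16, run over constructed tcpdump text so it can be
# tried without a capture. Field layout assumed is tcpdump's `-tttt -nn`
# default: $1 date, $2 time, $3 "IP", $4 src.port, $5 ">", $6 dst.port:

# Constructed sample (documentation addresses, made-up timestamps).
SAMPLE='2015-03-10 14:22:01.000001 IP 192.168.56.10.51234 > 93.184.216.34.80: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:22:01.000200 IP 93.184.216.34.80 > 192.168.56.10.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
2015-03-10 14:22:01.000350 IP 192.168.56.10.51234 > 93.184.216.34.80: Flags [P.], seq 2:80, ack 1, win 229, length 78: HTTP: GET / HTTP/1.1
2015-03-10 14:23:01.000001 IP 192.168.56.10.51235 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:24:01.000001 IP 192.168.56.10.51236 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:25:01.000001 IP 192.168.56.10.51237 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0'

# Slides 12 + 14: keep only packet lines, print the destination field.
destinations() {
    grep ' > ' | awk '{print $6}'
}

# Slide 15: the destination is "a.b.c.d.port:"; keep the first four dotted parts.
strip_port() {
    awk -F. '{print $1 "." $2 "." $3 "." $4}'
}

# Slide 16: count and rank. Output is `uniq -c` style: count, then IP.
top_destinations() {
    destinations | strip_port | sort | uniq -c | sort -rn
}

# Slide 13's sed step put to use: rewrite the SYN flag token into one word
# so the next grep keys on handshake attempts only (not SYN/ACK, "[S.]").
label_syns() {
    sed 's/Flags \[S\],/SYN/'
}

# Which destinations are being connected to, counted by SYN.
syns_per_destination() {
    label_syns | grep ' SYN ' | destinations | strip_port | sort | uniq -c | sort -rn
}

# Stand-alone run. With real data: tcpdump -ttttnnr file.cap | top_destinations
echo "== all packets by destination =="
printf '%s\n' "$SAMPLE" | top_destinations
echo "== SYNs by destination =="
printf '%s\n' "$SAMPLE" | syns_per_destination
```

The SYN-only view is the one worth keeping: counting every packet ranks chatty-but-legitimate hosts at the top, while counting handshakes shows how many separate connections each destination received, which is the number you compare against what you expect from that host.
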
17. Now for the fun stuff… Hunting

18. Profiling Network Traffic
• When hunting for compromise it’s a good idea to profile network activity
• This involves defining the legitimate traffic and starting to look at the outliers
• Let’s talk a bit about what I mean by outliers:
– Systematic connections (TCP, UDP, DNS, Netflow)
– Odd domain names: aldjkafsdpoiadfpoiasd.ru
– Close to legit domain names: micosoftupdat.com

19. Profiling Network Traffic
• I normally profile enterprise networks using a few different filters that grow to several hundred lines
• I commonly break them down by:
– DNS filter – Profile outbound DNS servers
– Web filter – Profile web activity
– Everything else filter – I catch the rest here

20. Bash For Loop 1-liner
• Here is a really handy 1-liner I use all the time: for i in `ls *`; do <command> $i; done
• This can help you automate many different commands you might need to do over and over, not just tcpdump
• I will often move more complex automation tasks to Python
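
The loop on slide 20 as a reusable function, added here as an example rather than the deck’s own one-liner. It does the same job (run a command once per file) but iterates a glob instead of `ls` output, so a capture named with a space is passed as one argument, and it handles the case where the directory holds no `*.cap` files at all. The `for_each_pcap` name and the `.cap` extension are my choices.

```shell
#!/bin/sh
# Added example (not the slide's one-liner): iterate over capture files with
# a glob rather than `ls` output, so names with spaces survive word
# splitting, and skip cleanly when the directory has no *.cap files.

# Run "$@" (a command and its arguments) once per *.cap file under $1,
# passing the file name as the final argument, like the slide's `<command> $i`.
for_each_pcap() {
    dir=$1
    shift
    for f in "$dir"/*.cap; do
        # With no match the glob stays literal ("dir/*.cap"); skip that case.
        [ -e "$f" ] || continue
        "$@" "$f"
    done
}

# Typical use (assumes tcpdump is installed; -r takes the file as the next arg):
#   for_each_pcap ./captures tcpdump -ttttnn -r
# Stand-alone demonstration with a command that just echoes what it was given:
for_each_pcap "${1:-.}" printf 'would process %s\n'
```
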
21. Incident Happens - GO
• What do you do when you’re dealing with a potential compromise?
– Depends heavily on what we know and what we have access to touch
– Network traffic is one of the most powerful sources of data when dealing with a compromise
• Assuming you know “Something bad is happening” how would you start?

22. Hunting: DNS
• I normally start by hunting in DNS because I have personally found a lot of success with this technique:
– NXDOMAIN/Loopback/BOGON Name Resolution
– Random looking: zaweqeoinadf.ru
– Close to legit: micosoft.com
– Timing: Always key – is this a machine? 1 min, 5 mins?
– Hits for known bad infrastructure

23. Hunting: DNS Cont.
• Below is an example of a DNS profile script:
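
The script slide 23 refers to is not reproduced in the transcript, so here is a DNS profile in the spirit of slide 22, added as an example and not the author’s code. It reads `tcpdump -ttttnn port 53` text, ranks the names queried, flags NXDOMAIN and loopback/reserved answers, and does a crude lexical pass for random-looking and close-to-legit names. The sample lines, the resolver address 10.0.0.53, the reserved-prefix list and the brand watchlist are all constructed.

```shell
#!/bin/sh
# Added example: a small DNS profile over tcpdump text output, covering the
# three checks slide 22 lists (NXDOMAIN/loopback/BOGON answers, random-looking
# names, close-to-legit names). Not the author's script.

# Constructed sample of `tcpdump -ttttnn port 53` output. 10.0.0.53 stands in
# for the site resolver; the queried names and answers are made up.
SAMPLE='2015-03-10 14:22:01.000001 IP 192.168.56.10.53412 > 10.0.0.53.53: 1001+ A? www.example.com. (33)
2015-03-10 14:22:01.020000 IP 10.0.0.53.53 > 192.168.56.10.53412: 1001 1/0/0 A 93.184.216.34 (49)
2015-03-10 14:22:31.000001 IP 192.168.56.10.53413 > 10.0.0.53.53: 1002+ A? aldjkafsdpoiadfpoiasd.ru. (42)
2015-03-10 14:22:31.020000 IP 10.0.0.53.53 > 192.168.56.10.53413: 1002 NXDomain 0/1/0 (97)
2015-03-10 14:23:01.000001 IP 192.168.56.10.53414 > 10.0.0.53.53: 1003+ A? micosoftupdat.com. (35)
2015-03-10 14:23:01.020000 IP 10.0.0.53.53 > 192.168.56.10.53414: 1003 1/0/0 A 127.0.0.1 (51)
2015-03-10 14:23:31.000001 IP 192.168.56.10.53415 > 10.0.0.53.53: 1004+ A? www.example.com. (33)'

# Brands to compare queried names against (constructed watchlist; a real one
# would be built from the organisation's own vendors and services).
WATCHLIST="microsoft microsoftupdate google"

# Names queried, one per line, trailing dot removed.
query_names() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "A?") { n = $(i+1); sub(/\.$/, "", n); print n } }'
}

# Queried names ranked by count (slide 16's sort | uniq -c | sort -rn).
query_counts() {
    query_names | sort | uniq -c | sort -rn
}

# Responses worth a look: NXDOMAIN, or an A record pointing at loopback or
# reserved space. The prefix list is a constructed subset, not a full bogon
# list. Output: tag, transaction id (to join back to the query), answer.
suspicious_answers() {
    awk '/ NXDomain / { print "NXDOMAIN", $7; next }
         { for (i = 8; i < NF; i++)
               if ($i == "A" && $(i+1) ~ /^(127\.|0\.|10\.|192\.168\.|169\.254\.)/)
                   print "BOGON-ANSWER", $7, $(i+1) }'
}

# Lexical triage of a list of names (stdin, one per line):
#  - RANDOM-LOOKING: second-level label of 16+ characters (crude, but it
#    catches the style of aldjkafsdpoiadfpoiasd.ru without a dictionary)
#  - CLOSE-TO: Levenshtein distance 1 or 2 from a watchlist brand
flag_names() {
    awk -v watch="$WATCHLIST" -v maxlen=15 '
    function min3(a, b, c,    m) { m = a; if (b < m) m = b; if (c < m) m = c; return m }
    function lev(s, t,    i, j, ls, lt, d, cost) {
        ls = length(s); lt = length(t)
        for (i = 0; i <= ls; i++) d[i, 0] = i
        for (j = 0; j <= lt; j++) d[0, j] = j
        for (i = 1; i <= ls; i++)
            for (j = 1; j <= lt; j++) {
                cost = (substr(s, i, 1) == substr(t, j, 1)) ? 0 : 1
                d[i, j] = min3(d[i-1, j] + 1, d[i, j-1] + 1, d[i-1, j-1] + cost)
            }
        return d[ls, lt]
    }
    BEGIN { nb = split(watch, brand, " ") }
    {
        name = tolower($1); n = split(name, lab, ".")
        sld = (n >= 2) ? lab[n-1] : lab[1]
        if (length(sld) > maxlen) print "RANDOM-LOOKING", name
        for (b = 1; b <= nb; b++) {
            dist = lev(sld, brand[b])
            if (dist > 0 && dist <= 2) print "CLOSE-TO", brand[b], name
        }
    }'
}

# Whole profile for a saved text dump, e.g.
#   tcpdump -ttttnnr dns.cap port 53 > dns.txt && dns_profile dns.txt
dns_profile() {
    echo "== queries =="; query_counts < "$1"
    echo "== name flags =="; query_names < "$1" | sort -u | flag_names
    echo "== suspicious answers =="; suspicious_answers < "$1"
}
```

The transaction id printed next to each flagged answer is what lets you join the response back to the client that asked, since the NXDOMAIN line itself names only the resolver. The length and edit-distance tests are deliberately simple first passes: they will miss short random labels and will flag some legitimate look-alikes, so treat their output as a list to eyeball, not a verdict.
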
24. Hunting: Mapping Infrastructure
• Once you have 1 IP or Domain you should be able to map out more bad guy infrastructure
– Similar Whois Registrant Information
– Similar sounding domains (cnndaily.com, aoldaily.com)
– Other domains pointing to the same IP
– Other domains around a known bad guy IP (.12 is bad, what about .13, .14, .11?)
– Any additional subdomains?
– Other domains sharing that name server
– Historical view of what that domain pointed to? Bad guys reuse infrastructure, what did that domain resolve to last year?
• Robtex, iplist.net, nslist.net, webboar.com, Domain Dossier, Google, VirusTotal, DNSDB, Edv-consulting,

25. Hunting: Outbound Connections
• Focusing on just outbound SYNs is another effective profiling technique
• The goal with this technique is to figure out what is normal and start to pick out the odd ball connection
• I once found a SYN every 1 hour; looking into it further, it was an encrypted communication stream to a badboy place
– Automated tools don’t do this well #Hunter

26. Hunting: Outbound Connections
• Here is a filter example for outbound SYNs:
– I may have it focus on odd ports, or try to weed out ranges to more common ports “443/80”
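
Slide 26’s filter is not reproduced in the transcript, so here is an added example that builds the outbound-SYN BPF the slide describes and then does the timing check behind slide 25’s hourly-SYN find, starting from slide 9’s SYN test. This is my code, not the deck’s. It assumes an internal range passed as an argument (10.0.0.0/8 in the run below) and tcpdump’s `-tttt -nn` line layout; the sample lines are constructed, with a 60-second beacon standing in for the slide’s one-hour one.

```shell
#!/bin/sh
# Added example (not from the slides): the outbound-SYN profiling of slides
# 25-26, with slide 9's SYN test as the starting point. Builds the BPF, then
# looks for the "one SYN every N" pattern in tcpdump text output.

# BPF for SYNs leaving $1 (our address range, e.g. 10.0.0.0/8) that are not
# headed for 80/443, the ports slide 26 suggests weeding out. The flag test
# is written as `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` rather than
# the slide's `tcp[13]=2`, so SYNs carrying ECN bits (CWR/ECE) still match.
outbound_syn_filter() {
    net=$1
    printf '%s' "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and src net $net and not dst net $net and not dst port 80 and not dst port 443"
}

# Constructed sample of what `tcpdump -ttttnnr file.cap "<filter>"` prints.
# 198.51.100.7:4444 is hit every 60 s (a compressed stand-in for the slide's
# hourly SYN); 93.184.216.34:8080 is hit at irregular intervals.
SAMPLE='2015-03-10 14:22:01.000001 IP 10.1.2.3.51234 > 93.184.216.34.8080: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:23:01.000001 IP 10.1.2.3.51235 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:23:14.500000 IP 10.1.2.3.51236 > 93.184.216.34.8080: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:24:01.000002 IP 10.1.2.3.51237 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:24:59.000000 IP 10.1.2.3.51238 > 93.184.216.34.8080: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:25:01.000001 IP 10.1.2.3.51239 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0
2015-03-10 14:26:01.000003 IP 10.1.2.3.51240 > 198.51.100.7.4444: Flags [S], seq 1, win 29200, length 0'

# Group SYNs by destination IP and report those whose gaps are nearly
# constant: destination, SYN count, mean interval in seconds.
#   $1 = minimum SYNs before a destination is judged (default 3)
#   $2 = jitter tolerance in seconds around the mean gap (default 5)
# Timestamps become seconds within the month (day*86400 + time of day),
# which is enough for a capture that does not cross a month boundary.
beacon_candidates() {
    awk -v min="${1:-3}" -v tol="${2:-5}" '
    /Flags \[S\],/ {
        split($1, d, "-"); split($2, t, ":")
        secs = d[3] * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        dst = $6; sub(/\.[0-9]+:$/, "", dst)          # drop ".port:"
        n[dst]++; ts[dst, n[dst]] = secs
    }
    END {
        for (dst in n) {
            k = n[dst]
            if (k < min) continue
            sum = 0
            for (i = 2; i <= k; i++) { gap[i] = ts[dst, i] - ts[dst, i-1]; sum += gap[i] }
            mean = sum / (k - 1)
            jitter = 0
            for (i = 2; i <= k; i++) {
                dev = gap[i] - mean; if (dev < 0) dev = -dev
                if (dev > jitter) jitter = dev
            }
            if (jitter <= tol) printf "%s %d %.0f\n", dst, n[dst], mean
        }
    }'
}

# Stand-alone run.
echo "BPF: $(outbound_syn_filter 10.0.0.0/8)"
echo "periodic destinations (dst count mean_gap_s):"
printf '%s\n' "$SAMPLE" | beacon_candidates
```

Two caveats on the slide 9 filters this builds on. `tcp[13]=2` only matches when the flags byte is exactly SYN, so a SYN that also sets the ECN bits is skipped, which is why the `tcpflags` form is used above. And `tcp[20:4]` assumes a 20-byte TCP header; a GET or POST in a segment whose header carries options (timestamps, SACK) begins at a later offset and is not matched by that expression. For the timing check, a real beacon will show jitter of a few seconds around a long interval, so widen the tolerance as the interval grows rather than keeping the default.
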
27. Hunting: Automation
• Let’s not try to fight this battle alone!

28. Hunting: Scripting
• When hunting I find myself doing A LOT of whois lookups to get info then create a filter so… I automated it with Team Cymru’s Python whois module (tool available upon request):
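
The author’s tool is not on the page, so here is an added example of the “look up, then filter” step slide 28 describes, done in shell against the text that Team Cymru’s IP-to-ASN whois service prints, rather than with their Python module. It is my code, not the deck’s. The column layout (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name) is the service’s verbose output as I know it; the rows are constructed with documentation addresses and private-use AS numbers, and the `whois` invocation in the comment is an assumption to check against the service’s own documentation.

```shell
#!/bin/sh
# Added example (not the author's tool, which used Team Cymru's Python
# module): turn the text that Team Cymru's whois service prints for a batch
# of IPs into a BPF `net` filter, which is the "lookup, then filter" step
# slide 28 describes. The column layout (AS | IP | BGP Prefix | CC |
# Registry | Allocated | AS Name) is the service's verbose format as I
# know it; the rows below are constructed with documentation addresses.
CYMRU_SAMPLE='AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 198.51.100.7     | 198.51.100.0/24     | ZZ | example  | 2015-01-01 | EXAMPLE-AS-ONE, ZZ
64496   | 198.51.100.9     | 198.51.100.0/24     | ZZ | example  | 2015-01-01 | EXAMPLE-AS-ONE, ZZ
64497   | 203.0.113.42     | 203.0.113.0/24      | ZZ | example  | 2015-01-01 | EXAMPLE-AS-TWO, ZZ
NA      | 192.0.2.1        | NA                  | ZZ | NA       | NA         | NA'

# Unique BGP prefixes from the lookup output; the header row and "NA" rows
# (addresses with no route) are dropped.
cymru_prefixes() {
    awk -F'|' '$1 !~ /^AS *$/ { gsub(/ /, "", $3); if ($3 ~ /^[0-9.]+\/[0-9]+$/) print $3 }' | sort -u
}

# Join prefixes (stdin, one per line) into a BPF alternation; empty input
# yields empty output so a caller can test for "nothing to filter on".
prefixes_to_bpf() {
    awk 'NR > 1 { printf " or " } { printf "net %s", $1 } END { if (NR) printf "\n" }'
}

# Stand-alone run. With a live lookup you would feed the output of
#   whois -h whois.cymru.com " -v 198.51.100.7"   (assumed invocation)
# into cymru_prefixes, then:  tcpdump -ttttnnr file.cap "$filter"
filter=$(printf '%s\n' "$CYMRU_SAMPLE" | cymru_prefixes | prefixes_to_bpf)
echo "BPF: $filter"
```

Filtering on the announced prefix rather than the single IP is the point of the lookup: the slide 24 habit of checking the neighbours of a bad address (.11, .13, .14) becomes one `net` term, and the AS name column tells you whether the whole range belongs to a hosting provider you would expect to see or to one you would not.
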
29. Summary
• Don’t rely on automated tools
• Be the hunter - the one who finds what tools miss
• Be flexible and able to write your own tools when needed