tcpdump hunter


Post on 15-Jul-2015







Tcpdump, Linux Utilities, and BPFs for Incident Response

Quick Note
This talk isn't about the full Incident Response process

We aren't going to cover policy/reporting/etc.

We are here to show some Kung Fu with tcpdump

Tcpdump for Network Forensics
This presentation will show you how you can leverage tcpdump, Linux utilities, and BPFs to quickly rip through pcap

Understanding TCP/IP communications along with common attack patterns allows an analyst to profile suspicious behavior

With any role in security it is critical to be the Hunter

You need to go beyond the automated tool
Write your own tools and scripts to address gaps in tools
Be able to manually perform your job function


Now for the boring stuff: syntax and some background

Basic Syntax
Write to a file:
tcpdump -ttttnnAi any -s0 -w file.cap

Read from a file:
tcpdump -ttttnnAr file.cap

Command Switches Broken Down
Read the man page:
-tttt: prints a full date and time stamp on each line
-nn: prevents hosts and ports from being resolved to names
-i: interface to listen on
-r: read a pcap file in
-A: prints each packet's payload as ASCII
-s0: sets the snap length so tcpdump grabs the full packet instead of only 96 bytes

Basic Syntax Cont.
-c: useful switch to set a packet capture limit.

The command below sets a packet capture limit of 5000 packets, after which tcpdump exits on its own. This is useful to keep a forgotten tcpdump process from running away:
tcpdump -ttttnnAi any -s0 -w file.cap -c 5000

You may also find it useful to launch your tcpdump process via a screen session, or nohup the process to avoid it closing if your connection to the server dies.

BPF Filters
Berkeley Packet Filters (BPFs) allow you to filter for packets of interest
host: filter based on a specific host
net: filter based on a specific network range
tcp: match only packets that are TCP
udp: match only packets that are UDP
port: filter based on a specific port
Boolean logic (and, or)

More Advanced BPF Syntax
Match HTTP GET requests:
tcp[20:4]=0x47455420
Match HTTP POST requests:
tcp[20:4]=0x504f5354
(0x47455420 is the ASCII for "GET " and 0x504f5354 is "POST"; both filters assume a 20-byte TCP header with no options, so the payload starts at byte 20.)
Match TCP packets to a network:
tcp and net <network>
Match TCP SYN packets to a host:
tcp[13]=2 and host <host>
(tcp[13] is the TCP flags byte; a value of 2 means only the SYN bit is set.)

Pcap
You can combine Linux utilities to help summarize tcpdump's output

The first and most common is the less utility. I commonly leverage it with -S to turn off line wrapping, which is easier for me to view:
tcpdump -ttttnnAr pcap_file.cap | less -S

Tcpdump and Linux Utilities
Many of the same techniques taught in our bash scripting lesson can be applied to tcpdump's STDOUT

Below is a quick summary of useful utilities:
Grep / Egrep
Awk
Sed
Sort/Uniq

Tcpdump and Linux Utilities Cont.
Below is a quick example showing how you can leverage grep with tcpdump output:

Tcpdump and Linux Utilities Cont.
Below is an example of using sed to replace GET with POST:

Tcpdump and Linux Utilities Cont.
Here is an example of using awk to print just the 6th element in the line:

Tcpdump and Linux Utilities Cont.
Now we can use awk again to print just the IP and not the port:

Tcpdump and Linux Utilities Cont.
Finally we can leverage sort and uniq to summarize the output:

Now for the fun stuff: Hunting

Profiling Network Traffic
When hunting for compromise it's a good idea to profile network activity

This involves defining the legitimate traffic and starting to look at the outliers

Let's talk a bit about what I mean by outliers:
Systematic connections (TCP, UDP, DNS, Netflow)
Odd domain names: aldjkafsdpoiadfpoiasd.ru
Close to legit domain names: micosoftupdat.com

Profiling Network Traffic
I normally profile enterprise networks using a few different filters that grow to several hundred lines

I commonly break them down by:
DNS filter: profile outbound DNS servers
Web filter: profile web activity
Everything else filter: I catch the rest here

Bash For Loop 1-liner
Here is a really handy 1-liner I use all the time:

for i in *; do ./"$i"; done

This runs every file in the current directory in turn (the glob, unlike parsing ls output, copes with spaces in file names). It can help you automate many different commands you might need to do over and over, not just tcpdump

I will often move more complex automation tasks to Python

Incident Happens - GO
What do you do when you're dealing with a potential compromise?
Depends heavily on what we know and what we have access to touch
Network traffic is one of the most powerful sources of data when dealing with a compromise

Assuming you know something bad is happening, how would you start?

Hunting: DNS
I normally start by hunting in DNS because I have personally found a lot of success with this technique:
NXDOMAIN/Loopback/BOGON name resolution
Random looking: zaweqeoinadf.ru
Close to legit: micosoft.com
Timing: always key. Is this a machine? Every 1 min, every 5 mins?
Hits for known bad infrastructure

Hunting: DNS Cont.
Below is an example of a DNS profile script:
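The speaker's own profile script is not reproduced on the page, so here is an added example of the same idea in sh/awk: it runs over a constructed snippet of tcpdump -ttttnn output for port 53 (made-up names, RFC 5737 addresses), lists queries per client, counts NXDomain replies per client, flags random-looking names with a crude consonant-run heuristic that is an assumption of this example rather than a real classifier, and measures the gap between repeated queries to spot machine-like timing.

```shell
#!/bin/sh
# Added example, not the talk's own DNS profile script. Input is a constructed
# snippet of "tcpdump -ttttnn port 53" output (RFC 5737 addresses, made-up names).
DNS='2015-07-15 10:00:01.000001 IP 192.0.2.10.53001 > 192.0.2.1.53: 1001+ A? www.example.com. (33)
2015-07-15 10:00:01.000200 IP 192.0.2.1.53 > 192.0.2.10.53001: 1001 1/0/0 A 198.51.100.20 (49)
2015-07-15 10:00:05.000001 IP 192.0.2.11.53010 > 192.0.2.1.53: 2001+ A? micosoftupdat.com. (35)
2015-07-15 10:00:05.000200 IP 192.0.2.1.53 > 192.0.2.11.53010: 2001 1/0/0 A 203.0.113.9 (51)
2015-07-15 10:01:00.000001 IP 192.0.2.10.53002 > 192.0.2.1.53: 1002+ A? aldjkafsdpoiadfpoiasd.ru. (42)
2015-07-15 10:01:00.000200 IP 192.0.2.1.53 > 192.0.2.10.53002: 1002 NXDomain 0/1/0 (117)
2015-07-15 10:02:00.000001 IP 192.0.2.10.53003 > 192.0.2.1.53: 1003+ A? aldjkafsdpoiadfpoiasd.ru. (42)
2015-07-15 10:02:00.000200 IP 192.0.2.1.53 > 192.0.2.10.53003: 1003 NXDomain 0/1/0 (117)
2015-07-15 10:03:00.000001 IP 192.0.2.10.53004 > 192.0.2.1.53: 1004+ A? aldjkafsdpoiadfpoiasd.ru. (42)
2015-07-15 10:03:00.000200 IP 192.0.2.1.53 > 192.0.2.10.53004: 1004 NXDomain 0/1/0 (117)'

# Query lines ("A?"): print "client name", stripping the source port and trailing dot.
# Field layout of a -tttt line: $1 date $2 time $3 IP $4 src $5 > $6 dst: $7 id $8 A? $9 name
queries() {
  printf '%s\n' "$DNS" | awk '$8 == "A?" { sub(/\.[0-9]+$/, "", $4); sub(/\.$/, "", $9); print $4, $9 }'
}

# NXDomain replies per client: the client is the destination ($6) of the reply.
nxdomain_per_client() {
  printf '%s\n' "$DNS" | awk '/ NXDomain / { sub(/\.[0-9]+:$/, "", $6); print $6 }' | sort | uniq -c | awk '{print $2, $1}'
}

# Crude "random looking" heuristic (an assumption of this example, not a real
# classifier): flag names whose first label contains a run of 4+ consonants.
random_looking() {
  queries | awk '{ split($2, l, "."); if (l[1] ~ /[^aeiou][^aeiou][^aeiou][^aeiou]/) print $2 }' | sort -u
}

# Timing: whole seconds between successive queries for the same client+name pair.
# Identical gaps (60 60 below) are the "is this a machine?" signal from the slide.
query_intervals() {
  printf '%s\n' "$DNS" | awk '$8 == "A?" {
      sub(/\.[0-9]+$/, "", $4); sub(/\.$/, "", $9); k = $4 " " $9
      split($2, t, ":"); s = t[1]*3600 + t[2]*60 + int(t[3])
      if (k in last) gaps[k] = gaps[k] " " (s - last[k])
      last[k] = s
    }
    END { for (k in gaps) print k gaps[k] }'
}
```

On a real capture, replace the DNS variable with the output of tcpdump -ttttnn -r file.cap port 53 and feed it to the same awk programs.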

Hunting: Mapping Infrastructure
Once you have 1 IP or domain you should be able to map out more bad-guy infrastructure:
Similar whois registrant information
Similar sounding domains
Other domains pointing to the same IP
Other domains around a known bad-guy IP (.12 is bad, what about .13, .14, .11?)
Any additional subdomains?
Other domains sharing that name server
Historical view of what that domain pointed to. Bad guys reuse infrastructure: what did that domain resolve to last year?

Robtex, Domain Dossier, Google, VirusTotal, DNSDB, Edv-consulting

Hunting: Outbound Connections
Focusing on just outbound SYNs is another effective profiling technique

The goal with this technique is to figure out what is normal and start to pick out the odd ball connection

I once found a SYN every 1 hour; looking into it further, it was an encrypted communication stream to a badboy place
Automated tools don't do this well #Hunter

Hunting: Outbound Connections
Here is a filter example for outbound SYNs:
I may have it focus on odd ports, or try to weed out ranges to the more common ports 443/80
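The screenshots for the grep/sed/awk/sort/uniq slides and for the outbound-SYN filter are not on the page, so here is an added sh example (not the speaker's code) that walks the same chain over a constructed snippet of tcpdump -ttttnnA output, then pulls out outbound SYNs from an assumed internal net of 192.0.2.0/24 and weeds out the common 80/443 destinations to leave the odd-ball ports.

```shell
#!/bin/sh
# Added example (not from the slides): the grep/sed/awk/sort/uniq chain and an
# outbound-SYN profile, run over a constructed snippet of "tcpdump -ttttnnA"
# output. Addresses are RFC 5737 documentation ranges; 192.0.2.0/24 plays the
# internal network.
CAP='2015-07-15 10:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [S], seq 0, win 29200, length 0
2015-07-15 10:00:01.000300 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [P.], seq 1:80, ack 1, win 512, length 79
GET /index.html HTTP/1.1
2015-07-15 10:00:02.000001 IP 192.0.2.10.51235 > 198.51.100.5.80: Flags [S], seq 0, win 29200, length 0
2015-07-15 10:00:03.000001 IP 192.0.2.11.40000 > 203.0.113.7.443: Flags [S], seq 0, win 29200, length 0
2015-07-15 11:00:03.000001 IP 192.0.2.12.40001 > 203.0.113.9.6667: Flags [S], seq 0, win 29200, length 0
2015-07-15 10:00:04.000001 IP 198.51.100.5.80 > 192.0.2.10.51234: Flags [S.], seq 0, ack 1, win 65535, length 0'

# grep: keep only packet header lines (every one carries the " > " arrow)
headers() { printf '%s\n' "$CAP" | grep ' > '; }

# sed: the slide's toy rewrite of GET to POST in the ASCII payload lines
get_to_post() { printf '%s\n' "$CAP" | sed 's/^GET /POST /'; }

# awk: the 6th whitespace-separated field of a -tttt line is "dst.ip.port:"
dst_with_port() { headers | awk '{print $6}'; }

# awk again: split on "." and keep only the four IP octets (drops port and colon)
dst_ip() { dst_with_port | awk -F. '{print $1"."$2"."$3"."$4}'; }

# sort | uniq -c | sort -rn: packets per destination, most talked-to first
summarize() { dst_ip | sort | uniq -c | sort -rn | awk '{print $1, $2}'; }

# Outbound SYNs: "Flags [S]" (SYN only, tcp[13]=2 in BPF terms) from the internal net.
# On a live capture the equivalent BPF would be: tcp[13]=2 and src net 192.0.2.0/24
outbound_syns() { headers | grep 'Flags \[S\],' | awk '$4 ~ /^192\.0\.2\./'; }

# Weed out the common 80/443 destinations to leave the odd-ball ports (the slide's tip)
odd_port_syns() {
  outbound_syns | awk '{ n = split($6, f, "."); port = f[n]; sub(/:$/, "", port)
                         if (port != "80" && port != "443") print $2, $4, $6 }'
}
```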

Hunting: Automation
Let's not try to fight this battle alone!

Hunting: Scripting
When hunting I find myself doing A LOT of whois lookups to get info and then create a filter, so... I automated it with Team Cymru's Python whois module (tool available upon request):

Summary
Don't rely on automated tools

Be the hunter - the one who finds what tools miss

Be flexible and able to write your own tools when needed
