MITM 7: Sniffing with TCPDump

Posted on February 25, 2012

0


I’ve been thinking about whether develop a new application — and reinvent the wheel like for ARP poisoning with libnet and libpcap — or using tools already available. I finally decided to use TCPDump because this tool might be really handy in many situations. I think I will improve ARP Spoof SI anyway with a password sniffer but for now, let’s focus on TCPDump.

TCPDump is a a powerful command-line packet analyzer, developed together with libpcap, that dump traffic on a network. While Wireshark can basically do the same but with a Graphical User Interface (GUI) (i.e. sniffing and filtering network communications) TCPDump allows easier interoperations with other applications. Wireshark is oriented for the presentation of the data (dump) and TCPDump is oriented for the dump itself. Both use the library libpcap (or WinPcap on Windows OS) for capturing packets.

Tutorial

We’ll first start with a short tutorial about usage of TCPDump. TCPDump is used for dumping and printing network traffic on the network interfaces.

INSTALL

You can either install TCPDump with apt-get (on Debian-based OS) or port (on OS X):

sudo apt-get install tcpdump
sudo port install tcpdump

Or you can also install it from the source codes. Here is the official documentation for installing TCPDump:

Here is the official install documentation of TCPDump:

After libpcap has been built (either install it with “make install” or
make sure both the libpcap and tcpdump source trees are in the same
directory), run ./configure (a shell script). “configure” will
determine your system attributes and generate an appropriate Makefile
from Makefile.in. Now build tcpdump by running “make”.

If everything builds ok, su and type “make install”. This will install
tcpdump and the manual entry. Any user will be able to use tcpdump to
read saved captures. Whether a user will be able to capture traffic
depends on the OS and the configuration of the system; see the tcpdump
man page for details. DO NOT give untrusted users the ability to
capture traffic. If a user can capture traffic, he or she could use
utilities such as tcpdump to capture any traffic on your net, including
passwords.

Remember to execute TCPDump with root privileges since it uses the promiscuous mode (if available) on the network interface and might require to open socket that need those rights.

DUMP

Dumping the entire traffic might not be very useful and could complicate the work of the user. Therefore TCPDump embed a filtering system in order to dump only what the user need. The syntax for filtering packets is:

tcpdump <protocol> proto <p> <direction> <type> <value>

Several filter rules can be applied by using logical expression AND, OR or NOT.

Here is a list of the values for protocol:

  • tcp
  • udp
  • ip
  • ip6
  • arp
  • rarp
  • decnet
  • ether (tr, fddi)

Here is a list of the values for p:

  • udp (need to be escaped: \\udp)
  • tcp (need to be escaped: \\tcp)
  • icmp (need to be escaped: \\icmp)
  • icmp6
  • igmp
  • igrp
  • pim
  • ah
  • esp
  • vrrp

Here is a list of the values for direction:

  • src
  • dst

Here is a list of the values for type:

  • host (default)
  • net
  • port

Here are few example based on the syntax described previously:

# Capture ICMP packet (ping for instance) from the host 192.168.0.10
tcpdump ip proto \\icmp and src host 192.168.0.10
# or you can use the shortcut
tcpdump icmp and src host 192.168.0.10

# Capture all http (port 80) packets sent to google.com
tcpdump tcp and dst host google.com and port 80
# or you can use the shortcut
tcpdump tcp and dst google.com and port 80

It is also possible to filter regarding the length of the packet with the expression less and greater. Even more interesting, it is possible to select precisely the data of the packet to filter. Few value are available directly with a name. For ICMP and TCP packets, it is possible to filter particular values:

  • icmp[icmptype] (ICMP type field)
  • icmp[icmpcode] (ICMP code field)
  • tcp[tcpflags] (TCP flags field)

Each ICMP type can be filter based on the value:

  • icmp-echoreply
  • icmp-unreach
  • icmp-sourcequench
  • icmp-redirect
  • icmp-echo
  • icmp-routeradvert
  • icmp-routersolicit
  • icmp- timxceed
  • icmp-paramprob
  • icmp-tstamp
  • icmp-tstampreply
  • icmp-ireq
  • icmp-ireqreply
  • icmp-maskreq
  • icmp-maskreply

TCP flags can be filtered based on the value:

  • tcp-fin
  • tcp-syn
  • tcp-rst
  • tcp- push
  • tcp-push
  • tcp-ack
  • tcp-urg

To access other data from the packet, it is possible to use the selector syntax: proto[expr:size] where proto is a protocol (see list protocol, expr is the offset (in byte) relative to the beginning of the packet (header) of the protocol indicated. Size is optional, by default it is set to one. It means the number of byte to used for the filter.

Here is an example to get an idea of how to use those selectors:

# Regarding the Ethernet header, the 13th byte is the Ethertype
# 0x0800 is the Ethertype for the protocol IP (note: you need to use quotes)
tcpdump 'ether[12:2] & 0xF7FF = 0'
# or you can use the shortcut
tcpdump ether[12:2] = 0xF7FF
# or you can use the shortcut
tcpdump ip

The ampersand is used for the mathematic operator AND. If the two (ether[12:2]) bytes with an offset of 12 (ether[12:2]) from the beginning of the Ethernet (ether[12:2]) header is 0x0800, it return 0x0000 (= 16 x 1 bits) because 0xF7FF is equal the binary opposite of 0x0800. Thus if it’s equal to 0, it means the Ethertype is the IP protocol.

Options

By default, TCPDump will capture packet on the first interface in its list. To display the list of interface, you can use the parameter -D:

Tosch:ARP-Spoof-SI Tosch$ tcpdump -D
1.en0
2.en1
3.lo0

Once you know all the interfaces available for sniffing, you can either use the number or the name to select which interface to use with the parameter -i:

tcpdump -i en1

Whenever your filter is well calibrated, you might need to capture only the x first packets thanks to the parameter -c:

tcpdump -i en1 -c 3 arp

OUTPUT

You can print each packet in ASCII (which is easier to read) thanks to parameter -A.
An other interesting option is to save the raw dump in a file with the parameter -w. TCPDump will save in pcap format. This means you can open the file later on with Wireshark or with TCPDump and the parameter -r.

For more information about the options available and the usage of TCPDump, read the Manpage. Once again all those information are available on the Wiki of Sec ITs so if you want to add more information or modify mistakes, feel free to edit the article.

MITM sniffing

Now that you understand how to use TCPDump and filter the capture, let’s sniff for interesting information. As I described in the HTTP tampering tutorial, whenever you login on a web page, the data you enter in the login form are put in the HTTP request in clear text (but not in SSL). This means it should be possible to get the credential of victim using a webservice with the protocol HTTP (without SSL).

First we need to capture any HTTP communication (port 80) from the victim (src 192.168.1.10) with the output in ASCII (-A):

tcpdump -A -i en1 tcp and src 192.168.1.10 and port 80

Being on my OS X, I used my interface en1 (Wireless) for the ARP attack, thus I need to sniff on this device.

The next step is to send this output to another filter (grep) in order to parse the form data for password. The problem is that, regarding the website, the name password’s <input> might be different, but we will assume that at least the four letter pass are in the line.

# I had to break the line but it has to be written in one.
tcpdump -A -i en1 -l tcp and src 192.168.1.10 and port 80 |
grep -Pio "pass[a-z0-9%_\-]*=[^&]+"

-l make stdout line buffered so we can pipe the result to grep.
grep is used to output every lines that contains the four letters pass, an equal (=) and end with an ampersand.
-P Interpret PATTERN as a Perl regular expression.
-i Ignore case distinctions in both the PATTERN and the input files.
-o Show only the part of a matching line that matches PATTERN.

The output of the grep is the id of the <input> (that contains the four letter pass), an equal then the value of the <input>. In a html form:

<form>
<input id="user_password" type="password"/>
</form>

The output of the tcpdump piped with grep would be:

user_password=The-value-typed-by-the-user

Regarding the websites used by the victim, you may change the PATTERN. Also, it might be interesting for the attacker to save the dump by using the parameter -w and after the capture, analyse the dump for password manually or with couple grep.

Conclusion

Most of MITM by ARP poisoning has a sniffing application embedded much efficient than this TCPDump usage. I just hope this tutorial help you to have a better idea of how those applications work and how a MITM attack can be easy to perform and dangerous.

Next tutorial will about countermeasure and defence. Hope you’re enjoying this tutorial so far. Please don’t hesitate to leave a comment.

Tagged: , ,
Posted in: Tutorials