
Tuesday, February 26, 2013

TCPDUMP NETWORK TRAFFIC



    tcpdump is the premier network analysis tool for information security professionals. Having a solid grasp of this über-powerful application is mandatory for anyone desiring a thorough understanding of TCP/IP. Many prefer to use higher level analysis tools such as Ethereal/Wireshark, but I believe this to usually be a mistake.

    In a discipline so dependent on a true understanding of concepts vs. rote learning, it's important to stay fluent in the underlying mechanics of the TCP/IP suite. A thorough grasp of these protocols allows one to troubleshoot at a level far beyond the average analyst, but mastery of the protocols is only possible through continued exposure to them.

    When using a tool that displays network traffic in a more natural (raw) way, the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.


    15:31:34.079416 IP (tos 0x0, ttl  64, id 20244, offset 0, flags [DF], proto: TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 (correct), 2647022145:2647022145(0) win 5840
            0x0000:  4500 003c 4f14 4000 4006 7417 0afb 0257  E..
            0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 0000  H."*...P..ZA....
            0x0020:  a002 16d0 0ac1 0000 0204 05b4 0402 080a  ................
            0x0030:  14b4 1555 0000 0000 0103 0302

    Options

    Below are a few options (with examples) that will help you greatly when working with the tool. They're easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this page can serve as a reference for you, as it does me.
    First off, I like to add a few options to the tcpdump command itself, depending on what I'm looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can't see weirdness in the sequence numbers if they're being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.
    It's also important to note that tcpdump only takes the first 68 bytes (96 bytes from tcpdump 4.0 on) of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I recommend using 0 (zero) for a snaplength, which gets everything. Here's a short list of the options I use most:
    • -i any : Listen on all interfaces just to see if you're seeing any traffic.
    • -n : Don't resolve hostnames.
    • -nn : Don't resolve hostnames or port names.
    • -X : Show the packet's contents in both hex and ASCII.
    • -XX : Same as -X, but also shows the ethernet header.
    • -v, -vv, -vvv : Increase the amount of packet information you get back.
    • -c : Only get x number of packets and then stop.
    • -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
    • -S : Print absolute sequence numbers.
    • -e : Get the ethernet header as well.
    • -q : Show less protocol information.
    • -E : Decrypt IPSEC traffic by providing an encryption key.
    [ The default snaplength as of tcpdump 4.0 has changed from 68 bytes to 96 bytes. While this will give you more of a packet to see, it still won't get everything. Use -s 1514 to get full coverage ]

    Basic Usage

    So, based on the kind of traffic I'm looking for, I use a different combination of options to tcpdump, as can be seen below:
    1. Basic communication // see the basics without many options
      tcpdump -nS

    2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
      tcpdump -nnvvS

    3. A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
      tcpdump -nnvvXS

    4. Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
      tcpdump -nnvvXSs 1514
    Here's a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options described above. Notice how much we see about each packet.
    hermes root # tcpdump -nnvXSs 0 -c2 icmp
    tcpdump: listening on eth0, link-type EN10MB (Ethernet)
    23:11:10.370321 IP (tos 0x20, ttl  48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
    
            0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
            0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
            0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
            0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
            0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
            0x0050:  3435 3637                                4567
    23:11:10.370344 IP (tos 0x20, ttl  64, id 35612, offset 0, flags [none], length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
            0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
            0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
            0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
            0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
            0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
            0x0050:  3435 3637                                4567
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel
    hermes root # 
    

    Common Syntax

    Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. There are three main types of expression: type, dir, and proto.
    Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:
    • host // look for traffic based on IP address (also works with hostname if you're not using -n)
      tcpdump host 1.2.3.4

    • src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
      tcpdump src 2.3.4.5
      tcpdump dst 3.4.5.6

    • net // capture an entire network using CIDR notation
      tcpdump net 1.2.3.0/24

    • proto // works for tcp, udp, and icmp. Note that you don't have to type proto
      tcpdump icmp

    • port // see only traffic to or from a certain port
      tcpdump port 3389

    • src, dst port // filter based on the source or destination port
      tcpdump src port 1025
      tcpdump dst port 389

    • src/dst, port, protocol // combine all three
      tcpdump src port 1025 and tcp
      tcpdump udp and src port 53
    You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
    • Port Ranges // see traffic to any port in a range
      tcpdump portrange 21-23

    • Packet Size Filter // only see packets below or above a certain size (in bytes)
      tcpdump less 32
      tcpdump greater 128
    • [ You can use the symbols for less than, greater than, less than or equal, and greater than or equal as well, applied to the len keyword (the packet length). Quote the expression so the shell doesn't treat > and < as output redirection. ]
      // filtering for size using symbols
      tcpdump 'len > 32'
      tcpdump 'len <= 128'

    Writing to a File

    tcpdump allows you to send what you're capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.
    The traffic captured in this way is stored in tcpdump (pcap) format, which is pretty much universal in the network analysis space. This means it can be read in by all sorts of tools, including Wireshark, Snort, etc.

    Capture all Port 80 Traffic to a File

    tcpdump -s 1514 port 80 -w capture_file
    Then, at some point in the future, you can then read the traffic back in like so:

    Read Captured Traffic back into tcpdump

    tcpdump -r capture_file

    Getting Creative

    Expressions are nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you're looking for. There are three ways to do combinations, and if you've studied computers at all they'll be pretty familiar to you:
    1. AND
      and or &&
    2. OR
      or or ||
    3. EXCEPT
      not or !

    More Examples

    # TCP traffic from 10.5.2.3 destined for port 3389
    tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389
    # Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
    # (and binds tighter than or, so the two destination networks are grouped; the quotes hide the parentheses from the shell)
    tcpdump -nvX 'src net 192.168.0.0/16 and dst net (10.0.0.0/8 or 172.16.0.0/16)'
    # Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network
    tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp
    # Traffic originating from Mars or Pluto that isn't to the SSH port
    tcpdump -vv '(src mars or src pluto) and not dst port 22'
    As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.

    Grouping

    Also keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes keep the shell from interpreting certain special characters -- in this case the "( )" brackets -- so that they reach tcpdump intact. This same technique can be used to group using other expressions such as host, port, net, etc. Take a look at the command below:
    # Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (incorrect)
    tcpdump src 10.0.2.4 and (dst port 3389 or 22)
    If you tried to run this otherwise very useful command, you'd get an error because of the parentheses. You can either fix this by escaping the parentheses (putting a \ before each one), or by putting the entire expression within single quotes:
    # Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
    tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

    Advanced

    You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
    [ Hint: A mnemonic for the TCP flags: Unskilled Attackers Pester Real Security Folk ]
    Show me all URGENT (URG) packets...
    # tcpdump 'tcp[13] & 32!=0'
    Show me all ACKNOWLEDGE (ACK) packets...
    # tcpdump 'tcp[13] & 16!=0'
    Show me all PUSH (PSH) packets...
    # tcpdump 'tcp[13] & 8!=0'
    Show me all RESET (RST) packets...
    # tcpdump 'tcp[13] & 4!=0'
    Show me all SYNCHRONIZE (SYN) packets...
    # tcpdump 'tcp[13] & 2!=0'
    Show me all FINISH (FIN) packets...
    # tcpdump 'tcp[13] & 1!=0'
    Show me all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...
    # tcpdump 'tcp[13]=18'
    [ Note: Only the PSH, RST, SYN, and FIN flags are displayed in tcpdump's flag field output. URGs and ACKs are displayed, but they are shown elsewhere in the output rather than in the flags field ]
    Keep in mind the reasons these filters work. The filters above find these various packets because tcp[13] looks at byte offset 13 in the TCP header (the flags byte), the number is the bit mask for that flag's position within the byte (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1), and the !=0 means that the flag in question is set to 1, i.e. it's on.
    As with most powerful tools, however, there are multiple ways to do things. The example below shows another way to capture packets with specific TCP flags set.
    Capture TCP Flags Using the tcpflags Option...
    # tcpdump 'tcp[tcpflags] & tcp-syn != 0'

    Specialized Traffic

    Finally, there are a few quick recipes you'll want to remember for catching specific and specialized traffic, such as IPv6 and malformed/likely-malicious packets.
    IPv6 traffic
    # tcpdump ip6
    Packets with both the RST and SYN flags set (why?)
    # tcpdump 'tcp[13] = 6'
    Traffic with the 'Evil Bit' Set
    # tcpdump 'ip[6] & 128 != 0'
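
    To see why the byte-offset filters in the Advanced and Specialized Traffic sections match what they do, here is an added example (written for this page, not part of the original primer) that applies the same arithmetic by hand to the two packets whose hex dumps appear earlier on the page: the SYN to port 80 and the ICMP echo request. The packet bytes are copied from those dumps with the offsets, spacing and ASCII columns removed; the function names are my own. It needs only POSIX sh, printf and cut, so it runs without tcpdump or a network.

```shell
#!/bin/sh
# Added example: evaluate tcpdump's byte-offset filters (tcp[13] & MASK != 0,
# tcp[13] = 18, ip[6] & 128 != 0, the tcp/icmp keywords) against raw packet
# bytes, to show why the filters on this page match what they match.
# Packet bytes are copied from the hex dumps shown earlier on this page.

# TCP SYN, source.35970 > dest.80 (first hex dump on the page), all 60 bytes
SYN_PKT='4500003c4f144000400674170afb02574815222a8c8200509dc65a4100000000a00216d00ac10000020405b40402080a14b415550000000001030302'
# ICMP echo request 69.254.213.43 > 72.21.34.42 (second dump), first 32 bytes
ICMP_PKT='45200054882b000030017cf545fed52b4815222a08003530272a000025ffd744'

# byte PKT OFFSET -> decimal value of the byte at 0-based OFFSET
byte() {
    start=$(( $2 * 2 + 1 ))                      # cut counts characters from 1
    hex=$(printf '%s' "$1" | cut -c "${start}-$(( start + 1 ))")
    echo $(( 0x$hex ))
}

# ip[N]: offset N counted from the start of the IP header (byte 0 here)
ip_byte() { byte "$1" "$2"; }

# tcp[N]: tcpdump counts from the start of the TCP header, which begins after
# the IP header; the IP header length is the low nibble of ip[0] times 4
tcp_byte() {
    ihl=$(( ( $(byte "$1" 0) & 15 ) * 4 ))
    byte "$1" $(( ihl + $2 ))
}

# the keywords tcp / udp / icmp are tests on ip[9], the protocol number
ip_proto() { ip_byte "$1" 9; }

# 'tcp[13] & MASK != 0' -> prints 1 if any flag bit in MASK is set, else 0
flag_set() {
    if [ $(( $(tcp_byte "$1" 13) & $2 )) -ne 0 ]; then echo 1; else echo 0; fi
}

# 'ip[6] & 128 != 0' -> prints 1 if the reserved ("evil") bit is set, else 0
evil_bit() {
    if [ $(( $(ip_byte "$1" 6) & 128 )) -ne 0 ]; then echo 1; else echo 0; fi
}

# Name the flags in a tcp[13] value using the masks from the list above
# (URG 32, ACK 16, PSH 8, RST 4, SYN 2, FIN 1); flag_names 18 -> "ACK SYN"
flag_names() {
    v=$1; out=''
    for pair in URG:32 ACK:16 PSH:8 RST:4 SYN:2 FIN:1; do
        if [ $(( v & ${pair#*:} )) -ne 0 ]; then out="$out ${pair%:*}"; fi
    done
    printf '%s\n' "${out# }"
}

# One-line report of the values the page's filters would test on a packet
describe() {
    printf 'ip[9]=%s ip[6]=%s' "$(ip_proto "$1")" "$(ip_byte "$1" 6)"
    if [ "$(ip_proto "$1")" -eq 6 ]; then
        printf ' tcp[13]=%s (%s)' "$(tcp_byte "$1" 13)" "$(flag_names "$(tcp_byte "$1" 13)")"
    fi
    printf ' evil=%s\n' "$(evil_bit "$1")"
}

describe "$SYN_PKT"     # ip[9]=6 ip[6]=64 tcp[13]=2 (SYN) evil=0
describe "$ICMP_PKT"    # ip[9]=1 ip[6]=0 evil=0
```

    The SYN packet's ip[6] is 64 (0x40), which is the DF bit the verbose output printed as flags [DF]; bit 128 of that same byte is the reserved bit the "evil bit" filter tests, so the filter correctly misses both packets. flag_names 18 and flag_names 6 explain the tcp[13]=18 (SYN/ACK) and tcp[13] = 6 (RST+SYN) recipes directly.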

    Conclusion

    Well, this primer should get you going strong, but the man page should always be handy for the most advanced and one-off usage scenarios. I truly hope this has been useful to you, and feel free to contact me if you have any questions.




    Monday, February 25, 2013

    Encrypt shell scripts



    URL : wget http://mirror.pnl.gov/ubuntu//pool/universe/s/shc/shc_3.8.6-3_amd64.deb

    There used to be a utility shc that turns scripts into binaries (obscuring code and  passwords), available from the older Debian repositories: 
    http://archive.debian.net/etch/i386/shc

    You can install it by adding the repository line

    deb http://archive.debian.org/debian etch main

    i.e.

    sudo add-apt-repository 'deb http://archive.debian.org/debian etch main'

    Or execute this command 

    echo 'deb http://archive.debian.org/debian etch main' > /etc/apt/sources.list.d/archive-shc.list

    Then update the apt-get repository data.
    sudo apt-get update

    and then install the shc package:

    sudo apt-get install shc

    Usage instructions are at: http://www.datsi.fi.upm.es/~frosal/sources/shc.html


    Now you can turn a script into an encrypted binary with the following command:

    root@Shankar:~# shc -rf check_response_time.sh

    Friday, February 22, 2013

    How to detect server is virtual or physical






    You may be interested in the perl module (perl-module-for-virtualization-detection) implementing these tricks.
    Frequently, we want to install our software in a virtual machine. This can be OK, but frequently they hit a CPU, memory, or IO limit caused by running in a constrained virtual environment. When this happens, we really like to know if they're running under virtualization when we try to support them. Here are some tricks to detect it from a shell ...


    Wednesday, February 13, 2013

    Something more than Monitoring




    Modify post-installations :

    After you get Nagios installed and running properly, you'll no doubt want to start monitoring more than just your local machine (your monitoring host). One way of monitoring a remote Linux/UNIX™ host is to use the NRPE addon that allows you to monitor disk usage, CPU load, memory usage, and other local resources/attributes on the remote host. See Resources for a list of monitoring links.

    You'll most likely want to monitor Windows® machines, Netware servers, routers/switches, network printers, and publicly available services (HTTP, FTP, SSH, and so on).

    Monitor redundancy and failover :

    With redundant hosts, you can maintain the ability to monitor your network when the primary host that runs Nagios fails, or when portions of your network become unreachable, which could impact SLA guarantees. Before you implement the redundancy monitoring tool, make sure you implemented event handlers for hosts and services, issued external commands to Nagios, executed NRPE addons on remote hosts, and checked the status of the Nagios process with the check_nagios plug-in. You will need to modify sample scripts in the eventhandlers subdirectory of the Nagios distribution.

    Scenario #1

    In one redundancy implementation scenario, the master and slave hosts monitor the same hosts and service on the network. Under normal circumstances, only the master host will be sending out notifications to contacts about problems. The slave host running Nagios will take over the job of notifying contacts about problems if the master host is down or stops running Ajax applications.

    Just make sure the lag time between the master host failing and the slave host taking over is minimal. You can do this by having, for example, the master host recheck the slave host to allow for fast detection of host problems.

    Scenario #2

    The basic goal of failover monitoring is to have the Nagios process on the slave host sit idle while the Nagios process on the master host is running. If the process on the master host stops running (or if the host goes down), the Nagios process on the slave host starts monitoring everything.

    Detect and handle state flapping :

    Flapping occurs when a service or host changes state too frequently, resulting in a storm of problem and recovery notifications. Flapping can be indicative of configuration problems (such as thresholds set too low), troublesome services, or real network problems impacting SLA guarantees.

    A host or service is determined to have started flapping when its percent state change first exceeds a high flapping threshold. A host or service is determined to have stopped flapping when its percent state goes below a low flapping threshold (assuming that is was previously flapping).

    For both hosts and services, there are global high and low thresholds and host- or service-specific thresholds that you can configure. Nagios will use the global thresholds for flap detection if you do not specify host- or service-specific thresholds. To enable flapping detection, you'll need to set flap_detection directives to 1.

    Consider security :

    Some security measures you should consider are to use a dedicated monitoring host to install Nagios for your Ajax applications, and to make sure only the Nagios user can read or write in the check result directory. Do not run Nagios as root.

    If you are using external commands, make sure you set proper permissions on the /usr/local/nagios/var/rw directory. You'll need to require authentication to the CGIs and use full paths in command definitions.

    Don't forget to hide sensitive information with $USERn$ macros, and secure access to remote agents. Encrypt communication channels between Nagios installations and between Nagios servers and your monitoring agents. Also important is the stripping of dangerous characters from macros before they are used in notifications.

    Optimize Nagios :

    This section discusses some things to consider when you attempt to optimize Nagios to improve server performance. First, disable environment macros, adjust buffer slots, and check service latencies to determine the best value for maximum concurrent checks. Use compiled—not interpreted—plug-ins, schedule regular host checks, and enable cached host checks.

    Next, optimize hardware for maximum performance, and set the maximum time that the Nagios daemon can spend processing the results of host and service checks. Most important of all, take advantage of graph performance statistics with the Multi Router Traffic Grapher (MRTG—see Resources for a link) to keep track of how well your Nagios installation handles the load over time and how your configuration changes affect it.

    Get Nagios addons :

    Nagios comes with three core addons: NRPE, NDOUtils, and NSCA. While they give you the basic command-line options, you can add other options as listed in the Nagios Plugin Manual. See Resources for links to both the addons and manual.

    NRPE

    The NRPE addon is designed to let you execute Nagios plug-ins on remote Linux/UNIX machines. NRPE can check remote services on other hosts through ftp and http. From the monitoring host, Nagios can monitor the CPU, disk usage, memory usage, and other local resources on remote machines.

    Because these public resources are not usually exposed to external machines, NRPE must be installed on the remote machines. It allows you to execute scripts and check metrics on remote Windows machines.

    While using SSH is more secure than the NRPE addon, SSH imposes a larger (CPU) overhead on both the monitoring and remote machines. This can become an issue when you start monitoring hundreds or thousands of machines. Many Nagios administrators opt for using the NRPE addon because of the lower load it imposes.

    NDOUtils

    The NDOUtils addon lets you export current and historical data of configurations and events from one or more Nagios instances to a MySQL database. Storing information from Nagios in a database will allow for quicker retrieval.

    NSCA

    The NSCA addon is installed on the monitoring host, and lets you integrate passive alerts and checks from remote machines and applications with Nagios. This is useful for processing security alerts as well as redundant and distributed Nagios setups.

    Conclusion
    This article helps you to plan ahead to improve the monitoring and performance of your Ajax applications with Nagios, an open source host, service, and network monitoring program. Because network performance is critical not only to developers, but also to testers, system administrators, and potential users, being aware of and resolving potential performance and environmental monitoring issues can make your development team's and users' experiences trouble-free.

    Thursday, February 7, 2013

    How to Encrypt and Decrypt a File using GnuPG in Linux




    Using the GnuPG gpg command you can generate public and private keys. In this tutorial, we will use the keys generated by the gpg command to send and receive encrypted files, and to digitally sign a file. Encrypt a file and send it to your friend: 1. Import your friend's public key. When you want to send a [...]

    Friday, February 1, 2013

    awk command

    To print the last field, with a separator
    awk -F: '{ print $NF }' input.txt


    To print the second-to-last field, with a separator
    awk -F: '{ print $(NF-1) }' input.txt




    pattern matching and processing

    awk 'pattern {action}' filename

    reads one line at a time from file, checks for pattern match, performs action if pattern matched

    NR is a special awk variable meaning the line number of the current record
    can use a line number, to select a specific line, by comparing it to NR (for example: NR == 2)
    can specify a range of line numbers (for example: NR == 2, NR == 4)
    can specify a regular expression, to select all lines that match

    $n are special awk variables, meaning the value of the nth field (field delimiter is space or tab)

    $0 is the entire record
    can use field values, by comparing to $n (for example: $3 == 65)
    every line is selected if no pattern is specified

    instructions

    print - print line(s) that match the pattern, or print fields within matching lines
    print is default if no action is specified
    there are many, many instructions, including just about all C statements with similar syntax
    other instructions will be covered in future courses

    examples, using the file cars from page 654 of "A Practical Guide to Linux"

    awk 'NR == 2, NR == 4' cars - print the 2nd through 4th lines (default action is to print entire line)
    awk '/chevy/' cars - print only lines matching regular expression, same as grep 'chevy' cars
    awk '{print $3, $1}' cars - print third and first field of all lines (default pattern matches all lines)
    awk '/chevy/ {print $3, $1}' cars - print third and first field of lines matching regular expression
    awk '$3 == 65' cars - print only lines with a third field value of 65
    awk '$5 <= 3000' cars - print only lines with a fifth field value that is less than or equal to 3000
    the file testfile can be used with the following examples:
    awk '{print $1}' testfile - print first field of every record
    awk '{print $3 $1}' testfile
    awk '{print $3, $1}' testfile - inserts output field separator (variable OFS, default is space)
    awk -F, '{print $2}' testfile - specifies that , is input field separator, default is space or tab
    awk '$2 ~ /[0-9]/ {print $3, $1}' testfile - searches for reg-exp (a digit) only in the second field
    awk '{printf "%-30s%20s\n", $3, $2}' testfile - print 3rd field left-justified in a 30 character field, 2nd field right-justified in a 20 character field, then skip to a new line (required with printf)

    awk '$3 <= 23' testfile - prints lines where 3rd field has a value <= 23
    awk '$3 <= '$var1' {print $3}' testfile - $var1 is a shell variable, not an awk variable, e.g. first execute: var1=23
    awk '$3 <= '$2' {$3++} {print $0}' testfile - if field 3 <= argument 2 then increment field 3, e.g. first execute: set xxx 23

    awk '$3 > 1 && $3 < 23' testfile - prints lines where 3rd field is in range 1 to 23
    awk '$3 < 2 || $3 > 4' testfile - prints lines where 3rd field is outside of range 2 to 4
    awk '$3 < "4"' testfile - double quotes force string comparison
    NF is an awk variable meaning # of fields in current record
    awk '! (NF == 4)' testfile - lines without 4 fields
    NR is an awk variable meaning # of current record
    awk 'NR == 2,NR==7' testfile - range of records from record number 2 to 7
    BEGIN is an awk pattern meaning "before first record processed"
    awk 'BEGIN {OFS="~"} {print $1, $2}' testfile - print 1st and 2nd field of each record, separated by ~
    END is an awk pattern meaning "after last record processed"
    awk '{var+=$3} END {print var}' testfile - sum of 3rd fields in all records
    awk '{var+=$3} END {print var/NR}' testfile - average of 3rd fields in all records - note that awk handles decimal arithmetic

    awk '$5 > var {var=$5} END {print var}' testfile - maximum of 5th fields in all records
    sort -rk5 testfile | awk 'NR==1 {var=$5} var==$5 {print $0}' - print all records with maximum 5th field
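
    The one-liners above refer to the book's cars and testfile files, which aren't reproduced here. As an added example (not part of the original notes), the script below builds a small constructed file in the same make/model/year/miles/price layout and wraps several of the idioms in shell functions so their output can be checked; the rows and the function names are mine. The last two functions show the page's trick of splicing a shell variable into the awk program beside the -v alternative: splicing is plain string concatenation, so an untrusted value becomes awk code, whereas -v passes it in as data.

```shell
#!/bin/sh
# Added example: the awk idioms from the notes above, run against a constructed
# sample in the layout "make model year miles price" (not the book's cars file).
CARS='plym fury 1970 73 2500
chevy malibu 1999 60 3000
ford mustang 1965 45 10000
volvo s80 1998 102 9850
chevy malibu 2000 50 3500
honda accord 2001 30 6000'

cars() { printf '%s\n' "$CARS"; }    # stands in for the "cars" file argument

# /chevy/ {print $3, $1}: year and make of the records matching the regex
chevy_year_make() { cars | awk '/chevy/ {print $3, $1}'; }

# NR == 2, NR == 4: records 2 through 4; the default action prints the line
lines_2_to_4() { cars | awk 'NR == 2, NR == 4'; }

# $1 ~ /^[fh]/: the regex is applied to field 1 only, not the whole record
model_of_f_or_h_makes() { cars | awk '$1 ~ /^[fh]/ {print $2}'; }

# {var+=$5} END {print var}: sum of the 5th field over all records
total_price() { cars | awk '{var+=$5} END {print var}'; }

# END {print var/NR}: inside END, NR is the total record count, so this is the mean
avg_miles() { cars | awk '{var+=$4} END {print var/NR}'; }

# $5 > var {var=$5}: running maximum; an unset var compares as 0
max_price() { cars | awk '$5 > var {var=$5} END {print var}'; }

# BEGIN {OFS="~"}: the output field separator replaces the comma in print
make_model_tilde() { cars | awk 'BEGIN {OFS="~"} {print $1, $2}'; }

# printf with widths: make left-justified in 8 columns, price right-justified in 6
price_table() { cars | awk '{printf "%-8s%6s\n", $1, $5}'; }

# Shell value spliced into the program text, as in the notes ('$3 <='$var1' ...'):
# the single quotes close, the shell pastes $1, the quotes reopen. Only safe
# when the value is a number you control, since it is parsed as awk code.
cheap_models_spliced() { cars | awk '$5 <= '"$1"' {print $2}'; }

# Same query with -v: the value arrives as an awk variable, never as code, so
# a value such as "0 || 1" cannot rewrite the condition.
cheap_models_v() { cars | awk -v max="$1" '$5 <= max {print $2}'; }

total_price                           # 34850
avg_miles                             # 60
max_price                             # 10000
cheap_models_v 3500 | paste -s -d, -  # fury,malibu,malibu
```

    The running-maximum idiom relies on awk comparing a numeric-looking field against the unset var numerically; the same one-liner compares as strings if the 5th field ever contains non-numeric text, which is why the sort-based version in the notes above is a useful cross-check.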

    Simple awk operations involving functions within the command line:

    awk '/chevy/' cars

    # Match lines (records) that contain the keyword chevy note that chevy is a regular expression...

    awk '{print $3, $1}' cars

    # Pattern not specified - therefore, all lines (records) for fields 3 and 1 are displayed
    # Note that comma (,) between fields represents delimiter (ie. space)

    awk '/chevy/ {print $3, $1}' cars

    # Similar to above, but for chevy

    awk '/^h/' cars

    # Match cars that begin with h

    awk '$1 ~ /^h/' cars                       ### useful ###

    # Match with field #1 that begins with h

    awk '$1 ~ /h/' cars

    # Match with field #1 any expression containing the letter h

    awk '$2 ~ /^[tm]/ {print $3, $2, "$" $5}' cars

    # Match cars whose model begins with t or m and display field 3 (year), field 2 (model name) and then $ followed by field 5 (price)

    --------------------------------------------------------------------------------------------------
    Complex awk operations involving functions within the command line:

    awk '/chevy/ {print $3, $1}' cars
    # prints 3rd & 1st fields of record containing chevy

    awk '$1 ~ /^c/ {print $2, $3}' cars
    # print 2nd & 3rd fields of record with 1st field beginning with c

    awk 'NR==2 {print $1, $4}' cars
    # prints 1st & 4th fields of record for record #2

    awk 'NR==2, NR==8 {print $2, $3}' cars
    # prints 2nd & 3rd fields of record for records 2 through 8

    awk '$3 >= 65 {print $3, $1}' cars
    # prints 3rd & 1st fields of record with 3rd field >= 65

    awk '$5 >= "2000" && $5 < "9000" {print $2, $3}' cars
    # prints 2nd & 3rd fields of record within range of 2000 to under 9000