tcpdump

This is a CLI packet capture and inspection utility. TCP dump can be used to look at headers first then used to inspect full packets using another command.

Look at raw file #tcpdump -r password_cracking_filtered.pcap

Looking at IPs and ports #tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort | uniq -c | head //-n skip dns lookups //-r read //awk read the 3rd field //sort, uniq: remove repeat and add count //use head to display first 10 lines of output

What we saw was a single host making many request(multi ephemerals) to a single server over port 81.

We then want to dill down to see what we can see.

filter syntax: //filters to look at traffic #tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap #tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap #tcpdump -n port 81 -r password_cracking_filtered.pcap

Hex dump: #tcpdump -nX -r password_cracking_filtered.pcap | less

Next we set up a filter that displays packets that have both the ACK and PSH flags set. The PSH-push flag is used to force send packets that do not have full buffers. It is used for the first and last packets in an http request.

CEUAPRSF // ack and push #echo “$((2=00011000))” STDOUT//24 00011000= 24 in decimal

#tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap //-A: print packets in ascii //'tcp[13] = 24' we want the 14th byte to be equal to 24