packet-analysis

Deep packet inspection

Table of Contents Introduction nDPI Build and install ndpi-netfilter Realtime capture Iptables/netfilter SSH Youtube Social Networks Introduction Port-independent, P2P, and encrypted protocols and packets have made the conventional network traffics analysis that based on packet header (transport protocol and application ports) obsolete. Deep Packet Inspection (DPI) technology can be used to identify and classify these encrypted, port-independent, P2P protocols.

SQL injection with sqlmap

Table of Contents Scan for vulnerability Create a HTTP request file Scan the target Explore the vulnerable target’s databases and system Dictionary attack against password hashes and dump full credentials OS Shell Access Behind the scene Speedup the process and specify custom injection payloads Capture and decode the payload with Ngrep with Wireshark Decode the payload Scan for vulnerability Create a HTTP request file Use -r option instead of passing long parameters of --url, --user-agent, etc.

Wireshark: A quick troubleshoot on slow network (1)

Table of Contents Quick drill into errors and connection issues Identify the protocols with high traffic Get the connection speed to a site Get the time spent in waiting for a response Identify the bad packets (TCP errors) ratio Generate the statistic:- runs wireshark and starts capturing the network packets until the statistic builds. Quick drill into errors and connection issues Navigates to 'Analyze' → 'Expert Info' , a high number of errors and warnings indicates problems.

Ngrep: quick peek at http traffic

Table of Contents Quick peek Sorts out unique User-Agent (devices) Monitor the occurrence of the keywords Monitor HTTP GET | POST traffic by IP addresses DNS Quick peek Monitor activities on device eth0 port 80: -W byline: linefeeds (LF) are printed as linefeeds, more readable. -qt: quiet mode and print human-readable timestamp. # ngrep -d eth0 -W byline -qt port 80 Sorts out unique User-Agent (devices) In corporate environment, desktop/laptop OS build is often standardized.

Extract files from captured network traffic pcap (2)

Table of Contents Tcpxtract Tcpextract Tcpxtract Supports 26 file formats, extensible (/etc/tcpxtract.conf), however it requires the clear start and end markers. Supports only TCP packets, no UDP. Live capture from an interface and extract: $ mkdir -p /tmp/enp0s3-tcpxtract-output $ sudo tcpxtract -d enp0s3 -o /tmp/enp0s3-tcpxtract-output Extract from the pcap file: Tcpextract Similar to both tcpflow and tcpxtract, tcpextract extracts all files it recognized from a pcap file or interface.

Extract files from captured network traffic pcap (1)

Table of Contents Introduction Wireshark HTTP objects and files Binary files Tcpflow & Foremost Introduction The process is mostly the same in network packets data-carving, which comprises of: Gain access and collect the raw bytes Strip the protocol information Extract and write the data to file The differences of these tools are their capabilities i.e., the supported protocols and file formats.

Sniff DNS Queries

Table of Contents Dnstop Tcpdump Wireshark / Tshark Dnstop is a console libpcap application that displays various tables of DNS traffic on a network including: Source IP addresses Destination IP addresses Query types Top level domains Second level domains # dnstop enp0s3 -l 3 Use ctrl-r to reset the counter/refresh the history to get the latest queries. Tcpdump Capture packets from port 53 (DNS):