Ultimate portable covert Hacking device – Part 4

TCPDump. If you want to capture traffic you need to be using this tool. TCPDump is small, lightweight and really easy to understand once you learn the basic syntax. It’s the perfect tool to gather info off the wired or wireless network. If you’re running it on a computer with dsniff installed you can use dsniff to route traffic through your computer and see everything your target is doing, even on a switched network (see the article “How-To spy on other users on the local network” from back in August).

The first thing we need to do is tell TCPDump exactly what we want out of the capture. There are four basic levels of verbosity:

  1. tcpdump

    which just shows us the basics (one summary line per packet)

  2. tcpdump -v

    you can add 1 to 3 ‘v’ characters (-v, -vv, -vvv) to increase the amount of detail shown.

  3. tcpdump -vX

    -X also prints the packet’s payload (minus its link-level header) in hex and ASCII.

  4. tcpdump -vXs 1500

    -s sets the snaplen, the number of bytes captured from each packet; here it is raised to 1500. The default of 68 bytes is adequate for most IP, ICMP, TCP and UDP packets but can truncate some other protocols.

The real power of TCPDump comes from the ways you can filter the traffic you’re capturing. For example, if you only want to capture traffic to or from a specific IP you use the “host” argument. So, say we wanted to capture all traffic to or from 192.168.1.1, we would use

tcpdump host 192.168.1.1

But we may not need all of that. Say we only want to capture traffic going one way, to that host or from it. We can get more specific using the “src” and “dst” arguments like so:

Capture all traffic going to 192.168.1.1

tcpdump dst 192.168.1.1

Capture all traffic coming from 192.168.1.1

tcpdump src 192.168.1.1

This is all well and good, but it is capturing a whole lot of traffic I’m not interested in, like HTTP (port 80) traffic and FTP (port 21) traffic. I only want to capture SMTP (port 25) traffic. Well, I can do that as well.

tcpdump port 25

This will capture all traffic over port 25, whether port 25 is the source or the destination port (combine it with “src” or “dst” if you only want one direction).

If you need to capture traffic to/from an entire subnet instead of to/from a single host there’s a “net” argument that can be used in place of the “host” argument. You do need to supply a network in CIDR notation (e.g. 192.168.1.0/24) instead of a single IP address.

So the following would capture all traffic to or from the 192.168.1.0 network (netmask 255.255.255.0):

tcpdump net 192.168.1.0/24

Now all the arguments above can be combined using the operators “and”, “or” and “not”, with parentheses for grouping. Since the shell would otherwise try to interpret the parentheses itself, escape them as \( and \) on the command line (or put the whole filter expression in single quotes).

So here’s some examples

Capture all traffic from the host at 10.0.0.254 and destined for the network 192.168.1.0/24 on port 25

tcpdump src host 10.0.0.254 and dst net 192.168.1.0/24 and dst port 25

Capture all traffic destined for 192.168.1.0/24 or 10.0.0.0/24 and not on port 80

tcpdump \(dst net 192.168.1.0/24 or 10.0.0.0/24\) and not port 80
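To make it concrete what these filter expressions actually keep, here is an added example (my code, not from the post or from tcpdump) that parses the subset of pcap-filter syntax used above (host/net/port, the src/dst qualifiers, and/or/not and parentheses) and evaluates the post’s own filter strings against a handful of constructed packets. It is an assumption of this example that the filter text is given as tcpdump receives it (after the shell has removed the backslashes), that ports are numeric, and that a bare value after “and”/“or” reuses the previous keywords, which is how “dst net 192.168.1.0/24 or 10.0.0.0/24” applies “dst net” to both networks:

```python
import ipaddress
from collections import namedtuple

# The header fields the post's filters look at (packets are constructed, not captured).
Packet = namedtuple("Packet", "src dst sport dport")
KEYWORDS = {"src", "dst", "host", "net", "port"}
OPERATORS = {"and", "or", "not", "(", ")"}

class FilterParser:
    """Recursive-descent parser for the pcap-filter subset used in the post:
    expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | [src|dst] [host|net|port] value.
    A bare value reuses the previous primitive's keywords, which is how
    "dst net 192.168.1.0/24 or 10.0.0.0/24" applies "dst net" to both networks."""

    def __init__(self, text):
        # Text as tcpdump receives it, i.e. after the shell has removed the "\" from "\(".
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.last = (None, "host")  # (direction, kind) carried over to bare values

    def peek(self):
        return self.toks[0] if self.toks else None

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.toks.pop(0)
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.toks.pop(0)
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "not":
            self.toks.pop(0)
            return ("not", self.factor())
        if self.peek() == "(":
            self.toks.pop(0)
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.toks.pop(0)
            return node
        return self.primitive()

    def primitive(self):
        if self.peek() in KEYWORDS:
            direction, kind = None, "host"  # pcap-filter: no type keyword means "host"
            if self.peek() in ("src", "dst"):
                direction = self.toks.pop(0)
            if self.peek() in ("host", "net", "port"):
                kind = self.toks.pop(0)
        else:
            direction, kind = self.last  # bare value: reuse the previous keywords
        value = self.peek()
        if value is None or value in OPERATORS:
            raise ValueError("expected an address, network or port")
        self.toks.pop(0)
        self.last = (direction, kind)
        return ("prim", direction, kind, value)

def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet."""
    op = node[0]
    if op == "not":
        return not matches(node[1], pkt)
    if op in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if op == "and" else (left or right)
    _, direction, kind, value = node
    ends = {"src": (pkt.src, pkt.sport), "dst": (pkt.dst, pkt.dport)}
    # Without a src/dst qualifier the primitive matches either end of the packet.
    chosen = [ends[direction]] if direction else list(ends.values())
    if kind == "port":
        return any(port == int(value) for _, port in chosen)
    if kind == "host":
        return any(ipaddress.ip_address(a) == ipaddress.ip_address(value) for a, _ in chosen)
    net = ipaddress.ip_network(value, strict=False)
    return any(ipaddress.ip_address(a) in net for a, _ in chosen)

def select(filter_text, packets):
    """Return the packets tcpdump would keep for this filter expression."""
    parser = FilterParser(filter_text)
    tree = parser.expr()
    if parser.toks:
        raise ValueError(f"unexpected token {parser.toks[0]!r}")
    return [p for p in packets if matches(tree, p)]

# Constructed sample traffic: SMTP and HTTP from 10.0.0.254 into 192.168.1.0/24,
# the SMTP reply, and two unrelated flows.
SAMPLE_PACKETS = [
    Packet("10.0.0.254", "192.168.1.10", 51234, 25),
    Packet("10.0.0.254", "192.168.1.10", 51235, 80),
    Packet("192.168.1.10", "10.0.0.254", 25, 51234),
    Packet("172.16.0.9", "10.0.0.7", 40000, 443),
    Packet("10.0.0.7", "192.168.2.2", 40001, 80),
]
```

Running `select("host 192.168.1.10", SAMPLE_PACKETS)` returns three packets (the two inbound ones and the reply), while `select("src host 10.0.0.254 and dst net 192.168.1.0/24 and dst port 25", SAMPLE_PACKETS)` returns only the first. The point worth noticing is that “host” and “port” on their own match either end of the packet, so a capture for “port 25” contains both halves of every SMTP conversation; that is usually what you want when reviewing a capture, and “src”/“dst” are there for the times it is not.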

One of the most useful features is writing your capture to a file so you can analyze it later (possibly using something like Wireshark, TcpReplay or other security tools that support pcap files). The “-w” argument accepts the name of a file to save your capture to.

tcpdump -w mycapfile.pcap

You can then use the resulting capture file in any other tool that accepts pcap format files.
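To show what that file actually contains, and how the snaplen from the “-s” option above ends up in it, here is an added example (my code, not from the post or from tcpdump) that writes and reads the classic pcap format: a 24-byte global header carrying the snaplen and link type, then one 16-byte record header per packet holding the captured length and the original on-wire length. It is an assumption of this example that the capture is Ethernet (link type 1) and that the sample frame is a constructed 100-byte UDP datagram, 142 bytes on the wire; with the 68-byte snaplen the post quotes as the default, the Ethernet, IP and UDP headers survive but most of the payload does not, and the record’s two length fields make that visible:

```python
import ipaddress
import struct
from collections import namedtuple

PCAP_MAGIC = 0xA1B2C3D4           # classic microsecond-timestamp pcap, as written by tcpdump -w
LINKTYPE_ETHERNET = 1
ETH_IP_UDP_HEADERS = 14 + 20 + 8  # header bytes in front of a UDP payload

Record = namedtuple("Record", "ts_sec ts_usec incl_len orig_len data")

def ip_checksum(header):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame (sample data, not captured traffic)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp

def build_pcap(frames, snaplen, first_ts=1_700_000_000):
    """Serialise frames the way `tcpdump -s <snaplen> -w file` would: each packet is
    cut to snaplen bytes, but its original length is still recorded."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", first_ts + i, 0, len(kept), len(frame)) + kept
    return bytes(out)

def parse_pcap(blob):
    """Return (snaplen, linktype, records) from a pcap byte string of either byte order."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:         # the same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", blob[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records, off = [], 24
    while off < len(blob):
        hdr = blob[off:off + 16]
        if len(hdr) < 16:
            raise ValueError("file ends in the middle of a record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + "IIII", hdr)
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("file ends in the middle of a packet record")
        records.append(Record(ts_sec, ts_usec, incl_len, orig_len, data))
        off += 16 + incl_len
    return snaplen, linktype, records

def udp_payload(record):
    """The UDP payload bytes that survived the snaplen, and whether anything was cut off."""
    truncated = record.incl_len < record.orig_len
    return record.data[ETH_IP_UDP_HEADERS:], truncated

# Constructed sample: a 100-byte UDP datagram (syslog-style port 514), 142 bytes on the wire.
SAMPLE_FRAME = build_udp_frame("192.168.1.10", "192.168.1.1", 40000, 514, b"A" * 100)

def capture_with_snaplen(snaplen):
    """Round-trip the sample frame through a pcap file written with the given snaplen."""
    _, _, records = parse_pcap(build_pcap([SAMPLE_FRAME], snaplen))
    return udp_payload(records[0])
```

`capture_with_snaplen(68)` returns 26 payload bytes and a truncated flag of True; `capture_with_snaplen(1500)` returns the whole 100-byte payload. Any tool that reads pcap sees the same incl_len/orig_len pair, which is why Wireshark can tell you a packet was truncated during capture rather than damaged on the wire; if you are saving captures for later analysis, pick the snaplen with that in mind.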

If you haven’t already, make sure you read parts [1], [2] and [3] in the “Ultimate portable covert hacking device” series.

As always if you have any questions, comments or suggestions please post them in the comment section below.

More info on TCPDump filters can be found at the following links.

http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt

http://www.linux.org/lessons/advanced/x442.html


Published by

LiamM

I'm a self-labeled Nerd who enjoys playing video games, restoring classic muscle cars (I have a '65 Mustang in the works), running Big Data clusters, tattoos, working on system automation, riding and customizing motorcycles, and writing Python code. I'm an SRE with DemonWare/Activision specializing in Big Data/Hadoop operations, but all opinions and views expressed on this site are solely my own.