Tcpdump is a powerful yet simple network sniffer that displays traffic from your Ethernet adapter. Basic filtering can be applied to limit the traffic displayed or recorded to a file to only specific IP addresses, networks, TCP/UDP ports, or ICMP packets.
In this lab, you will be using tcpdump to sniff packets on a network.
The purpose of this activity is to provide information regarding how these programs function in order that adequate defenses can be designed and implemented. These programs should never be used in a malicious fashion against another user.
Part 1: Introduction to Tcpdump
- Create a snapshot of the Kali Linux VM. Turn on the Windows and Kali Linux VMs with the host-only network adapter.
- In a Terminal in the Kali Linux VM, view a list of common
tcpdump
commands and arguments.tcpdump --help
If the command is not found, this is likely from the
PATH
environment variable being different for the kali user versus the root user, where the former does not know where to find the package.
You can confirm this by trying to find the tcpdump executable file as the kali user then withsudo
privileges.which tcpdump sudo which tcpdump
Temporarily add the directory to the
PATH
variable.export PATH=$PATH:/usr/sbin
- Begin to sniff your localhost interface.
sudo tcpdump -i lo
- Open a new Terminal window.
Send one ICMP echo request against the loopback interface.
ping -c 1 127.0.0.1
Notice the changes in the terminal window where
tcpdump
is running. Stop the sniffing with Ctrl+C. - Tcpdump allows you to specify a port to sniff.
Start the Apache HTTP server.
sudo service apache2 start
- Begin to sniff packets over port 80.
sudo tcpdump -X -i eth0 port 80
- In the Windows VM, in a browser in Incognito or InPrivate mode, browse to
http://192.168.56.102
being the IP address of the Kali VM. You will be shown the Apache default webpage. Intcpdump
in Kali, stop the sniffing. Notice the captured information.
Part 2: Introduction to Iptables
- View the manual for the Linux firewall.
man iptables
- View the current firewall rules.
sudo iptables -S
- Start the SSH service.
sudo service ssh start
Suppose the Linux instance were a web server and this HTTP traffic should be normal but shell traffic should not. Although tcpdump is strictly a packet-capture tool, you could use some simple pattern-matching to monitor for some simple attacks.
- Change the Terminal directory to the Desktop.
Create a file tcpdump.sh with the following contents.
#!/bin/bash SUSPECT_IP=$(sudo tcpdump -n -l -i eth0 port 22 -c 1 | awk '{ print gensub(/(.*)\..*/,"\\1","g",$3) }') sudo iptables -A INPUT -S ${SUSPECT_IP} -j DROP exit
- Make the file executable.
sudo chmod +x tcpdump.sh
- Run the script you just wrote.
Tcpdump will begin to sniff traffic.
./tcpdump.sh
- In the Windows VM, in Command Prompt, attempt to SSH to the Kali VM.
ssh kali@192.168.56.102
In the browser, refresh the Apache webpage. Notice what errors you encounter. Despite tcpdump’s extensive capabilities, it is perhaps most useful for examining the types of network-level attacks.
- In the Kali VM, repeat step 9.
- Delete the last iptables rule from step 15 except for “-A”.
sudo iptables -D <rule>
- In the Windows VM, refresh the browser and retry to SSH.
- Close all windows and VMs.
- Please write up a paragraph answering the following questions.
- What information is output in steps 4 and 6? Were the source IP addresses always the same?
- In step 11, what does each part of this script do? How could the script be improved?
- What useful information could tcpdump provide to a threat actor? How could it be used against the victim?
- How could a network administrator use these tools to protect the network?