Tcpdump is a powerful yet simple network sniffer that displays traffic from your Ethernet adapter. Basic filtering can be applied to limit the traffic displayed or recorded to a file to only specific IP addresses, networks, TCP/UDP ports, or ICMP packets.
In this lab, you will be using tcpdump to sniff packets on a network.
The purpose of this activity is to provide information regarding how these programs function in order that adequate defenses can be designed and implemented. These programs should never be used in a malicious fashion against another user.
Part 1: Introduction to Tcpdump
- Create a snapshot of the Kali Linux VM. Turn on the Windows and Kali Linux VMs with the host-only network adapter.
- In a Terminal in the Kali Linux VM, view a list of common
tcpdumpcommands and arguments.tcpdump --helpIf the command is not found, this is likely from the
PATHenvironment variable being different for the kali user versus the root user, where the former does not know where to find the package.
You can confirm this by trying to find the tcpdump executable file as the kali user then withsudoprivileges.which tcpdump sudo which tcpdumpTemporarily add the directory to the
PATHvariable.export PATH=$PATH:/usr/sbin - Begin to sniff your localhost interface.
sudo tcpdump -i lo
- Open a new Terminal window.
Send one ICMP echo request against the loopback interface.
ping -c 1 127.0.0.1Notice the changes in the terminal window where
tcpdumpis running. Stop the sniffing with Ctrl+C. - Tcpdump allows you to specify a port to sniff.
Start the Apache HTTP server.
sudo service apache2 start - Begin to sniff packets over port 80.
sudo tcpdump -X -i eth0 port 80 - In the Windows VM, in a browser in Incognito or InPrivate mode, browse to
http://192.168.56.102being the IP address of the Kali VM. You will be shown the Apache default webpage. Intcpdumpin Kali, stop the sniffing. Notice the captured information.
Part 2: Introduction to Iptables
- View the manual for the Linux firewall.
man iptables - View the current firewall rules.
sudo iptables -S - Start the SSH service.
sudo service ssh startSuppose the Linux instance were a web server and this HTTP traffic should be normal but shell traffic should not. Although tcpdump is strictly a packet-capture tool, you could use some simple pattern-matching to monitor for some simple attacks.
- Change the Terminal directory to the Desktop.
Create a file tcpdump.sh with the following contents.
#!/bin/bash SUSPECT_IP=$(sudo tcpdump -n -l -i eth0 port 22 -c 1 | awk '{ print gensub(/(.*)\..*/,"\\1","g",$3) }') sudo iptables -A INPUT -S ${SUSPECT_IP} -j DROP exit - Make the file executable.
sudo chmod +x tcpdump.sh - Run the script you just wrote.
Tcpdump will begin to sniff traffic.
./tcpdump.sh - In the Windows VM, in Command Prompt, attempt to SSH to the Kali VM.
ssh kali@192.168.56.102In the browser, refresh the Apache webpage. Notice what errors you encounter. Despite tcpdump’s extensive capabilities, it is perhaps most useful for examining the types of network-level attacks.
- In the Kali VM, repeat step 9.
- Delete the last iptables rule from step 15 except for “-A”.
sudo iptables -D <rule> - In the Windows VM, refresh the browser and retry to SSH.
- Close all windows and VMs.
- Please write up a paragraph answering the following questions.
- What information is output in steps 4 and 6? Were the source IP addresses always the same?
- In step 11, what does each part of this script do? How could the script be improved?
- What useful information could tcpdump provide to a threat actor? How could it be used against the victim?
- How could a network administrator use these tools to protect the network?