Comprehensive Guide to tcpdump (Part 3)

This is the third article in the Comprehensive Guide to tcpdump Series. Please find the first and second articles of the series below.

In this part, we will cover some of the advance features which we were unable to cover in the previous parts of the series. So we can get more benefits from this tool.

Table of Content

  • Version Information
  • Quick mode
  • Verbose mode
  • HTTP Requests
  • User Agent
  • Port Range
  • Destination
  • Source
  • Network
  • TCP Packets
  • Tcpdump to Wireshark

Version Information

Let’s begin with one of the simplest commands so that we can understand and relate all the practicals during the article. We can use this parameter to print the tcpdump, libpcap and OpenSSL version string.

Quick Mode

Arguably if the network is very quite, performing any operation during that time will take more time than usual. The person who developed tcpdump thought of this conundrum and gave us the way to speed up the process by using the “-q” parameter. It will print less information about protocols and data packets to save time.

Verbose Mode

The verbose mode is famous to provide extra information regarding operations. in TCPDump, verbose mode provides such the information too. For instance, time to live, identification, total length. It can also enable additional packet integrity checks such as verifying the IP and ICMP header checksum values.

TCPDump provides us with plenty of parameters that are moved around this mode like -v, -vv, -vvv, where each parameter has its unique efficiency.

  • -v parameter is the traditional verbose mode.
  • -vv parameter is more than the traditional verbose mode, additional fields are printed from NFS (Network File System) reply packets and SMB packets are fully decoded.
  • -vvv parameter has something more to provide like tenet options etc.

HTTP Requests

As we all know, HTTP Requests is an information message from the client to a server over the hypertext transfer protocol (HTTP). It has various methods to deliver this information. These methods are case-sensitive and always mentioned in the UPPERCASE. Through tcpdump, we can capture these request to analyze the traffic sent over the said protocol traffic.

The method which we can capture through tcpdump are the following :

  • GET- This method is used to retrieve the information from the given server using a given URL. Requests using GET should only retrieve data and have no other effect on it. We can also capture this request with the help of tcpdump.

  • POST- This request is used to send data to the server. Like customer information, file upload, etc. using HTML forms. Traffic over this protocol can analyzed using the following command :

  • Request-URL- It is a uniform resource identifier, which identifies the resource on which we need to apply requests. The most common form of this is used to identify a resource on a server. If a client wants to retrieve the data directly from the server, where it originated, then it would create a connection to port 80 of the host and send the request. These requests can be captured using the following commands:

User Agent

With TCPDump, you can also see which traffic is generated from which application. We can also find the user agents in our data traffic by using the following command :

Port Range

Some ordinary port filters help us to analyze the traffic on a particular port. But in tcpdump, we give our scan a range of ports through which it can monitor the destination of TCP/UDP or other port-based network protocols.

Destination

To check the flow of data in network traffic towards a particular destination, use the following command for this :

Source

To check the data traffic coming from a particular source, we can follow the command given below :

Network

To find the packets going to or from in a particular network, we can use the following function to analyze this traffic:

TCP Packets

TCP packet is the format consists of the fields such as source port and destination port field. Through these fields, we can identify the endpoints of the connections and can also capture these TCP packets in its various flag format. i.e. SYN, RST and ACK.

  • SYN- SYN flag is known as Synchronizes sequence numbers to initiate a TCP connection. We can capture this particular packet from traffic with the help of tcpdump.

  • RST- RST flag is known as reset flag. This flag is sent from the receiver to the sender if a packet is sent to a particular host that was expecting it. RST flag is used to re-establish a TCP end-to-end connection. We can capture this flag from our data traffic with the help of tcpdump.

  • ACK- ACK flag is known as the Acknowledgement flag. This flag is used to acknowledge that our data packet has been successfully received. We can capture these flags with tcpdump to study our data traffic.

Tcpdump to Wireshark

The only difference between the Wireshark and TCPDump is that Wireshark is GUI while tcpdump is a command-line tool. But with the help of a few sources, we use a command on tcpdump and view our data traffic results in Wireshark which, we find is the best way to analyze our traffic. This can be done using the following command :

After running this command it will immediately open the Wireshark and will ask a few questions about our scan. Press OK to move further.

After this, it will ask you which network interface we want to capture the data packets. In our case it will be eth0, so we are selecting that network interface.

After completing all the formalities our live data capture screen will appear with our captured data packets.

By following these steps we can run a command for tcpdump and capture its results in Wireshark.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.

Hack the Box: Postman Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: POSTMAN design by The Cyber Geek and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

  • Network Scanning
    • Nmap
  • Enumeration
    • Redis
  • Initial Foothold
    • Access SSH
  • Privilege Escalation
    • Webmin

Network Scanning

As we know the machine IP of the victim, Nmap scans will begin with the identification of open ports and services across them.

We find port 80 open for HTTP from this scanning study, and port 22 open for SSH, too. In addition, I have noticed port 1000 for webmin and the port 6379 for Redis is open.

Enumeration

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”.

You can read more about it from here

Since we saw port 6379 is available for Redis, we try to communicate with this with the help of the Redis client.

We noticed, that Redis is insecure and not AUTH required, so we discovered “.ssh directory” for the Redis as mentioned above, due to unsafe configuration we can transfer any file inside the server.

Further, I generate an ssh key pair using the ssh-keygen command given below:

I have a key and my goal is to place it in the server memory and then move it to a file in such a way that the authorized keys file that results remains valid.

Initial Foothold

As we have uploaded our ssh key into server thus it’s time to connect with a remote machine with the help following command

Here, we notice two things: first there is a user whose name is  “Matt” and a file with name “id_rsa.bak”, let’s find out the path for this file.

So, with the help of find command, we enumerate the path for id_rsa.bak file which lie inside /opt directory.

So id_rsa.bak file is actually the id_rsa private key, I copied it into a text file and saved it as a hash.

Then we have used ssh2john to convert this SSH key into a crackable file with the help of John the ripper and further used the rockyou.txt wordlist for this.

Hmmm!! so we have obtained ssh key “computer2008” for the user Matt.

As we knew that webmin was running over port 10000 thus we navigate to a web browser and explore the URL where we submit above-enumerated creds.

Boom! We logged in successfully and notice the installed version for webmin i.e. 1.910; now we can search for its exploit if available.

With the help of searchsploit, we found a Metasploit module for exploiting remote command execution. This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.

Privilege Escalation

Without wasting time, we loaded the Metasploit module and set the value required to initialize the exploit.

We got the meterpreter session with root privilege, let’s enumerate flags.

Let’s capture both flags user.txt and root.txt from inside the /home/Matt/ and /root respectively.

Conclusion: In this machine, we have learned about two major vulnerability and their exploitation, the first was insure Redis and the other was webmin.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

MuzzyBox: 1: Vulnhub Walkthrough

Introduction

Today we are going to crack this machine called MuzzyBox. It was created by Muzzy. Duh! This is a Capture the Flag type of challenge. The approach towards solving this machine is a bit different from the standard procedure. It consists of 3 Challenges. Each having a flag of its own. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Initial Enumeration
    • Browsing HTTP Service at port 80
  • Challenge #1
    • Browsing the HTTP Service at port 3000
    • Downloading the idcard.png template
    • Editing the idcard.png
    • Reading Flag #1
  • Challenge #2
    • Browsing the HTTP Service at port 8989
    • Getting a Python Shell
    • Reading Flag #2
  • Challenge #3
    • Detecting of the Server Side Template Injection
    • Getting shell using tplmap
    • Enumerating the shell
    • Getting SSH session
    • Enumerating ls command
    • Reading Flag #3

Walkthrough

Network Scanning

To Attack any machine, we need to detect the IP Address of the Machine. This can be done using netdiscover command. To detect the IP Address, we can co-relate it with the MAC Address of the Machine that can be obtained from the Virtual Machine Configurations Setting. The IP Address of the machine was detected to be: 192.168.1.6

Now that we have the IP Address, we need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP), 3000(HTTP), 15000(HTTP). So nice of the author of the machine to give us so many HTTP services to explore. Let’s move on to Enumeration Stage.

Initial Enumeration

Let’s start with the traditional HTTP port. Port 80. We ran the browser and opened the IP Address of the Machine. It gave us an Index Page. It consists of a text file named index.txt. That was odd but okay. We moved on further by clicking on that file.

Here we get this nicely crafted introduction of the Lab Environment. This machine has been divided into 3 Challenges. Each containing a flag.

Challenge #1

Let’s Start with Challenge #1. The information about this challenge state that Washington University created an online library. But currently, only Principle is Authorized. The library is hosted on the HTTP service running on port 3000. Also, there is an idcard named image hosted on port 9633. Let’s start with an enumerating port of 3000.

Okay, that’s quite a dull library. But in the end, it is a library. If you go through the introduction text written. You might get to know that the developers of the library have implemented a security measure to prevent unauthorized access. They have used an alternative of SQL DB to secure the database. How nice of them to provide us this sweet information. The process to enter the library is to upload the idcard on this page and then the access is allowed.

The template is provided to us on the port 9633. Let’s take a look at it. Now we know that the principal has access to the library. But what we don’t know is the name of the principal. We will have to figure out a way to get through this.

For starters, we downloaded the idcard.png file to our attacker machine using wget command.

Initially, the introduction on the page at 3000 port told us that the authentication is checked using an alternative of SQLDB. Now if we think about it, if they are not using an SQLDB then the next best alternative is NoSQL. We tried to google some of the NoSQL based payloads that can help us in this situation. We found quite a few. We decided to use this one.

Now we took the idcard.png image that we downloaded and tried to edit it to make it look like the image shown in the screenshot given below. It is quite easy you can use any online tool for the same. We made the following changes.

Now that we have the idcard ready. Let’s upload it. The upload was a success and we have successfully cracked the Challenge #1. This flag is in the form of a PIN. Let’s take note of this, we may need it down the road.

Challenge #2

We move onto the next challenge. After we broke the authentication in the previous challenge, the University developed a new website. How Unnecessary! It is under maintenance. We are asked to list the current directory and read the flag file. It shouldn’t be difficult. The new website is hosted on port 8989. Upon browsing the webpage, we see that it is an error page. While we were casually looking at the errors, we saw that there was a console icon. We hovered over it and got the message that it will “Open an interactive python shell in this frame”. How convenient!

We clicked on the console icon, we are greeted with a pop that tells us to enter a PIN. If we remember correctly from the previous challenge we received the flag in the form of a PIN. Let’s try it to get in.

PIN: 123-456-789

Since it was in “Python Interactive Shell”, we need some python shellcode to pop up a shell over here. We went to the pentestmonkey reverse shell cheat sheet and got the Python Reverse shell. We modified it a little bit to execute it line by line as shown in the given image. We chose the port 5555 for getting the reverse shell and opened the netcat listener for the same. As soon as we execute the last command, we see that we have a shell.

The objective of this challenge was to list the current directory, so we ran the ls command. We found a directory named flag. Inside this directory, we found a script called ctf2.py. We read the contents of this script to get ourselves the second flag.

Again we seem to have a hint in this flag. It tells us to read a file at the home directory of the user webssti.

Challenge #3

Two challenges down. One to go! We went back to the index for the description of the third challenge. It says that when we compromised the machine in the last challenge the root user started to audit the machine. Well, he/she really should do a better job. It wasn’t that difficult to exploit them. We are told that the root user is using sudo and bash with the ls command. This seems interesting. At last, we are told to read the final flag using an “Out-of-Band technique”. This challenge is hosted on the port 15000. We modified the URL to print the Raj name. #PersonalTouch. So what kind of vulnerability is this? Its Elementary, My Dear Watson. It is a Server-Side Template Injection.

For exploiting this vulnerability, we have just the tool. It is called tplmap. It is available on GitHub. To use it we cloned it to our attacker machine. After that, we traversed into this directory to find the python file named tplmap.py. We ran it with the proper parameters for the injection point as well as the -os-shell parameter to pop out a shell.

We got ourselves a shell in no time. We ran the id command to enumerate the user. Back to the previous challenge. We saw that the flag from the previous challenge asks us to read a file in the home directory of this user. We are indeed logged in as the webssti user. We checked the directory using the pwd command as well as listed the current directory contents using the ls command. There was a directory named ssti. We listed its contents to find the no_flag.txt file that we were looking for. We read the file using the cat command. This tells us the ssh username as well as password. Brilliant!!

Time to get that SSH shell. We entered the previously found credentials and got logged in. As the final flag was inside the root folder, we tried to read that flag. But we were unsuccessful.

Time to work our mind to escalate privilege on this shell. We ran the sudo -l command to enumerate but we were unsuccessful. We remembered from the introduction that the root user was using sudo as well as bash with the ls command. So it came us that Path Variable method might work here. We used the echo command to print the path for the ls command. After this, we enumerated which ls command we are running. We found that directory /usr/local/sbin was writable by our user. This means that we can create a file there and name it ls. Then we will be able to execute that file. Let’s do this using the nano command as shown in the image given below.

We used curl command to send a POST request onto our attacker machine with the contents fo the Final Flag. Clever Isn’t it?

Now before we save that file and exit the nano editor, we started the netcat listener on the port 1234. In no time we have the Final Flag.

This was a good set of challenges. I enjoyed it a lot while solving it. The first and second challenge was nice and surely something that you can come across in real life. Also this format of small challenges instead a standard CTF was a fresh approach. I appreciate the author and I look forward to more in this series.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while working from home. Take Care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Sahu: Vulnhub Walkthrough

Today we are going to complete a boot2root challenge of the lab Sahu. The lab is developed by Vivek Gautam and can be downloaded from here. Lab us fairly for the beginners and helps to get familiar with the concept of CTF challenges. It also helps to develop your enumeration skills as it solely focuses on enumeration.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap scan
  • Enumeration
    • Browsing HTTP service at port 80
    • Directory Bruteforce using dirb
    • Enumerating Source Code
    • Directory Generation using Crunch
    • Bruteforce Zip Password using fcrackzip
  • Exploitation
    • Connecting to Target using SMB
    • Enumerating SMB
  • Post Exploitation
    • Running LinEnum script
  • Privilege Escalation
    • Writable /etc/password file
    • Generating Password Hash using Openssl
    • Appending hash to /etc/passwd
    • Getting Root Privileges
  • Reading Root Flag

The first stage in starting the challenge is knowing your target and for that following command will be used :

After that we will start active reconnaissance by scanning our target IP using nmap with the following command :

With nmap, as it can be seen in the image above, open ports are shown. These ports are 21, 22, 80, 139, 445 with the services of FTP, SSH, HTTP, NetBIOS-ssn samba. Because of banner grabbing, it was observed that anonymous login was enabled in FTP. Therefore, try to log in from FTP with the following commands :

Here, enter the password anonymous. Once you are logged in from FTP use the ls command to check the contents it has. The single zip file was found here, namely ftp.zip.

When opened, it asked for a password but as the password is not known we moved further. Open the IP address in the browser and the can he webpage as shown in the following :

Now we enumerated the directories with directory buster using the command :

As a result, we found a directory /H/A/R/, if you remembered that the image on the web-page was of Haryana so we can correctly assume that the full directory will be /H/A/R/Y/A/N/A/ and when opened in the browser you can see the following :

In the source code, there will be a phrase saying “try to extract with hurry”. Now, this is something useful.

We had found an image on a web page and we have the hint in the source code. So we will use steghide to extract any metadata and to do so, use the following command :

And when asked to enter the word hurry and as you can see in the image below we found a file and then read it said, “I have found the password for a zip file but I have forgot the last part of it, can you find out. 5AHU**”

Now, according to the hint, it means that the first four characters of the password are 5AHU and password is of six characters in length and we must find last two characters in order to get the password. We can easily do this using crunch and construct a dictionary to fuzz up the password. The last to characters could be of any combination i.e. it can be alpha-numeric or special character and so on, therefore, use the following set of command to make a dictionary using a crunch of every possible combination:

Once our wordlist for dictionary attack is created we can commence our attack using fcrackzip and for that use the following command :

The password has been cracked using the above method and retrieved an ftp.txt file in which a username and password is found. As from the nmap port scan it was clear that the SMB port(139) was open. We ran the Enum4Linux to enumerate the SMB service

Thus, it is clear that a connection through sambashare can be made using smbclient and so to do the same, following command will be used :

and when asked provide the password which was retrieved from ftp.txt.

Now, connecting through smbclient gave us an opportunity to traverse around which lead us to find ssh.txt. upon reading ssh.txt file revealed a username and password. As the username and password are found in ssh.txt it can safely be assumed that these are the credentials for SSH login. Let’s try to login through SSH, using the following command :

Further, provide the password when asked and log in through SSH will be successful. After logging in the machine, we decided to use the wget command to transfer the LinEnum script to the Target Machine. Followed by the transfer, we gave the proper permissions to the script and then run it.

As a result, we found that /etc/passwd file is writable which allows us to make a new user and alter its permissions as per our desires.

To make a new user, use the following command :

Now we have the hash, all we need is to append this user hash in the target machine.

On the target machine, we use the echo command to add this user into the /etc/passwd file. We can verify that the user has successfully been added by taking a look at the /etc/passwd using the tail command. Now that we have added user, let’s login to that user using the su command. As the user we created had root privileges so we own the root on this machine.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here