Category Archives for Security

Network forensics with tshark

Let’s say we have a packet capture file (.pcap) and we want to get as much information out of it as possible. One option could be wireshark and its command line version tshark. Using the latter we will be able to manipulate and format the output using tools like sed, grep, awk…

Extracting host names with tshark

Since we are dealing with mostly http traffic we may be interested in the sites that have been visited. To obtain this information we can use the http.host field and then a bit of sorting and this will show us the top 10 sites.

tshark -T fields -e http.host -r tor.pcap > dns.txt
cat dns.txt | sort | uniq -c | sort -nr | head

Continue reading

Finding windows host on your network

If you ever wondered if there is a quick way to find all the Windows host in your network with exact version information, you are in the right place! We are going to see a few tools that will aid us in this task by quering the CIFS service (also known as SMB / NetBIOS) which is run by all Windows host.

To get us started let’s see the nbtscan tool, we can give it network range in the form of a CIDR or just with two values separated with a dash. This will give us a nice list of all the Windows host on our network with their netbios names.
Continue reading

Socat: A very powerful networking tool

Welcome to this socat tutorial. Socat is a network utility similar to netcat. Socat supports ipv6 and ssl and is available for both windows and linux. The first thing you will notice with this tool is that it has a different syntax on what you are used to with netcat or other standard unix tools.

socat [options] <address> <address>

You have to provide both addresses in order for it to work, now these addresses look like this:

protocol:ip:port

Let’s get started with some examples. First I want to show you how you can get the same functionality as with netcat.

nc localhost 80
socat - TCP4:localhost:80 OR socat STDIN TCP4:localhost:80
nc -lp localhost 700
socat TCP4-LISTEN:700 STDOUT
nc -lp localhost 700 -e /bin/bash
socat TCP4-LISTEN:700 EXEC:/bin/bash

Now we can go beyond netcat with some ssl examples, but first we need to generate a ssl cert for the server.

Generate a SSL cert

openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key

socat tutorial

SSL server

socat OPENSSL-LISTEN:443,cert=/cert.pem -

SSL client

socat - OPENSSL:localhost:443

Both addresses don’t have to use the same protocol, so you can do “ssl server -> non-ssl server”. You should also check out the options that you can apply, for example you can use fork to tell socat to listen and handle multiple clients.

socat TCP4-LISTEN:5000,fork OPENSSL:localhost:443

Finally if you are tunneling a connection between servers using socat you can use the -v option to print all the traffic to stdout.

I hope you enjoyed this quick socat tutorial. If you want to learn more, check out the socat man page, section “ADDRESS TYPES” or the online documentation.

CLI ninja: Ping Sweep

Ever wanted to do a ping sweep in this new network you just broke in but you don’t want (or can’t, for some reason, AVs etc…) to upload any tools? Or even in your own network but you don’t have time to install nmap for whatever reason?

Well, you can still do it by leveraging the OS built-in tools. With a for loop we can launch a ping for a whole class C in about 3 min in windows and in about 10 sec in Linux.

Linux Ping Sweep

for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done

What this does is a for loop from 1 to 254, $i takes the value of the current iteration so in the first one it will be 1 then 2, 3… and so on, then we tell it to call the ping command with the -c option which means only ping once otherwise it would ping forever after that we pipe the output to grep so we only see the hosts that actually responded and the & at the end send it to the background so it will launch all the pings in parallel. If we only want the ip address and not the whole line we can further filter this using cut.

Windows Ping Sweep

for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.

As you can see the idea is the same, -n being the equivalent of -c in Linux’s ping and -w is the timeout, then we send the output to nul and echo only if the ping command was successful (that’s what the && is for)

Introducing Dirfuzz

Dirfuzz is a tool for directory discovery of web applications, by default it uses a dictionary based approach which is in data/fdirs.txt it can also use the crawler module to find links up to 1 level of depth.

dirfuzz

Dirfuzz is designed to give you plenty of information fast and without having to scroll through hundreds of pages of output or deal with a clunky GUI. Dirfuzz is also capable of crawling a page to retrieve links, email address and potential injection points. To activate this feature use the -l1 option.

The project is hosted at github and you can download it and get a bit more info from there:

https://github.com/matugm/dirfuzz