Tools of the Trade: Part 2

Another session in tcpdump


Let's look at something with more meat. Remember last time I showed a TCP session using Ethereal. Well, let's look at a similar session in tcpdump. For the purposes of this illustration, I've cut out a bunch of extraneous data.



For this particular packet dump, I used the following command: tcpdump -l -vvv -x -X > tcpdat & tail -f tcpdat. The -x and -X options make tcpdump print each packet in hex and in ASCII, -vvv selects the most verbose protocol decoding, and -l line-buffers the output so that tail -f shows packets as soon as they are written to the file.

15:55:37.842404 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 107:110(3) ack 88 win 5840 <nop,nop,timestamp 250412784 526505810>
Telnet:

0x0000  fffd 01                 DO ECHO
(DF) [tos 0x10]  (ttl 64, id 45160, len 55)
0x0000  4510 0037 b068 4000 4006 05e1 c0a8 0119  E..7.h@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4eec 744a ed10  .....3..u$N.tJ..
0x0020  8018 16d0 2035 0000 0101 080a 0eec fef0  .....5..........
0x0030  1f61 d752 fffd 01                        .a.R...
15:55:37.843792 192.168.1.254.telnet > Mallard.36915: P [tcp sum ok] 88:107(19) ack 110 win 32120  <nop,nop,timestamp 526505810 250412784> (DF) (ttl 64, id 6922, len 71)
0x0000  4500 0047 1b0a 4000 4006 9b3f c0a8 01fe  E..G..@.@..?....
0x0010  c0a8 0119 0017 9033 744a ed10 7524 4eef  .......3tJ..u$N.
0x0020  8018 7d78 2b8d 0000 0101 080a 1f61 d752  ..}x+........a.R
0x0030  0eec fef0 0d0a 6c6f 6361 6c68 6f73 7420  ......localhost.
0x0040  6c6f 6769 6e3a 20                        login:.

OK. We've connected to the remote system. Notice the last line: the server is clearly waiting for a login ID. Now, understand that with telnet, every keystroke is sent to the remote system as a separate packet. With that in mind, look at the very last character of each of the next few packets. Note: some packets have been removed, as they are echo packets sent from the server back to the client system.

15:55:37.879456 Mallard.36915 > 192.168.1.254.telnet: . [tcp sum ok] 110:110(0) ack 107 win 5840  <nop,nop,timestamp 250412788 526505810> (DF) [tos 0x10]  (ttl 64, id 45161, len 52)
0x0000   4510 0034 b069 4000 4006 05e3 c0a8 0119  E..4.i@.@.......
0x0010   c0a8 01fe 9033 0017 7524 4eef 744a ed23  .....3..u$N.tJ.#
0x0020   8010 16d0 2124 0000 0101 080a 0eec fef4  ....!$..........
0x0030   1f61 d752                                .a.R
15:55:38.672320 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 111:112(1) ack 108 win 5840  <nop,nop,timestamp 250412867 526505873> (DF) [tos 0x10]  (ttl 64, id 45164, len 53)
0x0000   4510 0035 b06c 4000 4006 05df c0a8 0119  E..5.l@.@.......
0x0010   c0a8 01fe 9033 0017 7524 4ef0 744a ed24  .....3..u$N.tJ.$
0x0020   8018 16d0 b18a 0000 0101 080a 0eec ff43  ...............C
0x0030   1f61 d791 6f                             .a..o
15:55:38.798130 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 112:113(1) ack 109 win 5840  <nop,nop,timestamp 250412879 526505893> (DF) [tos 0x10]  (ttl 64, id 45166, len 53)
0x0000   4510 0035 b06e 4000 4006 05dd c0a8 0119  E..5.n@.@.......
0x0010   c0a8 01fe 9033 0017 7524 4ef1 744a ed25  .....3..u$N.tJ.%
0x0020   8018 16d0 b168 0000 0101 080a 0eec ff4f  .....h.........O
0x0030   1f61 d7a5 6f                             .a..o
15:55:38.922395 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 113:114(1) ack 110 win 5840 <nop,nop,timestamp 250412892 526505906> (DF) [tos 0x10] (ttl 64, id 45168, len 53)
0x0000   4510 0035 b070 4000 4006 05db c0a8 0119  E..5.p@.@.......
0x0010   c0a8 01fe 9033 0017 7524 4ef2 744a ed26  .....3..u$N.tJ.&
0x0020   8018 16d0 ac4c 0000 0101 080a 0eec ff5c  .....L.........\
0x0030   1f61 d7b2 74   .a..t

Oh my! Someone is trying to log in as root. First of all, you should never log in as root directly. It's safer to log in as yourself and then issue the su command to become root. Let's see what else we have.

15:55:39.175941 192.168.1.254.telnet > Mallard.36915: P [tcp sum ok] 113:123(10) ack 116 win 32120  <nop,nop,timestamp 526505943 250412916> (DF) (ttl 64, id 6928, len 62)
0x0000   4500 003e 1b10 4000 4006 9b42 c0a8 01fe  E..>..@.@..B....
0x0010   c0a8 0119 0017 9033 744a ed29 7524 4ef5  .......3tJ.)u$N.
0x0020   8018 7d78 d18f 0000 0101 080a 1f61 d7d7  ..}x.........a..
0x0030   0eec ff74 5061 7373 776f 7264 3a20       ...tPassword:.

Ok, waiting for the password now. Again, pay attention to the last character of each of the following packets.

15:55:40.290932 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 116:117(1) ack 123 win 5840  <nop,nop,timestamp 250413029 526505943> (DF) [tos 0x10]  (ttl 64, id 45173, len 53)
0x0000  4510 0035 b075 4000 4006 05d6 c0a8 0119  E..5.u@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4ef5 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 b78e 0000 0101 080a 0eec ffe5  ................
0x0030  1f61 d7d7 68                             .a..h
15:55:40.382285 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 117:118(1) ack 123 win 5840  <nop,nop,timestamp 250413038 526506057> (DF) [tos 0x10]  (ttl 64, id 45174, len 53)
0x0000  4510 0035 b076 4000 4006 05d5 c0a8 0119  E..5.v@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4ef6 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 b012 0000 0101 080a 0eec ffee  ................
0x0030  1f61 d849 6f                             .a.Io
15:55:40.485134 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 118:119(1) ack 123 win 5840 <nop,nop,timestamp 250413048 526506066> (DF) [tos 0x10]  (ttl 64, id 45175, len 53)
0x0000  4510 0035 b077 4000 4006 05d4 c0a8 0119  E..5.w@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4ef7 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 b1fe 0000 0101 080a 0eec fff8  ................
0x0030  1f61 d852 6d                             .a.Rm
15:55:40.611048 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 119:120(1) ack 123 win 5840  <nop,nop,timestamp 250413061 526506076> (DF) [tos 0x10]  (ttl 64, id 45176, len 53)
0x0000  4510 0035 b078 4000 4006 05d3 c0a8 0119  E..5.x@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4ef8 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 b9e6 0000 0101 080a 0eed 0005  ................
0x0030  1f61 d85c 65                             .a.\e
15:55:40.918409 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 120:121(1) ack 123 win 5840  <nop,nop,timestamp 250413091 526506089> (DF) [tos 0x10]  (ttl 64, id 45177, len 53)
0x0000  4510 0035 b079 4000 4006 05d2 c0a8 0119  E..5.y@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4ef9 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 bcba 0000 0101 080a 0eed 0023  ...............#
0x0030  1f61 d869 62                             .a.ib
15:55:41.080038 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 121:122(1) ack 123 win 5840  <nop,nop,timestamp 250413108 526506120> (DF) [tos 0x10]  (ttl 64, id 45178, len 53)
0x0000  4510 0035 b07a 4000 4006 05d1 c0a8 0119  E..5.z@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4efa 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 bd89 0000 0101 080a 0eed 0034  ...............4
0x0030  1f61 d888 61                             .a..a
15:55:41.221580 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 122:123(1) ack 123 win 5840  <nop,nop,timestamp 250413122 526506136> (DF) [tos 0x10]  (ttl 64, id 45179, len 53)
0x0000  4510 0035 b07b 4000 4006 05d0 c0a8 0119  E..5.{@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4efb 744a ed33  .....3..u$N.tJ.3
0x0020  8018 16d0 ab6a 0000 0101 080a 0eed 0042  .....j.........B
0x0030  1f61 d898 73                             .a..s
15:55:41.312177 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 123:124(1) ack 123 win 5840  <nop,nop,timestamp 250413131 526506150> (DF) [tos 0x10]  (ttl 64, id 45180, len 53)
0x0000  4510 0035 b07c 4000 4006 05cf c0a8 0119 E..5.|@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4efc 744a ed33  .....3..u$N.tJ.3
0x0020   8018 16d0 b952 0000 0101 080a 0eed 004b  .....R.........K
0x0030   1f61 d8a6 65                             .a..e

We now know that the password for the root account on this box is "homebase." We know that the "e" was the last character because the next few packets show the remote system's banner and prompt, confirming a successful login.
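Reading the last byte of each packet by eye, as above, does not scale past a handful of packets. The following script is an added example, not code from the article or from tcpdump itself: it parses the hex columns of a tcpdump -x dump, walks the IPv4 and TCP headers to the payload, strips telnet option negotiation (the IAC DO ECHO bytes in the first packet), and joins what remains per direction in sequence order. That is the check an auditor runs over a capture to demonstrate that a legacy telnet service exposes credentials on the wire. The embedded sample is a subset of the packets shown above (the negotiation packet, the login prompt and the first "o" keystroke); the regular expressions, function names and the handling of tcpdump's per-protocol decode line (the first packet has two 0x0000 lines, and only the second is the IP dump) are my own assumptions about the output format, checked only against the dump on this page.

```python
"""Extract the cleartext bytes a telnet session leaves in a `tcpdump -x` dump.
Added example, not from the article; the sample packets are a subset of the
article's own (client 192.168.1.25:36915, server 192.168.1.254:23)."""
import re
from collections import defaultdict
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")      # summary line opens a packet
HEXLINE = re.compile(r"^\s*0x([0-9a-f]{4})\s+(.*)$")   # offset, hex columns, ASCII
HEXTOK = re.compile(r"^(?:[0-9a-f]{2}){1,2}$")         # one or two bytes in hex
IAC, SB, SE = 0xFF, 0xFA, 0xF0                         # telnet command bytes

SAMPLE_DUMP = """\
15:55:37.842404 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 107:110(3) ack 88 win 5840 <nop,nop,timestamp 250412784 526505810>
Telnet:
0x0000  fffd 01                 DO ECHO
(DF) [tos 0x10]  (ttl 64, id 45160, len 55)
0x0000  4510 0037 b068 4000 4006 05e1 c0a8 0119  E..7.h@.@.......
0x0010  c0a8 01fe 9033 0017 7524 4eec 744a ed10  .....3..u$N.tJ..
0x0020  8018 16d0 2035 0000 0101 080a 0eec fef0  .....5..........
0x0030  1f61 d752 fffd 01                        .a.R...
15:55:37.843792 192.168.1.254.telnet > Mallard.36915: P [tcp sum ok] 88:107(19) ack 110 win 32120  <nop,nop,timestamp 526505810 250412784> (DF) (ttl 64, id 6922, len 71)
0x0000  4500 0047 1b0a 4000 4006 9b3f c0a8 01fe  E..G..@.@..?....
0x0010  c0a8 0119 0017 9033 744a ed10 7524 4eef  .......3tJ..u$N.
0x0020  8018 7d78 2b8d 0000 0101 080a 1f61 d752  ..}x+........a.R
0x0030  0eec fef0 0d0a 6c6f 6361 6c68 6f73 7420  ......localhost.
0x0040  6c6f 6769 6e3a 20                        login:.
15:55:38.672320 Mallard.36915 > 192.168.1.254.telnet: P [tcp sum ok] 111:112(1) ack 108 win 5840  <nop,nop,timestamp 250412867 526505873> (DF) [tos 0x10]  (ttl 64, id 45164, len 53)
0x0000   4510 0035 b06c 4000 4006 05df c0a8 0119  E..5.l@.@.......
0x0010   c0a8 01fe 9033 0017 7524 4ef0 744a ed24  .....3..u$N.tJ.$
0x0020   8018 16d0 b18a 0000 0101 080a 0eec ff43  ...............C
0x0030   1f61 d791 6f                             .a..o
"""

def split_packets(dump):
    """Raw bytes of each packet, in capture order.  A timestamp line opens a
    packet and an 0x0000 line restarts its buffer (dropping the telnet DO ECHO
    decode line printed before the IP bytes); hex tokens end at the ASCII column."""
    packets, buf = [], None
    for line in dump.splitlines():
        m = HEXLINE.match(line)
        if TIMESTAMP.match(line):
            if buf:
                packets.append(bytes(buf))
            buf = bytearray()
        elif m and buf is not None:
            if int(m.group(1), 16) == 0:
                buf = bytearray()
            for tok in m.group(2).split()[:8]:
                if not HEXTOK.match(tok):
                    break
                buf += bytes.fromhex(tok)
    if buf:
        packets.append(bytes(buf))
    return packets

def tcp_segment(pkt):
    """Return (src, dst, seq, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    pkt = pkt[:int.from_bytes(pkt[2:4], "big")]    # IP total length bounds the data
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None                                # cut short by the capture snaplen
    doff = (pkt[ihl + 12] >> 4) * 4                # TCP data offset, in 32-bit words
    src = "%d.%d.%d.%d:%d" % (*pkt[12:16], int.from_bytes(pkt[ihl:ihl + 2], "big"))
    dst = "%d.%d.%d.%d:%d" % (*pkt[16:20], int.from_bytes(pkt[ihl + 2:ihl + 4], "big"))
    return src, dst, int.from_bytes(pkt[ihl + 4:ihl + 8], "big"), pkt[ihl + doff:]

def strip_telnet_options(data):
    """Drop IAC negotiation so only what was typed or displayed remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif data[i + 1:i + 2] == bytes([IAC]):     # escaped 0xff data byte
            out.append(IAC); i += 2
        elif data[i + 1:i + 2] == bytes([SB]):      # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1:i + 2] and 0xFB <= data[i + 1] <= 0xFE:
            i += 3                                  # WILL/WONT/DO/DONT <option>
        else:
            i += 2                                  # any other two-byte command
    return bytes(out)

def reassemble(dump):
    """Join payloads per direction in sequence order; a retransmit counts once."""
    segs = defaultdict(dict)
    for pkt in split_packets(dump):
        parsed = tcp_segment(pkt)
        if parsed and parsed[3]:                    # skip pure ACKs
            src, dst, seq, payload = parsed
            segs[f"{src} -> {dst}"].setdefault(seq, payload)
    return {k: strip_telnet_options(b"".join(v[s] for s in sorted(v)))
            for k, v in segs.items()}

if __name__ == "__main__":
    print(reassemble(SAMPLE_DUMP))                 # one byte string per direction
```

Run as a script it prints one byte string per direction; point it at the full tcpdat file from the command above to see the whole session, prompts on the server side and keystrokes on the client side. It trusts the IP total length field to bound the payload, so a capture taken with a short snaplen yields skipped segments rather than garbage, and storing segments keyed by sequence number means a retransmitted keystroke is counted once. Against an SSH capture the same code returns only ciphertext, which is the point of the comparison the article draws.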

15:55:41.876090 192.168.1.254.telnet > Mallard.36915: P 125:195(70) ack 126 win 32120  <nop,nop,timestamp 526506213 250413178> (DF) (ttl 64, id 6938, len 122)
0x0000   4500 007a 1b1a 4000 4006 9afc c0a8 01fe  E..z..@.@.......
0x0010   c0a8 0119 0017 9033 744a ed35 7524 4eff  .......3tJ.5u$N.
0x0020   8018 7d78 2034 0000 0101 080a 1f61 d8e5  ..}x.4.......a..
0x0030   0eed 007a 5468 696e 4c69 6e75 7820 6c6f  ...zThinLinux.lo
0x0040   6361 6c68 6f73 7420 322e 322e 3134 2d74  calhost.2.2.14-t
0x0050   6869                                     hi
15:55:41.964197 192.168.1.254.telnet > Mallard.36915: P [tcp sum ok] 195:206(11) ack 126 win 32120  <nop,nop,timestamp 526506222 250413187> (DF) (ttl 64, id 6939, len 63)
0x0000   4500 003f 1b1b 4000 4006 9b36 c0a8 01fe  E..?..@.@..6....
0x0010   c0a8 0119 0017 9033 744a ed7b 7524 4eff  .......3tJ.{u$N.
0x0020   8018 7d78 7705 0000 0101 080a 1f61 d8ee  ..}xw........a..
0x0030   0eed 0083 6c6f 6361 6c68 6f73 7423 20    ....localhost#.

There you have it, easy as pie.

With a little more experimentation and familiarity with tcpdump, you can do much more. Once again, if this same session had used Secure Shell (SSH) instead, the attacker would not have been able to capture any of this information: the payloads would have been encrypted garbage, of no use at all.

I hope I've shown you just how easy it is to look at packets on a network. There is much, much more to it than what I've shown here, but this should give you a starting point for further learning.
