tcpdump
tcpdump is a text-based (command-line) network sniffer. Let’s capture some traffic. We use the -i switch to name the interface on Kali Linux we want to sniff on, then specify a filter (in BPF syntax) so that only matching traffic is shown. If we don’t specify a filter, we capture all the traffic passing through that interface. Two other switches worth knowing: -n stops tcpdump from resolving host and port names (faster, and the sniffer then generates no DNS traffic of its own), and -w file.pcap writes the raw packets to a file that Wireshark can open later.
┌──(kali㉿kali-2)-[~]
└─$ sudo tcpdump -i eth0 'tcp port 80 and host 10.0.0.41'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
┌──(kali㉿kali-1)-[~/Documents]
└─$ telnet 10.0.0.42 80
Trying 10.0.0.42...
telnet: Unable to connect to remote host: Connection refused
┌──(kali㉿kali-2)-[~]
└─$ sudo tcpdump -i eth0 'tcp port 80 and host 10.0.0.41'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:03:00.496549 IP 10.0.0.41.44344 > 10.0.0.42.http: Flags [S], seq 4134350744, win 64240, options [mss 1460,sackOK,TS val 2593871620 ecr 0,nop,wscale 7], length 0
16:03:00.496615 IP 10.0.0.42.http > 10.0.0.41.44344: Flags [R.], seq 0, ack 4134350745, win 0, length 0
The telnet command is used for interactive communication with another host using the TELNET protocol. Here we gave it the custom port 80 (rather than the default, 23) so that it tries to establish a TCP connection to the remote host on port 80; in other words, we used telnet as a quick test of whether port 80 is open on the remote host. Compare the two outputs: telnet reports “Connection refused” because the server answered our SYN with a RST (the Flags [R.] packet in the capture), which is exactly what a closed port looks like on the wire. At this point apache2 is not yet running on kali-2, so port 80 is closed. Later in this post, you will learn another tool to test for open ports.
Wireshark
Like tcpdump, Wireshark is a sniffer, but it has a graphical user interface, which gives you more flexibility (protocol decoding, filtering and stream reassembly in a point-and-click interface) if you prefer GUI tools.
Launching Wireshark
From the CLI run sudo wireshark. You can also launch Wireshark from the GUI via the Applications menu. Running a large packet dissector as root is not ideal; on Kali (as on Debian) you can instead add your user to the wireshark group (sudo usermod -aG wireshark kali, then log out and back in), so that only the small dumpcap helper captures with elevated capabilities and Wireshark itself runs unprivileged.

When it loads, we see a window where we can select the interface we want to sniff on. We can also set a capture filter or a display filter in the same window. Note that you cannot modify the capture filter after the capture has started, but you can change the display filter as you go.

The secret to using Wireshark (or any other packet sniffer) is learning how to use filters. What are filters? They let you drill down to the exact traffic you want to capture (capture filters) or you want to see (display filters).
Capture Filter
Wireshark uses the same syntax (like tcp port 80) for capture filters as tcpdump or any other program that uses the libpcap library (on Linux) or Npcap, formerly WinPcap, on Windows: the Berkeley Packet Filter (BPF) syntax.
Capture filters are set before starting the packet capture. They are much more limited than display filters and are used to reduce the size of our packet capture, which matters on a busy interface. Let’s start the apache2 service with sudo systemctl start apache2 on our kali-2 machine, whose IP address is 10.0.0.42. Then start Wireshark on our kali-1 machine with a capture filter of host 10.0.0.42. Don’t forget to start the capture by hitting the blue shark-fin icon in the top menu.

Now, open Firefox then browse: http://10.0.0.42.

It’s time to check what we have so far sniffed:

For more information about capture filters, refer to the Wireshark documentation on: https://wiki.wireshark.org/CaptureFilters
Display Filter
Display filters (like tcp.port == 80) hide packets from the packet list without discarding them from the capture, which is why you can change them on the fly. Note the different syntax from capture filters: display filters use protocol field names and comparison operators (tcp.port == 80, ip.addr == 10.0.0.42, http), not BPF. In our example above, as you can see, there are some ICMP packets in our capture. Let’s say we want to see only packets related to TCP port 80. Here is how:

Following TCP (or UDP) Streams
Although you can read the message in each individual packet, we can instead leverage Wireshark’s ability to reassemble the packets that belong to a specific session. This lets us view the whole message at once instead of piecing it together segment by segment. Right-click a packet from the conversation and choose Follow > TCP Stream (or Follow > UDP Stream); Wireshark shows the reassembled conversation, with each direction in its own colour, and applies a display filter of the form tcp.stream eq N that isolates that connection in the packet list. Here is how:

Because HTTP is a clear-text protocol, we can read the entire stream:
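To make concrete what the display filter and Follow > TCP Stream do under the hood, here is an added example (not code from the original post or from the Wireshark project) in Python. It builds a small constructed capture of raw Ethernet frames for the kali-1 to kali-2 HTTP request shown above, plus one ICMP echo request, then applies the equivalent of a tcp.port == 80 display filter and reassembles the conversation by sequence number. The MAC addresses, sequence numbers, payloads and the out-of-order and retransmitted segments are all made up for the example, and the IP/TCP checksums are left at zero because the parser does not verify them.

```python
import struct

# Constructed sample capture for this example: a short HTTP exchange between the
# two lab hosts from the post plus one ICMP echo request, as raw Ethernet frames.
# MAC addresses, sequence numbers and payloads are made up; checksums are left zero.
CLIENT, SERVER = "10.0.0.41", "10.0.0.42"
MAC_CLIENT, MAC_SERVER = bytes.fromhex("020000000041"), bytes.fromhex("020000000042")
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))

def eth(src):
    src_mac, dst_mac = (MAC_CLIENT, MAC_SERVER) if src == CLIENT else (MAC_SERVER, MAC_CLIENT)
    return dst_mac + src_mac + b"\x08\x00"          # Ethernet II header, EtherType IPv4

def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, ipv4(src), ipv4(dst))

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 64240, 0, 0)
    return eth(src) + ipv4_header(src, dst, 6, 20 + len(payload)) + tcp + payload

def icmp_frame(src, dst):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"   # ICMP echo request
    return eth(src) + ipv4_header(src, dst, 1, len(icmp)) + icmp

REQUEST = b"GET / HTTP/1.1\r\nHost: 10.0.0.42\r\n\r\n"
RESPONSE_1 = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\n"
RESPONSE_2 = b"hello, kali\n"
CAPTURE = [
    icmp_frame(CLIENT, SERVER),
    tcp_frame(CLIENT, SERVER, 44344, 80, 1000, 0, SYN),
    tcp_frame(SERVER, CLIENT, 80, 44344, 5000, 1001, SYN | ACK),
    tcp_frame(CLIENT, SERVER, 44344, 80, 1001, 5001, ACK),
    tcp_frame(CLIENT, SERVER, 44344, 80, 1001, 5001, PSH | ACK, REQUEST),
    # the server's two data segments were captured out of order, and the first one twice
    tcp_frame(SERVER, CLIENT, 80, 44344, 5001 + len(RESPONSE_1), 1001 + len(REQUEST), PSH | ACK, RESPONSE_2),
    tcp_frame(SERVER, CLIENT, 80, 44344, 5001, 1001 + len(REQUEST), PSH | ACK, RESPONSE_1),
    tcp_frame(SERVER, CLIENT, 80, 44344, 5001, 1001 + len(REQUEST), PSH | ACK, RESPONSE_1),
    tcp_frame(CLIENT, SERVER, 44344, 80, 1001 + len(REQUEST), 5001 + len(RESPONSE_1) + len(RESPONSE_2), ACK),
]

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP-or-ICMP just far enough to filter on,
    using Wireshark-style field names as dictionary keys."""
    if frame[12:14] != b"\x08\x00":
        return None                                     # not IPv4: ignored in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {"ip.src": ".".join(map(str, ip[12:16])),
           "ip.dst": ".".join(map(str, ip[16:20])), "ip.proto": ip[9]}
    l4 = ip[ihl:total_len]
    if pkt["ip.proto"] == 6:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                    "tcp.flags": off_flags & 0x1FF, "tcp.payload": l4[(off_flags >> 12) * 4:]})
    elif pkt["ip.proto"] == 1:
        pkt["icmp.type"] = l4[0]
    return pkt

def display_filter(packets, predicate):
    """A display filter hides packets from the list; the capture itself is untouched,
    so a different predicate can be applied to the same packets later."""
    return [p for p in packets if predicate(p)]

def tcp_port(port):
    """Equivalent of the Wireshark display filter  tcp.port == <port>."""
    return lambda p: port in (p.get("tcp.srcport"), p.get("tcp.dstport"))

def follow_tcp_stream(packets, client, server, client_port, server_port):
    """Reassemble both directions of one connection the way Follow > TCP Stream does:
    order segments by sequence number (repairs out-of-order capture) and keep only the
    first copy of a retransmitted segment. Returns {source IP: reassembled bytes}."""
    directions = {(client, client_port, server, server_port): {},
                  (server, server_port, client, client_port): {}}
    for p in packets:
        if p.get("tcp.payload"):                        # SYN/ACK-only segments carry no data
            key = (p["ip.src"], p["tcp.srcport"], p["ip.dst"], p["tcp.dstport"])
            if key in directions:
                directions[key].setdefault(p["tcp.seq"], p["tcp.payload"])
    return {key[0]: b"".join(segs[seq] for seq in sorted(segs)) for key, segs in directions.items()}

if __name__ == "__main__":
    packets = [p for p in map(parse_frame, CAPTURE) if p]
    http_only = display_filter(packets, tcp_port(80))
    print(f"{len(packets)} packets captured, {len(http_only)} match tcp.port == 80")
    stream = follow_tcp_stream(http_only, CLIENT, SERVER, 44344, 80)
    print(stream[CLIENT].decode(), end="")
    print(stream[SERVER].decode(), end="")
```

Running it prints the request and the reassembled 200 response in order even though the response segments were captured reversed and one was duplicated; that reordering and de-duplication is what Wireshark hides from you when you click Follow > TCP Stream, and it is also why a stream view can look complete while the packet list shows retransmissions.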

Port Scanning with Nmap
Port scanning is the process of probing the TCP or UDP ports of a remote machine with the intention of detecting which services are running on the target.
WARNING: Port scanning can be considered illegal in some jurisdictions, and unauthorized scanning may violate acceptable-use policies even where it is not. Do NOT perform it outside the lab or against systems you are not authorized to test.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. While Nmap is commonly used for security audits, many systems and network administrators find it useful for other routine tasks.
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used.
TCP Scanning
The simplest TCP port scanning technique, usually called CONNECT scanning (nmap -sT), relies on the TCP three-way handshake: the scanner asks the operating system to connect() to each port, so an open port completes SYN, SYN/ACK, ACK and the scanner then closes the connection, while a closed port answers the SYN with a RST, exactly as we saw with telnet and tcpdump above. (Refer to this post for basic information on the TCP 3-way handshake.) When Nmap runs as root it defaults instead to the SYN (half-open) scan, -sS, which crafts raw packets and never sends the final ACK; -sT is the scan type available without privileges.
Let’s run nmap from kali-1 to check which TCP ports are open on kali-2 (10.0.0.42). Without a -p option Nmap scans its default list of the 1000 most common TCP ports, which is why the report below counts 998 closed ports next to the 2 open ones.
┌──(kali㉿kali-1)-[~]
└─$ sudo nmap -sT 10.0.0.42
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-16 22:26 EDT
Nmap scan report for 10.0.0.42
Host is up (0.00011s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:98:CE:3F (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
As an exercise, run a packet capture with Wireshark, then run the port scan. Can you find the SYN, SYN/ACK, ACK and RST messages? For the two open ports you should see a complete three-way handshake followed by the scanner closing the connection; for each closed port, a single SYN answered by a RST. Then repeat with sudo nmap -sS and compare: the SYN scan never sends the final ACK.
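To see that a CONNECT scan is nothing more than the three-way handshake performed by the operating system, here is an added example (not code from the original post or from the Nmap project) of a minimal connect scanner in Python. It starts its own TCP listener on loopback to play the part of an open port on kali-2, picks an unused loopback port to play a closed one, and classifies each probe as open, closed or filtered the same way -sT does. The TARGET address, the listener and the closed-port helper are constructed for the example; nothing here is Nmap's own code.

```python
import socket
import threading

TARGET = "127.0.0.1"   # constructed: the loopback address stands in for kali-2

def start_tcp_listener(host=TARGET):
    """Constructed target: an open TCP port on loopback that accepts connections
    and immediately closes them, standing in for the ssh/http services above."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:        # listener closed: stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def pick_closed_port(host=TARGET):
    """Find a loopback port nothing is listening on, by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def connect_scan_port(host, port, timeout=1.0):
    """One CONNECT-scan probe. connect() performs the full three-way handshake:
    success means SYN, SYN/ACK, ACK completed (open); ECONNREFUSED means the SYN
    was answered with a RST (closed); no answer before the timeout means something
    dropped the SYN (filtered), which is what a stateful firewall looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                 # timeout, host unreachable, etc.
        return "filtered"
    finally:
        s.close()                   # tear the connection down, as Nmap does after connect()

def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}, like a tiny nmap -sT."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}

if __name__ == "__main__":
    listener, open_port = start_tcp_listener()
    closed_port = pick_closed_port()
    for port, state in sorted(connect_scan(TARGET, [open_port, closed_port]).items()):
        print(f"{port}/tcp\t{state}")
    listener.close()
```

Run it while tcpdump -i lo is capturing and you will see the same two patterns as in the Nmap exercise: a full handshake for the listener's port and a lone SYN answered by RST for the closed one. Because connect() creates a real connection, every probe against an open port shows up in the target's application logs, which is the main reason attackers prefer the half-open -sS scan.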
UDP Scanning
Remember that UDP has no three-way handshake or any other mechanism to establish a connection with the remote host; that is, UDP is connectionless. Because of that, UDP port scanning (nmap -sU) works differently from a TCP scan. It relies on ICMP Port Unreachable messages (ICMP messages are explained here): if the destination UDP port is closed, the host replies with ICMP Port Unreachable (type 3, code 3) and Nmap marks the port closed. If nothing comes back at all, the scanner cannot tell an open port whose application simply ignored the probe from a firewall that silently dropped it, so Nmap reports such ports as open|filtered rather than open. This ambiguity is what makes UDP scanning unreliable, and it is slow as well: Linux hosts rate-limit the ICMP errors they send (about one per second by default), so a scan of many closed UDP ports takes a long time. To get a definite answer for well-known services, Nmap uses another technique: for ports such as 161, used by SNMP, it sends a protocol-specific payload (an SNMP request) in an attempt to get a response from an application bound to that port, and a reply proves the port is open.
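The three outcomes just described (a reply, an ICMP Port Unreachable, or silence) are easy to reproduce locally. The following is an added example in Python, not code from the original post or from the Nmap project: it probes three constructed loopback UDP ports, one with a service that answers, one that is bound but silent (which looks identical to a firewall dropping the probe) and one that is closed, using a connected UDP socket so that the Linux kernel surfaces the ICMP error as ECONNREFUSED on the next recv(). The TARGET address, the echo service and the probe payloads are made up for the example, and the ICMP-to-ECONNREFUSED behaviour assumes Linux.

```python
import socket
import threading

TARGET = "127.0.0.1"   # constructed: loopback stands in for the remote host

def start_udp_service(host=TARGET):
    """Constructed target: an application bound to a UDP port that answers every
    datagram, playing the role of SNMP on 161/udp answering a protocol-specific probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))            # port 0: let the kernel pick a free port

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(2048)
            except OSError:        # socket closed: stop serving
                return
            srv.sendto(b"reply:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def start_silent_udp_port(host=TARGET):
    """Constructed target: a port that is bound but never answers. To the scanner
    this is indistinguishable from a firewall silently dropping the probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]

def pick_closed_udp_port(host=TARGET):
    """Find a loopback UDP port nothing is bound to, by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

def udp_probe(host, port, payload=b"\x00", timeout=1.0):
    """One UDP probe. The socket is connect()ed so the kernel reports the ICMP Port
    Unreachable that a closed port triggers as ECONNREFUSED on recv(). A datagram
    back means open; ICMP Port Unreachable means closed; silence is the ambiguous
    open|filtered state, exactly as Nmap reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(2048)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()

def udp_scan(host, ports, payloads=None, timeout=1.0):
    """Scan ports with a one-byte probe by default, or a protocol-specific payload per
    port (payloads = {port: bytes}), the way Nmap does for well-known UDP services."""
    payloads = payloads or {}
    return {p: udp_probe(host, p, payloads.get(p, b"\x00"), timeout) for p in ports}

if __name__ == "__main__":
    service, open_port = start_udp_service()
    silent, silent_port = start_silent_udp_port()
    closed_port = pick_closed_udp_port()
    probes = {open_port: b"probe"}   # constructed stand-in for an application-layer request
    results = udp_scan(TARGET, [open_port, silent_port, closed_port], probes, timeout=0.5)
    for port, state in sorted(results.items()):
        print(f"{port}/udp\t{state}")
    service.close()
    silent.close()
```

The silent port is the instructive one: the scanner waits the whole timeout and still cannot say whether a program is listening, which is why a real UDP scan of a filtered host takes minutes and why Nmap only promotes a port to open when a protocol-specific probe gets an answer.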
Network Sweeping with Nmap
As mentioned earlier, Nmap’s power is not limited to scanning one particular host; it can sweep a large number of hosts. The -sn option (a “ping scan”, formerly -sP) skips port scanning and only reports which hosts are up. Run unprivileged, as here, Nmap discovers hosts with TCP connect() probes to ports 80 and 443; run as root on a local Ethernet segment it uses ARP requests instead, which is faster and harder for hosts to filter. 10.0.0.0-254 is Nmap’s octet-range notation; 10.0.0.0/24 would have scanned the same hosts plus the .255 broadcast address.
┌──(kali㉿kali-1)-[~]
└─$ nmap -sn 10.0.0.0-254
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-16 22:38 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00093s latency).
Nmap scan report for 10.0.0.9
Host is up (0.00063s latency).
Nmap scan report for 10.0.0.14
Host is up (0.00061s latency).
Nmap scan report for kali-1 (10.0.0.41)
Host is up (0.00029s latency).
Nmap scan report for 10.0.0.42
Host is up (0.00049s latency).
Nmap done: 255 IP addresses (5 hosts up) scanned in 3.02 second