
Cyber Security 101 -> Networking

Link: Cyber Security 101 > Networking
Difficulty: Easy
Date Completed: 2025-05-19

Tcpdump: The Basics

TCPdump: The Basics Room

The library associated with tcpdump is libpcap.

Specify the Network Interface

Specify the network interface to listen on with -i INTERFACE. You can listen on all available interfaces with -i any. A command such as ip address show lists all available network interfaces.

Save the Captured Packets

In many cases we need to check the captured packets again later. This can be achieved by saving them to a file with -w FILENAME.

Read captured packets from a file

A saved capture can later be inspected with Wireshark or with tcpdump -r FILENAME.

Limit the number of captured packets

You can specify the number of packets to capture by specifying the -c COUNT option.

Don't resolve IP addresses and port numbers

CAREFUL

Tcpdump will resolve IP addresses and print friendly domain names. To avoid making such DNS lookups, you can use the -n argument.

Similarly, if you don't want port numbers to be resolved, such as 80 to http, you can use the -nn option to stop both DNS and port number lookups.

Produce (more) verbose output

You can use the -v option to produce more verbose output. This will print "the time to live, identification, total length and options in an IP packet". You can use -vv or -vvv for even more verbosity.

Filtering by host

Let's say you are only interested in IP packets exchanged with your network printer or a specific game server. You can easily limit the captured packets to this host using host IP or host HOSTNAME.

If you want to limit the packets to those from a particular source IP address or hostname, you must use src host IP or src host HOSTNAME. Similarly, you can use dst host IP or dst host HOSTNAME to limit the packets to those sent to a particular destination.

Filtering by port

If you want to capture all DNS traffic, you can limit the captured packets to those on port 53. DNS uses UDP and TCP port 53 by default.

Filtering by protocol

You can limit your packet capture to a specific protocol; examples include: ip, ip6, tcp, udp, icmp. For example: sudo tcpdump -i ens5 icmp -n.

Logical Operators

Three logical operators can be handy:

  • and: captures packets where both conditions are true. For example: tcpdump host 1.1.1.1 and tcp captures tcp traffic with host 1.1.1.1.
  • or: captures packets where either condition is true. For example: tcpdump udp or icmp captures udp or icmp traffic.
  • not: captures packets that do not match the condition. For example: tcpdump not port 22 captures all traffic except SSH. Another example: tcpdump not tcp captures all traffic except TCP.

For example, to read a file called traffic.pcap and count the packets from the source IP 192.168.124.1:

```bash
tcpdump -r traffic.pcap src host 192.168.124.1 -n | wc

> reading from file traffic.pcap, link-type EN10MB (Ethernet)
    910   17415  140616
```

We can see that there are 910 packets from the source IP.

What is the IP address of the host that asked for the MAC address of 192.168.124.137?

```bash
tcpdump -r traffic.pcap arp -n

> reading from file traffic.pcap, link-type EN10MB (Ethernet)
07:18:29.940761 ARP, Request who-has 192.168.124.137 tell 192.168.124.148, length 28
07:18:29.940776 ARP, Reply 192.168.124.137 is-at 52:54:00:23:60:2b, length 28
```

What hostname (subdomain) appears in the first DNS query?

```bash
tcpdump -r traffic.pcap port 53 -c 1

> reading from file traffic.pcap, link-type EN10MB (Ethernet)
07:18:24.058626 IP ip-192-168-124-137.eu-west-1.compute.internal.33672 > ip-192-168-124-1.eu-west-1.compute.internal.domain: 39913+ A? mirrors.rockylinux.org. (40)
```

Advanced Filtering

We can limit the displayed packets to those smaller or larger than a certain length:

  • greater LENGTH: filters packets that have a length greater than or equal to LENGTH.
  • less LENGTH: filters packets that have a length less than or equal to LENGTH.

RECOMMENDATION

Check the pcap-filter manual page by issuing the command man pcap-filter for more information on the filtering options.

Binary operations

A binary operation works on bits, i.e. zeroes and ones. An operation takes one or two bits and returns one bit. Let's explain in more depth the following three binary operations:

  • &: AND, takes two bits and returns 0 unless both inputs are 1.
  • |: OR, takes two bits and returns 1 unless both inputs are 0.
  • !: NOT, takes one bit and returns 1 if the input is 0 and 0 if the input is 1.

Header bytes

The purpose of this section is to be able to filter packets based on the contents of a header byte. Consider the following protocols: ARP, Ethernet, ICMP, IP, TCP and UDP. How can we tell Tcpdump to filter packets based on the contents of protocol header bytes?

Using pcap-filter syntax, Tcpdump allows you to refer to the contents of any byte in the header using the following syntax: proto[expr:size], where:

  • proto is the protocol name (e.g. tcp, ip, icmp, etc.)
  • expr is the offset of the byte in the header (e.g. 0, 1, 2, etc.)
  • size indicates the number of bytes that interest us, which can be one, two or four bytes.

To better understand this, consider the following two examples from the pcap-filter manual page:

  • ether[0] & 1 != 0: takes the first byte in the Ethernet header and the decimal number 1 and applies & (the AND binary operator). It will return true if the result is not equal to the number 0. The purpose of this filter is to show packets sent to a multicast address. A multicast Ethernet address is a particular address that identifies a group of devices intended to receive the same data.
  • ip[0] & 0xf != 5: takes the first byte in the IP header and applies & with the hexadecimal number 0xf. It will return true if the result is not equal to the decimal number 5. The purpose of this filter is to catch all IP packets with options.

You can use tcp[tcpflags] to refer to the TCP flags field. The following TCP flags are available to compare with:

  • tcp-syn: TCP SYN (Synchronize) flag
  • tcp-ack: TCP ACK (Acknowledgment) flag
  • tcp-fin: TCP FIN (Finish) flag
  • tcp-rst: TCP RST (Reset) flag
  • tcp-push: TCP PUSH flag

Based on the above, we can write:

```bash
tcpdump -r traffic.pcap "tcp[tcpflags] == tcp-syn"
```

This will capture all TCP packets with only the SYN flag set, while all the other flags are unset.

```bash
tcpdump -r traffic.pcap "tcp[tcpflags] & tcp-syn != 0"
```

This will capture all TCP packets with at least the SYN flag set.

```bash
tcpdump -r traffic.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
```

This will capture TCP packets with at least the SYN or ACK flags set.

TIP

How many packets have only the TCP Reset (RST) flag set?

```bash
tcpdump -r traffic.pcap "tcp[tcpflags] == tcp-rst" | wc -l
```
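The header-byte filters from this section can be checked without a live interface or the room's traffic.pcap. The script below is an added example, not code from the room or from tcpdump: it builds a small pcap in memory from constructed frames, reads it back, and evaluates the same proto[offset:size] expressions (tcp[tcpflags] == tcp-syn, tcp[tcpflags] & tcp-syn != 0, tcp[tcpflags] & (tcp-syn|tcp-ack) != 0, tcp[tcpflags] == tcp-rst, ether[0] & 1 != 0 and ip[0] & 0xf != 5) as byte lookups on the raw frame. The addresses and packets are made up for the example; only 52:54:00:23:60:2b is taken from the ARP reply shown earlier.

```python
import struct

# Added example: a tiny pcap writer/reader plus pcap-filter-style byte checks.
# All frames below are constructed for the example; they are not captured traffic.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
LINKTYPE_EN10MB = 1


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(o) for o in s.split("."))


def ether_frame(dst, src, payload, ethertype=0x0800):
    # ether[0] is the first byte of the destination MAC.
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def ipv4_packet(src, dst, proto, payload, options=b""):
    # IHL counts 32-bit words: 5 for a bare header, more when options are present,
    # which is exactly what ip[0] & 0xf reads.
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, proto, 0, ip4(src), ip4(dst))
    return hdr + options + payload


def tcp_segment(sport, dport, flags):
    # 20-byte header without options; byte 13 is the flags byte (tcp[tcpflags]).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_sample_pcap():
    a, b = "192.168.124.148", "192.168.124.137"          # constructed hosts
    ma, mb = "52:54:00:aa:bb:cc", "52:54:00:23:60:2b"    # constructed / from the ARP reply
    frames = [
        ether_frame(mb, ma, ipv4_packet(a, b, 6, tcp_segment(40000, 80, TCP_SYN))),
        ether_frame(ma, mb, ipv4_packet(b, a, 6, tcp_segment(80, 40000, TCP_SYN | TCP_ACK))),
        ether_frame(mb, ma, ipv4_packet(a, b, 6, tcp_segment(40000, 80, TCP_RST))),
        # ACK carried in an IP header that has a 4-byte options field (four NOPs)
        ether_frame(mb, ma, ipv4_packet(a, b, 6, tcp_segment(40000, 80, TCP_ACK), b"\x01" * 4)),
        # UDP datagram to an Ethernet multicast address (first byte of dst MAC is odd)
        ether_frame("01:00:5e:00:00:fb", ma, ipv4_packet(a, "224.0.0.251", 17, bytes(8))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_EN10MB:
        raise ValueError("expected little-endian pcap with link-type EN10MB")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl


def field(frame, proto, offset, size=1):
    """proto[offset:size] as tcpdump reads it; None when that protocol is absent."""
    if proto == "ether":
        base = 0
    elif proto in ("ip", "tcp"):
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            return None
        base = 14
        if proto == "tcp":
            if frame[23] != 6:                 # IP protocol byte
                return None
            base += (frame[14] & 0x0F) * 4     # skip the IP header, options included
    else:
        raise ValueError(proto)
    return int.from_bytes(frame[base + offset:base + offset + size], "big")


def count_matching(data, predicate):
    return sum(1 for frame in read_pcap(data) if predicate(frame))


def tcpflags(f):
    return field(f, "tcp", 13)


# The filters from this section, written as predicates over the raw frame.
FILTERS = {
    "tcp[tcpflags] == tcp-syn": lambda f: tcpflags(f) == TCP_SYN,
    "tcp[tcpflags] & tcp-syn != 0": lambda f: tcpflags(f) is not None and tcpflags(f) & TCP_SYN != 0,
    "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0": lambda f: tcpflags(f) is not None and tcpflags(f) & (TCP_SYN | TCP_ACK) != 0,
    "tcp[tcpflags] == tcp-rst": lambda f: tcpflags(f) == TCP_RST,
    "ether[0] & 1 != 0": lambda f: field(f, "ether", 0) & 1 != 0,
    "ip[0] & 0xf != 5": lambda f: field(f, "ip", 0) is not None and field(f, "ip", 0) & 0xF != 5,
}

if __name__ == "__main__":
    pcap = build_sample_pcap()
    for expr, pred in FILTERS.items():
        print(f"{expr:42} -> {count_matching(pcap, pred)} packet(s)")
```

Two details carry over from real tcpdump behaviour: a tcp[...] expression never matches a packet that is not TCP (hence the None handling), and the TCP header offset depends on the IP header length, so the IHL nibble must be honoured before byte 13 is read.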

Displaying packets

Tcpdump is a rich program with many options to customize how the packets are printed and displayed. We cover the following five options:

  • -q: quick output; print brief packet information.
  • -e: print the link-level header (MAC address).
  • -A: show packet data in ASCII.
  • -xx: show packet data in hexadecimal format.
  • -X: show packet headers and data in hex and ASCII.

Nmap: The Basics

Nmap: The Basics Room

Imagine the scenario where you are connected to a network and using various network resources, such as email and web browsing. Two questions arise. The first is how we can discover other live devices on this network or on other networks. The second is how we can find out the network services running on these live devices; examples include SSH and web servers.

One approach is to do it manually. If asked to uncover which devices are live on the 192.168.0.1/24 network, one can use basic tools such as ping, arp-scan, or some other tool to check the 254 IP addresses.

Each tool has its limitations. For example, ping won't give any information if the target system's firewall blocks ICMP traffic. Moreover, arp-scan only works if your device is connected to the same network, i.e. over Ethernet or WiFi.

Discovering the running services on a specific host is equally time-consuming if one relies on manual solutions or inefficient scripts. For instance, one can use telnet to try one port after the other; however, with thousands of ports to scan, this can be a very time-consuming task.

A very efficient solution that can solve the above two requirements and many more is the Nmap network scanner. Nmap is an open-source network scanner that was first published in 1997. It is a powerful and flexible network scanner that can be adapted to various scenarios and setups.

We will learn how to:

  • discover live hosts on a network
  • find running services on the live hosts
  • distinguish the different types of port scans
  • detect the versions of the running services
  • control the timing of the scan
  • format the output of the scan

Host discovery: who is online?

Let's start with the first question: who is online? This task aims to find out how to use Nmap to discover the live hosts. Nmap uses various sophisticated ways to discover live hosts.

Before we start, we should mention that Nmap uses multiple ways to specify its targets:

  • IP range using -: if you want to scan all the IP addresses from 192.168.0.1 to 192.168.0.10, you can write 192.168.0.1-10.
  • IP subnet using /: if you want to scan a subnet, you can express it as 192.168.0.1/24, and this would be equivalent to 192.168.0.0-255.
  • Hostname: you can also specify your target by hostname, for example: example.thm.

Let's say you want to discover the online hosts on a network. Nmap offers the -sn option, i.e. ping scan. Running Nmap as a non-root user would limit us to fundamental types of scans such as ICMP echo and TCP connect scans.

Scanning a "local" network

In this context, we use the term "local" to refer to the network we are directly connected to, such as an Ethernet or WiFi network. In the first demonstration, we will scan the WiFi network to which we are connected. Our IP address is 192.168.66.89 and we are scanning the 192.168.66.0/24 network. The nmap -sn 192.168.66.0/24 command will do the job.

```bash
nmap -sn 192.168.66.0/24

Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-07 13:49 EEST
Nmap scan report for XiaoQiang (192.168.66.1)
Host is up (0.0069s latency).
MAC Address: 44:DF:65:D8:FE:6C (Unknown)
Nmap scan report for S190023240007 (192.168.66.88)
Host is up (0.090s latency).
MAC Address: 7C:DF:A1:D3:8C:5C (Espressif)
Nmap scan report for wlan0 (192.168.66.97)
Host is up (0.20s latency).
MAC Address: 10:D5:61:E2:18:E6 (Tuya Smart)
Nmap scan report for 192.168.66.179
Host is up (0.10s latency).
MAC Address: E4:AA:EC:8F:88:C9 (Tianjin Hualai Technology)
[...]
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.64 seconds
```

Because we are scanning the local network, where we are connected via Ethernet or WiFi, we can look up the MAC addresses of the devices. Consequently, we can figure out the network card vendors, which is beneficial information as it can help us guess the type of target device(s).

When scanning a directly connected network, Nmap starts by sending ARP requests. When a device responds to the ARP request, Nmap labels it with "Host is up".

Scanning a remote network

Consider the case of a "remote" network. In this context, "remote" means that at least one router separates our system from this network. As a result, all our traffic to the target systems must go through one or more routers. Unlike scanning a local network, we cannot send an ARP request to the target.

Our system has the IP address 192.168.66.89 and belongs to the 192.168.66.0/24 network. In the terminal below we scan the target network 192.168.11.0/24, where two or more routers (hops) separate our local system from the target hosts.

```bash
nmap -sn 192.168.11.0/24

Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-07 14:05 EEST
Nmap scan report for 192.168.11.1
Host is up (0.018s latency).
Nmap scan report for 192.168.11.151
Host is up (0.0013s latency).
Nmap scan report for 192.168.11.152
Host is up (0.13s latency).
Nmap scan report for 192.168.11.154
Host is up (0.22s latency).
Nmap scan report for 192.168.11.155
Host is up (2.3s latency).
Nmap done: 256 IP addresses
```

The Nmap output shows that five hosts are up. But how did Nmap discover this? Let's see some sample traffic generated by Nmap:

  • 192.168.11.1 is live and responded to the ICMP echo (ping) request.
  • 192.168.11.2 seems down. Nmap sent two ICMP echo (ping) requests, two ICMP timestamp requests, two TCP packets to port 443 with the SYN flag set, and two TCP packets to port 80 with the ACK flag set. The target didn’t respond to any. We observe several ICMP destination unreachable packets from the 192.168.11.151 router.

It is worth noting that we can have more control over how Nmap discovers live hosts such as -PS[portlist], -PA[portlist], -PU[portlist] for TCP SYN, TCP ACK, and UDP discovery via the given ports.

As a final point, Nmap offers a list scan with the option -sL. This scan only lists the targets to scan without actually scanning them. For example, nmap -sL 192.168.0.1/24 will list the 256 targets that will be scanned.
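The target notation above (192.168.0.1-10, 192.168.0.1/24, a hostname) and the -sn report format shown in the two terminals are both simple enough to handle in a few lines. The script below is an added example, not part of the room or of Nmap: expand_targets lists the addresses a spec covers, which is what -sL prints for a /24 (256 entries, .0 and .255 included), and parse_ping_scan turns -sn output into records so that the "Host is up" lines and MAC vendors can be counted. The sample output is constructed from the lines in the local scan above plus one made-up entry for the scanning host itself (192.168.66.89), which in a local scan shows no MAC line; whether Nmap prints a latency for that entry is not assumed, so both forms are accepted.

```python
import ipaddress
import re

# Constructed sample: the hosts from the local "nmap -sn" terminal above plus one
# made-up entry for the scanning host itself, which has no MAC Address line.
SAMPLE_SN_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-07 13:49 EEST
Nmap scan report for XiaoQiang (192.168.66.1)
Host is up (0.0069s latency).
MAC Address: 44:DF:65:D8:FE:6C (Unknown)
Nmap scan report for S190023240007 (192.168.66.88)
Host is up (0.090s latency).
MAC Address: 7C:DF:A1:D3:8C:5C (Espressif)
Nmap scan report for wlan0 (192.168.66.97)
Host is up (0.20s latency).
MAC Address: 10:D5:61:E2:18:E6 (Tuya Smart)
Nmap scan report for 192.168.66.179
Host is up (0.10s latency).
MAC Address: E4:AA:EC:8F:88:C9 (Tianjin Hualai Technology)
Nmap scan report for 192.168.66.89
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.64 seconds
"""

IPV4 = r"\d+(?:\.\d+){3}"
REPORT_RE = re.compile(rf"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>{IPV4})\)|(?P<bare>{IPV4}))$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) \((?P<vendor>[^)]*)\)$")
RANGE_RE = re.compile(r"^\d+(?:\.\d+){2}\.\d+-\d+$")


def parse_ping_scan(text):
    """Turn `nmap -sn` text output into one dict per reported host."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = {"ip": m.group("ip") or m.group("bare"), "name": m.group("name"),
                   "up": False, "latency_s": None, "mac": None, "vendor": None}
            hosts.append(cur)
        elif cur and (m := UP_RE.match(line)):
            cur["up"] = True
            cur["latency_s"] = float(m.group("lat")) if m.group("lat") else None
        elif cur and (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.group("mac"), m.group("vendor")
    return hosts


def summarize(hosts):
    """Counts a defender would glance at: hosts up, hosts with a MAC (local), vendors seen."""
    up = [h for h in hosts if h["up"]]
    return {
        "up": len(up),
        "with_mac": sum(1 for h in up if h["mac"]),
        "vendors": sorted({h["vendor"] for h in up if h["vendor"]}),
    }


def expand_targets(spec):
    """List the IPv4 targets a spec covers, as `nmap -sL` would (no DNS here)."""
    if "/" in spec:
        # strict=False lets 192.168.0.1/24 stand for 192.168.0.0/24; iterating a
        # network includes .0 and .255, hence the 256 targets mentioned above.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if RANGE_RE.match(spec):
        # Only the last-octet range form from the room (192.168.0.1-10) is handled.
        prefix, last = spec.rsplit(".", 1)
        lo, hi = (int(x) for x in last.split("-"))
        return [f"{prefix}.{i}" for i in range(lo, hi + 1)]
    return [spec]  # hostname: Nmap would resolve it, we pass it through untouched


if __name__ == "__main__":
    hosts = parse_ping_scan(SAMPLE_SN_OUTPUT)
    for h in hosts:
        print(h)
    print(summarize(hosts))
    print(len(expand_targets("192.168.0.1/24")), "targets in 192.168.0.1/24")
    print(expand_targets("192.168.0.1-10"))
```

The with_mac count is a quick way to tell a local scan (ARP-based, MAC known) from a remote one (ICMP/TCP-based, no MAC), which is the distinction the two terminals above illustrate.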

USEFUL -sL OPTION

This option helps confirm the targets before running the actual scan. This scan can be helpful if you want to discover the devices on a network without causing much noise.

Port scanning: who is listening?

Earlier, we used -sn to discover the live hosts. In this task, we want to discover the network services listening on these live hosts. By network service, we mean any process that is listening for incoming connections on a TCP or UDP port. Common network services include web servers, which usually listen on TCP ports 80 and 443, and DNS servers, which typically listen on UDP (and TCP) port 53.

Scanning TCP Ports

Connect Scan

The connect scan can be triggered using -sT. It tries to complete the TCP three-way handshake with every target TCP port.

SYN Scan (Stealth)

Later

Use nmap -sT -A 10.10.206.166 to scan for services and versions.

Machine Walkthrough

Reconnaissance

```bash
# Initial scan
nmap -sC -sV -oA nmap/initial 10.10.10.x

# Deeper scan
nmap -p- 10.10.10.x
```

Findings:

  • Port 22: SSH
  • Port 80: HTTP
  • etc.

Enumeration

Web enumeration:

```bash
gobuster dir -u http://10.10.10.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

Findings:

  • /admin
  • /uploads
  • etc.

Exploitation

Describe the vulnerability and how you exploited it:

```bash
# Example exploit command
python3 exploit.py -t 10.10.10.x
```

Privilege Escalation

Steps taken to escalate privileges:

```bash
# Example commands
sudo -l
find / -perm -u=s -type f 2>/dev/null
```

Flags

  • user.txt: flag_value_here (or just note that you obtained it)
  • root.txt: flag_value_here (or just note that you obtained it)

Lessons Learned

  • Key takeaway 1
  • Key takeaway 2
  • Key takeaway 3

References
