tcpdump - Traffic Capture & Analysis

Video Statistics and Information

Captions
Hey guys, HackerSploit here, back again with another video, and in this video we are going to be looking at tcpdump. Now, I did mention that I will be trying to complete the entire, you know, traffic sniffing and packet capturing series, where we looked at Wireshark and we went through all of that, and now it's time to look at some command line based utilities, especially the packet capturing ones. So in this video we're gonna be looking at tcpdump.

All right, now before we get started, apologies once again for the lack of videos in the past week. As I mentioned, I've been working on a lot of things, you know, trying to get new ideas out there, trying to see how I can improve the channel. And for those of you who are requesting Hack The Box videos, those are also coming. I had an issue with my account where I could not actually register for a VIP account, a very, very small issue, but it's sorted now, so you should be getting videos, in addition to the VulnHub videos that are also scheduled to be coming out every Friday. So with that out of the way, let's get started.

So for those of you wondering what tcpdump is: tcpdump is essentially a command line based packet capturing utility, and it allows us to sniff, capture and monitor any type of traffic on a network really, really easily. Now some of you might be afraid of command line tools, especially when I mention tools like tcpdump, because if you've ever used it you know that it really is something that many beginners don't know how to get control of, and they prefer graphical user interfaces because they understand what they're dealing with. With a utility like tcpdump it's very important to understand the syntax, because if you understand the syntax then you'll understand a lot about how to use the tool. All right, so tcpdump allows you to sniff traffic from almost all layers of the OSI model, so all the way from layer 1 to layer 7, which is excellent, and you can pretty much do whatever you want with the packets you've captured: you can store them and analyze them later in Wireshark, et cetera, et cetera, and I'll show you that in a second.

All right, so as I mentioned, tcpdump is a really reliable tool, especially if you're not in a graphical user environment and you're working in, for example, a VPS, which is a virtual private server, or you're working professionally in an environment where you don't have your own computer with you and you're simply SSHing into a box. It can be really useful to have a tool like tcpdump in your arsenal. So pretty much a lot of you guys actually brought this issue up, and you're wondering, well, what if I'm actually trying to hack into a box, or you're doing a CTF challenge, and you want to launch a traffic analyzer or a traffic capturing tool within the box that you've essentially got into, and you don't have a VNC session, where you don't have a graphical user interface? Then this is where tcpdump comes into place.

All right, so let's get started with tcpdump. Now, by default it comes pre-installed in Kali and Parrot OS, as far as my knowledge serves me, but again, please do let me know if it's available in other penetration testing distributions like CAINE, as it's called, and a few others. But that being said, let's get started. So the first thing we're going to do is simply type in tcpdump, and we want to open our trusty help menu. All right, now the help menu in tcpdump, I have to admit, is not really helpful. Okay, now of course you can use any of the other options here to specify any specific type of functionality that you want, but as I've mentioned, the most important things that we're going to be looking at are the ones that are displayed in the help menu: the file, the interface here, and verbose, if I can find it, which is a lowercase v. If it's not here, don't worry, I'll get to that in a second. So really, the help menu isn't extremely helpful, which is kind of sad, because this is an extremely powerful tool. I use it more than I use Wireshark; actually, I use Wireshark for analyzing the traffic that I've captured. I'll show you that in a second.

All right, so let's get started with a very basic scan. So for good practice I always recommend specifying the interface that you want to use. So I can say I want to use eth0, which is what I'm using right now, or I can say I want to use wlan0, which requires me to have monitor mode enabled on my wireless device, so that means if it was activated I would have to use wlan0mon, and hopefully you know how to do that. So in my case, judging, or given the fact that Ethernet is promiscuous and I am connected to a switch here, I should be okay using Ethernet. That way, it's always important to specify the interface that you're using. The next thing that you might want to do, if you are analyzing it on the fly or on the go: I would recommend that you use the verbose option here. All right, so that will essentially print out all the traffic that's being captured. Now, you'll see most network penetration testers really don't use this; they prefer to save it into a file. We'll get to that very, very shortly.

All right, so let's talk about filters now. So let's say I want to, you know, scan for specific data, because if I simply hit enter you can see it's going to capture a wide variety of data right over here. You can see, and you pretty much can understand, what's going on, where it's coming from, what computer it's coming from, where it's going, what the source is, what the destination is. So yeah, it's crazy to monitor traffic like this, and this is where beginners really get confused, so hopefully I can clarify that right now. All right, so what I'm going to do is I'm just going to stop this, and let me just clear that up, and we'll open up the previous command here, and now we talk about filters. So tcpdump also has filters, and the great thing is that they are very similar to the ones that we saw in Wireshark. So the great thing as well is they're not sorted out in terms of display and capture: essentially what's going to be displayed can be denoted by the verbose option, and your capture filters are, again, as I've just mentioned, what we're going to be taking a look at. So remember, we are capturing everything in regards to the filter, so it's very important that you realize that it will not capture all the data in the background as well; that's the difference with tcpdump.

All right, so let's say I want to start capturing data from a host. Let's start off with the host filter, where, you know, you can specify a host right over here, so 192.168.1.1, we can say, for example, and I hit enter, and then any traffic in regards to that host is going to be monitored. So that's one example. Of course, then you can move on, and I've just opened a web page on my other computer here to bbc.com. Let's see if we did get the ARP request first, and you can essentially monitor that right over here, where it gives you the... well, let me just see if I can find that here. Let's see if we can actually find the response here. Well, this is actually where Wireshark comes into play, and I'll get to that in a second. So let's see, anything here from the IP... let me just see if I can get that right, and anyway, I'll get to that in a second; I don't want to confuse you guys too early. All right, so let me just clear that up and we'll go into tcpdump one more time. So that is the host filter. All right, we can also use google.com, or we can say bbc.com, for example. That's a very simple example, so again, you know, I can refresh, and that is limited to the host that you specify. Okay, and of course this is not going to respond anyhow, because we'll specify our host outside our range. So let me just clear that out, and that is how to use the host filter.

Now let's look at something a bit more interesting. All right, let's look at the source and destination IPs that you can specify on the network. So let me open up the command that we're using. So again, I usually like keeping this as standard, where you use tcpdump, you specify the interface you're working with, and then you specify the verbose option, that's if you want the data to be displayed to you. Again, I'll get to that in a second. So when you're talking about the source and destination filters, as I mentioned, these are very similar to the ones that you'll find with Wireshark. So you have src and you have dst for destination. So in this case, let's say we are looking for traffic with a destination IP address of the Kali operating system, which, let me just display that to you so you guys can actually confirm that, is 192.168.1.107, so this computer right over here. Let me just clear that up and we can get started. All right, so instead of using a host, we're going to say verbose everything, and we're going to say we want our traffic, in regards to, or any traffic that has a destination IP address of 192.168.1.107.

Now of course you can replace that with a source, whatever you want, whatever traffic you're trying to capture. I'm going to hit enter, and it's going to start listening for any traffic with the destination IP address of 192.168.1.107. So let me just refresh this bbc page here, and there we are, we can see we've got all the traffic. Then there's quite a bit in regards to the API that it's collecting, and you can specify that; I'll explain the filters in a second. So you can see it's getting all that data that of course has the destination IP, a destination IP, that's very important, not a destination port. All right, so that is how to capture, or how to specify, a destination and source port, and again, you can also change that to src, or the source port, sorry, the source IP, and we'd hit enter, and as you can see this data is very different from the one that we received previously, because this is where the source IP is 192.168.1.107. All right, so I'm going to stop that right now and we'll clear that up.

All right, so now let's look at combining filters. All right, this is very important now, because as I mentioned previously with Wireshark, combining is where you get the real magic of any traffic or packet capturing utility. All right, so let's say I want to capture any traffic, or all traffic, between this computer and my access point. So I can say tcpdump, eth0, and we want to verbose the output here, and we can say the destination is going to be 192.168.1.107. Now when we talk about combining filters with tcpdump, very similar, as I mentioned, to Wireshark, we use the and, or, not expressions. So we can say and, we want to capture the traffic between, and so we're saying the destination of 192.168.1.107 and the source of 192.168.1.1, which is my default gateway, or my access point, whatever you're going to call it. So I'm going to hit enter, and it's going to start capturing that traffic. So let me just again reload this bbc page; I'll be using this as the example just to show you that the traffic actually does work, and as you can see, there you are. If I can just stop this here, you can just see right over here we have all the plugins, of course, from the website loading up as well. But again, when you talk about analyzing this, I'll show you that in a second. All right, so please do have patience as I actually go through all the filters. So that is how to combine.

All right, now let's talk about scanning the entire network, which is something a lot of you guys actually talk about. With tcpdump it's very easy to specify this. All right, so again let me just write out the command for you. So tcpdump, and I can specify again the interface here, always good practice to do that, eth0, we want to verbose the output here, and now to specify the entire network, or your subnet, we use the net command and then we specify the subnet that we are using. So I can say 192.168.1.0/24 for the entire range; that's, you know, a medium size network range where it goes up to 255 IP addresses. So I'm going to hit enter, and again that's going to start capturing traffic from all devices on this network range, and I just reloaded bbc.com on another computer that's right next to me, and hopefully we're able to analyze this. So let's actually stop the traffic here, right over here, and we have a lot of data being captured, and for some reason... yeah, there we did stop it. All right, so we have TCP data captured right over here, and hopefully I can actually show you how to capture TCP data in a second. So there's a lot of traffic being captured, and again this is where a tool that displays this type of data really well, like Wireshark, comes into play. I'll get to that in a second, but anyway, I'll get to all of this in a second, and now it can be analyzed really well, because for me, what I usually do is I use tcpdump for the capture and then I use a graphical user interface like Wireshark, you know, to analyze the traffic, or to actually go through it in a more accurate type of way. All right, so that is essentially how to scan data coming from the entire network, or, you know, a specified range.

Now, when you're talking about protocol and port specific filters, this is where tcp and ports come into play. So let me just show you a simple command here. So tcpdump, all right, and we're going to specify again the interface, sorry, and we're going to verbose, and we're going to say tcp; that is a protocol specific filter, so again, tcp or udp, whatever. So I'm going to say tcp, and I can say I want all TCP data coming from the network range 192.168.1.0 and the range of /24, which, you know, is a good way of specifying the entire range, and I'm going to hit enter, and again it's going to start capturing all TCP data. That's very important; remember, the protocol that we've specified here is tcp, so it's only going to be going through that data, or looking for TCP data, and as you can see now the traffic is a little bit more standardized, and we're getting a little bit more accurate data in regards to what we want. All right, so we'll get to all of this in a second. So let me just clear this out, and whoops, sorry about that guys, let me just clear that up.

And now let's look at port specific filters; we haven't looked at that. So again, the syntax for ports is divided really differently. So for example, I can run a simple command here, or let me just open up the previous one. So I can say we can go for the entire network, or just capture any data we want, and we can do that using the port. We can say we only want traffic with the port 80, so any traffic going and coming to the port 80, so we know with the source and destination, that's if you don't specify it. All right, so I'm going to hit enter, and this is on the entire... this is any traffic that can be captured, and of course we're not going to get a lot of that data, even if I try and reload bbc.com here; it really isn't going through any of those ports. So yeah, nothing special there, but however, this is where you get the real awesome options in terms of filtering, and this is where you have your source port and your destination port.

All right, so let me just show you that right now in a simple example here. So let's say I want to start capturing, you know, HTTPS data, SSL, whatever you're going to call it. So tcpdump, interface is eth0, and we're verbosing the output here, and we're going to say the source port is going to be port 443, yeah, source port is going to be 443, and we want a destination of 192.168.1.107. So we want to capture all data with a source port of 443 and a destination IP of 192.168.1.107. So I'm going to hit enter, and for some reason... yeah, I did not specify my interface; I specified etho, not eth0. So I'm going to hit enter, let's reload bbc.com, hopefully this does work for us, or I can open up another website here, and voila, there you can see, these are all packets that have a source port of 443 and a destination IP of 192.168.1.107, and the protocol, as we already know with port 443, is usually TCP, as we already know, so we can see all these SYNs right over here. So it's going through the entire process here, and again, it also has to look at all the other APIs, or all other websites affiliated with the website that, you know, your target is visiting, et cetera, et cetera. So let me just close that, and that is how to specify your source port. Now you can also use your destination port. Remember, if you're looking for protocol specific traffic, so, you know, usually what I find is we have port 22; you know, you can always specify traffic that way.

All right, so let us now talk about good practice with tcpdump, which is something I've not talked about. So usually what I would recommend around your capture, or your display filters, whatever you'd prefer to call it (I would prefer you call it a capture filter), I would recommend that you specify, or you encapsulate, it with quotation marks, with single quotation marks. All right, so let's say I want to run the same command that I did just before. So to do that I simply put my capture filters within encapsulating quotation marks. All right, so I can put my filter in here, and this is good practice because it allows you to sift through what your capture filters are. All right, so I'll say here, we're looking for a source port of 443, and again we're using our expressions right over here, so and, or, not, so and, we are looking for a destination IP of, what am I saying here, a destination of 192.168.1.107, and I'm going to hit enter. All right, so I'm gonna close the capture filter now with a single quotation mark, and I'm gonna hit enter, and as you can see it's going to run the same thing, and there we are, we can see that the traffic is going to be captured right over here. All right, and we can see that for some reason it's connecting to an AWS server here, which is pretty much telling me that bbc.com has a load balancer set up, but anyway, that's another video for a different time. And that is good practice in regards to your quotation marks right over here.

All right, so let me just clear that up, and let me talk about essentially saving traffic into a pcap file. All right, this is very important; I don't know if I've mentioned this before, and this is where analyzing your traffic comes into play. So let's say I wanted to capture all TCP traffic; this is a very simple example. So tcpdump, and now instead of displaying the traffic to me, I want to save it in a pcap file so I can analyze it with, you know, traffic analyzers like Wireshark, so I can analyze the traffic in a real accurate way. So I can say tcpdump, and we use the -w command to write it out to a file, and I'm going to specify the location where I want to save the pcap file, so /root/Desktop, and I'm going to save it as traffic.pcap, and now I specify the interface, which is eth0, and we want to verbose, or you can leave that out if you don't want to, and now I'm going to specify my capture filters right over here. So we are going to say I'm looking for, let's see, all TCP traffic. All right, so we're going to say tcp, and we're going to say the entire network range here, 192.168.1.0/24, and close that up. All right, so this is going to capture all the packets into a pcap file. I'm going to hit enter, and it's going to tell you right over here how many packets it's got, so you can see it's got three, six and nine now, and we're gonna wait for that to capture quite a bit of data before we actually open it up in Wireshark. So let's wait for that, and we've got 54, 74, so let me close that now. So we use Ctrl+C on your keyboard to stop the capture, and it's going to tell you 92 packets captured, received by the filter, and zero packets were dropped by the kernel.

All right, so let me open that up with Wireshark, so it'll be on my desktop right over here, I'm gonna hit OK, and voila, we can see that it captured all TCP traffic on the network, sorry about that guys, and if we just look at all the data right over here, we can see that we have not specified anything special. So there you are, and now I can start analyzing the traffic that I want. So we have an ACK right over here, and again you can go ahead and say follow TCP stream, and you can see the data is extremely comprehensive, capturing all the data that you would with a tool like Wireshark, except now you can capture it and then transfer it onto your computer and analyze the traffic there. And we can run other capture filters here, so I can say, for example, I'm looking for a source port, sorry about that guys, so src port is 443 and the destination is 192.168.1.107, and we're just gonna hit enter and save it as traffic1.pcap, and I'm gonna hit enter, and we're just going to reload bbc.com, because this is on this computer right over here, and hopefully now this gives us... yeah, there we've got 23 packets, so I'm going to stop the capture, and we're going to open up traffic1.pcap here. So there we are, and it opened up; hopefully it doesn't open up two instances, because I think I clicked it four times, which is weird. Anyway, there you are, you have your SYNs right over here, and if we look at the TLS data you can go ahead and see you have your Server Hello, and let's see if we can see these... yeah, there we are, we have the certificate exchange, where it essentially exchanges the keys between the server and your browser. All right, so that's very good that it captured that. Let's look at some TCP data here, and we can, you know, again follow the TCP stream, and of course, there we are, we can essentially go through some of the data here that was captured. Let's see if we can get anything special... yeah, nothing much right over here, and we have the ACK, the final ACK; if we follow this TCP stream, let's see if we're able to get anything there... nothing much, but anyway, the purpose of this video was to show you how to capture data with tcpdump.

All right, so that's going to be it for this video, guys. Hopefully you found value in this video; if you did, please leave a like down below. If you have any questions or suggestions, let me know in the comment section, on my social networks or on my website, and I'll be seeing you guys in the next video.
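The host, src/dst, net, port and protocol filters walked through in the captions, re-applied offline to tcpdump's own one-line output so you can see which packet fields each expression tests. This is an added example, not code from the video: the parser, the filter helper names and the sample lines (constructed to resemble `tcpdump -i eth0 -n` output, with the Kali box at 192.168.1.107 and the gateway at 192.168.1.1 as in the video) are all assumptions of mine.

```python
# Added example: parse tcpdump's IPv4 line output and re-apply the video's capture filters offline.
import ipaddress
import re
from dataclasses import dataclass

# One-line IPv4 records (tcpdump -n) look like:
#   HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: Flags [S.], seq ..., length 0   (TCP)
#   HH:MM:SS.usec IP <src>.<sport> > <dst>.<dport>: UDP, length N                   (UDP)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp", inferred from the line body
    flags: str  # TCP flags as tcpdump prints them ("S", "S.", "."), "" for UDP

def parse_line(line):
    """Return a Packet for a TCP/UDP line, or None for ARP/ICMP/IPv6/continuation lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("Flags ["):
        proto, flags = "tcp", rest[len("Flags ["):rest.index("]")]
    elif rest.startswith("UDP"):
        proto, flags = "udp", ""
    else:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto, flags)

# Filter primitives named after the tcpdump expressions used in the video (hypothetical helpers).
def host(ip):      return lambda p: ip in (p.src, p.dst)
def src_host(ip):  return lambda p: p.src == ip
def dst_host(ip):  return lambda p: p.dst == ip
def port(n):       return lambda p: n in (p.sport, p.dport)
def src_port(n):   return lambda p: p.sport == n
def dst_port(n):   return lambda p: p.dport == n
def proto(name):   return lambda p: p.proto == name
def and_(*fs):     return lambda p: all(f(p) for f in fs)
def not_(f):       return lambda p: not f(p)
def net(cidr):
    n = ipaddress.ip_network(cidr)  # e.g. "192.168.1.0/24" as in the video
    return lambda p: ipaddress.ip_address(p.src) in n or ipaddress.ip_address(p.dst) in n

def apply_filter(lines, pred):
    """Parse raw tcpdump lines and keep only the packets matching the predicate."""
    return [p for p in map(parse_line, lines) if p is not None and pred(p)]

# Constructed sample capture: Kali box 192.168.1.107, gateway 192.168.1.1, a second LAN host,
# and two remote servers taken from the TEST-NET documentation ranges (not real hosts).
SAMPLE = """\
12:00:01.000123 IP 192.168.1.107.51234 > 203.0.113.10.443: Flags [S], seq 0, win 64240, length 0
12:00:01.010456 IP 203.0.113.10.443 > 192.168.1.107.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.010789 IP 192.168.1.107.51234 > 203.0.113.10.443: Flags [.], ack 1, win 502, length 0
12:00:01.020000 IP 192.168.1.107.40000 > 192.168.1.1.5000: UDP, length 33
12:00:01.025000 IP 192.168.1.1.5000 > 192.168.1.107.40000: UDP, length 97
12:00:01.030000 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 28
12:00:02.000000 IP 192.168.1.50.52000 > 198.51.100.7.80: Flags [S], seq 0, win 64240, length 0
""".splitlines()
```

`apply_filter(SAMPLE, and_(src_port(443), dst_host("192.168.1.107")))` is the offline equivalent of the video's `'src port 443 and dst 192.168.1.107'` capture filter and returns only the SYN-ACK from the remote server.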
Info
Channel: HackerSploit
Views: 117,715
Keywords: hackersploit, hacker exploit, kali linux, hacking, hacker, tcpdump linux, tcpdump on f5, tcpdump for windows, tcpdump kali linux, tcpdump output, tcpdump examples, tcpdump flags, tcpdump start samsung, tcpdump analysis using wireshark, tcpdump and wireshark, tcpdump, tcpdump tutorial for beginners, tcpdump tutorial youtube, tcpdump tutorial español, tcpdump linux tutorial, exploit tutorial, hacking tutorial, how to hack
Id: 1lDfCRM6dWk
Length: 23min 20sec (1400 seconds)
Published: Thu Nov 29 2018