Time
28 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello. My name is Dustin, and welcome to Pentest Basics: Sniffing.
00:05
tcpdump is also a packet capture and analyzer tool, but it is a command-line packet capture tool, so it is very similar to Wireshark, but it just uses the command line versus a GUI.
00:20
It's typically used on Linux machines, but it does have a Windows version called WinDump as well.
00:28
tcpdump is very lightweight and easy to use for both capturing packets and reading previous packet captures.
00:39
In this demo, we're going to go over a few different things, starting with installing WinDump on our Windows machine,
00:46
and then we're actually gonna hop into our Kali Linux machine and get right into capturing live data. So we'll go over some pcaps and show you how to open up a pcap as well. So let's go ahead and pop into our Windows machine.
01:06
All right, so you can see we are in our Windows machine here. WinDump is really easy to install. All we'll need to do is grab the file, and you can get that from winpcap.org/windump
01:22
and we will go to Computer and our shared folder.
01:25
As you can see, I've got WinDump right here.
01:27
So I right click it and we're gonna copy it over
01:33
and let's go ahead and just double click it.
01:37
There we go. So it's already listening on this device,
01:45
and you can see it's just capturing data that's going on through this device, so it's really easy to use. There are different flags and different options you can use to actually run with it,
01:56
but we'll get into that on our Linux machine.
02:00
So let's
02:01
open that.
02:06
All right, so here is our Linux machine,
02:08
and we'll log in with the default root and toor,
02:20
and we will let that load. So tcpdump, like I mentioned, is a command-line interface tool. So it'll do pretty much everything that Wireshark does, just with the command line, which is kind of nice. If you need to script anything, it's a lot easier to do than trying to script things with a GUI. So if we open
02:38
our terminal,
02:45
let it come up here. Let me close out my other virtual machine,
02:50
give us a little more memory back, all right, So let's go ahead.
02:53
Open our terminal.
02:55
Okay, so we've got our terminal open, so tcpdump is as simple as typing tcpdump. So if we launch our help first,
03:07
you can see how to use it. It's pretty easy to use. You can basically sort by byte size, count, file size. Um, open up files or, I'm sorry, write files.
03:21
Everything right from the command line. It's really easy to use. So the first and probably most common thing you'll do with this is start dumping traffic from an interface. So if we run an ifconfig, we'll see what interfaces we've got available.
03:37
So we've got eth0 and wlan0. Let's try and dump traffic from our eth0.
03:45
We do tcpdump
03:47
-i for interface, and then we're gonna do eth0.
03:54
We will see it is listening on eth0, so it doesn't look like it's getting things. Let's kind of start generating some traffic. We'll open Firefox,
04:10
and we will go to
04:12
Well,
04:16
let's look up Cybrary.
04:21
Check out that site,
04:24
heard it's pretty cool.
04:28
Looks pretty cool. So let's go ahead and cancel that out.
04:32
Go back to our terminal. And as you can see, you hit Control-C to stop.
04:38
We've
04:39
got quite a bit of traffic here.
04:42
Scroll back up to the top.
04:45
And so it is all in command line interface. So typically, what you would do is you would write this to a file to further analyze or use scripts to kind of go through it and find exactly what you're looking for.
05:00
Yeah, lots and lots of traffic went through there in just that quick amount of time.
05:08
So as we mentioned, using tcpdump -i, and then whatever interface you'd like to dump traffic on, is probably your most common use. You can also dump traffic on all interfaces, and that's another one that you may need to do. And that's just tcpdump -i for interface
05:27
and any.
05:30
As you can see, it is listening on all ports,
05:39
it generates more traffic.
05:49
And again, you saw how much traffic that generated just by
05:53
doing the quick ones. We'll exit out of there,
05:57
terminal. So we've got a ton of traffic again.
06:00
So if we'd like to see traffic that's going to or from a host, you can use the tcpdump host command. So let's see what our,
06:14
uh, 10.0.2.15. So we do tcpdump
06:19
Can I do
06:23
15?
06:27
I want to make sure we do host.
06:31
It is now listening on eth0 for any traffic going to or from this host.
06:39
So if we open another terminal here
06:46
Waas,
06:50
you can see
06:51
the traffic's coming right through already, because we're filtering for this host.
06:58
You see,
07:01
for
07:05
destination, then type dst. And we'll just do any traffic. They do
07:16
Google. So it is listening for any traffic destined to 8.8.8.8. So we ping
07:26
poured up or not for four.
07:30
See? Nothing's going through.
07:33
What if we kill that?
07:41
All right,
07:43
What if we
07:46
Cybrary?
07:50
So it did resolve it.
07:53
No.
07:55
It doesn't look like things are going through. That's okay though. But as you see on the right, where we're listening, we're not seeing any traffic.
08:01
So let's go ahead and ping.
08:07
And now we're seeing traffic. If you were just looking for a specific, um, destination IP, you can filter by that as well.
08:18
Another way to filter is with the network command, tcpdump net. And with that, you can actually type in the particular net address or, ah, subnet as well. So we do tcpdump
08:33
net, and then you input your network, 192.168.
08:37
We'll use 1.1 network, or the 0 network,
08:41
slash 24,
08:45
and so that would filter traffic just on that network.
08:50
You can also filter by specific ports or protocols.
08:56
So if we only wanted to see, um,
08:58
let's see, remote desktop traffic.
09:03
You'd do tcpdump
09:05
port
09:07
3389.
09:09
And that would only look for traffic on that port. And you can also do, um,
09:18
the actual
09:20
protocol name. Like ICMP. You could just dump ICMP traffic,
09:26
and that's just tcpdump, then the protocol name.
09:31
Another one that may be useful is a specific port range. If you're only looking for certain ports, you do tcpdump
09:39
portrange
09:43
and then you can type in the port range. And that's the range of traffic ports that it would be looking for.
09:50
There's a lot of different ways to filter traffic, depending on what you're looking for, and if you ever need help, you just do that tcpdump help command or man tcpdump to see it.
10:03
Another thing that's really useful, if you don't like just reading over the stuff or you're not gonna script anything, is writing it to a file, which you can then open up, like with the Wireshark GUI. So if we wanted to dump all traffic, um, say,
10:20
we will do.
10:22
And actually, no. We'll do
10:26
destination,
10:28
all of our Google traffic, or anything going to 8.8.8.8,
10:33
and we want to write it to
10:37
google_dns
10:39
.pcap.
10:43
And so it's gonna do that. It's listening.
10:46
We ping.
10:50
You can see
10:54
you don't see anything happening over here. But let's take a look here. We're gonna open up.
11:01
So if we
11:03
do tcpdump and we want to read a file, it's just -r for read. And we named it google_dns.pcap,
11:13
and you can see that we actually opened up that file. So it's not actively outputting it to the screen; it's writing it to a file,
11:22
so that's useful for a lot of different reasons, if you just didn't want to fill up everything or you wanted to save that to analyze it at a later time.
11:31
You can do that by writing it to a file.

Up Next

Pentest Fundamentals: Sniffing

In Pentest Fundamentals: Sniffing, Dustin Parry explains what sniffing is, the different types of sniffing tools, and the reason why attackers perform packet sniffing. Some of the sniffing tools that the instructor concentrates on are Wireshark and TCPdump, and he uses these tools to capture data and analyze it.

Instructed By

Dustin Parry
Network Security Engineer
Instructor