Busy This Week, Here’s A tcpdump example

I have been behind in my posts, and I have quite a few items to get posted. Today I wanted to walk through an example of how tcpdump can be useful when tracking down malicious traffic on your network. I am going to use IrnBot to demonstrate a handy technique. IrnBot (named after the Scottish drink Irn-Bru), also popularly known as Rinbot, produces a lot of traffic on ports 1433 (MS SQL Server), 2967 (Symantec AntiVirus) and 139 (NetBIOS session service). It also opens connections to IRC servers on the outside over port 8080.

If you have a hub, or a monitor (SPAN) port on a switch, set up so that you can see the traffic flowing across your network, you can use tcpdump to capture the relevant packets and identify infected hosts. The first thing I would recommend is to write the capture to a file. tcpdump captures faster when it is not decoding and printing every packet, and if you need to go back and reference something you saw earlier, the data is in a file rather than in your scrollback buffer.

To set up the initial dump, you can use the following. Set the value after -i to the interface you are monitoring (eth0, en1, etc.); in this case I am using eth1. The -s0 raises the snap length so whole packets are captured rather than just the first few dozen bytes of each. Also remember that a trailing "\" means the command continues on the next line; I had to wrap it here due to fit issues.

    tcpdump -i eth1 -s0 -v -w irnbot-070420-0600.dmp \
    port 1433 or port 2967 or port 139 or port 8080

This writes every packet whose source or destination port is 1433, 2967, 139 or 8080 to the file. If you know that certain devices should be generating this traffic (your SQL servers, your antivirus management server), you can exclude them from the capture with not host xxx.xxx.xxx.xxx, replacing the x's with the IP address of the host. Keep the port list in parentheses when you do, as in not host xxx.xxx.xxx.xxx and (port 1433 or port 2967 or port 139 or port 8080), because "and" binds tighter than "or" in tcpdump filter expressions. I like to add -v to the capture because, together with -w, it prints a running count of captured packets. This comes in very handy if you make a mistake in your filter expression. If you find that the counter isn't incrementing (or is incrementing far too fast), you can fix the problem before you spend time capturing and come up with an empty file.

To read this file back you can use the following…

    tcpdump -s0 -A -n -v -r irnbot-070420-0600.dmp

This will give you the raw decode of what you captured (-n keeps tcpdump from resolving addresses to names, -A prints each payload as ASCII). This can be hard to pick through, so I add some awk to get better information out of it.

    tcpdump -s0 -n -v -r 8080-4-18.dmp | \
    awk '{ sub(/\.[0-9]+$/,"",$18)} {print $18}' \
    | sort | uniq -c | sort -b -n -r

This reads the file back and strips the source port from the source address (field 18 of the -v output, where the address and port are joined by a dot). The addresses are then sorted, uniq -c collapses the duplicates and counts them, and the final sort lists the most active addresses at the top. Leave -A out of these pipelines: it prints each packet's payload as extra lines of ASCII, awk would run over those lines too, and the junk they produce would pollute the counts. The field numbers also depend on the -v layout of your tcpdump version, so look at a few lines of the plain -r output first and adjust $18 and $20 if your version prints the address line differently.

You can do the same thing with the destination addresses by switching to field 20, which carries a trailing colon:

    tcpdump -s0 -n -v -r 8080-4-18.dmp | \
    awk '{ sub(/\.[0-9]+:/,"",$20)} {print $20}' \
    | sort | uniq -c | sort -b -n -r

Another thing you might want to try is to pull out only the hosts that are actually completing connections, rather than every host that is being scanned. You can do this by looking for packets that have both the SYN and ACK bits set. A SYN-ACK is a listener's reply accepting a connection, so its source address ($18) is the host that accepted the connection and its destination address ($20) is the host that initiated it; count $20 instead if you want to see which infected hosts are getting through. The following filter gets you that information.

    tcpdump -s0 -n -v -r 8080-4-18.dmp \
    'tcp[tcpflags] & tcp-syn != 0 and \
    tcp[tcpflags] & tcp-ack != 0' \
    | awk '{ sub(/\.[0-9]+$/,"",$18)} {print $18}' \
    | sort | uniq -c | sort -b -n -r
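The pipelines above hard-code field numbers ($18 and $20), which match the single-line -v layout of the tcpdump 3.x releases this post was written against; current tcpdump prints the IP header on one line and the "src > dst:" part on an indented second line, so the field numbers shift. The script below is an added example, not code from the original post. It does the same three jobs (top source addresses, top destination addresses, and the SYN-ACK view) but finds the address fields by locating the ">" token, so it works on either layout. The function names are my own, and the sample tcpdump output is constructed, with addresses from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises tcpdump text output
# the same way as the awk pipelines in the post, but locates the address
# fields by the ">" token instead of a fixed field number, so the current
# two-line "-v" layout and the older single-line layout both work.

# Constructed sample of `tcpdump -n -v -r file.dmp` output. The first six
# packets are in the current two-line layout; the last is written in the
# older single-line style. Addresses are RFC 5737 documentation ranges.
SAMPLE='10:00:01.000001 IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.10.1034 > 198.51.100.5.1433: Flags [S], seq 1, win 65535, length 0
10:00:01.000400 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 48)
    198.51.100.5.1433 > 192.0.2.10.1034: Flags [S.], seq 1, ack 2, win 64240, length 0
10:00:01.100000 IP (tos 0x0, ttl 128, id 3, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.10.1035 > 198.51.100.6.1433: Flags [S], seq 1, win 65535, length 0
10:00:01.200000 IP (tos 0x0, ttl 128, id 4, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.10.1036 > 198.51.100.7.2967: Flags [S], seq 1, win 65535, length 0
10:00:02.000000 IP (tos 0x0, ttl 128, id 5, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.20.1100 > 198.51.100.5.8080: Flags [S], seq 1, win 65535, length 0
10:00:02.500000 IP (tos 0x0, ttl 128, id 6, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.20.1101 > 198.51.100.8.139: Flags [S], seq 1, win 65535, length 0
10:00:03.000000 IP (tos 0x0, ttl 128, id 7, offset 0, flags [DF], proto: TCP (6), length: 48) 192.0.2.10.1037 > 198.51.100.5.139: S, cksum 0x0000 (correct), 1:1(0) win 65535'

# top_talkers src|dst   (reads tcpdump text on stdin)
# Prints "count address", busiest first, for the chosen side of each packet.
# Only lines containing " > " are address lines; IP header lines and any
# payload lines from -A are skipped rather than miscounted.
top_talkers() {
    awk -v side="$1" '
        / > / {
            for (i = 2; i < NF; i++) {
                if ($i != ">") continue
                addr = (side == "src") ? $(i - 1) : $(i + 1)
                sub(/:$/, "", addr)          # destination carries a trailing colon
                sub(/\.[0-9]+$/, "", addr)   # drop the port (IPv4 dotted form only)
                print addr
                break
            }
        }' | sort | uniq -c | sort -b -n -r | awk '{ print $1, $2 }'
}

# synack_only   (reads tcpdump text on stdin)
# Text-side equivalent of the "SYN and ACK both set" capture filter in the
# post: keeps only packets whose flags are SYN+ACK, i.e. a listener accepting
# a connection. Their source is the host that accepted, their destination
# the host that initiated.
synack_only() {
    grep -E 'Flags \[S\.\]|: S\.,'
}

# Usage on a real capture:
#   tcpdump -n -v -r irnbot-070420-0600.dmp | top_talkers src
# On the sample: busiest sources, then who actually got a SYN-ACK back.
printf '%s\n' "$SAMPLE" | top_talkers src
printf '%s\n' "$SAMPLE" | synack_only | top_talkers dst
```

On the sample, top_talkers src puts 192.0.2.10 first with four packets, top_talkers dst puts 198.51.100.5 first with three, and the SYN-ACK view shows that only 192.0.2.10 got an accepted connection (from 198.51.100.5 on port 1433). Feeding the second command the real capture instead of the sample answers the question the post's last filter asks: which scanning hosts are actually reaching a listener.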

So you can see how you can quickly slice and dice your packet capture output to gather very relevant information quickly.
