Showing posts with label networking. Show all posts

2016-05-17

tcpdump - standard Unix tool for analyzing network packets


  • despite its name it can do much more than capturing TCP headers
  • can sniff traffic on many network types (including 802.1Q VLAN)
  • de facto standard for command line packet analysis in Unix environment

Useful options:

-D -- list available interfaces

-i INTERFACE -- listen on INTERFACE (default: lowest numbered interface)

-w FILE -- write raw packets to FILE

-r FILE -- read packets from FILE

-nn -- turn off host and protocol name resolution (to avoid generating DNS packets)

-s0 -- set the snap length to 0, i.e. capture whole packets rather than only the first 68 bytes (the default since version 4.0)

-t -- turn off timestamp entries

-c COUNT -- capture COUNT packets and stop

Examples:

tcpdump -nni eth1 -w packets.pcap
tcpdump -nnr packets.pcap

Output format will vary based upon what protocols are in use:

  • TCP

    timestamp L3_protocol sIP.sPort > dIP.dPort: TCP_flags,
    TCP_sequence_number, TCP_acknowledgement_number, TCP_windows_size,
    data_length
    
  • UDP

    timestamp L3_protocol sIP.sPort > dIP.dPort: L4_protocol, data_length
    
  • use up to -vvv to provide more information on headers

  • use -x to get entire packets (including data, not just headers) in hex format
  • use -A to get entire packets in ASCII format
  • use -X to get entire packets in hex and ASCII format
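To make the TCP and UDP output formats above concrete, here is an added Python parser (not from the post) that turns `tcpdump -nn` lines into fields and totals payload bytes per flow. The sample lines are constructed, and the parser also accepts IP6 lines, which the format list above does not cover.

```python
import re
from collections import Counter

# Constructed sample lines in "tcpdump -nn" style (not taken from a real capture).
SAMPLE_LINES = [
    "12:00:00.000001 IP 192.0.2.10.40000 > 203.0.113.5.80: Flags [S], seq 1000, win 65535, length 0",
    "12:00:00.000300 IP 203.0.113.5.80 > 192.0.2.10.40000: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "12:00:00.000400 IP 192.0.2.10.40000 > 203.0.113.5.80: Flags [P.], seq 1001:1081, ack 2001, win 65535, length 80",
    "12:00:01.000000 IP 192.0.2.10.53000 > 192.0.2.2.53: UDP, length 40",
    "12:00:02.000000 IP6 2001:db8::10.5000 > 2001:db8::2.53: UDP, length 40",
]

# Header shared by TCP and UDP lines: timestamp, L3 protocol, "sIP.sPort > dIP.dPort:", rest.
LINE_RE = re.compile(r"^(\S+) (IP6?) (\S+) > (\S+): (.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")     # only present on TCP lines
LENGTH_RE = re.compile(r"length (\d+)")          # payload length on both TCP and UDP lines

def split_addr(addr):
    """'192.0.2.10.40000' -> ('192.0.2.10', 40000). The last dot separates the port, so IPv6 works too."""
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)

def parse_line(line):
    """Return a dict of the header fields, or None if the line is not a TCP/UDP summary line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, l3, src, dst, rest = m.groups()
    sip, sport = split_addr(src)
    dip, dport = split_addr(dst)
    flags = FLAGS_RE.search(rest)
    length = LENGTH_RE.search(rest)
    return {
        "ts": ts, "l3": l3,
        "l4": "TCP" if flags else rest.split(",")[0],   # UDP lines name the L4 protocol first
        "sip": sip, "sport": sport, "dip": dip, "dport": dport,
        "flags": flags.group(1) if flags else "",
        "length": int(length.group(1)) if length else 0,
    }

def flow_bytes(lines):
    """Sum payload bytes per (L4, 'sIP.sPort', 'dIP.dPort') flow; handshake packets add 0 bytes."""
    totals = Counter()
    for line in lines:
        p = parse_line(line)
        if p:
            totals[(p["l4"], f'{p["sip"]}.{p["sport"]}', f'{p["dip"]}.{p["dport"]}')] += p["length"]
    return totals
```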

Packet Filtering

  • utilizes the Berkeley Packet Filter (BPF) format
  • added to the end of the command (recommended to use single quotes)

    tcpdump -nnr packets.pcap -w packets_tcp8080.pcap 'tcp dst port 8080'
    tcpdump -nnr packets.pcap -F known_good_hosts.bpf
    

BPF

           operator
 primitive   |      primitive
     |       |         |
+---------+  | +----------------+
|         |  | |                |
udp port 53 && dst host 192.0.2.2
 |        |
 |        value
qualifier

Qualifiers

  • host
  • net - network in CIDR notation
  • port
  • src - communication source
  • dst - communication destination
  • ip - IP protocol
  • tcp - TCP protocol
  • udp - UDP protocol

Logical operators

  • && - true when both conditions are true
  • || - true when either condition is true
  • ! - true when a condition is NOT met

Examples

  • host 192.0.2.100 - match traffic to/from 192.0.2.100
  • dst host 2001:db8:85a3::8a2e:370:7334 - match traffic to the IPv6 address
  • ether host 00:50:56:98:60:92 - match traffic to the specified MAC address
  • !port 22 - match any traffic not to/from port 22
  • icmp - match all ICMP traffic
  • !ip6 - match everything that is not IPv6

Resources

  • Applied Network Security Monitoring

2015-05-20

GSM


Cellular network

  • a radio network distributed over land areas called cells
  • each cell is served by at least one transceiver - BTS (Base Transceiver Station) = cell site
  • this enables a large number of portable transceivers (e.g. mobile phones) to communicate with each other
  • example of a cellular network: the mobile phone network or PLMN

GSM

  • world's most popular standard for mobile telephony systems (80% of the mobile market uses the standard)
  • both signaling and speech channels are digital (1G was analog, ex. NMT)
  • second generation (2G) of mobile phone system
  • GSM release '97 - added packet data capabilities via GPRS
  • GSM release '99 - higher data transmission via EDGE
  • UMTS (Universal Mobile Telecommunications System) - 3G mobile cellular technology for networks based on GSM standards
  • LTE - 4G, standard for wireless communication of high-speed data for mobile phones and data terminals, based on the GSM/EDGE and UMTS/HSPA

Mobile Technology Roadmap

Network Structure

GSM PLMN has two main logical domains:

  1. access network - most used access networks in western Europe as of 2009 (can be deployed in parallel):
    • GERAN (GSM EDGE radio access network)
    • UTRAN (UMTS terrestrial radio access network) - HSPA can be implemented into UMTS to increase data transfer speed
  2. core network
    • circuit switched domain
    • packet switched domain
    • IP multimedia subsystem (IMS)

GPRS/UMTS architecture with the main interfaces:

PLMN

The network is structured into a number of discrete sections:

  • the base station subsystem (BSS) - handles traffic and signaling between a mobile phone and the NSS (access network)
  • the network and switching subsystem (NSS) - part of the network most similar to a fixed network (VOICE, circuit switched)
  • the GPRS core network - optional part for packet based Internet connections (NON-VOICE, packet switched)
  • operations support system (OSS) for maintenance

See this picture for GSM communication.

BSC = Base Station Controller

  • intelligence behind the BTSs (allocation of radio channels, measurements from the mobile phones, handover control from BTS to BTS)
  • concentrator towards the mobile switching center (MSC)
  • the most robust element in the BSS
  • often based on a distributed computer architecture

PCU = Packet Control Unit

  • late addition to the GSM standard
  • processing tasks for packet data

MSC = Mobile Switching Centre

HLR = Home Location Register

  • database of subscribers
  • a central database that contains details of each mobile phone subscriber that is authorized to use the GSM and/or WCDMA core network of this PLMN

VLR = Visitor Location Register

  • register of roaming subscribers

AUC

  • database of authentication keys

EIR

  • stolen devices (phones) register

SS7 = Signaling System #7

  • a set of telephone signaling protocols
  • main purpose: setup/tear down telephone calls
  • other uses: number portability, SMS, etc.

SGSN = Serving GPRS Support Node

  • delivery of data packets from and to mobile stations within its geographical service area
  • packet routing and transfer, mobility management, logical link management, authentication and charging functions

GGSN = Gateway GPRS Support Node

  • main component of the GPRS network
  • inter-networking between the GPRS network and external packet switched networks
  • router to a sub-network

AT commands

Huawei, Android

  • at+cgmi - manufacturer
  • at+cgmm - model
  • at+cimi - IMSI
  • at+cmgw="0914123456",145,"STO UNSENT" - store message to memory
  • at+cmgl="all" - show stored messages
  • at+cmss=3 - send message n. 3 from memory
  • at+cmgd=2 - delete message n. 2 from memory

Links

General

AT commands

Hacking

PDUSpy

Books

  • M. Grayson et al.: IP Design for Mobile Networks (Cisco Press, 2009)
  • A. Henry-Labordere, V. Jonack: SMS and MMS Interworking in Mobile Networks (Artech House, 2004)

2014-11-24

Netcat


TCP/IP swiss army knife. Simple (yet powerful!) Unix utility that reads and writes data across network connections, using TCP or UDP.

Netcat as a Client

Connect to some port of some host:

nc <host> <port>

  • your STDIN is sent to the host
  • anything that comes back across the network is sent to your STDOUT
  • this continues indefinitely, until the network side closes (not until EOF on STDIN like many other apps)

Test remote HTTP server:

nc google.com 80
GET / HTTP/1.0

(press Enter two times after the GET line)

Check whether a UDP port is open:

nc -vu ns.nameserver.tld 53

Scan a port range without sending any data to the ports you connect to (zero-I/O mode):

nc -v -z host.tld 21-25

Change source port / address (ex. to evade a FW):

nc -p 16000 host.tld 22
nc -s 1.2.3.4 host.tld 8181

Netcat as a Server

Listen for an incoming connection on some port:

nc -l <port>

Send a directory over the network:

.. host A (receiving data)

nc -l 1234 | tar xvf -

.. host B (sending data)

tar cf - </some/dir> | nc -w 3 <hostA> 1234

Send a whole partition over the network:

.. host A (receiving data)

nc -l 1234 | dd of=backup_sda1

.. host B (sending data)

dd if=/dev/sda1 | nc -w 3 <hostA> 1234

Run a command (potentially dangerous!); ex. open a shell access:

.. host A (server)

nc -l 9999 -e /bin/bash

.. host B (client)

nc hostA 9999


2014-07-03

SSH Tunnel


Forwarding remote port (firewall tunneling via SSH)

We want to let the tech access the incomp (intranet) host from the outcomp.sk (Internet) host:

1) Redirect the port 2222 on outcomp.sk to port 22 on incomp:

incomp:~$ ssh -R 2222:localhost:22 user@outcomp.sk
outcomp.sk:~$ while [ 1 ]; do date; sleep 300; done  # to keep the connection open

2) Connect to intranet host:

outcomp.sk:~$ ssh -p 2222 root@localhost

We want to connect to the router's web interface (to make some configuration changes), which is not accessible from the Internet. However, we can connect to a Linux server behind the router.

1) /etc/ssh/sshd_config of host.in.internet.com has to contain:

GatewayPorts yes

2) LAN (intranet) host:

ssh -R "*:3333:192.168.1.1:443" host.in.internet.com

3) Web browser somewhere in Internet:

https://host.in.internet.com:3333

Forwarding local port

We want to connect to a remote database running on dbserver but it is configured to allow connections only from localhost (127.0.0.1). We use port 3307 on the client because the default 3306 port is already being used (e.g. you are running MySQL server on the client).

client:~$ ssh -L 3307:localhost:3306 root@dbserver
client:~$ mysql -h 127.0.0.1 -P 3307 -u root -p dbname   # -h 127.0.0.1 forces TCP; plain "localhost" would use the Unix socket and bypass the tunnel


2014-05-25

traceroute Explained


traceroute shows the route the packets have to take to get to a destination host. For example:

$ traceroute sdf.lonestar.org
traceroute to sdf.lonestar.org (192.94.73.15), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  5.475 ms  6.020 ms  6.647 ms
 2  st-static-srk231.87-197-192.telecom.sk (87.197.192.231)  8.832 ms  15.973 ms  15.933 ms
< ... >
20  ge8-7.distb1.sea2.hopone.net (209.160.60.194)  186.286 ms  186.246 ms  175.897 ms
21  SDF.ORG (192.94.73.15)  174.879 ms  174.283 ms  174.816 ms

But what does the output mean exactly and how does traceroute work?

It displays the sequence of gateways (showing the name and the IP address) through which an IP packet travels to reach its destination. The three numbers are the round trip times of the three probes sent to each gateway. You can sometimes see the following instead of the number of milliseconds:

  • * -- no response (error packet) received [congestion or ICMP packet was dropped because it has a low priority]
  • * * * -- no "time exceed" messages received at all [gateway is down, firewall discards the packets or packets are slow to return]
  • !N, !H, !P -- "network unreachable", "host unreachable", "protocol unreachable" - in any of these cases usually this is the last gateway you can get to [routing problem or a broken network link]

traceroute works by sending three packets to each gateway on its route. These packets have an artificially low TTL field (actually a "hop count to live") set. The first three packets have a TTL of 1. When they reach a gateway their TTL is decreased, and when it reaches 0 the gateway discards the packet and sends back an ICMP "time exceeded" message. The originating host extracts the gateway's IP address from the header of the error packet and resolves it to a name using DNS. This process repeats with a TTL one higher each round until the destination is reached or the gateway number limit (30) is exceeded.
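To show how the cases listed above look in practice, here is an added Python parser (not from the post) that reads traceroute output into per-hop records and gives a verdict per hop. The first two hop lines are the ones from the post; the `*`, `* * *` and `!H` lines are constructed to exercise the lost-probe and unreachable cases.

```python
import re

# Sample output: the header and first two hops from the post, plus constructed lines for
# one dropped probe (*), a silent gateway (* * *) and "host unreachable" annotations (!H).
SAMPLE_OUTPUT = """\
traceroute to sdf.lonestar.org (192.94.73.15), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  5.475 ms  6.020 ms  6.647 ms
 2  st-static-srk231.87-197-192.telecom.sk (87.197.192.231)  8.832 ms  *  15.933 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  20.102 ms !H  20.404 ms !H  20.911 ms !H
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<ttl>  <rest>"; header line does not match
GW_RE = re.compile(r"^(\S+) \(([^)]+)\)")           # "name (ip)" when a gateway answered
PROBE_RE = re.compile(r"([\d.]+) ms(?: (!\w))?|(\*)")  # "5.475 ms", "20.1 ms !H" or "*"

def parse_traceroute(text):
    """Return one dict per hop: ttl, name, ip, rtts (ms), lost probe count, ICMP error codes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        hop = {"ttl": int(m.group(1)), "name": None, "ip": None, "rtts": [], "lost": 0, "errors": set()}
        gw = GW_RE.match(rest)
        if gw:
            hop["name"], hop["ip"] = gw.group(1), gw.group(2)
            rest = rest[gw.end():]                  # strip the address so its digits are not read as RTTs
        for rtt, err, star in PROBE_RE.findall(rest):
            if star:
                hop["lost"] += 1                    # "*": no "time exceeded" reply for this probe
            else:
                hop["rtts"].append(float(rtt))
                if err:
                    hop["errors"].add(err)          # !N / !H / !P: ICMP unreachable came back instead
        hops.append(hop)
    return hops

def diagnose(hops):
    """(ttl, verdict) per hop, mirroring the cases described in the post."""
    out = []
    for h in hops:
        if h["lost"] == 3:
            out.append((h["ttl"], "silent: gateway down, filtered, or slow to reply"))
        elif h["errors"]:
            out.append((h["ttl"], "unreachable " + ",".join(sorted(h["errors"])) + ": likely last reachable hop"))
        elif h["lost"]:
            out.append((h["ttl"], "%d/3 probes lost: congestion or deprioritised ICMP" % h["lost"]))
        else:
            out.append((h["ttl"], "ok, avg %.1f ms" % (sum(h["rtts"]) / len(h["rtts"]))))
    return out
```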