This post is a continuation of this
previous post. In the previous post, we looked at obtaining packet/flow data without the need for additional tools. In this post we have to do a bit more work, but we will also be able to achieve a lot more. Let's now focus on method 2.
Method 2:
This second method, as you may recognize, is a bit more convoluted but still gets the job done. I also believe it puts you in a much better position to do more than
method 1 allows.
To get this started, we need some sample packets. Feel free to download these from any website you wish; I have put some in the references. However, for this post I will focus on packets which I have online and which have been used in my upcoming book.
Let's use "git" to "clone" this repository. First I will make a directory to store the download, named "downloadedPackets". Once it is created, I "cd" into that directory.
[securitynik@qradarCE ~]# mkdir downloadedPackets
[securitynik@qradarCE ~]# cd downloadedPackets/
Do note, once this repository is cloned, there will be more in there than just packets. If you plan to get a copy of my book, this may be a great opportunity to get insights into what the packets are doing :-). You can grab the
sample chapters here.
[securitynik@qradarCE downloadedPackets]# git clone https://github.com/SecurityNik/SUWtHEh-.git
Cloning into 'SUWtHEh-'...
remote: Enumerating objects: 90, done.
remote: Total 90 (delta 0), reused 0 (delta 0), pack-reused 90
Unpacking objects: 100% (90/90), done.
Now that the repository has been cloned, I "cd" into its directory. I then perform an "ls" and "wc" to learn how many .pcap files are in this folder.
[securitynik@qradarCE SUWtHEh-]#cd SUWtHEh-/
[securitynik@qradarCE SUWtHEh-]# ls --all -l *.pcap | wc --lines
21
Above we see 21 pcap files.
Since "tcpreplay" is not installed on QRadar Community Edition, let's add it.
First, let's install "libpcap-devel" via "yum", since building tcpreplay needs the libpcap headers.
[securitynik@qradarCE ~]# yum install libpcap-devel
....
--> Running transaction check
---> Package libpcap-devel.x86_64 14:1.5.3-11.el7 will be installed
--> Finished Dependency Resolution
....
Install 1 Package
Total download size: 118 k
Installed size: 163 k
Is this ok [y/d/N]: y
....
Installed:
libpcap-devel.x86_64 14:1.5.3-11.el7
Complete!
Now that we have "libpcap-devel", let's next get "tcpreplay" from
this link.
[securitynik@qradarCE ~]# wget https://github.com/appneta/tcpreplay/releases/download/v4.2.6/tcpreplay-4.2.6.tar.gz
--2018-11-02 20:11:32-- https://github.com/appneta/tcpreplay/releases/download/v4.2.6/tcpreplay-4.2.6.tar.gz
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location:
.......
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.100.43
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.100.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3494827 (3.3M) [application/octet-stream]
Saving to: ‘tcpreplay-4.2.6.tar.gz’
100%[===========================================================================================================>] 3,494,827 3.01MB/s in 1.1s
2018-11-02 20:11:34 (3.01 MB/s) - ‘tcpreplay-4.2.6.tar.gz’ saved [3494827/3494827]
Once we have "tcpreplay-4.2.6.tar.gz", let's go ahead and untar, "configure", "make" and "make install", so that we can use "tcpreplay".
[securitynik@qradarCE ~]# tar -zxvf tcpreplay-4.2.6.tar.gz
tcpreplay-4.2.6/
tcpreplay-4.2.6/Makefile.am
tcpreplay-4.2.6/docs/
tcpreplay-4.2.6/docs/Makefile.am
tcpreplay-4.2.6/docs/Win32Readme.txt
tcpreplay-4.2.6/docs/HACKING
tcpreplay-4.2.6/docs/Makefile.in
..............
Let's now switch to the "tcpreplay-4.2.6" directory.
[securitynik@qradarCE ~]# cd tcpreplay-4.2.6
[securitynik@qradarCE tcpreplay-4.2.6]# ./configure
checking whether to enable maintainer-
.............
##########################################################################
TCPREPLAY Suite Configuration Results (4.2.6)
##########################################################################
libpcap: /usr (>= 0.9.6)
PF_RING libpcap no
libdnet: no
autogen: (unknown - man pages will not be built)
Use libopts tearoff: yes
64bit counter support: yes
tcpdump binary path: /usr/sbin/tcpdump
fragroute support: no
tcpbridge support: yes
tcpliveplay support: yes
Supported Packet Injection Methods (*):
Linux TX_RING: no
Linux PF_PACKET: yes
BSD BPF: no
libdnet: no
pcap_inject: yes
pcap_sendpacket: yes **
pcap_netmap no
Linux/BSD netmap: no
Tuntap device support: yes
* In order of preference; see configure --help to override
** Required for tcpbridge
************************************************************
Next up, time to execute "make" and then "make install". Let's run both together with "&&": only if "make" runs successfully will "make install" run.
[securitynik@qradarCE tcpreplay-4.2.6]# make && make install
Now that "tcpreplay" is installed, let's go ahead and replay some of our packet captures.
Let's go back into our folder where our packets are.
[securitynik@qradarCE ~]# cd downloadedPackets/SUWtHEh-/
As always, before running any of these commands, you should look at the help or man pages. Here is a snapshot of the help output.
[securitynik@qradarCE SUWtHEh-]# tcpreplay --help
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
Usage: tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... <pcap_file(s)>
-q, --quiet Quiet mode
-T, --timer=str Select packet timing mode: select, ioport, gtod, nano
--maxsleep=num Sleep for no more then X milliseconds between packets
-v, --verbose Print decoded packets via tcpdump to STDOUT
-A, --decode=str Arguments passed to tcpdump decoder
- requires the option 'verbose'
-K, --preload-pcap Preloads packets into RAM before sending
-c, --cachefile=str Split traffic via a tcpprep cache file
- requires the option 'intf2'
-- and prohibits the option 'dualfile'
-2, --dualfile Replay two files at a time from a network tap
- requires the option 'intf2'
-- and prohibits the option 'cachefile'
-i, --intf1=str Client to server/RX/primary traffic output interface
-I, --intf2=str Server to client/TX/secondary traffic output interface
--listnics List available network interfaces and exit
-l, --loop=num Loop through the capture file X times
- it must be in the range:
....
Let's use the "--listnics" argument of "tcpreplay" to see which interfaces it has identified.
[securitynik@qradarCE SUWtHEh-]# tcpreplay --listnics
Available network interfaces:
docker0
appProxy
dockerInfra
dockerApps
vethbe3a5ae
veth679a5ac
veth17c3fda
ens33
veth39ffa79
vetha7d6436
veth0d9817d
any
nflog
nfqueue
usbmon1
usbmon2
As we can see above, the "ens33" interface is available. Let's replay on this interface, since it was already configured in method 1 (see previous post) for receiving flows.
Let's look at the pcaps which are available.
[securitynik@qradarCE SUWtHEh-]# ls --all -l *.pcap
-rw-r--r-- 1 securitynik securitynik 1018617 Nov 2 20:05 enum4linux_v.pcap
-rw-r--r-- 1 securitynik securitynik 1771 Nov 2 20:05 hydra_port_21.pcap
-rw-r--r-- 1 securitynik securitynik 9928 Nov 2 20:05 hydra_port_22.pcap
-rw-r--r-- 1 securitynik securitynik 7004 Nov 2 20:05 hydra_port_23.pcap
-rw-r--r-- 1 securitynik securitynik 1471289 Nov 2 20:05 hydra_port_445.pcap
-rw-r--r-- 1 securitynik securitynik 280812 Nov 2 20:05 metasploitable_9999_SUWtHEh.pcap
-rw-r--r-- 1 securitynik securitynik 62192 Nov 2 20:05 metasploitable_Telnet_SUWTHEh.pcap
-rw-r--r-- 1 securitynik securitynik 987362 Nov 2 20:05 MS17_010 - exploit.pcap
-rw-r--r-- 1 securitynik securitynik 57005 Nov 2 20:05 nbtscan.pcap
-rw-r--r-- 1 securitynik securitynik 13708 Nov 2 20:05 nbtscan-v.pcap
-rw-r--r-- 1 securitynik securitynik 4466911 Nov 2 20:05 nmap_host_scan_tcp.pcap
-rw-r--r-- 1 securitynik securitynik 106552 Nov 2 20:05 nmap_ping_scan.pcap
-rw-r--r-- 1 securitynik securitynik 8852 Nov 2 20:05 nmap_script_smb_ms17-010.pcap
-rw-r--r-- 1 securitynik securitynik 862576 Nov 2 20:05 nmap_script_vuln_ms17-010.pcap
-rw-r--r-- 1 securitynik securitynik 192987 Nov 2 20:05 nmap_sn.pcap
-rw-r--r-- 1 securitynik securitynik 462865 Nov 2 20:05 wget_index.pcap
-rw-r--r-- 1 securitynik securitynik 116 Nov 2 20:05 Win10_1-2.pcap
-rw-r--r-- 1 securitynik securitynik 24950772 Nov 2 20:05 WinXP-172.pcap
-rw-r--r-- 1 securitynik securitynik 540552 Nov 2 20:05 WinXP-4444-1820.pcap
-rw-r--r-- 1 securitynik securitynik 119400 Nov 2 20:05 WinXP-445.pcap
-rw-r--r-- 1 securitynik securitynik 25049045 Nov 2 20:05 WinXP.pcap
Let's try the file "enum4linux_v.pcap".
[securitynik@qradarCE SUWtHEh-]# tcpreplay --intf1=ens33 enum4linux_v.pcap
.... [I had some errors here]
Actual: 5348 packets (933025 bytes) sent in 10.39 seconds
Rated: 89735.3 Bps, 0.717 Mbps, 514.35 pps
Statistics for network device: ens33
Successful packets: 5341
Failed packets: 7
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
************************************************************
Above we see there were 5341 packets successfully replayed and 7 which failed.
Let's try another file. This time the large "WinXP.pcap" from the listing above, at 25049045 bytes. Here the replay is also rate-limited to 10 Mbps with "--mbps=10".
[securitynik@qradarCE SUWtHEh-]#tcpreplay --intf1=ens33 --mbps=10 WinXP.pcap
Actual: 24957 packets (24649709 bytes) sent in 19.72 seconds
Rated: 1249660.7 Bps, 9.99 Mbps, 1265.23 pps
Flows: 159 flows, 8.06 fps, 22135 flow packets, 2822 non-flow
Statistics for network device: ens33
Successful packets: 24957
Failed packets: 0
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
We can also pass multiple files if we wish. Let's do that for this last replay, looping through the whole set 10 times with "--loop=10".
[securitynik@qradarCE SUWtHEh-]#tcpreplay --intf1=ens33 --mbps=10 --loop=10 WinXP-172.pcap nmap_host_scan_tcp.pcap metasploitable_Telnet_SUWTHEh.pcap hydra_port_445.pcap MS17_010\ -\ exploit.pcap 2>/dev/null
Actual: 557910 packets (306752990 bytes) sent in 245.40 seconds
Rated: 1249999.8 Bps, 9.99 Mbps, 2273.44 pps
Flows: 197 flows, 0.80 fps, 10833000 flow packets, 17062500 non-flow
Statistics for network device: ens33
Successful packets: 552980
Failed packets: 4930
Truncated packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
From above, we see 552980 packets were successfully replayed. Unfortunately, 4930 failed.
By looking at the help ("tcpreplay --help") or the man pages ("man tcpreplay"), you should be able to understand what all of the arguments to tcpreplay do. As for "2>/dev/null", all I'm doing here is sending any error messages generated during the execution of this command to a black hole: basically, don't print error messages on the screen, just discard them.
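The "Failed packets" counters above raise an obvious question: did everything in the pcap actually reach the wire? The following is an added example (not code from the original post or from the tcpreplay project) that reads a classic libpcap file, counts its packets and captured bytes, and compares them with the counters tcpreplay prints at the end of a run. It assumes classic pcap files (not pcapng) and summary lines in the format shown above; the three-packet pcap and the two summary blocks are constructed inline so the script runs offline.

```python
"""Cross-check tcpreplay's end-of-run counters against the pcap's contents.

Added example, not from the original post or tcpreplay. Assumes classic
libpcap files and tcpreplay summary lines shaped like those in the post.
"""
import re
import struct
from typing import Dict, Tuple

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic values as seen when the first four bytes are read little-endian.
_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}


def count_pcap(data: bytes) -> Tuple[int, int]:
    """Return (packets, captured_bytes); captured_bytes is the sum of incl_len,
    which is what tcpreplay reports in its "Actual: N packets (B bytes)" line."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = _MAGICS[magic]
    packets = captured = 0
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _sec, _frac, incl_len, _orig = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        packets += 1
        captured += incl_len
        off += incl_len
    return packets, captured


_ACTUAL_RE = re.compile(r"^Actual:\s+(\d+) packets \((\d+) bytes\)", re.M)
_COUNTER_RE = re.compile(r"^\s*(Successful|Failed|Truncated) packets:\s+(\d+)", re.M)


def parse_tcpreplay_stats(text: str) -> Dict[str, int]:
    """Pull the packet counters out of tcpreplay's end-of-run summary."""
    stats: Dict[str, int] = {}
    m = _ACTUAL_RE.search(text)
    if m:
        stats["sent_packets"], stats["sent_bytes"] = int(m.group(1)), int(m.group(2))
    for name, value in _COUNTER_RE.findall(text):
        stats[name.lower()] = int(value)
    return stats


def replay_check(pcap_data: bytes, stats_text: str, loops: int = 1) -> Dict[str, object]:
    """Compare the pcap with what tcpreplay says it sent; loops mirrors --loop."""
    packets, captured = count_pcap(pcap_data)
    stats = parse_tcpreplay_stats(stats_text)
    expected = packets * loops
    successful, failed = stats.get("successful", 0), stats.get("failed", 0)
    return {
        "expected_packets": expected,
        "expected_bytes": captured * loops,
        "successful": successful,
        "failed": failed,
        "missing": expected - successful,
        "complete": successful == expected and failed == 0,
    }


def build_sample_pcap() -> bytes:
    """Constructed three-packet little-endian pcap; payloads are filler, not real traffic."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, size in enumerate((42, 60, 98)):
        body += struct.pack("<IIII", 1541195492 + i, 0, size, size) + bytes([i]) * size
    return header + body


# Constructed summaries, modelled on the output format shown in the post.
SAMPLE_STATS_OK = """Actual: 3 packets (200 bytes) sent in 0.01 seconds
Statistics for network device: ens33
        Successful packets:        3
        Failed packets:            0
        Truncated packets:         0
"""
SAMPLE_STATS_PARTIAL = """Actual: 30 packets (2000 bytes) sent in 0.10 seconds
Statistics for network device: ens33
        Successful packets:        27
        Failed packets:            3
        Truncated packets:         0
"""

if __name__ == "__main__":
    sample = build_sample_pcap()
    print(count_pcap(sample))                                   # (3, 200)
    print(replay_check(sample, SAMPLE_STATS_OK))                # complete: True
    print(replay_check(sample, SAMPLE_STATS_PARTIAL, loops=10)) # complete: False
```

A quick sanity check against the post's own numbers: a classic pcap's size is 24 + 16 × packets + captured bytes, and 24 + 16 × 24957 + 24649709 = 25049045, exactly the size of WinXP.pcap in the listing, so the "Actual" line really is the sum of the captured lengths. When the check reports missing packets, redirecting tcpreplay's stderr to a log file instead of /dev/null keeps the reason (for example, frames larger than the interface MTU) available for diagnosis.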
As we now look at the QRadar "Network Activity" tab, we can see some of the packets coming in.
Well, I hope you enjoyed these two sessions. Remember, if you would really like to understand the packets and logs we downloaded, feel free to download the sample chapters of the book here. Alternatively, I hope you grab a copy when it becomes available. :-)
Sample packets:
SecurityNik - Hack & Detect book sample packets and logs
Wireshark Sample Packets
NetResec
BE CAREFUL - Malware Sample from Malware-Traffic-Analysis.net
tcpreplay:
https://tcpreplay.appneta.com/wiki/installation.html
http://tcpreplay.synfin.net/wiki/tcpreplay