Friday, November 2, 2018

Spoofing/Replaying IBM QRadar packets/flows - tcpreplay (the more interesting way)


This post is a continuation of this previous post. In the previous post, we looked at obtaining packet/flow data without the need for additional tools. In this post, we have to do a bit more, but we will also be able to achieve a lot more. Let's now focus on method 2.

Method 2:
This second method, as you may recognize, is a bit more convoluted but still gets the job done. I also believe it puts you in a much better position to do more than method 1.

To get started, we need some sample packets. Feel free to download these from any website you wish; I have put some in the references. However, here I will focus on packets which I have online and which have been used in my upcoming book.

Let's use "git" to "clone" this package. First I will make a directory to store the download. This directory is named "downloadedPackets". Once created, I then "cd" into that directory.

[securitynik@qradarCE ~]# mkdir downloadedPackets
[securitynik@qradarCE ~]# cd downloadedPackets/

Do note, once this directory is cloned, there will be more in there than just packets. If you plan to get a copy of my book, this may be a great opportunity to get insights into what the packets are doing :-). You can grab the sample chapters here.

[securitynik@qradarCE downloadedPackets]# git clone https://github.com/SecurityNik/SUWtHEh-.git
Cloning into 'SUWtHEh-'...
remote: Enumerating objects: 90, done.
remote: Total 90 (delta 0), reused 0 (delta 0), pack-reused 90
Unpacking objects: 100% (90/90), done.

Now that the repository has been cloned, I "cd" into this directory. I then perform an "ls" and "wc" to learn how many .pcap files are in this folder.

[securitynik@qradarCE SUWtHEh-]# cd SUWtHEh-/
[securitynik@qradarCE SUWtHEh-]# ls --all -l *.pcap | wc --lines
21

Above we see 21 pcap files.

Since "tcpreplay" is not installed on QRadar Community Edition, let's add it.

First let's install "libpcap-devel" via "yum"

[securitynik@qradarCE ~]# yum install libpcap-devel
....
--> Running transaction check
---> Package libpcap-devel.x86_64 14:1.5.3-11.el7 will be installed
--> Finished Dependency Resolution
....
Install  1 Package

Total download size: 118 k
Installed size: 163 k
Is this ok [y/d/N]: y
....
Installed:
  libpcap-devel.x86_64 14:1.5.3-11.el7

Complete!

Now that we have "libpcap-devel", let's next get "tcpreplay" from this link.

[securitynik@qradarCE ~]# wget https://github.com/appneta/tcpreplay/releases/download/v4.2.6/tcpreplay-4.2.6.tar.gz
--2018-11-02 20:11:32--  https://github.com/appneta/tcpreplay/releases/download/v4.2.6/tcpreplay-4.2.6.tar.gz
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: 
.......
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.100.43
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.100.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3494827 (3.3M) [application/octet-stream]
Saving to: ‘tcpreplay-4.2.6.tar.gz’

100%[===========================================================================================================>] 3,494,827   3.01MB/s   in 1.1s

2018-11-02 20:11:34 (3.01 MB/s) - ‘tcpreplay-4.2.6.tar.gz’ saved [3494827/3494827]

Once we have "tcpreplay-4.2.6.tar.gz", let's go ahead and untar, "configure", "make" and "make install", so that we can use "tcpreplay".

[securitynik@qradarCE ~]# tar -zxvf tcpreplay-4.2.6.tar.gz
tcpreplay-4.2.6/
tcpreplay-4.2.6/Makefile.am
tcpreplay-4.2.6/docs/
tcpreplay-4.2.6/docs/Makefile.am
tcpreplay-4.2.6/docs/Win32Readme.txt
tcpreplay-4.2.6/docs/HACKING
tcpreplay-4.2.6/docs/Makefile.in
..............

Let's now switch to the "tcpreplay-4.2.6" directory.

[securitynik@qradarCE ~]# cd tcpreplay-4.2.6
[securitynik@qradarCE tcpreplay-4.2.6]# ./configure
checking whether to enable maintainer-
.............
##########################################################################
             TCPREPLAY Suite Configuration Results (4.2.6)
##########################################################################
libpcap:                    /usr (>= 0.9.6)
PF_RING libpcap             no
libdnet:                    no
autogen:                     (unknown - man pages will not be built)
Use libopts tearoff:        yes
64bit counter support:      yes
tcpdump binary path:        /usr/sbin/tcpdump
fragroute support:          no
tcpbridge support:          yes
tcpliveplay support:        yes

Supported Packet Injection Methods (*):
Linux TX_RING:              no
Linux PF_PACKET:            yes
BSD BPF:                    no
libdnet:                    no
pcap_inject:                yes
pcap_sendpacket:            yes **
pcap_netmap                 no
Linux/BSD netmap:           no
Tuntap device support:      yes

* In order of preference; see configure --help to override
** Required for tcpbridge

************************************************************

Next up, time to execute "make" then "make install". Let's run both together: only if "make" runs successfully will "make install" run.

[securitynik@qradarCE tcpreplay-4.2.6]# make && make install
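Here is the install sequence above gathered into one script, as an added example (not from the original post or the tcpreplay project). It assumes the same release URL layout as the wget above, a C toolchain already on the host (as on the QRadar CE box used here), and tcpreplay's "--version" flag; the "install" argument is a hypothetical guard so the file can be sourced without building anything.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the yum / wget / tar / configure /
# make / make install steps as one script that stops at the first failure.
# Assumptions: release tarball URL layout as in the post, gcc/make already
# present on the host, and the "install" argument as a hypothetical guard.
set -eu

TCPREPLAY_VERSION="${TCPREPLAY_VERSION:-4.2.6}"   # release used in the post

# Release tarball URL for a version, same layout as the post's wget URL.
tcpreplay_tarball_url() {
    printf 'https://github.com/appneta/tcpreplay/releases/download/v%s/tcpreplay-%s.tar.gz\n' "$1" "$1"
}

# 0 when the tcpreplay on PATH reports the wanted version, 1 otherwise
# (including when tcpreplay is not installed at all).
tcpreplay_version_matches() {
    local want=$1 have
    have=$(tcpreplay --version 2>&1 | head -n 1) || return 1
    case "$have" in
        *"$want"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Build and install tcpreplay from the release tarball unless the wanted
# version is already present. Each step must succeed before the next runs.
install_tcpreplay() {
    local version=$1 tarball dir
    if tcpreplay_version_matches "$version"; then
        echo "tcpreplay $version already installed, nothing to do"
        return 0
    fi
    tarball="tcpreplay-$version.tar.gz"
    dir="tcpreplay-$version"

    yum install -y libpcap-devel                       # headers that configure looks for
    wget -O "$tarball" "$(tcpreplay_tarball_url "$version")"
    tar -zxf "$tarball"
    # Subshell so a failing configure/make leaves us in the original directory
    # and, because every step is chained with &&, never reaches "make install".
    (cd "$dir" && ./configure && make && make install)

    # Confirm the binary now on PATH is the version we just built.
    tcpreplay_version_matches "$version"
}

# Hypothetical guard: only build when called as "./install-tcpreplay.sh install".
if [ "${1:-}" = "install" ]; then
    install_tcpreplay "$TCPREPLAY_VERSION"
fi
```

Running it a second time is harmless: the version check at the top of install_tcpreplay skips the download and build when the wanted release is already on the PATH.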


Now that "tcpreplay" is installed, let's go ahead and replay some of our packet captures.
Let's go back into our folder where our packets are.


[securitynik@qradarCE ~]# cd downloadedPackets/SUWtHEh-/

As always, before running any of these commands, you should look at the help or man pages. Here is a snapshot of the help.

[securitynik@qradarCE SUWtHEh-]# tcpreplay --help
tcpreplay (tcpreplay) - Replay network traffic stored in pcap files
Usage:  tcpreplay [ -<flag> [<val>] | --<name>[{=| }<val>] ]... <pcap_file(s)>

   -q, --quiet                Quiet mode
   -T, --timer=str            Select packet timing mode: select, ioport, gtod, nano
       --maxsleep=num         Sleep for no more then X milliseconds between packets
   -v, --verbose              Print decoded packets via tcpdump to STDOUT
   -A, --decode=str           Arguments passed to tcpdump decoder
                                - requires the option 'verbose'
   -K, --preload-pcap         Preloads packets into RAM before sending
   -c, --cachefile=str        Split traffic via a tcpprep cache file
                                - requires the option 'intf2'
                                -- and prohibits the option 'dualfile'
   -2, --dualfile             Replay two files at a time from a network tap
                                - requires the option 'intf2'
                                -- and prohibits the option 'cachefile'
   -i, --intf1=str            Client to server/RX/primary traffic output interface
   -I, --intf2=str            Server to client/TX/secondary traffic output interface
       --listnics             List available network interfaces and exit
   -l, --loop=num             Loop through the capture file X times
                                - it must be in the range:
....

Let's use the "listnics" argument of "tcpreplay" to see which interfaces it has identified.

[securitynik@qradarCE SUWtHEh-]# tcpreplay --listnics
Available network interfaces:
docker0
appProxy
dockerInfra
dockerApps
vethbe3a5ae
veth679a5ac
veth17c3fda
ens33
veth39ffa79
vetha7d6436
veth0d9817d
any
nflog
nfqueue
usbmon1
usbmon2

As we can see above, the "ens33" interface is available. Let's replay on this interface since it was already configured in method 1 (see previous post) for receiving flows.

Let's look at the pcaps which are available.


[securitynik@qradarCE SUWtHEh-]# ls --all -l *.pcap
-rw-r--r-- 1 securitynik securitynik  1018617 Nov  2 20:05 enum4linux_v.pcap
-rw-r--r-- 1 securitynik securitynik     1771 Nov  2 20:05 hydra_port_21.pcap
-rw-r--r-- 1 securitynik securitynik     9928 Nov  2 20:05 hydra_port_22.pcap
-rw-r--r-- 1 securitynik securitynik     7004 Nov  2 20:05 hydra_port_23.pcap
-rw-r--r-- 1 securitynik securitynik  1471289 Nov  2 20:05 hydra_port_445.pcap
-rw-r--r-- 1 securitynik securitynik   280812 Nov  2 20:05 metasploitable_9999_SUWtHEh.pcap
-rw-r--r-- 1 securitynik securitynik    62192 Nov  2 20:05 metasploitable_Telnet_SUWTHEh.pcap
-rw-r--r-- 1 securitynik securitynik   987362 Nov  2 20:05 MS17_010 - exploit.pcap
-rw-r--r-- 1 securitynik securitynik    57005 Nov  2 20:05 nbtscan.pcap
-rw-r--r-- 1 securitynik securitynik    13708 Nov  2 20:05 nbtscan-v.pcap
-rw-r--r-- 1 securitynik securitynik  4466911 Nov  2 20:05 nmap_host_scan_tcp.pcap
-rw-r--r-- 1 securitynik securitynik   106552 Nov  2 20:05 nmap_ping_scan.pcap
-rw-r--r-- 1 securitynik securitynik     8852 Nov  2 20:05 nmap_script_smb_ms17-010.pcap
-rw-r--r-- 1 securitynik securitynik   862576 Nov  2 20:05 nmap_script_vuln_ms17-010.pcap
-rw-r--r-- 1 securitynik securitynik   192987 Nov  2 20:05 nmap_sn.pcap
-rw-r--r-- 1 securitynik securitynik   462865 Nov  2 20:05 wget_index.pcap
-rw-r--r-- 1 securitynik securitynik      116 Nov  2 20:05 Win10_1-2.pcap
-rw-r--r-- 1 securitynik securitynik 24950772 Nov  2 20:05 WinXP-172.pcap
-rw-r--r-- 1 securitynik securitynik   540552 Nov  2 20:05 WinXP-4444-1820.pcap
-rw-r--r-- 1 securitynik securitynik   119400 Nov  2 20:05 WinXP-445.pcap
-rw-r--r-- 1 securitynik securitynik 25049045 Nov  2 20:05 WinXP.pcap

Let's try the file "enum4linux_v.pcap".

[securitynik@qradarCE SUWtHEh-]# tcpreplay --intf1=ens33 enum4linux_v.pcap
.... [I had some errors here]
Actual: 5348 packets (933025 bytes) sent in 10.39 seconds
Rated: 89735.3 Bps, 0.717 Mbps, 514.35 pps
Statistics for network device: ens33
        Successful packets:        5341
        Failed packets:            7
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0
************************************************************


Above we see there were 5341 packets successfully replayed.

Let's try another file. This time the large WinXP.pcap shown above, with 25049045 bytes.


[securitynik@qradarCE SUWtHEh-]# tcpreplay --intf1=ens33 --mbps=10 WinXP.pcap
Actual: 24957 packets (24649709 bytes) sent in 19.72 seconds
Rated: 1249660.7 Bps, 9.99 Mbps, 1265.23 pps
Flows: 159 flows, 8.06 fps, 22135 flow packets, 2822 non-flow
Statistics for network device: ens33
        Successful packets:        24957
        Failed packets:            0
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


We can also put multiple files if we wish. Let's do that with this last set of replaying.


[securitynik@qradarCE SUWtHEh-]# tcpreplay --intf1=ens33 --mbps=10 --loop=10 WinXP-172.pcap nmap_host_scan_tcp.pcap metasploitable_Telnet_SUWTHEh.pcap hydra_port_445.pcap  MS17_010\ -\ exploit.pcap 2>/dev/null

Actual: 557910 packets (306752990 bytes) sent in 245.40 seconds
Rated: 1249999.8 Bps, 9.99 Mbps, 2273.44 pps
Flows: 197 flows, 0.80 fps, 10833000 flow packets, 17062500 non-flow
Statistics for network device: ens33
        Successful packets:        552980
        Failed packets:            4930
        Truncated packets:         0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0


From above, we see we have 552980 packets which were successfully replayed. Unfortunately, 4930 failed.

By looking at the help ("tcpreplay --help") or the man page ("man tcpreplay") you should be able to understand what all of the arguments to tcpreplay do. As for "2>/dev/null", all I'm doing here is sending any error messages generated during the execution of this command to a black hole: basically, don't print error messages on the screen, just discard them.
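Rather than throwing the error messages away with "2>/dev/null", a wrapper can keep them in a log and parse the statistics block tcpreplay prints, so a run like the last one (4930 failed packets) is flagged instead of quietly passing. The following is an added example, not code from the original post or from tcpreplay; it assumes the 4.x summary format shown above, that interfaces are listed under /sys/class/net, and the hypothetical function and log file names used here.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: run tcpreplay with input checks,
# keep stderr in a log instead of /dev/null, and turn the printed statistics
# block into a pass/fail result. Assumes the tcpreplay 4.x summary format shown
# in the post and Linux interface names under /sys/class/net.
set -u

# Read a tcpreplay summary on stdin and print "<sent> <successful> <failed>".
# Returns 1 when no "Successful packets" line was found (e.g. tcpreplay aborted).
parse_replay_stats() {
    awk '
        /^Actual:/            { sent = $2 }
        /Successful packets:/ { ok = $NF; seen = 1 }
        /Failed packets:/     { failed = $NF }
        END {
            if (!seen) exit 1
            printf "%d %d %d\n", sent, ok, failed
        }'
}

# Interface must exist and every pcap must be readable; say which one is wrong.
check_replay_inputs() {
    local intf=$1 f; shift
    if [ ! -e "/sys/class/net/$intf" ]; then
        echo "no such interface: $intf" >&2
        return 1
    fi
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read pcap: $f" >&2
            return 1
        fi
    done
    return 0
}

# Print a one-line verdict from a captured summary.
# Returns 0 when no packets failed, 2 when some did, 1 when the summary is unusable.
report_replay() {
    local parsed
    parsed=$(printf '%s\n' "$1" | parse_replay_stats) || {
        echo "no statistics block in tcpreplay output" >&2
        return 1
    }
    set -- $parsed          # sent successful failed
    echo "sent=$1 successful=$2 failed=$3"
    [ "$3" -eq 0 ] || return 2
}

# replay_pcaps IFACE MBPS LOOPS LOGFILE PCAP...
# stderr (the messages the post discarded) is appended to LOGFILE; the summary
# is parsed from stdout. Exit status follows report_replay.
replay_pcaps() {
    local intf=$1 mbps=$2 loops=$3 log=$4 summary; shift 4
    check_replay_inputs "$intf" "$@" || return 1
    summary=$(tcpreplay --intf1="$intf" --mbps="$mbps" --loop="$loops" "$@" 2>>"$log") || {
        echo "tcpreplay exited non-zero, see $log" >&2
        return 1
    }
    report_replay "$summary"
}

# Usage (needs root and a real interface), e.g. the post's last run:
# replay_pcaps ens33 10 10 /var/log/tcpreplay-errors.log WinXP-172.pcap nmap_host_scan_tcp.pcap "MS17_010 - exploit.pcap"
```

Passing file names as separate arguments (rather than a single string) is what keeps names with spaces such as "MS17_010 - exploit.pcap" intact, which is the same problem the backslash escaping in the command above solves. An exit status of 2 makes a replay with failed packets easy to catch from cron or a CI job, and the log keeps the per-packet errors for later inspection.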

As we now look into QRadar "Network Activity" tab, we can see some of the packets coming in.

Well, I hope you enjoyed these two sessions. Remember, if you would really like to understand the packets and logs we downloaded, feel free to download the sample chapters of the book here. Alternatively, I hope you grab a copy when it becomes available. :-)

Sample packets:
SecurityNik - Hack & Detect book sample packets and logs
Wireshark Sample Packets
NetResec
BE CAREFUL - Malware Sample from Malware-Traffic-Analysis.net

tcpreplay:
https://tcpreplay.appneta.com/wiki/installation.html
http://tcpreplay.synfin.net/wiki/tcpreplay
