Sunday, April 5, 2020

From my upcoming Book: Mastering TShark Network Forensics: Remote packet capturing with TShark

In the bonus section of my upcoming book, Mastering TShark Network Forensics, you learn how to perform remote packet capturing. That is, we have a remote computing device where TShark is installed, and we would like to perform a capture on the remote device but see and/or write the traffic on a local device. Throughout the book, you use “root” on the local machine to execute TShark. However, what happens when you have a remote device you would like to connect to, but you are unable to log in as “root” to perform your capturing activities?

Perform these actions below on the remote device.

First, on some versions of Linux and if you are using the latest version of Kali, execute the following to reconfigure TShark to allow non-superusers to capture packets.

kali@securitynik:~$ sudo dpkg-reconfigure wireshark-common

When asked “Should non-superusers be able to capture packets?” select “Yes”.
Add the “kali” user to the “wireshark” group by executing:

kali@securitynik:~$ sudo usermod --append --groups wireshark kali

Then start SSH Server on the remote device using “systemctl” as follows:

kali@securitynik:~$ sudo systemctl start ssh

Next, verify the SSH server is running by leveraging “systemctl status ssh”:

kali@securitynik:~$ sudo systemctl status ssh
 ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-04-03 22:23:03 EDT; 16min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 2011 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 2012 (sshd)
      Tasks: 1 (limit: 2338)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             └─2012 /usr/sbin/sshd D

Now that you know it is running use the “ss” command to verify the service is listening:

kali@securitynik:~$ ss --numeric --listen --tcp
State      Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    Process    
LISTEN     0          128               10.0.0.102:22                0.0.0.0:*     

On your local machine
Generate your RSA private and public keys also called your key pair. I will generate this without a passphrase as I’m trying to avoid more administrative overhead.



 
securitynik@SECURITYNIK-SYS:/tmp$ ssh-keygen -C "Created by securitynik@securitynik-sys - used for remote tshark execution" -E sha256 -t rsa -f ~/.ssh/id_tshark
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/securitynik/.ssh/id_tshark.
Your public key has been saved in /home/securitynik/.ssh/id_tshark.pub.
The key fingerprint is:
SHA256:ZnLnKvF4psGdL3dT06GE3X5BECdk7Fa0e0NfSZoOKZs Created by securitynik@securitynik-sys - used for remote tshark execution
The key's randomart image is:
+---[RSA 2048]----+
|            o*++ |
|            o.*oo|
|         . o+o++.|
|          +.o=.++|
|      . SE. o.o+=|
|     ..* +   .o.=|
|      o+o .  . ..|
|      o.=o. o    |
|      .=.o.. .   |
+----[SHA256]-----+


Verify that the key pair files have been successfully created:

securitynik@SECURITYNIK-SYS:/tmp$ ls ~/.ssh/id_tshark*
/home/securitynik/.ssh/id_tshark  /home/securitynik/.ssh/id_tshark.pub

Verify the contents of the public key file.

securitynik@SECURITYNIK-SYS:/tmp$ cat ~/.ssh/id_tshark.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI5wsGheY8+SIQWaFnUB5pNUBy1Z7E6bpY0RHBDw8/vQNzmmrxEj5ImeINBHhtpbClkdyBgzMCRVJbusU
vC+rHdB8BKPialpalERteJ4Ohpj1ChIWibvBac/GrXscUzSPkv42d7j5YISfH7kAHUSqi6uWVjx4Hy8fCrV3cI8QMg85LATVYu5fSsh52GnNLiAoKHp5fzQ
mKvVE56jqKtXHIYU6Q5r9ibpEhdkvgxHlP74DSWJocjoo7miDA6fU6/Q6yucAEt2tNsiZZ+gZhZjhteFTo1H4+SkuJL21wcn0CIE3QlstdIBYjtHU9wXhiH
xNbpKKGzSkTf01CvzRgx61Z Created by securitynik@securitynik-sys - used for remote tshark execution

As everything looks good with the public key, let’s transfer it to the remote machine using the “ssh-copy-id” command.


securitynik@SECURITYNIK-SYS:/tmp$ ssh-copy-id -i ~/.ssh/id_tshark.pub kali@securitynik
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/securitynik/.ssh/id_tshark.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kali@securitynik's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'kali@securitynik'"
and check to make sure that only the key(s) you wanted were added.

As we have been asked to attempt to authenticate with “kali@securitynik”, let’s first disable password-based authentication and enable “PubkeyAuthentication” in the “/etc/ssh/sshd_config” file. This is followed by restarting the SSH service. Once I edited my "/etc/ssh/sshd_config" on the remote device, here is what it looks like:

kali@securitynik:~$ cat /etc/ssh/sshd_config | grep --perl-regexp "^Pubkey|^PasswordA"
PubkeyAuthentication yes
PasswordAuthentication no

Time to restart the SSH service:

kali@securitynik:~$ sudo systemctl restart ssh
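
An added check, not part of the original post: the grep above reads only the main file, but sshd uses the first value it obtains for each keyword and may read other files through Include, so `sshd -T` (which prints the effective settings) is the safer thing to inspect. This example goes one step beyond the two keywords in the post by also checking keyboard-interactive authentication, which can still prompt for a password through PAM; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed.
# Real use on the remote device:  sudo sshd -T | audit_sshd_effective
audit_sshd_effective() {
    awk '
        { seen[$1] = $2 }   # sshd -T prints "keyword value", keyword in lower case
        function expect(key, want) {
            if (seen[key] != want) {
                print "FAIL " key "=" seen[key] " (want " want ")"
                return 1
            }
            print "ok   " key "=" seen[key]
            return 0
        }
        END {
            bad  = expect("pubkeyauthentication", "yes")
            bad += expect("passwordauthentication", "no")
            # Keyboard-interactive (PAM) can also prompt for a password. The
            # keyword has two spellings across releases; check whichever appear.
            n = split("kbdinteractiveauthentication challengeresponseauthentication", kbd, " ")
            found = 0
            for (i = 1; i <= n; i++)
                if (kbd[i] in seen) { found = 1; bad += expect(kbd[i], "no") }
            if (!found) { print "FAIL keyboard-interactive setting not reported"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: the main file says "PasswordAuthentication no", but a
# setting read earlier won, so the effective value is still "yes".
sample_effective() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
EOF
}

sample_effective | audit_sshd_effective || echo "effective config needs attention"
```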

Now that is all set, let’s test our authentication using the keys created previously.

securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark
Linux securitynik 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
kali@securitynik:~$

Looks good! You now know that you can authenticate against the remote machine using the key pair.

Exit that remote machine by typing “exit” to return to your local machine.
From the local machine now execute.


securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - ' | tshark --interface - --color

If everything went according to plan, you should now see packets scrolling on your screen.
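
With no capture filter, the remote tshark also captures the SSH packets that carry its own output, so every forwarded packet produces more packets to forward. The following added example (not from the original post) builds a capture filter that leaves out SSH traffic between the analyst's machine and the remote device; the function name and the 10.0.0.50 client address are assumptions for illustration.

```sh
#!/bin/sh
# Added example: build a capture filter that keeps the analyst's own SSH
# traffic out of a remote capture. Names and sample values are hypothetical.
#   $1  $SSH_CONNECTION as seen on the remote host:
#       "client_ip client_port server_ip server_port"
#   $2  optional extra capture filter, for example "icmp"
session_exclusion_filter() {
    conn=$1
    extra=${2:-}
    set -f                  # no globbing while the value is split into fields
    set -- $conn
    set +f
    if [ "$#" -ne 4 ]; then
        echo "SSH_CONNECTION must have 4 fields" >&2
        return 1
    fi
    # Addresses: hex digits, dots and colons only. Port: digits only.
    case "$1$3" in *[!0-9A-Fa-f.:]*) echo "bad address" >&2; return 1 ;; esac
    case "$4" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    # The filter is later wrapped in single quotes for the remote shell.
    case "$extra" in *"'"*) echo "extra filter must not contain '" >&2; return 1 ;; esac

    # The client port changes per connection, so match on both hosts and
    # the server port instead of the exact session.
    own="tcp and host $1 and host $3 and port $4"
    if [ -n "$extra" ]; then
        printf '(%s) and not (%s)\n' "$extra" "$own"
    else
        printf 'not (%s)\n' "$own"
    fi
}

# Usage against the remote device (needs the key set up earlier):
#   conn=$(ssh -i ~/.ssh/id_tshark kali@securitynik 'echo "$SSH_CONNECTION"')
#   filter=$(session_exclusion_filter "$conn")
#   ssh -i ~/.ssh/id_tshark kali@securitynik \
#       "tshark --interface eth0 -w - -f '$filter'" | tshark --interface - --color

# Constructed sample value, so the block runs offline:
session_exclusion_filter "10.0.0.50 51514 10.0.0.102 22"
```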

Here I am rewriting the filter to capture only ICMP packets on the remote host, writing the contents to a local file while also printing them to the local screen.


securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - -f "icmp"' | tshark --interface - --color --print -w /tmp/remote_tshark_icmp.pcapng
Capturing on 'Standard input'
Capturing on 'eth0'
    1 0.000000000   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    2 0.006688350   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    3 0.013294378   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    4 0.019760206   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    5 0.025964669   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    6 0.037445834   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    7 0.048449875   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    8 0.053346311   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    9 0.060709915   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
   10 0.066094294   10.0.0.100  10.0.0.1     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
^C10 packets captured

Now analyze the local file as you would any other PCAP. Here I’m analyzing the first record of the file "remote_tshark_icmp.pcapng"


securitynik@SECURITYNIK-SYS:/tmp$ tshark -r  remote_tshark_icmp.pcapng -c 1 -x
0000  0a 00 27 00 00 1e 08 00 27 1f 30 76 08 00 45 00   ..'.....'.0v..E.
0010  00 3e 00 01 00 00 40 01 66 5a 0a 00 00 64 0a 00   .>....@.fZ...d..
0020  00 01 08 00 96 67 00 00 00 00 4d 61 73 74 65 72   .....g....Master
0030  69 6e 67 20 54 53 68 61 72 6b 20 4e 65 74 77 6f   ing TShark Netwo
0040  72 6b 20 46 6f 72 65 6e 73 69 63 73               rk Forensics

Ok, that’s it for how to set up a remote capture. If you wish to learn more, ensure you grab a copy of my book upon its release.

