Perform these actions below on the remote device.
First, on some versions of Linux, including the latest version of Kali, execute the following to reconfigure Wireshark/TShark so that non-superusers are allowed to capture packets:
kali@securitynik:~$ sudo dpkg-reconfigure wireshark-common
When asked “Should non-superusers be able to capture packets?” select “Yes”.
Add the “kali” user to the “wireshark” group by executing:
kali@securitynik:~$ sudo usermod --append --groups wireshark kali
Then start the SSH server on the remote device using “systemctl” as follows:
kali@securitynik:~$ sudo systemctl start ssh
Next, verify the SSH server is running with “systemctl status ssh”:
kali@securitynik:~$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-04-03 22:23:03 EDT; 16min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 2011 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 2012 (sshd)
    Tasks: 1 (limit: 2338)
   Memory: 2.6M
   CGroup: /system.slice/ssh.service
           └─2012 /usr/sbin/sshd -D
Now that you know it is running, use the “ss” command to verify the service is listening:
kali@securitynik:~$ ss --numeric --listen --tcp
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     10.0.0.102:22        0.0.0.0:*
On your local machine
Generate your RSA private and public keys also called your key pair. I will generate this without a passphrase as I’m trying to avoid more administrative overhead.
securitynik@SECURITYNIK-SYS:/tmp$ ssh-keygen -C "Created by securitynik@securitynik-sys - used for remote tshark execution" -E sha256 -t rsa -f ~/.ssh/id_tshark
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/securitynik/.ssh/id_tshark.
Your public key has been saved in /home/securitynik/.ssh/id_tshark.pub.
The key fingerprint is:
SHA256:ZnLnKvF4psGdL3dT06GE3X5BECdk7Fa0e0NfSZoOKZs Created by securitynik@securitynik-sys - used for remote tshark execution
The key's randomart image is:
+---[RSA 2048]----+
| o*++ |
| o.*oo|
| . o+o++.|
| +.o=.++|
| . SE. o.o+=|
| ..* + .o.=|
| o+o . . ..|
| o.=o. o |
| .=.o.. . |
+----[SHA256]-----+
Verify the key pair has been successfully created:
securitynik@SECURITYNIK-SYS:/tmp$ ls ~/.ssh/id_tshark*
/home/securitynik/.ssh/id_tshark  /home/securitynik/.ssh/id_tshark.pub
Verify the contents of the public key file:
securitynik@SECURITYNIK-SYS:/tmp$ cat ~/.ssh/id_tshark.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI5wsGheY8+SIQWaFnUB5pNUBy1Z7E6bpY0RHBDw8/vQNzmmrxEj5ImeINBHhtpbClkdyBgzMCRVJbusUvC+rHdB8BKPialpalERteJ4Ohpj1ChIWibvBac/GrXscUzSPkv42d7j5YISfH7kAHUSqi6uWVjx4Hy8fCrV3cI8QMg85LATVYu5fSsh52GnNLiAoKHp5fzQmKvVE56jqKtXHIYU6Q5r9ibpEhdkvgxHlP74DSWJocjoo7miDA6fU6/Q6yucAEt2tNsiZZ+gZhZjhteFTo1H4+SkuJL21wcn0CIE3QlstdIBYjtHU9wXhiHxNbpKKGzSkTf01CvzRgx61Z Created by securitynik@securitynik-sys - used for remote tshark execution
As everything looks good with the public key, let’s transfer it to the remote machine using the “ssh-copy-id” command.
securitynik@SECURITYNIK-SYS:/tmp$ ssh-copy-id -i ~/.ssh/id_tshark.pub kali@securitynik
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/securitynik/.ssh/id_tshark.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kali@securitynik's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'kali@securitynik'"
and check to make sure that only the key(s) you wanted were added.
As we have been asked to attempt to authenticate with “kali@securitynik”, let’s first disable password-based authentication and enable “PubkeyAuthentication” in the “/etc/ssh/sshd_config” file, then restart the SSH service. Once I edited my "/etc/ssh/sshd_config" on the remote device, here is what it looks like:
kali@securitynik:~$ cat /etc/ssh/sshd_config | grep --perl-regexp "^Pubkey|^PasswordA"
PubkeyAuthentication yes
PasswordAuthentication no
Time to restart the SSH service:
kali@securitynik:~$ sudo systemctl restart ssh
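A small checker for the two directives grep'd for above, written as an added example (not code from this post): unlike the grep, it applies the first-value-wins rule from sshd_config(5), skips commented-out defaults such as the shipped "#PasswordAuthentication yes", and stops at any Match block, whose directives are conditional. The sample config it reads is constructed.

```python
import re

# Constructed sample config: the shipped default is commented out, the
# hardened value is active, and a Match block carries a conditional override.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
# Keyword -> value the hardening step expects (keywords lower-cased).
WANTED = {"pubkeyauthentication": "yes", "passwordauthentication": "no"}

def effective_global_values(config_text):
    """Return (values, saw_match): the global value sshd will use per keyword.
    Per sshd_config(5) the first value read for a keyword wins, keywords are
    case-insensitive, and keyword and argument may be separated by whitespace
    or a single '='. Anything after a Match line is conditional, so parsing
    stops there and saw_match tells the caller to review that block by hand."""
    found, saw_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: sshd ignores it
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().lower()
        if keyword == "match":
            saw_match = True
            break
        if keyword in WANTED and keyword not in found:
            found[keyword] = value  # first occurrence wins, later ones are ignored
    return found, saw_match

def is_key_only_auth(config_text):
    """True only when both directives are explicitly set to the hardened value."""
    found, _ = effective_global_values(config_text)
    return all(found.get(k) == v for k, v in WANTED.items())

if __name__ == "__main__":
    values, has_match = effective_global_values(SAMPLE_SSHD_CONFIG)
    print(values, "| Match block present:", has_match)
    print("key-only authentication:", is_key_only_auth(SAMPLE_SSHD_CONFIG))
```

Run it against a copy of the remote host's /etc/ssh/sshd_config before restarting sshd; a stray earlier "PasswordAuthentication yes" would silently override the hardened line below it.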
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark
Linux securitynik 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
kali@securitynik:~$
Looks good! You now know that you can authenticate against the remote machine using the key pair.
Exit that remote machine by typing “exit” to return to your local machine.
From the local machine now execute:
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - ' | tshark --interface - --color
If everything went according to plan, you should now see packets scrolling on your screen.
Here I am rewriting the filter to capture only ICMP packets on the remote host, writing the contents to a local file while also printing them to the local screen.
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - -f "icmp"' | tshark --interface - --color --print -w /tmp/remote_tshark_icmp.pcapng
Capturing on 'Standard input'
Capturing on 'eth0'
1 0.000000000 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
2 0.006688350 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
3 0.013294378 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
4 0.019760206 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
5 0.025964669 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
6 0.037445834 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
7 0.048449875 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
8 0.053346311 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
9 0.060709915 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
10 0.066094294 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64
^C10 packets captured
Now analyze the local file as you would any other PCAP. Here I’m analyzing the first record of the file "remote_tshark_icmp.pcapng"
securitynik@SECURITYNIK-SYS:/tmp$ tshark -r remote_tshark_icmp.pcapng -c 1 -x
0000 0a 00 27 00 00 1e 08 00 27 1f 30 76 08 00 45 00 ..'.....'.0v..E.
0010 00 3e 00 01 00 00 40 01 66 5a 0a 00 00 64 0a 00 .>....@.fZ...d..
0020 00 01 08 00 96 67 00 00 00 00 4d 61 73 74 65 72 .....g....Master
0030 69 6e 67 20 54 53 68 61 72 6b 20 4e 65 74 77 6f ing TShark Netwo
0040 72 6b 20 46 6f 72 65 6e 73 69 63 73 rk Forensics
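The dump above walked through programmatically, as an added example that is not code from this post: it rebuilds the 76 bytes from the tshark -x hex columns, decodes the Ethernet, IPv4 and ICMP headers, recomputes the IPv4 header checksum (stored as 66 5a) and the ICMP checksum (stored as 96 67), and pulls out the echo payload. The dump is embedded inline so it runs offline with only the standard library.

```python
import struct
# First record of remote_tshark_icmp.pcapng, exactly as tshark -x printed it above.
TSHARK_HEXDUMP = """\
0000 0a 00 27 00 00 1e 08 00 27 1f 30 76 08 00 45 00 ..'.....'.0v..E.
0010 00 3e 00 01 00 00 40 01 66 5a 0a 00 00 64 0a 00 .>....@.fZ...d..
0020 00 01 08 00 96 67 00 00 00 00 4d 61 73 74 65 72 .....g....Master
0030 69 6e 67 20 54 53 68 61 72 6b 20 4e 65 74 77 6f ing TShark Netwo
0040 72 6b 20 46 6f 72 65 6e 73 69 63 73 rk Forensics
"""

def parse_tshark_hexdump(text):
    """Rebuild frame bytes from 'offset  xx xx ...  ascii' lines.
    Assumes tshark's default layout (offset, up to 16 hex bytes, ASCII column),
    so each line is read until the first token that is not a hex byte."""
    frame = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:17]:  # drop the offset, cap at 16 bytes
            if len(tok) != 2 or any(c not in "0123456789abcdef" for c in tok.lower()):
                break  # reached the ASCII column
            frame.append(int(tok, 16))
    return bytes(frame)

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 means a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_icmp_frame(frame):
    """Decode Ethernet/IPv4/ICMP headers and verify both checksums."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    ip_hdr = frame[14:14 + ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    icmp = frame[14 + ihl:14 + total_len]  # ignore any Ethernet padding
    icmp_type, icmp_code, _stored, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "ethertype": ethertype, "proto": ip_hdr[9], "ttl": ip_hdr[8],
        "src": ".".join(map(str, ip_hdr[12:16])), "dst": ".".join(map(str, ip_hdr[16:20])),
        "ip_checksum_ok": inet_checksum(ip_hdr) == 0, "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "icmp_type": icmp_type, "icmp_code": icmp_code, "id": ident, "seq": seq,
        "payload": icmp[8:].decode("ascii", errors="replace"),
    }
if __name__ == "__main__":
    for key, val in decode_icmp_frame(parse_tshark_hexdump(TSHARK_HEXDUMP)).items():
        print(f"{key:>17}: {val}")
```

The decoded fields should agree with tshark's own summary line for packet 1 (10.0.0.100 → 10.0.0.1, id=0x0000, seq=0, ttl=64), and both checksums verify, which is a quick sanity check that the capture piped over SSH arrived intact.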
Ok, that’s it for how to setup a remote capture. If you wish to learn more, ensure you grab a copy of my book upon its release.
When is your book coming out? Thanks!