Learning by practicing: August 2020

Tuesday, August 11, 2020

Continuing mapping process - ProcDot

In this previous post and from content related to my book Hack and Detect, I demonstrated how you can map an attackers' TTPs from a visual perspective. This mapping immediately gives you visible insights into the attackers activity.

This post focuses on ProcDOT which was produced by the Austria Cert team.

The tool processes both Sysinternals Process Monitor log files along with PCAP files which are produced by tools such as Tcpdump, TShark, Wireshark, etc.

Without further ado let's get going. While there is both a Windows and a Linux version for this post, I will download and use the Windows.

Once we download and extract the file contents, I then executed Procdot by running "procdot.exe".

You are then asked to ensure the path of your plugins are properly configured. Specifically the website insists you read the "readme.txt". They asked nicely so you should ensure you read it. Once you read it you will see you need to have windump.exe and graphiviz on your system.

While I took the time to do that configuration above, it must be noted that I am unable to run Windump on my Windows 10 VM.

Let's now get logs from Process Monitor to see what we can learn about the process on our system.

In the interest of time and to keep it simple, I will focus on cmd.exe as the parent process.

Upon opening Process Monitor, I then went to the "File" -> "Capture Events" to disabling the capturing of events before I cleared the screen.

Next up, I created a filter for "Process Name is cmd.exe"

Now that the filter is set I then went back to "File" -> "Capture Events" to begin the capturing of events.

After executing a few commands in "cmd.exe", I then stopped capturing events. Next up save the file for input to ProcDOT by going to "File" -> "Save".

Next we see ProcDOT produced some information for our cmd.exe process and the threads. We do not see the children this process spawned. This is more than likely due to the filter we used with Process Monitor.

Let's now take a file where we have not set any specific filter and which was capturing for 1 minutes to see what we get. -

Looks a lot more interesting. However, there is also lots more data for us to analyze. That is where your analysis skills now come in.

References:

https://www.cert.at/en/downloads/software/software-procdot

https://www.procdot.com/downloadprocdotbinaries.htm

https://www2.graphviz.org/Packages/stable/windows/10/msbuild/Release/Win32/

https://www.winpcap.org/install/default.htm

https://www.procdot.com/onlinedocumentation.htm

Beginning password auditing with Domain Password Audit Tool (DPAT), NTDSUTIL and VSSADMIN

In this post, I am aiming to learn more about Domain Password Audit Tool (DPAT).

According to DPAT's GitHub page, this tool "is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as hashcat.potfile generated from the Hashcat tool during password cracking".

Considering the above, we need to get the passwords from the domain controller and feed that to hashcat or in my example John The Ripper (JTR) before we can feed the output to DPAT.

Well let's get going.

To gain access to the Windows NTDS.dit file, we will connect remotely to Windows Server 2019 via PSRemoting. PSRemoting is enabled by default on Windows Server. Alternatively, you may use "enable-psremoting" via Powershell to enable it.

From the Windows Domain Controller we can take advantage of Test-Wsman to verify PS-Remoting is enabled. WSMAN is short for Web Services Management Protocol.

PS C:\Users\Administrator> Test-WSMan -Verbose

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

That is cool but we want to access it remotely. Let's try this now from my Windows 10 device which is connected to the securitynik.local domain.

PS C:\users\SecurityNik> Test-WSMan -ComputerName secnik-2k19 -Authentication Default

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 10.0.17763 SP: 0.0 Stack: 3.0

Let's transition now to execute the "ntdsutil" command to grab a copy of AD database. We first use the "Enter-PSSession" command to connect to the remote server. Once connected, we execute "hostname" to confirm the host we have connected to, followed by "whoami" to confirm the user.

PS C:\users\SecurityNik> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> hostname
secnik-2k19
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> whoami
securitynik\securitynik

Now for "ntdsutil" let's find the database instances which currently exists.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "List Instances"
C:\Windows\system32\ntdsutil.exe: List Instances

Instance Name:         NTDS
LDAP Port:             389
SSL Port:              636
Install folder:        C:\Windows\NTDS
Database file:         C:\Windows\NTDS\ntds.dit
Log folder:            C:\Windows\NTDS
NTDS Mode    :         Active Directory Domain Controller Mode
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>

Let's now activate the "NTDS" Instance.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe:

Next up, extend the existing command by leveraging the "ifm" command to create a full installation media of the NTDS instance and save it in a folder "c:\tmp" on the secnik-2k19 server.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS" "ifm" "create full c:\tmp"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\tmp
Creating snapshot...
Snapshot set {57102033-942a-43ef-841b-4b975fbe0c53} generated successfully.
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} mounted as C:\$SNAP_202008031318_VOLUMEC$\
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202008031318_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\tmp\Active Directory\ntds.dit

                  Defragmentation  Status (omplete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\tmp\registry\SYSTEM
Copying c:\tmp\registry\SECURITY
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} unmounted.
IFM media created successfully in c:\tmp
ifm: C:\Windows\system32\ntdsutil.exe:

Let's now confirm the contents of the "c:\tmp" directory.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry

Nice we got two folders. Let's now compress these into one archive file using the Powershell's "Compress-Archive" cmdlet.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Compress-Archive -Path c:\tmp\* -DestinationPath c:\tmp\ntds.zip -CompressionLevel Fast
est -Force -Verbose
VERBOSE: Preparing to compress...
VERBOSE: Performing the operation "Compress-Archive" on target "
C:\tmp\Active Directory
C:\tmp\registry".
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.dit'.
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.jfm'.
VERBOSE: Adding 'C:\tmp\registry\SECURITY'.
VERBOSE: Adding 'C:\tmp\registry\SYSTEM'.
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry

Confirming the file was successfully created.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\ntds.zip

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/3/2020   1:25 PM        5497917 ntds.zip

To get the "ntds.zip" file off off the system, let's use "net use" command to map a drive and copy the file. As we map the drive, we see this is reported as completed successfully.

D:\TOOLS>net use M: \\10.0.0.20\C$ /user:securitynik@securitynik.local
Enter the password for 'securitynik@securitynik.local' to connect to '10.0.0.20':
The command completed successfully.

We can further conform this by executing "net use" once again, without any additional arguments.

D:\TOOLS>net use
New connections will not be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           M:        \\10.0.0.20\C$            Microsoft Windows Network
The command completed successfully.

Let's now copy the "ntds.zip" file unto our local system and confirm its existance.

D:\TOOLS>copy M:\tmp\ntds.zip .
        1 file(s) copied.

D:\TOOLS>dir ntds.zip
 Volume in drive D is Tools
 Volume Serial Number is F617-3FDD

 Directory of D:\TOOLS

2020-08-03  04:25 PM         5,497,917 ntds.zip
               1 File(s)      5,497,917 bytes
               0 Dir(s)  108,181,012,480 bytes free

Good stuff!! At this point, we have access to the "ntds.dit" file which holds the AD credentials.

Let's now move on to un-ziping the "ntds.zip" file with the ultimate aim of obtaining the hashes. To make this task easier, let's leverage the Impacket suite of Python scripts.

kali@securitynik:~$ unzip ntds.zip -d ntds
Archive:  ntds.zip
warning:  ntds.zip appears to use backslashes as path separators
  inflating: ntds/Active Directory/ntds.dit  
  inflating: ntds/Active Directory/ntds.jfm  
  inflating: ntds/registry/SECURITY  
  inflating: ntds/registry/SYSTEM

After extraction, Impacket to the rescue.

kali@securitynik:~/ntds$ ~/impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds.hashes -history
kali@securitynik:~/ntds$cat ntds.hashes
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xd246c7f512f50bc6444d77d31b34ba98
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 21eb5b3777772c58c5e1bd65ad66e76b
[*] Reading and decrypting hashes from Active Directory/ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:b7b7c33ea8994be1ebd4f47202c3a9b6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:46ab1a2346b3ac6693d72b17691d5f77:::
securitynik.local\nik:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
securitynik.local\nakia:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
... <TRUNCATED FOR BREVITY> ...
securitynik.local\securitynik:des-cbc-md5:32450b15e026d6e9
SECURITYNIK-WIN$:aes256-cts-hmac-sha1-96:1e67390661aeb7fe7e7006a1002e98d8b1d9b67239a67c2d2de9e3ec85215632
SECURITYNIK-WIN$:aes128-cts-hmac-sha1-96:33e9b147797864ca6e5a8c94ebece17d
SECURITYNIK-WIN$:des-cbc-md5:613d9e34a468e343
[*] Cleaning up...

Among the files the above creates, is "ntds.hashes.ntds". This file with hashes can now be provided to our tool of choice. I will use John the Ripper. However, do note DPAT also supports Hashcat also.

kali@securitynik:~/ntds$ sudo john ntds.hashes.ntds --format=nt
Using default input encoding: UTF-8
Loaded 26 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 4 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
                 (Guest)
Testing1         (Administrator)
Testing1         (securitynik.local\nik)
Testing1         (securitynik.local\nakia)
Testing1         (securitynik.local\neysa)
Testing1         (securitynik.local\saadia)
Testing1         (securitynik.local\admin)
Testing1         (securitynik.local\securitynik)
Proceeding with incremental:ASCII
....

Upon executing "./dpat.py" with the relevant arguments, we get:

kali@securitynik:~/DPAT$ sudo ./dpat.py --ntdsfile ../ntds/ntds.hashes.ntds --crackfile john.pot 
The Report has been written to the "_DomainPasswordAuditReport.html" file in the "DPAT Report" directory
Would you like to open the report now? [Y/n]N

I selected "N" as I wanted to see what is in the "DPAT Report" directory. Below we see the contents which were available for my system.

kali@securitynik:~/DPAT/DPAT Report$ ls
 0length_usernames.html   3reuse_usernames.html             password_history.html        top_password_stats.html
 0reuse_usernames.html    4reuse_usernames.html             password_length_stats.html   users_only_cracked_through_lm.html
 1reuse_usernames.html   'all hashes.html'                  password_reuse_stats.html
 2reuse_usernames.html    _DomainPasswordAuditReport.html   report.css

Time to use Firefox to look at the "_DomainPasswordAuditReport.html" file.

kali@securitynik:~/DPAT/DPAT Report$ firefox _DomainPasswordAuditReport.html &

Above, we see the summary information.

If we can get details on the password hashes used by clicking "Details" besides the password hashes

Similarly, we can get information on top password use stats, etc. Feel free to click the "Details" to learn more.

Alternative way of getting passwords with VSSADMIN

We achieved our objective above. However, an alternate way of getting credentials is via the Volume Shadow Copy Service. This is how tools such as Metasploit dump the Active Directory hashes.

PS C:\Tools> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>

Let's first use "vssadmin" to see if any shadow copies currently exists.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

Next let's list the volumes

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list volumes
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Volume path: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
    Volume name: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
Volume path: C:\

Taking a peak at the providers

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list providers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Provider name: 'Microsoft File Share Shadow Copy provider'
   Provider type: Fileshare
   Provider Id: {89300202-3cec-4981-9171-19f59559e0f2}
   Version: 1.0.0.1

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7

At this point no copies exist that we can take advantage of. Guess we have to create our own.

Let's check the status of the "VSS" Service

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Stopped  VSS                Volume Shadow Copy

We now have to start the "VSS" service, after which we verify it is running.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Start-Service vss
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Running  VSS                Volume Shadow Copy

Now that the service is running, let's create a shadow copy.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

Above, we see this is successful. Additionally, we can confirm this copy exists by listing the shadows as was done above.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {80bcd232-f7b0-4378-884d-8344436a3bd8}
   Contained 1 shadow copies at creation time: 8/6/2020 8:27:56 PM
      Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
         Original Volume: (C:)\\?\Volume{fd091226-0000-0000-0000-602200000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: secnik-2k19.securitynik.local
         Service Machine: secnik-2k19.securitynik.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Now let's access the NTDS.dit file on the shadow copy by copying it to the "c:\tmp" folder.

[secnik-2k19.securitynik.local]: PS C:\tmp> cmd.exe /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\
NTDS\ntds.dit c:\tmp\ntds.dit"
        1 file(s) copied.
[secnik-2k19.securitynik.local]: PS C:\tmp> dir c:\tmp\


    Directory: C:\tmp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
-a----         8/3/2020   1:04 PM       18874368 ntds.dit
-a----         8/3/2020   1:25 PM        5497917 ntds.zip

Now that the file is in the "c:\tmp" directory, we can access it as we did above. Before closing off, let's disable the VSS service.

[secnik-2k19.securitynik.local]: PS C:\tmp> Stop-Service vss
[secnik-2k19.securitynik.local]: PS C:\tmp> Get-Service vss

Status   Name               DisplayName
------   ----               -----------
Stopped  vss                Volume Shadow Copy

Let's now delete the shadow copy we created and verify no shadow copies exist.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin delete shadows /for=C: /quiet
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

Well that's it for this post.

References:

https://github.com/clr2of8/DPAT

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7

https://www.dtonias.com/enable-powershell-remoting-check-enabled/

https://www.poftut.com/enable-powershell-remoting-psremoting-winrm/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-5.1

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753343(v=ws.11)

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/compress-archive?view=powershell-7

https://github.com/SecureAuthCorp/impacket

https://adsecurity.org/?p=2398

https://www.rapid7.com/resources/dumping-active-directory-password-hashes/

https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service

https://stackoverflow.com/questions/24940243/running-cmd-command-in-powershell

Beginning Proxychains - Keeping a low profile

As a defender, it is always recommended to NOT interact with a suspicious (threat actor) IP from your own network. However, since we need to investigate the threat actor's IP(s), to learn something about the threat and or the device from which the attack is occurring, what can we do? The reality is there are many things we can do. One of these is to use tools such as ProxyChains as we will do in this post.

In this post, I am using Kali 2020.3. Proxychains is installed on Kali by default.

Here is my Kali version:

kali@securitynik:~$ lsb_release --all
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling

Before we start using proxychains, let's first take a look at the configuration. Specifically, I have changed the configuration from "strict_chain" to "random_chain". This was achieved by commenting "strict_chain" while uncommenting "random_chain". Here I use "grep" to show what the change looks like:

kali@securitynik:~$ cat /etc/proxychains.conf | grep --perl-regex "^# strict_chain|^random_chain"
# strict_chain
random_chain

Additionally, we look at the last 6 lines of the "/etc/proxychains.conf" file with a focus on the "[ProxyList]" section.

kali@securitynik:~$ cat /etc/proxychains.conf | tail --lines 6
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

We see above it is using 127.0.0.1 9050 and defaults to "tor". Let's see if tor is listening on port 9050.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process

Above we see port 9050 is not listening. Let's verify if tor is installed.

kali@securitynik:~$ which tor
kali@securitynik:~$

Looks like tor is not installed. Let's install tor.

kali@securitynik:~$ sudo apt-get install tor
....

Once "tor" is installed, we look at the help.

kali@securitynik:~$ tor --help
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2020, The Tor Project, Inc.

tor -f <torrc> [args]
See man page for options, or https://www.torproject.org/ for documentation.

Let's now start tor

kali@securitynik:~$ tor
Jul 28 22:12:39.646 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.4.5.
Jul 28 22:12:39.647 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 28 22:12:39.647 [notice] Read configuration file "/etc/tor/torrc".
Jul 28 22:12:39.650 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.651 [notice] Opened Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 28 22:12:39.000 [notice] Bootstrapped 0% (starting): Starting
Jul 28 22:12:40.000 [notice] Starting with guard context "default"
Jul 28 22:12:40.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Jul 28 22:12:40.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 59% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:42.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Jul 28 22:12:43.000 [notice] Bootstrapped 100% (done): Done

Now that we see above the last line says "Done", let's run "ss" again, to see if port 9050 is now listening.

kali@securitynik:~$ ss --numeric --listening --tcp
State       Recv-Q       Send-Q             Local Address:Port             Peer Address:Port      Process      
LISTEN      0            4096                   127.0.0.1:9050                  0.0.0.0:*

Let's now use "ncat" to make a request to "www.securitynik.com" on port 443. Here is what that looks like without proxy chains.

kali@securitynik:~$ ncat --verbose www.securitynik.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.2.115:443.

If we do a "ping" on "www.securitynik.com", we see it returns the address above.

kali@securitynik:~$ ping www.securitynik.com
PING ghs.googlehosted.com (172.217.2.115) 56(84) bytes of data.

Let's now run that command one more time by prepending "proychains" to it.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

Looks like both the DNS and HTTPS traffic has been proxied as seen by the "|R-chain|" above.

Let's run this one more time to see if the proxy changes as this was configured for "random".

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.

Above it seems a new IP.

Let's run this one final time.

kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com 
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.

Looks like each instance, we used a random IP address for our proxy chain.

Well hopefully the blog post above has made your job easier as a defender, as you look to learn about suspicious hosts.

References:

https://linuxhint.com/proxychains-tutorial/

https://anonymous-proxy-servers.net/en/help/proxychains.html

https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

https://www.codeproject.com/tips/634228/how-to-use-proxychains-forwarding-ports

Beginning packet capturing with Windows Built in Packet Monitor (pktmon) packet capturing tool

Recently while doing some unrelated research, I came across this link from www.bleepingcomputer.com about Windows having a built in sniffer. I am aware of being able to use "netsh trace" to perform packet capturing but this seems like a better option. I may be wrong. Windows having built in sniffer is a good thing, as most of us who work with Linux are accustomed to having "tcpdump" there by default in most cases. What I like about the "pktmon.exe" version on my Windows 10 (2004), is that it support pcapng format.

Here is Microsoft's note on pktmon.exe.

"Packet Monitor (PacketMon) is an in-box cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking, SDN, etc. It is available in-box via pktmon.exe command, and via Windows Admin Center extensions."

In this post, I will be walking through "pktmon" with as much detail as possible. Most of the resources I found online basically gave a somewhat superficial view of this tool. My intention is to make this your one-stop shop for how to use Packet Monitor.

First up, we need to ensure our terminal is running with elevated privileges.

Once in the elevated terminal, let's look at the help

C:\Users\SecurityNik>pktmon help
pktmon { filter | comp | reset | start | stop } [OPTIONS | help]
    Monitor internal packet propagation and packet drop reports.

Commands
    filter     Manage packet filters.
    comp       Manage registered components.

    reset      Reset counters to zero.
    start      Start packet monitoring.
    stop       Stop monitoring.
    format     Convert log file to text.
    pcapng     Convert log file to pcapng format.
    unload     Unload PktMon driver.

help
    Show help text for a command.

If you need help for a particular component, you can use for example "pktmon filter help"

C:\Users\SecurityNik>pktmon filter help
pktmon filter { list | add | remove } [OPTIONS | help]

Commands
    list      Display active packet filters.
    add       Add a filter to control which packets are reported.
    remove    Removes all filters.

help
    Show help text for a command.

Before we begin, let's look at the registered components via "pktmon.exe comp help"

C:\Users\SecurityNik>pktmon comp help
pktmon comp { list | counters } [OPTIONS | help]

Commands
    list        List all active components.
    counters    Display current per-component counters.

help
    Show help text for a command.

If we look further at the help via "pktmon comp list help", we see we can show components that are hidden by default as well as specify the output to be json.

C:\Users\SecurityNik>pktmon comp list help
pktmon [comp] list
    List all active components.

-i, --show-hidden
    Show components that are hidden by default.

--json
    Output the list in JSON format.

At this point, we see we can list all active components via "pktmon comp list'. We will use the default output rather than json.

C:\Users\SecurityNik>pktmon comp list --show-hidden | more
VirtualBox Host-Only Ethernet Adapter
    Id: 13
    Driver: VBoxNetAdp6.sys
    MAC Address: 0A-00-27-00-00-05
    ifIndex: 5

    Filter Drivers:
        Id Driver      Name
        -- ------      ----
        38 wfplwfs.sys WFP Native Filter
        36 pacer.sys   QoS Packet Scheduler
        35 wfplwfs.sys WFP 802.3 Filter

    Protocols:
        Id Driver          Name        EtherType
        -- ------          ----        ---------
        96 tcpip.sys       TCPIP6      IPv6
        91 tcpip.sys       TCPIP       ARP, IPv4
        84 mslldp.sys      MSLLDP      LLDP
        83 rspndr.sys      RSPNDR      VLAN, LLTD
        82 vmnetbridge.sys VMNETBRIDGE * (All)
        81 ndisuio.sys     NDISUIO     88c7, VLAN, 802.1X
        80 lltdio.sys      LLTDIO      * (All)

    Application Protocols:
         Id Driver   Name IP Address
         -- ------   ---- ----------
        107 http.sys HTTP fe80::910f:2448:7235:77be
        101 http.sys HTTP 10.0.0.1

    ... <TRUNCATED FOR BREVITY> ...

From the output returned above, we see information on protocol, drivers, IPv4 and IPv6 addresses, etc.

Let's now look at the help for the counters via "pktmon comp counters help"

C:\Users\SecurityNik>pktmon comp counters help
pktmon [comp] counters [-t { all | drop | flow }] [-z] [--json]
    Display current per-component counters.

-t, --counter-type
    Select which types of counters to show.
    Supported values are all counters (default), drops only, or flows only.

-z, --show-zeros
    Show counters that are zero in both directions.

-i, --show-hidden
    Show components that are hidden by default.

--json
    Output the counters in JSON format.

Let's now look at the counters via "pktmon comp counters --counter-type all --show-hidden"

C:\Users\SecurityNik>pktmon comp counters --counter-type all --show-hidden
All counters are zero.

Now that we have a better understanding of the registered components, let's move to setting up our first a filter to capture traffic for a specific MAC address.

Let's verify if any filters exist via "pktmon filter list"

C:\Users\SecurityNik>pktmon filter list
There are no packet filters.

Time for our first filter. First, let's look at the help for adding a filter via "pktmon filter add help"

C:\Users\SecurityNik>pktmon filter add help
pktmon filter add <name> [-m mac [mac2]] [-v vlan] [-d { IPv4 | IPv6 | number }]
                         [-t { TCP [flags...] | UDP | ICMP | ICMPv6 | number }]
                         [-i ip [ip2]] [-p port [port2]] [-e [port]]
    Add a filter to control which packets are reported. For a packet to be
    reported, it must match all conditions specified in at least one filter.
    Up to 8 filters can be active at once.

    NOTE1: When two MACs (-m), IPs (-i), or ports (-p) are specified, the filter
           matches packets that contain both. It will not distinguish between source
           or destination for this purpose.

name
    Optional name or description of the filter.

Ethernet frame
    -m, --mac[-address]
        Match source or destination MAC address. See NOTE1 above.

    -v, --vlan
        Match by VLAN Id (VID) in the 802.1Q header.

    -d, --data-link[-protocol], --ethertype
        Match by data link (layer 2) protocol. Can be IPv4, IPv6, ARP, or
        a protocol number.

IP header
    -t, --transport[-protocol], --ip-protocol
        Match by transport (layer 4) protocol. Can be TCP, UDP, ICMP, ICMPv6, or
        a protocol number.
        To further filter TCP packets, an optional list of TCP flags to match can
        be provided. Supported flags are FIN, SYN, RST, PSH, ACK, URG, ECE, and CWR.

    -i, --ip[-address]
        Match source or destination IP address. See NOTE1 above.
        To match by subnet, use CIDR notation with the prefix length.

TCP/UDP header
    -p, --port
        Match source or destination port number. See NOTE1 above.

Encapsulation
    -e, --encap
        This filter also applies to encapsulated inner packets, in addition to the outer
        packet. Supported encapsulation methods are VXLAN, GRE, NVGRE, and IP-in-IP.
        Custom VXLAN port is optional, and defaults to 4789.

Example 1: Ping filter
        pktmon filter add MyPing -i 10.10.10.10 -t ICMP

Example 2: TCP SYN filter for SMB traffic
    pktmon filter add MySmbSyn -i 10.10.10.10 -t TCP SYN -p 445

Example 3: Subnet filter
    pktmon filter add MySubnet -i 10.10.10.0/24

Next we configure a capture for traffic with MAC address "0A-00-27-00-00-05" which we learned about above, when we looked at the registered components and is associated with "VirtualBox Host-Only Ethernet Adapter" and IP address "10.0.0.1"

C:\Users\SecurityNik>pktmon filter add VBox-Mac --mac  0A-00-27-00-00-05
Filter added.

Verify the filter exists by listing the filters again.

C:\Users\SecurityNik>pktmon filter list
 # Name     MAC Address
 - ----     -----------
 1 VBox-Mac 0A-00-27-00-00-05

Let's now look at the help for starting a capture

C:\Users\SecurityNik>pktmon start help
pktmon start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]]
             [-f] [-s] [--log-mode {circular | multi-file | real-time | memory}]
    Start packet monitoring.

-c, --components
    Select components to monitor. Can be all components, NICs only, or a
    list of component ids. Defaults to all.

-d, --drop-only
    Only report dropped packets. By default, successful packet propagation
    is reported as well.

ETW Logging
    --etw
        Start a logging session for packet capture.

    -p, --packet-size
        Number of bytes to log from each packet. To always log the entire
        packet, set this to 0. Default is 128 bytes.

    -k, --keywords
        Hexadecimal bitmask (i.e. sum of the below flags) that controls
        which events are logged. Default is 0x012.

        Flags:
        0x001 - Internal Packet Monitor errors.
        0x002 - Information about components, counters and filters.
                This information is added to the end of the log file.
        0x004 - Source and destination information for the first
                packet in NET_BUFFER_LIST group.
        0x008 - Select packet metadata from NDIS_NET_BUFFER_LIST_INFO
                enumeration.
        0x010 - Raw packet, truncated to the size specified in
                [--packet-size] parameter.

    -f, --file-name
        .etl log file. Default is PktMon.etl.

    -s, --file-size
        Maximum log file size in megabytes. Default is 512 MB.

    -l, --log-mode
        Select logging mode. Default is circular.

        circular
            New events overwrite the oldest ones when
            when the maximum file size is reached.

        multi-file
            A new log file is created when the maximum file size is reached.
            Log files are sequentially numbered. PktMon1.etl, PktMon2.etl, etc.

        real-time
            Display events and packets on screen at real time. No log file is created.
            Press Ctrl+C to stop monitoring.

        memory
            Events are written to a circular memory buffer.
            Buffer size is specified in [--file-size] parameter.
            Buffer contents is written to a log file during stop operation.

Picking the "--log-mode" as "real-time" mode to start things off. After setting up the filter, we then do a "ping 10.0.0.104". Remember, to cancel this monitor session, hit "CTRL+C" after which you should see "Flushing logs..."

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

21:31:10.816725700 PktGroupId 1, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 85, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816732400 PktGroupId 1, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 36, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816734200 PktGroupId 1, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 36, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816735900 PktGroupId 1, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 38, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816742000 PktGroupId 1, PktNumber 1, Appearance 5, Direction Tx , Type Ethernet , Component 38, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816743500 PktGroupId 1, PktNumber 1, Appearance 6, Direction Tx , Type Ethernet , Component 13, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
Flushing logs...

.... <TRUNCATED FOR BREVITY> ....

Here is what my ping looked like.

C:\Users\SecurityNik>ping 10.0.0.104 -n 1

Pinging 10.0.0.104 with 32 bytes of data:
Request timed out.

Ping statistics for 10.0.0.104:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

If we revisit the help above about "real-time" logging, it states "Display events and packets on screen at real time. No log file is created." However, when I look on my file system, a file with the default filename was created as seen below. Maybe I am missing something.

C:\Users\SecurityNik>dir PktMon.etl
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-08-07  09:42 PM        50,331,648 PktMon.etl
               1 File(s)     50,331,648 bytes
               0 Dir(s)  34,686,263,296 bytes free

If you are reading this blog and know why a file was created even though I told it to do "real-time" logging, please let me know what I might have missed.

C:\Users\SecurityNik>pktmon filter remove 
Removed all filters.

Above we removed the previously configured filters. It does not look like there is an option at present to remove a specific filter.

Let's run another filter which focuses on ARP packets.

Once again, let's set and verify a filter.

C:\Users\SecurityNik>pktmon filter add ARP-Capture --ethertype arp
Filter added.

C:\Users\SecurityNik>pktmon filter list
 # Name        EtherType
 - ----        ---------
 1 ARP-Capture ARP

Starting the capture in "real-time" mode.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

21:54:33.326462700 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.......
21:54:36.322822700 PktGroupId 8, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
21:54:36.322828200 PktGroupId 8, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 11, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
        00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
Flushing logs...

Now that we know how to capture ARP packets, let's move up the stack. Once again, delete all defined filters.

C:\Users\SecurityNik>pktmon filters remove
Removed all filters.

Let's continue at the IP layer. Time to add a filter to look for ICMP (protocol 1) packets to destination 9.9.9.9. After setting the filter, we verify its creation.

C:\Users\SecurityNik>pktmon filter add IP-TCP --data-link IPv4 --ip-protocol 1 --ip-address "9.9.9.9"
Filter added.

C:\Users\SecurityNik>pktmon filter list
 # Name   EtherType Protocol IP Address
 - ----   --------- -------- ----------
 1 IP-TCP IPv4      ICMP     9.9.9.9

Once again capturing to the screen, while setting the packet size option to "1500" bytes.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

22:12:01.498988200 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40
... <TRUNCATED FOR BREVITY> ...
22:12:01.600308300 PktGroupId 281474976710661, PktNumber 1, Appearance 5, Direction Rx , Type Ethernet , Component 76, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
22:12:01.600310300 PktGroupId 281474976710661, PktNumber 1, Appearance 6, Direction Rx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
Flushing logs...

Looks good so far. Once again, delete the filter and let's extend the last filter.

Here is what my ping looked like. Remember, this needs to be executed after starting the filter.

C:\Users\SecurityNik>ping -n 1 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=753ms TTL=54

Ping statistics for 9.9.9.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 753ms, Maximum = 753ms, Average = 753ms


C:\Users\SecurityNik>pktmon filter remove
Removed all filters.

Modifying and extending the previous filter, we now look for TCP traffic on port 443 where the SYN flag is set. Note below, this will also show packets with both the SYN and ACK flags set. I am not aware of a way of isolating the filter to only one specific flag at this time.

C:\Users\SecurityNik>pktmon filter add IP-TCP-SYN-443 --data-link IPv4 --ip-address 172.217.2.115 --transport-protocol tcp SYN --port 443
Filter added.

C:\Users\SecurityNik>pktmon filters list
 # Name           EtherType Protocol  IP Address    Port
 - ----           --------- --------  ----------    ----
 1 IP-TCP-SYN-443 IPv4      TCP (SYN) 172.217.2.115  443

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...

23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539712200 PktGroupId 562949953421500, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539714000 PktGroupId 562949953421500, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
23:02:26.599510100 PktGroupId 1688849860264106, PktNumber 1, Appearance 2, Direction Rx , Type Ethernet , Component 32, 
... <TRUNCATED FOR BREVITY>....

Here is what my PSPing looked like.

C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:65066: 63.67ms

  Sent = 0, Received = 0, Lost = 0 (0% loss),
  Minimum = 0.00ms, Maximum = 0.00ms, Average = 0.00ms
Control-C
^C

Maybe you have learned about a specific session, on a particular pair of IP addresses and ports that you should be monitoring. Specifically, let's say there is a SSH session on "192.168.0.62:53726" and "192.168.0.4:22" as shown by the "nestat" output below.

C:\Users\SecurityNik>netstat -anop tcp | findstr /i "est" | findstr ":22"
  TCP    192.168.0.62:53726     192.168.0.4:22         ESTABLISHED     23548

A filter such as the following can be used.

C:\Users\SecurityNik>pktmon filter add --ip-address 192.168.0.4 192.168.0.62 --transport-protocol tcp --port 53726 22
Filter added.

Starting the capture and looking at the results, we see.

C:\Users\SecurityNik>pktmon start  --etw --log-mode real-time
Active measurement started.
Processing...

10:25:13.196576300 PktGroupId 1688849860264110, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196581200 PktGroupId 1688849860264110, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196584200 PktGroupId 1688849860264110, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
10:25:13.196585800 PktGroupId 1688849860264110, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
        40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36
...<TRUNCATED FOR BREVITY>...

At this point, we should have a good idea how to capture packets through the OSI or TCP/IP model. We first captured at the network access layer. This was then followed by capture at the internet layer, moving to the transport layer and then the application layer, looking at packets on port 443 and 22.

Let's now write this out to output files, using the default name.

Using the previous filter.

C:\Users\SecurityNik>pktmon filter list
 # Name           EtherType Protocol  IP Address    Port
 - ----           --------- --------  ----------    ----
 1 IP-TCP-SYN-443 IPv4      TCP (SYN) 172.217.2.115  443

Starting the capture in a "Multifile" mode with maximum file size of 1GB (1000MB)

C:\Users\SecurityNik>pktmon start  --etw --log-mode multi-file --file-size 1000

Log file name:     C:\Users\SecurityNik\PktMon%d.etl
Logging mode:      Multifile
Maximum file size: 1000 MB

Active measurement started.

Now that the capture has started, let's look at the counters after generating some traffic to "www.securitynik.com" via "psping".

C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:49688: 38.02ms
Connecting to 172.217.2.115:443: from 192.168.0.62:49689: 39.07ms

Looking at the counters.

C:\Users\SecurityNik>pktmon counters --show-hidden

Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
 Id Name                       Counter  Direction     Packets          Bytes | Direction     Packets          Bytes
 -- ----                       -------  ---------     -------          ----- | ---------     -------          -----
 33 Native WiFi Filter Driver  Upper    Rx                  6            396 | Tx                  6            396
 32 VirtualBox NDIS Light-W... Upper    Rx                  6            396 | Tx                  6            396
 31 QoS Packet Scheduler       Upper    Rx                  0              0 | Tx                  6            396
                                                                             |
 90 TCPIP (NDIS)               Lower    Rx                  6            396 | Tx                  6            396
 76 VMNETBRIDGE                Lower    Rx                  6            396 | Tx                  0              0
 75 NDISUIO                    Lower    Rx                  6            396 | Tx                  0              0
 74 LLTDIO                     Lower    Rx                  6            396 | Tx                  0              0

Let's now stop the capture.

C:\Users\SecurityNik>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\SecurityNik\PktMon1.etl (No events lost)

Now that we have the file, let's convert it to two different outputs. First, let's change it to text.

Looking at the help for "format" via "pktmon.exe format help"

C:\Users\SecurityNik>pktmon.exe format help
pktmon format log.etl [-o log.txt] [-b] [-v [level]] [-x] [-e] [-l [port]
    Convert log file to text format.

-o, --out
    Name of the formatted text file.

-s, --stats-only
    Display log file statistical information.

Network packet formatting options

    -b, --brief
        Abbreviated packet format.

    -v, --verbose
        Verbosity level [1..3].

    -x, --hex
        Hexadecimal format.

    -e, --no-ethernet
        Don't print ethernet header.

    -l, --vxlan
        Custom VXLAN port.

Looking first at the statistics of of the previously captured data in the "PktMon1.epl" file

C:\Users\SecurityNik>pktmon format PktMon1.etl  --stats-only --verbose
Processing...

Start time              2020-08-07 23:17:46.996574700
Stop time               2020-08-07 23:22:43.422846700
Events total            788
Manifest-based events   788
WPP events              0

Provider                Microsoft-Windows-PktMon
Keywords                0000000000000012
Manifest-based events   788

Sending the output to a text file name "securitynik-pktmon.txt"

C:\Users\SecurityNik>pktmon format PktMon1.etl --out securitynik-pktmon.txt --verbose
Processing...

Events formatted:  788
Formatted file:    securitynik-pktmon.txt

Peaking into the "securitynik-pktmon.txt" file, we see.

C:\Users\SecurityNik>type securitynik-pktmon.txt | more
23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
        40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    ... <TRUNCATED FOR BREVITY> ...

Let's now get the "PktMon1.epl" file to our analysis machine where we have TShark/Wireshark installed. Here we once again do some conversion.

As always, looking at the help.

C:\Users\SecurityNik>pktmon pcapng help
pktmon pcapng log.etl [-o log.pcapng]
    Convert log file to pcapng format.
    Dropped packets are not included by default.

-o, --out
    Name of the formatted pcapng file.

-d, --drop-only
    Convert dropped packets only.

-c, --component-id
    Filter packets by a specific component ID.

Let's now convert the file.

C:\Users\SecurityNik>pktmon pcapng PktMon1.etl --out securitynik-pktmon.pcapng
Processing...

Packets total:     60
Packet drop count: 0
Packets formatted: 60
Formatted file:    securitynik-pktmon.pcapng

Reading the packets with TShark.

C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n | more
    1   0.000000 192.168.0.62 ΓåÆ 172.217.2.115 TCP 66 49684 ΓåÆ 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000005 192.168.0.62 ΓåÆ 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 ΓåÆ 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    3   0.000006 192.168.0.62 ΓåÆ 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 ΓåÆ 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    4   0.000008 192.168.0.62 ΓåÆ 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 ΓåÆ 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    ... <TRUNCATED FOR BREVITY> ...

Looking at the protocol hierarchy in TShark

C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:60 bytes:3960
  ip                                     frames:60 bytes:3960
    tcp                                  frames:60 bytes:3960
===================================================================

Well that's it for this post. I believe this to be the most comprehensive usage of Microsoft new packet capture utility on Windows as of at the time of writing.

References:

https://www.bleepingcomputer.com/news/microsoft/windows-10-quietly-got-a-built-in-network-sniffer-how-to-use/

https://techcommunity.microsoft.com/t5/networking-blog/introducing-packet-monitor/ba-p/1410594

https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282

https://docs.microsoft.com/en-us/sysinternals/downloads/psping