Tuesday, August 11, 2020
Continuing mapping process - ProcDot
Beginning password auditing with Domain Password Audit Tool (DPAT), NTDSUTIL and VSSADMIN
PS C:\Users\Administrator> Test-WSMan -Verbose

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0
PS C:\users\SecurityNik> Test-WSMan -ComputerName secnik-2k19 -Authentication Default

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 10.0.17763 SP: 0.0 Stack: 3.0
PS C:\users\SecurityNik> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> hostname
secnik-2k19
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> whoami
securitynik\securitynik
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "List Instances"
C:\Windows\system32\ntdsutil.exe: List Instances
Instance Name:         NTDS
LDAP Port:             389
SSL Port:              636
Install folder:        C:\Windows\NTDS
Database file:         C:\Windows\NTDS\ntds.dit
Log folder:            C:\Windows\NTDS
NTDS Mode :            Active Directory Domain Controller Mode
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> ntdsutil "Activate Instance NTDS" "ifm" "create full c:\tmp"
C:\Windows\system32\ntdsutil.exe: Activate Instance NTDS
Active instance set to "NTDS".
C:\Windows\system32\ntdsutil.exe: ifm
ifm: create full c:\tmp
Creating snapshot...
Snapshot set {57102033-942a-43ef-841b-4b975fbe0c53} generated successfully.
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} mounted as C:\$SNAP_202008031318_VOLUMEC$\
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202008031318_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: c:\tmp\Active Directory\ntds.dit

                  Defragmentation  Status (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying c:\tmp\registry\SYSTEM
Copying c:\tmp\registry\SECURITY
Snapshot {cfb56d3b-7c27-4176-a6e4-e5b75610916c} unmounted.
IFM media created successfully in c:\tmp
ifm:
C:\Windows\system32\ntdsutil.exe:
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Compress-Archive -Path c:\tmp\* -DestinationPath c:\tmp\ntds.zip -CompressionLevel Fastest -Force -Verbose
VERBOSE: Preparing to compress...
VERBOSE: Performing the operation "Compress-Archive" on target " C:\tmp\Active Directory C:\tmp\registry".
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.dit'.
VERBOSE: Adding 'C:\tmp\Active Directory\ntds.jfm'.
VERBOSE: Adding 'C:\tmp\registry\SECURITY'.
VERBOSE: Adding 'C:\tmp\registry\SYSTEM'.

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> dir C:\tmp\ntds.zip

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/3/2020   1:25 PM        5497917 ntds.zip
D:\TOOLS>net use M: \\10.0.0.20\C$ /user:securitynik@securitynik.local
Enter the password for 'securitynik@securitynik.local' to connect to '10.0.0.20':
The command completed successfully.
D:\TOOLS>net use
New connections will not be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           M:        \\10.0.0.20\C$            Microsoft Windows Network
The command completed successfully.
D:\TOOLS>copy M:\tmp\ntds.zip .
        1 file(s) copied.

D:\TOOLS>dir ntds.zip
 Volume in drive D is Tools
 Volume Serial Number is F617-3FDD

 Directory of D:\TOOLS

2020-08-03  04:25 PM         5,497,917 ntds.zip
               1 File(s)      5,497,917 bytes
               0 Dir(s)  108,181,012,480 bytes free
kali@securitynik:~$ unzip ntds.zip -d ntds
Archive:  ntds.zip
warning:  ntds.zip appears to use backslashes as path separators
  inflating: ntds/Active Directory/ntds.dit
  inflating: ntds/Active Directory/ntds.jfm
  inflating: ntds/registry/SECURITY
  inflating: ntds/registry/SYSTEM
kali@securitynik:~/ntds$ ~/impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds.hashes -history
kali@securitynik:~/ntds$ cat ntds.hashes
Impacket v0.9.22.dev1+20200728.230151.48a3124c - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xd246c7f512f50bc6444d77d31b34ba98
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 21eb5b3777772c58c5e1bd65ad66e76b
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SECNIK-2K19$:1000:aad3b435b51404eeaad3b435b51404ee:b7b7c33ea8994be1ebd4f47202c3a9b6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:46ab1a2346b3ac6693d72b17691d5f77:::
securitynik.local\nik:1103:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
securitynik.local\nakia:1104:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026:::
... <TRUNCATED FOR BREVITY> ...
securitynik.local\securitynik:des-cbc-md5:32450b15e026d6e9
SECURITYNIK-WIN$:aes256-cts-hmac-sha1-96:1e67390661aeb7fe7e7006a1002e98d8b1d9b67239a67c2d2de9e3ec85215632
SECURITYNIK-WIN$:aes128-cts-hmac-sha1-96:33e9b147797864ca6e5a8c94ebece17d
SECURITYNIK-WIN$:des-cbc-md5:613d9e34a468e343
[*] Cleaning up...
kali@securitynik:~/ntds$ sudo john ntds.hashes.ntds --format=nt
Using default input encoding: UTF-8
Loaded 26 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 4 candidates buffered for the current salt, minimum 24 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
                 (Guest)
Testing1         (Administrator)
Testing1         (securitynik.local\nik)
Testing1         (securitynik.local\nakia)
Testing1         (securitynik.local\neysa)
Testing1         (securitynik.local\saadia)
Testing1         (securitynik.local\admin)
Testing1         (securitynik.local\securitynik)
Proceeding with incremental:ASCII
....
kali@securitynik:~/DPAT$ sudo ./dpat.py --ntdsfile ../ntds/ntds.hashes.ntds --crackfile john.pot
The Report has been written to the "_DomainPasswordAuditReport.html" file in the "DPAT Report" directory
Would you like to open the report now? [Y/n]N
kali@securitynik:~/DPAT/DPAT Report$ ls
0length_usernames.html   3reuse_usernames.html            password_history.html        top_password_stats.html
0reuse_usernames.html    4reuse_usernames.html            password_length_stats.html   users_only_cracked_through_lm.html
1reuse_usernames.html   'all hashes.html'                 password_reuse_stats.html
2reuse_usernames.html    _DomainPasswordAuditReport.html  report.css
kali@securitynik:~/DPAT/DPAT Report$ firefox _DomainPasswordAuditReport.html &
Above, we see the summary information.
We achieved our objective above. However, an alternate way of getting credentials is via the Volume Shadow Copy Service. This is how tools such as Metasploit dump the Active Directory hashes.
PS C:\Tools> Enter-PSSession -ComputerName secnik-2k19.securitynik.local -Authentication Default
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents>
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list volumes
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Volume path: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
    Volume name: \\?\Volume{fd091226-0000-0000-0000-100000000000}\
Volume path: C:\
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list providers
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Provider name: 'Microsoft File Share Shadow Copy provider'
   Provider type: Fileshare
   Provider Id: {89300202-3cec-4981-9171-19f59559e0f2}
   Version: 1.0.0.1

Provider name: 'Microsoft Software Shadow Copy provider 1.0'
   Provider type: System
   Provider Id: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Version: 1.0.0.7
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Stopped  VSS                Volume Shadow Copy
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Start-Service vss
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> Get-Service VSS

Status   Name               DisplayName
------   ----               -----------
Running  VSS                Volume Shadow Copy
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin create shadow /for=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'C:\'
    Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
    Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {80bcd232-f7b0-4378-884d-8344436a3bd8}
   Contained 1 shadow copies at creation time: 8/6/2020 8:27:56 PM
      Shadow Copy ID: {d93157d0-53e5-4f1b-b378-dc10ed0fb468}
         Original Volume: (C:)\\?\Volume{fd091226-0000-0000-0000-602200000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: secnik-2k19.securitynik.local
         Service Machine: secnik-2k19.securitynik.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
[secnik-2k19.securitynik.local]: PS C:\tmp> cmd.exe /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit c:\tmp\ntds.dit"
        1 file(s) copied.

[secnik-2k19.securitynik.local]: PS C:\tmp> dir c:\tmp\

    Directory: C:\tmp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         8/3/2020   1:18 PM                Active Directory
d-----         8/3/2020   1:18 PM                registry
-a----         8/3/2020   1:04 PM       18874368 ntds.dit
-a----         8/3/2020   1:25 PM        5497917 ntds.zip
[secnik-2k19.securitynik.local]: PS C:\tmp> Stop-Service vss
[secnik-2k19.securitynik.local]: PS C:\tmp> Get-Service vss

Status   Name               DisplayName
------   ----               -----------
Stopped  vss                Volume Shadow Copy
[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin delete shadows /for=C: /quiet
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

[secnik-2k19.securitynik.local]: PS C:\Users\securitynik\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
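Both ways of getting at ntds.dit shown above (the ntdsutil IFM snapshot, and a manually created shadow copy followed by a copy out of the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path) leave the same kind of trace on the domain controller: a process-creation record whose command line names the tool and the action. The following is an added example, not part of the original post, of rules a defender would run over such records. The event records are constructed dicts (field names host, user and cmd are assumptions of this example) modelled on the command lines in the post, with two benign ones mixed in; in practice the cmd field would come from the command-line field of Windows Security event 4688 or Sysmon event 1.

```python
r"""Flag process-creation command lines that correspond to NTDS extraction steps.

Added example, not part of the original post. Records are constructed dicts; in a
real pipeline "cmd" would be the command line from Security 4688 or Sysmon event 1.
Covered: the ntdsutil IFM snapshot, vssadmin shadow creation, copying ntds.dit out
of \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, archiving it, and the cleanup.
"""
import re

# (rule name, severity, regex applied to the lower-cased command line)
RULES = [
    ("ntdsutil IFM media creation", "high",
     re.compile(r"ntdsutil.*\b(ifm|create\s+full)\b")),
    ("ntdsutil NTDS instance activation", "medium",
     re.compile(r"ntdsutil.*activate\s+instance\s+ntds")),
    ("vssadmin shadow copy created", "medium",
     re.compile(r"vssadmin.*\bcreate\s+shadow\b")),
    ("ntds.dit copied out of a shadow copy", "high",
     re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit")),
    ("shadow copies deleted (cleanup)", "medium",
     re.compile(r"vssadmin.*\bdelete\s+shadows\b")),
    ("ntds.dit archived", "low",
     re.compile(r"compress-archive.*ntds|ntds\.dit.*compress-archive")),
]

# Constructed sample records modelled on the commands in the post, plus benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "host": "secnik-2k19", "user": "securitynik\\securitynik",
     "cmd": 'ntdsutil "Activate Instance NTDS" "ifm" "create full c:\\tmp"'},
    {"id": 2, "host": "secnik-2k19", "user": "securitynik\\securitynik",
     "cmd": "vssadmin create shadow /for=C:"},
    {"id": 3, "host": "secnik-2k19", "user": "securitynik\\securitynik",
     "cmd": 'cmd.exe /c "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3'
            '\\Windows\\NTDS\\ntds.dit c:\\tmp\\ntds.dit"'},
    {"id": 4, "host": "secnik-2k19", "user": "securitynik\\securitynik",
     "cmd": "vssadmin delete shadows /for=C: /quiet"},
    # Benign: enumeration only, no shadow copy created or read.
    {"id": 5, "host": "secnik-2k19", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": "vssadmin list shadows"},
    # Benign: the string "ntds" alone must not fire anything.
    {"id": 6, "host": "ws-01", "user": "securitynik\\nik",
     "cmd": "notepad.exe C:\\notes\\ntds_notes.txt"},
]

def classify(cmd):
    """Return the (rule name, severity) pairs one command line triggers, in rule order."""
    text = cmd.lower()
    return [(name, sev) for name, sev, rx in RULES if rx.search(text)]

def scan(events):
    """One alert per (event, matching rule)."""
    alerts = []
    for ev in events:
        for name, sev in classify(ev["cmd"]):
            alerts.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                           "rule": name, "severity": sev})
    return alerts

def correlate(events):
    """Group the rules each (host, user) tripped. A shadow copy created and then
    ntds.dit read from it by the same actor is far stronger than either alone."""
    by_actor = {}
    for a in scan(events):
        by_actor.setdefault((a["host"], a["user"]), set()).add(a["rule"])
    return {actor: sorted(rules) for actor, rules in by_actor.items()}

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] event {a['id']} {a['host']} {a['user']}: {a['rule']}")
    for actor, rules in correlate(SAMPLE_EVENTS).items():
        print(actor, "->", rules)
```

The VSS service being started and stopped around the copy (Start-Service vss / Stop-Service vss above) is deliberately not a rule on its own; service state changes are too common to alert on, but they are worth showing next to a correlated hit.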
Beginning Proxychains - Keeping a low profile
kali@securitynik:~$ lsb_release --all
No LSB modules are available.
Distributor ID: Kali
Description:    Kali GNU/Linux Rolling
Release:        2020.3
Codename:       kali-rolling
kali@securitynik:~$ cat /etc/proxychains.conf | grep --perl-regex "^# strict_chain|^random_chain"
# strict_chain
random_chain
kali@securitynik:~$ cat /etc/proxychains.conf | tail --lines 6
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
kali@securitynik:~$ ss --numeric --listening --tcp
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
kali@securitynik:~$ which tor
kali@securitynik:~$
kali@securitynik:~$ sudo apt-get install tor
....
kali@securitynik:~$ tor --help
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2020, The Tor Project, Inc.

tor -f <torrc> [args]
See man page for options, or https://www.torproject.org/ for documentation.
kali@securitynik:~$ tor
Jul 28 22:12:39.646 [notice] Tor 0.4.3.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.4.5.
Jul 28 22:12:39.647 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 28 22:12:39.647 [notice] Read configuration file "/etc/tor/torrc".
Jul 28 22:12:39.650 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.651 [notice] Opened Socks listener on 127.0.0.1:9050
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 28 22:12:39.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 28 22:12:39.000 [notice] Bootstrapped 0% (starting): Starting
Jul 28 22:12:40.000 [notice] Starting with guard context "default"
Jul 28 22:12:40.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
Jul 28 22:12:40.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
Jul 28 22:12:40.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 59% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:41.000 [notice] Bootstrapped 69% (loading_descriptors): Loading relay descriptors
Jul 28 22:12:42.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Jul 28 22:12:42.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Jul 28 22:12:43.000 [notice] Bootstrapped 100% (done): Done
kali@securitynik:~$ ss --numeric --listening --tcp
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port   Process
LISTEN   0        4096     127.0.0.1:9050       0.0.0.0:*
kali@securitynik:~$ ncat --verbose www.securitynik.com 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 172.217.2.115:443.
kali@securitynik:~$ ping www.securitynik.com
PING ghs.googlehosted.com (172.217.2.115) 56(84) bytes of data.
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.
kali@securitynik:~$ proxychains ncat --verbose www.securitynik.com 443
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.
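The three runs above show what a correctly working chain looks like: every |R-chain| line starts at the configured socks4 proxy 127.0.0.1:9050, the DNS lookup itself is sent through the chain to 4.2.2.2:53 rather than to the local resolver, and the answer differs between runs because the exit sees a different Google front end. The following is an added example, not part of the original post or of proxychains, that turns those observations into a check: it reads the chain mode and the [ProxyList] from a proxychains.conf and parses the |R-chain| / |DNS-response| lines proxychains 3.x prints, reporting any chain that does not begin at a configured proxy, does not end with OK, or whose mode letter disagrees with the config. Assumptions: the S/D/R prefix on chain lines corresponds to strict, dynamic and random mode, failed chains end in -<--denied or -<--timeout, and the constructed config below includes a proxy_dns line (only the last six lines of the real file are shown in the post).

```python
"""Verify from its own output that a proxychains session stayed inside the chain.

Added example, not part of the original post or of proxychains. Config and log
text are constructed from the values shown in the post; proxy_dns is assumed set.
"""
import re

SAMPLE_CONF = """\
# strict_chain
random_chain
proxy_dns
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050
"""

SAMPLE_LOG = """\
ProxyChains-3.1 (http://proxychains.sf.net)
Ncat: Version 7.80 ( https://nmap.org/ncat )
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 172.217.22.211
|R-chain|-<>-127.0.0.1:9050-<><>-172.217.22.211:443-<><>-OK
Ncat: Connected to 172.217.22.211:443.
|DNS-request| www.securitynik.com
|R-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| www.securitynik.com is 216.58.207.147
|R-chain|-<>-127.0.0.1:9050-<><>-216.58.207.147:443-<><>-OK
Ncat: Connected to 216.58.207.147:443.
"""

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
# Assumed from proxychains 3.x output: chain lines carry the mode letter S, D or R,
# successes end in "-<><>-OK", failures in "-<--denied" or "-<--timeout".
MODE_BY_LETTER = {"S": "strict_chain", "D": "dynamic_chain", "R": "random_chain"}
CHAIN_RE = re.compile(r"\|([SDR])-chain\|-<>-(.*?)(?:-<><>-OK|-<--(\w+))$")
DNS_RE = re.compile(r"\|DNS-response\| (\S+) is (\S+)")

def parse_conf(text):
    """Return (chain_mode, proxy_dns, [(type, host, port), ...]); '#' lines are inactive."""
    mode, proxy_dns, proxies, in_list = None, False, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in CHAIN_MODES:
            mode = line
        elif line == "proxy_dns":
            proxy_dns = True
        elif line == "[ProxyList]":
            in_list = True
        elif in_list:
            parts = line.split()
            if len(parts) >= 3:
                proxies.append((parts[0], parts[1], int(parts[2])))
    return mode, proxy_dns, proxies

def parse_log(text):
    """Return (chains, dns): chains as dicts {mode, hops [(host, port)], status};
    dns as name -> set of answers seen."""
    chains, dns = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            hops = []
            for hop in m.group(2).split("-<><>-"):
                host, port = hop.rsplit(":", 1)
                hops.append((host, int(port)))
            chains.append({"mode": m.group(1), "hops": hops, "status": m.group(3) or "OK"})
            continue
        m = DNS_RE.match(line)
        if m:
            dns.setdefault(m.group(1), set()).add(m.group(2))
    return chains, dns

def verify(conf_text, log_text):
    """Cross-check the log against the config and list every discrepancy."""
    mode, proxy_dns, proxies = parse_conf(conf_text)
    chains, dns = parse_log(log_text)
    proxy_endpoints = {(host, port) for _type, host, port in proxies}
    problems = []
    for i, c in enumerate(chains, 1):
        if not c["hops"] or c["hops"][0] not in proxy_endpoints:
            problems.append(f"chain {i}: first hop is not a configured proxy")
        if c["status"] != "OK":
            problems.append(f"chain {i}: {c['status']}")
        if MODE_BY_LETTER[c["mode"]] != mode:
            problems.append(f"chain {i}: log mode {MODE_BY_LETTER[c['mode']]} != config {mode}")
    # With proxy_dns the lookup must travel the chain too, so expect a port-53 final hop.
    if proxy_dns and dns and not any(c["hops"][-1][1] == 53 for c in chains if c["hops"]):
        problems.append("DNS answers seen but no lookup went through the chain")
    return {"mode": mode, "proxy_dns": proxy_dns, "chains": len(chains),
            "answers": {name: sorted(ips) for name, ips in dns.items()},
            "problems": problems}

if __name__ == "__main__":
    print(verify(SAMPLE_CONF, SAMPLE_LOG))
```

The useful negative case is a tool that resolves names itself before proxychains can intercept the call: the log then shows |R-chain| connections to an already-resolved address but no port-53 hop and no |DNS-response| line, and the lookup has gone straight to the local resolver.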
Beginning packet capturing with the Windows built-in Packet Monitor (pktmon) tool
Recently, while doing some unrelated research, I came across this link from www.bleepingcomputer.com about Windows having a built-in sniffer. I am aware of being able to use "netsh trace" to perform packet capturing, but this seems like a better option. I may be wrong. Windows having a built-in sniffer is a good thing, as most of us who work with Linux are accustomed to having "tcpdump" there by default in most cases. What I like about the "pktmon.exe" version on my Windows 10 (2004) is that it supports the pcapng format.
Here is Microsoft's note on pktmon.exe.
"Packet Monitor (PacketMon) is an in-box cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting. The tool is especially helpful in virtualization scenarios like container networking, SDN, etc. It is available in-box via pktmon.exe command, and via Windows Admin Center extensions."
In this post, I will be walking through "pktmon" with as much detail as possible. Most of the resources I found online basically gave a somewhat superficial view of this tool. My intention is to make this your one-stop shop for how to use Packet Monitor.
First up, we need to ensure our terminal is running with elevated privileges.
Once in the elevated terminal, let's look at the help.
C:\Users\SecurityNik>pktmon help

pktmon { filter | comp | reset | start | stop } [OPTIONS | help]

Monitor internal packet propagation and packet drop reports.

Commands
  filter    Manage packet filters.
  comp      Manage registered components.
  reset     Reset counters to zero.
  start     Start packet monitoring.
  stop      Stop monitoring.
  format    Convert log file to text.
  pcapng    Convert log file to pcapng format.
  unload    Unload PktMon driver.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon filter help

pktmon filter { list | add | remove } [OPTIONS | help]

Commands
  list      Display active packet filters.
  add       Add a filter to control which packets are reported.
  remove    Removes all filters.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon comp help

pktmon comp { list | counters } [OPTIONS | help]

Commands
  list      List all active components.
  counters  Display current per-component counters.
  help      Show help text for a command.
C:\Users\SecurityNik>pktmon comp list help

pktmon [comp] list

List all active components.

  -i, --show-hidden    Show components that are hidden by default.
  --json               Output the list in JSON format.
C:\Users\SecurityNik>pktmon comp list --show-hidden | more

VirtualBox Host-Only Ethernet Adapter
    Id:           13
    Driver:       VBoxNetAdp6.sys
    MAC Address:  0A-00-27-00-00-05
    ifIndex:      5

    Filter Drivers:
    Id  Driver       Name
    --  ------       ----
    38  wfplwfs.sys  WFP Native Filter
    36  pacer.sys    QoS Packet Scheduler
    35  wfplwfs.sys  WFP 802.3 Filter

    Protocols:
    Id  Driver           Name         EtherType
    --  ------           ----         ---------
    96  tcpip.sys        TCPIP6       IPv6
    91  tcpip.sys        TCPIP        ARP, IPv4
    84  mslldp.sys       MSLLDP       LLDP
    83  rspndr.sys       RSPNDR       VLAN, LLTD
    82  vmnetbridge.sys  VMNETBRIDGE  * (All)
    81  ndisuio.sys      NDISUIO      88c7, VLAN, 802.1X
    80  lltdio.sys       LLTDIO       * (All)

    Application Protocols:
    Id   Driver    Name  IP Address
    --   ------    ----  ----------
    107  http.sys  HTTP  fe80::910f:2448:7235:77be
    101  http.sys  HTTP  10.0.0.1

... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>pktmon comp counters help

pktmon [comp] counters [-t { all | drop | flow }] [-z] [--json]

Display current per-component counters.

  -t, --counter-type   Select which types of counters to show. Supported values
                       are all counters (default), drops only, or flows only.
  -z, --show-zeros     Show counters that are zero in both directions.
  -i, --show-hidden    Show components that are hidden by default.
  --json               Output the counters in JSON format.
C:\Users\SecurityNik>pktmon comp counters --counter-type all --show-hidden
All counters are zero.
C:\Users\SecurityNik>pktmon filter list
There are no packet filters.
C:\Users\SecurityNik>pktmon filter add help

pktmon filter add <name> [-m mac [mac2]] [-v vlan] [-d { IPv4 | IPv6 | number }]
                         [-t { TCP [flags...] | UDP | ICMP | ICMPv6 | number }]
                         [-i ip [ip2]] [-p port [port2]] [-e [port]]

Add a filter to control which packets are reported. For a packet to be reported,
it must match all conditions specified in at least one filter. Up to 8 filters
can be active at once.

NOTE1: When two MACs (-m), IPs (-i), or ports (-p) are specified, the filter
matches packets that contain both. It will not distinguish between source or
destination for this purpose.

  name                          Optional name or description of the filter.

Ethernet frame
  -m, --mac[-address]           Match source or destination MAC address.
                                See NOTE1 above.
  -v, --vlan                    Match by VLAN Id (VID) in the 802.1Q header.
  -d, --data-link[-protocol], --ethertype
                                Match by data link (layer 2) protocol. Can be
                                IPv4, IPv6, ARP, or a protocol number.

IP header
  -t, --transport[-protocol], --ip-protocol
                                Match by transport (layer 4) protocol. Can be
                                TCP, UDP, ICMP, ICMPv6, or a protocol number.
                                To further filter TCP packets, an optional list
                                of TCP flags to match can be provided. Supported
                                flags are FIN, SYN, RST, PSH, ACK, URG, ECE, and
                                CWR.
  -i, --ip[-address]            Match source or destination IP address. See
                                NOTE1 above. To match by subnet, use CIDR
                                notation with the prefix length.

TCP/UDP header
  -p, --port                    Match source or destination port number. See
                                NOTE1 above.

Encapsulation
  -e, --encap                   This filter also applies to encapsulated inner
                                packets, in addition to the outer packet.
                                Supported encapsulation methods are VXLAN, GRE,
                                NVGRE, and IP-in-IP. Custom VXLAN port is
                                optional, and defaults to 4789.

Example 1: Ping filter
    pktmon filter add MyPing -i 10.10.10.10 -t ICMP

Example 2: TCP SYN filter for SMB traffic
    pktmon filter add MySmbSyn -i 10.10.10.10 -t TCP SYN -p 445

Example 3: Subnet filter
    pktmon filter add MySubnet -i 10.10.10.0/24
C:\Users\SecurityNik>pktmon filter add VBox-Mac --mac 0A-00-27-00-00-05
Filter added.
C:\Users\SecurityNik>pktmon filter list
#   Name       MAC Address
-   ----       -----------
1   VBox-Mac   0A-00-27-00-00-05
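The two rules in the help text above decide everything about what pktmon reports: a packet is reported when it satisfies every condition of at least one active filter (at most 8), and NOTE1 says a condition given two MACs, IPs or ports matches only a packet that carries both, with no source/destination distinction. The following is an added example, not pktmon code, that models those rules in Python so each filter used later in this post can be tried against packets taken from its output; it goes a little beyond the post in that it handles CIDR subnets, VLAN ids and the general two-value case rather than only the filters shown. One assumption is labelled in the code: the optional TCP flag list is treated as "every listed flag must be set", which is consistent with the SYN filter later in the post also reporting the [S.] reply.

```python
"""Model of the pktmon filter rules from "pktmon filter add help".

Added example, not pktmon code. Filters mirror those added in the post (the last
one was added without a name and is named SSH-Session here); packets are
constructed from addresses in the post's real-time output.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    ethertype: str                       # "IPv4", "IPv6" or "ARP"
    vlan: Optional[int] = None
    ip_proto: Optional[str] = None       # "TCP", "UDP", "ICMP", ...
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()

@dataclass
class Filter:
    name: str
    mac: Tuple[str, ...] = ()            # -m mac [mac2]
    vlan: Optional[int] = None           # -v
    ethertype: Optional[str] = None      # -d / --ethertype
    transport: Optional[str] = None      # -t
    tcp_flags: FrozenSet[str] = frozenset()  # assumption: all listed flags must be set
    ip: Tuple[str, ...] = ()             # -i ip [ip2], CIDR allowed
    port: Tuple[int, ...] = ()           # -p port [port2]

def _all_present(wanted, present):
    """NOTE1: every specified value must appear in the packet, at either end."""
    return all(w in present for w in wanted)

def _ip_matches(spec, addr):
    if addr is None:
        return False
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return addr == spec

def matches(flt: Filter, pkt: Packet) -> bool:
    """True when the packet meets every condition set on this single filter."""
    if flt.mac and not _all_present({m.upper() for m in flt.mac},
                                    {pkt.src_mac.upper(), pkt.dst_mac.upper()}):
        return False
    if flt.vlan is not None and pkt.vlan != flt.vlan:
        return False
    if flt.ethertype and pkt.ethertype.lower() != flt.ethertype.lower():
        return False
    if flt.transport:
        if (pkt.ip_proto or "").lower() != flt.transport.lower():
            return False
        if flt.tcp_flags and not flt.tcp_flags <= pkt.tcp_flags:
            return False
    if flt.ip and not all(_ip_matches(spec, pkt.src_ip) or _ip_matches(spec, pkt.dst_ip)
                          for spec in flt.ip):
        return False
    if flt.port and not _all_present(flt.port, {pkt.src_port, pkt.dst_port}):
        return False
    return True

def reported(filters, pkt):
    """Names of the filters that make pktmon report this packet; with no filters
    at all pktmon reports everything."""
    if len(filters) > 8:
        raise ValueError("pktmon allows at most 8 active filters")
    if not filters:
        return ["<no filter: all packets reported>"]
    return [f.name for f in filters if matches(f, pkt)]

FILTERS = [
    Filter("VBox-Mac", mac=("0A-00-27-00-00-05",)),
    Filter("ARP-Capture", ethertype="ARP"),
    Filter("IP-TCP", ethertype="IPv4", transport="ICMP", ip=("9.9.9.9",)),  # post's name; it is ICMP
    Filter("IP-TCP-SYN-443", ethertype="IPv4", ip=("172.217.2.115",),
           transport="TCP", tcp_flags=frozenset({"SYN"}), port=(443,)),
    Filter("SSH-Session", ip=("192.168.0.4", "192.168.0.62"), transport="TCP", port=(53726, 22)),
]

# Constructed packets based on the post's output.
ARP_REQ = Packet("0A-00-27-00-00-05", "FF-FF-FF-FF-FF-FF", "ARP")
ICMP_REQ = Packet("40-EC-99-B9-17-25", "F0-B4-D2-5A-D3-E2", "IPv4", ip_proto="ICMP",
                  src_ip="192.168.0.62", dst_ip="9.9.9.9")
SYN = Packet("40-EC-99-B9-17-25", "F0-B4-D2-5A-D3-E2", "IPv4", ip_proto="TCP",
             src_ip="192.168.0.62", dst_ip="172.217.2.115", src_port=65066, dst_port=443,
             tcp_flags=frozenset({"SYN"}))
SYN_ACK = Packet("F0-B4-D2-5A-D3-E2", "40-EC-99-B9-17-25", "IPv4", ip_proto="TCP",
                 src_ip="172.217.2.115", dst_ip="192.168.0.62", src_port=443, dst_port=65066,
                 tcp_flags=frozenset({"SYN", "ACK"}))
SSH_PUSH = Packet("40-EC-99-B9-17-25", "00-24-E8-F0-F6-79", "IPv4", ip_proto="TCP",
                  src_ip="192.168.0.62", dst_ip="192.168.0.4", src_port=53726, dst_port=22,
                  tcp_flags=frozenset({"PSH", "ACK"}))
# Same hosts, another client port: NOTE1 needs both 53726 and 22, so no match.
SSH_OTHER = Packet("40-EC-99-B9-17-25", "00-24-E8-F0-F6-79", "IPv4", ip_proto="TCP",
                   src_ip="192.168.0.62", dst_ip="192.168.0.4", src_port=53999, dst_port=22,
                   tcp_flags=frozenset({"ACK"}))

if __name__ == "__main__":
    for label, pkt in [("ARP", ARP_REQ), ("ICMP", ICMP_REQ), ("SYN", SYN),
                       ("SYN/ACK", SYN_ACK), ("SSH", SSH_PUSH), ("SSH other port", SSH_OTHER)]:
        print(f"{label:14} -> {reported(FILTERS, pkt)}")
```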
C:\Users\SecurityNik>pktmon start help

pktmon start [-c { all | nics | [ids...] }] [-d] [--etw [-p size] [-k keywords]]
             [-f] [-s] [--log-mode {circular | multi-file | real-time | memory}]

Start packet monitoring.

  -c, --components    Select components to monitor. Can be all components,
                      NICs only, or a list of component ids. Defaults to all.
  -d, --drop-only     Only report dropped packets. By default, successful
                      packet propagation is reported as well.

ETW Logging
  --etw               Start a logging session for packet capture.
  -p, --packet-size   Number of bytes to log from each packet. To always log
                      the entire packet, set this to 0. Default is 128 bytes.
  -k, --keywords      Hexadecimal bitmask (i.e. sum of the below flags) that
                      controls which events are logged. Default is 0x012.
                      Flags:
                        0x001 - Internal Packet Monitor errors.
                        0x002 - Information about components, counters and
                                filters. This information is added to the end
                                of the log file.
                        0x004 - Source and destination information for the
                                first packet in NET_BUFFER_LIST group.
                        0x008 - Select packet metadata from
                                NDIS_NET_BUFFER_LIST_INFO enumeration.
                        0x010 - Raw packet, truncated to the size specified
                                in [--packet-size] parameter.
  -f, --file-name     .etl log file. Default is PktMon.etl.
  -s, --file-size     Maximum log file size in megabytes. Default is 512 MB.
  -l, --log-mode      Select logging mode. Default is circular.
                        circular    New events overwrite the oldest ones when
                                    the maximum file size is reached.
                        multi-file  A new log file is created when the maximum
                                    file size is reached. Log files are
                                    sequentially numbered. PktMon1.etl,
                                    PktMon2.etl, etc.
                        real-time   Display events and packets on screen at
                                    real time. No log file is created. Press
                                    Ctrl+C to stop monitoring.
                        memory      Events are written to a circular memory
                                    buffer. Buffer size is specified in
                                    [--file-size] parameter. Buffer contents is
                                    written to a log file during stop operation.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...
21:31:10.816725700 PktGroupId 1, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 85, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816732400 PktGroupId 1, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 36,
Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816734200 PktGroupId 1, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 36, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816735900 PktGroupId 1, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 38, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816742000 PktGroupId 1, PktNumber 1, Appearance 5, Direction Tx , Type Ethernet , Component 38, Edge 2, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
21:31:10.816743500 PktGroupId 1, PktNumber 1, Appearance 6, Direction Tx , Type Ethernet , Component 13, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
0A-00-27-00-00-05 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.104 tell 10.0.0.1, length 28
Flushing logs...
.... <TRUNCATED FOR BREVITY> ....
C:\Users\SecurityNik>ping 10.0.0.104 -n 1

Pinging 10.0.0.104 with 32 bytes of data:
Request timed out.

Ping statistics for 10.0.0.104:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\Users\SecurityNik>dir PktMon.etl
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-08-07  09:42 PM        50,331,648 PktMon.etl
               1 File(s)     50,331,648 bytes
               0 Dir(s)  34,686,263,296 bytes free
C:\Users\SecurityNik>pktmon filter remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add ARP-Capture --ethertype arp
Filter added.

C:\Users\SecurityNik>pktmon filter list
#   Name          EtherType
-   ----          ---------
1   ARP-Capture   ARP
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...
21:54:33.326462700 PktGroupId 7, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.......
21:54:36.322822700 PktGroupId 8, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 49, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
21:54:36.322828200 PktGroupId 8, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 11, Edge 1, Filter 1, OriginalSize 42, LoggedSize 42
00-50-56-C0-00-08 > FF-FF-FF-FF-FF-FF, ethertype ARP (0x0806), length 42: Request who-has 192.168.159.2 tell 192.168.159.1, length 28
Flushing logs...
C:\Users\SecurityNik>pktmon filters remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add IP-TCP --data-link IPv4 --ip-protocol 1 --ip-address "9.9.9.9"
Filter added.

C:\Users\SecurityNik>pktmon filter list
#   Name     EtherType   Protocol   IP Address
-   ----     ---------   --------   ----------
1   IP-TCP   IPv4        ICMP       9.9.9.9
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...
22:12:01.498988200 PktGroupId 844424930131972, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 74: 192.168.0.62 > 9.9.9.9: ICMP echo request, id 1, seq 6, length 40
... <TRUNCATED FOR BREVITY> ...
22:12:01.600308300 PktGroupId 281474976710661, PktNumber 1, Appearance 5, Direction Rx , Type Ethernet , Component 76, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
22:12:01.600310300 PktGroupId 281474976710661, PktNumber 1, Appearance 6, Direction Rx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 74, LoggedSize 74
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 74: 9.9.9.9 > 192.168.0.62: ICMP echo reply, id 1, seq 6, length 40
Flushing logs...
C:\Users\SecurityNik>ping -n 1 9.9.9.9

Pinging 9.9.9.9 with 32 bytes of data:
Reply from 9.9.9.9: bytes=32 time=753ms TTL=54

Ping statistics for 9.9.9.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 753ms, Maximum = 753ms, Average = 753ms

C:\Users\SecurityNik>pktmon filter remove
Removed all filters.
C:\Users\SecurityNik>pktmon filter add IP-TCP-SYN-443 --data-link IPv4 --ip-address 172.217.2.115 --transport-protocol tcp SYN --port 443
Filter added.

C:\Users\SecurityNik>pktmon filters list
#   Name             EtherType   Protocol    IP Address      Port
-   ----             ---------   --------    ----------      ----
1   IP-TCP-SYN-443   IPv4        TCP (SYN)   172.217.2.115   443

C:\Users\SecurityNik>pktmon start --etw --log-mode real-time --packet-size 1500
Active measurement started.
Processing...
23:02:26.539704700 PktGroupId 562949953421500, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539709400 PktGroupId 562949953421500, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539712200 PktGroupId 562949953421500, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.539714000 PktGroupId 562949953421500, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: 192.168.0.62.65066 > 172.217.2.115.443: Flags [S], seq 1995496356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:02:26.599504500 PktGroupId 1688849860264106, PktNumber 1, Appearance 1, Direction Rx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: 172.217.2.115.443 > 192.168.0.62.65066: Flags [S.], seq 546326696, ack 1995496357, win 60720, options [mss 1380,nop,nop,sackOK,nop,wscale 8], length 0
23:02:26.599510100 PktGroupId 1688849860264106, PktNumber 1, Appearance 2, Direction Rx , Type Ethernet , Component 32,
... <TRUNCATED FOR BREVITY>....
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:65066: 63.67ms
  Sent = 0, Received = 0, Lost = 0 (0% loss),
  Minimum = 0.00ms, Maximum = 0.00ms, Average = 0.00ms
Control-C
^C
C:\Users\SecurityNik>netstat -anop tcp | findstr /i "est" | findstr ":22"
  TCP    192.168.0.62:53726     192.168.0.4:22         ESTABLISHED     23548
C:\Users\SecurityNik>pktmon filter add --ip-address 192.168.0.4 192.168.0.62 --transport-protocol tcp --port 53726 22
Filter added.
C:\Users\SecurityNik>pktmon start --etw --log-mode real-time
Active measurement started.
Processing...

10:25:13.196576300 PktGroupId 1688849860264110, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196581200 PktGroupId 1688849860264110, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196584200 PktGroupId 1688849860264110, PktNumber 1, Appearance 3, Direction Tx , Type Ethernet , Component 32, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

10:25:13.196585800 PktGroupId 1688849860264110, PktNumber 1, Appearance 4, Direction Tx , Type Ethernet , Component 33, Edge 1, Filter 1, OriginalSize 90, LoggedSize 90
    40-EC-99-B9-17-25 > 00-24-E8-F0-F6-79, ethertype IPv4 (0x0800), length 90: 192.168.0.62.53726 > 192.168.0.4.22: Flags [P.], seq 2998725233:2998725269, ack 582136694, win 1026, length 36

...<TRUNCATED FOR BREVITY>...
C:\Users\SecurityNik>pktmon filter list
 #  Name            EtherType  Protocol   IP Address     Port
 -  ----            ---------  --------   ----------     ----
 1  IP-TCP-SYN-443  IPv4       TCP (SYN)  172.217.2.115  443
C:\Users\SecurityNik>pktmon start --etw --log-mode multi-file --file-size 1000

Log file name:      C:\Users\SecurityNik\PktMon%d.etl
Logging mode:       Multifile
Maximum file size:  1000 MB
Active measurement started.
C:\Users\SecurityNik>psping.exe -t www.securitynik.com:443

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 172.217.2.115:443:
Infinite iterations (warmup 1) ping test:
Connecting to 172.217.2.115:443 (warmup): from 192.168.0.62:49688: 38.02ms
Connecting to 172.217.2.115:443: from 192.168.0.62:49689: 39.07ms
C:\Users\SecurityNik>pktmon counters --show-hidden

Killer(R) Wi-Fi 6 AX1650s 160MHz Wireless Network Adapter (201D2W)
Id  Name                        Counter  Direction  Packets  Bytes  |  Direction  Packets  Bytes
--  ----                        -------  ---------  -------  -----  |  ---------  -------  -----
33  Native WiFi Filter Driver   Upper    Rx         6        396    |  Tx         6        396
32  VirtualBox NDIS Light-W...  Upper    Rx         6        396    |  Tx         6        396
31  QoS Packet Scheduler        Upper    Rx         0        0      |  Tx         6        396
                                                                    |
90  TCPIP (NDIS)                Lower    Rx         6        396    |  Tx         6        396
76  VMNETBRIDGE                 Lower    Rx         6        396    |  Tx         0        0
75  NDISUIO                     Lower    Rx         6        396    |  Tx         0        0
74  LLTDIO                      Lower    Rx         6        396    |  Tx         0        0
C:\Users\SecurityNik>pktmon stop
Stopped active measurement.
Flushing logs...
Log file: C:\Users\SecurityNik\PktMon1.etl (No events lost)
C:\Users\SecurityNik>pktmon.exe format help

pktmon format log.etl [-o log.txt] [-b] [-v [level]] [-x] [-e] [-l [port]

Convert log file to text format.

  -o, --out          Name of the formatted text file.
  -s, --stats-only   Display log file statistical information.

Network packet formatting options

  -b, --brief        Abbreviated packet format.
  -v, --verbose      Verbosity level [1..3].
  -x, --hex          Hexadecimal format.
  -e, --no-ethernet  Don't print ethernet header.
  -l, --vxlan        Custom VXLAN port.
C:\Users\SecurityNik>pktmon format PktMon1.etl --stats-only --verbose
Processing...

Start time             2020-08-07 23:17:46.996574700
Stop time              2020-08-07 23:22:43.422846700
Events total           788
Manifest-based events  788
WPP events             0

Provider               Microsoft-Windows-PktMon
Keywords               0000000000000012
Manifest-based events  788
C:\Users\SecurityNik>pktmon format PktMon1.etl --out securitynik-pktmon.txt --verbose
Processing...
Events formatted: 788
Formatted file: securitynik-pktmon.txt
C:\Users\SecurityNik>type securitynik-pktmon.txt | more
23:20:28.736260500 PktGroupId 1407374883553375, PktNumber 1, Appearance 1, Direction Tx , Type Ethernet , Component 78, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52) 192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

23:20:28.736265200 PktGroupId 1407374883553375, PktNumber 1, Appearance 2, Direction Tx , Type Ethernet , Component 31, Edge 1, Filter 1, OriginalSize 66, LoggedSize 66
    40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30287, offset 0, flags [DF], proto TCP (6), length 52) 192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>pktmon pcapng help

pktmon pcapng log.etl [-o log.pcapng]

Convert log file to pcapng format. Dropped packets are not included by default.

  -o, --out           Name of the formatted pcapng file.
  -d, --drop-only     Convert dropped packets only.
  -c, --component-id  Filter packets by a specific component ID.
C:\Users\SecurityNik>pktmon pcapng PktMon1.etl --out securitynik-pktmon.pcapng
Processing...

Packets total:      60
Packet drop count:  0
Packets formatted:  60
Formatted file:     securitynik-pktmon.pcapng
C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n | more
    1   0.000000 192.168.0.62 → 172.217.2.115 TCP 66 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000005 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    3   0.000006 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    4   0.000008 192.168.0.62 → 172.217.2.115 TCP 66 [TCP Out-Of-Order] 49684 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
... <TRUNCATED FOR BREVITY> ...
C:\Users\SecurityNik>"c:\Program Files\Wireshark\tshark.exe" -r securitynik-pktmon.pcapng -n -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:60 bytes:3960
  ip                                     frames:60 bytes:3960
    tcp                                  frames:60 bytes:3960
===================================================================
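The `pktmon format` text above logs every packet once per component it crosses (Appearance 1..4 for the same PktGroupId/PktNumber), which is why the pcapng has 60 frames and tshark flags the repeats as "TCP Out-Of-Order". The parser below is an added example, not the blog's or pktmon's own code: it reads the `pktmon format` text layout (brief or `--verbose`), collapses the appearances on (PktGroupId, PktNumber) and reports per flow how many records were logged versus how many distinct packets there were, along with the component IDs involved (useful when picking a `--component-id` for `pktmon pcapng`). The sample records are constructed to mirror the page's capture, not taken from a real trace.

```python
import re
from collections import defaultdict

# Record header written by `pktmon format`: one header per appearance of a packet.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) PktGroupId (?P<group>\d+), PktNumber (?P<num>\d+), "
    r"Appearance (?P<app>\d+), Direction (?P<dir>Tx|Rx)\s*,.*?Component (?P<comp>\d+)")
# tcpdump-style line after the header; --verbose prepends "(tos ... length N)", so search, don't anchor.
PACKET_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def parse_pktmon_text(text):
    """Yield one dict per appearance: header fields merged with the TCP 5-tuple and flags."""
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            header = m.groupdict()
            continue
        p = PACKET_RE.search(line)
        if p and header is not None:
            yield {**header, **p.groupdict()}
            header = None

def summarize_flows(text):
    """Per flow: appearances logged vs distinct packets (PktGroupId, PktNumber) and components seen."""
    flows = defaultdict(lambda: {"appearances": 0, "packets": set(), "components": set()})
    for r in parse_pktmon_text(text):
        f = flows[f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} [{r['flags']}]"]
        f["appearances"] += 1
        f["packets"].add((r["group"], r["num"]))
        f["components"].add(int(r["comp"]))
    return {k: {"appearances": v["appearances"], "packets": len(v["packets"]),
                "components": sorted(v["components"])} for k, v in flows.items()}

# Constructed sample modelled on the page's capture (values illustrative, not a real trace):
# one SYN logged at components 78, 31, 32, 33 and its SYN-ACK logged at 33 and 32.
def _record(group, appearance, direction, component, packet_line):
    return (f"23:20:28.736260500 PktGroupId {group}, PktNumber 1, Appearance {appearance}, "
            f"Direction {direction} , Type Ethernet , Component {component}, Edge 1, Filter 1, "
            f"OriginalSize 66, LoggedSize 66\n\t{packet_line}")

SYN = ("40-EC-99-B9-17-25 > F0-B4-D2-5A-D3-E2, ethertype IPv4 (0x0800), length 66: "
       "192.168.0.62.49684 > 172.217.2.115.443: Flags [S], seq 3212292088, win 64240, length 0")
SYNACK = ("F0-B4-D2-5A-D3-E2 > 40-EC-99-B9-17-25, ethertype IPv4 (0x0800), length 66: "
          "172.217.2.115.443 > 192.168.0.62.49684: Flags [S.], seq 546326696, ack 3212292089, win 60720, length 0")
SAMPLE = "\n".join([_record(1407374883553375, a, "Tx", c, SYN) for a, c in enumerate((78, 31, 32, 33), 1)]
                   + [_record(1688849860264106, a, "Rx", c, SYNACK) for a, c in enumerate((33, 32), 1)])
```

Running `summarize_flows` on the text produced by `pktmon format PktMon1.etl --out ...` gives the real packet count behind the inflated frame totals that `pktmon pcapng` and tshark report.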