October 29, 2019 · Basic Pen-Testing

2.3 : Essential Tools - tcpdump (Part V)

Extracting an HTTP Basic-auth password: example

Let's say you are an IT administrator: you have set up a router and pre-captured a traffic file from it.

Examine the content
You can open the file with the -r flag (or in Wireshark):

tcpdump -r dump.pcap
# -n : don't resolve addresses or ports to names
# awk -F" " '{print $3}' : print the 3rd space-separated field (the source address.port)
# sort -u : sort ascending and drop duplicates
tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort -u | head

Advanced filtering

# Keep -r (and the other options) before the filter expression: everything after
# the options is parsed as the filter, and a stray -r inside it is a syntax error.
# source host 10.0.0.1 only
tcpdump -n -r password_cracking_filtered.pcap src host 10.0.0.1
# destination host 10.0.0.1 only
tcpdump -n -r password_cracking_filtered.pcap dst host 10.0.0.1
# port 81 only (as source or destination port)
tcpdump -n -r dump.pcap port 81

Advanced dump

# -X : print the data of each packet (minus its link-level header) in hex and ASCII
tcpdump -nX -r dump.pcap

Packet header filtering
In TCP, every segment on an established connection carries the ACK flag.
To keep only the segments that actually deliver application data (PSH), we filter for packets that have both ACK and PSH set.

TCP flags (bit order in the flags byte, high to low) :- C E U A P R S F
C 0x80 Congestion Window Reduced (CWR)
E 0x40 ECN Echo (ECE)
U 0x20 Urgent (URG)
A 0x10 Acknowledgment (ACK)
P 0x08 Push (PSH)
R 0x04 Reset (RST)
S 0x02 Synchronize (SYN)
F 0x01 Finish (FIN)

TCP options :-
0 End of Options List
1 No Operation (NOP, padding)
2 Maximum Segment Size
3 Window Scale
4 SACK Permitted
8 Timestamp

ACK + PSH = 0x10 + 0x08 = 0x18 = 24 (decimal), so the flags byte of the TCP header, tcp[13], must equal 24.

more refs:
http://hackingsimpler.blogspot.com/2012/01/packet-header-analysis.html

So the resulting filter is:

# -A : print each packet's payload as ASCII
# tcp[13] : byte 13 of the TCP header, i.e. the flags byte; = 24 means exactly PSH and ACK are set
tcpdump -A -n -r dump.pcap 'tcp[13] = 24'

Because -A prints the payload as ASCII, the HTTP Authorization header becomes visible, and we can use it to escalate privileges.
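As an added example (not code from the original post), the script below decodes tcpdump's tcp[13] flags byte using the same flag table as above, renders it the way tcpdump prints it in the "Flags [P.]" column, and contrasts the exact test 'tcp[13] = 24' with the mask test 'tcp[13] & 0x18 = 0x18'. The exact test silently drops PSH+ACK segments that also carry ECE or CWR, which is the caveat to keep in mind when the filter seems to miss traffic. The sample flag bytes at the bottom are constructed, not taken from the capture.

```python
"""Added example: decoding the tcp[13] flags byte that tcpdump's BPF filters test."""

# Flag bit values, same table as in the post (byte 13 of the TCP header).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

# Letters tcpdump prints inside "Flags [...]", in the order it prints them;
# '.' stands for ACK, so PSH+ACK is shown as "[P.]" and SYN+ACK as "[S.]".
_TCPDUMP_LETTERS = [
    ("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
    ("ACK", "."), ("URG", "U"), ("ECE", "E"), ("CWR", "W"),
]


def byte_from_flags(*names):
    """Combine flag names into the value of the flags byte (tcp[13])."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value


def flags_from_byte(value):
    """Return the names of the set flags in a flags byte, highest bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("flags byte must be 0..255")
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def tcpdump_style(value):
    """Render a flags byte the way tcpdump prints it, e.g. 0x18 -> '[P.]'."""
    letters = "".join(ch for name, ch in _TCPDUMP_LETTERS if value & TCP_FLAGS[name])
    return "[" + letters + "]"


def matches_exact(value, wanted):
    """Equivalent of the BPF test 'tcp[13] = wanted': only that exact combination."""
    return value == wanted


def matches_mask(value, wanted):
    """Equivalent of 'tcp[13] & wanted = wanted': wanted bits set, other bits ignored."""
    return (value & wanted) == wanted


def bpf_filters(*names):
    """Build both BPF expressions for a flag combination."""
    wanted = byte_from_flags(*names)
    return {
        "exact": f"tcp[13] = {wanted}",
        "mask": f"tcp[13] & 0x{wanted:02x} = 0x{wanted:02x}",
    }


if __name__ == "__main__":
    psh_ack = byte_from_flags("ACK", "PSH")
    print(f"ACK+PSH -> 0x{psh_ack:02x} = {psh_ack}  {tcpdump_style(psh_ack)}")
    print(bpf_filters("ACK", "PSH"))
    # Constructed sample flag bytes: SYN, SYN+ACK, PSH+ACK, and PSH+ACK with ECE also set.
    for sample in (0x02, 0x12, 0x18, 0x58):
        print(f"0x{sample:02x} {tcpdump_style(sample):6} exact={matches_exact(sample, 24)} "
              f"mask={matches_mask(sample, 0x18)}  {flags_from_byte(sample)}")
```

The 0x58 sample is the interesting one: it is a data-bearing segment on an established connection, but 'tcp[13] = 24' rejects it while the mask form accepts it.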

> tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap | head -n 50
# the next line is tcpdump's stderr, printed when head closes the pipe after 50 lines; it is harmless
tcpdump: Unable to write output: Broken pipe

reading from file password_cracking_filtered.pcap, link-type EN10MB (Ethernet)
20:51:20.802032 IP 127.0.0.1.60509 > 10.0.0.1.8888: Flags [P.], seq 1855084075:1855084163, ack 4166855390, win 115, options [nop,nop,TS val 25538253 ecr 71430591], length 88
[email protected]..(
.].Qn.V+.]*....s1......
.....A..GET //panel HTTP/1.1
Host: panel.example.com:8888


20:51:20.802136 IP 127.0.0.1.60509 > 10.0.0.1.8888: Flags [P.], seq 0:88, ack 1, win 115, options [nop,nop,TS val 25538253 ecr 71430591], length 88
[email protected]..(
.].Qn.V+.]*....s1......
.....A..GET //panel HTTP/1.1
Host: panel.example.com:8888


20:51:20.802465 IP 127.0.0.1.60509 > 10.0.0.1.8888: Flags [P.], seq 0:88, ack 1, win 115, options [nop,nop,TS val 25538253 ecr 71430591], length 88
E.....@.:....D.c..(
.].Qn.V+.]*....s1......
.....A..GET //panel HTTP/1.1
Host: panel.example.com:8888


20:51:20.803109 IP 10.0.0.1.8888 > 127.0.0.1.60509: Flags [P.], seq 1:743, ack 88, win 905, options [nop,nop,TS val 71430591 ecr 25538253], length 742
E....f@.@.....(
.D.c.Q.].]*.n.V............
.A......HTTP/1.1 401 Authorization Required
Date: Mon, 22 Apr 2013 12:51:20 GMT
Server: Apache/2.2.20 (Ubuntu)
WWW-Authenticate: Basic realm="Password Protected Area"
Vary: Accept-Encoding
Content-Length: 488
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.20 (Ubuntu) Server at panel.example.com Port 8888</address>
</body></html>

More filtering: keep only the Authorization header lines.

> tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap | grep Authorization: | head

reading from file password_cracking_filtered.pcap, link-type EN10MB (Ethernet)
Authorization: Basic xxxxxxxxxxxxxxxxxxx=
Authorization: Basic xxxxxxxxxxxxxxxxxxx=
Authorization: Basic xxxxxxxxxxxxxxxxxxx=
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
Authorization: Basic xxxxxxxxxxxxxxxxxxx
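The grep above shows the headers but not who sent them where. As an added example (not from the original post), the script below reads the text that `tcpdump -A -n` prints, tracks the source and destination of each packet from tcpdump's header line, and reports every HTTP Basic-auth credential sent in cleartext with the password redacted, which is the form an administrator needs to find the affected accounts and hosts. The sample input is constructed to look like the output above (the credential "admin:s3cret" and the truncated token are made up); tokens that are not valid base64, like the redacted ones on this page, are reported as undecodable rather than crashing the scan.

```python
"""Added example: find cleartext HTTP Basic auth in the ASCII output of `tcpdump -A -n`."""
import base64
import binascii
import re
import sys
from collections import Counter

# tcpdump's per-packet header line, e.g.
# "20:51:20.802032 IP 127.0.0.1.60509 > 10.0.0.1.8888: Flags [P.], seq ..."
PACKET_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)
AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_basic(token):
    """Return (username, password) for a Basic token, or None if it cannot be decoded."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:            # RFC 7617 requires "user:password"
        return None
    return user, password


def find_basic_auth(lines):
    """Scan tcpdump -A output; yield one finding per Authorization header seen."""
    current = None     # (src, sport, dst, dport, flags) of the packet being printed
    for line in lines:
        m = PACKET_RE.match(line)
        if m:
            current = m.groups()
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        creds = decode_basic(m.group(1))
        yield {
            "src": current[0] if current else "?",
            "dst": f"{current[2]}:{current[3]}" if current else "?",
            "flags": current[4] if current else "?",
            "user": creds[0] if creds else "<undecodable>",
            "password_len": len(creds[1]) if creds else 0,   # never the password itself
        }


def summarize(lines):
    """Count findings per (destination, user) so each leaked account is listed once."""
    return Counter((f["dst"], f["user"]) for f in find_basic_auth(lines))


def _sample_lines():
    """Constructed sample shaped like `tcpdump -A -n` output (not real capture data)."""
    token = base64.b64encode(b"admin:s3cret").decode()   # constructed credential
    hdr = ("20:51:20.802032 IP 127.0.0.1.60509 > 10.0.0.1.8888: Flags [P.], "
           "seq 1:89, ack 1, win 115, length 88")
    return [
        hdr,
        "E..x..@.@.....",                 # hex/ASCII residue of the IP/TCP headers
        "GET //panel HTTP/1.1",
        "Host: panel.example.com:8888",
        f"Authorization: Basic {token}",
        "",
        hdr,
        "GET //panel HTTP/1.1",
        f"Authorization: Basic {token}",
        "",
        "20:51:21.000000 IP 127.0.0.1.60510 > 10.0.0.1.8888: Flags [P.], "
        "seq 1:60, ack 1, win 115, length 59",
        "Authorization: Basic xxxxxxxxxxxxxxxxxxx",   # truncated token, as in the redacted output
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = _sample_lines()
    for (dst, user), n in sorted(summarize(lines).items()):
        print(f"cleartext Basic auth to {dst} as {user!r}: {n} request(s)")
```

To run it against a real capture, save the ASCII dump first (`tcpdump -A -n -r file.pcap 'tcp[13] & 0x18 = 0x18' > dump.txt`) and pass dump.txt as the argument; with no argument it scans the constructed sample.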