Our Top Ten Network Tools and Techniques
Chris Brenton and Bill Stearns are seasoned networking adventurers with years of expertise, fearlessly exploring the realms of connectivity and safeguarding digital domains through their mastery in networking security.
In the following webcast, Chris and Bill go through the top 10 security tools, techniques and network tricks they use every day for decoding packets and working with network streams, many of which may not be common knowledge. The focus is on open-source tools and scripts that anyone can apply to their own environment.
Covered in the Webcast:
(1) SmarTTY Tour (Chris)
Dependency: Visual Studio Community Edition
https://visualgdb.com/vscommunity
(2) sshprep for Setting up SSH Keys and Configuration (Bill)
https://github.com/william-stearns/sshprep
https://www.youtube.com/watch?v=62hps0XZkN8
Install
mkdir ~/bin
cd ~/bin
curl -fsSL https://raw.githubusercontent.com/william-stearns/sshprep/main/sshprep -O
chmod 755 sshprep
Use
sshprep ssh_hostname #Only need to run this once per remote host
ssh ssh_hostname
(3) Print tshark Fields (Chris)
Let's assume you want to print out only specified IP fields rather than the summary tshark provides. You can do this by leveraging display filter fields. A complete list of display filter fields can be seen by running:
tshark -G
You can also filter this output using grep. For example, to see all display filter fields associated with HTTP, use the following:
tshark -G | grep 'http\.' | less -S -x 50
Let’s assume I want to search a pcap and print out the top 5 FQDNs being queried and the answers given in response. I could run:
tshark -r <pcap name> -T fields -e dns.qry.name -e dns.a -Y 'dns.flags.response == 1' | sort | uniq -c | sort -rn | head -5 #Responses only, so each line carries the queried name and the answer returned
Top 10 IPs sending packets and where they are going:
tshark -r <pcap name> -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -rn | head
(4) screen for Long Running Commands (Bill)
http://www.stearns.org/doc/screen-for-detachable-sessions.html
Install
sudo apt -y install screen || sudo yum -y install screen
Use: start a long-running command on this system
screen -S session_name -R #To start. Run commands here.
<Ctrl>-a , d #To disconnect, letting command continue
screen -S session_name -R #To reconnect later
Use: starting a long-running command on a remote system
ssh -t remote_system screen -S session_name -d -R #Run commands here
<Ctrl>-a , d #To disconnect, letting command continue
ssh -t remote_system screen -S session_name -d -R #Reconnect later
(5) Payload Simulator (Chris)
Three options:
(A) Use curl to define the user agent and screen to run in the background:
#!/bin/bash
#beacon-test: fetch the target in a loop with a recognisable user agent
while :
do
  curl -A 'Modzilla/0.0001 (Atari 7800)' "$1" >/dev/null 2>&1
  sleep $(shuf -i200-350 -n1) #Random 200-350 second interval so the beacon has jitter
done
Then run this command with screen:
screen -S c2 -d -m /bin/beacon-test <Target IP or FQDN>
(B) Use hping3 to define the payload
echo This is my happy payload > foo.txt
sudo hping3 -1 -E ./foo.txt -d 100 -c 3 <target IP> #-1 ICMP mode, -E payload file, -d payload size, -c packet count
(C) Use netcat to transfer file info
Create a test file:
echo This is an awesome file > send.txt
Set up a netcat listener to receive the file (sudo not needed for ports above 1024):
nc -l -p 1234 > received.txt
Use netcat to send the file to the receiving system:
nc -w 3 <target IP> 1234 < send.txt
(6) gkrellm for System Status (Bill)
http://www.stearns.org/doc/network-monitoring.current.html
Other tools for visibility: https://www.activecountermeasures.com/peering-inside/
https://www.youtube.com/watch?v=-GfqEI1yLGM&t=72s
Install
sudo apt -y install gkrellm || sudo yum -y install gkrellm
Use
gkrellm & #To start
<F1> #To bring up configuration screen
(7) Count Connects per Hour in pcaps and Zeek Logs (Chris)
https://random-class.s3.amazonaws.com/beacon-tshark
https://random-class.s3.amazonaws.com/beacon-data
sudo chmod 755 beacon*
Comments are within each script. beacon-tshark takes the pcap name as its first argument. Both take a source and destination IP as input. Output is two columns: the hour and the number of connections that took place in that hour. Works best with 24 hours of data.
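As an added example (not the beacon-data script linked above), a small POSIX shell function that produces the same two-column hour/count output from a Zeek conn.log for one source/destination pair; it assumes Zeek's default tab-separated conn.log with its #fields header and a GNU or busybox date for labelling the hour, and the log lines are constructed for the demonstration.

```shell
# Added example: connections per hour between one source and one destination
# in a Zeek conn.log. Assumes Zeek's tab-separated conn.log (with its #fields
# header) and GNU/busybox date for rendering the hour bucket.

# Constructed sample conn.log, emitted with printf so the tabs survive copy/paste.
sample_conn_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
  printf '1700000100.1\tC1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\n'
  printf '1700000400.2\tC2\t10.0.0.5\t51001\t203.0.113.9\t443\ttcp\n'
  printf '1700003700.3\tC3\t10.0.0.5\t51002\t203.0.113.9\t443\ttcp\n'
  printf '1700003800.4\tC4\t10.0.0.7\t51003\t203.0.113.9\t443\ttcp\n'
  printf '1700007300.5\tC5\t10.0.0.5\t51004\t203.0.113.9\t443\ttcp\n'
}

# connects_per_hour SRC_IP DST_IP   (conn.log on stdin)
# Column positions come from the #fields header, so a conn.log with extra or
# reordered columns still works.
connects_per_hour() {
  awk -F '\t' -v src="$1" -v dst="$2" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }                          # other Zeek metadata lines
    $(col["id.orig_h"]) == src && $(col["id.resp_h"]) == dst {
      bucket = int($(col["ts"]) / 3600) * 3600   # epoch second that starts the hour
      count[bucket]++
    }
    END { for (b in count) printf "%d\t%d\n", b, count[b] }
  ' | sort -n | while read -r bucket n; do
    # Render the bucket as a UTC hour; the count stays in the second column.
    printf '%s\t%s\n' "$(date -u -d "@$bucket" '+%Y-%m-%d %H:00')" "$n"
  done
}

# Usage: sample_conn_log | connects_per_hour 10.0.0.5 203.0.113.9
```

A beacon checking in every few minutes shows up as a nearly constant count in every hour, which is what the webcast's scripts are built to expose.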
(8) rsync File Mirroring (Bill)
Sends totally new files and the changed portions of changed files. Use sshprep first to put keys in place so you don’t need a password.
http://www.stearns.org/doc/rsync-quickstart.txt
Install (on both local and remote system)
sudo apt -y install rsync || sudo yum -y install rsync
Use
rsync -av -e ssh /localpath/ destination:/path/ #Push local to remote
rsync -av -e ssh source:/path/ /localpath/ #Pull remote to local
# ":" identifies the remote end
#All paths must end with a "/" so the directory contents, not the directory itself, are copied
#Add -z to compress in transit
#Optional: --progress and --partial
(9) Print Packet Payloads with tshark (Chris)
tshark -r <pcap with ICMP data> -T fields -Y data.data -e "data.data" | xxd -r -p | less -S
tshark -r <pcap with TCP data> -T fields -e tcp.payload | xxd -r -p | less -S
tshark -r <pcap with UDP data> -T fields -e udp.payload | xxd -r -p | less -S
(10) Filtering with BPF (Bill)
Uses tcpdump (in contrast to tshark; WinDump is the Windows equivalent). BPF filters work with all pcap-based packet capture applications.
https://www.activecountermeasures.com/?s=BPF
https://www.activecountermeasures.com/filtering-out-high-volume-traffic/
Install
sudo apt -y install tcpdump || sudo yum -y install tcpdump
Use: Running tcpdump in an ssh connection to a remote machine:
sudo tcpdump -i eth0 -qtnp 'not (tcp port 22 and host my.ip.address)'
Use: Just interested in one IP
sudo tcpdump -i eth0 -qtnp 'host some.ip.address'
Use: Just interested in one port, such as LLMNR
sudo tcpdump -i eth0 -qtnp '(udp port 5355)'
Use: Don’t show high volume mysql replication between two db servers
sudo tcpdump -i eth0 -qtnp 'not (host 7.8.9.10 and host 14.15.16.17 and tcp port 3306)'
You are welcome to join our Threat Hunter Community Discord Server to join in on the conversation about this and other threat hunting related topics: https://discord.gg/threathunter
Chris has been a leader in the IT and security industry for over 20 years. He's a published author of multiple security books and the primary author of the Cloud Security Alliance's online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.