Our Top Ten Network Tools and Techniques

Chris Brenton and Bill Stearns are seasoned networking adventurers with years of expertise, fearlessly exploring the realms of connectivity and safeguarding digital domains through their mastery in networking security.

In the following webcast, Chris and Bill go through the top 10 security tools, techniques and network tricks they use every day for decoding packets and working with network streams, many of which are not common knowledge. The focus is on open-source tools and scripts that anyone can apply to their own environment.

Covered in the Webcast:

(1) SmarTTY Tour (Chris)

https://sysprogs.com/SmarTTY/

Dependency: Visual Studio Community Edition

https://visualgdb.com/vscommunity

(2) sshprep for Setting up SSH Keys and Configuration (Bill)

https://github.com/william-stearns/sshprep

https://www.youtube.com/watch?v=62hps0XZkN8

Install

mkdir ~/bin
cd ~/bin
curl -fsSL https://raw.githubusercontent.com/william-stearns/sshprep/main/sshprep -O
chmod 755 sshprep

Use

sshprep ssh_hostname #Only need to run this once per remote host
ssh ssh_hostname

(3) Print tshark Fields (Chris)

Let's assume you want to print out only specific IP fields rather than the one-line summary tshark provides. You can do this with the -T fields and -e options, naming the same fields that display filters use. A complete list of the fields tshark knows about can be seen by running:

tshark -G

You can also filter this output using grep. For example, to see all fields associated with HTTP, use the following (the -x 50 keeps the description column readable):

tshark -G | grep 'http\.' | less -S -x 50

Let’s assume I want to search a pcap and print out the top 5 FQDNs being queried and the answers given in response. I could run:

tshark -r <pcap name> -T fields -e dns.qry.name dns | sort | uniq -c | sort -rn | head -5

Top 10 source/destination IP pairs by packet count (which IPs are sending packets and where they are going):

tshark -r <pcap name> -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -rn | head
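The counting pipeline above works on any tshark field output, but a bare sort | uniq -c counts packets that lack the requested field as one very common blank line, and the DNS command prints only the query names, not the answers. The following is an added example (not from the webcast) that reads tshark's tab-separated fields output on stdin, skips empty names, and keeps the answers alongside the count. It assumes the fields were printed as dns.qry.name followed by dns.a, for instance from tshark -r file.pcap -Y 'dns.flags.response == 1' -T fields -e dns.qry.name -e dns.a; the sample data below is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the webcast): summarize tshark "-T fields" output
# offline. Assumes the fields were printed tab-separated (tshark's default) as
#   dns.qry.name <TAB> dns.a
# e.g. from:  tshark -r file.pcap -Y 'dns.flags.response == 1' -T fields -e dns.qry.name -e dns.a

# Constructed sample of such output; not real capture data.
sample_dns() {
  printf '%s\t%s\n' \
    'www.example.com' '93.184.216.34' \
    'api.example.net' '203.0.113.7,203.0.113.8' \
    'www.example.com' '93.184.216.34' \
    'cdn.example.org' '' \
    'www.example.com' '93.184.216.34' \
    'api.example.net' '203.0.113.7,203.0.113.8'
}

# top_queries [N]: read "name<TAB>answers" lines on stdin and print the N
# (default 5) most-queried names as "count<TAB>name<TAB>answers". Records with
# an empty name (packets that had no such field) are skipped, which a bare
# "sort | uniq -c" would otherwise count as one very common blank line.
top_queries() {
  n=${1:-5}
  awk -F'\t' '
    $1 != "" {
      count[$1]++
      if ($2 != "") answers[$1] = $2   # keep the most recent non-empty answer set
    }
    END {
      for (name in count)
        printf "%d\t%s\t%s\n", count[name], name, answers[name]
    }' | sort -rn | head -n "$n"
}

# Run against the constructed sample when executed directly.
sample_dns | top_queries 5
```

To use it on a real capture, replace sample_dns with the tshark command from the comment and pipe it into top_queries. The same function summarizes the ip.src/ip.dst pairs from the previous command if you print those two fields instead; a name that resolves to different answers over time will show only the last answer set seen, so look at the raw field output when that matters.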

(4) screen for Long Running Commands (Bill)

http://www.stearns.org/doc/screen-for-detachable-sessions.html

Install

sudo apt -y install screen || sudo yum -y install screen

Use: start a long-running command on this system

screen -S session_name -R #To start. Run commands here.
<Ctrl>-a , d #To disconnect, letting command continue
screen -S session_name -R #To reconnect later

Use: starting a long-running command on a remote system

ssh -t remote_system screen -S session_name -d -R #Run commands here
<Ctrl>-a , d #To disconnect, letting command continue
ssh -t remote_system screen -S session_name -d -R #Reconnect later

(5) Payload Simulator (Chris)

Three options:

(A) Use curl to define the user agent and screen to run in the background:

#!/bin/bash
# beacon-test: fetch the given URL or host at a random interval of 200-350
# seconds with a made-up User-Agent string, forever (stop it by killing the
# screen session). Used to generate beacon-like traffic for testing detection.
target="$1"
[ -n "$target" ] || { echo "Usage: $0 <Target IP or FQDN>" >&2; exit 1; }
while :
do
        curl -A 'Modzilla/0.0001 (Atari 7800)' "$target" >/dev/null 2>&1
        sleep "$(shuf -i 200-350 -n 1)"
done

Save the script as /bin/beacon-test, make it executable, then run it detached under screen:

screen -S c2 -d -m /bin/beacon-test <Target IP or FQDN>

(B) Use hping3 to define the payload (-1 selects ICMP mode, -E reads the payload from a file, -d sets the data size and -c the packet count):

echo This is my happy payload > foo.txt
sudo hping3 -1 -E ./foo.txt -d 100 -c 3 <target IP>

(C) Use netcat to transfer a file

Create a test file:

echo This is an awesome file > send.txt

On the receiving system, set up a netcat listener that writes the incoming data to a file (sudo not needed for ports above 1024):

nc -l -p 1234 > received.txt

On the sending system, use netcat to send the file to the receiving system:

nc -w 3 <target IP> 1234 < send.txt

(6) gkrellm for System Status (Bill)

http://www.stearns.org/doc/network-monitoring.current.html

Other tools for visibility: https://www.activecountermeasures.com/peering-inside/

https://www.youtube.com/watch?v=-GfqEI1yLGM&t=72s

Install

sudo apt -y install gkrellm || sudo yum -y install gkrellm

Use

gkrellm & #To start
<F1> #To bring up configuration screen

(7) Count Connects per Hour in pcaps and Zeek Logs (Chris)

https://random-class.s3.amazonaws.com/beacon-tshark
https://random-class.s3.amazonaws.com/beacon-data

sudo chmod 755 beacon*

Usage comments are inside each script. beacon-tshark takes the pcap name as its first argument; both scripts take a source IP and a destination IP as input. Output is two columns: the hour and the number of connections that took place in that hour. Works best with 24 hours of data.
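As an added illustration of the idea behind those scripts (this is not the webcast's beacon-data script and makes no claim about how it is written), the following counts connections per hour of day between one source and one destination from a Zeek conn.log read on stdin. It assumes the default conn.log column order (column 1 is ts in epoch seconds, column 3 is id.orig_h, column 5 is id.resp_h); the conn.log fragment below is constructed, not real data.

```shell
#!/bin/sh
# Added example (not the webcast's beacon-data script): count connections per
# hour of day between one source and one destination from a Zeek conn.log read
# on stdin. Assumes the default conn.log column order, where column 1 is ts
# (epoch seconds), column 3 is id.orig_h and column 5 is id.resp_h.

# Constructed sample conn.log fragment; not real data. Only the first five
# columns are shown, which is all the function below needs.
sample_conn_log() {
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\n'
  printf '%s\t%s\t%s\t%s\t%s\n' \
    1700000000.1 CAAA 10.0.0.5 49152 203.0.113.9 \
    1700000300.2 CAAB 10.0.0.5 49153 203.0.113.9 \
    1700003700.3 CAAC 10.0.0.5 49154 203.0.113.9 \
    1700003900.4 CAAD 10.0.0.7 49155 203.0.113.9 \
    1700090000.5 CAAE 10.0.0.5 49156 203.0.113.9
}

# conns_per_hour SRC DST: print 24 lines of "HH<TAB>count" (UTC hour of day).
# Hours with no connections are printed as 0 so gaps in a beacon stay visible
# instead of silently dropping out of the output.
conns_per_hour() {
  awk -F'\t' -v src="$1" -v dst="$2" '
    /^#/ { next }                          # skip Zeek header and footer lines
    $3 == src && $5 == dst {
      hour = int(($1 % 86400) / 3600)      # epoch seconds -> UTC hour of day
      count[hour]++
    }
    END {
      for (h = 0; h < 24; h++) printf "%02d\t%d\n", h, count[h] + 0
    }'
}

# Run against the constructed sample when executed directly.
sample_conn_log | conns_per_hour 10.0.0.5 203.0.113.9
```

Feed it a real log with conns_per_hour 10.0.0.5 203.0.113.9 < conn.log. Because the bucket is the hour of day, more than 24 hours of data folds onto the same 24 rows, which is why a single day works best. For a pcap instead of a Zeek log, tshark -r file.pcap -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' -T fields -e frame.time_epoch -e ip.src -e ip.dst produces the same three pieces of information in columns 1, 2 and 3, so the $3 and $5 in the awk program would become $2 and $3.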

(8) rsync File Mirroring (Bill)

Sends totally new files and the changed portions of changed files. Use sshprep first to put keys in place so you don’t need a password.

http://www.stearns.org/doc/rsync-quickstart.txt

Install (on both local and remote system)

sudo apt -y install rsync || sudo yum -y install rsync

Use

rsync -av -e ssh /localpath/ destination:/path/
rsync -av -e ssh source:/path/ /localpath/

# ":" identifies the remote end
# All paths must end with a "/"
# Add -z to compress in transit
# Optional: --progress and --partial

(9) Print Packet Payloads with tshark (Chris)

tshark -r <pcap with ICMP data> -T fields -Y data.data -e "data.data" | xxd -r -p | less -S
tshark -r <pcap with TCP data> -T fields -e tcp.payload | xxd -r -p | less -S
tshark -r <pcap with UDP data> -T fields -e udp.payload | xxd -r -p | less -S

(10) Filtering with BPF (Bill)

Use tcpdump here (in contrast to tshark; on Windows the equivalent is windump). BPF filter syntax works with all libpcap-based packet capture applications.

https://www.activecountermeasures.com/?s=BPF

https://www.activecountermeasures.com/filtering-out-high-volume-traffic/

Install

sudo apt -y install tcpdump || sudo yum -y install tcpdump

Use: running tcpdump over an ssh connection to a remote machine (exclude your own ssh session so its packets don't show up in the capture):

sudo tcpdump -i eth0 -qtnp 'not (tcp port 22 and host my.ip.address)'

Use: Just interested in one IP

sudo tcpdump -i eth0 -qtnp 'host some.ip.address'

Use: just interested in one port, such as LLMNR (UDP 5355)

sudo tcpdump -i eth0 -qtnp '(udp port 5355)'

Use: don't show high-volume MySQL replication between two database servers

sudo tcpdump -i eth0 -qtnp 'not (host 7.8.9.10 and host 14.15.16.17 and tcp port 3306)'

You are welcome to join our Threat Hunter Community Discord Server to join in on the conversation about this and other threat hunting related topics: https://discord.gg/threathunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
