Friday, May 17, 2013

Using netcat to push dumped traffic to another host

Have you ever been in a bind where a network tool is available on a remote host, but the traffic you're interested in and trying to capture is on another host?

In my case, I use a very good L4 analysis tool that does not compile very well under OpenBSD. So I use my cloud-based Linux host, which has all of my tools/packages installed. And with netcat, I can make a session and send my captured traffic through to that host for analysis, in real time or later on.

Here's my setup,

HostA (capturing machine)
HostB (a cloud-based Linux host with my hacking tools installed :) )

So HostA needs access to HostB. This can be done by any means; in the past I've used ssh tunneling and IPsec VPNs, and in some cases I would install a temporary iptables rule on HostB to allow access and open it to the world.

e.g. (netcat will be enabled on HostB on port 24001, so a rule similar to the one below)

iptables -A INPUT -p tcp --dport 24001 -j ACCEPT

Now on HostB we start netcat on port 24001 and dump its output to a file named "hosta.pcap".

nc -l 24001 > hosta.pcap

and you can validate that it's started via:

netstat -an | grep 24001
tcp4       0      0  *.24001                *.*                    LISTENZ

Zbab12:~ kfelix$

Now on HostA we can start the capture side of things. What we will do is run nc and send its output to HostB; we pipe our tcpdump output into netcat. So for this example, I'm dumping on my em1 interface and sending that output to netcat on HostB via HostA's netcat.

tcpdump -s 1500 -l -w - -i em1 tcp and port 80 | nc HostB 24001

At this point you're writing the pcap output to netcat on HostB, and the file "hosta.pcap" there will contain the pcap content. I use something like the above when pen-testing with an onsite or remote plug.
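The two halves of the procedure above, wrapped into shell functions with the check I would run on HostB afterwards. This is an added example, not the post's own commands: the HostB address is a placeholder (a TEST-NET-3 documentation address), the capture side uses tcpdump's -U (packet-buffered output, the pcap-file counterpart of -l) and appends "and not tcp port 24001" to the filter so the netcat session itself never ends up in the capture, and pcap_kind/pcap_snaplen are assumed helper names that inspect the received file's global header so an empty file (nc never got a connection) or an error-text file is caught before you load it into your analysis tool. make_sample_pcap writes a constructed 24-byte pcap header so the checks can be exercised without running tcpdump.

```shell
#!/bin/sh
# Added example; placeholders below are not from the original post.
HOSTB=203.0.113.10   # placeholder: address of the listening host (HostB)
NC_PORT=24001        # the netcat port used in the post
IFACE=em1            # interface being captured on HostA

# HostB side: receive the raw pcap byte stream into a file.
# Usage: start_listener hosta.pcap
start_listener() {
  nc -l "$NC_PORT" > "$1"
}

# HostA side: stream packets matching the given BPF filter to HostB.
# "not tcp port $NC_PORT" keeps the transport session out of its own capture;
# -U flushes each packet into the pipe instead of waiting for a full buffer.
# Usage: start_capture 'tcp and port 80'
start_capture() {
  tcpdump -i "$IFACE" -s 1500 -U -w - "($1) and not tcp port $NC_PORT" \
    | nc "$HOSTB" "$NC_PORT"
}

# Classify a received file by its first four bytes (pcap global header magic).
# Prints: pcap | pcap-ns | pcapng | empty | unknown
pcap_kind() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4) echo pcap ;;      # classic pcap, little/big endian
    4d3cb2a1|a1b23c4d) echo pcap-ns ;;   # nanosecond-resolution pcap
    0a0d0d0a)          echo pcapng ;;    # pcapng section header block
    "")                echo empty ;;     # zero-length or missing file
    *)                 echo unknown ;;   # e.g. an HTML/error page, not a capture
  esac
}

# Read the snaplen field (bytes 16-19, little-endian) of a classic pcap file,
# so you can confirm the -s value that reached HostB.
pcap_snaplen() {
  f=$1
  set -- $(od -An -tx1 -j16 -N4 "$f")
  echo $(( 0x$4$3$2$1 ))
}

# Constructed sample: a pcap global header with no packets, as tcpdump -w
# produces before the first packet (magic, v2.4, tz 0, sigfigs 0,
# snaplen 1500 = 0x5dc, linktype 1 = Ethernet).
make_sample_pcap() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\334\005\000\000\001\000\000\000' > "$1"
}
```

On HostB, run pcap_kind hosta.pcap once the transfer ends; anything other than "pcap" (or "pcap-ns"/"pcapng" if a newer tcpdump wrote the stream) means the pipe did not deliver a capture, which is usually the firewall rule or the missing host argument on the nc side.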

Key takeaways from this blog:
  • ensure you have access on the tcp/udp ports for nc, and consider any ACLs/firewall rules in the path
  • make sure to use "-l" for tcpdump for buffering
  • whatever nc port you use, make sure it's open
  • ssh tunneling or a VPN client is your friend

Now go out and pen-test something :)

Ken Felix Freelance Network/Security Engineer
kfelix --at-- hyperfeed --d-o-t--com
     ^       ^
= ( @ @ ) =
