In my case, I use a very good L4 analysis tool that does not compiled very well under OpenBSD. So I use my cloud based linux host, that has all of my tool/pkgs installed.And with netcat, I can make a session and send my capture traffic thru to that host for analysis real time or later on.
Here's my setup,
HostA ( capturing machine )
HostB ( A Cloud based linux host with my hacking tools installed :) )
So on hostA it would need access to HostB, this can be done via any means, but I've used in the past ssh-tunneling, vpn-ipsec and in some cases I will would install a temporary iptable rule to allow access on HostB and open it to the world.
e.g ( netcat will be enable on HostB port 24001 so a rule similar to below )
iptables -A INPUT -p tcp --dport 24001 -j ACCEPT
Now on HostB we start netcat on port 24001 and dump it's output to a file named "hosta.pcap".
nc -l 24001> hosta.pcap
and you can validate it's started via;
netstat -an | grep 24001
tcp4 0 0 *.24001 *.* LISTENZ
Now on HostA we can start our capture side of things. What we will do is enable nc and to send it's ouput to HostB, we will also pipe our tcpdump output into netcat. So for this example, I'm dumping on my em1 and sending that output to netcat on HostB via HostA netcat.
tcpdump -s 1500 -l -w - -i em1 tcp and port 80 | nc 18.104.22.168 24001
At this point your writing the pcap output to netcat on HostB and a written filename "hosta.pcap" will contain the pcap content. I use something like the above when pen-test with a onsite or remote plug.
key take aways from this blog;
- ensure you have access on the tcp/udp ports for nc and any acl/rules consideration
- make sure to use "-l" for tcpdump for buffering
- whatever nc port you use, make sure it's open
- ssh tunneling or vpnclient is your friend
Now go out and pen-test something :)
Ken Felix Freelance Network/Security Engineer
kfelix --at-- hyperfeed --d-o-t--com
= ( @ @ ) =