Exploit Notes
Exploit Notes

Exploits related to Network

Protocol

Dynamic Host Configuration Protocol (DHCP) Pentesting
FTP (File Transfer Protocol) Pentesting
IRC (Internet Relay Chat) Pentesting
Memcache Pentesting
Modbus Pentesting
NFS (Network File System) Pentesting
NTP (Network Time Protocol) Pentesting
RTSP (Real Time Streaming Protocol) Pentesting
Restricted Shell (rbash, rzsh) Bypass
SNMP (Simple Network Management Protocol) Pentesting
SSH (Secure Shell) Pentesting
TFTP (Trivial File Transfer Protocol) Pentesting
Telnet Pentesting
UPnP (Universal Plug and Play) Pentesting
VNC (Virtual Network Computing) Pentesting
WASTE Pentesting

Port Forwarding

Port Forwarding with Chisel
Port Forwarding with Plink
Port Forwarding with SSH
Port Forwarding with Socat

WiFi

MITM (Man in the Middle) Attack
WiFi Hacking

Tool

Tshark
Wireshark

VPN

IPsec VPN Pentesting
OpenVPN Hacking

Others

ARP (Address Resolution Protocol) Spoofing
EthernetIP Pentesting
Firewall
Honeypots
MAC Flooding Attack
Network Traffic Analysis (NTA)
Networking
Rsync Pentesting
Tor

Network Traffic Analysis (NTA)

Last modified: 2023-01-29

Network

Packet Analysis

wireshark example.pcap

# Tcpdump
sudo tcpdump -i eth0 icmp
# output pcap file
sudo tcpdump -i eth0 icmp -w /tmp/tcpdump.pcap

Brim

Brim is an application to search and analyze super-structured data.

brim sample.pcap

  • Filters

    _path=="http" "example.com" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts

# Find UserAgent in HTTP requests
user_agent | cut _path,id.orig_h,id.resp_h,method,host,user_agent

Snort

Snort is a network intrusion detection system (NIDS) and intrusion prevention system (NIPS).

# Validate the configuration
# -c: Identify the config file
# -T: Test the configuration
sudo snort -c /etc/snort/snort.conf -T

# Sniffer mode
# -d: Dump packet data
# -e: Link-layer header grabbing
# -v: Verbose mode
sudo snort -dev
# -X: Full packet dump mode
sudo snort -X

# Logger mode
# -l: Logger mode
sudo snort -dev -l .
# -K ASCII: ASCII mode 
sudo snort -dev -K ASCII -l .

# IDS/IPS mode
# -A full: full alert mode
sudo snort -c /etc/snort/snort.conf -A full
# Using local rules
sudo snort -c /etc/snort/rules/local.rules -A full
# -q: Quiet mode
# --daq: Data aquisition
# -i: Listen on interface <if>
sudo snort -c local.rules -q --daq afpacket -i eth0:eth1 -A full
# Wait until packets receiving, the file will be dumped.

# Read generated logs
sudo snort -r snort.log.xxxxxxxx
# Filters
sudo snort -r snort.log.xxxxxxxx -X
sudo snort -r snort.log.xxxxxxxx tcp
sudo snort -r snort.log.xxxxxxxx 'udp and port 53'

# Investigate pcap file
# -n: The first N packets
sudo snort -c /etc/snort/snort.conf -q -r example.pcap -A full -n 10
# --pcap-list: Multiple pcap files
sudo snort -c /etc/snort/snort.conf -q --pcap-list="example.pcap example2.pcap" -A full -n 10

  • Modify rules

    We can edit /etc/snort/rules/local.rules or our custom local.rules in another directory.

    sudo vim /etc/snort/rules/local.rules

    Below is the example rules.

    # ICMP
alert icmp any any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)

# Drop
drop tcp any any -> any any (sid:1000005;)

Detect a Type of Malware

  1. Extract files from PCAP.

    1. Open target pcap file on Wireshark.
    2. Select "File" -> "Export Options" -> "HTTP..."
    3. Save the target file.

  2. Get the MD5 hash.

    md5sum suspicious.exe

  3. Search on VirusTotal using the MD5 hash.

Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.