wireshark – HackerTarget.com

Proxy your Phone to Burp

the admin — Tue, 27 Oct 2015 10:02:48 +0000

In this guide we configure Burp Suite to proxy all the traffic from your phone, tablet or other wifi device. As a bonus you will also have full access to all the WIFI packets for consumption by Wireshark or your traffic analysis tool of choice.

Use this traffic analysis technique to hunt bug bounties in your favorite Android or iOS APP.

What do I need?

An old laptop with an Ethernet port and a Wireless adapter
Ubuntu running on the old laptop. Any Linux will do, but this guide will show you with Ubuntu 14.04
Burp running on any computer on your local network

Here is how it works

Step 1. Configure the laptop as a Wireless Router

Hook the laptop up to the local network using the Ethernet adapter and make sure you can browse the Internet (using the Ethernet adapter).

Follow these steps to configure using Network Manager a new wireless network in infrastructure mode;

1. Untick the enable wifi option to temporarily disable the WIFI
2. Select edit connections
3. Add new wireless network (set ssid and mode to infrastructure)

4. Name the access point (mytestingaccesspoint)
5. In IPv4 change method to "Shared to other computers", this is a quick way to sort out DHCP and NAT for your new wireless network.

6. Set security (set a password)

Edit the file /etc/NetworkManager/system-connections/mytestingaccesspoint

Find the line that has mode=infrastructure and change it to mode=ap. This is required as AP is not an option in Network Manager. Note that not all wireless cards support the AP mode.

Once you have this network (mytestingaccesspoint) enabled, your wireless devices should be able to see it and connect using the password you have set.

If you can browse the network from your mobile device, on your laptop you will see two different IP ranges for your wireless adapter (wlan0) and the ethernet (eth0) adapter. The Ubuntu laptop is forwarding the traffic from the new wireless network onto the Ethernet network and out to the internet.

Try tcpdump -i wlan0 on the laptop. Fire up some apps on your phone or a browser. You should see traffic; this is your mobile device traffic. If your wireless device is not wlan0 you will need to use the correct device in the forward rule below so make sure this works.

That concludes the first part of the guide, getting the mobile device traffic to route through a Linux enabled system.

Step 2. Forward Traffic to Burp for Transparent Proxying

In the second part of the guide we will use an iptables NAT table rule to forward all HTTP port 80 traffic to the Burp Proxy running on another system.

Once we get the HTTP traffic into the Burp proxy server we can view, intercept and even inject on HTTP requests.

It only takes one line, on your Linux based router (the laptop).

iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:8080

Now in Burp you need to set the proxy to listen on all IP addresses and there are two other options that are required for transparent proxying.

Note that with these changes you are opening up Burp Suite, make sure you understand the changes.

1. Select the Proxy Tab | Options | Edit the Running Proxy | Change to Bind All interfaces

2. While you are here select "Request Handling" and tick the option to Support invisible proxying (if you need this). Without it you will likely get an error when you attempt to proxy the HTTP traffic transparently.

3. Still on the Proxy Options Tab, scroll down to the bottom and select the "Allow Requests to web interface using fully qualified DNS hostnames"

dd-wrt as an alternative

If you have a compatible router you might be able to use dd-wrt or other firmware project to install Linux on your SOHO router. With Linux on your router you could use a similar port forward rule to push port 80 traffic to burp. There are lots of options available, one of the advantages of the old laptop method is if you mess up on the Laptop the rest of the household can still use the Internet (unless of course you really mess it up). Have fun...

The post Proxy your Phone to Burp appeared first on HackerTarget.com.

ngrep and tcpflow – packet capture on a shoestring

the admin — Wed, 08 May 2013 14:38:55 +0000

Ngrep and TCPflow packet capture tools are useful for fast access to packets on the wire. As you will see in the examples they make grabbing text out of the network stream a piece of cake.

You may have heard of Wireshark (formerly Ethereal), a powerful network packet capture tool that enables a user to grab packets off the wire, load pcaps and analyse the data all in one GUI. While Wireshark is a must-have tool for many IT pro's there are times when a simple command line tool can get the job done faster.

Ngrep - or Network Grep Installation

On your Ubuntu (or Debian based) system install with apt-get. Under Fedora, Centos or RHEL if the package is not available in the repos, grab a copy of the rpm and install with a simple rpm -ivh (no dependencies required).

testbox:~#apt-get install ngrep
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  ngrep
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.1 kB of archives.
After this operation, 92.2 kB of additional disk space will be used.

Wow, take a look at that - 29.1kB had to be downloaded and 92.2 kB of disk space has been used by this tool. Maybe I should get a bigger hard drive!!

Ngrep Examples

A couple of basic examples to get you started.

testbox:~#ngrep -d wlan0 '^POST'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: ^POST

The syntax is -d wlan0 for the device you wish to capture from, followed by the expression to match. This example will match packets with POST at the start of the line, or HTTP POST requests in a simple text output format. The '#' marks indicate packets that did not match the expression. Further filtering can be done on ports and ip addresses.

Here is a more telling example to give you an idea of the possibilities.

testbox:~#ngrep -t -d wlan0 'pwd'
interface: wlan0 (192.168.1.0/255.255.255.0)
match: pwd
#############
T 2013/05/08 23:30:46.559360 192.168.1.100:48187 -> 173.255.232.18:80 [AP]
  POST /wp-login.php HTTP/1.1..Host: hackertarget.com..User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8..Accept-Language: en-US,en;q=0.5..Accept-Encoding: gzip, deflate..Referer: http://hackertarget.com/wp-login.php..Connection: keep-alive..Content-Type: application/x-www-form-urlencoded..Content-Length: 106....log=admin&pwd=testpassword&wp-submit=Log+In&redirect_to=http%3A%2F%2Fhackertarget.com%2Fwp-adminF&testcookie=1                                                                                                          
###############################################################################################################^Cexit
124 received, 0 dropped

The addition of the -t will put a timestamp on the matching results. Notice what I have done here, a simple grep for the string 'pwd' has shown the HTTP POST request with my login and password for the https://hackertarget.com/ login page. A quick example that demonstrates the importance of using the SSL version of the site (https://hackertarget.com/).

tcpflow - logging all the data

With tcpflow the installation is similar to that of ngrep, at least under Ubuntu.

apt-get install tcpflow

tcpflow will log all the tcpflows - or TCP sessions into text files in the current directory where it runs. Use tcpdump command line switches for determining what to capture.

tcpflow -i wlan0 'port 80'

This example will capture all HTTP flows over port 80 and store them as text files. A great way to troubleshoot web applications, or network protocols.

Tshark - another worthy command line packet capture tool

tshark is part of the Wireshark package, and is basically a text or console based version of Wireshark. It has many options and can be used to perform much of what ngrep and tcpflow do. However, the advantage of ngrep and tcpflow is their simplicity and ease of use. It will often come down to what tools you have available on the system.

These examples just touch the surface whether troubleshooting or performing security analysis; any plain text protocol can be inspected, POP3, SMTP, IRC, DNS and HTTP are just a few possibilities. On a related note the excellent bro (now known as Zeek Network Security Monitor) performs excellent flow analysis and is a tool worth investigating if you are performing security related packet captures.

Keep in mind that as with any packet capture tool, when using ngrep, tcpflow, tshark or wireshark ensure you have permission from management or legal that you are allowed to be looking closely at those packets, especially if there are other peoples traffic traversing the system you are on.

Practical examples for carving valuable information from the wire.

tshark tutorial and cheat sheet.

tshark Tutorial

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.

Use cases & more info

The post ngrep and tcpflow – packet capture on a shoestring appeared first on HackerTarget.com.