In the SANS SEC503: Intrusion Detection in Depth class, we learn about packets, starting from the Ethernet layer all the way up to the application layer. However, to get those packets to analyze, you have to capture them. Capturing on a local device for most folks is non-trivial. However, performing a remote capture can be a challenge for some folks
In this post, you learn how to perform remote packet capturing. That is, we have a remote computing device where TShark is installed and we would like to perform a capture on the remote device but see and or write the traffic to a local device. The two machines I will use are a Kali based Linux and Ubuntu running under Windows Subsystem for Linux (WSL). The assumption also is that you are unable to authenticate to the remote device (Kali) using the "root" as well as you will not be able to authenticate with passwords in the future for your capture activities.
Let's get going.
Perform these actions below on the remote device.
First, on some versions of Linux and if you are using the latest version of Kali, execute the following to reconfigure TShark to allow non-superusers to capture packets.
kali@securitynik:~$sudo dpkg-reconfigure wireshark-common
When asked “Should non-superusers be able to capture packets?” select “Yes”.
Add the “kali” user to the “wireshark” group by executing
kali@securitynik:~$sudo usermod --append --groups wireshark kali
Then start SSH Server on the remote device using “systemctl” as follows:
kali@securitynik:~$ sudo systemctl start ssh
Next verify the SSH server is running by leveraging “systemctl status ssh”
kali@securitynik:~$ sudo systemctl status ssh ● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2020-04-03 22:23:03 EDT; 16min ago Docs: man:sshd(8) man:sshd_config(5) Process: 2011 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) Main PID: 2012 (sshd) Tasks: 1 (limit: 2338) Memory: 2.6M CGroup: /system.slice/ssh.service └─2012 /usr/sbin/sshd –D
Now that you know it is running use the “ss” command to verify the service is listening on port 22 which is typically associated with SSH:
kali@securitynik:~$ss --numeric --listen --tcp State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 10.0.0.102:22 0.0.0.0:*
On your local machine
Generate your RSA private and public keys also called your key pair. I will generate this without a passphrase as I’m trying to avoid more administrative overhead.
securitynik@SECURITYNIK-SYS:/tmp$ ssh-keygen -C "Created by securitynik@securitynik-sys - used for remote tshark execution" -E sha256 -t rsa -f ~/.ssh/id_tshark Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/securitynik/.ssh/id_tshark. Your public key has been saved in /home/securitynik/.ssh/id_tshark.pub. The key fingerprint is: SHA256:ZnLnKvF4psGdL3dT06GE3X5BECdk7Fa0e0NfSZoOKZs Created by securitynik@securitynik-sys - used for remote tshark exec ution The key's randomart image is: +---[RSA 2048]----+ | o*++ | | o.*oo| | . o+o++.| | +.o=.++| | . SE. o.o+=| | ..* + .o.=| | o+o . . ..| | o.=o. o | | .=.o.. . | +----[SHA256]-----+
Verify the certificates have been successfully created
securitynik@SECURITYNIK-SYS:/tmp$ ls ~/.ssh/id_tshark* /home/securitynik/.ssh/id_tshark /home/securitynik/.ssh/id_tshark.pub
Verify the contents of the public key file.
securitynik@SECURITYNIK-SYS:/tmp$ cat ~/.ssh/id_tshark.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI5wsGheY8+SIQWaFnUB5pNUBy1Z7E6bpY0RHBDw8/vQNzmmrxEj5ImeINBHhtpbClkdyBgzMCRVJbusU vC+rHdB8BKPialpalERteJ4Ohpj1ChIWibvBac/GrXscUzSPkv42d7j5YISfH7kAHUSqi6uWVjx4Hy8fCrV3cI8QMg85LATVYu5fSsh52GnNLiAoKHp5fzQ mKvVE56jqKtXHIYU6Q5r9ibpEhdkvgxHlP74DSWJocjoo7miDA6fU6/Q6yucAEt2tNsiZZ+gZhZjhteFTo1H4+SkuJL21wcn0CIE3QlstdIBYjtHU9wXhiH xNbpKKGzSkTf01CvzRgx61Z Created by securitynik@securitynik-sys - used for remote tshark execution
As everything looks good with the public key, let’s transfer the it to the remote machine using the “ssh-copy-id” command.
securitynik@SECURITYNIK-SYS:/tmp$ ssh-copy-id -i ~/.ssh/id_tshark.pub kali@securitynik /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/securitynik/.ssh/id_tshark.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys kali@securitynik's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'kali@securitynik'" and check to make sure that only the key(s) you wanted were added.
As we have been asked to attempt to authenticate with “kali@securitynik”, let’s first disable password based authentication and enable “PubkeyAuthentication” in the “/etc/sshd_config”file. Next restart the SSH service. Here is what my "/etc/ssh/sshd_config" looks like on the remote device after editing it.
kali@securitynik:~$ cat /etc/ssh/sshd_config | grep --perl-regexp "^Pubkey|^PasswordA" PubkeyAuthentication yes PasswordAuthentication no
Time to restart SSH service
kali@securitynik:~$ sudo systemctl restart ssh
Now that everything looks good, let’s test our authentication using the previously created keys.
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark Linux securitynik 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64 The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. kali@securitynik:~$
Looks good! You now know that you can authenticate against the remote machine using they key pair.
Exit that remote machine by typing “exit” to return to your local machine.
From the local machine now execute.
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - ' | tshark --interface - --color
If everything went according to plan, you should now see packets scrolling on your screen.
Here I am rewriting the filter, to capture only ICMP packets on the remote host and writing the contents to a file to a local file while also printing the contents to the local screen.
securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - -f "icmp"' | tshark --interface - --color --print -w /tmp/remote_tshark_icmp.pcapng Capturing on 'Standard input' Capturing on 'eth0' 1 0.000000000 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 2 0.006688350 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 3 0.013294378 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 4 0.019760206 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 5 0.025964669 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 6 0.037445834 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 7 0.048449875 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 8 0.053346311 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 9 0.060709915 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 10 0.066094294 10.0.0.100 → 10.0.0.1 ICMP 76 Echo (ping) request id=0x0000, seq=0/0, ttl=64 ^C10 packets captured
Now analyze the local file as you would any other PCAP. Here I’m analyzing the first record of the file "remote_tshark_icmp.pcapng"
securitynik@SECURITYNIK-SYS:/tmp$ tshark -r remote_tshark_icmp.pcapng -c 1 -x 0000 0a 00 27 00 00 1e 08 00 27 1f 30 76 08 00 45 00 ..'.....'.0v..E. 0010 00 3e 00 01 00 00 40 01 66 5a 0a 00 00 64 0a 00 .>....@.fZ...d.. 0020 00 01 08 00 96 67 00 00 00 00 4d 61 73 74 65 72 .....g....Master 0030 69 6e 67 20 54 53 68 61 72 6b 20 4e 65 74 77 6f ing TShark Netwo 0040 72 6b 20 46 6f 72 65 6e 73 69 63 73 rk Forensics
Ok, that’s it for how to setup a remote capture. Come hang out with us at one of the upcoming SANS SEC503: Intrusion Detection in Depth class, to learn more about packets and how we use them to track activities across the entire Lockheed Martin Cyber Kill Chain.
Red Hat Configuring Open SSH
Stack Overflow - How to capture remote system network traffic