Remote packet capturing with TShark
By Securitynik on 2020-04-05 20:34:15

In the SANS SEC503: Intrusion Detection in Depth class, we learn about packets, starting from the Ethernet layer all the way up to the application layer. However, to get those packets to analyze, you have to capture them. Capturing on a local device is trivial for most folks; performing a remote capture, on the other hand, can be a challenge for some.

In this post, you learn how to perform remote packet capturing. That is, we have a remote computing device where TShark is installed, and we would like to run the capture on the remote device but see and/or write the traffic on a local device. The two machines I will use are a Kali-based Linux and an Ubuntu running under Windows Subsystem for Linux (WSL). The assumption is also that you are unable to authenticate to the remote device (Kali) as "root", and that you will not be able to authenticate with passwords in the future for your capture activities.

Let's get going.

Perform the actions below on the remote device.

First, on some versions of Linux and if you are using the latest version of Kali, execute the following to reconfigure TShark to allow non-superusers to capture packets.

kali@securitynik:~$ sudo dpkg-reconfigure wireshark-common

When asked “Should non-superusers be able to capture packets?” select “Yes”.

Add the “kali” user to the “wireshark” group by executing:

kali@securitynik:~$ sudo usermod --append --groups wireshark kali

Then start the SSH server on the remote device using “systemctl” as follows:

kali@securitynik:~$ sudo systemctl start ssh

Next, verify the SSH server is running by leveraging “systemctl status ssh”:

kali@securitynik:~$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-04-03 22:23:03 EDT; 16min ago
       Docs: man:sshd(8)
    Process: 2011 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 2012 (sshd)
      Tasks: 1 (limit: 2338)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             └─2012 /usr/sbin/sshd -D

Now that you know it is running, use the “ss” command to verify the service is listening on port 22, which is typically associated with SSH:

kali@securitynik:~$ ss --numeric --listen --tcp
State      Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    Process    
LISTEN     0          128           *     

On your local machine

Generate your RSA private and public keys, also called your key pair. I will generate this without a passphrase, as I’m trying to avoid more administrative overhead.

securitynik@SECURITYNIK-SYS:/tmp$ ssh-keygen -C "Created by securitynik@securitynik-sys - used for remote tshark execution" -E sha256 -t rsa -f ~/.ssh/id_tshark
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/securitynik/.ssh/id_tshark.
Your public key has been saved in /home/securitynik/.ssh/
The key fingerprint is:
SHA256:ZnLnKvF4psGdL3dT06GE3X5BECdk7Fa0e0NfSZoOKZs Created by securitynik@securitynik-sys - used for remote tshark exec
The key's randomart image is:
+---[RSA 2048]----+
|            o*++ |
|            o.*oo|
|         . o+o++.|
|          +.o=.++|
|      . SE. o.o+=|
|     ..* +   .o.=|
|      o+o .  . ..|
|      o.=o. o    |
|      .=.o.. .   |

Verify the key pair has been successfully created.

securitynik@SECURITYNIK-SYS:/tmp$ ls ~/.ssh/id_tshark*
/home/securitynik/.ssh/id_tshark  /home/securitynik/.ssh/

Verify the contents of the public key file.

securitynik@SECURITYNIK-SYS:/tmp$ cat ~/.ssh/
xNbpKKGzSkTf01CvzRgx61Z Created by securitynik@securitynik-sys - used for remote tshark execution

As everything looks good with the public key, let’s transfer it to the remote machine using the “ssh-copy-id” command.

securitynik@SECURITYNIK-SYS:/tmp$ ssh-copy-id -i ~/.ssh/ kali@securitynik
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/securitynik/.ssh/"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kali@securitynik's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'kali@securitynik'"
and check to make sure that only the key(s) you wanted were added.

As we have been asked to attempt to authenticate as “kali@securitynik”, let’s first disable password-based authentication and enable “PubkeyAuthentication” in the “/etc/ssh/sshd_config” file, then restart the SSH service. Here is what my "/etc/ssh/sshd_config" looks like on the remote device after editing it.

kali@securitynik:~$ cat /etc/ssh/sshd_config | grep --perl-regexp "^Pubkey|^PasswordA"
PubkeyAuthentication yes
PasswordAuthentication no

Time to restart the SSH service:

kali@securitynik:~$ sudo systemctl restart ssh
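Since the key generated above has no passphrase, anyone who copies it gets a working login on the remote device. One caveat a practitioner would want here: OpenSSH lets the server pin a key to a single command in authorized_keys, so a stolen id_tshark key can only start the capture and nothing else. The following is an added example, not code from the original post; it assumes OpenSSH 7.2 or later (for the "restrict" option), interface eth0, and a constructed sample public key, and it also checks the two sshd_config lines the post greps for.

```shell
#!/bin/sh
# Added example: harden the key that ssh-copy-id installed on the remote host.
# "restrict" disables port/agent/X11 forwarding and pty allocation, and
# "command=" replaces whatever the client asked to run, so the key is only
# ever able to run the capture below (the user must still be in the
# "wireshark" group for dumpcap to work). Interface/filter are assumptions.

# Returns the authorized_keys line for the public key file in $1, capturing
# on interface $2 with the BPF capture filter in $3.
restricted_key_line() {
    pubfile="$1"; iface="$2"; bpf="$3"
    # Single quotes inside the command= value are safe: sshd runs the forced
    # command through the user's shell, which strips them for tshark.
    cmd="tshark -i $iface -w - -f '$bpf'"
    printf 'restrict,command="%s" %s\n' "$cmd" "$(cat "$pubfile")"
}

# Returns 0 when the sshd_config at $1 disables password authentication and
# enables public-key authentication (the two lines the post greps for).
sshd_config_ok() {
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no'  "$1" &&
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1"
}

# Demo on constructed input (not a real key): print the line you would
# append to ~kali/.ssh/authorized_keys in place of the unrestricted one.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLE== constructed-example-key\n' \
    > "$demo_dir/id_tshark.pub"
restricted_key_line "$demo_dir/id_tshark.pub" eth0 'icmp or arp'
rm -rf "$demo_dir"
```

With the restricted line in place, the client side of the post still works unchanged (the remote command string in the ssh invocation is simply ignored by sshd), but `ssh kali@securitynik -i ~/.ssh/id_tshark` no longer yields a shell.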

Now that everything looks good, let’s test our authentication using the previously created keys.

securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark
Linux securitynik 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Looks good! You now know that you can authenticate against the remote machine using the key pair.

Exit that remote machine by typing “exit” to return to your local machine.

From the local machine, now execute:

securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - ' | tshark --interface - --color

If everything went according to plan, you should now see packets scrolling on your screen.

Here I am adding a capture filter to capture only ICMP packets on the remote host, writing the contents to a local file while also printing them to the local screen.

securitynik@SECURITYNIK-SYS:/tmp$ ssh kali@securitynik -i ~/.ssh/id_tshark 'tshark --interface eth0 -w - -f "icmp"' | tshark --interface - --color --print -w /tmp/remote_tshark_icmp.pcapng
Capturing on 'Standard input'
Capturing on 'eth0'
    1 0.000000000 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    2 0.006688350 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    3 0.013294378 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    4 0.019760206 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    5 0.025964669 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    6 0.037445834 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    7 0.048449875 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    8 0.053346311 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
    9 0.060709915 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
   10 0.066094294 →     ICMP 76 Echo (ping) request  id=0x0000, seq=0/0, ttl=64
^C10 packets captured

Now analyze the local file as you would any other PCAP. Here I’m analyzing the first record of the file "remote_tshark_icmp.pcapng".

securitynik@SECURITYNIK-SYS:/tmp$ tshark -r  remote_tshark_icmp.pcapng -c 1 -x
0000  0a 00 27 00 00 1e 08 00 27 1f 30 76 08 00 45 00   ..'.....'.0v..E.
0010  00 3e 00 01 00 00 40 01 66 5a 0a 00 00 64 0a 00   .>....@.fZ...d..
0020  00 01 08 00 96 67 00 00 00 00 4d 61 73 74 65 72   .....g....Master
0030  69 6e 67 20 54 53 68 61 72 6b 20 4e 65 74 77 6f   ing TShark Netwo
0040  72 6b 20 46 6f 72 65 6e 73 69 63 73               rk Forensics

Ok, that’s it for how to set up a remote capture. Come hang out with us at one of the upcoming SANS SEC503: Intrusion Detection in Depth classes to learn more about packets and how we use them to track activities across the entire Lockheed Martin Cyber Kill Chain.
