334.1 Network Hardening

Topic 334: Network Security

Weight: 4

Description: Candidates should be able to secure networks against common threats. This includes analyzing network traffic of specific nodes and protocols.

Key Knowledge Areas:

Understand wireless networks security mechanisms
Configure FreeRADIUS to authenticate network nodes
Use Wireshark and tcpdump to analyze network traffic, including filters and statistics
Use Kismet to analyze wireless networks and capture wireless network traffic
Identify and deal with rogue router advertisements and DHCP messages
Awareness of aircrack-ng and bettercap

The following is a partial list of the used files, terms and utilities:

radiusd
radmin
radtest
radclient
radlast
radwho
radiusd.conf
/etc/raddb/*
wireshark
tshark
tcpdump
kismet
ndpmon

FreeRADIUS

What is the RADIUS Protocol?

Remote Authentication Dial-In User Service or RADIUS is a networking protocol that offers centralized Authentication, Authorization and Accounting (AAA) management for users who connect and network service.

Authentication is the process of determining whether the client (user, device, or process) is a genuine user of the system.
Authorization is the process of determining what the client is allowed to do on the network.
Accounting is the process of monitoring the client’s activity on the network and providing the information necessary to calculate the cost for services.

You don't have to use all three of the AAA protocols, but only the ones you need. For example, you may not need accounting but only client authentication, or perhaps all you want is accounting, and client authorization is managed by something else.

It is extremely efficient and manages thousands of requests on modest hardware. Of course it works for all network protocols and not just dialup, but the name remains the same.

FreeRADIUS

FreeRADIUS is the open source RADIUS implementation, and is the most widely-used RADIUS server.

Install Freeradius

[root@rocky8 ~]# dnf install  freeradius freeradius-utils freeradius-mysql freeradius-perl

Start Freeradius Service

[root@rocky8 ~]# systemctl enable radiusd --now
Created symlink /etc/systemd/system/multi-user.target.wants/radiusd.service → /usr/lib/systemd/system/radiusd.service.

[root@rocky8 ~]# systemctl status radiusd
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-09-08 11:44:19 +0430; 2s ago
  Process: 863414 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 863411 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 863372 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=0/SUCCESS)
  Process: 863370 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 863417 (radiusd)
    Tasks: 6 (limit: 12245)
   Memory: 78.6M
   CGroup: /system.slice/radiusd.service
           └─863417 /usr/sbin/radiusd -d /etc/raddb

Sep 08 11:44:18 rocky8 sh[863372]:                   URI:http://www.example.com/example_ca.crl
Sep 08 11:44:18 rocky8 sh[863372]: Certificate is to be certified until Nov  7 07:14:18 2022 GMT (60 days)
Sep 08 11:44:18 rocky8 sh[863372]: Write out database with 1 new entries
Sep 08 11:44:18 rocky8 sh[863372]: Data Base Updated
Sep 08 11:44:18 rocky8 sh[863372]: openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:'whatever' -passout pass:'w>
Sep 08 11:44:18 rocky8 sh[863372]: chmod g+r client.p12
Sep 08 11:44:18 rocky8 sh[863372]: openssl pkcs12 -in client.p12 -out client.pem -passin pass:'whatever' -passout pass:'whatever'
Sep 08 11:44:18 rocky8 sh[863372]: chmod g+r client.pem
Sep 08 11:44:18 rocky8 sh[863372]: cp client.pem 'user@example.org'.pem
Sep 08 11:44:19 rocky8 systemd[1]: Started FreeRADIUS high performance RADIUS server..

radiusd

As you can see above, FreeRADIUS provides the radiusd daemon which provides an authentication service.

/etc/raddb/*

For every part of FreeRADIUS, in the configuration directory (/etc/raddb, /etc/freeradius or similar) there is a fully commented example file included, that explains what it does, and how to use it. Read those sample files too!

Again, many of the configuration files are ONLY documented in the comments included in the files.

Reading the configuration files is REQUIRED to fully understand how to create complex configurations of the server.

Main configuration files

radiusd.conf -- FreeRADIUS server primary configuration file. Server logging and performance settings may be fine-tuned in this file. It is well commented.
clients.conf -- client configuration directives
modules configuration
sites configuration
proxy.conf -- proxy radius and realm configuration directives
policy.d (previously policy.conf in v2)

radmin

radmin - FreeRADIUS Administration tool, is a FreeRADIUS Server administration tool that connects to the control socket of a running server, and gives a command-line interface to it.

At this time, only a few commands are supported. Please type "help" at the command prompt for detailed information about the supported commands.

radmin [-d config_directory] [-D dictionary_directory] [-e command] [-E] [-f socket_file] [-h] [-i input_file] [-n name] [-q]

WARNING

The security protections offered by this command are limited to the permissions on the Unix domain socket, and the server configuration. If someone can connect to the Unix domain socket, they have a substantial amount of control over the server.

OPTIONS
       The following command-line options are accepted by the program.

       -d config directory
              Defaults to /etc/raddb. radmin looks here for the server configuration files to find the "listen" section that defines the control socket filename.

       -D dictionary directory
              Set main dictionary directory. Defaults to /usr/share/freeradius.

       -e command
              Run command and exit.

       -E     Echo commands as they are being executed.

       -f socket_file
              Specify the socket filename directly.  The radiusd.conf file is not read.

       -h     Print usage help information.

       -i input_file
              Reads input from the specified file.  If not specified, stdin is used.  This also sets "-q".

       -n mname
              Read raddb/name.conf instead of raddb/radiusd.conf.

       -q     Quiet mode.

COMMANDS
       The commands implemented by the command-line interface are almost completely controlled by the server.  There are a few commands interpreted locally by radmin:

       reconnect
              Reconnect to the server.

       quit   Exit from radmin.

       exit   Exit from radmin.

       The other commands are implemented by the server.  Type "help" at the prompt for more information.

EXAMPLES
       debug file /var/log/radius/bob.log
              Set debug logs to /var/log/radius/bob.log.  There is very little checking of this filename.  Rogue administrators may be able use this command to  over-write  almost  any
              file on the system.  If those administrators have write access to "radius.conf", they can do the same thing without radmin, too.

       debug condition '(User-Name == "bob")'
              Enable  debugging output for all requests that match the condition.  Any "unlang" condition is valid here.  The condition is parsed as a string, so it must be enclosed in
              single or double quotes.  Strings enclosed in double-quotes must have back-slashes and the quotation marks escaped inside of the string.

              Only one debug condition can be active at a time.

       debug condition '((User-Name == "bob") || (Packet-Src-IP-Address == 192.0.2.22))'
              A more complex condition that enables debugging output for requests containing User-Name "bob", or requests that originate from source IP address 192.0.2.22.

       debug condition
              Disable debug conditionals.

radmin have a long list of commands, read it man page, this was only a part of that!

Additional utilities ship with the freeradius-utils package.

Basic Configuration

Always start with the "default" configuration. It will work everywhere, and do almost everything you need. The only change you will need to make is to define users and passwords.

Making a lot of changes to the configuration files is the best way to break the server. Don't do that.

Define a Client IP

For initial testing from localhost with radtest(see in this lesson), the server comes with a default definition for 127.0.0.1 and ::1

For testing from external machines, edit /etc/raddb/clients.conf and add an entry. There are many examples and the syntax is easy:

client NAME {
  ipaddr = IPADDRESS
  secret = SECRET
}

where:

ipaddr — Specifies the client IP.
secret — The shared secret used to encrypt and decrypt communication between client and server.

example:

client private-network-1 {
ipaddr = 192.0.2.0/24
secret = s3cr3t
}

Define a User and Password

Edit /etc/raddb/users and create an example user account as the first entry. i.e. at the top of the file, such as:

testing Cleartext-Password := "password"

Start the server in debugging mode

At this point you should be able to manually start radiusd. You should do this with the debugging enabled so that you can see what happens:

$ radiusd -X

The location and the name of the FreeRADIUS server executable may vary, for example it could be /usr/sbin/freeradius. But the -X parameter is essential, always use it!

Lots of output will scroll by, and it will eventually say:

Read to process requests.

Sometimes people want to change default port to run on 1645, the old RADIUS port (the new one is 1812), if replacing a legacy RADIUS server. Other than that, it's possible that the EAP Module initial setup will fail.

radtest

Once the FreeRADIUS server is operational, you can use radtest to test an account from the command line,command format:

radtest {username} {password} Pradius-server} {nas-port-number} {radius_secret}

[root@rocky8 ~]# radtest -h
Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR       Set radius directory
        -t <type>           Set authentication method
                            type can be pap, chap, mschap, or eap-md5
        -P protocol         Select udp (default) or tcp
        -x                  Enable debug output
        -4                  Use IPv4 for the NAS address (default)
        -6                  Use IPv6 for the NAS address

our example:

$ radtest testing mypass localhost 0 s3cre3t

Where testing is the user name configured above, and mypass is the password for the user. These can be real user names and passwords, of course.

You should see output like:

Sending Access-Request of id 226 to 127.0.0.1:1812
      User-Name = 'testing'
      User-Password = 'mypass'
      NAS-IP-Address = radius.domain.com
      NAS-Port = 10

rad_recv : Access-Accept packet from host 127.0.0.1:1812,id=226, length=56
      Framed-IP-Address = 80.84.161.1
      Framed-Protocol = PPP
      Service-Type = Framed-User
      Framed-Compression = Van-Jacobson-TCP-IP
      Framed-IP- Netmask = 255.255.255.255

The key is to get an 'Access Accept' response.

At this point you should have text-file authentication working in FreeRADIUS. Also based on the default settings, the authentication methods now work for the testing user

PAP
CHAP
MS-CHAPv1
MS-CHAPv2
PEAP
EAP-TTLS
EAP-GTC
EAP-MD5.

If you made changes to the default configuration, odds are that one or more of these authentication methods will stop working.

The next step is to add more users, and/or to configure directories and databases.

radclient

radclient is a radius client program included as part of FreeRADIUS. It can send arbitrary RADIUS packets to a RADIUS server, then shows the reply. It can be used to test changes you made in the configuration of the radius server, or it can be used to monitor if a radius server is up.

radclient reads radius attribute/value pairs from it standard input, or from a file specified on the command line. It then encodes these attribute/value pairs using the dictionary, and sends them to the remote server.

The User-Password and CHAP-Password attributes are automatically encrypted before the packet is sent to the server.

[root@rocky8 ~]# radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
  <command>              One of auth, acct, status, coa, disconnect or auto.
  -4                     Use IPv4 address of server
  -6                     Use IPv6 address of server.
  -c <count>             Send each packet 'count' times.
  -d <raddb>             Set user dictionary directory (defaults to /etc/raddb).
  -D <dictdir>           Set main dictionary directory (defaults to /usr/share/freeradius).
  -f <file>[:<file>]     Read packets from file, not stdin.
                         If a second file is provided, it will be used to verify responses
  -F                     Print the file name, packet number and reply code.
  -h                     Print usage help information.
  -n <num>               Send N requests/s
  -p <num>               Send 'num' packets from a file in parallel.
  -q                     Do not print anything out.
  -r <retries>           If timeout, retry sending the packet 'retries' times.
  -s                     Print out summary information of auth results.
  -S <file>              read secret from file, not command line.
  -t <timeout>           Wait 'timeout' seconds before retrying (may be a floating point number).
  -v                     Show program version information.
  -x                     Debugging mode.
  -P <proto>             Use proto (tcp or udp) for transport.

examples:

echo "User-Name = testing" | /usr/local/bin/radclient localhost:1812 auth s3cr3t
echo "User-Name=testing,User-Password=mypass,Framed-Protocol=PPP " | /usr/local/bin/radclient localhost:1812 auth s3cr3t
echo "Message-Authenticator = 0x00" | /usr/local/bin/radclient localhost:1812 auth s3cr3t

radlast

The FreeRADIUS server can write an accounting log in the wtmp format of the local system.

wtmp

On the Linux, Solaris, and BSD operating systems, wtmp is a file containing a history of all logins and logouts. On Linux systems, it is located at /var/log/wtmp. Various commands access wtmp to report login statistics, including the who and lastb commands.

The "w" in "wtmp" stands for "who" — as it does in the w command, which displays what users are currently logged in to the system.

radlast is a frontend for the systems last command ( it just calls last with the -f path_to_radwtmp_file argument, and passes all options on the command line to the system last command.)

[root@rocky8 ~]# radlast -h

Usage:
 last [options] [<username>...] [<tty>...]

Show a listing of last logged in users.

Options:
 -<number>            how many lines to show
 -a, --hostlast       display hostnames in the last column
 -d, --dns            translate the IP number back into a hostname
 -f, --file <file>    use a specific file instead of /var/log/wtmp
 -F, --fulltimes      print full login and logout times and dates
 -i, --ip             display IP numbers in numbers-and-dots notation
 -n, --limit <number> how many lines to show
 -R, --nohostname     don't display the hostname field
 -s, --since <time>   display the lines since the specified time
 -t, --until <time>   display the lines until the specified time
 -p, --present <time> display who were present at the specified time
 -w, --fullnames      display full user and domain names
 -x, --system         display system shutdown entries and run level changes
     --time-format <format>  show timestamps in the specified <format>:
                               notime|short|full|iso

 -h, --help           display this help
 -V, --version        display version

For more details see last(1).

radwho

The FreeRADIUS server can be configured to maintain an active session database in a file called radutmp. This utility shows the content of that session database.

[root@rocky8 ~]# radwho -h
radwho: invalid option -- 'h'
Usage: radwho [-d raddb] [-cfihnprRsSZ] [-N nas] [-P nas_port] [-u user] [-U user]
  -c                   Show caller ID, if available.
  -d                   Set the raddb directory (default is /etc/raddb).
  -F <file>            Use radutmp <file>.
  -i                   Show session ID.
  -n                   No full name.
  -N <nas-ip-address>  Show entries matching the given NAS IP address.
  -p                   Show port type.
  -P <port>            Show entries matching the given nas port.
  -r                   Print output as raw comma-delimited data.
  -R                   Print output as RADIUS attributes and values.
                       includes ALL information from the radutmp record.
  -s                   Show full name.
  -S                   Hide shell users from radius.
  -u <user>            Show entries matching the given user.
  -U <user>            Like -u, but case-sensitive.
  -Z                   Include accounting stop information in radius output.  Requires -R.

What is NAS?

In a RADIUS Access-Request packet, the NAS-IP-Address attribute provides the identifying IP Address of the requesting Network Access Server (NAS).

For example,

$ radwho -ZRN 10.0.0.1 | radclient -f - radius.example.net acct s3cr3t

will result in all an Accounting-Request packet being sent to the RADIUS server, which tells the server that the NAS rebooted. i.e. It "kills" all of the users on that NAS.

To "kill" one user, specify NAS, username, and NAS port:

$ radwho -ZRN 10.0.0.1 -u user -P 10 | radclient -f - radius.example.net acct s3cre3t

Other combinations are also possible. let's warp it up:

Administering FreeRADIUS:

radmin: radmin is used to connect to, and administer a running RADIUS server.
radtest: The configuration may be tested using the radtest command. It is a wrapper around radclient which may be used to interface with a RADIUS server.

Using radtest:

radtest user password radius-server nas-port-number secret

radclient: radclient is the client-side program used to interact with a RADIUS server.
radlast: radlast is a wrapper around the last command that targets /var/log/radius/radwtemp instead of the default.
radwho: radwho shows currently logged on users.

Man pages are available for radtest, radclient, radlast, and radwho and provide more detailed information.

Network Utilities

tcpdump

tcpdump is a packet sniffing and packet analyzing tool for a System Administrator to troubleshoot connectivity issues in Linux. It is used to capture, filter, and analyze network traffic such as TCP/IP packets going through your system. It is many times used as a security tool as well. tcpdump also give us a option to save the captured information in a pcap file, these pcap files can then be opened through Wireshark or through the command tool itself.

[root@rocky8 ~]# tcpdump port  22 -c5
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:22:31.564185 IP rocky8.ssh > 192.168.108.1.63368: Flags [P.], seq 1291099877:1291100053, ack 3488420628, win 1432, length 176
22:22:31.614585 IP 192.168.108.1.63368 > rocky8.ssh: Flags [.], ack 176, win 4103, length 0
22:22:31.748273 IP rocky8.ssh > 192.168.108.1.63368: Flags [P.], seq 176:288, ack 1, win 1432, length 112
22:22:31.749019 IP rocky8.ssh > 192.168.108.1.63368: Flags [P.], seq 288:368, ack 1, win 1432, length 80
22:22:31.749953 IP 192.168.108.1.63368 > rocky8.ssh: Flags [.], ack 368, win 4102, length 0
5 packets captured
6 packets received by filter
0 packets dropped by kernel

Tcpdump continues to capture packets until it receives an interrupt signal. You can interrupt capturing by pressing Ctrl+C. In this case, since I am connected to this server using ssh, tcpdump captured all these packets. To limit the number of packets captured and stop tcpdump, i have used the -c (for count) option.

By default, tcpdump resolves IP addresses and ports into names, as shown in the previous example. When troubleshooting network issues, it is often easier to use the IP addresses and port numbers; disable name resolution by using the option -n and port resolution with -nn:

[root@rocky8 ~]# tcpdump port  22 -c5 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
22:47:27.536043 IP 192.168.108.101.22 > 192.168.108.1.63368: Flags [P.], seq 1291106181:1291106229, ack 3488423124, win 1432, length 48
22:47:27.537150 IP 192.168.108.101.22 > 192.168.108.1.63368: Flags [P.], seq 48:160, ack 1, win 1432, length 112
22:47:27.537386 IP 192.168.108.101.22 > 192.168.108.1.63368: Flags [P.], seq 160:240, ack 1, win 1432, length 80
22:47:27.537523 IP 192.168.108.1.63368 > 192.168.108.101.22: Flags [.], ack 240, win 4105, length 0
22:47:27.537602 IP 192.168.108.101.22 > 192.168.108.1.63368: Flags [P.], seq 240:304, ack 1, win 1432, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel

some use full tcpdump commands:

tcpdump command	Description
tcpdump -D	Display available interfaces
tcpdum -i ens33	Capture Packets from specific interface
tcpdump -c 10 -i ens33	Capture only N neumber of packets
tcpdump -w myfile.pcap -i ens33	Capture and save packets in a file
tcpdump -r myfile.pcap	Read captured packets file
tcpdump -n -i ens33	Capture IP address Packets
tcpdum -i ens33 tcp	Only TCP Packets are captured
tcpdump -i ens33 port 22	Capture packets from specific port
tcpdump portrange 21-23	use a range of ports to find traffic
tcpdump -i eth0 src 192.168.10.150	Capture packets from source IP
tcpdump -i eth0 dst 209.85.144.139	Capture packets from destination IP
tcpdump -i ens33 ipv6	Sniffing for IPv6

tcpdump command

Description

tcpdump -D

Display available interfaces

tcpdum -i ens33

Capture Packets from specific interface

tcpdump -c 10 -i ens33

Capture only N neumber of packets

tcpdump -w myfile.pcap -i ens33

Capture and save packets in a file

tcpdump -r myfile.pcap

Read captured packets file

tcpdump -n -i ens33

Capture IP address Packets

tcpdum -i ens33 tcp

Only TCP Packets are captured

tcpdump -i ens33 port 22

Capture packets from specific port

tcpdump portrange 21-23

use a range of ports to find traffic

tcpdump -i eth0 src 192.168.10.150

Capture packets from source IP

tcpdump -i eth0 dst 209.85.144.139

Capture packets from destination IP

tcpdump -i ens33 ipv6

Sniffing for IPv6

What is PCAP?

Packet Capture or PCAP (also known as libpcap) is an application programming interface (API) that captures live network packet data from OSI model Layers 2-7. Network analyzers like Wireshark create .pcap files to collect and record packet data from a network. PCAP comes in a range of formats including Libpcap, WinPcap, and PCAPng.

These PCAP files can be used to view TCP/IP and UDP network packets. If you want to record network traffic then you need to create a .pcapfile. You can create a .pcapfile by using a network analyzer or packet sniffing tool like Wireshark or tcpdump.

to get familiar with pcap-filters try man pcap-filter. The most important filters to know for the exam are:

• host IP

• port PORT

• portrange PORT-PORT

• tcp portrange PORT-PORT

wireshark

Wireshark is a popular open source graphical user interface (GUI) tool for analyzing packets. However, it also provides a powerful command-line utility called TShark for people who prefer to work on the Linux command line.

### Capture Filters in Wireshark:
#Capture only traffic to or from IP address 172.18.5.4: 
           host 172.18.5.4
#Capture traffic to or from a range of IP addresses:
           net 192.168.0.0/24 
           net 192.168.0.0 mask 255.255.255.0 
#Capture traffic from a range of IP addresses: 
           src net 192.168.0.0/24
           src net 192.168.0.0 mask 255.255.255.0 
#Capture traffic to a range of IP addresses: 
          dst net 192.168.0.0/24 
          dst net 192.168.0.0 mask 255.255.255.0 
#Capture only DNS (port 53) traffic: 
          port 53 
#Capture a range of TCP ports: 
          tcp portrange 1501-1549 
          portrange 1501-1549 and tcp

While wireshark is a GUI tool, it has a CLI equivalent knowns as tshark

tshark

tshark. The terminal version of Wireshark supports similar options and is a lot useful when a Graphical User Interface (GUI) isn’t available. Without any switches, tshark performs similarly to tcpdump:

[root@rocky8 ~]# tshark
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens160'
    1 0.000000000 192.168.108.1 → 192.168.108.101 TCP 60 63368 → 22 [ACK] Seq=1 Ack=1 Win=4104 Len=0
    2 0.502419349 192.168.108.101 → 192.168.108.1 SSH 118 Server: Encrypted packet (len=64)
    3 0.560927325 192.168.108.1 → 192.168.108.101 TCP 60 63368 → 22 [ACK] Seq=1 Ack=65 Win=4104 Len=0
^C    4 1.021169855 192.168.108.101 → 192.168.108.1 SSH 150 Server: Encrypted packet (len=96)
    5 1.072133101 192.168.108.1 → 192.168.108.101 TCP 60 63368 → 22 [ACK] Seq=1 Ack=161 Win=4103 Len=0
5 packets captured

tshark examples:

tshark Command	Description
tshark -D	get a list of the available network interfaces
tshark -i enp0s3	capture specific network interface traffic
tshark -i enp0s3 -c 5	capture 5 number of packets
tshark -i enp0s3 -i usbmon1 -i lo	capture multiple interfaces traffic
tshark -i enp0s3 -f "port 80 or port 53" -c 3	only capture packets from ports 80 or 53
tshark -i enp0s3 -w /tmp/test_capture.pcap	Saving Captured Traffic to a File
tshark -i enp0s3 -a duration:120 -w /tmp/test_capture.pcap	auto stop after 120 sec
tshark -i enp0s3 -a filesize:50 -w /tmp/test_capture.pcap	auto stop after 50K file size
tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a files:2 -w /tmp/test_capture.pcap	use “-b” with a filesize flag to save each file of size 15 Kb, maximum number of files=2
tshark -r /tmp/test_capture.pcap \| head	reading .pacap files
tshark -r /tmp/test_capture.pcap -T fields -e frame.number -e ip.src -e ip.dst \| head	Selecting Fields to Output via -T fields
tshark -i enp0s3 -c 1 -V host 104.26.10.240	show entire packets

tshark Command

Description

tshark -D

get a list of the available network interfaces

tshark -i enp0s3

capture specific network interface traffic

tshark -i enp0s3 -c 5

capture 5 number of packets

tshark -i enp0s3 -i usbmon1 -i lo

capture multiple interfaces traffic

tshark -i enp0s3 -f "port 80 or port 53" -c 3

only capture packets from ports 80 or 53

tshark -i enp0s3 -w /tmp/test_capture.pcap

Saving Captured Traffic to a File

tshark -i enp0s3 -a duration:120 -w /tmp/test_capture.pcap

auto stop after 120 sec

tshark -i enp0s3 -a filesize:50 -w /tmp/test_capture.pcap

auto stop after 50K file size

tshark -i enp0s3 -f "port 53 or port 21" -b filesize:15 -a files:2 -w /tmp/test_capture.pcap

use “-b” with a filesize flag to save each file of size 15 Kb, maximum number of files=2

tshark -r /tmp/test_capture.pcap | head

reading .pacap files

tshark -r /tmp/test_capture.pcap -T fields -e frame.number -e ip.src -e ip.dst | head

Selecting Fields to Output via -T fields

tshark -i enp0s3 -c 1 -V host 104.26.10.240

show entire packets

ndpmon

• Neighbor Discovery Protocol Monitor

• Compiled versions available for BSD, OSX, and Debian

• Used for monitoring ICMPv6 packets

• Writes output to syslog

kismet

Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. Kismet works with Wi-Fi interfaces, Bluetooth interfaces, some SDR (software defined radio) hardware like the RTLSDR, and other specialized capture hardware.

kismet_client

root@kali:~# kismet_client -h
Usage: kismet_client [OPTION]
 *** Generic Options ***
 -h, --help                   The obvious

kismet_drone

root@kali:~# kismet_drone -h
Usage: kismet_drone [OPTION]
Nearly all of these options are run-time overrides for values in the
kismet.conf configuration file.  Permanent changes should be made to
the configuration file.
 *** Generic Options ***
 -f, --config-file            Use alternate configuration file
     --no-line-wrap           Turn of linewrapping of output
                              (for grep, speed, etc)
 -s, --silent                 Turn off stdout output after setup phase
     --daemonize              Spawn detatched in the background

 *** Kismet Remote Drone Options ***
     --drone-listen           Override Kismet drone listen options

 *** Packet Capture Source Options ***
 -c, --capture-source         Specify a new packet capture source
                              (Identical syntax to the config file)
 -C, --enable-capture-sources Enable capture sources (comma-separated
                              list of names or interfaces)

kismet_server Usage Example

Start the Kismet server, using the wireless interface as the capture source (-c wlan0) and use the external GPSD option (–use-gpsd-gps):

root@kali:~# kismet_server -c wlan0 --use-gpsd-gps
ERROR: Kismet was started as root, NOT launching external control binary.
       This is NOT the preferred method of starting Kismet as Kismet will
       continue to run as root the entire time.  Please read the README
       file section about Installation & Security and be sure this is what
       you want to do.
INFO: Reading from config file /etc/kismet/kismet.conf
INFO: No 'dronelisten' config line and no command line drone-listen
      argument given, Kismet drone server will not be enabled.
INFO: Created alert tracker...
INFO: Creating device tracker...
INFO: Registered 80211 PHY as id

aircrack_ng

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

Monitoring: Packet capture and export of data to text files for further processing by third party tools
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)

All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

bettercap

The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.

bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.