2019 oplossingen labo 2 - Lars Lemmens

Met dank aan de Github van Martijn en natuurlijk Lars Lemmens

LABO 2

What is the IP address of your computer?

What is the status code returned from the server to your browser?

When was the HTML file that you are retrieving last modified on the server?

'user:~$' • echo -ne 'HEAD /HTTP-Wireshark-file1.html HTTP/1.1\r\nHost:  virtualhostname.x.cnw2.uclllabs.be\r\n\r\n' | nc localhost 80 | grep 'Last-Modified:'

'user:~$' • tshark -r http.pcapng -Y http -T fields -e http.last_modified

• The -n argument does not output the trailing newline
• The -e argument enables interpretation of backslash escapes
• The nc command is a TCP/IP swiss army knife
• The -r argument reads the packet date from infile
• The -Y command captures the link type
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected

How many bytes of content are being returned to your browser?

What software and version is the web server running?

'user:~$' • tshark -r http.pcapng -Y http.server -T fields -e ip.src -e http.server | sort -u

• The -r argument reads the packet date from infile
• The -Y argument captures the link type
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run

Explain in detail the above tshark command.

What TCP ports are in use at the client and the server during your browsing session?

'user:~$' • tshark -r http.pcapng -Y http -T fields -e tcp.port | sort -u

• The -r argument reads the packet date from infile
• The -Y argument captures the link type
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run

Exercise 1:

Which HTTP method was used the most during the entire browsing session?

'user:~$' • tshark -r http.pcapng -Y http.request.method -T fields -e http.request.method | sort | uniq -c | head -1 | awk '{print $2}'
'user:~$' • tshark -r http.pcapng -Y http.request.method -T fields -e http.request.method | sort | uniq -c | awk 'NR=1{print $2}'

• The tshark command dumps and analyzes network traffic
• The -r argument reads the packet date from infile
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The uniq command reports or omits repeated lines
• The -c argument prefixes lines by the number of occurences
• The head command shows output for only the first part of files
• The awk command is used for pattern scanning and processing language

In case you would like to automate this: With tshark and a Bash loop"

'user:~$' • tshark -r http.pcapng -Y 'http.request.method==GET' -T fields -e tcp.srcport | sort -u | while read PORT;do tshark -r http.pcapng -Y "tcp.dstport==$PORT && http.server contains Apache" -T fields -e ip.src;done | sort -u

• The tshark command dumps and analyzes network traffic
• The -r argument reads the packet date from infile
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run
• The -Y command captures the link type

Exercise 2:

How many HTTP GET request messages did your browser send?

'user:~$' • tshark -r http.pcapng -Y http.request.method==GET | wc -l

• The tshark command dumps and analyzes network traffic
• The -r argument reads the packet date from infile
• The wc command prints a newline, word, and byte counts for each file
• The -l argument prints the newline counts

To which Internet addresses were these GET requests sent?

'user:~$' • tshark -r http.pcapng -Y http.request.method==GET -T fields -e ip.dst | sort -u

• The tshark command dumps and analyzes network traffic
• The -r argument reads the packet date from infile
• The -Y command captures the link type
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run

Exercise 5:

Use Netcat to download these images. check the echo -ne options or use printf. If needed, slow down netcat with option -i. The image part in the HTTP stream starts after a blank line.

'user:~$' • echo -ne "GET /nw2/images/image1.jpg HTTP/1.1\r\nHost: darthvader.uclllabs.be\r\n\r\n" |\ nc darthvader.uclllabs.be 80 | sed '1,/^\r/d' > image1.jpg

'user:~$' • echo -ne "GET /nw2/images/image1.jpg HTTP/1.1\r\nHost: darthvader.uclllabs.be\r\n\r\n" |\ nc darthvader.uclllabs.be 80 | grep -A9999999999999999 -B0 -Pa 'JFIF' > image1.jpg

• The -n argument does not output the trailing newline
• The -e argument enables interpretation of backslash escapes
• The sed command is a stream editor for filtering and transforming text
• The nc command is a TCP/IP swiss army knife
• The -A argument prints NUM lines of trailing context after matching lines.
• The -B argument interprets PATTERN as a Perl regular expression (PCRE, see below).
• The -a argument processes a binary file as if it were text; this is equivalent to the --binary-files=text option.

Exercise 7:

Use httpie, a cURL-like tool for humans to inspect the various HTTP headers in request and responses. Connect to various websites and explain the use of the HTTP headers.

'user:~$' • http -v -a Rey:StarWars http://darthvader.uclllabs.be/nw2/private/

• The -v argument is for verbose

Exercise 8:

A simulated phone is running at http://darthvader.uclllabs.be/nw2/phone/. Create a oneliner to bruteforce the pincode. Tip: pincode range: 1200-1300

'user:~$' • for foo in {1200..1300}; do if wget -q --http-user='admin' --http-password=$foo http://darthvader.uclllabs.be/nw2/phone; then echo $foo;break;fi;done

• The wget command is the non-interactive network downloader
• The -q argument turns of the wget's output
• The --http-user AND --http-password specifies the username and the password on a http server

Exercise 9:

"Put the following text.txt on your web server. This text contains the string Goed bezig :-)

Write an HTTP request by using the Range header so your web server will only return this exact string 'Goed bezig :-)'. Try to do this by only using netcat

'user:~$' • curl http://your.server.name/output.txt -i -H "Range: bytes=1-"
'user:~$' • echo -ne "GET /output.txt HTTP/1.1\r\nHost: your.server.name\r\nRange: bytes=1-\r\n\r\n" | nc your.server.name 80

• The curl command is used to transfer a URL
• The -i argument includes the HTTP-header in the output
• The -H argument is used as a extra header to use when getting a web page
• The nc command is a TCP/IP swiss army knife
• The -n argument does not output the trailing newline
• The -e argument enables interpretation of backslash escapes

Exercise 10:

This can be accomplished by sending the output of tshark or tcpdump to STDOUT instead of a regular file. Direct this STDOUT stream to Wireshark running on your local computer.

'root #' • ssh myserver.X.cnw2.uclllabs.be tcpdump -nli eth0 not tcp port 22345 -s0 -w - | wireshark -nki -

'root #' • ssh myserver.X.cnw2.uclllabs.be 'tshark -nli eth0 -f "not tcp port 22345" -s0 -w -' | wireshark -nki -

• The ssh command is a remote login program
• The -n argument redirects stdin from /dev/null (actually, prevents reading from stdin).
• The -l argument specifies the user to log in as on the remote machine.
• The -i argument selects a file from which the identity (private key) for public key authentication is read.
• The -s argument may be used to request invocation of a subsystem on the remote system
• The -w argument Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and the server (remote_tun).
• The -n argument disables network object name resolution (such as hostname, TCP and UDP port names), the -N flag might override this one.
• The -k argument starts the capture session immediately.
• The -i argument sets the name of the network interface or pipe to use for live packet capture.
• The -f argument (in tshark command) sets the capture filter expression

Exercise 11:

Capture some HTTP traffic while browsing several websites and save it to the file http.pcapng.

You can also use the test capture in /home/logs on leia. create a CLI oneliner which parses the captured file http.pcapng and displays all HTTP server strings which do not contain Apache.

Only the commands tshark and sort are allowed.

'user:~$' • tshark -r http.pcapng -Y 'http.server && !(http.server contains Apache)' -T fields -e http.server | sort -u

• The -r argument reads the packet date from infile
• The -Y command captures the link type
• The -T argument sets the format of the output when viewing decoded packet data.
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run

Exercise 12:

This exercise is a small variation of the previous one. Count and sort all HTTP server strings which do not contain Apache in HTTP responses on your GET requests.

'user:~$' • tshark -r http.pcapng -Y '!(http.request.method==GET)' -T fields -e tcp.srcport | sort -u | while read PORT;do tshark -r http.pcapng -Y "tcp.dstport==$PORT && http.server && !(http.server contains Apache)" -T fields -e http.server;done | sort | uniq -c | sort -rn

• The tshark command dumps and analyzes network traffic
• The -r argument reads the packet date from infile
• The -Y command captures the link type
• The -e argument (in tshark command) adds a field to the list of fields to display if -T fields is selected
• The sort command sorts lines of text files
• The -u argument output only the first of an equal run
• The -T argument sets the format of the output when viewing decoded packet data.
• The uniq command reports or omits repeated lines
• The -c command prefixes lines by the number of occurrences
• The -r argument (in sort command) reverses the results of comparisons
• The -n compare according to string numerical value