All posts tagged tcpdump

Lucas,  one of the amazing guys I work with, built this script to automatically configure CentOS systems to capture packets. On a large distributed network packet captures are a must to troubleshoot network problems as well as do incident response. This script reduced the total time it takes to configure a system to do packet captures and reduces errors since all of the configurations are the same.

As advertised, it is designed and tested on CentOS but should work on Red Hat Linux and any of the derivative systems as well.

I was on an assessment this week just second checking some scanner results and I ran across an interesting page (Figure 1).

cgi-bin in URL

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought that it might be worth giving it a second look for shellshock. Shellshock is the awesome brand name for CVE-2014-6271 which is a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS so I did a simple Nmap scan (Figure 2).

Nmap results for web server

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and application vector to attack so I fired up Burp Suite and captured a request to the application (Figure 3).

Request to R2 web application

Figure 3: Request to R2 web application

Knowing that I couldn’t due a Bash one-liner or upload any code to the system due to the restrictions I decided to start a tcpdump session looking for traffic from the remote host tcpdump host (Figure 5) and modified the User-Agent string ( ) { :; }; /bin/bash “ping -c 10” before forwarding the request on.

Shellshocking the User-Agent

Figure 4: Shellshocking the User-Agent

tcpdump filtered for vulnerable host

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled so the -c 10 option instructed it to only send 10 instead of pinging until the end of time. If this was a true penetration test instead of sending a ping command I would have used a bash one-liner to get an interactive shell. This was my first in the wild shellshock so it was still pretty fun.