
Project 14: Using hackthebox to learn tcpdump

  • Writer: Ben Lee
  • Jul 19, 2023
  • 2 min read

Today, I'll be using hackthebox academy to learn the fundamentals of tcpdump. Along with excellent study material, this platform also provides a virtual machine named the 'pwnbox' which I have paid to rent.



Task #1

Validate Tcpdump is installed on our machine.


To do this, I used the command 'which tcpdump'.


Task #2

Start a capture.


Once we know tcpdump is installed, we are ready to start our first capture. If we are unsure of what interfaces we have to listen from, we can utilize a built-in switch to list them all for us.


Which tcpdump switch is used to show us all possible interfaces we can listen to?


To see the available interfaces, I use the '-D' switch.


Task #3

Utilize Basic Capture Filters.


Now that we can capture traffic, let us modify how that information is presented to us. We will accomplish this by adding verbosity to our output and displaying contents in ASCII and Hex. Once we complete this task, attempt it again using other switches.


To add verbosity and display the output in ASCII and Hex, I used the switch '-vX'.


Task #4

Save a Capture to a .PCAP file.


Now it is up to us how we wish to capture and see the output. Remember, when utilizing capture filters, it will modify what we get. Grab our first full capture from the wire, and save it to a PCAP file. This will be a sample to baseline the enterprise network.


I named my file 'test.pcap' and used the command 'sudo tcpdump -i eth0 -vX -w /home/test/pcap'.


Task #5

Read the Capture from a .PCAP file.


Our team members have given us a PCAP they captured while surveying another section of the enterprise, read the PCAP file into tcpdump, and modify our view of the PCAP to help us determine what is happening. We can disable hostname and port resolution for simplicity and ensure we see any TCP sequence and acknowledgment numbers in absolute values. For the sake of the lab, utilize the PCAP file we created in the previous step for this task.


To disable hostname & port resolution, I used the switch '-nn', and to output the TCP sequences in absolute values, I used the switch '-S'.
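To make Tasks #4 and #5 concrete, here is an added example (my own code, not part of the HTB lab) that writes a minimal .pcap file containing two constructed TCP packets of one flow, then reads it back and prints the packets the way 'tcpdump -nn -r test.pcap' summarises them, once with the default relative sequence numbers and once in absolute form as '-S' shows them. It assumes the classic little-endian libpcap format with an Ethernet link type, and the summary is simplified (no timestamps, no seq ranges or lengths).

```python
import os, socket, struct, tempfile
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # little-endian pcap magic, Ethernet link type
TCP_FLAGS = (("F", 1), ("S", 2), ("R", 4), ("P", 8), (".", 16))  # tcpdump's flag letters, in its order

def build_tcp(src, dst, sport, dport, seq, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (sample data; checksums left at zero)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload

def write_pcap(path, frames):                             # what "tcpdump -w" produces, minimally
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):               # 16-byte record header + frame bytes
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)

def read_pcap(path, absolute=True):
    """Return tcpdump -nn style lines; absolute=True mimics -S, False mimics the default."""
    lines, isn = [], {}
    with open(path, "rb") as f:
        assert struct.unpack("<I", f.read(4))[0] == PCAP_MAGIC, "unsupported pcap magic/endianness"
        f.read(20)                                        # skip the rest of the global header
        while rec := f.read(16):
            caplen = struct.unpack("<IIII", rec)[2]
            ip = f.read(caplen)[14:]                      # strip the Ethernet header
            if ip[9] != 6:
                continue                                  # only TCP is summarised here
            ihl = (ip[0] & 0x0F) * 4
            src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
            sport, dport, seq, _, _, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
            flow = (src, sport, dst, dport)
            if flags & 2:
                isn[flow] = seq                           # SYN: remember the initial sequence number
            elif not absolute and flow in isn:
                seq -= isn[flow]                          # default tcpdump view: relative to the ISN
            fl = "".join(c for c, bit in TCP_FLAGS if flags & bit)
            lines.append(f"IP {src}.{sport} > {dst}.{dport}: Flags [{fl}], seq {seq}")
    return lines

def demo():                                               # two constructed packets of one flow
    path = os.path.join(tempfile.gettempdir(), "test.pcap")
    write_pcap(path, [build_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 0x12345678, 0x02),
                      build_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 0x12345679, 0x18, b"GET / HTTP/1.0\r\n")])
    return read_pcap(path, absolute=False), read_pcap(path, absolute=True)

if __name__ == "__main__":
    relative, absolute = demo()
    print("\n".join(relative), "\n--- same capture with -S ---\n" + "\n".join(absolute))
```

The second packet prints as 'seq 1' in the default view and as the full 32-bit number with '-S', which is why absolute mode is useful when correlating packets across separate captures.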


I finished the tasks; now it's time for the questions.


Done! Was decently tough (especially at the end).

