Wireshark: Difference between revisions
No edit summary |
No edit summary |
||
| Line 25: | Line 25: | ||
ssh bitpost | ssh bitpost | ||
emacs /etc/ssh/sshd_config # remove root from AllowUsers | emacs /etc/ssh/sshd_config # remove root from AllowUsers | ||
=== Over X === | |||
Not sure a good idea... | |||
m@mbehrnsm-red:~$ ssh -Y jrh1 | |||
ec2-user@ip-172-31-29-104:~$ sudo su - | |||
[root@ip-172-31-29-104 ~]# xauth add $(xauth -f ~ec2-user/.Xauthority list|tail -1) | |||
[root@ip-172-31-29-104 ~]# wireshark& | |||
Latest revision as of 13:35, 28 February 2018
Guidelines
- LEARN HOW TO FILTER, or be overwhelmed
- You can't see url path or query params when using https, they are encrypted
Remote monitoring
It's not too hard to monitor another machine that may not have X on it.
First you have to TEMPORARILY allow [ssh root] on the exposed server, DO NOT LEAVE THIS ON:
ssh bitpost emacs /etc/ssh/sshd_config # add root to AllowUsers
Then on the monitoring box, set up a shared pipe, use ssh to route a tcpdump, and capture it in wireshark.
ssh viper sudo su - mkfifo /tmp/bitpost_443 # make a shared pipe wireshark -k -i /tmp/bitpost_443 ssh bitpost "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/bitpost_443
CLEANUP
- remove pipe
ssh viper && sudo rm /tmp/bitpost_443
- FIX THE EXPOSED SERVER to disable [ssh root]:
ssh bitpost emacs /etc/ssh/sshd_config # remove root from AllowUsers
Over X
Not sure a good idea...
m@mbehrnsm-red:~$ ssh -Y jrh1 ec2-user@ip-172-31-29-104:~$ sudo su - [root@ip-172-31-29-104 ~]# xauth add $(xauth -f ~ec2-user/.Xauthority list|tail -1) [root@ip-172-31-29-104 ~]# wireshark&