Wireshark

From Bitpost wiki
Latest revision as of 13:35, 28 February 2018

Guidelines

  • LEARN HOW TO FILTER, or be overwhelmed
  • You can't see the URL path or query parameters when using HTTPS; they are encrypted

Remote monitoring

It's not too hard to monitor another machine that may not have X on it.

First you have to TEMPORARILY allow [ssh root] on the exposed server. DO NOT LEAVE THIS ON:

   ssh bitpost
   emacs /etc/ssh/sshd_config # add root to AllowUsers

Then on the monitoring box, set up a shared pipe (a fifo), use ssh to route a tcpdump stream into it, and read it in wireshark. Start wireshark before the ssh command, because writing to the fifo blocks until a reader has opened it.

   ssh viper
   sudo su -
   mkfifo /tmp/bitpost_443 # make a shared pipe
   wireshark -k -i /tmp/bitpost_443
   ssh bitpost "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/bitpost_443

CLEANUP

  • remove pipe (the rm has to run on viper, where the fifo lives, not locally after the ssh session ends)
   ssh viper
   sudo rm /tmp/bitpost_443
  • FIX THE EXPOSED SERVER to disable [ssh root]:
   ssh bitpost
   emacs /etc/ssh/sshd_config # remove root from AllowUsers
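The same fifo + ssh + tcpdump + wireshark procedure wrapped in a script, as an added example that is not from this wiki page. It always removes the pipe on exit and runs tcpdump through sudo on the capture host, so root ssh login never has to be enabled (it assumes a non-root account on the target that is allowed to run sudo tcpdump; host names, interface and pipe path are the placeholders used above).

```bash
#!/usr/bin/env bash
# Added example, not the wiki's own commands. Assumes the login user on the
# capture host may run "sudo tcpdump"; no root ssh login is needed.

# Build the remote tcpdump command. "not port 22" keeps the ssh session that
# carries the capture out of the capture itself (otherwise it feeds back).
remote_capture_cmd() {
    local iface="$1" filter="$2"
    printf 'sudo tcpdump -s 0 -U -n -w - -i %s %s' "$iface" "$filter"
}

# Create the fifo owner-only; refuse to reuse a path that already exists.
make_pipe() {
    local pipe="$1"
    if [ -e "$pipe" ]; then
        echo "refusing to reuse existing path $pipe" >&2
        return 1
    fi
    mkfifo -m 600 "$pipe"
}

# Start wireshark on the fifo first (a writer blocks until a reader opens it),
# then stream tcpdump output from the remote host into the pipe.
remote_capture() {
    local host="$1" iface="$2" pipe="$3" filter="${4:-not port 22}"
    make_pipe "$pipe" || return 1
    # Remove the pipe however we leave: wireshark closed, Ctrl-C, ssh dropped.
    trap 'rm -f "$pipe"' EXIT INT TERM
    wireshark -k -i "$pipe" &
    ssh "$host" "$(remote_capture_cmd "$iface" "$filter")" > "$pipe"
    wait
}

# Usage (placeholder names from the page):
#   remote_capture bitpost eth0 /tmp/bitpost_443 'not port 22'
```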

Over X

Not sure this is a good idea...

   m@mbehrnsm-red:~$ ssh -Y jrh1
   ec2-user@ip-172-31-29-104:~$ sudo su -
   [root@ip-172-31-29-104 ~]# xauth add $(xauth -f ~ec2-user/.Xauthority list|tail -1)
   [root@ip-172-31-29-104 ~]# wireshark&