Peter Luykx, posted July 28, 2020

Hello, I'm new to PS. When testing the TCPdump function, I see that not all packets are captured by PS. I ran the TCPDump in armed mode and after a minute I stopped the process; I see a lot of packets are dropped by the kernel. I did the same in bridged mode with the same result. Anybody an idea how I can collect all the packets? Maybe a better method? Or is PS too lightweight to capture all packets? Thanks in advance, Peter
Peter Luykx (author), posted August 3, 2020

Nobody who can help me?
Bob123, posted August 4, 2020

Can you give me a few examples and I can try to repeat the process with mine? I've only done a packet capture a few times and it seemed like it was all there... but that was several years ago. Thanks.
Peter Luykx (author), posted August 4, 2020

Hello Bob123, thank you for your reply. I will try to explain it. If you would like, I could make a screen video next time. I did the following. I have connected my computer to the Ethernet IN of the PS and Ethernet OUT to my router. I put the PS in armed mode. I opened SSH and typed

tcpdump -i eth0 -s 65535 -w /mnt/loot/tcpdump/traces.pcap

in the terminal window. I started downloading a file that is 700MB big. Of course I didn't actually download the whole file; I interrupted it at approximately 50MB. When I look at my loot folder, I see that my traces.pcap is only 7MB. When you stop the tcpdump command in the terminal window, I see the following message:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
8077 packets captured
66286 packets received by filter
58208 packets dropped by kernel

I have downloaded the payload from GitHub and adapted it a bit so tcpdump would make x files of y MB and loop, but the result stays the same. I have the idea that not all packets are captured, but dropped by the kernel.

#!/bin/bash
#
# Title: TCPDump
# Description: Dumps networking-data to USB storage. Completes on button-press or storage full.
# Author: Hak5
# Version: 1.0
# Category: sniffing
# Target: Any
# Net Mode: TRANSPARENT
# LEDs
#  SUCCESS: Dump complete
#  FAIL: No USB storage found

function monitor_space() {
    # Poll the USB storage every 5 s and stop the capture when less than
    # ~10 MB (10000 KiB in df units) is left
    while true
    do
        [[ $(df | grep /mnt | awk '{print $4}') -lt 10000 ]] && {
            kill $1
            LED G SUCCESS
            sync
            break
        }
        sleep 5
    done
}

function finish() {
    # Kill TCPDump and sync filesystem
    kill $1
    wait $1
    sync
    # Indicate successful shutdown
    LED R SUCCESS
    sleep 1
    # Halt the system
    LED OFF
    halt
}

function run() {
    /etc/init.d/sshd start &
    # Create loot directory
    mkdir -p /mnt/loot/tcpdump &> /dev/null
    # Set networking to TRANSPARENT mode and wait five seconds
    NETMODE BRIDGE
    sleep 5
    C2CONNECT
    # Start tcpdump on the bridge interface
    #tcpdump -i br-lan -s 0 -w /mnt/loot/tcpdump/dump_$(date +%Y-%m-%d-%H%M%S).pcap &>/dev/null &
    # Adapted: rotate through 50 files (-W) of 75 million bytes each (-C)
    tcpdump -i br-lan -s 65535 -w /mnt/loot/tcpdump/traces.pcap -W 50 -C 75 &>/dev/null &
    tpid=$!
    # Wait for button to be pressed (disable button LED)
    NO_LED=true BUTTON
    finish $tpid
}

# This payload will only run if we have USB storage
[[ ! -f /mnt/NO_MOUNT ]] && {
    LED ATTACK
    run &
    monitor_space $! &
} || {
    LED FAIL
}
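The summary quoted in the post (66286 received by filter, 58208 dropped by kernel) is the number to watch: it tells you how much of the traffic the capture file is missing, and a payload that reports SUCCESS on the LED while most packets were dropped gives a false sense of a complete capture. The script below is an added example and is not from the thread or from the Hak5 payload. It parses that summary into a drop percentage, flags a lossy capture against a threshold, and wraps a timed capture with two tuning options: a small snaplen so far less data per packet has to be written to slow USB storage, and a larger kernel buffer via `-B`. That `-B` is accepted and `-s 128` behaves this way on the Packet Squirrel's own tcpdump build is an assumption; both are standard tcpdump options on Linux. The sample summary is a constructed copy of the lines the poster quoted; `run_capture` needs root and a real interface and is not exercised by the sample.

```shell
#!/bin/sh
# Added example (not from the thread or the Hak5 payload): measure how much of
# the traffic a tcpdump run actually kept, using the summary tcpdump prints on
# stderr when it is interrupted, and wrap a capture with settings that lower
# kernel drops on a small device.

# Constructed sample: the summary lines quoted in the thread.
SAMPLE_STATS='tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
8077 packets captured
66286 packets received by filter
58208 packets dropped by kernel'

# drop_rate STATS_TEXT
# Prints the integer percentage of packets the kernel dropped; 0 if the
# summary is missing or nothing was received.
drop_rate() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv + 0 == 0) { print 0; exit }
            print int(drop * 100 / recv)
        }'
}

# capture_is_lossy STATS_TEXT [THRESHOLD_PERCENT]
# Succeeds (exit 0) when the drop rate exceeds the threshold (default 5%),
# so a payload can flag an incomplete capture instead of reporting success.
capture_is_lossy() {
    [ "$(drop_rate "$1")" -gt "${2:-5}" ]
}

# run_capture IFACE OUTFILE [SECONDS]
# Runs a timed capture and prints its drop rate. Assumptions, not verified on
# the Packet Squirrel's tcpdump build: -B takes the kernel capture buffer size
# in KiB, and -s 128 keeps only the first 128 bytes (headers) of each packet,
# so much less is written to USB storage per packet than with -s 65535.
# Requires root and a real interface.
run_capture() {
    iface="$1"; out="$2"; seconds="${3:-60}"
    stats="${out}.stats"
    tcpdump -i "$iface" -n -s 128 -B 8192 -w "$out" 2> "$stats" &
    pid=$!
    sleep "$seconds"
    kill -INT "$pid"      # SIGINT makes tcpdump flush and print its summary
    wait "$pid"
    drop_rate "$(cat "$stats")"
}

# Evaluate the constructed sample from the thread.
rate=$(drop_rate "$SAMPLE_STATS")
echo "kernel drop rate in sample: ${rate}%"
if capture_is_lossy "$SAMPLE_STATS"; then
    echo "capture is incomplete: lower the snaplen, raise the buffer, or write to faster storage"
fi
```

Run it once with the device's current flags and once with the tuned ones and compare the percentage; a capture that still loses packets with a small snaplen and a large buffer is limited by the link rate or the CPU rather than by storage, and no tcpdump flag will recover those packets.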