LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-29-2020, 02:35 PM   #1
walterbyrd
Member
 
Registered: Apr 2004
Posts: 734

Rep: Reputation: 46
Can tcpdump and/or wireshark and/or netcat forward traffic to another device?


If I exploited a host, and wanted to send traffic going to that host to another device, what would be the best tool to do that with?

I would think I could do that with tcpdump. Maybe also wireshark? I think netcat might be able to do this.

Any thoughts?
 
Old 03-30-2020, 12:04 PM   #2
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,692

Rep: Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274
see man tcpdump (or homepage):
Quote:
tcpdump, a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.
see man wireshark (or homepage):
Quote:
Wireshark is the world’s foremost and widely-used network protocol analyzer
How do you think they can forward any traffic?
netcat is probably a better choice, but I still do not understand what do you want to achieve
 
1 members found this post helpful.
Old 03-30-2020, 12:19 PM   #3
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011Reputation: 1011Reputation: 1011Reputation: 1011Reputation: 1011Reputation: 1011Reputation: 1011Reputation: 1011
The closest thing out of those examples I can think of is a reverse or bind shell using netcat. As pan64 mentioned, neither of the other tools is for that purpose. Google "reverse shell using netcat" and you'll get a bunch of examples. Host hacking is not my field of expertise so I cannot advise you there.
 
Old 04-08-2020, 01:11 PM   #4
walterbyrd
Member
 
Registered: Apr 2004
Posts: 734

Original Poster
Rep: Reputation: 46
I should have mentioned, I am studying for a certification exam.

I think I would be able to redirect with tcpdump. I know tcpdump with save packets, so why not forward them? Something like:

# tcpdump <options> <ipaddress> > /dev/otherdevice ?
 
Old 04-08-2020, 01:18 PM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713
If you have Bash or another shell which allows process substitution on the machine with wireshark, then you can use that. Here it is over SSH, but netcat or other similar methods should work, too:

Code:
wireshark -k -i <( ssh -f -q -i ~/.ssh/key_rsa \
        'sudo tcpdump -l -i eth0 -w - "not port 22"' )
You'll need to set /etc/sudoers.conf to allow tcpdump to run without a prompt for a password, or just use root directly.
 
Old 04-08-2020, 01:20 PM   #6
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,692

Rep: Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274Reputation: 7274
the redirection belongs to the shell, not the command (like tcpdump). You can redirect any command, like ls, ps, grep, whatever.
/dev/tcp/host/port is a bash builtin so bash allows to redirect output to another host.
 
Old 04-08-2020, 01:43 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713Reputation: 3713
On the machine sending the data:

Code:
tcpdump -pli eth0 -w - 'not port 22 and not port 4321' | nc 192.168.121.55 4321
On the machine receiving the data, which is using the IP address 192.168.121.55 in this example:

Code:
nc -l 192.168.121.55 4321 | tcpdump -l -r
Or

Code:
nc -l 192.168.121.55 4321 > othermachine.pcap
Look at the examples given in the manual page for netcat and for tcpdump pay special attention to using -r and -w for stdin and stdout.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark LXer Syndicated Linux News 0 02-26-2017 11:51 PM
I've found tcpdump tagged as 'Installed' in PPM, why I can't find a tcpdump command ? illidan.modeler Puppy 1 09-07-2013 07:50 AM
how do I setup wireshark to capture traffic from another computer shawn1 Linux - Networking 17 09-26-2012 02:24 PM
netcat / tcpdump howto do saavik Linux - Networking 9 09-18-2007 05:34 AM
Want to know method wireshark or tcpdump to capture packet? haxpor Programming 1 04-12-2007 01:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration