OT: Win32 app to read/interpret tcpdump file [7:1568]
I can tie this slightly on topic, but it's really not (but no doubt someone here will know). I've got a box that was hacked yesterday (not a box I admin or even have passwords to, but one on my network). Someone is using it for a drop box for ftp. For now, I've just killed everything with blocking incoming ftp and outgoing ftp-data to the box until the clueless admin can fix it (same CCNA I've complained about before).

Oh, get this, this same clueless CCNA was told by a customer last week that they didn't want to talk to him anymore when he argued with them when the customer asked for the speed and number their ISDN router was calling, and he told them ISDN doesn't dial. I smoothed it all over and solved it (PBI/SBC had "lost" their password and was rejecting login).

I've got my own personal linux box on which I've saved some raw tcpdump captures of the transfers (just after I remove the ACL block and see a few logins occur), but I don't have anything that can view it intelligently. Sniffer Pro just says it's a file format it doesn't recognize (if I could get Sniffer Pro on the subnet, I could solve this real easy, but I don't feel like driving in to solve a problem that's not mine). So, what I want to see is the actual ftp (tcp/21) session info (how they are logging in, where they are going and what they are downloading). From what I can tell in the gibberish file, it looks like they're logging in anonymously and going to vti_cfg and downloading vti_log from somewhere, and possibly something with local drives (c, d, e, etc.). Got me, but I figure I should solve as much of this as I can before this clueless admin gets into the box and wipes out the evidence without knowing it. Anyone have a Win32 app that can read tcpdump raw capture files?

Oh, I noticed this as all of our T1s' outgoing bandwidth was locked solid at 189K as of last night.
It all came from a single ethernet interface, and I know there are only 5 devices on that subnet (2 nameservers I maintain, my personal linux box, pix firewall, and this stupid iis box that this admin refuses to put behind the pix saying he has it secure. Hehee, guess where that box will be by the end of tomorrow?).

Here's my on topic tie-in explaining what I blocked for all those wanting to learn about ACLs! e0/0 is where the hacked box is, the serial ports go out to our different ISPs (also, this shows how to add/modify an ACL without locking yourself out, in other words, remove it from the interfaces first, then modify, then re-apply it):

int s0/1
 no ip access-group 199 in
int s1/1
 no ip access-group 199 in
int s1/2
 no ip access-group 199 in
no access-list 199
access-list 199 permit tcp host 63.206.176.163 host 207.92.43.210 eq ftp   ; let my box in
access-list 199 deny tcp any host 207.92.43.210 eq ftp
!access-list 199 deny tcp any host 207.92.43.210   ; I used this at first to just kill it all
access-list 199 permit ip any any
int s0/1
 ip access-group 199 in
int s1/1
 ip access-group 199 in
int s1/2
 ip access-group 199 in
int e0/0
 no ip access-group 198 in
no access-list 198
access-list 198 permit tcp host 207.92.43.210 eq ftp-data host 63.206.176.163   ; let my box in
access-list 198 deny tcp host 207.92.43.210 eq ftp-data any
access-list 198 permit ip any any
int e0/0
 ip access-group 198 in

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1568&t=1568
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Win32 app to read/interpret tcpdump file [7:1568]
> the evidence without knowing it. Anyone have a Win32 app that can read
> tcpdump raw capture files?

Try http://www.ethereal.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1570&t=1568
Re: Win32 app to read/interpret tcpdump file [7:1568]
Very cool, worked like a charm.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

"Mike Taylor" wrote in message news:[EMAIL PROTECTED]...
> > the evidence without knowing it. Anyone have a Win32 app that can read
> > tcpdump raw capture files?
>
> Try http://www.ethereal.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1572&t=1568
Re: OT: Win32 app to read/interpret tcpdump file [7:1568]
On Mon, 23 Apr 2001, Jason J. Roysdon wrote:

> the evidence without knowing it. Anyone have a Win32 app that can read
> tcpdump raw capture files?

I take it that tcpdump -r won't do?

> refuses to put behind the pix saying he has it secure. Hehee, guess where
> that box will be by the end of tomorrow?).

In a dumpster, pinning its former maintainer face down in stinky, slimy garbage? :-)

--
"Someone approached me and asked me to teach a javascript course. I was about to decline, saying that my complete ignorance of the subject made me unsuitable, then I thought again, that maybe it doesn't, as driving people away from it is a desirable outcome." --Me

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1579&t=1568
Re: OT: Win32 app to read/interpret tcpdump file [7:1568]
I can read them back in, but what I wanted to be able to do was view the ASCII information being passed back and forth (username login, and all user commands/server responses like CWD & RETR). I couldn't find an easy way to do this with tcpdump (the raw dump to a file with -w isn't something that cat could just display, or even wordpad after I transferred it over). Ethereal was able to open the file just fine and give me the low-level decodes I needed, and I found the account (anonymous) and directory (/_vty_pvt) and file (rzr-ress.). I get a permission denied when I try to retrieve it. If I remove the ACL block for even a second a ton of remote ftp clients will try to connect and start transferring the file again. I've emailed the clueless admin so he can find the file. I'm guessing it's some huge mpeg/avi movie file or possibly some other warez.

You know, I wonder just how useful a warm body that can't follow directions is sometimes. *shrug* Dumpster idea is good, but customers would complain about their websites being down, and eventually someone would find it. Although, we wouldn't notice the difference in work load, except maybe not so much cleanup work ;-)

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/

"ElephantChild" wrote in message news:[EMAIL PROTECTED]...
> On Mon, 23 Apr 2001, Jason J. Roysdon wrote:
>
> > the evidence without knowing it. Anyone have a Win32 app that can read
> > tcpdump raw capture files?
>
> I take it that tcpdump -r won't do?
>
> > refuses to put behind the pix saying he has it secure. Hehee, guess where
> > that box will be by the end of tomorrow?).
>
> In a dumpster, pinning its former maintainer face down in stinky, slimy
> garbage? :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=1603&t=1568
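Ethereal settled it in the thread; as an added example (not code from the thread, tcpdump or Ethereal), here is a small Python reader for the libpcap file that tcpdump -w writes, which pulls out the ASCII FTP control channel (tcp/21) so the login, CWD and RETR lines Jason was after can be read without a GUI decoder. It assumes plain Ethernet/IPv4/TCP frames, and the sample capture at the bottom is constructed inline with placeholder hosts.

```python
import struct

LE_MAGIC, BE_MAGIC = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"

def iter_packets(data):
    """Yield link-layer frames from libpcap bytes; both byte orders are handled."""
    if data[:4] not in (LE_MAGIC, BE_MAGIC):
        raise ValueError("not a libpcap (tcpdump -w) capture")
    end, off = ("<" if data[:4] == LE_MAGIC else ">"), 24  # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]  # captured length
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_payload(frame, port=21):
    """(src, dst, payload) for Ethernet/IPv4/TCP frames touching `port`, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or not TCP (IP protocol 6)
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if port not in (sport, dport):
        return None
    data_offset = (tcp[12] >> 4) * 4  # TCP header length, skips any options
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), tcp[data_offset:]

def ftp_session(data):
    """Control-channel text as 'src -> dst: line' entries, in capture order."""
    out = []
    for frame in iter_packets(data):
        hit = tcp_payload(frame)
        if hit and hit[2]:
            src, dst, payload = hit
            out += [f"{src} -> {dst}: {line}" for line in payload.decode("ascii", "replace").splitlines()]
    return out

def make_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed sample capture; the 10.0.0.x hosts are placeholders, not the thread's.
SAMPLE = LE_MAGIC + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
for f in (make_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"USER anonymous\r\n"),
          make_frame("10.0.0.9", "10.0.0.5", 21, 40000, b"331 Guest login ok\r\n"),
          make_frame("10.0.0.5", "10.0.0.9", 40000, 21, b"CWD /_vty_pvt\r\nRETR rzr-ress.\r\n")):
    SAMPLE += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
```

Point it at a real file with ftp_session(open("capture", "rb").read()); frames that are not plain Ethernet/IPv4/TCP (VLAN-tagged, other link types) are skipped rather than decoded.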