Old 7th February 2014
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Capturing leaked RFC 1918 private addresses with tcpdump

While checking the /var/log/pflog file on a server in a data center, I noticed that some blocked packets had RFC 1918 addresses as their source address.
These addresses should not be routed over the public internet. See https://en.wikipedia.org/wiki/RFC_1918 for some info.

The technical department of the data center asked if I could provide the MAC addresses. When using tcpdump on a regular NIC, the -e option will show these.

Without the -e option tcpdump produces output like:
Code:
#  tcpdump -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:26:46.733389 192.168.222.20.38551 > 192.168.222.10.53: 34100+ A? www.google.com. (32)
02:26:46.746836 192.168.222.10.53 > 192.168.222.20.38551: 34100 6/0/0 A 74.125.195.105, A 74.125.195.147,[|domain]
With that option:
Code:
# tcpdump -e -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:30:58.130165 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25142 > 192.168.222.10.53: 38983+ A? openbsd.org. (29)
02:30:58.130755 00:08:c7:05:ca:0b 00:1f:33:f1:ff:f9 0800 87: 192.168.222.10.53 > 192.168.222.20.25142: 38983 1/0/0 A 199.185.137.3 (45)
Using -e on /var/log/pflog:
Code:
# tcpdump -enr /var/log/pflog | less

21:40:26.900734 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 30
21:40:26.920243 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
21:40:26.920667 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
So instead of the MAC address, this option shows the pf.conf rule that triggered the logging.

So I had to come up with something else.

The following small script runs tcpdump(8) with an expression that instructs it to only capture packets with RFC 1918 source addresses. I also added the 169.254.0.0/16 network that Windows computers use if they do not get a DHCP offer.


Code:
#!/bin/sh
# Capture packets whose source address is RFC 1918 (or 169.254.0.0/16)
# into a pcap file, so the MAC addresses can be read back later with
# "tcpdump -enr".

#NIC=vtnet0
NIC=re0

LOG="rfc1918.pcap"
DIR="/var/log"
LOGFILE="$DIR/$LOG"

# tcpdump capture filter: only packets sourced from one of these networks
select="\
   src net 10.0.0.0/8 \
or src net 192.168.0.0/16 \
or src net 172.16.0.0/12 \
or src net 169.254.0.0/16
"
echo "Installing log file : $LOGFILE ..."
if [ -f "${LOGFILE}" ] ; then
   # keep the previous capture instead of overwriting it
   echo "$0 : saving ${LOGFILE} into $LOGFILE.old ..."
   mv "${LOGFILE}" "$LOGFILE.old"
fi

# --- for FreeBSD
##install -D ${DIR} -m 660 /dev/null ${LOG}

# --- for OpenBSD: create an empty capture file, readable by owner and group only
install -m 660 /dev/null "${LOGFILE}"

echo "$0: Starting tcpdump ..."

# -s256 captures the first 256 bytes of each packet, -w writes the raw frames
# (link-level headers included) to the pcap file; -tttt, -e and -n only affect
# printed output. ${select} is left unquoted so the filter is split into words.
tcpdump -tttt -s256 -en -i ${NIC} -w "${LOGFILE}" ${select} &

echo
pgrep tcpdump
ps -aux | grep tcpdump
# --- end of script
Running it:
Code:
#  ./checkRFC1918 
Installing log file : /var/log/rfc1918.pcap ...
./checkRFC1918 : saving /var/log/rfc1918.pcap into /var/log/rfc1918.pcap.old ...
./checkRFC1918: Starting tcpdump ...

38638
tcpdump: listening on vtnet0, link-type EN10MB (Ethernet), capture size 256 bytes
root    38638   0.0  0.4  20060  4140  1  S+    1:56AM     0:00.00 tcpdump -tttt -s256 -en -i vtnet0 -w /var/log/rfc1918.pcap src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net 172.16.0.0/12

#  ls -l /var/log/rfc1918.pcap*
-rw-rw----  1 root  wheel     0 Feb  7 01:56 /var/log/rfc1918.pcap
-rw-rw----  1 root  wheel  5230 Feb  7 01:22 /var/log/rfc1918.pcap.old
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

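The capture above keeps the Ethernet headers, so the source MAC addresses the data center asked for can be pulled out of the pcap afterwards. The following script is an added example, not part of the original post: it parses a classic pcap file (link-type EN10MB) with only the Python standard library and tallies the (source MAC, source IP) pairs whose IP falls in the same RFC 1918 / 169.254.0.0/16 networks the script filters on. The sample capture it runs on is constructed inline; the MAC 0a:0b:0c:0d:0e:0f and the 169.254.7.7 host are made up.

```python
import struct
import ipaddress
from collections import Counter

# RFC 1918 ranges plus 169.254.0.0/16, the same networks the capture filter uses
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def private_sources(pcap_bytes):
    """Count (src_mac, src_ip) pairs of IPv4 frames with a private source address.
    Handles classic pcap in either byte order, link-type EN10MB, untagged frames."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", pcap_bytes[:24])[6]
    if linktype != 1:
        raise ValueError("expected link-type EN10MB (1)")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # need Ethernet header (14) plus the IPv4 header through the source address
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src_ip = ipaddress.ip_address(frame[26:30])
        if any(src_ip in net for net in PRIVATE_NETS):
            src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
            hits[(src_mac, str(src_ip))] += 1
    return hits

# --- constructed sample capture (not real traffic): Ethernet + bare IPv4 header ---
def _frame(src_mac_hex, src_ip):
    eth = bytes.fromhex("0008c705ca0b") + bytes.fromhex(src_mac_hex) + b"\x08\x00"
    ip4 = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 17, 0, 0])  # checksum left at 0
    return eth + ip4 + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address("77.175.189.74").packed

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, 1)  # snaplen 256, EN10MB
    recs = [struct.pack("<IIII", 1391738160, i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

SAMPLE_PCAP = _pcap([
    _frame("001f33f1fff9", "192.168.222.20"),   # leaked RFC 1918 source
    _frame("001f33f1fff9", "192.168.222.20"),
    _frame("0a0b0c0d0e0f", "169.254.7.7"),      # host that never got a DHCP lease
    _frame("0a0b0c0d0e0f", "220.76.215.195"),   # public source, must be ignored
])

if __name__ == "__main__":
    for (mac, ip), n in private_sources(SAMPLE_PCAP).most_common():
        print(f"{n:6d}  {mac}  {ip}")
```

To run it against the real capture, read /var/log/rfc1918.pcap into bytes and pass it to private_sources().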