DaemonForums - Guides (All Guides and HOWTO's)

Capturing leaked RFC 1918 private addresses with tcpdump
Posted by J65nko (Administrator), 7th February 2014

While checking a /var/log/pflog file on a server in a data center, I noticed that some blocked packets had RFC 1918 addresses as their source address.
Addresses of this type should not be routed over the public internet. See https://en.wikipedia.org/wiki/RFC_1918 for some info.

The technical department of the data center asked if I could provide the MAC addresses. When using tcpdump on a regular NIC, the -e option will show these.

Without the -e option tcpdump produces output like:
Code:
# tcpdump -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:26:46.733389 192.168.222.20.38551 > 192.168.222.10.53: 34100+ A? www.google.com. (32)
02:26:46.746836 192.168.222.10.53 > 192.168.222.20.38551: 34100 6/0/0 A 74.125.195.105, A 74.125.195.147,[|domain]
With that option:
Code:
# tcpdump -e -ni fxp0 port 53
tcpdump: listening on fxp0, link-type EN10MB
02:30:58.130165 00:1f:33:f1:ff:f9 00:08:c7:05:ca:0b 0800 71: 192.168.222.20.25142 > 192.168.222.10.53: 38983+ A? openbsd.org. (29)
02:30:58.130755 00:08:c7:05:ca:0b 00:1f:33:f1:ff:f9 0800 87: 192.168.222.10.53 > 192.168.222.20.25142: 38983 1/0/0 A 199.185.137.3 (45)
Using -e on /var/log/pflog:
Code:
# tcpdump -enr /var/log/pflog | less

21:40:26.900734 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 30
21:40:26.920243 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
21:40:26.920667 rule 34/(match) block in on xl0: 220.76.215.195.38002 > 77.175.189.74.54044: udp 20
So instead of the MAC address, this option shows the pf.conf rule that triggered the logging.

So I had to come up with something else.

The following small script runs tcpdump(8) with an expression that instructs it to only capture RFC 1918 addresses. I also added the 169.254.0.0/16 network, which Windows computers use if they do not get a DHCP offer.


Code:
#!/bin/sh
# checkRFC1918 - capture frames with an RFC 1918 (or 169.254/16) source
# address, keeping the Ethernet header so the source MAC can be read back
# later with 'tcpdump -enr'.

#NIC=vtnet0
NIC=re0

LOG="rfc1918.pcap"
DIR="/var/log"
LOGFILE="$DIR/$LOG"

# tcpdump filter expression: the three RFC 1918 networks plus the
# 169.254.0.0/16 link-local range Windows hosts fall back to without DHCP
select="\
   src net 10.0.0.0/8 \
or src net 192.168.0.0/16 \
or src net 172.16.0.0/12 \
or src net 169.254.0.0/16
"
echo Installing log file : $LOGFILE ...
# keep the previous capture as .old instead of overwriting it
if [ -f ${LOGFILE} ] ; then
   echo $0 : saving  ${LOGFILE} into  ${LOGFILE}.old ...
   mv ${LOGFILE} ${LOGFILE}.old
fi

# -- for FreeBSD
##install -D ${DIR} -m 660 /dev/null ${LOG}

# --- for OpenBSD: create an empty log file with mode 660
install -m 660 /dev/null ${LOGFILE}

echo $0: Starting tcpdump ...

# -tttt: full date/time stamps, -s256: snaplen of 256 bytes (enough for the
# headers), -w: write raw frames including the link-layer header.
# ${select} is deliberately left unquoted so each word becomes its own argument.
tcpdump -tttt -s256 -en -i ${NIC} -w ${LOGFILE} ${select} &

echo
pgrep tcpdump
ps -aux | grep tcpdump
# --- end of script
Running it:
Code:
#  ./checkRFC1918 
Installing log file : /var/log/rfc1918.pcap ...
./checkRFC1918 : saving /var/log/rfc1918.pcap into /var/log/rfc1918.pcap.old ...
./checkRFC1918: Starting tcpdump ...

38638
tcpdump: listening on vtnet0, link-type EN10MB (Ethernet), capture size 256 bytes
root    38638   0.0  0.4  20060  4140  1  S+    1:56AM     0:00.00 tcpdump -tttt -s256 -en -i vtnet0 -w /var/log/rfc1918.pcap src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net 172.16.0.0/12

#  ls -l /var/log/rfc1918.pcap*
-rw-rw----  1 root  wheel     0 Feb  7 01:56 /var/log/rfc1918.pcap
-rw-rw----  1 root  wheel  5230 Feb  7 01:22 /var/log/rfc1918.pcap.old
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 7th February 2014 at 02:11 AM.
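As an added example (not part of J65nko's post or his script), the following Python program reads the rfc1918.pcap file that the script writes and reports, for every RFC 1918 or 169.254/16 source address, the Ethernet source MAC and the number of frames seen, which is exactly what the data center asked for. Because tcpdump -w stores the raw frame including the Ethernet header, the MAC is recoverable from the file even though the -e option has no effect while writing. The program parses the classic pcap format with the standard library only, so it runs offline; the built-in SAMPLE_PCAP is constructed test data (it reuses the MAC and IP addresses shown in the post plus made-up ones), not a real capture.

```python
"""Report Ethernet source MACs for frames whose IPv4 source is an RFC 1918
or 169.254/16 address, read from a classic pcap file written by tcpdump -w."""
import ipaddress
import struct
import sys
from collections import Counter

# Same networks as the tcpdump filter expression in the capture script.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def is_private_v4(addr):
    """True if the dotted-quad string falls in one of PRIVATE_NETS."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) from a classic pcap file, either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec, little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # usec / nsec, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet (EN10MB) link type")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                              # truncated record (tcpdump still writing)
        off += incl_len
        yield ts_sec, frame


def leaked_sources(pcap_bytes):
    """Return a Counter of (src_mac, src_ip) for frames with a private IPv4 source."""
    counts = Counter()
    for _ts, frame in iter_pcap_records(pcap_bytes):
        if len(frame) < 14 + 20:               # Ethernet + minimal IPv4 header
            continue
        _dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
        if ethertype != ETHERTYPE_IPV4:        # 802.1Q-tagged or non-IPv4: skipped
            continue
        if frame[14] >> 4 != 4:                # IP version nibble
            continue
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))   # src addr at IP offset 12
        if is_private_v4(src_ip):
            mac = ":".join("%02x" % b for b in src_mac)
            counts[(mac, src_ip)] += 1
    return counts


# --- constructed sample data below: NOT a real capture -------------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a minimal Ethernet/IPv4/UDP frame (checksum left zero; test data only)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", 38002, 54044, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with snaplen 256."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1391738400 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


SAMPLE_PCAP = build_pcap([
    build_frame("00:1f:33:f1:ff:f9", "00:08:c7:05:ca:0b", "192.168.222.20", "77.175.189.74"),
    build_frame("00:1f:33:f1:ff:f9", "00:08:c7:05:ca:0b", "192.168.222.20", "77.175.189.74"),
    build_frame("00:aa:bb:cc:dd:ee", "00:08:c7:05:ca:0b", "10.1.2.3", "77.175.189.74"),
    build_frame("00:11:22:33:44:55", "00:08:c7:05:ca:0b", "220.76.215.195", "77.175.189.74"),  # public source, ignored
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (mac, ip), n in leaked_sources(data).most_common():
        print("%s  %-15s  %d" % (mac, ip, n))
```

Run it as python3 leaked_macs.py /var/log/rfc1918.pcap on a real capture; without an argument it runs on the embedded sample. Note that the MAC reported is the last hop that put the frame on your segment, so on a server in a data center it will usually be the provider's router rather than the misconfigured host itself, which is why the MAC is useful to the data center's own network staff. VLAN-tagged frames are skipped by this version, which matters if the NIC sees 802.1Q traffic.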
Tags
pf.conf, pflog, rfc 1918, tcpdump