~a14m/HTB

e8df2d855d7d8f6b6d9353fc8f412c1702c78b54 — a14m 2 years ago cd1e730 master
Add the network analysis cheatsheet
1 files changed, 129 insertions(+), 0 deletions(-)

A cheatsheets/Netrwork-Analysis.md
A cheatsheets/Netrwork-Analysis.md => cheatsheets/Netrwork-Analysis.md +129 -0
@@ 0,0 1,129 @@
# Cheat Sheet

Keep in mind, unless you are utilizing root, `sudo` privileges will be required to execute any applications that need to bind a network interface or set it into promiscuous mode. 

## Tcpdump
| **Command**   | **Description**   |
| --------------|-------------------|
| `tcpdump --version` | Prints the tcpdump and libpcap version strings then exits. |
| `tcpdump -h` | Prints the help and usage information. |
| `tcpdump -D` | Prints a list of usable network interfaces from which tcpdump can capture. |
| `tcpdump -i (interface name or #)` | Executes tcpdump and utilizes the interface specified to capture on. |
| `tcpdump -i (int) -w file.pcap` | Runs a capture on the specified interface and writes the output to a file. |
| `tcpdump -r file.pcap` | TCPDump will read the output from a specified file. |
| `tcpdump -r/-w file.pcap -l \\| grep 'string'` | TCPDump will utilize the capture traffic from a live capture or a file and set stdout as line-buffered. We can then utilize pipe (\\|) to send that output to other tools such as grep to look for strings or specific patterns. |
| `tcpdump -i (int) host (ip)` | TCPDump will start a capture on the interface specified at (int) and will only capture traffic originating from or destined to the IP address or hostname specified after `host`.|
| `tcpdump -i (int) port (#)` | Will filter the capture for anything sourcing from or destined to port (#) and discard the rest. |
| `tcpdump -i (int) proto (#)` | Will filter the capture for any protocol traffic matching the (#). For example, (6) would filter for any TCP traffic and discard the rest. |
| `tcpdump -i (int) (proto name)` | Will utilize a protocols common name to filter the traffic captured. TCP/UDP/ICMP as examples. |

## Tcpdump Common Switches and Filters
| **Switch/Filter**   | **Description**   |
| --------------|-------------------|
| `D` | Will display any interfaces available to capture from.       |
| `i` | Selects an interface to capture from. ex. -i eth0         |
| `n` | Do not resolve hostnames.         |
| `nn` | Do not resolve hostnames or well-known ports.         |
| `e` | Will grab the ethernet header along with upper-layer data.       |
| `X` | Show Contents of packets in hex and ASCII.        |
| `XX` | Same as X, but will also specify ethernet headers. (like using Xe)        |
| `v, vv, vvv` | Increase the verbosity of output shown and saved.         |
| `c` | Grab a specific number of packets, then quit the program.          |
| `s` | Defines how much of a packet to grab.         |
| `S` | change relative sequence numbers in the capture display to absolute sequence numbers. (13248765839 instead of 101)        |
| `q` | Print less protocol information.          |
| `r file.pcap` | Read from a file.         |
| `w file.pcap` | Write into a file     |
| `host` | Host will filter visible traffic to show anything involving the designated host. Bi-directional    |
| `src / dest` |`src` and `dest` are modifiers. We can use them to designate a source or destination host or port.    |
| `net` |`net` will show us any traffic sourcing from or destined to the network designated. It uses / notation.    |
| `proto` |will filter for a specific protocol type. (ether, TCP, UDP, and ICMP as examples)    |
| `port` |`port` is bi-directional. It will show any traffic with the specified port as the source or destination.     |
| `portrange` |`Portrange` allows us to specify a range of ports. (0-1024)    |
| `less / greater "< >"` |`less` and `greater` can be used to look for a packet or protocol option of a specific size.     |
| `and / &&` |`and` `&&` can be used to concatenate two different filters together. for example, src host AND port.    |
| `or` |`or`  Or allows for a match on either of two conditions. It does not have to meet both. It can be tricky.   |
| `not` |`not` is a modifier saying anything but x. For example,  not UDP.    |

----
## TShark
| **Command**   | **Description**   |
| --------------|-------------------|
| `tshark -h` | Prints the help menu. |  
| `tshark -D` | List available interfaces to capture from. |  
| `tshark -i (int)` | Capture on a selected interface. Replace (int) with the interface name or number. |
| `tshark -i eth0 -f "host (ip)"` | apply a filter with (-f) looking for a specific host while utilizing tshark |
| `D` | Will display any interfaces available to capture from and then exit out.          |  
| `L` | Will list the Link-layer mediums you can capture from and then exit out. (ethernet as an example)         |  
| `i` | choose an interface to capture from. (-i eth0)        |  
| `f` | packet filter in libpcap syntax. Used during capture.         |   
| `c` | Grab a specific number of packets, then quit the program. Defines a stop condition.        |  
| `a` | Defines an autostop condition. It can be after a duration, specific file size, or after a certain number of packets.         |    
| `r (pcap-file)` | Read from a file.         |  
| `W (pcap-file)` | Write into a file using the pcapng format.     |  
| `P` | Will print the packet summary while writing into a file (-W)     |  
| `x` | will add Hex and ASCII output into the capture.     |  
| `h` | See the help menu     |   

----
## WireShark

| **Capture Filter**   | **Description**   |
| --------------|-------------------|
| `host x.x.x.x` | Capture only traffic pertaining to a certain host         |  
| `net x.x.x.x/24` | Capture traffic to or from a specific network (using slash notation to specify the mask)          |  
| `src/dst net x.x.x.x/24` | Using src or dst net will only capture traffic sourcing from the specified network or destined to the target network          |  
| `port #` | will filter out all traffic except the port you specify           |  
| `not` | will capture everything except the variable specified. ex. `not port 80`          |  
| `and` | AND will concatenate your specified ports. ex. `host 192.168.1.1 and port 80`           |  
| `portrange x-x` | Portrange will grab traffic from all ports within the range only          |  
| `ip / ether / tcp` | These filters will only grab traffic from specified protocol headers.     |  
| `broadcast / multicast / unicast` | Grabs a specific type of traffic. one to one, one to many, or one to all.         |

 **Display Filter**   | **Description**   |
| --------------|-------------------|
| `ip.addr == x.x.x.x` | Capture only traffic pertaining to a certain host. This is an OR statement.           |  
| `ip.addr == x.x.x.x/24` | Capture traffic pertaining to a specific network. This is an OR statement. |  
| `ip.src/dst == x.x.x.x` | Capture traffic to or from a specific host. |  
| `dns / tcp / ftp / arp / ip` | filter traffic by a specific protocol. There are many more options.           |  
| `tcp.port == x` | filter by a specific tcp port.        |  
| `src.port / dst.port ==x`  | will capture everything except the port specified.         |  
| `and / or / not` | AND will concatenate, OR will find either of two options, NOT will exclude your input option.         |
| `tcp.stream eq #` | Allows us to follow a tcp session in which we captured the entire stream. Replace (#) with the session to reassemble.  |
| `http` | Will filter for any traffic matching the http protocol. |
| `http && image-jfif` | This filter will display any packet with a jpeg image file. |
| `ftp` | Filters for the ftp protocol. |
| `ftp.request.command` | Will filter for any control commands sent over ftp control channel. |
| `ftp-data` | Will show any objects transfered over ftp. |

----  
## Misc Commands
| **Command**   | **Description**   |
| --------------|-------------------|
| `sudo *` | Sudo will run the command that proceeds it with elevated privileges. |
| `which (application)` | Utilizes which to determine if (application) is installed on the host. Replace the application with what you are looking for. ex. `which tcpdump` |
| `sudo apt install (application)` | Uses elevated privileges to install an application package if it does not exist on the host. ex. `sudo apt install wireshark`|
| `man (application)` | Displays the manual pages for an application. ex. `man tcpdump`. |

## Common Ports and Protocols
| **Protocol**   | **Port Number**   | **Description**   |
| --------------|-------------------|-------------------|
| `20` | FTP-Data | Data channel for passing FTP files. |
| `21` | FTP-Command | Control channel for issuing commands to an FTP server. |
| `22` | SSH | Secure Shell Service port. Provides secure remote communications |
| `23` | Telnet	| Telnet service provides cleartext communications between hosts. |
| `25` | SMTP | Simple Mail Transfer protocol. Utilized for email transmissions between servers. | 
| `53` | DNS | Domain Name Services. Provides name resolution with multiple protocols |
| `69` | TFTP | Trivial File Transfer Protocol. A lightweight, minimal-function transfer protocol. |
| `80` | HTTP | HyperText Transfer Protocol. Provides dynamic web services |
| `88` | Kerberos | Providing cryptographic network authentication |
| `110`	| POP3 | Mail service utilized by clients to retrieve email from a server. |
| `111`	| RPC | Remote Procedure Call. Remote service for managing network file systems. |
| `115`	| SFTP | SSH File Transfer Protocol. An extension of SSH providing secure and reliable FTP services. |
| `123` | NTP | Network Time Protocol. Provides timing and sync services for network devices. |
| `137` | Netbios-NS | Local network name resolution. |
| `139` | Netbios-SSN | Provides session services for data transfer. Services like SMB can utilize it. |
| `179`	| BGP | Border Gateway Protocol. BGP is a protocol for exchanging routing info with autonomous systems worldwide. | 
| `389` | LDAP | Lightweight Directory Access Protocol. System agnostic authentication and authorization services. |
| `443` | HTTPS	| HyperText Transfer Protocol Secure. An extension of HTTP utilizing SSL/TLS for encrypting the communications. |
| `445` | SMB |	Server Message Block. SMB allows for the sharing of services, files, networking ports, and printers between hosts. |