Friday, September 5, 2014

tcpdump advanced filters

Using this TCP header map I was able to catch the 3-way handshake between a client and a server.

Below is the TCP header map




Looking at the TCP header map we can see that the flags (syn, ack and the rest) live in byte #13 of the TCP header.

Remember that the header starts at byte #0, so if we want to catch the communication initialization between a client and a server we need to catch the flags syn, syn-ack and ack:

client ------- sends syn ----------> server
server ------- answers syn-ack ----> client
client ------- answers ack --------> server
------ communication has been established ------
To catch this sequence for any given service, let's say port 22 (where ssh lives), we create the filter

tcpdump -i eth0 -n -tq '(tcp[13] = 2 or tcp[13] = 16 or tcp[13] = 18) and ((src host 1.2.3.4 and dst host 5.6.7.8 and dst port 22) or (src host 5.6.7.8 and dst host 1.2.3.4 and src port 22))'

This will catch syn, syn-ack and ack. Keep in mind that tcp[13] = 16 matches every pure ACK for the whole life of the connection, not only the third packet of the handshake, and that an exact match on 2 misses a SYN that also has the ECN bits (cwr and ece) set.

So tcp[13] = 2 means: on byte 13 the following pattern is: syn
cwr=0
ece=0
urg=0 (urgent)
ack=0 (acknowledge)
psh=0 (push)
rst=0 (reset)
syn=1 (sync)
fin=0 (finish)

The above pattern is binary so 00000010 = 2

So tcp[13] = 18 means: on byte 13 the following pattern is: syn-ack
cwr=0
ece=0
urg=0 (urgent)
ack=1 (acknowledge)
psh=0 (push)
rst=0 (reset)
syn=1 (sync)
fin=0 (finish)

The above pattern is binary so 00010010 = 18

So tcp[13] = 16 means: on byte 13 the following pattern is: ack
cwr=0
ece=0
urg=0 (urgent)
ack=1 (acknowledge)
psh=0 (push)
rst=0 (reset)
syn=0 (sync)
fin=0 (finish)

The above pattern is binary so 00010000 = 16

The 2nd part of the filter:
((src host 1.2.3.4 and dst host 5.6.7.8 and dst port 22) or (src host 5.6.7.8 and dst host 1.2.3.4 and src port 22))

means that my client (src host) 1.2.3.4 is talking to my server (dst host) 5.6.7.8 on destination port 22,
or that my server (src host) 5.6.7.8 is answering my client (dst host) 1.2.3.4 from source port 22.
The two directions are joined with "or" because a single packet has only one source and one destination: the syn and the ack travel from client to server, the syn-ack comes back from server to client.

So pretty much tcpdump builds a logical table

(tcp[13] = 2 or tcp[13] = 16 or tcp[13] = 18) and ((src host 1.2.3.4 and dst host 5.6.7.8 and dst port 22) or (src host 5.6.7.8 and dst host 1.2.3.4 and src port 22))

if this condition is true (tcp[13] = 2 or tcp[13] = 16 or tcp[13] = 18)
and this condition is true ((src host 1.2.3.4 and dst host 5.6.7.8 and dst port 22) or (src host 5.6.7.8 and dst host 1.2.3.4 and src port 22))

the packet will be captured and printed onto the screen
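The following is an added example (my own code, not part of the original post) that works out the tcp[13] values the filter compares against and runs the filter's logic over a few constructed packets. It uses the post's hosts 1.2.3.4 and 5.6.7.8 and port 22; the packets are made up, not captured. It goes one step beyond the post by also showing a masked variant (tcp[13] & 0x3f = 2) that still counts an ECN-setup SYN, where cwr and ece are set alongside syn, as a SYN.

```python
# Added example, not from the original post: tcp[13] flag math and the handshake
# filter evaluated over constructed packets.

# Bit weight of each flag inside tcp[13], most significant bit first:
#   CWR ECE URG ACK PSH RST SYN FIN  ->  128 64 32 16 8 4 2 1
TCP_FLAG_BITS = {
    "cwr": 0x80, "ece": 0x40, "urg": 0x20, "ack": 0x10,
    "psh": 0x08, "rst": 0x04, "syn": 0x02, "fin": 0x01,
}
ECN_BITS = TCP_FLAG_BITS["cwr"] | TCP_FLAG_BITS["ece"]   # 0xC0, the two ECN bits


def flag_byte(*flags):
    """Value of tcp[13] with the named flags set: flag_byte('syn') == 2, flag_byte('syn', 'ack') == 18."""
    value = 0
    for name in flags:
        value |= TCP_FLAG_BITS[name.lower()]
    return value


def decode_flags(byte13):
    """Names of the flags that are on in a tcp[13] value, e.g. 18 -> ['ack', 'syn']."""
    return sorted(name for name, bit in TCP_FLAG_BITS.items() if byte13 & bit)


def handshake_flags(byte13, ignore_ecn=False):
    """The post's flag clause: tcp[13] = 2 or tcp[13] = 16 or tcp[13] = 18.
    With ignore_ecn=True the CWR/ECE bits are masked off first (tcpdump: tcp[13] & 0x3f = 2),
    so an ECN-setup SYN (0xC2 = 194) still counts as a SYN."""
    if ignore_ecn:
        byte13 &= ~ECN_BITS & 0xFF
    return byte13 in (flag_byte("syn"), flag_byte("ack"), flag_byte("syn", "ack"))


CLIENT, SERVER, PORT = "1.2.3.4", "5.6.7.8", 22   # values from the post


def between_client_and_server(pkt):
    """Host/port clause, one branch per direction: a packet has a single source and
    destination, so client->server and server->client have to be joined with 'or'."""
    to_server = pkt["src"] == CLIENT and pkt["dst"] == SERVER and pkt["dport"] == PORT
    from_server = pkt["src"] == SERVER and pkt["dst"] == CLIENT and pkt["sport"] == PORT
    return to_server or from_server


def matches(pkt, ignore_ecn=False):
    """Whole filter: flag clause AND host/port clause, the way tcpdump evaluates it."""
    return handshake_flags(pkt["flags"], ignore_ecn) and between_client_and_server(pkt)


def tcpdump_expression(ignore_ecn=False):
    """Equivalent pcap-filter text for the same logic, usable as tcpdump -i eth0 -n '<expr>'."""
    if ignore_ecn:
        flags = "(tcp[13] & 0x3f = 2 or tcp[13] & 0x3f = 16 or tcp[13] & 0x3f = 18)"
    else:
        flags = "(tcp[13] = 2 or tcp[13] = 16 or tcp[13] = 18)"
    hosts = (f"((src host {CLIENT} and dst host {SERVER} and dst port {PORT}) or "
             f"(src host {SERVER} and dst host {CLIENT} and src port {PORT}))")
    return f"{flags} and {hosts}"


# Constructed packets (not a real capture): the three-way handshake, a data segment,
# an ECN-setup SYN, and a SYN from an unrelated host.
SAMPLE_PACKETS = [
    {"src": CLIENT, "dst": SERVER, "sport": 40000, "dport": 22, "flags": flag_byte("syn")},               # 2
    {"src": SERVER, "dst": CLIENT, "sport": 22, "dport": 40000, "flags": flag_byte("syn", "ack")},        # 18
    {"src": CLIENT, "dst": SERVER, "sport": 40000, "dport": 22, "flags": flag_byte("ack")},               # 16
    {"src": CLIENT, "dst": SERVER, "sport": 40000, "dport": 22, "flags": flag_byte("psh", "ack")},        # 24
    {"src": CLIENT, "dst": SERVER, "sport": 40001, "dport": 22, "flags": flag_byte("cwr", "ece", "syn")}, # 194
    {"src": "9.9.9.9", "dst": SERVER, "sport": 40002, "dport": 22, "flags": flag_byte("syn")},            # wrong host
]


def captured_indexes(packets, ignore_ecn=False):
    """Indexes of the packets tcpdump would print for this filter."""
    return [i for i, pkt in enumerate(packets) if matches(pkt, ignore_ecn)]


if __name__ == "__main__":
    print(tcpdump_expression())
    for i, pkt in enumerate(SAMPLE_PACKETS):
        print(i, pkt["src"], "->", pkt["dst"], pkt["flags"], decode_flags(pkt["flags"]), matches(pkt))
```

Running it prints the filter text and, for each constructed packet, its tcp[13] value, the decoded flag names and whether the filter keeps it: the three handshake packets pass, the PSH-ACK data segment and the stranger's SYN do not, and the ECN SYN (194) only passes with the masked variant.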


Happy filtering!
  




Wednesday, August 27, 2014

Kernel "Hax" (kernel hacks)

Hello,

This is my first kernel hacking module. After several days reading the book Professional Linux Kernel Architecture by Wolfgang Mauerer and some other documentation, I was able to write my first kernel module.

The only thing it does is intercept the mkdir system call.


/*************************************************************/
/* Francisco Garcia Garcia                                   */
/* kernel system call interception                           */
/* Written on Ubuntu 14.04 Jessie/Sid                        */
/* Kernel mod name  little bunny.c                           */
/* ignore the module name it is just for educational purposes*/
/*************************************************************/


/*********************Libraries*************************************/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/syscalls.h>
#include <asm/errno.h>
#include <asm/unistd.h>
#include <linux/mman.h>
#include <asm/proto.h>
#include <asm/delay.h>
#include <linux/init.h>
#include <linux/highmem.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <asm/pgtable.h>   /* lookup_address(), pte_t and _PAGE_RW */
/********************************************************************/
/* lookup_address() is exported GPL-only, so without a GPL license  */
/* declaration the module refuses to load                           */
MODULE_LICENSE("GPL");
/* The kernel system call table is no longer exported, so I had to look it up */
/*   cat /proc/kallsyms | grep -i table | grep -i system                       */
/* so the address is: ffffffff81801400 (specific to my kernel build)           */
/*********************************************************************/
void **syscall_table = (void *)0xffffffff81801400;
/*** real mkdir system call (sys_mkdir takes a umode_t, not a pointer) ***/
asmlinkage long (*real_mkdir)(const char __user *pathname, umode_t mode);

/*** Fake system call implementation ***/
asmlinkage long mkdir_intercept(const char __user *pathname, umode_t mode)
{
  printk(KERN_INFO "mkdir intercepted!!!!!\n");
  /* hand the call over to the real mkdir so the directory still gets created */
  return real_mkdir(pathname, mode);
}

/**** Module macro to tell the kernel to use it **********************/
static int __init mkdir_init(void)
{
  unsigned int l;
  pte_t *pte;  /* page table entry: the kernel has a direct mapping to memory, it does not use vma conversion */
  pte = lookup_address((unsigned long)syscall_table, &l);  /* get me the page table entry for the system call table */
  if (!pte)
    return -EFAULT;  /* the address is not mapped, so refuse to load instead of dereferencing NULL */
  pte->pte |= _PAGE_RW;  /* change the memory bit to read-write */
  real_mkdir = syscall_table[__NR_mkdir]; /* save the original system call */
  syscall_table[__NR_mkdir] = mkdir_intercept; /* insert my fake system call */
  return 0;
}
/*** let's clean up when the module is unloaded from the kernel ***/
static void __exit mkdir_cleanup(void)
{
  unsigned int l;
  pte_t *pte; /* page table entry: the kernel has a direct mapping to memory, it does not use vma conversion */
  syscall_table[__NR_mkdir] = real_mkdir; /* restore the original system call */
  pte = lookup_address((unsigned long)syscall_table, &l); /* get the page table entry again */
  if (pte)
    pte->pte &= ~_PAGE_RW; /* clear the read-write bit so the table is read-only again */
}

module_init(mkdir_init);
module_exit(mkdir_cleanup);
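The two checks below are an added example in Python, my own code and not part of the post. The first reproduces the /proc/kallsyms lookup the module's comment describes and handles the case where kernel.kptr_restrict zeroes the addresses (what a hardened box shows an unprivileged user), the second reads /proc/modules-style lines and lists modules carrying taint flags in parentheses, which is how a hand-built, unsigned module like this one stands out to an administrator next to the distro's in-tree modules. All sample lines are constructed: the module name little_bunny, sizes and module addresses are made up, and only the sys_call_table address is the one from the post.

```python
# Added example, not from the original post: locate sys_call_table in /proc/kallsyms
# output and spot tainted (out-of-tree / unsigned) modules in /proc/modules output.

# Constructed /proc/kallsyms excerpt; the sys_call_table address is the one in the post.
KALLSYMS_SAMPLE = """\
ffffffff810013f0 T x86_64_start_kernel
ffffffff81801400 R sys_call_table
ffffffff81801ec0 R ia32_sys_call_table
ffffffffa03e2000 t mkdir_intercept	[little_bunny]
"""

# Same file as seen with kernel.kptr_restrict hiding addresses from the caller (constructed).
KALLSYMS_RESTRICTED = """\
0000000000000000 T x86_64_start_kernel
0000000000000000 R sys_call_table
"""

# Constructed /proc/modules excerpt. The trailing "(OE)" is how the kernel marks a module
# that is out-of-tree (O) and unsigned (E); distro modules carry no such suffix.
MODULES_SAMPLE = """\
little_bunny 12695 0 - Live 0xffffffffa03e2000 (OE)
xt_conntrack 12760 1 - Live 0xffffffffa0346000
nf_conntrack 96978 2 xt_conntrack,nf_conntrack_ipv4, Live 0xffffffffa0318000
"""


def find_symbol(kallsyms_text, symbol):
    """Return the address of an exact symbol name from /proc/kallsyms text, or None.

    Each line is "<address> <type> <name> [module]". A zero address means the kernel
    hid the value (kptr_restrict), so it is reported as None rather than as address 0.
    """
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, name = parts[0], parts[2]
        if name == symbol:
            value = int(addr, 16)
            return value if value != 0 else None
    return None


def symbol_module(kallsyms_text, symbol):
    """Return the module a symbol belongs to ("[name]" column), or None for core kernel symbols."""
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == symbol:
            return parts[3].strip("[]") if len(parts) >= 4 else None
    return None


def tainted_modules(modules_text):
    """Return (name, flags) for every /proc/modules line ending in a parenthesised flag set."""
    found = []
    for line in modules_text.splitlines():
        parts = line.split()
        if parts and parts[-1].startswith("(") and parts[-1].endswith(")"):
            found.append((parts[0], parts[-1][1:-1]))
    return found


if __name__ == "__main__":
    addr = find_symbol(KALLSYMS_SAMPLE, "sys_call_table")
    print("sys_call_table at", hex(addr) if addr is not None else "hidden by kptr_restrict")
    print("sys_call_table with kptr_restrict:", find_symbol(KALLSYMS_RESTRICTED, "sys_call_table"))
    print("mkdir_intercept lives in module:", symbol_module(KALLSYMS_SAMPLE, "mkdir_intercept"))
    print("tainted modules:", tainted_modules(MODULES_SAMPLE))
```

On a live system the same functions can be fed `open("/proc/kallsyms").read()` and `open("/proc/modules").read()`; a None from find_symbol as root means the symbol simply is not there, while as an unprivileged user it usually means kptr_restrict is doing its job.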





Enjoy