Use tcpdump and WinDump on Linux and Windows to capture outbound connections initiated on the host

If your server initiates connections to an unknown host, it may well be a sign that the server has been compromised. With the help of tcpdump and WinDump, you can easily capture outbound TCP packets on Linux and Windows.

Install tcpdump and WinDump

Tcpdump is usually already installed on Linux. If not, you can install it on Ubuntu with the following commands:

sudo apt update
sudo apt install tcpdump

If you work with another Linux distro, you need to use the corresponding install commands.

On Windows, you can work with the free WinDump tool. Before you can use WinDump, you need to install WinPcap. You can download both programs here. Once WinPcap is installed, you can copy WinDump to a folder of your choice and run the command from there. WinDump doesn't need to be installed.

Outbound connections

Whenever you have reason to believe that attackers have installed malware on your server, you should check whether your server establishes connections to its masters. We need to distinguish here between outbound traffic in general and outbound traffic that is initiated on your host.

On Linux, you can use tcpdump to show all outbound connections with this command:

tcpdump -i any src host 10.0.0.1

10.0.0.1 is here the IP address of your host. The -i parameter determines the network interface on which tcpdump listens; any listens on all network interfaces. You can find the installed interfaces on your server with the ifconfig command. This is the corresponding WinDump command:

windump src host 10.0.0.1

WinDump automatically listens on all interfaces, so we don't need the -i parameter here. To listen on a specific interface, you can use the windump -D command to list all installed network adapters.

Listening on a specific network adapter with WinDump

Capturing only outbound connections initiated by the host

Most of the outbound traffic is your server's response to requests from clients. If many clients connect to your server from external IP addresses, you will be overwhelmed by the number of connections displayed. If attackers installed malicious software on your server, the malware will most likely try to connect to its master; that is, it will initiate a connection to an external IP address.

To capture outbound TCP packets that are initiated on your server, you need to understand the three-way handshake of the TCP protocol. Whenever a client tries to establish a TCP connection, it sets the SYN flag. The server then responds with a SYN/ACK packet, and at the end of the three-way handshake, the client replies with an ACK packet.

Thus, to capture only TCP packets that are initiated on our machine, we need to tell tcpdump to show only packets where the SYN flag is set. We also need to exclude packets where the ACK flag is set, because otherwise we would also get the responses of the external host:

tcpdump -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"

Note that tcpdump's syntax doesn't allow something like "(tcp-syn) == 1." Also note that you can't replace "&" with "and" or vice versa. This is the corresponding WinDump command on Windows:

windump src host 192.168.178.29 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0"

Identifying malware connections

Don't panic if connections to unknown hosts are displayed. In particular, on a Windows system you will most likely see many outbound connections to Microsoft servers, because Windows likes to "phone home." Microsoft calls this telemetry; others call it private data collection.

To verify whether your system has been compromised, you need to use the whois service for every unknown IP address to determine its owner.

Finding the executable

To find out which program established the connections to a specific IP, you can use the netstat command with the -p parameter. Use the -n parameter to show only numeric values and -c to display connections continuously.

netstat -pnc

If you pipe the output to grep, you can narrow the output down to your suspicious IP address. This is the command for Linux:

netstat -pnc | grep 8.8.8.8

On Windows, we need to use the -b parameter instead of -p. To display connections continuously, you need to specify the interval at which netstat repeats the command. In the example below, the interval is 1 second. Instead of grep, we need to use findstr on Windows.

netstat -b 1 | findstr 8.8.8.8

Logging tcpdump and WinDump connections

Since the malware on your server may connect to its master only at specific times, you should log the connections initiated by your server. To do this, we redirect the output with ">":

tcpdump -i any src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" &> outbound.log &

In a bash shell, the "&" at the end of the command ensures that tcpdump runs in the background and keeps logging after you end your session. This is the corresponding command for Windows:

start /B windump src host 10.0.0.1 and "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" > outbound.log
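Once outbound.log has been filling up for a while, the SYN-only filter above and the logging step produce a file of one line per connection attempt. The following script, added here as an example and not part of the original post, summarises such a log into one line per destination so that repeated attempts to a single unknown host stand out; the log lines it processes are constructed sample data in tcpdump's default text format, and the whois field names in lookup_owners are an assumption about typical registry output.

```shell
#!/bin/sh
# Added example: summarise the SYN-only tcpdump log written by the command above.
# Assumes tcpdump's default text output; the sample lines below are constructed.
set -eu

# summarise_outbound: reads tcpdump lines on stdin, prints "<count> <dst_ip> <dst_port>"
# for each distinct destination, most frequent first. The regex looks for
# "IP <src>.<sport> > <dst>.<dport>: Flags [S]" anywhere on the line, because
# newer tcpdump versions prefix "-i any" output with the interface name and direction.
summarise_outbound() {
    sed -nE 's/.*IP [0-9.]+\.[0-9]+ > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+): Flags \[S\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# lookup_owners: for each summarised destination, ask whois who owns the address.
# Needs network access, so it is defined but not run here. The field names grepped
# for are an assumption: registries label the owner differently (OrgName, org-name,
# netname, descr), so adjust the pattern to what your whois output shows.
lookup_owners() {
    while read -r count ip port; do
        printf '%s attempts to %s:%s\n' "$count" "$ip" "$port"
        whois "$ip" | grep -iE '^(OrgName|org-name|netname|descr):' | head -n 3
    done
}

# sample_log: constructed lines in tcpdump's default format (not a real capture).
# 10.0.0.1 is the monitored host, as in the commands above; the destinations are
# documentation addresses. Three attempts go to the same host five minutes apart,
# which is the beaconing pattern the log is meant to reveal.
sample_log() {
    cat <<'EOF'
10:00:01.000000 IP 10.0.0.1.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
10:00:02.000000 IP 10.0.0.1.51235 > 198.51.100.7.8443: Flags [S], seq 2, win 64240, length 0
10:05:03.000000 eth0  Out IP 10.0.0.1.51236 > 203.0.113.5.443: Flags [S], seq 3, win 64240, length 0
10:10:03.000000 IP 10.0.0.1.51237 > 203.0.113.5.443: Flags [S], seq 4, win 64240, length 0
EOF
}

# Run against the constructed sample; on a real system use: summarise_outbound < outbound.log
sample_log | summarise_outbound
```

To go from the summary to owners, pipe it on: summarise_outbound < outbound.log | lookup_owners.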
