peterh - Linux - Blog - packet capture with ssh and tcpdump on a remote host and display with wireshark

packet capture with ssh and tcpdump on a remote host and display with wireshark

Friday, August 25, 2023, 11:53 - Network
Posted by Administrator

#> mkfifo /tmp/shark
#> ssh USER@HOST 'sudo -S /usr/sbin/tcpdump -i eth0 -w - -p -n -s 0' > /tmp/shark

In an other session

#> sudo wireshark -k -i /tmp/shark

Then go back to first session and enter the ssh password.

Or in one line

#> ssh USER@HOST 'sudo -S /usr/sbin/tcpdump -i eth0 -w - -p -n -s 0' | wireshark -k -i -

[ view entry ] ( 3419 views ) | print article

systemd-networkd - Play AP on plugin of your USB WIFI Stick

Thursday, June 18, 2020, 11:07 - System, Network, Debian/Ubuntu
Posted by Administrator

check wifi device name

~# ip addr | grep -A 5 wlan

10: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000

IP configuration of your Wifi Stick for systemd-networkd

/etc/systemd/network/hostapd.network

[Match]
Name=wlan0

[Network]
Address=192.168.0.1/24
DHCPServer=yes
IPMasquerade=true
IPForward=true

[DHCPServer]
PoolOffset=100
PoolSize=20
EmitDNS=yes
DNS=your_dns_server

Autostart of hostapd

/etc/systemd/system/hostapd.service.d/override.conf

[Unit]
Requires=sys-subsystem-net-devices-wlan0.device systemd-networkd.service
After=sys-subsystem-net-devices-wlan0.device
BindsTo=sys-subsystem-net-devices-wlan0.device

[Install]
WantedBy=sys-subsystem-net-devices-wlan0.device

~# systemctl enable hostapd

Autostop of hostapd

/etc/system/systemd-networkd.service.d/override.conf

[Unit]
After=hostapd.service
BindsTo=hostapd.service

[ view entry ] ( 9096 views ) | print article

forward http requests to an other host

Tuesday, June 2, 2020, 09:44 - System, Network
Posted by Administrator

iptables -t nat -A PREROUTING -p tcp -d THISIP --dport 80 -j DNAT --to-destination OTHERIP:80
iptables -t nat -A POSTROUTING -p tcp -d OTHERIP --dport 80 -j MASQUERADE
iptables -I FORWARD -p tcp -d OTHERIP --dport 80 -j ACCEPT

[ view entry ] ( 2804 views ) | print article

Multiple em28xx USB devices not automatically detected by the module

Monday, November 18, 2019, 11:03 - System, Debian/Ubuntu
Posted by Administrator

I got multiple USB devices working with em28xx module.

Usually a module option gives the em28xx module the order of the devices if not automatically detected
(ex. options em28xx card=80,92,9,9).

But the order at boot is every time different (order for module option not usb detection).

The only working solution for me is to manual loading, scan the order from kernel logs, unload and load with the scanned order:

/etc/modprobe.d/em28xx

blacklist em28xx
blacklist em28xx_v4l
blacklist em28xx_dvb
blacklist em28xx_rc

/etc/systemd/system/em28xx.service

[Unit]
Description=em28xx card sequence detection
After=local-fs.target
Before=motion.service vdr.service

[Service]
ExecStart=/usr/local/bin/em28xx_detect.sh
Type=oneshot

[Install]
WantedBy=multi-user.target

/usr/local/bin/em28xx_detect.sh

#!/bin/sh

modprobe em28xx
sleep 1
modprobe -r em28xx_rc
modprobe -r em28xx_v4l
modprobe -r em28xx_dvb
modprobe -r em28xx

IFS="
"
for line in $(dmesg|grep em28xx|grep 'New device'|tail -4) 
do
  [ -z "$cards" ] || cards="${cards},"
  case "$line" in
    *eb1a:2821*) cards="${cards}9" ;;
    *2013:024c*) cards="${cards}80" ;;
    *2013:0258*) cards="${cards}92" ;;
  esac
done

modprobe em28xx card=$cards disable_ir=1 disable_usb_speed_check=1

sleep 10

[ view entry ] ( 7857 views ) | print article

portforward only key based chroot ssh access without a shell for the user under 64 Bit

Wednesday, October 3, 2018, 08:37 - System, Debian/Ubuntu, Security
Posted by Administrator

/etc/ssh/sshd_config:

...
Match user USER
  PasswordAuthentication no
  AllowTcpForwarding yes
  X11Forwarding no
  PermitTunnel no
  GatewayPorts no
  AllowAgentForwarding no
  ChrootDirectory /home/USER

But if the client needs a login shell this failed.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user only can press return to disconnect:

sudo useradd USER -d /home/USER -s /bin/bash
sudo mkdir /home/USER
sudo chown USER:USER /home/USER
sudo su USER
cd
touch .hushlogin    (is used to not display motd's)
mkdir .ssh
chmod 0700 .ssh 
cd .ssh 
ssh-keygen -t rsa -b 4096 
mv id_rsa.pub authorized_keys
exit
sudo passwd -d USER
sudo chown root:root /home/USER          (for sshd chroot)
sudo cp own_loginshell /home/USER/

move /home/USER/.ssh/id_rsa out to your test account and test with "ssh -i id_rsa USER@IP"

I had some troubles with a chrooted environment:

/etc/passwd USER:x:ID:ID::/home/USER:/own_loginshell

.hushlogin is NOT working and motd with last login is shown!
pam.d/sshd is running all scripts in /etc/update-motd.d.

Solution move .hushlogin to /home/USER/home/USER

To hide motd and have no delays at login we could add an exception in pam.d/sshd for our user USER

session [default=2 success=ignore] pam_succeed_if.so quiet user != USER

before

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

/etc/passwd USER:x:ID:ID::/:/own_loginshell

.hushlogin is working but before sshd is doing a chroot it checks the key against
authorized_keys based on our homedir (is / for chroot) wee need to

add "AuthorizedKeysFile /home/USER/.ssh/authorized_keys" to sshd_config

Compiling

For 64Bit there is something different to 32Bit and with my studies i compiled with

gcc -s -Os -nostdlib -ffreestanding own_loginshell.c -o own_loginshell

#> chroot /ROOTDIR ./own_loginshell
chroot: failed to run command ‘./own_loginshell’: No such file or directory

With

#> strace chroot /ROOTDIR ./own_loginshell

you only see

execve("./own_loginshell", ["./own_loginshell"], 0x7fff17d94fe8 /* 24 vars */) = -1 ENOENT (No such file or directory)

But with the help of "readelf -l own_loginshell" you see

[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]

You have to copy /lib64/ld-linux-x86-64.so.2 to CHROOT/lib64/

Or compile with "-static"

own_loginshell.c:

/*
   simple program to print to stdout and read from stdin without libc for x86-64

   taken from https://hero.handmade.network/forums/code-discussion/t/861-compiling_without_libc_on_linux

   gcc -s -Os -nostdlib -ffreestanding -static own_loginshell.c -o own_loginshell
*/

#include <stddef.h>
#include <syscall.h>

static void exit(int code)
{
    __asm__ __volatile__(
        "syscall"
        :
        : "a"(__NR_exit)
        : "cc", "rcx", "r11", "memory");
    __builtin_unreachable(); // syscall above never returns
}

// returns negative value for error (for example, if error is EINVAL, then -EINVAL is returned)
static int write(int fd, const void *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_write), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}

static int read(int fd, char *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_read), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}
    
void _start()
{   
    char text[] = "press enter to close connection";

    // for this example let's ignore result of write
    // but you should really handle it
    // 1 is stdout file handle
    write(1, text, sizeof(text) - 1);
    read(0, text, 1);
    
    exit(0);
}

[ view entry ] ( 2086 views ) | print article

<Back | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Next> Last>>