Monday, November 7, 2011

Misc 52

It's been such a long time since I've come up with an article that I find it hard to name this one. It seems miscellaneous anyway, so I'll name it that way.
This article is about using port-mirroring with Linux iptables for purposes such as Sniffing, IDS Monitoring and so on.

For this article, I'm going to show you how to capture DNS requests made by an application on an Android phone. Sounds difficult, but with sniffing, you can finish this task in less than 5 minutes!

First, you need to get on the Linux box (via Telnet or whatever) doing the routing. (Well, I'm technically on a WRT160NL running DD-WRT, so it is a Linux box)

We'll need to enter the following commands:
iptables -t mangle -A PREROUTING -s -j ROUTE --tee --gw

In this case, is the phone's IP address, while is the IP of the system doing the sniffing. The above command redirects traffic coming FROM the phone.

In iptables, a packet goes through the following tables:
1) Filter
2) NAT
3) Mangle

Filter is for filtering of unwanted packets, NAT is for address translations, and Mangle is for final modification of packets (for things like QoS or mirroring).

Visit here to have a clearer idea of how the packet is routed.

The ROUTE target is an experimental target that performs routing in the mangle table. The -tee parameter specifies to MIRROR a packet, and the -gw parameter specifies the gateway to send it through.

Here is the documentation for the ROUTE target

Next, if we're interested in the return traffic, we can also enter the following commands:
iptables -t mangle -A POSTROUTING -d -j ROUTE --tee --gw

If we are interested in ALL traffic, we can omit the -d and -s parameters.

Now we can fire up Wireshark and do some sniffing. First, we'll need to select the right interface for sniffing. Mine is quite obvious:

Now, as we are interested in DNS traffic in this scenario, we'll use the filter:
ip.addr == && udp.port == 53

Go generate the request in your phone. Lo and behold, as if black magic, you now know the DNS names your phone applications are connecting to.

From here you can do what you want. Let's say you want to find out what port the phone is accessing and what type of traffic goes through. No problem, just scroll down and look for the line where the answer comes back in (usually one line after the request).

We'll then use the following filters:
ip.addr == && tcp.flags.syn == 1

Of course, replace with the response address. You'll get something like this:

In our case, it's port 8300 we're looking for!

Of course, this is not where we stop. Remember, the extra rule takes up extra CPU cycles. When you're done, remember to remove everything using:
iptables -t mangle -D PREROUTING -s -j ROUTE --tee --gw
iptables -t mangle -D POSTROUTING -d -j ROUTE --tee --gw


  1. We stumbled over here from a different web address and thought
    I should check things out. I like what I see so now i'm following you. Look forward to exploring your web page repeatedly.

    Here is my blog post :: http://www.franco...
    Also see my webpage :: Low Cost Startup Businesses

  2. Hi my family member! I wish to say that this article
    is amazing, nice written and include almost all important infos.
    I'd like to peer extra posts like this .

    Also visit my webpage: http://moodle.pf.unipo.sk/user/profile.php?id=5094
    my web site :: Benutzer:CharlesLe – Mitglieder

  3. This design is incredible! You definitely know how to
    keep a reader entertained. Between your wit and your videos, I was almost moved to start my own blog (well, almost.
    ..HaHa!) Fantastic job. I really enjoyed what you had
    to say, and more than that, how you presented it.

    Too cool!

    Also visit my web blog: HasenChat - Blog View - Recreating Your Image With A Much Better Taste In Fashion

  4. I blog frequently and I really appreciate your information.
    This great article has truly peaked my interest.
    I am going to bookmark your blog and keep checking for new
    details about once per week. I subscribed to your Feed as well.

    my page: best stay at home jobs for moms

  5. Ridiculous quest there. What occurred after? Take care!

    My web blog - Обсуждение участника:AshleighO — OSZone.net wiki

  6. Hi! Do you use Twitter? I'd like to follow you if that would be okay. I'm definitely enjoying your blog and look forward to new updates.

    Feel free to surf to my website; simply click the following page

  7. I'm gone to convey my little brother, that he should also pay a quick visit this blog on regular basis to obtain updated from latest information.

    My webpage - Email Console

  8. Highly descriptive post, I liked that a lot. Will there be a part 2?

    Have a look at my site; private krankenversicherung testsieger

  9. I don't even know how I ended up here, but I thought this post was great. I do not know who you are but definitely you're going to a famous blogger if
    you aren't already ;) Cheers!

    my web blog - kleidung kaufen online