SySS-Research / Seth

Perform a MitM attack and extract clear text credentials from RDP connections
MIT License
1.38k stars, 325 forks

Something went wrong while parsing the output of tcpdump #59

Closed man715 closed 1 year ago

man715 commented 1 year ago

```
sudo ./seth.sh -d eth0 10.10.10.16 10.10.10.11 10.10.10.15
```

Output (the Seth ASCII-art banner, which credits Adrian Vollmer, seth@vollmer.syss.de, SySS GmbH 2017, https://www.syss.de, is omitted here):

```
[*] Linux OS detected, using iptables as the netfilter interpreter
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[!] Something went wrong while parsing the output of tcpdump
[*] Cleaning up...
[*] Done
```

I'm running on Kali 2022.3 and I keep getting the error "Something went wrong while parsing the output of tcpdump".

How can I fix this error and MitM the RDP connection? The shell script does not error out without the -d flag, but it does not see any of the traffic between the victim and the host.

All systems are on the same network and running tcpdump does show the traffic.

man715 commented 1 year ago

Okay, I got it fixed. I had to change the tcpdump command to the following:

```bash
ORIGINAL_DEST="$(tcpdump -n -c 1 -i "$IFACE" \
    "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ece) != 0" and \
    src host "$VICTIM_IP" and dst port 3389 2> /dev/null \
    | awk '{print $5}' | sed 's/.\(3389\|ms-wbt-server\).*//')"
```
AdrianVollmer commented 1 year ago

Issues that come with solutions are the best issues.

Thanks, I'll include your patch!

AdrianVollmer commented 1 year ago

Actually, I'm wondering what the cause is. So far, the relevant filter was "tcp[tcpflags] == tcp-syn" to capture only SYN packets. Your suggested change will capture less, because it only captures packets where the SYN flag and the ECE flag are set. I'm not familiar with the ECE flag. Is this something specific to your setup at the time?

Would it make sense to change the filter to "tcp[tcpflags] & tcp-syn != 0"?

man715 commented 1 year ago

I'm curious if it is my setup only or if that is the way that RDP connections work now. I know that in my testing environment, RDP connections did not just use SYN. Instead, they sent SYN and ECE, which is why I had to modify the filter. I'm also not really certain why the original filter did not pick up the SYN and ECE packets.

In theory, the one you just proposed would work, as it should pick up any packets that have the SYN flag set.

Do your RDP connections set the ECE flag?

AdrianVollmer commented 1 year ago

The original filter only picked up packets where only the SYN flag is set. If there is an additional flag set, it won't match.

My RDP client does not set the ECE flag. However, according to what I'm reading, the SYN flag is only set in the first packet by either side of the connection. So we should be fine if we set the filter such that it checks for the presence of only the SYN flag.

Thanks for contributing!
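Added example (not part of this issue or of the Seth project) that reproduces the three filter expressions discussed above in Python over constructed TCP headers, so the exact-match versus bitmask difference can be checked without a live capture. It assumes the standard flag bit values behind tcpdump's `tcp-syn`/`tcp-ece`/`tcp-cwr` keywords and uses hypothetical ports; the ECN-setup SYN (SYN+ECE+CWR) comes from RFC 3168.

```python
import struct

# TCP flag bits in byte 13 of the TCP header, the values behind tcpdump's
# tcp-fin, tcp-syn, ... keywords (RFC 793; ECE and CWR added by RFC 3168).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

RDP_PORT = 3389

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) carrying `flags`."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags,
                       65535, 0, 0)

def tcpflags(header: bytes) -> int:
    """BPF's tcp[tcpflags] is just tcp[13]: the flags byte of the header."""
    return header[13]

def original_filter(header: bytes) -> bool:
    """'tcp[tcpflags] == tcp-syn': SYN must be the ONLY flag set."""
    return tcpflags(header) == TCP_SYN

def reporter_filter(header: bytes) -> bool:
    """'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ece != 0'."""
    f = tcpflags(header)  # parenthesise: Python binds != tighter than &
    return (f & TCP_SYN) != 0 and (f & TCP_ECE) != 0

def proposed_filter(header: bytes) -> bool:
    """'tcp[tcpflags] & tcp-syn != 0': SYN set, any other flags ignored."""
    return (tcpflags(header) & TCP_SYN) != 0

# Constructed sample packets (hypothetical ports, for illustration only).
SAMPLES = {
    "plain SYN": build_tcp_header(50000, RDP_PORT, TCP_SYN),
    "ECN-setup SYN (RFC 3168)": build_tcp_header(50001, RDP_PORT,
                                                 TCP_SYN | TCP_ECE | TCP_CWR),
    "SYN+ECE": build_tcp_header(50002, RDP_PORT, TCP_SYN | TCP_ECE),
    "SYN-ACK from server": build_tcp_header(RDP_PORT, 50000, TCP_SYN | TCP_ACK),
    "PSH+ACK data": build_tcp_header(50000, RDP_PORT, TCP_PUSH | TCP_ACK),
}

def compare_filters() -> dict:
    """Return, per sample packet, which of the three filters would match it."""
    return {name: {"original": original_filter(h),
                   "reporter": reporter_filter(h),
                   "proposed": proposed_filter(h)} for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare_filters().items():
        print(f"{name:26s} {result}")
```

The `src host`/`dst port 3389` part of the real command is left out here; it is what keeps the server's SYN-ACK (which the proposed mask filter would otherwise match) from being selected.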