PT BestOf 2022 PREVIEW
Managing Editors
Amit Chugh, Da Co, David Michaud, Diane Barrett, Gabriel Carvalhaes, Hammad Arshed, Jaimandeep Singh, Jordan M.
Bonagura, Matthew Sabin, Nasreddine Bencherchali, Paul Mellen, Pradeep Mishra, Serge Laoun, Tom Updegrove
Special thanks to the Proofreaders & Betatesters who helped with this issue. Without their assistance there would not be a PenTest Magazine.
Senior Consultant/Publisher
Paweł Marciniak
CEO
Joanna Kretowicz
joanna.kretowicz@pentestmag.com
DTP
Bruno Zwierz
bruno.zwierz@pentestmag.com
COVER DESIGN
PUBLISHER
www.pentestmag.com
All trademarks, trade names, or logos mentioned or used are the property of their respective owners.
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear PenTest Readers,
We would like to present you with a special edition, composed of the highlights of the articles published in our monthly magazine issues in 2022. If you're looking for a synthesis of the write-ups that received the best reviews among our readers, here it is!
In "Best of 2022" you will read top-notch articles on the most relevant topics of the recent months. All of this practical knowledge, presented by experts in their areas, will still be very helpful in 2023.
Inside you will read about Android Pentesting, Windows Privilege Escalation, WiFi Pentesting tools, internal penetration tests, online game vulnerabilities, cloud security, OT/ICS cybersecurity monitoring, and much more!
This is certainly a condensed compendium of practical cybersecurity tools, techniques, tips, and tricks. Covering a really wide range of topics, it has a real treat in store for every reader.
Contents
Android Application Pentest
Gabrielle Botbol 4
Wide-area Packet Capture with PacketStreamer
Network packet capture is a well understood practice. The basic technology that modern tools are built on first appeared in a tool named 'tcpdump', released in 1988, and the associated file format (pcap) has stood the test of time.
Although the technology has changed little, modern compute environments are very different from the single-Unix-server assumptions that defined the design of tcpdump. Modern environments are cloud-based, distributed across many servers, and use virtualization technologies that make it difficult to run kernel tools such as tcpdump directly.
Use PacketStreamer if you need a lightweight, efficient method to collect raw network data from multiple machines for central logging and analysis:
• Debugging: intermittent errors are happening and your log files don't reveal enough details. You need to gather network traffic to see what requests your servers are processing.
• Forensics: you want to capture traffic to sensitive services for storage and later inspection in the event of an investigation.
• Threat hunting: you want to identify any unusual behavior that may indicate the presence of adversaries.
• Machine learning: you need to capture large volumes of network traffic from many production servers to train machine learning engines to recognize normal and anomalous traffic.
We'll share a walkthrough of building, installing and running PacketStreamer, and see what we find.
We'll start with four cloud servers. Three are honeypot servers, running WordPress, a simple NGINX hello-world, and honeydb.io. The fourth will be our receiver server where we aggregate and analyze the packet data.
Build PacketStreamer
On the build (receiver) server, let's clone the source and build PacketStreamer. It's a standalone Golang app, and we'll statically link the build to make it as portable as possible:
# install the necessary build tools (Debian/Ubuntu; other OSs will differ)
cd PacketStreamer/
make STATIC=1
file packetstreamer
In one terminal on the receiver server, let's start the PacketStreamer receiver process and pipe the pcap output into tshark. We can use the included receiver-stdout.yaml configuration file, which configures the receiver to accept traffic on port 8081:
./packetstreamer receiver \
The PacketStreamer receiver process will run quietly, waiting for connections from remote PacketStreamer sensors. Pcap output from PacketStreamer will be piped to the tshark tool.
You could instead write the output to a file for later analysis, or even tee it to a file while watching using tshark. That way, you can quickly spot anomalies (tshark output) and investigate the full packet dump.
Now, let's deploy the sensors on each of our target servers. We first need to create a simple configuration file sensor-remote.yaml that identifies the location of the remote receiver:
output:
  server:
    address: 12.34.56.78
    port: 8081
pcapMode: all
Copy the PacketStreamer binary and the sensor-remote.yaml configuration file to each of the target servers:
ssh root@wordpress
We ran the sensors and receivers for 24 hours, looking for interesting HTTP requests (tshark -Y http) to the target servers. We saw hundreds of drive-by attempts from dozens of different IP addresses, trying to find unprotected secrets, find vulnerable control panel components, use injection to install malware, etc.
You can store the results locally in a pcap file for more detailed, later analysis, or (feature in development) write them to an S3 bucket. You can analyze them using any tool that can process pcap data.
Conclusion
PacketStreamer was developed by Deepfence as part of a bigger observability and security analytics product. We've open-sourced it because, to the best of our knowledge, there are no existing tools that capture and merge multiple pcap streams, and function across Kubernetes, Docker, Fargate and operating system environments.
We'd welcome any feedback, contributions and suggestions. Please start with the PacketStreamer GitHub repository, and feel welcome to join the Deepfence Community Slack.