Follow by Email

Thursday, October 20, 2011

Cisco ASA/ PIX – Capturing Traffic

This document shows how to capture traffic directly at the Cisco PIX/ASA Firewall. Thats a very powerful tool for troubleshooting.

The Topology used in this test:
Capturing Traffic on the PIX - Topology

All traffic for the bastionhost (172.16.1.2) has to be captured for further analysis, the IP of the insidehost (10.0.1.12) is source-NATed to 172.16.1.20 when connecting to the DMZ.

This setup is based on the following PixOS-Release:

pix1# show version

Cisco PIX Firewall Version 6.3(3)
...
Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces:          10
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

The capture-command:

pix1(config)# capture
Not enough arguments.
Usage: capture  [access-list ] [buffer ]
               [ethernet-type ] [interface ]
               [packet-length ]
               [circular-buffer]
       clear capture 
       no capture  [access-list []] [circular-buffer]
               [interface ]
       show capture [ [access-list ] [count ]
                     [detail] [dump]]

Configuring the capture-function:
  1. Write an access-list that describes the interesting traffic (optional)
  2. Bind a capture-statement to an interface
  3. Wait for traffic
  4. Display or download the capture
Example:

pix1(config)# access-list capture-bastion permit ip any host bastionhost
pix1(config)# access-list capture-bastion permit ip host bastionhost any
pix1(config)# capture cap1 access-list capture-bastion interface dmz
pix1(config)#
pix1(config)# show capture
capture cap1 access-list capture-bastion interface dmz
pix1(config)#
pix1(config)# show capture cap1
0 packet captured
0 packet shown
pix1(config)#
(now we ping the bastionhost and access the web-server)

The resulting capture on the PIX:

pix1(config)# show capture cap1 detail
9 packets captured
19:28:27.554536 000d.56a9.3bbe 000c.297c.dffa 0x0800 74: 172.16.1.20 > bastionhost:
 icmp: echo request (ttl 128, id 46758)
19:28:27.555131 000c.297c.dffa 0002.b326.0704 0x0800 74: bastionhost > 172.16.1.20:
 icmp: echo reply (ttl 255, id 210)
19:28:38.482488 000d.56a9.3bbe 000c.297c.dffa 0x0800 62: 172.16.1.20.3874 > bastionhost.80:
 S [tcp sum ok] 306572975:306572975(0) win 65520  (DF)
 (ttl 128, id 46777)
19:28:38.483159 000c.297c.dffa 0002.b326.0704 0x0800 62: bastionhost.80 > 172.16.1.20.3874:
 S [tcp sum ok] 2581607285:2581607285(0) ack 306572976 win 15120
  (DF) (ttl 64, id 211)
19:28:38.483419 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:
 . [tcp sum ok] 306572976:306572976(0) ack 2581607286 win 65520 (DF) (ttl 128, id 46778)
19:28:38.484731 000d.56a9.3bbe 000c.297c.dffa 0x0800 402: 172.16.1.20.3874 > bastionhost.80:
 P 306572976:306573324(348) ack  2581607286 win 65520 (DF) (ttl 128, id 46779)
19:28:38.485158 000c.297c.dffa 0002.b326.0704 0x0800 60: bastionhost.80 > 172.16.1.20.3874:
 . [tcp sum ok] 2581607286:2581607286(0) ack 306573324 win 15120 (DF) (ttl 64, id 212)
19:28:38.488179 000c.297c.dffa 0002.b326.0704 0x0800 584: bastionhost.80 > 172.16.1.20.3874:
 P 2581607286:2581607816(530) ack 306573324 win 16380 (DF) (ttl 64, id 213)
19:28:38.614714 000d.56a9.3bbe 000c.297c.dffa 0x0800 54: 172.16.1.20.3874 > bastionhost.80:
 . [tcp sum ok] 306573324:306573324(0) ack 2581607816 win 64990 (DF) (ttl 128, id 46783)
9 packets shown

pix1(config)# show capture cap1 dump
13 packets captured
19:28:27.554536 172.16.1.20 > bastionhost: icmp: echo request
0x0000   4500 003c b6a6 0000 8001 29e4 ac10 0114        E..<......).....
0x0010   ac10 0102 0800 315c 0300 1900 6162 6364        ......1....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263                                 uvwabc
19:28:27.555131 bastionhost > 172.16.1.20: icmp: echo reply
0x0000   4500 003c 00d2 0000 ff01 60b8 ac10 0102        E..<......`.....
0x0010   ac10 0114 0000 395c 0300 1900 6162 6364        ......9....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263                                 uvwabc
19:28:38.482488 172.16.1.20.3874 > bastionhost.80: S 306572975:306572975(0)
    win 65520 
0x0000   4500 0030 b6b9 4000 8006 e9d7 ac10 0114        E..0..@.........
0x0010   ac10 0102 0f22 0050 1245 eeaf 0000 0000        .....".P.E......
0x0020   7002 fff0 1959 0000 0204 04ec 0101 0402        p....Y..........
19:28:38.483159 bastionhost.80 > 172.16.1.20.3874: S 2581607285:2581607285(0)
    ack 306572976 win 15120 
0x0000   4500 0030 00d3 4000 4006 dfbe ac10 0102        E..0..@.@.......
0x0010   ac10 0114 0050 0f22 99e0 3375 1245 eeb0        .....P."..3u.E..
0x0020   7012 3b10 10d3 0000 0204 04ec 0101 0402        p.;.............

Now we want to see more payload:

pix1(config)# clear capture cap1
pix1(config)# show capture cap1
0 packet captured
0 packet shown
pix1(config)#
pix1(config)# capture cap1 packet-length 1500
pix1(config)#
pix1(config)# show capture
capture cap1 access-list capture-bastion packet-length 1500 interface dmz
pix1(config)#
(we access the web-server again)

pix1(config)# show capture cap1 dump
...
19:40:04.374980 172.16.1.20.3876 > bastionhost.80: P 2217891186:2217891534(348)
    ack 3327525020 win 65520
0x0000   4500 0184 b868 4000 8006 e6d4 ac10 0114        E....h@.........
0x0010   ac10 0102 0f24 0050 8432 5572 c656 009c        .....$.P.2Ur.V..
0x0020   5018 fff0 4f1b 0000 4745 5420 2f66 6176        P...O...GET /fav
0x0030   6963 6f6e 2e69 636f 2048 5454 502f 312e        icon.ico HTTP/1.
0x0040   310d 0a48 6f73 743a 2031 3732 2e31 362e        1..Host: 172.16.
0x0050   312e 320d 0a55 7365 722d 4167 656e 743a        1.2..User-Agent:
0x0060   204d 6f7a 696c 6c61 2f35 2e30 2028 5769         Mozilla/5.0 (Wi
0x0070   6e64 6f77 733b 2055 3b20 5769 6e64 6f77        ndows; U; Window
0x0080   7320 4e54 2035 2e31 3b20 656e 2d55 533b        s NT 5.1; en-US;
0x0090   2072 763a 312e 372e 3529 2047 6563 6b6f         rv:1.7.5) Gecko
0x00a0   2f32 3030 3431 3130 3720 4669 7265 666f        /20041107 Firefo
0x00b0   782f 312e 300d 0a41 6363 6570 743a 2069        x/1.0..Accept: i
0x00c0   6d61 6765 2f70 6e67 2c2a 2f2a 3b71 3d30        mage/png,*/*;q=0
0x00d0   2e35 0d0a 4163 6365 7074 2d4c 616e 6775        .5..Accept-Langu
0x00e0   6167 653a 2064 652d 6465 2c64 653b 713d        age: de-de,de;q=
0x00f0   302e 382c 656e 2d75 733b 713d 302e 352c        0.8,en-us;q=0.5,
0x0100   656e 3b71 3d30 2e33 0d0a 4163 6365 7074        en;q=0.3..Accept
0x0110   2d45 6e63 6f64 696e 673a 2067 7a69 702c        -Encoding: gzip,
0x0120   6465 666c 6174 650d 0a41 6363 6570 742d        deflate..Accept-
0x0130   4368 6172 7365 743a 2049 534f 2d38 3835        Charset: ISO-885
0x0140   392d 312c 7574 662d 383b 713d 302e 372c        9-1,utf-8;q=0.7,
0x0150   2a3b 713d 302e 370d 0a4b 6565 702d 416c        *;q=0.7..Keep-Al
0x0160   6976 653a 2033 3030 0d0a 436f 6e6e 6563        ive: 300..Connec
0x0170   7469 6f6e 3a20 6b65 6570 2d61 6c69 7665        tion: keep-alive
0x0180   0d0a 0d0a                                      ....

We can transfer the capture to our workstation:

pix1(config)# copy capture:cap1 tftp://10.0.1.12/bastion.txt
copying Capture to tftp://10.0.1.12/bastion.txt:
pix1(config)#

C:TFTP-Root>dir
 Volume in drive C has no label.
 Volume Serial Number is 5001-0224

 Directory of C:TFTP-Root

16.11.2004  18:50          .
16.11.2004  18:50          ..
16.11.2004  18:49             2.754 bastion.txt
               1 File(s)          2.754 bytes
               2 Dir(s)   1.801.687.040 bytes free

C:TFTP-Root>
The capture on the workstation (viewed with notepad):
Capturing Traffic on the PIX - The copied Textfile

We can also export the capture in pcap-format (tcpdump):

pix1(config)# copy capture:cap1 tftp://10.0.1.12/bastion.cap pcap
copying Capture to tftp://10.0.1.12/bastion.cap:
pix1(config)#

C:TFTP-Root>dir
 Volume in drive C has no label.
 Volume Serial Number is 5001-0224

 Directory of C:TFTP-Root

16.11.2004  18:55             .
16.11.2004  18:55             ..
16.11.2004  18:55             5.747 bastion.cap
16.11.2004  18:49             2.754 bastion.txt
               2 File(s)          8.501 bytes
               2 Dir(s)   1.801.527.296 bytes free

C:TFTP-Root>
The capture on the workstation (viewd with Ethereal):
Capturing Traffic on the PIX - The copied pcap file

The capture can also be downloaded with a browser
If we want to view or download the capture with a browser we have to activate the https-server (thats automatically done if you have activated the PDM/ASDM). This Example shows the PIXv6 syntax:

pix1(config)# http server enable
pix1(config)#
pix1(config)# http 10.0.1.12 255.255.255.255 inside
pix1(config)#
pix1(config)# domain-name security-planet.de
pix1(config)#
pix1(config)# ca generate rsa key 1024
For  >= 1024, key generation could
  take up to several minutes. Please wait.
Keypair generation process begin.
.Success.

pix1(config)#
We can view the capture in the browser:
Capturing Traffic on the PIX - Viewing the dump
Or we can download the capture as pcap:
Capturing Traffic on the PIX - Downloading the pcap

Finally we delete the capture on the PIX:

pix1(config)# no capture cap1
pix1(config)#
pix1(config)# show capture cap1
ERROR: capture  does not exist
pix1(config)# show capture
pix1(config)#

No comments:

Post a Comment