Have you ever been on a pentest, or troubleshooting a customer issue, and the "next step" was to capture packets on a Windows host? Then you find that installing winpcap or wireshark was simply out of scope or otherwise not allowed on that SQL, Exchange, Oracle or other host? It used to be that this is when we'd recommend installing Microsoft's Netmon packet capture utility, but even then lots of IT managers would hesitate about using the "install" word in association with a critical server. Well, as they say in networking (and security as well), there's always another way, and this is that way. "netsh trace" is your friend. And yes, it does exactly what it sounds like it does. Type "netsh trace help" on any Windows 7 Windows Server 2008 or newer box, and you'll see the following: C:\>netsh trace help The following commands are available: Commands in this context: Of course, in most cases, tracing everything on any production box is not advisable - especially if it's your main Exchange, SQL or Oracle server. We'll need to filter the capture, usually to a specific host IP, protocol or similar. You can see more on this here: netsh trace show capturefilterhelp One of the examples in this output shows you how t o e.g. 'netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1' You could also add Protocol=TCP or UDP and so on.. Full syntax and notes for netsh trace can be found here: https://technet.microsoft.com/en-us/library/dd878517 For instance, the following session shows me capturing an issue with a firewall that I'm working on. Note that you need admin rights to run this, the same as any capture tool. In a pentest you would likely specify an output file that isn't in the users' directory. C:\>netsh trace start capture=yes IPv4.Address=192.168.122.2 Trace configuration: When you are done capturing data, it's time to stop it: C:\> netsh trace stop Tracing session was successfully stopped. c:\ The cool thing about this is that it doesn't need a terminal session (with a GUI, cursor keys and so on). If all you have is a metasploit shell, netsh trace works great! If this is a capture for standard sysadmin work, you can simply copy the capture over to your workstation and proceed on with analysis. If this is a pentest, a standard copy might still work (remember, we're on a Microsoft server), but if you need netcat type function to exfiltrate your capture, take a look at PowerCat (which is a netcat port in PowerShell). Next, open the file (which is in Microsoft's ETL format) in Microsoft's Message Analyzer app - which you can install on your workstation rather than the server we ran the capture on ( http://www.microsoft.com/en-us/download/details.aspx?id=44226 ). Message Analyzer has a surprisingly nice interface and some decent packet parsing, you might be able to wrap up your analysis just in this tool (see below). If you do need another packet analysis tool, it's easy to a File / Save As / Export, and save as a PCAP file that Wireshark, tcpdump, SNORT, ngrep, standard python or perl calls, or any other standard tool can read natively. Or you can convert to PCAP using PowerShell (of course you can). A short, simple script to do this might look like: $s = New-PefTraceSession -Path “C:\output\path\spec\OutFile.Cap” -SaveOnStop This Powershell cmdlet is not available in Windows 7 - you'll need Windows 8, or Server 2008 or newer If 'netsh trace' has solved an interesting problem for you, or was the tool that got you some interesting data in a pentest, please, use our comment form to let us know how you used it (within your NDA of course!) =============== |
Rob VandenBrink 579 Posts ISC Handler Mar 4th 2015 |
Thread locked Subscribe |
Mar 4th 2015 7 years ago |
Windows 7 SP1 users can use the PowerShell cmdlet by first downloading PowerShell v3.0 from http://www.microsoft.com/powershell, which requires Microsoft .NET Framework 4.0 or higher, downloadable from http://www.microsoft.com/net.
|
Chris 2 Posts |
Quote |
Mar 4th 2015 7 years ago |
Cool, thanks! Even outside pentesting, this will be useful in plain old troubleshooting. Often there are servers where I don't want to install winpcap/windump, and don't have easy access to a span port. This will be useful.
|
John 88 Posts |
Quote |
Mar 4th 2015 7 years ago |
I have found it useful to put the PowerShell commands into a one-liner .bat file, so a .etl file can be drag-and-dropped onto the batch file to convert it:
powershell -command "import-module PEF; $s = New-PefTraceSession -Path '%~n1.cap' -SaveOnStop; $s | Add-PefMessageProvider -Provider '%~1' ; $s | Start-PefTraceSession" |
Chris 2 Posts |
Quote |
Mar 4th 2015 7 years ago |
I tested a Win8.1 machine, and it didn't have access to the New-Pef... commands. I'm assuming you have to install the MS message analyzer to get access to the powershell cmdlets?
|
John 88 Posts |
Quote |
Mar 4th 2015 7 years ago |
Thanks for the tip, really usefull. I noticed in Win7 that after start/stop the applications lost open tcp sessions. Will check when that happens.
|
John 1 Posts |
Quote |
Mar 4th 2015 7 years ago |
Good tip - some extra information to prevent confusion: on Windows 7, the NETSH TRACE command is only available on the 64-bit version of NETSH so in case it tells you the TRACE command is not available then just make sure to run the 64-bit version...
Dror c:\>netsh trace The following command was not found: trace. c:\>run -l netsh 1) CHOSEN: netsh.exe [C:\Windows\SysWOW64] 2) netsh.exe [C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9] 3) windows - What appid should I use with netsh.exe- - Stack Overflow.url [F:\AWS\Sec] c:\>run -1 netsh trace Running: C:\Windows\SysWOW64\netsh.exe: The following command was not found: trace. c:\>run -2 netsh trace Running: C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9\netsh.exe: ? - convert - Converts a trace file to an HTML report. correlate - Normalizes or filters a trace file to a new output file. diagnose - Start a diagnose session. dump - help - show - List interfaces, providers and tracing state. start - Starts tracing. stop - Stops tracing. |
D 1 Posts |
Quote |
Mar 5th 2015 7 years ago |
I had seen this before, but never hurts to get the word out. Definitely nice for quick and dirty. Would be great if they added support for LoopBack (Localhost, 127.0.0.1) traffic but I could not find any way to do that. Microsoft Message Analyzer supposedly has "scenarios" which seem to enable capture loopback traffic. NetSh Trace also alludes to "Scenarios" , but I am not sure that the scenarios between netsh trace and Message analyzer would be compatible (and if you had to install Message Analyzer to get the scenarios, not much of a time savings. Hopefully MS will add a scenario that allows for Loopback capture at some point. This is DEFINTELY handier than having to go through an install to debug normal Ethernet traffic on a server.
|
D 20 Posts |
Quote |
Mar 5th 2015 7 years ago |
Yes. I wondered the same thing and can confirm that the commandlets become available after the install of Microsoft's Message Analyzer.
|
egagne 3 Posts |
Quote |
Mar 6th 2015 7 years ago |
Two features about "net trace":
- With "net trace" is possible to use persistent mode, to continue capturing even restarts. - You can also filter the captured traffic : netsh trace show CaptureFilterHelp Extracted from: http://www.sysadmit.com/2016/06/windows-capturar-trafico.html |
egagne 1 Posts |
Quote |
Jun 6th 2016 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!