Hands-On Hacking Techniques 101

Transcription

1 Hands-On Hacking Techniques 101 University of Petra Faculty of Information Technology Department of Computer Networking 2014 Dr. Ali Al-Shemery bsc [at] ashemery [dot] com

2 Dissecting Network Traffic using Modified by: Dr. Ali Al-Shemery Original by: John Kowalski W33K #3-Part2

3 Network Analysis Network analysis defined The process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques. What is a sniffer? It is a tool that converts bits and bytes into a format that is human readable (in other words an interpreter).

4 Network Analyzer What is a network analyzer Can be anything! Portable laptop Dedicated hardware Generic PC used for packet captures What does an analyzer tool look like?

5 SUMMARY DETAIL DATA

6 Analyzer Components A packet analyzer is composed of five basic components 1. Hardware 2. Driver 3. Buffer 4. Real-Time Analysis Tool 5. Decode

7 Used for What? What is a protocol analysis tool used for? Converting binary to English Troubleshooting Performance analysis Logging traffic Establishing benchmarks Discovering faulty devices Intrusion detection Check for Network/Internet Policy Violations Virus detection

8 The Good, the Bad and the Ugly Like any tool the possibility for misuse exists Hackers can steal info The curious can snoop Passwords can be captured Learn what viruses would be most effective Learn IP addressing schemes for DOS attacks

9 Others? Other network analyzers WinDump Netsniff-ng Network General Sniffer (now NetScout) Network Monitor EthehrPeek TCP Dump Snoop Snort Dsniff Ettercap Etc.

10 How Sniffers Work? All Ethernet enabled devices see all of the traffic on the wire Ethernet is not a secure protocol so sniffers are the perfect tool for troubleshooting Normal NIC behavior Unicasts, broadcasts, multicasts Promiscuous mode All-Unicasts, all-broadcasts, all-multicasts, all-traffic!

11 It s not for me! It s not for me! It s not for me! End node in Normal mode I have a packet here for MAC Address 103 MAC 100 MAC 101 MAC 102 ROUTER MAC 103 MAC 104 That s my address! It s not for me!

12 It s not for me! It s not for me! It s not for me! End node in Promiscuous mode I have a packet here for MAC Address 103 MAC 100 MAC 101 MAC 102 ROUTER MAC 103 MAC 104 That s my address! It s not my address but I ll take it!

13 Wireshark #1 packet analyzer

14 What is Wireshark? Open source freeware licensed protocol analyzer Works in promiscuous and non-promiscuous modes Can capture data live or read it from a file Configurable GUI that is easy to read Multiple capture file formats for import and export Can capture wire or wireless data Supports more than 700 protocols Multi platforms It s primary strength is its large support of sniffer file formats and protocols

15 The User interface Summary Pane: Packet number Time Source Address (SA) Destination Address (DA) Name of highest level protocol Information on highest level protocol

16 The User interface Cont. Detail Pane: Tree-like structure that details each layer of each packet Analyzes the packets within each protocol

17 The User interface Cont. Data Pane: Contains the raw data Data displayed in hex and in text

18 Analysis Filters The recommended technique is to capture with no filters and then filter the capture file There are many ways to filter this data either during the capture or during the display

19 Display Filters Internet Protocol (IP) Field Name Type ip.addr Source or Destination Address IPv4 address ip.checksum Header checksum Unsigned 16-bit integer ip.checksum_bad Bad Header checksum Boolean ip.dsfield Differentiated Services field Unsigned 8-bit integer ip.dsfield.ce Explicit Congestion Notification Unsigned 8-bit integer ip.dsfield.dscp Differentiated Services Codepoint Unsigned 8-bit integer ip.dst Destination IPv4 address ip.flags Flags Unsigned 8-bit integer ip.flags.df Don t fragment Boolean ip.flags.mf More fragments Boolean ip.frag_offset Fragment offset Unsigned 16-bit integer ip.fragment IP Fragment Frame number ip.fragment.error Defragmentation error Frame number ip.fragment.multipletails Multiple tail fragments found Boolean

20 Display Filters Cont. ip.fragment.overlap Fragment overlap Boolean ip.fragment.toolongfragment Fragment too long Boolean ip.fragments IP fragments No value ip.hdr_len Header length Unsigned 8-bit integer ip.id Identification Unsigned 16-bit integer ip.len Total length Unsigned 16-bit integer ip.proto Protocol Unsigned 8-bit integer ip.reassembled_in Reassembled IP in frame Frame number ip.src Source IPv4 address ip.tos Type of service Unsigned 8-bit integer ip.tos.cost Cost Boolean ip.tos.delay Delay Boolean ip.tos.precedence Precedence Unsigned 8-bit integer ip.tos.reliability Reliability Boolean ip.tos.throughput Throughput Boolean ip.ttl Time-to-live Unsigned 8-bit integer ip.version Version Unsigned 8-bit integer

21 Filter Modifiers Modifier Designator Symbol Equal EQ == Not Equal NE!= Greater Than GT > Less Than LT < Greater than or Equal to GE >= Less than or Equal To LE <=

22 Supporting Programs T-Shark A command line version of Wireshark Editcap Used to remove packets from a file, and to translate the format of capture files. Mergecap Merges capture files together Text2pcap Reads text converts to capture file

23 Placement of the Sniffer is Critical

24

25

26

27 To be successful! You must also wear many hats!

28 Optimizing your Protocol Analyzer Have a fast enough PC CPU Memory Disk space Match the NIC speed/duplex with the source of the traffic being gathered Strip the extras down Failure to do so may result in lost data Don t update list of packets in real time No name resolution Dump 1 st using TCPDUMP/WINDUMP, Tshark then load into Wireshark

29 Using Wireshark The basics

30 - Menu bar - Tool bar - Summary window - Protocol Tree window - Data View window - Filter bar - Information field - Display information Wireshark Main Window

31 Example What does this summary info tell us?

32 Protocol window example Example What does this protocol info tell us?

33 Good place to find passwords and usernames! Data View Window

34 Cont. Filter bar Used to build display filters Will not allow invalid capture filters Filter is not applied until you click apply! Information field (bottom of capture) Displays capture filename and size Display information field P = Total D = Displayed M = Marked

35 File menu Example

36 Save Options There are several save options Captured Displayed Range

37 Save Options - NOTE Note that when you save a filtered capture, you strip off all other packets in the newly saved capture file Make sure you do not need these packets!

38

39 Wireshark Name Resolution Three modes MAC name resolution Uses OUI names Identified by 1 st 6 bytes Network name resolution i.e. DNS name resolution Transport name resolution Translates ports to names

40 Note that many file types are available Save as Dialogue Box

41 You can print in plain text, post-script or output to a file Print Dialog

42 Printing Options The summary line All packets Marked packets Packets from x to y All or partial detail

43 The Edit Menu

44 Find Packet Allows a search by filter, hex or string value Uses same filters as display filters Can search by HEX characters (good for MAC addresses) String search useful for usernames, etc Ability to search up or down Case sensitive or insensitive

45 Time Reference Toggle Allows you to calculate intra-packet times based on packets you select How long did client B take to respond to client A?

46 Allows you to customize Wireshark to your personal liking or needs Preferences

47 There is a lot of customizable information on the viewing capabilities of Wireshark The View Menu

48 Time Display Information Time is gathered from LOCAL system time Very important to synchronize times when doing simultaneous captures on two platforms Wireshark can display time since 1 st capture or delta time Automatically display live capture Useful when you need to watch the packet flow, but can slow the capture process

49 Color Filters Useful for the color-blind Allows you to change the color of protocols, errors, etc.

50 Example A color coded display can help you troubleshoot

51 Example Show packet in new window Allows you to zero in on a single packet

52 Capture Menu You can capture on any single interface on you Wireshark PC * The packet count and packets per second displayed in the Capture Interfaces dialog box are not the total seen by the interfaces, but are the total count and rate seen by the interface from the time the Capture Interface dialog box was opened

53 Characteristics Tab

54 Statistics Tab

55 Protocol (Ethernet) Tab

56 Capture Options How To display? What Is captured? Where To store? When To capture?

57 Example What interface? Buffer size? Promiscuous? Capture filter? Where to save? Use multiple Files? How many? When to stop?

58 Buffers Buffer size vs. Capture size Buffer size is dependant upon RAM Capture size is dependant upon hard drive size Too large a buffer can slow the capture process and cause data loss too small will not give the HDD time to write the data Defaults are best!

59 Capture Options While you can stop a capture based on: Capture a number of packets and stop Capture for a period of time and stop Capture a number of kilobytes and then stop

60 Capture Dialog Box

61 Capture Filters Capture filter list Name the filter Create the filter

62 Capture Filters vs. Display Filters Capture filters vs. Display filters Capture filters are used before the capture to narrow what is gathered Display filters are used after the capture to filter the output Capture and display filters are different Capture = tcp port http Display = protocol=http Both do the same thing!

63 There are literally thousands of capture options available and the good news is most have already been written for you. Filter Expressions

64 Example Operators include: ==!= > < >= <= Select operator

65 Example Note that the value will change depending upon the protocol chosen Select value

66 Display Filter Dialog Box Filter Name Filter String

67 To enable or not to enable? Disabling protocols may make your sniffer run faster (maybe) Enabling Protocols

68 Decoding Decode as Not used very often best not to override defaults Forces Wireshark to decode a protocol the way you decide.

69 Following Streams Following a TCP or SSL stream Very useful for following a conversation but usually only if the data is sent in the clear (telnet, SMTP, etc)

70 SMTP follow TCP stream example

71 Statistics Menu The statistics menu Provides many useful traffic statistics

72 Statistics Menu Options

73 Capture Summary Dialogue Box Gives a great quick summary of the capture statistics

74 Gives statistics broken down by each protocol Protocol Hierarchy Statistics

75 TCP Stream Graph

76 TCP Stream Graph Options

77 Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake!* *This is, of course after you know what a normal network sniffer capture looks like!

78

79