Hands-On Hacking Techniques 101


Hands-On Hacking Techniques 101 University of Petra Faculty of Information Technology Department of Computer Networking 2014 Dr. Ali Al-Shemery bsc [at] ashemery [dot] com

Dissecting Network Traffic using Wireshark
Modified by: Dr. Ali Al-Shemery
Original by: John Kowalski
Week #3 - Part 2

Network Analysis
- Network analysis defined: the process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques.
- What is a sniffer? A tool that converts the bits and bytes seen on the wire into a format that is human readable (in other words, an interpreter).

Network Analyzer
What is a network analyzer? It can be anything:
- Portable laptop
- Dedicated hardware
- Generic PC used for packet captures
What does an analyzer tool look like? Three panes: SUMMARY, DETAIL and DATA (figure).

Analyzer Components
A packet analyzer is composed of five basic components:
1. Hardware
2. Driver
3. Buffer
4. Real-Time Analysis Tool
5. Decode

Used for What?
A protocol analysis tool is used for:
- Converting binary to English (human-readable decodes)
- Troubleshooting
- Performance analysis
- Logging traffic
- Establishing benchmarks
- Discovering faulty devices
- Intrusion detection
- Checking for network/Internet policy violations
- Virus detection

The Good, the Bad and the Ugly
Like any tool, the possibility for misuse exists:
- Hackers can steal information
- The curious can snoop
- Passwords can be captured (any protocol that authenticates in the clear)
- Learn which viruses would be most effective against the hosts seen
- Learn IP addressing schemes for DoS attacks

Other network analyzers
- WinDump
- netsniff-ng
- Network General Sniffer (now NetScout)
- Microsoft Network Monitor
- EtherPeek
- tcpdump
- snoop
- Snort
- dsniff
- Ettercap
- etc.

How Sniffers Work
- On a shared Ethernet segment (a hub, or a wireless cell) every attached device sees all of the traffic on the wire. On a switched network the switch forwards a unicast frame only to the port that owns its destination MAC, so a sniffer there sees broadcasts, multicasts and its own traffic unless you use a SPAN/mirror port, a network TAP, or an attack such as ARP spoofing to pull the traffic past it.
- Ethernet offers no confidentiality, so sniffers are the perfect tool for troubleshooting, and for eavesdropping.
- Normal NIC behaviour: the card only passes up unicasts addressed to its own MAC, broadcasts, and the multicast groups the host has joined.
- Promiscuous mode: all unicasts, all broadcasts, all multicasts, all traffic that reaches the card!

Figure: end node in normal mode. A frame for MAC address 103 travels along a segment carrying nodes MAC 100 to MAC 104 and a router. Only MAC 103 says "That's my address!"; every other node says "It's not for me!"

Figure: end node in promiscuous mode. The same frame for MAC 103 goes by. MAC 103 still says "That's my address!", and the node in promiscuous mode says "It's not my address but I'll take it!"
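The two figures above, as a runnable added example (not part of the course slides): a NIC's receive filter in normal mode versus promiscuous mode, applied to a few constructed Ethernet frames. The MAC addresses, the mDNS group and the frames are sample data invented here.

```python
# Added example: which frames does a NIC pass up to the host in normal versus
# promiscuous mode? Not part of the slides; all addresses and frames are
# constructed sample data.
import struct

BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    """'02:00:00:00:01:00' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype) from an Ethernet II frame header."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool = False,
                multicast_groups=frozenset()) -> bool:
    """Mimic the receive filter of an Ethernet card.

    Normal mode: own unicast address, the broadcast address, and only those
    multicast groups the host has joined. Promiscuous mode: everything that
    physically reaches the card (on a switched network that is still only
    what the switch decides to send to this port).
    """
    dst, _, _ = parse_ethernet(frame)
    if promiscuous:
        return True
    if dst == own_mac or dst == BROADCAST:
        return True
    # The I/G bit (least significant bit of the first octet) marks a group address.
    return bool(dst[0] & 0x01) and dst in multicast_groups


# Constructed segment matching the figures: nodes MAC 100..104 share a wire.
MACS = {n: mac(f"02:00:00:00:01:{n - 100:02x}") for n in range(100, 105)}
MDNS_GROUP = mac("01:00:5e:00:00:fb")

FRAMES = [
    ("unicast to MAC 103", build_frame(MACS[103], MACS[100])),
    ("broadcast ARP request", build_frame(BROADCAST, MACS[100], 0x0806)),
    ("multicast mDNS query", build_frame(MDNS_GROUP, MACS[101])),
    ("unicast to MAC 104", build_frame(MACS[104], MACS[100])),
]


def seen_by(node: int, promiscuous: bool, groups=frozenset()):
    """Names of the sample frames that this node's NIC would hand to the host."""
    return [name for name, frame in FRAMES
            if nic_accepts(frame, MACS[node], promiscuous, groups)]


if __name__ == "__main__":
    for node in (102, 103):
        print(f"MAC {node} normal:      ", seen_by(node, False))
        print(f"MAC {node} promiscuous: ", seen_by(node, True))
```

In normal mode MAC 102 gets only the broadcast, MAC 103 gets the broadcast and the unicast addressed to it, and a node that has joined the mDNS group also gets that multicast; in promiscuous mode every node gets all four frames, which is exactly what the sniffer wants.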

Wireshark #1 packet analyzer

What is Wireshark?
- Open source protocol analyzer, released under the GNU GPL
- Works in promiscuous and non-promiscuous modes
- Can capture data live or read it from a file
- Configurable GUI that is easy to read
- Multiple capture file formats for import and export
- Can capture wired or wireless data
- Supports more than 700 protocols (the number of dissectors grows with every release)
- Multi-platform
- Its primary strength is its large support of sniffer file formats and protocols

The User Interface
Summary Pane, one line per packet:
- Packet number
- Time
- Source Address (SA)
- Destination Address (DA)
- Name of the highest-level protocol
- Information on the highest-level protocol

Detail Pane:
- Tree-like structure that details each layer of each packet
- Shows the decoded fields within each protocol

Data Pane:
- Contains the raw bytes of the packet
- Data displayed in hex and in text

Analysis Filters
- The recommended technique is to capture with no filters and then filter the capture file
- There are many ways to filter the data, either during the capture (capture filters) or afterwards (display filters)

Display Filters: Internet Protocol (IP) fields

Field                          Name                               Type
ip.addr                        Source or destination address      IPv4 address
ip.checksum                    Header checksum                    Unsigned 16-bit integer
ip.checksum_bad                Bad header checksum                Boolean
ip.dsfield                     Differentiated Services field      Unsigned 8-bit integer
ip.dsfield.ce                  Explicit Congestion Notification   Unsigned 8-bit integer
ip.dsfield.dscp                Differentiated Services Codepoint  Unsigned 8-bit integer
ip.dst                         Destination                        IPv4 address
ip.flags                       Flags                              Unsigned 8-bit integer
ip.flags.df                    Don't fragment                     Boolean
ip.flags.mf                    More fragments                     Boolean
ip.frag_offset                 Fragment offset                    Unsigned 16-bit integer
ip.fragment                    IP fragment                        Frame number
ip.fragment.error              Defragmentation error              Frame number
ip.fragment.multipletails      Multiple tail fragments found      Boolean
ip.fragment.overlap            Fragment overlap                   Boolean
ip.fragment.toolongfragment    Fragment too long                  Boolean
ip.fragments                   IP fragments                       No value
ip.hdr_len                     Header length                      Unsigned 8-bit integer
ip.id                          Identification                     Unsigned 16-bit integer
ip.len                         Total length                       Unsigned 16-bit integer
ip.proto                       Protocol                           Unsigned 8-bit integer
ip.reassembled_in              Reassembled IP in frame            Frame number
ip.src                         Source                             IPv4 address
ip.tos                         Type of service                    Unsigned 8-bit integer
ip.tos.cost                    Cost                               Boolean
ip.tos.delay                   Delay                              Boolean
ip.tos.precedence              Precedence                         Unsigned 8-bit integer
ip.tos.reliability             Reliability                        Boolean
ip.tos.throughput              Throughput                         Boolean
ip.ttl                         Time-to-live                       Unsigned 8-bit integer
ip.version                     Version                            Unsigned 8-bit integer

Note: these names are from the Wireshark release the slides were written for; some have changed since (newer releases report the checksum verdict as ip.checksum.status rather than ip.checksum_bad). Check Help > Supported Protocols, or run tshark -G fields, for the exact list your version uses.

Filter Modifiers (comparison operators)

Modifier                    Designator    Symbol
Equal                       eq            ==
Not Equal                   ne            !=
Greater Than                gt            >
Less Than                   lt            <
Greater Than or Equal To    ge            >=
Less Than or Equal To       le            <=

Caveat for fields that occur more than once per packet, such as ip.addr (it stands for both ip.src and ip.dst): "ip.addr != 10.0.0.5" was historically read as "any ip.addr that is not 10.0.0.5", which is true for almost every packet, including the ones to and from 10.0.0.5. Write !(ip.addr == 10.0.0.5) to exclude a host; that form works in every version. Wireshark 3.6 changed != to mean "all not equal", which fixes the surprise but means the same filter behaves differently on older installations.
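The two tables above put into working code, as an added example that is not part of the slides: a small IPv4 header dissector that exposes fields under the same names Wireshark uses (including the checksum verdict behind ip.checksum_bad), and an evaluator for the comparison operators, including the any-match behaviour of ip.addr described in the caveat. The packet bytes are constructed sample data; 10.0.0.5 and 198.51.100.7 are placeholder addresses.

```python
# Added example: IPv4 dissector with Wireshark-style field names and a
# single-comparison display-filter evaluator. Not from the slides; the
# packets below are constructed.
import ipaddress
import operator
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; call with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields keyed by Wireshark display-filter names."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or hdr_len < 20 or hdr_len > len(packet):
        raise ValueError("not a plausible IPv4 header")
    header = packet[:hdr_len]
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "ip.version": version,
        "ip.hdr_len": hdr_len,
        "ip.dsfield": tos,
        "ip.dsfield.dscp": tos >> 2,
        "ip.dsfield.ecn": tos & 0x03,
        "ip.len": total_len,
        "ip.id": ident,
        "ip.flags": flags_frag >> 13,                 # the three flag bits
        "ip.flags.df": bool(flags_frag & 0x4000),
        "ip.flags.mf": bool(flags_frag & 0x2000),
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8,  # in bytes, as Wireshark shows it
        "ip.ttl": ttl,
        "ip.proto": proto,
        "ip.checksum": csum,
        "ip.checksum_bad": csum != expected,
        "ip.src": str(ipaddress.IPv4Address(src)),
        "ip.dst": str(ipaddress.IPv4Address(dst)),
    }


OPERATORS = {
    "==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
    ">": operator.gt, "gt": operator.gt, "<": operator.lt, "lt": operator.lt,
    ">=": operator.ge, "ge": operator.ge, "<=": operator.le, "le": operator.le,
}


def match(fields: dict, expression: str) -> bool:
    """Evaluate one 'field operator value' test, e.g. 'ip.ttl <= 64'.

    ip.addr covers both ip.src and ip.dst and is true if EITHER matches. That
    is the classic behaviour, and it is why 'ip.addr != x' still matches
    packets to or from x: one of the two addresses is always not-x.
    """
    name, op, raw = expression.split()
    if name == "ip.addr":
        return match(fields, f"ip.src {op} {raw}") or match(fields, f"ip.dst {op} {raw}")
    current = fields[name]
    if isinstance(current, bool):
        value = raw.lower() in ("1", "true")
    elif isinstance(current, int):
        value = int(raw, 0)
    else:
        value = raw
    return OPERATORS[op](current, value)


def apply_display_filter(packets, expression: str):
    """Indices of the raw IPv4 packets that satisfy the expression."""
    return [i for i, pkt in enumerate(packets) if match(dissect_ipv4(pkt), expression)]


# Constructed sample: 40-byte TCP/IP packet 10.0.0.5 -> 198.51.100.7, DF set,
# TTL 64, with 20 zero bytes standing in for the TCP header.
SAMPLE = bytes.fromhex("4500 0028 1c46 4000 4006 ea4a 0a00 0005 c633 6407") + b"\x00" * 20
# Same packet with the TTL decremented but the checksum left stale (a buggy
# middlebox would produce exactly this), so ip.checksum_bad becomes true.
STALE = SAMPLE[:8] + bytes([63]) + SAMPLE[9:]
```

Try `match(dissect_ipv4(SAMPLE), "ip.addr != 10.0.0.5")`: it returns True even though the packet is from 10.0.0.5, because the destination is not 10.0.0.5. That is the pitfall the caveat above warns about.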

Supporting Programs
- TShark: a command-line version of Wireshark (capture and dissect without the GUI)
- Editcap: removes packets from a file and translates between capture file formats
- Mergecap: merges capture files together, ordering the packets by timestamp
- Text2pcap: reads a hex dump (text) and converts it into a capture file
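What these three file tools do, reduced to their core, as an added example that is not part of the slides or of the Wireshark project: write a classic pcap file from a text2pcap-style hex dump, read it back, merge two captures by timestamp the way mergecap does, and drop packets the way editcap does. The two hex dumps (an ARP request and reply, and a second request seen on another machine) are constructed sample input.

```python
# Added example: the essence of text2pcap, mergecap and editcap in Python, to
# show what a pcap file actually is. Not from the slides; the hex dumps are
# constructed sample frames.
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond timestamps; written little-endian here
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts: float, frame: bytes) -> bytes:
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def hexdump_to_pcap(text: str, start: float = 0.0, step: float = 0.001) -> bytes:
    """text2pcap-style: lines are '<hex offset> <hex bytes...>'; an offset of 0
    begins a new packet. Packets get ascending synthetic timestamps."""
    packets, current = [], bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if int(parts[0], 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in parts[1:]:
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                    # ASCII column or other trailing text
            current.append(int(tok, 16))
    if current:
        packets.append(bytes(current))
    body = b"".join(pcap_record(start + i * step, p) for i, p in enumerate(packets))
    return pcap_global_header() + body


def read_pcap(data: bytes):
    """Yield (timestamp, frame) for every record in an in-memory pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield sec + usec / 1_000_000, data[offset:offset + incl_len]
        offset += incl_len


def count_packets(data: bytes) -> int:
    return sum(1 for _ in read_pcap(data))


def merge_pcaps(*captures: bytes) -> bytes:
    """mergecap-style: interleave records from several files by timestamp."""
    records = sorted((rec for cap in captures for rec in read_pcap(cap)), key=lambda r: r[0])
    return pcap_global_header() + b"".join(pcap_record(ts, fr) for ts, fr in records)


def edit_pcap(data: bytes, keep) -> bytes:
    """editcap-style: keep only the records for which keep(index, frame) is true."""
    kept = [(ts, fr) for i, (ts, fr) in enumerate(read_pcap(data)) if keep(i, fr)]
    return pcap_global_header() + b"".join(pcap_record(ts, fr) for ts, fr in kept)


# Constructed capture A: ARP request from 02:..:01:00, reply from 02:..:01:01.
DUMP_A = """
000000 ff ff ff ff ff ff 02 00 00 00 01 00 08 06 00 01
000010 08 00 06 04 00 01 02 00 00 00 01 00 0a 00 00 05
000020 00 00 00 00 00 00 0a 00 00 01
000000 02 00 00 00 01 00 02 00 00 00 01 01 08 06 00 01
000010 08 00 06 04 00 02 02 00 00 00 01 01 0a 00 00 01
000020 02 00 00 00 01 00 0a 00 00 05
"""
# Constructed capture B, taken on another machine in between: request from 02:..:01:02.
DUMP_B = """
000000 ff ff ff ff ff ff 02 00 00 00 01 02 08 06 00 01
000010 08 00 06 04 00 01 02 00 00 00 01 02 0a 00 00 02
000020 00 00 00 00 00 00 0a 00 00 01
"""


def demo():
    """Merge A and B by time, then keep only ARP replies (opcode 2 at offset 20)."""
    cap_a = hexdump_to_pcap(DUMP_A, start=1.0)
    cap_b = hexdump_to_pcap(DUMP_B, start=1.0005)
    merged = merge_pcaps(cap_a, cap_b)
    replies_only = edit_pcap(merged, lambda _i, fr: fr[20:22] == b"\x00\x02")
    return [fr[6:12].hex(":") for _, fr in read_pcap(merged)], count_packets(replies_only)
```

The merge only makes sense if the two capture machines had synchronized clocks, which is the same point the time-display slide makes later; with skewed clocks mergecap will happily interleave packets in the wrong order.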

Placement of the Sniffer is Critical

To be successful! You must also wear many hats!

Optimizing your Protocol Analyzer
- Have a fast enough PC: CPU, memory, disk space
- Match the NIC speed/duplex with the source of the traffic being gathered
- Strip the extras down; failure to do so may result in dropped packets and lost data:
  - Don't update the list of packets in real time
  - No name resolution
- Dump first using tcpdump/WinDump or TShark, then load the file into Wireshark

Using Wireshark The basics

Wireshark Main Window
- Menu bar
- Tool bar
- Summary window
- Protocol Tree window
- Data View window
- Filter bar
- Information field
- Display information

Example: what does this summary info tell us?

Protocol window example: what does this protocol info tell us?

Data View Window: a good place to find passwords and usernames!

Filter bar
- Used to build display filters
- Checks the syntax as you type: the bar turns green for a valid display filter and red for an invalid one (capture filters use a different syntax and are entered in the Capture Options dialog)
- The filter is not applied until you click Apply!
Information field (bottom of the capture window)
- Displays the capture filename and size
Display information field
- P = Total packets
- D = Displayed packets
- M = Marked packets

File menu Example

Save Options
There are several save options:
- Captured
- Displayed
- Range

Save Options - NOTE: when you save only the displayed (filtered) packets, every other packet is stripped from the newly saved capture file. Make sure you do not need those packets!

Wireshark Name Resolution
Three modes:
- MAC name resolution: uses OUI (vendor) names, identified by the first 3 bytes (24 bits, the first 6 hex digits) of the MAC address
- Network name resolution, i.e. DNS name resolution. Note that this sends DNS queries from the analysis machine for every address in the capture, which is slow and gives away that you are sniffing; turn it off in the preferences (or with -n in TShark) unless you need it
- Transport name resolution: translates port numbers to service names

Save As Dialog Box: note that many file types are available

Print Dialog: you can print in plain text or PostScript, or output to a file

Printing Options
- The summary line
- All packets
- Marked packets
- Packets from x to y
- All or partial detail

The Edit Menu

Find Packet
- Allows a search by display filter, hex value or string
- Filter searches use the same syntax as display filters
- Hex search is good for MAC addresses and other binary patterns
- String search is useful for usernames, etc.
- Ability to search up or down
- Case sensitive or insensitive

Time Reference Toggle
- Allows you to calculate inter-packet times relative to a packet you select
- How long did client B take to respond to client A?

Preferences: allows you to customize Wireshark to your personal liking or needs

The View Menu: there is a lot of customizable information on the viewing capabilities of Wireshark

Time Display Information
- Time stamps come from the LOCAL system clock when the capture driver receives each packet
- Very important to synchronize the clocks (e.g. with NTP) when doing simultaneous captures on two platforms, or the merged trace will be out of order
- Wireshark can display time since the first captured packet or the delta from the previous packet
- Automatic scrolling in live capture: useful when you need to watch the packet flow, but it can slow the capture process

Color Filters
- Allow you to change the colors used for protocols, errors, etc.
- Also useful for the color-blind

Example A color coded display can help you troubleshoot

Example: Show Packet in New Window allows you to zero in on a single packet

Capture Menu
- You can capture on any single interface on your Wireshark PC*
* The packet count and packets per second shown in the Capture Interfaces dialog box are not the totals seen by the interfaces; they are the count and rate seen since the Capture Interfaces dialog box was opened.

Characteristics Tab

Statistics Tab

Protocol (Ethernet) Tab

Capture Options
- How to display?
- What is captured?
- Where to store?
- When to capture?

Example: what interface? Buffer size? Promiscuous? Capture filter? Where to save? Use multiple files? How many? When to stop?

Buffers
- Buffer size vs. capture size
- Buffer size is limited by RAM
- Capture size is limited by hard drive size
- Too large a buffer can slow the capture process and cause data loss; too small will not give the HDD time to write the data
- Defaults are best!

Capture Options (stop conditions)
You can stop a capture automatically after:
- a number of packets
- a period of time
- a number of kilobytes

Capture Dialog Box

Capture Filters
- Capture filter list
- Name the filter
- Create the filter

Capture Filters vs. Display Filters
- Capture filters are applied before the capture to narrow what is gathered; they use libpcap/BPF syntax, e.g. tcp port http
- Display filters are applied after the capture to filter what is shown; they use Wireshark's own syntax, e.g. tcp.port == 80, or simply http to match whatever the HTTP dissector recognised
- The two syntaxes are different and not interchangeable: "tcp port http" is not a valid display filter and "tcp.port == 80" is not a valid capture filter
- Both narrow what you look at, but at a different cost: a capture filter discards packets for good, a display filter can be changed later. When in doubt, capture everything and filter afterwards.

Filter Expressions
There are literally thousands of filter fields available, and the good news is that most of the filters you need have already been written for you.

Example: select the field, then the operator: == != > < >= <=

Example: select the value; note that the value will change depending upon the protocol (field) chosen

Display Filter Dialog Box
- Filter Name
- Filter String

Enabling Protocols
- To enable or not to enable?
- Disabling the dissectors you don't need may make your sniffer run faster (maybe)

Decoding
- Decode As forces Wireshark to decode a protocol the way you decide, e.g. to dissect HTTP running on a non-standard port
- Not used very often; best not to override the defaults unless you know what the traffic really is

Following Streams
- Follow a TCP (or SSL/TLS) stream to see both sides of a conversation reassembled in order
- Very useful for following a conversation, but usually only if the data is sent in the clear (telnet, SMTP, FTP, HTTP, etc.)
- Follow SSL Stream shows plaintext only when Wireshark can decrypt the session: you must supply the server's RSA private key (and the session must not use a forward-secret cipher suite) or a key log file from the client

SMTP follow TCP stream example
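The SMTP follow-stream example above, reproduced as an added example that is not part of the slides: what "Follow TCP Stream" does under the hood, reassembling each direction of a conversation from segments that arrived out of order and once retransmitted, and why a cleartext SMTP login is such a good place to find credentials. The session is constructed; the host names, addresses, user name and password are invented, and the segments carry only the fields the reassembly needs rather than full TCP headers.

```python
# Added example: TCP stream reassembly per direction plus extraction of a SASL
# PLAIN login from the reassembled client side. Not from the slides; the SMTP
# session is constructed sample data.
import base64
from collections import defaultdict

CLIENT = ("10.0.0.5", 51000)
SERVER = ("10.0.0.1", 25)

# The scripted exchange, in the order it really happened.
CONVERSATION = [
    (SERVER, b"220 mail.example.test ESMTP ready\r\n"),
    (CLIENT, b"EHLO client.example.test\r\n"),
    (SERVER, b"250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n"),
    (CLIENT, b"AUTH PLAIN " + base64.b64encode(b"\x00user@example.test\x00hunter2") + b"\r\n"),
    (SERVER, b"235 2.7.0 Authentication successful\r\n"),
    (CLIENT, b"QUIT\r\n"),
    (SERVER, b"221 Bye\r\n"),
]


def to_segments(conversation, isn=None):
    """Turn the script into (src, dst, seq, payload) segments with correct
    sequence numbers; seq advances by the payload length in each direction."""
    next_seq = dict(isn or {CLIENT: 5000, SERVER: 1000})
    segments = []
    for speaker, payload in conversation:
        peer = SERVER if speaker == CLIENT else CLIENT
        segments.append((speaker, peer, next_seq[speaker], payload))
        next_seq[speaker] += len(payload)
    return segments


def scrambled_capture():
    """What a capture can look like: client segments arrive in reverse order
    and the last one is retransmitted."""
    segments = to_segments(CONVERSATION)
    client = [s for s in segments if s[0] == CLIENT][::-1]
    server = [s for s in segments if s[0] == SERVER]
    return server + client + [client[0]]


def follow_tcp_stream(segments):
    """Reassemble each direction: sort by sequence number, drop duplicate or
    overlapping bytes, and refuse to paper over a gap (a missed packet)."""
    per_direction = defaultdict(list)
    for src, dst, seq, payload in segments:
        per_direction[(src, dst)].append((seq, payload))
    streams = {}
    for direction, segs in per_direction.items():
        segs.sort(key=lambda s: s[0])
        data, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue                               # pure retransmission
            if seq < expected:                         # partial overlap
                payload, seq = payload[expected - seq:], expected
            if seq > expected:
                raise ValueError(f"{seq - expected} byte gap in {direction}; packets were lost")
            data += payload
            expected += len(payload)
        streams[direction] = bytes(data)
    return streams


def extract_auth_plain(client_stream: bytes):
    """Pull (authzid, username, password) out of a SASL PLAIN login, whether the
    base64 blob is on the AUTH line or sent after the server's 334 challenge."""
    lines = client_stream.split(b"\r\n")
    for i, line in enumerate(lines):
        if line.upper().startswith(b"AUTH PLAIN"):
            blob = line[len(b"AUTH PLAIN"):].strip() or lines[i + 1].strip()
            authzid, authcid, password = base64.b64decode(blob).split(b"\x00")
            return authzid.decode(), authcid.decode(), password.decode()
    return None


def render(streams):
    """Text like Wireshark's follow-stream window, one direction after the other."""
    out = []
    for (src, dst), data in streams.items():
        out.append(f"--- {src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ---")
        out.append(data.decode("ascii", "replace"))
    return "\n".join(out)


if __name__ == "__main__":
    streams = follow_tcp_stream(scrambled_capture())
    print(render(streams))
    print("credentials:", extract_auth_plain(streams[(CLIENT, SERVER)]))
```

Base64 is an encoding, not encryption: the AUTH PLAIN line looks opaque in the summary pane but decodes straight to the user name and password, which is exactly what the "good place to find passwords" slide is pointing at. The same reassembly on an SSL/TLS stream yields only ciphertext unless the keys are available.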

Statistics Menu The statistics menu Provides many useful traffic statistics

Statistics Menu Options

Capture Summary Dialog Box: gives a great quick summary of the capture statistics

Protocol Hierarchy Statistics: gives statistics broken down by each protocol

TCP Stream Graph

TCP Stream Graph Options

Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake!* *This is, of course, after you know what a normal capture on your network looks like!