Hands-On Hacking Techniques 101 University of Petra Faculty of Information Technology Department of Computer Networking 2014 Dr. Ali Al-Shemery bsc [at] ashemery [dot] com
Dissecting Network Traffic using Wireshark Modified by: Dr. Ali Al-Shemery Original by: John Kowalski Week #3 - Part 2
Network Analysis Network analysis defined: the process of capturing network traffic for the purpose of troubleshooting network anomalies with various tools and techniques. What is a sniffer? A tool that captures frames off the network and decodes the bits and bytes into a human-readable format (in other words, an interpreter).
Network Analyzer What is a network analyzer Can be anything! Portable laptop Dedicated hardware Generic PC used for packet captures What does an analyzer tool look like?
SUMMARY DETAIL DATA
Analyzer Components A packet analyzer is composed of five basic components 1. Hardware 2. Driver 3. Buffer 4. Real-Time Analysis Tool 5. Decode
Used for What? What is a protocol analysis tool used for? Converting binary to English Troubleshooting Performance analysis Logging traffic Establishing benchmarks Discovering faulty devices Intrusion detection Check for Network/Internet Policy Violations Virus detection
The Good, the Bad and the Ugly Like any tool, the possibility for misuse exists: attackers can steal information; the curious can snoop; passwords sent in the clear can be captured; attackers can learn which viruses would be most effective against the hosts they see; attackers can learn IP addressing schemes for DoS attacks.
Others? Other network analyzers: WinDump, netsniff-ng, Network General Sniffer (now NetScout), Network Monitor, EtherPeek, tcpdump, snoop, Snort, dsniff, Ettercap, etc.
How Sniffers Work? On shared Ethernet (a hub or a single collision domain) every device sees all of the traffic on the wire; Ethernet has no confidentiality built in, so sniffers are the perfect tool for troubleshooting. On a switched network a port normally receives only its own unicasts plus broadcasts/multicasts, so to see other hosts' traffic you need a SPAN/mirror port, a network tap, or an attack such as ARP spoofing. Normal NIC behavior: accepts unicasts addressed to its own MAC, broadcasts, and subscribed multicasts. Promiscuous mode: the NIC passes up all unicasts, all broadcasts, all multicasts, all traffic it sees!
End node in Normal mode: the router puts a frame for MAC address 103 on the segment. The nodes with MAC 100, 101, 102 and 104 each see it, compare the destination MAC with their own, and discard it ("It's not for me!"); only MAC 103 accepts it ("That's my address!").
End node in Promiscuous mode: the same frame for MAC address 103 is sent. MAC 103 accepts it ("That's my address!"), the other nodes in normal mode discard it ("It's not for me!"), but the node running in promiscuous mode keeps it anyway ("It's not my address but I'll take it!").
Wireshark #1 packet analyzer
What is Wireshark? Open-source (GPL-licensed) protocol analyzer Works in promiscuous and non-promiscuous modes Can capture data live or read it from a file Configurable GUI that is easy to read Multiple capture file formats for import and export Can capture wired or wireless data Supports more than 700 protocols Multi-platform Its primary strength is its large support of sniffer file formats and protocols
The User interface Summary Pane: Packet number Time Source Address (SA) Destination Address (DA) Name of highest level protocol Information on highest level protocol
The User interface Cont. Detail Pane: Tree-like structure that details each layer of each packet Analyzes the packets within each protocol
The User interface Cont. Data Pane: Contains the raw data Data displayed in hex and in text
Analysis Filters The recommended technique is to capture with no filters and then filter the capture file There are many ways to filter this data either during the capture or during the display
Display Filters Internet Protocol (IP) Field / Name / Type
ip.addr / Source or Destination Address / IPv4 address
ip.checksum / Header checksum / Unsigned 16-bit integer
ip.checksum_bad / Bad Header checksum / Boolean
ip.dsfield / Differentiated Services field / Unsigned 8-bit integer
ip.dsfield.ce / Explicit Congestion Notification / Unsigned 8-bit integer
ip.dsfield.dscp / Differentiated Services Codepoint / Unsigned 8-bit integer
ip.dst / Destination / IPv4 address
ip.flags / Flags / Unsigned 8-bit integer
ip.flags.df / Don't fragment / Boolean
ip.flags.mf / More fragments / Boolean
ip.frag_offset / Fragment offset / Unsigned 16-bit integer
ip.fragment / IP Fragment / Frame number
ip.fragment.error / Defragmentation error / Frame number
ip.fragment.multipletails / Multiple tail fragments found / Boolean
Display Filters Cont.
ip.fragment.overlap / Fragment overlap / Boolean
ip.fragment.toolongfragment / Fragment too long / Boolean
ip.fragments / IP fragments / No value
ip.hdr_len / Header length / Unsigned 8-bit integer
ip.id / Identification / Unsigned 16-bit integer
ip.len / Total length / Unsigned 16-bit integer
ip.proto / Protocol / Unsigned 8-bit integer
ip.reassembled_in / Reassembled IP in frame / Frame number
ip.src / Source / IPv4 address
ip.tos / Type of service / Unsigned 8-bit integer
ip.tos.cost / Cost / Boolean
ip.tos.delay / Delay / Boolean
ip.tos.precedence / Precedence / Unsigned 8-bit integer
ip.tos.reliability / Reliability / Boolean
ip.tos.throughput / Throughput / Boolean
ip.ttl / Time-to-live / Unsigned 8-bit integer
ip.version / Version / Unsigned 8-bit integer
Filter Modifiers Modifier / Designator / Symbol
Equal / EQ / ==
Not Equal / NE / !=
Greater Than / GT / >
Less Than / LT / <
Greater than or Equal to / GE / >=
Less than or Equal To / LE / <=
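The following is an added example (not code from the lecture or from the Wireshark project) showing what the ip.* fields above and the comparison modifiers look like when implemented: a minimal pcap/Ethernet/IPv4 dissector that names its fields exactly as the table does, verifies the header checksum to derive ip.checksum_bad, and evaluates a small subset of display-filter syntax (field OP literal, terms joined by &&, with ip.addr matching either direction). The four-packet capture is constructed inline so the script runs offline; it is not a real trace.

```python
"""Minimal pcap / Ethernet / IPv4 dissector with a Wireshark-style display filter.

Added example, not code from the lecture or from Wireshark. Sample capture constructed inline.
"""
import ipaddress
import struct

# pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, proto, ttl, payload=b"", df=True, bad_checksum=False):
    """Construct an Ethernet/IPv4 frame for the sample capture (constructed data, not a real trace)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr) ^ (1 if bad_checksum else 0)   # flip a bit to simulate corruption
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + hdr + payload


def pcap_records(data: bytes):
    """Yield raw frames from a little-endian pcap blob, checking magic and link type first."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]   # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes) -> dict:
    """Decode Ethernet + IPv4 into Wireshark field names (the slides' ip.* table)."""
    fields = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
              "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if fields["eth.type"] != 0x0800:
        return fields                      # not IPv4: only Ethernet fields are available
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    fields.update({
        "ip.version": ver_ihl >> 4, "ip.hdr_len": hdr_len,
        "ip.dsfield.dscp": tos >> 2, "ip.len": total_len, "ip.id": ident,
        "ip.flags.df": bool(flags_frag & 0x4000), "ip.flags.mf": bool(flags_frag & 0x2000),
        "ip.frag_offset": (flags_frag & 0x1FFF) * 8, "ip.ttl": ttl, "ip.proto": proto,
        "ip.checksum": csum, "ip.checksum_bad": ipv4_checksum(ip[:hdr_len]) != 0,
        "ip.src": str(ipaddress.IPv4Address(src)), "ip.dst": str(ipaddress.IPv4Address(dst)),
    })
    return fields


OPERATORS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
             "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def _literal(field, text: str):
    """Coerce the filter literal to the field's type (bool is tested before int on purpose)."""
    if isinstance(field, bool):
        return text.lower() in ("1", "true")
    if isinstance(field, int):
        return int(text, 0)
    return text


def matches(fields: dict, expression: str) -> bool:
    """Evaluate 'field OP literal' terms joined by &&; ip.addr matches either direction."""
    for term in expression.split("&&"):
        name, op, text = term.split()
        names = ("ip.src", "ip.dst") if name == "ip.addr" else (name,)
        if not any(n in fields and OPERATORS[op](fields[n], _literal(fields[n], text))
                   for n in names):
            return False
    return True


# Constructed capture: TCP both ways, a low-TTL UDP packet, and an ICMP frame with a corrupt checksum.
SAMPLE_PCAP = PCAP_GLOBAL_HDR + b"".join(
    struct.pack("<IIII", 1_400_000_000 + i, 0, len(f), len(f)) + f
    for i, f in enumerate([
        build_frame("10.0.0.5", "10.0.0.1", 6, 64, b"x" * 16),
        build_frame("10.0.0.1", "10.0.0.5", 6, 128),
        build_frame("192.168.1.9", "10.0.0.5", 17, 3, df=False),
        build_frame("10.0.0.5", "10.0.0.9", 1, 64, bad_checksum=True),
    ]))


def filter_pcap(data: bytes, expression: str) -> list:
    """Return the Wireshark-style packet numbers (from 1) of frames matching the display filter."""
    return [n for n, frame in enumerate(pcap_records(data), 1) if matches(dissect(frame), expression)]


if __name__ == "__main__":
    for expr in ("ip.addr == 10.0.0.5", "ip.ttl < 64", "ip.checksum_bad == true"):
        print(expr, "->", filter_pcap(SAMPLE_PCAP, expr))
```

Note the checksum trick: running the one's-complement sum over the whole header, checksum field included, yields 0 for a valid header, which is exactly how ip.checksum_bad is derived; a bit flipped anywhere in the header makes packet 4 show up under ip.checksum_bad == true.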
Supporting Programs TShark A command-line version of Wireshark Editcap Used to remove packets from a file and to translate the format of capture files Mergecap Merges capture files together Text2pcap Reads a hex dump as text and converts it to a capture file
Placement of the Sniffer is Critical
To be successful! You must also wear many hats!
Optimizing your Protocol Analyzer Have a fast enough PC: CPU, memory, disk space Match the NIC speed/duplex with the source of the traffic being gathered Strip the extras down; failure to do so may result in lost (dropped) packets: Don't update the list of packets in real time No name resolution Dump first using tcpdump/WinDump or TShark, then load the file into Wireshark
Using Wireshark The basics
- Menu bar - Tool bar - Summary window - Protocol Tree window - Data View window - Filter bar - Information field - Display information Wireshark Main Window
Example What does this summary info tell us?
Protocol window example Example What does this protocol info tell us?
Good place to find passwords and usernames! Data View Window
Cont. Filter bar Used to build display filters Will not accept an invalid display filter (the bar turns red) The filter is not applied until you click Apply! Information field (bottom of capture) Displays capture filename and size Display information field P = Total packets D = Displayed M = Marked
File menu Example
Save Options There are several save options Captured Displayed Range
Save Options - NOTE Note that when you save a filtered capture, you strip off all other packets in the newly saved capture file Make sure you do not need these packets!
Wireshark Name Resolution Three modes MAC name resolution Uses OUI (vendor) names Identified by the first 3 bytes (first 6 hex digits) of the MAC address Network name resolution i.e. DNS name resolution (generates extra DNS traffic and slows the capture) Transport name resolution Translates port numbers to service names
Note that many file types are available Save as Dialogue Box
You can print in plain text, post-script or output to a file Print Dialog
Printing Options The summary line All packets Marked packets Packets from x to y All or partial detail
The Edit Menu
Find Packet Allows a search by filter, hex or string value Uses same filters as display filters Can search by HEX characters (good for MAC addresses) String search useful for usernames, etc Ability to search up or down Case sensitive or insensitive
Time Reference Toggle Allows you to calculate intra-packet times based on packets you select How long did client B take to respond to client A?
Allows you to customize Wireshark to your personal liking or needs Preferences
There is a lot of customizable information on the viewing capabilities of Wireshark The View Menu
Time Display Information Time stamps come from the LOCAL system clock Very important to synchronize clocks (e.g., via NTP) when doing simultaneous captures on two platforms Wireshark can display time since the first captured packet or delta time since the previous packet Automatically scroll the live capture Useful when you need to watch the packet flow, but can slow the capture process
Color Filters Useful for the color-blind Allows you to change the color of protocols, errors, etc.
Example A color coded display can help you troubleshoot
Example Show packet in new window Allows you to zero in on a single packet
Capture Menu You can capture on any single interface on your Wireshark PC * The packet count and packets per second displayed in the Capture Interfaces dialog box are not the totals seen by the interfaces, but the count and rate seen by each interface since the Capture Interfaces dialog box was opened
Characteristics Tab
Statistics Tab
Protocol (Ethernet) Tab
Capture Options How To display? What Is captured? Where To store? When To capture?
Example What interface? Buffer size? Promiscuous? Capture filter? Where to save? Use multiple Files? How many? When to stop?
Buffers Buffer size vs. Capture size Buffer size is dependent upon RAM Capture size is dependent upon hard drive size Too large a buffer can slow the capture process and cause data loss; too small will not give the HDD time to write the data Defaults are best!
Capture Options You can stop a capture based on: Capture a number of packets and stop Capture for a period of time and stop Capture a number of kilobytes and then stop
Capture Dialog Box
Capture Filters Capture filter list Name the filter Create the filter
Capture Filters vs. Display Filters Capture filters are applied before/during the capture (BPF syntax, the same as tcpdump) to narrow what is gathered and written to disk Display filters are applied after the capture (Wireshark's own syntax) to choose what is shown Capture and display filters use different syntax: Capture = tcp port 80 (or tcp port http) Display = tcp.port == 80 (or simply http) Both select HTTP traffic, but only the capture filter discards the rest for good; a display filter merely hides it and the full capture remains in the file
There are literally thousands of capture options available and the good news is most have already been written for you. Filter Expressions
Example Operators include: == != > < >= <= Select operator
Example Note that the value will change depending upon the protocol chosen Select value
Display Filter Dialog Box Filter Name Filter String
To enable or not to enable? Disabling protocols may make your sniffer run faster (maybe) Enabling Protocols
Decoding Decode As Not used very often; best not to override the defaults Forces Wireshark to decode a protocol the way you decide, e.g. when a known protocol is running on a non-standard port
Following Streams Following a TCP or SSL stream Very useful for following a conversation, but you only see readable content if the data is sent in the clear (telnet, SMTP, FTP, HTTP, etc.) Follow SSL Stream shows plaintext only when Wireshark has been given the keys (the server's RSA private key or a session key log file in the SSL preferences)
SMTP follow TCP stream example
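As an added example (not code from the lecture or from Wireshark) of what "Follow TCP Stream" does before it shows you the SMTP exchange: the client-to-server segments are put back in sequence-number order, retransmitted and overlapping bytes are dropped, a hole is marked where a segment was not captured, and the resulting stream is scanned for an AUTH LOGIN exchange whose base64-encoded username and password are then decoded. The segments are constructed (src, dst, seq, payload) tuples standing in for values a dissector would take from the TCP headers; the hosts, ports and credentials are made up.

```python
"""Reassemble one direction of a TCP conversation and pull plaintext SMTP AUTH LOGIN
credentials out of it, the way 'Follow TCP Stream' exposes them.

Added example, not code from the lecture or from Wireshark. Segments are constructed tuples.
"""
import base64


def reassemble(segments, client, server) -> bytes:
    """Order client->server segments by sequence number; drop retransmitted/overlapping bytes."""
    direction = sorted((seq, data) for src, dst, seq, data in segments
                       if src == client and dst == server)
    stream, expected = bytearray(), None
    for seq, data in direction:
        if expected is None:
            expected = seq
        if seq + len(data) <= expected:          # pure retransmission: already have these bytes
            continue
        if seq < expected:                       # partial overlap: keep only the new tail
            data, seq = data[expected - seq:], expected
        if seq > expected:                       # hole: a segment was not captured (or was dropped)
            stream += b"[missing %d bytes]" % (seq - expected)
        stream += data
        expected = seq + len(data)
    return bytes(stream)


def smtp_auth_login(stream: bytes):
    """Return (username, password) from an AUTH LOGIN exchange, or None if absent or undecodable."""
    lines = stream.split(b"\r\n")
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != b"AUTH" or parts[1].upper() != b"LOGIN":
            continue
        # Username may be sent inline ("AUTH LOGIN <b64user>") or on the next line.
        encoded = parts[2:3] + lines[i + 1:i + 3]
        try:
            user, password = (base64.b64decode(e, validate=True).decode() for e in encoded[:2])
        except (ValueError, IndexError):
            return None
        return user, password
    return None


CLIENT, SERVER = ("10.0.0.5", 51000), ("10.0.0.25", 25)

# Constructed segments (not a real capture): out-of-order arrival and one retransmission included.
SAMPLE_SEGMENTS = [
    (SERVER, CLIENT, 9000, b"220 mail.example.test ESMTP\r\n"),
    (CLIENT, SERVER, 1000, b"EHLO laptop\r\n"),
    (CLIENT, SERVER, 1025, b"dXNlcg==\r\n"),            # arrives before the AUTH LOGIN line
    (CLIENT, SERVER, 1013, b"AUTH LOGIN\r\n"),
    (SERVER, CLIENT, 9029, b"334 VXNlcm5hbWU6\r\n"),
    (CLIENT, SERVER, 1013, b"AUTH LOGIN\r\n"),          # retransmission of the same segment
    (CLIENT, SERVER, 1035, b"cGFzc3dvcmQxMjM=\r\n"),
]


def credentials_from_capture(segments, client, server):
    """Follow the client->server stream and return the decoded (username, password) or None."""
    return smtp_auth_login(reassemble(segments, client, server))


if __name__ == "__main__":
    print(reassemble(SAMPLE_SEGMENTS, CLIENT, SERVER).decode())
    print(credentials_from_capture(SAMPLE_SEGMENTS, CLIENT, SERVER))
```

The base64 step is the point of the exercise: AUTH LOGIN is encoding, not encryption, so anyone who can follow the stream has the password. The same reassembly applies to any cleartext protocol; only the credential extractor changes.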
Statistics Menu The statistics menu Provides many useful traffic statistics
Statistics Menu Options
Capture Summary Dialogue Box Gives a great quick summary of the capture statistics
Gives statistics broken down by each protocol Protocol Hierarchy Statistics
TCP Stream Graph
TCP Stream Graph Options
Troubleshooting with a sniffer (whether via graphs or data) becomes a piece of cake, but only once you know what a normal capture of your own network looks like: establish a baseline first, then hunt for the differences.