Packet Analysis 20190526 · 2019-05-27
Packet Capture & Analysis
Why do we need to capture packets &
How is it relevant to security?
tcpdump
• tcpdump is a command line utility to capture and analyze network packets
  – From the man page:
tcpdump
• tcpdump by default captures packets and prints them out
  – -n: don't translate numbers to names (bypass the default)
  – -i: interface to listen on
tcpdump -n -i en0 port 53
(The screenshot shows the output of this command, annotated as DNS queries and DNS responses.)
tcpdump
• With the -w flag you can write packets to a file for later analysis
  – -w: write to a file (test_capture.pcap)
  – -c: packet count
tcpdump -n -i en0 -w test_capture.pcap -c 100
tcpdump
• You can read packets from a file with the -r flag
  – -r: read from a file (test_capture.pcap)
  – port: only read packets that match the port number
tcpdump -r test_capture.pcap port 443
Examples
• Packets to or from a host:
tcpdump -ni en0 host 10.10.10.10
• Packets from:
tcpdump -ni en0 src 10.10.10.10
• Packets to:
tcpdump -ni en0 dst 10.10.10.10
• Packets based on a protocol:
tcpdump -ni en0 tcp
Capture filters
• Only capture TCP packets with the SYN flag set:
tcpdump -ni en0 'tcp[13]==2'
• Capture ICMPv6 packets that are ONLY neighbor solicitations:
tcpdump -ni en0 'icmp6 and ip6[40] == 135'
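To make the byte offsets in these two filters concrete, here is an added Python example (not from the slides) that builds constructed TCP and IPv6/ICMPv6 headers and evaluates the filters the way the packet-level expressions do; the function names are my own. It also shows why `tcp[13]==2` excludes SYN/ACK, whose byte 13 is 0x12.

```python
import struct

# Flag bits of TCP header byte 13 (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10).
SYN, ACK = 0x02, 0x10


def tcp_flags(tcp_header: bytes) -> int:
    """'tcp[13]' in tcpdump syntax: byte 13 of the TCP header, where the flag bits live."""
    return tcp_header[13]


def bpf_syn_only(tcp_header: bytes) -> bool:
    """Equivalent of the slide's 'tcp[13]==2': only SYN set (a SYN/ACK is 0x12, so it is excluded)."""
    return tcp_flags(tcp_header) == SYN


def bpf_syn_set(tcp_header: bytes) -> bool:
    """Equivalent of 'tcp[13] & 2 != 0': SYN set with or without other flags (SYN/ACK matches too)."""
    return tcp_flags(tcp_header) & SYN != 0


def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: ports, seq, ack, data offset (5 words) + flags, window, csum, urg."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def make_ipv6_icmp6(icmp_type: int) -> bytes:
    """Constructed IPv6 packet with next header 58 (ICMPv6) and no extension headers,
    so the ICMPv6 Type field sits at byte 40, which is what 'ip6[40]' reads."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4  # type, code, checksum, reserved
    # version/tc/flow, payload length, next header, hop limit, then zeroed src and dst addresses
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255) + b"\x00" * 32
    return ip6 + icmp


def bpf_icmp6_ns(pkt: bytes) -> bool:
    """Equivalent of 'icmp6 and ip6[40] == 135': next header is ICMPv6 and the type is Neighbor Solicitation."""
    return pkt[6] == 58 and pkt[40] == 135
```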
Reading tcpdump Output
• UDP packets:
(The screenshot of a DNS exchange is annotated field by field: timestamp, source IP, source port, destination IP, destination port, query ID, DNS query, query size, and "2 answers" in the response.)
Reading tcpdump Output
• TCP packets:
  – Seen a "connection refused" error?
  – You sent SYN, but the server responded with a RST packet!
(Screenshot annotations: P = PUSH, . = ACK; Length = 531-1 and Length = 1959-531, i.e. the payload length is the width of the seq range.)
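As an added example that is not part of the slide deck, the following Python parses constructed `tcpdump -n` lines in the two formats these two slides explain (DNS over UDP, and TCP with flag letters and seq ranges), checks that the payload length equals the width of the seq range, and flags a SYN answered by RST as a refused connection; the sample lines and function names are my own.

```python
import re

# Constructed sample lines in "tcpdump -n" format, not taken from the slides' screenshots.
SAMPLE = """\
21:03:11.123456 IP 10.0.0.5.51234 > 10.0.0.1.53: 41216+ A? example.com. (29)
21:03:11.130001 IP 10.0.0.1.53 > 10.0.0.5.51234: 41216 2/0/0 A 93.184.216.34, A 93.184.216.35 (61)
21:03:12.000100 IP 10.0.0.5.40000 > 10.0.0.9.8080: Flags [S], seq 1000, win 65535, length 0
21:03:12.000300 IP 10.0.0.9.8080 > 10.0.0.5.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
21:03:13.500000 IP 10.0.0.5.40001 > 10.0.0.9.443: Flags [P.], seq 1:531, ack 1, win 2048, length 530
21:03:13.500900 IP 10.0.0.5.40001 > 10.0.0.9.443: Flags [P.], seq 531:1959, ack 1, win 2048, length 1428
"""
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PUSH", "R": "RST", "F": "FIN"}
HEAD = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")      # timestamp, src.port > dst.port
DNS_Q = re.compile(r"^(\d+)\+? (\w+)\? (\S+) \((\d+)\)$")               # query id, type, name, size
DNS_R = re.compile(r"^(\d+)\*? (\d+)/(\d+)/(\d+) .*\((\d+)\)$")         # query id, an/ns/ar counts, size
TCP = re.compile(r"^Flags \[([^\]]*)\], seq (\d+)(?::(\d+))?.*length (\d+)$")

def parse_line(line):
    """Turn one tcpdump line into a dict; None for lines in a format not handled here."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, rest = m.groups()
    rec = {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "kind": "other"}
    if q := DNS_Q.match(rest):      # "41216+ A? example.com. (29)"; '+' means recursion desired
        rec.update(kind="dns_query", qid=int(q[1]), qtype=q[2], name=q[3], size=int(q[4]))
    elif r := DNS_R.match(rest):    # "41216 2/0/0 ..."; first count is the number of answers
        rec.update(kind="dns_reply", qid=int(r[1]), answers=int(r[2]), size=int(r[5]))
    elif t := TCP.match(rest):      # "Flags [P.], seq 1:531, ..., length 530"
        start, end = int(t[2]), (int(t[3]) if t[3] else None)
        rec.update(kind="tcp", flags=[FLAG_NAMES.get(c, c) for c in t[1]],
                   seq=start, seq_end=end, length=int(t[4]))
        # Payload length is the width of the seq range, e.g. 531-1 = 530 on the slide.
        rec["seq_len_ok"] = end is None or end - start == rec["length"]
    return rec

def analyse(text):
    """Parse every line of tcpdump output, skipping lines that do not match."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]

def find_refused(records):
    """(client, server) pairs where a bare SYN was answered with RST: a 'connection refused'."""
    pending, refused = set(), []
    for r in (x for x in records if x["kind"] == "tcp"):
        if r["flags"] == ["SYN"]:
            pending.add((r["src"], r["sport"], r["dst"], r["dport"]))
        elif "RST" in r["flags"] and (r["dst"], r["dport"], r["src"], r["sport"]) in pending:
            refused.append((f"{r['dst']}:{r['dport']}", f"{r['src']}:{r['sport']}"))
    return refused
```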
Wireshark
• Wireshark is a graphical network packet/protocol analyzer
Why Wireshark?
• Network Admins use it:
  – to troubleshoot network problems
• Security Engineers use it:
  – to examine security problems
• Developers use it:
  – to debug protocol implementations
• People use it:
  – to learn network protocol internals
What Wireshark isn't
• Not an intrusion detection system
  – Won't alert on strange things in your network
• Will only "read" packets
  – will not manipulate packets on the network
How to Install
• Straightforward
  – Download
    • https://www.wireshark.org/download.html
  – Install
    • Just double-click and follow the instructions
Capture Packets
(Screenshot annotations: the interface to capture on, and the Capture button.)
Capture Packets
• The interface is put in promiscuous mode by default
Dashboard
(Screenshot annotations: menu, captured packets, raw data.)
Filters
• Capture filter
  – Only capture packets that match the expression
    • https://wiki.wireshark.org/CaptureFilters
Filters
• Display filter
  – Look for specifics: ports, protocols, etc.
• Helps drill down to traffic of interest
• >3000 protocols & ~250K fields (https://www.wireshark.org/docs/dfref/)
Protocol Streams
• Wireshark allows you to follow protocol streams
  – As seen by the application layer
• Ex: maybe you want to see a password in a telnet stream
Protocol Streams
Statistics menu
• What protocols are used in your network?
  Statistics -> Protocol Hierarchy
Statistics menu
• Which host is consuming your bandwidth?
  Statistics -> Conversations
Need CLI?
• Where you don't have a user interface
  – tshark is the terminal version of Wireshark
• Has all the options of Wireshark
  – https://www.wireshark.org/docs/man-pages/tshark.html
Exercise
• Install Wireshark on your PC
  – https://www.wireshark.org/download.html
• Run Wireshark
  – Capture inbound/outbound traffic on your wireless NIC
• Download the pcap files from the lab wiki
  – Follow the lab guide in this slide deck
Exercise 1: Telnet
• File
  – telnet.pcap
• Question
  – Reconstruct the telnet session
• Q1: Who logged into 192.168.0.1?
  – Username __________, Password __________ .
• Q2: After logging in, what did the user do?
Exercise 2: Massive TCP SYN
• File
  – SYN1.pcap and SYN2.pcap
• Question
  – Point out the difference between them
• Q1: SYN1.pcap is a _________ attempt.
• Q2: SYN2.pcap is a _________ attempt.
• Tip
  – Pay attention to Src IP
Exercise 3: Employee gossip
• File
  – chat.dmp
• Question
  – Q1: What kind of protocol is used? _______
  – Q2: This is a conversation between [email protected] and [email protected]
  – Q3: What do they say about the Sys Admin?
• Tip
  – Use secure chat
Ex 4: Suspicious FTP activity
• File
  – ftp.pcap
• Question
  – Q1: What is the FTP server IP? ______ .
  – Q2: What is the client IP? ______ .
  – Q3: What is FTP Error Code 530? __________ .
  – Q4: What is 10.234.125.254 doing? ________.
• Tip
  – How many login errors occur within a minute?
Exercise 5: Unidentified Traffic
• File
  – foobar.pcap
• Question
  – Q1: See what's going on with the Wireshark GUI
    Statistics -> Conversation
  – Q2: Which application uses TCP/6346?
    • Check the web.
Exercise 6: Covert channel
• File
  – covertinfo.pcap
• Question
  – Take a closer look! This is not a typical ICMP Echo/Reply…
  – Q1: What kind of tool do they use?
    • Check the web.
  – Q2: What other applications tunnel user traffic?
Exercise 7: SIP
• File
  – sip_chat.pcap
• Questions:
  – Q1: Can we listen to SIP voice?
  – Q2: How can we listen using Wireshark?
• Tip:
  – Use SIPS/SRTP