ECSAv4 Module 04 Advanced Sniffing Techniques NoRestriction - 2 PDF

Advanced P Penetration t ti T Testing ti and Security Analysis
Module 4 Advanced Sniffing Techniques

Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Copyright 2004 EC-Council. All rights reserved worldwide.
EC-Council
Module Objective
This module will familiarize you with:

Wireshark h k Filters IP Display Filters:
Tshark Editcap Mergecap Text2pcap
Using Wireshark h k for f Network k Troubleshooting bl h Network Troubleshooting Methodology Scanning Techniques
EC-Council
What is Wireshark?
Wireshark is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format.
Features of Wireshark include:

It is a distributed GPL. It is available for UNIX and WINDOWS. promiscuous and non-promiscuous p modes. It works in p It can capture data from the network or read from a capture file. It supports tcpdump format capture filters. It can read capture files from over 25 different products. It can filter and search the packets. packets
EC-Council
Wireshark: Screenshot
EC-Council
Wireshark: Filters
Filtering packets helps you find a desired packet without sifting through all of them. Wireshark has the ability to use both capture and display filters. The capture filter syntax follows the same syntax that tcpdump uses from f th libpcap the lib lib library. It is used on the command line or in the Capture Filter dialog box to capture certain types of traffic. traffic Display filters provide a powerful syntax to sort traffic that is already captured. captured
EC-Council
IP Display Filters
EC-Council
IP Display Filters (contd)
EC-Council
IP Display Filters (contd)
EC-Council
Example
To see j just HTTP request q packets p (e.g., ( g , GET POST, , HEAD, and so on) ) type: yp http.request Filter fields can also be compared p against g values such as http.request.method==GET to see only HTTP GET requests. The comparison operators can be expressed using the following abbreviations and symbols: Abbreviations
Equal: Not equal: Greater than Less Than Greater than or equal to Less than or equal to
Symbols 1
eq ne gt lt ge le
Symbols 2
== ne > < >= <=
EC-Council
Wireshark: Tshark
Tshark is the command-line version of Wireshark, which can be used to capture live packets from the wire or to read saved capture files. files By default, Tshark prints the summary line information to the screen. This is the same information contained in the top pane of the Wireshark GUI.
TCP 1320 > telnet [SYN] 1.199008 192.168.100.132 -> 1320 > telnet t l t [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0 1.199246 192.168.100.132 -> 192.168.100.122 Seq=1102938967 Ack=0 Win=16384 Len=0 1.202244 192.168.100.122 -> 192.168.100.132 TCP telnet ACK] Seq=3275138168 Ack=1102938968 Win=49640 Len=0 1.202268 192.168.100.132 -> 192.168.100.122 TCP 1320 > Seq=1102938968 Ack=3275138169 Win=17520 Len=0 1.202349 192.168.100.132 -> 192.168.100.122 TCP 1320 > Seq=1102938968 Ack=3275138169 Win=17520 Len=0 192.168.100.122 TCP
> 1320 [SYN telnet [ACK] telnet [ACK]
EC-Council
Wireshark: Tcpdump
Tcpdump is a command line computer network debugging tool.
It is used as a substitute to Wireshark while capturing the packets at remote occasions. For ensuring the capture of the complete packet, use the following command line:
tcpdump -i <interface> -s 1500 -w <some-file> ^C command is necessary to terminate the packet capture
EC-Council
Wireshark: Capinfos
Capinfos is a utility of Wireshark used for printing information about binary capture files.
$ Capinfos -h Capinfos Prints information about capture files. Usage: capinfos[-t][-c][-s][-d][-u][-a][-e][-y][-i][-z][-h] <capfile> where -t display the capture type of <capfile> -c c count the number of packets -s display the size of the file -d display the total length of all packets in the file(in bytes) -u display the capture duration (in seconds) -a display the capture start time -e display the capture end time -y display average data rate (in bytes) -i display average data rate (in bits) -z display average packet size (in bytes) -h h produces d this hi help h l listing. li i If no data flags are given, default is to display all statistics
EC-Council
Wireshark: Idl2wrs
Idl2wrs is the command line tool that is used for creating dissectors from CORBA IDL files where these IDL files are user specified.
It parses the data struct and generates get CDR xxx calls for decoding CORBA traffic.
Prerequisites for Idl2wrs are Python and omniidl.
EC-Council
Conversion of CORBA IDL File to Wireshark Dissector

1. Writing C code to stdout
idl2wrs <your file.idl> E.g.: idl2wrs echo.idl
2 For writing to a file, 2. file redirect the output. output

idl2wrs echo.idl > packet-test-idl.c
3 Use shell script wrapper; if not, 3. not go to step 4 or step 5. 5 4. Writing C code to stdout
Usage: omniidl iidl -p ./ / -b b wireshark_be i h k b <your file.idl> fil idl E.g. omniidl -p ./ -b wireshark_be echo.idl
5. For writing to a file, redirect the output.

omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c EC-Council
Conversion of CORBA IDL File to Wireshark Dissector (cont (contd) d)

6. Copy the resultant C code to Wireshark src directory. directory
7. Edit two files to include the p 7 packet-test-idl.c
cp packet-test-idl.c /dir/where/wireshark/lives/ edit Makefile.am edit dit Makefile.nmake M k fil k
8. Run the configure option.

./configure (or ./autogen.sh)
9. Code should be compiled.

EC-Council
Wireshark: Dumpcap
Dumpcap is a command line tool used for capturing data from the live network k and d copying i those h packets k to a file. fil
Capture interface: -i <interface> name or idx of interface (def: first l loopback) b k) -f <capture filter> packet filter in libpcap filter syntax -s <snaplen> packet snapshot length (def: 65535) -p don't capture in promiscuous mode -B B <buffer size> size of kernel buffer (def: 1MB) -y <link type> link layer type (def: first appropriate) -D print list of interfaces and exit -L print list of link-layer types of iface and exit none
Stop conditions: -c <packet count> stop after n packets (def: infinite) -a <autostop cond.> ... duration:NUM - stop after NUM seconds filesize:NUM - stop this file after NUM KB files:NUM - stop after NUM files
EC-Council
Wireshark: Dumpcap (cont d) (contd)

Output (files): -w <filename> name of file to save (def: tempfile) -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs filesize:NUM - switch to next file after NUM KB files:NUM - ringbuffer: replace after NUM files Miscellaneous: -v print version information and exit -h display this help and exit Ctrl-C Ctrl C to stop capturing at any time
EC-Council
Wireshark: Editcap
Editcap p is used to remove p packets from a file and to translate the format of capture files.
It is I i similar i il to the h Save S A feature. As f Editcap can read d all ll of f the h same types of f files that Wireshark can, and writes to the libpcap format by default.
C:\Program C \ Files\Wireshark>editcap il \ i h k di -r -v -F snoop capture capture_snoop 1-5 File capture is a libpcap (tcpdump Wireshark etc.) capture file Add_Selected: 1-5 I l i Inclusive ... 1 5 Record: 1 Record: 2 R Record: d 3
EC-Council
Wireshark: Mergecap
Mergecap is used to combine multiple saved capture files into a single output file. It can read all of the same types of files that Wireshark can and writes to the libpcap format by default.
C:\Program Files\Wireshark>mergecap -v -F snoop -w merge_snoop capture1 capture2 capture3 capture4 mergecap: capture1 is type libpcap (tcpdump Wireshark etc.) mergecap: capture2 is type libpcap (tcpdump Wireshark etc.)
EC-Council
Wireshark: Text2pcap
Text2pcap reads in ASCII hexdump captures and writes the data into a libpcap output file. It is capable of reading hexdumps containing multiple packets and building a capture file of multiple packets. It can also read hexdumps of application-level data by inserting dummy Ethernet IP and User Datagram Protocol (UDP) or TCP headers.
C:\Program Files\Wireshark>text2pcap hex_sample.txt libpcap_output Input from: hex_sample.txt O t t to: Output t lib libpcap_output t t Wrote packet of 168 bytes at 0 Read 1 potential packets wrote 1 packets
EC-Council
Upgrading Wireshark
The latest version of Wireshark is 0.99.8 0 99 8
Below is the recommended upgrading process for Wireshark:

HTTP, , DCP ETSI, , SSL, , DHCP/BOOTP, , and MMS dissectors should be disabled. Select Analyze. Check Enabled Protocols from the menu. Ensure ANSI MAP, MAP BTSDP BTSDP, DCP (ETSI), (ETSI) DNP 3.0, FB/IPB GDS DB, HTTP, MEGACO, NCP, PPP, SSL are un-checked. Click Save. Click OK.
EC-Council
Protocol Dissection
A protocol dissector is a dissector that allows Wireshark to break down the protocols l into i small ll sections i so as to analyze l them. h Wireshark uses various dissectors for analyzing y g different p protocols.
It provides searching and filtering of the file at a time.
EC-Council
Protocol Dissection (cont d) (contd)
EC-Council
Steps to Solve GNU/ Linux Server Network Connectivity Issues

Ensure the use of ping and traceroute command. Ch k for Check f default d f l route / gateway IP. Look for the IP address, , network cables, and power supply. Check for firewall logs and ensure that correct ports are connected. d Perform a network analysis.
EC-Council
Using Wireshark for Network Troubleshooting

A good approach to network troubleshooting involves the following seven steps:
Recognize the symptoms. Define the problem. Analyze A l th the problem. bl Isolate the problem. Identify and test the cause of the problem. Solve the problem. Verify that the problem has been solved.
1 2 3 4 5 6 7
EC-Council
Network Troubleshooting Methodology
EC-Council
Using Wireshark for System Administration

Th basics The b i of f the h ARP are:
When a system needs to communicate with another system on the same subnet, and has an IP address for that system y but not a MAC address, an ARP request is broadcast onto the Ethernet segment. (e.g., a network with hosts 192.168.1.1 and 192.168.1.2 having MAC addresses 00:01:02:03:04:05 and 06:07:08:09:0a:0b) and issues the following command sequence through ARP:
00:01:02:03:04:05 to ff:ff:ff:ff:ff:ff Who has 192.168.1.2? Tell 192.168.1.1 06:07:08:09:0a:0b to 00:01:02:03:04:05 192.168.1.2 is at 06:07:08:09:0a:0b
EC-Council
ARP Problems
ARP traffic is a necessary precursor to normal network traffic.
Wireshark can be used to check for the presence of this traffic on th network. the t k There are several conditions of ARP that indicate specific problems. bl If there is no ARP traffic from the system on the network, either you are not capturing y p g the traffic correctly y or there are driver or OS issues preventing network communication. If the system is issuing ARP requests but there is no response from the host, host it may not be on the network. network
EC-Council
ICMP Echo Request/Reply Header Layout

The type ICMP protocol field, which is a 1-byte field at the very beginning of the ICMP protocol header, p , indicates the type yp of ICMP p packet. If the type field is 8, the packet is an ICMP echo (ping) request. If the type field is 0, the packet is an ICMP echo (ping) reply. This capture filter tests for packets that are either ICMP ping requests or ICMP ping replies by retrieving the first byte:
icmp[0] == 8 or icmp[0] == 0
EC-Council
TCP Flags
The TCP flags Th fl fi ld is field i a bit field, fi ld which hi h is i an integer i t where h th individual the i di id l bits bit are used as separate fields.
For example, the TCP flags field is an 8-bit integer field, but the bits in that integer represent independent fields that are either true or false (or 1 or 0).
EC-Council
TCP SYN Packet Flags Bit Field

The TCP flags field can have a multiple bits set. set In this case, , only y the tcp tcp-syn sy b bit is set; ; therefore, , the value 002 can be tested, which is the value of tcp-syn:
tcp[tcpflag] == 0x02 or: tcp[tcpflag] == tcp-syn
EC-Council
TCP SYN Packet Flags Bit Field (cont d) (contd)

In this packet TCP handshake (a Synchronize (SYN)/Acknowledge (ACK) packet), b th th both the t tcp-syn and d tcp-ack t k bits bit are set. t To write a filter to test for the SYN bit, use the bitwise and operator to mask out all of the bits except for the SYN bit. tcp[tcpflag] & tcp-syn == 0x02 or tcp[tcpflag] & tcp-syn tcp syn == tcp-syn tcp syn
EC-Council
Capture Filter: Examples
EC-Council
Scenario 1: SYN no SYN+ACK

If your Wireshark capture shows that the client is sending a SYN packet, b t no response is but i received i d from f th server, the the th server is i not t processing i the packet. It could be that a firewall between the two hosts is blocking the packet, packet or that the server itself has a firewall running on it.
EC-Council
Scenario 2: SYN Immediate Response RST

If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port.
Make sure that your application is bound to the correct port on the correct IP address.
EC-Council
Scenario 3: SYN SYN+ACK ACK

If your Wireshark capture shows that the TCP connection is established and that it i immediately di t l closes, l th destination the d ti ti server may be b rejecting j ti the th clients li t IP address dd due to security restrictions. On UNIX systems, y , check the tcpwrappers p pp file at etc/hosts.allow / and /etc/hosts.deny and verify that you havent inadvertently blocked communication.
Connection Closed
EC-Council
Tapping into the Network

Wiresharks TAP system is a dominant and flexible process for providing event driven notification for packets matching certain protocols.
Tapping system is divided into two parts:

Code in the actual dissectors to allow tapping of data. Event driven code that registers a tap listener and processes received packets of data.
Wire tapping is the process of tapping the wired network t k using i sniffers. iff
Wireless tapping pp g requires q specifications p such as signal g strength and different wireless management packets.
EC-Council
Tapping into the Network (cont (contd) d)

Tapping into a hubbed network:
A hubbed network provides information on each data packet to the packet analyst. This network provides slow network traffic with low bandwidth, and is rarely used.
Tapping into a switched network:

A switched network limits tapping to the port on which the sniffer is plugged in. This network captures the traffic from a targeted device by Port mirroring, ARP cache poisoning, and hubbing out. out
EC-Council
Using Wireshark for Security Administration

One of the most popular and useful Wireshark features is packet reassembly, which allows us to see the contents of exchanged data. For protocols such as Telnet and FTP, Wireshark clearly displays the username sername and password pass ord for the connection, connection without itho t any an reassembly. For unknown, custom, or otherwise obscure protocols, packet reassembly bl can be b used. d To use reassembly, capture the traffic through Wireshark or another tool and then load the capture file into Wireshark and right click on any packet in the connection. Select the Follow TCP Stream option.
EC-Council
Detecting Internet Relay Chat Activity

Besides the policy implications of chat rooms, IRC is frequented by hackers and used as a command and control mechanism. mechanism IRC normally uses TCP port 6667. If you set Wireshark to detect traffic with destination port 6667, you will see IRC traffic that looks like the following:
Local client to IRC server port 6667: USER username localsystem.example.com irc.example.net :gaim Remote IRC server to local client: NOTICE AUTH :*** Looking g up p y your hostname... Local client to IRC server port 6667: NICK clever-nick-name Remote IRC server to local client: NOTICE AUTH :*** Checking identNOTICE AUTH :*** Found your hostname
EC-Council
Wireshark as a Detector for Proprietary Information Transmission

If your company marks its confidential and proprietary information with a consistent phrase, there is no reason you cannot use Wireshark to detect the transmission of information.
You can use Wireshark to capture all outbound traffic on a span port and then use Wiresharks Find Packet function.
EC-Council
Sniffer Detection
When the interface is placed into promiscuous mode, the PROMISC k keyword d appears in i the h attributes ib section, i as shown h i the in h example l below: b l
EC-Council
Wireless Sniffing with Wireshark

Wireshark has sophisticated p wireless p protocol analysis y support pp to help p administrators troubleshoot wireless networks. It can capture p traffic from the air and decode it into a format that helps p administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems. You will need to purchase and install AirPcap to be able to sniff Wireless traffic.
EC-Council
AirPcap
CACE Technologies have introduced a commercial product called AirPcap. A combination bi ti of f a USB IEEE 802.11b/g 802 11b/ adapter d t , supporting ti driver d i software, ft and da client configuration utility. AirPcap provides a simple mechanism to capture wireless traffic in monitor mode on Windows workstations at a reasonable cost.
AirPcap is available at www.cacetech.com
EC-Council
AirPcap (contd)
If y you want to analyze y the traffic for a specific p wireless AP or station, you must identify the channel or frequency used by the target device, and configure your wireless card to use the same channel before initiating your packet capture.
This is because wireless cards can only operate on a single frequency at any given time.
If you want to capture traffic from multiple channels simultaneously, you would need an additional wireless card for every channel you wanted to monitor.
EC-Council
Frequency
EC-Council
Using Channel Hopping

If you want to capture traffic for a specific station, station how do you locate the channel number that it is operating on?
One technique is to use the channel hopping command to rapidly scan through all available wireless channels until the appropriate channel number is identified.
Channel hopping will cause you to lose traffic, because you are rapidly switching channels. If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to hear any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.
EC-Council
Interference and Collisions

Another challenge of sniffing wireless networks is the risk of interference and lost packets. Unlike an Ethernet network that can transmit and monitor the network simultaneously, wireless cards can only receive or transmit asynchronously.
Wireless networks must take special precautions to prevent multiple stations f from t transmitting itti at t the th same time. ti
While these collision collision-avoidance avoidance mechanisms work well, it is still possible to experience collisions between multiple transmitters on the same channel, or to experience collisions with wireless local area networks (LANs) and other devices using the same frequency (for example, cordless phones, baby monitors, microwave ovens, ovens and so on). on) EC-Council
Recommendations for Sniffing Wireless Traffic

Locate the capture p station near the source:
When initiating a packet capture, locate the capture station close to the source of the wireless activity you are interested in (i.e., an AP or a wireless station).
Disable other nearby transmitters:

To achieve a more accurate packet capture, disable any built-in wireless transmitters on the capture station.
Reduce CPU utilization while capturing:

If y your host experiences p excessive CPU utilization during g a packet p capture, p , you may experience packet loss in the wireless capture (e.g., it is not a good idea to burn a DVD while capturing wireless traffic).
Match channel selection EC-Council

Analyzing Wireless Traffic
EC-Council
Analyzing Wireless Traffic (cont d) (contd)
EC-Council
IEEE 802.11 Header
Following the frame statistics data, Wireshark starts to dissect the protocol information for the selected packet.
The IEEE 802.11 header is fairly complex; unlike a standard Ethernet header, it is between 24 and 30 bytes (compared to the standard Ethernet header of 14 bytes), has th three or four f addresses dd ( (compared d to t Ethernets Eth t two t addresses), dd ) and d has h many more fields to specify various pieces of information pertinent to wireless networks. Wireless frames can have additional protocols appended to the end of the IEEE 802.11 header, including encryption options, Quality of Service (QoS) options, and embedded protocol identifiers (IEEE 802.2 header), all before actually getting any data to represent the upper-layer Network layer protocols.
EC-Council
IEEE 802.11 Header Fields
EC-Council
IEEE 802.11 Header Fields (cont d) (contd)
EC-Council
Filters
Filter for a station MAC:
With the packet capture open, apply a display filter to display only traffic from the client station using the wlan.sa display field name. Assuming the station MAC address is 00:09:5b:e8:c4:03, the display filter would be applied as: wlan.sa eq 00:09:5b:e8:c4:03
Filter on BSSID:
wlan.bssid lan bssid eq 00:11:92:6e:cf:00 00 11 92 6e cf 00
Filter on SSID:
We can apply a display filter to identify all packets that includes the SSID NOWIRE as shown below: wlan_mgt.tag.interpretation eq "NOWIRE"
EC-Council
Filtering on Source MAC Address and BSSID
EC-Council
Filtering on BSSID
EC-Council
Filter on SSID
EC-Council
Wireless Frame Types Filters
EC-Council
Unencrypted Data Traffic

Another common analysis technique is to identify wireless traffic that is unencrypted. This s may ay be in a an e effort o t to identify de t y misconfigured sco gu ed devices that could be disclosing sensitive information over the wireless network. Most rogue devices are deployed without encryption.
Filters include:
wlan.fc.protected wlan fc protected ne 1 wlan.fc.protected ne 1 and wlan.fc.type eq 2
EC-Council
Unencrypted Data Traffic (cont d) (contd)
EC-Council
Identifying Hidden SSIDs

Many organizations have adopted SSID cloaking, cloaking which prevents their APs from advertising their SSIDs to anyone who asks.
When an AP wants to obscure the SSID of the network, it does not respond when it receives a request for the network name, and it removes the SSID advertisement from beacon frames. Because it is mandatory to include some indicator of the network name (whether legitimate or not) in beacon frames, vendors have adopted different conventions for obscuring the SSID by replacing it with one or more space characters or NULL bytes (one or more 0s) or an SSID with ith a l length th of f0 0. Filter:
In this I hi example, l we see that h the h BSSID of f the h network k is i 00:0b:86:c2:a4:89 b 86 8 wlan.bssid eq 00:0b:86:c2:a4:89 and wlan.fc.type_subtype eq 0
EC-Council
Revealed SSID
EC-Council
Identifying EAP Authentication Failures
Troubleshooting authentication problems on the wireless network can be challenging, and often requires a packet sniffer to determine if the failure is happening on the client or over the network.
Wireshark can assist in identifying EAP authentication h i i failure f il messages.
Filter eap.code eq 4
EC-Council
Identifying the EAP Type
EC-Council
Identifying Key Negotiation Properties

Some EAP methods S th d negotiate ti t a Transport T t Layer L S Security it (TLS) tunnel t l before exchanging authentication information to protect weak authentication protocol data.
In order to establish the TLS tunnel, at least one digital certificate is transmitted from the AP to the station.
Filter: il eap and ssl.handshake.type eq 11
EC-Council
EAP Identity Disclosure
EC-Council
Identifying WEP
WEP is the most p prevalent encryption yp mechanism used to p protect wireless networks.
I is It i also l widely id l known k as an insecure i protocol. l
Wireshark uniquely identifies WEP-encrypted WEP encrypted traffic by decoding the 4-byte WEP header that follows the IEEE 802.11 header.
We can identify W id tif WEP traffic t ffi by b identifying id tif i any frames f th t include that i l d the mandatory WEP Initialization Vector (IV).
Filter:
wlan.wep.iv
EC-Council
Identifying WEP (contd)
EC-Council
Identifying TKIP and CCMP

TKIP is the successor to WEP, and is designed to be a software upgrade for hardware built only to support WEP. TKIP was designed to work on legacy WEP hardware, it retained the use of the same underlying encryption protocol, RC4. RC4 is still considered safe for current use; it is no longer an acceptable encryption mechanism for use by U S government agencies. U.S. i Another alternative is to use the CCMP protocol, which uses the Advanced Encryption System (AES) cipher. Like WEP, both TKIP and CCMP use an encryption protocol header that follows the IEEE 802.11 header. This header is modified from the legacy WEP header, allowing us to identify whether TKIP or CCMP are in use, but does not allow us to differentiate TKIP from CCMP. We can only determine that one or the other is currently in use by looking at this header. We can use a display p y filter to identify y this header by y filtering g on the extended IV field:
wlan.tkip.extiv wlan.bssid eq 00:0f:66:e3:e4:03 and wlan.fc.type_subtype eq 8
EC-Council
Identifying TKIP or CCMP Traffic
EC-Council
Identifying IPsec/VPN
Some wireless networks will not use the standard IEEE 802.11 encryption mechanisms, instead opting for an upper-layer encryption mechanism, such as IPsec IPsec.
Wireshark can identify this type of encryption mechanism by applying a display filter for any of the associated IPsec protocols such as the Internet Security Association and Key Management Protocol (ISAKMP), the Encapsulating Security Payload (ESP), or the Authentication Header (AH) protocol.
To identify IPsec traffic, apply a p y filter as follows: display

isakmp or ah or esp
EC-Council
Identifying IPsec/VPN
EC-Council
Decrypting Traffic
One of the challenges of wireless traffic analysis is the ability to inspect the contents of encrypted data frames. Wireshark offers some options to analyze WEP-encrypted data. When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. p In order for Wireshark to decrypt the contents of WEP-encrypted packets, it must be given the appropriate WEP key for the network. Wireshark does not assist you in breaking WEP keys or attacking the WEP protocol. It does not support decrypting TKIP or CCMP packets.
EC-Council
Decrypting Traffic (cont d) (contd)
EC-Council
Scanning
N t Network k scanning i i used is d to t identify id tif available il bl network t k resources.
Also known as discovery or enumeration, network scanning can be used to discover available hosts, ports, or resources on the network.
Once a vulnerable resource is detected, it can be exploited, and the device can be compromised.
Sometimes, an actual intruder is behind the scanning, and sometimes it is a result of worm activity. activity
EC-Council
TCP Connect Scan

TCP connect scan is used to determine which ports are open and listening on a target device.
This type yp of scanning g is the most basic because it completes p the TCP three-way handshake with open ports and immediately closes them. An intruder sends a SYN packet and analyzes the response. A response packet with the Reset (RST) and Acknowledgment (ACK) flags set indicates that the port is closed.
If a SYN/ACK is i received, i d it indicates i di t that th t the th port t is i open and d listening. li t i
The intruder will then respond p with an ACK to complete p the connection followed by an RST/ACK to immediately close the connection.
EC-Council
TCP Connect Scan (contd)
EC-Council

The previous screenshot shows the attacker, 192.168.0.9, sending SYN packets to the t target, t 192.168.0.99 192 168 0 99 Most ports respond with an RST/ACK packet; however, the highlighted packets show the SYN/ACK response and the subsequent ACK followed by the RST/ACK exchange on the domain name system (DNS) port. You will also notice that the intruders source port increases by one for each attempted connection. You can find these by using a filter, such as tcp.flags.syn==1&&tcp.flags.ack==1 or tcp.flags==18 to view packets with the SYN and ACK flags set. p responses p for each p port because several scanning g methods The filter will show multiple were used.
EC-Council
EC-Council
SYN Scan
It is also known as a half-open scan, because a full TCP connection is never completed. It is used to determine which ports are open and listening on a target device. An intruder A i t d sends d a SYN packet k t and d analyzes l th response. If an RST/ACK the / i received, is i d it indicates that the port is closed. If a SYN/ACK is received, it indicates that the port is open and listening. The intruder will then follow with an RST to close the connection. SYN scans are known as stealth scans because few devices will notice or log them.
EC-Council
SYN Scan (contd)
EC-Council
SYN Scan (contd)

The previous figure shows that the attacker, 192.168.0.9, is sending SYN packets to the target, 192 168 0 99 192.168.0.99
Most p ports respond p with an RST/ACK / p packet.
The highlighted packets show the SYN/ACK response and the subsequent RST exchange on the https port. t
You will also notice that the intruder is using somewhat static source ports, 52198 and 52199.
EC-Council
XMAS Scan
The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than the SYN scans.
This XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.
Closed p ports will respond p with an RST/ACK, and open p p ports will drop p the p packet and not respond. This type of scan will not work against systems running Microsoft Windows, Cisco IOS BSDI, IOS, BSDI HP/UX, HP/UX MVS, MVS and d IRIX. They will all respond with RST packets k t , even from open ports.
EC-Council
XMAS Scan (contd)
EC-Council
XMAS Scan (contd)

The p previous figure g shows that the attacker, 192.168.0.9, is sending gp packets to the target, 192.168.0.99, with the FIN, PSH, and URG flags set. Most ports respond with an RST/ACK packet; however, the highlighted packet f the for h sunrpc port never receives a response. This lack of a response p indicates that the p port is open p and has dropped pp the p packet. You will also notice that the intruder is using decoy addresses of 192.168.0.1, 192 168 0 199 and 192.168.0.254 192.168.0.199, 192 168 0 254 You will also notice that the intruder is using somewhat static source ports, 35964 and 35965.
EC-Council
Null Scan
The null scan determines which ports are open by sending packets with invalid flag settings to a target device. It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than the SYN scans. This Null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not p respond. This type of scan will not work against systems running Microsoft Windows, Cisco IOS, BSDI, HP/UX, MVS, and IRIX. Th will They ill all ll respond d with ith RST/ACK packets k t , even from f open ports. t
EC-Council
Null Scan (contd)
EC-Council
Null Scan (contd)

The previous figure shows that the attacker, 192.168.0.9, is sending packets to the t target. t 192.168.0.99 has all flags turned off, as indicated by the empty brackets [ ]. Most ports respond with an RST/ACK packet. The highlighted Th hi hli h d packet k for f the h https h port never receives i a response, thereby h b indicating that the port is open and has dropped the packet. Notice that the intruder is using somewhat static source ports, ports 42294 and 42295. 42295
EC-Council
Remote Access Trojans

Trojans are malicious programs that are often disguised as other programs such as jokes, games, network k utilities, ili i and d sometimes i even the h Trojan j removal program itself.
Trojans are often used to distribute backdoor programs without the victims being aware that they are being installed.
Backdoors operate in a client-server architecture and allow the intruder to have complete control of a victims computer remotely over the network.
They give an intruder access to just about every function of the computer, including logging keystrokes, activating the webcam, logging passwords, and uploading and downloading files.
EC-Council
NetBus Analysis
It is easily detectable using antivirus software, many variations exist. The NetBus backdoor Trojan is also one of the older and more common Windows backdoor Trojans Trojans.
It runs over a TCP connection with default ports of 12345 and 12346.
EC-Council
NetBus Analysis (contd)
EC-Council
Trojan Analysis Example: NetBus Analysis

The previous figure shows that intruder is running the client on 192.168.1.1, which is connected to the server ser er on the victims ictims computer at 192.168.1.200. 192 168 1 200 You will notice that the server is running on the default ports 12345 and 12346 and gp pushed between the client and server. that data is being The two separate source ports indicate two distinct TCP connections.
EC-Council
Wireshark DNP3 Dissector Infinite Loop Vulnerability

Wiresharks DNP3 dissector infinite loop vulnerability causes its process to enter i t the into th infinite i fi it loop. l With infinite looping, an attacker masks other types of attacks. Below is the loop that appears due to this vulnerability: for f { (t (temp16 16 = 0 0; t temp16 16 < num_items; it t temp16++) 16++)
EC-Council
Time Stamps
A time ti stamp t is i the th point i t of f time ti the th data d t packet k t is i captured. t d Libpcap or winPcap library provides time stamps to the Wireshark. Timestamps are documented to be analyzed later. Wireshark internals:
Deal with the time display format of the timestamps. The time display format can be adjusted by the user. Depending upon the requirement, Wireshark converts the timestamp to capture either file format or Wiresharks internal f format. EC-Council
Time Stamps: Wireshark Internals
EC-Council
Time Stamps (contd)

C t i file Capturing fil formats: f t
Time stamps are supported by each and every capture file format of Wireshark Wireshark. File formats store the time stamps with a precision (e.g. nano sec or micro sec). The Wireshark captures the file format supporting micro seconds resolution. l
Accuracy:
Wireshark displays time stamps that are generated by its other resources (Libpcap/winPcap). Since time stamps are just displayed, displayed the point of accuracy is critical. EC-Council
Time Zones
Setting a computers time correctly: y
Set the time zone according to the current location. Set the computer timings according to the local time. Use NTP (Network Time Protocol) to automatically adjust time of the computer automatically.
EC-Council
Packet Reassembling
Packet reassembling mechanism is implemented in the Wireshark for finding, decoding, and displaying the large chunks of data. Network protocols handle the chunk boundaries in such a way that when the data is large, it spreads data over multiple packets.
EC-Council
Checksums
A checksum or redundancy checking is the process of checking the functionality of Wireshark. To ensure data integrity, checksums are used by the network protocols. Through checksum algorithms, simple errors can be solved. The algorithms that are applied for particular network protocol depends on the error rate, error detection, detection ability of the processor, processor performance of the checksum, checksum etc. etc Packet loss and re-transmission:
Packet loss is the error condition where data packets are transmitted correctly, correctly but without reaching the destination. Transmitting the lose data packets again is called re-transmission. Re-transmission occurs when there is loss of data packet or acknowledgement packet.
Note: Ensure that there is no presence of Ethernet duplex setting mismatch (this avoids packet loss and
re-transmission).
EC-Council
Summary
In this module, we reviewed network protocol analyzer Wireshark, its features and working:
IP display filters.
We have discussed various commands used in Wireshark, such as:

Tshark. Tcpdump. Capinfos. p Idl2wrs. Editcap. Mergecap. Text2pcap.
We have discussed the use of Wireshark in network troubleshooting. We have reviewed various scanning techniques.
EC-Council
EC-Council
EC-Council
EC-Council

ECSAv4 Module 04 Advanced Sniffing Techniques NoRestriction - 2 PDF

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

ECSAv4 Module 04 Advanced Sniffing Techniques NoRestriction - 2 PDF

Diunggah oleh

Hak Cipta:

Format Tersedia

Advanced P Penetration t ti T Testing ti and Security Analysis

Module 4 Advanced Sniffing Techniques

This module will familiarize you with:

Features of Wireshark include:

IP Display Filters (contd)

IP Display Filters (contd)

> 1320 [SYN telnet [ACK] telnet [ACK]

Tcpdump is a command line computer network debugging tool.

Prerequisites for Idl2wrs are Python and omniidl.

Conversion of CORBA IDL File to Wireshark Dissector

2 For writing to a file, 2. file redirect the output. output

5. For writing to a file, redirect the output.

Conversion of CORBA IDL File to Wireshark Dissector (cont (contd) d)

8. Run the configure option.

9. Code should be compiled.

Wireshark: Dumpcap (cont d) (contd)

Below is the recommended upgrading process for Wireshark:

It provides searching and filtering of the file at a time.

Protocol Dissection (cont d) (contd)

Steps to Solve GNU/ Linux Server Network Connectivity Issues

Using Wireshark for Network Troubleshooting

Network Troubleshooting Methodology

Using Wireshark for System Administration

ICMP Echo Request/Reply Header Layout

TCP SYN Packet Flags Bit Field

TCP SYN Packet Flags Bit Field (cont d) (contd)

Capture Filter: Examples

Scenario 1: SYN no SYN+ACK

Scenario 2: SYN Immediate Response RST

Scenario 3: SYN SYN+ACK ACK

Tapping into the Network

Tapping system is divided into two parts:

Tapping into the Network (cont (contd) d)

Tapping into a switched network:

Using Wireshark for Security Administration

Detecting Internet Relay Chat Activity

Wireshark as a Detector for Proprietary Information Transmission

Wireless Sniffing with Wireshark

AirPcap is available at www.cacetech.com

Using Channel Hopping

Interference and Collisions

Recommendations for Sniffing Wireless Traffic

Disable other nearby transmitters:

Reduce CPU utilization while capturing:

Match channel selection EC-Council

Analyzing Wireless Traffic

Analyzing Wireless Traffic (cont d) (contd)

IEEE 802.11 Header

IEEE 802.11 Header Fields

IEEE 802.11 Header Fields (cont d) (contd)

Filtering on Source MAC Address and BSSID

Wireless Frame Types Filters

Unencrypted Data Traffic

Unencrypted Data Traffic (cont d) (contd)

Identifying Hidden SSIDs

Identifying EAP Authentication Failures

Wireshark can assist in identifying EAP authentication h i i failure f il messages.

Identifying the EAP Type

Identifying Key Negotiation Properties

 Filter: il eap and ssl.handshake.type eq 11

EAP Identity Disclosure

I is It i also l widely id l known k as an insecure i protocol. l

Filter: il eap and ssl.handshake.type eq 11