Packet Analysis

2021/03/24 · v1.2

Agenda

• Overview of protocols

• Overview of various tools, for example tcpdump, tcpreplay, cloudshark, tshark and wireshark

• Introduction to packet capturing

• Strategies for packet analysis

• Analysing encrypted traffic

OSI and TCP/IP model

OSI Reference Model            TCP/IP Model
7  Application          \
6  Presentation          }     Application
5  Session              /
4  Transport                   Transport
3  Network                     Internet
2  Data Link            \      Network Access (Link Layer)
1  Physical             /

OSI and TCP/IP model

OSI Reference Model            TCP/IP Model
7  Application          \
6  Presentation          }     Application
5  Session              /
4  Transport                   Transport
3  Network                     Internet
2  Data Link            \      Network Access (Link Layer)
1  Physical             /

Example protocols by OSI layer:

Layer 2: Ethernet, PPP, ARP
Layer 3: IPv4, IPv6, ICMP, ICMPv6 (including NDP), IGMP, OSPF
Layer 4: TCP, UDP, SCTP
Layer 5: NFS, SOCKS
Layer 7: HTTP, FTP, IMAP, LDAP, NTP, RADIUS, SSH, SMTP, SNMP, Telnet, DNS, DHCP

(ARP sits between layers 2 and 3: it is carried directly in Ethernet frames but resolves IP addresses. NDP is a set of ICMPv6 messages and OSPF runs directly over IP as protocol 89, so neither is a layer 2 protocol.)

OSI and TCP/IP model: encapsulation

Each layer wraps what it receives from the layer above in its own header; the receiving host strips the headers again in reverse order.

Application (HTTP, DNS, FTP)      Data
Transport (TCP/UDP)               Transport Header | Data
Internet (IPv4/IPv6)              IP Header | Transport Header | Data
Network Access (Ethernet, PPP)    Frame Header | IP Header | Transport Header | Data
Physical                          0011010100000111 (bits on the wire)

https://gettys.wordpress.com/2018/04/09/mythology-about-security/


Ethernet frame

https://en.wikipedia.org/wiki/EtherType#Examples


Internet Protocol (IPv4)

https://tools.ietf.org/html/rfc791#section-2.1


Internet Protocol (IPv6)

https://tools.ietf.org/html/rfc8200#page-6


Transmission Control Protocol (TCP)

https://tools.ietf.org/html/rfc793#section-3.1


User Datagram Protocol (UDP)

https://tools.ietf.org/html/rfc768


Telnet

(diagram: a terminal opening Telnet sessions to servers and routers)

• Remote terminal access over TCP port 23

• Everything, including the username and password, crosses the network in plaintext: anyone who can capture the traffic can read the whole session

https://packetlife.net/captures/protocol/telnet/
https://tools.ietf.org/html/rfc854


Secure Shell (SSH)

• Authenticated and encrypted shell access to a remote host

• Client-server model

• TCP port 22

• It is much more than a secure shell
  – Transport protocol (e.g. SCP, SFTP)
  – Connection forwarder: you can use it to build custom tunnels

https://packetlife.net/captures/protocol/ssh/



Module 2: Tools

Packet capture

• tcpdump
  – command line utility used to capture and analyse packets on network interfaces

• Wireshark / TShark
  – graphical (Wireshark) and terminal (TShark) utilities used to capture and analyse packets on network interfaces

• Cloudshark
  – web-based utility used to analyse uploaded packet captures

• Zeek (formerly Bro)
  – network traffic analysis framework that turns live traffic or captures into structured logs

tcpdump

• tcpdump is a command line utility to capture and analyze network packets
  – From the man page: (excerpt shown on the slide)

tcpdump

• By default tcpdump captures packets and prints them out
  – -n: don't translate addresses and ports to names (bypasses the default)
  – -i: interface to listen on

  tcpdump -n -i en0 port 53

  (the slide shows the resulting output: DNS queries followed by the DNS responses)

tcpdump

• With the -w flag you can write the packets to a file for later analysis
  – -w: write to a file (test_capture.pcap)
  – -c: stop after this many packets

  tcpdump -n -i en0 -w test_capture.pcap -c 100

tcpdump

• You can read packets from a file with the -r flag
  – -r: read from a file (test_capture.pcap)
  – port: only show packets that match the port number

  tcpdump -r test_capture.pcap port 443

Examples

• Packets to or from a host:
  tcpdump -ni en0 host 10.10.10.10

• Packets from a host:
  tcpdump -ni en0 src 10.10.10.10

• Packets to a host:
  tcpdump -ni en0 dst 10.10.10.10

• Packets of a given protocol:
  tcpdump -ni en0 tcp

Capture filters

• Only capture TCP packets with exactly the SYN flag set (byte 13 of the TCP header holds the flags; 0x02 is SYN alone, so a SYN/ACK does not match)

  tcpdump -ni en0 tcp[13]==2

• Capture ICMPv6 packets that are ONLY neighbor solicitations (type 135)

  tcpdump -ni en0 icmp6 and ip6[40] == 135

  Caveat: ip6[40] is the first byte after the fixed 40-byte IPv6 header. It is the ICMPv6 type only when no extension header sits between the IPv6 header and ICMPv6; a solicitation carried behind, for example, a Hop-by-Hop header is silently missed by this filter.
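Both filters above test single bytes at fixed offsets, which is all BPF can do cheaply. The Python below is an added example (not part of the original course material): it builds a few packets in memory (constructed, not captured; all MACs and addresses are made up), decodes the Ethernet, IPv4, IPv6 and TCP headers from the preceding slides, and evaluates both filters the way tcpdump does, including the extension-header case that ip6[40] misses.

```python
"""Decode constructed Ethernet / IPv4 / IPv6 / TCP / ICMPv6 packets and evaluate
the two tcpdump capture filters by raw byte offset, the way BPF does.

Added example (not from the original slides). Every packet is built in memory;
no interface or capture file is needed.
"""
import struct

ETH_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_HOPOPT, PROTO_TCP, PROTO_ICMPV6 = 0, 6, 58
IPV6_EXT_HEADERS = {PROTO_HOPOPT, 43, 60}      # Hop-by-Hop, Routing, Destination Options
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7 of byte 13

def parse_ethernet(frame):
    """Ethernet II: 6-byte dst, 6-byte src, 2-byte EtherType, then the payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    return dst.hex(":"), src.hex(":"), etype, frame[ETH_LEN:]

def parse_ipv4(pkt):
    """RFC 791 fixed header; IHL (in 32-bit words) tells where the L4 header starts."""
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:total_len]}

def parse_ipv6(pkt):
    """RFC 8200 fixed 40-byte header; options live in chained extension headers instead."""
    vtcfl, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    return {"version": vtcfl >> 28, "payload_len": plen, "next_header": nxt,
            "hop_limit": hlim, "src": pkt[8:24], "dst": pkt[24:40], "payload": pkt[40:40 + plen]}

def tcp_flags(segment):
    """Names of the flag bits set in byte 13 of a TCP header (RFC 793)."""
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if (segment[13] >> bit) & 1]

def filter_tcp_syn_only(frame):
    """tcpdump 'tcp[13] == 2': exactly SYN set, so a SYN/ACK (0x12) does not match."""
    _, _, etype, pkt = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV4:
        return False
    ip = parse_ipv4(pkt)
    return ip["proto"] == PROTO_TCP and ip["payload"][13] == 0x02

def filter_ndp_solicit_by_offset(frame):
    """tcpdump 'icmp6 and ip6[40] == 135': 'icmp6' tests only the fixed header's
    next-header field and ip6[40] is the byte right after the fixed header, so the
    filter is blind to a solicitation carried behind an extension header."""
    _, _, etype, pkt = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV6:
        return False
    return parse_ipv6(pkt)["next_header"] == PROTO_ICMPV6 and pkt[40] == 135

def filter_ndp_solicit_by_chain(frame):
    """Walk the extension-header chain (RFC 8200 section 4) to the real ICMPv6 type byte."""
    _, _, etype, pkt = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV6:
        return False
    nxt, off = parse_ipv6(pkt)["next_header"], 40
    while nxt in IPV6_EXT_HEADERS:
        nxt, ext_len = pkt[off], pkt[off + 1]      # next header; length in 8-octet units, minus 1
        off += (ext_len + 1) * 8
    return nxt == PROTO_ICMPV6 and pkt[off] == 135

# --- constructed test packets (made-up addresses, not real traffic) -------------------
SRC_MAC, DST_MAC = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")

def build_ipv4_tcp(flags, src="10.0.0.5", dst="10.0.0.10", sport=40000, dport=22):
    """Minimal Ethernet+IPv4+TCP frame with the given flag byte; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def build_ipv6_ns(with_hopbyhop=False):
    """Neighbor Solicitation (ICMPv6 type 135) from fe80::1 to the solicited-node group
    ff02::1:ff00:a, optionally behind an 8-octet Hop-by-Hop header holding a PadN option."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + bytes.fromhex("fe80" + "00" * 13 + "0a")
    payload, nxt = icmp, PROTO_ICMPV6
    if with_hopbyhop:
        payload = struct.pack("!BB", PROTO_ICMPV6, 0) + b"\x01\x04\x00\x00\x00\x00" + icmp
        nxt = PROTO_HOPOPT
    ip6 = (struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255)
           + bytes.fromhex("fe80" + "00" * 13 + "01") + bytes.fromhex("ff02" + "00" * 9 + "01ff00000a"))
    return bytes.fromhex("3333ff00000a") + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + payload

if __name__ == "__main__":
    for label, frame in [("SYN", build_ipv4_tcp(0x02)), ("SYN/ACK", build_ipv4_tcp(0x12))]:
        print(label, "matches tcp[13]==2:", filter_tcp_syn_only(frame))
    for label, frame in [("plain NS", build_ipv6_ns()), ("NS behind Hop-by-Hop", build_ipv6_ns(True))]:
        print(label, "offset filter:", filter_ndp_solicit_by_offset(frame),
              "chain walk:", filter_ndp_solicit_by_chain(frame))
```

The chain-walking variant is what you would implement in a dissector; in a capture filter the fixed-offset test is the price of running in the kernel, so know which packets it cannot see.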

Reading tcpdump Output

• UDP packets (a DNS lookup, annotated on the slide):
  – Timestamp
  – Source IP and source port
  – Destination IP and destination port
  – Query ID, followed by the DNS query (record type and name)
  – Query size in bytes
  – The response line shows the number of answers (2 answers in the example)

Reading tcpdump Output

• TCP packets:
  – Flags: [P.] is PUSH + ACK, [.] is ACK alone, [S] is SYN, [R] is RST
  – "seq 1:531" covers relative sequence numbers 1 up to (not including) 531, so the segment carries 531-1 = 530 bytes; the following "seq 531:1959" carries 1959-531 = 1428 bytes. Both match the "length" field printed at the end of the line.

• Seen a "connection refused" error?
  – You sent a SYN, but the server responded with a RST packet instead of a SYN/ACK
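To make the field layout concrete, here is an added example (not from the original slides) that parses tcpdump's text output. The sample lines are constructed to match tcpdump -nn formatting and are not from a real capture; the functions pull out the annotated fields (query ID, answer count, flags, sequence range against the length field) and pair each bare SYN with the RST that produces a "connection refused".

```python
"""Parse tcpdump's text output (one line per packet) into records, recover the
fields the slides annotate, and flag the SYN-answered-by-RST pattern behind a
"connection refused" error.

Added example, not part of the original slides. SAMPLE is constructed to match
`tcpdump -nn` output; it is not from a real capture.
"""
import re

SAMPLE = """\
10:15:01.000100 IP 10.0.0.5.51234 > 8.8.8.8.53: 43981+ A? example.com. (29)
10:15:01.020400 IP 8.8.8.8.53 > 10.0.0.5.51234: 43981 2/0/0 A 93.184.216.34, A 93.184.216.35 (61)
10:15:02.000000 IP 10.0.0.5.51235 > 10.0.0.10.443: Flags [S], seq 100, win 64240, options [mss 1460], length 0
10:15:02.000300 IP 10.0.0.10.443 > 10.0.0.5.51235: Flags [S.], seq 5000, ack 101, win 65160, options [mss 1460], length 0
10:15:02.000600 IP 10.0.0.5.51235 > 10.0.0.10.443: Flags [.], ack 1, win 502, length 0
10:15:02.001000 IP 10.0.0.5.51235 > 10.0.0.10.443: Flags [P.], seq 1:531, ack 1, win 502, length 530
10:15:02.002000 IP 10.0.0.5.51235 > 10.0.0.10.443: Flags [P.], seq 531:1959, ack 1, win 502, length 1428
10:15:03.000000 IP 10.0.0.5.51236 > 10.0.0.10.8080: Flags [S], seq 200, win 64240, options [mss 1460], length 0
10:15:03.000200 IP 10.0.0.10.8080 > 10.0.0.5.51236: Flags [R.], seq 0, ack 201, win 0, length 0
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"; the port is the last dot-separated token
HEADER = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?P<rest>.*)$")
TCP = re.compile(r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?.*, length (?P<length>\d+)$")
DNS_QUERY = re.compile(r"^(?P<qid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<size>\d+)\)$")
DNS_REPLY = re.compile(r"^(?P<qid>\d+)\S* (?P<answers>\d+)/\d+/\d+ (?P<rdata>.*) \((?P<size>\d+)\)$")
# tcpdump's one-letter flags: S=SYN .=ACK P=PSH R=RST F=FIN U=URG E=ECE W=CWR
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "R": "RST", "F": "FIN", "U": "URG", "E": "ECE", "W": "CWR"}

def parse_line(line):
    """Return a dict for one tcpdump line, or None for lines in a format not handled here."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"]}
    rest = m["rest"]
    t, q, a = TCP.match(rest), DNS_QUERY.match(rest), DNS_REPLY.match(rest)
    if t:
        rec.update(proto="tcp", flags=[FLAG_NAMES.get(c, c) for c in t["flags"]], length=int(t["length"]))
        if t["seq_end"]:
            # "seq a:b" covers relative bytes a .. b-1, so b - a must equal the length field
            rec["seq_bytes"] = int(t["seq_end"]) - int(t["seq"])
    elif q:
        rec.update(proto="dns", kind="query", qid=int(q["qid"]), qtype=q["qtype"],
                   qname=q["qname"], size=int(q["size"]))
    elif a:
        rec.update(proto="dns", kind="reply", qid=int(a["qid"]), answers=int(a["answers"]), size=int(a["size"]))
    else:
        rec["proto"] = "other"
    return rec

def parse_output(text):
    """All parseable records from a block of tcpdump text, in capture order."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]

def connection_refused(records):
    """Pair each bare SYN with the first reply from the other side: a RST means the
    port was closed (the client sees 'connection refused'); a SYN/ACK clears it."""
    pending, refused = {}, []
    for rec in records:
        if rec.get("proto") != "tcp":
            continue
        fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if rec["flags"] == ["SYN"]:
            pending[fwd] = rec["ts"]
        elif rev in pending and "RST" in rec["flags"]:
            refused.append({"client": rev[0], "server": f"{rev[2]}:{rev[3]}", "syn_ts": pending.pop(rev)})
        elif rev in pending and "SYN" in rec["flags"] and "ACK" in rec["flags"]:
            pending.pop(rev)
    return refused

if __name__ == "__main__":
    records = parse_output(SAMPLE)
    for rec in records:
        print(rec)
    print("refused:", connection_refused(records))
```

Run the same functions over `tcpdump -nn -r capture.pcap` output piped into the script and the pairing logic is unchanged; only the sample text is constructed.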


Wireshark

• Wireshark is a graphical network packet/protocol analyzer


Why Wireshark?

• Network admins use it to troubleshoot network problems

• Security engineers use it to examine security problems

• Developers use it to debug protocol implementations

• People use it to learn network protocol internals

What Wireshark isn't

• Not an intrusion detection system
  – it won't alert you to strange things in your network

• It only "reads" packets
  – it will not manipulate packets on the network

How to Install

• Straightforward
  – Download
    • https://www.wireshark.org/download.html
  – Install
    • Just double-click and follow the instructions
  – Further details
    • https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html
    • https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html

Capture Packets

(screenshot: pick the interface to capture on, then start the capture)

• Interfaces are opened in promiscuous mode by default, so the NIC passes up frames not addressed to it. On a switched network you still only see traffic the switch forwards to your port, unless you capture on a mirror (SPAN) port or through a tap.

Dashboard

(screenshot of the main window, annotated: main toolbar, packet list pane, packet bytes pane)


Filters

• Capture filter

– Only capture packets that match the expression

• https://wiki.wireshark.org/CaptureFilters


Filters

• Display filter

– Look for specifics: ports, protocols, etc.

• Helps drill down to traffic of interest

• >3000 protocols & ~250K fields (https://www.wireshark.org/docs/dfref/)

Apply Filters

• ip.addr == 10.0.0.1 [any packet with 10.0.0.1 as either the source or the destination]

• ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 [a conversation filter between the two IP addresses]

• http or dns [display all HTTP and DNS]

• tcp.port == 4000 [any TCP packet with 4000 as source or destination port]

• tcp.flags.reset == 1 [all TCP resets]

• http.request [all HTTP requests, whatever the method; use http.request.method == "GET" for GET requests only]

• tcp contains rviews [all TCP segments containing the string 'rviews'; excellent when searching for a specific string or user ID]

• !(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols are background noise, so you can focus on the traffic of interest]

Protocol Streams

• Wireshark allows you to follow protocol streams (Analyze -> Follow -> TCP Stream)
  – the conversation is reassembled as seen by the application layer

• Example: maybe you want to see a password in a Telnet stream



Statistics menu

• What protocols are used in your network?

– Statistics -> Protocol Hierarchy


Statistics menu

• Which host is consuming your bandwidth?

– Statistics -> Conversations

Decrypt TLS traffic

• Wireshark can only decrypt TLS if you give it key material:
  – the server's private key, which works only for sessions that used RSA key exchange (not for (EC)DHE suites or TLS 1.3), or
  – a (pre-)master secret log written by the client (the SSLKEYLOGFILE mechanism supported by browsers and curl), which works for any cipher suite and TLS version

• Without one of these the payload stays opaque; handshake metadata such as the SNI is still visible

https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures#ssl-with-decryption-keys

Need CLI?

• Where you don't have a graphical user interface
  – tshark is the terminal version of Wireshark

• Uses the same dissectors and display filters as Wireshark
  – https://www.wireshark.org/docs/man-pages/tshark.html

Zeek (formerly Bro)

• Vern Paxson started development in 1995

• Zeek's scripting language is used for fine-grained anomaly-related detection and processing

• After processing network traffic, Zeek writes structured log files (tab-separated by default, or JSON)

• Log files are split by protocol and by the type of observation:

  Connection      Protocol-specific   Detection         Observations
  conn.log        http.log            notice.log        known_certs.log
  files.log       ftp.log             signatures.log    known_services.log
  x509.log        dns.log             traceroute.log    weird.log


Module 3: Strategies for packet analysis

Signature analysis

• Distinctive marks of known bad traffic are used to generate alerts, e.g. for
  – virus detection,
  – malicious websites or
  – malware files.

• Distinctive marks include:
  – IP addresses
  – Hostnames
  – Offsets, for example in a memory-corruption exploit
  – Debug information
  – "Ego" strings (strings left in the code by its author)
  – Header information

Signature analysis

• An example is detecting an nmap scan of a network by looking at the source IP, destination IPs and ports: one source sending SYNs to many ports on a host in a short time is the signature.

https://www.hackingarticles.in/understanding-nmap-scan-wireshark/
https://asecuritysite.com/log/nmap.zip

Session analysis

• Uses the session metadata to determine what is happening during a session:
  – which devices are causing the traffic,
  – the type of traffic, or
  – what data is being transferred.

• Looks at the behaviour of the sessions and flags behaviour that is not normal.

Session analysis

• An example: once a network has been compromised, ping (ICMP) may be used to exfiltrate data in the echo payload. A stock ping carries a small fixed payload (56 bytes on Linux, 32 on Windows), so unusually large payloads stand out.

Wireshark filter: "data.len > 76"

(The linked CloudShark capture applies the slightly looser data.len > 71.)

https://www.cloudshark.org/captures/e7f1b8c0b434?filter=data.len%20>%2071


Which technique?

• Signature analysis – can be used to create the alert; then

• Session analysis – can help investigate the alert further.
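As an added example (not from the original slides), the following Python applies both strategies to a Zeek conn.log, which is where the tools of the previous module leave the session metadata: a signature-style rule for the nmap-scan pattern and a session-style check for oversized pings. The log is constructed with a subset of the real conn.log columns and made-up addresses; the parser reads the #fields header, so it works unchanged on a full conn.log or any other Zeek TSV log.

```python
"""Apply the two strategies from this module to a Zeek conn.log: a signature-style
rule for a port scan (one origin, many destination ports, nothing completed) and a
session-style check for oversized ICMP echo payloads.

Added example, not from the original slides. The log below is constructed with a
subset of the real conn.log columns; the parser is driven by the #fields header.
"""
from collections import defaultdict

def _row(*cols):
    return "\t".join(str(c) for c in cols)

SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389, 5900, 8080, 8443, 9200]

SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _row("#set_separator", ","), _row("#empty_field", "(empty)"), _row("#unset_field", "-"), _row("#path", "conn"),
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service",
         "duration", "orig_bytes", "resp_bytes", "conn_state", "orig_pkts", "resp_pkts"),
    _row("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string",
         "interval", "count", "count", "string", "count", "count"),
    # 10.0.0.66 sweeps 10.0.0.10: closed ports answer with RST (REJ), filtered ones not at all (S0)
    *[_row(1616580000 + i / 100, f"CScan{i}", "10.0.0.66", 40000 + i, "10.0.0.10", p, "tcp", "-", "-", 0, 0,
           "REJ" if i % 4 == 0 else "S0", 1, 1 if i % 4 == 0 else 0)
      for i, p in enumerate(SCANNED_PORTS)],
    # a normal web session and a normal 4-packet ping (ICMP type goes in id.orig_p, code in id.resp_p)
    _row(1616580010.0, "CWeb1", "10.0.0.5", 51235, "10.0.0.10", 443, "tcp", "ssl", 1.2, 530, 1428, "SF", 6, 5),
    _row(1616580020.0, "CPing1", "10.0.0.5", 8, "10.0.0.10", 0, "icmp", "-", 3.0, 224, 224, "OTH", 4, 4),
    # 40 echo requests carrying 1000 bytes each to an outside host: ping as a covert channel
    _row(1616580030.0, "CExfil1", "10.0.0.77", 8, "198.51.100.9", 0, "icmp", "-", 40.0, 40000, 320, "OTH", 40, 40),
    "#close\t2021-03-24-10-15-00",
])

def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek TSV log, keyed by the #fields header,
    with the #unset_field marker ('-') turned into None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            continue
        yield {k: (None if v == unset else v) for k, v in zip(fields, line.split("\t"))}

def detect_port_scans(records, min_ports=10, window=60.0):
    """Signature rule: one origin touching at least min_ports distinct ports on one
    responder within `window` seconds, none of them a completed session (conn_state SF)."""
    attempts = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] != "SF":
            attempts[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), int(r["id.resp_p"]), r["conn_state"]))
    hits = []
    for (scanner, target), events in attempts.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in in_window}
            if len(ports) >= min_ports:
                hits.append({"scanner": scanner, "target": target, "ports": sorted(ports),
                             "rejected": sum(1 for _, _, st in in_window if st == "REJ"), "first_ts": t0})
                break
    return hits

def detect_oversized_icmp(records, max_avg_payload=76):
    """Session check: echo requests whose mean payload per packet exceeds what a stock
    ping sends (56 bytes on Linux, 32 on Windows); 76 mirrors the slide's data.len > 76."""
    hits = []
    for r in records:
        if r["proto"] != "icmp" or r["id.orig_p"] not in ("8", "128"):   # ICMP / ICMPv6 echo request
            continue
        pkts = int(r["orig_pkts"] or 0)
        avg = int(r["orig_bytes"] or 0) / pkts if pkts else 0.0
        if avg > max_avg_payload:
            hits.append({"src": r["id.orig_h"], "dst": r["id.resp_h"], "pkts": pkts, "avg_payload": avg})
    return hits

if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    print("scans:", detect_port_scans(recs))
    print("oversized icmp:", detect_oversized_icmp(recs))
```

The scan rule fires the alert; the ICMP check is the kind of follow-up a session view gives you, and both read the same conn.log, which is why the two techniques complement each other.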


Module 4: Demo

https://academy.apnic.net/en/virtual-labs?labId=55334

TCPdump command example

# cd /opt/samples
# tcpdump -nn -r fake_av.pcap | wc -l
# tcpdump -nn -r fake_av.pcap | head
# tcpdump -nn -r fake_av.pcap | cut -f 3 -d " " | head
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head

Display top 10 destinations

# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head

-nn = don't use DNS to resolve IPs and don't translate port numbers to service names
-r = read packets from a pcap file
-f = field to select (in tcpdump's "src > dst:" output, field 3 is the source and field 5 the destination)
-d = delimiter to use (the second cut, -f 1-4 -d ".", keeps the IPv4 address and drops the port)

TCPdump command example

# tcpdump -nn -r fake_av.pcap 'port 53' | head -5
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 9 -d " " | head
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'

grep -Ev drops every line containing one of the common TLDs, lea‌ving the queries for names outside those zones. It matches the strings anywhere on the line, so a name such as company.xyz is dropped as well because it contains "com".

If a suspicious domain name is found, use https://www.virustotal.com/gui/home/url to check whether it is malicious.

TCPdump command example

# cd /opt/samples/mta
# for capfile in *.pcap; do tcpdump -nn -r "$capfile" 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'; done

Check for plain text passwords in pcap files

# for capfile in *.pcap; do tcpdump -nn -lA -r "$capfile" 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | grep -Ei -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '; done

-l = force line buffered mode
-A = print each packet's payload as ASCII

Options such as -lA must come before the filter expression; placed after it they are taken as part of the filter on systems whose getopt does not reorder arguments. Quote the filter so the shell does not interpret it, and loop over *.pcap directly rather than over the output of ls.
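The grep pipelines above trade precision for speed: 'log=' also matches 'catalog=', and the TLD filter drops company.xyz because the name contains "com". The Python below is an added example (not part of the original lab) that runs the same two checks over constructed tcpdump -A text and a made-up query list, attributing each credential hit to its packet header and putting the slide's pattern beside a tightened one.

```python
"""Triage `tcpdump -A` output for plaintext credentials, and DNS names for unusual
TLDs, with tighter matching than the grep pipelines in this module.

Added example, not from the original slides. SAMPLE_ASCII is constructed to look
like `tcpdump -nn -lA` output with the non-printable header bytes omitted; the
domain list is likewise made up.
"""
import re

SAMPLE_ASCII = """\
10:20:01.000000 IP 10.0.0.5.50001 > 10.0.0.20.21: Flags [P.], seq 1:12, ack 1, win 502, length 11
USER alice
10:20:01.200000 IP 10.0.0.5.50001 > 10.0.0.20.21: Flags [P.], seq 12:30, ack 20, win 502, length 18
PASS Winter2021!
10:20:02.000000 IP 10.0.0.6.50002 > 10.0.0.21.80: Flags [P.], seq 1:150, ack 1, win 502, length 149
POST /login HTTP/1.1
Host: intranet.example
Content-Type: application/x-www-form-urlencoded

username=bob&password=hunter2
10:20:03.000000 IP 10.0.0.7.50003 > 10.0.0.21.80: Flags [P.], seq 1:70, ack 1, win 502, length 69
GET /search?catalog=shoes&page=2 HTTP/1.1
Host: shop.example
"""

PACKET_HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): ")

# The slide's alternation as grep -Ei applies it: bare substrings, so "catalog=" hits "log=".
NAIVE = re.compile(r"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ", re.I)

# Tighter: the keyword must start a token (no letter/digit/underscore before it) and be
# followed by = or :, or be an FTP/SMTP/POP3-style USER/PASS command at the start of a line.
PRECISE = re.compile(
    r"(?<![A-Za-z0-9_])(?:pass(?:w(?:or)?d)?|pwd|pw|user(?:name)?|login|log)\s*[=:]\s*(?P<value>[^\s&]+)"
    r"|^(?:USER|PASS)\s+(?P<arg>\S+)", re.I | re.M)

def find_credentials(text, pattern=PRECISE):
    """Scan tcpdump -A text and attribute every match to the packet header it falls under
    (the job grep -B5 approximates by printing the preceding lines)."""
    hits, current = [], (None, None, None)
    for line in text.splitlines():
        h = PACKET_HEADER.match(line)
        if h:
            current = (h["ts"], h["src"], h["dst"])
            continue
        for m in pattern.finditer(line):
            hits.append({"ts": current[0], "src": current[1], "dst": current[2],
                         "match": m.group(0), "line": line})
    return hits

COMMON_TLDS = ("com", "net", "org", "gov", "mil", "arpa")

def uncommon_tld_substring(names, common=COMMON_TLDS):
    """What grep -Ev '(com|net|org|gov|mil|arpa)' does: drop a name if the string appears anywhere."""
    return [n for n in names if not any(t in n for t in common)]

def uncommon_tld_anchored(names, common=COMMON_TLDS):
    """Look only at the final label (ignoring the trailing dot tcpdump prints) and keep the rest."""
    return [n for n in names if n.rstrip(".").rsplit(".", 1)[-1].lower() not in common]

# Constructed query names; the only real-looking ones are documentation-style examples.
SAMPLE_QUERIES = ["example.com.", "update.windowsupdate.com.", "company.xyz.", "cdn-static.top.",
                  "mail.example.org.", "internal.arpa-tools.io."]

if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE), ("precise", PRECISE)):
        for hit in find_credentials(SAMPLE_ASCII, pattern):
            print(label, hit["ts"], hit["src"], "->", hit["dst"], repr(hit["match"]))
    print("substring:", uncommon_tld_substring(SAMPLE_QUERIES))
    print("anchored: ", uncommon_tld_anchored(SAMPLE_QUERIES))
```

The point is not that the one-liners are wrong, but that a triage rule needs a false-positive check (the catalog= line) and a false-negative check (company.xyz) before you trust its silence.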

TShark command example

# cd /opt/samples
# tshark -r fake_av.pcap | wc -l
# tshark -r fake_av.pcap | head
# tshark -r fake_av.pcap -T fields -e ip.dst -e tcp.dstport | head

Display top 10 destinations

# tshark -r fake_av.pcap -T fields -e ip.dst | sort | uniq -c | sort -nr | head

-T fields = print only the selected fields instead of the one-line summary
-e = a field to print; any field usable in a Wireshark display filter can be named here

Bro command example

# mkdir ~/fake && cp /opt/samples/fake_av.pcap ~/fake/. && cd ~/fake
# bro -C -r fake_av.pcap local
# jq -r .query dns.log | grep -Ev '(com|net|org|gov|mil|arpa)' | sort -u | grep -E '[a-z]'

-C = ignore invalid checksums (common in captures taken on a host that offloads checksumming to the NIC)
-r = read packets from a pcap file instead of an interface
local = load the default local policy script

jq only works when Bro/Zeek is writing JSON logs (the json-logs tuning policy); with the default tab-separated logs use bro-cut (zeek-cut on current installs) to pull out the query column instead. uniq only removes adjacent duplicates, so the names are sorted first (sort -u).


Module 5: Exercises

Exercise

• Install Wireshark

• Download the captured (pcap) files from the lab website
  – Follow the guides on the next pages

Exercise 1: Good Old Telnet

• File
  – telnet.pcap

• Question
  – Reconstruct the telnet session

• Q1: Who logged into 192.168.0.1?
  – Username __________, Password __________

• Q2: After logging in, what did the user do?

Exercise 2: Covert channel

• File
  – covertinfo.pcap

• Question: Is it a genuine ICMP packet?
  – Take a closer look! This is not a typical ICMP Echo/Reply...

Exercise 3: Suspicious FTP activity

• File
  – ftp.pcap

• Question
  – Q1: 10.121.70.151 is the FTP ______.
  – Q2: 10.234.125.254 is the FTP ______.
  – Q3: What is FTP error code 530? __________
  – Q4: 10.234.125.254 attempts to ________.

• Tip
  – How many login attempts within a minute?

Exercise 4: Chatty Employees

• File
  – chat.dmp

• Question
  – Q1: What kind of protocol is used? _______
  – Q2: This is a conversation between [email protected] and [email protected]
  – Q3: What do they say about you (the sysadmin)?

• Tip
  – Your chats can be monitored by your network admin.

Exercise 5: SIP

• File
  – sip_chat.pcap

• Question
  – Can we listen to the SIP voice call?
