Wireshark - wiki.apnictraining.net · • tcp contains rviews[displays all TCP packets that contain...
Transcript of Wireshark - wiki.apnictraining.net · • tcp contains rviews[displays all TCP packets that contain...
6/19/18
1
Issue Date:
Revision:
Wireshark
1
25-29 June 2018PacNOG 22, Honiara, Solomon IslandsSupported by:
Why we need to capture packet & how it’s related to security?
6/19/18
2
tcpdump Definition
tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. tcpdump utilizes the libpcap library for packet capturing.
tcpdump command example
# tcpdump –nni eth0
# tcpdump –nni eth0 host 10.10.10.10
# tcpdump –nni eth0 dst host 10.10.10.10 and proto tcp
# tcpdump –nni eth0 src net 10.10.10.0/24 and port tcpand portrange 1-1024
-nn = don’t use DNS to resolve IPs and display port no-i = interface to watchdst = watch only traffic destined to a net, host or portsrc = watch only traffic whose src is a net, host or portnet = specifies networkhost = specifies hostport = specifies a portproto = protocol ie tcp or udp
6/19/18
3
tcpdump command example
# tcpdump –nni eth0 –s0
# tcpdump –nni eth0 not port 22 –s0 –c 1000
# tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24
-s0 = setting samples length to 0 means use the required length to catch whole packet-c = no to packets
tcpdump pcaps
# tcpdump –nni eth0 -w capture.pcap –vv –c 1000
# tcpdump –nni eth0 –r capture.pcap and port 80
-w capture.pcap = save capture packet to capture.pcap–vv = display number of packet captured-r caputre.pcap = read capture file-c = no to packets
6/19/18
4
tcpdump Output
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack106, win 4092, options [nop,nop,TS val 376934736 ecr854797891], length 0
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack159, win 4091, options [nop,nop,TS val 376934736 ecr854797891], length 0
What is Wireshark?
• Wireshark is a network packet/protocol analyzer. – A netw ork packet analyzer w ill try to capture netw ork packets and
tries to d isp lay that packet data as deta iled as possib le .
• Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.
6/19/18
5
About Wireshark
• Formerly known as “Ethereal”– Author, G era ld C om bs quit N etw ork In tegration Services– Free
• Requirement– N eed to insta ll w inpcap– Latest w ireshark insta ller conta ins w inpcap, don’t w orry
– (O n W indow s Vista) N eed Adm in istra tor P riv ilege to capture
• GUI– D ram atica lly im proved
Why Wireshark
• network administrators use it to troubleshoot network problems
• network security engineers use it to examine security problems
• developers use it to debug protocol implementations• people use it to learn network protocol internals
• Wireshark isn't an intrusion detection system.• Wireshark will not manipulate things on the network, it will
only "measure" things from it.
6/19/18
6
How to Install
• Very straight forward• Just double-click and follow the instructions.
• https://www.wireshark.org/download.html
Capture
6/19/18
7
DashboardMenu
Filter
Capture Data
Raw Data
Filters
• Capture filter– C apture Traffic that m atch capture filter ru le– save d isk space
– prevent packet loss
• Display filter• Tweak appearance
6/19/18
8
Apply Filters
• ip .addr == 10.0.0.1 [Sets a filte r for any packet w ith 10.0.0 .1 , as e ither the source or dest]
• ip .addr==10.0.0.1 && ip .addr==10.0.0.2 [sets a conversation filte r betw een the tw o defined IP addresses]
• h ttp or dns [sets a filte r to d isp lay a ll h ttp and dns]
• tcp.port==4000 [sets a filte r for any TC P packet w ith 4000 as a source or dest port]
• tcp.flags.reset==1 [d isp lays a ll TC P resets]
• h ttp .request [d isp lays a ll H TTP G ET requests]• tcp conta ins rv iew s [d isp lays a ll TC P packets that conta in the w ord
‘rv iew s’. Excellent w hen search ing on a specific string or user ID ]
• !(arp or icm p or dns) [m asks out arp, icm p, dns, or w hatever o ther protoco ls m ay be background no ise. A llow ing you to focus on the tra ffic o f in terest]
Follow TCP Stream
6/19/18
9
Follow TCP Stream
• Build TC P S tream
– Select TCP Packet -> Follow TCP Stream
Use “Statistics”
• What protocol is used in your network– Statistics -> P rotoco l H ierarchy
6/19/18
10
Use “Statistics”
• Which host most chatty– Statistics -> C onversations
Need CLI?
• If you stick to character based interface, try tshark.exe• C:\program files\wireshark\tshark.exe
6/19/18
11
Tcpdump & Wireshark
• tcpdump -i <interface> -s 65535 -w <some-file>
Exercise
• Install Wireshark into your PC• Run wireshark and Capture inbound/outbound traffic• Download capture files from
– Follow the instructor's gu ide.
6/19/18
12
Exercise 1: Good Old Telnet
• File– te lnet.pcap
• Question– R econstruct the te lnet session.
• Q1: Who logged into 192.168.0.1– U sernam e __________, Passw ord __________ .
• Q2: After logged in what did the user do?– Tip
– te lnet tra ffic is not secure
Exercise 2: Massive TCP SYN
• File– m assivesyn1.pcap and m assivesyn2.pcap
• Question– Point the d ifference w ith them .
• Q1: massivesyn1.pcap is a _________ attempt.• Q2: massivesyn2.pcap is a _________ attempt.• Tip
– Pay attention to S rc IP
6/19/18
13
Exercise 3: Chatty Employees
• File– chat.dm p
• Question• Q1: What kind protocol is used? _______• Q2: This is conversation between [email protected] and
[email protected]• Q3: What do they say about you(sysadmin)?
• Tip– Your chat can be m onitored by netw ork adm in.
Exercise 4: Suspicious FTP activity
• File– ftp1.pcap
• Question– Q 1: 10.121.70.151 is FTP ______ .
– Q 2: 10.234.125.254 is FTP ______ .– Q 3: FTP E rr C ode 530 m eans __________ .
– Q 4: 10.234.125.254 attem pt ________.
• Tip– H ow m any log in error occur w ith in a m inute?
6/19/18
14
Exercise 5: Unidentified Traffic
• File– Foobar.pcap
• Question– Q 1: see w hat’s go ing on w ith w ireshark gui
• Statistics -> Conversation List -> TCP (*)
– Q 2: W hich application use TC P/6346? C heck the w eb.
Exercise 6: Covert channel
• File– covertin fo .pcap
• Question– Take a c loser look! Th is is not a typ ica l IC M P Echo/R eply…
– Q 1: W hat k ind of too l do they use? C heck the w eb.– Q 2: N am e other application w hich tunneling user tra ffic .
6/19/18
15
Exercise 7: SIP
• File– sip_chat.pcap
• Questions:– Q 1: C an w e lis ten to S IP vo ice?
– Q 2: H ow !!
Virustotal
• https://www.virustotal.com/• Checking virus
30This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
6/19/18
16
LAB
32
6/19/18
17
Defense and Mitigation – Community
• You can’t do it all alone!
33
Defense and Mitigation – Community
• … and luckily, there is a great community providing services/tools, such as– Security @ APN IC https://w w w.apnic.net/security
– Passive D N S by cert.a t– Panopticon Shared P roxy by c irc l.lu et a l.
– openresolverpro ject.com / w w w.openresolver.n l– n6 R eports by cert.p l
– C AP R eports by Team C ym ru– phishtank.com , spam cop.net
– C ontacts contacts contacts– … and m any m ore – w hat e lse do you know / o ffer?
34
6/19/18
18
Issue Date:
Revision:
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir
3636
Thank You!END OF SESSION