1 v1.2
Packet Analysis
Agenda
• Overview of protocols
• Overview of various tools, for example tcpdump, tcpreplay, CloudShark, tshark and Wireshark
• Introduction to packet capturing
• Strategies for packet analysis
• Analyse encrypted traffic
OSI and TCP/IP model
OSI Reference Model                          TCP/IP Model
7 Application, 6 Presentation, 5 Session  -> Application
4 Transport                               -> Transport
3 Network                                 -> Internet
2 Data Link, 1 Physical                   -> Network Access (Link Layer)
OSI and TCP/IP model
OSI Reference Model       TCP/IP Model                  Example protocols
Layer 7: Application      Application                   HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH, SMTP, SNMP, Telnet, DNS, DHCP
Layer 6: Presentation     Application
Layer 5: Session          Application                   NFS, Socks
Layer 4: Transport        Transport                     TCP, UDP, SCTP
Layer 3: Network          Internet                      IPv4, IPv6, ICMP, ICMPv6, IGMP
Layer 2: Data Link        Network Access (Link Layer)   Ethernet, PPP, ARP, NDP, OSPF
Layer 1: Physical         Network Access (Link Layer)
OSI and TCP/IP model
Encapsulation: on the way down the sending stack, each layer puts its own header in front of the data it received from the layer above; the receiving stack strips the headers in the reverse order.
Application (HTTP, DNS, FTP):     Data
Transport (TCP/UDP):              Transport Header | Data
Internet (IPv4/IPv6):             IP Header | Transport Header | Data
Network Access (Ethernet, PPP):   Frame Header | IP Header | Transport Header | Data
Physical:                         0011010100000111 (bits on the wire)
https://gettys.wordpress.com/2018/04/09/mythology-about-security/
Ethernet frame
https://en.wikipedia.org/wiki/EtherType#Examples
Internet Protocol (IPv4)
https://tools.ietf.org/html/rfc791#section-2.1
Internet Protocol (IPv6)
https://tools.ietf.org/html/rfc8200#page-6
Transmission Control Protocol (TCP)
https://tools.ietf.org/html/rfc793#section-3.1
User Datagram Protocol
https://tools.ietf.org/html/rfc768
Telnet
• Diagram: a terminal connecting to servers and routers over Telnet
https://packetlife.net/captures/protocol/telnet/
https://tools.ietf.org/html/rfc854
Secure Shell (SSH)
• Authenticated and encrypted shell access to a remote host
• Client-server model
• TCP 22
• It is much more than a secure shell
– Transport protocol (e.g. SCP, SFTP)
– Connection forwarder
• You can use it to build custom tunnels
https://packetlife.net/captures/protocol/ssh/
Module 2: Tools
Packet capture
• tcpdump – command line utility used to capture and analyse packets on network interfaces
• Wireshark / TShark – utility used to capture and analyse packets on network interfaces
• Cloudshark – web-based utility used to analyse packet captures
• Zeek (formerly Bro) – network traffic analysis tool
tcpdump
• tcpdump is a command line utility to capture and analyze network packets
– From the man page:
tcpdump
• tcpdump by default captures packets and prints them out
– -n: don't translate numbers to names (bypass the default)
– -i: interface to listen on
tcpdump -n -i en0 port 53
– The output shows the DNS queries and the DNS responses
tcpdump
• With the -w flag you can write the packets to a file for later analysis
– -w: write to a file (test_capture.pcap)
– -c: packet count (stop after this many packets)
tcpdump -n -i en0 -w test_capture.pcap -c 100
tcpdump
• You can read packets from a file with the -r flag
– -r: read from a file (test_capture.pcap)
– port: only show packets that match the port number
tcpdump -r test_capture.pcap port 443
Examples
• Packets to or from a host: tcpdump -ni en0 host 10.10.10.10
• Packets to a host: tcpdump -ni en0 dst 10.10.10.10
• Packets from a host: tcpdump -ni en0 src 10.10.10.10
• Packets based on a protocol: tcpdump -ni en0 tcp
Capture filters
• Only capture TCP packets with the SYN flag set (and no other flag; byte 13 of the TCP header is the flags byte): tcpdump -ni en0 'tcp[13]==2'
• Capture ICMPv6 packets that are ONLY neighbor solicitations (byte 40 of the IPv6 packet is the ICMPv6 type): tcpdump -ni en0 'icmp6 and ip6[40] == 135'
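The header slides (Ethernet, IPv4, IPv6, TCP, UDP) and the two byte-offset capture filters above are easiest to understand by decoding a frame by hand. The following is an added Python example, not code from the slides or from tcpdump: it walks the encapsulation from the frame header down to the transport header, renders the TCP flags byte the way tcpdump prints it, and implements the same tests as `tcp[13]==2` and `ip6[40] == 135` directly on the bytes. The sample frames are constructed in the script (checksums left as zero, no IPv6 extension headers); they are not captured traffic.

```python
"""Decode Ethernet / IPv4 / IPv6 / TCP / UDP headers from raw bytes and apply the
byte-offset tests that the slide's tcpdump capture filters use.
Sample frames are constructed below (not real captures; checksums are zero)."""
import struct
from ipaddress import IPv4Address, IPv6Address

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP, PROTO_ICMPV6 = 6, 17, 58
# Bit -> letter, in the order tcpdump prints them (FIN, SYN, RST, PSH, ACK='.', URG)
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]


def tcp_flags_str(flags: int) -> str:
    """Render the TCP flags byte like tcpdump does: 'S', 'P.', 'R.', ..."""
    return "".join(letter for bit, letter in TCP_FLAG_LETTERS if flags & bit)


def parse_frame(frame: bytes) -> dict:
    """Walk the encapsulation: frame header -> IP header -> transport header."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth_src": src_mac.hex(":"), "eth_dst": dst_mac.hex(":"), "ethertype": ethertype}
    ip = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        ihl = (ip[0] & 0x0F) * 4                       # IHL field -> header length in bytes
        pkt.update(src=str(IPv4Address(ip[12:16])), dst=str(IPv4Address(ip[16:20])),
                   ttl=ip[8], proto=ip[9], total_length=struct.unpack("!H", ip[2:4])[0])
        transport = ip[ihl:]
    elif ethertype == ETHERTYPE_IPV6:
        # Fixed 40-byte header; extension headers are not walked here (assumption).
        pkt.update(src=str(IPv6Address(ip[8:24])), dst=str(IPv6Address(ip[24:40])),
                   hop_limit=ip[7], proto=ip[6], payload_length=struct.unpack("!H", ip[4:6])[0])
        transport = ip[40:]
    else:
        return pkt                                     # e.g. ARP: not decoded further
    if pkt["proto"] == PROTO_TCP:
        sport, dport, seq, ack = struct.unpack("!HHII", transport[:12])
        data_offset = (transport[12] >> 4) * 4         # TCP header length in bytes
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, tcp_flags=transport[13],
                   flags=tcp_flags_str(transport[13]), payload=transport[data_offset:])
    elif pkt["proto"] == PROTO_UDP:
        sport, dport, length, _checksum = struct.unpack("!HHHH", transport[:8])
        pkt.update(sport=sport, dport=dport, udp_length=length, payload=transport[8:])
    elif pkt["proto"] == PROTO_ICMPV6:
        pkt.update(icmp6_type=transport[0], icmp6_code=transport[1])
    return pkt


def matches_tcp_syn_only(frame: bytes) -> bool:
    """Same test as the capture filter 'tcp[13]==2': the flags byte is exactly SYN."""
    pkt = parse_frame(frame)
    return pkt.get("proto") == PROTO_TCP and pkt["tcp_flags"] == 0x02


def matches_icmp6_neighbor_solicitation(frame: bytes) -> bool:
    """Same test as 'icmp6 and ip6[40] == 135': byte 40 of the IPv6 packet is the
    ICMPv6 type field, and type 135 is Neighbor Solicitation."""
    pkt = parse_frame(frame)
    return (pkt.get("ethertype") == ETHERTYPE_IPV6 and pkt.get("proto") == PROTO_ICMPV6
            and frame[14 + 40] == 135)


# --- constructed sample frames (not captured traffic) ---
ETH = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")   # dst MAC, src MAC


def ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return ETH + struct.pack("!H", ETHERTYPE_IPV4) + ip


def ipv6_icmp6_ns_frame(src, dst) -> bytes:
    icmp6 = struct.pack("!BBHI16s", 135, 0, 0, 0, IPv6Address(dst).packed)  # NS for dst
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6), PROTO_ICMPV6, 255,
                      IPv6Address(src).packed, IPv6Address(dst).packed) + icmp6
    return ETH + struct.pack("!H", ETHERTYPE_IPV6) + ip6


SYN_FRAME = ipv4_tcp_frame("10.10.10.10", "192.0.2.1", 51234, 443, 0x02)
PSH_ACK_FRAME = ipv4_tcp_frame("10.10.10.10", "192.0.2.1", 51234, 443, 0x18, b"GET / HTTP/1.1\r\n")
NS_FRAME = ipv6_icmp6_ns_frame("fe80::1", "fe80::2")

if __name__ == "__main__":
    for f in (SYN_FRAME, PSH_ACK_FRAME, NS_FRAME):
        p = parse_frame(f)
        print(p.get("src"), ">", p.get("dst"), p.get("flags", p.get("icmp6_type")),
              "syn-only:", matches_tcp_syn_only(f), "icmp6-NS:", matches_icmp6_neighbor_solicitation(f))
```

Note that `tcp[13]` is indexed from the start of the TCP header, so the code has to honour the IPv4 IHL field before it can find byte 13; a filter written against a fixed offset from the start of the frame would break on packets carrying IP options.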
Reading tcpdump Output
• UDP packets (a DNS query and its response), read left to right:
– Timestamp
– Source IP and source port
– Destination IP and destination port
– Query ID and DNS query
– Query size
– The response line shows 2 answers
Reading tcpdump Output
• TCP packets:
– Flags: P = PUSH, . = ACK
– Length of a segment is the difference of the sequence range printed, e.g. 531-1 and 1959-531
• Seen a "connection refused" error?
– You sent SYN, but the server responded with an RST packet!
Wireshark
• Wireshark is a graphical network packet/protocol analyzer
Why Wireshark?
• Network admins use it to troubleshoot network problems
• Security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals
What Wireshark isn't
• Not an intrusion detection system
– Won't alert on strange things in your network
• Will only "read" packets
– Will not manipulate packets on the network
How to Install
• Straightforward
– Download
• https://www.wireshark.org/download.html
– Install
• Just double-click and follow the instructions
– Further details
• https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallWinInstall.html
• https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html
Capture Packets
• Choose the interface to capture on, then start the capture
• The interface is in promiscuous mode by default
Dashboard
• Main toolbar
• Packet list pane
• Packet bytes pane
Filters
• Capture filter
– Only capture packets that match the expression
• https://wiki.wireshark.org/CaptureFilters
Filters
• Display filter
– Look for specifics: ports, protocols, etc.
• Helps drill down to the traffic of interest
• >3000 protocols & ~250K fields (https://www.wireshark.org/docs/dfref/)
Apply Filters
• ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
• ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
• http or dns [sets a filter to display all http and dns]
• tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
• tcp.flags.reset==1 [displays all TCP resets]
• http.request [displays all HTTP GET requests]
• tcp contains rviews [displays all TCP packets that contain the word ‘rviews’. Excellent when searching on a specific string or user ID]
• !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]
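The point of the list above that trips people up is that `ip.addr` and `tcp.port` match either direction, so `ip.addr==10.0.0.1 && ip.addr==10.0.0.2` is a conversation filter rather than a contradiction. The following is an added Python example, not Wireshark's own filter engine: a small recursive-descent parser for the operators these eight filters use (`==`, `!=`, `contains`, bare protocol/field names, `and`/`&&`, `or`/`||`, `not`/`!`, parentheses), evaluated over a constructed list of packet records. Field names are the Wireshark ones; the records and the alias table are assumptions made for the example.

```python
import re

# Constructed packet records (not a real capture): the protocol names Wireshark
# would list for the packet plus the field values a display filter can reference.
PACKETS = [
    {"protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2",
     "tcp.srcport": 52000, "tcp.dstport": 4000, "tcp.flags.reset": 0, "http.request": True,
     "tcp.payload": b"GET /rviews HTTP/1.1"},
    {"protocols": {"eth", "ip", "tcp"}, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1",
     "tcp.srcport": 4000, "tcp.dstport": 52000, "tcp.flags.reset": 1, "tcp.payload": b""},
    {"protocols": {"eth", "ip", "udp", "dns"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.53",
     "udp.srcport": 40000, "udp.dstport": 53},
    {"protocols": {"eth", "arp"}},
    {"protocols": {"eth", "ip", "icmp"}, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.1"},
]

# Names that expand to several fields: ip.addr and tcp.port match either direction;
# 'tcp contains ...' searches the TCP payload bytes in this model (assumption).
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
           "udp.port": ("udp.srcport", "udp.dstport"), "tcp": ("tcp.payload",)}

TOKEN_RE = re.compile(r'\s*(==|!=|&&|\|\||!|\(|\)|"[^"]*"|[A-Za-z0-9_.]+)')


def tokenize(expr):
    """Split a filter string into operators, names and quoted literals."""
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class DisplayFilter:
    """Precedence, lowest first: or/|| < and/&& < not/! < atom, where an atom is
    '(expr)', 'name op literal' (op in ==, !=, contains) or a bare name."""
    def __init__(self, expr):
        self.tokens, self.i = tokenize(expr), 0
        self.ast = self._or()
        if self.i != len(self.tokens):
            raise ValueError("unexpected trailing tokens")

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _next(self):
        self.i += 1
        return self.tokens[self.i - 1]

    def _or(self):
        node = self._and()
        while self._peek() in ("or", "||"):
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() in ("and", "&&"):
            self._next()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() in ("not", "!"):
            self._next()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        if self._peek() in ("==", "!=", "contains"):
            op = self._next()
            return (op, tok, self._next().strip('"'))
        return ("present", tok)            # bare protocol or field name

    def __call__(self, pkt):
        return evaluate(self.ast, pkt)


def evaluate(node, pkt):
    kind = node[0]
    if kind == "present":                  # 'http', 'http.request': protocol or field exists
        return node[1] in pkt["protocols"] or node[1] in pkt
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    _, name, literal = node
    values = [pkt[n] for n in ALIASES.get(name, (name,)) if n in pkt]
    if kind == "contains":
        return any(literal.encode() in v for v in values if isinstance(v, bytes))
    hit = any(str(v) == literal for v in values)
    return hit if kind == "==" else bool(values) and not hit


def apply_filter(expr, packets=PACKETS):
    """Indices of the packets a display filter keeps, in capture order."""
    keep = DisplayFilter(expr)
    return [i for i, p in enumerate(packets) if keep(p)]


if __name__ == "__main__":
    for expr in ("ip.addr == 10.0.0.1", "ip.addr==10.0.0.1 && ip.addr==10.0.0.2", "http or dns",
                 "tcp.port==4000", "tcp.flags.reset==1", "http.request", "tcp contains rviews",
                 "!(arp or icmp or dns)"):
        print(f"{expr:42} -> packets {apply_filter(expr)}")
```

Packet 3 (ARP) has no IP fields at all, so `ip.addr == 10.0.0.1` evaluates to false for it rather than raising; that mirrors how a display filter silently skips packets that lack the field, which is why `!(arp or icmp or dns)` is the right way to mask background protocols.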
Protocol Streams
• Wireshark allows you to follow protocol streams
– As seen by the application layer
• e.g. maybe you want to see a password in a telnet stream
Statistics menu
• What protocols are used in your network?
– Statistics -> Protocol Hierarchy
Statistics menu
• Which host is consuming your bandwidth?
– Statistics -> Conversations
Decrypt TLS traffic
• Need the certificate's private key or the shared (session) key
https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures#ssl-with-decryption-keys
Need CLI?
• Where you don’t have a user interface
– tshark is the terminal version of Wireshark
• Has all the options of Wireshark
– https://www.wireshark.org/docs/man-pages/tshark.html
Zeek (formerly Bro)
• Vern Paxson started development in 1995
• Zeek's scripting language is used for fine-grained, anomaly-related detection and processing
• After processing network traffic, Zeek outputs statistical log files
• By default, log files are separated by the transport protocol and related characteristics:
Connection     Protocol-Specific   Detection        Observations
conn.log       http.log            notice.log       known_certs.log
files.log      ftp.log             signatures.log   known_services.log
X509.log       DNS.log             traceroute.log   weird.log
Module 3: Strategies for packet analysis
Signature analysis
• Distinctive marks of known bad traffic used to generate alerts, e.g. for
– virus detection,
– malicious websites or
– malware files.
• Distinctive marks include:
– IP addresses
– Hostnames
– Offsets – for example, in a memory-related exploit
– Debug information
– "Ego" strings (strings left in the code)
– Header information
Signature analysis
• An example could be detecting an nmap scan of a network by looking at the source IP, destination IP and ports.
https://www.hackingarticles.in/understanding-nmap-scan-wireshark/
https://asecuritysite.com/log/nmap.zip
Session analysis
• Utilises the session metadata to determine what is happening during a session:
– which devices are causing the traffic,
– the type of traffic or
– what data is being transferred.
• Looks at the behaviour of the sessions and flags behaviour that is not normal.
Session analysis
• An example: once a network has been compromised, ping (ICMP) may be used to exfiltrate data, so look for echo packets carrying more payload than a normal ping.
Wireshark filter: “data.len > 76”
https://www.cloudshark.org/captures/e7f1b8c0b434?filter=data.len%20>%2071
Which technique?
• Signature analysis – can be used to create the alert; then
• Session analysis – can help investigate the alert further.
Module 4: Demo
https://academy.apnic.net/en/virtual-labs?labId=55334
TCPdump command example
# cd /opt/samples
# tcpdump -nn -r fake_av.pcap | wc -l
# tcpdump -nn -r fake_av.pcap | head
# tcpdump -nn -r fake_av.pcap | cut -f 3 -d " " | head
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head
Display top 10 destinations
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
-nn = don't use DNS to resolve IPs and don't translate port numbers to service names
-r = read packets from the pcap file
-f = (cut) field to select
-d = (cut) delimiter to use
TCPdump command example
# tcpdump -nn -r fake_av.pcap 'port 53' | head -5
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 9 -d " " | head
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'
If a suspicious domain name is found, check whether it is malicious with https://www.virustotal.com/gui/home/url
TCPdump command example
# cd /opt/samples/mta
# for capfile in *.pcap; do tcpdump -nn -r "$capfile" 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'; done
Check for plain text passwords in pcap files
# for capfile in *.pcap; do tcpdump -nn -lA -r "$capfile" 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | grep -E -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '; done
-l = force line buffered mode
-A = include ASCII strings from the capture
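The three tcpdump slides above build one text-processing pipeline: cut the destination column and count it, grep the DNS lines for names outside the common TLDs, and grep the ASCII payload for credential keywords. The following is an added Python example, not code from the course or the lab VM, that does the same three jobs on constructed `tcpdump -nn` output lines and constructed `-A` payload lines (neither is from fake_av.pcap). It goes slightly beyond the shell version in two places: it checks the TLD of the query name rather than dropping any line that merely contains "com" somewhere, and it does not mangle addresses that carry no port (ICMP lines), which `cut -f 1-4 -d "."` would.

```python
import re
from collections import Counter

# Constructed tcpdump -nn output (not a real capture), in the format the slides read.
TCPDUMP_LINES = """\
12:00:01.000123 IP 10.0.0.5.51234 > 192.0.2.10.53: 12345+ A? update.example.com. (36)
12:00:01.000456 IP 192.0.2.10.53 > 10.0.0.5.51234: 12345 1/0/0 A 203.0.113.7 (52)
12:00:01.100000 IP 10.0.0.5.51235 > 192.0.2.10.53: 12346+ A? dl.suspicious-host.xyz. (40)
12:00:01.200000 IP 10.0.0.5.40000 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
12:00:01.300000 IP 10.0.0.5.40000 > 203.0.113.7.80: Flags [P.], seq 1:531, ack 1, win 65535, length 530
12:00:02.000000 IP 10.0.0.6.40001 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
12:00:02.500000 IP 10.0.0.9 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

# Constructed ASCII payload lines, as tcpdump -lA would print them (sample values only).
ASCII_LINES = [
    "POST /login HTTP/1.1",
    "Host: 203.0.113.7",
    "Content-Type: application/x-www-form-urlencoded",
    "user=alice&pass=example-secret",
    "HTTP/1.1 302 Found",
    "220 mail.example.com ESMTP",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
COMMON_TLDS = {"com", "net", "org", "gov", "mil", "arpa"}
# The keyword list from the slide's grep, unchanged.
CRED_RE = re.compile(r"pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|"
                     r"pass:|user:|username:|password:|login:|pass |user ", re.IGNORECASE)


def split_addr(addr):
    """'10.0.0.5.51234' -> ('10.0.0.5', 51234); an address without a port -> (addr, None).
    Replaces the slide's cut -f 1-4 -d '.', which would truncate a portless IPv4 address."""
    has_port = addr.count(".") > 3 if ":" not in addr else "." in addr
    if not has_port:
        return addr, None
    ip, _, port = addr.rpartition(".")
    return ip, int(port)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, src_port = split_addr(m["src"])
    dst_ip, dst_port = split_addr(m["dst"])
    return {"ts": m["ts"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "rest": m["rest"]}


def top_destinations(lines, n=10):
    """Equivalent of: cut -f 5 -d ' ' | cut -f 1-4 -d '.' | sort | uniq -c | sort -nr | head."""
    counts = Counter(p["dst_ip"] for p in map(parse_line, lines) if p)
    return counts.most_common(n)


def unusual_dns_queries(lines):
    """Query names seen on port 53 whose TLD is not one of the common ones the slide greps out."""
    names = []
    for p in filter(None, map(parse_line, lines)):
        if 53 not in (p["src_port"], p["dst_port"]):
            continue
        m = re.search(r"\b[A-Z]+\? (\S+)\.", p["rest"])   # e.g. 'A? dl.suspicious-host.xyz.'
        if m and m.group(1).rsplit(".", 1)[-1].lower() not in COMMON_TLDS:
            names.append(m.group(1))
    return names


def credential_lines(ascii_lines):
    """Payload lines matching the slide's credential-keyword pattern (case-insensitive)."""
    return [line for line in ascii_lines if CRED_RE.search(line)]


if __name__ == "__main__":
    print("top destinations:", top_destinations(TCPDUMP_LINES))
    print("unusual DNS names:", unusual_dns_queries(TCPDUMP_LINES))
    print("credential lines:", credential_lines(ASCII_LINES))
```

The keyword pattern is deliberately broad (it will also hit `user ` in ordinary sentences), which is why the slide pairs it with `-B5` so the analyst sees the surrounding lines and can discard false positives by eye.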
TShark command example
# cd /opt/samples
# tshark -r fake_av.pcap | wc -l
# tshark -r fake_av.pcap | head
# tshark -r fake_av.pcap -T fields -e ip.dst -e tcp.dstport | head
Display top 10 destinations
# tshark -r fake_av.pcap -T fields -e ip.dst | sort | uniq -c | sort -nr | head
Bro command example
# mkdir ~/fake && cp /opt/samples/fake_av.pcap ~/fake/. && cd ~/fake
# bro -C -r fake_av.pcap local
# cat dns.log | jq .query | grep -Ev '(com|net|org|gov|mil|arpa)' | uniq | grep -E '[a-z]'
(the jq step assumes dns.log is written in JSON format rather than the default tab-separated format)
Module 5: Exercises
Exercise
• Install Wireshark
• Download the captured (pcap) files from the lab website
– Follow the guides in the next pages
Exercise 1: Good Old Telnet
• File – telnet.pcap
• Question – Reconstruct the telnet session
– Q1: Who logged into 192.168.0.1? Username __________, Password __________ .
– Q2: After logging in, what did the user do?
Exercise 2: Covert channel
• File – covertinfo.pcap
• Question: Is it a genuine ICMP packet?
– Take a closer look! This is not a typical ICMP Echo/Reply...
Ex 3: Suspicious FTP activity
• File – ftp.pcap
• Question
– Q1: 10.121.70.151 is FTP ______ .
– Q2: 10.234.125.254 is FTP ______ .
– Q3: What is FTP Err Code 530? __________ .
– Q4: 10.234.125.254 attempts to ________.
• Tip – Number of login attempts within a minute?
Exercise 4: Chatty Employees
• File – chat.dmp
• Question
– Q1: What kind of protocol is used? _______
– Q2: This is a conversation between [email protected] and [email protected]
– Q3: What do they say about you (sysadmin)?
• Tip – Your chats can be monitored by your network admin.
Exercise 5: SIP
• File – sip_chat.pcap
• Question – Can we listen to the SIP voice call?