Advanced Packet Analysis and Troubleshooting Using Wireshark
23AF
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015 11:00am - 12:15am
Track AF | Level 1 | Atlantic VI
Learning Objectives
• Examine common protocols such as
  – TCP, HTTP, DNS, and FTP
• Evaluate
  – TCP/IP protocol stack vulnerabilities
  – Common passive attack signatures
  – Common active attack and malware signatures
EXPLORE THE WIRESHARK INTERFACE
Capture Packets
• Once you open a capture you will see three panes:
  – Top: packet list of all of the packets received during the capture session
  – Middle: details of a single frame
  – Bottom: the bytes of a single frame
ICMP
Internet Control Message Protocol
• Used to send error messages and query the network
• No data is exchanged
ICMP is actually an integral part of IP, and
must be implemented by every IP module.
A Scout for IP!
Internet Control Message Protocol
• ICMP is used by ping
  – It can generate echo-request/echo-reply query messages.
• Four types of query messages generated by the ping command
ICMP Message
Start with ICMP
Tracert to Generate ICMP Traffic
An ICMP Example
• Shows the ICMP packets tracing the route to COMMON.org
• Filter: icmp
• You will see the entire tracert communication
  – With a few errors!
ICMP-Destination Unreachable
ICMP within an IP Packet
When an ICMP error message is sent, the message always contains the IP header and the first 8 bytes of the IP datagram that caused the ICMP error to be generated.
ICMP Error Codes
• Type 3 Destination Unreachable Codes
  – 0 - Net Unreachable
  – 1 - Host Unreachable
  – 2 - Protocol Unreachable
ICMP Error Codes
• Type 11 Time Exceeded Codes
  – 0 - TTL Exceeded
  – 1 - Fragment Reassembly Time Exceeded
You should not allow fragmentation on your network!
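To make the "IP header plus first 8 bytes" rule concrete, here is an added example (not from the slides) that builds a Type 3 / Code 1 error around a constructed UDP probe and then decodes it the way Wireshark's ICMP dissector does, verifying the RFC 792 checksum and recovering the original source, destination, protocol and ports from the quoted bytes. The addresses and ports are made-up sample values.

```python
import struct
import ipaddress

# Names for the Type 3 and Type 11 codes listed on the slides.
ICMP_CODE_NAMES = {(3, 0): "Net Unreachable", (3, 1): "Host Unreachable",
                   (3, 2): "Protocol Unreachable", (11, 0): "TTL Exceeded",
                   (11, 1): "Fragment Reassembly Time Exceeded"}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: ones-complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header (constructed; header checksum left as 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto,
                       0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_icmp_error(icmp_type: int, code: int, orig_datagram: bytes) -> bytes:
    """Build an ICMP error quoting the offending IP header plus its first 8 bytes."""
    ihl = (orig_datagram[0] & 0x0F) * 4
    body = orig_datagram[:ihl + 8]
    head = struct.pack("!BBHI", icmp_type, code, 0, 0)   # checksum field zeroed
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(head + body), 0) + body

def parse_icmp_error(pkt: bytes) -> dict:
    """Decode an ICMP error and recover what it tells us about the original datagram."""
    if icmp_checksum(pkt) != 0:          # a valid packet checksums to zero
        raise ValueError("bad ICMP checksum")
    inner = pkt[8:]                       # quoted IP header + 8 bytes of payload
    ihl = (inner[0] & 0x0F) * 4
    info = {"type": pkt[0], "code": pkt[1],
            "name": ICMP_CODE_NAMES.get((pkt[0], pkt[1]), "other"),
            "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
            "orig_dst": str(ipaddress.IPv4Address(inner[16:20])), "orig_proto": inner[9]}
    if info["orig_proto"] in (6, 17):     # TCP/UDP: ports are the first 4 quoted bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

# Constructed sample: a UDP probe 192.0.2.10:40000 -> 198.51.100.7:33434 answered
# with Type 3 Code 1 (Host Unreachable). Only the first 8 bytes are ever quoted.
UDP_PROBE = ipv4_header("192.0.2.10", "198.51.100.7", 17, 28) + struct.pack("!HHHH", 40000, 33434, 8, 0)
SAMPLE_ERROR = build_icmp_error(3, 1, UDP_PROBE)
```

Because only 8 bytes of the original payload come back, the ports survive but nothing after them does, which is exactly what you see in Wireshark's inner TCP/UDP summary for a Destination Unreachable.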
Which ICMP do you allow?
• The only essential ICMP traffic
  – Type 3 Destination unreachable
  – Type 4 Source quench
• Optional
  – 0 Echo Reply
  – 8 Echo
  – 11 Time Exceeded (traceroute)
ICMP Attacks
• Can be altered for evil purposes.
  – ICMP is used in reconnaissance by Kali Linux
  – Denial of Service
  – Covert Channel
Network Scans
• Nmap is a tool used to discover hosts and services on a network
• Creates a "map" of the network
Network Scans
• It can be used to quickly scan thousands of ports
  – To see ports in open or closed states.
• By default, Nmap performs a SYN Scan
Nmap
• Scanning can be used as a passive attack in the form of reconnaissance.
• After running a scan, the software will output results from the IP range you selected
Nmap Output
• Ports | Hosts
  – The results of the port scan
  – Including the well-known services for those ports.
Nmap Output
• Topology
  – An interactive view of the connections between hosts in a network.
• Host Details
  – Details such as the number of ports, IP addresses, hostnames, operating systems, and more.
Normal Three Way Handshake
Port Scan
• A RST/ACK sent in response to a SYN frame
• Sent to acknowledge the receipt of the frame
  – Lets the client know that the server cannot allow the connection on that port.
Port Scan
• Same source and destination IP address
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
Port Scan
• In packets 14, 15 and 16 we see an actual connection
• Then it continues to attempt another connection in packets 18, 19, 20
• Enable SYN flood protection
SEC-Bittorrent
• BitTorrent - peer-to-peer file sharing
• Uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents
  – Consists of a number of different queries and corresponding responses.
• Ping – used to check if a peer is available.
SEC-Bittorrent
• Find_node – used to find the contact information for a peer.
• Get_peers – requests a list of peers which have pieces of the content.
• Announce_peer – announces the contact information for the peer to the network.
SEC-Bittorrent
Right click on packet 22 and follow UDP Stream
Advice
• Understand attacks
• Take steps to defend your iSeries device
• National Cyber Awareness System
  – https://www.us-cert.gov/ncas
• Keep system patched and updated
• Monitor
WEP and why it is weak - Demo
• GO TO http://goo.gl/HYTVzz
• Software such as Kali Linux or Aircrack can recover the key used
  – After intercepting and analyzing only a small amount of WEP traffic.
28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37
QUESTIONS?
More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated
Lynda.com
• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark