Security Camp 2012
Agenda
- Basics
  - What is "Network Security Analysis"?
  - How useful is it for your security activities?
  - Who uses network analyzers?
- Tool Introduction
  - About Wireshark
  - Sniffer positioning
  - Features & panels
- Exercise
What is “Network Security Analysis” ?
- An important activity for incident responders and security analysts
- Data travels around your network like a train. With a packet sniffer you can capture that data and look inside the packets to see what is actually moving along the tracks.
What is "Network Security Analysis"? (Cont.)
- The process of capturing, decoding, and analyzing network traffic
- Related to many security activities:
  - Network monitoring: to detect an on-going incident
  - Network forensics: to find evidence for a specific incident
  - Malware analysis: to find the capabilities of a malware sample, such as "sending important data to malicious servers" or "bot command & control"
Who Uses Network Analyzers
- System administrators
  - Understand system problems and performance
  - Intrusion detection
- Malicious individuals (intruders)
  - Capture cleartext data
  - Passively collect data on vulnerable (cleartext) protocols: FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
  - Capture VoIP data
  - Map the target network
  - Traffic pattern discovery
  - Actively break into the network (backdoor techniques)
Network security analysis - Flow based
- Features
  - Focus on network flows / traffic volumes instead of each packet
  - Good approach for a high-level overview or for accounting
- Tools
  - NetFlow / sFlow
  - MRTG / RRDtool
Network security analysis - Packet based
- Features
  - Focus on each packet or on a group of packets
  - Can analyze thoroughly, but at a high cost (storage and analyst time)
- Tools / Techniques
  - tcpdump
  - Wireshark / tshark
Network security analysis - Packet based (Cont.)
- Capture packets
  - Don't use Wireshark itself to capture packets
  - Avoid running Wireshark with root privilege: its hundreds of protocol dissectors are a large attack surface, and a malformed packet arriving from the wire can trigger a dissector bug in a process that is running as root (see the Wireshark security advisories)
  - Use a simpler, dedicated program instead, e.g. tcpdump or dumpcap (Wireshark's own capture engine), and analyze the saved capture file afterwards as an unprivileged user
- Analyze packets
  - Wireshark is your best friend for this purpose.
Tool Introduction: About Wireshark
- Wireshark is a free and open-source tool
- Runs on many OSs: Windows / Linux / *BSD / Solaris and others
- User interfaces
  - GUI: Packet List / Packet Details / Packet Bytes panes
  - CUI: tshark (command-line mode)
- Many features: search / filter / colorize / statistics / others
- Security advisories for vulnerabilities in Wireshark itself: http://www.wireshark.org/security/
Tool Introduction: About Wireshark (Cont.)
- Decodes over 750 protocols
- Compatible with many other sniffers (reads and writes their capture-file formats)
- Plenty of online resources are available
- Supports command-line and GUI interfaces
- tshark (the command-line interface) ships together with other command-line tools:
  - editcap (edit, split and convert capture files)
  - mergecap (merge several capture files into one)
  - text2pcap (turn a hex dump back into a pcap file)
Tool Introduction: Sniffer Positioning
- Hub: a hub repeats every frame to all of its ports, so a sniffer plugged into any port sees all traffic on the segment.
- Switches: a switch forwards a frame only to the port that owns the destination MAC address, so a sniffer on an ordinary port sees only broadcast traffic and its own. To see other hosts' traffic, use a mirror (SPAN) port on the switch, a network tap, or put the sniffer inline.
Wireshark (and WinPcap): the capture stack, top to bottom
- Wireshark: application for sniffing and analyzing packets
- WinPcap: open-source library for packet capture (libpcap on Unix/Linux)
- Operating system: Windows & Unix/Linux
- Network card drivers: Ethernet / WiFi card
- Ethernet card
Getting Wireshark
- Download the program from www.wireshark.org/download.html
- Requires a packet-capture driver/library (to monitor the interface and hand every passing packet to the application)
  - Windows: WinPcap (www.winpcap.org)
  - Linux: libpcap
Running Wireshark
Simple Capture
Capture Options
Main window panes (packet #215 selected):
- Packet List: packet #215 is an HTTP packet
- Packet Details: decoded fields of the selected packet (#215)
- Packet Bytes: raw data (content of packet #215)
Menu Bar
Status Bar
Filtering HTTP packets only (display filter: http)
Right Click Filtering
Follow TCP Stream
Protocol Hierarchy
Conversations
Expert Info
Capture Filter (applied while capturing, in libpcap/BPF syntax; distinct from the display filters applied to the Packet List afterwards)
Exercise 1
FTP Traffic
Exercise 1: FTP Traffic
- Q1. Packet capture date?
- Q2. Protocol analysis?
- Q3. FTP server's IP address is
- Q4. FTP client's IP address is
- Q5. FTP error code 530 means
- Q6. 10.234.125.254 attempt
Exercise 2
Malware Communication Traffic
Exercise 2: Malware Communication Traffic
- Q1. What kind of malicious activity did this malware do?
- Q2. What is the malicious server's IP address?
Exercise 3
Malicious HTTP Traffic
Exercise 3: Malicious HTTP Traffic
- Q1. Which site and which page were defaced?
  - site
  - page
- Q2. Which URL looks malicious?
- Q3. Which software seemed to be the target of this exploit?
- Q4. What kind of malicious activity was executed after the exploit?
HTTP Analysis
HTTP Analysis – Load Distribution
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
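The three HTTP statistics above (Load Distribution, Packet Counter, Requests) can also be computed outside the GUI from tshark field output, which is convenient for large captures and for scripting. The following is an added example, not code from the slides or from the Wireshark project. It assumes the tshark command line given in its docstring, runs over a constructed sample (hosts and URIs are made up), and adds one triage heuristic of its own that is not a Wireshark statistic: listing requests whose Host header is a bare IP address, a common trait of malware check-ins.

```python
"""HTTP statistics from tshark field output, mirroring Statistics > HTTP in Wireshark.
Added example. Assumed command line for a real capture:
  tshark -r capture.pcap -Y http -T fields -E separator=/t -e ip.src -e ip.dst \
      -e http.host -e http.request.method -e http.request.uri -e http.response.code
SAMPLE_OUTPUT below is constructed to look like that output."""
from collections import Counter, defaultdict

FIELDS = ["ip.src", "ip.dst", "http.host", "http.request.method",
          "http.request.uri", "http.response.code"]

SAMPLE_ROWS = [  # constructed: three requests to a web site, one POST to a bare IP address
    ("10.0.0.5", "93.184.216.34", "www.example.com", "GET", "/index.html", ""),
    ("93.184.216.34", "10.0.0.5", "", "", "", "200"),
    ("10.0.0.5", "93.184.216.34", "www.example.com", "GET", "/style.css", ""),
    ("93.184.216.34", "10.0.0.5", "", "", "", "200"),
    ("10.0.0.5", "93.184.216.34", "www.example.com", "GET", "/old/logo.png", ""),
    ("93.184.216.34", "10.0.0.5", "", "", "", "404"),
    ("10.0.0.5", "198.51.100.23", "198.51.100.23", "POST", "/counter/load.php", ""),
    ("198.51.100.23", "10.0.0.5", "", "", "", "200"),
]
SAMPLE_OUTPUT = "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"

def parse_fields(text):
    """Turn tshark -T fields output (one packet per line, tab separated) into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t")
            cols += [""] * (len(FIELDS) - len(cols))   # tolerate missing trailing columns
            rows.append(dict(zip(FIELDS, cols)))
    return rows

def requests(rows):
    """Only the packets that carry an HTTP request line."""
    return [r for r in rows if r["http.request.method"]]

def load_distribution(rows):
    """Requests per Host header and per server address (HTTP > Load Distribution)."""
    by_host, by_server = Counter(), Counter()
    for r in requests(rows):
        by_host[r["http.host"]] += 1
        by_server[r["ip.dst"]] += 1
    return by_host, by_server

def packet_counter(rows):
    """Requests by method and responses by status-code class (HTTP > Packet Counter)."""
    methods, statuses = Counter(), Counter()
    for r in rows:
        if r["http.request.method"]:
            methods[r["http.request.method"]] += 1
        elif r["http.response.code"]:
            statuses[r["http.response.code"][0] + "xx"] += 1
    return methods, statuses

def requests_by_host(rows):
    """URIs requested from each host, with counts (HTTP > Requests)."""
    tree = defaultdict(Counter)
    for r in requests(rows):
        tree[r["http.host"]][r["http.request.uri"]] += 1
    return tree

def bare_ip_hosts(rows):
    """Triage heuristic (added here, not a Wireshark feature): requests whose Host header
    is a literal IPv4 address instead of a name. Browsing almost always uses hostnames;
    malware talking to a hard-coded address often does not."""
    found = []
    for r in requests(rows):
        host = r["http.host"].split(":")[0]            # strip an optional :port
        parts = host.split(".")
        if len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts):
            found.append((host, r["http.request.method"], r["http.request.uri"]))
    return found

if __name__ == "__main__":
    rows = parse_fields(SAMPLE_OUTPUT)
    print("requests by host:", dict(load_distribution(rows)[0]))
    print("methods / status classes:", [dict(c) for c in packet_counter(rows)])
    for host, uris in requests_by_host(rows).items():
        print(host, dict(uris))
    print("requests to bare IP hosts:", bare_ip_hosts(rows))
```

On Wireshark 1.8 and older the display-filter option is `-R` rather than `-Y`; the field names are the same ones shown in the Packet Details pane, so any field visible there can be added with another `-e`.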
Export HTTP Objects
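Follow TCP Stream and Export HTTP Objects are two steps of one procedure: put the TCP segments of one direction back into sequence order, then parse the HTTP message and save its body. The following added example (not from the slides or from the Wireshark project) does both by hand on constructed segments of a single chunked HTTP response, delivered out of order and with one retransmission; it assumes the (seq, payload) pairs have already been extracted from a capture, for example with a pcap parser or `tshark -T fields -e tcp.seq -e tcp.payload`.

```python
"""Follow TCP Stream and Export HTTP Objects, done by hand on captured TCP segments.
Added example; the segments are constructed, not taken from a real capture."""

def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Segments are sorted into sequence order; bytes already present (retransmissions
    and overlaps) are dropped, and a hole in the sequence space raises instead of
    silently concatenating around it. 32-bit sequence wraparound is not handled,
    which is acceptable for the short streams typical of an exercise capture."""
    stream = bytearray()
    base = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if base is None:
            base = seq
        offset = seq - base
        if offset > len(stream):
            raise ValueError("missing segment: hole at stream offset %d" % len(stream))
        stream += payload[len(stream) - offset:]      # keep only bytes not seen yet
    return bytes(stream)

def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF ... 0)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip data and its trailing CRLF

def parse_http_response(stream):
    """Split a reassembled response into status line, header dict and decoded body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return lines[0].decode("ascii", "replace"), headers, body

def export_object(segments):
    """Follow the stream, then pull out the transferred object the way Export HTTP
    Objects does: returns (status line, content type, body bytes)."""
    status, headers, body = parse_http_response(reassemble(segments))
    return status, headers.get("content-type", "application/octet-stream"), body

def build_sample_segments(isn=1000):
    """Constructed sample: a chunked HTML response split into four segments, handed
    back out of order and with the second segment retransmitted."""
    parts = [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n",
             b"10\r\n<html><body>hi</\r\n",
             b"c\r\nbody></html>\r\n",
             b"0\r\n\r\n"]
    segs, seq = [], isn
    for part in parts:
        segs.append((seq, part))
        seq += len(part)
    return [segs[2], segs[0], segs[1], segs[1], segs[3]]

if __name__ == "__main__":
    status, ctype, body = export_object(build_sample_segments())
    print(status, ctype, len(body), "bytes")
    with open("exported_object.html", "wb") as fh:   # like Export HTTP Objects > Save
        fh.write(body)
```

Wireshark's own Follow TCP Stream shows both directions interleaved and colour-coded; the function above handles one direction at a time, so run it once on the client-to-server segments (the request) and once on the server-to-client segments (the response and the object).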
Packet Length
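The Protocol Hierarchy, Conversations and Packet Length statistics shown in the preceding slides all derive from the same few per-frame fields, so one script can reproduce all three from tshark output. The following is an added example, not code from the slides or from the Wireshark project; it assumes the tshark command line in its docstring and runs over a constructed sample of nine frames (one HTTP exchange, one DNS lookup, one ARP frame) whose addresses and sizes are made up. The length buckets are the ones Wireshark uses in Statistics > Packet Lengths.

```python
"""Protocol hierarchy, conversations and packet-length histogram from tshark fields.
Added example. Assumed command line for a real capture:
  tshark -r capture.pcap -T fields -E separator=/t -e frame.len -e frame.protocols \
      -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport
SAMPLE_OUTPUT below is constructed to look like that output."""
FIELDS = ["frame.len", "frame.protocols", "ip.src", "ip.dst",
          "tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport"]

SAMPLE_ROWS = [  # constructed: one HTTP exchange, one DNS lookup, one ARP frame
    ("74", "eth:ethertype:ip:tcp", "10.0.0.5", "93.184.216.34", "51234", "80", "", ""),
    ("74", "eth:ethertype:ip:tcp", "93.184.216.34", "10.0.0.5", "80", "51234", "", ""),
    ("66", "eth:ethertype:ip:tcp", "10.0.0.5", "93.184.216.34", "51234", "80", "", ""),
    ("512", "eth:ethertype:ip:tcp:http", "10.0.0.5", "93.184.216.34", "51234", "80", "", ""),
    ("1514", "eth:ethertype:ip:tcp:http", "93.184.216.34", "10.0.0.5", "80", "51234", "", ""),
    ("1514", "eth:ethertype:ip:tcp", "93.184.216.34", "10.0.0.5", "80", "51234", "", ""),
    ("84", "eth:ethertype:ip:udp:dns", "10.0.0.5", "10.0.0.1", "", "", "53412", "53"),
    ("170", "eth:ethertype:ip:udp:dns", "10.0.0.1", "10.0.0.5", "", "", "53", "53412"),
    ("60", "eth:ethertype:arp", "", "", "", "", "", ""),
]
SAMPLE_OUTPUT = "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"

# Wireshark's Statistics > Packet Lengths buckets; upper bound None means open ended
LENGTH_BUCKETS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
                  (640, 1279), (1280, 2559), (2560, 5119), (5120, None)]

def bucket_label(lo, hi):
    return "%d-%d" % (lo, hi) if hi is not None else "%d+" % lo

def parse_fields(text):
    """Turn tshark -T fields output (one frame per line, tab separated) into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t")
            cols += [""] * (len(FIELDS) - len(cols))   # tolerate missing trailing columns
            rows.append(dict(zip(FIELDS, cols)))
    return rows

def protocol_hierarchy(rows):
    """(frames, bytes) per protocol path, e.g. 'eth/ethertype/ip/tcp/http'."""
    tree = {}
    for r in rows:
        size, path = int(r["frame.len"]), []
        for proto in r["frame.protocols"].split(":"):
            path.append(proto)
            key = "/".join(path)
            frames, nbytes = tree.get(key, (0, 0))
            tree[key] = (frames + 1, nbytes + size)
    return tree

def conversations(rows, transport="tcp"):
    """Packets and bytes per endpoint pair, split by direction (Statistics > Conversations)."""
    convs = {}
    for r in rows:
        if not r["ip.src"] or not r[transport + ".srcport"]:
            continue
        a = (r["ip.src"], int(r[transport + ".srcport"]))
        b = (r["ip.dst"], int(r[transport + ".dstport"]))
        key = tuple(sorted((a, b)))            # same key whichever way the packet flows
        c = convs.setdefault(key, {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
        c["packets"] += 1
        c["bytes"] += int(r["frame.len"])
        c["a_to_b" if a == key[0] else "b_to_a"] += 1
    return convs

def packet_lengths(rows):
    """Histogram of frame sizes in Wireshark's Packet Lengths buckets."""
    hist = {bucket_label(lo, hi): 0 for lo, hi in LENGTH_BUCKETS}
    for r in rows:
        size = int(r["frame.len"])
        for lo, hi in LENGTH_BUCKETS:
            if size >= lo and (hi is None or size <= hi):
                hist[bucket_label(lo, hi)] += 1
                break
    return hist

if __name__ == "__main__":
    rows = parse_fields(SAMPLE_OUTPUT)
    for path, (frames, nbytes) in sorted(protocol_hierarchy(rows).items()):
        print("%-30s %3d frames %6d bytes" % (path, frames, nbytes))
    for transport in ("tcp", "udp"):
        for (a, b), c in conversations(rows, transport).items():
            print("%s %s:%d <-> %s:%d %s" % ((transport.upper(),) + a + b + (c,)))
    print(packet_lengths(rows))
```

A conversation with many small packets in one direction and none coming back, or a protocol path such as `eth/ethertype/ip/tcp` with no application layer on an unexpected port, is exactly the kind of thing these tables surface before any individual packet is opened; the histogram likewise separates a flood of minimum-size frames from bulk transfer at full MTU.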