Network Packet Analysis

Post on 18-May-2015


Transcript of Network Packet Analysis

Network Packet Analysis

Ahmad Muammar W.K. OSCP

Technical Workshop (21 December 2012)

Tuesday, January 22, 13

Agenda

• Play with a Captured Network File

• Wireshark Features

• Packet Analysis Case Study

• Other Packet Analysis Tools

• Create a Wireshark Dissector

Network Packet Analysis - Ahmad Muammar W.K. OSCP, Tuesday, January 22, 13

Packet Analysis

• Analyze fields within protocols

• Analyze protocols within packets

• Analyze packets within streams

• Reconstruct higher-layer protocols


Wireshark Statistics: Useful Features for Analysis


Summary

• Shows information about the data capture

• Contains: file information, the time the packets were captured, capture information, the display filter in use, and a traffic summary showing Captured, Displayed (if a display filter is set) and Marked counts.


Protocol Hierarchy

• Displays a hierarchical tree of protocol statistics

• A tree of all protocols captured; each subtree can be expanded and collapsed.

• It shows which protocol dominates the capture file, which gives us a first hint for the analysis.


Conversations

• Displays a list of conversations (traffic between two endpoints)

• Supports: protocol-specific windows, name resolution and "Limit to display filter"


IO Graphs

• Displays user-specified graphs (e.g. number of packets over time)

• Supports: 5 differently colored graphs, each based on a display filter.


Wireshark CASE FILE: ONE


Wireshark CASE FILE: TWO


Use Wireshark analysis, please :)


Let the packets tell the truth


CASE FILE: THREE

Reference: Practical Packet Analysis

http://chrissanders.org/captures/aurora.pcap


Summary

• The victim receives a targeted email from the attacker that appears to be legitimate, clicks a link within it, and sends a GET request to the attacker's malicious site.

• The attacker’s web server issues 302 redirection to the victim, and the victim’s browser issues a GET request to the redirected URL.


• The attacker's web server transmits a web page containing obfuscated JavaScript code to the client; the page includes a vulnerability exploit and an iframe containing a link to a malicious GIF image.

• The victim issues a GET request for the malicious image and downloads it from the server.


• The JavaScript code transmitted earlier is deobfuscated using the malicious GIF, and the code executes on the victim's machine, exploiting a vulnerability in Internet Explorer.

• Once the exploit succeeds, the payload hidden within the obfuscated code is executed, opening a new session from the victim to the attacker on port 4321.


• A command shell is spawned by the payload and shoveled back to the attacker.

• This is what is called "Operation Aurora".
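As an added example (not code from the slides or from Practical Packet Analysis), the following tshark Lua listener pulls the stages summarized above out of a capture such as aurora.pcap: the 302 redirect, the GIF download and the new TCP session to port 4321. The script name aurora_stages.lua and the choice of fields are my own assumptions; port 4321 is the one the summary gives.

```lua
-- Added example, not from the workshop slides.
-- Run with:  tshark -q -r aurora.pcap -X lua_script:aurora_stages.lua
-- Fields must be declared at load time, before any packet is dissected.
local f_http_code = Field.new("http.response.code")
local f_location  = Field.new("http.location")
local f_ctype     = Field.new("http.content_type")
local f_tcp_flags = Field.new("tcp.flags")
local f_dport     = Field.new("tcp.dstport")

-- Only frames matching this display filter reach tap.packet.
-- "matches" is a case-insensitive regex, so "GIF" and "gif" both hit.
local tap = Listener.new("frame",
  'http.response.code == 302 || http.content_type matches "gif" || tcp.dstport == 4321')

local seen = { redirects = 0, gifs = 0, sessions = 0 }

function tap.packet(pinfo, tvb)
  -- Stage 1: the attacker's server answers the first GET with a 302 redirect
  local code = f_http_code()
  if code and code.value == 302 then
    seen.redirects = seen.redirects + 1
    local loc = f_location()
    print(string.format("frame %d  302 redirect %s -> %s  Location: %s",
      pinfo.number, tostring(pinfo.src), tostring(pinfo.dst),
      loc and tostring(loc) or "?"))
  end
  -- Stage 2: the malicious GIF used to deobfuscate the JavaScript is delivered
  local ctype = f_ctype()
  if ctype and string.find(string.lower(tostring(ctype)), "gif", 1, true) then
    seen.gifs = seen.gifs + 1
    print(string.format("frame %d  GIF response from %s", pinfo.number, tostring(pinfo.src)))
  end
  -- Stage 3: a SYN with no ACK (tcp.flags == 0x002) towards port 4321 is the
  -- victim opening the new session the payload shovels the shell through
  local dport, flags = f_dport(), f_tcp_flags()
  if dport and dport.value == 4321 and flags and flags.value == 0x002 then
    seen.sessions = seen.sessions + 1
    print(string.format("frame %d  new session %s -> %s:4321 (possible reverse shell)",
      pinfo.number, tostring(pinfo.src), tostring(pinfo.dst)))
  end
end

-- tshark calls draw() once the whole file has been read
function tap.draw()
  print(string.format("302 redirects: %d, GIF responses: %d, sessions to 4321: %d",
    seen.redirects, seen.gifs, seen.sessions))
end
```

The same three conditions can be typed into the Wireshark display filter bar one at a time; the listener simply runs them together and prints the matching frame numbers so you can jump straight to each stage.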


Other tools for packet analysis


XPLICO

• Xplico is an open source Network Forensic Analysis Tool (NFAT).

• Extracts the application data contained in an internet traffic capture: from a pcap file it extracts each email (POP, IMAP and SMTP), all HTTP contents, each VoIP call (SIP), FTP, TFTP, etc.

• xplico.org


Network Miner

• NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD)

• NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc.

• netresec.com


PCAP Sample

• http://wiki.wireshark.org/SampleCaptures


Packet Analysis: Creating Your Own Wireshark Dissector for Your Own or Others' Protocols


Wireshark Dissector

• Allows Wireshark to automatically break a protocol down into its various sections so that it can be analyzed

• A translator, a decoder

• Does not work on a non-standard/non-default port.

• Created with Lua


LUA

• "Lua" (pronounced LOO-ah) means "Moon" in Portuguese

• Lua is a powerful, fast, lightweight, embeddable scripting language.

• Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics


Download LUA

• LUA for Windows

• http://luaforwindows.luaforge.net/

• Install LUA


Simple LUA

• code it:

• echo 'print("Hello World")' > hello.lua

• run it:

• prompt> lua hello.lua


Wireshark + Lua: check support and compatibility (Help > About Wireshark lists "with Lua" when the build supports it)
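Since the dissector slides themselves survive only as images, here is an added example, not the workshop's own code, of the shape a Lua dissector takes. The "WSDEMO" protocol, its header layout and TCP port 9000 are invented for this example; the port registration at the end is what addresses the "does not work on a non-standard port" point above. Load it with tshark -X lua_script:wsdemo.lua or drop it into the personal Wireshark plugins folder.

```lua
-- Added example, not from the workshop slides.
-- Hypothetical WSDEMO message layout (invented for this example):
--   version (1 byte) | type (1 byte) | length (2 bytes, big endian) | payload (length bytes)
local wsdemo = Proto("wsdemo", "WSDEMO Demo Protocol")

local f_version = ProtoField.uint8("wsdemo.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("wsdemo.type", "Message Type", base.HEX,
                                   { [1] = "HELLO", [2] = "DATA", [3] = "BYE" })
local f_length  = ProtoField.uint16("wsdemo.length", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("wsdemo.payload", "Payload")
wsdemo.fields = { f_version, f_type, f_length, f_payload }

function wsdemo.dissector(buffer, pinfo, tree)
  -- less than a full header cannot be ours; returning 0 leaves it undissected
  if buffer:len() < 4 then return 0 end
  pinfo.cols.protocol = "WSDEMO"

  local subtree = tree:add(wsdemo, buffer(), "WSDEMO Protocol Data")
  subtree:add(f_version, buffer(0, 1))
  subtree:add(f_type,    buffer(1, 1))

  local declared  = buffer(2, 2):uint()
  local len_item  = subtree:add(f_length, buffer(2, 2))
  local available = buffer:len() - 4
  -- never trust a length field from the wire: clamp it to what was captured
  -- so a malicious or truncated packet cannot make the dissector read past the buffer
  if declared > available then
    len_item:append_text(" [exceeds captured data, truncated]")
    declared = available
  end
  if declared > 0 then
    subtree:add(f_payload, buffer(4, declared))
  end

  pinfo.cols.info = string.format("WSDEMO type=%d len=%d", buffer(1, 1):uint(), declared)
  return 4 + declared
end

-- Register on the TCP port table. A dissector only fires on the ports it is
-- registered for; every port the protocol is actually served on must be added here.
local tcp_port = DissectorTable.get("tcp.port")
tcp_port:add(9000, wsdemo)
```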
