Advanced Packet Analysis and Troubleshooting Using Wireshark
23AF
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015, 11:00am - 12:15pm | Track AF | Level 1 | Atlantic VI
Learning Objectives
• Examine common protocols such as
– TCP, HTTP, DNS, and FTP
• Evaluate
– TCP/IP protocol stack vulnerabilities
– Common passive attack signatures
– Common active attack and malware signatures
EXPLORE THE WIRESHARK INTERFACE
Capture Packets
• Once you open a capture you will see three panes:
– Top (Packet List): one row per packet received during the capture session
– Middle (Packet Details): the protocol dissection of the single frame selected in the list
– Bottom (Packet Bytes): the raw bytes of that same frame, as a hex dump
ICMP
Internet Control Message Protocol
• Used to send error messages and query the network
• Carries no application data: it reports on the delivery of other traffic
• RFC 792: "ICMP is actually an integral part of IP, and must be implemented by every IP module."
• A Scout for IP!
Internet Control Message Protocol
• ICMP is used by ping
– ping generates echo-request (Type 8) / echo-reply (Type 0) query messages
• ICMP defines four query message pairs: echo, timestamp, information request, and address mask
– Of these, the ping command uses only the echo pair
ICMP Message
Start with ICMP
Tracert to Generate ICMP Traffic
An ICMP Example
• Shows the ICMP packets tracing the route to COMMON.org
• Display filter: icmp
• You will see the entire tracert communication
• Including a few errors: the Time Exceeded messages each hop returns are how tracert discovers the path
ICMP-Destination Unreachable
ICMP within an IP Packet
When an ICMP error message is sent, it always contains the IP header and the first 8 bytes of the datagram that caused the error (RFC 792). For TCP and UDP those 8 bytes include the source and destination ports, so the error can be matched back to the connection it refers to.
ICMP Error Codes
• Type 3 Destination Unreachable codes
– 0 - Net Unreachable
– 1 - Host Unreachable
– 2 - Protocol Unreachable
ICMP Error Codes
• Type 11 Time Exceeded codes
– 0 - TTL Exceeded in Transit
– 1 - Fragment Reassembly Time Exceeded
You should not allow fragmentation on your network! Fragmented traffic is a classic way to evade packet filters and intrusion detection, and Type 11 Code 1 messages in a capture show reassembly failing.
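As an added worked example (not part of the original deck), the following Python builds a Time Exceeded message the way a router would, and parses it back out of the 8-byte ICMP header plus the quoted IP header and first 8 bytes described above. The addresses, ports and payload are constructed sample data; the type/code table is RFC 792's, extended with Type 3 codes 3 and 4 which the deck does not list.

```python
import socket
import struct

# Type/code names from RFC 792. The deck lists Type 3 codes 0-2 and Type 11
# codes 0-1; 3/3 and 3/4 are added here because they turn up most often when
# troubleshooting (port unreachable, PMTU discovery).
ICMP_NAMES = {
    (3, 0): "Destination Unreachable: Net Unreachable",
    (3, 1): "Destination Unreachable: Host Unreachable",
    (3, 2): "Destination Unreachable: Protocol Unreachable",
    (3, 3): "Destination Unreachable: Port Unreachable",
    (3, 4): "Destination Unreachable: Fragmentation Needed and DF Set",
    (11, 0): "Time Exceeded: TTL Exceeded in Transit",
    (11, 1): "Time Exceeded: Fragment Reassembly Time Exceeded",
}
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_udp_datagram(src, dst, sport, dport, payload, ttl=1):
    """Constructed sample: an IPv4/UDP datagram like a traceroute probe (TTL 1)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_icmp_error(icmp_type, code, offending):
    """ICMP error as a router sends it: 8-byte ICMP header, then the offending
    datagram's IP header plus its first 8 bytes of payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP Type 3/11 message and recover which traffic it is about."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to carry a quoted IP header")
    if inet_checksum(icmp) != 0:          # a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type not in (3, 11):
        raise ValueError("not a Destination Unreachable / Time Exceeded message")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    ip = struct.unpack(IPV4_HDR, quoted[:20])
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_NAMES.get((icmp_type, code), "type %d code %d" % (icmp_type, code)),
        "orig_src": socket.inet_ntoa(ip[8]),
        "orig_dst": socket.inet_ntoa(ip[9]),
        "orig_proto": ip[6],
        "orig_ttl": ip[5],
    }
    first8 = quoted[ihl:ihl + 8]
    if ip[6] in (6, 17) and len(first8) >= 4:
        # TCP and UDP both carry source and destination port in their first
        # 4 bytes, so the 8 quoted bytes suffice to match the error to a flow.
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", first8[:4])
    return info


def demo() -> dict:
    # Constructed scenario: 192.168.1.10 sends a traceroute-style UDP probe with
    # TTL 1; the first hop answers with Time Exceeded (Type 11, Code 0).
    probe = make_udp_datagram("192.168.1.10", "10.0.0.5", 40000, 33434, b"traceroute probe")
    return parse_icmp_error(build_icmp_error(11, 0, probe))


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-11s %s" % (k, v))
```

The checksum check matters in practice: Wireshark flags ICMP messages whose checksum does not verify, and a parser that skips it will happily decode a corrupted or spoofed error.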
Which ICMP do you allow?
• The only essential ICMP traffic
– Type 3 Destination Unreachable (in particular Code 4, Fragmentation Needed, which Path MTU Discovery depends on)
– Type 4 Source Quench was traditionally listed here, but it is deprecated (RFC 6633) and should now be dropped
• Optional
– Type 0 Echo Reply
– Type 8 Echo Request
– Type 11 Time Exceeded (traceroute)
ICMP Attacks
• Can be altered for evil purposes
– ICMP is used in reconnaissance, for example by the tools in Kali Linux
– Denial of Service
– Covert Channel
Network Scans
• Nmap is a tool used to discover hosts and services on a network
• Creates a "map" of the network
Network Scans
• It can be used to quickly scan thousands of ports
– To see whether ports are in the open or closed state (or filtered, when no reply comes back at all)
• By default, Nmap performs a SYN scan (-sS) when it has raw-socket privileges; unprivileged runs fall back to a full TCP connect scan (-sT)
Nmap
• Scanning is reconnaissance. It does not change the target, but it is not passive: every probe is a packet the target, and your capture, can see
• After running a scan, the software will output results from the IP range you selected
Nmap Output
• Ports / Hosts
– The results of the port scan
– Including the well-known services for those ports
Nmap Output (tabs of the Zenmap GUI)
• Topology
– An interactive view of the connections between hosts in a network
• Host Details
– Details such as the number of ports, IP addresses, hostnames, operating systems, and more
Normal Three Way Handshake
Port Scan
• An ACK/RST sent in response to a SYN frame
• Sent to acknowledge the receipt of the frame
– Lets the client know that the server cannot allow the connection on that port (the port is closed)
– A SYN/ACK instead means the port is open; no reply at all usually means a firewall dropped the probe (filtered)
Port Scan
• Every probe has the same source and destination IP address
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
Port Scan
• In packets 14, 15 and 16 we see an actual connection (a completed three-way handshake rather than a half-open SYN probe)
• Then it continues to attempt another connection in packets 18, 19, 20
• Enable SYN flood protection
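As an added example (not part of the original deck), here is the scan signature above turned into detection logic: it groups SYN-only packets by source/destination pair, flags a pair that probes many distinct ports, classifies each port from the reply (SYN/ACK open, RST closed, silence filtered), and separates half-open probes from the completed handshakes seen in packets 14-16. The packet list is constructed sample data, and the threshold `min_ports` is an assumption, not an Nmap or Wireshark setting; the only real syntax in it is the Wireshark display filter it emits.

```python
from collections import defaultdict

# Constructed hosts for the sample capture (not from the deck)
SCANNER, TARGET, CLIENT = "192.168.1.50", "192.168.1.10", "192.168.1.20"


def pkt(no, src, sport, dst, dport, flags):
    """One TCP packet as Wireshark would list it; flags is a string of S/A/R."""
    return {"no": no, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def build_sample_capture():
    """Constructed capture: one legitimate client, then a SYN scan of 8 ports."""
    cap = [pkt(1, CLIENT, 51000, TARGET, 443, "S"),
           pkt(2, TARGET, 443, CLIENT, 51000, "SA"),
           pkt(3, CLIENT, 51000, TARGET, 443, "A")]
    n = len(cap)
    for dport in (21, 22, 23, 25, 80, 110, 143, 443):
        n += 1
        cap.append(pkt(n, SCANNER, 40000, TARGET, dport, "S"))       # SYN only
        if dport == 25:
            continue                                                 # firewall drops it: no reply
        if dport in (22, 80, 443):
            n += 1
            cap.append(pkt(n, TARGET, dport, SCANNER, 40000, "SA"))  # open
            if dport == 80:                                          # full handshake, like packets 14-16
                n += 1
                cap.append(pkt(n, SCANNER, 40000, TARGET, dport, "A"))
            n += 1
            cap.append(pkt(n, SCANNER, 40000, TARGET, dport, "R"))   # scanner tears it down
        else:
            n += 1
            cap.append(pkt(n, TARGET, dport, SCANNER, 40000, "RA"))  # closed: RST/ACK
    return cap


def detect_syn_scans(packets, min_ports=5):
    """Flag (src, dst) pairs sending SYN-only probes to many distinct ports and
    classify each probed port from the reply: SYN/ACK open, RST closed, none filtered."""
    probes = defaultdict(dict)                      # (src, dst) -> {dport: first probe no}
    for p in packets:
        if p["flags"] == {"S"}:
            probes[(p["src"], p["dst"])].setdefault(p["dport"], p["no"])
    reports = {}
    for (src, dst), ports in probes.items():
        if len(ports) < min_ports:
            continue
        rep = {"syn_count": len(ports), "open": set(), "closed": set(),
               "filtered": set(), "completed_handshakes": set()}
        for dport, first_no in ports.items():
            state, handshake_done = "filtered", False
            for p in packets:
                if p["no"] < first_no:
                    continue
                if p["src"] == dst and p["dst"] == src and p["sport"] == dport:
                    if p["flags"] == {"S", "A"}:
                        state = "open"
                    elif "R" in p["flags"] and state == "filtered":
                        state = "closed"
                elif ((p["src"], p["dst"], p["dport"]) == (src, dst, dport)
                      and state == "open" and p["flags"] == {"A"}):
                    handshake_done = True           # full connect, not a half-open SYN scan
            rep[state].add(dport)
            if handshake_done:
                rep["completed_handshakes"].add(dport)
        # Wireshark display filter that isolates these probes in the capture
        rep["filter"] = ("ip.src==%s && ip.dst==%s && tcp.flags.syn==1 && tcp.flags.ack==0"
                         % (src, dst))
        reports[(src, dst)] = rep
    return reports


if __name__ == "__main__":
    for (src, dst), rep in detect_syn_scans(build_sample_capture()).items():
        print("%s -> %s: %d SYN probes" % (src, dst, rep["syn_count"]))
        for k in ("open", "closed", "filtered", "completed_handshakes"):
            print("  %-20s %s" % (k, sorted(rep[k])))
        print("  filter:", rep["filter"])
```

The legitimate client is not reported because it touches a single port; a real scanner lights up dozens. The `completed_handshakes` set is the tell between a privileged SYN scan (RST after the SYN/ACK) and an unprivileged connect scan, which finishes the handshake and therefore shows up in the target's application logs.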
SEC-Bittorrent
• BitTorrent - peer-to-peer file sharing
• Uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents
– Consists of a number of different queries and corresponding responses (KRPC messages, bencoded and carried over UDP)
• Ping - used to check if a peer is available
SEC-Bittorrent
• Find_node - used to find the contact information for a node, given its 20-byte ID (the "target")
• Get_peers - requests a list of peers which have pieces of the content identified by an info_hash
• Announce_peer - announces the contact information for the peer to the network (it must present the token returned by an earlier get_peers)
SEC-Bittorrent
• Right click on packet 22 and Follow UDP Stream
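When you follow the UDP stream of DHT traffic you are looking at bencoded KRPC messages. As an added example (not code from the deck or from any BitTorrent client), the following Python implements a bencode encoder/decoder, builds the four queries listed above in their BEP 5 wire format, and decodes queries and responses, including the compact node and peer encodings returned by find_node and get_peers. The node IDs, info_hash, token and addresses are constructed sample data.

```python
import hashlib
import socket
import struct


def bencode(obj) -> bytes:
    """Encode int / bytes / str / list / dict into bencode (BEP 3)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:%s" % (len(obj), bytes(obj))
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):   # keys are sorted byte strings, as the spec requires
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data: bytes):
    value, end = _bdecode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _bdecode(data: bytes, i: int):
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _bdecode(data, i)
            if not isinstance(k, bytes):
                raise ValueError("dictionary keys must be byte strings")
            out[k], i = _bdecode(data, i)
        return out, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError("truncated byte string")   # a malformed packet, not a DHT message
        return data[start:start + n], start + n
    raise ValueError("bad bencode at offset %d" % i)


# --- KRPC queries (BEP 5): {"t": transaction id, "y": "q", "q": name, "a": args} ---
def krpc_query(tid: bytes, name: str, args: dict) -> bytes:
    return bencode({b"t": tid, b"y": b"q", b"q": name, b"a": args})


def ping(node_id, tid=b"aa"):
    return krpc_query(tid, "ping", {b"id": node_id})


def find_node(node_id, target, tid=b"ab"):
    return krpc_query(tid, "find_node", {b"id": node_id, b"target": target})


def get_peers(node_id, info_hash, tid=b"ac"):
    return krpc_query(tid, "get_peers", {b"id": node_id, b"info_hash": info_hash})


def announce_peer(node_id, info_hash, port, token, tid=b"ad"):
    return krpc_query(tid, "announce_peer",
                      {b"id": node_id, b"info_hash": info_hash, b"port": port, b"token": token})


def compact_peer(ip: str, port: int) -> bytes:
    """6-byte peer: 4-byte IPv4 + 2-byte big-endian port (nodes add a 20-byte ID in front)."""
    return socket.inet_aton(ip) + struct.pack("!H", port)


def describe(msg: bytes) -> dict:
    """Classify one KRPC message the way you would when reading a followed UDP stream."""
    d = bdecode(msg)
    y = d[b"y"]
    if y == b"q":
        a = d[b"a"]
        out = {"kind": "query", "q": d[b"q"].decode(), "t": d[b"t"], "id": a[b"id"].hex()}
        for key in (b"target", b"info_hash"):
            if key in a:
                out[key.decode()] = a[key].hex()
        if b"port" in a:
            out["port"] = a[b"port"]
        return out
    if y == b"r":
        r = d[b"r"]
        out = {"kind": "response", "t": d[b"t"], "id": r[b"id"].hex()}
        if b"nodes" in r:      # find_node / get_peers: 26 bytes per node
            raw = r[b"nodes"]
            out["nodes"] = [(raw[i:i + 20].hex(), socket.inet_ntoa(raw[i + 20:i + 24]),
                             struct.unpack("!H", raw[i + 24:i + 26])[0])
                            for i in range(0, len(raw), 26)]
        if b"values" in r:     # get_peers hit: list of 6-byte peers
            out["peers"] = [(socket.inet_ntoa(v[:4]), struct.unpack("!H", v[4:6])[0])
                            for v in r[b"values"]]
        return out
    if y == b"e":
        code, text = d[b"e"]
        return {"kind": "error", "t": d[b"t"], "code": code, "message": text.decode(errors="replace")}
    raise ValueError("unknown KRPC message type %r" % y)


# Constructed sample identifiers (20-byte SHA-1 digests, as the DHT uses)
NODE_A = hashlib.sha1(b"constructed node A").digest()
NODE_B = hashlib.sha1(b"constructed node B").digest()
INFO_HASH = hashlib.sha1(b"constructed torrent").digest()

if __name__ == "__main__":
    q = get_peers(NODE_A, INFO_HASH)
    print(q)                      # what the followed UDP stream shows
    print(describe(q))
```

The transaction ID `t` is what lets you pair a query with its response in the stream; a `get_peers` answered with `nodes` rather than `values` means the queried node did not know the torrent and is pointing you closer in the ID space.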
Advice
• Understand attacks
• Take steps to defend your iSeries device
• National Cyber Awareness System
– https://www.us-cert.gov/ncas
• Keep systems patched and updated
• Monitor
WEP and why it is weak - Demo
• GO TO http://goo.gl/HYTVzz
• Software such as the tools in Kali Linux or Aircrack-ng can recover the key used
– After intercepting and analyzing only a small amount of WEP traffic
– WEP encrypts with RC4 keyed by a 24-bit IV prepended to the shared key; IVs repeat quickly, keystreams get reused, and the statistical attacks in Aircrack-ng recover the key from the resulting weak per-packet keys
• The 13-byte hex string from the demo (the format of a 104-bit WEP key):
28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37
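As an added illustration of the weakness (not part of the deck, and not the PTW/FMS statistical attack that Aircrack-ng uses to recover the key itself), the Python below implements RC4 and WEP's IV || key construction, then shows what IV reuse gives an eavesdropper: with one known plaintext, or even just the LLC/SNAP header that every IP frame starts with, the keystream for that IV falls out and any other frame sent under the same IV can be decrypted without the key. The key, IV and frame contents are constructed sample data; the key-index byte and the ICV that follow the IV in a real frame are omitted.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP feeds it IV || key with no further mixing."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Every IP frame over 802.11 starts with this LLC/SNAP header: known plaintext for free.
SNAP_IP = bytes.fromhex("aaaa030000000800")
IV_SPACE = 2 ** 24          # only 16,777,216 IVs; a busy AP exhausts them in hours


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: cleartext IV || RC4(IV || key)(plaintext).
    The key-index byte and the 4-byte ICV are left out to keep the example short."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    return iv + rc4(iv + key, plaintext)


def find_iv_reuse(frames):
    """The IV is sent in the clear, so reuse is visible in any capture."""
    counts = {}
    for f in frames:
        counts[f[:3]] = counts.get(f[:3], 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext = keystream (for as many bytes as you know)."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


# Constructed sample data: a 13-byte (104-bit) key, NOT the one on the slide.
KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x01\x02\x03"
P1 = SNAP_IP + b"GET /index.html HTTP/1.0"
P2 = SNAP_IP + b"password=hunter2"
F1 = wep_encrypt(KEY, IV, P1)
F2 = wep_encrypt(KEY, IV, P2)               # same IV as F1: identical keystream
F3 = wep_encrypt(KEY, b"\x01\x02\x04", P2)  # fresh IV: different keystream


def demo() -> dict:
    ks_partial = recover_keystream(F1, SNAP_IP)   # 8 keystream bytes from the SNAP header alone
    ks_full = recover_keystream(F1, P1)           # attacker knew (or injected) all of P1
    return {
        "iv_reuse": find_iv_reuse([F1, F2, F3]),
        "partial": decrypt_with_keystream(F2, ks_partial),
        "full": decrypt_with_keystream(F2, ks_full),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Nothing here touches the key: the attacker never learns `KEY`, yet reads `P2`. That is why the defence is not a longer WEP key but replacing WEP with WPA2/WPA3, which derive a fresh per-packet key rather than reusing RC4 state.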
QUESTIONS?
More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press
Lynda.com
• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark