Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF Lisa Bock Pennsylvania College of Technology Monday October 5, 2015 11:00am - 12:15am Track AF | Level 1 | Atlantic VI

Advanced Packet Analysis and Troubleshooting Using Wireshark

23AF
Lisa Bock

Pennsylvania College of Technology

Monday October 5, 2015 11:00am - 12:15am
Track AF | Level 1 | Atlantic VI


Learning Objectives

• Examine common protocols such as
  – TCP, HTTP, DNS, and FTP

• Evaluate
  – TCP/IP protocol stack vulnerabilities
  – Common passive attack signatures
  – Common active attack and malware signatures


EXPLORE THE WIRESHARK INTERFACE


Capture Packets

• Once you open a capture you will see three panes:
  – Top: packet list of all of the packets received during the capture session
  – Middle: details of a single frame
  – Bottom: the bytes of a single frame


ICMP


Internet Control Message Protocol

• Used to send error messages and query the network

• No data is exchanged


"ICMP is actually an integral part of IP, and must be implemented by every IP module." (RFC 792)

A Scout for IP!


Internet Control Message Protocol

• ICMP is used by ping
  – It can generate echo-request/echo-reply query messages.
• Four types of query messages generated by the ping command


ICMP Message


Start with ICMP


Tracert to Generate ICMP Traffic


An ICMP Example

• Shows the ICMP packets tracing the route to COMMON.org
• Filter: icmp
• You will see the entire tracert communication
• With a few errors!


ICMP-Destination Unreachable


ICMP within an IP Packet

When an ICMP error message is sent, the message always contains the IP header and the first 8 bytes of the IP datagram that caused the ICMP error to be generated.


ICMP Error Codes

• Type 3 Destination Unreachable
  Codes
  0 - Net Unreachable
  1 - Host Unreachable
  2 - Protocol Unreachable


ICMP Error Codes

• Type 11 Time Exceeded
  Codes
  0 - TTL Exceeded
  1 - Fragment Reassembly Time Exceeded

You should not allow fragmentation on your network!
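Added example (not part of the slides): the "ICMP within an IP Packet" slide says every ICMP error quotes the original IP header plus the first 8 bytes of its payload, and the two error-code slides list the Type 3 and Type 11 codes. This Python script does what an analyst does by hand in the details pane: it reads the quoted header and ports out of a constructed Time Exceeded message and names the error using those codes. The packet builder, addresses and port numbers are assumptions for the sample, and the checksums are left zero.

```python
import struct

# ICMP error types and codes named in the slides (RFC 792 wording)
ICMP_NAMES = {
    (3, 0): "Destination Unreachable: Net Unreachable",
    (3, 1): "Destination Unreachable: Host Unreachable",
    (3, 2): "Destination Unreachable: Protocol Unreachable",
    (11, 0): "Time Exceeded: TTL Exceeded",
    (11, 1): "Time Exceeded: Fragment Reassembly Time Exceeded",
}

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr + payload

def parse_ipv4(buf):
    """Return (src, dst, proto, header_length) from the start of an IPv4 packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(src), dotted(dst), proto, (ver_ihl & 0x0F) * 4

def parse_icmp_error(packet):
    """Identify the flow that triggered an ICMP type 3 or 11 error by reading the
    quoted original IP header and the first 8 bytes of its payload."""
    reporter, _, proto, ihl = parse_ipv4(packet)
    if proto != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype not in (3, 11):
        raise ValueError("not an ICMP error message covered here")
    quoted = icmp[8:]                  # after the 8-byte ICMP error header
    o_src, o_dst, o_proto, o_ihl = parse_ipv4(quoted)
    first8 = quoted[o_ihl:o_ihl + 8]   # for TCP/UDP: source and destination ports
    sport, dport = struct.unpack("!HH", first8[:4])
    return {"error": ICMP_NAMES.get((itype, code), f"type {itype} code {code}"),
            "reporter": reporter, "orig_src": o_src, "orig_dst": o_dst,
            "orig_proto": o_proto, "orig_sport": sport, "orig_dport": dport}

# Constructed sample: a traceroute-style UDP probe sent with TTL 1 and the
# router's ICMP Time Exceeded reply quoting it (private/documentation addresses).
PROBE = build_ipv4("10.0.0.5", "203.0.113.9", 17,
                   struct.pack("!HHHH", 54321, 33434, 8, 0), ttl=1)
TIME_EXCEEDED = build_ipv4("192.0.2.1", "10.0.0.5", 1,
                           bytes([11, 0, 0, 0, 0, 0, 0, 0]) + PROBE[:28])
```

Calling parse_icmp_error(TIME_EXCEEDED) ties the router's error back to the UDP probe from 10.0.0.5:54321 to 203.0.113.9:33434, which is exactly the correlation Wireshark shows when you expand the ICMP packet's inner IP header.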


Which ICMP do you allow?

• The only essential ICMP traffic
  – Type 3 Destination Unreachable
  – Type 4 Source Quench

• Optional
  – Type 0 Echo Reply
  – Type 8 Echo
  – Type 11 Time Exceeded (traceroute)


ICMP Attacks

• Can be altered for evil purposes.
  – ICMP is used in reconnaissance by Kali Linux
  – Denial of Service
  – Covert Channel


Network Scans

• Nmap is a tool used to discover hosts and services on a network

• Creates a "map" of the network


Network Scans

• It can be used to quickly scan thousands of ports
  – To see ports in open or closed states.
• By default, Nmap performs a SYN scan


Nmap

• Scanning can be used as a passive attack in the form of reconnaissance.

• After running a scan, the software will output results from the IP range you selected


Nmap Output

• Ports | Hosts
  – The results of the port scan
  – Including the well-known services for those ports.


Nmap Output

• Topology
  – An interactive view of the connections between hosts in a network.
• Host Details
  – Details such as the number of ports, IP addresses, hostnames, operating systems, and more.


DDOS

• Go to http://map.ipviking.com/



Normal Three Way Handshake



Port Scan

• An ACK/RST sent in response to a SYN frame
• Sent to acknowledge the receipt of the frame
  – Lets the client know that the server cannot allow the connection on that port.


Port Scan

• Same source and destination IP address
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port

http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two


Port Scan

• In packets 14, 15 and 16 we see an actual connection
• Then it continues to attempt another connection in packets 18, 19 and 20
• Enable SYN flood protection
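Added example (not from the slides): the three "Port Scan" slides give the SYN-scan signature (one source, SYN-only segments, destination port changing each packet, RST/ACK back for closed ports and a real handshake for open ones). This Python detector applies that signature to a constructed packet list of the kind you could export from Wireshark's packet list. The threshold, window and the sample addresses and ports are assumptions.

```python
from collections import defaultdict

# TCP flag bits as Wireshark shows them in tcp.flags
SYN, ACK, RST = 0x02, 0x10, 0x04

def detect_syn_scan(packets, min_ports=10, window=2.0):
    """packets: iterable of (time, src, sport, dst, dport, flags).
    Flags a source that sent SYN-only segments to at least `min_ports` distinct
    ports on one host within `window` seconds, and uses the replies to tell
    open ports (SYN/ACK) from closed ones (RST/ACK)."""
    probes = defaultdict(list)   # (scanner, target) -> [(time, dport)]
    replies = {}                 # (target, scanner, port) -> flags of the reply
    for t, src, sport, dst, dport, flags in packets:
        if flags == SYN:                          # only the SYN flag set
            probes[(src, dst)].append((t, dport))
        elif (flags & (SYN | ACK)) == (SYN | ACK) or (flags & (RST | ACK)) == (RST | ACK):
            replies[(src, dst, sport)] = flags
    report = {}
    for (scanner, target), hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct ports probed within `window` seconds starting at probe i
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                answered = {p: replies.get((target, scanner, p), 0) for p in ports}
                report[(scanner, target)] = {
                    "probed": len(ports),
                    "open": sorted(p for p, f in answered.items() if f & SYN),
                    "closed": sum(1 for f in answered.values() if f & RST),
                }
                break
    return report

def sample_capture():
    """Constructed capture: a SYN scan of 12 ports (two answered SYN/ACK, the rest
    RST/ACK) followed by one legitimate three-way handshake from another host."""
    pkts, t = [], 0.0
    for port in range(20, 32):
        pkts.append((t, "10.0.0.9", 40000 + port, "192.0.2.10", port, SYN))
        reply = SYN | ACK if port in (22, 25) else RST | ACK
        pkts.append((t + 0.0005, "192.0.2.10", port, "10.0.0.9", 40000 + port, reply))
        t += 0.001
    pkts.append((5.0, "10.0.0.20", 51000, "192.0.2.10", 443, SYN))
    pkts.append((5.001, "192.0.2.10", 443, "10.0.0.20", 51000, SYN | ACK))
    pkts.append((5.002, "10.0.0.20", 51000, "192.0.2.10", 443, ACK))
    return pkts

if __name__ == "__main__":
    print(detect_syn_scan(sample_capture()))
```

The legitimate client touches a single port and is never reported; the scanner is reported with its open and closed port counts, which is the same split you get from the SYN/ACK versus RST/ACK replies in the capture.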


SEC-Bittorrent

• BitTorrent - peer-to-peer file sharing
• Uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents
  – Consists of a number of different queries and corresponding responses.
• Ping – used to check if a peer is available.


SEC-Bittorrent

• Find_node – used to find the contact information for a peer.

• Get_peers – requests a list of peers which have pieces of the content.

• Announce_peer – announces the contact information for the peer to the network.


SEC-Bittorrent

Right click on packet 22 and follow UDP Stream
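Added example (not part of the slides): following the UDP stream on a DHT packet shows bencoded KRPC messages, which is how the ping, find_node, get_peers and announce_peer queries from the two SEC-Bittorrent slides are carried. This Python decoder turns such a datagram into the query name, transaction id and node id an analyst wants to see. The sample ping query and response are the ones given in BEP 5; the summary dictionary layout is my own.

```python
def bdecode(data, pos=0):
    """Decode one bencoded value starting at `pos`; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l" or c == b"d":                     # list or dictionary
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)                  # byte string: <len>:<bytes>
    length = int(data[pos:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length

def describe_krpc(datagram):
    """Summarise a DHT (KRPC) datagram: message kind, query name, node id."""
    msg, _ = bdecode(datagram)
    kind = {b"q": "query", b"r": "response", b"e": "error"}.get(msg.get(b"y"), "unknown")
    out = {"kind": kind, "tid": msg.get(b"t", b"").hex()}
    if kind == "query":
        out["query"] = msg[b"q"].decode()
        out["node_id"] = msg[b"a"][b"id"].hex()
        if out["query"] == "get_peers":           # the torrent being looked up
            out["info_hash"] = msg[b"a"][b"info_hash"].hex()
    elif kind == "response":
        out["node_id"] = msg[b"r"][b"id"].hex()
    return out

# Sample messages in the BEP 5 wire format: a ping query and its response
PING_QUERY = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
PING_RESPONSE = b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"

if __name__ == "__main__":
    print(describe_krpc(PING_QUERY))
    print(describe_krpc(PING_RESPONSE))
```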


Advice

• Understand attacks
• Take steps to defend your iSeries device
• National Cyber Awareness System
  – https://www.us-cert.gov/ncas
• Keep system patched and updated
• Monitor


WEP and why it is weak - Demo

• GO TO http://goo.gl/HYTVzz
• Software such as Kali Linux or Aircrack can recover the key used
  – After intercepting and analyzing only a small amount of WEP traffic.

28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37


QUESTIONS?


More Resources

• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles

• Wireshark Network Analysis, by Laura Chappell, Chappell Binding

• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated


Lynda.com

• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark