Chapter 6: Protocol Analysis and Network Programming
![Page 1: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/1.jpg)
Lecture Materials for the John Wiley & Sons book:
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
April 20, 2023 DRAFT 1
Chapter 6: Protocol Analysis and Network Programming
![Page 2: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/2.jpg)
Networking Theory and Practice
•Open Systems Interconnection (OSI) defines the standard protocol stack
–Out of the 7 layers, only 4 are used in practice:
• Physical (Layer 1)
• Data Link (Layer 2)
• Network (Layer 3)
• Transport (Layer 4)
– The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3.
![Page 3: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/3.jpg)
Frequently Encountered Network Protocols
• IEEE 802.3 Ethernet protocol (L2)
• IEEE 802.11 wireless protocols (commercially known as Wi-Fi) (L2)
• Address Resolution Protocol (ARP) (L2)
• IP Version 4 (IPv4) (L3)
• IP Version 6 (IPv6) (L3)
• Internet Control Message Protocol (ICMP) (L3)
• User Datagram Protocol (UDP) (L4)
• Transmission Control Protocol (TCP) (L4)
![Page 4: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/4.jpg)
Network Protocol Analysis
•Network protocol analysis can be performed automatically by Wireshark
–Manual protocol analysis is outdated
•Each frame (L2) or packet (L3) has a header and a payload
– The L2 header and trailer are attached before and after the L3 header and payload, i.e. L2 encapsulates L3
– Likewise the L3 header is attached before the L4 header and payload, i.e. L3 encapsulates L4
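The encapsulation described above, carried through in working code. This is an added example and not code from the book or its lecture materials: it builds three constructed frames (an ARP request, an IPv4/UDP datagram and an IPv4/TCP SYN) by wrapping each layer's PDU inside the next lower layer's header, then parses them back by peeling one header per layer and dispatching on the EtherType and IP protocol fields, which is the same manual walk that the ARP, IP, ICMP, UDP and TCP analysis slides that follow show in Wireshark. All MAC addresses, IP addresses and payloads are constructed. The parser verifies the IPv4 header checksum (a corrupted header is rejected rather than mis-decoded) but does not verify TCP/UDP checksums, which need the pseudo-header; IPv4 options are skipped via the IHL field, not decoded.

```python
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def inet_checksum(data):
    """RFC 1071 ones-complement sum. Over a header that already carries its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# --- encapsulation: each builder takes the upper layer's PDU as its payload ---
def build_ethernet(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload

def build_arp(op, sha, spa, tha, tpa):
    # hardware type 1 (Ethernet), protocol type IPv4, 6-byte MACs, 4-byte IPs
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def build_ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill the header checksum
    return hdr + payload

def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = omitted (legal over IPv4)

def build_tcp(sport, dport, seq, flags, payload=b""):
    # data offset 5 words (no options), window 65535, checksum and urgent pointer left 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload

# --- decapsulation: peel one header per layer, dispatching on the type field ---
def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}}
    payload = frame[14:]                     # everything after the L2 header is the L3 PDU
    if ethertype == ETHERTYPE_ARP:
        out["l3"] = parse_arp(payload)
    elif ethertype == ETHERTYPE_IPV4:
        out["l3"], out["l4"] = parse_ipv4(payload)
    else:
        out["l3"] = {"proto": "unknown", "len": len(payload)}
    return out

def parse_arp(p):
    if len(p) < 28:
        raise ValueError("truncated ARP packet")
    _, _, _, _, op = struct.unpack("!HHBBH", p[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", p[8:28])
    return {"proto": "arp", "op": {1: "request", 2: "reply"}.get(op, op),
            "sender": (mac_str(sha), ip_str(spa)), "target": (mac_str(tha), ip_str(tpa))}

def parse_ipv4(p):
    if len(p) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", p[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(p) < total_len:
        raise ValueError("malformed IPv4 header")
    if inet_checksum(p[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    l3 = {"proto": "ipv4", "src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "protocol": proto}
    body = p[ihl:total_len]                  # Ethernet padding beyond total_len is not part of the packet
    if proto == PROTO_ICMP and len(body) >= 4:
        itype, code, _ = struct.unpack("!BBH", body[:4])
        return l3, {"proto": "icmp", "type": itype, "code": code}
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        return l3, {"proto": "udp", "sport": sport, "dport": dport, "payload": body[8:ulen]}
    if proto == PROTO_TCP and len(body) >= 20:
        sport, dport, seq, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", body[:20])
        doff = (off_flags >> 12) * 4         # header length in bytes, options included
        return l3, {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq,
                    "flags": [n for n, bit in TCP_FLAGS if off_flags & bit], "payload": body[doff:]}
    return l3, {"proto": "unknown", "len": len(body)}

def demo_frames():
    """Three constructed frames (not captured traffic): ARP request, IPv4/UDP, IPv4/TCP SYN."""
    arp = build_ethernet("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP,
                         build_arp(1, "00:11:22:33:44:55", "10.10.100.1", "00:00:00:00:00:00", "10.10.100.100"))
    udp = build_ethernet("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                         build_ipv4("10.10.100.1", "10.10.100.100", PROTO_UDP, build_udp(5353, 53, b"query")))
    syn = build_ethernet("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                         build_ipv4("10.10.100.1", "10.10.100.100", PROTO_TCP, build_tcp(40000, 22, 1000, 0x02)))
    return [parse_frame(f) for f in (arp, udp, syn)]

if __name__ == "__main__":
    for parsed in demo_frames():
        print(parsed)
```

Feeding the builders' output straight into the parsers is the point of the demo: the frame that leaves `build_ethernet` is exactly the byte layout an L2 capture would show, so the same `parse_frame` can be pointed at bytes read from a pcap once the link-layer header type is known to be Ethernet.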
![Page 5: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/5.jpg)
Address Resolution Protocol (ARP) and Layer 2 Analysis
![Page 6: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/6.jpg)
ARP Frame
![Page 7: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/7.jpg)
Internet Protocol (IP) Analysis
![Page 8: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/8.jpg)
Internet Control Message Protocol (ICMP)
![Page 9: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/9.jpg)
User Datagram Protocol (UDP) Analysis
![Page 10: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/10.jpg)
Transmission Control Protocol (TCP) Analysis
![Page 11: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/11.jpg)
Network Programming: Bash
• Bash is an available command line shell for Linux and Unix systems
– It is selected in the /etc/passwd file
•In network programming we are able to execute network commands in a script at the command line or from a script file
•During penetration tests, we frequently encounter raw shells (that do not support even backspace) where we can only submit 1 command line at a time
– Use network programming to build security tools such as ping scans and banner grabbers (i.e. when services self-identify)
•Network programming remains a rare but very useful skill among security pros
![Page 12: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/12.jpg)
Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes
• Count duplicate lines and sort reverse numerical, i.e. most frequent IP first
– # sort /tmp/alertIPs | uniq -c | sort -nr
• Append to a file, including standard error
– # mount error >> log.txt 2>&1
• Command sequence
– # echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~
![Page 13: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/13.jpg)
Linux/Unix Bash for Basic Network Programming
• Ping an IP; returns ICMP response
– # ping -c1 -w2 10.10.100.100
• To ping an address range, i.e. a scan
– # for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
![Page 14: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/14.jpg)
Linux/Unix Bash Network Sweep: Packaging a Script
• Package the ping sweep in a script file with Ctrl-C abort:
#!/bin/bash
bashtrap() { echo "Bashtrap Punt!"; exit; }   # runs when Ctrl-C (SIGINT) arrives
trap bashtrap INT
for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
• Use $1, $2, $3, … for command line arguments
• Use an if statement for conditionality, e.g.
– if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
![Page 15: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/15.jpg)
Linux/Unix Bash Network Scanning using While
• Read host numbers (last octet, one per line) from a hosts file and scan each with nmap:
#!/bin/bash
bashtrap() { echo "Bashtrap Punt!"; exit; }
trap bashtrap INT
if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
while read n; do
    echo -e "\nSCANNING $network.$n"
    nmap -O -sV --top-ports 9 --reason $network.$n
done < hosts
![Page 16: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/16.jpg)
Bash Banner Grabbing
#!/bin/bash
# hosts: last octets, one per line; ports: one port number per line
function t { echo -e "\nExiting!"; exit; }
trap t INT
if [ $# -eq 0 ]; then network="192.168.1"; else network=$1; fi
while read host; do
    echo -e "\nTESTING $network.$host PORTS..."
    while read port; do
        echo -n " $port"
        echo "" | nc -n -v -w1 $network.$host $port   # connect, send a blank line, print whatever the service says
    done < ports
done < hosts
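A banner grabber in Python, added here to illustrate the "services self-identify" point from the Bash slide and the nc-based script above; it is not the book's code. It connects with a timeout, waits for the service to speak first, and separates the three outcomes an inventory needs to tell apart: a banner, an open-but-silent port (services such as HTTP wait for the client to speak first), and a closed port. `FakeService` is a constructed loopback stand-in so the example runs without a real target, and the banner text is constructed.

```python
import socket
import threading

def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Return the banner a service volunteers on connect, "" if it connects but stays silent,
    or None if the port is closed/unreachable (connect refused or timed out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                return ""                       # open, but the service waits for the client to speak
            return data.decode("ascii", errors="replace").strip()
    except OSError:
        return None                             # refused, unreachable, or connect timed out

def scan_banners(host, ports, timeout=1.0):
    """Grab banners from several ports of one host; same three-way result per port."""
    return {port: grab_banner(host, port, timeout) for port in ports}

class FakeService(threading.Thread):
    """Constructed stand-in for a TCP service on loopback. With a banner it speaks first;
    without one it waits for the client, like HTTP does."""
    def __init__(self, banner=b""):
        super().__init__(daemon=True)
        self.banner = banner
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.start()

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            try:
                with conn:
                    if self.banner:
                        conn.sendall(self.banner)
                    else:
                        conn.recv(1)            # block until the client gives up and closes
            except OSError:
                pass

def demo(timeout=0.5):
    """Constructed lab: one chatty service, one silent service and one closed port, all on loopback."""
    chatty = FakeService(b"SSH-2.0-ConstructedBanner_1.0\r\n")
    silent = FakeService()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]        # bound then released: nothing listens there
    probe.close()
    results = scan_banners("127.0.0.1", [chatty.port, silent.port, closed_port], timeout)
    return {"chatty": results[chatty.port], "silent": results[silent.port], "closed": results[closed_port]}

if __name__ == "__main__":
    for kind, banner in demo().items():
        print(f"{kind:7s} -> {banner!r}")
```

Keeping the three outcomes distinct matters when the results feed an asset inventory: a `None` is a port to drop from the list, an empty string is an open service that still needs a protocol-specific probe, and only a non-empty banner is evidence of what is actually running. The timeout is per connection, so a large port list should be run through a bounded thread pool rather than serially.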
![Page 17: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/17.jpg)
Windows Command Line Scripting
•In Windows Command Line the concepts are very similar to Bash
• Use .bat suffix for script (batch) files
• Batch file arguments are %1, %2, %3, …
• Script file variables use the %% prefix (as in %%h)
• for /L to iterate through numbers (i.e. counting)
• for /F to iterate through a set or file
– Works like a while loop in Bash
![Page 18: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/18.jpg)
Windows Command Line : Standard IO, Pipes, and Sequences
• Example standard IO and pipes
– C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt
•Command sequence (&), conditional (&&)
–C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del
![Page 19: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/19.jpg)
Windows Command Line: Network Programming using For /L
• Ping sweep
– set network=%1
– for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "bytes=" >nul && echo Host at %network%.%%h
![Page 20: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/20.jpg)
Windows Command Line: Password Attack using For /F
set ipaddr=%1
set usertarget=%2
for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2>nul && echo PASS=%%p & net use \\%ipaddr% /del
![Page 21: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/21.jpg)
Python Scripting
•There are various categories of programming languages from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)
– Categories differ in the number of lines needed to implement a capability; the typical multiplier is 8
– Lower-level languages provide more detailed access and faster execution
– Python's advantage is that it is highly portable and has an extensive function library
![Page 22: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/22.jpg)
Python Programming for Accelerated Network Scanning
#!/usr/bin/env python3
import os
import time
from threading import Thread

start = time.ctime()
print(start)
scan = "ping -c1 -w1 "        # one echo request, wait at most 1 s (Linux ping flags)
max_host = 65                 # probe .1 through .64

class threadclass(Thread):
    """One thread per host: runs ping and keeps its output in self.status."""
    def __init__(self, ip):
        Thread.__init__(self)
        self.ip = ip
        self.status = -1
    def run(self):
        result = os.popen(scan + self.ip, "r")
        self.status = result.read()

threadlist = []
for host in range(1, max_host):
    ip = "192.168.85." + str(host)
    current = threadclass(ip)
    threadlist.append(current)
    current.start()           # all probes run concurrently
for t in threadlist:
    t.join()                  # wait for each probe, then report its ping output
    print("Status from ", t.ip, "is", repr(t.status))
print(start)
print(time.ctime())
• Threaded scanning is about 60X faster than serial scans
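The scanner above starts one thread per host and reads the clock before and after. The example below is added here and is not the book's code: it does the same sweep with a bounded `ThreadPoolExecutor` (so a larger range does not spawn a thread per address), separates the probe from the scheduling so the same sweep can be timed offline, and measures the serial-versus-threaded speedup directly instead of by eye. `ping_probe` uses the same Linux ping flags as the slide; `make_simulated_probe`, the 10.10.100.x addresses and the `--live` switch are constructed for this example.

```python
import subprocess
import sys
import time
from concurrent.futures import ThreadPoolExecutor

def ping_probe(ip):
    """Real probe: one ICMP echo request via the system ping (Linux flags as on the slide); True if answered."""
    done = subprocess.run(["ping", "-c1", "-w1", ip], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0

def make_simulated_probe(up_hosts, latency=0.05):
    """Constructed stand-in for ping: sleeps like a network round-trip and answers only for up_hosts."""
    def probe(ip):
        time.sleep(latency)
        return ip in up_hosts
    return probe

def sweep_serial(hosts, probe):
    """Baseline: one host after another, as the Bash for-loop on the earlier slide does."""
    return {h: probe(h) for h in hosts}

def sweep(hosts, probe, max_workers=32):
    """Bounded pool: at most max_workers probes in flight; map() keeps the input order."""
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(zip(hosts, pool.map(probe, hosts)))

def compare(hosts, probe, max_workers=32):
    """Run both sweeps, check they agree, and return results plus wall-clock timings and speedup."""
    t0 = time.perf_counter()
    serial = sweep_serial(hosts, probe)
    t1 = time.perf_counter()
    threaded = sweep(hosts, probe, max_workers)
    t2 = time.perf_counter()
    if serial != threaded:
        raise RuntimeError("threaded sweep disagrees with serial sweep")
    serial_s, threaded_s = t1 - t0, t2 - t1
    return {"results": threaded, "serial_s": serial_s, "threaded_s": threaded_s,
            "speedup": serial_s / max(threaded_s, 1e-9)}

if __name__ == "__main__":
    targets = [f"10.10.100.{i}" for i in range(1, 65)]          # same 64 hosts as the slide's max=65
    live = "--live" in sys.argv                                   # example's own switch: real ping vs. simulation
    probe = ping_probe if live else make_simulated_probe({"10.10.100.1", "10.10.100.100"})
    stats = compare(targets, probe)
    print("up:", [h for h, ok in stats["results"].items() if ok])
    print(f"serial {stats['serial_s']:.2f}s, threaded {stats['threaded_s']:.2f}s, "
          f"speedup {stats['speedup']:.0f}x with pool of 32")
```

The speedup is bounded by `max_workers` rather than by the host count: with 32 workers and 64 hosts the threaded sweep takes roughly two probe latencies, and raising the pool size trades memory and file descriptors for time. A pool also gives a natural place to cap rate so that the sweep does not trip the IDS thresholds a defender would set for exactly this traffic pattern.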
![Page 23: Chapter 6: Protocol Analysis and Network Programming](https://reader034.fdocuments.us/reader034/viewer/2022042608/5681324e550346895d98c7ee/html5/thumbnails/23.jpg)
REVIEW Chapter Summary