Packet analysis (Basic)
Transcript of Packet analysis (Basic)
Network Packet Analysis (basic)
Ahmad Muammar W.K. OSCP
Technical Workshop (25 October 2012)
Tuesday, January 22, 13
Introduction
• A.K.A y3dips
• Pro. Bandwidth Hunter
• IT(Sec) Consultant/Pentester/py.Coder
• Founder echo.or.id, ubuntu-id, idsecconf
• @y3dips, [email protected]
Network Packet Analysis - Ahmad Muammar W.K. OSCP, Tuesday, January 22, 13
Packet Analysis
• Captured Network Traffic
• Analyze the protocols, carve out the files, search for strings
Packet Analysis
• Analyze fields within protocols
• Analyze protocols within packets
• Analyze packets within streams
• Reconstruct higher-layer protocols
Issues Found
• Too many packets per stream
• Packets corrupted or truncated
• Contents encrypted at different layers
• Non-standard protocols
Protocol Analysis
• Examination of one or more fields within the protocol’s data structure.
Packet Analysis
Wireshark
Ahmad Muammar W.K. OSCP
Network Packet Analysis Technical Workshop (25 October 2012)
Wireshark: Advanced Usage
Wireshark Display
• Packet List
• Packet Details
• Packet Bytes
Wireshark: Coloring Rules
Wireshark: Capture Filters
Capture Filters: for the sake of performance
Capture/BPF syntax
• Type: host, net, port
• Direction: src, dst
• Proto: ether, ip, tcp, udp
• Logical operators: &&, ||, !
Capture Filters
• Filtering by host
• host ipv4/ipv6 (an IPv4 or IPv6 address)
• host hostname
• ether host mac (e.g. 00-11-22-33-44-55)
• src host 192.168.1.1 / dst host 192.168.1.1 (one direction only)
Capture Filters
• Filtering by protocol or port
• port 443
• !port 443
• protocol name (e.g. icmp)
• !protocol name (e.g. !icmp)
Capture Filters
• Protocol field (byte offset within the protocol header)
• icmp[0] == 3 (destination unreachable)
• icmp[0] == 8 (echo request)
• tcp[13] & 4 == 4 (RST flag set)
• tcp[13] & 1 == 1 (FIN flag set)
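To show what these byte-offset filters actually test, here is an added Python example (not code from the workshop) that evaluates the four filters above against constructed raw IPv4 packets; the addresses, ports and packet contents are assumptions.

```python
import struct

# Constructed sample packets (not from the slides): raw IPv4 packets, as a capture taken
# on a "raw IP" link type would store them, so offset 0 is the first byte of the IP header.
def ipv4(proto, payload, options=b""):
    ihl = 5 + len(options) // 4                  # header length in 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 168, 1, 1]), bytes([192, 168, 1, 222]))
    return hdr + options + payload

def tcp(flags):
    # ports, seq, ack, data offset (5 words) in the high nibble, flags byte, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, flags, 8192, 0, 0)

def icmp(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)   # type, code, csum, id, seq

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

def field(pkt, proto, offset):
    """proto[offset] with BPF semantics: the offset counts from the start of that protocol's
    own header, which begins after the variable-length IPv4 header (IHL*4 bytes)."""
    start = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO[proto] or start + offset >= len(pkt):
        return None                              # not that protocol: predicate cannot match
    return pkt[start + offset]

def tcp_flag(pkt, bit):
    flags = field(pkt, "tcp", 13)                 # tcp[13] is the flags byte
    return flags is not None and flags & bit == bit

# The four capture filters from the slide, as predicates over a raw packet.
FILTERS = {
    "icmp[0] == 3 (unreachable)":  lambda p: field(p, "icmp", 0) == 3,
    "icmp[0] == 8 (echo request)": lambda p: field(p, "icmp", 0) == 8,
    "tcp[13] & 4 == 4 (RST)":      lambda p: tcp_flag(p, 0x04),
    "tcp[13] & 1 == 1 (FIN)":      lambda p: tcp_flag(p, 0x01),
}

def matching(pkt):
    return [name for name, pred in FILTERS.items() if pred(pkt)]

SAMPLES = {
    "icmp unreachable": ipv4(1, icmp(3)),
    "icmp echo request": ipv4(1, icmp(8)),
    "tcp rst": ipv4(6, tcp(0x04)),
    # FIN+ACK behind a 4-byte IP options field (IHL=6): tcp[13] still hits the flags byte
    # because BPF counts from the TCP header, whereas ip[33] would now be wrong.
    "tcp fin+ack with ip options": ipv4(6, tcp(0x11), options=b"\x01\x01\x01\x01"),
}
```

Calling `matching(pkt)` for each entry in `SAMPLES` lists exactly the slide filters that packet satisfies.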
Display Filters: see only what you want to see
Display Filters
• !(tcp.port == 443)
• tcp.flags.syn == 1
• !arp
• tcp.port == 21 || tcp.port == 23
• smtp || pop || imap
Packet Analysis: Wrong Dissector
Protocol Dissector
• Lets Wireshark automatically break a packet down into its protocol sections so that each can be analyzed
• A translator or decoder for the protocol
• Selected by port number, so it does not work for traffic on a non-standard (non-default) port
Wrong Dissector
• So it is SSL traffic (port 443)?
• But why are we able to see all the information in clear text?
• FTP traffic using port 443?
• Decode it as FTP ("Decode As...")
Packet Analysis: Reconstruct File and Data
Reconstruct Data
• nc -lv 110 > confidential.pdf (receiver: listen on port 110 and write the stream to a file)
• nc -vv 192.168.1.222 110 < confidential.pdf (sender: push the file to the listener)
• A PDF and a zip sent over a non-standard port: port 110 carries raw files here, not POP3
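The wrong-dissector case above and the nc transfer here come down to the same thing: the port number says nothing about the payload, so the analyst follows the stream and looks at the bytes. The following Python is an added example, not code from the workshop: it reassembles tshark field output (a constructed sample) per stream direction and identifies the content from its magic bytes; the capture file name, ports and payloads are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the slides) of tshark field output for one capture:
#   tshark -r transfer.pcap -Y "tcp.len>0" -T fields -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.payload
# tcp.seq is relative (Wireshark's default); tcp.payload is hex, colon-separated in older
# releases. 45123->110: netcat push of a PDF, one segment out of order, one retransmitted.
# 45200->110: a zip. 443->50111: a plaintext FTP banner the SSL dissector cannot decode.
TSHARK_OUTPUT = """\
45123\t110\t6\t31:2e:34:0a:25:e2:e3:cf:d3:0a
45123\t110\t1\t25:50:44:46:2d
45123\t110\t6\t31:2e:34:0a:25:e2:e3:cf:d3:0a
45123\t110\t16\t31:20:30:20:6f:62:6a:0a
45200\t110\t1\t504b030414000000
443\t50111\t1\t323230204654502072656164790d0a
"""
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]

def parse_tshark(text):
    """Group payload segments by (srcport, dstport): one direction of one TCP stream."""
    streams = defaultdict(list)
    for line in text.splitlines():
        sport, dport, seq, payload = line.split("\t")
        streams[(int(sport), int(dport))].append((int(seq), bytes.fromhex(payload.replace(":", ""))))
    return streams

def reassemble(segments):
    """Order by seq, drop retransmitted bytes, count holes (truncated captures)."""
    ordered = sorted(segments)
    data, expected, gaps = bytearray(), ordered[0][0], 0
    for seq, payload in ordered:
        if seq + len(payload) <= expected:       # retransmission: nothing new
            continue
        gaps += seq > expected                   # a hole means bytes were never captured
        new = payload[max(expected - seq, 0):]   # partial overlap keeps only the new tail
        data += new
        expected = max(seq, expected) + len(new)
    return bytes(data), gaps

def classify(data):
    """Identify content from its first bytes instead of trusting the port number."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 3 and data[2] <= 3:
        return "tls handshake record"
    return "text protocol (FTP/SMTP-style reply code)" if re.match(rb"[1-5]\d\d[ -]", data) else "unknown"

def analyse(text):
    out = {}                                     # (sport, dport) -> (kind, bytes, gap count)
    for key, segs in parse_tshark(text).items():
        data, gaps = reassemble(segs)
        out[key] = (classify(data), data, gaps)
    return out
```

`analyse(TSHARK_OUTPUT)` returns the reassembled bytes per direction, which can be written straight to a file once the kind is known; a non-zero gap count means the carved file will be incomplete.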
Packet Analysis: Reconstruct PDF File
Packet Analysis: Reconstruct Zip File from an nc File Transfer
Packet Analysis: Reconstruct Zip File from an FTP Server
Packet Analysis: Decrypting and Decoding SSL Packets