Wireshark - Start [APNIC TRAINING WIKI]

Transcription

Wireshark
25-29 June 2018, PacNOG 22, Honiara, Solomon Islands

Why do we need to capture packets, and how is it related to security?

tcpdump Definition

tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed on the screen or saved to a file for later analysis. tcpdump uses the libpcap library for packet capture.

tcpdump command examples

# tcpdump -nni eth0
# tcpdump -nni eth0 host 10.10.10.10
# tcpdump -nni eth0 dst host 10.10.10.10 and tcp
# tcpdump -nni eth0 src net 10.10.10.0/24 and tcp and portrange 1-1024

-nn    don't resolve IP addresses to hostnames or port numbers to service names
-i     interface to watch
dst    match only traffic destined to a net, host or port
src    match only traffic whose source is a net, host or port
net    specifies a network
host   specifies a host
port   specifies a port (portrange a-b matches a range of ports)
tcp / udp / icmp    match by protocol (the filter language is BPF, the same syntax Wireshark uses for capture filters)

tcpdump command examples

# tcpdump -nni eth0 -s0
# tcpdump -nni eth0 -s0 -c 1000 not port 22
# tcpdump -nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-s0    snapshot length 0 means capture the whole packet (old tcpdump releases defaulted to 68 or 96 bytes and truncated payloads; since tcpdump 4.0 the default is 262144 bytes, so -s0 is mostly a habit)
-c     number of packets to capture before exiting

tcpdump pcaps

# tcpdump -nni eth0 -w capture.pcap -vv -c 1000
# tcpdump -nn -r capture.pcap port 80

-w capture.pcap    save the captured packets to capture.pcap (raw packets, not the text output)
-vv                when writing with -w, print the number of packets captured so far every 10 seconds
-r capture.pcap    read packets from the capture file instead of an interface (-i is ignored); a filter expression still applies
-c                 number of packets

tcpdump Output

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 106, win 4092, options [nop,nop,TS val 376934736 ecr 854797891], length 0
IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val 854797891 ecr 376933204], length 53
IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack 159, win 4091, options [nop,nop,TS val 376934736 ecr 854797891], length 0

Reading a line: source address.port > destination address.port, the TCP flags (S = SYN, . = ACK, P = PSH, F = FIN, R = RST), sequence and acknowledgement numbers shown relative to the start of the connection (tcpdump -S prints the absolute values), the receiver window, any TCP options (here the timestamp option) and the payload length in bytes.

What is Wireshark?

Wireshark is a network packet/protocol analyzer.
– A network packet analyzer will try to capture network packets and display the packet data in as much detail as possible.
Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.

About Wireshark

Formerly known as "Ethereal"
– Author Gerald Combs left Network Integration Services, which held the Ethereal trademark, so the project was renamed
– Free
Requirements
– Need to install WinPcap on Windows (current installers ship Npcap instead)
– The latest Wireshark installer contains WinPcap, don't worry
– (On Windows Vista) need Administrator privilege to capture
GUI
– Dramatically improved

Why Wireshark

network administrators use it to troubleshoot network problems
network security engineers use it to examine security problems
developers use it to debug protocol implementations
people use it to learn network protocol internals
Wireshark isn't an intrusion detection system.
Wireshark will not manipulate things on the network, it will only "measure" things from it.

How to Install

Very straightforward: just double-click and follow the instructions.
https://www.wireshark.org/download.html

Capture

Dashboard

Menu, Filter, Capture Data, Raw Data

Filters

Capture filter
– captures only traffic that matches the capture filter rule (BPF syntax, the same as tcpdump)
– saves disk space
– prevents packet loss, since less traffic has to be copied from the kernel
Display filter
– hides packets that have already been captured; uses Wireshark's own field syntax (ip.addr == ..., tcp.port == ...), and nothing is discarded
Tweak appearance

Apply Filters

ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1, as either the source or destination]
ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 [sets a conversation filter between the two defined IP addresses]
http or dns [sets a filter to display all http and dns]
tcp.port == 4000 [sets a filter for any TCP packet with 4000 as a source or destination port]
tcp.flags.reset == 1 [displays all TCP resets]
http.request [displays all HTTP requests; add http.request.method == "GET" to keep only GETs]
tcp contains rviews [displays all TCP packets that contain the word 'rviews'. Excellent when searching for a specific string or user ID]
!(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]

Follow TCP Stream

Build TCP Stream
– Select a TCP packet, then Follow TCP Stream

Use "Statistics"

What protocol is used in your network
– Statistics - Protocol Hierarchy
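The pcap file that tcpdump -w writes and tcpdump -r or Wireshark reads has a simple layout, and both the tcpdump output lines shown earlier and Follow TCP Stream are just views over the decoded segments. The Python below is an added example, not part of the APNIC material: it builds a small pcap of a constructed telnet-style login (addresses, ports, sequence numbers and the credentials are made up), reads it back, prints every segment in tcpdump -nn style, and reassembles each direction the way Follow TCP Stream does. It uses only the standard library; the pcap, Ethernet, IPv4 and TCP layouts are the standard ones, and checksums are neither computed nor verified.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, ACK, PSH = 0x02, 0x10, 0x08
# tcpdump prints flag letters in this order; "." stands for ACK
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]

def build_frame(src, sport, dst, dport, flags, seq, ack, payload=b"", win=65535):
    """Ethernet/IPv4/TCP frame for constructed test traffic; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp + payload

def write_pcap(frames, snaplen=65535, t0=1529366400):
    """Serialize frames the way tcpdump -w does; a small snaplen truncates records like -s N."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

def read_pcap(data):
    """Yield (timestamp, captured bytes, original length) per record, either byte order."""
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if end is None:
        raise ValueError("not a classic pcap (pcapng and nanosecond files are not handled)")
    if struct.unpack_from(end + "IHHiIII", data)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen], origlen
        off += caplen

def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP; None for other traffic or a header cut off by the snaplen."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", frame, t)
    doff = (off_flags >> 12) * 4
    plen = ip_len - ihl - doff                       # real payload length, from the IP header
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport, "seq": seq, "ack": ack,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport, "flags": off_flags & 0xFF,
            "win": win, "length": plen, "payload": frame[t + doff:t + doff + plen]}

def tcpdump_lines(pcap):
    """Render segments as tcpdump -nn prints them: handshake numbers absolute, later seq/ack
    relative to each direction's ISN (tcpdump -S shows raw numbers). TCP options are omitted."""
    isn, lines = {}, []
    for _, frame, _ in read_pcap(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] & SYN:
            isn[fwd], seq, ack = p["seq"], p["seq"], p["ack"]
        else:
            seq = (p["seq"] - isn.get(fwd, 0)) & 0xFFFFFFFF
            ack = (p["ack"] - isn.get(fwd[2:] + fwd[:2], 0)) & 0xFFFFFFFF
        flags = "".join(ch for bit, ch in TCP_FLAGS if p["flags"] & bit)
        parts = [f"IP {fwd[0]}.{fwd[1]} > {fwd[2]}.{fwd[3]}: Flags [{flags}]"]
        if p["flags"] & SYN:
            parts.append(f"seq {seq}")
        elif p["length"]:
            parts.append(f"seq {seq}:{seq + p['length']}")
        if p["flags"] & ACK:
            parts.append(f"ack {ack}")
        lines.append(", ".join(parts + [f"win {p['win']}", f"length {p['length']}"]))
    return lines

def follow_stream(pcap, a, b):
    """Follow TCP Stream: each direction's payload in sequence order, retransmissions collapsed."""
    chunks = {a: {}, b: {}}                          # sequence-number wrap-around is ignored
    for _, frame, _ in read_pcap(pcap):
        p = parse_tcp(frame)
        if p and p["length"] and {(p["src"], p["sport"]), (p["dst"], p["dport"])} == {a, b}:
            chunks[(p["src"], p["sport"])].setdefault(p["seq"], p["payload"])
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in chunks.items()}

def sample_telnet_capture(snaplen=65535):
    """Constructed telnet-style login from 192.168.1.8:54343 to 192.168.0.1:23 (made-up data)."""
    c, s = ("192.168.1.8", 54343), ("192.168.0.1", 23)
    nxt = {c: 1001, s: 5001}                         # first data byte after the handshake
    frames = [build_frame(*c, *s, SYN, nxt[c] - 1, 0),
              build_frame(*s, *c, SYN | ACK, nxt[s] - 1, nxt[c]),
              build_frame(*c, *s, ACK, nxt[c], nxt[s])]
    for who, data in [(s, b"login: "), (c, b"admin\r\n"), (s, b"Password: "),
                      (c, b"hunter2\r\n"), (s, b"$ ")]:
        peer = s if who == c else c
        frames.append(build_frame(*who, *peer, PSH | ACK, nxt[who], nxt[peer], data))
        nxt[who] += len(data)
    frames.append(frames[-2])                        # retransmitted password segment
    return write_pcap(frames, snaplen)
```

Call sample_telnet_capture(60) to see what a short snaplen does: the records are truncated, parse_tcp still decodes the headers, but the reassembled client stream comes back as b'admin\rhunter' instead of the full login, which is the reason for -s 0 in the slides. Real captures also carry TCP options, and a production reassembler needs checksum checks and wrap-around handling that are left out here.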

Use "Statistics"

Which host is most chatty
– Statistics - Conversations

Need CLI?

If you prefer a character-based interface, try tshark.exe
C:\program files\wireshark\tshark.exe

Tcpdump & Wireshark

tcpdump -i interface -s 65535 -w some-file

Exercise

Install Wireshark on your PC
Run Wireshark and capture inbound/outbound traffic
Download capture files from
– Follow the instructor's guide.

Exercise 1: Good Old Telnet

File
– telnet.pcap
Question
– Reconstruct the telnet session.
Q1: Who logged into 192.168.0.1
– Username, Password.
Q2: After logging in, what did the user do?
Tip
– telnet traffic is not secure: everything, including the password, is sent in clear text

Exercise 2: Massive TCP SYN

File
– massivesyn1.pcap and massivesyn2.pcap
Question
– Point out the difference between them.
Q1: massivesyn1.pcap is a ______ attempt.
Q2: massivesyn2.pcap is a ______ attempt.
Tip
– Pay attention to Src IP

Exercise 3: Chatty Employees

File
– chat.dmp
Question
Q1: What kind of protocol is used?
Q2: This is a conversation between ______@hotmail.com and ______@hotmail.com
Q3: What do they say about you (sysadmin)?
Tip
– Your chat can be monitored by the network admin.

Exercise 4: Suspicious FTP activity

File
– ftp1.pcap
Question
– Q1: 10.121.70.151 is FTP ______.
– Q2: 10.234.125.254 is FTP ______.
– Q3: FTP error code 530 means ______.
– Q4: 10.234.125.254 attempts ______.
Tip
– How many login errors occur within a minute?
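Exercises 2 and 4, and the "most chatty host" statistic, are all questions about counts over the decoded segments, so they can be answered from the command line as well as from the GUI. The Python below is an added example, not part of the APNIC material or of the exercise answers: it works on records shaped like the columns of tshark -T fields (frame time, source, source port, destination, destination port, TCP flags, payload) and applies the heuristics a practitioner would use: one source sending SYNs to many ports of one target reads as a port scan, many sources sending SYNs to one port and never completing the handshake reads as a SYN flood, and a burst of FTP 530 replies to one client within a minute reads as password guessing. The traffic is constructed inline; all addresses are made up except the two FTP hosts named in Exercise 4, and the thresholds are tuning knobs, not standards.

```python
from collections import Counter, defaultdict, namedtuple

SYN, ACK = 0x02, 0x10
# One record per TCP segment, the columns you would get from
#   tshark -r file.pcap -T fields -e frame.time_relative -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.payload
Seg = namedtuple("Seg", "t src sport dst dport flags payload")

def chattiest_hosts(segs, n=3):
    """Statistics -> Conversations boiled down to packets per host, either direction."""
    count = Counter()
    for s in segs:
        count[s.src] += 1
        count[s.dst] += 1
    return count.most_common(n)

def syn_profile(segs):
    """Pure SYNs only (SYN set, ACK clear): which ports each source probed on each target,
    and which sources hit each target port. One source hitting many ports reads as a port
    scan; many (spoofed) sources hitting one port without ever completing the handshake
    reads as a SYN flood."""
    ports_per_src, srcs_per_target = defaultdict(set), defaultdict(set)
    for s in segs:
        if s.flags & SYN and not s.flags & ACK:
            ports_per_src[(s.src, s.dst)].add(s.dport)
            srcs_per_target[(s.dst, s.dport)].add(s.src)
    return ports_per_src, srcs_per_target

def classify_syn_burst(segs, threshold=20):
    """Label the two patterns from Exercise 2; the threshold is a tuning knob."""
    ports_per_src, srcs_per_target = syn_profile(segs)
    verdicts = [f"port scan: {src} probed {len(p)} ports on {dst}"
                for (src, dst), p in ports_per_src.items() if len(p) >= threshold]
    verdicts += [f"SYN flood: {len(srcs)} sources hit {dst}:{dport}"
                 for (dst, dport), srcs in srcs_per_target.items() if len(srcs) >= threshold]
    return verdicts

def ftp_bruteforce(segs, window=60.0, threshold=5):
    """Exercise 4's tip, 'how many login errors within a minute': count 530 replies from
    port 21 per client in a sliding window; return client -> time the threshold was first hit."""
    recent, hits = defaultdict(list), {}
    for s in segs:
        if s.sport == 21 and s.payload.startswith(b"530"):
            q = recent[s.dst]
            q.append(s.t)
            while q[0] < s.t - window:
                q.pop(0)
            if len(q) >= threshold:
                hits.setdefault(s.dst, s.t)
    return hits

def sample_records():
    """Constructed traffic: a SYN scan, a SYN flood and an FTP password-guessing burst."""
    segs = []
    for port in range(1, 26):                   # one host walks ports 1-25 on 192.168.0.1
        segs.append(Seg(float(port), "10.0.0.5", 40000 + port, "192.168.0.1", port, SYN, b""))
    for i in range(30):                         # 30 spoofed sources, one SYN each, to port 80
        segs.append(Seg(100.0 + i, f"203.0.113.{i + 1}", 1024 + i, "192.168.0.1", 80, SYN, b""))
    for i in range(8):                          # eight failed FTP logins within 40 seconds
        t = 200.0 + 5 * i
        segs.append(Seg(t, "10.234.125.254", 50000 + i, "10.121.70.151", 21, ACK,
                        b"PASS guess%d\r\n" % i))
        segs.append(Seg(t + 1, "10.121.70.151", 21, "10.234.125.254", 50000 + i, ACK,
                        b"530 Login incorrect.\r\n"))
    for t in (300.0, 900.0):                    # a real user who mistypes twice, far apart
        segs.append(Seg(t, "10.121.70.151", 21, "10.10.10.7", 51000, ACK,
                        b"530 Login incorrect.\r\n"))
    return segs
```

On a real capture the records come from tshark rather than sample_records(); the sliding window in ftp_bruteforce is what keeps the legitimate user who mistypes twice ten minutes apart below the threshold, while the eight failures in 40 seconds cross it on the fifth reply.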

Exercise 5: Unidentified Traffic

File
– Foobar.pcap
Question
– Q1: See what's going on with the Wireshark GUI
Statistics - Conversation List - TCP (*)
– Q2: Which application uses TCP/6346? Check the web.

Exercise 6: Covert channel

File
– covertinfo.pcap
Question
– Take a closer look! This is not a typical ICMP Echo/Reply
– Q1: What kind of tool do they use? Check the web.
– Q2: Name other applications which tunnel user traffic.

Exercise 7: SIP

File
– sipchat.pcap
Questions:
– Q1: Can we listen to SIP voice?
– Q2: How!!

Virustotal

https://www.virustotal.com/
Checking files for viruses

LAB

Defense and Mitigation – Community

You can't do it all alone!

and luckily, there is a great community providing services/tools, such as
– Security @ APNIC https://www.apnic.net/security
– Passive DNS by cert.at
– Panopticon Shared Proxy by circl.lu et al.
– openresolverproject.com / www.openresolver.nl
– n6 Reports by cert.pl
– CAP Reports by Team Cymru
– phishtank.com, spamcop.net
– Contacts contacts contacts
– and many more – what else do you know / offer?

www.weibo.com/APNICrir

Thank You! END OF SESSION
