![Page 1: Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF Lisa Bock Pennsylvania College of Technology Monday October 5, 2015 11:00am - 12:15am](https://reader035.vdocument.in/reader035/viewer/2022062222/5697bfa91a28abf838c9a05a/html5/thumbnails/1.jpg)
Advanced Packet Analysis and Troubleshooting Using Wireshark
23AF
Lisa Bock
Pennsylvania College of Technology
Monday October 5, 2015 11:00am - 12:15am
Track AF | Level 1 | Atlantic VI
Learning Objectives
• Examine common protocols such as
– TCP, HTTP, DNS, and FTP
• Evaluate
– TCP/IP protocol stack vulnerabilities
– Common passive attack signatures
– Common active attack and malware signatures
EXPLORE THE WIRESHARK INTERFACE
Capture Packets
• Once you open a capture you will see three panes:
– Top: packet list of all of the packets received during the capture session
– Middle: details of a single frame
– Bottom: the bytes of a single frame
ICMP
Internet Control Message Protocol
• Used to send error messages and query the network
• No data is exchanged
ICMP is actually an integral part of IP, and must be implemented by every IP module.
A Scout for IP!
Internet Control Message Protocol
• ICMP is used by ping
– It can generate echo-request/echo-reply query messages.
• Four types of query messages generated by the ping command
ICMP Message
Start with ICMP
Tracert to Generate ICMP Traffic
An ICMP Example
• Shows the ICMP packets tracing the route to COMMON.org
• Filter: icmp
• You will see the entire tracert communication
• With a few errors!
ICMP - Destination Unreachable
ICMP within an IP Packet
When an ICMP error message is sent, the message always contains the IP header and the first 8 bytes of the IP datagram that caused the ICMP error to be generated.
ICMP Error Codes
• Type 3 Destination Unreachable Codes
– 0 - Net Unreachable
– 1 - Host Unreachable
– 2 - Protocol Unreachable
ICMP Error Codes
• Type 11 Time Exceeded Codes
– 0 - TTL Exceeded
– 1 - Fragment Reassembly Time Exceeded
You should not allow fragmentation on your network!
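An added example (not part of the deck) showing what the "ICMP within an IP Packet" and error-code slides describe: a parser that names the type/code of a Destination Unreachable or Time Exceeded message and recovers the quoted IP header and first 8 bytes of the triggering datagram, as Wireshark does in the details pane. The sample packet, addresses and ICMP id/sequence values are constructed; checksums are left at zero and not validated.

```python
import struct

# Type/code names from the deck's ICMP error-code slides (plus type 3 code 3,
# which a probe to a closed UDP port produces); values as defined in RFC 792.
ICMP_ERROR_NAMES = {
    (3, 0): "Destination Unreachable / Net Unreachable",
    (3, 1): "Destination Unreachable / Host Unreachable",
    (3, 2): "Destination Unreachable / Protocol Unreachable",
    (3, 3): "Destination Unreachable / Port Unreachable",
    (11, 0): "Time Exceeded / TTL Exceeded",
    (11, 1): "Time Exceeded / Fragment Reassembly Time Exceeded",
}

def parse_icmp_error(icmp):
    """Parse an ICMP error message given as the bytes that follow the outer IP header.

    Returns the type/code name plus what can be recovered from the quoted IP header
    and the first 8 bytes of the datagram that triggered the error.
    """
    itype, code = icmp[0], icmp[1]
    if itype not in (3, 11):
        raise ValueError("not a Destination Unreachable or Time Exceeded message")
    inner = icmp[8:]                        # quoted IP header follows the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4             # header length in bytes (options included)
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    first8 = inner[ihl:ihl + 8]             # the 8 bytes past the header = start of L4 header
    info = {"name": ICMP_ERROR_NAMES.get((itype, code), f"type {itype} code {code}"),
            "orig_src": src, "orig_dst": dst, "orig_proto": proto}
    if proto in (6, 17) and len(first8) >= 4:       # TCP/UDP: ports are the first 4 bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", first8[:4])
    elif proto == 1 and len(first8) == 8:           # ICMP echo (Windows tracert): id and seq
        info["orig_icmp_type"], _, _, info["orig_id"], info["orig_seq"] = struct.unpack("!BBHHH", first8)
    return info

def build_sample():
    """Constructed sample: a router's Time Exceeded (TTL) quoting the echo request
    10.0.0.5 -> 198.51.100.7 (id 1, seq 7) that a tracert hop sent with TTL=1."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0, 1, 1, 0,
                         bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]))
    echo8 = struct.pack("!BBHHH", 8, 0, 0, 1, 7)   # first 8 bytes of the original datagram
    return bytes([11, 0, 0, 0, 0, 0, 0, 0]) + ip_hdr + echo8
```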
Which ICMP do you allow?
• The only essential ICMP traffic
– Type 3 Destination Unreachable
– Type 4 Source Quench
• Optional
– 0 Echo Reply
– 8 Echo
– 11 Time Exceeded (traceroute)
ICMP Attacks
• Can be altered for evil purposes.
– ICMP is used in reconnaissance by Kali Linux
– Denial of Service
– Covert Channel
Network Scans
• Nmap is a tool used to discover hosts and services on a network
• Creates a "map" of the network
Network Scans
• It can be used to quickly scan thousands of ports
– To see ports in open or closed states.
• By default, Nmap performs a SYN Scan
Nmap
• Scanning can be used as a passive attack in the form of reconnaissance.
• After running a scan, the software will output results from the IP range you selected
Nmap Output
• Ports | Hosts
– The results of the port scan
– Including the well-known services for those ports.
Nmap Output
• Topology
– An interactive view of the connections between hosts in a network.
• Host Details
– Details such as the number of ports, IP addresses, hostnames, operating systems, and more.
Normal Three Way Handshake
Port Scan
• An ACK Reset (RST/ACK) sent in response to a SYN frame
• Sent to acknowledge the receipt of the frame
– Lets the client know that the server cannot allow the connection on that port.
Port Scan
• Same source and destination IP address across all of the packets
• Only the SYN flag is set
• The destination port number of each packet changes as it tries every port
http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-two
Port Scan
• In packets 14, 15 and 16 we see an actual connection
• Then it continues to attempt another connection in packets 18, 19 and 20
• Enable SYN flood protection
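An added detection example (not part of the deck) that turns the three port-scan slides into a check: it looks for one source sending SYN-only segments to many distinct ports on the same destination within a short window, and counts how the target answered (RST/ACK for closed ports, SYN/ACK for open ones). The packet summaries are constructed, with the scanner 10.0.0.9, the target 10.0.0.20 and the thresholds chosen for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (time, src, dst, sport, dport, tcp_flags), modelled on
# the deck's capture: 10.0.0.9 SYN-scans 10.0.0.20, 10.0.0.30 makes one normal connection.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.9", "10.0.0.20", 40001, 21, "S"),
    (0.001, "10.0.0.20", "10.0.0.9", 21, 40001, "RA"),   # closed port: RST/ACK
    (0.002, "10.0.0.9", "10.0.0.20", 40002, 22, "S"),
    (0.003, "10.0.0.20", "10.0.0.9", 22, 40002, "SA"),   # open port: SYN/ACK
    (0.004, "10.0.0.9", "10.0.0.20", 40002, 22, "R"),    # half-open scan tears it down
    (0.005, "10.0.0.9", "10.0.0.20", 40003, 23, "S"),
    (0.006, "10.0.0.20", "10.0.0.9", 23, 40003, "RA"),
    (0.007, "10.0.0.9", "10.0.0.20", 40004, 25, "S"),
    (0.008, "10.0.0.20", "10.0.0.9", 25, 40004, "RA"),
    (0.009, "10.0.0.9", "10.0.0.20", 40005, 80, "S"),
    (0.010, "10.0.0.20", "10.0.0.9", 80, 40005, "RA"),
    (0.011, "10.0.0.9", "10.0.0.20", 40006, 110, "S"),
    (0.012, "10.0.0.20", "10.0.0.9", 110, 40006, "RA"),
    (1.000, "10.0.0.30", "10.0.0.20", 51000, 22, "S"),   # ordinary client: one port only
    (1.001, "10.0.0.20", "10.0.0.30", 22, 51000, "SA"),
    (1.002, "10.0.0.30", "10.0.0.20", 51000, 22, "A"),
]

def find_syn_scanners(packets, min_ports=5, window=2.0):
    """Flag (src, dst) pairs whose SYN-only segments hit at least `min_ports` distinct
    destination ports within any `window` seconds, and count how the target answered."""
    syns = defaultdict(list)                                   # (src, dst) -> [(t, dport)]
    answers = defaultdict(lambda: {"rst_ack": 0, "syn_ack": 0})
    for t, src, dst, _sport, dport, flags in packets:
        if flags == "S":
            syns[(src, dst)].append((t, dport))
        elif flags == "RA":
            answers[(dst, src)]["rst_ack"] += 1                # key by the probing side
        elif flags == "SA":
            answers[(dst, src)]["syn_ack"] += 1
    findings = {}
    for pair, events in syns.items():
        events.sort()
        # largest set of distinct ports inside a window starting at each SYN
        best = max(len({p for t, p in events[i:] if t - t0 <= window})
                   for i, (t0, _) in enumerate(events))
        if best >= min_ports:
            findings[pair] = {"distinct_ports": best, **answers[pair]}
    return findings
```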
SEC-Bittorrent
• BitTorrent - peer-to-peer file sharing
• Uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents
– Consists of a number of different queries and corresponding responses.
• Ping - used to check if a peer is available.
SEC-Bittorrent
• Find_node - used to find the contact information for a peer.
• Get_peers - requests a list of peers which have pieces of the content.
• Announce_peer - announces the contact information for the peer to the network.
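An added example (not part of the deck) for the two DHT slides: a small bencode decoder plus a classifier that labels a captured DHT datagram as one of the queries listed above (ping, find_node, get_peers, announce_peer) or as a response or error, which is what you are reading when you follow the UDP stream. The sample messages are constructed, and the 20-byte node id and info_hash are placeholder values, not real ones.

```python
def bdecode(data, pos=0):
    """Decode one bencoded value starting at `pos`; returns (value, next_pos).
    Strings come back as bytes and dict keys are bytes, as in the wire format."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dict: l...e / d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")

def classify_dht(payload):
    """Summarise one DHT datagram: which query (ping, find_node, get_peers,
    announce_peer) it carries, or whether it is a response or an error."""
    msg, _ = bdecode(payload)
    kind = msg.get(b"y")
    tid = msg.get(b"t", b"").hex()
    if kind == b"q":
        args = msg.get(b"a", {})
        return {"kind": "query", "q": msg[b"q"].decode(), "tid": tid,
                "node_id": args.get(b"id", b"").hex(),
                "info_hash": args.get(b"info_hash", b"").hex()}
    if kind == b"r":
        return {"kind": "response", "tid": tid, "node_id": msg[b"r"].get(b"id", b"").hex()}
    return {"kind": "error", "tid": tid}

# Constructed samples: node id and info_hash are placeholder 20-byte values.
NODE_ID = bytes(range(20))
INFO_HASH = bytes([0xAB] * 20)
PING_QUERY = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
GET_PEERS_QUERY = (b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + INFO_HASH
                   + b"e1:q9:get_peers1:t2:ab1:y1:qe")
PING_RESPONSE = b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"
```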
SEC-Bittorrent
Right click on packet 22 and follow UDP Stream
Advice
• Understand attacks
• Take steps to defend your iSeries device
• National Cyber Awareness System
• https://www.us-cert.gov/ncas
• Keep system patched and updated
• Monitor
WEP and why it is weak - Demo
• GO TO http://goo.gl/HYTVzz
• Software such as Kali Linux or Aircrack can recover the key used
– After intercepting and analyzing only a small amount of WEP traffic.
28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37
QUESTIONS?
More Resources
• For more Packet Captures go to http://www.netresec.com/?page=PcapFiles
• Wireshark Network Analysis, by Laura Chappell, Chappell Binding
• Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated
Lynda.com
• See my course on Lynda.com!
• Troubleshooting your Network with Wireshark