
Page 1: Chapter 6: Protocol Analysis and Network Programming

Lecture Materials for the John Wiley & Sons book:

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 20, 2023 DRAFT 1

Chapter 6: Protocol Analysis and Network Programming

Page 2: Chapter 6: Protocol Analysis and Network Programming

Networking Theory and Practice

•Open Systems Interconnection (OSI) defines the standard 7-layer protocol stack

–Of the 7 layers, only the lower 4 are routinely distinguished in practice:

•Physical (Layer 1)
•Data Link (Layer 2)
•Network (Layer 3)
•Transport (Layer 4)

–The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3.

04/20/23 DRAFT 2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Page 3: Chapter 6: Protocol Analysis and Network Programming

Frequently Encountered Network Protocols

•IEEE 802.3 Ethernet protocol L2
•IEEE 802.11 wireless protocols (commercially known as Wi-Fi) L2
•Address Resolution Protocol (ARP) L2
•IP Version 4 (IPv4) L3
•IP Version 6 (IPv6) L3
•Internet Control Message Protocol (ICMP) L3
•User Datagram Protocol (UDP) L4
•Transmission Control Protocol (TCP) L4


Page 4: Chapter 6: Protocol Analysis and Network Programming

Network Protocol Analysis

•Network protocol analysis can be performed automatically by Wireshark, which decodes every header field for you

–Decoding headers by hand from a hex dump is rarely needed today, but you still have to know what each field means to recognise a malformed or suspicious one

•Each frame (L2) or packet (L3) has a header and a payload

–The L2 frame encapsulates the L3 packet: the L2 header is attached before the L3 header/payload and the L2 trailer (e.g. the Ethernet frame check sequence) after it

–The L3 packet in turn encapsulates the L4 segment: the L3 header is attached before the L4 header/payload
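The layering just described, as an added worked example that is not code from the book or its lecture materials: a minimal dissector that peels an Ethernet frame into its L2, L3 and L4 headers and the remaining payload, the way Wireshark's protocol tree does. It covers the ARP, IPv4, ICMP, UDP and TCP headers that the following slides illustrate. The sample frames (MAC and IP addresses, ports, sequence numbers) are constructed inside the code and are not from a real capture; checksums are not verified.

```python
#!/usr/bin/env python3
"""Peel a captured Ethernet frame one layer at a time: L2 -> L3 -> L4 -> payload."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    # 14-byte L2 header: dst MAC, src MAC, EtherType; everything after it is the L3 packet
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac(dst), "src": mac(src), "ethertype": etype}, frame[14:]

def parse_arp(pkt):
    # fixed 8-byte header, then sender/target hardware and protocol addresses
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    sha, spa = pkt[8:8 + hlen], pkt[8 + hlen:8 + hlen + plen]
    tha = pkt[8 + hlen + plen:8 + 2 * hlen + plen]
    tpa = pkt[8 + 2 * hlen + plen:8 + 2 * hlen + 2 * plen]
    return {"op": {1: "request", 2: "reply"}.get(op, op),
            "sender": (mac(sha), str(IPv4Address(spa))),
            "target": (mac(tha), str(IPv4Address(tpa)))}

def parse_ipv4(pkt):
    # IHL gives the header length in 32-bit words; total length bounds the L4 segment
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (vihl & 0x0F) * 4
    hdr = {"version": vihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    return hdr, pkt[ihl:total_len]

def parse_icmp(seg):
    typ, code, _csum = struct.unpack("!BBH", seg[:4])
    return {"type": typ, "code": code}, seg[4:]

def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport}, seg[8:length]

def parse_tcp(seg):
    # data offset (header length in words) and the flag bits share one 16-bit field
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    doff = (off_flags >> 12) * 4
    bits = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"))
    flags = [name for bit, name in bits if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}, seg[doff:]

L4_PARSERS = {1: ("icmp", parse_icmp), 6: ("tcp", parse_tcp), 17: ("udp", parse_udp)}

def dissect(frame):
    """Return ({layer: decoded header, ...}, innermost payload) for one frame."""
    layers = {}
    layers["eth"], rest = parse_ethernet(frame)
    if layers["eth"]["ethertype"] == ETHERTYPE_ARP:
        layers["arp"] = parse_arp(rest)        # ARP carries no payload of its own
        return layers, b""
    if layers["eth"]["ethertype"] == ETHERTYPE_IPV4:
        layers["ip"], rest = parse_ipv4(rest)
        name, parser = L4_PARSERS.get(layers["ip"]["proto"], (None, None))
        if parser:
            layers[name], rest = parser(rest)
    return layers, rest

def sample_frames():
    """Constructed frames for offline testing; these are not from a real capture."""
    src_mac, dst_mac = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")
    src_ip, dst_ip = IPv4Address("10.10.100.1").packed, IPv4Address("10.10.100.100").packed
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)  # SYN to port 22
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    query = b"\x12\x34\x01\x00"   # first bytes of a DNS query, used as the UDP payload
    udp = struct.pack("!HHHH", 53001, 53, 8 + len(query), 0) + query
    ip_udp = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src_ip, dst_ip)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, src_mac, src_ip, b"\x00" * 6, dst_ip)
    return {"syn": eth + ip + tcp, "dns": eth + ip_udp + udp,
            "arp": struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_ARP) + arp}

if __name__ == "__main__":
    for name, frame in sample_frames().items():
        headers, payload = dissect(frame)
        print(name, headers, payload)
```

Each dictionary printed is one line of the Wireshark protocol tree, and the bytes one parser hands to the next are exactly that layer's payload. A production dissector would also validate IHL, total length and the checksums before trusting those offsets; unchecked length fields are where parser bugs in real analysers tend to hide.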


Page 5: Chapter 6: Protocol Analysis and Network Programming

Address Resolution Protocol (ARP) and Layer 2 Analysis


Page 6: Chapter 6: Protocol Analysis and Network Programming

ARP Frame


Page 7: Chapter 6: Protocol Analysis and Network Programming

Internet Protocol (IP) Analysis


Page 8: Chapter 6: Protocol Analysis and Network Programming

Internet Control Message Protocol (ICMP)


Page 9: Chapter 6: Protocol Analysis and Network Programming

User Datagram Protocol (UDP) Analysis


Page 10: Chapter 6: Protocol Analysis and Network Programming

Transmission Control Protocol (TCP) Analysis


Page 11: Chapter 6: Protocol Analysis and Network Programming

Network Programming: Bash

•Bash is a command line shell available on Linux and Unix systems

–Each user's login shell is selected in the /etc/passwd file

•In network programming we execute network commands from a script, either typed at the command line or read from a script file

•During penetration tests we frequently encounter raw shells (that do not even support backspace) where we can only submit one command line at a time

–Use network programming to build security tools such as ping scans and banner grabbers (i.e. reading the greeting with which services self-identify)

•Network programming remains a rare but very useful skill among security pros


Page 12: Chapter 6: Protocol Analysis and Network Programming

Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes

•Count duplicate lines and sort by count, largest first (reverse numerical); uniq -c only counts adjacent duplicates, hence the first sort
–# sort /tmp/alertIPs | uniq -c | sort -nr

•Append to a file, including standard error (2>&1 must come after the file redirect)
–# mount error >> log.txt 2>&1

•Command sequence
–# echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~


Page 13: Chapter 6: Protocol Analysis and Network Programming

Linux/Unix Bash for Basic Network Programming

•Ping an IP once with a 2-second deadline; a live host returns an ICMP echo reply
–# ping -c1 -w2 10.10.100.100

•To ping an address range, i.e. a scan, loop over the last octet
–# for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done


Page 14: Chapter 6: Protocol Analysis and Network Programming

Linux/Unix Bash Network Sweep: Packaging a Script

•Package the ping sweep in a script file with Ctrl-C abort:

#!/bin/bash
bashtrap() { echo "Bashtrap Punt!"; exit; }
trap bashtrap INT
for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done

•Use $1, $2, $3, … for command line arguments
•Use an if statement for conditionality, e.g. fall back to a default network when no argument is given:
–if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi


Page 15: Chapter 6: Protocol Analysis and Network Programming

Linux/Unix Bash Network Scanning using While

•Read the host numbers (last octets) from a hosts file, one per line, and run nmap against each:

#!/bin/bash
bashtrap() { echo "Bashtrap Punt!"; exit; }
trap bashtrap INT
if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
while read n; do
    echo -e "\nSCANNING $network.$n"
    nmap -O -sV --top-ports 9 --reason $network.$n
done < hosts


Page 16: Chapter 6: Protocol Analysis and Network Programming

Bash Banner Grabbing

#!/bin/bash
function t { echo -e "\nExiting!"; exit; }
trap t INT
if [ $# -eq 0 ]; then network="192.168.1"; else network=$1; fi
while read host; do
    echo -e "\nTESTING $network.$host PORTS..."
    while read port; do
        echo -n " $port"
        echo "" | nc -n -v -w1 $network.$host $port
    done < ports
done < hosts
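The same banner grab in Python, as an added example that is not the book's code: grab_banner connects to a port, waits for the service to announce itself and, if it stays silent, sends a newline probe before giving up; sweep applies it to a list of ports, which replaces the hosts and ports files of the Bash version. So that it runs offline, start_fake_service starts a throw-away loopback listener that plays the role of a real daemon; its banners (an SSH version string, an HTTP error line) are constructed for the example and were not captured from any real host.

```python
#!/usr/bin/env python3
"""TCP banner grabber, with a local stand-in service so the example runs offline."""
import socket
import threading

def grab_banner(host, port, timeout=1.0, probe=b"\r\n"):
    """Connect and let the service identify itself.
    Returns ('open', banner), ('open', '') for a listening but silent port,
    or ('closed', '') when the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)          # SSH, FTP, SMTP and friends speak first
            except socket.timeout:
                s.sendall(probe)             # HTTP-style services wait for the client
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    data = b""
            return "open", data.decode("ascii", "replace").strip()
    except OSError:                          # ConnectionRefusedError and timeouts
        return "closed", ""

def start_fake_service(banner, speak_first=True):
    """Constructed stand-in for a daemon: listens on an ephemeral 127.0.0.1 port
    and returns (listening socket, port). Not part of a real scan."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                  # listener closed; stop serving
                return
            with conn:
                if not speak_first:          # wait for the client's probe first
                    conn.settimeout(2.0)
                    try:
                        conn.recv(64)
                    except OSError:
                        pass
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def sweep(host, ports, timeout=1.0):
    """Banner-grab every port in the list; returns {port: (state, banner)}."""
    return {p: grab_banner(host, p, timeout) for p in ports}

if __name__ == "__main__":
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    web_srv, web_port = start_fake_service(b"HTTP/1.0 400 Bad Request\r\n", speak_first=False)
    for port, (state, banner) in sweep("127.0.0.1", [ssh_port, web_port, 1]).items():
        print(f"{port:5d} {state:6s} {banner!r}")
```

The three outcomes that the nc one-liner prints as a mix of connection messages and banner text come back as distinct values here, so a script can act on them. The second spent waiting on a silent service is the same cost nc -w1 pays per port, which is why sweeping many hosts serially is slow and the Python slides later turn to threads.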


Page 17: Chapter 6: Protocol Analysis and Network Programming

Windows Command Line Scripting

•In the Windows Command Line the concepts are very similar to Bash
•Use the .bat suffix for script (batch) files
•Batch file arguments are %1, %2, %3, …
•Loop variables use a %% prefix inside a script file (a single % when typed at the prompt)
•for /L iterates through a range of numbers (i.e. counting)
•for /F iterates through a set of tokens or the lines of a file
–Works like a while read loop in Bash


Page 18: Chapter 6: Protocol Analysis and Network Programming

Windows Command Line : Standard IO, Pipes, and Sequences

•Example standard IO and pipes
–C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt

•Command sequence (&) always runs the next command; conditional (&&) runs it only if the previous command succeeded
–C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del


Page 19: Chapter 6: Protocol Analysis and Network Programming

Windows Command Line: Network Programming using For /L

•Ping sweep (batch file): ping -n 1 sends one echo request; find keeps only reply lines, which contain "bytes=", so "Destination host unreachable" and "Request timed out" do not count as hits
–set network=%1
–for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "bytes=" > nul && echo Host at %network%.%%h


Page 20: Chapter 6: Protocol Analysis and Network Programming

Windows Command Line: Password Attack using For /F

set ipaddr=%1
set usertarget=%2
for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2> nul && echo PASS=%%p & net use \\%ipaddr% /del

•Each failed attempt counts against the account lockout threshold, so check the lockout policy before running this against a production account


Page 21: Chapter 6: Protocol Analysis and Network Programming

Python Scripting

•There are various categories of programming languages, from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)

–Categories differ in the number of lines needed to implement a capability; a typical ratio between adjacent categories is about 8

–Lower-level languages provide more detailed access to the system and faster execution

–Python's advantage is that it is highly portable and has an extensive function library


Page 22: Chapter 6: Protocol Analysis and Network Programming

Python Programming for Accelerated Network Scanning

#!/usr/bin/env python3
# Threaded ping sweep: one thread per host, so the 1-second ping timeouts
# overlap instead of adding up as they do in the serial Bash loop.
import subprocess
import time
from threading import Thread

start = time.ctime()
print(start)

scan = ["ping", "-c1", "-w1"]   # Linux ping: one echo request, 1-second deadline
max_host = 65                   # sweep .1 through .64

class threadclass(Thread):
    def __init__(self, ip):
        Thread.__init__(self)
        self.ip = ip
        self.status = -1

    def run(self):
        # run ping without a shell and keep its output as this host's status
        result = subprocess.run(scan + [self.ip], capture_output=True, text=True)
        self.status = result.stdout

threadlist = []
for host in range(1, max_host):
    ip = "192.168.85." + str(host)
    current = threadclass(ip)
    threadlist.append(current)
    current.start()

for t in threadlist:
    t.join()
    print("Status from", t.ip, "is", repr(t.status))

print(start)
print(time.ctime())


For this 64-host sweep with 1-second timeouts, threaded scanning is about 60X faster than a serial loop, because the per-host timeouts for unresponsive addresses overlap instead of adding up

Page 23: Chapter 6: Protocol Analysis and Network Programming

REVIEW Chapter Summary
