Lecture Materials for the John Wiley & Sons book:

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 20, 2023 DRAFT 1

Chapter 6: Protocol Analysis and Network Programming

Networking Theory and Practice

•Open Systems Interconnection (OSI) defines the standard protocol stack

–Out of the 7 layers, only 4 are used in practice:

•Physical (Layer 1)•Data Link (Layer 2)•Network (Layer 3)•Transport (Layer 4)

–The successor to OSI is Reference Model for Open Distributed Processing (RM-ODP), we encountered in Chapter 3, Row 3.

04/20/23 DRAFT 2Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Frequently Encountered Network Protocols

•IEEE 802.3 Ethernet protocol L2•IEEE 802.11 wireless protocols

(commercially known as Wi-Fi) L2•Address Resolution Protocol (ARP) L2•IP Version 4 (IPv4) L3•IP Version 6 (IPv6) L3•Internet Control Message Protocol

(ICMP) L3•User Datagram Protocol (UDP) L4•Transmission Control Protocol (TCP) L4

04/20/23 DRAFT 3Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Network Protocol Analysis

•Network protocol analysis can be performed automatically by Wireshark

–Manual protocol analysis is outdated

•Each frame (L2) or packet (L3) has a header and a payload

–L3 header/payload are attached before and after L2 header/payload, i.e. encapsulate

–L4 headers/payload are attached before and after L3 header/payload

04/20/23 DRAFT 4Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Address Resolution Protocol (ARP) and Layer 2 Analysis

04/20/23 DRAFT 5Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

ARP Frame

04/20/23 DRAFT 6Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Internet Protocol (IP) Analysis

04/20/23 DRAFT 7Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Internet Control Message Protocol (ICMP)

04/20/23 DRAFT 8Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

User Datagram Protocol (UDP) Analysis

04/20/23 DRAFT 9Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Transmission Control Protocol (TCP) Analysis

04/20/23 DRAFT 10Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Network Programming: Bash•Bash is an available command line shell for Linux and

Unix systems–It is selected in the /etc/passwd file

•In network programming we are able to execute network commands in a script at the command line or from a script file

•During penetration tests, we frequently encounter raw shells (that do not support even backspace) where we can only submit 1 command line at a time

–Use network programming to build security tools such as ping scans and banner grabbers (i.e. when services self identify)

•Network programming remains a rare but very useful skill among security pros

04/20/23 DRAFT 11Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes

•Sorting reverse numerical–# sort /tmp/alertIPs | uniq –c | sort –nr

•Append to file including standard error–mount error >> log.txt 2>&1

•Command sequence–# echo Hello Universe! > /tmp/tmp ; cd

/tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~

04/20/23 DRAFT 12Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Linux/Unix Bash for Basic Network Programming

•Ping an IP; returns ICMP response–# ping –c1 –w2 10.10.100.100

•To ping an address range, i.e. a scan–# for i in `echo {1..254}`; do ping -c1 -

w2 10.10.100.$i; done

04/20/23 DRAFT 13Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Linux/Unix Bash Network Sweep: Packaging a Script

•Package the ping sweep in a script file with Ctrl-C abort:

–#!/bin/bash–trap bashtrap INT–bashtrap() { echo "Bashtrap Punt!"; exit; }–for i in `echo {1..254}`; do ping -c1 -w2 10.10.100.$i;

done

•Use $1, $2, $3, … for command line arguments•Use if statement for conditionality, e.g.

–if $(test $# -eq 0 ); then network="10.10.100"; else network=$1; fi

04/20/23 DRAFT 14Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Linux/Unix Bash Network Scanning using While

•Read IP domains from a hosts file:–#!/bin/bash–trap bashtrap INT–bashtrap() { echo "Bashtrap Punt!"; exit; }–if $(test $# -eq 0 ); then

network="10.10.100"; else network=$1; fi–while read n; do echo -e "\nSCANNING

$network.$n"; nmap -O -sV --top-ports 9 --reason $network.$n; done < hosts

04/20/23 DRAFT 15Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Bash Banner Grabbing

#!/bin/bashtrap t INTfunction t { echo -e "\nExiting!"; exit; }if $(test $# -eq 0 ); then network="192.168.1"; else network=$1; fiwhile read host; do echo –e "\nTESTING $network.$host PORTS..."; while read port; do echo -n " $port"; echo "" | nc -n -v -w1 $network.$host $port; done < ports done < hosts

04/20/23 DRAFT 16Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Windows Command Line Scripting

•In Windows Command Line the concepts are very similar to Bash

•Use .bat suffix for script (batch) files•Batch file arguments are %1, %2, %3,…•Script file variables use %% prefix•for /L for to iterate through numbers (i.e.

counting)•for /F to iterate through a set or file

–Works like a while loop in Bash

04/20/23 DRAFT 17Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Windows Command Line : Standard IO, Pipes, and Sequences

•Example standard IO and pipes–C:\> type list.txt | sort /r >> sorted.txt &

dir /b /s & type sorted.txt

•Command sequence (&), conditional (&&)

–C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del

04/20/23 DRAFT 18Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Windows Command Line: Network Programming using For /L

•Ping sweep–set network=%1–for /L %%h in (2, 1, 255) do @ping –n 1

%network%.%%h | find “byte=” > /nul && echo Host at %network%.%%h

04/20/23 DRAFT 19Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Windows Command Line: Password Attack using For /F

set ipaddr=%1set usertarget=%2for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2> /nul && echo PASS=%p & net use \\%ipaddr% /del

04/20/23 DRAFT 20Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Python Scripting

•There are various categories of programming languages from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)

–Categories vary by number of lines needed to implement a capability, typical multiplier is 8

–Lower levels provide more detailed accesses, faster execution

–Python’s advantage is that it is highly portable and has an extensive function library

04/20/23 DRAFT 21Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Python Programming for Accelerated Network Scanning

#!/usr/bin/python

import os

from threading import Thread

import time

start=time.ctime()

print start

scan="ping -c1 -w1 "

max=65

class threadclass(Thread):

def __init__ (self,ip):

Thread.__init__(self)

self.ip = ip

self.status = -1

def run(self):

result = os.popen(scan+self.ip,"r")

self.status=result.read()

threadlist = []

for host in range(1,max):

ip = "192.168.85."+str(host)

current = threadclass(ip)

threadlist.append(current)

current.start()

for t in threadlist:

t.join()

print "Status from ",t.ip,"is",repr(t.status)

print start

print time.ctime()

04/20/23 DRAFT 22Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Threaded scanning is about 60X faster than serial scans

REVIEW Chapter Summary

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

04/20/23 DRAFT 23