Advanced Penetration Testing and Security Analysis
Module 4: Advanced Sniffing Techniques
Copyright © 2004 EC-Council. All rights reserved worldwide. EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Nov 08, 2014


Mahmoud Eladawi

Page 1: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Advanced Penetration Testing and Security Analysis

Module 4: Advanced Sniffing Techniques

Page 2

Module Objective

This module will familiarize you with:

• Wireshark
• Filters
• IP Display Filters
• Tshark
• Editcap
• Mergecap
• Text2pcap
• Using Wireshark for Network Troubleshooting
• Network Troubleshooting Methodology
• Scanning Techniques

Page 3

What is Wireshark?

Wireshark is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format.

Features of Wireshark include:

• It is distributed under the GPL.
• It is available for UNIX and Windows.
• It works in promiscuous and non-promiscuous modes.
• It can capture data from the network or read from a capture file.
• It supports tcpdump-format capture filters.
• It can read capture files from over 25 different products.
• It can filter and search the packets.

Page 4

Wireshark: Screenshot

Page 5

Wireshark: Filters

Filtering packets helps you find a desired packet without sifting through all of them.

Wireshark has the ability to use both capture and display filters.

The capture filter syntax follows the same syntax that tcpdump uses from the libpcap library.

It is used on the command line or in the “Capture Filter” dialog box to capture certain types of traffic.

Display filters provide a powerful syntax to sort traffic that is already captured.

Page 6

IP Display Filters

Page 7

IP Display Filters (cont’d)

Page 8

IP Display Filters (cont’d)

Page 9

Example

To see just HTTP request packets (e.g., GET, POST, HEAD, and so on) type:

http.request

Filter fields can also be compared against values, such as http.request.method=="GET" to see only HTTP GET requests. The comparison operators can be expressed using the following abbreviations and symbols:

Comparison                 Abbreviation   Symbol
Equal                      eq             ==
Not equal                  ne             !=
Greater than               gt             >
Less than                  lt             <
Greater than or equal to   ge             >=
Less than or equal to      le             <=

Page 10

Wireshark: Tshark

Tshark is the command-line version of Wireshark, which can be used to capture live packets from the wire or to read saved capture files.

By default, Tshark prints the summary line information to the screen.

This is the same information contained in the top pane of the Wireshark GUI.

1.199008 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.199246 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.202244 192.168.100.122 -> 192.168.100.132 TCP telnet > 1320 [SYN, ACK] Seq=3275138168 Ack=1102938968 Win=49640 Len=0
1.202268 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0
1.202349 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0

Page 11

Wireshark: Tcpdump

Tcpdump is a command-line network debugging tool.

It is used as a substitute for Wireshark when capturing packets at remote locations.

To ensure the capture of the complete packet, use the following command line:

• tcpdump -i <interface> -s 1500 -w <some-file>
• ^C (Ctrl-C) is necessary to terminate the packet capture.

Page 12

Wireshark: Capinfos

Capinfos is a utility of Wireshark used for printing information about binary capture files.

$ capinfos -h
Capinfos
Prints information about capture files.
Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y] [-i] [-z] [-h] <capfile>
where
  -t  display the capture type of <capfile>
  -c  count the number of packets
  -s  display the size of the file
  -d  display the total length of all packets in the file (in bytes)
  -u  display the capture duration (in seconds)
  -a  display the capture start time
  -e  display the capture end time
  -y  display average data rate (in bytes)
  -i  display average data rate (in bits)
  -z  display average packet size (in bytes)
  -h  produces this help listing.
If no data flags are given, default is to display all statistics

Page 13

Wireshark: Idl2wrs

Idl2wrs is a command-line tool used for creating dissectors from user-specified CORBA IDL files.

It parses the data structures and generates get_CDR_xxx calls for decoding CORBA traffic.

Prerequisites for Idl2wrs are Python and omniidl.

Page 14

Conversion of CORBA IDL File to Wireshark Dissector

1. Writing C code to stdout:
   • idl2wrs <your file.idl>
   • E.g.: idl2wrs echo.idl

2. For writing to a file, redirect the output:
   • idl2wrs echo.idl > packet-test-idl.c

3. Use the shell script wrapper; if not, go to step 4 or step 5.

4. Writing C code to stdout:
   • Usage: omniidl -p ./ -b wireshark_be <your file.idl>
   • E.g.: omniidl -p ./ -b wireshark_be echo.idl

5. For writing to a file, redirect the output:
   • omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c

Page 15

Conversion of CORBA IDL File to Wireshark Dissector (cont’d)

6. Copy the resultant C code to the Wireshark src directory.

7. Edit two files to include packet-test-idl.c:
   • cp packet-test-idl.c /dir/where/wireshark/lives/
   • edit Makefile.am
   • edit Makefile.nmake

8. Run the configure option:
   • ./configure (or ./autogen.sh)

9. Compile the code.

Page 16

Wireshark: Dumpcap

Dumpcap is a command-line tool used for capturing data from the live network and copying those packets to a file.

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -B <buffer size>         size of kernel buffer (def: 1MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                           files:NUM - stop after NUM files

Page 17

Wireshark: Dumpcap (cont’d)

Output (files):
  -w <filename>            name of file to save (def: tempfile)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files

Miscellaneous:
  -v                       print version information and exit
  -h                       display this help and exit

Ctrl-C to stop capturing at any time

Page 18

Wireshark: Editcap

Editcap is used to remove packets from a file and to translate the format of capture files.

It is similar to the Save As feature. Editcap can read all of the same types of files that Wireshark can, and writes to the libpcap format by default.

C:\Program Files\Wireshark>editcap -r -v -F snoop capture capture_snoop 1-5
File capture is a libpcap (tcpdump, Wireshark, etc.) capture file
Add_Selected: 1-5
Inclusive ... 1, 5
Record: 1
Record: 2
Record: 3

Page 19

Wireshark: Mergecap

Mergecap is used to combine multiple saved capture files into a single output file.

It can read all of the same types of files that Wireshark can and writes to the libpcap format by default.

C:\Program Files\Wireshark>mergecap -v -F snoop -w merge_snoop capture1 capture2 capture3 capture4
mergecap: capture1 is type libpcap (tcpdump, Wireshark, etc.)
mergecap: capture2 is type libpcap (tcpdump, Wireshark, etc.)

Page 20

Wireshark: Text2pcap

Text2pcap reads in ASCII hexdump captures and writes the data into a libpcap output file.

It is capable of reading hexdumps containing multiple packets and building a capture file of multiple packets.

It can also read hexdumps of application-level data by inserting dummy Ethernet, IP, and User Datagram Protocol (UDP) or TCP headers.

C:\Program Files\Wireshark>text2pcap hex_sample.txt libpcap_output
Input from: hex_sample.txt
Output to: libpcap_output
Wrote packet of 168 bytes at 0
Read 1 potential packets
wrote 1 packets
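The two file tools just described, Text2pcap (this page) and Capinfos (Page 12), work on the same libpcap format. The added example below is not code from the module or from Wireshark: it reads a text2pcap-style hexdump into packets, writes them out as a pcap file image, and then computes the statistics capinfos reports (count, size, duration, data rates, average packet size) from that image. The hexdump, its two ARP frames and the timestamps are constructed for the demonstration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def parse_hexdump(text):
    """Split a text2pcap-style hexdump (offset, then hex bytes) into packets.
    A line whose offset is 0 starts a new packet; trailing non-hex text is ignored."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            offset = int(parts[0], 16)
        except ValueError:
            continue                          # not a hexdump line
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        for tok in parts[1:]:
            if len(tok) != 2:
                break                         # start of an ASCII column
            try:
                current.append(int(tok, 16))
            except ValueError:
                break
    if current:
        packets.append(bytes(current))
    return packets


def write_pcap(packets, timestamps, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a pcap file image: a 24-byte global header, then a
    16-byte record header (sec, usec, caplen, origlen) in front of each packet."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for pkt, ts in zip(packets, timestamps):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return bytes(out)


def capinfos(pcap):
    """Compute the statistics capinfos prints (-t -c -s -d -u -y -i -z) for a pcap image."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    offset, count, total_len, first, last = 24, 0, 0, None, None
    while offset + 16 <= len(pcap):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", pcap, offset)
        ts = sec + usec / 1_000_000
        first = ts if first is None else first
        last = ts
        count += 1
        total_len += origlen                  # -d counts original, not captured, length
        offset += 16 + caplen
    duration = (last - first) if count else 0.0
    rate = total_len / duration if duration > 0 else 0.0
    return {
        "capture type": f"libpcap (linktype {linktype})",
        "packet count": count,
        "file size": len(pcap),
        "data size": total_len,
        "capture duration": duration,
        "data rate (bytes/s)": rate,
        "data rate (bits/s)": rate * 8,
        "average packet size": total_len / count if count else 0.0,
    }


# Constructed hexdump of two Ethernet/ARP frames (42 bytes each): a request for
# 192.168.1.2 and its reply, in the offset-then-bytes layout text2pcap expects.
HEXDUMP = """\
000000 ff ff ff ff ff ff 00 01 02 03 04 05 08 06 00 01
000010 08 00 06 04 00 01 00 01 02 03 04 05 c0 a8 01 01
000020 00 00 00 00 00 00 c0 a8 01 02
000000 00 01 02 03 04 05 06 07 08 09 0a 0b 08 06 00 01
000010 08 00 06 04 00 02 06 07 08 09 0a 0b c0 a8 01 02
000020 00 01 02 03 04 05 c0 a8 01 01
"""


def demo():
    packets = parse_hexdump(HEXDUMP)
    pcap = write_pcap(packets, [1.0, 1.5])    # constructed timestamps, 0.5 s apart
    return capinfos(pcap)
```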

Page 21

Upgrading Wireshark

The latest version of Wireshark is 0.99.8.

Below is the recommended upgrading process for Wireshark:

• HTTP, DCP ETSI, SSL, DHCP/BOOTP, and MMS dissectors should be disabled.
• Select Analyze.
• Check Enabled Protocols from the menu.
• Ensure ANSI MAP, BTSDP, DCP (ETSI), DNP 3.0, FB/IPB GDS DB, HTTP, MEGACO, NCP, PPP, SSL are un-checked.
• Click Save.
• Click OK.

Page 22

Protocol Dissection

A protocol dissector is the component that allows Wireshark to break protocols down into small sections so as to analyze them.

Wireshark uses various dissectors for analyzing different protocols.

It provides searching and filtering of the capture file at the same time.

Page 23

Protocol Dissection (cont’d)

Page 24

Steps to Solve GNU/Linux Server Network Connectivity Issues

• Ensure the use of the ping and traceroute commands.
• Check for the default route / gateway IP.
• Look for the IP address, network cables, and power supply.
• Check the firewall logs and ensure that the correct ports are connected.
• Perform a network analysis.

Page 25

Using Wireshark for Network Troubleshooting

A good approach to network troubleshooting involves the following seven steps:

1. Recognize the symptoms.
2. Define the problem.
3. Analyze the problem.
4. Isolate the problem.
5. Identify and test the cause of the problem.
6. Solve the problem.
7. Verify that the problem has been solved.

Page 26

Network Troubleshooting Methodology

Page 27

Using Wireshark for System Administration

The basics of the ARP are:

• When a system needs to communicate with another system on the same subnet, and has an IP address for that system but not a MAC address, an ARP request is broadcast onto the Ethernet segment.
• For example, on a network with hosts 192.168.1.1 and 192.168.1.2 having MAC addresses 00:01:02:03:04:05 and 06:07:08:09:0a:0b, the following sequence is issued through ARP:

00:01:02:03:04:05 to ff:ff:ff:ff:ff:ff   Who has 192.168.1.2? Tell 192.168.1.1
06:07:08:09:0a:0b to 00:01:02:03:04:05   192.168.1.2 is at 06:07:08:09:0a:0b

Page 28

ARP Problems

ARP traffic is a necessary precursor to normal network traffic.

Wireshark can be used to check for the presence of this traffic on the network.

There are several conditions of ARP that indicate specific problems.

If there is no ARP traffic from the system on the network, either you are not capturing the traffic correctly or there are driver or OS issues preventing network communication.

If the system is issuing ARP requests but there is no response from the host, it may not be on the network.
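The ARP exchange on Page 27 and the unanswered-request condition described above, as an added example that is not part of the module: it builds the two frames for the hosts named on the slide, decodes them into the same "Who has / is at" summary lines Wireshark shows, and lists the requests that never received a reply. All MAC and IP addresses beyond the slide's two hosts are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet; requests go to the broadcast MAC."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac(frame[6:12]), "eth_dst": mac(frame[0:6]), "op": op,
        "sender_mac": mac(frame[22:28]), "sender_ip": ipv4(frame[28:32]),
        "target_mac": mac(frame[32:38]), "target_ip": ipv4(frame[38:42]),
    }


def summarize(arp):
    """The one-line description Wireshark shows for an ARP request or reply."""
    prefix = f'{arp["eth_src"]} to {arp["eth_dst"]}'
    if arp["op"] == ARP_REQUEST:
        return f'{prefix} Who has {arp["target_ip"]}? Tell {arp["sender_ip"]}'
    if arp["op"] == ARP_REPLY:
        return f'{prefix} {arp["sender_ip"]} is at {arp["sender_mac"]}'
    return f'{prefix} ARP opcode {arp["op"]}'


def unanswered_requests(frames):
    """(target IP, asking IP) pairs that were asked for but never answered:
    the slide's 'the host may not be on the network' condition."""
    asked, answered = {}, set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST:
            asked.setdefault(arp["target_ip"], arp["sender_ip"])
        elif arp["op"] == ARP_REPLY:
            answered.add(arp["sender_ip"])
    return sorted((ip, asker) for ip, asker in asked.items() if ip not in answered)


# Constructed frames for the two hosts named on the slide, plus a request for
# a third, silent host.
HOST_A_MAC, HOST_A_IP = bytes.fromhex("000102030405"), bytes([192, 168, 1, 1])
HOST_B_MAC, HOST_B_IP = bytes.fromhex("060708090a0b"), bytes([192, 168, 1, 2])
NO_MAC = bytes(6)

REQUEST = build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, NO_MAC, HOST_B_IP)
REPLY = build_arp(ARP_REPLY, HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP)
REQUEST_UNANSWERED = build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, NO_MAC, bytes([192, 168, 1, 3]))
```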

Page 29

ICMP Echo Request/Reply Header Layout

The ICMP type field, which is a 1-byte field at the very beginning of the ICMP protocol header, indicates the type of ICMP packet.

If the type field is 8, the packet is an ICMP echo (ping) request.

If the type field is 0, the packet is an ICMP echo (ping) reply.

This capture filter tests for packets that are either ICMP ping requests or ICMP ping replies by retrieving the first byte:

• icmp[0] == 8 or icmp[0] == 0

Page 30

TCP Flags

The TCP flags field is a bit field, which is an integer where the individual bits are used as separate fields.

For example, the TCP flags field is an 8-bit integer field, but the bits in that integer represent independent fields that are either true or false (or 1 or 0).

Page 31

TCP SYN Packet Flags Bit Field

The TCP flags field can have multiple bits set.

In this case, only the tcp-syn bit is set; therefore, the value 0x02, which is the value of tcp-syn, can be tested:

• tcp[tcpflag] == 0x02
• or:
• tcp[tcpflag] == tcp-syn

Page 32

TCP SYN Packet Flags Bit Field (cont’d)

In this packet of the TCP handshake (a Synchronize (SYN)/Acknowledge (ACK) packet), both the tcp-syn and tcp-ack bits are set.

To write a filter to test for the SYN bit, use the bitwise and operator to mask out all of the bits except for the SYN bit:

tcp[tcpflag] & tcp-syn == 0x02
or
tcp[tcpflag] & tcp-syn == tcp-syn
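The three capture filters from Pages 29, 31 and 32 applied to raw packet bytes, as an added example (not the module's code): it builds minimal IPv4/TCP and IPv4/ICMP packets, indexes into the ICMP and TCP headers the way icmp[0] and tcp[tcpflag] do, and shows that the exact test matches only the bare SYN while the masked test also matches the SYN/ACK. The packets, addresses and sequence numbers are constructed; checksums are left at zero because none of the filters read them.

```python
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCPFLAGS_OFFSET = 13     # byte index of the flags within the TCP header (tcp[tcpflag])


def ipv4_packet(proto, payload, src="192.168.100.132", dst="192.168.100.122"):
    """Minimal 20-byte IPv4 header (no options; checksum left 0 as the filters never read it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp_segment(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header with the given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 16384, 0, 0)


def icmp_message(type_, code=0, ident=0x1234, seq=1):
    return struct.pack("!BBHHH", type_, code, 0, ident, seq)


def ip_header_len(packet):
    return (packet[0] & 0x0F) * 4


def icmp_byte(packet, index):
    """icmp[index] in capture-filter terms: indexed from the ICMP header, None if not ICMP."""
    if packet[9] != IPPROTO_ICMP:
        return None
    return packet[ip_header_len(packet) + index]


def tcp_byte(packet, index):
    """tcp[index]: indexed from the TCP header, None if the packet is not TCP."""
    if packet[9] != IPPROTO_TCP:
        return None
    return packet[ip_header_len(packet) + index]


# The slide's capture filters, expressed over the raw bytes.
def filter_ping(packet):
    """icmp[0] == 8 or icmp[0] == 0"""
    return icmp_byte(packet, 0) in (8, 0)


def filter_syn_exact(packet):
    """tcp[tcpflag] == tcp-syn : only a bare SYN, not a SYN/ACK."""
    return tcp_byte(packet, TCPFLAGS_OFFSET) == TCP_SYN


def filter_syn_bit(packet):
    """tcp[tcpflag] & tcp-syn == tcp-syn : any segment with the SYN bit set.
    The mask must be parenthesised in Python, where == binds tighter than &."""
    flags = tcp_byte(packet, TCPFLAGS_OFFSET)
    return flags is not None and (flags & TCP_SYN) == TCP_SYN


# Constructed sample packets, named after what they contain.
SAMPLES = [
    ("syn", ipv4_packet(IPPROTO_TCP, tcp_segment(1320, 23, TCP_SYN, seq=1102938967))),
    ("syn-ack", ipv4_packet(IPPROTO_TCP, tcp_segment(23, 1320, TCP_SYN | TCP_ACK,
                                                     seq=3275138168, ack=1102938968))),
    ("ack", ipv4_packet(IPPROTO_TCP, tcp_segment(1320, 23, TCP_ACK, seq=1102938968, ack=3275138169))),
    ("rst-ack", ipv4_packet(IPPROTO_TCP, tcp_segment(23, 1320, TCP_RST | TCP_ACK))),
    ("echo-request", ipv4_packet(IPPROTO_ICMP, icmp_message(8))),
    ("echo-reply", ipv4_packet(IPPROTO_ICMP, icmp_message(0))),
    ("unreachable", ipv4_packet(IPPROTO_ICMP, icmp_message(3, code=3))),
]


def select(capture_filter, samples=SAMPLES):
    """Names of the sample packets the filter would let through."""
    return [name for name, packet in samples if capture_filter(packet)]
```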

Page 33

Capture Filter: Examples

Page 34

Scenario 1: SYN, no SYN+ACK

If your Wireshark capture shows that the client is sending a SYN packet, but no response is received from the server, the server is not processing the packet.

It could be that a firewall between the two hosts is blocking the packet, or that the server itself has a firewall running on it.

Page 35

Scenario 2: SYN, Immediate Response RST

If your Wireshark capture shows that the server is responding with the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port.

Make sure that your application is bound to the correct port on the correct IP address.

Page 36

Scenario 3: SYN, SYN+ACK, ACK

If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client’s IP address due to security restrictions.

On UNIX systems, check the tcpwrappers files at /etc/hosts.allow and /etc/hosts.deny and verify that you haven’t inadvertently blocked communication.

[Diagram: SYN, SYN+ACK, ACK, then Connection Closed]
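The three scenarios above can be recognized mechanically from the Tshark summary lines shown on Page 10. The added example below (not from the module) parses such lines, groups them into connections, and maps each connection's flag sequence onto Scenario 1, 2 or 3 together with the slide's advice; the summary text is constructed in the format of the Page 10 output.

```python
import re

# One tshark summary line: time, src -> dst, protocol, ports, flags in brackets,
# then Seq/Ack/Win/Len as printed on the Tshark slide.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\].*?Len=(?P<len>\d+)"
)


def parse_summary(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                       # not a TCP summary line
        e = m.groupdict()
        e["ts"] = float(e["ts"])
        e["len"] = int(e["len"])
        e["flags"] = {f.strip() for f in e["flags"].split(",") if f.strip()}
        events.append(e)
    return events


def group_connections(events):
    """Group segments by connection; the client is whoever sent the first bare SYN."""
    conns = {}
    for e in events:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        reverse = (e["dst"], e["dport"], e["src"], e["sport"])
        if key in conns:
            conns[key].append(("client", e))
        elif reverse in conns:
            conns[reverse].append(("server", e))
        elif "SYN" in e["flags"] and "ACK" not in e["flags"]:
            conns[key] = [("client", e)]
        # segments of connections whose SYN was not captured are ignored
    return conns


def diagnose(flow):
    """Map one connection's flag sequence onto the three scenarios of the module."""
    from_server = [e for who, e in flow if who == "server"]
    if not from_server:
        return "scenario-1: SYN, no SYN+ACK"
    if "RST" in from_server[0]["flags"]:
        return "scenario-2: SYN, immediate RST"
    synack = any({"SYN", "ACK"} <= e["flags"] for e in from_server)
    client_ack = any(who == "client" and "ACK" in e["flags"] and "SYN" not in e["flags"]
                     for who, e in flow)
    if not (synack and client_ack):
        return "incomplete handshake"
    data_seen = any(e["len"] > 0 for _, e in flow)
    server_closed = any(e["flags"] & {"FIN", "RST"} for e in from_server)
    if server_closed and not data_seen:
        return "scenario-3: established, then closed without data"
    return "established"


ADVICE = {
    "scenario-1: SYN, no SYN+ACK":
        "server not processing the packet: check for a firewall between the hosts or on the server",
    "scenario-2: SYN, immediate RST":
        "no application bound to that port: check the port and IP address the service listens on",
    "scenario-3: established, then closed without data":
        "server may reject the client's IP: check /etc/hosts.allow and /etc/hosts.deny",
}


def report(text):
    """Connection label -> diagnosis for every connection found in the summary text."""
    return {f"{c}:{cp} -> {s}:{sp}": diagnose(flow)
            for (c, cp, s, sp), flow in group_connections(parse_summary(text)).items()}


# Constructed tshark-style output: one connection per scenario plus a healthy one.
SUMMARY = """\
1.199008 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.202244 192.168.100.122 -> 192.168.100.132 TCP telnet > 1320 [SYN, ACK] Seq=3275138168 Ack=1102938968 Win=49640 Len=0
1.202268 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0
1.203104 192.168.100.122 -> 192.168.100.132 TCP telnet > 1320 [FIN, ACK] Seq=3275138169 Ack=1102938968 Win=49640 Len=0
2.000000 192.168.100.132 -> 192.168.100.122 TCP 1321 > http [SYN] Seq=1 Ack=0 Win=16384 Len=0
2.000412 192.168.100.122 -> 192.168.100.132 TCP http > 1321 [RST, ACK] Seq=0 Ack=2 Win=0 Len=0
3.000000 192.168.100.132 -> 192.168.100.122 TCP 1322 > ssh [SYN] Seq=1 Ack=0 Win=16384 Len=0
6.000000 192.168.100.132 -> 192.168.100.122 TCP 1322 > ssh [SYN] Seq=1 Ack=0 Win=16384 Len=0
7.000000 192.168.100.132 -> 192.168.100.122 TCP 1323 > smtp [SYN] Seq=1 Ack=0 Win=16384 Len=0
7.000500 192.168.100.122 -> 192.168.100.132 TCP smtp > 1323 [SYN, ACK] Seq=9 Ack=2 Win=5840 Len=0
7.000600 192.168.100.132 -> 192.168.100.122 TCP 1323 > smtp [ACK] Seq=2 Ack=10 Win=17520 Len=0
7.050000 192.168.100.122 -> 192.168.100.132 TCP smtp > 1323 [PSH, ACK] Seq=10 Ack=2 Win=5840 Len=38
"""
```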

Page 37

Tapping into the Network

Wireshark’s TAP system is a powerful and flexible mechanism for providing event-driven notification for packets matching certain protocols.

The tapping system is divided into two parts:

• Code in the actual dissectors to allow tapping of data.
• Event-driven code that registers a tap listener and processes received packets of data.

Wire tapping is the process of tapping the wired network using sniffers.

Wireless tapping requires specifications such as signal strength and different wireless management packets.

Page 38

Tapping into the Network (cont’d)

Tapping into a hubbed network:

• A hubbed network provides information on each data packet to the packet analyst.
• This network provides slow network traffic with low bandwidth, and is rarely used.

Tapping into a switched network:

• A switched network limits tapping to the port on which the sniffer is plugged in.
• On this network, traffic from a targeted device is captured by port mirroring, ARP cache poisoning, and hubbing out.

Page 39

Using Wireshark for Security Administration

One of the most popular and useful Wireshark features is packet reassembly, which allows us to see the contents of exchanged data.

For protocols such as Telnet and FTP, Wireshark clearly displays the username and password for the connection, without any reassembly.

For unknown, custom, or otherwise obscure protocols, packet reassembly can be used.

To use reassembly, capture the traffic through Wireshark or another tool, then load the capture file into Wireshark and right-click on any packet in the connection.

Select the Follow TCP Stream option.

Page 40

Detecting Internet Relay Chat Activity

Besides the policy implications of chat rooms, IRC is frequented by hackers and used as a command and control mechanism.

IRC normally uses TCP port 6667.

If you set Wireshark to detect traffic with destination port 6667, you will see IRC traffic that looks like the following:

Local client to IRC server port 6667:
USER username localsystem.example.com irc.example.net :gaim
Remote IRC server to local client:
NOTICE AUTH :*** Looking up your hostname...
Local client to IRC server port 6667:
NICK clever-nick-name
Remote IRC server to local client:
NOTICE AUTH :*** Checking ident
NOTICE AUTH :*** Found your hostname

Page 41

Wireshark as a Detector for Proprietary Information Transmission

If your company marks its confidential and proprietary information with a consistent phrase, there is no reason you cannot use Wireshark to detect the transmission of that information.

You can use Wireshark to capture all outbound traffic on a SPAN port and then use Wireshark’s Find Packet function.

Page 42

Sniffer Detection

When the interface is placed into promiscuous mode, the PROMISC keyword appears in the attributes section, as shown in the example below:

[Example output not reproduced in the transcript.]

Page 43

Wireless Sniffing with Wireshark

Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks.

It can capture traffic “from the air” and decode it into a format that helps administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems.

You will need to purchase and install AirPcap to be able to sniff wireless traffic.

Page 44

AirPcap

CACE Technologies has introduced a commercial product called AirPcap: a combination of a USB IEEE 802.11b/g adapter, supporting driver software, and a client configuration utility.

AirPcap provides a simple mechanism to capture wireless traffic in monitor mode on Windows workstations at a reasonable cost.

AirPcap is available at www.cacetech.com

Page 45

AirPcap (cont’d)

If you want to analyze the traffic for a specific wireless AP or station, you must identify the channel or frequency used by the target device, and configure your wireless card to use the same channel before initiating your packet capture.

This is because wireless cards can only operate on a single frequency at any given time.

If you want to capture traffic from multiple channels simultaneously, you would need an additional wireless card for every channel you wanted to monitor.

Page 46

Frequency

Page 47

Using Channel Hopping

If you want to capture traffic for a specific station, how do you locate the channel number that it is operating on?

One technique is to use the channel hopping command to rapidly scan through all available wireless channels until the appropriate channel number is identified.

Channel hopping will cause you to lose traffic, because you are rapidly switching channels.

If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.

Page 48

Interference and Collisions

Another challenge of sniffing wireless networks is the risk of interference and lost packets. Unlike an Ethernet network that can transmit and monitor the network simultaneously, wireless cards can only receive or transmit asynchronously.

Wireless networks must take special precautions to prevent multiple stations from transmitting at the same time.

While these collision-avoidance mechanisms work well, it is still possible to experience collisions between multiple transmitters on the same channel, or to experience collisions with wireless local area networks (LANs) and other devices using the same frequency (for example, cordless phones, baby monitors, microwave ovens, and so on).

Page 49: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Recommendations for Sniffing Wireless Traffic

Locate the capture station near the source:

• When initiating a packet capture, locate the capture station close to the source of the wireless activity you are interested in (i.e., an AP or a wireless station).

Disable other nearby transmitters:

• To achieve a more accurate packet capture, disable any built-in wireless transmitters on the capture station.

Reduce CPU utilization while capturing:

• If your host experiences excessive CPU utilization during a packet capture, you may experience packet loss in the wireless capture (e.g., it is not a good idea to burn a DVD while capturing wireless traffic).

Match channel selection

Page 50: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Analyzing Wireless Traffic


Page 51: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Analyzing Wireless Traffic (cont’d)

Page 52: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

IEEE 802.11 Header

Following the frame statistics data, Wireshark starts to dissect the protocol information for the selected packet.

The IEEE 802.11 header is fairly complex; unlike a standard Ethernet header, it is between 24 and 30 bytes (compared to the standard Ethernet header of 14 bytes), has three or four addresses (compared to Ethernet’s two addresses), and has many more fields to specify various pieces of information pertinent to wireless networks.

Wireless frames can have additional protocols appended to the end of the IEEE 802.11 header, including encryption options, Quality of Service (QoS) options, and embedded protocol identifiers (IEEE 802.2 header), all before actually getting any data to represent the upper-layer Network layer protocols.

Page 53: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

IEEE 802.11 Header Fields


Page 54: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

IEEE 802.11 Header Fields (cont’d)

Page 55: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Filters

Filter for a station MAC:

• With the packet capture open, apply a display filter to display only traffic from the client station using the wlan.sa display field name. Assuming the station MAC address is 00:09:5b:e8:c4:03, the display filter would be applied as:

• wlan.sa eq 00:09:5b:e8:c4:03

Filter on BSSID:

• wlan.bssid eq 00:11:92:6e:cf:00

Filter on SSID:

• We can apply a display filter to identify all packets that include the SSID “NOWIRE”, as shown below:

• wlan_mgt.tag.interpretation eq "NOWIRE"

Page 56: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Filtering on Source MAC Address and BSSID

Page 57: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Filtering on BSSID


Page 58: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Filter on SSID


Page 59: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Wireless Frame Types Filters


Page 60: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Unencrypted Data Traffic

Another common analysis technique is to identify wireless traffic that is unencrypted.

This may be in an effort to identify misconfigured devices that could be disclosing sensitive information over the wireless network.

Most rogue devices are deployed without encryption.

Filters include:

• wlan.fc.protected ne 1

• wlan.fc.protected ne 1 and wlan.fc.type eq 2

Page 61: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Unencrypted Data Traffic (cont’d)

Page 62: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying Hidden SSIDs

Many organizations have adopted SSID cloaking, which prevents their APs from advertising their SSIDs to anyone who asks.

When an AP wants to obscure the SSID of the network, it does not respond when it receives a request for the network name, and it removes the SSID advertisement from beacon frames.

Because it is mandatory to include some indicator of the network name (whether legitimate or not) in beacon frames, vendors have adopted different conventions for obscuring the SSID by replacing it with one or more space characters or NULL bytes (one or more 0s) or an SSID with a length of 0.

Filter: In this example, we see that the BSSID of the network is 00:0b:86:c2:a4:89

wlan.bssid eq 00:0b:86:c2:a4:89 and wlan.fc.type_subtype eq 0

Page 63: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Revealed SSID


Page 64: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying EAP Authentication Failures

Troubleshooting authentication problems on the wireless network can be challenging, and often requires a packet sniffer to determine if the failure is happening on the client or over the network.

Wireshark can assist in identifying EAP authentication failure messages.

Filter:

eap.code eq 4

Page 65: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying the EAP Type


Page 66: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying Key Negotiation Properties

Some EAP methods negotiate a Transport Layer Security (TLS) tunnel before exchanging authentication information to protect weak authentication protocol data.

In order to establish the TLS tunnel, at least one digital certificate is transmitted from the AP to the station.

Filter:

eap and ssl.handshake.type eq 11

Page 67: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

EAP Identity Disclosure


Page 68: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying WEP

WEP is the most prevalent encryption mechanism used to protect wireless networks.

It is also widely known as an insecure protocol.

Wireshark uniquely identifies WEP-encrypted traffic by decoding the 4-byte WEP header that follows the IEEE 802.11 header.

We can identify WEP traffic by identifying any frames that include the mandatory WEP Initialization Vector (IV).

Filter:

wlan.wep.iv

Page 69: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying WEP (cont’d)


Page 70: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying TKIP and CCMP

TKIP is the successor to WEP, and is designed to be a software upgrade for hardware built only to support WEP.

Because TKIP was designed to work on legacy WEP hardware, it retained the use of the same underlying encryption protocol, RC4.

While RC4 is still considered safe for current use, it is no longer an acceptable encryption mechanism for use by U.S. government agencies.

Another alternative is to use the CCMP protocol, which uses the Advanced Encryption Standard (AES) cipher.

Like WEP, both TKIP and CCMP use an encryption protocol header that follows the IEEE 802.11 header.

This header is modified from the legacy WEP header, allowing us to identify whether TKIP or CCMP is in use, but it does not allow us to differentiate TKIP from CCMP.

We can only determine that one or the other is currently in use by looking at this header.

We can use a display filter to identify this header by filtering on the extended IV field:

• wlan.tkip.extiv

• wlan.bssid eq 00:0f:66:e3:e4:03 and wlan.fc.type_subtype eq 8
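The display filters on the preceding slides (wlan.fc.protected, the cloaked-SSID beacon check, wlan.wep.iv and wlan.tkip.extiv) all key off a few bytes of the 802.11 header. The Python below is an added example, not part of the EC-Council module: it decodes those bytes from constructed raw frames (no radiotap header), reusing the BSSID, station MAC and SSID quoted on the slides as sample values, and reveals a cloaked SSID from a client's association request the way the hidden-SSID slide describes.

```python
"""Decode the IEEE 802.11 fields behind the module's display filters.
Added example, not part of the EC-Council module; frames are constructed inline
(no radiotap header) and reuse the BSSID, station MAC and SSID quoted on the slides."""
from typing import Optional

TYPE_MGMT, TYPE_DATA = 0, 2                        # wlan.fc.type
SUBTYPE_ASSOC_REQ, SUBTYPE_BEACON = 0, 8            # wlan.fc.type_subtype eq 0 / eq 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
TAG_SSID = 0
EXT_IV_BIT = 0x20   # bit 5 of the key-id byte: set by TKIP/CCMP (wlan.tkip.extiv), clear for WEP


def frame_control(frame: bytes) -> dict:
    """Decode the 2-byte frame control field (wlan.fc.*)."""
    fc0, fc1 = frame[0], frame[1]
    return {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "to_ds": bool(fc1 & FLAG_TO_DS), "from_ds": bool(fc1 & FLAG_FROM_DS),
            "protected": bool(fc1 & FLAG_PROTECTED)}


def mac_header_len(fc: dict) -> int:
    """24 bytes; 30 with a fourth address (both DS bits); +2 for QoS data subtypes."""
    four_addr = 6 if fc["to_ds"] and fc["from_ds"] else 0
    qos = 2 if fc["type"] == TYPE_DATA and fc["subtype"] & 0x8 else 0
    return 24 + four_addr + qos


def bssid(frame: bytes) -> Optional[str]:
    """wlan.bssid: which address slot holds the BSSID depends on the DS bits."""
    fc = frame_control(frame)
    if fc["type"] == TYPE_MGMT or not (fc["to_ds"] or fc["from_ds"]):
        slot = 16                               # addr3
    elif fc["to_ds"] and fc["from_ds"]:
        return None                             # WDS frame: no single BSSID
    else:
        slot = 4 if fc["to_ds"] else 10         # addr1 when to-DS, addr2 when from-DS
    return ":".join(f"{x:02x}" for x in frame[slot:slot + 6])


def is_unprotected_data(frame: bytes) -> bool:
    """Same test as the slide's filter: wlan.fc.protected ne 1 and wlan.fc.type eq 2."""
    fc = frame_control(frame)
    return fc["type"] == TYPE_DATA and not fc["protected"]


def encryption_header(frame: bytes) -> Optional[str]:
    """4 bytes after the MAC header: WEP keeps ExtIV clear, TKIP/CCMP set it (indistinguishable here)."""
    fc = frame_control(frame)
    if fc["type"] != TYPE_DATA or not fc["protected"]:
        return None
    return "TKIP/CCMP" if frame[mac_header_len(fc) + 3] & EXT_IV_BIT else "WEP"


def mgmt_ssid(frame: bytes) -> Optional[bytes]:
    """SSID element of a beacon (12 fixed bytes) or association request (4 fixed bytes)."""
    fc = frame_control(frame)
    fixed = {SUBTYPE_BEACON: 12, SUBTYPE_ASSOC_REQ: 4}.get(fc["subtype"])
    if fc["type"] != TYPE_MGMT or fixed is None:
        return None
    i = 24 + fixed
    while i + 2 <= len(frame):                  # walk the tagged parameters
        tag, length = frame[i], frame[i + 1]
        if tag == TAG_SSID:
            return frame[i + 2:i + 2 + length]
        i += 2 + length
    return None


def ssid_is_cloaked(ssid: bytes) -> bool:
    """The vendor conventions from the slide: zero length, all NUL bytes, or all spaces."""
    return not ssid or set(ssid) <= {0x00} or set(ssid) <= {0x20}


def reveal_hidden_ssids(frames) -> dict:
    """BSSID -> SSID for APs whose beacons are cloaked but whose clients name the
    network in an association request (wlan.fc.type_subtype eq 0)."""
    cloaked, revealed = set(), {}
    for f in frames:
        fc, ssid = frame_control(f), mgmt_ssid(f)
        if ssid is None:
            continue
        if fc["subtype"] == SUBTYPE_BEACON and ssid_is_cloaked(ssid):
            cloaked.add(bssid(f))
        elif fc["subtype"] == SUBTYPE_ASSOC_REQ and not ssid_is_cloaked(ssid):
            revealed[bssid(f)] = ssid
    return {b: s for b, s in revealed.items() if b in cloaked}


# Constructed sample frames (values quoted on the slides, not a real capture).
AP = bytes.fromhex("000b86c2a489")      # BSSID from the hidden-SSID slide
STA = bytes.fromhex("00095be8c403")     # station MAC from the filters slide
BCAST = b"\xff" * 6


def _mgmt(fc: bytes, a1: bytes, a2: bytes, a3: bytes, body: bytes) -> bytes:
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00" + body


def _data(fc1: int, body: bytes) -> bytes:  # to-DS data frame, so addr1 is the BSSID
    return bytes([0x08, fc1]) + b"\x00\x00" + AP + STA + BCAST + b"\x20\x00" + body


# Beacon body: timestamp, interval, capability, SSID element of length 0, supported rates.
BEACON_CLOAKED = _mgmt(b"\x80\x00", BCAST, AP, AP,
                       b"\x00" * 8 + b"\x64\x00\x11\x04" + b"\x00\x00" + b"\x01\x01\x82")
# Association request body: capability, listen interval, SSID "NOWIRE", supported rates.
ASSOC_REQ = _mgmt(b"\x00\x00", AP, STA, AP, b"\x11\x04\x0a\x00" + b"\x00\x06NOWIRE" + b"\x01\x01\x82")
DATA_OPEN = _data(FLAG_TO_DS, b"\xaa\xaa\x03\x00\x00\x00\x08\x00")               # plaintext LLC/SNAP
DATA_WEP = _data(FLAG_TO_DS | FLAG_PROTECTED, b"\x12\x34\x56\x00" + b"\x00" * 8)  # 3-byte IV + key id 0
DATA_TKIP = _data(FLAG_TO_DS | FLAG_PROTECTED, b"\x12\x34\x56\x20" + b"\x00" * 8)  # ExtIV bit set
```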

Page 71: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying TKIP or CCMP Traffic

Page 72: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying IPsec/VPN

Some wireless networks will not use the standard IEEE 802.11 encryption mechanisms, instead opting for an upper-layer encryption mechanism, such as IPsec.

Wireshark can identify this type of encryption mechanism by applying a display filter for any of the associated IPsec protocols, such as the Internet Security Association and Key Management Protocol (ISAKMP), the Encapsulating Security Payload (ESP), or the Authentication Header (AH) protocol.

To identify IPsec traffic, apply a display filter as follows:

• isakmp or ah or esp

Page 73: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Identifying IPsec/VPN


Page 74: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Decrypting Traffic

One of the challenges of wireless traffic analysis is the ability to inspect the contents of encrypted data frames.

Wireshark offers some options to analyze WEP-encrypted data.

When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames.

In order for Wireshark to decrypt the contents of WEP-encrypted packets, it must be given the appropriate WEP key for the network.

Wireshark does not assist you in breaking WEP keys or attacking the WEP protocol.

It does not support decrypting TKIP or CCMP packets.

Page 75: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Decrypting Traffic (cont’d)

Page 76: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Scanning

Network scanning is used to identify available network resources.

Also known as discovery or enumeration, network scanning can be used to discover available hosts, ports, or resources on the network.

Once a vulnerable resource is detected, it can be exploited, and the device can be compromised.

Sometimes, an actual intruder is behind the scanning, and sometimes it is a result of worm activity.

Page 77: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

TCP Connect Scan

TCP connect scan is used to determine which ports are open and listening on a target device.

This type of scanning is the most basic because it completes the TCP three-way handshake with open ports and immediately closes them.

An intruder sends a SYN packet and analyzes the response. A response packet with the Reset (RST) and Acknowledgment (ACK) flags set indicates that the port is closed.

If a SYN/ACK is received, it indicates that the port is open and listening.

The intruder will then respond with an ACK to complete the connection, followed by an RST/ACK to immediately close the connection.

Page 78: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

TCP Connect Scan (cont’d)


Page 79: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

TCP Connect Scan (cont’d)

The previous screenshot shows the attacker, 192.168.0.9, sending SYN packets to the target, 192.168.0.99.

Most ports respond with an RST/ACK packet; however, the highlighted packets show the SYN/ACK response and the subsequent ACK followed by the RST/ACK exchange on the domain name system (DNS) port.

You will also notice that the intruder’s source port increases by one for each attempted connection.

You can find these by using a filter, such as

tcp.flags.syn==1&&tcp.flags.ack==1 or tcp.flags==18

to view packets with the SYN and ACK flags set.

The filter will show multiple responses for each port because several scanning methods were used.

Page 80: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

TCP Connect Scan (cont’d)


Page 81: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

SYN Scan

It is also known as a half-open scan, because a full TCP connection is never completed.

It is used to determine which ports are open and listening on a target device.

An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed.

If a SYN/ACK is received, it indicates that the port is open and listening.

The intruder will then follow with an RST to close the connection.

SYN scans are known as stealth scans because few devices will notice or log them.


Page 82: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

SYN Scan (cont’d)


Page 83: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

SYN Scan (cont’d)

The previous figure shows that the attacker, 192.168.0.9, is sending SYN packets to the target, 192.168.0.99.

Most ports respond with an RST/ACK packet.

The highlighted packets show the SYN/ACK response and the subsequent RST exchange on the https port.

You will also notice that the intruder is using somewhat static source ports, 52198 and 52199.

Page 84: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

XMAS Scan

The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device.

It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than SYN scans.

The XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.

Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.

This type of scan will not work against systems running Microsoft Windows, Cisco IOS, BSDI, HP/UX, MVS, and IRIX. They will all respond with RST packets, even from open ports.

Page 85: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

XMAS Scan (cont’d)


Page 86: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

XMAS Scan (cont’d)

The previous figure shows that the attacker, 192.168.0.9, is sending packets to the target, 192.168.0.99, with the FIN, PSH, and URG flags set.

Most ports respond with an RST/ACK packet; however, the highlighted packet for the sunrpc port never receives a response.

This lack of a response indicates that the port is open and has dropped the packet.

You will also notice that the intruder is using decoy addresses of 192.168.0.1, 192.168.0.199, and 192.168.0.254.

You will also notice that the intruder is using somewhat static source ports, 35964 and 35965.

Page 87: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Null Scan

The null scan determines which ports are open by sending packets with invalid flag settings to a target device.

It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than SYN scans.

The null scan sends packets with all flags turned off.

Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond.

This type of scan will not work against systems running Microsoft Windows, Cisco IOS, BSDI, HP/UX, MVS, and IRIX.

They will all respond with RST/ACK packets, even from open ports.

Page 88: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Null Scan (cont’d)


Page 89: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Null Scan (cont’d)

The previous figure shows that the attacker, 192.168.0.9, is sending packets to the target, 192.168.0.99, with all flags turned off, as indicated by the empty brackets [ ].

Most ports respond with an RST/ACK packet.

The highlighted packet for the https port never receives a response, thereby indicating that the port is open and has dropped the packet.

Notice that the intruder is using somewhat static source ports, 42294 and 42295.
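As an added example that is not part of the module, the Python below applies the signatures from the preceding TCP connect, SYN, XMAS and Null scan slides to constructed packet lists (scanner 192.168.0.9 and target 192.168.0.99, as on the slides) and reports which technique was used, which ports it judged open or closed, and which source addresses sent probes, so that decoy addresses and static source ports stand out the way they do in the screenshots.

```python
"""Classify TCP port-scan probes and replies the way the scanning slides describe.
Added example, not part of the EC-Council module; the packet lists are constructed
to mirror the slides (scanner 192.168.0.9, target 192.168.0.99)."""
from collections import defaultdict

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(flags) -> int:
    """Numeric tcp.flags value; {SYN, ACK} gives 18, the slide's tcp.flags==18."""
    return sum(TCP_FLAG_BITS[f] for f in flags)


def probe_kind(flags):
    """Shape of an initial probe: 'syn', 'xmas' (FIN+PSH+URG), 'null' (no flags), else None."""
    s = frozenset(flags)
    if s == {"SYN"}:
        return "syn"
    if s == {"FIN", "PSH", "URG"}:
        return "xmas"
    return "null" if not s else None


def analyze_scan(packets, scanner, target):
    """packets: (src, sport, dst, dport, flags) tuples in capture order.

    Returns the techniques seen, ports judged open/closed and the scanner's source ports.
    Silence after an XMAS/NULL probe is read as 'open', as on the slides; hosts such as
    Windows or Cisco IOS answer every such probe with RST, so there every port looks
    closed, and a firewall that drops the probe makes a closed port look open.
    """
    flows = defaultdict(list)       # (scanner port, target port) -> [(direction, flags)]
    for src, sport, dst, dport, flags in packets:
        if src == scanner and dst == target:
            flows[(sport, dport)].append(("out", frozenset(flags)))
        elif src == target and dst == scanner:
            flows[(dport, sport)].append(("in", frozenset(flags)))
    result = {"techniques": set(), "open": set(), "closed": set(), "source_ports": set()}
    for (sport, dport), flow in flows.items():
        if flow[0][0] != "out" or probe_kind(flow[0][1]) is None:
            continue
        kind = probe_kind(flow[0][1])
        result["source_ports"].add(sport)
        replies = [f for d, f in flow if d == "in"]
        follow_ups = [f for d, f in flow[1:] if d == "out"]
        if kind == "syn":
            if {"SYN", "ACK"} in replies:
                result["open"].add(dport)
                # Completing the handshake (ACK, then RST/ACK) is a connect scan;
                # tearing down with a bare RST is the half-open SYN scan.
                result["techniques"].add("connect" if {"ACK"} in follow_ups else "half-open")
            elif {"RST", "ACK"} in replies:
                result["closed"].add(dport)
        else:
            result["techniques"].add(kind)
            if any("RST" in f for f in replies):
                result["closed"].add(dport)
            else:
                result["open"].add(dport)
    return result


def probe_sources(packets, target):
    """Every address that sent a scan-shaped probe to target; decoy addresses appear here too."""
    return sorted({src for src, _, dst, _, flags in packets
                   if dst == target and probe_kind(flags) is not None})


# Constructed captures, not real traffic. Port 53 is open in the connect scan, 443 in the
# SYN and Null scans, 111 (sunrpc) in the XMAS scan; port 80 is closed throughout.
A, T = "192.168.0.9", "192.168.0.99"
CONNECT_SCAN = [
    (A, 40001, T, 80, {"SYN"}), (T, 80, A, 40001, {"RST", "ACK"}),
    (A, 40002, T, 53, {"SYN"}), (T, 53, A, 40002, {"SYN", "ACK"}),
    (A, 40002, T, 53, {"ACK"}), (A, 40002, T, 53, {"RST", "ACK"}),
]
SYN_SCAN = [
    (A, 52198, T, 80, {"SYN"}), (T, 80, A, 52198, {"RST", "ACK"}),
    (A, 52199, T, 443, {"SYN"}), (T, 443, A, 52199, {"SYN", "ACK"}),
    (A, 52199, T, 443, {"RST"}),
]
XMAS = {"FIN", "PSH", "URG"}
XMAS_SCAN = [
    (A, 35964, T, 80, XMAS), (T, 80, A, 35964, {"RST", "ACK"}),
    (A, 35965, T, 111, XMAS),
    ("192.168.0.1", 35965, T, 111, XMAS), ("192.168.0.254", 35965, T, 111, XMAS),  # decoys
]
NULL_SCAN = [
    (A, 42294, T, 80, set()), (T, 80, A, 42294, {"RST", "ACK"}),
    (A, 42295, T, 443, set()),
]
```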

Page 90: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Remote Access Trojans

Trojans are malicious programs that are often disguised as other programs such as jokes, games, network utilities, and sometimes even the Trojan removal program itself.

Trojans are often used to distribute backdoor programs without the victims being aware that they are being installed.

Backdoors operate in a client-server architecture and allow the intruder to have complete control of a victim’s computer remotely over the network.

They give an intruder access to just about every function of the computer, including logging keystrokes, activating the webcam, logging passwords, and uploading and downloading files.

Page 91: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

NetBus Analysis

The NetBus backdoor Trojan is also one of the older and more common Windows backdoor Trojans.

It runs over a TCP connection with default ports of 12345 and 12346.

It is easily detectable using antivirus software, but many variations exist.

Page 92: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

NetBus Analysis (cont’d)


Page 93: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Trojan Analysis Example: NetBus Analysis

The previous figure shows that the intruder is running the client on 192.168.1.1, which is connected to the server on the victim’s computer at 192.168.1.200.

You will notice that the server is running on the default ports 12345 and 12346 and that data is being pushed between the client and server.

The two separate source ports indicate two distinct TCP connections.

Page 94: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Wireshark DNP3 Dissector Infinite Loop Vulnerability

Wireshark’s DNP3 dissector infinite loop vulnerability causes its process to enter an infinite loop.

While the analyzer is stuck in the loop, an attacker can mask other types of attacks.

Below is the loop that appears due to this vulnerability:

• for (temp16 = 0; temp16 < num_items; temp16++) {

Page 95: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Time Stamps

A time stamp is the point in time at which the data packet is captured.

The libpcap or WinPcap library provides time stamps to Wireshark.

Time stamps are recorded so that they can be analyzed later.

Wireshark internals:

• Deal with the time display format of the time stamps.

• The time display format can be adjusted by the user.

• Depending upon the requirement, Wireshark converts the time stamp to either the capture file format or Wireshark’s internal format.

Page 96: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Time Stamps: Wireshark Internals

Page 97: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Time Stamps (cont’d)

Capture file formats:

• Time stamps are supported by each and every capture file format of Wireshark.

• File formats store the time stamps with a precision (e.g., nanosecond or microsecond).

• Wireshark captures in a file format supporting microsecond resolution.

Accuracy:

• Wireshark displays time stamps that are generated by its other resources (libpcap/WinPcap).

• Since time stamps are just displayed, the point of accuracy is critical.

Page 98: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Time Zones

Setting a computer’s time correctly:

• Set the time zone according to the current location.

• Set the computer timings according to the local time.

• Use NTP (Network Time Protocol) to automatically adjust the time of the computer.

Page 99: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Packet Reassembling

The packet reassembling mechanism is implemented in Wireshark for finding, decoding, and displaying large chunks of data.

Network protocols handle the chunk boundaries in such a way that when the data is large, it is spread over multiple packets.

Page 100: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Checksums

A checksum, or redundancy check, is the process of checking the functionality of Wireshark.

To ensure data integrity, checksums are used by the network protocols.

Through checksum algorithms, simple errors can be detected.

The algorithm that is applied for a particular network protocol depends on the error rate, error detection, ability of the processor, performance of the checksum, etc.

Packet loss and re-transmission:

• Packet loss is the error condition where data packets are transmitted correctly, but without reaching the destination.

• Transmitting the lost data packets again is called re-transmission.

• Re-transmission occurs when there is loss of a data packet or acknowledgement packet.

Note: Ensure that there is no Ethernet duplex setting mismatch (this avoids packet loss and re-transmission).

Page 101: ECSAv4 Module 04 Advanced Sniffing Techniques_NoRestriction

Summary

In this module, we reviewed the network protocol analyzer Wireshark, its features and working:

• IP display filters.

We have discussed various commands used in Wireshark, such as:

• Tshark.
• Tcpdump.
• Capinfos.
• Idl2wrs.
• Editcap.
• Mergecap.
• Text2pcap.

We have discussed the use of Wireshark in network troubleshooting.

We have reviewed various scanning techniques.
