Wireshark: Network Forensic Exercise by Fakrul Alam, Bangladesh CER
Dean Pemberton Network Startup Resource Center
[email protected]
These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
What is Wireshark?
- Wireshark is a network packet/protocol analyzer.
  - A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.
- Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.
About Wireshark
- Formerly known as "Ethereal"
  - Author Gerald Combs quit Network Integration Services
  - Free
- Requirement
  - Need to install winpcap
  - Latest wireshark installer contains winpcap, don't worry
  - On Windows Vista: Need Administrator Privilege to capture
- GUI
  - Dramatically improved
Why Wireshark
- network administrators use it to troubleshoot network problems
- network security engineers use it to examine security problems
- developers use it to debug protocol implementations
- people use it to learn network protocol internals
- Wireshark isn't an intrusion detection system.
- Wireshark will not manipulate things on the network, it will only "measure" things from it.

How to Install
- Very straightforward
- Just double-click and follow the instructions.
Capture
(Screenshot of the capture window, labelled: Dashboard, Menu, Filter, Capture Data, Raw Data)
Filters
- Capture filter
  - Capture traffic that matches the capture filter rule
  - save disk space
  - prevent packet loss
- Display filter
  - Tweak appearance

Apply Filters
- ip.addr == 10.0.0.1 (Sets a filter for any packet with 10.0.0.1 as either the source or dest)
- ip.addr==10.0.0.1 || ip.addr==10.0.0.2
- http or dns
- tcp.port==<port>
- tcp.flags.reset==1
- http.request
- tcp contains rviews
- (arp or icmp or dns)
Follow TCP Stream
- Build TCP Stream
  - Select TCP Packet -> Follow TCP Stream

Use "Statistics"
- What protocol is used in your network
  - Statistics -> Protocol Hierarchy
- Which host is most chatty
  - Statistics -> Conversations
- Make graph
  - Statistics -> IO Graph

Need CUI?
- If you stick to a character based interface, try tshark.exe
- C:\program files\wireshark\tshark.exe

Tcpdump & Wireshark
- tcpdump -i <interface> -s 65535 -w <some-file>
Exercise
- Install Wireshark on your PC
- Run wireshark and capture inbound/outbound traffic
- Download capture files from
  - Follow the instructor's guide.

Exercise 1: Good Old Telnet
- File
  - telnet.pcap
- Question
  - Reconstruct the telnet session.
  - Q1: Who logged into 192.168.0.x?
    - Username __________, Password __________
  - Q2: After logging in, what did the user do?
- Tip
  - telnet traffic is not secure

Exercise 2: Massive TCP SYN
- File
  - massivesyn.pcap and massivesyn2.pcap
- Question
  - Point out the difference between them.
  - Q1: massivesyn.pcap is a _________ attempt.
  - Q2: massivesyn2.pcap is a _________ attempt.
- Tip
  - Pay attention to Src IP
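The "pay attention to Src IP" check from this exercise, done in code rather than in the Wireshark GUI. This is an added example, not part of the original slides: it parses a classic pcap with the standard library only, counts SYNs per source and SYN/ACKs coming back, and builds two constructed captures (one source hammering one port vs. many sources) so it runs offline. The massivesyn files themselves are not reproduced here.

```python
import struct
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10

def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Classic little-endian pcap (linktype 1 = Ethernet), one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def iter_tcp(data):
    """Yield (src, dst, dport, flags) for each IPv4/TCP packet in a classic pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pkt, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue  # truncated TCP header
        yield (".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])),
               struct.unpack("!H", tcp[2:4])[0], tcp[13])

def syn_profile(data, threshold=10):
    """Per source IP: SYNs sent, SYN/ACKs received, distinct ports targeted.
    A source is 'suspicious' when it sends >= threshold SYNs and never gets a SYN/ACK."""
    sent, replied, ports = Counter(), Counter(), defaultdict(set)
    for src, dst, dport, flags in iter_tcp(data):
        if flags & SYN and not flags & ACK:
            sent[src] += 1
            ports[src].add(dport)
        elif flags & SYN and flags & ACK:
            replied[dst] += 1  # the SYN/ACK goes back to the initiator
    return {s: {"syn": n, "synack": replied[s], "ports": len(ports[s]),
                "suspicious": n >= threshold and replied[s] == 0} for s, n in sent.items()}

# Constructed samples (hypothetical addresses): one source vs. thirty different sources.
FLOOD = pcap_bytes([tcp_frame("10.0.0.1", "10.0.0.2", 40000 + i, 80, SYN) for i in range(30)])
MANY = pcap_bytes([tcp_frame(f"10.9.{i}.1", "10.0.0.2", 40000, 80, SYN) for i in range(30)])
```

Feed a real capture with `syn_profile(open("massivesyn.pcap", "rb").read())` and compare how many distinct source IPs appear in each file.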
Exercise 3: Compare the traffic
- Scenario
  - You're an IT admin of the company. You had a report that Jim (a new employee) can not browse or mail with his laptop. After researching you found that Risa, sitting next to Jim, can browse without any problem.
- File
  - Risa.pcap, Sim.pcap
- Question
  - Compare the capture files from both machines and find out why Jim's machine is not online.
  - Jim must _____________________________.
- Tip
  - Pay attention to the first arp packet.
Exercise 4: Chatty Employees
- File
  - chat.dmp
- Question
  - Q1: What kind of protocol is used? _______
  - Q2: This is a conversation between ______@hotmail.com and ______@hotmail.com
  - Q3: What do they say about you (sysadmin)?
- Tip
  - Your chat can be monitored by the network admin.
Exercise 5: Suspicious FTP activity
- File
  - ftp.pcap
- Question
  - Q1: 10.2.x0.5 is FTP ______.
  - Q2: 10.23.25.25 is FTP ______.
  - Q3: FTP Err Code 530 means __________.
  - Q4: 10.23.25.25 attempts ________.
- Tip
  - How many login errors occur within a minute?
Exercise 6: Unidentified Traffic
- File
  - Foobar.pcap
- Question
  - Q1: See what's going on with the wireshark gui: Statistics -> Conversation List -> TCP
  - Q2: Which application uses TCP/636x? Check the web.
Exercise 7: Covert channel
- File
  - covertinfo.pcap
- Question
  - Take a closer look! This is not a typical ICMP Echo/Reply.
  - Q1: What kind of tool do they use? Check the web.
  - Q2: Name other applications which tunnel user traffic.