Advanced Penetration Testing and Security Analysis
Advanced Sniffing Techniques
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Copyright © 2004 EC-Council. All rights reserved worldwide.
Module Objective
This module will familiarize you with:
• Wireshark
• Filters
• IP Display Filters
• Editcap
• Mergecap
• Text2pcap
• Using Wireshark for Network Troubleshooting
• Network Troubleshooting Methodology
• Scanning Techniques
What is Wireshark?
Wireshark is a network analyzer. It reads packets from the network, decodes them, and presents them in an easy-to-understand format.
Features of Wireshark include:
• It is distributed under the GPL.
• It is available for UNIX and Windows.
• It works in promiscuous and non-promiscuous modes.
• It can capture data from the network or read from a capture file.
• It supports tcpdump format capture filters.
• It can read capture files from over 25 different products.
Wireshark: Screenshot
Wireshark: Filters
Filtering packets helps you find a desired packet without sifting through all of them. The capture filter syntax follows the same syntax that tcpdump uses from the libpcap library. It is used on the command line or in the “Capture Filter” dialog. Display filters provide a powerful syntax to sort traffic that is ...
IP Display Filters
IP Display Filters (cont’d)
IP Display Filters (cont’d)
Example
To see just HTTP request packets (e.g. GET, POST, HEAD and so on), type:
http.request
Filter fields can also be compared against values, such as http.request.method == "GET" to see only HTTP GET requests. The comparison operators can be expressed using the following abbreviations and symbols:

Comparison               Abbreviation   Symbol
Equal                    eq             ==
Greater than             gt             >
Less than                lt             <
Less than or equal to    le             <=
Wireshark: Tshark
Tshark is the command-line version of Wireshark, which can be used to capture live traffic. By default, Tshark prints the summary line information to the screen. This is the same information contained in the top pane of the Wireshark GUI.
1.199008 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.199246 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [SYN] Seq=1102938967 Ack=0 Win=16384 Len=0
1.202244 192.168.100.122 -> 192.168.100.132 TCP telnet > 1320 [SYN, ACK] Seq=3275138168 Ack=1102938968 Win=49640 Len=0
1.202268 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK] Seq=1102938968 Ack=3275138169 Win=17520 Len=0
1.202349 192.168.100.132 -> 192.168.100.122 TCP 1320 > telnet [ACK]
Wireshark: Tcpdump
Tcpdump is a command-line computer network debugging tool.
It is used as a substitute for Wireshark when capturing packets at remote locations. To ensure that the complete packet is captured, use the following command line:
• tcpdump -i <interface> -s 1500 -w <file>
• Ctrl-C (^C) is necessary to terminate the packet capture.
Wireshark: Capinfos
Capinfos is a Wireshark utility used for printing information about binary capture files.
$ capinfos -h
Capinfos: Prints information about capture files.
Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y] [-i] [-z] [-h] <capfile>
  where -t display the capture type of <capfile>
        -c count the number of packets
        -s display the size of the file
        -d display the total length of all packets in the file (in bytes)
        -u display the capture duration (in seconds)
        -e display the capture end time
        -y display average data rate (in bytes)
        -i display average data rate (in bits)
        -z display average packet size (in bytes)
        -h produces this help listing.
If no data flags are given, default is to display all statistics
Wireshark: Idl2wrs
Idl2wrs is a command-line tool used for creating dissectors from user-specified CORBA IDL files.
It parses the data structures and generates get_CDR_xxx calls for decoding CORBA traffic.
The prerequisites for idl2wrs are Python and omniidl.
Conversion of CORBA IDL
1. Writing C code to stdout:
   • idl2wrs <IDL file>
   • E.g.: idl2wrs echo.idl
2. For writing to a file, redirect the output:
   • idl2wrs echo.idl > packet-test-idl.c
4. Writing C code to stdout:
   • omniidl -p ./ -b wireshark_be echo.idl
5. For writing to a file, redirect the output:
   • omniidl -p ./ -b wireshark_be echo.idl > packet-test-idl.c
Conversion of CORBA IDL (cont’d)
7. Edit two files to include the packet-test-idl.c:
   • cp packet-test-idl.c /dir/where/wireshark/lives/
   • edit Makefile.am
   • edit Makefile.nmake
8. Run the configure option:
   • ./configure (or ./autogen.sh)
9. Code should be compiled.
Wireshark: Dumpcap
Dumpcap is a command-line tool used for capturing data from the live network and copying those packets to a file.
Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                           files:NUM - stop after NUM files
  -w <filename>            name of file to save (def: tempfile)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                           files:NUM - ringbuffer: replace after NUM files
Miscellaneous:
  -v                       print version information and exit
  -h                       display this help and exit
Wireshark: Editcap
Editcap is used to remove packets from a file and to translate the format of capture files.
It is similar to the Save As feature. Editcap can read all of the same types of files that Wireshark can, and writes to the libpcap format by default.
C:\Program Files\Wireshark>editcap -r -v -F snoop capture capture_snoop 1-5
File capture is a libpcap (tcpdump, Wireshark, etc.) capture file
Add_Selected: 1-5
Inclusive ... 1, 5
Record: 1
Record: 2
Record: ...
Wireshark: Mergecap
Mergecap is used to combine multiple saved capture files into a single output file. It can read all of the same types of files that Wireshark can and writes to the libpcap format by default.
C:\Program Files\Wireshark>mergecap -v -F snoop -w merge_snoop capture1 capture2 capture3 capture4
mergecap: capture1 is type libpcap (tcpdump, Wireshark, etc.)
mergecap: capture2 is type libpcap (tcpdump, Wireshark, etc.)
Wireshark: Text2pcap
Text2pcap reads an ASCII hex dump and writes the data into a libpcap-style capture output file. It is capable of reading hexdumps containing multiple packets and building a capture file of multiple packets. It can also read hexdumps of application-level data by inserting dummy Ethernet ...
C:\Program Files\Wireshark>text2pcap hex_sample.txt libpcap_output
Input from: hex_sample.txt
Output to: libpcap_output
Wrote packet of 168 bytes at 0
Read 1 potential packets, wrote 1 packets
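An added example (not from the module, and not Wireshark's own text2pcap source): a minimal converter that follows text2pcap's rule that an offset of 0 begins a new packet, writes the result as a libpcap file, and counts the records back the way capinfos -c would. The hex dump and the helper names are constructed for this example.

```python
# Added example (not from the module or the Wireshark project): a small
# text2pcap-style converter. It parses an offset-prefixed hex dump, starts a new
# packet whenever the offset returns to 0 (text2pcap's rule), and writes a
# libpcap file with a DLT_EN10MB link type. The dump below is constructed.
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
DLT_EN10MB = 1                   # Ethernet link type
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_hexdump(text: str) -> list:
    """Return a list of packets (bytes) from a text2pcap-style hex dump.
    A line is '<offset> <hex bytes...>'; offset 0 begins a new packet and any
    other offset must equal the number of bytes already collected."""
    packets, current = [], bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEX_LINE.match(line)
        if not m:
            continue                               # text2pcap ignores non-hex lines
        offset = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if offset == 0:
            if current:
                packets.append(bytes(current))
            current = bytearray()
        elif offset != len(current):
            raise ValueError(f"line {lineno}: offset {offset:#x} does not follow previous bytes")
        current += data
    if current:
        packets.append(bytes(current))
    return packets


def build_pcap(packets: list, snaplen: int = 65535, linktype: int = DLT_EN10MB) -> bytes:
    """Serialise packets into a classic libpcap file: 24-byte global header,
    then a 16-byte record header per packet. Timestamps start at 0 and step 1 us."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        cap = pkt[:snaplen]
        out += struct.pack("<IIII", 0, i, len(cap), len(pkt))  # ts_sec, ts_usec, incl_len, orig_len
        out += cap
    return bytes(out)


def count_pcap_records(blob: bytes) -> int:
    """Walk a little-endian libpcap file and count its records (capinfos -c)."""
    magic, = struct.unpack("<I", blob[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    pos, n = 24, 0
    while pos + 16 <= len(blob):
        incl_len = struct.unpack("<IIII", blob[pos:pos + 16])[2]
        pos += 16 + incl_len
        n += 1
    return n


# Constructed dump: an ARP request frame (42 bytes) and a short IP frame stub (34 bytes).
SAMPLE_DUMP = """\
000000 ff ff ff ff ff ff 00 01 02 03 04 05 08 06 00 01
000010 08 00 06 04 00 01 00 01 02 03 04 05 c0 a8 01 01
000020 00 00 00 00 00 00 c0 a8 01 02
000000 00 01 02 03 04 05 06 07 08 09 0a 0b 08 00 45 00
000010 00 1c 00 00 00 00 40 01 00 00 c0 a8 01 02 c0 a8
000020 01 01
"""

if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    pcap = build_pcap(pkts)
    print(f"Read {len(pkts)} potential packets, wrote {count_pcap_records(pcap)} packets")
```

An offset that does not continue the previous line raises ValueError instead of silently producing a corrupt record.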
Upgrading Wireshark
Below is the recommended upgrading process for Wireshark:
• The HTTP, DCP ETSI, SSL, DHCP/BOOTP, and MMS dissectors should be disabled.
• Select Analyze.
• Check Enabled Protocols from the menu.
• Make sure that ... 3.0, FB/IPB GDS DB, HTTP, MEGACO, NCP, PPP, and SSL are un-checked.
• Click Save.
• Click OK.
Protocol Dissection
A protocol dissector allows Wireshark to break protocols down into smaller sections so as to analyze them.
Wireshark uses various dissectors for analyzing different protocols.
It provides searching and filtering of one file at a time.
Protocol Dissection (cont’d)
Steps to Solve GNU/ Linux Server
• Check the default route gateway IP.
• Look for the IP address, network cables, and power supply.
• Check the firewall logs and ensure that the correct ports are connected.
• Perform a network analysis.
Using Wireshark for Network Troubleshooting
A good approach to network troubleshooting involves the following steps:
1. Recognize the symptoms.
2. Define the problem.
3. Analyze the problem.
4. Isolate the problem.
5. Identify and test the cause of the problem.
6. Solve the problem.
7. Verify that the problem has been solved.
Network Troubleshooting
Using Wireshark
The basics of the ARP protocol are:
• When a system needs to communicate with another system on the same subnet, and has an IP address for that system but not a MAC address, an ARP request is broadcast onto the Ethernet segment.
• A system (e.g., on a network with hosts 192.168.1.1 and 192.168.1.2 having MAC addresses 00:01:02:03:04:05 and 06:07:08:09:0a:0b) issues the following sequence through ARP:
00:01:02:03:04:05 to ff:ff:ff:ff:ff:ff  Who has 192.168.1.2? Tell 192.168.1.1
06:07:08:09:0a:0b to 00:01:02:03:04:05  192.168.1.2 is at 06:07:08:09:0a:0b
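The request/reply pair above, built and decoded in Python as an added example (not code from the module): it serialises both ARP frames with the slide's addresses and renders the Info text Wireshark shows for each. Helper names such as build_arp_frame are my own.

```python
# Added example (not from the module): build and decode the ARP request/reply
# pair from the slide, with the slide's addresses, and render each frame the
# way Wireshark's Info column does ("Who has ...? Tell ..." / "... is at ...").
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac) -> bytes:
    """Ethernet II frame carrying an ARP packet for Ethernet/IPv4 (RFC 826): 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def describe_arp_frame(frame: bytes) -> str:
    """Return 'src to dst  <info>' for an Ethernet/ARP frame, as on the slide."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    if op == ARP_REQUEST:
        info = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}"
    elif op == ARP_REPLY:
        info = f"{ip_str(spa)} is at {mac_str(sha)}"
    else:
        info = f"ARP opcode {op}"
    return f"{mac_str(src)} to {mac_str(dst)}  {info}"


def arp_exchange() -> list:
    """The two frames from the slide: broadcast request, then unicast reply."""
    host_a = ("00:01:02:03:04:05", "192.168.1.1")
    host_b = ("06:07:08:09:0a:0b", "192.168.1.2")
    # The request's target MAC is unknown, so it is zero-filled and the frame is broadcast.
    request = build_arp_frame(ARP_REQUEST, host_a[0], host_a[1],
                              "00:00:00:00:00:00", host_b[1], BROADCAST)
    reply = build_arp_frame(ARP_REPLY, host_b[0], host_b[1], host_a[0], host_a[1], host_a[0])
    return [describe_arp_frame(request), describe_arp_frame(reply)]


if __name__ == "__main__":
    for line in arp_exchange():
        print(line)
```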
ARP Problems
Wireshark can be used to check for the presence of this traffic on the network.
There are several conditions of ARP that indicate specific problems. If there is no ARP traffic from the system on the network, either you are not capturing the traffic correctly or there are driver or OS issues preventing network communication. If the system is issuing ARP requests but there is no response from ...
ICMP Echo Request/Reply
The ICMP type field, a 1-byte field at the very beginning of the ICMP protocol header, indicates the type of ICMP packet. If the type field is 8, the packet is an ICMP echo (ping) request.
If the type field is 0, the packet is an ICMP echo (ping) reply.
A capture filter can match echo requests and replies by retrieving the first byte:
• icmp[0] == 8 or icmp[0] == 0
TCP Flags
The bits of the TCP flags field are used as separate fields. The field is an integer where the individual bits are independent flags.
For example, the TCP flags field is an 8-bit integer field, but the bits in that integer represent independent fields that are either true or false (or 1 or 0).
TCP SYN Packet Flags Bit Field
In this case only the tcp-syn bit is set; therefore the value 0x02, which is the value of tcp-syn, can be tested:
• tcp[tcpflags] == 0x02
• tcp[tcpflags] == tcp-syn
TCP SYN Packet Flags Bit Field (cont’d)
In this packet of the TCP handshake (a Synchronize (SYN)/Acknowledge (ACK) packet), both the tcp-syn and tcp-ack bits are set. To write a filter to test for the SYN bit, use the bitwise and operator to mask out all of the bits except for the SYN bit:
• tcp[tcpflags] & tcp-syn == 0x02
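An added example (not from the module) that applies the ICMP type test from the ICMP Echo Request/Reply slide and the two TCP SYN tests above to constructed IPv4 packets, reading icmp[0] and tcp[13] (the tcpflags keyword) the way the capture filter engine does; it shows why the exact comparison misses the SYN/ACK while the masked one catches it. Function names are mine.

```python
# Added example (not from the module): evaluate the byte-offset tests from the
# ICMP and TCP-flag slides on constructed IPv4 packets. Offsets follow the
# pcap-filter keywords: tcpflags is byte 13 of the TCP header, icmp[0] is the
# ICMP type byte, and both are counted from the start of the transport header.
import struct

# TCP flag values, named as in pcap-filter (tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPFLAGS_OFFSET = 13          # pcap-filter's "tcpflags" keyword: tcp[13]
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
PROTO_ICMP, PROTO_TCP = 1, 6


def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options, checksum left 0) plus a transport payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2]))
    return hdr + payload


def tcp_segment(flags: int, sport: int = 1320, dport: int = 23) -> bytes:
    """20-byte TCP header: data offset 5, window 16384, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 16384, 0, 0)


def transport_byte(packet: bytes, proto: int, offset: int) -> int:
    """Equivalent of BPF tcp[offset] / icmp[offset]: index into the transport
    header, which starts after IHL*4 bytes of IPv4 header."""
    if packet[0] >> 4 != 4 or packet[9] != proto:
        raise ValueError("packet is not IPv4 carrying the requested protocol")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + offset]


def is_icmp_echo(packet: bytes) -> bool:
    """icmp[0] == 8 or icmp[0] == 0"""
    t = transport_byte(packet, PROTO_ICMP, 0)
    return t == ICMP_ECHO_REQUEST or t == ICMP_ECHO_REPLY


def is_pure_syn(packet: bytes) -> bool:
    """tcp[tcpflags] == tcp-syn : only SYN set, so a SYN/ACK does not match."""
    return transport_byte(packet, PROTO_TCP, TCPFLAGS_OFFSET) == TCP_SYN


def has_syn_bit(packet: bytes) -> bool:
    """tcp[tcpflags] & tcp-syn == 0x02 : SYN set, whatever the other bits are."""
    return transport_byte(packet, PROTO_TCP, TCPFLAGS_OFFSET) & TCP_SYN == TCP_SYN


def classify_handshake() -> dict:
    """Constructed three-way handshake; returns (pure_syn, has_syn_bit) per packet."""
    pkts = {
        "SYN": ipv4_packet(PROTO_TCP, tcp_segment(TCP_SYN)),
        "SYN/ACK": ipv4_packet(PROTO_TCP, tcp_segment(TCP_SYN | TCP_ACK, 23, 1320)),
        "ACK": ipv4_packet(PROTO_TCP, tcp_segment(TCP_ACK)),
    }
    return {name: (is_pure_syn(p), has_syn_bit(p)) for name, p in pkts.items()}


if __name__ == "__main__":
    print(classify_handshake())
    ping = ipv4_packet(PROTO_ICMP, bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1]))
    print("icmp echo:", is_icmp_echo(ping))
```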
Capture Filter: Examples
Scenario 1: SYN, no SYN+ACK
If your Wireshark capture shows that the client is sending a SYN packet but no response is received from the server, the server is not processing the packet. One possibility is that the server itself has a firewall running on it.
Scenario 2: SYN, RST
If the response carries the reset (RST) flag, the destination server is receiving the packet but there is no application bound to that port.
Make sure that your application is bound to the correct port on the correct IP address.
Scenario 3: SYN, SYN+ACK, ACK, Connection Closed
If your Wireshark capture shows that the TCP connection is established and that it immediately closes, the destination server may be rejecting the client’s address due to security restrictions. On UNIX systems, check the TCP wrappers files /etc/hosts.allow and /etc/hosts.deny and verify that you haven’t inadvertently blocked communication.
Tapping into the Network
Wireshark’s TAP system is a dominant and flexible way to access packets matching certain protocols.
The tapping system is divided into two parts:
• Code in the actual dissectors to allow tapping of data.
• Code that processes the received packets of data.
Wire tapping is the process of tapping the wired network using sniffers.
Wireless tapping requires specifications such as signal strength and different wireless management packets.
Tapping into the Network (cont’d)
Tapping into a hubbed network:
• A hubbed network provides information on each data packet to the packet analyst.
• This network provides slow network traffic with low bandwidth, and is rarely used.
Tapping into a switched network:
• In a switched network, the sniffer only sees traffic destined for the port into which it is plugged in.
• This network captures the traffic from a targeted device by port mirroring, ARP cache poisoning, and ...
Using Wireshark for Packet Reassembly
Wireshark provides packet reassembly, which allows us to see the contents of exchanged data. For protocols such as Telnet and FTP, Wireshark clearly displays the username and password for the connection, without any reassembly. For unknown, custom, or otherwise obscure protocols, packet reassembly can be used. To use reassembly, capture the traffic through Wireshark or another tool, then load the capture file into Wireshark and right-click on any packet in the connection.
Select the Follow TCP Stream option.
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Copyright © 2004 EC-Council. All rights reserved w orldwide.
Detecting Internet Relay Chat
Besides the policy implications of chat rooms, IRC is frequented by hackers and used as a ... IRC normally uses TCP port 6667.
If you set Wireshark to detect traffic with destination port 6667, you will see IRC traffic that looks like the following:
Local client to IRC server port 6667:  USER username localsystem.example.com irc.example.net :gaim
Remote IRC server to local client:     NOTICE AUTH :*** Looking up your hostname...
Local client to IRC server port 6667:  NICK clever-nick-name
Remote IRC server to local client:     NOTICE AUTH :*** Checking ident
                                       NOTICE AUTH :*** Found your hostname
Wireshark as a Detector for
If your company marks its confidential and proprietary information with a consistent phrase, there is no reason you cannot use Wireshark to detect the transmission of information.
You can use Wireshark to capture all outbound traffic on a span port and then use Wireshark’s Find Packet function.
Sniffer Detection
When the interface is placed into promiscuous mode, the PROMISC keyword appears in the attributes section, as shown in the example below:
Wireless Sniffing with Wireshark
Wireshark has sophisticated wireless protocol analysis support to help administrators troubleshoot wireless networks.
It can capture traffic “from the air” and decode it into a format that helps administrators track down issues that are causing poor performance, intermittent connectivity, and other common problems. You will need to purchase and install AirPcap to be able to sniff wireless traffic.
AirPcap
CACE Technologies have introduced a commercial product called AirPcap. It is a combination of a USB IEEE 802.11 b/g adapter, supporting driver software, and a client configuration utility.
It allows wireless packet capture on Windows workstations at a reasonable cost.
AirPcap is available at www.cacetech.com
AirPcap (cont’d)
If you want to analyze the traffic for a specific wireless AP or station, you must identify the channel or frequency used by the target device, and configure your wireless card to use the same channel before initiating your packet capture.
A wireless card can only operate on a single frequency at any given time.
If you want to capture traffic from multiple channels simultaneously, you would need an additional wireless card for every channel you wanted to monitor.
Frequency
Using Channel Hopping
How do you determine the channel number that the target device is operating on?
One technique is to use the channel hopping command to rapidly scan through all available wireless channels until the appropriate channel number is identified.
Channel hopping will cause you to lose traffic, because you are rapidly switching channels.
If your wireless card is configured to operate on channel 11 and you hop to another channel, you will not be able to “hear” any traffic that is occurring on channel 11 until you return as part of the channel-hopping pattern.
Interference and Collisions
Interference and collisions cause lost packets. Unlike an Ethernet network that can transmit and monitor the network simultaneously, wireless cards can only receive or transmit asynchronously.
Wireless networks must take special precautions to prevent multiple stations from transmitting at the same time.
While these collision-avoidance mechanisms work well, it is still possible to experience collisions between multiple transmitters on the same channel, or to experience collisions with wireless local area networks (LANs) and other devices using the same frequency (for example, cordless phones, baby monitors, ...).
Recommendations for Wireless Capture
Locate the capture station near the source:
• When initiating a packet capture, locate the capture station close to the source of the wireless activity you are interested in (i.e., an AP or a wireless station).
Disable other nearby transmitters:
• To achieve a more accurate packet capture, disable any built-in wireless transmitters on the capture station.
Reduce CPU utilization while capturing:
• If your host experiences excessive CPU utilization during a packet capture, you may experience packet loss in the wireless capture (e.g., it is not a good idea to burn a DVD while capturing wireless traffic).
Analyzing Wireless Traffic
IEEE 802.11 Header
Following the frame statistics data, Wireshark starts to dissect the protocol information for the selected packet.
The IEEE 802.11 header is fairly complex; unlike a standard Ethernet header, it is between 24 and 30 bytes (compared to the standard Ethernet header of 14 bytes), has three or four addresses (compared to Ethernet’s two addresses), and has many more fields to specify various pieces of information pertinent to wireless networks. Wireless frames can have additional protocols appended to the end of the IEEE 802.11 header, including encryption options, Quality of Service (QoS) options, and embedded protocol identifiers (IEEE 802.2 header), all before actually getting any data to represent the upper-layer Network layer protocols.
IEEE 802.11 Header Fields
Filters
Filter for a station MAC:
• With the packet capture open, apply a display filter to display only traffic from the client station using the wlan.sa display field name. Assuming the station MAC address is 00:09:5b:e8:c4:03, the display filter would be applied as:
• wlan.sa eq 00:09:5b:e8:c4:03
Filter on BSSID:
• wlan.bssid eq <BSSID MAC address>
Filter on SSID:
• We can apply a display filter to identify all packets that include the SSID “NOWIRE” as shown below:
• wlan_mgt.tag.interpretation eq "NOWIRE"
Filtering on Source MAC
Filtering on BSSID
Filter on SSID
Wireless Frame Types Filters
Unencrypted Data Traffic
It is often useful to identify wireless traffic that is unencrypted. This may be in an effort to identify misconfigured devices that could be disclosing sensitive information over the wireless network.
Most rogue devices are deployed without encryption.
Filters include:
• wlan.fc.protected ne 1 and wlan.fc.type eq 2
Identifying Hidden SSIDs
Normally, APs disclose their SSIDs to anyone who asks.
When an AP wants to obscure the SSID of the network, it does not respond when it receives a request for the network name, and it removes the SSID advertisement from beacon frames. Because it is mandatory to include some indicator of the network name (whether legitimate or not) in beacon frames, vendors have adopted different conventions for obscuring the SSID by replacing it with one or more space characters or NULL bytes (one or more 0s), or an SSID with a length of 0.
Filter:
In this example, we see that the BSSID of the network is 00:0b:86:c2:a4:89:
• wlan.bssid eq 00:0b:86:c2:a4:89 and wlan.fc.type_subtype eq 0
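An added example (not from the module) that decodes the frame-control bits behind wlan.fc.type_subtype and wlan.fc.protected, evaluates the unencrypted-data filter from the Unencrypted Data Traffic slide, and classifies a management frame's SSID tag as hidden using the three conventions listed above. The frames are constructed around the slide's BSSID; function names are mine.

```python
# Added example (not from the module): decode the IEEE 802.11 frame-control
# fields behind the wlan.fc.* display filters, and pull the SSID tag out of
# management frames to spot a hidden (cloaked) SSID the way the slide
# describes: zero length, all NUL bytes, or all spaces. All frames are
# constructed; the BSSID is the one from the slide.

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0, 4, 8
FC_PROTECTED = 0x40              # bit 6 of the second frame-control byte
TAG_SSID = 0
# Bytes of fixed parameters that precede the tagged parameters, per subtype.
FIXED_PARAMS_LEN = {SUBTYPE_ASSOC_REQ: 4, SUBTYPE_PROBE_REQ: 0, SUBTYPE_BEACON: 12}


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def frame_control(frame: bytes) -> dict:
    """wlan.fc.type, wlan.fc.subtype, wlan.fc.type_subtype, wlan.fc.protected, BSSID (addr3)."""
    b0, b1 = frame[0], frame[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    return {"type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype,   # the value the display filter compares
            "protected": 1 if b1 & FC_PROTECTED else 0,
            "bssid": ":".join(f"{x:02x}" for x in frame[16:22])}  # addr3 in management frames


def tagged_params(body: bytes) -> dict:
    """Parse (id, length, value) triples; a truncated tag is rejected, not guessed."""
    tags, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated tag header")
        tid, tlen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated tag body")
        tags[tid] = value
        pos += 2 + tlen
    return tags


def ssid_status(frame: bytes) -> tuple:
    """Return ('hidden', reason) or ('visible', ssid) for a management frame."""
    fc = frame_control(frame)
    if fc["type"] != TYPE_MGMT or fc["subtype"] not in FIXED_PARAMS_LEN:
        raise ValueError("not a beacon / probe request / association request")
    body = frame[24 + FIXED_PARAMS_LEN[fc["subtype"]]:]
    ssid = tagged_params(body).get(TAG_SSID)
    if ssid is None or len(ssid) == 0:
        return ("hidden", "zero-length SSID")
    if all(b == 0 for b in ssid):
        return ("hidden", f"{len(ssid)} NUL byte(s)")
    if all(b == 0x20 for b in ssid):
        return ("hidden", f"{len(ssid)} space(s)")
    return ("visible", ssid.decode("utf-8", "replace"))


def is_unencrypted_data(frame: bytes) -> bool:
    """wlan.fc.protected ne 1 and wlan.fc.type eq 2"""
    fc = frame_control(frame)
    return fc["protected"] != 1 and fc["type"] == TYPE_DATA


def mgmt_frame(subtype: int, src: str, bssid: str, fixed: bytes, tags: bytes) -> bytes:
    """24-byte management header (FC, duration, addr1-3, sequence) + body."""
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0])
    dst = bssid if subtype == SUBTYPE_ASSOC_REQ else "ff:ff:ff:ff:ff:ff"
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + fixed + tags


BSSID = "00:0b:86:c2:a4:89"
# Beacon with a cloaked SSID (length 0), followed by a supported-rates tag.
HIDDEN_BEACON = mgmt_frame(SUBTYPE_BEACON, BSSID, BSSID, b"\x00" * 12,
                           bytes([TAG_SSID, 0]) + bytes([1, 1, 0x82]))
# Association request from a station: the SSID travels in the clear here.
ASSOC_REQ = mgmt_frame(SUBTYPE_ASSOC_REQ, "00:09:5b:e8:c4:03", BSSID, b"\x00" * 4,
                       bytes([TAG_SSID, 6]) + b"NOWIRE")
# Data frame (ToDS set) with the Protected bit clear: matches the unencrypted-traffic filter.
OPEN_DATA = bytes([TYPE_DATA << 2, 0x01]) + b"\x00" * 22 + b"\xaa\xaa\x03"

if __name__ == "__main__":
    print(frame_control(HIDDEN_BEACON)["type_subtype"], ssid_status(HIDDEN_BEACON))
    print(frame_control(ASSOC_REQ)["type_subtype"], ssid_status(ASSOC_REQ))
    print("unencrypted data:", is_unencrypted_data(OPEN_DATA))
```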
Revealed SSID
Identifying EAP
Troubleshooting authentication problems on the wireless network can be challenging, and often requires a packet sniffer to determine if the failure is happening on the client or over the network.
Wireshark can assist in identifying EAP authentication failure messages.
Filter:
• eap.code eq 4
Identifying the EAP Type
Identifying Key
Some methods negotiate a Transport Layer Security (TLS) tunnel before exchanging authentication information, to protect weak authentication protocol data.
In order to establish the TLS tunnel, at least one digital certificate is transmitted from the AP to the station.
Filter:
• eap and ssl.handshake.type eq 11
EAP Identity Disclosure
Identifying WEP
WEP is the most prevalent encryption mechanism used to protect wireless networks.
It is also widely known as an insecure protocol.
WEP adds a 4-byte WEP header that follows the IEEE 802.11 header.
We can identify WEP traffic by identifying any frames that include the mandatory WEP Initialization Vector (IV).
Filter:
• wlan.wep.iv
Identifying TKIP and CCMP
TKIP is the successor to WEP, and is designed to be a software upgrade for hardware built only to support WEP. Because TKIP was designed to work on legacy WEP hardware, it retained the use of the same underlying encryption protocol, RC4. While RC4 is still considered safe for current use, it is no longer an acceptable encryption mechanism for use by U.S. government agencies. Another alternative is to use the CCMP protocol, which uses the Advanced Encryption Standard (AES) cipher. Like WEP, both TKIP and CCMP use an encryption protocol header that follows the IEEE 802.11 header. This header is modified from the legacy WEP header, allowing us to identify whether TKIP or CCMP is in use, but it does not allow us to differentiate TKIP from CCMP. We can only determine that one or the other is currently in use by looking at this header. We can use a display filter to identify this header by filtering on the extended IV field:
• wlan.tkip.extiv
• wlan.bssid eq 00:0f:66:e3:e4:03 and wlan.fc.type_subtype eq 8
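An added example (not from the module) that inspects the privacy header behind wlan.wep.iv and wlan.tkip.extiv on constructed data frames: a clear ExtIV bit means the 4-byte WEP header, a set one means the 8-byte TKIP/CCMP header, and, as the text says, the header alone cannot tell TKIP from CCMP. Function names are mine.

```python
# Added example (not from the module): classify the encryption header that
# follows the IEEE 802.11 header of a protected data frame. A WEP header is
# 4 bytes (3-byte IV + key-ID byte); TKIP and CCMP set the ExtIV bit in that
# key-ID byte and extend the header to 8 bytes, which is what wlan.tkip.extiv
# matches. The header alone cannot distinguish TKIP from CCMP. Frames below
# are constructed.

FC_PROTECTED = 0x40      # second frame-control byte
FC_TODS, FC_FROMDS = 0x01, 0x02
EXT_IV = 0x20            # bit 5 of the key-ID byte
TYPE_DATA = 2


def data_header_len(frame: bytes) -> int:
    """Length of the 802.11 MAC header for a data frame: 24 or 30 bytes, +2 for QoS."""
    b0, b1 = frame[0], frame[1]
    if (b0 >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    four_addr = (b1 & (FC_TODS | FC_FROMDS)) == (FC_TODS | FC_FROMDS)
    n = 30 if four_addr else 24
    if (b0 >> 4) & 0x8:           # QoS data subtypes (bit 3 of the subtype) add QoS Control
        n += 2
    return n


def classify_encryption(frame: bytes) -> dict:
    """Return the privacy header type and the IV / extended IV fields Wireshark would show."""
    if not frame[1] & FC_PROTECTED:
        return {"cipher": "none (protected bit clear)"}
    start = data_header_len(frame)
    hdr = frame[start:start + 8]
    if len(hdr) < 4:
        raise ValueError("frame too short for a privacy header")
    key_id = hdr[3] >> 6
    if hdr[3] & EXT_IV:
        if len(hdr) < 8:
            raise ValueError("ExtIV set but extended IV missing")
        # TKIP (TSC) and CCMP (PN) share this 8-byte layout; only byte 2 differs in meaning.
        return {"cipher": "TKIP or CCMP", "key_id": key_id,
                "iv": hdr[0:3].hex(), "extiv": hdr[4:8].hex()}
    return {"cipher": "WEP", "key_id": key_id, "iv": hdr[0:3].hex()}   # wlan.wep.iv


def data_frame(flags: int, subtype: int, privacy_header: bytes) -> bytes:
    """Protected data frame: 24-byte header (26 for QoS), privacy header, payload stub."""
    fc = bytes([(TYPE_DATA << 2) | (subtype << 4), FC_PROTECTED | flags])
    hdr = fc + b"\x00\x00" + b"\x00" * 18 + b"\x00\x00"   # duration, addr1-3, sequence
    if subtype & 0x8:
        hdr += b"\x00\x00"                                  # QoS Control
    return hdr + privacy_header + b"\xde\xad"


WEP_FRAME = data_frame(FC_TODS, 0, bytes([0x12, 0x34, 0x56, 0x40]))       # key id 1, ExtIV clear
TKIP_FRAME = data_frame(FC_FROMDS, 8, bytes([0x01, 0x21, 0x00, 0x20, 0, 0, 0, 1]))  # QoS, ExtIV set
OPEN_FRAME = bytes([TYPE_DATA << 2, FC_TODS]) + b"\x00" * 22 + b"\xaa\xaa\x03"

if __name__ == "__main__":
    for f in (WEP_FRAME, TKIP_FRAME, OPEN_FRAME):
        print(classify_encryption(f))
```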
Identifying TKIP or CCMP
Identifying IPsec/VPN
Some networks do not use the standard IEEE 802.11 encryption mechanisms, instead opting for an upper-layer encryption mechanism, such as IPsec.
Wireshark can identify this type of encryption mechanism by looking for the associated IPsec protocols, such as the Internet Security Association and Key Management Protocol (ISAKMP), the Encapsulating Security Payload (ESP), or the Authentication Header (AH) protocol.
To identify IPsec traffic, apply a display filter as follows:
• isakmp or ah or esp
Identifying IPsec/VPN
Decrypting Traffic
One of the challenges of wireless traffic analysis is the ability to inspect the contents of encrypted data frames. Wireshark offers some options to analyze WEP-encrypted data. When configured with the appropriate WEP key, Wireshark can automatically decrypt WEP-encrypted data and dissect the plaintext contents of these frames. In order for Wireshark to decrypt the contents of WEP-encrypted packets, it must be given the appropriate WEP key for the network. Wireshark does not assist you in breaking WEP keys or attacking the WEP protocol. It does not support decrypting TKIP or CCMP packets.
Decrypting Traffic (cont’d)
Scanning
Network scanning is used to identify available network resources.
Also known as discovery or enumeration, network scanning can be used to discover available hosts, ports, or resources on the network.
Once a vulnerable resource is detected, it can be exploited, and the device can be compromised.
Sometimes, an actual intruder is behind the scanning, and sometimes it is .
TCP Connect Scan
TCP connect scan is used to determine which ports are open and listening on a target device.
This type of scanning is the most basic because it completes the TCP three-way handshake with open ports and immediately closes them. An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed. If a SYN/ACK is received, it indicates that the port is open and listening.
The intruder will then respond with an ACK to complete the connection, followed by an RST/ACK to immediately close the connection.
TCP Connect Scan (cont’d)
TCP Connect Scan (cont’d)
The previous screenshot shows the attacker, 192.168.0.9, sending SYN packets to the target, 192.168.0.99. Most ports respond with an RST/ACK packet; however, the highlighted packets show the domain name system (DNS) port. You will also notice that the intruder’s source port increases by one for each attempted connection.
You can find these by using a filter such as tcp.flags.syn==1&&tcp.flags.ack==1 or tcp.flags==18 to view packets with the SYN and ACK flags set.
The filter will show multiple responses for each port because several scanning methods were used.
TCP Connect Scan (cont’d)
SYN Scan
It is also known as a half-open scan, because a full TCP connection is never completed. It is used to determine which ports are open and listening on a target device. An intruder sends a SYN packet and analyzes the response. If an RST/ACK is received, it indicates that the port is closed.
If a SYN/ACK is received, it indicates that the port is open and listening. The intruder will then follow with an RST to close the connection. SYN scans are known as stealth scans because few devices will notice or log them.
SYN Scan (cont’d)
SYN Scan (cont’d)
The previous figure shows that the attacker, 192.168.0.9, is sending SYN packets to the target, 192.168.0.99.
Most ports respond with an RST/ACK packet.
The highlighted packets show the SYN/ACK response and the subsequent RST exchange on the https port.
XMAS Scan
The XMAS scan determines which ports are open by sending packets with invalid flag settings to a target device.
It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than the SYN scan.
The XMAS scan sends packets with the Finish (FIN), Push (PSH), and Urgent (URG) flags set.
Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond. This type of scan will not work against systems running Microsoft Windows, Cisco IOS, BSDI, HP/UX, MVS, and IRIX. They will all respond with RST/ACK packets, even from open ports.
XMAS Scan (cont’d)
XMAS Scan (cont’d)
The previous figure shows that the attacker, 192.168.0.9, is sending packets to the target, 192.168.0.99, with the FIN, PSH, and URG flags set. Most ports respond with an RST/ACK packet; however, the highlighted packet for the sunrpc port never receives a response.
This lack of a response indicates that the port is open and has dropped the packet.
You will also notice that the intruder is using decoy addresses of 192.168.0.1, . . . , . . . You will also notice that the intruder is using somewhat static source ports, 35964
Null Scan
The null scan determines which ports are open by sending packets with invalid flag settings. It is considered a stealth scan because it may be able to bypass some firewalls and IDSes more easily than the SYN scan. The null scan sends packets with all flags turned off. Closed ports will respond with an RST/ACK, and open ports will drop the packet and not respond. This type of scan will not work against systems running Microsoft Windows, Cisco IOS, BSDI, HP/UX, MVS, and IRIX.
They will all respond with RST/ACK packets, even from open ports.
Null Scan (cont’d)
Null Scan (cont’d)
The previous figure shows that the attacker, 192.168.0.9, is sending packets to the target, 192.168.0.99, with all flags turned off, as indicated by the empty brackets [ ]. Most ports respond with an RST/ACK packet. The highlighted packet for the https port never receives a response, thereby indicating that the port is open and has dropped the packet.
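The four scan slides (TCP connect, SYN, XMAS and Null) each describe a probe/response rule an analyst applies by eye in the packet list. The Python below is an added example, not code from the EC-Council deck: it applies those rules to a list of packets shaped like Wireshark's tcp.flags field, shows why tcp.flags==18 is the same as tcp.flags.syn==1&&tcp.flags.ack==1, separates a connect scan from a half-open scan by the scanner's follow-up packet on an open port, marks XMAS and Null probes by their flag pattern, and flags a source that probes many ports. The packet sample is constructed; it reuses the slides' attacker (192.168.0.9) and target (192.168.0.99) addresses and the source port 35964 mentioned for the XMAS scan, but none of it is captured traffic.

```python
"""Label TCP port-scan probes in a packet list the way the scan slides describe.

Added example (not the deck's own code). The SAMPLE packets are constructed
to mirror the slides' scenarios; flag bit values match Wireshark's tcp.flags.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Bit values of the TCP flags byte as Wireshark's tcp.flags exposes them.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG   # 0x29 (41): the flag pattern of an XMAS probe


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def tcp_flags_value(*names: str) -> int:
    """Integer tcp.flags value for a set of flag names: ('SYN', 'ACK') -> 18."""
    table = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}
    return sum(table[n.upper()] for n in names)


def classify_probe(flags: int) -> Optional[str]:
    """Probe type implied by a scanner packet's flags, or None if it is not a probe."""
    return {SYN: "SYN", XMAS: "XMAS", 0: "NULL"}.get(flags)


def analyze_scan(packets: List[Packet], scanner: str, target: str
                 ) -> Dict[Tuple[int, int], Tuple[str, str]]:
    """Map (scanner port, target port) -> (scan kind, port state).

    scan kind: 'connect', 'SYN', 'XMAS' or 'NULL'. port state: 'open',
    'closed', 'filtered' (SYN probe unanswered) or 'open|filtered' (XMAS/Null
    probe unanswered, which both open and filtered ports do). A closed port
    answers SYN with RST/ACK whether the scan is connect or half-open, so only
    an open port reveals which of the two was used.
    """
    flows: Dict[Tuple[int, int], List[Packet]] = defaultdict(list)
    for p in packets:
        if p.src == scanner and p.dst == target:
            flows[(p.sport, p.dport)].append(p)
        elif p.src == target and p.dst == scanner:
            flows[(p.dport, p.sport)].append(p)
    results = {}
    for key, flow in flows.items():
        first = flow[0]
        probe = classify_probe(first.flags) if first.src == scanner else None
        if probe is None:
            continue
        replies = [p.flags for p in flow[1:] if p.src == target]
        follow_ups = [p.flags for p in flow[1:] if p.src == scanner]
        if probe == "SYN":
            if (SYN | ACK) in replies:
                # A connect scan completes the handshake with an ACK before the
                # RST/ACK teardown; a half-open scan answers with a bare RST.
                kind = "connect" if ACK in follow_ups else "SYN"
                state = "open"
            else:
                kind = "SYN"
                state = "closed" if (RST | ACK) in replies else "filtered"
        else:
            kind = probe
            state = "closed" if (RST | ACK) in replies else "open|filtered"
        results[key] = (kind, state)
    return results


def suspected_scanners(packets: List[Packet], min_ports: int = 5) -> Dict[str, int]:
    """Sources whose probe packets touched at least min_ports distinct target ports."""
    ports: Dict[str, set] = defaultdict(set)
    for p in packets:
        if classify_probe(p.flags) is not None:
            ports[p.src].add((p.dst, p.dport))
    return {src: len(s) for src, s in ports.items() if len(s) >= min_ports}


A, T = "192.168.0.9", "192.168.0.99"   # attacker and target addresses from the slides
SAMPLE = [  # constructed packet sequence, not a real capture
    Packet(A, 40001, T, 53, SYN), Packet(T, 53, A, 40001, SYN | ACK),
    Packet(A, 40001, T, 53, ACK), Packet(A, 40001, T, 53, RST | ACK),   # connect scan, open
    Packet(A, 40002, T, 443, SYN), Packet(T, 443, A, 40002, SYN | ACK),
    Packet(A, 40002, T, 443, RST),                                      # half-open scan, open
    Packet(A, 40003, T, 22, SYN), Packet(T, 22, A, 40003, RST | ACK),   # closed port
    Packet(A, 40004, T, 8080, SYN),                                     # no reply at all
    Packet(A, 35964, T, 111, XMAS),                                     # sunrpc, no reply
    Packet(A, 35964, T, 23, XMAS), Packet(T, 23, A, 35964, RST | ACK),  # XMAS, closed
    Packet(A, 35970, T, 80, 0),                                         # Null probe, no reply
    Packet(A, 35970, T, 25, 0), Packet(T, 25, A, 35970, RST | ACK),     # Null, closed
]

if __name__ == "__main__":
    for key, verdict in sorted(analyze_scan(SAMPLE, A, T).items()):
        print(key, verdict)
    print(suspected_scanners(SAMPLE))
```

To run it over a real capture, export the TCP packets from Wireshark as CSV with the tcp.flags column and build Packet records from the rows; the per-port verdicts then correspond to what the highlighted packets on each slide show.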
Remote Access Trojans
Trojans are malicious programs that are often disguised as other programs such as jokes, games, network utilities, and sometimes even the Trojan removal program itself.
Trojans are often used to distribute backdoor programs without the victims being aware that they are being installed.
Backdoors operate in a client-server architecture and allow the intruder to have complete control of a victim’s computer remotely over the network.
They give an intruder access to just about every function of the computer, including logging keystrokes, activating the webcam, logging passwords, and uploading and downloading files.
NetBus Analysis
The NetBus backdoor Trojan is also one of the older and more common Windows backdoors. Although it is easily detectable using antivirus software, many variations exist.
It runs over a TCP connection with default ports of 12345 and 12346.
NetBus Analysis (cont’d)
Trojan Analysis Example:
The previous figure shows that the intruder is running the client on 192.168.1.1, which is connected to the server on the victim’s computer at . . . . You will notice that the server is running on the default ports 12345 and 12346 and that data is being pushed between the client and server. The two separate source ports indicate two distinct TCP connections.
Wireshark DNP3 Dissector
Wireshark’s DNP3 dissector infinite loop vulnerability causes its process to enter into an infinite loop. With infinite looping, an attacker masks other types of attacks. Below is the loop that appears due to this vulnerability:
• for (temp = 0; temp < num_items; temp++) {
Time Stamps
A time stamp is the point in time at which a data packet is captured.
The Libpcap or WinPcap library provides time stamps to Wireshark.
Time stamps are recorded so that they can be analyzed later.
Wireshark internals:
• Wireshark deals with the time display format of the time stamps.
• The time display format can be adjusted by the user.
• Depending upon the requirement, Wireshark converts the time stamp to either the capture file format or Wireshark’s internal format.
Time Stamps: Wireshark
Time Stamps (cont’d)
Capturing file formats:
• Time stamps are supported by each and every capture file format.
• File formats store the time stamps with a given precision (e.g., nanoseconds or microseconds).
• Wireshark captures to a file format supporting microsecond resolution.
Accuracy:
• Wireshark displays time stamps that are generated by its other resources (Libpcap/WinPcap).
• Since time stamps are just displayed, the point of accuracy is critical.
Time Zones
Setting a computer’s time correctly:
• Set the time zone according to the current location.
• Set the computer’s clock according to the local time.
• Automatically adjust the time of the computer.
Packet Reassembling
A packet reassembling mechanism is implemented in Wireshark for finding, decoding, and displaying large chunks of data.
When the data is large, it is spread over multiple packets.
Checksums
A checksum or redundancy check is the process of checking the functionality of Wireshark. To ensure data integrity, checksums are used by the network protocols. Through checksum algorithms, simple errors can be detected. The algorithm applied for a particular network protocol depends on the error rate, . . . .
Packet loss and re-transmission:
• Transmitting the lost data packets again is called re-transmission.
• Re-transmission occurs when there is loss of a data packet or an acknowledgement packet.
Note: Ensure that there is no Ethernet duplex setting mismatch (this avoids packet loss and re-transmission).
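The checksum Wireshark validates in IPv4, TCP, UDP and ICMP headers is the ones-complement Internet checksum of RFC 1071. The Python below is an added example, not code from the EC-Council deck: it implements that checksum, builds a constructed IPv4 header with a correct checksum, verifies it the way a dissector does (a valid header sums to zero), and shows that a single corrupted byte makes verification fail, which is what a "bad checksum" indication in the packet details means. The addresses, identification field and corruption helper are constructed sample data.

```python
"""Internet checksum (RFC 1071), the integrity check carried by IPv4/TCP/UDP/ICMP.

Added example (not the deck's own code). Header field values and the
corruption helper are constructed for illustration.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit big-endian words, folded, then inverted."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """20-byte IPv4 header (no options) with the header checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # Version/IHL, DSCP/ECN, total length, identification, flags (DF) + fragment
    # offset, TTL, protocol, checksum placeholder, source, destination.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(hdr)            # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def ipv4_checksum_ok(hdr: bytes) -> bool:
    """A header whose checksum field is correct sums (checksum included) to zero."""
    ihl = (hdr[0] & 0x0F) * 4                # header length from the IHL nibble
    return internet_checksum(hdr[:ihl]) == 0


def corrupt_byte(data: bytes, offset: int, mask: int = 0x01) -> bytes:
    """Flip bits in one byte to simulate a transmission error (constructed)."""
    return data[:offset] + bytes([data[offset] ^ mask]) + data[offset + 1:]


if __name__ == "__main__":
    hdr = build_ipv4_header("192.168.0.9", "192.168.0.99", payload_len=20)
    print(hdr.hex(), ipv4_checksum_ok(hdr))
    print(ipv4_checksum_ok(corrupt_byte(hdr, 8)))   # TTL byte altered in transit
```

The same routine verifies TCP and UDP checksums once the IPv4 pseudo-header (source, destination, zero, protocol, length) is prepended to the segment; note that a checksum only detects errors, it does not repair them, which is why a failing check on the wire ends in the retransmission the slide describes.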
Summary
In this module, we reviewed the network protocol analyzer Wireshark and its features:
• IP display filters.
• Tshark.
• Tcpdump.
• Capinfos.
• Idl2wrs.
• Editcap.
• Mergecap.
• Text2pcap.
We have discussed the use of Wireshark in network troubleshooting. We have reviewed various scanning techniques.