Debugging applications with network security tools

Kevin Bong

Johnson Financial Group

2

Kevin's Background?

• Web Developer for Kalmbach Publishing (Astronomy, Model Railroader, Discover, etc.)

• Webmaster for Johnson Financial Group

• Transition to Info Sec

• SANS Hacker Techniques, exploits, and incident handling

Today's Agenda

• Network Traffic Analysis with Wireshark

• Intercepting traffic with WebScarab

• Fuzzing with WebScarab

• Replay attacks with Netcat

Wireshark

• Network Packet Capture

• Protocol Analyzer

• Open source – Download from wireshark.org

• Runs on most operating systems

Getting started with wireshark

• Capture..Interfaces to select an interface

• Interface Options

• Capture filters use Berkeley Packet Filter syntax

• Promiscuous mode – capture all traffic at the interface, not just destined for the capture host

Wireshark User Interface

• Packet List

– Packet Summary scrolls in real time

• Packet Details

– Expand different protocols and decode

• Packet Bytes

– Hex and ASCII

Network traffic refresher

• Encapsulation

• UDP – e.g. DNS traffic

• TCP

– TCP three way handshake

– TCP source and destination ports

Disney capture example

• DNS lookup

• Three way handshake

• HTTP Redirect

• Follow TCP Stream feature

• Find Packet feature

• Packet 1261 gzip

Wireshark Filters

• Capture Filter syntax and display filter syntax is different

• Display filter understands lots more protocols

• Wizard to help with display filter syntax

PCAP files and TCPDump/WinDump

• Saves in libpcap file format

• Pcap files from other tools are treated just like network captures

• TCPDump/WinDump command line utilities great for creating pcap files

– Windump -D

– Windump -i1 -s0 -w filename.cap

Windump/TCP Dump uses

• Log traffic during beta test

– Can log at client, server, or span port on switch

• Cut data out of large pcap files

– bigcap.pcap....74.208

Troubleshooting Examples

• DNS Query details

• Proxies

• Different response with different browsers

• Performance and statistics

– http://192.168.30.128/simpsons.php

Other wireshark tips and tricks

• Services file

• TCP Checksum errors

• File...print to save as human readable text

• File...export...objects...http

Webscarab

• .jar file - Download and run

• Proxy config

• Proxy Intercept – modify traffic in transit

• Fuzzer

Netcat

• Hacker's swiss army knife

• Listen on a port

– nc -l -p 5678

• Connect to a port

– nc 192.168.8.101 5678

• Can pretend to be an HTTP, SMTP, etc. client.

Poor Man's load test with netcat

1) Capture and save HTTP request of the page(s) you want to load test.

2) Batch file to save running time, output if desired

3) Run multiple instances

echo %time% > results%1.txtfor /L %%i in (1,1,20) do nc 192.168.8.1 80 < getlog.txt > nulecho %time% >> results%1.txt

for /L %j in (1,1,5) do start loadtest.bat %i