debugging applications with network security tools
DESCRIPTION
TRANSCRIPT
Debugging applications with network security tools
Kevin Bong
Johnson Financial Group
2
Kevin's Background?
• Web Developer for Kalmbach Publishing (Astronomy, Model Railroader, Discover, etc.)
• Webmaster for Johnson Financial Group
• Transition to Info Sec
• SANS Hacker Techniques, exploits, and incident handling
Today's Agenda
• Network Traffic Analysis with Wireshark
• Intercepting traffic with WebScarab
• Fuzzing with WebScarab
• Replay attacks with Netcat
Wireshark
• Network Packet Capture
• Protocol Analyzer
• Open source – Download from wireshark.org
• Runs on most operating systems
Getting started with wireshark
• Capture..Interfaces to select an interface
• Interface Options
• Capture filters use Berkeley Packet Filter syntax
• Promiscuous mode – capture all traffic at the interface, not just destined for the capture host
Wireshark User Interface
• Packet List
– Packet Summary scrolls in real time
• Packet Details
– Expand different protocols and decode
• Packet Bytes
– Hex and ASCII
Network traffic refresher
• Encapsulation
• UDP – e.g. DNS traffic
• TCP
– TCP three way handshake
– TCP source and destination ports
Disney capture example
• DNS lookup
• Three way handshake
• HTTP Redirect
• Follow TCP Stream feature
• Find Packet feature
• Packet 1261 gzip
Wireshark Filters
• Capture Filter syntax and display filter syntax is different
• Display filter understands lots more protocols
• Wizard to help with display filter syntax
PCAP files and TCPDump/WinDump
• Saves in libpcap file format
• Pcap files from other tools are treated just like network captures
• TCPDump/WinDump command line utilities great for creating pcap files
– Windump -D
– Windump -i1 -s0 -w filename.cap
Windump/TCP Dump uses
• Log traffic during beta test
– Can log at client, server, or span port on switch
• Cut data out of large pcap files
– bigcap.pcap....74.208
Troubleshooting Examples
• DNS Query details
• Proxies
• Different response with different browsers
• Performance and statistics
– http://192.168.30.128/simpsons.php
Other wireshark tips and tricks
• Services file
• TCP Checksum errors
• File...print to save as human readable text
• File...export...objects...http
Webscarab
• .jar file - Download and run
• Proxy config
• Proxy Intercept – modify traffic in transit
• Fuzzer
Netcat
• Hacker's swiss army knife
• Listen on a port
– nc -l -p 5678
• Connect to a port
– nc 192.168.8.101 5678
• Can pretend to be an HTTP, SMTP, etc. client.
Poor Man's load test with netcat
1) Capture and save HTTP request of the page(s) you want to load test.
2) Batch file to save running time, output if desired
3) Run multiple instances
echo %time% > results%1.txtfor /L %%i in (1,1,20) do nc 192.168.8.1 80 < getlog.txt > nulecho %time% >> results%1.txt
for /L %j in (1,1,5) do start loadtest.bat %i