Debugging applications with network security tools
Kevin Bong
Johnson Financial Group
Kevin's Background?
• Web Developer for Kalmbach Publishing (Astronomy, Model Railroader, Discover, etc.)
• Webmaster for Johnson Financial Group
• Transition to Info Sec
• SANS Hacker Techniques, exploits, and incident handling
Today's Agenda
• Network Traffic Analysis with Wireshark
• Intercepting traffic with WebScarab
• Fuzzing with WebScarab
• Replay attacks with Netcat
Wireshark
• Network Packet Capture
• Protocol Analyzer
• Open source – Download from wireshark.org
• Runs on most operating systems
Getting started with Wireshark
• Capture > Interfaces to select an interface
• Interface Options
• Capture filters use Berkeley Packet Filter syntax
• Promiscuous mode – capture all traffic seen at the interface, not just traffic destined for the capture host
Wireshark User Interface
• Packet List
– Packet Summary scrolls in real time
• Packet Details
– Expand different protocols and decode
• Packet Bytes
– Hex and ASCII
Network traffic refresher
• Encapsulation
• UDP – e.g. DNS traffic
• TCP
– TCP three way handshake
– TCP source and destination ports
Disney capture example
• DNS lookup
• Three way handshake
• HTTP Redirect
• Follow TCP Stream feature
• Find Packet feature
• Packet 1261 gzip
Wireshark Filters
• Capture filter syntax and display filter syntax are different
• Display filters understand many more protocols
• Wizard to help with display filter syntax
PCAP files and TCPDump/WinDump
• Saves in libpcap file format
• Pcap files from other tools are treated just like network captures
• TCPDump/WinDump command line utilities great for creating pcap files
– Windump -D
– Windump -i1 -s0 -w filename.cap
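To make the libpcap file layout and the encapsulation from the refresher slide concrete, here is an added Python example (not from the original slides) that walks a classic pcap file and peels Ethernet, IPv4 and the TCP/UDP ports out of each record. The sample capture is constructed inline; its MAC addresses, source port and payload are made up, and only Ethernet link type and IPv4 are handled.

```python
import socket
import struct

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/UDP frame to port 53, wrapped in a pcap file."""
    payload = b"\x12\x34" + b"\x00" * 10          # stand-in for a 12-byte DNS header
    udp = struct.pack("!HHHH", 53124, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.168.8.101"), socket.inet_aton("192.168.8.1"))
    eth = bytes.fromhex("020000000002" "020000000001" "0800")   # dst MAC, src MAC, IPv4
    frame = eth + ip + udp
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def decode_frame(frame):
    """Peel Ethernet -> IPv4 -> TCP/UDP and return the addressing fields."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {"note": "not IPv4 or truncated"}
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = frame[23]
    info = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": {6: "TCP", 17: "UDP"}.get(proto, str(proto))}
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:  # ports lead both TCP and UDP headers
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
    return info

def parse_pcap(data):
    """Walk a classic libpcap file and decode each captured frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                               # written on a big-endian host
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        packets.append(decode_frame(data[offset + 16: offset + 16 + incl_len]))
        offset += 16 + incl_len
    return packets

if __name__ == "__main__":
    for pkt in parse_pcap(build_sample_pcap()):
        print(pkt)
```

The record header's included length can be smaller than the original length when a snap length truncates packets, which is why the WinDump command above passes -s0.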
WinDump/TCPDump uses
• Log traffic during beta test
– Can log at client, server, or span port on switch
• Cut data out of large pcap files
– bigcap.pcap....74.208
Troubleshooting Examples
• DNS Query details
• Proxies
• Different response with different browsers
• Performance and statistics
– http://192.168.30.128/simpsons.php
Other Wireshark tips and tricks
• Services file
• TCP Checksum errors
• File > Print to save as human-readable text
• File > Export > Objects > HTTP
WebScarab
• .jar file - Download and run
• Proxy config
• Proxy Intercept – modify traffic in transit
• Fuzzer
Netcat
• Hacker's Swiss Army knife
• Listen on a port
– nc -l -p 5678
• Connect to a port
– nc 192.168.8.101 5678
• Can pretend to be an HTTP, SMTP, etc. client.
Poor Man's load test with netcat
1) Capture and save HTTP request of the page(s) you want to load test.
2) Write a batch file that saves the running time (and the output, if desired)
3) Run multiple instances
loadtest.bat:
echo %time% > results%1.txt
for /L %%i in (1,1,20) do nc 192.168.8.1 80 < getlog.txt > nul
echo %time% >> results%1.txt
From the command prompt:
for /L %j in (1,1,5) do start loadtest.bat %j
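The batch file discards every response, so it cannot tell a fast success from a fast error page. The following added Python example (not from the original slides) replays a saved request the same way but records each status line. It assumes a throwaway local server standing in for the application under test, and a constructed request in place of the saved getlog.txt.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the saved request file (getlog.txt on the slide).
SAVED_REQUEST = b"GET /simpsons.php HTTP/1.0\r\nHost: localhost\r\n\r\n"

class _Page(BaseHTTPRequestHandler):
    """Throwaway local server standing in for the application under test."""
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):      # keep the console quiet
        pass

def replay(host, port, request, count):
    """Send the saved bytes `count` times, as `nc host port < file` does; return status lines."""
    statuses = []
    for _ in range(count):
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(request)
            chunks = []
            while True:                # HTTP/1.0: server closes when the response is done
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        statuses.append(b"".join(chunks).split(b"\r\n", 1)[0].decode())
    return statuses

def load_test(instances=5, per_instance=20):
    """Run `instances` replay loops in parallel against the local server and time them."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Page)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    results = [[] for _ in range(instances)]
    def worker(i):
        results[i] = replay("127.0.0.1", port, SAVED_REQUEST, per_instance)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(instances)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    elapsed = time.perf_counter() - start
    server.shutdown()
    server.server_close()
    return [s for r in results for s in r], elapsed
```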