Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions March 16, 2022 DRAFT 1 Chapter 6: Protocol Analysis and Network Programming


Lecture Materials for the John Wiley & Sons book:

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 18, 2023 DRAFT 1

Chapter 6: Protocol Analysis and Network Programming

Networking Theory and Practice

•Open Systems Interconnection (OSI) defines the standard protocol stack

–Out of the 7 layers, only 4 are used in practice:

•Physical (Layer 1)

•Data Link (Layer 2)

•Network (Layer 3)

•Transport (Layer 4)

–The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3.


Frequently Encountered Network Protocols

•IEEE 802.3 Ethernet protocol L2

•IEEE 802.11 wireless protocols (commercially known as Wi-Fi) L2

•Address Resolution Protocol (ARP) L2

•IP Version 4 (IPv4) L3

•IP Version 6 (IPv6) L3

•Internet Control Message Protocol (ICMP) L3

•User Datagram Protocol (UDP) L4

•Transmission Control Protocol (TCP) L4


Network Protocol Analysis

•Network protocol analysis can be performed automatically by Wireshark

–Manual protocol analysis is outdated

•Each frame (L2) or packet (L3) has a header and a payload

–L3 header/payload are attached before and after L2 header/payload, i.e. encapsulate

–L4 headers/payload are attached before and after L3 header/payload


Address Resolution Protocol (ARP) and Layer 2 Analysis


ARP Frame


Internet Protocol (IP) Analysis


Internet Control Message Protocol (ICMP)


User Datagram Protocol (UDP) Analysis


Transmission Control Protocol (TCP) Analysis
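The encapsulation described under Network Protocol Analysis, and the ARP, IP, ICMP, UDP and TCP header analysis the slides above cover, as an added example that is not part of the book's materials: a small decoder that peels the L2 header, then the L3 header it carries, then the L4 header, and validates the IPv4 header checksum on the way. The two sample frames are constructed for the demo, not captured traffic.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip4(b): return ".".join(str(x) for x in b)

def ipv4_checksum_ok(hdr: bytes) -> bool:
    """One's-complement sum of the header's 16-bit words must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Peel the L2 (Ethernet) header, then the L3 header it carries, then L4."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}}
    payload = frame[14:]
    if ethertype == 0x0806:                       # ARP rides directly on L2
        _ht, _pt, _hl, _pl, op = struct.unpack("!HHBBH", payload[:8])
        out["arp"] = {"op": {1: "request", 2: "reply"}.get(op, op),
                      "sender": (_mac(payload[8:14]), _ip4(payload[14:18])),
                      "target": (_mac(payload[18:24]), _ip4(payload[24:28]))}
    elif ethertype == 0x0800:                     # IPv4 packet inside the frame
        vihl, _tos, tot_len, _id, _ff, ttl, proto, _cs, s, d = struct.unpack("!BBHHHBBH4s4s", payload[:20])
        ihl = (vihl & 0x0F) * 4                   # header length in bytes
        out["l3"] = {"src": _ip4(s), "dst": _ip4(d), "ttl": ttl, "proto": proto,
                     "checksum_ok": ipv4_checksum_ok(payload[:ihl])}
        seg = payload[ihl:tot_len]                # the L4 segment is the L3 payload
        if proto == 17:                           # UDP: fixed 8-byte header
            sport, dport, ulen, _ucs = struct.unpack("!HHHH", seg[:8])
            out["l4"] = {"proto": "UDP", "sport": sport, "dport": dport, "data": seg[8:ulen]}
        elif proto == 6:                          # TCP: data offset in the top 4 bits of word 7
            sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
            out["l4"] = {"proto": "TCP", "sport": sport, "dport": dport,
                         "flags": off_flags & 0x1FF, "data": seg[(off_flags >> 12) * 4:]}
        elif proto == 1:                          # ICMP: type and code lead the header
            out["l4"] = {"proto": "ICMP", "type": seg[0], "code": seg[1]}
    return out

# Constructed sample frames (not captured traffic): an ARP request, then UDP over IPv4.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff 020000000001 0806"              # Ethernet: broadcast dst, src MAC, EtherType ARP
    "0001 0800 06 04 0001"                        # HTYPE Ethernet, PTYPE IPv4, HLEN 6, PLEN 4, op=request
    "020000000001 0a0a6401"                       # sender MAC / IP 10.10.100.1
    "000000000000 0a0a6464")                      # target MAC unknown / IP 10.10.100.100
UDP_FRAME = bytes.fromhex(
    "0a0b0c0d0e0f 020000000001 0800"              # Ethernet: EtherType IPv4
    "4500 001e 0001 4000 40 11 5e55 0a0a6401 0a0a6464"  # IPv4: 20-byte hdr, len 30, TTL 64, proto 17
    "c000 0035 000a 0000"                         # UDP: sport 49152, dport 53, len 10, checksum 0
    "6869")                                       # payload "hi"
```

A frame whose IPv4 checksum does not verify is the first thing to flag when analysing a capture by hand, since it means the header bytes were altered or mis-parsed.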


Network Programming: Bash

•Bash is an available command line shell for Linux and Unix systems

–It is selected in the /etc/passwd file

•In network programming we are able to execute network commands in a script at the command line or from a script file

•During penetration tests, we frequently encounter raw shells (that do not even support backspace) where we can only submit one command line at a time

–Use network programming to build security tools such as ping scans and banner grabbers (i.e. when services self-identify)

•Network programming remains a rare but very useful skill among security pros


Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes

•Sorting reverse numerical

–# sort /tmp/alertIPs | uniq -c | sort -nr

•Append to file including standard error

–mount error >> log.txt 2>&1

•Command sequence

–# echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~


Linux/Unix Bash for Basic Network Programming

•Ping an IP; returns ICMP response

–# ping -c1 -w2 10.10.100.100

•To ping an address range, i.e. a scan

–# for i in `echo {1..254}`; do ping -c1 -w2 10.10.100.$i; done


Linux/Unix Bash Network Sweep: Packaging a Script

•Package the ping sweep in a script file with Ctrl-C abort:

–#!/bin/bash
–trap bashtrap INT
–bashtrap() { echo "Bashtrap Punt!"; exit; }
–for i in `echo {1..254}`; do ping -c1 -w2 10.10.100.$i; done

•Use $1, $2, $3, … for command line arguments

•Use an if statement for conditionality, e.g.

–if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi


Linux/Unix Bash Network Scanning using While

•Read host numbers (the last octet) from a hosts file:

–#!/bin/bash
–trap bashtrap INT
–bashtrap() { echo "Bashtrap Punt!"; exit; }
–if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
–while read n; do echo -e "\nSCANNING $network.$n"; nmap -O -sV --top-ports 9 --reason $network.$n; done < hosts


Bash Banner Grabbing

#!/bin/bash
trap t INT
function t { echo -e "\nExiting!"; exit; }
if [ $# -eq 0 ]; then network="192.168.1"; else network=$1; fi
# outer loop: one host number (last octet) per line of hosts; inner loop: one port per line of ports
while read host; do
  echo -e "\nTESTING $network.$host PORTS..."
  while read port; do
    echo -n " $port"; echo "" | nc -n -v -w1 $network.$host $port
  done < ports
done < hosts


Windows Command Line Scripting

•In Windows Command Line the concepts are very similar to Bash

•Use .bat suffix for script (batch) files

•Batch file arguments are %1, %2, %3, …

•Script file (loop) variables use the %% prefix

•for /L to iterate through numbers (i.e. counting)

•for /F to iterate through a set or file

–Works like a while loop in Bash


Windows Command Line : Standard IO, Pipes, and Sequences

•Example standard IO and pipes

–C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt

•Command sequence (&), conditional (&&)

–C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del


Windows Command Line: Network Programming using For /L

•Ping sweep

–set network=%1
–for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "bytes=" > /nul && echo Host at %network%.%%h


Windows Command Line: Password Attack using For /F

set ipaddr=%1
set usertarget=%2
for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2> /nul && echo PASS=%%p & net use \\%ipaddr% /del


Python Scripting

•There are various categories of programming languages from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)

–Categories vary by the number of lines needed to implement a capability; the typical multiplier is 8

–Lower-level languages provide more detailed access and faster execution

–Python’s advantage is that it is highly portable and has an extensive function library


Python Programming for Accelerated Network Scanning

#!/usr/bin/env python3
import os
import time
from threading import Thread

start = time.ctime()
print(start)
scan = "ping -c1 -w1 "
max_host = 65                 # scan hosts .1 through .64

class threadclass(Thread):
    def __init__(self, ip):
        Thread.__init__(self)
        self.ip = ip
        self.status = -1

    def run(self):
        # each thread runs one ping and keeps its output
        result = os.popen(scan + self.ip, "r")
        self.status = result.read()

threadlist = []
for host in range(1, max_host):
    ip = "192.168.85." + str(host)
    current = threadclass(ip)
    threadlist.append(current)
    current.start()           # all pings run concurrently

for t in threadlist:
    t.join()                  # wait for each ping, then report it
    print("Status from", t.ip, "is", repr(t.status))

print(start)
print(time.ctime())


Threaded scanning is about 60X faster than serial scans
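An added example, not code from the book: the same threading idea applied to the banner grabbing from the Bash slides, using a thread pool and a per-connection timeout so a silent or filtered port cannot stall the sweep. The listener on 127.0.0.1 and its banner are constructed stand-ins for a self-identifying service, so the script runs offline.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def grab_banner(host: str, port: int, timeout: float = 1.0) -> dict:
    """Connect to one host:port, read what the service volunteers, record the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""                      # open port, but the service stays silent
            return {"host": host, "port": port, "open": True, "banner": banner}
    except OSError as e:                         # refused, unreachable, or connect timeout
        return {"host": host, "port": port, "open": False, "banner": "", "error": type(e).__name__}

def sweep(targets, workers: int = 32) -> list:
    """Probe (host, port) pairs concurrently; results come back in target order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda hp: grab_banner(*hp), targets))

def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a self-identifying service on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)             # identify, then close
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port() -> int:
    """A port nothing is listening on, so the sweep also exercises the closed-port path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-ConstructedBanner\r\n")
    for r in sweep([("127.0.0.1", open_port), ("127.0.0.1", free_port())]):
        print(r)
```

The results are returned as records rather than printed, which is what you want when the sweep feeds an asset inventory or a check for services that should not be exposing a banner at all.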

REVIEW Chapter Summary
