6/19/18

1

Issue Date:

Revision:

Wireshark

1

25-29 June 2018PacNOG 22, Honiara, Solomon IslandsSupported by:

Why we need to capture packet & how it’s related to security?

6/19/18

2

tcpdump Definition

tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed to the screen or they can be saved to a file for later analysis. tcpdump utilizes the libpcap library for packet capturing.

tcpdump command example

# tcpdump –nni eth0

# tcpdump –nni eth0 host 10.10.10.10

# tcpdump –nni eth0 dst host 10.10.10.10 and proto tcp

# tcpdump –nni eth0 src net 10.10.10.0/24 and port tcpand portrange 1-1024

-nn = don’t use DNS to resolve IPs and display port no-i = interface to watchdst = watch only traffic destined to a net, host or portsrc = watch only traffic whose src is a net, host or portnet = specifies networkhost = specifies hostport = specifies a portproto = protocol ie tcp or udp

6/19/18

3

tcpdump command example

# tcpdump –nni eth0 –s0

# tcpdump –nni eth0 not port 22 –s0 –c 1000

# tcpdump –nni eth0 not port 22 and dst host 10.10.10.10 and not src net 10.20.30.0/24

-s0 = setting samples length to 0 means use the required length to catch whole packet-c = no to packets

tcpdump pcaps

# tcpdump –nni eth0 -w capture.pcap –vv –c 1000

# tcpdump –nni eth0 –r capture.pcap and port 80

-w capture.pcap = save capture packet to capture.pcap–vv = display number of packet captured-r caputre.pcap = read capture file-c = no to packets

6/19/18

4

tcpdump Output

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 53:106, ack 1, win 67, options [nop,nop,TS val854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack106, win 4092, options [nop,nop,TS val 376934736 ecr854797891], length 0

IP 199.59.148.139.443 > 192.168.1.8.54343: Flags [P.], seq 106:159, ack 1, win 67, options [nop,nop,TS val854797891 ecr 376933204], length 53

IP 192.168.1.8.54343 > 199.59.148.139.443: Flags [.], ack159, win 4091, options [nop,nop,TS val 376934736 ecr854797891], length 0

What is Wireshark?

• Wireshark is a network packet/protocol analyzer. – A netw ork packet analyzer w ill try to capture netw ork packets and

tries to d isp lay that packet data as deta iled as possib le .

• Wireshark is perhaps one of the best open source packet analyzers available today for UNIX and Windows.

6/19/18

5

About Wireshark

• Formerly known as “Ethereal”– Author, G era ld C om bs quit N etw ork In tegration Services– Free

• Requirement– N eed to insta ll w inpcap– Latest w ireshark insta ller conta ins w inpcap, don’t w orry

– (O n W indow s Vista) N eed Adm in istra tor P riv ilege to capture

• GUI– D ram atica lly im proved

Why Wireshark

• network administrators use it to troubleshoot network problems

• network security engineers use it to examine security problems

• developers use it to debug protocol implementations• people use it to learn network protocol internals

• Wireshark isn't an intrusion detection system.• Wireshark will not manipulate things on the network, it will

only "measure" things from it.

6/19/18

6

How to Install

• Very straight forward• Just double-click and follow the instructions.

• https://www.wireshark.org/download.html

Capture

6/19/18

7

DashboardMenu

Filter

Capture Data

Raw Data

Filters

• Capture filter– C apture Traffic that m atch capture filter ru le– save d isk space

– prevent packet loss

• Display filter• Tweak appearance

6/19/18

8

Apply Filters

• ip .addr == 10.0.0.1 [Sets a filte r for any packet w ith 10.0.0 .1 , as e ither the source or dest]

• ip .addr==10.0.0.1 && ip .addr==10.0.0.2 [sets a conversation filte r betw een the tw o defined IP addresses]

• h ttp or dns [sets a filte r to d isp lay a ll h ttp and dns]

• tcp.port==4000 [sets a filte r for any TC P packet w ith 4000 as a source or dest port]

• tcp.flags.reset==1 [d isp lays a ll TC P resets]

• h ttp .request [d isp lays a ll H TTP G ET requests]• tcp conta ins rv iew s [d isp lays a ll TC P packets that conta in the w ord

‘rv iew s’. Excellent w hen search ing on a specific string or user ID ]

• !(arp or icm p or dns) [m asks out arp, icm p, dns, or w hatever o ther protoco ls m ay be background no ise. A llow ing you to focus on the tra ffic o f in terest]

Follow TCP Stream

6/19/18

9

Follow TCP Stream

• Build TC P S tream

– Select TCP Packet -> Follow TCP Stream

Use “Statistics”

• What protocol is used in your network– Statistics -> P rotoco l H ierarchy

6/19/18

10

Use “Statistics”

• Which host most chatty– Statistics -> C onversations

Need CLI?

• If you stick to character based interface, try tshark.exe• C:\program files\wireshark\tshark.exe

6/19/18

11

Tcpdump & Wireshark

• tcpdump -i <interface> -s 65535 -w <some-file>

Exercise

• Install Wireshark into your PC• Run wireshark and Capture inbound/outbound traffic• Download capture files from

– Follow the instructor's gu ide.

6/19/18

12

Exercise 1: Good Old Telnet

• File– te lnet.pcap

• Question– R econstruct the te lnet session.

• Q1: Who logged into 192.168.0.1– U sernam e __________, Passw ord __________ .

• Q2: After logged in what did the user do?– Tip

– te lnet tra ffic is not secure

Exercise 2: Massive TCP SYN

• File– m assivesyn1.pcap and m assivesyn2.pcap

• Question– Point the d ifference w ith them .

• Q1: massivesyn1.pcap is a _________ attempt.• Q2: massivesyn2.pcap is a _________ attempt.• Tip

– Pay attention to S rc IP

6/19/18

13

Exercise 3: Chatty Employees

• File– chat.dm p

• Question• Q1: What kind protocol is used? _______• Q2: This is conversation between _____@hotmail.com and

______@hotmail.com• Q3: What do they say about you(sysadmin)?

• Tip– Your chat can be m onitored by netw ork adm in.

Exercise 4: Suspicious FTP activity

• File– ftp1.pcap

• Question– Q 1: 10.121.70.151 is FTP ______ .

– Q 2: 10.234.125.254 is FTP ______ .– Q 3: FTP E rr C ode 530 m eans __________ .

– Q 4: 10.234.125.254 attem pt ________.

• Tip– H ow m any log in error occur w ith in a m inute?

6/19/18

14

Exercise 5: Unidentified Traffic

• File– Foobar.pcap

• Question– Q 1: see w hat’s go ing on w ith w ireshark gui

• Statistics -> Conversation List -> TCP (*)

– Q 2: W hich application use TC P/6346? C heck the w eb.

Exercise 6: Covert channel

• File– covertin fo .pcap

• Question– Take a c loser look! Th is is not a typ ica l IC M P Echo/R eply…

– Q 1: W hat k ind of too l do they use? C heck the w eb.– Q 2: N am e other application w hich tunneling user tra ffic .

6/19/18

15

Exercise 7: SIP

• File– sip_chat.pcap

• Questions:– Q 1: C an w e lis ten to S IP vo ice?

– Q 2: H ow !!

Virustotal

• https://www.virustotal.com/• Checking virus

30This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.

6/19/18

16

LAB

32

6/19/18

17

Defense and Mitigation – Community

• You can’t do it all alone!

33

Defense and Mitigation – Community

• … and luckily, there is a great community providing services/tools, such as– Security @ APN IC https://w w w.apnic.net/security

– Passive D N S by cert.a t– Panopticon Shared P roxy by c irc l.lu et a l.

– openresolverpro ject.com / w w w.openresolver.n l– n6 R eports by cert.p l

– C AP R eports by Team C ym ru– phishtank.com , spam cop.net

– C ontacts contacts contacts– … and m any m ore – w hat e lse do you know / o ffer?

34

6/19/18

18

Issue Date:

Revision:

www.facebook.com/APNIC

www.twitter.com/apnic

www.youtube.com/apnicmultimedia

www.flickr.com/apnic

www.weibo.com/APNICrir

3636

Thank You!END OF SESSION