SLIDE 1

Network “sniffing” — packet capture and analysis

October 2, 2020

Administrative – submittal instructions

  • answer the lab assignment’s questions in written report form, as a text, PDF, or Word document file (no obscure formats please)
  • deadline is the start of your lab session the following week
  • reports not accepted (zero for the lab) if late
  • submit via D2L

SLIDE 2

Administrative – script files reminder

re-download the script files' zip to obtain the new vmconfigure scripts for this "sniffing" exercise

Lab calendar – adjusted for midterm

  • no earlier lab due exam week – packet sniffing is due 10/16 instead
  • no lab lecture exam week – I’m going fishing, will return on 10/16
SLIDE 3

Packet sniffer

A tool that captures, interprets, and stores network packets for analysis

also known as
  – network sniffer
  – network monitor
  – packet capture utility
  – protocol analyzer

is intimately “network-y”

Sniffing in security context – an introductory counterpoint

conventional wisdom
  – “hacking” is emblematic of popular security news
  – and is all about the outside menace
  – popular conclusion: “security is about networks”

reality
  – the outside is there
  – but don’t forget the inside too!! does “security” vanish when the net cable is unplugged?

SLIDE 4

Half of security unrelated to nets

purely local dimensions
  – physical security
  – BIOS/bootloader security
  – boot process security (TPM, MS Secure Boot)
  – filesystem permissions
  – execution jails
  – encrypted filesystems
  – application vulnerabilities
  – etc

network aspects
  – packet sniffing
  – remote backup and logging
  – port scanning
  – tunnels

Wireshark – product background

principal author Gerald Combs
  – his 2019 Sharkfest keynote: https://sharkfestus.wireshark.org/sf19

open source

equivalent Linux, Windows, Apple versions

SLIDE 5

Related software

pcap – the underlying library
  – pcap captures the packets
  – Wireshark displays them (graphically)

tcpdump – rides on pcap like Wireshark
  – displays what pcap captures (character mode)
  – very widespread

others
  – tshark, character mode version in Wireshark’s stable
  – Network Monitor – Microsoft
  – snoop – Sun Microsystems
  – ettercap
  – snort

Other software used in the lab

echo protocol – longstanding early diagnostic protocol
netcat
telnet
ssh

SLIDE 6

netcat – product background

a “general purpose” client and server

there’s more than one (hobbit’s, GNU’s)
  – different authors
  – different features
  – different syntax

cryptcat
  – adds filestream en/de-cryption

for you to generate something to send a server in this exercise

Ordinary client and server programs

each contain 2 halves (figure): a client program and its matching server program are each a network application made of an application logic half and a network operation/access half

SLIDE 7

Two copies of netcat

network (figure): the network mechanism that clients and servers use, stand-alone and generic, with no application logic

Marry them to (non-network) applications (figure): an application’s local stdout feeds one netcat’s stdin, which carries it across the network to the other netcat, whose local stdout feeds a matching application’s stdin

SLIDE 8

ssh – secure shell

creates an encrypted network conversation for you to compare with an unencrypted one (using telnet instead) in this exercise, by capturing both

Foundation concept: frames

are what Wireshark is for capturing
a.k.a. packets, datagrams, segments, protocol data units
they come in nested groups

SLIDE 9

Nesting / successive enveloping

Russian lacquer dolls (figure)

How data gets enveloped

Packets (figure)

SLIDE 10

Packets have detailed structure

Wireshark knows the structures for ~3000 protocols and turns a byte dump into an intelligible decode, in the details pane

SLIDE 11

Wireshark interface components

packet list pane, packet details pane, packet bytes pane (figure: packet 6’s details, packet 6’s bytes)

Stack correlation

physical, data link, network, transport, application (figure) – the packet list shows the highest-layer protocol that each packet contains
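The enveloping of slide 9, the decode of slide 10 and the “highest-layer protocol” of slide 11, as an added example that is not code from the slides or from Wireshark: envelope_* functions build a frame the way a sending stack does, dissect() peels the envelopes back off into a nested decode like the details pane, and highest_layer() gives what the packet list’s Protocol column would say. The sample frames, addresses and function names are all constructed for illustration; only Ethernet II, IPv4, UDP, TCP, ICMP and the DNS header are decoded, and checksums are left at zero because the frames never touch a wire.

```python
"""Successive enveloping and its reverse: a toy dissector.

Added example, not from the slides or from Wireshark. Anything it does not
understand is left as undecoded "Data", which (as in Wireshark) does not
count as a protocol for the Protocol column.
"""
import struct

SRC_MAC, DST_MAC = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")
SRC_IP, DST_IP = bytes([200, 2, 2, 2]), bytes([200, 2, 2, 1])   # constructed


def envelope_ipv4(proto, payload):
    """Wrap a transport segment in an IPv4 header, then in an Ethernet II frame."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0xABCD,
                       0x4000, 64, proto, 0, SRC_IP, DST_IP)
    return DST_MAC + SRC_MAC + b"\x08\x00" + ipv4 + payload


def envelope_dns_query(qname="example.com"):
    """Constructed sample: a DNS A query inside UDP inside IPv4 inside Ethernet."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 54321, 53, 8 + len(dns), 0) + dns
    return envelope_ipv4(17, udp)


def envelope_telnet(data=b"login: "):
    """Constructed sample: a PSH,ACK TCP segment to port 23 carrying some data."""
    tcp = struct.pack("!HHIIHHHH", 40000, 23, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0)
    return envelope_ipv4(6, tcp + data)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def dissect(frame):
    """Return [(layer, fields), ...] outermost first, like the details pane."""
    etype = int.from_bytes(frame[12:14], "big")
    layers = [("Ethernet", {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]),
                            "type": f"0x{etype:04x}"})]
    body = frame[14:]
    if etype != 0x0800:                          # only IPv4 is decoded here
        layers.append(("Data", {"len": len(body)}))
        return layers
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", body[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers.append(("IPv4", {"src": _ip(src), "dst": _ip(dst), "len": total,
                            "ttl": ttl, "proto": proto}))
    seg = body[ihl:total]                        # IP total length bounds the payload
    if proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", seg[:8])
        layers.append(("UDP", {"sport": sport, "dport": dport, "len": ulen}))
        app = seg[8:]
        if 53 in (sport, dport) and len(app) >= 12:
            txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", app[:12])
            layers.append(("DNS", {"id": f"0x{txid:04x}", "response": bool(flags & 0x8000),
                                   "questions": qd, "answers": an}))
        elif app:
            layers.append(("Data", {"len": len(app)}))
    elif proto == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
        layers.append(("TCP", {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                               "flags": f"0x{off_flags & 0x1FF:03x}"}))
        app = seg[(off_flags >> 12) * 4:]        # data offset is in 32-bit words
        if app:
            layers.append(("Data", {"len": len(app)}))
    elif proto == 1:
        layers.append(("ICMP", {"type": seg[0], "code": seg[1]}))
    else:
        layers.append(("Data", {"len": len(seg)}))
    return layers


def highest_layer(frame):
    """What the packet list's Protocol column would say for this frame."""
    return [name for name, _ in dissect(frame) if name != "Data"][-1]
```

Each layer's header is exactly what the layer below treats as opaque payload; that is why the IPv4 total length and the TCP data offset have to be consulted before the next envelope can be found, and why a dissector that trusts those fields blindly on hostile input needs bounds checks (here the slicing simply yields short buffers).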

SLIDE 12

Wireshark taps interfaces

the probe takes its measurement “where it is”
  – sees whatever is at the interface (e.g. NIC)
  – sees nothing else
  – does not see “what’s on the network”
  – limits its value on a host connected to a switch (versus a hub)

(cartoon) “It’s 70° in L.A.” “No, it’s 70° right here”

SLIDE 13

(cartoon) “There’s a port scan on the network” “No, there’s a port scan right here” (Wireshark)

Two what-to-capture restrictions

involuntary: can’t capture what doesn’t appear on the interface in the first place

voluntary: packet filter expressions

SLIDE 14

Packet filter expressions using address primitives

  host 200.2.2.1
  src host 200.2.2.2
  dst host 200.2.2.2
  'ip[16]>=224'
  'ip[2:2]>512'
  'ether[0]&1=1'

Packet filter expressions using protocol primitives

  ip
  tcp
  udp
  icmp
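The slide’s expressions re-implemented as byte tests on raw frames, as an added example (not from the slides, tcpdump or Wireshark), so that the offsets in 'ip[16]>=224' and friends can be read off rather than memorised: tcpdump compiles these same expressions into BPF, while this just evaluates them in Python over constructed sample frames. The frame builder, function names and sample addresses are invented for illustration; the display-filter spellings in the comments are the ones I would use for the same selection in Wireshark (field names vary somewhat between Wireshark versions).

```python
"""The slide's capture-filter primitives as explicit byte tests.

Added example, not code from tcpdump or Wireshark. Offsets follow tcpdump's
proto[offset:size] convention: ether[...] counts from the start of the
frame, ip[...] from the start of the IPv4 header.
"""
import struct
from ipaddress import IPv4Address

ETH_LEN = 14          # Ethernet II header length; ip[...] offsets start after it
IPV4 = b"\x08\x00"    # EtherType for IPv4, at frame bytes 12-13


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, payload_len):
    """Constructed Ethernet II + IPv4 frame with a zero-filled payload."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + IPV4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip_hdr + bytes(payload_len)


def ether(frame, off, size=1):
    """tcpdump's ether[off:size]."""
    return int.from_bytes(frame[off:off + size], "big")


def is_ip(frame):
    return frame[12:14] == IPV4


def ip(frame, off, size=1):
    """tcpdump's ip[off:size] (only meaningful when is_ip(frame))."""
    return int.from_bytes(frame[ETH_LEN + off:ETH_LEN + off + size], "big")


def host(addr):       # source or destination address matches
    packed = IPv4Address(addr).packed
    return lambda f: is_ip(f) and packed in (f[26:30], f[30:34])


def src_host(addr):   # ip[12:4] is the source address
    packed = IPv4Address(addr).packed
    return lambda f: is_ip(f) and f[26:30] == packed


def dst_host(addr):   # ip[16:4] is the destination address
    packed = IPv4Address(addr).packed
    return lambda f: is_ip(f) and f[30:34] == packed


FILTERS = {
    "host 200.2.2.1":     host("200.2.2.1"),                   # display: ip.addr == 200.2.2.1
    "src host 200.2.2.2": src_host("200.2.2.2"),               # display: ip.src == 200.2.2.2
    "dst host 200.2.2.2": dst_host("200.2.2.2"),               # display: ip.dst == 200.2.2.2
    # ip[16] is the first byte of the destination address; 224 and up is
    # class D (multicast) or class E.                          # display: ip.dst >= 224.0.0.0
    "ip[16]>=224":  lambda f: is_ip(f) and ip(f, 16) >= 224,
    # ip[2:2] is the 16-bit Total Length field.                # display: ip.len > 512
    "ip[2:2]>512":  lambda f: is_ip(f) and ip(f, 2, 2) > 512,
    # ether[0] is the first byte of the destination MAC; bit 0 is the
    # individual/group bit, set for multicast and broadcast.   # display: eth.dst.ig == 1
    "ether[0]&1=1": lambda f: ether(f, 0) & 1 == 1,
    "ip":   is_ip,
    "tcp":  lambda f: is_ip(f) and ip(f, 9) == 6,      # ip[9] is the Protocol field
    "udp":  lambda f: is_ip(f) and ip(f, 9) == 17,
    "icmp": lambda f: is_ip(f) and ip(f, 9) == 1,
}


def evaluate(frame, *terms):
    """Boolean composition: terms are joined with 'and'; prefix a term with
    'not ' to negate it ('or' is just the union of two evaluate() results)."""
    ok = True
    for term in terms:
        negate = term.startswith("not ")
        result = FILTERS[term[4:] if negate else term](frame)
        ok = ok and (not result if negate else result)
    return ok


def matching(frames, *terms):
    """Indexes of the frames that satisfy all the given terms."""
    return [i for i, f in enumerate(frames) if evaluate(f, *terms)]


SAMPLE_FRAMES = [   # constructed; see the tests for which filters each one hits
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "200.2.2.2", "200.2.2.1", 17, 10),
    build_frame("01:00:5e:00:00:fb", "66:77:88:99:aa:bb", "200.2.2.1", "224.0.0.251", 17, 40),
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "200.2.2.2", "200.2.2.255", 6, 600),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "200.2.2.1", "200.2.2.2", 1, 56),
]
```

Two things worth noticing from the offsets: the address primitives are just sugar for the same byte comparisons as the bracketed forms, and none of the ip[...] tests are safe on a non-IPv4 frame, which is why each one is guarded with is_ip(), exactly as tcpdump guards them by checking the EtherType first.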

SLIDE 15

Booleans

  and
  or
  not

2 different filters, 2 different syntaxes

capture filters (during capture)
  – share the same syntax that tcpdump uses

display filters (after the fact)
  – Wireshark’s own syntax
  – can auto-generate a filter expression from a model packet (“give me the expression for a packet like this one”)

SLIDE 16

(figure) enter capture filter here before capturing; enter display filter here while displaying

These syntaxes are semantically the same: for example, the capture filter host 200.2.2.1 and tcp port 23 and the display filter ip.addr == 200.2.2.1 && tcp.port == 23 select the same packets

Wireshark SSL decrypt feature (given key!)

(figure) with key / without key

…but where do we get the key?
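One answer to the slide’s question, as an added example that is not from the slides or from Wireshark’s own code: a server’s RSA private key only helps when the session used RSA key exchange, and with ephemeral Diffie-Hellman or TLS 1.3 it gives a sniffer nothing, so the practical route is to have an endpoint you control write its session secrets to a key log file (the NSS SSLKEYLOGFILE format that Firefox, Chrome, curl and others can produce) and point Wireshark at it. Each line of that file maps the 32-byte random from a session’s ClientHello to a secret, and the code below does the same join Wireshark does: pull the random out of a ClientHello and look it up. The ClientHello and key log here are constructed; the hex secrets are filler, not real keys, and the function names are invented.

```python
"""Where Wireshark's TLS decryption gets its key: the key log file.

Added example, not Wireshark's own code. A key log line looks like
    CLIENT_RANDOM <64 hex chars: ClientHello random> <hex secret>
(TLS 1.3 writes several labels instead of CLIENT_RANDOM, e.g.
CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET_0).
"""


def client_random(record):
    """Return the 32-byte random from a TLS ClientHello record, or None.

    Layout: 5-byte record header (type 0x16 = handshake, version, length),
    4-byte handshake header (type 0x01 = ClientHello, 24-bit length),
    2-byte client version, then the random.
    """
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def parse_keylog(text):
    """Parse key log text into {label: {client_random: secret}}.

    Blank and '#' comment lines are ignored; so are lines that do not have
    exactly three fields, rather than letting one bad line abort the load.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, rnd, secret = parts
        table.setdefault(label, {})[bytes.fromhex(rnd)] = bytes.fromhex(secret)
    return table


def secrets_for(record, keylog):
    """Secrets usable for the session this ClientHello starts, or {} when the
    key log has nothing for it (the "without key" case: ciphertext only)."""
    rnd = client_random(record)
    if rnd is None:
        return {}
    return {label: m[rnd] for label, m in keylog.items() if rnd in m}


def make_client_hello(random32):
    """Constructed minimal ClientHello record wrapping the given random:
    one cipher suite, null compression, no extensions."""
    body = (b"\x03\x03" + random32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01"                     # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                             # compression_methods: null
            + b"\x00\x00")                            # extensions: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLE_RANDOM = bytes(range(32))                      # constructed
SAMPLE_KEYLOG = (
    "# constructed key log; hex values are filler, not real secrets\n"
    "CLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48 + "\n"
    "CLIENT_RANDOM " + "11" * 32 + " " + "cd" * 48 + "\n"
)
```

To produce a real key log, run the client with the environment variable set (for example SSLKEYLOGFILE=keys.log before starting Firefox or curl), then give the file to Wireshark under Preferences, Protocols, TLS, “(Pre)-Master-Secret log filename”, or on the command line with tshark -o tls.keylog_file:keys.log -r capture.pcapng. The key log is as sensitive as the sessions it unlocks: treat it like a private key and delete it when the analysis is done.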

SLIDE 17

If you want to see network traffic besides your own

make sure the NIC is in promiscuous mode

operate in a network with a hub, not a switch
  – not your choice if you’re not the net admin

use a switch with a management/spanning port that receives all traffic

capture there, analyze here
  – sniff by remote command-line access on computers elsewhere in the network with e.g. tcpdump or tshark, save the capture to a file, transfer it to local Wireshark for analysis
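“Capture there, analyze here” means the capture travels as a file, so as an added example (not from the slides, libpcap or Wireshark) here is a minimal writer and reader for the classic libpcap file format that tcpdump -w produces and Wireshark opens. The single sample frame (a bare ARP request) and its timestamp are constructed; on a real sensor the frames come from tcpdump or tshark, not from code like this. Function names are invented.

```python
"""Minimal classic-pcap writer and reader.

Added example, not libpcap/Wireshark code. File layout: a 24-byte global
header, then for each packet a 16-byte record header (seconds, microseconds,
captured length, original length) followed by the captured bytes.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-resolution pcap; byte order of this
                            # value tells a reader which endianness to use
LINKTYPE_ETHERNET = 1


def pcap_bytes(frames, snaplen=65535):
    """Serialize (timestamp_seconds, frame_bytes) pairs as a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]          # snaplen truncates; orig_len keeps the real size
        out.append(struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured)
    return b"".join(out)


def write_pcap(path, frames, snaplen=65535):
    """Write frames to a file Wireshark can open."""
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames, snaplen))


def read_pcap(data):
    """Parse pcap bytes into (linktype, [(timestamp, frame, original_len), ...]),
    honoring whichever byte order the magic number says the file was written in."""
    magic = data[:4]
    if magic == struct.pack("<I", PCAP_MAGIC):
        end = "<"
    elif magic == struct.pack(">I", PCAP_MAGIC):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    _, _, _, _, _, _, linktype = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record (capture interrupted?)")
        records.append((sec + usec / 1_000_000, data[off:off + incl], orig))
        off += incl
    return linktype, records


SAMPLE_FRAMES = [   # constructed: one broadcast ARP request, 42 bytes, made-up timestamp
    (1601654400.000123, bytes.fromhex(
        "ffffffffffff" "001122334455" "0806"              # Ethernet: dst, src, type ARP
        "0001" "0800" "06" "04" "0001"                    # ARP: Ethernet/IPv4, request
        "001122334455" "c8020202" "000000000000" "c8020201")),
]
```

The usual way to get such a file off a remote host in one step is to have tcpdump write to stdout and let ssh carry it: ssh user@sensor 'tcpdump -i eth0 -U -s 0 -w - not port 22' > remote.pcap, then open remote.pcap locally. The not port 22 keeps the ssh session that is carrying the capture out of the capture, otherwise each captured packet generates more ssh traffic to capture. Newer tcpdump and tshark default to writing pcapng, which this reader deliberately rejects rather than misparsing; ask for the classic format explicitly (tshark -F pcap) or extend the reader.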

info

http://www.wireshark.org/
http://wiki.wireshark.org/

“Packet Sniffing In a Switched Environment”
https://www.sans.org/reading-room/whitepapers/networkdevs/packet-sniffing-switched-environment-244

“SSL/TLS: What's Under the Hood”
https://www.sans.org/reading-room/whitepapers/authentication/paper/34297