Network Security: Workshop

Academic year: 2021


(1) Network Security: Workshop

(2) Protocol Analyzer

- Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network.
- A protocol analyzer decodes, or dissects, the data packets of common protocols and displays the network traffic in human-readable format.
- It can be a standalone hardware device with specialized software, or simply software that you install on your desktop or laptop.

(3) WireShark: what is it good for

- Troubleshooting problems on the network
- Analyzing performance to discover bottlenecks
- Network intrusion detection
- Logging network traffic for forensics and evidence
- Analyzing the operations of applications
- Discovering a faulty network card
- Discovering the origin of a Denial of Service (DoS) attack
- Detecting spyware
- Detecting a compromised computer
- Validating compliance with company policy

(4) WireShark: what is not so good about it

- Capturing clear-text usernames and passwords
- Compromising proprietary information
- Capturing and replaying Voice over IP telephone conversations
- Mapping a network

(5)

(6) Ethernet historic assumptions

- All computers on the local network segment share the same cable (broadcast).
- Each packet has a header, which is like an envelope containing the addresses of both the destination and source machine.

(7) Ethernet historic assumptions

- All of the other computers on the network segment see each packet, but if they are not the intended receiver they will disregard and discard it, unless a computer is running a sniffer.
- Promiscuous mode: the NIC captures all of the traffic on the segment regardless of who it is being sent to.

(8) Ethernet Today

- Most Ethernet networks today do not share a bus.
- Each computer in the network gets its own intended packets (and broadcasts).



(9) So who's who?

- Each network component has a unique Media Access Control (MAC) address.
- The MAC is the individual identifier of each component.
- MACs are (supposed) to be hard coded.
- 48 bits: a 12-digit hexadecimal number.
- The first 24 bits identify the vendor.
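As an added example (not part of the workshop slides), the following Python splits the Ethernet "envelope" described above into its destination and source MAC addresses and EtherType, renders each 48-bit address as 12 hex digits, and pulls out the 24-bit vendor prefix (OUI). The frame bytes are constructed; the source address sits in the documentation range under IANA's 00:00:5e OUI, and the destination is the broadcast address, so it also shows the receive decision a NIC makes when it is not in promiscuous mode.

```python
"""Parse the 14-byte Ethernet II header of a constructed frame.

Added example for the 'envelope' and MAC-address slides; not part of the
workshop material. The frame below is constructed for this example.
"""
import struct

ETH_HEADER_LEN = 14
# Well-known EtherType values (IEEE registry), used only to label the output.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Constructed frame: broadcast destination, documentation-range source, ARP EtherType.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"   # destination MAC: ff:ff:ff:ff:ff:ff (broadcast)
    "00005e005301"   # source MAC: 00:00:5e:00:53:01 (IANA OUI, documentation range)
    "0806"           # EtherType: ARP
    "deadbeef"       # payload stub (constructed, not a real ARP body)
)


def mac_to_str(raw: bytes) -> str:
    """Render a 48-bit MAC (6 bytes) as 12 hex digits in colon notation."""
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 48 bits (6 bytes)")
    return ":".join(f"{b:02x}" for b in raw)


def mac_properties(raw: bytes) -> dict:
    """Vendor OUI (first 24 bits) plus the two flag bits in the first octet."""
    first = raw[0]
    return {
        "oui": mac_to_str(raw)[:8],                  # e.g. '00:00:5e', the vendor prefix
        "multicast": bool(first & 0x01),             # I/G bit: group address (multicast/broadcast)
        "locally_administered": bool(first & 0x02),  # U/L bit: not the burned-in vendor address
        "broadcast": raw == b"\xff" * 6,
    }


def parse_ethernet_header(frame: bytes) -> dict:
    """Split the 'envelope': destination, source and EtherType; the payload follows."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
        "payload": frame[ETH_HEADER_LEN:],
        "src_info": mac_properties(src),
        "dst_info": mac_properties(dst),
    }


def is_for_me(frame: bytes, my_mac: str) -> bool:
    """The non-promiscuous NIC rule: keep own unicast and group traffic, discard the rest."""
    hdr = parse_ethernet_header(frame)
    return hdr["dst"] == my_mac.lower() or hdr["dst_info"]["multicast"]


if __name__ == "__main__":
    h = parse_ethernet_header(SAMPLE_FRAME)
    print(f"{h['src']} -> {h['dst']} {h['ethertype_name']} (0x{h['ethertype']:04x}), "
          f"{len(h['payload'])} payload bytes, source OUI {h['src_info']['oui']}")
```

The same header parse is what a sniffer does for every frame it sees in promiscuous mode; `is_for_me` is the filter a normal NIC applies before the operating system ever gets the packet.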

(10) A little hardware

- Hub: blindly forwards the information to all other computers connected to it.
  - This creates one large broadcast (collision) domain.
  - Creates performance issues and makes sniffing very easy.
- Switch: looks at the packet header to locate the destination MAC address.
  - Maintains a list of all MAC addresses.
  - It can forward packets to specific ports.
  - This narrows the collision (or broadcast) domain.



(11) Let's not forget

- Port mirroring/spanning
- To mirror ports, you need to configure the switch to duplicate the traffic from a port you want to monitor to another port you are connected to with your sniffer.



(12) Let's get down to business

Wireshark down and dirty

(13) WireShark, FKA Ethereal

- GNU General Public License (GPL)
- It works in promiscuous and non-promiscuous modes
- Captures data from network or file
- Displays data in ASCII/hex/C array
- Multi-platform
- Supports hundreds of protocols

(14) Capture and display filters

- The capture filter syntax follows the same syntax that tcpdump uses from the libpcap library.
- Display filters provide a powerful syntax to sort through traffic that is already captured.

(15) Capture and display filters

Comparison operators:
- Eq  ==
- Ne  !=
- Gt  >
- Lt  <
- Ge  >=
- Le  <=

Logical operators:
- And  &&
- Or   ||
- Xor  ^^
- Not  !

Byte slices:
- [i:j]  i = start_offset, j = length
- [i-j]  i = start_offset, j = end_offset, inclusive
- [i]    i = start_offset, length = 1
- [:j]   start_offset = 0, length = j
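The slice forms above are easy to confuse: in [i:j] the second number is a length, in [i-j] it is an inclusive end offset. As an added example, not part of the workshop and not Wireshark's own code, the Python below re-implements that slice syntax and the comparison operators over a constructed eth.src value, so a filter such as eth.src[0:3] == 00:00:5e can be checked by hand. It also accepts [i:], which Wireshark allows but the slide does not list.

```python
"""Wireshark display-filter byte slices and comparison operators, re-implemented.

Added example for the 'Capture and display filters' slides; not Wireshark code.
Covers the four slice forms on the slide ([i:j], [i-j], [i], [:j]) plus [i:],
and the six comparison operators in symbolic and mnemonic spelling.
"""
import operator
import re

# Constructed field value: the six bytes of an eth.src address.
ETH_SRC = bytes.fromhex("00005e005301")

_SLICE_RE = re.compile(r"^\[(\d*)(?:([:\-])(\d*))?\]$")

OPERATORS = {
    "==": operator.eq, "eq": operator.eq,
    "!=": operator.ne, "ne": operator.ne,
    ">":  operator.gt, "gt": operator.gt,
    "<":  operator.lt, "lt": operator.lt,
    ">=": operator.ge, "ge": operator.ge,
    "<=": operator.le, "le": operator.le,
}


def wireshark_slice(value: bytes, spec: str) -> bytes:
    """Return the bytes selected by a slice expression such as '[0:3]' or '[2-4]'."""
    m = _SLICE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"not a slice expression: {spec!r}")
    start, sep, second = m.groups()
    if sep is None:                          # [i]   one byte at offset i
        if start == "":
            raise ValueError("empty slice")
        i = int(start)
        return value[i:i + 1]
    i = int(start) if start else 0           # [:j]  start_offset defaults to 0
    if sep == ":":
        if second == "":                     # [i:]  from i to the end of the field
            return value[i:]
        return value[i:i + int(second)]      # [i:j] j is a length
    if second == "":
        raise ValueError("[i-j] needs an end offset")
    return value[i:int(second) + 1]          # [i-j] j is an inclusive end offset


def parse_byte_literal(text: str) -> bytes:
    """Parse a byte-string literal such as '00:00:5e' ('-' and '.' separators also accepted)."""
    return bytes.fromhex(re.sub(r"[:\-.]", "", text))


_EXPR_RE = re.compile(
    r"^\s*[\w.]+(\[[^\]]*\])\s*(==|!=|>=|<=|>|<|eq|ne|gt|lt|ge|le)\s*(\S+)\s*$"
)


def evaluate(field_value: bytes, expression: str) -> bool:
    """Evaluate 'field[slice] OP literal', e.g. 'eth.src[0:3] == 00:00:5e', against one field value."""
    m = _EXPR_RE.match(expression)
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    spec, op, literal = m.groups()
    # Python compares bytes lexicographically, which matches Wireshark's byte-sequence ordering.
    return OPERATORS[op](wireshark_slice(field_value, spec), parse_byte_literal(literal))


if __name__ == "__main__":
    for expr in ("eth.src[0:3] == 00:00:5e", "eth.src[3-5] eq 00:53:01", "eth.src[5] != 01"):
        print(f"{expr:32} -> {evaluate(ETH_SRC, expr)}")
```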

(16)

(17) Filter Bar

- The Filter bar allows you to enter a filter string restricting which packets are displayed in the Summary Window.
- To apply a filter, you have to enter the desired string into the Filter: text field and press Enter (or click the Apply button).
- Filter strings are case-sensitive.
- Previously used filters can be easily recalled using the drop-down.

(18) Summary Window Columns

- No.: Frame number within the capture.
- Time: The time from the beginning of the capture to the time when the packet was captured (in seconds).
- Source: Highest-level source address. This will frequently be the IP (Internet Protocol) source address, but may also be the Media Access Control (MAC) address for layer 2 (L2) Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, etc.).
- Destination: Highest-level destination address. This will frequently be the IP destination address, but may also be the MAC address for L2 Ethernet protocols, or other address types for other protocols (IPX, AppleTalk, etc.).
- Protocol: Typically the highest-level protocol decoded. Examples include user-level protocols such as HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP).
- Info: This field contains information that was determined by the highest-level decode to be useful or informative as part of a summary for this packet.

(19) Protocol tree window

- For each protocol there is a tree node summarizing the protocol, which can be expanded to provide the values in that protocol's fields.
- The Protocol tree window allows you to examine the tree created by Wireshark from decoding a packet.

(20)

(21) Data view window

- Each row begins with a four-digit number representing the number of bytes the first octet in that row is offset from the beginning of the packet.
- An octet is eight bits, or one byte, or two hexadecimal (also known as hex) digits.
- The offset is then followed by sixteen two-character hexadecimal bytes.
- The last item in each row is a series of sixteen ASCII characters representing the same 16 bytes from the packet. Not all bytes are conveniently displayable in ASCII. For those bytes a period (.) is substituted as a placeholder.

(22) Figure annotation: bytes (in hex) between the first octet in the row and the packet beginning.
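As an added example (not Wireshark's own code), this Python reproduces the data view layout described above: a four-digit hex offset, sixteen two-character hex bytes, then the same sixteen bytes as ASCII with a period standing in for anything not printable. The packet is constructed (an Ethernet header followed by a fragment of HTTP text), and a helper maps a pane position back to the packet offset the figure annotation refers to.

```python
"""Render a packet the way Wireshark's data view (bytes pane) does.

Added example for the 'Data view window' slide; not Wireshark code.
The sample packet is constructed for this example.
"""
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
BYTES_PER_ROW = 16

# Constructed packet: an Ethernet header followed by some HTTP-looking text.
SAMPLE_PACKET = (
    bytes.fromhex("ffffffffffff00005e0053010806")
    + b"GET / HTTP/1.1\r\nHost: example\r\n"
)


def ascii_column(chunk: bytes) -> str:
    """Printable bytes as themselves, everything else (control bytes, >0x7e) as a period."""
    return "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)


def hexdump_rows(data: bytes) -> list:
    """One row per 16 bytes: offset, hex bytes, ASCII. The hex column is padded so columns align."""
    rows = []
    for offset in range(0, len(data), BYTES_PER_ROW):
        chunk = data[offset:offset + BYTES_PER_ROW]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(BYTES_PER_ROW * 3 - 1)
        rows.append(f"{offset:04x}  {hex_part}  {ascii_column(chunk)}")
    return rows


def byte_at_display_position(data: bytes, row: int, column: int) -> int:
    """Map a (row, column) in the pane back to the packet offset, i.e. row offset + column."""
    offset = row * BYTES_PER_ROW + column
    if offset >= len(data):
        raise IndexError("position is past the end of the packet")
    return offset


if __name__ == "__main__":
    print("\n".join(hexdump_rows(SAMPLE_PACKET)))
```

Note that 0x5e in the source MAC shows up as '^' in the ASCII column: the pane renders any printable byte, whether or not it was meant as text, which is why the hex column is the one to trust when reading header fields.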

(23) We sniffed, captured, and now what?

Statistics, Statistics, Statistics

(24) Statistics

- Summary: show information about the data captured.
- Protocol hierarchy: display a hierarchical tree of protocol statistics.
- Conversations: display a list of conversations (traffic between two endpoints).
- Endpoints: display a list of endpoints (traffic to/from an address).
- IO graph: display user-specified graphs (e.g. the number of packets in the course of time).

(25) Statistics

- Conversation List: display a list of conversations.
- Endpoint List: display a list of endpoints.
- Service Response Time: display the time between a request and the corresponding response.
  - ANSI, BOOTP-DHCP, ...

(26) Summary

(27) Protocol Hierarchy

(28) Conversation

- A network conversation is the traffic between two specific endpoints.
- For example, an IP conversation is all the traffic between two IP addresses.

(29) Endpoint

- For each supported protocol, a tab is shown in this window.
- The tab labels show the number of endpoints captured.
- If no endpoints of a specific protocol were captured, the tab label will be grayed out.
- Each row in the list shows the statistical values for exactly one endpoint.

(30) IO graph

- User-configurable graph of the captured network packets.
- You can define up to five differently colored graphs.
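As an added example that is not part of the workshop, the Python below computes the figures behind the Conversation, Endpoint and IO graph windows described on the preceding Statistics slides from a constructed list of decoded IPv4 packets. A conversation is keyed by the address pair regardless of direction, an endpoint counts every packet once as sender or receiver, and the IO graph series is the packet count per time interval; working these out by hand is the quickest way to sanity-check what the windows display.

```python
"""Wireshark-style Conversation, Endpoint and IO-graph statistics.

Added example for the Statistics, Conversation, Endpoint and IO graph
slides; not Wireshark code. Input is a constructed list of
(time, src, dst, length) records standing in for decoded IPv4 packets:
time in seconds since the start of the capture, length the frame size.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed capture: two clients talking to one server, plus one stray flow.
SAMPLE_PACKETS = [
    (0.000, "192.0.2.10", "198.51.100.5", 74),    # client A -> server
    (0.021, "198.51.100.5", "192.0.2.10", 74),    # server -> client A
    (0.040, "192.0.2.10", "198.51.100.5", 1514),
    (0.041, "192.0.2.10", "198.51.100.5", 1514),
    (1.250, "198.51.100.5", "192.0.2.10", 66),
    (1.900, "192.0.2.11", "198.51.100.5", 60),    # client B -> server
    (2.300, "192.0.2.10", "203.0.113.9", 90),     # client A -> a third host
]


@dataclass
class Counter:
    packets: int = 0
    bytes: int = 0

    def add(self, length: int) -> None:
        self.packets += 1
        self.bytes += length


@dataclass
class Conversation:
    """Traffic between two endpoints, split by direction (A is the numerically lower address)."""
    a_to_b: Counter = field(default_factory=Counter)
    b_to_a: Counter = field(default_factory=Counter)

    @property
    def packets(self) -> int:
        return self.a_to_b.packets + self.b_to_a.packets

    @property
    def bytes(self) -> int:
        return self.a_to_b.bytes + self.b_to_a.bytes


@dataclass
class Endpoint:
    """Traffic sent (tx) and received (rx) by one address."""
    tx: Counter = field(default_factory=Counter)
    rx: Counter = field(default_factory=Counter)

    @property
    def packets(self) -> int:
        return self.tx.packets + self.rx.packets

    @property
    def bytes(self) -> int:
        return self.tx.bytes + self.rx.bytes


def conversations(packets) -> dict:
    """Key each conversation by the address pair in numeric order so both directions share one row."""
    table = defaultdict(Conversation)
    for _time, src, dst, length in packets:
        a, b = sorted((src, dst), key=ipaddress.ip_address)
        conv = table[(a, b)]
        (conv.a_to_b if src == a else conv.b_to_a).add(length)
    return dict(table)


def endpoints(packets) -> dict:
    """Every packet counts once as tx for its source and once as rx for its destination."""
    table = defaultdict(Endpoint)
    for _time, src, dst, length in packets:
        table[src].tx.add(length)
        table[dst].rx.add(length)
    return dict(table)


def top_talkers(packets, n: int) -> list:
    """Endpoints ordered by total bytes: the usual first look at a capture."""
    ranked = sorted(endpoints(packets).items(), key=lambda kv: kv[1].bytes, reverse=True)
    return [(addr, ep.bytes) for addr, ep in ranked[:n]]


def io_graph(packets, interval: float) -> list:
    """Packets per time interval: the series one IO graph line is drawn from."""
    if not packets:
        return []
    last = max(t for t, *_ in packets)
    buckets = [0] * (int(last // interval) + 1)
    for t, *_ in packets:
        buckets[int(t // interval)] += 1
    return buckets


if __name__ == "__main__":
    for (a, b), conv in conversations(SAMPLE_PACKETS).items():
        print(f"{a} <-> {b}: {conv.packets} packets, {conv.bytes} bytes "
              f"({conv.a_to_b.packets} A->B, {conv.b_to_a.packets} B->A)")
    print("top talkers:", top_talkers(SAMPLE_PACKETS, 2))
    print("packets per second:", io_graph(SAMPLE_PACKETS, 1.0))
```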

(31) What now? Homework

- Download the dump files
- Follow the instructions
- Explain what is in each dump
