Network “sniffing”: packet capture and analysis (PDF slide deck)


  1. Network “sniffing” — packet capture and analysis
     October 2, 2020

     Administrative – submittal instructions
     - answer the lab assignment’s questions in written report form, as a text, PDF, or Word document file (no obscure formats please)
     - deadline is the start of your lab session the following week
     - reports not accepted (zero for lab) if late
     - submit via D2L

  2. Administrative – script files reminder
     - re-download the script files' zip
       – to obtain the new vmconfigure scripts for this "sniffing" exercise

     Lab calendar – adjusted for midterm
     - no earlier lab due exam week – packet sniffing is due 10/16 instead
     - no lab lecture exam week – I’m going fishing, will return on 10/16

  3. Packet sniffer
     - a tool that captures, interprets, and stores network packets for analysis
     - also known as
       – network sniffer
       – network monitor
       – packet capture utility
       – protocol analyzer
     - is intimately “network-y”

     Sniffing in security context – an introductory counterpoint
     - conventional wisdom
       – “hacking” is emblematic of popular security news
       – and is all about the outside menace
       – popular conclusion: “security is about networks”
     - reality
       – the outside is there, but don’t forget the inside too!!
       – does “security” vanish when the net cable is unplugged?

  4. Half of security unrelated to nets
     - purely local dimensions
       – physical security
       – BIOS/bootloader security
       – boot process security (TPM, MS Secure Boot)
       – filesystem permissions
       – execution jails
       – encrypted filesystems
       – application vulnerabilities
       – etc.
     - network aspects
       – packet sniffing
       – remote backup and logging
       – port scanning
       – tunnels

     Wireshark – product background
     - principal author Gerald Combs
       – his 2019 Sharkfest keynote: https://sharkfestus.wireshark.org/sf19
     - open source
     - equivalent Linux, Windows, Apple versions

  5. Related software
     - pcap – the underlying library
       – pcap captures the packets
       – Wireshark displays them (graphically)
     - tcpdump
       – rides on pcap like Wireshark
       – displays what pcap captures (character mode)
       – very widespread
     - others
       – tshark, character-mode version in Wireshark’s stable
       – Network Monitor – Microsoft
       – snoop – Sun Microsystems
       – ettercap
       – snort

     Other software used in the lab
     - echo protocol – longstanding early diagnostic protocol
     - netcat
     - telnet
     - ssh

  6. netcat – product background
     - a “general purpose” client and server
     - there’s more than one (hobbit’s, GNU’s)
       – different authors
       – different features
       – different syntax
     - cryptcat – adds filestream en/de-cryption
     - for you to generate something to send a server in this exercise

     Ordinary client and server programs – each contain 2 halves
     - a client program and a matching server program
     - each has a network operation/access half and an application logic half
     [diagram labels: application – network | network – application; network operation/access half, application logic half]

  7. Two copies of netcat
     - the network mechanism that clients and servers use, stand-alone and generic
     - no application logic
     - marry them to (non-network) applications
     [diagram labels: an application – local stdin | network | local stdout – a matching application]

  8. ssh – secure shell
     - creates an encrypted network conversation
     - for you to compare with an unencrypted one in this exercise (using telnet instead)
     - by capturing both

     Foundation concept: frames
     - are what Wireshark is for capturing
     - a.k.a. packets, datagrams, segments, protocol data units
     - they come in nested groups

  9. Nesting / successive enveloping
     [figure: Russian lacquer dolls]

     How data gets enveloped
     [figure: packets]

  10. Packets have detailed structure
      - Wireshark knows the structures
      - for ~3000 protocols
      - turns byte dump into intelligible decode, in the details pane

  11. Wireshark interface components
      [screenshot labels: packet list pane; packet details pane (packet 6’s details); packet bytes pane (packet 6’s bytes)]

      Stack correlation
      [figure labels: application, transport, network, data link, physical – the highest-layer protocol that each packet contains]

  12. Wireshark taps interfaces
      - probe takes measurement “where it is”
      - sees whatever is at the interface (e.g., NIC)
      - sees nothing else
      - does not see “what’s on the network”
      - limits value on a host connected to a switch (versus a hub)
      [cartoon: “It’s 70° in L.A.” – “No, it’s 70° right here”]

  13. [cartoon: “There’s a port scan on the network” – Wireshark: “No, there’s a port scan right here”]

      Two what-to-capture restrictions
      - involuntary: can’t capture what doesn’t appear on the interface in the first place
      - voluntary: packet filter expressions

  14. Packet filter expressions using address primitives
      - host 200.2.2.1
      - src host 200.2.2.2
      - dst host 200.2.2.2
      - ‘ip[16]>=224’
      - ‘ip[2:2]>512’
      - ‘ether[0]&1=1’

      Packet filter expressions using protocol primitives
      - ip
      - tcp
      - udp
      - icmp
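As an added worked example (not part of the slides or of tcpdump/Wireshark), the Python below peels the Ethernet and IPv4 envelopes of a constructed frame, the "successive enveloping" of slides 9 and 10, and then evaluates the address and protocol primitives listed above against it the way a capture filter would. The sample frame, its addresses and the helper names are assumptions; only the filter expressions come from the slide.

```python
import re
import struct

# Constructed sample frame (not a real capture): Ethernet II -> IPv4 -> UDP -> 600-byte payload.
# Dst MAC 01:00:5e:00:00:fb / IP 224.0.0.251 is a multicast pair; src IP 200.2.2.2 is the
# slide's address. Checksums are left at 0 (not computed), which the filters never inspect.
_PAYLOAD = b"\x00" * 600
_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(_PAYLOAD), 0x1234, 0x4000,
                      64, 17, 0, bytes([200, 2, 2, 2]), bytes([224, 0, 0, 251]))
_UDP_HDR = struct.pack("!HHHH", 5353, 5353, 8 + len(_PAYLOAD), 0)
FRAME = (bytes.fromhex("01005e0000fb") + bytes.fromhex("0800270a1b2c") + b"\x08\x00"
         + _IP_HDR + _UDP_HDR + _PAYLOAD)

_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "!=": lambda a, b: a != b,
        "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}
# proto[offset:width] & mask  op  value, e.g. ip[2:2]>512 (IP total length) or ether[0]&1=1
_BYTE_TEST = re.compile(r"^(ether|ip)\[(\d+)(?::(\d+))?\](?:&(\d+))?(>=|<=|!=|=|>|<)(\d+)$")


def layers(frame):
    """Peel the envelopes: the Ethernet header hands its payload to IPv4 (EtherType 0x0800)."""
    ether_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:] if ether_type == 0x0800 else b""
    return {"ether_type": ether_type, "ip": ip, "proto": ip[9] if ip else None,
            "src": ".".join(map(str, ip[12:16])) if ip else None,
            "dst": ".".join(map(str, ip[16:20])) if ip else None}


def matches(expr, frame):
    """Evaluate one tcpdump-style capture-filter primitive from the slide against a frame."""
    lay = layers(frame)
    words = expr.strip().strip("'\u2018\u2019").split()
    if words == ["ip"]:
        return lay["ip"] != b""
    if len(words) == 1 and words[0] in _PROTO:           # tcp / udp / icmp
        return lay["proto"] == _PROTO[words[0]]
    if "host" in words:                                   # host A, src host A, dst host A
        side = words[0] if words[0] in ("src", "dst") else None
        candidates = {"src": [lay["src"]], "dst": [lay["dst"]]}.get(side, [lay["src"], lay["dst"]])
        return words[-1] in candidates
    m = _BYTE_TEST.match("".join(words))
    if not m:
        raise ValueError(f"unsupported primitive: {expr}")
    base, off, width, mask, op, rhs = m.groups()
    data = frame if base == "ether" else lay["ip"]        # ip[...] offsets start at the IP header
    value = int.from_bytes(data[int(off):int(off) + int(width or 1)], "big")
    if mask:
        value &= int(mask)
    return _OPS[op](value, int(rhs))
```

On the sample frame, ‘ip[16]>=224’ is true because the destination's first octet is in the multicast range, ‘ip[2:2]>512’ because the IP total length is 628, and ‘ether[0]&1=1’ because the destination MAC's group bit is set.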

  15. Booleans
      - and
      - or
      - not

      2 different filters, 2 different syntaxes
      - capture filters (during capture)
        – shares the same syntax as tcpdump uses
      - display filters (after the fact)
        – Wireshark’s own syntax
        – can auto-generate a filter expression from a model packet (“give me the expression for a packet like this one”)

  16. These syntaxes semantically same
      [screenshot labels: enter display filter here while displaying; enter capture filter here before capturing]

      Wireshark SSL decrypt feature (given key!)
      [screenshot labels: without key; with key; …but where do we get the key?]

  17. If you want to see network traffic besides your own
      - make sure the NIC is in promiscuous mode
      - operate in a network with a hub, not a switch
        – not your choice if you’re not the net admin
      - use a switch with a management/spanning port that receives all traffic
      - capture there, analyze here
        – sniff by remote command-line access on computers elsewhere in the network with e.g. tcpdump or tshark, save the capture to a file, transfer it to local Wireshark for analysis

      info
      - http://www.wireshark.org/
      - http://wiki.wireshark.org/
      - “Packet Sniffing In a Switched Environment” https://www.sans.org/reading-room/whitepapers/networkdevs/packet-sniffing-switched-environment-244
      - “SSL/TLS: What's Under the Hood” https://www.sans.org/reading-room/whitepapers/authentication/paper/34297
