USC CSCI 530 - lab-sniffing-greyscale

This preview shows page 1-2-3-4-5 out of 16 pages.

Unformatted text preview:

Network "sniffing" – packet capture and analysis
October 3, 2014

Administrative – submittal instructions
- answer the lab assignment's 13 questions in numbered list form, in a Word document file (the 13th response is to embed a screenshot graphic)
- email to [email protected]
- exact subject title must be "snifflab"
- deadline is start of your lab session the following week
- reports not accepted (zero for lab) if
  – late
  – you did not attend the lab (except DEN or prior arrangement)
  – email subject title deviates

DETER preparations
- coming soon
  – next lecture topic will be done on DETER
  – so will 3 of the 4 remaining thereafter
- you have an account
  – created Wednesday late afternoon
  – you received an advisory email at that time
- to-do for you in next 24 hours
  – read your advisory email and note changes it requests you make within 72 hours (from Weds, 24 hours from now)

Dateline Friday 9/26/14 – while we were busy discussing exploits here...
* media drumbeat plagues us; may be more sensationalized than necessary (or, maybe not)
* footnote to last week's "app security" topic

Client unexgate gets server dmorgan.us's passwd file
[screenshot with callouts: "extraneous text"; "would return passwd file if executed"]

Packet sniffer
- a tool that captures, interprets, and stores network packets for analysis
- also known as
  – network sniffer
  – network monitor
  – packet capture utility
  – protocol analyzer
- is intimately "network-y"

Sniffing in security context – an introductory counterpoint
- conventional wisdom
  – "hacking" is emblematic of popular security talk
  – and is all about the outside menace
  – popular conclusion: "security is about networks"
- reality
  – the outside is there, but don't forget
  – the inside too!!
- does "security" vanish when the net cable is unplugged?

Half of security unrelated to nets
- purely local dimensions
  – physical security
  – BIOS/bootloader security
  – filesystem permissions
  – execution jails
  – encrypted filesystems
  – etc.
- network aspects
  – packet sniffing
  – remote backup and logging
  – port scanning
  – tunnels
- but today's topic is in the network category

Wireshark – product background
- principal author Gerald Combs
- original name "ethereal" (changed 2006, legal reasons)
- open source
- equivalent Linux and Windows versions

Related software
- pcap
  – the underlying library
  – pcap captures the packets
  – Wireshark displays them (graphically)
- tcpdump
  – rides on pcap like Wireshark
  – displays what pcap captures (character mode)
  – very widespread
- others
  – tshark, character mode version in Wireshark's stable
  – Network Monitor – Microsoft
  – snoop – Sun Microsystems
  – ettercap
  – snort

netcat – product background
- a "general purpose" client and server
- there's more than one (hobbit's, GNU's)
  – different authors
  – different features
  – different syntax
- cryptcat
  – adds filestream en/de-cryption
- for you to generate something to send a server in this exercise

ssh – secure shell
- creates an encrypted network conversation
- for you to compare with an unencrypted one in this exercise by capturing both

Foundation concept: frames
- are what Wireshark is for capturing
- a.k.a. packets, datagrams, segments, protocol data units
- they come in nested groups

Nesting / successive enveloping
[figure: Russian lacquer dolls]

How data gets enveloped
[figure]

Packets have detailed structure
[figure]

Packets have detailed structure
- Wireshark knows the structures for ~1400 protocols
- turns byte dump into intelligible decode, in the details pane

Wireshark interface components
[figure: packet list pane, packet details pane, packet bytes pane; packet 6's details, packet 6's bytes]

Stack correlation
[figure: application, transport, network, data link, physical; highest-layer protocol that each packet contains]

Wireshark taps interfaces
- probe takes measurement "where it is"
- sees whatever is at the interface (e.g. NIC)
- sees nothing else
- does not see "what's on the network"
- limits value on host connected to a switch (versus a hub)

[cartoon] "It's 70° in L.A." – "No, it's 70° right here." / "There's a port scan on the network." – "No, there's a port scan right here." (wireshark)

Two what-to-capture restrictions
- Involuntary: can't capture what doesn't appear on the interface in the first place
- Voluntary: packet filter expressions

Packet filter expressions using address primitives
- host 200.2.2.1
- src host 200.2.2.2
- dst host 200.2.2.2
- 'ip[16]>=224'
- 'ip[2:2]>512'
- 'ether[0]&1=1'

Packet filter expressions using protocol primitives
- ip
- tcp
- udp
- icmp

Booleans
- and
- or
- not

2 different filters, 2 different syntaxes
- capture filters (during capture)
  – share the same syntax as tcpdump uses
- display filters (after the fact)
  – Wireshark's own syntax
  – can auto-generate filter expression from model packet
[screenshot callouts: "enter capture filter here before capturing"; "enter display filter here while displaying"]

These syntaxes semantically same
[figure]

info
[figure]

Wireshark SSL decrypt feature (given key!)
[screenshots: with key; without key]
...but where do we get the key?

If you want to see network traffic besides your own
- make sure NIC is in promiscuous mode
- operate in a network with a hub, not a switch
  – not your choice if you're not net admin
- use a switch with a management port that receives all traffic
- sniff by remote access on computers at other places in the network, save the capture to a file, transfer the file
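As an added example (not part of the slides), the address, protocol and boolean capture-filter primitives listed above are evaluated against constructed Ethernet/IPv4 frames, which makes explicit the byte offsets the bracket expressions refer to (ip[16] is the first byte of the destination address, ip[2:2] the total-length field, ether[0]&1 the group bit of the destination MAC). The frames, MAC addresses and the tiny evaluator are assumptions built here; real captures are handled by pcap, tcpdump and Wireshark, whose parsers this does not replace.

```python
import socket
import struct

def layers(frame):
    """Peel the nested envelopes: Ethernet (14 bytes) -> IPv4 -> transport name."""
    f = {"ether": frame[:14], "highest": "ethernet"}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4: stop at Ethernet
        return f
    ip = frame[14:]
    f.update(ip=ip, ip_len=struct.unpack("!H", ip[2:4])[0], src=ip[12:16], dst=ip[16:20])
    f["highest"] = {1: "icmp", 6: "tcp", 17: "udp"}.get(ip[9], "ip")
    return f

A1, A2 = socket.inet_aton("200.2.2.1"), socket.inet_aton("200.2.2.2")

# Each primitive from the slides as a predicate over the decoded frame
PRIMITIVES = {
    "host 200.2.2.1": lambda f: A1 in (f.get("src"), f.get("dst")),
    "src host 200.2.2.2": lambda f: f.get("src") == A2,
    "dst host 200.2.2.2": lambda f: f.get("dst") == A2,
    "ip[16]>=224": lambda f: "ip" in f and f["ip"][16] >= 224,  # 1st byte of dst IP: class D/E
    "ip[2:2]>512": lambda f: "ip" in f and f["ip_len"] > 512,  # bytes 2-3: IP total length
    "ether[0]&1=1": lambda f: f["ether"][0] & 1 == 1,  # group bit of dst MAC: multicast/broadcast
    "ip": lambda f: "ip" in f,
    "tcp": lambda f: f["highest"] == "tcp",
    "udp": lambda f: f["highest"] == "udp",
    "icmp": lambda f: f["highest"] == "icmp",
}

def evaluate(expr, frame):
    """Combine primitives with and/or/not; precedence not > and > or, as in tcpdump."""
    f = layers(frame)
    def prim(tok):
        tok = tok.strip()
        return not prim(tok[4:]) if tok.startswith("not ") else PRIMITIVES[tok](f)
    return any(all(prim(p) for p in clause.split(" and ")) for clause in expr.split(" or "))

def build_frame(dst_mac_hex, src_ip, dst_ip, proto, payload_len):
    """Constructed Ethernet II + IPv4 frame: zero-filled payload, checksum left 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex(dst_mac_hex + "001122334455") + b"\x08\x00" + ip_hdr + bytes(payload_len)

# Constructed samples: a 600-byte multicast UDP datagram and a payload-less unicast TCP-protocol packet
MULTICAST_UDP = build_frame("01005e0000fb", "200.2.2.2", "224.0.0.251", 17, 600)
UNICAST_TCP = build_frame("aabbccddeeff", "200.2.2.1", "200.2.2.2", 6, 0)

for expr in ("ip[16]>=224", "ip[2:2]>512", "ether[0]&1=1", "tcp or icmp", "not src host 200.2.2.2"):
    print(f"{expr:24} multicast={evaluate(expr, MULTICAST_UDP)!s:5} unicast={evaluate(expr, UNICAST_TCP)}")
```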

