Network "sniffing" – packet capture and analysis
October 3, 2014

Administrative – submittal instructions
• answer the lab assignment's 13 questions in numbered list form, in a Word document file (13th response is to embed a screenshot graphic)
• email to [email protected]
• exact subject title must be "snifflab"
• deadline is start of your lab session the following week
• reports not accepted (zero for lab) if
– late
– you did not attend the lab (except DEN or prior arrangement)
– email subject title deviates

DETER preparations
• coming soon
– next lecture topic will be done on DETER
– so will 3 of the 4 remaining thereafter
• you have an account
– created Wednesday late afternoon
– you received an advisory email at that time
• to-do for you in next 24 hours
– read your advisory email and note changes it requests you make within 72 hours (from Weds, 24 hours from now)

Dateline Friday 9/26/14
while we were busy discussing exploits here...
• media drumbeat plagues us
• may be more sensationalized than necessary (or, maybe not)
* footnote to last week's "app security" topic

[Screenshot: client unexgate gets server dmorgan.us's passwd file. Annotations: "extraneous text"; "would return passwd file if executed"]

Packet sniffer
• a tool that captures, interprets, and stores network packets for analysis
• also known as
– network sniffer
– network monitor
– packet capture utility
– protocol analyzer
• is intimately "network-y"

Sniffing in security context – an introductory counterpoint
• conventional wisdom
– "hacking" is emblematic of popular security talk
– and is all about the outside menace
– popular conclusion: "security is about networks"
• reality
– the outside is there, but don't forget the inside too!!
– does "security" vanish when the net cable is unplugged?

Half of security unrelated to nets
• purely local dimensions
– physical security
– BIOS/bootloader security
– filesystem permissions
– execution jails
– encrypted filesystems
– etc.
• network aspects
– packet sniffing
– remote backup and logging
– port scanning
– tunnels
but today's topic is in the network category

Wireshark – product background
• principal author Gerald Combs
• original name "ethereal" (changed 2006, legal reasons)
• open source
• equivalent Linux and Windows versions

Related software
• pcap
– the underlying library
– pcap captures the packets
– Wireshark displays them (graphically)
• tcpdump
– rides on pcap like Wireshark
– displays what pcap captures (character mode)
– very widespread
• others
– tshark, character mode version in Wireshark's stable
– Network Monitor - Microsoft
– snoop - Sun Microsystems
– ettercap
– snort

netcat – product background
• a "general purpose" client and server
• there's more than one (hobbit's, GNU's)
– different authors
– different features
– different syntax
• cryptcat
– adds filestream en/de-cryption
• for you to generate something to send a server in this exercise

ssh – secure shell
• creates an encrypted network conversation
• for you to compare with an unencrypted one in this exercise by capturing both

Foundation concept: frames
• are what Wireshark is for capturing
• a.k.a. packets, datagrams, segments, protocol data units
• they come in nested groups

Nesting / successive enveloping
[Figure: Russian lacquer dolls]

How data gets enveloped
[Figure: each layer's header wrapped around the layer above]

Packets have detailed structure
[Figure: packet header layout]

Packets have detailed structure
• Wireshark knows the structures for ~1400 protocols
• turns byte dump into intelligible decode, in the details pane

Wireshark interface components
[Screenshot: packet list pane, packet details pane, packet bytes pane; packet 6's details and packet 6's bytes shown]

Stack correlation
[Figure: application, transport, network, data link, physical; the packet list's Protocol column shows the highest-layer protocol that each packet contains]

Wireshark taps interfaces
• probe takes measurement "where it is"
• sees whatever is at the interface (e.g., NIC)
• sees nothing else
• does not see "what's on the network"
• limits value on host connected to a switch (versus a hub)

[Cartoon: "It's 70° in L.A." / "No, it's 70° right here"; "There's a port scan on the network" / "No, there's a port scan right here" (wireshark)]

Two what-to-capture restrictions
• involuntary: can't capture what doesn't appear on the interface in the first place
• voluntary: packet filter expressions

Packet filter expressions using address primitives
• host 200.2.2.1
• src host 200.2.2.2
• dst host 200.2.2.2
• 'ip[16]>=224'
• 'ip[2:2]>512'
• 'ether[0]&1=1'

Packet filter expressions using protocol primitives
• ip
• tcp
• udp
• icmp

Booleans
• and
• or
• not

2 different filters, 2 different syntaxes
• capture filters (during capture)
– shares same syntax as tcpdump uses
• display filters (after the fact)
– Wireshark's own syntax
– can auto-generate filter expression from model packet
[Screenshot: enter capture filter here before capturing; enter display filter here while displaying]
These syntaxes are semantically the same.

info – Wireshark SSL decrypt feature (given key!)
[Screenshots: with key / without key]
...but where do we get the key?

If you want to see network traffic besides your own
• make sure NIC is in promiscuous mode
• operate in a network with a hub, not a switch
– not your choice if you're not net admin
• use a switch with a management port that receives all traffic
• sniff by remote access on computers at other places in the network, save the capture to a file, transfer the file
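The byte-offset filter primitives on the slides ('ip[16]>=224', 'ip[2:2]>512', 'ether[0]&1=1') and the nested envelopes they index into, worked as an added Python example that is not part of the lecture material: it builds a constructed Ethernet/IPv4/TCP frame and evaluates each primitive against it the way pcap reads them, with the offset counted from the start of the named layer's header. The frame contents, the `build_frame`/`field`/`match_primitive`/`layers` helpers and the mini-evaluator are assumptions made here, not tcpdump's own code.

```python
# Added example (not from the lecture; frame contents are made up): build an
# Ethernet/IPv4/TCP frame and evaluate pcap byte-offset filter primitives on it.
import re
import struct
from ipaddress import IPv4Address

def build_frame(dst_mac, src_mac, src_ip, dst_ip, payload_len):
    """Nested envelopes: Ethernet header (14 B) wraps IPv4 header (20 B),
    which wraps a TCP header (20 B) and payload_len bytes of data."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0x1234,
                         0x4000, 64, 6, 0, IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
    eth_hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + b"A" * payload_len

def field(frame, proto, offset, size=1):
    """proto[offset:size] as pcap reads it: offset is relative to the start of
    that layer's header (ether = byte 0, ip = after the 14-byte Ethernet header)."""
    base = {"ether": 0, "ip": 14}[proto]
    return int.from_bytes(frame[base + offset:base + offset + size], "big")

_PRIM = re.compile(r"^(ether|ip)\[(\d+)(?::(\d+))?\](?:&(\d+))?(>=|<=|!=|>|<|=)(\d+)$")

def match_primitive(frame, expr):
    """Evaluate one byte-offset primitive: 'ip[16]>=224' (multicast dst IP),
    'ip[2:2]>512' (IPv4 total length), 'ether[0]&1=1' (group-address dst MAC).
    Keyword primitives such as 'host' or 'tcp' are deliberately not handled."""
    m = _PRIM.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported primitive: {expr}")
    proto, off, size, mask, op, rhs = m.groups()
    val = field(frame, proto, int(off), int(size or 1))
    if mask is not None:
        val &= int(mask)
    rhs = int(rhs)
    return {">=": val >= rhs, "<=": val <= rhs, ">": val > rhs,
            "<": val < rhs, "=": val == rhs, "!=": val != rhs}[op]

def layers(frame):
    """Peel the envelopes the way the details pane does: Ethernet -> IPv4 -> L4."""
    names = ["Ethernet"]
    if field(frame, "ether", 12, 2) == 0x0800:
        names.append("IPv4")
        names.append({1: "ICMP", 6: "TCP", 17: "UDP"}.get(field(frame, "ip", 9), "?"))
    return names

if __name__ == "__main__":
    mcast = build_frame("01005e000001", "0a0000000001", "10.0.0.5", "224.0.0.1", 600)
    for expr in ("ip[16]>=224", "ip[2:2]>512", "ether[0]&1=1"):
        print(expr, match_primitive(mcast, expr), layers(mcast))
```

The same offsets apply to a real capture because both tcpdump and Wireshark's capture filter hand these expressions to pcap unchanged; the display filter syntax, by contrast, names fields (e.g. the IP destination) rather than byte offsets.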