Network Forensics: Packet Analysis Using Wireshark


Published on

Talk on the recent IE8 exploit for pwn2own 2010

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Network Forensics: Packet Analysis Using Wireshark

  1. 1. Network S niffing and P acket Analysis Using Wireshark C ombined null and O W A S P meet B angalore 1101/0011/1010 ta m a g hna .ba s u@g m a il.c om ta m a ha w k -tec hg uru.blo g s pot.c om tw itter.c om /tita nla m bda
  2. 2. • D ifficult to put all these things together • E xisting sessions – 100 – 150 slides • Time C onstraint
  3. 3. Topics • Why? • What? • How ? • B as ic sniffing techniques • Intro to wireshark • C losure look at protocols • C ase S tudies
  4. 4. P rerequisite: • P atience • P atience • P atience AND Or M ay be...
  5. 5. Why sniffing/packet analysis • Why you? • Why M e? • Why O thers?
  6. 6. P urpose of sniffing and packet analysis ● A million different things can go wrong with a computer network, from a simple spyware infection to a complex router configuration error. ● P acket level is the most basic level where nothing is hidden. ●Understand the network, who is on a network, whom your computer is talking to, What is the network us age, any s uspicious communication (D O S , botnet, Intrus ion attempt etc) ●Find uns ecured and bloated applications – FTP sends cleartext authentication data ●O ne phase of computer forensic - could reveal data otherwise hidden s omewhere in a 150 G B HD D .
  7. 7. What is this? • Also known as packet sniffing, protocol analysis etc. • Three P hases - • C ollection – promiscuous mode • C onversion – UI based tools are better • Analysis – P rotocol level, setting rules etc • G et various data like text content, files, clear text authentication details etc. • Tools •S niffer – wireshark, cain and abel, tcpdump (commnd line tool), networkminer • P acket Analysis – wireshark, networkminer, xplico etc
  8. 8. S niffing Techniques • P romiscuous mode • Hub environment • S witch environment • P ort mirroring • Hubbing out the target network/machine • AR P cache poisoning /AR P spoofing
  9. 9. Wireshark: History G erald C ombs , a computer science graduate of the University of M iss ouri at Kansas C ity, originally developed it out of necessity. The very firs t version of C ombs’ application, called E thereal, was releas ed in 1998 under the G NU P ublic Licens e (GP L). E ight years after releasing E thereal, C ombs left his job and rebranded the project as Wireshark in mid-2006.
  10. 10. Wireshark: Features • GPL • Available in all platform • Both live and offline analysis • Understands almost all protocols, if not, add it – open source • Filter/search packets, E xpert's comment, Follow TC P S tream, Flow G raph etc • P lenty of tutorials /documentation available • G et sample captured packets for study - http:/ ampleC aptures / S • D em o: L et's s ta rt ea ting . Feed yo ur bra in. :)
  11. 11. S tarters: P rotocol diagnosis • AR P • D HC P •HTTP / PTC • D NS • FTP • Telnet • IC M P • S M TP
  12. 12. D eserts: C ase S tudies • FTP C rack • B las ter worm • OS fingerprinting • P ort S canning • IC M P C overt C hannel • B rowser Hijacking - spyware
  13. 13. M outh Freshner: Honeynet C hallenge • C hallenge 1 • P roblem S tatement • Analysis • Tools used • S olution
  14. 14. M ainC ourse? ? ? ? “Tell me and I forget. Show me and I remember. Involve me and I understand.” - chinese proverb
  15. 15. Thank you for witnessing this historical moment... A ns w ers a nd D is c us s io ns ? ta m a g hna .ba s u@g m a il.c om ta m a ha w k -tec hg uru.blo g s pot.c om tw itter.c om /tita nla m bda