Network Forensic Packet Analysis Using Wireshark - Presentation Transcript

Network Sniffing and Packet Analysis Using Wireshark
Combined null and OWASP meet, Bangalore
1101/0011/1010
tamaghna.basu@gmail.com
tamahawk-techguru.blogspot.com
twitter.com/titanlambda
Disclaimer
• Difficult to put all these things together
• Existing sessions - 100-150 slides
• Time constraint

Topics
• Why?
• What?
• How?
• Basic sniffing techniques
• Intro to Wireshark
• Closer look at protocols
• Case studies

Prerequisite:
• Patience
• Patience
• Patience
AND / Or maybe...

Why sniffing/packet analysis
• Why you?
• Why me?
• Why others?
Purpose of sniffing and packet analysis
• A million different things can go wrong with a computer network, from a simple spyware infection to a complex router configuration error.
• The packet level is the most basic level, where nothing is hidden.
• Understand the network: who is on the network, whom your computer is talking to, what the network usage is, and whether there is any suspicious communication (DoS, botnet, intrusion attempt etc.)
• Find unsecured and bloated applications - FTP sends cleartext authentication data
• One phase of computer forensics - could reveal data otherwise hidden somewhere in a 150 GB HDD.

What is this?
• Also known as packet sniffing, protocol analysis etc.
• Three phases:
  • Collection - promiscuous mode
  • Conversion - UI-based tools are better
  • Analysis - protocol level, setting rules etc.
• Get various data like text content, files, cleartext authentication details etc.
• Tools
  • Sniffer - Wireshark, Cain and Abel, tcpdump (command line tool), NetworkMiner
  • Packet analysis - Wireshark, NetworkMiner, Xplico etc.
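As an added illustration that is not part of the talk: the three phases above (collection as a pcap file, conversion by parsing the Ethernet/IPv4/TCP headers, analysis as a rule) applied to the "FTP sends cleartext authentication data" point. The capture is constructed inline; in Wireshark the same check is the display filter `ftp.request.command == "PASS"`.

```python
import struct

# Constructed sample: Ethernet/IPv4/TCP frames in a classic pcap file. Two
# segments carry a cleartext FTP login to port 21; one is unrelated HTTP.
def build_frame(src_port, dst_port, payload):
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)      # type IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4,  # no options
                      0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 21])) + tcp
    return eth + ip

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    build_frame(40000, 21, b"USER alice\r\n"),
    build_frame(40000, 21, b"PASS s3cret\r\n"),
    build_frame(40001, 80, b"GET / HTTP/1.1\r\n"),
])

def iter_tcp_payloads(pcap):
    """Conversion phase: walk pcap records, yield (src, dst, sport, dport, payload)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:   # keep only IPv4 / TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def find_cleartext_ftp_logins(pcap):
    findings = []   # Analysis phase: rule flagging USER/PASS on the FTP control port
    for src, dst, _sport, dport, payload in iter_tcp_payloads(pcap):
        cmd, _, arg = payload.decode("ascii", "replace").strip().partition(" ")
        if dport == 21 and cmd.upper() in ("USER", "PASS"):
            findings.append((src, dst, cmd.upper(), arg))
    return findings
```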
Sniffing Techniques
• Promiscuous mode
• Hub environment
• Switch environment
  • Port mirroring
  • Hubbing out the target network/machine
  • ARP cache poisoning / ARP spoofing

Wireshark: History
Gerald Combs, a computer science graduate of the University of Missouri at Kansas City, originally developed it out of necessity. The very first version of Combs' application, called Ethereal, was released in 1998 under the GNU Public License (GPL). Eight years after releasing Ethereal, Combs left his job and rebranded the project as Wireshark in mid-2006.

Wireshark: Features
• GPL
• Available on all platforms
• Both live and offline analysis
• Understands almost all protocols; if not, add it - open source
• Filter/search packets, Expert comments, Follow TCP Stream, Flow Graph etc.
• Plenty of tutorials/documentation available
• Get sample captured packets for study - http://wiki.wireshark.org/SampleCaptures
• Demo: Let's start eating. Feed your brain. :)
Starters: Protocol diagnosis
• ARP
• DHCP
• HTTP / TCP
• DNS
• FTP
• Telnet
• ICMP
• SMTP

Desserts: Case Studies
• FTP crack
• Blaster worm
• OS fingerprinting
• Port scanning
• ICMP covert channel
• Browser hijacking - spyware

Mouth Freshener: Honeynet Challenge
• Challenge 1
• Problem statement
• Analysis
• Tools used
• Solution

Main Course????
"Tell me and I forget. Show me and I remember. Involve me and I understand." - Chinese proverb

Thank you for witnessing this historical moment...
Answers and Discussions?
tamaghna.basu@gmail.com
tamahawk-techguru.blogspot.com
twitter.com/titanlambda