Network Packet Analysis


Transcript

  • 1. Network Packet Analysis Technical Workshop (21 December 2012), Ahmad Muammar W.K. OSCP (Tuesday, January 22, 13)
  • 2. Agenda
    • Play with a captured network file
    • Wireshark features
    • Packet analysis case studies
    • Other packet analysis tools
    • Create a Wireshark dissector
  • 3. Packet Analysis
    • Analyze fields within protocols
    • Analyze protocols within packets
    • Analyze packets within streams
    • Reconstruct higher-layer protocols
  • 4. Wireshark Statistics: useful features for analysis
  • 6. Summary
    • Shows information about the data capture
    • Contains: file information, the time the packets were captured, capture information, the display filter in use, and a traffic summary broken down into Captured, Displayed (if a display filter is set) and Marked packets.
  • 8. Protocol Hierarchy
    • Displays a hierarchical tree of protocol statistics
    • The tree covers every protocol in the capture; subtrees can be expanded and collapsed.
    • It shows which protocols make up most of the captured traffic, which is the first hint of where to look.
  • 10. Conversations
    • Displays a list of conversations (traffic between two endpoints)
    • Supports protocol-specific windows, name resolution and "Limit to display filter"
  • 12. IO Graphs
    • Displays user-specified graphs (e.g. number of packets over time)
    • Supports up to five differently coloured graphs, each based on its own display filter.
  • 15. Wireshark CASE FILE: ONE
  • 18. Wireshark CASE FILE: TWO
  • 20. Use Wireshark analysis, please :)
  • 26. Let the packets tell the truth. CASE FILE: THREE. Reference: Practical Packet Analysis, http://chrissanders.org/captures/aurora.pcap
  • 27. Summary
    • The victim receives a targeted email from the attacker that appears legitimate, clicks a link within it, and sends a GET request to the attacker's malicious site.
    • The attacker's web server issues a 302 redirect to the victim, and the victim's browser issues a GET request to the redirected URL.
  • 28. Summary
    • The attacker's web server transmits a web page containing obfuscated JavaScript code to the client; it includes a vulnerability exploit and an iframe containing a link to a malicious GIF image.
    • The victim issues a GET request for the malicious image and downloads it from the server.
  • 29. Summary
    • The JavaScript code transmitted earlier is deobfuscated using the malicious GIF, and the code executes on the victim's machine, exploiting a vulnerability in Internet Explorer.
    • Once the exploit succeeds, the payload hidden within the obfuscated code is executed, opening a new session from the victim to the attacker on port 4321.
  • 30. Summary
    • A command shell is spawned from the payload and shoveled back to the attacker.
    • This is what became known as "Operation Aurora".
  • 40. Other tools for packet analysis
  • 41. XPLICO
    • Xplico is an open source Network Forensic Analysis Tool (NFAT).
    • It extracts the application data contained in an internet traffic capture: from a pcap file it extracts each email (POP, IMAP and SMTP), all HTTP content, each VoIP call (SIP), FTP, TFTP, etc.
    • xplico.org
  • 45. NetworkMiner
    • NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (it also works on Linux / Mac OS X / FreeBSD).
    • NetworkMiner can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc.
    • netresec.com
  • 48. PCAP samples: http://wiki.wireshark.org/SampleCaptures
  • 49. Packet Analysis: creating your own Wireshark dissector for your own or others' protocols
  • 50. Wireshark Dissector
    • Allows Wireshark to automatically break a packet down into its sections so that it can be analyzed
    • A translator, a decoder
    • Does not work on a non-standard port: the dissector is bound to the protocol's default port.
    • Created with Lua
  • 51. Lua
    • "Lua" (pronounced LOO-ah) means "Moon" in Portuguese
    • Lua is a powerful, fast, lightweight, embeddable scripting language.
    • Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics.
  • 52. Download Lua
    • Lua for Windows: http://luaforwindows.luaforge.net/
    • Install Lua
  • 53. Simple Lua
    • code it: echo 'print("Hello World")' > hello.lua
    • run it: prompt> lua hello.lua
  • 54. Wireshark + Lua: check support and compatibility
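As an added example (not the workshop's own code), here is a minimal Wireshark Lua dissector of the kind slides 50 to 54 describe. The "WSP" protocol, its four-byte header layout and UDP port 9999 are assumptions made for this illustration; the length check shows how a dissector should treat a length field it does not control.

```lua
-- Added example: a minimal Wireshark Lua dissector for a hypothetical
-- "WSP" (workshop) protocol carried over UDP port 9999. The layout below
-- is an assumption made for this example, not a real protocol:
--   byte 0      version        (uint8)
--   byte 1      message type   (uint8: 1 = REQ, 2 = RESP)
--   bytes 2-3   payload length (uint16, big endian)
--   bytes 4..   payload
local wsp = Proto("wsp", "Workshop Demo Protocol")

local msg_types = { [1] = "REQ", [2] = "RESP" }

-- Declaring fields gives them display-filter names such as "wsp.type == 2".
local f_version = ProtoField.uint8("wsp.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("wsp.type", "Message Type", base.DEC, msg_types)
local f_len     = ProtoField.uint16("wsp.len", "Payload Length", base.DEC)
local f_payload = ProtoField.bytes("wsp.payload", "Payload")
wsp.fields = { f_version, f_type, f_len, f_payload }

local HEADER_LEN = 4

function wsp.dissector(buffer, pinfo, tree)
    -- Do not claim the packet if the fixed header does not even fit.
    if buffer:len() < HEADER_LEN then
        return 0
    end
    pinfo.cols.protocol = "WSP"

    local subtree = tree:add(wsp, buffer(), "Workshop Demo Protocol")
    subtree:add(f_version, buffer(0, 1))
    subtree:add(f_type, buffer(1, 1))
    subtree:add(f_len, buffer(2, 2))

    -- Never trust the length field: clamp it to the bytes actually captured
    -- so a malformed or truncated frame cannot make the dissector read past
    -- the end of the buffer, and say so in the Info column.
    local declared  = buffer(2, 2):uint()
    local available = buffer:len() - HEADER_LEN
    local payload_len = math.min(declared, available)
    if payload_len > 0 then
        subtree:add(f_payload, buffer(HEADER_LEN, payload_len))
    end

    local info = string.format("%s len=%d", msg_types[buffer(1, 1):uint()] or "UNKNOWN", declared)
    if declared > available then
        info = info .. " [truncated]"
    end
    pinfo.cols.info = info
    return buffer:len()
end

-- Bound to one port: WSP traffic on any other port is not decoded unless
-- the analyst uses "Decode As...", which is the port caveat from slide 50.
DissectorTable.get("udp.port"):add(9999, wsp)
```

Save the file in Wireshark's personal plugins directory (or load it with the -X lua_script: option) and filter on "wsp" to confirm it is active.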
  • 65. Reference
    • Lua Support in Wireshark: http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html
    • http://wiki.wireshark.org/Lua
  • 68. Network Packet Analysis Technical Workshop (21 December 2012), Ahmad Muammar W.K. OSCP