Packet analysis (Basic)

Transcript

  • 1. Network Packet Analysis (basic), Technical Workshop (25 October 2012), Ahmad Muammar W.K., OSCP (slides exported Tuesday, January 22, 13)
  • 2. Introduction • A.K.A y3dips • Pro. Bandwidth Hunter • IT (Sec) Consultant / Pentester / py.Coder • Founder of echo.or.id, ubuntu-id, idsecconf • @y3dips, me@ammar.web.id (slide footer: Network Packet Analysis - Ahmad Muammar W.K. OSCP)
  • 3. Packet Analysis • Captured network traffic • Analyze the protocols, carve out the files, search for strings
  • 4. Packet Analysis • Analyze fields within protocols • Analyze protocols within packets • Analyze packets within streams • Reconstruct higher-layer protocols
  • 5. Issues Found • Too many streams and packets to go through by hand • Packets corrupted or truncated • Contents encrypted at different layers • Non-standard protocols
  • 6. Protocol Analysis • Examination of one or more fields within the protocol's data structure.
  • 7. Packet Analysis (section divider)
  • 8. Wireshark Workshop, Network Packet Analysis Technical Workshop (25 October 2012), Ahmad Muammar W.K., OSCP
  • 9. Wireshark Advanced Usage
  • 10. Wireshark Display • Packet List • Packet Details • Packet Bytes
  • 11. (screenshot of the three panes: Packet List, Packet Details, Packet Bytes)
  • 12. Wireshark Coloring Rules
  • 13.–14. (screenshot slides, no transcript text)
  • 15. Wireshark Capture Filters
  • 16. Capture filters: for the sake of performance. They are applied by libpcap/BPF before packets are written to the capture file, so whatever they drop is never captured; display filters, by contrast, can be changed at any time.
  • 17. Capture/BPF syntax • Type: host, net, port • Direction: src, dst • Proto: ether, ip, tcp, udp • Logical operation: &&, ||, ! (equivalently and, or, not)
  • 18. (screenshot slide, no transcript text)
  • 19. Capture Filters • Filtering the host • host ipv4/ipv6 • host hostname • ether host mac (e.g. 00:11:22:33:44:55; BPF takes colon-separated MAC addresses, not dashes) • src/dst host 192.168.1.1
  • 20. Capture Filters • Filtering the protocol/port • port 443 • !port 443 • protocol name (e.g. icmp) • !protocol name (e.g. !icmp)
  • 21. Capture Filters • Protocol field (byte offset into the layer's header) • icmp[0] == 3 (destination unreachable) • icmp[0] == 8 (echo request) • tcp[13] & 4 == 4 (RST) • tcp[13] & 1 == 1 (FIN); tcp[13] is the TCP flags byte, with FIN=1, SYN=2, RST=4, PSH=8, ACK=16
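The byte-offset filters on slides 17–21 are easy to misread: `tcp[13]` is not byte 13 of the frame but byte 13 of the TCP header, and libpcap locates that header through the IP header length field. The following is an added example, not code from the workshop, that emulates that resolution in pure Python on constructed Ethernet/IPv4 frames (addresses, MACs and ports are made up; checksums are left at zero because BPF never checks them) and evaluates the slide's four filters against them:

```python
import struct

ETH_HLEN, ETHERTYPE_IPV4 = 14, 0x0800
IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17}
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10   # bits of the flags byte at tcp[13]

# The four filters from the slide, as (layer, byte index, mask, expected value).
FILTERS = {
    "icmp[0] == 3":     ("icmp", 0, 0xFF, 3),        # ICMP type 3: destination unreachable
    "icmp[0] == 8":     ("icmp", 0, 0xFF, 8),        # ICMP type 8: echo request
    "tcp[13] & 4 == 4": ("tcp", 13, TCP_RST, TCP_RST),
    "tcp[13] & 1 == 1": ("tcp", 13, TCP_FIN, TCP_FIN),
}

def ip_offset(frame: bytes) -> int:
    """Start of the IPv4 header: what BPF's ip[x] indexes from."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4-over-Ethernet frame")
    return ETH_HLEN

def bpf_byte(frame: bytes, layer: str, index: int) -> int:
    """Emulate the capture-filter primitive `<layer>[index]` for a single byte.

    libpcap resolves tcp[x]/icmp[x] relative to the transport header and finds that
    header via the IP header length (IHL), so IP options do not shift the index.
    """
    ip = ip_offset(frame)
    if layer == "ip":
        return frame[ip + index]
    if frame[ip + 9] != IPPROTO[layer]:              # protocol field of the IPv4 header
        raise ValueError(f"frame is not {layer}")
    ihl = (frame[ip] & 0x0F) * 4
    return frame[ip + ihl + index]

def matches(frame: bytes, expr: str) -> bool:
    """True if the frame would pass the given capture filter; wrong protocol means no match."""
    layer, index, mask, value = FILTERS[expr]
    try:
        return bpf_byte(frame, layer, index) & mask == value
    except ValueError:
        return False

# --- constructed frames (assumed addresses, zero checksums) ---
def build_frame(proto: str, l4: bytes, ip_options: bytes = b"") -> bytes:
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4), 0, 0, 64, IPPROTO[proto], 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 222])) + ip_options
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4

def tcp_header(flags: int, sport: int = 443, dport: int = 51000) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def icmp_header(icmp_type: int, code: int = 0) -> bytes:
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)

def demo() -> dict:
    """Map each constructed frame to the list of slide filters it matches."""
    frames = {
        "tcp RST/ACK": build_frame("tcp", tcp_header(TCP_RST | TCP_ACK)),
        "tcp FIN/ACK with IP options": build_frame("tcp", tcp_header(TCP_FIN | TCP_ACK), b"\x01\x01\x01\x01"),
        "icmp echo request": build_frame("icmp", icmp_header(8)),
        "icmp unreachable": build_frame("icmp", icmp_header(3, 1)),
    }
    return {name: [e for e in FILTERS if matches(f, e)] for name, f in frames.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:32s} -> {hits}")
```

The frame with four NOP bytes of IP options is the interesting one: a fixed offset of 14 + 20 + 13 into the frame reads the wrong byte there, while `tcp[13]` still lands on the flags byte. The same IHL-relative rule is why `tcp[13] & 4 == 4` keeps working on captures with IP options, and why the modern spelling `tcp[tcpflags] & tcp-rst != 0` resolves to the same byte.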
  • 22. Display Filters: see only what you want to see
  • 23. (screenshot slide, no transcript text)
  • 24. Display Filters • !(tcp.port == 443) • tcp.flags.syn == 1 • !arp • tcp.port == 21 || tcp.port == 23 • smtp || pop || imap (display filters compare with == or eq, never a single =, and the SYN bit is the field tcp.flags.syn)
  • 25. Packet Analysis: Wrong Dissector
  • 26. Protocol Dissector • Lets Wireshark break a packet down automatically into its protocol sections so they can be analyzed • Acts as a translator/decoder • Is not applied automatically when a protocol runs on a non-standard (non-default) port, because the dissector is chosen by port number
  • 27.–28. (screenshot slides, no transcript text)
  • 29. Wrong Dissector • Port 443, so Wireshark labels it SSL traffic • But why can we read all the information in clear text? • It is really FTP traffic carried over port 443 • Decode it as FTP (Analyze > Decode As...)
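Slides 26–29 make the point that a port-keyed dissector table is only a guess. The following is an added example, not the workshop's code, that contrasts the port-based choice with a content-based one: a TLS record header has a fixed shape, FTP traffic is ASCII command and reply lines, and when the two disagree the analyst should "Decode As" what the bytes say. The sample payloads are constructed for the example; the FTP heuristic is deliberately narrow (SMTP also uses three-digit replies, so a hit still deserves a look with Follow TCP Stream).

```python
import re

# TLS record layer: content type, then version 0x03xx, then 2-byte length.
TLS_CONTENT_TYPES = {20, 21, 22, 23}          # change_cipher_spec, alert, handshake, application_data
TLS_MAX_RECORD = 16384 + 2048                 # TLS 1.2 caps ciphertext records at 2^14 + 2048 bytes
FTP_REPLY = re.compile(rb"^[1-5]\d\d[ -][\x20-\x7e]*\r\n")
FTP_COMMAND = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|NLST|PASV|PORT|TYPE|CWD|PWD|QUIT)( [\x20-\x7e]*)?\r\n", re.I)
PORT_TABLE = {21: "ftp", 25: "smtp", 110: "pop3", 143: "imap", 443: "tls"}   # the "well-known port" guess

def by_port(dport: int) -> str:
    """What a dissector selected purely by server port would be."""
    return PORT_TABLE.get(dport, "unknown")

def by_content(payload: bytes) -> str:
    """Classify by the first bytes of the stream instead of by port."""
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3 and payload[2] <= 4:
        if 0 < int.from_bytes(payload[3:5], "big") <= TLS_MAX_RECORD:
            return "tls"
    if FTP_REPLY.match(payload) or FTP_COMMAND.match(payload):
        return "ftp"
    return "unknown"

def decode_as(dport: int, payload: bytes) -> dict:
    """Port guess, content guess, and which dissector the analyst should force."""
    port_guess, content_guess = by_port(dport), by_content(payload)
    chosen = content_guess if content_guess != "unknown" else port_guess
    return {"port": port_guess, "content": content_guess, "decode_as": chosen,
            "mismatch": content_guess != "unknown" and content_guess != port_guess}

# --- constructed samples (not from the workshop capture) ---
FTP_BANNER_ON_443 = b"220 FTP server ready.\r\n"                 # server greeting, seen on port 443
FTP_LOGIN_ON_443 = b"USER anonymous\r\n"                         # client command on the same flow
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x26\x01\x00\x00\x22\x03\x03" + b"\x00" * 32   # genuine TLS on 443

if __name__ == "__main__":
    for name, payload in [("ftp banner", FTP_BANNER_ON_443), ("ftp login", FTP_LOGIN_ON_443),
                          ("client hello", TLS_CLIENT_HELLO)]:
        print(f"{name:13s} on 443 -> {decode_as(443, payload)}")
```

Wireshark's own heuristic dissectors do something similar for some protocols, but the workshop's scenario shows the default: port wins, and a cleartext FTP session on 443 is shown as SSL until you override it.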
  • 30.–32. (screenshot slides, no transcript text)
  • 33. Packet Analysis: Reconstruct File and Data
  • 34. Reconstruct Data • Receiver: nc -lv 110 > confidential.pdf • Sender: nc -vv 192.168.1.222 110 < confidential.pdf • A PDF and a ZIP sent over a non-standard port (110 is normally POP3) with netcat; traditional GNU netcat needs nc -l -p 110 for the listener
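Slides 33–44 recover the PDF and ZIP from the capture by following the TCP stream and saving its raw bytes. The following is an added example, not code from the workshop, that does the same thing without Wireshark using only the Python standard library: it reads a classic pcap, collects the sender's TCP segments, reassembles them by sequence number while dropping a retransmission and flagging any gap (the "packets corrupted or truncated" case from slide 5), and carves the file by its signature. The capture itself is constructed inline, with assumed addresses (192.168.1.10 sending to the nc listener on 192.168.1.222:110) and a minimal stand-in for confidential.pdf.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1
MAGICS = {b"%PDF-": "pdf", b"PK\x03\x04": "zip"}        # signatures of the two file types carved in the workshop
CLIENT, SERVER = ("192.168.1.10", 40000), ("192.168.1.222", 110)   # assumed sender and nc listener
# Constructed stand-in for confidential.pdf (a minimal PDF skeleton).
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

def pcap_frames(data: bytes):
    """Yield raw Ethernet frames from a classic pcap blob (pcapng is a different container)."""
    byte_order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    assert struct.unpack(byte_order + "I", data[20:24])[0] == LINKTYPE_ETHERNET
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(byte_order + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame: bytes):
    """Return (src, sport, dst, dport, seq, payload) or None if the frame is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total]                      # honour IP total length so Ethernet padding is not taken as data
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4            # TCP options shift where the payload starts
    dotted = lambda b: ".".join(map(str, b))
    return dotted(ip[12:16]), sport, dotted(ip[16:20]), dport, seq, tcp[data_off:]

def reassemble(segments, client, server):
    """Rebuild the client->server byte stream: order by seq, drop retransmits, trim overlaps, record gaps."""
    flow = sorted((seq, p) for s, sp, d, dp, seq, p in segments if (s, sp, d, dp) == client + server and p)
    out, gaps, expected = bytearray(), [], None
    for seq, payload in flow:
        end = seq + len(payload)
        expected = seq if expected is None else expected
        if end <= expected:                  # pure retransmission: every byte already seen
            continue
        if seq > expected:                   # missing segment: the carved file will be incomplete
            gaps.append((expected, seq))
        elif seq < expected:                 # partial overlap with data already kept
            payload = payload[expected - seq:]
        out += payload
        expected = end
    return bytes(out), gaps

def carve(stream: bytes):
    """Locate the first known file signature and return (kind, bytes from that signature onward)."""
    hits = [(stream.find(m), k) for m, k in MAGICS.items() if m in stream]
    return (None, b"") if not hits else (min(hits)[1], stream[min(hits)[0]:])

def extract_file(pcap: bytes):
    segs = [s for s in map(tcp_segment, pcap_frames(pcap)) if s]
    stream, gaps = reassemble(segs, CLIENT, SERVER)
    kind, data = carve(stream)
    return kind, data, gaps

# --- constructed capture of the nc transfer: one late segment, one retransmission, one bare ACK ---
def _frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame with zero checksums (fine for a parsing demo, not for sending)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x66\x77\x88\x99\xaa\xbb\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))

def sample_capture(drop_middle: bool = False) -> bytes:
    parts = [PDF_SAMPLE[:20], PDF_SAMPLE[20:45], PDF_SAMPLE[45:]]
    seqs = [1000, 1000 + len(parts[0]), 1000 + len(parts[0]) + len(parts[1])]
    order = [0, 2] if drop_middle else [0, 2, 1, 1]      # middle chunk arrives late, then is retransmitted
    frames = [_frame(*CLIENT, *SERVER, seqs[i], parts[i]) for i in order]
    frames.append(_frame(*SERVER, *CLIENT, 5000, b"", flags=0x10))   # the listener's bare ACK carries no data
    return build_pcap(frames)

if __name__ == "__main__":
    kind, data, gaps = extract_file(sample_capture())
    print(kind, len(data), "bytes, gaps:", gaps, "intact:", data == PDF_SAMPLE)
```

With `drop_middle=True` the function still returns a "pdf" but reports the missing sequence range, which is the check to make before trusting a carved file: Wireshark's Follow TCP Stream silently concatenates whatever it has, and a truncated capture gives you a document that opens but is not the one that was sent. For the FTP case on slide 44 the same reassembly applies to the data connection; only the flow key changes.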
  • 35. Packet Analysis: Reconstruct PDF File
  • 36.–39. (screenshot slides, no transcript text)
  • 40. Packet Analysis: Reconstruct Zip File from an nc file transfer
  • 41.–43. (screenshot slides, no transcript text)
  • 44. Packet Analysis: Reconstruct Zip File from an FTP server
  • 45.–47. (screenshot slides, no transcript text)
  • 48. Packet Analysis: Decrypting and decoding SSL packets (Wireshark can decrypt with the server's RSA private key only when the session used RSA key exchange; with DHE/ECDHE cipher suites you need the session keys themselves, e.g. an SSLKEYLOGFILE written by the client)
  • 49.–52. (screenshot slides, no transcript text)
  • 53. Network Packet Analysis, Technical Workshop (25 October 2012), Ahmad Muammar W.K., OSCP (closing slide)