2. $WHOAMI
• Senior Security Engineer
• Developer turned Security Researcher: web app security and network pen-testing, exploit development and network forensics
• OSCP, GCIH, RHCE, CEH, ECSA, Cyber Crime Investigator
• Speaker at OWASP, NULLCON, C0C0N, CLUBHACK, ISACA conferences
• Winner of NULLCON 2010 “Battle Underground” hacking competition
3. $WHOAMI
• SANS Mentor for SEC504: Hacker Techniques, Exploits & Incident Handling course, SANS Institute, USA.
• Core member of the NULL community (www.null.co.in). Facilitates the NULL Bangalore chapter.
• Member of NASSCOM-DSCI, HONEYNET, CLUBHACK, OWASP etc.
8. WHY PACKET ANALYSIS?
• A million things can go wrong with a computer network, from a simple spyware infection to a complex router configuration error.
• The packet level is the most basic level, where nothing is hidden.
• Understand the network: who is on the network, whom your computer is talking to, what the network usage is, and any suspicious communication (DoS, botnet, intrusion attempt etc.).
• Find unsecured and bloated applications; FTP, for example, sends authentication data in clear text.
• It is one phase of computer forensics, and can reveal data otherwise hidden somewhere on a 150 GB HDD.
17. NOW WHAT?
Think of it as solving a mystery:
• Where do we start?
• What questions do we ask?
• What tools do we need?
• Once you have the traces, what then?
18. HOW DO WE DO IT?
• Capture: where, how, what, how long
• Transfer: hash, split, distribute
• Analyze: IP, protocol, time, delay, duration, pattern, graphs, charts, blah…
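The Capture, Transfer, Analyze steps on this slide (hash the trace before it leaves the capture box, then aggregate instead of reading packets one by one) and the FTP clear-text point from slide 8, as an added Python example that is not from the original deck. It builds a small constructed pcap in memory (the 10.0.0.x and 203.0.113.7 addresses, ports and the "alice" login are made up for the demo), records the file's SHA-256, parses the Ethernet/IPv4/TCP headers by hand with only the standard library, summarises conversations, and flags USER/PASS commands sent to port 21 with the password value redacted. The function names are my own and not anything the slides define.

```python
import hashlib
import ipaddress
import struct
from collections import defaultdict

# ---- Constructed sample capture (assumption: not from the original deck) ----

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame with PSH+ACK set. Checksums stay 0,
    which is fine for offline parsing; these bytes are never transmitted."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap (timestamp, frame) pairs in a classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    (1.0, build_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"USER alice\r\n")),
    (1.1, build_frame("10.0.0.20", "10.0.0.5", 21, 51000, b"331 Please specify the password.\r\n")),
    (1.2, build_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"PASS hunter2\r\n")),
    (2.0, build_frame("10.0.0.5", "203.0.113.7", 51001, 443, b"\x16\x03\x01\x00\x05hello")),
])

# ---- Transfer: hash the trace before it moves, so the analysed copy is the captured one ----

def capture_digest(data):
    return hashlib.sha256(data).hexdigest()

# ---- Analyze: parse once, then aggregate instead of scrolling through packets ----

def parse_pcap(data):
    """Return one dict per TCP/IPv4 packet: ts, src, dst, sport, dport, payload."""
    magic, = struct.unpack_from("<I", data, 0)
    link_type, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or link_type != 1:
        raise ValueError("expected a little-endian pcap with Ethernet frames")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                                  # not TCP, skip
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
        packets.append({"ts": sec + usec / 1e6, "src": src, "dst": dst,
                        "sport": sport, "dport": dport, "payload": tcp[data_off:]})
    return packets

def summarize_conversations(packets):
    """Who talks to whom, on which service port, how much and for how long.
    Keyed (client, server, server_port); the lower port is taken as the server side."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for p in packets:
        if p["sport"] < p["dport"]:
            key = (p["dst"], p["src"], p["sport"])    # reply from server to client
        else:
            key = (p["src"], p["dst"], p["dport"])    # request from client to server
        c = conv[key]
        c["packets"] += 1
        c["bytes"] += len(p["payload"])
        c["first"] = p["ts"] if c["first"] is None else min(c["first"], p["ts"])
        c["last"] = p["ts"] if c["last"] is None else max(c["last"], p["ts"])
    return dict(conv)

def find_cleartext_logins(packets, ports=(21,)):
    """Flag FTP USER/PASS commands sent in the clear. The password is redacted in the
    finding: what matters is that it crossed the wire unencrypted, not its value."""
    findings = []
    for p in packets:
        if p["dport"] not in ports:
            continue
        line = p["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            findings.append((p["src"], p["dst"], f"USER {arg}"))
        elif cmd.upper() == "PASS":
            findings.append((p["src"], p["dst"], "PASS <redacted>"))
    return findings

def same_subnet(a, b, prefix=24):
    """Slide 22's 'same subnet or different?' check, assuming a /prefix network."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(f"{b}/{prefix}", strict=False)

if __name__ == "__main__":
    print("capture sha256:", capture_digest(SAMPLE_PCAP))
    pkts = parse_pcap(SAMPLE_PCAP)
    for (client, server, port), c in summarize_conversations(pkts).items():
        scope = "same subnet" if same_subnet(client, server) else "cross subnet"
        print(f"{client} -> {server}:{port}  {c['packets']} pkts, {c['bytes']} B, "
              f"{c['last'] - c['first']:.3f}s, {scope}")
    for src, dst, what in find_cleartext_logins(pkts):
        print(f"CLEARTEXT FTP {src} -> {dst}: {what}")
```

On a real trace, replace SAMPLE_PCAP with the bytes of the captured file and compare capture_digest() with the hash recorded on the capture host before the copy was transferred; the conversation table is the starting point for the "who is talking to whom" questions rather than a packet-by-packet read.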
22. MORE QUESTIONS, BETTER ANALYSIS
• Are the servers in the same location or in different ones?
• Same subnet or different subnet?
• Any suspicion about an IP address or application?
• When did it start?
• How and when was it identified?
• Why are you there: lack of resources, time, or expertise?
23. WHAT NOT TO DO
• Do not scroll up and down trying to read packets manually one by one.
• Do not capture any and every traffic just for the sake of capturing.
• Do not ASSUME. You can have thoughts and suspicions.
37. REFERENCE
• Wireshark University by Laura Chappell and Gerald Combs
• Sharkfest talks: Betty DuBois on Network Mysteries
• Securitytube.net by Vivek Ramachandran
• Pictures courtesy of Google; not my property.