The document outlines an agenda for a technical workshop on network packet analysis using Wireshark. The agenda includes playing with captured network files, examining Wireshark features, conducting packet analysis case studies, reviewing other packet analysis tools, and creating Wireshark dissectors. The workshop also demonstrates Wireshark statistics, protocol hierarchy, conversations, and IO graphs as useful features for analysis. It presents four case studies analyzing network packet captures and provides a summary of an attack called "Operation Aurora". Finally, it briefly introduces other packet analysis tools like Xplico and Network Miner.

1. Network Packet
Analysis
Technical Workshop (21 Desember 2012)
Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

2. Agenda
• Play with Captured Network File
• Wireshark Feature
• Packet Analysis Case Study
• Another Packet Analysis Tools
• Create Wireshark Dissector
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

3. Packet Analysis
• Analyze fileds within protocols
• Analyze Protocols within packets
• Analyze Packets within streams
• Reconstruct higher-layer protocols
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

4. Wireshark Statistics
Usefull Feature for Analysis
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

5. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

6. Summary
• Show Information About Data Capture
• Contain: File Information, Time package
captured, Capture Information, Display
Filter used, Traffic Summary, show
Captured, Displayed (if display filter is
set) and Marked.
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

7. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

8. Protocol Hierarchy
• Display a hierarchical tree of protocol
statistics
• Tree of all protocols captured, able to
expand and collapse the subtree.
• We are able to get info about what is the
most protocol in a network captured file
and will be our hint.
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

9. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

10. Conversations
• Display a list of conversations (traffic
between two endpoints)
• Support: Protocol Specific Windows,
Name Resolution and Limit to Display
Filter
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

11. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

12. IO Graphs
• Display user specified graphs (e.g number
of pakets in the course of time)
• Support: 5 differently colored graphs base
on Display filter.
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

13. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

14. Tuesday, January 22, 13

15. Wireshark
CASE FILE : SATU
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

16. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

17. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

18. Wireshark
CASE FILE : DUA
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

19. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

20. Use Wireshark Analysis
please :)
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

21. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

22. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

23. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

24. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

25. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

26. Let the packet tell the
truths
CASE FILE : TIGA
Reference: Practical Packet Analysis
http://chrissanders.org/captures/aurora.pcap
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

27. Summary
• Victims received a targeted email from the
attacker that appears to be legitimate, clicks
a link within it, and sends a GET request to
the attacke’s malicious site.
• The attacker’s web server issues 302
redirection to the victim, and the victim’s
browser issues a GET request to the
redirected URL.
http://chrissanders.org/captures/aurora.pcap Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

28. Summary
• The Attacker’s Web Server transmits a web
page containing obfuscated JavaScript code
to the client that includes a vulnerability
exploit and an iframe containing a link to a
malicious GIF Image
• The victim issues a GET Requests for the
malicious image and downloads it from
server
http://chrissanders.org/captures/aurora.pcap Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

29. Summary
• The javascript code transmitted earlier is
deobfuscated using the malicious GIF, and the
code executes on the victim’s machine,
exploiting a vulnerability in
Internet Explorer
• Once it exploited, the payload hidden within
the obfuscated code is executed, opening a
new session from the victim to the attacker
on port 4321
http://chrissanders.org/captures/aurora.pcap Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

30. Summary
• A command Shell is spawned from the
payload and shoveled back to the attacker.
• And its called “Operation Aurora”.
http://chrissanders.org/captures/aurora.pcap
Tuesday, January 22, 13

31. Tuesday, January 22, 13

32. Tuesday, January 22, 13

33. Tuesday, January 22, 13

34. Tuesday, January 22, 13

35. Tuesday, January 22, 13

36. Tuesday, January 22, 13

37. Tuesday, January 22, 13

38. Tuesday, January 22, 13

39. Tuesday, January 22, 13

40. Another tools
for packet analysis
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

41. XPLICO
• Xplico is an open source Network Forensic
Analysis Tool (NFAT).
• Extract from an internet traffic capture the
applications data contained. From a pcap file
to extracts each email (POP, IMAP, and SMTP
protocols), all HTTP contents, each VoIP call
(SIP), FTP, TFTP, etc.
• xplico.org
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

42. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

43. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

44. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

45. Network Miner
• NetworkMiner is a Network Forensic
Analysis Tool (NFAT) for Windows (but also
works in Linux / Mac OS X / FreeBSD)
• NetworkMiner can be used as a passive
network sniffer/packet capturing tool in
order to detect operating systems, sessions,
hostnames, open ports etc
• netresec.com
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

46. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

47. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

48. PCAP Sample
• http://wiki.wireshark.org/SampleCaptures
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

49. Packet Analysis
Creating Own Wireshark Dissector for Own/Others
protocol
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

50. Wireshark Dissector
• Allow Wireshark to automatically break
down into various section so that it can
be analyzed
• Translator, decoder
• Not work for non-standard/default port.
• Creating With LUA
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

51. LUA
• "Lua" (pronounced LOO-ah) means
"Moon" in Portuguese
• Lua is a powerful, fast, lightweight,
embeddable scripting language.
• Lua combines simple procedural syntax
with powerful data description constructs
based on associative arrays and extensible
semantics
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

52. Download LUA
• LUA for Windows
• http://luaforwindows.luaforge.net/
• Install LUA
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

53. Simple LUA
• code it:
• echo “print("Hello World")” > hello.lua
• run it:
• prompt> lua hello.lua
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

54. Wireshark + LUA
Check support and compatibility
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

55. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

56. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

57. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

58. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

59. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

60. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

61. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

62. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

63. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

64. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

65. Reference
• Lua Support In Wireshark - http://
www.wireshark.org/docs/
wsug_html_chunked/wsluarm.html
• http://wiki.wireshark.org/Lua
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

66. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

67. Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13

68. Network Packet
Analysis
Technical Workshop (21 Desember 2012)
Ahmad Muammar W.K. OSCP
Network Packet Analysis - Ahmad Muammar W.K. OSCP
Tuesday, January 22, 13