Network Packet Analysis

  1. Network Packet Analysis Technical Workshop (21 December 2012). Ahmad Muammar W.K., OSCP. Tuesday, January 22, 13
  2. Agenda • Working with captured network files • Wireshark features • Packet analysis case studies • Other packet analysis tools • Creating a Wireshark dissector
  3. Packet Analysis • Analyze fields within protocols • Analyze protocols within packets • Analyze packets within streams • Reconstruct higher-layer protocols
  4. Wireshark Statistics: useful features for analysis
  6. Summary • Shows information about the capture • Contains: file information, the time the packets were captured, capture information, the display filter in use, and a traffic summary with counts for captured, displayed (if a display filter is set) and marked packets.
  8. Protocol Hierarchy • Displays a hierarchical tree of protocol statistics • The tree covers every protocol seen in the capture; subtrees can be expanded and collapsed • It shows which protocols dominate the capture file, which is a first hint about where to look.
  10. Conversations • Displays a list of conversations (traffic between two endpoints) • Supports protocol-specific tabs (Ethernet, IPv4, TCP, UDP and others), name resolution, and limiting the list to the current display filter
  12. IO Graphs • Displays user-specified graphs (e.g. number of packets over time) • Supports up to five differently colored graphs, each driven by its own display filter
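The statistics windows above are built on Wireshark "taps", and the same taps are scriptable from Lua. As an added example (not from the workshop slides), the following tap listener rebuilds the Conversations table for IPv4 endpoints (packets, bytes and duration per address pair) and prints it once tshark has read the whole file. The file names conv.lua and capture.pcap are placeholders. The built-in equivalents are `tshark -q -z conv,ip -r capture.pcap` for conversations and `-z io,phs` for the protocol hierarchy; the script shows what those reports are made of.

```lua
-- conv.lua: rebuild the "Conversations" statistics from a Wireshark tap.
-- Added example, not from the workshop slides.
-- Run:  tshark -q -r capture.pcap -X lua_script:conv.lua
-- (-q suppresses the per-packet lines so only the table from draw() is shown)

-- Field extractors must be created at script load time, not inside callbacks.
local ip_src = Field.new("ip.src")
local ip_dst = Field.new("ip.dst")

-- A listener on the "frame" tap, limited by an ordinary display filter.
-- This is what the GUI's "Limit to display filter" checkbox does; change
-- "ip" to e.g. "ip && tcp.port == 80" to narrow the table further.
local tap = Listener.new("frame", "ip")

local conversations = {}  -- key "A <-> B" (addresses sorted so both directions merge)

local function key_for(a, b)
  if a < b then
    return a .. " <-> " .. b
  end
  return b .. " <-> " .. a
end

-- packet() runs once per frame that matches the filter.
function tap.packet(pinfo, tvb, tapinfo)
  local src, dst = ip_src(), ip_dst()
  if not src or not dst then
    return
  end
  local k = key_for(tostring(src), tostring(dst))
  local c = conversations[k]
  if not c then
    c = { packets = 0, bytes = 0, first = pinfo.rel_ts, last = pinfo.rel_ts }
    conversations[k] = c
  end
  c.packets = c.packets + 1
  c.bytes = c.bytes + pinfo.len   -- on-the-wire frame length, as in the GUI
  if pinfo.rel_ts > c.last then
    c.last = pinfo.rel_ts
  end
end

-- draw() runs after the last packet (tshark) or periodically (Wireshark GUI).
function tap.draw()
  local rows = {}
  for k, c in pairs(conversations) do
    rows[#rows + 1] = { key = k, packets = c.packets, bytes = c.bytes,
                        duration = c.last - c.first }
  end
  -- Largest talkers first: the same order the GUI gives when sorting by "Bytes".
  table.sort(rows, function(a, b) return a.bytes > b.bytes end)
  print(string.format("%-45s %8s %10s %10s", "Conversation", "Packets", "Bytes", "Duration"))
  for _, r in ipairs(rows) do
    print(string.format("%-45s %8d %10d %10.3f", r.key, r.packets, r.bytes, r.duration))
  end
end

-- reset() is called when the capture is reloaded or refiltered.
function tap.reset()
  conversations = {}
end
```

The sort by bytes is the usual first move in a case file: the top conversation is where the bulk transfer, the scan or the exfiltration lives, and the filter argument to Listener.new lets you cut the table down to one protocol before looking.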
  15. Wireshark CASE FILE: ONE (SATU)
  18. Wireshark CASE FILE: TWO (DUA)
  20. Use Wireshark's analysis features, please :)
  26. Let the packets tell the truth. CASE FILE: THREE (TIGA). Reference: Practical Packet Analysis (Chris Sanders), http://chrissanders.org/captures/aurora.pcap
  27. Summary • The victim receives a targeted email from the attacker that appears legitimate, clicks a link within it, and sends a GET request to the attacker's malicious site. • The attacker's web server answers with a 302 redirect, and the victim's browser issues a GET request to the redirected URL. http://chrissanders.org/captures/aurora.pcap
  28. Summary • The attacker's web server transmits a web page containing obfuscated JavaScript to the client; the script includes a vulnerability exploit and an iframe that links to a malicious GIF image. • The victim issues a GET request for the malicious image and downloads it from the server.
  29. Summary • The JavaScript transmitted earlier is deobfuscated using the malicious GIF, and the code executes on the victim's machine, exploiting a vulnerability in Internet Explorer. • Once the exploit succeeds, the payload hidden within the obfuscated code runs and opens a new session from the victim to the attacker on port 4321.
  30. Summary • A command shell is spawned by the payload and shoveled back to the attacker. • This is "Operation Aurora".
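The chain above leaves three indicators in the capture: the 302 redirect, the GET for the GIF, and a new outbound TCP connection to port 4321. As an added example (not part of the workshop or of Chris Sanders' book), this Lua tap script flags each of them while tshark reads aurora.pcap. The port number is taken from the summary above, the GIF match is a deliberately loose substring test, and the script name aurora_hunt.lua is a placeholder. In the Wireshark GUI the same three display filters can be typed into the filter bar directly.

```lua
-- aurora_hunt.lua: flag the indicators of the attack chain summarised above.
-- Added example, not from the workshop or from Practical Packet Analysis.
-- Run:  tshark -q -r aurora.pcap -X lua_script:aurora_hunt.lua

-- Port taken from the case summary ("new session ... on port 4321").
local SHELL_PORT = 4321

-- Field extractors are created once, at load time.
local http_location = Field.new("http.location")
local http_uri      = Field.new("http.request.uri")

-- 1. HTTP 302 responses: the attacker's server redirecting the victim's
--    browser to the page that carries the obfuscated JavaScript.
local redirects = Listener.new("frame", "http.response.code == 302")
function redirects.packet(pinfo, tvb, tapinfo)
  local loc = http_location()
  print(string.format("[frame %d] 302 from %s to %s, Location: %s",
    pinfo.number, tostring(pinfo.src), tostring(pinfo.dst),
    loc and tostring(loc) or "(none)"))
end

-- 2. GET requests for a GIF: the image used to deobfuscate the JavaScript.
--    A substring match on the URI is deliberately loose; tighten it for other cases.
local gif_requests = Listener.new("frame",
  'http.request.method == "GET" && http.request.uri contains ".gif"')
function gif_requests.packet(pinfo, tvb, tapinfo)
  print(string.format("[frame %d] %s requested %s from %s",
    pinfo.number, tostring(pinfo.src), tostring(http_uri()), tostring(pinfo.dst)))
end

-- 3. A new TCP connection (SYN without ACK) to the shell port: the payload
--    calling back from the victim to the attacker.
local callbacks = Listener.new("frame",
  string.format("tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == %d", SHELL_PORT))
function callbacks.packet(pinfo, tvb, tapinfo)
  print(string.format("[frame %d] %s:%d -> %s:%d  new connection to shell port (possible reverse shell)",
    pinfo.number, tostring(pinfo.src), pinfo.src_port, tostring(pinfo.dst), pinfo.dst_port))
end
```

Reading the three outputs in frame order reproduces the timeline on the slides: the redirect, then the GIF download, then the callback from the same victim address. The SYN-without-ACK test is what distinguishes the victim opening the session from any later traffic on that port, which is why it is more useful than filtering on `tcp.port == 4321` alone.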
  40. Other tools for packet analysis
  41. XPLICO • Xplico is an open source Network Forensic Analysis Tool (NFAT). • It extracts the application data contained in an Internet traffic capture: from a pcap file it recovers each email (POP, IMAP and SMTP), all HTTP content, each VoIP call (SIP), FTP and TFTP transfers, and more. • xplico.org
  45. NetworkMiner • NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (it also runs on Linux, Mac OS X and FreeBSD) • NetworkMiner can be used as a passive network sniffer/packet capture tool to detect operating systems, sessions, hostnames, open ports and more • netresec.com
  48. PCAP samples • http://wiki.wireshark.org/SampleCaptures
  49. Packet Analysis: creating your own Wireshark dissector for your own or other protocols
  50. Wireshark Dissector • Lets Wireshark automatically break a protocol down into its fields so that it can be analyzed • A translator/decoder • Built-in dissectors are bound to a protocol's default port: traffic on a non-standard port is not decoded until you use "Decode As..." or register your own dissector on that port • Can be written in Lua
  51. Lua • "Lua" (pronounced LOO-ah) means "Moon" in Portuguese • Lua is a powerful, fast, lightweight, embeddable scripting language • Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics
  52. Download Lua • Lua for Windows • http://luaforwindows.luaforge.net/ • Install Lua
  53. Simple Lua • code it: echo 'print("Hello World")' > hello.lua (single quotes keep the inner double quotes intact for the shell) • run it: prompt> lua hello.lua
  54. Wireshark + Lua: check support and compatibility (Help > About Wireshark lists "with Lua" in the build information when Lua support is compiled in)
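Putting the pieces together: as an added example (not one of the workshop's slides), here is a complete Lua dissector for a hypothetical UDP protocol with a 3-byte header (one type byte and a big-endian length) followed by a payload. The protocol, its port 5555 and the file name simple_proto.lua are all made up for the illustration; the expert-info calls (ProtoExpert, add_proto_expert_info) need a Wireshark release newer than the 1.8 series that was current at this workshop.

```lua
-- simple_proto.lua: a Lua dissector for a hypothetical UDP protocol.
-- Added example, not from the workshop slides. Assumed wire format:
--   byte 0     : message type (1 = PING, 2 = PONG, 3 = DATA)
--   bytes 1-2  : payload length, big-endian
--   bytes 3..  : payload
-- Load it with:  tshark -X lua_script:simple_proto.lua -r capture.pcap
-- or drop it into the personal plugins folder (Help > About Wireshark > Folders).

local simple = Proto("simple", "Simple Example Protocol")

local msg_types = { [1] = "PING", [2] = "PONG", [3] = "DATA" }

-- Fields become filterable as simple.type, simple.len, simple.payload.
local f_type    = ProtoField.uint8 ("simple.type",    "Type",   base.DEC, msg_types)
local f_len     = ProtoField.uint16("simple.len",     "Length", base.DEC)
local f_payload = ProtoField.bytes ("simple.payload", "Payload")
simple.fields = { f_type, f_len, f_payload }

-- Expert info so truncated or lying headers show up under Analyze > Expert Info.
local ef_short  = ProtoExpert.new("simple.short",  "Header truncated",
                                  expert.group.MALFORMED, expert.severity.ERROR)
local ef_badlen = ProtoExpert.new("simple.badlen", "Declared length exceeds packet",
                                  expert.group.MALFORMED, expert.severity.WARN)
simple.experts = { ef_short, ef_badlen }

local HDR_LEN = 3

function simple.dissector(buffer, pinfo, tree)
  local len = buffer:len()
  pinfo.cols.protocol = "SIMPLE"
  local subtree = tree:add(simple, buffer(), "Simple Example Protocol")

  -- Never trust the length on the wire: check that the header fits first.
  if len < HDR_LEN then
    subtree:add_proto_expert_info(ef_short)
    return len
  end

  local mtype = buffer(0, 1):uint()
  local plen  = buffer(1, 2):uint()
  subtree:add(f_type, buffer(0, 1))
  subtree:add(f_len,  buffer(1, 2))
  pinfo.cols.info = string.format("%s len=%d", msg_types[mtype] or ("type " .. mtype), plen)

  -- Clamp the payload to what is actually present instead of raising an exception.
  if plen > len - HDR_LEN then
    subtree:add_proto_expert_info(ef_badlen)
    plen = len - HDR_LEN
  end
  if plen > 0 then
    subtree:add(f_payload, buffer(HDR_LEN, plen))
  end
  return len
end

-- Bind to a UDP port. Traffic on any other port is only decoded when you say
-- so, e.g. "Decode As..." in the GUI or:  tshark -d udp.port==6666,simple
DissectorTable.get("udp.port"):add(5555, simple)
```

The two expert-info checks are the part worth copying into real dissectors: a malformed or hostile packet should produce a flagged tree entry, never a Lua error that aborts dissection of the rest of the frame.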
  65. Reference • Lua Support in Wireshark - http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html • http://wiki.wireshark.org/Lua
