Network Packet Analysis
Technical Workshop (21 December 2012)
Ahmad Muammar W.K. OSCP (Ammar WK)




Tuesday, January 22, 13
Agenda

• Play with captured network files
• Wireshark features
• Packet analysis case studies
• Other packet analysis tools
• Create a Wireshark dissector

                                            Network Packet Analysis - Ahmad Muammar W.K. OSCP
Packet Analysis

• Analyze fields within protocols
• Analyze protocols within packets
• Analyze packets within streams
• Reconstruct higher-layer protocols from those streams

Wireshark Statistics
Useful features for analysis (Statistics menu)




Summary

• Shows information about the capture as a whole.
• Contains: file information, the time span over which packets were captured, capture information (interface, filter), the display filter currently in use, and a traffic summary with separate columns for Captured, Displayed (if a display filter is set) and Marked packets.


Protocol Hierarchy
• Displays a hierarchical tree of protocol statistics.
• The tree covers every protocol seen in the capture; subtrees can be expanded and collapsed.
• It tells us which protocols dominate the capture file, which is the first hint of where to look.


Conversations

• Displays a list of conversations (traffic between two endpoints), with packet and byte counts per direction.
• Supports: protocol-specific tabs (Ethernet, IPv4, TCP, UDP, ...), name resolution, and "Limit to display filter".



IO Graphs

• Displays user-specified graphs (e.g. number of packets over time).
• Supports up to five differently colored graphs, each driven by its own display filter.
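The Summary, Protocol Hierarchy, Conversations and IO Graphs windows above are all built from per-packet taps. The following Lua listener recomputes the same four statistics from the command line, which is handy when a capture is too large for the GUI or when you want the numbers in a script. It is an added example for this page, not code from the original workshop; the script name conv_stats.lua and the capture name capture.pcap are assumptions.

```lua
-- conv_stats.lua: recompute Wireshark's Summary, Protocol Hierarchy,
-- Conversations and a 1-second IO series from a Lua tap (added example,
-- not from the original slides). Run with:
--   tshark -q -r capture.pcap -X lua_script:conv_stats.lua

-- Field extractors must be created before the tap starts running.
local f_protocols = Field.new("frame.protocols")  -- e.g. "eth:ethertype:ip:tcp:http"
local f_ip_src    = Field.new("ip.src")
local f_ip_dst    = Field.new("ip.dst")
local f_tcp_src   = Field.new("tcp.srcport")
local f_tcp_dst   = Field.new("tcp.dstport")
local f_udp_src   = Field.new("udp.srcport")
local f_udp_dst   = Field.new("udp.dstport")

local hierarchy, conversations, io_series = {}, {}, {}
local total_frames, total_bytes, first_ts, last_ts = 0, 0, nil, 0

-- Order the two endpoints so both directions map to the same conversation key.
local function conv_key(proto, a, ap, b, bp)
  local ea, eb = a .. ":" .. tostring(ap), b .. ":" .. tostring(bp)
  if ea > eb then ea, eb = eb, ea end
  return proto .. " " .. ea .. " <-> " .. eb
end

local function bump(tbl, key, bytes)
  local e = tbl[key] or { frames = 0, bytes = 0 }
  e.frames, e.bytes = e.frames + 1, e.bytes + bytes
  tbl[key] = e
end

-- A Listener with no tap name and no filter sees every frame once.
local tap = Listener.new()

function tap.packet(pinfo, tvb)
  local bytes = pinfo.len
  total_frames, total_bytes = total_frames + 1, total_bytes + bytes
  first_ts = first_ts or pinfo.rel_ts
  last_ts = pinfo.rel_ts

  -- IO graph data: frames per whole second of relative time.
  local sec = math.floor(pinfo.rel_ts)
  io_series[sec] = (io_series[sec] or 0) + 1

  -- Protocol hierarchy: credit every prefix of the protocol path, so
  -- "eth:ethertype:ip:tcp:http" counts towards eth, ip, tcp and http.
  local protos = f_protocols()
  if protos then
    local path = ""
    for name in tostring(protos):gmatch("[^:]+") do
      path = (path == "") and name or (path .. ":" .. name)
      bump(hierarchy, path, bytes)
    end
  end

  -- Conversations: IP pair plus transport ports (TCP, then UDP, else bare IP).
  local src, dst = f_ip_src(), f_ip_dst()
  if src and dst then
    local sp, dp, proto = f_tcp_src(), f_tcp_dst(), "TCP"
    if not sp then sp, dp, proto = f_udp_src(), f_udp_dst(), "UDP" end
    if sp and dp then
      bump(conversations, conv_key(proto, tostring(src), sp.value, tostring(dst), dp.value), bytes)
    else
      bump(conversations, conv_key("IP", tostring(src), "-", tostring(dst), "-"), bytes)
    end
  end
end

local function by_frames(tbl)
  local keys = {}
  for k in pairs(tbl) do keys[#keys + 1] = k end
  table.sort(keys, function(x, y) return tbl[x].frames > tbl[y].frames end)
  return keys
end

-- draw() runs once at the end of the file under "tshark -q".
function tap.draw()
  print(string.format("Summary: %d frames, %d bytes, %.3f s of traffic",
                      total_frames, total_bytes, (last_ts or 0) - (first_ts or 0)))
  print("\nProtocol hierarchy (frames / bytes / %% of frames):")
  for _, path in ipairs(by_frames(hierarchy)) do
    local e = hierarchy[path]
    print(string.format("  %-40s %6d %9d %5.1f%%", path, e.frames, e.bytes, 100 * e.frames / total_frames))
  end
  print("\nConversations, busiest first:")
  for _, k in ipairs(by_frames(conversations)) do
    local e = conversations[k]
    print(string.format("  %-50s %6d frames %9d bytes", k, e.frames, e.bytes))
  end
  print("\nIO series (frames per second):")
  for sec = math.floor(first_ts or 0), math.floor(last_ts or 0) do
    print(string.format("  %5ds %6d", sec, io_series[sec] or 0))
  end
end

function tap.reset()
  hierarchy, conversations, io_series = {}, {}, {}
  total_frames, total_bytes, first_ts, last_ts = 0, 0, nil, 0
end
```

Field.new() must be called at load time, before the listener receives its first packet; calling it inside tap.packet() is an error. Each Field extractor returns only the first matching FieldInfo in the frame, so a frame carrying an ICMP error with an embedded IP header is credited to the outer addresses, which matches what the Conversations window does.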




Wireshark
CASE FILE: ONE




Wireshark
CASE FILE: TWO




Use Wireshark's analysis features, please :)




Let the packets tell the truth
CASE FILE: THREE
Reference: Practical Packet Analysis (Chris Sanders)
http://chrissanders.org/captures/aurora.pcap




Summary
• The victim receives a targeted email from the attacker that appears to be legitimate, clicks a link within it, and the browser sends a GET request to the attacker's malicious site.
• The attacker's web server answers with a 302 redirection, and the victim's browser issues a GET request to the redirected URL.

• The attacker's web server transmits a web page containing obfuscated JavaScript to the client; the page includes the vulnerability exploit and an iframe pointing at a malicious GIF image.
• The victim issues a GET request for the malicious image and downloads it from the server.

• The JavaScript transmitted earlier is deobfuscated with the help of the malicious GIF, and the resulting code runs in the victim's browser, exploiting a vulnerability in Internet Explorer.
• Once the exploit succeeds, the payload hidden within the obfuscated code executes and opens a new TCP session from the victim to the attacker on port 4321.
• A command shell is spawned by the payload and shoveled back to the attacker over that session.
• This chain is what became known as "Operation Aurora".
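Every step in that summary leaves a visible artifact in the capture: an HTTP GET, a 302 with a Location header, a follow-up GET, an image response, and a fresh TCP handshake to port 4321. The listener below prints those artifacts as a timeline so the narrative can be checked against aurora.pcap rather than taken on trust. It is an added example for this page, not code from the workshop or from the Practical Packet Analysis book; the script name and the constant SHELL_PORT are this example's own names, and port 4321 is the value the summary gives.

```lua
-- aurora_timeline.lua: list HTTP requests, HTTP responses (with 302 Location
-- and Content-Type) and new TCP sessions in capture order, and flag sessions
-- to the port the summary names. Added example, not from the original slides.
--   tshark -q -r aurora.pcap -X lua_script:aurora_timeline.lua
local SHELL_PORT = 4321  -- port named in the summary above

local f_method   = Field.new("http.request.method")
local f_host     = Field.new("http.host")
local f_uri      = Field.new("http.request.uri")
local f_code     = Field.new("http.response.code")
local f_location = Field.new("http.location")
local f_ctype    = Field.new("http.content_type")
local f_dstport  = Field.new("tcp.dstport")

local events = {}
local pending_redirect = nil  -- Location of the last 302 until a GET follows it

local function note(pinfo, msg)
  events[#events + 1] = string.format("%9.3f  #%-5d %s -> %s  %s",
    pinfo.rel_ts, pinfo.number, tostring(pinfo.src), tostring(pinfo.dst), msg)
end

-- Only three kinds of frame matter: HTTP requests, HTTP responses, and the
-- first SYN of a new TCP session. The display filter keeps the tap cheap.
local tap = Listener.new("frame",
  "http.request or http.response or (tcp.flags.syn == 1 and tcp.flags.ack == 0)")

function tap.packet(pinfo, tvb)
  local method = f_method()
  if method then
    local url = (f_host() and tostring(f_host()) or "") .. (f_uri() and tostring(f_uri()) or "")
    local tag = ""
    -- Match the redirect target loosely: Location may be absolute, the
    -- request line only carries host + path.
    if pending_redirect and (pending_redirect:find(url, 1, true) or url:find(pending_redirect, 1, true)) then
      tag, pending_redirect = "  [follows the 302 redirect]", nil
    end
    note(pinfo, tostring(method) .. " " .. url .. tag)
    return
  end

  local code = f_code()
  if code then
    local msg = "HTTP " .. tostring(code.value)
    local ctype = f_ctype()
    if ctype then msg = msg .. " (" .. tostring(ctype) .. ")" end
    if code.value == 302 then
      local loc = f_location()
      if loc then
        pending_redirect = tostring(loc)
        msg = msg .. " redirect to " .. pending_redirect
      end
    end
    note(pinfo, msg)
    return
  end

  -- Anything left is a bare SYN: a brand-new TCP session.
  local dport = f_dstport()
  if dport then
    local msg = "new TCP session to port " .. tostring(dport.value)
    if dport.value == SHELL_PORT then
      msg = msg .. "  <== victim connecting back to the port in the summary"
    end
    note(pinfo, msg)
  end
end

function tap.draw()
  print("Event timeline (relative seconds, frame number, src -> dst):")
  for _, line in ipairs(events) do print(line) end
end

function tap.reset()
  events, pending_redirect = {}, nil
end
```

Reading the output top to bottom should reproduce the bullet list above in order; if a step is missing, that is the first thing to investigate with Follow TCP Stream. The SYN to port 4321 is the one line that matters for containment, because it is the session on which the shell is shoveled back.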
Other tools for packet analysis




XPLICO
• Xplico is an open source Network Forensic Analysis Tool (NFAT).
• It extracts the application data contained in an internet traffic capture: from a pcap file it recovers each email (POP, IMAP and SMTP), all HTTP content, each VoIP call (SIP), FTP and TFTP transfers, and more.
• xplico.org
NetworkMiner
• NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (it also runs on Linux, Mac OS X and FreeBSD).
• NetworkMiner can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc., without sending any traffic itself.
• netresec.com
PCAP Samples

• http://wiki.wireshark.org/SampleCaptures



Packet Analysis
Creating your own Wireshark dissector for your own (or someone else's) protocol




Wireshark Dissector
• Lets Wireshark automatically break a packet down into its fields so that it can be analyzed.
• A translator, a decoder.
• Built-in dissectors are selected by well-known port, so a protocol running on a non-standard port (or a custom protocol) is shown only as raw data unless you use "Decode As..." or register your own dissector on that port.
• Can be written in Lua, without recompiling Wireshark.
Lua
• "Lua" (pronounced LOO-ah) means "moon" in Portuguese.
• Lua is a powerful, fast, lightweight, embeddable scripting language.
• Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics.

Download Lua

• Lua for Windows
• http://luaforwindows.luaforge.net/
• Install Lua


Simple Lua

• code it:
  • echo 'print("Hello World")' > hello.lua
• run it:
  • prompt> lua hello.lua

Wireshark + Lua
Check support and compatibility (Help > About Wireshark should list "with Lua"; tshark -v prints the same line).
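A complete dissector, to show every part of the API that the bullets above refer to: a Proto, its ProtoFields, the dissector function, and registration on a port so Wireshark picks it up without "Decode As...". This is an added example for this page, not code from the original workshop. The protocol "WKP", its header layout, its UDP port 9999 and the file name wkp.lua are all invented for the example; the only real thing here is the Wireshark Lua API.

```lua
-- wkp.lua: Wireshark dissector for a made-up protocol ("WKP"), an added
-- example, not from the original slides. Load it with
--   tshark -X lua_script:wkp.lua -r capture.pcap
-- or drop it into the Wireshark plugins directory.
--
-- Assumed wire format (big-endian), invented for this example:
--   offset 0, 2 bytes  magic   0x574B ("WK")
--   offset 2, 1 byte   version
--   offset 3, 1 byte   type    1 = HELLO, 2 = DATA, 3 = BYE
--   offset 4, 2 bytes  length  number of payload bytes after the 6-byte header
--   offset 6, n bytes  payload text for HELLO/BYE, opaque bytes for DATA

local wkp = Proto("wkp", "WK Protocol (example)")

local msg_types = { [1] = "HELLO", [2] = "DATA", [3] = "BYE" }

local f_magic   = ProtoField.uint16("wkp.magic",   "Magic",          base.HEX)
local f_version = ProtoField.uint8 ("wkp.version", "Version",        base.DEC)
local f_type    = ProtoField.uint8 ("wkp.type",    "Type",           base.DEC, msg_types)
local f_length  = ProtoField.uint16("wkp.length",  "Payload length", base.DEC)
local f_text    = ProtoField.string("wkp.text",    "Text")
local f_data    = ProtoField.bytes ("wkp.data",    "Data")

wkp.fields = { f_magic, f_version, f_type, f_length, f_text, f_data }

local WKP_MAGIC  = 0x574B
local HEADER_LEN = 6

function wkp.dissector(tvb, pinfo, tree)
  -- Refuse anything that is not ours: too short, or wrong magic. Returning 0
  -- tells Wireshark the packet was not claimed, so it falls back to "data".
  if tvb:len() < HEADER_LEN or tvb(0, 2):uint() ~= WKP_MAGIC then
    return 0
  end

  pinfo.cols.protocol = "WKP"
  local subtree = tree:add(wkp, tvb(), "WK Protocol")
  subtree:add(f_magic,   tvb(0, 2))
  subtree:add(f_version, tvb(2, 1))
  subtree:add(f_type,    tvb(3, 1))
  subtree:add(f_length,  tvb(4, 2))

  local mtype = tvb(3, 1):uint()
  local plen  = tvb(4, 2):uint()
  local avail = tvb:len() - HEADER_LEN
  pinfo.cols.info = string.format("%s len=%d", msg_types[mtype] or ("type " .. mtype), plen)

  -- Never trust the length field: a packet can claim more payload than was
  -- captured or sent. Dissect only the bytes that exist and flag the mismatch,
  -- instead of indexing past the buffer and throwing a malformed-packet error.
  if plen > avail then
    subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
      string.format("length field %d exceeds available payload %d", plen, avail))
    plen = avail
  end

  if plen > 0 then
    local payload = tvb(HEADER_LEN, plen)
    if mtype == 2 then
      subtree:add(f_data, payload)
    else
      subtree:add(f_text, payload)
    end
  end

  -- Bytes after the declared payload are not WKP; hand them to the generic
  -- "data" dissector rather than silently dropping them.
  local rest = HEADER_LEN + plen
  if rest < tvb:len() then
    Dissector.get("data"):call(tvb(rest):tvb(), pinfo, tree)
  end
  return tvb:len()
end

-- Built-in dissectors are chosen by well-known port, which is why a protocol
-- on a non-default port shows up as raw UDP/TCP data. Registering on the port
-- is the persistent equivalent of "Decode As..." in the GUI.
DissectorTable.get("udp.port"):add(9999, wkp)
```

Once loaded, the fields become usable in display filters (wkp.type == 2, wkp.length > 100) and in the statistics windows, which is the real payoff of writing a dissector rather than reading hex. For a TCP protocol, register on "tcp.port" instead and remember that one segment may carry part of a message or several messages; the UDP case above is the simple one because every datagram is exactly one message.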




References

• Lua Support in Wireshark: http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html
• http://wiki.wireshark.org/Lua

Introduction about Graphics Software
 
Empathic AI: Human Factors, System Assessment and Standardisation
Empathic AI: Human Factors, System Assessment and StandardisationEmpathic AI: Human Factors, System Assessment and Standardisation
Empathic AI: Human Factors, System Assessment and Standardisation
 
Fundamentals of BI Report Testing - Module 7
Fundamentals of BI Report Testing - Module 7Fundamentals of BI Report Testing - Module 7
Fundamentals of BI Report Testing - Module 7
 
Custom Software Development Company in California | Ditstek
Custom Software Development Company in California | DitstekCustom Software Development Company in California | Ditstek
Custom Software Development Company in California | Ditstek
 

Network Packet Analysis

  • 1. Network Packet Analysis Technical Workshop (21 December 2012) Ahmad Muammar W.K. OSCP Tuesday, January 22, 13
  • 2. Agenda • Play with Captured Network File • Wireshark Feature • Packet Analysis Case Study • Other Packet Analysis Tools • Create Wireshark Dissector Network Packet Analysis - Ahmad Muammar W.K. OSCP
  • 3. Packet Analysis • Analyze fields within protocols • Analyze protocols within packets • Analyze packets within streams • Reconstruct higher-layer protocols
  • 4. Wireshark Statistics Useful Features for Analysis
  • 6. Summary • Shows information about the capture • Contains: file information, the time the packets were captured, capture information, the display filter in use, a traffic summary, and counts of captured, displayed (if a display filter is set) and marked packets.
  • 8. Protocol Hierarchy • Displays a hierarchical tree of protocol statistics • Tree of all protocols captured; each subtree can be expanded and collapsed. • Shows which protocols dominate the capture file, which is a first hint of where to look.
  • 10. Conversations • Displays a list of conversations (traffic between two endpoints) • Supports: protocol-specific windows, name resolution and "Limit to display filter"
  • 12. IO Graphs • Display user-specified graphs (e.g. number of packets over time) • Support 5 differently colored graphs, each driven by its own display filter.
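The four Statistics windows above can be reproduced with a few lines of Wireshark's own Lua tap API, which is useful when you want the same numbers from tshark in a script instead of clicking through the GUI. The listener below is an added example written for this page, not code from the workshop; it assumes a Wireshark/tshark build with Lua support (Help > About Wireshark lists "with Lua"). It reads `frame.protocols` (the dissected protocol stack of every frame) to rebuild the Protocol Hierarchy, keys conversations on the network-layer address pair, and buckets packets per second like a default IO Graph.

```lua
-- stats.lua: recompute Summary, Protocol Hierarchy, Conversations and IO Graph
-- counts as a tshark/Wireshark Lua tap. Added example, not from the slides.
-- Run:  tshark -q -X lua_script:stats.lua -r capture.pcap

-- Field extractors must be created at load time, before any packet is dissected.
local protocols_f = Field.new("frame.protocols")   -- e.g. "eth:ethertype:ip:tcp:http"

local stats
local function new_stats()
  return { packets = 0, bytes = 0, first_ts = nil, last_ts = 0,
           hierarchy = {}, conversations = {}, io = {} }
end

-- No tap name and no filter: every frame, like the unfiltered Statistics windows.
local tap = Listener.new()

function tap.reset() stats = new_stats() end
tap.reset()

function tap.packet(pinfo, tvb)
  stats.packets  = stats.packets + 1
  stats.bytes    = stats.bytes + pinfo.len
  stats.first_ts = stats.first_ts or pinfo.rel_ts
  stats.last_ts  = pinfo.rel_ts

  -- Protocol Hierarchy: count every prefix of the dissected stack, so that
  -- "eth:ethertype:ip" also counts its children "...:tcp", "...:udp" and so on.
  local protos = protocols_f()
  if protos then
    local path
    for layer in tostring(protos):gmatch("[^:]+") do
      path = path and (path .. ":" .. layer) or layer
      stats.hierarchy[path] = (stats.hierarchy[path] or 0) + 1
    end
  end

  -- Conversations: direction-agnostic pair of network-layer endpoints.
  local a, b = tostring(pinfo.src), tostring(pinfo.dst)
  if a > b then a, b = b, a end
  local key  = a .. " <-> " .. b
  local conv = stats.conversations[key] or { packets = 0, bytes = 0 }
  conv.packets, conv.bytes = conv.packets + 1, conv.bytes + pinfo.len
  stats.conversations[key] = conv

  -- IO Graph: packets per one-second bucket of capture time.
  local sec = math.floor(pinfo.rel_ts)
  stats.io[sec] = (stats.io[sec] or 0) + 1
end

-- Keys of t sorted by cmp (default: Lua's "<", i.e. alphabetical / numeric).
local function sorted_keys(t, cmp)
  local keys = {}
  for k in pairs(t) do keys[#keys + 1] = k end
  table.sort(keys, cmp)
  return keys
end

function tap.draw()
  local duration = (stats.last_ts or 0) - (stats.first_ts or 0)
  print(string.format("Summary: %d packets, %d bytes, %.3f s, %.1f packets/s",
        stats.packets, stats.bytes, duration,
        duration > 0 and stats.packets / duration or 0))

  print("\nProtocol Hierarchy (packets, % of total):")
  for _, path in ipairs(sorted_keys(stats.hierarchy)) do  -- alphabetical: children follow parents
    local n     = stats.hierarchy[path]
    local depth = select(2, path:gsub(":", ""))
    print(string.format("  %s%-30s %6d %5.1f%%", string.rep("  ", depth),
          path:match("[^:]+$"), n, 100 * n / stats.packets))
  end

  print("\nConversations (busiest first):")
  local conv = stats.conversations
  for _, key in ipairs(sorted_keys(conv,
        function(x, y) return conv[x].packets > conv[y].packets end)) do
    print(string.format("  %-45s %6d packets %9d bytes", key, conv[key].packets, conv[key].bytes))
  end

  print("\nIO (packets per second):")
  for _, sec in ipairs(sorted_keys(stats.io, function(x, y) return x < y end)) do
    print(string.format("  t=%4ds %6d", sec, stats.io[sec]))
  end
end
```

`tshark -q` suppresses the per-packet lines so only `draw()` output remains. Pass a display filter as the second argument of `Listener.new` to get the "Limit to display filter" behaviour of the Conversations window, for example `Listener.new(nil, "tcp.port == 80")`.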
  • 15. Wireshark CASE FILE : ONE
  • 18. Wireshark CASE FILE : TWO
  • 20. Use Wireshark Analysis please :)
  • 26. Let the packets tell the truth CASE FILE : THREE Reference: Practical Packet Analysis http://chrissanders.org/captures/aurora.pcap
  • 27. Summary • The victim receives a targeted email from the attacker that appears to be legitimate, clicks a link within it, and sends a GET request to the attacker's malicious site. • The attacker's web server issues a 302 redirection to the victim, and the victim's browser issues a GET request to the redirected URL.
  • 28. Summary • The attacker's web server transmits a web page containing obfuscated JavaScript code to the client; it includes a vulnerability exploit and an iframe containing a link to a malicious GIF image. • The victim issues a GET request for the malicious image and downloads it from the server.
  • 29. Summary • The JavaScript code transmitted earlier is deobfuscated using the malicious GIF, and the code executes on the victim's machine, exploiting a vulnerability in Internet Explorer. • Once exploited, the payload hidden within the obfuscated code is executed, opening a new session from the victim to the attacker on port 4321.
  • 30. Summary • A command shell is spawned from the payload and shoveled back to the attacker. • This is the traffic pattern known as "Operation Aurora".
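The sequence above (an HTTP 302 delivered to the client, then the same client opening a brand-new TCP session to a non-web port on the attacker) is a pattern that can be hunted mechanically rather than by scrolling the packet list. The script below is an added example for this page, not code from the workshop or from Practical Packet Analysis; it runs as a tshark Lua tap against the aurora.pcap referenced on the slides or any other capture. The `WEB_PORTS` list and the `WINDOW` of 120 seconds are assumptions chosen for the example and should be tuned to the environment.

```lua
-- redirect_callback.lua: flag "HTTP 302 to a client, then a new session from
-- that client to a non-web port" (the Aurora sequence on the slides).
-- Added example, not from the workshop. WEB_PORTS and WINDOW are assumptions.
-- Run:  tshark -q -X lua_script:redirect_callback.lua -r aurora.pcap

local location_f = Field.new("http.location")    -- Location header of the 302

local WEB_PORTS = { [80] = true, [443] = true, [8080] = true }  -- ordinary browsing, ignored
local WINDOW    = 120   -- seconds after the redirect in which a new session is suspicious

local redirects = {}    -- client address -> list of { ts, server, location, frame }
local alerts    = {}

-- Tap 1: every frame carrying an HTTP 302. In a response, pinfo.dst is the client.
local http_tap = Listener.new(nil, "http.response.code == 302")

function http_tap.reset() redirects = {} end

function http_tap.packet(pinfo, tvb)
  local client = tostring(pinfo.dst)
  local loc = location_f()
  redirects[client] = redirects[client] or {}
  table.insert(redirects[client], {
    ts = pinfo.rel_ts, server = tostring(pinfo.src), frame = pinfo.number,
    location = loc and tostring(loc) or "(no Location header)",
  })
end

-- Tap 2: initial SYNs only (SYN set, ACK clear), i.e. a new outbound session.
local syn_tap = Listener.new(nil, "tcp.flags.syn == 1 && tcp.flags.ack == 0")

function syn_tap.reset() alerts = {} end

function syn_tap.packet(pinfo, tvb)
  local client, port = tostring(pinfo.src), pinfo.dst_port
  if WEB_PORTS[port] then return end          -- expected destination, not a callback
  for _, r in ipairs(redirects[client] or {}) do
    local delta = pinfo.rel_ts - r.ts         -- packets arrive in capture order, so delta >= 0
    if delta >= 0 and delta <= WINDOW then
      alerts[#alerts + 1] = string.format(
        "frame %d: %s -> %s:%d new session %.3fs after 302 from %s (frame %d, Location: %s)",
        pinfo.number, client, tostring(pinfo.dst), port, delta, r.server, r.frame, r.location)
    end
  end
end

function syn_tap.draw()
  if #alerts == 0 then print("no redirect-then-callback pattern found") end
  for _, line in ipairs(alerts) do print(line) end
end
```

For the Aurora capture the expected hit is the victim's SYN to the attacker on port 4321 shortly after the 302; the frame numbers in the alert line are the ones to open with Follow TCP Stream to see the shell being shoveled back. A clean web session that merely redirects to another site will not fire because its follow-up GET goes to a port in `WEB_PORTS`.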
  • 40. Other tools for packet analysis
  • 41. XPLICO • Xplico is an open source Network Forensic Analysis Tool (NFAT). • It extracts the application data contained in an internet traffic capture: from a pcap file it extracts each email (POP, IMAP and SMTP), all HTTP contents, each VoIP call (SIP), FTP, TFTP, etc. • xplico.org
  • 45. Network Miner • NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works on Linux / Mac OS X / FreeBSD) • NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. • netresec.com
  • 48. PCAP Samples • http://wiki.wireshark.org/SampleCaptures
  • 49. Packet Analysis Creating your own Wireshark dissector for your own or others' protocols
  • 50. Wireshark Dissector • Allows Wireshark to automatically break a protocol down into its fields so that it can be analyzed • A translator/decoder • Built-in dissectors are bound to default ports, so a protocol on a non-standard port is not decoded unless you use "Decode As..." or register your own dissector (on the port, or as a heuristic). • Created with Lua
  • 51. LUA • "Lua" (pronounced LOO-ah) means "Moon" in Portuguese • Lua is a powerful, fast, lightweight, embeddable scripting language. • Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics
  • 52. Download LUA • Lua for Windows • http://luaforwindows.luaforge.net/ • Install Lua
  • 53. Simple LUA • code it: • echo 'print("Hello World")' > hello.lua (in Windows cmd.exe: echo print("Hello World") > hello.lua) • run it: • prompt> lua hello.lua
  • 54. Wireshark + LUA Check support and compatibility (Help > About Wireshark shows whether the build was compiled with Lua)
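The slides in this section walked through a dissector on screen; the one below is an added example written for this page, not the workshop's own script. It dissects a hypothetical "DEMO" protocol invented for the example (8-byte header: 2-byte magic 0x444D, version, message type, 2-byte payload length, 2-byte sequence number, then payload; none of this is a real protocol) and registers it both on UDP port 9999 and as a heuristic, which is how you handle the "non-standard port" limitation noted earlier. It also validates the length field before trusting it, because a dissector that indexes the buffer with an attacker-controlled length is itself a bug. `ProtoExpert` requires Wireshark 1.12 or newer; port 9999 and all field names are assumptions.

```lua
-- demo_dissector.lua: dissector for the hypothetical "DEMO" protocol (constructed for
-- this example, not a real protocol). Added example, not from the workshop.
-- Load with:  tshark -X lua_script:demo_dissector.lua -r demo.pcap -V
-- or copy it into the personal plugins directory (Help > About Wireshark > Folders).

local demo = Proto("demo", "DEMO Example Protocol")

local msg_types = { [1] = "HELLO", [2] = "DATA", [3] = "BYE" }

local f_magic   = ProtoField.uint16("demo.magic",   "Magic",          base.HEX)
local f_version = ProtoField.uint8 ("demo.version", "Version",        base.DEC)
local f_type    = ProtoField.uint8 ("demo.type",    "Message Type",   base.DEC, msg_types)
local f_length  = ProtoField.uint16("demo.length",  "Payload Length", base.DEC)
local f_seq     = ProtoField.uint16("demo.seq",     "Sequence",       base.DEC)
local f_payload = ProtoField.bytes ("demo.payload", "Payload")

demo.fields = { f_magic, f_version, f_type, f_length, f_seq, f_payload }

-- Expert info for a length field that claims more bytes than the packet carries.
local ef_short = ProtoExpert.new("demo.short", "Payload shorter than declared length",
                                 expert.group.MALFORMED, expert.severity.ERROR)
demo.experts = { ef_short }

local HEADER_LEN = 8
local MAGIC      = 0x444D   -- "DM"

-- Returns the number of bytes consumed, or 0 to tell Wireshark "this is not DEMO".
function demo.dissector(buffer, pinfo, tree)
  if buffer:len() < HEADER_LEN or buffer(0, 2):uint() ~= MAGIC then return 0 end

  pinfo.cols.protocol = "DEMO"
  local subtree = tree:add(demo, buffer(), "DEMO Example Protocol")
  subtree:add(f_magic,   buffer(0, 2))
  subtree:add(f_version, buffer(2, 1))
  subtree:add(f_type,    buffer(3, 1))
  subtree:add(f_length,  buffer(4, 2))
  subtree:add(f_seq,     buffer(6, 2))

  local declared  = buffer(4, 2):uint()
  local available = buffer:len() - HEADER_LEN
  local mtype     = msg_types[buffer(3, 1):uint()] or "UNKNOWN"
  pinfo.cols.info = string.format("%s seq=%d len=%d", mtype, buffer(6, 2):uint(), declared)

  -- Never index the buffer with the on-the-wire length without checking it first.
  if declared > available then
    subtree:add_proto_expert_info(ef_short)
    declared = available
  end
  if declared > 0 then subtree:add(f_payload, buffer(HEADER_LEN, declared)) end
  return HEADER_LEN + declared
end

-- 1) Port-based registration: only UDP/9999 traffic reaches the dissector.
DissectorTable.get("udp.port"):add(9999, demo)

-- 2) Heuristic registration: offered every UDP payload, so DEMO on any port is
--    still decoded as long as the magic bytes match.
local function demo_heuristic(buffer, pinfo, tree)
  if buffer:len() < HEADER_LEN or buffer(0, 2):uint() ~= MAGIC then return false end
  pinfo.conversation = demo      -- remember the match for the rest of this conversation
  demo.dissector(buffer, pinfo, tree)
  return true
end
demo:register_heuristic("udp", demo_heuristic)
```

Once loaded, the fields are usable like any built-in ones, e.g. the display filter `demo.type == 2 && demo.length > 512`, and the expert info shows up in Analyze > Expert Information for packets whose length field lies. The heuristic path is what makes the dissector work when the protocol is moved off its default port; the alternative for a one-off capture is Analyze > Decode As... and picking "DEMO" for the port in question.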
  • 65. Reference • Lua Support in Wireshark - http://www.wireshark.org/docs/wsug_html_chunked/wsluarm.html • http://wiki.wireshark.org/Lua
  • 68. Network Packet Analysis Technical Workshop (21 December 2012) Ahmad Muammar W.K. OSCP