Network Packet Analysis (basic)
Technical Workshop (25 October 2012)
Ahmad Muammar W.K. OSCP

Tuesday, January 22, 13
Introduction

• A.K.A y3dips
• Pro. Bandwidth Hunter
• IT(Sec) Consultant/Pentester/py.Coder
• Founder echo.or.id, ubuntu-id, idsecconf
• @y3dips, me@ammar.web.id

Network Packet Analysis - Ahmad Muammar W.K. OSCP
Packet Analysis

• Captured network traffic
• Analyze the protocols, carve out the files, search for strings
Packet Analysis

• Analyze fields within protocols
• Analyze protocols within packets
• Analyze packets within streams
• Reconstruct higher-layer protocols
Issues Found

• Too many packets in the stream
• Packets corrupted or truncated
• Contents encrypted at different layers
• Non-standard protocols
Protocol Analysis

• Examination of one or more fields within the protocol's data structure.
Packet Analysis
Wireshark Workshop
Network Packet Analysis Technical Workshop (25 October 2012)
Ahmad Muammar W.K. OSCP
Wireshark
Advanced Usage
Wireshark Display

• Packet List
• Packet Details
• Packet Bytes
[Screenshot: Wireshark's three panes, Packet List, Packet Details and Packet Bytes]
Wireshark
Coloring Rules
Wireshark
Capture Filters
Capture Filters
For the sake of performance: a capture filter discards packets before they are stored, so less traffic has to be written to disk and analyzed later.
Capture/BPF syntax

• Type: host, net, port
• Direction: src, dst
• Proto: ether, ip, tcp, udp
• Logical operation: &&, ||, !
Capture Filters

• Filtering by host
  • host <ipv4/ipv6 address>
  • host <hostname>
  • ether host <mac> (e.g. ether host 00:11:22:33:44:55)
  • src host 192.168.1.1 / dst host 192.168.1.1
Capture Filters

• Filtering by protocol/port
  • port 443
  • !port 443
  • <protocol name> (e.g. icmp)
  • !<protocol name> (e.g. !icmp)
Capture Filters

• Protocol field (byte offset within the protocol header)
  • icmp[0] == 3 (destination unreachable)
  • icmp[0] == 8 (echo request)
  • tcp[13] & 4 == 4 (RST flag set)
  • tcp[13] & 1 == 1 (FIN flag set)
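The byte-offset filters above all have the shape proto[offset] [& mask] == value. The Python below, added here and not part of the original slides, builds a few Ethernet/IPv4 frames with struct and evaluates that general form against them, reading tcp[13] from where the TCP header really starts (after any IP options) as the BPF engine does; the frames, addresses and flag values are constructed.

```python
"""Evaluate the deck's byte-offset capture filters (icmp[0] == 3,
tcp[13] & 4 == 4, ...) against constructed Ethernet/IPv4 frames.
Added example, not from the original slides; the frames are built
inline with struct and are not a real capture."""
import re
import struct

ETH_LEN = 14
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
# Bits of TCP header byte 13 (what pcap-filter's tcp[13] reads).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 1, 2, 4, 8, 16
# The general shape of the slide's examples: proto[offset] [& mask] == value
FILTER_RE = re.compile(r"^(icmp|tcp|udp)\[(\d+)\](?:\s*&\s*(\d+))?\s*==\s*(\d+)$")


def ipv4_frame(proto, l4, ip_options=b""):
    """Ethernet + IPv4 header in front of an L4 header.  Checksums are left
    zero: the filter never looks at them."""
    ihl_words = 5 + len(ip_options) // 4
    total = 20 + len(ip_options) + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0,
                     64, proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 222]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + ip_options + l4


def tcp_header(flags, sport=40000, dport=443):
    """Minimal 20-byte TCP header; byte 13 holds the flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def l4_header(frame):
    """(ip_proto, bytes from the start of the L4 header) for an IPv4 frame.
    Honouring IHL matters: tcp[13] is offset 13 from wherever the TCP header
    really starts, not a fixed 14 + 20 + 13 into the frame."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None, b""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if ihl < 20:
        return None, b""
    return frame[ETH_LEN + 9], frame[ETH_LEN + ihl:]


def match(frame, filt):
    """True if the frame satisfies a proto[offset] [& mask] == value filter."""
    m = FILTER_RE.match(filt.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    name, off, mask, value = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    proto, l4 = l4_header(frame)
    if proto != PROTO_NUM[name] or off >= len(l4):
        return False          # other protocol, or header too short: no match
    byte = l4[off] & int(mask) if mask is not None else l4[off]
    return byte == value


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "rst": ipv4_frame(6, tcp_header(TCP_RST | TCP_ACK)),
    "fin_ack": ipv4_frame(6, tcp_header(TCP_FIN | TCP_ACK)),
    "syn": ipv4_frame(6, tcp_header(TCP_SYN)),
    # Same FIN/ACK behind a 4-byte IP option (NOP,NOP,NOP,EOL): a fixed
    # offset would read the wrong byte; IHL-aware parsing still matches.
    "fin_ipopt": ipv4_frame(6, tcp_header(TCP_FIN | TCP_ACK), b"\x01\x01\x01\x00"),
    "echo_req": ipv4_frame(1, struct.pack("!BBHI", 8, 0, 0, 0)),
    "unreach": ipv4_frame(1, struct.pack("!BBHI", 3, 1, 0, 0)),
}


def matching(filt):
    """Names of the sample frames a filter would let through."""
    return sorted(name for name, frame in SAMPLES.items() if match(frame, filt))


if __name__ == "__main__":
    for f in ("icmp[0] == 3", "icmp[0] == 8", "tcp[13] & 4 == 4", "tcp[13] & 1 == 1"):
        print(f"{f:20} -> {matching(f)}")
```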
Display Filters
See only what you want to see
Display Filters

• !(tcp.port == 443)  (rather than tcp.port != 443: a TCP packet carries two tcp.port fields, and != has historically matched when either of them differed)
• tcp.flags.syn == 1
• !arp
• tcp.port == 21 || tcp.port == 23
• smtp || pop || imap
Packet Analysis
Wrong Dissector
Protocol Dissector

• Lets Wireshark automatically break a packet down into its fields so that it can be analyzed
• A translator/decoder for the protocol
• Is chosen by port, so it does not work when a protocol runs on a non-standard (non-default) port
Wrong Dissector

• So it is SSL traffic?
• But then why can we see all the information in clear text?
• FTP traffic using port 443?
• Decode it as FTP
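Added example, not from the slides: the same port-versus-content mismatch that made the "SSL" stream readable, turned into a check a detection rule can run on the first bytes each side of a TCP stream sent. The streams, banners and hostnames are constructed; in Wireshark itself the fix is Analyze > Decode As... with the FTP dissector.

```python
"""Spot the 'wrong dissector' case from the slides: a TCP stream whose
payload does not look like the protocol normally spoken on its server port
(plaintext FTP on 443, or the deck's raw netcat transfer on 110).  Added
example, not from the original slides; the streams are constructed, not
captured, and are given as the first bytes each side sent."""
import re

# Protocols the default dissector (chosen by port) would assume.
DEFAULT_PROTO = {21: "ftp", 25: "smtp", 110: "pop3", 443: "tls"}
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}     # CCS, alert, handshake, app data
REPLY_LINE = re.compile(rb"^\d{3}[ -][^\r\n]*\r\n")   # "220 ...\r\n": FTP and SMTP
FTP_CMD = re.compile(rb"^(USER|PASS|RETR|STOR|LIST|PORT|PASV|QUIT)\b", re.I)
SMTP_CMD = re.compile(rb"^(EHLO|HELO)\b", re.I)
POP3_OK = re.compile(rb"^\+OK\b")


def looks_like_tls(data):
    """TLS record header: content type, then version 0x03 0x00..0x04."""
    return (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04)


def guess_protocol(server_first, client_first):
    """Content-based guess, independent of the port."""
    if looks_like_tls(client_first) and looks_like_tls(server_first):
        return "tls"
    if POP3_OK.match(server_first):
        return "pop3"
    if REPLY_LINE.match(server_first):
        # FTP and SMTP both greet with "220"; the first client line decides.
        if FTP_CMD.match(client_first):
            return "ftp"
        if SMTP_CMD.match(client_first):
            return "smtp"
    return "unknown"


def check_stream(server_port, server_first, client_first):
    """(expected, actual, mismatch): expected is what the port-based dissector
    would try; mismatch is the condition behind the slide's readable 'SSL'
    and the one a detection rule should flag."""
    expected = DEFAULT_PROTO.get(server_port)
    actual = guess_protocol(server_first, client_first)
    return expected, actual, expected is not None and actual != expected


# Constructed streams: (server port, first server bytes, first client bytes).
SAMPLES = {
    "https_ok": (443,
                 b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03",   # ServerHello
                 b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # ClientHello
    "ftp_on_443": (443, b"220 FTP server ready\r\n", b"USER anonymous\r\n"),
    "ftp_ok": (21, b"220 FTP server ready\r\n", b"USER anonymous\r\n"),
    "smtp_ok": (25, b"220 mail.example.test ESMTP\r\n", b"EHLO client.example.test\r\n"),
    "pop3_ok": (110, b"+OK POP3 ready\r\n", b"USER bob\r\n"),
    # The deck's nc transfer: the listener says nothing, the client pushes a raw PDF.
    "nc_pdf_on_110": (110, b"", b"%PDF-1.4\n1 0 obj\n"),
}


def report():
    """Name -> (expected, actual, mismatch) for every sample stream."""
    return {name: check_stream(*stream) for name, stream in SAMPLES.items()}


if __name__ == "__main__":
    for name, (expected, actual, bad) in report().items():
        print(f"{name:14} port says {expected!s:5} content says {actual:8}"
              f" {'MISMATCH' if bad else 'ok'}")
```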
Packet Analysis
Reconstruct File and Data
Reconstruct Data

• Receiver: nc -lv 110 > confidential.pdf (nc -lvp 110 with traditional netcat)
• Sender: nc -vv 192.168.1.222 110 < confidential.pdf
• A PDF and a zip file are sent over a non-standard port (110, normally POP3)
Packet Analysis
Reconstruct PDF File
Packet Analysis
Reconstruct Zip File from NC file transfer
Packet Analysis
Reconstruct Zip File from FTP server
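The three reconstruction slides (PDF over nc, zip over nc, zip from the FTP data connection) rely on Follow TCP Stream putting the sender's segments back in sequence order before the raw bytes are saved. The Python below, added here and not part of the original workshop, performs that reassembly on constructed (seq, payload) segments, including out-of-order, retransmitted and overlapping ones, then identifies the carved file by its magic bytes and reports any gaps; the ISN, segment size and the stand-in "PDF" are assumptions.

```python
"""Rebuild the file carried by the deck's netcat transfer
(nc -vv 192.168.1.222 110 < confidential.pdf) from the sender's TCP
segments, the way Follow TCP Stream -> Save As (Raw) does, and judge
whether the carve is complete.  Added example, not from the original
slides; the segments are constructed (seq, payload) pairs, not a capture,
and the 'PDF' is a stand-in with a valid header and trailer only."""

MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip"}


def reassemble(isn, segments):
    """segments: (seq, payload) in arrival order, possibly out of order,
    retransmitted or overlapping.  Returns (data, gaps, conflicts): gaps are
    byte ranges never seen, conflicts counts overlapping bytes whose
    retransmitted value differed (an IDS-evasion trick worth alerting on)."""
    buf, have, conflicts = bytearray(), bytearray(), 0
    for seq, payload in segments:
        off = (seq - (isn + 1)) & 0xFFFFFFFF      # data starts at ISN+1
        if off >= 1 << 31:                        # from before the stream: skip
            continue
        end = off + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            have.extend(bytes(end - len(have)))
        for i, b in enumerate(payload):
            if have[off + i] and buf[off + i] != b:
                conflicts += 1
        buf[off:end] = payload                     # last copy wins
        have[off:end] = b"\x01" * len(payload)
    gaps, start = [], None
    for i, filled in enumerate(have):
        if not filled and start is None:
            start = i
        elif filled and start is not None:
            gaps.append((start, i))
            start = None
    if start is not None:
        gaps.append((start, len(have)))
    return bytes(buf), gaps, conflicts


def carve(isn, segments):
    """Identify the carried file by magic bytes and decide if it is whole."""
    data, gaps, conflicts = reassemble(isn, segments)
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
    if kind == "pdf":
        trailer_ok = data.rstrip().endswith(b"%%EOF")
    elif kind == "zip":
        trailer_ok = b"PK\x05\x06" in data        # end-of-central-directory record
    else:
        trailer_ok = False
    return {"type": kind, "size": len(data), "gaps": gaps,
            "conflicts": conflicts, "complete": trailer_ok and not gaps}


# Constructed stand-in for confidential.pdf (header and trailer only).
FILE = (b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Count 0 >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
ISN = 1000   # constructed initial sequence number of the sender


def segments_from(data, isn, size):
    """Split a file into in-order TCP segments of `size` bytes."""
    return [(isn + 1 + i, data[i:i + size]) for i in range(0, len(data), size)]


IN_ORDER = segments_from(FILE, ISN, 40)
# Arrival order a sniffer might see: segment 2 before 1, segment 1 retransmitted,
# plus a partial overlapping resend of the last segment.
ARRIVED = ([IN_ORDER[0], IN_ORDER[2], IN_ORDER[1], IN_ORDER[1]] + IN_ORDER[3:]
           + [(IN_ORDER[3][0] + 10, IN_ORDER[3][1][10:])])
LOSSY = [s for s in ARRIVED if s != IN_ORDER[2]]  # segment 2 never captured

if __name__ == "__main__":
    print(carve(ISN, ARRIVED))
    print(carve(ISN, LOSSY))
```

A gap in the result is the "packet corrupted or truncated" issue from the earlier slide: the carved file will open only up to the missing range.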
Packet Analysis
Decrypting and decoding SSL packets