Network Packet Analysis (basic)
Ahmad Muammar W.K. OSCP
Technical Workshop (25 Oktober 2012)
Tuesday, January 22, 13
Introduction
• A.K.A y3dips
• Pro. Bandwidth Hunter
• IT(Sec) Consultant/Pentester/py.Coder
• Founder echo.or.id, ubuntu-id, idsecconf
• @y3dips, [email protected]
Network Packet Analysis - Ahmad Muammar W.K. OSCPTuesday, January 22, 13
Packet Analysis
• Captured Network Traffic
• Analyze the protocols, carve out the files, search for strings
Packet Analysis
• Analyze fields within protocols
• Analyze protocols within packets
• Analyze packets within streams
• Reconstruct higher-layer protocols
Issues Found
• Too many packets per stream
• Packets corrupted or truncated
• Contents encrypted at different layers
• Non-standard protocols
Protocol Analysis
• Examination of one or more fields within the protocol's data structure.
Wireshark: Advanced Usage
Wireshark Display
• Packet List
• Packet Details
• Packet Bytes
Wireshark Coloring Rules
Wireshark Capture Filters
Capture Filters: for the sake of performance
• Capture filters are compiled to BPF and applied by the capture engine (libpcap/WinPcap) before a packet is copied to Wireshark, so they reduce CPU load and capture size.
• Unlike display filters they cannot be changed afterwards: whatever a capture filter drops is gone.
Capture/BPF syntax
• Type: host, net, port
• Direction: src, dst
• Proto: ether, ip, tcp, udp
• Logical operations: and (&&), or (||), not (!)
Capture Filters
• Filtering the host
• host ipv4/ipv6
• host hostname
• ether host mac, colon-separated in BPF syntax (00:11:22:33:44:55)
• src/dst host 192.168.1.1
Capture Filters
• Filtering the protocol/port
• port 443
• !port 443 (same as: not port 443)
• protocol name (e.g. icmp)
• !protocol name (e.g. !icmp)
Capture Filters
• Protocol field: proto[offset] reads a byte at that offset into the protocol's header
• icmp[0] == 3 (ICMP type 3: destination unreachable)
• icmp[0] == 8 (ICMP type 8: echo request)
• tcp[13] & 4 == 4 (TCP flags byte, RST bit set)
• tcp[13] & 1 == 1 (TCP flags byte, FIN bit set)
Display Filters: see only what you want to see
• Display filters run over packets already in the capture and use Wireshark's own field syntax (protocol.field), not BPF; they can be changed at any time without losing data.
Display Filters
• !(tcp.port == 443)
• tcp.flags.syn == 1
• !arp
• tcp.port == 21 || tcp.port == 23
• smtp || pop || imap
• Note: tcp.port matches both the source and the destination port. !(tcp.port == 443) hides every packet that has 443 on either side; in Wireshark versions before 3.6, tcp.port != 443 instead matched whenever either port differed from 443, which is nearly every packet.
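The following is an added example (not part of the workshop material) covering both the capture-filter byte tests above and the display-filter port semantics. It hand-builds a few Ethernet/IPv4 frames, writes them to a pcap so the same filters can be replayed in tcpdump or Wireshark, and evaluates icmp[0], tcp[13] and the two readings of "not port 443" against them. All MAC addresses, IP addresses, ports and the file name bpf_samples.pcap are constructed sample values.

```python
import socket
import struct

ETH_DST = bytes.fromhex("001122334455")       # constructed MAC addresses
ETH_SRC = bytes.fromhex("66778899aabb")
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # bits of the TCP flags byte, i.e. tcp[13]
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}      # IPv4 protocol numbers


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, used here for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(proto: int, payload: bytes, src="192.168.1.10", dst="192.168.1.222") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    # 20-byte header, data offset 5; checksum left zero (sample data, never transmitted)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def icmp(type_: int, code: int = 0) -> bytes:
    body = struct.pack("!BBHHH", type_, code, 0, 1, 1)   # type, code, csum, id, seq
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def frame(ip_packet: bytes) -> bytes:
    return ETH_DST + ETH_SRC + b"\x08\x00" + ip_packet  # Ethernet II, EtherType IPv4


# Constructed capture: one frame for each case the slides' filters are meant to catch.
SAMPLE = [
    ("tcp syn", frame(ipv4(6, tcp(40000, 443, SYN)))),
    ("tcp rst", frame(ipv4(6, tcp(443, 40000, RST | ACK)))),
    ("tcp fin", frame(ipv4(6, tcp(40000, 443, FIN | ACK)))),
    ("icmp echo", frame(ipv4(1, icmp(8)))),
    ("icmp unreach", frame(ipv4(1, icmp(3, 1)))),
]


def l4_offset(frm: bytes) -> int:
    """Start of the transport header: 14 bytes of Ethernet plus the IPv4 header length (IHL*4)."""
    return 14 + (frm[14] & 0x0F) * 4


def proto_field(frm: bytes, proto: str, offset: int):
    """Byte `offset` of the named transport header, as BPF's proto[offset] reads it;
    None when the frame carries another protocol (such a filter then never matches)."""
    if frm[23] != PROTO[proto]:           # IPv4 protocol byte: Ethernet 14 + IP offset 9
        return None
    return frm[l4_offset(frm) + offset]


def tcp_flags(frm: bytes, mask: int, want: int) -> bool:
    v = proto_field(frm, "tcp", 13)
    return v is not None and (v & mask) == want


# The slides' capture filters, written as the byte tests BPF compiles them to.
FILTERS = {
    "icmp[0] == 3": lambda f: proto_field(f, "icmp", 0) == 3,
    "icmp[0] == 8": lambda f: proto_field(f, "icmp", 0) == 8,
    "tcp[13] & 4 == 4": lambda f: tcp_flags(f, RST, RST),
    "tcp[13] & 1 == 1": lambda f: tcp_flags(f, FIN, FIN),
    "tcp[13] & 18 == 2": lambda f: tcp_flags(f, SYN | ACK, SYN),   # pure SYN: new connections / scans
}


def apply_filter(expr: str) -> list:
    return [name for name, f in SAMPLE if FILTERS[expr](f)]


def display_not_port(port: int, all_ne: bool) -> list:
    """TCP frames kept by a display filter that excludes `port`. tcp.port expands to
    both source and destination port: all_ne=True is !(tcp.port == port) (and != in
    Wireshark >= 3.6); all_ne=False is the old != ("any port differs"), which keeps
    almost everything."""
    shown = []
    for name, f in SAMPLE:
        if f[23] != PROTO["tcp"]:
            continue
        off = l4_offset(f)
        ports = struct.unpack("!HH", f[off:off + 4])
        keep = all(p != port for p in ports) if all_ne else any(p != port for p in ports)
        if keep:
            shown.append(name)
    return shown


def write_pcap(path: str, frames) -> None:
    """Minimal pcap writer (LINKTYPE_ETHERNET = 1) so tcpdump/Wireshark can replay the filters."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, f in enumerate(frames):
            fh.write(struct.pack("<IIII", 1350000000 + i, 0, len(f), len(f)) + f)


if __name__ == "__main__":
    write_pcap("bpf_samples.pcap", [f for _, f in SAMPLE])
    for expr in FILTERS:
        print(f"{expr:20} -> {apply_filter(expr)}")
    print("!(tcp.port == 443)   ->", display_not_port(443, all_ne=True))
    print("old tcp.port != 443  ->", display_not_port(443, all_ne=False))
```

Run it, then replay the same expressions on the written file, e.g. tcpdump -r bpf_samples.pcap 'tcp[13] & 4 == 4', or open it in Wireshark. Newer libpcap also accepts the named form tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn for the pure-SYN case, which reads better than the raw byte arithmetic.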
Packet Analysis: Wrong Dissector
Protocol Dissector
• Lets Wireshark automatically break a packet down into its protocol fields so that it can be analyzed
• A translator/decoder for one protocol
• Dissectors are selected mainly by port number, so they do not work for traffic on a non-standard/non-default port: the wrong dissector is applied, or none at all
Wrong Dissector
• So it is SSL traffic? (Wireshark chose the SSL dissector because the port is 443)
• But why can we see all the information in clear text?
• FTP traffic using port 443?
• Decode it as FTP (Analyze > Decode As...)
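An added example (not from the workshop) of the check behind the "wrong dissector" slide: classify a TCP payload by its first bytes instead of by port, and list the streams where the port-based guess and the content disagree. The payloads, ports and the EXPECTED_BY_PORT table are constructed for the example; the classifiers are deliberately simple signatures (TLS record header, FTP reply code or command verb, HTTP request line or status line), not full dissectors.

```python
EXPECTED_BY_PORT = {21: "ftp", 80: "http", 443: "tls"}   # what a port-based dissector assumes
FTP_COMMANDS = {b"USER", b"PASS", b"RETR", b"STOR", b"LIST", b"CWD", b"PASV", b"QUIT"}
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def looks_like_tls(p: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04, 16-bit length
    no larger than the 16384 + 2048 bytes a record may carry."""
    return (len(p) >= 5 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04
            and 0 < int.from_bytes(p[3:5], "big") <= 0x4800)


def looks_like_ftp(p: bytes) -> bool:
    """FTP control channel: server replies are '123 text' or '123-text' (multi-line);
    client commands are an upper-case verb followed by a space or CRLF."""
    line = p.split(b"\r\n", 1)[0]
    if len(line) >= 4 and line[:3].isdigit() and line[3:4] in (b" ", b"-"):
        return True
    return line.split(b" ", 1)[0] in FTP_COMMANDS


def looks_like_http(p: bytes) -> bool:
    """HTTP/1.x: 'METHOD target HTTP/1.x' request line or 'HTTP/1.x' status line."""
    line = p.split(b"\r\n", 1)[0]
    if line.startswith(b"HTTP/1."):
        return True
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")


def identify(p: bytes) -> str:
    """Name the protocol by content; 'unknown' when no signature matches."""
    for name, check in (("tls", looks_like_tls), ("http", looks_like_http), ("ftp", looks_like_ftp)):
        if check(p):
            return name
    return "unknown"


# Constructed (port, first payload bytes) pairs; the second and third are the slides' case:
# an FTP session that was run on port 443.
SAMPLE = [
    (443, bytes.fromhex("16030100a10100009d0303") + bytes(32)),  # start of a TLS ClientHello record
    (443, b"220 FTP server ready\r\n"),                           # FTP banner answered on 443
    (443, b"USER anonymous\r\n"),
    (21, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]


def audit(samples=SAMPLE) -> list:
    """(port, what the port suggests, what the bytes say) for every sample."""
    return [(port, EXPECTED_BY_PORT.get(port, "unknown"), identify(p)) for port, p in samples]


def mismatches(samples=SAMPLE) -> list:
    """Streams where the port-based guess is wrong: the ones that need Decode As."""
    return [row for row in audit(samples) if row[1] != row[2]]


if __name__ == "__main__":
    for port, by_port, by_content in audit():
        flag = "" if by_port == by_content else "   <- decode as " + by_content
        print(f"port {port:5}  dissector: {by_port:8} content: {by_content:8}{flag}")
```

Once a stream is flagged, the fix in Wireshark is Analyze > Decode As... (TCP port 443 to FTP for the slides' case); on the command line the equivalent is tshark -d tcp.port==443,ftp. The same content-first habit is what catches tunnelled or disguised protocols during incident response, where the port is chosen precisely to look innocuous.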
Packet Analysis: Reconstruct Files and Data
Reconstruct Data
• Receiver: nc -lv 110 > confidential.pdf (some netcat builds take the listen port as -p: nc -lvp 110)
• Sender: nc -vv 192.168.1.222 110 < confidential.pdf
• A non-standard port (110 is POP3) is used to send a PDF and a zip file, so the dissector gives no help: the file has to be carved from the reassembled TCP stream (Follow TCP Stream, save as raw)
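What "follow the stream and save it" has to do underneath, as an added example that is not part of the workshop: take the (sequence number, payload) segments of one direction of a TCP connection, which in a real capture arrive out of order and with retransmissions, put them back in sequence, drop the bytes already seen, note any hole left by a lost or truncated segment, and then recognise the carved file by its magic bytes. The PDF bytes, the zip archive, the initial sequence number 1000 and the 16-byte segment size are constructed for the example; a real transfer would be read from the capture instead of make_stream.

```python
import io
import zipfile

MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"MZ": "exe"}

# Constructed files standing in for confidential.pdf and the zip from the slides.
PDF_BYTES = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def build_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("confidential.txt", "constructed sample content\n" * 8)
    return buf.getvalue()


ZIP_BYTES = build_zip()


def make_stream(data: bytes, isn: int = 1000, mss: int = 16, drop=None) -> list:
    """Cut `data` into (seq, payload) segments like a sender would, then scramble the
    order, retransmit the first segment and optionally drop one, as the wire might."""
    segs = [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]
    if drop is not None:
        del segs[drop]
    return segs[1::2] + segs[0::2] + [segs[0]]


def reassemble(segments: list):
    """Follow one direction of a TCP stream: order by sequence number, discard
    retransmitted or overlapping bytes, and zero-fill (and report) any hole."""
    out = bytearray()
    gaps = []
    expected = min(seq for seq, _ in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:                  # pure retransmission, nothing new
            continue
        if seq > expected:                   # hole: keep offsets right, remember the range
            gaps.append((expected, seq))
            out += b"\x00" * (seq - expected)
            expected = seq
        out += payload[expected - seq:]      # skip the prefix we already have
        expected = end
    return bytes(out), gaps


def file_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def carve(segments: list):
    """(type, bytes, gaps) for the file carried by the given segments."""
    data, gaps = reassemble(segments)
    return file_type(data), data, gaps


def valid_zip(data: bytes) -> bool:
    """Prove the carve is complete: the central directory parses and every CRC checks."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


if __name__ == "__main__":
    for label, blob in (("pdf", PDF_BYTES), ("zip", ZIP_BYTES)):
        kind, data, gaps = carve(make_stream(blob))
        with open(f"carved.{kind}", "wb") as fh:
            fh.write(data)
        print(label, "->", kind, len(data), "bytes, gaps:", gaps)
    kind, data, gaps = carve(make_stream(PDF_BYTES, drop=1))
    print("with a lost segment:", kind, gaps)
```

The gap list is the part worth keeping an eye on: a carved zip still opens if the hole falls inside compressed data but testzip() will flag the CRC, and a PDF with a hole may render but is not evidence-grade. The zero-fill keeps later offsets correct, which is what makes the magic-byte check and any later parsing line up even when the capture is incomplete.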
Packet Analysis: Reconstruct PDF File
Packet Analysis: Reconstruct Zip File from nc File Transfer
Packet Analysis: Reconstruct Zip File from FTP Server
• FTP sends the file over a separate data connection (active or passive mode), not over the control connection on port 21; follow the data stream (FTP-DATA) and save it raw, and read the RETR/STOR command and the PORT/PASV reply in the control stream to see which data connection carries which file.
Packet Analysis: Decrypting and Decoding SSL Packets
• Wireshark decrypts SSL/TLS in a capture when given the server's RSA private key in the SSL protocol preferences (RSA keys list).
• This only works when the session used RSA key exchange. With (EC)DHE cipher suites the server key does not recover the session key, and the session keys themselves have to be supplied instead (e.g. a browser's SSLKEYLOGFILE).