Network Attacks and Packet Analysis - Wireshark

Posted on 18-Jul-2015


Transcript of Network Attacks and Packet Analysis - Wireshark

Security Camp 2012

Network Attacks and Packet Analysis - Wireshark

Lecturer: 鄭毓芹, PhD student

Affiliation: Department of Electrical Engineering, National Cheng Kung University (國立成功大學電機系)

E-mail: julia.yc.cheng@gmail.com


Agenda

- Basics
  - What is "Network Security Analysis"?
  - How useful is it for your security activities?
  - Who uses network analyzers
- Tool Introduction
  - About Wireshark
  - Sniffer positioning
  - Features & panels
- Exercise


What is "Network Security Analysis"?

- An important activity for incident responders and security analysts
- Normally, data just travels around your network like a train. With a packet sniffer, you gain the ability to capture that data and look inside the packets to see what is actually moving along the tracks.


What is "Network Security Analysis"?

- Related to many security activities
  - Network monitoring: to detect on-going incidents
  - Network forensics: to find evidence in a specific incident
  - Malware analysis: to find the capabilities of malware, such as "sending important data to malicious servers" or "bot command & control"
- The process of capturing, decoding, and analyzing network traffic


Who Uses Network Analyzers

- System administrators
  - Understand system problems and performance
  - Intrusion detection
- Malicious individuals (intruders)
  - Capture cleartext data
  - Passively collect data on vulnerable protocols
    - FTP, POP3, IMAP, SMTP, rlogin, HTTP, etc.
  - Capture VoIP data
  - Map the target network
  - Traffic pattern discovery
  - Actively break into the network (backdoor techniques)


Network security analysis - Flow based

- Features
  - Focuses on network flows/traffic instead of each packet
  - A good approach for a high-level overview or accounting
- Tools
  - NetFlow / sFlow
  - MRTG / RRDtool


Network security analysis - Packet based

- Features
  - Focuses on each packet or group of packets
  - Can analyze thoroughly, but at high cost
- Tools / Techniques
  - tcpdump
  - Wireshark / tshark


Network security analysis - Packet based (Cont.)

- Capturing packets
  - Don't use Wireshark to capture packets
  - Avoid running Wireshark with root privilege
  - Use a simpler program instead, e.g. tcpdump or dumpcap
- Analyzing packets
  - Wireshark is the best friend for this purpose.


Tool Introduction: About Wireshark

- Wireshark is a free and open-source tool
- Runs on many OSs
  - Windows / Linux / *BSD / Solaris and others
- User interface
  - GUI: Packet List / Packet Details / Packet Bytes
  - CUI: tshark (command-line mode)
- Many features
  - Search / Filter / Colorize / Statistics / others
- Vulnerability information: http://www.wireshark.org/security/


Tool Introduction: About Wireshark (Cont.)

- Decodes over 750 protocols
- Compatible with many other sniffers
- Plenty of online resources are available
- Supports command-line and GUI interfaces
- TShark (the command-line interface) has three components
  - editcap
  - mergecap
  - text2pcap


Tool Introduction: Sniffer Positioning

Hub

Tool Introduction: Sniffer Positioning (Cont.)

Switches

Tool Introduction: Sniffer Positioning (Cont.)

Wireshark (and WinPcap) stack, from top to bottom:

- Wireshark: application for sniffing packets
- WinPcap: open-source library for packet capture
- Operating system: Windows & Unix/Linux
- Network card drivers: Ethernet/WiFi card
- Ethernet card


Getting Wireshark

- Download the program from www.wireshark.org/download.html
- Requires installing capture drivers (to monitor ports and capture all traveling packets)
  - Windows: WinPcap (www.winpcap.org)
  - Linux: libpcap


Running Wireshark


Simple Capture


Capture Options


Screenshot: packet #215 (an HTTP packet) selected in the packet list, with the details pane and the raw data pane showing its content.


Menu Bar


Status Bar


Filtering HTTP packets only


Right Click Filtering


Follow TCP Stream


Protocol Hierarchy


Conversations


Expert Info


Capture Filter


Exercise 1: FTP Traffic

- Q1: Packet capture date?
- Q2: Protocol analysis?
- Q3: The FTP server's IP address is
- Q4: The FTP client's IP address is
- Q5: FTP error code 530 means
- Q6: 10.234.125.254 attempt
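As an added illustration of what this exercise asks you to read off a capture (not part of the original slides), the Python below parses a small pcap byte string built in memory, tallies packets per endpoint pair the way Wireshark's Conversations window does, and counts FTP 530 replies per client/server pair; apart from 10.234.125.254, every address, port and reply text is a constructed placeholder, not data from the exercise capture.

```python
import socket
import struct
from collections import Counter

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz 0, sigfigs 0, snaplen, Ethernet

def build_record(src, sport, dst, dport, payload):
    """Construct one pcap record carrying Ethernet/IPv4/TCP (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip           # zeroed MAC addresses, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame   # ts_sec, ts_usec, incl_len, orig_len

def parse_pcap(data):
    """Return (src, sport, dst, dport, payload) for every IPv4/TCP record in a pcap byte string."""
    pkts, off = [], 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # keep only IPv4 frames carrying TCP
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                   # IHL gives the IPv4 header length
        sport, dport = struct.unpack_from("!HH", tcp)
        doff = (tcp[12] >> 4) * 4                       # TCP data offset -> start of payload
        pkts.append((socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, tcp[doff:]))
    return pkts

def conversations(pkts):
    """Packet count per unordered IP pair, like the IPv4 tab of Wireshark's Conversations window."""
    return Counter(tuple(sorted((p[0], p[2]))) for p in pkts)

def ftp_login_failures(pkts):
    """Count FTP '530' replies (login incorrect) per (client, server) pair."""
    fails = Counter()
    for src, sport, dst, dport, payload in pkts:
        if sport == 21 and payload.startswith(b"530"):
            fails[(dst, src)] += 1
    return fails

# Constructed sample capture: one host retrying FTP logins three times, plus one unrelated HTTP request.
SAMPLE = PCAP_GLOBAL + b"".join(
    build_record("10.234.125.254", 40000 + i, "10.234.125.10", 21, b"PASS guess%d\r\n" % i)
    + build_record("10.234.125.10", 21, "10.234.125.254", 40000 + i, b"530 Login incorrect.\r\n")
    for i in range(3)
) + build_record("10.234.125.7", 51000, "203.0.113.5", 80, b"GET / HTTP/1.1\r\n\r\n")
```

Run `ftp_login_failures(parse_pcap(SAMPLE))` to see the client/server pair behind the repeated 530 replies, which is the same question the exercise asks you to answer from the Wireshark panes.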


Exercise 2: Malware Communication Traffic

- Q1: What kind of malicious activity did this malware do?
- Q2: What is the malicious server's IP address?


Exercise 3: Malicious HTTP Traffic

- Q1: Which site and which page were defaced?
  - site
  - page
- Q2: Which URL looks malicious?
- Q3: Which software seemed to be the target of this exploit?
- Q4: What kind of malicious activity was executed after the exploit?


HTTP Analysis


HTTP Analysis – Load Distribution


HTTP Analysis – Packet Counter


HTTP Analysis – Requests


Export HTTP Objects


Packet Length
