Wireshark Network Analysis Week 1 - Black Girls Hack

Page created by Bernice Howell
 
Wireshark Network Analysis – Week 1
Schedule

• Week 1 – Chapters 1-3 | Tennisha | June 5
• Week 2 – Chapters 4-6 | Tennisha | June 12
• Week 3 – Chapters 7-9 | Tennisha | June 19
• Week 4 – Chapters 10-12 | Tennisha | June 26
• Week 5 – Chapters 13-14 | Tennisha | July 10
• Week 6 – Chapters 15-17 | Tennisha | July 17
• Week 7 – Chapters 18-20 | Arun | July 24
• Week 8 – Chapters 21-22 | Tennisha | July 31
• Week 9 – Chapters 23-25 | Arun | August 7
• Week 10 – Chapters 26-28 | Tennisha | August 14
• Week 11 – Chapters 29-31 | Arun | August 21
• Week 12 – Chapters 32-33 | Tennisha | August 28
Chapter 1 Exam Objectives

• Define Network Analysis
• Troubleshooting Tasks for the Network Analyst
• Security Tasks for the Network Analyst
• Optimization Tasks for the Network Analyst
• Application Analysis Tasks for the Network Analyst
• Be aware of Legal Issues of Listening to Network Traffic
• Overcome the “Needle in the Haystack” issue
• Review a Checklist of Analysis Tasks
• Understand Network Traffic Flows
Files Used in this Exercise

• http-wireshark-slow.pcapng
Network Analysis

• Definition: Network analysis is the process of listening to and analyzing network traffic. Network
  analysis, sometimes called protocol analysis, is a process used to monitor network performance and
  security.
• Network analysis requires three basic skills:
    • A solid understanding of TCP/IP communications
    • Comfort using Wireshark
    • Familiarity with packet structures and packet flows
• The analysis process includes the following steps:
    • Capture packets at the appropriate location
    • Apply filters to focus on traffic of interest
    • Review and identify anomalies in the traffic
TCP Connection Steps

• If your system supports both IPv4 and IPv6, you see two DNS requests: one for the IPv4 address
  (A record, packet 1) and one for the IPv6 address (AAAA record, packet 5)
• The system requests the IP address of wireshark.org (packet 10)
• The system responds with 200 OK (packet 14)
Troubleshooting using Wireshark

• Troubleshooting is the most common real-world use of Wireshark and is typically used to locate the
  source of unacceptable performance of the network, an application, a host, or another element of
  network communications. Common troubleshooting tasks with Wireshark include:
    • Locate faulty network devices
    • Identify device or software misconfigurations
    • Measure high delays along a path
    • Locate the point of packet loss
    • Identify network errors and service refusals
    • Graph queuing delays
Security Tasks using Wireshark

• Security tasks can be proactive or reactive and are typically used to identify processes or breaches on
  the network. Security tasks include:
    • Perform intrusion detection
    • Identify and define malicious traffic signatures
    • Passively discover hosts, OSs and services
    • Log traffic for forensic examination
    • Capture traffic as evidence
    • Test firewall blocking
    • Validate secure login and data traversal
Legal Issues

• Have you ever heard the terms wiretapping or electronic surveillance? Wireshark provides the ability
  to eavesdrop on network communications, so if you’re using Wireshark on a network you should
  either:
    • Own it
    • Have written permission
    • Work for the company that owns it
• Title I of the Electronic Communications Privacy Act (Wiretap Act) prohibits the intentional,
  actual, or attempted interception, use, disclosure, or procurement of any other person to intercept or
  endeavor to intercept any wire, oral, or electronic communications
    >>> i.e. this isn’t the party trick you want to show your friends to demonstrate your hacking ability
Network Traffic Flows

• Switches forward packets based on the destination MAC address
    • Switches do not change the MAC or IP addresses in packets
• When the packet arrives at a switch, the switch checks that the packet has the correct checksum.
  If it’s correct, the packet is good; if it’s incorrect, the packet is deemed bad and discarded
• Switches typically maintain error counters to indicate how many packets they have discarded because
  of bad checksums
• If the checksum is good, the switch examines the destination MAC address and checks its MAC
  address table to determine whether it knows which switch port leads to the host using that MAC address
• If the switch doesn’t know the target, it sends the packet out all switch ports in the hope of discovering
  the target when it answers
• If the switch does know the target, it forwards the packet to that switch port
Routing Overview

• Routers forward packets based on the destination IP address in the IP header
• When a packet is sent to the MAC address of the router, the router examines the checksum to ensure
  the packet is valid
• If the packet is valid, the router strips the MAC header and examines the IP header to check the
  Time to Live and the destination of the packet
• If the packet is not valid, the packet is dropped
• If the packet has exceeded its Time to Live value, the router discards the packet and sends an ICMP
  Time to Live Exceeded message back to the sender
• If the packet is not too old, the router consults its routing tables to determine whether the destination IP
  network is known
• If the router is directly connected to the destination network, it sends the packet there; if the network is
  not directly known to it, the router decrements the Time to Live value, applies a new MAC header and
  then forwards the packet to the next-hop router
• Routers can contain rules that block or permit packets based on the addressing information
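The forwarding decision described above, worked through in Python as an added example (not code from the book or these notes): the checksum test, the Time to Live check with its ICMP reply, the longest-prefix routing-table lookup, and the choice between delivering to a directly connected network and forwarding to a next-hop router. The routing table, addresses and MAC headers are constructed for the example, and the TTL is decremented on both paths, as real routers do.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    dst_ip: str
    ttl: int
    checksum_ok: bool = True   # outcome of the IP header checksum test

# Constructed routing table: (network, next hop or None when directly connected, egress MAC header)
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), None, "02:00:00:00:01:01"),
    (ipaddress.ip_network("10.2.0.0/16"), None, "02:00:00:00:02:01"),
    (ipaddress.ip_network("192.168.0.0/16"), "10.2.0.254", "02:00:00:00:02:01"),  # via a next-hop router
    (ipaddress.ip_network("0.0.0.0/0"), "10.1.0.254", "02:00:00:00:01:01"),       # default route
]

def lookup(dst_ip):
    """Consult the routing table: the most specific (longest prefix) matching entry wins."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in ROUTES if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)

def route(pkt):
    """Apply the steps from the notes in order and return (action, detail)."""
    if not pkt.checksum_ok:
        return ("drop", "bad checksum")               # invalid packet: dropped
    if pkt.ttl <= 1:
        # decrementing would reach zero: discard and send ICMP Time to Live Exceeded to the sender
        return ("icmp-ttl-exceeded", "sent to source")
    network, next_hop, egress_mac = lookup(pkt.dst_ip)
    new_ttl = pkt.ttl - 1                             # TTL goes down by one at every router
    if next_hop is None:
        # destination network is directly connected: deliver to the host itself
        return ("deliver", f"ttl={new_ttl} mac={egress_mac} to {pkt.dst_ip}")
    # otherwise: new MAC header, forward to the next-hop router
    return ("forward", f"ttl={new_ttl} mac={egress_mac} to next hop {next_hop}")

if __name__ == "__main__":
    for p in (Packet("10.1.5.5", 64), Packet("192.168.7.7", 64), Packet("8.8.8.8", 1)):
        print(p.dst_ip, route(p))
```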
Proxy, Firewall and NAT/PAT Overview

• Firewalls are created to examine the traffic and allow/disallow communications based on a set of
  rules
• Basic firewalls operate at Layer 3 of the OSI model (network layer)
• Firewalls forward traffic that is not blocked by the firewall rules
• The firewall prepends a new MAC header to the packet before forwarding it
• If the system has Network Address Translation capabilities, the NAT system alters the IP address to
  hide the client’s private IP address
• NAT alters the source and destination IP addresses of the packet and tracks the connection
  relationships in a table
• Port Address Translation (PAT) alters the port information and uses this as a method for demultiplexing
  multiple internal connections, so the IP address on one side of a PAT will not match the IP addresses
  on the other side
Questions for Chapter 1

• What is the hardware address of the client that is browsing to maps.google.com?
• What is the IP address of the DNS server (which is also the router)?
• What is the hardware address of the DNS server/router?
• What IP addresses are associated with maps.google.com?
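As an added example (not from the book or these notes), a minimal libpcap reader in Python that walks a trace frame by frame, the way Wireshark's dissectors do, and pulls out the kind of answers the questions above ask for: the client's hardware address, the DNS server's IP and MAC, and the web server addresses the client then connects to. The trace is constructed inline with documentation addresses, not the book's http-wireshark-slow.pcapng, and the DNS reply is not decoded, so the "associated" addresses are read from the HTTP connections that follow the lookup.

```python
import struct

def build_pcap(frames):
    """Wrap raw frames in a classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # magic, v2.4, snaplen, linktype Ethernet
    recs = [struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return glob + b"".join(recs)

def frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet II + IPv4 + UDP (17) or TCP (6) header, no payload, checksums left at zero."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    l4 = struct.pack("!HH", sport, dport) + bytes(4 if proto == 17 else 16)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + l4

def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport) for every IPv4 frame in the file."""
    hexmac = lambda b: ":".join(f"{x:02x}" for x in b)
    dotted = lambda b: ".".join(str(x) for x in b)
    off = 24                                           # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]   # captured length of this record
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if f[12:14] != b"\x08\x00":
            continue                                   # EtherType is not IPv4
        ihl = (f[14] & 0x0F) * 4                       # IPv4 header length in bytes
        sport, dport = struct.unpack_from("!HH", f, 14 + ihl)
        yield hexmac(f[6:12]), hexmac(f[:6]), dotted(f[26:30]), dotted(f[30:34]), f[23], sport, dport

def chapter1_answers(data):
    """Client MAC, DNS server (IP, MAC), and the web server IPs the client talks to after resolving the name."""
    pkts = list(parse_pcap(data))
    client, dns = next((s, (dip, d)) for s, d, sip, dip, proto, sp, dp in pkts if proto == 17 and dp == 53)
    web = sorted({dip for s, d, sip, dip, proto, sp, dp in pkts if s == client and proto == 6 and dp == 80})
    return client, dns, web

# Constructed trace: DNS query to the router, its reply, then two HTTP connections to the resolved addresses
SAMPLE = build_pcap([
    frame("02:00:00:00:00:10", "02:00:00:00:00:01", "192.168.0.10", "192.168.0.1", 17, 53123, 53),
    frame("02:00:00:00:00:01", "02:00:00:00:00:10", "192.168.0.1", "192.168.0.10", 17, 53, 53123),
    frame("02:00:00:00:00:10", "02:00:00:00:00:01", "192.168.0.10", "203.0.113.10", 6, 50001, 80),
    frame("02:00:00:00:00:10", "02:00:00:00:00:01", "192.168.0.10", "203.0.113.11", 6, 50002, 80),
])

if __name__ == "__main__":
    print(chapter1_answers(SAMPLE))
```

Writing SAMPLE to a file and opening it in Wireshark shows the same four frames, so the parsed fields can be checked against the packet details pane.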
Chapter 2 Exam Objectives

• Wireshark Creation and Maintenance
• Obtain the Latest Version of Wireshark
• Compare Wireshark Release and Development Versions
• Report A Wireshark Bug or Submit an Enhancement
• Capture Packets on Wired or Wireless Networks
• Open Various Trace File Types
• Understand How Wireshark Processes Packets
• Use the Start Page
• Identify the Nine GUI Elements
• Navigate Wireshark’s Main Menu
• Use the Main Toolbar for Efficiency
• Focus Faster with the Filter Toolbar
• Make the Wireless Toolbar Visible
• Work Faster Using Right-Click Functionality
• Functions of the Menus and Toolbars
Files Used in this Exercise

• ftp-dir.enc
Types of Packet Capture

• libpcap – captures traffic on *NIX hosts
• WinPcap – Windows port of the libpcap link-layer interface; captures traffic on Windows
• AirPcap – link-layer interface and network adapter to capture wireless traffic on Windows
Expert Info Button & File Information
Expert Info Button

• Red – Highest Level is Errors
• Yellow – Highest level is Warnings
• Cyan – Highest level is Notes
• Blue – Highest level is Chats
• Green – There are packet comments, but no Errors, Warnings or Notes
• Grey – No Expert Info items
File Information
Packet Information and Profile
File & Edit Menus
Edit

• Mark Packets (Can be done for a single packet or a group of packets) (CTRL-M)
• Ignore Packets
• Time Shift (e.g. if you want to view all the packets in EST instead of the default)
• Edit or Add Packet Comments
View Menu

• View timestamp in Relative, Absolute, Absolute with Date, Delta …
• View Name Resolution at the MAC layer, network layer, and transport layer (by default
  Wireshark resolves the first three bytes of MAC addresses and the port number in use)
• View coloring rules
Coloring Rules
Go menu

• Go to corresponding packet
• Next Packet
• First or Last
• Packets in Conversation
Analyze Menu

• Follow TCP Stream, UDP Stream or SSL Stream
• Display Filters
• Apply as a Filter
• Decode as (to use a specific dissector on the traffic)
• Expert Info
Expert Info
Statistics

• Summary
• Endpoints
• Conversations
• Protocol Hierarchy (things like % of traffic)
• Conversations and Endpoints (to check out conversations between specific communications)
• Packet Lengths
• IP Addresses and Destinations
• HTTP Statistics
Tools

• Firewall ACL Rules (Access control lists)
Finding a Packet

• Ctrl-F
• Search based on filter value, hex value or an ASCII string
• Search in packet list, packet details or packet bytes
Filter Toolbar
Questions Chapter 2

• What is the purpose of WinPcap?
• Open the ftp-dir.enc file
• What is the highest level of expert information contained in this trace file?
• What profile has been applied?
• What is the time display format setting?
• Did Wireshark resolve IP addresses to names?
• Hint: Each of these items can be determined through the Wireshark status bar or Main Menu system
Chapter 3 Exam Objectives

• Know Where to Tap into the Network
• Run Wireshark Locally
• Capture Traffic on Switched Networks
• Use a Test Access Port (TAP) on Full-Duplex Networks
• Set up Port Spanning/Port Mirroring on a Switch
• Analyze Routed Networks
• Analyze Wireless Networks
• Capture at Two Locations
• Select the Right Capture Interface
• Capture on Multiple Adapters Simultaneously
• Interface Details (Windows)
• Capture Traffic Remotely
• Automatically Save Packets to One or More Files
• Optimize Wireshark to Avoid Dropping Packets
• Conserve Memory with Command-Line Capture
Files Used in this Exercise
Know Where to Tap Into the Network

• Consider the network diagram shown to the right. Client A is complaining
• We’d want to place our network analyzer as close to Client A as possible to identify traffic issues
  from A’s perspective
• If everyone on Router A is complaining, you can place it closer to that device
Run Wireshark Locally

• One option is to run it from the system that you want to capture traffic to or from
• However, sometimes that is not possible because of the security measures required to get Wireshark
  installed on the user’s machine
• Portable Wireshark can be installed on a PortableApps-enabled device
Capture Traffic on Switched Networks

• Switches help control and isolate network traffic
• When you connect Wireshark to a switch port, you will only see up to four types of traffic by default:
    • Broadcast traffic
    • Multicast traffic
    • Traffic to and from your own hardware address
    • Traffic to an unknown hardware address
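The switch behaviour from the Network Traffic Flows section (checksum test, MAC table learning, flooding of unknown destinations) explains the four traffic types listed above; as an added example (not from the book or these notes), a Python model of a learning switch run against a constructed frame sequence shows exactly which frames reach an analyzer plugged into an ordinary switch port. Port names and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A, HOST_B, SNIFFER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
UNKNOWN, MCAST = "02:00:00:00:00:0d", "01:00:5e:00:00:fb"    # constructed addresses

@dataclass
class Frame:
    src: str
    dst: str
    fcs_ok: bool = True        # outcome of the frame check sequence (checksum) test

class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}    # MAC -> port, learned from the source address of each good frame
        self.discarded = 0     # error counter for frames discarded because of a bad checksum

    def receive(self, in_port, frame):
        """Return the set of ports the frame is sent out of (empty when it is discarded)."""
        if not frame.fcs_ok:
            self.discarded += 1
            return set()
        self.mac_table[frame.src] = in_port
        group = int(frame.dst[:2], 16) & 1 == 1         # group bit set: multicast, including broadcast
        if group or frame.dst not in self.mac_table:
            return self.ports - {in_port}               # flood: broadcast, multicast or unknown unicast
        return {self.mac_table[frame.dst]} - {in_port}  # known unicast: only the port that leads there

def sniffer_view(switch, sniffer_port, traffic):
    """(src, dst) of every frame an analyzer on sniffer_port receives from the switch or sends itself."""
    # receive() is evaluated first so the switch learns from the analyzer's own frames too
    return [(f.src, f.dst) for p, f in traffic if sniffer_port in switch.receive(p, f) or p == sniffer_port]

# Constructed sequence: host A on p1, host B on p2, the analyzer on p3
TRAFFIC = [
    ("p1", Frame(HOST_A, BROADCAST)),            # broadcast: flooded, the analyzer sees it
    ("p2", Frame(HOST_B, HOST_A)),               # A already learned on p1: the analyzer does not see it
    ("p1", Frame(HOST_A, HOST_B)),               # B learned on p2: not seen either
    ("p3", Frame(SNIFFER, BROADCAST)),           # the analyzer's own frame; the switch learns p3
    ("p1", Frame(HOST_A, SNIFFER)),              # unicast to the analyzer's own hardware address
    ("p1", Frame(HOST_A, MCAST)),                # multicast: flooded
    ("p1", Frame(HOST_A, UNKNOWN)),              # destination never seen: flooded until it answers
    ("p2", Frame(HOST_B, HOST_A, fcs_ok=False)), # bad checksum: discarded, error counter incremented
]

def demo():
    sw = Switch(["p1", "p2", "p3"])
    return sniffer_view(sw, "p3", TRAFFIC), sw.discarded
```

The two unicast frames between A and B never reach p3, which is why a TAP or port mirroring is needed to see them.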
Using Analyzer Agents for Remote Capture

• Analyzer agents are used by distributed analyzers
• Analyzer agents enable you to manage switched traffic from a central location
Analyze Routed Networks

• Routers isolate traffic based on the network address such as IP address
• If you place wireshark on one side of a router, you will only see traffic that is destined to or coming
  from that network
Analyze Wireless Networks

• Start from the bottom and move up through the protocol stack when analyzing a WLAN environment
• Wireshark cannot identify unmodulated RF energy or interference
• Use a spectrum analyzer to identify these problems
• Wireshark’s location on a wireless network is similar to its location in a wired network – start as
  close as possible to the complaining user
• Once you have determined that interference is not an issue, move up to the packet level to examine
  the WLAN traffic
Dual Captures

• It may be necessary to capture traffic on two or more systems. This is called dual capture
• Traffic can be captured using tshark or Wireshark
• Both analyzer systems should be time-synchronized
• Mergecap can be used to combine the trace files
Capture Traffic Remotely

• There may be times when you want to capture traffic remotely but analyze it locally
• Some switches offer remote spanning capability
• You can also use the remote capture abilities in tools like WinPcap
Questions

• If you connect a Wireshark host directly into a switch, what traffic can you expect to see by default?
• What is the difference between monitor mode and promiscuous mode?