Slides: icarus.cs.weber.edu/~kfeuz/downloads/saintcon16.pdf
Wireshark: Are You Under Attack?
Kyle Feuz, School of Computing
Introduction
• Download Wireshark and capture files
– https://www.wireshark.org/download.html
– http://icarus.cs.weber.edu/~kfeuz/downloads/saintcon2016_captures.zip
• Know the law (and company policy)
• Skills needed and skills covered
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
SSL Decryption
• Private key
• Symmetric key (SSLKEYLOGFILE)
• SSL Proxy (MITM)
Live Demo/Practice
• Files
– ssl_saintcon
– ssl_saintcon_key
– ssl_weber
– ssl_weber_key
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
Baselining
• What does “normal” look like?
• Protocols used and percentage of traffic
• Common hosts and percentage of traffic
• Varies by network and over time
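Baselining as a computation, added here as an example (mine, not part of Kyle Feuz's slides): the protocol mix and source-host mix of a capture are compared against a baseline capture, and anything whose share moved by more than a threshold of percentage points is reported. The packet records are constructed inline to stand in for what Wireshark's Statistics > Protocol Hierarchy and Statistics > Endpoints would show; the addresses, protocol labels and the 10-point threshold are my assumptions.

```python
"""Added example: compare a capture's protocol/host mix against a baseline.
Records are constructed (src_ip, dst_ip, protocol) tuples; in practice they
would come from a pcap parser or tshark field output."""
from collections import Counter

# Constructed baseline: two workstations doing DNS, HTTPS and SSH.
BASELINE = (
    [("10.0.0.5", "10.0.0.1", "DNS")] * 10
    + [("10.0.0.5", "93.184.216.34", "HTTPS")] * 60
    + [("10.0.0.6", "10.0.0.1", "DNS")] * 10
    + [("10.0.0.6", "10.0.0.9", "SSH")] * 20
)
# Constructed later capture: HTTPS share halves and a new host talks IRC.
SUSPECT = (
    [("10.0.0.5", "10.0.0.1", "DNS")] * 10
    + [("10.0.0.5", "93.184.216.34", "HTTPS")] * 30
    + [("10.0.0.6", "10.0.0.1", "DNS")] * 10
    + [("10.0.0.6", "10.0.0.9", "SSH")] * 10
    + [("10.0.0.7", "10.0.0.1", "IRC")] * 40
)

def shares(records, key):
    """Return {value: percentage of packets} for the field selected by key()."""
    counts = Counter(key(r) for r in records)
    total = sum(counts.values())
    return {k: 100.0 * v / total for k, v in counts.items()}

def deviations(baseline, current, key, threshold_pts):
    """Values whose share moved by more than threshold_pts percentage points.
    Returns {value: (baseline_pct, current_pct)}; a value present in only one
    capture is reported with 0.0 on the missing side, so new protocols and
    new hosts surface even when the rest of the mix is unchanged."""
    b, c = shares(baseline, key), shares(current, key)
    out = {}
    for k in set(b) | set(c):
        bp, cp = b.get(k, 0.0), c.get(k, 0.0)
        if abs(cp - bp) > threshold_pts:
            out[k] = (round(bp, 1), round(cp, 1))
    return out

def protocol_deviations(baseline, current, threshold_pts=10.0):
    """Protocol share drift (what Protocol Hierarchy shows as percentages)."""
    return deviations(baseline, current, lambda r: r[2], threshold_pts)

def host_deviations(baseline, current, threshold_pts=10.0):
    """Source-host share drift (what Endpoints shows per address)."""
    return deviations(baseline, current, lambda r: r[0], threshold_pts)

if __name__ == "__main__":
    print("protocols:", protocol_deviations(BASELINE, SUSPECT))
    print("hosts:", host_deviations(BASELINE, SUSPECT))
```

The threshold is deliberately in percentage points rather than a ratio so that a protocol going from 0% to 5% does not trip it while a swing from 60% to 30% does; tune it per network, since the slide's point is that the baseline varies by network and over time.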
Live Demo/Practice
• Compare
– baseline.pcapng
– double_time.pcapng
Merge multiple files
• File -> Merge
• Drag-and-Drop
• Mergecap
Live Demo/Practice
• Merge the files by appending
– baseline.pcapng
– double_time.pcapng
• Merge the capture files by timestamp
– NAT_front.pcapng
– NAT_back.pcapng
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
Custom Profiles
• Capture Filters
• Display Filters
• Coloring Rules
• Etc.
Live Demo/Practice
• Create a new profile for Demo
• Create a new profile for NetworkRecon
• Create a new profile for Spoofing Attacks
Finding the Needle
• Capture filters
– More efficient capture
– Limit what is seen
– Cannot recover what has been filtered
– Use sparingly
Finding the Needle
• Display Filters
– Limit packets currently displayed
– Great for focusing
– No efficiency boost
– Can export packets
– Use generously
Display Filters
• Presets
– Using
– Modifying
• Freeform
• Expression Builder
• Shortcut buttons
• IO Graphs
Live Demo/Practice
• Load baseline.pcapng
• Which host is an ssh server?
• What UDP protocols are used?
• Which IP address is associated with MAC Address: XXX
Finding the Needle
• Coloring Rules
– All data is still visible
– Make certain data stand out or fade
– Use generously
– Set up different configurations
Live Demo/Practice
• Load baseline.pcapng
• Color all SSH traffic
• Color all traffic on port 443
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
Network Reconnaissance
• Host Scanning
• Port Scanning
• OS Detection
Host Scanning
• DNS
• ARP
• ICMP
• TCP/UDP
Live Demo/Practice
• Create coloring rules and filters
• Files
– nmap_sL*
– nmap_sn*
– nmap_external_*
Port Scanning
• Half-open
• Full-connect
• Null scan, Xmas, FIN, ACK scans

| Protocol | Port | Protocol | Port |
|---|---|---|---|
| FTP | 21 | DNS | 53 |
| SSH | 22 | DHCP | 67, 68 |
| Telnet | 23 | SNMP | 161, 162 |
| SMTP | 25 | NetBIOS | 137, 139 |
| HTTP | 80 | | |
| HTTPS | 443 | | |
Live Demo/Practice
• Create coloring rules and filters
– nmap_half*
– nmap_full*
– nmap_null*
– nmap_xmas*
– nmap_fin*
– nmap_ack*
– nmap_udp*
OS Detection
• OSes respond differently to different packets
• ICMP type 8 no payload
• ICMP type 8 with an unusual code (i.e., non-zero)
• ICMP type 13, 15, 17
• TCP with unusual flag/option settings
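The OS-detection slide lists packets that a normal stack never sends on its own; the added example below (mine, not from the talk) turns that list into a triage pass over constructed packet records: echo requests with an empty payload or a non-zero code, ICMP types 13/15/17, and TCP segments with contradictory flags or options that only belong in a SYN. The dict field names, the sample values and the option names (`MSS`, `WScale`) are my assumptions; the display filters in the docstring are standard Wireshark syntax.

```python
"""Added example (not from the talk): flag ICMP and TCP segments whose shape
only makes sense as an OS-detection probe. Packet records are constructed
dicts; the field names are my assumptions, not Wireshark's.
Equivalent Wireshark display filters:
  icmp.type == 8 && icmp.code != 0
  icmp.type == 13 || icmp.type == 15 || icmp.type == 17
  tcp.flags.syn == 1 && tcp.flags.fin == 1
"""
ICMP_PROBE_TYPES = {13: "timestamp request", 15: "information request",
                    17: "address mask request"}

def icmp_anomalies(icmp_type, code, payload_len):
    """Oddities in a single ICMP message (type/code numbers per RFC 792)."""
    findings = []
    if icmp_type == 8 and payload_len == 0:
        findings.append("echo request with empty payload")
    if icmp_type == 8 and code != 0:
        findings.append(f"echo request with non-zero code {code}")
    if icmp_type in ICMP_PROBE_TYPES:
        findings.append(ICMP_PROBE_TYPES[icmp_type])
    return findings

def tcp_anomalies(flags, options):
    """flags: set of flag letters (S A F P U R, plus E=ECE, C=CWR);
    options: list of (name, value) as parsed from the TCP header."""
    findings = []
    if "S" in flags and "F" in flags:
        findings.append("SYN+FIN")
    if "S" in flags and "R" in flags:
        findings.append("SYN+RST")
    if "S" in flags and "A" not in flags and flags & {"E", "C"}:
        findings.append("ECN bits on initial SYN")
    names = [name for name, _ in options]
    for name, value in options:
        if name in ("MSS", "WScale") and "S" not in flags:
            findings.append(f"{name} option on non-SYN segment")  # only valid in a SYN
        if name == "MSS" and value < 536:
            findings.append(f"tiny MSS {value}")  # below the 536-byte IPv4 default MSS
    if len(names) != len(set(names)):
        findings.append("duplicated TCP option")
    return findings

def triage(packets):
    """Return {packet index: findings} for packets with at least one finding."""
    out = {}
    for i, p in enumerate(packets):
        if p["proto"] == "icmp":
            f = icmp_anomalies(p["type"], p["code"], p["payload_len"])
        else:
            f = tcp_anomalies(set(p["flags"]), p["options"])
        if f:
            out[i] = f
    return out

# Constructed sample: two ordinary packets (0 and 3) among five probe-shaped ones.
SAMPLE = [
    {"proto": "icmp", "type": 8, "code": 0, "payload_len": 56},   # ordinary ping
    {"proto": "icmp", "type": 8, "code": 9, "payload_len": 0},    # empty, odd code
    {"proto": "icmp", "type": 13, "code": 0, "payload_len": 0},   # timestamp request
    {"proto": "tcp", "flags": "S", "options": [("MSS", 1460), ("SACK", None),
                                                ("Timestamp", (1, 0)), ("NOP", None),
                                                ("WScale", 7)]},  # ordinary SYN
    {"proto": "tcp", "flags": "SEC", "options": [("WScale", 10), ("NOP", None),
                                                  ("MSS", 265)]},  # ECN probe, tiny MSS
    {"proto": "tcp", "flags": "SF", "options": []},               # SYN+FIN
    {"proto": "tcp", "flags": "A", "options": [("MSS", 1460)]},   # MSS outside a SYN
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE).items():
        print(idx, findings)
```

In a Wireshark profile these checks map one-to-one onto coloring rules, which is how the slides suggest using them: the ordinary packets keep the default color and the probe-shaped ones are painted, so a burst of them from one source is visible without filtering anything out.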
Live Demo/Practice
• Create coloring rules and filters
– nmap_os*
Others
• Traceroute
• Zombie scan
• IP Protocol scans
Live Demo/Practice
• Create Coloring Rules and Filters
– nmap_idle*
– nmap_sO*
– traceroute*
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
ARP Spoofing
• Hide true source
• DoS
• MITM
• Force “Hub” behavior
Live Demo/Practice
• Create coloring rules and filters
– nmap_spoofed_mac
– macof_flood
– arp_poison
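The ARP Spoofing slide and the practice files above (nmap_spoofed_mac, macof_flood, arp_poison) cover three things a capture can reveal: an IP address claimed by more than one MAC, replies nobody asked for, and a flood of distinct source MACs meant to overflow the switch's table and force "hub" behavior. The added example below (mine, not from the talk) implements those three checks over constructed ARP records; the addresses, window sizes and flood threshold are my assumptions. Wireshark's own `arp.duplicate-address-detected` filter covers the first check.

```python
"""Added example (not from the talk): three ARP-layer checks over constructed
records of the form (timestamp_s, opcode, sender_mac, sender_ip,
target_mac, target_ip); opcode 1 = request, 2 = reply."""
from collections import defaultdict, deque, Counter

def arp_conflicts(records):
    """IPs claimed by more than one MAC in replies -> {ip: [macs in order seen]}."""
    claims = defaultdict(list)
    for _ts, op, smac, sip, _tmac, _tip in records:
        if op == 2 and smac not in claims[sip]:
            claims[sip].append(smac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def unsolicited_replies(records, window=2.0):
    """Replies not preceded by a request for that IP within `window` seconds.
    Returns [(timestamp, claimed_ip, sender_mac)]."""
    last_request = {}
    out = []
    for ts, op, smac, sip, _tmac, tip in records:
        if op == 1:
            last_request[tip] = ts
        elif op == 2:
            asked = last_request.get(sip)
            if asked is None or ts - asked > window:
                out.append((ts, sip, smac))
    return out

def mac_flood(records, window=1.0, threshold=50):
    """True if more than `threshold` distinct sender MACs appear inside any
    sliding window of `window` seconds (the shape of a CAM-table flood)."""
    recent, counts = deque(), Counter()
    for ts, _op, smac, _sip, _tmac, _tip in records:
        recent.append((ts, smac))
        counts[smac] += 1
        while recent and ts - recent[0][0] > window:
            _old_ts, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > threshold:
            return True
    return False

# Constructed sample: a normal exchange, then a third MAC claims both sides.
GW_MAC, GW_IP = "00:11:22:33:44:01", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:05", "10.0.0.5"
ATTACKER = "de:ad:be:ef:00:01"
ZERO = "00:00:00:00:00:00"
SAMPLE = [
    (0.0, 1, VICTIM_MAC, VICTIM_IP, ZERO, GW_IP),   # who has 10.0.0.1?
    (0.1, 2, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),  # gateway answers
    (0.2, 1, GW_MAC, GW_IP, ZERO, VICTIM_IP),       # who has 10.0.0.5?
    (0.3, 2, VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),  # victim answers
    (5.0, 2, ATTACKER, GW_IP, VICTIM_MAC, VICTIM_IP),  # unasked: "10.0.0.1 is at attacker"
    (5.1, 2, ATTACKER, VICTIM_IP, GW_MAC, GW_IP),      # unasked: "10.0.0.5 is at attacker"
]
# Constructed flood: 200 requests from 200 different MACs in two seconds.
FLOOD = [(i * 0.01, 1, f"02:00:00:00:{i >> 8:02x}:{i & 255:02x}",
          f"10.1.{i >> 8}.{i & 255}", ZERO, GW_IP) for i in range(200)]

if __name__ == "__main__":
    print("conflicts:", arp_conflicts(SAMPLE))
    print("unsolicited:", unsolicited_replies(SAMPLE))
    print("flood:", mac_flood(FLOOD), mac_flood(SAMPLE))
```

The conflict check alone is not proof of an attack (a host whose NIC was replaced will trip it once); it is the combination with unsolicited replies aimed at both ends of a conversation that matches the MITM case on the slide, while the flood check corresponds to the "hub" case where the goal is to see everyone's traffic rather than to redirect one host's.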
IP Spoofing
• Hide true source
• DoS
Live Demo/Practice
• Create coloring rules and filters
– nmap_idle
– nmap_spoofed_ip
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
Scan/Probe Tools
• Nmap
• NetScanTools Pro
• Xprobe
Live Demo/Practice
• Which tool was used?
– Probe1.pcapng
– Probe2.pcapng
IRC Bots
• Standard IRC Ports
• Large number of DNS responses
Heartbleed
• Malformed SSL Heartbeat message
• Payload length invalid
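The two bullets above are the whole signature: a TLS heartbeat message whose declared payload length cannot fit in the record that carries it. The added example below (mine, not from the talk) parses a plaintext heartbeat record per the RFC 6520 layout (record header, then 1-byte message type, 2-byte payload_length, payload, at least 16 bytes of padding) and reports the mismatch; the two sample records are constructed byte strings, one well-formed and one with an oversized length field. Because the capture files in the next slide come in encrypted and decrypted forms, the check only applies after the session has been decrypted (private key or SSLKEYLOGFILE, as in the SSL Decryption slide); in Wireshark the same field is `ssl.heartbeat_message.payload_length` (`tls.` in newer versions).

```python
"""Added example (not from the talk): check a plaintext TLS heartbeat record
for a payload_length that exceeds what the record actually carries.
Layout per RFC 6520 / RFC 5246: TLS record = type(1) version(2) length(2) body;
heartbeat body = type(1) payload_length(2) payload padding(>=16)."""
import struct

HEARTBEAT_RECORD = 0x18   # TLS ContentType for heartbeat
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding

def parse_heartbeat_record(data):
    """Parse one plaintext heartbeat record and flag an unsatisfiable length.
    RFC 6520 says a receiver must silently discard a message whose
    payload_length is larger than the record length minus 3 minus padding;
    an implementation that instead trusts the field is what Heartbleed hit."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != HEARTBEAT_RECORD:
        raise ValueError(f"not a heartbeat record (content type {ctype})")
    body = data[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = len(body) - 3                   # bytes left for payload + padding
    return {
        "version": version,
        "record_length": rec_len,
        "hb_type": hb_type,                     # 1 = request, 2 = response
        "payload_length": payload_len,
        "available": available,
        "malformed": payload_len + MIN_PADDING > available,
    }

def is_heartbleed_probe(data):
    """True when the record parses as a heartbeat and its length field lies."""
    try:
        return parse_heartbeat_record(data)["malformed"]
    except ValueError:
        return False

# Constructed well-formed request: TLS 1.1 record, 23-byte body =
# type 1, payload_length 4, payload "ping", 16 bytes of padding.
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Constructed malformed request: 3-byte body declaring a 16384-byte payload.
MALFORMED = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
# A non-heartbeat record (application data) is simply not a match.
APPDATA = b"\x17\x03\x02\x00\x05" + b"hello"

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED), ("appdata", APPDATA)):
        print(name, is_heartbleed_probe(rec))
```

The useful quantity to color or filter on is the gap between `payload_length` and `available`: a legitimate heartbeat has the two within padding distance of each other, so a rule on that difference catches the probe regardless of the exact value an attacker chose for the length field.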
Live Demo/Practice
• Create coloring rules and capture filters
– heartbleed_encrypted
– heartbleed_decrypted
Outline
• Introduction
• Where and How to sniff
• Having a baseline
• Finding the Needle
• Network Reconnaissance
• ARP/IP spoofing
• Malware/tool specific signatures
• Putting it all together
Live Demo/Practice
• Sharkfest 13 Challenges
– 1 challengescan
– 2 challengewhatsup
– 4 challengeattack
– 7 challengeboyscout
Thank You!