Watching the Wire

CCTC - Networking

Outcomes

SKILL CCNE009: Identify packet sniffing tools
SKILL CCNE010: Identify implications of network traffic captures

Objectives

CCNE009.001: Explain Using Berkeley Packet Filters (BPF) with sniffing tools

CCNE009.002: Use BPFs to view multiple protocol types

CCNE009.003: Demonstrate packet decoding features of tools

CCNE009.004: Identify how sniffing and filtering relate to DNS protocol (poisoning/misuse)

CCNE010.001: Discuss security implications of major protocol traffic in base-lining

CCNE010.002: Explain why network monitoring tools are deployed

CCNE010.003: Explain the impact of network monitoring tools in exploitation operations

CCNE010.004: Explain the impact of network monitoring tools in DODIN operations

Sniffing Basics

- Software vs. Hardware Sniffing

- Mirrored port vs. Tap

- NIC modes (Promiscuous or not)

Wireshark

  • Great for viewing detailed traffic information in a graphical format (not well suited for large pcaps)
  • Remote capture (Windows only)
    • Start a Remote Packet Capture Protocol (local service) on target (WinPCAP)
    • Connect a remote interface in Wireshark to target IP:2002
  • Firewall rules
  • Exporting objects
  • Geo location
    • Download DBs from maxmind.com; Edit > Preferences > Name Resolution

(Obj. 9.003 Demonstrate packet decoding features of tools)

Decrypting Traffic


  • Wireshark can only decrypt SSL/TLS packet data with the server's private key if RSA is used for the key exchange.

  • If a Diffie-Hellman Ephemeral (DHE) or ephemeral RSA cipher suite is used, the RSA key is only used to secure the DH or RSA exchange, not to encrypt the data.

You can use:

  • Server's Private Key (RSA key exchange only)
  • Pre-Master Secret (logged by the client, e.g. via the SSLKEYLOGFILE method in the reference below; this works regardless of the key exchange used)

References:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

TCPDump


  • TCPDump can capture/parse large amounts of traffic

  • TCPDump can be run without displaying the captured traffic (e.g. writing it directly to a capture file with -w)

  • -X provides payload information (similar to the hexadecimal/interpretation window in Wireshark)

  • Header information can be displayed at various levels of detail (verbosity) with -v, -vv, or -vvv


Activity Time!



TCPDump Basics and Filters

What is Happening Here

Funny Traffic

Extracting Files

Why Filter Outputs?



- Reduce Resource consumption (CPU or Storage)

- Limit scope of captured traffic

- Target traffic capture down to the bit!







How do I Filter Outputs?



- Programs like TCPDump can use built-in 'primitives', like 'net', 'port', etc., and qualifiers like 'src' or 'dst' (Wireshark has its own set of 'expressions' for the same purpose)

- Primitives are user-friendly shortcuts to BPF, but they can't target traffic as granularly as a pure BPF





Berkeley Packet Filters



  • BPF allows a user-space program (like TCPDump or IPTables) to attach a custom filter onto any socket

  • The filter code is sent to the kernel via the SO_ATTACH_FILTER option

  • Libpcap is the library that does this on behalf of TCPDump, for example.

  • The libpcap internal compiler takes the user input filter and generates a structure that can be loaded via SO_ATTACH_FILTER to the kernel.



Berkeley Packet Filters


Can you figure out what the filter is that produced this bytecode?

# tcpdump -d '____ and ____'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23]
(003) jeq #0x1 jt 4 jf 5
(004) ret #262144
(005) ret #0

Berkeley Packet Filters


Can you fill in the blanks in the bytecode this filter produces?

# tcpdump -d 'arp'
(000) ldh [12]
(001) jeq #____ jt ___ jf ___
(002) ret #262144
(003) ret #0



Berkeley Packet Filter with Indexing

Primitives like 'tcp port 53' work for filtering, but a BPF provides a more powerful mechanism using byte indexing.

For example: tcpdump 'ip[0] > 69' looks for any packet with IP options set (0x45 = 69 is the first byte of a plain IPv4 header with no options)

To capture specific information, try masking:

tcpdump 'ip[ byte ] & mask condition'

tcpdump 'ip[0] & 0x0F > 0x05'

Original - 0100 0110 (options set)
Mask     - 0000 1111
Result   - 0000 0110



Berkeley Packet Filter (cont.)


tcpdump 'tcp[13] & 18 != 0 && tcp[13] & 18 != 16'

[ byte offset ] mask condition

What does this filter show you?

Hint: A mnemonic for the TCP flags, in order:

Unskilled Attackers Pester Real Security Folk
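As an added example (not part of the slides), the following Python mirrors the load/mask/compare arithmetic that tcpdump compiles into BPF for byte-index filters, evaluating the slide's 'ip[0] > 69' and 'ip[0] & 0x0F > 0x05' against two constructed Ethernet/IPv4/TCP frames; the frame builder, sample field values and function names are assumptions for illustration.

```python
import struct

# Added example (not from the slides): evaluate tcpdump-style byte-index filters
# such as "ip[0] & 0x0F > 0x05" in pure Python, mirroring the load/mask/compare
# steps that tcpdump compiles into BPF bytecode for the kernel.

ETH_LEN = 14  # 'ip[n]' offsets count from the start of the IPv4 header

def ip_byte(frame, offset):
    """Byte at ip[offset] in an Ethernet/IPv4 frame."""
    return frame[ETH_LEN + offset]

def tcp_byte(frame, offset):
    """Byte at tcp[offset]; the TCP header starts after IHL * 4 bytes of IP header."""
    ihl = ip_byte(frame, 0) & 0x0F
    return frame[ETH_LEN + ihl * 4 + offset]

OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
       "=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def matches(frame, proto, offset, mask, op, value):
    """Evaluate proto[offset] & mask <op> value, e.g. matches(f, 'ip', 0, 0x0F, '>', 5)."""
    byte = ip_byte(frame, offset) if proto == "ip" else tcp_byte(frame, offset)
    return OPS[op](byte & mask, value)

def build_frame(ip_options=b"", tcp_flags=0x02):
    """Constructed Ethernet + IPv4 + TCP frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    ihl = 5 + len(ip_options) // 4                          # header length in 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0x1234,
                         0x4000, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip_hdr + ip_options + tcp_hdr

PLAIN = build_frame()                                       # ip[0] = 0x45, no options
WITH_OPTIONS = build_frame(ip_options=b"\x01\x01\x01\x01")  # ip[0] = 0x46, four NOP options

if __name__ == "__main__":
    # Unmasked check from the slide: ip[0] > 69 (0x45 = 69 fails, 0x46 = 70 passes)
    print(matches(PLAIN, "ip", 0, 0xFF, ">", 69), matches(WITH_OPTIONS, "ip", 0, 0xFF, ">", 69))
    # Masked check: ip[0] & 0x0F > 0x05 isolates the IHL nibble (0x46 & 0x0F = 0x06)
    print(matches(PLAIN, "ip", 0, 0x0F, ">", 5), matches(WITH_OPTIONS, "ip", 0, 0x0F, ">", 5))
```

The same matches() call with proto 'tcp' and offset 13 reads the TCP flags byte, so the 'tcp[13] & 18' filter above can be tried against frames built with different tcp_flags values.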

Practice
Writing BPFs


Flow Analysis



  • netflow - Developed by Cisco, IP traffic only, aggregates “flows” and sends statistics to a collection point for analysis

  • sflow - Industry standard, not restricted to IP, can monitor interface statistics, samples 1 in n packets and sends them to a collection point - built into the ASIC




Server Identification



  • OS detection can be helpful in exploiting vulnerabilities in targets.

  • Many vulnerabilities require custom exploits to match the target OS and hardware architecture in order to be effective

  • Back-porting: Often vendors will take a fix/patch from a recent version of software and apply it to older versions.

This means a vulnerability noted for the older OS version you identified may already have been patched!

Signatures

  • TTL

  • DF - Don't Fragment bit (set/increment)

  • TOS - Type of Service bits (set/value)

  • IP Identification numbers (Cisco starts at 0 instead of randomizing)

  • TCP Options (Window Size/Scale/MSS, etc.)

  • Selective Acknowledgement (RFC 2018); commonly used by Windows/Linux, not always by FreeBSD/Solaris


Fragmented Packet



  • IP Identification number is the same for each fragment in order to relate them
  • Fragment Offset is expressed in 8-byte units (data bytes / 8) per RFC 791



Fragment Reassembly


  • First - Always accept the first value received for each offset in the packet

  • Last (RFC 791) - Always take the last value received for each offset in the packet

  • BSD - This policy left-trims fragments to existing fragments with an offset; overlapping fragments with a greater offset are discarded or trimmed

  • BSD-Right - This policy is similar to BSD, except fragments are right-trimmed (new fragments take precedence over those with a lesser or equal offset).

  • Linux - The Linux policy is almost the same as the BSD policy, except existing fragments with an equal offset will be overwritten, at least in part.

References: https://www.sans.org/reading-room/whitepapers/detection/ip-fragment-reassembly-scapy-33969
http://www.icir.org/vern/papers/activemap-oak03.pdf
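As an added example (not from the slides or the referenced papers), this Python reassembles a constructed stream of overlapping IP fragments under the "First" and "Last" policies listed above, showing why a sensor must know the target host's policy to see the same payload the host does; the BSD, BSD-Right and Linux trimming policies are not modelled, and the packet tuples, IP IDs and function names are assumptions for illustration.

```python
from collections import defaultdict

# Added example (not from the slides): reassemble IP fragments that share an IP ID
# under the "First" and "Last" policies listed above, to show that one fragment
# stream can produce different payloads depending on the receiving host. The
# BSD, BSD-Right and Linux trimming policies are not modelled here.

def group_by_id(packets):
    """Group (ip_id, fragment_offset_field, data) tuples by IP ID, as a reassembler does.
    The offset field counts 8-byte units (RFC 791), so it is scaled to a byte offset."""
    groups = defaultdict(list)
    for ip_id, offset_field, data in packets:
        groups[ip_id].append((offset_field * 8, data))
    return groups

def reassemble(fragments, policy):
    """Rebuild one datagram's payload from (byte_offset, data) pairs.
    'first' keeps the first value seen for each byte, 'last' keeps the last."""
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    buf = {}
    for offset, data in fragments:
        for i, value in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = value
    end = max(buf) + 1 if buf else 0
    if any(pos not in buf for pos in range(end)):
        raise ValueError("fragment stream has a hole; datagram incomplete")
    return bytes(buf[pos] for pos in range(end))

def reassemble_all(packets, policy):
    """Reassemble every datagram in a constructed packet list under one policy."""
    return {ip_id: reassemble(frags, policy)
            for ip_id, frags in group_by_id(packets).items()}

# Constructed fragment stream (sample data, not a capture). The third 0x1234
# fragment overlaps the second one completely with different content.
PACKETS = [
    (0x1234, 0, b"AAAAAAAA"),
    (0x1234, 1, b"BBBBBBBB"),
    (0x5678, 0, b"ZZZZZZZZ"),   # unrelated datagram interleaved in the stream
    (0x1234, 1, b"CCCCCCCC"),
    (0x1234, 2, b"DDDD"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble_all(PACKETS, policy)[0x1234])
```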

Packet Injection


  • Edge and Core ISPs
  • Censorship, advertising, malware, notifications
  • Comcast published an RFC (RFC 6108) in 2011 explaining their packet injection/redirection techniques

Do packet injections by ISPs used in seemingly benign ways put users at risk?

References:
https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study-wp.pdf
http://thehackernews.com/2016/02/china-hacker-malware.html
https://tools.ietf.org/html/rfc6108#page-13
https://www.techdirt.com/blog/?tag=packet+injection

Network Monitoring




  • IDS/IPS

  • Packet analysis (Wireshark/TCPDump)

  • Log analysis

  • Sensors