Watching the Wire

CCTC - Networking

Outcomes

SKILL CCNE009: Identify packet sniffing tools
SKILL CCNE010: Identify implications of network traffic captures

Objectives

CCNE009.001: Explain using Berkeley Packet Filters (BPF) with sniffing tools

CCNE009.002: Use BPFs to view multiple protocol types

CCNE009.003: Demonstrate packet decoding features of tools

CCNE009.004: Identify how sniffing and filtering relate to DNS protocol (poisoning/misuse)

CCNE010.001: Discuss security implications of major protocol traffic in base-lining

CCNE010.002: Explain why network monitoring tools are deployed

CCNE010.003: Explain the impact of network monitoring tools in exploitation operations

CCNE010.004: Explain the impact of network monitoring tools in DODIN operations

Sniffing Basics



- Software vs. Hardware Sniffing

- Mirrored port vs. Tap

- NIC modes (Promiscuous or not)







  • Great for viewing detailed traffic information in a graphical format (not well suited for large pcaps)
  • Remote capture (Windows only)
    • Start the Remote Packet Capture Protocol (a local service shipped with WinPcap) on the target
    • In Wireshark, connect to the remote interface at the target's IP on port 2002
  • Firewall rules
  • Exporting objects
  • Geolocation
    • Download the databases from maxmind.com; Edit > Preferences > Name Resolution

(Obj. 9.003 Demonstrate packet decoding features of tools)

Decrypting Traffic


  • Wireshark can only decrypt SSL/TLS packet data if RSA keys are used for key exchange.

  • If a Diffie-Hellman Ephemeral (DHE) or ephemeral RSA cipher suite is used, the RSA key only secures the DH or ephemeral RSA exchange; it does not encrypt the data, so the server's private key alone cannot decrypt the capture.

You can use:

  • Server's Private Key
  • Pre-Master Secret

References:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/


TCPDump

  • TCPDump can capture and parse large amounts of traffic

  • TCPDump can be run without providing a display of captured

  • -X prints the payload (similar to the hexadecimal/interpretation pane in Wireshark)

  • Header information can be displayed at various levels of detail (verbosity)


What is the next ip offset value?

Activity Time!



TCPDump Basics and Filters

What is Happening Here

Funny Traffic

Extracting Files

Why Filter Outputs?



- Reduce resource consumption (CPU or storage)

- Limit the scope of captured traffic

- Target traffic capture down to the bit!







How do I Filter Outputs?



- Programs like TCPDump can use built-in 'primitives', like 'net', 'port', etc., and qualifiers like 'src' or 'dst' (Wireshark has its own set of 'expressions' for this same purpose)

- Primitives are user-friendly shortcuts to BPF, but they can't target traffic as granularly as a pure BPF





Berkeley Packet Filters



  • BPF allows a user-space program (like TCPDump or IPTables) to attach a custom filter onto any socket

  • The filter code is sent to the kernel via the SO_ATTACH_FILTER socket option

  • libpcap is how this happens when using TCPDump, for example.

  • The libpcap internal compiler takes the user's filter expression and generates a bytecode structure that is loaded into the kernel via SO_ATTACH_FILTER.



Berkeley Packet Filters


Can you figure out what the filter is that produced these bytecode instructions?

# tcpdump -d '____ and ____'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23]
(003) jeq #0x1 jt 4 jf 5
(004) ret #262144
(005) ret #0

Berkeley Packet Filters


Can you fill in the missing values in the bytecode this filter produces?

# tcpdump -d 'arp'
(000) ldh [12]
(001) jeq #____ jt ___ jf ___
(002) ret #262144
(003) ret #0
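To see what the listing above actually does to a frame, here is a small interpreter for the classic BPF bytecode that `tcpdump -d` prints, run over constructed Ethernet frames. This is an added example, not code from the course or from libpcap; it supports only the opcodes used in the listing (ldh, ldb, jeq, ret), and the frames are constructed so that only the fields the filter reads are meaningful.

```python
# Added example (not from the course material): a tiny interpreter for the classic
# BPF listing that `tcpdump -d` prints, run over constructed Ethernet frames.
# It handles the opcodes used on this page (ldh, ldb, jeq, ret) and nothing else.
import re
import struct

LISTING = """
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23]
(003) jeq #0x1 jt 4 jf 5
(004) ret #262144
(005) ret #0
"""

def parse_listing(text):
    """Turn tcpdump -d output into (op, k, jt, jf) tuples indexed by instruction number."""
    prog = []
    for line in text.strip().splitlines():
        op, rest = re.match(r"\(\d+\)\s+(\w+)\s*(.*)", line).groups()
        nums = [int(n, 0) for n in re.findall(r"0x[0-9a-fA-F]+|\d+", rest)]
        prog.append((op, *nums, *[None] * (3 - len(nums))))  # pad to (op, k, jt, jf)
    return prog

def run(prog, pkt):
    """Execute the filter on one frame; returns bytes to keep (0 means dropped)."""
    pc, acc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == "ret":
            return k
        if op == "jeq":                              # conditional jump on the accumulator
            pc = jt if acc == k else jf
            continue
        width = {"ldh": 2, "ldb": 1}[op]             # fixed-offset half-word / byte load
        if k + width > len(pkt):                     # out-of-bounds load rejects the frame
            return 0
        acc = struct.unpack_from("!H" if width == 2 else "!B", pkt, k)[0]
        pc += 1

def frame(ethertype, ip_proto):
    """Constructed Ethernet II frame + 20-byte IPv4 header (offset 12 = EtherType, 23 = protocol)."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = bytes([0x45, 0]) + b"\x00" * 7 + bytes([ip_proto]) + b"\x00" * 10
    return eth + ip

def accepted(listing, pkt):
    return run(parse_listing(listing), pkt) > 0
```

Feed it frames with different EtherType and IP protocol values and compare which ones return 262144 (the snaplen) versus 0 to recover the two primitives the blanks stand for.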



Berkeley Packet Filter with Indexing

Primitives like 'tcp port 53' work for filtering, but a BPF can provide a more powerful mechanism for filtering using byte indexing.

For example: tcpdump 'ip[0] > 69' looks for any IP options in use (69 is 0x45, version 4 with a 5-word header, so any larger value means a longer header with options)

To capture specific information, try masking:

tcpdump 'ip[ byte ] & mask condition'

tcpdump 'ip[0] & 0x0F > 0x05'

Original - 0100 0110 (options set)

Mask - 0000 1111

Result - 0000 0110



Berkeley Packet Filter (cont.)


tcpdump 'tcp[13] & 18 != 0 && tcp[13] & 18 != 16'

[ byte offset ] mask condition

What does this filter show you?

Hint: A mnemonic for the TCP flags, in header bit order:

Unskilled Attackers Pester Real Security Folk
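The two index-and-mask filters from these slides, evaluated in Python over constructed IPv4/TCP packets. This is an added example, not course material; it also shows a detail the slides leave implicit: tcpdump resolves tcp[13] relative to the start of the TCP header, so the IHL read by ip[0] & 0x0F decides where that byte sits, and a fixed 20-byte assumption silently misses packets that carry IP options.

```python
# Added example (not from the course material): evaluate the two byte-index filters
# from these slides in Python over constructed IPv4/TCP packets. tcpdump resolves
# tcp[13] relative to the start of the TCP header, so the IP header length in
# ip[0] & 0x0F (32-bit words) decides where that byte really sits.
import struct

SYN, ACK = 0x02, 0x10  # bit values in the TCP flags byte; mask 18 = 0x12 = SYN|ACK

def ipv4_tcp_packet(flags, ip_options=b""):
    """Constructed IPv4 packet with a TCP header carrying `flags`; ip_options
    (padded to 4-byte words) grows the IHL just like real options would."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def has_ip_options(pkt):
    """tcpdump 'ip[0] & 0x0F > 0x05': header longer than the 5-word minimum."""
    return (pkt[0] & 0x0F) > 0x05

def tcp_byte(pkt, i):
    """tcp[i] as tcpdump indexes it: relative to the TCP header, i.e. after IHL*4 bytes."""
    return pkt[(pkt[0] & 0x0F) * 4 + i]

def syn_filter(pkt):
    """tcpdump 'tcp[13] & 18 != 0 && tcp[13] & 18 != 16'."""
    masked = tcp_byte(pkt, 13) & 18
    return masked != 0 and masked != 16

def naive_syn_filter(pkt):
    """Same test but assuming a fixed 20-byte IP header (wrong when options are present)."""
    masked = pkt[20 + 13] & 18
    return masked != 0 and masked != 16

# Constructed sample set; NOP (0x01) is a real IPv4 option byte.
SAMPLES = {
    "syn": ipv4_tcp_packet(SYN),
    "syn-ack": ipv4_tcp_packet(SYN | ACK),
    "ack": ipv4_tcp_packet(ACK),
    "fin-ack": ipv4_tcp_packet(0x11),
    "syn+ip-options": ipv4_tcp_packet(SYN, ip_options=b"\x01\x01\x01\x01"),
}

def matching(filt, samples=SAMPLES):
    """Names of the sample packets the given filter function accepts, in order."""
    return [name for name, pkt in samples.items() if filt(pkt)]
```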

Flow Analysis



  • NetFlow - Developed by Cisco, IP traffic only; aggregates "flows" and sends statistics to a collection point for analysis

  • sFlow - Industry standard, not restricted to IP; can monitor interface statistics, samples 1 in n packets and sends them to a collection point; built into the ASIC




Server Identification



  • OS detection can be helpful in exploiting vulnerabilities in targets.

  • Many vulnerabilities require custom exploits matched to the target OS and hardware architecture in order to be effective

  • Back-porting: Vendors will often take a fix/patch from a recent version of software and apply it to older versions.

This means that a vulnerability noted for the older OS version you identified may already have been patched!

Signatures

  • TTL

  • DF - Don't Fragment bit (set/increment)

  • TOS - Type of Service bits (set/value)

  • IP Identification numbers (Cisco starts at 0 instead of randomizing)

  • TCP options (Window Size/Scale/MSS etc.)

  • Selective Acknowledgement (RFC 2018); commonly used by Windows/Linux, not always by FreeBSD/Solaris


Fragmented Packet



  • The IP Identification number is the same for each fragment, in order to relate them
  • The fragment offset is expressed in 8-byte units (data bytes / 8) per RFC 791



Fragment Reassembly


  • First - Always accept the first value received for each offset in the packet

  • Last (RFC 791) - Always take the last value received for each offset in the packet

  • BSD - This policy left-trims fragments to existing fragments with an offset; overlapping fragments with a greater offset are discarded or trimmed

  • BSD-Right - This policy is similar to BSD, except fragments are right-trimmed (new fragments take precedence over those with a lesser or equal offset).

  • Linux - The Linux policy is almost the same as the BSD policy, except that existing fragments with an equal offset will be overwritten, at least in part.

References: https://www.sans.org/reading-room/whitepapers/detection/ip-fragment-reassembly-scapy-33969
http://www.icir.org/vern/papers/activemap-oak03.pdf
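To make the policy differences concrete, here is one constructed train of overlapping fragments reassembled under the "First" and "Last" policies from the list above. This is an added example, not code from the course or the referenced papers; the fragments are constructed as (offset in 8-byte units, payload) pairs, and the point for a defender is that a sensor which does not know the target host's policy cannot know which payload that host will see.

```python
# Added example (not from the course material): reassemble one constructed train of
# overlapping IP fragments under the "First" and "Last" policies listed above, to
# show that the same fragments can produce different data on different hosts.
# Each fragment is (fragment offset in 8-byte units, payload bytes), as in RFC 791.

def reassemble(frags, policy):
    """Rebuild the datagram payload; `policy` is "first" or "last"."""
    buf = {}
    for off_units, data in frags:
        start = off_units * 8                       # offset field counts 8-byte blocks
        for i, byte in enumerate(data):
            pos = start + i
            if policy == "first" and pos in buf:
                continue                            # keep the earliest value seen
            buf[pos] = byte                         # "last": later fragment overwrites
    if sorted(buf) != list(range(len(buf))):
        raise ValueError("incomplete datagram: missing bytes")
    return bytes(buf[i] for i in range(len(buf)))

# Constructed train: the third fragment re-sends offset 1 with different content.
FRAGMENTS = [
    (0, b"GET /ind"),
    (1, b"ex.html "),
    (1, b"ex.php  "),
]

def policy_results(frags=FRAGMENTS):
    """Map each policy to the payload a host using it would hand to the application."""
    return {p: reassemble(frags, p) for p in ("first", "last")}

def is_ambiguous(frags=FRAGMENTS):
    """True when the reassembly policy changes the result: the case a sensor must flag."""
    return len(set(policy_results(frags).values())) > 1
```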

Packet Injection


  • Edge and Core ISPs
  • Censorship, advertising, malware, notifications
  • Comcast published an RFC (RFC 6108) in 2011 explaining their packet injection/redirection techniques

Do packet injections by ISPs, even when used in seemingly benign ways, put users at risk?

References:
https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study-wp.pdf
http://thehackernews.com/2016/02/china-hacker-malware.html
https://tools.ietf.org/html/rfc6108#page-13
https://www.techdirt.com/blog/?tag=packet+injection

Network Monitoring




  • IDS/IPS

  • Packet analysis (Wireshark/TCPDump)

  • Log analysis

  • Sensors