SKILL CCNE009: Identify packet sniffing tools
SKILL CCNE010: Identify implications of network traffic captures
Objectives
CCNE009.001: Explain Using Berkeley Packet Filters (BPF) with sniffing tools
CCNE009.002: Use BPFs to view multiple protocol types
CCNE009.003: Demonstrate packet decoding features of tools
CCNE009.004: Identify how sniffing and filtering relate to DNS protocol (poisoning/misuse)
CCNE010.001: Discuss security implications of major protocol traffic in base-lining
CCNE010.002: Explain why network monitoring tools are deployed
CCNE010.003: Explain the impact of network monitoring tools in exploitation operations
CCNE010.004: Explain the impact of network monitoring tools in DODIN operations
- Software vs. Hardware Sniffing
- Mirrored port vs. Tap
- NIC modes (Promiscuous or not)
You can use:
References:
https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
What is the next ip offset value?
- Reduce Resource consumption (CPU or Storage)
- Limit scope of captured traffic
- Target traffic capture down to the bit!
- Programs like TCPDump can use built-in 'Primitives', like 'net', 'port' etc., and qualifiers like 'src' or 'dst' (Wireshark has its own set of 'expressions' for this same purpose)
- Primitives are user-friendly shortcuts to BPF, but they can't target traffic as granularly as a pure BPF
Can you figure out what the filter is that produced this bytecode instruction?
# tcpdump -d '____ and ____'
(000) ldh [12]
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23]
(003) jeq #0x1 jt 4 jf 5
(004) ret #262144
(005) ret #0
Can you figure out what the filter is that produced this bytecode instruction?
# tcpdump -d 'arp'
(000) ldh [12]
(001) jeq #____ jt ___ jf ___
(002) ret #262144
(003) ret #0
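To see how the bytecode above is evaluated, here is an added example (not from the slides) of a tiny interpreter for the ldh/ldb/jeq/ret subset of classic BPF, fed with constructed Ethernet frames. The first program printed by tcpdump -d is transcribed verbatim; the frame builders and the helper names are assumptions for illustration. Running it shows which frames the program accepts (return 262144) and which it drops (return 0), which is exactly how you read the jt/jf branches by hand.

```python
import struct

# The classic-BPF program from the first `tcpdump -d` listing, transcribed as
# (opcode, operand, jt, jf). ldh/ldb load a half-word/byte at an absolute
# packet offset into the accumulator; jeq compares the accumulator with an
# immediate and jumps to jt (true) or jf (false); ret returns the number of
# bytes to accept (262144) or 0 to drop the packet.
PROGRAM = [
    ("ldh", 12, None, None),      # (000) ldh [12]          -> EtherType
    ("jeq", 0x800, 2, 5),         # (001) jeq #0x800 jt 2 jf 5
    ("ldb", 23, None, None),      # (002) ldb [23]          -> IPv4 protocol field
    ("jeq", 0x1, 4, 5),           # (003) jeq #0x1 jt 4 jf 5
    ("ret", 262144, None, None),  # (004) ret #262144       -> accept
    ("ret", 0, None, None),       # (005) ret #0            -> drop
]


def run_bpf(program, pkt):
    """Interpret the program over raw frame bytes; non-zero means 'accepted'."""
    acc = 0
    pc = 0
    while True:
        op, k, jt, jf = program[pc]
        if op == "ldh":
            if k + 2 > len(pkt):
                return 0  # out-of-bounds load: the kernel drops the packet
            acc = struct.unpack_from("!H", pkt, k)[0]
            pc += 1
        elif op == "ldb":
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode {op}")


def ethernet_ipv4(proto):
    """Constructed frame: 14-byte Ethernet header with EtherType 0x0800, then a
    minimal 20-byte IPv4 header whose protocol byte (frame offset 23) is `proto`."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = (bytes([0x45, 0])
          + struct.pack("!HHHBBH", 40, 0, 0, 64, proto, 0)  # len, id, frag, ttl, proto, csum
          + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")       # constructed src/dst
    return eth + ip


def ethernet_arp():
    """Constructed frame with EtherType 0x0806 (ARP) and an empty 28-byte body."""
    return b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28


if __name__ == "__main__":
    for name, frame in [("ipv4/icmp", ethernet_ipv4(1)),
                        ("ipv4/tcp", ethernet_ipv4(6)),
                        ("arp", ethernet_arp())]:
        print(f"{name:10s} -> ret #{run_bpf(PROGRAM, frame)}")
```

Walk the accumulator through by hand for the ARP frame: ldh [12] loads 0x0806, jeq #0x800 fails and jumps to instruction 5, which returns 0. That is the same reasoning you use to fill in the blanks for the second listing.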
Primitives like 'tcp port 53' can work for filtering, but a BPF can provide a more powerful mechanism for filtering using byte indexing.
For example, tcpdump 'ip[0] > 69' matches any IPv4 packet carrying IP options: 0x45 is 69, so an IHL above 5 pushes the first header byte above 69.
To capture specific information, try masking:
tcpdump 'ip[ byte ] & mask condition'
tcpdump 'ip[0] & 0x0F > 0x05'
Original - 0100 0110 (options set)
Mask - 0000 1111
Result - 0000 0110
tcpdump 'tcp[13] & 18 != 0 && tcp[13] & 18 != 16'
[ byte offset ] mask condition
What does this filter show you?
Hint: An anagram for the TCP flags:
Unskilled Attackers Pester Real Security Folk
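Here is an added example (not from the slides) that evaluates the two byte-index filters above in Python against constructed IPv4 and TCP headers, so you can check the masking arithmetic without a live capture. The header builders, the function names and the sample option bytes are assumptions for illustration; the mask expressions are copied from the slides.

```python
import struct

# Flag bit values in TCP byte 13, most to least significant:
# "Unskilled Attackers Pester Real Security Folk" = URG ACK PSH RST SYN FIN
URG, ACK, PSH, RST, SYN, FIN = 32, 16, 8, 4, 2, 1


def ipv4_header(options=b""):
    """Constructed IPv4 header. Options are padded to a 4-byte multiple and the
    IHL nibble (low nibble of byte 0) grows accordingly; no options -> 0x45."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    return (bytes([(4 << 4) | ihl, 0])
            + struct.pack("!HHHBBH", 20 + len(options), 0, 0, 64, 6, 0)
            + b"\x0a\x00\x00\x01\x0a\x00\x00\x02"   # constructed src/dst
            + options)


def tcp_header(flags):
    """Constructed 20-byte TCP header; the flag byte is at offset 13."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


def ip_has_options(ip):
    """tcpdump 'ip[0] & 0x0F > 0x05': mask off the version nibble, keep the IHL."""
    return (ip[0] & 0x0F) > 0x05


def tcp_syn_filter(tcp):
    """tcpdump 'tcp[13] & 18 != 0 && tcp[13] & 18 != 16'.
    18 = 0x12 = SYN|ACK, so after masking only 0, 2, 16 or 18 can remain;
    excluding 0 and 16 leaves packets where the SYN bit is set."""
    masked = tcp[13] & 18
    return masked != 0 and masked != 16


def matching_flag_values(filter_fn):
    """Every 6-bit flag combination the filter accepts (brute force, 64 cases)."""
    return sorted(f for f in range(64) if filter_fn(tcp_header(f)))


if __name__ == "__main__":
    plain = ipv4_header()
    with_opts = ipv4_header(b"\x01\x01\x01\x01")  # four NOP option bytes (constructed)
    print(f"ip[0]=0x{plain[0]:02x} options={ip_has_options(plain)}")
    print(f"ip[0]=0x{with_opts[0]:02x} options={ip_has_options(with_opts)}")
    for name, flags in [("SYN", SYN), ("SYN/ACK", SYN | ACK), ("ACK", ACK), ("FIN/ACK", FIN | ACK)]:
        print(f"{name:8s} tcp[13]=0x{flags:02x} matches={tcp_syn_filter(tcp_header(flags))}")
    print("accepted flag values:", matching_flag_values(tcp_syn_filter))
```

The brute-force helper makes the answer to "what does this filter show you?" explicit: every accepted value has bit 2 set, so the filter isolates connection-opening segments (SYN and SYN/ACK) regardless of the other flags.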
This means that the vulnerability that may have been noted in the older OS you identified has been patched!
References:
https://www.sans.org/reading-room/whitepapers/detection/ip-fragment-reassembly-scapy-33969
http://www.icir.org/vern/papers/activemap-oak03.pdf
Do packet injections by ISPs used in seemingly benign ways put users at risk?
References:
https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study-wp.pdf
http://thehackernews.com/2016/02/china-hacker-malware.html
https://tools.ietf.org/html/rfc6108#page-13
https://www.techdirt.com/blog/?tag=packet+injection