INTERPRETING PROTOCOLS

Page 1: Interpreting Protocols

INTERPRETING PROTOCOLS

Page 2: Interpreting Protocols

Wireshark smartness!

Wireshark can detect certain protocols and decode them for you from hex into plain text. The plain text still needs to be interpreted.

Page 3: Interpreting Protocols

Ports

Ports handle certain services:

  80   http
  443  https
  21   ftp control
  20   ftp data
  23   telnet
  22   ssh
  53   dns

On and on... ports 1-65535

Who can tell me the difference between port numbers < 1024 and > 1024?

Page 4: Interpreting Protocols

Ports can lie

Just because I see traffic on port 80 doesn't mean it's http:

  IM traffic
  Proxy traffic for IPSEC over HTTP
  RPC over http or https
  Non-standard services

Page 5: Interpreting Protocols

SMTP: Simple Mail Transport Protocol

S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <[email protected]>
C: To: Alice Example <[email protected]>
C: Cc: [email protected]
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
{The server closes the connection}
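The dialog above is exactly what a capture of port 25 decodes to; as an added example (not part of the slides), here is a small parser that walks a C:/S: transcript of this shape and pulls out the envelope, message headers, body and queue id. The dialog and addresses in the block are constructed sample values.

```python
# Added example (not from the slides): parse an SMTP dialog in the C:/S: form shown
# above and recover the envelope, message headers, body and queue id. Addresses are constructed.
import re

SMTP_DIALOG = """\
S: 220 smtp.example.com ESMTP Postfix
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: Subject: Test message
C:
C: Hello Alice.
C: .
S: 250 Ok: queued as 12345
"""

def parse_smtp(dialog):
    """Envelope (MAIL FROM / RCPT TO), message headers, body and queue id."""
    info = {"mail_from": None, "rcpt_to": [], "headers": {}, "body": [], "queue_id": None}
    in_data, in_headers = False, True
    for raw in dialog.splitlines():
        side, _, line = raw.partition(":")      # "C"/"S" and the rest of the line
        line = line.strip()
        if side == "C" and in_data:
            if line == ".":                     # lone dot ends the DATA section
                in_data = False
            elif in_headers and line == "":     # blank line separates headers from body
                in_headers = False
            elif in_headers:
                name, _, value = line.partition(":")
                info["headers"][name.strip()] = value.strip()
            else:
                info["body"].append(line)
        elif side == "C":
            verb = line.split(":")[0].upper()   # "MAIL FROM", "RCPT TO", "DATA", ...
            if verb == "MAIL FROM":
                info["mail_from"] = re.search(r"<([^>]+)>", line).group(1)
            elif verb == "RCPT TO":
                info["rcpt_to"].append(re.search(r"<([^>]+)>", line).group(1))
            elif verb == "DATA":
                in_data = True
        elif side == "S" and (m := re.match(r"250 Ok: queued as (\S+)", line)):
            info["queue_id"] = m.group(1)
    return info
```

Note that the envelope recipients (RCPT TO) and the header To:/Cc: lines are independent; the envelope is what the relay actually delivered to.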

Page 6: Interpreting Protocols

HTTP

GET / HTTP/1.1
Host: www.anl.gov
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: __utma=103693648.3367326131694450000.1227753254.1232739749.1234987611.9; iPlanetDirectoryPro=AQIC5wM2LY4SfczABGq8pvtr7jSP9Xy58PNPFrx9X5woMuw%3D%40AAJTSwAKLTc2MzQ3MjQ3OQACU0kAAjIwAAJTMQACMDE%3D%23; PHPSESSID=b6cf3579089354add2cb3bd474b00ea9
Connection: keep-alive

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Thu, 12 Nov 2009 19:44:38 GMT
Content-type: text/html
Transfer-encoding: chunked

12d2
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<!-- InstanceBegin template="/Templates/fixedHomepage_new.dwt" codeOutsideHTMLIsLocked="false" -->
<head>
<link href="stylesheets/argonne_new.css" rel="stylesheet" type="text/css">
<link href="stylesheets/news_feature.css" rel="stylesheet" type="text/css">
<link href="http://www.anl.gov/favicon.ico" rel="shortcut icon">
<script type="text/javascript" src="javascript/anlpublic.js"></script>
<script type="text/javascript" src="javascript/anlmain.js"></script>
<script type="text/javascript" src="javascript/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="javascript/jquery.cycle.all.min.js"></script>
<script type="text/javascript">
$(function() { $('body pre code').each(function() { eval($(this).text()); });
$('#slide_holder') ...after('<div id="slide_nav">').cycle({ ..fx: 'fade', ……..
</html>
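To interpret the decoded text above you need to split start line, headers and body, and the body here is chunked: "12d2" is a hex chunk length, not page content. The following is an added example (not from the slides) that does both and lists the cookies sent in clear text; the messages, host and cookie values in it are constructed samples.

```python
# Added example (not from the slides): split an HTTP/1.1 request and response into
# start line, headers and body, and decode a chunked body (the "12d2" above is a
# hex chunk size). Messages below are constructed; host and cookie values are samples.
REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
           b"Cookie: PHPSESSID=deadbeef; __utma=1.2.3\r\nConnection: keep-alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-type: text/html\r\nTransfer-encoding: chunked\r\n\r\n"
            b"f\r\n<!DOCTYPE HTML>\r\n7\r\n<html>\n\r\n0\r\n\r\n")

def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body: hex size, CRLF, data, CRLF, ... 0."""
    out = bytearray()
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # hex size; ignore chunk extensions
        if size == 0:
            return bytes(out)                      # last chunk (trailers not handled)
        out += body[:size]
        body = body[size + 2:]                     # skip the data and its trailing CRLF

def parse_message(raw):
    """Return (start_line, headers, body) with header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return lines[0], headers, body

def cookies(headers):
    """Cookie names and values the client sent in clear text (e.g. PHPSESSID)."""
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar
```

Anything `cookies()` returns from a port 80 capture was visible to every hop on the path, which is the practical lesson of the PHPSESSID line above.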

Page 7: Interpreting Protocols

DNS

Page 8: Interpreting Protocols

FTP

220 Welcome to ftp.esat.net
USER anonymous
331 Please specify the password.
PASS Squid@
230 Login successful.
TYPE I
200 Switching to Binary mode.
CWD mirrors
250 Directory successfully changed.
CWD download.fedora.redhat.com
250 Directory successfully changed.
CWD pub
250 Directory successfully changed.
CWD fedora
250 Directory successfully changed.
CWD linux
250 Directory successfully changed.
CWD releases
250 Directory successfully changed.
CWD 10
250 Directory successfully changed.
CWD Everything
250 Directory successfully changed.
CWD i386
250 Directory successfully changed.
CWD os
250 Directory successfully changed.
250 Directory successfully changed.
213 20081030224131
213 20250
221 Goodbye.
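An FTP control channel like the one above is a sequence of client commands each answered by a numeric reply, so interpreting it means pairing them up. The block below is an added example (not from the slides) that does that pairing to recover the credentials, the directory reached through the CWD sequence and the 213 answers; the session text is constructed to mirror the slide.

```python
# Added example (not from the slides): replay an FTP control-channel capture like the
# one above and recover the cleartext credentials, the directory reached through the
# CWD sequence and the MDTM/SIZE (213) answers. The session text is constructed.
import posixpath

FTP_SESSION = """\
220 Welcome to ftp.example.net
USER anonymous
331 Please specify the password.
PASS Squid@
230 Login successful.
CWD mirrors
250 Directory successfully changed.
CWD pub
250 Directory successfully changed.
CWD nowhere
550 Failed to change directory.
CWD releases/10
250 Directory successfully changed.
MDTM README
213 20081030224131
SIZE README
213 20250
"""

def replay_ftp(session, start="/"):
    """Pair each client command with the server reply that follows it."""
    state = {"user": None, "password": None, "cwd": start, "failed_cwd": [], "meta": {}}
    pending = None                    # last client command still waiting for its reply
    for line in session.splitlines():
        if line[:3].isdigit() and line[3:4] in (" ", "-"):   # server reply "NNN text"
            code, text = int(line[:3]), line[4:].strip()
            if pending:
                verb, arg = pending
                if verb == "CWD" and code == 250:
                    state["cwd"] = posixpath.normpath(posixpath.join(state["cwd"], arg))
                elif verb == "CWD":
                    state["failed_cwd"].append(arg)
                elif verb in ("MDTM", "SIZE") and code == 213:
                    state["meta"].setdefault(arg, {})[verb] = text
            pending = None
        else:                                                 # client command "VERB arg"
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                state["user"] = arg
            elif verb == "PASS":
                state["password"] = arg
            pending = (verb, arg)
    return state
```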

Page 9: Interpreting Protocols

You can see “some” encrypted information

SSL: usually begins with hex 16 03, the start of the SSL or TLS handshake record.

SSH is similar. Wireshark will be able to tell you a bit more:
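Because ports can lie (slide 4) while the first bytes of a payload rarely do, the byte patterns above are enough to classify a stream. The following is an added example (not from the slides) that identifies TLS, SSH, HTTP, SMTP and FTP from the leading bytes and flags payloads that do not match the service expected on their port; the expected-port table and the sample payloads are constructed.

```python
# Added example (not from the slides): identify the protocol from the first bytes of a
# TCP payload instead of trusting the port, for the "ports can lie" case. Patterns are
# the ones the slides mention (TLS records start 16 03 xx, SSH starts with its banner);
# the expected-port table and the sample payloads are constructed.
import re

TLS_RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
EXPECTED_ON_PORT = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

def first_line(payload):
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")

def guess_protocol(payload):
    """Return (protocol, detail) from the payload bytes alone."""
    # TLS record header: type 0x16 = handshake, then version 03 xx, then 2-byte length.
    # The record-layer version is only a hint (TLS 1.3 still sends 03 01 / 03 03 here).
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        ver = TLS_RECORD_VERSIONS.get((payload[1] << 8) | payload[2], "unknown")
        length = (payload[3] << 8) | payload[4]
        return "tls", f"handshake record, version {ver}, length {length}"
    if payload.startswith(b"SSH-"):                 # identification string, e.g. SSH-2.0-...
        return "ssh", first_line(payload)
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http", first_line(payload)
    if re.match(rb"220[ -]", payload):              # SMTP and FTP both greet with 220
        banner = first_line(payload)
        return ("smtp" if "SMTP" in banner.upper() else "ftp"), banner
    return "unknown", ""

def check_port(payload, port):
    """Flag a payload whose content does not match the service expected on the port."""
    proto, detail = guess_protocol(payload)
    expected = EXPECTED_ON_PORT.get(port)
    mismatch = expected is not None and proto not in (expected, "unknown")
    return {"port": port, "expected": expected, "seen": proto, "mismatch": mismatch, "detail": detail}

def mismatches(samples):
    """Records for every (port, payload) pair whose content does not fit its port."""
    return [r for r in (check_port(p, port) for port, p in samples) if r["mismatch"]]

# Constructed samples: an SSH banner on port 80, a TLS ClientHello record on 443, plain HTTP on 80.
SAMPLES = [(80, b"SSH-2.0-OpenSSH_8.9\r\n"),
           (443, bytes.fromhex("16030100a5010000a10303") + b"\x00" * 10),
           (80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n")]
```

An "unknown" result is deliberately not a mismatch: encrypted or proprietary traffic on a port should be looked at, not alerted on blindly.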

Page 10: Interpreting Protocols

SSH

Page 11: Interpreting Protocols

SSH in the Main window

Page 12: Interpreting Protocols

The unknown

When you can filter out the known you can then focus on the unknown!

Now you have an idea of how the pre-processors of SNORT actually work.

They interpret the raw hex and report back when they trigger on known malicious strings.

Page 13: Interpreting Protocols

Replay an attack

The replay skill: you can detect the bleeding-edge threat. Replay an attack, find a unique string, and

then create a rule to locate it! Now you know the secret!