Tips for an Information Security Analyst/Pentester career - Episode 5: Wireshark basics (part 1)
Wireshark is the most popular protocol analyzer and an essential tool for both Information Security Analysts and pentesters.
It's a free software available for Windows, Mac and Linux, but very powerful and scalable.
It's based on Lua programming language, like Nmap, and can be integrated with other tools, such as tcpdump and tshark (the latter is basically Wireshark command line version).
Performing a network capture
Wireshark GUI is very straightforward.
When opening the software, you're presented with a list of all available network interfaces.
When opening the software, you're presented with a list of all available network interfaces.
Before starting capturing, you need to make sure the interface you want to use is set in promiscuous mode.
This is important because allows us to capture all the traffic going through the network and not only the traffic intended for that specific interface (as it would normally happen otherwise).
Once we do that, we select the network interface to be used and press the fin-shaped icon (which will become blue, at this point) to start capturing.
After authorizing the above operation, we can start creating some network traffic, by running an Nmap scan and surfing the web at the same time.
Filtering traffic - the basics
We can then stop the capture.
At that point, we're going to have a bunch of network packets to analyze and this whole interface will look like a gigantic mess. How to filter out what we need from all this?
That's when filters come into play.
Wireshark supports very powerful filters allowing to sift through the traffic based on protocol, source port and destination port.
If we want to filter by protocol, we can simply enter it in the filter field.
If the filter we enter is correct, we'll get a green background, otherwise we'll get a red one.
If we want to analyze HTTPS outbound traffic only, for example, we can use the following basic filter:
tcp.dstport==443
NOTE: The format is protocol.destinationport (or sourceport)==portnumber.
If we wanted to filter by source port, we would have tcp.srcport there. If we wanted, instead, to filter out both inbound and outbound traffic to port 443, we could use the following filter:
tcp.srcport==443 && tcp.dstport==443.
We notice an encrypted session was established by using TLS v.1.2 (the latest TLS version at this time) and the first packet was transmitted from source port 47920 TCP (a dynamic port) to destination port 443 TCP (the HTTPS port).
Follow TCP stream
An interesting thing we can do with Wireshark is to follow a TCP conversation between two endpoints.
If we select the first ACK packet when the conversation gets started and right-click it, we can choose Follow/TCP Stream to view the whole conversation.
In the above case, the client request is highlighted in red and the server's response in purple.
Most of the conversation is a bunch of gibberish, as encryption is in place, which shows very clearly why encryption is important.
However, we can decypher this stream with Wireshark, as explained here or also here.
However, we can decypher this stream with Wireshark, as explained here or also here.
If we monitor an unencrypted session on a website using HTTP instead of HTTPS, we might be able to see all traffic in clear text, including any usernames and passwords entered, by simply sniffing the traffic with Wireshark.
An Information Security Analyst in action - analysis of an Nmap scan
If we filter the traffic based on TCP protocol, we can dig further into our Nmap scan by analyzing the whole 3-way handshake process.
In the above case, the connection was reset, as we performed a stealth scan.
If you're a network analyst and you notice a bunch of such packets, that might raise a red flag.
Either there's something wrong with that specific computer's configuration, leading to so many packets getting dropped, or you're up with a port-scanning attack, as it's the case here, or even with a DoS attack.
At that point, you might want to tweak your firewall/NIPS rules by dropping all the traffic coming from that IP altogether.
Validation of a network capture
Validation of the network packets captured with Wireshark is important from a forensic standpoint (especially in case of an ongoing criminal investigation where law enforcement needs to be involved) but also to prove the credibility of your analysis to your boss or your customer(s).
You might need to defend your position through bombproof arguments. Validation of network packets is the main challenge we face in Network Forensics because we deal with data in motion, getting seamlessly changed and we can't avoid to alter data somehow while capturing traffic.
You can't use a write-blocking device or a read-only mode Live CD as you'd do when analyzing an operating system.
You can't use a write-blocking device or a read-only mode Live CD as you'd do when analyzing an operating system.
However, there's a way to obtain a signature for captured packets by using hashing algorithms. This can be done in all operating systems, by using native commands (UNIX/Linux), third-party programs and online tools (Windows).
If the concepts related to hashing algorithms are unclear to you, I'd recommend you to have a look at my previous post Mattia's Dummies' Corner - What's a hash value?
In Linux, you can have two different commands for that purpose: md5sum (returning an MD5 hash) and shasum (returning a SHA hash).
As both MD5 and SHA1 were cracked, here I'm going to use the strongest SHA algorithm available, SHA-512.
You want to calculate a hash on the capture file before starting your analysis and to repeat the operation at the end of it.
If you did everything correctly, the two hashes must match, meaning you didn't in any way change or tamper with that file.
In the video, I performed this operation twice, by saving the resulting hashes to two different files (initialhash and finalhash) and finally I compared the two files through the diff command to find any differences between them that would indicate loss of integrity.
The two files matched perfectly, which proves our analysis was correctly conducted.
This could allow both for our findings to be admissible in court and to prove their validity to our boss and/or customers.
You're an analyst and your findings must be solidly grounded in facts.
The stronger your foundation, the better.
The stronger your foundation, the better.
Wrap-up
Wireshark is a very powerful protocol analyzer and can be used to capture and analyze network traffic in order to know more about the network and identify anomalies.
Wireshark can also be used maliciously, to gain reconnaissance on a possibile attack target.
Here we barely scratched the surface, but in coming posts we'll delve much more into Wireshark functionalities.
More fun is on the way.
Comments
Post a Comment