Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF


1 Advanced Packet Analysis and Troubleshooting Using Wireshark 23AF
Lisa Bock Pennsylvania College of Technology Monday October 5, :00am - 12:15am Track AF | Level 1 | Atlantic VI

2 Learning Objectives
Examine common protocols such as TCP, HTTP, DNS, and FTP
Evaluate TCP/IP protocol stack vulnerabilities
Common passive attack signatures
Common active attack and malware signatures

3 Explore the Wireshark interface

4 Capture Packets
Once you open a capture you will see three panes:
Top: the packet list, one row for every frame captured during the session
Middle: the decoded protocol details of the selected frame
Bottom: the raw bytes of the selected frame

5 ICMP

6 Internet Control Message Protocol
Used to send error messages and to query the network (echo, timestamp and similar requests)
It carries control information between IP modules, not application data

7 A Scout for IP! ICMP is actually an integral part of IP, and must be implemented by every IP module.

8 Internet Control Message Protocol
ICMP is used by ping
ping sends Echo Request (type 8) query messages and expects Echo Reply (type 0) query messages back. These are two of ICMP's query message types; the other ICMP messages you will see in a capture are error messages such as Destination Unreachable and Time Exceeded.

9 ICMP Message

10 Start with ICMP

11 Tracert to Generate ICMP Traffic

12 An ICMP Example
Shows the ICMP packets tracing the route to COMMON.org
Apply the display filter icmp and you will see the entire tracert communication, with a few errors! The Time Exceeded errors returned by each hop are not faults; they are what makes traceroute work.

13 ICMP-Destination Unreachable

14 ICMP within an IP Packet
ICMP messages are transmitted within IP datagrams.
IP is unreliable and does not guarantee delivery, so it is important to notify the sender when something goes wrong. ICMP is used to give feedback about network problems that are preventing packet delivery.
When an ICMP error message is sent, the message always contains the IP header and the first 8 bytes of the IP datagram that caused the ICMP error to be generated (8 bytes is the RFC 792 minimum; many modern stacks quote more of the original datagram). This lets the receiving ICMP module associate the message with one particular protocol (TCP or UDP, from the protocol field in the quoted IP header) and one particular user process (from the TCP or UDP port numbers, which sit in the first 8 bytes of the TCP or UDP header and so are always included in the quoted bytes).

15 ICMP Error Codes
Type 3 Destination Unreachable Codes
0 - Net Unreachable
1 - Host Unreachable
2 - Protocol Unreachable
3 - Port Unreachable (the code returned when a UDP probe hits a closed port)

16 ICMP Error Codes
Type 11 Time Exceeded Codes
0 - TTL Exceeded in Transit (the message traceroute relies on)
1 - Fragment Reassembly Time Exceeded
You should not allow fragmentation on your network! Fragments are a common evasion and denial-of-service vector, which is why reassembly-timeout errors deserve attention in a capture.

17 Which ICMP do you allow?
The only essential ICMP traffic:
Type 3 Destination Unreachable (code 4, Fragmentation Needed, is required for path MTU discovery)
Type 4 Source Quench (deprecated by RFC 6633; modern hosts ignore it, so there is little reason to pass it)
Optional:
0 Echo Reply [RFC792]
8 Echo [RFC792]
11 Time Exceeded [RFC792] (traceroute)
Example: Frame 5 is a Destination Unreachable / Port Unreachable sent in reply to an SNMP probe (UDP port 161). It is a response with a nested packet: the target sends back the IP header of the datagram we sent it plus the first 64 bits (8 bytes) of the original datagram, which is enough to identify the protocol and the port the probe was aimed at.
ICMP is used in reconnaissance by Kali Linux tooling.
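Worked example for slides 14 and 17 (added here; this is not code from Lisa Bock's slides). It parses an ICMP error message the way Wireshark's middle pane does, verifies the ICMP checksum, and pulls the protocol, addresses and ports out of the quoted IP header plus 8 bytes. The sample message is constructed to look like the slide's frame 5 (a Port Unreachable answering an SNMP probe); the addresses and ports in it are assumptions.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Display filter for the slide's frame 5 in Wireshark: icmp.type == 3 && icmp.code == 3
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded", 12: "Parameter Problem"}
CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}
ERROR_TYPES = {3, 4, 5, 11, 12}      # error messages: these quote the offending datagram
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IcmpError:
    icmp_type: int
    code: int
    description: str
    inner_src: str
    inner_dst: str
    inner_proto: str
    inner_sport: Optional[int]
    inner_dport: Optional[int]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a message whose checksum
    field is already filled in, it returns 0 when the message is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_error(msg: bytes) -> IcmpError:
    """Parse an ICMP error and the quoted IP header + 8 bytes that follow it."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short: an ICMP error must quote the IP header plus 8 bytes")
    icmp_type, code = msg[0], msg[1]
    if icmp_type not in ERROR_TYPES:
        raise ValueError(f"type {icmp_type} is not an error message and carries no quoted datagram")
    if icmp_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = msg[8:]                               # quoted IPv4 header starts after the 8-byte ICMP header
    if inner[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (inner[0] & 0x0F) * 4                   # header length in bytes (options would make it > 20)
    proto = inner[9]
    l4 = inner[ihl:ihl + 8]                       # the 8 quoted transport-layer bytes
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:         # TCP and UDP both put src/dst port in the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    desc = ICMP_TYPES.get(icmp_type, f"Type {icmp_type}")
    if code in CODES.get(icmp_type, {}):
        desc += " / " + CODES[icmp_type][code]
    return IcmpError(icmp_type, code, desc,
                     socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
                     IP_PROTOS.get(proto, str(proto)), sport, dport)


def summarize(e: IcmpError) -> str:
    """One-line description in the style of Wireshark's Info column."""
    if e.inner_sport is not None:
        hosts = f"{e.inner_src}:{e.inner_sport} -> {e.inner_dst}:{e.inner_dport}"
    else:
        hosts = f"{e.inner_src} -> {e.inner_dst}"
    return f"{e.description}: quoted {e.inner_proto} {hosts}"


def build_sample_port_unreachable() -> bytes:
    """Constructed sample (assumed addresses): what 192.168.1.20 sends back when a
    UDP probe from 192.168.1.10:50000 hits closed port 161 (SNMP)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 25, 0x1234, 0x4000, 64, 17, 0,
                           socket.inet_aton("192.168.1.10"), socket.inet_aton("192.168.1.20"))
    inner_udp = struct.pack("!HHHH", 50000, 161, 8 + 25, 0)   # only these 8 bytes of UDP are quoted
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp
    return struct.pack("!BBHI", 3, 3, icmp_checksum(body), 0) + inner_ip + inner_udp


if __name__ == "__main__":
    print(summarize(parse_icmp_error(build_sample_port_unreachable())))
```

The checksum check matters in practice: a forged or truncated error (a common trick for resetting other people's connections) usually fails it, and the parser refuses non-error types such as Echo Reply because they carry no quoted datagram at all.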

18 ICMP Attacks
ICMP can be altered for evil purposes:
Reconnaissance (Kali Linux tooling uses ICMP for host discovery)
Denial of Service (floods of echo requests)
Covert Channel (data smuggled inside echo payloads)

19 Network Scans Nmap is a tool used to discover hosts and services on a network Creates a "map" of the network

20 Network Scans
It can be used to quickly scan thousands of ports to see which are open, closed or filtered.
By default, Nmap performs a SYN scan (-sS) when it has raw-socket privileges; without them it falls back to a full TCP connect scan (-sT), which completes the handshake and is noisier in a capture.

21 Nmap
Scanning is reconnaissance: it precedes an attack rather than exploiting anything, but because it sends probes to the target it is active traffic and shows up clearly in a packet capture. After running a scan, the software will output results for the IP range you selected.

22 Nmap Output: Ports | Hosts
The results of the port scan, including the well-known services registered for those ports.


24 Nmap Output: Topology and Host Details
Topology: an interactive view of the connections between hosts in a network.
Host Details: details such as the number of ports, IP addresses, hostnames, operating systems, and more.

25 DDOS Go to

26 Normal Three Way Handshake

27 Port Scan
An ACK/RST sent in response to a SYN frame: the ACK acknowledges receipt of the SYN, and the RST lets the client know that the server will not allow a connection on that port (the port is closed).

28 Port Scan
Every probe carries the same source and destination IP address (scanner to target)
Only the SYN flag is set
The destination port number changes from packet to packet as the scanner tries every port

29 Port Scan
In packets 14, 15 and 16 we see an actual connection (SYN, SYN/ACK, ACK), so that port is open.
Then the scan moves on and attempts another connection in packets 18, 19 and 20.
Enable SYN flood protection (SYN cookies or a backlog limit) so a burst of half-open connections cannot exhaust the listener.
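Worked example for slides 27 to 29 (added here, not part of the original slides): the scan signature described above turned into detection logic. It runs over packet summaries of the kind you would export from the Wireshark packet list (frame number, addresses, ports, flags), flags any source that sends bare SYNs to many distinct ports on one host, and classifies each probed port from the reply: SYN/ACK means open, ACK/RST means closed, no reply means filtered. The capture is constructed, with assumed addresses, so that one normal web session comes first and the open-port handshake lands at frames 14, 15 and 16 as on the slide.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Equivalent Wireshark display filters for the two signatures used below:
#   bare SYN probes:   tcp.flags.syn == 1 && tcp.flags.ack == 0
#   closed-port reply: tcp.flags.reset == 1 && tcp.flags.ack == 1


@dataclass(frozen=True)
class Pkt:
    no: int        # frame number, as in the Wireshark packet list
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters: S=SYN, A=ACK, R=RST (so "SA" is SYN/ACK)


SYN, SYN_ACK, ACK, RST_ACK = "S", "SA", "A", "RA"


def build_sample_capture() -> List[Pkt]:
    """Constructed capture (assumed addresses): one normal web session from 10.0.0.7,
    then a connect scan from 10.0.0.5 of eleven ports on 10.0.0.20 where only 80 and
    443 are open and 8080 never answers (filtered)."""
    pkts: List[Pkt] = []

    def add(src, sport, dst, dport, flags):
        pkts.append(Pkt(len(pkts) + 1, src, sport, dst, dport, flags))

    client, scanner, target = "10.0.0.7", "10.0.0.5", "10.0.0.20"
    add(client, 51000, target, 80, SYN)            # frames 1-3: legitimate handshake
    add(target, 80, client, 51000, SYN_ACK)
    add(client, 51000, target, 80, ACK)
    open_ports = {80, 443}
    for n, dport in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 8080]):
        sport = 40001 + n
        add(scanner, sport, target, dport, SYN)     # one bare SYN per port
        if dport == 8080:
            continue                                # dropped by a filter: no reply at all
        if dport in open_ports:
            add(target, dport, scanner, sport, SYN_ACK)
            add(scanner, sport, target, dport, ACK) # connect scan completes the handshake
        else:
            add(target, dport, scanner, sport, RST_ACK)
    return pkts


def detect_port_scans(pkts: List[Pkt], min_ports: int = 5) -> List[Dict]:
    """Flag any (source, destination) pair that sends bare SYNs to at least
    min_ports distinct ports, and report each probed port's state from the reply."""
    probed: Dict[tuple, Dict[int, int]] = defaultdict(dict)    # (src, dst) -> {dport: first SYN frame}
    replies: Dict[tuple, Dict[int, str]] = defaultdict(dict)   # (scanner, target) -> {dport: state}
    for p in pkts:
        if p.flags == SYN:
            probed[(p.src, p.dst)].setdefault(p.dport, p.no)
        elif p.flags == SYN_ACK:                    # server answered: port is listening
            replies[(p.dst, p.src)][p.sport] = "open"
        elif p.flags == RST_ACK:                    # server refused: port is closed
            replies[(p.dst, p.src)][p.sport] = "closed"
    findings = []
    for (src, dst), ports in probed.items():
        if len(ports) < min_ports:                  # a normal client hits one or two ports
            continue
        state = replies.get((src, dst), {})
        findings.append({
            "scanner": src,
            "target": dst,
            "first_frame": min(ports.values()),
            "open": sorted(pt for pt in ports if state.get(pt) == "open"),
            "closed": sorted(pt for pt in ports if state.get(pt) == "closed"),
            "filtered": sorted(pt for pt in ports if pt not in state),
        })
    return findings


if __name__ == "__main__":
    for f in detect_port_scans(build_sample_capture()):
        print(f)
```

An Nmap SYN scan (-sS) would answer the SYN/ACK with a RST instead of completing the handshake; the detector above keys only on the bare SYN probes and the server's replies, so it flags both variants the same way.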

30 SEC-Bittorrent
BitTorrent - peer-to-peer file sharing
Uses a distributed sloppy hash table (DHT) for storing peer contact information for "trackerless" torrents
The DHT protocol consists of a number of different queries and corresponding responses:
ping - used to check if a peer is available

31 SEC-Bittorrent
find_node - used to find the contact information for a node
get_peers - requests a list of peers which have pieces of the content
announce_peer - announces the contact information for the peer to the network

32 SEC-Bittorrent
Right click on packet 22 and follow UDP Stream
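Worked example for slides 30 to 32 (added here; not code from the slides). Following the UDP stream shows raw bencoded KRPC messages, and this is the decoder you need to read them: a bencode parser plus a classifier that names the four DHT queries from the slides and picks out the node id and info_hash. The sample messages are the ping, get_peers and error examples given in BEP 5, embedded here as constructed input rather than taken from the presenter's capture.

```python
from typing import Any, List, Tuple

# The four DHT queries from the slides (BEP 5)
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}

# Sample KRPC payloads, as they appear when you follow a DHT UDP stream (from BEP 5)
PING_QUERY = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
PING_RESPONSE = b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"
GET_PEERS_QUERY = (b"d1:ad2:id20:abcdefghij01234567899:info_hash20:mnopqrstuvwxyz123456e"
                   b"1:q9:get_peers1:t2:aa1:y1:qe")
ERROR_MSG = b"d1:eli201e23:A Generic Error Ocurrede1:t2:aa1:y1:ee"


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    """Decode one bencoded value starting at offset i; return (value, next offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e, keys are byte strings
        i += 1
        d = {}
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            if not isinstance(k, bytes):
                raise ValueError("dictionary key must be a byte string")
            v, i = _decode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        start = colon + 1
        if start + n > len(data):                   # a length that runs past the packet
            raise ValueError("truncated byte string")
        return data[start:start + n], start + n
    raise ValueError(f"invalid bencode at offset {i}")


def bdecode(data: bytes) -> Any:
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def describe_krpc(msg: dict) -> str:
    """Name a decoded KRPC message the way you would annotate it in a capture."""
    y = msg.get(b"y")
    tid = msg.get(b"t", b"").hex()
    if y == b"q":
        name = msg[b"q"]
        if name not in DHT_QUERIES:
            raise ValueError(f"unknown DHT query {name!r}")
        args = msg[b"a"]
        extra = ""
        if b"info_hash" in args:                    # get_peers / announce_peer name the torrent
            extra = f" info_hash={args[b'info_hash'].hex()}"
        elif b"target" in args:                     # find_node names the node being looked up
            extra = f" target={args[b'target'].hex()}"
        return f"query {name.decode()} t={tid} id={args[b'id'].hex()}{extra}"
    if y == b"r":
        return f"response t={tid} id={msg[b'r'][b'id'].hex()}"
    if y == b"e":
        code, text = msg[b"e"]
        return f"error t={tid} {code}: {text.decode()}"
    raise ValueError("not a KRPC message")


def decode_udp_stream(payloads: List[bytes]) -> List[str]:
    """Annotate every datagram of a followed UDP stream."""
    return [describe_krpc(bdecode(p)) for p in payloads]


if __name__ == "__main__":
    for line in decode_udp_stream([PING_QUERY, PING_RESPONSE, GET_PEERS_QUERY, ERROR_MSG]):
        print(line)
```

The transaction id (t) is what ties a response back to its query in the stream, so matching on it is how you tell which get_peers a flood of responses belongs to.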

33 Advice
Understand attacks
Take steps to defend your iSeries device
National Cyber Awareness System
Keep systems patched and updated
Monitor

34 WEP and why it is weak - Demo
GO TO
Software such as Kali Linux or Aircrack can recover the key after intercepting and analyzing a modest amount of WEP traffic: the 24-bit IV repeats quickly and leaks keystream, and the statistical attacks on RC4 that Aircrack implements (FMS/KoreK/PTW) turn tens of thousands of captured IVs into the key.
Key shown in the demo: 28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 (a 104-bit key)
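Worked example for slide 34 (added here, not part of the demo): a minimal WEP encrypt/decrypt in Python, then the simplest of WEP's weaknesses, keystream reuse. WEP builds the RC4 key as IV || shared key, so two frames with the same 24-bit IV use the same keystream, and an attacker who knows one frame's plaintext recovers the other without ever learning the key. This is a different attack from the statistical key recovery Aircrack performs; the code uses the 104-bit key from the slide, and the IV and plaintexts are assumptions.

```python
import struct
import zlib

# 104-bit WEP key from the slide (28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37)
SLIDE_WEP_KEY = bytes.fromhex("28E66BE9D3B62095DDE92FBE37")

# 2**24 possible IVs; by the birthday bound a repeat is expected after roughly
# 4,800 frames, and a busy access point sends that many in seconds.
IV_SPACE = 1 << 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                           # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))      # truncates to the shorter input


def icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32, little-endian on the wire."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, key-index byte, RC4(IV||key) over plaintext||ICV."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, enc = frame[:3], frame[4:]
    plain = xor(enc, rc4_keystream(iv + wep_key, len(enc)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("ICV mismatch")
    return data


def recover_via_iv_reuse(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Attacker side, no key needed. Same IV means same keystream, so
    keystream = C_known XOR (P_known||ICV) and P_target = C_target XOR keystream."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames use different IVs, so their keystreams differ")
    keystream = xor(known_frame[4:], known_plaintext + icv(known_plaintext))
    target_enc = target_frame[4:]
    if len(keystream) < len(target_enc):
        raise ValueError("known plaintext too short to cover the target frame")
    return xor(target_enc, keystream)[:-4]         # drop the target's ICV


if __name__ == "__main__":
    # Constructed traffic: an HTTP request whose contents are predictable, then a
    # form post sent under the same IV (assumed values, not from the capture).
    iv = b"\x5a\x01\xc3"
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    secret = b"user=admin&pass=s3cret"
    f1 = wep_encrypt(SLIDE_WEP_KEY, iv, request)
    f2 = wep_encrypt(SLIDE_WEP_KEY, iv, secret)
    print(recover_via_iv_reuse(f1, request, f2))
```

Guessable plaintext is easy to come by on a WEP network (ARP requests and DHCP have fixed headers), which is also what Aircrack's ARP replay relies on to force the access point to emit fresh IVs quickly.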

35 Questions? Lisa Bock

36 More Resources
For more packet captures go to
Wireshark Network Analysis, by Laura Chappell, Chappell Binding
Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders, No Starch Press, Incorporated

37 Lynda.com See my course on Lynda.com!
Troubleshooting your Network with Wireshark

