
Chapter 6: Protocol Analysis and Network Programming

Chapter 6: Protocol Analysis and Network Programming. Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions. Networking Theory and Practice. Open Systems Interconnection (OSI) defines the standard protocol stack


Presentation Transcript


  1. Chapter 6: Protocol Analysis and Network Programming Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

  2. Networking Theory and Practice
     • Open Systems Interconnection (OSI) defines the standard protocol stack
     • Out of the 7 layers, only 4 are used in practice:
       • Physical (Layer 1)
       • Data Link (Layer 2)
       • Network (Layer 3)
       • Transport (Layer 4)
     • The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3.

  3. Frequently Encountered Network Protocols
     • IEEE 802.3 Ethernet protocol (L2)
     • IEEE 802.11 wireless protocols, commercially known as Wi-Fi (L2)
     • Address Resolution Protocol (ARP) (L2)
     • IP Version 4 (IPv4) (L3)
     • IP Version 6 (IPv6) (L3)
     • Internet Control Message Protocol (ICMP) (L3)
     • User Datagram Protocol (UDP) (L4)
     • Transmission Control Protocol (TCP) (L4)

  4. Network Protocol Analysis
     • Network protocol analysis can be performed automatically by Wireshark
     • Manual protocol analysis is outdated
     • Each frame (L2) or packet (L3) has a header and a payload
     • L3 header/payload are attached before and after L2 header/payload, i.e. encapsulation
     • L4 headers/payload are attached before and after L3 header/payload
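The header/payload nesting from slide 4, as an added example that is not part of the original lecture slides: a Python parser that peels the Ethernet, IPv4 and TCP/UDP headers off one frame. The function name `parse_frame` and the sample frame bytes are constructed for illustration.

```python
import socket
import struct

def parse_frame(frame: bytes) -> dict:
    """Peel the L2, L3 and L4 headers off one Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}}
    if ethertype != 0x0800:              # only IPv4 is decoded in this example
        return out
    ip = frame[14:]                      # L2 payload = the whole L3 packet
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(ip):
        raise ValueError("inconsistent IPv4 length fields")
    out["l3"] = {"src": socket.inet_ntoa(ip[12:16]),
                 "dst": socket.inet_ntoa(ip[16:20]),
                 "ttl": ip[8], "proto": ip[9]}
    seg = ip[ihl:total_len]              # L3 payload = the L4 segment (padding cut off)
    if ip[9] == 6 and len(seg) >= 20:    # TCP
        sport, dport = struct.unpack("!HH", seg[:4])
        data_off = (seg[12] >> 4) * 4    # TCP header length, options included
        out["l4"] = {"proto": "tcp", "sport": sport, "dport": dport,
                     "flags": seg[13], "payload": seg[data_off:]}
    elif ip[9] == 17 and len(seg) >= 8:  # UDP
        sport, dport, ulen = struct.unpack("!HHH", seg[:6])
        out["l4"] = {"proto": "udp", "sport": sport, "dport": dport,
                     "payload": seg[8:ulen]}
    return out

# Constructed sample frame (not captured traffic): TCP SYN 10.10.100.1 -> 10.10.100.100:80.
# Checksums are left as zero because this parser does not verify them.
SAMPLE = (
    bytes.fromhex("001122334455" "66778899aabb" "0800")                           # Ethernet
    + bytes.fromhex("45000028" "00010000" "40060000" "0a0a6401" "0a0a6464")      # IPv4
    + bytes.fromhex("c0000050" "00000001" "00000000" "50022000" "00000000")      # TCP
    + b"\x00" * 6                                                                 # pad to 60 bytes
)

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE).items():
        print(layer, fields)
```

The IPv4 total-length field, not the frame length, bounds the L4 segment, so the six bytes of Ethernet padding in the sample never show up as TCP payload.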

  5. Address Resolution Protocol (ARP) and Layer 2 Analysis

  6. ARP Frame

  7. Internet Protocol (IP) Analysis

  8. Internet Control Message Protocol (ICMP)

  9. User Datagram Protocol (UDP) Analysis

  10. Transmission Control Protocol (TCP) Analysis

  11. Network Programming: Bash
     • Bash is an available command line shell for Linux and Unix systems
     • It is selected in the /etc/passwd file
     • In network programming we are able to execute network commands in a script at the command line or from a script file
     • During penetration tests, we frequently encounter raw shells (that do not support even backspace) where we can only submit 1 command line at a time
     • Use network programming to build security tools such as ping scans and banner grabbers (i.e. when services self-identify)
     • Network programming remains a rare but very useful skill among security pros

  12. Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes
     • Sorting reverse numerical
         # sort /tmp/alertIPs | uniq -c | sort -nr
     • Append to file including standard error
         mount error >> log.txt 2>&1
     • Command sequence
         # echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~

  13. Linux/Unix Bash for Basic Network Programming
     • Ping an IP; returns ICMP response
         # ping -c1 -w2 10.10.100.100
     • To ping an address range, i.e. a scan
         # for i in `echo {1..254}`; do ping -c1 -w2 10.10.100.$i; done

  14. Linux/Unix Bash Network Sweep: Packaging a Script
     • Package the ping sweep in a script file with Ctrl-C abort:
         #!/bin/bash
         trap bashtrap INT
         bashtrap() { echo "Bashtrap Punt!"; exit; }
         for i in `echo {1..254}`; do ping -c1 -w2 10.10.100.$i; done
     • Use $1, $2, $3, … for command line arguments
     • Use if statement for conditionality, e.g.
         if $(test $# -eq 0 ); then network="10.10.100"; else network=$1; fi

  15. Linux/Unix Bash Network Scanning using While
     • Read IP domains from a hosts file:
         #!/bin/bash
         trap bashtrap INT
         bashtrap() { echo "Bashtrap Punt!"; exit; }
         if $(test $# -eq 0 ); then network="10.10.100"; else network=$1; fi
         while read n; do
           echo -e "\nSCANNING $network.$n"
           nmap -O -sV --top-ports 9 --reason $network.$n
         done < hosts

  16. Bash Banner Grabbing
         #!/bin/bash
         # Abort cleanly on Ctrl-C
         trap t INT
         function t { echo -e "\nExiting!"; exit; }
         # Network prefix: first argument, or a default
         if $(test $# -eq 0 ); then network="192.168.1"; else network=$1; fi
         # Outer loop: host numbers from the file "hosts"
         while read host; do
           echo -e "\nTESTING $network.$host PORTS..."
           # Inner loop: port numbers from the file "ports"
           while read port; do
             echo -n " $port"
             echo "" | nc -n -v -w1 $network.$host $port
           done < ports
         done < hosts

  17. Windows Command Line Scripting
     • In Windows Command Line the concepts are very similar to Bash
     • Use .bat suffix for script (batch) files
     • Batch file arguments are %1, %2, %3, …
     • Script file variables use %% prefix
     • for /L to iterate through numbers (i.e. counting)
     • for /F to iterate through a set or file
       • Works like a while loop in Bash

  18. Windows Command Line: Standard IO, Pipes, and Sequences
     • Example standard IO and pipes
         C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt
     • Command sequence (&), conditional (&&)
         C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del

  19. Windows Command Line: Network Programming using For /L
     • Ping sweep
         set network=%1
         for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "bytes=" > nul && echo Host at %network%.%%h

  20. Windows Command Line: Password Attack using For /F
         set ipaddr=%1
         set usertarget=%2
         for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2> nul && echo PASS=%%p & net use \\%ipaddr% /del

  21. Python Scripting
     • There are various categories of programming languages from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)
     • Categories vary by number of lines needed to implement a capability, typical multiplier is 8
     • Lower levels provide more detailed accesses, faster execution
     • Python’s advantage is that it is highly portable and has an extensive function library

  22. Python Programming for Accelerated Network Scanning
         #!/usr/bin/python3
         import os
         import time
         from threading import Thread

         start = time.ctime()
         print(start)
         scan = "ping -c1 -w1 "
         max_host = 65  # hosts 1..64 are scanned

         class threadclass(Thread):
             def __init__(self, ip):
                 Thread.__init__(self)
                 self.ip = ip
                 self.status = -1

             def run(self):
                 # Run one ping in this thread and keep its output
                 result = os.popen(scan + self.ip, "r")
                 self.status = result.read()

         threadlist = []
         for host in range(1, max_host):
             ip = "192.168.85." + str(host)
             current = threadclass(ip)
             threadlist.append(current)
             current.start()

         # Wait for every thread, then report its ping output
         for t in threadlist:
             t.join()
             print("Status from", t.ip, "is", repr(t.status))

         print(start)
         print(time.ctime())
     • Threaded scanning is about 60X faster than serial scans

  23. REVIEW Chapter Summary