Interpreting Protocols


Presentation Transcript


  1. Interpreting Protocols

  2. Wireshark smartness!
     • Wireshark can detect certain protocols and decode them for you from hex into plain text.
     • The plain text needs to be interpreted.

  3. Ports
     • Ports handle certain services:
       • 80 http
       • 443 https
       • 21 ftp control
       • 20 ftp data
       • 23 telnet
       • 22 ssh
       • 53 dns
     • On and on... ports 1-65535
     • Who can tell me the difference in port #’s < 1024 and > 1024?

  4. Ports can lie
     • Just because I see traffic on port 80 doesn’t mean it’s http:
       • IM traffic
       • Proxy traffic for IPSEC over HTTP
       • RPC over http or https
       • Non-standard services

  5. SMTP
     • Simple Mail Transfer Protocol
     S: 220 smtp.example.com ESMTP Postfix
     C: HELO relay.example.org
     S: 250 Hello relay.example.org, I am glad to meet you
     C: MAIL FROM:<bob@example.org>
     S: 250 Ok
     C: RCPT TO:alice@example.com
     S: 250 Ok
     C: RCPT TO:<theboss@example.com>
     S: 250 Ok
     C: DATA
     S: 354 End data with <CR><LF>.<CR><LF>
     C: From: "Bob Example" <bob@example.org>
     C: To: Alice Example <alice@example.com>
     C: Cc: theboss@example.com
     C: Date: Tue, 15 Jan 2008 16:02:43 -0500
     C: Subject: Test message
     C:
     C: Hello Alice.
     C: This is a test message with 5 header fields and 4 lines in the message body.
     C: Your friend,
     C: Bob
     C: .
     S: 250 Ok: queued as 12345
     C: QUIT
     S: 221 Bye
     {The server closes the connection}
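As an added example (not part of the slide deck), a small parser that walks this dialogue and separates the SMTP envelope (MAIL FROM / RCPT TO, which is what the server actually routes on) from the message header fields (which is what the recipient's mail client shows); the two are set independently, so comparing them is a cheap check for a spoofed sender. The session string is the slide's exchange with HELO and QUIT dropped for space; parse_smtp and sender_matches are names chosen for this example.

```python
import re
# The exchange from the slide (C: client, S: server); HELO/QUIT omitted for space.
SESSION = """\
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:alice@example.com
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: Alice Example <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
"""
ADDR = re.compile(r'([^<>\s":]+@[^<>\s]+)')   # bare or <bracketed> address
def parse_smtp(session):
    """Envelope from the commands; header fields and body from the DATA section."""
    env = {"mail_from": None, "rcpt_to": []}
    headers, body, state = {}, [], "cmd"        # cmd -> hdr -> body -> cmd
    for text in (l[3:] for l in session.splitlines() if l[:1] == "C"):
        if state == "cmd":
            if text.upper().startswith("MAIL FROM:"):
                env["mail_from"] = ADDR.search(text).group(1)
            elif text.upper().startswith("RCPT TO:"):
                env["rcpt_to"].append(ADDR.search(text).group(1))
            elif text.upper() == "DATA":
                state = "hdr"
        elif text == ".":                       # <CR><LF>.<CR><LF> ends DATA
            state = "cmd"
        elif state == "hdr" and text == "":     # blank line: headers -> body
            state = "body"
        elif state == "hdr":
            name, _, value = text.partition(":")
            headers[name.lower()] = value.strip()
        else:
            body.append(text)
    return env, headers, body

def sender_matches(env, headers):
    return ADDR.search(headers.get("from", "")).group(1) == env["mail_from"]
```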

  6. HTTP
     GET / HTTP/1.1
     Host: www.anl.gov
     User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
     Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     Cookie: __utma=103693648.3367326131694450000.1227753254.1232739749.1234987611.9; iPlanetDirectoryPro=AQIC5wM2LY4SfczABGq8pvtr7jSP9Xy58PNPFrx9X5woMuw%3D%40AAJTSwAKLTc2MzQ3MjQ3OQACU0kAAjIwAAJTMQACMDE%3D%23; PHPSESSID=b6cf3579089354add2cb3bd474b00ea9
     Connection: keep-alive

     HTTP/1.1 200 OK
     Server: Sun-ONE-Web-Server/6.1
     Date: Thu, 12 Nov 2009 19:44:38 GMT
     Content-type: text/html
     Transfer-encoding: chunked

     12d2
     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
     <html><!-- InstanceBegin template="/Templates/fixedHomepage_new.dwt" codeOutsideHTMLIsLocked="false" -->
     <head>
     <link href="stylesheets/argonne_new.css" rel="stylesheet" type="text/css">
     <link href="stylesheets/news_feature.css" rel="stylesheet" type="text/css">
     <link href="http://www.anl.gov/favicon.ico" rel="shortcut icon">
     <script type="text/javascript" src="javascript/anlpublic.js"></script>
     <script type="text/javascript" src="javascript/anlmain.js"></script>
     <script type="text/javascript" src="javascript/jquery-1.3.2.min.js"></script>
     <script type="text/javascript" src="javascript/jquery.cycle.all.min.js"></script>
     <script type="text/javascript">
     $(function() { $('body pre code').each(function() { eval($(this).text()); });
     .$('#slide_holder') ...after('<div id="slide_nav">').cycle({ ..fx: 'fade', ……..
     </html>
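An added example, not the slide's content: the 12d2 line that sits between the response headers and the HTML is an HTTP/1.1 chunk size in hex (0x12d2 = 4818 bytes), and a dissector has to de-chunk the body before the page can be read as text. The response below is constructed in the shape of the slide's (same header names, a short chunked body with a chunk extension and a trailer); chunk_size, decode_chunked and read_response are names chosen for this example.

```python
HEX = b"0123456789abcdefABCDEF"

def chunk_size(line):
    """Parse a chunk-size line: hex digits, optionally followed by ;extensions."""
    size_text = line.split(b";", 1)[0].strip()
    if not size_text or any(c not in HEX for c in size_text):
        raise ValueError("bad chunk-size line: %r" % line)
    return int(size_text, 16)

def decode_chunked(body):
    """Return (payload, trailer headers); raise on truncated or malformed input."""
    out, pos = bytearray(), 0
    while True:                                  # one chunk per iteration
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("missing chunk-size line")
        size, pos = chunk_size(body[pos:nl]), nl + 2
        if size == 0:
            break                                # last-chunk; trailers follow
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF (truncated?)")
        out += body[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:                                  # trailer lines up to a blank line
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("missing final CRLF")
        line, pos = body[pos:nl], nl + 2
        if not line:
            return bytes(out), trailers
        name, _, value = line.partition(b":")
        trailers[name.strip().lower().decode()] = value.strip().decode()

def read_response(raw):
    """Split status line, headers and body; de-chunk when the server says so."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    headers = {k.strip().lower().decode(): v.strip().decode()
               for k, _, v in (h.partition(b":") for h in header_lines)}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, trailers = decode_chunked(body)
        headers.update(trailers)
    return status.decode(), headers, body

# Constructed response in the shape of the slide's (header names as the server sent them).
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Sun-ONE-Web-Server/6.1\r\n"
            b"Content-type: text/html\r\nTransfer-encoding: chunked\r\n\r\n"
            b"f\r\n<!DOCTYPE HTML>\r\n"          # 0xf = 15 bytes of HTML
            b"d;ext=1\r\n<html></html>\r\n"      # chunk extension is ignored
            b"0\r\nX-Checksum: none\r\n\r\n")     # last-chunk, one trailer, blank line
```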

  7. DNS

  8. FTP
     220 Welcome to ftp.esat.net
     USER anonymous
     331 Please specify the password.
     PASS Squid@
     230 Login successful.
     TYPE I
     200 Switching to Binary mode.
     CWD mirrors
     250 Directory successfully changed.
     CWD download.fedora.redhat.com
     250 Directory successfully changed.
     CWD pub
     250 Directory successfully changed.
     CWD fedora
     250 Directory successfully changed.
     CWD linux
     250 Directory successfully changed.
     CWD releases
     250 Directory successfully changed.
     CWD 10
     250 Directory successfully changed.
     CWD Everything
     250 Directory successfully changed.
     CWD i386
     250 Directory successfully changed.
     CWD os
     250 Directory successfully changed.
     250 Directory successfully changed.
     213 20081030224131
     213 20250
     221 Goodbye.

  9. You can see “some” encrypted information
     • SSL: usually begins with hex 16 03 as the start of the SSL or TLS handshake.
     • SSH is similar.
     • Wireshark will be able to tell you a bit more:

  10. SSH

  11. SSH in the Main window

  12. The unknown
     • When you can filter out the known, you can then focus on the unknown!
     • Now you have an idea of how the pre-processors of SNORT actually work.
     • They interpret the raw hex and report back on triggers of known strings that are malicious.

  13. Replay an attack
     • The replay skill
     • You can detect the bleeding threat.
     • Replay an attack, find a unique string, and then create a rule to locate it!
     • Now you know the secret!
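Added example, not the deck's material: a toy matcher for the Snort rule shape that turns the earlier points into content rules (a TLS handshake record, hex 16 03, arriving on port 80 where HTTP is expected, from slides 4 and 9; an anonymous FTP login in cleartext, from slide 8). It is not Snort's own parser; parse_rule, matches and scan are names chosen here, and the packets are constructed.

```python
import re

# Added example: a toy matcher for the Snort rule shape "alert tcp <src> <sport> -> <dst>
# <dport> (options)". Not Snort's own parser; only msg, content, offset and depth are
# understood, plus the |16 03| hex notation inside a content string.
HEADER = re.compile(r"^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")
OPTION = re.compile(r'(\w+):\s*("[^"]*"|[^;]+);')

def content_bytes(quoted):
    """Pieces between | | are hex bytes, everything else is a literal string."""
    out = b""
    for i, piece in enumerate(quoted.strip('"').split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return out

def parse_rule(text):
    m = HEADER.match(text.strip())
    sport, dport, opts = m.group(2), m.group(4), dict(OPTION.findall(m.group(5)))
    return {"sport": None if sport == "any" else int(sport),
            "dport": None if dport == "any" else int(dport),
            "msg": opts["msg"].strip('"'),
            "content": content_bytes(opts["content"]),
            "offset": int(opts.get("offset", 0)),
            "depth": int(opts.get("depth", 0))}          # 0 = no limit

def matches(rule, sport, dport, payload):
    """Ports must fit (or be any) and the content must lie inside offset/depth."""
    if rule["sport"] not in (None, sport) or rule["dport"] not in (None, dport):
        return False
    window = payload[rule["offset"]:]
    if rule["depth"]:
        window = window[:rule["depth"]]
    return rule["content"] in window

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"TLS handshake on the HTTP port"; content:"|16 03|"; depth:2;)',
    'alert tcp any any -> any 21 (msg:"Anonymous FTP login"; content:"USER anonymous"; depth:14;)',
)]

# Constructed packets: (source port, destination port, first payload bytes).
PACKETS = [
    (51234, 80, b"GET / HTTP/1.1\r\nHost: www.anl.gov\r\n"),   # plain HTTP: no alert
    (51235, 80, bytes.fromhex("16030100c5")),                 # TLS record where HTTP expected
    (51236, 21, b"USER anonymous\r\n"),                       # cleartext FTP login
]

def scan(packets, rules=RULES):
    """Return (packet index, msg) for every rule that fires."""
    return [(i, r["msg"]) for i, (s, d, p) in enumerate(packets)
            for r in rules if matches(r, s, d, p)]
```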
