網路攻擊與封包分析- Wireshark
0 likes610 views
This document summarizes a presentation on network security analysis and the packet analyzer Wireshark. It introduces network security analysis, explains who uses network analyzers like Wireshark, and covers the basics of Wireshark including how to position packet sniffers, Wireshark's features and interfaces, and some exercises analyzing FTP, malware, and HTTP traffic.
網路攻擊與封包分析- Wireshark
- 1. Security Camp 2012 網路攻擊與封包分析- Wireshark 講師:鄭毓芹 博士生 服務單位:國立成功大學電機系 E-mail:julia.yc.cheng@gmail.com
- 2. 2Security Camp 2012 Agenda n Basics n What is “Network Security Analysis” ? n How useful for your security activities? n Who Uses Network Analyzers n Tool Introduction n About Wireshark n Sniffer Positioning n Features & Panels n Exercise
- 3. 3Security Camp 2012 What is “Network Security Analysis” ? n Important activities for incident responders and security analyst n Currently data just travels around your network like a train. With a packet sniffer, get the ability to capture the data and look inside the packets to see what is actually moving along the tracks.
- 4. 4Security Camp 2012 What is “Network Security Analysis” ? n Related to many security activities n Network monitoring n To detect on-going incident n Network forensics: n To find evidence in the specific incident n Malware analysis: n To find capability of malware such as “sending important data to malicious servers” or “Bot command & control” n Process of capturing, decoding, and analyzing network traffic
- 5. 5Security Camp 2012 5 Who Uses Network Analyzers n System administrators n Understand system problems and performance n Intrusion detection n Malicious individuals (intruders) n Capture cleartext data n Passively collect data on vulnerable protocols n FTP, POP3, IMAP, SMATP, rlogin, HTTP, etc. n Capture VoIP data n Mapping the target network n Traffic pattern discovery n Actively break into the network (backdoor techniques)
- 6. 6Security Camp 2012 Network security analysis – Flow based n Feature n Focus on network flow/traffic instead of each packet n Good approach to get high level overview or accounting n Tools n Netflow / sFlow n MRTG/RRDTool
- 7. 7Security Camp 2012 Network security analysis – Packet based n Feature n Focus on each packet or group of packets n Can analyze thoroughly but high cost n Tools / Techniques n Tcpdump n Wireshark / tshark
- 8. 8Security Camp 2012 Network security analysis – Packet based (Cont.) n Capture packet n Don’t use Wireshark to capture packets n Avoid running Wireshark with root privilege n Use more simple program instead n E.g. tcpdump, dumpcap n Analyze packet: n Wireshark is the best friend for this purpose.
- 9. 9Security Camp 2012 Tool Introduction: About Wireshark n Wireshark is free and open-source tool n Run on many OSs n Windows / Linux / *BSD / Solaris and others n User Interface n GUI - Packet list / Packet details / Packet Bytes n CUI – tshark (Command line modes) n Many Features n Search / Filter/ Colorize / Statistics / others n Vulnerability: http://www.wireshark.org/security/
- 10. 10Security Camp 2012 10 n Decodes over 750 protocols n Compatible with many other sniffers n Plenty of online resources are available n Supports command-line and GUI interfaces n TSHARK (offers command line interface) has three components n Editcap n Mergecap n text2pcap Tool Introduction: About Wireshark (Cont.)
- 11. 11Security Camp 2012 11 Tool Introduction: Sniffer Positioning
- 12. 12Security Camp 2012 Hub Tool Introduction: Sniffer Positioning (Cont.)
- 13. 13Security Camp 2012 Switches Tool Introduction: Sniffer Positioning (Cont.)
- 14. 14 Wireshark (and WinPcap) Wireshark – Application for Sniffing Packets WinPcap – open source library for packet capture Operating System – Windows & Unix/Linux Network Card Drivers – Ethernet/WiFi Card Ethernet Card
- 15. 15Security Camp 2012 15 Getting Wireshark n Download the program from n www.wireshark.org/download.html n Requires to install capture drivers (monitor ports and capture all traveling packets) n Windows: winpcap (www.winpcap.org) n Linux: libpcap
- 16. 16Security Camp 2012 16 Running Wireshark
- 17. 17Security Camp 2012 Simple Capture
- 18. 18Security Camp 2012 Capture Options
- 19. 19Security Camp 2012 19 Details of the selected packet (#215) Raw data (content of packet # 215) Packet #215: HTTP packet
- 20. 20Security Camp 2012 Menu Bar
- 21. 21Security Camp 2012 Status Bar
- 22. 22Security Camp 2012 22 Filtering HTTP packets only
- 23. 23Security Camp 2012 Right Click Filtering
- 24. 24Security Camp 2012 Follow TCP Stream
- 26. 26Security Camp 2012 Protocol Hierarchy
- 27. 27Security Camp 2012 Protocol Hierarchy
- 30. 30Security Camp 2012 Expert Info
- 31. 31Security Camp 2012 Expert Info
- 32. 32Security Camp 2012 Capture Filter
- 33. Security Camp 2012 Exercise 1 FTP Traffic
- 34. 34Security Camp 2012 Exercise 1 : FTP Traffic n Q1: 封包擷取日期? n Q2: Protocol analysis ? n Q3. FTP server's IP address is n Q4. FTP client's IP address is n Q5. FTP Err Code 530 means n Q4. 10.234.125.254 attempt
- 35. Security Camp 2012 Exercise 2 Malware Communication Traffic
- 36. 36Security Camp 2012 Exercise 2: Malware Communication Traffic n Q1. What kind of malicious activity did this malware do? n Q2. What is the malicious server's IP address?
- 37. Security Camp 2012 Exercise 3 Malicious HTTP Traffic
- 38. 38Security Camp 2012 n Q1. Which site and which page were defaced? n site n page n Q2. Which URL looks malicious? n Q3. Which software seemed to be the target of this exploit? n Q4. What kind of malicioius activity was executed after exploit?
- 39. 39Security Camp 2012 HTTP Analysis
- 40. 40Security Camp 2012 HTTP Analysis – Load Distribution
- 41. 41Security Camp 2012 HTTP Analysis – Packet Counter
- 42. 42Security Camp 2012 HTTP Analysis – Requests
- 43. 43Security Camp 2012 Export HTTP Objects
- 44. 44Security Camp 2012 Packet Length
- 45. 45Security Camp 2012 Packet Length