130 likes | 343 Views
Interpreting Protocols. Wireshark smartness!. Wireshark can detect certain protocols and decode them for you from hex into plain text. The plain text needs to be interpreted. Ports. Ports handle certain services: 80 http 443 https 21 ftp control 20 ftp data 23 telnet 22 ssh 53 dns
E N D
Wireshark smartness! • Wireshark can detect certain protocols and decode them for you from hex into plain text. • The plain text needs to be interpreted
Ports • Ports handle certain services: • 80 http • 443 https • 21 ftp control • 20 ftp data • 23 telnet • 22 ssh • 53 dns • On and on..ports 1-65535 • Who can tell me the difference in port #’s < 1024 and > 1024
Ports can lie • Just because I see traffic on port 80 doesn’t mean it’s http • IM traffic • Proxy traffic for IPSEC over HTTP • RPC over http or https • Non standard services
SMTP • Simple Mail Transport Protocol S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.org S: 250 Hello relay.example.org, I am glad to meet you C: MAIL FROM:<bob@example.org> S: 250 Ok C: RCPT TO:alice@example.com S: 250 Ok C: RCPT TO:<theboss@example.com> S: 250 Ok C: DATA S: 354 End data with <CR><LF>.<CR><LF> C: From: "Bob Example" <bob@example.org> C: To: Alice Example <alice@example.com> C: Cc: theboss@example.com C: Date: Tue, 15 Jan 2008 16:02:43 -0500 C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the message body. C: Your friend, C: Bob C: . S: 250 Ok: queued as 12345 C: QUIT S: 221 Bye {The server closes the connection}
HTTP GET / HTTP/1.1 Host: www.anl.gov User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us Accept-Encoding: gzip, deflate Cookie: __utma=103693648.3367326131694450000.1227753254.1232739749.1234987611.9; iPlanetDirectoryPro=AQIC5wM2LY4SfczABGq8pvtr7jSP9Xy58PNPFrx9X5woMuw%3D%40AAJTSwAKLTc2MzQ3MjQ3OQACU0kAAjIwAAJTMQACMDE%3D%23; PHPSESSID=b6cf3579089354add2cb3bd474b00ea9 Connection: keep-alive HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Thu, 12 Nov 2009 19:44:38 GMT Content-type: text/html Transfer-encoding: chunked 12d2 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html><!-- InstanceBegin template="/Templates/fixedHomepage_new.dwt" codeOutsideHTMLIsLocked="false" --> <head> <link href="stylesheets/argonne_new.css" rel="stylesheet" type="text/css"> <link href="stylesheets/news_feature.css" rel="stylesheet" type="text/css"> <link href="http://www.anl.gov/favicon.ico" rel="shortcut icon"> <script type="text/javascript" src="javascript/anlpublic.js"></script> <script type="text/javascript" src="javascript/anlmain.js"></script> <script type="text/javascript" src="javascript/jquery-1.3.2.min.js"></script> <script type="text/javascript" src="javascript/jquery.cycle.all.min.js"></script> <script type="text/javascript"> $(function() { $('body pre code').each(function() { eval($(this).text()); }); .$('#slide_holder') ...after('<div id="slide_nav">').cycle({ ..fx: 'fade', …….. </html>
FTP 220 Welcome to ftp.esat.net USER anonymous 331 Please specify the password. PASS Squid@ 230 Login successful. TYPE I 200 Switching to Binary mode. CWD mirrors 250 Directory successfully changed. CWD download.fedora.redhat.com 250 Directory successfully changed. CWD pub 250 Directory successfully changed. CWD fedora 250 Directory successfully changed. CWD linux 250 Directory successfully changed. CWD releases 250 Directory successfully changed. CWD 10 250 Directory successfully changed. CWD Everything 250 Directory successfully changed. CWD i386 250 Directory successfully changed. CWD os 250 Directory successfully changed. 250 Directory successfully changed. 213 20081030224131 213 20250 221 Goodbye.
You can see “some” encrypted information • SSL: Usually begins with a 16 03 hex as the start of the SSL or TLS handshake • SSH is similar. • Wireshark will be able to tell you a bit more:
The unknown • When you can filter out the known you can then focus on the unknown! • Now you have an idea of how the pre-processors of SNORT actually work. • They interpret the RAW hex and report back on triggers of known strings that are malicious
Replay an attack • The replay skill • You can detect the bleeding threat • Replay an attack and find a unique string and then create a rule to locate it! • Now you know the secret!