Introduction to Packet Analysis - Part 1: Network Protocols

Captions
Welcome to the packet analysis workshop. We're going to get started by taking a look at network packets and protocols. We'll work through some common protocols such as TCP, UDP, IP and some helper protocols. Later on we're going to take a look at specific tools: Wireshark and NetworkMiner, along with tcpdump. With tcpdump we can capture packets and then do the analysis with NetworkMiner and Wireshark. In a lot of the cases we'll be able to solve the problems with either of the tools, but using different techniques, and we'll try to cover both. Then later we're going to work on a lab. We have 25 questions to answer, and the answers are available, but try not to look at those until the end; we'll walk through answering each of the questions later on in the course.

To start with, we're going to use the OSI model to represent our network. It's based on the idea of layers, but sometimes it's better to think of these as Lego blocks. Each layer is responsible for doing a job, a very specific job, and typically this layer is very good at doing that exact job, but it's not very good at doing any of the other layers' jobs. The exception, as we'll see, will be the application layer.

Communication is split into discrete packets. This is a fixed amount of information that travels across the network, so if you have a message that's too large to fit in a particular packet, we'll need to break that message up, send it across the network in different packets, and then put those packets back together at the other side. We'll see later that whether you use TCP or UDP greatly affects how and when these packets are reassembled. The important thing to remember so far is that each layer is responsible for moving the packet a part of the way across the total journey.

A protocol is just an agreement on how we're going to represent information. For example, IP, or the Internet Protocol, has a very specific structure: the fields are laid out in an exact order, and each field has an exact length and an exact representation. Some fields are integers, some fields are bits, but each field has an exact way that we're to interpret it, no matter what kind of piece of equipment we're using, no matter who manufactured it or other variables.

Now, sometimes there are protocols that are complicated, and they will actually combine different layers into a single protocol. So for example, HTTP is capable of representing the application layer, but it can also represent the presentation layer and the session layer. Layer seven is the application layer, and that's the language in which the HTTP messages are carried back and forth. Usually the HTTP protocol carries things like HTML web pages, in other words JavaScript, style sheets, also JSON and REST messages. But when you think about an HTTP-based application, you also see that HTTP can handle the presentation layer. For example, it can encode the data with gzip so that the data is compressed before it's sent across the internet. Also, HTTP packets can travel on top of TLS, also known as SSL, if we're transmitting via HTTPS or HTTP over SSL; SSL itself has been replaced by TLS in recent years, but the name stuck. Presentation is how the data is formatted: gzip is compression, that's a format; encryption itself, like using TLS or HTTPS, is also a format. Those are all layer six. And anyone who has used a website for any time realizes that websites have sessions stored in cookies. There can be other information stored in cookies as well, but certainly our login information, our session token, is one of the most common across lots of different websites. So a protocol is an agreement on how we're going to send a particular packet.

The OSI model has these seven traditional layers. The lowest layer, the physical layer, is how we transmit the signal in real life. It's the only layer that actually exists in the physical world. Starting at the data link layer and moving up all the way through the stack to the application layer, those are all logical or conceptual layers. They are ways of organizing information and an agreement on how each side is going to handle the communications, but they don't actually exist in real life. The physical layer, on the other hand, is how we actually transmit the information. So for example, we might transmit over radio waves in a Wi-Fi network, or using electrons flowing through a cable if we're using an Ethernet cable, jacks and plugs. Also there can be more advanced communications, fiber-optic cables for example. A lot of times in municipalities you'll see packets carried underground or over the wires in the city with fiber optics, or even over telephone cable perhaps, but when it gets to the house they'll be converted into the more traditional Ethernet. And a lot of us have used Wi-Fi networks, and of course those are radio waves.

The OSI model sometimes struggles to represent modern protocols because of protocols like HTTP that encapsulate more than one layer in the OSI model. So it may be easier to think about the layers as application; transport, that would be TCP or UDP in most cases; the network layer, like the Internet Protocol; and the link layer, such as Ethernet. Because if you think about a lot of traffic, it has a tendency to be Ethernet carrying Internet Protocol, which is carrying TCP, which is carrying the application layer; a lot of times this is web, FTP, your email. So especially if you're developing software, this model may be an easier representation to map to what is going on conceptually inside of the software.

When the data is traveling over the media, for example down the wire, the information, the bits, are actually traveling in a row, in one long stream or a line, one behind the other. When we look at diagrams later, we're going to look at the diagrams more like tables: we're going to have 32 bits of information in each row, and then we'll have a row for each line in the table representing more information down the protocol. But when the data is actually transmitted, it's not transmitted as a table or in 32-bit chunks or anything like that; it's actually transmitted all at once in a long line. Now each packet is transmitted individually, but that entire packet is sent all at once. So later on, when we look at the tables that represent these protocols and their structure, don't get confused that the packet is broken up when it's sent; it's actually sent all at once. Now Internet Protocol does allow more than one Internet Protocol packet to be sent, but that's a feature of that particular protocol; still, any given packet is transmitted all at once in a burst. Also note that the direction of travel is from the link layer through the application layer. So the link layer information is sent, and then followed immediately by the Internet Protocol, TCP protocol or UDP protocol, session, presentation and application layers. They're all sent back to back. There is no separation between them: immediately after the last bit of the previous protocol, the next protocol starts.

The first layer is the physical layer, the only layer that we can actually represent in real life. So this again is going to be things like RJ45 or cables. RJ45 specifies the construction of these cables; for example, they have eight wires made up of four twisted pairs that terminate at pins at the end of the cable in a specific order. And there's also radio wave transmission known as Wi-Fi, and of course you can also transmit over other kinds of radio waves; for example, cellular is very popular. And these are not the only media: there's fiber optics, satellite communications, all kinds of other media. But generally speaking, for today we're just going to talk about RJ45, or traditional network cable, Cat5 or Cat6, and then we'll also talk a little bit about Wi-Fi. We'll just kind of assume that those are the two most common that we run into in everyday life in our houses and our businesses, and that that will cover the majority of the audience.

The first layer we're going to talk about today is the logical link layer. Often this is going to be Ethernet. Ethernet is by far the most popular in regular homes and businesses. There are special situations where other layer two protocols can be used, though; it's just that we tend to run into Ethernet in a typical scenario. The Ethernet layer is responsible for allowing computers that are on the same network subnet to talk to one another. In other words, there's no concept of routers or routing at this layer. You can have two computers in the same room, or they can be separated by a little bit of distance, but in general all these computers are going to be connected together through the same switch. It used to be that we'd connect these together with hubs, but those haven't been around for a while, because they had problems where they would both leak information and also cause a lot of collisions. With the hubs, you would plug all the computers into the same hub, and when one computer would talk, that message would get broadcast to all the other computers connected to the hub. Obviously this is very wasteful, but it also increased the amount of network traffic quite a bit, so it made it a lot more likely that two computers would happen to send a message at the same time and cause a collision. Later on, when security became more important, it was also recognized that when one computer spoke, all the other computers heard what the first computer said. This isn't secure, and switches gained popularity for both reasons.

Switches listen on each individual plug, or port, for a computer to send a message. When the message is sent, the switch takes that message and inspects it, looking at the layer two packet to see who the destination is, and that's based on the MAC address. The MAC address is the address of the network interface, or typically the network card. When the cards are manufactured, they're given this unique serial number. The left-hand side, or the first three octets, represents the manufacturer who created the card; it's called the organizationally unique identifier, and this is going to be common on any of the cards that were manufactured under that name. On the right-hand side, the next three bits represent the unique ID for that particular card. It's supposed to be unique; every once in a while you'll see a card that accidentally has the same number, but this is rare. That only occurs if someone has cloned the card or if one manufacturer is trying to steal another manufacturer's IDs.

So switches and hosts use MAC addresses to refer to one another at layer two, and MAC addresses are only good at layer two. They can't be used at the other layers because they don't have any meaning outside of layer two. So for example, if one computer is sitting in network A and it wants to talk to another computer in network B, but network B is halfway around the world, over layer two those two computers are not going to speak with one another, because they're not on the same subnet. So what will end up happening in those situations is layer two will at least get the message from computer A to the switch and the router. The router will have to help the message get all the way across the internet by routing the information over several routers to reach the destination router. When the packet makes it all the way to the final network where computer B resides, the one that's going to get the message, then the MAC address of computer B will be determined at that point. So computer A doesn't know the MAC address of that long-distance computer, because it's not on the same subnet and it can't ask what the MAC address is; all it would know would be the IP.

So here's an example of a layer two packet. This is a good time to open up Wireshark and look at the packets. Open up any of the pcaps; they're all Ethernet, so any packet will work. Click on any packet and then you can click on the Ethernet line in Wireshark. If you notice, the Ethernet bits are the very first bits in the packet; this is the very first of the logical layers. Looking back at the protocol, the first 24 bits are going to be the OUI, and the second 24 are going to be the unique number of this particular network interface, or network card if you want to think of it that way. So the first three pairs, 00 0C 29, refer to the vendor that manufactured this particular first network card; in this case it's going to be the leftmost 24 bits, and then it's followed by B0 8D 62. You can actually see that up in this Wireshark mock-up here. So B0 8D 62, that's the unique number for the VMware card. The destination address, after the first six hex digits, starts another network card, and this one starts with 00 21 70, which represents Dell, and the unique number on that card is 44 FA E. Now it takes all six of those hex digits to represent the entire MAC address; it's just that the MAC address happens to be broken up into two halves, the manufacturer of the card and the ID of the card itself, but the whole thing is used by the switch to figure out which card to send the information to.

Now when we're talking about Ethernet specifically, we really say that the information is going to the network interface or the network card, not technically the computer, because a given computer can have more than one network interface in it, and each one of them is going to have to have a MAC address. Over on the right-hand side is just the raw information that's in the packet. We can see that this particular packet happens to be ultimately carrying HTTP, and it does so from Ethernet carrying Internet Protocol, or IP, which is carrying a TCP packet, which is carrying an HTTP packet, and all of those are represented simultaneously on the screen here. Now notice that at the very end of the Ethernet information, the IP information, the next protocol, begins immediately. There's no marker or space. The only way that we actually know that this is the end of Ethernet and the beginning of IP is because we looked at the protocol, and the protocol very specifically tells us exactly how to interpret this information. That's the importance of protocols: both sides of the communication have to agree on exactly how to interpret this information, because if you looked at it literally, it would just be ones and zeros being transmitted across the media.

Another thing about these numbers before we go on: these numbers are hex digits, and hex is a little bit different than the base 10 that we're used to. Normally when we count to 10 we would say 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, but then we run out of digits and we have to start over to get to 10. So in order to get to 10, we zero out the ones position and then we put a 1 in the tens position. So the number 10, interpreted very literally, is we have one ten and zero ones, in other words 1 0, or 10. That seems obvious to us because we use it every day, but when you start to try to read hex numbers, you realize you kind of have to think through exactly how the digits work. Look at the hex digits 21 here: it looks like our number 21, but it's not. It's actually one 1 and then two 16s, because in hexadecimal there are 16 digits. It's 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, but then it goes A, B, C, D, E, F; there are six extra digits, unlike base ten. That's why it's called base sixteen: it's based on 16 digits. So if you want to count in hexadecimal to 21, you would say 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F, and then you would say 10, because you would zero out the ones and then you would have one 16. It would look like our number 10, even though it represents 16 in base 10. So 21 hex is not 21 in our numbers; it's two 16s and one 1. Two 16s is 32, plus 1 is 33. This number here in base 10 is actually 33, it's not 21. So when reading these digits in Wireshark, be careful, because they are base 16, or hexadecimal, and that's why they have letters in them sometimes. Now the letters will only be A through F, again because once you run out at F you start over at 0 and add 1 to the next column over to the left.

The next protocol we're going to look at is Internet Protocol, and again we're going to represent these protocols in tabular form. It makes them easier to read, and also it helps us divide up how long all these packet fields are, but again, the data will be transmitted just in one long stream. So the first field is the version; for IPv4 this will be 4, for IPv6 this will be 6. So this field is pretty easy, and it can kind of help us figure out where the end of the MAC address is, since we know what the number is going to be in advance. The IHL is the internet header length: it's how long the IP packet is, not counting the data. It's also interesting to note, down here in this data area, that from Internet Protocol's point of view the data in this example is going to be TCP. The IP protocol doesn't really know that there is such a thing as TCP; it just knows that it's carrying data. How that data is organized is determined by another protocol, so in our example TCP determines how this purple data area down here is organized. The next field is the type of service, and then that's followed by the total length. So the total length would be the length of the data plus the length of the IHL; it's the total length from IP's point of view. It doesn't count the Ethernet, because IP doesn't have a concept of the Ethernet frame, so those bytes aren't counted in the total length, because this is the total length only as Internet Protocol sees it: the Internet Protocol recognizes itself, plus it recognizes that it's carrying all this data.

So this is a good point to look at how long these fields are. The total length of this entire row, from right to left, is 32 bits. So the version field we can see over here on the left would be 4 bits: halfway is 16 bits, half of 32; half again is 8 bits; and then half again is 4 bits. So the version field and the IHL, or internet header length field, are only 4 bits each, the type of service is 8 bits, and the total length is 16 bits. The identification field is 16 bits, and we have the flags, there are only three of those flags, and then we have the fragment offset. So the flags field is a little bit funny because there are only three of them. Let's take a look at what some of the other fields do.

The identification is the name of this particular packet. Now, it's actually going to be a number, but think of it as the name or the identifier of this particular packet. The flags tell us whether or not we're fragmenting the packet, and they also tell us, in the case that we are fragmenting, whether this is the last packet or not. The fragment offset is just going to be the number of the packet. So let's say for example that this IP packet were fragmented into three parts. Then the identification would be the same in all three packets; it's just the identifier that names this particular group of packets. If it was fragmented, then the don't fragment bit would be zero, and for the first packet it would not be marked as the last packet, of course, because it's the first, and the fragment offset would just be marked as the first packet. Then the second packet would have the exact same ID; it would not be marked as the last packet, and it would have a fragment offset indicating it's the second packet. And then finally the third packet would have the exact same ID; it would be marked as the last packet in the flags, and the fragment offset would indicate it's the third packet. So when the router at the other end of the stream gets this packet, it could put it all back together, because it knows the order of the packets, it knows which one is the last one so that it can stop waiting for fragments, and it knows which packets should actually be grouped together, because they would all have the same name or identification.

The time to live is how many hops this packet is going to run around networks before finally some router gives up and drops the packet. The time to live on Linux systems is typically going to be about 64, but on Windows it should be right about 128. Other systems use other numbers; for example, others might use 255. So in other words, a Linux packet with an initial time to live of 64 can make 64 hops, or in other words be transmitted to 64 routers in a row, before the time to live is finally going to expire, and that last router would just drop the packet. Every time the IP packet passes through a router, that router is going to decrement the time to live by one. The protocol here is not the IP protocol in use; that's the version field. This protocol here is what's being carried, so in our example we're carrying the TCP protocol, so TCP would be entered as the protocol here. There's a header checksum, and then finally the source and destination addresses. Notice these are 32 bits, the longest two fields in the IP packet. Usually there are no options, but there is a space for the options to be present, and then after the options there's going to be some padding to make sure that we end on a 32-bit boundary.

This is where the IHL comes in. The IHL is not represented in bytes or bits; it's actually represented in words. A word is 32 bits, or four bytes. So this top row, with version through total length, is one word in length, and in this packet, assuming there are no options, there would be one, two, three, four, five words, represented by the first five rows in this table. So if we were to see this particular IP packet with no options, the first two numbers would be version 4, internet header length 5, or 45. If we take a look at the representation of an IP packet, we can see that that 45 will often start right here, and it helps us mark the beginning of the IP packet, and then the remaining fields go from there. Remember the version field was only four bits, so it's represented by one hex digit; the IHL was also four bits, and it's represented by one hex digit. In Wireshark, because Wireshark always shows the hex digits in pairs, in other words it shows one byte at a time, those two numbers are right next to one another; there is no space between them. Each of these pairs of hex digits is one byte. The biggest number you can have would be FF, which is 255, which is the biggest value of a byte. A byte being 8 bits, the biggest it can be would be eight ones in a row, which is 255; it's just two different representations. So in fact we have three representations that we're probably switching back and forth on: the biggest that a byte can be as an integer is 255, the biggest that a byte can be in hexadecimal, two digits, is FF, and the biggest that a byte can be in binary is eight ones in a row.

We can look at some of the other fields as well. Particularly important ones include the source and destination addresses; these are the IP addresses, or Internet Protocol addresses. So notice that the packets each have two addresses. There's the MAC address, that's going to be used on the local subnet when the packet is being transmitted locally without any kind of routing. As soon as the packet needs to leave our current network and go on to some destination network, it's going to start using the IP address. But all of these packets are going to have both addresses: the address of the network card itself within the subnet, and the IP address of the packet indicating which host it belongs to. And you can see that this Internet Protocol packet is carrying a TCP packet. So if we look at some of these fields, there was version, IHL and the type of service, the total length of the packet, identification, the flags and the fragment offset, the time to live, protocol, checksum, source and destination address. What you'll see is that Wireshark will represent these in lines. So in Wireshark, click the triangle symbol on the left to open an Internet Protocol packet up, and you can look at all these different fields interpreted for you. Also, if you click on one of the fields, it'll turn that area down here in the hexadecimal string blue, and it will also turn the raw data on the right-hand side blue. The raw data is not really useful for the first couple of protocols, but later on, when we see ASCII protocols like HTTP, you can actually start to read the HTTP on the right over in the raw stream.

TCP is another protocol that we're going to look at today, along with UDP. These are the layer 4 packets, or the transport layer packets. When we're talking about TCP and UDP, things really start to get very conceptual. When we look at MAC addresses, we know those are the address of the network interface, typically a network card. When we talk about an IP address, that's the address of the host. When we talk about TCP, though, we're talking about ports, which gets to be a little bit more of an ethereal concept. A port is a number assigned to a program. Programs run on operating systems, and most of the time the program just runs locally on that particular operating system and doesn't talk to the rest of the world, but there are special processes that are allowed to use the network interface to communicate outside of that host. When one of these special processes starts, it has to ask the operating system for permission to talk on the network interface. Well, the operating system will grant this access if the process is set up correctly, but the operating system is going to have a big problem: there's going to be a bunch of processes all using that exact network interface, these messages are coming in quickly, and the operating system has to know which process, or which running program, is supposed to get that message. So what the operating system does is, when the program is instantiated, it is run as a process in the operating system, and the operating system will assign to it a number. This is the port number that represents that process when a layer four packet arrives. So for example, by default FTP programs, or FTP servers, will have a tendency to get port 21 assigned to them, or number 21 as their listening port. When a message comes in, if the destination port in the TCP packet in our example happens to be 21, the operating system is going to know that that message is intended for that FTP program. It's not going to give it to the web server or to some other program that's running; it realizes that by the port number. That's the assignment.

So transport layer packets will have a source port, the program that sent the message, and a destination port, the program that is going to receive the message. And so what these ports do is they map the message itself to the program that's supposed to get the message. The source port and the destination port in the TCP protocol are the first two fields, and they're both sixteen bits long. That means that port numbers can be between 0 and 65535, so port numbers are pretty broad. Port numbers that are between 0 and 1023 are typically reserved for services running on the operating system that are common and that also have privileges above user. Whenever a user program is running and it's reaching out, typically it's going to pick a port number that's higher than 1023; it's going to pick a number that's often probably five digits long, even though it could be anything. It might be something like 35123. But generally speaking, if the port number is relatively low, that is typically given to a listening service, or a program listening for messages to come in, and if the port number is relatively high, typically it's a client program that's sending a message to a service or to a server.

So TCP also has sequence numbers and acknowledgement numbers, because TCP, as we'll see later, actually cares about the order of the packets and whether or not they arrive. So the sequence numbers help TCP keep the packets in the right order. If two packets are sent, they go across the network or the internet and they get to the destination, but they got flip-flopped, in other words the second packet arrived first, the receiving computer can look at the sequence numbers and realize that they're out of order and put them back into order. The acknowledgement number is used by the system that's receiving the message to acknowledge that it got the packet, because in TCP, if that acknowledgement is not received by the sender in a certain amount of time, the sender is going to resend that packet. Obviously on noisy networks or poor-bandwidth networks there can be congestion, and packets may not arrive, or they may arrive too slowly and not be acknowledged in time, and so in TCP networks you can see packets retransmitted. We'll see later that UDP doesn't do this. Other fields in TCP are the header length and the flags, the window, checksum and urgent pointer. Now the most important fields, besides the ports and the sequence and acknowledgement numbers, are the flags. So what we'll see later is that in TCP there are flags like synchronize, acknowledgement, finish, urgent, push and others that help determine what kind of TCP packet it is, and those help manage the TCP communications so the two computers can get on the same page and talk to one another. The flags will be looked at in detail later.

So looking at a TCP packet in Wireshark, we can see that it starts here just after the end of the IP packet. Again, there's no barrier between them; the next bit after the last bit of the IP is TCP, and it starts off with the source port and then the destination port. So the first port, 04F9, is the hexadecimal representation of port 1273 in decimal; in other words, 4F9 in hexadecimal is equal to 1273 in base 10. We see that the destination port is represented as 50, which is 80 in our regular base 10 numbers. So 50 hex is five 16s plus zero ones. 5 times 16 can be figured out by taking 5 times 10, which is 50, and 5 times 6, which is 30, and 50 and 30 is 80. In other words, 50 hexadecimal is equal to 80. So the most important fields are the ports, sequence and acknowledgement numbers, and the flags.
Info
Channel: webpwnized
Views: 90,564
Keywords: tutorial, Information, Security, demo, OSCP, Wireshark, method, TCP, introduction, Miner, UDP, penetration, Kali, basic, intro, analysis, How To, hacker, Help, online, ISSA, Windows, techniques, methods, Learn, simple, tools, workshop, how, Windows 10, overview, testing, Network Miner, beginner, webpwnized, example, practice, learn, Helpful, protocol, guide, technique, pen, course, examples, tcpdump, basics, IP, free, HTTP, explained, beginners, Linux, InfoSec, 101, TCPIP, Overview, process, easy, tool, network, training
Id: visrNiKIP3E
Length: 39min 55sec (2395 seconds)
Published: Fri Nov 18 2016