Wireshark TLS and Pcap Puzzles with Sake Blok

Captions
[Music] So... this... hmm. Hello everyone! Where am I? Oh no, more problems. Oh boy, someone got a green screen, so you know what, we're taking this up a notch, baby, we're taking this up a notch. So, that was fun. This is the first time I've used the new fancy YouTube live stream dashboard, and I did a test the other night just to make sure, and everything went perfect, no problems at all. Guess what? This time I send my live stream from my computer up to YouTube and I can see it, it's there, and I'm like, oh great, and then I go check my laptop, you know, because you gotta be monitoring: nothing. Commence three minutes of panicked scrambling. Turns out there's a new button up in the corner that says "actually go live". That's new. Okay, great. Look, thanks for coming. Yes, I have a new green screen. Why not? I just got off a call with some executives from my company in which I was presenting, and I thought, oh well, I'm gonna have a live stream directly after this meeting, I'll go ahead and do the green screen on the Zoom call, you know what, it'll be cool. Well, in this software I can zoom, I can crop and only show, because you can't, right, I'm only showing a little box here, and Zoom, it gives you the whole thing, and I have a really wide-angle lens, so you see me, a space field just behind me, and then around the edges you just see my bedroom. So that was cool. We had good fun with that, but you know what, I owned it, we went for it, it was fun. Ah, what are we doing? Trying to get my heart to calm down. So I'm basically right now on the point in San Francisco where I have to decide between sweating to death or smoke inhalation. We don't have air conditioners in this part of the country. Open the window, that's the air conditioner, and honestly here it works pretty well. There's only a few days a year that even that doesn't really get the job done. I do that now and then I just smell wildfires. Maybe you've seen the news, it's not great, very scary, and the sky, when you wake up and you look at the sky, it's like, I don't know, end-of-the-world apocalypse, red skies, the sun looks really angry. So, hey, I hope that we can get some things figured out on that. And then the fires started, and I believe a lot of them started due to a lightning storm that came through the Bay Area. I'm from Mississippi, I'm used to thunderstorms and angry rain, just loud, wake-you-up, shake-the-house thunder, and rain just beating down on you like trying to beat you into the earth. Here rain is more apologetic. It's like, sorry, I'm so sorry, I don't mean to get you wet, just a little sprinkle here and there. But it happens, you know, more often, but there's never thunder, there's never lightning. And so I wake up at 4 a.m. and I see flashes of lightning going across the window, through the window into the bedroom, heard a little rumbling, it's like, wow. And then now we have... yes, I've got... we're all getting 2020 [unclear]. I mean, oh good grief. It's like, the only thing that hasn't seemed to come to fruition yet, but don't mark it off the list, is murder hornets. I'm sure it's going to be a thing anytime real soon. So that's what's going on. I am looking for a new apartment. I've decided the space is too small. Honestly, there's so little space with my desk and the bed and this green screen, if I breathe too hard the green screen will just fall over, which... ah, it's magic. Don't be scared, don't be scared, it's not real magic, it's just technology, it's not real magic. Okay. Why don't we get into it, because I think we've got a lot to talk about today, a lot of good stuff with our guest this week, Sake Blok, a longtime SharkFest Wireshark expert. He's got a lot that we're gonna talk about. He's got this escape room game that just blew my mind the first time I saw it.

Happy to say that I was in the inaugural SharkFest that it came in, and my team won. I'm not saying it was me. This is the SharkFest where you were limited to two beers, so I was going around trying to find extra beer, if you guys remember that one. So, without further ado, we're going to jump into it. Let's hope I pressed the right button and everything goes smoothly. Ladies and gentlemen, welcome Sake Blok! [Applause]

All right, Aaron too, yay! I picked a shirt at random in my... well, not totally random, I mean, I have a stack that I haven't worn yet, as I've talked about on this show, I've been working my way through the shirts. I grabbed this one, next one, I popped this one off the stack, our SharkFest '17. What you got? Look at that, great minds, great minds. There will be debates: were we coordinated? Yeah, yeah. The background music is still on, that's true, but it should be fairly soft. Is it too loud? Let me know in the chat. Okay, so here we are, we're gonna talk about Wireshark and packets and TLS and things. So let's start as we do with our guests. How did you... well, first question. I hear lots of people pronounce your name different ways. How do you pronounce your name?

It's actually Sake. Sake. Yeah, a little flavor to it. Sake, yeah. Not soccer. But no, I listen to all kinds of variations, because it's no use trying to... The fun one was, I was sitting in at your presentation, I think it was in the Europe one in Estoril, the first one, and you were doing your stuff, and I kind of did something, probably prepare the presentation or anything, and then I heard like "cycle block" in the speaker, like, what is he talking about me? And then it turned out we were talking about the SACK block.

It must be my accent. Yeah, it sounds very similar. So yeah, fair enough, fair enough. Well, I'm glad we got that out of the way. Everyone please take note. I'm sure I could ask the same question to a number
of folks that we have on. So let's start. How did you... what does your career path look like to get to the point where you're a packet head, Wireshark guy?

Well, where did I start? Plus, back in 1933? Yeah, all right. Yeah, well, I'm not that old. My grandfather... yeah, no. My father, he's doing something different, but he's doing analysis too, so in a way we are doing the same kind of job, looking at stuff, analyzing it and then trying to draw conclusions, so that's nice. But for me it started... actually, it started not in my first year, because then I was working at an ISP and I had never heard of packet analysis. So for me it started when I was working for a large bank in Holland, and I needed to troubleshoot some issues, and they had Sniffer Pro, and... Sniffer or Cisco switch probes or something like that to analyze the Token Ring infrastructure that was still there. And I got fascinated by looking at the packets and really seeing what's going on on the network, right, like everyone probably does. And then one day this colleague of mine, looking at Freshmeat, saw Ethereal, or "ethereal", depends on how you pronounce it.

Yeah, like this, yeah, I'm that old.

Yeah, all right. So he showed me Ethereal and I downloaded it and I installed it on my laptop, and wow, I was just blown away, like, okay, I can look at packets on my own laptop. So that was first. I was able to filter on all kinds of fields that you weren't able to filter on with Sniffer Pro, because you can only filter on specific data, specific offsets. So I was immediately taken, like, this is going to help me a lot. So I was using that a lot on the problems that I needed to analyze, and then I left that bank and went to work for a reseller. He sold the load balancers and firewalls to this bank, and so I was called in a lot for troubleshooting for this customer and also other banks and other customers in Holland, and while doing that I was missing features.

So yeah, what do you do? What do you do? I mean, clearly you just go on Twitter and complain or whatever, or wait, Usenet, and complain, right?

Yeah, Twitter was not there yet. Well, I joined the mailing list, of course. I think it was back in 2006 I turned to the mailing lists, and I started answering questions. I'm not sure if I ever asked questions, but I started answering questions, got blown away by Guy Harris twice, that what I answered was not complete. So that really triggered me into, okay, whenever I'm answering a question it needs to be Guy-proof.

That's a good rule. That's just a good rule for life, I think. Make your life Guy-proof. Guy Harris is a core developer, right?

Yeah, he's a core developer. He's retired, he worked at Apple, and he's very meticulous. Whenever you ask a question he first corrects your question and then starts answering the corrected version.

I love it, I love it.

So twice he corrected my answer, or completed it more or less, and I thought, okay, if this is the level of expertise in this group I need to step up my game a bit. And yeah, I started really investigating. Whenever I was answering a question I started investigating it properly, so whenever I did give an answer it was complete and he wouldn't complain. So that helped me a lot actually, because that's how I really turned into a troubleshooter and a researcher, like, okay, what is really going on here? And you learn really a lot by answering somebody else's question that way.

Yeah, for sure. If you can explain it then you know. Here's to you, buddy. Plenty of times, like, I mean, I get something and then I have to explain, I go, oh wait, no, I don't. So is that how you started tinkering with Wireshark itself, the code, or how did you get into that gig?

Yeah, well, as we were having lots of traffic over a load balancer where we have an X-Forwarded-For field on the back end, I needed to match sessions on the front end and the back end, and there wasn't a field X-Forwarded-For in the HTTP dissector. So at first I thought, why not ask for it, and then I thought, well, this is open source, how hard can it be? Let's see if I can find it out myself. So I downloaded the source code, created a Linux development machine, compiled my first Wireshark, it worked, yay. And then I started looking in the source, like, okay, where can I find the code that does the HTTP dissector? So I browsed around the source code, found the HTTP dissector, looked at how it worked, or at least looked at how other fields were dissected, and then I discovered that... well, I can't remember, it's like 13 years ago, but there was a certain pattern that I recognized, okay, this is pretty easy, I just have to add a couple of lines of code, right, and it will do it for me. So I did that, it worked, and I sent it in, and then somebody complained, like, okay, there's so many HTTP fields, why would we need this one? Oh no, it's not gonna work. I said, well, because this is this. Oh, okay, I agree. And then it was added, and that gave a very nice feeling, because that was the first contribution to open source that I did.

Yeah. Did you have a background in programming, or was this just on an as-needed basis?

I have a background in hobby programming, so I don't call myself a programmer. I'm a very intelligent copy-and-paster.

Yeah, that's me all the way.

So yeah, I wrote that little piece of code, and then at another customer I encountered some Multiple Spanning Tree packets of the pre-standard, or the Cisco standard, that was the pre-IEEE standard, I'm not sure if it's actually, but at least the standard came afterwards, and Wireshark wasn't dissecting it properly, or Ethereal at the time, I think it was still. So I wrote the dissector for that, added it, and off I went, like, oh I'm missing this, oh I'm writing it, oh I'm missing this, oh I'm writing it, right. And then the bad part was that I was using Wireshark, or Ethereal, on my Windows laptop and I was developing on my Linux laptop, so whenever I built a feature I couldn't use it on my laptop, because it needed to be in the automated build system first. Back then we were having the system that you send in your patch through the mailing list and then somebody needed to pick it up. Well, that took like a couple of days every time, and so I started reminding, like, hey, I sent this patch, okay, please add it. So probably they got annoyed by that and asked me to join the core team because they didn't want to be bothered with my whining anymore.

Oh, okay. So my next question was, well, if you look there are hundreds of names of contributors to Wireshark. My name is in there, I'm proud to say, I guess my only contribution to open source. But how do you go from that to core developer? It sounds like if you just annoy them enough, or what does that look like?

Well, I've seen other people being added over the years, of course, and it's mostly that somebody is, in a certain time frame, sending a lot of patches that are good quality-wise, that are helping the project further, and you see a certain momentum at that person in contributing, and it's nice to acknowledge that and invite them to the team, like, hey, you're doing precious work for the team, let's do it a little more inside.

Yeah. I'm sure you're not allowed to talk about it, but the induction ceremony, were there robes, candles, or special t-shirts? [Laughter]

Definitely can't talk about it.

Yeah, that's fair. Okay, so let's talk about, as I mentioned at the top in the intro, the pcap escape. I know it's got a very cool name. Speaking it, it reads better than it sounds. It's just "escape" with an extra P. Yeah, so
you know, I assume people are familiar with escape rooms. I've only done it like once, but you're thrown into a room, maybe you have an initial clue, but you just stumble around onto different clues, you don't know if you're doing it in the right order, but the point is to get to the end goal of escaping the room. How does that... what does this look like? How does it work? Is that similar?

Yeah, kind of. Well, there's a couple of things that are similar. Of course you're not escaping any room, so it's not really an escape room, but I see a tendency in the escape room world as well that there's lots of challenges that are called escape rooms, or references to escape rooms. They're just time-based challenges with puzzles. I think that's the main characteristic of an escape game. And the fun part is that once a game is timed there's a stress level that's like a screen in front of your way to think, so that gives a certain feeling to a challenge. And the first one that I built, I really put a lot of effort in that one, and I put a lot of effort in every one, but since it was the first one I had to build the website for the scoring system also, and so there was a lot of work involved. And I was looking, like, okay, how can I make challenges in a pcap file, what can I do? And the first one was actually more escape-room-like, because I created a chessboard with letters on it, so there was a picture that you needed to download and you needed to combine it with data from ping packets. And there was, well, the one that you like the most, and actually I think that's still the most beautiful part of any of those, is the text inside the Stevens stream graph.

Yeah. So for people who don't know, the Stevens graph is just graphing the bytes over time, or the sequence number over time, right? So normally we're looking at it as throughput. You want to see a line sloping up and to the right. If it dips, if it has gaps, we use it to troubleshoot throughput. But you managed to manipulate the sequence numbers in such a way that it spelled something out, I think.

Yeah, right. Oh, it was amazing.

Yeah, the fun part is that normally it's like a monotonously increasing line, because the sequence number never drops, right.

Right, and you have retransmissions too, I guess, to make that picture.

Yeah, but since it's plotting sequence numbers across time, so plotting y values over x, you can use the timing and the sequence numbers to... right, yeah, you could just put it anywhere in the picture. It should be in the middle.

Yeah. Is there a pcap museum already? Well, if we ever have SharkFest back at the one in Mountain View, the Computer History Museum, we'll print it out and tape it somewhere. Yeah, pcap museum. So nobody will know what it is, like, this is the date in the ground, what is the portal. So you're looking through, you're finding clues, you're given a pcap. I think one of them was finding a VoIP stream and listening to the audio that gave you another clue, and that unlocks the next step and the next step, until ideally you unlock the last one in the time frame. I know no one in the first one made it all the way through in the time that we had. Since then you've done it a few times. Has someone made it all the way through?

Yeah. The first one, we actually gave extra time and then still people didn't finish. Whenever I have these ideas I get carried away, like, oh, this is nice, and I can do this and this and this, and then since you're in the process, it feels that it's not difficult, but if you look at the puzzle from another point of view, it is difficult. So I needed to adjust my enthusiasm into, like, okay, don't make it too difficult, get some extra hints in. And I'm not sure whether I did that for the first run, but I did like a test run with a company here in my neighborhood. They're a networking company, so they're pretty good on... they're good at networking, but they don't analyze pcap files that much, so I use them as a reference. Okay, if they can find it, then it's okay. If they have problems with it, at least I know where to put hints in and stuff.

So I mean, we're talking about something that I guess very few people have had the opportunity to experience. Is this something you think... because I think it's, one, it's just fun, it's a good team building exercise, it's a good event thing to have, but also just for training and getting better. People like puzzles, people like those kinds of things, and you really have to use a lot of your analytical skills and things in Wireshark you might not have used before. Is it something you think could be done on a wider basis? I mean, I guess it takes a lot of work on your end.

Yeah, it's been on my mind to create a training program that uses these kind of challenges as study material.

Yeah, I endorse that.

Now it seems like too much to do, but... We all know that, we all know that.

So, probably yeah. Well, let's start to ease into encryption, TLS. Obviously we're going to talk about the class that you have coming up prior to SharkFest. But you have obviously an interest. Is this just something that your career has taken you in the direction of, that you have to look at these kinds of problems a lot, or do you just have a personal interest?

Yeah, I think it was one specific project here, when I was working for this reseller. We had the Dutch healthcare system, they wanted to have a patient dossier for everyone, and the way that was built is that at a central location they put a switchboard, and whenever one medical employee, one doctor, needs some information about this patient from another hospital, then the request comes into the central point and goes forward to the information system in the hospital that has the information. So they were building this up, and it needed TLS, or SSL, because I don't think TLS was there yet. They needed SSL connections to secure all the traffic, and they asked our company to build a system, because there were like 20,000 healthcare institutions that need to be addressed, and you don't want to administer 20,000 healthcare institutions, so you need to have a system that does that automatically, that you can get information from a certain healthcare information system without having to configure that. And we did it first with one vendor, and then we ended up using F5 Networks equipment with a scripting language. And when I started the project I knew nothing about SSL. The only thing I knew was, hey, it encrypts stuff. I didn't know there was authentication in it, I didn't know that there was a CA involved, I knew nothing. And in that project I really went from A to Z, like, how does TLS work, or how does SSL work, and since we needed to tune into the nitty-gritty stuff of SSL, that taught me a lot about SSL. And in 2009, circa 2009, the second SharkFest, I presented on how to analyze SSL with Wireshark.

Right, and that presentation has been referenced quite a bit because it was the first extensive online video of how SSL works and how to troubleshoot it with Wireshark. Sure. So I mean, things have obviously changed over the years, then versus now. I know that you've been able to decrypt traces with a private key, you've been able to do it with session keys if you configure the browser. Are all those things still relevant? Can we still use them? Or is the end of that being useful coming up, with changes
in encryption?

Well, the end of usefulness for using private keys to do decryption is coming up, because even with TLS 1.1 or 1.2, at least, you should be using 1.2 at the moment, or 1.3, but with TLS 1.2 you're still able to use RSA key exchanges, which means that the keying material is encrypted with the public key from the certificate, which means you can decrypt it with the private key belonging to the certificate. And the problem is, if you have a capture file of 10 years ago and you somehow find the private key that the server was using at that time, you can still decrypt the traffic from 10 years ago, and that's something you want to prevent. That's where perfect forward secrecy comes in, and that's when you don't use the public key from the certificate to encrypt the key material, but you use a Diffie-Hellman key exchange, and that means that only one of the two endpoints is able to decrypt the traffic, because those have the key material to derive the session keys. So in the future, if you want to do decryption, you need to have the session keys, because TLS 1.3 doesn't allow any RSA key exchange anymore. So whenever we move to 1.3, the RSA key exchanges are gone, no use in using private keys anymore for decryption. So yeah, but as long as you get the session keys from either the server or the client, then you're able to decrypt. But that's something that's a challenge for every vendor that needs to do decryption, it's a challenge for every web server to provide us those keys. There will be challenges.

Sure, sure. Okay, well, what are you going to be covering in your class on TLS troubleshooting?

Well, I think there's two parts of troubleshooting TLS traffic. The first part is setting up a proper TLS channel, like making sure that you're connected. And especially, like if you're going to a bank, you don't authenticate yourself, so you just authenticate the bank and that's it, and that pretty much always works, and people don't have problems with that. But as soon as you start to do mutual TLS, where you have to present client certificates, people get confused, because you have a certificate on one side, you have a certificate on the other side, then you have the trust store on one side, the trust store on the other side, and those are all closely connected. So people get confused. And then you have, like, is a certificate still valid, is it revoked or not, are we using a compatible set of cipher suites, are TLS versions compatible, all those kinds of things. They can prevent a connection or make a connection go bad, or not come to completed phases. And that's part one of what I'm gonna teach in the class: okay, how do you troubleshoot the connection setup. And the second part of the class will be, once you have a good connection, what if you need to analyze the application data inside the connection? So how do you decrypt the traffic, or what can you do in analysis of the traffic when it's not decrypted? Because you can see the packet sizes, you can see repeating patterns, and so there are some things you can do even when the traffic is still encrypted. But of course it's much better if you can decrypt. So I'm going to teach how to decrypt based on the private key, as it can still be useful, but most importantly how to decrypt using session keys and how to get to those session keys in certain specific situations.

Yeah, and more and more things are encrypted, I mean, this knowledge and skill set becomes more and more relevant and valuable.

Yeah, and it's good that there's a tendency towards privacy. Like in TLS 1.3 the certificate that's being exchanged is in the encrypted phase of the connection, so you can't see the certificate anymore. So, like in TLS 1.2 and earlier you can see the certificate, so you know what certificate the site is using. In TLS 1.3 it's in the encrypted phase already, so you can't see it. And there's only one part that is not encrypted, and that's the Client Hello, and in 1.3 by default it still has an SNI, a Server Name Indication, which means it tells the server, I'm trying to get to this site, please present me a certificate for this specific site. Right. And a lot of devices, like next-gen firewalls, can filter on that SNI field, whether a site is allowed or not. And now there's also work being done to encrypt even that field, so from a privacy standpoint, from a user standpoint, nobody will be able to see where you're going except for the site that you're going to, which is a good thing privacy-wise. Troubleshooting-wise and management-wise for enterprises, that's a good challenge.

Okay, it's a challenge, yeah. Well, do you want to switch over and show us some packets and talk about some of this, or profiles?

Yeah, I can do that.

All right, I think we're already set up and good to go. Let's take a shot and see if this works.

I had some problems with showing my screen and not having my CPU overloaded, but I think I'm doing okay now. So, what this actually is, well, of course it's Wireshark, for people that don't recognize it, but this is the first part of the pcap challenge from last year. I built it in two parts. One part you could already do during the conference, and the second part you needed to do at the actual event, the evening event. And the first part was something that was... because there was a sponsor that had long-term capture devices, and they sponsored the pcap challenge, so we made sure that there was something on their box, and so people needed to extract it from the box first, so they have a little bit of extra exposure that way. So this was the first part of the challenge. So you get a pcap file, and the only thing that you know is you need to extract a QR code from
this. So a QR code is a two-dimensional barcode, and that's somewhere hidden in this file. So the thing is, okay, once you have this file, how do you proceed to get that information out of this file? And I'm not sure this will work, because the first step that I always take when I'm doing Wireshark analysis is... let me move this window out of the way. The first thing I always do is look at when was this capture taken, like looking at capture properties. I'm not sure whether this shows on the screen, probably not.

No, it doesn't show, I guess. No, we just see this main window.

Yeah, okay. Well, I usually look at Statistics and Capture Properties, because there can be comments in the file. Not many people are using comments. I encourage people to use more comments. And then you see them in the properties.

How do you know... where do you put a comment? Like, if I want to put a comment on a packet, where do you put that in the capture properties?

Or you can, like, here on the status bar, you have this little document with the pencil. That's a comment for the file as a whole, not per packet. You can also add per-packet comments, and they will also be shown in the capture file properties. I think there needs to be... I'm not sure if there's an enhancement request for that already, but there needs to be a pop-up, well, people hate pop-ups, there needs to be some kind of message to the user that the file has comments, so the user will look at it.

That makes sense. If only we knew a developer.

Yeah, maybe there's one. Yes, let's check. No, I need to... I haven't developed much. I think I did like two or three patches in the last couple of years, so I need to do stuff myself again. But we moved to C++, we moved to Gerrit, we moved to Qt instead of GTK, at least for the GUI code, it's C++ now. So for me it's like a big... yeah, I need to spend some time, and hopefully I can do those things myself again and add those kinds of things. But okay, let's... the second thing I would do if I get a capture that I don't know what the contents are is look at the protocol hierarchy, and for this file it will show you that it has some DNS, some mail and some TLS traffic. So that's interesting. And the other part that I look at is conversations, because then you see who is communicating with whom and what protocols. Well, I can't show you that, because the screen share doesn't work that way. But since I know that there's email traffic, let's first start with the email traffic and see what's in there.

So you looked at the protocol hierarchy under Statistics and you saw there was email traffic, so you're gonna have a look at that.

Yeah, because I know email is unencrypted and the HTTP traffic was encrypted, so for me, like, okay, start with the unencrypted stuff and see what happens.

Right, port 25 SMTP, unencrypted. Okay.

Yep, exactly. And actually you see that I have a profile selected, my TCP profile. It shows the three-way handshake, it shows it in green for the SYN packets, and I have the blue on the green for the SYN/ACK, and I have grayed-out packets for bare ACKs, so I don't get distracted by them that much.

That's a good... I don't know if I've seen people use that one too much, but I think that's good, because there's so much data in the bare ACKs. Many times, if you're doing this long enough, you skip over them anyway, but this would help you at least on a visual basis kind of focus in on things that really matter. Yeah, that's a good tool.

Yeah, and I have the blue for FINs and red for resets, so there's a couple of colors. I have a couple of filter buttons that you can use, but it's really interesting, buttons can be really helpful. Like, if I clear the screen, or clear the filter, and I still go back to the first packet, and I... oh, let's... oh, this is introspective. Let's see what the whole stream is. I just click on the button "stream" and it will look at that stream for me instead of doing Follow TCP Stream and then clicking away. There we go.

You know, it's funny, I was talking with someone recently on a Zoom and walking him through this, and I typed that in to show him how to do it, and just to verify for myself, and it didn't work for me, but it worked for him. I didn't know if it was a bug in mine or a bug in my head, but anyway, this is a great button filter.

Yeah. So actually, when I talk about profiles, if you really want to know more about profiles, go to Betty's pre-conference class before SharkFest, because she's doing a whole-day class on creating the perfect profile.

That's right. Yeah, you get out of it, right, buddy? The perfect profile.

Yeah, exactly. Well, the perfect profile for anybody, because my perfect profile is not your perfect profile. That's the first lesson of profiles: create your own profiles, and create profiles for different tasks. Like, for this task I'm not looking at all the sequence numbers etc., so I'm gonna just skip to my default profile, because that's a little less messy, and I can just use my keyboard shortcuts too.

Oh, by the way, there's a link below the video, I've got the keyboard shortcuts sheets. I usually hand them out at SharkFest, but since we have a virtual SharkFest this year I can't hand them out, which is a shame, but next year probably I will be handing these out again. But for now you can just download it and print it out yourself if you want to. They're all the keyboard shortcuts, and I'm trying to familiarize myself with using them, because it can certainly make your troubleshooting more efficient.

So okay, well, let's go back to the TLS traffic, sorry, the mail traffic. So I'll click on one mail packet. I have a button
here again for the tp stream equals tcp stream and actually i do want to do follow this stream here because i want to look at the content of this um stream oh again this will not show on your screen no it will not pop up so yeah we're using a mac is that so no it's because i that's because i selected because it i selected like this particular window because uh during the test i selected the whole screen and that didn't work very well so this is why i just do it like this well um in the stream you will see um the mail packets uh there's a there's an attachment in it so it's better to use like file export objects you can just export the whole email file imf internet mail format i think it's uh abbreviation for so whenever i do that i get a pop-up again you won't see it and then i can say i can save the email to my system and if i open that email it has a little bit of text uh of course the text of the email and there's a pdf and then i open the pdf and it's password protected well that's that's what how these games work everything that you do there's a password on the zip file there's a password on the pdf and you need to find the password so right but just to recap that piece of it you found the smtp stream you right click follow tcp stream you know so you can see what what's in there on the data and then you can go under file and you can export the objects that are in that smtp stream and one of those is an attachment which is a pdf well actually you you say you save the whole email so you get a mine based email file and you can open it in your email brow email program yeah and then you will see the pdf and some of them say oh you save it as a just the email file open an email program okay we're giving away all the secrets to escaping the room but but it's good tips yeah well these are tips not only for these kind of yeah like if you're handling stuff and and somebody's complaining like the mail's not working properly you can use these these tools as well that's 
that's what i like about creating these challenges is i want to not only create a fun experience but i also wanna um because i do hints as well and i walk around when the game is running and whenever people are struggling i give them tips on how to do stuff on how to use wireshark i don't give away clues for the game but i i teach them how to use wireshark at the same time i heard i heard that with enough beer you were bribable is that is that true i can't comment on that there's not enough beer all right fair enough i'm jake i'm drinking water uh yeah actually actually it's it's like almost eight o'clock in the evening here so i was doubting should i have a beer because it's not a beer time yeah but then like it's for you in the morning and this video will be west all on the old time zones and and later it will be bought at different times and maybe it's not so nice to dream beer while doing the presentation so i'm doing i'm getting a beer afterwards all right so um so this is the first part like you that you okay you get you extract the pdf you you you so now you know you need the password so so where can i find the password well there's the tls traffic so let's see so maybe if i do tls there's a very simple tls conversation and actually i usually don't have name resolution on but for by accident i do have main resolution so you see that this is something that goes to www.passwordrandom.com and that's the site that creates random passwords so hey i need a password there's a site that creates passwords maybe those are connected maybe not who knows but the problem is the data is encrypted how can i view what password was generated by this site i can't based on on this traffic but maybe something is hinting like where can i find the uh the password so there was like if you look at the tcp streams i can do like psp screen equals zero actually if i start with two i go backwards this was the email one was the the tls traffic and zero is something else on port one three 
three seven well people that are in the security business they they are immediately triggered by one three three seven not sure if you are but 137 yeah that's leads and that's usually the backdoor it's a backdoor to a system and if you look at the ip address 172.666 that's a little fun for my part it's like an evil system so this probably does something evil and let's and tcp.length greater than zero let's look at only the data packets and if i go through them normally i would show like the follow tsp stream but here yeah even xor ls min 1 instruction pdf message europe next year yes so kilo file is key hey there's something oh yes yeah you're triggered like sso keylog file is the file that that firefox and chrome users to uh store session keys to the session keys and like we discussed earlier tsp session tli session keys are the ones that you need to do decryption hey since we went to passwords password generating site with dls maybe and the session key for this session is saved in in this file somewhere so if you look at the rest of the command it's a curl command and curl has been like a cube compiler yourself i don't i don't think the the standard version does it already but if you compile uh curl yourself with the ssl open ssl library and you enable the slp doc file um feature then it will look at the sock log file environment variable and store all the session keys in this file so based on this uh what you can see is it's retrieving a password from the site and it puts that into the file password okay so again that's the echo and there's a lot of things happening and so now we're like a couple layers deep right we got we got a um a pdf which is password protected we went and found some activity that maybe is password related we go to that it's that you know there's then there's ssl now we need a session key so we're kind of like we're keep pushing pushing task onto the stack that we're going to have to then pop off later so now exactly now we're chasing ssl 
uh key keys right that word yeah yeah exactly and well if you if you look at the yeah i can try to no let's let's not do that because they will probably end up uh hitting each other um the yeah if you look at the the follow tsp stream you see all the commands that were given and one of the commands was to uh you you and c or the base 64 encodes the the session key from the uh the chassis log file and put it in uh an email header like you have in the email text you have like a headers like the subject the date the recipient and there's also the possibility to add extra headers and and there's an x minus secure something header that i created so now you need to go back to the uh to the email so let's do tcp con things and i think it was like secrets this is but this is like case sensitive so i need to so tcp contains what is that searching the tcp payload it will search actually i think we'll search the whole tcp protocol including the header including the header okay yeah i think it was secret i think it was secure no okay and that's maybe contains x minus that that you work yeah so let's see this is in the uh here in the email you see that there's uh here x-men secure oh there's see yeah and there's the base64 encoded um if you look at the the lead session the the the reverse shell you can see that that this is actually should be the base64 encoded entry for the uh the session key so you can now use like if i go to i'm not sure whether you will see right click information probably not no i don't think so um if you right click on this field you can do show packet guides and then in that window of show packet bytes you can select the part that's base64 encoded you can decode it with two normal text and then you will see the recession key if you saved it to a file and let me just do that [Music] show picket bytes you're not seeing this but i'm just going to extract you're extracting those bytes uh yeah that is that header to just to a file on your machine yeah i'm 
going to extract it to a file so save as let me see where's my window there it is i'll do here tls.key save close and now when i go back to tls tls and now i'm going to put in the protocol preferences which you probably don't see next time we need to do this differently because this is fair enough well so what you're doing so you what you found there was a key yeah we followed this trail we're trying now we're trying to go back and decrypt the the password to the pdf exactly we follow this track well actually we don't know if it's a password to the pdf well right we don't know we're going to decrypt the the tls traffic and as you can see i added the key and now you can see that there's a hp query on top of or below the tls so the decryption works and if i look at the response then i will see that here is some random string which is probably the password that was uh created by this this website right and that actually it is true this is the password to the pdf file so so the the yeah the fun part for me is like um you create several elements in the pcap file and people need to find the relationship between those elements combine them and then they find something and if you put this into the pdf file you get a qr code and the qr code gives you access to the second level of the game right i mean this is you know this is excellent this touch is sort of everything about right i mean we're talking you have to understand what's happening in the package you need to understand protocols you need to understand how to find things you know if you're doing a security yeah malware you know this is great practice for that is i've never done a ctf but is this sort of in the spirit of a ctf um type no competition not really no no not really they're like i've done a couple of ctfs well i tried a couple of cts because i'm not the security i like security information security things but i'm not good at it and i'm not yeah it's not my expertise but um i tried a couple of gtf's and 
usually there is one or two challenges with the pcap file and those i can solve every time because the level of expertise needed for those challenges is usually not that much it's usually find some base64 encoded data and then just base base64 decode it and then you have the the flag so it's not really right interesting so this is certain around pcaps so yeah yeah yeah and and usually the ctfs on on a security event are reverse engineering uh some cryptology uh some more web traffic that you need to hack into either by i don't know by uh sql injection or well all the normal on the normal escape or the um yeah okay so uh what is there so something else you want to show us here we'll kind of spend a few more minutes here and then we'll maybe switch over to some q a but i can i can i can i can load well i know i can't load up because i don't need to uh no i can't yeah i can load up the file that has the uh um uh the password in the stevens graph oh yeah maybe you can do it later and uh take a screenshot and put it on twitter okay people can see that work of art what i can show is how the packets are being built up like you can see that that the delta times are very strict like four milliseconds yeah for every backup and there's uh i think actually some packets have the same timestamp and then when you browse downwards you you will see like a whole block that has retransmission because now i'm putting the sequence number back to something that was already there and i see the timestamps are all the same so i'm putting different packets on the same timestamp so they will be stacked up in the in the stream graph and that's how how this yeah uh this graph was created right i mean yeah this makes sense you would use steven's graph since we already established you were old um yeah there's a joke for han song as he said uh i you know no regrets i'm making that comment back in the day but um i just want to do point out that the point is steven's graph versus tcp trace same 
thing applies to the profiles right you when you're starting out well it's for the use case right it's it's the use case what you're trying to accomplish more data is not always better no of course and um yeah i only use a tcp trace uh stream graph i don't use the stevens one right uh but steven yeah stephen is the one that first thought of okay let's plot the sequence of mercury across time and uh have an idea of what the tcp session is doing and then tcp trace extended on that and added some more data into the graph which makes analysis a lot easier so yeah and there's an actually go yeah actually in the current version of wireshark if you use the stevens one uh it's been changed there's there's more information in it now um and so the graph doesn't show up as as nicely as it does in the uh speed trace one so yeah yeah but i'm i'm i will uh i will post tweet references a video and that would be very cool there's there's one above it's not in wireshark it's a separate tool i think it's paid for i don't remember what it's called so i'm sure someone knows what it is in the chat or maybe you know um i think maybe just one person wrote it but it's it's tcp trace on super duper steroids um i'm sure it has i've never used it but i've seen videos i've seen some screenshots of it i'm sure it has an incredible learning curve um but it uh yeah you mean is it net data that sounds right that sounds right yeah i think it's called net data it's a guy from australia that made it and but it's a commercial product it's pretty expensive yeah is it okay i've just seen this yeah it's a it's subscription based because i look at it because it i think it can do a lot but for my one-man shop because i yeah i have my own troubleshooting uh company um yeah it's a one-man shop i i'm not able to buy that license uh so yeah fair enough no i like i said i as a fan of that tool i mean that if anyone has watched any of my performance videos i mean like third step is to go to tcp trace and uh and 
to use it and so i i saw a video where a guy had used it to solve a problem i was just like blown away at the amount of information in there but anyway um okay so [Music] let's um yeah i think we're done with wireshark yeah i mean uh so folks oh there is oh phillips story hi philip he says there is a free version that he can provide um maybe we need to get phillip on here to to give us a a walk through of net data yeah if there's a free version that would be cool um philip i don't know if i have your if if we're on twitter or anything but if you want to send me an email uh carrietpackabomb.com that would be great let's go back to um all right folks so uh we've got i hope you enjoyed hearing about um the the pcapp thing and the you know the the it covers the full range of skills um it's really fun and you know i i don't know if you know obviously we probably won't be doing anything like that at shark fist this year but there's always the future and maybe maybe at some point uh there'll be some sort of way to to to get that from you and work and work with you on that you know as the training tools you know if you have a if you have some training opportunities in the future uh i think that that would be a fantastic portion actually yeah actually i've used in some trainings that i gave that i uh as the end at the end of the second day i gave them the i think a challenge from 2018 and they uh yeah people like it to do it right yeah it's fun actually for for the virtual starfish i'm setting up a ctf oh so okay yeah i'm uh exploring the ctf platform um because we want to combine like the individual package challenges with the group challenge more or less so we we're going to have challenges in in a ctf kind of format um that people can do during the event and then uh yeah there will be prices more or less prizes prices fun prizes um okay well guys if um please if you have questions first um saka please put it in the the chat i've got one to kick off with uh this was a 
question that came up i was talking to someone uh if i'm looking for a particular protocol and i know wireshark supports it but i've got a big pcap i'm not sure you know how to find it maybe i don't even know the port name or whatever it is what i'm trying to understand is i know a dissector will tell wireshark here's my display filter string so tls is tls right that one's easy some of them aren't intuitive or you know the the protocol name is three words long is there a place you can go or a place you can look to determine what the display filter is for each dissector yes this almost sounds like a trust for the a team right there you go i poked around i didn't i mean i looked in a couple of places in the preferences i didn't see it um actually yeah what's your i watched your video that you did wednesday what's it this morning yeah and you asked that question in this video so i put it on on discord i gave you an answer already oh you did i missed it yeah yeah the actual the the the answer is you can do the t shark you can do t sharp minus capital g and then vertical and then it will show you all the protocols with all the names and you can graph on it or you can put it in whatever okay there you go folks t-shark is well worth everyone's time to learn the basics of it's a powerful tool you know you can do a lot of a lot of very cool stuff with shark i think you've done some command line stuff at shark fest in the past um yeah so it was my first circus presentation was on command and stuff and i repeated that over the years like i changed the format a little bit but uh yeah it's been there are several uh presentations and videos of me doing that yeah okay yeah and so and and if people want to see more of your content like that um the retrospectives right go to sharkville's website go to the retrospectives look look for you in the last few years they've been really good about putting videos of everyone i think you back up three or four years the video availability is 
hit and miss but um yeah you know or just or just go to the what i assume they're all on youtube right if you go to shark fest youtube channel search your name on the channel that they'll find they'll find every video that sharkfest has of you and of course don't miss are we doing are we doing the live doctors we i mean we have the technology should we do a the doctors are in for the shark fest this year yeah i like yeah i like those settings the best when i'm at sarcastic for the people that don't don't know it it's um it's putting picats like like myself and jasper and and christian and chris and hansen on stage and then giving giving the audience the opportunity to drop an uh picket found and and just look at them freshly and what we used to do with jacques is we don't tape it because there can be sensitive information and so people need to make sure that the audience is able to see it but it's not like on internet um this time because it's it's virtual and sessions will be recorded yeah and people can record the session themselves we can't use any pkp files from from customers yeah so we're discussing how to do that but the the thing that we're uh that i suggested or that we discussed already was why not create picket files or anonymized pico files in such a way that there there's nothing um pointing back to a customer and then um one guy gives the other one or one person gives the other person uh if you could follow okay this is new to you go let's see what you yeah yeah what what what everybody needs is is how do i start where do i start when i get a new file and when whenever you see a shark first presentation on how to analyze something the analyst has looked at it for like a thousand hours before and then with the top of the iceberg like hey this is what i found right this is how i found it but it's not the actual process of how to come to that conclusion that is that's a very good point i mean i think we all talk about how it's like a cooking show we walk 
you through the recipe but at the end of it we just bring the casserole out of the oven and show it to you but this is an opportunity to really see what that process looks like when you're looking at something fresh for the first time and you know you you you chase red herrings dead ends you you talk about your process so it's it's uh yeah so uh i mean jasper has confirmed that we're going to do it i mean you guys please bring me in um i'm happy you know to help either host uh as the live or or to do the hosting on the virtual side because i can have multiple people in here right now and we can easily share screens back and forth anyway bring me in if you guys want to talk about how to pull off the we will that part of it yeah uh find the chart kerry mentioned on twitter oh so we may already have are the okay yeah so phil story's got the chart on twitter uh all right and spoiler alert um next i guess coming up very soon it's gonna be uh our good friend jasper coming soon to you on the live stream so anything else um we're we're moving to get lab on sunday everyone so just be aware how does that affect the um okay so wiki and bugs will be in a different different location i did see some chatter on the mailing list about sorting out some wiki things um oh there's a very important question in the chat from simon i'm not sure if you can see the chat i'll let you read it well i don't see a question from simon it's probably way back okay no it just hit it says when was the last time you ass bombed a jacuzzi full of people simon simon asking the hard-hitting questions yeah okay well i know i know one person that's not amused by that question all right all right so i understand you guys have a barbecue coming up must be nice to get together with your friends i don't know what that's like um please enjoy your yeah if if all the regulations sound like in holland we have an increase in cases of go fit so there's uh i hope i can still go to germany and like it's in three weeks 
time or so so you're in in the netherlands uh harlem right next to amsterdam is that right yeah that's right yeah very cool one of my favorite cities to visit for sure there beautiful um all right so folks there are links in the description below this video probably i mean again i've only used this this the first time using this dashboard and everything's different about it it'll go better next time uh but links to saki and his stuff are there in the description sign up for his wireshark course on tls uh that's as we've discussed an important thing to know about going forward uh and i believe if you're in a class then you're guaranteed attendance to the currently full waitlist only sharkfest conference that's true yeah it's an extra bonus yeah all right well uh thank you so much for coming on sharing your expertise and knowledge with everyone it's very much appreciated um i will we'll wrap this up i'll hop in the chat see if there's anything we missed and we'll see everybody next time thank you yeah thanks for having me carrie all right see you next time my so [Music] [Music] [Music] foreign
Info
Channel: PacketBomb
Views: 755
Id: UmL5KunyfYE
Length: 67min 38sec (4058 seconds)
Published: Fri Aug 21 2020