
Chapter 6: Protocol Analysis and Network Programming
Lecture Materials for the John Wiley & Sons book:
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
July 18, 2015 DRAFT
Networking Theory and Practice
• Open Systems Interconnection (OSI) defines the standard protocol stack
  – Out of the 7 layers, only 4 are used in practice:
    • Physical (Layer 1)
    • Data Link (Layer 2)
    • Network (Layer 3)
    • Transport (Layer 4)
  – The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3.
Frequently Encountered Network Protocols
• IEEE 802.3 Ethernet protocol (L2)
• IEEE 802.11 wireless protocols (commercially known as Wi-Fi) (L2)
• Address Resolution Protocol (ARP) (L2)
• IP Version 4 (IPv4) (L3)
• IP Version 6 (IPv6) (L3)
• Internet Control Message Protocol (ICMP) (L3)
• User Datagram Protocol (UDP) (L4)
• Transmission Control Protocol (TCP) (L4)
Network Protocol Analysis
• Network protocol analysis can be performed automatically by Wireshark
  – Manual protocol analysis is outdated
• Each frame (L2) or packet (L3) has a header and a payload
  – The L3 header and payload sit inside the L2 payload, between the L2 header and trailer, i.e. L2 encapsulates L3
  – The L4 header and payload likewise sit inside the L3 payload, i.e. L3 encapsulates L4
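As an added example (not code from the book or its slides), the following Python decoder walks one constructed Ethernet frame through the L2, L3 and L4 headers that the ARP, IP, ICMP, UDP and TCP slides cover, verifying the IPv4 header checksum on the way. The sample frame, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct

def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame):
    """Peel the layers: the L2 payload is the L3 packet, the L3 payload is the L4 segment."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"L2": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}}
    body = frame[14:]
    if ethertype == 0x0806:                              # ARP rides directly on Ethernet
        op, spa, tpa = struct.unpack("!6xH6x4s6x4s", body[:28])
        out["L3"] = {"proto": "ARP", "op": op, "sender": socket.inet_ntoa(spa),
                     "target": socket.inet_ntoa(tpa)}
    elif ethertype == 0x0800:                            # IPv4
        vihl, _, tlen, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", body[:20])
        ihl = (vihl & 0x0F) * 4                          # IHL counts 32-bit words
        out["L3"] = {"proto": proto, "ttl": ttl, "src": socket.inet_ntoa(s),
                     "dst": socket.inet_ntoa(d), "checksum_ok": ip_checksum(body[:ihl]) == 0}
        seg = body[ihl:tlen]                             # drop any Ethernet padding past total length
        if proto == 1:                                   # ICMP
            out["L4"] = {"icmp_type": seg[0], "icmp_code": seg[1]}
        elif proto == 17:                                # UDP
            sp, dp, ulen, _ = struct.unpack("!HHHH", seg[:8])
            out["L4"] = {"udp_sport": sp, "udp_dport": dp, "payload": seg[8:ulen]}
        elif proto == 6:                                 # TCP
            sp, dp, seq, _, off, flags = struct.unpack("!HHIIBB", seg[:14])
            out["L4"] = {"tcp_sport": sp, "tcp_dport": dp, "seq": seq, "flags": flags,
                         "payload": seg[(off >> 4) * 4:]}
    return out

def build_sample():
    """Constructed sample frame (not a capture): Ethernet / IPv4 / UDP carrying b'hello'."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("10.10.100.1"), socket.inet_aton("10.10.100.100"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + udp
```

A corrupted header (for instance a flipped TTL byte) shows up as checksum_ok being False, which is worth checking before trusting any L3 field from a capture.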
Address Resolution Protocol (ARP) and Layer 2 Analysis
ARP Frame
Internet Protocol (IP) Analysis
Internet Control Message Protocol (ICMP)
User Datagram Protocol (UDP) Analysis
Transmission Control Protocol (TCP) Analysis
Network Programming: Bash
• Bash is a command line shell available on Linux and Unix systems
  – The user's login shell is selected in the /etc/passwd file
• In network programming we execute network commands in a script, either typed at the command line or read from a script file
• During penetration tests, we frequently encounter raw shells (that do not even support backspace) where we can only submit one command line at a time
  – Use network programming to build security tools such as ping scans and banner grabbers (i.e. collecting the strings with which services identify themselves)
• Network programming remains a rare but very useful skill among security pros
Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes
• Sorting reverse numerical
  – # sort /tmp/alertIPs | uniq -c | sort -nr
• Append to file including standard error
  – mount error >> log.txt 2>&1
• Command sequence
  – # echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~
Linux/Unix Bash for Basic Network Programming
• Ping an IP; returns ICMP response
  – # ping -c1 -w2 10.10.100.100
• To ping an address range, i.e. a scan
  – # for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
Linux/Unix Bash Network Sweep: Packaging a Script
• Package the ping sweep in a script file with Ctrl-C abort:
  – #!/bin/bash
  – bashtrap() { echo "Bashtrap Punt!"; exit; }   # runs when SIGINT (Ctrl-C) arrives
  – trap bashtrap INT
  – for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
• Use $1, $2, $3, … for command line arguments
• Use an if statement for conditionality, e.g.
  – if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
Linux/Unix Bash Network Scanning using While
• Read host numbers (the last octet) from a hosts file, one per line:
  – #!/bin/bash
  – bashtrap() { echo "Bashtrap Punt!"; exit; }
  – trap bashtrap INT
  – if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
  – while read n; do echo -e "\nSCANNING $network.$n"; nmap -O -sV --top-ports 9 --reason $network.$n; done < hosts
Bash Banner Grabbing
#!/bin/bash
function t { echo -e "\nExiting!"; exit; }   # Ctrl-C handler
trap t INT
if [ $# -eq 0 ]; then network="192.168.1"; else network=$1; fi
# hosts holds last octets, ports holds port numbers, one per line
while read host; do
  echo -e "\nTESTING $network.$host PORTS...";
  while read port; do
    echo -n " $port";
    echo "" | nc -n -v -w1 $network.$host $port;
  done < ports
done < hosts
Windows Command Line Scripting
• In the Windows command line the concepts are very similar to Bash
• Use the .bat suffix for script (batch) files
• Batch file arguments are %1, %2, %3, …
• For-loop variables in script files use the %% prefix
• for /L to iterate through numbers (i.e. counting)
• for /F to iterate through a set or file
  – Works like a while loop in Bash
Windows Command Line: Standard IO, Pipes, and Sequences
• Example standard IO and pipes
  – C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt
• Command sequence (&), conditional (&&)
  – C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del
Windows Command Line: Network Programming using For /L
• Ping sweep
  – set network=%1
  – for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "bytes=" > nul && echo Host at %network%.%%h
Windows Command Line: Password Attack using For /F
set ipaddr=%1
set usertarget=%2
for /F %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2> nul && echo PASS=%%p & net use \\%ipaddr% /del
Python Scripting
• There are various categories of programming languages, from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)
  – Categories vary by the number of lines needed to implement a capability; the typical multiplier between categories is 8
  – Lower levels provide more detailed access and faster execution
  – Python's advantage is that it is highly portable and has an extensive function library
Python Programming for Accelerated Network Scanning
#!/usr/bin/env python3
import os
from threading import Thread
import time

scan = "ping -c1 -w1 "        # command prefix; the target IP is appended per thread
max_host = 65                 # scan hosts .1 through .64

class threadclass(Thread):
    """One thread per host; status holds the ping output, or -1 if never run."""
    def __init__(self, ip):
        Thread.__init__(self)
        self.ip = ip
        self.status = -1

    def run(self):
        result = os.popen(scan + self.ip, "r")
        self.status = result.read()

threadlist = []
start = time.ctime()
print(start)
for host in range(1, max_host):
    ip = "192.168.85." + str(host)
    current = threadclass(ip)
    threadlist.append(current)
    current.start()           # all pings run concurrently

for t in threadlist:
    t.join()                  # wait for each thread, then report its result
    print("Status from", t.ip, "is", repr(t.status))
print(start)
print(time.ctime())

Threaded scanning is about 60X faster than serial scans
Review Chapter Summary