Network-Based Attacks

Course Topic Overview

Network Attacks

  • Service related
  • Man in the Middle (MITM)

Packet analysis

Labs

Learning Objectives

Describe network attacks.

Identify network traffic.

Perform analysis on captured traffic.

Perform Man-in-the-Middle attack.

Lesson Overview

What is a Network-Based Attack?

Network Services

  • ARP
  • DHCP
  • SMB
  • FTP
  • Telnet
  • SSH

Network-Based Attacks - Part 1

1
2
ip a
inet 192.112.112.2/24
1
nmap 192.112.112.0/24 -sn
1
nmap 192.112.112.1-4 -A

File->Save as->pcapng

View->Name Resolution->Resolve Physical Addresses

View->Name Resolution->Resolve Network Addresses

View->Name Resolution->Resolve Transport Addresses

View->Colorize Packet List

View->Coloring Rules

Capture->Options

Statistics->Protocol Hierarchy

Statistics->Conversations, check Name resolution

Statistics->Endpoints, check Name resolution

Statistics->HTTP

Time column, Right-click->Edit Column

View->Time Display Format->Seconds Since Beginning of Capture, the most common is UTC Date and Time of Day

Tshark

What version of TShark do we have:

1
tshark -v
1
tshark -h | more
1
2
3
Capture interface:
-i <interface>  name or idx of interface (def: first non-loopback)
-D              print list of interfaces and exit

Take an input from a file. If we had saved a PCAP or a PCAP NG, we can look at it with -r.

1
2
3
Input file:
-r <infile>     set the filename to read from (- to read from stdin)
-z <statistics> various statistics, see the man page for details

What interfaces can we interact on.

1
tshark -D

We’re not sudoer or root.

1
tshark -i eth0
1
2
ls
HTTP_traffic.pcap
1
2
tshark -r HTTP_traffic.pcap
tshark -r HTTP_traffic.pcap | wc -l

-z: statistics.

io,phs: protocol hierarchy.

1
tshark -r HTTP_traffic.pcap -z io,phs -q

入门:Tshark

概述

Tshark是 Wireshark 团队创建的命令行工具,与 Wireshark 共享强大的解析引擎。它能够完成我们喜欢 Wireshark 的大多数事情,但具有“从命令行”的优势。这使其成为流量分析任务的批量分析、离线处理和日常自动化的理想选择。在本课程中,我们将探索其中的许多功能。假设您具有 Wireshark 和流量分析的基本工作知识。我们在 Pentester Academy 上创建了关于 Wireshark 的详细课程。在这一系列实验中,我们将教你如何有效地使用 Tshark!那么,让我们开始吧! 问题: A组:

  1. 实验室安装的是哪个版本的 Tshark?
  2. 查找所有 Tshark 支持的网络接口进行监控
  3. Tshark 嗅探 eth0 的命令是什么?为什么这个命令失败了?

B组:

  1. Tshark 支持 PCAP 文件。实验室环境有一个示例文件:HTTP_traffic.pcap。如何在 Tshark 中读取此文件并在控制台上显示数据包列表?
  2. 怎样才能找到 HTTP_traffic.pcap 中的数据包总数?
  3. Tshark 命令仅从 HTTP_traffic.pcap 读取前 100 个数据包?
  4. 打印 HTTP_traffic.pcap 中的协议列表

解决方案

此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-1.pdf

tshark

wireshark

我自己的思路

Tshark is a command line tool created by the Wireshark team and shares the same powerful parsing engine as Wireshark. It is capable of doing most things we’ve come to love Wireshark for, but with the “from command line” advantage. This makes it ideal for batch analysis, offline processing and routine automation of traffic analysis tasks. In this course, we will explore many of these capabilities. It is assumed you have a basic working knowledge of Wireshark and traffic analysis. We have created a detailed course on Wireshark on Pentester Academy. In this series of labs, we will teach you how to use Tshark effectively! So, let’s get started! Questions: Set A:

  1. Which version of Tshark is installed in the lab?
1
2
3
4
-h|--help
Print the version and options and exit.
-v|--version
Print the version and exit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
student@attackdefense:~$ tshark -v
TShark (Wireshark) 2.6.1 (Git v2.6.1 packaged as 2.6.1-0ubuntu2~16.04.0)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.48.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.7.1, with LZ4, with Snappy, with libxml2 2.9.3.

Running on Linux 5.4.0-125-generic, with AMD EPYC 7642 48-Core Processor
        (with SSE4.2), with 96566 MB of physical memory, with locale C, with
libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8,
binary plugins supported (13 loaded).

Built using gcc 5.4.0 20160609.
  1. Find all Tshark supported network interfaces for monitoring
1
2
3
4
5
6
-D|--list-interfaces
Print a list of the interfaces on which TShark can capture, and exit. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i option to specify an interface on which to capture.

This can be useful on systems that don’t have a command to list them (UNIX systems lacking ifconfig -a or Linux systems lacking ip link show). The number can be useful on Windows systems, where the interface name might be a long name or a GUID.

Note that "can capture" means that TShark was able to open that device to do a live capture. Depending on your system you may need to run TShark from an account with special privileges (for example, as root) to be able to capture network traffic. If tshark -D is not run from such an account, it will not list any interfaces.
1
2
3
4
5
6
-D|--列表接口
打印TShark可以捕获并退出的接口列表。对于每个网络接口,都会打印一个编号和一个接口名称,可能后跟接口的文本描述。可以将接口名称或编号提供给-i选项以指定要在其上捕获的接口。

这在没有列出它们的命令的系统(缺少ifconfig -a的 UNIX 系统或缺少 ip link show的 Linux 系统)上很有用。该数字在 Windows 系统上很有用,其中接口名称可能是长名称或 GUID。

请注意,“可以捕获”意味着TShark能够打开该设备进行实时捕获。根据您的系统,您可能需要从具有特殊权限的帐户(例如,root)运行TShark才能捕获网络流量。如果tshark -D不是从这样的帐户运行,它不会列出任何接口。
1
2
3
4
5
6
7
8
9
10
11
student@attackdefense:~$ tshark -D
1. eth0
2. any
3. lo (Loopback)
4. ip_vti0
5. nflog
6. nfqueue
7. ciscodump (Cisco remote capture)
8. randpkt (Random packet generator)
9. sshdump (SSH remote capture)
10. udpdump (UDP Listener remote capture)
  1. What is the Tshark command to sniff on eth0? Why did this command fail?
1
2
3
4
5
6
7
8
9
10
11
12
-i|--interface <capture interface> | -
Set the name of the network interface or pipe to use for live packet capture.

Network interface names should match one of the names listed in "tshark -D" (described above); a number, as reported by "tshark -D", can also be used. If you’re using UNIX, "netstat -i", "ifconfig -a" or "ip link" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.

If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and doesn’t start the capture.

Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. On Windows systems, pipe names must be of the form "\\.\pipe\pipename". Data read from pipes must be in standard pcapng or pcap format. Pcapng data must have the same endianness as the capturing host.

"TCP@<host>:<port>" causes TShark to attempt to connect to the specified port on the specified host and read pcapng or pcap data.

This option can occur multiple times. When capturing from multiple interfaces, the capture file will be saved in pcapng format.
1
2
3
4
5
6
7
8
9
10
11
12
-i|--interface <捕获接口> | -
设置用于实时数据包捕获的网络接口或管道的名称。

网络接口名称应与“ tshark -D ”(如上所述)中列出的名称之一匹配;也可以使用“ tshark -D ”报告的数字。如果您使用的是 UNIX,“ netstat -i ”、“ ifconfig -a ”或“ ip link ”也可以列出接口名称,尽管并非所有版本的 UNIX 都支持ifconfig的-a选项。

如果不指定接口,则TShark搜索接口列表,如果有非环回接口,则选择第一个非环回接口,如果没有非环回接口,则选择第一个环回接口。如果根本没有接口, TShark会报错并且不会开始抓包。

管道名称应该是 FIFO(命名管道)的名称或“-”以从标准输入读取数据。在 Windows 系统上,管道名称的格式必须为“\\.\pipe\ pipename ”。从管道读取的数据必须是标准 pcapng 或 pcap 格式。Pcapng 数据必须与捕获主机具有相同的字节序。

" TCP@ <host>:<port>" 使TShark尝试连接到指定主机上的指定端口并读取 pcapng 或 pcap 数据。

此选项可以出现多次。从多个接口捕获时,捕获文件将以 pcapng 格式保存。

student is a non-privileged user and it doesn’t have permission to capture on that device.

1
2
3
4
5
6
7
8
9
student@attackdefense:~$ tshark -i eth0
Capturing on 'eth0'
tshark: The capture session could not be initiated on interface 'eth0' (You don't have permission to capture on that device).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
0 packets captured
student@attackdefense:~$ whoami
student
student@attackdefense:~$ groups student
student : student

Set B:

  1. Tshark supports PCAP files. The lab environment has a sample file: HTTP_traffic.pcap. How can you read this file in Tshark and display the packet list on the console?
1
2
-r|--read-file <infile>
Read packet data from infile, can be any supported capture file format (including gzipped files). It is possible to use named pipes or stdin (-) here but only with certain (not compressed) capture file formats (in particular: those that can be read without seeking backwards).
1
2
-r|--read-file <infile>
从infile读取数据包数据,可以是任何支持的捕获文件格式(包括 gzip 文件)。可以在此处使用命名管道或标准输入 (-),但仅限于某些(未压缩的)捕获文件格式(特别是:那些无需向后搜索即可读取的文件格式)。
1
2
3
student@attackdefense:~$ ls
HTTP_traffic.pcap
student@attackdefense:~$ tshark -r HTTP_traffic.pcap
  1. How can you find the total number of packets in HTTP_traffic.pcap?
1
tshark -r file.pcap -R <filter> | wc -l
1
2
student@attackdefense:~$ tshark -r HTTP_traffic.pcap | wc -l
30418
  1. Tshark command to read the first 100 packets only from HTTP_traffic.pcap?
1
2
-c <capture packet count>
Set the maximum number of packets to read when capturing live data. If reading a capture file, set the maximum number of packets to read. This includes any packets that do not pass the display filter, so it may differ from -a packets:<capture packet count>.
1
2
-c <捕获数据包计数>
设置捕获实时数据时要读取的最大数据包数。如果读取捕获文件,请设置要读取的最大数据包数。这包括任何未通过显示过滤器的数据包,因此它可能不同于-a 数据包: <捕获数据包计数>。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
student@attackdefense:~$ tshark -r HTTP_traffic.pcap -c 100
    1   0.000000 192.168.252.128 ? 192.168.252.2 DNS 83 Standard query 0x55cd A g-ecx.images-amazon.com
    2   0.000096 192.168.252.128 ? 192.168.252.2 DNS 83 Standard query 0x989e AAAA g-ecx.images-amazon.com
    3   0.001097 192.168.252.128 ? 192.168.252.2 DNS 83 Standard query 0xfffd A g-ecx.images-amazon.com
    4   0.035787 192.168.252.2 ? 192.168.252.128 DNS 210 Standard query response 0x989e AAAA g-ecx.images-amazon.com CNAME d1ge0kk1l5kms0.cloudfront.net SOA ns-1553.awsdns-02.co.uk
    5   0.106961 192.168.252.2 ? 192.168.252.128 DNS 254 Standard query response 0x55cd A g-ecx.images-amazon.com CNAME d1ge0kk1l5kms0.cloudfront.net A 52.84.108.157 A 52.84.108.185 A 52.
84.108.225 A 52.84.108.136 A 52.84.108.11 A 52.84.108.71 A 52.84.108.210 A 52.84.108.100
    ...
   95   4.730055 52.84.108.71 ? 192.168.252.128 TCP 60 80 ? 60369 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
   96   4.730090 192.168.252.128 ? 52.84.108.71 TCP 54 60369 ? 80 [ACK] Seq=1 Ack=1 Win=29200 Len=0
   97   4.762558 192.168.252.2 ? 192.168.252.128 DNS 217 Standard query response 0x85f8 A d1y6jrbzotnyjg.cloudfront.net A 52.84.108.196 A 52.84.108.123 A 52.84.108.110 A 52.84.108.162 A 52.84.108.107 A 52.84.108.217 A 52.84.108.98 A 52.84.108.142
   98   4.770841  54.239.32.8 ? 192.168.252.128 TCP 2934 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   99   4.770859 192.168.252.128 ? 54.239.32.8  TCP 54 54330 ? 80 [ACK] Seq=851 Ack=23647 Win=64240 Len=0
  100   4.770889  54.239.32.8 ? 192.168.252.128 TCP 1494 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  1. Print the list of protocols in HTTP_traffic.pcap
1
2
3
4
5
6
-z <statistics>
Get TShark to collect various types of statistics and display the result after finishing reading the capture file. Use the -q option if you’re reading a capture file and only want the statistics printed, not any per-packet information.

Statistics are calculated independently of the normal per-packet output, unaffected by the main display filter. However, most have their own optional filter parameter, and only packets that match that filter (and any capture filter or read filter) will be used in the calculations.

Note that the -z proto option is different - it doesn’t cause statistics to be gathered and printed when the capture is complete, it modifies the regular packet summary output to include the values of fields specified with the option. Therefore you must not use the -q option, as that option would suppress the printing of the regular packet summary output, and must also not use the -V option, as that would cause packet detail information rather than packet summary information to be printed.
1
2
3
4
5
6
-z <统计>
获取TShark收集各种类型的统计数据,并在读取完捕获文件后显示结果。如果您正在读取捕获文件并且只想打印统计信息而不是任何每个数据包的信息,请使用-q选项。

统计数据的计算独立于每个数据包的正常输出,不受主显示过滤器的影响。但是,大多数都有自己的可选过滤器参数,并且只有与该过滤器(以及任何捕获过滤器或读取过滤器)匹配的数据包才会用于计算。

请注意,-z proto选项不同 - 它不会在捕获完成时收集和打印统计信息,它会修改常规数据包摘要输出以包含使用该选项指定的字段的值。因此,您不能使用-q 选项,因为该选项会禁止打印常规数据包摘要输出,并且也不能使用-V选项,因为这会导致打印数据包详细信息而不是数据包摘要信息。
1
2
3
4
-z io,phs[,filter]
Create Protocol Hierarchy Statistics listing both number of packets and bytes.

This option can be used multiple times on the command line.
1
2
3
4
-z io,phs[,过滤器]
创建列出数据包数和字节数的协议层次统计信息。

该选项可以在命令行中多次使用。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
student@attackdefense:~$ tshark -r HTTP_traffic.pcap -z io,phs -q

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:30418 bytes:24643014
  ip                                     frames:30413 bytes:24642732
    udp                                  frames:1882 bytes:228368
      dns                                frames:1882 bytes:228368    tcp                                  frames:28531 bytes:24414364
      http                               frames:1455 bytes:1705881
        data-text-lines                  frames:189 bytes:362230
          tcp.segments                   frames:102 bytes:259949
        image-jfif                       frames:165 bytes:444708
          tcp.segments                   frames:145 bytes:343160
        image-gif                        frames:75 bytes:44670
          tcp.segments                   frames:6 bytes:7911
        ocsp                             frames:73 bytes:62621
          tcp.segments                   frames:5 bytes:2451
        media                            frames:120 bytes:217932
          tcp.segments                   frames:79 bytes:158145
        png                              frames:61 bytes:113354
          tcp.segments                   frames:30 bytes:62520
        json                             frames:29 bytes:35164
          tcp.segments                   frames:5 bytes:7115
          data-text-lines                frames:3 bytes:1744
            tcp.segments                 frames:1 bytes:917
        tcp.segments                     frames:2 bytes:490        xml                              frames:3 bytes:3533
        urlencoded-form                  frames:2 bytes:4234
      ssl                                frames:4583 bytes:8154499
        tcp.segments                     frames:1573 bytes:4463000          ssl                            frames:1395 bytes:4069707
      tcp.segments                       frames:6 bytes:360
        http                             frames:6 bytes:360
          data-text-lines                frames:3 bytes:180
          json                           frames:3 bytes:180
            data-text-lines              frames:3 bytes:180
  arp                                    frames:5 bytes:282
===================================================================