Chapter 6: Protocol Analysis and Network Programming
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
Networking Theory and Practice
• Open Systems Interconnection (OSI) defines the standard 7-layer protocol stack
• In practice only the lower 4 layers are analyzed as separate protocols (the TCP/IP model folds session, presentation and application into one application layer):
  • Physical (Layer 1)
  • Data Link (Layer 2)
  • Network (Layer 3)
  • Transport (Layer 4)
• The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3
Frequently Encountered Network Protocols
• IEEE 802.3 Ethernet protocol (L2)
• IEEE 802.11 wireless protocols, commercially known as Wi-Fi (L2)
• Address Resolution Protocol (ARP) (L2)
• IP Version 4 (IPv4) (L3)
• IP Version 6 (IPv6) (L3)
• Internet Control Message Protocol (ICMP) (L3)
• User Datagram Protocol (UDP) (L4)
• Transmission Control Protocol (TCP) (L4)
Network Protocol Analysis
• Wireshark decodes the headers of well-known protocols automatically; decoding by hand is still needed when no dissector exists for a protocol, or when the analyst must verify what a dissector claims
• Each frame (L2) or packet (L3) has a header and a payload
• Layers nest by encapsulation: the L3 packet is carried as the payload of the L2 frame, so the L2 header comes before the L3 header and any L2 trailer (e.g. the Ethernet FCS) comes after the packet
• Likewise the L4 segment (header plus payload) is carried as the payload of the L3 packet
Address Resolution Protocol (ARP) and Layer 2 Analysis
ARP Frame
Internet Protocol (IP) Analysis
Internet Control Message Protocol (ICMP)
User Datagram Protocol (UDP) Analysis
Transmission Control Protocol (TCP) Analysis
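To make the encapsulation described above concrete, and to show what the ARP, IP, ICMP, UDP and TCP analysis slides decode, here is an added example (not code from the book or its slides) that walks a raw Ethernet frame by hand with struct: L2 header, then the L3 packet it carries, then the L4 segment inside that. It also verifies the IPv4 header checksum the way an analyst would when a dissector flags a frame as bad. The two frames, and the MAC and IP addresses in them, are constructed inline for this example rather than captured from a network.

```python
"""Manual L2/L3/L4 decoding of Ethernet frames (added example, constructed input)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def inet_checksum(data):
    """RFC 1071 ones'-complement sum; over a header that includes its checksum field it yields 0."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Walk the encapsulation: L2 header -> L3 packet -> L4 segment -> application payload."""
    out = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["l2"] = {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}
    packet = frame[14:]                       # everything after the L2 header is the L3 packet
    if ethertype == ETHERTYPE_ARP:
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
        off = 8
        sha, off = packet[off:off + hlen], off + hlen
        spa, off = packet[off:off + plen], off + plen
        tha, off = packet[off:off + hlen], off + hlen
        tpa = packet[off:off + plen]
        out["arp"] = {"op": "request" if oper == 1 else "reply",
                      "sender_mac": mac(sha), "sender_ip": ipv4(spa),
                      "target_mac": mac(tha), "target_ip": ipv4(tpa)}
        return out
    if ethertype != ETHERTYPE_IPV4:
        out["l3"] = {"unknown_ethertype": ethertype}
        return out
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, s, d) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4                   # header length in bytes (options make it > 20)
    out["l3"] = {"version": vihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
                 "src": ipv4(s), "dst": ipv4(d),
                 "checksum_ok": inet_checksum(packet[:ihl]) == 0}
    segment = packet[ihl:total_len]           # the L4 segment is the L3 payload
    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, offset_flags, window = struct.unpack("!HHIIHH", segment[:16])
        data_off = (offset_flags >> 12) * 4
        flags = offset_flags & 0x1FF
        out["l4"] = {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
                     "payload": segment[data_off:]}
    elif proto == IPPROTO_UDP:
        sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
        out["l4"] = {"proto": "UDP", "sport": sport, "dport": dport, "payload": segment[8:length]}
    elif proto == IPPROTO_ICMP:
        typ, code, csum = struct.unpack("!BBH", segment[:4])
        out["l4"] = {"proto": "ICMP", "type": typ, "code": code, "payload": segment[4:]}
    return out


# Constructed frames for the example: addresses are made up, not captured traffic.
SRC_MAC = bytes.fromhex("66778899aabb")
DST_MAC = bytes.fromhex("001122334455")
SRC_IP = bytes([10, 10, 100, 5])
DST_IP = bytes([10, 10, 100, 100])


def build_ipv4_tcp_syn():
    """Ethernet + IPv4 + TCP SYN to port 22, with a valid IPv4 header checksum."""
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill in the checksum field
    return eth + ip + tcp


def build_arp_request():
    """Broadcast ARP request: who has 10.10.100.100, tell 10.10.100.5."""
    eth = b"\xff" * 6 + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + SRC_MAC + SRC_IP + b"\x00" * 6 + DST_IP
    return eth + arp


if __name__ == "__main__":
    for frame in (build_arp_request(), build_ipv4_tcp_syn()):
        print(decode_frame(frame))
```

Flipping any header byte (for instance the TTL at frame offset 22) makes checksum_ok come back False, which is exactly the "Header checksum: incorrect" condition an analyst has to judge in Wireshark, where checksum offloading on the capturing host produces the same symptom for legitimate outbound packets.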
Network Programming: Bash
• Bash is the default command line shell on most Linux and Unix systems
• Each user's login shell is set in the /etc/passwd file
• Network programming means running network commands from a script, either typed as a one-liner at the command line or saved in a script file
• During penetration tests we frequently encounter raw shells (that do not even support backspace) where only one command line can be submitted at a time, so one-line loops are valuable
• Use network programming to build security tools such as ping sweeps and banner grabbers (a banner is the text with which a service identifies itself)
• Network programming remains a rare but very useful skill among security pros
Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes
• Count duplicate lines and sort the counts in reverse numerical order (uniq -c only merges adjacent lines, hence the first sort):
  # sort /tmp/alertIPs | uniq -c | sort -nr
• Append both standard output and standard error to a file (2>&1 must come after the file redirect; mount is given a bogus argument here so that it writes an error to stderr):
  # mount error >> log.txt 2>&1
• Command sequence (; runs each command regardless of the previous one's result):
  # echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~
Linux/Unix Bash for Basic Network Programming
• Ping an IP: sends one ICMP echo request and waits up to 2 s for the echo reply
  # ping -c1 -w2 10.10.100.100
• To ping an address range, i.e. a sweep, loop over the host octet (brace expansion does the counting, no echo needed):
  # for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
Linux/Unix Bash Network Sweep: Packaging a Script
• Package the ping sweep in a script file with Ctrl-C abort (define the handler before the trap that names it):
  #!/bin/bash
  bashtrap() { echo "Bashtrap Punt!"; exit; }
  trap bashtrap INT
  for i in {1..254}; do ping -c1 -w2 10.10.100.$i; done
• Use $1, $2, $3, ... for command line arguments ($# is their count)
• Use an if statement for conditionality, e.g. default the network when no argument is given:
  if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
Linux/Unix Bash Network Scanning using While
• Read host octets (one per line) from a hosts file and scan each with nmap (-O needs root; --reason shows why each port was classified):
  #!/bin/bash
  bashtrap() { echo "Bashtrap Punt!"; exit; }
  trap bashtrap INT
  if [ $# -eq 0 ]; then network="10.10.100"; else network=$1; fi
  while read n; do echo -e "\nSCANNING $network.$n"; nmap -O -sV --top-ports 9 --reason $network.$n; done < hosts
Bash Banner Grabbing
• Connect to each port on each host with netcat and print whatever the service says first; an empty line is piped in so that line-oriented services answer. The outer loop reads hosts, the inner loop reads ports, each from its own file:
  #!/bin/bash
  function t { echo -e "\nExiting!"; exit; }
  trap t INT
  if [ $# -eq 0 ]; then network="192.168.1"; else network=$1; fi
  while read host; do
    echo -e "\nTESTING $network.$host PORTS..."
    while read port; do
      echo -n " $port"
      echo "" | nc -n -v -w1 $network.$host $port
    done < ports
  done < hosts
Windows Command Line Scripting
• In the Windows command line the concepts are very similar to Bash
• Use the .bat suffix for script (batch) files
• Batch file arguments are %1, %2, %3, ...
• Loop variables are written %%h inside a batch file (and %h when typed interactively at the prompt)
• for /L iterates through numbers (i.e. counting)
• for /F iterates through a set, a command's output, or the lines of a file; it works like a while read loop in Bash
Windows Command Line: Standard IO, Pipes, and Sequences
• Example standard IO and pipes (sort /r sorts in reverse order):
  C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt
• Command sequence (&) runs the next command unconditionally; conditional (&&) runs it only if the previous command succeeded, so the mapped share is always deleted but SUCCESS is printed only when the logon worked:
  C:\> net use \\10.10.100.100 passw0rd /u:testuser && echo SUCCESS & net use \\10.10.100.100 /del
Windows Command Line: Network Programming using For /L
• Ping sweep: a live host is one whose reply line contains TTL= (the pattern "byte=" never matches because Windows ping prints "bytes=", and "Reply from" also appears in "Destination host unreachable" replies):
  set network=%1
  for /L %%h in (2, 1, 255) do @ping -n 1 %network%.%%h | find "TTL=" >nul && echo Host at %network%.%%h
Windows Command Line: Password Attack using For /F
• Try each password in pass.txt against one account over SMB; "delims=" keeps a whole line as the password even if it contains spaces, and the loop variable is %%p throughout (a bare %p is never expanded inside a batch file):
  set ipaddr=%1
  set usertarget=%2
  for /F "delims=" %%p in (pass.txt) do @net use \\%ipaddr% %%p /u:%usertarget% 2>nul && echo PASS=%%p & net use \\%ipaddr% /del
• Every failed attempt counts toward the account lockout threshold, so check the policy first (net accounts, or net accounts /domain) before running a long list against a real account
Python Scripting
• Programming languages fall into categories, from command line shells (Bash, Windows CLI) to interpreted scripting languages (Python, Ruby) to compiled languages (C, C++, C#)
• Categories differ in how many lines of code a capability needs; a typical multiplier between adjacent categories is 8
• Lower-level languages give more detailed access (raw sockets, memory) and faster execution, at the cost of more code
• Python's advantage is that it is highly portable and has an extensive standard library
Python Programming for Accelerated Network Scanning
• One thread per host, each running a single 1 s ping. Every ping blocks until the reply or the deadline, so 64 of them in parallel finish in roughly the time of one, about 60X faster than a serial sweep:
  #!/usr/bin/env python3
  import subprocess
  import time
  from threading import Thread

  start = time.ctime()
  print(start)
  scan = ["ping", "-c1", "-w1"]   # one echo request, 1 s deadline (Linux ping flags)
  LAST_HOST = 65                  # scan .1 through .64

  class PingThread(Thread):
      def __init__(self, ip):
          Thread.__init__(self)
          self.ip = ip
          self.status = -1        # -1 until the ping has finished
          self.output = ""

      def run(self):
          # run ping and capture its output; exit code 0 means a reply arrived
          result = subprocess.run(scan + [self.ip], capture_output=True, text=True)
          self.status = result.returncode
          self.output = result.stdout

  threadlist = []
  for host in range(1, LAST_HOST):
      ip = "192.168.85." + str(host)
      current = PingThread(ip)
      threadlist.append(current)
      current.start()             # all pings now run concurrently

  for t in threadlist:
      t.join()
      print("Status from", t.ip, "is", "up" if t.status == 0 else "down")
  print(start)
  print(time.ctime())
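The same threading idea carries over from ping sweeps to the TCP connect scan and banner grab that the Bash section did with nc. The following is an added example, not the book's code: it probes a port list with a bounded thread pool (connect() blocks per port, so the work is I/O-bound and parallelises well) and records whatever each open service says first, poking it with a newline if it stays silent. So that it runs offline, start_fake_service() starts a constructed listener on 127.0.0.1 that greets with a made-up SSH-style banner; against a real target you would pass its address and a real port list to scan().

```python
"""Threaded TCP connect scan with banner grabbing (added example, local constructed target)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return (port, is_open, banner). Closed or filtered ports come back as not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256)              # many services speak first (SSH, SMTP, FTP)
            except socket.timeout:
                banner = b""
            if not banner:                        # silent service: send a newline like `echo "" | nc`
                try:
                    s.sendall(b"\r\n")
                    banner = s.recv(256)
                except (socket.timeout, OSError):
                    banner = b""
            return port, True, banner.decode("ascii", "replace").strip()
    except (ConnectionRefusedError, socket.timeout, OSError):
        return port, False, ""


def scan(host, ports, workers=64, timeout=1.0):
    """Probe all ports concurrently; return {port: banner} for the open ones only."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, is_open, banner in pool.map(lambda p: probe(host, p, timeout), ports):
            if is_open:
                results[port] = banner
    return results


def start_fake_service(banner=b"SSH-2.0-Example_1.0\r\n"):
    """Constructed stand-in for a self-identifying service on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                    # port 0: let the OS pick a free one
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Reserve and release an ephemeral port so the example has one that is almost certainly closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port = start_fake_service()
    for port, banner in sorted(scan("127.0.0.1", [open_port, free_port()]).items()):
        print(f"{port}/tcp open  {banner!r}")
```

The worker count bounds concurrency rather than spawning one thread per port as the ping scanner does; against a /24 times a port list that is the difference between a few hundred sockets and tens of thousands, and the timeout is what keeps filtered ports from stalling the whole pool.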
REVIEW: Chapter Summary