Chapter 17 - 03 - Perform Network Monitoring for Suspicious Traffic - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Module Flow

0 Understand the Need and Advantages
of Network Traffic Monitoring

Determine Baseline Traffic Signatures for
Normal and Suspicious Network Traffic

0 Perform Network Monitoring
for Suspicious Traffic

Perform Network Monitoring for Suspicious Traffic
The objective of this section is to explain how to use Wireshark to perform network monitoring
and analysis. It describes how to use Wireshark for monitoring and analyzing File Transfer
Protocol (FTP) traffic, Telnet traffic, and Hypertext Transfer Protocol (HTTP) traffic.

Module 17 Page 2039 EG-Council
Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Wireshark
-"-.,
& P
*
Q wireshark is a widely used network sniffer for
network monitoring and analysis [« m 4 @ MIIRTE QeunEF §
OQ ItIt captures and intelligently
intelligently browses the traffic on a
trafficon LT ‘E.. FillaxToglBar,
network

018,10 LINE, 120
B3 AD,50, 140,197
HJ lu10,10,30.18
10,3016 \L& p.
B3 16,10.10,10 um:w::
90,100, 162 ch 3 [ b |m;rlumn|1
Aok nl ul 1020 l Lan
M3 16.10.10.70 n72 1) (512 ] C Wine1054
3024 Lansh
Lahed |s 412100393082
Tvals3030082 Thec
T
»FCA
Fram 08 un lyl A an) wlie (mu {1y My III
e h nflh‘un‘u T captured[lml
1088 BILs)
B1L0) on
o0 Intar
dnlarfice
fac 8
» Ethermt
Ethermmt 31,31, 4 Microsol
i 5313017 (0 n| I l Ricreaof
reaot 53150
53130800e (W0:15:34183:30i0)
||ll‘ll'\-l.ll."‘lll
i" on 4, rc: 30,10,S 1009, it HET
4
Mo byt
bytes (3} PacketDetals
fl Panal
Iald Ged
1nlg Elfl (BP0 CU, 10N
:!’l(l C1a, IEND MetoIgT)
NetoICT) RacketiDetails Rane!
‘.
IO 6
068 00 R 20 45
OCECC)
W altve
allve o
i.
o \ 6108R
e20 61 a-Centro 1 waxene
[ n u 20 6 a dr u u ©F 0 6a 343 20 40
db 1476 gonbe:Of dpinihte
guese:Or Lgin: Racket Bytes Panel
Panel
TN TTIT € TH TH TS 2300 04 i
Upisrwee eyt t
0 fe 72 63 6) 7% 02 65 M 026 le!nu-cmeimv
" fl"""lnNHN uuwuuuuu estar 10 Conten
O F
7 WP Contart-Lungth baister
NI Contant-Lungth baistor (N,
(N1p. Content_ogeh
Costent_ngeh haadeel, 7424 lmu
bptos Packets 945 - Dsplayud
Packets: DXspliyd 948
945 G000%)
(1000%) velibe Dulialt
Welib: Dottt
hetps.//www. wireshark.og
wireshork.org

Copyright ©© by
Copyright by All
All Rights
Rights Reserved.
Reserved. Reproduction
Reproduction IsIs Strictly
Strictly Prohibited
Prohibited.

Wireshark
Source: https://www.wireshark.org
Wireshark is a packet sniffer that can be used for network troubleshooting to investigate
security issues and to analyze and understand network protocols. It can exploit information
passed in plain text.
= Features
Wireshark has a rich feature set that includes the following:
o ldentify poor network performance due to high path latency.
Identify
o Locate internetwork devices that drop packets.
o Validate the optimal configuration of network hosts.
o Analyze application functionality and dependencies.
Optimize application behavior for best performance.
O

Analyze network capacity before application launch.
O

Verify application security during launch, login, and data transfer.
O

Identify unusual network traffic indicating potentially compromised hosts.
o

= Prerequisites for network packet capture
Setting up Wireshark to capture packets for the first time can be tricky. The following
are a few common problems that are encountered while capturing packets with
Wireshark for the first time:
o Special privileges are required to start a live capture.

Module 17 Page 2040 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

o] The correct network interface must be chosen to capture packet data from.

o] Network packets should be captured at the correct location in the network to view
the desired traffic.
= Wireshark network analysis activities

Capturing live network data is one of the major features of Wireshark. The Wireshark
capture engine enables security professionals to perform the following:

o] Capture from different types of network hardware such as Ethernet and 802.11.

o] Stop the capture based on different triggers such as the amount of captured data,
elapsed time, or number of packets.
o Simultaneously show decoded packets while capturing is in progress.

o] Filter packets to reduce the amount of data to be captured.
o Save packets in multiple files during a long capture.

o] Simultaneously capture from multiple network interfaces.
= First network packet capture using Wireshark

To capture packets using Wireshark, first install and launch the tool on the target
network. Select the appropriate network interface to capture traffic from. The following
are the steps to start capturing packets with Wireshark:
1. Double-click on an interface in the main window.

2. An overview of the available interfaces can be obtained using the Capture Interface
dialog box.

3. Start a capture from this dialog box using the Start button.

4. A capture can be immediately started using the current settings by selecting Capture
-» Start or by clicking the first toolbar button.
5. If the name of the capture interface is known, Wireshark can be launched from the
command line through the following command: $ wireshark -i eth0 —k

Module 17 Page 2041 Certified Cybersecurity Technician Copyright © by EC-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

The Wireshark
The Wireshark Network Analyzer e- CLE
0o x
File
'Eile Edit
Edit View
View Go
Go Capture Analyze
Capture énalyze Statistics
Statistics Telephony
Telephony Wireless
Wireless Tools
Tools Help
Help

AR e mNRR
dusomNRE e =EFs0E
Qes*=zF s QAT
Faaali

]
[i|AppIyn a display
(MTApply display filter
filter... =3 -] Expression...
=3 -] +

Capture...using this filter: [[ [ [Enter..using Enter a capture filter ~ | |All interfaces shown ~= |

fi.
ocker0
!OCEQTO
veth0Sa3dbf
veth05a3dbf
vethb6531e0
:gt\?ba
O ca?df f b—
—— Netwo
Netwokk:
Interfaces
br-8ab3cbeSaa2a
br-8ab3cb eSaa2a Interfaces
AL UL A
veth31391ed
veth31391e4d ——
Sc
vethel7bcSc
vethel7bc
veth5aB889ds
veth5a889d8
veth172de8e
veth172de8e
vethc41b1f9
vethca1b1f9
vethc2482d9
vethc2482d9 |
veth98d0697
veth98d0697 |-
any -
Learn
User's Guide - Wiki - Questions and Answers - Mailing Lists
You are running Wireshark 2.6.6 (Git v2.6.6 packaged as 2.6.6-1~ubuntul6.04.0).

7 Ready to load or capture No Packets Profile: Default

Figure 17.1: Wireshark Network Interfaces

*etho —= L
File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help

AR O mNRE QesEFE_
SIS =S AQAQE
QAQQT
f 4 , P e [ a e. —

ABdeom R Jem»EF
(W [Rpply a display
[i”\p;;])’ display filter
filter..... -] Expression.. +
No. Time Source Destination Protocol Lengtt Info j&a

-o.16,
SR.10.16. yslog
slog 5 1. Sep |
3 0.600296296
0.000290296 10.10.10.1
16.10.10.1 10.10.16.16 Syslog
Syslog 181 LOCALO.INFO: Sep 19 1.
4; 0.600291896
8.909291896 10.160.10.1
10.10.10.1 10.10.10.16
10.10.16.16 Syslog
Syslog 181 LOCALO.INFO: Sep 19 1.
5 0.309229630.309229630 10.10.10.16
10.10.10.16
10.1 10.10.16.79
10.10.10.79 UopP
uop 255 64410 -~ 1514 Len=213

3. 008 46.10.10.
0.10.10..10.16.
0.10.10.16 0g
0g 5
OCALO.INFO: T SepSep 19
8 1.000364763
1.600364763 10.10.10.1 10.10.10.16 Syslog 175 LOCALO.INFO: Sep 19 1.
9 2.000736625 10.10.10.1 10.10.10.16 Syslog 175 LOCALO.INFO: Sep 19 1.
10 2.000756825 10.10.10.1 10.10.10.16 Syslog 175 LOCALO.INFO: Sep 19 1.
11 3,001198487
3.001198487 10.10.10.1
10.10.10.1 10.10.10.16 Syslog
Syslog 175 LOCALO.INFO: Sep 19 1.
12 3.001217587 10.10.10.1 10.10.10.16 Syslog 175 LOCALO.INFO: Sep 19 1. ||
» Frame 1: 175 bytes on wire (1400 bits), 175 bytes captured (1460
(1400 bits) on interface ©
» Ethernet II, Src: Microsof_53:39:3d (00:15:5d:53:39:3d), Dst: Microsof_53:39:47 (00:15:5d:53:39:47)
vvwww

» Internet Protocol Version 4, Src: 10.10.10.1, Dst: 10.10.10.16
» User Datagram Protocol, Src Port: 514, Dst Port: 514
» 69,,,12000,hnd,match,block, in,4,0x0,,128,653€
Syslog message: LOCALO.INFO: Sep 19 16:59:00 filterlog: 69,,,12000,hno,match,block,

‘4 »»
15 5d 53 39 47 06
00 15
15 5d 53 39
3 3d 08 60
60 45 00 +]S9G- - )S9=-
©]S9G- ]89=--E-E- -|a
al 6d
@d Oe 60
00 00 40 11 45 1a ©Ga Ga Oa 01
61 @a fa sesrerf)
cocosffs Broveenn
Eecoce.
10 62 02
62 62 62 660 8d d6 53 3c 3133 34 3e 53..o $8
70 20 31 39 20 31 36 3a 3539 3a 30 30 20 66 ep 19 16 :59:00 T
6c 74 65 72 6¢c
6¢c 6f 67 3a 20 36
67 3a 3 39 2c 2c 2c 31 ilterlog
1ilterlog : 69,,,1
30 30 30 2c 68 6e 30 2c 6d 61 74 63 68 2c 62 2000,hn® ,match,b
2000,hnO
6f 63 6b 2c 69 6e 2c 34 2c 30 787 30 2c 2c
2¢ 31 lock,1n,
lock,in, 4,0x0,,1
38 2c 36 35 33 30 38 2c 30 2c 6eGe 6f 6e 65 2c 28,65308 ,0,none,
37 2c 75 64 70 2c 37 38 2c 31 39 32 2e 31 36 17,udp,7 8,192.16 |'
2e 30 2e 39 36 2c 31 39 32 2e 31 36 38 2e
2¢ 30 8.0.96,1 92.168.0 olo

© 7 wireshark_eth0_20190919165858_50GI1D.pcapn¢ Packets: 161 - Displayed: 161 (100.0%) Profile:
Profile: Default

Figure 17.2: Capturing Traffic

Module 17 Page 2042 Certified Cybersecurity Technician Copyright © by EC-Council
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Wireshark components

*etho —
|File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help pfi- MenujBar,

Amde mN R QewEF s = QQQ I === Tool8ar
+
(W[Apply a d emm— FEilter-Tool!Bar. -] Expression...
No. Tim Source Destlnnhon “Protocol Lengtt Info
] / 2 Win=24
- 0.10.10.79 6 A 0 l.en "'~' e.
78 3. 10.10.10.79 216, 58 203 163 66 49836 443 [ACK] Saq 1 M: Win= 1024 Len=0 TSval= 59908134 TSecr=,
79 3..10.79 216.58,203.163 66 49834 - 443 [ACK Win= 1024 Len 0 TSvu 59908134 T! Cr=.
¢ 1t 70 A
& F'anel =
1n=1024 Len=0 vn = 9
0,/ P A ] 1 seqme 4004. ACk=Z ¥
0.90.189. vi. 8 Appiication Data. 40.90.189.152 10.10.10.16 TLSvi.2 180 Application Data. 10.10.10.16 40.90.189.152 TCP 54 1552 - 443 [ACK) Seq=75 Ack=127 Win=1026 Len=0. 10.10.10.79 172.217.166.42 TCP 66 47270
‘ T T AT - 443 [ACK Seq=1 Ack=1 Win=1024 Len=0 TSval=2380393692 TSec.

» Frame 96: 1321 bytes on wif‘o (10568 bits), 1321 bytes cnptfired (10568 bits) on interface &
» Ethernet II, Src: Microsof_53:39:77 (©0:15:50:53:30:77), Dst: Microsofr_53:39:8e (00:15:50:53:39:8¢e)
w« Internet Protocol Version 4, Src: 10.10.10.79, Dst: 10.10.10.16
0100.... = Version: 4.. 0101 = Header Length: 20 bytes (5) Racket|DetailsPanel
» Differentiated Services Field: ©x00 (DSCP: CSO, ECN: Not-ECT)
Total Length: 1307
“

0080 61 Gc 69 76 65 od OA 43 6f 60 74 6 alive:.
(LEIRNOS Oe 6/ 74 OB 3a 20 36 37 35 4 nc
| 0 6d 61 78 20 6:| e-Contro max-
67 65 3(1 30 Gd Ba ar 72 69 67 69 Ge 3a 20 68 74 ge=0.-0r 1gln ht Packet(Bytes Panel
74 70 3a 20 20 77 77 77 2e 6C 75 78 75 72 79 74 tp://www.luxuryt
72 65 61 74 73 2¢ 63 6r 6¢ Od ©a 55 70 67 72 61 reats.co m--Upgra
64 65 2d 49 6e 73 65 63 75 72 65 20 52 65 71 75 de-Insec ure-Requ
65 73 74 73 3a 20 31 0d Oa 43 6f Ge 74 65 Ge 74 ests: 1. -Content

(O 7 HTTP Content-Length header (http.content_length_header), 21 bytes Packets: 945 - Displayed: 945 (100.0%) Profile: Default

Figure 17.3: Wireshark components

The main menu of Wireshark contains the following items:

= File: This menu contains items to open and merge, capture files, save, print, import and
export capture files in whole or in part, and quit the Wireshark application.
= Edit: This menu contains items to find a packet, time reference, and mark one or more
packets. It handles configuration profiles and sets preferences.
= View: This menu controls the display of the captured data, including the colorization of
packets, font zoom, display of a packet in a separate window, and expanding and
collapsing of the packet tree details.
o Colorize packet list: This option allows security professionals to control whether
Wireshark should colorize the packet list. Enabling colorization slows down the
display of new packets while capturing and loading capture files.
o Coloring rules: This option allows security professionals to color packets in the
packet list pane according to the filter expressions of their choice. It can be very
useful for spotting certain types of packets.
o Colorize conversation: This menu item brings up a submenu that allows the color of
the packets to be changed in the packet list pane based on the addresses of the
currently selected packet. This makes it easy to distinguish packets belonging to
different conversations.

= Go: This menu contains options to navigate to a specific packet including a previous
packet, the next packet, the corresponding packet, the first packet, and the last packet.

Module 17 Page 2043 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

= Capture: This menu allows the security professionals to start, stop, and restart capture
and to edit capture filters.
o Capture filters: This option allows security professionals to create and edit capture
filters. Filters can be named and saved for future use.

= Analyze: This menu contains items to manipulate, display and apply filters, enable or
disable the dissection of protocols, configure user-specified decodes, and follow a
different stream including TCP, UDP, and Secure Sockets Layer (SSL).

o Follow TCP stream: This option displays all the captured TCP segments that are on
the same TCP connection as a selected packet.
o Follow UDP stream: This option displays all the captured UDP segments that are on
the same UDP connection as a selected packet.
o Follow SSL stream: This option displays all the captured SSL segments that are on
the same SSL connection as a selected packet.

= Statistics: This menu contains options to display various statistic windows, including a
summary of the packets that have been captured, display protocol hierarchy statistics,
10 graphs, and flow graphs.

= Telephony: This menu contains options to display various telephony-related statistic
windows including a media analysis, flow diagrams, and display protocol hierarchy
statistics.

= Wireless: This menu shows Bluetooth and IEEE 802.11 wireless statistics.

= Tools: This menu contains various tools available in Wireshark including the creation of
firewall access control list (ACL) rules and use of the Lua interpreter.
o Firewall ACL rules: This tool can be used create command-line ACL rules for many
different firewall products, including Cisco 10S, Linux Netfilter, OpenBSD and
Windows Firewall. Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and
IPv4+port combinations are supported. It is assumed that the rules will be applied to
an outside interface.

o Lua: This tool includes options that allow security professionals to work with the
built-in Lua interpreter of Wireshark. Wireshark uses Lua to write protocol
dissectors.
= Help: This menu contains items to help the user, including access to basic help manual
pages for the various command-line tools, online access to some webpages, and the
About Wireshark dialog.
= Main toolbar: The main toolbar provides quick access to frequently used items from the
menu. This toolbar cannot be customized by the user. If the space on the screen is
needed to show more packet data, then the toolbar can be hidden using the View
menu. As in the menu, only the items that can be used in the current program state will
be available. The others will be greyed out.

Module 17 Page 2044 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

= Filter toolbar: The filter toolbar allows security professionals to quickly edit and apply
display filters.

= Packet list panel: This panel displays a list of packets in the current capture file. It colors
the packets based on the protocol. Each line in the packet list corresponds to one packet
in the capture file. If a line in this pane is selected, more details will be displayed in the
Packet Details and Packet Bytes panes.
* The default columns show the following:
o No: This column shows the number of the packets in the capture file. This number
does not change, even if a display filter is used.

o Time: This column shows the timestamp of the packet. The presentation format of
this timestamp can be changed.

o Source: This column shows the source address of the packet.
o Destination: This column shows the destination address of the packet.
o Protocol: This column shows the protocol name in the abbreviated form.

o Info: This column shows additional information about the packet content.

= Packet details panel: This panel displays the details of the selected packet. It includes
the different protocols making up the layers of data in this packet. The protocols and
fields of the packet are displayed using a tree, which can be expanded and collapsed.
Layers include the frame, Ethernet, IP, TCP, UDP, ICMP, and application protocols such
as HTTP.
= Packet bytes panel: This panel displays the packet bytes in a hex dump and American
Standard Code for Information Interchange (ASCII) encodings. For a hex dump, the left
side shows the offset in the packet data, and the middle of the packet data is shown in a
hexadecimal representation. On the right, the corresponding ASCIl characters are
displayed.

= Status bar: The status bar displays informational messages. In general, the left side
shows context-related information, the middle part shows the current number of
packets, and the right side shows the selected configuration profile. The user can drag
the handles between the text areas to change the size.

Module 17 Page 2045 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.