Chapter 17 - 03 - Perform Network Monitoring for Suspicious Traffic
EC-Council
Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring

Module Flow
1. Understand the Need and Advantages of Network Traffic Monitoring
2. Determine Baseline Traffic Signatures for Normal and Suspicious Network Traffic
3. Perform Network Monitoring for Suspicious Traffic

Perform Network Monitoring for Suspicious Traffic

The objective of this section is to explain how to use Wireshark to perform network monitoring and analysis. It describes how to use Wireshark for monitoring and analyzing File Transfer Protocol (FTP) traffic, Telnet traffic, and Hypertext Transfer Protocol (HTTP) traffic.

Module 17 Page 2039 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Wireshark

Wireshark is a widely used network sniffer for network monitoring and analysis. It captures and interactively browses the traffic on a network.

[Slide screenshot: the Wireshark main window during a capture on eth0, showing the packet list, packet details and packet bytes panes with an HTTP packet selected. Status bar: HTTP Content-Length header (http.content_length_header), 21 bytes; Packets: 945, Displayed: 945 (100.0%); Profile: Default.]

Source: https://www.wireshark.org

Wireshark is a packet sniffer used for network troubleshooting, for investigating security issues, and for analyzing and understanding network protocols. Because it shows everything that crosses the wire, it also exposes any information sent in plain text, such as FTP, Telnet, or HTTP Basic credentials, to anyone able to capture the traffic.

Features
Wireshark has a rich feature set that includes the following:
- Identify poor network performance due to high path latency.
- Locate internetwork devices that drop packets.
- Validate the optimal configuration of network hosts.
- Analyze application functionality and dependencies.
- Optimize application behavior for best performance.
- Analyze network capacity before application launch.
- Verify application security during launch, login, and data transfer.
- Identify unusual network traffic indicating potentially compromised hosts.

Prerequisites for network packet capture
Setting up Wireshark to capture packets for the first time can be tricky. The following are common problems encountered when capturing packets with Wireshark for the first time:
- Special privileges are required to start a live capture.
- The correct network interface must be chosen to capture packet data from.
- Network packets must be captured at the correct location in the network to see the desired traffic. On a switched network a host normally sees only its own traffic and broadcasts, so capturing other hosts' conversations requires a SPAN/mirror port, a network TAP, or capturing on the host or gateway that handles the traffic.

Wireshark network analysis activities
Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine enables security professionals to perform the following:
- Capture from different types of network hardware such as Ethernet and 802.11.
- Stop the capture based on different triggers such as the amount of captured data, elapsed time, or number of packets.
- Simultaneously show decoded packets while capturing is in progress.
- Filter packets to reduce the amount of data to be captured.
- Save packets in multiple files during a long capture.
- Simultaneously capture from multiple network interfaces.

First network packet capture using Wireshark
To capture packets using Wireshark, first install and launch the tool on a host attached to the target network, then select the appropriate network interface to capture traffic from. A capture can be started in any of the following ways:
1. Double-click on an interface in the main window.
2. Open the Capture Interfaces dialog box (Capture > Options) for an overview of the available interfaces, and start a capture from this dialog box using the Start button.
3. Start a capture immediately with the current settings by selecting Capture > Start or by clicking the first toolbar button.
4. If the name of the capture interface is known, Wireshark can be launched from the command line with the capture already running, where -i selects the interface and -k starts capturing immediately:

$ wireshark -i eth0 -k
Figure 17.1: Wireshark Network Interfaces
[Screenshot: the Wireshark 2.6.6 (2.6.6-1~ubuntu16.04.0) start screen listing the capture interfaces eth0, docker0, a br- bridge, several veth interfaces, and "any", with the capture filter field ("Enter a capture filter ...") above the list and the display filter bar above that. Status bar: Ready to load or capture; No Packets; Profile: Default.]

Figure 17.2: Capturing Traffic
[Screenshot: a live capture on eth0 (temporary file wireshark_eth0_20190919165858_50GI1D.pcapng). The packet list shows Syslog messages from 10.10.10.1 to 10.10.10.16 (LOCAL0.INFO, 175-181 bytes) and a UDP datagram from 10.10.10.16 to 10.10.10.79 (255 bytes). Packet details for frame 1: 175 bytes on wire (1400 bits); Ethernet II, Src: Microsof_53:39:3d (00:15:5d:53:39:3d), Dst: Microsof_53:39:47 (00:15:5d:53:39:47); Internet Protocol Version 4, Src: 10.10.10.1, Dst: 10.10.10.16; User Datagram Protocol, Src Port: 514, Dst Port: 514; Syslog message: LOCAL0.INFO: Sep 19 16:59:00 filterlog: 69,,,12000,hn0,match,block,in,4,0x0,,128,65308,0,none,17,udp,78,192.168.0.96,192.168.0... (truncated in the screenshot). The packet bytes pane shows the same frame as a hex dump with ASCII. Status bar: Packets: 161, Displayed: 161 (100.0%); Profile: Default.]
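The following is an added example, not part of the EC-Council material, showing what is behind the capture file and the three panes in Figure 17.2: it builds one syslog-over-UDP frame modelled on that figure (the MAC and IP addresses are taken from the figure; the filterlog text, timestamp and IP identification field are assumptions made for the example), stores it in an in-memory libpcap file of the kind Wireshark saves and opens, reads it back, decodes the Ethernet, IPv4, UDP and syslog layers the way the Packet Details pane lists them, and renders the Packet Bytes hex dump. Everything here uses only the Python standard library.

```python
"""Constructed example: build a syslog-over-UDP frame like the one in Figure 17.2,
store it in an in-memory libpcap file (the format Wireshark saves and opens),
read it back, and decode it the way the Packet Details and Packet Bytes panes do."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1        # DLT_EN10MB, shown by Wireshark as "Ethernet II"
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console solaris-cron local0 local1 local2 local3 "
              "local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Sample content modelled on Figure 17.2 (MACs/IPs from the figure; the filterlog
# text below is made up for this example and is not a real log line).
SRC_MAC, DST_MAC = "00:15:5d:53:39:3d", "00:15:5d:53:39:47"
SRC_IP, DST_IP = "10.10.10.1", "10.10.10.16"
SAMPLE_SYSLOG = (b"<134>Sep 19 16:59:00 filterlog: 69,,,12000,hn0,match,block,in,4,"
                 b"0x0,,128,65308,0,none,17,udp,78,192.168.0.96,192.168.0.1,137,137,58")

def ip_checksum(header):
    """RFC 1071 ones'-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP. The UDP checksum is left at 0, which IPv4 permits."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x6D0D, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + ip + udp

def write_pcap(frames, ts_base=1568912340.0):
    """Serialise frames as a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        ts = ts_base + i / 1000
        out += struct.pack("!IIII", int(ts), int(ts % 1 * 1_000_000), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a libpcap file; returns (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                                    # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                                    # big-endian (what write_pcap produces)
    else:
        raise ValueError("not a libpcap capture (magic %#x)" % magic)
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        packets.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets

def dissect(frame):
    """Decode the layers Wireshark lists in the Packet Details pane for this frame."""
    info = {"frame": {"length": len(frame)}}
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": etype}
    if etype != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    info["ip"] = {"version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len, "ttl": ttl,
                  "protocol": proto, "src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
                  "checksum_ok": ip_checksum(ip[:ihl]) == 0}   # checksum over a valid header folds to 0
    if proto == 17:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        payload = ip[ihl + 8:ihl + ulen]             # UDP length counts its own 8-byte header
        info["udp"] = {"sport": sport, "dport": dport, "length": ulen}
        if 514 in (sport, dport) and payload[:1] == b"<" and b">" in payload[:5]:
            pri = int(payload[1:payload.index(b">")])      # syslog PRI = facility * 8 + severity
            if pri < 192:
                info["syslog"] = {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
                                  "message": payload[payload.index(b">") + 1:].decode("ascii", "replace")}
    return info

def hexdump(data, width=16):
    """Offset | hex | ASCII: the layout of the Packet Bytes pane."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %s  %s" % (off, hexpart, ascii_part))
    return "\n".join(lines)

def demo():
    """Round-trip one constructed frame through a pcap file and decode it."""
    frame = build_udp_frame(SRC_MAC, DST_MAC, SRC_IP, DST_IP, 514, 514, SAMPLE_SYSLOG)
    linktype, packets = read_pcap(write_pcap([frame]))
    assert linktype == LINKTYPE_ETHERNET
    return dissect(packets[0][2]), hexdump(packets[0][2])

if __name__ == "__main__":
    details, dump = demo()
    for layer, fields in details.items():
        print(layer, fields)
    print(dump)
```

Writing the capture with write_pcap and opening the resulting file in Wireshark gives the same Ethernet II / IPv4 / UDP / Syslog tree as Figure 17.2; the checksum_ok flag is the kind of check worth keeping in a monitoring script, since a packet with a bad IP header checksum that was nevertheless forwarded is unusual.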
Wireshark components

Figure 17.3: Wireshark components
[Screenshot: the Wireshark main window during a capture on eth0, annotated with its components: Menu Bar, Tool Bar, Filter Tool Bar, Packet List Panel, Packet Details Panel, Packet Bytes Panel, and the status bar. The selected packet, frame 96, is a 1321-byte HTTP packet from 10.10.10.79 to 10.10.10.16; the status bar reads "HTTP Content-Length header (http.content_length_header), 21 bytes", Packets: 945, Displayed: 945 (100.0%), Profile: Default.]

The main menu of Wireshark contains the following items:

File: This menu contains items to open and merge capture files, to save, print, import, and export capture files in whole or in part, and to quit the Wireshark application.

Edit: This menu contains items to find a packet, set a time reference, and mark one or more packets. It also handles configuration profiles and preferences.

View: This menu controls the display of the captured data, including the colorization of packets, font zoom, display of a packet in a separate window, and expanding and collapsing of the packet details tree.
- Colorize packet list: This option controls whether Wireshark colorizes the packet list. Enabling colorization slows down the display of new packets while capturing and loading capture files.
- Coloring rules: This option allows security professionals to color packets in the packet list pane according to filter expressions of their choice. It is very useful for spotting certain types of packets, for example by giving cleartext FTP or Telnet logins their own color.
- Colorize conversation: This menu item brings up a submenu that changes the color of the packets in the packet list pane based on the addresses of the currently selected packet. This makes it easy to distinguish packets belonging to different conversations.

Go: This menu contains options to navigate to a specific packet, including the previous packet, the next packet, the corresponding packet, the first packet, and the last packet.

Capture: This menu allows security professionals to start, stop, and restart a capture and to edit capture filters.
- Capture filters: This option allows security professionals to create and edit capture filters. Filters can be named and saved for future use. Capture filters use BPF syntax (for example, tcp port 21) and decide which packets are recorded at all; display filters use Wireshark's own syntax (for example, ftp.request.command == "PASS") and only decide which of the captured packets are shown.

Analyze: This menu contains items to manipulate and apply display filters, enable or disable the dissection of protocols, configure user-specified decodes (Decode As), and follow a stream, including TCP, UDP, and Secure Sockets Layer (SSL) streams (labelled TLS in current versions).
- Follow TCP stream: This option displays, reassembled in order, all the captured TCP segments that belong to the same TCP connection as the selected packet. It is the quickest way to read an FTP, Telnet, or HTTP conversation exactly as the two applications exchanged it.
- Follow UDP stream: This option displays all the captured UDP datagrams exchanged between the same address and port pair as the selected packet. UDP is connectionless, so the "stream" is the conversation between the two endpoints rather than a connection.
- Follow SSL stream: This option displays all the captured SSL/TLS records on the same connection as the selected packet. The application data appears in the clear only if Wireshark has been given the key material (for example, a pre-master secret log file or, for RSA key exchange, the server's private key); otherwise only the handshake is readable.

Statistics: This menu contains options to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics, I/O graphs, and flow graphs.

Telephony: This menu contains options to display various telephony-related statistics windows, including media analysis, flow diagrams, and protocol hierarchy statistics.

Wireless: This menu shows Bluetooth and IEEE 802.11 wireless statistics.

Tools: This menu contains various tools available in Wireshark, including the creation of firewall access control list (ACL) rules and the use of the Lua interpreter.
- Firewall ACL rules: This tool creates command-line ACL rules for many different firewall products, including Cisco IOS, Linux Netfilter, OpenBSD, and Windows Firewall. Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port combinations are supported. It is assumed that the rules will be applied to an outside interface.
- Lua: This tool includes options for working with the built-in Lua interpreter of Wireshark. Wireshark uses Lua for writing protocol dissectors.
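The following is an added example, not from the course material, that does in code what Follow TCP stream does in the GUI, and then applies it to the three protocols this section is about. Over a constructed set of TCP segments (the hosts, ports and credentials are invented for the example; 203.0.113.10 is a documentation address) it reassembles each direction of a connection by sequence number, holding segments that arrive early and dropping retransmitted bytes, and then pulls the FTP USER/PASS commands, the Telnet login typed one keystroke at a time, and the HTTP Basic Authorization header out of the reassembled stream.

```python
"""Constructed example: follow a TCP stream the way Analyze > Follow > TCP Stream does,
then look for credentials that FTP, Telnet and HTTP Basic authentication send in cleartext."""
import base64
import re

def seg(src, sport, dst, dport, seq, payload=b""):
    """One captured TCP segment (only the fields this example needs)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq, "payload": payload}

def stream_id(s):
    """Direction-independent key: both halves of one connection share it."""
    return tuple(sorted([(s["src"], s["sport"]), (s["dst"], s["dport"])]))

def follow_tcp_stream(segments, selected):
    """Reassemble the connection that `selected` belongs to.
    Returns (server_port, chunks); chunks is a list of ('client' | 'server', bytes) in
    reassembled order. As in Wireshark, the client is whoever sent the first packet of the
    stream (normally the SYN). Each direction is ordered by sequence number, segments that
    arrive early are held until the gap is filled, and retransmitted bytes are dropped."""
    segs = [s for s in segments if stream_id(s) == stream_id(selected)]
    client, server_port = (segs[0]["src"], segs[0]["sport"]), segs[0]["dport"]

    def side(s):
        return "client" if (s["src"], s["sport"]) == client else "server"

    data = [s for s in segs if s["payload"]]
    expected = {d: min((s["seq"] for s in data if side(s) == d), default=0) for d in ("client", "server")}
    pending, chunks = {"client": {}, "server": {}}, []
    for s in data:
        d, seq, payload = side(s), s["seq"], s["payload"]
        if seq < expected[d]:                         # retransmission: keep only unseen bytes
            payload, seq = payload[expected[d] - seq:], expected[d]
            if not payload:
                continue
        pending[d][seq] = payload
        while expected[d] in pending[d]:              # emit everything that is now contiguous
            emitted = pending[d].pop(expected[d])
            chunks.append((d, emitted))
            expected[d] += len(emitted)
    return server_port, chunks

def strip_telnet_iac(data):
    """Drop Telnet option negotiation (IAC sequences) so only typed/printed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt == 0xFF:                           # IAC IAC is an escaped literal 0xFF
                out.append(0xFF)
                i += 2
            else:                                     # WILL/WONT/DO/DONT carry an option byte
                i += 3 if 251 <= nxt <= 254 else 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def extract_cleartext_credentials(server_port, chunks):
    """Return [(protocol, username, password), ...] found in a followed stream."""
    client = b"".join(p for d, p in chunks if d == "client")
    found = []
    if server_port == 21:                             # FTP: USER / PASS commands
        user = re.search(rb"^USER (\S+)", client, re.M)
        pw = re.search(rb"^PASS (\S+)", client, re.M)
        if user and pw:
            found.append(("ftp", user.group(1).decode(), pw.group(1).decode()))
    elif server_port == 80:                           # HTTP Basic: base64 is encoding, not encryption
        for m in re.finditer(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", client, re.M):
            u, _, p = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
            found.append(("http-basic", u, p))
    elif server_port == 23:                           # Telnet: server prompts say what the typed line is
        want, typed, creds = None, b"", {}
        for d, p in chunks:
            text = strip_telnet_iac(p)
            if d == "server":
                low = text.lower()
                want = "user" if b"login:" in low else "password" if b"password:" in low else want
            elif want:
                typed += text                         # one keystroke per segment, so accumulate
                if b"\r" in typed or b"\n" in typed:  # Enter pressed: the line is complete
                    creds[want] = typed.strip(b"\r\n\x00").decode(errors="replace")
                    want, typed = None, b""
        if "user" in creds and "password" in creds:
            found.append(("telnet", creds["user"], creds["password"]))
    return found

def sample_segments():
    """Constructed capture (not real traffic): an FTP login with segments out of order and one
    retransmitted, an HTTP request with Basic auth, and a Telnet login typed a key at a time."""
    c, srv, web = "10.10.10.79", "10.10.10.16", "203.0.113.10"
    s = [seg(c, 49812, srv, 21, 1000),                                # SYN: marks the client
         seg(srv, 21, c, 49812, 5000, b"220 FTP server ready\r\n"),
         seg(c, 49812, srv, 21, 1013, b"PASS s3cret\r\n"),            # arrives before USER
         seg(c, 49812, srv, 21, 1001, b"USER alice\r\n"),
         seg(c, 49812, srv, 21, 1001, b"USER alice\r\n"),             # retransmission
         seg(srv, 21, c, 49812, 5022, b"331 Password required\r\n"),
         seg(srv, 21, c, 49812, 5045, b"230 Login successful\r\n"),
         seg(c, 49900, web, 80, 2000),
         seg(c, 49900, web, 80, 2001, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
         seg(web, 80, c, 49900, 9000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
         seg(c, 50010, srv, 23, 3000),
         seg(srv, 23, c, 50010, 7000, b"\xff\xfb\x01\xff\xfb\x03login: ")]   # IAC WILL ECHO, IAC WILL SGA
    seq = 3001
    for line in (b"bob\r\n", b"hunter2\r\n"):
        for ch in line:
            s.append(seg(c, 50010, srv, 23, seq, bytes([ch])))
            seq += 1
        if line.startswith(b"bob"):
            s.append(seg(srv, 23, c, 50010, 7013, b"\r\nPassword: "))
    return s

def audit(segments):
    """Follow every distinct stream once and collect the cleartext credentials found."""
    results, seen = [], set()
    for s in segments:
        if stream_id(s) not in seen:
            seen.add(stream_id(s))
            port, chunks = follow_tcp_stream(segments, s)
            results.extend(extract_cleartext_credentials(port, chunks))
    return results

if __name__ == "__main__":
    for proto, user, pw in audit(sample_segments()):
        print(f"{proto:10s} user={user!r} password={pw!r}")
```

In Wireshark the same three findings can be located with the display filters ftp.request.command == "USER" || ftp.request.command == "PASS", http.authorization, and telnet (then Follow TCP Stream on the Telnet conversation); the reassembly step above is what makes the keystroke-at-a-time Telnet login readable, since no single packet contains the password.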
Help: This menu contains items to help the user, including access to basic help, manual pages for the various command-line tools, online access to some web pages, and the About Wireshark dialog.

Main toolbar: The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user. If the space on the screen is needed to show more packet data, the toolbar can be hidden using the View menu. As in the menu, only the items that can be used in the current program state are available; the others are greyed out.

Filter toolbar: The filter toolbar allows security professionals to quickly edit and apply display filters.

Packet list panel: This panel displays a list of packets in the current capture file, colored according to the active coloring rules (by default, largely by protocol). Each line in the packet list corresponds to one packet in the capture file. If a line in this pane is selected, more details are displayed in the Packet Details and Packet Bytes panes. The default columns show the following:
- No.: This column shows the number of the packet in the capture file. This number does not change, even if a display filter is used.
- Time: This column shows the timestamp of the packet. The presentation format of this timestamp can be changed.
- Source: This column shows the source address of the packet.
- Destination: This column shows the destination address of the packet.
- Protocol: This column shows the protocol name in abbreviated form.
- Length: This column shows the length of the frame in bytes (visible in Figures 17.2 and 17.3).
- Info: This column shows additional information about the packet content.

Packet details panel: This panel displays the details of the selected packet, including the different protocols making up the layers of data in the packet. The protocols and fields of the packet are displayed as a tree that can be expanded and collapsed. Layers include the frame, Ethernet, IP, TCP, UDP, ICMP, and application protocols such as HTTP.

Packet bytes panel: This panel displays the packet bytes as a hex dump with American Standard Code for Information Interchange (ASCII) decoding. The left side shows the offset into the packet data, the middle shows the packet data in hexadecimal representation, and the right side shows the corresponding ASCII characters (non-printable bytes are shown as dots).

Status bar: The status bar displays informational messages. In general, the left side shows context-related information, the middle part shows the current number of packets, and the right side shows the selected configuration profile. The user can drag the handles between the text areas to change their size.