Chapter 17 - 03 - Perform Network Monitoring for Suspicious Traffic - 02_ocred_fax_ocred.pdf



Certified Cybersecurity Technician Exam 212-82 Network Traffic Monitoring

Follow TCP Stream in Wireshark

[Figure: Wireshark "Follow TCP Stream" window opened with the filter tcp.stream eq 25 on an HTTP POST / to www.moviescope.com. The reassembled stream shows the request headers (Host, User-Agent, Accept, Accept-Encoding, Content-Type: application/x-www-form-urlencoded, Content-Length: 322, Origin, Referer, Upgrade-Insecure-Requests) and the URL-encoded form fields __VIEWSTATE, __VIEWSTATEGENERATOR, __EVENTVALIDATION, txtusername and txtpwd, with the submitted username and password readable in cleartext.]

Copyright © by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited.

Display Filters in Wireshark

Source: https://wiki.wireshark.org

Wireshark features display filters that filter traffic on the target network by protocol type, IP address, port, etc. Display filters are used to change the view of packets in the captured files. To set up a filter, type the protocol name, such as arp, http, tcp, udp, dns, or ip, in the filter box of Wireshark. Wireshark can use multiple filters at a time. Some of the display filters in Wireshark are listed below:

- Display Filtering by Protocol
  Example: type the protocol in the filter box: arp, http, tcp, udp, dns, ip
- Filtering by IP Address
  ip.addr == 10.0.0.4
- Filtering by Multiple IP Addresses
  ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5
- Monitoring Specific Ports
  tcp.port==23
  ip.addr==192.168.1.100 (traffic to or from the 192.168.1.100 machine)
  ip.addr==192.168.1.100 && tcp.port==23
- Other Filters
  ip.dst == 10.0.1.50 && frame.pkt_len > 400
  ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
  ip.src==205.153.63.30 or ip.dst==205.153.63.30

Module 17 Page 2048 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Additional Wireshark Filters

Source: https://wiki.wireshark.org

Some examples of additional Wireshark filters are listed below:

- tcp.flags.reset==1
  Displays all TCP resets
- udp contains 33:27:58
  Sets a filter for the hex values 0x33 0x27 0x58 at any offset
- http.request
  Displays all HTTP GET requests
- tcp.analysis.retransmission
  Displays all retransmissions in the trace
- tcp contains traffic
  Displays all TCP packets that contain the word "traffic"
- !(arp or icmp or dns)
  Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of your interest
- tcp.port == 4000
  Sets a filter for any TCP packet with 4000 as a source or destination port
- tcp.port eq 25 or icmp
  Displays only SMTP (port 25) and ICMP traffic
- ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
  Displays only traffic in the LAN (192.168.x.x), between workstations and servers, with no Internet traffic
- ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip
  Filters by a protocol (e.g., SIP) and filters out unwanted IPs
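The two filter lists above say what each expression keeps, but not what it is actually testing on the wire. The following is an added example, not code from the course or from the Wireshark project: it decodes raw Ethernet/IPv4/ICMP/TCP/UDP frames into the handful of fields those filters use and pairs several of the page's filter strings with an equivalent Python predicate, then runs them over a small constructed capture. Assumptions made here: the frames (CAPTURE) are built inline with zero checksums and are not from a real trace; "dns" is assigned by port 53, the way Wireshark's default dissector selection does; and "tcp contains" / "udp contains" search the whole transport layer (header plus payload). The names parse_frame, apply_filter, FILTERS and the builder helpers are this example's own.

```python
"""Added example: what the page's Wireshark display filters match on the wire."""
import ipaddress
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806
ICMP, TCP, UDP = 1, 6, 17
LAN = ipaddress.ip_network("192.168.0.0/16")


def parse_frame(raw: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP|TCP|UDP into the fields the filters use.

    'protocols' plays the role of frame.protocols. DNS is recognised by port 53
    (assumption: mirrors default dissector selection). Checksums are not verified.
    """
    f = {"frame.pkt_len": len(raw), "protocols": {"eth"}}
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == ETH_ARP:
        f["protocols"].add("arp")
        return f
    if ethertype != ETH_IP:
        return f
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    f["protocols"].add("ip")
    f["ip.src"] = ipaddress.IPv4Address(ip[12:16])
    f["ip.dst"] = ipaddress.IPv4Address(ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == ICMP:
        f["protocols"].add("icmp")
    elif ip[9] in (TCP, UDP):
        name = "tcp" if ip[9] == TCP else "udp"
        sport, dport = struct.unpack("!HH", l4[:4])
        f["protocols"].add(name)
        f[name + ".port"] = {sport, dport}    # tcp.port matches either direction
        f[name] = l4                          # whole layer: what "tcp contains" searches
        if name == "tcp":
            f["tcp.flags.reset"] = 1 if l4[13] & 0x04 else 0   # RST bit
        if 53 in (sport, dport):
            f["protocols"].add("dns")
    return f


# Filter strings from the slides, each paired with the equivalent predicate.
FILTERS = {
    "tcp.flags.reset==1": lambda f: f.get("tcp.flags.reset") == 1,
    "udp contains 33:27:58": lambda f: b"\x33\x27\x58" in f.get("udp", b""),
    "tcp contains traffic": lambda f: b"traffic" in f.get("tcp", b""),
    "tcp.port == 4000": lambda f: 4000 in f.get("tcp.port", ()),
    "tcp.port eq 25 or icmp": lambda f: 25 in f.get("tcp.port", ()) or "icmp" in f["protocols"],
    "ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16":
        lambda f: "ip" in f["protocols"] and f["ip.src"] in LAN and f["ip.dst"] in LAN,
    "!(arp or icmp or dns)": lambda f: not f["protocols"] & {"arp", "icmp", "dns"},
    "ip.addr == 10.0.1.12 && icmp":
        lambda f: "icmp" in f["protocols"]
        and ipaddress.IPv4Address("10.0.1.12") in (f["ip.src"], f["ip.dst"]),
    "ip.dst == 10.0.1.50 && frame.pkt_len > 400":
        lambda f: f.get("ip.dst") == ipaddress.IPv4Address("10.0.1.50") and f["frame.pkt_len"] > 400,
}


def apply_filter(expr: str, frames: list) -> list:
    """Return the 1-based frame numbers the display filter expr would keep."""
    pred = FILTERS[expr]
    return [n for n, raw in enumerate(frames, 1) if pred(parse_frame(raw))]


# --- constructed sample capture (not a real trace) ---------------------------
def ipv4_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + 20-byte IPv4 header (no options, zero checksum) + transport layer."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


def tcp_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def udp_datagram(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SYN, RST, PSHACK = 0x02, 0x04, 0x18
CAPTURE = [
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETH_ARP) + b"\x00" * 28,                        # 1 ARP
    ipv4_frame("192.168.1.10", "192.168.1.20", TCP, tcp_segment(50000, 4000, SYN)),              # 2
    ipv4_frame("192.168.1.20", "192.168.1.10", TCP, tcp_segment(4000, 50000, RST)),              # 3
    ipv4_frame("10.0.1.12", "10.0.1.50", ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"A" * 500),  # 4 big echo
    ipv4_frame("192.168.1.10", "8.8.8.8", UDP, udp_datagram(40000, 53, b"\x12\x34\x01\x00\x00\x01")),  # 5 DNS
    ipv4_frame("192.168.1.10", "203.0.113.5", TCP, tcp_segment(50001, 25, PSHACK, b"EHLO lab.test\r\n")),  # 6 SMTP
    ipv4_frame("10.0.1.12", "10.0.1.50", UDP, udp_datagram(5000, 5000, b"\x00\x33\x27\x58\x00")),          # 7
    ipv4_frame("192.168.1.30", "192.168.1.40", TCP, tcp_segment(50002, 8080, PSHACK, b"GET /traffic HTTP/1.1\r\n")),  # 8
]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:52} -> frames {apply_filter(expr, CAPTURE)}")
```

Running the block prints, for each filter, the frame numbers it keeps (for instance, the RST filter keeps only frame 3 and the LAN-only filter keeps frames 2, 3 and 8). The point to take from it is that "tcp.port" matches either endpoint, "contains" is a raw byte search with no protocol awareness, and "!(arp or icmp or dns)" is driven by which dissectors Wireshark assigned, so a service on a non-standard port is not filtered out by name.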
