2. Kevin's Background?
• Web Developer for Kalmbach Publishing
(Astronomy, Model Railroader, Discover, etc.)
• Webmaster for Johnson Financial Group
• Transition to Info Sec
• SANS Hacker Techniques, exploits, and incident
handling
2
3. Today's Agenda
• Network Traffic Analysis with Wireshark
• Intercepting traffic with WebScarab
• Fuzzing with WebScarab
• Replay attacks with Netcat
4. Wireshark
• Network Packet Capture
• Protocol Analyzer
• Open source – Download from wireshark.org
• Runs on most operating systems
5. Getting started with wireshark
• Capture..Interfaces to select an interface
• Interface Options
• Capture filters use Berkeley Packet Filter syntax
• Promiscuous mode – capture all traffic at the
interface, not just destined for the capture host
6. Wireshark User Interface
• Packet List
– Packet Summary scrolls in real time
• Packet Details
– Expand different protocols and decode
• Packet Bytes
– Hex and ASCII
7. Network traffic refresher
• Encapsulation
• UDP – e.g. DNS traffic
• TCP
– TCP three way handshake
– TCP source and destination ports
8. Disney capture example
• DNS lookup
• Three way handshake
• HTTP Redirect
• Follow TCP Stream feature
• Find Packet feature
• Packet 1261 gzip
9. Wireshark Filters
• Capture Filter syntax and display filter syntax is
different
• Display filter understands lots more protocols
• Wizard to help with display filter syntax
10. PCAP files and TCPDump/WinDump
• Saves in libpcap file format
• Pcap files from other tools are treated just like
network captures
• TCPDump/WinDump command line utilities great
for creating pcap files
– Windump -D
– Windump -i1 -s0 -w filename.cap
11. Windump/TCP Dump uses
• Log traffic during beta test
– Can log at client, server, or span port on switch
• Cut data out of large pcap files
– bigcap.pcap....74.208
12. Troubleshooting Examples
• DNS Query details
• Proxies
• Different response with different browsers
• Performance and statistics
– http://192.168.30.128/simpsons.php
13. Other wireshark tips and tricks
• Services file
• TCP Checksum errors
• File...print to save as human readable text
• File...export...objects...http
14. Webscarab
• .jar file - Download and run
• Proxy config
• Proxy Intercept – modify traffic in transit
• Fuzzer
15. Netcat
• Hacker's swiss army knife
• Listen on a port
– nc -l -p 5678
• Connect to a port
– nc 192.168.8.101 5678
• Can pretend to be an HTTP, SMTP, etc. client.
16. Poor Man's load test with netcat
1) Capture and save HTTP request of the page(s)
you want to load test.
2) Batch file to save running time, output if desired
echo %time% > results%1.txt
for /L %%i in (1,1,20) do nc 192.168.8.1 80 < getlog.txt > nul
echo %time% >> results%1.txt
3) Run multiple instances
for /L %j in (1,1,5) do start loadtest.bat %i