Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions April 14, 2015 DRAFT1.

Chapter 6: Protocol Analysis and Network Programming

Networking Theory and Practice
Open Systems Interconnection (OSI) defines the standard protocol stack
– Of the 7 layers, only 4 are used in practice: Physical (Layer 1), Data Link (Layer 2), Network (Layer 3), Transport (Layer 4)
– The successor to OSI is the Reference Model for Open Distributed Processing (RM-ODP), which we encountered in Chapter 3, Row 3

Frequently Encountered Network Protocols
IEEE Ethernet protocol (L2)
IEEE wireless protocols, commercially known as Wi-Fi (L2)
Address Resolution Protocol (ARP) (L2)
IP Version 4 (IPv4) (L3)
IP Version 6 (IPv6) (L3)
Internet Control Message Protocol (ICMP) (L3)
User Datagram Protocol (UDP) (L4)
Transmission Control Protocol (TCP) (L4)

Network Protocol Analysis
Network protocol analysis can be performed automatically by Wireshark
– Manual protocol analysis is outdated
Each frame (L2) or packet (L3) has a header and a payload
– The L2 header and trailer are attached before and after the L3 header and payload, i.e. L2 encapsulates L3
– The L3 header is likewise attached in front of the L4 header and payload, i.e. L3 encapsulates L4

Address Resolution Protocol (ARP) and Layer 2 Analysis

ARP Frame

Internet Protocol (IP) Analysis

Internet Control Message Protocol (ICMP)

User Datagram Protocol (UDP) Analysis

Transmission Control Protocol (TCP) Analysis
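The encapsulation described in the protocol analysis slides (Ethernet carrying ARP, or Ethernet carrying IPv4 which in turn carries TCP, UDP or ICMP), worked through as an added example that is not from the book: a small decoder that peels one header per layer from two constructed frames and returns the decoded fields as nested dictionaries. The sample frames, MACs and addresses are constructed here, not captured traffic.

```python
import struct

# Constructed sample frames (not captured traffic); each header sits in front of the payload it encapsulates.
ETH_ARP = (bytes.fromhex("ffffffffffff 0a0000000001 0806")            # dst MAC, src MAC, EtherType ARP
           + bytes.fromhex("0001 0800 06 04 0001")                     # htype, ptype, hlen, plen, op=request
           + bytes.fromhex("0a0000000001") + bytes([10, 0, 0, 1])      # sender MAC / IP
           + bytes.fromhex("000000000000") + bytes([10, 0, 0, 2]))     # target MAC / IP
ETH_TCP = (bytes.fromhex("0a0000000002 0a0000000001 0800")            # EtherType IPv4
           + bytes.fromhex("4500 0028 0001 4000 40 06 0000")           # IHL=5, total len=40, TTL=64, proto=6
           + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])               # src / dst IP
           + struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0))  # TCP SYN to port 22

def parse_ethernet(frame):
    """L2: return (dst, src, ethertype, payload); the payload is the encapsulated L3 unit."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(":"), src.hex(":"), etype, frame[14:]

def parse_arp(data):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", data[:28])
    return {"layer": "ARP", "op": {1: "request", 2: "reply"}.get(op, op),
            "sender": (sha.hex(":"), ".".join(map(str, spa))),
            "target": (tha.hex(":"), ".".join(map(str, tpa)))}

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the TCP flags byte

def parse_l4(proto, seg):
    """L4: decode the segment carried in the IPv4 payload, chosen by IPv4 protocol number."""
    if proto == 6:
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", seg[:16])
        names = [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)]
        return {"layer": "TCP", "sport": sport, "dport": dport, "flags": names, "payload": seg[(off >> 4) * 4:]}
    if proto == 17:
        sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
        return {"layer": "UDP", "sport": sport, "dport": dport, "payload": seg[8:length]}
    if proto == 1:
        return {"layer": "ICMP", "type": seg[0], "code": seg[1]}
    return {"layer": "proto-%d" % proto, "payload": seg}

def parse_ipv4(data):
    """L3: header fields, then hand the payload (bounded by IHL and total length) to L4."""
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    dotted = lambda b: ".".join(map(str, b))
    return {"layer": "IPv4", "src": dotted(data[12:16]), "dst": dotted(data[16:20]),
            "ttl": data[8], "proto": data[9], "l4": parse_l4(data[9], data[ihl:total_len])}

def decode(frame):
    """Walk the encapsulation from L2 inward and return one nested dict."""
    dst, src, etype, payload = parse_ethernet(frame)
    l3 = {0x0806: parse_arp, 0x0800: parse_ipv4}.get(etype)
    return {"layer": "Ethernet", "dst": dst, "src": src, "ethertype": etype,
            "l3": l3(payload) if l3 else {"layer": "unknown-0x%04x" % etype}}
```

Unknown EtherTypes and protocol numbers fall through to a labelled placeholder rather than raising, which is the behaviour a practitioner wants when the decoder is run over arbitrary captured frames.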

Network Programming: Bash
Bash is one of the command line shells available on Linux and Unix systems
– The shell assigned to each user is selected in the /etc/passwd file
In network programming we execute network commands in a script, either at the command line or from a script file
During penetration tests we frequently encounter raw shells (that do not even support backspace) where we can only submit one command line at a time
– Use network programming to build security tools such as ping scans and banner grabbers (banners are how services self-identify)
Network programming remains a rare but very useful skill among security pros

Linux/Unix Bash Basics: Standard Input, Output, Error, Pipes
Sorting, reverse numerical (count how often each IP appears in the alert file, most frequent first)
– # sort /tmp/alertIPs | uniq -c | sort -nr
Append to a file, including standard error
– mount error >> log.txt 2>&1
Command sequence
– # echo Hello Universe! > /tmp/tmp ; cd /tmp ; ls ; cat tmp ; rm tmp ; ls ; cd ~

Linux/Unix Bash for Basic Network Programming
Ping an IP; returns the ICMP response
– # ping -c1 -w
To ping an address range, i.e. a scan
– # for i in `echo {1..254}`; do ping -c1 -w $i; done

Linux/Unix Bash Network Sweep: Packaging a Script
Package the ping sweep in a script file with Ctrl-C abort (the handler is defined before the trap that names it):
– #!/bin/bash
– bashtrap() { echo "Bashtrap Punt!"; exit; }
– trap bashtrap INT
– for i in `echo {1..254}`; do ping -c1 -w $i; done
Use $1, $2, $3, … for command line arguments
Use an if statement for conditionality, e.g. default the network when no argument is given
– if [ $# -eq 0 ]; then network=" "; else network=$1; fi

Linux/Unix Bash Network Scanning using While
Read host numbers (the last octet of each address) from a hosts file, one per line:
– #!/bin/bash
– bashtrap() { echo "Bashtrap Punt!"; exit; }
– trap bashtrap INT
– if [ $# -eq 0 ]; then network=" "; else network=$1; fi
– while read n; do echo -e "\nSCANNING $network.$n"; nmap -O -sV --top-ports 9 --reason $network.$n; done < hosts

Bash Banner Grabbing
Read host numbers from a hosts file and port numbers from a ports file; nc connects to each host:port pair and prints whatever banner the service sends back:
  #!/bin/bash
  function t { echo -e "\nExiting!"; exit; }
  trap t INT
  if [ $# -eq 0 ]; then network=" "; else network=$1; fi
  while read host; do
    echo -e "\nTESTING $network.$host PORTS..."
    while read port; do
      echo -n " $port"
      echo "" | nc -n -v -w1 $network.$host $port
    done < ports
  done < hosts

Windows Command Line Scripting
In the Windows command line the concepts are very similar to Bash
Use the .bat suffix for script (batch) files
Batch file arguments are %1, %2, %3, …
Script file variables use the % prefix
for /L to iterate through numbers (i.e. counting)
for /F to iterate through a set or a file
– Works like a while loop in Bash

Windows Command Line: Standard IO, Pipes, and Sequences
Example standard IO and pipes
– C:\> type list.txt | sort /r >> sorted.txt & dir /b /s & type sorted.txt
Command sequence (&), conditional (&&)
– C:\> net use \\ passw0rd /u:testuser && echo SUCCESS & net use \\ /del

Windows Command Line: Network Programming using For /L
Ping sweep as a batch file (inside a .bat file the loop variable is written %%h; at an interactive prompt it would be %h)
– set network=%1
– for /L %%h in (2, 1, 255) do ping -n 1 %network%.%%h | find "bytes=" > nul && echo Host at %network%.%%h

Windows Command Line: Password Attack using For /F
Batch file that tries each line of pass.txt as the password for one user; a successful net use prints the password and the mapping is removed again
– set ipaddr=%1
– set usertarget=%2
– for /F %%p in (pass.txt) do net use \\%ipaddr% %%p /u:%usertarget% 2> nul && echo PASS=%%p & net use \\%ipaddr% /del

Python Scripting
There are various categories of programming languages, from command line (Bash, Windows CLI) to interpreted/compiled scripting (Python, Ruby) to systems programming (C, C++, C#)
– Categories vary by the number of lines needed to implement a capability; the typical multiplier between categories is 8
– Lower levels provide more detailed access and faster execution
– Python's advantage is that it is highly portable and has an extensive function library

Python Programming for Accelerated Network Scanning
  #!/usr/bin/python
  import os
  import time
  from threading import Thread

  start = time.ctime()
  print(start)
  scan = "ping -c1 -w1 "      # probe command; the target address is appended to it
  max_host = 65               # probe host numbers 1 through 64

  class threadclass(Thread):
      """One thread per host: runs the ping and keeps its output in self.status."""
      def __init__(self, ip):
          Thread.__init__(self)
          self.ip = ip
          self.status = -1
      def run(self):
          result = os.popen(scan + self.ip, "r")
          self.status = result.read()

  threadlist = []
  for host in range(1, max_host):
      ip = " " + str(host)     # network prefix followed by the host number
      current = threadclass(ip)
      threadlist.append(current)
      current.start()          # all probes run concurrently

  for t in threadlist:
      t.join()                 # wait for each probe, then report its output
      print("Status from ", t.ip, "is", repr(t.status))

  print(start)
  print(time.ctime())
Threaded scanning is about 60X faster than serial scans
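The same threaded sweep written the way a practitioner would run it today, as an added example that is not the book's code: the probe is passed to subprocess as an argument list rather than concatenated into a shell string for os.popen, the number of concurrent probes is bounded by a thread pool instead of one unbounded thread per host, and hung probes time out. The function names (sweep, probe, ping_argv, fake_argv) and the 192.0.2 prefix are this example's own; fake_argv is a constructed stand-in probe so the block runs offline.

```python
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

def ping_argv(ip):
    """Probe as an argv list: the address is one argument, never part of a shell string."""
    return ["ping", "-c", "1", "-w", "1", ip]

def probe(ip, argv_for, timeout=3.0):
    """Run one probe without a shell; return (ip, alive). Timeouts and missing binaries count as down."""
    try:
        rc = subprocess.run(argv_for(ip), stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, timeout=timeout).returncode
    except (subprocess.TimeoutExpired, OSError):
        return ip, False
    return ip, rc == 0

def sweep(prefix, first=1, last=254, argv_for=ping_argv, workers=32):
    """Probe prefix.first .. prefix.last with at most `workers` concurrent probes; return live hosts."""
    hosts = ["%s.%d" % (prefix, n) for n in range(first, last + 1)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda ip: probe(ip, argv_for), hosts))
    return sorted((ip for ip, alive in results if alive), key=lambda s: int(s.rsplit(".", 1)[1]))

def fake_argv(ip):
    """Constructed stand-in for ping used offline: 'alive' when the last octet is even."""
    last = int(ip.rsplit(".", 1)[1])
    return [sys.executable, "-c", "import sys; sys.exit(%d)" % (0 if last % 2 == 0 else 1)]

if __name__ == "__main__":
    print(sweep("192.0.2", 1, 8, argv_for=fake_argv))   # ['192.0.2.2', '192.0.2.4', '192.0.2.6', '192.0.2.8']
```

Replace fake_argv with ping_argv (the default) to probe a real range; ping's own -w deadline plus the subprocess timeout keep a silent host from stalling the pool.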

REVIEW: CHAPTER SUMMARY