Wednesday, June 30, 2010

Wireshark as a network Sniffer or network analyzer

The last two posts(links at the end) on wireshark were about installation and using it for basic analysis and troubleshooting network traffic. This article explains why this software is so famous among hacker circles. Wireshark supports promiscuous mode which basically allows the host to view other hosts' traffic!

Detailed working of Wireshark


Nowadays Ethernet has emerged as the most widely used LAN data link and physical layer standard. To support hardware communication between many machines at the same time the concept of MAC addressing was introduced. When data is put on the cable for transmission all the other hosts receive that data and pass it to its NIC also known as the Ethernet card or LAN card. This data is then passed to its upper layer , the data link layer which checks whether the destination MAC /hardware address matches with its own (remember, MAC address of a machine is unique throughout the globe). If a match is found the packet is passed to the upper layer else the packet is discarded. Wireshark with the help of WinPcap library captures the frames from the interface (Ethernet, token ring networks are supported) regardless of the destintion MAC address therefore displaying packets meant for other hosts as well.

The only problem is that you might not capture any one's traffic if switched topology is being used instead of hubs. The reason lies in the way how switches and hubs propagate packets to end systems.

When a hub receives a packet on its physical interface is pushes out that packet through all of its other port. Consider this scenario


When the gateway sends a packet to the hub it forwards it to all its connected interfaces , as shown above.

Now consider a scenario in which a switch is being used instead of a hub


A switch silently learns the mac address of the end system and maps it to the physical port to which it is connected to. Therefore when a switch receives a packet it checks the destination MAC address and searches its table. If there is match, it forwards that packet through that particular port else floods it through all of the connected ports. It is clear that after a switch has built its table the packets are forwarded to the correct destination and the other connected hosts do not receive that packet. Therefore if Wireshark is run in a switched environment you will rarely be able to capture other's data. You might receive other hosts' data but that happens only when the switch has not completely built its table.

Here is an example of a switch's table where fa represents fastEthernet ports.


Finally, I tried to access my router's webpage through VMware XP running in bridged connection mode ( in bridging mode all the virtual pc's data is forwarded to the real machine which starts acting as a bridge) and ran Wireshark on my PC. Upon filtering data here is some juicy info


The authorization process has been captured by Wireshark; 'basic' implies that a very weak Base64 encoding has been applied. Decoding the string is very easy and can be done online , one such is link is provided at the bottom. The example above decodes to nando:nando which means a username and password of nando was entered.


Detection


Detecting this activity in a hub environment is nearly impossible and although a few tests can be done they are meant for older Windows versions ( 98,NT) and Linux kernels, therefore it is recommended that network administrators should implement switches as they not only provide security but also better network performance. Users should use encryption during important data communication.

NOTE
If you are not able to see others traffic make sure the promiscuous mode is set. Go to Capture->options , set the correct interface and tick the "capture in promiscuous mode field".


Also Windows users should ensure that npf be up and running, Linux users need to run wireshark with root privileges. If the problem persists then chances are that a switched network is being used.

To sniff a switched network a few more software and a deeper understanding of certain mechanisms is needed, which will be covered in some future article.

Wireshark has established itself as the leading packet sniffer software and a network analyzer. You can even use it to troubleshoot any DdoS attacks or malicious packets in your LAN. More on it in a future article.

Wireshark Installation
Configuring and using various options
Download Wireshark
Wireshark manual
Online Base64 encoder/decoder

Friday, June 25, 2010

What is Wireshark? A network or packet sniffer, Part 2

In this previous post basic download and installation of wireshark was discussed in Windows and Linux based Ubuntu.Today's article will cover the basic uses of wireshark, how one can use it to its maximum potential using various filters and other options. 
When you have configured wireshark to capture packets from the correct interface it will aptly show the frames being received and sent on that particular interface. You might get an output such as this ->





You can view the packet details by clicking on a packet. The details are displayed just like it is seen ie in the logically encapsulated form. So the ethernet frame would appear first then the ip header and so on.


Please note that Wireshark cannot capture wireless data and a special hardware (like a wireless usb adapter) is required to capture the wireless data.Cace Technologies have developed such a product called airPcap, links are at the bottom.
 

WIRESHARK FILTERS:


If you wish to see packets of a particular protocol , ip address or a port number and/or a variety of other parameters you can prepare a 'filter' ie a set of commands which would filter and display only the requested traffic.


Programmers especially C/C++ users will find it pretty easy to create filters because of the similarity in the syntax.
For example, if only TCP traffic is to be displayed simply enter tcp in the filter field and click on apply. If TCP is not required while all other protocols are append a ! before TCP. Almost all the major protocols are supported, atleast the upper layer protocols.


What if traffic from a particular ip address is required? Simply use the command ip.src or ip.dst command
Eg if traffic coming from 192.168.32.1 is to be filtered and displayed, then enter
ip.src==192.168.32.1 ; Note the use of two = signs



Suppose we want to view only tcp traffic coming from 192.168.32.1 ? Here we want two conditions to be satisfied simultaneously, therefore the && operator. The input to the filter field becomes


ip.src==192.168.32.1 && tcp


Furthermore, if we want to view tcp or udp traffic coming from 192.168.32.1 then we have a slight complex situation in which either the packet should be tcp and the source ip be 192.168.32.1 OR the protocol be udp and  source ip be 192.168.32.1, here the use of OR operatot ie || will also come to play. The filter will become:

ip.src==192.168.32.1 && (tcp || udp)

basically wireshark will check if ip.src is equal to 192.168.32.1 if true then it will further check if the protocol is tcp or udp if either comes out to be true the boolean output will be true and that particular packet will be displayed.


As a final example if we want tcp traffic with source port as 100 or 200 and destination port as 121 or 221 be displayed the filter will become:
ip.src==192.168.32.1 && tcp && ( tcp.srcport == 100 || tcp.port==200) && (tcp.dstport== 121 || tcp.dstport == 221 ) 



Follow a stream



One of the best features of Wireshark is the ability to "follow" a stream. When a TCP connection is established a two way virtual channel is created and the two end points then communicate. This feature displays the ongoing application layer data being exchanged in a strict chronological order. This can be very useful to analyze what kind of data is being exchanged at the application layer. 



Searching data


With the find packet option one can search for a particular string in the captured packets. The option is neatly tucked up in Find packet and string radio button.





Promiscuous mode


Another superb feature which made this software one of the most popular network analyzing tool and sniffer (earlier it was known as Ethereal). These two exciting topics deserve a proper explanation and a fresh page!


Download Wireshark
WinPcap Homepage
Airpcap Homepage

Monday, June 7, 2010

An SQL injection how to and preventing it

SQL injection attack is probably one of the most widely used attacks to hack or take control over a site. In the earlier days hacking/cracking was mainly done by exploiting the vulnerabilities in the Operating System. For example Ping Of Death was possible due to the fact that Windows kernel was not able to handle big sized ping packets and therefore the attacked computer would freeze or shutdown! Windows and Linux based OS have "patched" up most of the vulnerabilities that have been found, nowadays the focus has shifted to finding flaws in application and loosely written codes.Another reason for the gaining popularity is the fact that it is relatively easier than other techniques such as buffer overflow or heap overflow exploits. One such type of application layer exploit is the SQL injection attack which exploits which user input is not properly "sanitised" and is interpreted incorrectly by the database language, in this case SQL. For example suppose the SQL statement is

SELECT name FROM USERS where user= '[user input]' AND password='[user input]'

If the programmer has not taken proper measures it can create a big security hole,continuing with our example if the user gives "matrix" as the username and 1' OR '1=1 as the password the server will read it as

SELECT user FROM USERS where user= 'matrix' AND password=' 1' OR '1=1 '

Now it will search for the user matrix in the table and then check out if the password '1' OR '1=1' is true. Obviously the latter part of the statement is true and therefore authorization will be validated!
Note: In this case I somehow managed to know the username , there are techniques in which specially crafted SQL statements are input which can reveal all the usernames in the database tables.
This video illustrates how easy this technique is-


A very basic SQL injection attack, used to gain account access within minutes! from Nando Nachi on Vimeo.

This is probably the shortest article on SQL injection ever written. The aim is to create awareness on how lethal this flaw is and can be exploited by even an average computer user. Of course this is only one command and it is said that most of the SQL based servers are vulnerable and can be exploited with some form of complex command. That is why nowadays they have divided the SQL injection techniques to two groups- Basic and Advanced. Basic techniques deal with access to account using simple 'Queries' ie the user types in a command which will ask the database server to fetch details. Advanced techniques use complex and long SQl commands which can not only grant access but can be used to modify the database itself (eg deleting an account)! This was a very 'jugadoo' way of doing things and in no way is complete( I did not even mention the effects of using '--' which is used for commenting in SQL)

Preventing SQL injection
It's quite clear that if the user input is filtered of any harmful statements the vulnerability can be fixed.  Moreover the SQL software should be constantly updated.

I hope this post gave you a brief sql injection how to and described the fundamentals behind it.

These links are immensely helpful
SQL injection on Wikipedia
Preventing SQL on Microsoft SQL serverShare