10 minute read
Three Tools to Help You Protect Your Network
by Hiba Dweib
The network administrator's constant fear is a compromised network due to hackers or unauthorised access. This article describes the use of Wireshark, NetworkMiner and Snort, three popular open source packet analysis tools that help to analyse hacking or cracking attempts on a network.
The task of monitoring and administering networks has become both important and difficult due to the huge amount of information flowing through different transmission channels. In any organisation, it's a challenging task for network administrators to analyse the financial, military, educational or social information passing through their networks. Network crackers are very keen to access the confidential data running inside a target’s network. Hence, there is the need for very effective tools that can analyse hacking or cracking attempts. Generally, crackers analyse the opponents’ networks and capture the information in their records. This task is classically known as network sniffing, by which the information flowing through a network is repeatedly analysed.
Advertisement
There are a number of software products available in the technology market that provide network sniffer modules, using which, the systems administrator can analyse the packets. Packet capturing is the procedure of capturing and logging movement. The packet analyser is also referred to as a network analyser, protocol analysis tool or protocol analyser, packet sniffer, Ethernet sniffer or, simply, a wireless sniffer. Such software is technically a program that intercepts, seizes and logs the traffic passing through a network infrastructure. As information streams over the system, the sniffer catches every packet and, if required, translates the packet's crude information, demonstrating the qualities of different fields in the parcel.
Active and passive sniffing
Sniffing is a technique for fetching network information by capturing network packets. There are two types of packet sniffing in networks—active sniffing and passive sniffing. In active sniffing, the packet sniffing tool or software sends the requests over the network and then, in response, calculates the packets passing through the network. Passive sniffing does not rely on sending requests. This technique scans the network traffic without being detected on the network. It can be useful in places where networks are running critical
systems in the realm of process control, radar systems, medical equipment or telecommunications.
Features of packet tracing/ analysis tools
There are a number of applications for which packet analysers or sniffers can be used in a constructive way. Given below is a list of the benefits of packet tracing tools: Analyse network problems Detect network intrusion attempts Detect network misuse by internal and external users Document regulatory compliance by logging all perimeter and endpoint traffic Gain information on network intrusion Isolate exploited systems Monitor WAN bandwidth utilisation Monitor network usage (including internal and external users and systems) Monitor data-in-motion Monitor WAN and endpoint security status Gather and report network statistics Filter suspect content from network traffic Serve as the primary data source for day-to-day network monitoring and management Spy on other network users and collect sensitive information such as login details or users’ cookies (depending on any content encryption methods that may be in use) Reverse engineer proprietary protocols used over the network Debug client/server communications Debug network protocol implementations Verify adds, moves and changes Verify the internal control system’s effectiveness (firewalls, access control, Web filter, spam filter, proxy, etc)
The open source packet analysis tools available are Wireshark, NetworkMiner and Snort.
Figure 1: Selecting the interface list for packet analysis Figure 2: List of packets and related information analysed by Wireshark
Wireshark
Wireshark is a free and open source network packet analysis tool. It is used for network troubleshooting, dissection, programming and communications protocol research, development and training. Initially, it was called Ethereal, and in May 2006, the venture was renamed Wireshark because of trademark issues. Wireshark is cross-platform. It runs on different UNIX-like frameworks including GNU/Linux, OS X, BSD and Solaris, and even on Microsoft Windows.
There is, likewise, a terminal-based (non-GUI) form called Tshark. Wireshark, and alternate projects distributed
Figure 3: View enabled protocols for analysis
with it, like Tshark, are free software, released under the GNU General Public License.
Figure 4: List of protocols with the options displayed by Wireshark
Figure 5: Analysing individual packets by right-clicking
Figure 6: Individual packet information
Wireshark has also won some industry awards and recognition over the years, from the following: eWeek Infoworld Insecure.org system security devices survey Sourceforge Project of the Month in August 2010 McAfee SiteAdvisor Network Protocol Analysis Award VoIP Monitoring Award
Wireshark is a specialised tool that automatically understands the structure and format of different networking protocols. It can intelligently parse and show the fields, along with their descriptions specified by assorted networking protocols. Wireshark makes use of pcap to capture the packets. This tool is able to capture packets on the types of networks that pcap supports.
Wireshark has a rich set of features including: Detailed as well as deep inspection of hundreds of protocols. Live capturing of packets as well as offline investigation. It’s a cross-platform tool that can run on Windows, Linux,
OS X, Solaris, FreeBSD, NetBSD, and many others, without any specific configuration. The captured network packets and data can be viewed via a
GUI, or via the TTY-mode T Shark utility. It has VoIP support and analysis. VoIP calls in the captured traffic can be analysed and detected. Captured files compressed with gzip can be decompressed, on the fly. Live data can be read from Ethernet, IEEE 802.11, PPP/
HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay,
FDDI, and others (depending on your platform). It has decryption support for many protocols, including
IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and
WPA/WPA2. Colouring rules can be applied to the packet list for quick, intuitive analysis. It has the output export feature to XML, PostScript, CSV or plain text. Data can be captured from a live network connection or can be read from a file of already-captured packets. Live data can be analysed from many types of networks including Ethernet, IEEE 802.11, PPP, and loopback. The captured data can be edited or converted via commandline switches to the ‘editcap’ tool. The refinement in the data display can be implemented using the display filter. Plug-ins can be implemented and developed for new protocols. Raw traffic related to USB can be captured easily.
The online manual of Wireshark is available at http://www. wireshark.org/docs/wsug_html_chunked/index.html.
NetworkMiner
NetworkMiner is a famous network forensic analysis tool (NFAT) that can detect various system parameters including OS, hostname and open ports of network hosts through packet sniffing or by parsing a pcap file. The tool can extract the transmitted files from network traffic. NetworkMiner
Figure 7: Flow graph generation for the analysed packets
is classically used as a passive network sniffer/ packet capturing tool to detect the operating systems, sessions, hostnames, open ports and related information without placing any traffic on the network.
Using NetworkMiner
The GUI of NetworkMiner Figure 8: Flow graph generation options is divided into tabs. Each for the analysed packets tab has a different approach towards analysing information of the captured data.
The followings steps are used to analyse network traffic.
First, select the network interface for which the data has to be captured.
By default, the Hosts tab is selected. You can sort hosts on the basis of IP address, MAC address, hostname, operating system, etc.
Press the Start button to begin the sniffing process.
Snort
Snort is an open source tool written in C, used as a network intrusion prevention and detection system (IDS/IPS) and has been developed by Sourcefire. It offers an excellent combination of benefits like signature, protocol and anomaly-based inspection. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
Snort can implement protocol analysis and content investigation with a number of other features including detection of a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. Snort makes use of a flexible rules language to explain the traffic that it should collect or pass, as well as a detection engine that has a
Figure 9: Analysis of all packets
modular plug-in architecture.
Snort can be configured in three different modes: sniffer, packet logger and network intrusion detection. In sniffer mode, the tool reads the network packets and displays them on the console. In packet logger mode, the tool implements the logging of the packets to the disk. In intrusion detection mode, the tool monitors the network traffic and analyses it against a rule set defined by the user.
The main configuration file is /etc/snort/snort.conf. In this configuration file, the actual information of the network or system that is under investigation is specified. All values and parameters are commented in the file so that the changes can be done very easily.
Some of the extracts from the configuration file are:
# Setup the network addresses you are protecting ipvar HOME_NET any # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET any # List of DNS servers on your network ipvar DNS_SERVERS $HOME_NET # List of SMTP servers on your network ipvar SMTP_SERVERS $HOME_NET # List of web servers on your network ipvar HTTP_SERVERS $HOME_NET # List of sql servers on your network ipvar SQL_SERVERS $HOME_NET # List of telnet servers on your network ipvar TELNET_SERVERS $HOME_NET # List of ssh servers on your network ipvar SSH_SERVERS $HOME_NET # List of ftp servers on your network ipvar FTP_SERVERS $HOME_NET # List of sip servers on your network ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on portvar HTTP_PORTS [36,80,81,82,83,84,85,86,87,88,89,90,311,3 83,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,17 41,1830,2231,2301,2381,2809,3029,3037,3057,3128,3443,3702,400 0,4343,4848,5117,5250,6080,6173,6988,7000,7001,7144,7145,7510 ,7770,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,
8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8509,8800,8 888,8899,9000,9060,9080,9090,9091,9111,9443,9999,10000,11371, 12601,15489,29991,33300,34412,34443,34444,41080,44449,50000,5 0002,51423,53331,55252,55555,56712] # List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 # List of ports you might see oracle attacks on portvar ORACLE_PORTS 1024: # List of ports you want to look for SSH connections on: portvar SSH_PORTS 22 # List of ports you run ftp servers on portvar FTP_PORTS [21,2100,3535] # List of ports you run SIP servers on portvar SIP_PORTS [5060,5061,5600] # List of file data ports for file inspection portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] # List of GTP ports for GTP preprocessor portvar GTP_PORTS [2123,2152,3386] # other variables, these should not be modified ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24 ,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24, 205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/ 24,205.188.248.0/24]
Basic commands of Snort
The simplest way to start Snort and see what it does is to use the following command:
snort -v -i eth0
This command instructs Snort to be verbose and display the results to the console using the eth0 interface (Ethernet).
192.168.1.2 -> 192.168.1.1 ICMP TTL:64 TOS:0x0 ID:275 ID:63745 Seq:0 ECHO 192.168.1.1 -> 192.168.1.2 ICMP TTL:255 TOS:0x0 ID:2323 ID:63745 Seq:0 ECHO REPLY
The output contains a lot of information that you may find useful. Here you can tell that there is an ICMP packet coming from 192.168.1.2 and going to 192.168.1.1, and that it is an ECHO packet. This is the result of what you might find from a ping to this address. Then there's the ECHO REPLY from your machine sent to 192.168.1.2. The packets also contain the date stamp so you can see when something happened. When you stop Snort, using CONTROL-C, you will see the following output:
Snort received 10 packets and dropped 0(0.000%) packets
The breakdown, on the basis of protocols, is as follows:
TCP: 0 (0.000%) Figure 10: NetworkMiner options menu
Figure 11: Sorting options on Hosts
UDP: 0 (0.000%) ICMP: 2 (100.000%) ARP: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%)
Application layer data
You can display the application layer data using Snort. This data is related to the data packets being transmitted across the network, and is also used to sniff the passwords flowing in the network. You can implement it by adding ‘-d’ to the command:
snort -d -v -i eth0
Ethernet information
To check the Ethernet information, you can use ‘-e’:
snort -d -v -e -i eth0
