Wireshark Filters

Wireshark is a freeware sniffer that can capture packets from a wired or wireless LAN connection. It is a very powerful tool which can provide network and upper layer protocol data captured on a network. Like a lot of other network programs, Wireshark uses the pcap network library to capture packets.
Wireshark was called Ethereal until 2006 when the main developer decided to change its name because of copyright reasons with the Ethereal name, which was registered by the company he decided to leave in 2006.
In Exercise 1 you installed and began capturing packets using Wireshark. To narrow down the amount of information gathered by Wireshark, you can use filters. These filters limit the amount of information captured or displayed.
Here are some examples of Wireshark filters:
  • ip.dst eq www.eccouncil.org This sets the filter to capture only packets destined for the web server www.eccouncil.org.
  • ip.src == This sets the filter to capture only packets coming from the host
  • eth.dst eq ff:ff:ff:ff:ff:ff This sets the filter to capture only Layer 2 broadcast packets.
  • host This sets the filter to capture only traffic to or from IP address
  • net This sets the filter to capture traffic to or from a range of IP addresses.
  • port 80 This sets the filter to capture traffic to destination port 80 (HTTP).
  • port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 This sets the filter to capture HTTP GET requests. The filter looks for the bytes "G", "E", "T", and " " (hex values 47, 45, 54, and 20) just after the TCP header. "tcp[12:1] & 0xf0) >> 2" figures out the TCP header length.
Exercise 1 shows you how to write filters in Wireshark.
Exercise 1: Create a Wireshark filter to capture only traffic to or from an IP address

  1. Open Wireshark.

  2. Click the active Network Interface to capture traffic.
  3. Click Capture, then select filters.

  4. Click the new button to create a new filter.
  5. Name the new filter in the filter name field.
  6. Type host IPaddress in the filter string field.
  7. Click OK.
  8. Select the capture menu and click start to begin the capture.
Repeat the above steps to create filters using the following strings:
  • net To capture traffic to or from a range of IP addresses.
  • src net To capture traffic from a range of IP addresses.
  • dst net To capture traffic to a range of IP addresses.
  • port 53 To capture only DNS (port 53) traffic.
  • host www.example.com and not (port 80 or port 25) To capture non-HTTP and non-SMTP traffic on your server.
  • port not 53 and not arp To capture all except ARP and DNS traffic.
  • tcp portrange 1501-1549 To capture traffic within a range of ports.
  • not broadcast and not multicast Capture only unicast traffic. Useful to get rid of noise on the network if you only want to see traffic to and from your machine.
Practice writing filters in Wireshark that capture only one type of protocol traffic or traffic from a specific source IP or MAC address. Use your PC's IP or MAC address to test that the filter is working.
It's important to understand how to create these filters before you attempt the CEH exam.

Bypassing the Limitations of Switches

Because of the way Ethernet switches operate, it is more difficult to gather useful information when sniffing on a switched network. Since most modern networks have been upgraded from hub to switches, it takes a little more effort to sniff on a switched network. One of the ways to do that is to trick the switch into sending the data to the hackers' computer using ARP poisoning.

How ARP Works

ARP allows the network to translate IP addresses into MAC addresses. When one host using TCP/IP on a LAN tries to contact another, it needs the MAC address or hardware address of the host it's trying to reach. It first looks in its ARP cache to see if it already has the MAC address; if it doesn't, it broadcasts an ARP request asking, "Who has the IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address, and a conversation can begin using TCP/IP.
ARP poisoning is a technique that's used to attack an Ethernet network and that may let an attacker sniff data frames on a switched LAN or stop the traffic altogether. ARP poisoning utilizes ARP spoofing, where the purpose is to send fake, or spoofed, ARP messages to an Ethernet LAN. These frames contain false MAC addresses that confuse network devices such as network switches. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a denial-of-service, or DoS, attack). ARP spoofing can also be used in a man-in-the-middle attack, in which all traffic is forwarded through a host by means of ARP spoofing and analyzed for passwords and other information.

ARP Spoofing and Poisoning Countermeasures

To prevent ARP spoofing, permanently add the MAC address of the gateway to the ARP cache on a system. You can do this on a Windows system by using the ARP -scommand at the command line and appending the gateway's IP and MAC addresses. Doing so prevents a hacker from overwriting the ARP cache to perform ARP spoofing on the system but can be difficult to manage in a large environment because of the number of systems. In an enterprise environment, port-based security can be enabled on a switch to allow only one MAC address per switch port.
In Exercise 1 you will use Wireshark to sniff traffic.
Exercise 1: Use Wireshark to Sniff Traffic

  1. Download and install the latest stable version of Wireshark from www.wireshark.org.
  2. Click on the Capture menu and then select interfaces.

  3. Click the Start button next to the interface that shows packets being sent and received. If you have multiple interfaces with packet activity, choose one of them—preferably the interface with the most activity.
  4. Click on a packet to analyze that single packet. The detailed headers will be displayed beneath the packet capture screen.
  5. Expand each header (IP, TCP) of a packet and identify the address information.
This exercise will provide much more network traffic if performed on a hub rather than a switch. A wireless network can be used, as a wireless LAN is a shared network segment similar to how a hub operates.

How a Sniffer Works

Sniffer software works by capturing packets not destined for the sniffer system's MAC address but rather for a target's destination MAC address. This is known as promiscuous mode. Normally, a system on the network reads and responds only to traffic sent directly to its MAC address. However, many hacking tools change the system's NIC to promiscuous mode. In promiscuous mode, a NIC reads all traffic and sends it to the sniffer for processing. Promiscuous mode is enabled on a network card with the installation of special driver software. Many of the hacking tools for sniffing include a promiscuous-mode driver to facilitate this process. Not all Windows drivers support promiscuous mode, so when using hacking tools ensure that the driver will support the necessary mode.
Any protocols that don't encrypt data are susceptible to sniffing. Protocols such as HTTP, POP3, Simple Network Management Protocol (SNMP), and FTP are most commonly captured using a sniffer and viewed by a hacker to gather valuable information such as usernames and passwords.
There are two different types of sniffing: passive and active. Passive sniffing involves listening and capturing traffic, and is useful in a network connected by hubs; active sniffinginvolves launching an Address Resolution Protocol (ARP) spoofing or traffic-flooding attack against a switch in order to capture traffic. As the names indicate, active sniffing is detectable but passive sniffing is not detectable.
In networks that use hubs or wireless media to connect systems, all hosts on the network can see all traffic; therefore, a passive packet sniffer can capture traffic going to and from all hosts connected via the hub. A switched network operates differently. The switch looks at the data sent to it and tries to forward packets to their intended recipients based on MAC address. The switch maintains a MAC table of all the systems and the port numbers to which they're connected. This enables the switch to segment the network traffic and send traffic only to the correct destination MAC addresses. A switch network has greatly improved throughput and is more secure than a shared network connected via hubs.
Another way to sniff data through a switch is to use a span port or port mirroring to enable all data sent to a physical switch port to be duplicated to another port. In many cases, span ports are used by network administrators to monitor traffic for legitimate purposes.

Understanding Host-to-Host Communication

All Host-to-Host network communications is based upon the TCP/IP Data Communications Model. The TCP/IP Model is a 4 layer model. The TCP/IP Model maps to the older OSI model with 7 layers of data communication. Most applications use the TCP/IP suite for host-to-host data communications. See Figure 1.

Figure 1: TCP/IP Model
In normal network operations, the application layer data is encapsulated and a header containing address information is added to the beginning of the data. An IP header containing source and destination IP address are added to the data as well as a MAC header containing source and destination MAC addresses. IP addresses are used to route traffic to the appropriate IP network, and the MAC addresses ensure the data is sent to the correct host on the destination IP network. In this manner, traffic is sent from source host to destination host across the Internet and delivery to the correct host is ensured. The postal system works much the same way. Mail is routed to the appropriate area using the zip code, and then the mail is delivered within the zip code to the street and house number. The IP address is similar to the zip code to deliver mail to the regional area, and the street and house numbers are like the MAC address of that exact station on the network.
The address system ensures accurate delivery to the receiver. In normal network operations, a host should not receive data intended for another host as the data packet should only be received by the intended receiver. Simply said, the data should only be received by the station with the correct IP and MAC address. However, we know that sniffers do receive data not intended for them.
In addition to understanding network addresses, it is also important to understand the format of the TCP Header. Figure 2 shows the TCP Header format.

Figure 2: TCP Header Format
The TCP Header is comprised of the following fields:
  • Source Port: 16 bits The source port number.
  • Destination Port: 16 bits The destination port number.
  • Sequence Number: 32 bits The sequence number of the first data octet in this segment (except when SYN is present). If SYN is present the sequence number is the initial sequence number (ISN) and the first data octet is ISN+1.
  • Acknowledgment Number: 32 bits If the ACK control bit is set this field contains the value of the next sequence number the sender of the segment is expecting to receive.
  • Data Offset: 4 bits The number of 32 bit words in the TCP Header. This indicates where the data begins.
  • Reserved: 6 bits Reserved for future use. Must be zero.
  • Control Bits: 6 bits
    • URG: Urgent Pointer field significant
    • ACK: Acknowledgment field significant
    • PSH: Push Function
    • RST: Reset the connection
    • SYN: Synchronize sequence numbers
    • FIN: No more data from sender
  • Window: 16 bits The number of data octets beginning with the one indicated in the acknowledgment field which the sender of this segment is willing to accept.
  • Checksum: 16 bits The checksum field is a computation of all fields to ensure all data was received and the data was not modified in transit.
  • Urgent Pointer: 16 bits This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only be interpreted in segments with the URG control bit set.
  • Options: variable Options may occupy space at the end of the TCP header and are a multiple of 8 bits in length.
When referring to the length of the fields in the TCP Header, 8 bits comprises a single byte. A Nibble is less than a byte and a Word is more than a byte.
In the next section we will explore how a hacking tool manipulates normal network operations in order to capture traffic on a host that is not the intended receiver.

Virus Detection Methods

The following techniques are used to detect viruses:
  • Scanning
  • Integrity checking with checksums
  • Interception based on a virus signature
The process of virus detection and removal is as follows:
  1. Detect the attack as a virus. Not all anomalous behavior can be attributed to a virus.
  2. Trace processes using utilities such as handle.exelistdlls.exefport.exenetstat.exe, and pslist.exe, and map commonalities between affected systems.
  3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or shared library files should be checked.
  4. Acquire the infection vector and isolate it. Then, update your antivirus definitions and rescan all systems.
In Exercise 1, we will create a test virus.
Exercise 1: Creating a Test Virus

A test virus can be created by typing the following code in Notepad and saving the file as EICAR.COM. Your antivirus program should respond when you attempt to open, run, or copy it.

Worms can be prevented from infecting systems in much the same way as viruses. Worms can be more difficult to stop because they spread on their own, meaning they do not need user intervention to install and continue to propagate the malware. Worms can be detected with the use of antimalware software that contains definitions for worms. Worms, most importantly, need to be stopped from spreading. In order to do this, an administrator may need to take systems off line. The best practice for cleaning worms off networked systems is to first remove the computer from the network and then run the security software to clean the worm.

Types of Viruses

Viruses are classified according to two factors: what they infect and how they infect. A virus can infect the following components of a system:
  • System sectors
  • Files
  • Macros (such as Microsoft Word macros)
  • Companion files (supporting system files like DLL and INI files)
  • Disk clusters
  • Batch files (BAT files)
  • Source code
A virus infects through interaction with an outside system. Viruses need to be carried by another executable program. By attaching itself to the benign executable a virus can spread fairly quickly as users or the system runs the executable. Viruses are categorized according to their infection technique, as follows:
  • Polymorphic Viruses These viruses encrypt the code in a different way with each infection and can change to different forms to try to evade detection.
  • Stealth Viruses These viruses hide the normal virus characteristics, such as modifying the original time and date stamp of the file so as to prevent the virus from being noticed as a new file on the system.
  • Fast and Slow Infectors These viruses can evade detection by infecting very quickly or very slowly. This can sometimes allow the program to infect a system without detection by an antivirus program.
  • Sparse Infectors These viruses infect only a few systems or applications.
  • Armored Viruses These viruses are encrypted to prevent detection.
  • Multipartite Viruses These advanced viruses create multiple infections.
  • Cavity (Space-Filler) Viruses These viruses attach to empty areas of files.
  • Tunneling Viruses These viruses are sent via a different protocol or encrypted to prevent detection or allow it to pass through a firewall.
  • Camouflage Viruses These viruses appear to be another program.
  • NTFS and Active Directory Viruses These viruses specifically attack the NT file system or Active Directory on Windows systems.
An attacker can write a custom script or virus that won't be detected by antivirus programs. Because virus detection and removal is based on a signature of the program, a hacker just needs to change the signature or look of the virus to prevent detection. The virus signature or definition is the way an antivirus program is able to determine if a system is infected by a virus. Until the virus is detected and antivirus companies have a chance to update virus definitions, the virus goes undetected. Additional time may elapse before a user updates the antivirus program, allowing the system to be vulnerable to an infection. This allows an attacker to evade antivirus detection and removal for a period of time. A critical countermeasure to virus infection is to maintain up-to-date virus definitions in an antivirus program.
One of the most longstanding viruses was the Melissa virus, which spread through Microsoft Word Macros. Melissa infected many users by attaching to the Word doc and then when the file was copied or emailed, the virus spread along with the file.
Virus Hoaxes are emails sent to users usually with a warning about a virus attack. The Virus Hoax emails usually make outlandish claims about the damage that will be caused by a virus and then offer to download a remediation patch from well-known companies such as Microsoft or Norton. Other Hoaxes recommend users delete certain critical systems files in order to remove the virus. Of course, should a user follow these recommendations they will most certainly have negative consequences. Some of the most common virus hoaxes are shown in Table 5.1:
Table 5.1: Common Virus Hoaxes
 Open table as spreadsheet
This is a hoax that warned about a supposed virus discovered by Microsoft and McAfee named "Antichrist", telling the user that it is installed via an email with the subject line: "SURPRISE?!!!!!!!!!!" after which it destroys the zeroth sector of the hard disk, rendering it unusable.
Budweiser Frogs
Supposedly would erase the user's hard drive and steal the user's screen name and password.
Goodtimes virus
Warnings about a computer virus named "Good Times" began being passed around among Internet users in 1994. The Goodtimes virus was supposedly transmitted via an email bearing the subject header "Good Times" or "Goodtimes," hence the virus's name, and the warning recommended deleting any such email unread. The virus described in the warnings did not exist, but the warnings themselves, were, in effect, virus-like.
Invitation attachment (computer virus hoax)
Allright now/I'm just sayin
The invitation virus hoax involved an email spam in 2006 that advised computer users to delete an email, with any type of attachment that stated "invitation" because it was a computer virus.
The jdbgmgr.exe virus hoax involved an email spam in 2002 that advised computer users to delete a file named jdbgmgr.exe because it was a computer virus. jdbgmgr.exe, which had a little teddy bear-like icon (The Microsoft Bear), was actually a valid Microsoft Windows file, the Debugger Registrar for Java (also known as Java Debug Manager, hence jdbgmgr).
Life is beautiful
Life is wonderful
The hoax was spread through the Internet around January 2001 in Brazil. It told of a virus attached to an email, which was spread around the Internet. The attached file was supposedly called "Life is beautiful.pps" or "La vita è bella.pps".
Olympic Torch
Postcard or Postcard from Hallmark
Olympic Torch is a computer virus hoax sent out by email. The hoax emails first appeared in February 2006. The "virus" referred to by the email does not actually exist. The hoax email warns recipients of a recent outbreak of "Olympic Torch" viruses, contained in emails titled "Invitation," which erase the hard disk of the user's computer when opened.
SULFNBK.EXE (short for Setup Utility for Long File Name Backup) is an internal component of the Microsoft Windows operating system (in Windows 98 and Windows Me) for restoring long file names. The component became famous in the early 2000s as the subject of an email hoax. The hoax claimed that SULFNBK.EXE was a virus, and contained instructions to locate and delete the file. While the instructions worked, they were needless and (in some rare cases, for example, when the long file names are damaged and need to be restored) can cause disruptions, as SULFNBK.EXE is not a virus, but instead an operating system component.
To find out whether an email regarding a virus is legitimate, review the list of virus hoaxes on the website home.mcafee.com/virusinfo.

Checking a System with System File Verification

Windows 2003 includes a feature called Windows File Protection (WFP) that prevents the replacement of protected files. WFP checks the file integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file. This ensures that only Microsoft-verified files are used to replace system files.
Another tool, sigverif, checks to see what files Microsoft has digitally signed on a system. In Exercise 1, we will use this tool.
Exercise 1: Signature Verification

We will run sigverif, a signature verification checker, and compare the results to the currently running processes in Task Manager:
  1. Press Ctrl+Alt+Del and select Start Task Manager.
  2. Click the Processes tab. Note any unusual processes and the amount of CPU time they are using. Any processes using a consistently high percentage of CPU time may indicate a virus or Trojan infection.

  3. Click the Performance tab in Task Manager to view the current CPU usage.

  4. Click Start ð Run.
  5. Type sigverif, and click Start.

  6. In the sigverif program, choose Advanced to see the signature verification report.

  7. Click the View Log button to see the report.

System File Checker is another command line–based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker issfc/scannow.

Trojan Countermeasures

Most commercial antivirus program have anti-Trojan capabilities as well as spyware detection and removal functionality. These tools can automatically scan hard drives on startup to detect backdoor and Trojan programs before they can cause damage. Once a system is infected, it's more difficult to clean, but you can do so with commercially available tools.
Although several commercially antivirus or Trojan removal tools are available, my personal recommendation is Norton Internet Security (Figure 1). Norton Internet Security includes a personal firewall, intrusion detection system, antivirus, antispyware, antiphishing, and email scanning. Norton Internet Security will clean most Trojans from a system as well.

Figure 1: Norton Internet Security
The security software works by having known signatures of malware, such as Trojans and viruses. The repair for the malware is made through the use of definitions of the malware. When installing and using any personal security software or antivirus and anti-Trojan software, you must make sure that the software has all the current definitions. To ensure the latest patches and fixes are available, you should connect the system to the Internet so the software can continually update the malware definitions and fixes.
It's important to use commercial applications to clean a system instead of freeware tools, because many freeware removal tools can further infect the system. In addition, a lot of commercial security software includes an intrusion detection component that will perform port monitoring and can identify ports that have been opened or files that have changed.
The key to preventing Trojans and backdoors from being installed on a system is to educate users not to install applications downloaded from the Internet or open email attachments from parties they don't know. Many system administrators don't give users the system permissions necessary to install programs on their system for that very reason. Proper use of Internet technologies should be included in regular employee security awareness training.

How the Netcat Trojan Works

Netcat is a Trojan that uses a command-line interface to open TCP or UDP ports on a target system. A hacker can then telnet to those open ports and gain shell access to the target system. Exercise 1 shows you how to use Netcat.
For the CEH exam, it's important to know how to use Netcat. Make sure you download the Netcat tool and practice the commands before attempting the exam.
Exercise 1: Using Netcat

Download a version of Netcat for your system. There are many versions of Netcat for all Windows OSs. Also, Netcat was originally developed for the Unix system and is available in many Linux distributions, including BackTrack.

Netcat needs to run on both a client and the server. The server side of the connection in enabled by the -l attribute and is used to create a listener port. For example, use the following command to enable the Netcat listener on the server:
      nc -L -p 123 -t -e cmd.exe
On the Netcat client, run the following command to connect to the Netcat listener on the server:
     nc <ip address of the server> <listening port on the server>
The client should then have a command prompt shell open from the server.

Unusual system behavior is usually an indication of a Trojan attack. Actions such as programs starting and running without the user's initiation; CD-ROM drawers opening or closing; wallpaper, background, or screen saver settings changing by themselves; the screen display flipping upside down; and a browser program opening strange or unexpected websites are all indications of a Trojan attack. Any action that is suspicious or not initiated by the user can be an indication of a Trojan attack.
Wrappers are software packages that can be used to deliver a Trojan. The wrapper binds a legitimate file to the Trojan file. Both the legitimate software and the Trojan are combined into a single executable file and installed when the program is run.
Generally, games or other animated installations are used as wrappers because they entertain the user while the Trojan in being installed. This way, the user doesn't notice the slower processing that occurs while the Trojan is being installed on the system—the user only sees the legitimate application being installed.

Popular Posts