Hands On Troubleshooting and Security at the Packet Level (Laura Chappell)
- Wireshark University has lots of training videos and documentation.
- Pilot is an awesome looking new graphing front end for Wireshark (looks like it's Windows only, pah.)
- IronKey - USB thumb drive with built in encryption. After 10th password attempt it shreds the key. Recommended for carrying around unsanitised network traces.
- Lots of sample traces on the Laura's Lab Kit DVD; they show a wide range of interesting and broken behaviour. In the "LLK9 trace files" directory look for the "tracefilelibrary2008.pdf" file, which describes the traces and offers suggestions for learning from them.
- Apparently the latest Wireshark doesn't support plugins any more, additional functionality has to be compiled into the core (WTF?)
- CDP (Cisco Discovery Protocol) packets are multicast traffic; makes sense, but I didn't realise that
- Multicast traffic always starts with 224-239.x.x.x
- IGMP is how hosts subscribe to multicast channels, allows switches to only forward traffic to ports which are interested
- Switched networks only show four types of traffic:
- Broadcast
- Multicast (if forwarded)
- Traffic to/from your MAC address
- Traffic to an unknown MAC address (hosts should always announce themselves when they boot up, so they are typically in the switch's ARP table; this is a sign of weirdness)
- Switches forward packets to unknown MAC addresses to all ports in an attempt to find the unknown device. Switches won't quench packets to unknown MACs (really?)
- Macof is a network flooding tool (sends a flood of frames with spoofed MAC addresses to an unknown MAC destination, eg. 88:88:88:88:88)
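As an added example (not from the talk or the notes above), here is a small frame classifier that sorts raw Ethernet frames into the four classes a host on a switched network should see, plus a counter for the macof-style symptom of many never-seen source MACs aimed at an unknown destination. The MAC addresses, IP addresses, 6-octet flood destination and the threshold of 50 sources are constructed values for the demo; it parses the headers itself with `struct`, so no capture library is needed.

```python
import struct
from collections import Counter

# Constructed values for the example (not from the notes): this host's MAC and
# the MACs the switch is assumed to have already learned on other ports.
MY_MAC = "00:11:22:33:44:55"
KNOWN_MACS = {MY_MAC, "00:11:22:33:44:66", "00:11:22:33:44:77"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_multicast_mac(mac: str) -> bool:
    # The group bit (lowest bit of the first octet) marks a multicast frame;
    # IPv4 multicast is mapped onto 01:00:5e:xx:xx:xx.
    return int(mac.split(":")[0], 16) & 1 == 1


def is_multicast_ipv4(ip: str) -> bool:
    # 224.0.0.0 - 239.255.255.255 is the IPv4 multicast range.
    return 224 <= int(ip.split(".")[0]) <= 239


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for IPv4, the source/destination IPs."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ip = frame[14:34]                      # 20-byte IPv4 header, no options
        info["ip_src"] = ".".join(str(b) for b in ip[12:16])
        info["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    return info


def classify(frame: bytes, my_mac: str = MY_MAC, known=KNOWN_MACS) -> str:
    """Which of the switched-network traffic classes a frame falls into."""
    f = parse_frame(frame)
    if f["dst"] == BROADCAST_MAC:
        return "broadcast"
    if is_multicast_mac(f["dst"]) or is_multicast_ipv4(f.get("ip_dst", "0.0.0.0")):
        return "multicast"
    if my_mac in (f["dst"], f["src"]):
        return "mine"
    if f["dst"] not in known:
        return "unknown-destination"       # the switch floods these to every port
    # Unicast between two other known hosts should never reach our port on a
    # switch; seeing it means a hub, a SPAN port, or a misbehaving switch.
    return "unexpected-unicast"


def flood_suspect(frames, max_sources: int = 50):
    """Count distinct source MACs behind frames to unknown destinations.
    A burst of never-seen sources all aimed at an unknown MAC is the shape of
    a macof-style CAM-table flood; the threshold is a constructed value."""
    sources = Counter(parse_frame(fr)["src"] for fr in frames
                      if classify(fr) == "unknown-destination")
    return len(sources), len(sources) >= max_sources


def build_frame(dst: str, src: str, ip_dst="10.0.0.1", ip_src="10.0.0.2") -> bytes:
    """Constructed minimal Ethernet + IPv4 frame for the demo (no payload)."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    ipb = lambda a: bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipb(ip_src), ipb(ip_dst))
    return struct.pack("!6s6sH", mac(dst), mac(src), ETHERTYPE_IPV4) + ip_hdr


if __name__ == "__main__":
    samples = {
        "broadcast": build_frame(BROADCAST_MAC, "00:11:22:33:44:66"),
        "multicast": build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:66", ip_dst="224.0.0.251"),
        "mine":      build_frame(MY_MAC, "00:11:22:33:44:66"),
        "unknown":   build_frame("88:88:88:88:88:88", "00:11:22:33:44:66"),
    }
    for name, fr in samples.items():
        print(f"{name:10} -> {classify(fr)}")
    # 60 frames from 60 different (constructed) source MACs to an unknown destination
    flood = [build_frame("88:88:88:88:88:88", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
             for i in range(60)]
    print("flood suspect:", flood_suspect(flood))
```

The "unexpected-unicast" class is the one worth alerting on in a capture taken from a normal switch port: it should be empty unless you are on a hub or a SPAN port.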
- Recommended debugging technique is plugging the user's computer into a hub which you can share. Hubs are getting hard to find; most are switches these days.
- CACE is about to release a cheap gigabit network tap for capturing traffic from remote locations
- Turbocap - is a gig capable tap for a host (can forward packets to Pilot or Wireshark)
- Keep trace files under 20MB or Wireshark gets grumpy
- Most cards these days are in promiscuous mode by default (WTF?)
- Apparently Microsoft is internally getting rid of all network firewalls and third party firewall / anti-virus products because they are built into Vista's kernel. (WTF happened to defence in depth?)
- Wireshark colours things red as a warning that something is wrong. You can see what it is warning you about in the middle window underneath "Frame 1" in the "Colouring rules" tags.
- New tool called Wirebrush, makes it easy to sanitise traces (changes IPs to 10.x and changes passwords etc).
- Going to "View - Time Display Format - Seconds Since Previous Displayed Packet" ... really nice way of tracking latency in packets.
- Refusals which are normal (eg. trying to connect to a host/port on which there is nothing listening):
- TCP port 80 - should get single RST packet
- UDP port 53 - should get an ICMP destination/port unreachable
- Good list of protocol stuff at IANA: http://www.iana.org/protocols/
- A looped packet will have the same IP "Identification" header, a host which is spewing traffic will generate different "Identification" headers for each packet.
- Information in []'s is information from Wireshark, not from the actual trace.
- TCP Dup ACK is what you see when a packet is lost, it's the request for a retransmission. On high latency links it is normal to see many Dup ACKs before the server has a chance to reply.
- [Fast retransmission] is a misnomer, all it really means is that the retransmission happened within 20ms of the server response. It's going away because it implies a server centric POV and basically isn't useful.
- "Analyse - Expert Info Composite" has lots of cool summary information. Some of the decisions about what's an error/warning/note are a little wacky. They are trying to fix this now.
- By default in XP TCP window scaling is turned off. Turn it on for much improved download speeds (automatically resizes the window).
- TCP sequence numbers only increment when data is transmitted (eg. LEN>0), except for the first two and last two packets where there is a phantom byte and the sequence number increases even though no data was exchanged.
- There is a race condition in TCP, the final ACK packet doesn't have a phantom byte so the seq number doesn't get incremented. This means that if that final ACK gets lost on the way to the server, when the server sends a Dup ACK the client thinks it wants the first data packet (which has the same seq #) rather than the ACK. But the server won't accept data until it receives the ACK and the three way handshake is complete. SEE tcp-handshake-problem.pcap on the CD.
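An added example (my code, not from the talk or the lab kit) that replays a capture and does the sequence-number bookkeeping the two notes above describe: SYN and FIN each consume one phantom byte, a pure ACK consumes nothing (so the handshake's final ACK and the first data segment carry the same seq), and a repeated pure ACK is what Wireshark labels a Dup ACK. The segments, the relative sequence numbers 1000/5000 and the "client"/"server" labels are constructed; the second scenario omits one client segment to stand in for a loss before the capture point.

```python
from dataclasses import dataclass

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


@dataclass
class Segment:
    side: str     # "client" or "server" (constructed labels)
    flags: int
    seq: int      # relative sequence number, as Wireshark displays them
    ack: int
    length: int   # payload bytes, Wireshark's LEN


def seq_consumed(flags: int, length: int) -> int:
    """Sequence space a segment uses: its payload plus one phantom byte for
    SYN and one for FIN. A pure ACK (LEN=0, no SYN/FIN) uses none."""
    return length + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)


def walk(segments):
    """Replay a capture, returning the next expected seq per side and a list of
    (index, event) anomalies: a data segment below the expected seq is a
    'retransmission', above it means bytes were lost before the capture point
    ('gap-before'), and a repeated pure ACK is a 'dup-ack'."""
    next_seq, last_ack, events = {}, {}, []
    for i, s in enumerate(segments):
        expected = next_seq.get(s.side)
        if expected is not None and s.length > 0:
            if s.seq < expected:
                events.append((i, "retransmission"))
            elif s.seq > expected:
                events.append((i, "gap-before"))
        if s.flags & ACK:
            pure_ack = s.length == 0 and not s.flags & (SYN | FIN)
            if pure_ack and last_ack.get(s.side) == s.ack:
                events.append((i, "dup-ack"))
            last_ack[s.side] = s.ack
        next_seq[s.side] = max(expected or 0, s.seq + seq_consumed(s.flags, s.length))
    return next_seq, events


# Constructed handshake + one data segment + close (relative seq numbers).
HANDSHAKE = [
    Segment("client", SYN,       1000, 0,    0),   # consumes 1 (phantom byte) -> next 1001
    Segment("server", SYN | ACK, 5000, 1001, 0),   # acks 1001, consumes 1 -> next 5001
    Segment("client", ACK,       1001, 5001, 0),   # pure ACK: seq stays 1001
    Segment("client", PSH | ACK, 1001, 5001, 10),  # first data: same seq as the ACK above
    Segment("server", ACK,       5001, 1011, 0),
    Segment("client", FIN | ACK, 1011, 5001, 0),   # FIN consumes a phantom byte -> 1012
    Segment("server", ACK,       5001, 1012, 0),
]

# Constructed loss scenario: the client's second data segment (seq 1011-1020)
# never reached the capture point, so the server repeats ACK 1011 until the
# client retransmits those bytes.
LOSS = HANDSHAKE[:3] + [
    Segment("client", PSH | ACK, 1001, 5001, 10),
    Segment("server", ACK,       5001, 1011, 0),
    Segment("client", PSH | ACK, 1021, 5001, 10),  # arrives with a hole before it
    Segment("server", ACK,       5001, 1011, 0),   # Dup ACK #1
    Segment("server", ACK,       5001, 1011, 0),   # Dup ACK #2
    Segment("client", PSH | ACK, 1011, 5001, 10),  # retransmission of the lost bytes
]

if __name__ == "__main__":
    print(walk(HANDSHAKE))   # ({'client': 1012, 'server': 5001}, [])
    print(walk(LOSS))
```

Note that the tracker deliberately treats a segment whose seq is above the expected value as a gap rather than an error: on a high-latency link that is the normal precursor of the Dup ACKs mentioned above, and only the retransmission that follows tells you the hole was real.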
- ICMP type 13, 15 & 17 are very rarely used and are used for OS fingerprinting. Configure hosts to disable those types of ICMP to hinder fingerprinting.
- If you block all ICMP do not block ICMP type 3/code 4 (datagram too big) ... you'll end up with MTU issues.
- Hijack-this (www.spywarewarrior.com) is a good anti-spyware suite.
- ICMP redirects are unauthenticated and unpaired. Anybody can send an ICMP redirect to any other host and it will be honoured. Ettercap and Cain & Abel are tools for doing this.
- Fragmentation happens at the IP level from MTU size mismatches. However the application can also segment the TCP traffic up into small pieces (eg. one byte per packet) in order to bypass firewall/IDS filters.
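The one-byte-per-segment trick above is the reason a firewall or IDS has to reassemble TCP streams before matching rather than inspect each packet on its own. As an added example (not from the talk), here is a minimal reassembler alongside the naive per-segment check it replaces, run over a constructed capture of a request split into single-byte segments, delivered out of order, with one byte sent twice. The signature, the request text and the starting sequence number 1001 are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed signature and request for the demo; not from the notes.
SIGNATURE = b"GET /etc/passwd"
REQUEST = b"GET /etc/passwd HTTP/1.0\r\n\r\n"


@dataclass
class Seg:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_segment_match(segments, pattern: bytes) -> bool:
    """What a naive per-packet filter does: look inside each segment alone."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments, first_seq: int) -> bytes:
    """Rebuild the byte stream the receiving host will deliver to its
    application. Bytes are placed by offset from first_seq; on overlap the
    first arrival wins, which is one of several policies real stacks use (an
    IDS must mirror the target's policy or it can be desynchronised). Stops at
    the first hole, since the receiver cannot deliver past it either."""
    buf = {}
    for s in segments:
        for i, b in enumerate(s.payload):
            buf.setdefault(s.seq - first_seq + i, b)
    out = bytearray()
    off = 0
    while off in buf:
        out.append(buf[off])
        off += 1
    return bytes(out)


def evasion_capture(data: bytes, first_seq: int):
    """Constructed capture of `data` sent one byte per segment, delivered in
    reverse order, with the fifth byte sent twice (a retransmission)."""
    segs = [Seg(first_seq + i, bytes([c])) for i, c in enumerate(data)]
    return segs[::-1] + [segs[4]]


if __name__ == "__main__":
    capture = evasion_capture(REQUEST, 1001)
    print("per-segment match:", per_segment_match(capture, SIGNATURE))   # False
    stream = reassemble(capture, 1001)
    print("reassembled match:", SIGNATURE in stream)                      # True
    # Drop one segment: reassembly stops at the hole and the match is lost again,
    # which is why a sensor that misses packets also misses signatures.
    holed = [s for s in capture if s.seq != 1001 + 4]
    print("with a hole:", reassemble(holed, 1001))                        # b'GET '
```

The same offset-and-hole logic applies one layer down to IP fragments (offset in 8-byte units rather than sequence numbers); the overlap-policy caveat is the important part in both cases.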
Good sites: