Week 12 Networking Cont.

The document provides an overview of network security, focusing on TCP/IP protocol architecture, sniffing, and traffic analysis. It explains how network conversations occur through protocols, the role of packet sniffers, and various methods of data interception. Additionally, it discusses tools like Wireshark and Tcpdump for analyzing network traffic and the importance of protocol and packet analysis in understanding network communications.


Network security

Content

TCP/IP Protocol Architecture
Sniffing
Traffic Analysis
Wireshark
TCP/IP Protocol Architecture
Sniffing

 Listening to network conversations that are not intended for you
 A network interface card (NIC) can be set to promiscuous mode to get all packets from the network
 Packet sniffers intercept and log the network traffic that they can see via the NIC
How is a Network Conversation Carried out?
• A network conversation is carried out by nodes exchanging messages according to network protocols.
• A protocol is a set of rules or conventions that allow peer layers to communicate.
• The key features of a protocol are:
• Syntax: format of the data block
• Semantics: control information for coordination and error handling
• Timing: speed matching and sequencing
TCP/IP Protocol Architecture
(Table: layer, function, example protocols, example devices)
 Application: Provides access to the TCP/IP environment for users and distributed information services. Protocols: SMTP (email), FTP (file transfer), SSH (remote access), HTTP (web), SIP (VoIP), DNS (name service), etc. Devices: PCs, tablets, smart phones.
 Transport: Transfer of data between end points. May provide error control, flow control, congestion control. Protocols: TCP (connection-oriented), UDP (connectionless).
 Internet: Shields higher layers from the details of the physical network configuration. Provides routing and forwarding. Protocols: IPv4, IPv6, Mobile IP, OSPF, BGP, RIP, ARP, ICMP. Devices: router.
 Network access: Logical interface to the network hardware. Medium access control. Protocols: CSMA/CD (Ethernet), MACAW (WiFi), PCF, DCF, 802.15.4 (IoT). Devices: switch.
 Physical: Transmission of the bit stream. Media: twisted pair, optical fiber, satellite, radio. Modulation.
Peer Layers in TCP/IP Protocol Architecture
(Figure: Bob's and Alice's protocol stacks side by side, each layer with the function listed on the previous slide. The unit exchanged between peer layers is:)
 Application: byte stream
 Transport: TCP/UDP segment
 Internet: IP packet
 Network access: MAC frame
 Physical: bit stream
Networking Example
 Browsing to [Link]
 Browser established a TCP connection with the [Link] server
 Browser asked for the index webpage using the HTTP command GET
 Browser displayed the page on the screen

Sending to Network - Encapsulation
(Figure: Bob's stack, top to bottom; each layer prepends its own header to what it receives from the layer above.)
 Application: HTTP -> HTTP user data
 Transport: TCP, Src port = 2500, Dest port = 80 -> TCP header | HTTP user data
 Internet: IPv4, Src addr = Bob, Dest addr = Web server -> IP header | TCP header | HTTP user data
 Network access: CSMA/CD, Src MAC addr = Bob, Dest MAC addr = gateway face 0 -> MAC header | IP header | TCP header | HTTP user data
 Physical: twisted pair
Receiving from Network - Decapsulation
(Figure: the frame from Bob arrives at the default gateway. Bob's side is labelled "send to network - encapsulation", the gateway's side "receive from network - decapsulation". The gateway's Physical (twisted pair) and Network access layers (CSMA/CD, Src MAC addr = Bob, Dest MAC addr = gateway face 0) strip the MAC header and hand the IP packet (IPv4, Src addr = Bob, Dest addr = Web server) up to the gateway's Internet layer. The Transport (TCP, Src port = 2500, Dest port = 80) and Application (HTTP) layers appear only on Bob's side: the gateway does not look above the Internet layer.)
Routing and Sending to Network again
(Figure: the default gateway and Router 1 each receive a frame, decapsulate up to the Internet layer, consult their routing table, and encapsulate again for the next link. The IP packet keeps Src addr = Bob, Dest addr = Web server at every hop; only the Network access header changes:)
 Bob -> default gateway: CSMA/CD, Src MAC addr = Bob, Dest MAC addr = gateway face 0
 Default gateway -> Router 1: 802.11, Src MAC addr = gateway face 1, Dest MAC addr = router 1 face 0
 Router 1 -> Router 2: 802.11, Src MAC addr = router 1 face 1, Dest MAC addr = router 2 face 0
Receiving at the Destination – Decapsulation
(Figure: Router N, after routing, sends the frame on its last link (802.11, Src MAC addr = Router N face 1, Dest MAC addr = Web server). The web server decapsulates all the way up:)
 Physical: twisted pair
 Network access: MAC header | IP header | TCP header | HTTP user data -> strip MAC header
 Internet: IPv4, Src addr = Bob, Dest addr = Web server -> strip IP header
 Transport: TCP, Src port = 2500, Dest port = 80 -> strip TCP header
 Application: HTTP user data delivered to the web server
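The encapsulation at Bob, the per-hop re-framing at the gateway and routers, and the decapsulation at the receiver, worked through in code. This is an added example, not code from the slides: the MAC addresses, IP addresses, hostname and request text are constructed placeholders for Bob, the gateway, router 1 and the web server, and the IP and TCP checksum fields are left at zero. It goes one step beyond the figures in that the forwarding step also decrements the IP TTL, as a real router does, so the reader can see exactly which bytes change per hop and which do not.

```python
import struct

# Constructed sample values (assumptions, not from the slides). The slides name the
# parties "Bob", "gateway face 0/1", "router 1 face 0" and "Web server".
BOB_MAC      = bytes.fromhex("020000000001")
GW_FACE0_MAC = bytes.fromhex("020000000002")   # gateway interface on Bob's LAN
GW_FACE1_MAC = bytes.fromhex("020000000003")   # gateway interface towards router 1
R1_FACE0_MAC = bytes.fromhex("020000000004")
BOB_IP, WEB_IP = "192.0.2.10", "203.0.113.5"
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_tcp(src_port, dst_port, payload, seq=1, ack=1):
    """Transport layer: prepend a 20-byte TCP header (PSH|ACK; checksum left at 0)."""
    data_offset, flags = 5 << 4, 0x18
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset, flags, 65535, 0, 0)
    return header + payload


def build_ipv4(src_ip, dst_ip, segment, ttl=64):
    """Internet layer: prepend a 20-byte IPv4 header (no options; checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         ttl, IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return header + segment


def build_frame(src_mac, dst_mac, packet):
    """Network access layer: prepend the 14-byte Ethernet MAC header."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame):
    """Peel the MAC, IP and TCP headers off in turn, as a receiver (or a sniffer) does."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4                # IP header length in bytes
    segment = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    payload = segment[(segment[12] >> 4) * 4:]  # skip the TCP header (data offset in words)
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype,
            "src_ip": bytes_to_ip(packet[12:16]), "dst_ip": bytes_to_ip(packet[16:20]),
            "ttl": packet[8], "proto": packet[9],
            "src_port": src_port, "dst_port": dst_port, "payload": payload}


def forward(frame, out_src_mac, next_hop_mac):
    """One router hop: drop the received MAC header, decrement TTL, re-frame for the next link.
    The IP addresses and everything above IP are untouched (a real router would also
    recompute the IP header checksum, which this illustration keeps at 0)."""
    packet = bytearray(frame[14:])
    packet[8] -= 1
    return build_frame(out_src_mac, next_hop_mac, bytes(packet))


def bob_sends_get(path="/"):
    """Bob's browser builds an HTTP GET and the stack encapsulates it down to a frame."""
    request = f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode()  # constructed
    segment = build_tcp(2500, 80, request)
    packet = build_ipv4(BOB_IP, WEB_IP, segment)
    return build_frame(BOB_MAC, GW_FACE0_MAC, packet)


if __name__ == "__main__":
    sent = bob_sends_get("/index.html")
    print("at Bob's NIC:  ", decapsulate(sent))
    print("after gateway: ", decapsulate(forward(sent, GW_FACE1_MAC, R1_FACE0_MAC)))
```

Running it prints the same parsed fields twice, differing only in the two MAC addresses and the TTL, which is the point of the routing figures: a sniffer on Bob's LAN and a sniffer between the gateway and router 1 see different frames carrying an identical IP packet.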
Sniffing
 Attacker: listening to network traffic that is not intended for them
 Network and security professional: network debugging and diagnostics
Physical layer
(Figure: transmission media (wire, fiber, air) and the devices (switch, router) where traffic can be intercepted at the physical layer)
Physical interception

 How to get information in transit at the physical layer?
 Different depending on:
 Whether we are in the network or not
 Whether the attack is passive or active
Passive interception – promiscuous mode
 Two working modes for a network interface card (NIC)
 Non-promiscuous mode: drops unintended traffic
 Promiscuous mode: gets all packets from the network
 Works for networks with a broadcasting medium
 Hubs
 WiFi networks
 It does not work for networks using switches
 A switch has separate broadcast domains (one per port)
(Figure: switch)
Active Interception – port mirroring
 Port mirroring is also known as SPAN (Switch Port ANalyser)
 The switch sends a copy of the network packets seen on one port (or an entire VLAN) to the SPAN port
 The switch SPAN port mirrors all traffic through the switch
 Good purpose: network diagnostics, intrusion detection
 Malicious behaviour: if an attacker plugs into the port, they could see all traffic, but it requires physical access to the switch
Active interception: network tapping
 A hardware device inserted at a specific point in a network where data can be accessed for testing or troubleshooting purposes
 TAP = Traffic Access Point or Test Access Point; it is a layer 1 device
(Figure: original connection Router - Switch; connection after the TAP is inserted Router - TAP - Switch, with a sniffing device attached to the TAP. A network TAP: [Link])
Vampire taps
 Pierce the shielding of copper wires in order to provide access to the signal within
 This may bring down the link
Vampire taps under the oceans?
 400 fiber-optic cables stretching across the world's oceans
 620,000 miles of fiber-optic cable running under the sea, enough to loop around the earth nearly 25 times
 These subsea cables carry most of the world's calls, emails and texts
1971: Operation Ivy Bells
 The Secret Mission to Tap Soviet Undersea Cables
 [Link]
2008: Submarine cable disruption
 Search google using the key words: “2008 undersea cable cut”
 [Link]
2018: Dutch foiled Russian 'cyber-attack' on OPCW
WarXing
(Figure: warwalking, wardriving and warflying with a drone; there are several tools that do this)
Rogue Access Point
 A rogue access point is a wireless access point that has been installed on a network without explicit authorisation from a local network administrator
 Types:
 Hardware: a wireless router
 Software: a computer/laptop with a virtual one
Rogue Access Point: example
 They are usually open and try to mimic a known WiFi network ID
 Victims are not aware that they are connecting to a rogue AP
Traffic Analysis
Data Acquisition
 We have chunks of bytes from the physical layer after sniffing
 Data acquisition is the process of understanding the meaning of the captured traffic
 Who is talking to whom about what?
 Network conversations are carried out through network protocols
 That is: we need to understand the messages exchanged by protocols
Data is encapsulated by protocols
(Figure: the received frame is decapsulated layer by layer, each layer removing its own header.)
 Physical: twisted pair
 Network access: 802.11, Src MAC addr = Router N face 1, Dest MAC addr = Web server -> MAC header | IP header | TCP header | HTTP user data
 Internet: IPv4, Src addr = Bob, Dest addr = Web server -> IP header | TCP header | HTTP user data
 Transport: TCP, Src port = 2500, Dest port = 80 -> TCP header | HTTP user data
 Application: HTTP -> HTTP user data
Sniffing tools
(Figure: Tcpdump, Wireshark, Snort and Bro all built on top of PCAP (libpcap))
 Libpcap is an API for capturing live network traffic
 Written in C
 libpcap, developed by the tcpdump team, for Linux and Linux like OS
 Npcap, for windows (Winpcap is unmaintained since 2013)
 Although it is called packet capture, it actually captures frames, which include
all data from data link layer to the application layer, due to the nature of
encapsulation
MAC IP TCP HTTP user data
Header Header Header

 Network sniffers or analysers capture network traffic and save them in .pcap
files
 Network sniffers or analyser are able to open .pcap files created by other
tools
 Network traffic dataset can be pcap files
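As an added example (not from the slides, and not libpcap's own code), a minimal writer and reader for the classic pcap file format that libpcap-based tools exchange. It shows the 24-byte global header (magic number, version, snaplen, link type), the 16-byte record header in front of every captured frame, why each record is a link-layer frame rather than a bare IP packet (the link type says what the first bytes are), and how snaplen truncates what is stored. The two sample frames are constructed bytes; the magic-number and header layouts are the standard pcap ones.

```python
import os
import struct
import tempfile

# pcap constants (from the libpcap file format); link type 1 = Ethernet (DLT_EN10MB)
PCAP_MAGIC_US = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D      # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"          # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)


def write_pcap(path, frames, linktype=LINKTYPE_ETHERNET, snaplen=65535, order="<"):
    """Write (timestamp_seconds, frame_bytes) pairs as a pcap file.
    order is "<" (little-endian, what most tools write) or ">" (big-endian)."""
    with open(path, "wb") as f:
        f.write(struct.pack(order + GLOBAL_HEADER, PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
        for ts, frame in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            captured = frame[:snaplen]       # snaplen: only this much of each frame is stored
            f.write(struct.pack(order + RECORD_HEADER, sec, usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file; the magic number tells us byte order and timestamp resolution."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file (unknown magic)")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + GLOBAL_HEADER, data[:24])
    divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(order + RECORD_HEADER, data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append({"ts": sec + frac / divisor, "frame": data[off:off + incl],
                        "orig_len": orig, "truncated": incl < orig})
        off += incl
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "records": records}


def roundtrip_demo(order="<"):
    """Write two constructed frames with a small snaplen and read them back."""
    frames = [
        (1.5, bytes(14) + b"A" * 28),     # 42-byte frame: fits within snaplen
        (2.25, bytes(14) + b"B" * 100),   # 114-byte frame: will be cut to snaplen
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen=64, order=order)
        return read_pcap(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for rec in roundtrip_demo()["records"]:
        print(rec["ts"], len(rec["frame"]), rec["orig_len"], rec["truncated"])
```

The `truncated` flag (incl_len smaller than orig_len) is what an analyst should check before trusting a reassembled payload: a capture taken with a small snaplen keeps headers but loses application data, which is exactly the trade-off BPF's "buffer only the required parts" is about.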
Libpcap – how does it work
 The core of libpcap is BPF, the Berkeley Packet Filter
 BPF was proposed by Steve McCanne and Van Jacobson in 1992
 To solve the problem of inefficiency in packet capturing at the time
 Problem:
 The packet filter module sits on top of the packet capture module
 Each packet received is always copied to a buffer, which is then sent upstream to the packet filter, which may decide to discard the packet
 Many CPU cycles are wasted copying unwanted packets
 BPF solution:
 Filter the packet before buffering the required parts of it
 The filter is defined by users (which are network sniffers here)
 100 times faster than the existing packet capture tool at the time
Tcpdump
 A powerful packet analyser running in a command line interface, developed by Berkeley with libpcap [Link]
 Use the command tcpdump --list-interfaces (short form: tcpdump -D) to see which interfaces are available for capture
 Capture all packets on any interface: sudo tcpdump --interface any
 Capture only packets of the ICMP protocol: sudo tcpdump -i eth0 icmp
 Save the capture to a pcap file: sudo tcpdump -i any -w [Link] port 80
Wireshark
 A powerful packet analyser with a GUI (graphical user interface)
 [Link]
 Capture only packets of the ICMP protocol
 Open the [Link] file
 How to use Wireshark: https://[Link]/docs/wsug_html_chunked/[Link]
Traffic analysis
 Types of traffic analysis
 Protocol analysis: analyse an individual protocol inside a packet
 Packet analysis: analyse protocols of different layers inside a set of packets
 Flow analysis: analyse a flow composed of multiple packets
Protocol analysis
 Tons of different network protocols
 IP, TCP, UDP, HTTP, HTTPS, SMTP, …
Protocol analysis
 Why do we need protocol analysis?
 To understand the semantics of the information being transmitted
 To interpret the information
 The specification of many protocols is public
 IETF Request for Comments (RFC) documents
 RFC 791 – IP v4
 RFC 793 – TCP v4
 RFC 2613 – HTTP v.1
 List of RFCs [Link]
 Support for public protocols is usually implemented in tools like Wireshark
 Wireshark shows headers, flags and content in a more user-friendly and navigable way
Protocol analysis - Wireshark
Packet analysis
 Why do we need packet analysis?
 To inspect the protocols within a set of transmitted packets
 To identify packets of interest using packet analysis techniques
 What does packet analysis do?
 If you are a network professional
 Monitor the health of a network
 If you are a security professional
 Passive network vulnerability assessment
 If you are an attacker
 Passive attack tool
 Steal information such as passwords
Packet analysis: frames
 The word packet is misleading
 Frames are actually captured and analysed
 Frames are the link-layer PDU (protocol data unit); the Internet-layer packet is the payload of a frame
Packet analysis techniques
 Pattern matching
 Identify packets of interest by matching specific values in the packet capture
 E.g., if source IP address = foo
 Parsing protocol fields
 Extract the contents of particular protocol fields
 E.g., Wireshark shows the contents of each field in an IP packet
 Packet filtering
 Separate packets based on the values of fields in the protocol metadata
 E.g., showing ICMP packets only
Flow analysis
 Flow analysis is the practice of examining related groups of packets.
 Why do we need flow analysis?
 Identify patterns (e.g., repeated communications)
 Isolate suspicious activity and discard irrelevant data
 Analyse higher-layer protocols (e.g., reassembling TCP segments to get the full picture of the protocols encapsulated in them: HTTP, SSL …)
 Extract data (e.g., a binary file to be analysed)
Flow analysis: Wireshark
 Use the Wireshark “Follow TCP Stream” feature
 Select any packet inside a TCP stream
 Choose menu Analyse->Follow->TCP Stream
 Wireshark reconstructs the full-duplex contents of that stream from beginning to end
 Conversations, transactions and file transfers that span multiple packets in a stream can be reconstructed in their entirety
 Includes only information that is contained within the packet capture
 Similarly, use the Wireshark “Follow HTTP Stream” / “Follow UDP Stream” features
Flow analysis: Follow TCP Stream
Flow analysis techniques
 List conversations and flows
 List all conversations and/or flows within a packet capture, or only specific flows based on their characteristics
 Export a flow
 Isolate a flow or multiple flows, and store the flow(s) of interest to disk for further analysis
 File and data carving
 Extract files or other data of interest from the reassembled flow
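The packet analysis techniques (pattern matching, field lookup, filtering) and the flow analysis techniques (listing conversations, following a TCP stream, carving data out of it) applied to a small constructed capture. This is an added example, not code from the slides or from Wireshark: the packet records are already-decoded dictionaries such as a decapsulation step would produce, the addresses and the HTTP exchange are constructed (the ports 2500 -> 80 follow the slides' encapsulation example), and the stream reassembly deliberately handles two things a real capture contains: a segment recorded out of order and a retransmitted duplicate, and it stops at a gap rather than inventing bytes, mirroring the "includes only information contained within the packet capture" caveat.

```python
from collections import defaultdict

# Constructed, already-decoded packet records (what a decapsulation step would give).
# Addresses and the HTTP exchange are assumptions, not from the slides; the ports
# 2500 -> 80 match the slides' encapsulation example.
CLIENT, SERVER = "192.0.2.10", "203.0.113.5"
REQ1 = b"GET /index.html HTTP/1.1\r\n"
REQ2 = b"Host: www.example.com\r\n\r\n"
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\n"
RESP2 = b"hello world"


def _tcp(ts, src, sport, dst, dport, seq, payload):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "seq": seq, "payload": payload}


PACKETS = [
    {"ts": 0.00, "proto": "icmp", "src": CLIENT, "dst": "192.0.2.1", "payload": b"\x08\x00"},
    {"ts": 0.01, "proto": "udp", "src": CLIENT, "sport": 5353, "dst": "192.0.2.1", "dport": 53,
     "payload": b"dns-query"},
    _tcp(0.10, CLIENT, 2500, SERVER, 80, 1 + len(REQ1), REQ2),  # captured out of order
    _tcp(0.11, CLIENT, 2500, SERVER, 80, 1, REQ1),
    _tcp(0.12, CLIENT, 2500, SERVER, 80, 1, REQ1),              # retransmission (duplicate)
    _tcp(0.20, SERVER, 80, CLIENT, 2500, 1000, RESP1),
    _tcp(0.21, SERVER, 80, CLIENT, 2500, 1000 + len(RESP1), RESP2),
]


def match(records, **fields):
    """Pattern matching / packet filtering: keep records whose fields equal the given values."""
    return [r for r in records if all(r.get(k) == v for k, v in fields.items())]


def flow_key(r):
    """Direction-independent conversation key: protocol plus the two endpoints, ordered."""
    ends = sorted([(r["src"], r.get("sport", 0)), (r["dst"], r.get("dport", 0))])
    return (r["proto"], ends[0], ends[1])


def conversations(records):
    """List conversations: packet and payload-byte counts per flow key."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in records:
        stats[flow_key(r)]["packets"] += 1
        stats[flow_key(r)]["bytes"] += len(r["payload"])
    return dict(stats)


def reassemble(segments):
    """Rebuild one direction of a TCP stream from its segments' sequence numbers.
    Out-of-order segments are sorted, retransmitted/overlapping bytes are dropped,
    and reassembly stops at a gap (a segment missing from the capture)."""
    segs = sorted(segments, key=lambda r: r["seq"])
    if not segs:
        return b""
    out, expected = b"", segs[0]["seq"]
    for r in segs:
        if r["seq"] > expected:
            break                                   # hole in the capture
        fresh = r["payload"][expected - r["seq"]:]  # part of this segment not yet seen
        out += fresh
        expected += len(fresh)
    return out


def follow_tcp_stream(records, client, cport, server, sport):
    """Equivalent of Wireshark's Follow TCP Stream: both directions of one connection."""
    fwd = match(records, proto="tcp", src=client, sport=cport, dst=server, dport=sport)
    rev = match(records, proto="tcp", src=server, sport=sport, dst=client, dport=cport)
    return {"client": reassemble(fwd), "server": reassemble(rev)}


def carve_http_body(stream):
    """File/data carving: cut the body out of a reassembled HTTP response using Content-Length."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1].strip())
            return rest[:length] if len(rest) >= length else None
    return None


if __name__ == "__main__":
    for key, s in conversations(PACKETS).items():
        print(key, s)
    stream = follow_tcp_stream(PACKETS, CLIENT, 2500, SERVER, 80)
    print(stream["client"].decode(), carve_http_body(stream["server"]))
```

`carve_http_body` returns `None` when the capture does not hold the whole body, which is the honest answer for a truncated or partial capture; an analyst should treat a missing return value as "export incomplete" rather than pad the file.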
Summary
TCP/IP Protocol Architecture
Sniffing
Traffic Analysis
Wireshark