Alright, cool. We're gonna get started. So, great seeing that a lot of people showed up. So, yeah, this will be an information session. It's gonna be split into two parts. Jacob will do the Wireshark presentation first, and then I will go over GDB. The GDB part is gonna be focused primarily on Assignment 6, and hopefully it should help you with the in-class CTF. I don't know, I haven't seen it yet. So, yeah, Jacob, we wanna get started.

Yeah, alright, let me, can everyone hear me alright? Let me share my screen. Yeah, so for the first part of this presentation, we're gonna go over Wireshark and some things that will be helpful to you for both the CTF and Assignment 6. Okay, so first we're gonna go over a brief networking review, some basic concepts that you've already seen in class that you should definitely be aware of. We're also gonna look at, again, a review of the difference between TCP and UDP. And then we're gonna look at PCAP files, which we're gonna do in a minute. Okay, so the requirements, if you wanna follow along with the demo we're gonna do in a little bit: you need to have Wireshark downloaded and installed. And then also, you'll need to have the PCAP files that were linked on the Piazza post as well. Alright, so we're gonna learn, again, some basic networking concepts, Wireshark, and reading PCAPs.

So what is Wireshark? Wireshark is a powerful packet analyzer tool, and it can serve a variety of different purposes. Some of the different purposes would include network troubleshooting, so you can look at network traffic in order to identify and solve different problems that you might be experiencing with your network or something like that. And then as well, you can do just general analysis on networks, and it can also be used as a tool to help you develop different protocols that you might be working on. And so Wireshark is very, I don't know, some of you might have used tcpdump before.
It's very similar; it offers similar functionality, it's just much easier to use. So why Wireshark? Well, it offers the ability to analyze traffic in real time, and because of this feature and how easy it is to use, it's really become the industry standard. Wireshark is available across all different operating systems and it's free for everyone to use.

Okay, so if you recall, you went over this in class, I believe: the OSI model. So when we refer to packets, you can't just talk about data in general. You can't expect people to know what you're talking about; packets specifically, because there are many different types of data that are involved in the OSI model. So if you want to learn more about this, it's a good thing to know; you can look it up and learn more about this model.

Okay, so again, you guys have gone over this in lecture. It's a very important concept, so make sure you know the difference between TCP and UDP. So basically for TCP, you want to remember the three-way handshake: the SYN, SYN-ACK, ACK. TCP really is focused on error checking, making sure that the packets are actually delivered. So that's why it's good for things where you need to know if the message has been sent, like email, or the web, where you need to know you've actually loaded the web page, stuff like that. And then UDP is not really focused on error checking. So with UDP, you can remember it as just fire and forget: you're sending the packets and basically forgetting you ever sent them, because you don't care if they're really delivered. So it's good for things like video, video chatting, and voice calling.

Okay, so capturing packets refers to the act of capturing network traffic, either over Wi-Fi or Ethernet. Since Wi-Fi is really just a radio frequency band, anyone within the range of that Wi-Fi signal can capture its packets without even having to be logged in or anything like that.
So this little device on the right there is called the Pwnagotchi, and it is made from a Raspberry Pi and some other components. Its function is to capture Wi-Fi packets, and it will capture Wi-Fi packets and the handshakes. So what the handshakes are: if you have your phone or PC connecting to a Wi-Fi network, the handshake is the process that allows devices to connect to a Wi-Fi network. So these devices actually look at the handshakes and then use some password cracking tool to try to steal the Wi-Fi password so that you can log into that network.

So you've heard me talk about a PCAP. PCAP is short for packet capture. Basically a PCAP file is just a file containing the TCP, UDP, IP packets that have been captured from the network. So if you run Wireshark to capture packets, what you're going to get when you're done capturing packets is a PCAP file. Okay, like I was talking about, capturing packets or sniffing on Wireshark: if you have the program installed, you can do this by clicking this button right up here, and that will start capturing the packets for you. We're not going to go over this specifically in the demo, but you can definitely try it out at home; look up how to do it. It's not too hard at all.

Okay, so this is the basic layout you're going to see when you open up Wireshark. Up at the top here I'll show you all the different categories, and this is customizable, so you can see your source IP, source port, all that kind of stuff. Then at the top you've got your toolbar with the different functions, like capture packets, stop capturing, you can search through the packets, all that kind of stuff. And each one of these listed here is an individual packet, so you can click on these, and once you do that you'll see all the data about the packet down here. Then the actual hexadecimal, which is converted to ASCII, in the lower portion.
So this is the scenario we're going to use for the demo we're about to do. Imagine you're a student sniffing Wireshark packets at the Starbucks in the MU just because you're bored. You isolate the packets into a PCAP file, which we talked about, and name it mysite.pcap. You're assuming that students are attempting to log into their new website that they've created with credentials that are sent in plain text, and you hope to be able to log into that once and cash in before they offer their initial public offering. So just a disclaimer: it actually is against ASU's rules to do this, to analyze network traffic and look for passwords, so don't actually do it. Okay.

If you don't know what the POST method is, it's basically what is used to send data from a client over a website to a server, and it's a request asking the server to store that data. So if you don't use an SSL certificate on your website, which was also something Professor Doupé went over in lecture, this POST request will not be encrypted at all; it's just sent as a regular HTTP request. So that's why you definitely need to use HTTPS, so it is encrypted and no one can steal user information and passwords like we're about to do.

So, here's the demo. Once you have Wireshark open, you can select your PCAP file and open it, or you can just drag it in. I'll just do it this way. mysite. Okay, then here you see you have all the packets from that file listed for you. And the first method that we're going to use in order to find that POST request, which is sending the user login information to the server, is we're going to apply a filter here. So the filter we're going to use is the HTTP one, for POST. So you enter that and search for it and you get two packets here. Each one of these is a POST request. So from that, you see all the information here. And here's the actual data within the packet. So if you look through here, you can find what was being sent.
So we scroll through, look through, and you see down at the bottom here, you have a user, Billy, and then his password right here is incorrect password. So we were able to see this now because this is just an HTTP request, not HTTPS; if this were HTTPS this would all be encrypted and you wouldn't be able to read this. Similarly, we have another POST request here. We scroll to the bottom again. You can see this time the user is an admin and logs in with this password.

And another way we can filter through these packets and try to find passwords is to search through the search bar and do a regular expression search. So you'll have to click the search button, and then select regular expression from the dropdown and enter in the expression to search for; in this case we're searching for passwords. So "password", and find, and you see here: this time there are a lot of different packets that come up when you do that search. But we're looking for a POST request, so you can read through this little menu and try to find anything that has a POST request. You see this one. Yep, it's right here, 48, same one we were on. You can see it's that same packet with the admin and the password for that admin.

So that's really the demo for Wireshark that we're going to go over. Obviously there's a lot more you can do with it, but for right now this is really all you need to know about Wireshark and how to use it. Yeah, and then all that we just did is on the slides right here, so if you want to do it yourself and you weren't following along you can do that later. And so what we just learned: just the basics of how to use Wireshark, how to import PCAP files, how to search through the different packets and find what you're looking for. I don't know if anyone has any questions; you can ask now about Wireshark or wait till later when Gabe is done with his presentation. Actually, ask the Wireshark questions now.
But yeah, as you can see it's really fast; most of it's pretty self-explanatory. And it will help you with Assignment 6 if you understand what we just did. So, anyone have questions?

So the PCAP file that we would be finding in, what is it, the get password part in the assignment, how would we recognize that it is a PCAP file? Is it just the file extension, or...?

Yes. Have you actually logged on to check out the assignment?

I logged in and I grabbed the file, but of course it's all encoded, and I was having a hard time with the command to put it on my own server anyway, so I think that's what I was having a problem with.

Yes, so this PCAP file, it actually is just .pcap; it's a file extension. Okay. The thing you've got to remember with file extensions is, I always hammer this at my office hours, I think a lot of people who show up are kind of sick of it, file extensions don't actually mean anything. Right, so here, I'm actually logged on to the CTF server right now to check our challenges. And then it's the find pass one. Right, so in the assignment, I think it's actually just called network trace, and you can use Wireshark or you can use the other tool you talked about earlier. What was the one you did? Okay. Yeah, so you can use Wireshark or the other tool you're talking about. Yeah, tcpdump, to look through it, to skim through it. It's just called network trace, but it goes back to file extensions not really meaning anything, so if you see "network", most likely it's probably a PCAP and you could probably use Wireshark to read it. And then that's why he recommended you learn scp, which is just secure copy, to copy it to your local machine. Okay. Any other questions?
Sorry, did I actually answer your question? Yeah, for the most part. I just need to figure out how to use scp directly, because it just wasn't recognizing my local domain name, I guess. Okay, usually scp is a lot easier if you do it from your local machine and do a request to the server than the other way around, just because your own computer has firewalls and stuff that prevent stuff from being sent to it, so it's a lot easier to do a pull request than to do a push request from the server. Okay, got it. All right, cool. Thank you.

All right, cool. Okay, so now we're going to move on to, wait, does anyone have any final Wireshark questions before we move on to GDB? Because this one's a little more complicated. Also, disclaimer: the stuff I'm going to go over is ahead of lecture, but it will help you a lot in Assignment 6, so that's why I want to go through it now, so you guys have plenty of time to actually understand the concepts and stuff. All right, cool. Okay, so I shall share my screen. Yeah, we'll present. So once again, I'm Gabe, and you guys know Jacob.

So overview: we're going over GDB, some common commands, and then we're going to go over the stack, which you guys went over in lecture. And then we're going to actually learn what a buffer overflow is, and then why we're still learning about buffer overflows when the vulnerability has been around since the 70s. Okay, so for this one, a lot of people get around the whole Linux machine requirement, but this is actually going to matter. The server is using Ubuntu 18.04; you can use basically any other Linux distribution, but yeah, I'll get into why it actually does matter that you use a Linux machine this time. So GDB is just the GNU debugger. It's portable; it helps analyze your program execution.
So if you guys are taking CSE 340, this is a really helpful tool just so you can see where your program dies. So once again, the presentations are focused on the CTF and Assignment 6, not so much on programming, but it can be used in programming. So the reason why you need a Linux machine is because we're analyzing 32-bit binaries, so certain computers won't be able to analyze it. Like if you try on a Mac you'll get these errors where you get a kernel failure or you get an executable format error, just because my Mac can't read this 32-bit binary; it's too old. So that's why you do need to actually have a Linux machine. And then, let's check chat. What can we use for non-Linux machines then? Well, Windows has the Ubuntu subsystem, and then you could just install a virtual machine, which I have right now. This is just an Ubuntu server, and then I just SSH into it. But for Assignment 6 you're on a Linux server, so you don't have to worry about 476, but if you want to practice this stuff on your own, I'd highly recommend using an Ubuntu or Linux virtual machine, just because it makes it a little easier.

So if you want to follow along, we already posted the downloads. We're going over picoCTF 2018 buffer overflow 0. It's a really easy challenge; it's supposed to be one of the easiest challenges, and I actually added comments to the code on that just so that we could speed up the learning process. Okay, so loading programs in GDB. Everything is going to be command-line based; there's no GUI. That's why we've been hammering, that's why Professor Doupé has been hammering Bandit and stuff, just to get you comfortable with the command line.
So it's pretty easy. You have your vuln executable, and then you would just do the gdb command and then vuln. GDB is built into most Linux distributions, so you shouldn't have to download anything. And then make sure you target the executable, not the source code. So the first command, and the easiest one, is just r, or run. Obviously you just have to run the program itself. And in Assignment 6 the program is going to take a command line argument, just like the same challenge that we're going to go through. So as you can see, I just do run and then five A's, and it looks like the program just takes in these five A's and prints them back out, so very similar to your Assignment 1, where you just take a command line argument and it just spits it out to standard output.

And then what else can you do in GDB? We could disassemble, which is one of the big ones we're going to be doing. We can set breakpoints at certain addresses in your program to see if your program crashes before that breakpoint; it's really useful in debugging. And then there's stepping, which is going line by line down your code. And that's why it's a good debugger. So you would just use the disass command. And this is what it looks like. Obviously every C program has a main function somewhere, so disass main is usually pretty easy to do, and then you obviously get the x86 assembly for it. Don't worry, I don't know everything that's going on either. And to be honest, you don't actually have to for this; you just need to focus on the certain registers we care about, and we'll go over that in a little bit. And then there's the breakpoints, which I just talked about: you just set certain breakpoints in your program, run it, and then see where it dies.
It's really useful for 340; it'll save you a ton of time rather than trying to do a bunch of print statements to figure out where your program dies or doesn't work. And then there's stepping, which is you just go instruction by instruction, so you can see where your program dies, or if it's actually jumping to functions when it's supposed to, and stuff like that.

All right, so we're going to look at the code. So, vuln.c. This is the code I posted, and I actually added a lot of comments to it just to make it easy to read. So, here's main. We really don't care about that stuff, because the flag is just a text file and this just reads that text file. So for anyone who didn't download what I'm talking about, I'll just hold it up. What I posted was this gdb exercise, and then there's this vuln.c, which is the code we're looking at, and the flag.txt, which is what it's reading, to simulate. So the flag is just a simulation to prove that you successfully exploited what you're supposed to. It's just a way to say, oh, I actually was able to pull off a buffer overflow. The reason we use this is just because it gives you feedback that, hey, you actually did it. So that's what we're going to be doing on Thursday for the in-class CTF, and it's very similar to your Assignment 6. And then you have the vuln executable, or the binary. So the thing with this is, do not recompile this program on your own machine, because when they created this, there's a bunch of stuff that prevents buffer overflows, like canaries and ASLR and a bunch of other tools and stuff that prevent a buffer overflow, but because we're just learning, the binary they give you is vulnerable on purpose so that you can actually practice and learn from it.
So don't do gcc and output this vuln.c yourself; it's just going to mess it up, you're not going to actually pull it off. Okay, so anyways, moving on. So these are the important lines. This one, which is vuln(argv). If you guys don't remember, argv in C is just the argument vector, which is whatever the arguments are after you run your program on the command line. And so it calls vuln right here, the vuln function, and this is where the buffer is, for the buffer overflow. So that's the line we actually care about, and then this line is what we care about too; it's a signal. The signal thing basically just says, if the program segfaults, it's going to call this sigsegv_handler, and that just prints out the flag. So essentially all this program is asking you to do is cause a segfault and you win. And like I said, it's a pretty easy challenge, and we're using this one as an example to teach you guys a buffer overflow and to help you on the two challenges for Assignment 6.

So this just reiterates the important parts. We only care about that portion. Don't worry about that portion. And that line 46, because your argv is getting passed into this vuln function. And then there's this character buffer, and then strcpy copies the string. The reason why this is a vulnerable buffer is because of that strcpy function, and we'll go into that later.

So real fast, we have to understand the stack, which we just went over in lecture, so I'm going to go through this real fast unless you guys have questions or need me to slow down. So just remember the stack, when he says that it starts at some high address and builds down.
So what he means by builds down is that it grows down towards the lower addresses. And then you've got your shared libraries or unused memory, and then your heap, which grows up, and then some other data stuff. So for this class, you only need to worry about the stack. You don't have to worry about the heap and stuff; that's later, more advanced stuff if you really find this interesting. So the stack is divided into stack frames. And then this is the thing I was talking about earlier: I think x86 is boring, but we really only care about certain registers, so ESP is one of the registers we actually do care about. And so the stack frames are separate like this, where you have your stack pointer, some buffer space, your base pointer, and your instruction pointer, and that buffer space is actually that character buffer back in the code, the actual char buffer, because it's a gap in memory that you get to use. And that's why a buffer overflow is such a big issue. So the EIP is one of the registers we care about because, sorry about that, it's awesome because it is the register that points to the next instruction, so if you can control the EIP, then you basically get to control the program. It's really cool. So, moving on. Once again, the register we care about is the EIP. And then, so basically what a buffer overflow is, what we're doing is we're going to be writing a bunch of gibberish, in this case we're going to use capital A, and you're writing a bunch of gibberish to fill the buffer space, overwrite the base pointer, and then go into the EIP, and once you overwrite the EIP, now you get to control the program. And that's the big picture. So you might ask me, why do we use capital A?
Well, capital A is just easy to read because in ASCII to hex it's just represented by the number 41, and the command I'm going to be using to print A's, just so we can specify the amount of A's that we're passing into our program, is python -c "print 'A'*17", and then it prints 17 A's for you and then you just copy and paste it over. So we're good.

So for this one, I was going to do a live demo but decided that I think this is easier to explain. So for this one we're just going to do 20 A's, just because, well, the buffer here is 16, right? So let's see if we overwrite the 16, maybe we could continue, move on. So we do the 20 A's and no segfault happens. So that means we didn't win, which is really interesting, right, because you would think that you passed the 16 bytes that are in the buffer. So next we're going to do 26 A's and we're going to use the info registers command in GDB. So as you can see, we caused a segfault, which is what we want, because that's all the program says we need to do. And then you notice here, when you type info registers in GDB, you can see all the registers. So you can see EBP; EBP is just the base pointer, and you notice that it's getting written with 4141. And so if you remember earlier, capital A is 41, so that means that the A's that you're throwing into the program are actually getting into the base pointer right now. It's like it's leaking into that register. So let's try 28 A's, and then you see that 28 A's actually gets you the flag, meaning that you won; you caused the segfault and you were able to get that flag. And so if we look at it in GDB, you can see that the base pointer is getting overwritten by A's, as you can see with the 41414141. So that's enough for this challenge. But for your homework assignment you're going to need to overwrite the instruction pointer. Or yeah, yes, instruction pointer.
So we're going to keep moving on. For this one I'm putting 30 A's into the program, and then once again you run it in GDB, you do info registers, and you can see that the instruction pointer now has 4141 right here. So that means your A's are slowly creeping into that instruction pointer. And if you remember earlier, we want to overwrite the whole thing. So yeah, we got the flag and we won, but you still haven't overwritten the EIP, which you're going to need to do for Assignment 6. So we just tried 32 A's, and then eventually we overwrite it like so. Now you see all the 4141s, so that's why we just use capital A; it's just an easy way to find out if you're actually overwriting these registers like you're supposed to, and then you could see up here the base pointer is also getting overwritten by capital A's.

So, tips for Assignment 6. Oh, sorry, got a question in chat. How do we know where that function was? Um, which one, main or the vuln function? Skyler: How do we do all of them? Oh, it's because it just printed out the flag, like picoCTF sample flag. So this is the text file, and then you look at the program: if you cause a segfault it reads the flag and says, like, you won. Okay, do you understand the big idea of what's happening? So the vuln function right here, this is the source code we're looking at. When you pass your argument vector, whatever the A's are, it gets thrown into that function, which gets called, vuln, and then it takes in this input, and then strcpy takes the input and copies it into the character buffer. So that's why at first we just start with 20 A's, so hopefully when you throw 20 A's into a buffer that's only supposed to hold 16 characters, it should have caused a segfault, but it didn't because we still have extra space, and that's why we look into the registers. So the other example should be fine. Which example? Yeah.
Yeah, so this is very similar to your Assignment 6, but it's not the full answer; it's just giving you a basic understanding of what you're doing. What you're doing is you're using, so your buffer space is that, I think, I guess it's a great point, I should get the memory address. You can also do disass vuln as well, because you are normally given the source code for these types of challenges, but the primary thing you need to do is, we're trying to overwrite the stack frame, and then once you do that you get to control the program. So once you overwrite that register, you can make it do whatever you want, like you can make it jump to functions it's not supposed to, the addresses of functions it's not supposed to, or you can spawn a shell. Once again, we are jumping ahead of lecture because I want to get you guys to understand what the basic overflow and advanced overflow are for the assignment, so you're not procrastinating till the last minute. Sorry, did that answer your question, or are you still confused?

Yeah, so this character buffer is that buffer space, and it doesn't have to be called character buffer; it's just any part in code where you have a blank space they could throw inputs into; hackers just love that. And strcpy is vulnerable because it copies an input into a buffer, but the reason why strcpy is so vulnerable is because it doesn't sanitize user input. As you saw, we were able to throw 30 A's into this 16-byte array, a character array, right, which strcpy doesn't check for, and that's why it's kind of important that it does. And another interesting one is also gets. So if you actually read the manual for gets, it actually tells you never to use this function, because it's also just very vulnerable; that's why they made fgets. This is the one.
Yeah, so if you go on Linux you could actually read the description for gets: never use this function. It's very funny; it's just a legacy library function that's still there. Anyways, moving on, sorry, I sidetracked too much. So yeah, we got the flag; we technically won for this specific challenge, but for your Assignment 6 you need to overwrite the EIP, so it takes 32 A's and you see that the EIP is now fully overwritten. So then afterwards, now that you know that it's probably 32, and it might be more or less, you're going to have to play around with it. Since we've overwritten EIP, you can now control the program, so you can make it call functions it's not supposed to, and so forth.

So, some tips I have for basic overflows. The first thing you want to do is cause a segfault, and that's what that challenge is there to show you: if you could cause a segfault, that means that you're able to perform memory corruption. There's a reason why nothing stopped you from throwing 30 A's into a 16-character array. I don't know why they didn't stop you, but you're allowed to, so there you go. And then next I would actually focus on understanding why the segfault occurred; so strcpy doesn't check the length of how many characters are thrown into that buffer. And then find the offset, which is the memory address, and overwrite EIP, and then once you control EIP you control the program and can do whatever you want with it.

So you guys might have been bored out of your minds with whatever we learned in lecture, and you're confused, like, Gabe, why did we learn this crap? This thing has been an issue since the 70s; it's 2020, why are we still learning this thing?
Well, unfortunately, it's actually in the real world. One of my friends, Joe Geer, did a talk at CactusCon last December of him hacking security cameras, so these are his slides; I pulled part of his slides. So he did Internet of Things devices; they're very vulnerable, and as you know, smart thermostats, Amazon Echoes, Ring doorbells are a huge one right now. So he targeted this camera company, and then he basically showed you how he found the vulnerabilities, and of course, guess what kind of vulnerabilities they are: buffer overflows. So there you go, so here's the strcpy call and here's a buffer of 28. So that means you have 16 bytes over, right? So that's just one, and he found another. And then another. And that was just the UPnP binary; don't worry too much about that, but basically he was able to just do a find and look for all the strcpys in the binary for this camera, and he found over 1800. It just goes to show, even in 2020 with smart cameras and stuff, buffer overflows are still a thing, and that's why we're learning it. And then there's more stuff you could do, like you can overflow the file transfer protocol server and get the USER and PASS, usernames and passwords. So yeah, this is really relevant; it's pretty cool. And then at DEF CON, I think 23, someone did a talk on this, where he hacked 14 IoT devices. So they're still really relevant.

And basically that's it for our information session. So what we went over: GDB, buffer overflows, and why they're still relevant. Anyone have any questions? I hope that talk wasn't too broad, and I hope it was also helpful for Assignment 6. Jacob and I will be hanging out till four if you guys need help with Assignment 6 or something as well. Yeah, I can stay too. I can't. How do I see the participants? So yeah, okay.
Anyways, if you guys think this stuff is cool, like hacking IoT devices is cool and stuff, check out the two cybersecurity clubs at ASU: there's pwndevils and DevilSec. They do different things. I'll be posting these slides now that I did the presentation. And then these are the sources. So we just did buffer overflow 0 from picoCTF. And then here's an article about how to do a buffer overflow for Windows. Here's a PowerPoint slide I found from a university that helped explain the stack. And then here's that DEF CON talk on hacking cameras and smart thermostats and stuff. So I hope you found our information session useful, and we'll be here basically for office hours now if you guys need help with Assignment 6.
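As an added illustration appended after the session (not code from the presenters, from picoCTF, or from the course), here is an offline libpcap reader in Python that repeats the Wireshark demo from the defender's side: it applies the same "HTTP POST" filter programmatically and flags login forms submitted over plain HTTP, which is the evidence you would hand a site owner to show they need HTTPS. The capture, the hostname mysite.example, and the addresses are all constructed inline; password values are reported only by length, never echoed.

```python
import struct
from urllib.parse import parse_qs

# Form field names that usually carry credentials (assumption: a common subset).
CREDENTIAL_USER_KEYS = {"user", "username", "login", "email"}
CREDENTIAL_PASS_KEYS = {"pass", "password", "passwd", "pwd"}


# ---------- constructed sample capture (not real traffic) ----------

def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame around `payload`. Checksums stay zero:
    this only feeds the parser below and is never put on a wire."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 = TCP, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src_ip, dst_ip)
    return eth + ip + tcp + payload


def _pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


_CLIENT, _SERVER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])  # RFC 5737 test net
_BODY = b"user=billy&password=wrongpass1"
_POST = (b"POST /login HTTP/1.1\r\nHost: mysite.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)
_GET = b"GET /index.html HTTP/1.1\r\nHost: mysite.example\r\n\r\n"
_TLS_LIKE = bytes.fromhex("1603010005deadbeef00")  # opaque bytes, as HTTPS would look
SAMPLE_PCAP = _pcap([
    _frame(_CLIENT, _SERVER, 51000, 80, _GET),
    _frame(_CLIENT, _SERVER, 51001, 80, _POST),
    _frame(_CLIENT, _SERVER, 51002, 443, _TLS_LIKE),
])


# ---------- parser ----------

def iter_records(pcap):
    """Yield (timestamp_sec, frame_bytes) for every record in a libpcap file."""
    (magic,) = struct.unpack("<I", pcap[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"  # 0xD4C3B2A1 marks a big-endian file
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # protocol field: not TCP
        return None
    (total_len,) = struct.unpack("!H", frame[16:18])
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + data_off:14 + total_len]


def find_plaintext_logins(pcap):
    """Same idea as filtering on POST in Wireshark and reading the form body:
    report every POST that carries credential-looking fields in the clear."""
    findings = []
    for ts, frame in iter_records(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[4].startswith(b"POST "):
            continue  # TLS records and non-POST requests never reach the body check
        src, dst, _sport, dport, payload = parsed
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        path = lines[0].split(" ")[1]
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        user = next((fields[k] for k in CREDENTIAL_USER_KEYS if k in fields), None)
        pw = next((fields[k] for k in CREDENTIAL_PASS_KEYS if k in fields), None)
        if user is None and pw is None:
            continue
        findings.append({"time": ts, "src": src, "dst": f"{dst}:{dport}",
                         "host": headers.get("host", ""), "path": path,
                         "username": user, "password_len": len(pw or "")})
    return findings
```

Running `find_plaintext_logins(SAMPLE_PCAP)` returns one finding, for the POST to mysite.example/login; the GET and the HTTPS-like record on port 443 produce nothing, which is exactly the contrast the demo makes between HTTP and HTTPS.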