Welcome back, thanks for joining us at the Cyber Underground. I'm Dave Stevens, your host, and today we're going to continue with How to Be a Hacker. We're still looking at recon and enumeration of hosts on the network, and how to look at what's on your network by looking at what's flying around inside the network on a binary level. We're going to look at packet analysis today. Thanks for joining us. Today I have my guest, assistant professor Hal Cochran from Kapiolani Community College, part of the University of Hawaii system. And you teach this stuff. This is your field. Yeah. You do the networking classes. I'm really excited to be here. I've been teaching networking for some time and I'm looking forward to... Not just teaching. I mean doing. And doing, yes. So bring us up to speed on your history in networking. You have an ICS background, right? Where'd you start out? I'm a graduate of the University of Rhode Island. I got my bachelor's and my master's there. I started out on the help desk as a Mac and a Unix guy. And then after a year I went into Linux and Unix sysadmin, which included a lot of networking at the time. We didn't have a lot of specializations, so everybody kind of had a... You were the IT guy. Right. Yeah. Now we specialize, yeah. And when I decided to come out to Hawaii, I came out here for a job as a network admin at Honolulu CC. So I was a network admin there for three years before I moved over to Kapiolani CC to teach. And you've been there six years, seven years? I'm going on eight years. Going on eight years now. And that's... Hawaii 12 years, and going on eight years at Kapiolani. Yeah. I'm glad to have you. Okay. I'm really excited to be here. Let's do this. We're going to talk about practical packet analysis. And we've got a couple of books here. If you guys out there in YouTube land want to see what the books look like, we're going to give you a screenshot of these books.
This will get you up to speed: Wireshark 101 will get you from ground zero up to where you're using the tool right. And then Practical Packet Analysis teaches us a little bit more about how you apply this in several different arenas, security and what else. Yeah. The first book here is like a reference manual: how do I specifically do this and that? The second book is how do I apply this to the real world? How can I use this on my network? How can I use it to analyze my network, to hold you by network? Or, if I'm so inclined, to use it to capture other people's information on my network? Now Wireshark, this is an open source tool. This is one of the absolute best tools that you will ever get for free. It's right up there with Kali and some of those other open source free projects, like the Apache web server, that are just amazing and out there under the open source license. Well, Wireshark is one of those tools. And it's got an incredible community supporting it. People make tools and plugins for this stuff all the time. Exactly. And a lot of support out there. So besides books that you can purchase, there are all kinds of sites and information out there because it's open source; there are communities and tutorial websites and all sorts of information out there that you can just get for free if you want to really drill down into how to use Wireshark. And you can really take Wireshark to a real high level if you really want to dig into it. Now, this runs on Mac and Windows and Linux, whatever you're running. I haven't seen it run on a Mac, but it definitely runs on a Mac. Yeah, you'll see one of the screenshots in here is actually on a Mac. Great! It runs great on a Mac. I haven't used it. The toolbars are a little different, but it works great. Yeah? It works on just about any version of Windows. It runs on Linux.
The newer versions not only can sniff Ethernet, they can do wireless, and there are even new modules that can sniff USB, so you can see traffic moving across USB interfaces. Well, let's talk about what that traffic is in a second, but where do I get Wireshark? How do I get that? You can just download it from the site, I believe it's just Wireshark.org, and it's a free download. Download it and install it, and there's a library that we want to install called, I think it's the PCAP library, that is kind of the low level calls that actually do the capture of the network traffic as it's coming through your network interface card. So there are really two things to install. And as you're installing Wireshark, it will usually interrupt and say, do you want to install this PCAP library as well, and if you don't have it already installed, then you should choose yes. Now PCAP is the extension of the files when you save a capture, that's what they end with. Exactly, .pcap. These are the libraries that do the capture and format it in such a way that Wireshark and other tools can then analyze them and present them to you in such a way that you can see the packets and the various parts of the network traffic. It works on a wireless network. Let's put up that first screenshot. We're going to take a look at what the screen looks like. This is what you see when you start capturing traffic on your network. Now what do we mean by that? What are we doing when we capture traffic, and what are we looking at on the screen right now? The way that Ethernet networks work is that all of the traffic goes out on the network identified by a number called the MAC address that tells you which device on the network it's meant for. But everybody sees it. That's a physical address identifying that piece of hardware; it's a physical address that is burned into a chip on a network interface card. So when the data goes out on the network it has that address in it.
But all of the devices, all of the computers, see the traffic. It's only the one that has that address that takes it and processes it. I think you can do something with it. It receives the message. So now you can tell Wireshark to go into what's called promiscuous mode. In other words, look at everybody's traffic. Everything that comes by, capture it and let me see it. And that's what we're looking at here. We're looking at promiscuous mode. We're looking at a stream of everything that the network interface card sees, and there are a variety of different protocols that are running on any network. You see TCP, which is Transmission Control Protocol. Well, so what's a protocol? That sounds like a language, right? A protocol, exactly. It's a set of rules for communicating. So one of the examples I use is, if you're speaking Chinese and I'm speaking Russian, we're not going to be able to understand each other, right? We have to be speaking the same language, so we're using the same rules so that we can talk to each other. Right. Well, so we have these open standard protocols that no matter what manufacturer makes a network device, they use the same standards, the same rules, the same protocols so that they can talk to each other. Now, that's only recent. That's within like the last 20, 30, 40 years we've been developing these protocols. In the beginning, your computer could only talk to one other computer or two other computers because you all programmed that same language, but you didn't make that available to the general public. There was a time when Macs couldn't talk to Windows machines and Sun Microsystems machines couldn't talk to others. Everybody had their own proprietary thing. There was Novell and there was AppleTalk and there was NetBIOS and everybody had their own, and so no one could interact.
But thankfully, they realized that that was a huge mistake, and they got together and made these open standards so that everybody is using the same rules. So no matter what brand or what manufacturer, we use the same internet, we can talk to each other, we can even exchange files now, and it's much more interoperable than it ever was. It helps third parties like, say, Amazon. They make their Alexa device and they want to put it on everybody's network. Well, now they have the ubiquitous protocol, so they can just plug it into someone's wireless network and it works with everybody's network because they all speak the same language. Otherwise, you'd have a version for this kind of network, a version for that, and it would be a nightmare. So in that screenshot, we were looking at the source and destination and there are two groups of numbers in there. Those are IP addresses, right? Can you describe those IP addresses? Those are IP addresses. So those are IP version four addresses, and that's primarily what's still being used on the internet, but we are moving to a new version called IP version six addresses, which look considerably different from those IP addresses. But these are groups of three numbers. They're all called octets, they're all between zero and 255, and they represent a unique address on that particular network or subnet. So those sources and destinations, they're referring to the transmission from a source device to a destination device, and you're capturing what protocol we're using. We see TCP is highlighted there. And what else can we see there, over on the right in the info column? In the info column, we can see some of the flags or the different options that are set within the packet. So like that very first one we see, that's a TCP packet with a SYN bit. So that's the first SYN message. We're communicating and we have to do a three-way handshake. Exactly.
So I have to send out a SYN packet, you send back, the next one we're highlighting there is SYN, ACK. So that's the, I'm acknowledging your SYN, right? And send that back, and the final one would be an ACK, the final acknowledgement. So it's exactly like me saying, I want to set up a connection to talk to you. You respond, I acknowledge that you've made that request, and I respond, I acknowledge that you acknowledged, so now let's start. Now we're all on the same page and we can start talking. Now we're all synced up and ready to go, let's start transferring data. So in that example in Wireshark, what we're looking at is that three-way handshake between two devices, and you know there's a conversation about to start, and you can track that conversation. You can capture and follow the entire thread of that conversation with Wireshark and see exactly, if it's unencrypted, you can see exactly what's being said between those two devices. So let's see the second screenshot now, with the traffic that's unencrypted. We're looking at a Wireshark screen, and I highlighted this, and I also spoke German apparently when I did, but you can see the protocol being used is HTTP, and there's no S on that, which means there's no security. This is unencrypted on a website, and those are the two devices that are sending messages back and forth. Now Hal, we have three separate pieces of the screen. I've highlighted HTTP, and down below we have two more sections to talk about. Can you tell me what's going on in these other two sections and why they're important in this case? Yes, so each of those lines is like one piece of the larger conversation. That's a packet. Yes. And we break down the packet? We have an HTTP conversation where a client is requesting a web page, but it gets broken down into a number of smaller pieces. It gets broken into packets, and then those packets get sent out on the internet, and then at the server they'll be reconstructed to recreate the original request.
So it gets chopped up or broken down into smaller pieces, sent out, and then reconstructed on the other end. So the middle part of the screen, that's the pieces of the packet that we can see? This is that, yeah, and the details of each part of the packet. So you can actually see, I can see this is a Mozilla browser. Yes. So this is a Windows machine. This is part of the HTTP protocol that we're seeing here. These are the actual requests and the information and the headers that are being sent to the HTTP server as part of the request. Now on the bottom we actually see the actual data being sent in the packet, and the important piece we're showing you now is, since this is HTTP, it's unencrypted. It's not secure. You didn't do HTTPS, obviously. But down below you can see there is a password equals, and I etched it out so you guys can't see what the password was. But you can tell, if I was just looking at some traffic going across the web in an unencrypted form, I can now see someone's password and username being passed to the website, and then I can get your login credential. So this might make people think about going to Starbucks and hooking up to the free Wi-Fi, because there might be someone sitting there with this watching all the traffic going back and forth and waiting for that first careless person not to use HTTPS. If you're using these plain text protocols like straight HTTP or FTP and Telnet, then you're vulnerable to this. I mean someone can capture this and they can see everything that you sent. They can see username. They can see password. So if we use encryption, as you said, HTTPS, and there's a replacement for Telnet that's a secure shell, SSH, that uses encryption. I can use a VPN. So that's virtual private network. Or you can use a VPN. Or you can use a secure version of FTP, SFTP, instead of the unencrypted one. So those are all protocols that we use for different functions. Now let's talk about ports.
The port, it's a doorway to a computer, and you have a number of these doorways to any given computer. But there are certain port numbers, I think zero to 1,024, that are so common. Pretty much everybody knows these first 1,000 ports and what they're used for. For instance, HTTP, most of the time it's going to be port 80. That's mainly what it is, and it's port 443 for HTTPS. So when we're looking at Wireshark, does a port matter too? Absolutely. A port is how you identify a service that's running and listening on a server. So a single server can have a single IP address, but it can run multiple servers. It can be running a web server and an email server and a file server all at the same time. So when a packet arrives at that server's network interface card, how does it know whether it belongs to the mail server, whether it should be going to the web server, whether it should be going to the file server? Well, it's because those services run on different ports. So what happens is it's something called... We're going to have to take a break. We're going to come back. We're going to pay some bills, and then we'll talk more about what you can do with Wireshark. Until then, stay safe. Welcome back to Cyber Underground. Sorry, I'm here with Professor Hal Kolker and we're talking about Wireshark and how to be a hacker, and of course, Hal, this is one of those tools where you could use it for nefarious purposes and you could use it for good.
And we're talking about both ways we can do this, but right now we're just talking about how we identify connections between computers, and we have a couple of different identifying pieces of information that the computer needs to know and send in that packet so the receiving computer knows what to do with it, right? We're talking about, it has to have a port, it has to have the right protocol. And we haven't discussed services yet. So try to describe for me in plain layman's terms how I'm going to address this port so the computer knows, I'm the computer supposed to receive that, it's supposed to go in this door, and I'm supposed to do this with it. So the packet shows up at the server with an IP address and a port number attached to it. The IP address is like the street address that gets you to the building. The port number tells you which apartment. Okay. Or it should be. So you can have multiple apartments, so you can have multiple services on a single IP address, and that's how you can have web servers and mail servers coexisting on a single IP address. They're all listening on a different port. They're all listening on different ports. Yeah, okay, I understand that. And there are somewhere around 65,000 usable ports on any internet host. So we've got a wide range of ports to choose from. Yes. Which is a big security hole, right? If you first turn on a machine, if all those ports are open and listening, that would definitely be a big problem. So most people, when they get a server up, they will lock down any port that's not actually being actively used. That's the best security. If it's a web server, you need 80 and 443 open and not much else. So you can eliminate tens of thousands of addresses from your repertoire of listening ports. That's right. So an open listening port is a door which could possibly be forced open by a hacker to get into your system. So does it need to be open? Close it up.
So when we're talking about passing packets back and forth and having Wireshark in promiscuous mode, or Wireshark tells the network card to be in promiscuous mode, and we start capturing traffic, we're looking at just a ton of traffic. How do we isolate a conversation between two systems? We can do filtering. Okay. So how do we filter? What do we filter on? So along the top bar of the Wireshark capture, there is a filter area where you can enter in, there's a fairly simple expression language where you can specify what you want to filter on. You can filter on IP addresses. You can filter on certain ports and protocols. So you can isolate that conversation so you can see just those two computers talking and try to gather that information. So if we could put that screenshot up whenever we have a chance, we're going to look at the filter options up there at the top. So up there in the top left-hand corner, you see TCP port double equals. And in most C++ languages for programming, double equals means we're comparing. So when the TCP port actually is port 80 and the UDP port is port 80, then give me that traffic, and that's what we're looking at in there, just that port number. The expressions are actually really easy, and I've gone to Wireshark.org and they've got them all listed out there, and it tells you exactly how to filter on what you're looking for. So it takes a little bit of practice for some of the more complicated ones, but it's actually pretty intuitive. Now we use this in hacking to identify traffic. Well, some people do. But I mean you use it for a legitimate purpose, as network diagnostics and trying to keep up with what's going on on your network. How do you use it as a network admin? All the time. This is a network admin's best tool. This is the way you can actually see what's happening on your network. If you have problems with latency, with dropped packets, any kind of network issues.
Latency just means that things are going too slowly. It means that there's some kind of delay on your network. So your network seems slow. You're getting error messages or timeouts or something. Now Wireshark will identify the really bad stuff with a black background and orange letters. You can filter right away. That's bad. So what are some of the bad things that would flag in those colors? Well, for example, in the TCP protocol there's something called a reset. A reset is like an emergency shutdown. I've got a major error. I'm not going to talk to you anymore. Go away, and that's what the reset is. And that never happens under normal circumstances. Under normal circumstances, you have the SYN and the SYN-ACK to set up, and then they have a nice controlled shutdown. But the reset is like an emergency. You have the SYN and the SYN-ACK, which is the normal type of shutdown. The reset is just like an emergency pull the plug. If you're seeing resets, then that's clearly a signal that something is wrong. Or if you see a lot of resent packets, if packets aren't getting through and they're getting lost and you see a lot of things being resent, Wireshark will also identify those. We're talking about dropped packets. If you're dropping a lot of packets, that shows you that something's not right. So how would you identify, say, someone doing what they call a SYN attack? This is a stealth attack where they're just looking for that first response from the server. I'm sending out a SYN, you acknowledge it, but then I never reply back to complete the conversation hookup. There are only two of the three steps. In your capture, you would just see SYN after SYN after SYN after SYN without the SYN-ACK, ACK. So it never completes. They just keep sending SYNs, so they keep using up port numbers, using up resources, without ever completing the three-way handshake. It's kind of like, aha, I'll pull the handshake back.
And I leave you hanging. If I leave you hanging 65,000 times, then you completely run out of ports, and then the next valid connection can't take place because there are no empty ports left. Right, right, right, right. So until you reset it or something like that. And if you see port scans, sometimes you'll see something, you'll just see ports in order from one up to 65,000. You'll just see like a probe to each port. That's clearly someone scanning to see if there are any open ports that they might be able to poke at and try to get in through. So that's part of the reconnaissance that hopefully ethical hackers will do. And they should let you know in advance, I'm going to be port scanning. It could be pentesting, or it could be somebody unauthorized trying to find a hole in your network. Now there's a bigger danger we were talking about, that some objects that are being sent across the wire can be captured and reproduced. So we've got a third screenshot here of one of those captures. We're doing a capture and then we look at the details of it. And in this capture we can see in the blue content, the third line, image/gif. So we're actually trying to recreate an image from bytes going across. We captured this in one of our captures, and if I wanted to I could save that as well. They selected raw here, but if you change it to like a JPEG or a GIF you can usually recreate the image rather handily. And it says GIF, so if I recreate the image I'll just tag it with .gif and I should be able to see the image that was transferred across the wire. And again, if you're sitting at Starbucks sending pictures to somebody, watch out, because if I capture that traffic I've got your pictures, which is kind of dangerous. Well, depending what kind of pictures they are. It could be very dangerous. It could be very dangerous. So objects being transferred across could be reproduced, and not just pictures. Any type of content. Web pages. Spreadsheets. Yes. Spreadsheets. Files. PDFs.
People send PDFs of things. Email messages. Emails. Anything that goes across that network could be captured and could be recreated. So when I get a capture in Wireshark, I have the opportunity to save it as a .pcap file, which means I can go into my little treasure trove of PCAPs and double click on one, and Wireshark will pop up and it'll show me that conversation. I can do filtering and searching through this stuff, and if I really want to geek out I can start capturing traffic. You can start saving conversations. And this was the conversation from Starbucks on April 16th at 4 o'clock in the afternoon. Let me see what people were doing. Now if people want to know more, we've got about a minute left. So let's wrap this up: we do this at Kapiolani Community College in the UH system, and we teach networking, ethical hacking, network security, cyber security fundamentals, this whole range of classes. And we have an IT and a cyber security program with certificates of achievement, and we articulate, which means we let people start their undergraduate degree out of the community college system, to UH West, which has a bachelor's in information assurance. Anything you want to say about your program? Wireshark is one of the tools that we use extensively in the networking class, in the network security class, ethical hacking. We use it again and again. We really try to emphasize real world tools and how to do this stuff hands on. We also have an ICT club that does ethical hacking and penetration testing for companies in our local area, which is really great too. Okay, thanks for being with us everybody. That's the Cyber Underground for this week. Join us next week, and until then, stay safe.