An updated version of Wireshark has been released – 1.2.4. Full details are available in the release notes.

It is available in the following formats:

• Windows Installer (32-bit)

• Windows Installer (64-bit)

• Windows U3 (32-bit)

• Windows PortableApps (32-bit)

• OS X 10.5 (Leopard) Intel .dmg

• OS X 10.5 (Leopard) PPC .dmg

• Source Code

from the download page.

Install Microsoft Visio on your machine

Use the directions in the linked document to configure NAT translation.  Then install Wireshark or Ethereal and capture packets for two minutes.

Create a Viso document with the seven layers of the OSI Model and the four layers of the TCP/IP model. Map the protocols to the layers of each protocol and list the definitions and uses for all captured packets.

http://docs.google.com/View?id=dhmq547v_180gf2mfncd

Para hacer un filtrado por el “Request Method” GET:

http.request.method == “GET”

Original Issue Date: November 12, 2009

Severity Rating: Medium

Systems Affected
Wireshark versions 0.10.10 through 1.2.2

Overview
Multiple vulnerabilities have been reported in Wireshark network Protocol
Analyzer which could be exploited by attackers to cause a denial of service
condition on the systems installed with affected version of application.

Description
These vulnerabilities are caused due to errors in the RADIUS
(CVE-2009-2560), DCERPC/NT (CVE-2009-3550), Paltalk
(CVE-2009-3549) and SMB (CVE-2009-3551) dissectors while processing
specially crafted packets or data. This could be exploited by attackers to
crash an affected application or exhaust all available memory resources
thus creating a Denial of Service condition.

Solution
Upgrade to Wireshark version 1.2.3 or 1.0.10:
http://www.wireshark.org/download.html

Vendor Information
Wireshark
http://www.wireshark.org/security/wnpa-sec-2009-08.html
http://www.wireshark.org/security/wnpa-sec-2009-07.html

References
SecurityFocus
http://www.securityfocus.com/bid/36846
Secunia
http://secunia.com/advisories/37175
VUPEN Security
http://www.vupen.com/english/advisories/2009/3061
SecurityTracker
http://www.securitytracker.com/alerts/2009/Oct/1023111.html
CVE Name
CVE-2009-2560
CVE-2009-3549
CVE-2009-3550
CVE-2009-3551

Disclaimer
The information provided herein is on “as is” basis, without warranty of
any kind.

Using this program in this post will help you figure it out.  Wireshark is also great for network security.  Click here to read more.

Wireshark 1.2.1 Multiple Vulnerabilities

Wireshark 1.2.0 Multiple Vulnerabilities

Wireshark 1.2.2 and 1.0.9 Multiple Vulnerabilities

fuente: securityfocus.com

If you have a problem like:

• One of a set of load balanced servers is behaving unexpectedly and
• Targetting that machine directly by IP address does not fail the same way

Then you may have a missing host header.

Your host name may be being routed to a different application.

This kind of thing has prompted us to think about writing smoke tests for this type of multi-machine configuration.

As a follow up to last week’s post regarding Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark. The software is available to all as open source software under the GNU GPL license. We hope that it helps in doing further investigation and research into the Mariposa botnet. Special thanks to Defence Intelligence for their analysis on Mariposa.

Read on for information on installing and using the plugin.

Where to get it
The project is hosted here on Google Code.

How to install it
Unzip the mariposa.zip file. There will be 3 files – mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the wireshark plugin directory. For example, d:\wireshark\plugin. The code was compiled based on Wireshark version 1.2.2. It may work on previous versions, but there are no guarantees.

How to use it
Restart Wireshark. Open a PCAP of the Mariposa command and control traffic. Locate the traffic which you want to decypt, right-click and select Decode As…

A dialog box will appear (on the Transport tab) and you will get a list on the right side of the dialog box. Search and choose MARIPOSA and click Apply.

“MARIPOSA” will now appear as the protocol for the associated traffic.

How to read it

In the Wireshark Packet Detail window, there is a tree named MARIPOSA Protocol, you will find Opcode, Seq, Original Data, Decrypted Data, BOT cmd, BOT cmd Content items. The Decrypted Data is probably the most interesting. Click on it to view the decrypted data.

Mariposa pulling a file down from Rapidshare

Receiving attack instructions

A confirmation message from the infected client to the command and control server - "Flood running"

source : http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/

Download from : http://code.google.com/p/botnetdecoding/

Hola a tod@s! Seguimos con esta entrega dedicada al análisis forense de tramas de Red. En esta entrada nos vamos a centrar en protocolos que no están muy documentados.  La gran mayoría de analizadores de red ofrecen soporte a protocolos que están bien documentados y dan parte de soporte o ninguno a protocolos que no están documentados. Este tipo de problemas se pueden dar en algún tipo de investigación forense, y casi seguro que alguno de los lectores se habrá visto en algún caso parecido.

En nuestro caso, vamos a centrarnos en un protocolo que no está muy documentado, pero que es ampliamente utilizado. Es el caso de la mensajería instatánea con Windows Live Messenger y derivados.

Los primeros atisbos de información que nos encontramos, los tenemos en la Web del Internet Engineering Task Force. En dicha Web, mantienen un borrador de un protocolo llamado Messenger Service . Leyendo este documento, tendremos una idea básica de cómo el protocolo de Windows Live Messenger trabaja a la hora de enviar y recibir información.

Más adelante (hablando de tiempo), Webs como Hypotetic.org o MSNPiki documentarían más este protocolo, realizando ingeniería inversa sobre el mismo.

Wireshark implementa un único filtro para filtrar la comunicación a través de Messenger llamado MSNMS. Gracias a este filtro, podremos trabajar sólo con este protocolo.

Al ser un protocolo que envía los mensajes en texto plano, es fácil extraer una conversación de Messenger aplicando como búsqueda la cadena “Text/Plain” en el filtro de búsqueda por paquetes que dispne Wireshark.

Imagen 1.- Extracción conversación Messenger con Wireshark

Herramientas comerciales como MSN-Sniffer, pueden capturar este tráfico y parsearlo directamente a una salida más “humana”.

Lo malo de todo esto, es que no toda la información enviada a través de este cliente de mensajería se envía a través del protocolo MSNMS. El envío de mensajes de Voz, ficheros o vídeo se realiza a través de protocolos comunes como TCP o UDP. Y, en este caso, ni MSN-Sniffer ni ninguna otra herramienta (que yo conozca) es capaz de detectarlo y extraerlo.

En el caso del envío de ficheros a través de Messenger, y leyendo la valiosa información de la Web MSNPiki, nos encontramos con que primeramente se envía un número de identificador único (GUID), el cual se especifica para determinar que lo que se va a transmitir es un fichero. En el mismo paquete, se añade un identificador llamado APPID.

Imagen 2.- Envío de ficheros a través de Messenger

Si se observa con atención este paquete, en el contexto de este campo (AppID), aparecen una serie de caracteres codificados en Base64. Decodificando este texto nos daría el nombre del fichero que se está enviando.

Imagen 3.- Decodificando mensaje Base64

Una vez recibida esta información se empieza con el envío de datos. La transmisión de ficheros a través de Messenger es algo complicada, ya que se pueden enviar a través de TCP o UDP, y, en mi caso, no conozco ninguna herramienta que, a través de un archivo PCAP y en modo Offline, pueda reconstruir los ficheros enviados a través de este cliente de mensajería instantánea. Tanto el señor Maligno como Dani Kachakil tienen muy buenos artículos sobre cómo extraer ficheros enviados a través de Messenger. La idea básica es ir recopilando cada paquete (ya sea TCP o UDP), para después unir todas las tramas y formar el fichero extraído.

Imagen 4.- Follow TCP transmisión de paquetes en Messenger

Como esto se complica cuando se transmiten varios ficheros simultáneamente, nuestro compañero Rodol, de informática64, se curró una herramienta muy chula hace tiempo que realizaba esto mismo. Capturar todos los paquetes transmitidos a través de messenger, para después reconstruir los ficheros realizando un fingerprinting de los mismos.

Imagen 5.- Sniffer de Messenger con funciones de recomposición de ficheros

Esta herramienta, junto con muchas más, las damos en exclusiva a las personas que se apunten a los cursos FTSAI que impartimos en informática64.

Hasta la próxima entrega!

The winner of the “What’s wrong with Smelly Widgets packet challenge?” is . . . Arvind Doraiswamy.

Here’s Arvind’s solution.

Arvind writes:

1. A blank form with a login and a password is first displayed. The webserver is running on 192.168.94.143 and an access attempt is made from 192.168.94.144.

2. Attempt at logging in with a blank username and password is then done(Packet 9). This is insuccessful as shown in Packet 12 where a user is not allowed to login with empty credentials.

3. Packet 14 sees the user try to login with the username chris and an empty password. This too is insuccessful as shown in Packet 17 , a user must have something in the password field.

4. Packet 19 sees a third attempt at trying to login with the username chris and the password “password” . The attacker is trying out various common password combinations. This too is insuccessful as shown in Packet 22 and returns an error message of “Invalid credentials” . This means that you must enter something in both fields. So the attacker must now either find a valid combination or must try and bypass the login somehow. Well, he doesn’t have a valid combination so he decides on the latter.

5. At this point though there is another request for the home page on 192.168.94.143 from 192.168.94.1. He tries to login with the username of chris and a password of smellywidgets. This results in a successful login and displays order history. This is crucial…

6. On packet 37 we now see chris making another attempt to unsuccessfully login with username chris and password ismellpackets from the IP 192.168.94.144. This again is unsuccessful.

7. The attacker on 192.168.94.144 is now fed up and decides to try and get in without a valid username and password. On packet 42 he sends a request with username and password as follows:
username: ‘ OR 1=1–
passsword: password

This login is a success!! What happened here? Lets take a look at how a normal successful login would happen in the first place.
—
EXPLANATION:

A website is hosted on a webserver. A login page is part of the website. When a user enters his username and password on the website, it is accepted as input by the website form and handed over to the code for further processing. The application code now must compare what the user entered with what is already stored in the database. If it didn’t do this — well , there wouldn’t be a need for a login form at all and everyone could see everyone’s data. Now how does the application actually do this?

The application needs to ask the database whether it has entries for the input that the user gave at the login page. So if we take the example of a successful login made by chris from the IP 192.168.94.1 the application will ask the DB – “Do you have an entry for someone called chris , he’s entered a password called smellywidgets. Is this correct?” . The DB checks in its entries and says “yes that’s fine.. Chris indeed exists – allow him in”. Now the language that the application talks to the DB is called SQL – and when it asks a question – its said to be “querying” the database. So effectively the application queries the database in a language called SQL.

Now obviously there needs to be some structure to this SQL query. So while checking authentication is sends a query as follows:
SELECT username from users where ‘username’='chris’ and ‘password’=’smellywidgets’ . SQL surrounds its userinput by single quotes, that’s part of the syntax.

The DB check the validity of the user chris , checks if his password is smellywidgets and then if it finds an entry like that, returns the username to the application. The application checks if the number of entries returned are not 0 (meaning there was a match) and then allows the user access. Great..now we know how a normal login happens. Now what happened when we typed ‘ OR 1=1– instead of chris? Again an SQL query is formed , but this time the query is as follows:
SELECT username from users where ‘username’=” OR 1=1– and ‘password’='password’

Pay careful attention to the ” OR 1=1– . It effectively translates to .. “Please check is there is a user called ” (BLANK) OR check if 1=1 “. Huh? Now obviously there is no user called ” or BLANK in the DB but the second part 1=1 .. well that’s always going to be true ..right? 1 is always 1 and 2 is always 2 so that part will alwys be true. This means that the first part of checking the username has evaluated to TRUE and a successful message will be returned if the password is correct as well. Er..but I don’t know the password. No problem .. that’s where the — comes along.

A — in SQL means a comment , which means everything after the — is ignored by the DB engine thus resulting in the query which runs as :
SELECT username from users where ‘username’=” OR 1=1–

It didn’t matter what password I entered, the DB just checked if 1=1 which is always TRUE, returned a message to the app saying.. hey this is TRUE. Go ahead and grant access, and the application duly did so. This technique is called SQL Injection where you modify a backend SQL query using your own input and retrieve data accordingly. Now back to the challenge!!

—–

8. Packet 51 depicts a login successful message to the SQL injection request made on packet 42. Packet 53 shows each and every widget order that was placed by every user, this is clear because multiple credit card numbers are shown in the HTTP response. This has happened because the DB has returned the first entry which it found matched the user’s request – and this was the first user , who in this case was probably an admin user who could see all entries.

9.On packet 68 the user clicks the logout button and decides to logout of the application. Confirmation of his successful logout is shown in Packet 77 and 79.

10. The attacker starts another login process in Packet 81. The body of the HTTP POST request is split across so many packets because of the size of the __VIEWSTATE parameter which ASPX applications use to remember previous entries made by users in forms. This isn’t that relevant here though as of now. The request is so huge that you see the actual userinput only in packet 86 this time. This time the entry he has made is %27%3B+UPDATE+Orders+Set+Amount%3D0.01– . What does this mean now? Time for a little bit of background on what those funny characters are:
—-

EXPLANATION:
When you type a special character which isn’t alphanumeric the browser performs something called URL Encoding on it before sending it to the server. It effectively means – When you send data over the Internet , it doesn’t need to be encoded if its ASCII.. coz ASCII is an example of “WYSIWYG” (What you see is what you get). However that isn’t true of other characters like ‘ % and others – hence they are URL encoded before sending it out. A single space is encoded as %20 by the browser – hence if there’s a space in your data you must send it as a + instead. Now back to the challenge, what does this input say?
—-

11. %27%3B+UPDATE+Orders+Set+Amount%3D0.01– translates to ‘; UPDATE Orders Set Amount=0.01– . Hmm ..things are getting interesting now. If you recall how we discussed SQL before – the backend query for this translates to: SELECT username from users where ‘username’=”; UPDATE Orders Set Amount=0.01– and ‘password’='password’ . This tells the DB to check if the username is blank and the update all entries in the Amount column in the Orders table to 0.01. Now note …this isn’t going to successfully log you in to the DB – we don’t have a 1=1 like before but the SQL query will still work. Why? Because we know that the username field is vulnerable to SQL Injection I can not only log in by bypassing authentication — I can tell the application to send any query I want executed on the remote DB. In this case its an update query — I separate the original SELECT query and the UPDATE query with a ; — The UPDATE query won’t run unless you put the ; — That’s a separator incase you want to run multiple queries (batched queries they are called in SQL). Potentially I could run more queries by just putting in a ; between each of them. Phew ..lets move on.

12. Packet 98 – shows a failed login attempt for the UPDATE query..but that’s perfectly fine. You do not need to be “logged in” to do damage with a SQL injection. All you need is an entry point. That’s why its so dangerous. Going on then..

13. Now he tries to login with the ‘ OR 1=1– input which we discussed earlier..possibly to check whether what he did with the UPDATE succeeded or not. The complete Request body is in Packet 105.

14. Perfect!! Look at Packet 121 now.. You need to look directly at 121 because Wirshark has this feature called Reassembled TCP where it basically joins all the data split across packets into 1 long bit. if you don’t want to read inside Wireshark , you can right click paket 121 in Wireshark and do a Copy — Bytes Printable text only to a text editor. You can also copy from a FollowTCPStream. Here you can clearly see that the amounts of each and every widget is now 0.01 , meaning that the UPDATE query succeeded.. even without a successful login.

15. Packet 129 sees the attacker logout again..now that he’s confirmed that the SQL Injection has worked and Packet 140 shows him the login page again.

16. Things are now getting worse on Packet 147. By following the same methodology above you can see that the payload the attacker uses this time is:
INSERT INTO Users VALUES (100,’hacker’,’sniffthis’)– . He’s creating a new user with an ID of 100 a username of hackers and a password sniffthis. Again..the SQL will succeed..but he won’t be able to login. This shows that the ‘ OR 1=1– was primarily just a test to find out whether the field was vulnerable or not, the real juicy stuff is here. The hacker should now try and login with this new account..lets see if this happens. Packet 159 BTW predictably rejects the login attempt.

17. Yes, predictable the hacker now logs in with the username of hacker and the password of sniffthis in Packet 166 and Packet 170 shows a successful response. After the test login he logs out again on Packet 172.

18. Now he starts SQL injecting again this time using a batched SQL query (remember queries split by a ; ? ) to log in successfully with a ‘ OR 1=1– as well as add a new entry with the query :
‘ OR 1=1; INSERT INTO Orders (OrderId, Item, CreditCard) SELECT UserId,Username,Password FROM users–

Now there should be a new entry in the Orders table with the values 100,hacker,sniffthis .. right at the bottom. We’ve basically retrieved the hacker’s details from the users table and Inserted them into the orders table for some reasson. Lets see why..lets look at the response.

19. Yes , just like we thought. Have a look right at the bottom of Packet 206. We see a row 100 hacker sniffthis ; meaning that the attacker managed to successfully INSERT and VIEW his results. He then successfully logs out as can be seen in Packet 236. Now what?

20. He’s placed an entry into Orders , meaning he bought stuff without paying a cent, he’s changed all order prices , now he destroys the entire users table by SQL injecting again — ‘; drop table users– . This is on Packet 248. The by now familiar Invalid Credentials message comes in on packet 266… but he’s not bothered any more. His job is done.

21. Now there’s a connection again from the other IP 192.168.94.1 . Remember the guy here successfully logged in once? Lets see what happens now. Yes, he tries again on Packet 276 with the same username and password with which he succeeded last time – Username: chris and Password: smellywidgets.

22. Disaster.. The Users table is not found…of course it won’t be – The ‘hacker’ user dropped it after he inserted a successful order. The response in packet 279 shows this error message clearly – ERROR: Failed to execute SQL command: Invalid object name ‘Users’

Maybe there will be guys who use clever scripting techniques to pull out all the data – but since the dump was just 280 packets I didn’t really spend too much time thinking on how I’d do that and stuck to good old Wireshark instead. Thnx for a nice challenge anyway though

—

Chris continues:

About the only thing I’d like to add to Arvind’s solution is that it’s sometimes nice to know what type of systems you’re dealing with. In this particular case, you can do this by following the TCP Stream and looking at Host Headers. Notice bold text in the following output:

GET / HTTP/1.1
Host: www.smellywidgets.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/8.10 (intrepid) Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 05 Oct 2009 17:51:57 GMT
Content-Length: 1922
…

Examining the above, we can see that this server appears to be running IIS 7 and ASP.NET. We can probably safely assume that this is a Windows 2008 server. Now, just because this is a new Windows 2008 server doesn’t mean that it’s immune to SQL injection. User input always needs to be sanitized. Filtering out characters like single quotes, double quotes, and semi-colons would have prevented this attack.

Just case you’re interested, this challenge was created using a Windows 2008 virtual machine, IIS, ASP.NET, Visual Web Developer 2008 Express, and SQL Server Express 2008.

Thanks to everyone for sending in all the write-ups. You all did a great job. It was really hard to choose a winner. Special shot out to Louw Smith for being the only one to mention the Beatles reference. It was also nice to have a couple of my former Sec 401:SANS Security Essentials students submit answers. You guys rock!

Speaking of Sec 401: SANS Security Essentials, I’ll be teaching it again in Sacramento, CA. January 28-30 and February 1-3. If you’re interested in attending please feel free to contact me. There are also some links on the left with more information.

That’s it for now. Again, congratulations to Arvind and thanks to everyone who sent in answers.

The following are some links to more information about this week’s challenge:

SecuriTeam – SQL Injection Walkthrough
SQL Injection Cheat Sheet
Cheat Sheets – pentestmonkey.net

Here shows u the steps on how to monitor the TCP protocol on a interface. Since the Ethernet is broadcasting in nature, u will find many unknown packets that both the source and destination do not belong to your IP.

1. Start the Wireshark program and click the Interface List. A window will be prompted and click Options for the interface which is going to be monitored.

Monitoring an interface

2. Enter host 192.168.24.23 in Capture Filter. So only packets associated with this IP are captured. Then click the Start button.

Set the Capture Filter

3. You can now find the all the packets with 192.168.24.23. The on in blue is the HTTP header received from 192.168.24.24. The content length in header is 3373.

View the data in the TCP packet

4. If you want to filter out other protocols (like ARP in the above picture) such that only TCP packets are shown, enter tcp in Filter and click apply.

5. In order to view the whole HTTP request, right click any of the TCP packet and choose Follow TCP stream.

View the HTTP request

6. Now, the whole HTTP request is shown. You can filter the response by selecting the direction in the drop down box at the bottom.

View the HTTP request

7. Please note that the length 3719 is the whole length including the HTTP header. To obtain the content length, Save the HTTP request as
RAW and the remove the text including the blank line in the red box. Then the file size should be 3373.

Reference

• Wireshark – Filter Tutorial
• 少 ‧ 林: Wireshark 教學

Done =)

There is an unknown bug in the program which i have mentioned before. The program, which runs on jdk 1.4, found that the actual content length of the HTTP request is not the same as declared in the HTTP header.

Last time i made use of a java program which runs on jdk 1.6 to compared the header content length and the actual content length. But they are equal this time. I would like to confirm whether the content lengths are consistent or not. Wireshark is a program which can monitor many different kinds of protocols including TCP, HTTP…etc on your interface.

Wireshark Official Website

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

Download

 Windows Installer (32-bit)

 Windows Installer (64-bit)

 Windows U3 (32-bit)

 Windows PortableApps (32-bit)

 OS X 10.5 (Leopard) Intel .dmg

 OS X 10.5 (Leopard) PPC .dmg

 Source Code

The 64-bit Windows installer requires the Microsoft Visual C++ 2008 SP1 Redistributable Package (x64) in order to run.

http://www.wireshark.org/

Grafik arayuzu ile network uzerinde gerceklesen butun baglantilari analiz eder, Eski adi Ethereal olarakta

bilinir.

Resmi Websitesi ;

Wireshark