
ITB2 - K29 - CNTT - Hanoi University of Science and Technology

PACKET ANALYSIS WITH WIRESHARK

TABLE OF CONTENTS

Introduction
1. What is packet analysis?

2. The steps of packet sniffing
I. Ways to sniff packets on a network
1. Living Promiscuously (capturing every packet that passes by)
2. Sniffing on a hubbed network
3. Sniffing on a switched network
 - Port Mirroring
 - Hubbing Out
 - ARP Cache Poisoning
4. Sniffing on a routed network
Network Maps
II. Introducing Wireshark
Some advanced features of Wireshark
1. Name Resolution
2. Protocol Dissection
3. Following TCP Streams
4. The protocol hierarchy statistics window
5. Viewing Endpoints
6. The IO graph window

Design by MrQu - Mobile: 0983127983 Email:Quynx.hnue.hut@gmail.com;Quynx@IT4r.net

Introduction

Every day, millions of problems arise on computer networks, from something as simple as a spyware infection to something as complex as a misconfigured router, and they cannot all be dealt with at once. The best we can hope for is to arm ourselves with the knowledge and the tools that match those problems. All network problems originate at the packet level, where nothing is hidden from us, where nothing is obscured by menu structures, eye-catching graphics or untrustworthy employees. There are no secrets here; at this level we can take control of the network and resolve its problems. This is the world of packet analysis.

1. What is packet analysis?

Packet analysis, often referred to as packet sniffing or protocol analysis, describes the process of capturing and interpreting live data as it flows across a network, with the goal of better understanding what is happening on that network. Packet analysis is usually performed with a packet sniffer, a tool used to capture the raw data travelling over the wire. Packet analysis can help us understand the make-up of the network, who is on it, who or what is consuming bandwidth, at what times network usage peaks, where attacks and malicious activity may be occurring, and which applications are not secured. There are several kinds of packet sniffers, both free and commercial, each designed with different goals in mind. Some popular ones are tcpdump (a command-line program), OmniPeek, and Wireshark (the latter two have graphical interfaces). When choosing a packet sniffer, several factors should be considered: the protocols it supports, ease of use, cost, technical support, and which operating systems it runs on.

2. The steps of packet sniffing

The sniffing process is divided into three steps: collection, conversion and analysis.

Collection: in this first step, the packet sniffer switches the selected network interface into promiscuous mode. This mode lets the network card listen to every packet travelling on its network segment. The sniffer uses this mode, together with low-level access, to capture the binary data on the wire.

Conversion: in this step, the captured binary packets are converted into a readable form.

Analysis: the converted packets are analysed.


There are several different packet sniffing programs; in this essay we introduce a typical one with many powerful features for capturing and analysing packets: Wireshark. The main parts are:

Part I: Ways to sniff packets on a network
Part II: Introducing Wireshark
Part III: Scenarios with Wireshark
Part IV: Handling network scenarios with Wireshark

I. Ways to sniff packets on a network

To capture packets on a network, we have to work out where to place the sniffer within the network's cabling. Put simply, this means placing the sniffer at the right physical location in the network. Sniffing packets is not as simple as plugging a laptop into the network and capturing. In fact, placing the sniffer is often harder than analysing the packets. The challenge is that a large number of hardware devices are used to connect machines to one another, and the three main kinds (hubs, switches and routers) operate on very different principles. This requires a clear understanding of the physical layout of the network being analysed. We will look at several real networks to show the best way to capture packets in each environment: hub, switch and router.

1. Living Promiscuously (capturing every packet that passes by)

Before sniffing packets on a network, we need a network card that supports promiscuous mode. Promiscuous mode lets the card see every packet passing along the wire. When a card is not in this mode, it sees a large number of packets that are not addressed to it and simply drops them. In promiscuous mode it captures all packets and passes every one of them to the CPU.

2. Sniffing on a hubbed network

Sniffing on a hubbed network is a dream scenario for packet analysis. A hub works by forwarding each packet to all of its ports. So to analyse a computer on a hub, all you have to do is plug the sniffer into a free port on the hub. You can then see all traffic sent and received by every machine connected to that hub; your window of visibility is unrestricted when your sniffer is connected to a hubbed network.

3. Sniffing on a switched network


A switched environment is the most common kind of network you will work in. A switch provides an efficient means of transporting data via broadcast, unicast and multicast. A switch allows full-duplex communication, meaning a station can send and receive data from the switch at the same time. When you plug a sniffer into a switch port, you can only see broadcast traffic and the packets sent and received by the computer you are using.

There are three main ways to capture packets from a target device on a switched network: port mirroring, ARP cache poisoning and hubbing out.

Port Mirroring

Port mirroring, also called port spanning, is probably the simplest way to capture traffic from a target device on a switched network. With this method you need access to the command-line interface of the switch the target machine is plugged into. Naturally the switch must support port mirroring and have a free port for the sniffer. When you mirror a port, you copy all traffic passing through that port to another port.


Hubbing Out

Another simple way to capture the traffic of a target device on a switched network is hubbing out. Hubbing out is a technique in which you place the target device and the sniffer on the same network segment by plugging both directly into a hub.

Many people think hubbing out is cheating, but it is really a perfect solution when you cannot perform port mirroring yet still have physical access to the switch the target device is plugged into. In most cases hubbing out reduces the target device's link from full duplex to half duplex. While this is not the cleanest way to sniff, it is usually the fallback option when the switch does not support port mirroring.


When hubbing out, make sure you are using a real hub and not a mislabelled switch. When you use a hub, confirm that it really is a hub by plugging two computers into it and checking whether one can see the traffic of the other.

ARP Cache Poisoning

Layer-2 addresses (MAC addresses) are used together with the layer-3 addressing system. All devices on a network communicate with each other through IP addresses. Since a switch operates at layer 2, it must be able to translate layer-2 (MAC) addresses to layer-3 (IP) addresses and back in order to forward packets to the right device. This translation is performed through a layer-3 protocol, ARP (Address Resolution Protocol). When a computer needs to send data to another computer, it sends an ARP request to the switch it is connected to. The switch sends an ARP broadcast to every machine connected to it, asking who owns the address. When the destination host receives this packet, it answers the switch with its MAC address. Having received the reply, the switch can route the connection to the destination host. The information received is stored in the switch's ARP cache, so the switch does not need to send a new ARP broadcast every time it has data for that receiver.

ARP cache poisoning is an advanced technique for sniffing on a switched network. It is commonly used by hackers to send falsely addressed packets to a receiver in order to eavesdrop on live traffic or to mount a denial-of-service attack, but ARP cache poisoning can also serve as a legitimate way to capture a target machine's packets on a switched network. ARP cache poisoning is the process of sending an ARP message with a forged MAC address to a switch or router in order to listen to the traffic of a target device. The Cain & Abel program (http://www.oxid.it) can be used to perform this.
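From the defender's side, the technique described above leaves a recognisable trace: the same IP address is suddenly claimed by a second MAC address, and the forging host emits replies nobody asked for. The following detector is an added example, not code from the original essay; it parses raw Ethernet/ARP frames and flags both symptoms. All MAC and IP values in the sample capture are constructed for the demonstration.

```python
"""Spotting ARP cache poisoning from a mirror port or hub tap.

Added example, not code from the original essay. The frames are built
inline and all MAC/IP values are constructed for the demonstration.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP
    frame carrying IPv4, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, mac_str(arp[8:14]), ip_str(arp[14:18]), ip_str(arp[24:28])


def build_arp(opcode, smac, sip, tmac, tip, eth_dst=None):
    """Construct an Ethernet/ARP frame (test data only)."""
    eth = (eth_dst or tmac) + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + smac + sip + tmac + tip
    return eth + arp


def detect_poisoning(frames, unsolicited_limit=3):
    """Walk frames in capture order and return a list of alert strings.

    Two symptoms are flagged: an IP whose MAC binding differs from the first
    reply seen for it, and a MAC that keeps answering requests nobody sent
    (a few gratuitous ARPs are normal, hence the small threshold)."""
    bindings = {}                  # sender_ip -> first MAC seen claiming it
    unsolicited = defaultdict(int)  # sender_mac -> replies without a request
    pending = set()                # IPs with an outstanding request
    alerted, alerts = set(), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, smac, sip, tip = parsed
        if opcode == ARP_REQUEST:
            pending.add(tip)
            continue
        if opcode != ARP_REPLY:
            continue
        if sip in pending:
            pending.discard(sip)
        else:
            unsolicited[smac] += 1
            if unsolicited[smac] == unsolicited_limit:
                alerts.append(f"unsolicited ARP replies from {smac}")
        first = bindings.setdefault(sip, smac)
        if first != smac and (sip, smac) not in alerted:
            alerted.add((sip, smac))
            alerts.append(f"{sip} moved from {first} to {smac}")
    return alerts


def sample_frames():
    """Constructed capture: one legitimate request/reply, one IPv4 frame,
    then three forged replies claiming the gateway's IP."""
    gw_mac, victim_mac = bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000002")
    rogue_mac = bytes.fromhex("dead00beef03")
    gw_ip, victim_ip = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 20])
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, bytes(6), gw_ip, eth_dst=b"\xff" * 6),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        bytes.fromhex("aabbcc000002aabbcc0000010800") + bytes(46),  # EtherType IPv4: skipped
    ]
    frames += [build_arp(ARP_REPLY, rogue_mac, gw_ip, victim_mac, victim_ip)] * 3
    return frames


if __name__ == "__main__":
    for alert in detect_poisoning(sample_frames()):
        print("ALERT:", alert)
```

The binding table is keyed on the first reply seen, so the detector must be started before the poisoning begins or fed a known-good gateway binding; in a real deployment that table would be seeded from the switch's MAC address table rather than learned from the wire.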


4. Sniffing on a routed network

All the sniffing techniques for switched networks can be used on routed networks as well. The one thing to keep in mind with a routed network is how important sniffer placement becomes when troubleshooting a problem that spans several network segments. A device's broadcast domain extends until it reaches a router. At that point the traffic is handed off to the next router, and you lose sight of the packets until you receive the ACK from the receiving machines. In such a situation the data travels through several routers, so it is important to analyse traffic on every router interface. For example, consider a connectivity problem in a network with several segments linked through routers. In that network, one segment is connected to another for the purpose of storing and retrieving data. The problem we are trying to solve is that segment D cannot communicate with devices on segment A.

When you sniff the traffic of a device on segment D, you can clearly see traffic being sent towards segment A, but no acknowledgements (ACKs) come back. When you sniff the traffic on the upstream segment to find the cause, you discover that the traffic is being dropped by the router on segment B. This finally leads you to check the router's configuration and, once it is corrected, the problem is solved. This is a typical example of why traffic from several devices on several segments has to be sniffed to pin down a problem precisely.


Network Maps

To decide where to place the sniffer, it is best to have a clear understanding of the network you intend to analyse. Identifying the problem is often half the work of troubleshooting.

II. Introducing Wireshark

Wireshark has a rich history. Gerald Combs was the first developer of the software. The first version, called Ethereal, was released in 1998. Eight years after that first release, Combs left his job to pursue another career opportunity. Unfortunately, at that time he could not reach an agreement with his employer over the rights to the Ethereal trademark. Instead, Combs and the rest of the development team rebranded the Ethereal product in 2006 under a new name: Wireshark. Wireshark has grown strongly since then, and its development team now numbers up to 500 contributors. The product that existed under the name Ethereal is no longer developed.

The benefits Wireshark offers have made it as popular as it is today. It meets the needs of both professional and amateur analysts, and it offers many features that attract each of these audiences.

Protocols supported by Wireshark: Wireshark excels in protocol support (around 850 protocols), from common ones such as TCP and IP to specialised ones such as AppleTalk and BitTorrent. And because Wireshark is developed under an open-source model, new protocols keep being added. It can be said that there is no protocol Wireshark cannot support.

User friendliness: Wireshark's interface is one of the easiest to use among packet analysis tools. Wireshark is a graphical application with a very clear and well-organised menu system. Unlike some products that use complex command lines, such as tcpdump, Wireshark's graphical interface is excellent for anyone entering the world of protocol analysis.

Cost: Wireshark is free software released under the GPL. You can download and use Wireshark for any purpose, including commercial use.

Support: the Wireshark community is one of the best and most active of any open-source project.

Operating systems supported: Wireshark supports most of today's operating systems.

Some advanced features of Wireshark

1. Name Resolution


Data travels across a network through several addressing systems, and these addresses are often long and hard to remember (MAC addresses, for example). Address resolution is the process a protocol uses to convert one type of address into another, simpler type. We can save time by using a few address resolution tools to make a capture file easier to read. For example, we can use DNS name resolution to help identify the name of a computer we are trying to pin down as the source of particular packets. There are three kinds of name resolution tools in Wireshark:

MAC Name Resolution: resolves layer-2 MAC addresses to layer-3 IP addresses. If this resolution fails, Wireshark converts the first three bytes of the MAC address to the IEEE-assigned manufacturer name, for example Netgear_01:02:03.

Network Name Resolution: converts a layer-3 address into an easily readable DNS name such as MarketingPC1.

Transport Name Resolution: converts a port into the name of the service that corresponds to it, for example port 80 is http.

2. Protocol Dissection

A protocol dissector lets Wireshark break a protocol down into its components for analysis. The ICMP protocol dissector, for instance, lets Wireshark break captured data apart and format it as an ICMP packet. You can think of a dissector as a translator between the raw data on the wire and the Wireshark program. To support a given protocol, a dissector for that protocol must be built into Wireshark. Wireshark uses several dissectors together to interpret each packet. It decides which dissectors to use with built-in analysis logic and a certain amount of guessing. Unfortunately Wireshark does not always pick the right dissector for a packet; however, this choice can be overridden case by case.

3. Following TCP Streams

One of Wireshark's most useful features is the ability to view TCP streams as the application layer sees them. This feature lets you combine all the information related to a set of packets and shows you the data those packets carry, just as the end user sees it in the application. Rather than viewing the data exchanged between client and server as a jumbled mess, this feature sorts the data so it can be viewed simply. You could use this tool, for example, to capture and decode an instant-messaging session sent by an employee suspected of leaking the company's financial information.

4. The protocol hierarchy statistics window


When you have captured a large file, you need to know the distribution of protocols in it: what percentage is TCP, what percentage is IP, what percentage is DHCP, and so on. Instead of counting each packet to get the result, we can use Wireshark's protocol hierarchy statistics window. This is a great way to benchmark your network. For example, if you know that 10% of your network traffic is normally ARP, and one day you see ARP rise to 50%, you can be sure something is wrong.

5. Viewing Endpoints

An endpoint is the place where a connection ends for a particular protocol. For example, there are two endpoints in a TCP/IP connection: the IP addresses of the systems sending and receiving data, 192.168.1.5 and 192.168.0.8. A layer-2 example would be the connection between two physical NICs and their MAC addresses. The NICs send and receive data, and their MAC addresses form the endpoints of the connection.

When analysing packets, you may find that you have narrowed the problem down to a specific endpoint on the network. Wireshark's endpoints dialog shows several useful statistics for each endpoint, including the address of each machine as well as the number of packets and the number of bytes each machine has sent and received.
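The two windows described above (protocol hierarchy and endpoints) are simple aggregations over the capture, and the ARP baseline check is a comparison against a known share. The following block is an added example, not code from the original essay or from Wireshark: it computes both tables from a list of packet records and applies the baseline rule. The packet records, addresses and sizes are constructed for the demonstration.

```python
"""Protocol hierarchy and endpoint statistics computed from a packet list.

Added example, not code from the original essay. It reproduces in code
what Wireshark's Protocol Hierarchy and Endpoints windows compute and adds
the ARP baseline check the text describes. Packet records are constructed;
addresses and sizes are made up.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # IP address, or MAC address for non-IP frames
    dst: str
    layers: tuple     # protocol stack bottom-up, e.g. ("eth", "ip", "tcp", "http")
    length: int       # frame length in bytes


def protocol_hierarchy(packets):
    """Map each protocol path (e.g. 'eth/ip/tcp') to (frame count, percent of frames)."""
    total = len(packets)
    counts = Counter()
    for p in packets:
        for depth in range(1, len(p.layers) + 1):
            counts["/".join(p.layers[:depth])] += 1
    return {path: (n, round(100.0 * n / total, 1)) for path, n in counts.items()}


def ip_endpoints(packets):
    """Per-IP-address packets and bytes sent and received, like the Endpoints dialog."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for p in packets:
        if "ip" not in p.layers:
            continue
        stats[p.src]["tx_pkts"] += 1
        stats[p.src]["tx_bytes"] += p.length
        stats[p.dst]["rx_pkts"] += 1
        stats[p.dst]["rx_bytes"] += p.length
    return dict(stats)


def arp_share(packets):
    """Percent of frames that are ARP."""
    return protocol_hierarchy(packets).get("eth/arp", (0, 0.0))[1]


def arp_anomaly(packets, baseline_percent=10.0, factor=2.0):
    """True when the ARP share exceeds `factor` times the known baseline."""
    return arp_share(packets) > baseline_percent * factor


def sample_capture(arp_frames):
    """Constructed capture: 18 IP frames plus a chosen number of ARP frames."""
    pkts = [Packet("192.168.1.5", "192.168.0.8", ("eth", "ip", "tcp", "http"), 600)] * 10
    pkts += [Packet("192.168.0.8", "192.168.1.5", ("eth", "ip", "tcp", "http"), 1400)] * 5
    pkts += [Packet("192.168.1.5", "192.168.1.1", ("eth", "ip", "udp", "dns"), 80)] * 3
    pkts += [Packet("aa:bb:cc:00:00:05", "ff:ff:ff:ff:ff:ff", ("eth", "arp"), 60)] * arp_frames
    return pkts


if __name__ == "__main__":
    normal, spike = sample_capture(2), sample_capture(18)
    for path, (n, pct) in sorted(protocol_hierarchy(normal).items()):
        print(f"{path:<20} {n:>4} {pct:5.1f}%")
    print("ARP anomaly (normal):", arp_anomaly(normal))
    print("ARP anomaly (spike): ", arp_anomaly(spike))
```

The percentages are relative to the frame count, as in Wireshark's window, so a nested path such as eth/ip/tcp/http can never exceed its parent; the baseline factor is a tuning knob, and 2x a 10% baseline is deliberately lower than the 50% figure in the text so that a ramp-up is noticed before it reaches that point.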


6. The IO graph window


The best way to picture a solution is to see it graphically. Wireshark's IO graph window lets you graph the data throughput on the network. You can use this feature to look for spikes, or for periods with no traffic, in the specific protocols you are interested in. You can plot up to five lines on the same graph, one per protocol of interest, in different colours. This makes it easier to spot the differences between the graphs.

III. Handling real-world scenarios with Wireshark

1. Some basic scenarios

In this part we turn to more specific problems: using Wireshark and packet analysis to solve a concrete network problem. We present a number of typical scenarios.

A Lost TCP Connection

One of the most common problems is a lost network connection. We will skip over why the connection was lost and look at the symptoms at the packet level. Example: a file transfer loses its connection. The capture begins with four TCP ACK packets sent from 10.3.71.7 to 10.3.30.1.


Figure 3.1-1: This capture begins simply enough with a few ACK packets.

The trouble starts with packet 5, where we see TCP retransmissions appear.


Figure 3.1-2: These TCP retransmissions are a sign of a weak or dropped connection.

By design, TCP sends a packet to its destination and, if no reply arrives within a certain time, retransmits the original packet. If there is still no response, the sender doubles the waiting time before the next retransmission.

As seen in the figure above, TCP retransmits five times; if five consecutive attempts receive no response, the connection is considered terminated. This can be seen in Wireshark as follows:


Figure 3.1-4: Windows will retransmit up to five times by default.


The ability to identify the failing packets sometimes helps us discover where the connection was lost.
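The retransmission pattern described in this scenario (a repeated sequence number, a doubling timer, and a give-up after five tries) can be checked programmatically rather than read off the packet list. The block below is an added example, not code from the original essay; the segment records mirror the scenario (four ACKs from 10.3.71.7 to 10.3.30.1, then one data segment retransmitted five times), but which side sends the data and the exact timings are assumptions made for the demonstration.

```python
"""Finding TCP retransmissions and exponential back-off in a capture.

Added example, not code from the original essay. The segment records are
constructed: the data sender, sequence numbers and timestamps are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float          # capture time in seconds
    src: str
    dst: str
    seq: int           # TCP sequence number
    payload_len: int   # 0 for pure ACKs
    ack: int = 0       # acknowledgement number (pure ACKs only, in this sample)


def find_retransmissions(segments):
    """Return (index, segment) for every data segment whose (flow, seq) was already seen."""
    seen, retrans = set(), []
    for i, s in enumerate(segments):
        if s.payload_len == 0:
            continue
        key = (s.src, s.dst, s.seq)
        if key in seen:
            retrans.append((i, s))
        seen.add(key)
    return retrans


def backoff_intervals(segments, src, seq):
    """Gaps between successive sends of one data segment (original + retransmissions)."""
    times = [s.ts for s in segments if s.src == src and s.seq == seq and s.payload_len > 0]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def is_exponential_backoff(gaps, tolerance=0.25):
    """True if each gap is roughly double the previous one (RTO doubling)."""
    return len(gaps) >= 2 and all(abs(b / a - 2.0) <= tolerance for a, b in zip(gaps, gaps[1:]))


def connection_given_up(segments, src, seq, max_retries=5):
    """True once a segment has been retransmitted `max_retries` times and no
    later ACK from the peer covers it (the text gives 5 as the Windows default)."""
    sends = [s for s in segments if s.src == src and s.seq == seq and s.payload_len > 0]
    if len(sends) - 1 < max_retries:
        return False
    last = sends[-1]
    acked = any(s.ts > last.ts and s.src == last.dst and s.ack > last.seq for s in segments)
    return not acked


# Constructed sample: four ACKs, then a 1460-byte segment sent six times in total.
SAMPLE = [Segment(0.1 * i, "10.3.71.7", "10.3.30.1", 500, 0, ack=1000) for i in range(1, 5)]
SAMPLE += [Segment(ts, "10.3.30.1", "10.3.71.7", 1000, 1460)
           for ts in (0.50, 0.80, 1.40, 2.60, 5.00, 9.80)]

# Variant where the first retransmission gets through and is acknowledged.
RECOVERED = SAMPLE[:6] + [Segment(0.95, "10.3.71.7", "10.3.30.1", 500, 0, ack=2460)]

if __name__ == "__main__":
    for i, s in find_retransmissions(SAMPLE):
        print(f"packet {i + 1}: retransmission of seq {s.seq} at t={s.ts}")
    print("gaps:", backoff_intervals(SAMPLE, "10.3.30.1", 1000))
    print("given up:", connection_given_up(SAMPLE, "10.3.30.1", 1000))
```

Retransmissions are keyed on (source, destination, sequence number) of data-bearing segments, which is essentially what Wireshark's "TCP Retransmission" expert tag checks; the back-off test tolerates 25% jitter because real timers are rounded to the kernel's tick granularity.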


Unreachable Destinations and ICMP Codes


One of the tools for testing network connectivity is ICMP ping. If you are lucky the target replies, which means the ping succeeded; otherwise you receive a message that the host cannot be reached. Using a packet capture here gives you much more information than plain ICMP ping alone. We will take a closer look at ICMP errors.

Figure 3.1-5: A standard ping request from 10.2.10.2 to 10.4.88.88

The figure below shows a message that 10.4.88.88 cannot be pinged, reported by 10.2.99.99. Compared with an ordinary ping, we can see that the connection is broken at 10.2.99.99. There are also ICMP error codes, for example code 1 (Host unreachable).

Figure 3.1-6: This ICMP type 3 packet is not what we expected.

Unreachable Port


Another common task is checking connectivity to a port on a host. This check shows whether the port in question is open and ready to accept incoming requests. For example, to check whether an FTP service is running on a server: FTP normally works on port 21 by default. We send an ICMP packet to port 21 of the host; if the host answers with an ICMP packet of type 0 and error code 2, it means the port cannot be reached.
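What a capture actually shows in the two cases above is an ICMP Destination Unreachable message that quotes the header of the packet it is complaining about, so the reporter, the code and the original destination can all be read from it. The decoder below is an added example, not code from the original essay: it uses the type and code values of RFC 792 (type 3 = Destination Unreachable; code 1 = Host Unreachable, code 3 = Port Unreachable), verifies the ICMP checksum, and recovers the original destination and port. It reuses the addresses of the scenario above; every datagram is constructed inline. For a closed UDP port the host itself emits Port Unreachable, which is the second sample; a closed TCP port is answered with a TCP RST instead, so no ICMP message would appear there.

```python
"""Decoding ICMP Destination Unreachable messages from raw IPv4 bytes.

Added example, not code from the original essay. Type/code values follow
RFC 792; the addresses reuse those of the scenario; all bytes are constructed.
"""
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed", 13: "Communication Administratively Prohibited",
}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_dest_unreachable(reporter, orig_src, orig_dst, orig_proto, orig_l4, code):
    """What a router or host sends back: outer IP header, ICMP header, then the
    offending datagram's IP header plus its first 8 bytes (test data only)."""
    inner = ipv4_header(orig_src, orig_dst, orig_proto, len(orig_l4)) + orig_l4[:8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, orig_src, 1, len(icmp)) + icmp


def explain_unreachable(datagram: bytes):
    """Decode an IPv4/ICMP type 3 message; None if it is not one or fails its checksum."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != 1:                        # IP protocol field must be ICMP
        return None
    icmp = datagram[ihl:]
    if len(icmp) < 8 + 20 + 8:
        return None
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    dport = None
    if proto in (6, 17):                        # TCP/UDP: ports are the first 4 quoted bytes
        _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": ".".join(map(str, datagram[12:16])),
        "code": code,
        "meaning": UNREACH_CODES.get(code, "unknown"),
        "orig_src": ".".join(map(str, inner[12:16])),
        "orig_dst": ".".join(map(str, inner[16:20])),
        "orig_proto": PROTO_NAMES.get(proto, str(proto)),
        "orig_dport": dport,
    }


def sample_host_unreachable():
    """Router 10.2.99.99 reports it cannot reach 10.4.88.88 for a ping from 10.2.10.2."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)            # ICMP echo request header
    return build_dest_unreachable(bytes([10, 2, 99, 99]), bytes([10, 2, 10, 2]),
                                  bytes([10, 4, 88, 88]), 1, echo, code=1)


def sample_port_unreachable():
    """Host 10.4.88.88 itself answers a UDP probe to port 21 with Port Unreachable."""
    udp = struct.pack("!HHHH", 40000, 21, 8, 0)                  # UDP header, no payload
    return build_dest_unreachable(bytes([10, 4, 88, 88]), bytes([10, 2, 10, 2]),
                                  bytes([10, 4, 88, 88]), 17, udp, code=3)


if __name__ == "__main__":
    for sample in (sample_host_unreachable(), sample_port_unreachable()):
        print(explain_unreachable(sample))
```

The checksum check matters when triaging: a type 3 message with a bad checksum is dropped by the receiving stack and never reaches ping, so seeing one in a capture while ping reports a plain timeout points at a corrupting middlebox rather than at the destination.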


Fragmented Packets

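The ping discussed in this section carries far more data than the 32-byte default and therefore has to be split into IP fragments. This added example (not code from the original essay) shows the two halves of that story: fragment_plan() works out how a 3,072-byte ping is cut up for a 1500-byte MTU (three packets, as the figure states), and parse_fragment_fields() is the check applied to each header to decide whether it is a fragment, with a reassembler that copes with fragments arriving out of order. All fragments are constructed inline; addresses and checksums are left zero, which does not affect the fields examined here.

```python
"""IPv4 fragmentation: recognising fragments and putting them back together.

Added example, not code from the original essay. Fragments are constructed
inline; addresses and checksums are zero since only the fragment fields matter.
"""
import struct

IP_FLAG_DF = 0x2
IP_FLAG_MF = 0x1


def parse_fragment_fields(header: bytes):
    """Return (ident, df, mf, offset_bytes, total_len, ihl) from an IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13
    offset = (flags_frag & 0x1FFF) * 8          # the offset field counts 8-byte units
    return ident, bool(flags & IP_FLAG_DF), bool(flags & IP_FLAG_MF), offset, total_len, ihl


def is_fragment(header: bytes) -> bool:
    """A frame is a fragment if More Fragments is set or its offset is non-zero."""
    _, _, mf, offset, _, _ = parse_fragment_fields(header)
    return mf or offset > 0


def fragment_plan(payload_len: int, mtu: int = 1500, ihl: int = 20):
    """How a sender splits an IP payload: list of (offset_bytes, chunk_len, more_fragments)."""
    max_chunk = ((mtu - ihl) // 8) * 8          # all but the last fragment are multiples of 8
    plan, offset = [], 0
    while offset < payload_len:
        chunk = min(max_chunk, payload_len - offset)
        plan.append((offset, chunk, offset + chunk < payload_len))
        offset += chunk
    return plan


def build_fragments(payload: bytes, ident: int, mtu: int = 1500):
    """Construct raw IPv4 fragments for one datagram (test data only)."""
    frags = []
    for offset, chunk, more in fragment_plan(len(payload), mtu):
        flags_frag = ((IP_FLAG_MF if more else 0) << 13) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + chunk, ident, flags_frag,
                          64, 1, 0, bytes(4), bytes(4))
        frags.append(hdr + payload[offset:offset + chunk])
    return frags


def reassemble(fragments):
    """Reassemble the fragments of one datagram regardless of arrival order.
    Returns the payload, or None if a piece is missing, the last fragment never
    arrived, or the fragments belong to different datagrams."""
    pieces, total, idents = {}, None, set()
    for pkt in fragments:
        ident, _df, mf, offset, total_len, ihl = parse_fragment_fields(pkt)
        idents.add(ident)
        data = pkt[ihl:total_len]
        pieces[offset] = data
        if not mf:
            total = offset + len(data)
    if total is None or len(idents) != 1:
        return None
    out, cursor = b"", 0
    while cursor < total:
        data = pieces.get(cursor)
        if data is None:
            return None
        out += data
        cursor += len(data)
    return out


def sample_ping_payload(data_len: int = 3072):
    """Constructed ICMP echo request carrying `data_len` data bytes (ping -l 3072)."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * data_len


if __name__ == "__main__":
    payload = sample_ping_payload()
    for offset, size, more in fragment_plan(len(payload)):
        print(f"offset={offset:<5} size={size:<5} more_fragments={more}")
```

The 8 extra bytes over 3,072 are the ICMP echo header, which is why the last fragment carries 120 bytes rather than 112; the reassembler is deliberately strict about a missing piece, which is also the situation a stack faces when a firewall drops non-initial fragments and a large ping silently fails.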

Figure 3.1-7: This ping request requires three packets rather than one because the data being transmitted is above average size.

Here we can see that the recorded packet size is larger than the default size sent by ping, which is 32 bytes on a Windows computer. The packet size here is 3,072 bytes.

Determining Whether a Packet Is Fragmented

No Connectivity

Problem: two new employees, Hai and Thanh, have been seated next to each other and, naturally, given two computers. After the machines were set up and joined to the network, a problem appeared: Hai's computer works fine and connects to the network normally, while Thanh's computer cannot access the Internet.

Goal: find out why Thanh's computer cannot connect to the Internet and fix it.


What we know



- Both computers are new.
- Both have IP addresses configured and can ping other machines on the network.

In short, there is no difference in the configuration of the two machines.

Procedure: install Wireshark directly on both machines.

Analysis: first, on Hai's machine we see a normal HTTP session. There is first an ARP broadcast looking for the layer-2 address of the gateway, here 192.168.0.10. Once Hai's computer receives the answer, it completes a handshake with the gateway and establishes an HTTP session to the outside.

Figure 3.1-12: His computer completes a handshake, and then HTTP data transfer begins.

The case of Thanh's computer:

Figure 3.1-13: Thanh's computer appears to be sending an ARP request to a different IP address.

The figure above shows an ARP request unlike the previous case. The gateway address being resolved is 192.168.0.11. This suggests a problem involving NetBIOS.


NetBIOS is an old protocol that takes over from TCP/IP when TCP/IP is not working. So Thanh's machine cannot reach the Internet over TCP/IP. Details of the ARP requests on the two machines:

Hai's machine

Thanh's machine

Conclusion: Thanh's machine has the wrong gateway address configured and therefore cannot connect to the Internet; it should be set back to 192.168.0.10.

The Ghost in Internet Explorer


Symptoms: on A's computer, whenever the IE browser is used, it automatically redirects to a large number of advertising pages. When A changes the setting manually the problem persists, even after the machine is rebooted.

What we know

- A is not very computer-literate.
- A's computer runs Windows XP with IE 6.

Procedure: since the problem only occurs on A's machine and A's home page changes whenever IE is opened, we capture packets from A's machine. We do not necessarily have to install Wireshark on A's machine itself; we can use the hubbing out technique.

Analysis

Figure 3.1-16: Since there is no user interaction happening on A's computer at the time of this capture, all of these packets going across the wire should set off some alarms.

Details of packet 5:

Figure 3.1-17: Looking more closely at packet 5, we see it is trying to download data from the Internet.


The computer sends an HTTP GET request to the address shown in the figure.


Figure 3.1-18: A DNS query to the weatherbug.com domain gives a clue to the culprit.

The reply packets start to show problems: segments arrive out of order, and several of the following packets carry duplicate ACKs.

After this series of changes there is a DNS query for deskwx.weatherbug.com, an address A has never heard of and had no intention of visiting.

So some process is probably changing the home page address every time IE is started. Using a tool that inspects hidden processes, such as Process Explorer, we find a process called weatherbug.exe running. After this process is killed, the symptom disappears.

Processes like weatherbug are often viruses or spyware.

The Process Explorer interface


FTP connection failure


Scenario: an FTP account exists on a Windows Server 2003 machine on which the service pack updates have just been installed; the FTP server software is working normally and the account is correct, but it cannot be accessed.

What we know

- FTP works on port 21.

Procedure: install Wireshark on both machines.

Analysis. Client:

Figure 3.1-19: The client tries to establish connection with SYN packets but gets no response; then it sends a few more.

The client sends SYN packets to handshake with the server but gets no response from the server.

Server:


Figure 3.1-20: The client and server trace files are almost identical.

There are three possible reasons for this:

- The FTP server is not running. This is not the case, since our FTP server was running when checked at the start.
- The server is overloaded, or traffic is so heavy that it cannot serve requests. This is also unlikely, since the server was only just installed.
- Port 21 is blocked on the client side, on the server side, or on both.

Checking shows that the server blocks port 21 in both the Incoming and Outgoing directions in Local Security Policy.


Conclusion: sometimes a packet capture does not tell us the problem directly, but it rules out many possibilities and helps us make an accurate guess at what the problem is.

2. Handling network bandwidth scenarios

Anatomy of a Slow Download

Scenario: downloads on the whole network are very slow.

Procedure: set Wireshark to listen on the network's entire uplink.

Analysis: the figure below shows a large number of TCP and HTTP connections, which means many HTTP connections are downloading data and consuming the network's bandwidth.


Figure 3.2-1: We need to filter out all of this HTTP and TCP traffic.

Open the Analyze > Expert Infos window for more information.


Figure 3.2-2: The Expert Infos window shows us chats, warnings, errors, and notes.

By default Expert Infos shows all information. If we show only Error+Warn+Note, we get the following.


Figure 3.2-3: The Expert Infos window (sans chats) summarizes all of the problems with this download.

The figure above shows:

- There are many TCP connections opened by the Windows Update program.
- There are TCP Previous segment lost packets, and outgoing TCP packets receive duplicate ACKs and are dropped, forcing TCP to retransmit.

These two causes may be consuming the network's bandwidth and reducing download speed. Following this line of investigation we obtain the information in the figures below.


Figure 3.2-4: Previous segment lost packets indicate a problem.

Figure 3.2-5: A fast retransmission is seen after a packet is dropped.

Statistics > TCP Stream Graph > Round Trip Time Graph


Figure 3.2-6: The round trip time graph for this capture

The figures show that the guess made in the previous step is correct. Files cannot be downloaded if the round trip time exceeds 0.1 s; the ideal time is 0.04 s.

Conclusion: the download is slow because of many Windows Update programs (machines may be set to auto-update) and packet loss. Windows Update should therefore be turned off on some machines.

Did That Server Flash Me?

Scenario: Thanh complains that he cannot access part of the Novell website to download some software he needs. Every time he visits the site the browser loads and loads but nothing more happens. Is there a network problem?

What we know: after a preliminary check, all computers are fine except Thanh's. So the problem lies with Thanh's computer.

Procedure: install Wireshark and capture packets while visiting the Novell website on Thanh's machine.

Analysis: the information received when the HTTP connection to the Novell website begins:


Figure 3.2-18: The capture begins with standard HTTP communication.

The client side sends an RST packet ending the HTTP connection:

Figure 3.2-19: Packets 28 and 29 present a problem.

What makes the client send an RST? We use one of Wireshark's advanced features, Follow TCP Stream, to see in detail what the Novell server returned for the HTTP GET.


Figure 3.2-20: This Flash request is the source of our problem.

So we can see that the Flash content is opened as a pop-up, but Thanh sees nothing. Checking reveals that the browser blocks pop-ups.

Conclusion: the browser blocks pop-ups.

POP Goes the Email Server

Scenario: mail delivery is slow both within the domain and to other domains. Mail takes 5 to 10 minutes to arrive after being sent.

What we know:

- The company uses its own mail server.
- The mail server uses the Post Office Protocol (POP) for receiving mail.

Procedure: capture packets on the mail server.

Analysis: POP protocol information seen in Wireshark:


Figure 3.2-25: This capture includes a lot of POP packets.

Figure 3.2-26: Changing the time display format gives us an idea of how much data we are receiving in what amount of time.

Using Follow TCP Stream to view the contents of a message with an attachment, we see the following:


Figure 3.2-27: The details of packet 1 show information about the email being sent.

The attachment has been padded with a large number of identical characters to inflate its size, and checking further reveals a large number of such messages. We can conclude that the mail server is being spammed, which reduces its capacity to handle incoming requests, much like a denial-of-service attack. Remedy: find and identify the source of the spam; a blacklist can be used to block the sending addresses.

Conclusion: spam mail with large attachments.

3. Some basic network security scenarios

OS Fingerprinting

OS fingerprinting is a common technique used by hackers to gather information about a remote server, so as to obtain useful information for the next steps of an attack.


This lets them identify possible vulnerabilities in the target server and prepare the right tools for the attack. One of the techniques used is to send uncommon ICMP packets.


- Using ICMP traffic: ordinary ping raises no alarm.
- Using traffic such as Timestamp request/reply, Address mask request and Information request, which are not very common.

Figure 3.3-1: This is the kind of ICMP traffic you don't want to see.

Sending uncommon ICMP requests like these sometimes yields information in the target's replies. If the requests are accepted, ICMP-based OS fingerprinting scans can be tried. Handling: since normal traffic should never contain ICMP type 13, 15 or 17 packets, we can create a display filter to catch them, for example: icmp.type==13 || icmp.type==15 || icmp.type==17

A Simple Port Scan

One of the fastest and most popular port scanning programs is nmap. The attacker's goals:

- find open ports
- identify hidden tunnels

We can recognise a port scan by placing a sniffer on the host to be protected and monitoring it.


Figure 3.3-2: A port scan shows multiple connection attempts on various ports.

From the figure we can see very suspicious connections between 10.100.25.14 (local machine) and 10.100.18.12 (remote computer). The log shows the remote computer sending packets to many different ports on the local machine, for example ports 21 and 1028. Notably, sensitive ports such as telnet (22), microsoft-ds, FTP (21) and SMTP (25) receive more packets; these are ports with a high potential for intrusion because of flaws in the applications that use them. The packets may be exploit code.
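What makes the figure above recognisable as a scan is one source touching many destination ports in a short time, which is easy to turn into a rule on the monitoring host. The detector below is an added example, not code from the original essay: it reads connection-attempt log lines in a simple constructed format, keeps a per-(source, destination) sliding window, and raises one alert when the number of distinct ports in the window reaches a threshold. The addresses echo the scenario (10.100.18.12 probing 10.100.25.14); the log format, ports and timestamps are constructed.

```python
"""Detecting a port scan from connection-attempt log lines.

Added example, not code from the original essay. The log format
("<ts> <src> -> <dst>:<dport> <flags>") and all addresses, ports and
timestamps are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def detect_port_scans(lines, window=60.0, port_threshold=10):
    """Flag a (src, dst) pair once it touches `port_threshold` distinct destination
    ports within `window` seconds. Returns (src, dst, distinct_ports, first_ts, last_ts).

    Repeated connections to one port (a busy web client) never trigger, and a very
    slow scan that spreads its probes beyond the window is not caught either; that
    is the trade-off a time window makes and why `window` is a parameter."""
    history = defaultdict(deque)      # (src, dst) -> deque of (ts, dport), oldest first
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        q = history[key]
        q.append((rec["ts"], rec["dport"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rec["src"], rec["dst"], len(ports), q[0][0], rec["ts"]))
    return alerts


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1028, 3389]

# Constructed sample: a web client hitting port 80, a fast scan, a very slow scan,
# and one line that is not in the expected format.
SAMPLE_LOG = (
    [f"{99.5 + i} 10.100.25.20 -> 10.100.25.14:80 SYN" for i in range(3)]
    + [f"{100.0 + 0.2 * i:.1f} 10.100.18.12 -> 10.100.25.14:{p} SYN"
       for i, p in enumerate(SCAN_PORTS)]
    + [f"{30 * i} 10.100.18.30 -> 10.100.25.14:{p} SYN" for i, p in enumerate(SCAN_PORTS)]
    + ["not a log line"]
)

if __name__ == "__main__":
    for src, dst, n, first, last in detect_port_scans(SAMPLE_LOG):
        print(f"port scan: {src} -> {dst}, {n} ports between t={first} and t={last}")
```

The alert fires on the tenth distinct port rather than at the end of the scan, so a responder sees it while the probing is still in progress; widening the window catches the slow scanner in the sample at the cost of more state per source pair.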


Blaster Worm


Symptoms: the client computer displays a window announcing that the machine will shut down in 60 seconds. These notices appear continuously.

What we know:

- The client computer has the latest anti-virus program available at the time.

Procedure: install Wireshark on the infected machine.

Analysis: the Wireshark display shows the Blaster virus's harmful behaviour on the computer, highlighted in red and black.

Figure 3.3-9: We shouldn't see this level of network activity with only the timer running on this machine.

One rule of thumb for detecting viruses is to look at packet data in raw form; there is a good chance of finding useful information.


Figure 3.3-10: No useful information can be discerned from packet 1.

After searching through several packets we find one carrying useful information. In Figure 3.3-11 we see a reference to the directory C:\WINNT\System32, one of the most important directories of the Windows operating system.

Figure 3.3-11: The reference to C:\WINNT\System32 means something might be accessing our system files.

Continuing the search in the same way, we find the program name of the Blaster worm, as shown in Figure 3.3-12.


Figure 3.3-12: Packet 4 shows a reference to msblast.exe.

Once the location of the virus file is known, there are several ways to deal with it depending on the goal. For an ordinary user: kill the process with that name and then delete the virus files.

Within the scope of this essay we have presented some basic problems that can be handled with Wireshark and packet analysis skills. There are many other scenarios, and more advanced ones, that we do not cover here. Readers can learn about them from the documents listed in the appendix.

Appendix

References


[1] Chris Sanders, Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems. No Starch Press, 2007.

[2] Angela Orebaugh, Gilbert Ramirez, Josh Burke, Larry Pesce, Joshua Wright, Greg Morris, Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress Publishing, 2007.

[3] Angela Orebaugh, Ethereal Packet Sniffing. Syngress Publishing, 2004.
