Monday, April 22, 2019

Wireshark - A GUI Packet Analyzer



Wireshark is a FLOSS (Free Libre Open Source Software) package for network troubleshooting and analysis which runs on Linux, Windows, macOS, BSD, Solaris and other Unix-like systems. With this tool home users, governments and multinational corporations alike can view the minute details of their network traffic.

You can obtain Wireshark for your operating system from https://www.wireshark.org or from your Linux distro's repos. While obtaining Wireshark is quite simple, running it on a network you do not own, such as at work, is almost assuredly forbidden unless you have written permission. Ensure you protect yourself from prosecution for capturing other people's traffic and verify you have said document in hand before proceeding. You have been warned!

Capturing Packets 

Launching the program is quite simple and you can start capturing packets provided your operating system lets your account do so. On most Linux distributions you will need to add your user account to the wireshark group (on Debian and Ubuntu, first run sudo dpkg-reconfigure wireshark-common and answer Yes so that non-root users are allowed to capture), then log out and back in for the new group membership to take effect:

      $ sudo gpasswd -a username wireshark

Once this task has been accomplished, you can capture packets on any interface on your system, whether you wish to analyze wired or wireless networks. Simply click the interface listed on the front splash page to begin capture. Wireshark enables promiscuous mode by default, so the interface accepts every frame it sees rather than only those addressed to it. On a switched network that still means mostly your own traffic plus broadcast and multicast; to see other hosts' conversations you need a mirror (SPAN) port or a network tap. For Wi-Fi, seeing other stations' frames additionally requires putting the adapter into monitor mode.
Wireshark will colorize the capture data to allow you to better visualize potential problems on your network. By default TCP is a light purple, UDP a light blue, HTTP a light green, errors and bad traffic black. You can customize the parameters and colors using the View, Coloring Rules… menu option.

Wireshark Filters

When you first start Wireshark you'll notice (unless your network is very quiet) far more traffic than any human can reasonably analyze. Fortunately Wireshark has display filters that let you search the capture and find exactly what you want to review; example filters are at https://wiki.wireshark.org/DisplayFilters. Note the distinction from capture filters: a display filter only hides packets already captured, whereas a capture filter (BPF syntax, set in the capture options before you start) limits what is recorded in the first place and is the right tool when the capture file would otherwise grow huge.
 
TIP: Pause or stop the capture scrolling to better view packets (dropdown button arrow on toolbar).

Click the bookmark/filter symbol at the left of the filter bar above the packet list. You can choose from multiple saved filters such as TCP only (tcp), UDP only (udp), HTTP (http), etc. This narrows the packet list to the specifics you choose. You can also write your own filters and use the examples Wireshark provides to learn and expand your knowledge of the filter language.

To build your own filter, simply type a protocol name such as tcp, udp, dns or http in the filter bar. You'll see only packets of that type in the packet list.
Wireshark has done an exceptional job of making filtering user friendly. Click Analyze, Display Filters to choose from the saved filters; you can add your own custom filters to this list and use them at any future date. The filter language itself is described on Wireshark's building display filter expressions page.

Stepping through the packets of a single conversation is a top feature of Wireshark. Simply right-click any packet and select the menu item Follow, TCP Stream (or UDP Stream). You'll see the conversation between the server and the client, or attacker and target, reassembled in order. Often this content will be encrypted, but some information, such as the TLS server name sent in the Client Hello, can still be gleaned to help in your analysis.
Click any single packet to view its details in the panes below the packet list. For example, search for HTTP packets by entering http in the filter bar and pressing Enter (or clicking the arrow button at the right of the bar).

This filtered traffic can be drilled down further by IP address. In this example, assuming you have an IP network of 192.168.1.0/24 and you want to evaluate only HTTP traffic originating from host 192.168.1.5, enter:

ip.src==192.168.1.5&&http

You are presented with a nice view of just that traffic. When you want to inspect the same traffic but to a particular destination address, such as a Google server, enter the following:

ip.dst==74.125.197.100&&http

Assuming you have a MySQL server or service running on your computer, server or network, you could review that traffic together with traffic on the alternate HTTP port 8080 (commonly used by proxies and development web servers; it is not HTTPS, which is TCP port 443) with the following filter:

tcp.port==8080||tcp.port==3306

Another useful technique is to exclude packets you do not wish to see. In the example above, you may not want to see traffic to one particular MySQL server if you have several. Assuming that other server is at 192.168.1.10, the following keeps MySQL traffic that neither comes from nor goes to it (ip.addr matches either direction; a bare ip.src would still show packets sent to that server):

tcp.port==3306 && !(ip.addr==192.168.1.10)

Be careful with operator precedence here: the tempting !(ip.src==192.168.1.10)||tcp.port==3306 would show every packet not sent by 192.168.1.10 plus all MySQL traffic, which is almost everything on the wire.

Eventually you will realize you have far too much traffic on your network to analyze and further filtering will be necessary. Given the plethora of IoT devices, smartphones, smart light bulbs and computers everyone has at home, filtering out all Internet-destined traffic can be useful. Here is a filter that does so (the == operator accepts CIDR notation):

ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24

This keeps only traffic where both ends are on the local network and hides everything else.
Note: All filters can be combined or joined to create the ideal filtering structure for analysis of your traffic. The choices are yours to make with this powerful tool.
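To see exactly what the combined filters above select, and why the exclusion filter must use && and ip.addr, here is an added example (not part of the original post, and not Wireshark's own code). It builds a handful of constructed Ethernet/IPv4/TCP frames with the standard library, writes them as a classic pcap file that Wireshark will open, and then evaluates the page's filters against the parsed packets. The predicates are a toy re-implementation of a few display-filter fields (ip.src, ip.dst, ip.addr, tcp.port and a crude "http" based on the first bytes of the payload), not Wireshark's dissector engine; the hosts, ports and payloads are invented for the example.

```python
import ipaddress
import os
import struct
import tempfile

LAN = ipaddress.ip_network("192.168.1.0/24")


def build_frame(src, dst, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP frame. MACs are dummies and checksums are left
    zero; Wireshark flags that but still dissects the packet."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip + tcp + payload


def write_pcap(path, frames):
    """Classic libpcap format: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header before each frame."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)))
            fh.write(frame)


def read_pcap(path):
    """Minimal reader: one dict per packet with the fields the filters use."""
    with open(path, "rb") as fh:
        data = fh.read()
    off, packets = 24, []
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (frame[14] & 0x0F) * 4                # IPv4 header length
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4   # TCP header length
        packets.append({
            "ip.src": str(ipaddress.ip_address(frame[26:30])),
            "ip.dst": str(ipaddress.ip_address(frame[30:34])),
            "tcp.port": {sport, dport},              # either endpoint, as in Wireshark
            "payload": frame[tcp_off + data_off:],
        })
    return packets


def is_http(p):
    """Stand-in for the http dissector: look for a request/response start line."""
    return p["payload"][:5] in (b"GET /", b"POST ", b"HTTP/")


def ip_addr(p, host):
    return host in (p["ip.src"], p["ip.dst"])


def in_lan(p):
    return all(ipaddress.ip_address(p[k]) in LAN for k in ("ip.src", "ip.dst"))


# The display filters from the text, written as Python predicates.
FILTERS = {
    "ip.src==192.168.1.5 && http": lambda p: p["ip.src"] == "192.168.1.5" and is_http(p),
    "ip.dst==74.125.197.100 && http": lambda p: p["ip.dst"] == "74.125.197.100" and is_http(p),
    "tcp.port==8080 || tcp.port==3306": lambda p: bool(p["tcp.port"] & {8080, 3306}),
    # The tempting but wrong exclusion: '||' makes it match nearly everything.
    "!(ip.src==192.168.1.10) || tcp.port==3306":
        lambda p: p["ip.src"] != "192.168.1.10" or 3306 in p["tcp.port"],
    # Correct: MySQL traffic that neither comes from nor goes to 192.168.1.10.
    "tcp.port==3306 && !(ip.addr==192.168.1.10)":
        lambda p: 3306 in p["tcp.port"] and not ip_addr(p, "192.168.1.10"),
    "ip.src==192.168.1.0/24 && ip.dst==192.168.1.0/24": in_lan,
}

# Constructed traffic: hosts, ports and payloads are invented for this example.
SAMPLE = [
    ("192.168.1.5", "74.125.197.100", 40001, 80, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("192.168.1.7", "74.125.197.100", 40002, 80, b"GET /search HTTP/1.1\r\n\r\n"),
    ("192.168.1.5", "192.168.1.20", 40003, 3306, b"\x05\x00\x00\x00\x01"),   # MySQL to server A
    ("192.168.1.8", "192.168.1.10", 40004, 3306, b"\x05\x00\x00\x00\x01"),   # MySQL to server B (.10)
    ("192.168.1.10", "10.0.0.5", 40005, 8080, b"GET /admin HTTP/1.1\r\n\r\n"),
    ("192.168.1.5", "192.168.1.6", 40006, 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def demo(path=None):
    """Write the capture and return {filter: [1-based packet numbers it matches]}."""
    path = path or os.path.join(tempfile.mkdtemp(), "filters_demo.pcap")
    write_pcap(path, [build_frame(*spec) for spec in SAMPLE])
    packets = read_pcap(path)
    return {name: [n for n, p in enumerate(packets, 1) if pred(p)]
            for name, pred in FILTERS.items()}


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:52} -> packets {matched}")
```

Open the written .pcap in Wireshark and paste each filter string into the filter bar; the packet numbers should match what demo() returns, and the "wrong" exclusion filter will visibly light up five of the six packets.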

Following a TCP Stream:

Assuming you have been keeping up with the information above, you can also trace traffic between hosts with the Follow TCP Stream option. This allows investigation of the data actually exchanged rather than individual packets.

Simply right-click a packet and pick Follow, TCP Stream to view the reassembled contents in a dialog window. For web traffic all HTTP headers will be present, along with any plain-text logins or passwords. A very useful tool in the old days of unencrypted Internet traffic; with TLS you will see the handshake and then only ciphertext, unless you give Wireshark the session keys from the client via an SSLKEYLOGFILE.

Wireshark Packet Capture Files

Given the massive amount of data you can collect, it will be necessary to save the packet capture for future evaluation. Fortunately Wireshark provides the tools to do so along with the ability to reload and manipulate your collected data. Choose File, Save As to write the whole capture (pcapng by default, or pcap for compatibility with other tools), File, Export Specified Packets to save only the displayed or selected packets, and File, Open to load a saved capture for viewing, filtering and analysis. Remember that a saved capture contains everything that was on the wire, credentials included, so treat the file as sensitive.

Notes:

Wireshark is not designed to be an Intrusion Detection System, as it raises no alerts about misbehavior on your network on its own. That said, you can use it to investigate whether something amiss is going on within your network.
Some concerns regarding data or traffic leaks: if network name resolution is enabled (View, Name Resolution, Resolve Network Addresses; it is off by default), Wireshark issues reverse DNS lookups for every address it sees, which is slow and visible to anyone watching DNS, including an IDS. Leave it off when analyzing a capture from a network you do not want to signal to.


Linux Host Hardening



Linux systems are reasonably secure out of the box; however, there are myriad ways to tighten them further. Whether you are running a server on your own network or your own personal laptop, you are the administrator and security manager of your domain. Keep this in mind as I present some of the options to secure your systems below.

File Transfer Options

Encryption is your friend in the digital age and Linux has you covered. ssh and sftp encrypt both the connection and the data transferred, and rsync is encrypted whenever it runs over ssh (its default remote transport; the legacy rsync:// daemon protocol is not). With the ssh server enabled on your home network, along with a port forward on your router, you can securely access your systems and data from most any location on the planet. If you do expose ssh to the Internet, disable password authentication and use keys, since the forwarded port will attract constant brute-force attempts. Of course, such access also depends on the policy of the network you are using (cell provider, work network*, etc.). *Be sure to verify you have permission and access rights before attempting to connect to your home network from your workplace.

Linux also has the widely used OpenVPN package available for installation as both a client and a server. Connecting to a VPN service provider such as NordVPN, UnlimitedVPN, etc. encrypts your traffic so that your ISP cannot read or tamper with it; note that this moves that visibility to the VPN provider rather than removing it, so it buys privacy from your ISP, not anonymity. The OpenVPN server package can be used on your own hardware, such as a Raspberry Pi or router, to let you securely access your own home network from a coffee shop, hotel or personal cell phone.

Locking Down Insecure Services

Most Linux systems shipping today do not install legacy network services by default, but they remain available and installing them makes your system insecure. rsh, rlogin, telnet, ftp and tftp all send credentials and data in the clear, so anyone with access to your network can intercept them; xinetd is the super-server that typically launches them, and NIS (ypserv) hands out account and password maps to any client that asks. Below are the steps to remove them from the most common Linux distros available today.

On Red Hat, CentOS or Fedora systems, the following removes (or confirms the absence of) the telnet, rsh, tftp and NIS servers along with xinetd; on Fedora and RHEL 8 or later use dnf in place of yum:

               sudo yum erase xinetd ypserv tftp-server telnet-server rsh-server

On an Arch Linux system you will be secure in knowing these packages are not installed by default. pacman takes a space-separated list (no commas) and aborts if any named package is absent, so check first with pacman -Q and remove only what it reports as installed (inetutils is the package that provides the telnet, ftp and rsh clients and servers):

               sudo pacman -Rs xinetd ypserv tftpd inetutils

On Debian or Ubuntu systems the following removes the equivalent packages together with their configuration files. apt also takes a space-separated list and simply notes any package that is not installed, but it aborts on a name it cannot find in its index, so drop any it reports as unknown:

               sudo apt remove --purge rsh-redone-server xinetd yp-tools tftpd telnetd rsh-server atftpd tftpd-hpa nis

Removing Unused Software or Services

Some Linux distros install far too many services, or open too many network ports or sockets, on a system by default. To help keep your system safe, reduce the running services (web servers and the like) to the minimum you require; what matters is what is actually listening on the network, not only what is installed.

One Linux distro preferred by many knowledgeable geeks is Arch Linux. Arch takes the keep-it-simple approach to package installation and keeps things to the bare minimum: you install just what you need from the start and so maintain your system in a much more secure manner.

Review your system list of packages installed:
Arch Linux systems: sudo pacman -Qe
Debian-based Linux systems: dpkg --list
Red Hat based Linux systems: yum list installed
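Listing installed packages tells you what could run; the check a practitioner actually wants is what is listening right now. The following is an added example (not from the original post) that parses the output of ss -Hltunp and flags two things: the legacy cleartext services this section says to remove, and anything bound to all interfaces that is not on an allow-list. The sample lines are constructed to look like ss output, and the port table and allow-list are assumptions you would adjust for your own host.

```python
import re

# Legacy cleartext services the section above says to remove (port -> name).
LEGACY_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 111: "rpcbind/NIS",
                512: "rexec", 513: "rlogin", 514: "rsh"}
# Services deliberately exposed to the network (assumed for this example).
ALLOWED_PUBLIC = {22: "ssh"}

# Columns of `ss -Hltunp`: Netid State Recv-Q Send-Q Local Peer Process
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)?\s*(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>users:\(.*\))?"
)

# Constructed sample output; PIDs and processes are invented.
SAMPLE_SS = """\
tcp   LISTEN 0 128       0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128     127.0.0.1:3306    0.0.0.0:*  users:(("mysqld",pid=1201,fd=21))
tcp   LISTEN 0 5        0.0.0.0:23      0.0.0.0:*  users:(("inetd",pid=640,fd=5))
tcp   LISTEN 0 511      0.0.0.0:8080    0.0.0.0:*  users:(("python3",pid=2210,fd=4))
udp   UNCONN 0 0        0.0.0.0:69      0.0.0.0:*  users:(("in.tftpd",pid=655,fd=3))
tcp   LISTEN 0 128         [::1]:631       [::]:*  users:(("cupsd",pid=700,fd=8))
"""


def parse_ss(text):
    """Yield (port, bind address, process name) for each listening socket line."""
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        proc = re.search(r'\("([^"]+)"', m.group("proc") or "")
        yield int(m.group("port")), m.group("addr"), proc.group(1) if proc else "?"


def audit(text):
    """Return findings as (severity, port, process, reason), REMOVE before REVIEW.
    Sockets bound only to loopback are left alone: they are not reachable
    from the network, which is the exposure this check is about."""
    findings = []
    for port, addr, proc in parse_ss(text):
        public = addr in ("0.0.0.0", "*", "[::]", "::")
        if port in LEGACY_PORTS:
            findings.append(("REMOVE", port, proc, f"cleartext {LEGACY_PORTS[port]}"))
        elif public and port not in ALLOWED_PUBLIC:
            findings.append(("REVIEW", port, proc, f"listening on {addr}, not allow-listed"))
    return sorted(findings)


if __name__ == "__main__":
    # On a real host: audit(subprocess.check_output(["ss", "-Hltunp"], text=True))
    for severity, port, proc, reason in audit(SAMPLE_SS):
        print(f"{severity:6} port {port:<5} {proc:10} {reason}")
```

The legacy ports are flagged even when bound to loopback, because the goal for those is removal rather than firewalling; everything else is judged purely on exposure.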

Maintain Updates:

All Linux systems should be updated with security patches as often as possible. Linux has all the tools to maintain your software and provides software repositories (repos) to keep it updated. Certain updates, kernel updates in particular, require a system reboot; Red Hat, SUSE and Ubuntu also offer live kernel patching (kpatch, kGraft and Canonical Livepatch respectively) to apply kernel fixes without rebooting, though you still need a reboot to run a new kernel in full.

               Arch Linux systems: sudo pacman -Syu
               Debian-based systems: sudo apt update && sudo apt upgrade
               Red Hat based systems: sudo yum update (sudo dnf upgrade on Fedora and RHEL 8 or later)

Many Linux distros today also provide a tool in the desktop panel to inform you of available updates. Do not ignore patches when they become available; install them and complete any steps the patch calls for so that your system is as up to date as possible.

User Accounts and Strong Passwords:

One of the easiest methods crackers use to gain access to a system is a weak password. You as the administrator choose whether to use a weak or a strong password. A strong password under the policy below contains at least two upper-case letters, two lower-case letters, two digits and two special characters, and length matters more than any of those.

Linux also provides PAM modules to enforce password quality: the older pam_cracklib.so and its successor pam_pwquality.so (libpam-pwquality on Debian and Ubuntu), which accept the same options. The file to edit is /etc/pam.d/system-auth on Arch, Red Hat and CentOS, and /etc/pam.d/common-password on Debian and Ubuntu:
               $ sudo vi  /etc/pam.d/system-auth

               Append or modify the password line so it reads (one line):
     password required pam_cracklib.so retry=2 minlen=10 difok=6 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2

Note the sign of the credit values. A positive value such as dcredit=2 does not require any digits at all; it merely lets up to two digits count as extra length toward minlen, so a ten-letter all-lowercase password would pass. A negative value is a minimum: dcredit=-2 requires at least two digits, and likewise ucredit, lcredit and ocredit require two upper-case, lower-case and other (special) characters. difok=6 requires at least six characters to differ from the old password, and retry=2 is the number of attempts the user gets to enter an acceptable new password before passwd gives up; it has nothing to do with login attempts. These checks apply only to normal users and not to root, which allows an administrator to bypass them on user accounts should the need arise (add enforce_for_root to apply them to root as well).
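The credit arithmetic is easy to get backwards, so here is an added example (not from the original post, and not the PAM module itself) that models the documented minlen, credit and difok rules of pam_cracklib/pam_pwquality in Python. It skips the dictionary and pattern checks the real modules also run; the two configurations at the bottom are the page's line as originally written (positive credits) and as the text intended (negative credits), so you can see the difference on constructed passwords.

```python
def classes(pw):
    """Count characters per class the way the credit options refer to them."""
    return {"d": sum(c.isdigit() for c in pw),
            "u": sum(c.isupper() for c in pw),
            "l": sum(c.islower() for c in pw),
            "o": sum(not c.isalnum() for c in pw)}


def check(new, old="", minlen=9, difok=5, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (accepted, reason). Positive credits add to the length score,
    capped at the credit; negative credits are minimum counts of that class
    (these are the module defaults when no option is given)."""
    counts = classes(new)
    score = len(new)
    for cls, credit, name in (("d", dcredit, "digits"), ("u", ucredit, "upper-case"),
                              ("l", lcredit, "lower-case"), ("o", ocredit, "other")):
        if credit >= 0:
            score += min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False, f"too few {name} characters"
    if score < minlen:
        return False, f"score {score} is below minlen {minlen}"
    # difok: at least difok characters of the old password must be absent from
    # the new one, unless the new password is at least twice as long.
    if old:
        kept = sum(1 for c in old if c in new)
        if len(old) - kept < difok and len(new) < 2 * len(old):
            return False, "too similar to the old password"
    return True, f"accepted with score {score}"


# The page's line as originally written: positive credits only add length.
AS_WRITTEN = dict(minlen=10, difok=6, dcredit=2, ucredit=2, lcredit=2, ocredit=2)
# What the text meant: at least two characters of every class.
AS_INTENDED = dict(minlen=10, difok=6, dcredit=-2, ucredit=-2, lcredit=-2, ocredit=-2)

if __name__ == "__main__":
    for pw in ("aaaaaaaaaa", "Tr0ub4dor&3!X"):           # constructed test passwords
        print(pw, "written:", check(pw, **AS_WRITTEN), "intended:", check(pw, **AS_INTENDED))
    print("change Y->X:", check("Tr0ub4dor&3!X", old="Tr0ub4dor&3!Y", **AS_INTENDED))
```

The first password, ten lower-case letters, scores 10 + 2 (lower-case credit) = 12 and sails through the configuration as written, which is exactly the gap negative credits close.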

Setting password reuse limits:

$ sudo vi /etc/pam.d/system-auth (or /etc/pam.d/common-password on Debian systems)

             Add (or edit) the pam_unix password line so it ends with remember=13, which prevents reuse of the last 13 passwords. The line must not start with #, which would comment it out, and the hash should be sha512 rather than the legacy md5:
               password sufficient pam_unix.so use_authtok sha512 shadow remember=13

Note that some older systems use pam_unix2.so instead of pam_unix.so, and that newer distributions move password history into the separate pam_pwhistory.so module; either way the history is kept in /etc/security/opasswd.

Linux Password Aging:
Most Linux distros do not set passwords to expire after a certain time period. To remedy this, the chage command sets per-user aging, and the /etc/login.defs file holds the defaults applied to newly created accounts (changing it does not alter existing users).

To set a user's password to never expire (99999 days is the conventional "never"):

               $sudo chage -M 99999 username

Or to require a new password every 60 days:

               $sudo chage -M 60 username

Additional options should be applied so that a user is told before the password expires. The following requires a change every 60 days, forbids changing again within 7 days (so a user cannot cycle straight back to an old password) and warns 7 days ahead; verify the result with chage -l username:

               $sudo chage -M 60 -m 7 -W 7 username

Enable the same defaults for new accounts in /etc/login.defs (values are separated by whitespace, not =; PASS_MIN_DAYS alone does not enable aging):

               PASS_MAX_DAYS 60
               PASS_MIN_DAYS 7
               PASS_WARN_AGE 7

The remember= option above stores old password hashes in /etc/security/opasswd. Most systems will have this file, but if it doesn't exist it should be created, owned by root with mode 0600, using the following command:

               $ sudo touch /etc/security/opasswd
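What chage and login.defs actually change are the numeric aging fields of /etc/shadow. The following added example (not from the original post) parses those fields from constructed shadow entries and reports where each account stands on a given day, so you can see how -M, -m, -W, -I (inactive) and -E (expire) combine. The day number is passed in explicitly so the result is deterministic; the hashes are placeholders.

```python
import datetime as dt


def parse_shadow_line(line):
    """/etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    (day counts since 1970-01-01; an empty field means unset)."""
    f = line.rstrip("\n").split(":")
    num = lambda s: int(s) if s else None
    return {"name": f[0], "lastchg": num(f[2]), "min": num(f[3]), "max": num(f[4]),
            "warn": num(f[5]), "inactive": num(f[6]), "expire": num(f[7])}


def password_status(entry, today):
    """today is a day number (days since the epoch). Account expiry (chage -E)
    wins over password age; lastchg == 0 is the forced change of chage -d 0."""
    if entry["expire"] is not None and today >= entry["expire"]:
        return "account expired"
    last, mx = entry["lastchg"], entry["max"]
    if last == 0:
        return "must change at next login"
    if last is None or mx is None or mx >= 99999:
        return "password never expires"
    due = last + mx
    if today >= due:
        grace = entry["inactive"]
        if grace is not None and today >= due + grace:
            return "password expired; account locked"
        return "password expired"
    days_left = due - today
    if days_left <= (entry["warn"] or 0):
        return f"expires in {days_left} days (warning period)"
    return f"expires in {days_left} days"


def day_number(date):
    """Convert a date to the day count /etc/shadow uses."""
    return (date - dt.date(1970, 1, 1)).days


def report(shadow_text, today):
    return {e["name"]: password_status(e, today)
            for e in map(parse_shadow_line, shadow_text.splitlines())}


# Constructed entries: the policy from the text (-M 60 -m 7 -W 7) plus variants.
SAMPLE_SHADOW = """\
alice:$6$x:19800:7:60:7:::
bob:$6$x:19700:7:60:7:14::
carol:$6$x:19800:0:99999:7:::
dave:$6$x:0:0:99999:7:::
erin:$6$x:19800:7:60:7::19850:
"""

if __name__ == "__main__":
    # On a real host (as root): report(open("/etc/shadow").read(), day_number(dt.date.today()))
    for name, status in report(SAMPLE_SHADOW, 19855).items():
        print(f"{name:6} {status}")
```

Day 19855 is a few days before alice's 60-day limit runs out, inside her 7-day warning window; bob is past both his limit and his 14-day inactivity grace, which is the state that locks an account; carol is the "never expires" case from the first chage command above.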


Monday, March 13, 2017

Computer Security - Part 2

Malware - Backdoors ...


Backdoors are methods of bypassing normal authentication or security controls on a system or within software, often hidden or built in by a malicious or non-malicious actor or programmer. Rootkits are a common vehicle for backdoors on Linux systems, but Windows systems are not left out of the party. The more apt definition is often an undocumented method of gaining access to a computer system or its data.

Backdoors were formerly known as trapdoors, but standards and definitions have changed since the initial discussions and publications on the issue in 1970. Yes, 1970 is when these were first mentioned in a paper by J.P. Anderson and D.J. Edwards under ARPA sponsorship (1).

Proprietary software can contain backdoors which, more often than not, are never discovered until an exploit or hacker group finds them. Open source, on the other hand, is by nature open and the source code is freely available for peer review; this is the nature of closed versus open (I'll save this for a future discussion).

Back Orifice is a famous backdoor from way back in 1998, when it debuted at DEF CON. Its stated purpose was to show how insecure Microsoft Windows 98 was at the time, but it was used to remotely control systems globally. It used a client-server model much like the one behind today's remote administration and cloud services. It could be installed without the user having any knowledge of its existence and was very simple to deploy.

Other examples of programs which include backdoors are the computer worms Sobig and MyDoom and the Sony BMG rootkit, each of which was designed to steal data or gather information on the user. In the case of Sony BMG, the rootkit was delivered to customers on music CDs for the purpose of so-called DRM, but in fact its purpose was to spy on their very own customers.

Backdoors come in several types: symmetric, asymmetric and object code.
In the symmetric case, any user who comes across the backdoor can take advantage of it, while the asymmetric version uses cryptography so that nobody but the holder of the private key (usually the author) can use it. Even if the backdoor's code is made public, an installation cannot be exploited on a target system without the private key. This second kind is very difficult to detect and prevent, as it utilizes the very same cryptographic measures used commercially to protect our data.
Object code backdoors are much harder to inspect and detect, as they live in the machine-readable binary rather than in human-readable source. They can be inserted into the object code on disk, during compiling or linking, through assembly code, or by loading directly into memory. Often the only way to detect one is to rebuild the program from audited source with a reproducible build and compare the hash of the rebuilt binary against the one that shipped (or, for a backdoor hidden in the compiler itself, to use diverse double-compiling with a second, independent compiler).

Even cryptographic algorithms are subject to asymmetric backdoors, as demonstrated by the experimental backdoor in OpenSSL RSA key generation designed by Young and Yung (2).

Samsung Android phones and tablets such as the Galaxy devices contained a backdoor providing access to all data stored on the device. The software containing the backdoor in this instance is the one responsible for controlling the modem via RFS (remote file server) commands, which allowed an attacker to perform a wide range of actions, even controlling the microphone or camera, without any indication on the affected device (3).

1 - https://en.wikipedia.org/wiki/RAND_Corporation
2 - http://www.cryptovirology.com/cryptovfiles/newbook.html
3 - https://en.wikipedia.org/wiki/Backdoor_(computing)


