{{ SECURITY Network packet Forensic }} 


Chapter 9-1 : Port scan and Packet analysis


For a TCP scan, the 3-way handshake is what tells you whether a port is open: a SYN to an open port is answered with SYN,ACK, a SYN to a closed port with RST,ACK.

For a UDP scan, an open port normally gives no response at all (the datagram reaches a service that stays silent), so what you look for instead is the 'ICMP port unreachable' message (type 3, code 3) that the target sends back for closed ports. A port that stays silent can only be classed as open|filtered, not as definitely open.


From the [Conversations] window (Statistics > Conversations) you can spot port scan attempts by the following pattern: many conversations between the same two hosts, each on a different destination port and each only a handful of packets long. The [Follow Stream] button gives no information for those conversations, because no application data was ever exchanged.


To look at one conversation in more detail, apply a display filter for that conversation (the [Apply as Filter] button in the Conversations window does this for the selected row).



The first conversation shows a [RST,ACK] response from [192.168.0.15] port [1] to the [SYN] request from [192.168.0.112]. That means the requested port [1] is closed.



Port 25, however, carries some data: the SMTP banner string [220 Welcome trinitysoft].



Unlike the first conversation for port [1], this one has a full TCP 3-way handshake, followed immediately by the session close procedure. From this you can tell that port [25] is open.



Also note that the banner data was sent with the [PSH,ACK] flags and was then acknowledged by an [ACK] from the peer.


To see open ports only, filter on the TCP flags. Select the [tcp.flags.syn] field name, the [==] relation and the value [1]; on its own this matches both the scanner's SYN probes and the target's SYN,ACK replies.

Then add more conditions in the Filter input box: [tcp.flags.syn == 1 && tcp.flags.ack == 1] keeps only the SYN,ACK replies, which is one packet per open port.

For failed port opens (closed ports), change the filter to [tcp.flags.reset == 1 && tcp.flags.ack == 1]. A port that matches neither filter never answered at all; treat it as filtered rather than closed.
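The following is an added example, not code from the original post. It redoes in Python the reasoning done above by hand in the Conversations window and with the tcp.flags filters: it parses raw IPv4/TCP packets, groups them into (target, port) conversations from the scanner's point of view and classifies each port as open (SYN,ACK seen), closed (RST,ACK seen) or filtered (no reply), keeping any banner the target pushed. The packets are constructed inline with build_ipv4_tcp(); the scanner and target addresses are the ones from the capture above, the port numbers, the silent port 135 and the ephemeral source ports are assumptions.

```python
"""Classify TCP port-scan conversations from raw IPv4/TCP packet bytes.

Added example; it is not code from the original post.  It redoes in code the
reasoning done above in Wireshark's Conversations window and tcp.flags filters.
All packets are constructed inline with build_ipv4_tcp() (no Ethernet header,
zero checksums), so nothing here reads a capture file.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Bit values of the TCP flags byte, i.e. Wireshark's tcp.flags.fin/syn/reset/push/ack
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet: 20-byte headers, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload), or None if not TCP."""
    if pkt[9] != 6:                       # ip.proto 6 == TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4             # IP header length in bytes
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def is_syn_ack(flags):
    """Same as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 1."""
    return bool(flags & SYN) and bool(flags & ACK)


def is_rst_ack(flags):
    """Same as the display filter tcp.flags.reset == 1 && tcp.flags.ack == 1."""
    return bool(flags & RST) and bool(flags & ACK)


def classify_scan(packets, scanner):
    """Group packets into (target, port) conversations as seen from the scanner
    and decide each port's state from the target's replies.  Any data the target
    pushed (a banner) is kept, since that is what identifies the service."""
    convs = defaultdict(lambda: {"state": "filtered", "banner": b""})
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload = parsed
        if src == scanner:
            _ = convs[(dst, dport)]       # probe seen; stays "filtered" until a reply arrives
        elif dst == scanner:
            conv = convs[(src, sport)]
            if is_syn_ack(flags):
                conv["state"] = "open"
            elif is_rst_ack(flags) and conv["state"] != "open":
                conv["state"] = "closed"  # a RST after an open handshake is just teardown
            if payload and flags & PSH:
                conv["banner"] += payload
    return dict(convs)


def looks_like_scan(convs, min_ports=3):
    """The Conversations-window pattern: one scanner touching many distinct
    ports on the same target.  Returns the targets that reach min_ports."""
    per_target = defaultdict(int)
    for target, _port in convs:
        per_target[target] += 1
    return [t for t, n in per_target.items() if n >= min_ports]


SCANNER, TARGET = "192.168.0.112", "192.168.0.15"   # the two hosts from the capture above
BANNER = b"220 Welcome trinitysoft\r\n"             # constructed, after the banner shown above

# Constructed sample: port 1 closed, port 25 open with a banner, port 135 never answers
SAMPLE = [
    build_ipv4_tcp(SCANNER, TARGET, 40001, 1, SYN),
    build_ipv4_tcp(TARGET, SCANNER, 1, 40001, RST | ACK),
    build_ipv4_tcp(SCANNER, TARGET, 40002, 25, SYN),
    build_ipv4_tcp(TARGET, SCANNER, 25, 40002, SYN | ACK),
    build_ipv4_tcp(SCANNER, TARGET, 40002, 25, ACK),
    build_ipv4_tcp(TARGET, SCANNER, 25, 40002, PSH | ACK, BANNER),
    build_ipv4_tcp(SCANNER, TARGET, 40002, 25, ACK),
    build_ipv4_tcp(SCANNER, TARGET, 40002, 25, FIN | ACK),
    build_ipv4_tcp(TARGET, SCANNER, 25, 40002, FIN | ACK),
    build_ipv4_tcp(SCANNER, TARGET, 40002, 25, ACK),
    build_ipv4_tcp(SCANNER, TARGET, 40003, 135, SYN),
]

if __name__ == "__main__":
    result = classify_scan(SAMPLE, SCANNER)
    for (host, port), conv in sorted(result.items()):
        print(f"{host}:{port:<5} {conv['state']:<8} {conv['banner'].strip()!r}")
    print("hosts being port-scanned:", looks_like_scan(result))
```

The state machine deliberately does not demote a port to closed when a RST arrives after a SYN,ACK: that is the normal way many scanners tear down a half-open connection, and counting it as a failure would hide exactly the open ports you are looking for.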





Chapter 8 : Regarding port 587


SMTP uses TCP port 25 by default. Mail submission from a client to its own mail server uses the same protocol on port 587 (RFC 6409). SMTP wrapped in SSL/TLS from the first byte, known as SMTPS, uses port 465; at the time of this post that port was considered non-standard and kept for legacy reasons (RFC 8314 later registered it for implicit-TLS submission).


In the following example the red boxes mark 1) the server connection and 2) the authentication procedure for the login. With AUTH LOGIN the account name and the password are only base64 encoded, not encrypted, so anyone who captures the session can recover them with a base64 decoder unless STARTTLS was negotiated first. After that you can see 3) the mail transfer procedure.


Finally, there is the disconnection procedure (QUIT, then the TCP FIN,ACK exchange), as shown below.



Here are the basic SMTP commands and what each one does:

 Command                       Note
 HELO <sender host name>       Identify the sending host to the SMTP server
                               (EHLO is the ESMTP form; the reply lists the
                               server's extensions such as AUTH and STARTTLS)
 MAIL FROM:<sender's email>    Start a mail transaction with this envelope sender
 RCPT TO:<receiver's email>    Add an envelope recipient (one RCPT per recipient)
 DATA                          Send the message header and body; the message
                               ends with a line containing only "."
 QUIT                          End the session; the server replies 221 and closes
 RSET                          Abort the current mail transaction and discard its
                               sender, recipients and data (the session stays open)
 VRFY <receiver's email>       Ask the server to verify that the mailbox exists
                               (often disabled, since it lets an attacker enumerate users)
 NOOP                          No operation; the server just replies 250 OK


From the [Follow TCP Stream] window you can sometimes see the attached content itself. The Content-Type and filename fields of the MIME part give the name and type of each attachment. To extract an attachment, first copy and paste the base64 body of that MIME part into a text file; after decoding it with any base64 decoder you get the real attachment. Check its first bytes against the file-signature table (PK for a zip, for example) to confirm that the decoded file really is what its name claims.
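The following is an added example, not code from the original post. It takes the client-to-server half of an SMTP session, as Follow TCP Stream would show it, pulls the AUTH LOGIN account and password out of their base64 lines, and extracts the base64 MIME attachment from the DATA section, checking its magic number against the declared name. SESSION is constructed inline; the host, the account, the password and the zip stand-in (only its PK signature is real) are invented.

```python
"""Recover credentials and attachments from the client side of a captured SMTP session.

Added example; not code from the original post.  SESSION is a constructed
client-to-server stream in the form Follow TCP Stream shows it; the account,
password and attachment are invented (ZIP is just a PK signature plus filler).
"""
import base64
import email
from email import policy

ZIP = b"PK\x03\x04" + b"\x14\x00" * 13          # stand-in for a real zip: only the magic number matters
SESSION = b"\r\n".join([
    b"EHLO client.example",
    b"AUTH LOGIN",
    base64.b64encode(b"alice"),                  # server prompted 334 VXNlcm5hbWU6 ("Username:")
    base64.b64encode(b"Secr3t!"),                # server prompted 334 UGFzc3dvcmQ6 ("Password:")
    b"MAIL FROM:<alice@example.test>",
    b"RCPT TO:<bob@example.test>",
    b"DATA",
    b"From: alice@example.test",
    b"To: bob@example.test",
    b"Subject: report",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="XYZ"',
    b"",
    b"--XYZ",
    b"Content-Type: text/plain",
    b"",
    b"See attached.",
    b"--XYZ",
    b'Content-Type: application/zip; name="report.zip"',
    b'Content-Disposition: attachment; filename="report.zip"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(ZIP),
    b"--XYZ--",
    b".",
    b"QUIT",
]) + b"\r\n"

MAGIC = {b"PK\x03\x04": "zip", b"%PDF-": "pdf", b"\x89PNG": "png", b"MZ": "exe"}


def parse_client_stream(stream):
    """Split the client half of the stream into SMTP commands and the DATA body.
    The body runs from the line after DATA to the lone '.' line; the SMTP
    dot-stuffing of lines that start with '.' is undone."""
    commands, body, in_data = [], [], False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":
                in_data = False
            else:
                body.append(line[1:] if line.startswith(b"..") else line)
        elif line.upper() == b"DATA":
            in_data = True
        elif line:
            commands.append(line)
    return commands, b"\r\n".join(body)


def auth_login_credentials(commands):
    """AUTH LOGIN carries user and password as two base64 lines (or the user
    inline after the command).  That is encoding, not encryption: a capture
    taken without STARTTLS hands the credentials straight over."""
    for i, cmd in enumerate(commands):
        if not cmd.upper().startswith(b"AUTH LOGIN"):
            continue
        rest = cmd.split(None, 2)[2:]            # "AUTH LOGIN <base64 user>" form
        if rest:
            user_b64, pw_b64 = rest[0], commands[i + 1]
        else:
            user_b64, pw_b64 = commands[i + 1], commands[i + 2]
        return base64.b64decode(user_b64).decode(), base64.b64decode(pw_b64).decode()
    return None


def extract_attachments(body):
    """Parse the DATA section as MIME and return (filename, declared type,
    type sniffed from the magic number, bytes) for every attachment part."""
    msg = email.message_from_bytes(body, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()                 # undoes base64 / quoted-printable
        if isinstance(data, str):
            data = data.encode()
        sniffed = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
        found.append((part.get_filename(), part.get_content_type(), sniffed, data))
    return found


if __name__ == "__main__":
    commands, body = parse_client_stream(SESSION)
    print("credentials:", auth_login_credentials(commands))
    for name, declared, sniffed, data in extract_attachments(body):
        print(f"{name}: declared {declared}, magic says {sniffed}, {len(data)} bytes")
```

A mismatch between the declared type and the sniffed one (a "report.pdf" whose bytes start with MZ) is the usual sign that the attachment is the interesting part of the capture.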




Reference :

https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol



Chapter 7 : Analysis HTTP Contents


Wireshark can export the objects carried in HTTP responses from the File > Export Objects > HTTP menu. The list shows the host, content type, size and filename of each object; select one and save it.




Or, you can use the following tool to carve files out of the HTTP (and other) traffic in a capture file:

- https://sourceforge.net/projects/networkminer/
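The following is an added example, not code from the original post or from Wireshark. It does by hand what Export Objects does for one HTTP/1.1 response taken from a reassembled stream: it splits headers from body, reassembles a chunked body, decompresses a gzip-encoded one, refuses a body the capture cut short, and names the object from Content-Disposition or the request path. The three responses at the bottom are constructed; the paths and the PNG/MZ stand-ins (only their signatures are real) are invented.

```python
"""Carve the object out of a captured HTTP/1.1 response, as File > Export
Objects > HTTP does.

Added example; not code from the original post or from Wireshark.  The three
responses at the bottom are constructed; the code handles Content-Length,
chunked and gzip-encoded bodies and names the object from Content-Disposition
or, failing that, from the request path.
"""
import gzip
import re


def split_http_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status_line.decode(), headers, body


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (chunk extensions ignored)."""
    out = bytearray()
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        if len(body) < size + 2:
            raise ValueError("truncated chunk: capture ended mid-object")
        out += body[:size]
        body = body[size + 2:]            # skip the chunk data and its trailing CRLF
    return bytes(out)


def export_http_object(request_path, raw_response):
    """Return (filename, content type, object bytes) for one response."""
    _status, headers, body = split_http_response(raw_response)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        data = dechunk(body)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("truncated body: capture ended before the object was complete")
        data = body[:length]
    else:
        data = body                       # body runs until the server closed the connection
    if headers.get("content-encoding", "").lower() == "gzip":
        data = gzip.decompress(data)      # Export Objects hands you the decoded bytes too
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    filename = match.group(1) if match else request_path.split("?")[0].rsplit("/", 1)[-1]
    return filename or "index.html", headers.get("content-type", ""), data


# Constructed responses (not real traffic); PNG and MZ are only file signatures plus filler
PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
RESP_LENGTH = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
               b"Content-Length: 24\r\n\r\n" + PNG)
RESP_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b'Content-Disposition: attachment; filename="tool.bin"\r\n'
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"4\r\nMZ\x90\x00\r\n3;ext=1\r\nabc\r\n0\r\n\r\n")
PAGE = b"<html><body>hello</body></html>"
GZ = gzip.compress(PAGE)
RESP_GZIP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
             b"Content-Length: %d\r\n\r\n" % len(GZ) + GZ)

if __name__ == "__main__":
    for path, resp in [("/img/logo.png", RESP_LENGTH), ("/dl?id=7", RESP_CHUNKED), ("/", RESP_GZIP)]:
        name, ctype, data = export_http_object(path, resp)
        print(f"{name}: {ctype}, {len(data)} bytes, starts {data[:4]!r}")
```

The truncation check matters more than it looks: a capture that stops mid-download yields a partial object that may still open in a viewer, and an analyst who does not notice will report the wrong file hash.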







Chapter 6 : File Magic Number


If a conversation contains only session establishment and termination, it may be part of a port scan.
In the following example 192.168.1.2 seems to be probing port 80 of 192.18.1.157.



From the Conversations popup you can view the data stream of the selected conversation with the [Follow Stream...] button.



The result of [Follow TCP Stream] can be shown in different data formats (ASCII, EBCDIC, Hex Dump, C Arrays, Raw) with the 'Show data as' selector.



In the example above, the stream starts with the characters OFT2, the header of the OSCAR File Transfer protocol used by AOL Instant Messenger. A little further into the stream there is the magic number 'PK' (bytes 50 4B 03 04), the start of a zip file. Signatures like this can be looked up in the file-signature table at:




- http://garykessler.net/library/file_sigs.html



After switching 'Show data as' to Raw, you can save the 'Follow TCP Stream' content as a file; select only one direction of the conversation first so that the two sides' bytes are not interleaved. Then cut away the protocol header (everything before the PK signature) in a hex editor such as HxD to get a valid zip file.
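The following is an added example, not code from the original post. It scans a raw Follow TCP Stream dump for file signatures, reads the zip local file header at the hit to learn the first entry's name, and carves the archive from the PK signature to the end of the stream, validating it with a CRC check. build_sample_stream() constructs the input: a sketched OFT2-style prefix (not the real AOL header layout) followed by a real zip built in memory; the entry name and its contents are invented, and SIGNATURES is a small subset of the signature table linked above.

```python
"""Find embedded files by magic number in a raw Follow TCP Stream dump and carve
them out.

Added example; not code from the original post.  build_sample_stream() constructs
a stream shaped like the one described above: an OFT2-style prefix (AOL Instant
Messenger file transfer; the layout is only sketched, not the real header)
followed by a zip.  SIGNATURES is a small subset of the file-signature table
linked above.
"""
import io
import struct
import zipfile

# (magic bytes, description).  Two-byte signatures such as MZ are left out on
# purpose: they match all over a binary stream, so check those by hand at a
# suspected offset instead.
SIGNATURES = [
    (b"PK\x03\x04", "zip local file header"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"GIF8", "gif"),
    (b"\x7fELF", "elf"),
    (b"OFT2", "AOL OFT2 file-transfer header"),
]


def find_signatures(data):
    """Return every (offset, description) hit, lowest offset first."""
    hits = []
    for magic, kind in SIGNATURES:
        start = 0
        while (i := data.find(magic, start)) != -1:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def zip_first_entry(data, offset):
    """Read the zip local file header at offset and return (filename, compressed size).
    Layout: sig(4) ver(2) flag(2) method(2) time(2) date(2) crc(4) csize(4)
    usize(4) name_len(2) extra_len(2), all little-endian, then the name."""
    fields = struct.unpack_from("<4sHHHHHIIIHH", data, offset)
    csize, name_len = fields[7], fields[9]
    name = data[offset + 30: offset + 30 + name_len].decode("utf-8", "replace")
    return name, csize


def carve_zip(data, offset):
    """Carve from the PK header to the end of the stream and validate it as a zip.
    The end-of-central-directory record sits at the end of the archive, so if the
    stream continues after it, strip that trailing data first."""
    blob = data[offset:]
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if z.testzip() is not None:
            raise ValueError("carved zip fails its CRC check")
        return blob, z.namelist()


def build_sample_stream():
    """Constructed stream: sketched OFT2 prefix + a real (stored) zip made in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("passwords.txt", "hunter2\n")
    prefix = b"OFT2" + bytes(60) + b"passwords.zip\x00"
    return prefix + buf.getvalue()


if __name__ == "__main__":
    stream = build_sample_stream()
    for offset, kind in find_signatures(stream):
        print(f"offset {offset:#06x}: {kind}")
        if kind.startswith("zip"):
            print("  first entry:", zip_first_entry(stream, offset))
            _blob, names = carve_zip(stream, offset)
            print("  carved archive lists:", names)
```

The CRC check from testzip() is the cheap way to confirm that the carve boundaries were right; a zip that opens but fails it usually means the stream was saved with both directions interleaved.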



Reference 

  • http://www.parkjonghyuk.net/lecture/2014-1st-lecture/networksecurity/chap06.pdf

  • https://wiki.wireshark.org/Development/LibpcapFileFormat

  • https://mh-nexus.de/en/hxd/



 

Chapter 5. Telnet (Telecommunication Network Protocol) packet analysis

 

Before looking at the telnet PCAP, let's see what a {TCP Keep-Alive} packet is.
It is normally used to check for dead peers, or to prevent a disconnection caused by network inactivity.

Normally it is an empty segment with the ACK flag set, whose sequence number is one less than the next expected one; that is how Wireshark recognises and labels it. In our example, however, the packet carries the same data as the previously sent packet and has [PSH, ACK] set.

 

 

The following is an example of a telnet connection, viewed with the Follow TCP Stream menu.

Step 1 is the negotiation of telnet options and sub-options for the connection (the IAC DO/WILL/SB sequences, which show up as non-printable characters). After that there is a login prompt, as in Step 2. The login name is echoed back by the server, so it appears in both directions, whereas the password is not echoed; it is still sent in cleartext by the client, so it can be read from the client-to-server half of the stream. Step 3 is the exit from the telnet session.
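The following is an added example, not code from the original post. It implements the Step 1 and Step 2 reasoning above: a small parser strips the IAC option negotiation (DO/DONT/WILL/WONT, SB...SE and the IAC IAC escape) from each half of the stream, and recover_login() then reads the login name and the un-echoed password out of the client-to-server bytes, confirming from the server half that only the name was echoed. CLIENT_TO_SERVER and SERVER_TO_CLIENT are constructed; the option exchange is a plausible but invented one and the user, password and prompts are assumptions.

```python
"""Strip telnet option negotiation from a captured stream and recover what the
user typed, including the password the server never echoed.

Added example; not code from the original post.  CLIENT_TO_SERVER and
SERVER_TO_CLIENT are constructed to look like the two halves of the Follow TCP
Stream described above; the prompts, user and password are invented.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
TERMINAL_TYPE, ECHO = 24, 1       # telnet option codes used in the sample


def strip_telnet(stream):
    """Return (application bytes, negotiation commands) for one direction of a
    telnet stream.  IAC (0xFF) starts every command; IAC IAC is a literal 0xFF."""
    out, commands, i = bytearray(), [], 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):
            break                                     # dangling IAC at the end of the capture
        cmd = stream[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in NAMES:                            # DO/DONT/WILL/WONT <option>
            if i + 2 >= len(stream):
                break
            commands.append((NAMES[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                               # sub-negotiation runs until IAC SE
            end = stream.index(bytes([IAC, SE]), i)
            commands.append(("SB", bytes(stream[i + 2:end])))
            i = end + 2
        else:                                         # two-byte commands (NOP, GA, ...)
            commands.append((f"cmd{cmd}", None))
            i += 2
    return bytes(out), commands


def typed_lines(client_bytes):
    """Telnet clients end a line with CR LF or CR NUL; normalise both."""
    text = client_bytes.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line.decode("ascii", "replace") for line in text.split(b"\n") if line]


def recover_login(client_stream, server_stream):
    """Prompts live in the server half, answers in the client half.  The login
    name is echoed back by the server, the password is not, but the client still
    sends it in the clear, so both come straight out of the client bytes."""
    client_data, _ = strip_telnet(client_stream)
    server_data, _ = strip_telnet(server_stream)
    user, password = typed_lines(client_data)[:2]
    return {
        "user": user,
        "password": password,
        "user_echoed": user.encode() in server_data,
        "password_echoed": password.encode() in server_data,
    }


# Constructed sample (not a real capture).  Option 24 = TERMINAL-TYPE, 1 = ECHO;
# SB TERMINAL-TYPE 1 asks for the terminal type, SB TERMINAL-TYPE 0 "XTERM" answers.
CLIENT_TO_SERVER = (
    bytes([IAC, WILL, TERMINAL_TYPE, IAC, DO, ECHO])
    + bytes([IAC, SB, TERMINAL_TYPE, 0]) + b"XTERM" + bytes([IAC, SE])
    + b"alice\r\n" + b"Secr3t!\r\n" + b"exit\r\n"
)
SERVER_TO_CLIENT = (
    bytes([IAC, DO, TERMINAL_TYPE, IAC, WILL, ECHO])
    + bytes([IAC, SB, TERMINAL_TYPE, 1, IAC, SE])
    + b"login: alice\r\nPassword: \r\n$ logout\r\n"
)

if __name__ == "__main__":
    _data, cmds = strip_telnet(CLIENT_TO_SERVER)
    print("client negotiation:", cmds)
    print(recover_login(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
```

In a real capture the client usually sends one keystroke per segment, so run this on the reassembled Follow TCP Stream bytes rather than on individual packets; the parser also needs the whole SB...SE block in one buffer.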

 

 

 

First there is the 3-way handshake for TCP session establishment on port 23 of the destination, as before:

  • SYN > SYN,ACK > ACK

 

 

And for the disconnection there is the FIN,ACK exchange, as shown below.

 

 
