WEBVTT

00:01.220 --> 00:02.570
Is this monitoring on Windows?

00:03.110 --> 00:10.310
In contrast to Unix-like systems, Windows implements its user-mode network functions without direct

00:10.610 --> 00:11.390
system calls.

00:12.350 --> 00:19.240
So the networking stack is exposed through the driver and establishing a connection uses the file open,

00:19.260 --> 00:26.330
read and write system calls to configure a network socket for use, even if Windows supported the facilities.

00:26.330 --> 00:33.710
Similar to strace, this implementation makes it more difficult to monitor network traffic at the same

00:33.710 --> 00:35.420
level as the other platforms.

00:36.200 --> 00:45.290
Windows, starting with Vista and later, has supported an event generation framework that allows applications

00:45.410 --> 00:51.320
to monitor network activity, where I think our own implementation of this will be quite complex.

00:51.320 --> 00:56.420
But fortunately, someone has already written a tool to do it for you.

00:56.840 --> 01:00.680
This is Microsoft's Process Monitor tool.

01:01.050 --> 01:02.870
Let's download this tool here.

01:04.310 --> 01:07.940
Just, uh, search in Google, as you know.

01:09.910 --> 01:15.220
Searching Google, uh, for Microsoft Process Monitor tool.

01:16.200 --> 01:16.940
Actually, yes.

01:17.450 --> 01:19.340
Images of purchasing one or two.

01:46.110 --> 01:50.400
Sysinternals, Process Monitor.

01:53.820 --> 01:57.020
And click on the Microsoft official website.

01:58.100 --> 02:00.270
Here, and in the Download section.

02:00.290 --> 02:01.370
Click on Download.

02:12.900 --> 02:13.290
OK.

02:14.910 --> 02:16.740
And extract from zip file.

02:37.570 --> 02:39.250
So as you can see here.

02:41.980 --> 02:42.550
Um.

02:44.200 --> 02:46.060
And the main interface here.

02:46.510 --> 02:52.720
Um, so selecting the filter here, as you can see here, filter.

02:54.420 --> 02:57.510
Process Tree, include Process Tree, highlight filter here.

02:58.000 --> 02:59.160
Um, was.

03:00.780 --> 03:08.820
So this causes, so selecting the filter that displays only events related to network connections from

03:08.820 --> 03:09.840
a monitored process.

03:10.680 --> 03:17.580
It does include the hosts involved as well as the protocol and port being used, although the capture

03:17.580 --> 03:21.240
doesn't provide any data associated with the connections.

03:21.510 --> 03:27.540
It does offer valuable insight into the network communications applications are establishing.

03:28.690 --> 03:35.320
Process Monitor can also capture the state of the current calling stack, which helps you to determine

03:35.320 --> 03:39.610
where in an application network connections are being made.

03:41.410 --> 03:48.040
Actually, this will become important in the next, um, lectures of our course when we start reverse

03:48.040 --> 03:51.880
engineering binaries to work out the network protocol.

03:53.690 --> 04:01.070
Here we have columns, as you can see here: Time, Process Name, PID, Operation, Path, Result and

04:01.070 --> 04:01.520
detail.

04:02.490 --> 04:05.350
So actually, let's increase the size of it.

04:05.790 --> 04:07.370
Um, screen.

04:11.240 --> 04:14.870
No, screen, screen here, changing screen resolution.

04:16.110 --> 04:17.660
Let's make it clear the.

04:19.240 --> 04:20.710
Scalable here.

04:24.770 --> 04:25.060
Oops!

04:25.440 --> 04:27.050
It's even worse now.

04:31.440 --> 04:31.740
So.

04:32.920 --> 04:42.640
As you can see here, we have columns here, and this column, Time here, um, shows the name

04:42.640 --> 04:46.580
of the... actually, first we have to... process name.

04:46.600 --> 04:48.340
Let's start with process name.

04:48.580 --> 04:54.730
This Process Name shows the name of the process that established the connection, and

04:57.860 --> 05:05.720
This column, Operation here, uh, shows the operation, which in this case is connecting to

05:05.720 --> 05:15.790
a remote server here, as you can see here, uh, these: RegOpenKey, CloseKey, uh, you know, ReadFile,

05:15.800 --> 05:17.930
LockFile, like that.

05:19.160 --> 05:19.700
And.

05:21.260 --> 05:28.910
We have Path here as well, as you can see here, uh, this Path, uh, actually indicates the source and

05:28.910 --> 05:30.050
destination addresses.

05:30.320 --> 05:35.780
And this is Detail here, as you can see here, it's increased a little bit.

05:36.140 --> 05:43.190
So this is the, uh, this Detail column provides more in-depth information about the, uh, event,

05:43.760 --> 05:48.140
although this solution isn't as helpful as monitoring system calls on other platforms.

05:48.470 --> 05:54.230
It is still useful in Windows if you just want to determine the network protocols a particular application

05:54.230 --> 05:54.830
is using.

05:55.610 --> 06:01.010
You can capture data using this technique, but once you determine the protocols in use, you can add

06:01.010 --> 06:05.420
that information to your analysis before a more active network traffic capture.

06:07.080 --> 06:11.280
And now advantages and disadvantages of passive capture.

06:12.960 --> 06:18.170
So the greatest advantage of using passive capture is that it doesn't disrupt the client and server

06:18.180 --> 06:24.570
applications communication, so it will not change the destination or source address of traffic.

06:24.780 --> 06:30.210
And it doesn't require any modifications or reconfiguration of the applications.

06:30.850 --> 06:37.500
Passive capture might also be the only technique you can use when you don't have direct control over

06:37.500 --> 06:38.820
the client or the server.

06:39.420 --> 06:46.140
You can usually find a way to listen to the network traffic and capture it with a limited amount of

06:46.140 --> 06:46.650
effort.

06:47.460 --> 06:53.970
After you have collected your data, you can determine which active capture techniques to use and the

06:53.970 --> 06:56.970
best way to attack the protocol you want to analyze.

06:57.900 --> 07:04.830
One disadvantage of passive network traffic capture is that capture techniques like packet sniffing run at

07:05.040 --> 07:12.570
such a low level that it can be difficult to interpret what an application received. Tools such as

07:12.570 --> 07:15.150
Wireshark certainly help.

07:15.150 --> 07:21.240
But if you are analyzing a custom protocol, it might not be possible to easily take apart the protocol

07:21.840 --> 07:23.910
without interacting with it directly.

07:24.450 --> 07:30.810
Passive capture also doesn't always make it easy to modify the traffic an application produces.

07:31.230 --> 07:37.800
So modifying traffic isn't always necessary, but it's useful when you encounter encrypted protocols

07:38.040 --> 07:43.320
and want to disable compression or need to change the traffic for exploitation.

07:43.950 --> 07:51.360
When analyzing traffic and injecting new packets doesn't yield results,

07:51.780 --> 07:55.230
switch tactics and try using active capture techniques.

07:57.610 --> 08:00.520
And we have active capture as well.

08:01.210 --> 08:05.920
So actually, I want to illustrate this here, uh.

08:07.400 --> 08:10.550
Let's change it to four years.

08:24.190 --> 08:30.460
So now, uh, we will, uh, firstly, client application.

08:32.000 --> 08:37.450
Here and, yes, target, and we need.

08:38.690 --> 08:39.560
Proxy, see?

08:48.400 --> 08:48.820
Man.

08:52.050 --> 08:54.720
Man in the middle, man.

08:58.290 --> 08:58.740
The.

08:59.930 --> 09:01.890
I mean, the proxy.

09:06.700 --> 09:07.030
See?

09:08.390 --> 09:10.580
So this is the attacker's proxy here.

09:13.520 --> 09:14.820
And it's.

09:16.470 --> 09:20.520
Here and we have actually.

09:22.210 --> 09:23.920
We have another proxy here.

09:25.150 --> 09:27.400
We just need a server application.

09:28.510 --> 09:29.320
Location.

09:31.410 --> 09:32.430
For example.

09:35.500 --> 09:35.860
This.

09:37.760 --> 09:39.650
This is the server.

09:41.830 --> 09:44.650
And let's change this.

09:52.530 --> 09:53.010
Yeah.

09:58.270 --> 09:59.110
Here it is.

10:02.200 --> 10:12.040
So active capture differs from passive in that you will try to influence the flow

10:12.040 --> 10:20.440
of the traffic, usually by using a man-in-the-middle, um, attack on the network, on the network communication

10:20.890 --> 10:22.330
as shown in this figure.

10:23.250 --> 10:30.760
The device capturing traffic usually sits between the client and server application,

10:31.840 --> 10:33.790
uh, acting as a bridge here.

10:34.450 --> 10:40.330
So this approach has several advantages, including the ability to modify traffic and disable features

10:40.870 --> 10:50.170
like encryption and compression, which can make it easier to analyze and exploit a network protocol. Advantages.

10:50.380 --> 10:55.870
Actually, not the advantages; the disadvantage of this approach is that it's usually more difficult

10:55.870 --> 10:59.950
because you need to reroute the application's traffic through your active capture system.

11:00.520 --> 11:04.600
Active capture can also have unintended, undesirable effects.

11:05.050 --> 11:12.280
For example, if you change the network address of the server or client to the proxy, this can cause

11:12.280 --> 11:16.750
confusion, resulting in the application sending traffic to the wrong place.

11:17.200 --> 11:24.160
Despite these issues, active capture is probably the most valuable technique for analyzing and exploiting

11:24.160 --> 11:26.500
application network protocols.

11:27.340 --> 11:30.160
We have network proxies here as well.

11:31.360 --> 11:33.700
So, uh, what?

11:33.790 --> 11:39.910
Um, what network proxies do is, uh, we will learn in the next lecture.
