00:00:00,150 What is going on, guys? My name is Hussein, and welcome to another episode of Wireshark Them All. And today we're Wiresharking a Postgres database. We're going to see how it does it, a look behind the curtain. We're going to make a connection from a Node.js client to a Postgres database that I spun up in the cloud. This is using ElephantSQL. It's a very easy service; they are not a sponsor. This is just literally, I love this service, it literally took me two minutes to spin up a Postgres so I can do this video. So how about we jump into it, guys? So here's what I'm going to do. I'm using node-postgres, and I made a video on how to connect to a Postgres database from a Node.js client. Check out this video if you're interested. But what we're going to do here is literally, I have already established a Postgres database. I created a table called employees and I added some rows. And this client does the following: it connects to the database, then it issues a query, select * from employees. And then once it does, it returns the result and immediately closes the connection. That's what it does. Nothing else. Right.
00:01:13,380 How about we jump in and run this client and see what it does? So we're going to do node, I believe I called it query.js. When I do that, this is what I get. It just prints a beautiful table of whatever is in that cloud database that I created: Rick, Admon, Hussein, all of those people are employees in this table. So let's look at Wireshark. In Wireshark, here's exactly what we did right now. These are all the packets; it's not as much as I thought, to be honest. Right. And I used a quick filter based on my client IP address and the server IP address. So I just literally pinged that ruby-whatever server I got, and I got the IP address, and I used it in Wireshark to actually see what happens behind the scenes. How about we actually look at these guys first, the beautiful three requests: SYN, SYN-ACK, ACK. We're establishing a TCP connection, because Postgres uses TCP, right? So what if that was a TCP connection? There is no escaping these packets unless you're doing [inaudible], which I talked about on this channel as well. And here's the thing: who was the first to make a request? The client says, OK, I'm going to send you this thing, and here's what it sends: hey, here's my protocol version. Here's my user, the parameter user.
00:02:44,010 I'm going to send another parameter, database, and this is the same database. So the username is this, the database is this, and this is the client encoding: I support UTF-8. And you notice that we didn't send the password, for some reason, despite that it is in the connection string. Look at this, the password is right there. That's the whole password. I don't care. You can take it, because I'm going to destroy this instance after this video. But look at that. We don't see the password. And I'm always curious why. The server says acknowledge, I got a request, but here's the response. What is the response? It says, OK, I'm going to authenticate you. I found that this username exists. You can access me from this database, from this user, from this client, from this IP address, so just send me the password hash. Go ahead and send it to me. And this is not encrypted. That's why it's very important for you guys to encrypt Postgres connections, pretty much everything. But we're learning here. That's why it's actually a good thing that this is in the clear, so we can see what's behind the scenes. So the server says OK, the client says acknowledge, and now the client sends the password.
00:03:56,860 Which is, this is my MD5 hash; it is forty one characters, and so the whole thing is 40 characters in the length. And that's my password hash. I'm sure, obviously, this is not going to save us here, because the whole thing is unencrypted. The server acknowledges, and the server says, OK, look at this: authentication request success. I have been able to authenticate you, and here's a bunch of stuff now. The application value, right. What kind of data type we use for integers, what kind of data type we use for dates, what kind of data types you should talk to me in, is it a superuser. There is no superuser in this connection because, of course, you're not supposed to be a superuser connected through the cloud. Right. At least in this connection. Right. What's the server version? I'm using Ubuntu. Oh, look at this. Eleven point eight, Postgres eleven point eight. I'm running on Ubuntu. I don't know if it's eleven point eight of Ubuntu or of Postgres, because there is a Postgres eleven. That's interesting. No, I didn't see any version of Postgres here, but yeah, it just sends a bunch of things, and there is the last thing.
00:05:16,270 I'm ready to receive your queries, so send me those queries. All right, the client says, yo, I acknowledge your thing, I got it. Right, guys, I think that if we can just delay a little bit and kind of just... I guess, no, we cannot delay the ACK in this case because we don't know when the client is going to issue the query. What is this now? So, select * from employees. We are finished with the setup; that setup was literally that one line of code, which was all those packets, I guess, up to here, up to this packet. Here is the query. That's why the query is here, and we're here now. We're selecting, select * from employees, and we just send it as plaintext. Right. And I wonder, if the query is too long, like select * and blah blah blah blah, that's too long, I wonder how many packets we're going to break this thing into. I guess it depends on the TCP window and all that stuff, but yeah, the server says, I acknowledge, I received your query, but I don't have a response for you yet. This is just an ACK. So, hey, I received your query, and this is very important for the client to start unblocking and do other async stuff. Right.
00:06:39,230 And the thing I love: Wireshark just recognizes pretty much everything. I love this stuff. And this is a tool that I just discovered. I'm just in love with it. All right. So there's the actual content, just the three hundred bytes. No, I take it back. Two hundred thirty seven is the actual content. Three hundred bytes is the whole thing with the garbage of the TCP stack, all the fields, this is whatever, all the content. Right. Data row. That's the data. Look at that. These are actual numbers, the content is numbers, and they are converted into, I guess, ASCII strings or UTF strings. Awesome. So the client will say, yo, I acknowledge your result, and then what is X? X is a termination, so that's, I'm done, son, I'm done now. We're here. Right, because this is just the client right now, we're here, we're killing that connection, we're closing the connection. The client says, yo, I want to close, and immediately after that doesn't even wait for an acknowledgement. Savage client, man.
00:07:58,920 All right, so the client just says, all right, I'm going to FIN ACK, I'm going to FIN and ACK whatever we had before. So the client just initiated the closing of the connection, in this case. To me, if it was me, to avoid the TCP TIME_WAITs, I would actually have the server initiate the FIN ACK, so that the client doesn't get the TCP wait. So that's just like, you don't have all this garbage TCP wait state. I might be wrong, it might not be possible in this case, but yeah, I would avoid it; if it's on the protocol, I would flip this. Yeah. Since the client is initiating the closing in this case. Right. We can actually respond with a FIN ACK from the server. So we wait a little bit for the client, but it really depends on how the client is designed, because in this case the client is pg. I think Brian, I forgot his last name. Sorry, Brian, but yeah, he's the one who built this node-postgres library. So it depends on how the client is built as well. So, yeah. Yeah. FIN ACK: the server says, I acknowledge your FIN and this is my FIN, and then I FIN the FIN, and then we're FIN FIN. That's it. We're done.
00:09:17,820 All right, let's clean this thing and let's throw in a monkey wrench where, I don't know, let's add a bad... Let's add a bad login where the password string is just wrong. Why do this now? I'm going to get an error. This is like a bogus error when things are wrong, and you want bogus errors from the server as much as possible, because you don't want the server to give you a hint: oh, the password is good but the username is wrong, or the username is good. Never do this at the back end, engineer; never give, be as ambiguous as you can to that client. And I understand this is not a good user experience, but believe me, for security reasons, be as ambiguous and as... And what is that? Because the word ambiguous is, as confusing as possible; don't give that hacker or someone clues to what is missing in their request. I understand it gives you a bad user experience, but you need it for security reasons. So let's go back. Look at those beautiful things. Beautiful, beautiful, beautiful. TCP connection through a handshake, all that jazz. We talked about the three-way handshake. That guy says, yo, my major version is three and the minor version is, what is this exactly? I still don't understand.
00:10:46,270 And three point zero major; is that maybe this is the pg version? I don't even know which I'm using, which version, and it's not really clear how. Then acknowledged, and the server says, I cannot... I mean, an error. I literally just found out, by the way, and it says, yeah, whatever the message that the server sends, the client just printed it for us. Right. Just like this is exactly what we got. We got two thousand. It's fatal. And when it's fatal, you got to close the connection. There's no pg_hba.conf entry for, ba ba ba ba ba ba, user this. That's the bogus user, and database, ba ba ba. So at all... Well, that's not good. Really, we're sending the code? It's not really the code, but still, you like, which file of the code, I didn't know that. Even the line number. Oh, come on. That can't be good. I don't know about you, man, I think this is a little bit shady, OK? It's an error. Like, I don't think we should just send the stack trace, Jesus. I don't think this is a good idea. ACK, FIN ACK, oh, OK.
00:12:13,100 We're where the client is acknowledging the error, and then that... Oh, look at that, in this case the server is FINing. The server is FINing the connection. So, like FIN ACK, and the client will ACK. And then... Oh, this is a mess right now. We already established closing the connection, but the client, this is a bug to me in the client code, right? Because clearly the server already established the close, but we are sending it data. And that's why we really need to, this is one use case of the TCP TIME_WAIT, right, where it actually waits for more packets to come, to clean things up. Obviously the client, the server will just immediately drop this connection. So we're sending it for nothing. And that probably explains the reset. Right. So that's a bug, in my opinion. I think it's a bug in the client code. So it's a bug in here, in the pg package. Right. And basically, the fix could be that if you receive a FIN, don't attempt to terminate, because the server will terminate it for you, apparently.
00:13:41,000 I might be missing something. Yeah, that explains the resets that we have here, because something went out of sync and you started sending me packets while I'm trying to close. Obviously the client did essentially establish that close. Buddy, my guys, that was like the Postgres Wiresharking. See you guys in the next one. You guys stay awesome. Let me know what I should talk about next. And I'm going to see you in the next one. Guys, say goodbye.
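As an added example (not code from the video or from the node-postgres project), the Python below builds a constructed copy of the exchange the capture showed and decodes it: the StartupMessage with user, database and client_encoding but no password; the server's AuthenticationMD5Password challenge with its salt; the 40-byte PasswordMessage carrying the md5 hash; and a FATAL ErrorResponse whose fields carry the server's source file, line and routine. The user, password, salt, SQLSTATE and file/line values are constructed placeholders.

```python
import hashlib
import struct

# ErrorResponse field codes that matter for this capture (PostgreSQL v3 protocol).
FIELD_NAMES = {b"S": "severity", b"C": "code", b"M": "message",
               b"F": "file", b"L": "line", b"R": "routine"}


def frame(msg_type: bytes, body: bytes) -> bytes:
    """Regular v3 message: one type byte, int32 length (counts itself), body."""
    return msg_type + struct.pack("!i", 4 + len(body)) + body


def parse_message(buf: bytes):
    """Return (type byte, body) of the first framed message in buf."""
    length = struct.unpack("!i", buf[1:5])[0]
    return buf[0:1], buf[5:1 + length]


def parse_startup(buf: bytes) -> dict:
    """StartupMessage has no type byte: int32 len, int32 version, then
    key\\0value\\0 pairs closed by an extra \\0. The password is never here."""
    length, version = struct.unpack("!ii", buf[:8])
    items = buf[8:length].split(b"\0")[:-2]          # drop the two trailing empties
    params = {"protocol": f"{version >> 16}.{version & 0xFFFF}"}
    params.update((k.decode(), v.decode()) for k, v in zip(items[0::2], items[1::2]))
    return params


def md5_password_response(user: str, password: str, salt: bytes) -> bytes:
    """What the client sends after AuthenticationMD5Password:
    'md5' + hex(md5(hex(md5(password + user)) + salt)), 35 characters."""
    inner = hashlib.md5(password.encode() + user.encode()).hexdigest()
    return b"md5" + hashlib.md5(inner.encode() + salt).hexdigest().encode()


def parse_error_fields(body: bytes) -> dict:
    """ErrorResponse body: repeated (1-byte field code + C string), then \\0."""
    fields = {}
    for item in body.split(b"\0"):
        if item:
            fields[FIELD_NAMES.get(item[:1], item[:1].decode())] = item[1:].decode()
    return fields


def sample_exchange() -> dict:
    """Constructed bytes (not the video's capture) mirroring what Wireshark showed."""
    user, password, salt = "hussein", "hunter2", b"\x01\x02\x03\x04"   # placeholders
    body = struct.pack("!i", 196608) + (f"user\0{user}\0database\0employees\0"
                                        "client_encoding\0UTF8\0\0").encode()
    startup = struct.pack("!i", 4 + len(body)) + body
    challenge = frame(b"R", struct.pack("!i", 5) + salt)   # 5 = MD5 password auth
    pw_msg = frame(b"p", md5_password_response(user, password, salt) + b"\0")
    # Constructed fatal error; file/line/routine are placeholder values.
    error = frame(b"E", b"SFATAL\0C28P01\0Mpassword authentication failed "
                        b"for user \"hussein\"\0Fauth.c\0L333\0Rauth_failed\0\0")
    _, chal_body = parse_message(challenge)
    _, pw_body = parse_message(pw_msg)
    _, err_body = parse_message(error)
    return {
        "startup": parse_startup(startup),
        "auth_kind": struct.unpack("!i", chal_body[:4])[0],
        "salt": chal_body[4:],
        "password_msg_length": struct.unpack("!i", pw_msg[1:5])[0],
        "password_hash": pw_body.rstrip(b"\0"),
        "error": parse_error_fields(err_body),
    }
```

Run `sample_exchange()` to see the decoded startup parameters (no password key), the salted hash the client answers with, and the file/line/routine fields a verbose ErrorResponse exposes to any unencrypted observer.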