[00:00:01] Finally, we'll take a look at a few examples of computer scans and remote operating system detection. We'll start at the lowest layer with the IP scan. Above you can see a capture file you'd never like to register in your network.

[00:00:18] We see here that the same IP protocol packets were sent, and not any packets of other protocols; we're dealing with scanning in the third layer of the OSI model. The attacker tries to probe the network infrastructure in this way. They want to see which protocols are supported by which network devices. This is called the IP scan: only IP packets are sent, and the IP header contains information about which protocol should be above. Then you wait for a response from a given device. It will tell you whether the device supports the protocol or not. The IP scan is used to check out the infrastructure of network devices. This is how the IP scan is presented in Wireshark.

[00:01:10] Let's see how the port scan looks. We see the TCP packets sent by the computer identified by the address 10.1.0.2 to a computer identified by the address 10.1.0.1. This is very chaotic. If we look at the destination port, it appears that each packet is sent to a different port. Everywhere a connection request is addressed to a different port, and each time the destination computer responds with a reset. If the port is closed, the RST packet is sent.

[00:01:54] That's how the TCP scan works. If the port is open, it either won't respond or the response will be definite. However, if you receive an RST response, it means that the port was closed and the scan failed. We can see that in our case most of the ports were closed. However, if the port was open, the server responded with a SYN/ACK packet; the port wasn't behind the firewall. It tried to establish a TCP session, just as we've discussed before. In this case we can analyze successful and failed attempts to establish a session through a standard scan.

[00:02:43] Let's examine the UDP scan. Because UDP is a stateless protocol, we do not expect a positive response. This is a broadcast protocol. The packets are sent, but there's no certainty whether they got through and were received. In accordance with the RFC, after receiving a packet at a closed port the computer should notify the sender by sending the ICMP packet Destination Unreachable / Port Unreachable, informing them that the packet was sent to the wrong address. In the UDP scan, no response means that you have come across an open port. At the same time, we expect the error message if a packet reached a closed port. How such a scan proceeds is shown in the picture below.

[00:03:46] Finally, let's see how you can identify a remote operating system. In this case the ICMP protocol was used. We see the attacker's computer with IP 10.0.0.29 and the test computer with the address 10.0.0.2. The process begins with sending an echo packet and waiting for the response. This is repeated several times, because the ping command sends several packets. In this step we want to identify a computer existing in the network. Then we formulate different ICMP requests. We look at what the requests are and how the server will reply.

[00:04:35] Whether someone responds to the timestamp request, giving away the timestamp or not, depends on the particular version of the device and the operating system. Older Windows systems readily allowed synchronizing their clocks; after the request we see the response, someone shared his timestamp with us. Then we ask about other things, for example the IP version 4 address mask. We can receive the response or not; the response may also contain the default values.

[00:05:16] The process which has been previously presented, and which is used quietly in certain programs, for example in Nmap, to identify the victim's operating system, boils down to posing typical or atypical requests and observing the responses. Individual responses are compared with a list of predefined schemata. Certain systems respond to one kind of question, other systems to another kind. After you've used up all the 60 questions, you can quite accurately determine what system you're dealing with, details such as version and service pack included.

[00:06:00] The functionalities we've tried out are only a part of the full capabilities of Wireshark. We had the opportunity to capture some data and configure the display filters. In a nutshell, we went through features such as visualization, statistics, packet coloring and creating custom profiles. The range of possibilities offered by Wireshark that we got to know is sufficient to monitor user activity in the network in real time. It allows you to detect unusual behavior of hosts and users and react accordingly, for example by recording a certain operation if you'd like to analyze saved capture files.

[00:06:47] Wireshark files are used by various network services, for example programs for tracking Wi-Fi network passwords. If you have some spare money, turn on Wireshark for a while and send someone a file to a certain web page; the next day you'll get an email with a password for the Wi-Fi network whose packets you captured. As you see, Wireshark has a very broad application.

[00:07:10] Before you use the capture files as proof, you need to sign them. A couple of modules before, we mentioned how important data integrity is. You should sign the file with the SHA-1 or MD5 key; in that way you can make sure that the data someone extracts from the file will be the data that you have provided to them.

[00:07:38] At this point I would like to end the presentation of Wireshark. Thank you for your attention.