Until now the basic statistics have been sufficient. Now let's examine the application layer. Let's open the file with the captured telnet session. This is a protocol that's very easy to interpret. It's easy for us humans to read what the client sent to the server and how the server responded. We can see that two computers exchanged communication; the first three packets visible were responsible for the proper establishment of the TCP session, or the three-way handshake. Below you can see the telnet session that was turned on; however, it's difficult to tell how the communication proceeded. We won't analyze packet after packet. Clicking on any of the telnet packets with the right mouse button opens the context menu with the Follow Stream option: Follow TCP Stream, Follow UDP Stream, Follow SSL Stream. We will choose Follow TCP Stream. It allows us to see the whole of the communication unpacked from the headers of the lower-layer packets. We now see the raw data. We can see the data that the client contributed and how the server responded. In our case we see the original conversation: the user has logged in with telnet in the fourth row from the top. Everything is doubled.
This means that the program captured the echo: after the user pressed a keyboard button, a character appeared on the screen. The server sent back the echo of the buttons the user pressed, after typing the password and logging in. Please note that there is no echo of the password. Some information on the remote server was displayed, and the client logged out. Follow TCP Stream allows you to trace this kind of communication. If we had used this feature earlier with the HTTP server, it would have shown the communication between the browser and the website.

Now let's look at something more related to security. We open another capture file; it presents a situation you would never want to have in your network. Just looking at the main window you can more or less get what's going on. First you can see the TCP session establishment. Then there's an attempt to log in to the FTP server as an administrator with a random password. By clicking on the selected packet with the right mouse button, we can choose Follow TCP Stream. We see that someone tried to guess the administrator's password. We would like Wireshark to highlight issues like this one at once. To do this, you should first prepare your own profile. It can be called, for example, SEC, as in security.
From now on we'll perform every action in the new profile. We'll now create coloring rules or filtering rules for specific packets. The point of that is to enable you to choose a preconfigured profile (management, security, etc.) whenever you turn Wireshark on. We're now checking on the FTP protocol. Let's see how the user tried to guess the password. Remember that any piece of data can be used as a filter. If we applied the filter ftp.request.command == "USER", we would be shown only login requests to the FTP server. If we only wanted to see the failed attempts, we should select the "password not accepted" packet, click on it with the right mouse button and choose the option Apply as Filter > Selected.

Let's now create a coloring rule. We would like to color a situation in which the password was not accepted. Right mouse key: Colorize with Filter > New Coloring Rule. We will call the new rule "Bad FTP pass". Now choose the background color. I suggest you choose a really annoying one. There are already a few coloring rules in Wireshark. Because the rules are applied in sequence, it's important that our rule comes first. From now on we'll be able to spot the packets we would never like to see in the file. In this way we've created our own intrusion detection system.
Let's look at an attempt to guess the password to another service. We'll open another capture file. The protocol used to communicate with Microsoft SQL servers is TDS, the Tabular Data Stream protocol. As you can see, Wireshark correctly interprets the data of this protocol. Not only did it show that such a protocol was used, but it also properly interpreted its header. Wireshark correctly interprets a large set of protocols, virtually all of them. If it doesn't manage to do so, it means that someone uses a really strange protocol or an unusual port, and that you'll have to manually decode the data. Usually all data are properly interpreted by Wireshark.

We'll filter data according to the TDS protocol to see if there are any troubling messages. We see that someone has tried to use the server name SA to connect to the computer named SYDAS21ESXI, with a server with a visible IP address and listening on port 1433. Filtering the data sent by the server according to IP addresses would be faster, but it would give the same result. We have the error message reported by the SQL server, which is understandable even for people unfamiliar with databases. It contains the information that SQL Server reports an error when someone tries to log in with the wrong password; the error message number is 18456.
We can use the error number as a filter or as a coloring rule. We can check how many times someone tried to log into the server. We would like to know how frequent these attempts were. In the table above we can see the total time since the beginning of the capture. You can change this to the time elapsed since the last captured packet. Now it's easier for us to analyze the data. We can see that someone sitting at a computer with the IP address displayed as source tried to log into the SQL server more often than every thirty-nine milliseconds. Either this is a person who types really fast, or one who uses a brute-force program to acquire unauthorized access to the server.