Network analyzers: a review of programs for analyzing a local network

Ministry of Education and Sciences of the Russian Federation

SEI "St. Petersburg State Polytechnic University"

Cheboksary Institute of Economics and Management (branch)

Department of Higher Mathematics and Information Technology

ESSAY

on the course "Information Protection"

on the topic: "Network analyzers"

Completed by:

4th year student, s/o 080502-51M,

majoring in "Management at a mechanical engineering enterprise"

Pavlov K.V.

Checked by:

Teacher

Cheboksary 2011


INTRODUCTION

Ethernet networks have gained immense popularity due to their good bandwidth, ease of installation and the acceptable cost of network equipment.
However, Ethernet technology is not without significant drawbacks. The main one is the insecurity of the transmitted information: computers connected to an Ethernet network are able to intercept information addressed to their neighbors. The reason for this is the so-called broadcast message exchange mechanism adopted in Ethernet networks.

Combining computers in a network breaks the old axioms of information protection, for example the axiom of static security. In the past, a system vulnerability could be discovered and fixed by the system administrator by installing the appropriate update, and the functioning of the installed "patch" might be checked only weeks or months later. However, this "patch" could be removed by a user accidentally or during work, or by another administrator when installing new components. Everything is changing, and information technology is now changing so fast that static security mechanisms no longer provide complete system security.

Until recently, firewalls were the main mechanism for protecting corporate networks. However, firewalls designed to protect an organization's information resources are often themselves vulnerable. This is because system administrators create so many simplifications in the access system that in the end the protection system, conceived as a stone wall, becomes full of holes, like a sieve. Firewall (FW) protection may not be appropriate for high-traffic corporate networks, as the use of many FWs can significantly impact network performance. In some cases, it is better to "leave the doors wide open" and focus on methods for detecting and responding to network intrusions.

For continuous (24 hours a day, 7 days a week, 365 days a year) monitoring of a corporate network to detect attacks, "active" protection systems are designed: intrusion detection systems. These systems detect attacks on corporate network nodes and react to them in the manner specified by the security administrator, for example by interrupting the connection with the attacking host, informing the administrator, or recording information about the attack in the logs.


1. NETWORK ANALYZERS

1.1 IP ALERT-1, OR THE FIRST NETWORK MONITOR

First, let's say a few words about local broadcasting. On an Ethernet network, the computers connected to it typically share the same cable, which serves as a medium for sending messages between them.

Anyone wishing to transmit a message on the shared channel must first make sure that the channel is free at that moment. Having started transmission, the computer listens to the carrier signal, determining whether the signal has been distorted as a result of a collision with other computers transmitting their data at the same time. If there is a collision, the transmission is interrupted and the computer "falls silent" for a certain period of time in order to try the transmission again a little later. If a computer connected to an Ethernet network is not transmitting anything itself, it nevertheless continues to "listen" to all messages transmitted over the network by neighboring computers. Having noticed its own network address in the header of an incoming portion of data, the computer copies this portion to its local memory.

There are two main ways to connect computers to an Ethernet network. In the first case, the computers are connected using a coaxial cable. This cable is laid from computer to computer, connected to the network adapters with a T-shaped connector and closed at the ends with BNC terminators. In the language of professionals such a topology is called a 10Base2 Ethernet network, but it could also be called a network in which "everyone hears everyone else": any computer connected to the network is capable of intercepting data sent over it by another computer. In the second case, each computer is connected by a twisted-pair cable to a separate port of a central switching device, a hub or a switch. In these networks, called 10BaseT Ethernet networks, computers are divided into groups called collision domains. Collision domains are defined by the hub or switch ports connected to a common bus. As a result, collisions do not occur between all computers on the network, but only between those that belong to the same collision domain, which increases the throughput of the network as a whole.

Recently, new types of switches have begun to appear in large networks that do not use broadcasting and do not close groups of ports off from each other. Instead, all data transmitted over the network is buffered in memory and sent on as soon as possible. However, there are still rather few such networks: no more than 5% of the total number of Ethernet-type networks.

Thus, the data transfer algorithm adopted in the vast majority of Ethernet networks requires each computer connected to the network to continuously "listen" to all network traffic without exception. Access algorithms proposed by some authors, in which computers would be disconnected from the network while "foreign" messages are being transmitted, have remained unrealized because of their excessive complexity, high cost of implementation and low efficiency.

What is IP Alert-1 and where did it come from? At one time, the authors' practical and theoretical research into network security led to the following observation: on the Internet, as in other networks (for example, Novell NetWare, Windows NT), there was a serious lack of protective software implementing comprehensive control (monitoring) at the link level of the entire flow of information transmitted over the network, in order to detect all the types of remote attacks described in the literature. A study of the market for Internet firewall software revealed that no such comprehensive tools for detecting remote attacks existed, and those that did exist were designed to detect attacks of one specific type (for example, ICMP Redirect or ARP). Therefore, development was started of a tool for monitoring an IP network segment, intended for use on the Internet, which received the name network security monitor IP Alert-1.

The main task of this tool, which analyzes the network traffic in the transmission channel programmatically, is not to repel remote attacks carried out over the communication channel but to detect them, to log them (maintaining an audit file in which all events associated with remote attacks on this network segment are recorded in a form convenient for subsequent visual analysis) and to signal the security administrator immediately when a remote attack is detected. The main task of the IP Alert-1 network security monitor is to control the security of the corresponding segment of the Internet.

The IP Alert-1 network security monitor has the following functions and, through network analysis, allows the following remote attacks on the network segment it controls to be detected:

1. Control over the correspondence of IP and Ethernet addresses in packets transmitted by hosts located inside the controlled network segment.

On the IP Alert-1 host, the security administrator creates a static ARP table into which he enters the corresponding IP and Ethernet addresses of the hosts located inside the controlled network segment.

This function makes it possible to detect an unauthorized change of IP address or its substitution (so-called IP spoofing).

2. Control over the correct use of the remote ARP lookup mechanism. This function allows a remote "rogue ARP server" attack to be detected using the static ARP table.

3. Control over the correct use of the remote DNS lookup mechanism. This function allows all possible types of remote attacks on the DNS service to be identified.

4. Control over the correctness of remote connection attempts by analyzing the transmitted requests. This function allows the detection of, firstly, an attempt to investigate the law by which the initial value of the TCP connection identifier (ISN) changes; secondly, a remote "denial of service" attack carried out by overflowing the connection request queue; and, thirdly, a directed "storm" of false connection requests (both TCP and UDP), which also leads to a denial of service.

Thus, the IP Alert-1 network security monitor allows most types of remote attacks to be detected, reported and logged. At the same time, this program is in no way a competitor to firewall systems. IP Alert-1, using the characteristics of remote attacks on the Internet, serves as a necessary, and incidentally incomparably cheaper, addition to firewall systems. Without a security monitor, most attempts to carry out remote attacks on your network segment will remain hidden from your eyes. None of the well-known firewalls performs such intelligent analysis of the messages passing through the network in order to detect various kinds of remote attacks; at best they limit themselves to logging, which records information about password guessing attempts, port scanning and network scanning with well-known remote search programs. Therefore, if the IP network administrator does not want to remain indifferent and settle for the role of a simple extra in remote attacks on his network, it is advisable for him to use the IP Alert-1 network security monitor.
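As an added example (not code from the essay or from IP Alert-1 itself), the following Python monitor implements functions 1, 2 and 4 of the list above in miniature: it decodes raw Ethernet/ARP/IPv4/TCP headers, checks each frame against a static IP-to-MAC table, flags ARP replies that contradict the table, and reports a storm of TCP connection requests to one port. The static table, the threshold of 5 requests and the sample frames are constructed assumptions.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Static IP <-> MAC table that the security administrator fills in by hand for
# the controlled segment (constructed values for this example).
STATIC_ARP = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",
    "192.168.1.20": "aa:bb:cc:00:00:20",
}
# Half-open requests (SYN without ACK) to one destination ip:port after which a
# "storm" of connection requests is reported (assumed threshold).
SYN_STORM_THRESHOLD = 5

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Decode Ethernet + ARP or Ethernet + IPv4 (+ TCP) headers into a dict."""
    if len(raw) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    info = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "kind": "other"}
    if etype == 0x0806 and len(raw) >= 42:
        # ARP body: htype, ptype, hlen, plen, opcode, sender mac, sender ip, ...
        op, sha, spa = struct.unpack("!H6s4s", raw[20:32])
        info.update(kind="arp", op=op, sender_mac=mac_str(sha), sender_ip=str(IPv4Address(spa)))
    elif etype == 0x0800 and len(raw) >= 34:
        ihl = (raw[14] & 0x0F) * 4            # IPv4 header length in bytes
        info.update(kind="ip", proto=raw[23], src_ip=str(IPv4Address(raw[26:30])),
                    dst_ip=str(IPv4Address(raw[30:34])))
        if raw[23] == 6 and len(raw) >= 14 + ihl + 14:   # TCP header present
            tcp = raw[14 + ihl:]
            sport, dport = struct.unpack("!HH", tcp[:4])
            info.update(sport=sport, dport=dport, syn=bool(tcp[13] & 0x02), ack=bool(tcp[13] & 0x10))
    return info

def check_frame(info, syn_counter):
    """Apply the three checks to one decoded frame; return a list of alerts."""
    alerts = []
    if info["kind"] == "ip":
        # Function 1: a source IP must come from the MAC the static table lists.
        expected = STATIC_ARP.get(info["src_ip"])
        if expected is not None and expected != info["src_mac"]:
            alerts.append(f"IP/MAC mismatch: {info['src_ip']} sent from "
                          f"{info['src_mac']}, table says {expected}")
        # Function 4: count half-open connection requests per destination.
        if info.get("syn") and not info.get("ack"):
            key = (info["dst_ip"], info["dport"])
            syn_counter[key] += 1
            if syn_counter[key] == SYN_STORM_THRESHOLD:
                alerts.append(f"SYN storm: {SYN_STORM_THRESHOLD} connection "
                              f"requests to {key[0]}:{key[1]}")
    elif info["kind"] == "arp" and info["op"] == 2:
        # Function 2: an ARP reply must bind a known IP to its table MAC.
        expected = STATIC_ARP.get(info["sender_ip"])
        if expected is not None and expected != info["sender_mac"]:
            alerts.append(f"rogue ARP reply: {info['sender_ip']} claimed by "
                          f"{info['sender_mac']}, table says {expected}")
    return alerts

def monitor(frames):
    # Runs the checks over raw frames and returns the audit log (list of strings).
    syn_counter, log = Counter(), []
    for raw in frames:
        info = parse_frame(raw)
        if info is not None:
            log.extend(check_frame(info, syn_counter))
    return log

# --- constructed sample traffic (not a real capture) ---
def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return IPv4Address(s).packed

def build_tcp(src_mac, src_ip, dst_ip, dport, flags=0x02):
    eth = _mac(STATIC_ARP["192.168.1.1"]) + _mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp

def sample_frames():
    frames = [build_tcp("aa:bb:cc:00:00:10", "192.168.1.10", "192.168.1.1", 80)]        # legitimate
    frames.append(build_tcp("de:ad:be:ef:00:01", "192.168.1.20", "192.168.1.1", 22))    # spoofed .20
    frames.append(build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1",
                                  "aa:bb:cc:00:00:10", "192.168.1.10"))                 # rogue gateway
    frames += [build_tcp("de:ad:be:ef:00:01", "10.9.8.7", "192.168.1.10", 443)
               for _ in range(SYN_STORM_THRESHOLD)]                                     # SYN storm
    return frames
```

Running `monitor(sample_frames())` yields three audit lines: the spoofed source, the rogue ARP reply and the SYN storm, while the legitimate first frame produces nothing.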

General information

Tools called network analyzers are named after the Sniffer Network Analyzer. This product was released in 1988 by Network General (now Network Associates) and was one of the first devices that allowed managers to literally know what was happening in a large network from the comfort of their desk. The first analyzers read the headers of messages in data packets sent over the network, thus providing administrators with information about sender and recipient addresses, file sizes, and other low-level information. And all this is in addition to checking the correctness of packet transmission. Using graphs and text descriptions, the analyzers helped network administrators diagnose servers, network links, hubs and switches, and applications. Roughly speaking, a network sniffer listens to, or "sniffs", packets on a specific physical network segment. This allows you to analyze traffic for certain patterns, fix certain problems, and identify suspicious activity. A network intrusion detection system is nothing more than an advanced analyzer that matches every packet on the network against a database of known malicious traffic patterns, much like an antivirus program does with files on a computer. Unlike the tools described earlier, analyzers operate at a lower level.

If we turn to the OSI reference model, analyzers check the two lower layers: the physical layer and the data link layer.

OSI model layer number | Layer name         | Protocol examples
Layer 7                | Application layer  | DNS, FTP, HTTP, SMTP, SNMP, Telnet
Layer 6                | Presentation layer |
Layer 5                | Session layer      |
Layer 4                | Transport layer    | NetBIOS, TCP, UDP
Layer 3                | Network layer      | ARP, IP, IPX, OSPF
Layer 2                | Link layer         | Arcnet, Ethernet, Token Ring
Layer 1                | Physical layer     | Coaxial cable, optical fiber, twisted pair

The physical layer is the actual physical wiring or other medium used to create the network. At the link layer, the initial encoding of data for transmission through a specific medium takes place. Link layer networking standards include 802.11 wireless, Arcnet, coaxial cable, Ethernet, Token Ring and others. Analyzers usually depend on the type of network they operate on: for example, to analyze traffic on an Ethernet network, you must have an Ethernet analyzer.

There are commercial-grade analyzers available from manufacturers such as Fluke, Network General and others. These are usually special hardware devices that can cost tens of thousands of dollars. While this hardware is capable of deeper analysis, it is possible to build an inexpensive network analyzer using open source software and an inexpensive PC on the Intel platform.

Types of analyzers

Many analyzers are produced today, and they fall into two types. The first includes standalone products that are installed on a mobile computer. A consultant can take it along when visiting the client's office and connect it to the network to collect diagnostic data.

Initially, portable devices designed to test the operation of networks were designed solely to check the technical parameters of the cable. However, over time, manufacturers have endowed their equipment with a number of protocol analyzer functions. Modern network analyzers are able to detect the widest range of possible problems - from physical damage to the cable to overloaded network resources.

The second type of analyzer is part of a broader category of network monitoring hardware and software that allows organizations to control their local and global network services, including the Web. These programs give administrators a holistic view of the health of the network. For example, with the help of such products, you can determine which applications are running at the moment, which users are registered on the network, and which of them generates the bulk of traffic.

In addition to identifying low-level network characteristics, such as the source and destination of packets, modern analyzers decode the information received at all seven layers of the Open Systems Interconnection (OSI) network stack and often issue recommendations for resolving problems. If analysis at the application layer does not make it possible to give an adequate recommendation, the analyzers carry out a study at the lower, network layer.

Modern analyzers typically support the remote monitoring standards (RMON and RMON 2) that provide automatic retrieval of key performance data, such as information about the load on available resources. Analyzers that support RMON can regularly check the status of network components and compare the received data with previously accumulated data. If necessary, they will issue a warning that traffic levels or performance exceed the limits set by the network administrators.

NetScout Systems has introduced the nGenius Application Service Level Manager, a system designed to monitor the response time in certain sections of the access channel to the Web site and determine the current performance of the servers. This application can analyze public network performance in order to recreate the overall picture on the user's computer. Danish firm NetTest (formerly GN Nettest) has begun offering Fastnet, a network monitoring system that helps e-business companies plan link capacity and troubleshoot network problems.

Analysis of converged (multiservice) networks

The spread of multiservice (converged) networks may have a decisive impact on the development of telecommunications and data transmission systems in the future. The idea of combining, in a single network infrastructure based on a packet protocol, the transmission of data, voice streams and video turned out to be very tempting for providers specializing in telecommunication services, because it is able to expand the range of services they provide significantly and almost instantly.

As corporations begin to realize the efficiency and cost advantages of IP-based converged networks, network tool vendors are actively developing appropriate analyzers. In the first half of the year, many firms introduced components for their network administration products designed for voice over IP networks.

"Convergence has created new challenges for network administrators to deal with," said Glenn Grossman, director of product management at NetScout Systems. "Voice traffic is very sensitive to time delays. Analyzers can look at every bit and byte on the wire, interpret the headers, and automatically prioritize the data."

The use of voice and data convergence technologies may spark a new wave of interest in analyzers as support for traffic prioritization at the IP packet level becomes essential to the operation of voice and video services. For example, Sniffer Technologies has released Sniffer Voice, a toolkit designed for multiservice network administrators. This product not only provides traditional diagnostic services for managing email, Internet, and database traffic, but also identifies network problems and provides recommendations for remediation to ensure that voice traffic is correctly transmitted over IP networks.

The downside of using analyzers

It should be remembered that analyzers are a coin with two sides. They help keep the network up and running, but they can also be used by hackers to look up usernames and passwords in data packets. To prevent password interception by analyzers, packet headers are encrypted (for example, using the Secure Sockets Layer standard).

In the end, there is no alternative to a network analyzer in those situations when it is necessary to understand what is happening in a global or corporate network. A good analyzer allows you to understand the state of the network segment and determine the amount of traffic, as well as determine how this volume varies throughout the day, which users create the largest load, in which situations there are problems with traffic distribution or lack of bandwidth. Thanks to the use of the analyzer, it is possible to obtain and analyze all data fragments in the network segment for a given period.

However, network analyzers are expensive. If you plan to purchase one, first clearly articulate what you expect from it.

Features of the use of network analyzers

To use network analyzers ethically and productively, the following guidelines should be followed.

Permission is always needed

Network analysis, like many other security functions, has the potential for misuse. By intercepting all the data transmitted over the network, you can spy on passwords for various systems, the contents of e-mail messages and other critical data, both internal and external, since most systems do not encrypt their traffic on the local network. If such data falls into the wrong hands, it can obviously lead to serious security breaches. In addition, it can become a violation of employees' privacy. First of all, you should obtain written permission from management, preferably senior management, before starting such an activity. Consideration should also be given to what to do with the data once it has been collected. In addition to passwords, it may contain other sensitive data. As a general rule, network analysis logs should be purged from the system unless they are needed for criminal or civil proceedings. There are documented precedents where well-meaning system administrators have been fired for unauthorized interception of data.

Need to understand network topology

Before setting up the analyzer, you need to fully understand the physical and logical organization of the network. By conducting analysis in the wrong place in the network, you can get erroneous results or simply not find what you need. It is necessary to check that there are no routers between the analyzing workstation and the place of observation: routers forward traffic into a network segment only if it is addressed to a host located there. Similarly, on a switched network, you will need to configure the port you are connected to as a "monitor" or "mirror" port. Different manufacturers use different terminology, but in essence you want the port to act as a hub rather than a switch, because it needs to see all traffic going through the switch, not just the traffic directed to the workstation. Without this configuration, the monitor port will only see what is directed to the port it is connected to and the network's broadcast traffic.

Strict search criteria must be used

Depending on what you want to find, using an open filter (that is, showing everything) will make the output voluminous and difficult to analyze. It is better to use specific search criteria to shorten the output the analyzer produces. Even if you do not know exactly what to look for, you can still write a filter to limit the search results. If you want to find an internal machine, it is correct to set the criteria to look only for source addresses within the given network. If you want to monitor a specific type of traffic, say FTP traffic, you can limit the results to only what arrives on the port used by that application. By doing so, significantly better analysis results can be achieved.

Setting the network reference state

By using a network analyzer during normal operation and recording the results, a reference (baseline) state is obtained, which can be compared with the results obtained while trying to isolate a problem. The Ethereal analyzer, discussed below, creates several convenient reports for this. Some data will also be obtained for tracking network usage over time. Using this data, you can determine when the network becomes saturated and what the main reasons are: an overloaded server, an increase in the number of users, a change in the type of traffic, etc. If there is a starting point, it is easier to understand who is to blame and for what.

The CommView utility serves for the collection and analysis of local network and Internet traffic. The program captures and decodes, down to the lowest level, the data passing through the network, including the list of network connections and IP packets of more than 70 of the most common network protocols. CommView maintains IP statistics, and captured packets can be saved to a file for further analysis. Using the program's flexible filter system, you can discard packets that do not need to be captured or intercept only the necessary ones. The VoIP module included in the program allows deep analysis, recording and playback of voice messages of the SIP and H.323 standards. CommView allows you to see a detailed picture of the information traffic passing through a network card or a separate network segment.

Internet and LAN Scanner

As a network scanner, CommView is useful for system administrators, people working in the field of network security, programmers developing software using network connections. The utility supports the Russian language, has a friendly interface, includes a detailed and understandable help system for all the functions and features implemented in the program.

Key features of CommView

  • Interception of Internet or local traffic passing through a network adapter or dial-up controller
  • Detailed IP connection statistics (addresses, ports, sessions, hostname, processes, etc.)
  • Reconstruction of a TCP session
  • Setting up event alerts
  • Diagrams of IP protocols and upper-layer protocols
  • Viewing captured and decoded packets in real time
  • Searching the content of captured packets by strings or HEX data
  • Saving packets to archives
  • Loading and viewing previously saved packets when the connection is disconnected
  • Export and import of packet archives to (from) NI Observer or NAI Sniffer formats
  • Getting information about an IP address
  • Protocol support and decoding: ARP, BCAST, RTSP, SAP, SER, SIP, SMB, SMTP, SNA, SNMP, SNTP, BGP, BMP, CDP, DAYTIME, DDNS, DHCP, DIAG, DNS, EIGRP, FTP, G.723, GRE, H.225, H.261, H.263, H.323, HTTP, HTTPS, 802.1Q, 802.1X, ICMP, ICQ, IGMP, IGRP, IMAP, IPsec, IPv4, IPv6, IPX, HSRP, LDAP, MS SQL, NCP, NDS, NetBIOS, NFS, NLSP, NNTP, NTP, OSPF, POP3, PPP, PPPoE, RARP, RADIUS, RDP, RIP, RIPX, RMCP, RPC, RSVP, RTP, RTCP, SOCKS, SPX, SSH, TCP, TELNET, TFTP, TIME, TLS, UDP, VTP, WDOG, YMSG.

Recently, while discussing in a chat the question of how to pull a file out of Wireshark, the NetworkMiner utility popped up. After talking with colleagues and googling on the Internet, I concluded that not many people know about this utility. Since the utility greatly simplifies the life of a researcher / pentester, I am correcting this shortcoming and will tell the community what NetworkMiner is.

NetworkMiner is a utility for intercepting and analyzing network traffic between hosts on a local network, written for Windows (but it also works on Linux, Mac OS X and FreeBSD).

NetworkMiner can be used as a passive network packet sniffer; analysis of the captured packets reveals operating system fingerprints, sessions, hosts and open ports. NetworkMiner also allows you to analyze PCAP files offline and recover transferred files and security certificates.

Official page of the utility: http://www.netresec.com/?page=Networkminer

So, let's start the review.

The utility is available in two editions: Free and Professional (cost 700 USD).

The following options are available in the Free edition:

  • traffic interception;
  • parsing a PCAP file;
  • receiving a PCAP file over IP;
  • OS definition.

The Professional edition adds the following options:

  • parsing PcapNG file,
  • Port protocol definition,
  • Export data to CSV / Excel,
  • Checking DNS names on the site http://www.alexa.com/topsites ,
  • IP localization,
  • Command line support.

In this article, we will consider the option to parse a PCAP file received from Wireshark.

But first, let's install NetworkMiner on Kali Linux.

  1. By default, the Mono packages are already installed in Kali Linux, but if they are not, perform the following action:

sudo apt-get install libmono-winforms2.0-cil

  2. Next, download and install NetworkMiner:

wget sf.net/projects/networkminer/files/latest -O /tmp/nm.zip
sudo unzip /tmp/nm.zip -d /opt/
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/

  3. To start NetworkMiner, use the following command:

mono NetworkMiner.exe

For reference: five minutes of intercepting traffic in my test network collected more than 30,000 different packets.

As you understand, analyzing such traffic is quite laborious and time-consuming. Wireshark has built-in filters and is quite flexible, but what to do when you need to quickly analyze traffic without studying the whole variety of Wireshark?

Let's try to see what information NetworkMiner will provide us.

  1. Open the received PCAP in NetworkMiner. It took less than a minute to analyze a traffic dump of over 30,000 packets.

  2. The Hosts tab contains a list of all hosts involved in generating the traffic, with detailed information for each host:

  3. On the Frames tab, traffic is presented in the form of packets with information on each layer of the OSI model (Link, Network and Transport).

  4. The next tab, Credentials, shows the intercepted authorization attempts in plain text. This is how, in less than a minute, you can get a login and password for authorization out of a large traffic dump. I did this on the example of my router.

  5. Another tab that makes it easier to get data out of the traffic is Files.

In our example, I came across a PDF file that you can immediately open and view.

But I was most surprised when I found a txt file in the traffic dump which, as it turned out, came from my DIR-620 router. So this router, when you log in to it, transmits all its settings and passwords in plain text, including the WPA2 one.

As a result, the utility turned out to be quite interesting and useful.

I leave this article to you, dear reader, and I went off to buy a new router.

Each member of the ][ team has their own preferences regarding software and utilities for pentesting. After consulting, we found out that the choice varies so much that a real gentleman's set of proven programs can be made from it. So we decided to do just that. In order not to make a mixed hodgepodge, we divided the entire list into topics, and this time we will touch on utilities for sniffing and packet manipulation. Use them in good health.

Wireshark

netcat

If we talk about data interception, NetworkMiner takes off the air (or from a pre-prepared dump in PCAP format) files, certificates, images and other media, as well as passwords and other authorization information. A useful feature is the search for those data sections that contain keywords (for example, a user login).

Scapy

Website:
www.secdev.org/projects/scapy

A must-have for any hacker, this is the most powerful tool for interactive packet manipulation. Receive and decode packets of the most diverse protocols, respond to a request, inject a modified, hand-crafted packet: everything is easy! With it you can perform a whole range of classic tasks such as scanning, traceroute, attacks and discovery of network infrastructure. In one package we get a replacement for such popular utilities as hping, nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc. At the same time, Scapy allows you to perform any task, even the most specific one, that a tool already created by another developer will never be able to do. Instead of writing a whole mountain of lines in C in order, for example, to generate a malformed packet and fuzz some daemon, it is enough to throw together a couple of lines of code using Scapy! The program has no graphical interface, and interactivity is achieved through the Python interpreter. Get used to it a little, and it will cost you nothing to create malformed packets, inject the necessary 802.11 frames, combine different approaches in attacks (say, ARP cache poisoning and VLAN hopping), etc. The developers insist that Scapy's capabilities be used in other projects. By connecting it as a module, it is easy to create a utility for various kinds of local research, vulnerability search, Wi-Fi injection, automatic execution of specific tasks, etc.

packeth

Website:
Platform: *nix, there is a port for Windows

An interesting development that allows, on the one hand, any Ethernet packet to be generated and, on the other hand, sequences of packets to be sent for throughput checks. Unlike other similar tools, packeth has a GUI, allowing packets to be created in the simplest form. And there is more: the creation and sending of packet sequences has been worked out especially carefully. You can set delays between sends, send packets at maximum speed to test the throughput of a section of the network (yeah, this is where they will ddos) and, what is even more interesting, dynamically change parameters in the packets (for example, the IP or MAC address).