Hakin9 OnDemand Explores Wireshark Again





Editor’s Note

09/2012 (09)

Dear Hakin9 Readers,

We would like to welcome you all to the new Hakin9 on Demand. This month, we will take another shot at the renowned protocol analyzer, Wireshark. For starters, Nitish Mehta will walk you through the tool itself. More advanced users will find RIFEC's Massimiliano Sembiante focusing on analysis of storage area networks, David Dodd explaining deep packet inspection, and Luciano Ferrari guiding you through listening to VoIP conversations. Also, due to the rapidly growing popularity of smartphones, we asked Jukka Alanen, Arxan Technologies' vice president, to analyze the increasingly frequent attacks on mobile applications. If you are interested in cybersecurity, you will find something for yourselves as well: Terrance Stachowski, CISSP, will provide you with details on data mining, and William F. Slater discusses cyberwarfare and cyberdeterrence strategies implemented by the U.S. National Command Authorities. We hope that you will enjoy the magazine and that it will help you jump into the deep waters of hacking. Have a nice read.

Ewa Duranc, Paweł Płocki, Jakub Walczak & the Hakin9 Team

Hakin9's editorial team would like to give special thanks to the authors, betatesters, proofreaders and our editor in chief, Ewa Dudzic.

team
Editor in Chief: Ewa Dudzic ewa.dudzic@hakin9.org
Managing Editor: Ewa Duranc ewa.duranc@hakin9.org, Paweł Plocki pawel.plocki@hakin9.org, Jakub Walczak jakub.walczak@hakin9.org
Editorial Advisory Board: Arsen Darakdjian, Scott Paddock, Matthew Holley, Derek Thomas, Kishore P.V.
Proofreaders: Ewa Duranc, Jakub Walczak, Arsen Darakdjian, Scott Paddock
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@hakin9.org
Production Director: Andrzej Kuca andrzej.kuca@hakin9.org
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@hakin9.org
DTP: Ireneusz Pogroszewski
Marketing Director: Pawel Plocki pawel.plocki@software.com.pl
Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

Conquer the Four Horsemen with Hakin9

As you all are aware, the Apocalypse is approaching. Want to hack the end of the world? You will need a lot of help... Don't let the Four Horsemen get you: subscribe to Hakin9 and get PenTest and eForensic memberships FOR FREE! If you want to see season two of "The World", join us! The offer is valid until 21st December.

All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.



CONTENTS

Open Letter from the Hakin9 Team
By Hakin9 Team (p. 06)
2012 is nearly over. As usual, we have prepared something extraordinary for you. Some of you are new to our magazine and some have been with us for months, even years. The end of the world approaches rapidly, so we decided that in exchange for your immeasurable support, you deserve to know the best kept secret of the globe: how Hakin9 works. Let us tell you our story, which should give you an insight into what we have been through this year.

LOOKING INTO THE OCEAN (FUNDAMENTALS)

Wireshark Overview
By Nitish Mehta (p. 08)
Wireshark is a very popular tool mainly used to analyze network protocols. It has many other features as well, but if you are new to the program and you seek somebody to cover the basics, here is a brief tutorial on how to get started.

Spyware: Your Business Cannot Afford It
By Louis Corra (p. 12)
Certainly, your business is important to you, your employees, your stockholders and your customers. Your computer systems, servers, and network storage devices contain tons of vital information such as inventory, tax records, payroll and, most importantly, your customers' credit card information.

"You Are Here": A Guide to Network Scanning
By Court Graham (p. 14)
Historically the term network scanning has been defined as a process which primarily takes place shortly after the information gathering phase of a hacking attempt or penetration test. In actuality, you never know when you will have to perform scanning activities.

EXPLORING DEEP WATERS (WIRESHARK ADVANCED)

Network Analysis on a Storage Area Network Using Wireshark
By Massimiliano Sembiante (p. 18)
Wireshark can be used during a proactive analysis to identify potential network bottlenecks, to monitor "live" what is happening to the data flow, and to decode packets in transit, displaying the information in readable form. The tool can be installed on any computer connected to the network and equipped with a NIC. Using specific APIs or libraries, such as WinPcap under Windows or libpcap on Unix, it captures data and allows you to analyze packets travelling over the wire.

Deep Packet Inspection with Wireshark
By David J. Dodd (p. 22)
This article attempts to provide some detail on how to search through packet dump (pcap) files using Wireshark. I'll give some useful information on using Wireshark and tshark to do deep packet analysis. Intrusion detection systems such as Snort use the libpcap C/C++ library for network traffic capture.

Listening to a Voice over IP (VoIP) Conversation Using Wireshark
By Luciano Ferrari (p. 26)
Wireshark is a very powerful tool, but did you know you can extract the RTP stream from your VoIP packets, listen to it, and even save an audio file of the conversation? In this article, you'll find an overview and introduction to using Wireshark to analyze VoIP packets and also a step-by-step tutorial on how to extract and listen to a captured audio file.

NO STRINGS ATTACHED (MOBILE AND WIRELESS SECURITY)

State of Security in the App Economy: Mobile Apps under Attack
By Jukka Alanen, vice president, Arxan Technologies (p. 30)
The proliferation of mobile devices has created an app-centric global marketplace, ushering in the App Economy that is driving innovation, new business models, and revenue streams across all industries. The app industry is growing at a staggering rate, with revenues approaching $60 billion worldwide.

WEAR A LIFE JACKET (CYBERSECURITY)

Integration of Cyberwarfare and Cyberdeterrence Strategies into the U.S. CONOPS Plan to Maximize Responsible Control and Effectiveness by the U.S. National Command Authorities
By William F. Slater, III (p. 38)
This paper deals with issues related to the present lack of a clearly defined national policy on the use of cyberweapons and cyberdeterrence, as well as the urgent present need to include strategies and tactics for cyberwarfare and cyberdeterrence in the national CONOPS Plan, which is the national strategic war plan for the United States.

Social Engineering: The Art of Data Mining
By Terrance J. Stachowski, CISSP, L|PT (p. 50)
This article explores the art of data mining, a technique used to build a dossier and profile of a targeted individual, network, or organization.


Hakin9 in 2012. Accomplishments and statistics

Dear Hakin9 Readers,

2012 is nearly over. As usual, we have prepared something extraordinary for you. Some of you are new to our magazine and some have been with us for months, even years. The end of the world approaches rapidly, so we decided that, in exchange for your immeasurable support, you deserve to know the best kept secret of the globe: how Hakin9 works. Let us tell you our story, which should give you an insight into what we have been through this year. As the first order of business, we shall discuss the statistics. This should help you visualize our work at the magazine and understand the process we have to go through in order to meet your expectations.

Run, Forrest, run!

This year we have published a total of 49 Hakin9 issues, 3442 pages in all.

Although most of you are familiar with mathematics, we suppose you may not imagine the extent of what we are dealing with here, so let us portray it for you. 3442 pages equals 204.73 m² of paper, which means that our articles could cover the floors of a large house. Can you imagine tripping over your child's toys and accidentally discovering the way to hack your BIOS password? Or fainting and waking up to learn how to solve the "attribution problem"? In such a situation, the popular proverb "you learn something new every day" takes on a completely new meaning. Let us weigh in with another measure. All the issues we published in 2012, put on a scale, would show 137.12 pounds (51.18 kilos), which is how heavy (or light) your average girlfriend would be. Have you ever thought about what would be the best thing in the world? We believe that a partner made of your passion would have a significant chance of winning such a contest. We are sorry, but we have to shatter your dreams: Hakin9 nowadays is released only digitally. Unfortunately, you will have to find a real girlfriend :-). Nevertheless, we consider that fact our advantage. Even though you will not be able to wear Hakin9 on your soles, you can put your finger on it, on your smartphone or Kindle. This way you can kill time in long lines, during a layover at the airport, or in the mall while your wife is shopping for new shoes, learning many useful things at the same time. Moreover, the path we chose helps the environment. Throughout the year our subscriber base grew tenfold, from slightly over 200 to 2000 readers. If all these pages were published in print, we would have to use almost 500 trees, which equals over 27,600 ft². Thanks to you, we have saved an impressive park! Although we also miss the paper version of Hakin9, we have to thank you greatly for your interest in our digital magazines. You have helped to make the world a better place. We have to cherish it, for it is the only one we have at the moment. You deserve a loud round of applause for not being discouraged. The forests are a bit safer now thanks to you.

Power in numbers

As you are well aware, we are the number 1 IT security publication in the world. But to achieve such a status, it takes much more than this dignified single digit. This year, in order to give you the materials you had a chance to read, we were working over 250 days, which equals more than 2000 hours for each employee. These few pages you go through in a couple of hours each month have cost our experts almost 1000 weeks to prepare. Our beta testers and proofreaders have spent a similar amount of time making sure that you will enjoy your reading. Finally, our graphic designer devoted 3000 hours to designing the layout to appeal to your eyes. As you can see, a great amount of our lives was sacrificed to satisfying your needs. During our fight for your right to hack better, we have also suffered losses. As you may guess, our main weapon is the computer. Just like in every war, the equipment is exploited heavily and put through extreme situations. You may be sure that we have pushed our PCs to their absolute limits. We have overheated our processors, filled the hard drives, overused our internet connections, etc. Most of our inventory has survived, although we cannot deny there were casualties: 10 computer mice have passed away during the harsh battles for knowledge. Let them rest in peace. Finally, our battle cry, "HACKING", has been used over 5 million times. Some of us (including one of the authors of this article) suffered severe throat damage as a result.

Where would we be...

...if it wasn't for you? Probably we would grow beards and stand in long queues for our welfare checks. Or maybe sit in psychiatrists' offices whining about how useless we are. As long as we have our precious readers, we have a purpose. We owe you a huge THANK YOU. Everything we do, we do with you in mind. We are grateful for every comment and opinion, either positive or negative. We have analyzed every sign of your discontent, and every time we were even more motivated to increase the quality of our product. Every word from you lets us improve Hakin9 and brings us closer to the ideal shape of our magazine, or shall we say, your magazine. Thank you, Hakin9 fans, for your invaluable support and contribution. We owe you one.

Hakin9 Team


digest

Listening to a Voice over IP (VoIP) Conversation Using Wireshark

Wireshark is a very powerful tool, but did you know you can extract the RTP stream from your VoIP packets, listen to it, and even save an audio file of the conversation? In this article, you'll find an overview and introduction to using Wireshark to analyze VoIP packets and also a step-by-step tutorial on how to extract and listen to the captured audio.

In order to benefit most from the article, you should possess a basic understanding of networks, Voice over IP, and the protocol analyzer (Wireshark).

Figure 1. DTMF Frequencies

Understanding VoIP Traffic Flows

VoIP traffic can be divided into two main parts: signaling and media transport. Signaling protocols such as SIP and H.323 are used to establish presence, locate the user, and set up, modify, and tear down sessions. Session Initiation Protocol (SIP) can run over UDP or TCP on port 5060 (or over TLS on port 5061), but it is most commonly seen over UDP. Media transport protocols carry the audio/video packets, for example RTP and RTCP. Wireshark can play back a Realtime Transport Protocol (RTP) stream, but it cannot decrypt and play back secure VoIP traffic (SRTP); signaling carried over TLS is likewise unreadable unless you can supply the TLS keys. Another protocol that is also commonly used is the Realtime Transport Control Protocol (RTCP), which provides out-of-band statistics and control information for RTP flows. RTP runs on an even port number and RTCP runs on the next higher odd port number, so if RTP is running on port 10018, RTCP will run on port 10019.

Dual-Tone Multi-Frequency (DTMF) tones are generated when you press a button on a phone while dialing a number. Sometimes those tones are sent through the voice channel itself, which is referred to as in-band signaling, and during your analysis with Wireshark you will occasionally come across DTMF that way. More often, you will see separate control packets for DTMF, which is called out-of-band signaling (RTP telephone-event packets or SIP INFO messages). Wireshark is able to interpret out-of-band DTMF traffic as well (Figure 1).

When you are going to analyze VoIP traffic, place your sniffer as close as possible to the VoIP phone, so that the round-trip times and packet loss you measure are the ones the phone actually experiences; Figure 2 describes this situation. If you are using a softphone application on your PC (Skype, Avaya Softphone, etc.), you can capture the traffic directly on that computer if Wireshark is installed there (Figure 2). Keep in mind that a capture only sees what reaches that host's NIC: on a switched network you will need a mirror (SPAN) port or a tap to see a hardware phone's traffic.

Sometimes Wireshark will not see the signaling protocol, for example because the capture started after the call was already set up or because the signaling took a different path. In that case it cannot learn which UDP ports carry the media, so it simply marks the conversation as UDP in the Protocol column of the Packet List pane. To fix that, select "Try to decode RTP outside of conversations" in the RTP preferences (Edit → Preferences → Protocols → RTP). If you are sure the traffic is RTP, you can also right-click a packet and select "Decode As...", choose the UDP port option for "both", and pick RTP from the protocol list.

Figure 2. Place your sniffer as close as possible to the IP phone

Examining SIP Traffic

Figure 3. Open Capture File

After you have captured your VoIP traffic, open it in Wireshark: start Wireshark and click File → Open to bring up the "Open Capture File" dialog box, select the file you captured and click "Open", as shown in Figure 3. We are using an example of SIP and RTP traffic below. In your capture, examine the frame that contains the SIP/SDP request; in the example below this is Frame 1. Once Wireshark loads the capture file, select the proper frame by clicking on it in the Packet List pane. Next, expand the Session Initiation Protocol section in the Packet Details pane. This reveals the three sections of the SIP packet: the Request-Line, the Message Header, and the Message Body (Figure 4).

Figure 3. Open Capture File

Figure 4. Session Initiation Protocol section

Request-Line: Note that the request line in this frame is "INVITE sip:francisco@bestel.com:55060". This indicates that the caller is inviting the user identified by the URI "francisco@bestel.com" to a call. Note that the IP address 200.57.7.204 is not the IP address of the call recipient but that of the registration server: SIP signaling normally passes through proxy and registrar servers rather than flowing directly between the two endpoints, so the addresses seen in the signaling need not be the addresses that will carry the media.

Message Header: Expanding the message header reveals additional details about the caller, including the "From" uniform resource identifier (URI), the User-Agent, a Contact URI (matching the From URI in this case), the date, the allowed methods, and other information.

Message Body: Expanding the Message Body and the Session Description Protocol (SDP) section beneath it reveals the configuration of the call being negotiated, including the supported codecs (the "m=" line and "a=rtpmap" attributes) and the address and UDP port on which each side expects to receive RTP (the "c=" and "m=" lines). These are the values that tell Wireshark, and you, where the media will appear.
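The two sections above explain, first, that Wireshark needs the signaling to learn which UDP ports carry RTP (with RTCP on the next odd port) and, second, what the SIP INVITE and its SDP body contain. The Python script below is an added example, not code from the article or from Wireshark: it parses a SIP INVITE, pulls the connection address, media port and codec list out of the SDP offer, honours an "a=rtcp" attribute where the offer overrides the port+1 rule, flags the telephone-event payload type that carries out-of-band DTMF, and builds the tshark "Decode As" argument (-d udp.port==N,rtp) you would use when a capture is missing its signaling. The INVITE it parses is constructed here for illustration: only the Request-URI matches the one in Figure 4; the 192.0.2.10 address, port 40376, the Call-ID and every other header value are assumptions.

```python
"""Extract the RTP media parameters from a SIP INVITE's SDP body (added example)."""

# RFC 3551 static payload types, used when the SDP omits an a=rtpmap line for them.
STATIC_PAYLOAD_TYPES = {0: "PCMU/8000", 8: "PCMA/8000", 9: "G722/8000", 18: "G729/8000"}


def parse_sip(raw: bytes) -> dict:
    """Split a SIP message into request line, headers and body (RFC 3261 framing)."""
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}


def parse_sdp(body: str) -> dict:
    """Return media address, RTP port, optional RTCP port and payload-type -> codec map."""
    media = {"address": None, "port": None, "codecs": {}}
    for line in body.splitlines():
        if line.startswith("c="):                      # c=IN IP4 192.0.2.10 (media-level c= wins)
            media["address"] = line.split()[-1]
        elif line.startswith("m=audio "):              # m=audio 40376 RTP/AVP 8 0 101
            fields = line.split()
            media["port"] = int(fields[1])
            for pt in fields[3:]:
                media["codecs"].setdefault(int(pt), STATIC_PAYLOAD_TYPES.get(int(pt), "dynamic"))
        elif line.startswith("a=rtpmap:"):             # a=rtpmap:101 telephone-event/8000
            pt, _, name = line[len("a=rtpmap:"):].partition(" ")
            media["codecs"][int(pt)] = name
        elif line.startswith("a=rtcp:"):               # RFC 3605: explicit RTCP port
            media["rtcp_port"] = int(line[len("a=rtcp:"):].split()[0])
    return media


def rtp_decode_hints(media: dict) -> dict:
    """Derive the RTP/RTCP ports and the tshark 'Decode As' argument for this stream."""
    rtp_port = media["port"]
    return {
        "rtp_port": rtp_port,
        # RFC 3550 default: RTCP on the next higher (odd) port unless a=rtcp says otherwise
        "rtcp_port": media.get("rtcp_port") or rtp_port + 1,
        "tshark_decode_as": f"-d udp.port=={rtp_port},rtp",
        "dtmf_event_pts": sorted(pt for pt, name in media["codecs"].items()
                                 if name.startswith("telephone-event")),
    }


def analyze_invite(raw: bytes) -> dict:
    """Check that the message is an INVITE carrying SDP and return what the analyst needs."""
    msg = parse_sip(raw)
    if not msg["request_line"].startswith("INVITE ") or \
            msg["headers"].get("content-type") != "application/sdp":
        raise ValueError("not a SIP INVITE carrying SDP")
    media = parse_sdp(msg["body"])
    return {"request_line": msg["request_line"], "from": msg["headers"].get("from"),
            "media": media, "hints": rtp_decode_hints(media)}


def build_sample_invite() -> bytes:
    """Constructed SIP INVITE with an SDP offer; not taken from a real capture."""
    sdp = "\r\n".join([
        "v=0",
        "o=caller 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=constructed test call",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        "m=audio 40376 RTP/AVP 8 0 101",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:101 telephone-event/8000",
        "a=fmtp:101 0-16",
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:francisco@bestel.com:55060 SIP/2.0",   # Request-URI as shown in Figure 4
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        'From: "Caller" <sip:caller@bestel.com>;tag=1928301774',
        "To: <sip:francisco@bestel.com>",
        "Call-ID: constructed-call-id@192.0.2.10",
        "CSeq: 1 INVITE",
        "Contact: <sip:caller@192.0.2.10:5060>",
        "User-Agent: ConstructedSoftphone/1.0",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return (head + "\r\n\r\n" + sdp).encode()


SAMPLE_INVITE = build_sample_invite()

if __name__ == "__main__":
    result = analyze_invite(SAMPLE_INVITE)
    print(result["request_line"])
    print("RTP to", result["media"]["address"], "port", result["hints"]["rtp_port"],
          "RTCP port", result["hints"]["rtcp_port"])
    print("codecs:", result["media"]["codecs"])
    print("out-of-band DTMF payload types:", result["hints"]["dtmf_event_pts"])
    print("tshark", result["hints"]["tshark_decode_as"], "-r call.pcap")
```

Run it on the real thing by pasting the INVITE from Frame 1 (File → Export Packet Bytes in Wireshark) in place of the constructed message; the media port it prints is the one to feed to "Decode As..." when the RTP shows up as plain UDP.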

Figure 5. Message Header

Figure 6. VoIP Calls option under Telephony menu



There are many other details that can be obtained while analyzing the packet, although, we will not cover them in this article. Let's move on to the interesting part.

Listening to a VoIP Conversation

In order to listen to a VoIP conversation using Wireshark, follow the steps below.

• Using the same capture file you have opened, select Telephony → VoIP Calls from the menu (Figure 6).
• Click Select All → Player → Decode (Figure 7).
• Select the check box of the audio stream you want to listen to (you can select both directions, as in this case) and click "Play". You will be able to listen to the conversation.
• Going further, you can save the RTP traffic to an audio file. Click Telephony → RTP → Show All (Figure 8).
• Select the stream you want to save and click Analyze (Figure 9).
• Click Save Payload and select the .au format. Choose the directory, select Forward for the channel selection, and enter the filename (don't forget to include the ".au" extension). Click OK and you are done. You can listen to the file with any audio player of your preference. Note that Wireshark's .au export only covers G.711 (µ-law/A-law) streams; for other codecs save the raw payload and decode it with an external tool.

Remember never to try this on a system you are not authorized to capture on, and check the privacy and wiretapping requirements that apply to you, as they vary between jurisdictions.
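The steps above use the GUI to reassemble one direction of the RTP stream and write it out as a Sun .au file. The Python below is an added example, not code from the article or from Wireshark, that does the same job on raw UDP payloads so you can see what the tool is doing: it parses RTP headers (including CSRC lists, header extensions and padding), keeps only the chosen SSRC, re-orders packets by sequence number across a 16-bit wrap, fills lost packets with G.711 silence so the timeline of the recording stays intact, skips telephone-event (DTMF) packets that share the stream, and emits the 24-byte .au header (8-bit µ-law or A-law, 8000 Hz, mono) followed by the payload. The packets it consumes are constructed inline; the SSRC values, sequence numbers and payload bytes are arbitrary and not taken from a capture. Feeding it real data means reading the UDP payloads out of a pcap with a library such as scapy or dpkt, which is not shown here.

```python
"""Reassemble a G.711 RTP stream and write it as a Sun .au file (added example)."""
import struct
from functools import cmp_to_key

SAMPLE_RATE = 8000
# Sun .au encoding codes (what Wireshark's "Save Payload" writes for G.711)
AU_ULAW_8BIT, AU_ALAW_8BIT = 1, 27
# RFC 3551 static payload types -> (.au encoding, G.711 silence sample value)
G711 = {0: (AU_ULAW_8BIT, 0xFF), 8: (AU_ALAW_8BIT, 0xD5)}


def parse_rtp(datagram: bytes) -> dict:
    """Parse an RFC 3550 RTP header, honouring the CSRC list, header extension and padding."""
    if len(datagram) < 12:
        raise ValueError("datagram too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count
    if extension:
        # profile-specific id (16 bits) followed by the extension length in 32-bit words
        _profile, ext_words = struct.unpack("!HH", datagram[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(datagram) - (datagram[-1] if padding else 0)  # last byte = padding length
    if offset > end:
        raise ValueError("malformed RTP header lengths")
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": datagram[offset:end]}


def _seq_cmp(a: int, b: int) -> int:
    """Serial-number comparison (RFC 1982 style) so that 65535 sorts before 0 after a wrap."""
    if a == b:
        return 0
    return -1 if ((b - a) & 0xFFFF) < 0x8000 else 1


def rtp_stream_to_au(datagrams, ssrc=None):
    """Return (au_file_bytes, stats) for one SSRC's stream, in sequence order.

    Lost packets are replaced by silence of the same length as the previous packet;
    non-G.711 packets (e.g. RFC 4733 telephone-event DTMF) are counted but not written.
    """
    pkts = [parse_rtp(d) for d in datagrams]
    if ssrc is None:
        ssrc = pkts[0]["ssrc"]                       # default to the first stream seen
    pkts = [p for p in pkts if p["ssrc"] == ssrc]
    pkts.sort(key=cmp_to_key(lambda x, y: _seq_cmp(x["seq"], y["seq"])))
    stats = {"ssrc": ssrc, "packets": len(pkts), "audio": 0, "events": 0, "lost": 0}
    audio, encoding, silence, prev_seq, prev_len = bytearray(), None, None, None, 0
    for p in pkts:
        if prev_seq is not None:
            gap = ((p["seq"] - prev_seq) & 0xFFFF) - 1
            if gap > 0:
                stats["lost"] += gap
                if encoding is not None:
                    audio += bytes([silence]) * (gap * prev_len)
        prev_seq = p["seq"]
        if p["pt"] in G711:
            enc, sil = G711[p["pt"]]
            if encoding is None:
                encoding, silence = enc, sil
            elif enc != encoding:
                raise ValueError("codec changed mid-stream; save as raw instead")
            audio += p["payload"]
            prev_len = len(p["payload"])
            stats["audio"] += 1
        else:
            stats["events"] += 1
    if encoding is None:
        raise ValueError("no G.711 audio in this stream; .au export only covers PCMU/PCMA")
    # 24-byte Sun .au header: magic, data offset, data size, encoding, sample rate, channels
    header = struct.pack("!4sIIIII", b".snd", 24, len(audio), encoding, SAMPLE_RATE, 1)
    return header + bytes(audio), stats


def build_rtp(seq, ts, ssrc, pt, payload, marker=False) -> bytes:
    """Build a minimal RTP v2 datagram (no CSRCs, no extension, no padding)."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


def constructed_capture() -> list:
    """Constructed UDP payloads standing in for a captured call; not a real capture."""
    ssrc_a, ssrc_b = 0xDEADBEEF, 0x01020304

    def frame(n):                                    # 20 ms of PCMU at 8 kHz = 160 samples
        return bytes([n & 0xFF]) * 160

    return [
        build_rtp(101, 160, ssrc_a, 0, frame(101)),
        build_rtp(100, 0, ssrc_a, 0, frame(100)),                           # arrived out of order
        build_rtp(104, 640, ssrc_a, 101, b"\x01\x8a\x00\xa0", marker=True),  # DTMF '1', end bit set
        build_rtp(103, 480, ssrc_a, 0, frame(103)),                         # seq 102 never captured
        build_rtp(7, 0, ssrc_b, 0, frame(7)),                               # the other direction
    ]


if __name__ == "__main__":
    au, stats = rtp_stream_to_au(constructed_capture())
    with open("forward.au", "wb") as f:
        f.write(au)
    print(stats)
```

The silence fill is what keeps a recording with packet loss the same length as the call; without it the audio simply skips, which is exactly the symptom the Analyze dialog's loss counters help you explain.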

Summary

Figure 7. Decoding and Playing RTP traffic

Wireshark is a very powerful tool for troubleshooting complex network issues and is indispensable for IT security professionals. The amount of information it can provide is amazing. On the other hand, you can imagine what it can do in the hands of a person with bad intentions: anyone who can capture unencrypted RTP on the same segment can replay a call just as easily as you did above, which is the argument for SRTP and for protecting the signaling path. Troubleshooting VoIP issues is difficult, but Wireshark can make it much easier for you to analyze and understand the real cause of the problem. Use it wisely!

Figure 8. RTP Stream to Analyze

Luciano Ferrari

Figure 9. RTP Streams – Forward Direction


Luciano Ferrari has more than 15 years of experience in IT. He is a Brazilian living in the US and has bachelor’s degree in Microelectronics, post-graduate education in Computer Networks and an Executive Master of Business Administration (MBA). He specializes in Green IT, Computer Networks, IT Security, Risk Management, Cryptography, Project Management, and IT Management. Contact: lferrari@lufsec.com Blog: www.lufsec.com twitter: @lucianoferrari



RESEARCH INSTITUTE OF FORENSIC AND E-CRIME

Protection through Research RIFEC OFFER A FREE RISK ANALYSIS SERVICE CONTACT US FOR FURTHER INFORMATION

The growth of the internet and the massive use of new technologies has been the biggest social change of this lifetime. Increasing dependence on these technologies has brought new risks. RIFEC takes these risks seriously. In our laboratories we conduct research to tackle these threats and develop our response. Our objective is to set strategies to reduce vulnerabilities and secure the benefits of a trusted digital environment for businesses and individuals.

Web: www.rifec.com
Twitter: www.twitter.com/rifec
Linkedin: www.linkedin.com/company/rifec
Email: info@rifec.com



