Showing posts with label Wireshark. Show all posts

Wednesday, July 4, 2012

Bittorrent: Detection Mechanisms

Bittorrent is a Peer to Peer (P2P) protocol used to share files and data over the internet. In this article we look at the different mechanisms that can be used to detect and block Bittorrent communication across a network.

The snapshot below shows the HTTP request a Bittorrent client uses to communicate with Bittorrent servers. In the request we can see parameters such as the client id and the port number.


We can observe that the Bittorrent client uses different User-Agent request headers such as BTWebClient and BitTorrent.



The UDP traffic uses source port 24615, the same port number the client announced to the Bittorrent server in the HTTP request.


So we can detect or block Bittorrent based on the HTTP request URI, the User-Agent header strings, or the UDP protocol communication.

Below are a few signatures which we can use to detect Bittorrent.

# Byte values belong inside pipes (|41 02|): content:"41 02" without pipes matches the five ASCII
# characters "41 02", which can never fit inside depth:2. The |13|BitTorrent|20|protocol string is
# the TCP peer-wire handshake, so that rule is matched on tcp, with nocase for the mixed-case literal.
alert udp any any -> any any ( msg:"Bit Torrent UDP"; content:"|41 02|"; offset:0; depth:2; content:"|38|"; offset:13; depth:1; content:"|08|"; offset:21; depth:1; sid:8888881; rev:1; )
alert tcp any any -> any any ( msg:"Bit Torrent Protocol"; content:"|13|bittorrent|20|protocol"; offset:0; nocase; sid:8888882; rev:1; )
alert udp any any -> any any ( msg:"Bit Torrent UDP Communication"; content:"d1|3a|ad2|3a|id20|3a|"; sid:8888883; rev:1; )

The signature below triggers an alert when the content is seen in the HTTP request URI:
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP Request"; content:"info_hash=";  pcre:"/announce\?info_hash=/Ui"; sid:8888884; rev: 1; )


The following User-Agent strings were observed as part of HTTP requests:
        User-Agent: BitTorrent/7610(27328)
        User-Agent: BTWebClient/7610(27328)
which can be detected using the following signatures:
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 1"; content:"User-Agent: BitTorrent";  sid:8888885; rev: 1; ) 
alert tcp any any -> any 80 ( msg: "Bit Torrent: HTTP User Agent 2"; content:"User-Agent: BTWebClient";  sid:8888886; rev: 1; ) 
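To see what these patterns actually match, here is an added Python example (not code from the original post, and not Snort itself) that re-implements just enough of Snort's content/offset/depth/nocase and pcre matching to run the six signatures above against constructed payloads: a UDP packet built so the bytes sit where the first rule looks, a peer-wire handshake, a bencoded DHT ping query and a tracker announce request. Every payload, hostname and id is constructed for the demo. It also shows why the first signature has to use |41 02| rather than the text "41 02".

```python
"""Run the page's BitTorrent signatures against constructed sample payloads.

Added example, not code from the original post or from Snort. It implements
only the content/offset/depth/nocase and pcre semantics needed to evaluate the
page's patterns in Python; every payload below is constructed for the demo.
"""
import re


def parse_content(spec):
    """Convert a Snort content string with |hex| sections into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text outside pipes
        else:
            out += bytes.fromhex(part)         # hex inside pipes, e.g. |41 02|
    return bytes(out)


def content_match(payload, spec, offset=0, depth=None, nocase=False):
    """Snort content semantics: the search starts at `offset` and covers `depth` bytes."""
    needle = parse_content(spec)
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        return needle.lower() in window.lower()
    return needle in window


# The page's six signatures: (msg, [(content, offset, depth, nocase)], pcre).
RULES = [
    ("Bit Torrent UDP",
     [("|41 02|", 0, 2, False), ("|38|", 13, 1, False), ("|08|", 21, 1, False)], None),
    ("Bit Torrent Protocol",
     [("|13|bittorrent|20|protocol", 0, None, True)], None),
    ("Bit Torrent UDP Communication",
     [("d1|3a|ad2|3a|id20|3a|", 0, None, False)], None),
    ("Bit Torrent: HTTP Request",
     [("info_hash=", 0, None, False)], rb"announce\?info_hash="),
    ("Bit Torrent: HTTP User Agent 1",
     [("User-Agent: BitTorrent", 0, None, False)], None),
    ("Bit Torrent: HTTP User Agent 2",
     [("User-Agent: BTWebClient", 0, None, False)], None),
]


def classify(payload):
    """Return the msg of every rule whose checks all match the payload."""
    hits = []
    for msg, contents, pcre in RULES:
        if all(content_match(payload, *c) for c in contents) and (
            pcre is None or re.search(pcre, payload, re.I)
        ):
            hits.append(msg)
    return hits


# Constructed payloads (not captures): bytes placed where the rules look for them.
UTP_SYN = bytes([0x41, 0x02]) + bytes(11) + bytes([0x38]) + bytes(7) + bytes([0x08]) + bytes(4)
HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + b"\x11" * 20 + b"-UT3430-" + b"\x22" * 12
DHT_PING = b"d1:ad2:id20:" + b"\x01" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
ANNOUNCE = (
    b"GET /announce?info_hash=%11%11%11&peer_id=-UT3430-&port=24615 HTTP/1.1\r\n"
    b"Host: tracker.example.invalid\r\n"
    b"User-Agent: BitTorrent/7610(27328)\r\n\r\n"
)
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def demo():
    """Classify each sample, and show why rule 1 needs |41 02| rather than "41 02"."""
    results = {name: classify(p) for name, p in
               [("utp", UTP_SYN), ("handshake", HANDSHAKE), ("dht", DHT_PING),
                ("announce", ANNOUNCE), ("benign", BENIGN)]}
    # "41 02" as plain text is five ASCII bytes and can never fit in a 2-byte window;
    # |41 02| is the two raw bytes the rule intends.
    results["ascii_41_02"] = content_match(UTP_SYN, "41 02", 0, 2)
    results["hex_41_02"] = content_match(UTP_SYN, "|41 02|", 0, 2)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The benign GET request matches nothing, which is the minimum check worth running before deploying any of these strings: a bare "info_hash=" or a User-Agent prefix is cheap to match but just as cheap for a client to change, so treat the hits as an indicator to correlate rather than proof on their own.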

Posts related to Snort IDS/IPS which might be of interest to you.
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html
http://darshanams.blogspot.in/2012/05/installing-snort-from-source-as-ips.html

To learn about Google Talk Jabber protocol communication:
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html

For Zebra/Bittorrent protocol communication
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html

P.S. The signatures given above are neither tested nor fine-tuned; they are just an idea of how to detect Bit Torrent communication.

Monday, November 29, 2010

Wireshark: Remote Packet Capture, bit of Security

Wireshark/Ethereal is one of the best open source tools we have. I don't think there are individuals working in the networking domain (especially in IDS/IPS, firewalls etc.) who don't know Wireshark/tcpdump. If there are, please, I wanna see you guys/gals ;-)

There are many features available in Wireshark; here we are going to focus on remote packet capture.

You need Wireshark version 1.4.2 with the new WinPcap that ships with it. Install this on both machines: the one where you are going to take the capture (client) and the one whose traffic we want to sniff (server). On the server we need to start the "Remote Packet Capture Protocol v.0 (experimental)" service, which will open TCP port 2002 on the server.


Once the service is started, run Wireshark on the client machine. Go to Capture->Options. Clicking Options pops up the window shown below.


In this window, the Interface field at the top left has a drop-down menu; from this menu select the "Remote" option, which pops up one more window asking for details: Host (enter the IP address) and Port (enter 2002 here).

Authentication:

To log on to the server and take a packet capture we need to authenticate to the server successfully.



Under Authentication, choose Password authentication; Null authentication is not supported and may throw the error below.


Once authentication is successful you can select one of the server's interfaces for sniffing, if there are multiple.



Security:

Well, this is one of the awesome features Wireshark has given to its users. But the downside is that the login credentials traverse the network in clear text. At least they could have provided basic encryption/encoding techniques to hide the password.


It also exposes all the interfaces of a multi-homed server, its IP addresses etc.


Hope this post and this feature will be helpful for you :-)

The following articles might be of interest:
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2011/09/portable-document-files.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Saturday, March 28, 2009

ZEBRA Protocol and BitTorrent !

I was just checking my mails. Got bored, started Wireshark!!!

To my surprise I saw packets with Zebra Protocol over TCP port 27756.


I didn't understand which application was using this protocol. I googled for it, and the results said that Zebra is a routing protocol; I was not convinced by the result.

I further analyzed the packet capture and used netstat, Task Manager etc., from which I came to know that BitTorrent was using the Zebra protocol. One more thing to add: BitTorrent also uses the "BitTorrent" protocol for communication over TCP.


Further analysis of the PCAP and googling gave information that Zebra is a streaming protocol for P2P communication.

To learn about Google Talk Jabber protocol communication with Wireshark captures, follow the link below:
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html

For Bittorrent detection signatures
http://darshanams.blogspot.in/2012/07/bittorrent-useragents-and-detection.html

Wednesday, November 19, 2008

Deciphering Google Talk's Jabber Communication

Google Talk communicates through the HTTPS (TCP port 443) and Jabber (TCP port 5222) protocols. Google Talk initially communicates through HTTPS and then switches to Jabber. When port 5222 is blocked by a firewall, Google Talk works on port 443 (HTTPS). If HTTPS (port 443) is blocked and port 5222 is allowed, Google Talk does not work.

When Google Talk communicates over TCP port 5222, Wireshark shows the payload only as an octal (OCT) byte pattern; for the HTTPS communication on port 443 it shows the decoded description and the hex pattern.

The payload below is seen in the "Client Hello" packet, which is sent after the three-way handshake on port 443 and after the three-way handshake on port 5222 if both ports are allowed. This is the mapping between the octal and hex patterns.

Oct/Jabber       Hex/HTTPS                         Description
---------------  --------------------------------  ------------------------------------------------------------
\200L            804c                              Length: 76
\001             01                                Handshake Message Type: Client Hello (1)
\003\001         0301                              Version: TLS 1.0 (0x0301)
\0003            0033                              Cipher Spec Length: 51
\000\000         0000                              Session ID Length: 0
\000\020         0010                              Challenge Length: 16
\000\000\004     000004                            Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
\000\000\005     000005                            Cipher Specs: TLS_RSA_WITH_RC4_128_SHA (0x000005)
\000\000\n       00000a                            Cipher Specs: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
\001\000\200     010080                            Cipher Specs: SSL2_RC4_128_WITH_MD5 (0x010080)
\a\000\300       0700c0                            Cipher Specs: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
\003\000\200     030080                            Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
\000\000\t       000009                            Cipher Specs: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
\006\000@        060040                            Cipher Specs: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
\000\000d        000064                            Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000064)
\000\000b        000062                            Cipher Specs: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
\000\000\003     000003                            Cipher Specs: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
\000\000\006     000006                            Cipher Specs: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
\002\000\200     020080                            Cipher Specs: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
\004\000\200     040080                            Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
\000\000\023     000013                            Cipher Specs: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
\000\000\022     000012                            Cipher Specs: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
\000\000c        000063                            Cipher Specs: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x000063)
                 e72b7909ff36880aa266262537c83988  Challenge (16 bytes)
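The Client Hello in the table above, decoded in Python. This is an added example, not code from the original post: the byte string is the table's Oct column typed as a Python bytes literal (Python understands the same \ooo octal escapes), followed by the challenge row, and the parser follows the SSLv2-format Client Hello layout that Wireshark decodes (2-byte length with the high bit set, message type, version, three length fields, cipher specs, session id, challenge). It also checks that the length fields add up to the 76 bytes in the first row, and splits the cipher kinds into TLS suite ids (first byte 0x00) and SSLv2-only kinds, which is the difference between the 0x0000xx and 0x0x00xx entries in the table.

```python
"""Decode the SSLv2-format Client Hello transcribed in the page's Oct/Hex table.

Added example, not code from the original post. CLIENT_HELLO is the table's
Oct column as a Python bytes literal plus the challenge bytes from the last row.
"""
import struct

CLIENT_HELLO = (
    b"\200L"            # record length 76, high bit set = 2-byte SSLv2 header
    b"\001"             # handshake message type: Client Hello (1)
    b"\003\001"         # version: TLS 1.0 (0x0301) inside a v2-compatible hello
    b"\0003"            # cipher spec length: 51 (17 kinds of 3 bytes)
    b"\000\000"         # session id length: 0
    b"\000\020"         # challenge length: 16
    b"\000\000\004" b"\000\000\005" b"\000\000\n" b"\001\000\200" b"\a\000\300"
    b"\003\000\200" b"\000\000\t" b"\006\000@" b"\000\000d" b"\000\000b"
    b"\000\000\003" b"\000\000\006" b"\002\000\200" b"\004\000\200"
    b"\000\000\023" b"\000\000\022" b"\000\000c"
    + bytes.fromhex("e72b7909ff36880aa266262537c83988")   # challenge row
)


def parse_ssl2_client_hello(record):
    """Return the fields of an SSLv2-format Client Hello as a dict.

    Layout (2-byte header variant): len(2, high bit set) | msg_type(1) |
    version(2) | cipher_spec_len(2) | session_id_len(2) | challenge_len(2) |
    cipher_specs | session_id | challenge. Raises ValueError on inconsistencies.
    """
    hdr = struct.unpack("!H", record[:2])[0]
    if not hdr & 0x8000:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = hdr & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    msg_type, version, cs_len, sid_len, chal_len = struct.unpack("!BHHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a Client Hello")
    if 9 + cs_len + sid_len + chal_len != length:
        raise ValueError("length fields do not add up to the record length")
    if cs_len % 3:
        raise ValueError("cipher spec length must be a multiple of 3")
    specs = body[9:9 + cs_len]
    kinds = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    sid_start = 9 + cs_len
    chal_start = sid_start + sid_len
    return {
        "length": length,
        "version": version,
        # SSLv2 encodes a TLS suite as 0x00 + the 2-byte TLS id; a non-zero first
        # byte marks an SSLv2-only cipher kind such as SSL2_RC4_128_WITH_MD5.
        "tls_suites": [k[1:].hex() for k in kinds if k[0] == 0],
        "ssl2_kinds": [k.hex() for k in kinds if k[0] != 0],
        "session_id": body[sid_start:chal_start].hex(),
        "challenge": body[chal_start:chal_start + chal_len].hex(),
    }


if __name__ == "__main__":
    for field, value in parse_ssl2_client_hello(CLIENT_HELLO).items():
        print(f"{field}: {value}")
```

Because the same bytes are sent on both ports, the parser gives the same result whether the capture came from the undecoded port 5222 stream or the decoded port 443 one; only Wireshark's presentation differs.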

Google Talk communication through Gmail uses the header "User-Agent: Google Talk\r\n", which can be seen in an Ethereal/Wireshark capture.


For Bittorrent detection signatures
http://darshanams.blogspot.in/2012/07/bittorrent-useragents-and-detection.html 

For Zebra protocol
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html