<?xml version="1.0"?>
<Module projectID="1190" moduleID="1280">
	<ModuleName>mod6</ModuleName>
	<AU>mod6</AU>
	<Title>Course Conclusion</Title>
	<Subtitle/>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod6/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Summary and Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary</Title>
					<Subtitle/>
					<Filename>idsal6_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In this Course Conclusion we will review what you have learned. The Sniffers lesson presented an overview of sniffers, packet capture and display filters, and how strings can be used for packet analysis. The Wireshark and the Analysis Process lesson discussed how Wireshark works as a sniffer, the three primary display panes, and some of Wireshark's sniffing options. The lesson also covered basic packet capture filters, basic and advanced display filters, and analysis techniques to look for malicious traffic in packet captures. The Client-Side Attacks lesson presented information on client-side attacks, why they are increasing in number and severity, the different types of attack surfaces, and how client-side attacks turn firewalls inside out. The lesson also discussed attack vectors, how attackers evade detection, and the role of social engineering in propagating malicious code. And finally, the Bots and Botnets lesson discussed bot and botnet capabilities, infection vectors, botnet architecture and the relationship between infection vectors and the client-side attack surface. Select each lesson to review a summary of key points. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Summary</Title>
							<Subtitle/>
							<Filename>idsal6_01_01</Filename>
							<PageNbr>1</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> [no audio] </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Sniffers</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 4.  Popup title: Sniffers. 8 key points are displayed as follows: One, Network sniffers are tools that capture network traffic. Two, two basic types of sniffers are command line and graphical user interface. Three, examples of command line sniffers are T C P dump, win dump, snort, and T shark. Four, Wireshark is a graphical sniffer and protocol analyzer. Five, sniffers use a packet capture, or P cap, library for reading and writing data. There are two primary P cap libraries: lib P cap and win P cap. Six, lib P cap and win P cap implement Berkeley Packet Filters, or B P Fs, to focus packet captures based on layer two through four header fields. B P Fs are built from primitives which are shortcuts for specifying contents of header fields. Primitives can be combined using logical operators to add another layer of filtering. Seven, command line options can be used to narrow down and focus sniffing output. Eight, Strings is an analysis tool that searches binary p cap files looking for A S C I I printable characters. Rollover 1 of 15. Rollover title: Network Sniffers. A network sniffer is a tool that listens to or sniffs the traffic traveling between networked devices. It is also called a packet analyzer or protocol analyzer. Rollover 2 of 15. Rollover title: Command Line Sniffer. Advantages are that it is available as open source, has fewer vulnerabilities, operates fairly quickly to capture packets, and quickly writes data to a file for later analysis. Disadvantages are that it shows only some header fields and requires knowledge of how to read packet data. Rollover 3 of 15. Rollover title: Graphical User Interface Sniffer. Advantages are that it is available as open source, is capable of complex analysis of protocols, identifies header fields for intrusion detection, and analyzes data payload. The disadvantage is that it is more susceptible to coding errors. Rollover 4 of 15. 
Rollover title: T C P Dump. T C P dump is an open source command line packet analyzer for Linux and some UNIX systems. It reads and writes network packet data and provides limited protocol dissection. Rollover 5 of 15. Rollover title: Win Dump. Win Dump is an open source command line packet analyzer for Windows environments. It is the Windows version of T C P Dump. Rollover 6 of 15. Rollover title: T Shark. T Shark is the command line version of Wireshark. It uses the packet capture filtering mechanism of T C P Dump and has some of the analysis capabilities of Wireshark. Rollover 7 of 15. Rollover title: Snort. A free, open source network intrusion detection and prevention system. Rollover 8 of 15. Rollover title: WireShark. Wireshark is a free complex protocol analyzer that uses a graphical user interface, or gooey, to display analysis results. It can identify header fields for intrusion detection and analyze data payload. It was formerly known as Ethereal. Rollover 9 of 15. Rollover title: Packet Capture, or P C A P, Library. P cap provides the framework for sniffing packets and presents each raw packet in its original, unmodified form in a standard binary file format. Rollover 10 of 15. Rollover title: Lib P Cap.  Lib P Cap is a portable C and C plus plus packet capture, or P Cap, library that provides the framework for reading and writing data in a standard format for T C P dump. It is used with UNIX like platforms. Lib P Cap is maintained by the T C P Dump Group. For more information, access w w w dot t c p dump dot org. Rollover 11 of 15. Rollover title: Win P Cap. Win P cap provides the framework for reading and writing data in a standard format for Win Dump. It is based on the lib p cap model and Berkeley Packet Filters, or B P Fs, for UNIX and runs on Win thirty two and Win sixty four platforms. Win P cap is maintained by the Win P cap Group. For more information, access w w w dot win p cap dot org. Rollover 12 of 15. Rollover title: Primitives. 
Berkeley Packet Filters are built from primitives which are shortcuts for specifying contents of header fields. Seven examples of primitives display as follows. One, host 1 9 2 dot 1 6 8 dot 1 dot 2 looks for packets with source or destination I P address 1 9 2 dot 1 6 8 dot 1 dot 2. Two, S R C host 1 9 2 dot 1 6 8 dot 1 dot 3 captures all packets coming from address 1 9 2 dot 1 6 8 dot 1 dot 3. Three, D S T host 1 9 2 dot 1 6 8 dot 1 dot 4 captures all packets going to address 1 9 2 dot 1 6 8 dot 1 dot 4. Four, T C P captures only T C P packets. Five, U D P captures only U D P packets. Six, I C M P captures only I C M P packets. Seven, Port fifty three looks for T C P or U D P packets with source or destination port of fifty three. Rollover 13 of 15. Rollover title: Logical Operators. Primitives can be combined with the logical operators and, not, and or to add another layer of filtering. Three examples of logical operations display as follows. One, host 1 9 2 dot 1 6 8 dot 1 dot 5 and port eighty. The word and instructs the sniffer to capture only port eighty packets going to or from the address. Two, host 1 9 2 dot 1 6 8 dot 1 dot 5 and not I C M P. The words and and not together instruct the sniffer to look for all traffic that is going to or from the address, but not the I C M P traffic. Three, port eighty or port four forty three. The word or instructs the sniffer to capture either H T T P traffic traveling through port eighty or H T T P S traffic traveling through port four forty three. Rollover 14 of 15. Rollover title: Command Line Options. Command line options, also called flags, can be used to narrow down and focus sniffing output. Nine examples of command line options display as follows. One, dash D lists the interfaces available to sniff. Two, dash I pound tells which interface to sniff when you replace the pound with a number. Three, dash N means do not resolve host, or D N S, names. 
Four, dash S sets the snap length, that is, the amount of each packet collected, in bytes. Five, dash W followed by a file name writes the capture to a P Cap file. Six, dash R followed by a file name reads packets from a P Cap file instead of an interface. Seven, dash V means be verbose when printing to screen. Eight, dash V V means be very verbose when printing to screen. Nine, dash X means print packet data in hexadecimal and A S C I I. Rollover 15 of 15. Rollover title: Strings. Strings is a tool you can use during a first pass analysis of packet data. This tool searches binary p cap files looking for runs of A S C I I printable characters. Example, strings dash n 8 file 1 dot p cap, which prints only runs of at least eight printable characters.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Summary</Title>
							<Subtitle/>
							<Filename>idsal6_01_02</Filename>
							<PageNbr>1</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> [no audio] </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Wireshark and the Analysis Process</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 4. Popup title: Wireshark and the Analysis Process. Six key points display as follows. One, Wireshark is an open source, network protocol analyzer. Two, Wireshark's capabilities are that it captures packets in real time and captures packets to analyze at a later time. Three, the Capture Interfaces window shows a list of available interfaces to sniff on. The Capture Options window contains options for configuring a capture session, such as capturing packets in promiscuous mode, displaying packets as they are collected in real time, and entering Berkeley Packet Filters to specify the types of packets to capture. Four, the three display panes are packet list, packet details, and packet bytes. Five, display filters can be used to specify a protocol or field within particular protocol headers, search for port traffic, and filter traffic with comparison operators such as greater than or equal to, example: T C P dot S R C Port is greater than or equal to 1 0 2 4, less than or equal to, example: T C P dot S R C Port is less than or equal to 1 0 2 4, and not equal to, example: I P dot A D D R space exclamation point equal sign 1 dot 2 dot 3 dot 4. Display filters can also refine packet filtering with Boolean operators. Six, the analysis options include Expert Info Composite, Follow T C P Stream, Follow U D P Stream, strings, intrusion detection by analyzing header fields, analyzing data payload, and running a dirty word search. Rollover 1 of 17. Rollover title:  Wireshark. Wireshark has a multitude of capabilities. It can be used to analyze and dissect protocols, identify header fields, and analyze data payloads. It can also be used for network traffic analysis, network troubleshooting, and security analysis. Rollover 2 of 17. Rollover title:  Promiscuous Mode. 
Capturing packets using promiscuous mode will capture all traffic arriving at the network interface and requires administrator or root level privileges. Rollover 3 of 17. Rollover title: Berkeley Packet Filters. Berkeley Packet Filter, or B P F, expressions are built from primitives which are shortcuts for specifying the desired contents of header fields. Rollover 4 of 17. Rollover title: Packet List. The packet list pane displays all packets captured and analyzed by Wireshark. Information contained in the pane includes a number indicating the chronological order in which the packet was captured, the relative time stamp starting at zero for the first packet captured, the source and destination I P and MAC addresses, and the highest level protocol interpreted by Wireshark. Rollover 5 of 17. Rollover title: Packet Details Pane. The packet details pane displays the analysis results for the packet selected in the packet list pane. Data is presented in a tree format. The tree contains a frame section with capture metadata, followed by a section for each protocol header, for example layer two, the Ethernet header, layer three, the I P header, layer four, the U D P header, and layer seven, the Net BIOS Name Service data. By selecting any of the fields in the packet details pane, the corresponding hexadecimal and A S C I I data will display in the packet bytes pane. Rollover 6 of 17. Rollover title: Packet Bytes. The packet bytes pane displays the hexadecimal format and the A S C I I interpretation of these bytes for the packet selected in the packet list pane. Rollover 7 of 17. Rollover title: Specify a Protocol or Field. Simple display filters like T C P, U D P, and I C M P can be used to display one particular protocol of the captured traffic. Other filters can be used to specify fields within particular protocol headers. Three examples follow. One, display packets with a specific source address, for example I P dot S R C equal sign equal sign 1 9 2 dot 1 6 8 dot 1 dot 1. 
Two, display packets with a specific destination address, for example I P dot D S T space E Q space 1 0 dot 1 7 dot 8 dot 9 where E Q is the equivalent of the double equal sign. Three, display packets with a specific source or destination address, for example I P dot A D D R double equal sign 1 0 dot 10 dot 10 dot 10. Rollover 8 of 17. Rollover title: Port Traffic. Filters can refine the types of data you want to search for in a packet capture log. An example is traffic going to or coming from a specific port. Four examples follow. One, display traffic going to or coming from a port, for example T C P dot port double equal sign twenty two. Two, display traffic going to a port, for example U D P dot D S T port double equal sign fifty three. Three, display traffic coming from a port, for example T C P dot S R C port double equal sign twenty. Four, display traffic from an ephemeral port, for example T C P dot S R C port greater than or equal to sign 1 0 2 4. Rollover 9 of 17. Rollover title: Not Equal To. The exclamation point equal sign comparison operator tests each occurrence of a field separately. Applied to a field that occurs twice in a packet, such as I P dot A D D R, which covers both the source and the destination address, it matches whenever either address differs from the value, so I P dot A D D R exclamation point equal sign 1 dot 2 dot 3 dot 4 still displays most packets to or from 1 dot 2 dot 3 dot 4. To exclude an address, invert the equality expression instead. For example, exclamation point parentheses I P dot A D D R double equal sign 1 dot 2 dot 3 dot 4 close parentheses. Rollover 10 of 17. Rollover title: Boolean Operators. Combining simple filters with Boolean operators and, or, and not allows for more detailed filtering of packets. Three examples follow. One, display layer 3 and layer 4 protocols: T C P and I P dot S R C double equal sign 1 9 2 dot 1 6 8 dot 2 dot 1 1 7. Two, display all H T T P or H T T P S traffic using standard ports: T C P dot port double equal sign eighty or T C P dot port double equal sign 4 4 3. Three, display all frames except A R P traffic: Use expression not a r p. Rollover 11 of 17. Rollover title: Expert Info Composite. 
Expert info composite shows additional details about a packet or series of packets and provides a big picture view without having to look at every packet. The option is available in the Analyze Menu. Rollover 12 of 17. Rollover title: Follow T C P Stream. Follow T C P Stream decodes an entire stream of traffic and consolidates the data into one view. There are two ways to follow a stream. For the first, select Expert Info Composite in the Analyze Menu, select a packet of interest in the resulting display, and then select the Follow T C P Stream option in the Analyze drop down menu. For the second, right click a packet and choose the Follow T C P Stream option from the contextual menu. Rollover 13 of 17. Rollover title: Follow U D P Stream. Follow U D P Stream connects related U D P packets, for example T F T P file transfers, and treats U D P as a stream so you can follow the connection. To use this option, select Expert Info Composite in the Analyze Menu. Select a packet of interest in the resulting display and then select the Follow U D P Stream option in the Analyze drop down menu. Rollover 14 of 17. Rollover title: Strings. The strings option enables you to search the packet data by specifying a string. Wireshark will search through the packets for you. To use this tool, you need to know what to look for, including the particular type of traffic and the specific command. To use this option, select Edit in the tool bar of the main Wireshark screen and then select Find Packet. In the Find Packet window, type the string you want to look for, for example, join, in the filter field, select the String option, and then select the Find button. Rollover 15 of 17. Rollover title: Analyze Header Fields. During analysis look for key indicators of malicious activity in the header fields in layers three and four. 
Key indicators are ports, type of service, and H T T P server or S M T P server. Four examples of indicators follow. One, I P addresses to or from certain foreign countries. Two, protocols running on non standard ports, like I R C. Three, addresses or protocols used by previous attackers. Four, encrypted or encoded content on ports not normally encrypted, like the F T P command channel port. Rollover 16 of 17. Rollover title: Analyze Data Payload. During analysis look for key indicators of malicious activity in layer 7 data, including unique bytes that indicate an exploit was sent to the target, and identify the response from the target. Two examples of unique bytes follow. One, signs of a stage 2 Windows executable, like the text this program cannot be run in DOS mode. Two, signs of I R C command and control traffic, like join # channel # password. Rollover 17 of 17. Rollover title: Dirty Word. A dirty word list is a forensic term describing a list of content a forensic investigator believes is related to a case. To run a search, open a Wireshark packet capture, or P Cap log, apply a display filter to filter out routine traffic, and review connections by looking for dirty words, looking for unusual connections, and identifying I P addresses for unusual traffic.</ContentDescription></Sec508Data></Popup>
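The following is an added worked example, not part of the course content or its software: a small evaluator for the Berkeley Packet Filter primitives and logical operators from the Sniffers popup and the Wireshark display-filter comparisons from the popup above, run over constructed packets (not from any real capture) so each expression in the summaries can be checked without a live interface. Field names such as ip.src, ip.addr and tcp.srcport follow Wireshark's display-filter names; the packet records, the lt and le keyword spellings of the less-than operators, and the select helper are this example's own. It implements the per-occurrence matching the course describes, under which ip.addr != 1.2.3.4 keeps almost every packet, and shows that !(ip.addr == 1.2.3.4) is the expression that actually excludes the address. Wireshark itself changed the meaning of != to "all occurrences differ" in version 3.6, so on a current build the first expression now behaves like the second.

```python
# Added example (not part of the course): evaluates the BPF capture-filter
# primitives and Wireshark display-filter comparisons summarised above against
# constructed packets, so each expression can be checked without a live capture.
import operator
import re

# Constructed sample packets (not from a real capture); field names follow the
# Wireshark display-filter names used in the course.
PACKETS = [
    {"proto": "tcp", "ip.src": "192.168.1.5", "ip.dst": "10.17.8.9", "tcp.srcport": 49152, "tcp.dstport": 80},
    {"proto": "tcp", "ip.src": "1.2.3.4", "ip.dst": "192.168.1.5", "tcp.srcport": 443, "tcp.dstport": 50000},
    {"proto": "icmp", "ip.src": "192.168.1.5", "ip.dst": "8.8.8.8"},
    {"proto": "udp", "ip.src": "192.168.1.3", "ip.dst": "192.168.1.4", "udp.srcport": 53, "udp.dstport": 1025},
    {"proto": "tcp", "ip.src": "192.168.2.117", "ip.dst": "1.2.3.4", "tcp.srcport": 1024, "tcp.dstport": 6667},
]

TOKEN_RE = re.compile(r"\(|\)|==|!=|>=|>|!|[A-Za-z0-9_.]+")
# Comparison operators in symbol and keyword form (less-than only as lt / le here).
COMPARE = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
           ">=": operator.ge, "ge": operator.ge, ">": operator.gt, "gt": operator.gt,
           "le": operator.le, "lt": operator.lt}
# Display-filter fields that stand for two header fields at once.
MULTI = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport"),
         "udp.port": ("udp.srcport", "udp.dstport")}
PROTOCOLS = {"tcp", "udp", "icmp", "arp"}


def coerce(text):
    # Ports compare as integers, addresses as strings.
    return int(text) if text.isdigit() else text


def field_values(pkt, name):
    # Every value the packet carries for a possibly multi-valued field.
    return [pkt[n] for n in MULTI.get(name, (name,)) if n in pkt]


class Filter:
    """Recursive descent: expr := term (or term)*; term := factor (and factor)*;
    factor := not factor | ( expr ) | primitive."""
    def __init__(self, expression):
        self.tokens = TOKEN_RE.findall(expression)
        self.pos = 0
    def matches(self, pkt):
        self.pos = 0
        return self._expr(pkt)
    def _peek(self):
        return self.tokens[self.pos] if len(self.tokens) > self.pos else None
    def _take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]
    def _chain(self, pkt, word, sub, combine):
        value = sub(pkt)
        while self._peek() == word:  # both sides always evaluated: no short-circuit
            self._take()
            value = combine(value, sub(pkt))
        return value
    def _expr(self, pkt):
        return self._chain(pkt, "or", self._term, lambda a, b: a or b)
    def _term(self, pkt):
        return self._chain(pkt, "and", self._factor, lambda a, b: a and b)
    def _factor(self, pkt):
        tok = self._take()
        if tok in ("not", "!"):
            return not self._factor(pkt)
        if tok == "(":
            value = self._expr(pkt)
            self._take()  # the closing parenthesis
            return value
        return self._primitive(tok, pkt)
    def _primitive(self, tok, pkt):
        # BPF qualifiers: [src|dst] host ADDR and [src|dst] port NUM.
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        if tok == "host":
            addr = self._take()
            names = {"src": ("ip.src",), "dst": ("ip.dst",)}.get(direction, ("ip.src", "ip.dst"))
            return any(pkt.get(n) == addr for n in names)
        if tok == "port":
            port = coerce(self._take())
            ends = {"src": ("srcport",), "dst": ("dstport",)}.get(direction, ("srcport", "dstport"))
            return any(pkt.get("%s.%s" % (p, e)) == port for p in ("tcp", "udp") for e in ends)
        # A bare protocol name (tcp, udp, icmp, arp) selects by protocol.
        if tok in PROTOCOLS and self._peek() not in COMPARE:
            return pkt.get("proto") == tok
        # Wireshark-style FIELD OP VALUE.  A multi-valued field such as ip.addr
        # matches when ANY of its values passes, which is why "ip.addr != X"
        # still shows most packets to or from X.
        op = self._take()
        if op not in COMPARE:
            raise ValueError("unknown operator %r" % op)
        wanted = coerce(self._take())
        return any(COMPARE[op](v, wanted) for v in field_values(pkt, tok))


def select(expression, packets=PACKETS):
    """Indexes of the packets matched by a capture or display filter expression."""
    flt = Filter(expression)
    return [i for i, pkt in enumerate(packets) if flt.matches(pkt)]
```

Calling select("ip.addr != 1.2.3.4") returns every packet index, including the two whose other address is 1.2.3.4, while select("!(ip.addr == 1.2.3.4)") returns only the three packets that never touch that address. The same select call accepts the BPF forms from the Sniffers popup, for example "host 192.168.1.5 and not icmp" or "port 80 or port 443".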
						<Popup>
							<Title>Summary</Title>
							<Subtitle/>
							<Filename>idsal6_01_03</Filename>
							<PageNbr>1</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> [no audio] </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Client Side Attacks</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 4. Popup title: Client Side Attacks. Six key points display as follows. One, client-side attacks are a common way to carry out spam, data theft, and botnet infections. Two, client-side attacks turn the firewall inside out: the client initiates an outbound connection, often after social engineering lures the user, and the attacker delivers malware in the response. Three, an attack surface is an entry point into a system, network, or application. Any application that parses or processes data or files is at risk for compromise, including office productivity software, third party applications, and web browser extensions. There are human vulnerabilities as well. Attackers use social engineering tactics to exploit users. Search Engine Optimization is another attack surface. Four, attack vectors are the methods used to deliver malicious code. There are technical methods including code injection, cross-site scripting, or X S S, and drive by downloads. Two primary client side attack vectors are email campaign exploits and malware hosting. Five, attackers evade detection by blending in with normal web and email traffic, using encrypted channels, using rootkit style functionality to hide malware, and creating sophisticated malware to evade anti virus software. Six, prevention of client side attacks requires modifying user behavior, including awareness training and education about security issues, defining security policies, and achieving one hundred per cent patch coverage of the operating system and all applications. Rollover 1 of 9. Rollover title: Application. Examples of applications vulnerable to client-side attacks include office productivity software, third party applications, and web browser extensions. Rollover 2 of 9. Rollover title: Social Engineering Tactics. Client side attacks typically require human interaction and often play on a person's inherent tendency toward trust. 
Attackers exploit this trust using various tactics such as phishing, spear phishing, and hijacking accounts on social networking sites. A recent trend, similar to phishing, is smishing. Smishing utilizes Short Message Service, or S M S, text messaging. Attackers send text messages that appear to be from a reputable source, such as a bank. Rollover 3 of 9. Rollover title: Search Engine Optimization. Search engine optimization, or S E O, is a collection of techniques used to achieve higher search rankings for a given website. Attackers use the same techniques to push pages hosting malicious content into the top search results. Rollover 4 of 9. Rollover title: Code Injection. Code injection is the insertion of custom code, typically malicious, directly into a program, script, or application, to be rendered or processed by that process as a method of exploiting the victim machine. Rollover 5 of 9. Rollover title: Cross Site Scripting. Cross site scripting, or X S S, attacks insert or modify scripts, such as Java Script, H T M L, Flash, Active X, or V B Script, that are embedded in a web page and are executed on the client side, in the user's browser. Rollover 6 of 9. Rollover title: Drive by Download. A user visits a web page that contains malicious code. Simply visiting the web page installs malicious code on the client machine. Drive by downloads often install keyloggers to steal passwords and login information. A drive by download can also be accomplished through script injection. An example is cross site scripting, or X S S. Rollover 7 of 9. Rollover title: Email Campaign Exploits. There are various ways to deliver malicious content via email, including sending a malicious executable or script as an attachment, embedding an executable or script in an attached document, and attempting a file format attack. File format attacks exploit the way an application parses a file, and occur when the structure of a file is modified with the intent of adding malicious code. Rollover 8 of 9. Rollover title: Malware Hosting. This type of exploit is often accomplished by hijacking a person's web page. 
The attacker adds a link to the page that directs the user to a malicious server. By clicking the link, the user unwittingly installs malicious software on the client machine. This could be a keylogger or backdoor program. Rollover 9 of 9. Rollover title: Sophisticated Malware. Attackers can create malware that evades signature based antivirus software. Some techniques include using compilers and custom packers to hide strings and thwart reverse engineering of the malware, leveraging polymorphic malware that changes rapidly enough to render recently created signatures outdated, and sending an attack over heavily fragmented or segmented traffic. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Summary</Title>
							<Subtitle/>
							<Filename>idsal6_01_04</Filename>
							<PageNbr>1</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> [no audio] </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Bots and Botnets</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 4. Popup title: Bots and Botnets. 7 key points display as follows. One, a botnet is a network of zombie computers, each infected with a bot. Two, the botnet process begins with a bot herder who deploys a bot. The bot exploits a vulnerability in a computer, downloads code from the Internet, executes the code locally, and attempts to modify the kernel. The infected computer becomes a bot zombie or drone, which connects to the C and C server and notifies the bot herder that it is ready for orders. Three, botnets are often created using commercial tools. Four, bot capabilities include hosting malicious content, acting as a D N S server, searching hard drives for sensitive information, monitoring and recording key strokes to steal data, sending spam email with links to malicious code, launching denial of service, or D O S, attacks, poisoning search results to spread infection, and exploiting smartphone technology to create smartphone botnets. Five, an attack surface is an entry point into a system, network, or application. Six, infection vectors are the methods used to deliver malicious code. Seven, bot detection uses analysis of D L L and A P I calls to provide clues to the functionality of the code. Examples of calls that might indicate malicious activity include kernel thirty two dot D L L and load library. Rollover 1 of 15. Rollover title: Network. A network of bot zombie computers is called a botnet or zombie network. The botnet has a hierarchical structure that is controlled by one person or a group of people, called a bot herder or bot master. Rollover 2 of 15. Rollover title: Bot. Bots are a type of code commonly used for repetitive tasks and automated actions. A bot can be used for malicious purposes. Rollover 3 of 15. Rollover title: Kernel. The bot attempts to modify the kernel in order to gain access privileges to vital system functions. 
Rollover 4 of 15. Rollover title: C and C, Command and Control. The bot herder sends orders to the zombie computers through a command and control, or C and C, channel, often made up of one or more malicious servers. The C and C servers relay the bot herder's commands to the bot zombies. The bot herder does not communicate directly with the zombie computers. Rollover 5 of 15. Rollover title: Commercial Tools. A botnet can be created by purchasing malware from third parties. One type of malware an attacker can purchase is a rootkit. A rootkit is a set of tools used by an attacker after gaining access to a host to conceal the attacker's activities on the host and permit the attacker to maintain this access. Rollover 6 of 15. Rollover title: D N S Server, or domain name system server. A zombie computer acting as a D N S server can direct new victims to the computer hosting the malicious content. Rollover 7 of 15. Rollover title: Monitor Key Strokes. Bots can monitor key strokes and user actions for trigger events. A user action triggers the bot to create screen shots to capture information on the screen or to turn on the webcam or microphone to record a conversation. Examples of triggers are a domain name appearing in the browser U R L bar, for example a bank name, and something that appears on screen like a classification label. Rollover 8 of 15. Rollover title: Record Key Strokes. Bots can record key strokes to steal data like login credentials to email, bank accounts and more. Rollover 9 of 15. Rollover title: Smartphone Botnets. Attackers can use smartphone botnets to send spam using Short Message Service, or S M S, and to attempt a D O S attack using text messages when the goal is to overwhelm the airwaves and prevent users from making calls. Rollover 10 of 15. Rollover title: Attack Surface. Examples of attack surfaces are routers, S M T P and F T P servers, and peripheral and wireless devices that communicate with the client machine. Rollover 11 of 15. 
Rollover title: Infection Vectors. Common botnet infection vectors are operating system vulnerabilities, browsers, email and email attachments, files downloaded from the Internet, and other infected machines. Advanced botnet vectors include mobile devices that connect to the Internet, such as Why Fi connectors for video game consoles, and wireless communication devices and networks like cell phones and voice over I P, or voip. Rollover 12 of 15. Rollover title: D L L. Dynamic link library. Rollover 13 of 15. Rollover title: A P I. Application programming interface. Rollover 14 of 15. Rollover title: Kernel thirty two dot D L L.  Kernel thirty two dot D L L is the user mode library through which Windows programs reach devices, memory, C P U, and other resources controlled by the kernel, so an exploit that runs native code on Windows almost always needs it. Kernel thirty two dot D L L also conveniently provides access to the Load Library A P I.  Because nearly every Windows executable imports Kernel thirty two dot D L L, its presence in a payload is a clue that executable code is present and worth a closer look, not proof that a bot is attempting to alter the kernel. Rollover 15 of 15. Rollover title: Load Library. The Load Library A P I loads a D L L into the calling process, which is why malware uses it to execute malicious code, inject code into other processes by way of D L Ls, and reach further D L Ls at run time.</ContentDescription></Sec508Data></Popup>
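The following is an added worked example, not part of the course content or its software: a minimal version of the strings first-pass analysis from the Sniffers popup (strings dash n 8), applied to a constructed byte blob and then matched against the payload indicators the Wireshark and Bots and Botnets popups list, the DOS mode stub of a Windows executable, kernel thirty two dot D L L, Load Library, and an I R C join. The byte blob, the indicator names, and the eight character minimum (the real strings tool defaults to four) are this example's own. The kernel thirty two and Load Library hits illustrate the caveat above: they say a Windows executable is present, not that it is malicious, so they are triage clues to follow up, while the I R C join line is the kind of content a dirty word search is meant to surface.

```python
# Added example (not part of the course): a minimal "strings -n N" pass over a
# constructed byte blob, then a match against the payload indicators listed in
# the Wireshark and Bots and Botnets popups.
import re

MIN_LEN = 8  # the course's example is strings -n 8 file1.pcap; the tool's default is 4

# Constructed payload: binary noise around the kinds of strings an analyst looks for.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    b"This program cannot be run in DOS mode.\r\n$"
    b"\x00\x00\xff\xfekernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"\x07\x08short\x00"
    b"JOIN #botnet secretpw\r\n"
    b"\x00\xde\xad\xbe\xef"
)

# Indicator names are this example's own; the patterns come from the course text.
INDICATORS = {
    "pe_stub": re.compile(rb"This program cannot be run in DOS mode"),
    "kernel32": re.compile(rb"kernel32\.dll", re.IGNORECASE),
    "loadlibrary": re.compile(rb"LoadLibrary[AW]?"),
    "irc_join": re.compile(rb"JOIN\s+#\S+"),
}


def extract_strings(data, min_len=MIN_LEN):
    """Runs of at least min_len printable ASCII bytes (0x20 to 0x7e), like strings -n."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify(data, min_len=MIN_LEN):
    """Map each indicator name to the extracted strings that triggered it."""
    hits = {}
    for s in extract_strings(data, min_len):
        for name, rx in INDICATORS.items():
            if rx.search(s.encode("ascii")):
                hits.setdefault(name, []).append(s)
    return hits


if __name__ == "__main__":
    for name, found in classify(SAMPLE).items():
        print("%-12s %s" % (name, found))
```

With the eight character minimum the five byte run "short" is dropped, exactly as strings dash n 8 would drop it, while the DOS stub, the two library names, GetProcAddress, and the I R C join line survive; only the last four of those map to an indicator, and GetProcAddress is left as an unclassified string for the analyst.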
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 3. Lesson title: Course Conclusion. Topic title: Summary and Conclusion. Screen title: Summary. Four images are displayed. The first image, labeled Sniffers, shows a grid labeled Sniffer between two desktop computers. The second image, labeled Wireshark and the Analysis Process, shows the Wireshark graphical interface as described in the audio. The third image, labeled Client Side Attacks, shows a malicious origination host server and a destination host server with a firewall between the two servers. The fourth and final image shows the bots and botnets architecture diagram with the attacker at the top, the bot command and control drone in the middle and the bots at the bottom.  Each of the four image labels is selectable and opens a popup. A text box displays that states:  References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Conclusion</Title>
					<Subtitle/>
					<Filename>idsal6_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the DoD Intrusion Detection System Analysis course, Part 2. You should now be able to identify the basic types of sniffers and filter constructs. You should also be able to explain the use of Wireshark and the capture and display filters available, as well as explain the process for analyzing malicious traffic. Lastly, you should be able to explain the variables in client-side attacks and identify bot and botnet network capabilities and traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 3. Lesson title: Course Conclusion. Screen title: Conclusion. Text, Congratulations displays. Course objectives display in support of audio. </ContentDescription></Sec508Data></Page>
				<!--Page>
					<Title>Completion Certificate</Title>
					<Subtitle/>
					<Filename>idsal6_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To print a certificate of completion, enter your name in the space provided and select Print Certificate.</Txt>
						<Txt frameNbr="1"/>
						<input id="Name" type="text" title="Enter your name and select print" name="Name Field" size="30"> 

					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 3. Lesson title: Course Conclusion. Screen title: Completion Certificate. A field displays for you to enter your name. Below the field is a Print Certificate button. 

</ContentDescription></Sec508Data></Page-->
			</Pages>
		</Topic>
	</Topics>
</Module>
