377_Eth2e_FM.qxd 11/14/06 1:23 PM Page i

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.
Jay Beale's Open Source Security Series

Wireshark & Ethereal Network Protocol Analyzer Toolkit

Angela Orebaugh
Gilbert Ramirez
Josh Burke
Larry Pesce
Joshua Wright
Greg Morris

Open Source Security Tools & Scripts

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Wireshark & Ethereal Network Protocol Analyzer Toolkit

Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN-10: 1-59749-073-3
ISBN-13: 978-1-59749-073-3

Publisher: Andrew Williams
Page Layout and Art: Techne Group
Acquisitions Editor: Erin Heffernan
Copy Editor: Judy Eby
Technical Editor: Angela Orebaugh, Gilbert Ramirez
Indexer: Richard Carlson
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [email protected] or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

A special thank you to Mike Rash and Deapesh Misra for contributing their expertise to the case studies used in Chapter 7 of this book.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

About the CD

Most of the tools covered in this book are Open Source and are therefore constantly evolving. If you are deploying any of these tools to your live network, please be sure to download the most recent versions.
Wherever possible, we have indicated sites where downloads are generally available. Please look for the CD icon in the margins to indicate applications or captures contained on the CD.

For convenience, and to allow for consistency in the examples used, we have included Wireshark release 0.99.4; it is the most current stable release of Wireshark as of the printing of this book.

For installation on Win32 systems, the “Windows Installer” folder contains the file wireshark-setup-0.99.4.exe. This Nullsoft Scriptable Install System file prompts you through the installation of Wireshark and WinPcap. Once installed, the programs are run via Start | Programs.

The Source Files folder contains the file wireshark-0.99.4.tar.gz for installation on non-Windows systems.

You will also find folders containing the filters discussed in the book and a folder containing the captures used in the exercises in Chapters 4, 6, and 7.

Note: This CD contains packet captures of the Code Red virus and has “strings” in it that your antivirus software will detect. In order to continue, you may need to disable real-time protection. These files do not contain viruses, just the harmless fingerprints.
Wireshark is subject to U.S. export regulations. Take heed. Consult a lawyer if you have any questions.

Lead Author

Angela Orebaugh is an industry-recognized security technology visionary and scientist, with over 12 years of hands-on experience. She currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Angela currently participates in several security initiatives for the National Institute of Standards and Technology (NIST). She is the lead scientist for the National Vulnerability Database and author of several NIST Special Publications on security technologies. Angela has over a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. She has a Master’s in Computer Science, and is currently pursuing her Ph.D. with a concentration in Information Security at George Mason University.

Angela is the author of the Syngress best seller Ethereal Packet Sniffing (ISBN: 1932266828). She has also co-authored the Snort Cookbook and Intrusion Prevention and Active Response: Deploying Network and Host IPS (Syngress, ISBN: 193226647X). Angela is a researcher, writer, and speaker for SANS Institute and faculty for The Institute for Applied Network Security and George Mason University. Angela has a wealth of knowledge from industry, academia, and government from her consulting experience with prominent Fortune 500 companies, the Department of Defense, dot-com startups, and universities. She is a frequently invited speaker at a variety of conferences and security events.
Current research interests: intrusion detection, intrusion prevention, data mining, attacker profiling, user behavior analysis, network forensics.

Technical Editor and Contributing Author

Gilbert Ramirez was the first contributor to Ethereal after it was announced to the public and is known for his regular updates to the product. He has contributed protocol dissectors as well as core logic to Ethereal. He is a Technical Leader at Cisco Systems, where he works on tools and builds systems. Gilbert is a family man, a linguist, a want-to-be chef, and a student of tae kwon do. He is co-author of Syngress Publishing’s popular Ethereal Packet Sniffing (ISBN: 1932266828).

Contributing Authors

Josh Burke (CISSP) is an independent information security consultant in Seattle, Washington. He has held positions in networking, systems, and security over the past seven years in the technology, financial, and media sectors. A graduate of the business school at the University of Washington, Josh concentrates on balancing technical and business needs for companies in the many areas of information security. He also promotes an inclusive, positive security philosophy for companies, which encourages communicating the merits and reasons for security policies, rather than educating only on what the policies forbid.

Josh is an expert in open-source security applications such as Snort, Ethereal, and Nessus. His research interests include improving the security and resilience of the Domain Name System (DNS) and the Network Time Protocol (NTP). He also enjoys reading about the mathematics and history of cryptography, but afterward often knows less about the subject than when he started.
Larry Pesce (CCNA, GCFA Silver, GAWN Silver) is the Manager for Information Services Security at Care New England, a mid-sized healthcare organization in New England. In the last 13 years in the computer industry, Larry has become a jack of all trades: PC repair, Network Engineering, Web Design, Non-Linear Audio and Video production, and Computer Security. Larry is also gainfully employed as a Penetration Tester / Ethical Hacker with Defensive Intuition, a Rhode Island-based security consulting company. A graduate of Roger Williams University in Computer Information Systems, Larry is currently exploring his options for graduate education.

In addition to his industry experience, Larry is also a Security Evangelist for the PaulDotCom Security Weekly podcast at www.pauldotcom.com. Larry is currently completing a work with his PaulDotCom Security Weekly co-host, Paul Asadoorian, on hacking the Linksys WRT54G. More of Larry’s writing, guides, and rants can be found on his blog at www.haxorthematrix.com.

Greg Morris (5-CNA, 5-CNE, 3-MCNE, Linux+, LPIC-1) is a Senior Resolution Engineer for Novell Technical Services in Provo, UT. Originally from Oklahoma, Greg has spent over 25 years in the computer industry. Although Greg has a degree in management, his passion is to be creative. This is what the software development process provides. His vast experience includes hardware and software troubleshooting on mainframe, midrange, and PC computers. Greg’s early roots in software development were in database technologies, dabbling in C and assembly, but mostly working with a language called Clipper by Nantucket. Greg’s work on Ethereal began in November of 2000. Since that time he has made a significant number of contributions to the Ethereal (now Wireshark) project.
These include new dissectors (NCP, NDS, NDPS) as well as new features (Extended Find capabilities). Greg has made a number of modifications to many other dissectors and is currently developing Novell Modular Authentication Services (NMAS), Novell SecretStore Services (SSS), Novell International Cryptographic Infrastructure (NICI), and a host of other Novell-specific decodes. Greg has actively developed customer and internal training programs for a number of different Novell products. One of his most unique programs was developed to teach internal users the skills necessary to analyze packet traces. Greg started working with packet traces many years ago with Novell’s LANalyzer product. From there Greg migrated to Network Associates’ Sniffer product. But, since working with Ethereal to add complete Novell NCP/NDS packet support, Greg would use nothing else. He currently develops on Windows 2000 with Microsoft’s Visual C++, but has plans to move to SuSE Linux and the GNU compiler for future Wireshark development.