Chapter 7. Security Analysis

In the previous chapters, we learned about protocols and their analysis techniques. In this chapter, we will learn how Wireshark helps us perform a security analysis and covers security aspects of both the application and the network through the following topics:

  • The Heartbleed bug
  • DoS SYN flood/mitigation
  • DoS ICMP flood/mitigation
  • Scanning the network
  • ARP duplicate IP detection (MITM)
  • DrDoS introduction
  • BitTorrent source identification
  • Wireshark endpoints and protocol hierarchy

Heartbleed bug

The Heartbeat protocol (RFC6520) runs on top of the Record layer protocol (the Record layer protocol is defined in SSL).

The Heartbleed bug (CVE-2014-0160) exists in selected OpenSSL versions (1.0.1 to 1.0.1f) that implement the Heartbeat protocol.

This bug is a serious vulnerability that allows an attacker to read more of the process memory (potentially including private keys and passwords) than intended, because the leaked memory is returned in the Heartbeat Response.

The Heartbleed Wireshark filter

The Heartbeat protocol runs on top of the Record layer and is identified by record content type 24 in SSL/TLS. In Wireshark, the display filter ssl.record.content_type == 24 shows only Heartbeat messages. There are two Heartbeat message types: Heartbeat Request and Heartbeat Response.

Heartbleed Wireshark analysis

Open the heartbleed.pcap packet capture file in Wireshark and set the display filter to ssl.record.content_type == 24.

Wireshark will display only encrypted heartbeat messages. The first one is the Heartbeat Request message. In this message, the length (ssl.record.length == 112) of the Heartbeat Request is set to 112 bytes, as shown in the screenshot:

Heartbleed Wireshark analysis

Whenever a Heartbeat Request message is sent to the server, the server answers with a corresponding Heartbeat Response message.

In the given packet, the Heartbeat Response length (ssl.record.length == 144) is set to 144, which means the server has returned 32 bytes more data than expected. This extra data is known as the heartbleed; it may contain sensitive information such as passwords and private keys:

Heartbleed Wireshark analysis
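The same length comparison Wireshark shows above (a 112-byte request answered by a 144-byte response) can be automated over the raw TLS byte streams of a connection. The following is an added example, not code from the book: it splits each direction into TLS records, flags a Heartbeat Response record that is longer than its request, and, for plaintext Heartbeat Requests seen before ChangeCipherSpec, flags a declared payload_length that the record cannot actually carry (RFC 6520 requires at least 16 bytes of padding). The sample streams, the 0x0302 record version and the 64-byte declared length are constructed for the demonstration.

```python
import struct

TLS_CHANGE_CIPHER_SPEC, TLS_HEARTBEAT = 20, 24   # record content types; 24 is the Wireshark filter value
HB_REQUEST, HB_RESPONSE = 1, 2                    # HeartbeatMessageType values (RFC 6520)
HB_MIN_PADDING = 16                               # RFC 6520: padding must be at least 16 bytes

def tls_records(stream):
    """Split one direction of a TLS byte stream into (content_type, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:        # truncated capture: stop instead of mis-parsing
            break
        records.append((ctype, body))
        off += 5 + length
    return records

def heartbleed_findings(client_stream, server_stream):
    """Return (finding, request_len, response_or_declared_len) for suspicious Heartbeats."""
    findings, requests, encrypted = [], [], False
    for ctype, body in tls_records(client_stream):
        if ctype == TLS_CHANGE_CIPHER_SPEC:
            encrypted = True          # later records are ciphertext; the HB header is not visible
        elif ctype == TLS_HEARTBEAT:
            requests.append(body)
            if not encrypted and len(body) >= 3 and body[0] == HB_REQUEST:
                declared = struct.unpack("!H", body[1:3])[0]
                if 3 + declared + HB_MIN_PADDING > len(body):
                    findings.append(("over_declared_request", len(body), declared))
    responses = [b for t, b in tls_records(server_stream) if t == TLS_HEARTBEAT]
    # Encrypted or not, a response record longer than its request is leaked memory (144 vs 112 above).
    for req, resp in zip(requests, responses):
        if len(resp) > len(req):
            findings.append(("oversized_response", len(req), len(resp)))
    return findings

def _record(ctype, body):
    """Wrap body in a TLS record header (version 0x0302); used only for the constructed samples."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed samples (not the book's capture): an encrypted 112-byte Heartbeat Request
# answered by a 144-byte Heartbeat Response, i.e. 32 bytes more than the server was sent.
SAMPLE_CLIENT = _record(TLS_CHANGE_CIPHER_SPEC, b"\x01") + _record(TLS_HEARTBEAT, b"\x00" * 112)
SAMPLE_SERVER = _record(TLS_HEARTBEAT, b"\x00" * 144)
# Constructed plaintext request (before ChangeCipherSpec) declaring 64 payload bytes but carrying none.
SAMPLE_PLAINTEXT_CLIENT = _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 64))

if __name__ == "__main__":
    print(heartbleed_findings(SAMPLE_CLIENT, SAMPLE_SERVER))      # [('oversized_response', 112, 144)]
    print(heartbleed_findings(SAMPLE_PLAINTEXT_CLIENT, b""))      # [('over_declared_request', 3, 64)]
```

To run this against a real capture, feed it the reassembled client-to-server and server-to-client TCP payloads of one connection (for example exported from Wireshark's Follow TCP Stream as raw bytes).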

The Heartbleed test

To test the heartbleed, use the following steps:

  1. Install an affected OpenSSL version (1.0.1c in this example) and verify it:
    [bash]# openssl version
    OpenSSL 1.0.1c 10 May 2012
    
  2. Create a self-signed SSL certificate:
    [bash]# openssl req -sha256 -new -newkey rsa:2048 -nodes -keyout ./server.key -out ./server.csr -subj "/C=PU/ST=Anish/L=Test/O=Security Analysis/OU=Heartbleed/CN=myhost.com"
    [bash]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.pem
    
  3. Start the TLS server using the affected version of OpenSSL:
    [bash]# openssl s_server -www -cipher AES256-SHA -key ./server.key -cert ./server.pem -accept 443
    
  4. Start the packet capture:
    [bash]# tcpdump port 443 -s0 -w heartbleed.pcap &
    

If the SSL/TLS server is reachable through the public network, the online Filippo Heartbleed test can be used. Other tools (such as Heartbeat Detector, which is a shell script) can also be used for this purpose.

Heartbleed recommendations

The following are Heartbleed recommendations:

  • Apply the patches as recommended in the OpenSSL advisory
  • Change the passwords once the vulnerability has been addressed, since credentials may have been leaked while the server was vulnerable