Wireshark for Security Professionals : Using Wireshark and the Metasploit Framework

  • eBook price: ¥4,980 (eBook edition available)


  • Binding: Paperback / 288 p.
  • Language: ENG
  • Product code: 9781118918210
  • DDC classification: 005.8

Full Description

Master Wireshark to solve real-world security problems 

If you don't already use Wireshark for a wide range of information security tasks, you will after this book. Mature and powerful, Wireshark is commonly used to find root cause of challenging network issues. This book extends that power to information security professionals, complete with a downloadable, virtual lab environment.

Wireshark for Security Professionals covers both offensive and defensive concepts that can be applied to essentially any InfoSec role. Whether you work in network security, malware analysis, intrusion detection, or penetration testing, this book demonstrates Wireshark through relevant and useful examples.

Master Wireshark through both lab scenarios and exercises. Early in the book, a virtual lab environment is provided for the purpose of getting hands-on experience with Wireshark. Wireshark is combined with two popular platforms: Kali, the security-focused Linux distribution, and the Metasploit Framework, the open-source framework for security testing. Lab-based virtual systems generate network traffic for analysis, investigation and demonstration. In addition to following along with the labs you will be challenged with end-of-chapter exercises to expand on covered material.

Lastly, this book explores Wireshark with Lua, the lightweight programming language. Lua allows you to extend and customize Wireshark's features for your needs as a security professional. Lua source code is available both in the book and online. Lua code and lab source code are available online through GitHub, which the book also introduces. The book's final two chapters draw heavily on Lua and TShark, the command-line interface of Wireshark.

By the end of the book you will gain the following:

  • Master the basics of Wireshark
  • Explore the virtual w4sp-lab environment that mimics a real-world network
  • Gain experience using the Debian-based Kali OS among other systems
  • Understand the technical details behind network attacks
  • Execute exploitation and grasp offensive and defensive activities, exploring them through Wireshark
  • Employ Lua to extend Wireshark features and create useful scripts

To sum up, the book content, labs and online material, coupled with many referenced sources of PCAP traces, together present a dynamic and robust manual for information security professionals seeking to leverage Wireshark.


Contents

Introduction xiii

Chapter 1 Introducing Wireshark 1
  What Is Wireshark? 2
  A Best Time to Use Wireshark? 2
  Avoiding Being Overwhelmed 3
  The Wireshark User Interface 3
  Packet List Pane 5
  Packet Details Pane 6
  Packet Bytes Pane 8
  Filters 9
  Capture Filters 9
  Display Filters 13
  Summary 17
  Exercises 18

Chapter 2 Setting Up the Lab 19
  Kali Linux 20
  Virtualization 22
  Basic Terminology and Concepts 23
  Benefits of Virtualization 23
  Virtual Box 24
  Installing VirtualBox 24
  Installing the VirtualBox Extension Pack 31
  Creating a Kali Linux Virtual Machine 33
  Installing Kali Linux 40
  The W4SP Lab 46
  Requirements 46
  A Few Words about Docker 47
  What Is GitHub? 48
  Creating the Lab User 49
  Installing the W4SP Lab on the Kali Virtual Machine 50
  Setting Up the W4SP Lab 53
  The Lab Network 54
  Summary 55
  Exercises 56

Chapter 3 The Fundamentals 57
  Networking 58
  OSI Layers 58
  Networking between Virtual Machines 61
  Security 63
  The Security Triad 63
  Intrusion Detection and Prevention Systems 63
  False Positives and False Negatives 64
  Malware 64
  Spoofing and Poisoning 66
  Packet and Protocol Analysis 66
  A Protocol Analysis Story 67
  Ports and Protocols 71
  Summary 73
  Exercises 74

Chapter 4 Capturing Packets 75
  Sniffing 76
  Promiscuous Mode 76
  Starting the First Capture 78
  TShark 82
  Dealing with the Network 86
  Local Machine 87
  Sniffing Localhost 88
  Sniffing on Virtual Machine Interfaces 92
  Sniffing with Hubs 96
  SPAN Ports 98
  Network Taps 101
  Transparent Linux Bridges 103
  Wireless Networks 105
  Loading and Saving Capture Files 108
  File Formats 108
  Ring Buffers and Multiple Files 111
  Recent Capture Files 116
  Dissectors 118
  W4SP Lab: Managing Nonstandard HTTP Traffic 118
  Filtering SMB Filenames 120
  Packet Colorization 123
  Viewing Someone Else's Captures 126
  Summary 127
  Exercises 128

Chapter 5 Diagnosing Attacks 129
  Attack Type: Man-in-the-Middle 130
  Why MitM Attacks Are Effective 130
  How MitM Attacks Get Done: ARP 131
  W4SP Lab: Performing an ARP MitM Attack 133
  W4SP Lab: Performing a DNS MitM Attack 141
  How to Prevent MitM Attacks 147
  Attack Type: Denial of Service 148
  Why DoS Attacks Are Effective 149
  How DoS Attacks Get Done 150
  How to Prevent DoS Attacks 155
  Attack Type: Advanced Persistent Threat 156
  Why APT Attacks Are Effective 156
  How APT Attacks Get Done 157
  Example APT Traffic in Wireshark 157
  How to Prevent APT Attacks 161
  Summary 162
  Exercises 162

Chapter 6 Offensive Wireshark 163
  Attack Methodology 163
  Reconnaissance Using Wireshark 165
  Evading IPS/IDS 168
  Session Splicing and Fragmentation 168
  Playing to the Host, Not the IDS 169
  Covering Tracks and Placing Backdoors 169
  Exploitation 170
  Setting Up the W4SP Lab with Metasploitable 171
  Launching Metasploit Console 171
  VSFTP Exploit 172
  Debugging with Wireshark 173
  Shell in Wireshark 175
  TCP Stream Showing a Bind Shell 176
  TCP Stream Showing a Reverse Shell 183
  Starting ELK 188
  Remote Capture over SSH 190
  Summary 191
  Exercises 192

Chapter 7 Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing 193
  Decrypting SSL/TLS 193
  Decrypting SSL/TLS Using Private Keys 195
  Decrypting SSL/TLS Using Session Keys 199
  USB and Wireshark 202
  Capturing USB Traffic on Linux 203
  Capturing USB Traffic on Windows 206
  TShark Keylogger 208
  Graphing the Network 212
  Lua with Graphviz Library 213
  Summary 218
  Exercises 219

Chapter 8 Scripting with Lua 221
  Why Lua? 222
  Scripting Basics 223
  Variables 225
  Functions and Blocks 226
  Loops 228
  Conditionals 230
  Setup 230
  Checking for Lua Support 231
  Lua Initialization 232
  Windows Setup 233
  Linux Setup 233
  Tools 234
  Hello World with TShark 236
  Counting Packets Script 237
  ARP Cache Script 241
  Creating Dissectors for Wireshark 244
  Dissector Types 245
  Why a Dissector Is Needed 245
  Experiment 253
  Extending Wireshark 255
  Packet Direction Script 255
  Marking Suspicious Script 257
  Snooping SMB File Transfers 260
  Summary 262

Index 265
