Lab 7: Reverse Engineering

Objective

To experiment with using TShark to analyze how an unknown application is communicating, and what data it is sending and receiving.

TShark Filtering

When using TShark on the Google Cloud VM, there is a lot of extra "noise" caused by the fact that we are connected over SSH. The SSH client on your machine sends regular updates to the SSH server running on your VM.

In order to not have these show up, you can use the "not port 22" filter like this:

$ tshark -f "not port 22"

Now TShark will print all of the packets it gets, but not the ones coming in or going out on port 22 (which is the SSH port). There will still be some "noise" packets coming in, but it will be many less.

To see this, run this command in one window, and then connect a second SSH window to your VM. Run the following command in that window:

$ wget http://ianfinlayson.net/class/cpsc414/labs/07-reverse

This will download the HTML page for this lab to your VM. You should at that point see a flurry of packets coming in for the HTTP request.

Seeing Packet Data

So far we have only used TShark to print various packet fields at the different network layers. But we can also use it to print the data being sent in those packets. This can be done with the "-x" flag:

$ tshark -f "not port 22" -x

This will print packet data onto the screen in a format like this:

$ tshark -f "not port 22" -x
0000  42 01 0a 8e 00 01 42 01 0a 8e 00 03 08 00 45 00   B.....B.......E.
0010  00 34 3b cb 40 00 40 06 91 90 0a 8e 00 03 23 cf   .4;.@.@.......#.
0020  3f 09 cc 00 00 50 54 04 45 d6 89 74 53 37 80 11   ?....PT.E..tS7..
0030  01 45 6d 8f 00 00 01 01 08 0a fc ad f5 9c fa 6f   .Em............o
0040  fa 4d                                             .M

There are three main sections here:

The leftmost values are just index markers indicating which byte numbers are on this row.
The 16 hexadecimal numbers on each row give the raw byte values that are in the packets data section. So the first byte in this packet has the value 0x42 and the last has value 0x4d.
The values on the far right are the ASCII representations of each byte. If the byte corresponds to a printable ASCII value (like 0x42 is B), it will be printed. If not (like 0x01 is not printable) it will put a . These let you check if the data is readable text or not. Here, it's not.

Looking at the data can show you what an application is doing on the network. Try to run the wget command again. You should see the HTML text of the lab page show up in the TShark output.

Task

You will be doing some analysis on a network program called "prog". You can download it with the following command:

$ wget http://ianfinlayson.net/class/cpsc414/labs/prog

Then give it executable permissions so you can run it:

$ chmod +x prog

You should run this program in one window and TShark in another window, so you can see what packets it's sending and receiving.

You will need to get TShark to print some other information from packet headers, such as IPs and ports. If you leave off the "-x", then TShark will print this information for you. I recommend finding the IP and port first, then you can use "-f port XXXX" as a filter which will only print the packets for this program.

Questions

What IP address is this program communicating with?
What port on that IP is it communicating through?
How many packets are sent back and forth between the two machines when the program is run?
Is this program using TCP or UDP?
What text is being sent over the network between the two machines? Not all of the packets have text data (many are just TCP handshakes, ACKs, or FINs). Scan through the packet data and make a note of anything in readable text.
Why is it important that network applications use encryption for sensitive data?

Submitting

When you're finished, email your answers to ifinlay@umw.edu.