Time
14 minutes
Difficulty
Intermediate

Video Transcription

00:05
Hello, everyone. Welcome back to the latest episode of Breaking Stuff With Joe. I, as always, am your eponymous host, Joe Perry, the director of research here at Cybrary. And I'm the guy with the dragon tattoo. If you've never seen these videos, or heard me make stupid references to my tattoos before, here's a quick rundown of what Breaking Stuff With Joe actually is.
00:23
This is a series of standalone episodes where we're gonna take each one
00:26
and we're gonna pick a tool for each episode, and we just kind of walk through it. We find out what that tool is for, we find out what it can do, we figure out what kind of commands can be used to invoke it, what arguments it might take, and then we walk through a practical example of using that tool. Previous videos have been on password crackers, have been on disassemblers and debuggers.
00:44
Today's video is going to be on the phenomenally powerful network analysis tool
00:48
ngrep. Now, ngrep might sound familiar to you. It sounds like another Linux utility called grep, and the reason for that is because it's built on a very similar engine. grep is used for text analysis, for pattern matching in files and strings. What ngrep has done, or what ngrep is used for, is doing that same sort of pattern matching,
01:06
but against captured or sniffed network traffic.
01:08
So ngrep is a network analysis tool for captured packets. It can capture the packets itself or can operate on pcap files. So it's sort of a middle ground between Wireshark and grep. So over the course of the next 15 to 30 minutes, we're gonna talk about three things. One we just finished talking about, which is what ngrep is and what it's for.
01:27
The second thing we're gonna do is we're gonna see how you use it. We're gonna show you how to invoke it.
01:30
We're gonna walk through some of the arguments in the help documentation, and then finally, and most importantly, we're going to use an actual practical example of ngrep, and we're gonna analyze a little bit of network traffic and see what we can see. So I'm excited to have you here. Hopefully you're excited to be here learning about this really, really useful tool.
01:48
As always, again, I'm your instructor Joe Perry. I'm happy to have you here,
01:51
and I hope that you enjoy this lesson here on Breaking Stuff With Joe on Cybrary. So let's go ahead and get started. As usual, we're gonna be working out of our Ubuntu 64-bit VM. If you're working on your bare metal machine, that's also totally an option, totally okay. But in this case, I'm working out of a VM just because it makes me feel a little bit safer.
02:08
It's important to note that if you're working with a VM, you need to make sure that your network connection is enabled
02:15
with that VM, so you're actually able to see traffic passing over the network. Otherwise, this network analysis tool is not going to be very interesting or useful to you.
02:22
So we want to run ngrep. But unfortunately, unlike a lot of the tools that we do videos on, ngrep does not come installed. Fortunately, it's pretty easy to get on an Ubuntu system. All you have to do here is type sudo,
02:35
uh, apt
02:37
install
02:38
ngrep
02:39
and give your password, which we know from previous videos. Mine is extremely secure,
02:46
and it's gonna take a little time and load that up. It's pretty quick. It's not a huge program. It doesn't take terribly long to install. It is worth noting that you can get ngrep on pretty much any UNIX-based system, so you can actually use it there. There are installs for macOS, Debian, or CentOS.
03:01
So now that we've installed ngrep, we can check and make sure that it installed correctly just by running this command, ngrep, and you can see we don't have permission to capture. As with most packet capturing tools, you're generally gonna have to run this as root, just because of the fact that
03:15
access to sockets without it, without, you know, control, and being able to pull information off of them, is a definite security threat. So you have to ensure that you're a user with the correct permissions.
03:29
So, to actually run ngrep, what we could do is a real quick ngrep -h for the help.
03:32
You can do all sorts of different commands; you can see them here. Now we're gonna walk through just a couple of them, and it's worth remembering as we go through this that ngrep is based on grep and therefore is really, really focused on using regular expressions and on using sort of text searching. So
03:50
one of the things you can do to really get familiar with and get effective in using
03:53
a tool like ngrep, using specifically the tool ngrep, is kind of working on your regular expressions. Because this isn't a regular expression course, we're not going to spend a ton of time figuring out what each of them are. We're just gonna kind of show the tool's utility. But understanding how to use regular expressions with ngrep will give you a lot of utility out of this particular, uh, this particular tool.
04:15
So we're gonna go ahead and run a very simple command here. We're going to ngrep
04:18
and then, with quotes, 'http'. We're gonna see what happens.
04:24
First, nothing's gonna happen, because we need to sudo that.
04:27
There we go, and you can see that it's running and nothing is happening because there's no HTTP traffic happening. So a very easy way to get something started is just by loading up our web browser.
04:35
It'll take just a second 'cause I don't have a lot of memory on this VM,
04:40
and you can see, we'll just close it again.
04:44
We just got a whole bunch of traffic. Now, this is a little bit tough to read, especially in your command line. You can set it up to output to a pcap file. But what you're doing right now isn't really that much different than just running a tcpdump. You're just getting every packet and all of its contents. And that's not really...
05:01
It's not fair to say that that's not useful, but it's definitely gonna give you more information than you necessarily want to be working with right now.
05:09
So what we can do is
05:12
We just sent a Control-C, uh,
05:15
we're gonna clear this up. What we can do with this is run ngrep with this -q option, and -q is the quiet option. If we look at the help,
05:26
Oh,
05:29
where is it? Back up here, if you will.
05:31
There we go.
05:32
-q: be quiet, don't print the packet reception hash marks. It also has a little bit more that it's protecting you from when you're in quiet mode. It's basically just gonna show you the headers and relevant payloads, and we can see that just by running again sudo ngrep -q
05:50
http
05:54
and let that run, and then we're just gonna boot up our
05:56
web browser once more.
06:01
Okay. You can see we still have a lot of data, but now it's just a little bit less. It's a little bit more manageable, and there's a lot less of this sort of stuff down here at the bottom, this junk. There's a lot less of it. And the reason for that, pretty simply, is because of the fact that ngrep is now just looking for
06:17
payloads that it's designed to recognize as useful, and is giving you the actual information
06:23
without quite as much junk data. There's still a little bit of junk data, just because that's in those payloads that it's identified as important, but it is substantially easier to interpret.
06:32
Now that's pretty useful. But what if we're going to set this up to run and pipe into a file, and we want to leave it running for a while, and we're not gonna come back to it, maybe, for a couple hours, and we want to have a context for when this traffic is happening? There's a really useful ngrep option that we can give it: ngrep -q -t.
06:51
And again, we're just gonna say http,
06:56
and again, we're going to sudo it. I'm probably gonna make that mistake another 15 or 16 times. You can see here that now, as it's printing these out, it's got an actual timestamp associated with it. So that's a really easy way to organize your file, and it's gonna make it a lot easier to track as you're running
07:13
or as you're reviewing a file that was created.
07:15
So this is just a nice little utility to add to whatever you're running. We're gonna kill it again
07:21
and talk a little bit about the ways that we can extend our use of ngrep. So we saw earlier with ngrep -h, we have a bunch of different command line arguments we can give it, and we can determine the way it sort of interacts with packets and what it does. But
07:33
better than that, the thing that really makes ngrep such an effective tool is that grep half, where we're able to perform matching against specific contents of our packets. And this is making use of a technique called Berkeley Packet Filter, which is itself based on the idea that all of the Internet, all core protocols of the Internet, TCP, UDP, ICMP,
07:54
are all based on that fundamental Berkeley packet design.
07:57
So Berkeley Packet Filtering is looking for fields that we know will be present in a given packet because of the design that they're inheriting. And we've actually already been doing this to some extent with our sudo ngrep
08:11
commands that we've been running so far. The packet filtering there is the actual http string, and you can see that that's the filter simply by running it and noticing that this third line here says "match: http". Additionally, above that, you can see that it's also filtering. Specifically, the filters are only being applied against IP and IPv6
08:30
on the VLAN.
08:31
And so what's really useful to understand here is that it's only looking for specific pieces of traffic rather than looking for everything; it's performing this pattern matching against very specific filtered traffic. But what's cool about this is that it doesn't just have to be http. We could be both more and less granular in our searching.
08:50
So, for example, we might want to say, instead of
08:52
looking for all things that are http, we might say we just want to see if this person's trying to connect to Google, and we could do sudo ngrep -q
09:01
google
09:07
and you can see that the match now is just looking for that particular string, and we can have a look. We'll go ahead and split this panel really fast.
09:15
Have a look here.
09:20
We're just gonna ping
09:22
www.google.com,
09:26
and you can see that those packets are showing up there. So it's not just HTTP, it's not just Internet... Well, it is Internet in the sense that the Internet is all connections between these computer systems. But it's not just, you know, normal Internet traffic. Anything that matches that string that's being passed in clear text, you're going to be able to make use of.
09:43
Now, it is worth noting that I just said clear text.
09:46
Unless you're using another utility to crack SSL, which will be tools that we talk about in the future, there are tools for man-in-the-middle or for attacking SSL. But unless you're doing that, you're only going to get clear text when you're using this particular tool. ngrep doesn't actually break into the traffic. So it's important to note
10:05
you may miss things. That's one of the reasons why, when I had the http up,
10:07
we only got some packets when we first connected to a site, and we didn't continue to get traffic constantly. But that's just worth noting.
10:18
So we're gonna clear the screen up a little bit here.
10:20
Now we want to look at a little bit, not necessarily contrived, but just an example of one of the things you might be able to do with ngrep. Now that we understand, you know, we can apply filters, we can use regex, we can use strings to match, one of the other things that we can do here is we can actually use ngrep to kill connections, and one of the really useful ways of doing that
10:39
that you might want to make use of is doing sudo ngrep
10:43
-q, because we always want it to be a little bit quiet; we don't want to get a bunch of junk messages. And then the easiest way to use ngrep effectively is using this -K option. What -K does, and you can see that in the help if you go to it, is it actually sends reset packets if a packet matches the filter.
10:58
This number one here is how many reset packets to send. So we could send one, we could send 10, whatever.
11:03
Generally speaking, one's gonna be good enough. This is gonna interject into that stream and say, you know, for whatever reason, that connection is bad, you can't do it anymore.
11:13
And so we're gonna have a look at this. We're actually gonna perform a little bit of packet filtering here. This is our sort of actual example of using ngrep. We've got ngrep -q -K 1, and we're just going to filter, we're going to kill anything
11:26
that we see that includes the string
11:28
reddit. We're trying to keep our users, we're trying to keep our team from going to Reddit and spending their whole day looking at pictures of cats. And so we're gonna run this. Hopefully it'll work, right? Sure does. And we can see here that it's now matching for reddit.
11:41
And then we're just gonna go to our browser over here, and we're gonna try and connect to that website,
11:48
and you can see that we got a network protocol error. It experienced a protocol violation that could not be repaired. Now, this is really handy, because one of the nice things about error messages in a properly secured environment is that they're informative to the developers, but not necessarily to the end users. So the end user thinks that there's something wrong with Reddit. They don't realize that in reality,
12:07
here we see that we got some attempts to connect to it,
12:11
we just sent reset packets and killed them. That is one of the really awesome ways that you could make use of ngrep, and you can do that again. You can use that with filtering against much more or much less granular packets. If you want to just turn off someone's Internet,
12:24
you say no more http. They can't make those initial connections to set up the handshakes to even try and connect to the websites anymore. You can just essentially disable their ability to make use of the Internet.
12:35
So that's ngrep. This is a bit of a shorter tool video than a lot of the ones we've done, and the simple reason for that is because most of using ngrep isn't actually learning about the different commands. It's just learning how to apply the filters that you want to apply. It is worth remembering that ngrep is only for use against clear text network protocols.
12:52
It's not something that you're gonna be able to break into SSL with, just ngrep. You're gonna need more tools to do that.
12:58
That said, over the course of this video, we learned what ngrep is, what it's for. We looked at a couple of the simple commands for using it. We looked at how you can actually install and invoke ngrep, and then we got an example of an actual use case for a pen tester, for a red team, blue team, really anybody who's involved with monitoring or controlling network traffic.
13:16
ngrep is a useful tool.
13:18
One of the ways I've actually seen ngrep used, just as we're on our way out, was actually by a sysadmin who discovered that there was someone using telnet on the network. And while they were trying to figure out who it was, they just killed all that telnet traffic on the network just by using ngrep and using that kill command that we saw earlier.
13:35
So there are a lot of use cases for it. Hopefully you can find some in your day-to-day life.
13:39
I just wanted to, as always, you know, with Breaking Stuff With Joe, we just want to introduce this tool, show you how you can use it, and give you just enough information to be dangerous and run off and really have some fun. So thank you for watching. I appreciate it. As always, I have been your host, Joe Perry. I'm thrilled that you joined us here for our ngrep tool video, and I hope to see you back
13:58
in future Breaking Stuff With Joe videos here on Cybrary.

How to Use NGrep (BSWJ)

Network Grep (ngrep) is a useful network analysis tool which performs operations based upon the grep engine, allowing for the use of regular expressions and text pattern matching against network traffic.
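To make the "grep against packets" idea above concrete without needing root or a live interface, here is an added example written for this page (it is not code from the video, from Cybrary, or from the ngrep project). It is a small pure-Python re-implementation of the two steps ngrep performs: a BPF-style filter ("port N") to select packets, then a regular expression run over each packet's TCP payload, printed in an ngrep-like "T src -> dst" header line. The capture it searches is constructed in memory (three Ethernet/IPv4/TCP frames with made-up addresses and zeroed checksums), so the whole thing runs offline; the output format only approximates ngrep's.

```python
"""Added example: an ngrep-style search over a constructed pcap, stdlib only."""
import re
import struct
from typing import Iterator, List, Optional, Tuple

# ---- build a constructed capture (addresses, ports and payloads are made up) ----
def _ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    total = 20 + len(payload)
    # ver/IHL=0x45, TOS, total length, id, flags/frag, TTL, proto, checksum (0: not verified here)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp(sport: int, dport: int, data: bytes, flags: int = 0x18) -> bytes:
    # seq/ack 0, data offset 5 words (20 bytes), flags PSH|ACK, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data

def _ethernet(payload: bytes) -> bytes:
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + payload   # EtherType 0x0800 = IPv4

def build_pcap(frames: List[Tuple[int, bytes]]) -> bytes:
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # per-record header
    return out

SAMPLE_PCAP = build_pcap([
    (1700000000, _ethernet(_ipv4("10.0.0.5", "93.184.216.34",
        _tcp(51234, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")))),
    (1700000001, _ethernet(_ipv4("93.184.216.34", "10.0.0.5",
        _tcp(80, 51234, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")))),
    (1700000002, _ethernet(_ipv4("10.0.0.5", "10.0.0.9",
        _tcp(40000, 23, b"login: admin\r\n")))),            # clear-text telnet on port 23
])

# ---- the ngrep-like part: decode, filter, regex the payload ----
def iter_tcp(pcap: bytes) -> Iterator[dict]:
    """Yield one dict per TCP-over-IPv4 packet in a little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield {"ts": ts, "src": ".".join(map(str, ip[12:16])), "sport": sport,
               "dst": ".".join(map(str, ip[16:20])), "dport": dport,
               "flags": tcp[13], "payload": tcp[doff:]}

def ngrep_like(pcap: bytes, pattern: str, port: Optional[int] = None,
               ignore_case: bool = False) -> List[Tuple[str, bytes]]:
    """Return (header line, payload) for packets passing the port filter whose
    payload matches `pattern`; ignore_case mirrors ngrep's -i switch."""
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    hits = []
    for p in iter_tcp(pcap):
        if port is not None and port not in (p["sport"], p["dport"]):
            continue                                   # BPF-style "port N" filter
        if not rx.search(p["payload"]):
            continue                                   # regex is applied to the payload only
        hits.append((f"T {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}", p["payload"]))
    return hits

if __name__ == "__main__":
    for header, payload in ngrep_like(SAMPLE_PCAP, "HTTP", port=80):
        print(header)
        print("  " + payload.decode(errors="replace").replace("\r\n", " . "))
    print("telnet:", ngrep_like(SAMPLE_PCAP, "login"))
```

The "HTTP" search with port 80 finds only the two web packets and ignores the telnet frame, while a search for "login" with no port filter finds the telnet login prompt, the same kind of clear-text match the sysadmin story in the video relies on; a TLS-wrapped payload would contain no such string, which is the "clear text only" caveat in practice.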

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc