Welcome to Cybrary. I'm Raymond Evans, and I will be your subject matter expert for Cybrary's Web Application Penetration Testing course. In this video, we'll be discussing packets. What are they? So what will be covered? We're going to discuss what a packet is, what makes up a packet and the different fields that make up the packet, and why we need to worry about packets. So let's get started. What is a packet?
Well, a packet is a unit of data which is transported across networks to facilitate communications between hosts. So what exactly does that mean? Well, packets are how we browse the web, stream movies, send text messages and email, and do everything else on the Internet. Packets are how machines communicate; it's how they talk. Simply put, packets come in TCP and UDP, and both look very different. TCP differs from UDP because they facilitate different kinds of communications: TCP deals with connection-oriented communications, whereas UDP deals with connectionless communications. I discussed that in another video. So what makes a packet?
We're going to be discussing this packet here, in this image that I snapped. This was a simple packet that was captured via Wireshark. I followed the TCP stream to get the packet information. So we're going to be breaking down the fields in this image here that are the important fields that you need to know about. Information like this can be acquired through any kind of packet capture program, such as tcpdump or Wireshark. tcpdump is better to use if you are doing packet analysis over a long period of time. Wireshark is good to use if you are analyzing the packets on the fly and just need to look at things for a quick minute. If you continue to run Wireshark for an extended period of time, it will eat up a lot of resources. So the first part we're going to discuss here is that top portion of the image, which is the GET packet.
So the GET packet is somebody going out to the Internet and saying, "Hey, I want to view this website." So what this GET packet is doing here in the first line is giving us the directory of where that resource is that it's trying to get from the server. It also shows us that we're using HTTP 1.1, not HTTPS; it says that right there. Next, we have our host, so that is the website that we're trying to get to. Here I got to it without using the URL; if you were going to a normal website, you would see the URL of the website there.
Next is the user agent string. So the user agent string is what is telling the server what you are. There are user agent changers that you can have as an add-on in your web browser, and with those different user agent changers you can get all kinds of different views of web pages. In fact, you can actually get access to certain pages on servers that you shouldn't be able to get access to, based on different user agents. For example, the Googlebot goes around and will index all the web pages on the Internet, except for what's put into the robots.txt file. The Googlebot is able to get into a lot of web pages that should actually be... So one of the things you want to check for in your company, if you have content that needs to be paid for, is: are you allowing the Googlebot into that content? Somebody can use just a simple user agent changer and make themselves look like the Googlebot.
Then below that we have the connection type, which was a keep-alive connection. There are two types of connections: there's keep-alive and there's close. Then, we do not have a cookie here, but in a normal packet where you might be logging into something, you would have a cookie, and that cookie contains the session token. That's a very important piece of information, because if somebody was to capture that, using something like cross-site scripting, they can use that session token to pretend to be somebody else and get access to everything that person was doing without needing a password.

Then, right below that, we had the response packet. Here in the first line of the response packet we saw the 200 OK, so that's the server code coming back saying, "Hey, communications were good, 200 OK, here's the data." It also gave us a timestamp, which is important if you need to keep a record of what you did at what time. That's another way of being able to provide evidence: the timestamps provided within your packets. Then the server also sent us back information saying, "Hey, I'm an Apache 2.2.16 Debian server." So that's also very handy for somebody who's performing a web application pen test. You can simply look at the packets and see, "Hey, this is Apache 2.whatever or 1.whatever." You can then look up any known vulnerabilities and known bugs and try to exploit that and see if you're still vulnerable in your organization.
Then there's the content encoding. So if you can't figure out what's going on with a certain piece of content, if you're looking through the packets and can't quite look at the information properly, you might want to look at the content encoding, because that will tell you how the content is being served back to you. In this case, it was gzipped back.
Then we have the content length, so that's the length of the response in bytes. This is important because this can give you a baseline of what should be normal for what's returned to a customer. So the company takes a baseline packet capture and says, "Hey, our content length should be about this much," and then you go to browse to it and all of a sudden you're getting something that's thousands upon thousands upon thousands of bytes bigger. Something might be up. You might be getting something extra returned back, such as some kind of cross-site scripting attempt that might be going on. Then there's the keep-alive. How long is this connection going to be maintained? How long before the server does not maintain that connection anymore? And how vulnerable are you to something like a DDoS? If you have a very, very high keep-alive time, then you're more likely to be DDoSed than with a very short keep-alive time. And then again we have the connection type coming back saying, "Hey, the connection type keep-alive is accepted."
And then we have the content type, so it tells you right there, "Hey, we're delivering back to you text/html." So why would we need to worry about packets? What's the big deal with them? Well, I went on to another form field and submitted some information. I said, "This is a form field," and clicked submit. And here we see in this HTTP traffic, clear as day, that that query went out: "This is a form field." Now, if you have HTTP traffic going and somebody was to submit user credentials, then those would be cleartext. That's why you would worry about packets.
Another reason to worry about packets is hidden form fields. Sometimes a web application may put something like privilege levels in a hidden form field, so your privilege level will start out as a basic user. If I analyze that traffic and I see a submission for a brand new account, and I see that my privilege equals basic, I could start messing around with that. You know, I can change my privilege to admin and attempt that, or just look at some kind of structure, take a look at the different user accounts that you see floating around and see what they might have in common. You know, look at the HTML, maybe, and try to figure out any kind of leaked information in there, and simply submit your new privilege level. Packet manipulation is a very good way of getting even deeper into a network and tricking a web application into giving you higher credentials. Packet manipulation can also be used to fake cookies and things like that. So that's why we would worry about packets.
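Here is an added example, not from the course, of the server-side fix for the hidden privilege field and faked cookie problems just described: the account-creation handler that trusts the client's privilege field sits beside one that sets it by server policy, and the caller's role is looked up from a server-side session store keyed by a random token rather than read from the cookie. The request dicts stand in for parsed HTTP POSTs and are constructed.

```python
import secrets
from typing import Dict, Optional

# Server-side state. Only the application writes here; nothing the client
# sends (form fields, cookie contents) is copied into it unchecked.
ACCOUNTS: Dict[str, Dict[str, str]] = {}   # username -> account record
SESSIONS: Dict[str, Dict[str, str]] = {}   # session token -> {"user": name}

def create_account_vulnerable(form: Dict[str, str]) -> Dict[str, str]:
    """Trusts the hidden 'privilege' field exactly as the browser sent it.
    Changing privilege=basic to privilege=admin in the packet yields an admin."""
    account = {"user": form["user"], "privilege": form.get("privilege", "basic")}
    ACCOUNTS[account["user"]] = account
    return account

def create_account_hardened(form: Dict[str, str]) -> Dict[str, str]:
    """Ignores any client-supplied privilege: new accounts are always 'basic'.
    Privilege is server policy, so it never needs to travel in a form field."""
    account = {"user": form["user"], "privilege": "basic"}
    ACCOUNTS[account["user"]] = account
    return account

def login(user: str) -> str:
    """Issue an unguessable session token. The role stays server-side; the
    cookie carries only this opaque token, so there is nothing to edit."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user}
    return token

def privilege_for_request(cookie: Dict[str, str]) -> Optional[str]:
    """Resolve the caller's role from the session store. Any extra cookie
    value such as a forged 'privilege=admin' is simply never consulted."""
    session = SESSIONS.get(cookie.get("session", ""))
    if session is None:
        return None  # unknown or forged token: treat as unauthenticated
    return ACCOUNTS[session["user"]]["privilege"]
```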
You need to always analyze your packets, know what's being delivered out to people, and know what people are submitting, and you need to know if those packets could be manipulated or not.
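As an added example (not the course's own tooling), here is a small Python checker that takes one request/response pair as Wireshark's "follow TCP stream" view would show it and flags the items the video discussed: cleartext credentials and a client-controlled privilege field in the form body, a Server banner with a version, a session cookie that script can read, a Content-Length far above the company's baseline, and a long keep-alive timeout. The exchange, the baseline and the thresholds are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample exchange (not a real capture), modelled on the fields the
# video walks through: a form POST over plain HTTP and the server's reply.
REQUEST = (
    "POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\nContent-Length: 40\r\n\r\n"
    "user=bob&password=hunter2&privilege=basic"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.16 (Debian)\r\nSet-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Encoding: gzip\r\nContent-Length: 9000\r\n"
    "Keep-Alive: timeout=300, max=100\r\nConnection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split one HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit(request: str, response: str, baseline_len: int, keepalive_max: int = 60) -> List[str]:
    """Defender-side findings for one captured exchange. Anything readable in
    the capture travelled in the clear. baseline_len is the expected
    Content-Length from the company's baseline capture (an assumed input)."""
    findings: List[str] = []
    _, _, req_body = parse_message(request)
    _, res_h, _ = parse_message(response)
    if re.search(r"(^|&)(pass(word)?|pwd)=", req_body, re.I):
        findings.append("credentials submitted in cleartext HTTP body")
    if re.search(r"(^|&)(privilege|role|admin)=", req_body, re.I):
        findings.append("client-controlled privilege field in form body")
    server = res_h.get("server", "")
    if re.search(r"/\d", server):  # product/version banner present
        findings.append(f"Server header discloses version: {server}")
    cookie = res_h.get("set-cookie", "")
    if cookie and "httponly" not in cookie.lower():
        findings.append("session cookie set without HttpOnly; script (e.g. XSS) can read it")
    length = int(res_h.get("content-length", "0"))
    if length > 2 * baseline_len:  # 2x threshold is an assumption
        findings.append(f"Content-Length {length} far above baseline {baseline_len}")
    m = re.search(r"timeout=(\d+)", res_h.get("keep-alive", ""))
    if m and int(m.group(1)) > keepalive_max:
        findings.append(f"Keep-Alive timeout {m.group(1)}s may tie up server resources")
    return findings
```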
So what was covered? Well, I discussed what a packet is, I discussed what makes up a packet, I talked about those different form fields that are important, and I discussed why we need to worry about packets. Have a good one, everyone.