Part 3 - Packets


Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5
Video Description

Packets are the essence of web communications, and in this video we discuss packet basics and how they can be manipulated to attack and exploit web apps. We discuss what a packet is, what makes up a packet in terms of its fields, and how to capture packet data using packet sniffing tools such as Wireshark. In addition, we examine packet responses in the form of HTTP status codes. Finally, the importance of packets in web app exploits is discussed with regard to hidden HTML form fields and how apps are tricked into giving up sensitive info via packet manipulation. An example of such manipulation is the creation of fake browser cookies.

Video Transcription
00:03
>> Welcome to Cybrary. I'm Raymond Evans,
00:03
and I'll be your subject matter expert for
00:03
Cybrary's web application penetration testing course.
00:03
In this video, we'll be discussing
00:03
packets. What are they?
00:03
What will be covered, we're going
00:03
to discuss what a packet is,
00:03
what makes up a packet,
00:03
the different fields that make up the packet,
00:03
and why do we need to worry about packets exactly.
00:03
Let's get started. What is a packet?
00:03
Well, a packet is a unit of data which is
00:03
transported across networks to
00:03
facilitate communication between hosts.
00:03
What exactly does that mean?
00:03
Well, a packet is how we browse the web, stream movies,
00:03
send text messages,
00:03
and do everything else on the Internet;
00:03
send email, all kinds of stuff.
00:03
Packets are how machines communicate.
00:03
It's how they talk. As simple as that.
00:03
Packets come in TCP,
00:03
and UDP,
00:03
and they both look very different.
00:03
TCP, and UDP because they both
00:03
facilitate different kinds of communications.
00:03
TCP deals with the connection oriented communication,
00:03
whereas UDP deals with
00:03
connectionless oriented communications.
00:03
I discussed that in another video.
00:03
What makes up a packet?
00:03
Well, we're going to be discussing this packet here,
00:03
this image that I snapped.
00:03
This was a simple packet
00:03
that was captured via Wireshark. I did it.
00:03
I followed the TCP stream to get
00:03
the packet information,
00:03
now the TCP stream.
00:03
We're going to be breaking down
00:03
the fields in this image
00:03
here that are the important fields
00:03
that you need to know about.
00:03
Information like this can be acquired through
00:03
any packet capture programs
00:03
such as tcpdump or Wireshark.
00:03
Tcpdump is better to use if you are
00:03
doing packet analysis over a large period of time.
00:03
Wireshark is good to
00:03
use if you're analyzing the packets on
00:03
the fly, and just need to look at
00:03
things for a quick minute.
00:03
If you continue to run Wireshark
00:03
for an extended period of time,
00:03
it will eat up a lot of resources.
00:03
The first part we're going to discuss here is
00:03
the top portion of that image,
00:03
which is the GET packet.
00:03
The GET packet is
00:03
somebody going out to the Internet, and saying,
00:03
"Hey, I want to view this website."
00:03
What this GET packet is doing here in
00:03
the first line is it's giving us
00:03
the directory of where
00:03
that resource is that's trying to get from the server.
00:03
It also shows us that we're using HTTP
00:03
1.1 instead of HTTPS.
00:03
It says right there HTTP.
00:03
Next, we have our host.
00:03
That is the website that we're trying to get to.
00:03
I tried to get to it via an IP address
00:03
rather than a URL.
00:03
If you were going to a normal website,
00:03
you would see the URL of the website in that field.
00:03
Next is a user agent string.
00:03
The user agent string is what
00:03
is telling the server what you are.
00:03
There are user agent changers that
00:03
you can have as an add-on to your web browser.
00:03
With those different user agent changers,
00:03
you can get all kinds of different views of webpages.
00:03
In fact, you can actually get access to certain pages
00:03
on servers that you
00:03
shouldn't be able to get access to
00:03
based on different user agents.
00:03
For example, the Googlebot goes around, and will
00:03
index all the web pages on the Internet
00:03
except for what's put into the robots.txt file.
00:03
The Googlebot is able to get into a lot of
00:03
web pages that should actually be paid for.
00:03
One of the things you want to check for in your company
00:03
if you have content that needs to be paid for is,
00:03
are you allowing Googlebot into that content?
00:03
If so, somebody can use
00:03
just a simple user agent changer
00:03
in and make themselves look like Googlebot.
00:03
Then below that,
00:03
we have the connection type,
00:03
which was a keep-alive connection.
00:03
There's two types of connections.
00:03
There's keep-alive and there's closed.
00:03
Then, we did not have a cookie in this packet,
00:03
but in a normal packet
00:03
where you might be logging into something,
00:03
you would have a cookie.
00:03
That cookie contains the session token.
00:03
It's a very important piece of information because if
00:03
somebody were to capture that using
00:03
something like cross-site scripting,
00:03
they can use that session token to
00:03
pretend to be somebody else, and
00:03
get access into everything that they were
00:03
doing without needing a password.
00:03
Then right below that, we had the response packet.
00:03
Here in the first line of the response packet,
00:03
we saw the 200 OK.
00:03
That's the server code coming back saying,
00:03
"Hey, communications were good.
00:03
200 OK, here's the data."
00:03
It also gave us a timestamp,
00:03
which is important if you need to
00:03
keep record of what's your data, what time?
00:03
That's another way of being able to provide evidence is
00:03
the timestamps provided within your packets.
00:03
Then the server also sends us
00:03
back information saying, "Hey,
00:03
I'm an Apache 2.2.16 Debian server."
00:03
That's also very handy for
00:03
somebody who is performing a web application pen test.
00:03
You can simply look at the packets, see, hey,
00:03
this is an Apache two dot whatever,
00:03
or one dot whatever.
00:03
You can then look up
00:03
any known vulnerabilities, and the big bugs, and try to
00:03
exploit that, and see
00:03
if you're still vulnerable in your organization.
00:03
Then there's the content encoding.
00:03
If you can't figure
00:03
out what's going on with a certain piece of content,
00:03
if you're looking through the packets,
00:03
and you can't quite look at the information properly,
00:03
you might want to look at the content encoding
00:03
because that will tell
00:03
you how the content is being served back to you.
00:03
In this case, it was gzipped back.
00:03
Then we have the content length.
00:03
That's the length of the response in bytes.
00:03
This is important because this can give you a baseline
00:03
of what should be normal
00:03
for what's returned us to a customer.
00:03
If a company takes a baseline packet capture and says,
00:03
hey, our content length should be about this much,
00:03
and you go to browse to it, and all of a sudden you're
00:03
getting something that's
00:03
thousands upon thousands of bytes bigger,
00:03
something might be up,
00:03
and you might be getting something
00:03
extra returned back such
00:03
as some cross-site scripting attempt
00:03
that might be going on.
00:03
Then there's the keep-alive.
00:03
How long is this connection going to be maintained?
00:03
How long before the server
00:03
does not maintain a connection anymore,
00:03
and how vulnerable are you to something like a DDoS?
00:03
If you have a very high keep-alive time,
00:03
then you're more likely to be
00:03
DDoS than a very little keep-alive time.
00:03
Then again, we have the connection
00:03
going back, and saying,
00:03
"Hey, the connection type
00:03
keep-alive is good, I accept it."
00:03
Then we have the content type.
00:03
It tells you right there, "Hey,
00:03
we are delivering back to you, text HTML."
00:03
Why would we need to worry about
00:03
packets? What's the big deal with them?
00:03
Well, I went on to another field,
00:03
and I submitted some information.
00:03
I said, this is a form field, then clicked, "Submit".
00:03
Here we see in this HTTP traffic clear as
00:03
day that that query went out.
00:03
State's name equals,
00:03
this is a form field.
00:03
Now, if you have
00:03
HTTP traffic going, and
00:03
somebody was to submit user credentials,
00:03
then those would be clear text.
00:03
That's why you would worry about packets.
00:03
Another reason to worry about
00:03
packets is hidden form fields.
00:03
Sometimes a web application may put
00:03
something like privilege levels
00:03
as a hidden form field.
00:03
Your privilege levels will start out as a basic user.
00:03
Well, if I analyze
00:03
that traffic, and I
00:03
send a submission for a brand new account,
00:03
and I see that my privilege equals basic,
00:03
well, I can start messing around with that.
00:03
I can choose my privilege to admin and attempt
00:03
that or just look at some structure.
00:03
Take a look at the different user
00:03
accounts that you see floating
00:03
around and see what they might have in common.
00:03
Look at the HTML maybe, and try
00:03
to figure out any leaked information in there,
00:03
and then simply submit your new privilege level.
00:03
Packet manipulation is a very good way
00:03
of getting even deeper into a network
00:03
and tricking a web application
00:03
into giving you higher credentials.
00:03
Packet manipulation can also be
00:03
used to fake cookies and things like that.
00:03
That's why we would worry about packets.
00:03
You need to always analyze your packets,
00:03
know what's being delivered out to people,
00:03
and know what people are submitting,
00:03
and you need to know if those packets
00:03
can be manipulated or not.
00:03
What was covered? Well, I discussed what a packet is.
00:03
I discussed what makes up a packet.
00:03
I talked about those different form
00:03
fields that are important,
00:03
and I discussed why we need to worry about
00:03
packets. Happy hacking everyone.