Part 3 - Packets

Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Description

Packets are the essence of web communications, and in this video we discuss packet basics and how they can be manipulated to attack and exploit web apps. We discuss what a packet is, what makes up a packet in terms of its fields, and how to capture packet data using packet sniffing tools such as Wireshark. In addition, we examine packet responses in the form of HTTP status codes. Finally, the importance of packets in web app exploits is discussed with regard to hidden HTML form fields and how apps are tricked into giving up sensitive info via packet manipulation. An example of such manipulation is the creation of fake browser cookies.

Video Transcription
00:04
Welcome to Cybrary. I'm Raymond Evans, and I will be your subject matter expert for Cybrary's web application penetration testing course.
00:11
In this video, we'll be discussing packets.
00:15
What are they? So what will be covered? We're gonna
00:19
discuss what a packet is, what makes up a packet,
00:23
the different fields that make up the packet,
00:26
and
00:28
why do we need to worry about packets, exactly. So
00:32
let's get started. What is a packet?
00:34
Well, a packet is a unit of data which is transported across networks to facilitate communications between hosts.
00:42
So what exactly does that mean? Well, packets are how we browse the web, stream movies, send text messages and do everything else on the Internet.
00:50
Send email, all kinds of stuff. Packets.
00:54
They're how machines communicate. It's how they talk.
00:58
So packets come in TCP and UDP, and
01:03
they
01:03
both look very different,
01:06
TCP and UDP, because they both facilitate different kinds of communications.
01:11
TCP deals with
01:15
connection-oriented communications, whereas UDP deals with connectionless communications. And I discussed that in another video. So what makes a packet?
01:26
Well,
01:27
we're gonna be discussing this packet here, this image that I snapped. This was a
01:34
simple packet that was captured via Wireshark.
01:38
I did it,
01:40
I followed the TCP stream to get the packet information, all of the TCP stream. So we're gonna be breaking down the fields in this image here that are the important fields that you need to know about. Information like this can be acquired through any kind of packet capture
01:59
program such as tcpdump or Wireshark.
02:04
tcpdump is better to use if
02:07
you were doing packet analysis over a large period of time.
02:13
Wireshark is good to use if you are analyzing the packets on the fly and just need to look at things for a quick minute.
02:20
If you continue to run Wireshark for an extended period of time, it will eat up a lot of resources. So the first part we're gonna discuss here is that top portion of that image, which is the GET packet.
02:32
So the GET packet is somebody going out to the Internet and saying, hey, I want to view this website. So what this GET packet is doing here in the first line,
02:43
this is giving us the directory
02:46
of where that resource is that it's trying to get from the server. And it also shows us that we're using HTTP 1.1
02:54
and not HTTPS. It says right there, HTTP. Next,
03:01
we have our host, so that is the website that we're trying to get to. I tried to get to it
03:07
via an IP address
03:09
rather than the URL.
03:12
If
03:14
you were going to a normal website, you would see the URL of the website
03:19
in that field.
03:21
Next is the user agent string. So the user agent string is what
03:27
is telling the server what you are. So there are user agent changers that you can have as an add-on to your web browser. And with those different user agent changers, you can get all kinds of different views of web pages, and in fact, you can actually get
03:46
access to certain pages on
03:52
servers that you shouldn't be able to get access to, based on different user agents.
03:57
For example, the Googlebot
04:00
goes around and will
04:02
index all the web pages on the Internet
04:05
except for what's put into the robots.txt file. That Googlebot
04:12
is able to get into a lot of web pages that should actually be,
04:17
uh, paid for.
04:20
So one of the things you want to check for in your company, if you have content that needs to be paid for, is: are you allowing Googlebot into that content?
04:31
If so,
04:33
somebody can use just a simple user agent changer and make themselves look like Googlebot,
04:41
and then below that we have the connection type, which was a keep-alive connection. There's two types of connections: there's keep-alive and there's closed. And then
04:49
we do not have a cookie
04:53
in this packet.
04:55
But in a normal packet where you might be logging into something, you would have a cookie, and that cookie contains the session token. That's a very important piece of information, because if somebody was to capture that, using something like cross-site scripting, they can use that session token to pretend to be somebody else
05:13
and get access into everything that they were doing
05:15
without needing a password. Then, right below that, we had the response packet. Here in the first line of the response packet, we saw the 200 OK, so that's the server code coming back saying, hey,
05:27
communications were good,
05:29
200 OK, here's the data.
05:32
It also gave us a timestamp, which is important
05:36
if you need to keep a record of what you did at what time. That's another way of being able to provide evidence, with the timestamps provided within your packets. Then the server also sent us back information saying, hey, I'm an Apache 2.2.16 Debian server.
05:55
So that's also very handy for somebody who's performing a web application pen test. You can simply look at the packets, see, hey, this is an Apache 2.whatever or 1.whatever; you can then look up any known vulnerabilities and known bugs and try to exploit that and see
06:14
if you're still vulnerable in your organization.
06:16
Then there's the content encoding. So
06:19
if you can't figure out
06:23
what's going on with a certain piece of content, if you're looking through the packets and
06:28
can't quite look at the information properly, you might want to look at the content encoding, because that will tell you
06:34
how the content is being served back to you. In this case, it was gzipped back,
06:41
and then we have the content length. So that's the length of the response in bytes. This is important because this can give you a baseline
06:49
of what should be normal for what's returned to a customer. So the company takes a baseline packet capture and says, hey, our content length should be about this much, and
07:01
you go to browse to it, and all of a sudden you're getting
07:04
something that's thousands upon thousands upon thousands of bytes bigger.
07:09
Something might be up. You might be getting something extra returned back, such as some kind of cross-site scripting attempt that might be going on. So then there's the keep-alive.
07:18
How long is this connection gonna be maintained? How long before the server
07:26
does not maintain that connection anymore? And how vulnerable are you to something like a DDoS? If you have a very, very high
07:33
keep-alive time, then you're more likely to be DDoSed than with a very little keep-alive time. And then again we have the connection type, going back saying, hey, the connection type keep-alive is accepted,
07:48
and then we have the content type, so it tells you right there, hey, we're delivering back to you text/html. So why would we need to worry about packets? What's the big deal with them? Well, I went on to another field, and I submitted
08:03
some information. I said, "This is a form field"
08:07
and clicked submit. And here we see in this HTTP traffic, clear as day, that
08:15
that query went out.
08:18
It states name equals
08:20
"This is a form field". Now,
08:24
if you have HTTP traffic going
08:28
and somebody was to submit user credentials, then
08:33
those would be cleartext. That's why you would worry about packets. Another reason to worry about packets
08:39
is hidden form fields. Sometimes a web application may put
08:45
something like privilege levels as a hidden form field. So your privilege level will start out as a basic user.
08:54
Well,
08:56
if I analyze that traffic
08:58
and I see a submission for a brand new account
09:03
and I see that my privilege equals basic,
09:09
well,
09:09
I could start messing around with that. You know, I can change my privilege to admin and attempt that,
09:16
or just look at some
09:20
kind of structure, take a look at the different user accounts that you see floating around,
09:26
um, and see what they might have in common. You know, look at the HTML maybe, and try to figure out any kind of leaked information in there,
09:35
and simply submit your new privilege level. Packet manipulation is a very good way of getting even deeper into a network and tricking a web application into giving you
09:50
higher credentials. Packet manipulation can also be used
09:56
to fake cookies and things like that. So that's why we would worry about packets.
10:01
You need to always analyze your packets, know what's being delivered out to people,
10:07
and know what people are submitting, and you need to know if those packets could be manipulated or not.
10:13
So what was covered?
10:15
Well, I discussed what a packet is,
10:16
I discussed what makes up a packet, I talked about those different form fields that are important,
10:22
and I discussed why we need to worry about packets.
10:26
Have a good one, everyone.
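The hidden-privilege-field scenario from the transcript, as an added example that is not from the video or from Cybrary: a constructed signup POST body (as it would appear in a packet capture) is handled first by a handler that trusts the hidden field, then by one that assigns privilege server-side and flags any client-supplied value. The function and field names are assumptions.

```python
from urllib.parse import parse_qs

# Constructed POST bodies, as they would appear in a captured HTTP request
# when a signup form carries the privilege level as a hidden field.
SIGNUP_BODY = "username=alice&privilege=basic&submit=Create"
TAMPERED_BODY = "username=alice&privilege=admin&submit=Create"  # edited in transit

# Hypothetical server-side default: every new account starts here.
DEFAULT_PRIVILEGE = "basic"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict
    (first value wins, as a typical web framework would do)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def create_account_vulnerable(body: str) -> dict:
    """Trusts the hidden 'privilege' field: whatever the packet says, the
    server stores, so editing the field before sending yields an admin."""
    form = parse_form(body)
    return {"username": form["username"],
            "privilege": form.get("privilege", DEFAULT_PRIVILEGE)}


def create_account_hardened(body: str) -> tuple:
    """Never reads privilege from the client. Returns (account, tampered):
    tampered is True when the request carried a privilege value other than
    the default, which the legitimate form never sends. Elevation happens
    only through a separate, authenticated admin action, not this form."""
    form = parse_form(body)
    username = form.get("username", "").strip()
    if not username:
        raise ValueError("username is required")
    client_priv = form.get("privilege")
    tampered = client_priv is not None and client_priv != DEFAULT_PRIVILEGE
    account = {"username": username, "privilege": DEFAULT_PRIVILEGE}
    return account, tampered


if __name__ == "__main__":
    print(create_account_vulnerable(TAMPERED_BODY))  # privilege 'admin' is stored
    print(create_account_hardened(TAMPERED_BODY))    # privilege 'basic', tampered True
```

The tampered flag is worth logging: a request that carries a privilege value the form never emits is a direct signal that someone is editing packets, which is exactly the traffic the transcript says you should be watching for.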
Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.
