June 9, 2016

Analysing FTP traffic using Wireshark - The Logical Kid

Hello! I am back with a new post, and this one deals with the analysis of FTP traffic using Wireshark.
We will identify the data sent and received over FTP and retrieve any files that were downloaded or uploaded.

Pre-requisites:
* Wireshark
* a PCAP file which may have FTP traffic captured. I have got my own, and if you do not have one, you can download it from here.

Note: Click on the images to enlarge

Let's begin!
1. Open the pcap file in Wireshark.

2. To find out if there is any FTP traffic in it, just apply the filter 'ftp' in the display filter.

3. Now that you can see FTP traffic, find out whether any data was downloaded by a user. To do so, apply the display filter ftp.request.command=="RETR"

4. You can see a retrieve (RETR) request in a few frames; let us look at frame number 767, which was the first instance.

5. Now clear the filters and scroll to a couple of packets before frame 767. If you look at frame number 762, the "Info" column gives some information. If you click on the "Packet Details" pane and expand "File Transfer Protocol (FTP)" as shown in the picture below, you will find a field called "Passive port". Note down the port number in that field and also the source IP address of the same packet.

We found that the IP address is 149.20.20.135 and the port number is 30893.

6. Now we need to find any activity to/from the IP address 149.20.20.135 over port 30893.
To achieve this, apply the following filter in Wireshark: ip.src==149.20.20.135 and tcp.port==30893
We get the following output.

7. What next? Observe frame number 765: we can see some activity over port 30893 from the source IP 149.20.20.135. Let's "Follow TCP Stream".

8. Select the data from the source (149.20.20.135) to the destination.

9. In step 3 we saw that the user had requested the download of a .rpm file, so let us assume this stream is the same file for the time being. Save the stream content as "something.rpm".

That's it! Your work is done (well, almost). Do not try executing the file yourself directly, as we are not sure about its nature; it could be malware. If you are curious, you can try executing it in a sandbox environment isolated from the network.
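The same walk-through (steps 3 to 6) done programmatically, as an added example that is not part of the original post: it pairs each RETR/STOR command on the control channel with the preceding 227 reply, decodes the data port as p1*256+p2 (RFC 959) and builds the display filter for the data connection. The sample control-channel text and the function names are my own, and it also handles EPSV replies, which the post does not cover.

```python
import re
from collections import namedtuple
# Constructed FTP control-channel exchange (not the post's capture). The first 227
# reply encodes 149.20.20.135 and port 120*256+173 = 30893, the values found in step 5.
SAMPLE_CONTROL = """\
230 Login successful.
PASV
227 Entering Passive Mode (149,20,20,135,120,173).
RETR sample-package-1.0.rpm
226 Transfer complete.
PASV
227 Entering Passive Mode (149,20,20,135,121,5).
STOR notes.txt
226 Transfer complete.
"""
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")  # extended passive mode (RFC 2428)
XFER_RE = re.compile(r"^(RETR|STOR)\s+(\S+)", re.IGNORECASE)

# command is RETR (download) or STOR (upload); data_port is p1*256 + p2 from the 227 reply
Transfer = namedtuple("Transfer", "command filename server_ip data_port")

def passive_endpoint(line, control_server_ip):
    """Return (ip, port) of the data channel if `line` is a PASV/EPSV reply, else None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:  # EPSV carries only the port; the data connection goes to the control server
        return control_server_ip, int(m.group(1))
    return None

def find_transfers(control_text, control_server_ip):
    """Pair each RETR/STOR with the most recent passive reply, as steps 3 to 5 do by hand."""
    transfers, endpoint = [], None
    for line in control_text.splitlines():
        ep = passive_endpoint(line, control_server_ip)
        if ep:
            endpoint = ep
            continue
        m = XFER_RE.match(line)
        if m and endpoint:
            transfers.append(Transfer(m.group(1).upper(), m.group(2), *endpoint))
            endpoint = None  # one data connection serves one transfer
    return transfers

def data_stream_filter(t):
    """Wireshark display filter isolating the data connection (compare step 6)."""
    return f"ip.addr=={t.server_ip} and tcp.port=={t.data_port}"
```

Feed it the control-channel text from Wireshark's Follow TCP Stream on port 21 (ASCII view). The filter uses ip.addr so both directions of the data connection are shown, whereas the ip.src filter in step 6 shows only the server's packets, which is enough for a download.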

I hope this was informative and didn't waste your time.

Will be back soon with a new post.
Until then, keep reading and keep spreading the word.

Regards,
itsmeRiF
The Logical Kid

March 21, 2016

The Power of Social Media in dealing with day-to-day problems! - The Logical Kid

Hello! A warm welcome to the blog once again. Today I am going to talk neither about technology nor about philosophy, but about something which is relevant nonetheless.

My last post was about social media, where I had focused on detecting fake content which was spreading virally over various social (media) platforms.

This post is about my personal experience of dealing with one of many daily problems using social media.

tl;dr (long story short): I was conned by two petrol pump employees, and then action was taken against them by the department concerned, thanks to the power of social media.

This starts with the day I happened to re-fuel my bike at a petrol station at Barkatpura, Hyderabad. I was always suspicious about this place, but as this station was the first one on my way to the office, I often used to re-fuel my bike here.

The modus operandi of those people was as follows:
When a person asked for a re-fuel, the pump operator would stand in front of the meter, apparently to block the meter reading, and the other employee (the cashier) would stand opposite the operator. As the re-fuelling started, the cashier would wait for some time and distract the customer by asking him to refill the air in his vehicle; as soon as the person got distracted and took his eyes off the meter, the operator would stop filling, reset the meter and claim that he had completed filling.

One morning, as usual, I went to this petrol station and asked the operator to fill petrol for 100 rupees. I (with the suspicion in mind) started staring at the meter with full concentration, but somehow the cashier distracted me by shaking my bike and telling me to fill air. After that I turned back to see it reading '70' on the meter, and I told the operator to fill the remaining 30, and whoosh! The meter was suddenly reset to '0' and the operator told me "It was 100 and not 70", and I (feeling angry and helpless at the same time) had no evidence to prove my point, as the meter had already been reset.

I moved on and reached the office, thinking I would be careful from next time, but this guilt of a loss of 30 rupees per 100 rupees was bothering me and I didn't want this to happen to anybody else. I had to do something about this.
I had a couple of things in mind: first, I had not taken any bill that I could relate to my transaction. Second, there was no CCTV installed on the premises of that station, at least not around the pump.

I discussed this with a colleague at the office and he explained to me how, for every transaction at a pump, logs are generated which contain the details of the amount for which petrol was filled in each session, with date and time stamps.

Then came an idea. We have heard a lot about good governance using social media; now it was time to put it to the litmus test. I searched for the complaints board on the official site of HP, found their complaints section and posted my complaint there.

I wasn't satisfied, because the complaint section was limited to just about 200 characters and I couldn't elaborate on everything.
So, I found the official handle of Hindustan Petroleum on Twitter and tweeted them my complaint to see if I could bring it to their notice as early as possible.

To my surprise, I received a reply within 15 minutes from their Twitter handle.

I e-mailed them the details at the above-mentioned e-mail ID.

I then sat back and waited for an update from the department concerned.
Five days after the date of reporting, I received a call from the Deputy Manager (Vigilance) of HP for Hyderabad; she asked me to elaborate on the incident and also informed me that those (two) employees had been proven guilty and fired. The manager also apologized for the inconvenience.

Response time: 5 days

Believe in the power of social media. Use it for good. Things take time to get sorted, but give it a try.
That's all folks!
This post was to show how social media can be put to use to deal with our real-life problems, and not only for dealing with Candy Crush requests.

I rest my case.
If you have any queries, you can simply comment below, or can mail me at itsmerif[at]thelogicalkid.in

See you soon with a new post!

Regards,
itsmeRiF
The Logical Kid

February 1, 2016

Social media Analysis - Dealing with content posing 'forced' negativity & How to be a myth buster. - The Logical Kid

Lately, there have been many posts circulating over different social networks which do nothing for anyone's betterment, but can be used to create disturbance in communal harmony.

In this era where people debate over religions with statements like "My religion is superior to yours" and/or "Your religion is the cause of terrorism", etc., people have started using social media as a force multiplier in creating hatred among various communities, for reasons best known to them, because obviously there is nothing good in fighting to prove that so-and-so religion is better. If it's better, then you don't need to shout, and by the way, if it's better, then you should first follow it sincerely instead of imposing it on others.

My interest, or a 'part' of my work, includes keeping an eye on 'potential' hate-mongering people. I follow the posts they make, try to verify their authenticity and detect "caption spoofing" (if done), and then read and try to understand the comments people make on their posts (mostly in their favour), analysing the 'sentiments' which made them vulnerable to believing whatever is posted by the people they follow.

We do not need to worry about the people who talk 'positive', or at least share content which is true. The problem is with the people who share anything which they know can create controversy over social media, while they themselves (mostly) do not know whether the content is authentic.

Let me take an example:

While I was browsing through my Facebook news feed, I happened to come across a page which was sharing some content with a 'negative' sentiment attached to it, which could disturb the harmony between some communities.

While the post was just gaining momentum as people started sharing this content, my focus was on verifying the authenticity of this post.

Firstly, I downloaded the photo and checked whether it was morphed or doctored.
Using 'image-based search' tools, we could assume that it wasn't morphed, but had been touched up using some filters to increase the contrast.
As a supporting document for my assumption, I have added the original picture for reference below:

As seen here, the upper part contains the original picture, and the lower part contains the same picture on which some filters have been applied.

Now, coming to the story behind the picture.
Well, there are many tools for this on the internet, but I prefer using TinEye and/or Google's own image-based search tool.

The logic for deciding which picture is authentic is sometimes simply looking at the date it was posted: the older it is, the greater the chance of it being legitimate.
Anyway, there is much more to it besides the date, which helps us ascertain the facts.

After searching a couple of archives where the photo was posted, I found a website where this content had been posted much earlier than on the other sites.
I gave it a thorough read and could be sure that this photo was taken somewhere in Thailand.

On further lookup, I found a video which had been aired on a news channel, which could be used to further support our assumption.

I rest my case.

- Arif Ali Khan (itsmeRiF)

January 27, 2016

Decrypting SSL traffic using Wireshark! - The Logical Kid

Hello all!

Like me, you might also have heard quite often that the Government is able to 'read' all our 'secure' traffic too, and that they do it by using some secret keys, or so. Did you hear the same?

Well, whether you have heard it or not, that's the way they do it! ;)

Now, to understand how they do it, curiosity led me to some good forums on the internet where people explained how it is done.

First things first. To make this happen, the Government needs to have the decryption key, probably the private key.
We will emulate the same here.
Things we require:

1. SSL Traffic dump
2. Decryption key (private key)
3. Wireshark (I used version 2.0.0rc3)

Patience, people! I will provide the link for the sample SSL traffic dump and all that is required for this task after I explain, somewhere down the line. :)

1. Run Wireshark, and open the sample SSL traffic dump file.

The data gets loaded.

So far so good, but then you can see some encrypted stuff, or 'Greek or Latin' as we casually refer to something of that sort. Let me presume that none of us know either of these. ;)

In the above picture you can see (under data) that the data is encrypted.
So, what next?

2. Click on Edit -> Preferences -> Protocols -> SSL and click on 'Edit' beside "RSA keys list", as follows:

3. Click on "+" and fill in the fields IP address, Port and Protocol with 127.0.0.1, 443 and http respectively.

4. Now double click on the 'Key file' parameter and browse and select the private key file.

That's it!

You will see some extra panes in the window, as follows:

You can see that the SSL traffic was decrypted and displayed as clear HTTP.

Let's compare a couple of frames to see how they looked when encrypted and after decryption.

Simple, right?

This was also done for the test given on 'Pentester Academy' with respect to the module 'Decrypting SSL Traffic' in the WAP Challenges. If you have enrolled for that course, this will help in solving it. :)

Now, the stuff I used here can be downloaded from here.

Now, whenever somebody says that the Government is able to read all your 'secure' data sent to an xyz website, you know that they probably have the private key used by that server. :)
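To show what the server's private key actually unlocks, here is the key-derivation step Wireshark performs after using that key to unwrap the RSA-encrypted pre-master secret from the ClientKeyExchange message, written as an added example (not code from the post or from Wireshark). The function names and the sample inputs are my own, constructed for the demonstration.

```python
import hmac
import hashlib

def p_hash(secret, seed, length, hashmod=hashlib.sha256):
    """P_<hash> from RFC 5246 section 5: an HMAC chain expanded to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashmod).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashmod).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    """The step that follows RSA-unwrapping the pre-master secret with the server key."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, mac_len=0, key_len=16, iv_len=4):
    """Key expansion (RFC 5246 section 6.3); defaults fit AES-128-GCM (no MAC key, 4-byte
    implicit nonce). Note the randoms are concatenated in the opposite order here."""
    n = mac_len + key_len + iv_len
    block = prf(master, b"key expansion", server_random + client_random, 2 * n)
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[off:off + size]
        off += size
    return keys

def derive_session_keys(pre_master, client_random, server_random):
    """End to end: from the recovered pre-master plus the two Hello randoms to record keys."""
    return key_block(master_secret(pre_master, client_random, server_random),
                     client_random, server_random)

# Constructed sample inputs (not values from the post's capture). An RSA pre-master secret
# is 48 bytes whose first two bytes are the client's offered version (TLS 1.2 = 03 03);
# the randoms are the 32-byte fields visible in plaintext in ClientHello and ServerHello.
SAMPLE_PRE_MASTER = b"\x03\x03" + bytes(range(46))
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))
```

This only works because, with an RSA key exchange, the pre-master secret travels on the wire encrypted to the server's public key. With (EC)DHE cipher suites the pre-master secret is never transmitted, so the private key recovers nothing and Wireshark would instead need the session secrets themselves.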

That's all folks!
Kindly leave comments which may include suggestions, queries, and anything which can make this post effective in doing what it was meant to do.

Regards,
itsmeRiF
The Logical Kid