1
00:00:01,220 --> 00:00:02,570
This is monitoring on Windows.

2
00:00:03,110 --> 00:00:10,310
In contrast to Unix-like systems, Windows implements its user-mode network functions without direct

3
00:00:10,610 --> 00:00:11,390
system calls.

4
00:00:12,350 --> 00:00:19,240
So the networking stack is exposed through a driver, and establishing a connection uses the file open,

5
00:00:19,260 --> 00:00:26,330
read and write system calls to configure a network socket for use, even if Windows supports tracing facilities

6
00:00:26,330 --> 00:00:33,710
similar to strace. This implementation makes it more difficult to monitor network traffic at the same

7
00:00:33,710 --> 00:00:35,420
level as on the other platforms.

8
00:00:36,200 --> 00:00:45,290
Windows, starting with Vista and later, has supported an event generation framework that allows applications

9
00:00:45,410 --> 00:00:51,320
to monitor network activity. Writing our own implementation of this would be quite complex.

10
00:00:51,320 --> 00:00:56,420
But fortunately, someone has already written a tool to do it for you.

11
00:00:56,840 --> 00:01:00,680
This is Microsoft's Process Monitor tool.

12
00:01:01,050 --> 00:01:02,870
Let's download this tool here.

13
00:01:04,310 --> 00:01:07,940
Just, uh, search in Google, as you know.

14
00:01:09,910 --> 00:01:15,220
Searching Google, uh, for Microsoft Process Monitor tool.

15
00:01:16,200 --> 00:01:16,940
Actually, yes.

16
00:01:17,450 --> 00:01:19,340
Images of purchasing one or two.

17
00:01:46,110 --> 00:01:50,400
Sysinternals Process Monitor.

18
00:01:53,820 --> 00:01:57,020
And click on the Microsoft official website.

19
00:01:58,100 --> 00:02:00,270
Here, in the download section.

20
00:02:00,290 --> 00:02:01,370
Click on Download.

21
00:02:12,900 --> 00:02:13,290
OK.

22
00:02:14,910 --> 00:02:16,740
And extract from the zip file.

23
00:02:37,570 --> 00:02:39,250
So, as you can see here.

24
00:02:41,980 --> 00:02:42,550
Um.
25
00:02:44,200 --> 00:02:46,060
And the main interface here.

26
00:02:46,510 --> 00:02:52,720
Um, so selecting the filter here, as you can see here, Filter.

27
00:02:54,420 --> 00:02:57,510
Process tree, include process tree, highlight, filter here.

28
00:02:58,000 --> 00:02:59,160
Um, was.

29
00:03:00,780 --> 00:03:08,820
So selecting this filter displays only events related to network connections from

30
00:03:08,820 --> 00:03:09,840
a monitored process.

31
00:03:10,680 --> 00:03:17,580
It does include the hosts involved as well as the protocol and port being used, although the capture

32
00:03:17,580 --> 00:03:21,240
doesn't provide any data associated with the connections.

33
00:03:21,510 --> 00:03:27,540
It does offer valuable insight into the network communications the application is establishing.

34
00:03:28,690 --> 00:03:35,320
Process Monitor can also capture the state of the current calling stack, which helps you to determine

35
00:03:35,320 --> 00:03:39,610
where in an application network connections are being made.

36
00:03:41,410 --> 00:03:48,040
Actually, this will become important in the next, um, lectures of our course when we start reverse

37
00:03:48,040 --> 00:03:51,880
engineering binaries to work out the network protocol.

38
00:03:53,690 --> 00:04:01,070
Here we have columns, as you can see here: Time, Process Name, PID, Operation, Path, Result and

39
00:04:01,070 --> 00:04:01,520
Detail.

40
00:04:02,490 --> 00:04:05,350
So actually, let's increase the size of it.

41
00:04:05,790 --> 00:04:07,370
Um, screen.

42
00:04:11,240 --> 00:04:14,870
The screen here, the screen resolution.

43
00:04:16,110 --> 00:04:17,660
Let's make it clearer.

44
00:04:19,240 --> 00:04:20,710
Scalable here.

45
00:04:24,770 --> 00:04:25,060
Oops!

46
00:04:25,440 --> 00:04:27,050
It's even worse now.

47
00:04:31,440 --> 00:04:31,740
So.
48
00:04:32,920 --> 00:04:42,640
As you can see here, we have columns here, and this column, Time, here, um, shows the name

49
00:04:42,640 --> 00:04:46,580
of the... actually, first we have the process name.

50
00:04:46,600 --> 00:04:48,340
Let's start with Process Name.

51
00:04:48,580 --> 00:04:54,730
This Process Name shows the name of the process that established the connection, and...

52
00:04:57,860 --> 00:05:05,720
This column here, Operation, uh, shows the operation, which in this case is connecting to

53
00:05:05,720 --> 00:05:15,790
a remote server, here, as you can see here, uh, these: open key, close key, uh, you know, read

54
00:05:15,800 --> 00:05:17,930
file, lock file, like that.

55
00:05:19,160 --> 00:05:19,700
And.

56
00:05:21,260 --> 00:05:28,910
We have Path here as well, as you can see here, uh, this Path, uh, actually indicates the source and

57
00:05:28,910 --> 00:05:30,050
destination addresses.

58
00:05:30,320 --> 00:05:35,780
And this is Detail here, as you can see here; let's increase it a little bit.

59
00:05:36,140 --> 00:05:43,190
So this is the, uh, this Detail column provides more in-depth information about the, uh, event,

60
00:05:43,760 --> 00:05:48,140
although this solution isn't as helpful as monitoring system calls on other platforms.

61
00:05:48,470 --> 00:05:54,230
It is still useful on Windows if you just want to determine the network protocols a particular application

62
00:05:54,230 --> 00:05:54,830
is using.

63
00:05:55,610 --> 00:06:01,010
You can't capture data using this technique, but once you determine the protocols in use, you can add

64
00:06:01,010 --> 00:06:05,420
that information to your analysis before a more active network traffic capture.

65
00:06:07,080 --> 00:06:11,280
And now, advantages and disadvantages of passive capture.
66
00:06:12,960 --> 00:06:18,170
So the greatest advantage of using passive capture is that it doesn't disrupt the client and server

67
00:06:18,180 --> 00:06:24,570
applications' communication, so it will not change the destination or source address of traffic.

68
00:06:24,780 --> 00:06:30,210
And it doesn't require any modifications or reconfiguration of the applications.

69
00:06:30,850 --> 00:06:37,500
Passive capture might also be the only technique you can use when you don't have direct control over

70
00:06:37,500 --> 00:06:38,820
the client or the server.

71
00:06:39,420 --> 00:06:46,140
You can usually find a way to listen to the network traffic and capture it with a limited amount of

72
00:06:46,140 --> 00:06:46,650
effort.

73
00:06:47,460 --> 00:06:53,970
After you have collected your data, you can determine which active capture techniques to use and the

74
00:06:53,970 --> 00:06:56,970
best way to attack the protocol you want to analyze.

75
00:06:57,900 --> 00:07:04,830
One negative of passive network traffic capture is that capture techniques like packet sniffing run at

76
00:07:05,040 --> 00:07:12,570
such a low level that it can be difficult to interpret what an application received. Tools such as

77
00:07:12,570 --> 00:07:15,150
Wireshark certainly help.

78
00:07:15,150 --> 00:07:21,240
But if you are analyzing a custom protocol, it might not be possible to easily take apart the protocol

79
00:07:21,840 --> 00:07:23,910
without interacting with it directly.

80
00:07:24,450 --> 00:07:30,810
Passive capture also doesn't always make it easy to modify the traffic an application produces.

81
00:07:31,230 --> 00:07:37,800
So modifying traffic isn't always necessary, but it's useful when you encounter encrypted protocols

82
00:07:38,040 --> 00:07:43,320
and want to disable compression or need to change the traffic for exploitation.

83
00:07:43,950 --> 00:07:51,360
When analyzing traffic and injecting new packets doesn't yield results,
84
00:07:51,780 --> 00:07:55,230
switch tactics and try using active capture techniques.

85
00:07:57,610 --> 00:08:00,520
And we have active capture as well.

86
00:08:01,210 --> 00:08:05,920
So actually, I want to illustrate this here, uh.

87
00:08:07,400 --> 00:08:10,550
Let's change it to four years.

88
00:08:24,190 --> 00:08:30,460
So now, uh, we will, uh, firstly, the client application.

89
00:08:32,000 --> 00:08:37,450
Here and, yes, target, and we need.

90
00:08:38,690 --> 00:08:39,560
Proxy, see?

91
00:08:48,400 --> 00:08:48,820
Man.

92
00:08:52,050 --> 00:08:54,720
Man in the middle, man.

93
00:08:58,290 --> 00:08:58,740
The.

94
00:08:59,930 --> 00:09:01,890
I mean, the proxy.

95
00:09:06,700 --> 00:09:07,030
See?

96
00:09:08,390 --> 00:09:10,580
So this is the attacker's proxy here.

97
00:09:13,520 --> 00:09:14,820
And it's.

98
00:09:16,470 --> 00:09:20,520
Here, and we have, actually.

99
00:09:22,210 --> 00:09:23,920
We have another proxy here.

100
00:09:25,150 --> 00:09:27,400
We just need the server application, server.

101
00:09:28,510 --> 00:09:29,320
Location.

102
00:09:31,410 --> 00:09:32,430
For example.

103
00:09:35,500 --> 00:09:35,860
This.

104
00:09:37,760 --> 00:09:39,650
This is the server.

105
00:09:41,830 --> 00:09:44,650
And let's change this.

106
00:09:52,530 --> 00:09:53,010
Yeah.

107
00:09:58,270 --> 00:09:59,110
Here it is.

108
00:10:02,200 --> 00:10:12,040
So active capture differs from passive in that you will try to influence the flow

109
00:10:12,040 --> 00:10:20,440
of the traffic, usually by using a man-in-the-middle, um, attack on the network, on the network communication

110
00:10:20,890 --> 00:10:22,330
as shown in this figure.

111
00:10:23,250 --> 00:10:30,760
The device capturing traffic usually sits between the client and server application,

112
00:10:31,840 --> 00:10:33,790
uh, acting as a bridge here.
113
00:10:34,450 --> 00:10:40,330
So this approach has several advantages, including the ability to modify traffic and disable features

114
00:10:40,870 --> 00:10:50,170
like encryption and compression, which can make it easier to analyze and exploit a network protocol. Advantages...

115
00:10:50,380 --> 00:10:55,870
Actually, not the advantages; the disadvantage of this approach is that it's usually more difficult

116
00:10:55,870 --> 00:10:59,950
because you need to reroute the application's traffic through your active capture system.

117
00:11:00,520 --> 00:11:04,600
Active capture can also have unintended, undesirable effects.

118
00:11:05,050 --> 00:11:12,280
For example, if you change the network address of the server or client to the proxy, this can cause

119
00:11:12,280 --> 00:11:16,750
confusion, resulting in the application sending traffic to the wrong place.

120
00:11:17,200 --> 00:11:24,160
Despite these issues, active capture is probably the most valuable technique for analyzing and exploiting

121
00:11:24,160 --> 00:11:26,500
application network protocols.

122
00:11:27,340 --> 00:11:30,160
We have network proxies here as well.

123
00:11:31,360 --> 00:11:33,700
So, uh, what?

124
00:11:33,790 --> 00:11:39,910
Um, what network proxies do is, uh, we will learn in the next lecture.