Sunday, June 8, 2014

Beginning IPv6 - Analyzing Telnet Traffic

In the previous post we looked at analyzing HTTP. Let's now look at the Telnet protocol. Since in the post on DNS I elaborated on the fields which make up the IPv6 header, I will refrain from doing so again. In addition, as we continue to go through these protocols, we will omit material which can be easily found in the previous posts in this series.

root@securitynik:~/securitynik# tshark -r ipv6-telnet.pcap -n -c 3
  1   0.000000 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 94 46906 > 23 [SYN] Seq=0 Win=28800 Len=0 MSS=1440 SACK_PERM=1 TSval=283731 TSecr=0 WS=128
  2   0.002348 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 TCP 94 23 > 46906 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1 TSval=94364 TSecr=283731
  3   0.002402 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TCP 86 46906 > 23 [ACK] Seq=1 Ack=1 Win=28800 Len=0 TSval=283732 TSecr=94364

The 3 packets above represent the typical TCP 3-way handshake. Nothing here is different from what we would have seen in our IPv4 TCP 3-way handshake.

    4   0.004552 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 TELNET 113 Telnet Data ...

In packet 4 above we see the client at source "fd33:e581:65d4:0:a000:27ff:fe28:1d5" beginning its Telnet session.
   
    5   0.048954 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 TCP 86 23 > 46906 [ACK] Seq=1 Ack=28 Win=65536 Len=0 TSval=94369 TSecr=283732
Here we see the server at "fd33:e581:65d4:0:a000:27ff:fe21:1a75" responding with an ACK (Acknowledgement) to the request sent by the client.

OK, let's skip through some of the clutter and follow TCP stream 0:
   
root@securitynik:~/securitynik# tshark -r ipv6-telnet.pcap -z "follow,tcp,ascii,0" | more
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 253.51.229.129:46906
Node 1: 253.51.229.129:23
27
........... ..!.."..'.....#
21
..%........'.........
21
..%.......P..........
53
..... ..!.."..'.....'..SFUTLNTVER.SFUTLNTMODE.......#
38
Welcome to Microsoft Telnet Service

34
..'..DISPLAY.securitynik:0....'...
9

login:
password:

...... REDUCED FOR BREVITY ........

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>
1

As can be seen above, the knowledge we have from analyzing Telnet on IPv4 transfers directly to IPv6: only the network layer changed, and the session data, including the login and password prompts, is still carried in the clear. One quirk to be aware of in the follow output is the "Node 0: 253.51.229.129:46906" and "Node 1: 253.51.229.129:23" lines: 253.51.229.129 is just the first 32 bits of fd33:e581:65d4:... written as a dotted quad (0xfd = 253, 0x33 = 51, 0xe5 = 229, 0x81 = 129), so this tshark build is mislabelling the IPv6 endpoints rather than showing a different host.
