Wireshark - Lesson 1: The basics

Hi everybody,

welcome to this lesson, where I explain the basics of the software called: Wireshark. The Wireshark is a open-source sniffer or packet analyzer, that allows you to capture the packets pass on network but without sending any packet from the source. This method is called: promiscuous mode. In fact Wireshark is focused own on this concept that is: capture packets leaving any trace. The Wireshark can capture all things that pass on network (sometimes in fact you can probably capture packet from switch flooding, then from the vulnerability of switch). So, now that we clear this concept, launch Wireshark! The first time you run it, you find in front of this window:

This window is the main window where we can choose the interfaces to be analyzed. In figure I have nflog, nfqueue, dbus-system, enp9s0 (that is: ethernet card), any. For analyze the network packets we must click to: enp9s0 interface. Once this is done we see a window similar to this:

Welcome (tatan!) in the Wireshark capture window, are you happy? So, begin to know the windows and single functions. The Wireshark is powerful software of network analysis traffic and he looks to the bone a single network packet. But one thing at a time, start by the main toolbar, here we can find the options or choices that allows analyze the packet or save the captured packets and also other. The second toolbar, is dedicated to other function that we'll see hereafter. The filter option is enter some filters during the analysis. For example: if I want reduce the protocols and see only TCP packets on the packet list pane I enter in the text box the TCP, and as if by magic voilà the TCP packets are shown! But as mentioned earlier: one thing at a time. Now the next step is study the 'Packet List Pane' and 'Detail List Pane'.

• PACKET LIST PANE

The 'Packet List' pane is the window that show the packets captured during the analysis. The figure below depicts the 'Packet List' pane:

Here this window has seven columns that each has its own specific role. Let's see better:

No. The number of the packet in the capture file. This number don't change because is a sequence of packet captured in that moment.
Time: Time is timestamp of the packet.
Source: The address where this packet is coming from.
Destination: The address where this packet is going to.
Protocol: The protocol name in a short (perhaps abbreviated) version.
Info: Additional information about the packet content.

Bye,

Tefnut.

Windows Registry fundamentals - Lesson 1

Hello everyone,

welcome to this lesson where we're going to explore the fundamentals of Windows Registry. The Microsoft Windows Registry has not changed for users that using a Windows 8, so that you can learn it without problems also that you use Windows 8. The registry in Windows operating systems has a very important role in our function. If we had a registry analyzer we could observe that all operations in Windows modify single or multiple key of registry. The registry has soul and heart of Windows, rember that for new future lessons. Well, after this little introduction, I'll say you that a registry have a hierarchical structure so represent in figure:

This figure represent other things and it's not really representing elements of registry, but the hierarchical structure is so it. The Windows Registry is as a big database, where data are stored. Data is such as: data settings, configuration files and so on. I recommend to new users of registry to work via Virtual Machine, why? Because if you damage with some modify the systems you can restore new Virtual Machine and new Windows XP or 7 or other, after various exercises on the Virtual Machine you can switch on real Microsoft Windows without a virtual world (also if I use for some operation use VirtualBox with Windows XP so if I do some damages I restore again and I try other ways. To set the points in this course we're going to see some topics of registry:

• Learn keys and fundamentals of registry and it's structure
• How we can backup a registry
• How we can create a .reg file
• How we can hacking the registry
• Configure security of Windows with the registry key and other security topics. 

The main registry keys are: 

• HKEY_CLASSES_ROOT (HKCR)
• HKEY_CURRENT_USER (HKCU)
• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)

REGISTRY STRUCTURE:

The registry structure is similar at the filesystem of Windows. In the software called: REGEDIT there are different panes, the left pane that is a list of main registry keys and their subkeys. While the right pane has a differents things, it's divided into three sections. Those three section are:

1. Name
2. Type
3. Data

Now let's see them in detail. First of all, the part 'Name' this column identify a name of key or value. Let's start with an obvious assumption that each value has a name. This name is reported here. We pass to the part 'Type' the value in addition to having a name also has a type. This type could have many values, REG_SZ is one of this. REG_SZ indicates that the variable called X contains a string value. While we can find other value called REG_DWORD. The REG_DWORD value can contains a dword value (that is 32 bit variable). Instead the column 'Data' can is null or empty or could contain a data. The Data field can be contain only value with a maximum values of 32,767 bytes also that in practice can be contain a limit of 2 KB. This for now is all, I hope that is all clear.

Bye,

Tefnut.

IP Address - IPv6 Header

Hello everybody,

welcome to this new lesson about of networking topics, today we'll cover how IPv6 packet is composed. As perhaps the majority of readers will know the IPv6 has taken hold because the IPv4 addresses are over, so that the computer scientist have decided to create the IPv6 address, and this time the address space is very large because the IPv6 address has 128 bit. Well now explain some things... the IPv6 address use the hexadecimal values so represented in figure below:

This is a structure of IPv6 address where 'X' is switched with 2001:0DB8:AC10:FE01:0000:0000:0000:0000, now see that is a long address and is boring copy when setting a net-device we can use some simple rules:

1. Zero Omitting: we can remove all zeros in address then the 0DB8 become: DB8.
2. Omitting segment zeros: The segments zeros are represented of that pile of zeros 0000:0000:0000:0000 how we can delete it? It's simple! We can delete with the omitting segment zeros. 

So that when we write an IPv6 address, we represent in this form: 

2001:DB8:AC10:FE01::

But a warning, when you use the segment omitting, you can use only one time. Now we move on header of this packet. In this packet we can found
some modifications to the header, let's see.

  

IPv6 HEADER 

The IPv6 header has this structure:

Version (4 bit): This field is 4 binary value. In this field we can find the IPv6 version, infact this field is always set to 0110.

Traffic Class (8 bit): This field is 8 binary value. This field is used for the management priority of packet. The 6 most-significant bits are used for differentiated services, which is used to classify packets while the remaining two bits are used for ECN (Explicit Congestion Notification).

Flow Label (20 bit): This field is used by the sender to identify a sequence of packets as if they were in the same flow. Supports the management of QoS, but for now this field is still in an experimental stage.

Payload Lenght (16 bit): This field instead is used for understand the lenght of packet. Then it represents the number of bytes of everything that comes after the header.

Next Header (8 bit): This field is very similar to the protocol field of the IPv4 header, which uses the same values. Because this field is used for understand the type of header follows the basic IPv6 header.

Hop Limit (8 bit): This field deals of the TTL jumps. Let me explain better the limit of jumps allowed. This field is decremented to 1 each time that the packet passes by a router when it reaches zero is discarded (deleted).

Source Address (128 bit): This field is source address or sender of a letter.

Destination Address (128 bit): This field is destination address or receiver of a letter. 

Bye,

Tefnut.