We had a number of Security On-Demand teammates attend “Hacker Summer Camp”, otherwise known as DEFCON. In an effort to help share what they learned, we are going to post a series of short articles highlighting their interests.  These topics do not always necessarily align with Security On-Demand’s primary business offerings, however they are very interesting cybersecurity topics and advancements that are significant to the global and local community, cybersecurity industry, and individual security and privacy. We hope you find them engaging, educational, and even actionable.

REVERSE ENGINEERING APPLICATION-LAYER PROTOCOLS  – Presenter: David Pearson

By Cody Bloom, Cybersecurity Operator

At Defcon, I attended David Pearson’s workshop about decrypting network packets in order to understand data leakage.  David has been involved with packet capturing for 15 years and has been doing Security R&D for his entire career.  This class covered the basics of packet creation to high-level decryption methods. The key to packet decryption is learning how to understand the different patterns in encoded/encrypted packets.

To understand how to decrypt network packets, you must first learn how they are encrypted.  There are different ways to alter plain text packets into encoded or encrypted packets.  Encoded packets are modified by using some operation to create a less readable output.  This is not actually meant for secrecy, but often times is used in such way.  An example of an encoded packet would be plain text translated to Base64.  Encrypted packets are modified by using an operation to create a “scrambled” output.  The operation must include the algorithm and a secret key.  To reverse the encryption, you must know the secret key and algorithm.

The best way to start decrypting packets is to look for long strings of patterns in the output of ASCII code). ASCII is a character encoding standard for electronic communication and is used for packet translation.  Packets generally contain several generic patterns that can be identified in the ASCII code.  For example, a list of numbers like an employee ID will appear differently than words or other characters.  This can be used to determine what type of packet you are looking at (Encoded vs Encryption).  Null bytes will also show certain patterns depending on encryption.  Once you have an idea of the method of encryption, you can copy the ASCII code into CyberChef and add the correct recipe in order to reverse the packet into plaintext and compromising the payload.  

Why is this important?  Understanding the fundamentals of packet encryption is beneficial to organizations in many ways.  From a SOC perspective, what traffic is bypassing you without your knowledge?  There might be information leaking without any warning signs.  For IT, packet capturing can be used for application inventory.  This would help the IT department process all of the software and applications used within the organization.  Furthermore, the management team can benefit the most from this because they are the ones responsible for traffic moving inside and out of the organization.  This means they should understand how it works and what they can do to protect their data.

Decrypting network packets is a tedious job and can take years to fully understand.  Not to mention one connection could contain over hundreds of packets full of encrypted information.  With the numerous amount of connections every day, this could mean hundreds of thousands of packets to filter though.  To solve this problem, automation must become the main method of filtering through packets.  With the right development in play, packet capturing could be a highly sought out service for many organizations.

Reference: DefCon Presentation 

About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.

Back to the Blog   Subscribe to the Blog

Contact Us

We're threat hunting! Send us a quick email here and we will get back to you asap.

Not readable? Change text. captcha txt

Start typing and press Enter to search