moth/packages/net-re/6/index.mdwn

More Application Protocols
==========================

Several popular application-layer protocols are what's referred to as
“binary protocols”, meaning their communications are not easily readable
by humans.  They are still readable, though, if you know how to read
them.


Secure Shell (SSH)
------------------

Although SSH is a binary protocol, the first message sent by both client
and server is typically an ASCII banner announcing the version:

    S: SSH-1.99-OpenSSH_5.1p1 Debian-5
    C: SSH-2.0-OpenSSH_3.9p1

In SSH, the server speaks first.


Transport Layer Security (TLS)
------------------------------

TLS (formerly known as Secure Sockets Layer or SSL) is a protocol for
encrypting communications over TCP.  While the contents of an SSL
session are encrypted, we can at least identify it as such by looking at
the beginning few bytes:

<dl>
<dt>Hex</dt>
<dd><code>C: <b>16</b> <i>03 01</i> 00 8a 01 00 01 00 00 86 <i>03
01</i>…</code><br/>
<code>S: <b>16</b> <i>03 01</i> 00 4a 02 00 00 46 <i>03
01</i>…</code></dd>
<dt>ASCII</dt>
<dd><code>C: <b>^V</b><i>^C^A</i>^@\e212^A^@^A^@^@\e206<i>^C^A</i>…</code><br/>
<code>S: <b>^V</b><i>^C^A</i>^@\e112^B^@^@\e106<i>^C^A</i>…</code></dd>
</dl>

The primary indicator of SSL is that both sides of the conversation send
hex value 0x16 (`^V`) as their first byte.  A secondary indicator is a
repeated version number (0x03 0x01).

In TLS, the client speaks first.


Domain Name Service (DNS)
-------------------------

DNS, a very frequently-occuring protocol, can be identified by the
combination of its port (53) and its typical payload.  Examples follow:

<dl>
<dt>Hex</dt>
<dd><code>3a fb <b>01 00</b> 00 01 00 00 00 00 00 00 <b>07 65 78 61 6d 70 6c
65</b> </b>03 63 6f 6d</b> 00</code></dd>
<dt>ASCII</dt>
<dd><code>H\e373<b>^A^@</b>^@^A^@^@^@^@^@^@<b>^Gexample</b><b>^Ccom^A</b>^@</code>
</dl>

The first highlighted part, with the *opcode* (1, an “A record request”,
which asks for an IP given a name), and the name to be resolved
(example.com).

The name is encoded by preceding it by a byte count, and then than many
bytes.  Breaking this name apart, we can see:

    \x07 “example”
    \x03 “com”
    \x00

The protocol is decoded by first reading in the length, then that number
of bytes.  This continues until a length of 0 is encountered.  This
method of encoding strings is very common in binary protocols.


Question
========

The following is an extract of a DNS packet.  What does this decode to?

    087768617465766572076578616d706c65036e657400
Add in puzzles Also, modularize the build. This is now a single project for all CTF packages. 2010-09-24 17:24:43 -06:00			`More Application Protocols`
			`==========================`

			`Several popular application-layer protocols are what's referred to as`
			`“binary protocols”, meaning their communications are not easily readable`
			`by humans. They are still readable, though, if you know how to read`
			`them.`


			`Secure Shell (SSH)`
			`------------------`

			`Although SSH is a binary protocol, the first message sent by both client`
			`and server is typically an ASCII banner announcing the version:`

			`S: SSH-1.99-OpenSSH_5.1p1 Debian-5`
			`C: SSH-2.0-OpenSSH_3.9p1`

			`In SSH, the server speaks first.`



			`Transport Layer Security (TLS)`
			`------------------------------`

			`TLS (formerly known as Secure Sockets Layer or SSL) is a protocol for`
			`encrypting communications over TCP. While the contents of an SSL`
			`session are encrypted, we can at least identify it as such by looking at`
			`the beginning few bytes:`

			`<dl>`
			`<dt>Hex</dt>`
			`<dd><code>C: <b>16</b> <i>03 01</i> 00 8a 01 00 01 00 00 86 <i>03`
			`01</i>…</code><br/>`
			`<code>S: <b>16</b> <i>03 01</i> 00 4a 02 00 00 46 <i>03`
			`01</i>…</code></dd>`
			`<dt>ASCII</dt>`
			`<dd><code>C: <b>^V</b><i>^C^A</i>^@\e212^A^@^A^@^@\e206<i>^C^A</i>…</code><br/>`
			`<code>S: <b>^V</b><i>^C^A</i>^@\e112^B^@^@\e106<i>^C^A</i>…</code></dd>`
			`</dl>`

			`The primary indicator of SSL is that both sides of the conversation send`
			hex value 0x16 (`^V`) as their first byte. A secondary indicator is a
			`repeated version number (0x03 0x01).`

			`In TLS, the client speaks first.`



			`Domain Name Service (DNS)`
			`-------------------------`

			`DNS, a very frequently-occuring protocol, can be identified by the`
			`combination of its port (53) and its typical payload. Examples follow:`

			`<dl>`
			`<dt>Hex</dt>`
			`<dd><code>3a fb <b>01 00</b> 00 01 00 00 00 00 00 00 <b>07 65 78 61 6d 70 6c`
			`65</b> </b>03 63 6f 6d</b> 00</code></dd>`
			`<dt>ASCII</dt>`
			`<dd><code>H\e373<b>^A^@</b>^@^A^@^@^@^@^@^@<b>^Gexample</b><b>^Ccom^A</b>^@</code>`
			`</dl>`

			`The first highlighted part, with the opcode (1, an “A record request”,`
			`which asks for an IP given a name), and the name to be resolved`
			`(example.com).`

			`The name is encoded by preceding it by a byte count, and then than many`
			`bytes. Breaking this name apart, we can see:`

			`\x07 “example”`
			`\x03 “com”`
			`\x00`

			`The protocol is decoded by first reading in the length, then that number`
			`of bytes. This continues until a length of 0 is encountered. This`
			`method of encoding strings is very common in binary protocols.`



			`Question`
			`========`

			`The following is an extract of a DNS packet. What does this decode to?`

			`087768617465766572076578616d706c65036e657400`