why tcp is being displayed if channel is SSL secured? - sql-server

I searched and found no answer for this so thought it is worth asking here.
I have made my client-server(SQL Server) connection secured.It is working fine but whenever i am checking the data packets by using netmon tool i am seeing TCP protocols also along with TLS.
If the channel is secure then i should not expect TCP.It shhoud only show TLS.
Please have a look on screenshot below :
Any comment would be appreciated.
Thanks

I couldn't find a resource better explaining it but these ones:
https://msdn.microsoft.com/en-us/library/bb879935(v=sql.110).aspx
https://technet.microsoft.com/en-us/library/bb879919(v=sql.110).aspx
implicitly try to say that whether you use only SSL or both SSL and non-SSL, the first connection will be made over the default TCP port. Afterwards, if the client requests an SSL connection, then the SSL connection will get started in addition to the default TCP.
By the way, I don't know if netmon is capable of but you can try using WireShark and looking inside those TCP packets to understand better what's going on maybe.

Related

How to distinguish between different type of packets in the same HTTPS traffic?

There's something that bothers me: I'd like to distinguish between a packet coming from Youtube and a packet coming from Wikipedia: they both travel on HTTPS and they both come from the port 443.
Since they travel on HTTPS, their payload is not understandable and I can't do a full Deep Packet Inspection: I can only look at Ethernet, IP and TCP struct headers. I may look at the IP address source of both packets and see where they actually come from, but to know if they are from Youtube or Wikipedia I should already know the IP addresses of these two sites.
What I'm trying to figure out is a way to tell from a streaming over HTTP (like Youtube does) and a simple HTML transport (Wikipedia) without investigating the payload.
Edit 1: in a Wireshark session started during a reproducing video I got tons of packets. Maybe I should start looking at the timeout between packets coming from the same address.
If you are just interested in following the data stream in Wireshark you can use the TCP stream index, filter would be something like tcp.stream == 12
The stream index starts at zero with the first stream that wireshark encounters and increments for each new stream (persistent connection).
So two different streams between the same IPs would have two different numbers. For example a video stream might be 12 and an audio stream, between the same IP addresses, might be 13.
If you started the capture before the stream was initiated you'll be able to see the original traffic setting up the SSL connection (much of this is in clear text)
You may consider looking at the server certificate. It will tell you whether it's youtube (google) or facebook.
That would give you an idea whether SSL connection is to youtube, which one is to facebook.
You can try looking at the TCP header options, but generally the traffic is encrypted for a reason... so that it wouldn't be seen by man-in-the-middle. If it were possible, it would be, by definition, a poor encryption standard. Since you have the capture and all the information known to the user agent, you are not "in-the-middle". But you will need to use the user agent info to do the decryption before you can really see inside the stream.
this link: Reverse ip, find domain names on ip address
indicates several methods.
Suggest running nslookup on the IP from within a C program.
And remembering that address/ip values can be nested within the data of the packet, it may (probably will) take some investigation of the packet data to get to the originator of the packet
Well, you have encountered a dilema. How to get the info users are interchanging with their servers when they have explicitly encrypted the information to get anonymity. The quick response is you can't. But only if you can penetrate on the SSL connection you'll get more information.
Even the SSL certificate interchanged between server and client will be of not help, as it only identifies the server (and not the virtual host you'll try behind this connecton), and more than one SSL server (with the feature known as HTTP virtual host) several servers can be listening for connections on the same port of the same address.
SSL parameters are negotiated just after connection, and virtual server is normally selected with the Host http header field of the request (see RFC-2616) but these ocurr after the SSL negotiation has been finished, so you don't have access to them.
The only thing you can do for sure is to try to identify connections for youtube by the amounts and connection patterns this kind of traffic exhibit.

Detect SSL protocol in C

I'm writing a server which is accepting incoming TCP connections and I would like to implement a simple way in C to detect if connection is SSL just inspecting few received bytes. Any help?
It is possible since the first message after the connection is established should be a "hello" message from the client. The first field in the message is the SSL/TLS version, then a timestamp follows - depending on the application layer protocol a plain client uses, this may be enough to figure out if the client connecting uses SSL/TLS or not.
See https://www.rfc-editor.org/rfc/rfc5246#section-7.4 for more details on the message structure.
Edit: here's a very similar question with an excellent answer: https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification

C check what service is running on an open port

I'm writing a port scanner in C and i want to detect what service is running on an open port and its version.I've already wrote the scanner code but now i have no idea about how to detect running service.
What can i do?
If you are determined to do it in your own code, you can connect to the port, see if you get any data on it, if nothing then send a few bytes, and check again.
Then match that against expected response.
to get an idea what you are looking for, you can connect manually to the port with telnet and poke at it. In many cases (a web server is an easy example) you must send some correctly formatted data in order to get a usable response.
nmap has done all this and much more (e.g. extensive checks such as looking for byte order and timing of arp traffic)
UPDATE: several people have mentioned well known ports, but that won't help you discover standard services running on nonstandard ports, such as ssh or http servers running on custom ports.
If server sends something first, use that to identify protocol.
If not, send something according to some protocol, such as http, and see what server sends back (valid response or error). You may need to make several attempts with different protocols, and a good order is important to minimize connection count.
Some protocols may be very hard to identify, and it is easy to make custom server with unique protocol you don't know about, or even hide real server under simple fake server of other proto such as http.
If you just want to know what the port usually is, check "well known ports" and official reserved ports.
Also check nmap source code.

send a HTTP request using raw socket and WinPcap

as part of my project, I'm trying to send IP packets that contain HTTP requests to Google. I'm using Winpcap library and VC++. Currently, I have the TCP three-way handshaing packets done, but I'm stuck on sending the actual HTTP request packet after I send the TCP ACK packet. When I capture the packets using wireshark, this packet is marked "TCP segment of a Reassembled PDU". The protocol column is 'TCP' not 'HTTP' also. What's wrong? How would I send HTTP packets in this way?
You aren't necessarily doing anything wrong.
By default, Wireshark hands the TCP data to a higher level protocol handler - in this case, one that tries to reassemble entire HTTP requests and responses. It attaches the reassembled message to the final packet in the sequence, and labels the other packets with "TCP segment of a reassembled PDU":
You can disable this reassembly feature to examine the individual packets:
Edit -> Preferences -> Protocols -> TCP
Uncheck "Allow subdissector to reassemble TCP streams"
Why are you using WinPCap to send the packets? You should be using normal sockets instead. Better, use a socket library that implements the HTTP protocol for you, such as curl, or even Microsoft's own WinInet or WinHTTP APIs.
I would highly recommend that you learn the basis of the HTTP protocol before you try this if you're planning on extending this. Mess with doing raw sockets and throwing get requests; read some source code.
However, I wouldn't really see the point of pcap. You should be able to use the Wininet library if you don't want to have to code the actual socket:Wininet lib
However, if you're wanting to code raw sockets, I would go ahead and use winsocks. The difference between HTTP and TCP is hard for some to understand; HTTP is BASED on TCP, so they are technically all in the same, TCP is used for quite literally thousands of applications. Most of the connections on your computer are TCP.
If you're trying to intercept a connection as a MITM attack with a pcap program to send an HTTP request, I would probably learn some programming in Pcap. There are numerous tutorials for this, such as this one.
PS: Look up a winsocks tutorial as it's quite hard to understand for beginners. Also, winpcap isn't supported on all systems, and it can be (in some cases) a pain to install. It would honestly be better to use winsocks to do this. Wininet has much more support, and I (don't hold me on this) believe that all of the W2K+ builds all have wininet, so for compatability (which I don't really think is a problem for you) issues I would use wininet or winsocks.
Probably you are not finishing the request with \r\n twice.
If you send the GET / HTTP/1.0\r\n string, you will not receive any packets.
You must send this string: GET / HTTP/1.0\r\n\r\n.

UDP broadcast problem

I'm trying to do something like this. There is one server , and multiple clients in the same subnet. Clients will send something to server and server will send this message back to all the other clients in the subnet. So this looks like broadcast to me. But i never could manage to do this in C.. I'd be glad if you give me an example of this.
EDIT: Well since it is UDP , reliability is not a problem. These computers are in the same network and no packet lost is possible. That program does not recieve messages from other clients. That is what I have to do. Thanks by the way.
You should not use broadcast, but rather multicast. This is used for instance by ghost and other "images disk backup" over network.
I have done it in java with a MulticastSocket sending a DatagramPacket, if you need a test...
[The contents of this post have been moved to the question.]

Resources