Home > CAPEC List > CAPEC-192: Protocol Analysis (Version 2.10)  

CAPEC-192: Protocol Analysis

Protocol Analysis
Definition in a New Window Definition in a New Window
Attack Pattern ID: 192
Abstraction: Meta
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network. Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers, such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol analysis is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications.

+ Attack Prerequisites
  • Access to a binary executable.

  • The ability to observe and interact with a communication channel between communicating processes.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Low

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: High

+ Resources Required

Depending on the type of analysis, a variety of tools might be required, such as static code and/or dynamic analysis tools. Alternatively, the effort might require debugging programs such as ollydbg, SoftICE, or disassemblers like IDA Pro. In some instances, packet sniffing or packet analyzing programs such as TCP dump or Wireshark are necessary. Lastly, specific protocol analysis might require tools such as PDB (Protocol Debug), or packet injection tools like pcap or Nemesis.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Successful deciphering of protocol information compromises the confidentiality of future sensitive communications.
Modify application data
Modifying communications after successful deciphering of protocol information compromises integrity.
+ References
[R.192.1] [REF-6] "Wikipedia". Proprietary protocol. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Proprietary_protocol>.
[R.192.2] [REF-6] "Wikipedia". Reverse engineering. The Wikimedia Foundation, Inc. <http://en.wikipedia.org/wiki/Reverse_engineering>.
+ Other Notes

There are several challenges inherent to protocol analysis depending upon the nature of the protocol being analyzed. There may also be other types of factors which complicate the process such as encryption or ad hoc obfuscation of the protocol. In general there are two kinds of networking protocols, each associated with its own challenges and analysis approaches or methodologies. Some protocols are human-readable, which is to say they are text-based protocols. Examples of these types of protocols include HTTP, SMTP, and SOAP. Additionally, application-layer protocols can be embedded or encapsulated within human-readable protocols in the data portion of the packet. Typically, human-readable protocol implementations are susceptible to automatic decoding by the appropriate tools, such as Wireshark/ethereal, tcpdump, or similar protocol sniffers or analyzers.

The presence of well-known protocol specifications in addition to easily identified protocol delimiters, such as Carriage Return or Line Feed characters (CRLF) result in text-based protocols susceptibility to direct scrutiny through manual processes. Protocol analysis against protocol implementations such as HTTP is often performed to identify idiosyncratic implementations of a protocol by a server or client. In the case of application-layer protocols which are embedded within text-based protocols, analysis techniques typically benefit from the well-known nature of the encapsulating protocols and can focus on discovering the semantic characteristics of the proprietary protocol or API, since the syntax and protocol delimiters of the underlying protocols can be readily identified.

When performing protocol analysis of machine-readable (non-text-based) protocols difficulties emerge as the protocol itself was designed to be read by computing process. Such protocols are typically composed entirely in binary with no apparent syntax, grammar, or structural boundaries. Examples of these types of protocols are IP, UDP, and TCP. Binary protocols with published specifications can be automatically decoded by protocol analyzers, but in the case of proprietary, closed-specification, binary protocols there are no immediate indicators of packet syntax such as packet boundaries, delimiters, or structure, or the presence or absence of encryption or obfuscation. In these cases there is no one technology that can extract or reveal the structure of the packet on the wire, so it is necessary to use trial and error approaches while observing application behavior based on systematic mutations introduced at the packet-level. Tools such as Protocol Debug (PDB) or other packet injection suites are often employed. In cases where the binary executable is available, protocol analysis can be augmented with static and dynamic analysis techniques.

+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2015-11-09Updated Activation_Zone, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Other_Notes, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_WeaknessesInternal
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Resources_Required, Typical_Likelihood_of_ExploitInternal
Previous Entry Names
DatePrevious Entry Name
2015-11-09Protocol Reverse Engineering

More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017