Advanced Wireshark Network Forensics - Part 2/3

00:00

let's take a look at scenario one you

00:02

can download this and the other capture

00:03

files from the github link in the

00:05

description below so in this scenario

00:07

we're being told that there's a system

00:09

on the network infested with malware for

00:12

some reason the antivirus on the

00:13

computer didn't detect it and the

00:15

malware is managed to lock up the system

00:16

we don't have access to the hard drive

00:18

but we do have a full network packet

00:21

capture of the incident and we already

00:23

know the IP of the infected host this

00:26

12.1 8 3 1.55 this gives us a good

00:31

starting point now for our goals since

00:34

we have a full packet capture of the

00:36

incident we'll want to know where the

00:37

system managed to contract the malware

00:38

from and if we can we'll want to see if

00:40

we can reassemble the network bites to

00:42

collect the malware file for further

00:44

investigation then we'll want to see

00:46

what we can find out about the malware

00:48

is activity on the system things like

00:50

what kind of calls to the internet

00:52

doesn't make and does it try to self

00:54

propagate like a worm and are there any

00:57

possible network traffic signatures that

00:59

we can use to catch other systems

01:01

potentially infected with the same piece

01:02

of malware ok we have a capture we know

01:06

what we're looking for and we have our

01:08

goals one last thing before we move on I

01:12

want to give a little disclaimer in this

01:14

scenario I will be showing you how to

01:16

carve out a live virus file I will be

01:18

doing it on my Windows PC and will need

01:20

to disable my antivirus to do so

01:22

following my steps exactly it should not

01:25

cause any problems but I recommend that

01:28

you do not do this on Windows and use a

01:30

different operating system with a

01:32

virtual machine that you can reflash

01:34

later the virus is non-destructive and

01:37

I'm not liable for any complications

01:39

that might occur so with that let's get

01:42

started

01:43

the first thing I like to do with any

01:45

new Wireshark install is to add a few

01:47

helpful columns so let's go ahead and

01:49

open our pcap file we can right-click on

01:52

one of the columns and select column

01:53

preferences from there click on the plus

01:56

sign to add two columns the first we're

01:59

gonna call stream ID and the second will

02:01

be called host set the fields to be TCP

02:04

stream and HTTP host I'd like to put the

02:09

stream ID column between protocol and

02:11

length and the host column between

02:13

length and info so when we're done it'll

02:16

look like this the other thing I like to

02:19

do when starting a new investigation is

02:21

to document what we know our goals and

02:23

the results of each goal as we go

02:25

through this since we're walking through

02:27

this together I won't write down the

02:28

steps we've taken but you'll want to

02:30

write those down as well now that we

02:32

have our Wireshark set up and our goals

02:34

written down we can start with our

02:35

analysis we begin with pattern matching

02:38

we already know the IP address of the

02:40

system we're interested in so let's

02:41

create a display filter to show us only

02:43

the traffic related to that device you

02:45

can type in IP addr for IP address

02:48

equals equals and then our victim's IP

02:52

already we see something that looks a

02:54

little suspicious now I want to point

02:57

out something really important when

02:58

investigating capture files what may be

03:00

true for one network may not be true for

03:03

another in this case a dot ru domain

03:06

name might seem like something to worry

03:07

about but it's also possible that this

03:10

is a company that does a lot of business

03:11

with other Russian companies either way

03:15

we're gonna want to check our suspicions

03:17

right click and follow TCP stream

03:22

okay there's a few things we want to

03:24

take note of here first what's something

03:26

strange that we notice about the web

03:28

request there is no user agent normally

03:32

when you use a web browser or even curl

03:34

to make a web request the browser

03:36

includes its user agent in the web

03:38

headers so not seeing a user agent here

03:41

can mean one of two things either the

03:44

user manually downloaded this virus

03:45

themselves using some sort of local

03:47

utility or there was already a piece of

03:50

malware on the system that downloaded

03:52

the rest of the virus next what kind of

03:55

file is it that's being downloaded

03:57

it's an exe executable obvious the name

04:01

is pus about exe but another way we can

04:03

tell what kind of file it is is by

04:05

looking at the first few bytes of the

04:06

file this is known as the file signature

04:10

see in Windows you need to have the

04:12

correct extension to open a file with

04:14

the right application Exe PNG do see but

04:19

with Linux you don't need that in fact

04:22

there's a Linux utility called file that

04:24

will tell you what type of file

04:25

something is and it does that by looking

04:28

at the file signatures I'll show you

04:31

where you can look up your own file

04:32

signatures in a second but first let's

04:35

write down what we have so far the file

04:37

was downloaded from this dot ru domain

04:40

with the name puska Exe and there was no

04:43

user agent in the request okay so if we

04:47

search google for a file signature

04:48

database several pop-up personally I

04:52

prefer gary kessler net since it's

04:54

updated regularly from here we can just

04:57

do a ctrl F search for MZ which was the

05:00

first two bytes of the file and we can

05:02

see here that MZ is a file signature for

05:04

a number of Microsoft file types

05:06

including Exe executables and DLL

05:09

libraries so now that we have the bytes

05:12

of the file how can we pull this out

05:14

with Wireshark well first we want to

05:17

change the traffic we're looking at to

05:18

only include the communication coming

05:20

from the server to the client we can do

05:23

that in the bottom left corner here then

05:25

we'll want to show the raw bytes instead

05:27

of their ASCII form finally just save

05:30

the file now remember this is a live

05:33

virus and since I'm using Windows I

05:35

don't

05:36

save it as a dot exe file I'm also gonna

05:38

save this file twice as dump one and

05:41

dump two you don't have to do this but

05:44

you'll see why in a moment we're not

05:47

done yet

05:48

to get the original file we need to

05:49

strip off any and all protocol headers

05:51

and footers in this case we only have

05:54

the HTTP headers to deal with open the

05:57

file in a hex editor now the way HTTP

06:01

headers work is that they let you know

06:03

where the headers end and the data

06:05

starts by this 0d 0a 0d 0a so just

06:10

delete that and everything above it when

06:13

we're done the file will start with MZ

06:14

the first few bites of our file

06:16

signature see this is why I saved the

06:20

file twice when I tried to reconstruct

06:22

the original virus my antivirus

06:24

recognized it and put it in quarantine

06:26

so here I'm gonna go ahead and disable

06:29

my antivirus and try it again I'm only

06:32

using Windows Defender so all I need to

06:34

do is open my security settings virus

06:36

and threat protection then turn off real

06:38

time protection this little video glitch

06:41

is from it asking me for privileged

06:43

permissions so don't worry about that ok

06:47

with the antivirus now disabled let's go

06:49

ahead and try it again

06:55

and success immediately after carving

06:59

out any file in this investigation

07:01

you'll want to get a hash of the file it

07:03

doesn't matter too much of its md5 or

07:05

shot 256 since the likelihood of a

07:08

collision is pretty much zero but you'll

07:10

want to make sure that you get the hash

07:12

value so that your process is repeatable

07:14

and so that the carved out file and the

07:16

original file can be matched together

07:18

for example if you're following along

07:21

and managed to get different hash values

07:23

that means that the file was carved out

07:25

wrong and you should try it again

07:26

don't worry it happens from time to time

07:29

but this just illustrates why it's so

07:31

important to collect the right hash

07:32

values okay now to send the file for

07:36

analysis if you're capable you can

07:38

analyze the file yourself or we can do

07:41

my preferred method and upload it to

07:43

virustotal

07:44

I love virustotal it's just a great

07:47

website from our research here we have

07:49

the sha-256 hash the original name pasta

07:52

Exe remember we didn't give it that name

07:55

they already knew it and elicited

07:57

details about the virus itself there's

07:59

also a list of antivirus vendors where

08:02

they note which AV can and cannot detect

08:04

the virus remember in our scenario where

08:08

the antivirus wasn't able to detect it

08:10

it might be on this list with a green

08:12

checkmark and maybe we should

08:13

re-evaluate our AV solution

08:15

just a thought okay so we were able to

08:19

collect and analyze the malware file

08:21

let's take a look at what kind of

08:22

network traffic it generates we can

08:25

filter out the virus download by

08:26

filtering out TCP stream 5

08:29

and here we can see a lot of DNS traffic

08:32

to what seems to be somewhat randomly

08:35

generated domain names if we scroll down

08:38

a little we can start to see quite a few

08:40

syn packets being sent before we reach

08:42

our first syn ACK that usually means

08:45

that they were all sent out in a short

08:46

amount of time if we kept scrolling down

08:49

we would start to see connections that

08:51

were being established and then closed

08:53

immediately if you're new to malware

08:56

traffic this is pretty standard form for

08:58

botnet persistence the virus comes with

09:00

a pre-loaded list of domains or with a

09:02

built-in way to generate domain names it

09:05

then tries to reach out to each of the

09:06

domain names in the list to see what's

09:08

available and online that way if some of

09:11

the domains in the list are blocked or

09:13

shut down it still has a way to call

09:15

home let's look at one of the packets to

09:18

see what TCP port it's trying to

09:20

communicate on ok port 80 so most likely

09:24

web traffic now if we wanted to see

09:27

which of these domains it connected to

09:29

and stayed connected to it's very likely

09:32

that it would be using HTTP web traffic

09:34

so let's check the hosts headers ad and

09:38

and HTTP host to our filter and we can

09:42

see that most of the communication

09:44

happens with this

09:45

wham-o Jeff desi comm domain let's

09:50

follow one of the streams and see what

09:52

kind of traffic we have

09:55

yep this looks like a normal webpage

09:58

might have redirected the user to their

10:00

site to buy a fake antivirus says here

10:03

Windows 7 total security let's make a

10:07

note of what we found we saw that we now

10:09

have a list of domain names that we can

10:11

add to our blacklist we also noticed a

10:13

spike of DNS traffic followed by a spike

10:16

in port 80 traffic okay we're almost

10:19

done the last thing we want to know is

10:22

if the virus tries to self propagate

10:24

over the network like a worm so what do

10:27

we look for well if the virus tries to

10:30

reach out to other devices on the

10:32

network it might try to follow RFC 1918

10:34

and look for private IP addresses

10:36

there's also a chance that it takes the

10:39

IP address of the infected machine and

10:40

tries to reach out to other devices on

10:43

that network as well if you're not

10:45

familiar RFC 1918 is the standard for

10:48

private IP addressing this is where we

10:50

get the $10 the 192 168 and 172 dot 16

10:56

networks these are all well known

10:58

addresses and they're sometimes reached

11:00

out to by computer worms we're also

11:03

going to want to check the 12 networks

11:05

with a / 8 subnet because it's at least

11:07

a Class A address so we're gonna build

11:11

one large filter and you're gonna want

11:14

to be careful doing this since the

11:16

larger the filter the trickier it can be

11:18

we want to include the source IP address

11:21

of 12.1 83 155 and the list of the

11:27

following addresses 192.168.0.0 / 16 172

11:35

dot 16 dot 0 dot 0 / 12 10.0.0.0

11:41

/ 8 and 12.000 / 8 again since 12 dot is

11:51

a Class A address we're gonna use these

11:54

double pipes instead of the double ands

11:56

since we're only need one of these to

11:58

show up in our filter and we want to

12:00

make sure that we wrap it with a

12:01

parenthesis for the proper boolean logic

12:03

with the and earlier okay let's stir

12:07

this into Wireshark

12:09

you might see these ICMP destination

12:12

unreachable messages this is actually a

12:14

bug in the Wireshark filters where it

12:16

thinks that the ICMP messages are

12:18

sourced and destined for the same

12:20

address these are quick to look through

12:23

and we can easily sort them out by just

12:25

adding no ICMP to the end of our filter

12:28

at this point it doesn't look like there

12:30

are any attempts from the virus to try

12:32

and connect to other internal systems so

12:34

let's write this down and that's it

12:37

awesome so now we're done let's hop back

12:40

to the slides and review what we found

12:44

okay

12:45

let's revisit what we found where did

12:47

the user contract the malware from well

12:49

the user made a direct call to the

12:51

executable therefore the user either

12:52

deliberately downloaded the malware or

12:54

there was a piece of malware sleeping on

12:56

the system how about the malware file

13:00

well we were able to get that carved out

13:02

we have the md5 and the sha-256 hashes

13:04

of these files we were able to analyze

13:06

them through virustotal

13:08

so here are some results taking

13:11

screenshots of the virus total output so

13:14

here we have a list of antivirus that

13:15

was able to detect the virus and here's

13:18

a list of those that weren't so what

13:22

kind of calls did it make well we saw a

13:24

large number of DNS queries to a number

13:26

of what seemed like randomly generated

13:28

domain names and we also saw a lot of

13:30

HTTP communication for websites located

13:33

on a few of these domains did it try to

13:37

self propagate no we didn't find any

13:39

evidence that it tried to reach out to

13:41

any other internal network addresses and

13:43

as far as traffic signatures we saw a

13:45

high volume of DNS queries within a

13:47

short amount of time so that's

13:49

definitely something to look at well

13:52

that's it for now in the next video

13:54

we're going to take a look at our second

13:55

scenario