Advanced Wireshark Network Forensics - Part 3/3
Summary
TLDR: This script details a network security analysis of a denial-of-service attack on an FTP server. The investigation uncovers an ARP scan, port scanning, and a brute-force attack resulting in unauthorized file access. The presenter guides through packet analysis techniques, using tools to filter and identify malicious activities, ultimately carving out and examining the downloaded file. The session concludes with resources for further learning in network security and forensics.
Takeaways
- 🔍 The script describes a network security analysis scenario involving a denial-of-service attack on an FTP server.
- 📍 The attacker's IP address is identified as 192.168.56.101, and the FTP server's address is 56.1 on the same subnet.
- 🕵️♂️ The analysis aims to determine the cause of the FTP traffic spike and events leading to the server going offline, including file transfers and user account compromises.
- 📝 Documentation of goals, steps, and results is emphasized as a crucial part of the analysis process.
- 🔎 The capture file is filtered to show only two IP addresses, indicating a focus on the attacker and the FTP server.
- 🌐 An ARP scan is detected, suggesting the attacker was mapping the network to find the FTP server.
- 🔑 A port scan reveals open ports 21, 445, 139, 135, and unregistered high-number ports, which might be related to Microsoft NetBIOS.
- 🚀 The script details a brute-force attack on the FTP server, with the attacker successfully logging in using the 'anon anon' credentials.
- 📁 The attacker downloaded a file named 'why we can't have nice cat.PNG', which was carved out of the network traffic for further analysis.
- 🔑 The file's hash was taken to ensure integrity and to compare against the original file on the server.
- 📚 The presenter recommends resources for learning more about network security, including forensicscontest.com, honeynet.org, and malware-traffic-analysis.net.
Q & A
What type of attack was reported against the FTP server?
- A denial-of-service attack was reported against the FTP server.
What was the IP address of the attacker?
- The IP address of the attacker was 192.168.56.101.
What was the IP address of the FTP server that was attacked?
- The IP address of the FTP server that was attacked was 56.1 (on the same 192.168.56.0 subnet).
What was the purpose of the ARP scan mentioned in the script?
- The ARP scan was used by the attacker to discover the IP address of the FTP server and potentially other devices on the network.
How many IP addresses were visible in the capture file according to the statistics?
- Only two IP addresses were visible in the capture file: the attacker's address and the FTP server's address.
What ports were found open by the attacker during the port scan of the FTP server?
- The attacker found ports 21, 445, 139, and 135 open during the port scan.
What is the FTP response code that indicates a successful login?
- FTP response code 230 indicates a successful login.
What file did the attacker download from the FTP server?
- The attacker downloaded a file named 'why we can't have nice cat.PNG'.
What method was used to verify the integrity of the downloaded file?
- The file was carved out of the network bytes and its hash was taken to compare it with the hash of the original file on the server.
What resources were recommended in the script for further learning in network security?
- Resources recommended include forensicscontest.com, honeynet.org, malware-traffic-analysis.net, and books such as 'Practical Packet Analysis' and 'Network Forensics: Tracking Hackers through Cyberspace'.
What is the significance of the file signature in the context of the script?
- The file signature, such as 'PNG' in the case of the image file, helps in identifying the type of file that was downloaded by the attacker and ensures it matches the expected file format.
Outlines
🛡️ Investigating a Denial-of-Service Attack on FTP Server
The script begins with an examination of a denial-of-service attack on an FTP server, with a focus on understanding the cause of a spike in FTP traffic prior to the server going offline. The investigation includes identifying the attacker's IP address and the FTP server's address, and aims to determine whether files were transferred or user accounts compromised. The process involves documenting goals, analyzing the pcap file, and looking for indicators of compromise. The script describes the initial steps of the analysis, including filtering ARP traffic to identify network devices and conducting a port scan to find open ports, which in this case were ports 21, 445, 139, and 135. The analysis also notes the presence of unregistered high-number ports, suggesting potential NetBIOS traffic.
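The open-port step above, as an added example that is not code from the workshop: it recovers the open-port list from the server's SYN/ACK replies (what the video does with a SYN/ACK display filter) and sets aside SYN/ACKs that appear in later TCP streams, which the presenter notes belong to traffic after the scan. The packet records and stream numbers are constructed; the addresses follow the page's 192.168.56.0 subnet (scanner .101, FTP server .1).

```python
"""Added example (not from the workshop): open ports from SYN/ACK replies, split by
tcp.stream index into scan-phase hits and later connections. Records are constructed."""

SYN, ACK = 0x02, 0x10          # TCP flag bits as carried in the tcp.flags field
SERVER, SCANNER = "192.168.56.1", "192.168.56.101"

# Constructed records: (tcp.stream, src, sport, dst, dport, flags).
# Streams 0-6 are the scan (one SYN per target port, SYN/ACK only from open ports);
# streams 20+ are the later FTP logins, which also answer with SYN/ACK on port 21.
PACKETS = [
    (0, SCANNER, 40001, SERVER, 22, SYN),
    (1, SCANNER, 40002, SERVER, 21, SYN),
    (1, SERVER, 21, SCANNER, 40002, SYN | ACK),
    (2, SCANNER, 40003, SERVER, 80, SYN),
    (3, SCANNER, 40004, SERVER, 445, SYN),
    (3, SERVER, 445, SCANNER, 40004, SYN | ACK),
    (4, SCANNER, 40005, SERVER, 139, SYN),
    (4, SERVER, 139, SCANNER, 40005, SYN | ACK),
    (5, SCANNER, 40006, SERVER, 135, SYN),
    (5, SERVER, 135, SCANNER, 40006, SYN | ACK),
    (6, SCANNER, 40007, SERVER, 49152, SYN),
    (6, SERVER, 49152, SCANNER, 40007, SYN | ACK),
    (20, SCANNER, 40100, SERVER, 21, SYN),
    (20, SERVER, 21, SCANNER, 40100, SYN | ACK),
    (21, SCANNER, 40101, SERVER, 21, SYN),
    (21, SERVER, 21, SCANNER, 40101, SYN | ACK),
]


def synack_replies(packets, server):
    """Same selection as a SYN=1, ACK=1 display filter restricted to the server as source."""
    return [p for p in packets if p[1] == server and (p[5] & (SYN | ACK)) == (SYN | ACK)]


def probed_ports(packets, scanner):
    """Distinct ports the scanner sent a bare SYN to: the footprint of the scan."""
    return sorted({p[4] for p in packets if p[1] == scanner and p[5] == SYN})


def open_ports(packets, server, last_scan_stream):
    """Open ports are the source ports of SYN/ACKs inside the scan's stream range.
    SYN/ACKs in later streams are new connections (here the FTP logins), not scan hits."""
    return sorted({p[2] for p in synack_replies(packets, server) if p[0] <= last_scan_stream})


def later_synack_streams(packets, server, last_scan_stream):
    """Streams the video says to set aside for now: SYN/ACKs seen after the scan ended."""
    return sorted({p[0] for p in synack_replies(packets, server) if p[0] > last_scan_stream})


if __name__ == "__main__":
    print("probed:", probed_ports(PACKETS, SCANNER))
    print("open during scan:", open_ports(PACKETS, SERVER, last_scan_stream=6))
    print("later SYN/ACK streams:", later_synack_streams(PACKETS, SERVER, 6))
```

The 49152 entry stands in for the unregistered high ports the video mentions; the stream cutoff (6 here) is whatever stream index the scan ends at in the capture being analyzed.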
🔒 Analyzing FTP Traffic and Identifying a Brute-Force Attack
This paragraph delves into the FTP traffic on port 21, revealing a significant volume of traffic that appears to be part of a brute-force attack, with numerous login attempts. The script details the process of identifying successful login attempts by filtering for FTP response code 230, which indicates a successful login. It is discovered that the attacker logged in using the 'anon anon' credentials and downloaded a file named 'why we can't have nice cat.PNG'. The file is carved out of the network traffic, and its hash is taken for integrity checking. The script also discusses the importance of filtering packets and conversations when analyzing pcap files and provides a method for quickly identifying downloaded files by their size in the conversations list.
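The FTP triage described above, as an added example that is not code from the workshop: it walks a followed control stream for the 530 failures of the brute force, the 230 reply and the credentials it accepted, and the RETR with the size the server reports, then checks the carved bytes by PNG signature, size and hash. The session text, the "(N bytes)" reply format and the carved bytes are constructed sample data.

```python
"""Added example (not from the workshop): FTP control-stream triage plus carved-file
checks. SAMPLE_STREAM and CARVED_FILE are constructed stand-ins for the capture."""
import hashlib
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                # first 8 bytes of every PNG file
SIZE_RE = re.compile(r"\((\d+) bytes\)")         # "(N bytes)" as in the sample 150 reply

SAMPLE_STREAM = """\
C: USER admin
S: 331 Password required
C: PASS letmein
S: 530 Login incorrect.
C: USER admin
S: 331 Password required
C: PASS password1
S: 530 Login incorrect.
C: USER anon
S: 331 Password required
C: PASS anon
S: 230 Login successful.
C: CWD images
S: 250 Directory successfully changed.
C: RETR why we can't have nice cat.PNG
S: 150 Opening BINARY mode data connection for why we can't have nice cat.PNG (73 bytes).
S: 226 Transfer complete.
"""
CARVED_FILE = PNG_MAGIC + b"\x00" * 65   # constructed stand-in for the carved data stream

def triage_ftp_stream(stream):
    """Pair each USER/PASS with the reply code that follows, and each RETR with its 150."""
    failed, successes, downloads = 0, [], []
    user = password = pending_retr = None
    for line in stream.splitlines():
        side, _, body = line.partition(": ")
        if side == "C":
            verb, _, arg = body.partition(" ")
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                password = arg
            elif verb == "RETR":
                pending_retr = arg          # file names may contain spaces
            continue
        code = body[:3]
        if code == "530":
            failed += 1
        elif code == "230":
            successes.append((user, password))
        elif code == "150" and pending_retr:
            m = SIZE_RE.search(body)
            downloads.append((pending_retr, int(m.group(1)) if m else None))
            pending_retr = None
    return {"failed_logins": failed, "successful_logins": successes, "downloads": downloads}

def verify_carved_file(data, reported_size):
    """Signature, size against the server's 150 reply, and a hash to compare with the original."""
    return {"is_png": data.startswith(PNG_MAGIC), "size_matches": len(data) == reported_size,
            "sha256": hashlib.sha256(data).hexdigest()}
```

A size that does not match the 150 reply usually means the carve picked up or dropped bytes at a stream boundary, which is worth checking before comparing hashes with the server's copy.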
📚 Resources for Network Security Enthusiasts and Recap
The final paragraph provides a recap of the findings from the investigation, which include an ARP scan, a port scan, and the discovery of a brute-force attack that led to an unauthorized file download. The attacker's activities are summarized, and resources for further learning in network security are recommended. These include forensics contest websites, books like 'Practical Packet Analysis' and 'Network Forensics: Tracking Hackers through Cyberspace', and NIST publication 800-86 for integrating forensic techniques into incident response. The script concludes by inviting feedback and suggestions for future topics, and encourages viewers to like, subscribe, and check out the provided links.
Keywords
💡Denial-of-Service (DoS) Attack
💡FTP Server
💡Traffic Spikes
💡ARP Scan
💡Port Scan
💡FTP Traffic
💡Brute-Force Attack
💡FTP Response Code 230
💡Packet Capture (PCAP)
💡File Carving
💡Hash
Highlights
A denial-of-service attack was reported against an FTP server with IP 192.168.1.
FTP traffic spikes were observed prior to the server going offline.
The attacker's IP address was identified as 192.168.56.101.
An abstract goal was set to determine the cause of the FTP traffic spike and events leading to the server's offline status.
A methodology was proposed to document goals, steps, and results for analyzing the pcap file.
ARP scan activity was detected, indicating the attacker's reconnaissance of the network.
A third IP address, 56.100, was discovered during ARP replies, suggesting potential unknown network traffic.
Over 7,000 TCP connections were made between the two known IP addresses.
Port scanning revealed open ports 21, 445, 139, and 135 on the FTP server.
A brute-force attack was conducted on the FTP server, evidenced by multiple login attempts.
FTP response code 230 indicated a successful login by the attacker.
The attacker downloaded a file named 'why we can't have nice cat.PNG' using anonymous credentials.
The file 'why we can't have nice cat.PNG' was carved out of the network traffic for further analysis.
The file's hash was taken for integrity checks against the original file on the server.
Resources for further learning in network security were recommended, including forensicscontest.com, honeynet.org, and malware-traffic-analysis.net.
Books such as 'Practical Packet Analysis' and 'Network Forensics: Tracking Hackers through Cyberspace' were suggested for deeper understanding.
NIST publication 800-86 was highlighted as a guide for integrating forensic techniques into incident response processes.
The importance of using file signature databases for identifying file types was emphasized.
Transcripts
Okay, let's look at scenario two. It looks like there was a denial-of-service attack that was reported against our FTP server 192.168.1, and it also seems like there were some FTP traffic spikes that were seen prior to the FTP server being taken offline. So what do we know? We know the address of the attacker, 192.168.56.101, and the address of the FTP server, 56.1. But what are we trying to figure out? This one's a little bit more abstract, so generally what we want to find out is what caused the spike in the FTP traffic and what events took place prior to the FTP server being taken offline: were any files transferred, were any user accounts compromised, things like that. So let's take a look.

Before we get started, we always want to make sure that we document our goals, steps and results. In this scenario our goals are a little bit more abstract and will depend on what we find in the pcap; in the meantime we at least know what types of things we're looking for: indicators of compromise. So let's start with what happened before, during and after the attack on the FTP server. In this case we want to know what led up to the attack, what types of attacks the attacker performed, whether they were able to get in, and what they found.

Okay, so now that we have our goals written down, let's open the pcap. Whoa, that's a lot of ARP frames being sent. Looking at the info column we can see that most of these are ARP requests, and the IP address is going up for each request. This looks like an ARP scan being sent off by 56.101, the attacker address. It might be a little crazy to sort through all the requests here, so first let's take a look at how many conversations are within the capture file to begin with, so that we see exactly how many IP addresses are in this. We can do that by going to Statistics and then Conversations. Looking at the IPv4 tab, the only IPs that we see are our 56.1 and .101 addresses that we were already aware of. That's good; it means that this capture file was already filtered down for us. Glancing over at our TCP tab we can also see over 7,000 TCP connections were made just between these two addresses. We're not gonna find anything interesting in there right away, so let's make a mental note of that and move on.

Now, we already know that this capture file only has two IP addresses, but even with that we want to look through the attack traffic and try to find out what the attacker was able to see on our network. Let's look at the ARP scans again. ARP scans work by sending out a bunch of ARP requests throughout the network; the idea is that when another device on the network receives an ARP request it will send an ARP reply. So let's filter this down to show only the ARP replies. Okay, cool, we have the 56.1 and .101 that we expected, but there's a third address, .100. We don't have any information on it, so it's possible there was no communication from the attacker at all, or it could have been filtered out from the capture. Either way, let's make a note of this and move on. At this point we're done with the ARP traffic, so let's filter that out.

Now we're starting to see a flood of packets coming from our attacker, and based on the changing port numbers this is pretty obviously a network port scan. So it looks like we're gonna have to do the same thing again. From here, how can we figure out what open ports the attacker was able to find in their scan of the system? Well, we already know that when we send out a SYN we expect to see a SYN/ACK returned, so let's filter by packets with the SYN/ACK flags set. And just like that we were able to see the ports the attacker was able to find open: here we have port 21, 445, 139 and 135. We also have these 49000-number ports; they're unregistered ports, so it's impossible to know exactly what protocols these belong to, but with a little googling you'll see that Microsoft NetBIOS is the top hit. Either way, let's document what we have. Hmm, it looks like we still have a lot more data to come through. We know this is an FTP server, so let's eliminate the obvious and filter out port 21. With that we can separate the signal from the noise and verify that these are the only open ports the attacker was able to find, and sure enough, this is all we have. There seem to be a few more SYN/ACK flagged packets in the mix, but looking at the stream ID those aren't seen until well beyond the attacker's port scan results, which makes sense given how TCP works. You can take a look at these on your own if you would like; we will eventually get to them, but following a formal methodology doesn't just mean that you'll get the answers that you're looking for, it also means that you'll get the context of those answers. So in the meantime these can be safely ignored.

Now let's look at the FTP traffic on port 21. Okay, so this looks like the huge flood of FTP traffic we were told about. We've already seen the traffic that's part of stream 20; that was the port scan we documented earlier. But after that we start to see a lot of connection requests going straight to port 21. Let's follow one of the streams and see what we can find. Hmm, this looks like a bunch of login attempts. Let's hit the up arrow a few times and check out the other streams. You know, this definitely looks like a brute-force attack. With all these attempted logins there's probably a burning question in the back of your mind: did they get in? So how can we figure that out? Well, we can see these FTP codes like 530 Login incorrect; there has to be one for a successful login. Well, let's check. Oh, there it is: FTP response code 230. Let's put that in our filter and see what we can find. Awesome, there's only two streams, and it looks like both of them have the response 230. Let's check them out. Okay, the first one looks like it was still part of the brute-force attack: they logged in but didn't go anywhere with it. Now let's look at the second one; we can hit the down key to go to our previous filter. Ah, this one's a bit more interesting. Here we can see that they logged in with anon/anon, then they listed the directory, changed to images, listed the directory again and downloaded the file called "why we can't have nice cat.PNG", and the server is even so kind as to tell us the exact size of the file, so we definitely want to write this down. Since this is all over the network we can see the results of each command. Let's hit the up arrow a couple of times and step through the streams. Here we can see the contents of the first directory, the second directory, and then this looks like the PNG that the attacker downloaded. If we didn't know any better we could look at the first few bytes and match that to a file signature; in this case PNG files simply spell out PNG in their signature, so that makes it easy on us.

Now, something that I want to point out is that with real-world capture files it won't always be as easy as pressing the up arrow in the streams list. Sometimes the next stream or the next several streams are actually parts of other traffic. This is why you need to filter packets and list conversations as your first steps when analyzing pcap files. Another way we can quickly find a downloaded file is to look in the conversations list. We know the size of the file given by the FTP server's response, so all I need to do is find a conversation that has at least the same number of bytes; then we can filter by that and look at the stream. This is also how I tend to do a quick and dirty analysis of a packet capture to see if there are any obvious files within the pcap that can be extracted.

Okay, now that we've located the file, let's carve it out like we did in scenario one and take a hash of it. That way we can compare the hash against the hash of the original file on the server for integrity. Last step: let's go ahead and open the file so that we can see what the attacker was able to get their hands on. Well, that's disturbing. But hey, you know what, we're done. Let's hop back to the slides and review what we found.

Okay, recap: the attacker set off an ARP scan of the subnet 192.168.56.0. They were able to find the address 56.1, which was the FTP server we were looking into to begin with, and we also found this address 56.100, which we don't have any traffic for, so we couldn't really do any further analysis on it. The attacker then started a port scan against the host 56.1 and found several ports: port 21, 445, 139, 135 and so on. After the port scan the attacker set off a brute-force attack and was able to find the credentials anon/anon, and with those credentials they were able to download a file, "why we can't have nice cat.PNG". We were able to carve that file out of the network bytes, and we have a sum of the file to compare to what's on the server.

Well, that's all I have for you guys. If you managed to stick through this far I just want to say thank you. NetSec is a passion of mine and I'm just glad to have the opportunity to share this with you. Now I don't want to let you go empty-handed; here's a few resources that I used to get started and a few more that I still use to better my own skills. Some of the ones that I want to point out here are forensicscontest.com, honeynet.org and malware-traffic-analysis.net. forensicscontest.com I cannot recommend enough: this is the group that runs, or at least used to run, the DEF CON network forensics challenges. Their online puzzles start off pretty easy and then slowly build to incredibly complex challenges. Hands down the best place to start. Here next, honeynet.org, I would say are more intermediate and advanced level challenges; they'll require you to do some of the same stuff we did in here plus a little bit more malware analysis on the end. Finally, if you want a real-world challenge, check out malware-traffic-analysis.net. This blog is almost exclusively real-world attack traffic, and you're gonna really need to think outside of the box sometimes to find what you're looking for. If some light reading's more your thing, here's a few books you're gonna want to check out. Practical Packet Analysis is another great resource for beginners. Once you're finished with that, Network Forensics: Tracking Hackers through Cyberspace is a good one to bump up your skills to the next level; this one was also written by the DEF CON network forensics people. If you wanna learn how to use these techniques in your current incident response process, check out NIST publication 800-86, a guide to integrating forensic techniques. And then of course the file signature database that we used earlier, garykessler.net.

Well, again, thank you for taking the time and I hope you learned something new. If you like this workshop series, or whatever you want to call it, let me know your thoughts in the comments down below. Also let me know if there's a particular NetSec topic you'd like me to cover next; who knows, I might make a video of it. Anyways, check out the links in the description below and don't forget to like and subscribe to see more videos like this. I'll see you next time.