Malware Traffic Analysis with Wireshark - 1
Summary
TLDRThe video script guides viewers through identifying a victim machine in a network simulation. It explains the process of analyzing IP addresses, distinguishing between private and public addresses, and using packet data to deduce the infected host. The script also covers finding the hostname of the victim machine, noting the absence of NBNS data in the provided pcap file and suggesting manual methods to retrieve it. The tutorial aims to educate on network analysis techniques for detecting malware infections.
Takeaways
- đ The speaker starts by explaining the process of identifying the IP address of a 'victim machine' in a network analysis scenario.
- đĄ The 'Victim Machine' (VM) is the one that gets infected, and its IP address can be found by analyzing the most active conversations in the network statistics.
- đ To find the VM, one should look at the statistics, specifically the 'IPv4' section, and identify the IP addresses with the highest number of packets exchanged.
- đ The distinction between private and public IP addresses is crucial; the private IP is likely the victim, as it's communicating with a public IP address.
- đ€ The speaker speculates that the private IP address was in contact with a potentially malicious website, indicated by the public IP address 217.18.244.196.
- đ”ïžââïž Further investigation is done by filtering for HTTP requests to identify the source of the infection, which in this case is the machine that made the request for 'mko.exe', suspected to be malware.
- đ The victim's private IP address is identified as 10.12.x.x, based on its activity and the HTTP request analysis.
- đ„ïž The hostname of the Windows victim machine is not readily available in the provided pcap file, indicating a missing piece of data.
- đ The speaker mentions that to find the hostname, one would typically use the 'nbns' filter, but it's not present in this case due to the file's incompleteness.
- đ In a real-world scenario, it's expected that the pcap file would contain the hostname, but for this exercise, it's marked as 'not available'.
- đ ïž The speaker also discusses the importance of understanding network protocols and the structure of pcap files for comprehensive network analysis.
Q & A
What is the purpose of analyzing the IP addresses in the script?
-The purpose is to identify the victim machine in a network scenario where a machine gets infected. The analysis focuses on IP addresses with the most data transactions, indicating a likely infection point.
How does the script differentiate between private and public IP addresses?
-The script identifies 10.x.x.x as a private IP address and 217.x.x.x as a public IP address. The distinction is important for understanding the network communication context.
What is the significance of the IP address 217.18.244.196 in the script?
-This IP address is identified as a public IP address with which the private IP address has the most communication, suggesting it might be the source of the malware.
What method does the script use to find the victim host infected with malware?
-The script uses HTTP request filtering to identify the source IP address that made a request, which in this case is suspected to have downloaded the malware.
What is the role of the 'statistics' and 'conversations' in identifying the victim machine?
-These features provide insights into the network traffic and communication patterns, helping to pinpoint the machine with the most data transactions, which is likely the victim.
Why is the HTTP request important in the script's analysis?
-The HTTP request shows which machine made a request for a file, in this case 'mko.exe', which is suspected to be malware, thus identifying the victim machine.
What is the script's approach to finding the hostname of the victim machine?
-The script attempts to find the hostname through NBNS (NetBIOS Name Service) records, but notes that not all pcap files contain this information.
Why is the hostname not available in the provided pcap file?
-The hostname is not available because the pcap file was not created with the necessary NBNS data included, possibly due to oversight or limitations in the capture.
What additional step is suggested to find the hostname in a complete pcap file?
-The script suggests looking into the NBNS records, specifically the 'netbios name' and 'additional records' sections, to find the hostname of the computer.
How does the script conclude that 10.12.x.x is the victim's private IP address?
-The script concludes this based on the analysis of the most data transactions and the HTTP request made to a public IP address, indicating that the private IP address is the victim.
What is the script's final verdict on the hostname of the victim machine?
-The script's final verdict is that the hostname is 'not available' due to the lack of NBNS data in the pcap file provided.
Outlines
đ”ïžââïž Identifying the Victim Machine via IP Addresses
The speaker begins by discussing the process of identifying the victim machine in a network scenario. They mention setting up questions and providing a link in the description, which they have partially answered. The main focus is on determining the IP address of the 'Victim Machine' (VM). The speaker explains that by examining network statistics and looking at the conversations, one can identify the most active IP addresses. They highlight the importance of distinguishing between private and public IP addresses, and suggest that the private IP address (10.12.3.x) is likely the victim since it is communicating extensively with a public IP address (217.18.244.196). The speaker also describes how to use HTTP request filtering to find the victim host that was infected with malware, pointing out that the private IP address made a GET request for a file named 'mko.exe', which is suspected to be the malware.
Mindmap
Keywords
đĄIP Address
đĄVictim Machine
đĄStatistics
đĄConversations
đĄPrivate IP Address
đĄPublic IP Address
đĄPackets
đĄHTTP Request
đĄMalware
đĄNBNS
đĄHostname
Highlights
Identifying the IP address of the Windows victim machine by analyzing statistics and conversations.
Differentiating between private and public IP addresses to determine the victim machine.
Using packet analysis to find the most active IP addresses involved in data transmission.
Assuming that the private IP address with the most transactions is likely the victim.
Filtering HTTP requests to find the source IP address that requested the malware.
Identifying the victim host by analyzing the HTTP request for the malware file 'mko.exe'.
Concluding that the private IP address is the victim based on data transmission volume and HTTP request analysis.
Explaining the reasons why the private IP address is considered the victim machine.
Searching for the hostname of the Windows victim machine using NBNS filtering.
Noting the absence of NBNS data in the pcap file, requiring an alternative approach to find the hostname.
Accessing the unzipped pcap file to manually find the hostname using additional records.
Highlighting the importance of having the hostname in a real-world scenario for complete analysis.
Acknowledging the limitations of the provided pcap file in containing all necessary data for the exercise.
Providing a workaround for the missing hostname data by using the unzipped pcap file.
Demonstrating the process of manually finding the hostname in the absence of NBNS data.
Stressing the need for complete pcap files in professional settings for accurate analysis.
Concluding the hostname as 'not available' due to the limitations of the provided pcap file.
Transcripts
00:03these are the questions i have set up
00:04i'll put in the link of the description
00:06i already answered a little bit because
00:08i don't know why to be honest but
00:11i just i just felt like it but don't
00:13worry about it so let's let's click the
00:15x button
00:16all right now comes the good part let's
00:18start
00:20all right we're going to be answering
00:21some questions
00:23uh based off like what happened and
00:25these are the first questions we usually
00:27ask even in the website they usually
00:28post these questions so let's see
00:31what is the ip address of the windows
00:34victor machine vm stands for victim
00:36machine that gets infected
00:38so how the hell do we like start like
00:41this is confusing as well right
00:43so the first thing we can do is go to
00:45statistics right and go scroll down
00:47where you see conversations click on it
00:50click on so you start on ethernet click
00:51on ipv4
00:53alright we see these ip addresses over
00:55here
00:56click packets
00:58so the so the most amount of like data
01:01that is sent between computers
01:03are like the ones that are talking the
01:04most right so basically 10
01:06and 217 those ip addresses are talking
01:09the most and they're sending the most
01:10data that's what packets are there for
01:12that's the highest amount
01:14so for this part you got to know the
01:15difference between private ip address
01:17and public if you don't then
01:19yeah you're kind of you're going to
01:20struggle with this
01:21but 10 is a pub like ipaddress and 217
01:24is public so these two are talking like
01:27crazy
01:28so i'm guessing that someone with the
01:30private ip address was talking to a
01:33a bad website which is 217.18.244.196.
01:38they were making the most transactions
01:40so i'm going to drill down on this
01:42even more by going to uh
01:44http
01:46by filtering for http
01:48request
01:52yeah so this is another way to find the
01:54victim
01:56uh host that was uh infected with the
01:58malware
01:59so he's the one that requested it we see
02:01source right here that's the source ip
02:03address destination that's the
02:04destination so this source
02:07uh he made a request that's what http
02:10request means for this filter it means
02:12that we want to see who requested what
02:14so basically 10.12.3.101
02:17made a get request right here in the
02:19infotab he's basically saying
02:21uh get me this file right here mko.exe
02:25right that's most likely the malware
02:28obviously because you know i put in the
02:29answers so let's let's go back
02:32so from looking at the statistics going
02:34ipv4 we can conclude that the private ip
02:37address
02:38is the what you call a victim machine he
02:41is the victim
02:42so let's put that down
02:4710.12.
02:52so let's recap the reason why this guy
02:55is a victim is because first
02:57he's a private i p address and he's
02:59making a request to a public ip address
03:01and he has the most data talking between
03:04that ip address like see the most of the
03:06number of packets the second reason why
03:08he is the victim is because when we do
03:10http that request it shows that he is
03:13the only like
03:15computer that made a quest to the
03:17website and most likely he downloaded
03:19the malware
03:20so those are the uh reasons all right
03:22what is the host name of the
03:24windows
03:26victim machine that gets infected so we
03:27want to find the name of the computer
03:29what i usually do is we gotta filter
03:31this one out
03:32nbns
03:34see we don't see anything the reason why
03:35we don't see anything is because whoever
03:37made the pcap he didn't include that
03:40part of the data
03:41so we're gonna have to
03:43close and minimize this one
03:45go back
03:46and unzip the this one it's the reason
03:48why i wanted to unzip it because i want
03:50to show you what it looks like remember
03:52the password is infected all lowercase
03:55okay
03:57actually i go to 2014
04:01yeah for this i couldn't find a p cap
04:02that contained all the uh answer
04:05questions because you know it was pretty
04:06hard
04:07so
04:08what we do is
04:09we go for nbns
04:12and if you want to find the host name we
04:14go to the right you see it says right
04:15there that's the name but if you
04:17actually want to drill down scroll down
04:18to the second box right here
04:21and click netbios name minimize this
04:23with the arrow go to additional records
04:27it shows the name right here and then we
04:28go down it also shows the name right
04:30here that's how you find the hostname of
04:31the computer
04:32not all pcapp files are going to have
04:35the host name if you're doing it for
04:36practice but i'm pretty sure in a real
04:37business you're going to see the damn p
04:39cap
04:40with the name in it so that's the host
04:42name but for now i'm just saying not
04:44available not available because uh you
04:46know the guy was too lazy you know
04:48whoever made this crap all right
04:51okay
Voir Plus de Vidéos Connexes
Advanced Wireshark Network Forensics - Part 2/3
Mengenal IP Address | Network Fundamental Learning Series #8
Malware Traffic Analysis with Wireshark - 2
Wireshark - Malware traffic Analysis
Network Traffic Anomaly Detection Using Machine Learning
Applying Subnet Networks to Network Devices - CCNA 2: Day 2
5.0 / 5 (0 votes)
