Wireshark - Malware traffic Analysis
Summary
TLDR: In this episode of 'Hack Explored,' the host delves into packet analysis using Wireshark, a vital skill for security professionals. They guide viewers through using Wireshark to analyze network traffic, focusing on identifying indicators of compromised systems, such as IP addresses and domain names. The demonstration includes filtering HTTP traffic, exporting objects, and using tools like VirusTotal to check for malware. The video concludes with tips on blocking malicious files and sites, and further learning resources are suggested for mastering network analysis.
Takeaways
- 📚 The video is an educational tutorial on packet analysis using Wireshark, a leading network traffic analyzer.
- 👨🏫 It is aimed at security professionals, including beginners, and provides step-by-step guides for mastering the tool.
- 🔍 Wireshark is popular for troubleshooting network issues and can reveal interesting events happening on a network.
- 🔑 The script explains how to collect IoCs (indicators of compromise), which are pieces of forensic data collected during analysis and can indicate compromised systems.
- 🚫 It demonstrates using IP addresses and domain names to block malicious activity detected within a network.
- 🖥️ The tutorial covers how to use Wireshark to analyze network traffic captures, either locally or from sample captures online.
- 📈 The video guides viewers on how to enhance the default view in Wireshark to make analysis easier, such as by modifying the time display format.
- 📊 It emphasizes the importance of understanding the protocols used in a traffic capture and how to filter traffic to focus on specific protocols like HTTP.
- 🔎 The script details how to add and modify columns in Wireshark to better understand the source, destination, and nature of network traffic.
- 🛠️ It shows how to export HTTP objects from a capture to find and save files that may be infected, such as executables or Java files.
- 🛡️ The tutorial suggests using VirusTotal to check the downloaded files for malware by uploading them or checking their hashes.
- 🔗 Finally, the video provides a method to identify the infected machine's hostname, IP address, and MAC address from the captured data.
Q & A
What is the main topic of the video?
-The main topic of the video is packet analysis using Wireshark, a network traffic analyzer, and its importance for security professionals.
Why is packet analysis an important skill for security professionals?
-Packet analysis is important for security professionals to troubleshoot network issues, discover events happening on a network, and collect forensics data known as IoCs (Indicators of Compromise).
What is Wireshark and how is it used in the video?
-Wireshark is a leading network traffic analyzer used in the video to demonstrate how to analyze network traffic, filter specific protocols, and collect data to investigate potential security threats.
What is an IoC (Indicator of Compromise) and how can it be used?
-An IoC is a piece of forensic data collected during analysis, such as IP addresses, domain names, and user agents, which can be used to detect and prevent attacks by identifying compromised systems.
How can an IP address be utilized in cybersecurity?
-In cybersecurity, if an IP address is detected as spreading malware, it can be immediately blocked to prevent further threats to the network.
What is the purpose of the 'protocol hierarchy' in Wireshark?
-The protocol hierarchy in Wireshark provides a summary of the protocol activity within a traffic capture, helping users understand the types of protocols used and focus on relevant sections for analysis.
How can Wireshark filters help in narrowing down the analysis?
-Wireshark filters allow users to display only the traffic of interest, such as HTTP requests, which helps in focusing the analysis on specific activities and reducing the amount of data to be examined.
What is the significance of adding custom columns in Wireshark for analysis?
-Adding custom columns in Wireshark can make the interface more meaningful and understandable by displaying specific information relevant to the analysis, such as source and destination ports, URLs, and hostnames.
How can Wireshark be used to identify and save infected files from a network traffic capture?
-Wireshark can be used to identify file downloads through HTTP requests, and the 'export objects' feature can be utilized to save the files for further analysis, such as checking for malware.
What is the role of VirusTotal in the context of the video?
-VirusTotal is used in the video to check the downloaded files for any infections by uploading the files or their hashes to determine if they are malicious.
How can the information collected from Wireshark be used to prevent future attacks?
-The information collected, such as infected file hashes and IP addresses, can be used to block malicious traffic within the network and conduct investigations on compromised systems to ensure they are cleaned and secure.
What additional resources are mentioned in the video for learning more about packet analysis and Wireshark?
-The video mentions 'Wireshark Network Analysis' by Laura Chappell as a book for learning more about packet analysis, and malware-traffic-analysis.net as a website with exercises related to traffic analysis.
Outlines
🔍 Introduction to Packet Analysis with Wireshark
The video script introduces packet analysis as a crucial skill for security professionals, focusing on the use of Wireshark, a leading network traffic analyzer. It assures beginners that step-by-step guides are available and emphasizes learning to master the tool. The script mentions the importance of packet analysis in cybersecurity for identifying network events and collecting forensic data, such as IP addresses and domain names, which can indicate compromised systems. The video demonstrates how to use Wireshark to analyze a specific packet capture from malware traffic, highlighting the tool's capabilities in local network traffic capture and analysis of sample captures available online. It also covers basic navigation in Wireshark, such as modifying the display for easier analysis and understanding the protocols involved in a traffic capture.
📚 Enhancing Wireshark Display and Filtering HTTP Traffic
This paragraph delves into customizing the Wireshark interface to enhance analysis by removing unnecessary information like packet numbers and adjusting the time display format to show date and time of network events. It discusses the use of the statistics menu to understand the types of protocols present in a traffic capture, with a focus on IP version 4 and HTTP activity, indicating web traffic. The script provides a step-by-step guide on applying filters to show only HTTP traffic and further refining the display by adding columns for source and destination ports, and the URL path of HTTP requests. This approach narrows down the analysis to relevant traffic, making it easier to identify specific activities such as file downloads.
🛠 Analyzing Malware Downloads and Collecting File Hashes
The script explains how to analyze a packet capture containing a malware download, instructing viewers on how to find and export HTTP objects, which represent downloaded files. It emphasizes the importance of identifying file types associated with malware, such as Java archives, executables, and Shockwave Flash objects, and saving them with appropriate file extensions for further analysis. The use of VirusTotal to check the files for malicious content is introduced, along with the recommendation to use file hashes for this purpose so that the files themselves never leave the organization. The paragraph also covers how to extract file hashes using a tool from NirSoft and how to use these hashes to search for malicious files on VirusTotal, identifying infected files and their respective hashes.
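A worked version of the export-and-hash step described above and in the Q&A items on Export Objects and VirusTotal (an added example, not code from the video): it parses one HTTP response the way Export Objects would, flags the content types the video calls suspicious, adds the matching extension, and produces the MD5 and SHA-256 that can be looked up on VirusTotal instead of uploading the file. The response bytes and the content-type table are constructed for this demo.

```python
"""Added example: triage HTTP objects as the Wireshark 'Export Objects'
step does, then hash them so the hash, not the file, goes to VirusTotal.
The response bytes and the content-type table are constructed for the demo."""
import hashlib

# Content types the video singles out as the usual malware carriers,
# mapped to the extension added when saving the exported object.
SUSPICIOUS_TYPES = {
    "application/java-archive": ".jar",
    "application/x-msdownload": ".exe",
    "application/x-shockwave-flash": ".swf",
    "application/pdf": ".pdf",
    "application/msword": ".doc",
}


def parse_http_response(raw: bytes):
    """Split one HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of the next response in the same
    # TCP stream are not hashed along with this object.
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of the object, the two hashes VirusTotal accepts."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage_object(raw: bytes, request_path: str) -> dict:
    """Describe one exported object: save name, type, size and hashes."""
    _, headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    ext = SUSPICIOUS_TYPES.get(ctype)
    name = request_path.split("?")[0].rsplit("/", 1)[-1] or "index"
    if ext and not name.lower().endswith(ext):
        name += ext                       # as the video renames foo -> foo.swf
    record = {"filename": name, "content_type": ctype,
              "suspicious": ext is not None, "size": len(body)}
    record.update(hash_bytes(body))
    return record


# Constructed sample: a small "download" served as Shockwave Flash,
# followed by bytes that belong to the next response in the stream.
SAMPLE_BODY = b"FWS\x08" + b"\x00" * 28          # not a real SWF
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-shockwave-flash\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_BODY + b"HTTP/1.1 200 OK\r\n"
)

if __name__ == "__main__":
    for key, value in triage_object(SAMPLE_RESPONSE, "/flash/player").items():
        print(f"{key:13}{value}")
```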
🔎 Investigating Infected Systems and Preventive Measures
The final paragraph wraps up the investigation by identifying the URL domain and IP address of the infected site, as well as the IP address, hostname, and MAC address of the infected machine, all extracted from the Wireshark analysis. It discusses the implications of the findings, such as blocking infected file hashes within a network, preventing access to malicious sites and IP addresses, and conducting further investigations on potentially compromised machines. The script concludes with recommendations for further learning, including a book by Laura Chappell, the founder of Wireshark, and a website for additional exercises in network traffic analysis. It also cautions viewers to handle packet captures containing live viruses with care, such as by using a sandbox environment.
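An added example (not from the video) of what the DHCP step above reads off Wireshark's DHCP dissector: the client hardware address and the Host Name option from a DHCP Request, cross-checked against the client-identifier option the same way the video matches the DHCP client MAC to the Ethernet source. The DHCP message, its MAC and hostname are constructed; the builder is included only so the block runs offline.

```python
"""Added example: read the host identifiers the video takes from Wireshark's
DHCP dissector (client MAC in chaddr, Host Name option 12) out of a raw
DHCP message, and cross-check them against the client identifier (option 61).
The DHCP Request below, its MAC and hostname, are constructed for the demo."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 8: "Inform"}


def build_dhcp_request(mac: bytes, hostname: str, requested_ip: str) -> bytes:
    """Assemble a minimal BOOTP/DHCP Request (UDP payload only, no L2-L4)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                      # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = (
        b"\x35\x01\x03"                                    # 53: DHCP Request
        + b"\x3d\x07\x01" + mac                            # 61: client id, type 1 + MAC
        + b"\x32\x04" + bytes(int(o) for o in requested_ip.split("."))  # 50
        + b"\x0c" + bytes([len(hostname)]) + hostname.encode()          # 12: Host Name
        + b"\xff")                                         # 255: end
    return header + DHCP_MAGIC + options


def parse_dhcp(payload: bytes) -> dict:
    """Return the fields an analyst wants: chaddr, hostname, message type."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    info = {"op": payload[0], "chaddr": payload[28:28 + hlen].hex(":"),
            "msg_type": None, "hostname": None,
            "client_id_mac": None, "requested_ip": None}
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                   # End option
            break
        if tag == 0:                     # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        i += 2 + length
        if tag == 53:
            info["msg_type"] = MSG_TYPES.get(val[0], str(val[0]))
        elif tag == 12:
            info["hostname"] = val.decode("ascii", "replace")
        elif tag == 61 and val[:1] == b"\x01":
            info["client_id_mac"] = val[1:].hex(":")
        elif tag == 50:
            info["requested_ip"] = ".".join(str(b) for b in val)
    # The video matches the DHCP client MAC against the Ethernet source;
    # here chaddr is at least checked against the client identifier.
    info["mac_consistent"] = info["client_id_mac"] in (None, info["chaddr"])
    return info


# Constructed sample: the "infected" workstation asking for its lease.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_REQUEST = build_dhcp_request(SAMPLE_MAC, "LAB-PC01", "10.0.0.25")

if __name__ == "__main__":
    for key, value in parse_dhcp(SAMPLE_REQUEST).items():
        print(f"{key:15}{value}")
```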
Keywords
💡Packet Analysis
💡Wireshark
💡IoCs (Indicators of Compromise)
💡Malware
💡HTTP Traffic
💡File Hashes
💡VirusTotal
💡DHCP
💡IP Address
💡MAC Address
💡Sandbox
Highlights
Introduction to packet analysis as an essential skill for security professionals.
Using Wireshark, the world's leading network traffic analyzer, for mastering packet analysis.
Availability of step-by-step guides for beginners in Wireshark.
Wireshark's role in troubleshooting network issues and discovering security events.
Collection of IoCs, indicators of compromise, during network analysis.
Utilizing IP addresses and domain names to block malware spread in a network.
Demonstration of analyzing specific IoCs from a network traffic capture.
Explanation of Wireshark's capabilities for local capture and analysis of sample packet captures.
Customization of Wireshark's display for easier analysis by removing unwanted features.
Using the protocol hierarchy in Wireshark to understand traffic protocols.
Filtering HTTP traffic in Wireshark to focus on web-related activities.
Adding custom columns in Wireshark for a clearer analysis interface.
Identifying file downloads in a packet capture and exporting them for further analysis.
Using VirusTotal to check downloaded files for malicious content.
Extracting file hashes for security analysis using tools like HashCalc.
Investigating the source of infection by identifying URLs and IP addresses.
Determining the hostname and MAC address of the infected machine using DHCP analysis.
Preventative measures such as blocking file hashes and IP addresses within a network.
Recommendation of resources for further learning on network analysis and Wireshark.
Emphasis on the importance of running packet captures in a sandbox environment for safety.
Transcripts
Hi guys, welcome to Hack Explored. In this episode we'll be talking about packet analysis, which is an important skill that a security professional should master, and we'll be using the world's leading network traffic analyzer, Wireshark. So if you're a beginner don't worry, there's a lot of step-by-step guides over here and along the way we'll be learning a lot how to master this tool. So continue watching, and welcome to my channel and to malware traffic analysis with Wireshark.

Wireshark is a popular tool for troubleshooting network issues, but in cybersecurity you can discover many interesting events that are happening on a network. For example we can collect a lot of IoCs, which are known as indicators of compromise. IoCs, simply explained, these are pieces of forensics data that we collect during your analysis, for example IP addresses, domain names, user agents and all the rest of the things that are here, which can be some of the IoCs that can be collected during a cyber investigation. How can we use the IP address? If an IP address is detected as spreading malware to our network we can immediately block it. Same thing goes for a domain name. Collection of IoCs will help an organization to detect and prevent attacks. In this demonstration we'll be looking at some specific IoCs from a network traffic capture, so let's jump into Wireshark.

Wireshark can be used in two ways. One is you can perform a local capture of the network traffic and analyze it, or there are a lot of sites which offer you sample packet captures for analysis. I'm using a packet capture from malware-traffic-analysis.net, I've given the link below, so I'm using one of the capture samples given by them. Click open. The basic things are you can see the source and the destination IPs which are connected, what protocols they are using, and info will provide you more information. But this default view we can enhance; we can add more features or remove some unwanted features to make our analysis easier. So the first thing I'm going to do is make the display easier to move. I won't be needing the number of packets, so I'm going to remove the packet number, and the length, I'm gonna remove that. So I'm going to do some modifications for the time. This time is in seconds; I'll be changing this view at the time display format into date and time of day, which will show you the date and time of the network event. So let's add on columns as we go on.

One of the first things that you have to do when you receive a capture like this is understand what type of protocols are used inside this traffic capture. For example, if you go to the Statistics menu, which we'll be using a lot to get summarized information, the first thing that I go to is the protocol hierarchy. So this window shows a summary of what protocol activity we see. For example we see some IP version 6 traffic, IP version 4 which is 98%, so I'm interested in this section, this is where all the things are happening. Inside that also we see some TCP and UDP traffic. So UDP normally we can use to get machine related information such as DHCP and DNS requests, and here is where we can see the application level traffic. According to this graph we can see there is a lot of HTTP activity, Hypertext Transfer Protocol activity, which indicates this is something related to web traffic. If I give you an example, in this malware-traffic-analysis.net packet capture it is all about a user downloading a malware, so definitely we will be finding it in the Hypertext Transfer Protocol.

So in the normal view you can see all the protocols. Since we are interested in HTTP traffic I am going to use a filter. You can type a filter over here, or you can use this window and just right-click and apply this section as a filter. So I'm telling Wireshark to show me only the HTTP traffic. If I close this window, the HTTP traffic and all the related traffic are over here, but I'm going to filter out like this. So I'm going to use a method called http.request. So the HTTP request filter will show me only the GET and the POST requests that are made from the source to the destination. You can see we have narrowed down the search more, so you have a less number of traffic to analyze.

Now, right now, to make the interface more meaningful and more understandable I can add more columns. For example we can see a source and a destination and the request that is made, but we can see only the URL path, and this destination IP address won't be meaningful. In this second section of Wireshark you can see all the protocol layer information. I'm using the Hypertext Transfer Protocol section, and if you go inside here you can see this will contain the actual hostname. So right-click and apply this as a column. Now you can see clearly where did this source connect to. We can add some more information into the column display to make it more informative. For example when I am doing this I get the source port, and I'm going to get it from here, the source port, and I'm going to add another column called DST port. I'll make this "DST port" to make the column name short, and I'll make this "SRC port", okay, and here you can select the destination port from here, click OK. Yeah, the ports normally will show in the corner; you can drag and move them or you can also go to column preferences, and I want it right over here. So this will make my life more easy. To make it clear you can align these data to left or right according to your preferences. So now we have more information. So this is how you set up your column display in order to make your analysis more easier. So we can see the time and the source and destination ports and the sites that they are connected to. All of these data are derived from the packet data that we have right now.

As I told you, this packet capture is containing a malware download, or we can see according to the HTTP request only this machine accessed the Internet. I will see what are the questions that we are looking into. So we all want to find the infected file downloaded and their hashes. I'm going in this order, I'm going to answer all of these questions. So first we will see how to find the infected files that are downloaded. You can see all the file requests from here, but if you want to get the actual file you need to go to File and this option called Export Objects, and you can see all the HTTP objects which were downloaded in this packet capture. There's a lot of content types; I'll sort them out. You can see application, image, HTML, JavaScript. When you're looking for malware the tag that you use is content type, and the application type over here. There are three different categories of applications: you download a Java file, an x-msdownload which could be an .exe or executable Microsoft download, and Shockwave Flash. These are the main ways an infected file can be downloaded. Other than this there could be Word files which have a macro, or direct executables; these files are the most suspicious ones. I'm going to click on the file and I'm going to click Save. Yeah, this is the Java archive; I'll add the .jar extension for this, and I'm going to take a sample of this. So this was an executable, so I'm going to save it as .exe, and this is a Shockwave object, so I'm going to save this as a .swf file. It's not only to rename this one, but I need to identify the file later; that's why I'm adding the extension for the files. But remember the application content type is the thing that you have to look for if you are looking for any malware. PDF and Microsoft Word file downloads are also suspicious.

So I'm going to open my Explorer window and go to my Wireshark investigation and go to sample download. So you can see these are the three files downloaded. Now we have to see whether these are malicious. In this situation we can use VirusTotal; we can upload the files and see if these are infected. I don't recommend uploading the files directly, because imagine this is a Microsoft Word document which is having any confidential data, and if you upload it your data is out of the organization. VirusTotal has an option where they accept the hash of the file and tell if it is malicious or not. So in this type of situation it's better to have a file ready to answer your questions. So first of all, what are the infected files and their hashes? So how do you get the hash of a file? So you have a lot of tools; one of the main tools that I love is offered by NirSoft. I'll post the link for this file in the description window. So this is a very useful tool to extract the file hashes from a given file, so we have the file name and the file hashes. So I'm going to copy the file hashes. It's very easy, all the file hashes at once. These are the ones that I should check. I'll copy the MD5 version of this, go to my notepad editor and just paste the hashes over here. So first of all we have collected the hashes which we are going to check for any virus. Good information. Let me jump into my VirusTotal window and search. See, it will accept the hash. Let's check if it is malicious. So it's infected, so this is malware, this hash is infected. Let's check for the other file and paste it over here. Hmm, that seems to be a file that is safe, but just to be safe I'll download this one. And you can see we have another infected file, which is SWF, okay, it's SWF. I'll just copy this one back again. I believe it's the jar file, yep, a Java exploit, infected Java. I'll leave this hash around, because that was also an executable which was downloaded; this could be a virus which was not yet discovered, it could be a zero-day, but we are not sure. We'll see if this source is compromised with something; we have to make sure this file also was not downloaded. Okay, that is how you use VirusTotal in these kinds of situations.

So the second question is what is the URL domain of the infected site. Let's jump back into Wireshark. We can see the application was downloaded from this particular hostname, standard trust and poverty com, okay, so I'll copy this. And what is the IP address of the infected website? Now we need the IP address of this one, so that will be available in the Internet Protocol. We can copy this value and paste it over here, right, and that was easy. What is the IP address of the infected machine? So in our case the infected machine is the source over here; I'll copy the value over here. Alright, so that was easy. The next we have to find another two things: so what is the hostname of the infected machine and the MAC address. You should go to the Ethernet layer information, so this should be the source MAC address. I'll copy the value first, so I pasted it here. I need the hostname now. Let me go into the protocol hierarchy; so there are many protocols which can be used to find the hostname. I go to Statistics and Protocol Hierarchy; here you can find a lot of naming services in the protocol, and in the UDP protocol you have NetBIOS and DHCP, which can also be used to find the MAC and host information. I'll use DHCP, the most common way to find hosts; also it's easy. You can just right-click, apply this as filter, or you can just go to DHCP which will show you all the DHCP related requests. So the hostname of this particular IP: we can see there are two requests, the Inform and the Request. So normally in the DHCP Request we should find the host information. So if you expand this Dynamic Host Configuration Protocol and if you go in you can see the client MAC address who has requested, which is the same MAC address that we found here, and if you dig in deeper you will be able to find the hostname. And this is another way: you can apply this as a column and get the hostname. Copy this, copy value, and now we have found a lot of information related to this activity.

So the first part, infected file hashes, can be blocked inside our network using our antivirus. So if they see this file hash you can easily tell the antivirus to detect the virus and delete it. We can block access to these sites and IP addresses, and we can make an investigation on this PC to see if it is infected and make sure the malware is cleaned. So this is how we carry out a Wireshark investigation. So if you want to learn more about this type of investigations you can always refer to Wireshark 101: Essential Skills for Network Analysis by Laura. So this book will help you with a lot of tips and tricks on using Wireshark. So this is from the founder and the creator of Wireshark. So that's information for you, and again if you want to learn more go to malware-traffic-analysis.net which will have a lot of exercises related to traffic analysis. So there are a lot of latest things; just download a copy. Make sure you run these on a sandbox, because these have live viruses inside these packet captures, so make sure you are careful when you're handling these things. If you enjoyed this video please give a thumbs up and please don't forget to subscribe, and I hope to bring you more videos like this in the future. Thank you for watching.