Malware Traffic Analysis with Wireshark - 1
Summary
TL;DR: The video script guides viewers through identifying a victim machine in a network simulation. It explains the process of analyzing IP addresses, distinguishing between private and public addresses, and using packet data to deduce the infected host. The script also covers finding the hostname of the victim machine, noting the absence of NBNS data in the provided pcap file and suggesting manual methods to retrieve it. The tutorial aims to educate on network analysis techniques for detecting malware infections.
Takeaways
- 🔍 The speaker starts by explaining the process of identifying the IP address of a 'victim machine' in a network analysis scenario.
- 💡 The 'Victim Machine' (VM) is the one that gets infected, and its IP address can be found by analyzing the most active conversations in the network statistics.
- 📈 To find the VM, one should look at the statistics, specifically the 'IPv4' section, and identify the IP addresses with the highest number of packets exchanged.
- 🌐 The distinction between private and public IP addresses is crucial; the private IP is likely the victim, as it's communicating with a public IP address.
- 🤔 The speaker speculates that the private IP address was in contact with a potentially malicious website, indicated by the public IP address 217.18.244.196.
- 🕵️♂️ Further investigation is done by filtering for HTTP requests to identify the source of the infection, which in this case is the machine that made the request for 'mko.exe', suspected to be malware.
- 📝 The victim's private IP address is identified as 10.12.x.x, based on its activity and the HTTP request analysis.
- 🖥️ The hostname of the Windows victim machine is not readily available in the provided pcap file, indicating a missing piece of data.
- 🔑 The speaker mentions that to find the hostname, one would typically use the 'nbns' filter, but it's not present in this case due to the file's incompleteness.
- 📚 In a real-world scenario, it's expected that the pcap file would contain the hostname, but for this exercise, it's marked as 'not available'.
- 🛠️ The speaker also discusses the importance of understanding network protocols and the structure of pcap files for comprehensive network analysis.
Q & A
What is the purpose of analyzing the IP addresses in the script?
- The purpose is to identify the victim machine in a network scenario where a machine gets infected. The analysis focuses on IP addresses with the most data transactions, indicating a likely infection point.
How does the script differentiate between private and public IP addresses?
- The script identifies 10.x.x.x as a private IP address and 217.x.x.x as a public IP address. The distinction is important for understanding the network communication context.
What is the significance of the IP address 217.18.244.196 in the script?
- This IP address is identified as a public IP address with which the private IP address has the most communication, suggesting it might be the source of the malware.
What method does the script use to find the victim host infected with malware?
- The script uses HTTP request filtering to identify the source IP address that made a request, which in this case is suspected to have downloaded the malware.
What is the role of the 'statistics' and 'conversations' in identifying the victim machine?
- These features provide insights into the network traffic and communication patterns, helping to pinpoint the machine with the most data transactions, which is likely the victim.
Why is the HTTP request important in the script's analysis?
- The HTTP request shows which machine made a request for a file, in this case 'mko.exe', which is suspected to be malware, thus identifying the victim machine.
What is the script's approach to finding the hostname of the victim machine?
- The script attempts to find the hostname through NBNS (NetBIOS Name Service) records, but notes that not all pcap files contain this information.
Why is the hostname not available in the provided pcap file?
- The hostname is not available because the pcap file was not created with the necessary NBNS data included, possibly due to oversight or limitations in the capture.
What additional step is suggested to find the hostname in a complete pcap file?
- The script suggests looking into the NBNS records, specifically the 'netbios name' and 'additional records' sections, to find the hostname of the computer.
How does the script conclude that 10.12.x.x is the victim's private IP address?
- The script concludes this based on the analysis of the most data transactions and the HTTP request made to a public IP address, indicating that the private IP address is the victim.
What is the script's final verdict on the hostname of the victim machine?
- The script's final verdict is that the hostname is 'not available' due to the lack of NBNS data in the pcap file provided.
Outlines
🕵️♂️ Identifying the Victim Machine via IP Addresses
The speaker begins by discussing the process of identifying the victim machine in a network scenario. They mention setting up questions and providing a link in the description, which they have partially answered. The main focus is on determining the IP address of the 'Victim Machine' (VM). The speaker explains that by examining network statistics and looking at the conversations, one can identify the most active IP addresses. They highlight the importance of distinguishing between private and public IP addresses, and suggest that the private IP address (10.12.3.x) is likely the victim since it is communicating extensively with a public IP address (217.18.244.196). The speaker also describes how to use HTTP request filtering to find the victim host that was infected with malware, pointing out that the private IP address made a GET request for a file named 'mko.exe', which is suspected to be the malware.
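As an added example (not code from the video or its pcap), the same three steps done programmatically on a constructed capture: find the busiest IPv4 conversation as Statistics > Conversations does, treat the private side of a private/public pair as the candidate victim, and list who sent HTTP GET requests as the http.request filter does. The two addresses and the mko.exe request are the ones the video shows; the helper names, the peer address 10.12.3.2, the ports and the filler traffic are assumptions made for the example.

```python
import struct
import ipaddress
from collections import Counter

def frame(src, dst, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (we only parse it)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed capture, not the video's pcap: the addresses and the mko.exe GET
# match what the video shows; the bulk download and LAN chatter are made up.
VICTIM, WEB, PEER = "10.12.3.101", "217.18.244.196", "10.12.3.2"
PACKETS = (
    [frame(VICTIM, WEB, 49200, 80, b"GET /mko.exe HTTP/1.1\r\n\r\n")]
    + [frame(WEB, VICTIM, 80, 49200, b"X" * 1000)] * 40
    + [frame(VICTIM, PEER, 49201, 445)] * 5
)

def parse(fb):
    """Return (src, dst, tcp_payload) for an IPv4 frame, or None if not IPv4."""
    if fb[12:14] != b"\x08\x00":
        return None
    src, dst = (str(ipaddress.ip_address(fb[i:i + 4])) for i in (26, 30))
    if fb[23] != 6:                      # not TCP: nothing to inspect
        return src, dst, b""
    tcp = 14 + (fb[14] & 0x0F) * 4       # IP header length
    return src, dst, fb[tcp + (fb[tcp + 12] >> 4) * 4:]

def top_conversation(packets):
    """Statistics > Conversations > IPv4 sorted by Packets: the busiest pair."""
    counts = Counter(frozenset(r[:2]) for r in map(parse, packets) if r)
    pair, n = counts.most_common(1)[0]
    return tuple(sorted(pair)), n

def likely_victim(pair):
    """Of a private/public pair, the private side is the candidate victim."""
    private = [ip for ip in pair if ipaddress.ip_address(ip).is_private]
    return private[0] if len(private) == 1 else None

def http_get_sources(packets):
    """Same idea as the http.request filter: which source asked for which URI."""
    return [(r[0], r[2].split(b" ")[1].decode())
            for r in map(parse, packets) if r and r[2].startswith(b"GET ")]

if __name__ == "__main__":
    pair, n = top_conversation(PACKETS)
    print(pair, n, likely_victim(pair), http_get_sources(PACKETS))
```

The packet count alone only says who talked most; the GET request is what ties the private host to the download, which is why the video uses both checks.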
Keywords
💡IP Address
💡Victim Machine
💡Statistics
💡Conversations
💡Private IP Address
💡Public IP Address
💡Packets
💡HTTP Request
💡Malware
💡NBNS
💡Hostname
Highlights
Identifying the IP address of the Windows victim machine by analyzing statistics and conversations.
Differentiating between private and public IP addresses to determine the victim machine.
Using packet analysis to find the most active IP addresses involved in data transmission.
Assuming that the private IP address with the most transactions is likely the victim.
Filtering HTTP requests to find the source IP address that requested the malware.
Identifying the victim host by analyzing the HTTP request for the malware file 'mko.exe'.
Concluding that the private IP address is the victim based on data transmission volume and HTTP request analysis.
Explaining the reasons why the private IP address is considered the victim machine.
Searching for the hostname of the Windows victim machine using NBNS filtering.
Noting the absence of NBNS data in the pcap file, requiring an alternative approach to find the hostname.
Accessing the unzipped pcap file to manually find the hostname using additional records.
Highlighting the importance of having the hostname in a real-world scenario for complete analysis.
Acknowledging the limitations of the provided pcap file in containing all necessary data for the exercise.
Providing a workaround for the missing hostname data by using the unzipped pcap file.
Demonstrating the process of manually finding the hostname in the absence of NBNS data.
Stressing the need for complete pcap files in professional settings for accurate analysis.
Concluding the hostname as 'not available' due to the limitations of the provided pcap file.
Transcripts
These are the questions I have set up. I'll put the link in the description. I already answered a little bit because, I don't know why to be honest, but I just felt like it. Don't worry about it, so let's click the X button.

All right, now comes the good part. Let's start.

All right, we're going to be answering some questions based off what happened, and these are the first questions we usually ask. Even on the website they usually post these questions, so let's see.

What is the IP address of the Windows victim machine? VM stands for victim machine, the one that gets infected. So how the hell do we start? This is confusing as well, right?

So the first thing we can do is go to Statistics, scroll down to where you see Conversations and click on it. You start on Ethernet; click on IPv4. All right, we see these IP addresses over here. Click Packets. So the most amount of data that is sent between computers, those are the ones that are talking the most, right? So basically 10 and 217, those IP addresses are talking the most and they're sending the most data. That's what packets are there for; that's the highest amount.

So for this part you've got to know the difference between a private IP address and a public one. If you don't, then yeah, you're going to struggle with this. But 10 is a private IP address and 217 is public, so these two are talking like crazy. So I'm guessing that someone with the private IP address was talking to a bad website, which is 217.18.244.196. They were making the most transactions.

So I'm going to drill down on this even more by going to http, by filtering for http request. Yeah, so this is another way to find the victim host that was infected with the malware. So he's the one that requested it. We see Source right here, that's the source IP address; Destination, that's the destination. So this source made a request; that's what http request means for this filter, it means that we want to see who requested what. So basically 10.12.3.101 made a GET request right here in the Info tab. He's basically saying, get me this file right here, mko.exe. Right, that's most likely the malware, obviously, because you know I put in the answers. So let's go back.

So from looking at the statistics, going IPv4, we can conclude that the private IP address is what you call the victim machine. He is the victim. So let's put that down: 10.12.

So let's recap the reason why this guy is a victim. First, he's a private IP address and he's making a request to a public IP address, and he has the most data talking between that IP address, like, see the most number of packets. The second reason why he is the victim is because when we do http request, it shows that he is the only computer that made a request to the website, and most likely he downloaded the malware. So those are the reasons.

All right, what is the hostname of the Windows victim machine that gets infected? So we want to find the name of the computer. What I usually do is we've got to filter this one out: nbns. See, we don't see anything. The reason why we don't see anything is because whoever made the pcap didn't include that part of the data. So we're going to have to close and minimize this one, go back, and unzip this one. The reason why I wanted to unzip it is because I want to show you what it looks like. Remember, the password is infected, all lowercase. Okay. Actually, I go to 2014. Yeah, for this I couldn't find a pcap that contained all the answers to the questions, because you know, it was pretty hard.

So what we do is we go for nbns, and if you want to find the hostname we go to the right; you see it says right there, that's the name. But if you actually want to drill down, scroll down to the second box right here and click NetBIOS name, minimize this with the arrow, go to Additional records. It shows the name right here, and then we go down, it also shows the name right here. That's how you find the hostname of the computer.

Not all pcap files are going to have the hostname if you're doing it for practice, but I'm pretty sure in a real business you're going to see the damn pcap with the name in it. So that's the hostname, but for now I'm just saying not available. Not available because, you know, the guy was too lazy, you know, whoever made this crap. All right. Okay.