Wireshark - Malware traffic Analysis

00:00

hi guys welcome to hack explored in this

00:03

episode we'll be talking about packet

00:04

analysis which is an important skill

00:07

that a security professional should

00:08

master and we'll be using the world's

00:10

leading network traffic analyzer pie

00:13

shop so if you're a beginner don't worry

00:15

there's a lot of step-by-step guides

00:17

over here and along the way we'll be

00:21

learning a lot how to master this tool

00:23

so continue watching and not come to my

00:26

channel and don't malva traffic

00:33

analysis with buy shock why shack is a

00:36

popular tool for troubleshooting network

00:38

riddle issues but in cybersecurity

00:40

you can disco many interesting events

00:42

that is happening on a network for

00:44

example we can collect lot of i/o CS

00:47

which are known as indication of

00:49

compromised iosys in simply explained

00:52

these are pieces of forensics data that

00:54

we collected during your analysis

00:56

example IP addresses domain names news

00:59

agents and all the rest of things that

01:01

are here which can be some of the iOS's

01:04

that can be collected during a cyber

01:06

investigation how can we use the IP

01:08

address if an IP address is detected as

01:11

spreading malware to our network we can

01:14

immediately block it same thing goes for

01:16

a domain name collection of iOS's will

01:19

help organization to detect and prevent

01:23

attacks in this demonstration we'll be

01:25

looking at some specific io seized from

01:28

a network traffic capture so let's jump

01:32

into Wireshark washa can be used in two

01:34

ways

01:35

one is you can perform a local capture

01:37

of the network traffic and analyze it or

01:39

there are a lot of sites which offers

01:41

you sample packet captures for analysis

01:43

I'm using a packet capture from malware

01:46

traffic analysis dotnet I've given the

01:48

link below so I'm using one of the

01:50

capture sample given by them click open

01:52

the basic things are you can see the

01:54

source and the destination IPS which are

01:56

connected watch protocols they are using

01:58

and info will provide you more

02:00

information

02:01

but this default view we can enhance it

02:05

we can add more features or remove some

02:07

unwanted features to make our analysis

02:09

easier so the first thing I'm going to

02:11

do is make the display

02:13

easier to move I won't be needing the

02:14

number of packets so I'm going to remove

02:16

the packet number and I cut length I'm

02:19

gonna remove that so I'm going to do

02:21

some modifications for the time this

02:23

time is in seconds I'll be changing this

02:26

view at the time display format into

02:29

date and time of which will show you the

02:32

date and time of the network event so

02:35

let's add on columns as we go on one of

02:38

the first things that you have to do

02:40

when you receive a capture like this is

02:42

understand what type of protocols that

02:44

are used inside this traffic capture for

02:46

example if you go to the statistics menu

02:49

which we'll be using a lot to get

02:51

summarized information first things that

02:53

I go is the protocol hierarchy so this

02:57

window shows a summary of what protocol

03:00

activity that we see for example we see

03:02

some in IP version 6 traffic IP version

03:05

4 which is 98% so I'm interested in this

03:08

section this is where all the things are

03:10

happening inside that also we see some

03:13

TCP and UDP traffic so UDP normally we

03:17

can use to get machine related

03:19

information such as DHCP and DNS

03:22

requests and here where we can see the

03:25

application level traffic according this

03:27

graph we can see there is lot of HTTP

03:30

activity hypertext Transfer Protocol

03:32

activity which indicates this is

03:35

something related to web traffic if I

03:39

give you an example in this malware

03:41

traffic analysis dotnet this packet

03:43

capture is all about user downloading a

03:46

malware so definitely we will be finding

03:49

in the hypertext Transfer Protocol so in

03:52

the normal view you can see all the

03:54

protocols since we are interested in HD

03:57

traffic I am going to use a filter you

04:00

can type a filter over here or you can

04:03

use this window and just right click and

04:06

apply this section as a window so I'm

04:08

telling by sharp to show me only the

04:10

HTTP traffic if I close this window the

04:12

HTTP traffic and all the related traffic

04:16

over here but I'm going to filter out

04:17

like this so I'm going to use a method

04:19

called HTTP dot request so the HTTP

04:23

request filter will show me only the

04:25

gate

04:26

the post requests that are made from the

04:28

source to the destination you can see we

04:31

have a narrowed down a search more so

04:33

you have a less number of traffic to

04:36

analyze now right now to make the

04:40

interface more meaningful and more

04:41

understandable I can add more columns

04:44

for example we can see a source and a

04:48

destination and the request that is made

04:50

but we can see only the URL path and

04:53

this destination IP address won't be

04:55

meaningful in this second section of

05:00

this vile Shack you can see all the

05:02

protocol literary information I'm either

05:04

using the hypertext Transfer Protocol

05:06

section and if you go inside here you

05:08

can see this will contain the actual

05:10

hostname so right-click and apply this

05:13

sub column now you can see clearly where

05:17

did this sauce connect to we can add

05:22

some more information into the column

05:24

display to make it more information for

05:25

example when I am doing this I get the

05:28

source port and I'm going to get it from

05:33

here

05:34

the source port and I'm going to add

05:37

another column called G s T port I'll

05:42

make this spiotti

05:44

to make the column no short I'll make

05:47

this is our C port okay and here you can

05:52

select the destination port from here

05:55

click OK

05:57

yeah the ports normally will show in the

06:00

corner you can drag and move them or you

06:04

can also go to column preferences and I

06:09

want it right over here so this will

06:13

make my life more easy to make it clear

06:16

you can align these data to left or

06:18

right according to your preferences so

06:19

now we have more information so this is

06:22

how you set up your column display - in

06:25

order to make you analyst is more easier

06:27

so we can see the time and the source

06:28

and destination ports and the sites that

06:30

they are connected to all of these data

06:32

are derived from the packet data that we

06:34

have right now as I told you this packet

06:37

capture is containing a Mel

06:39

download or we can see according to the

06:41

HTTP request only this machine accessed

06:45

Internet I will see what are the

06:48

questions that we are looking into it so

06:49

we all want to find the fitted file

06:52

download it and there hashes I'm going

06:54

in this order I'm going to answer all of

06:56

these questions so first we will see how

06:59

to find the infected files are

07:00

downloaded you can see all the file

07:03

requests from here but if you want to

07:06

get the actual file you need to go to

07:08

file and this option called export

07:10

objects and you can see all the HTTP

07:14

objects which were down ordered in this

07:16

packet capture there's lot of content

07:18

types

07:18

I'll sort them out you can see

07:21

application in give HTML in JavaScript

07:25

when you're looking for malware the tag

07:29

that you are use is content type and the

07:31

application type over here there are

07:33

three different categories of

07:34

applications you download a Java file it

07:37

makes X download which could be a Exe or

07:40

executable microsoft download and

07:42

Shopville fref these are the main ways

07:46

of fected file can be downloaded other

07:49

than this there could be word files

07:51

which is having a macro as direct

07:53

executables these files are the most

07:55

suspicious one I'm going to click on the

07:56

file and I'm going to click Save yeah

08:00

this is the Java Kuip I'll add the dot

08:03

jar extension for this and I'm going to

08:06

take a sample of this so this was

08:09

executable so I'm going to say X E and

08:12

this is a shockwave object so I'm going

08:15

to save this as a dart establish a file

08:19

that's not only to rename this one but I

08:22

need to identify the file later so

08:24

that's I'm adding the exchange for the

08:25

files but remember the application

08:28

content type is the thing that you had

08:31

looked for when if you are looking for

08:32

any malware PDF and Microsoft our file

08:35

downloads are also suspicious so I'm

08:37

going to open my Explorer window and go

08:40

to my wife investigation and go to

08:42

sample download so you can see these are

08:45

the three files are downloaded now we

08:48

have to see whether these are malicious

08:50

in this situation we can use the

08:53

virustotal we can upload the files and

08:56

see if these are infected I don't

08:59

recommend uploading the files directly

09:01

because imagine this is Microsoft Word

09:04

document which is having any

09:05

confidential data and if you upload it

09:08

your data is out of the organization

09:10

envira started as option where they

09:13

accept the hash of the file until it is

09:15

malicious or not so in this type of

09:18

situations it's better to have a file

09:20

ready to answer your questions so first

09:24

of all what are the infected files and

09:25

their hashes so how do you get the hash

09:28

out file so you have a lot of tools one

09:30

of the main tools that I love is offered

09:32

by Nero soft I'll post the link for this

09:36

file in the description window so this

09:38

very useful tool to extract the file

09:40

hashes from a given file so we have the

09:44

file name and the file hashes so I'm

09:47

going to copy the file hashes it's very

09:48

easy all the file hashes at one these

09:50

are the ones that I should check I'll

09:52

copy the md5 version of this go to my

09:56

notepad editor and just paste the hash

09:58

or so here so first of all we have

10:00

collected the hashes which we are going

10:03

to check for any virus good information

10:05

let me jump into my virus total window

10:08

and search see it will accept the I'll

10:11

hash let's check if it is malicious

10:14

so it's infected so this is a mug this

10:20

has infected let's check for the other

10:24

file and paste it over here hmm that

10:32

seems to be file that is safe but just

10:37

to be safe I'll down or this one

10:47

and you can see we have another infected

10:51

fire which is swf okay it's WF I'll just

11:01

copy this one back again I believe it's

11:04

the jar file yep a Java exploit infected

11:11

Java I'll leave this hash around because

11:17

that was also executable which was

11:20

downloaded this could be a virus which

11:23

was not yet discovered it could be a

11:27

zero-day but we are not sure that we'll

11:29

see if this the sauce is compromised

11:32

with something we have to make sure this

11:34

file Isis was not downloaded okay that

11:38

is how you do use virus turtle in these

11:40

kind of situations so the second

11:44

question is what is the URL domain of

11:46

the infected site let's jump back into

11:50

Ishak we can see the application was

11:55

downloaded from this particular hostname

11:58

standard trust and poverty com

12:03

okay so I'll copy this and what is the

12:10

IP address of the inject website now we

12:13

need the IP address of this one so that

12:16

will be available in the Internet

12:17

Protocol we can copy this value and

12:23

paste it over here right and that was

12:26

easy what is the IP address of the

12:28

infected machine so in our case the

12:31

infected machine is the sauce over here

12:34

I'll copy the value over here alright so

12:38

that was easy the next we have to find

12:41

another two things so what is the

12:43

hostname of the infected machine and the

12:45

MAC address you should go to IP Ethernet

12:48

literally information so this should be

12:51

the source MAC address I'll copy the

12:54

value first so I pasted it here

12:56

I need the hostname now let me go into

12:59

the protocol higher

13:00

so there are many protocols which can be

13:01

used to find the hostname I go to

13:05

statistics and protocol hierarchy here

13:08

you can find a lot of naming services

13:11

and Indian protocol and the UDP protocol

13:14

you have NetBIOS and dhcp which can also

13:18

be used to find the back and host

13:21

information I'll use the DHCP the most

13:25

common way to find proc also it's easy

13:29

you can just right click apply this as

13:31

filter or you can just go to DHCP which

13:37

is show you all the DHCP related

13:39

requests so the host name of this

13:42

particular IP so we can see there are

13:44

two requests the inform and the request

13:46

so normally the DHCP request we should

13:48

find the host information so if you both

13:52

expand this dynamic host configuration

13:54

protocol and if you go in you can see

13:57

the client MAC address who has requested

13:59

which is the same MAC address that we

14:02

found here might be a fan and if you dig

14:05

in deeper you will be able to find the

14:08

host name and this is another way you

14:11

can apply this as a column and get the

14:19

host name copy this copy value and now

14:24

we have found a lot of information

14:27

related to this activity so the first

14:31

parts infected file hashes can be

14:34

blocked inside our network using our

14:37

wireless card so if they see this file

14:39

hash you can easily tell the virus car

14:42

to detect at the virus and delete it we

14:45

can block access to these sites and IP

14:47

addresses and we can make an

14:50

investigation on this PC to see if it is

14:52

infected and make sure the mother is

14:55

cleaned so this is how we carry out a

14:58

Wireshark investigation so if you want

15:01

to learn more about this type of

15:03

Investigations you can always refer to

15:05

the why shock or 1-0-1 essential skills

15:08

for network analysis a by Laura

15:11

so this book will help you a lot of tips

15:13

and tricks by using my shark so this is

15:16

from the founder and the creator of a

15:18

shark

15:19

so that's information for you and again

15:22

if you want to learn more go to malva

15:25

traffic analysis dotnet which will have

15:27

a lot of exercise related to the traffic

15:30

is so there are a lot of latest things

15:32

just down order copy make sure you run

15:35

these on a sandbox these because these

15:37

have over live viruses inside these

15:39

packet captures so make sure you are

15:43

careful when you're handling these

15:45

things if you enjoy this video please

15:48

give a thumbs up and please don't forget

15:50

to subscribe and hope to bring you more

15:53

videos like this in the future thank you

15:55

for watching