Malware Traffic Analysis with Wireshark - 1
Summary
TLDR: The video script guides viewers through identifying a victim machine in a network simulation. It explains the process of analyzing IP addresses, distinguishing between private and public addresses, and using packet data to deduce the infected host. The script also covers finding the hostname of the victim machine, noting the absence of NBNS data in the provided pcap file and suggesting manual methods to retrieve it. The tutorial aims to educate on network analysis techniques for detecting malware infections.
Takeaways
- The speaker starts by explaining the process of identifying the IP address of a 'victim machine' in a network analysis scenario.
- The 'Victim Machine' (VM) is the one that gets infected, and its IP address can be found by analyzing the most active conversations in the network statistics.
- To find the VM, one should look at the statistics, specifically the 'IPv4' section, and identify the IP addresses with the highest number of packets exchanged.
- The distinction between private and public IP addresses is crucial; the private IP is likely the victim, as it's communicating with a public IP address.
- The speaker speculates that the private IP address was in contact with a potentially malicious website, indicated by the public IP address 217.18.244.196.
- Further investigation is done by filtering for HTTP requests to identify the source of the infection, which in this case is the machine that made the request for 'mko.exe', suspected to be malware.
- The victim's private IP address is identified as 10.12.x.x, based on its activity and the HTTP request analysis.
- The hostname of the Windows victim machine is not readily available in the provided pcap file, indicating a missing piece of data.
- The speaker mentions that to find the hostname, one would typically use the 'nbns' filter, but it's not present in this case due to the file's incompleteness.
- In a real-world scenario, it's expected that the pcap file would contain the hostname, but for this exercise, it's marked as 'not available'.
- The speaker also discusses the importance of understanding network protocols and the structure of pcap files for comprehensive network analysis.
Q & A
What is the purpose of analyzing the IP addresses in the script?
- The purpose is to identify the victim machine in a network scenario where a machine gets infected. The analysis focuses on IP addresses with the most data transactions, indicating a likely infection point.
How does the script differentiate between private and public IP addresses?
- The script identifies 10.x.x.x as a private IP address and 217.x.x.x as a public IP address. The distinction is important for understanding the network communication context.
What is the significance of the IP address 217.18.244.196 in the script?
- This IP address is identified as a public IP address with which the private IP address has the most communication, suggesting it might be the source of the malware.
What method does the script use to find the victim host infected with malware?
- The script uses HTTP request filtering to identify the source IP address that made a request, which in this case is suspected to have downloaded the malware.
What is the role of the 'statistics' and 'conversations' in identifying the victim machine?
- These features provide insights into the network traffic and communication patterns, helping to pinpoint the machine with the most data transactions, which is likely the victim.
Why is the HTTP request important in the script's analysis?
- The HTTP request shows which machine made a request for a file, in this case 'mko.exe', which is suspected to be malware, thus identifying the victim machine.
What is the script's approach to finding the hostname of the victim machine?
- The script attempts to find the hostname through NBNS (NetBIOS Name Service) records, but notes that not all pcap files contain this information.
Why is the hostname not available in the provided pcap file?
- The hostname is not available because the pcap file was not created with the necessary NBNS data included, possibly due to oversight or limitations in the capture.
What additional step is suggested to find the hostname in a complete pcap file?
- The script suggests looking into the NBNS records, specifically the 'netbios name' and 'additional records' sections, to find the hostname of the computer.
How does the script conclude that 10.12.x.x is the victim's private IP address?
- The script concludes this based on the analysis of the most data transactions and the HTTP request made to a public IP address, indicating that the private IP address is the victim.
What is the script's final verdict on the hostname of the victim machine?
- The script's final verdict is that the hostname is 'not available' due to the lack of NBNS data in the pcap file provided.
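The three-step workflow the summary describes (busiest private-to-public conversation, HTTP request for an executable, NBNS lookup for the hostname) as an added, pure-Python example that is not from the video or this summary page. The packet records are constructed sample data, not the video's pcap, and the 10.12.0.x hosts and the 93.184.216.34 peer are assumed values.

```python
import ipaddress
from collections import Counter

# Constructed sample "packets": (src, dst, bytes, proto, detail).
# detail holds the HTTP request line for HTTP, or the registered name for NBNS.
PACKETS = [
    ("10.12.0.5", "217.18.244.196", 1500, "TCP", None),
    ("217.18.244.196", "10.12.0.5", 60000, "TCP", None),
    ("10.12.0.5", "217.18.244.196", 300, "HTTP", "GET /mko.exe"),
    ("10.12.0.5", "10.12.0.1", 90, "DNS", None),
    ("10.12.0.7", "93.184.216.34", 400, "HTTP", "GET /index.html"),
    ("93.184.216.34", "10.12.0.7", 2000, "TCP", None),
]

def conversations(packets):
    """Like Statistics > Conversations > IPv4: total bytes per address pair."""
    totals = Counter()
    for src, dst, size, _proto, _detail in packets:
        totals[frozenset((src, dst))] += size
    return totals

def find_victim(packets):
    """Return (private_ip, public_ip) for the busiest private<->public
    conversation, or None if every conversation is internal or external only."""
    for pair, _size in conversations(packets).most_common():
        priv = [a for a in pair if ipaddress.ip_address(a).is_private]
        pub = [a for a in pair if not ipaddress.ip_address(a).is_private]
        if priv and pub:
            return priv[0], pub[0]
    return None

def exe_requests(packets):
    """Equivalent of the 'http.request' filter, narrowed to .exe downloads."""
    return [(src, dst, detail) for src, dst, _size, proto, detail in packets
            if proto == "HTTP" and detail and detail.lower().endswith(".exe")]

def hostname(packets, victim_ip):
    """Look for an NBNS name registered by the victim; the video's verdict
    when no NBNS traffic is in the capture is 'not available'."""
    for src, _dst, _size, proto, detail in packets:
        if proto == "NBNS" and src == victim_ip and detail:
            return detail
    return "not available"

if __name__ == "__main__":
    victim, peer = find_victim(PACKETS)
    print("victim:", victim, "peer:", peer)
    print("executable requests:", exe_requests(PACKETS))
    print("hostname:", hostname(PACKETS, victim))
```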