Advanced Wireshark Network Forensics - Part 3/3

00:00

okay let's look at scenario two it looks

00:04

like there was a denial-of-service

00:04

attack that was reported against our FTP

00:07

server

00:10

192.168.1 and it also seems like there

00:13

was some FTP traffic spikes that were

00:15

seen prior to the FTP server being taken

00:17

offline so what do we know we know the

00:21

address of the attacker 1 i2 1 6 8 56 .

00:25

101 and the address of the FTP server

00:28

56.1 but what are we trying to figure

00:32

out this one's a little bit more

00:34

abstract so generally what we want to

00:38

find out is what caused the spike in the

00:39

FTP traffic and what events took place

00:42

prior to the FTP server being taken

00:44

offline so where any files transferred

00:47

where any user accounts compromised

00:49

things like that so let's take a look

00:54

before we get started we always want to

00:56

make sure that we document our goals

00:58

steps and results in this scenario our

01:01

goals are a little bit more abstract and

01:02

will depend on what we find in the pcap

01:04

in the meantime we at least know what

01:07

types of things that we're looking for

01:08

indicators of compromise so let's start

01:12

with what happened before during and

01:14

after the attack on the FTP server so in

01:17

this case we want to know what led up to

01:20

the attack what types of attacks did the

01:22

attacker perform and were they able to

01:24

get in and what did they find

01:27

okay so now that we have our goals

01:29

written down let's open the pcap whoa

01:32

that's a lot of our frames being sent

01:35

looking at the info column we can see

01:38

that in most of these are per quests the

01:39

IP address is going up for each request

01:42

this looks like an ARP scan being sent

01:44

off by 56 top 101 here the attacker

01:47

address it might be a little crazy to

01:50

sort through all the requests here so

01:52

first let's take a look at how many

01:53

conversations are within the capture

01:55

file to begin with so that we see

01:56

exactly how many IP addresses are in

01:58

this we can do that by going to

02:01

statistics and then conversations

02:04

looking at the ipv4 tab the only IPs

02:07

that we see are our 56.1

02:09

and 101 addresses that we were already

02:12

aware of

02:13

that's good it means that this capture

02:16

file was already filtered down for us

02:18

glancing over at our TCP tab we can also

02:21

see over 7,000 TCP connections were made

02:24

just between these two addresses we're

02:27

not gonna find anything interesting in

02:28

there right away so let's make a mental

02:31

note of that and move on now we already

02:34

know that this capture file only has two

02:35

IP addresses but even with that we want

02:38

to look through the attack traffic and

02:40

try to find out what the attacker was

02:41

able to see on our network let's look at

02:43

the ARP scans again our scans work by

02:46

sending out a bunch of art requests

02:48

throughout the network the idea is that

02:50

when another device on the network

02:51

receives an ARP request it will send an

02:53

ARP reply so let's filter this down to

02:56

show only the ARP replies okay cool we

03:00

have the 56.1 and dot 101 that we

03:04

expected but there's a third address dot

03:08

100 we don't have any information on it

03:11

so it's possible there was no

03:12

communication from the attacker at all

03:14

or it could have been filtered out from

03:17

the capture either way let's make a note

03:20

of this and move on at this point we're

03:24

done with the ARP traffic so let's

03:26

filter that out

03:29

now we're starting to see a flood of

03:31

packets coming from our attacker and

03:32

based on the changing port numbers this

03:34

is pretty obviously a network port scan

03:37

so it looks like we're gonna have to do

03:39

the same thing again from here how can

03:41

we figure out what open ports the

03:43

attacker was able to find in their scan

03:45

of the system well we already know that

03:47

when we send out a syn we expect to see

03:49

a syn ack returned so let's filter by

03:52

packets with the syn ACK flag set and

03:55

just like that we were able to see the

03:58

ports the attacker was able to find open

03:59

here we have port 21 445 139 and 135 we

04:06

also have these forty nine thousand

04:08

number ports they're unregistered port

04:10

so it's impossible to know exactly what

04:12

protocols these belong to but with a

04:14

little googling you'll see that

04:16

Microsoft NetBIOS is the top hit either

04:19

way let's document what we have hmm it

04:24

looks like we still have a lot more data

04:25

to come through we know this is an FTP

04:28

server so let's eliminate the obvious

04:30

and filter out port 21 with that we can

04:33

separate the signal from the noise and

04:34

verify that these are the only open

04:36

ports the attacker was able to find and

04:38

sure enough this is all we have there

04:42

seems to be a few more syn ACK flagged

04:43

packets in the mix but looking at the

04:45

stream ID those aren't seen until well

04:47

beyond the attackers port scan results

04:49

which makes sense given how TCP works

04:53

you can take a look at these on your own

04:55

if you would like we will eventually get

04:57

to them but following a formal

04:58

methodology doesn't just mean that

05:00

you'll get the answers that you're

05:01

looking for it also means that you'll

05:03

get the context of those answers so in

05:07

the mean time these can be safely

05:08

ignored now let's look at the ftp

05:11

traffic on port 21 okay so this looks

05:15

like the huge flood of ftp traffic we

05:17

were told about we've already seen the

05:19

traffic that's part of stream 20 that

05:21

was the port scan we documented earlier

05:23

but after that we start to see a lot of

05:26

connection requests going straight to

05:28

port 21 let's follow one of the streams

05:30

and see what we can find hmm this looks

05:34

like a bunch of login attempts

05:35

let's hit the up arrow a few times and

05:38

check out the other streams you know

05:40

this definitely looks like a brute-force

05:42

attack

05:43

with all these attempted logins there's

05:45

probably a burning question in the back

05:46

ear mind did they get in so how can we

05:51

figure that out well we can see these

05:53

FTP codes like five thirty login

05:56

incorrect there has to be one for a

05:58

successful login well let's check on

06:00

Google

06:07

there it is FTP response code 230 let's

06:12

put that in our filter and see what we

06:13

can find awesome

06:16

there's only two streams and it looks

06:18

like both of them have the response to

06:20

30 let's check them out okay the first

06:25

one looks like it was still part of the

06:27

brute-force attack they logged in but

06:29

didn't go anywhere with it now let's

06:31

look at the second one we can hit the

06:33

down key to go to our previous filter

06:38

ah this one's a bit more interesting

06:41

here we can see that they logged in with

06:44

the anon anon then they listed the

06:46

directory changed to images listed the

06:49

directory again and downloaded the file

06:51

called why we can't have nice cat PNG

06:55

and the server is even so kind as to

06:58

tell us the exact size of the file so we

07:00

definitely want to write this down since

07:05

this is all over the network we can see

07:07

the results of each command

07:08

let's hit the up arrow a couple of times

07:09

and step through the streams here we can

07:12

see the contents of the first directory

07:14

the second directory and then this looks

07:16

like the PNG that the attacker

07:18

downloaded if we didn't know any better

07:20

we could look at the first few bytes and

07:22

match that to a file signature in this

07:24

case PNG files simply spell out PNG in

07:27

their signature so that makes it easy on

07:29

us now something that I want to point

07:32

out is with real-world capture files it

07:34

won't always be as easy as pressing the

07:36

up arrow and streams list sometimes the

07:39

next stream or the next several streams

07:40

are actually parts of other traffic this

07:43

is why you need to filter packets and

07:45

list conversations as your first steps

07:47

when analyzing pcap files another way we

07:50

can quickly find a downloaded file is to

07:52

look in the conversations list we know

07:55

the size of the file given by the FTP

07:57

servers response so all I need to do is

07:59

find a conversation that has at least

08:01

the same number of bytes then we can

08:03

filter by that and look at the stream

08:05

this is also how I tend to do a quick

08:08

and dirty analysis of a packet capture

08:10

to see if there are any obvious files

08:12

within the pcap that can be extracted

08:16

okay now that we've located the file

08:19

let's carve it out like we did in

08:20

scenario one and take a hash of it that

08:23

way we can compare the hash against the

08:25

hash of the original file on the server

08:27

for integrity

08:33

last step let's go ahead and open the

08:36

file so that we can see what the

08:38

attacker was able to get their hands on

08:40

well that's disturbing

08:43

but hey you know what we're done let's

08:46

hop back to the slides and review what

08:48

we found okay

08:50

recap the attacker set off an ARP scan

08:53

of the subnet 1 & 2 1 6 8 56 0 they were

08:57

able to find the address 56.1 which was

09:00

the FTP server we were looking in to

09:02

begin with and we also found this

09:04

address 56 dot 100 which we don't have

09:07

any traffic so we couldn't really do any

09:09

further analysis on the attacker then

09:12

started a port scan against the host

09:14

56.1 and found several ports so port 21

09:19

4 4 5 139 135 and so on after the port

09:25

scan the attacker set off a brute-force

09:26

attack and was able to find the

09:28

credentials anon anon and with those

09:31

credentials they were able to download a

09:32

file why we can't have nice cat PNG and

09:36

we were able to carve that file out of

09:38

the network bytes and we have a sum of

09:40

the file to compare to what's on the

09:41

server well that's all I have for you

09:44

guys if you manage to stick through this

09:47

far I just want to say thank you net SEC

09:50

is a passion of mine and I'm just glad

09:52

to have the opportunity to share this

09:53

with you now I don't want to let you go

09:56

empty-handed

09:57

here's a few resources that I use to get

09:59

started and a few more that I still use

10:01

to better my own skills some of the ones

10:04

that I want to point out here are

10:05

forensics contest comm honeynet org and

10:08

malware traffic analysis net forensics

10:12

contest comm I cannot recommend enough

10:14

this is the group that runs or at least

10:17

used to run the DEF CON network forensic

10:20

challenges their online puzzles start

10:22

off pretty easy

10:23

and then slowly build to incredibly

10:25

complex challenges hands down the best

10:28

place to start here next on e network I

10:32

would say are more intermediate and

10:34

advanced level challenges they'll

10:36

require you to do some of the same stuff

10:37

we did in here plus a little bit more

10:40

malware analysis on the end finally if

10:43

you want a real-world challenge

10:44

check out malware traffic analysis net

10:47

this

10:48

Blagh is almost exclusively real-world

10:50

attack traffic and you're gonna really

10:52

need to think outside of the box

10:53

sometimes to find what you're looking

10:55

for if some light readings more your

10:58

thing here's a few books you're gonna

10:59

want to check out practical packet

11:01

analysis another great resource for

11:04

beginners once you're finished with that

11:05

network forensics tracking hackers

11:08

through cyberspace is a good one to bump

11:10

up your skills to the next level this

11:13

one was also written by the DEF CON

11:14

Network forensics people if you wanna

11:17

learn how to use these techniques into

11:18

your current Incident Response process

11:20

check out NIST publication 886 as a

11:23

guide to integrating forensic techniques

11:25

and then of course the file signature

11:28

database that we used earlier gary

11:30

kessler net well again thank you for

11:34

taking the time and I hope you learned

11:36

something new if you like this workshop

11:38

series or whatever you want to call it

11:40

let me know your thoughts in the

11:42

comments down below

11:43

also let me know if there's a particular

11:45

net SEC topic you'd like me to cover

11:47

next who knows I might make a video of

11:49

it anyways check out the links in the

11:52

description below and don't forget to

11:53

Like and subscribe to see more videos

11:55

like this I'll see you next time