Ben S. Knowles, BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1, et cetera
Sharkin': Using Wireshark to find evil in packet captures
Packet Captures
● Recordings of Internet activity
● Often used by analysts and researchers
What can you quickly find out from a pcap?
[Image: the Three Investigators Cluedo board game (German edition); credit: http://www.eastforkids.com/]
pcaps: quick answers
Basic packet analysis should find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
Adds up to Characterization of the traffic and a possible story it tells:
● Who?, Did What?, When?, To Whom?
● What is the significance (so what)? and
● What should someone do about it?
IDS: a source of packets for analysis
● Intrusion Detection Systems (IDS):
– Bro IDS, Snort, Suricata, RealSecure, McAfee NSM
● Alert on traffic that matches signature rules (Snort, et al)
– Or log and notify based on policy (Bro IDS)
● Alerts are displayed in consoles:
– DSWX CTP Portal, sguil, Snorby, SiteProtector, ePO
● Consoles display many event details
– And (usually) give you option to pull a pcap file
Wireshark: about
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
from: https://wireshark.org/about.html
[Screenshot: the Wireshark main window]
Packet analysis tips: safety and accuracy
● Get offline!
– Isolate your analysis environment for safety and cleaner results
● Disable lookups in your tools
– tcpdump -nn (no host or port name lookups)
– Wireshark: uncheck in View / Name Resolution
– Name resolution sends a DNS query from your analysis box for every address in the capture: it is slow, and it can tip off whoever runs reverse DNS for those addresses that someone is looking.
● Keep your analysis tools updated!
– Analysis tools are a juicy target for attackers.
– File and protocol parsers are a constant source of vulnerabilities
● No captures on production networks or other people's networks!
– Check with your boss / client / spouse / lawyer before capturing traffic.
● Double-check those timezones again.
– pcap timestamps are UTC epoch seconds no matter where the sensor sits. Wireshark shows them in the analysis machine's local time unless you pick View / Time Display Format / UTC, and IDS consoles and syslog may each use yet another zone.
Packets! Let's get some packets and take a look!
PCAP files are at: http://www.atlbbs.com/sharkin/
Snorby: a few events
Snorby: "id check returned root" alert: testmy-handout.pcap
testmy-handout.pcap: questions
Let's find the same things as for any pcap: IP addresses (who), protocols and application used (how, TTP), directionality (who did it to whom), and time and date (when, minding timezones).
Then characterize the traffic: who did what to whom and when, what its significance is (so what), and what someone should do about it.
Wireshark tricks: Statistics Summary
In Wireshark menu:
Statistics / Summary (renamed Capture File Properties in Wireshark 2.x)
Gives first and last packet times, elapsed time, and packet and byte counts
Similar output to the capinfos command that ships with Wireshark
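As an added example (not code from the talk or from Wireshark itself), here are the Summary figures and the quick answers above (hosts, protocols, directionality, times) computed directly from a libpcap file in Python. It reads the classic pcap format only (not pcapng) and decodes Ethernet/IPv4 frames; the capture it runs on is constructed inline using the two host addresses from the ptmag-login slides, and nothing in it comes from the real pcaps. Comments give the equivalent Wireshark display filter for each answer.

```python
"""Added example (not from the talk): a minimal libpcap reader that computes the
Statistics / Summary (capinfos) figures and the quick answers, straight from the
bytes.  The capture it reads is constructed below."""
import socket
import struct
from datetime import datetime, timezone

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
# magic as read little-endian -> (struct byte-order prefix, unit of the sub-second field)
MAGICS = {0xA1B2C3D4: ("<", 1e-6), 0xD4C3B2A1: (">", 1e-6),
          0xA1B23C4D: ("<", 1e-9), 0x4D3CB2A1: (">", 1e-9)}

def read_pcap(data):
    """Yield (timestamp, frame bytes) for each record in a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not libpcap (pcapng needs another parser)")
    end, unit = MAGICS[magic]
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("this example only decodes Ethernet (linktype 1)")
    off = 24
    while off + 16 <= len(data):
        sec, sub, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + sub * unit, data[off:off + incl]
        off += incl

def summarize(data):
    """Summary-style facts plus who / how / direction.  Times are UTC because
    pcap stores epoch seconds; nothing here depends on the analyst's clock."""
    packets = list(read_pcap(data))
    times = [t for t, _ in packets]
    hosts, protos, flows, initiators = set(), {}, {}, set()
    for _, pkt in packets:
        if pkt[12:14] != b"\x08\x00":                  # Wireshark: !ip
            protos["non-IPv4"] = protos.get("non-IPv4", 0) + 1
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = PROTO.get(ip[9], str(ip[9]))
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        hosts.update((src, dst))                       # Wireshark: ip.addr == x
        protos[proto] = protos.get(proto, 0) + 1       # Wireshark: tcp / udp / icmp
        l4 = ip[ihl:]
        if ip[9] in (6, 17):
            sport, dport = struct.unpack("!HH", l4[:4])
            key = (proto, src, sport, dst, dport)      # a row of Statistics / Conversations
            flows[key] = flows.get(key, 0) + 1
            # SYN without ACK marks the side that opened the connection:
            # Wireshark: tcp.flags.syn == 1 && tcp.flags.ack == 0
            if ip[9] == 6 and (l4[13] & 0x12) == 0x02:
                initiators.add((src, dst, dport))
    return {
        "packets": len(packets),
        "first_utc": datetime.fromtimestamp(min(times), timezone.utc).isoformat(),
        "last_utc": datetime.fromtimestamp(max(times), timezone.utc).isoformat(),
        "duration_s": max(times) - min(times),
        "hosts": sorted(hosts),
        "protocols": protos,
        "conversations": flows,
        "initiators": sorted(initiators),
    }

# --- constructed sample capture (not a real pcap from the talk) ---------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload                # checksum left 0; the reader ignores it

def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _frame(ts, ip_packet):
    pkt = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_packet
    sec = int(ts)
    return struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(pkt), len(pkt)) + pkt

def build_sample_pcap():
    t0 = 1381510800.0                   # 2013-10-11 17:00:00 UTC, chosen arbitrarily
    c, s, dns = "192.168.15.105", "79.125.109.24", "192.168.15.1"
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    udp = struct.pack("!HHHH", 53001, 53, 12, 0) + b"\x12\x34\x01\x00"
    return head + b"".join([
        _frame(t0, _ipv4(c, dns, 17, udp)),                                   # DNS query
        _frame(t0 + 0.020, _ipv4(c, s, 6, _tcp(49152, 80, 0x02))),            # SYN
        _frame(t0 + 0.120, _ipv4(s, c, 6, _tcp(80, 49152, 0x12))),            # SYN/ACK
        _frame(t0 + 0.121, _ipv4(c, s, 6, _tcp(49152, 80, 0x18, b"GET / HTTP/1.1\r\n"))),
    ])

if __name__ == "__main__":
    for key, value in summarize(build_sample_pcap()).items():
        print(key, value)
```

Run it on a real file with summarize(open(path, "rb").read()). Because the timestamps are taken from the file as epoch seconds, the first and last stamps come out in UTC whatever the sensor's or the analyst's timezone, which is the safe way to line them up with IDS alert times.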
testmy-handout.pcap: answers
● Root user is the super admin on UNIX systems
● The alert matched the output of an id command showing uid=0(root) in the captured traffic, which suggests an attacker has gotten remote root
● Game over? Check directionality and the preceding commands first: the same string from an administrator's own cleartext session is a false positive.
[Image found at anvari.org]
Snorby: WordPress login: ptmag-login.pcap
ptmag-login.pcap: questions
Let's find the same things as for any pcap: IP addresses (who), protocols and application used (how, TTP), directionality (who did it to whom), and time and date (when, minding timezones).
Then characterize the traffic: who did what to whom and when, what its significance is (so what), and what someone should do about it.
Wireshark tricks: filters
● Powerful filters let us sift and sort through captures
● Color highlighting for syntax check
● Suggestions help you pick fields
● Use what you already know (hosts, ports, the alert's details) to find what you are looking for faster
Wireshark tricks: display filters
From the alert we already know some facts, and each one becomes a display filter that sifts out packets (matching packet counts in parentheses):
● Protocols:
– TCP/IP (2445)
– HTTP (2445)
● Hosts
– 192.168.15.105 (1082)
– & 79.125.109.24 ?
● Applications:
– PenTestMag site (73)
– HTML form (1)
– WordPress blog (1)
Research: reproduce it yourself, capture it, then search the capture ...
## check my tcpdump settings with a live capture (-nn: no name lookups) ##
sudo tcpdump -nn -i en0 -v 'host 79.125.109.24'
## verified, capture the session to a file ##
sudo tcpdump -i en0 -w ptmag.pcap 'host 79.125.109.24'
Offstage: log in to the suspect site again in a browser, then
## read back the capture file and dump text to another file (stdout and stderr both go to the file) ##
tcpdump -nn -r ptmag.pcap -X > outfile.txt 2>&1
## Look for suspicious strings in the output; grep -c counts matches ##
grep -c Password outfile.txt ; grep Password outfile.txt
grep -c adricnet outfile.txt ; grep adricnet outfile.txt
Much easier in Wireshark: Find Packet
● Edit / Find Packet
– By: String
– Search in: Packet bytes
ptmag-login.pcap: answers
Seems our subject web magazine isn't handling logins properly.
● SSL/TLS should be used for all logins and all login pages.
● Especially for public and commercial sites (this one is both).
We should send them a nice note about this after the brownbag is over.
[Image found on InfoSec Reactions, a very silly place]
pcaps from ATTACK research ;)
Trying out some IE8 attacks on a WinXP VM on my Mac at home
Packets captured to file:
msf_ie0day_winxpsp3.pcap
msf_ie0day_winxpsp3.pcap: questions
Let's find the same things as for any pcap: IP addresses (who), protocols and application used (how, TTP), directionality (who did it to whom), and time and date (when, minding timezones).
Then characterize the traffic: who did what to whom and when, what its significance is (so what), and what someone should do about it.
Wireshark tricks: Conversations
In Wireshark menu:
Statistics / Conversations
Shows all network flows at multiple layers, one tab per layer:
● Ethernet
● IP (IPv4 and IPv6)
● TCP
● UDP
Sort by packets or bytes to spot the heavy talkers.
Wireshark tricks: Follow Stream
In the Conversations panel: select a TCP line and click Follow Stream to see the reassembled payload in both directions.
Wireshark tricks: Evil found!
The data the server sent carries the MZ header of a Windows executable.
The attacker is delivering a payload to the victim host.
This is pretty bad.
In the Follow Stream window, pick the server-to-client direction and Raw as the display format, then Save As to pull the file contents out for analysis or RE (in the isolated environment, not on your desktop).
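As an added example (not code from the talk), the Save As step done in Python so the check is explicit: split a server-to-client HTTP response from its body, confirm the body really is a PE file (MZ stub plus the PE signature at e_lfanew) instead of trusting the Content-Type, and hash it for later lookup. The response and the fake PE image are constructed here; the real stream from msf_ie0day_winxpsp3.pcap is not reproduced.

```python
"""Added example (not from the talk): carve the file out of a followed HTTP
stream and confirm it is a Windows PE before calling it evil.  The response
below is constructed; it is not the stream from msf_ie0day_winxpsp3.pcap."""
import hashlib
import struct


def split_http_response(stream):
    """Split one server->client HTTP response into (status line, headers, body).
    Honours Content-Length so trailing bytes of a keep-alive stream are dropped."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers: truncated stream or not HTTP")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return lines[0].decode("latin-1"), headers, body


def looks_like_pe(blob):
    """MZ stub plus the 'PE\\0\\0' signature at e_lfanew (offset 0x3C): a Windows
    executable whatever Content-Type the server claimed.  Attackers lie about that."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve(stream):
    """What Follow Stream / Save As gives you, plus the facts you want next."""
    status, headers, body = split_http_response(stream)
    claimed = int(headers.get("content-length", len(body)))
    return {
        "status": status,
        "claimed_type": headers.get("content-type", "?"),
        "is_pe": looks_like_pe(body),
        "size": len(body),
        "truncated": len(body) < claimed,               # stream cut short: partial sample
        "sha256": hashlib.sha256(body).hexdigest(),     # pivot for sample lookups
        "payload": body,
    }


def build_sample_stream():
    """Constructed server->client half of a stream: a minimal fake PE image
    served as if it were a GIF, the way a drive-by download would."""
    image = bytearray(0x80)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)       # e_lfanew -> PE header at 0x40
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x44, 0x014C)     # Machine = IMAGE_FILE_MACHINE_I386
    body = bytes(image)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


if __name__ == "__main__":
    result = carve(build_sample_stream())
    print({k: v for k, v in result.items() if k != "payload"})
    with open("carved.bin", "wb") as fh:            # the Save As step; do it in the isolated VM
        fh.write(result["payload"])
```

Follow Stream shows the bytes as they crossed the wire, so a response using chunked transfer encoding or Content-Encoding: gzip has to be de-chunked or decompressed before the MZ check will match; this example does not do that. The SHA-256 is the handle you search sample repositories with before spending time in a debugger.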
Congratulations, you found some evil with Wireshark!
Next Steps?
Wireshark books:
● Practical Packet Analysis, 2nd Ed http://nostarch.com/packet2.htm
● Wireshark 101 http://www.wiresharkbook.com/
Network analysis, forensics courses:
● SANS SEC503 and GCIA
● SANS FOR572 (new, and still in beta when this talk was given)
References
Slide deck, pcaps, and links available online:
http://f.adric.net/index.cgi/wiki?name=Sharkin