Saturday, March 5, 2016

Intrusion Analysis - Packet Capture

This post covers different ways of capturing packets and of analysing packet capture (PCAP) files taken from IDS/IPS devices.

Packet Capture

Use either tshark or tcpdump to capture live packets to pcap files.

Use tshark to capture to a file, then read the file back with a display filter:

tshark -f "udp port 1812" -i eth0 -w /tmp/capture.cap
tshark -R "ip.addr ==" -r /tmp/capture.cap (read back with a display filter; newer tshark releases use -Y for single-pass read filtering)
Capture network statistics using tshark:
tshark -q -w capture_duration1 -a duration:1 -z io,stat,1
Capture network packets for a specific host:
tshark -S -q -w capture_duration6 -a duration:6 -z io,stat,1,ip.addr==
tshark -f "tcp port 22" -w capture_out (specific port)
tshark -q -w capture_out -a duration:60 (capture for 60 seconds)
tshark -r capture_dump.gz (read network packets from a compressed file)
tshark -R "rtp" -r capture_dump (display only a specific packet type)
tshark -f "port 1720 or port 1721" -w capture_dump (capture two ports at once)


tcpdump -w output.pcap -i eth0 (live capture to a file)

tcpdump -tttt -r read.pcap (read a file, printing the full date and time of each packet)

tcpdump -n -tttt -i eth0 (no name resolution, full timestamp)

tcpdump -i eth0 port 22 (listening on port 22)

tcpdump -w xpackets.pcap -i eth0 dst x.x.x.x and port 22 (capture traffic to a particular destination IP and port)

tcpdump -w comm.pcap -i eth0 host x.x.x.x and host y.y.y.y (communication between two hosts; the original filter only matched a single destination)

tcpdump -i eth0 -A 'port 80' > tcpdump_download.txt (print port 80 payloads as ASCII into a text file)

If you need a sample, below are some safe sites to download samples from. (Networking technology related PCAPs, very useful for L&D) (Collection of PCAP files from malware analysis) (PCAP analysis tutorials and samples) (Collection of malware samples from Panda's lab) (Publicly available PCAPs from CTF and CDX) (Only if absolutely bored)

Analyse with Wireshark

Typical questions to answer when working through an exploit kit infection pcap:

What is the date and time of this activity?

What is the IP address of the Windows host that gets infected?

What is the MAC address of the infected Windows host?

What is the host name of the infected Windows host?

What is the domain name of the compromised web site?

What is the IP address of the compromised web site?

What is the domain name that delivered the exploit kit (EK) and malware payload?

What is the IP address that delivered the EK and malware payload?

What snort events (either VRT or EmergingThreats) are generated by this pcap?

What EK is this (Angler, Nuclear, Neutrino, etc)?

What is the redirect URL that points to the EK landing page?

What is the IP address of the redirect URL that points to the EK landing page?

How many times is the malware payload delivered? (It's encrypted each time.)

Which HTTP request (GET or POST) is the post-infection traffic caused by the malware?

What browser was used by the infected Windows host?

What different exploits were sent by the EK during this infection?

What is the date of these exploits? (When were they created or modified?)

What is the size of the malware payload?

To View HTTP Object

A quick way to check is to export the HTTP objects (File > Export Objects > HTTP) and see what was served as an executable or as application/octet-stream.

wireshark -r file_name.pcap

Frequently used filters

All HTTP Requests : http.request or http.response

NetBIOS Name Service : nbns or udp.port eq 137 (port 67 is DHCP, not NBNS)

Packets to and from a host : ip.addr ==

Packets with port 443 : tcp.port==443

Packets with destination port 443 : tcp.dstport==443

HTTP GET requests : http contains GET

Java user-agent strings : http.user_agent contains Java

SSL Certificates : ssl.handshake.certificate

Identify some of the post-infection traffic from the infected host (SYN-only packets to ports other than 80) : !(tcp.port eq 80) and tcp.flags eq 0x0002

tcp.flags.syn == 1 && tcp.flags.ack == 1 (SYN/ACK replies; these packets list the ports that answered as open)

ip.addr == [sets a filter for any packet with the given address as either the source or destination]
ip.addr == && ip.addr == [sets a conversation filter between the two defined IP addresses]

http or dns [sets a filter to display all http and dns]

tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

tcp.flags.reset==1 [displays all TCP resets]

http.request [displays all HTTP requests, GET and POST alike]

tcp contains traffic [displays all TCP packets that contain the word 'traffic'. Excellent when searching on a specific string or user ID]

!(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise. Allowing you to focus on the traffic of interest]

udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]

Analysing with JQ

Read the Suricata EVE JSON output (eve.json, one JSON object per line) with a specialised parsing tool such as jq.

Count HTTP requests per hostname (non-HTTP events have no hostname and are grouped together as null):
cat eve.json | jq -s '[.[]|.http.hostname]|group_by(.)|map({key:.[0],value:(.|length)})|from_entries'

To get a high-level view of which alert signatures fired, and how often:
cat eve.json | jq -s '[.[]|.alert.signature]|group_by(.)|map({key:.[0],value:(.|length)})|from_entries'

To see the full records for one signature:
cat eve.json | jq 'select(.alert.signature =="ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16) M2")'

cat eve1.json | jq '.' (pretty-print the whole file)
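The same three jq questions (count by hostname, count by alert signature, select one signature) carried out in Python over a constructed EVE JSON sample, plus a pass that flags application/octet-stream responses, the EVE-side equivalent of exporting HTTP objects above. This is an added example, not code from the original post; the sample lines and addresses are made up, and only the field names (http.hostname, alert.signature, http.http_content_type) are assumed to match Suricata's layout.

```python
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON (one object per line). Values are made up;
# only the field layout (.http.hostname, .alert.signature, .http.http_content_type)
# is assumed to match what the jq commands above rely on.
SAMPLE_EVE = """\
{"event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.5","http":{"hostname":"compromised.example","url":"/index.php","http_method":"GET","http_content_type":"text/html"}}
{"event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.7","http":{"hostname":"ek-landing.example","url":"/landing","http_method":"GET","http_content_type":"text/html"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.10","alert":{"signature":"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16) M2","severity":1}}
{"event_type":"http","src_ip":"192.168.1.10","dest_ip":"198.51.100.7","http":{"hostname":"ek-landing.example","url":"/payload","http_method":"GET","http_content_type":"application/octet-stream"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.10","alert":{"signature":"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16) M2","severity":1}}
{"event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"c2.example"}}
"""
ANGLER_SIG = "ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16) M2"

def load_events(text):
    """Parse EVE JSON line by line; blank or truncated lines (live log) are skipped."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def count_field(events, *path):
    """Same aggregation as jq '[.[]|.a.b]|group_by(.)|...|from_entries'.
    Events lacking the field are counted under None, the null bucket jq shows."""
    counts = Counter()
    for ev in events:
        cur = ev
        for key in path:
            cur = cur.get(key) if isinstance(cur, dict) else None
        counts[cur] += 1
    return dict(counts)

def select_signature(events, signature):
    """Same as jq 'select(.alert.signature == "...")': full records for one rule."""
    return [ev for ev in events if ev.get("alert", {}).get("signature") == signature]

def binary_downloads(events):
    """HTTP transactions whose response was an octet-stream: the EVE-side analogue of
    exporting HTTP objects in Wireshark to spot delivered executables."""
    return [(ev["http"].get("hostname"), ev["http"].get("url"))
            for ev in events if ev.get("event_type") == "http"
            and ev["http"].get("http_content_type") == "application/octet-stream"]
```

Run against a real eve.json with `load_events(open("eve.json").read())`; the hostname count from a real file will also carry a large None bucket from flow, dns and alert records.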