joemccray

Command-Line Packet Analysis/Network Forensics V2

Sep 27th, 2018
##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- http://www.vmware.com/ap/products/player.html

- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.



#########################
# Class Virtual Machine #
#########################

Here is the VMWare virtual machine for the class:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts



###################################
# Setting up your virtual machine #
# Note: run as root user          #
###################################

Here is where we will set up all of the required dependencies for the tools we plan to install.
---------------------------Type This-----------------------------------
apt update

apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq
-----------------------------------------------------------------------



Now we install Suricata:
---------------------------Type This-----------------------------------
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

tar -zxvf suricata-4.0.5.tar.gz

cd suricata-4.0.5

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

make

make install

make install-conf

cd rules

cp *.rules /etc/suricata/rules/

cd /etc/suricata/

wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz

tar -zxvf emerging.rules.tar.gz
-----------------------------------------------------------------------



###############################
# Analyzing a PCAP with Prads #
# Note: run as regular user   #
###############################

---------------------------Type This-----------------------------------
cd ~

mkdir pcap_analysis/

cd ~/pcap_analysis/

mkdir prads

cd ~/pcap_analysis/prads

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

prads -r suspicious-time.pcap -l prads-asset.log

cat prads-asset.log | less

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------
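The three grep lines above answer "is there a Windows box, which browsers, which web servers" by eyeballing. The script below is an added example (mine, not part of the workshop notes) that turns the same prads asset log into a de-duplicated per-host table. It runs on a constructed log written by write_sample_prads_log; the row layout follows prads' CSV format (asset,vlan,port,proto,service,[service-info],distance,discovered) and the SYN rows use p0f-style signatures, but the exact strings are invented and will differ from what suspicious-time.pcap produces. The one thing worth knowing about the format is that the bracketed service-info field can itself contain commas, so the bracket is located by position instead of splitting on commas.

```shell
#!/bin/sh
# Added example (not part of the workshop): structured findings from a prads
# asset log. prads writes one CSV row per observation:
#   asset,vlan,port,proto,service,[service-info],distance,discovered
# The bracketed service-info may contain commas (SYN fingerprints do), so a
# naive split on "," would mangle it.

# Write a CONSTRUCTED asset log to "$1". SYN rows follow the p0f signature
# layout win:ttl:df:size:options:quirks:OS:details; values are made up.
write_sample_prads_log() {
  cat > "$1" <<'EOF'
asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.3.15,0,1035,6,SYN,[65535:128:1:48:M1460,N,N,S:.:Windows:2000 SP4, XP SP1+],0,1259226000
10.0.3.15,0,0,6,CLIENT,[http:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)],0,1259226001
10.0.2.15,0,34567,6,SYN,[5840:64:1:60:M1460,S,T,N,W2:.:Linux:2.6],0,1259226002
192.168.1.2,0,80,6,SERVER,[http:Apache/2.2.9 (Ubuntu)],0,1259226003
192.168.1.3,0,80,6,SERVER,[http:nginx/0.7.65],0,1259226004
10.0.3.15,0,0,6,CLIENT,[http:Opera/9.80 (Windows NT 5.1)],0,1259226005
10.0.3.15,0,1036,6,SYN,[65535:128:1:48:M1460,N,N,S:.:Windows:2000 SP4, XP SP1+],0,1259226006
EOF
}

# prads_fingerprints LOG KIND: "asset<TAB>service-info" for every row whose
# service column is KIND (SYN, CLIENT, SERVER), de-duplicated. The bracketed
# field is cut out by position so embedded commas survive.
prads_fingerprints() {
  awk -F',' -v kind="$2" '
    $5 == kind {
      s = index($0, "["); e = index($0, "]")
      print $1 "\t" substr($0, s + 1, e - s - 1)
    }' "$1" | sort -u
}

# prads_os_guesses LOG: one "asset OS:details" line per host that sent SYNs.
# Colon-separated fields 7 and 8 of the signature are the OS and its details,
# so trailing fields some versions append are ignored.
prads_os_guesses() {
  prads_fingerprints "$1" SYN |
    awk -F'\t' '{ split($2, p, ":"); print $1, p[7] ":" p[8] }' | sort -u
}

# Demo on the constructed log.
log=$(mktemp)
write_sample_prads_log "$log"
echo "== OS guesses from SYN fingerprints =="; prads_os_guesses "$log"
echo "== client software ==";                 prads_fingerprints "$log" CLIENT
echo "== server software ==";                 prads_fingerprints "$log" SERVER
rm -f "$log"
```

On the real prads-asset.log, replace the mktemp demo with prads_os_guesses prads-asset.log; the two Windows SYN rows in the sample collapse to one line, which is the point of keying on the asset rather than on every observation.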



##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type This-----------------------------------
cd ~

mkdir -p pcap_analysis/chaos_reader/

cd ~/pcap_analysis/chaos_reader/

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl

perl chaosreader.pl suspicious-time.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

for i in session_00[0-9]*.http.html; do
    srcip=$(grep 'http:\ ' "$i" | awk '{print $2}' | cut -d ':' -f1)
    dstip=$(grep 'http:\ ' "$i" | awk '{print $4}' | cut -d ':' -f1)
    host=$(grep 'Host:\ ' "$i" | sort -u | sed -e 's/Host:\ //g')
    echo "$srcip --> $dstip = $host"
done | sort -u

python -m SimpleHTTPServer
****** Open a web browser and browse to the IP address of your Linux machine on port 8000 to view the ChaosReader report *****

------------------------------------------------------------------------



#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type This-----------------------------------
cd ~/pcap_analysis/

mkdir tshark

cd ~/pcap_analysis/tshark

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

tshark -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -T fields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------
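Several of the tshark lines above re-parse the pcap just to re-filter the same four columns. The script below is an added example (mine, not from the workshop) that works on a saved copy of the "-T fields -e ip.src -e ip.dst -e http.host -e http.request.uri" output instead, so the filter can be iterated on without touching the pcap again. It assumes that output was redirected to a file (tshark emits one tab-separated line per request, with an empty column where the request had no Host header); the sample file written by write_sample_http_fields is constructed for the example and is not output from suspicious-time.pcap. The STATIC_RE and NOISE_HOSTS_RE patterns reproduce the grep -v exclusions used above and are meant to be edited per case.

```shell
#!/bin/sh
# Added example (not part of the workshop): post-process saved output of
#   tshark -r suspicious-time.pcap -Y http.request -T fields \
#          -e ip.src -e ip.dst -e http.host -e http.request.uri
# Parsing the pcap once and filtering the text copy keeps each refinement cheap.

# Requests that rarely matter during first-pass triage. The workshop drops
# /image, .css and .ico plus the google and honeynet.org hosts; adjust per
# case. Bracket classes are used so the -v values carry no backslashes.
STATIC_RE='/image|[.]css$|[.]ico$'
NOISE_HOSTS_RE='google|honeynet[.]org'

# Write CONSTRUCTED sample output (four tab-separated columns) to "$1". The
# sixth request has no Host header, which tshark emits as an empty column.
write_sample_http_fields() {
  printf '%s\t%s\t%s\t%s\n' \
    10.0.3.15 192.168.1.2 rapidshare.com.eyu32.ru '/login.php?user=demo' \
    10.0.3.15 192.168.1.2 rapidshare.com.eyu32.ru '/images/logo.gif' \
    10.0.3.15 192.168.1.3 sploitme.com.cn '/?click=sample1' \
    10.0.3.15 192.168.1.3 sploitme.com.cn '/style.css' \
    10.0.3.15 192.168.1.4 www.google.com '/search?q=x' \
    10.0.2.15 192.168.1.5 '' '/index.html' \
    10.0.3.15 192.168.1.3 sploitme.com.cn '/fg/show.php?s=sample1' \
    > "$1"
}

# http_urls FILE: "src -> dst : http://host/uri" with static assets and
# out-of-scope hosts removed. A missing Host header is shown as "(no-host)"
# rather than producing a URL with no host, so the request is not overlooked.
http_urls() {
  awk -F'\t' -v static="$STATIC_RE" -v noise="$NOISE_HOSTS_RE" '
    $4 ~ static || $3 ~ noise { next }
    {
      host = ($3 == "") ? "(no-host)" : $3
      printf "%s -> %s\t: http://%s%s\n", $1, $2, host, $4
    }' "$1"
}

# http_host_counts FILE: number of requests per Host header, busiest first.
http_host_counts() {
  awk -F'\t' '{ h = ($3 == "") ? "(no-host)" : $3; print h }' "$1" |
    sort | uniq -c | sort -rn
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_http_fields "$sample"
echo "== requests worth a look =="; http_urls "$sample"
echo "== requests per host ==";     http_host_counts "$sample"
rm -f "$sample"
```

With real data: tshark ... -T fields ... > http.tsv, then http_urls http.tsv and http_host_counts http.tsv. Note the count function deliberately does not apply the noise filter, so a host that was excluded still shows up in the totals and the exclusion stays visible.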



###############################
# PCAP Analysis with Suricata #
# Note: run as root           #
###############################
---------------------------Type This-----------------------------------
cd /home/joe/pcap_analysis/

mkdir suricata

cd suricata/

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

mkdir suri

suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/

cd suri/

cat stats.log | less

cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}

cat xx01

cat xx02

cat xx03

cat xx04

cat xx05

cat xx06
------------------------------------------------------------------------
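The jq/csplit pipeline above splits every HTTP event into its own xx file, which is fine for a handful of events but awkward for a busy capture. The script below is an added example (mine, not from the workshop) that flattens eve.json to one line per HTTP event and counts events by type, using only awk. It works because eve.json holds one JSON object per line and the fields read here are plain strings or numbers without escaped quotes; for anything richer (nested arrays, quoted characters in URLs) jq is the right tool and this is only a fallback for a box without it. The sample eve.json written by write_sample_eve is constructed: the timestamps, flow ids and the alert signature are invented, and the two hostnames are the ones the workshop already looks at.

```shell
#!/bin/sh
# Added example (not part of the workshop): jq-free triage of Suricata eve.json.
# Relies on eve.json being one JSON object per line with simple string/number
# values in the fields used; use jq for anything beyond that.

# CONSTRUCTED eve.json: two http events, one dns query, one alert. Values are
# made up; "signature" is a placeholder, not a real rule.
write_sample_eve() {
  printf '%s\n' \
  '{"timestamp":"2009-11-26T10:00:01.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.3.15","src_port":1035,"dest_ip":"192.168.1.2","dest_port":80,"proto":"TCP","http":{"hostname":"rapidshare.com.eyu32.ru","url":"/login.php","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":1024}}' \
  '{"timestamp":"2009-11-26T10:00:02.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.3.15","src_port":1040,"dest_ip":"10.0.2.3","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7,"rrname":"sploitme.com.cn","rrtype":"A"}}' \
  '{"timestamp":"2009-11-26T10:00:03.000000+0000","flow_id":3,"event_type":"http","src_ip":"10.0.3.15","src_port":1041,"dest_ip":"192.168.1.3","dest_port":80,"proto":"TCP","http":{"hostname":"sploitme.com.cn","url":"/?click=sample1","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","http_method":"GET","protocol":"HTTP/1.1","status":302,"length":0}}' \
  '{"timestamp":"2009-11-26T10:00:04.000000+0000","flow_id":3,"event_type":"alert","src_ip":"192.168.1.3","src_port":80,"dest_ip":"10.0.3.15","dest_port":1041,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1,"rev":1,"signature":"PLACEHOLDER sample signature","category":"Not Suspicious Traffic","severity":3}}' \
  > "$1"
}

# eve_http_summary FILE: one line per http event:
#   timestamp src -> dst http://hostname/url (status)
eve_http_summary() {
  awk '
    # field(key): value of "key":"string" or "key":number on this line, or "-"
    function field(key,    m) {
      if (match($0, "\"" key "\":\"[^\"]*\"")) {
        m = substr($0, RSTART, RLENGTH)
        sub(/^"[^"]*":"/, "", m); sub(/"$/, "", m)
        return m
      }
      if (match($0, "\"" key "\":[^,}]*")) {
        m = substr($0, RSTART, RLENGTH)
        sub(/^"[^"]*":/, "", m)
        return m
      }
      return "-"
    }
    /"event_type":"http"/ {
      printf "%s %s -> %s http://%s%s (%s)\n",
        field("timestamp"), field("src_ip"), field("dest_ip"),
        field("hostname"), field("url"), field("status")
    }' "$1"
}

# eve_event_counts FILE: "count event_type", most frequent first. A quick way
# to see whether the run produced alerts at all before reading fast.log.
eve_event_counts() {
  awk '
    match($0, /"event_type":"[^"]*"/) {
      t = substr($0, RSTART + 14, RLENGTH - 15)   # strip "event_type":" and "
      c[t]++
    }
    END { for (t in c) print c[t], t }' "$1" | sort -rn
}

# Demo on the constructed file.
eve=$(mktemp)
write_sample_eve "$eve"
echo "== event types ==";  eve_event_counts "$eve"
echo "== http events ==";  eve_http_summary "$eve"
rm -f "$eve"
```

Run eve_http_summary suri/eve.json after the suricata command above to get the same information as the xx files in a form that sort, uniq -c and grep can work on.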


#############################
# PCAP Analysis with Yara   #
# Note: run as regular user #
#############################
---------------------------Type This-----------------------------------
cd ~/pcap_analysis/

git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
ls
cat index.yar
clear
./index_gen.sh
cd ..
mkdir matching_files/
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
whereis tcpflow
vi yaraPcap.py    **** fix line 35 with the correct path to tcpflow (from the whereis output above), then save and quit ****
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
cd matching_files/
ls
cat report.txt
------------------------------------------------------------------------



######################################################################################################
# Analyzing C&C with Bro IDS and RITA                                                                #
# Run the following commands as root                                                                 #
# References:                                                                                        #
# https://www.vultr.com/docs/installing-bro-ids-on-ubuntu-16-04                                      #
# https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/ #
######################################################################################################

sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list"
wget -nv http://download.opensuse.org/repositories/network:bro/xUbuntu_16.04/Release.key -O Release.key
apt-key add - < Release.key
apt-get update
apt-get install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev sendmail sendmail-bin


mkdir -p /root/Bro-IDS/
cd /root/Bro-IDS/
wget https://www.bro.org/downloads/bro-2.5.2.tar.gz
tar -xvzf bro-2.5.2.tar.gz
cd bro-2.5.2
./configure --prefix=/root/Bro-IDS
make
make install
export PATH=/root/Bro-IDS/bin:$PATH


vi /root/Bro-IDS/etc/node.cfg        **** set the interface= line to your VM's capture interface ****
/root/Bro-IDS/bin/broctl             **** opens the interactive BroControl shell ****
install                              **** typed at the [BroControl] > prompt ****
exit
/root/Bro-IDS/bin/broctl deploy


mkdir b_analysis/
cd b_analysis/
bro -C -r suspicious-time.pcap local "Site::local_nets += { 10.0.0.0/8 }"
ls -S dns.log
cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5


git clone https://github.com/ocmdev/rita.git

cd rita/

chmod +x install.sh

./install.sh

source ~/.bashrc

systemctl start mongod

rita import -i /root/btest/ -d suspicious-time

rita analyze

cd suspicious-time

python -m SimpleHTTPServer