
Page 1:

Ben S. Knowles, BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1, et cetera

Sharkin': Using Wireshark to find evil in packet captures

Page 2:

Packet Captures

● Recordings of Internet activity

● Often used by analysts and researchers

What can you quickly find out from a pcap?

Buy the official Three Investigators Cluedo (auf Deutsch) at http://www.eastforkids.com/

Page 3:

pcaps: quick answers

Basic packet analysis should find:

● IP addresses involved → hosts → who

● Protocols used → how → characterization

● Directionality → who did to whom

● Application used (if any) → how → TTP

● Time and date → when, but watch out for timezones!

These add up to a characterization of the traffic and the story it may tell:

● Who?, Did What?, When?, To Whom?

● What is the significance (so what)? and

● What should someone do about it?

Page 4:

IDS: a source of packets for analysis

● Intrusion Detection Systems (IDS):

– Bro IDS, Snort, Suricata, RealSecure, McAfee NSM

● Alert on traffic that matches signature rules (Snort et al.)

– Or log and notify based on policy (Bro IDS)

● Alerts are displayed in consoles:

– DSWX CTP Portal, sguil, Snorby, SiteProtector, EPO

● Consoles display many event details

– And (usually) give you the option to pull a pcap file

Page 5:

Wireshark: about

Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

from: https://wireshark.org/about.html

Looks a bit like this –> (screenshot on the original slide)

Page 6:

Packet analysis tips: safety and accuracy

● Get offline!

– Isolate your analysis environment for safety and cleaner results

● Disable lookups in your tools

– tcpdump -nn

– Wireshark: uncheck in View / Name Resolution

● Keep your analysis tools updated!

– Analysis tools are a juicy target for attackers.

– File and protocol parsers are a constant source of vulnerabilities

● No captures on production networks or other people's networks!

– Check with your boss / client / spouse / lawyer before capturing traffic.

● Double-check those timezones again.

– Most computer systems record time in UTC no matter where they are.

Page 7:

Packets! Let's get some packets and take a look!

PCAP files are at: http://www.atlbbs.com/sharkin/

Page 8:

Snorby: a few events

Page 9:

Snorby: "id check returned root": testmy-handout.pcap

Page 10:

testmy-handout.pcap: questions

Let's find:

● IP addresses involved → hosts → who

● Protocols used → how → characterization

● Directionality → who did to whom

● Application used (if any) → how → TTP

● Time and date → when, but watch out for timezones!

These add up to a characterization of the traffic and the story it may tell:

● Who?, Did What?, When?, To Whom?

● What is the significance (so what)? and

● What should someone do about it?

Page 11:

Wireshark tricks: Statistics Summary

In Wireshark menu:

Statistics / Summary

Gives capture times and packet statistics.

Similar output to the capinfos command.

Page 12:

testmy-handout.pcap: answers

● Root user is super admin on UNIX systems

● This suggests an attacker has gotten remote root

● Game over?

Found at anvari.org

Page 13:

Snorby: WordPress login: ptmag-login.pcap

Page 14:

ptmag-login.pcap: questions

Let's find:

● IP addresses involved → hosts → who

● Protocols used → how → characterization

● Directionality → who did to whom

● Application used (if any) → how → TTP

● Time and date → when, but watch out for timezones!

These add up to a characterization of the traffic and the story it may tell:

● Who?, Did What?, When?, To Whom?

● What is the significance (so what)? and

● What should someone do about it?

Page 15:

Wireshark tricks: filters

● Powerful filters let us sift and sort through captures

● Color highlighting for syntax check

● Suggestions help you pick fields

● Use what you already know to find what you are looking for faster

Page 16:

Wireshark tricks: display filters

From the alert we already know the following, and can filter on each to sift out packets (numbers in parentheses are counts from the capture):

● Protocols:

– TCP/IP (2445)

– HTTP (2445)

● Hosts

– 192.168.15.105 (1082)

– & 79.125.109.24?

● Applications:

– PenTestMag site (73)

– HTML form (1)

– WordPress blog (1)

Page 17:

Research: reproduce it and pcap it, search the pcaps ...

## check my tcpdump settings with a live capture ##

sudo tcpdump -i en0 -v 'host 79.125.109.24'

## verified, capture session to a file ##

sudo tcpdump -i en0 -w ptmag.pcap 'host 79.125.109.24'

Offstage: log in to the suspect site again in the browser, then

## read back the capture file and dump hex+ASCII text to another file ##
## (redirect stdout first, then stderr, so both land in the file) ##

tcpdump -r ptmag.pcap -X > outfile.txt 2>&1

## Look for suspicious strings in the output, grep -c counts ##

grep Password -c outfile.txt ; grep Password outfile.txt

grep adricnet -c outfile.txt ; grep adricnet outfile.txt

Page 18:

Much easier in Wireshark: Find Packet

● Edit / Find Packet

● By: String

● Search in: Packet bytes

Page 19:

ptmag-login.pcap: answers

Seems our subject web magazine isn't handling logins properly.

● SSL/TLS should be used for all logins and all login pages.

● Especially for public and commercial sites (this one is both).

We should send them a nice note about this after the brownbag is over.

Found on InfoSec Reactions, a very silly place.
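The display-filter slide (Page 16), the Find Packet slide (Page 18) and the conclusion above all come down to the same two moves: count the packets that match what you already know, then look for the string that proves the login went over in the clear. The script below is an added example, not part of the deck and not the author's code: it applies display-filter-style predicates to a small constructed packet list and then flags HTTP POSTs that carry a password field over plain port-80 HTTP. The client and server addresses are the ones named on the filter slide; the hostname, ports, username and password are placeholders, and "port 80" stands in for "no TLS" (a real tool would check for a TLS handshake rather than trust the port number).

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Packet:
    """Only the fields the slide's filters need; a real tool would take these from the dissected frame."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Constructed sample traffic (not from ptmag-login.pcap): addresses from the filter slide,
# everything else (host name, ports, username, password) is a placeholder.
CLIENT, SERVER = "192.168.15.105", "79.125.109.24"
PACKETS = [
    Packet(CLIENT, SERVER, 51000, 80, b"GET /wp-login.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(SERVER, CLIENT, 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form method=post action=/wp-login.php>"),
    Packet(CLIENT, SERVER, 51001, 80, b"POST /wp-login.php HTTP/1.1\r\nHost: example.test\r\n"
                                      b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
                                      b"log=analyst&pwd=not-a-real-password"),
    Packet(SERVER, CLIENT, 80, 51001, b"HTTP/1.1 302 Found\r\nLocation: /wp-admin/\r\n\r\n"),
    Packet(CLIENT, "192.168.15.1", 53000, 53, b"\x12\x34\x01\x00"),   # unrelated DNS query, must not match
]


# Each helper mirrors one Wireshark display-filter primitive and returns a predicate over Packet.
def ip_addr(addr):            # ip.addr == addr
    return lambda p: addr in (p.src, p.dst)


def tcp_port(port):           # tcp.port == port
    return lambda p: port in (p.sport, p.dport)


def http_request():           # http.request: an HTTP request line at the start of the payload
    return lambda p: re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", p.payload) is not None


def contains(needle):         # frame contains "needle": the same idea as Edit / Find Packet, by string
    return lambda p: needle in p.payload


def count(packets, *preds):
    """Packets matching every predicate, i.e. the filter 'a && b && ...'; the counts the slide shows in parentheses."""
    return sum(1 for p in packets if all(f(p) for f in preds))


PASSWORD_FIELDS = {"pwd", "password", "pass", "passwd", "user_pass"}


def find_cleartext_logins(packets):
    """Flag HTTP POSTs to port 80 whose form body has a password-like field.
    Returns (client, server, path, field) tuples; the password value itself is deliberately not returned."""
    hits = []
    for p in packets:
        if p.dport != 80 or not p.payload.startswith(b"POST "):
            continue
        head, sep, body = p.payload.partition(b"\r\n\r\n")
        if not sep:
            continue                                   # headers only, no form body in this segment
        path = head.split(b" ", 2)[1].decode(errors="replace")
        for field in parse_qs(body.decode(errors="replace")):
            if field.lower() in PASSWORD_FIELDS:
                hits.append((p.src, p.dst, path, field))
    return hits


if __name__ == "__main__":
    print("ip.addr == 79.125.109.24:", count(PACKETS, ip_addr(SERVER)))
    print("tcp.port == 80 && http.request:", count(PACKETS, tcp_port(80), http_request()))
    print('frame contains "pwd=":', count(PACKETS, contains(b"pwd=")))
    for hit in find_cleartext_logins(PACKETS):
        print("cleartext login:", hit)
```

The detector reports where the password went and in which field, never the value: that is all a ticket to the site owner needs, and it keeps the credential out of your own notes and logs.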

Page 20:

pcaps from ATTACK research ;)

Trying out some IE8 attacks on a WinXP VM on my Mac at home

Packets captured to file:

msf_ie0day_winxpsp3.pcap

Page 21:

msf_ie0day_winxpsp3.pcap

Page 22:

msf_ie0day_winxpsp3.pcap: questions

Let's find:

● IP addresses involved → hosts → who

● Protocols used → how → characterization

● Directionality → who did to whom

● Application used (if any) → how → TTP

● Time and date → when, but watch out for timezones!

These add up to a characterization of the traffic and the story it may tell:

● Who?, Did What?, When?, To Whom?

● What is the significance (so what)? and

● What should someone do about it?

Page 23:

Wireshark tricks: Conversations

In Wireshark menu:

Statistics / Conversations

Shows all network flows at multiple layers:

● Ethernet

● IP

● TCP

Page 24:

Wireshark tricks: Follow Stream

In Conversations panel:

Select a line and

Follow Stream

Page 25:

Wireshark tricks: Evil found!

This is a Windows Executable.

Attacker is delivering a payload to the victim host.

This is pretty bad.

In Wireshark you can use Save As to pull the file contents out for analysis or reverse engineering (RE).

Congratulations, you found some evil with Wireshark!
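Everything the deck pulls out of Wireshark by hand can be checked from a script, which is useful when you have a directory of alert pcaps rather than one. The program below is an added example, not the deck's code and not Wireshark's: a dependency-free reader for classic libpcap files that reproduces, over a small constructed capture, the quick answers of Page 3 (hosts, protocols, directionality, UTC times), Statistics / Summary from Page 11 (capinfos-style first/last time and counts), Statistics / Conversations from Page 23 (TCP flows with per-direction counts), Follow Stream from Page 24, and the Save As step on this slide (carving an HTTP body that starts with the Windows "MZ" header). The addresses, ports, timestamps and payloads are constructed and are not taken from msf_ie0day_winxpsp3.pcap; the reader handles only Ethernet/IPv4 frames in the classic pcap format (not pcapng), and the stream follower concatenates segments in capture order without TCP sequence reordering.

```python
import struct
from collections import Counter, defaultdict
from datetime import datetime, timezone


def build_pcap(frames):
    """Serialise (epoch_sec, usec, bytes) frames as a little-endian libpcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because the reader never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip + tcp


def read_pcap(data):
    """Yield (utc_time, src, dst, proto, sport, dport, payload) per IPv4 frame; other frames are skipped."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"        # the magic number also reveals the writer's byte order
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto, src, dst = frame[23], ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        l4, sport, dport, payload = frame[14 + ihl:], None, None, frame[14 + ihl:]
        if proto in (6, 17):
            sport, dport = struct.unpack_from("!HH", l4, 0)
            payload = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]
        # pcap timestamps are UTC epoch seconds: render them as UTC, not in the analyst's local zone
        yield datetime.fromtimestamp(sec + usec / 1e6, tz=timezone.utc), src, dst, proto, sport, dport, payload


def summary(pkts):
    """Statistics / Summary (capinfos): packet count, first and last timestamp in UTC, protocol mix."""
    times, names = [p[0] for p in pkts], {6: "tcp", 17: "udp"}
    return {"packets": len(pkts), "first_utc": min(times).isoformat(), "last_utc": max(times).isoformat(),
            "protocols": dict(Counter(names.get(p[3], str(p[3])) for p in pkts))}


def conversations(pkts):
    """Statistics / Conversations, TCP layer: one entry per endpoint pair with [a->b, b->a] packet counts."""
    flows = defaultdict(lambda: [0, 0])
    for _, src, dst, proto, sport, dport, _ in pkts:
        if proto != 6:
            continue
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)               # direction-independent key; order gives directionality
        flows[key][0 if key == (a, b) else 1] += 1
    return dict(flows)


def follow_stream(pkts, a, b):
    """Follow Stream: payload bytes a->b and b->a in capture order (no sequence reordering in this toy)."""
    a_to_b, b_to_a = b"", b""
    for _, src, dst, proto, sport, dport, payload in pkts:
        if proto == 6 and ((src, sport), (dst, dport)) == (a, b):
            a_to_b += payload
        elif proto == 6 and ((src, sport), (dst, dport)) == (b, a):
            b_to_a += payload
    return a_to_b, b_to_a


def carve_executable(http_stream):
    """Save As equivalent: return the HTTP body if it begins with the Windows 'MZ' header, else None."""
    _, sep, body = http_stream.partition(b"\r\n\r\n")
    return body if sep and body.startswith(b"MZ") else None


VICTIM, SERVER = ("10.0.0.5", 49153), ("10.0.0.9", 80)     # constructed endpoints, not from the deck's pcaps
T0 = 1372636800                                              # 2013-07-01T00:00:00Z, chosen for the example
SAMPLE_PCAP = build_pcap([
    (T0, 0, build_frame("10.0.0.5", "10.0.0.9", 49152, 80, b"GET / HTTP/1.1\r\nHost: server.test\r\n\r\n")),
    (T0 + 1, 0, build_frame("10.0.0.9", "10.0.0.5", 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>")),
    (T0 + 2, 0, build_frame("10.0.0.5", "10.0.0.9", 49153, 80, b"GET /dl HTTP/1.1\r\nHost: server.test\r\n\r\n")),
    (T0 + 3, 0, build_frame("10.0.0.9", "10.0.0.5", 80, 49153,
                            b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00" + b"\x00" * 58 + b"PE\x00\x00")),
])


def analyse(data=SAMPLE_PCAP):
    """Run the whole walk-through: returns (summary, conversations, carved executable bytes or None)."""
    pkts = list(read_pcap(data))
    _, server_to_victim = follow_stream(pkts, VICTIM, SERVER)
    return summary(pkts), conversations(pkts), carve_executable(server_to_victim)


if __name__ == "__main__":
    s, c, exe = analyse()
    print(s)
    print(c)
    print("executable carved:", None if exe is None else f"{len(exe)} bytes")
```

The "MZ" check is only the first hint that the response body is a Windows executable, the same hint you see in the Follow Stream window; the carved bytes still need to go to a sandbox or a reverse engineer, which is what the slide's Save As step is for.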

Page 26:

Next Steps?

Wireshark books:

● Practical Packet Analysis, 2nd Ed http://nostarch.com/packet2.htm

● Wireshark 101 http://www.wiresharkbook.com/

Network analysis, forensics courses:

● SANS SEC503 and GCIA

● SANS FOR572 (new!)

– Now in beta

Page 27:

References

Slide deck, pcaps, and links available online:

http://f.adric.net/index.cgi/wiki?name=Sharkin