Open source network forensics and advanced pcap analysis
OR
So we have a Pcap, now what?
By: GTKlondike
Oh hey, that guy…
I Am…
- Local hacker/independent security researcher
- Several years of experience in network infrastructure and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
- Passionate about networking
- I’m friendly, just come up and say hi
Contact Info:
- Email: gtklondike@gmail.com
- Blog: gtknetrunner.blogspot.com
I Am Here Because…
- Not enough easily accessible “advanced” material when it comes to packet analysis and network forensics
- Goal: To bridge the gap between basic understanding and real world usage
* Disclaimer: I am not an expert, I’m just really passionate about networks
This is For…
- Incident response teams
- Network defenders
- Malware analysts
- Law enforcement
- Network engineers
- Technology lawyers
- Infosec managers
- Security researchers
What should you know already?
- Assumed basic knowledge of:
  - Protocol analyzers (Wireshark/TCPdump)
  - OSI and TCP/IP model
  - Major protocols (e.g. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.)
Tools I Will Be Using
- Wireshark
- Network Miner
- Hex editor
- SiLK
- Scalpel
- GeoIP DB (http://dev.maxmind.com/geoip/legacy/geolite/)
What Is Network Forensics?
- Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
Pcap Data
Pros:
- Full packet capture
- Detailed communication information
- Used to set up new IDS/IPS rules
Cons:
- Large amount of data to parse
- Large file sizes
- Disk write latency: the capture box may drop packets, so the pcap is not guaranteed to hold every packet that crossed the wire
Flow Data
Pros:
- Easy to implement
- Easy to identify the important things at a high level
- Baselining
- Visualization
- Up to 10,000:1 reduction compared to the packet data
Cons:
- Different analysis suites and Flow types
- Mostly command line tools
- Only “who’s talking to whom”, not the details of the conversation
Network Forensics Process
- Know your Triggering Events
- Have a Goal
- Packet Capture Analysis
  - Pattern Matching
  - List Conversations
  - Export
  - File/Data Carving
Triggering Events
Examples of Triggering Events:
- IDS alert
- Noticeable anomaly (e.g. DoS or virus activity)
- Log anomalies
- Deviations from network baselines
- Known malicious/compromised system (e.g. known C&C servers, or traffic from out of country)
- Time frame
- Traffic signature
- etc.
Have A Goal
- Always have a goal for analysis: there could be many needles in the haystack, and not having a goal could prolong a particular investigation
- Prioritize your goals
Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol meta-data
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile data
Yeah….
Scenario 1
Triggering Events:
- User reporting malware activity
- Current AV solution does not have a signature for the virus; nor is the virus recoverable from the infected host
What We Know:
- Full network packet capture for the day of the incident
- Host of interest: 12.183.1.55
Security Onion: /opt/samples/fake_av.pcap
Scenario 1 (contd.)
What We Want to Know:
- Where did the user contract the malware from?
- Malware file (if possible)
- What kind of calls to the internet does it make?
- Does it try to self-propagate through the internal network?
- Possible network traffic signatures
Results Of The Investigation
- Where did the user contract the malware from?
  - User made a direct call to the executable. Therefore, the user either deliberately downloaded the malware, or there was a piece of malware sleeping on the system.
- Malware file (if possible)
  - Malware has been carved out and analyzed via virustotal.com
  - MD5 hash of the file: fbe86fe4bd273ba11ee09799994c9e93
  - SHA256 hash of the file: 7fdf98dbacfb45ed800b4ba66bb0887aa7e8529b4fb36bda63d28e1010fbd9d1
- What kind of calls to the internet does it make?
  - DNS queries for a plethora of domains
  - HTTP communication for web sites located on a few of those domains
- Does it try to self-propagate?
  - No communication to other internal addresses
- Network traffic signatures
  - High volume of DNS queries within a short amount of time
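The four methodology steps, and the Scenario 1 signature (many DNS queries from one host in a short time), worked through in an added Python example that is not part of the deck: a minimal libpcap reader run over a constructed capture. The helper names, the 10.0.0.x and 198.51.100.7 addresses and the burst thresholds are my assumptions, not values from the slides.

```python
import bisect, struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap magic (microsecond timestamps)

def eth_ipv4(src, dst, proto, l4):
    # Constructed Ethernet + IPv4 frame: fixed MACs, no options, zero checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def write_pcap(records):
    # Serialise (timestamp, frame) pairs as a libpcap file
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    # Decode IPv4 TCP/UDP packets into dicts; other frames are skipped
    if data[:4] != struct.pack("<I", PCAP_MAGIC):
        raise ValueError("not a little-endian libpcap file")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
            continue
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header (IHL words)
        pkts.append({"ts": sec + usec / 1e6, "proto": frame[23], "len": caplen,
                     "src": ".".join(map(str, frame[26:30])),
                     "dst": ".".join(map(str, frame[30:34])),
                     "sport": int.from_bytes(l4[:2], "big"),
                     "dport": int.from_bytes(l4[2:4], "big"), "frame": frame})
    return pkts

def conv_key(p):
    # Protocol plus unordered endpoint pair, so both directions share one key
    return (p["proto"], *sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def match(pkts, **fields):
    # Step 1, pattern matching: keep packets whose fields equal the given values
    return [p for p in pkts if all(p[k] == v for k, v in fields.items())]

def conversations(pkts):
    # Step 2, list conversations: {key: [packet count, byte count]}
    convs = defaultdict(lambda: [0, 0])
    for p in pkts:
        convs[conv_key(p)][0] += 1
        convs[conv_key(p)][1] += p["len"]
    return dict(convs)

def export_conversation(pkts, key):
    # Step 3, export: one conversation written back out as its own pcap
    return write_pcap([(p["ts"], p["frame"]) for p in pkts if conv_key(p) == key])

def dns_query_bursts(pkts, window=10.0, threshold=20):
    # Step 4 / Scenario 1 signature: hosts sending more than `threshold` DNS
    # queries (UDP to port 53) inside any `window`-second sliding window
    times = defaultdict(list)
    for p in match(pkts, proto=17, dport=53):
        times[p["src"]].append(p["ts"])
    noisy = {}
    for host, ts in times.items():
        ts.sort()
        for hi, t in enumerate(ts):
            count = hi - bisect.bisect_left(ts, t - window) + 1
            if count > threshold:
                noisy[host] = max(noisy.get(host, 0), count)
    return noisy

# Constructed capture: 10.0.0.5 fires 30 DNS queries in 3 seconds (the Scenario 1
# pattern) while 10.0.0.9 resolves one name and opens one TCP connection.
SAMPLE = write_pcap(
    [(1000 + i * 0.1, eth_ipv4("10.0.0.5", "10.0.0.53", 17, udp(40000 + i, 53, b"\0" * 32)))
     for i in range(30)]
    + [(1001.0, eth_ipv4("10.0.0.9", "10.0.0.53", 17, udp(5353, 53, b"\0" * 32))),
       (1001.1, eth_ipv4("10.0.0.53", "10.0.0.9", 17, udp(53, 5353, b"\0" * 48))),
       (1001.2, eth_ipv4("10.0.0.9", "198.51.100.7", 6, tcp(51000, 80, 0x02))),
       (1001.3, eth_ipv4("198.51.100.7", "10.0.0.9", 6, tcp(80, 51000, 0x12)))])
```

On a real capture, replace `SAMPLE` with the file contents and tune `window`/`threshold` to the network's own DNS baseline; the same conversation keys are what Wireshark's Conversations window lists.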
Scenario 2
Triggering Events:
- A denial of service (DoS) attack has been reported against FTP server 192.168.56.1
- FTP traffic spikes were seen prior to the FTP server being taken offline
What We Know:
- Captured traffic data that is narrowed down to the attacking host (192.168.56.101) and the FTP server (192.168.56.1)
Scenario 2 (contd.)
What We Want to Know:
- What happened?
- What caused the spike in FTP traffic?
- What events took place prior to the FTP server being taken offline? (e.g. were any files transferred to/from the FTP server, or were any user accounts compromised?)
Results Of The Investigation
- Attacker first initiated an ARP scan of the subnet 192.168.56.0/24
  - The following hosts were discovered: 192.168.56.1 and 192.168.56.100
- Attacker then began a port scan of host 192.168.56.1
  - The following ports were found open: 21, 445, 139, 135, 49152, 49153, 49154, 49155, 49156
- Attacker followed up with an FTP brute force attack against the FTP server
  - User anon credentials were compromised
- Attacker successfully logged in as user anon with the stolen credentials
  - File "Whywecanthavenicecat.png" was downloaded
  - MD5 sum of the file: 12039fd05bc2fcd3902247124edcea06
Just goin with the flow…
Network Flow
- A record of source and destination traffic information, without the conversation details:
  - Source IP
  - Destination IP
  - Source Port
  - Destination Port
  - Protocol
  - Start, end, and duration of the conversation *
  - Number of bytes
  - Number of Packets
  - Directionality *
* format dependent
Flow Use In Security
- Identify and track compromised hosts
- Identify potential data leaks to unauthorized networks (Exfiltration)
- Network/Host Traffic Patterns (Baselining)
Devices
- Sensor – Monitors flows and sends the information back to Collectors
- Collector – Collects flows from some or all sensors
- Analyzer – Performs analysis on the collected Flow data
Flow Formats
- Netflow V5 – Uses UDP to send information from Sensor to Collector; very common and widely adopted. Does not work with IPv6.
- Netflow V9 – Uses TCP, UDP, or SCTP (Stream Control Transmission Protocol) to send information from Sensor to Collector; also very common. Includes many improvements over Netflow V5.
Flow Formats (contd.)
- IPFIX (IP Flow Information Export) – Built off of Netflow V9; uses TCP, UDP, or SCTP to send information from Sensor to Collector.
- sFlow – Flow records built from sampled packets rather than from every packet.
Flow Analysis Methodology
- Filtering – Filter down flows to relevant targets
- Baselining – Compare flow record traffic to network baselines
- Pattern Matching – Monitor fingerprints in traffic flows
  - Unidirectional traffic volumes
  - Complex deviations from normal traffic
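The three flow-analysis steps above, as an added Python example that is not from the deck or from SiLK: constructed flow records in a simple pipe-delimited layout carrying the fields from the Network Flow slide are filtered, compared against a made-up per-host egress baseline, and checked for unidirectional flows and for the port-scan fan-out of Scenario 2. The function names, the record layout, the baseline values and the external address 198.51.100.7 are assumptions; only the 192.168.56.x hosts come from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    # The fields listed on the Network Flow slide, one record per direction
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    start: float
    end: float
    bytes: int
    packets: int

def parse_flows(text):
    # Pipe-delimited records: sIP|dIP|sPort|dPort|proto|start|end|bytes|packets
    flows = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        f = line.split("|")
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                          float(f[5]), float(f[6]), int(f[7]), int(f[8])))
    return flows

def filter_flows(flows, host=None, dport=None, proto=None):
    # Step 1, filtering: keep flows touching a host and/or matching port and protocol
    return [f for f in flows
            if (host is None or host in (f.sip, f.dip))
            and (dport is None or f.dport == dport)
            and (proto is None or f.proto == proto)]

def egress_deviation(flows, internal, baseline, factor=3.0):
    # Step 2, baselining: bytes each internal host sent outside `internal`, flagged
    # when above `factor` x its baseline (a host with no baseline is flagged too)
    net = ip_network(internal)
    sent = defaultdict(int)
    for f in flows:
        if ip_address(f.sip) in net and ip_address(f.dip) not in net:
            sent[f.sip] += f.bytes
    return {h: b for h, b in sent.items() if b > factor * baseline.get(h, 0)}

def unidirectional(flows):
    # Step 3a, pattern matching: flows with no matching reverse flow; probes of
    # filtered ports, spoofed floods and blocked connections all look like this
    seen = {(f.sip, f.sport, f.dip, f.dport, f.proto) for f in flows}
    return [f for f in flows if (f.dip, f.dport, f.sip, f.sport, f.proto) not in seen]

def port_scan_fanout(flows, min_ports=10):
    # Step 3b (the Scenario 2 port scan seen in flow form): one source touching
    # many distinct TCP ports on one destination -> {(src, dst): sorted ports}
    ports = defaultdict(set)
    for f in flows:
        if f.proto == 6:
            ports[(f.sip, f.dip)].add(f.dport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

SCAN_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080, 49152]
# Constructed records (not real SiLK output), reusing the Scenario 2 addresses:
SAMPLE = "sIP|dIP|sPort|dPort|proto|start|end|bytes|packets\n" + "\n".join(
    # one probe per port from 192.168.56.101 towards 192.168.56.1 ...
    [f"192.168.56.101|192.168.56.1|{40000 + i}|{p}|6|{100 + i:.1f}|{100 + i:.1f}|60|1"
     for i, p in enumerate(SCAN_PORTS)]
    # ... of which only 21 and 445 answer, so ten probes stay unidirectional
    + ["192.168.56.1|192.168.56.101|21|40000|6|100.0|100.0|60|1",
       "192.168.56.1|192.168.56.101|445|40008|6|108.0|108.0|60|1",
       # a normal FTP session and routine HTTPS from 192.168.56.100
       "192.168.56.100|192.168.56.1|50111|21|6|200.0|260.0|4200|40",
       "192.168.56.1|192.168.56.100|21|50111|6|200.0|260.0|3100|38",
       "192.168.56.100|198.51.100.7|50200|443|6|300.0|360.0|500000|600",
       "198.51.100.7|192.168.56.100|443|50200|6|300.0|360.0|40000|300",
       # the scanning host then pushes 9 MB to the outside, far above its baseline
       "192.168.56.101|198.51.100.7|50300|443|6|400.0|900.0|9000000|7000",
       "198.51.100.7|192.168.56.101|443|50300|6|400.0|900.0|250000|3500"])
BASELINE = {"192.168.56.100": 400_000, "192.168.56.101": 500_000}  # bytes/day, constructed
```

With real exports (SiLK `rwcut`, NetFlow/IPFIX collectors) only `parse_flows` needs to change to the tool's column layout; the three checks work on any record that carries the slide's fields.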
Additional Information (Pcap Files)
- http://www.netresec.com/?page=PcapFiles
- http://forensicscontest.com/puzzles
- http://www.honeynet.org/node/504
- https://www.evilfingers.com/repository/pcaps.php
- http://code.google.com/p/security-onion/wiki/Pcaps
Further Reading
- Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
  - By: Chris Sanders
- Network Forensics: Tracking Hackers Through Cyberspace
  - By: Sherri Davidoff, Jonathan Ham
- Guide to Integrating Forensic Techniques into Incident Response
  - http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
- SiLK Analysis Handbook
  - https://tools.netsa.cert.org/silk/analysis-handbook.pdf
- File Signatures
  - http://www.garykessler.net/library/file_sigs.html
