Speaker: GTKlondike
There is a lot of information freely available on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well-defined limit on how in-depth the topic is covered. This intermediate-level talk aims to bridge the gap between a basic understanding of protocol analyzers (e.g. Wireshark and tcpdump) and practical real-world usage. Topics covered include network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network-based attacks. It is assumed the audience has a working knowledge of protocol analysis tools (e.g. Wireshark and tcpdump), the OSI and TCP/IP models, and major protocols (e.g. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years of experience working as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
3. I Am…
Local hacker/independent security researcher
Several years of experience in network infrastructure and security consulting as well as systems administration (Routing, Switching, Firewalls, Servers)
Passionate about networking
I’m friendly, just come up and say hi
Contact Info:
Email: gtklondike@gmail.com
Blog: gtknetrunner.blogspot.com
4. I Am Here Because…
Not enough easily accessible “advanced” material when it comes to packet analysis and network forensics
Goal: To bridge the gap between basic understanding and real world usage
* Disclaimer: I am not an expert, I’m just really passionate about networks
5. This is For…
Incident response teams
Network defenders
Malware analysts
Law enforcement
Network engineers
Technology lawyers
Infosec managers
Security researchers
7. What should you know already?
Assumed basic knowledge of:
Protocol analyzers (Wireshark/TCPdump)
OSI and TCP/IP model
Major protocols (e.g. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.)
8. Tools I Will Be Using
Wireshark
NetworkMiner
Hex editor
SiLK
Scalpel
GeoIP DB (http://dev.maxmind.com/geoip/legacy/geolite/)
9. What Is Network Forensics?
Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.
10. Pcap Data
Pros:
Full packet capture
Detailed communication information
Used to set up new IDS/IPS rules
Cons:
Large amount of data to parse
Large file sizes
Disk write latency may cause packets to be dropped from the capture
11. Flow Data
Pros:
Easy to implement
Easy to identify the important things at a high level
Baselining
Visualization
Up to a 10,000:1 size reduction compared to full packet capture
Cons:
Different analysis suites and flow types
Mostly command-line tools
Only “who’s talking to whom”, not the details of the conversation
12. Network Forensics Process
Know your Triggering Events
Have a Goal
Packet Capture Analysis
Pattern Matching
List Conversations
Export
File/Data Carving
13. Triggering Events
Examples of Triggering Events:
IDS alert
Noticeable anomaly (e.g. DoS or virus activity)
Log anomalies
Deviations from network baselines
Known malicious/compromised system (e.g. known C&C servers, or traffic from out of country)
Time frame
Traffic signature
etc.
14. Have A Goal
Always have a goal for the analysis: there could be many needles in the haystack, and not having a goal can prolong an investigation.
Prioritize your goals.
15. Pcap Analysis Methodology
1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol metadata
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from the streams and compile the data
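The four steps above, together with the file/data carving step from the Network Forensics Process slide, as one added worked example in Python. This is not the speaker's code, nor Wireshark's or Scalpel's: it is a minimal libpcap reader (Ethernet/IPv4/TCP only), pattern matching on packet fields, a conversation list, a seq-ordered stream export that discards a retransmitted segment, and Scalpel-style header/footer carving of a PNG followed by MD5/SHA-256 hashing, the same two hashes the scenario results report. The capture it analyses is constructed inline: the hosts 10.0.0.5, 203.0.113.10 and 203.0.113.20, the request for /cat.png and the PNG-shaped bytes are all made up for the example and have nothing to do with the scenario's fake_av.pcap.

```python
import hashlib
import socket
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport seq payload")

def parse_pcap(data):
    """Decode a classic libpcap file into Packet records (Ethernet/IPv4/TCP only; others skipped)."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic reveals the writer's byte order
    off, pkts = 24, []                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:        # not IPv4, or not TCP: skip
            continue
        l4 = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        pkts.append(Packet(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                           sport, dport, seq, l4[(l4[12] >> 4) * 4:]))
    return pkts

def match(pkts, **crit):
    """Step 1, pattern matching: keep packets whose fields equal the given values."""
    return [p for p in pkts if all(getattr(p, k) == v for k, v in crit.items())]

def conversations(pkts):
    """Step 2: group packets into bidirectional conversations, like Wireshark's Conversations view."""
    convs = {}
    for p in pkts:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        c = convs.setdefault(key, {"packets": 0, "bytes": 0})
        c["packets"] += 1
        c["bytes"] += len(p.payload)
    return convs

def export_stream(pkts, src, sport, dst, dport):
    """Step 3: reassemble one direction of a TCP stream by seq; a retransmit is just a duplicate seq."""
    segs = {}
    for p in pkts:
        if p.payload and (p.src, p.sport, p.dst, p.dport) == (src, sport, dst, dport):
            segs.setdefault(p.seq, p.payload)                 # first copy wins
    return b"".join(segs[s] for s in sorted(segs))

def hashes(blob):
    return {"md5": hashlib.md5(blob).hexdigest(), "sha256": hashlib.sha256(blob).hexdigest()}

CARVERS = {"png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82")}   # header/footer pairs, Scalpel-style

def carve(blob):
    """Step 4: carve files out of an exported stream by magic header/footer and hash them."""
    found = []
    for kind, (head, tail) in CARVERS.items():
        pos = 0
        while (i := blob.find(head, pos)) >= 0 and (j := blob.find(tail, i)) >= 0:
            f = blob[i:j + len(tail)]
            found.append({"type": kind, "size": len(f), **hashes(f)})
            pos = j + len(tail)
    return found

def analyze(pcap_bytes):
    """Run the four steps over a capture, focusing on HTTP on port 80."""
    pkts = parse_pcap(pcap_bytes)
    web = match(pkts, dport=80) + match(pkts, sport=80)          # step 1
    convs = conversations(web)                                    # step 2
    files = []
    for (a, ap), (b, bp) in convs:                                # steps 3 and 4, both directions
        for s, sp, d, dp in ((a, ap, b, bp), (b, bp, a, ap)):
            files += carve(export_stream(web, s, sp, d, dp))
    return {"conversations": convs, "files": files}

SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")             # constructed PNG-shaped bytes, not an image

def _frame(src, dst, sport, dport, payload, seq):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp    # dummy MACs, zeroed checksums

def build_sample_pcap():
    """Constructed capture: a TLS-looking packet, an HTTP GET, a PNG reply in two segments, one retransmit."""
    client, server = "10.0.0.5", "203.0.113.10"
    body = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
    cut = 60                                                      # split so the PNG straddles two segments
    frames = [
        (1.0, _frame(client, "203.0.113.20", 40001, 443, b"\x16\x03\x01\x00\x05hello", 700)),
        (1.1, _frame(client, server, 40000, 80, b"GET /cat.png HTTP/1.1\r\nHost: x.test\r\n\r\n", 1000)),
        (1.2, _frame(server, client, 80, 40000, body[:cut], 5000)),
        (1.3, _frame(server, client, 80, 40000, body[cut:], 5000 + cut)),
        (1.4, _frame(server, client, 80, 40000, body[:cut], 5000)),   # retransmit of the first segment
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for ts, fr in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(fr), len(fr)) + fr
    return out
```

analyze(open("capture.pcap", "rb").read()) works the same way on any real Ethernet capture (the filename is a placeholder). Two caveats a practitioner will hit immediately: a server that sends the body chunked or gzip-encoded has to be decoded before carving, which is the part of Wireshark's Export Objects this example leaves out, and a carver driven by footer bytes will stop at the first IEND it sees, so a hash mismatch with the original file usually means the footer was found inside the data, not that reassembly failed.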
17. Scenario 1
Triggering Events:
User reporting malware activity
Current AV solution does not have a signature for the virus, nor is the virus recoverable from the infected host
What We Know:
Full network packet capture for the day of the incident
Host of interest: 12.183.1.55
Security Onion: /opt/samples/fake_av.pcap
18. Scenario 1 (contd.)
What We Want to Know:
Where did the user contract the malware from?
Malware file (if possible)
What kind of calls to the internet does it make?
Does it try to self-propagate through the internal network?
Possible network traffic signatures
19. Results Of The Investigation
Where did the user contract the malware from?
User made a direct call to the executable. Therefore, the user either deliberately downloaded the malware, or there was a piece of malware sleeping on the system.
Malware file (if possible)
Malware has been carved out and analyzed via virustotal.com
MD5 hash of the file: fbe86fe4bd273ba11ee09799994c9e93
SHA-256 hash of the file: 7fdf98dbacfb45ed800b4ba66bb0887aa7e8529b4fb36bda63d28e1010fbd9d1
What kind of calls to the internet does it make?
DNS queries for a plethora of domains
HTTP communication for web sites located on a few of those domains
Does it try to self-propagate?
No communication to other internal addresses
Network traffic signatures
High volume of DNS queries within a short amount of time
20. Scenario 2
Triggering Events:
A denial of service (DoS) attack has been reported against FTP server 192.168.56.1
FTP traffic spikes were seen prior to the FTP server being taken offline
What We Know:
Captured traffic data, narrowed down to the conversation between an attacking host (192.168.56.101) and the FTP server (192.168.56.1)
21. Scenario 2 (contd.)
What We Want to Know:
What happened?
What caused the spike in FTP traffic?
What events took place prior to the FTP server being taken offline? (e.g. were any files transferred to/from the FTP server, or were any user accounts compromised?)
22. Results Of The Investigation
Attacker first initiated an ARP scan of the subnet 192.168.56.0/24
The following hosts were discovered: 192.168.56.1 and 192.168.56.100
Attacker then began a port scan of host 192.168.56.1
The following ports were found open:
21, 445, 139, 135, 49152, 49153, 49154, 49155, 49156
Attacker followed up with an FTP brute force attack against FTP server
Credentials for the user anon were compromised
Attacker successfully logged in as user anon with the stolen credentials
File "Whywecanthavenicecat.png" was downloaded
MD5 sum of the file: 12039fd05bc2fcd3902247124edcea06
24. Network Flow
A record of source and destination traffic information, without the conversation details:
Source IP
Destination IP
Source Port
Destination Port
Protocol
Start, end, and duration of the conversation *
Number of bytes
Number of Packets
Directionality *
* format dependent
25. Flow Use In Security
Identify and track compromised hosts
Identify potential data leaks to unauthorized networks
(Exfiltration)
Network/Host Traffic Patterns (Baselining)
26. Devices
Sensor – Monitors flows and sends information back to Collectors
Collector – Collects flows from some or all Sensors
Analyzer – Performs analysis on the collected flow data
27. Flow Formats
NetFlow v5 – Uses UDP to send information from Sensor to Collector; very common and widely adopted. Does not support IPv6.
NetFlow v9 – Uses UDP, SCTP, or TCP to send information from Sensor to Collector; also very common. Template-based, and includes many improvements over NetFlow v5, among them IPv6 support.
28. Flow Formats (contd.)
IPFIX (IP Flow Information Export, RFC 7011) – Built off of NetFlow v9; uses SCTP (mandatory to implement), TCP, or UDP to send information from Sensor to Collector.
sFlow – Flow information built from sampled packets rather than from every packet.
29. Flow Analysis Methodology
Filtering – Filter the flows down to the relevant targets
Baselining – Compare flow record traffic against network baselines
Pattern Matching – Monitor for fingerprints in traffic flows, such as:
Unidirectional traffic volumes
Complex deviations from normal traffic
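The flow record fields from the Network Flow slide and the three-step methodology above, as one added Python example. It is not the speaker's code and does not use SiLK: it builds NetFlow v5-style unidirectional records from packet summaries (with an idle timeout, so a 5-tuple that goes quiet and comes back gets a second record, which is why flow tools count "flows" higher than "connections"), then filters, compares each host's outbound bytes against a per-host baseline, and pattern-matches two fingerprints the slides mention: unidirectional traffic with no reply (the shape of a TCP port probe, as in the scenario 2 results) and a burst of DNS queries from one source in a short window (the signature from the scenario 1 results). Every host, port, timestamp, BASELINE value and threshold here is constructed for the example.

```python
from collections import defaultdict

FLOW_KEY = ("src", "dst", "proto", "sport", "dport")

def build_flows(packets, idle_timeout=60.0):
    """Aggregate (ts, src, dst, proto, sport, dport, bytes) packet summaries into unidirectional
    flow records, NetFlow v5 style. A 5-tuple idle for longer than idle_timeout starts a new record."""
    active, done = {}, []
    for ts, src, dst, proto, sport, dport, nbytes in sorted(packets):
        key = (src, dst, proto, sport, dport)
        f = active.get(key)
        if f is None or ts - f["end"] > idle_timeout:
            if f is not None:
                done.append(f)
            f = active[key] = dict(zip(FLOW_KEY, key), start=ts, end=ts, packets=0, bytes=0)
        f["end"], f["packets"], f["bytes"] = ts, f["packets"] + 1, f["bytes"] + nbytes
    return done + list(active.values())

def filter_flows(flows, **crit):
    """Filtering: keep flow records whose fields equal the given values, e.g. dport=53."""
    return [f for f in flows if all(f[k] == v for k, v in crit.items())]

def unanswered(flows):
    """Flow records that never saw a packet in the reverse direction: pure one-way traffic."""
    seen = {tuple(f[k] for k in FLOW_KEY) for f in flows}
    return [f for f in flows if (f["dst"], f["src"], f["proto"], f["dport"], f["sport"]) not in seen]

def detect_port_scan(flows, min_ports=5):
    """Pattern matching: one source touching many distinct TCP ports on one host with no reply."""
    probed = defaultdict(set)
    for f in unanswered(filter_flows(flows, proto=6)):
        probed[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports) for pair, ports in probed.items() if len(ports) >= min_ports}

def detect_dns_burst(flows, window=10.0, min_queries=20):
    """Pattern matching: many DNS flows from one source inside a short window (seconds)."""
    starts = defaultdict(list)
    for f in filter_flows(flows, dport=53):
        starts[f["src"]].append(f["start"])
    hits = {}
    for src, ts in starts.items():
        ts.sort()
        best = max(sum(1 for t in ts[i:] if t - t0 <= window) for i, t0 in enumerate(ts))
        if best >= min_queries:
            hits[src] = best
    return hits

def baseline_deviations(flows, baseline, factor=3.0):
    """Baselining: hosts whose outbound byte count exceeds factor times their recorded baseline."""
    out = defaultdict(int)
    for f in flows:
        if f["src"] in baseline:
            out[f["src"]] += f["bytes"]
    return {host: total for host, total in out.items() if total > factor * baseline[host]}

# Constructed sample: hosts, ports, volumes and the baseline are made up for this example.
BASELINE = {"10.0.0.5": 5000, "10.0.0.6": 5000, "10.0.0.7": 5000}   # normal bytes out per host
PROBED, OPEN = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445], {21, 135, 139, 445}

def sample_packets():
    """A partly answered TCP port probe, a DNS burst, a quiet host, and one large upload."""
    pk = []
    for i, port in enumerate(PROBED):                                  # probe from .101 to .1
        pk.append((100.0 + i, "192.168.56.101", "192.168.56.1", 6, 40000 + i, port, 60))
        if port in OPEN:                                               # only open ports answer
            pk.append((100.1 + i, "192.168.56.1", "192.168.56.101", 6, port, 40000 + i, 60))
    for i in range(30):                                                # 30 queries in 3 seconds
        pk.append((200.0 + i / 10, "10.0.0.5", "10.0.0.1", 17, 50000 + i, 53, 70))
        pk.append((200.05 + i / 10, "10.0.0.1", "10.0.0.5", 17, 53, 50000 + i, 120))
    for i in range(3):                                                 # a normal host's lookups
        pk.append((200.0 + i, "10.0.0.6", "10.0.0.1", 17, 50100 + i, 53, 70))
    for i in range(20):                                                # 28 kB out over TLS
        pk.append((300.0 + i, "10.0.0.7", "203.0.113.50", 6, 51000, 443, 1400))
    pk.append((500.0, "10.0.0.7", "203.0.113.50", 6, 51000, 443, 1400))  # past the idle timeout
    return pk
```

On real data the packet summaries would come from the flow exporter rather than from a capture, and the thresholds (5 unanswered ports, 20 queries in 10 seconds, 3× baseline) are the part that needs tuning against your own baseline: the "unanswered" test, in particular, only works when the collector sees both directions, which an asymmetrically routed network or a sensor on one side of a link will not give you.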