Command-Line Packet Analysis & Network Forensics
Presented By:
Joe McCray
Threat hunting
on the wire
About me
• Joe McCray
• Deep Technical IT Security Consultant & Trainer
• Spoken/Trained at:
• Black Hat, Def Con, Hacker Halted, and over 200 security conferences
• Founder of InfoSecAddicts.com
• joemccray@infosecaddicts.com
About the Threat Hunting courses
• Course 1: Threat Hunting Fundamentals
• Course 2: Threat hunting on the wire (hands-on)
• Course 3: Threat hunting on the endpoint (hands-on)
• Course 4: Threat hunting with static analysis (hands-on)
• Course 5: Threat hunting with dynamic analysis (hands-on)
• Course 6: Threat hunting with memory analysis (hands-on)
• Course 7: Threat hunting with SIEM/NSM solutions (hands-on)
• Course 8: Advanced threat hunting with machine learning and artificial intelligence (hands-on)
Threat Hunting on the wire
• Get Linux
• Setting up your virtual machine
• What is PCAP?
• PCAP Analysis with PRADS
• PCAP Analysis with ChaosReader
• PCAP Analysis with TShark
• PCAP Analysis with Suricata
• PCAP Analysis with Yara
This is a HANDS-ON class
• This course is designed for you to follow along
• The slides can be found at: https://www.slideshare.net/infosecaddicts
• The commands can be found at: https://pastebin.com/DfqiGN7u
Get Linux
• Get a virtualization platform
• VMWare/Vbox
• OSBoxes.org
• Great site to download FREE Linux virtual machines (VMware and Virtualbox)
• Download my virtual machine
• https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
• user: infosecaddicts
• pass: infosecaddicts
• Great website for Linux basics
• Linuxsurvival.com
Setting up your virtual machine
• Default install of Ubuntu 16.04
• Lots of dependencies to install (run as root)
sudo apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 \
  libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make \
  gcc g++ flex bison libssl-dev python-dev swig unzip sendmail sendmail-bin prads tcpflow python-scapy \
  whois python-yara tshark
Setting up your virtual machine
• Install Suricata (run as root)
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
tar -zxvf suricata-4.0.5.tar.gz
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
mkdir suri
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
cd rules
cp *.rules /etc/suricata/rules/
cd /etc/suricata/
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar -zxvf emerging.rules.tar.gz
VM Setup Demo
What Is PCAP?
• PCAP == Packet Capture
• Complete record of network activity
• Layers 2 – 7
• Most common format is libpcap
• Open-source
• Available on *nix and Windows
• C library, bindings in many languages
• Other proprietary formats not covered
Collect PCAP files (diagram: Internet packets captured with Wireshark or tcpdump, fed from a tap or an inline device)
Find malicious PCAPs
• Malware Traffic Analysis
• https://www.malware-traffic-analysis.net/
• ThreatGlass
• http://www.threatglass.com/
• Evil Fingers
• https://www.evilfingers.com/repository/pcaps.php
PCAP Analysis with PRADS
• PRADS is a Passive Real-time Asset Detection System
PRADS employs digital fingerprints to recognize services on the wire, and can be used to map your network and monitor for changes in real time. Real-time passive traffic analysis will also let you detect assets that are just connected to the network for a short period of time, since PRADS can glean useful information from every packet.
PRADS aims to be the one-stop-shop for passive asset detection, and currently does MAC lookups, TCP and UDP OS fingerprinting as well as client and service application matching and a connection state table. Various output plugins include logfile and FIFO and make PRADS a useful replacement for p0f, pads and sancp.
PRADS was built from the ground up for a small footprint and modern networks with IPv6 and gigabits of throughput.
Source: http://manpages.ubuntu.com/manpages/trusty/man1/prads.1.html
PCAP Analysis with PRADS
• Run PRADS as a regular user
mkdir -p ~/pcap_analysis/prads
cd ~/pcap_analysis/prads
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
prads -r suspicious-time.pcap
cat prads-asset.log | less
Prads Demo
PCAP Analysis with ChaosReader
• What if you have to parse multiple large PCAP files?
• Try chaosreader.pl (oldie but goodie)
• A free tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. An HTML index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports.
• Source: http://chaosreader.sourceforge.net/
• What can chaosreader do?
• I like being able to quickly go through really large, multiple, or even worse multiple large PCAP files.
• It also creates a down and dirty web page (really handy)
PCAP Analysis with ChaosReader
cd ~
mkdir -p pcap_analysis/chaos_reader/
cd ~/pcap_analysis/chaos_reader/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
perl chaosreader.pl suspicious-time.pcap
cat index.text | grep -v '"' | grep -oE "([0-9]+.){3}[0-9]+.*)"
cat index.text | grep -v '"' | grep -oE "([0-9]+.){3}[0-9]+.*)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http: ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http: ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host: ' | sort -u | sed -e 's/Host: //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
python -m SimpleHTTPServer
****** Open a web browser and browse to the IP address of your Linux machine on port 8000 for the web page *****
ChaosReader Demo
PCAP Analysis with TShark
• Run TShark against the suspicious PCAP (protocol hierarchy, NetBIOS names, ARP, hosts, user agents, DNS)
tshark -r suspicious-time.pcap -qz io,phs
tshark -r suspicious-time.pcap | grep 'NB.*20>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap | grep 'NB.*1e>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
tshark -r suspicious-time.pcap -qz ip_hosts,tree
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
PCAP Analysis with TShark
• Look up the suspicious domains and walk through the HTTP requests
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "t: ","http://"$3$4}'
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
tshark -r suspicious-time.pcap -qz http_req,tree
tshark -r suspicious-time.pcap -Y 'data-text-lines contains "<script"' -T fields -e frame.number -e ip.src -e ip.dst
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/?[^cse].*/?.../g'
TShark Demo
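As an added example (not code from the slides or from the tools they use), the following pure-Python reader walks the libpcap record layout described on the "What Is PCAP?" slide and produces the same src -> dst http://host/uri lines that the TShark http.request pipeline above prints, including the grep -v noise filter. It assumes Ethernet/IPv4/TCP frames with the request line and Host header in a single segment (no reassembly); the capture it parses is constructed in memory and sploitme.example is a made-up host name.

```python
"""Read a libpcap file and list the HTTP requests in it (added example).

Reimplements roughly what `tshark -r ... -Y http.request -T fields -e ip.src
-e ip.dst -e http.host -e http.request.uri` prints, using only the libpcap
file layout. Assumptions: Ethernet link type, IPv4, TCP, no VLAN tags, and the
request line plus Host header inside the first segment (no TCP reassembly).
"""
import struct

ETH_P_IP = 0x0800
LINKTYPE_ETHERNET = 1
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # usec timestamps
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nsec timestamps


def iter_pcap_records(data):
    """Yield (ts_sec, ts_frac, packet_bytes) for each record in a libpcap file."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file: magic %r" % data[:4])
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype.
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d (only Ethernet handled)" % linktype)
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec/nsec, captured length, original length.
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_frac, data[off:off + incl_len]
        off += incl_len


def parse_http_request(pkt):
    """Return (src_ip, dst_ip, host, uri) if pkt carries an HTTP request, else None."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_P_IP:
        return None
    ihl = (pkt[14] & 0x0F) * 4                      # IPv4 header length
    if pkt[23] != 6:                                # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    tcp = 14 + ihl
    if len(pkt) < tcp + 20:
        return None
    payload = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:]  # skip TCP header and options
    request_line, _, headers = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                                 # responses and non-HTTP data stop here
    host = ""
    for hdr in headers.split(b"\r\n"):
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return src, dst, host, parts[1].decode("ascii", "replace")


def http_requests(data):
    """One 'src -> dst http://host/uri' line per request, like the slide's awk output."""
    lines = []
    for _sec, _frac, pkt in iter_pcap_records(data):
        req = parse_http_request(pkt)
        if req:
            lines.append("%s -> %s http://%s%s" % req)
    return lines


NOISE = ("/image", ".css", ".ico")               # the slide's grep -v list


def interesting(lines):
    """Drop static-content noise the way the slide's grep -v pipeline does."""
    return [l for l in lines if not any(n in l for n in NOISE)]


# ---- constructed demo capture (not taken from suspicious-time.pcap) ----------
def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zero checksums: fine for parsing, not for sending."""
    eth = bytes(12) + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian libpcap file (magic 0xa1b2c3d4, version 2.4) wrapping the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1525000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.3.15", "192.0.2.10", 49152, 80,
                b"GET /index.php?id=7 HTTP/1.1\r\nHost: sploitme.example\r\nUser-Agent: demo\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.3.15", 80, 49152,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><script>x</script></html>"),
    build_frame("10.0.3.15", "192.0.2.10", 49153, 80,
                b"GET /images/logo.gif HTTP/1.1\r\nHost: sploitme.example\r\n\r\n"),
])
```

Run `interesting(http_requests(SAMPLE_PCAP))` for the demo, or pass `open("suspicious-time.pcap", "rb").read()` instead of SAMPLE_PCAP to compare against the tshark output.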
PCAP Analysis with Suricata
• Suricata is a free and open source, mature, fast and robust network threat detection engine.
• The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
• Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
• With standard input and output formats like YAML and JSON, integrations with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases become effortless.
• Suricata’s fast paced community driven development focuses on security, usability and efficiency.
• The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata’s development and sustained success as an open source project.
Source: https://suricata-ids.org/
PCAP Analysis with Suricata
• Run Suricata against the suspicious PCAP
cd ~/pcap_analysis/
mkdir suri
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
cat suri/fast.log | less
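An added example, not part of the slides or of Suricata itself: a small parser for the fast.log written above, so the alerts can be grouped by signature, priority and internal host instead of being paged through with less. The log lines, rule sids (local 1000000+ range) and the 10.0.3.0/24 internal range are constructed for the demo, and the regex assumes Suricata's default one-alert-per-line fast.log layout.

```python
"""Summarise a Suricata fast.log for triage (added example, constructed data)."""
import ipaddress
import re
from collections import Counter

# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]*)\])?"        # absent for rules without a classtype
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
            alerts.append(a)
    return alerts


def by_signature(alerts):
    """Counter of (sid, msg) -> hit count; most_common() lists the noisiest rules first."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


def high_priority(alerts, max_prio=1):
    """Alerts at or above the given priority (1 is the most severe)."""
    return [a for a in alerts if a["prio"] <= max_prio]


def internal_hosts(alerts, internal="10.0.3.0/24"):
    """How often each address inside `internal` appears as source or destination."""
    net = ipaddress.ip_network(internal)
    hits = Counter()
    for a in alerts:
        for ip in (a["src"], a["dst"]):
            if ipaddress.ip_address(ip) in net:
                hits[ip] += 1
    return hits


def peers_of(alerts, host):
    """Distinct addresses on the other end of every alert that involves `host`."""
    peers = set()
    for a in alerts:
        if a["src"] == host:
            peers.add(a["dst"])
        elif a["dst"] == host:
            peers.add(a["src"])
    return sorted(peers)


# Constructed sample: not real output from suspicious-time.pcap, sids are in the local range.
SAMPLE_FAST_LOG = """\
05/01/2018-10:15:02.123456  [**] [1:1000001:1] LOCAL Demo EXE download claiming text/html [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.3.15:49152
05/01/2018-10:15:02.456789  [**] [1:1000002:2] LOCAL Demo obfuscated JavaScript in HTTP response [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.3.15:49152
05/01/2018-10:15:09.000001  [**] [1:1000002:2] LOCAL Demo obfuscated JavaScript in HTTP response [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.0.2.20:80 -> 10.0.3.15:49160
05/01/2018-10:16:30.555555  [**] [1:1000003:1] LOCAL Demo DNS query for suspicious TLD [**] [Priority: 3] {UDP} 10.0.3.15:53211 -> 10.0.3.2:53
this line is not an alert and is ignored
"""

if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in by_signature(alerts).most_common():
        print("%5d  sid %d  %s" % (n, sid, msg))
    for ip, n in internal_hosts(alerts).most_common():
        print("%s seen in %d alerts, peers: %s" % (ip, n, ", ".join(peers_of(alerts, ip))))
```

Swap SAMPLE_FAST_LOG for `open("suri/fast.log").read()` to run it over the real output.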
Suricata Demo
PCAP Analysis with Yara
• YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
• With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Source: https://virustotal.github.io/yara/
Isn’t Yara for file analysis?
• Yes, that’s right, Yara is for file analysis
• Let me introduce you to YaraPCAP
• Reads a PCAP file and extracts HTTP streams
• Inflates any gzip-compressed streams
• Scans every file with Yara
• Writes a report.txt
• Optionally saves matching files to a directory
Source: https://github.com/kevthehermit/YaraPcap
PCAP Analysis with Yara
• Run Yara against the suspicious PCAP
git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
cat index.yar
clear
./index_gen.sh
cd ..
python yaraPcap.py rules-master/index.yar ../suspicious-time.pcap -s matching_files/
cd matching_files/
cat report.txt
Questions
My Contact Info
Joe McCray
Email: joemccray@infosecaddicts.com
Toll Free: 1-844-458-1008
Twitter: @j0emccray
Twitter: @InfoSecAddicts
FaceBook: https://www.facebook.com/InfoSecAddicts/
WebSite: https://infosecaddicts.com

Contenu connexe

Tendances

Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxInfosec
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting WorkshopSplunk
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Kangaroot
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingCrowdStrike
 

Tendances (20)

Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down Intruders
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
SIEM and Threat Hunting
SIEM and Threat HuntingSIEM and Threat Hunting
SIEM and Threat Hunting
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat Hunting
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 

Similaire à Threat hunting on the wire

MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redactedRyan Breed
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk   network forensics and its role and scope(130511) #fitalk   network forensics and its role and scope
(130511) #fitalk network forensics and its role and scopeINSIGHT FORENSIC
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisBrendan Gregg
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Debugging applications with network security tools
Debugging applications with network security toolsDebugging applications with network security tools
Debugging applications with network security toolsConFoo
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposPriyanka Aash
 

Similaire à Threat hunting on the wire (20)

Securitytools
SecuritytoolsSecuritytools
Securitytools
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk   network forensics and its role and scope(130511) #fitalk   network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Monitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance AnalysisMonitorama 2015 Netflix Instance Analysis
Monitorama 2015 Netflix Instance Analysis
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
Debugging applications with network security tools
Debugging applications with network security toolsDebugging applications with network security tools
Debugging applications with network security tools
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 

Dernier

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Dernier (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges

Threat hunting on the wire

7. Setting up your virtual machine
• Default install of Ubuntu 16.04
• Lots of dependencies to install (run as root):
    sudo apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libssl-dev python-dev swig unzip sendmail sendmail-bin prads tcpflow python-scapy whois python-yara tshark
8. Setting up your virtual machine
• Install Suricata 4.0.5 from source (run as root):
    wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
    tar -zxvf suricata-4.0.5.tar.gz
    cd suricata-4.0.5
    ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
    make
    make install
    make install-conf
    mkdir suri
    wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
    cd rules
    cp *.rules /etc/suricata/rules/
    cd /etc/suricata/
    wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
    tar -zxvf emerging.rules.tar.gz
• make install-conf puts suricata.yaml in /etc/suricata/, and the Emerging Threats archive unpacks into /etc/suricata/rules/, which is the default-rule-path that suricata.yaml expects. The wget of suspicious-time.pcap here lands in the suricata-4.0.5 build directory; the later slides download it again into ~/pcap_analysis/.
10. What Is PCAP?
• PCAP == Packet Capture
• Complete record of network activity, layers 2 – 7
• Most common format is libpcap
  • Open-source
  • Available on *nix and Windows
  • C library, bindings in many languages
• Other proprietary formats are not covered
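The slide names the libpcap format without showing it. As an added example (not from the slides), the Python 3 script below builds a minimal libpcap file in memory and then parses it with only the standard library: the 24-byte global header (magic number, version, snaplen, link type), the 16-byte per-record header (timestamp, captured length, original length), and the Ethernet/IPv4/TCP frame inside each record. The MAC addresses, IP addresses and HTTP request in the sample capture are constructed; the byte-order detection, nanosecond-magic handling, truncation checks and Ethernet-padding trim are the details that bite when you write your own reader.

```python
# Added example: build a tiny libpcap file and parse it (Python 3, stdlib only).
# All addresses and the HTTP request are constructed sample data.
import socket
import struct

MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Constructed capture: one Ethernet/IPv4/TCP frame carrying an HTTP GET."""
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset 5 words (<<4), flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", 1035, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    # IPv4: ver/IHL 0x45, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.3.15"), socket.inet_aton("192.0.2.10"))
    # Ethernet: dst MAC, src MAC (locally administered, constructed), EtherType 0x0800 = IPv4
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    frame = eth + ip + tcp + b"\x00" * 4        # trailing padding, as a NIC or driver may add
    # Global header (24 bytes): magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    global_hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Record header (16 bytes): ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
    rec_hdr = struct.pack("<IIII", 1268642555, 421000, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def iter_records(data):
    """Yield (timestamp, frame_bytes, orig_len) per record, honoring the writer's byte order."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # same magics byte-swapped: big-endian writer
        order = ">"
        magic = int.from_bytes(data[:4], "big")
    else:
        raise ValueError("not a libpcap file (pcapng starts with 0x0A0D0D0A): %#010x" % magic)
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET (1) is decoded here, got %d" % linktype)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d (capture cut short?)" % off)
        yield ts_sec + ts_frac / frac_div, data[off:off + incl_len], orig_len
        off += incl_len


def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP; return endpoints, flags and payload, or None for other traffic."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != 6 or total_len > len(ip):       # protocol 6 = TCP; reject truncated IP packets
        return None
    ip = ip[:total_len]                          # drop Ethernet trailer/padding past the IP length
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


def summarize(data):
    """Decoded TCP segments from a libpcap byte string, with a flag for snaplen-truncated frames."""
    out = []
    for ts, frame, orig_len in iter_records(data):
        seg = decode_tcp(frame)
        if seg:
            seg["ts"] = ts
            seg["truncated"] = len(frame) < orig_len
            out.append(seg)
    return out


if __name__ == "__main__":
    for seg in summarize(build_sample_pcap()):
        print("%.6f %s:%d -> %s:%d flags=0x%02x %d payload bytes: %r" % (
            seg["ts"], seg["src"], seg["sport"], seg["dst"], seg["dport"],
            seg["flags"], len(seg["payload"]), seg["payload"][:40]))
```

Point it at a real file with `summarize(open("suspicious-time.pcap", "rb").read())`; it rejects pcapng (the default format of newer Wireshark and dumpcap), which you would convert with editcap first, and it raises on a truncated file instead of silently returning the packets before the cut.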
11. Collect PCAP files
(diagram: packets to and from the Internet are copied by a tap or inline device to a capture host running Wireshark or tcpdump)
12. Find malicious PCAPs
• Malware Traffic Analysis: https://www.malware-traffic-analysis.net/
• ThreatGlass: http://www.threatglass.com/
• Evil Fingers: https://www.evilfingers.com/repository/pcaps.php
13. PCAP Analysis with PRADS
• PRADS is a Passive Real-time Asset Detection System
PRADS employs digital fingerprints to recognize services on the wire, and can be used to map your network and monitor for changes in real time. Real-time passive traffic analysis will also let you detect assets that are just connected to the network for a short period of time, since PRADS can glean useful information from every packet. PRADS aims to be the one-stop-shop for passive asset detection, and currently does MAC lookups, TCP and UDP OS fingerprinting as well as client and service application matching and a connection state table. Various output plugins include logfile and FIFO and make PRADS a useful replacement for p0f, pads and sancp. PRADS was built from the ground up for a small footprint and modern networks with IPv6 and gigabits of throughput.
Source: http://manpages.ubuntu.com/manpages/trusty/man1/prads.1.html
14. PCAP Analysis with PRADS
• Run PRADS as a regular user (-r reads a PCAP instead of sniffing an interface; -l names the asset log so it is written in the working directory rather than /var/log):
    mkdir -p ~/pcap_analysis/prads
    cd ~/pcap_analysis/prads
    wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
    prads -r suspicious-time.pcap -l prads-asset.log
    less prads-asset.log
16. PCAP Analysis with ChaosReader
• What if you have to parse multiple large PCAP files?
• Try chaosreader.pl (oldie but goodie)
• A free tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. An HTML index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports
• Source: http://chaosreader.sourceforge.net/
• What can chaosreader do?
• I like being able to quickly go through really large, multiple, or even worse multiple large PCAP files.
• It also creates a down and dirty web page (really handy)
17. PCAP Analysis with ChaosReader
    cd ~
    mkdir -p pcap_analysis/chaos_reader/
    cd ~/pcap_analysis/chaos_reader/
    wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
    wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
    perl chaosreader.pl suspicious-time.pcap
• List every session from the text index (src:port -> dst:port, protocol, request):
    grep -v '"' index.text | grep -oE '([0-9]+\.){3}[0-9]+.*'
• Count sessions by protocol and request:
    grep -v '"' index.text | grep -oE '([0-9]+\.){3}[0-9]+.*' | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
• Map each HTTP session to the Host header it carried:
    for i in session_00[0-9]*.http.html; do
        srcip=$(grep 'http: ' "$i" | awk '{print $2}' | cut -d ':' -f1)
        dstip=$(grep 'http: ' "$i" | awk '{print $4}' | cut -d ':' -f1)
        host=$(grep 'Host: ' "$i" | sort -u | sed -e 's/Host: //g')
        echo "$srcip --> $dstip = $host"
    done | sort -u
• Serve the generated report (Python 2; with Python 3 use python3 -m http.server):
    python -m SimpleHTTPServer
• Open a web browser and browse to the IP address of your Linux machine on port 8000 to see the web page.
19. PCAP Analysis with TShark
• Make a directory and download the file as in the previous steps; the commands below assume suspicious-time.pcap is in the current directory. -r reads the file, so no -i <interface> is needed, and with tshark 2.x a filter on a capture file is given with -Y (-R only works in two-pass mode with -2).
• Protocol hierarchy:
    tshark -r suspicious-time.pcap -qz io,phs
• NetBIOS names registered for the file server service (<20>) and browser elections (<1e>):
    tshark -r suspicious-time.pcap | grep 'NB.*20>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
    tshark -r suspicious-time.pcap | grep 'NB.*1e>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
• ARP: who asked for whom:
    tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
• Distinct source MAC addresses:
    tshark -r suspicious-time.pcap -T fields -e eth.src | sort -u
• Browser host announcements (command 1), hosts by traffic, user agents and DNS queries:
    tshark -r suspicious-time.pcap -Y "browser.command==1" -T fields -e ip.src -e browser.server | uniq
    tshark -r suspicious-time.pcap -qz ip_hosts,tree
    tshark -r suspicious-time.pcap -Y "http.request" -T fields -e ip.src -e http.user_agent | uniq
    tshark -r suspicious-time.pcap -Y "dns" -T fields -e ip.src -e dns.flags.response -e dns.qry.name
20. PCAP Analysis with TShark
• Look up the suspicious domains:
    whois rapidshare.com.eyu32.ru
    whois sploitme.com.cn
• Every HTTP request as src -> dst and the URL it fetched:
    tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
• The same, minus images, stylesheets, favicons, Google and honeynet.org:
    tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
• Request tree:
    tshark -r suspicious-time.pcap -qz http_req,tree
• Frames whose text body contains a <script tag (the filter has to be single-quoted so the inner double quotes reach tshark):
    tshark -r suspicious-time.pcap -Y 'data-text-lines contains "<script"' -T fields -e frame.number -e ip.src -e ip.dst
• Requests involving the internal host 10.0.3.15, with long query strings trimmed:
    tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/?[^cse].*/?.../g'
22. PCAP Analysis with Suricata
• Suricata is a free and open source, mature, fast and robust network threat detection engine.
• The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
• Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
• With standard input and output formats like YAML and JSON, integration with existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana and other databases becomes effortless.
• Suricata's fast paced community driven development focuses on security, usability and efficiency.
• The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata's development and sustained success as an open source project.
Source: https://suricata-ids.org/
23. PCAP Analysis with Suricata
• Run Suricata against the suspicious PCAP (suspicious-time.pcap must be in ~/pcap_analysis/; copy it from one of the earlier download directories or wget it again; -l sets the log directory):
    cd ~/pcap_analysis/
    mkdir suri
    suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
    less suri/fast.log
• suri/eve.json holds the same alerts as JSON, alongside the http, dns, fileinfo and flow records the default eve-log configuration enables.
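Paging through fast.log with less works for a handful of alerts; for a real run you want counts first. As an added example (not from the slides or the Suricata project), the Python 3 script below parses fast.log lines into fields and summarizes them by signature, by src -> dst pair, and by internal host hit. The four log lines are constructed: the SIDs 1000001 to 1000003 sit in the range reserved for local rules and the messages are made up, but the line layout is Suricata's real fast.log format. The regex handles IPv4 addresses only; a line it cannot parse is returned rather than dropped.

```python
# Added example: parse and summarize Suricata fast.log (Python 3, stdlib only).
# Sample lines are constructed; SIDs 1000001-1000003 are local-rule range, messages invented.
# fast.log layout:
#   MM/DD/YYYY-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
import re
from collections import Counter

FAST_LINE = re.compile(r"""
    ^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+
    (?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?      # absent when the rule has no classtype
    \[Priority:\s*(?P<prio>\d+)\]\s+
    \{(?P<proto>[^}]+)\}\s+
    (?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$
""", re.X)

SAMPLE_FAST_LOG = """\
03/15/2010-09:42:36.183948  [**] [1:1000001:1] LOCAL Hidden iframe in HTTP response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.3.15:1035
03/15/2010-09:42:36.902211  [**] [1:1000002:2] LOCAL Obfuscated JavaScript (unescape) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.3.15:1036
03/15/2010-09:42:41.010002  [**] [1:1000003:1] LOCAL Executable download over HTTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 10.0.3.15:1038
03/15/2010-09:43:02.000000  [**] [1:1000001:1] LOCAL Hidden iframe in HTTP response [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.0.3.15:1041
this line is not an alert and must be reported, not silently dropped
"""


def parse_fast_log(text):
    """Return (alerts, unparsed_lines); each alert is a dict with ints for gid/sid/rev/prio/ports."""
    alerts, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_LINE.match(line)
        if not m:
            bad.append(line)
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            a[k] = int(a[k])
        for k in ("sport", "dport"):
            a[k] = int(a[k]) if a[k] is not None else None
        alerts.append(a)
    return alerts, bad


def summarize(alerts, internal_prefix):
    """Counts by signature, by src->dst pair, and the internal hosts that received alerts."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_pair = Counter("%s -> %s" % (a["src"], a["dst"]) for a in alerts)
    victims = Counter(a["dst"] for a in alerts if a["dst"].startswith(internal_prefix))
    # Suricata priority: 1 is the most severe, so the "highest" priority is the smallest number
    highest = min((a["prio"] for a in alerts), default=None)
    return {"by_sig": by_sig, "by_pair": by_pair, "victims": victims, "highest_priority": highest}


if __name__ == "__main__":
    alerts, bad = parse_fast_log(SAMPLE_FAST_LOG)
    s = summarize(alerts, "10.0.3.")
    print("%d alerts, %d unparsed lines" % (len(alerts), len(bad)))
    for (sid, msg), n in s["by_sig"].most_common():
        print("%4d  sid:%d  %s" % (n, sid, msg))
    for pair, n in s["by_pair"].most_common():
        print("%4d  %s" % (n, pair))
    print("internal hosts with alerts:", dict(s["victims"]))
```

Run it on the real output with `parse_fast_log(open("suri/fast.log").read())`; the signature table tells you which rules fired and how often, and the pair table points at the server that kept hitting the same internal host, which is where the tshark and ChaosReader digging starts.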
25. PCAP Analysis with Yara
• YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
• With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Source: https://virustotal.github.io/yara/
26. Isn't Yara for file analysis?
• Yes, that's right: Yara is for file analysis
• Let me introduce you to YaraPCAP
  • Reads a PCAP file and extracts HTTP streams
  • gzip-inflates any compressed streams
  • Scans every file with Yara
  • Writes a report.txt
  • Optionally saves matching files to a directory
Source: https://github.com/kevthehermit/YaraPcap
27. PCAP Analysis with Yara
• Run Yara against the suspicious PCAP (start in a directory that already holds suspicious-time.pcap, such as ~/pcap_analysis/, since the script is given ../suspicious-time.pcap; index_gen.sh regenerates index.yar so it includes every rule file in the archive):
    git clone https://github.com/kevthehermit/YaraPcap.git
    cd YaraPcap/
    wget https://github.com/Yara-Rules/rules/archive/master.zip
    unzip master.zip
    cd rules-master/
    cat index.yar
    ./index_gen.sh
    cd ..
    python yaraPcap.py rules-master/index.yar ../suspicious-time.pcap -s matching_files/
    cd matching_files/
    cat report.txt
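The "gzip deflates any compressed streams" bullet on slide 26 is the whole reason YaraPcap exists: a server response extracted from a PCAP is usually chunked and gzip-compressed, and a pattern scan over those bytes matches nothing. As an added example (not YaraPcap's own code), the Python 3 script below takes a reassembled server -> client HTTP response, de-chunks it, inflates gzip or deflate bodies, and only then scans. The HTML, host name and response are constructed, and the two regexes (an obfuscated script calling eval/unescape, a zero-size or hidden iframe) are illustrative stand-ins for Yara rules so the script runs without the yara module.

```python
# Added example: decode an HTTP response body before scanning it (Python 3, stdlib only).
# The HTML, host name and response are constructed; PATTERNS are stand-ins for Yara rules.
import gzip
import re
import zlib

# Illustrative indicators, not real Yara rules: obfuscated script and hidden iframe.
PATTERNS = {
    "script_eval_or_unescape": re.compile(rb"<script[^>]*>[^<]*?\b(eval|unescape)\s*\(", re.I),
    "hidden_iframe": re.compile(
        rb"<iframe[^>]*(\b(width|height)\s*=\s*[\"']?0\b|display\s*:\s*none)", re.I),
}

SAMPLE_HTML = (b"<html><body><p>hello</p>"
               b"<iframe src=\"http://example.test/x.php\" width=0 height=0></iframe>"
               b"<script>document.write(unescape('%3Cdiv%3E'));</script></body></html>")


def make_response(body, compress=False, chunked=False):
    """Constructed server->client stream, as TCP reassembly would hand it to us."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    if chunked:                                   # chunking is applied after content-encoding
        headers.append(b"Transfer-Encoding: chunked")
        half = len(body) // 2
        body = b"".join(b"%x\r\n%s\r\n" % (len(c), c)
                        for c in (body[:half], body[half:])) + b"0\r\n\r\n"
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def dechunk(body):
    """Join the chunks of a Transfer-Encoding: chunked body (chunk extensions ignored)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                           # skip chunk data and its trailing CRLF
    return bytes(out)


def parse_http_response(stream):
    """Return (status_line, headers, decoded_body) for a raw HTTP response."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)                      # transfer coding comes off first
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            body = zlib.decompress(body)          # zlib-wrapped deflate, as specified
        except zlib.error:
            body = zlib.decompress(body, -15)     # raw deflate, which some servers send anyway
    return lines[0].decode("latin-1"), headers, body


def scan(data):
    """Names of PATTERNS that match; this is the point where YaraPcap hands the bytes to yara."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))


if __name__ == "__main__":
    stream = make_response(SAMPLE_HTML, compress=True, chunked=True)
    raw_body = stream.partition(b"\r\n\r\n")[2]
    print("raw body matches:    ", scan(raw_body))        # nothing: compressed bytes hide it all
    status, hdrs, body = parse_http_response(stream)
    print(status, hdrs.get("content-encoding"), len(body), "decoded bytes")
    print("decoded body matches:", scan(body))
```

The order matters: the transfer coding (chunked) is removed before the content coding (gzip), which is the reverse of how the server applied them. The same trap applies to any content-based tool in this deck; the tshark filter on data-text-lines in slide 20 also only sees bodies that Wireshark could decompress.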
29. My Contact Info
Joe McCray
Email: joemccray@infosecaddicts.com
Toll Free: 1-844-458-1008
Twitter: @j0emccray, @InfoSecAddicts
Facebook: https://www.facebook.com/InfoSecAddicts/
Website: https://infosecaddicts.com