We covered the second part of the Wireshark tutorials, where we went over traffic analysis using advanced filters. We analysed network traffic for different protocols such as HTTP and DNS. We also covered analysing Nmap scans, ARP poisoning attacks and SSH tunnelling. Additionally, we explained how to extract clear-text credentials passed over insecure protocols such as HTTP and FTP. This was part of TryHackMe Wireshark Traffic Analysis, SOC Level 1.
Video Highlights
When investigating a compromise or malware infection, a security analyst should know how to identify the hosts on the network beyond matching IP addresses to MAC addresses. One of the best methods is identifying the hosts and users on the network in order to decide the investigation's starting point and to list the hosts and users associated with the malicious traffic or activity.
Usually, enterprise networks use a predefined pattern to name users and hosts. While this makes maintaining and following the inventory easier, it has a good side and a bad side. The good side is that a user or host can be identified simply by looking at the name. The bad side is that an adversary can just as easily clone that pattern and blend into the enterprise network. There are multiple solutions for preventing this kind of activity, but for a security analyst, host and user identification skills remain essential.
Protocols that can be used in Host and User identification:
Tunnelling Traffic: ICMP and DNS
ICMP Analysis
Internet Control Message Protocol (ICMP) is designed for diagnosing and reporting network communication issues. It is widely used for error reporting and testing. As it is a trusted network layer protocol, it is sometimes used for denial of service (DoS) attacks; adversaries also use it for data exfiltration and C2 tunnelling.
ICMP analysis in a nutshell:
Usually, ICMP tunnelling attacks are anomalies that appear or start after a malware execution or vulnerability exploitation. Because ICMP packets can carry an additional data payload, adversaries use that section to exfiltrate data and establish a C2 connection; the payload could be TCP, HTTP or SSH data. While ICMP offers a convenient way to carry extra data, it also has disadvantages for the adversary: most enterprise networks block custom packets, or require administrator privileges to create custom ICMP packets.
A large volume of ICMP traffic or anomalous packet sizes are indicators of ICMP tunnelling. Still, adversaries can craft custom packets that match the regular ICMP packet size (64 bytes), so detecting these tunnelling activities remains cumbersome. A security analyst should therefore know what is normal and what is abnormal in order to spot a possible anomaly and escalate it for further analysis.
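The two indicators above (volume and payload size/content) turned into a small checker, as an added example that is not part of the original walkthrough. It parses constructed raw IPv4/ICMP packets (no Ethernet header, checksums zeroed); the 64-byte baseline is taken from the text, while the banner list and the per-source volume threshold are assumptions an analyst would tune.

```python
import struct
from collections import Counter

NORMAL_ECHO_PAYLOAD = 64   # baseline payload size from the text; larger is treated as anomalous (assumption)
BANNERS = (b"SSH-", b"GET ", b"POST ", b"HTTP/")  # assumption: markers of protocols carried inside ICMP

def build_icmp_echo(src, payload, icmp_type=8):
    """Constructed sample: minimal IPv4 header + 8-byte ICMP echo header + payload (checksums zeroed)."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip + icmp + payload

def parse_icmp(pkt):
    """Return (src, icmp_type, payload) for a raw IPv4/ICMP packet, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl], pkt[ihl + 8:]

def flag_icmp_anomalies(packets, volume_threshold=100):
    """Return (findings, noisy_sources): findings maps packet index -> reason,
    noisy_sources lists hosts that sent at least volume_threshold ICMP packets."""
    findings, counts = {}, Counter()
    for i, pkt in enumerate(packets):
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, _icmp_type, payload = parsed
        counts[src] += 1
        if len(payload) > NORMAL_ECHO_PAYLOAD:
            findings[i] = f"oversized payload ({len(payload)} bytes)"
        elif payload.startswith(BANNERS):
            # same size as a normal ping, but the payload is another protocol
            findings[i] = "payload carries another protocol"
    noisy = [s for s, n in counts.items() if n >= volume_threshold]
    return findings, noisy

if __name__ == "__main__":
    # constructed traffic: one normal ping, one oversized echo, one 64-byte echo carrying an SSH banner
    normal = build_icmp_echo("10.0.0.5", bytes(range(56)))
    big = build_icmp_echo("10.0.0.9", b"A" * 1000)
    ssh = build_icmp_echo("10.0.0.9", b"SSH-2.0-OpenSSH".ljust(64, b"\x00"))
    print(flag_icmp_anomalies([normal, big, ssh] + [normal] * 100))
```

The banner check is what catches the "regular size" case the text warns about; the volume list is the escalation trigger when sizes look normal.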
DNS Analysis
Domain Name System (DNS) is designed to translate domain names into IP addresses. It is also known as the phonebook of the internet. As it is an essential part of web services, it is commonly used and trusted, and therefore often ignored. Because of that, adversaries use it for data exfiltration and C2 activities.
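The DNS half of the tunnelling section, as an added example that is not from the original walkthrough: it groups query names by their main domain and flags domains whose subdomains look like encoded data (many unique, long, high-entropy labels), which is how an analyst narrows down the "suspicious main domain" in a trace. The thresholds, the two-label approximation of the registrable domain, and the sample names (tunnel-example.com is a constructed placeholder) are all assumptions.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character; encoded or encrypted labels score higher than dictionary words."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def main_domain(qname):
    """Registrable domain approximated as the last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def defang(name):
    """Render a name in the defanged form the room answers ask for."""
    return name.replace(".", "[.]")

def profile_dns_queries(qnames, min_subdomains=20, max_label=30, min_entropy=3.5):
    """Return {main_domain: stats}; 'suspicious' is set when the volume, label length and
    entropy of the subdomains all exceed the (assumed) thresholds."""
    per_domain = defaultdict(set)
    for q in qnames:
        per_domain[main_domain(q)].add(q.rstrip(".").lower())
    report = {}
    for dom, names in per_domain.items():
        subs = [n[: -len(dom) - 1] for n in names if n != dom]   # strip the trailing ".dom"
        if not subs:
            continue
        longest = max(len(label) for s in subs for label in s.split("."))
        avg_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        report[dom] = {
            "defanged": defang(dom),
            "unique_subdomains": len(subs),
            "longest_label": longest,
            "avg_entropy": round(avg_entropy, 2),
            "suspicious": len(subs) >= min_subdomains and longest > max_label and avg_entropy >= min_entropy,
        }
    return report

# constructed sample: a few ordinary lookups plus 25 hex-encoded chunks sent to one domain
SAMPLE_QUERIES = ["www.example.org", "mail.example.org", "cdn.example.org", "example.org"] + [
    hashlib.sha256(str(i).encode()).hexdigest()[:60] + ".tunnel-example.com" for i in range(25)
]

if __name__ == "__main__":
    for dom, stats in profile_dns_queries(SAMPLE_QUERIES).items():
        print(stats["defanged"], stats)
```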
Cleartext Protocol Analysis
Investigating cleartext protocol traces sounds easy, but when the time comes to investigate a large network trace for incident analysis and response, the game changes. Proper analysis is more than following the stream and reading the cleartext data. For a security analyst, it is important to produce statistics and key results from the investigation process.
Room Answers
Use the “Desktop/exercise-pcaps/arp/Exercise.pcapng” file.
What is the number of ARP requests crafted by the attacker?
What is the number of HTTP packets received by the attacker?
What is the number of sniffed username&password entries?
What is the password of the “Client986”?
What is the comment provided by the “Client354”?
Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap” file.
What is the MAC address of the host “Galaxy A30”?
How many NetBIOS registration requests does the “LIVALJM” workstation have?
Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap” file.
What is the IP address of the user “u5”? (Enter the address in defanged format.)
Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?
Use the “Desktop/exercise-pcaps/dns-icmp/dns.pcap” file.
Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)
Use the “Desktop/exercise-pcaps/ftp/ftp.pcap” file.
How many incorrect login attempts are there?
What is the size of the file accessed by the “ftp” account?
The adversary uploaded a document to the FTP server. What is the filename?
The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?
Investigate the user agents. What is the number of anomalous “user-agent” types?
What is the packet number with a subtle spelling difference in the user agent field?
Use the “Desktop/exercise-pcaps/http/http.pcapng” file.
Locate the “Log4j” attack starting phase. What is the packet number?
Locate the “Log4j” attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude “{}”.)
What is the frame number of the “Client Hello” message sent to “accounts.google.com”?
Decrypt the traffic with the “KeysLogFile.txt” file. What is the number of HTTP2 packets?
Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)
Investigate the decrypted packets and find the flag! What is the flag?
What is the packet number where “empty password” was submitted?
Select packet number 231. Create “IPFirewall” rules. What is the rule for “allowing destination MAC address”?
Video Walkthrough