Sharkin' Using Wireshark to find evil in packet captures. Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1, et cetera

Transcription

1 Sharkin' Using Wireshark to find evil in packet captures Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1, et cetera

2 Packet Captures Recordings of Internet activity Often used by analysts and researchers What can you quickly find out from a pcap? Buy the official Three Investigators Cluedo (auf Deutsch) at

3 pcaps: quick answers Basic packet analysis should find: IP addresses involved hosts who Protocols used how characterization Directionality who did to whom Application used (if any) how TTP Time and date when, but watch out for timezones! Adds up to Characterization of the traffic and a possible story it tells: Who?, Did What?, When?, To Whom? What is the significance (so what)? and What should someone do about it?

4 IDS: a source of packets for analysis Intrusion Detection Systems (IDS): Alert on traffic that matches signature rules (Snort, et al) Or log and notify based on policy (Bro IDS) Alerts are displayed in consoles: Bro IDS, Snort, Suricata, RealSecure, McAfee NSM DSWX CTP Portal, sguil, Snorby, SiteProtector, EPO Consoles display many event details And (usually) give you option to pull a pcap file

5 Wireshark: about Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998 from: Looks a bit like this >

6 Packet analysis tips: safety and accuracy Get offline! Disable lookups in your tools tcpdump -nn Wireshark: uncheck in View / Name Resolution Keep your analysis tools updated! Analysis tools are a juicy target for attackers. File and protocol parsers are a constant source of vulnerabilities No captures on production networks or other peoples networks! Isolate your analysis environment for safety and cleaner results Check with your boss / client / spouse / lawyer before capturing traffic. Double-check those timezones again. Most computer systems record time in UTC no matter where they are.

7 Packets! Let's get some packets and take a look! PCAP files are at:

8 Snorby: a few events

9 Snorby: id check returned root : testmy-handout.pcap

10 testmy-handout.pcap: questions Let's find: IP addresses involved hosts who Protocols used how characterization Directionality who did to whom Application used (if any) how TTP Time and date when, but watch out for timezones! Adds up to Characterization of the traffic and a possible story it tells: Who?, Did What?, When?, To Whom? What is the significance (so what)? and What should someone do about it?

11 Wireshark tricks: Statistics Summary In Wireshark menu: Statistics / Summary Gives times and packet statistics Similar output to capinfos command

12 testmy-handout.pcap: answers Root user is super admin on UNIX systems This suggests an attacker has gotten remote root Game over? Found at anvari.org

13 Snorby: Wordpress login: ptmag-login.pcap

14 ptmag-login.pcap: questions Let's find: IP addresses involved hosts who Protocols used how characterization Directionality who did to whom Application used (if any) how TTP Time and date when, but watch out for timezones! Adds up to Characterization of the traffic and a possible story it tells: Who?, Did What?, When?, To Whom? What is the significance (so what)? and What should someone do about it?

15 Wireshark tricks: filters Powerful filters let us sift and sort through captures Color highlighting for syntax check Suggestions help you pick fields Use what you already know To find what you are looking for faster

16 Wireshark tricks: display filters We know from the alert and can filter on to sift out packets: Protocols: TCP/IP HTTP (2445) (2445) Hosts (1082) & ? Applications: PenTestMag site HTML form WordPress blog (73) (1) (1)

17 research: reproduce it and pcap it, search pcaps... ## check my tcpdump settings with a live capture ## sudo tcpdump -i en0 -v 'host ' ## verified, capture session to a file ## sudo tcpdump -i en0 -w ptmag.pcap 'host ' Offstage: login to suspect site again in browser, then ## read back the capture file and dump text to another file ## tcpdump -r ptmag.pcap -X 2>&1 > outfile.txt ## Look for suspicious strings in the output, grep -c counts ## grep Password -c outfile.txt ; grep Password outfile.txt grep adricnet -c outfile.txt ; grep adricnet outfile.txt

18 Much easier in Wireshark: Find Packet Edit / Find Packets By: String Packet: bytes

19 ptmag-login.pcap: answers Seems our subject web magazine isn't handling logins properly. SSL/TLS should be used for all logins and all login pages. Especially for public and commercial sites (this one is both). We should send them a nice note about this after the brownbag is over. Found on InfoSec Reactions, a very silly place.

20 pcaps from ATTACK research ;) Trying out some IE8 attacks on a WinXP VM on my Mac at home Packets captured to file: msf_ie0day_winxpsp3.pcap

21 msf_ie0day_winxpsp3.pcap

22 msf_ie0day_winxpsp3.pcap: questions Let's find: IP addresses involved hosts who Protocols used how characterization Directionality who did to whom Application used (if any) how TTP Time and date when, but watch out for timezones! Adds up to Characterization of the traffic and a possible story it tells: Who?, Did What?, When?, To Whom? What is the significance (so what)? and What should someone do about it?

23 Wireshark tricks: Conversations In Wireshark menu: Statistics / Conversations Shows all network flows at multiple layers: Ethernet IP TCP

24 Wireshark tricks: Follow Stream In Conversations panel: Select a line and Follow Stream

25 Wireshark tricks: Evil found! This is a Windows Executable. Attacker is delivering a payload to the victim host. This is pretty bad. In Wireshark you can Save As to pull the file contents out for analysis or RE. Congratulations, you found some evil with Wireshark!

26 Next Steps? Wireshark books: Practical Packet Analysis, 2nd Ed Wireshark Network analysis, forensics courses: SANS SEC503 and GCIA SANS new! FOR572 Now in Beta

27 References Slide deck, pcaps, and links available online: