Sharkin' · IDS: a source of packets for analysis Intrusion Detection Systems (IDS): – Bro IDS,...
Ben S. Knowles BBST, CISSP, GCIA, GCIH, GSEC, LPIC-1 , et cetera
Sharkin': Using Wireshark to find evil in packet captures
Packet Captures
● Recordings of Internet activity
● Often used by analysts and researchers
What can you quickly find out from a pcap?
Buy the official Three Investigators Cluedo (auf Deutsch) at http://www.eastforkids.com/
pcaps: quick answers
Basic packet analysis should find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did what to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
This adds up to a characterization of the traffic and a possible story it tells:
● Who? Did what? When? To whom?
● What is the significance (so what)?
● What should someone do about it?
IDS: a source of packets for analysis
● Intrusion Detection Systems (IDS):
– Bro IDS, Snort, Suricata, RealSecure, McAfee NSM
● Alert on traffic that matches signature rules (Snort et al.)
– Or log and notify based on policy (Bro IDS)
● Alerts are displayed in consoles:
– DSWX CTP Portal, sguil, Snorby, SiteProtector, EPO
● Consoles display many event details
– And (usually) give you the option to pull a pcap file
Wireshark: about
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
From: https://wireshark.org/about.html
Looks a bit like this →
Packet analysis tips: safety and accuracy
● Get offline!
– Isolate your analysis environment for safety and cleaner results
● Disable name lookups in your tools
– tcpdump -nn
– Wireshark: uncheck the options under View / Name Resolution
● Keep your analysis tools updated!
– Analysis tools are a juicy target for attackers.
– File and protocol parsers are a constant source of vulnerabilities.
● No captures on production networks or other people's networks!
– Check with your boss / client / spouse / lawyer before capturing traffic.
● Double-check those timezones again.
– Most computer systems record time in UTC no matter where they are.
Packets! Let's get some packets and take a look!
PCAP files are at: http://www.atlbbs.com/sharkin/
Snorby: a few events
Snorby: "id check returned root": testmy-handout.pcap
testmy-handout.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did what to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
This adds up to a characterization of the traffic and a possible story it tells:
● Who? Did what? When? To whom?
● What is the significance (so what)?
● What should someone do about it?
Wireshark tricks: Statistics Summary
In Wireshark menu:
Statistics / Summary
Gives capture times and packet statistics
Similar output to the capinfos command
testmy-handout.pcap: answers
● The root user is the super admin on UNIX systems
● This suggests an attacker has gotten remote root
● Game over?
Found at anvari.org
Snorby: WordPress login: ptmag-login.pcap
ptmag-login.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did what to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
This adds up to a characterization of the traffic and a possible story it tells:
● Who? Did what? When? To whom?
● What is the significance (so what)?
● What should someone do about it?
Wireshark tricks: filters
● Powerful filters let us sift and sort through captures
● Color highlighting gives an immediate syntax check
● Suggestions help you pick fields
● Use what you already know to find what you are looking for faster
Wireshark tricks: display filters
What we know from the alert, and can filter on to sift out packets:
● Protocols:
– TCP/IP (2445)
– HTTP (2445)
● Hosts
– 192.168.15.105 (1082)
– & 79.125.109.24 ?
● Applications:
– PenTestMag site (73)
– HTML form (1)
– WordPress blog (1)
Research: reproduce it and pcap it, then search the pcaps ...
## check my tcpdump settings with a live capture ##
sudo tcpdump -i en0 -v 'host 79.125.109.24'
## verified, capture session to a file ##
sudo tcpdump -i en0 -w ptmag.pcap 'host 79.125.109.24'
Offstage: log in to the suspect site again in the browser, then
## read back the capture file and dump text to another file ##
tcpdump -r ptmag.pcap -X 2>&1 > outfile.txt
## Look for suspicious strings in the output; grep -c counts the matches ##
grep Password -c outfile.txt ; grep Password outfile.txt
grep adricnet -c outfile.txt ; grep adricnet outfile.txt
Much easier in Wireshark: Find Packet
● Edit / Find Packet
● By: String
● Packet: bytes
ptmag-login.pcap: answers
It seems our subject web magazine isn't handling logins properly.
● SSL/TLS should be used for all logins and all login pages.
● Especially for public and commercial sites (this one is both).
We should send them a nice note about this after the brownbag is over.
Found on InfoSec Reactions, a very silly place.
pcaps from ATTACK research ;)
Trying out some IE8 attacks on a WinXP VM on my Mac at home
Packets captured to file:
msf_ie0day_winxpsp3.pcap
msf_ie0day_winxpsp3.pcap
msf_ie0day_winxpsp3.pcap: questions
Let's find:
● IP addresses involved → hosts → who
● Protocols used → how → characterization
● Directionality → who did what to whom
● Application used (if any) → how → TTP
● Time and date → when, but watch out for timezones!
This adds up to a characterization of the traffic and a possible story it tells:
● Who? Did what? When? To whom?
● What is the significance (so what)?
● What should someone do about it?
Wireshark tricks: Conversations
In Wireshark menu:
Statistics / Conversations
Shows all network flows at multiple layers:
● Ethernet
● IP
● TCP
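The "quick answers" list and the Statistics / Summary and Statistics / Conversations tricks above boil down to walking the packet records once. The following is an added example, not code from the slides: a minimal reader for classic libpcap files that reports first/last time in UTC, protocol counts, and per-conversation packet counts with a client/server direction guess. The sample capture is constructed inline with the two web hosts from the slides plus one DNS query; the "lower port is the server" direction rule is a simplifying assumption.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

def build_pcap(packets):
    """Constructed sample writer: classic libpcap header (magic 0xa1b2c3d4, link type 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed Ethernet + IPv4 header + the two L4 port fields, no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HH", sport, dport)

def summarize(pcap_bytes):
    """First/last time in UTC (as in Statistics / Summary), protocol counts, and
    conversations keyed (proto, client, server, port) as in Statistics / Conversations.
    Direction is a heuristic: the side with the lower port is taken to be the server."""
    assert struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4, "classic LE pcap only"
    off, times, protos, convs = 24, [], Counter(), Counter()
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        pkt, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        times.append(sec + usec / 1e6)
        if pkt[12:14] != b"\x08\x00":  # not IPv4: count it and move on
            protos["non-IPv4"] += 1
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        name = {6: "TCP", 17: "UDP"}.get(proto, f"ip-proto-{proto}")
        protos[name] += 1
        if proto in (6, 17):
            sport, dport = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
            key = (src, dst, dport) if dport < sport else (dst, src, sport)
            convs[(name,) + key] += 1
    utc = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {"packets": len(times), "first": utc(min(times)), "last": utc(max(times)),
            "protocols": dict(protos), "conversations": dict(convs)}

# Constructed sample: the web client and server seen in the slides, plus one DNS query.
SAMPLE = build_pcap([
    (1370000000, 0, frame("192.168.15.105", "79.125.109.24", 6, 51234, 80)),
    (1370000000, 500000, frame("79.125.109.24", "192.168.15.105", 6, 80, 51234)),
    (1370000001, 0, frame("192.168.15.105", "192.168.15.1", 17, 40000, 53)),
])
```

Timestamps are printed in UTC on purpose: pcap records store epoch seconds, so any local-time display is a presentation choice of the tool, which is the timezone trap the tips slide warns about.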
Wireshark tricks: Follow Stream
In the Conversations panel:
Select a line and click Follow Stream
Wireshark tricks: Evil found!
This is a Windows executable.
The attacker is delivering a payload to the victim host.
This is pretty bad.
In Wireshark you can use Save As to pull the file contents out for analysis or reverse engineering (RE).
Congratulations, you found some evil with Wireshark!
Next Steps?
Wireshark books:
● Practical Packet Analysis, 2nd Ed http://nostarch.com/packet2.htm
● Wireshark 101 http://www.wiresharkbook.com/
Network analysis, forensics courses:
● SANS SEC503 and GCIA
● SANS FOR572 (new!)
– Now in beta
References
Slide deck, pcaps, and links available online:
http://f.adric.net/index.cgi/wiki?name=Sharkin