If you've ever picked up a book on Wireshark or network monitoring, they almost all cover about the same information. They'll show you, "Here's an ARP frame, here's an IP packet, here's a web request..." But what they don't go into is: when you open a Pcap file for the first time, where do you start? What are the things that you look for? And how do you find them? So my goal here is to help you bridge that gap between having a basic understanding of network protocol analyzers, and using them to solve real world problems.
-
Where did the user contracted the virus
-
any malware files captured? If there are, we can generate hash and submit to virustotal.
-
kinda of calls made to external sources It makes various call. Seems like the ones that responding via Pot 80
-
did try to propogate No
The commands uses in wireshark
To see traffic from 12.183.1.55 ip.addr == 12.183.1.55
Look for acknowledgement when a SYNC call was made. It should ideally return ACK.
Use the following command on wireshark's filter
ip.addr == 12.183.1.55 && !(tcp.stream == 5) && http.host
Internal network scanned, called
ip.src == 12.183.1.55 && ( ip.addr == 192.168.0.0/16 || ip.addr == 192.168.0.0/16 || ip.addr == 172.16.0.0/12 || ip.addr == 10.0.0.0/8 || ip.dst == 12.0.0.0/8)
Client network attack.
Denial of service attack against FTP 192.168.56.1
FTP taken offline
Attacking host 192.168.56.101
FTP Server 192.168.56.1
Objective
What causes the spike in FTP traffic?
What type of attack?
See alot or ARP - pretty sure it is port scan going on. Go to Statistic -> Converation
Use the filter = arp.opcode == 2 on wirewhark and hit enter
- This is to
What are the results of those attacks? What types of attack
!(arp)
ARP is Address Resolution protocol which tend to retrieve ips from a dns name.
And verify that, there are various different port number appearing. This is an obvious sign that attacker trying to do a port scan
tcp.flags == 0x012
You should see SYN, ACK for the following ports :-
21
445
139
135
49154
49152
49155
Use the following command :-
tcp.flags == 0x012 && (tcp.port == 21)
0x012 = SYNC / ACK For more info, please refere to link below :- http://rapid.web.unc.edu/resources/tcp-flag-key/
tcp.port == 21
Right click and choose follow stream. We can see attacker trying to use brute force to login
What event took place prior to the FTP Servier being taken offline
Did they get in? Ftp login for success code for login successful is 230
We want to see if the attacker has login successfully.
ftp.response.code == 230
And right click, and then choose 'Follow Stream'. Then click on the 'Srream' drop down button up. You can scroll through different types of network traffic capture data.