Open Source Network Forensics and Advanced Pcap Analysis OR So we have a Pcap, now what? By: GTKlondike

Posted on 17-Nov-2014

DESCRIPTION

Speaker: GTKlondike

There is a lot of information freely available on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well-defined limit on how in depth the topic is covered. This intermediate-level talk aims to bridge the gap between a basic understanding of protocol analyzers (i.e. Wireshark and tcpdump) and practical real-world usage. Topics covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network-based attacks. It is assumed the audience has a working knowledge of protocol analysis tools (i.e. Wireshark and tcpdump), the OSI and TCP/IP models, and major protocols (i.e. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.).

Bio: GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years of experience working as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.

TRANSCRIPT

Page 1: Open Source Network Forensics and Advanced Pcap Analysis

OR: So we have a Pcap, now what?

By: GTKlondike

Page 2: Who Am I?

Oh hey, that guy…

Page 3: I Am…

- Local hacker/independent security researcher
- Several years of experience in network infrastructure and security consulting as well as systems administration (routing, switching, firewalls, servers)
- Passionate about networking
- I’m friendly, just come up and say hi

Contact Info:
- Email: [email protected]
- Blog: gtknetrunner.blogspot.com

Page 4: I Am Here Because…

- Not enough easily accessible “advanced” material when it comes to packet analysis and network forensics
- Goal: To bridge the gap between basic understanding and real-world usage

* Disclaimer: I am not an expert, I’m just really passionate about networks

Page 5: This Is For…

- Incident response teams
- Network defenders
- Malware analysts
- Law enforcement
- Network engineers
- Technology lawyers
- Infosec managers
- Security researchers

Page 6: Assumed Prior Knowledge

Page 7: What Should You Know Already?

Assumed basic knowledge of:
- Protocol analyzers (Wireshark/tcpdump)
- OSI and TCP/IP model
- Major protocols (i.e. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.)

Page 8: Tools I Will Be Using

- Wireshark
- NetworkMiner
- Hex editor
- SiLK
- Scalpel
- GeoIP DB (http://dev.maxmind.com/geoip/legacy/geolite/)

Page 9: What Is Network Forensics?

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

Page 10: Pcap Data

Pros:
- Full packet capture
- Detailed communication information
- Used to set up new IDS/IPS rules

Cons:
- Large amount of data to parse
- Large file sizes
- Disk write latency may not record all packets

Page 11: Flow Data

Pros:
- Easy to implement
- Easy to identify the important things at a high level
- Baselining
- Visualization
- Up to a 10,000:1 size ratio compared with the packet data

Cons:
- Different analysis suites and flow types
- Mostly command line tools
- Only “who’s talking to whom”, not the details of the conversation

Page 12: Network Forensics Process

- Know your triggering events
- Have a goal
- Packet capture analysis:
  - Pattern matching
  - List conversations
  - Export
  - File/data carving

Page 13: Triggering Events

Examples of triggering events:
- IDS alert
- Noticeable anomaly (i.e. DoS or virus activity)
- Log anomalies
- Deviations from network baselines
- Known malicious/compromised system (i.e. known C&C servers, or traffic from out of country)
- Time frame
- Traffic signature
- etc.

Page 14: Have A Goal

- Always have a goal for the analysis: there could be many needles in the haystack, and not having a goal could prolong a particular investigation
- Prioritize your goals

Page 15: Pcap Analysis Methodology

1. Pattern Matching – Identify and filter packets of interest by matching specific values or protocol metadata
2. List Conversations – List all conversation streams within the filtered packet capture
3. Export – Isolate and export specific conversation streams of interest
4. Draw Conclusions – Extract files or data from streams and compile the data
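The four steps above, worked as an added example (this is not code from the talk): a minimal pure-Python classic-pcap reader that filters packets by a byte pattern (step 1), summarises the conversations those packets belong to (step 2), and exports a conversation's payload per direction (step 3). The capture it reads is constructed in memory by `build_record`/`build_pcap`; the executable download from 12.183.1.55 mirrors Scenario 1, while the server addresses (203.0.113.10, 198.51.100.7) and the host names are made-up documentation values.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4           # classic libpcap magic (microsecond timestamps)
HOST_OF_INTEREST = "12.183.1.55"  # host from Scenario 1 of the talk

def build_record(ts, src, sport, dst, dport, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame plus pcap record header (checksums left zero)."""
    eth = b"\x00\x00\x00\x00\x00\x02" + b"\x00\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame

def build_pcap(records):
    """Global header: version 2.4, no timezone offset, snaplen 65535, link type 1 (Ethernet)."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(records)

def parse_frame(frame):
    """Decode Ethernet/IPv4 and the TCP or UDP header; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, total_len, proto = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0], frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 6 and len(l4) >= 20:
        payload = l4[(l4[12] >> 4) * 4:]       # TCP data offset is counted in 32-bit words
    elif proto == 17 and len(l4) >= 8:
        payload = l4[8:]
    else:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "payload": payload}

def read_pcap(data):
    """Minimal classic-pcap reader (Ethernet only); honours either byte order, rejects pcapng."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        pkt = parse_frame(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets

def pattern_match(packets, pattern):
    """Step 1: keep packets whose payload contains the byte pattern."""
    return [p for p in packets if pattern in p["payload"]]

def conv_key(p):
    """Direction-independent conversation key: protocol plus both endpoints."""
    return (p["proto"],) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def list_conversations(packets):
    """Step 2: summarise every conversation in the capture."""
    convs = {}
    for p in packets:
        c = convs.setdefault(conv_key(p), {"packets": 0, "bytes": 0, "first": p["ts"], "last": p["ts"]})
        c["packets"] += 1
        c["bytes"] += len(p["payload"])
        c["first"], c["last"] = min(c["first"], p["ts"]), max(c["last"], p["ts"])
    return convs

def export_stream(packets, key):
    """Step 3: concatenate one conversation's payload per direction, in time order."""
    out = defaultdict(bytes)
    for p in sorted(packets, key=lambda q: q["ts"]):
        if conv_key(p) == key:
            out[(p["src"], p["sport"], p["dst"], p["dport"])] += p["payload"]
    return dict(out)

# Constructed capture: a direct download of an executable and an ordinary page fetch.
SAMPLE_PCAP = build_pcap([
    build_record(1.0, HOST_OF_INTEREST, 49200, "203.0.113.10", 80,
                 b"GET /update.exe HTTP/1.1\r\nHost: cdn.test\r\n\r\n"),
    build_record(1.1, "203.0.113.10", 80, HOST_OF_INTEREST, 49200,
                 b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    build_record(2.0, HOST_OF_INTEREST, 49201, "198.51.100.7", 80,
                 b"GET /index.html HTTP/1.1\r\nHost: news.test\r\n\r\n"),
    build_record(2.1, "198.51.100.7", 80, HOST_OF_INTEREST, 49201,
                 b"HTTP/1.1 200 OK\r\n\r\n<html></html>"),
])

def investigate(pcap_bytes=SAMPLE_PCAP, pattern=b".exe HTTP/1."):
    """Steps 1-3 chained; step 4 (drawing conclusions from the streams) stays with the analyst."""
    packets = read_pcap(pcap_bytes)
    hits = pattern_match(packets, pattern)
    keys = {conv_key(p) for p in hits}
    convs = {k: v for k, v in list_conversations(packets).items() if k in keys}
    return packets, hits, convs, {k: export_stream(packets, k) for k in keys}
```

A real file is read with `read_pcap(open(path, "rb").read())`. Wireshark's default pcapng output has a different magic and is rejected on purpose, so save as classic pcap first; VLAN-tagged, IPv6 and non-Ethernet frames are skipped rather than misparsed. The exported stream is a simple payload concatenation with no sequence-number reassembly, so retransmissions and reordering in a real capture would need Wireshark's "Follow TCP Stream" or a proper reassembler.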

Page 16: Demo Time!

Yeah….

Page 17: Scenario 1

Triggering Events:
- User reporting malware activity
- Current AV solution does not have a signature for the virus; nor is the virus recoverable from the infected host

What We Know:
- Full network packet capture for the day of the incident
- Host of interest: 12.183.1.55

Security Onion: /opt/samples/fake_av.pcap

Page 18: Scenario 1 (contd.)

What We Want to Know:
- Where did the user contract the malware from?
- Malware file (if possible)
- What kind of calls to the internet does it make?
- Does it try to self-propagate through the internal network?
- Possible network traffic signatures

Security Onion: /opt/samples/fake_av.pcap

Page 19: Open source network forensics and advanced pcap analysis

Results Of The Investigation Where did the user contract the malware from?

User made a direct call to the executable. Therefore, user either deliberately downloaded the malware, or there was a piece of malware sleeping on the system.

Malware file (if possible) Malware has been carved out and analyzed via virustotal.com MD5 hash of the file: fbe86fe4bd273ba11ee09799994c9e93 Sha256 hash of the file:

7fdf98dbacfb45ed800b4ba66bb0887aa7e8529b4fb36bda63d28e1010fbd9d1

What kind of calls to the internet does it make? DNS queries for a plethora of domains HTTP communication for web sites located on a few of those domains

Does it try to self propagate? No communication to other internal addresses

Network traffic signatures High volume of DNS queries within a short amount of time
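A rate-based signature for the last finding, as an added example that is not part of the talk: a sliding-window detector over DNS query records that flags a client once it has issued an unusual number of queries for many distinct names within a short interval. The query log is constructed inline (the infected client reuses the Scenario 1 address; the benign client 10.0.0.20 and the .test names are made up), and the thresholds are illustrative assumptions to be tuned against the site's own DNS baseline.

```python
from collections import defaultdict, deque

INFECTED = "12.183.1.55"   # host of interest from Scenario 1

# Constructed DNS query log as (timestamp, client IP, queried name) tuples:
# 60 distinct names in 3 seconds from the infected host, a normal trickle from another client.
SAMPLE_QUERIES = (
    [(100.0 + i * 0.05, INFECTED, f"c{i:03d}.test") for i in range(60)]
    + [(100.0 + i * 3.0, "10.0.0.20", ("www.test", "mail.test")[i % 2]) for i in range(20)]
)

def dns_query_bursts(records, window=10.0, min_queries=50, min_distinct=30):
    """Sliding-window rate signature: flag a client once it has issued at least `min_queries`
    DNS queries for at least `min_distinct` names within any `window` seconds.
    Thresholds are illustrative assumptions; tune them against the site's DNS baseline."""
    recent = defaultdict(deque)    # per client: (ts, qname) pairs inside the current window
    alerts = {}
    for ts, client, qname in sorted(records):
        dq = recent[client]
        dq.append((ts, qname))
        while dq and ts - dq[0][0] > window:   # drop queries that fell out of the window
            dq.popleft()
        distinct = len({name for _, name in dq})
        if client not in alerts and len(dq) >= min_queries and distinct >= min_distinct:
            alerts[client] = {"first": dq[0][0], "last": ts, "queries": len(dq), "distinct": distinct}
    return alerts
```

The distinct-name condition is what separates this behaviour from a busy but legitimate resolver client, which repeats a small set of names; in production the records would come from a DNS log or from the UDP/53 packets of the capture rather than from a constructed list.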

Page 20: Scenario 2

Triggering Events:
- A denial of service (DoS) attack has been reported against FTP server 192.168.56.1
- FTP traffic spikes were seen prior to the FTP server being taken offline

What We Know:
- Captured traffic data that is narrowed down to the traffic between an attacking host (192.168.56.101) and the FTP server (192.168.56.1)

Page 21: Scenario 2 (contd.)

What We Want to Know:
- What happened?
- What caused the spike in FTP traffic?
- What events took place prior to the FTP server being taken offline? (i.e. were any files transferred to/from the FTP server, or were any user accounts compromised?)

Page 22: Results Of The Investigation

- Attacker first initiated an ARP scan of the subnet 192.168.56.0/24
  - The following hosts were discovered: 192.168.56.1 and 192.168.56.100
- Attacker then began a port scan of host 192.168.56.1
  - The following ports were found open: 21, 445, 139, 135, 49152, 49153, 49154, 49155, 49156
- Attacker followed up with an FTP brute force attack against the FTP server
  - User anon credentials were compromised
- Attacker successfully logged in as user anon with the stolen credentials
  - File "Whywecanthavenicecat.png" was downloaded
  - MD5 sum of the file: 12039fd05bc2fcd3902247124edcea06
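Recovering the downloaded image from the reassembled FTP data stream is a file-carving task; the following is an added example, not the talk's demo code. It locates PNG signatures in a byte stream, walks the chunk structure with CRC checks until IEND so that truncated or corrupted hits are reported as incomplete rather than silently carved, and hashes each carve for comparison with the slide's MD5. The stream and the 1x1 image inside it are constructed inline, so the hashes it produces are not the ones from the investigation.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Length, type, data, CRC-32 over type+data: the PNG chunk layout."""
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", zlib.crc32(ctype + data))

def make_sample_png():
    """Constructed 1x1 RGB image (IHDR, one IDAT, IEND) standing in for the downloaded file."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def carve_png(stream):
    """Find every PNG signature in a byte stream and walk the chunks after it.
    A carve is 'complete' only if every chunk's CRC checks out and IEND is reached."""
    carves = []
    pos = stream.find(PNG_SIG)
    while pos != -1:
        cur, complete, reason = pos + len(PNG_SIG), False, "truncated"
        while cur + 8 <= len(stream):
            length, ctype = struct.unpack("!I4s", stream[cur:cur + 8])
            end = cur + 12 + length                      # 4 length + 4 type + data + 4 CRC
            if end > len(stream):
                break                                    # chunk runs past the end of the stream
            data = stream[cur + 8:cur + 8 + length]
            crc = struct.unpack("!I", stream[end - 4:end])[0]
            if crc != zlib.crc32(ctype + data):
                reason = "crc mismatch in " + ctype.decode("ascii", "replace")
                break
            cur = end
            if ctype == b"IEND":
                complete, reason = True, "ok"
                break
        blob = stream[pos:cur]
        carves.append({"offset": pos, "complete": complete, "reason": reason, "data": blob,
                       "md5": hashlib.md5(blob).hexdigest(),
                       "sha256": hashlib.sha256(blob).hexdigest()})
        pos = stream.find(PNG_SIG, pos + len(PNG_SIG))
    return carves

# Constructed data stream: noise, one intact image, more noise, then a truncated copy.
SAMPLE_STREAM = b"preamble bytes " + make_sample_png() + b" trailing bytes " + make_sample_png()[:20]
```

Signature-only carvers such as Scalpel cut on header and footer patterns and can swallow trailing bytes or stop at a false IEND inside another file; walking the chunk lengths and CRCs instead gives an exact byte count, which is what makes the carved hash comparable to the hash of the original file.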

Page 23: Network Flows

Just going with the flow…

Page 24: Network Flow

A record of source and destination traffic information, without the conversation details:
- Source IP
- Destination IP
- Source port
- Destination port
- Protocol
- Start, end, and duration of the conversation *
- Number of bytes
- Number of packets
- Directionality *

* format dependent

Page 25: Flow Use In Security

- Identify and track compromised hosts
- Identify potential data leaks to unauthorized networks (exfiltration)
- Network/host traffic patterns (baselining)

Page 26: Devices

- Sensor – Monitors flows and sends information back to collectors
- Collector – Collects flows from some or all sensors
- Analyzer – Performs analysis on collected flow data

Page 27: Flow Formats

- NetFlow v5 – Uses UDP to send information from sensor to collector; very common and widely adopted. Does not work with IPv6.
- NetFlow v9 – Uses TCP, UDP, or SCTP (Stream Control Transmission Protocol) to send information from sensor to collector; also very common. Includes many improvements over NetFlow v5.

Page 28: Flow Formats (contd.)

- IPFIX (IP Flow Information Export) – Built off of NetFlow v9; uses TCP, UDP, or SCTP to send information from sensor to collector.
- sFlow – Flows based off of samples.
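A collector has to decode the wire format before any analysis can start, and NetFlow v5 is the simplest of the formats listed. The following is an added example (not from the talk) that packs and parses a v5 datagram with its fixed 24-byte header and 48-byte records, checks the version and the record count against the datagram length, and converts the uptime-relative First/Last fields to wall-clock times using the header's export timestamp. The flows it encodes reuse Scenario 2's addresses; the packet counts, uptime and export time are constructed values.

```python
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes

def build_netflow_v5(flows, sysuptime_ms, unix_secs, seq=0):
    """Constructed sensor/exporter: pack flow dicts into one v5 datagram.
    Next-hop, interface, AS, mask, engine and sampling fields are left zero."""
    header = V5_HEADER.pack(5, len(flows), sysuptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\0\0\0\0",
                       0, 0, f["packets"], f["bytes"], f["first_ms"], f["last_ms"],
                       f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                       0, 0, 0, 0, 0)
        for f in flows)
    return header + body

def parse_netflow_v5(datagram):
    """Collector side: validate the header, unpack the records, anchor times to the wall clock."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sysuptime, unix_secs, unix_nsecs, seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    export_time = unix_secs + unix_nsecs / 1e9
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "bytes": octets,
            # First/Last are router uptime in ms; anchor them to the export wall-clock time
            "start": export_time - (sysuptime - first) / 1000.0,
            "end": export_time - (sysuptime - last) / 1000.0,
        })
    return {"sequence": seq, "records": records}

# Constructed records for Scenario 2: the attacking host hammering the FTP control port, and the reply flow.
SAMPLE_DATAGRAM = build_netflow_v5(
    [{"src": "192.168.56.101", "dst": "192.168.56.1", "sport": 41022, "dport": 21, "proto": 6,
      "packets": 840, "bytes": 50_400, "first_ms": 490_000, "last_ms": 495_000, "tcp_flags": 0x18},
     {"src": "192.168.56.1", "dst": "192.168.56.101", "sport": 21, "dport": 41022, "proto": 6,
      "packets": 810, "bytes": 64_800, "first_ms": 490_010, "last_ms": 495_000, "tcp_flags": 0x18}],
    sysuptime_ms=500_000, unix_secs=1_416_200_000, seq=17)
```

Because v5 rides on UDP, the sequence number in the header is the only way a collector can notice lost datagrams; tracking gaps in it per exporter is worth doing before trusting byte totals from the records. The IPv4-only address fields are also visible here, which is the reason the slide notes that v5 cannot carry IPv6 flows.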

Page 29: Flow Analysis Methodology

- Filtering – Filter down flows to relevant targets
- Baselining – Compare flow record traffic to network baselines
- Pattern Matching – Monitor fingerprints in traffic flows:
  - Unidirectional traffic volumes
  - Complex deviations from normal traffic
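The three techniques above, applied to the security uses from page 25 (exfiltration and baselining), as an added example that is not part of the talk: field filtering, a per-host outbound-volume baseline check using mean plus k standard deviations, and a unidirectional-flow fingerprint that surfaces scanning. The flow records, the baseline history, the internal address ranges and the thresholds are all constructed assumptions; the scanning source reuses the Scenario 2 attacker address.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]   # assumed site ranges

def flow(src, sport, dst, dport, proto, packets, nbytes, start, end):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto,
            "packets": packets, "bytes": nbytes, "start": start, "end": end}

# Constructed flow records (one per direction), fields as in the "Network Flow" slide.
SAMPLE_FLOWS = [
    flow("10.0.0.5", 51000, "198.51.100.9", 443, 6, 40, 6_000, 0, 3),
    flow("198.51.100.9", 443, "10.0.0.5", 51000, 6, 38, 48_000, 0, 3),
    flow("10.0.0.7", 51500, "203.0.113.5", 443, 6, 9_000, 12_000_000, 0, 600),   # large upload
    flow("203.0.113.5", 443, "10.0.0.7", 51500, 6, 4_000, 210_000, 0, 600),
] + [  # one-way probes from the Scenario 2 attacker: no reply flow ever appears
    flow("192.168.56.101", 40000 + i, "192.168.56.1", port, 6, 1, 60, 10, 10)
    for i, port in enumerate([21, 22, 23, 25, 80])
]

# Constructed per-host history of outbound bytes for comparable past periods.
BASELINE = {"10.0.0.5": [5_000, 6_500, 5_800, 6_100], "10.0.0.7": [4_000, 4_500, 3_800, 4_200]}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def filter_flows(flows, **criteria):
    """Filtering: keep flows whose fields equal every keyword given, e.g. dport=21, proto=6."""
    return [f for f in flows if all(f.get(k) == v for k, v in criteria.items())]

def outbound_bytes_per_host(flows):
    """Bytes each internal host sent to addresses outside INTERNAL (the exfiltration direction)."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)

def baseline_deviations(flows, baseline, k=3.0):
    """Baselining: flag hosts whose outbound volume exceeds mean + k * stdev of their history.
    Hosts with no usable history are reported separately rather than silently skipped."""
    flagged, unknown = {}, []
    for host, sent in outbound_bytes_per_host(flows).items():
        history = baseline.get(host, [])
        if len(history) < 2:
            unknown.append(host)
            continue
        limit = mean(history) + k * pstdev(history)
        if sent > limit:
            flagged[host] = {"sent": sent, "limit": limit}
    return flagged, unknown

def unidirectional_sources(flows, min_targets=3):
    """Pattern matching: sources with several flows that never get a reply flow (a scan fingerprint)."""
    seen = {(f["src"], f["sport"], f["dst"], f["dport"], f["proto"]) for f in flows}
    one_way = defaultdict(set)
    for f in flows:
        if (f["dst"], f["dport"], f["src"], f["sport"], f["proto"]) not in seen:
            one_way[f["src"]].add((f["dst"], f["dport"]))
    return {src: sorted(targets) for src, targets in one_way.items() if len(targets) >= min_targets}
```

With real data the records would come from a collector such as SiLK's rwfilter output or the parsed NetFlow records, and the baseline would be built from the same filter over previous days. Hosts absent from the baseline are returned in the second value on purpose: a brand-new talker sending a lot outbound is itself worth a look, and dropping it would hide exactly the case baselining is meant to catch.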

Page 30: Additional Information (Pcap Files)

- http://www.netresec.com/?page=PcapFiles
- http://forensicscontest.com/puzzles
- http://www.honeynet.org/node/504
- https://www.evilfingers.com/repository/pcaps.php
- http://code.google.com/p/security-onion/wiki/Pcaps

Page 31: Further Reading

- Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, by Chris Sanders
- Network Forensics: Tracking Hackers Through Cyberspace, by Sherri Davidoff and Jonathan Ham
- Guide to Integrating Forensic Techniques into Incident Response: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
- SiLK Analysis Handbook: https://tools.netsa.cert.org/silk/analysis-handbook.pdf
- File Signatures: http://www.garykessler.net/library/file_sigs.html