Wireshark - Malware traffic Analysis

Reddit Comments

Good stuff. Thank you!

👍 3 👤 u/SuperSeyoe 📅 Sep 15 2019 🗫 replies

OP if you have the time, would be neat to see you do the same thing with Moloch with the sample you used above

While Wireshark is a solid tool, most of the time it isn't scalable. With something like Moloch you can link it to your SIEM.

👍 2 👤 u/julietscause 📅 Sep 15 2019 🗫 replies

Bookmarked. Thank you friend. :)

👍 1 👤 u/21stCenturyLuther 📅 Sep 15 2019 🗫 replies
Captions
Hi guys, welcome to Hack eXPlorer. In this episode we'll be talking about packet analysis, which is an important skill that a security professional should master, and we'll be using the world's leading network traffic analyzer, Wireshark. So if you're a beginner, don't worry, there's a lot of step-by-step guides over here, and along the way we'll be learning a lot about how to master this tool. So continue watching, and welcome to my channel and to malware traffic analysis with Wireshark.

Wireshark is a popular tool for troubleshooting network-related issues, but in cybersecurity you can discover many interesting events that are happening on a network. For example, we can collect a lot of IOCs, which are known as indicators of compromise. IOCs, simply explained, are pieces of forensic data that we collect during our analysis, for example IP addresses, domain names, user agents and all the rest of the things that are here, which can be some of the IOCs that can be collected during a cyber investigation. How can we use the IP address? If an IP address is detected as spreading malware to our network, we can immediately block it. The same thing goes for a domain name. Collection of IOCs will help an organization to detect and prevent attacks. In this demonstration we'll be looking at some specific IOCs from a network traffic capture, so let's jump into Wireshark.

Wireshark can be used in two ways. One is you can perform a local capture of the network traffic and analyze it, or there are a lot of sites which offer you sample packet captures for analysis. I'm using a packet capture from malware-traffic-analysis.net; I've given the link below. So I'm using one of the capture samples given by them. Click Open. The basic things are: you can see the source and the destination IPs which are connected, what protocols they are using, and Info will provide you more information. But this default view, we can enhance it: we can add more features or remove some unwanted features to make our analysis easier.

So the first thing I'm going to do is make the display easier to move through. I won't be needing the number of packets, so I'm going to remove the packet number, and the packet length, I'm gonna remove that. So I'm going to do some modifications for the time: this time is in seconds, and I'll be changing this view at the time display format into date and time of day, which will show you the date and time of the network event. So let's add on columns as we go on.

One of the first things that you have to do when you receive a capture like this is understand what type of protocols are used inside this traffic capture. For example, if you go to the Statistics menu, which we'll be using a lot to get summarized information, the first thing that I go to is the Protocol Hierarchy. So this window shows a summary of what protocol activity we see. For example, we see some IP version 6 traffic, and IP version 4, which is 98%, so I'm interested in this section; this is where all the things are happening. Inside that, we also see some TCP and UDP traffic. So UDP normally we can use to get machine-related information such as DHCP and DNS requests, and here is where we can see the application-level traffic. According to this graph we can see there is a lot of HTTP activity, Hypertext Transfer Protocol activity, which indicates this is something related to web traffic. If I give you an example, in this malware-traffic-analysis.net packet capture, it is all about a user downloading a malware, so definitely we will be finding it in the Hypertext Transfer Protocol.

So in the normal view you can see all the protocols. Since we are interested in HTTP traffic, I am going to use a filter: you can type a filter over here, or you can use this window and just right-click and apply this section as a filter. So I'm telling Wireshark to show me only the HTTP traffic. If I close this window, we have the HTTP traffic and all the related traffic over here, but I'm going to filter it out like this. So I'm going to use a filter called http.request. So the http.request filter will show me only the GET and the POST requests that are made from the source to the destination. You can see we have narrowed down the search more, so you have a smaller amount of traffic to analyze now.

Right now, to make the interface more meaningful and more understandable, I can add more columns. For example, we can see a source and a destination and the request that is made, but we can see only the URL path, and this destination IP address won't be meaningful. In this second section of Wireshark you can see all the protocol layer information. I'm interested in the Hypertext Transfer Protocol section, and if you go inside here you can see this will contain the actual hostname. So right-click and Apply as Column. Now you can see clearly where this source connected to. We can add some more information into the column display to make it more informative. For example, when I am doing this I get the source port, and I'm going to get it from here, the source port, and I'm going to add another column called dst port. I'll name this one src port to make the column name short, okay, and here you can select the destination port; from here click OK. Yeah, the ports normally will show in the corner; you can drag and move them, or you can also go to Column Preferences, and I want it right over here. So this will make my life easier. To make it clear, you can align this data to left or right according to your preferences. So now we have more information. So this is how you set up your column display in order to make your analysis easier. So we can see the time and the source and destination ports and the sites that they are connected to. All of this data is derived from the packet data that we have.

Right now, as I told you, this packet capture is containing a malware download. We can see according to the HTTP requests that only this machine accessed the Internet. I will see what are the questions that we are looking into. So first we want to find the infected files downloaded and their hashes. I'm going in this order; I'm going to answer all of these questions.

So first we will see how to find the infected files that were downloaded. You can see all the file requests from here, but if you want to get the actual file you need to go to File and this option called Export Objects, and you can see all the HTTP objects which were downloaded in this packet capture. There's a lot of content types; I'll sort them out. You can see application, image, HTML and JavaScript. When you're looking for malware, the tag that you use is content type, and the application type over here. There are three different categories of applications: you download a Java file, an x-msdownload which could be an EXE or executable Microsoft download, and a Shockwave Flash. These are the main ways an infected file can be downloaded. Other than this there could be Word files which are having a macro, or direct executables. These files are the most suspicious ones. I'm going to click on the file and I'm going to click Save. Yeah, this is the Java file; I'll add the .jar extension for this, and I'm going to take a sample of this. So this was an executable, so I'm going to say .exe, and this is a Shockwave object, so I'm going to save this as a .swf file. It's not only to rename this one, but I need to identify the file later, so that's why I'm adding the extension for the files. But remember, the application content type is the thing that you have to look for if you are looking for any malware. PDF and Microsoft Office file downloads are also suspicious.

So I'm going to open my Explorer window and go to my Wireshark investigation and go to Sample Download. So you can see these are the three files downloaded. Now we have to see whether these are malicious. In this situation we can use VirusTotal: we can upload the files and see if these are infected. I don't recommend uploading the files directly, because imagine this is a Microsoft Word document which is having some confidential data; if you upload it, your data is out of the organization. VirusTotal has an option where they accept the hash of the file and tell whether it is malicious or not. So in these types of situations it's better to have a file ready to answer your questions. So first of all, what are the infected files and their hashes? So how do you get the hash of a file? You have a lot of tools; one of the main tools that I love is offered by NirSoft. I'll post the link for this file in the description window. So this is a very useful tool to extract the file hashes from a given file. So we have the file name and the file hashes, so I'm going to copy the file hashes. It's very easy: all the file hashes at once. These are the ones that I should check. I'll copy the MD5 version of this, go to my Notepad editor and just paste the hash over here. So first of all we have collected the hashes which we are going to check for any virus information.

Let me jump into my VirusTotal window and search. See, it will accept the file hash. Let's check if it is malicious. So it's infected; so this is a malware, this hash is infected. Let's check for the other file and paste it over here. Hmm, that seems to be a file that is safe, but just to be safe I'll note down this one. And you can see we have another infected file, which is the SWF, okay, it's the SWF. I'll just copy this one back again. I believe it's the jar file, yep, a Java exploit, infected Java. I'll leave this hash around, because that was also an executable which was downloaded; this could be a virus which was not yet discovered, it could be a zero-day, but we are not sure. We'll see if the source is compromised with something; we have to make sure this file also was not downloaded. Okay, that is how you use VirusTotal in these kinds of situations.

So the second question is, what is the URL/domain of the infected site? Let's jump back into Wireshark. We can see the application was downloaded from this particular hostname, standard trust and poverty com. Okay, so I'll copy this. And what is the IP address of the infected website? Now we need the IP address of this one, so that will be available in the Internet Protocol section. We can copy this value and paste it over here. Right, and that was easy. What is the IP address of the infected machine? So in our case the infected machine is the source over here; I'll copy the value over here. Alright, so that was easy.

Next we have to find another two things: what is the hostname of the infected machine, and the MAC address. You should go to the Ethernet layer information; so this should be the source MAC address. I'll copy the value first, so I pasted it here. I need the hostname now. Let me go into the protocol hierarchy; so there are many protocols which can be used to find the hostname. I go to Statistics and Protocol Hierarchy. Here you can find a lot of naming services under the IP and UDP protocols; you have NetBIOS and DHCP, which can also be used to find the MAC and host information. I'll use DHCP, the most common way to find it; also it's easy. You can just right-click and apply this as a filter, or you can just type dhcp, which will show you all the DHCP-related requests. So, the hostname of this particular IP. So we can see there are two requests, the Inform and the Request. So normally in the DHCP Request we should find the host information. So if you expand this Dynamic Host Configuration Protocol and if you go in, you can see the client MAC address who has requested, which is the same MAC address that we found here, and if you dig in deeper you will be able to find the hostname. And this is another way: you can apply this as a column and get the hostname. Copy this, Copy Value.

And now we have found a lot of information related to this activity. So the first part, the infected file hashes, can be blocked inside our network using our virus guard; so if they see this file hash, you can easily tell the virus guard to detect the virus and delete it. We can block access to these sites and IP addresses, and we can make an investigation on this PC to see if it is infected and make sure the malware is cleaned. So this is how we carry out a Wireshark investigation.

So if you want to learn more about this type of investigation, you can always refer to Wireshark 101: Essential Skills for Network Analysis by Laura. So this book will give you a lot of tips and tricks for using Wireshark. So this is from the founder and the creator of Wireshark. So that's information for you. And again, if you want to learn more, go to malware-traffic-analysis.net, which will have a lot of exercises related to traffic analysis. So there are a lot of the latest things; just download a copy, make sure you run these on a sandbox, because these have live viruses inside these packet captures, so make sure you are careful when you're handling these things. If you enjoy this video please give a thumbs up, and please don't forget to subscribe, and I hope to bring you more videos like this in the future. Thank you for watching.
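As an added example (not code from the video, from Wireshark or from malware-traffic-analysis.net), the following Python script reproduces the two views the walkthrough relies on without a GUI: the http.request list with source/destination ports and the Host column, and the DHCP Request inspection that yields the client MAC address and Host Name (option 12). It assumes a classic little-endian pcap (pcapng is not handled), does no TCP reassembly (so only requests whose first line fits in one segment are seen), and builds its own constructed capture inline with documentation-range addresses and made-up names, so it runs offline.

```python
"""Tiny pcap triage helper (added example): emulate Wireshark's `http.request`
and `dhcp` views on a constructed capture.  Nothing here is real traffic."""
import struct


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    pack = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, pack(src), pack(dst)) + payload

def _tcp(sport, dport, payload):
    # 20-byte TCP header: data offset 5 words, flags PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(src_mac, dst_mac, ip_packet):
    return dst_mac + src_mac + b"\x08\x00" + ip_packet          # Ethernet II, IPv4

def _dhcp_request(mac, hostname):
    """BOOTP fixed header (236 bytes) + magic cookie + options 53=Request, 12=Host Name."""
    fixed = struct.pack("!BBBBIHH16s", 1, 1, 6, 0, 0x1234, 0, 0, b"")   # ciaddr..giaddr zero
    fixed += mac + b"\0" * 10 + b"\0" * 64 + b"\0" * 128                 # chaddr, sname, file
    opts = b"\x35\x01\x03" + b"\x0c" + bytes([len(hostname)]) + hostname.encode() + b"\xff"
    return fixed + b"\x63\x82\x53\x63" + opts

def build_sample_pcap():
    """Constructed capture: one DHCP Request and two HTTP requests from one client."""
    victim, gw, bcast = bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd02"), b"\xff" * 6
    frames = [
        _frame(victim, bcast, _ipv4("0.0.0.0", "255.255.255.255", 17,
               _udp(68, 67, _dhcp_request(victim, "WORKSTATION-7")))),
        _frame(victim, gw, _ipv4("10.0.0.5", "203.0.113.10", 6, _tcp(49152, 80,
               b"GET /loader.jar HTTP/1.1\r\nHost: example-bad.test\r\n\r\n"))),
        _frame(victim, gw, _ipv4("10.0.0.5", "203.0.113.10", 6, _tcp(49153, 80,
               b"POST /gate.php HTTP/1.1\r\nHost: example-bad.test\r\n\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)    # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1568505600 + i, 0, len(f), len(f)) + f
    return out

def iter_packets(pcap):
    """Yield raw frames from a classic little-endian pcap (pcapng is out of scope)."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def _ip_layer(frame):
    """Return (protocol, src, dst, transport_bytes) for IPv4 frames, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return ip[9], dotted(ip[12:16]), dotted(ip[16:20]), ip[ihl:]

def http_requests(pcap):
    """`http.request` view: (ip.src, tcp.srcport, ip.dst, tcp.dstport, method, http.host, uri)."""
    rows = []
    for frame in iter_packets(pcap):
        layer = _ip_layer(frame)
        if not layer or layer[0] != 6:                       # TCP only
            continue
        _, src, dst, seg = layer
        sport, dport = struct.unpack("!HH", seg[:4])
        lines = seg[(seg[12] >> 4) * 4:].split(b"\r\n")      # skip TCP header + options
        if not lines[0].startswith((b"GET ", b"POST ")):      # responses / non-HTTP drop out
            continue
        method, uri = lines[0].decode("ascii", "replace").split(" ")[:2]
        host = next((h[5:].strip().decode() for h in lines[1:] if h.lower().startswith(b"host:")), "")
        rows.append((src, sport, dst, dport, method, host, uri))
    return rows

def dhcp_hostnames(pcap):
    """`dhcp` view: client MAC (chaddr) -> option 12 Host Name, from client->server messages."""
    found = {}
    for frame in iter_packets(pcap):
        layer = _ip_layer(frame)
        if not layer or layer[0] != 17:                      # UDP only
            continue
        dgram = layer[3]
        if struct.unpack("!HH", dgram[:4]) != (68, 67):      # DHCP client -> server
            continue
        bootp = dgram[8:]
        mac, opts, i = bootp[28:34].hex(":"), bootp[240:], 0
        while i < len(opts) and opts[i] != 0xFF:             # 0xFF = end option
            if opts[i] == 0:                                 # pad option has no length byte
                i += 1
                continue
            code, length = opts[i], opts[i + 1]
            if code == 12:
                found[mac] = opts[i + 2:i + 2 + length].decode()
            i += 2 + length
    return found

if __name__ == "__main__":
    cap = build_sample_pcap()
    for row in http_requests(cap):
        print("%s:%d -> %s:%d  %s %s%s" % row)
    print(dhcp_hostnames(cap))
```

Running it prints the same three facts the walkthrough reads off the GUI: the requesting host, its source port, the server and its port, the method plus Host header, and the DHCP-derived MAC-to-hostname mapping. To apply it to a real capture, replace `build_sample_pcap()` with the bytes of a .pcap file; the `tshark -T fields` output with the same columns is the GUI-free cross-check.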
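The hashing step, as an added example that is not from the video (the video uses a NirSoft tool): it hashes every file in an Export Objects output directory with MD5, SHA-1 and SHA-256, then checks the digests against a locally held blocklist, which is the hash-lookup approach recommended above instead of uploading a possibly confidential file. The sample files, the directory layout and the blocklist are constructed inside the script; `match_blocklist` is this example's own helper, not part of any tool.

```python
"""Hash exported HTTP objects and look the digests up locally (added example)."""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")

def _digests(chunks):
    """Feed an iterable of byte chunks through all algorithms once; return {algo: hex}."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def hash_bytes(data):
    return _digests([data])

def hash_file(path, chunk=1 << 16):
    """Stream the file so large samples never sit fully in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk), b""))

def hash_directory(directory):
    """Hash every regular file in an export directory, sorted by name for stable reports."""
    return {name: hash_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}

def match_blocklist(report, blocklist):
    """Names of files whose MD5 or SHA-256 is in the blocklist (lower-case hex strings)."""
    wanted = {h.lower() for h in blocklist}
    return sorted(name for name, d in report.items()
                  if d["md5"] in wanted or d["sha256"] in wanted)

def demo():
    """Write three constructed stand-ins for the exported .jar/.exe/.swf objects and check them."""
    samples = {"sample.jar": b"PK\x03\x04constructed-jar",
               "sample.exe": b"MZconstructed-exe",
               "sample.swf": b"CWSconstructed-swf"}
    export_dir = tempfile.mkdtemp(prefix="export-objects-")
    for name, data in samples.items():
        with open(os.path.join(export_dir, name), "wb") as fh:
            fh.write(data)
    report = hash_directory(export_dir)
    # Constructed blocklist: treat the .jar's SHA-256 as a known-bad indicator
    blocklist = {report["sample.jar"]["sha256"]}
    return report, match_blocklist(report, blocklist)

if __name__ == "__main__":
    report, hits = demo()
    for name, d in report.items():
        print(name, d["md5"], d["sha256"])
    print("blocklisted:", hits)
```

The report dictionary is what you would paste into your notes instead of the files themselves; the lookup against a local indicator set keeps the content inside the organization, and the same digests can be submitted to a hash-lookup service by hand when that is appropriate.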
Info
Channel: Hack eXPlorer
Views: 84,870
Keywords: network security, wireshark tutorial 2019, wireshark, malware analysis, malware traffic analysis, malware traffic analysis tutorial, how to, cyber security training for beginners, cyber security day in the life, cyber security career, cyber security, network analysis, security analyst, security analysis, cyber security training, pcap analysis, windows malware analysis, certified ethical hacker, exploit, tips, information security, wireshark 3.0
Id: 3t1BNAavrlQ
Length: 16min 0sec (960 seconds)
Published: Sat Sep 14 2019