Networks and Security Lab. Network Forensics

Size: px

Start display at page:

Download "Networks and Security Lab. Network Forensics"

Marshall Kelley
10 years ago
Views:

1 Networks and Security Lab Network Forensics

2 Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite search engine Optional exercises: Virustotal (web service), Linux command line tools (uniq, file, hexdump, md5sum, xxd), tshark (Wireshark command line). Check Lab 2 slides for Wireshark basics.

Tools needed: Wireshark and your favorite search engine Optional exercises: Virustotal

3 PCAP Files (reminder) Network traffic data captured during the attacks. Relatively small and filtered, contains information relevant to the attacker and victim only. A PCAP from an actual personal computer will have much more variety in traffic. In some of the PCAPs, the attacker uses exploits and malware to break into the victim s system. If you choose to use your own PC instead of the virtual machine, the malware binaries in the files could trigger your anti-virus, but you are safe as long as you don t convert them into.exe files and run them on a Windows XP machine.

A PCAP from an actual personal computer will have much more variety in traffic.

4 Installing tshark Wireshark commandline extensions sudo apt-get install tshark (you will be prompted for password) Useful for some of the optional exercises.

5 Exercise 1: TCP port scan (f1.pcap) 1. Identify the IP addresses of the attacker and the target. 2. How many connection attempts have been made by the attacker? 3. How many of the ports are open? 4. Identify / guess the services running on the open ports. 5. (optional) Extract a complete list of ports tried by the attacker, and the ports that are open on the target host.

How many connection attempts have been made by the attacker? 3.

6 Exercise 2: Attack against the Windows Service (f2.pcap) Overview: The victim is compromised by an automated attacker (possibly a botnet) using the vulnerabilities of the operating system. 1. Which IP addresses are involved? 2. What is the duration of the packet capture? 3. Which application-layer protocols are detected by Wireshark? 4. How many TCP sessions are in the file?

the vulnerabilities of the operating system. 1. Which IP addresses are involved? 2.

7 Exercise 2 (continued) 5. Identify the attacker s IP address and location (use a free online tool such as ip2location.com). 6. Check the conversation content in TCP stream #3. Which application-level protocol is used?

8 Execise 2 (optional) 7. Identify the attacker s and the victim s native operating system and version (Hint: check packets #16 and #17) 8. Identify the script used by the attacker after compromising the system. (Hint: TCP stream #2) 9. A malware binary is downloaded by the host at TCP stream #4. Obtain a copy of the file (might trigger your anti-virus if not using VM). Get the md5 sum of the binary and identify it at virustotal.com.

#17) 8. Identify the script used by the attacker after compromising the system. (Hint: TCP stream #2) 9.

9 Exercise 3: Malicious PHP query (f3.pcap) 1. List the hosts (IP addresses) in the traffic. 2. Identify the packet that sends the initial malicious query. 3. Identify the attacker (malicious client) and the victim (web server). 4. (optional) Analyze the contents of the packet containing malicious query. What do you think is the effect of the query on the web server? How does the attacker follow-up on the initial malicious query?

Identify the attacker (malicious client) and the victim (web server). 4.

10 Exercise 4: Spear Phishing (f4.pcap) Overview: The victim is targeted by a spear-phishing attack containing a 0-day vulnerability for the victim s web browser. 1. What are the IP addresses of victim and attacker? 2. What is the address of the victim s original HTTP request (i.e. the malicious web server)? 3. The victim made a second request for another HTTP object. What is the file s name and type? 4. What is the name and version of the victim s browser? 5. What is the operating system of the victim? Hint: Look out for a broadcast address. 5. How long was the TCP session at port 4444? 6. The infected victim made repeated attempts to connect to the server via port When was the relative time of the first attempt, and how long did the attempts continue until the victim made a successful connection?

The victim made a second request for another HTTP object. What is the file s name and type? 4. What is the name and version of the victim s browser? 5. What is the operating system of the victim?

11 Exercise 4 (optional) 7. The server replied with a page containing obfuscated Javascript. An array with the length 1300 is created with the label COMMENT. What string does the array s "data" section contain? 8. Two files were sent to the client. Identify the types of the files. (Check packet #17, and the connection on port 4445) 9. Extract the content and md5 sums of both files and use Virustotal to analyze them (might trigger your anti-virus if not using VM). Hint: First two bytes in the TCP conversation denote the file length in little endian notation.

Two files were sent to the client. Identify the types of the files. (Check packet #17, and the connection on port 4445) 9.

Networks & Security Course. Web of Trust and Network Forensics

Networks & Security Course. Web of Trust and Network Forensics Networks & Security Course Web of Trust and Network Forensics Virtual Machine Virtual Machine Internet connection You need to connect the VM to the Internet for some of the Web of Trust exercises. Make