Command-Line Packet Analysis & Network Forensics
Presented By: Joe McCray
Threat hunting on the wire
About me
• Joe McCray
• Deep Technical IT Security Consultant & Trainer
• Spoken/Trained at:
• Black Hat, Def Con, Hacker Halted, and over 200 security conferences
• Founder of InfoSecAddicts.com
• joemccray@infosecaddicts.com
About the Threat Hunting courses
• Course 1: Threat Hunting Fundamentals
• Course 2: Threat hunting on the wire (hands-on)
• Course 3: Threat hunting on the endpoint (hands-on)
• Course 4: Threat hunting with static analysis (hands-on)
• Course 5: Threat hunting with dynamic analysis (hands-on)
• Course 6: Threat hunting with memory analysis (hands-on)
• Course 7: Threat hunting with SIEM/NSM solutions (hands-on)
• Course 8: Advanced threat hunting with machine learning and artificial intelligence (hands-on)
Threat Hunting on the wire
• Get Linux
• Setting up your virtual machine
• What is PCAP?
• PCAP Analysis with PRADS
• PCAP Analysis with ChaosReader
• PCAP Analysis with TShark
• PCAP Analysis with Suricata
• PCAP Analysis with Yara
This is a HANDS-ON class
• This course is designed for you to follow along
• The slides can be found at: https://www.slideshare.net/infosecaddicts
• The commands can be found at: https://pastebin.com/DfqiGN7u
Get Linux
• Get a virtualization platform
• VMWare/Vbox
• OSBoxes.org
• Great site to download FREE Linux virtual machines (VMware and Virtualbox)
• Download my virtual machine
• https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
• user: infosecaddicts
• pass: infosecaddicts
• Great website for Linux basics
• Linuxsurvival.com
Setting up your virtual machine
• Default install of Ubuntu 16.04
• Lots of dependencies to install (one long apt-get; run it with sudo)
sudo apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev \
  libjansson4 libjansson-dev libcap-ng-dev libmagic-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 \
  libnfnetlink-dev cmake make gcc g++ flex bison libssl-dev python-dev swig unzip sendmail sendmail-bin \
  prads tcpflow python-scapy whois python-yara tshark
Setting up your virtual machine
• Install Suricata from source (run as root). The ET Open tarball unpacks into a rules/ directory, so extracting it in /etc/suricata/ drops the signatures into /etc/suricata/rules/; the last line checks that the config and rules actually load.
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
tar -zxvf suricata-4.0.5.tar.gz
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
mkdir suri
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
mkdir -p /etc/suricata/rules
cd rules
cp *.rules /etc/suricata/rules/
cd /etc/suricata/
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar -zxvf emerging.rules.tar.gz
suricata -T -c /etc/suricata/suricata.yaml
VM Setup Demo
What Is PCAP?
• PCAP == Packet Capture
• A complete record of network activity as it crossed the wire, layers 2 – 7
• Most common file format is libpcap (Wireshark's newer default, pcapng, is a different container; tshark reads both)
• Open-source
• Available on *nix and Windows
• C library, with bindings in many languages
• Other proprietary formats are not covered here
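The libpcap container described in the bullets above, as an added example that is not part of the slides: a Python reader for the file's global header and per-record headers (handling both byte orders and the nanosecond-timestamp magic), a decoder for the Ethernet, IPv4 and TCP/UDP layers, and a first-cut conversation count. The capture it parses is constructed in memory with made-up addresses and zeroed checksums; the MAGIC table and the helper names are this example's own, not a library API.

```python
import socket
import struct
from collections import namedtuple

# Added example (not from the slides): a minimal reader for the libpcap file
# format plus a decoder for the Ethernet/IPv4/TCP|UDP headers, so the
# "layers 2-7 in one file" point is visible in code. The capture at the bottom
# is constructed in memory (made-up addresses, checksums left zero).

# Magic as read with "<I": it reveals the writer's byte order and whether the
# per-packet timestamp fraction is microseconds or nanoseconds.
MAGIC = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),
         0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}
LINKTYPE_ETHERNET = 1
Packet = namedtuple("Packet", "ts caplen origlen data")

def parse_pcap(blob):
    """Parse a libpcap blob into (global header dict, list of Packet)."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    raw_magic = struct.unpack("<I", blob[:4])[0]
    if raw_magic not in MAGIC:
        raise ValueError("not libpcap (magic 0x%08x); pcapng is a different format" % raw_magic)
    endian, ts_div = MAGIC[raw_magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "endian": endian}
    packets, off = [], 24
    while off < len(blob):                      # one 16-byte record header per packet
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        packets.append(Packet(ts_sec + ts_frac / ts_div, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return header, packets

def decode(frame):
    """Ethernet -> IPv4 -> TCP/UDP header fields a hunter pivots on (other ethertypes: L2 only)."""
    if len(frame) < 14:
        return {"error": "short frame"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"eth_dst": _mac(frame[:6]), "eth_src": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype != 0x0800 or len(frame) < 34:
        return info
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    info.update(ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]), ip_proto=proto)
    l4 = ip[ihl:total_len]
    if proto == 6 and len(l4) >= 20:            # TCP: payload starts at the data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(l4="tcp", sport=sport, dport=dport, tcp_flags=l4[13], payload=l4[(l4[12] >> 4) * 4:])
    elif proto == 17 and len(l4) >= 8:          # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(l4="udp", sport=sport, dport=dport, payload=l4[8:])
    return info

def _mac(b):
    return ":".join("%02x" % x for x in b)

def conversations(blob):
    """First cut on any capture: packet counts per (src, dst, l4, dport)."""
    header, packets = parse_pcap(blob)
    counts = {}
    for p in packets:
        d = decode(p.data)
        key = (d.get("ip_src"), d.get("ip_dst"), d.get("l4"), d.get("dport"))
        counts[key] = counts.get(key, 0) + 1
    return header, counts

def _frame(src_ip, dst_ip, proto, l4):
    eth = bytes.fromhex("525400123456080027aabbcc0800")   # dst MAC, src MAC, ethertype IPv4 (constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE_FRAMES = [
    _frame("10.0.3.15", "10.0.3.3", 17, _udp(53123, 53, b"\x12\x34\x01\x00")),   # truncated DNS query
    _frame("10.0.3.15", "192.168.1.1", 6, _tcp(1034, 80, 0x02)),                   # SYN
    _frame("10.0.3.15", "192.168.1.1", 6, _tcp(1034, 80, 0x18, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")),
]

def build_pcap(frames, endian="<", snaplen=65535):
    """Write frames as a libpcap blob in the requested byte order."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1500000000 + i, 250000, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    header, counts = conversations(build_pcap(SAMPLE_FRAMES))
    print(header)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(n, key)
```

On a real file, `parse_pcap(open(path, "rb").read())` is enough for captures that fit in memory. The magic check matters in practice: Wireshark saves pcapng by default, and a tool that only understands the libpcap layout will misread it rather than fail loudly unless it checks the first four bytes.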
Collect PCAP files (diagram): Internet packets reach the capture point through a tap or an inline device and are written to PCAP with Wireshark or tcpdump.
Find malicious PCAPs
• Malware Traffic Analysis
• https://www.malware-traffic-analysis.net/
• ThreatGlass
• http://www.threatglass.com/
• Evil Fingers
• https://www.evilfingers.com/repository/pcaps.php
PCAP Analysis with PRADS
• PRADS is a Passive Real-time Asset Detection System
PRADS employs digital fingerprints to recognize services on the wire, and can be used to map your network and monitor for changes in real time. Real-time passive traffic analysis will also let you detect assets that are just connected to the network for a short period of time, since PRADS can glean useful information from every packet.
PRADS aims to be the one-stop-shop for passive asset detection, and currently does MAC lookups, TCP and UDP OS fingerprinting as well as client and service application matching and a connection state table. Various output plugins include logfile and FIFO and make PRADS a useful replacement for p0f, pads and sancp.
PRADS was built from the ground up for a small footprint and modern networks with IPv6 and gigabits of throughput.
Source: http://manpages.ubuntu.com/manpages/trusty/man1/prads.1.html
PCAP Analysis with PRADS
• Run PRADS as a regular user (-l keeps the asset log in the working directory instead of the default /var/log/prads-asset.log, which a regular user cannot write)
mkdir -p ~/pcap_analysis/prads
cd ~/pcap_analysis/prads
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
prads -r suspicious-time.pcap -l prads-asset.log
less prads-asset.log
Prads Demo
PCAP Analysis with ChaosReader
• What if you have to parse multiple large PCAP files?
• Try chaosreader.pl (oldie but goodie)
• A free tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports
• Source: http://chaosreader.sourceforge.net/
• What can chaosreader do?
• I like being able to quickly go through really large, multiple, or even worse multiple large PCAP files.
• It also creates a down and dirty web page (really handy)
PCAP Analysis with ChaosReader
cd ~
mkdir -p pcap_analysis/chaos_reader/
cd ~/pcap_analysis/chaos_reader/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
perl chaosreader.pl suspicious-time.pcap
grep -v '"' index.text | grep -oE '([0-9]+\.){3}[0-9]+.*'
grep -v '"' index.text | grep -oE '([0-9]+\.){3}[0-9]+.*' | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
for i in session_00[0-9]*.http.html; do srcip=`grep 'http: ' "$i" | awk '{print $2}' | cut -d ':' -f1`; dstip=`grep 'http: ' "$i" | awk '{print $4}' | cut -d ':' -f1`; host=`grep 'Host: ' "$i" | sort -u | sed -e 's/Host: //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
python -m SimpleHTTPServer
****** Open a web browser and browse to the IP address of your Linux machine on port 8000 for the web page (SimpleHTTPServer is Python 2; with Python 3 use python3 -m http.server, and remember either one serves the whole directory to anyone who can reach the port) ******
ChaosReader Demo
PCAP Analysis with TShark
• Make a directory, download suspicious-time.pcap into it as in the earlier sections, and run the commands from that directory. Newer tshark builds (including the one on Ubuntu 16.04) reject -R unless -2 is also given; -Y is the single-pass display filter used below.
tshark -r suspicious-time.pcap -qz io,phs
tshark -r suspicious-time.pcap | grep 'NB.*20>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap | grep 'NB.*1e>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
tshark -r suspicious-time.pcap -qz ip_hosts,tree
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
PCAP Analysis with TShark
• Still in the same directory: whois the domains the HTTP requests point at, then list and narrow the requests
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2,"\t","http://"$3$4}'
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2,"\t","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
tshark -r suspicious-time.pcap -qz http_req,tree
tshark -r suspicious-time.pcap -Y 'data-text-lines contains "<script"' -T fields -e frame.number -e ip.src -e ip.dst
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2,"\t","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/?[^cse].*/?.../g'
TShark Demo
PCAP Analysis with Suricata
• Suricata is a free and open source, mature, fast and robust network threat detection engine.
• The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
• Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
• With standard input and output formats like YAML and JSON integrations with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other database become effortless.
• Suricata’s fast paced community driven development focuses on security, usability and efficiency.
• The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata’s development and sustained success as an open source project.
Source: https://suricata-ids.org/
PCAP Analysis with Suricata
• Run Suricata against the suspicious PCAP (if Suricata reports it cannot open /etc/suricata/suricata.yaml, run the suricata line with sudo; alerts land in suri/fast.log, one line per alert)
cd ~/pcap_analysis/
mkdir -p suri
[ -f suspicious-time.pcap ] || wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
less suri/fast.log
Suricata Demo
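Once fast.log exists, the next step is to turn it from a scroll in less into a triage list. The following is an added example, not part of the slides or of Suricata: a parser for fast.log's one-line-per-alert layout (timestamp, optional [Drop], gid:sid:rev, message, classification, priority, protocol, src:port -> dst:port) with a per-signature roll-up and a per-host count. The log lines it reads are constructed to look like fast.log output; the sids are in the local range and the messages are invented, not ET signatures, and nothing here comes from suspicious-time.pcap.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the slides): turn Suricata's fast.log, the file the
# slide pipes into less, into a triage summary. The log lines below are
# constructed to match fast.log's layout; the sids are local-range and the
# messages are made up, not ET signatures.
SAMPLE_FAST_LOG = """\
05/28/2018-10:11:12.123456  [**] [1:1000001:1] LOCAL HTTP request to watched domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.3.15:1034 -> 192.168.1.1:80
05/28/2018-10:11:12.654321  [**] [1:1000001:1] LOCAL HTTP request to watched domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.3.15:1035 -> 192.168.1.1:80
05/28/2018-10:11:13.000001  [**] [1:1000002:3] LOCAL DNS query for watched domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.3.15:53123 -> 10.0.3.3:53
05/28/2018-10:11:14.000002  [**] [Drop] [1:1000003:1] LOCAL executable download over HTTP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.1:80 -> 10.0.3.15:1035
05/28/2018-10:11:15.000003  [**] [1:1000004:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.3.15:0 -> 10.0.3.3:0
this line is not a fast.log record and must be reported, not silently dropped
"""

# One alert per line; [Drop]/[wDrop] appears only for IPS actions. src/dst use
# \S+ so IPv6 literals (which contain colons) still split at the last ":port".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"(?:\[(?P<action>w?Drop)\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)

def parse_fast_log(text):
    """Parse fast.log text into (list of alert dicts, list of lines that did not parse)."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)          # never drop silently: a format change hides alerts
            continue
        a = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[k] = int(a[k])
        a["dropped"] = a["action"] is not None
        alerts.append(a)
    return alerts, unparsed

def by_signature(alerts, max_priority=2):
    """One row per sid, keeping the distinct (src, dst, dport) pairs behind it.
    Priority 1 is the most severe in Suricata, so lower numbers are kept."""
    rows = {}
    for a in alerts:
        if a["prio"] > max_priority:
            continue
        row = rows.setdefault(a["sid"], {"msg": a["msg"], "prio": a["prio"], "count": 0, "pairs": set()})
        row["count"] += 1
        row["pairs"].add((a["src"], a["dst"], a["dport"]))
    return rows

def noisy_hosts(alerts):
    """Per source host: (alert count, number of distinct destinations)."""
    count, peers = Counter(), defaultdict(set)
    for a in alerts:
        count[a["src"]] += 1
        peers[a["src"]].add(a["dst"])
    return {h: (n, len(peers[h])) for h, n in count.items()}

if __name__ == "__main__":
    alerts, unparsed = parse_fast_log(SAMPLE_FAST_LOG)
    rows = by_signature(alerts)
    for sid, row in sorted(rows.items(), key=lambda kv: (kv[1]["prio"], -kv[1]["count"])):
        print("prio %d  sid %d  x%d  %s" % (row["prio"], sid, row["count"], row["msg"]))
        for src, dst, dport in sorted(row["pairs"]):
            print("    %s -> %s:%d" % (src, dst, dport))
    print("hosts:", noisy_hosts(alerts))
    print("unparsed lines:", len(unparsed))
```

The roll-up keeps priorities 1 and 2 by default and returns, rather than discards, any line that does not match, which is the check you want when a rule set or a Suricata upgrade changes the log format under you. For a real run, `parse_fast_log(open("suri/fast.log").read())` replaces the constructed text.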
PCAP Analysis with Yara
• YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
• With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Source: https://virustotal.github.io/yara/
Isn’t Yara for file analysis?
• Yes, that’s right: Yara scans files, not packets
• Let me introduce you to YaraPCAP
• Reads a PCAP File and Extracts Http Streams.
• gzip deflates any compressed streams
• Scans every file with yara
• writes a report.txt
• optionally saves matching files to a Dir
Source: https://github.com/kevthehermit/YaraPcap
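The four steps YaraPcap lists above (extract HTTP streams, gzip-deflate, scan, report), as an added example written for this page rather than taken from YaraPcap: it splits a reassembled server-to-client byte stream into responses, undoes Transfer-Encoding: chunked and Content-Encoding: gzip, and scans each decoded body. The matcher is a tiny stand-in for yara (a rule fires when all of its byte strings occur, the equivalent of yara's `all of them`) so that the block runs without yara-python; with yara-python installed you would hand scan_stream a matcher built on yara.compile(...).match. The stream, the two rules and the page contents are constructed; the iframe target reuses a domain the slides already whois, with no claim about what that site served.

```python
import gzip
import zlib

# Added example (not YaraPcap's code): extract HTTP responses from a
# reassembled stream, undo chunked + gzip encodings, then scan each body.
# simple_match stands in for yara: a "rule" is a list of byte strings that
# must all occur in the data (yara's `all of them`). Rules, stream and page
# contents below are constructed.
RULES = {
    "js_eval_unescape": [b"eval(", b"unescape("],
    "hidden_iframe": [b"<iframe", b"visibility:hidden"],
}

def simple_match(data, rules=RULES):
    """Names of the rules whose strings all occur in data (sorted, for stable reports)."""
    return sorted(name for name, strings in rules.items() if all(s in data for s in strings))

def parse_responses(stream):
    """Split a server->client stream into (status line, headers, body); bodies come
    back decoded: de-chunked and gunzipped where the headers say so."""
    responses, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            try:
                body, pos = _dechunk(stream, pos)
            except ValueError:                     # truncated capture: take what is there
                body, pos = stream[pos:], len(stream)
        else:
            length = int(headers.get("content-length", "0") or 0)
            body, pos = stream[pos:pos + length], pos + length
        if headers.get("content-encoding", "").lower() == "gzip":
            try:
                body = gzip.decompress(body)
            except (OSError, EOFError, zlib.error):  # bad gzip: keep the raw bytes, still scan them
                pass
        responses.append((lines[0], headers, body))
    return responses

def _dechunk(stream, pos):
    """Decode a chunked body starting at pos; returns (body, offset after the terminator)."""
    out = bytearray()
    while True:
        nl = stream.index(b"\r\n", pos)
        size = int(stream[pos:nl].split(b";")[0], 16)       # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            while not stream.startswith(b"\r\n", pos):     # skip optional trailer lines
                pos = stream.index(b"\r\n", pos) + 2
            return bytes(out), pos + 2
        if pos + size + 2 > len(stream):
            raise ValueError("chunk runs past end of stream")
        out += stream[pos:pos + size]
        pos += size + 2                                     # CRLF after the chunk data

def scan_stream(stream, matcher=simple_match):
    """Scan every decoded body; returns (index, status line, content-type, rule names) per hit."""
    hits = []
    for i, (status, headers, body) in enumerate(parse_responses(stream)):
        names = matcher(body)
        if names:
            hits.append((i, status, headers.get("content-type", ""), names))
    return hits

def _response(status, headers, body):
    head = "\r\n".join([status] + ["%s: %s" % h for h in headers]) + "\r\n\r\n"
    return head.encode("latin-1") + body

def _chunked(body, size=16):
    chunks = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"

BENIGN = b"<html><body><h1>Welcome</h1><img src=/image/logo.gif></body></html>"
EVIL = (b"<html><body><script>eval(unescape('%66%75%6e'));</script>"
        b"<iframe src='http://sploitme.com.cn/' style='visibility:hidden'></iframe></body></html>")
SAMPLE_STREAM = (
    _response("HTTP/1.1 200 OK", [("Content-Type", "text/html"), ("Content-Length", str(len(BENIGN)))], BENIGN)
    + _response("HTTP/1.1 200 OK", [("Content-Type", "text/html"), ("Content-Encoding", "gzip"),
                                      ("Transfer-Encoding", "chunked")], _chunked(gzip.compress(EVIL)))
)

if __name__ == "__main__":
    print("rules hit on the raw stream:", simple_match(SAMPLE_STREAM))   # nothing: gzip hides the strings
    for index, status, ctype, names in scan_stream(SAMPLE_STREAM):
        print("response %d %s (%s): %s" % (index, status, ctype, ", ".join(names)))
```

Scanning the raw stream finds nothing because the strings only exist inside the compressed body; that is the whole reason YaraPcap deflates before it scans. A truncated capture is handled by scanning whatever bytes survived rather than aborting, since a half-captured download is still worth a look.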
PCAP Analysis with Yara
• Run Yara against the suspicious PCAP (start in ~/pcap_analysis/, which is where ../suspicious-time.pcap resolves from the YaraPcap checkout)
cd ~/pcap_analysis/
git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
cat index.yar
clear
./index_gen.sh
cd ..
python yaraPcap.py rules-master/index.yar ../suspicious-time.pcap -s matching_files/
cd matching_files/
cat report.txt
Questions
My Contact Info
Joe McCray
Email: joemccray@infosecaddicts.com
Toll Free: 1-844-458-1008
Twitter: @j0emccray
Twitter: @InfoSecAddicts
FaceBook: https://www.facebook.com/InfoSecAddicts/
WebSite: https://infosecaddicts.com

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 

Threat hunting on the wire

Setting up your virtual machine
• Default install of Ubuntu 16.04
• Lots of dependencies to install (run as root)
sudo apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev unzip sendmail sendmail-bin prads tcpflow python-scapy whois python-yara tshark

Setting up your virtual machine
• Install Suricata from source (run as root)
wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
tar -zxvf suricata-4.0.5.tar.gz
cd suricata-4.0.5
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
make install-conf
mkdir suri
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
cd rules
cp *.rules /etc/suricata/rules/
cd /etc/suricata/
wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar -zxvf emerging.rules.tar.gz
• make install-conf writes suricata.yaml to /etc/suricata, and the ET Open tarball unpacks its .rules files into /etc/suricata/rules/, the default-rule-path that suricata.yaml expects
• Suricata 4.0.x is end-of-life; the same configure flags work on current releases, but the ET Open download path is versioned, so match it to the Suricata version you build
What Is PCAP?
• PCAP == Packet Capture
• Complete record of network activity
• Layers 2 – 7
• Most common format is libpcap
• Open-source
• Available on *nix and Windows
• C library, bindings in many languages
• Other, proprietary formats are not covered
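"Most common format is libpcap" is worth seeing at byte level: a 24-byte global header (magic, version, snaplen, link type) followed by records that each carry a 16-byte header (timestamp, captured length, original length) and the packet bytes. The following is an added example, not code from the slides: it builds a tiny capture inline (two constructed Ethernet headers, not suspicious-time.pcap) and then reads it back with nothing but od and shell arithmetic. It handles little-endian classic pcap only and deliberately refuses big-endian and pcapng files rather than misreading them.

```shell
#!/bin/sh
# Added example, not from the slides: read a libpcap file's global header and
# walk its packet records with od and shell arithmetic only. The capture is
# constructed inline (two Ethernet headers); it is not suspicious-time.pcap.

# Write a minimal little-endian libpcap file: 24-byte global header, then two
# records of a 16-byte record header plus a 14-byte Ethernet header each.
make_sample_pcap() {
    {
        # magic 0xa1b2c3d4 as stored little-endian (d4 c3 b2 a1), version 2.4,
        # thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (LINKTYPE_ETHERNET)
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        # record 1: ts_sec=1 ts_usec=0 incl_len=14 orig_len=14; broadcast ARP frame
        printf '\001\000\000\000\000\000\000\000\016\000\000\000\016\000\000\000'
        printf '\377\377\377\377\377\377\000\021\042\063\104\125\010\006'
        # record 2: ts_sec=2, same lengths, EtherType 0x0800 (IPv4)
        printf '\002\000\000\000\000\000\000\000\016\000\000\000\016\000\000\000'
        printf '\377\377\377\377\377\377\000\021\042\063\104\125\010\000'
    } > "$1"
}

# Print the little-endian unsigned integer held in NBYTES bytes at OFFSET of FILE.
# od is read byte by byte so the host's own endianness never matters.
le_uint() {
    _lf=$1 _lo=$2 _ln=$3
    set -- $(od -An -tx1 -v -j "$_lo" -N "$_ln" "$_lf")
    _lv=0 _ls=0
    for _lb; do
        _lv=$(( _lv | (0x$_lb << _ls) ))
        _ls=$(( _ls + 8 ))
    done
    echo "$_lv"
}

# Summarise a capture: byte order, format version, snaplen, link type and the
# number of packet records, walked from incl_len so a truncated tail is noticed.
pcap_info() {
    _file=$1
    _magic=$(od -An -tx1 -N 4 "$_file" | tr -d ' \n')
    case $_magic in
        d4c3b2a1|4d3cb2a1) ;;   # little-endian; the 0xa1b23c4d variant has nanosecond timestamps
        a1b2c3d4|a1b23c4d) echo "big-endian pcap: not handled by this example" >&2; return 1 ;;
        0a0d0d0a) echo "pcapng, not classic libpcap" >&2; return 1 ;;
        *) echo "not a libpcap file (magic: ${_magic:-empty})" >&2; return 1 ;;
    esac
    _major=$(le_uint "$_file" 4 2)
    _minor=$(le_uint "$_file" 6 2)
    _snaplen=$(le_uint "$_file" 16 4)
    _linktype=$(le_uint "$_file" 20 4)
    _size=$(wc -c < "$_file" | tr -d ' ')
    _off=24 _count=0
    while [ "$_off" -lt "$_size" ]; do
        if [ $(( _off + 16 )) -gt "$_size" ]; then
            echo "truncated record header at offset $_off" >&2
            break
        fi
        _incl=$(le_uint "$_file" $(( _off + 8 )) 4)   # bytes 8-11 of the record header
        _off=$(( _off + 16 + _incl ))
        _count=$(( _count + 1 ))
    done
    [ "$_off" -gt "$_size" ] && echo "last record truncated" >&2
    echo "little-endian v$_major.$_minor snaplen=$_snaplen linktype=$_linktype packets=$_count"
}

_sample=$(mktemp)
make_sample_pcap "$_sample"
pcap_info "$_sample"   # little-endian v2.4 snaplen=65535 linktype=1 packets=2
rm -f "$_sample"
```

Point pcap_info at a real file (pcap_info suspicious-time.pcap) to confirm it is classic libpcap before handing it to the tools on the following slides; a pcapng file or a capture with a link type other than 1 is a common reason a pipeline built for Ethernet silently produces nothing.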
Collect PCAP files
(diagram: packets from the Internet captured with Wireshark or tcpdump, fed from a tap or an inline device)

Find malicious PCAPs
• Malware Traffic Analysis
• https://www.malware-traffic-analysis.net/
• ThreatGlass
• http://www.threatglass.com/
• Evil Fingers
• https://www.evilfingers.com/repository/pcaps.php
PCAP Analysis with PRADS
• PRADS is a Passive Real-time Asset Detection System
PRADS employs digital fingerprints to recognize services on the wire, and can be used to map your network and monitor for changes in real time. Real-time passive traffic analysis will also let you detect assets that are just connected to the network for a short period of time, since PRADS can glean useful information from every packet. PRADS aims to be the one-stop-shop for passive asset detection, and currently does MAC lookups, TCP and UDP OS fingerprinting as well as client and service application matching and a connection state table. Various output plugins include logfile and FIFO and make PRADS a useful replacement for p0f, pads and sancp. PRADS was built from the ground up for a small footprint and modern networks with IPv6 and gigabits of throughput.
Source: http://manpages.ubuntu.com/manpages/trusty/man1/prads.1.html

PCAP Analysis with PRADS
• Run PRADS as a regular user
mkdir -p ~/pcap_analysis/prads
cd ~/pcap_analysis/prads
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
prads -r suspicious-time.pcap
cat prads-asset.log | less
• If the asset log does not appear in the current directory, tell PRADS where to write it with -l prads-asset.log
PCAP Analysis with ChaosReader
• What if you have to parse multiple large PCAP files?
• Try chaosreader.pl (oldie but goodie)
• A free tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. An HTML index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports
• Source: http://chaosreader.sourceforge.net/
• What can chaosreader do?
• I like being able to quickly go through really large PCAP files, multiple PCAP files, or, worse, multiple large PCAP files.
• It also creates a quick and dirty web page (really handy)

PCAP Analysis with ChaosReader
mkdir -p ~/pcap_analysis/chaos_reader/
cd ~/pcap_analysis/chaos_reader/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
perl chaosreader.pl suspicious-time.pcap
• List the sessions recorded in index.text, then count them by the endpoint and protocol columns
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*"
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
• Pull source, destination and Host header out of every HTTP session page
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http: ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http: ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host: ' | sort -u | sed -e 's/Host: //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
• Serve the report directory and browse to the IP address of your Linux machine on port 8000 (on Python 3 use python3 -m http.server instead)
python -m SimpleHTTPServer
PCAP Analysis with TShark
• Make a directory, download the file, then profile the capture from the command line
mkdir -p ~/pcap_analysis/tshark
cd ~/pcap_analysis/tshark
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
• Protocol hierarchy (-q suppresses per-packet output, -z runs a statistics module)
tshark -r suspicious-time.pcap -qz io,phs
• NetBIOS names: the <20> suffix is the file server service, <1e> the browser election service
tshark -r suspicious-time.pcap | grep 'NB.*20>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap | grep 'NB.*1e>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
• Who is asking for whom over ARP
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
• Inventory: MAC addresses, browser announcements, IP hosts
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
tshark -r suspicious-time.pcap -qz ip_hosts,tree
• Who is browsing with which user agent, and which names are being resolved
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
• -R is the two-pass read filter and current TShark refuses it unless -2 is also given; -Y is the single-pass display filter these commands need

PCAP Analysis with TShark
• Look up the domains the capture talks to, then walk the HTTP requests
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn
• Every HTTP request as src -> dst and the URL requested
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
• The same with images, stylesheets, favicons, Google and honeynet.org traffic filtered out
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
• Request tree, and any response text carrying a <script> tag
tshark -r suspicious-time.pcap -qz http_req,tree
tshark -r suspicious-time.pcap -Y 'data-text-lines contains "<script"' -T fields -e frame.number -e ip.src -e ip.dst
• One victim's requests (10.0.3.15), with long query strings trimmed
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/?[^cse].*/?.../g'
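The -T fields output above is tab separated by default, which makes it easy to feed into small reusable filters instead of retyping one-off pipelines. The following is an added example, not code from the slides: two awk filters that read the five-column output of tshark -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.user_agent and surface two classic hunting signals, requests whose Host header is a bare IP literal, and clients that present more than one user agent. The sample rows are constructed for the example (made-up hosts, addresses and user agents, not values from suspicious-time.pcap).

```shell
#!/bin/sh
# Added example, not from the slides: triage the tab-separated output of
#   tshark -r suspicious-time.pcap -Y http.request -T fields \
#          -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.user_agent
# The rows below are constructed for the example; the hosts, IPs and user agents
# are made up and are not values from suspicious-time.pcap.
http_sample() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        10.0.3.15 192.168.1.20 intranet.example.lan /index.html 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' \
        10.0.3.15 203.0.113.7 203.0.113.7 '/cgi/update.php?id=7' 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' \
        10.0.3.15 203.0.113.7 203.0.113.7 /download.exe 'Java/1.6.0_17' \
        10.0.3.16 192.168.1.20 intranet.example.lan /logo.png 'Mozilla/5.0 (Windows NT 6.1) Firefox/3.6'
}

# Requests whose Host header is a bare IPv4 literal, printed as "client -> URL".
# A browser that was redirected from a compromised page to an exploit server
# frequently shows up exactly like this: no DNS name, just an address.
ip_literal_hosts() {
    awk -F'\t' '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 " -> http://" $3 $4 }' | sort -u
}

# Number of distinct user agents per client. A workstation that speaks as a
# browser and a moment later as a Java runtime deserves a look: that is what a
# plugin-driven download chain looks like on the wire.
user_agents_per_client() {
    awk -F'\t' '!seen[$1 "\t" $5]++ { n[$1]++ } END { for (c in n) print c, n[c] }' | sort
}

http_sample | ip_literal_hosts
# 10.0.3.15 -> http://203.0.113.7/cgi/update.php?id=7
# 10.0.3.15 -> http://203.0.113.7/download.exe
http_sample | user_agents_per_client
# 10.0.3.15 2
# 10.0.3.16 1
```

Against a real capture the only change is the producer: tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.user_agent | user_agents_per_client. Keep the field order fixed, because the awk filters address columns by position.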
PCAP Analysis with Suricata
• Suricata is a free and open source, mature, fast and robust network threat detection engine.
• The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
• Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
• With standard input and output formats like YAML and JSON, integrations with tools like existing SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other databases become effortless.
• Suricata's fast paced community driven development focuses on security, usability and efficiency.
• The Suricata project and code is owned and supported by the Open Information Security Foundation (OISF), a non-profit foundation committed to ensuring Suricata's development and sustained success as an open source project.
Source: https://suricata-ids.org/

PCAP Analysis with Suricata
• Run Suricata against the suspicious PCAP
mkdir -p ~/pcap_analysis/suri
cd ~/pcap_analysis/
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
cat suri/fast.log | less
• -l sets the log directory: fast.log holds one line per alert, eve.json holds the same alerts plus protocol records (HTTP, DNS, TLS, files) as JSON for anything that needs to be scripted or shipped to a SIEM
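Reading fast.log top to bottom is fine for a small capture, but the first thing to learn from it is which rules fired most and which hosts sit behind the high-priority alerts. The following is an added example, not code from the slides: two filters for the fast.log line format (timestamp, [**] [gid:sid:rev] rule name [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port). The alert lines are constructed for the example, with SIDs from the 1000000+ range reserved for local rules and made-up rule names; they are not ET rules and not Suricata's output for suspicious-time.pcap.

```shell
#!/bin/sh
# Added example, not from the slides: first-pass triage of suri/fast.log.
# The alert lines below are constructed for the example, using SIDs from the
# local-rules range (1000000+) and made-up rule names; they are not ET rules
# and not output from suspicious-time.pcap.
fastlog_sample() {
cat <<'EOF'
05/22/2019-14:03:27.123456  [**] [1:1000001:1] LOCAL Test policy violation [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.3.15:1032 -> 203.0.113.7:80
05/22/2019-14:03:28.001122  [**] [1:1000001:1] LOCAL Test policy violation [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.3.15:1033 -> 203.0.113.7:80
05/22/2019-14:03:28.445566  [**] [1:1000002:1] LOCAL Test exploit kit landing page [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.7:80 -> 10.0.3.15:1033
05/22/2019-14:03:30.778899  [**] [1:1000003:1] LOCAL Test DNS query to suspicious domain [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.3.16:52311 -> 10.0.2.3:53
05/22/2019-14:03:31.101010  [**] [1:1000001:1] LOCAL Test policy violation [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.3.16:1040 -> 203.0.113.7:80
05/22/2019-14:03:31.202020  [**] [1:1000002:1] LOCAL Test exploit kit landing page [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.7:80 -> 10.0.3.16:1040
EOF
}

# Alert count per rule name, busiest first. The rule name sits between the
# "[gid:sid:rev] " bracket and the second "[**]"; sed pulls it out, then
# sort | uniq -c does the counting and the leading blanks are trimmed.
alerts_by_signature() {
    sed -n 's/^.*\[[0-9]*:[0-9]*:[0-9]*\] \(.*\) \[\*\*\] \[Classification:.*$/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Unique "src -> dst" pairs behind Priority 1 alerts (IPv4 only): the hosts
# to pivot to on the endpoint side first. Ports are dropped so that repeated
# hits on one victim collapse into a single line.
priority_one_flows() {
    sed -n 's/^.*\[Priority: 1\] {[A-Z]*} \([0-9.]*\):[0-9]* -> \([0-9.]*\):[0-9]*$/\1 -> \2/p' | sort -u
}

fastlog_sample | alerts_by_signature
# 3 LOCAL Test policy violation
# 2 LOCAL Test exploit kit landing page
# 1 LOCAL Test DNS query to suspicious domain
fastlog_sample | priority_one_flows
# 203.0.113.7 -> 10.0.3.15
# 203.0.113.7 -> 10.0.3.16
```

On the real run, alerts_by_signature < suri/fast.log and priority_one_flows < suri/fast.log give the same two views; the second one tells you which internal addresses to carry into the ChaosReader and TShark output above, since a Priority 1 hit on a response from a web server usually means the client on the other end of that flow fetched something it should not have.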
PCAP Analysis with Yara
• YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
• With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Source: https://virustotal.github.io/yara/

Isn't Yara for file analysis?
• Yes, that's right: Yara is for file analysis
• Let me introduce you to YaraPCAP
• Reads a PCAP file and extracts HTTP streams
• gzip-deflates any compressed streams
• Scans every file with yara
• Writes a report.txt
• Optionally saves matching files to a directory
Source: https://github.com/kevthehermit/YaraPcap

PCAP Analysis with Yara
• Run Yara against the suspicious PCAP
• Start from the directory that already holds suspicious-time.pcap (for example ~/pcap_analysis/), since the script is pointed at ../suspicious-time.pcap
git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
cat index.yar
./index_gen.sh
cd ..
python yaraPcap.py rules-master/index.yar ../suspicious-time.pcap -s matching_files/
cd matching_files/
cat report.txt
• index.yar is only a list of include statements; index_gen.sh regenerates it from the rule files present, which is why it runs before yaraPcap.py is pointed at it

My Contact Info
Joe McCray
Email: joemccray@infosecaddicts.com
Toll Free: 1-844-458-1008
Twitter: @j0emccray
Twitter: @InfoSecAddicts
FaceBook: https://www.facebook.com/InfoSecAddicts/
WebSite: https://infosecaddicts.com