Wireshark

Wireshark is one of the most popular packet capture analysis tools available to incident response analysts. In addition to the ability to capture packets, there are a great many other features that are available. As entire volumes and training courses are built around this platform, it is impossible to identify every feature. Therefore, this chapter will focus on some of the key features of Wireshark that are most applicable to an incident investigation.

Arguably, Wireshark is the packet analyzer of choice for IT and security professionals. Due to the ubiquity of the application, there are a wide variety of resources available for additional training on Wireshark and its capability. The Wireshark site at https://www.wireshark.org/ contains a great deal of information. Furthermore, the site at https://www.chappell-university.com/ contains exercises and training packet captures to hone skills around analysis.

Because Wireshark is a feature-rich tool, there are some settings that lend themselves more to network traffic analysis that are outside incident response activities. As a result, there are some changes to be made to better assist the incident response analyst with performing packet capture analysis in relation to an incident investigation:

  • Time: The time setting in Wireshark allows several options. These include the time of the packet since 1/1/1970 or since the start of the packet capture. One of these options, which can be useful in an incident investigation, is the date and time that the individual packets have been captured. This allows analysts to correlate the date and time of other suspicious or malicious activity with the date and time of specific traffic within the packet capture. To enable this, navigate to View and then to Time Display Format. From there, choose one of the time options such as Date and Time of Day or Time of Day. Another option to consider is utilizing the UTC time options as well. This is very useful if the internal network utilizes UTC rather than local time. Also, the time can be set all the way to nanoseconds.
  • Name resolution: The name resolution setting allows analysts to toggle between seeing the IP address of source and destination hosts and hostname resolution. This is useful if an analyst is examining a packet capture and wants to determine if there are any suspicious hostnames found. For example, if the packet capture is opened, the following shows the IP addresses:

To determine the hostnames, navigate to View and then Name Resolution. Click on Resolve Network Addresses. Wireshark will then resolve the IP addresses to hostnames:

  • Colorize packet list: This feature allows analysts to toggle between a blank background of the packet list or to allow Wireshark to color-code the packets:

For the purposes of this chapter, an exploration of Wireshark will be done utilizing a packet capture found on Malware Traffic Analysis at https://www.malware-traffic-analysis.net/2019/03/13/index.html. This packet capture is provided along with a scenario involving a user that downloads a crypto locker malware strain contained within a Word document. For the purposes of this chapter, several key elements of the packet capture will be identified. Prior to examining the packet capture, Wireshark was configured so that the date and time are visible, as well as the hostnames identified.

The following are some of the features in Wireshark that provide key pieces of information from the packet capture:

  • Display filters: One of the most important features is the ability to filter packet captures on a wide range of services and ports. Filters can also be utilized on the source and destination IP addresses. For example, an incident response analyst would like to filter traffic on the source IP address of 10.3.13.101. By right-clicking on the IP address in the packet capture window and navigating to Apply as Filter and then Selected, the analyst can select the IP address as a filter. This filter then appears in the filter bar with the syntax ip.src==10.3.13.101:

  • Host identification: Another key aspect of the analysis of packet captures is to identify the localhost, if applicable. Considering that this packet capture is from a single host, identifying the hostname, IP address, and MAC address is straightforward. By double-clicking on the individual packet, a great deal of information is found:

  • Physical connection identification: In this packet, the analyst can identify the source of the traffic from the Ethernet II and Internet Protocol Version 4 (IPV4) lines. In this case, the source of the traffic is the Hewlett Packard device located at 10.3.13.101 and the destination located at 103.119.144.250. By examining the Ethernet II line, an analyst would be able to identify the physical connections for both systems. Finally, an analysis of the preceding data reveals that although this is an HTTP packet, it is over a non-standard HTTP port, as the destination port is 8082. While this may be benign, it could also be something that should be followed up.
  • Protocol identification: In this case, there was a good deal of HTTP connections, due to the activity of the user. As a result, the primary transmission of the malware was quite possibly through an HTTP connection. Wireshark has a number of filters that allow analysts to limit the packet capture results with specific parameters. In the top green dialog box, enter http. Pay attention while entering in the filter, as there will be several different filters available. Once the filter is typed in, click the right-facing arrow located at the far right of the dialog box. Wireshark will now limit the view of packets to those that are utilizing the HTTP protocol:

  • Hostname identification: Parsing through the packet capture source and destination hostnames, one hostname appears to be suspicious. This host, rozhan-hse.com, may be a suspect URL. Another feature of Wireshark is the ability to follow the TCP or HTTP stream of communication between the source and destination hosts. Right-click on the hostname rozhan-hse.com and the following appears:

A second window will appear; click on HTTP Stream and a third window appears. This window contains the HTTP packets in a format that can be read. The incident response analyst can review this output to determine what types of files may have been sent or received:

  • Packet stream examination: An examination of the Follow TCP Stream output indicates that an HTTP GET command is reaching out to the deo7t-dcaum4-fykaarrdt file. An analyst may want to extract this file for analysis. Click on File and then Export Objects, and then HTTP, and a window will appear listing all of the files associated with the HTTP connections. The list can be sorted on any of the fields at the top of the window. In this case, select the hostname and scroll down until the suspected URL is located:

From here, the analyst can click on the file and save it onto the local system for later analysis. Chapter 12, Malware Analysis for Incident Response, will take select files and evaluate them for malicious code.

Wireshark is a powerful tool for conducting detailed analysis of packet captures. The ability to drill down to individual packets and dissect them allows analysts to gain a very detailed sense of what is contained within the traffic running to and from external hosts, as well as to and from internal hosts. This visibility can afford the analyst possible insight into how an infected host communicates with an external host, or even identify other hosts that may have become compromised.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset