Wireshark

Wireshark is one of the most popular packet capture analysis tools available to incident response analysts. In addition to capturing packets, it offers a great many analysis features. As entire volumes and training courses are built around this platform, it is impossible to cover every feature here. This chapter therefore focuses on the key features of Wireshark that are most applicable to an incident investigation.

There are a number of free resources about Wireshark and its capabilities. The Wireshark site, wireshark.org, contains a great deal of information, and wiresharkuniversity.com provides exercises and training packet captures for honing analysis skills.

Because Wireshark is a feature-rich tool, some of its default settings suit general network traffic analysis better than incident response. A few changes make it better suited to packet capture analysis in relation to an incident investigation:

  • Time: The time column can be displayed in several formats, including seconds since the epoch (1/1/1970 00:00:00 UTC) and seconds since the start of the capture. The option most useful in an incident investigation is the date and time at which each packet was captured, as it allows analysts to correlate specific traffic with the date and time of other suspicious or malicious activity. To enable this, navigate to View and then to Time Display Format, and choose an option such as Date and Time of Day or Time of Day. The UTC variants of these options are also worth considering; they avoid time zone ambiguity when correlating with logs from systems that record in UTC. The displayed precision can be set as fine as nanoseconds, although the actual resolution depends on how the capture was taken. Bear in mind that the timestamps come from the capturing system's clock, so its accuracy and time zone should be verified before any correlation is done.
  • Name resolution: This setting toggles between showing the IP addresses of source and destination hosts and resolving them to hostnames, which is useful when scanning a packet capture for suspicious hostnames. With resolution off, the packet list shows only IP addresses.
  • To display hostnames, navigate to View, then Name Resolution, and click Resolve Network Addresses. Wireshark will then resolve the IP addresses to hostnames. By default, addresses that cannot be resolved from DNS responses already present in the capture are looked up through the analysis workstation's external resolver (controlled by the Use an external network name resolver option in the Name Resolution preferences). Those queries can reach an adversary who monitors lookups for their domains, so disable external resolution or perform the analysis on an isolated host.
  • Colorize packet list: This feature toggles between a plain packet list and Wireshark's color-coding of packets by protocol and condition, which makes anomalies such as TCP errors stand out at a glance.

For the purposes of this chapter, Wireshark will be explored using the packet capture from http://www.malware-traffic-analysis.net/2017/01/28/index.html. This packet capture is provided with a scenario in which a user downloads a crypto-locker malware strain while conducting an online search. Several key elements of the packet capture will be identified. Prior to examining it, Wireshark was configured so that the date and time are visible and hostnames are resolved.

The following are some of the features in Wireshark that provide key pieces of information from the packet capture:

  • Display filters: One of the most important features is the ability to filter a packet capture on a wide range of protocols and ports, as well as on source and destination IP addresses. For example, to filter on the source IP address 172.16.4.193, right-click that address in the packet details pane and navigate to Apply as Filter and then Selected. The resulting filter expression, ip.src == 172.16.4.193, appears in the filter bar, where it can be edited by hand, for instance to ip.addr == 172.16.4.193 to show both directions of the host's traffic.
  • Host identification: Another key aspect of packet capture analysis is identifying the local host, where applicable. Since this packet capture is from a single host, identifying its hostname, IP address, and MAC address is straightforward. The first packet in the capture is a DHCP packet sent from a Cisco device to the compromised machine. Double-clicking the packet opens it in a separate window, where a great deal of information is found:
  • In this packet, the analyst can identify the source of the traffic from the Ethernet II line, which carries the MAC addresses, and the Internet Protocol Version 4 (IPv4) line, which carries the IP addresses. In this case, the source is the Cisco device at 172.16.4.1 and the destination is 172.16.4.193. In the packet bytes pane, which shows the hexadecimal and ASCII representation of the frame, the analyst can read the name of the compromised machine: in this case, Stewie-PC. Wireshark also dissects the DHCP fields and options in the packet details pane, so the name can usually be read there without resorting to the raw bytes.
  • In this case, there were a good deal of HTTP connections due to the user's activity, so the malware was quite possibly delivered over an HTTP connection. Wireshark's display filters allow analysts to limit the packet list to specific parameters. In the filter bar at the top of the window (which turns green when the expression is valid and red when it is not), enter http. Pay attention while typing, as Wireshark will suggest several related filters. Once the filter is entered, click the right-facing arrow at the far right of the filter bar. Wireshark will now limit the view to packets using the HTTP protocol. Note that this matches only traffic Wireshark dissects as HTTP: HTTPS appears under the tls filter (ssl in older versions) with its content encrypted, and HTTP on a non-standard port must be mapped with Analyze and then Decode As before the filter will catch it:
  • Parsing through the source and destination hostnames, one stands out. The host p27dokhpz2n7nvgr.1jw21x.top does not look like a hostname an analyst would expect to find in a packet capture: a long label of mixed letters and digits under an obscure top-level domain is characteristic of algorithmically generated domains. Another feature of Wireshark is the ability to follow the TCP or HTTP stream of communication between the source and destination hosts. Right-click on a packet containing the hostname p27dokhpz2n7nvgr.1jw21x.top and a context menu appears; navigate to Follow:

Click HTTP Stream and a second window opens. It shows the reassembled HTTP requests and responses of that conversation in readable form. The incident response analyst can review this output to determine what types of files may have been sent or received, for example from the request URIs and from the Content-Type and Content-Length headers of the responses.

  • In addition to examining the communication stream, Wireshark allows analysts to export specific objects from the packet capture. Click File, then Export Objects, then HTTP, and a window appears listing every object transferred over HTTP in the capture, with its packet number, hostname, content type, size, and filename. The list can be sorted on any of the column headers. In this case, sort by Hostname and scroll down until the suspect hostname is located:

Analysts can then parse through the results for any items of evidentiary value. For example, the last entry, packet 6002, is a PNG file titled bitcoin.png. Highlight the line and click Save to write the file to disk for review. Objects exported from a malware capture should be treated as potentially malicious: save them to an isolated analysis system, record their hashes, and do not open them with the analysis workstation's native applications.
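The steps above can also be scripted, which matters when the same triage has to be repeated across many captures or many hosts. The following is an added example, not code from this book or from the Wireshark project: a standard-library Python script that parses a pcap, ties the victim's IP address to its MAC address and to the host name it announced in a DHCP Host Name option (option 12), applies the equivalent of the http and ip.src == 172.16.4.193 display filters, reports request times in UTC, and flags hostnames that look algorithmically generated. The capture it analyzes is constructed inline for the demonstration; the MAC addresses, the 198.51.100.5 and 203.0.113.10 server addresses, the port numbers, the placement of the host name in a client DHCP Request, and the 12-character heuristic are all assumptions and are not taken from the malware-traffic-analysis capture.

```python
"""Scripted form of this page's Wireshark workflow using only the standard library: parse a
pcap, tie the victim IP to its MAC and DHCP host name, apply an ip.src-style filter, list HTTP
requests with absolute UTC times, and flag odd-looking hostnames."""
import datetime
import re
import struct

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")

def parse_pcap(data):
    """Return [(timestamp, frame_bytes), ...] from a classic little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return records

def decode_frame(frame):
    """Decode Ethernet II / IPv4 / TCP-or-UDP headers into a dict; None for other frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
    info = {"src_mac": mac(frame[6:12]), "dst_mac": mac(frame[0:6]), "proto": ip[9],
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": None, "dport": None, "payload": l4}
    if ip[9] in (6, 17) and len(l4) >= (20 if ip[9] == 6 else 8):
        info["sport"], info["dport"] = struct.unpack_from("!HH", l4, 0)
        info["payload"] = l4[(l4[12] >> 4) * 4 if ip[9] == 6 else 8:]   # TCP data offset / UDP 8
    return info

def dhcp_hostname(payload):
    """Return DHCP option 12 (Host Name) from a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != b"\x63\x82\x53\x63":   # DHCP magic cookie
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:             # 255 ends the option list
        code, length = payload[i], (0 if payload[i] == 0 else payload[i + 1])
        if code == 12:
            return payload[i + 2:i + 2 + length].decode("ascii", "replace")
        i += 1 if code == 0 else 2 + length                         # 0 is a one-byte pad
    return None

def identify_host(records, victim_ip):
    """Tie the victim IP to its MAC and to the host name it announced over DHCP."""
    frames = [f for _ts, fr in records if (f := decode_frame(fr))]
    mac = next((f["src_mac"] for f in frames if f["src_ip"] == victim_ip), None)
    names = [dhcp_hostname(f["payload"]) for f in frames
             if f["proto"] == 17 and f["dport"] == 67 and f["src_mac"] == mac]
    return {"ip": victim_ip, "mac": mac, "hostname": next((n for n in names if n), None)}

def http_requests(records, src_ip=None):
    """Like the display filter 'http.request && ip.src == X': (utc_time, src, host, uri)."""
    out = []
    for ts, fr in records:
        f = decode_frame(fr)
        m = f and f["proto"] == 6 and (not src_ip or f["src_ip"] == src_ip) and HTTP_REQ.match(f["payload"])
        if not m:
            continue
        host = re.search(rb"\r\nHost: ([^\r\n]+)", f["payload"])
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append((when, f["src_ip"], host.group(1).decode() if host else "", m.group(2).decode()))
    return out

def looks_suspicious(hostname):
    """Crude DGA-style check (assumed heuristic): any label of 12+ chars mixing letters and digits."""
    return any(len(l) >= 12 and any(c.isdigit() for c in l) and any(c.isalpha() for c in l)
               for l in hostname.lower().split("."))

def build_sample_pcap():
    """CONSTRUCTED capture for this demo (not the malware-traffic-analysis pcap): a DHCP
    Request naming the client, two GETs from it, and one GET from an unrelated host."""
    client, gw, other = (bytes.fromhex(h) for h in ("0800276f1a2b", "001a2b3c4d5e", "0800279a8b7c"))
    eth = lambda src, dst, pkt: dst + src + b"\x08\x00" + pkt
    ip = lambda s, d, proto, body: struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, 0x4000, 64,
                                               proto, 0, bytes(map(int, s.split("."))),
                                               bytes(map(int, d.split(".")))) + body
    tcp = lambda sp, body: struct.pack("!HHIIBBHHH", sp, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + body
    get = lambda host, uri: f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n".encode()
    http = lambda smac, s, d, sp, host, uri: eth(smac, gw, ip(s, d, 6, tcp(sp, get(host, uri))))
    dhcp = (struct.pack("!BBBBIHH16s16s64s128s", 1, 1, 6, 0, 0xDEADBEEF, 0, 0, b"", client, b"", b"")
            + b"\x63\x82\x53\x63" + b"\x35\x01\x03" + b"\x0c\x09Stewie-PC" + b"\xff")   # Request + host name
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    frames = [  # (epoch seconds, frame); 1485619200 is 2017-01-28 16:00:00 UTC
        (1485619200.0, eth(client, b"\xff" * 6, ip("0.0.0.0", "255.255.255.255", 17, udp))),
        (1485619201.25, http(client, "172.16.4.193", "198.51.100.5", 49152, "www.example.com", "/")),
        (1485619205.5, http(client, "172.16.4.193", "203.0.113.10", 49153, "p27dokhpz2n7nvgr.1jw21x.top", "/bitcoin.png")),
        (1485619206.0, http(other, "172.16.4.200", "198.51.100.5", 49154, "www.example.com", "/index.html")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for ts, fr in frames:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(fr), len(fr)) + fr
    return out
```

To run it against a real capture, pass the file's bytes (open(path, "rb").read()) to parse_pcap instead of build_sample_pcap(); then identify_host(records, "172.16.4.193") and http_requests(records, src_ip="172.16.4.193") reproduce the host identification and the filtered HTTP view. parse_pcap deliberately rejects pcapng and big-endian or nanosecond-resolution pcaps; convert those first with editcap -F pcap. The same filters are available from the command line with tshark, for example tshark -r capture.pcap -t ad -Y 'http.request && ip.src == 172.16.4.193' -T fields -e frame.time -e http.host -e http.request.uri, and tshark -r capture.pcap --export-objects http,outdir is the command-line form of File, Export Objects, HTTP.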

Wireshark is a powerful tool for conducting detailed analysis of packet captures. The ability to drill down to individual packets and dissect them allows analysts to gain a very detailed sense of what is contained within the traffic running to and from external hosts, as well as between internal hosts. This visibility can give the analyst insight into how an infected host communicates with an external host, or even identify other hosts that may have been compromised.
