adric.net

Finding Evil with Wireshark: text dump of slides, with some Markdown for readability

Pcaps and PDF slides: http://dfirfiles.atlbbs.com/myslides/h3/

menu:

Evil ?

Packet Captures

pcaps: quick answers

Basic packet analysis should find:

pcaps: characterization

IDPS: a source of packets for analysis

Wireshark: about

Packet analysis tips: safety and accuracy

  1. Get offline!
    • Isolate your analysis environment for safety and cleaner results
    • Disable lookups in your tools
    • tcpdump -nn
    • Wireshark: uncheck in View / Name Resolution
  2. Keep your analysis tools updated!
    • Analysis tools are a juicy target for attackers.
    • File and protocol parsers are a constant source of vulnerabilities
  3. No captures on production networks or other people's networks!
    • Check with your boss / client / spouse / lawyer before capturing traffic.
  4. Double-check those timezones again.
    • Most computer systems record time in UTC no matter where they are.

Snorby: a few Suricata events

Snorby: id check returned root : testmy-handout.pcap

testmy-handout.pcap: questions

Let's find:

Wireshark tricks: Statistics Summary

In Wireshark menu:

testmy-handout.pcap: answers

Snorby: Wordpress login: ptmag-login.pcap

ptmag-login.pcap: questions

Let's find:

Wireshark tricks: filters

Wireshark tricks: display filters

research: reproduce it and pcap it, search pcaps ...

```
## check my tcpdump settings with a live capture (-nn: no name lookups, per the tips above)
sudo tcpdump -nn -i en0 -v 'host 79.125.109.24'
## verified, capture session to a file
sudo tcpdump -i en0 -w ptmag.pcap 'host 79.125.109.24'
## Offstage: log in to the suspect site again in the browser, then
## read back the capture file and dump text (stdout and stderr) to another file
tcpdump -nn -r ptmag.pcap -X > outfile.txt 2>&1
## Look for suspicious strings in the output, grep -c counts
grep -c Password outfile.txt ; grep Password outfile.txt
grep -c adricnet outfile.txt ; grep adricnet outfile.txt
```
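
An added example, not from the original slides: the same string search run directly over the bytes of a classic pcap file. `tcpdump -X` prints 16 bytes per row, so a string that straddles two rows is not matched by `grep` on the dump; searching the raw record avoids that, and the hit is reported with its packet number and a UTC timestamp. The sample capture, its payload and the function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Classic pcap magic as stored on disk -> struct byte order
# (microsecond and nanosecond timestamp variants, both endiannesses).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def find_in_pcap(data, needle):
    """Return (packet number, UTC time, byte offset) for each packet containing needle."""
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    hits, pos, number = [], 24, 0          # records start after the 24-byte global header
    while pos + 16 <= len(data):
        sec, _frac, caplen, _origlen = struct.unpack(order + "IIII", data[pos:pos + 16])
        packet = data[pos + 16:pos + 16 + caplen]
        if len(packet) < caplen:
            break                          # capture file cut off mid-record
        number += 1                        # 1-based, like Wireshark frame numbers
        offset = packet.find(needle)
        if offset != -1:
            when = datetime.fromtimestamp(sec, tz=timezone.utc).isoformat()
            hits.append((number, when, offset))
        pos += 16 + caplen
    return hits

def build_sample_pcap():
    """Constructed sample capture: two records of raw bytes, not real traffic."""
    login = b"POST /login HTTP/1.1\r\n\r\nuser=exampleuser&Password=hunter2"
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 147 (user-defined)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
    for sec, pkt in ((1357000000, b"\x00" * 60), (1357000001, login)):
        out += struct.pack("<IIII", sec, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    for number, when, offset in find_in_pcap(build_sample_pcap(), b"Password"):
        print(f"packet {number} at {when}: match at byte {offset}")
```

In the sample, the match starts at byte 41 and ends at byte 48, so it crosses a 16-byte row boundary and would be split in a `-X` dump.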

Much easier in Wireshark: Find Packet

ptmag-login.pcap: answers

pcaps from ATTACK research ;)

msfie0daywinxpsp3.pcap

msfie0daywinxpsp3.pcap: questions

Let's find:

Wireshark tricks: Conversations

Wireshark tricks: Follow Stream

Wireshark tricks: Evil found!

Do you want to know more?

Next Steps?

Resources

dir(self)