Wireshark investigation: Wireshark Strikes Back
In this investigation I am acting as a Security Engineer for a mock company called X-CORP, supporting the SOC infrastructure. The investigation is split into three mini investigations: Time Thieves, Vulnerable Windows Machine and Illegal Downloads. I encourage you to investigate yourself by following along and filling out this document as you progress through the investigation:
The SOC analysts at X-CORP have noticed some discrepancies with alerting in the Kibana system and the manager has asked the Security Engineering team to investigate.
Yesterday, your team confirmed that newly created alerts are working. Today, you will monitor live traffic on the wire to detect any abnormalities that aren’t reflected in the alerting system.
You are to report back all your findings to both the SOC manager and the Engineering Manager with appropriate analysis.
If you wish to follow along you will need to use a Kali VM to analyze live traffic on the wire.
In order to get started, you will need to:
- Start up your Kali VM.
- Download the PCAP file directly from this link.
- Alternatively you can use curl to download the file with this alternate URL: http://tinyurl.com/yaajh8o8.
Curl download example:
curl -L -o pcap.pcap http://tinyurl.com/yaajh8o8
- Launch Wireshark, go to File > Open and navigate to your downloaded PCAP file.
Note: You will be dealing with live malware in this investigation. Please make sure all work is done in your VM.
Time Thieves:
At least two users on the network have been wasting time on YouTube. Usually, IT wouldn’t pay much mind to this behavior, but it seems these people have created their own web server on the corporate network. So far, Security knows the following about these time thieves:
- They have set up an Active Directory network.
- They are constantly watching videos on YouTube.
- Their IP addresses are somewhere in the range 10.6.12.0/24.
In this section our goal is to inspect the captured traffic to answer the following questions:
- What is the domain name of the users’ custom site?
- What is the IP address of the Domain Controller (DC) of the AD network?
- What is the name of the file downloaded to the 10.6.12.203 machine? Once you have found the file, export it to your Kali machine’s desktop.
- Upload the file to VirusTotal.com to see whether it is malware and, if so, how it is classified.
For the first question, let's filter for the 10.6.12.0/24 range:
Looking at the packet list pane in Wireshark, we can see the DNS requests. Selecting one and expanding the packet details pane, we can see that the domain name of the users' custom site is frank-n-ted.com.
Next, to find the IP address of the Domain Controller (DC) of the AD network, we look in the details pane for the IP address associated with the Domain Controller: 10.6.12.12 (Frank-n-Ted-DC.frank-n-ted.com).
Next, to identify the downloaded malware, let's filter for GET requests so we can find the file downloaded to the 10.6.12.203 machine:
ip.addr==10.6.12.203 and http.request.method==GET
Let's export the file for further analysis: File > Export Objects > HTTP > june11.dll
Let's upload the file to VirusTotal and see what comes up!
Our file turns out to be a Trojan. That's pretty bad, as the user of the 10.6.12.203 machine is most likely infected with the trojan horse malware.
Vulnerable Windows Machines:
Additionally, the Security team received reports of an infected Windows host on the network. They currently know the following:
- Machines in the network live in the range 172.16.4.0/24.
- The domain mind-hammer.net is associated with the infected computer.
- The DC for this network lives at 172.16.4.4 and is named Mind-Hammer-DC.
- The network has standard gateway and broadcast addresses.
In this section we are going to answer the following questions:
1. Find the following information about the infected Windows machine:
   - Host name: ROTTERDAM-PC
   - IP address: 172.16.4.205
   - MAC address: 00:59:07:b0:63:a4
2. What is the username of the Windows user whose computer is infected?
3. What are the IP addresses used in the actual infection traffic?
4. As a bonus, retrieve the desktop background of the Windows host.
For the first question, let's filter for Kerberos traffic to find a sign-on against the mind-hammer.net domain, which will give us the host name, IP address and MAC address we need to complete the question. We can extract this information because Kerberos carries the principal names in cleartext; only the tickets, authenticators and other sensitive parts of the exchange are encrypted.
For the hostname of the infected Windows machine we need to look at the CNameString field, which carries the name of the account being authenticated (for a machine account, that is the hostname), so let's filter for it.
Filter: ip.src==172.16.4.4 and kerberos.CNameString
Click on packet number 3209, move to the details pane and expand Kerberos > tgs-rep > cname:
Let's add CNameString as a column for future reference:
Finding the IP address of the infected machine is simple: it's the destination IP address of the packet, 172.16.4.205.
Now let's find the MAC address. Under Ethernet II we see it clear as day:
For question 2 we use the same Kerberos filter as before, but since we saved CNameString as a column we don't have to retype it. Our answer for question 2 is matthijs.devries.
Now let's move on to the question of which IP addresses are used in the actual infection traffic. Go to the Statistics menu in Wireshark:
Statistics > Conversations > IPv4 (tab) > Packets (high to low)
Based on the Conversations statistics, sorted by the highest packet count between IPs, the pair 172.16.4.205 and 184.108.40.206 stands out as suspicious; let's investigate a bit more.
Let's filter for 172.16.4.205 and 220.127.116.11 and see what pops up.
Filter: ip.addr==172.16.4.205 and ip.addr==18.104.22.168
In the result of our filter we can see a frequent stream of POST requests for empty.gif being sent out without any originating GET request, which is pretty suspicious!
If you follow the HTTP stream of one of these POST requests, you see that it references 22.214.171.124 (b569023.green.mattingsolutions.co), which is flagged as Malicious and Malware by some security vendors.
All these red flags strongly point to 172.16.4.205 and 126.96.36.199 as the infected traffic.
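The two checks above (ranking conversations by packet count, then spotting POSTs with no originating GET) can be scripted over exported request fields. This is an added example, not part of the original write-up: it runs over constructed lines in the shape of tab-separated tshark field output; the client 172.16.4.205 is the page's infected host, while the server addresses and hostnames are placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample lines in the shape of tab-separated `tshark -T fields`
# output (-e ip.src -e ip.dst -e http.request.method -e http.host
# -e http.request.uri). The client 172.16.4.205 is the page's infected host;
# the servers and hostnames are placeholders, not values from the capture.
SAMPLE_HTTP = """\
172.16.4.205\t203.0.113.10\tPOST\tbeacon.example\t/empty.gif
172.16.4.205\t203.0.113.10\tPOST\tbeacon.example\t/empty.gif
172.16.4.205\t203.0.113.10\tPOST\tbeacon.example\t/empty.gif
172.16.4.205\t198.51.100.7\tGET\twww.example.com\t/index.html
172.16.4.205\t198.51.100.7\tPOST\twww.example.com\t/index.html
172.16.4.99\t198.51.100.7\tGET\twww.example.com\t/
"""

FIELDS = ("src", "dst", "method", "host", "uri")


def parse_requests(text):
    """Turn the tab-separated field output into one dict per request."""
    return [dict(zip(FIELDS, line.split("\t")))
            for line in text.splitlines() if line.strip()]


def top_conversations(rows, n=3):
    """Rank (client, server) pairs by request count, mirroring
    Statistics > Conversations sorted by packets, high to low."""
    return Counter((r["src"], r["dst"]) for r in rows).most_common(n)


def posts_without_get(rows):
    """Count POSTs to a (host, uri) that the same client never requested with GET.
    A browser normally GETs a page before POSTing to it; a bare, repeated POST
    such as the empty.gif pattern on the page is a beaconing indicator."""
    fetched = defaultdict(set)
    for r in rows:
        if r["method"] == "GET":
            fetched[r["src"]].add((r["host"], r["uri"]))
    flagged = Counter()
    for r in rows:
        if r["method"] == "POST" and (r["host"], r["uri"]) not in fetched[r["src"]]:
            flagged[(r["src"], r["dst"], r["host"] + r["uri"])] += 1
    return flagged


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_HTTP)
    print("Top conversations:", top_conversations(reqs))
    for key, count in posts_without_get(reqs).items():
        print(f"{count} POST(s) without a prior GET: {key}")
```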
Illegal Downloads:
IT was informed that some users are torrenting on the network. The Security team does not forbid the use of torrents for legitimate purposes, such as downloading operating systems. However, they have a strict policy against copyright infringement.
IT shared the following about the torrent activity:
- The machines using torrents live in the range 10.0.0.0/24 and are clients of an AD domain.
- The DC of this domain lives at 10.0.0.2 and is named DogOfTheYear-DC.
- The DC is associated with the domain dogoftheyear.net.
Our task is to isolate the torrent traffic and answer the following questions:
1. Find the following information about the machine with IP address 10.0.0.201:
   - MAC address: 00:16:17:18:66:c8
   - Windows username: elmer.blanco
   - Host Name: BLANCO-DESKTOP
2. Which torrent file did the user download?
To answer the first question, let's filter for CNameString with the 10.0.0.201 IP address provided to us.
Filter: ip.src==10.0.0.201 and kerberos.CNameString
In one swoop we obtained the MAC address, Windows username and host name, so we have our answers for question one.
For question 2 we can use a somewhat more complex Wireshark filter:
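The Kerberos CNameString lookup used here and in the Vulnerable Windows Machine section (MAC, hostname and username from one filter) can be automated over exported fields. This is an added example, not part of the original write-up; it runs over constructed lines in the shape of tab-separated tshark field output for the client's own Kerberos requests to the DC, reproducing the page's ROTTERDAM-PC findings, with a second placeholder client.

```python
from collections import defaultdict

# Constructed sample lines in the shape of tab-separated `tshark -T fields`
# output (-e ip.src -e ip.dst -e eth.src -e kerberos.CNameString) for the
# client's Kerberos requests to the DC. Client values reproduce the page's
# findings for ROTTERDAM-PC; the second client is a placeholder.
SAMPLE_KRB = """\
172.16.4.205\t172.16.4.4\t00:59:07:b0:63:a4\tROTTERDAM-PC$
172.16.4.205\t172.16.4.4\t00:59:07:b0:63:a4\tmatthijs.devries
172.16.4.205\t172.16.4.4\t00:59:07:b0:63:a4\tmatthijs.devries
172.16.4.77\t172.16.4.4\t00:11:22:33:44:55\tOTHER-PC$
"""


def profile_hosts(text, dc_ip):
    """Build {client_ip: {"mac", "hostnames", "users"}} from Kerberos requests.

    CNameString is the client principal: a machine account ends in "$" and
    gives the hostname, anything else is a user account. Because these rows
    are the client's own requests, eth.src is the client's MAC (the page
    filters on replies from the DC, where the client MAC is eth.dst)."""
    profiles = defaultdict(lambda: {"mac": None, "hostnames": set(), "users": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, eth_src, cname = line.split("\t")
        if dst != dc_ip:  # only traffic to the domain controller
            continue
        entry = profiles[src]
        entry["mac"] = eth_src
        if cname.endswith("$"):
            entry["hostnames"].add(cname[:-1])
        else:
            entry["users"].add(cname)
    return dict(profiles)


def lookup(text, dc_ip, client_ip):
    """Answer the page's 'find MAC, hostname and username' question for one host."""
    return profile_hosts(text, dc_ip).get(client_ip)


if __name__ == "__main__":
    for ip, info in profile_hosts(SAMPLE_KRB, "172.16.4.4").items():
        print(ip, info["mac"], sorted(info["hostnames"]), sorted(info["users"]))
```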
Filter: ip.addr==10.0.0.201 and http.request.method==GET and http.request.uri contains ".torrent"
This filter selects the IP address 188.8.131.52 and the GET requests associated with it whose request URI contains the text ".torrent".
We are presented with a file called Betty_Boop_Rythm_on_the_Reservation.avi.torrent, the illegal download.