Advanced Wireshark Network Forensics - Part 2/3

In this scenario, we are told there is a system on the network infested with malware. For some reason the anti-virus on the computer did not detect it, and the malware has managed to lock up the system. We do not have access to the hard drive, but we do have a full network packet capture of the incident. We already know the IP of the infected host, which gives us a good starting point.

Scenario pcaps:
Comments
Author

Below is the typed-up file from the video (slightly modified):

`Network Forensics (Wireshark)`
1. Create a new text file to document findings. Copy and paste the table below.
1.1. Where did the user contract the malware from?
1.2. Can we obtain a copy of the malware file?
1.3. What kind of calls to the internet does it make?
1.4. Does it try to self-propagate through the internal network?
1.5. Possible network traffic signatures.

2. Open the PCAP with Wireshark and add two new columns to assist investigation.
2.1. Right-click any column > Preferences: (Title=Stream ID, Fields=tcp.stream), (Title=Host, Fields=http.host)

3. Further details are not covered here, but below is example output from following the steps above.

1.1. Where did the user contract the malware from?
Victim IP = 12.183.1.55

No User-Agent

1.2. Can we obtain a copy of the malware file?
We have it!
MD5: dump2
SHA256: dump2

1.3. What kind of calls to the internet does it make?
Seemingly random DNS queries.
Rapid connection attempts to resolved DNS names.
Eventually connects to a web page on port 80 to one of the servers.

1.4. Does it try to self-propagate through the internal network?
No connection attempts to RFC 1918 or other 12.x addresses (see the Wireshark display filter below).

```
ip.src == 12.183.1.55 &&
(ip.addr == 192.168.0.0/16 ||
 ip.addr == 172.16.0.0/12 ||
 ip.addr == 10.0.0.0/8 ||
 ip.dst == 12.0.0.0/8)
```

1.5. Possible network traffic signatures.
We have the DNS names.
High volume of DNS queries followed by high volume of port 80 connection attempts.
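
As an added example (not from the video or its author), the checks from 1.4 and 1.5 above written as plain Python over constructed flow records, so the logic behind the display filter and the DNS-then-HTTP signature can be tested outside Wireshark. The record layout, the 10-second window and the thresholds of five events are assumptions, and the flows, including one SMB attempt to an RFC 1918 host, are constructed to show what a hit looks like.

```python
import ipaddress
from collections import Counter

VICTIM = "12.183.1.55"  # infected host, from the findings above
# Same address space as the 1.4 display filter: RFC 1918 plus the victim's own 12.0.0.0/8
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "12.0.0.0/8")]

# Constructed flow records (NOT from the scenario pcap):
# (time_s, src, dst, proto, dst_port, dns_query_or_None)
FLOWS = (
    [(0.2 * i, VICTIM, "8.8.8.8", "udp", 53, f"x{i}k{i}q.example") for i in range(6)]
    + [(3.0 + 0.3 * i, VICTIM, f"203.0.113.{10 + i}", "tcp", 80, None) for i in range(6)]
    + [(30.0, VICTIM, "198.51.100.7", "tcp", 443, None),  # ordinary HTTPS, benign
       (40.0, VICTIM, "10.0.0.5", "tcp", 445, None)]      # SMB to an RFC 1918 host
)

def lateral_movement_attempts(flows, victim=VICTIM, nets=INTERNAL_NETS):
    """Equivalent of the 1.4 filter: victim-sourced flows to internal or 12.x destinations."""
    hits = []
    for t, src, dst, proto, dport, _ in flows:
        if src != victim:
            continue
        if any(ipaddress.ip_address(dst) in net for net in nets):
            hits.append((t, dst, proto, dport))
    return hits

def dns_then_http_burst(flows, victim=VICTIM, window_s=10.0, min_dns=5, min_http=5):
    """Signature from 1.5: a burst of DNS queries followed by a burst of TCP/80 attempts.

    Traffic is bucketed into fixed windows; a window is flagged when it holds at least
    min_dns queries and the same or next window holds at least min_http TCP/80 attempts.
    Returns the start times (seconds) of flagged windows."""
    dns, http = Counter(), Counter()
    for t, src, dst, proto, dport, _ in flows:
        if src != victim:
            continue
        bucket = int(t // window_s)
        if proto == "udp" and dport == 53:
            dns[bucket] += 1
        elif proto == "tcp" and dport == 80:
            http[bucket] += 1
    return sorted(b * window_s for b in dns
                  if dns[b] >= min_dns and http[b] + http[b + 1] >= min_http)

if __name__ == "__main__":
    print("internal attempts:", lateral_movement_attempts(FLOWS))
    print("DNS->HTTP bursts at t =", dns_then_http_burst(FLOWS))
```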

OthmanAlikhan

Clear, smooth explanation, valuable knowledge and practical skills. All in 10 min, thanks man

ameennaser

Your videos are a blessing. Thank you so much for these wonderful explanations and uploads. Truly appreciate your efforts !

tipsytomes

This is excellent material. I hope you’ll create more content like this or even consider developing a course. It’s very well explained.

Aleksandra

These videos are amazing! I have been using Wireshark for 15 years and learned more in the past 30 minutes than the previous 10 yrs.

Navin.R.Johnson

Stumbled across this video. Amazing way of explaining! Hope you can upload new stuff more frequently.

hashimjarral

I agree with all other comments - great quality Wireshark material. I would not mind seeing more of it. Thank you

marcinmikolajczyk

Nicely explained.
Thanks, very helpful

bhootabir

Great video and incredibly well explained!

comraede

Thanks for part 2, it was very insightful =)

OthmanAlikhan

well explained and great tut, thanks for sharing this knowledge :))

abdelrahmanalaa

How can I find out the IP address of the victim machine if it's unknown?

sargunwalia