Hacker hunting with Wireshark (even if SSL encrypted!)

The packets don't lie. You can hide processes or logs, but you cannot hide packets. Malware is a major problem in today's networks. Chris Greer is the Wireshark master. He shows us how to use Wireshark to find Malware and suspicious traffic in our networks.

// PCAP download //

// Websites mentioned //

//CHRIS GREER //

// David SOCIAL //

// MY STUFF //

// SPONSORS //

// MENU //
00:00 - Intro
04:24 - Sharkfest / DEFCON
05:55 - What is Threat Hunting?
07:33 - Why threat hunt with Wireshark?
10:05 - What are IOCs
10:30 - Why should we care?
12:23 - Packets/PCAPs
18:48 - 'Low hanging fruit'
21:10 - TCP Stream
27:29 - Stream
35:00 - How to know what to look for?
37:49 - JA3 Client Fingerprint
48:08 - Brim
52:20 - TSHARK
58:50 - Large Data Example
01:04:00 - Chris' Course
01:06:20 - Outro

malware
hacking
hacker
wireshark
udp
http
https
quic
tcp
firewall
firewall quic
quic firewall
threat hunting
hack
hackers
blue team
red team
tshark
chris greer
ssl
nmap
ja3
ja3 ssl
ssl fingerprint
nmap tutorial
defcon
sharkfest
packet analysis
wireshark training
wireshark tutorial
free wireshark training
wireshark tips
wireshark for beginners
wireshark analysis
packet capture
wireshark tutorial kali linux
wireshark course
introduction to wireshark

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

#malware #hacking #wireshark
Comments
Author

The packets don't lie. You can hide processes or logs, but you cannot hide packets. Malware is a major problem in today's networks. Chris Greer is the Wireshark master. He shows us how to use Wireshark to find Malware and suspicious traffic in our networks.

// MENU //
00:26 - Intro
04:24 - Sharkfest / DEFCON
05:55 - What is Threat Hunting?
07:33 - Why threat hunt with Wireshark?
10:05 - What are IOCs
10:30 - Why should we care?
12:23 - Packets/PCAPs
18:48 - 'Low hanging fruit'
21:10 - TCP Stream
27:29 - Stream
35:00 - How to know what to look for?
37:49 - JA3 Client Fingerprint
41:25 - ja3er.com
48:08 - Brim
52:20 - TSHARK
58:50 - Large Data Example
01:04:00 - Chris' Course
01:06:20 - Outro

// PCAP download //

// Websites mentioned //

//CHRIS GREER //

// David SOCIAL //

// MY STUFF //

// SPONSORS //

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

davidbombal
Author

Wireshark is a great threat hunting tool! Had fun digging with David into the packets with this one.

ChrisGreer
Author

I love how professional they both are in the way they talk, and how they kind of complement each other with their personalities.

francorreaccna
Author

David, you have managed to bring so many talented experts to your channel, including your experience accumulated over the years... Thank you for your contribution

robtot
Author

I know Chris mentioned it a few times, but I think it's worth emphasizing that one of the most powerful skills in all Wireshark analysis is just scanning through a capture file looking for things that seem even a little bit unusual. Pretty much all the other smart Wireshark people, such as Kary Rogers, Jasper Bongertz, Hansang Bae, and Laura Chappell, preach this as well. This is one of the main reasons for just looking at a lot of capture files as Chris also suggests (even just normal traffic), since it gives you the experience to more quickly recognize more things that may be out of the ordinary. Yet another excellent video, David & Chris. Well done!!!

Also one little note: "sort -u" does the same thing as "sort | uniq"

djdawso
Author

Thank you David. I find that whether you are the one sharing or a guest, I always leave each video much more knowledgeable and wanting to know more.

Ebi_J
Author

Good stuff. This guy Chris Greer is awesome. Thanks, both of you.

shadowcipher
Author

Wow, this fascinates me. I have always thought that looking at what your machine or network is sending out is the key to finding out whether you are compromised or not. I am an old newbie at this. David, your channel ROCKS!

Stuloud
Author

The more I read and learn about Blue Hatting and Purple Hatting, the more I feel like that is where I want to go. Red Team is super cool, but all the blue team threat hunting stuff is intensely interesting and cool. I know that learning how to Pen Test is a vital part of really building a great defense. I am really excited to keep diving into Cyber Security. I'm going through a Software Development Degree in College, and I am seriously considering adding a Cyber Security minor. Thank you, gentlemen, for the excellent discussion and lesson.

billzade
Author

David and his friend are giving us another level of knowledge again.

verolyn
Author

For some reason Wireshark was never one of the best tools I would have liked to use in the future, but now my perspective on this tool has been far broadened 😅. Thanks David, and also much thanks to Chris.

onikira
Author

I think it is absolutely necessary to understand packets in order to prevent new forms of malware, and not just with WireShark, NetScat or similar tools. Having a great knowledge about networks with these kinds of tools should be great for counterattack and hunting, so I demand a full master course from this brilliant gentleman so I can put my own blue cap on :)

the_graytest
Author

I am old enough to recall the days when, even at MIT, the password was usually "Password" or just hit enter. How far we have come since those days. This is by far the best anti-hacking video I have seen so far. Thanks David.

rustybolts
Author

I like this cut much better than some of your earlier videos. Very frequently these interviews seem to ramble and get a little repetitive and unstructured.

I really enjoyed how the cut improved that in this video. Whoever the editor is, give them a big thumbs up.

tjmarx
Author

Fantastic video, David. Thanks to Chris also. God, I learnt so much from this video. I'm frequently doing scans on my home network to see what I class as normal traffic, etc. Just a fantastic video.

cryptombt
Author

Thanks, David & Chris, this was a great episode. I really enjoy it when you have Chris on.

joerockhead
Author

Thanks Chris and David for putting this together; really amazing to brush up the packet analysis skills.

criptovida
Author

WOW! I have been in IT for over 25 years. This guy just got me interested in another facet of IT. Just splendid! Thanks!

OLDMANDOM.Dominic
Author

The extent to which we can analyse the packets and go deep inside is making me ready to take the course. Thanks for all your efforts.

pivotindia
Author

One of my favorite videos, David. This guy's good.

factoidsandquotations