Module 13 - Hands-on Malicious Traffic Analysis with Wireshark
Hands-on Malicious Traffic Analysis with Wireshark
Communication and networking are vital for every modern organization. Making sure that all the networks of the organization are secure is a key mission.In this article we are going to learn how to analyze malicious traffic using the powerful tool Wireshark.
Before diving deep into traffic analysis, I believe that we need to explore some networking fundamentals first. It is essential to learn how a network works. Networking is the process of changing information between different devices. The transmission is usually done using a transmission mode. In communications we have generally 3 transmission modes:
- Simplex Mode: in this mode the data is transferred in one direction like the transmission used in TV broadcasting
- Half-duplex Mode: in this mode the data flows in two directions but using a single mean of communication
- Full-duplex Mode: in this mode the data flow is bidirectional and simultaneous.
When it comes to communication networks we have many types. Some of them are the following:
- Local Area Network (LAN): this network is used in small surfaces and areas
- Metropolitan area network (MAN): this network is larger than the Local Area Network. We can use for example to connect two offices.
- Wide area network (WAN): We use this type of networks to connect large distances
- Personal area network (PAN): this network is used in short distances and small areas like a single room.
A topology is a schematic representation of a network. You can see it as the layout of the network and how the connected devices are arranged in the network. In networking we have many topologies some of the them are:
- Ring Topology: the data flows in one direction
- Star Topology: all the devices are connected to a single node (Hub)
- Tree Topology: this topology is hierarchical
- Bus Topology: all the devices are connected to a central connection
- Fully-connected Topology: each device is connected with all the other devices of the network
What is a network traffic?
Techopedia defines it as follows:
"Network traffic refers to the amount of data moving across a network at a given point of time. __Network data__ is mostly encapsulated in __network packets__ , which provide the load in the network. __Network traffic__ is the main component for network traffic measurement, network traffic __control__ and simulation."
Traffic Analysis with Wireshark
The most suitable tool that will help you analyze your network traffic is definitely Wireshark. Wireshark is a free and open-source tool to help you analyse network protocols with deep inspection capabilities. It gives you the ability to perform live packet capturing or offline analysis. It supports many operating systems including Windows, Linux, MacOS, FreeBSD and many more systems.
You can download it from here: https://www.wireshark.org/download.html
Wireshark will help capture and analyze traffic as pcap files. The analysis follows the OSCAR methodology:
- Collect Evidence
Let's start by analyzing a sample pcap file so we can understand Wireshark capabilities. But before that we need to know an important model called the OSI netwoking Model :
By Definition: "The Open Systems Interconnection model ( OSI model ) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers.
In other words data is moving in the network respecting a specific order. The following are the seven Layers of the OSI Model:
7- Application layer
6 -Presentation layer
5- Session layer
4- Transport layer
3- Network layer
2- Data link layer
1- Physical layer
The following graph illustrates the different OSI model layers:
As a first demonstration let's start analyze a small pcap delivered by malware-traffic-analysis.net. _The file password is "_infected"
Once you open it with Wireshark you will get this main window:
Let's start collecting some helpful information like the Host, destination, source etc...
To get the host we can use the DHCP filter.
Dynamic Host Configuration Protocol (DHCP) is a network layer protocol based on RFC 2131 that enables assigning IP addresses dynamically to hosts. It goes through 4 steps:
- _Discovery _
To learn more about Filters check this great resource: Using Wireshark – Display Filter Expressions
Now select: DHCP Request and you will get many helpful pieces of information including the client Mac address. In switching the traffic of data is determined by Media Access Control (MAC) addresses. A MAC address is a unique 48-bit serial number. It is composed equally of the Organizational Unique Identifier (OUI) and the vendor-assigned address.MAC addresses are stored in a fixed size table called the Content Addressable Memory (CAM)
And you will get also the hostname. It is "Rogers-iPad"
After taking a look at how you can use Wireshark to extract some pieces of information, let's analyze a malicious traffic. As a demonstration we are going to analyze this pcap from the same source (the password is "infected"). Some additional alerts file can be found here.
Open the pcap file with Wireshark. We are going to find:
- The IP address, MAC address, and host name of the infected Windows host
- The Windows user account name of the victim
- The used Malware
By highlighting "Internet Protocol Version 4" we can get the IP address which is: 10.18.20.97
The MAC address is: 00:01:24:56:9b:cf
Like what we did previously to detect the hostname we can see that the hostname is: JUANITA-WORK-PC
To get the windows user account by analyzing the kerberos traffic using this filter: _ kerberos.CNameString _
The Windows account name is: momia.juanita
Based on the alerts we can get that the malware was a variant of " Ursnif"
_ Ursnif steals system information and attempts to steal banking__ and online account credentials. (from: F-Secure Labs: https://www.f-secure.com/v-descs/trojan_w32_ursnif.shtml )_
The malware appears to come from a mail because if you notice closely you will find that the victim visited mail.aol.com:
I hope you found it helpful.
In this article, we explored Wireshark and how to use to perform malicious traffic analysis.
To learn more about traffic analysis you can download this doc that contains many useful resources: Malicious Traffic Analysis Resources
References and Credit