The Art of Network Hunter (pt. 1)

Daniel Simplício
5 min read · Jan 2, 2019

Recently, while I was working as a Security Consultant, I took a course with some cool people at RSA Security about a very interesting tool that RSA acquired: RSA NetWitness.

What does NetWitness do? NetWitness is a very powerful tool capable of storing network traffic and performing advanced analysis on it, showing in an intelligible way the communications that are happening in the corporate network, through parsers written in Lua script.

Essentially NetWitness has 2* main modules: NetWitness for Packets and NetWitness for Logs. I did that course with my friend Xopis. It was almost entirely about NetWitness for Logs; however, I realized that the fun part, and the one I would really be interested in, was NetWitness “for Packets”, due to its flexibility in handling network packets.

During this course I heard a very cool bit of slang, “Network Hunter”. OK, but what is a Network Hunter?

The Network Hunter is basically the professional responsible for analyzing network traffic, always looking for anomalous behaviors such as leaks of sensitive corporate information and weird network events, creating attack timelines and supporting incident response. The Network Hunter puts more emphasis on identifying and investigating malicious behavior on the network, with the intention of preventing attacks on the corporate network.

Some employees from Symantec wrote a cool article about some of the types of threats that exist and how they work. I won't go into it at length because these articles are public. They were divided into three parts.

I did some research on this subject; however, I didn't find a lot of practical material, so I decided to write this article explaining how to identify this particular network attack by applying some forensics and/or analysis to PCAP files, trying to show that these techniques can perfectly well be used for continuous operations, threat analysis and incident response, or to destroy some CTF challenges… BTW, PLEASE, MORE PCAP/NETWORK CHALLZ!

To explain how it works, I'll use a PCAP file that I got from the people at RSA during the course.

Let’s start!

Forbes did a post about the 5 principal types of attacks that companies often suffer. The most common, according to Forbes, is malware/ransomware attacks. Knowing this, we can start our attack analysis.

The first step is to identify which file extensions are most used by attackers in malicious files. You can verify the most threatening extensions used in network attacks (for Windows platforms) in the links below:

Using these links, you can generate a text file with some malicious extensions to facilitate your filters during the analysis.

File extensions

To optimize the process, we'll search the PCAP using only the principal malicious extensions used by attackers, like .exe, .msi, .bat and .ps1. Before we start the forensics process, we have to check the type of the file that we'll analyze.

To do this check, use the “file” command. This command determines the type of the file you are going to analyze. As you can see, the file we'll analyze is a network dump, or PCAP file. The file has a size of 6.9 GB.

You can analyze PCAP files with a lot of tools, like:

  • RSA NetWitness
  • tcpdump
  • Wireshark
  • Windump
  • tshark
  • Network Miner
  • Etc

In this post I'll use only tcpdump and Wireshark, because these tools are open source and I am familiar with them. The first command we'll use is “tcpdump”.

Filtering filetype

When the command finishes, you can do a manual analysis looking for anomalous things. As you can see in the image below, there is a file with two extensions, “resume.pdf.exe”.

Suspicious file

Back in the PCAP file, you can verify that host 172.30.200.50 does an HTTP GET to host 223.25.233.248, downloading the file “resume.pdf.exe”. Renaming files with “normal” extensions with the intention of tricking the victim is a very common practice among attackers, so you can presume that “resume.pdf.exe” is a “potentially dangerous file”.

Filtering suspicious file

The next step in our analysis is to extract the malicious file “resume.pdf.exe” from the PCAP. You can use tcpdump to isolate the traffic between the infected host and the attacker's IP into another PCAP file.

Isolating the source file

After you isolate the host, you can extract the malicious file from the PCAP with Wireshark; you just have to go to “File > Export Objects”.

Extracting the suspicious file

Once the file has been extracted, you can repeat the procedure we did before and use the “file” command to check what type of file the malicious file is.

Detailed file

As you can see after running the file command, resume.pdf.exe is a 32-bit executable for the Windows platform. You can do an online validation of whether resume.pdf.exe is malware or not. To do this validation, we use 2 websites: https://www.virustotal.com and https://www.hybrid-analysis.com

After the websites do the scan, we can say that resume.pdf.exe is malware.
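The whole procedure above (filter the capture for suspicious extensions, isolate the client/server pair, export the HTTP object and run “file” on it) can be scripted when you have to repeat it across many captures. The following is an added example, not code from the post or from RSA or Wireshark: a small libpcap reader in plain Python that flags HTTP GETs for the extensions the post lists, marks double extensions like resume.pdf.exe, carves the response body the way “File > Export Objects” does, and identifies it by magic bytes. The capture it analyzes is constructed inside the script (the addresses 172.30.200.50 and 223.25.233.248 are the post's; the request, response and the inert “MZ” stub body are invented), and the reassembly assumes the in-order, single-connection traffic you get after isolating the pair with tcpdump.

```python
"""Added example: hunt a PCAP for suspicious downloads, carve the object, check its type."""
import re
import struct

# Extensions the post names as common in malicious downloads on Windows.
SUSPICIOUS_EXTENSIONS = {".exe", ".msi", ".bat", ".ps1"}

def iter_pcap_packets(data: bytes):
    """Yield raw frames from a classic libpcap capture (pcapng is not handled)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap capture")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def parse_tcp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]

def find_suspicious_downloads(pcap: bytes):
    """The tcpdump + grep step: HTTP GETs whose filename has a suspicious extension."""
    hits = []
    for frame in iter_pcap_packets(pcap):
        pkt = parse_tcp(frame)
        if pkt is None or not pkt[4].startswith(b"GET "):
            continue
        src, dst, _, _, payload = pkt
        path = payload.split(b" ", 2)[1].decode("latin-1")
        host = re.search(rb"\r\nHost:\s*([^\r\n]+)", payload)
        parts = path.rsplit("/", 1)[-1].lower().split(".")  # filename split on dots
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            hits.append({"client": src, "server": dst, "path": path,
                         "host": host.group(1).decode("latin-1") if host else dst,
                         "double_extension": len(parts) > 2})  # e.g. resume.pdf.exe
    return hits

def extract_http_objects(pcap: bytes, client: str, server: str):
    """Wireshark 'File > Export Objects' for one client/server pair: carve each HTTP
    response body from the server->client payloads (assumes in-order, single-connection traffic)."""
    stream = b"".join(p[4] for p in map(parse_tcp, iter_pcap_packets(pcap))
                      if p and p[0] == server and p[1] == client)
    objects = []
    while stream.startswith(b"HTTP/1."):
        head, _, rest = stream.partition(b"\r\n\r\n")
        m = re.search(rb"Content-Length:\s*(\d+)", head, re.I)
        length = int(m.group(1)) if m else len(rest)
        objects.append(rest[:length])
        stream = rest[length:]
    return objects

def file_type(blob: bytes) -> str:
    """Minimal stand-in for the `file` command, based on magic bytes only."""
    if blob.startswith(b"MZ"):
        return "MS-DOS/PE executable (MZ header)"
    if blob.startswith(b"%PDF"):
        return "PDF document"
    return "data"

def build_sample_pcap() -> bytes:
    """Constructed capture: the client fetches a harmless brochure.pdf, then resume.pdf.exe."""
    def frame(src, dst, sport, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4

    client, server = "172.30.200.50", "223.25.233.248"  # addresses from the post
    body = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # fake, inert PE stub (constructed)
    frames = [
        frame(client, server, 49152, 80, b"GET /docs/brochure.pdf HTTP/1.1\r\nHost: www.gtishare.com\r\n\r\n"),
        frame(client, server, 49153, 80, b"GET /downloads/resume.pdf.exe HTTP/1.1\r\nHost: www.gtishare.com\r\n\r\n"),
        frame(server, client, 80, 49153, b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # per-packet header
    return out
```

Run it as `pcap = build_sample_pcap(); hits = find_suspicious_downloads(pcap)`; brochure.pdf is not reported, resume.pdf.exe is, with `double_extension` set, and `extract_http_objects(pcap, hits[0]["client"], hits[0]["server"])` returns the carved body that `file_type` reports as an MZ executable. On a real capture, pass the bytes of the file tcpdump isolated (`tcpdump -r in.pcap -w pair.pcap host A and host B`); the carving deliberately does not reorder or de-duplicate TCP segments, so use Wireshark's export for captures with retransmissions. Before uploading a carved object to VirusTotal or Hybrid Analysis, look up its SHA-256 (`hashlib.sha256(obj).hexdigest()`) first: a hash search answers the question without sharing the sample.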

Conclusion

Up to this point, we can conclude that host 172.30.200.50 is probably infected by malware that makes requests to external domains like www.gtishare.com [223.25.233.248].

In the second part of this post, we'll do a detailed analysis of what actions the attacker took after the victim downloaded the malware.

======================================

The Art of Network Hunter - Episode II - The Snitch PCAP !

======================================

Authors

Daniel “Oi*” Simplício ( https://www.linkedin.com/in/danielakaoi )

Victor “Xopis” Haberkorn ( https://www.linkedin.com/in/vhaberkorn )
