ZEEK TryHackMe writeup
Zeek is a free and open-source software network analysis framework.
Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS).
Go to Desktop/Exercise-Files/TASK-2
What is the installed Zeek instance version number?
4.2.1
What is the version of the ZeekControl module?
2.4.0
Investigate the “sample.pcap” file. What is the number of generated alert files?
8
Zeek Logs
Go to Desktop/Exercise-Files/TASK-3
Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?
- DHCP is a server that assigns IP addresses to PCs when they connect to the network.
Investigate the dns.log file. What is the number of unique DNS queries?
2
Investigate the conn.log file. What is the longest connection duration?
cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort -k3 -rn | head
332.319364
Zeek Signatures
Go to Desktop/Exercise-Files/TASK-5
Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?
cd Desktop/Exercise-Files/TASK-5/http
nano http-password.sig
HTTP signature:
Save and exit:
CTRL+S
CTRL+X
Run zeek command:
zeek -C -r http.pcap -s http-password.sig
cat signatures.log | zeek-cut src_addr
10.10.57.178
What is the source port of the second event?
cat signatures.log | zeek-cut src_port
38712
Investigate the conn.log.
What is the total number of the sent and received packets from source port 38706?
cat conn.log | zeek-cut id.orig_p id.resp_h id.resp_p proto service orig_pkts orig_ip_bytes resp_pkts | grep "^38706"
20
Create the global rule shown in the task and investigate the ftp.pcap file. Investigate the notice.log. What is the number of unique events?
Rule: ftp-bruteforce.sig:
zeek -C -r ftp.pcap -s ftp-bruteforce.sig
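The writeup does not reproduce the bodies of http-password.sig or ftp-bruteforce.sig. The script below is an added example, not the task's own files: it writes an HTTP cleartext-password signature and a two-rule FTP file in Zeek's signature syntax, counts the rules each file defines, and runs Zeek against the pcap only when Zeek is installed. The rule names, regular expressions, event strings and the temporary directory are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the TryHackMe task's files): write Zeek signatures and run them.
SIG_DIR="${TMPDIR:-/tmp}/zeek-sig-demo"
mkdir -p "$SIG_DIR"

# One rule: TCP traffic to port 80 whose payload contains "password".
# The event string is what appears in the event_msg column of signatures.log.
write_http_password_sig() {
    cat > "$1" <<'EOF'
signature http-password {
    ip-proto == tcp
    dst-port == 80
    payload /.*password.*/
    event "Cleartext Password Found!"
}
EOF
}

# Two rules in one file: every FTP USER command (the "ftp" condition matches the
# client command line) and every "530 Login incorrect" reply from the server.
write_ftp_bruteforce_sig() {
    cat > "$1" <<'EOF'
signature ftp-username {
    ip-proto == tcp
    ftp /.*USER.*/
    event "FTP Username Input Found!"
}

signature ftp-brute {
    ip-proto == tcp
    payload /.*530.*Login.*incorrect.*/
    event "FTP Brute-force Attempt!"
}
EOF
}

# How many "signature <name> {" headers a .sig file defines.
count_rules() {
    grep -c '^signature [A-Za-z0-9_-]* {' "$1"
}

# -C ignores bad checksums (common in lab pcaps), -r reads a pcap, -s loads the
# signature file. Matches are written to signatures.log in the current directory.
run_with_sig() {
    pcap="$1"; sig="$2"
    if command -v zeek >/dev/null 2>&1 && [ -r "$pcap" ]; then
        zeek -C -r "$pcap" -s "$sig"
    else
        echo "skipping zeek run: zeek not installed or $pcap not readable" >&2
    fi
}

write_http_password_sig "$SIG_DIR/http-password.sig"
write_ftp_bruteforce_sig "$SIG_DIR/ftp-bruteforce.sig"
echo "http-password.sig defines $(count_rules "$SIG_DIR/http-password.sig") rule(s)"
echo "ftp-bruteforce.sig defines $(count_rules "$SIG_DIR/ftp-bruteforce.sig") rule(s)"
run_with_sig http.pcap "$SIG_DIR/http-password.sig"
run_with_sig ftp.pcap "$SIG_DIR/ftp-bruteforce.sig"
```

After a run, `cat signatures.log | zeek-cut src_addr src_port sig_id` shows which rule fired for each event, and `grep -c ftp-brute signatures.log` gives the per-rule hit count the later questions ask for.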
Investigate the notice.log. What is the number of unique events?
cat notice.log | zeek-cut uid | sort | uniq | wc -l
1413
What is the number of ftp-brute signature matches?
cat signatures.log | grep "ftp-brute" | wc -l
1410
Tip: to see the top of the file run:
cat notice.log | head -10
Zeek Scripts | Fundamentals
Go to Desktop/Exercise-Files/TASK-6
Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the “vinlap01” host?
zeek -C -r smallFlows.pcap dhcp-hostname.zeek
cat dhcp.log
astaro_vineyard
Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?
cat dhcp.log | zeek-cut host_name | sort -rn | uniq | wc -l
18 -1
Investigate the dhcp.log file. What is the identified domain value?
cat dhcp.log | zeek-cut domain
jaalam.net
Investigate the dns.log file. What is the number of unique queries?
cat dns.log | zeek-cut query | grep -v -e '*' -e '-' | sort -rn | uniq | wc -l
1109
Zeek Scripts | Scripts and Signatures
Go to folder Desktop/Exercise-Files/TASK-5/101.
Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?
zeek -C -r sample.pcap 103.zeek | grep "New Connection Found" | wc -l
Go to folder TASK-7/201.
Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?
zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
cat signatures.log | grep "ftp-admin" | wc -l
1401
Investigate the signatures.log file. What is the total number of “administrator” username detections?
cat signatures.log | grep "administrator" | wc -l
731
Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?
zeek -C -r ftp.pcap local
cat loaded_scripts.log | grep "\.zeek" | wc -l
498
Go to folder TASK-7/202.
Investigate the ftp-brute.pcap file with “/opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek” script. Investigate the notice.log file. What is the total number of brute-force detections?
zeek -C -r ftp-brute.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
2
Zeek Scripts | Frameworks
Go to Desktop/Exercise-Files/TASK-8
Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?
zeek -C -r case1.pcap intelligence-demo.zeek
cat intel.log
IN_HOST_HEADER
Investigate the http.log file. What is the name of the downloaded .exe file?
cat http.log | zeek-cut uri
knr.exe
Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?
zeek -C -r case1.pcap hash-demo.zeek
cat files.log | zeek-cut md5
cc28e40b46237ab6d5282199ef78c464
Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the “extract_files” folder. Review the contents of the text file. What is written in the file?
zeek -C -r case1.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
ls extract_files | nl
cd extract_files/
cat The_Extract_File
Microsoft NCSI
Zeek Scripts | Packages
Go to Desktop/Exercise-Files/TASK-9
Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?
zeek -Cr http.pcap /opt/zeek/share/zeek/site/zeek-sniffpass
brozeek
Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?
zeek -Cr case2.pcap /opt/zeek/share/zeek/site/geoip-conn
cat conn.log
chicago
Which IP address is associated with the identified City?
23.77.86.54
Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?
zeek -Cr case2.pcap sumstats-counttable.zeek