Want to be a better Cyber Analyst? Analyze a PCAP like a Hacker!

Oded Shimon
5 min read · Aug 31, 2020


If you clicked on this article, you are probably familiar with PCAP files. Even if you are not, and you are just starting your way in the Cyber Security world, I recommend that you keep reading. You might learn something very interesting that may also be helpful for you somewhere in your future career!

As you might know, PCAP files contain network traffic data, usually captured by a network sniffer such as Wireshark or Tcpdump.

A significant number of people in the cyber security industry start their careers as analysts. Part of the analyst's job is to analyze suspicious traffic in order to trace offensive activity on a network. If you think about it for a moment, it is not an easy task at all. The analyst must be familiar with so many different protocols, attack vectors and tools that it can sometimes feel almost impossible to find out what is actually wrong.

I have always believed that in order to catch one — you have to think like one! Therefore, I suggest that you look over a PCAP like a hacker would. In this article I am going to explain what it means to think like a hacker.

When a hacker wants to attack a network, first of all he needs to learn it: he maps the network topology, identifies weak spots and paths for lateral movement, checks what privileges he has, and more, depending on the case. In most cases the purpose of all this effort is finding the data he is interested in and working out how to get it (for more information, see the Cyber Kill Chain).

OK, let's discuss some actions that a hacker might carry out simply by sniffing network traffic and analyzing it!

Building a network map

When an attacker enters a network, first of all he wants to know where he is and what is around him. While link-layer protocols are normally not particularly interesting, in this scenario they play a central role. By analyzing ARP data, we can build a clear and informative view of the network's layout. With additional visibility into the transport layer (TCP/UDP), we can gain an even broader view of the network.
Although it sounds basic, you first need to know where you are and who is next to you in order to know where you want to go.
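To make the ARP idea concrete, here is an added example (not code from the article or from BruteShark): a minimal classic-libpcap reader that pulls every Ethernet/IPv4 ARP packet out of a capture and turns it into a host map. It records which IP was seen with which MAC, which hosts asked for which addresses, and which IPs were claimed by more than one MAC. The capture it runs on is constructed in the block itself; the addresses, names and the `build_arp_map` function are my own and not part of any real tool.

```python
import struct
from collections import defaultdict

# Constructed example: a minimal libpcap reader plus an ARP-based host map.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
LINKTYPE_ETHERNET = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def iter_pcap_frames(data):
    """Yield the link-layer frames of a classic (non-pcapng) libpcap capture."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:          # file written little-endian
        order = "<"
    elif magic == 0xD4C3B2A1:        # file written big-endian
        order = ">"
    else:
        raise ValueError("not a classic libpcap capture")
    linktype, = struct.unpack_from(order + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    rec = struct.Struct(order + "IIII")     # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + rec.size <= len(data):
        _sec, _usec, incl_len, _orig = rec.unpack_from(data, off)
        off += rec.size
        yield data[off:off + incl_len]
        off += incl_len


def build_arp_map(pcap_bytes):
    """Learn IP->MAC bindings and who-asks-for-whom relations from ARP traffic.

    Returns {"hosts": {ip: {mac, ...}}, "asks": {ip: {ip, ...}}, "conflicts": [ip, ...]}.
    An IP bound to more than one MAC is reported as a conflict: it may just be a
    reassigned address, but in a capture it is also exactly how ARP spoofing looks.
    """
    hosts = defaultdict(set)
    asks = defaultdict(set)
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < ETH_HDR.size + ARP_HDR.size:
            continue
        _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue                       # only Ethernet/IPv4 ARP
        sender_ip = ip_str(spa)
        if sender_ip != "0.0.0.0":         # ARP probes carry no sender address
            hosts[sender_ip].add(mac_str(sha))
        if oper == ARP_REQUEST:
            asks[sender_ip].add(ip_str(tpa))
        elif oper == ARP_REPLY:
            hosts[ip_str(tpa)].add(mac_str(tha))   # a reply's target is the original asker
    return {
        "hosts": dict(hosts),
        "asks": dict(asks),
        "conflicts": sorted(ip for ip, macs in hosts.items() if len(macs) > 1),
    }


# --- constructed capture used as sample input (not a real network) ---
def _arp_frame(oper, sha, spa, tha, tpa):
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def build_sample_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1598832000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


MAC_A, IP_A = bytes.fromhex("001122334455"), bytes([10, 0, 0, 10])
MAC_B, IP_B = bytes.fromhex("66778899aabb"), bytes([10, 0, 0, 20])
MAC_GW, IP_GW = bytes.fromhex("aabbccddeeff"), bytes([10, 0, 0, 1])
MAC_X = bytes.fromhex("deadbeef0001")          # a second MAC claiming the gateway address
ZERO_MAC = b"\x00" * 6

SAMPLE_PCAP = build_sample_pcap([
    _arp_frame(ARP_REQUEST, MAC_A, IP_A, ZERO_MAC, IP_GW),                  # A: who has 10.0.0.1?
    _arp_frame(ARP_REPLY, MAC_GW, IP_GW, MAC_A, IP_A),                       # gateway answers A
    _arp_frame(ARP_REQUEST, MAC_B, IP_B, ZERO_MAC, IP_GW),                  # B: who has 10.0.0.1?
    _arp_frame(ARP_REQUEST, MAC_A, IP_A, ZERO_MAC, bytes([10, 0, 0, 30])),  # nobody ever answers
    _arp_frame(ARP_REPLY, MAC_X, IP_GW, MAC_B, IP_B),                        # different MAC claims 10.0.0.1
])

if __name__ == "__main__":
    result = build_arp_map(SAMPLE_PCAP)
    for ip, macs in sorted(result["hosts"].items()):
        print(ip, "->", ", ".join(sorted(macs)))
    print("IPs seen with more than one MAC:", result["conflicts"])
```

Two things in the output are worth an analyst's attention beyond the plain host list: addresses that are asked for but never answered (the asker believes something lives there, which hints at stale configuration or scanning), and the `conflicts` list, where one IP answers from two MACs.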

For further reading about network maps you can take a look at “Visualizing Network map” by Aviad Tamir.

Looking For Passwords

Oh yes! There is nothing as satisfying as finding a plain-text password in some traffic that connects you to a service on the network. However, plain-text passwords are quite an outdated method, since most newer protocols do not transfer the password in plain text, for obvious security reasons. Still, you might be surprised to find out just how many outdated systems and misconfigured networks are out there. A password can grant you access to the most sensitive account, mailbox, internal system, or sometimes even the whole network. For example, Telnet or FTP traffic is pretty common to find in organizational networks; these protocols are often used for remote access to a server and therefore carry a password to that server, which can be extracted with basic knowledge and tools.
In the above example we can see a full session of a user named "csandres" working on a server over FTP. Not only is the user's password visible to everyone, so are all the other actions he performs on the server.
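The FTP case is simple enough to show end to end. The following is an added example, not the article's or BruteShark's code: it takes the lines of reassembled FTP control channels (the kind of text Wireshark's "Follow TCP Stream" gives you), pairs each `USER` with the `PASS` that follows it, and uses the server's reply code to tell a successful login (`230`) from a failed one (`530`). The session text, the `csandres` login and the `extract_ftp_logins` function are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example: credential detection over reassembled FTP control channels.
USER_OR_PASS = re.compile(r"(?i)^(USER|PASS)\s+(.*)$")


@dataclass
class FtpLogin:
    stream: str                 # identifier of the TCP conversation
    user: str
    password: str
    succeeded: Optional[bool]   # None if the capture ended before the server answered


def extract_ftp_logins(streams: Dict[str, List[Tuple[str, str]]]) -> List[FtpLogin]:
    """streams maps a connection id to ("C"|"S", line) pairs in wire order.

    The FTP login is a three-step dialogue: USER, 331, PASS, then 230 or 530.
    We hold the pending USER/PASS pair until the server's verdict arrives, so a
    retry after a failed attempt is reported as a separate login.
    """
    findings: List[FtpLogin] = []
    for stream_id, lines in streams.items():
        pending_user: Optional[str] = None
        pending_login: Optional[FtpLogin] = None
        for direction, raw in lines:
            line = raw.rstrip("\r\n")
            if direction == "C":
                m = USER_OR_PASS.match(line)
                if not m:
                    continue                       # CWD, RETR, ... are not our concern here
                cmd, arg = m.group(1).upper(), m.group(2)
                if cmd == "USER":
                    pending_user = arg
                elif pending_user is not None:     # PASS following a USER
                    pending_login = FtpLogin(stream_id, pending_user, arg, None)
            elif pending_login is not None and line[:3].isdigit():
                code = line[:3]
                if code == "230":
                    pending_login.succeeded = True
                elif code[0] in "45":              # 530 login incorrect, 421 service closing, ...
                    pending_login.succeeded = False
                else:
                    continue                       # e.g. 332 "need account": keep waiting
                findings.append(pending_login)
                pending_login, pending_user = None, None
        if pending_login is not None:              # capture cut off mid-login
            findings.append(pending_login)
    return findings


def summarize(findings: List[FtpLogin]) -> List[str]:
    """Report lines for an analyst; the secret itself is masked, its length kept."""
    verdict = {True: "logged in", False: "rejected", None: "no server reply"}
    return [f"{f.stream}: user={f.user} password={'*' * len(f.password)} ({verdict[f.succeeded]})"
            for f in findings]


# Constructed sample: two control channels as an analyst would see them after reassembly.
SAMPLE_STREAMS = {
    "10.0.0.10:49152 -> 10.0.0.20:21": [
        ("S", "220 ftp service ready\r\n"),
        ("C", "USER csandres\r\n"),
        ("S", "331 Password required for csandres\r\n"),
        ("C", "PASS Winter2020!\r\n"),
        ("S", "230 User csandres logged in\r\n"),
        ("C", "CWD /payroll\r\n"),
        ("S", "250 CWD command successful\r\n"),
    ],
    "10.0.0.11:50000 -> 10.0.0.20:21": [
        ("C", "USER admin\r\n"),
        ("S", "331 Password required\r\n"),
        ("C", "PASS letmein\r\n"),
        ("S", "530 Login incorrect\r\n"),
        ("C", "USER admin\r\n"),
        ("S", "331 Password required\r\n"),
        ("C", "PASS letmein2\r\n"),
        ("S", "230 Login successful\r\n"),
    ],
}

if __name__ == "__main__":
    for line in summarize(extract_ftp_logins(SAMPLE_STREAMS)):
        print(line)
```

The masking in `summarize` is deliberate: the point of the finding is that a clear-text credential crossed the wire and which account it belongs to, and a report that reproduces the secret only widens the exposure.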

Crack Hashes

Hashes are my favorite category, and the reason for this is very simple — while most analysts are renowned for extracting passwords, I rarely see any analysts looking for hashes, even though they may have the same effect. Moreover, the most sensitive services use hashes! A hacker might start by collecting hashes of user accounts from HTTP traffic that uses HTTP Digest authentication, or from NTLM / Kerberos traffic. After finding those hashes, a hacker can start brute-forcing them, or even use authentication-bypass techniques. Have I said earlier that finding a password is satisfying? Try extracting a hash and then brute-forcing it until you crack it open!
In this video you can see how I crack an NTLM hash from a random PCAP file from the Wireshark site using tools like Hashcat and BruteShark:
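Why is a captured authentication exchange worth as much to an attacker as a password? The HTTP Digest case shows the mechanism in a few lines. The following added example (my own code, not the article's or BruteShark's, and not how Hashcat implements it) parses an `Authorization: Digest` header as it appears in an HTTP request and recomputes the RFC 2617 response for each candidate password: everything except the password is in the captured header, so a weak password falls to an offline dictionary check with no further contact with the server. The header, realm, nonce and candidate list are constructed for this illustration.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional

# Constructed example: offline verification of a captured HTTP Digest exchange (RFC 2617).
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Turn 'Digest username="u", realm="r", nc=00000001, ...' into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest authorization header")
    return {key: (quoted if quoted else bare) for key, quoted, bare in PARAM_RE.findall(params)}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(p: Dict[str, str], method: str, password: str) -> str:
    """Recompute the client's 'response' value for a candidate password.

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri); with qop=auth the
    response is MD5(HA1:nonce:nc:cnonce:qop:HA2), without qop MD5(HA1:nonce:HA2).
    Only the password is unknown to someone holding the capture.
    """
    ha1 = _md5(f"{p['username']}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{p['uri']}")
    qop = p.get("qop")
    if qop is None:
        return _md5(f"{ha1}:{p['nonce']}:{ha2}")          # RFC 2069 compatibility form
    if qop != "auth":
        raise ValueError(f"qop={qop} needs the entity body and is not handled here")
    return _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{qop}:{ha2}")


def check_digest_password(p: Dict[str, str], method: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces the captured response, else None."""
    captured = p["response"].lower()
    for candidate in candidates:
        if digest_response(p, method, candidate) == captured:
            return candidate
    return None


# Constructed capture: the client-side header of one GET request. The response value
# is generated here from a known weak password so the example is self-consistent.
_SAMPLE_FIELDS = dict(username="csandres", realm="intranet", uri="/reports/q3.pdf",
                      nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth",
                      nc="00000001", cnonce="0a4f113b")
_WEAK_PASSWORD = "Winter2020!"
SAMPLE_METHOD = "GET"
SAMPLE_HEADER = (
    'Digest username="csandres", realm="intranet", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'uri="/reports/q3.pdf", qop=auth, nc=00000001, cnonce="0a4f113b", '
    f'response="{digest_response(_SAMPLE_FIELDS, SAMPLE_METHOD, _WEAK_PASSWORD)}"'
)
SAMPLE_WORDLIST = ["password", "Summer2019", "Winter2020!", "letmein"]

if __name__ == "__main__":
    fields = parse_digest_header(SAMPLE_HEADER)
    hit = check_digest_password(fields, SAMPLE_METHOD, SAMPLE_WORDLIST)
    print(f"user {fields['username']}@{fields['realm']}:",
          "password is in the wordlist" if hit else "no wordlist match")
```

Two consequences for the analyst follow directly from the code: the computation needs the request method as well as the header (a wrong method gives no match, not a false one), and the only thing standing between a capture and the account is password strength, which is why Digest over plain HTTP belongs on the same finding list as Telnet and FTP.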

Identifying Services

Knowing that a certain IP address belongs to a host in the network is nice, but you would like to know more. What is the role of this machine? Is it some random workstation? Is it a file server? Maybe it is a CCTV camera, or even the database with all of the company's sensitive data. The attacker would also want information about the services that are installed and running on that machine. Finding an old and unpatched service that is vulnerable to a public exploit can be the difference between the success and failure of the attack.

Extracting Files

Files contain data. That's a big surprise, I know. And as we said before, data is usually the main reason for an attacker to try to penetrate a network in the first place. The interesting thing about files is that sometimes you do not have to reach the very machine that holds the data — you can sniff the data straight off the wire. There are many different methods for extracting files from raw data, from parsing application-layer file transfer protocols like FTP and HTTP, to using classic forensics techniques like file carving from TCP/UDP streams.
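The file-carving technique mentioned above, as an added example that is not part of the article or of BruteShark: given a reassembled TCP stream as bytes, the code below recovers files in two different ways. PNG files are carved structurally, by walking the chunk list and checking each chunk's CRC until `IEND`, so a truncated or corrupted image is rejected rather than guessed at; JPEG and PDF are carved by the simpler header-to-trailer search, which is the method most carvers fall back on when a format has no length fields to follow. The stream, the embedded files and the function names are constructed for this illustration.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# Constructed example: carving files out of a reassembled TCP stream.
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Formats carved by header/trailer search (no internal length to follow).
TRAILER_TYPES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve_png(buf: bytes, start: int) -> Optional[int]:
    """Walk PNG chunks from the signature at `start`; return the end offset or None.

    Each chunk is length(4) type(4) data(length) crc(4). We verify the CRC over
    type+data, so random bytes after a real signature cannot masquerade as an image.
    """
    off = start + len(PNG_SIG)
    while off + 12 <= len(buf):
        length, ctype = struct.unpack_from("!I4s", buf, off)
        chunk_end = off + 12 + length
        if chunk_end > len(buf):
            return None                                  # chunk runs past the capture
        crc, = struct.unpack_from("!I", buf, off + 8 + length)
        if zlib.crc32(buf[off + 4:off + 8 + length]) & 0xFFFFFFFF != crc:
            return None                                  # corrupt or not really a PNG
        off = chunk_end
        if ctype == b"IEND":
            return off
    return None                                          # ran out of bytes before IEND


def carve_files(buf: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (kind, offset, data) for every recoverable file, in stream order."""
    found: List[Tuple[str, int, bytes]] = []
    i = buf.find(PNG_SIG)
    while i != -1:
        end = carve_png(buf, i)
        if end is not None:
            found.append(("png", i, buf[i:end]))
        i = buf.find(PNG_SIG, i + 1)
    for kind, (head, tail) in TRAILER_TYPES.items():
        i = buf.find(head)
        while i != -1:
            j = buf.find(tail, i + len(head))
            if j == -1:
                break                                    # trailer never arrived
            found.append((kind, i, buf[i:j + len(tail)]))
            i = buf.find(head, j + len(tail))
    return sorted(found, key=lambda f: f[1])


# --- constructed stream: an HTTP response carrying a PNG, then a PDF, a JPEG, and a cut-off PNG ---
def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


_IHDR_1X1_RGB = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)       # 1x1 pixel, 8-bit RGB
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", _IHDR_1X1_RGB)
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))   # filter byte + one red pixel
              + _png_chunk(b"IEND", b""))
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
                 + b"\r\nHTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n" + SAMPLE_PDF
                 + b"\r\n" + SAMPLE_JPEG
                 + b"\r\n" + PNG_SIG + _png_chunk(b"IHDR", _IHDR_1X1_RGB))  # truncated: no IDAT/IEND

if __name__ == "__main__":
    for kind, offset, data in carve_files(SAMPLE_STREAM):
        print(f"{kind:5} at offset {offset:5d}, {len(data)} bytes")
```

The trailer-based path has a known weakness the structural path does not: a JPEG that embeds a thumbnail contains two `FF D9` markers, and the search stops at the first one, so for formats with internal structure (PNG, ZIP, PDF object streams) walking the structure is always the more reliable carve.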

Try It For Yourself

If you would like to give these newly learned methods a shot, I recommend using BruteShark. I have developed this tool according to the approach explained above. In addition, BruteShark's GitHub repository contains many PCAP files for educational use.
All you have to do now is install BruteShark and let it do the work for you!
Use the example files and take a deep look at the results. If you are braver than that, take a look at the source code and dive into the algorithms and their implementation.

Conclusion

To conclude, I have introduced you to the approach of thinking the way a hacker thinks, as part of your path to becoming a better analyst. We have also talked about how a hacker would think and how he operates during an attack.

If a certain example in this article seems useful or interesting to you, I deeply encourage you to dig deeper and learn more about it. Feel free to contact me with any further questions and feedback.
My e-mail: contact.oded.shimon@gmail.com
