ANALYSING PCAP FILES WITH WIRESHARK-PART 2

Salim Salimov
Oct 4, 2023


Hello everybody,

Welcome to part 2 of .pcap analysis with Wireshark. Today I will try to answer the quiz questions from this website:

1. I have created a folder “Quiz” where I downloaded the zip file and extracted the pcap file.

I chose the first one at the top, followed the instructions to download a zip file from GitHub, then extracted the zip file with the password “infected”.

My tasks will be to find answers to the following questions:

-What is the date and time in UTC the infection started?

-What is the IP address of the infected Windows client?

-What is the MAC address of the infected Windows client?

-What is the hostname of the infected Windows client?

-What is the user account name from the infected Windows host?

-Is there any follow-up activity from other malware?

2. Preparing Wireshark:

  • Firstly, opened the quiz pcap with Wireshark
  • Customized it a bit:

Wireshark has a lot of customization options, like colouring rules where you can change the colour of the different types of packets. Another one which I really like is adding custom filter buttons. They are easy to create and use. If you often need to type or copy-paste a long or complex filter, apply it once and press the little + button on the right. Then type a name in the Label field (you can also add some notes in the Comment field) and click OK.

We can create as many buttons as we want by repeating the same procedure with different filters.

This is how my Wireshark looks after I have created some buttons.

3. Starting to analyse:

As a starting point I begin by exporting the suspicious objects from the pcap file.

  • When I go to File / Export Objects / HTTP..., a new window appears and I scroll through the list, looking to spot any suspicious files, and take notes of them and their details.
  • I have created a new folder for the extracted objects and a new text document where I start taking notes.
  • Found 2 very suspicious files, then extracted them into the created folder.

4. The next thing I would like to check: in the Wireshark Statistics menu, if we choose and click on HTTP / Requests we get a new window like this:

Going through the whole list I can check which websites and downloaded files are suspicious and focus on them. To make the list shorter I just collapse the expanded non-suspicious entries by clicking the little − box in front of them. This way I get a neat view like the following screenshot:

Found some suspicious files requested through 5 suspicious hosts. Some of the files were available to be exported as objects earlier and I have two of them in the “extracted objects” folder already (“%2f” and “643d0491bcea1.zip”).

5. From here I copied the suspicious requests into my notes.

6. Checked each of them in VirusTotal and removed the last one from my notes as it was not detected as malicious, while all of the others returned as detected. I have also noted from which hosts the two exported files have been requested.

Interestingly, the first exported object is not seen on this list, so I want to go back to the Export Objects window and open it side by side with the HTTP Requests window to compare the two lists.

So the host name “skigimeetroc.com” associated with the file “%2f” is present on both sides, and on both lists this file is named with the single character “/” (“%2f” is just its URL-encoded form), which in the HTTP Requests list is also associated with another host name, “x1.c.lencr.org”.

The file “wicd/643d0491bcea1.zip” can be seen in both lists hosted on “cotecsecuritygroup.com”.

Next we have a PHP file, “main.php”, requested from the host IP “80.77.25.175”. This file is not available in the Export Objects list, probably because it is a script that executed on the server without being downloaded at all.

6. Using the first display filter:

I use this filter

http.host == <domain name>

when I have a specific domain whose HTTP traffic I need to investigate.

Another great feature in Wireshark is that I can join filters with logical operators and expressions like and, or, &&, ||, etc.

Instead of applying this filter with each domain or IP from the list in my notes one at a time, I have used this feature to join them all together like this:

http.host == x1.c.lencr.org or http.host == skigimeetroc.com or http.host == cotecsecuritygroup.com or http.host == 80.77.25.175

When applied as a filter it returns only the results associated with these domains and IPs.

(Screenshot: only malicious traffic displayed here)

7. Analysing the results

The first packet in the results is the one which happened first in time, and it is a GET request from the victim (source IP) to the attacker’s host (destination IP), where a malicious .php file is reached and most likely executed a script.

So we have a few answers already:

-What is the date and time in UTC the infection started? —

Apr 19, 2023 15:31:08 UTC

-What is the IP address of the infected Windows client? —

10.4.19.136

-What is the MAC address of the infected Windows client? —

14:58:d0:2e:c5:ae

{this is found in the Data Link layer (Ethernet) details}

8. To find the other answers I have applied the following filter:

kerberos.CNameString and ip.addr== 10.4.19.136

-What is the hostname of the infected Windows client?

DESKTOP-SFF9LJF

-What is the user account name from the infected Windows host? —

csilva
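Steps 6 to 8 written out as a script, as an added example that is not part of the original post: it builds the combined http.host filter, applies it to a constructed table of HTTP requests shaped like the Statistics / HTTP / Requests rows, takes the earliest hit as the infection start, and reads the hostname and user name from constructed kerberos.CNameString values. The benign rows, the 203.0.113.x and 10.4.19.50 addresses and the LAPTOP name are made up; the assumption about the trailing “$” is the usual Windows convention that a machine account name ends with “$”.

```python
# Added example (not from the original post): steps 6-8 as a script over
# constructed data. The host names, IPs, timestamp, hostname and user come
# from the post; every other value (benign rows, other IPs) is made up.
SUSPICIOUS_HOSTS = ["x1.c.lencr.org", "skigimeetroc.com",
                    "cotecsecuritygroup.com", "80.77.25.175"]

# Constructed rows shaped like Statistics > HTTP > Requests entries:
# (frame time in UTC, src IP, dst IP, http.host, http.request.uri).
HTTP_REQUESTS = [
    ("2023-04-19 15:29:40", "10.4.19.136", "203.0.113.9", "update.example", "/ping"),
    ("2023-04-19 15:31:08", "10.4.19.136", "80.77.25.175", "80.77.25.175", "/main.php"),
    ("2023-04-19 15:31:15", "10.4.19.136", "203.0.113.20", "skigimeetroc.com", "/"),
    ("2023-04-19 15:31:22", "10.4.19.136", "203.0.113.21",
     "cotecsecuritygroup.com", "/wicd/643d0491bcea1.zip"),
    ("2023-04-19 15:40:02", "10.4.19.50", "203.0.113.9", "update.example", "/ping"),
]

# Constructed Kerberos rows: (src IP, kerberos.CNameString).
KERBEROS_ROWS = [
    ("10.4.19.50", "LAPTOP-AA11BB22$"),
    ("10.4.19.136", "DESKTOP-SFF9LJF$"),
    ("10.4.19.136", "csilva"),
]

def combined_host_filter(hosts):
    """Step 6: one http.host test per host joined with 'or'; values are
    quoted, which Wireshark's filter syntax always accepts."""
    return " or ".join(f'http.host == "{h}"' for h in hosts)

def apply_host_filter(rows, hosts):
    """Keep only rows whose http.host is on the suspicious list."""
    wanted = set(hosts)
    return [r for r in rows if r[3] in wanted]

def infection_start(rows, hosts):
    """Step 7: the earliest hit gives the start time and the infected
    client's IP. Returns (time, src IP, uri) or None if nothing matched."""
    hits = sorted(apply_host_filter(rows, hosts), key=lambda r: r[0])
    return (hits[0][0], hits[0][1], hits[0][4]) if hits else None

def kerberos_identity(rows, client_ip):
    """Step 8: for one client, a CNameString ending in '$' is the machine
    account (hostname without the '$'); any other value is the user name."""
    hostname, user = None, None
    for src, cname in rows:
        if src == client_ip and cname.endswith("$"):
            hostname = cname[:-1]
        elif src == client_ip:
            user = cname
    return hostname, user
```

The 15:29:40 row is there to show that benign traffic from the same client before the first malicious request is not counted as the infection start, and the 10.4.19.50 rows show that the Kerberos lookup is keyed on the client IP.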

8. Last question of the quiz:

-Is there any follow-up activity from other malware?

To answer this I need to go back to the first combined filter, then right-click on the first packet and choose Follow the TCP (or HTTP) stream; either of them will open the same window, where we can see more details about this traffic.

In this window we can see some more information that can be used for further investigation, like the file that has been accessed, the attacker’s IP, the user-agent, etc., but what catches the attention here is the Location URL at the bottom, which seems to be the server where the malicious files I exported earlier were stored and downloaded from. I have checked this URL in VirusTotal and the results showed it detected as malicious, as expected.

Basically, even from the results I see with the first filter, anything after the .php request can be accepted as follow-up activity, as the requests seem to be related to each other in the traffic.

8. Checking the answers:

To check if my answers are correct I went back to the quiz website.

Dear readers, before ending this post I would like to say that this is not a professional analysis, but part of my cybersecurity course, and I am doing this as a student’s homework.

For those who want to see professional work on this case, I found this link:

Here is a link to part 1: https://medium.com/@salim.y.salimov/analysing-pcap-files-with-wireshark-783a0bab6a05

Thanks for stopping by and reading this article, I hope you have liked it. See you in my next post.
