Welcome back, my hacker apprentices!
I recently began a new series on digital forensics to show aspiring hackers what the forensic investigator can do and see while investigating a cyber attack. This is the second installment in that series, and it focuses on network forensics: what a network forensic investigator can learn about the attacker during an investigation, and how.
Step 1: Get Wireshark
Although there are numerous tools for network analysis and investigation, the most widely used, by far, is Wireshark. It's a free network protocol analyzer that runs on Windows, Unix, OS X and Linux, and you can get it from here. Even better, it's built into BackTrack, so if you are using BackTrack there is nothing to download.
You can start Wireshark from the BackTrack menu by going to BackTrack -> Information Gathering -> Network Analysis -> Network Traffic Analysis and click on Wireshark.
Step 2: Grab a Live Capture
Next, we start Wireshark, which can analyze pcap and other capture files as well as perform a live capture. Let's do a live capture. Click Capture on the menu across the top, and a window like the one below will open.
Select the active interface, in this case eth0, since I'm running on a wired connection. Note that capturing requires privileges to open the interface; on Linux the recommended setup is to grant those privileges to the dumpcap capture helper (for example through the wireshark group) rather than running the whole Wireshark GUI as root.
Step 3: Our Problem
Here's the problem we're faced with.
Our client has been complaining that strange things are happening on his computer. His browser's home page keeps changing to a page that tells him his computer is infected with a virus and that he needs to buy an antivirus program. We've all seen this scareware at one time or another.
In addition, his computer is running slowly and ads keep popping up. Something has infected this system. Let's see what we can decipher about the situation from its network traffic.
Step 4: Live Capture
We start by sniffing the traffic on the network, and we can see the live packets go by as shown below.
Note that Wireshark has three panes. The top pane lists each packet with basic information about it (number, time, source, destination, protocol, info). The middle pane shows the decoded protocol headers of the selected packet, field by field. The bottom pane shows the raw packet bytes in hexadecimal and ASCII.
Step 5: Remote Attempts
The far left column numbers the packets in the order they arrived. Let's look at packet 147 below. We can see a Messenger packet from a device somewhere on the Internet. This is the old Windows Messenger service (the one behind "net send" pop-ups), which spammers abused by sending unsolicited UDP datagrams to Internet-facing Windows hosts. Let's take a closer look at this packet by clicking on it. When we do, its details appear in the middle pane.
Since the Messenger service is disabled on this network, nothing happens. We can verify that by looking at the next packet, an ICMP "Destination Unreachable" message (most likely a port unreachable, since nothing is listening) sent back to the IP that attempted the Messenger connection. An unsolicited connection attempt from the Internet to a service port is suspicious activity in its own right, even though this one failed.
Step 6: Filter the Traffic
With so much traffic going by, we need to filter it so we only see what we are interested in. If we click on the traffic to and from 216.49.88.118, we can see that this address belongs to McAfee's antivirus update service (note the reference to mcafee.com in the ASCII section of the bottom pane).
Since this traffic is benign, we can remove it from view by filtering it out. In this case, we want to see everything that is not to or from IP address 216.49.88.118. Type the following into the filter bar; when the syntax is valid, the bar's background turns green. The proper display filter to exclude an IP address is:
- !(ip.addr == 216.49.88.118)
Note that the more obvious ip.addr != 216.49.88.118 does not do what you want: ip.addr matches both the source and destination fields, so that filter keeps every packet in which at least one of the two addresses differs, which is almost all of them. Negating the whole comparison, as above, drops a packet if either address matches.
Now we have removed traffic to and from an innocuous address from our view, which helps us focus on the remaining, potentially malicious traffic.
In the screenshot below, we have successfully filtered out the traffic to and from McAfee.
Step 7: DNS Query
Now let's look down a few packets. In this screenshot, the second packet shows our client's computer (216.148.227.68) sending a DNS "standard query" for virtumonde.com. This is suspicious! Virtumonde (also known as Vundo) is a well-known adware/Trojan family associated with exactly the kind of pop-up ads and fake infection warnings our client is describing.
If we scroll down to packet 386, we can see our client's host connect to the virtumonde.com server and request a download. When we click on this packet and expand the HTTP protocol in the middle pane, we can see the Host header, "updates.virtumonde.com\r\n".
This is VERY suspicious activity and probably indicates that our client's system has been infected with a rootkit or spyware that is reporting back to, and fetching updates from, its home server. The DNS query followed by an HTTP request to the resolved host is the pattern to look for: the infected host resolves the malware's domain and then phones home.
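As an added example (not code from the original post), here is the same investigation done programmatically in pure Python, the way you would when there is no GUI and a pile of pcaps to triage. It builds a small constructed pcap containing the kinds of packets the article walks through, then applies the exclusion filter, extracts DNS query names and HTTP Host headers, and lists ICMP port-unreachable replies. The client and McAfee addresses are the ones from the article; the resolver, spammer and web-server addresses, the Messenger port numbers and the watchlist domain are assumptions made for the sample traffic.

```python
"""Pure-stdlib network forensics pass over a constructed pcap.
Mirrors the article: drop a trusted host (the !(ip.addr == x) filter),
list DNS queries, pull HTTP Host headers, spot ICMP port-unreachable replies."""
import struct
from collections import namedtuple
from socket import inet_aton, inet_ntoa

CLIENT = "216.148.227.68"   # the client's host (from the article)
MCAFEE = "216.49.88.118"    # McAfee update server (from the article)
DNS_SERVER = "10.0.0.53"    # assumed resolver
SPAMMER = "198.51.100.7"    # assumed Internet host sending Messenger spam
WEB = "203.0.113.10"        # assumed address updates.virtumonde.com resolves to
WATCHLIST = ("virtumonde.com",)  # assumed: domains we treat as malicious

Packet = namedtuple("Packet", "src dst proto payload")  # decoded IPv4 layer

# --- minimal packet builders (checksums left 0; nothing here goes on a wire) ---
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, inet_aton(src), inet_aton(dst)) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def tcp(sport, dport, payload):  # 20-byte header, data offset 5, PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
def dns_query(name):  # one A-record question, recursion desired
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def icmp_port_unreachable(rejected_ip_packet):  # type 3, code 3, quoting the offending header
    return struct.pack("!BBHI", 3, 3, 0, 0) + rejected_ip_packet[:28]
def ethernet(ip_packet):  # zero MACs, EtherType 0x0800
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip_packet
def build_pcap(frames):  # classic little-endian pcap, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# --- parsing and the analysis steps from the article ---
def read_pcap(data):
    """Yield Ethernet frames from a little-endian pcap; timestamps are ignored."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def decode_ipv4(frame):
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4 (ARP, IPv6, ...): out of scope here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    return Packet(inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), ip[9], ip[ihl:])

def exclude_host(packets, ip):
    """Same effect as the display filter !(ip.addr == ip): drop if EITHER end matches."""
    return [p for p in packets if ip not in (p.src, p.dst)]

def dns_qname(udp_payload):  # skip UDP (8) + DNS (12) headers, walk the labels
    d, i, labels = udp_payload[20:], 0, []
    while d[i]:
        labels.append(d[i + 1:i + 1 + d[i]].decode()); i += d[i] + 1
    return ".".join(labels)

def dns_queries(packets):  # (src, name) for every UDP datagram sent to port 53
    return [(p.src, dns_qname(p.payload)) for p in packets
            if p.proto == 17 and struct.unpack("!H", p.payload[2:4])[0] == 53]

def http_hosts(packets):  # (src, dst, Host) for every TCP segment carrying a GET
    out = []
    for p in packets:
        if p.proto != 6:
            continue
        body = p.payload[(p.payload[12] >> 4) * 4:]
        if body.startswith(b"GET "):
            for line in body.split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    out.append((p.src, p.dst, line[5:].strip().decode()))
    return out

def icmp_unreachables(packets):  # (responder, original sender) for ICMP type 3 / code 3
    return [(p.src, inet_ntoa(p.payload[8:][12:16])) for p in packets
            if p.proto == 1 and p.payload[0] == 3 and p.payload[1] == 3]

def matches_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)

def investigate(pcap_bytes, trusted=(MCAFEE,)):
    packets = [p for p in map(decode_ipv4, read_pcap(pcap_bytes)) if p]
    for ip in trusted:
        packets = exclude_host(packets, ip)
    return {"dns": [q for q in dns_queries(packets) if matches_watchlist(q[1])],
            "http": [h for h in http_hosts(packets) if matches_watchlist(h[2])],
            "unreachable": icmp_unreachables(packets)}

# Constructed sample traffic (not a real capture), in the order the article finds it.
MESSENGER_SPAM = ipv4(SPAMMER, CLIENT, 17, udp(1029, 1026, b"STOP! Your PC is infected"))
SAMPLE_PCAP = build_pcap([ethernet(x) for x in (
    MESSENGER_SPAM,
    ipv4(CLIENT, SPAMMER, 1, icmp_port_unreachable(MESSENGER_SPAM)),
    ipv4(CLIENT, MCAFEE, 6, tcp(49152, 80, b"GET /update.ini HTTP/1.1\r\nHost: update.mcafee.com\r\n\r\n")),
    ipv4(CLIENT, DNS_SERVER, 17, udp(49153, 53, dns_query("updates.virtumonde.com"))),
    ipv4(CLIENT, WEB, 6, tcp(49154, 80, b"GET /dl.php HTTP/1.1\r\nHost: updates.virtumonde.com\r\n\r\n")),
)])

if __name__ == "__main__":
    for kind, hits in investigate(SAMPLE_PCAP).items():
        print(kind, hits)
```

Running it reports the watchlisted DNS query, the HTTP request whose Host header is updates.virtumonde.com, and the port-unreachable reply the client sent back to the Messenger spammer; the McAfee request never reaches the analysis because the exclusion step drops it, exactly as the display filter does in the GUI. In Wireshark the same three checks are the display filters dns.qry.name contains "virtumonde", http.host contains "virtumonde" and icmp.type == 3 && icmp.code == 3.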
Keep coming back my aspiring hackers as we keep exploring the finer points of hacking and forensics!
34 Comments
I need your help
PLEASE :'(
Ghada;
How can I help you?
OTW
Question. I have a strong suspicion my boss has been remotely hacking into my MacBook Air laptop. I am on his Wi-Fi and I discovered the program VM Fusion running on my computer after lunch. Is this possible? Could he extract incriminating evidence from my laptop? Is there ANY forensic evidence I could use against this as proof?
Sir OTW,
I want to ask you about how to properly dual-boot a system. I was first using BackTrack as a live USB, but now I want to make it into a proper hard-disk-booted OS. Also I wanted to ask you if I can reverse the partition and, if I can, how can I do it.
Thanks in advance
U31
U31:
Dual booting is relatively simple. Simply boot from your USB device and then when the BT GUI comes up, click on the icon that says "Install BackTrack". From there, it will walk you through the installation. Make certain that you do not use the entire hard drive. It will ask you whether you want to partition the drive and, of course, the answer should be yes.
OTW
Sir OTW,
Should I select "Install them side by side, choosing between them each startup", or, Sir, the "Specify partitions manually" option? Also, after some time, can I somehow go back to Windows 7 only, without any of my hard disk being wasted?
Thanks in advance.
U31
U31:
Choose, "Install them side by side". Yes, you can go back to Windows 7 only by deleting the Linux partition.
Also, you should ALWAYS make a backup of your Windows installation in case anything goes wrong. Here is a link on how to do that:
OTW
Sir OTW,
Thank you very much for continuously answering my queries. You're always present when I need your help. Thanks in advance.
U31
Hello, nice site, amazing job you're doing here! I have a question about rkhunter and unhide. Is this the right place and the right time?
Lars:
Always feel free to ask. I may not get to it right away, but I will always answer.
OTW
Sir OTW,
After reading some articles about dual-boot, I have found that I should back up my Windows installer. What is the Windows installer? How can I back it up? How much space is required for the backup?
U31
My rkhunter log tells me some files have been modified; here are the ones (with dates):
/usr/sbin/rsyslogd 19.9.13;/usr/bin/dpgk 14.10.13;/usr/bin/dpkg-query 14.10.13;/usr/bin/ldd 30.9.13;/usr/bin/size 24.6.13;/usr/bin/strings 24.6.13;
/usr/bin/top 28.10.13;/usr/bin/vmstat 28.10.13;/usr/bin/w;/usr/bin/watch 28.10.13;/usr/bin/unhide.rbbb;/usr/bin/w.procps 28.10.13;/sbin/ifdown 19.9.13;
/bin/kill 28.10.13
... and my unhide log tells me about some hidden processes (PID over 40000).
These files (rsyslogd, top, vmstat, watch...) are needed to control and see the behavior of processes, I think, but I would not swear to it...
For the hidden process I found an entry in /proc with many files inside, but all empty (0 bytes)...
So now I'm a little confused whether anybody hacked my box... :( and manipulated those files.
My questions are now:
1: Is it useful to compare those files with a live disc like Knoppix? Is a "top" tool everywhere the same "top" tool (the binary), or are there differences between the different distributions?
2: If I've ever been hacked, what would be a good way to find it out? And above all: can I find out who it was?
Tx in advance. I know this has nothing to do with scripting... but I am really pi*d off if anybody else controls my box!
Lars:
From what you have told me, I'm pretty sure you have been hacked.
I would use Wireshark to look for rogue communications taking place at high numbered ports.
OTW
OTW, Tx for the answer... that's what I thought! At the moment... merry xmas :) Lars
Do I need to make a non-root user? How do I add a new user other than root?
Greenlemon:
You don't need a non-root user for this exercise, but when you do need one, Linux has two commands:
adduser
useradd
OTW
Because every time I open Wireshark, it tells me that it may be dangerous to work with that tool using the root account. So I'll just ignore that?
Greenlemon;
The general rule is never run any application or command with root permissions that doesn't need root permissions.
OTW
Ok. Thanks master OTW! :)
Another thing, can I get the IP address of someone who started a chat with me on facebook using wireshark?
Greenlemon:
Of course. Simply open Wireshark while chatting and you can see the IP address in the TCP stream.
OTW
There are too many IPs.
How do I find out which is the IP address of the one I'm chatting with?
Greenlemon:
Check out this tutorial on Wireshark.
OTW
Thanks. It's really helpful, but can I figure out the private IPs? How can I find out the private IP of a specific person I want to hack?
My boss blocked my external HD in the laptop using McAfee Data Loss Protection. Can you help me unblock it?
Hey OTW, another great article as always. Just with your own experience, are there certain protocols or anything else of that nature that would typically raise a red flag for you? I'm thinking of things that wouldn't necessarily be covered in man pages, but after some experience in the wild, I'm sure there are some patterns we should be on the lookout for.
Wit:
Thanks.
I'm not sure what you are asking me. Are there certain protocols that raise red flags? Do you mean are there protocols that raise red flags to a forensic investigator?
OTW
Yeah, that was poorly worded. Mainly just asking, in your experience with Wireshark, have you noticed any patterns that consistently stand out from normal traffic, or does noticing things like that just generally come with familiarizing yourself with your own network traffic?
Wit:
The key to finding anomalous behavior is to have a picture of "normal" behavior. It is critical to have a baseline of normal behavior to detect the anomalies. That having been said, I generally look for traffic leaving the network on high number ports as an indication of a successful intrusion.
OTW
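The two pieces of advice above (OTW's replies to Lars and to Wit: build a baseline of normal traffic, then look for connections leaving the network on high-numbered ports) are easy to turn into a check. The following is an added example, not code from the original post or its author: it takes flow records of the form (src, dst, dst_port, proto), such as a flow exporter or a Wireshark conversation summary would give you, learns the (destination, port) pairs seen during a known-good period, and flags internal hosts that newly reach outside destinations on ports 1024 and above. All addresses and flows are constructed for the example, and the internal ranges are assumed to be the RFC 1918 networks.

```python
"""Flag egress to high-numbered ports that a baseline of normal traffic never showed."""
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust to the network under investigation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, dst_port, proto); invented for the example.
BASELINE_FLOWS = [  # a quiet week of "normal": AV updates, DNS, one SaaS app on 8443
    ("10.0.0.5", "216.49.88.118", 80, "tcp"),
    ("10.0.0.5", "10.0.0.53", 53, "udp"),
    ("10.0.0.5", "203.0.113.9", 8443, "tcp"),
    ("10.0.0.7", "203.0.113.9", 8443, "tcp"),
]
TODAY_FLOWS = [
    ("10.0.0.5", "216.49.88.118", 80, "tcp"),
    ("10.0.0.5", "203.0.113.9", 8443, "tcp"),     # high port, but in the baseline
    ("10.0.0.5", "198.51.100.23", 4444, "tcp"),    # new destination on a high port
    ("10.0.0.7", "198.51.100.23", 31337, "tcp"),   # same destination from another host
    ("10.0.0.9", "10.0.0.5", 445, "tcp"),          # internal to internal: not egress
    ("198.51.100.80", "10.0.0.5", 50000, "tcp"),   # inbound: not egress
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress(flows):
    """Flows from an internal source to a non-internal destination."""
    return [f for f in flows if is_internal(f[0]) and not is_internal(f[1])]

def baseline_pairs(flows):
    """(dst, dst_port) pairs observed during the known-good period."""
    return {(dst, port) for _, dst, port, _ in egress(flows)}

def high_port_egress(flows, baseline, min_port=1024):
    """Per internal host: egress to ports >= min_port not covered by the baseline."""
    hits = defaultdict(list)
    for src, dst, port, proto in egress(flows):
        if port >= min_port and (dst, port) not in baseline:
            hits[src].append((dst, port, proto))
    return dict(hits)

def shared_new_destinations(hits):
    """Destinations that more than one host newly reaches: a likely C2 or staging server."""
    by_dst = defaultdict(set)
    for src, entries in hits.items():
        for dst, _, _ in entries:
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}

if __name__ == "__main__":
    found = high_port_egress(TODAY_FLOWS, baseline_pairs(BASELINE_FLOWS))
    print(found)
    print(shared_new_destinations(found))
```

The baseline is what keeps the check from drowning in noise: the SaaS connection on 8443 is a high port too, but it is normal for this network, so only the two new connections to 198.51.100.23 are reported, and the fact that two hosts reach that same address is itself worth a closer look in Wireshark.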
Hi again OTW,
When I go to wireshark and search for interfaces, none show up. Why would it be doing this and is there any way to fix it? Thanks!
Clayton:
Are you running Wireshark on your physical machine or virtual machine?
Does the system have any active interfaces?
Can you send a screenshot?
OTW
I have a question about detecting traffic on machines other than your own. Do you need to buy a device to view 802.11 traffic on your network or WLAN or is there a way to do it for free? Is it easy to configure a way to view this traffic?
is there a part 3?
There are many parts.