Monday, June 20, 2016

pcap analysis

  • Exposing One of China’s Cyber Espionage Units
APT1: ATTACK LIFECYCLE
They begin with aggressive spear phishing, proceed to deploy custom digital weapons, and end by exporting compressed bundles of files to China – before beginning the cycle again.
These attacks fit into a cyclic pattern of activity that we will describe in this section within the framework of Mandiant’s
Attack Lifecycle model. In each stage we will discuss APT1’s specific techniques to illustrate their tenacity and the
scale at which they operate.
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

  • 8 cyber security technologies DHS is trying to commercialize

REnigma
This software runs malware within a virtual machine and records what it does so it can be played back and analyzed in detail.

Socrates
This software platform automatically seeks patterns in data sets, and can tease out those that represent cyber threats.

PcapDB
This is a software database system that captures packets to analyze network traffic by first organizing packet traffic into flows.

REDUCE
This is a software analysis tool to reveal relationships between malware samples and to develop signatures that can be used to identify threats.

Dynamic Flow Isolation
DFI leverages software defined networking to apply security policies on-demand based on current operational state or business needs.

TRACER
Timely Randomization Applied to Commodity Executables at Runtime (TRACER) is a means to alter the internal layout and data of closed-source Windows applications such as Adobe Reader, Internet Explorer, Java and Flash.

FLOWER
Network FLOW AnalyzER inspects IP packet headers to gather data about bi-directional flows that can be used to identify baseline traffic and abnormal flows as a way to spot potential breaches and insider threats.

SilentAlarm
This platform analyzes network behaviors to identify likely malicious behavior to stop attacks including zero-days for which there are no signatures.

http://www.networkworld.com/article/3056624/security/8-cyber-security-technologies-dhs-is-trying-to-commercialize.html


  • Inspection of packet captures

Inspecting packet captures (PCAP) for signs of intrusions is a typical everyday task for security analysts and an essential skill analysts should develop. Malware has many ways to hide its activities on the system level (i.e. rootkits), but in the end it must leave a visible trace on the network level, regardless of whether that trace is obfuscated or encrypted. This paper guides the reader through a structured way to analyze a PCAP trace and dissect it using Bro Network Security Monitor (Bro) to facilitate active threat hunting and detect possible intrusions in an efficient time. The detection arm itself can be broken down into two major parts, reactive and proactive. On the network level (the scope of this paper), one widespread reactive detection example is SNORT (SANS, n.d.), which used to be an effective approach but has two significant shortcomings. Firstly, SNORT depends on static signatures, which determined attackers can easily bypass. The second is that security analysts operate in a more passive mode, waiting for something malicious to happen that might (or might not) trigger an alert, and only then does an investigation begin. Attacks have evolved and require more than traditional NIDS (reactive detection) to detect adversaries (Ashford, n.d.). Active detection (aka threat hunting) was introduced to fill this gap.

https://www.sans.org/reading-room/whitepapers/threathunting/hunting-threats-packet-captures-37765


  • Source Routing
Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. Many network administrators block all source-routed packets at their border routers.

Unless a network depends on it, source routing should be disabled.
Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.
Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.
https://superuser.com/questions/924633/why-doesnt-ping-j-work

  • Source routing has been around for a very long time. In fact, it’s a part of the specification of the IP protocol.
Many network engineers fail to understand the potential dangers in allowing source-routed packets to pass through internal routers.
http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html
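The following is an added example, not code from this post or from either of the linked pages: a small Python check that walks the IPv4 option list of a packet and reports a Loose (LSRR, option type 131) or Strict (SSRR, option type 137) Source and Record Route option, which is the field a border filter or a pcap triage script looks at to drop or flag source-routed packets. The sample packets are constructed in the code, and the header builder leaves the checksum at zero.

```python
import struct

# IPv4 option type codes from RFC 791
OPT_EOOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137
SOURCE_ROUTE_OPTIONS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def ipv4_options(packet):
    """Return the raw option bytes of an IPv4 packet (empty when IHL == 5)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return packet[20:ihl]


def find_source_route(packet):
    """Walk the option list; return (option name, listed hops) for LSRR/SSRR, else None."""
    opts = ipv4_options(packet)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOOL:
            break
        if kind == OPT_NOP:                      # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                # truncated option: stop walking
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                # malformed length: stop walking
        if kind in SOURCE_ROUTE_OPTIONS:
            # layout: type, length, pointer, then 4-byte route entries
            body = opts[i + 3:i + length]
            hops = [".".join(str(b) for b in body[j:j + 4])
                    for j in range(0, len(body) - len(body) % 4, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
        i += length
    return None


def build_ipv4(src, dst, options=b"", payload=b""):
    """Constructed IPv4 packet: options padded to a 4-byte boundary, checksum left zero."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0, 64, 1, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + options + payload


# Constructed samples: an ICMP-style payload, once plain and once with an LSRR option
# naming two hops (pointer = 4 means the first entry has not been consumed yet)
ECHO = b"\x08\x00" + b"\x00" * 6
LSRR = bytes([OPT_LSRR, 11, 4]) + bytes([10, 0, 0, 1]) + bytes([192, 168, 1, 1])
PLAIN = build_ipv4("10.1.1.5", "10.2.2.9", payload=ECHO)
ROUTED = build_ipv4("10.1.1.5", "10.2.2.9", options=LSRR, payload=ECHO)

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("source-routed", ROUTED)):
        print(label, find_source_route(pkt))
```

The option walk stops at the first malformed length rather than guessing, which matters on a capture of deliberately odd packets: a parser that skips ahead on bad input is itself a place to hide an option.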

  • Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level.
http://www.wireshark.org
  • Wireshark shows all the action in the bottom pane like this:
    Frame (Physical Layer)
    Ethernet II (Data Link Layer)
    Internet Protocol Version 4 (Network Layer)
    User Datagram Protocol (Transport Layer)
    Domain Name System (response) (Application Layer)

So here’s the big review:

    Routers are layer 3 devices because they make forwarding decisions based on layer 3 addresses.
    Switches are considered layer 2 devices because they make forwarding decisions based on layer 2 addresses.
    Hubs, NICs, Wi-Fi cards, cables, and connectors are at layer 1.

Layer 2 has MAC addresses; the NIC is also a Layer 2 device because it has the MAC address. Switches are bridges with more ports, and they also work at layer 2 since they understand physical addresses.

At Layer 3 we use IPv4 and IPv6.  Routers live here and the protocol data units (PDUs) used here are called Packets.

And here’s a quick review of the terms:

    MAC address and Physical Address and Layer 2 addresses are the same thing.
    Frames are Protocol Data Units (PDUs) at Layer 2
    Packets are PDUs at Layer 3
    Segments are PDUs at Layer 4
    Data is just called a PDU at the Application Layer


http://www.fixedbyvonnie.com/2015/05/networking-101-layers-part-3-of-3/#.WhVetjdRWUk


  • wireshark
Use ping -l 2500 <default gateway address> to ping the default gateway with a 2,500-byte packet. Notice that because the default maximum transmission unit (MTU) for Ethernet frames is 1,500 bytes, this should generate fragmented packets.
https://en.wikiversity.org/wiki/Wireshark/IPv4_fragments
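As an added example that is not part of the Wikiversity page or this post, here is the arithmetic behind that fragmentation worked out in Python: an ICMP echo with 2,500 data bytes is 2,508 bytes of IP payload, the largest fragment body at a 1,500-byte MTU is 1,480 bytes (the fragment offset is counted in 8-byte units), so two fragments result, at offsets 0 and 185. The reassembly function shows the completeness checks a pcap tool needs before it can hand the datagram up the stack. All inputs are constructed in the code.

```python
ETH_MTU = 1500       # default Ethernet MTU named in the text
IP_HDR_LEN = 20      # IPv4 header without options
MF_FLAG = 0x2000     # "More Fragments" bit of the 16-bit flags/offset field


def fragment(payload, mtu=ETH_MTU, ident=0x1234):
    """Split one IP payload into (id, offset in 8-byte units, more_fragments, data) tuples.
    Every fragment but the last carries a multiple of 8 data bytes, as RFC 791 requires."""
    max_data = (mtu - IP_HDR_LEN) // 8 * 8          # 1480 for a plain Ethernet MTU
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        more = pos + len(chunk) < len(payload)
        frags.append((ident, pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def flags_and_offset(offset_units, more):
    """Encode the Flags + Fragment Offset field the way Wireshark decodes it."""
    return (MF_FLAG if more else 0) | offset_units


def reassemble(frags):
    """Rebuild the datagram from fragments that may arrive out of order.
    Returns None while a piece is missing, the last piece still has MF set,
    or the offsets do not line up (gap or overlap)."""
    frags = sorted(frags, key=lambda f: f[1])
    if not frags or frags[-1][2]:
        return None
    buf = bytearray()
    for _ident, offset, _more, data in frags:
        if offset * 8 != len(buf):
            return None
        buf += data
    return bytes(buf)


def icmp_echo(data_len):
    """Constructed ICMP echo request: type 8, code 0, zeroed checksum/id/seq, then data.
    'ping -l N' on Windows sends N bytes of data, so the IP payload is N + 8 bytes."""
    return b"\x08\x00" + b"\x00" * 6 + bytes(data_len)


def ping_fragments(data_len, mtu=ETH_MTU):
    """Fragments an echo request with data_len bytes of data would be sent as."""
    return fragment(icmp_echo(data_len), mtu)


if __name__ == "__main__":
    for ident, offset, more, data in ping_fragments(2500):
        print(f"id=0x{ident:04x} offset={offset} MF={int(more)} "
              f"len={len(data)} field=0x{flags_and_offset(offset, more):04x}")
```

In a capture the two fragments share the Identification value and differ only in the flags/offset field: the first shows 0x2000 (MF set, offset 0) and the second 0x00b9 (offset 185, MF clear), which is how Wireshark pairs them up in its reassembly view.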

  • Packets 8, 9, 10, 11
These are the four “handshake” WPA packets.
These are the four critical packets required by aircrack-ng to crack WPA using a dictionary.
The first pair of packets has a “replay counter” value of 1.
The second pair has a “replay counter” value of 2.
Packets with the same “replay counter” value are matching sets.

If you have only one packet for a specific “replay counter” value, then its partner is missing from the capture and the packet you do have cannot be used by aircrack-ng. That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are “0” handshakes. You must have matching pairs.

EAPOL packets 1 and 3 should have the same nonce value. If they don't, then they are not part of the matching set.

Aircrack-ng also requires a valid beacon. Ensure this beacon is part of the same packet sequence numbers. For example, if the beacon packet sequence number is higher than the EAPOL packet sequence numbers from the AP, the handshake will be ignored. This is because aircrack-ng “resets” handshake sets when association packets and similar are seen.

Packets 12, 13, 14, 15
These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets.

In Wireshark, use “eapol” as a filter. This will show only handshake packets and is useful for analyzing why you don't have the full handshake.

http://aircrack-ng.org/doku.php?id=wpa_capture
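The rules in the aircrack-ng text above, written as an added Python check (not aircrack-ng code and not from the original post) that an analyst can run over the EAPOL and beacon frames pulled out of a capture with the eapol filter: each replay counter value must form a matching AP/client pair, the two AP messages must carry the same nonce, and a beacon must precede the AP's EAPOL frames in sequence-number order. The frame records are constructed in the code; a real run would fill them from the fields Wireshark shows.

```python
from collections import defaultdict


def check_handshake(frames):
    """Apply the pairing rules to 802.11 frame records and report what is wrong.
    Each record is a dict with kind ("beacon" or "eapol") and seq (802.11 sequence number);
    EAPOL records also carry from_ap (bool), replay (int) and nonce (bytes).
    Returns (complete, problems)."""
    problems = []
    beacons = [f for f in frames if f["kind"] == "beacon"]
    eapol = [f for f in frames if f["kind"] == "eapol"]

    # Rule 1: every replay counter value must be a matching pair (one AP->client, one client->AP)
    by_replay = defaultdict(list)
    for f in eapol:
        by_replay[f["replay"]].append(f)
    paired = [c for c, msgs in by_replay.items()
              if sorted(m["from_ap"] for m in msgs) == [False, True]]
    for counter, msgs in sorted(by_replay.items()):
        if counter not in paired:
            problems.append(f"replay counter {counter}: unmatched set ({len(msgs)} packet(s))")
    if len(paired) < 2:
        problems.append(f"only {len(paired)} matching pair(s); a 4-way handshake needs two")

    # Rule 2: messages 1 and 3 (both sent by the AP) carry the same nonce
    ap_msgs = sorted((m for m in eapol if m["from_ap"]), key=lambda m: m["replay"])
    if len(ap_msgs) >= 2 and ap_msgs[0]["nonce"] != ap_msgs[1]["nonce"]:
        problems.append("EAPOL messages 1 and 3 carry different nonce values")

    # Rule 3: a beacon must come before the AP's EAPOL frames in sequence-number order
    if not beacons:
        problems.append("no beacon for the AP in the capture")
    elif ap_msgs and min(b["seq"] for b in beacons) > min(m["seq"] for m in ap_msgs):
        problems.append("beacon sequence number is higher than the AP's EAPOL frames; the set would be reset")

    return not problems, problems


# Constructed sample frames. Sequence numbers are per transmitter (AP vs. client).
ANONCE, SNONCE = bytes.fromhex("aa" * 32), bytes.fromhex("bb" * 32)
GOOD = [
    {"kind": "beacon", "seq": 100},
    {"kind": "eapol", "seq": 101, "from_ap": True,  "replay": 1, "nonce": ANONCE},  # msg 1
    {"kind": "eapol", "seq": 5,   "from_ap": False, "replay": 1, "nonce": SNONCE},  # msg 2
    {"kind": "eapol", "seq": 102, "from_ap": True,  "replay": 2, "nonce": ANONCE},  # msg 3
    {"kind": "eapol", "seq": 6,   "from_ap": False, "replay": 2, "nonce": b""},     # msg 4
]
# Four EAPOL frames but no usable handshake: two retransmitted message 1s with fresh
# counters, and only counter 3 forms a pair
FOUR_UNPAIRED = [
    {"kind": "beacon", "seq": 100},
    {"kind": "eapol", "seq": 101, "from_ap": True,  "replay": 1, "nonce": ANONCE},
    {"kind": "eapol", "seq": 102, "from_ap": True,  "replay": 2, "nonce": ANONCE},
    {"kind": "eapol", "seq": 103, "from_ap": True,  "replay": 3, "nonce": ANONCE},
    {"kind": "eapol", "seq": 7,   "from_ap": False, "replay": 3, "nonce": b""},
]
LATE_BEACON = [{"kind": "beacon", "seq": 300}] + GOOD[1:]

if __name__ == "__main__":
    for label, frames in (("good", GOOD), ("four unpaired", FOUR_UNPAIRED), ("late beacon", LATE_BEACON)):
        print(label, check_handshake(frames))
```

The second sample is the case the text warns about: four EAPOL frames are present, yet only one replay-counter pair exists, so the checker reports the same "no handshake" outcome aircrack-ng would.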

  • tcpdump -nnvvS src 172.5.2.3 and dst port 3389


tcpdump -nnvvS src 172.22.92.62 and dst port 80

tcpdump -nnvvS src 172.22.92.62 and dst port 80 -w capture2 -i wlo1

tcpdump -nnvvS not src 172.22.92.62 and dst port 80 -w capture2

tcpdump -i wlo1 port 80 -w capture1

sudo tcpdump -i wlo1 port 80 -w capture1

  • netcat

Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts.
http://en.wikipedia.org/wiki/Netcat

Port Scanning with Netcat
For port scanning with Netcat use the following syntax:

nc [options] hostname [ports]

As we said, you can use ranges, commas and port names for scanning. Below are some examples:

nc -v 192.168.1.4 21, 80, 443
nc -v 192.168.1.4 1-200
nc -v 192.168.1.4 http

http://linux.devicegadget.com/attack/netcat/167/


  • hping
hping is a command-line oriented TCP/IP packet assembler/analyzer.
http://www.hping.org/ 


  • PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the log file without losing the essence of the DNS answer.

https://github.com/gamelinux/passivedns
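An added example serving two of the notes above, the Wireshark layer listing (Frame, Ethernet II, IPv4, UDP, DNS) and the PassiveDNS description; it is not code from Wireshark, PassiveDNS or this post. It dissects a constructed DNS-response frame layer by layer, in the order Wireshark's detail pane shows them, and then feeds the answers into an in-memory cache that counts duplicate (name, type, rdata) triples instead of logging every packet, which is the aggregation PassiveDNS describes. The frame builder, the addresses (documentation ranges) and the query name are constructed for the example.

```python
import struct


def parse_ethernet(frame):
    """Ethernet II header: destination MAC, source MAC, EtherType (Data Link Layer)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}, frame[14:]


def parse_ipv4(packet):
    """IPv4 header (Network Layer); options skipped via IHL, payload trimmed to Total Length."""
    vihl, _tos, total, _id, _fo, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto, "ttl": ttl}
    return hdr, packet[ihl:total]


def parse_udp(segment):
    """UDP header (Transport Layer); payload trimmed to the UDP length field."""
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport}, segment[8:length]


def read_name(msg, off):
    """Decode a DNS name, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # pointer: resume after its 2 bytes when done
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg):
    """DNS message (Application Layer): header, question section, answer section."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        rdata = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def dissect(frame):
    """Peel the layers in the order Wireshark's detail pane lists them."""
    eth, packet = parse_ethernet(frame)
    layers = {"eth": eth}
    if eth["type"] != 0x0800:
        return layers
    layers["ip"], segment = parse_ipv4(packet)
    if layers["ip"]["proto"] != 17:
        return layers
    layers["udp"], payload = parse_udp(segment)
    if 53 in (layers["udp"]["sport"], layers["udp"]["dport"]):
        layers["dns"] = parse_dns(payload)
    return layers


class PassiveDNSCache:
    """In-memory aggregation of identical (name, type, rdata) answers: one record with a hit
    count instead of one log line per packet, the behaviour PassiveDNS describes."""

    def __init__(self):
        self.records = {}

    def observe(self, layers):
        """Feed one dissected frame; return the answer keys that were new to the cache."""
        dns = layers.get("dns")
        if not dns or not dns["response"]:
            return []
        new = []
        for name, rtype, ttl, rdata in dns["answers"]:
            key = (name, rtype, rdata)
            if key in self.records:
                self.records[key]["count"] += 1
            else:
                self.records[key] = {"count": 1, "ttl": ttl, "server": layers["ip"]["src"]}
                new.append(key)
        return new


def build_dns_response_frame(qname, answer_ip, ttl=300, txid=0x1A2B):
    """Constructed sample frame (not a real capture): DNS A response, server -> client."""
    qsec = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + qsec + struct.pack("!HH", 1, 1)
    dns += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, answer_ip.split(".")))
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([198, 51, 100, 53]), bytes([192, 168, 1, 10])) + udp
    return bytes.fromhex("02000000000a020000000035") + b"\x08\x00" + ip


if __name__ == "__main__":
    cache = PassiveDNSCache()
    frame = build_dns_response_frame("example.com", "203.0.113.10")
    for _ in range(2):
        print(cache.observe(dissect(frame)))    # new keys on the first pass, [] on the second
    print(cache.records)
```

Each parser trims its payload to the length its own header declares (IP Total Length, UDP Length), so trailing frame padding never reaches the DNS decoder; the name decoder records where a compression pointer was followed from so the answer record's fixed fields are read from the right offset.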

  • CIRCL Passive DNS is a database storing historical DNS records from various resources including malware analysis or partners. The DNS historical data is indexed, which makes it searchable for incident handlers, security analysts or researchers.

https://www.circl.lu/services/passive-dns/
  • TCP reset attack
A TCP reset attack, also known as "forged TCP resets", "spoofed TCP reset packets" or "TCP reset attacks", is a way to tamper with and terminate an Internet connection by sending a forged TCP reset packet. This tampering technique can be used by a firewall in good faith, or abused by a malicious attacker to interrupt Internet connections.
https://en.wikipedia.org/wiki/TCP_reset_attack
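As an added example on the defensive side (not from the Wikipedia article or this post), here is the check a TCP receiver applies to resist forged resets, from RFC 5961 section 3.2, in Python: a RST is honoured only when its sequence number is exactly the next expected one (RCV.NXT), an in-window but inexact RST triggers a challenge ACK, and anything else is dropped. The flow and its packets are constructed in the code; in a monitor you would fill the records from pcap fields.

```python
SEQ_MOD = 1 << 32     # TCP sequence numbers wrap at 2^32


class TcpFlowGuard:
    """RST acceptance per RFC 5961 section 3.2, the mitigation for forged resets.
    State is learned from the packets seen on the receiving side of each flow."""

    def __init__(self, default_window=65535):
        self.flows = {}                 # (src, sport, dst, dport) -> {"rcv_nxt", "rcv_wnd"}
        self.default_window = default_window

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def track(self, pkt):
        """Advance RCV.NXT for in-order data; SYN and FIN each consume one sequence number.
        pkt: dict with src, sport, dst, dport, seq, payload_len, flags (set of strings)."""
        state = self.flows.setdefault(
            self._key(pkt), {"rcv_nxt": pkt["seq"], "rcv_wnd": pkt.get("wnd", self.default_window)})
        consumed = pkt["payload_len"] + ("SYN" in pkt["flags"]) + ("FIN" in pkt["flags"])
        if pkt["seq"] == state["rcv_nxt"]:
            state["rcv_nxt"] = (state["rcv_nxt"] + consumed) % SEQ_MOD
        return state["rcv_nxt"]

    def classify_rst(self, pkt):
        """Return 'accept', 'challenge-ack' or 'drop' for a RST segment on this flow."""
        state = self.flows.get(self._key(pkt))
        if state is None:
            return "drop"                                       # no flow to reset
        distance = (pkt["seq"] - state["rcv_nxt"]) % SEQ_MOD    # modular, so wrap-around is handled
        if distance == 0:
            return "accept"                                     # exact match: genuine reset
        if distance < state["rcv_wnd"]:
            return "challenge-ack"                              # in window but off: a guessed RST
        return "drop"


def demo():
    """Constructed sample flow: a client talking to a web server, the guard sitting at the server."""
    guard = TcpFlowGuard()
    flow = {"src": "192.168.1.10", "sport": 40000, "dst": "198.51.100.80", "dport": 80}
    guard.track({**flow, "seq": 1000, "payload_len": 0, "flags": {"SYN"}})     # RCV.NXT -> 1001
    guard.track({**flow, "seq": 1001, "payload_len": 100, "flags": {"ACK"}})   # RCV.NXT -> 1101
    return [guard.classify_rst({**flow, "seq": s}) for s in (1101, 1500, 5_000_000)]


if __name__ == "__main__":
    print(demo())    # ['accept', 'challenge-ack', 'drop']
```

The same three verdicts are useful in a passive monitor: a RST that would have drawn a challenge ACK, or one far outside the window, is a signal worth alerting on, since a legitimate endpoint sends its reset at exactly RCV.NXT.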
