Download "Hacker hunting with Wireshark (even if SSL encrypted!)"
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252FObUgYDn1zZ0%252Fmaxresdefault.jpg&w=1139&q=75)
Table of contents
Similar videos from our catalog
%3Aformat(webp)%2Fi.ytimg.com%252Fvi_webp%252F-jLbRnmGYaA%252Fmaxresdefault.webp&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252FGmF2wyISVyU%252Fsddefault.jpg&w=1139&q=75)
![A Hacker's Guide to Programming Microcontrollers [Tutorial]](/_next/image?url=https%3A%2F%2Funidownloader.com%2FcontentImages%2FmIIC5KTErZtTDPdXLXlnJ-x8YeQ%3D%2Ffilters%3Aquality(80)%3Aformat(webp)%2Fi.ytimg.com%252Fvi_webp%252FXlFO5Iat178%252Fmaxresdefault.webp&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252FchVPS_sRjoI%252Fmaxresdefault.jpg&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi_webp%252FlBxZL98uvdk%252Fmaxresdefault.webp&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252Fn7kYogsTkVo%252Fmaxresdefault.jpg&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252FuKZb3D-PHS0%252Fmaxresdefault.jpg&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi_webp%252Fz5O9WNfyS8w%252Fmaxresdefault.webp&w=1139&q=75)
%3Aformat(webp)%2Fi.ytimg.com%252Fvi%252FzE_9FvymKpc%252Fmaxresdefault.jpg&w=1139&q=75)
Video tags
Subtitles
Russian
00:00:00
- I've been able to find
indicators of compromise,00:00:03
strange traffic, threat
hunting-style things,00:00:06
while troubleshooting other problems.00:00:08
Things that we weren't even looking for.00:00:09
- There's no way that's legit.00:00:11
Why would on earth would you send00:00:13
internal information like
that to some random server?00:00:16
- So what protections do we have in place00:00:18
for our outgoing web traffic?00:00:21
(exciting music playing)00:00:26
- Hi Everyone, David Bombal.00:00:27
Back with Chris. Chris, welcome.00:00:29
- Great to be back David.
Hope you're doing okay?00:00:31
- I'm well and I'm really
excited about this.00:00:34
We were talking offline,00:00:35
this is something that you've
been doing a lot of work on00:00:39
and really enjoying is that right?00:00:41
- Absolutely, threat hunting,
it's an interesting topic.00:00:43
It's a big world of
traffic to look through.00:00:47
A lot of different
types of attack patterns00:00:48
and things that we can find.00:00:50
So I've been eating it up00:00:51
and I'm excited to share
some of what I've found.00:00:54
- You have been studying this stuff,00:00:56
but then at the same time00:00:57
you've been like using some
of the stuff you've learned00:01:00
on real world engagements.00:01:02
Give us some of the stories00:01:03
'cause were telling me offline00:01:04
some of the cool stuff that you found.00:01:06
- So for years, people
have been coming to me00:01:07
with problems on their network.00:01:09
- Something slow.
- [David] Yeah.00:01:11
- There's an application that
doesn't connect properly.00:01:13
- Says you could have network
connectivity problems.00:01:17
- It's the network stuff.00:01:19
So they'll grab traffic,00:01:20
they'll send it to me, "Hey
Chris, I just need help."00:01:22
And one of the reasons why I
specialized in TCP analysis00:01:27
is 'cause that's what I
was troubleshooting, right?00:01:29
If something was slow, a
handshake looked weird.00:01:31
So those are things that
I constantly was doing00:01:35
from a consultant perspective,
actually fixing things,00:01:37
so it wasn't difficult to
bring that into the course00:01:40
or develop courses around that topic.00:01:42
But over the last few years,00:01:44
that's definitely been changing.00:01:45
Now I'm getting approached
more by SOC teams00:01:48
or someone within the
networking side of the house00:01:51
is responsible for digging
deeper into a problem00:01:54
that comes more from a security angle.00:01:56
So a few years ago,00:01:57
and we've chatted about
this on the channel,00:01:59
I started going for some
cybersecurity certifications00:02:02
'cause I at least wanted
to have a good basis00:02:04
on cybersecurity in general, right?00:02:06
Just to get my hands around,00:02:08
"Typically what does a SOC member know?"00:02:11
Or even from a pentester perspective,00:02:13
"What types of attacks
are they gonna generate?"00:02:15
All the while doing that,
I had Wireshark running.00:02:17
So I was able to get an idea00:02:20
of what an attack starts
to look like on the wire,00:02:23
which is my -- I'm a packet head,00:02:25
that's my visibility into the world.00:02:27
Not to say there's not
a thousand other tools00:02:29
that can help with this, 100%.00:02:30
We're actually gonna look at that today.00:02:31
But from a packet perspective,00:02:33
I find I don't really get it
until I see it on the wire.00:02:37
And then I can, first of
all, I won't forget it,00:02:39
but I also can now adapt
that to other tools.00:02:41
So what started to happen00:02:43
is since I've been developing
more content around this,00:02:46
threat hunting, malware analysis and such,00:02:49
you're gonna see in my Wireshark,00:02:50
now I have a lot more buttons
there, preset filters.00:02:54
I've found that00:02:55
even when I'm doing
troubleshooting for a company,00:02:58
it's not the network style
stuff, something slow,00:03:00
I've been able to find
indicators of compromise,00:03:04
strange traffic, threat
hunting style things00:03:07
while troubleshooting other problems,00:03:09
things that we weren't even looking for.00:03:10
A few weeks ago I was doing
an analysis for a company.00:03:13
They were having a slow problem.00:03:15
They were having external
traffic from their users00:03:17
go through this proxy00:03:18
that came into this big web environment.00:03:21
At certain points of the day,00:03:22
things just were dragging and dragging,00:03:24
but then it would seem to resolve.00:03:25
What we were able to find00:03:26
is that when we did our capture,00:03:29
we just captured on
each side of the proxy,00:03:31
and the users coming in
and then the application,00:03:34
and I found this big burst of
traffic that was happening.00:03:37
And it started to happen regularly,00:03:39
like every 10 minutes or so.00:03:41
And I asked him, "So
like should this proxy00:03:43
be talking to literally directly
to one of your databases?"00:03:47
And the answer was "No."00:03:49
And we found that there was a bunch of
SQL traffic coming back00:03:51
and then that traffic on the other side00:03:53
was being sent to somewhere in a country00:03:56
it shouldn't have been sent to.00:03:58
I'll refrain from mentioning anyone.00:04:00
So those types of things,00:04:02
I start to start to see more often00:04:04
because now just having more
of an awareness of threats00:04:08
and how these types of attacks work,00:04:11
now my Wireshark profiles are
more configured to find them00:04:14
and help me spot them to begin with.00:04:16
But just as an analyst now,00:04:18
I'm more tuned to think in those terms.00:04:20
And that's where a Threat
Hunting with Wireshark course00:04:23
was really hatched.00:04:24
- Just some updates,
you teaching at DEFCON,00:04:27
at the time it was
recording, it's next week.00:04:29
And you just taught this content
around this at SharkFest,00:04:33
is that right?00:04:34
- [Chris] Yeah, I did.00:04:35
So we just had SharkFest,00:04:36
which is the Wireshark users
and developers conference.00:04:39
It happened in Kansas
City a few weeks ago.00:04:42
And I was invited to teach this00:04:44
Threat Hunting with Wireshark course00:04:46
as a pre-conference course.00:04:48
We had lots of attendees to it.00:04:50
We had people that wanted
to dig into these problems00:04:52
on the wire; we had a lot of fun.00:04:54
After that I was able
to repeat that training00:04:57
to a couple other organizations00:05:00
and now at DEFCON is going to
be in two different formats.00:05:05
There's gonna be a four hour workshop00:05:08
and then a full two day course00:05:10
that is gonna be happening through DEFCON.00:05:12
I'm basically gonna be taking
some pieces of that course,00:05:14
as well as some of the
TCP Deep Dive content00:05:18
and sharing that again at DEFCON.00:05:20
- That's amazing. I mean,00:05:21
you're gonna be sharing some of that now,00:05:22
but I've kind of twisted
your arm to create a course.00:05:25
So hopefully at some point,00:05:26
you're gonna have a course on this topic,00:05:28
which we'll link below, is that right?00:05:29
- David, you're a persuasive guy,00:05:31
so I think we're gonna put
that together for everybody.00:05:34
- That's great. So Chris,
without further ado,00:05:37
let's see some packets 'cause
you and I talk too much.00:05:39
So let's jump into the
packets and you know,00:05:41
show us what you've got.00:05:42
- You bet, absolutely.00:05:44
All right, so first of
all, before we get started,00:05:45
let's go ahead and set the stage.00:05:47
Number one, I'm wearing
the wrong color hat.00:05:49
So let's just fix that.00:05:51
(fingers snapping, digital chiming)00:05:52
Okay, that's better now
I'm wearing a blue hat.00:05:53
This is typically a blue
team thing, SOC analyst.00:05:56
So we're looking for attacks.00:05:58
But let's get a definition
of, "What's threat hunting?"00:06:00
Let's go ahead and take
a look at a definition.00:06:02
I like this one, it was taken
from the CompTIA website00:06:05
and it says "Threat hunters
are IT professionals00:06:08
who proactively find cybersecurity threats00:06:10
and mitigate them."00:06:12
Gonna pause on a few of these words here.00:06:13
First, a threat hunter.00:06:15
Are they just seasoned
veterans within the SOC team?00:06:20
What do you think, David?00:06:22
- Well, I don't know, it can vary.00:06:23
I mean I always hate that people think00:06:24
you have to have years
and years of experience00:06:26
because even if you're new,
you might catch something.00:06:28
- Completely agreed.00:06:30
And here this definition
says IT professionals.00:06:32
You could be a network technician,00:06:34
you could be on your first
job just on the help desk00:06:38
and you could find something00:06:39
and you're a threat hunter, all right?00:06:41
So we're talking to everybody right now.00:06:43
We're not talking about
seasoned pentesters00:06:45
that have been in this
industry for tech decades00:06:48
or SOC analysts that
already have their tool set00:06:50
that's just like, you
know, Swiss army knife00:06:53
and all those kinds of things,
although they can benefit.00:06:55
Let's just get a clear definition here.00:06:57
This first of all is all
IT, and also proactive.00:07:01
Proactive means we
don't wait for an alert,00:07:04
if we're threat hunting.00:07:06
We're not sitting around00:07:07
and hoping that we see some alert come up00:07:10
on an IDS/IPS system
or some other tool has,00:07:13
"Brr, brr, brr, brr,
you've been breached."00:07:15
Well then we go into
incident response, recovery.00:07:18
Threat hunting is when00:07:20
we don't yet even have
an alert; it's proactive.00:07:23
Now, why is this important?
And what is abnormal?00:07:26
I'm gonna show you some stuff00:07:28
when we get into the weeds of Wireshark00:07:29
here in just a moment.00:07:31
But why threat hunting with
Wireshark specifically?00:07:35
Why is this a good tool
to add to that tool set?00:07:38
Well, first of all,00:07:39
our systems are being attacked everybody.00:07:42
We're under attack, we're at cyber war.00:07:44
If we don't think so,00:07:45
then we have a false
sense of security, right?00:07:48
We are under attack. We've
gotta have that mindset.00:07:51
Second, our IDS/IPS systems are good.00:07:53
Yes, someone's watching the front door.00:07:55
That is true. Well, in most environments.00:07:57
Or if we don't have someone
watching the front door,00:08:00
we should at least get
an open source Suricata,00:08:02
get some SNORT going,
a Zeek IDS, pick one.00:08:05
And we need to be able to
watch dog our front door.00:08:08
However, it's good, but it's not perfect.00:08:11
These systems are largely built00:08:13
on previously defined signatures
from previous attacks.00:08:17
Attacks are changing every day,00:08:19
new threat actors, new attack vectors.00:08:21
So we need to keep on the watch.00:08:24
Also our IDS/IPS can't be
everywhere all the time.00:08:27
I just said it. A lot of times they're
watching the front door,00:08:29
but when it comes to a thief
breaking into my house,00:08:31
there's a whole lot of other ways00:08:33
they could get in than my front door.00:08:34
There's other places within our network00:08:36
we need to keep an eye on.00:08:37
Now this was a quote
actually from SharkFest00:08:39
that I thought I would just mention here.00:08:41
"You can hide processes or logs,00:08:44
but you can't hide packets."00:08:45
So an attacker, if they
gain access to a system,00:08:48
they can go and wipe the processes,00:08:49
they can clean logs, they
can cover their tracks,00:08:51
and that's gonna be one of their goals.00:08:52
They want to try to make it look like,00:08:54
"Hey, they were never there."00:08:56
The nice thing about doing
this at the packet level,00:08:58
which IDS/IPS systems are
gonna fundamentally use00:09:01
to find this stuff,00:09:03
packets, while they can be manipulated00:09:05
or there's things that we can do00:09:08
to falsify that data, that's true.00:09:10
However, ultimately that
attack has to gain access00:09:13
some kind of way, and it's
gonna happen over packets.00:09:16
So that's why, again,00:09:17
the Wireshark tool set and
the tools that it compliments00:09:20
are such an important skill
set for everybody to learn.00:09:23
Now I mentioned, okay,
Wireshark has friends.00:09:26
There's lots of ways to do this.00:09:27
Here's just a few of them, everybody.00:09:29
There's a lot of tools
that can compliment.00:09:32
I'm gonna show you Brim,
that's a third one over, today.00:09:34
I'm also gonna show you
a little bit of Tshark.00:09:37
You've seen on my channel a
little bit about Ettercap.00:09:39
I'm gonna be continuing talking
about these different tools.00:09:42
But one thing I don't want
everybody to think is,00:09:44
"I've gotta be an expert on
every single one of these tools00:09:48
in order to be a threat hunter,"00:09:50
'cause that's just not true.00:09:52
Today what we're gonna
do is learn how malware,00:09:55
there's a particular malware infection00:09:58
we're gonna take a look at,00:09:59
we're gonna see how it looks in Wireshark.00:10:00
Look at some of the IOCs.00:10:01
Then we're gonna pivot
over to one of these tools00:10:04
and see how it can compliment
what that tool finds as well.00:10:07
- Chris, what's IOCs?00:10:09
- I'm sorry, thank you.00:10:10
Thanks for asking that question.00:10:11
IOCs, Indicator of Compromise.00:10:14
So that means that I see
something in the traffic00:10:18
that indicates that
we've been compromised.00:10:22
There's either been a breach00:10:24
or where you have some malware
or some unexpected traffic.00:10:28
It's the weird stuff,
something that looks weird.00:10:30
Thank you for asking that question.00:10:32
Again, why should we care?00:10:33
Just one last little
statistic for everybody,00:10:35
not to scare you.00:10:37
Are people lurking or are
attackers in my network?00:10:40
Well, let's take a look at
this study from April 2022,00:10:44
just a few months ago.
This is from Mandiant.00:10:46
They published a report
called M-Trends 202200:10:49
and check this out, what they found.00:10:51
They did a study of the breaches00:10:53
that they were aware of from 2021.00:10:57
So for all of those breaches
that happened in that year,00:11:02
that they were able to study.00:11:03
It said in 2021, the median dwell time,00:11:06
so from the time that an attacker gets in00:11:09
until they are discovered, is now 21 days.00:11:13
- It's crazy. - Feelings? How do we like that?00:11:16
They're in, they're dwelling.00:11:19
They're living off the
land, they're pivoting.00:11:21
They're discovering, they're going through00:11:24
different steps of the
MITRE ATT&CK framework,00:11:26
which is basically a definition00:11:28
of a life cycle of an attack.00:11:31
And 21 days is a long time.00:11:34
How would you like someone camping out00:11:35
in your house for 21 days, David?00:11:38
- (chuckling) It's not
good. It's not good.00:11:40
- That's a lot of time.00:11:41
So this is why we need
to be threat hunters.00:11:44
This is why we need to attack
this and be proactive about it00:11:48
because our job, not just as
threat hunters, SOC analysts,00:11:52
cybersecurity professionals, IT, anyone,00:11:55
hell the help desk, is to
reduce or eliminate dwell time.00:11:58
Get that 21 days down to
as little as possible.00:12:03
We find them before
they have that much time00:12:07
to discover our secrets, lock us out,00:12:09
put in some type of ransomware,00:12:12
whatever their objective is.00:12:14
We want to reduce that amount of time.00:12:16
So one way that this
happens is through malware.00:12:20
This is one method.00:12:22
So let's go ahead and talk about,00:12:24
let's go ahead and get to the packets,00:12:25
'cause it's already been too
long since we've been talking00:12:28
and not been in packets, am I right?00:12:29
- Chris Greer, not doing packets00:12:31
within the first two
minutes is like scary.00:12:33
- I know, I know.00:12:34
No, just to tell everybody,
when I do my live courses,00:12:38
like I just did at
SharkFest or I do at DEFCON,00:12:41
I actually put up a slide
and that slide says,00:12:43
"If I don't have you in
a PCAP within 15 minutes,00:12:46
then I'm not doing my job"
and I gotta walk out the room.00:12:48
(David chuckling)00:12:50
- But you're pushing it in this video.00:12:52
We're very close.00:12:53
- Hands on. Well, I mean,00:12:54
this is how I learned this stuff, David.00:12:57
- [David] Exactly.
- I nerd out.00:12:58
Like I just have so much fun with it.00:13:00
It's not a chore. I really enjoy it.00:13:03
So I welcome anyone to reach out,00:13:07
ask questions, comment below,00:13:08
if you feel the same00:13:09
or if you have any other
questions about packet analysis.00:13:11
- You'll give us the PCAP, sorry,00:13:13
and we can put it below, yeah?00:13:14
- Oh, 100%. So we're
gonna be giving everybody00:13:17
this packet capture and it's
called malware analysis,00:13:21
like sec-malwareanalysis.00:13:23
That's my little naming convention.00:13:25
I'd like to show you
where this PCAP came from.00:13:28
So there is a site called
malware-traffic-analysis.net.00:13:32
So this is actually a
gentleman named Brad Duncan.00:13:35
And he's been using this site00:13:38
or populating this blog for
a very long amount of time.00:13:41
The reason why this is a great
place to go for sample PCAPs00:13:44
is 'cause he has so many
different examples of infections.00:13:48
Not all infections are the same.00:13:50
Not all malware acts the same.00:13:52
Here we can go, we can get a sample00:13:54
and he even can help step us through00:13:56
some of the indicators of compromise00:13:59
through these exercises.00:14:00
People can come here and
you can go "Click here"00:14:02
for these exercises.00:14:03
The one that I'm gonna demonstrate to you00:14:05
can actually be found down here.00:14:07
This is the "Traffic analysis
exercise - Catbomber"00:14:10
from May 28th, 2020.00:14:12
A little bit older, but it's
still something that we see.00:14:14
We still see some of these indicators,00:14:17
even in more modern infections, okay?00:14:19
So just wanna let everybody
know about that site00:14:21
and thanks to Brad for
always letting us use this.00:14:24
One of the reasons why I like
to use those samples as well00:14:26
is because these infections are let loose00:14:30
in a demo environment00:14:31
and he has some really
well placed captures00:14:34
to collect the behavior of the malware.00:14:37
It's quite a bit harder when
we're on a real environment00:14:40
and we have gigs and gigs and
gigs of competing traffic,00:14:44
a lot of which could be normal00:14:46
also in conjunction with
our malware traffic.00:14:48
So let's go ahead and back up,00:14:50
learn how to drive in the parking lot.00:14:52
And then we'll go out into the highway00:14:53
and learn how to find this
in a real environment.00:14:55
- Yep, that's great.00:14:57
- So first of all, so let
me just do at a high level.00:15:00
I see a bunch of packets, hey,
I get dizzy too, all right?00:15:05
Where do my eyes go?00:15:06
Well, I'm down here at
the bottom of the screen00:15:08
and I'm down here, I've
got 13,000 packets.00:15:11
Okay, so kind of muscle memory,00:15:13
some of the things that I do00:15:14
just to show people some of my workflow,00:15:16
I just go top to bottom
just to take a walk through.00:15:20
I know some of my coloring
rules have been triggered.00:15:23
You see like this bright orange here.00:15:25
I got this one, this "Client Hello."00:15:27
Of course my handshakes.00:15:28
I like my green handshakes everybody,00:15:30
gotta have green handshakes.00:15:32
Those connections, those new connections,00:15:35
jump out to me. Maybe another thing that I'm gonna try,00:15:37
I'm gonna go to "Statistics"
-> "Conversations."00:15:40
Everybody that's seen our
content together, David,00:15:42
should know to come here.00:15:43
And here we can take a high level look00:15:45
at the different
conversations that are had00:15:47
within this PCAP.00:15:48
All right, so what do my eyes do?00:15:51
Well, first this is sorted by
source or destination address,00:15:54
whichever was the case here.00:15:55
It sorts this first column by address.00:15:57
So I see here, I can see,
I have 28.8 and 28.229,00:16:01
to abbreviate those IPs.00:16:03
So they're involved, then I
have all these other ones.00:16:06
Well, if I come over here to "IPv4,"00:16:08
I'm gonna sort this
"Relative Start" column.00:16:11
The reason is this gives me
a pattern of conversation.00:16:16
The first conversation we
see in the PCAP is here.00:16:19
The final conversation
was down here, all right?00:16:22
So then I can get an idea,00:16:23
"Okay, .229 is talking to this 5.1 device00:16:27
and then, oh, it's also talking to 28.8."00:16:29
So I know that these
guys have a relationship.00:16:32
Okay, so moving forward, all right.00:16:34
Also TCP, I'm just gonna come here00:16:37
to "Relative Start" as well.00:16:39
What's my eye doing?00:16:40
I'm just gazing down "Port B" right here.00:16:43
443, 80, 445, hmm, 135,00:16:49
Windowsy stuff, 389 LDAP.00:16:54
Hmm, 447; that's an interesting port.00:16:56
Might wanna check that out.00:16:57
Come down here, 8082, okay.00:17:01
Could be webish stuff.00:17:02
We'll see, we'll find out.00:17:04
All right, so I got some secure web.00:17:06
I got some open web.00:17:07
I got some other Windowsy
kind of things, all right?00:17:10
That's all stored now.
Cool, let's come back out.00:17:12
Okay, so now we're at the entry point.00:17:15
So one other thing that I
do before I go much farther,00:17:18
and this is something
else we've demonstrated00:17:20
here in your channel, David,00:17:22
if I come up to
"Statistics" -> "Endpoints",00:17:26
and if I go to "IPv4,"00:17:28
this is where I can just take a glance00:17:30
at the GeoIP information, right?00:17:32
So I'm talking to Germany,
talking to Indonesia,00:17:35
United States, Ashburn, Cambodia.00:17:37
- So that could be an indication
that there's a problem,00:17:39
'cause you might not want to talk00:17:41
to those kind of countries, is that right?00:17:43
- Yeah, it depends on my customers, right?00:17:44
Where they coming in from,00:17:45
how are my applications architected?00:17:47
Do I have a CDN00:17:49
that should be taking care
of Cambodian and Indonesia?00:17:52
If that's true, why they
coming in straight to me?00:17:55
And what conversations
are we having, right?00:17:56
Same thing with US and Europe.00:17:59
It's not that any one country we pick on00:18:02
or that any one country by
itself would be an indicator.00:18:06
It's just that, "Is that normal for me?"00:18:08
And, "Is this something that I usually see00:18:12
any given Monday kind of thing?"00:18:13
Just taking a peek at
that, let me close. Okay.00:18:16
- So you're just trying
to get a big picture00:18:18
of what's going on, is that right?00:18:19
- 100%. Trying to get a lay of the land.00:18:21
I don't open up a PCAP00:18:22
and go straight to the TCP window size.00:18:26
I have no basis to yet, right?00:18:28
And you know, that's just too
deep in the weeds, too fast.00:18:31
We're already in the weeds.00:18:33
So let's make this a little
bit easier on ourselves.00:18:37
- Is it like trying to get
like a 10,000 foot view00:18:39
of like what's going on00:18:40
and now you can jump into the details?00:18:42
- Absolutely. That's what I'm here to do.00:18:45
So, okay, I've got my
bit of a lay of the land.00:18:47
Now, there's a few different things00:18:49
that I like to look for that
we call them low hanging fruit.00:18:52
Not all malware is advanced
malware that's all encrypted00:18:58
over the QUIC protocol and
is just absolutely impossible00:19:02
to make sense of on the wire.00:19:03
Yeah, there's some pretty sophisticated,00:19:05
advanced attacks, totally.00:19:07
But there's also some low hanging fruit00:19:09
that we can watch for, okay?00:19:11
So one of those that I like to look for,00:19:14
just go straight to web, HTTP.00:19:17
All right, let's just see,00:19:18
do we have possibly a malware author,00:19:22
whoever put this together
and architected it,00:19:25
maybe they got a little lazy00:19:26
and they didn't want to go
through the whole TLS process00:19:29
for every single web call.00:19:30
Maybe we could find some indicators there.00:19:33
So if you're following along with me,00:19:35
you just go up, "http"
in the display filter.00:19:38
We come down here, we've
got 26 hits for that filter.00:19:41
Now we can start to look
through a few of these.00:19:44
So let's go ahead and
go to this first GET.00:19:45
- You're looking for HTTP00:19:47
because most traffic today
should be encrypted, right?00:19:49
- Yeah, so I noticed in
the conversation list00:19:52
that we had some port 80,00:19:54
so that means it's standard web, right?00:19:56
So I'm gonna take a look at that first,00:19:59
low hanging fruit kind of
stuff, just what's using that.00:20:03
And another reason why I'm
looking at that these days00:20:06
is because so much of my normal traffic,00:20:09
like you and I talking now,00:20:11
you and I going to davidbombal.com,00:20:15
going to packetpioneer.com,
going to wireshark.org.00:20:17
If we're hitting sites out there,00:20:19
most of that today is encrypted, right?00:20:22
So we just shouldn't
have a whole lot of HTTP,00:20:27
standard port 80 left
going out to the internet.00:20:30
There's some, but there's
not gonna be a whole lot00:20:33
because so much of our web
activity is encrypted right now.00:20:36
So that's why this is low hanging fruit.00:20:38
And again, there's nothing
wrong with this GET00:20:40
and this response yet.00:20:43
It's just that this
was a quick way to say,00:20:45
"Okay, what are my GETs
and response strings?"00:20:48
I noticed that I've got
a couple files here.00:20:50
GET /images/imgpaper.png,00:20:53
GET /images/cursor.png.00:20:55
I'm gonna come back to
those in just a minute.00:20:57
Before I do though, literally,
let's go to that first GET.00:21:00
We're gonna right click,00:21:01
we're gonna go to
"Follow" -> "TCP Stream."00:21:03
Now usually I don't first go to "Follow."00:21:05
I'm gonna go to "Conversation
Filter" -> "TCP."00:21:07
But in this case,00:21:09
I wanna see what is
within that GET string.00:21:12
So I'm gonna go "Follow" -> "TCP Stream."00:21:14
And let's take a closer look.00:21:16
First of all, right away,00:21:18
this doesn't look very healthy
to me for a few reasons.00:21:21
First of all is my user region.00:21:23
I shouldn't say not healthy,00:21:24
I should just say my little radar00:21:28
in the back of my mind, David
is just going, do, do, do do.00:21:30
There's just a little yellow
alert going on right now.00:21:33
I'm sending a GET and I'm using basically00:21:35
a kernel level user agent.00:21:39
It's just doing a direct curl call.00:21:40
It's almost like doing
it from the command line.00:21:42
That's something that's
kind of interesting.00:21:44
If this is coming off of someone who,00:21:48
let's just say that their machine,00:21:50
that this is the IP that they're using.00:21:52
What is this, 28.229?00:21:54
I might wanna look up,
"Okay, who is that user?"00:21:57
And if it's just Dave the
secretary in the front,00:22:02
you know he's sitting in
the front of the office,00:22:03
so Dave's machine is
the one generating this.00:22:07
That's where I'll come back here00:22:08
and I'll go,00:22:09
"So why is Dave running like
a kernel level curl call?00:22:13
What, what are they doing?"00:22:14
This could be some API that
they're running possibly.00:22:17
However, that's just gonna
cause my little radar to go up.00:22:21
Next, how about this?00:22:22
I go out to the server,
returns back at 200 OK.00:22:27
But the server's name is "Cowboy."00:22:29
(David laughing)00:22:30
- That looks legit.00:22:31
- Might, yeah. Okay, right, because --00:22:35
- But curl, yeah? So just for
everyone who doesn't know,00:22:37
curl is like a command line URL tool.00:22:40
It's not something that normal
users would ever use, right?00:22:44
- Yeah, or the actual API will,00:22:47
a lot of the browsers are, like the APIs,00:22:49
are actually going to use curl,00:22:51
but so into the kernel00:22:53
that we just don't see
this user agent, right?00:22:56
So curl's a very, very, very common thing.00:23:00
However, usually your user
agent is gonna be much longer.00:23:04
It's gonna say, okay, Mozilla 5.0,00:23:06
and it's gonna say --00:23:07
My user agent is me
basically introducing myself00:23:10
to the server and establishing
some of the parameters00:23:15
of the engagement.00:23:16
So you can send me these languages.00:23:18
I accept this kind of coding.00:23:20
And "Hey, here I am."00:23:21
So in fact, we've all seen
some of the statistics00:23:25
that different websites track.00:23:27
This amount of traffic is
coming from mobile devices,00:23:29
or iPads, or Windows 10, Windows 11.00:23:32
Well, the way they figure
that out is by the user agent,00:23:34
it's the client introducing
themself to the server.00:23:37
So, okay. We're doing like
a kernel level introduction,00:23:41
no frills, no gimmicks, nothing.00:23:44
This is usually pretty unusual to see00:23:46
in normal, healthy traffic.00:23:48
Not to say it never happens,00:23:50
but it just is going to raise my eyebrow.00:23:52
Next, "Cowboy" comes back with a 200 OK.00:23:55
Date, also all they return
back is an IP address;00:23:58
that's the content, all right?00:23:59
So that looks kind of interesting.00:24:02
That's just gonna be a note to self.00:24:04
So I'm actually gonna take
and just take this address.00:24:06
I'm just gonna do a little
quick little copy on it,00:24:09
and now I'm gonna say "Close."00:24:10
Now with this infection,00:24:12
we basically reach out to a server,00:24:14
we knock on its door and it
returns back an IP address.00:24:17
And we can see that
address again here down00:24:20
in our hexadecimal view.00:24:21
All right, so I'm gonna take that00:24:23
and you know what I'm gonna
do? I'm just gonna first see,00:24:25
"Do we ever actually go
talk to that address?"00:24:27
"Ip.addr," 'cause I'm like,00:24:29
"What if it's sending me an instruction00:24:31
to then go talk to
another machine, right?"00:24:34
Like, "Hey buddy, go talk
to my buddy over here."00:24:37
Okay, so I never actually
see that address being used.00:24:41
That means that I don't
go and knock on the door00:24:43
of yet another server out there.00:24:44
But I'm still not in the clear.00:24:47
So let me just back up again.00:24:49
I'm gonna go clear out my filter.00:24:51
I'm gonna go ahead and go
back up here, "http" again.00:24:54
So now let's take a
look at this next POST.00:24:59
Now it's interesting here.00:25:01
I have this station.00:25:03
First of all, it reached
out to this device up here.00:25:05
Then this next one was a POST.00:25:08
So now with HTTP, I
can either GET traffic,00:25:11
"Hey David, give me this."00:25:13
Or I can say, "Hey David, here is data."00:25:16
It can go in either direction.00:25:18
And the method of HTTP
call that I use GET, POST,00:25:23
there's a few other ones, HEAD, INFO.00:25:25
I can come here and I say, "Okay, I'm POSTing, sending
data out to this machine."00:25:30
I'm just gonna peek over here.00:25:32
Let's take a look at the IP address.00:25:34
Gonna go down to GeoIP. Ooh,
now we're talking to Indonesia.00:25:39
We're sending data to Indonesia.00:25:41
Now that could be again, I
gotta think of my context.00:25:43
Do I have a legit system running00:25:45
that should be talking to another country?00:25:48
That's something that
we'd have to look at.00:25:50
Gonna come to "Follow" -> "TCP Stream."00:25:53
Okay, so here, let's take
a look at this again.00:25:54
Now you notice our user agent's00:25:56
a little longer this time.00:25:58
This is actually a more
normal looking user agent00:26:01
and I can actually take
this user agent, copy it,00:26:04
and there's a few sites
out there on the internet00:26:06
that I can search for,00:26:07
just to see what type of system this is.00:26:10
Mozilla 4.0, it's gonna
be a little bit older.00:26:13
The host, usually when
I'm talking to a server,00:26:17
in many cases,00:26:18
I'm using a hostname,00:26:21
wireshark.org, davidbombal.com, whatever.00:26:23
This time I'm using an IP, right?00:26:25
So I'm not doing a domain lookup.00:26:27
I'm just going straight to an IP.00:26:29
But let's see the data that I am sending00:26:32
to here again, "Cowboy."00:26:35
Hmm, now I'm posting to "Cowboy."00:26:38
Let's check out our content disposition.00:26:40
So let me just read these fields to you00:26:46
and see if this sounds comfortable, David.00:26:48
What would you think if I
started sending data out00:26:50
that was "formdata",
"billinfo" and "cardinfo?"00:26:54
Anything suspect there?00:26:56
- Yeah, straight away. I mean, who's just gonna send00:26:58
that kind of information
to some random server00:27:00
in perhaps a foreign country?00:27:02
- Very good. So would you say that this,00:27:04
even if we aren't yet malware experts00:27:07
or we're not hackers and all the above,00:27:11
even if we're not00:27:12
at a certain comfort level
yet with cybersecurity,00:27:15
should this kind of thing
raise our little antenna?00:27:18
- Oh yeah, yeah.00:27:19
- Yeah for sure.00:27:20
Now there's a very cool little thing,00:27:22
a feature in Wireshark.00:27:24
This was just one POST,00:27:25
but if you remember from
before I saw several POSTs.00:27:28
There's a cool feature in Wireshark00:27:30
called "Stream" down here,
it's easy to overlook.00:27:32
You see here in the lower right?00:27:33
Right now I'm on "Stream 8."00:27:35
So a "Stream" is basically00:27:37
just a single TCP conversation.00:27:40
And here, what I'm doing in this view00:27:42
is I'm extracting any clear
text out of that conversation00:27:46
and presenting it in ASCII.00:27:48
All right, I could also
change that if I want to,00:27:50
if there's any other language, however,00:27:51
let's just keep with ASCII.00:27:53
I'm gonna come down here to "Stream"00:27:54
and I'm going to go to the next one.00:27:56
So I don't have to close, reset a filter,00:28:00
come back to "Follow" -> "TCP Stream."00:28:01
I can just jump to the next
one using the "Stream" number.00:28:05
So Wireshark kicks me to the next one.00:28:07
Let's take a look at this,
still talking to Indonesia.00:28:09
Hmm, now I'm exporting,
exfiltrating, I'll use that word,00:28:15
mail.catbomber.net, port 995.00:28:19
Here's a username. Oh,
and here's a password.00:28:22
Suspect or no?00:28:23
- No, it looks dodgy.00:28:25
I mean, why would the
password be clear text?00:28:26
And it's, I mean, a name like "catbomber"00:28:29
is like straightaway doesn't look good.00:28:31
- Yeah, I'd agree in
this case or, oh yeah.00:28:34
And we're identifying
Outlook passwords, wonderful.00:28:36
- Yeah, Outlook passwords,
that's sounds a bit dodgy, yep?00:28:41
It's trying to email
passwords or something, right?00:28:45
- I am exfiltrating over web00:28:48
a username and password of email.00:28:51
- Oh, I see. Yeah, so that's
really dodgy. Yep, yep.00:28:54
- Yeah. So I'm telling,00:28:55
"Hey, here's my username
password over email."00:28:57
- So basically the
"Cowboy" server, whatever,00:29:00
has now just learned an
email address and password.00:29:03
- Absolutely, yep.00:29:04
And we're not done yet.00:29:07
How about open VPN passwords and configs?00:29:10
- [David] (chuckling) Yeah.00:29:13
- In this packet, we
don't see any of that,00:29:15
but again, it's trying.00:29:17
It's trying to kick this stuff out.00:29:20
How about this open SSH private keys?00:29:23
- Yeah, I'm glad that
you highlighted that.00:29:24
So in other words, it's a
whole bunch of HTTP POSTs.00:29:27
In other words, it's
basically sending data00:29:30
to a server on the internet00:29:32
and it's sending email
information, VPN information.00:29:36
And what I'm seeing now is like00:29:39
a whole bunch of process information.00:29:41
- Yes, and while you were talking,00:29:43
I just fast forwarded just a little bit.00:29:46
There are some encrypted
conversations, 100%.00:29:49
But if we come back to "Stream 21,"00:29:51
everyone go ahead and
drop "Stream 21" in here.00:29:53
Or you can filter for that in Wireshark,00:29:55
come back to "Follow" -> "TCP Stream."00:29:57
And this is where we can see
our user agent "Winhttp 1/0."00:30:04
Again, it's just not a common one00:30:06
that I'm typically gonna see00:30:07
for most web traffic that's
being done over browsers.00:30:09
Also the host that I'm talking to,00:30:12
talking to this 203 box,00:30:14
we can go and check out who that is.00:30:15
See, my IP is changed.00:30:17
I was talking to Indonesia
now I've switched here.00:30:21
Now I'm POSTing somewhere else.00:30:22
This time, I'm sending a process list00:30:25
of the system that I'm
actually on right now.00:30:29
So how about this?00:30:30
What would you think if I had a user00:30:33
that was sending to some
unknown server out there,00:30:36
all of their system processes,00:30:38
their internal system
information, including their name,00:30:43
their DNS suffix, their
ethernet adapter information?00:30:48
Here's our IP.00:30:49
Here's our default
gateway, DHCP server, DNS.00:30:53
Come down here, "net config,"00:30:55
even the type of software that this is.00:30:57
We see it's an older operating system.00:30:59
This is why we shouldn't leave00:31:00
this kind of stuff lurking
around, side point. "Net view."00:31:04
I mean, look at all of this
that's being sent out, right?00:31:08
Local machine data, username.00:31:10
- There's no ways that's legit.00:31:11
Why on earth would you send
internal information like that00:31:15
to some random server?00:31:16
- Exactly. And why would this,00:31:19
and let's think about this
from a practical standpoint,00:31:22
if we're blue teamers,00:31:23
well, how come this would still happen?00:31:26
Well, are we looking for it?00:31:27
This is web, it's being
initiated from the inside.00:31:30
So what protections do we have in place00:31:32
for our outgoing web traffic?00:31:35
Most firewalls are gonna
let it blast right through.00:31:38
So are we inspecting this?00:31:40
Okay, all that we get
back from that server,00:31:42
by the way, here's some
usernames, you know, no big deal.00:31:45
- I was just gonna say,
"Username: Administrator,"00:31:46
"Username: Guest," all that
information's being sent.00:31:48
Sorry, and you were gonna
say something, sorry?00:31:50
- You took it right outta my mouth.00:31:53
"Is that something I should expect?"00:31:56
- No, for sure not.00:31:57
- Yeah, and also too, "Catbomber-DC."00:32:00
So my domain controller.00:32:02
I'm gonna talk about
that in just a minute.00:32:04
So first, this is just a station00:32:06
that's just doing all this stuff.00:32:07
If I come down here, check out here again,00:32:10
here's our server, "Cowboy."00:32:11
So we can see that we
have a distributed system00:32:14
that's accepting this data.00:32:16
It's not just one isolated
actor working alone00:32:19
on one machine.00:32:20
Or they could be working alone
and have several machines00:32:24
that are set up to receive this traffic.00:32:26
However, it's not always
going to just a single IP,00:32:29
a single server.00:32:30
That server named "Cowboy"
though is the thread00:32:32
that's tying this together.00:32:34
So what have we learned? Let me back up.00:32:35
I'm just gonna say "Close."00:32:37
While I'm here,00:32:38
I'm also gonna peak at,00:32:40
if I say "Destination."00:32:41
Let me just take a quick little peak00:32:43
at the GeoIP information.00:32:45
And there we go, Cambodia.00:32:46
So I've talked to Germany,
I've talked to Cambodia,00:32:48
I've talked to Indonesia,00:32:50
a few other places around
the world, which is, again,00:32:53
that could be normal traffic.00:32:54
However, this doesn't look very normal,00:32:57
the conversations that I'm having out.00:33:00
Also remember, you saw
this catch my eye before,00:33:04
this 8082 port number.00:33:07
- [David] Yeah, yeah.00:33:08
- And again, it's just not 443, 80,00:33:13
the standard ports that I'm seeing run by.00:33:15
It's just enough different
that it caught my attention.00:33:19
So maybe what I'll do, let me do this.00:33:21
Let me see, do I see
any other 8082 traffic?00:33:24
I'm going to just go "tcp.port==8082."00:33:30
So I definitely see it
here, but if I scroll down,00:33:33
uh oh, remember our domain controller?00:33:36
So we had "Catbomber-DC?"00:33:38
If I come down here I
have two conversations.00:33:41
One is coming from 229,
but I also have 28.8.00:33:46
Let me see what's up down here.00:33:48
Let me do, there we go,
"Follow" -> "TCP Stream."00:33:51
I went blind for a minute and
sure enough, check this out.00:33:55
So this is a POST from "Catbomber-DC."00:33:58
And if I come down here,00:33:59
that same process list, system info.00:34:02
Oh great, our domain
controller's been infected too.00:34:05
It's exfilling that same stuff out00:34:08
to that site out there, to "Cowboy."00:34:10
This malware has compromised
more than one station.00:34:14
I got 229. I got .8.00:34:16
I'm seeing those indicators
come from both places.00:34:19
Okay, how we doing? Just checking in.00:34:21
- Yeah, I was just thinking of a question,00:34:23
which we can come back
to later if necessary,00:34:25
"Is how do you find the
needle in the haystack?"00:34:28
And I think what you did, which is great,00:34:30
and you can fill in more detail, Chris,00:34:32
is that you went high
level, like 10,000 foot,00:34:35
and then you noticed HTTP00:34:37
and you just started looking at HTTP00:34:38
amongst all the other traffic.00:34:40
And that's kind of like
how you spotted this stuff.00:34:43
How do you it in like the real world00:34:44
where you've got gigs and gigs of data.00:34:45
That's always the question, isn't it?00:34:47
- Well actually I'm gonna
show you some of the things00:34:50
that I can do on the
terminal, on the command line.00:34:52
And that greatly improves the speed00:34:56
that we can do this with.00:34:57
And it also has some
other interesting features00:35:00
that make this a little faster for us.00:35:03
- [David] Right. - You asked another
interesting question though00:35:05
I want to talk about.00:35:06
So how do you know what to look for?00:35:09
And basically, I mean,00:35:11
since I haven't yet had
an attacker come up to me00:35:14
and just send me an email of the details00:35:16
of all of his attacks,
right? (both chuckling)00:35:20
If I'm playing another
team in the Super Bowl,00:35:21
he's not gonna send me his playlist00:35:23
and his offensive plan, you know,00:35:24
so I can defend against it.00:35:26
It's what we do is we start
looking, we're threat hunters.00:35:29
When we set out as threat hunters,00:35:31
we're first of all, we're proactive.00:35:32
We don't wait for an alert.00:35:34
We also don't always know
what we're looking for00:35:37
because we don't have an alert.00:35:39
So some of these skills
you can learn at home.00:35:43
Start capturing on your machine00:35:45
and look at the HTTP calls
that your system sends.00:35:49
There's several different things
that might jump out to you00:35:52
and say, "Hey, you know, that
just looks strange," okay?00:35:54
And the more you see your
normal baseline traffic,00:35:58
the faster and better00:36:00
you're gonna be able to
identify the abnormal.00:36:02
But that's why I say one of the reasons00:36:04
why I like teaching this way,00:36:05
especially with HTTP,
is because it is open.00:36:08
It is clear text. We didn't
have to decrypt anything.00:36:12
We didn't have to have
a special one-off case00:36:14
where we're able to capture
the keys from a TLS proxy00:36:17
or from locally on this client.00:36:18
We're able to see this
going across the wire.00:36:20
So that way we can learn how this works,00:36:23
so that if something becomes encrypted,00:36:26
we still have some
indicators we can look for.00:36:28
I'm about to pivot to that.00:36:29
- [David] Great.00:36:31
- Because in here, let me just remove this and
jump back through to the top.00:36:34
So when I jump back up to the top,00:36:36
here I can see that I
actually come out the gate00:36:39
with an encrypted conversation.00:36:41
My packet number one is 443, all right?00:36:45
So it's coming from 28.229.00:36:47
Now this is a packet number one.00:36:50
So this could be that
a client was phished.00:36:54
They were sent an email, a link,00:36:58
something that they executed.00:37:01
This is the kind of thing
that can go on under the hood00:37:03
once that link is clicked00:37:05
or whatever script comes
down from that initial server00:37:09
and then it starts to
actually do its badness.00:37:12
So that's another reason00:37:13
why I like these PCAPs from
malware-traffic-analysis00:37:15
is it starts very clean.00:37:17
So here's our SYN, SYN-ACK, ACK.00:37:18
We do our three-way handshake.00:37:20
The first thing I'm gonna look for, again,00:37:21
muscle memory, click
here. Let's go to GeoIP.00:37:25
I'm talking to Germany.00:37:27
Okay, just taking a look through.00:37:30
What have we got, our country code,00:37:31
our Autonomous System numbers.00:37:32
We're going out knocking
on that door, comes back.00:37:35
Okay, handshake finishes,00:37:37
and then I have this "Client Hello."00:37:38
Now I'm going to just take a look.00:37:40
I'm gonna show you when we
go "Follow" -> "TCP Stream"00:37:42
on this, it's encrypted, right?00:37:44
We don't have a whole lot to go on here00:37:46
from a clear text perspective.00:37:47
This doesn't mean that we're
completely in trouble though,00:37:50
because there's something super cool00:37:52
called the JA3 Client Fingerprint.00:37:56
Everybody click packet four,00:37:58
'cause I know you're
following along, right?00:37:59
Why stand by and watch people have fun00:38:02
when you can dig into the
packets too? So, alright.00:38:05
The "Client Hello" is the first
packet of a TLS handshake.00:38:10
It happens after the TCP connection.00:38:13
The client now is reaching out00:38:14
and basically establishing the parameters00:38:16
of an encrypted conversation.00:38:18
So there's some interesting
things that are here00:38:20
that could raise our eyebrow, right?00:38:23
First, it's actually normal-ish
to see version TLS 1.0 here00:38:28
in the initial part of the handshake,00:38:30
but it's not really common
to see it down here.00:38:33
So TLS 1.0, first of all,
we're on TLS 1.3 now.00:38:37
An overwhelming amount
of traffic out there00:38:39
is now TLS 1.2 or 1.3.00:38:41
If I'm running old TLS,00:38:43
So either SSL 3.0, TLS 1.0 or 1.1,00:38:50
those could be just an indicator00:38:53
that this is either super
old, it needs to be patched,00:38:57
or I'm dealing with a
lazy malware situation,00:39:00
where they didn't go to
this extent of TLS 1.300:39:03
to fully do perfect forward secrecy00:39:06
and do all the modern stuff that we do.00:39:08
It was just good enough00:39:09
to keep this out of the
view of most IDSs, okay?00:39:13
So old, interesting.00:39:16
Now that actually forms
this version field,00:39:20
begins to form the basis of
something that we call JA3.00:39:26
JA3 is a fingerprint
of this "Client Hello."00:39:30
So what else does it look for?00:39:32
Version, cipher suites.00:39:36
So cipher suites,00:39:37
this is the different
encryption algorithms00:39:40
that I want to use
within this conversation.00:39:43
So I offer the ones that I know
or I can use, to my server.00:39:47
The server comes back and
picks the one they want to use.00:39:50
And then we can complete that handshake.00:39:52
But these are all the ones
that the client has capable.00:39:54
Just right off the bat,
RSA catches my attention.00:39:57
That's kind of an old, dead standard now,00:39:59
shouldn't see it in the
modern world anymore.00:40:01
Unless it's with an older system,00:40:03
we've kind of moved on from RSA.00:40:05
But that's also gonna form a fingerprint.00:40:09
Okay, so those 12 suites, version TLS 1.0.00:40:13
Also if I take a look at
some supported groups,00:40:15
a few other little indicators,00:40:16
and I come up with this
full string number.00:40:19
Now here's the gory details,
I'll do it very quickly.00:40:22
769 is actually the decimal equivalent00:40:25
of the hexadecimal value up here.00:40:28
So 0301, if you flip it
to decimal, it's 769.00:40:33
For all these cipher suites,00:40:34
I just take all of these values over here00:40:35
and flip 'em to decimals.00:40:37
And I get all this long stringing numbers.00:40:40
The great thing about JA300:40:41
is you don't have to
memorize all those numbers.00:40:44
It basically goes through a hash00:40:46
and then the hash value
that's outputted is here.00:40:48
This is the JA3 hash, the JA3 signature,00:40:52
for this "Client Hello."00:40:54
What does that do?00:40:55
- That's in every hello or
every message, is that right?00:40:59
- This is a feature,
that's a great question,00:41:00
this is a feature of Wireshark;
Wireshark's doing this.00:41:03
And JA3, it's not unique to Wireshark.00:41:06
There's other tools
that are able to do it.00:41:07
But basically it pulls out these values00:41:10
and we're able to get a hash value00:41:13
that we can then look up
against a known database.00:41:16
So this is what we're gonna do.00:41:18
Right click, I'm gonna
go to "Copy" -> "Value."00:41:24
Now there's a site that I like
to tinker with, ja3er.com.00:41:28
Let's have everybody go there.00:41:30
All right, so if you
drop it into ja3er.com,00:41:33
I went ahead and copied that hash,00:41:35
if you come back here to search JA3 hash,00:41:38
this is where we can paste this in,00:41:40
search for JA3 hash.00:41:42
And this looks up against a known list00:41:45
of hash values for "Client Hello's."00:41:49
So there's tons of them out there, right?00:41:51
Because there's all
kinds of different ways00:41:53
that we approach servers.00:41:54
It depends on our browser,
our browser version,00:41:55
our operating system,00:41:57
the type of software00:41:58
that's actually generating
the TLS connection.00:42:02
And what this is telling
us is that this signature00:42:05
looks like a trickbot infection.00:42:08
So malspam-infection-traffic,
hmm. Malware test.00:42:13
So this site has already seen this before.00:42:15
It's already been registered00:42:16
as a malware trickbot infection, which is,00:42:21
it's something that it's seen before.00:42:23
So that's where I can come back here,00:42:25
and even in an encrypted conversation,00:42:29
I can still use the destination IP.00:42:31
So where are we talking to?00:42:33
And I can also take a look
at the "Client Hello,"00:42:35
and get that JA3 string to get a vibe,00:42:38
"Is this possibly malware?"00:42:41
And that's just another
indicator I can use00:42:43
to do some threat hunting.00:42:45
- That's great 'cause you
didn't have to decrypt anything.00:42:49
Just by taking that signature
you were able to discover00:42:52
that it's malware.00:42:54
- Absolutely, yeah.00:42:55
Now we could make the case,00:42:56
"Well, all an attacker has to do00:42:57
is just use a normal
looking 'Client Hello.'"00:42:59
That happens, but we're talking
about low hanging fruit.00:43:02
We're talking about,
we gotta do something.00:43:05
We gotta keep scanning.00:43:07
Not all malware00:43:08
is going to be perfectly, perfectly hidden00:43:12
in encrypted conversations
with just perfect user agents00:43:15
and perfect "Client Hello's"00:43:17
that will just whizz by the IDS/IPS.00:43:19
Absolutely. Those exist, 100%.00:43:22
But there's things like this00:43:23
that we can do while we're threat hunting00:43:25
that should raise our antenna.00:43:27
- And I mean, I like the
example that you shared offline00:43:29
where you were doing
this in the real world.00:43:32
And I mean, you've shared
a little bit about it00:43:33
in this video,00:43:34
but you you've been doing
this in the real world00:43:36
where you're looking at slow traffic00:43:37
and then suddenly you
encounter stuff like this.00:43:40
So it's not like this is theoretical.00:43:42
This is real world stuff
that you're encountering.00:43:45
- Yes, in fact,00:43:47
just a teaser to a previous video00:43:49
that you and I did together on Nmap scans00:43:51
and what those look like.00:43:53
Well, if I come up here to the SYN,00:43:56
if I come down here to the
TCP Hello, the window size?00:43:59
If I take and pop this guy upstairs, boop.00:44:03
If I say take that
window size value, 8192,00:44:06
if I come to 1024, how
do I know it's 1024?00:44:09
Go watch the video.00:44:10
But Nmap likes to use that00:44:11
as an initial TCP window size value.00:44:13
So what I did, I just hit "Save."00:44:16
And now I've got it over
here as a signature.00:44:18
And what I'll do from time to time,00:44:20
if I'm just looking at normal traffic,00:44:22
I'll look at this window size value.00:44:26
I literally David, was just
working with a customer00:44:29
that I just happened to
throw this on the PCAP.00:44:33
And we found internal scans
happening behind the IDS, right?00:44:38
So a device that should not
have been running an Nmap scan00:44:42
was scanning the network.00:44:44
It wasn't like a blast of data,00:44:46
but it was just real slow,00:44:48
checking different ports coming over here,00:44:50
checking over there.00:44:51
So I told them,00:44:52
"You need to go find
out what this device is00:44:53
and why it's scanning your network.00:44:55
And if that's something
that should be happening."00:44:57
So the case could be made that,
"Okay, I stumbled on this."00:45:00
But if you think there are other ways00:45:02
that I could do a more persistent
scan against network data,00:45:06
I can take a huge block of network data00:45:09
and just look through it for
all window sizes of 1024.00:45:12
So I'm gonna show you how
to do that in just a moment.00:45:14
So as you can see,00:45:15
there's a lot that we
could cover in this PCAP.00:45:18
In fact, I'm sure that
there's a whole lot more00:45:19
that the viewers will be able
to find, a ton of detail.00:45:22
I think every time I
look at this trace file,00:45:24
I find something new.00:45:26
But before we finish, I
wanna make sure to show you00:45:28
one last thing about this PCAP.00:45:30
So let's have everybody to do this.00:45:32
Let's go ahead and
investigate those two files00:45:35
that the client retrieved
from the HTTP server.00:45:38
You remember those PNG files?
Let's take a look at 'em.00:45:41
We're gonna go up to "File."00:45:44
We're gonna come down to
"Export Objects" -> "HTTP."00:45:48
Now I just want to caution everybody,00:45:50
remember you're playing with live malware.00:45:53
There are malicious files in here00:45:56
that if we locally execute
them, we can become infected.00:45:59
So what I wanna make sure
everybody does not do,00:46:01
do not under any circumstances,00:46:04
come down here and say, "Save all"00:46:06
and extract these png files
and locally execute them.00:46:10
Leave them alone. You're fine looking at them
here in the packet format,00:46:14
but we wanna make sure we don't extract them
and execute them, okay?00:46:17
But let's just take a look at those names,00:46:19
imgpaper.png, cursor.png, okay?00:46:23
So let's go ahead and say "Close."00:46:30
When I clicked on one of those files,00:46:32
it jumped me there in the packets.00:46:33
So I'm gonna take a look at one of those.00:46:35
I'm just gonna right click this00:46:36
and just do first "Conversation Filter."00:46:38
And I just want to go "TCP."00:46:41
Now, if I take a look up on top here,00:46:44
so here the client is reaching out00:46:46
and it's saying, "Hey, SYN, SYN-ACK, ACK,"00:46:48
there's my handshake.00:46:49
It's getting cursor.png.00:46:52
That was one of the
files it was requesting.00:46:54
Let's just see where this
IP address is located00:46:57
while we're here.00:46:58
Okay, this is actually in
the US at Nodes Direct.00:47:01
Okay, interesting. Now,
if I come down here,00:47:03
I'm getting cursor.png
as the name of the file.00:47:08
But if we take a look at the response,00:47:09
check out this first packet of response.00:47:11
And we can come over here.00:47:12
In fact, let's go ahead
and just right click,00:47:14
"Follow" -> "TCP Stream."00:47:15
Okay, so here we are on the stream data.00:47:17
Now here, we can see we do that request.00:47:19
And again, we're doing it to
a host IP, not to a host name.00:47:23
But down here when we request it,00:47:26
here we can see MZ is the
initial part of that file header.00:47:32
Now MZ, those are the initials
of one of the gentlemen00:47:35
that had a hand in creating DOS basically.00:47:39
So MZ is at the start of every executable00:47:43
or binary file that we see00:47:45
in that actual header information.00:47:48
Over here, we can actually see as well,00:47:50
this program cannot be run in DOS mode.00:47:53
So that tells us that this
is not actually a png file,00:47:56
'cause that would be an image.00:47:58
We're actually retrieving
an executable file00:48:01
that's being hidden behind
that cursor.png filename.00:48:05
So another indicator here of this malware00:48:07
and what it's trying to do00:48:09
and that it's up to no good,00:48:11
if we're downloading hidden executables.00:48:14
Okay, so Brim is one, if
you're a threat hunter,00:48:16
you should have in your toolbox.00:48:18
And what it does is it
basically takes PCAP data,00:48:21
like we just saw, and it
generates Zeek logs off of it.00:48:24
And then it allows us
to search those logs.00:48:27
So all I did was I
opened up this same PCAP00:48:29
that we've been working with00:48:30
and I popped it open in Brim.00:48:32
Open source, go download it,00:48:34
it's got a bunch of
different operating systems00:48:37
it can work on.00:48:38
So go ahead and pick your flavor.00:48:40
And what I'm gonna do is I'm
just gonna come over here00:48:42
and just for this PCAP --00:48:43
- It's free software, right? Yeah?00:48:44
- [Chris] Yep. Open source,
totally open source.00:48:47
So I'm gonna come over here00:48:48
and I'm just gonna zoom,
zoom, zoom, zoom, zoom00:48:50
into this little bar
over there on the side00:48:56
and it's coming in.00:48:57
So basically what this shows
me is over time for this PCAP,00:49:01
what conversations were
held, where, and with whom.00:49:06
Now something that I like about Brim00:49:08
is I can come down here and
just say, "Whoa, alert."00:49:12
Hmm, that doesn't look right.00:49:15
So why don't I just take
alert if I want, right?00:49:19
- Picked it up straight
away, yeah? Yeah, go on.00:49:21
- I mean anybody's eyes
could catch that I hope.00:49:24
Let me right click it and
say "Filter as value."00:49:28
Let's take a look at some of
the alerts that it figured out.00:49:30
Check out 8082, check
out some of those ports.00:49:34
In fact, if I back up, let
me just come over here.00:49:36
So my alert, "MALWARE
Trickbot Checkin Response."00:49:40
That took five seconds from a PCAP.00:49:42
- And you can filter
for alerts, can't you?00:49:44
Just like any alerts
and then it'll show you00:49:46
what it thinks is badgered, right?00:49:48
- Oh yeah, absolutely. We can either filter for that value,00:49:51
or another thing I can do is
come over here to the side00:49:53
and I can say, okay, coming down here,00:49:55
I can even use Suricata alerts, right?00:49:58
So, "Hey, you got potentially bad traffic,00:50:00
malware command and control,
network trojan was detected."00:50:04
I can take this and then I can pivot00:50:05
and go back into that actual alert.00:50:07
And then I can even pivot further00:50:08
and go back into the packets.
You see my little fin up here?00:50:12
So I'm not gonna go too far on Brim,00:50:13
but I can select that conversation.00:50:16
This gives me more of
my fire alarm level view00:50:19
if I have a very large data set.00:50:22
And it allows me to pick out these things00:50:24
that my eyes should go to.00:50:25
I approach this backwards00:50:27
from the way a lot of
people might approach it.00:50:30
They might go to Brim first
and do that high level.00:50:33
I wanted you to start on
the wire just so you can see00:50:35
the actual anatomy of attack00:50:37
and how this progresses, and
down to the packet level,00:50:41
showing the kind of
data that was sent out.00:50:44
So now I absolutely
compliment what Wireshark sees00:50:48
with a tool like this.00:50:49
- I think it's important
what you do, Chris,00:50:51
because if you understand
the low level stuff,00:50:54
it's gonna help you catch stuff00:50:55
that these tools might not catch.00:50:58
It's good to have an understanding00:50:59
and then use the automated tools.00:51:01
But if you just use automated
tools, you're kind of blind.00:51:03
- Yeah, absolutely.00:51:04
I mean, I could have a self-driving car00:51:07
and it could get me from A to B,00:51:08
but what if something happens? (chuckling)00:51:12
You know, I still need
to know how to drive.00:51:13
Or the other thing about
our IDS/IPS systems,00:51:17
they're watching only on certain links.00:51:20
Like take the example00:51:21
of the client I was talking to you about,00:51:23
where we found some scan traffic.00:51:25
They had an IDS/IPS, but
it wasn't picking it up00:51:29
because those packets never
crossed that connection00:51:33
that was being analyzed.00:51:35
The C2 traffic, the attacker, I think,00:51:37
was coming in over probably
an encrypted C2 conversation00:51:41
probably on port 443.00:51:43
So it just looked like any old web traffic00:51:46
and it was being let in.00:51:47
- Chris, you said that
you'd show us how to do this00:51:49
like in real world, like large data sets.00:51:51
Have you got an example of that00:51:53
or am I jumping the gun again?00:51:54
- Not at all. No, that's a
natural next question like,00:51:58
"Okay, this is an isolated
PCAP from a known infection,00:52:02
how do you actually find this stuff?"00:52:04
And let me go ahead and show you00:52:05
from the PCAP we already have.00:52:07
So, first of all, one way that
I like to do some scanning00:52:11
or just again, high level stuff,00:52:14
kind of like what you're seeing,00:52:15
we did it packet by packet
in the user interface.00:52:17
But an important tool I'd
like everybody to start00:52:19
to get used to is a command
line tool called Tshark.00:52:22
And that's Terminal Shark.00:52:24
If you have Wireshark installed,00:52:25
it wants to install
Terminal Shark as well.00:52:28
So if you just type in "tshark."00:52:31
So I'm actually starting to
capture traffic right now.00:52:35
So Tshark, let me make sure
you understand as well though,00:52:39
Tshark is a part of my path
variable here on my system.00:52:43
So if I just do print and I say path --00:52:47
Okay, so I actually added00:52:49
"/Applications/Wireshark.app/Contents/MacOS"
to my
system.00:52:53
You can do the same.00:52:54
If you're on a Windows system,00:52:55
you can go ahead and go
to your path variable,00:52:58
which is in your environment variables,00:52:59
and you can add its
"Program Files/Wireshark."00:53:03
That's where all of those
command line tools are installed.00:53:06
And then you'll be able to
run those command line tools00:53:08
from anywhere in your system.00:53:09
And I'll go ahead and
demonstrate a little bit00:53:12
of this for you.00:53:13
So lemme go ahead and
just see, first of all,00:53:14
what I have here in this folder.00:53:16
I have my malwareanalysis.pcap.00:53:18
I also saw reverseshell,
in case we had time for it,00:53:20
might have to do that another time.00:53:22
But anyway so, what I can do is I can say,00:53:24
"Hey, Tshark, go ahead and read in00:53:27
my first malwareanalysis.pcap, read that.00:53:32
And then from here, I can decide,00:53:34
"Do I want to take a
look at conversations?"00:53:37
Just go ahead and pull
out all the conversations.00:53:40
"Do I wanna look at user agents?"00:53:42
"Do I want to filter on
specific signatures?"00:53:45
So let me do this,
we've already seen this.00:53:47
So I'm gonna use the "-t fields."00:53:51
Okay, this is where I tell T shark,00:53:54
I want to take the field that
I'm going to indicate for you00:53:59
and either print it
here on the command line00:54:01
or copy it to a text file.00:54:03
And the field that I'm gonna
be interested in is, "-e,"00:54:07
that's how I indicate what
field I'm talking about.00:54:10
So I first say, go look at
a field. Look at this field.00:54:13
The field I'm gonna say
is "http.user_agent."00:54:21
So where I get that from,
'cause you might be thinking,00:54:23
"How do I remember that?"00:54:25
Well, remember when we
were back in the packets,00:54:27
you actually have a cheat sheet here.00:54:29
I'm gonna go to my GET,
I'm going to collapse TCP,00:54:33
open up HTTP, you see "User-Agent: curl?"00:54:36
Remember, we saw that first?00:54:38
- [David] Yeah.00:54:39
- Look down here to the
low left, http.user_agent.00:54:43
All I'm telling Tshark
is to take this field,00:54:47
pull it out and put it on my command line.00:54:50
Let's see what happens.00:54:51
So first, if I just hit this,00:54:53
it's actually gonna run
through the entire PCAP00:54:55
and you kind of saw a
couple of them blip by.00:54:58
But I don't want to
just have those blip by,00:55:00
I wanna actually isolate them.00:55:01
So what I can do is I can say "-y,"00:55:07
which is a filter, http.user_agent, okay?00:55:16
So what that does is it says filter only00:55:18
for the packets that have a user agent.00:55:21
So what I did is I focused
now only on packets00:55:23
that actually have a user agent.00:55:26
Okay, so I can see I've got a few of 'em.00:55:28
I got this Mozilla 4.0, WinHTTP, curl.00:55:31
You notice that I have a
few copies, a few doubles?00:55:35
So what I can do here is I can just say,00:55:36
okay, let me up arrow again.00:55:38
Actually, you know, I'm gonna
go ahead and use "sort."00:55:42
And what that'll do is it'll sort it,00:55:44
but it'll also, if I say "unique,"00:55:47
what that'll do is it'll only show me00:55:49
the unique user agents.00:55:51
So now I can take and run
this against a huge PCAP00:55:56
and it can pull out the user agents00:55:58
that are unique within that PCAP.00:56:00
And I'm gonna tell you,00:56:02
these ones start to jump out to you00:56:04
because all these other ones
just start to look like this,00:56:06
you start to see, okay.00:56:08
I can even run this against
a user agent checker00:56:10
just to see what type of
user agent it came from.00:56:13
But this is one way that I
can parse larger data sets.00:56:19
I could also do the same with DNS names.00:56:22
I can say, forget all of this packet,00:56:23
let me just export all of the DNS names00:56:25
that I'm scanning for, or
that are a part of that PCAP.00:56:30
Also another one that I could do,00:56:31
and this is this one's gonna
be real world everybody,00:56:33
so let's go ahead and modify this.00:56:35
In fact, you know what, let me just clear.00:56:41
All right, let's do a real world one00:56:43
that you could do right now
on your network back home00:56:46
or in your enterprise environment.00:56:49
Let's do "tshark," read. Okay.00:56:51
Let's read in the same
malware example, okay?00:56:56
And I'm gonna say, I only wanna see,00:56:59
I'm gonna say, so "-y", which is a filter,00:57:02
and I'm gonna say, "tcp.port==443."00:57:06
So I'm looking for secure web,00:57:09
and I'm going to say,
"-T," out fields again.00:57:13
And I'm gonna say, "-e,"
but this time I want the --00:57:16
Let's go back into Wireshark.
Let's go ahead and remove.00:57:19
I'm gonna show you where
I actually get this from;00:57:21
it's not just coming
from the top of my head.00:57:23
I want the version, tls.handshake.version.00:57:27
Go ahead and pull that out, "tls.," and --00:57:31
Did I spell that right,
"tls.handshake.version?"00:57:38
Okay, let's pull that out.00:57:39
I'm just gonna do a sort on
that. Let's do unique as well.00:57:44
All right. So in this
PCAP, there's only one.00:57:47
But this tells me if I come
back here, you see TLS 1.,00:57:51
so 0301 means TLS 1.0.00:57:55
So I should be seeing 304 or 303.00:57:58
So thankfully they just
count up 301 is TLS 1.0,00:58:03
302 is 1.1, 303, 3.2, or 1.2
and then 1.3, respectively.00:58:10
So if I ever see those, ooh!00:58:14
I don't wanna see some old
TLS "Client Hello" versions.00:58:18
So this is where I could start
to, if I had large data sets,00:58:22
if I had gig files, which
I could show you as well,00:58:26
maybe on another video
or if we have time now,00:58:29
how to capture and stream that00:58:30
to basically capture,
capture, capture, save;00:58:33
capture, capture, capture, save.00:58:34
And just have a whole
section of a hard drive00:58:38
full of capture data from that day.00:58:41
What I can do is I can take
this value, or this command,00:58:45
and then I can script it00:58:46
to run against all of
those different files00:58:49
and it can rip out all of
the low hanging fruit there.00:58:52
- Yeah. So Chris, can
you give us an example00:58:55
of like a large amount of data,00:58:57
because the problem with
a lot of the training,00:59:00
and that's what I love about
talking with you is, you know,00:59:02
people have these like
cookie cutter type PCAPs.00:59:06
Have you got an example with
like a crazy amount of data,00:59:08
like gigs of data that we
can just filter through?00:59:11
- Sure, 100%. Let me
go ahead and show you.00:59:14
So here on my screen, I
actually have some sample data.00:59:17
Now, of course, I can't
really ever use client data,00:59:20
to protect everybody.00:59:21
- [David] Yeah.00:59:22
- But this is a larger data set.00:59:23
If you take a look at,00:59:24
basically I call this ring buffer,00:59:26
and you can see over here the size,00:59:27
this is gig gig gig gig gig, basically.00:59:30
So we got 11 gigs of data
here or close, right?00:59:34
So I don't wanna pop open
one, go to the user interface,00:59:38
take a look at old versions of TLS00:59:41
and take a look at user agent strings00:59:43
and such things like that
on a file by file basis.00:59:48
Instead what I'd like to do
is be able to script that.00:59:52
So what I'm able to do,00:59:53
I actually created a script00:59:54
and I'll first show you how it works00:59:55
and then I'll show you how I made it.00:59:58
And again, this is all part
of the threat hunting course,01:00:00
so hopefully you guys will
check it out when we drop it.01:00:04
But basically I'm just
gonna do "./threathunt."01:00:07
And this is a script
that's gonna start running.01:00:09
Now, let me show you what this does.01:00:11
So first thing it does is it
first goes into each file.01:00:16
And the first thing it's going
to do is create a DNS folder.01:00:20
It's going to go into each
file and it's going to rip out01:00:23
just the DNS data from that folder.01:00:25
Now I could be more specific.01:00:26
If I wanted to look for a certain domain,01:00:30
if I'm just suspect of
a certain type of call,01:00:33
then I can be very specific
to that thing that I comb for.01:00:38
All right, so it's gonna rip all that out.01:00:40
And then it's going to
create a separate PCAP01:00:42
for everything it found
within each larger data set.01:00:47
After this, what it's gonna do
is merge everything together.01:00:50
And then it's just gonna
leave me with one PCAP01:00:52
that I call all DNS.01:00:55
And so now that part of
the script, what it does,01:00:59
is it pulls out all the
DNS, rips it out for me,01:01:02
and now I can just look
through that DNS traffic.01:01:04
If I wanted to be, again,01:01:05
if I wanna be more
specific, I could do that.01:01:06
Another aspect of the script is,01:01:08
we're gonna see this happen
since it's running live,01:01:11
let's give it just a minute to run.01:01:13
Okay, so this one just finished.01:01:15
So I got all DNS now,
so okay, that's done.01:01:18
And it went ahead and erased
all the other previous PCAPs.01:01:20
It did that with a tool called Mergecap.01:01:22
Next I go for strange ports.01:01:24
So I built a filter within
the script that it will say,01:01:28
"Okay, ignore port 443, port
80, some just normal ports,01:01:34
maybe port 8,000,"01:01:36
even though things can
hide in those ports.01:01:38
However, I'm looking for the
one offs, the weird ones.01:01:41
So go ahead and pull out01:01:42
all the non-normal web traffic ports01:01:45
and just show me any of those.01:01:47
And so now it's going through
and ripping all of those out01:01:50
and making separate PCAPs for me.01:01:52
Okay, it's gonna do the same thing01:01:54
for strange country codes.01:01:56
It's gonna do the same thing
for old versions of TLS.01:02:00
And so the way this happens,01:02:03
I'm gonna go ahead and stop the script.01:02:05
All right, so if I come in here,01:02:06
I'm just gonna open
this with a text editor.01:02:11
All right, so this is just
one example, everybody.01:02:13
So basically what I'm
telling it, and again,01:02:16
I'm not huge on scripting.01:02:17
This is something that I modify01:02:19
and just depending on
the environment I'm in,01:02:21
this is where I say,01:02:22
"Okay, make a directory DNS,
go ahead and pull out DNS,01:02:25
go ahead and save that to
a new DNS file," right?01:02:28
So I say, okay, "for f in rings."01:02:31
So ring is where that actual location is.01:02:34
For all the files in that folder,01:02:36
do "tshark," throw this filter at it,01:02:40
go ahead and write that to
another file with that name.01:02:45
And then you're done.01:02:46
Once you're done doing all of
those files in that folder,01:02:51
now I want you to go
and merge them together.01:02:54
Now let's Mergecap, write "alldns,"01:02:58
and your source is gonna be
everything in that folder.01:03:01
After that, remove it.01:03:03
So I just did this for DNS,
strange ports, TLS versions,01:03:07
Nmap scans, remember I told you before?01:03:09
Show me everything with a SYN, that's one,01:03:11
an ACK that's zero and
a window size of 1024.01:03:14
If I start to see a bunch of hits here,01:03:16
I'm starting to see Nmap-like signatures.01:03:20
And also countries that I'm
not typically talking to.01:03:25
So using this kind of
script, David, this is where,01:03:27
let me go back to my ring buffer,01:03:29
so this is where I can take
a large, large data set,01:03:32
and I can create different filters01:03:34
or different types of signatures01:03:36
that I'm gonna be
interested in threat hunting01:03:38
and throw it at a much larger
data set, boil that down,01:03:42
and I can start to look more
specifically at those packets.01:03:45
I'm always gonna do that though,01:03:47
in conjunction with a tool like Brim.01:03:49
Also, I can run Suricata
logs against this,01:03:52
take a look at some of
the deeper Suricata logs01:03:54
and just be able to take a large data set01:03:57
and just look at it from
more of a fire alarm level.01:04:00
- Chris, I mean, this is fantastic,01:04:01
but we don't have enough time
to go through all of this.01:04:04
This is where you're gonna
add this to the course,01:04:06
is that right?01:04:07
- This is already built in.
It's already part of course.01:04:09
- Great.01:04:10
- [Chris] So, so what I do is --01:04:11
- This is what you're teaching at DEFCON01:04:12
and other places, right?01:04:13
- Yes. I'm gonna be
teaching this at DEFCON.01:04:15
This also part of my Threat
Hunting with Wireshark course.01:04:18
Keep in mind that we built
this over several exercises.01:04:22
So, I mean, this is a lot
to take in right away.01:04:24
And again, you might be thinking,01:04:25
"Okay, what do I look for?"01:04:27
Well, in the course,01:04:28
we go and we look at
command and control traffic.01:04:31
We look at exfil traffic.01:04:33
We look at lateral movement indicators.01:04:37
In the course, what I do is
I take MITRE ATT&CK framework01:04:41
or the Cyber Kill Chain
by Lockheed Martin,01:04:43
and what those do is
they give us a picture01:04:46
of how an attack works
from start to finish.01:04:50
How does an attacker first get in?01:04:52
So in the course, once
we get to this point,01:04:54
we've already learned the
life cycle of an attack,01:04:57
and that's part of what
threat threat hunting is,01:04:59
we have to know our adversary.01:05:00
In order to be able to find an attacker,01:05:03
it's good to think like one.01:05:05
So we go through and we take a look at,01:05:08
"How does an attacker initially get in?01:05:11
What are some of the signatures of that?"01:05:12
Or, "How does it actually happen?"01:05:14
Then, "How do they move
laterally and find other systems?01:05:17
How do they discover a network?"01:05:19
Not just Nmap, but other tools.01:05:21
And, "What does that look
like on the packet level?"01:05:23
The reason why we do it is
because you now understand better01:05:26
of how that attack life
cycle actually happens.01:05:29
And you have a better understanding01:05:31
of how to find it on the wire.01:05:32
So using frameworks like MITRE
ATT&CK and Cyber Kill Chain,01:05:36
we at least get an understanding,01:05:38
"Okay, they first get in.01:05:40
Then they overcome a machine01:05:42
and then they try to move laterally.01:05:43
They try to get to the crown jewels,01:05:45
then get that important data out."01:05:49
So those are things that, again,
they can overwrite syslogs,01:05:55
they can wipe processes,
but they can't wipe packets.01:05:59
That's why Wireshark and these tools01:06:01
that we've talked about
today know as threat hunters,01:06:03
which isn't just the SOC team people.01:06:05
This is help desk. This
is network technicians.01:06:08
This is network engineers.01:06:10
Anybody that's interested in cybersecurity01:06:12
that wants to pivot over,01:06:13
you have access to those packets.01:06:15
So now it's just capturing them01:06:17
and then learning to find the
strange ones that pop out.01:06:20
- Chris, this is amazing.01:06:21
I'm really glad that you've
decided to teach this.01:06:23
And thanks for, you know,
teaching this at DEFCON,01:06:27
but also creating a course
that people can access,01:06:29
which I'll, again, link below.01:06:30
Really appreciate you
putting all this work in;01:06:32
I know it's been a journey for you.01:06:34
- Hey, I have fun. This is
great. I have a great time.01:06:36
But I wanna thank everybody
that is watching the video.01:06:39
And I just want to encourage you that,01:06:41
hey, I feel overwhelmed too.01:06:43
Sometimes I open up a PCAP01:06:44
and I initially might not
know what to look for.01:06:48
And I don't always get
to the exact right place01:06:52
just within a few clicks.01:06:54
Sometimes it takes some time.01:06:55
So be patient with yourself,01:06:58
stick to those fundamentals,
learn them well,01:07:00
and you will start to see
some strange looking traffic.01:07:05
find it and understand it with Wireshark.01:07:07
- Brilliant, Chris. Thanks so much.01:07:09
- You bet.01:07:10
(exciting music playing)Description:
The packets don't lie. You can hide processes or logs, but you cannot hide packets. Malware is a major problem in today's networks. Chris Greer is the Wireshark master. He shows us how to use Wireshark to find Malware and suspicious traffic in our networks. // PCAP download // Get the pcap here: https://malware-traffic-analysis.net//2020/05/28/index.html // Websites mentioned // ja3: https://ja3er.com If ja3er doesn't work, try this site: https://sslbl.abuse.ch/ja3-fingerprints Malware Analysis pcaps: https://malware-traffic-analysis.net //CHRIS GREER // Wireshark course: https://www.udemy.com/course/wireshark-ultimate-hands-on-course/?referralCode=4F008584C9FF58683EE9 Nmap course: https://www.udemy.com/course/getting-started-with-nmap/?referralCode=DCCC70140CF7E865310C LinkedIn: https://www.linkedin.com/in/cgreer/ YouTube: https://www.youtube.com/c/ChrisGreer Twitter: https://twitter.com/packetpioneer // David SOCIAL // Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.facebook.com/unsupportedbrowser LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/unsupportedbrowser TikTok: https://www.tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: [email protected] // MENU // 00:00 - Intro 04:24 - Sharkfest / DEFCON 05:55 - What is Threat Hunting? 07:33 - Why threat hunt with Wireshark? 10:05 - What are IOCs 10:30 - Why should we care? 12:23 - Packets/PCAPs 18:48 - 'Low hanging fruit' 21:10 - TCP Stream 27:29 - Stream 35:00 - How to know what to look for? 37:49 - JA3 Client Fingerprint 41:25 - ja3er.com 48:08 - Brim 52:20 - TSHARK 58:50 - Large Data Example 01:04:00 - Chris' Course 01:06:20 - Outro malware hacking hacker wireshark udp http https quic tcp firewall firewall quic quic firewall threat hunting hack hackers blue team red team tshark chris greer http https ssl nmap ja3 ja3 ssl ssl fingerprint nmap tutorial defcon sharkfest, acket analysis wireshark training wireshark tutorial free wireshark training wireshark tips wireshark for beginners wireshark analysis packet capture wireshark tutorial kali linux wireshark course introduction to wireshark Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Preparing download options
* — If the video is playing in a new tab, go to it, then right-click on the video and select "Save video as..."
** — Link intended for online playback in specialized players
Questions about downloading video
How can I download "Hacker hunting with Wireshark (even if SSL encrypted!)" video?
http://unidownloader.com/ website is the best way to download a video or a separate audio track if you want to do without installing programs and extensions.
The UDL Helper extension is a convenient button that is seamlessly integrated into YouTube, Instagram and OK.ru sites for fast content download.
UDL Client program (for Windows) is the most powerful solution that supports more than 900 websites, social networks and video hosting sites, as well as any video quality that is available in the source.
UDL Lite is a really convenient way to access a website from your mobile device. With its help, you can easily download videos directly to your smartphone.
Which format of "Hacker hunting with Wireshark (even if SSL encrypted!)" video should I choose?
The best quality formats are FullHD (1080p), 2K (1440p), 4K (2160p) and 8K (4320p). The higher the resolution of your screen, the higher the video quality should be. However, there are other factors to consider: download speed, amount of free space, and device performance during playback.
Why does my computer freeze when loading a "Hacker hunting with Wireshark (even if SSL encrypted!)" video?
The browser/computer should not freeze completely! If this happens, please report it with a link to the video. Sometimes videos cannot be downloaded directly in a suitable format, so we have added the ability to convert the file to the desired format. In some cases, this process may actively use computer resources.
How can I download "Hacker hunting with Wireshark (even if SSL encrypted!)" video to my phone?
You can download a video to your smartphone using the website or the PWA application UDL Lite. It is also possible to send a download link via QR code using the UDL Helper extension.
How can I download an audio track (music) to MP3 "Hacker hunting with Wireshark (even if SSL encrypted!)"?
The most convenient way is to use the UDL Client program, which supports converting video to MP3 format. In some cases, MP3 can also be downloaded through the UDL Helper extension.
How can I save a frame from a video "Hacker hunting with Wireshark (even if SSL encrypted!)"?
This feature is available in the UDL Helper extension. Make sure that "Show the video snapshot button" is checked in the settings. A camera icon should appear in the lower right corner of the player to the left of the "Settings" icon. When you click on it, the current frame from the video will be saved to your computer in JPEG format.
What's the price of all this stuff?
It costs nothing. Our services are absolutely free for all users. There are no PRO subscriptions, no restrictions on the number or maximum length of downloaded videos.