Packet Capture Analysis

GrepMan

n00b
Joined
Apr 7, 2013
Messages
1
Hey Everyone. I have a team working on analyzing a packet capture file for a practice case we've been given by our club.

We have 2 .PCAP files. We have to figure out whether our company's server has been compromised, and which data the attacker had access to, and which attack has been used, and have to figure out what the attacker took. The problem is that we do not have in-depth knowledge in analyzing packet capture data. We suspect that the attacker had connected to a few specific ports and had access to http, https, and ssh. But the problem is that we do not know what method the attack used to get in, and we don't know exactly what the attacker had access to, viewed, or downloaded from or to the company's server. We have already opened up the PCAP files in wireshark and run filters but we still aren't sure about how to determine exactly what has been accessed.

Are there any freeware tools and/or tutorials that you could recommend to help us in the right direction? Any advice would be greatly appreciated.

Thanks in Advance,
GrepMan
 
Use Riverbed's Wireshark, or download a demo of Cascade Pilot.

I would suggest reading up more on Wireshark.
 
Wireshark is the best bet. Look for IPs that do not appear to be related to your network. So the first step will be attempting to figure out what IPs are yours and which are not. Then filter based on that IP in order to narrow your search to just that IP.

Do you have insider knowledge of your network? Such as x.x.x.x is the web server, x.x.x.x is the Exchange server, etc.? As it appears in your post, maybe it's just one server? This actually helps a lot. Just go through line by line looking for an anomaly. If you know what type of server it is you can figure out what ports should be open, and if data is being requested from that server on a different port that should send a red flag.
 
Another tool that can be useful in these situations is NetworkMiner from Netresec. It can parse the PCAP files and do some OS fingerprinting and put together files that were transmitted over the wire.
 
Definitely use Wireshark.

The most useful feature to me when I'm analyzing pcap (which I do all day, every day) is the Follow TCP Stream feature. When you find HTTP/SSL/FTP/anything running on TCP, right click and hit "Follow TCP Stream". This will show you all of the payloads from packets in that TCP connection. It makes it super nice and easy to analyze the various protocols and find evil.
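The two suggestions above (sort out which hosts are yours and which ports a server should be offering, then read a whole conversation's payload the way Follow TCP Stream does) can be rehearsed on a tiny capture before you point them at the real files. The script below is an added example written for this thread, not code from any of the posters or from Wireshark: it reads classic pcap with nothing but the Python standard library, reassembles each side of every TCP conversation by sequence number (so out-of-order and retransmitted segments come out in the right order, once), and flags conversations with hosts outside the local range or on server ports that are not expected. The capture it analyzes is constructed inside the script, and the local range 10.0.0.0/24, the server 10.0.0.5 and its allowed ports 22/80/443 are assumptions you would replace with your own network.

```python
import ipaddress
import socket
import struct
from collections import namedtuple

SYN, ACK, PSH = 0x02, 0x10, 0x08
Segment = namedtuple("Segment", "src dst sport dport seq flags payload")

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from classic pcap bytes; the magic number tells us the byte order."""
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if order is None or struct.unpack_from(order + "I", data, 20)[0] != 1:
        raise ValueError("expected a classic pcap of Ethernet frames (pcapng is not handled here)")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(order + "IIII", data, offset)[2]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def decode_tcp(frame):
    """Return a Segment for an IPv4/TCP frame, or None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
    payload = frame[14 + ihl + (off_flags >> 12) * 4:14 + total_len]
    return Segment(src, dst, sport, dport, seq, off_flags & 0x1FF, payload)

def follow_streams(frames):
    """Group TCP segments by conversation and reassemble each direction in sequence order, which is
    what Follow TCP Stream shows. Keying chunks by seq makes a retransmission overwrite itself."""
    convs = {}
    for frame in frames:
        seg = decode_tcp(frame)
        if seg is None:
            continue
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        pair = (a, b) if a < b else (b, a)
        conv = convs.setdefault(pair, {"client": None, "chunks": {a: {}, b: {}}})
        if seg.flags & SYN and not seg.flags & ACK and conv["client"] is None:
            conv["client"] = a                      # whoever sent the bare SYN opened the connection
        if seg.payload:
            conv["chunks"][a][seg.seq] = seg.payload
    streams = {}
    for pair, conv in convs.items():
        client = conv["client"] or max(pair, key=lambda ep: ep[1])   # no SYN captured: guess by port
        server = pair[1] if client == pair[0] else pair[0]
        data = {ep: b"".join(ch[s] for s in sorted(ch)) for ep, ch in conv["chunks"].items()}
        streams[pair] = {"client": client, "server": server, "data": data}
    return streams

def triage(streams, local_net, expected_ports):
    """Flag hosts outside local_net and server ports a known server should not be offering."""
    local, findings = ipaddress.ip_network(local_net), []
    for pair, st in streams.items():
        srv_ip, srv_port = st["server"]
        for ip, _port in pair:
            if ipaddress.ip_address(ip) not in local:
                findings.append(f"external host {ip} in conversation with {srv_ip}:{srv_port}")
        if srv_ip in expected_ports and srv_port not in expected_ports[srv_ip]:
            findings.append(f"unexpected service port {srv_port} on {srv_ip}")
    return findings

def sample_capture():
    """Constructed capture: an internal HTTP fetch (reply out of order, partly retransmitted) and an
    external host connecting to a port the web server is not meant to offer."""
    srv, cli, ext = "10.0.0.5", "10.0.0.20", "203.0.113.7"
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    hdr, body = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n", b"hello"
    frames = [
        tcp_frame(cli, srv, 40001, 80, 1000, 0, SYN),
        tcp_frame(srv, cli, 80, 40001, 5000, 1001, SYN | ACK),
        tcp_frame(cli, srv, 40001, 80, 1001, 5001, PSH | ACK, req),
        tcp_frame(srv, cli, 80, 40001, 5001 + len(hdr), 1001 + len(req), PSH | ACK, body),  # body arrives first
        tcp_frame(srv, cli, 80, 40001, 5001, 1001 + len(req), PSH | ACK, hdr),
        tcp_frame(srv, cli, 80, 40001, 5001, 1001 + len(req), PSH | ACK, hdr),              # retransmission
        tcp_frame(ext, srv, 51000, 3306, 7000, 0, SYN),
        tcp_frame(srv, ext, 3306, 51000, 9000, 7001, SYN | ACK),
    ]
    return build_pcap(frames)

if __name__ == "__main__":
    streams = follow_streams(read_pcap(sample_capture()))
    for st in streams.values():
        print(st["client"], "->", st["server"], st["data"])
    print(triage(streams, "10.0.0.0/24", {"10.0.0.5": {22, 80, 443}}))
```

Run as is, it prints both conversations with their reassembled payloads and the two findings for the external host. For your own files, pass the bytes of the .pcap to read_pcap(); Wireshark saves pcapng by default, which this parser does not read, so export as classic pcap first. The reassembly is deliberately simple (no sequence-number wraparound, no IPv6), which is enough to see how Follow TCP Stream arrives at the text it shows you.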
 
Sounds like he knows how to open the files in Wireshark... he just needs help learning how to analyze it.
 
I can't say I know the best place to go, but in order to understand the Wireshark captures, you'll need to know how the TCP/IP stack and ethernet works, as well as any protocols involved with the services on your servers and network devices.

Digging through my list of bookmarks, here's a few things I come up with that might be a good starting point:

http://www.techrepublic.com/article/exploring-the-anatomy-of-a-data-packet/1041907

http://www.firewall.cx/networking-topics/the-osi-model/179-osi-data-encapsulation.html

http://www.firewall.cx/networking-topics/protocols.html

http://www.firewall.cx/networking-topics/ethernet/ethernet-frame-formats.html

http://www.cisco.com/warp/public/105/encheat.pdf

All of this is fairly academic however, and if you already know the above but don't know where to start with your analysis, I'd say you should start by identifying IPs and MACs on the captures, applying filters, and looking for anything suspect. Particularly pay attention to ARP broadcasts for signs of poisoning (man-in-the-middle attack) and strange TCP requests from outside devices that don't already have an established TCP stream. There are other possible security issues residing within DHCP requests and the like, but I don't have any formal security or penetration testing training so I can't advise much beyond that.
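For the ARP poisoning check mentioned above, here is an added example (written for this thread, not the poster's own code) that works on a tshark field export rather than on raw frames, so it can be run against a large capture without loading it into the GUI. It looks for the three things that give poisoning away: a sender IP whose MAC changes mid-capture, replies that nobody asked for, and one MAC answering for more than one address. The export lines in SAMPLE_EXPORT are constructed for the example; the tshark command in the comment uses the real ARP field names, and the addresses and MACs are made up.

```python
from collections import defaultdict

# Constructed sample in the shape of a tshark field export (tab separated), as produced by:
#   tshark -r capture.pcap -Y arp -T fields -e frame.time_relative -e arp.opcode \
#          -e arp.src.proto_ipv4 -e arp.src.hw_mac -e arp.dst.proto_ipv4
# Opcode 1 = request, 2 = reply. Addresses and MACs are made up for the example.
SAMPLE_EXPORT = """\
0.000\t1\t10.0.0.20\taa:bb:cc:00:00:20\t10.0.0.1
0.001\t2\t10.0.0.1\taa:bb:cc:00:00:01\t10.0.0.20
5.000\t1\t10.0.0.5\taa:bb:cc:00:00:05\t10.0.0.1
5.001\t2\t10.0.0.1\taa:bb:cc:00:00:01\t10.0.0.5
12.300\t2\t10.0.0.1\tDE:AD:BE:EF:00:99\t10.0.0.20
12.301\t2\t10.0.0.20\tde:ad:be:ef:00:99\t10.0.0.1
"""

def parse_arp_export(text):
    """Turn the tab-separated export into dicts; MACs are lower-cased so case cannot hide a match."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, opcode, sender_ip, sender_mac, target_ip = line.split("\t")
        rows.append({"t": float(t), "opcode": int(opcode), "sender_ip": sender_ip,
                     "sender_mac": sender_mac.lower(), "target_ip": target_ip})
    return rows

def find_arp_anomalies(rows):
    """Three signs of ARP poisoning: a sender IP whose MAC changes mid-capture, a reply nobody
    asked for, and one MAC answering for several IPs (typically the gateway and a victim)."""
    mac_for = {}                  # sender IP -> MAC most recently seen for it
    outstanding = set()           # IPs that have been asked for and not yet answered
    ips_by_mac = defaultdict(set)
    findings = []
    for r in rows:
        ip, mac, t = r["sender_ip"], r["sender_mac"], r["t"]
        if r["opcode"] == 1:
            outstanding.add(r["target_ip"])
        elif ip in outstanding:
            outstanding.discard(ip)
        else:
            findings.append(f"t={t}: unsolicited ARP reply from {ip} ({mac})")
        if ip in mac_for and mac_for[ip] != mac:
            findings.append(f"t={t}: {ip} moved from {mac_for[ip]} to {mac}")
        mac_for[ip] = mac                 # requests carry sender info too, so track both opcodes
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_export(SAMPLE_EXPORT)):
        print(finding)
```

On the sample this reports the two unsolicited replies, the two address moves, and the one MAC claiming both 10.0.0.1 and 10.0.0.20. Treat an unsolicited reply on its own as a lead rather than a verdict, since gratuitous ARP is normal after a DHCP lease, a failover or a VM migration; the MAC change on the gateway address combined with one MAC claiming several IPs is the pattern worth chasing. Wireshark performs a similar duplicate-address check itself, and the display filter arp.duplicate-address-detected will show you the frames it flagged.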
 