WEBVTT

0:00:04.700000 --> 0:00:06.820000
 Analyzing PCaps with Wireshark.

0:00:06.820000 --> 0:00:11.680000
 So welcome everyone to the Network Traffic
 Analysis section of this course.

0:00:11.680000 --> 0:00:15.800000
 To begin with, we're going to take
 a look at how to analyze PCaps with

0:00:15.800000 --> 0:00:22.000000
 Wireshark. The objective of this video is
 to give you some practical experience

0:00:22.000000 --> 0:00:26.540000
 with Wireshark if you haven't used it
 previously and will be going through

0:00:26.540000 --> 0:00:28.960000
 a very simple lab exercise.

0:00:28.960000 --> 0:00:32.500000
 So this video has a lab
 associated with it.

0:00:32.500000 --> 0:00:35.580000
 It's going to be the lab
 just below this video.

0:00:35.580000 --> 0:00:41.780000
 And what we're going to be doing as I said
 is loading in a PCap into Wireshark

0:00:41.780000 --> 0:00:47.740000
 and going through some basic analysis
 and we'll try and do some interesting

0:00:47.740000 --> 0:00:54.400000
 things. But the idea here is to give you
 an introduction or your, an introductory

0:00:54.400000 --> 0:01:00.440000
 foray into using Wireshark
 for analyzing PCaps.

0:01:00.440000 --> 0:01:05.500000
 And then once we've covered this or
 once we've gotten to this initial

0:01:05.500000 --> 0:01:10.240000
 introduction, we'll then move on to
 more incident response related or

0:01:10.240000 --> 0:01:17.920000
 incident response centric network analysis
 techniques or tasks that you

0:01:17.920000 --> 0:01:21.660000
 know you typically be doing
 when analyzing PCaps.

0:01:21.660000 --> 0:01:26.400000
 So I'm going to start up my lab and
 I'll see you in the lab environment

0:01:26.400000 --> 0:01:28.600000
 in a couple of seconds.

0:01:28.600000 --> 0:01:35.680000
 Alright so I'm currently within the
 lab environment and as you can see

0:01:35.680000 --> 0:01:39.680000
 you'll be provided with access to a
 Kali Linux system with a PCaps folder

0:01:39.680000 --> 0:01:44.160000
 on the desktop that contains
 the, it contains three PCaps.

0:01:44.160000 --> 0:01:48.100000
 We'll really be focusing on one but you
 can go through you know all three

0:01:48.100000 --> 0:01:52.720000
 of them. You can see that one is called
 TCP network so it's more also

0:01:52.720000 --> 0:01:58.980000
 network, network based traffic and
 then one which is web based this is

0:01:58.980000 --> 0:02:03.120000
 HTTP basic authentication
 and then extracting files.

0:02:03.120000 --> 0:02:08.140000
 So to open up Wireshark just open up
 your whisk or your, your the whisker

0:02:08.140000 --> 0:02:15.220000
 menu here and you can just type in Wireshark
 like so and I'll just fire

0:02:15.220000 --> 0:02:18.940000
 that up and we can get
 started immediately.

0:02:18.940000 --> 0:02:24.380000
 So I'll give this a few seconds, one
 second I'm not sure why it is taking

0:02:24.380000 --> 0:02:28.980000
 a while to start up in any case
 we'll wait for that to open up.

0:02:28.980000 --> 0:02:35.100000
 Alright so once Wireshark is up and running
 you have the ability to capture

0:02:35.100000 --> 0:02:40.200000
 traffic in the form of a PCap and you
 can you know enter your capture

0:02:40.200000 --> 0:02:45.740000
 filters here but we want to go into file
 open and we'll go to the desktop

0:02:45.740000 --> 0:02:51.260000
 here under PCaps let's start off with
 HTTP basic authentication.PCAP.

0:02:51.260000 --> 0:02:56.740000
 Open this up and welcome to Wireshark
 so this is your first time you can

0:02:56.740000 --> 0:03:04.800000
 sort of rearrange the panes here like
 so and you can always go into edit

0:03:04.800000 --> 0:03:11.020000
 and preferences and you can then
 take a look at the layout here.

0:03:11.020000 --> 0:03:17.140000
 So in the the default layout is where
 you have the packet list first that's

0:03:17.140000 --> 0:03:21.320000
 the packet list pane you then have the
 packet details and then the packet

0:03:21.320000 --> 0:03:27.720000
 bytes like so and you can change the layout
 depending on your requirements.

0:03:27.720000 --> 0:03:32.120000
 So first things first you can zoom in
 and out so on your keyboard control

0:03:32.120000 --> 0:03:36.340000
 and plus that'll just make things bigger
 and you can resize the column.

0:03:36.340000 --> 0:03:40.360000
 So to begin with you have the packet
 number the timestamp right over here

0:03:40.360000 --> 0:03:45.360000
 you can change that format and then
 the source IP the destination IP the

0:03:45.360000 --> 0:03:50.580000
 protocol for you know each individual
 packet here and then the length

0:03:50.580000 --> 0:03:55.600000
 and info. So you know if we start off
 with the first one we can see that

0:03:55.600000 --> 0:04:02.800000
 this is a TCP SYN request from this IP
 to this IP on port 80 okay so we're

0:04:02.800000 --> 0:04:10.980000
 dealing with web server traffic right
 and you know we can see TCP HTTP

0:04:10.980000 --> 0:04:16.140000
 there's a mix of stuff going on and
 you can first things first is you

0:04:16.140000 --> 0:04:20.980000
 know if you wanted to just filter or
 if you just wanted to display the

0:04:20.980000 --> 0:04:26.420000
 HTTP related packets or HTTP packets
 you type in right over here in your

0:04:26.420000 --> 0:04:31.320000
 display filter HTTP like so and now
 it's going to limit that so it gets

0:04:31.320000 --> 0:04:36.760000
 rid of the underlying TCP packets over
 there so let me just resize this

0:04:36.760000 --> 0:04:39.440000
 a little bit so things are clearer.

0:04:39.440000 --> 0:04:44.380000
 You can see we have a get request here
 for the resource password okay

0:04:44.380000 --> 0:04:49.300000
 dot PHP now one more thing I would
 like to point out is if you go into

0:04:49.300000 --> 0:04:52.960000
 your preferences here and you take a
 look at the columns you can actually

0:04:52.960000 --> 0:04:56.780000
 add more columns depending on your
 requirements or the amount of info

0:04:56.780000 --> 0:05:01.860000
 you want to display or you want displayed
 and if you wanted to modify

0:05:01.860000 --> 0:05:06.840000
 the time format here you can just double
 click on that there and you can

0:05:06.840000 --> 0:05:13.080000
 say for example you know UTC UTC time
 like so and then just hit okay and

0:05:13.080000 --> 0:05:19.980000
 now you have it in UTC time like so
 and you can also let me just cover

0:05:19.980000 --> 0:05:28.500000
 one more thing here yeah so columns
 yeah you can add a new column and

0:05:28.500000 --> 0:05:34.820000
 let's say you wanted this to display
 the source port you can then select

0:05:34.820000 --> 0:05:41.860000
 that so source port like so and then
 you hit okay and now that's going

0:05:41.860000 --> 0:05:47.500000
 to be added so let me see there we are
 so you can now drag this to where

0:05:47.500000 --> 0:05:52.280000
 you want it so maybe here this is a
 good place so there we are so Wireshark

0:05:52.280000 --> 0:05:56.600000
 is very flexible in this regard
 now and you take a look at the packet

0:05:56.600000 --> 0:06:01.960000
 details you can sort of see you know
 encapsulated in the packet you have

0:06:01.960000 --> 0:06:07.160000
 all the seven layers or the layers
 that are applicable to the protocol

0:06:07.160000 --> 0:06:11.220000
 or the the protocol of the packet you're
 analyzing so you know you have

0:06:11.220000 --> 0:06:18.860000
 your data link layer network layer transport
 layer and then application

0:06:18.860000 --> 0:06:25.040000
 layer so in this case it's HTTP and
 we can see the get request here and

0:06:25.040000 --> 0:06:30.940000
 we can see in this case the get request
 is specific to a file called or

0:06:30.940000 --> 0:06:36.260000
 you know a get request is made to the
 remote server for password okay

0:06:36.260000 --> 0:06:42.640000
 dot PHP and there we are so you can
 see the response actually hold on

0:06:42.640000 --> 0:06:49.500000
 yeah there we are so you can see that
 there in addition to filtering for

0:06:49.500000 --> 0:06:54.140000
 you know specific protocol you can
 also you know specify or use the IP

0:06:54.140000 --> 0:07:02.500000
 address filter here and specify an IP
 address you know specify that you

0:07:02.500000 --> 0:07:07.380000
 want to display packets pertinent to
 a specific IP address in terms of

0:07:07.380000 --> 0:07:13.000000
 both you know packets to and from the
 IP address so we can say 192.168

0:07:13.000000 --> 0:07:19.280000
.0.4 here and that'll only display you
 know packets pertinent to that IP

0:07:19.280000 --> 0:07:25.200000
 now if you wanted to say IP dot source
 you can do that you know as shown

0:07:25.200000 --> 0:07:30.860000
 here so you can specify you know you can
 limit the results what's displayed

0:07:30.860000 --> 0:07:36.840000
 here to just the packets whose source
 is the following IP so 192.168.0

0:07:36.840000 --> 0:07:42.000000
.4 and now you'll see you know only
 display packets where the source

0:07:42.000000 --> 0:07:47.540000
 is the IP you've provided here and then
 you can also utilize logical operators

0:07:47.540000 --> 0:07:57.480000
 like AND and say for example HTTP one
 second I believe I need to do this

0:07:57.480000 --> 0:08:04.020000
 and HTTP like so so that'll you know
 you're combining filters and now

0:08:04.020000 --> 0:08:11.400000
 we have packets HTTP packets where
 the source IP address is 192.168.0

0:08:11.400000 --> 0:08:16.480000
.4 okay so that's some basic display
 filters that you can use to look for

0:08:16.480000 --> 0:08:20.880000
 you know what you're looking for then
 we can say TCP dot port if you wanted

0:08:20.880000 --> 0:08:26.220000
 to just you know filter by port so
 we can say TCP port is equal to 80

0:08:26.220000 --> 0:08:31.160000
 and so we're going to display you know
 that particular traffic so and

0:08:31.160000 --> 0:08:36.740000
 you can then again combine this with
 HTTP for example and there we are

0:08:36.740000 --> 0:08:42.780000
 so one of the tasks associated with
 this particular lab is the process

0:08:42.780000 --> 0:08:47.700000
 of reconstructing a file so for example
 here for the get request right

0:08:47.700000 --> 0:08:53.540000
 over here being made to the web server
 whose IP address is listed here

0:08:53.540000 --> 0:08:57.400000
 you can see get request is being made
 for a file called pass-a-dokay.php

0:08:57.400000 --> 0:09:03.380000
 we can right click and follow the HTTP
 stream to actually view or have

0:09:03.380000 --> 0:09:09.080000
 Wireshark reconstruct the HTTP request
 and response and you can see this

0:09:09.080000 --> 0:09:12.920000
 is the entire conversation has been
 reconstructed here so we have the

0:09:12.920000 --> 0:09:17.760000
 get request being made by the following
 you know the IP that we saw there

0:09:17.760000 --> 0:09:25.080000
 192 168.4 and the response here where
 you know the web server responded

0:09:25.080000 --> 0:09:29.640000
 with a 401 authorization required and then
 displayed you know this particular

0:09:29.640000 --> 0:09:35.980000
 web page right over here so as I said
 one of the tasks or really the only

0:09:35.980000 --> 0:09:48.340000
 task of this lab is PCAP so in this
 case what if we wanted to export to

0:09:48.340000 --> 0:09:52.840000
 this particular web page well let's
 go ahead and close this here and now

0:09:52.840000 --> 0:09:56.600000
 we're going to file with that packet
 still highlighted and we go to export

0:09:56.600000 --> 0:10:05.500000
 objects and HTTP you can see that these
 are all the the files that Wireshark

0:10:05.500000 --> 0:10:09.740000
 was able to ascertain so packet 43 that's
 the one we highlighted the file

0:10:09.740000 --> 0:10:16.420000
 name is pass-a-dokay.php we can save
 that onto our desktop here and now

0:10:16.420000 --> 0:10:20.400000
 you'll see the power of Wireshark we can
 literally get files just from a

0:10:20.400000 --> 0:10:25.820000
 you know from a PCAP so there we are
 we have the password ok.php file

0:10:25.820000 --> 0:10:29.780000
 and indeed it looks like the entire file
 that was returned in the response

0:10:29.780000 --> 0:10:35.560000
 and this is a great way you know if traffic
 is being captured on a network

0:10:35.560000 --> 0:10:39.940000
 and you know certain addresses are
 being visited and those websites go

0:10:39.940000 --> 0:10:45.360000
 down if they were malicious you still
 have these traces of evidence I

0:10:45.360000 --> 0:10:49.720000
 think we should be able to open this
 up with Firefox actually no it's

0:10:49.720000 --> 0:10:55.840000
 a PHP file in any case that's how you
 can do that there now we can also

0:10:55.840000 --> 0:10:59.340000
 try and open up some of the other PCAPs
 here like for example extracting

0:10:59.340000 --> 0:11:05.460000
 files dot PCAP and in this case let
 me get rid of the TCP stream equals

0:11:05.460000 --> 0:11:10.820000
 zero and we have a bit more information
 here or different types of packets

0:11:10.820000 --> 0:11:16.600000
 so we also have DNS so you can actually
 use the display filter DNS to

0:11:16.600000 --> 0:11:21.540000
 just display DNS packets so here you
 can see domain name system query

0:11:21.540000 --> 0:11:26.740000
 the flag is a standard query and if
 we take a look at the user datagram

0:11:26.740000 --> 0:11:32.360000
 protocol you know which DNS operates
 on one second so if we take a look

0:11:32.360000 --> 0:11:37.100000
 at DNS the query so in this case the
 address was that's being resolved

0:11:37.100000 --> 0:11:44.040000
 or attempted to be resolved is packet
 pioneer dot com so we can see that

0:11:44.040000 --> 0:11:47.720000
 there and then we have the so that's
 the request or the query and then

0:11:47.720000 --> 0:11:52.300000
 the response here so it should actually
 give us the IP address right over

0:11:52.300000 --> 0:11:56.200000
 here the A address for that so this
 you know this is the type of info

0:11:56.200000 --> 0:12:03.380000
 you can get in here now we can see that
 there's a PNG file here so that

0:12:03.380000 --> 0:12:08.660000
 that was part of a response if we wanted
 to export it we can do so you

0:12:08.660000 --> 0:12:14.500000
 know just by going into file export objects
 and HTTP now if you're trying

0:12:14.500000 --> 0:12:21.300000
 to export file from you know specific
 to a or from a specific type of

0:12:21.300000 --> 0:12:26.980000
 packet or a packet with a specific protocol
 like as you saw the SMB then

0:12:26.980000 --> 0:12:31.500000
 you need to select that accordingly
 so we have the PNG here and we can

0:12:31.500000 --> 0:12:36.340000
 also just save it and go into the desktop
 save it there and that should

0:12:36.340000 --> 0:12:41.220000
 export the PNG so this is if you remember
 when we're talking about network

0:12:41.220000 --> 0:12:46.820000
 data types or data sources as it were
 this is the thing that I pointed

0:12:46.820000 --> 0:12:50.960000
 out with PCAPs now the disadvantage or
 the consideration that I also pointed

0:12:50.960000 --> 0:12:55.120000
 out is because it's capturing everything
 or a lot more information like

0:12:55.120000 --> 0:13:00.880000
 you know images web pages etc PCAPs can
 be quite large and we can actually

0:13:00.880000 --> 0:13:07.540000
 see this here how big is this exactly
 that's not that large but just a

0:13:07.540000 --> 0:13:12.660000
 few requests and you're getting you know
 it starts getting into megabytes

0:13:12.660000 --> 0:13:17.940000
 and so on and so forth so we extracted
 that PNG let's just see if we can

0:13:17.940000 --> 0:13:24.860000
 open it up so there we are we get the
 image and that's the extracting

0:13:24.860000 --> 0:13:29.260000
 files PCAP again these are very very simple
 just there to get you comfortable

0:13:29.260000 --> 0:13:34.920000
 with Wireshark we can also try the TCP
 network dot PCAP file here this has

0:13:34.920000 --> 0:13:40.420000
 you know much more robust types of
 packets in terms of the protocol so

0:13:40.420000 --> 0:13:44.480000
 you have TLS here so this means it
 will be encrypted so if we actually

0:13:44.480000 --> 0:13:50.120000
 right click and say follow TLS stream
 actually that'll not work let's

0:13:50.120000 --> 0:13:55.080000
 go ahead and say follow TCP stream you'll
 see it's all encrypted so this

0:13:55.080000 --> 0:14:01.360000
 is why SSL certs are very important and
 you know why attackers now you know

0:14:01.360000 --> 0:14:07.240000
 even for their C2s are actually using
 TLS certs so that you know the traffic

0:14:07.240000 --> 0:14:11.220000
 being sent to and from the target system
 or target systems is encrypted

0:14:11.220000 --> 0:14:18.420000
 so yeah you can go ahead and you know
 go through these these different

0:14:18.420000 --> 0:14:22.240000
 PCAPs and play around with the filters
 here there's quite a few filters

0:14:22.240000 --> 0:14:25.340000
 that you can use of course I've just
 covered a couple of them but we'll

0:14:25.340000 --> 0:14:29.940000
 be building we'll be building on this
 you know when we get into some other

0:14:29.940000 --> 0:14:36.200000
 lab demos you know specifically focused
 on network traffic analysis so

0:14:36.200000 --> 0:14:40.720000
 that brings us to the end of the practical
 demonstration section of this

0:14:40.720000 --> 0:14:46.460000
 video all right so that was how to analyze
 PCAPs with Wireshark again very

0:14:46.460000 --> 0:14:50.860000
 very basic just getting the ball rolling
 now that you've got that initial

0:14:50.860000 --> 0:14:55.980000
 foray I feel you know a lot more comfortable
 with moving on to some more

0:14:55.980000 --> 0:15:05.700000
 as as I mentioned earlier more you
 know forms of analysis or ones that

0:15:05.700000 --> 0:15:09.320000
 you know you'll you'll frequently be
 dealing with so with that being said

0:15:09.320000 --> 0:15:14.720000
 that's going to be it for this video
 and I will be seeing you in the next

