7.2 TCPReplay Part 2


Time: 3 hours 10 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
All right. So let's get started with our demo of replaying traffic onto a standalone server with tcpreplay.
00:11
So the
00:14
website that we're grabbing our pcap from is malware-traffic-analysis.net.
00:19
This one was released on,
00:22
uh, 2019-05-02. And the
00:26
name of this
00:29
exercise is BeguileSoft, which is the fictional company that this occurred at. So we have a pcap. Here we scroll down, we have a quick screen capture of Wireshark
00:41
and we have a scenario.
00:44
So looking at this pcap, what they have tasked us to do is
00:50
find out
00:53
this information right here.
00:55
So we have our executive summary: on 2019-05-02 at such and such time, a Windows host used by such and such person was infected with what?
01:04
Then we want to know the details of the infected host and some of the indicators of compromise, and the information that we're given is up here in the scenario. So we know the LAN segment range, the domain, domain controller, gateway and broadcast address.
01:23
So let's get started with this, and we will be replaying this onto the
01:30
server that I have on my virtualization server.
01:33
That's the standalone one that we built. And we will be doing the analysis on the
01:40
server that we built on my desktop.
01:46
So we want to grab the
01:49
URL,
01:51
so, copy link location,
01:53
and we come over to a terminal session to the
01:57
standalone server. We just do wget
02:00
and then the
02:02
URL.
02:04
That'll download it automatically for us. ls, and magically, there.
02:08
And it is zipped right now, so we want to.
02:12
Not girl.
02:17
Okay,
02:20
now all pcaps from malware-traffic-analysis.net are password protected. You can get the password by going into the About page. I already know what it is: infected.
02:34
Okay,
02:36
so do ls again. And
02:38
it has shown up, the unzipped version,
02:43
So we want to do
02:46
sudo. Well, first things first, let's make sure that all of our services are ready.
03:02
Okay. Looking over this real quick, it looks like everything's fine. Um,
03:08
all of our statuses up here are OK. We know that this right here is our
03:16
ah, NIC, that we'll be replaying onto. So just copy that real quick.
03:23
Get out of there. Now let's do sudo tcpreplay.
03:30
Yeah, I spelled that correctly.
03:34
We want to do -i for interface.
03:37
I want to do it on the e m p zero as a
03:40
and we're putting the -t option in there; that replays it at top speed. If you don't do the -t
03:51
and you just leave it blank, then it'll replay the pcap at the speed at which it was gathered.
03:58
So if this pcap took place over six hours, then we'll be waiting here for six hours for this to play back onto our NIC, and I don't have that kind of time. So we're just doing -t.
04:11
Then we'll do 2000, tab complete. There we go.
04:15
So just hit. Enter.
04:18
Okay.
04:21
So everything was played out there: 8763 attempted packets and successful packets,
04:30
so
04:31
we should be good to go here. Let's jump over to our analysis machine. It has logged out on us, so
04:40
or locked on us, I should say.
04:43
All right, so to connect, we go to Applications,
04:49
you want to connect to
04:54
how were
04:55
Web interface
04:57
now if we were working on our
05:02
If
05:04
if we were doing all of the analysis on this VM, then we could just connect to localhost. But we want to connect to our
05:15
huh
05:15
non-local machine. In this case, it's 192.168.0.61.
05:23
First thing we want to take a look at is Kibana.
05:30
Carl and my password. Okay,
05:42
take a moment to log in,
06:10
All right? And it does not look like our
06:16
logs have shown up yet in here.
06:26
Give it a second. Okay, there we go.
06:30
Because it just hadn't loaded on the home page quite yet.
06:43
Even better, I just blind either of those two possibilities is
06:48
possible.
06:50
All right, so
06:54
we replayed this with tcpreplay, and we have all of these alerts; a lot of these are coming from the operating system itself, so OSSEC, cron,
07:04
things like that.
07:05
So
07:10
we need a good starting point. And since we know that something happened on here, but we don't know what,
07:15
let's see what Snort was able to catch
07:18
we'll come over to NIDS, so network intrusion detection system.
07:24
And we have four alerts here
07:28
Looking down here a little bit, we have classification: network Trojan was detected
07:32
and potential corporate policy violation.
07:36
Scroll down a bit.
07:39
Okay. So, alert summary. We have 3 for Trojan HawkEye Keylogger FTP
07:46
and one for DNS update from external net.
07:48
Now, this one is more of a policy, uh, rule.
07:53
So if you care about this, then
07:56
you'd definitely look into it more.
07:58
But in this case, we
08:00
don't. So
08:03
looking at these three up here, we care a lot more about these.
08:07
So, the
08:09
things that we were tasked with
08:13
is this information right here.
08:16
Let's pull up our Notepad++ and throw it in here and
08:22
just take some notes on what we're finding because we're already finding some interesting stuff.
08:28
Okay, so we know everything is coming from this source IP address.
08:33
So we will filter for this value
08:37
and to make it persistent across our dashboards, we will pin it.
08:46
Okay. So what we have: our first source IP address,
08:50
our infected host.
08:52
That was
08:54
Tenn 0.0. That 0 to 27.
09:03
We have these three IP addresses for destination IPs; those are likely some sort of FTP server.
09:31
All right?
09:37
And we also know that we have a Trojan HawkEye Keylogger FTP,
09:43
so
09:45
such and such host was infected with
09:56
*** Keylogger FTP, or HawkEye
10:03
climb. I'm kind of curious in these. So
10:09
let's see if we can dig a little bit deeper into these particular alerts, just filtering for those.
10:16
If we scroll all the way down, we see a bit more information
10:22
that we should already know
10:24
down here are the
10:26
complete logs.
10:28
We can expand those. And just right off the bat, we see it's over port 21, which
10:33
is typically for FTP.
10:37
All right, so just looking through here,
10:41
not seeing a whole lot of new information. We
10:43
have a
10:45
reference URL that we could look at.
10:50
Let's see what happens when we click this ID.
10:54
All right, so this will allow us to pivot over to CapMe, which will
11:00
hold the packets that
11:03
triggered the alert and,
11:07
uh,
11:09
put them into a nice stream for us to view.
11:11
And it will also show us the IDS rule that triggered.
11:16
So in this case, this is the IDS rule. Well, we have alert TCP, our home network,
11:22
any, to external network over port 21. Our home network should just be the RFC 1918 private internal IP addresses,
11:31
and our message is ET TROJAN HawkEye Keylogger FTP, looking for an established flow to the server, the content of STOR HawkEye, nocase, and the
11:41
PCRE, so a regular expression with keylogger in it.
11:46
We have a reference MD5 checksum. Google that, and we could probably find something interesting,
11:54
then class type trojan-activity. So everything here is just rule information.
12:01
Let's look through our
12:03
information down here, our TCP stream that was reassembled for us.
12:09
So
12:11
looks like
12:13
this is an FTP server with that name. See if I can throw it over here.
12:20
Okay,
12:24
Copy and paste isn't working between the two, so we'll just say 000
12:28
Web host.
12:33
Come
12:37
have a source username of Sniffer Zet. Okay.
12:43
And, well, looks like we have a password of Tribble 22. All right. That's interesting.
12:50
So
12:52
destination
12:54
backslash is your current location. Location is backslash, forward slash, I can never remember the difference, but just looking at that, that should indicate that
13:05
now this is being sent to a Linux server.
13:09
Okay. It looks like here
13:13
it is sending a text file.
13:16
Okay.
13:18
And it looks like they sent a JPEG file as well.
13:22
I wonder if we look at the other one.
13:26
Probably see more.
13:28
TCP streams. Okay.
13:31
Looks like another text file,
13:35
JPEG. Okay,
13:39
so
13:39
this is one place that we can view our
13:43
Ah,
13:46
IDS logs. Another place that we can view them is in Squert.
13:50
Just opening that up in a new tab.
13:56
All right, so this will show our OSSEC logs as well as our IDS logs.
14:05
So if we want to drill down into this
14:07
clicking on the first one, we have our rule that we looked at,
14:13
and this will give a bit more information. Looks like the country is the Netherlands.
14:20
Scroll down a bit more. We
14:24
have
14:26
the specific packet, it looks like, that triggered the
14:31
rule.
14:33
Um,
14:35
so this is not as descriptive as
14:39
it is when we look in CapMe. But it's still a very good starting point. I've found some pretty interesting things in the past looking through Squert.
14:52
Then there's one more place that we can look for IDS logs,
14:58
and that is in Sguil.
15:00
We come down to
15:01
out there,
15:05
scroll down a bit. We go to Sguil,
15:13
take a moment to load.
15:18
Okay, so
15:20
now this will be connecting directly to the Sguil database. So
15:24
as I've mentioned before, we are connecting to a Sguil database that is external to this particular virtual machine. If we were connecting to one on this machine, then this would just be localhost. In this case, it's 192.168.0.61, password of Carl, excuse me, username of Carl,
15:41
My password.
15:46
All right. It's asking what interfaces we want to monitor; we'll say ho
15:54
and load up for us.
15:58
All right, so once again we have all of our OSSEC logs, and then our network IDS logs.
16:07
we come in here,
16:11
we have
16:12
information that is very similar to what we would see in Sguil,
16:18
Squert, excuse me.
16:22
Um, and then we do have
16:23
querying possibilities in here. So if you want to query by IP, or query on event message, we can,
16:32
for our purposes in here, we're getting a lot more information out of Kibana. So let's stick with Kibana.