Wednesday, March 1, 2017

Cyber Security Analyst (Part 2 of 3)

PCAP Data Analysis

This series covers analyzing the common data types found in cyber security incidents: NetFlow, domain(s) and IP address(es), and PCAP. Each post follows the same format: Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.



The information in this post is designed to help people analyze PCAP data. Many programs can automate the manipulation and organization of PCAP data for the end user, but I believe it is always a good idea to know how to perform these tasks manually, because every environment is different. For the purpose of this post we'll cover the use of the open source PCAP analysis tool Wireshark.


Tools
The tool used in this post, Wireshark, is free and open source and runs on Linux and Windows.



Background
Having a working understanding of PCAP display filters is essential to being able to read PCAP data.

A. Wireshark Filters [1]
1. HTTP header information
  • Description: used to analyze the packet's HTTP header information
  • Syntax:
    • http."option"
    • Commonly used "option(s)"
      • http.user_agent
      • http.response
      • http.connection
2. TCP session information
  • Description: used to analyze the packet's TCP session information
  • Syntax:
    • tcp."option(s)"
    • Commonly used "option(s)"
      • tcp.analysis.flags
      • tcp.flags
      • tcp.srcport
3. SSL connection
  • Description: used to determine whether an SSL connection was established.
  • Syntax:
    • ssl."option(s)"
    • Commonly used "option(s)"
      • ssl.handshake
4. System communications
  • Description: used to determine who the system is trying to communicate with and how often.
  • Syntax:
    • dns."option(s)"."option(s)"
    • Commonly used "option(s)"
      • dns.qry.name
      • dns.resp.addr
      • dns.resp.name
5. Text search
  • Description: used to search for specific text inside of a packet.
  • Syntax:
    • frame contains "text"
    • Common text to search for
      • "Dos"
      • ".exe"



Concepts & Techniques
Two things to look for in PCAP data as signs of potential malicious activity are magic numbers and Base64.

A. Magic Numbers [2]
Magic numbers are common in programs across many operating systems. They implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at run time. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.
  • GIF image file:
    • ASCII code
      • "GIF89a" (47 49 46 38 39 61)
      • "GIF87a" (47 49 46 38 37 61)
  • JPEG image file:
    • Begins with "FF D8" and ends with "FF D9"
  • PostScript file:
    • Starts with "%!" (25 21)
  • MS-DOS exe file:
    • Starts with
      • "MZ" (4D 5A)
      • "ZM" (5A 4D), which is NOT as common
B. Base64 [3]
Base64 is a group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. Base64 encoding schemes are commonly used when binary data needs to be stored and transferred over media that are designed to deal with textual data. This is done to ensure that the data remains intact, without modification, during transport.
  • Characters: [A-Z], [a-z], [0-9], [+], [/]
  • Padding:
    • "==" indicates that the last group contained only 1 byte.
    • "=" indicates that it contained 2 bytes.
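As an added example (not code from the original post), the following Python script applies sections A and B together to a constructed HTTP body: it checks a blob's leading bytes against the magic numbers listed above, then finds Base64 runs, decodes them, derives the final group's byte count from the padding, and checks the decoded data for a magic number. The sample body, its Base64 run-length threshold of 16 characters and the regular expression are all assumptions made for this example.

```python
import base64
import binascii
import re

# Magic numbers from section A, checked against the leading bytes of a blob.
MAGIC_PREFIXES = [
    ("GIF89a image", b"GIF89a"),
    ("GIF87a image", b"GIF87a"),
    ("PostScript file", b"%!"),
    ("MS-DOS executable (MZ)", b"MZ"),
    ("MS-DOS executable (ZM, uncommon)", b"ZM"),
]

def identify_magic(blob):
    """Return the file type suggested by the blob's magic number, or None."""
    for label, prefix in MAGIC_PREFIXES:
        if blob.startswith(prefix):
            return label
    # JPEG is identified by both ends: FF D8 at the start, FF D9 at the end.
    if blob.startswith(b"\xff\xd8") and blob.endswith(b"\xff\xd9"):
        return "JPEG image"
    return None

# A run of Base64 alphabet characters (16 or more, to skip ordinary words) plus
# optional padding; the lookbehind stops a match from starting in the middle of a run.
BASE64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")

def scan_payload(payload):
    """Check the payload's own magic number, then decode embedded Base64 runs and check those."""
    embedded = []
    for match in BASE64_RUN.finditer(payload):
        token = match.group(0)
        if len(token) % 4:          # valid Base64 is always a multiple of 4 characters
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Padding gives the byte count of the final group: "==" -> 1, "=" -> 2, none -> 3.
        last_group_bytes = 3 - token.count(b"=")
        embedded.append((token.decode("ascii"), identify_magic(decoded), last_group_bytes))
    return {"payload_type": identify_magic(payload), "embedded": embedded}

# Constructed sample: an HTTP response body carrying a Base64-encoded MS-DOS executable stub.
SAMPLE_HTTP_BODY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"payload=" + base64.b64encode(b"MZ\x90\x00This program cannot be run in DOS mode.") + b"\r\n"
)

if __name__ == "__main__":
    print(scan_payload(SAMPLE_HTTP_BODY))
```

The same idea carries over to Wireshark: export a suspicious HTTP object or TCP stream and run the script over it, or use "frame contains" with the hex bytes of a magic number as the search text.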




References 
  1. Wireshark Filters
  2. Magic Numbers
  3. Base64




Recommended Reading and/or Videos
  • Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
  • Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
 
Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec
