Advanced Wireshark Network Forensics - Part 2/3
- Published: 12 Sep 2024
- So, in this scenario, we are told there is a system on the network infested with malware. For some reason the anti-virus on the computer didn't detect it, and the malware has managed to lock up the system. We don't have access to the hard drive, but we do have a full network packet capture of the incident. We already know the IP of the infected host, which gives us a good starting point.
Scenario pcaps:
github.com/Net...
Below is the file typed up in the video (slightly modified):
`Network Forensics (Wireshark)`
1. Create a new text file to document findings. Copy and paste the table below.
1.1. Where did the user contract the malware from?
1.2. Can we obtain a copy of the malware file?
1.3. What kind of calls to the internet does it make?
1.4. Does it try to self-propagate through the internal network?
1.5. Possible network traffic signatures.
2. Open the PCAP with Wireshark and add two new columns to assist the investigation.
2.1. Right-click any column > Preferences: (Title=Stream ID, Fields=tcp.stream), (Title=Host, Fields=http.host)
3. Further details are not covered here, but below is example output from following the steps above.
1.1. Where did the user contract the malware from?
Victim IP = 12.183.1.55
puskovayaustanovka.ru/pusk.exe
No User-Agent
1.2. Can we obtain a copy of the malware file?
We have it!
MD5: fbe86fe4bd273ba11ee09799994c9e93 dump2
SHA256: 7fdf98dbacfb45ed800b4ba66bb0887aa7e8529b4fb36bda63d28e1010fbd9d1 dump2
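Obtaining the file from the capture means carving the HTTP response body out of the reassembled TCP stream, checking its magic bytes against a file-signature list, and hashing it so the values above can be compared with other sources. The following is an added example, not code from the video; the HTTP response and its body are constructed here, so the hashes it produces are not those of the real pusk.exe, and the small magic-number table is an assumption drawn from public file-signature lists.

```python
import hashlib
import re

# Constructed sample: a minimal HTTP/1.1 response as it would appear when an
# executable is fetched over port 80. Assumption: Content-Length is present and
# correct (the usual case for a static file download).
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + SAMPLE_BODY
)

# A few well-known magic numbers (assumed subset of the public signature lists).
MAGIC = {
    b"MZ": "Windows executable (PE/MZ)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also docx/xlsx/jar)",
}


def carve_http_body(raw: bytes) -> bytes:
    """Split one HTTP response at the header/body boundary and return the body,
    truncated to Content-Length when that header is present (so trailing bytes
    from a following pipelined response are not included)."""
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        raise ValueError("no HTTP header terminator found")
    headers, body = raw[:sep], raw[sep + 4:]
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", headers)
    if m:
        body = body[: int(m.group(1))]
    return body


def identify(body: bytes) -> str:
    """Name the file type from its leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    return "unknown"


def hashes(body: bytes) -> dict:
    """MD5 and SHA256 of the carved bytes, as recorded in the findings."""
    return {
        "md5": hashlib.md5(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    body = carve_http_body(SAMPLE_RESPONSE)
    print(identify(body), len(body), "bytes")
    for algo, digest in hashes(body).items():
        print(f"{algo.upper()}: {digest}")
```

This does what Wireshark's File > Export Objects > HTTP does for a single response, but makes the boundary and length handling explicit. It does not handle chunked transfer encoding or Content-Encoding (gzip), both of which would need to be undone before hashing, and a hash computed over a truncated or decoded body will not match the value recorded from the wire.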
1.3. What kind of calls to the internet does it make?
Seemingly random DNS queries.
Rapid connection attempts to resolved DNS names.
Eventually connects to a web page on port 80 to one of the servers.
1.4. Does it try to self-propagate through the internal network?
No connection attempts to RFC 1918 or other 12.x addresses (see the Wireshark filter below).
```
ip.src == `` &&
(ip.addr == 192.168.0.0/16 ||
ip.addr == 172.16.0.0/12 ||
ip.addr == 10.0.0.0/8 ||
ip.dst == ``)
```
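The same check as that display filter, expressed as code you can run over flow rows exported from the capture, is added below as an example (not from the video). It assumes rows of the form (src, dst, proto, dst_port, tcp_flags), such as `tshark -T fields` can produce, and the rows here are constructed: the victim IP is the one from the findings, the neighbours and external hosts are invented, and the set of "lateral movement" ports is a heuristic of this example, not something the video states.

```python
import ipaddress

VICTIM = "12.183.1.55"  # victim IP from the findings above

# Internal ranges: RFC 1918 plus the victim's own /8, mirroring the filter above.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network(f"{VICTIM}/8", strict=False),  # -> 12.0.0.0/8
]

# Constructed flow rows: (src, dst, proto, dst_port, tcp_flags). Not from the
# scenario pcap; 203.0.113.0/24 is the RFC 5737 documentation range.
FLOWS = [
    ("12.183.1.55", "12.183.1.1",   "udp", 53,  ""),    # DNS to local resolver
    ("12.183.1.55", "203.0.113.10", "tcp", 80,  "S"),   # outbound web, external
    ("12.183.1.55", "12.183.1.77",  "tcp", 445, "S"),   # SMB to a neighbour
    ("12.183.1.55", "12.183.1.77",  "tcp", 445, "A"),   # later ACK, same session
    ("12.183.1.55", "12.183.1.78",  "tcp", 445, "S"),
    ("12.183.1.55", "192.168.5.9",  "tcp", 139, "S"),
    ("12.183.1.77", "12.183.1.55",  "tcp", 445, "SA"),  # reply, not from victim
    ("10.0.0.5",    "12.183.1.55",  "tcp", 22,  "S"),   # inbound, not from victim
]

# Heuristic (assumption of this example): ports typical of host-to-host spread.
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def internal_connection_attempts(flows, victim=VICTIM, ignore=()):
    """Return {dst: {ports}} for new connections the victim opened to internal
    addresses: TCP SYN-only packets and UDP datagrams. Known infrastructure
    (resolver, gateway) can be excluded via `ignore` so it does not mask results."""
    hits = {}
    for src, dst, proto, dport, flags in flows:
        if src != victim or dst in ignore or not is_internal(dst):
            continue
        if proto == "tcp" and flags != "S":
            continue  # only the initial SYN counts as an attempt
        hits.setdefault(dst, set()).add(dport)
    return hits


def lateral_movement_verdict(hits, min_hosts=2):
    """True when at least `min_hosts` internal hosts were probed on lateral ports."""
    touched = {dst for dst, ports in hits.items() if ports & LATERAL_PORTS}
    return len(touched) >= min_hosts


if __name__ == "__main__":
    hits = internal_connection_attempts(FLOWS, ignore={"12.183.1.1"})
    for dst, ports in sorted(hits.items()):
        print(dst, sorted(ports))
    print("lateral movement suspected:", lateral_movement_verdict(hits))
```

In the scenario the filter returned nothing, which is the "No" recorded above; the constructed rows here take the positive path so the logic is visible. Excluding the resolver matters: a DNS-heavy sample will otherwise produce a large, uninteresting hit for the local resolver on UDP 53.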
1.5. Possible network traffic signatures.
We have the DNS names.
High volume of DNS queries followed by high volume of port 80 connection attempts.
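The second signature, a burst of distinct DNS lookups followed by a burst of port 80 connection attempts to the addresses those lookups returned, can be turned into detection logic. The block below is an added example and not from the video; the event stream is constructed (names under the reserved `.test` TLD, addresses in the RFC 5737 documentation ranges), and the window size and thresholds are assumptions to be tuned against real traffic.

```python
from collections import defaultdict

# Constructed event stream, as it might be reduced from a pcap:
#   (t_seconds, "dns_q",  queried_name)
#   (t_seconds, "dns_a",  (queried_name, resolved_ip))
#   (t_seconds, "syn80",  destination_ip)      # TCP SYN to port 80
def build_sample_events():
    names = [f"{s}.test" for s in ("qzvxkl", "mprtwq", "hdgksa", "bvncqe",
                                     "lkjrtp", "xcvbop", "tyuire", "asdfqw",
                                     "zxcvmn", "poiuyl")]
    events = [(0.2 * i, "dns_q", n) for i, n in enumerate(names)]
    # only six of the ten names resolve; the rest are NXDOMAIN and get no answer
    events += [(0.2 * i + 0.05, "dns_a", (n, f"198.51.100.{i + 1}"))
               for i, n in enumerate(names[:6])]
    # rapid connection attempts to the resolved addresses
    events += [(3.0 + i, "syn80", f"198.51.100.{(i % 6) + 1}") for i in range(7)]
    # a benign lookup and fetch much later, which must not alert
    events += [(100.0, "dns_q", "update.example"),
               (100.1, "dns_a", ("update.example", "203.0.113.50")),
               (101.0, "syn80", "203.0.113.50")]
    return events


EVENTS = build_sample_events()


def detect_dns_then_http_burst(events, window=10.0, min_queries=8, min_syns=5):
    """Return one alert per `window`-second bucket in which at least `min_queries`
    distinct names were queried and, in that bucket or the next, at least
    `min_syns` port 80 SYNs went to addresses resolved by those names."""
    by_bucket = defaultdict(lambda: {"names": set(), "syns": []})
    ip_to_name = {}
    for t, kind, detail in sorted(events, key=lambda e: e[0]):
        b = int(t // window)
        if kind == "dns_q":
            by_bucket[b]["names"].add(detail)
        elif kind == "dns_a":
            name, ip = detail
            ip_to_name[ip] = name
        elif kind == "syn80":
            by_bucket[b]["syns"].append(detail)

    alerts = []
    for b in sorted(by_bucket):          # snapshot; defaultdict may grow below
        names = by_bucket[b]["names"]
        if len(names) < min_queries:
            continue
        syns = by_bucket[b]["syns"] + by_bucket[b + 1]["syns"]
        to_resolved = [ip for ip in syns if ip_to_name.get(ip) in names]
        if len(to_resolved) >= min_syns:
            alerts.append({
                "bucket_start": b * window,
                "queries": len(names),
                "syns": len(to_resolved),
                "targets": sorted(set(to_resolved)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_then_http_burst(EVENTS):
        print(alert)
```

Tying the SYNs back to the queried names is what keeps this from firing on an ordinary busy browser session: many lookups alone, or many port 80 connections alone, are normal, but a burst of fresh names immediately followed by connections to exactly those resolutions is the pattern described above. The DNS names themselves, as noted, are the stronger indicator once known.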
File Signatures www.garykessler.net/library/file_sigs.html
Advanced Wireshark Network Forensics 2/3 ruclips.net/video/ZJZlRGLN2_s/видео.html
This is excellent material. I hope you’ll create more content like this or even consider developing a course. It’s very well explained.
Clear, smooth explanation, valuable knowledge and practical skills. All in 10 min, thanks man
Your videos are a blessing. Thank you so much for these wonderful explanations and uploads. Truly appreciate your efforts!
These videos are amazing! I have been using Wireshark for 15 years and learned more in the past 30 minutes than the previous 10 yrs.
Glad to hear it!
Stumbled across this video. Amazing way of explaining! Hope you can upload new stuff more frequently.
Great video and incredibly well explained!
nicely explained.
Thanks, very much helpful
Happy to help
Thanks for part 2, it was very insightful =)
I agree with all other comments - great quality Wireshark material. I would not mind seeing more of it. Thank you
Awesome content ❤️
well explained and great tut, thanks for sharing this knowledge :))
Keep up the good work!
How can I find out the IP address of the victim machine if it's unknown?