Filter by downloaded file ftp wireshark

Figure 4. In some cases, Windows executables are intentionally labeled as a different type of file in an effort to avoid detection. Fortunately, the first pcap in this tutorial is a very straightforward example. Still, we should confirm these files are what we think they are. On macOS or Linux, you can run two commands in a terminal: file and shasum. The file command reports the file type from the contents (the leading "magic" bytes), not from the extension, which is exactly what catches a relabeled executable. The shasum command returns a hash of the file (SHA-1 by default; pass -a 256 for the SHA-256 hash).

Figure 5. Determining the file type and hash of our two objects exported from the pcap. The information above confirms our suspected Word document is in fact a Microsoft Word document.

It also confirms that the suspected Windows executable is indeed a Windows executable. We could also search for the hashes online to find additional information about these files. In addition to Windows executables and other malware files, we can also extract web pages. Our second pcap for this tutorial is extracting-objects-from-pcap-example. When reviewing network traffic from a phishing site, we might want to see what the phishing web page looks like. We can export the HTML through File > Export Objects > HTTP, as in Figure 6, and then view it in a web browser in an isolated environment, as shown in Figure 7.
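As an added example (not code from the tutorial), here is the check that file and shasum perform, written out in Python so the reasoning is visible: identify an exported object by its leading magic bytes rather than by its name, hash it with SHA-256, and flag the case the paragraph warns about, an MZ executable wearing a document extension. The sample objects and filenames are constructed for this example; the .docx is a minimal ZIP container with a word/ part, not a real document.

```python
"""Identify exported objects by magic bytes and hash them (added example)."""
import hashlib
import io
import zipfile

# Magic-byte signatures for the object types this tutorial deals with.
# Assumption: only these formats matter here; anything else is reported as "unknown".
MAGIC = [
    (b"MZ", "Windows executable (PE/MZ)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy .doc/.xls)"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container"),
]


def identify(data: bytes) -> str:
    """Return a human-readable type from the leading bytes, the way `file` does."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            if name == "ZIP container":
                # Office Open XML (.docx) is a ZIP whose entries include word/ parts.
                try:
                    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
                except zipfile.BadZipFile:
                    return "ZIP container (truncated or corrupt)"
                if any(n.startswith("word/") for n in names):
                    return "Microsoft Word 2007+ document (.docx)"
            return name
    return "unknown"


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest, the same value `shasum -a 256` prints."""
    return hashlib.sha256(data).hexdigest()


def check_object(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say; flag a mismatch."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_exe = ext in {"exe", "dll", "scr"}
    is_exe = kind.startswith("Windows executable")
    return {
        "file": filename,
        "type": kind,
        "sha256": sha256(data),
        # An MZ payload delivered as .doc/.pdf/.jpg is the evasion the text warns about.
        "suspicious": is_exe and not claims_exe,
    }


def _mini_docx() -> bytes:
    """Constructed stand-in for an exported Word document (not from the pcap)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample objects: a minimal .docx, and the same MZ stub under two names.
SAMPLES = {
    "invoice.docx": _mini_docx(),
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 60,   # PE stub wearing a .doc name
    "payload.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def audit(samples=None) -> list:
    """Run check_object over every sample and return the findings."""
    return [check_object(n, d) for n, d in (samples or SAMPLES).items()]


if __name__ == "__main__":
    for r in audit():
        flag = "  <-- type/extension mismatch" if r["suspicious"] else ""
        print(f'{r["file"]:14} {r["type"]:45} {r["sha256"][:16]}...{flag}')
```

The two MZ samples hash identically, which is the point of hashing: the name an attacker chose is irrelevant, and the same hash can be searched for regardless of how the file was labeled on the wire.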

Figure 6. Exporting a fake PayPal login page from our second pcap. Figure 7. The exported fake PayPal login page viewed in a web browser.

A banking Trojan known as Trickbot added a worm module as early as July that uses an exploit based on EternalBlue to spread across a network over SMB. We continue to find indications of this Trickbot worm module today. Our next pcap represents a Trickbot infection that used SMB to spread from an infected client. The pcap is extracting-objects-from-pcap-example. Open the pcap in Wireshark.

Figure 8. Getting to the Export SMB objects list (File > Export Objects > SMB). Figure 9. The export SMB object list.

FTP uses two TCP connections. The control connection (server port 21) carries commands and numeric replies; a separate data connection is established later to transfer files and directory listings. Both run over TCP, which provides reliable segment delivery, acknowledgment and window management for the session.

Hence, we will begin our analysis with the TCP information for FTP session initiation and termination shown in the packet details (middle) pane. Start a capture on your selected interface and use the ftp command in a terminal to connect to the FTP site. Apply the display filter tcp; the first three packets in the Packet List pane are the three-way handshake that opens the control connection. The fields of the Transmission Control Protocol layer as Wireshark displays them are explained below:

The second TCP segment in the filtered list is the server's SYN-ACK. In the third, the client acknowledges it and the control connection is established: the ACK flag is set, and Wireshark's relative sequence number and acknowledgment number both read 1 (Wireshark shows these relative to each side's initial sequence number, so the first byte after the SYN is numbered 1).
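The handshake described above, decoded from raw TCP headers in an added Python example (not from the original tutorial). The three headers are constructed, with made-up initial sequence numbers and a made-up client port 50414, to show how Wireshark's relative sequence and acknowledgment numbers both come out as 1 in the final ACK even though the absolute values are arbitrary 32-bit numbers.

```python
"""Decode TCP headers and walk the three-way handshake with Wireshark-style
relative sequence numbers (added example, not from the original tutorial)."""
import struct

SYN, ACK = 0x002, 0x010


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; options and payload are ignored."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _checksum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    flags = off_flags & 0x01FF          # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,   # data offset is in 32-bit words
        "SYN": bool(flags & SYN), "ACK": bool(flags & ACK),
        "FIN": bool(flags & 0x001), "RST": bool(flags & 0x004),
        "window": window,
    }


def relative_numbers(headers):
    """Wireshark shows seq/ack relative to each direction's initial sequence
    number (ISN), taken from the SYN. Returns (label, rel_seq, rel_ack) tuples."""
    isn = {}   # (src_port, dst_port) -> ISN for that direction
    out = []
    for h in headers:
        direction = (h["src_port"], h["dst_port"])
        reverse = (h["dst_port"], h["src_port"])
        if h["SYN"]:
            isn[direction] = h["seq"]
        rel_seq = (h["seq"] - isn[direction]) & 0xFFFFFFFF
        rel_ack = ((h["ack"] - isn[reverse]) & 0xFFFFFFFF
                   if h["ACK"] and reverse in isn else None)
        if h["SYN"] and not h["ACK"]:
            label = "SYN"
        elif h["SYN"] and h["ACK"]:
            label = "SYN-ACK"
        elif h["ACK"]:
            label = "ACK"
        else:
            label = "other"
        out.append((label, rel_seq, rel_ack))
    return out


def build(sport, dport, seq, ack, flags, window=64240) -> bytes:
    """Build a 20-byte TCP header (data offset 5, no options, zero checksum)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)


# Constructed handshake: client port 50414 -> FTP control port 21, random-looking ISNs.
HANDSHAKE = [
    build(50414, 21, 0x1A2B3C4D, 0, SYN),
    build(21, 50414, 0x9F8E7D6C, 0x1A2B3C4E, SYN | ACK),
    build(50414, 21, 0x1A2B3C4E, 0x9F8E7D6D, ACK),
]


def decode_handshake(packets=None):
    """Parse each constructed header and compute the relative numbers Wireshark shows."""
    return relative_numbers([parse_tcp_header(p) for p in (packets or HANDSHAKE)])


if __name__ == "__main__":
    for label, s, a in decode_handshake():
        print(f"{label:8} relative seq={s} ack={a}")
```

The SYN and SYN-ACK each show relative sequence 0; the SYN-ACK acknowledges 1 because the SYN itself consumes one sequence number; and the closing ACK shows seq 1, ack 1, which is what the tutorial's screenshot describes.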

Display filters operate on packets that have already been captured (unlike capture filters, which decide what gets recorded in the first place). Consider this example: say a large number of packets flow for a particular activity on the network, of which only some are from one IP address. A display filter such as ip.addr == <that address> shows just those packets while leaving everything else in the capture file. We will be examining a Wireshark capture between my system and a remote system with an FTP service enabled. You can download this packet capture if you want to. When we type the ftp command to connect to the server, the first three packets of the capture are the TCP three-way handshake, highlighted in grey in Wireshark, which can also be seen in the tshark output above.

The fourth packet is the FTP banner (the 220 reply) sent by the remote server, and the fifth is the client's acknowledgment of it. This can be summarized with the following sequence diagram. Once logged in, our system issued a SYST command to ask for the system type of the remote server.

With this output, I identify the streams that have objects, and manually create a filter like: tcp. This works for trace files with few objects, but not when the list is long.

I would like something like: "tcp. Thank you.
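The FTP walkthrough above and the question that follows it come down to the same task: knowing which data connection carried a given file, so that a display filter can isolate it. The following is an added Python example, not code from the page, from Wireshark, or from the person asking. It assumes the FTP control channel has been exported with tshark's -T fields (the command is in the docstring; ftp.request.command, ftp.request.arg, ftp.response.code and ftp.response.arg are real Wireshark field names), pairs each transfer command with the PASV reply or PORT command that preceded it, and emits one filter per file plus a combined filter for all downloads. The control log is constructed; its addresses, ports and filenames are invented.

```python
"""Build Wireshark display filters for the data connections that carried FTP
downloads, from the FTP control channel (added example, not from the page).

Input is assumed to be tshark field output, one control-channel packet per
line, tab-separated:
  tshark -r ftp.pcap -Y ftp -T fields -E separator=/t \
         -e frame.number -e ftp.request.command -e ftp.request.arg \
         -e ftp.response.code -e ftp.response.arg
"""
import re

# Constructed sample: one passive-mode download and one active-mode download.
# Not a real capture; the IPs, ports and names are made up.
CONTROL_LOG = """\
4\t\t\t220\tFTP server ready
6\tUSER\tanonymous\t\t
8\t\t\t331\tPassword required
9\tPASS\tguest@example\t\t
11\t\t\t230\tLogin successful
12\tSYST\t\t\t
13\t\t\t215\tUNIX Type: L8
15\tPASV\t\t\t
16\t\t\t227\tEntering Passive Mode (192,168,1,10,195,80)
18\tRETR\tinvoice.doc\t\t
19\t\t\t150\tOpening BINARY mode data connection
25\t\t\t226\tTransfer complete
27\tPORT\t192,168,1,50,210,17\t\t
28\t\t\t200\tPORT command successful
30\tRETR\tupdate.exe\t\t
31\t\t\t150\tOpening BINARY mode data connection
40\t\t\t226\tTransfer complete
42\tQUIT\t\t\t
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
TRANSFER_CMDS = {"RETR", "STOR", "LIST", "NLST"}


def _hostport(text: str):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def transfers(control_log: str) -> list:
    """Pair each transfer command with the data endpoint negotiated just before it."""
    pending = None   # ("active"|"passive", host, port) from the last PORT or 227
    found = []
    for line in control_log.splitlines():
        if not line.strip():
            continue
        frame, cmd, arg, code, resp = (line.split("\t") + [""] * 5)[:5]
        if cmd == "PORT" and (hp := _hostport(arg)):
            pending = ("active", *hp)        # server will connect to the client
        elif code == "227" and (hp := _hostport(resp)):
            pending = ("passive", *hp)       # client will connect to the server
        elif cmd in TRANSFER_CMDS and pending:
            mode, host, port = pending
            found.append({"frame": int(frame), "command": cmd, "name": arg,
                          "mode": mode, "host": host, "data_port": port})
            pending = None   # each negotiated data connection serves one transfer
    return found


def filter_for(t: dict) -> str:
    """Display filter isolating the data connection that carried one file."""
    return f"ip.addr == {t['host']} && tcp.port == {t['data_port']}"


def downloads_filter(control_log: str) -> str:
    """One filter covering the data connection of every downloaded (RETR) file."""
    ports = [str(t["data_port"]) for t in transfers(control_log) if t["command"] == "RETR"]
    return "ftp-data && tcp.port in {" + " ".join(ports) + "}" if ports else "ftp-data"


if __name__ == "__main__":
    for t in transfers(CONTROL_LOG):
        print(f"frame {t['frame']:>3} {t['command']} {t['name']:12} "
              f"{t['mode']:7} -> {filter_for(t)}")
    print("all downloads:", downloads_filter(CONTROL_LOG))
```

In passive mode the negotiated endpoint is on the server, so the filter pins the server address and the ephemeral port from the 227 reply; in active mode it is the client's address and the port from the PORT command (the server connects from port 20). Once a data connection is isolated this way, Follow > TCP Stream or File > Export Objects > FTP-DATA hands back the file itself, and the combined tcp.port in {...} filter replaces the hand-built chain of tcp.stream == N clauses the question describes.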