Take a systematic approach at identifying intrusions that range from the most basic to the most sophisticated, using Wireshark, an open source protocol analyzer. This book will show you how to effectively manipulate and monitor different conversations and perform statistical analysis of these conversations to identify the IP and TCP information of interest.
Next, you'll be walked through a review of the different methods malware uses, from inception through the spread across and compromise of a network of machines. The process from the initial “click” through intrusion, the characteristics of Command and Control (C2), and the different types of lateral movement will be detailed at the packet level.
In the final part of the book, you'll explore the network capture file and identification of data for a potential forensics extraction, including inherent capabilities for the extraction of objects such as file data and other corresponding components in support of a forensics investigation.
After completing this book, you will have a complete understanding of the process of carving files from raw PCAP data within the Wireshark tool.What You Will Learn- Use Wireshark to identify intrusions into a network
- Exercise methods to uncover network data even when it is in encrypted form
- Analyze malware Command and Control (C2) communications and identify IOCs
- Extract data in a forensically sound manner to support investigations
- Leverage capture file statistics to reconstruct network events
Who This Book Is ForNetwork analysts, Wireshark analysts, and digital forensic analysts.
Author(s): Kevin Cardwell
Edition: 1
Publisher: Apress
Year: 2023
Language: English
Pages: 477
City: Berkeley, CA
Tags: Wireshark; Intrusions; Incident; Attacks; Hacking; Network; Intrusion Analysis; Forensic Evidence
Table of Contents
About the Author
About the Technical Reviewer
Introduction
Chapter 1: Customization of the Wireshark Interface
Configuring Wireshark
Column Customization
Malware
Summary
Chapter 2: Capturing Network Traffic
Capturing Network Traffic
Prerequisites for Capturing Live Network Data
Normal Mode
Promiscuous Mode
Wireless
Working with Network Interfaces
Exploring the Network Capture Options
Filtering While Capturing
Summary
Chapter 3: Interpreting Network Protocols
Investigating IP, the Workhorse of the Network
Analyzing ICMP and UDP
ICMP
UDP
Dissection of TCP Traffic
Transport Layer Security (TLS)
TLS Record Layer
Reassembly of Packets
Interpreting Name Resolution
DNS
Windows Name Resolution
Summary
Chapter 4: Analysis of Network Attacks
Introducing a Hacking Methodology
Planning
Non-intrusive Target Search
Intrusive Target Search
Live Systems
Ports
Services
Enumeration
Identify Vulnerabilities
Exploit
Examination of Reconnaissance Network Traffic Artifacts
Leveraging the Statistical Properties of the Capture File
Identifying SMB-Based Attacks
Uncovering HTTP/HTTPS-Based Attack Traffic
XSS
SQL Injection
HTTPS
Set the Environment Variable
Configure Wireshark
Summary
Chapter 5: Effective Network Traffic Filtering
Identifying Filter Components
Investigating the Conversations
Extracting the Packet Data
Building Filter Expressions
Decrypting HTTPS Traffic
Kerberos Authentication
Summary
Chapter 6: Advanced Features of Wireshark
Working with Cryptographic Information in a Packet
Exploring the Protocol Dissectors of Wireshark
Viewing Logged Anomalies in Wireshark
Capturing Traffic from Remote Computers
Command-Line Tool TShark
Creating Firewall ACL Rules
Summary
Chapter 7: Scripting and Interacting with Wireshark
Lua Scripting
Interacting with Pandas
Leveraging PyShark
Summary
Chapter 8: Basic Malware Traffic Analysis
Customization of the Interface for Malware Analysis
Extracting the Files
Recognizing URL/Domains of an Infected Site
Determining the Connections As Part of the Infected Machine
Scavenging the Infected Machine Meta Data
Exporting the Data Objects
Summary
Chapter 9: Analyzing Encoding, Obfuscated, and ICS Malware Traffic
Encoding
Investigation of NJRat
Analysis of WannaCry
Exploring CryptoLocker and CryptoWall
Dissecting TRITON
Examining Trickbot
Understanding Exploit Kits
Establish Contact
Redirect
Exploit
Infect
Summary
Chapter 10: Dynamic Malware Network Activities
Dynamic Analysis and the File System
Setting Up Network and Service Simulation
Monitoring Malware Communications and Connections at Runtime and Beyond
Detecting Network Evasion Attempts
Investigating Cobalt Strike Beacons
Exploring C2 Backdoor Methods
Identifying Domain Generation Algorithms
Summary
Chapter 11: Extractions of Forensics Data with Wireshark
Interception of Telephony Data
Discovering DOS/DDoS
Analysis of HTTP/HTTPS Tunneling over DNS
Carving Files from Network Data
Summary
Chapter 12: Network Traffic Forensics
Chain of Custody
Isolation of Conversations
Detection of Spoofing, Port Scanning, and SSH Attacks
Spoofing
Port Scanning
SSH
Reconstruction of Timeline Network Attack Data
Extracting Compromise Data
Summary
Chapter 13: Conclusion
Intrusion Analysis
Malware Analysis
Forensics
Summary
Index
