Keylogger vs Wireshark

So this was entered in as the URL that a user went to, and here's the address or the email that was used to log in, and here's the password that was used.

I think that's really important to highlight, right? You do this stuff day in, day out, helping organizations from governments to large banks etc. with threat hunting, looking for malware, looking for problems on their networks, correct?

Yeah, and you know, I primarily focus on the performance side, when something isn't working properly, if it's broken or if it's slow, but a byproduct of that has been also having access to the golden data set that is the packet, so doing exercises like this, David, have helped me to refine that part of threat hunting at the packet level. I don't know exactly what is exchanged here with application data, but I do know the client goes out, sends 399 bytes out, gets 433 back, and then right after that happens, this is where some interesting stuff really goes down. So this is where we go into the things that we can actually see on the wire.

Yeah, even before you go to the FTP stuff, which looks really weird, you already got warning, well, sirens going off that there's some weird traffic.

Absolutely, 100%, and that's also why for me I keep VirusTotal nearby to just help me validate what I think is weird.

Hey everyone, it's David Bombal, back with the amazing Chris Greer. Chris, it's been way too long. Great to have you back on the channel.

I know David, it has been too long. Thank you for having me back, I really appreciate it.

So for everyone who's watching, I've got some fantastic news. Chris has been sharing some really cool stuff with me. Lips are closed, my lips are sealed, my lips are Seal, Bangles, all right, great. Can't share it at the moment, but look forward to some amazing stuff coming in 2025. Chris and I are also going to ramp up the content that we're creating with regards to Wireshark, so put your comments below, the kind of stuff that you want to see. Chris is the person I always talk to when I want to know about packet analysis and Wireshark. He's the expert that I trust personally with my packet captures, but he also consults to a lot of businesses. Very experienced, 20 years of experience or more. Chris, we're getting old, but you've been doing this since the Ethereal days. You're telling me off camera that you were 19 when you started learning this stuff, many, many years ago. But Chris, that's enough talking. Really cool demonstration that I believe you've got for us today, something about a Snake Keylogger or something?

Yeah David. So part of what I like to do if I'm sitting and I want to learn more about something that I don't have a lot of experience with is I'll stop by malware-traffic-analysis.net. Very awesome guy named Brad, he has a site where he captures malware that's presently in the wild, and he is able to execute it in a lab environment, and he's able to set up different capture points and collect how it behaves, and then he takes those captures and presents them to the world and lets us learn more about how, on the packet level, some of this malware behaves. So, link in this description down below, malware-traffic-analysis.net. You're actually going to be sent directly to the packet capture that I will be demonstrating to you in this video.

I think it's really cool, this demonstration, from the point of view that we're not looking at malware analysis like some other examples that I've done with other experts, where they're showing you the malware on the computer. You're actually looking at it from the wire point of view, which is very cool.

That's exactly it, like how does this thing actually behave, and what I take away from it is just principles of how this type of malware could look in an environment, and it causes me to set different filters or even refine my radar of what to look for when I'm threat hunting for my clients. So this isn't to say that this is exactly how you would see it if it was in the wild, but if you did see it in the wild, there are some principles that you could get by looking at it from a contained environment.

I think that's really important to highlight, right? You do this stuff day in, day out, helping organizations from governments to large banks etc. with threat hunting, looking for malware, looking for problems on their networks, correct?

Yeah, and you know, I primarily focus on the performance side, when something isn't working properly, if it's broken or if it's slow, but a byproduct of that has been also having access to the golden data set that is the packet, also looking through and seeing if there's some weird behavior. So doing exercises like this, David, have helped me to refine that part of threat hunting at the packet level, looking at how things look, different examples of malware, different behaviors, and then applying that when I'm looking through my customer traffic.

That's great Chris. Take it away, show us the demo, right? I'm looking forward to this.

All right, let's do this. So okay David, just to kick this off here, where we're at, malware-traffic-analysis.net, again thanks Brad, and I am looking at the packet capture that he took on September 17th, 2024, on a Tuesday, Snake Keylogger, and this was the actual infection, but it had an FTP exfil component, which is what we're going to focus on. So for the viewing audience, if you come down here to this file that's in the middle, exfil.pcap.zip, go ahead and pull that down. If you want to actually analyze the malware itself, he actually includes that as well down here, but we're going to focus on how it looked on the wire itself. Now there's also a password that you're going to need, which he tells you about here, and we'll also link that in the description, or we'll show that in the description down below so you can get quick access to it. All right, so here's the packets, and if I just look up here you can see the name, snake keylogger infection FTP exfil.pcap. Okay, so what I do when I first get started with a packet capture like this is I just like to breeze through and look through things that just jump out at me, David, and this is what I was talking about earlier when it comes to just refining that radar that's in my mind. That's what these exercises help me to do, what looks weird. Okay, so let's just scan through top to bottom. We're not going to go deep dive in any one hexadecimal value yet, but just an overview of what we're dealing with. I see that I've got 896 packets down here at the bottom. The very first thing that we do is at checkip.dyndns.org, okay, going to come back to that. A reallyfreegeoip, interesting, also TLSv1, hm, stowed away. Got a few GETs, okay, we'll come back to this, several different HTTP, just standard TCP port 80 GETs. There's some interesting stuff I'm going to come back to, keep scrolling.

Great stuff, is that what you're saying, interesting, right?

Yeah, it's just stuff that my brain is calling out right now. Now why would HTTP be weird? Well, because so much today is over HTTPS.

Yeah.

So much of what we do is secured, it's encrypted, as it should be, so something that's not encrypted, it's just something that my brain is filing away. api.telegram.org, okay, we've got a secure connection, I'm going to come back to that. FTP, lifechangerscare, okay. You see some DNS, in fact I'm going to come up here, let's set our first filter, people, packet people in the house. We're going to set our filter for DNS, and that's just going to let me take a breeze through the different services that I'm trying to resolve for IPs. So let's see, we can just go through, okay, so there's our first scan. So sometimes people ask me, where do you start, Chris? I just do a real quick overview and see what starts to jump out at me. Going to remove filter, going to come up here, now going to go to Statistics, Conversations. Going to go ahead and bring this in. Another thing that I like to do, just from the jump, from the top level, is I like to see what types of conversations do I have going, both from an IP perspective and from a TCP connections perspective. So if I come over here to the TCP tab on the Conversations view, I can see that I've got a couple of secure connections, I've got some open port 80 traffic, I've got some port 21, there's my FTP, and some high numbered, it looks like high numbered services that we'll go ahead and take a look at and see what those are actually doing. Okay, so there's my overview. I already have stored away a bunch of stuff that I want to dig into, so we're going to take those one at a time. The first one, very beginning, checkip.dyndns.net, solutions for you. So here's all these IPs, and usually I just grab the first one, and that's where I go and look for my very next conversation. I fire off a TCP port 80 SYN at that server. Now it's not always going to be port 80, depends on what application is trying to kick off right now, so I can see that this is just a web conversation going out to that server. Right now, though, if this was just a regular environment, David, I always put myself in the chair of someone that's just sitting in an enterprise network, and let's just say that they saw that DNS traffic go out. My first question here would be like, okay, who is trying to check their IP? Because a check IP service, let me ask you David, I mean, do you think it would be normal for just any standard user that's non-technical, they're just doing their day-to-day job for a business, would it be normal for them to go out and check what their external IP address is?

No, an application normally doesn't do that.

Yeah, so right there, that's kind of weird, right? That's an unusual thing, but let's see if that's actually what happened. So I'm going to come down here, and everybody can join me, because you did open up the packets, didn't you? You're following along. All right, packet 3, there's my TCP handshake. I come down to the GET, establishes that connection and now I'm actually using it, and I'm going to actually right click, and this is where we can have some fun with Wireshark. This is a screen a lot of people know and love: Follow. You can do HTTP stream or TCP stream, honestly it's going to do the same thing. I'll just pick TCP out of habit. Going to bring this in, and now I get this stream data, which is basically a representation of what was inside the packet payload in this TCP stream. So here I can see my GET, user agent, here's the host that I'm going and talking to, here's what I'm trying to do with that connection, am I closing it or am I keeping it alive? Client side is saying keep alive. Now red is client, what the client is sending out to the server; what the server sends back is blue. If you ever forget that, look right down here on the lower left: two client packets, server packets, client in red, server's in blue. Server responds and says current IP check, current IP address, here you go Chris, there's your external IP as I see it. So this server is kicking back what I look like on the outside. Now back to you David, does that look like something that a normal everyday user should care about?

No, you think you know where you are. I mean, I know technical people do that a lot, we might check things, but I wouldn't think a normal user would even know what that is.

Yeah, good call. I mean, if I saw that this user, if I go back to this user, this 10.9.17.101, if I look that up and oh, that's David Bombal, oh well yeah okay, I get it, he's doing some fun little thing, he's firing up a utility, you know that guy, he's always checking his external address, no big deal. But if it was somebody that usually wouldn't be doing that, that's where my radar kind of goes up. Now why would this person need to know what they look like on the outside? Now many times this IP is going to come into play later. This is where, if you're going to go out and talk to an external station or some other listener out there, maybe some C2 traffic to somebody that's waiting, this is where you can alert, hey, this is where I'm coming from, this is what I will look like on the outside when I leave this network, because this 10 network won't show up out there in the world, it's a non-routed range, but this guy right here is a legit external address, right? So that's weird. Now I'm going to go ahead and come up here, I'm just going to remove that filter, come back to my conversations. So how we doing so far?

That is great. I mean, you've already highlighted, like, why is it checking its IP address? HTTP seems weird in today's world as well.

Yeah, exactly, both of those two things, putting on my threat hunting hat, I just had two little alarms fire off. So as I keep going, reallyfreegeoip, okay, so we go and we knock on that door, we hit a response that came back. Now while I'm at it, something else I'm going to draw to your attention is VirusTotal. So this is something I always keep up on a browser nearby, and one reason is I like to search URLs and also IPs to just do a high level radar scan, just to see, or not a scan, just a look up: what type of service am I going to, is this something that other systems know about, and is it malicious? So let's just do that, reallyfreegeoip, okay. So from a high level, no real alarms just yet. Okay, check over to Community, don't see anything just yet from anybody major saying that this is an issue, so that's just good for me to tuck away. All right, so but then I do this client hello to it, and what I don't like about this is this is using version TLSv1. So if I come down here, I did this connection, I complete the connection, and if I come down to TLS, not to get super duper crazy far in the weeds, but if I look at the TLS client hello coming from that client, the record level version is TLS 1.0 and the actual client hello handshake version is TLS 1.0 as well, and I don't have anything down here, there's no extensions down here to talk about any other version. So if this version goes up to TLS 1.2, 1.1, 1.0, typically the record version and the version within the client hello tells me the bottom version that I'll support and the most recent version that I'll support. So right here it's just saying 1.0.

And that's weird, right?

Yeah, that's weird these days, right, because TLS 1.0, 1.1, we've really moved forward from. Right now we're in the world of TLS 1.2, 1.3, so to have 1.1 still lingering around would be a radar thing for me, like what's still using a pretty dated version of TLS? Okay, so I go and I just knock on that door. Now this is where encryption takes over, right? So I do my client hello, server hello, a cert comes back. If I really want to, I can start digging and just take a look at what it includes: GlobalSign, okay, Google Trust Services, okay. So it looks like just an overall okay conversation, but it's using that old version, and again I would wonder what is it on this system that is calling an old TLS version. That's going to be an interesting thing for me to start to dig at moving forward, and I'm just calling out stuff as I see it here. Moving forward here, how about this one, the next conversation that I have. So I'm going to DNS api.telegram.org and I get an IP back. That looks weird, yeah, why you, Telegram, yeah, all right. So API Telegram, let's actually do that here. I'm in VirusTotal, so let's actually punch that in, and ooh, here we go, we got some security vendors flagging this as malicious, suspicious, phishing, and from the Community this is where I can start to get an idea of what types of malware this has been an IOC of, and just see: malicious Google updater, can stealer, Tor exit nodes. So yeah, so that domain has been seen before and has some risks associated to it, so that's something that again, that's another red flag for me. So I can see that this client is touching base in a couple of different ways, it's going and having these conversations. I don't know exactly, because I don't have a way of decrypting this at this moment, I don't know exactly what is exchanged here with application data, but I do know the client goes out, sends 399 bytes out, gets 433 back, and then right after that happens, this is where some interesting stuff really goes down. So this is where we go into the things that we can actually see on the wire. Let's go to packet 109.

I'll say something before you do that Chris, sorry.

You bet.

If you were doing this in the real world, would you be flagging to the client like, why are you sending stuff to Telegram, why are you sending it to this weird domain, why are you using these protocols, or old protocols?

Yeah, that's a great question too. So for me, absolutely I would. This would just be radar triggering, right, not necessarily that it's an absolute problem yet, but hey client, what are we doing here, what is this system doing, what do we expect it to do? Now hopefully, here's my hope David, that they already have an IDS/IPS system that's all over this. That's the goal, right, that they have already been, or there are alerts, maybe alerts that have been overlooked because alert paloa. Sometimes I run into that with my clients, like hey, this is kind of strange looking, and they go, oh, we didn't know that that alert really was related to this. So if anything it's giving more validity to an alert that they didn't fully realize was associated to an infection like this.

Yeah, even before you got to the FTP stuff, which looks really weird, you already got warning, well, sirens going off that there's some weird traffic.

Absolutely, 100%. And that's also why for me I keep VirusTotal nearby to just help me validate what I think is weird, right? Like right here, I mean, this is just calling it out: activity related to Snakey. I mean, boom, there we go, right, and that validates that this packet capture did in fact capture some IOCs from Snake Keylogger. And if you're interested, let's go ahead and link this down below as well, David. I went and just did a quick search for Snake Keylogger, just an overview of what it is, and if we look right here, so at least this version of it that they're writing up here, once executed on the victim's computer it has the ability to steal sensitive data. It is basically a phishing campaign in the wild, malicious Excel document attached to a phishing email. They performed a deep analysis, this is a very interesting read if you really want to go into the guts of how it actually did its remote code execution through that Excel file. So if that's your jam, go at it, but I am a packet person, so going to go back to what the actual traffic was that it executed on the wire.

I think it's great though, because in the real world we need people like you, and then we also need the malware reverse engineering type people.

Oh yeah, for sure. Yeah, keep in mind I'm looking at this from the perspective of what actually happened on the wire, what did it do, and then pulling that back into the system along with someone like you just mentioned from a SOC team that can further do some digging within the system itself. Okay, so back to our packet. We ready to go to FTP now?

Yeah.

All right, so I can see about 10 seconds after it did that last conversation to telegram.org, come here, 10 seconds later, FTP, lifechangerscare.com, so we get an address back. So we just see on our answers, if I just look here, here's our IP address, so 216.252, and we actually go and do a TCP port 21 conversation to it, and that's our standard port for FTP traffic, or FTP control traffic. So we go and we talk to that server, and FTP being open, it also allows us to see a username and password, right? So we can still see that over FTP in clear text. So the username, Chucks, lifechangerscare.com, and the password is this nice little password right here. Okay, so, and can I just tangent just for a quick second David? In the past, hey look, the listening audience told us they like tangents, so you asked for it. Where my brain thinks of it, I just share it with you, and that's where I mean we don't want to get too excited, super excited about open usernames and passwords. Sometimes I see real flashy videos, oh, capture usernames and passwords on the wire with Wireshark. So much is encrypted these days that a lot of times you're just not going to see this on the open wire, but today sometimes malware like this can be lazy and it does it anyway. So if I did ever see usernames and passwords on the open wire, that is actually something I would first think of, like typical applications don't do that anymore and haven't for years, so what is doing this, coming back to that being open.

I think it's really important that you go on these tangents about real world versus, like, the theory, right, because you're seeing this all the time, so it's great to get your real world expertise on this.

Thanks David, and for those that are watching, definitely comment below, let us know what you think, and happy to share what comes to my brain, or David can choose to cut it out, that's his call, cut cut cut. Okay, coming down here. So we did that first check in with FTP, and FTP is doing something that's pretty standard here. If I come down to this response, so basically the client does a passive request to the server. So basically the client says, hey, we want to do some interaction but over passive FTP instead of active FTP, so hey server, go ahead and hit me back and use a port number that I'm going to send you. That's what the, I'm sorry, the server sent that back to me. So client says, hey server, I want to go passive. Server comes back, says sure, here's my IP address and here's a port number that I want you to hit me back on, not port 21, and that's why this can be interesting to analyze, because notice now that the client switches to that port number that was sent. Now if you look in Wireshark, if you look at packet 132, it's actually, here's my response, I'm going to come down to, you see that entering passive mode right here? Yeah, so the way that these numbers work out, here's the actual octets of the address, and then this one down here, this 220, 27, it actually translates into this port number. So the server says hit me back on 56347, so the client says okay, 56347, that's the port that you indicated. I'm just going to right click that port and just set a quick filter. Now notice I'm not doing follow stream yet, I'm just going to Conversation Filter, TCP. That's a whopping nine packets, and my TCP length here just shows me that there's only one packet that actually has some payload in it. For the listening audience, you might on Wireshark have Length, and that's the full packet length that includes the TCP, IP and Ethernet headers, so you might have a different number there. The way that I got this is if I go down to TCP, just going to expand TCP, and you can come down here to TCP segment length. You see that number, right click that guy, add it as a column, or you can just drag that number, I'm on packet 140, drag and drop and you can just drop it upstairs. Now I already have that, so I'm just going to take it and I'm going to remove it. Okay, and for the super Wireshark nerds among us, good for you, because Wireshark's pretty awesome to be a nerd about, if you right click up here and just go to Edit Column, that's where you can title the column differently, and I just shortened it to TCP length. It shows TCP length and everyone is happy in the world. Okay, SYN, SYN-ACK, ACK, we connect, 133 milliseconds network round trip time, a few other things that I could see in there, but I'm interested, client to server we send out 1140 bytes via this passive FTP port. All right, let's actually see what that is. I'm going to right click that and, just to put it on one page, Follow TCP Stream. So this is all from the client. Okay, so hopefully the viewers can see this okay, we just zoomed in. Now this is from client to server, we're sending this out. All right, so VIP recovery, PC name: hey Mr. Server, here's my PC name, here's the date and time, here's my external IP address, here's where that came back into the mix, here's where I'm from, this is my GeoIP stuff. That's why we hit GeoIP up above, we actually went out and talked to a GeoIP server about what our external address was. Now we're starting to put together the pieces of the previous conversation, right? We first got our external IP, then we looked up its GeoIP information: South Carolina, time zone, latitude, longitude, hey, I am just right here, here's all my stuff about me, and this is also what I'm sending out to that device. Here's my VIP recovery, so recovered from Outlook, so this was entered in as the URL that a user went to, and here's the address or the email that was used to log in, and here's the password that was used. How about recovered from this Edge browser: here's the host that it went to, here's the username, here's the password. Edge Chromium, we have a few other usernames and passwords, silly site and username, password, username, password. So this was all collected off that machine and sent out to that listener over FTP. Now this isn't where it stops. There's a couple ways I can do this. I'm actually just going to show you this here, and then I'm going to reverse and show you a longer way to do it, but if you come over here to Stream, you see I'm on stream 4. Every TCP conversation within Wireshark gets a stream number, and to keep it simple, basically a TCP conversation is the same as a four-tuple, so two IP addresses, two port numbers. There's a couple other factors that go into it, and with timing, but let's just keep it at that for now. So whenever I see two different IPs, two different ports, that gets an identity as a TCP stream between those two. If any of those change, if we change port numbers, if we change IP addresses, well, that's a different TCP stream, and it's going to get a different TCP stream number. Once I'm here and I'm looking at the stream data, I can jump to a different stream by just staying right here. I can come down here to stream four, I want to go to stream five, so rather than shutting this down, going and finding the conversation for stream five, right click, Follow TCP Stream, just to come right back here, you can just jump through your TCP streams without ever leaving this screen. Kind of a little trick for the good people. All right, so see what else we found. So this time, instead of passwords, we were looking for cookies. So in this case what the malware was able to do was actually go and extract cookies out of a browser, or it's also possible that it was able to see them entered in real time. Recovered from shows us where it was recovered from, what the host is, when it expires, what the value is. So all of these cookies, so once we get all these cookies, now what we would be able to do is assume the identity, hopefully, of that user interacting with these different systems and hopefully do like a session resumption, because we have that cookie. Really depends on what protections are in place on that server, but we get the idea, we stole a bunch of cookies off of this client. Okay, so that was, I'm just going to come back to my packets and pause for a minute. David, what do you think so far?

That's great. I mean, it's nice to see this stuff on the wire rather than trying to reverse engineer it.

Yeah, exactly, and again these are all things for everybody out there to start thinking about. Like, okay, this is a lab environment, but you probably would think about it a little bit differently if you're just capturing traffic off of your local connection and you start to see your local machine, without your knowledge, going and doing a bunch of external IP checks. Yep, now you're going to go whoa, why is my machine wondering what it looks like on the outside? That's weird, right? So okay, so this was all sent out, so exfiltrated, if you will, I'll use that word, to that listener. Oh man David, you know that I want to dig into this stuff, but this is the wrong time to do it: zero windows, window full. Tell you what, does everybody, maybe on a future video, do you want to use this pcap and go into this stuff, window full, what does this mean, why do I care, when does it matter? I'll just put that out to the audience and see if you guys are interested. What do you think David?

Yeah, I think if everyone could just comment below the kind of stuff that you want Chris to cover, like perhaps a series on weird and wonderful Wireshark stuff, right?

WWW, I like it. I think we just came up with that on Wednesday, quad, I like it, quad W. Okay, good. So I'm just going to back this off now. So that second conversation pulled, so the first one was passwords, the next one was cookies. So I'm just going to scan through this just to see, do I see anything else going on? Well, as expected, at the end it just wraps up its conversations, does some FINs, the file was successfully transferred, and really that's it. That's what we were able to capture off of that malware. So let me back up and just re-approach this, like what did we learn? In 800 packets, 896 packets, we were able to see an infection as it played out. So first we went and checked our external IP, then we did this whole GeoIP thing, and then after about 10 seconds we started to see this malware exfiltrate out those passwords and also cookies. Something that helped us as we were in the radar stage, just tuning that, when we went to VirusTotal we were able to see several steps along the way. We also had some red flags there, especially with that API call, that was a strange one. Also if you look up lifechangerscare, in fact, you know what, while I'm here, I'm just going to do that as well. It was FTP, just zoom in here a little bit, FTP, ftp.com, care, they care David.

They care about your data, yeah.

They definitely do, especially your passwords. Yeah, exactly, so here we go, we had definitely some flags here on that one. If we jump over to Community, don't see any writeups yet on it, but yeah, as we start digging through, maybe we'll be able to help the community with a post about what it is. Don't go to this website, yeah, let's just stay away from there. So good, so that was a quick walk through. Hey, any other thoughts that come up right now about that David, or questions you have?

Yeah, I think we miss, just for everyone, once again comment below: Weird and Wonderful Wireshark Wednesdays might be a sort of a series of videos that I think Chris and I should create, but please let us know in the comments the kind of stuff that you want to see. Chris has so much experience, and you can shortcut your learning by just, you know, watching him do this and learning from his tips and tricks. Chris, you've also got a course on Udemy that's recently been updated, right?

I do. So if you head out to Udemy, you'll see the video that David and I partnered to create, and really gets you from zero to hero with Wireshark. So all the things that you just saw me do, setting filters, setting coloring rules, creating profiles, all of those things are things that I cover. Really, David and I have a combined goal, we want to make packet analysis more accessible to more people, to take that fear factor out and to make it just less scary. I don't forget how it felt when I first looked at a packet trace and there was so much going on in there and I thought, I'm never going to learn this, it's so much, like how can anybody know what's actually happening? But literally bit by bit, byte by byte, sticking with it and learning some fundamentals, some things that apply across any domain, regardless of IT silo, regardless of what type of protocol or application I'm analyzing, there are fundamentals you can learn which make that much easier. So that's our goal, it's our goal with videos like these, also with different shorts that we post together, but also with that course on Udemy, to give you that core skill set with Wireshark, because we think it's just so important.

So for everyone who's watching, I've put a discount code below, so if you use that you'll get the course for a cheaper price. Hopefully that helps you, but again Chris and I have got some exciting things coming, expect a lot of Wireshark content on the channel. Let us know the kind of stuff that you want to see, again let's leverage Chris's knowledge to help you better analyze networks. Chris, as always, thanks.

Absolutely David, thanks for having me back.
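As an added example (not code from the video or from malware-traffic-analysis.net), the following Python encodes the wire-level checks Chris walks through: the FTP 227 passive-mode port arithmetic (220,27 gives 56347), Wireshark's direction-independent stream identity, and a triage pass over flow records that flags external-IP lookups, cleartext HTTP, a TLS 1.0 client hello, cleartext FTP credentials, and the bytes sent to the announced data port. The record layout, the hostnames, the 203.0.113.10 server address, stream numbers and the `USER`/`PASS` values are constructed assumptions, not values from the capture.

```python
"""Added example: encode the wire-level indicators from the walkthrough as a
small offline triage pass. All records, hostnames and the 203.0.113.10 server
address are constructed; nothing here is read from the real exfil.pcap."""
import re
from dataclasses import dataclass

# Services whose only job is to tell a host its external IP or GeoIP details.
# Constructed list based on the names mentioned in the video.
EXTERNAL_IP_SERVICES = {"checkip.dyndns.org", "checkip.dyndns.net",
                        "reallyfreegeoip.org"}

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is malformed.
    The data port is p1*256 + p2, so (220,27) becomes 56347 as in the video."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # each field is one byte
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def stream_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent identity of a TCP conversation (the four-tuple
    behind Wireshark's stream number): both directions map to the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


@dataclass
class Finding:
    stream: int
    reason: str


def triage(records):
    """Walk flow records in capture order and return the findings an analyst
    would call out. Record shapes (constructed for this example):
      {"kind": "dns",  "stream": n, "name": "host"}
      {"kind": "http", "stream": n}
      {"kind": "tls",  "stream": n, "version": "1.0"}
      {"kind": "ftp",  "stream": n, "lines": ["USER x", "PASS y", "227 ..."]}
      {"kind": "tcp",  "stream": n, "dst_ip": ip, "dst_port": p, "bytes_out": b}
    """
    findings = []
    pasv_channels = {}                      # (ip, port) -> control stream
    for r in records:
        s, kind = r["stream"], r["kind"]
        if kind == "dns" and r["name"] in EXTERNAL_IP_SERVICES:
            findings.append(Finding(s, f"external IP/GeoIP lookup: {r['name']}"))
        elif kind == "http":
            findings.append(Finding(s, "cleartext HTTP on port 80"))
        elif kind == "tls" and r["version"] in ("1.0", "1.1"):
            findings.append(Finding(s, f"legacy TLS {r['version']} client hello"))
        elif kind == "ftp":
            for line in r["lines"]:
                if line.startswith("USER "):
                    findings.append(Finding(s, "cleartext FTP username"))
                elif line.startswith("PASS "):
                    findings.append(Finding(s, "cleartext FTP password"))
                elif (chan := parse_pasv(line)) is not None:
                    pasv_channels[chan] = s
                    findings.append(Finding(s, f"FTP passive data channel {chan[0]}:{chan[1]}"))
        elif kind == "tcp":
            chan = (r["dst_ip"], r["dst_port"])
            if chan in pasv_channels:       # tie the data port back to the control stream
                findings.append(Finding(s, f"{r['bytes_out']} bytes client->server on FTP "
                                           f"data channel announced in stream {pasv_channels[chan]}"))
    return findings


# Constructed records mirroring the order seen in the walkthrough.
SAMPLE_RECORDS = [
    {"kind": "dns", "stream": 0, "name": "checkip.dyndns.org"},
    {"kind": "http", "stream": 1},
    {"kind": "dns", "stream": 2, "name": "reallyfreegeoip.org"},
    {"kind": "tls", "stream": 3, "version": "1.0"},
    {"kind": "tls", "stream": 4, "version": "1.2"},   # not flagged on version alone
    {"kind": "ftp", "stream": 5, "lines": ["USER chucks", "PASS constructed-secret", "PASV",
                                            "227 Entering Passive Mode (203,0,113,10,220,27)."]},
    {"kind": "tcp", "stream": 6, "dst_ip": "203.0.113.10", "dst_port": 56347, "bytes_out": 1140},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"stream {f.stream}: {f.reason}")
```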

2025-01-28 10:24
