Hey everyone, it's David Bombal, back with the amazing Chris Greer. Chris, it's been way too long. Great to have you back on the channel.

I know David, it has been too long. Thank you for having me back, I really appreciate it.

So for everyone who's watching, I've got some fantastic news. Chris has been sharing some really cool stuff with me. My lips are sealed, my lips are sealed (Bangles!). All right, great. Can't share it at the moment, but look forward to some amazing stuff coming in 2025. Chris and I are also going to ramp up the content that we're creating with regards to Wireshark, so put your comments below: the kind of stuff that you want to see. Chris is the person I always talk to when I want to know about packet analysis and Wireshark. He's the expert that I trust personally with my packet captures, but he also consults to a lot of businesses. Very experienced, 20 years of experience or more. Chris, we're getting old, but you've been doing this since the Ethereal days. You were telling me off camera that you were 19 when you started learning this stuff many, many years ago. But Chris, that's enough talking. Really cool demonstration that I believe you've got for us today, something about a Snake Keylogger or something?

Yeah David. So part of what I like to do, if I'm sitting and I want to learn more about something that I don't have a lot of experience with, is I'll stop by malware-traffic-analysis.net. A very awesome guy named Brad has a site where he captures malware that's presently in the wild, and he is able to execute it in a lab environment. He's able to set up different capture points and collect how it behaves, and then he takes those captures and presents them to the world and lets us learn more about how, on the packet level, some of this malware behaves. So, link in the description down below: malware-traffic-analysis.net. You're actually going to be sent directly to the packet capture that I will be demonstrating to you in this video.

I think it's really cool, this demonstration, from the point of view that we're not looking at malware analysis like some other examples that I've done with other experts, where they're showing you the malware on the computer. You're actually looking at it from the wire point of view, which is very cool.

That's exactly it. Like, how does this thing actually behave? And what I take away from it is just principles of how this type of malware could look in an environment, and it causes me to set different filters or even refine my radar of what to look for when I'm threat hunting for my clients. So this isn't to say that this is exactly how you would see it if it was in the wild, but if you did see it in the wild, there are some principles that you could get by looking at it from a contained environment.

I think that's really important to highlight, right? You do this stuff day in, day out, helping organizations from governments to large banks etc. with threat hunting, looking for malware, looking for problems on their networks, correct?

Yeah, and you know, I primarily focus on the performance side, when something isn't working properly, if it's broken or if it's slow. But a byproduct of that has been also having access to the golden data set that is the packet, also looking through and seeing if there's some weird behavior. So doing exercises like this, David, have helped me to refine that part of threat hunting at the packet level: looking at how things look, different examples of malware, different behaviors, and then applying that when I'm looking through my customer traffic.

That's great, Chris. Take it away, show us the demo. I'm looking forward to this.

All right, let's do this. So okay, David, just to kick this off here, we're at malware-traffic-analysis.net,
again, thanks Brad, and I am looking at the packet capture that he took on September 17th, 2024, on a Tuesday: Snake Keylogger. This was the actual infection, but it had an FTP exfil component, which is what we're going to focus on. So for the viewing audience, if you come down here to this file that's in the middle, exfil.pcap.zip, go ahead and pull that down. If you want to actually analyze the malware itself, he actually includes that as well down here, but we're going to focus on how it looked on the wire itself. Now there's also a password that you're going to need, which he tells you about here, and we'll also link that in the description, or we'll show that in the description down below so you can get quick access to it.

All right, so here's the packets, and if I just look up here you can see the name: snake keylogger infection FTP exfil.pcap. Okay, so what I do when I first get started with a packet capture like this is I just like to breeze through and look at things that jump out at me, David. This is what I was talking about earlier when it comes to refining that radar that's in my mind; that's what these exercises help me to do. What looks weird? Okay, so let's just scan through top to bottom. We're not going to deep dive into any one hexadecimal value yet, but just an overview of what we're dealing with. I see that I've got 896 packets down here at the bottom. The very first thing that we do is at checkip.dyndns.org. Okay, going to come back to that. A reallyfreegeoip, interesting. Also TLSv1, hmm, stowed away. Got a few GETs, okay. GET, okay, we'll come back to this. Several different HTTP, just standard TCP port 80 GETs. There's some interesting stuff I'm going to come back to. Keep scrolling.

Great stuff. Is that what you're saying? Interesting, right?

Yeah, it's just stuff that my brain is calling out right now. Now why would HTTP be weird? Well, because so much today is over HTTPS.

Yeah.

So much of what we do is secured, it's encrypted, as it should be, so something that's not encrypted is just something that my brain is filing away. api.telegram.org, okay, we've got a secure connection, I'm going to come back to that. FTP, lifechangerscare, okay. You see some DNS. In fact, I'm going to come up here. Let's set our first filter, packet people in the house: we're going to set our filter for DNS, and that's just going to let me take a breeze through the different services that I'm trying to resolve for IPs. So let's see, we can just go through. Okay, so there's our first scan. So sometimes people ask me, "Where do you start, Chris?" I just do a real quick overview and see what starts to jump out at me. Going to remove the filter, going to come up here, now going to go to Statistics, Conversations. Going to go ahead and bring this in. Another thing that I like to do just from the jump, from the top level, is I like to see what types of conversations I have going, both from an IP perspective and from a TCP connections perspective. So if I come over here to the TCP tab on the Conversations view, I can see that I've got a couple of secure connections, I've got some open port 80 traffic, I've got some port 21, there's my FTP, and some high-numbered, it looks like high-numbered services that we'll go ahead and take a look at and see what those are actually doing. Okay, so there's my overview. I already have stored away a bunch of stuff that I want to dig into, so we're going to take those one at a time. The first one, very beginning: checkip.dyndns.net. So here's all these IPs, and usually I just grab the first one, and that's where I go and look for my very next conversation. I fire off a TCP port 80 SYN at that server. Now it's not always going to be port 80; it depends on what application is trying to kick off right now. So I can see that this is just a web conversation going out to that server right now. Though, if this was just a regular environment, David, I always put myself in the chair of someone that's just sitting in an enterprise network, and let's just say that they saw that DNS traffic go out. My first question here would be, okay, who is trying to check their IP? Because a check IP service... let me ask you, David. I mean, do you think it would be normal for just any standard user, that's non-technical, they're just doing their day-to-day job for a business, would it be normal for them to go out and check what their external IP address is?

No. An application normally doesn't do that.

Yeah, so right there, that's kind of weird, right? That's an unusual thing. But let's see if that's actually what happened. So I'm going to come down here, and everybody can join me, because you did open up the packets, didn't you? You're following along. All right, packet 3, there's my TCP handshake. I come down to the GET; it establishes that connection and now I'm actually using it. And I'm going to right-click, and this is where we can have some fun with Wireshark. This is a screen a lot of people know and love: Follow. You can do HTTP stream or TCP stream, honestly it's going to do the same thing; I'll just pick TCP out of habit. Going to bring this in, and now I get this stream data, which is basically a representation of what was inside the packet payload in this TCP stream. So here I can see my GET, user agent, here's the host that I'm going and talking to, here's what I'm trying to do with that connection, am I closing it or am I keeping it alive? Client side is saying keep-alive. Now red is client, what the client is sending out to the server; what the server sends back is blue. If you ever forget that, look right down here on the lower left: two client packets, server packets, client in red, server in blue. Server responds and says: Current IP Check, current IP address, here you go Chris, there's your external IP as I see it. So this server is kicking back what I look like on the outside. Now back to you, David. Does that look like something that a normal everyday user should care about?

No. You think you know where you are. I mean, I know technical people do that a lot, we might check things, but I wouldn't think a normal user would even know what that is.

Yeah, good call. I mean, if I saw that this user, if I go back to this user, this 10.9.17.101, if I look that up and oh, that's David Bombal, oh well yeah, okay, I get it, he's doing some fun little thing, he's firing up a utility, you know that guy, he's always checking his external address, no big deal. But if it was somebody that usually wouldn't be doing that, that's where my radar kind of goes up: now why would this person need to know what they look like on the outside? Now many times this IP is going to come into play later. This is where, if you're going to go out and talk to an external station or some other listener out there, maybe some C2 traffic to somebody that's waiting, this is where you can alert: hey, this is where I'm coming from, this is what I will look like on the outside when I leave this network, because this 10 network won't show up out there in the world, it's a non-routed range, but this guy right here is a legit external address. Right, so that's weird. Now I'm going to go ahead and come up here, I'm just going to remove that filter, come back to my conversations. So how are we doing so far?

That is great. I mean, you've already highlighted: why is it checking its IP address? HTTP seems weird in today's world as well.

Yeah, exactly. Both of those two things, putting on my threat hunting hat, I just
had two little alarms fire off. So as I keep going: reallyfreegeoip. Okay, so we go and we knock on that door, we get a response that came back. Now while I'm at it, something else I'm going to draw to your attention is VirusTotal. This is something I always keep up on a browser nearby, and one reason is I like to search URLs and also IPs, to just do a high-level radar scan, or not a scan, just a lookup: what type of service am I going to? Is this something that other systems know about, and is it malicious? So let's just do that: reallyfreegeoip. Okay, so from a high level, no real alarms just yet. Okay, check over to Community, don't see anything just yet from anybody major saying that this is an issue. So that's just good for me to tuck away. All right, but then I do this Client Hello to it, and what I don't like about this is that it's using version TLSv1. So if I come down here, I did this connection, I complete the connection, and if I come down to TLS, not to get super duper crazy far in the weeds, but if I look at the TLS Client Hello coming from that client, the record-level version is TLS 1.0 and the actual Client Hello handshake version is TLS 1.0 as well, and I don't have anything down here, there's no extensions down here to talk about any other version. So if this version goes up to TLS 1.2, 1.1, 1.0, typically the record version and the version within the Client Hello tell me the bottom version that I'll support and the most recent version that I'll support. So right here it's just saying 1.0.

And that's weird, right?

Yeah, that's weird these days, right? Because TLS 1.0, 1.1, we've really moved forward from. Right now we're in the world of TLS 1.2, 1.3, so to have 1.1 still lingering around would be a radar thing for me, like what's still using a pretty dated version of TLS? Okay, so I go and I just knock on that door. Now this is where encryption takes over, right? So I do my Client Hello, Server Hello, a cert comes back. If I really want to, I can start digging and just take a look at what it includes: GlobalSign, okay, Google Trust Services, okay. So it looks like just an overall okay conversation, but it's using that old version, and again I would wonder what is it on this system that is calling an old TLS version? That's going to be an interesting thing for me to start to dig at moving forward. And I'm just calling out stuff as I see it here, moving forward. How about this one, the next conversation that I have. So I'm going to DNS api.telegram.org and I get an IP back. That looks weird.

Yeah, why Telegram?

Yeah. All right, so api.telegram, let's actually do that here. I'm in VirusTotal, so let's punch that in, and ooh, here we go, we've got some security vendors flagging this as malicious, suspicious, phishing, and from the Community this is where I can start to get an idea of what types of malware this has been an IOC of, and just see: malicious Google updater, stealer, Tor exit nodes. So yeah, that domain has been seen before and has some risks associated to it, so that's something that, again, that's another red flag for me. So I can see that this client is touching base in a couple of different ways; it's going and having these conversations. I don't know exactly, because I don't have a way of decrypting this at this moment, I don't know exactly what is exchanged here with application data, but I do know the client goes out, sends 399 bytes out, gets 433 back, and then right after that happens, this is where some interesting stuff really goes down. So this is where we go into the things that we can actually see on the wire. Let's go to packet 109.
I'll say something before you do that, Chris, sorry.

You bet.

If you were doing this in the real world, would you be flagging to the client, like, why are you sending stuff to Telegram, why are you sending it to this weird domain, why are you using these weird protocols or old protocols?

Yeah, that's a great question too. So for me, absolutely I would. This would just be radar triggering, right? Not necessarily that it's an absolute problem yet, but hey client, what are we doing here, what is this system doing, what do we expect it to do? Now hopefully, here's my hope, David, that they already have an IDS/IPS system that's all over this. That's the goal, right? That they have already been, or there are alerts, maybe alerts that have been overlooked because of alert overload. Sometimes I run into that with my clients, like, hey, this is kind of strange looking, and they go, oh, we didn't know that that alert really was related to this. So if anything, it's giving more validity to an alert that they didn't fully realize was associated to an infection like this.

Yeah, even before you got to the FTP stuff, which looks really weird, you already got warning, well, sirens going off that there's some weird traffic.

Absolutely, 100%. And that's also why for me I keep VirusTotal nearby, to just help me validate what I think is weird. Right, like right here, I mean this is just calling it out: activity related to Snake Keylogger. I mean, boom, there we go, right? And that validates that this packet capture did in fact capture some IOCs from Snake Keylogger. And if you're interested, let's go and link this down below as well, David. I went and just did a quick search for Snake Keylogger, just an overview of what it is, and if we look right here, so at least this version of it that they're writing up here, once executed on the victim's computer it has the ability to steal sensitive data. It is basically a phishing campaign in the wild: a malicious Excel document attached to a phishing email. They performed a deep analysis. This is a very interesting read if you really want to go into the guts of how it actually did its remote code execution through that Excel file. So if that's your jam, go at it. But I am a packet person, so going to go back to what the actual traffic was that it executed on the wire.

I think it's great though, because in the real world we need people like you, and then we also need the malware reverse engineering type people.

Oh yeah, for sure. Yeah, keep in mind I'm looking at this from the perspective of what actually happened on the wire, what did it do, and then pulling that back into the system along with someone like you just mentioned from a SOC team that can further do some digging within the system itself. Okay, so back to our packet. We ready to go to FTP now?

Yeah.

All right, so I can see about 10 seconds after it did that last conversation to telegram.org, come here, 10 seconds later, FTP, lifechangerscare.com. So we get an address back. So we just see on our answers, if I just look here, here's our IP address, so 216.252, and we actually go and do a TCP port 21 conversation to it, and that's our standard port for FTP traffic, or FTP control traffic. So we go and we talk to that server, and FTP being open, it also allows us to see a username and password, right? So we can still see that over FTP in clear text. So the username is chucks at lifechangerscare.com and the password is this nice little password right here. Okay, so, and can I just tangent just for a quick second, David? In the past, hey look, the listening audience told us they like tangents, so you asked for it. Where my brain thinks of it, I just share it with you, and that's where, I mean, we don't want to get too excited, super excited, about open usernames and passwords. Sometimes I see real flashy videos: oh, capture usernames and passwords on the wire with Wireshark. So much is encrypted these days that a lot of times you're just not going to see this in the open on the wire, but today, sometimes malware like this can be lazy and it does it anyway. So if I did ever see usernames and passwords on the open wire, that is actually something I would first think of, like, typical applications don't do that anymore and haven't for years, so what is doing this? Coming back to that being open.

I think it's really important that you go on these tangents about real world versus, like, the theory, right? Because you're seeing this all the time, so it's great to get your real world expertise on this.

Thanks David. And for those that are
watching, definitely comment below, let us know what you think, and happy to share what comes to my brain, or David can choose to cut it out, that's his call. Cut, cut, cut. Okay, coming down here. So we did that first check-in with FTP, and FTP is doing something that's pretty standard here. If I come down to this response, so basically the client does a passive request to the server. So basically the client says, hey, we want to do some interaction, but over passive FTP instead of active FTP, so hey server, go ahead and hit me back and use a port number that I'm going to send you. That's what the... I'm sorry, the server sent that back to me. So client says, hey server, I want to go passive. Server comes back, says sure, here's my IP address and here's a port number that I want you to hit me back on, not port 21. And that's why this can be interesting to analyze, because notice now that the client switches to that port number that was sent. Now if you look in Wireshark, if you look at packet 132, it's actually, here's my response, I'm going to come down to, you see that Entering Passive Mode right here? Yeah, so the way that these numbers work out: here's the actual octets of the address, and then this one down here, this 220, 27, it actually translates into this port number. So the server says hit me back on 56347. So the client says okay, 56347, that's the port that you indicated. I'm just going to right-click that port and just set a quick filter. Now notice I'm not doing Follow Stream yet, I'm just going to Conversation Filter, TCP. That's a whopping nine packets, and my TCP length here just shows me that there's only one packet that actually has some payload in it. For the listening audience, you might on Wireshark have Length, and that's the full packet length that includes the TCP, IP and Ethernet headers, so you might have a different number there. The way that I got this is if I go down to TCP, just going to expand TCP, and you can come down here to TCP segment length. You see that number? Right-click that guy, add it as a column, or you can just drag that number. I'm on packet 140, drag and drop, and you can just drop it upstairs. Now I already have that, so I'm just going to take it and I'm going to remove it. Okay, and for the super Wireshark nerds among us, good for you, because Wireshark's pretty awesome to be a nerd about: if you right-click up here and just go to Edit Column, that's where you can change the name of the... you can title the column differently, and I just shortened it to TCP Length. It shows TCP length and everyone is happy in the world. Okay, SYN, SYN-ACK, ACK, we connect, 133 milliseconds network round trip time, a few other things that I could see in there, but I'm interested: client to server, we send out 1140 bytes via this passive FTP port. All right, let's actually see what that is. I'm going to right-click that and, just to put it on one page, Follow TCP Stream. So this is all from the client, okay? So hopefully the viewers can see this okay, we just zoomed in. Now this is from client to server, we're sending this out. All right, so VIP Recovery, PC name: hey Mr. Server, here's my PC name, here's the date and time, here's my external IP address. Here's where that came back into the mix. Here's where I'm from, this is my GeoIP stuff; that's why we hit GeoIP up above. We actually went out and talked to a GeoIP server about what our external address was. Now we're starting to put together the pieces of the previous conversation, right? We first got our external IP, then we looked up its GeoIP information: South Carolina, time zone, latitude, longitude, hey, I am just right here, here's all my stuff about me, and this is also what I'm sending out to that device. Here's my VIP Recovery, so recovered from Outlook: this was entered in as the URL that a user went to, and here's the address or the email that was used to log in, and here's the password that was used. How about recovered from this Edge browser: here's the host that it went to, here's the username, here's the password, Edge Chromium. We have a few other usernames and passwords: silly site, and username, password, username, password. So this was all collected off that machine and sent out to that listener over FTP. Now this isn't where it stops. There's a couple of ways I can do this. I'm actually just going to show you this here, and then I'm going to reverse and show you a longer way to do it. But if you come over here to Stream, you see I'm on stream 4. Yeah, every TCP conversation within Wireshark gets a stream number, and to keep it simple, basically a TCP conversation is the same as a four-tuple: two IP addresses, two port numbers. There's a couple of other factors that go into it, and with timing, but let's just keep it at that for now. So whenever I see two different IPs, two different ports, that gets an identity as a TCP stream between those two. If any of those change, if we change port numbers, if we change IP addresses, well, that's a different TCP stream and it's going to get a different TCP stream number. Once I'm here and I'm looking at the stream data, I can jump to a different stream by just staying right here. I can come down here to stream 4; I want to go to stream 5. So rather than shutting this down, going and finding the conversation for stream 5, right-click, Follow TCP Stream, just to come right back here, you can just jump through your TCP streams without ever leaving this screen. Kind of a little trick for the good people. All right, so let's see what else we found. So this time, instead of passwords, we were looking for cookies. So in this case, what the malware was able to do was actually go and extract cookies out of a browser, or it's also possible that it was able to see them entered in real time. Recovered From shows us where it was recovered from, what the host is, when it expires, what the value is. So all of these cookies. So once we get all these cookies, now what we would be able to do is assume the identity, hopefully, of that user interacting with these different systems, and hopefully do like a session resumption, because we have that cookie. It really depends on what protections are in place on that server, but we get the idea: we stole a bunch of cookies off of this client. Okay, so that was... I'm just going to come back to my packets and pause for a minute. David, what do you think so far?

That's great. I mean, it's nice to see this stuff on the wire rather than trying to reverse engineer it.

Yeah, exactly. And again, these are all things for everybody out there to start thinking about, like, okay, this is a lab environment, but you probably would think about it a little bit differently if you're just capturing traffic off of your local connection and you start to see your local machine, without your knowledge, going and doing a bunch of external IP checks.

Yep.

Now you're going to go, whoa, why is my machine wondering what it looks like on the outside? That's weird.

Yeah.

Right, so okay, so this was all sent out, so exfiltrated, if you will, I'll use that word, to that listener. Oh man, David, you know that I want to dig into this stuff, but this is the wrong time to do it: zero window, window full. Tell you what, does everybody, maybe on a future video, do you want to use this pcap and go into this stuff? Window full, what does this mean, why do I care, when does it matter? I'll just put that out to the audience and see if you guys are interested. What do you think, David?

Yeah, I think if everyone could just comment below the kind of stuff that you want Chris to cover, like perhaps a series on weird and wonderful Wireshark stuff, right?
WWW, I like it. I think we just came up with that: Wednesday, quad W. I like it, quad W. Okay, good. So I'm just going to back this off now. So that second conversation pulled... so the first one was passwords, the next one was cookies. So I'm just going to scan through this just to see, do I see anything else going on? Well, as expected, at the end it just wraps up its conversations, does some FINs, the file was successfully transferred, and really that's it. That's what we were able to capture off of that malware. So let me back up and just re-approach this, like what did we learn? In 800 packets, 896 packets, we were able to see an infection as it played out. So first we went and checked our external IP, then we did this whole GeoIP thing, and then after about 10 seconds we started to see this malware exfiltrate out those passwords and also cookies. Something that helped us as we were in the radar stage, just tuning that: when we went to VirusTotal we were able to see several steps along the way. We also had some red flags there, especially with that API call, that was a strange one. Also if you look up lifechangerscare, in fact, you know what, while I'm here I'm just going to do that as well. It was FTP, just zoom in here a little bit: ftp.lifechangerscare.com. They care, David.

They care about your data, yeah.

They definitely do, especially your passwords. Yeah, exactly. So here we go, we had definitely some flags here on that one. If we jump over to Community, don't see any writeups yet on it, but yeah, as we start digging through, maybe we'll be able to help the community with a post about what it is. Don't go to this website.

Yeah, let's just stay away from there.

Good. So that was a quick walkthrough. Hey, any other thoughts that come up right now about that, David, or questions you have?

Yeah, I think... just for everyone, once again, comment below. Weird and Wonderful Wireshark Wednesdays might be sort of a series of videos that I think Chris and I should create, but please let us know in the comments the kind of stuff that you want to see. Chris has so much experience, and you can shortcut your learning by just, you know, watching him do this and learning from his tips and tricks. Chris, you've also got a course on Udemy that's recently been updated, right?

I do. So if you head out to Udemy, you'll see the video that David and I partnered to create, and it really gets you from zero to hero with Wireshark. So all the things that you just saw me do, setting filters, setting coloring rules, creating profiles, all of those things are things that I cover. Really, David and I have a combined goal: we want to make packet analysis more accessible to more people.

Yeah.

To take that fear factor out and make it just less scary. I don't forget how it felt when I first looked at a packet trace and there was so much going on in there, and I thought, I'm never going to learn this, it's so much, like how can anybody know what's actually happening? But literally bit by bit, byte by byte, sticking with it and learning some fundamentals, some things that apply across any domain, regardless of IT silo, regardless of what type of protocol or application I'm analyzing, there are fundamentals you can learn which make that much easier. So that's our goal. It's our goal with videos like these, also with different shorts that we post together, but also with that course on Udemy: to give you that core skill set with Wireshark, because we think it's just so important.

So for everyone who's watching, I've put a discount code below, so if you use that you'll get the course for a cheaper price. Hopefully that helps you. But again, Chris and I have got some exciting things coming, expect a lot of Wireshark content on the channel, let us know the kind of stuff that you want to see. Again, let's leverage Chris's knowledge to help you better analyze networks. Chris, as always, thanks.

Absolutely, David, thanks for having me back.
2025-01-28 10:24