[Wireshark] Cyber security analysis and identifying common cyber network attacks
overview
We will cover the basics of Wireshark first, then you’ll gain the ability to threat hunt at the packet level.
capture traffic and examine the packet
- open Wireshark and choose Ethernet

- you can check capture options

- let’s generate some traffic

- Use a display filter to find the traffic for the related IP address
ip.addr == 1.1.1.1 (target IP)

% ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
ether 14:9d:99:81:0a:c9
inet6 fe80::10c2:5ce7:5c47:1822%en0 prefixlen 64 secured scopeid 0x4
inet 192.168.3.9 netmask 0xffffff00 broadcast 192.168.3.255
You can see the traffic from my IP (192.168.3.9) to 1.1.1.1 and the replies from 1.1.1.1 as well.


- In the packet details pane you can see four sections (for the ICMP ping above)

- Frame section shows the entire message as captured on the wire

- Ethernet section shows the Ethernet header

- Internet Protocol section shows the IPv4 header info

- ICMP section shows the ICMP-specific info

- The bytes pane shows the hexadecimal values

- At the bottom, the detailed info about the selected packet
Examine the frame dissector
- start capturing
- Open Firefox and press shift + command + p to open private browser


Once it opens, close it and stop capturing. Let's filter now!!
frame contains "veronica"
This filters every packet containing the string "veronica" anywhere in the frame.

- Right-click > Follow > HTTP Stream


You can see the details of the HTTP stream. Close it.


You can see the IPv4 info is organized in Wireshark
Use Wireshark packets to map a network
Network diagram



Filtering captured traffic using display filters
arp
- show all ARP requests and replies
dns
- show all DNS traffic (queries and responses)

dns.qry.name == "www.pluralsight.com"
- show only the DNS packets whose query name is that specific name


you can see the answers section

Combining multiple display filters
dns.qry.name == "www.pluralsight.com" || dns
- OR widens the match: since every packet matching the first clause is also dns, this is equivalent to dns alone; it is shown here for the syntax

ip.addr eq 192.168.3.9 && ip.addr == 52.88.45.204
- both directions of the conversation between the two hosts (eq and == are interchangeable)

(ip.src == 192.168.3.9) && (ip.dst == 52.88.45.204)
- only the packets sent from 192.168.3.9 to 52.88.45.204



You can also save a filter as a filter button for reuse.
Foundational TCP Analysis
- Let's create a new profile from the bottom right: right-click > New. Name it "TCP plain"


- Wireshark > Preferences > Columns > + > add a Delta time column

- Drag and drop to the position next to Time

- View > Coloring Rules > add a rule for TCP SYN

- statistics > conversations

We can see the TCP conversation statistics

- This conversation has the largest delta time; narrow the view down to that single stream:
ip.addr==192.168.3.9 && tcp.port==59166 && ip.addr==75.2.53.94 && tcp.port==443 && tcp.analysis.flags

tcp.analysis.flags
This shows the packets Wireshark's TCP analysis has flagged (retransmissions, duplicate ACKs, out-of-order segments, zero window and similar problems)
Wireshark Configuration for Cyber Security Analysis
Creating a security profile
- Bottom right > right-click > New. Create a profile called "security operations"

- View > Time Display format > Time of Day, milliseconds

- Save a useful TCP filter
tcp.flags.syn==1

- View > Coloring Rules

So you can color traffic by rule

The statistics view
- statistics > conversations (ports, ip, bytes)

Configure GeoIP location Resolution
- Wireshark > preferences > name resolution > MaxMind database > Edit

- enter the path to the directory holding the MaxMind database files


- statistics > endpoints > IPv4



- we can see where the traffic comes from (country and city per endpoint)
Configure custom columns
- choose one packet > TCP > Source Port > right-click > add as column


- you can have your own column

- right-click the Source Port column > Edit Column > append "or udp.srcport" in the Fields box (so the field reads "tcp.srcport or udp.srcport" and the column shows either)


- let's right-click Request URI and add it as a column too.

Name resolutions
- Wireshark > preferences > name resolution >


Exporting HTTP objects and files
- File > Export Objects > HTTP > Save

- After exporting, you can upload malicious files to VirusTotal.
Filtering for unusual DNS activity
dns.flags.response == 1
- check how many responses there are

dns.count.answers > 10
- responses that carry more than 10 answer records

dns.flags.response == 0 and ! ip.dst == 10.0.0.0/24 (local DNS IP address)
- queries whose destination is not the local DNS server (here pretending the local DNS server is in 10.0.0.0/24)

dns.flags.response == 1 and ip.len > 500
- DNS responses whose IP packet is larger than 500 bytes
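The four DNS filters above expressed as detection logic you can run offline, as an added example that is not part of the original notes. It assumes the same local resolver range (10.0.0.0/24) and runs over a handful of constructed DNS records whose fields mirror the Wireshark field names (ip.len, dns.flags.response, dns.count.answers); the thresholds are parameters so they can be tuned per network.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    """One dissected DNS packet; attribute names map to Wireshark fields."""
    src: str
    dst: str
    ip_len: int          # ip.len
    response: bool       # dns.flags.response (True == 1)
    qry_name: str        # dns.qry.name
    answers: int = 0     # dns.count.answers


LOCAL_DNS = "10.0.0.0/24"  # assumed local resolver range, as in the notes

# Constructed sample: normal lookups via the local resolver, one lookup that
# bypasses it, one oversized response and one response with many answers.
SAMPLE = [
    DnsPacket("10.0.0.50", "10.0.0.2", 75, False, "www.pluralsight.com"),
    DnsPacket("10.0.0.2", "10.0.0.50", 120, True, "www.pluralsight.com", 2),
    DnsPacket("10.0.0.50", "8.8.8.8", 68, False, "example.net"),
    DnsPacket("8.8.8.8", "10.0.0.50", 640, True, "example.net", 1),
    DnsPacket("10.0.0.2", "10.0.0.50", 420, True, "cdn.example.org", 14),
    DnsPacket("10.0.0.51", "10.0.0.2", 70, False, "time.example.org"),
]


def count_responses(packets):
    """Equivalent of: dns.flags.response == 1"""
    return sum(1 for p in packets if p.response)


def flag_dns(packets, local_dns=LOCAL_DNS, max_answers=10, max_len=500):
    """Return (rule, packet) pairs for every packet matching one of the note's filters.

    query_bypasses_local_dns: dns.flags.response == 0 and ! ip.dst == <local_dns>
    many_answers:             dns.flags.response == 1 and dns.count.answers > max_answers
    large_response:           dns.flags.response == 1 and ip.len > max_len
    """
    net = ipaddress.ip_network(local_dns)
    hits = []
    for p in packets:
        if not p.response and ipaddress.ip_address(p.dst) not in net:
            hits.append(("query_bypasses_local_dns", p))
        if p.response and p.answers > max_answers:
            hits.append(("many_answers", p))
        if p.response and p.ip_len > max_len:
            hits.append(("large_response", p))
    return hits


def summarize(packets, **thresholds):
    """Count of hits per rule, the view you would want before drilling into packets."""
    return dict(Counter(rule for rule, _ in flag_dns(packets, **thresholds)))


if __name__ == "__main__":
    print("responses:", count_responses(SAMPLE))
    for rule, p in flag_dns(SAMPLE):
        print(f"{rule:26} {p.src} -> {p.dst} {p.qry_name} len={p.ip_len} answers={p.answers}")
    print(summarize(SAMPLE))
```

The bypass rule is the one most worth tuning: on a network where clients are only supposed to use the internal resolver, any query to an outside address is a policy violation, while the size and answer-count rules only surface candidates for a closer look.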

Filtering for traffic based on country location
ip.geoip.dst_country == "Japan"
- filter only traffic destined for Japan (use ip.geoip.src_country for traffic coming from Japan)

Filtering for suspect TCP behavior
(tcp.flags.syn==1) && (tcp.flags.ack == 0)
- filter only SYN packets (connection attempts with no ACK set)

(tcp.flags.fin == 1) && (tcp.flags.push == 1) && (tcp.flags.urg == 1)
- filter for an Xmas scan (FIN, PSH and URG set together never occurs in normal traffic)

tcp.port == 22 and ! ip.src == 10.0.0.1/24 (specific range that SSH is allowed from)
- filter SSH that connects from a strange IP address

Filtering for executable files
http contains "DOS"
- right-click the packet > Follow > TCP Stream

This catches an executable disguised under another file name: a PE file starts with "MZ" and carries the text "This program cannot be run in DOS" regardless of what it is called.
Decrypting TLS traffic
- Wireshark > Preferences > Protocols > TLS, and point the (Pre)-Master-Secret log filename at the key log file the browser writes (SSLKEYLOGFILE) so the sessions can be decrypted


Identify Common Cyber Network Attacks with Wireshark
Detecting Port Scans
tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == 10.0.2.15 <scanning host IP>
- shows the SYN/ACK replies going back to the scanning host, i.e. which ports answered the scan as open
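The port-scan filter just above and the suspect-TCP filters earlier (SYN-only, Xmas, SSH from outside the allowed range) as one offline detector, an added example rather than anything from the original notes. It runs over constructed packets in which 10.0.2.15 SYN-scans 10.0.2.4 (three ports answer SYN/ACK, the rest RST/ACK), plus one Xmas probe, one SSH attempt from an outside address and one ordinary client; the 10.0.0.0/24 allowed range for SSH is the notes' assumption.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "PSH", "URG", "RST"}


def P(src, dst, sport, dport, *flags):
    return TcpPacket(src, dst, sport, dport, frozenset(flags))


SCANNER, TARGET = "10.0.2.15", "10.0.2.4"  # constructed addresses

# Constructed capture: a SYN scan of six ports, then a few unrelated packets.
SAMPLE = []
for i, port in enumerate([22, 80, 135, 443, 445, 8080]):
    SAMPLE.append(P(SCANNER, TARGET, 40000 + i, port, "SYN"))
    reply = ("SYN", "ACK") if port in (22, 80, 445) else ("RST", "ACK")
    SAMPLE.append(P(TARGET, SCANNER, port, 40000 + i, *reply))
SAMPLE += [
    P(SCANNER, TARGET, 40100, 25, "FIN", "PSH", "URG"),   # Xmas probe
    P("192.168.50.7", TARGET, 51000, 22, "SYN"),           # SSH from outside 10.0.0.0/24
    P("10.0.0.20", TARGET, 52000, 443, "SYN"),             # ordinary client
    P(TARGET, "10.0.0.20", 443, 52000, "SYN", "ACK"),
]


def is_syn_only(p):   # tcp.flags.syn==1 && tcp.flags.ack==0
    return "SYN" in p.flags and "ACK" not in p.flags


def is_syn_ack(p):    # tcp.flags.syn==1 && tcp.flags.ack==1
    return {"SYN", "ACK"} <= p.flags


def is_xmas(p):       # tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1
    return {"FIN", "PSH", "URG"} <= p.flags


def syn_scanners(packets, min_ports=5):
    """(src, dst) pairs where src sent bare SYNs to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        if is_syn_only(p):
            ports[(p.src, p.dst)].add(p.dport)
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}


def ports_answered_open(packets, scanner_ip):
    """Equivalent of: tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == <scanner_ip>."""
    return sorted({p.sport for p in packets if is_syn_ack(p) and p.dst == scanner_ip})


def xmas_probes(packets):
    return [p for p in packets if is_xmas(p)]


def ssh_attempts_from_outside(packets, allowed_net="10.0.0.0/24"):
    """SYNs to port 22 from outside the allowed range. The notes' filter uses tcp.port,
    which also matches the server's replies; restricting to SYN-only to dport 22 keeps
    just the connection attempts."""
    net = ipaddress.ip_network(allowed_net)
    return sorted({p.src for p in packets
                   if p.dport == 22 and is_syn_only(p)
                   and ipaddress.ip_address(p.src) not in net})


if __name__ == "__main__":
    print("SYN scanners:", syn_scanners(SAMPLE))
    print("ports open to scanner:", ports_answered_open(SAMPLE, SCANNER))
    print("Xmas probes:", len(xmas_probes(SAMPLE)))
    print("SSH from outside:", ssh_attempts_from_outside(SAMPLE))
```

Combining the two views is the useful part: the SYN-only count tells you a scan happened and from where, and the SYN/ACK list tells you what the scanner learned, which is the set of ports to check against what the host is supposed to expose.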

Threat hunting: analyzing a real network and port scan
http.request or http.response
- look for "POST" requests

check TCP stream as well

!tcp.port in {80 135 443 445 995 8000}
- check whether unusual ports are being used

check TCP stream as well

MZ ………… @ ………… .!..L.!This program cannot be run in DOS  (the MZ/DOS header of a PE executable as rendered in the stream)

http.request.uri contains "png"
- the name says PNG but the content is an executable file.
tcp.analysis.flags
- show all retransmissions and other flagged TCP behavior
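The "named .png but really an executable" check done on the exported objects themselves, as an added example that is not part of the original notes. It inspects the first bytes of each saved HTTP object (the MZ header, the e_lfanew pointer at offset 0x3C and the "PE\0\0" signature it points at) and compares the detected type with the extension in the request URI; the objects, URIs and the table of magic values are constructed for the example.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

# First bytes of common web file types (assumed values for this example).
MAGIC_BY_EXT = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
}


def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def detect_type(data):
    if looks_like_pe(data):
        return "pe"
    for ext, magic in MAGIC_BY_EXT.items():
        if data.startswith(magic):
            return ext
    return "unknown"


def declared_extension(uri):
    """Extension claimed by the request URI, ignoring any query string."""
    name = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "jpg" if ext == "jpeg" else ext


def classify_object(uri, data):
    declared = declared_extension(uri)
    detected = detect_type(data)
    return {
        "uri": uri,
        "declared": declared,
        "detected": detected,
        # only call it a mismatch when we positively recognised the content
        "mismatch": detected != "unknown" and declared != detected,
        "dos_stub": b"cannot be run in DOS" in data,  # what 'http contains DOS' keys on
    }


def find_disguised_executables(objects):
    """URIs of objects that are PE files but are not served under an .exe name."""
    return [r["uri"] for r in (classify_object(u, d) for u, d in objects)
            if r["detected"] == "pe" and r["declared"] != "exe"]


def build_fake_pe():
    """Constructed minimal MZ/PE header: enough structure for the checks above, not a real binary."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)           # e_lfanew -> PE signature at 0x80
    header[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


# Constructed objects standing in for files saved via File > Export Objects > HTTP.
SAMPLE_OBJECTS = [
    ("/static/logo.png", MAGIC_BY_EXT["png"] + b"\0\0\0\rIHDR" + b"\0" * 32),
    ("/static/update.png?v=3", build_fake_pe()),
    ("/docs/guide.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
]


if __name__ == "__main__":
    for uri, data in SAMPLE_OBJECTS:
        print(classify_object(uri, data))
    print("disguised executables:", find_disguised_executables(SAMPLE_OBJECTS))
```

Checking the e_lfanew pointer rather than just the two MZ bytes avoids flagging any file that happens to start with "MZ"; conversely a real PE that has had its DOS stub text altered still fails the "http contains DOS" filter but is caught here.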

You can also see other Wireshark articles