Главная

Saturday, 14 March 2020

Using Python for Network Forensics #1.

Hi all.

Today I would like to present for us excerpt from book "Mastering Python Forensics", Copyright © 2015 Packt Publishing, written by authors Dr. Michael Spreitzenbarth and Dr. Johann Uhrmann. It's concerning using Python for network forensics. You are welcome!

In this chapter, we will focus on the parts of the forensic investigation that are specific to the network layer. We will choose one of the most widely used Python packages for the purpose of manipulating and analyzing network trafic (Scapy) as well as a newly released open source framework by the U.S. Army Research Laboratory (Dshell). For both the toolkits, we have selected the examples of
interesting evidence. This chapter will teach you the following:
•  How to search for IOC in network traffic
•  How to extract files for further analysis
•  How to monitor accessed files through Server Message Block (SMB)
•  How to build your own port scanner

So, how we are using Dshell during an investigation.

Dshell is a Python-based network forensic analysis toolkit that is developed by the U.S. Army Research Laboratory and released as open source at the end of 2014. It can help in making the forensic investigations on the network layer a little easier. The toolkit comes with a large number of decoders that can be used out of the box and are very helpful. Some of these decoders are as follows:
•  dns: Extracts and summarizes DNS queries/responses
•  reservedips: Identifies the DNS resolutions that fall in the reserved IP space
•  large-flows: Displays the netflows that have at least transferred 1MB
•  rip-http: Extracts the files from the HTTP traffic
•  protocols: Identifies non-standard protocols
•  synrst: Detects failed attempts to connect (SYN followed by a RST/ACK).

Dshell can be installed in our lab environment by cloning the sources from GitHub at, https://github.com/USArmyResearchLab/Dshell and running install-ubuntu.py.
This script will automatically download the missing packages and build the executables that we will need afterwards. Dshell can be used against the pcap files that have been recorded during the incidents or as a result of an IDS alert. A packet capture (pcap) file is either created by libpcap (on Linux) or WinPcap (on Windows). In the following section, we will explain how an investigator can make use of Dshell by demonstrating the toolkit with real-world scenarios that are gathered from
http://malware-traffic-analysis.net.




The first example is a malicious ZIP file that a user has encountered through an email link. The user logged in to Gmail and clicked the download link in the mail. This can easily be seen with the web decoder of Dshell, as follows:

user@lab:~$ source labenv/bin/activate
(labenv)user@lab:~$ ./dshell
(labenv)user@lab:~$ Dshell> decode -d web infected_email.pcap

web 2015-05-29 16:23:44     10.3.162.105:62588 ->   74.125.226.181:80    ** GET mail.google.com/ HTTP/1.1  // 200 OK  2015-05-29 14:23:40 **

web 2015-05-29 16:24:15     10.3.162.105:62612 <-    149.3.144.218:80    ** GET sciclubtermeeuganee.it/wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip HTTP/1.1  // 200 OK  2015-05-28 14:00:22 **

When looking at the previous trafic extract, the ZIP file could be the first Indicator of Compromise. Therefore, we should take a deeper look at it. The easiest way to do this is to rip the ZIP file out of the pcap file and compare its md5 hash against the VirusTotal database:

(labenv)user@lab:~$ Dshell> decode -d rip-http --bpf "tcp and port 62612" infected_email.pcap

rip-http 2015-05-29 16:24:15 10.3.162.105:62612 <- 149.3.144.218:80 
** New file: pdf_efax_message_3537462.zip (sciclubtermeeuganee.it/wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip) ** 
--> Range: 0 - 132565
rip-http 2015-05-29 16:24:15     10.3.162.105:62612 <-    149.3.144.218:80  
** File done: ./pdf_efax_message_3537462.zip (sciclubtermeeuganee.it/wp-content/plugins/feedweb_data/pdf_efax_message_3537462.zip) **

(labenv)user@lab:~$ Dshell> md5sum pdf_efax_message_3537462.zip
9cda66cba36af799c564b8b33c390bf4  pdf_efax_message_3537462.zip

In this simple case, our first guess was right as the downloaded ZIP file  contains another executable that part of an infostealer malware kit.

Another really good example is searching for the accessed files on a network share via the SMB protocol. This can be very helpful when trying to find out whether an attacker was able to access or even exfiltrate the data and-if successful-which data has been potentially leaked:

(labenv)user@lab:~$ Dshell> decode -d smbfiles exfiltration.pcap

smbfiles 2005-11-19 04:31:58    192.168.114.1:52704 ->
192.168.114.129:445   ** VNET3\administrator \\192.168.114.129\TEST\
torture_qfileinfo.txt (W) **

smbfiles 2005-11-19 04:31:58    192.168.114.1:52704 ->
192.168.114.129:445   ** VNET3\administrator \\192.168.114.129\
TESTTORTUR~1.TXT (-) **

smbfiles 2005-11-19 04:31:58    192.168.114.1:52705 ->
192.168.114.129:445   ** VNET3\administrator \\192.168.114.129\TEST\
testsfileinfo\fname_test_18.txt (W) **

With the help of the rip-smb-uploads decoder, Dshell is also able to automatically extract all the uploaded files of the recorded pcap file. Another interesting example is searching for the IOC with the help of the snort rules, which can also be done by Dshell, as follows:

(labenv)user@lab:~$ Dshell> decode -d snort malicious-word-document.
pcap --snort_rule 'alert tcp any 443 -> any any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; content:"|55 04 03|"; content:"*.tor2web.";)' –snort_alert

snort 2015-02-03 01:58:26      38.229.70.4:443   --  192.168.120.154:50195 ** ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) **

snort 2015-02-03 01:58:29      38.229.70.4:443   --  192.168.120.154:50202 ** ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) **

snort 2015-02-03 01:58:32      38.229.70.4:443   --  192.168.120.154:50204 ** ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) **

In this example we opened a potentially malicious Word document that we have received within a spam email. The Word document is trying to download the Vawtrak malware and thereby communicating over the Tor network. The snort rule we are using originates from Emerging Threats, (refer to http://www.emergingthreats.net/), and is searching for known SSL certificates for the
Tor2Web service (a service to let users access Tor Onion Services without using the Tor Browser). Similar checks can be done using all available snort rules and can be very helpful if you are searching for a specific attack within the network.

As an alternative to the shown pcap files, all the demonstrated examples can also be run against an active network connection with the help of the –i interface_name flag as shown in the following:

(labenv)user@lab:~$ Dshell> decode -d netflow -i eth0

2015-05-15 21:35:31.843922   192.168.161.131 ->    85.239.127.88  (None -> None)  TCP   52007      80     0      0        0        0  5.1671s
2015-05-15 21:35:31.815329   192.168.161.131 ->    85.239.127.84  (None -> None)  TCP   46664      80     0      0        0        0  5.1976s
2015-05-15 21:35:32.026244   192.168.161.131 ->    208.91.198.88  (None -> None)  TCP   40595      80     9     25     4797   169277  6.5642s
2015-05-15 21:35:33.562660   192.168.161.131 ->    208.91.198.88  (None -> None)  TCP   40599      80     9     19     4740    85732  5.2030s
2015-05-15 21:35:32.026409   192.168.161.131 ->    208.91.198.88  (None -> None)  TCP   40596      80     7      8     3843   121616  6.7580s
2015-05-15 21:35:33.559826   192.168.161.131 ->    208.91.198.88  (None -> None)  TCP   40597      80     5     56     2564   229836  5.2732s

In this example, we are generating the netflow data of an active connection.  Dshell is purely written in Python, which makes it highly adaptable to all the  needs of the forensic investigators and can also be used in a chain with other  tools or predefined processes. If you want to test this, you can download the sample files from  http://www.emergingthreats.net/.

So, we will use Scapy during an investigation in chapter #2.
See you.

No comments:

Post a Comment

А что вы думаете по этому поводу?