Hands-On Network Forensics: Investigate network attacks and find evidence using common network forensic tools
By Nipun Jaswal
About this ebook
Gain basic skills in network forensics and learn how to apply them effectively
Key Features
- Investigate network threats with ease
- Practice forensics tasks such as intrusion detection, network analysis, and scanning
- Learn forensics investigation at the network level
Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threats, it's now more important than ever to have the skills to investigate network attacks and vulnerabilities.
Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You’ll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Towards the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together.
By the end of this book, you will have gained hands-on experience of performing forensic analysis tasks.
What you will learn
- Discover and interpret encrypted traffic
- Learn about various protocols
- Understand the malware language over wire
- Gain insights into the most widely used malware
- Correlate data collected from attacks
- Develop tools and custom scripts for network forensics automation
The book targets incident responders, network engineers, analysts, forensic engineers, and network administrators who want to extend their knowledge beyond the surface to understand the science behind network protocols, the critical indicators in an incident, and how to conduct a forensic search over the wire.
Hands-On Network Forensics
Investigate network attacks and find evidence using common network forensic tools
Nipun Jaswal
BIRMINGHAM - MUMBAI
Hands-On Network Forensics
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Content Development Editor: Abhishek Jadhav
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Tom Scaria
Production Coordinator: Shraddha Falebhai
First published: February 2019
Production reference: 1300319
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78934-452-3
www.packtpub.com
In the memory of our CRPF fallen heroes in Pulwama attack
– Nipun Jaswal
mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Packt.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub.com for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Contributors
About the author
Nipun Jaswal is an International Cyber Security Author and an award-winning IT security researcher with a decade of experience in penetration testing, vulnerability research, surveillance and monitoring solutions, and RF and wireless hacking. He is currently working as an Associate Partner in Lucideus where he is leading services such as red teaming and vulnerability research along with other enterprise customer services. He has authored Metasploit Bootcamp and Mastering Metasploit, and co-authored the Metasploit Revealed set of books. In addition to this, he has authored numerous articles and exploits that can be found on popular security databases, such as Packet Storm and Exploit-DB. Please feel free to contact him at @nipunjaswal.
About the reviewer
Charlie Brooks fell in love with the internet in 1978, and hasn't strayed far from it since. He has worked as a developer, technical lead, and software architect, developing network management, network performance analysis, and managed VPN services. Since 2005, he has worked as a course developer and instructor in data storage, network security analysis, and forensics.
Charlie has served as a technical reviewer for several books, including Network Forensics and the Network Analysis Using Wireshark Cookbook, and is also the author of the All-In-One CHFI Computer Hacking Forensic Investigator Certification Exam Guide. He holds an MS in Computer Information Systems from Boston University and holds the CISSP, CHFI, and CTT+ certifications.
Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents
Title Page
Copyright and Credits
Hands-On Network Forensics
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Section 1: Obtaining the Evidence
Introducing Network Forensics
Technical requirements
Network forensics investigation methodology
Source of network evidence
Tapping the wire and the air
CAM table on a network switch
Routing tables on routers
Dynamic Host Configuration Protocol logs
DNS servers logs
Domain controller/authentication servers/system logs
IDS/IPS logs
Firewall logs
Proxy server logs
Wireshark essentials
Identifying conversations and endpoints
Identifying the IP endpoints
Basic filters
Exercise 1 – a noob's keylogger
Exercise 2 – two too many
Summary
Questions and exercises
Further reading
Technical Concepts and Acquiring Evidence
Technical requirements
The inter-networking refresher
Log-based evidence
Application server logs
Database logs
Firewall logs
Proxy logs
IDS logs
Case study – hack attempts
Summary
Questions and exercises
Further reading
Section 2: The Key Concepts
Deep Packet Inspection
Technical requirements
Protocol encapsulation
The Internet Protocol header
The Transmission Control Protocol header
The HTTP packet
Analyzing packets on TCP
Analyzing packets on UDP
Analyzing packets on ICMP
Case study – ICMP Flood or something else
Summary
Questions and exercises
Further reading
Statistical Flow Analysis
Technical requirements
The flow record and flow-record processing systems (FRPS)
Understanding flow-record processing systems
Exploring Netflow
Uniflow and bitflow
Sensor deployment types
Analyzing the flow
Converting PCAP to the IPFIX format
Viewing the IPFIX data
Flow analysis using SiLK
Viewing flow records as text
Summary
Questions
Further reading
Combatting Tunneling and Encryption
Technical requirements
Decrypting TLS using browsers
Decoding a malicious DNS tunnel
Using Scapy to extract packet data
Decrypting 802.11 packets
Decrypting using Aircrack-ng
Decoding keyboard captures
Summary
Questions and exercises
Further reading
Section 3: Conducting Network Forensics
Investigating Good, Known, and Ugly Malware
Technical requirements
Dissecting malware on the network
Finding network patterns
Intercepting malware for fun and profit
PyLocky ransomware decryption using PCAP data
Decrypting hidden tear ransomware
Behavior patterns and analysis
A real-world case study – investigating a banking Trojan on the network
Summary
Questions and exercises
Further reading
Investigating C2 Servers
Technical requirements
Decoding the Metasploit shell
Working with PowerShell obfuscation
Decoding and decompressing with Python
Case study – decrypting the Metasploit Reverse HTTPS Shellcode
Analyzing Empire C2
Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16
Summary
Questions and exercises
Further reading
Investigating and Analyzing Logs
Technical requirements
Network intrusions and footprints
Investigating SSH logs
Investigating web proxy logs
Investigating firewall logs
A case study – defaced servers
Summary
Questions and exercises
Further reading
WLAN Forensics
Technical requirements
The 802.11 standard
Wireless evidence types
Using airodump-ng to tap the air
Packet types and subtypes
Locating wireless devices
Identifying rogue access points
Obvious changes in the MAC address
The tagged perimeters
The time delta analysis
Identifying attacks
Rogue AP attacks
Peer-to-peer attacks
Eavesdropping
Cracking encryption
Authentication attacks
Denial of service
Investigating deauthentication packets
Case study – identifying the attacker
Summary
Questions
Further reading
Automated Evidence Aggregation and Analysis
Technical requirements
Automation using Python and Scapy
Automation through pyshark – Python's tshark
Merging and splitting PCAP data
Splitting PCAP data on parameters
Splitting PCAP data in streams
Large-scale data capturing, collection, and indexing
Summary
Questions and exercises
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think
Assessments
Chapter 1: Introducing Network Forensics
Chapter 6: Investigating Good, Known, and Ugly Malware
Chapter 7: Investigating C2 Servers
Chapter 9: WLAN Forensics
Preface
Network forensics is a subset of digital forensics that deals with network attacks and their investigation. In the era of network attacks and malware threats, it's now more important than ever to have the skills required to investigate network attacks and vulnerabilities.
Hands-On Network Forensics starts with the core concepts within network forensics, including coding, networking, forensics tools, and methodologies for forensic investigations. You'll then explore the tools used for network forensics, followed by understanding how to apply those tools to a PCAP file and write the accompanying report. In addition to this, you will understand how statistical flow analysis, network enumeration, tunneling and encryption, and malware detection can be used to investigate your network. Toward the end of this book, you will discover how network correlation works and how to bring all the information from different types of network devices together.
By the end of this book, you will have gained hands-on experience of performing forensic analysis tasks.
Who this book is for
This book is aimed at incident responders, network engineers, analysts, forensic engineers, and network administrators who want to extend their knowledge beyond that of a beginner to a level where they understand the science behind network protocols and the critical indicators in an incident, and are able to conduct a forensic search over the wire.
What this book covers
Chapter 1, Introducing Network Forensics, lays the network forensics base for you and will focus on the key concepts that will aid in understanding network anomalies and behavior.
Chapter 2, Technical Concepts and Acquiring Evidence, focuses on developing some fundamental knowledge and insights into network forensics. This chapter will discuss the IP suite, the collection of evidence, and internetworking through hands-on practical exercises.
Chapter 3, Deep Packet Inspection, focuses on key concepts related to widely used protocols, such as Dynamic Host Configuration Protocol (DHCP), Simple Mail Transfer Protocol (SMTP), and Hyper Text Transfer Protocol (HTTP).
Chapter 4, Statistical Flow Analysis, demonstrates statistical flow analysis, flow collection and aggregation, and flow-record export protocols.
Chapter 5, Combatting Tunneling and Encryption, focuses on network tunneling, its concepts, and an analysis from the perspective of network forensics.
Chapter 6, Investigating Good, Known, and Ugly Malware, focuses on malware forensics over an infected network by making use of various tools and techniques. It discusses many modern malware examples, their modus operandi, and focuses on developing skills in investigating network behavior and patterns in relation to malware.
Chapter 7, Investigating C2 Servers, focuses on Command and Control (C2) servers, their execution over the network, widely used C2 ecosystems, and the most critical identifiers to look for while working with C2-based malware.
Chapter 8, Investigating and Analyzing Logs, primarily focuses on working with a variety of log types and gathering inputs to ultimately aid your network forensics exercises.
Chapter 9, WLAN Forensics, highlights critical concepts in relation to Wi-Fi forensics, and discusses various packet structures and sources of evidence while familiarizing you with finding rogue access points and identifying attack patterns.
Chapter 10, Automated Evidence Aggregation and Analysis, focuses on developing scripts, tools, segregation techniques, and methodologies for automation while processing a large evidence set. This chapter also shows how to read network packets and PCAP files programmatically while automating manual techniques.
To get the most out of this book
The book details practical forensic approaches and explains techniques in a simple manner. The content is organized in a way that allows a user who only has basic computer skills to examine a device and extract the required data. A Windows computer would be helpful to successfully repeat the methods defined in this book. Where possible, methods for all computer platforms are provided.
Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789344523_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "We can see that the MDNS protocol communicates over port 5353."
A block of code is set as follows:
#!/usr/bin/env python
# Author: Nipun Jaswal
from prettytable import PrettyTable
import operator
import subprocess
Any command-line input or output is written as follows:
SET global general_log = 1;
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Similarly, if you need to open a packet-capture file, you can press the Open button, browse to the capture file, and load it in the Wireshark tool."
Warnings or important notes appear like this.
Tips and tricks appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at