Wednesday, 2 October 2013

Wireshark (what's on your network) and how to analyse packets in it

 Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level, and it is used across many industries and educational institutions. Wireshark is a network packet analyzer: a tool that captures network packets and displays the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device for examining what's going on inside a network cable, just as an electrician uses a voltmeter to examine what's going on inside an electric cable.
Such tools were once expensive or proprietary; with the advent of Wireshark, that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.


 Features of Wireshark:

  • Available for UNIX and Windows.
  • Capture live packet data from a network interface.
  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save packet data captured.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Colorize packet display based on filters.
  • ... and a lot more!

    For more information visit http://www.wireshark.org/


    How to Analyse a Packet in Wireshark:

    First of all, download the .pcap file here; it has to be opened in Wireshark.

    Now open the downloaded file analyst.pcap in Wireshark, as shown in the image below:


    So let's analyse the capture shown in the diagram above, line by line:
    Line 1 - the internal host at 192.168.1.100 has successfully connected to an outside server at 5.4.3.2 listed as microsoft-ds (file sharing). Analysis - looks suspicious, as internal hosts should not be sharing files outside the network.
    Line 2 - the internal host at 192.168.1.100 has successfully connected to an outside server at 5.192.78.3 on TCP port 31337.
    Analysis - looks suspicious, as this port is known to be used by multiple Trojans, namely Back Orifice.

    Line 3 - the internal host at 192.168.2.142 has sent an ICMP echo (ping) request to an outside address at 5.255.255.255 (broadcast).
    Analysis - this looks suspicious: after infecting an internal system, malware performs certain basic functions, one of which is to phone home and let its owner know that he/she has another satisfied customer.


    Line 4 - the internal host at 192.168.2.142 has connected to an outside server at 64.157.165.182 and looks to be infected with spyware.
    Analysis - "Gator.exe" belongs to the Claria advertising program; the process running on your system may show as "Adware.W32.Claria". This process monitors your browsing habits and sends the data back to the author's servers for analysis. It also prompts advertising popups. This process is a security risk and should be removed from your system.


    Line 5 - the internal host at 192.168.2.142 has connected to an outside server at 5.192.33.34 listed as "sunrpc".
    Analysis - Sun's Remote Procedure Call forms the basis of many UNIX services, especially NFS (Network File System). However, RPC is extremely dangerous when left exposed to the Internet, which leads to frequent compromise of servers based on Sun Solaris and Linux. RPC should never be exposed to the Internet.


    Line 6 - the internal host at 192.168.1.100 has attempted to connect to an outside server at 66.75.160.13 using SMTP.
    Analysis - this looks suspicious, as this host appears to be infected, though secureinfo.com is a company that performs vulnerability assessments, penetration testing and security auditing services. If I were not informed of this in advance, I would still treat this as suspicious until confirmed otherwise. It could also represent an infected host sending an email worm.
    The next step is to remove this host from the network, review any compliance regulations that apply (e.g. PCI, SOX, HIPAA, GLBA), perform a complete virus scan to remove all malware, and update and apply all patches. Next, I would recommend reviewing all log files to determine the origin of the infection, to prevent further problems.


    Line 7 - the internal host at 192.168.2.142 has connected to an outside server at 66.136.57.21 with a request containing "winnt/system32/cmd.exe".
    Analysis - This tells me that this internal host may be infected with the Nimda worm, which, unlike the Code Red worm, spreads as an email attachment and can infect everyone in your email client's contact list by sending a malicious attachment, sometimes named "readme.exe".


    Line 8 - the internal host at 192.168.0.68 has sent a SYN packet to an internal host with the same IP address, 192.168.0.68, listed as microsoft-ds (file sharing).
    Analysis - This is suspicious, as it could represent an IP spoofing attempt to gain access to internal file shares.


    Line 9 - the internal host at 192.168.0.68 has sent a request to an outside server at 5.222.3.1 using the IRC protocol.
    Analysis - This is suspicious, as it may be an infected internal host phoning home to tell its master that it is infected.


    Line 10 - the internal host at 192.168.0.68 has requested a file transfer (test.exe) from an outside server at 5.234.7.2 using the TFTP protocol.
    Analysis - This is suspicious. TFTP uses UDP port 69, rather than TCP port 21 like FTP, and can be used to cause a DoS. It has no authentication or encryption mechanisms, and is used to read files from, or write files to, a remote server. "Due to the lack of security, it is dangerous over the open Internet. Thus, TFTP is generally only used on private, local networks."
    Also, based on the previous events involving this internal host, this appears to be malicious activity.


    Overall, the recommended action is to perform complete anti-virus scans of hosts 192.168.1.100, 192.168.2.142 and 192.168.0.68, and to carefully check the running processes and services for anything not listed as a Microsoft service or an authorized application (located in the c:/Windows or c:/Windows/System32 folders). Also, check for unauthorized services and startup programs.
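    As an added example (not part of the original post), here are the same line-by-line heuristics written as triage code: constructed flow records in the shape src,dst,proto,dstport are checked against one rule per line of the walkthrough, each paired with the Wireshark display filter that would isolate that traffic. The port numbers for microsoft-ds, sunrpc and IRC are the standard ones and are assumed, as is treating RFC 1918 space as "internal".

```python
import csv, io, ipaddress
# Constructed flows, one per line as "src,dst,proto,dstport" (not the post's pcap)
SAMPLE = """\
192.168.1.100,5.4.3.2,TCP,445
192.168.1.100,5.192.78.3,TCP,31337
192.168.2.142,5.255.255.255,ICMP,
192.168.2.142,5.192.33.34,TCP,111
192.168.0.68,192.168.0.68,TCP,445
192.168.0.68,5.222.3.1,TCP,6667
192.168.0.68,5.234.7.2,UDP,69
192.168.1.50,93.184.216.34,TCP,443
"""
def internal(addr):
    return ipaddress.ip_address(addr).is_private  # RFC 1918 = "inside" (assumed)

def outbound(f):
    return internal(f["src"]) and not internal(f["dst"])

# (reason, equivalent Wireshark display filter, predicate). Port numbers are the
# standard ones for the services the post names (an assumption of this example).
RULES = [
    ("microsoft-ds file sharing to outside", "tcp.dstport == 445",
     lambda f: outbound(f) and f["dport"] == 445),
    ("Back Orifice port", "tcp.dstport == 31337",
     lambda f: f["proto"] == "TCP" and f["dport"] == 31337),
    ("ICMP to a broadcast address", "icmp && ip.dst == 5.255.255.255",
     lambda f: f["proto"] == "ICMP" and f["dst"].endswith(".255")),
    ("sunrpc to outside", "tcp.dstport == 111",
     lambda f: outbound(f) and f["dport"] == 111),
    ("src == dst (possible spoofing)", "ip.src == 192.168.0.68 && ip.dst == 192.168.0.68",
     lambda f: f["src"] == f["dst"]),
    ("IRC to outside (possible phone-home)", "tcp.dstport == 6667",
     lambda f: outbound(f) and f["dport"] == 6667),
    ("TFTP transfer (unauthenticated, UDP/69)", "udp.dstport == 69",
     lambda f: f["proto"] == "UDP" and f["dport"] == 69),
]

def triage(text):
    """Return (src, dst, reason) for every flow that matches a rule."""
    hits = []
    for src, dst, proto, dport in csv.reader(io.StringIO(text)):
        f = {"src": src, "dst": dst, "proto": proto,
             "dport": int(dport) if dport else None}
        hits += [(src, dst, r) for r, _flt, pred in RULES if pred(f)]
    return hits

def hosts_to_scan(text):
    """Internal hosts needing the post's follow-up: AV scan and process review."""
    return sorted({src for src, _, _ in triage(text) if internal(src)})
```

    Running hosts_to_scan(SAMPLE) on the constructed flows yields the same three internal hosts the walkthrough singles out; the benign HTTPS flow from 192.168.1.50 matches no rule.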

    Enjoy!