When I was visiting TROOPERS17 in Heidelberg, Germany, I had the chance to follow a 2-day training in Network Forensics by Erik Hjelmvik. I’m glad I did! In this post I want to describe a technique I learned there. This technique is a nice way to investigate captured network traffic to find suspicious or malicious traffic. Although I dislike the term ‘threat hunting’, this is actually a neat and fast way to hunt for the weird and interesting stuff in a large PCAP-file!
The workflow I want to describe could be called “Rinse and repeat”. I like it because it is elegant: simple and flexible, but powerful if used right.
The idea is as follows:
Repeat step 2 and 3 and you’ll end up with a PCAP-file that only contains unusual (ie. unexpected, unwanted, suspicious or malicious) traffic.
Of course, the way you go about your actual indepth analysis and what you do with the results of that analysis afterwards is entirely up to you.
What you define as normal is completely dependent on the scenario you’re investigating. Are you analyzing network traffic from a web server? Then, the traffic on port 80 will probably be normal, since this is where most web server applications run. Are you looking at a desktop computer that’s not supposed to run a web server? Then, host traffic on port 80 might be suspect. For example, an attacker could be using a pop-up on-the-fly webserver to exfiltrate data.
Need to brush up on your basic knowledge of networking, protocols, etc? Don’t worry, no one knows everything. Be sure to check out Julia Evans great comics, zines and blog articles. She’s written a zine about basic networking concepts in a very accessible, fun and clear way.
When you capture traffic for later analysis, I recommend you do full network packet sniffing. Flow data contains only parts of network traffic, such as it does not save the whole contents of a network packet, but only the interface, source, destination, protocol, ports, timestamps, etc. When we have the full network packet, including contents, we can use tools like Wireshark or NetworkMiner to extract all kinds of useful information for our analysis.
Caploader has a few advantages over Wireshark, which make it very suitable for this workflow.
If you have defined an aspect of normal behaviour, you can use CapLoader to hide all flows that show that behavior. This leaves us with a subset of network traffic that is not normal according to our definition. The cool thing is that CapLoader can automatically generate a new PCAP-file from this subset. By clicking the purple PCAP-icon in the top right of the screen, we can open this generated PCAP in Wireshark (or another program of our choosing for further investigation.
What I also like about this technique is that we don’t have to use the Wireshark syntax for filtering. Both the Wireshark syntax and the Wireshark UI are not optimized for long queries, and editing Wireshark queries by hand can be a real pain. CapLoader allows us to hide entire groups of flows with one click of a button and generates a new PCAP for us to boot! YAY!
During the Network Forensics course, all participants received a 6-month license for CapLoader so we could play around with it some more. When I returned home after the training, I tried out this technique on my own web server. I definitely found some interesting stuff: stuff that I wouldn’t have found going through my log files by hand.
So far, I found two drawbacks to CapLoader. Firstly, it is a Windows program, so I ended up transferring PCAP files between a Windows host and a Linux guest computer when I was doing my analysis. Secondly, a CapLoader license is a bit too expensive to buy for personal use, and I will be sad when my license has expired – I really like this workflow and I still have to find an free and/or open source project that has the same functionality. However, if you just want to try out CapLoader, you can download a trial version with a 30-day license on the website, which has all the functionality you need for the workflow I describe in this article.