How to Perform CLI-Based Packet Analysis
Requirements for this demo:
- Linux system (the commands below are run from a shell)
Employees are among the most vulnerable targets in an organization, because attackers can compromise them by preying on human weaknesses such as emotions. For this reason, adversaries plan their assaults around phishing attacks.
In this demo, we will cover how to analyze a packet capture sample using tshark.
Scenario: You are tasked with examining the network log of an endpoint that may have fallen victim to a phishing attack.
To do this, run the tshark command below.
tshark -t ad -r 2021-08-19-traffic-analysis-exercise.pcap -Y 'http.user_agent contains "curl" and http.request.method == GET'
In this case, the filter returns every GET request made with a curl user agent from the .pcap file, and the output includes an interesting conversation: 10.8.19.101 -> 126.96.36.199 HTTP 140 GET /ooiwy.pdf HTTP/1.1
#tip: filtering on "curl" is good for identifying XSS
See Image #1 below for reference.
Next, to list all HTTP traffic in the capture, run the tshark command below.
tshark -t ad -r 2021-08-19-traffic-analysis-exercise.pcap -Y "http" | less
#tip: To get more detail from this command, add -x -V and pipe to "less" to browse the output.
In this case, we can see that there is insecure network communication.
See Image #2 for reference.
Additional details: run "xxd <http_object>" to view an exported HTTP object as hex.
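Both tshark steps above (the display filter for curl GET requests, and the -x / xxd hex view) operate on the HTTP layer inside each packet. The script below is an added example, not code from the original post: it builds a small constructed pcap inline (made-up IPs, URIs and user agents; the 10.8.19.101 -> 126.96.36.199 request mirrors the one shown above), parses Ethernet/IPv4/TCP/HTTP by hand, applies the same logic as the display filter, and prints an xxd-style hex dump of the matching request. It handles Ethernet link-type captures only and does no TCP reassembly, so it is a teaching aid for what the filter matches, not a replacement for tshark.

```python
"""Added example (not from the original post): a dependency-free pcap reader that
applies the same logic as the tshark display filter
  http.user_agent contains "curl" and http.request.method == GET
and produces an xxd-style hex dump. All packets are constructed sample data."""
import struct
import ipaddress

METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame around payload (checksums left at zero;
    this is constructed sample traffic, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Return a little-endian pcap (link type 1 = Ethernet) holding three
    constructed HTTP requests: a curl GET, a curl POST and a browser GET."""
    reqs = [
        ("10.8.19.101", "126.96.36.199", 49152, 80,
         b"GET /ooiwy.pdf HTTP/1.1\r\nHost: 126.96.36.199\r\nUser-Agent: curl/7.68.0\r\n\r\n"),
        ("10.8.19.101", "126.96.36.199", 49153, 80,
         b"POST /upload HTTP/1.1\r\nHost: 126.96.36.199\r\nUser-Agent: curl/7.68.0\r\n"
         b"Content-Length: 0\r\n\r\n"),
        ("10.8.19.101", "203.0.113.7", 49154, 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, (s, d, sp, dp, pl) in enumerate(reqs):
        frame = _ipv4_tcp_frame(s, d, sp, dp, pl)
        out += struct.pack("<IIII", 1629360000 + i, 0, len(frame), len(frame)) + frame
    return out


def _parse_request(payload):
    """Parse an HTTP request line and headers; None if payload is not a request."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "uri": parts[1], "user_agent": headers.get("user-agent", "")}


def parse_http_requests(pcap):
    """Yield one dict per TCP segment whose payload starts with an HTTP request."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example handles Ethernet (link type 1) captures only")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                     # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                      # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        payload = tcp[(tcp[12] >> 4) * 4:]
        req = _parse_request(payload)
        if req:
            req.update(src=str(ipaddress.IPv4Address(ip[12:16])),
                       dst=str(ipaddress.IPv4Address(ip[16:20])))
            yield req


def filter_curl_gets(pcap):
    """Same selection as: http.user_agent contains "curl" and http.request.method == GET"""
    return [r for r in parse_http_requests(pcap)
            if r["method"] == "GET" and "curl" in r["user_agent"]]


def hexdump(data, width=16):
    """xxd-style dump: offset, hex in 2-byte groups, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:08x}: {hexpart:<{width * 5 // 2}} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_pcap()
    for r in filter_curl_gets(sample):
        print(f"{r['src']} -> {r['dst']} {r['method']} {r['uri']} UA={r['user_agent']}")
    print(hexdump(b"GET /ooiwy.pdf HTTP/1.1\r\n"))
```

Running it prints only the curl GET for /ooiwy.pdf; the curl POST and the browser GET are excluded, which is exactly the distinction the display filter above makes. Swapping `build_sample_pcap()` for `open("capture.pcap", "rb").read()` lets you compare the result against tshark on a real Ethernet capture.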