How to Perform CLI-Based Packet Analysis

Linux commands used in this demo.

    •  tshark
    •  file
    •  xxd
    •  less

Lab Requirements

    •  

Employees are often the most vulnerable targets in an organization, because attackers can compromise them by preying on human weaknesses such as emotion. For this reason, adversaries plan their assaults around phishing attacks.

In this demo, we will look at how to analyze a packet capture sample using tshark.

Scenario: You are tasked with examining the network log of an endpoint that may have fallen victim to a phishing attack.

To do this, start by filtering for HTTP GET requests whose User-Agent contains "curl": run the tshark command below.

tshark -t ad -r 2021-08-19-traffic-analysis-exercise.pcap -Y 'http.user_agent contains "curl" and http.request.method == "GET"'

In this case, the filter returns every GET request in the .pcap file, and among the output is an interesting communication: 10.8.19.101 -> 185.244.41.29 HTTP 140 GET /ooiwy.pdf HTTP/1.1

#tip: filtering “curl” is good for identifying XSS

See Image #1 below for reference.

Next, to review every HTTP conversation in the capture, run the tshark command below and page through the output.

tshark -t ad -r 2021-08-19-traffic-analysis-exercise.pcap -Y "http" | less

#tip: To get more details from this command, add -x -V (hex dump and full packet detail) and pipe to "less" to browse the output.

In this case, we can see that there is insecure (cleartext HTTP) network communication.

See Image #2 for reference.

To do this, export the objects transferred over HTTP by running the tshark command below (-Q keeps tshark quiet so that only the export runs).
tshark -Q -r 2021-08-19-traffic-analysis-exercise.pcap --export-objects http,<target_directory>
 
After successful execution, the exported HTTP objects can be found in your target directory, and there we can run commands such as "file" and "xxd" to extract additional details.
 
Additional details:

    •  run "file <http_object>" to view its file type
    •  run "xxd <http_object>" to view its hex dump
    •  exporting HTTP objects also produces some .txt files that contain details about the host

See Image #4 for reference.
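The whole workflow above, scripted end to end, as an added example that is not part of the original post: the Python below parses the one-line summaries tshark prints with -t ad into fields, groups the requested URIs by server, and then triages a directory of exported HTTP objects the way "file" and "xxd" would (type from magic bytes, SHA-256, xxd-style hex dump). The summary lines and the exported files are constructed samples built inside the script; the pcap itself is never read, since that part stays with tshark.

```python
"""Post-process the tshark workflow: parse tshark summary lines, then triage
the files written by --export-objects. Added example, not the post's own code.
All sample input below is constructed so the script runs offline."""
import hashlib
import os
import re
import tempfile

# Summary format tshark prints with "-t ad": frame, date, time, src -> dst
# (ASCII "->" or the "→" tshark uses in UTF-8 locales), proto, length, request.
SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\S+)\s+(?:->|→)\s+(?P<dst>\S+)\s+HTTP\s+(?P<len>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d"
)

# Constructed sample output shaped like the line quoted in the post.
SAMPLE_SUMMARY = """\
  12 2021-08-19 14:48:28.103411 10.8.19.101 -> 185.244.41.29 HTTP 140 GET /ooiwy.pdf HTTP/1.1
  57 2021-08-19 14:49:02.551209 10.8.19.101 -> 185.244.41.29 HTTP 152 GET /update.exe HTTP/1.1
 101 2021-08-19 14:49:30.000000 10.8.19.101 -> 93.184.216.34 HTTP 131 GET /index.html HTTP/1.1
"""


def parse_tshark_summary(text):
    """Turn tshark summary lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def downloads_by_server(rows):
    """Group requested URIs by destination, showing which hosts served content."""
    out = {}
    for r in rows:
        out.setdefault(r["dst"], []).append(r["uri"])
    return out


# Small magic-byte table standing in for file(1); extend as needed.
MAGIC = [
    (b"%PDF-", "PDF document"),
    (b"MZ", "PE executable (MZ header)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x7fELF", "ELF executable"),
]


def identify(data):
    """Return a file-type label from the leading bytes, like `file <object>`."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown binary"


def hexdump(data, width=16):
    """Render bytes in xxd style: offset, hex pairs, printable ASCII column."""
    pad = width * 2 + (width + 1) // 2 - 1  # hex column width for a full row
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        pairs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {pairs:<{pad}}  {text}")
    return "\n".join(lines)


def triage_exported_objects(directory):
    """Summarize every exported object: type, size, SHA-256 and first hex row."""
    report = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        report.append({
            "name": name,
            "type": identify(data),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "head": hexdump(data[:16]),
        })
    return report


def make_sample_export_dir():
    """Create a temp directory of constructed objects shaped like an export.
    "download.pdf" deliberately carries a PE header: the extension in the URI
    says nothing about what was actually served, which is why file(1) matters."""
    d = tempfile.mkdtemp(prefix="http-objects-")
    samples = {
        "download.pdf": b"MZ\x90\x00" + b"\x00" * 60,
        "index.html": b"<html><body>hello</body></html>",
        "notes.txt": b"host: 185.244.41.29\n",  # constructed host-detail file
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d


if __name__ == "__main__":
    for dst, uris in downloads_by_server(parse_tshark_summary(SAMPLE_SUMMARY)).items():
        print(dst, uris)
    for item in triage_exported_objects(make_sample_export_dir()):
        print(f"{item['name']}: {item['type']}, {item['size']} bytes, sha256 {item['sha256']}")
        print(item["head"])
```

On a real case, feed `tshark -t ad -r <capture> -Y 'http.request' | python3 script.py` style output into parse_tshark_summary and point triage_exported_objects at the <target_directory> from the --export-objects step; the SHA-256 values it prints are what you would hand to a sandbox or threat-intel lookup, and a type label that disagrees with the URI's extension is the first thing worth a closer look.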
 
 
 

Why this approach?

An NSM solution (e.g. Security Onion) saves every log file to disk, and it is convenient to be able to inspect these logs remotely without opening GUI-based tools such as Wireshark. By using the --export-objects option of tshark, we can export the dropped file and copy it to our analysis machine.