Saturday, April 5, 2014

Network Forensics - PCAP analysis


How did it start?

It all started in December 2013 when I received an email via a mailing list that there was a Holiday challenge which they had created.  This is the link to the challenge.  This is the link to the solutions.

Reason
The reason for putting together a bash script was to make our lives as network analysts a bit easier when an unknown PCAP is handed to us for analysis.  The script I have created gives a quick overview of what to expect in the pcap.

Running the script
There are some prerequisites for running the script.
  1. Tcpdump must be installed and on the PATH.
  2. Tshark must be installed and on the PATH.
  3. Snort must be installed and on the PATH.
Running the script is as simple as[1] invoking the shell script and passing the pcap file as the argument.  You can get the script by clicking here.

[1]
# ./pcap2csv.sh sansholidayhack2013.pcap

Output file
Two output files are created, namely ip.csv and idsalert.txt.

ip.csv - You can get the output file by clicking here.
1st column - All IP addresses seen in the PCAP.
2nd - MAC addresses gathered for the IPs in the 1st column from ARP replies.
3rd - Ports to which the IP in the 1st column attempted SYN connections.
4th - Listening TCP services of the IP in the 1st column.
5th - Non-listening TCP services of the IP in the 1st column.
6th - Open UDP ports (may give erroneous values).
7th - Domains resolved.
8th - HTTP User-Agent strings used by the IP in the 1st column.

When opening ip.csv, if you see that the rows are misaligned, try the settings shown in the screenshot. Remember to select Unicode (UTF-8), Comma as the separator and double quotes as the text delimiter.


idsalert.txt - You can get the output file by clicking here.
This text file shows the Snort alerts generated when each IP in turn is treated as the only HOME_NET. This is done because we do not know in advance which network is our HOME_NET when configuring Snort.


Sunday, August 11, 2013

IDS alert analysis

Today I was going through my IDS logs and found something suspicious.

The following are the steps I took to know that the alerts were benign.


I went inside the payload; nothing was evident.  So I wanted to know how I ended up on the IP 130.239.18.142, so I went to my proxy logs and grep'ed for the IP.  In an instant I came to realize that I was downloading some ISO files.


Now, to prove that the timings match:

The first field in the proxy logs is unix epoch time. I converted that (1374814496.635) using [date -d @1374814496.635 +"%d-%m-%Y %T %z"] to verify the same: "26-07-2013 10:24:56 +0530".
The second field is the milliseconds it took to download the file, "1330675". Since unix epoch time increments by one per second, I had to get the seconds component by dividing the number by 1000, which gives approx 1330, and add this to the previous epoch time to get the TotalTime of 1374815826, which happens to translate to "26-07-2013 10:47:06 +0530".

This shows that the alerts were well within the time of the download, and the IDS was sure to trip off on any data contained within the ISO file, which is obviously a false positive.  Case closed.
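The timing check above as an added example (not part of the original post): it parses a proxy log line whose first field is the epoch start time and second field the elapsed milliseconds (the Squid access.log layout, an assumption since the post does not name the proxy), computes the download window in whole seconds as the post does, and tests which IDS alert timestamps fall inside it. The log line and alert times are constructed using the post's values.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # the +0530 offset shown in the post

# Constructed sample line; Squid-native access.log field order is assumed:
# epoch.ms  elapsed_ms  client  result/status  bytes  method  url  ident  hier  type
PROXY_LOG_LINE = (
    "1374814496.635 1330675 10.0.0.5 TCP_MISS/200 734003200 GET "
    "http://130.239.18.142/ubuntu.iso - DIRECT/130.239.18.142 application/octet-stream"
)


def download_window(log_line):
    """Return (start, end) datetimes for one proxy log entry.

    start = first field (unix epoch seconds); end = start + elapsed_ms // 1000,
    i.e. the elapsed time truncated to whole seconds, as in the post.
    """
    fields = log_line.split()
    start = datetime.fromtimestamp(float(fields[0]), tz=IST)
    elapsed = timedelta(seconds=int(fields[1]) // 1000)
    return start, start + elapsed


def fmt(dt):
    """Format like the post's date -d output, e.g. 26-07-2013 10:24:56 +0530."""
    return dt.strftime("%d-%m-%Y %H:%M:%S %z")


def alerts_in_window(log_line, alert_epochs):
    """Split IDS alert epoch times into those inside / outside the download window."""
    start, end = download_window(log_line)
    lo, hi = start.timestamp(), end.timestamp()
    inside = [t for t in alert_epochs if lo <= t <= hi]
    outside = [t for t in alert_epochs if not lo <= t <= hi]
    return inside, outside


if __name__ == "__main__":
    s, e = download_window(PROXY_LOG_LINE)
    print("download window:", fmt(s), "->", fmt(e))
    # Constructed alert times: two during the download, one about an hour later.
    print(alerts_in_window(PROXY_LOG_LINE, [1374814600, 1374815000, 1374819000]))
```

Alerts that fall outside the window are the ones still worth investigating; those inside are explained by the ISO download.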

Monday, July 29, 2013

Error while loading shared libraries

Hi

In Ubuntu, when you get the error "Error while loading shared libraries", first check whether the shared library it complains about is actually present on your system.


Run the following command, as shown in the image, and the error disappears. Note that an exported variable only applies to the current shell session.

export LD_LIBRARY_PATH=/usr/local/lib

Sunday, June 23, 2013

Synergy setup for my friend

This is the synergy client script which runs at the client end.




On the synergys (server) side, run the following:

synergys -a 127.0.0.1 --config /etc/synergy.conf &

cat /etc/synergy.conf
section: screens
synergys:
synergyc:
end

section: aliases
synergyc:
127.0.0.1
end

section: links
synergys:
left = synergyc
synergyc:
right = synergys
end

section: options
screenSaverSync = false
keystroke(f12) = lockCursorToScreen(toggle)
end

Sunday, May 12, 2013

Edit a binary file in VI


Let us edit a file in binary mode with the -b switch:

$ vi -b somefile.bin

Once inside the file, go to command mode and type the following. I am not sure what the % is for; however, !xxd runs the xxd command.

:%!xxd

Now navigate around and begin editing the hex characters. Ahhhh, one picture is definitely worth a thousand words.


Sunday, April 21, 2013

View Unbilled usage in Airtel Internet


Log on to this website https://ebpp.airtelworld.com/myaccount/

After logging in, you need to select your internet account: first click on "My account", then on the drop-down, then select your DSL connection.



Now click on "My account".


On scrolling down, we can see the unbilled usage.  If we need detailed usage, we can click on "Click here".