Saturday, April 5, 2014

Network Forensics - PCAP analysis

How did it start?

It all started in December of 2013 when I received an email via a mailing list about a Holiday challenge which they had created. This is the link to the challenge. This is the link to the solutions.

The reason for putting together a bash script was to make our lives as network analysts a bit easier when an unknown PCAP is handed over for analysis. The script I created gives a quick overview of what to expect in the PCAP.

Running the script
There are some prerequisites for running the script.
  1. Tcpdump should be installed and in the path.
  2. Tshark should be installed and in the path.
  3. Snort should be installed and in the path.
Running the script is as simple as invoking the shell script and passing the PCAP file as the argument. You can get the script by clicking here.

#./ sansholidayhack2013.pcap

Output files
Two output files are created: ip.csv and idsalert.txt.

ip.csv - You can get the output file by clicking here.
1st column - List of all IP addresses in the PCAP.
2nd - List of all MAC addresses gathered via ARP replies for the IP addresses in the 1st column.
3rd - SYN connections attempted to various ports by the 1st column.
4th - All listening TCP services of 1st column.
5th - All non-listening TCP services of 1st column.
6th - Open UDP ports (may give erroneous value).
7th - Domains resolved.
8th - HTTP useragent used by 1st column.

When opening ip.csv, if the rows appear misaligned, try the settings shown in the screenshot. Remember to select Unicode (UTF-8), Comma as the separator, and double quotes as the text delimiter.

idsalert.txt - You can get the output file by clicking here.
This text file shows all the Snort alerts generated for each IP when that IP is treated as the only HOME_NET. This is done because we don't know which network is our HOME_NET when configuring Snort.