Network Forensics Tutorial
Hello World! Every cybersecurity incident starts with a motivated attacker trying to achieve his goals by attacking a target. The motive can be money, power, fame, or even a desire for revenge. The target can be a person, a company, an organization, or even a country.

In today’s world, where almost every electronic device is connected to the Internet, the network has become one of the most common ways of performing an attack. Infecting a computer with malware, which usually happens over the network, and controlling that computer is not the goal of the attack but a phase towards the final goal. Moreover, the attacker will usually want to extract information from the infected computer. How can he extract this information? Through the same network he used to attack the computer. Therefore, the network plays a significant role in cyber-attacks, and with Network Forensics one can learn how the attack started, what kind of information was leaked out, and what the attacker’s motive was.

In this lesson, we will meet some network concepts, protocols, and tools that will help us with our investigation. We will also look at a demonstration of a network attack and show how we can investigate it using some existing tools.

Things we will cover:
- Network packets and protocols
- Network analyzing
- Wireshark
- Common application protocols
  - HTTP
  - DNS
- Guided example
- Exercises

This document is protected by copyright laws and contains material proprietary to Red Alpha Cybersecurity Pre. Ltd. It or any components may not be reproduced, republished, distributed, transmitted, displayed, broadcast or otherwise exploited in any manner without the express prior written permission of Red Alpha Cybersecurity. The receipt or possession of this document does not convey any rights to reproduce, disclose, or distribute its contents, or to manufacture, use, or sell anything that it may describe, in whole or in part.
Network Packets and Protocols

The data that is sent over the network can convey different information but is sent in a similar way. This is similar to sending letters by mail. Getting a letter from the bank and getting a Happy Birthday greeting card convey different information, but both are sent the same way: as text inside envelopes. The envelopes in the network world are called network packets, and the type of information they convey is called the application protocol.

As every letter sent via the Post Office system needs a recipient’s name and address, every protocol sent over the computer network also needs some addressing in order to reach the correct recipient. These addresses in computer networks are called the IP address and the MAC address.

IP Address - an address in the format of 4 groups of numbers from 0 to 255. Examples: 192.168.1.0, 10.0.5.200, 70.80.1.1

The IP address of a device can be changed, depending on the network it is a member of. There are special IP addresses that signify that the message is intended for more than one recipient. For example:
- The broadcast IP address is an address that ends with 255, i.e. 10.0.0.255. This means that every device in a network with IP address 10.0.0.X (where X can be any number from 1 to 254) will treat this message as if it was sent to it and will not ignore it.
- The multicast IP address is any address in the range 224.0.0.0 to 224.0.0.255, i.e. 224.0.0.22. This means that a device with the IP 10.0.0.5 can still subscribe to multicast messages and accept any message that reaches it with a multicast IP.

Both broadcast and multicast addresses are considered logical addresses and do not represent real machines.

Lastly, as the number of available IP addresses is limited to about 4 billion, and today there are many more electronic devices connected to the Internet, we cannot assign a unique IP address to each device.
To solve this, there are special IP addresses that are considered private IPs. They are allowed not to be unique and may repeat between different networks. These groups are:
- 10.0.0.0 – 10.255.255.255
- 192.168.0.0 – 192.168.255.255
- 172.16.0.0 – 172.31.255.255

Every IP address which is not in these groups is a public IP address and must be uniquely assigned to a single device. Any device that wants to be accessible through the Internet must have a public IP address. If Google’s web server had a private IP address, it would not be accessible via the Internet.

MAC Address - the address of a network card, which cannot be changed as it is burnt into the network card hardware. These addresses are in the following format: XX-XX-XX-XX-XX-XX, where X can be a digit from 0 to 9 or a letter from A to F. 00-1A-A0-52-76-9F is an example of a valid MAC address.

The first 3 groups of the MAC address uniquely identify the manufacturer of the network device, and they are called the OUI (Organizationally Unique Identifier). All of the network cards manufactured by TP-LINK will start with D0-37-45. This information can be found online by looking for “TP-LINK MAC address OUI”.

Similar to IP, MAC addresses also have special addresses, Broadcast and Multicast:
- The Broadcast MAC address is always the address FF-FF-FF-FF-FF-FF.
This means that every device that gets a packet whose destination MAC is equal to FF-FF-FF-FF-FF-FF will not ignore the message.
- Multicast MAC addresses are addresses that start with a special prefix. Examples are: 01-80-C2-XX-XX-XX, 01-00-5E-XX-XX-XX, 33-33-XX-XX-XX-XX

With these two addresses, IP and MAC, a network packet might be able to reach my computer, but my computer won’t know which of all the running applications this packet is relevant to. To solve this, we need another kind of address, called a port number.

Port number - A number between 1 and 65,535 which identifies a specific running application that listens for incoming network packets.

All of the network packets that you capture, although they might convey different kinds of information and as such belong to different application protocols, will all contain source and destination IP addresses, MAC addresses, and port numbers, which tell us the addresses of the sender and the recipient respectively.

Examples of known and widely used application protocols are:
- HTTP (Hypertext Transfer Protocol)
  Generic and can be used for many purposes:
  - Get HTML web pages
  - Download / Upload files
  - Video streaming
  Client / Server based - one side is the client, which initiates the HTTP request, while the other side is the server, which can only respond to client requests.
  HTTP servers are addressable at port 80, or 443 for a secured version of HTTP called HTTPS, where the client request and server response are both encrypted and can be decrypted only by them.
- DNS (Domain Name System)
  As it is hard for humans to remember IP addresses, DNS is used to translate domain names to IP addresses, such as www.google.com → 72.17.11.228. DNS is always used behind the scenes when you browse the Internet or play online games, where your game client tries to access the game server.

We will dive more in-depth into these two protocols later on.

Network Analyzing

Here is an example of a capture of a network packet. It might be easy to look at the textual parts of the packet (the red square) and try to work out which protocol this packet encapsulates. In this example, we can see known HTTP headers like “Accept-Language” and “Accept-Encoding” and conclude that this is an HTTP packet. However, not all protocols are textual, and even in this example it might be cumbersome to identify the source/destination IP of this packet, or the source/destination port. For this, we have analysis tools that can help us dissect the protocols. We will cover one of the most common and easy-to-use ones, called Wireshark.

Wireshark

Wireshark is like the guard at the entrance of a condominium.
As the guard logs in a logbook every person who enters or leaves the condo, Wireshark logs all incoming data that reaches a computer’s network card and all outgoing data that leaves it. This includes any malicious network activity. It allows us not only to monitor network traffic but also to analyze it. The process of monitoring the network is called sniffing. Wireshark can be used to sniff the traffic and analyze it in real time, or to load an existing sniff file, called a Packet Capture (.PCAP) file, and analyze it offline.

This tool is extremely useful for learning hands-on networking and understanding how everything works. Want to know how your browser communicates with Google? Or how your torrent client downloads gigabytes of movies from thousands of peers? Open Wireshark and start analyzing!

Start by downloading Wireshark from the official Wireshark website. Once the download is finished, install it. Open up Wireshark. Go to Capture | Start or click the shark fin icon to start a new capture. Open up your browser and go to your favorite search engine, bing. You will notice Wireshark is recording a lot of traffic. Do not worry, by the end of this tutorial you will understand almost all of it.

Wireshark is smart and can give us hints about what kind of data we are dealing with. It does so by dissecting the frames and making an educated guess about the protocols they include. It does a great job, but remember that in the end everything is just raw data and it can mean different things according to the context.

Let’s take a closer look at the Wireshark interface:
There are 3 different panes open in Wireshark:
1. The first pane includes all the captured frames. By default, they are sorted by time, but we can sort them however we like. We can click on a packet and see more information in the other 2 panes.
2. The second pane shows a breakdown of the frame into protocols. We can see the frame consists of multiple protocols, each encapsulating the ones below it: Ethernet (Data Link), IPv4 (Network), TCP (Transport), and HTTP (Application).
3. The third pane is a binary dump of the data. On the right, we can see a textual representation of the data, and on the left, the hex view of the raw frame data. Hex is a shorter way to represent binary data, where every 4 bits are converted to a single character from 0 to F.

We can filter frames by using the display filter. Since Wireshark understands protocols and automatically figures them out, we can use this to our advantage. Let’s filter by destination IP address, using the destination IP from the above frame.

Using a filter like ip.dst == 192.168.1.3, Wireshark now only shows frames that have the required destination IP.
We can combine filters using the logical operators and/or. We can also filter frames that contain the IP protocol by providing the ip filter without any other information.

As an analysis tool, another thing we get from Wireshark is statistical data. Protocol Hierarchy is one example: we can see visually the amount of traffic being sent or received per protocol, and identify the most common protocols in our capture.

Usually, application data is sent in multiple TCP segments. What we are interested in is the application data itself, not the different TCP segments with their fields. “Follow TCP Stream” is a very useful feature in Wireshark which reassembles for us all of the TCP segments of a specific TCP connection that we choose, and shows us only the application data that was transmitted, as a single stream.

Conversations and Endpoints are two other types of statistical data. “Conversations” shows the packet exchange between two entities in the network, while “Endpoints” shows a summary of all communication sent to or from a specific entity.
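To make the three statistics features above concrete, here is an added example (not from the tutorial and not Wireshark's own code) that rebuilds Endpoints, Conversations and Follow TCP Stream from plain packet records. The packet list is constructed for the example; the Packet type, field names and the two server addresses are assumptions, and in real work the records would be read from a pcap with a library such as scapy or a tshark field export.

```python
"""Added example (not from the tutorial): rebuilding Wireshark's Endpoints,
Conversations and "Follow TCP Stream" views from plain packet records.
The packets are constructed for this example; in practice they would be
read from a pcap (e.g. with scapy or a tshark field export)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str        # source IP
    sport: int      # source TCP port
    dst: str        # destination IP
    dport: int      # destination TCP port
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP segment payload (the application data)


# Constructed capture: one HTTP exchange spread over several TCP segments
# (two captured out of order, one retransmitted) plus a request to a
# second server.
PACKETS = [
    Packet(0.000, "10.0.0.2", 49152, "93.184.216.34", 80, 1,
           b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.001, "10.0.0.2", 49152, "93.184.216.34", 80, 27,
           b"Host: example.com\r\n\r\n"),
    Packet(0.020, "93.184.216.34", 80, "10.0.0.2", 49152, 1,
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    Packet(0.022, "93.184.216.34", 80, "10.0.0.2", 49152, 42, b"lo"),
    Packet(0.021, "93.184.216.34", 80, "10.0.0.2", 49152, 39, b"hel"),
    Packet(0.023, "93.184.216.34", 80, "10.0.0.2", 49152, 39, b"hel"),  # retransmission
    Packet(0.500, "10.0.0.2", 49153, "10.0.0.1", 80, 1,
           b"GET /admin HTTP/1.1\r\n\r\n"),
]


def endpoints(packets):
    """Per-IP counters like Statistics > Endpoints: packets and payload
    bytes transmitted and received."""
    stats = defaultdict(lambda: {"tx_packets": 0, "tx_bytes": 0,
                                 "rx_packets": 0, "rx_bytes": 0})
    for p in packets:
        stats[p.src]["tx_packets"] += 1
        stats[p.src]["tx_bytes"] += len(p.payload)
        stats[p.dst]["rx_packets"] += 1
        stats[p.dst]["rx_bytes"] += len(p.payload)
    return dict(stats)


def conversation_key(p):
    """Direction-independent key so both halves of a TCP connection land in
    the same conversation, as in Statistics > Conversations."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def conversations(packets):
    """Packet count per TCP conversation."""
    return dict(Counter(conversation_key(p) for p in packets))


def follow_tcp_stream(packets, key):
    """Reassemble the application data of one conversation, per direction,
    ordered by TCP sequence number rather than capture time. Overlapping
    (retransmitted) bytes are dropped and gaps are marked explicitly."""
    per_direction = defaultdict(list)
    for p in packets:
        if conversation_key(p) == key:
            per_direction[(p.src, p.sport, p.dst, p.dport)].append(p)
    stream = {}
    for direction, segments in per_direction.items():
        segments.sort(key=lambda s: s.seq)
        data = bytearray()
        expected = segments[0].seq
        for s in segments:
            if s.seq > expected:                    # missing segment(s)
                data += b"[%d bytes missing]" % (s.seq - expected)
                expected = s.seq
            fresh = s.payload[expected - s.seq:]    # skip already-seen bytes
            data += fresh
            expected += len(fresh)
        stream[direction] = bytes(data)
    return stream


if __name__ == "__main__":
    for ip, st in endpoints(PACKETS).items():
        print(ip, st)
    for key, n in conversations(PACKETS).items():
        print(n, "packets:", key)
    for direction, data in follow_tcp_stream(PACKETS, conversation_key(PACKETS[0])).items():
        print(direction, data)
```

The reassembly step is the part worth studying: ordering by sequence number rather than by capture time is what turns the out-of-order and retransmitted segments into the single "hello" response a reader would expect, and the explicit gap marker is how a missing segment (a packet the sniffer never saw) shows up instead of silently corrupting the stream.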
Flow Graph provides us with time-based statistics about the flow of communication. It helps us see the chronological order of the communication. For example, we might expect to see a DNS query before an HTTP request to a specific web server.

Many times the way malware enters a system is by being downloaded from a malicious web server using the HTTP protocol. Export HTTP Objects allows us to save resources that were downloaded using the HTTP protocol to disk and research them in a sandbox environment.

Common application protocols

HTTP

HTTP is a generic protocol and can be used for many purposes, which is what made it so popular and widely used.
It is a Client / Server based protocol, which means that there will always be a client sending an HTTP request to a server, which in return will send an HTTP response. Imagine one computer in a network wants to download a file from another computer in the network: you can run the second one as an HTTP server, and on the first one use your web browser as the HTTP client that sends an HTTP request asking for the desired file. The server will then send an HTTP response containing the file. Another example is a smart light bulb that acts as an HTTP server: using your web browser or a mobile app, you can turn the lights on and off via HTTP requests.

HTTP Request

HTTP requests contain information that specifies the type of the request and the desired resource or command we are asking from the server. Here is what an HTTP request looks like:

Let’s explain some of these fields:

URI

A uniform resource identifier (URI) identifies a resource. URIs are generic and may be used for various purposes, like pointing to files. The HTTP URI consists of 5 main parts:
- scheme - the protocol used, either http or https
- host - the host running the web server
- port - the port of the web server. If not specified, the default port for the protocol is used (80 for http, 443 for https)
- path - the path to the resource on the server
- query - appears at the end of the path after the question mark. This is optional and allows passing parameters to the web server.
  Parameters are given as key-value pairs and are separated using the ampersand (&) sign. For example, Google uses the q parameter for its query string. Try this: https://www.google.com/search?q=singapore

HTTP Methods

GET and POST are the most common methods. They are implemented by all servers and are used by your web browser directly.
- GET - when you browse Google, your browser uses GET requests to retrieve the content of the page
- POST - when you send a form, like a signup form, the browser sends the form parameters through the HTTP body in the same syntax as a query. This is useful because the URI has a limited length. This may also be used for sending large parameters like files.

HTTP Headers

Lastly, an HTTP request allows the client to pass additional information using headers, which are key and value pairs, like words and their respective translations in a dictionary.

We always use headers when we want to add information that is not related to the data but to the communication. Let’s take the “User-Agent” header as an example. The “User-Agent” is a string that conveys information about the requesting client, such as:
- application (Chrome / Firefox / Safari / etc.)
- operating system (Windows / macOS / Android / etc.)
- browser engine version (AppleWebKit 525.13)

This header allows the server to respond with different content (or style) for different clients.
For example, if a client is accessing the server from a mobile phone, the server can respond with a mobile-friendly version of the web page, which is different from the response that a client surfing from a desktop computer will receive.

Example of a User-Agent header value:
Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.45 Safari/535.19

Luckily, some online tools can extract the information from a User-Agent string and explain it better:

This information can be very valuable when analyzing HTTP network traffic, as we can learn about the actual devices in the communication, including their OS version and whether they are using a desktop or a mobile device.

HTTP Response

The HTTP response contains information that specifies whether the request was handled successfully, the type and size of the response content, and the requested resource itself. Here is what an HTTP response looks like:

HTTP Response Codes

Indicate whether a specific HTTP request has been completed successfully. Responses are grouped into five classes:
- Successful responses (200–299) – e.g. 200 OK - the server successfully handled the request
- Redirects (300–399) – e.g. 301 Moved Permanently - the requested resource has been moved somewhere else; the client should make a new request to the new URI
- Client errors (400–499) – e.g.
  400 Bad Request / 404 Not Found - the client is sending a malformed request, doesn’t have permission to access the resource, or the resource it is trying to access does not exist. This usually indicates a failure due to the client’s fault
- Server errors (500–599) – e.g. 500 Internal Server Error - an error on the server side prevented it from handling the client request. This usually indicates a failure due to the server’s fault

HTTP in Wireshark

Most HTTP traffic is secured using HTTPS, which cannot be understood using Wireshark. However, there are still some large websites that use HTTP. Let’s examine the traffic generated when browsing baidu.com and searching for kittens. We can see the request method, user agent, and parameters:

For the HTTP response, we can see interesting headers:
- Server - which web server is returning our answers
- Content-Type - distinguishes different file types, like scripts, binary, or plain text files
- Content-Encoding - the compression method

DNS

As it is hard for humans to remember IP addresses, DNS is used to translate domain names to IP addresses, such as www.google.com → 72.17.11.228. DNS is always used behind the scenes when you browse the Internet or play online games, where your game client tries to access the game server.

Similar to HTTP, DNS is also Client / Server based. A DNS client, usually your computer, sends a DNS query to a DNS server, asking “What is the IP address of the domain called www.google.com?” The DNS server responds with a DNS reply containing the IP address.

DNS Query

DNS Reply

The reply repeats the question and appends to it the relevant answer with the IP address.

As mentioned before, HTTPS communication is encrypted, and the request and response cannot be understood in Wireshark. However, you can see which sites someone is browsing by correlating DNS queries that were performed right before an HTTPS request.
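The DNS-to-HTTPS correlation just described, worked through as an added example (it is not part of the tutorial and not Wireshark's own code). The DNS replies and port-443 connections below are constructed; the record types, the client and server addresses and the 60-second matching window are assumptions. In practice the records would be pulled from the pcap, for instance from the dns.qry.name and dns.a fields and the TCP SYN to port 443.

```python
"""Added example (not from the tutorial): correlating DNS replies with the
HTTPS connections that follow them, so that the server name behind an
encrypted connection can be recovered from the capture. The records are
constructed for this example; in practice they would be extracted from a
pcap (e.g. tshark fields dns.qry.name / dns.a and the TCP SYN to port 443)."""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    ts: float        # capture time of the reply, seconds
    client: str      # IP that asked the question
    qname: str       # domain name that was queried
    answers: tuple   # IPv4 addresses returned in the A records


@dataclass(frozen=True)
class TlsConnection:
    ts: float        # time of the client's TCP SYN to port 443
    client: str
    server: str      # server IP; the HTTP request itself is encrypted


DNS_REPLIES = [
    DnsReply(1.0, "10.0.0.2", "www.example.com", ("93.184.216.34",)),
    DnsReply(5.0, "10.0.0.2", "cdn.example.net", ("203.0.113.10", "203.0.113.11")),
    # The same address later answers a different name (shared hosting / CDN).
    DnsReply(9.0, "10.0.0.2", "static.example.org", ("203.0.113.10",)),
]

TLS_CONNECTIONS = [
    TlsConnection(1.2, "10.0.0.2", "93.184.216.34"),
    TlsConnection(5.3, "10.0.0.2", "203.0.113.11"),
    TlsConnection(9.4, "10.0.0.2", "203.0.113.10"),
    TlsConnection(30.0, "10.0.0.2", "198.51.100.7"),    # no DNS reply at all
    TlsConnection(400.0, "10.0.0.2", "93.184.216.34"),  # DNS reply long before
]


def index_dns(dns_replies):
    """Map (client, answered IP) -> time-ordered list of (reply time, name),
    so a lookup can pick the most recent name resolved to that IP."""
    index = defaultdict(list)
    for r in sorted(dns_replies, key=lambda r: r.ts):
        for ip in r.answers:
            index[(r.client, ip)].append((r.ts, r.qname))
    return index


def correlate(dns_replies, tls_connections, window=60.0):
    """For each HTTPS connection return (ts, client, server, name): the
    name is the most recent DNS answer from the same client that resolved
    to the server IP no more than `window` seconds earlier, else None."""
    index = index_dns(dns_replies)
    results = []
    for c in tls_connections:
        candidates = index.get((c.client, c.server), [])
        times = [t for t, _ in candidates]
        i = bisect_right(times, c.ts) - 1
        name = None
        if i >= 0 and c.ts - times[i] <= window:
            name = candidates[i][1]
        results.append((c.ts, c.client, c.server, name))
    return results


def unresolved(results):
    """Connections with no preceding DNS reply: a hard-coded server IP or a
    cached answer, either way worth a closer look by the analyst."""
    return [r for r in results if r[3] is None]


if __name__ == "__main__":
    for ts, client, server, name in correlate(DNS_REPLIES, TLS_CONNECTIONS):
        print(f"{ts:7.1f}s {client} -> {server}:443  {name or '(no DNS seen)'}")
```

Two caveats show up in the constructed data. An address that answered several names (the CDN case) is attributed to the most recent answer, which is the best available guess but not a certainty. A connection with no preceding DNS reply inside the window may simply be using an answer the client cached earlier (DNS answers carry a TTL), so widen the window before concluding the address was hard-coded; the TLS ClientHello's Server Name Indication, when present, gives the name in clear text and is the better source.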
Guided example

John came home one night and started browsing the web. Not doing much, suddenly his computer shut down. Luckily, his son Mike had a sniffer running on John’s computer. Investigate the resulting pcap file (sniff1.pcap) and answer the following questions.

Task
1. Describe John’s network:
   1. IP addresses (in the LAN or WAN)
   2. MAC addresses (in the LAN or WAN)
2. Describe John’s computer:
   1. How do you know it is John’s computer?
   2. Operating system
   3. Web browser

Let’s load the given pcap file into Wireshark and provide the necessary information for this question using the existing analysis tools in Wireshark.

1. Using Wireshark’s Endpoints statistics, we can easily get a list of all of the IP addresses and MAC addresses in the capture file.

By clicking on the “Copy” button, we can copy the information in CSV format, and in a text editor we can go over the list and analyze it. We can see that some of the IPs are internal private IPs, which are IPs in John’s LAN. Others are public Internet (WAN) IPs.
We can also see that some of the IPs are not real IPs, like the following:
- 10.0.0.255 - an IP used for broadcasting a message to the entire network subnet
- 224.0.0.22, 224.0.0.252 - multicast IPs, which are used to send data to a group of hosts in a computer network

After removing these 3 IPs, we are left with a list of 47 IPs containing LAN and WAN IP addresses.

2. For the list of MAC addresses we can again use the Endpoints statistics, but this time look at the Ethernet protocol.

We can now start to analyze the MAC addresses as we did with the IP addresses. We first divide them into groups with the same first 3 bytes of the MAC address, which represent the OUI (Organizationally Unique Identifier) of the network device. Then we can go over the list and try to see which MAC addresses represent real devices and which are special addresses for broadcasting or multicasting.

ff:ff:ff:ff:ff:ff - this MAC address is easily identified as the broadcast address and can be eliminated from the list.

Now to the 33:33:ff group: Wireshark helps us by recognizing this OUI (33:33:ff) as a special MAC address used for multicast. This means it is not a real MAC address of a device in the network, and all of the MAC addresses with this OUI can be eliminated.
The same thing happens with the 33:33:00 group:

And with the 01:00:5e group:

So all of these MACs can be eliminated as well. Finally, we are left with the 00:0c:29 group. Looking at the traffic coming from or going to these MAC addresses, we can see that the MAC addresses in this group are addresses of actual devices in the network; specifically, in this case, virtual devices created with VMware virtualization software.

So to answer this part of the question, the MAC addresses in John’s network are:
00:0c:29:31:f9:66
00:0c:29:4c:0f:cd
00:0c:29:b9:45:b2

For part two of this exercise we need to focus on John’s computer. For this part we will have to understand which computer is John’s. We have seen 3 IP addresses. We know one of them, 10.0.0.1, is the router’s IP, while John’s computer can be either 10.0.0.2 or 10.0.0.3.

Let’s try to find information about the OS and web browser. Usually, a header called User-Agent that is sent with every HTTP request can provide us with this information. So let’s filter on the HTTP protocol.
We can take this User-Agent value to one of the websites that parse User-Agents for us:

From this we learn that this is Firefox version 61 running on a Windows 7 machine.

Let’s see what information we can get about the other IP address (10.0.0.3).

We can find different HTTP requests with different user agents, such as: MSDW, MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT and Microsoft-CryptoAPI/10.0. These all seem unrelated to the activities of a real user; instead, they are HTTP requests sent by Microsoft applications running on this computer. We can assume that 10.0.0.2, which contains user activity of someone browsing the Internet, is John’s computer.

So to conclude: the computer 00:0c:29:b9:45:b2 with IP 10.0.0.2 is John’s computer. It is running Windows 7 with the Firefox web browser.

Exercise

Use the knowledge you’ve acquired in this tutorial and extract from the file red_alpha.pcap a PDF file which contains the password to complete this challenge.
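The address rules from the Network Packets and Protocols section and the elimination steps of the guided example (Task 1, parts 1 and 2) can be scripted so they do not have to be repeated by hand on the next capture. The following is an added example, not part of the tutorial and not taken from sniff1.pcap: the Endpoints CSV exports and the User-Agent values are constructed to resemble the guided example (same address groups, same three 00:0c:29 MACs, same non-browser agents), and the Firefox User-Agent string is an assumption. It goes one step beyond the tutorial's prefix list: any MAC whose first octet has its low bit set is a group (multicast) address by the IEEE rules, which is what the 01:80:c2, 01:00:5e and 33:33 prefixes have in common.

```python
"""Added example (not part of the tutorial): automating Task 1 of the guided
example. The Endpoints exports and User-Agent values below are constructed
to resemble the tutorial's capture; they are not taken from sniff1.pcap."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed "Copy as CSV" export of Statistics > Endpoints > IPv4 (subset).
IPV4_CSV = """Address,Packets,Bytes
10.0.0.1,120,18040
10.0.0.2,2310,1620044
10.0.0.3,410,98122
10.0.0.255,12,3120
224.0.0.22,6,360
224.0.0.252,4,280
93.184.216.34,300,410010
"""

# Constructed export of Statistics > Endpoints > Ethernet (subset).
ETH_CSV = """Address,Packets,Bytes
00:0c:29:31:f9:66,130,19000
00:0c:29:4c:0f:cd,2400,1650000
00:0c:29:b9:45:b2,420,99000
ff:ff:ff:ff:ff:ff,12,3120
33:33:ff:b9:45:b2,3,258
33:33:00:00:00:16,4,360
01:00:5e:00:00:fc,4,280
"""

# Constructed http.user_agent values observed per source IP.
USER_AGENTS = {
    "10.0.0.2": ["Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) "
                 "Gecko/20100101 Firefox/61.0"],
    "10.0.0.3": ["MSDW", "MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT",
                 "Microsoft-CryptoAPI/10.0"],
}

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST_MAC_PREFIXES = ("01:80:c2", "01:00:5e", "33:33")
WINDOWS_NT = {"6.0": "Windows Vista", "6.1": "Windows 7", "6.2": "Windows 8",
              "6.3": "Windows 8.1", "10.0": "Windows 10"}


def classify_ip(addr):
    """Broadcast / multicast / LAN (private) / WAN (public), using the
    tutorial's rules (broadcast ends in .255, private = the three ranges)."""
    ip = ipaddress.ip_address(addr)
    if addr.endswith(".255"):
        return "broadcast"
    if ip.is_multicast:  # 224.0.0.0/4, a superset of the tutorial's range
        return "multicast"
    if any(ip in net for net in PRIVATE_RANGES):
        return "LAN"
    return "WAN"


def classify_mac(mac):
    """Broadcast / multicast / device. Besides the prefixes named in the
    tutorial, a MAC whose first octet has its low bit set is a group
    (multicast) address by the IEEE addressing rules."""
    mac = mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if mac.startswith(MULTICAST_MAC_PREFIXES) or int(mac[:2], 16) & 1:
        return "multicast"
    return "device"


def addresses(csv_text):
    """Address column of an Endpoints CSV export."""
    return [row["Address"] for row in csv.DictReader(io.StringIO(csv_text))]


def real_devices_by_oui(eth_csv):
    """Group the MACs of real devices by OUI (first three bytes)."""
    groups = defaultdict(list)
    for mac in addresses(eth_csv):
        if classify_mac(mac) == "device":
            groups[mac.lower()[:8]].append(mac.lower())
    return dict(groups)


def describe_user_agent(ua):
    """(os, browser) for a browser UA; (None, None) for the non-browser
    UAs that Windows components send on their own."""
    if not ua.startswith("Mozilla/"):
        return None, None
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    os_name = WINDOWS_NT.get(nt.group(1), "Windows NT " + nt.group(1)) if nt else "unknown OS"
    # First product token wins: Chrome UAs also carry a trailing "Safari/..." token.
    b = re.search(r"(Firefox|Chrome|Safari)/(\d+)", ua)
    return os_name, (f"{b.group(1)} {b.group(2)}" if b else "unknown browser")


def user_hosts(user_agents):
    """Per IP: (os, browser) from the first real browser UA, or None if the
    host only shows machine-generated HTTP traffic."""
    result = {}
    for ip, uas in user_agents.items():
        hits = [d for d in map(describe_user_agent, uas) if d[0] is not None]
        result[ip] = hits[0] if hits else None
    return result
```

Running user_hosts on the constructed data singles out 10.0.0.2 as the only host with a person behind the keyboard, which is the same reasoning the tutorial applies by eye. The User-Agent heuristic is deliberately narrow (Windows NT versions and three browser families); a non-Windows or unusual client falls back to "unknown" rather than being mislabelled, and because a User-Agent is client-supplied text, it is evidence to be corroborated with the rest of the capture, not proof on its own.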