# DFIR Playbook - Network Forensics
source link: https://angry-bender.github.io/blog/DFIR_Playbook-Network-Forensics/

## Introduction
This post aims to replicate my physical playbook on networking and covers the following tools:
- tshark
- capinfos
- NetworkMiner
- editcap
- nfdump
- bro
- passivedns
- zcat
Future editions will include Snort and live monitoring.

## Converting PCAPs
From | To | Command |
---|---|---|
pcap | netflow | `nfcapd -r <pcapfile> -S 1 -z -l <Outputdirectory>` |
pcap | zeek | `bro <profile> -r <pcapfile>` (profiles are listed in `/opt/bro/share/bro/site/<name>.bro`) |
pcap | dns | `passivedns -r <pcapfile> -l dnslog.txt -L nxdomain.txt` (not included in SIFT; see the passivedns repo) |
pcapng | pcap | `tcpdump -r <pcapngfile> -w pcap.pcap` |
gz | grep'able text | `zcat <gzfile>` |
Large PCAP | Filtered PCAP | `tcpdump port 80 -r in.pcap -w out.pcap` |
Large PCAP | Plain-text web PCAP | `tshark -r Capture.pcap -Y "http.request or http.response or dns" -w Capture-Web.pcap` Note: tshark will ONLY capture HTTP on port 80; if HTTP traffic is on other ports, use tcpdump with the port numbers |
## Analysing PCAPs
Description | Command |
---|---|
HTTP packet counter | `tshark -r <pcapfile> -z http,tree -q` |
Info | `capinfos <pcapfile>` |
Basic filter output | `tshark -r <pcapfile> -Y '<filters>'` See the Wireshark wiki or Unit42 for filter examples. Note: tshark uses Wireshark display filters |
Get files from pcap | `tcpflow -r <pcapfile> -o <outputdirectory>` or NetworkMiner. Note: see Netresec for NetworkMiner installation instructions |
Splice PCAP by before time | `editcap -B "<YYYY-MM-DD HH:MM:SS Before Time>" <pcapfile> spliced.pcap` |
Splice PCAP by after time | `editcap -A "<YYYY-MM-DD HH:MM:SS After Time>" <pcapfile> spliced.pcap` |
Forensics analysis | `tshark -r <pcap file> -Y <display filters> -T fields -e <Fields To display>` Can be combined with `\| sort \| uniq -c \| sort -nr` for statistical analysis. Fields: use one `-e` for each field; examples include `ip.addr`, `udp` and `frame.number`. To show Wireshark column values use `_ws.col`, for example `_ws.col.info` or `_ws.col.dns.query`. To print all available fields use `tshark -G fields` or see the Wireshark documentation |
Filter pcaps (reduce them down) | `tcpdump -n -r <pcapfile> -w out.pcap <filter>` The filter could be `udp and port 53` for DNS traffic; see the tcpdump filter documentation for more examples |
Yet another way to filter pcaps (reduce them down) | `.\tshark.exe -r <input pcap> -Y <display filters> -w out.pcap` |
Dump netflow | `nfdump -R <inputdirectory> <options> <filter> -o fmt:<format string>` See the 572 poster for usage |
Convert PCAP to http.log, files.log, conn.log | `zeek -r <filename>` Not natively included in SIFT; download from zeek-packages |
Filter zeek columns | `cat http.log \| zeek-cut column_name` |
DNS quick wins | `tshark -r <pcap file> -z dns,tree \| grep` |
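The "reduce it down" rows above (the tcpdump `port 80` filter, the `editcap -A`/`-B` time splices) all work on the same classic pcap structure: a 24-byte global header followed by 16-byte per-packet records carrying a seconds/microseconds timestamp. The following is an added example, not code from the playbook or from the tcpdump/editcap projects, that writes a constructed five-packet capture and applies both reductions to it in plain Python. Assumptions are labelled in the comments: frames are built with zero MACs and zero checksums, addresses come from documentation ranges, and the `YYYY-MM-DD HH:MM:SS` strings are parsed as UTC for determinism, whereas editcap interprets them in local time.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1


def utc_seconds(stamp: str) -> float:
    """Parse the 'YYYY-MM-DD HH:MM:SS' string the playbook hands to editcap -A/-B.
    Assumption: treated as UTC so the demo is deterministic (editcap uses local time)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are zero (fine for a sample)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = bytes(12) + b"\x08\x00"                                   # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))                      # IHL 5, protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path: str, records) -> None:
    """records: iterable of (timestamp_seconds, frame_bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in records:
            sec = int(ts)
            f.write(struct.pack("=IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)))
            f.write(frame)


def read_pcap(path: str):
    """Yield (timestamp_seconds, frame_bytes); refuses pcapng, which must be converted first."""
    with open(path, "rb") as f:
        if struct.unpack("=I", f.read(24)[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a native-order microsecond pcap")
        while len(rec := f.read(16)) == 16:
            sec, usec, incl_len, _orig_len = struct.unpack("=IIII", rec)
            yield sec + usec / 1_000_000, f.read(incl_len)


def tcp_ports(frame: bytes):
    """(sport, dport) for an IPv4/TCP frame, else None (ARP, IPv6, UDP ... are skipped)."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    off = 14 + (frame[14] & 0x0F) * 4                               # Ethernet + IHL * 4
    return struct.unpack("!HH", frame[off:off + 4])


def reduce_pcap(src: str, dst: str, port=None, after=None, before=None) -> int:
    """tcpdump 'port N' and editcap -A/-B in one pass (both bounds inclusive, like editcap).
    Returns the number of packets written to dst."""
    lo = utc_seconds(after) if after else None
    hi = utc_seconds(before) if before else None
    kept = []
    for ts, frame in read_pcap(src):
        if (lo is not None and ts < lo) or (hi is not None and ts > hi):
            continue
        if port is not None:
            ports = tcp_ports(frame)
            if ports is None or port not in ports:
                continue
        kept.append((ts, frame))
    write_pcap(dst, kept)
    return len(kept)


def run_demo() -> dict:
    """Write a five-packet constructed capture, then apply the playbook's reductions to it."""
    t0 = utc_seconds("2024-01-01 00:00:00")
    sample = [  # constructed traffic between documentation-range addresses
        (t0 + 0.00, tcp_frame("10.0.0.5", "192.0.2.10", 51234, 80, b"GET / HTTP/1.1\r\n")),
        (t0 + 1.50, tcp_frame("10.0.0.5", "192.0.2.10", 51235, 443)),
        (t0 + 3.00, tcp_frame("192.0.2.10", "10.0.0.5", 80, 51234, b"HTTP/1.1 200 OK\r\n")),
        (t0 + 10.00, tcp_frame("10.0.0.5", "198.51.100.7", 51236, 8080)),
        (t0 + 12.25, tcp_frame("10.0.0.5", "198.51.100.7", 51237, 80)),
    ]
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "in.pcap")
        write_pcap(src, sample)
        return {
            "total": sum(1 for _ in read_pcap(src)),
            "port80": reduce_pcap(src, os.path.join(d, "web.pcap"), port=80),
            "after": reduce_pcap(src, os.path.join(d, "after.pcap"), after="2024-01-01 00:00:02"),
            "before": reduce_pcap(src, os.path.join(d, "before.pcap"), before="2024-01-01 00:00:10"),
            "both": reduce_pcap(src, os.path.join(d, "both.pcap"), port=80, after="2024-01-01 00:00:02"),
        }


if __name__ == "__main__":
    print(run_demo())   # {'total': 5, 'port80': 3, 'after': 3, 'before': 4, 'both': 2}
```

Two details worth noticing when comparing against the real tools: `port 80` matches either direction (the server's reply at `t0 + 3.0` is kept because its source port is 80), and the `-B` bound is inclusive, so the packet timestamped exactly `00:00:10` survives the "before" splice.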
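The "Filter zeek columns" and "Forensics analysis" rows describe the same two-step pattern: pull named columns out of a log, then count them with `sort | uniq -c | sort -nr`. As an added example (not code from the playbook or from Zeek), the block below implements the `zeek-cut` half against a constructed `http.log` in Zeek's ASCII format, honouring the `#separator` and `#fields` header lines the way zeek-cut does, and the counting half with `collections.Counter`. All log lines, hosts and addresses are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed http.log in Zeek ASCII format: "#separator" uses a space, every later header
# line and every data row uses the declared separator (tab). Hosts/addresses are made up.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#open\t2024-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount
1704067200.101\tCx1a\t10.0.0.5\t51234\t192.0.2.10\t80\tGET\texample.com\t/\t200
1704067200.354\tCx1a\t10.0.0.5\t51234\t192.0.2.10\t80\tGET\texample.com\t/favicon.ico\t404
1704067201.020\tCx2b\t10.0.0.7\t51300\t198.51.100.20\t80\tGET\tcdn.example.net\t/lib.js\t200
1704067202.777\tCx1a\t10.0.0.5\t51234\t192.0.2.10\t80\tPOST\texample.com\t/login\t302
1704067203.410\tCx2b\t10.0.0.7\t51300\t198.51.100.20\t80\tGET\tcdn.example.net\t/app.css\t200
1704067209.998\tCx3c\t10.0.0.9\t51410\t203.0.113.8\t8080\tGET\tupdates.example.org\t/manifest\t-
#close\t2024-01-01-00-05-00
"""


def parse_zeek_log(text: str):
    """Return (fields, rows). Reads #separator and #fields, skips the other # lines."""
    sep, fields, rows = "\t", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # value is written as an escape sequence such as \x09
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
        elif line:
            cells = line.split(sep)
            if len(cells) != len(fields):
                raise ValueError(f"{len(cells)} cells for {len(fields)} fields in: {line!r}")
            rows.append(dict(zip(fields, cells)))
    return fields, rows


def zeek_cut(text: str, *columns: str):
    """`cat http.log | zeek-cut col1 col2` equivalent: one tuple of the chosen columns per row."""
    fields, rows = parse_zeek_log(text)
    unknown = [c for c in columns if c not in fields]
    if unknown:
        raise KeyError(f"not in #fields: {unknown}")
    return [tuple(row[c] for c in columns) for row in rows]


def human_ts(ts: str) -> str:
    """zeek-cut -d style conversion of an epoch ts column. Assumption: rendered in UTC."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def top_n(values, n: int = 10):
    """`| sort | uniq -c | sort -nr | head -n N` equivalent: (value, count), most frequent first."""
    return Counter(values).most_common(n)


if __name__ == "__main__":
    for host, count in top_n(h for (h,) in zeek_cut(SAMPLE_HTTP_LOG, "host")):
        print(f"{count:7d} {host}")       # same shape as uniq -c output
    for ts, host, uri in zeek_cut(SAMPLE_HTTP_LOG, "ts", "host", "uri"):
        print(human_ts(ts), host, uri)
```

The column-count check in `parse_zeek_log` is deliberate: a row with the wrong number of cells usually means the log was concatenated from files with different `#fields` headers, which silently misaligns columns when you just `cut -f` by position.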
## Extracting Certificates for TLS Traffic
- Open Wireshark.
- Find the relevant certificate with the Wireshark filter `tls.handshake.type == 11` combined with an identifier such as an IP or a domain name that resolves to that endpoint. If you know the domain name you can also use `tls.handshake.extensions_server_name contains <name>`, then follow the stream.
- Right-click the certificate entry and select "Export Packet Bytes".
- Save the file as a .der certificate.
- Convert to PEM with `openssl x509 -inform der -in hotjar.der -out hotjar.pem`.
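What "Export Packet Bytes" hands you is the DER blob sitting inside the TLS 1.2 Certificate handshake message, and what `openssl x509 -inform der ... -out x.pem` then writes is just that blob base64-encoded between PEM markers. As an added example (not code from the playbook or from Wireshark/OpenSSL), the block below walks the record, handshake and certificate-list length fields to pull every DER certificate out of a Certificate record, then performs the DER-to-PEM conversion. The record and the two "certificates" are constructed placeholders (tiny valid ASN.1 SEQUENCEs, not real certificates) so the block runs offline; a real leaf certificate would be a few hundred to a few thousand bytes starting with `30 82`.

```python
import base64
import struct

HANDSHAKE = 0x16     # TLS record content type
CERTIFICATE = 11     # handshake message type, i.e. Wireshark's tls.handshake.type == 11


def certificates_from_record(record: bytes) -> list:
    """Extract every DER certificate from a TLS 1.2 Certificate handshake record.
    Layout: record hdr (type,version,len) | hs type | hs len(3) | certs len(3) | (len(3) + DER)*"""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"record type {ctype:#x} is not a handshake record")
    body = record[5:5 + rec_len]
    if not body or body[0] != CERTIFICATE:
        raise ValueError("handshake message is not type 11 (Certificate)")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    certs_len = int.from_bytes(hs[:3], "big")
    pos, end, certs = 3, 3 + certs_len, []
    while pos < end:
        clen = int.from_bytes(hs[pos:pos + 3], "big")
        der = hs[pos + 3:pos + 3 + clen]
        if len(der) != clen or not der.startswith(b"\x30"):
            # every X.509 certificate is an ASN.1 SEQUENCE (tag 0x30); anything else means
            # the wrong bytes were exported from the packet
            raise ValueError(f"entry at offset {pos} is truncated or not DER")
        certs.append(der)
        pos += 3 + clen
    return certs


def der_to_pem(der: bytes) -> str:
    """Same output as `openssl x509 -inform der -in x.der -out x.pem`: base64 wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_certificate_record(certs) -> bytes:
    """Inverse of the parser; only used here to construct the sample record."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    hs_body = len(entries).to_bytes(3, "big") + entries
    hs = bytes([CERTIFICATE]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


# Constructed placeholder DER blobs: valid ASN.1 SEQUENCEs, not real certificates.
LEAF_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
ISSUER_DER = b"\x30\x03\x02\x01\x03"
SAMPLE_RECORD = build_certificate_record([LEAF_DER, ISSUER_DER])


if __name__ == "__main__":
    for i, der in enumerate(certificates_from_record(SAMPLE_RECORD)):
        print(f"certificate {i}: {len(der)} bytes DER")
        print(der_to_pem(der), end="")
```

The chain order matters for the forensic question: the first entry is the server's own certificate, and the following entries are the intermediates it sent, so when you export bytes in Wireshark make sure you picked the entry you meant. The `0x30` check catches the common slip of exporting the whole handshake message instead of one certificate.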
## Netflow
## Snort