Instant Wireshark Starter

By: Abhinav Singh
Overview of this book

Wireshark is by far the most popular network traffic analysis tool. It not only provides an interface for traffic capture but also provides a rich platform for in-depth analysis of the traffic. The GUI provides a very user friendly and interactive medium that simplifies the process of network forensics. This concise book provides a perfect start to getting hands-on with packet analysis using Wireshark. Instant Wireshark Starter is the perfect guide for new learners who are willing to dive into the world of computer networks. Walking you through from the very start, it transitions smoothly to cover core topics like filters, decoding packets, command line tools, and more. It covers every inch of Wireshark in a concise and comprehensive manner. Instant Wireshark Starter has been designed keeping basic learners in mind. After initial setup, the book leads you through your first packet capture followed by some core topics like analyzing the captured traffic and understanding filters. You will then be guided through more detailed topics like the decoding of captured packets, generating graphs based on statistics, and name resolution. Finally the book concludes by providing information about further references and official sources to learn more about the tool.

Wireshark activity


Now that we have covered almost all of the basic features of Wireshark, in this section we will put the techniques learnt in the previous sections into practice. The exercise will give you a practical insight into the steps that are typically followed while performing network forensics. We will take an example in which a user visits a website while browsing the Internet and, a few minutes later, notices some strange behavior on his system. Fortunately, the user was capturing traffic at the time, and the resulting pcap file can help us analyze what exactly happened on the wire.

For your better understanding, you can download the capture file from the following location and follow up with this section:

https://www.dropbox.com/s/ykl6rhsfstuw0fp/wireshark_starter.pcap

Once you have opened the packet capture in Wireshark, the first step is to look at the different DNS queries that were made while the user was online. This gives a quick view of any DNS request that may have been made for a malicious domain without the user's knowledge. This can happen, for example, if the website the user visited contained a hidden iframe that loaded a malicious script from another domain.

Typing dns in the Filter box and pressing Enter will show the DNS name resolutions that occurred over the wire. (The display filter dns.flags.response == 0 narrows the list to the queries alone, which is often easier to scan.)

You will notice a large number of DNS name resolutions, and it is difficult to tell from them alone whether anything is suspicious. The next step is to look at the HTTP streams that flowed during the session. Typing http and pressing Enter will show the HTTP packets; you will see HTML, JavaScript, and image traffic. Looking more closely, you will also find some 302 redirections, packets that Wireshark labels as Continuation or non-HTTP traffic (reassembled pieces of larger responses), and Java Archive (.jar) downloads. This should raise the investigator's suspicion that the system may have been infected through a Java exploit. To investigate further, you can look at the different GET requests made by the machine. Typing tcp contains "GET" will list every TCP segment whose payload contains those three bytes; the more precise display filter http.request.method == "GET" lists only the requests that the HTTP dissector has decoded.

You will notice a GET request with an unusual URL pattern of ?page=<random numbers>.
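The checks above (302 redirections, .jar fetches, the ?page=<random numbers> URL, and the executable download that the export dialog reveals later) can be done by eye in the GUI, but they are also easy to script once the HTTP fields have been dumped with tshark, for instance with `tshark -r wireshark_starter.pcap -Y http -T fields -E separator=/t -e frame.number -e ip.src -e ip.dst -e http.request.method -e http.host -e http.request.uri -e http.response.code -e http.content_type -e http.location -e http.response_for.uri`. The following is an added example and not code from the book; the tab-separated records, frame numbers, hosts and addresses in it are constructed to mimic that tshark output, and the rules generalize the book's observations to any capture in the same shape.

```python
"""Triage HTTP records exported from a capture for exploit-kit delivery patterns.

Added example (not from the book). The rules encode what the walkthrough
looks for by eye: a 302 redirect away from the visited site, a landing page
with a ?page=<random numbers> URL, a Java archive fetch, and finally an
executable handed out by a w.php?f=<random>-style URL.
"""
import re
from collections import namedtuple
from urllib.parse import urlsplit

FIELDS = ["frame", "src", "dst", "method", "host", "uri",
          "code", "ctype", "location", "for_uri"]
Record = namedtuple("Record", FIELDS)

# Constructed sample in the shape produced by:
#   tshark -r capture.pcap -Y http -T fields -E separator=/t \
#     -e frame.number -e ip.src -e ip.dst -e http.request.method -e http.host \
#     -e http.request.uri -e http.response.code -e http.content_type \
#     -e http.location -e http.response_for.uri
# Hosts and addresses are assumptions (documentation ranges), not real sites.
SAMPLE = """\
12\t192.0.2.10\t198.51.100.5\tGET\twww.example.com\t/\t\t\t\t
15\t198.51.100.5\t192.0.2.10\t\t\t\t200\ttext/html\t\thttp://www.example.com/
21\t192.0.2.10\t198.51.100.7\tGET\tads.example.net\t/ad.js\t\t\t\t
23\t198.51.100.7\t192.0.2.10\t\t\t\t302\t\thttp://203.0.113.9/index.php?page=3917265084\thttp://ads.example.net/ad.js
30\t192.0.2.10\t203.0.113.9\tGET\t203.0.113.9\t/index.php?page=3917265084\t\t\t\t
33\t203.0.113.9\t192.0.2.10\t\t\t\t200\ttext/html\t\thttp://203.0.113.9/index.php?page=3917265084
41\t192.0.2.10\t203.0.113.9\tGET\t203.0.113.9\t/content/app.jar\t\t\t\t
44\t203.0.113.9\t192.0.2.10\t\t\t\t200\tapplication/java-archive\t\thttp://203.0.113.9/content/app.jar
52\t192.0.2.10\t203.0.113.9\tGET\t203.0.113.9\t/w.php?f=1a2b3c&e=2\t\t\t\t
55\t203.0.113.9\t192.0.2.10\t\t\t\t200\tapplication/x-msdownload\t\thttp://203.0.113.9/w.php?f=1a2b3c&e=2
"""

LANDING_RE = re.compile(r"[?&]page=\d{6,}")   # ?page=<random numbers>
DROPPER_RE = re.compile(r"\.php\?f=")          # w.php?f=<random>
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream"}
JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}


def parse_records(text):
    """Turn tshark -T fields output into Record tuples, padding short lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))
        records.append(Record(*cols[:len(FIELDS)]))
    return records


def triage(records):
    """Return (frame number, reason) for every record matching a delivery-chain rule."""
    findings = []
    for r in records:
        url = r.uri or r.for_uri          # responses carry the URL they answer
        path = urlsplit(url).path.lower()
        ctype = r.ctype.lower()
        if r.code == "302" and r.location:
            findings.append((int(r.frame), "302 redirect to " + r.location))
        if LANDING_RE.search(url):
            findings.append((int(r.frame), "landing-page style URL " + url))
        if path.endswith(".jar") or ctype in JAVA_TYPES:
            findings.append((int(r.frame), "Java archive " + url))
        if ctype in EXEC_TYPES or DROPPER_RE.search(url):
            findings.append((int(r.frame), "executable download " + url))
    return findings


def flagged_frames(findings):
    """Sorted, de-duplicated frame numbers to jump to in the Wireshark packet list."""
    return sorted({frame for frame, _ in findings})


if __name__ == "__main__":
    for frame, reason in triage(parse_records(SAMPLE)):
        print(f"frame {frame:>4}: {reason}")
```

The frame numbers it returns can be pasted into the Wireshark Go to Packet dialog, or used as a display filter such as frame.number == 52, to inspect each step of the chain in context.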

You can right-click on it and select Follow TCP Stream to see the request and the response exactly as they were exchanged on the wire.

You will notice that the response body is gzip encoded, which is why the HTML source is unreadable in the stream view. To view the source in plain text, export the object as an HTML page and then open it. To do this, go to File | Export | Objects | HTTP (File | Export Objects | HTTP in newer Wireshark versions).

This will open the dialog box that contains the complete list of different HTTP objects present in the packet streams.

Now you can select the HTML page and click on Save As to export it to your disk. The web page can then be opened in any text or HTML editor to view its source. Taking a closer look at the Export dialog box, you will notice that an application/x-msdownload object (a Windows executable) was also downloaded, from a URL with the pattern w.php?f=<random>. This may well be the executable that infected the user's system. You can select the object and export it in the same way, or export every object at once by clicking on Save All. Handle an exported executable with care: save it under a non-executable extension and never run or open it on the analysis machine.
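Export Objects hides a few steps that matter when you have to do the same job by hand, for example from a carved stream or from tshark's follow output: the response must be reassembled, any chunked transfer-encoding removed, and the Content-Encoding undone before the HTML (or the executable) is the object that was actually delivered. The following is an added example, not code from the book or from Wireshark; the response it parses is constructed inline and stands in for the gzip-encoded page discussed above, and the resulting hash is what you would search for on a malware analysis service before deciding whether to upload the file.

```python
"""Rebuild an HTTP object from a raw response, as Wireshark's Export Objects does.

Added example (not from the book). Follow TCP Stream shows the bytes on the
wire, so a gzip-compressed body looks like noise there; Export Objects
reassembles the response, strips chunked transfer-encoding and undoes the
Content-Encoding before saving. This does the same in plain Python and hashes
the result so it can be looked up on VirusTotal without uploading it.
"""
import gzip
import hashlib
import zlib


def dechunk(data: bytes) -> bytes:
    """Remove HTTP/1.1 chunked transfer-encoding (RFC 7230, section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        # chunk-size is hexadecimal; anything after ';' is a chunk extension we ignore
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            break  # last-chunk; optional trailers follow and are not part of the body
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def decode_body(body: bytes, encoding: str) -> bytes:
    """Undo Content-Encoding. 'deflate' is sent both zlib-wrapped and raw in the wild."""
    encoding = encoding.lower()
    if encoding in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate stream
    return body  # identity, or an encoding we do not handle: keep the bytes as-is


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, header dict, decoded body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not found")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    body = decode_body(body, headers.get("content-encoding", "identity"))
    return status, headers, body


def sha256_hex(data: bytes) -> str:
    """Hash to search a malware analysis service by, instead of uploading the sample."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample (assumed data, not the capture from the book): a chunked,
# gzip-compressed HTML page carrying a blob of digits and a decoder script.
SAMPLE_HTML = (b"<html><body><div id=\"d\">3141592653589793238462643383279</div>"
               b"<script>/* decoder for the blob above */</script></body></html>")


def build_sample_response() -> bytes:
    gz = gzip.compress(SAMPLE_HTML, mtime=0)
    half = len(gz) // 2  # split into two chunks so the dechunker loop is exercised
    chunks = b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (half, gz[:half], len(gz) - half, gz[half:])
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + chunks)


if __name__ == "__main__":
    status, headers, html = parse_response(build_sample_response())
    print(status, headers["content-type"], len(html), "bytes")
    print("sha256", sha256_hex(html))
    print(html.decode())
```

The same routine applied to the application/x-msdownload response yields the dropped executable; hash it and look the hash up first, because uploading a file to a public scanner shares it with every participating vendor, which may not be acceptable in a sensitive investigation. Wireshark itself will also show decompressed bodies in the packet details when the HTTP protocol preference "Uncompress entity bodies" is enabled.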

Coming back to our mysterious HTML page: once it has been exported, open it in any text editor to view its original source. You will notice long runs of seemingly random digits and letters. Scrolling down to the bottom of the page will show some obfuscated JavaScript that serves as the decoding routine for those long random strings. A quick web search for some of the lines of that JavaScript reveals that they are part of the well known Blackhole exploit kit.

Blackhole is a web-based exploit kit that compromises a visitor's system by exploiting vulnerabilities in the browser and its plugins, typically Java, Adobe Reader (PDF), and ActiveX controls; it fingerprints the visitor's browser and plugin versions to choose an exploit. Once the system has been exploited, the kit downloads and runs malware on it. If you remember, the application/x-msdownload file that we exported can be exactly such a payload, dropped after the user's browser was exploited by the kit. To analyze the sample quickly, look up its hash on a malware analysis service such as virustotal.com, upload the file if the hash is unknown there, or scan it with an effective antivirus product. Bear in mind that uploading a sample shares it with every participating vendor, which may not be appropriate in a sensitive investigation.

Uploading the file to virustotal.com shows that 33 out of 43 antivirus products detect it as malicious.

Taken together, this confirms that the user's system was exploited by the Blackhole exploit kit, which dropped a piece of malware that caused the strange behavior on the machine.

This was a short demonstration of how Wireshark can be used in network forensics to identify malicious activity on the network. The complexity of the analysis varies with the situation, but the underlying principle remains the same.

In the last section of this book we will look at some additional information that can help you carry your Wireshark study forward.