A Network Forensic Analysis Framework Professor Patrick McDaniel - - PowerPoint PPT Presentation



SLIDE 1

A Network Forensic Analysis Framework

Professor Patrick McDaniel, Daniel Krych, Fall 2015

SLIDE 2

About

  • An extensible network forensic analysis framework.
  • Enables rapid development of plugins to support the dissection of network packet captures.
  • Key features:
    • Robust stream reassembly
    • IPv4 and IPv6 support
    • Custom output handlers
    • Chainable decoders
  • Billy Glodek

SLIDE 4

Installation (Ubuntu)

> sudo apt-get install git
> git clone https://github.com/USArmyResearchLab/Dshell.git
> sudo apt-get install python-crypto python-dpkt python-ipy python-pypcap python-pip
> sudo pip install pygeoip

Download GeoLite Country, GeoLite Country IPv6, GeoLite ASN, GeoLite ASN IPv6 from http://dev.maxmind.com/geoip/legacy/geolite/

> gunzip *

Move the MaxMind .dat files to ~/Dshell/share/GeoIP/

> cd ~/Dshell
> make
> ./dshell

If you get a Dshell> prompt, you're good to go!

SLIDE 5

Malware Traffic Analysis

  • http://www.malware-traffic-analysis.net/

> wget http://www.malware-traffic-analysis.net/2014/11/16/2014-11-16-traffic-analysis-exercise.pcap

SLIDE 6

General Usage

  • To run a decoder

> decode -d <decoder> *.pcap

  • To list all decoders

> decode -l

  • To get help

> decode -h

  • To learn more about a specific decoder

> decode -d <decoder>

SLIDE 7

> decode -l

SLIDE 8

Example Uses - followstream

  • Generates color-coded Screen/HTML output similar to Wireshark Follow Stream.
  • Default filter: tcp

> decode -d followstream 2014-11-16-traffic-analysis-exercise.pcap


SLIDE 10

Example Uses - web

  • Tracks server responses
  • Default filter: tcp and (port 80 or port 8080 or port 8000)

> decode -d web 2014-11-16-traffic-analysis-exercise.pcap


SLIDE 12

Example Uses - DNS

  • Extracts and summarizes DNS queries/responses (defaults: A, AAAA, CNAME, PTR records)
  • Default filter: (udp and port 53)

> decode -d dns 2014-11-16-traffic-analysis-exercise.pcap


SLIDE 14

Example Uses - DHCP

  • Extracts client information from DHCP messages
  • Default filter: (udp and port 67)

> decode -d dhcp 2014-11-16-traffic-analysis-exercise.pcap


SLIDE 16

So, how does it work?

SLIDE 17

dpkt

  • An Ethernet packet decoding module
  • Python library - Dug Song & Jon Oberheide
  • Leveraged by Dshell
  • https://github.com/kbandla/dpkt
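
As an added illustration of the layer-by-layer dissection dpkt performs for Dshell (this is example code written for these notes, not dpkt or Dshell source), the block below walks a constructed Ethernet/IPv4/UDP frame down to the DNS question and reports the same fields the dns decoder summarizes (A, AAAA, CNAME, PTR). It uses only the Python standard library; the frame bytes, MAC/IP addresses and transaction id are constructed sample values, and only IPv4 is handled here (Dshell itself also supports IPv6). The name decoder follows RFC 1035 compression pointers and refuses pointer loops, which is the failure mode a naive parser hits first on hostile input.

```python
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
# Record types the dns decoder reports by default (slide 12).
DNS_TYPES = {1: "A", 28: "AAAA", 5: "CNAME", 12: "PTR"}


def build_sample_frame():
    """Constructed Ethernet/IPv4/UDP frame carrying a DNS A query for example.com."""
    qname = b"".join(bytes([len(label)]) + label
                     for label in b"example.com".split(b".")) + b"\x00"
    # DNS header: id, flags (RD set), qdcount=1, an/ns/ar=0, then one question.
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns      # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0xabcd, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton("8.8.8.8"))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth + ip + udp


def parse_dns_name(data, offset, depth=0):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears at the original position)."""
    if depth > 5:
        raise ValueError("DNS compression pointer loop")
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            pointer = ((length & 0x3F) << 8) | data[offset]
            offset += 1
            suffix, _ = parse_dns_name(data, pointer, depth + 1)
            labels.append(suffix)
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def dissect_frame(frame):
    """Return a summary dict for an Ethernet/IPv4/UDP/DNS frame, or None if it is not one."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None                                     # not IPv4 (IPv6, ARP, ...)
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP:
        return None
    udp = ip[(ver_ihl & 0x0F) * 4:total_len]            # honour IHL: options may be present
    if len(udp) < 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if 53 not in (sport, dport):                        # same filter as the dns decoder
        return None
    payload = udp[8:ulen]
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_dns_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, DNS_TYPES.get(qtype, str(qtype))))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl, "txid": txid,
        "is_response": bool(flags & 0x8000),
        "questions": questions,
    }


if __name__ == "__main__":
    print(dissect_frame(build_sample_frame()))
```

Each layer is checked before the next is trusted (EtherType, IP version, IHL, protocol, UDP length), which is exactly the chain of decisions a Dshell decoder delegates to dpkt and the framework's filter.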

SLIDE 18

Dshell Types


SLIDE 20

Dshell Classes

~/Dshell/lib/dshell.py


SLIDE 31

User-Agent

Author: Eric Kilmer


SLIDE 33

Useful tools

  • Python libraries:
    • util.hexPlusAscii
      • Function to print hex and ASCII side-by-side
    • binascii.hexlify / binascii.unhexlify
  • tcpdump
  • Wireshark
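
An added example of the hex/ASCII side-by-side dump that util.hexPlusAscii gives you inside a decoder (this is a standalone function written for these notes, not Dshell's util module): an offset column, the bytes in hex, and the printable characters with everything else shown as a dot, so a reassembled payload can be eyeballed for protocol structure. The input bytes are constructed.

```python
import string

# Bytes rendered as themselves in the ASCII column; control characters become dots.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def hex_plus_ascii(data, width=16):
    """Return a hex dump of data with the ASCII rendering alongside, `width` bytes per line."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join("%02x" % b for b in chunk)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        # Pad the hex column so the ASCII column lines up on a short final line.
        lines.append("%08x  %-*s  %s" % (offset, width * 3 - 1, hex_part, ascii_part))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the start of an HTTP request line plus two non-printable bytes.
    print(hex_plus_ascii(b"GET / HTTP/1.1\r\n\x00\xff"))
```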

SLIDE 34

Additional Notes

  • Decoders can be chainable
    • See the country decoder for an example
  • Read the protocol's RFCs
  • Make your code more pythonic
    • Raymond Hettinger's Tips and Tricks: https://gist.github.com/JeffPaine/6213790
    • YouTube videos of Raymond's talks: https://www.youtube.com/watch?v=wf-BqAjZb8M and https://www.youtube.com/watch?v=OSGv2VnC0go
    • PEP 8 Style Guide for Python Code: https://www.python.org/dev/peps/pep-0008/

SLIDE 35

Our Contributions

  • Dan - DHCP, NBNS, Bitcoin
  • Eric - User-Agent, Flash-Detect, teredo
  • Mark - WebColors, ether
  • Nate - accept-filter, asn-filter, flow-range, uaabf, entropy

SLIDE 36

Assignment

  • Repeat the process in these slides using the DNS, Followstream, and Web decoders for Dshell on 3 different pcaps (malware-traffic-analysis.net)
    • What information can you discover using these decoders?
  • Write a new decoder that parses out the 'Referer' field from an HTTP header (the header name is spelled 'Referer' on the wire). HINT: This will be similar to the 'User-Agent' decoder discussed earlier.
    • What will this provide us with? What else could we add to the decoder to make it more useful as an analysis tool?
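
For the decoder assignment, an added example of the header parsing such a decoder needs (example code written for these notes, not the User-Agent decoder shown in the slides and not a Dshell decoder file): it splits a reassembled client-to-server stream into pipelined HTTP requests, reads header names case-insensitively, honours Content-Length so the next request starts at the right byte, and emits one record per request that carries a Referer header. The sample stream, addresses and ports are constructed; the code assumes Dshell's TCP reassembly hands the decoder the client-to-server bytes and the connection 4-tuple, and wiring these functions into a Dshell decoder class is the part left to the reader.

```python
import re

# Request line per RFC 7230: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

# Constructed client-to-server stream: three pipelined requests on one connection.
# The second carries a body and no Referer; the third spells the header in lower case.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Referer: http://example.com/landing\r\n"
    b"\r\n"
    b"POST /api HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=1&b"
    b"GET /next HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"referer: http://www.example.com/index.html\r\n"
    b"\r\n"
)


def parse_http_requests(stream):
    """Split a reassembled client-to-server stream into HTTP requests.
    Each request is a dict with method, uri, version, headers (lower-cased names) and body."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break                                   # head not complete: truncated capture
        lines = stream[pos:end].split(b"\r\n")
        match = REQUEST_LINE.match(lines[0])
        if not match:
            break                                   # not HTTP at this offset: stop, don't guess
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep:                                 # skip malformed lines without a colon
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        clen = headers.get("content-length", "0")
        body_len = int(clen) if clen.isdigit() else 0
        body_start = end + 4
        requests.append({
            "method": match.group(1).decode("ascii"),
            "uri": match.group(2).decode("latin-1"),
            "version": match.group(3).decode("ascii"),
            "headers": headers,
            "body": stream[body_start:body_start + body_len],
        })
        pos = body_start + body_len                 # next request begins after the body
    return requests


def referer_records(stream, conn):
    """Build one output record per request that carries a Referer header.
    conn is the (client_ip, client_port, server_ip, server_port) tuple of the connection."""
    client_ip, client_port, server_ip, server_port = conn
    records = []
    for req in parse_http_requests(stream):
        referer = req["headers"].get("referer")
        if referer is None:
            continue                                # unlike User-Agent, Referer is often absent
        records.append({
            "client": "%s:%d" % (client_ip, client_port),
            "server": "%s:%d" % (server_ip, server_port),
            "host": req["headers"].get("host", ""),
            "uri": req["uri"],
            "referer": referer,
            "user_agent": req["headers"].get("user-agent", ""),
        })
    return records


if __name__ == "__main__":
    # Constructed connection tuple using documentation address ranges.
    for rec in referer_records(SAMPLE_STREAM, ("10.0.0.5", 49152, "203.0.113.10", 80)):
        print(rec)
```

Pairing the Referer with the Host and request URI in each record is what makes the output useful for analysis: it reconstructs the page-to-page chain a client followed, and a record whose Referer names a site the capture never shows a request to is the kind of inconsistency worth a second look.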