WDavid404 / Note_tryhackme


Wireshark #7

Open WDavid404 opened 8 months ago

WDavid404 commented 8 months ago

Basic filter:

and - operator: and / &&
or - operator: or / ||
equals - operator: eq / ==
not equal - operator: ne / !=
greater than - operator: gt / >
less than - operator: lt / <

Example:

WDavid404 commented 8 months ago

ARP Traffic Overview

The Opcode is short for operation code and will tell you whether it is an ARP Request or Reply.

ARP Request Packets: The second outlined detail is where the packet is targeted, which in this case is a broadcast request to all.

ARP Reply Packets: Looking at the above packet details, we can see from the Opcode that it is an ARP Reply packet. We can also get other useful information, like the MAC and IP address that were sent along with the reply; since this is a reply packet, we know that this was the information sent along with the message.

WDavid404 commented 8 months ago

ICMP Traffic Overview

A type that equals 8 means it is a request packet; if it is equal to 0, it is a reply packet. When these codes are altered or do not seem correct, that is typically a sign of suspicious activity.

ICMP request: We can also look at the data string, which will typically just be a random data string.

ICMP Reply: Below you can see that the reply packet is very similar to the request packet. One of the main differences that distinguishes a reply packet is the code; in this case you can see it is 0, confirming that it is a reply packet.
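
As an added example (not part of the original notes or the TryHackMe room): a small Python dissector that pulls out the fields the ARP and ICMP sections above point at, the opcode and addresses from a raw ARP frame and the type/code from an ICMP echo header, and flags an echo packet whose code is not 0 as the kind of "altered" value worth a second look. The frames are constructed sample bytes that reuse the 192.168.100.6 / 192.168.100.128 pair from the notes; the MAC addresses are made up.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}
ICMP_ECHO_TYPES = {8: "echo request", 0: "echo reply"}


def parse_arp(frame: bytes) -> dict:
    """Dissect an Ethernet frame carrying ARP: opcode, broadcast flag, MACs and IPs."""
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "opcode": opcode,
        "kind": ARP_OPCODES.get(opcode, "unknown"),
        "broadcast": dst_mac == b"\xff" * 6,   # requests go to ff:ff:ff:ff:ff:ff
        "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
        "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa)),
    }


def parse_icmp_echo(icmp: bytes) -> dict:
    """Dissect an ICMP header (IP header already stripped); type 8 = request, 0 = reply."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    kind = ICMP_ECHO_TYPES.get(icmp_type, "other")
    # Echo request/reply always carry code 0; any other code is the sort of
    # "altered or not correct" value the notes treat as suspicious.
    return {"type": icmp_type, "code": code, "kind": kind, "id": ident, "seq": seq,
            "data": icmp[8:], "suspicious": kind != "other" and code != 0}


# Constructed sample packets (not from the original capture); checksum fields are
# left as 0 and are not validated here.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "000c29aabbcc" "0806"      # broadcast dst, src MAC, EtherType ARP
    "0001" "0800" "06" "04" "0001"            # Ethernet/IPv4, hlen 6, plen 4, opcode 1
    "000c29aabbcc" "c0a86480"                 # sender 00:0c:29:aa:bb:cc, 192.168.100.128
    "000000000000" "c0a86406")                # target MAC unknown, 192.168.100.6
ARP_REPLY = bytes.fromhex(
    "000c29aabbcc" "0050561122ff" "0806"      # unicast back to the requester
    "0001" "0800" "06" "04" "0002"            # opcode 2 = reply
    "0050561122ff" "c0a86406"                 # the DC answers with its own MAC
    "000c29aabbcc" "c0a86480")
ECHO_DATA = b"abcdefghijklmnop"               # the "random data string" payload
ICMP_REQUEST = bytes.fromhex("08 00 0000 1234 0001") + ECHO_DATA
ICMP_REPLY = bytes.fromhex("00 00 0000 1234 0001") + ECHO_DATA
ICMP_ODD = bytes.fromhex("08 05 0000 1234 0001") + ECHO_DATA   # echo request, code 5
```

Call `parse_arp(ARP_REQUEST)` or `parse_icmp_echo(ICMP_ODD)` to see the dissected fields; the same unpack formats apply to frames read out of a real capture once the IP header offset is accounted for.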

WDavid404 commented 8 months ago

DNS Traffic Overview

DNS Query:

DNS Response:

WDavid404 commented 8 months ago

HTTPS Traffic Overview

Below is a Client Hello packet showing the SSLv2 Record Layer, Handshake Type, and SSL Version.

Below is the Server Hello packet, sending similar information as the Client Hello packet; however, this time it includes session details and SSL certificate information.

Below is the Client Key Exchange packet; this part of the handshake will determine the public key to use to encrypt further messages between the Client and Server.

In the next packet, the server will confirm the public key and create the secure tunnel; all traffic after this point will be encrypted based on the agreed-upon specifications listed above.

WDavid404 commented 8 months ago

Analyzing Exploit PCAPs

The PCAP file contains a Windows Domain Controller with a private IP of 192.168.100.6 and an attacker with the private IP of 192.168.100.128.

Identifying the Attacker

Immediately upon opening the PCAP file, we see some things that may be out of the ordinary. First, we see some normal traffic from OpenVPN, ARP, etc. We then start to identify what would be known as unknown protocols, in this case DCERPC and EPM.

Looking at the packets, we see that 192.168.100.128 is sending all of the requests. We can set a filter for the src of the IP that we believe to be suspicious.

Looking further at the PCAP, we can see SMB2/3 traffic and DRSUAPI traffic; again, with prior knowledge of the attack, we know that it uses secretsdump to dump hashes. Secretsdump abuses SMB2/3 and DRSUAPI to do this, so we can assume that this traffic is secretsdump.

Each exploit and attack will come with its unique artifacts; in this case, it is clear what happened and the order of events that occurred. Once we have identified the attacker, we would need to move on to other steps to identify and isolate, as well as report the incident, if we were on a Threat Hunting or DFIR team.