SlideShare a Scribd company logo

27.2.10 lab extract an executable from a pcap

Freddy Buenaño
Freddy Buenaño

REDES

Engineering
1 of 6
Download to read offline
© 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 6 www.netacad.com LABORATORIO Nombre: Rafael Buenaño Semestre: 9no B Lab - Extract an Executable from a PCAP Objectives Part 1: Analyze Pre-Captured Logs and Traffic Captures Part 2: Extract Downloaded Files from PCAP Background / Scenario Looking at logs is very important, but it is also important to understand how network transactions happen at the packet level. In this lab, you will analyze the traffic in a previously captured pcap file and extract an executable from the file. Required Resources • CyberOps Workstation virtual machine Instructions Part 1: Analyze Pre-Captured Logs and Traffic Captures In Part 2, you will work with the nimda.download.pcap file. Captured in a previous lab, nimda.download.pcap contains the packets related to the download of the Nimda malware. Your version of the file, if you created it in the previous lab and did not reimport your CyberOps Workstation VM, is stored in the /home/analyst directory. However, a copy of that file is also stored in the CyberOps Workstation VM, under the /home/analyst/lab.support.files/pcaps directory so that you can complete this lab. For consistency of output, the lab will use the stored version in the pcaps directory. While tcpdump can be used to analyze captured files, Wireshark’s graphical interface makes the task much easier. It is also important to note that tcpdump and Wireshark share the same file format for packet captures; therefore, PCAP files created by one tool can be opened by the other. a. Change directory to the lab.support.files/pcaps folder, and get a listing of files using the ls –l command. [analyst@secOps ~]$ cd lab.support.files/pcaps [analyst@secOps pcaps]$ ls -l total 7460 -rw-r--r-- 1 analyst analyst 3510551 Aug 7 15:25 lab_prep.pcap -rw-r--r-- 1 analyst analyst 371462 Jun 22 10:47 nimda.download.pcap -rw-r--r-- 1 analyst analyst 3750153 May 25 11:10 wannacry_download_pcap.pcap [analyst@secOps pcaps]$ b. Issue the command below to open the nimda.download.pcap file in Wireshark. [analyst@secOps pcaps]$ wireshark nimda.download.pcap & c. The nimda.download.pcap file contains the packet capture related to the malware download performed in a previous lab. The pcap contains all the packets sent and received while tcpdump was running.
Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 6 www.netacad.com Select the fourth packet in the capture and expand the Hypertext Transfer Protocol to display as shown below. d. Packets one through three are the TCP handshake. The fourth packet shows the request for the malware file. Confirming what was already known, the request was done over HTTP, sent as a GET request. Step 2: a. Because HTTP runs over TCP, it is possible to use Wireshark’s Follow TCP Stream feature to rebuild the TCP transaction. Select the first TCP packet in the capture, a SYN packet. Right-click it and choose Follow > TCP Stream.
Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 6 www.netacad.com b. Wireshark displays another window containing the details for the entire selected TCP flow. Questions: What are all those symbols shown in the Follow TCP Stream window? Are they connection noise? Data? Explain. Los símbolos son el contenido real del archivo descargado. Debido a que es un archivo binario, Wireshark no sabe cómo representarlo. Los símbolos mostrados son la mejor suposición de Wireshark para dar sentido a los datos binarios mientras los decodifica como texto. There are a few readable words spread among the symbols. Why are they there? Esas son cadenas contenidas en el código ejecutable. Por lo general, estas palabras son parte de los mensajes que el programa proporciona al usuario mientras se ejecuta. Si bien es más un arte que una ciencia, un analista experto puede extraer información valiosa leyendo estos fragmentos. Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not the famous worm. For security reasons, this is another executable file that was renamed as W32.Nimda.Amm.exe. Using the word fragments displayed by Wireshark’s Follow TCP Stream window, can you tell what executable this really is?
Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 6 www.netacad.com Desplazarse hacia abajo en esa ventana revela que este es el archivo cmd.exe de Microsoft Windows c. Click Close in the Follow TCP Stream window to return to the Wireshark nimda.download.pcap file. Part 2: Extract Downloaded Files from PCAP Because capture files contain all packets related to traffic, a PCAP of a download can be used to retrieve a previously downloaded file. Follow the steps below to use Wireshark to retrieve the Nimda malware. a. In that fourth packet in the nimda.download.pcap file, notice that the HTTP GET request was generated from 209.165.200.235 to 209.165.202.133. The Info column also shows this is in fact the GET request for the file. b. With the GET request packet selected, navigate to File > Export Objects > HTTP, from Wireshark’s menu. c. Wireshark will display all HTTP objects present in the TCP flow that contains the GET request. In this case, only the W32.Nimda.Amm.exe file is present in the capture. It will take a few seconds before the file is displayed.
Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 6 www.netacad.com Question: Why is W32.Nimda.Amm.exe the only file in the capture? Porque la captura se inició justo antes de la descarga y se detuvo inmediatamente después. No se capturó ningún otro tráfico mientras la captura estaba activa. d. In the HTTP object list window, select the W32.Nimda.Amm.exe file and click Save As at the bottom of the screen. e. Click the left arrow until you see the Home button. Click Home and then click the analyst folder (not the analyst tab). Save the file there. f. Return to your terminal window and ensure the file was saved. Change directory to the /home/analyst folder and list the files in the folder using the ls -l command. [analyst@secOps pcaps]$ cd /home/analyst [analyst@secOps ~]$ ls –l total 364 drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop drwx------ 3 analyst analyst 4096 May 25 11:16 Downloads drwxr-xr-x 2 analyst analyst 4096 May 22 08:39 extra drwxr-xr-x 8 analyst analyst 4096 Jun 22 11:38 lab.support.files drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive -rw-r--r-- 1 analyst analyst 345088 Jun 22 15:12 W32.Nimda.Amm.exe [analyst@secOps ~]$ Question: Was the file saved? si g. The file command gives information on the file type. Use the file command to learn a little more about the malware, as show below: [analyst@secOps ~]$ file W32.Nimda.Amm.exe W32.Nimda.Amm.exe: PE32+ executable (console) x86-64, for MS Windows [analyst@secOps ~]$ As seen above, W32.Nimda.Amm.exe is indeed a Windows executable file. Question: In the malware analysis process, what would be a probable next step for a security analyst? El objetivo es identificar el tipo de malware y analizar su comportamiento. Por lo tanto, el archivo de malware debe trasladarse a un entorno controlado y ejecutarlo para observar su comportamiento. Los entornos de análisis de malware a menudo se basan en máquinas virtuales y están aislados para evitar daños en los sistemas que no son de prueba. Estos entornos suelen contener herramientas que facilitan el seguimiento de la ejecución de malware; el uso de recursos, las conexiones de red y los cambios en el sistema operativo son aspectos comunes monitoreados. También hay algunas herramientas de análisis de malware basadas en Internet. VirusTotal (virustotal.com) es un ejemplo. Los analistas cargan malware en VirusTotal, que a su vez, ejecuta el código malicioso. Después de la ejecución y una serie de otras comprobaciones, VirusTotal devuelve un informe al analista.
Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 6 www.netacad.com End of document

Recommended

Advanced computer network lab manual (practicals in Cisco Packet tracer)
Advanced computer network lab manual (practicals in Cisco Packet tracer)Advanced computer network lab manual (practicals in Cisco Packet tracer)
Advanced computer network lab manual (practicals in Cisco Packet tracer)VrundaBhavsar
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Aksum Institute of Technology(AIT, @Letsgo)
 
data as the new corporate resource
data as the new corporate resourcedata as the new corporate resource
data as the new corporate resourceFadhilah Mat Yamin
 
Higher studies after B.Tech in CSE
Higher studies after B.Tech in CSE Higher studies after B.Tech in CSE
Higher studies after B.Tech in CSE CheggIndia1
 
SDN-ppt-new
SDN-ppt-newSDN-ppt-new
SDN-ppt-newGifty Susan Mani
 
Network scanner
Network scannerNetwork scanner
Network scannerShrikrishna Parab
 
Network administration and Management
Network administration and ManagementNetwork administration and Management
Network administration and ManagementBry Cunal
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic PresentationMD. SHORIFUL ISLAM
 

Recommended

Advanced computer network lab manual (practicals in Cisco Packet tracer)
Advanced computer network lab manual (practicals in Cisco Packet tracer)Advanced computer network lab manual (practicals in Cisco Packet tracer)
Advanced computer network lab manual (practicals in Cisco Packet tracer)VrundaBhavsar
 
Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Ns lecture5: Introduction to Computer, Information, and Network Security.
Ns lecture5: Introduction to Computer, Information, and Network Security.Aksum Institute of Technology(AIT, @Letsgo)
 
data as the new corporate resource
data as the new corporate resourcedata as the new corporate resource
data as the new corporate resourceFadhilah Mat Yamin
 
Higher studies after B.Tech in CSE
Higher studies after B.Tech in CSE Higher studies after B.Tech in CSE
Higher studies after B.Tech in CSE CheggIndia1
 
SDN-ppt-new
SDN-ppt-newSDN-ppt-new
SDN-ppt-newGifty Susan Mani
 
Network scanner
Network scannerNetwork scanner
Network scannerShrikrishna Parab
 
Network administration and Management
Network administration and ManagementNetwork administration and Management
Network administration and ManagementBry Cunal
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic PresentationMD. SHORIFUL ISLAM
 
Chapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and NetworksChapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and NetworksShafaan Khaliq Bhatti
 
Curso: Redes y comunicaciones I: Sílabo
Curso: Redes y comunicaciones I: SílaboCurso: Redes y comunicaciones I: Sílabo
Curso: Redes y comunicaciones I: SílaboJack Daniel Cáceres Meza
 
Training report on web developing
Training report on web developingTraining report on web developing
Training report on web developingJawhar Ali
 
Osi layers
Osi layersOsi layers
Osi layersRiadh Briki
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
Network Management System and Protocol
Network Management System and Protocol Network Management System and Protocol
Network Management System and Protocol Hamdamboy (함담보이)
 
TCP/IP Network ppt
TCP/IP Network pptTCP/IP Network ppt
TCP/IP Network pptextraganesh
 
ROUTER PPT
ROUTER PPTROUTER PPT
ROUTER PPTJw Media
 
Reference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPReference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPMukesh Chinta
 
OSI MODEL - A PROJECT
OSI MODEL - A PROJECTOSI MODEL - A PROJECT
OSI MODEL - A PROJECTAbhi shreshtha
 
Network management ppt
Network management pptNetwork management ppt
Network management pptDheerajPachauri
 
NETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptxNETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptxamanueltafese2
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
SNMP
SNMPSNMP
SNMPOECLIB Odisha Electronics Control Library
 
Tcp IP Model
Tcp IP ModelTcp IP Model
Tcp IP ModelAnkur Kumar
 
IP addressing and Subnetting PPT
IP addressing and Subnetting PPTIP addressing and Subnetting PPT
IP addressing and Subnetting PPTPijush Kanti Das
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentationKateryna Haskova
 
DNS server config on cisco packet tracer
DNS server config on cisco packet tracerDNS server config on cisco packet tracer
DNS server config on cisco packet tracerArjun Das
 
introduction about TCP/IP
introduction about TCP/IPintroduction about TCP/IP
introduction about TCP/IPSmt. Indira Gandhi College of Engineering, Navi Mumbai, Mumbai
 
Trabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y javaTrabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y javaJulio César Rojas Maza
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 

More Related Content

What's hot

Chapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and NetworksChapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and NetworksShafaan Khaliq Bhatti
 
Training report on web developing
Training report on web developingTraining report on web developing
Training report on web developingJawhar Ali
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
TCP/IP Network ppt
TCP/IP Network pptTCP/IP Network ppt
TCP/IP Network pptextraganesh
 
ROUTER PPT
ROUTER PPTROUTER PPT
ROUTER PPTJw Media
 
Reference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPReference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPMukesh Chinta
 
NETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptxNETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptxamanueltafese2
 
IP addressing and Subnetting PPT
IP addressing and Subnetting PPTIP addressing and Subnetting PPT
IP addressing and Subnetting PPTPijush Kanti Das
 
DNS server config on cisco packet tracer
DNS server config on cisco packet tracerDNS server config on cisco packet tracer
DNS server config on cisco packet tracerArjun Das
 
Trabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y javaTrabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y javaJulio César Rojas Maza
 

What's hot (20)

Chapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and NetworksChapter 1: Introduction to Data Communication and Networks
Chapter 1: Introduction to Data Communication and Networks
 
Curso: Redes y comunicaciones I: Sílabo
Curso: Redes y comunicaciones I: SílaboCurso: Redes y comunicaciones I: Sílabo
Curso: Redes y comunicaciones I: Sílabo
 
Training report on web developing
Training report on web developingTraining report on web developing
Training report on web developing
 
Osi layers
Osi layersOsi layers
Osi layers
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
 
Network Management System and Protocol
Network Management System and Protocol Network Management System and Protocol
Network Management System and Protocol
 
TCP/IP Network ppt
TCP/IP Network pptTCP/IP Network ppt
TCP/IP Network ppt
 
ROUTER PPT
ROUTER PPTROUTER PPT
ROUTER PPT
 
Reference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IPReference models in Networks: OSI & TCP/IP
Reference models in Networks: OSI & TCP/IP
 
OSI MODEL - A PROJECT
OSI MODEL - A PROJECTOSI MODEL - A PROJECT
OSI MODEL - A PROJECT
 
Network management ppt
Network management pptNetwork management ppt
Network management ppt
 
NETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptxNETWORK DESIGN CHAPTER 1(1).pptx
NETWORK DESIGN CHAPTER 1(1).pptx
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
SNMP
SNMPSNMP
SNMP
 
Tcp IP Model
Tcp IP ModelTcp IP Model
Tcp IP Model
 
IP addressing and Subnetting PPT
IP addressing and Subnetting PPTIP addressing and Subnetting PPT
IP addressing and Subnetting PPT
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentation
 
DNS server config on cisco packet tracer
DNS server config on cisco packet tracerDNS server config on cisco packet tracer
DNS server config on cisco packet tracer
 
introduction about TCP/IP
introduction about TCP/IPintroduction about TCP/IP
introduction about TCP/IP
 
Trabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y javaTrabajo investigativo sobre la programación orientada a objetos y java
Trabajo investigativo sobre la programación orientada a objetos y java
 

Similar to 27.2.10 lab extract an executable from a pcap

26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
Lab3Lab3steps.docxScenario    The university has caught a .docx
Lab3Lab3steps.docxScenario    The university has caught a .docxLab3Lab3steps.docxScenario    The university has caught a .docx
Lab3Lab3steps.docxScenario    The university has caught a .docxsmile790243
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamStewart Needham
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat KorchaginNETWAYS
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Florin D. Tanasache
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package managerTimur Safin
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfIGedeArieYogantaraSu
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87Max Kleiner
 

Similar to 27.2.10 lab extract an executable from a pcap (20)

26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Lab3Lab3steps.docxScenario    The university has caught a .docx
Lab3Lab3steps.docxScenario    The university has caught a .docxLab3Lab3steps.docxScenario    The university has caught a .docx
Lab3Lab3steps.docxScenario    The university has caught a .docx
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
 
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchaginstackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in Production
 
Kali kinux1
Kali kinux1Kali kinux1
Kali kinux1
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
Approaching package manager
Approaching package managerApproaching package manager
Approaching package manager
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdfLaporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
Laporan Praktikum Keamanan Siber - Tugas 7 -Kelas C - Kelompok 3.pdf
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87
 
AWS Pentest.pdf
AWS Pentest.pdfAWS Pentest.pdf
AWS Pentest.pdf
 

More from Freddy Buenaño

27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tupleFreddy Buenaño
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actorFreddy Buenaño
 
27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorialFreddy Buenaño
 
27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal formatFreddy Buenaño
 
25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sourcesFreddy Buenaño
 
25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementationFreddy Buenaño
 

More from Freddy Buenaño (7)

27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple
 
27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor27.2.12 lab interpret http and dns data to isolate threat actor
27.2.12 lab interpret http and dns data to isolate threat actor
 
27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial27.2.9 lab regular expression tutorial
27.2.9 lab regular expression tutorial
 
27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format27.1.5 lab convert data into a universal format
27.1.5 lab convert data into a universal format
 
25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources25.3.11 packet tracer logging from multiple sources
25.3.11 packet tracer logging from multiple sources
 
25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation25.3.10 packet tracer explore a net flow implementation
25.3.10 packet tracer explore a net flow implementation
 

Recently uploaded

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 

Recently uploaded (20)

Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 

27.2.10 lab extract an executable from a pcap

  • 1. © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 6 www.netacad.com LABORATORIO Nombre: Rafael Buenaño Semestre: 9no B Lab - Extract an Executable from a PCAP Objectives Part 1: Analyze Pre-Captured Logs and Traffic Captures Part 2: Extract Downloaded Files from PCAP Background / Scenario Looking at logs is very important, but it is also important to understand how network transactions happen at the packet level. In this lab, you will analyze the traffic in a previously captured pcap file and extract an executable from the file. Required Resources • CyberOps Workstation virtual machine Instructions Part 1: Analyze Pre-Captured Logs and Traffic Captures In Part 2, you will work with the nimda.download.pcap file. Captured in a previous lab, nimda.download.pcap contains the packets related to the download of the Nimda malware. Your version of the file, if you created it in the previous lab and did not reimport your CyberOps Workstation VM, is stored in the /home/analyst directory. However, a copy of that file is also stored in the CyberOps Workstation VM, under the /home/analyst/lab.support.files/pcaps directory so that you can complete this lab. For consistency of output, the lab will use the stored version in the pcaps directory. While tcpdump can be used to analyze captured files, Wireshark’s graphical interface makes the task much easier. It is also important to note that tcpdump and Wireshark share the same file format for packet captures; therefore, PCAP files created by one tool can be opened by the other. a. Change directory to the lab.support.files/pcaps folder, and get a listing of files using the ls –l command. [analyst@secOps ~]$ cd lab.support.files/pcaps [analyst@secOps pcaps]$ ls -l total 7460 -rw-r--r-- 1 analyst analyst 3510551 Aug 7 15:25 lab_prep.pcap -rw-r--r-- 1 analyst analyst 371462 Jun 22 10:47 nimda.download.pcap -rw-r--r-- 1 analyst analyst 3750153 May 25 11:10 wannacry_download_pcap.pcap [analyst@secOps pcaps]$ b. Issue the command below to open the nimda.download.pcap file in Wireshark. [analyst@secOps pcaps]$ wireshark nimda.download.pcap & c. The nimda.download.pcap file contains the packet capture related to the malware download performed in a previous lab. The pcap contains all the packets sent and received while tcpdump was running.
  • 2. Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 6 www.netacad.com Select the fourth packet in the capture and expand the Hypertext Transfer Protocol to display as shown below. d. Packets one through three are the TCP handshake. The fourth packet shows the request for the malware file. Confirming what was already known, the request was done over HTTP, sent as a GET request. Step 2: a. Because HTTP runs over TCP, it is possible to use Wireshark’s Follow TCP Stream feature to rebuild the TCP transaction. Select the first TCP packet in the capture, a SYN packet. Right-click it and choose Follow > TCP Stream.
  • 3. Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 6 www.netacad.com b. Wireshark displays another window containing the details for the entire selected TCP flow. Questions: What are all those symbols shown in the Follow TCP Stream window? Are they connection noise? Data? Explain. Los símbolos son el contenido real del archivo descargado. Debido a que es un archivo binario, Wireshark no sabe cómo representarlo. Los símbolos mostrados son la mejor suposición de Wireshark para dar sentido a los datos binarios mientras los decodifica como texto. There are a few readable words spread among the symbols. Why are they there? Esas son cadenas contenidas en el código ejecutable. Por lo general, estas palabras son parte de los mensajes que el programa proporciona al usuario mientras se ejecuta. Si bien es más un arte que una ciencia, un analista experto puede extraer información valiosa leyendo estos fragmentos. Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not the famous worm. For security reasons, this is another executable file that was renamed as W32.Nimda.Amm.exe. Using the word fragments displayed by Wireshark’s Follow TCP Stream window, can you tell what executable this really is?
  • 4. Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 6 www.netacad.com Desplazarse hacia abajo en esa ventana revela que este es el archivo cmd.exe de Microsoft Windows c. Click Close in the Follow TCP Stream window to return to the Wireshark nimda.download.pcap file. Part 2: Extract Downloaded Files from PCAP Because capture files contain all packets related to traffic, a PCAP of a download can be used to retrieve a previously downloaded file. Follow the steps below to use Wireshark to retrieve the Nimda malware. a. In that fourth packet in the nimda.download.pcap file, notice that the HTTP GET request was generated from 209.165.200.235 to 209.165.202.133. The Info column also shows this is in fact the GET request for the file. b. With the GET request packet selected, navigate to File > Export Objects > HTTP, from Wireshark’s menu. c. Wireshark will display all HTTP objects present in the TCP flow that contains the GET request. In this case, only the W32.Nimda.Amm.exe file is present in the capture. It will take a few seconds before the file is displayed.
  • 5. Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 6 www.netacad.com Question: Why is W32.Nimda.Amm.exe the only file in the capture? Porque la captura se inició justo antes de la descarga y se detuvo inmediatamente después. No se capturó ningún otro tráfico mientras la captura estaba activa. d. In the HTTP object list window, select the W32.Nimda.Amm.exe file and click Save As at the bottom of the screen. e. Click the left arrow until you see the Home button. Click Home and then click the analyst folder (not the analyst tab). Save the file there. f. Return to your terminal window and ensure the file was saved. Change directory to the /home/analyst folder and list the files in the folder using the ls -l command. [analyst@secOps pcaps]$ cd /home/analyst [analyst@secOps ~]$ ls –l total 364 drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop drwx------ 3 analyst analyst 4096 May 25 11:16 Downloads drwxr-xr-x 2 analyst analyst 4096 May 22 08:39 extra drwxr-xr-x 8 analyst analyst 4096 Jun 22 11:38 lab.support.files drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive -rw-r--r-- 1 analyst analyst 345088 Jun 22 15:12 W32.Nimda.Amm.exe [analyst@secOps ~]$ Question: Was the file saved? si g. The file command gives information on the file type. Use the file command to learn a little more about the malware, as show below: [analyst@secOps ~]$ file W32.Nimda.Amm.exe W32.Nimda.Amm.exe: PE32+ executable (console) x86-64, for MS Windows [analyst@secOps ~]$ As seen above, W32.Nimda.Amm.exe is indeed a Windows executable file. Question: In the malware analysis process, what would be a probable next step for a security analyst? El objetivo es identificar el tipo de malware y analizar su comportamiento. Por lo tanto, el archivo de malware debe trasladarse a un entorno controlado y ejecutarlo para observar su comportamiento. Los entornos de análisis de malware a menudo se basan en máquinas virtuales y están aislados para evitar daños en los sistemas que no son de prueba. Estos entornos suelen contener herramientas que facilitan el seguimiento de la ejecución de malware; el uso de recursos, las conexiones de red y los cambios en el sistema operativo son aspectos comunes monitoreados. También hay algunas herramientas de análisis de malware basadas en Internet. VirusTotal (virustotal.com) es un ejemplo. Los analistas cargan malware en VirusTotal, que a su vez, ejecuta el código malicioso. Después de la ejecución y una serie de otras comprobaciones, VirusTotal devuelve un informe al analista.
  • 6. Lab - Extract an Executable from a PCAP © 2017 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 6 www.netacad.com End of document