Saturday, March 12, 2016

tshark - More than I ever wanted to know...

Recently I purchased the book "The Practice of Network Security Monitoring" by Richard Bejtlich.  In chapter 7 he describes the Digital Corpora project located at http://www.digitalcorpora.org and presents the "Nitroba University Harassment Scenario".  A pcap can be downloaded in which a teacher is being harassed by a student, and the object of the scenario is to identify who did it and with what evidence.  The scenario and the files you need are located at the following link.

In the book they are using the scenario to explain and teach about the tool called Xplico.  However, I am going to use the scenario to identify useful tshark commands that can be used in such an investigation.

The first lead in the investigation is that of an IP Address.  "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. "

IP Address: 140.247.62.34.  I am going to use tshark to isolate and save to another pcap all activity with the IP Address as the source or destination.

tshark -r nitroba.pcap -Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" -w 140_247_62_34.pcap

The above tshark command reads like this:
-r nitroba.pcap - Read the nitroba.pcap file
-Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" - Display filter that keeps only packets with this IP Address as either the source or the destination
-w 140_247_62_34.pcap - Write the packets that were found to the following file

From the packets that are extracted the IP Address 192.168.15.4 is observed.  This is a private, non-routable IP Address.  I wondered how many private non-routable IP Addresses there are in the packet capture:

tshark -r nitroba.pcap -T fields -e ip.src > ip-src.txt

The above tshark command reads like this:
-T fields - Sets the output to that of fields
-e ip.src - Defines which fields to output
> ip-src.txt - Redirects the output to a text file

$ cat ip-src.txt | sort | uniq -c | sort -n | grep -e " 172\." -e " 192\.168\." -e " 10\."
      2 192.168.15.2
      3 192.168.15.7
      6 192.168.15.8
      8 10.0.1.5
     14 192.168.15.5
     16 192.168.1.5
   1486 192.168.1.254
   2154 192.168.15.1
   6818 192.168.1.64
  34554 192.168.15.4

The above command takes the output of the source IP addresses, sorts them into a list, uses uniq to count the number of instances of each and place the count in front of the IP, sorts again by frequency of usage, and greps out the private IP Address ranges.

We can tell the busiest device is 192.168.15.4.  Let's look into the devices more and try and determine what they are.  I am going to use the MAC addresses of each device to try and identify the vendor that manufactured the device.

tshark -r nitroba.pcap -T fields -e ip.src -e eth.src > ip-src-and-mac-src.txt
cat ip-src-and-mac-src.txt | sort | uniq -c | sort -rn | grep -e " 172\." -e " 192\.168\." -e " 10\."

  Count  IP Address     MAC Address        Manufacturer
  34554  192.168.15.4   00:17:f2:e2:c0:ce  Apple
   6814  192.168.1.64   00:1d:d9:2e:4f:61  Hon Hai Precision
   2154  192.168.15.1   00:1d:d9:2e:4f:60  Hon Hai Precision
   1161  192.168.1.254  00:1d:d9:2e:4f:60  Hon Hai Precision
    325  192.168.1.254  00:1d:6b:99:98:68  Arris Group
     16  192.168.1.5    00:0a:95:69:38:cc  Apple
     14  192.168.15.5   00:14:d1:44:a0:f1  Trendnet
      8  10.0.1.5       00:1c:b3:79:00:31  Apple
      6  192.168.15.8   00:16:cb:b4:a3:f8  Apple
      4  192.168.1.64   00:1f:f3:5a:77:9b  Apple
      3  192.168.15.7   00:1c:b3:79:00:31  Apple
      2  192.168.15.2   00:1b:63:f1:8a:6e  Apple

Adding the source Ethernet address shows that there are 12 devices we should gather knowledge about, not just the 10 IP Addresses listed above.  Two IP Addresses, 192.168.1.254 and 192.168.1.64, have more than one MAC address associated with them.  The manufacturer (looked up from the MAC Address OUI) is shown next to each MAC Address.

The MAC Address 00:1c:b3:79:00:31 is also found to have used two IP Addresses: 10.0.1.5 and 192.168.15.7.
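The IP-to-MAC cross-check above can be scripted so that the NAT boundaries (one IP seen with several MACs) and roaming hosts (one MAC seen with several IPs) fall out automatically, which matters when traffic has to be attributed to a single device.  This is an added example, not code from the post; it works on the same `ip.src` / `eth.src` field output the post produces with tshark, but uses a small constructed sample in place of the pcap, and it matches 172.x only within 172.16.0.0/12 rather than the post's looser grep.

```shell
#!/bin/sh
# Summarise "tshark -r file.pcap -T fields -e ip.src -e eth.src" output:
# count RFC 1918 sources, then flag IPs with several MACs and MACs with
# several IPs.  LC_ALL=C keeps sort/uniq byte-ordered so tabs are honoured.
export LC_ALL=C

# Constructed stand-in for the tshark output (ip.src<TAB>eth.src per packet).
# In practice: sample() { tshark -r nitroba.pcap -T fields -e ip.src -e eth.src; }
sample() {
    printf '%s\t%s\n' \
        192.168.15.4  00:17:f2:e2:c0:ce \
        192.168.15.4  00:17:f2:e2:c0:ce \
        192.168.1.254 00:1d:d9:2e:4f:60 \
        192.168.1.254 00:1d:6b:99:98:68 \
        8.8.8.8       00:1d:6b:99:98:68 \
        10.0.1.5      00:1c:b3:79:00:31 \
        172.16.0.9    00:16:cb:b4:a3:f8 \
        172.99.0.1    00:16:cb:b4:a3:f8
}

# Packet count per private source IP, busiest first.  The awk test limits
# 172.x to 172.16-172.31, so 172.99.0.1 (public space) is excluded.
private_counts() {
    sample | cut -f1 | sort | uniq -c | sort -rn |
    awk '$2 ~ /^10\./ || $2 ~ /^192\.168\./ ||
         $2 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./'
}

# IPs that appear with more than one source MAC (typically a NAT/gateway
# interface, as with 192.168.1.254 in the post, or a spoofed address).
multi_mac_ips() {
    sample | sort -u | cut -f1 | uniq -d
}

# MACs that appear with more than one source IP (a host that changed
# address, like 00:1c:b3:79:00:31 in the post, or a router forwarding).
multi_ip_macs() {
    sample | sort -u | cut -f2 | sort | uniq -d
}

echo "== private sources =="; private_counts
echo "== IPs with several MACs =="; multi_mac_ips
echo "== MACs with several IPs =="; multi_ip_macs
```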

192.168.1.64 is the gateway
192.168.1.254 is the DNS Server
192.168.15.1 is the inside of the gateway
192.168.15.4 is the main IP of interest
192.168.15.5 is nothing


Did not complete the scenario...
