In the book they are using the scenario to explain and teach about the tool called Xplico. However, I am going to use the scenario to identify useful tshark commands that can be used in such an investigation.
The first lead in the investigation is that of an IP Address. "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. "
IP Address: 140.247.62.34. I am going to use tshark to isolate and save to another pcap all activity with the IP Address as the source or destination.
tshark -r nitroba.pcap -Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" -w 140_247_62_34.pcap
The above tshark command reads like this:
-r nitroba.pcap - Read the nitroba.pcap file
-Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" - Display filter: keep only packets whose source or destination address is 140.247.62.34, i.e. both directions of every conversation with that host (ip.addr==140.247.62.34 is the equivalent shorthand)
-w 140_247_62_34.pcap - Write the packets that were found to the following file
In the extracted traffic the address 192.168.15.4 is observed, which is a private (RFC 1918), non-routable address. In the packet capture I wonder how many private non-routable IP addresses there are:
tshark -r nitroba.pcap -T fields -e ip.src > ip-src.txt
The above tshark command reads like this:
-T fields - Print selected fields, one line per packet, instead of the packet summary
-e ip.src - Select the field to print; here the IPv4 source address (frames with no IP layer produce an empty line)
> ip-src.txt - Redirects the output to a text file
$ cat ip-src.txt | sort | uniq -c | sort -n | grep -e " 172\." -e " 192\.168\." -e " 10\."
2 192.168.15.2
3 192.168.15.7
6 192.168.15.8
8 10.0.1.5
14 192.168.15.5
16 192.168.1.5
1486 192.168.1.254
2154 192.168.15.1
6818 192.168.1.64
34554 192.168.15.4
The pipeline above takes the list of source IP addresses, sorts it so identical addresses are adjacent, uses uniq -c to count each address and prefix the count to it, sorts by that count with sort -n, and greps for the private ranges. Two caveats: the leading space in each grep pattern anchors on the count that uniq -c prepends, and " 172\." matches all of 172.0.0.0/8 although only 172.16.0.0/12 is private, so a public 172.x source would be counted here too.
We can tell the busiest device is 192.168.15.4. Let's look into the devices more and try to determine what they are. I am going to use the MAC address of each device (specifically its OUI, the first three octets) to try to identify the vendor that manufactured the device.
tshark -r nitroba.pcap -T fields -e ip.src -e eth.src > ip-src-and-mac-src.txt
cat ip-src-and-mac-src.txt | sort | uniq -c | sort -rn | grep -e " 172\." -e " 192\.168\." -e " 10\."
Adding the source Ethernet address shows that there are 12 devices to gather knowledge about, not just the 10 above based on IP addresses. I have bolded the IP addresses that have more than one MAC address associated with them, and included the manufacturer next to each MAC address.
The MAC address 00:1c:b3:79:00:31 is also found to have used two IP addresses: 10.0.1.5 and 192.168.15.7.
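Below is an added example, not code from the original post or from the Nitroba scenario materials. It takes the two-column output of tshark -T fields -e ip.src -e eth.src (a constructed sample is embedded; it is not data from nitroba.pcap, and the 02:... MACs are made up), counts packets per RFC 1918 source with a correct private-range test instead of the loose grep, and pivots IP against MAC to surface the two things the text above finds by hand: a MAC that used more than one IP and an IP that was used by more than one MAC.

```shell
#!/bin/sh
# Added example, not from the original post: the post's
# "sort | uniq -c | sort -n | grep" pipeline redone with a correct
# RFC 1918 test, plus the IP <-> MAC pivot used to spot hosts that
# changed address. Input is what
#   tshark -r nitroba.pcap -T fields -e ip.src -e eth.src
# prints: one line per frame, "ip.src<TAB>eth.src", with an empty
# ip.src for frames that have no IP layer (ARP etc.).

# Constructed sample in that format; NOT output from nitroba.pcap.
# The 02:... MACs are invented; 00:1c:b3:79:00:31 is the address the
# post saw with two IPs. The last line imitates a non-IP frame.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\t%s\n' \
  192.168.15.4   02:00:00:00:00:01 \
  192.168.15.4   02:00:00:00:00:01 \
  192.168.15.4   02:00:00:00:00:01 \
  10.0.1.5       00:1c:b3:79:00:31 \
  192.168.15.7   00:1c:b3:79:00:31 \
  172.16.5.9     02:00:00:00:00:02 \
  172.32.5.9     02:00:00:00:00:03 \
  140.247.62.34  02:00:00:00:00:04 \
  192.168.15.1   02:00:00:00:00:05 \
  192.168.15.1   02:00:00:00:00:06 \
  ''             02:00:00:00:00:02 \
  > "$SAMPLE"

# Packet count per RFC 1918 source address, lowest count first.
# Unlike grep -e " 172\." this excludes 172.32.0.0-172.255.255.255,
# which are public; only 172.16.0.0/12 is private.
private_src_counts() {
  cut -f1 "$1" | awk -F. '
    NF == 4 && ($1 == 10 ||
                ($1 == 172 && $2 >= 16 && $2 <= 31) ||
                ($1 == 192 && $2 == 168)) { n[$0]++ }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -n
}

# MAC addresses seen with more than one source IP ("mac ip1,ip2",
# IPs in first-seen order): a host that moved between 10.0.1.x and
# 192.168.15.x shows up here.
macs_with_several_ips() {
  awk -F '\t' '
    $1 != "" && !seen[$2, $1]++ {
      ips[$2] = ips[$2] (n[$2]++ ? "," : "") $1
    }
    END { for (m in n) if (n[m] > 1) print m " " ips[m] }' "$1" | sort
}

# IP addresses seen with more than one source MAC ("ip mac1,mac2"):
# on a flat LAN that means DHCP reassignment, an address conflict,
# or MAC spoofing, so each such IP needs a second look.
ips_with_several_macs() {
  awk -F '\t' '
    $1 != "" && !seen[$1, $2]++ {
      macs[$1] = macs[$1] (n[$1]++ ? "," : "") $2
    }
    END { for (ip in n) if (n[ip] > 1) print ip " " macs[ip] }' "$1" | sort
}

echo "== packets per RFC 1918 source =="
private_src_counts "$SAMPLE"
echo "== MACs that used several IPs =="
macs_with_several_ips "$SAMPLE"
echo "== IPs used by several MACs =="
ips_with_several_macs "$SAMPLE"
```

To run it against the real capture, point the three functions at the ip-src-and-mac-src.txt file written by the command in the text instead of the constructed sample. For the vendor lookup, tshark can print the resolved OUI name itself (-N m together with -e eth.src_resolved) from the manuf table that ships with Wireshark, which saves pasting each MAC into a web lookup.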
192.168.1.64 is the gateway
192.168.1.254 is the DNS Server
192.168.15.1 is the inside of the gateway
192.168.15.4 is the main IP of interest
192.168.15.5 is nothing
Did not complete the scenario...