NETRESEC Network Security Blog - Tag : Pcap

rss Google News

CapLoader 1.9.4 Released

CapLoader 1.9.4

A new version of our advanced PCAP filtering tool CapLoader was released today. The new CapLoader 1.9.4 release includes features like JA3 hash extraction from TLS traffic and a fantastic thing called Select Similar Flows, which is a unique feature that you will only find in CapLoader! We have also included a VXLAN parser, so that flows tunneled inside of overlay networks can be presented directly in the CapLoader GUI.

Select Similar Flows or Services

If you right-click a flow or service in CapLoader you’ll now be presented with an option to “select similar flows” (or services). This feature causes CapLoader to read through the loaded PCAP files again in order to find other flows that are similar to the one that was right-clicked. CapLoader doesn’t care about IP addresses or port numbers when assessing this similarity. Instead it looks at behavioral patterns in the traffic itself, such as packet sizes and byte patterns. In practice, this feature will select flows that are communicating using the same protocol as the one you clicked, regardless of which port it runs on. CapLoader already comes with an advanced feature for doing port-independent protocol identification, which currently detects over 170 protocols. But the “select similar” feature can even be used to find odd or proprietary protocols that aren’t in CapLoaders protocol database.

There is also a feature called “select VERY similar flows” which, instead of searching for flows with the same protocol, looks for flows with the same implementation or dialect of that particular protocol. This feature can be used to single out the network traffic of a particular software or tool from a haystack of network traffic from multiple applications, which all run the same application layer protocol. Another use case is to find additional malicious C2 sessions that run on top of a standard protocol like HTTP, TLS or DNS – provided that you’ve located at least one such malicious flow or service.

JA3 and JA3S Hashes for TLS Flows

We added JA3 extraction to NetworkMiner back in 2019, with the release of NetworkMiner 2.5. It’s now time to bring this useful little TLS fingerprinting feature into CapLoader as well. As of version 1.9.4 CapLoader attempts to extract JA3 and JA3S hashes from all TCP flows. The JA3 and JA3S hashes are presented in the Flows and Services tabs as separate columns. This allows users to filter flows based on a JA3 hash directly in CapLoader instead of having to export a filtered PCAP to an external tool to calculate JA3 hashes.

CapLoader with Column Critera filter for JA3 hash

Image: Column criteria filter “JA3 = a72f351cf3c3cd1edb345f7dc071d813” on PCAP from CERT-SE’s 2021 CTF.

Extraction of Flows Inside of VXLAN Tunnels

VXLAN is a network virtualization technology that can be used to create overlay networks, where Ethernet frames are encapsulated inside of UDP packets (see RFC 7348). The UDP port used for VXLAN is 4789 or 8472. We added support for VXLAN to NetworkMiner in 2017, but CapLoader has until now only presented the VXLAN tunnels in the GUI when VXLAN traffic is loaded. We’re happy to announce that CapLoader now extracts flows for the VXLAN tunnels and the traffic inside of those tunnels.

ICMP flow extracted from VXLAN tunnel

Image: ICMP flow extracted from VXLAN tunnel. PCAP file is Virtual_Extensible_LAN-VXLAN.pcap from Xena Networks

Additional GUI Improvements

We’ve also made several minor improvements to CapLoader’s user interface, such as a “Save Visible Flows” option on the File menu, which can be used to save the filtered traffic in the current view to a PCAP file. Another nice addition is the “Copy from Selected Rows” menu option, which can be used to copy text from a particular column.

CapLoader’s OSINT lookup context menus have also been updated to include some very useful services like Feodo Tracker, Hatching Triage and IPVoid.

Free Trial versus Full Version

Many of the new additions to CapLoader are only available in the full version, but the VXLAN extraction and some of the GUI additions are also available in the free trial version of CapLoader. No registration is required to download the trial — just download, extract and run for 30 days. If you like it, then please consider purchasing the full version!

Updating to the Latest Release

Users who have already purchased a license for CapLoader can download a free update to version 1.9.4 from our customer portal.

Posted by Erik Hjelmvik on Thursday, 16 June 2022 11:44:00 (UTC/GMT)

Tags: #CapLoader#JA3#JA3S#Protocol Identification#Protocol Detection#PCAP#TLS#VXLAN

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=226917b


Real-time PCAP-over-IP in Wireshark

Did you know that it is possible to stream captured packets from a remote device or application to Wireshark in real-time using PCAP-over-IP? This blog post explains how you can configure Wireshark to read decrypted TLS packets directly from PolarProxy over a TCP socket.

PolarProxy

PolarProxy is a TLS proxy that decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file. Users who wish to inspect the decrypted TLS traffic in Wireshark typically open this file from disk, but that doesn’t allow for a real-time view of the traffic.

PolarProxy comes with a feature called PCAP-over-IP, which provides a real-time PCAP stream with decrypted packets to connecting clients. If you start PolarProxy with “--pcapoverip 57012” then a PCAP-over-IP listener will be set up on TCP port 57012. I have previously demonstrated how this decrypted stream can be read by NetworkMiner, but it was not until recently that I learned that the same thing can be done with Wireshark as well.

PCAP-over-IP in Wireshark

There’s a little known feature in Wireshark that allows a PCAP stream to be read from a TCP socket, which is exactly what PCAP-over-IP is! To connect to a PolarProxy PCAP-over-IP service on the local PC, do as follows:

  1. Capture > Options (or Ctrl+K)
  2. “Manage Interfaces...”
  3. Select the “Pipes” tab
  4. Click the “+” button
  5. Name the pipe “TCP@127.0.0.1:57012” and press ENTER to save it.
    Manage Interfaces in Wireshark
  6. Click “OK” in the Manage Interface window.
  7. Click “Start” to inspect decrypted traffic from PolarProxy in real-time.

This setup works on Windows, Linux and macOS. Just remember to replace 127.0.0.1 with the IP of PolarProxy in case it is running on a remote machine.

Decrypted TLS packets from PolarProxy in Wireshark

Image: Real-time view of HTTP2 packets from decrypted TLS traffic

It’s also possible to read PCAP-over-IP with the command line tool tshark like this:

tshark -i TCP@127.0.0.1:57012

The PCAP-over-IP params can also be supplied to Wireshark on the command line in a similar manner:

wireshark -k -i TCP@127.0.0.1:57012

Happy sniffing!

Posted by Erik Hjelmvik on Tuesday, 24 May 2022 14:00:00 (UTC/GMT)

Tags: #pcapoverip#Wireshark#PolarProxy#PCAP

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=2257d9f


Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims.

The video was recorded in a Windows Sandbox in order to avoid accidentally infecting my Windows PC with malware.

Initial Infection

Palo Alto's Unit 42 sent out a tweet with screenshots and IOCs from an Emotet infection in early March. A follow-up tweet by Brad Duncan linked to a PCAP file containing network traffic from the infection on Malware-Traffic-Analysis.net.

Screenshot of original infection email from Unit 42

Image: Screenshot of original infection email from Unit 42

  • Attachment MD5: 825e8ea8a9936eb9459344b941df741a

Emotet Download

The PCAP from Malware-Traffic-Analysis.net shows that the Excel spreadsheet attachment caused the download of a DLL file classified as Emotet.

CapLoader download of Emotet DLL from diacrestgroup.com

Image: CapLoader transcript of Emotet download

  • DNS: diacrestgroup.com
  • MD5: 99f59e6f3fa993ba594a3d7077cc884d

Emotet Command-and-Control

Just seconds after the Emotet DLL download completes the victim machine starts communicating with an IP address classified as a botnet command-and-control server.

Emotet C2 sessions with JA3 51c64c77e60f3980eea90869b68c58a8 in CapLoader

Image: Emotet C2 sessions in CapLoader

  • C2 IP: 209.15.236.39
  • C2 IP: 147.139.134.226
  • C2 IP: 134.209.156.68
  • JA3: 51c64c77e60f3980eea90869b68c58a8
  • JA3S: ec74a5c51106f0419184d0dd08fb05bc
  • JA3S: fd4bc6cea4877646ccd62f0792ec0b62

Emotet Spambot

The victim PC eventually started sending out spam emails. The spam bot used TLS encryption when possible, either through SMTPS (implicit TLS) or with help of STARTTLS (explicit TLS).

Emotet spambot JA3 hash 37cdab6ff1bd1c195bacb776c5213bf2 in NetworkMiner Professional

Image: Emotet spambot JA3 hash in NetworkMiner Professional

  • SMTPS JA3: 37cdab6ff1bd1c195bacb776c5213bf2
  • STARTTLS JA3: 37cdab6ff1bd1c195bacb776c5213bf2

Transmitted Spam

Below is a spam email sent from the victim PC without TLS encryption. The attached zip file contains a malicious Excel spreadsheet, which is designed to infect new victims with Emotet.

Emotet spam email from PCAP

Image: Spam email extracted from Emotet PCAP with NetworkMiner

  • .zip Attachment MD5: 5df1c719f5458035f6be2a071ea831db
  • .xlsm Attachment MD5: 79cb3df6c0b7ed6431db76f990c68b5b

Network Forensics Training

If you want to learn additional techniques for analyzing network traffic, then take a look at our upcoming network forensic trainings.

Posted by Erik Hjelmvik on Monday, 09 May 2022 06:50:00 (UTC/GMT)

Tags: #Emotet#C2#video#pcap#JA3#JA3S#SMTP#SMTPS#Windows Sandbox

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=225196a


Industroyer2 IEC-104 Analysis

The Industroyer2 malware was hardwired to attack a specific set of electric utility substations in Ukraine. It seems to have been custom built to open circuit breakers, which would effectively cut the power from the substation.

Industroyer2

After connecting to an RTU in a substation the malware would immediately start changing the outputs at specific addresses without first having to enumerate which IOAs that were available on the targeted device. This custom-built malware seems to know what IOAs to use at each station, as well as what type of output each specific IOA controls.

UPDATE 2022-04-26

Upon popular demand we've decided to release three PCAP files with IEC-104 traffic from our own sandbox execution of the Industroyer2 malware. Please feel free to use these capture files to verify our findings using any tool of your choice. The capture files can be downloaded from here:
https://www.netresec.com/files/Industroyer2-Netresec.zip

These PCAP files are shared under a CC BY 4.0 license, which allows you to redistribute them as long as you give appropriate credit.

UPDATE 2022-04-29

A PNG image in the original CERT-UA security alert #4435 turned out to actually include the IOAs targeted by the non-public 108_100.exe Industroyer2 version. The IOAs disclosed in CERT-UAs alert have now been included in this blog post as well.

Backstory

I was looking at a public sandbox execution of a presumed Industroyer2 malware sample two weeks ago. At first glance the malware sample, which was named “40_115.exe”, didn't do much. It just printed the text below to the console and then terminated the process.

19:46:06:0106> T281 00006800
19:46:06:0247> RNM 0015
19:46:06:0294> 10.82.40.105: 2404: 3
19:46:06:0294> T65 00006800
19:46:06:0341> 10.82.40.105 M68B0 SGCNT 44
19:46:06:0497> RNM 0015
19:46:06:0544> T113 00006800
19:46:06:0544> 192.168.122.2: 2404: 2
19:46:06:0544> 192.168.122.2 M68B0 SGCNT 8
19:46:06:0591> RNM 0015
19:46:06:0653> 192.168.121.2: 2404: 1
19:46:06:0700> 192.168.121.2 M68B0 SGCNT 16
19:46:21:0747> 192.168.122.2 M6812
19:46:21:0747> 10.82.40.105 M6812
19:46:21:0794> 192.168.121.2 M6812

I later noticed that it also sent TCP SYN packets to three different RFC1918 addresses, but never received a response.

Industroyer2 trying to connect to TCP port 2404 on 10.82.40.105, 192.168.122.2 and 192.168.121.2 in Wireshark

Image: Wireshark showing Industroyer2 trying to reach TCP port 2404

TCP port 2404 is used by the SCADA protocol IEC 60870-5-104, also known as IEC-104, which is primarily used to monitor and control electricity transmission and distribution systems. IEC-104 is also the only Industrial Control System (ICS) protocol implemented in Industroyer2 according to ESET. The previous version of Industroyer, which was used to cut the power in Ukraine in 2016, additionally supported the IEC 61850 and OPC DA protocols according to the CRASHOVERRIDE report from Dragos.

Industroyer2's IEC-104 client didn't receive any SYN+ACK response in the sandbox execution I was looking at, so I couldn't tell what it was trying to do. I therefore decided to set up my own sandbox with a built-in IEC-104 server (also known as a slave, RTU or IED). My sandbox execution confirmed that Industroyer2 was indeed trying to communicate with these three IP addresses using IEC-104. I also noticed that it was very specific about which outputs (or IOAs) it wanted to access on those servers in order to turn these outputs either ON or OFF.

Station Address 1 at 192.168.121.2

The Industroyer2 malware spawned three separate threads when started, one thread for each IEC-104 server to contact. The malware would communicate with all three servers in parallel if all of them were available. However, in order to simplify my analysis I decided to only respond to one of the IPs at a time, starting with IP address 192.168.121.2.

The thread that connected to IP address 192.168.121.2 toggled all outputs between 1250 and 1265 to OFF at Station Address 1 (also known as “ASDU address” or “common address”). Judging from the command type used (ID 46 with short pulse duration) these outputs likely control circuit breakers, which are used to disconnect the power from an electric utility substation.

IEC-104 traffic to 192.168.121.2 in NetworkMiner

Image: PCAP file with IEC-104 traffic to 192.168.121.2 in NetworkMiner

Station Address 2 at 192.168.122.2

On 192.168.122.2 the malware targeted station address 2, where it toggled outputs between 1101 and 1108 to OFF.

IEC-104 traffic to 192.168.122.2 in NetworkMiner

Image: PCAP file with IEC-104 traffic to 192.168.122.2 in NetworkMiner

Station Address 3 at 10.82.40.105

The malware toggled a great deal of outputs on 10.82.40.105, which had station address 3. But in contrast to the other stations, many of these outputs were toggled to the “ON” state rather than “OFF”.

IEC-104 traffic to 10.82.40.105 in NetworkMiner

Image: PCAP file with IEC-104 traffic to 10.82.40.105 in NetworkMiner

Yet, after setting those outputs to “ON” it proceeded with setting outputs to “OFF” for several other IOAs on station address 3.

IEC-104 traffic to 10.82.40.105 in NetworkMiner

Image: PCAP file with IEC-104 traffic to 10.82.40.105 in NetworkMiner

In each thread Industroyer2 paused for approximately 3 seconds between each accessed IOA. This delay seems to have been hard coded since the malware didn't seem to care whether or not the IEC-104 server responded with an OK message, such as ACT or ACTTERM, or an error message, like “unknown common address of ASDU”. Each thread would simply proceed with setting an IOA every 3 seconds no matter what the server responded.

The specific order in which the IOAs were accessed was also very deterministic, the exact same sequence of IOAs was used every time. I verified this behavior by running the malware multiple times as well as by comparing my results to an execution of the same sample on a different sandbox (thanks for the PCAP Joe and Dan).

What Did the Attackers Know?

The fact that the malware toggled these specific outputs, rather than just randomly turning outputs ON or OFF, indicates that the threat actors had technical knowledge about the specific substation(s) they were attacking. Not only did the attackers know the IP addresses, station addresses and IOAs of each targeted output. They also knew what ASDU Type ID to use for each respective output. For IOA 1101 to 1404 the Type ID 46 was used (also known as "double command" or C_DC_NA_1) while for IOAs from 130202 and above it used Type ID 45 (also known as “single command” or C_SC_NA_1).

As you can see in the previous screenshots, NetworkMiner nicely parses and presents the IEC-104 commands issued by Industroyer2. But I noticed that the malware also printed all sent and received commands to the console when executed. For example, the following output was printed to the console by the Industroyer2 thread communicating with station address 2 on 192.168.122.2:

11:51:56:0163> T65 00006800
11:51:56:0201> RNM 0003
11:51:56:0241> 192.168.122.2: 2404: 2
11:51:56:0267> 192.168.122.2 M68B0 SGCNT 8
11:51:56:0297> 192.168.122.2 M6813

The string “192.168.122.2: 2404: 2” above reveals that “2404” is the target port and “2” is the station address. The “SGCNT 8” string additionally tells us that there were 8 outputs to be toggled on that station. The other two stations had SGCNT 16 and 44.

The malware also printed very detailed information about each sent and received IEC-104 command, such as in the example below where the output at IOA 1104 was successfully turned off at station address 2 (here referred to as “ASDU:2”).

MSTR ->> SLV 192.168.122.2:2404
  x68 x0E x02 x00 x08 x00 x2E x01 x06 x00 x02 x00 x50 x04 x00 x05

  I |Length:16 bytes | Sent=x1 | Received=x4
  ASDU:2 | OA:0 | IOA:1104 |
  Cause: (x6) | Telegram type: (x2E)

MSTR <<- SLV 192.168.122.2:2404
  x68 x0E x08 x00 x04 x00 x2E x01 x47 x00 x02 x00 x50 x04 x00 x05

  I |Length:16 bytes | Sent=x4 | Received=x2
  ASDU:2 | OA:0 | IOA:1104 |
  Cause: (x47) | Telegram type: (x2E)

Note that the Type ID values were also logged to the console by Industroyer2, but it used the term “Telegram type” instead of “Type ID”.

Static Analysis

The following three Unicode strings can be found in the 40_115.exe binary:

10.82.40.105 2404 3 0 1 1 PService_PPD.exe 1 "D:\OIK\DevCounter" 0 1 0 0 1 0 0 44 130202 1 0 1 1 1 160921 1 0 1 1 2 160923 1 0 1 1 3 160924 1 0 1 1 4 160925 1 0 1 1 5 160927 1 0 1 1 6 160928 1 0 1 1 7 190202 1 0 1 1 8 260202 1 0 1 1 9 260901 1 0 1 1 10 260902 1 0 1 1 11 260903 1 0 1 1 12 260904 1 0 1 1 13 260905 1 0 1 1 14 260906 1 0 1 1 15 260907 1 0 1 1 16 260908 1 0 1 1 17 260909 1 0 1 1 18 260910 1 0 1 1 19 260911 1 0 1 1 20 260912 1 0 1 1 21 260914 1 0 1 1 22 260915 1 0 1 1 23 260916 1 0 1 1 24 260918 1 0 1 1 25 260920 1 0 1 1 26 290202 1 0 1 1 27 338501 1 0 1 1 28 1401 0 0 0 1 29 1402 0 0 0 1 30 1403 0 0 0 1 31 1404 0 0 0 1 32 1301 0 0 0 1 33 1302 0 0 0 1 34 1303 0 0 0 1 35 1304 0 0 0 1 36 1201 0 0 0 1 37 1202 0 0 0 1 38 1203 0 0 0 1 39 1204 0 0 0 1 40 1101 0 0 0 1 41 1102 0 0 0 1 42 1103 0 0 0 1 43 1104 0 0 0 1 44
192.168.122.2 2404 2 0 1 1 PService_PPD.exe 1 "D:\OIK\DevCounter" 0 1 0 0 1 0 0 8 1104 0 0 0 1 1 1105 0 0 0 1 2 1106 0 0 0 1 3 1107 0 0 0 1 4 1108 0 0 0 1 5 1101 0 0 0 1 6 1102 0 0 0 1 7 1103 0 0 0 1 8
192.168.121.2 2404 1 0 1 1 PService_PPD.exe 1 "D:\OIK\DevCounter" 0 1 0 0 1 0 0 16 1258 0 0 0 1 1 1259 0 0 0 1 2 1260 0 0 0 1 3 1261 0 0 0 1 4 1262 0 0 0 1 5 1265 0 0 0 1 6 1252 0 0 0 1 7 1253 0 0 0 1 8 1254 0 0 0 1 9 1255 0 0 0 1 10 1256 0 0 0 1 11 1257 0 0 0 1 12 1263 0 0 0 1 13 1264 0 0 0 1 14 1250 0 0 0 1 15 1251 0 0 0 1 16

After having analyzed the IEC-104 traffic from the binary it's obvious that this is the IEC-104 configuration that has been hard-coded into the binary. For example, the substring “10.82.40.105 2404 3” in the first Unicode string refers to the IP, port and station number of the first target.

The “16 1258 [...]” section in the third Unicode string above tells us that there are 16 outputs configured for station address 1, where the first one to be set is at IOA 1258. Thus, we can easily verify that all accessed IOAs on all three stations were hard-coded into the binary.

Additional Substations Targeted

The malware sample I've analyzed has the following properties:

  • Filename: 40_115.exe
  • MD5: 7c05da2e4612fca213430b6c93e76b06
  • SHA1: fdeb96bc3d4ab32ef826e7e53f4fe1c72e580379
  • SHA256: d69665f56ddef7ad4e71971f06432e59f1510a7194386e5f0e8926aea7b88e00
  • Compiled: 2022-03-23 10:07:29 UTC

But there is an additional Industroyer2 sample called “108_100.exe” (MD5 3229e8c4150b5e43f836643ec9428865), which has been mentioned by ESET as well as CERT-UA. I haven't been able to access that binary though, so I don't yet know which IP addresses it was designed to target. However, a few screenshots [1] [2] [3] published by ESET reveal that the 108_100.exe malware sample was hard coded to access 8 different station addresses, 5 of which were on the 10.0.0.0/8 network and 3 on the 192.168.0.0/16 net. An image in CERT-UA's alert #4435 from April 12 reveals the targeted IOAs for these 8 stations.

Targets hard-coded in 108_100.exe ordered by station address:

  • SA#1, 192.x.x.x, 12 IOAs (1101-1104, 1201-1204, 1301-1304)
  • SA#2, 10.x.x.x, 12 IOAs (1101-1104, 1201-1204, 1301-1304)
  • SA#3, 192.x.x.x, 18 IOAs (1103-1104, 1201-1204, 1301-?, 38601-38607)
  • SA#4, 10.x.x.x, 34 IOAs (16501, 16603, 26502, 38507-38513, 38519-38524 and more...)
  • SA#5, 192.x.x.x, 10 IOAs (1101-1103, 1201-1204, 1301-1303)
  • SA#6, 10.x.x.x, 8 IOAs (1101-1104, 1201-1204)
  • SA#7, 10.x.x.x, 8 IOAs (1101-1104, 1201-1204)
  • SA#8, 10.x.x.x, 8 IOAs (1101-1104, 1201-1204)

We can compare those station addresses, IP addresses and IOAs to the ones targeted by the 40_115.exe sample, which was analyzed in this blog post.

  • SA#1, 192.168.121.2, 16 IOAs (1250-1265)
  • SA#2, 192.168.122.2, 8 IOAs (1101-1108)
  • SA#3, 10.82.40.105, 44 IOAs (1101-1104, 1201-1204, 1301-1304, 1401-1404, 130202, 160921-160928, 190202, 260202, 260901-260920, 290202, 338501)

There doesn't seem to be any overlap across the two sets (except for possibly station address 1 which is on the 192.x.x.x network in both configs but has different IOAs). This indicates that the 108_100.exe Industroyer2 version was hard coded to attack a different set of targets than the 40_115.exe sample that I've analyzed.

More ICS blog posts from Netresec

If you'd like to find our earlier work in the field of ICS/SCADA security, then check out these (slightly older but still very relevant) blog posts:

Posted by Erik Hjelmvik on Monday, 25 April 2022 10:35:00 (UTC/GMT)

Tags: #IEC-104#60870-5-104#ICS#ICS#SCADA#PCAP

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=224e357


Open .ETL Files with NetworkMiner and CapLoader

NetTrace.ETL in CapLoader 1.9.3 and NetworkMiner 2.7.2

Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and CapLoader 1.9.3, which were both released this morning.

What is an ETL Trace File?

ETL is short for Event Trace Log, which is ETW session data that has been logged to a file. You can, for example, extract EVTX logs from ETL files. But in this blog post we're gonna focus on network traffic that has been captured to an ETL file with a command like:

netsh trace start capture=yes report=no tracefile=packets.etl
...wait while packets are being captured...
netsh trace stop

Pro-tip: You can specify a capture NIC explicitly with "CaptureInterface=<GUID>"

NetworkMiner and CapLoader can also read packets in Pktmon ETL files, which actually are different from those created with netsh. Capturing packets to an ETL file with Pktmon is very simple:

pktmon start --capture --pkt-size 0 -f packets.etl
...wait while packets are being captured...
pktmon stop

Pro-tip: You can specify capture filters with "pktmon filter add"

You can also capture packets to ETL files with PowerShell:

New-NetEventSession -Name sniffer -LocalFilePath C:\packets.etl
Add-NetEventPacketCaptureProvider -SessionName sniffer -TruncationLength 2000
Start-NetEventSession -Name sniffer
...wait while packets are being captured...
Stop-NetEventSession -Name sniffer
Remove-NetEventSession -Name sniffer

Pro-tip: You capture packets on a remote PC by specifying a CimSession

Advantages

The built-in support for ETL files in NetworkMiner and CapLoader makes it easy to work with ETL files. Not only will you no longer need to go through the extra step of converting the ETL file to PCAP using etl2pcapng or Microsoft Message Analyzer (which was retired in 2019), the analysis will also be faster because both CapLoader and NetworkMiner read ETL files faster compared to etl2pcapng and MMA.

Limitations

The primary limitation with NetworkMiner and CapLoader's ETL support is that it only works in Windows. This means that you will not be able to open ETL files when running NetworkMiner in Linux or macOS.

Another limitation is that both NetworkMiner and CapLoader might fail to parse logged packets if the event trace was created on an OS version with an event manifest that is incompatible with the OS version on which the ETL file is opened.

Under the Hood

Both NetworkMiner and CapLoader leverage Windows specific API calls to read packets from ETL files. An ETL file opened in CapLoader first get converted to PcapNG, then CapLoader parses that PcapNG file. NetworkMiner, on the other hand, parses the packets in the ETL file directly to extract artifacts like files, images and parameters. NetworkMiner's approach is both simpler and quicker, but by converting the ETL file to PcapNG CapLoader can utilize its packet indexing feature to rapidly extract any subset of the captured traffic upon request by the user.

CapLoader's approach is also useful for users who are wondering how to open ETL files in Wireshark, since the packets from an ETL file can be opened in Wireshark by dragging the PcapNG file from the CapLoader GUI onto Wireshark.

Drag-and-drop NetTrace.pcapng from CapLoader to Wireshark
Image: NetTrace.etl converted to PcapNG in CapLoader can be drag-and-dropped onto Wireshark.

Additional Updates in NetworkMiner

The ETL support is not the only new feature in NetworkMiner 2.7.2 though. We have also added support for the ERSPAN protocol. The FTP parser has also been improved to support additional commands, such as AUTH (RFC2228).

We've also added a useful little feature to the context menu of the Parameter's tab, which allows users to send extracted parameters to CyberChef (on gchq.github.io) for decoding.

Submit Parameter value from NetworkMiner to CyberChef
Image: Right-clicking a parameter brings up a context menu with "Submit to CyberChef" option.

Additional Updates in CapLoader

The only major improvement in CapLoader 1.9.3, apart from the built-in ETL-to-PcapNG converter, is that the protocol identification speed and precision has been improved. We've also separated the identification of SSL (version 2.0 to 3.0) and TLS (SSL 3.1 and later) as two separate protocols in this version, whereas they previously both were fingerprinted as "SSL".

Credits

We'd like to thank Dick Svensson and Glenn Larsson for their input on reading ETL files. We also want to thank Markus Schewe for recommending us to add ERSPAN support to NetworkMiner!

Posted by Erik Hjelmvik on Tuesday, 02 November 2021 07:15:00 (UTC/GMT)

Tags: #PowerShell#CapLoader#NetworkMiner#PcapNG#Windows#Wireshark#PCAP#CyberChef

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=21B0d0e


Start Menu Search Video

In this video I demonstrate that text typed into the Windows 10 start menu gets sent to Microsoft and how that traffic can be intercepted, decrypted and parsed.

What Was Sent?

The XML files shown in the video were sent by Cortana's "SmartSearch" app to https://www.bing.com/threshold/xls.aspx in HTTP/2 POST requests. As shown in the video, the POST'ed keystrokes can be found inside requestInfo XML tags that have a "RawQuery" key.

The following tcpdump and grep commands can be used to list the RawQuery data sent to Bing in these HTTP/2 requests:

tcpdump -A -r proxy-210927-134557.pcap | grep -a -o 'key="RawQuery" value="[^"]*"'

Running that command on the PolarProxy PCAP file from the video gives the following output:

key="RawQuery" value="n"
key="RawQuery" value="no"
key="RawQuery" value="not"
key="RawQuery" value="note"
key="RawQuery" value="notep"
key="RawQuery" value="notepa"
key="RawQuery" value="notepad"
key="RawQuery" value="s"
key="RawQuery" value="se"
key="RawQuery" value="sea"
key="RawQuery" value="sear"
key="RawQuery" value="searc"
key="RawQuery" value="search"
key="RawQuery" value="search .."
key="RawQuery" value="search ..e"
key="RawQuery" value="search ..er"
key="RawQuery" value="search ..e"
key="RawQuery" value="search .."
key="RawQuery" value="search"
key="RawQuery" value="search p"
key="RawQuery" value="search per"
key="RawQuery" value="search perm"
key="RawQuery" value="search permi"
key="RawQuery" value="p"
key="RawQuery" value="pr"
key="RawQuery" value="pri"
key="RawQuery" value="priv"
key="RawQuery" value="priva"
key="RawQuery" value="privac"
key="RawQuery" value="privacy"

The same data also gets sent in the query string variable "qry" of GET requests for https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions, as shown in this NetworkMiner screenshot.

Parameters tab in NetworkMiner
Image: NetworkMiner's Parameters tab with filter "qry" on "Parameter name" column

How to Intercept, Decrypt and Decode HTTPS Traffic

The following section presents the technical details regarding my setup, so that others can reproduce and verify these findings.

My first step was to install PolarProxy on a Linux machine on the local network. PolarProxy is a TLS proxy, which can intercept and decrypt TLS traffic. This TLS proxy is primarily designed to decrypt traffic from malware and hackers, but can also be used to decrypt legitimate traffic when needed.

PolarProxy was configured to listen for incoming TLS connections on TCP port 443 and output PCAP data with the decrypted traffic as if it had been transmitted over TCP 80. The decrypted traffic was accessible as a real-time stream through a PCAP-over-IP service running on port 57012. Here's the full command that was used to start PolarProxy:

sudo ./PolarProxy -p 443,80 --pcapoverip 0.0.0.0:57012 --certhttp 10080

In the video I showed the Windows 10 client's modified hosts file, which included an entry for www.bing.com pointing to the PolarProxy machine. What was not shown in the video though, is that PolarProxy's own CA certificate had been added to the Win10 machine's list of trusted root CA's, as explained in the "Trusting the PolarProxy root CA" section of the PolarProxy installation instructions. With these two changes in place all HTTPS requests for www.bing.com from the Win10 PC got diverted through the PolarProxy TLS inspection service, which then decrypted and re-encrypted the traffic before forwarding it to Bing.

The decrypted Bing requests could be accessed either locally on the Linux machine, or remotely using the PCAP-over-IP service on TCP port 57012. I used NetworkMiner to read the live PCAP stream with decrypted traffic from port 57012 and extract all files being sent and received in real-time.

Is it Possible to Disable the Cortana Search?

When Ars Technica reporters asked Microsoft back in 2015 if there was any way to disable this communication, Microsoft replied with the following statement:

As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer's chosen privacy settings.

There are plenty of how-to guides online with instructions on how the Cortana search feature can be disabled. Most of these guides suggest disabling the AllowCortana setting in group policies or in the registry. We've tried several of the settings suggested in these how-to guides, but none of them seem to prevent Windows from sending keystrokes to Bing.

If you know how to successfully disable Cortana's Bing searches, then please feel free to reach out to us so that we can update this blog post.

UPDATE 210928 - How to Actually Disable Cortana Search

Twitter user @GeorgeProfonde3 reached out to suggest a fix that might prevent the start menu from sending data to Bing. We have now verified this fix and we're happy to announce that it works (at least for us).

  1. Start regedit.exe
  2. Open the following registry key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
  3. Ensure that the value for CortanaConsent is set to 0
  4. Create a new DWORD registry entry called "BingSearchEnabled" with value 0

You should no longer see any connections to www.bing.com when interacting with the start menu after implementing this fix.

UPDATE 211015 - Another way to Disable Cortana Search

You may need to use a different method to disable the start meny search, depending on your Windows version and build. Kimberly (@StopMalvertisin) suggested the following method, which seems to work on Windows 11:

  1. Start regedit.exe
  2. Create a registry key for:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
  3. Create a new DWORD registry entry called "DisableSearchBoxSuggestions" with value 1

Disabling Start Menu Search from Group Policy

There are also a few different methods for disabling start menu searches using GPO. However, please note that your success will vary depending on your Windows version and build.

GPO Method #1

  1. Start gpedit.msc
  2. Open the following branch:
    User configuration\Administrative templates\Windows components\File Explorer
  3. Enable the following group policy:
    "Turn off display of recent search entries in the File Explorer search box"

GPO Method #2

  • Start gpedit.msc
  • Open the following branch:
    User Configuration\Administrative Templates\Start Menu and Taskbar
  • Enable the following group policy: "Do not search communications"

Posted by Erik Hjelmvik on Tuesday, 28 September 2021 08:24:00 (UTC/GMT)

Tags: #PCAP#NetworkMiner#PolarProxy#Microsoft#video#videotutorial#pcapoverip#PCAP-over-IP#HTTP/2#http2

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=2199fe7


Carving Packets from Memory

The packets are in the router

Someone who says "We're gonna pull the packet captures out of the router" probably has no clue how to capture network traffic. In the Lindell case, statements like these were results of an elaborate hoax.

Nevertheless, such a statement doesn't have to be nonsense — if it comes from someone who knows how to dump the physical memory from the router. There are actually more packets available in the RAM of a router, or computer for that matter, than you might think.

The Forensic Challenge from DFRWS 2016 contains a memory dump from an SDN switch. If you drag-and-drop SDN.ram.raw from that challenge to CapLoader then you'll be asked if you wanna carve packets from the memory dump.

CapLoader error message - Invalid capture file

This packet carving feature is also available in the free trial version of CapLoader.

Clicking "Yes" in the dialogue brings up a configuration window. The default settings are okay in most cases.

CapLoader's Carve Packets Window

After pressing "Start" CapLoader will start identifying packets in the memory dump from the SDN switch. The packets will be saved to a Pcap-NG file located in the %TEMP% directory, unless you specified a different output location in the config window.

You can download a copy of the Pcap-NG file that I generated with CapLoader 1.9.2 here:
https://www.netresec.com/files/SDN.ram.raw.pcapng (661 kB, 2959 packets)

Here's what it looks like when the carved packets have been loaded into NetworkMiner Professional.

NetworkMiner Professional with SDN.ram.raw.pcapng loaded

As you can see, a great deal of information can be extracted about the hosts on this network just by examining the dumped memory from the SDN switch.

What about Bulk Extractor?

Simson Garfinkel's bulk_extractor can also extract packets from memory dumps. It was actually a research paper by Simson that inspired me to implement a packet carver in the first place.

There are a few significant differences between bulk_extractor and CapLoader with regards to packet carving though. One difference is that bulk_extractor identifies network packets by looking for Ethernet frames containing IPv4 packets, while CapLoader looks for IPv4 or IPv6 packets containing TCP or UDP packets. The output from bulk_extractor is usually quite similar to that of CapLoader, and so is the parsing speed. CapLoader was just slightly faster in our tests and carved about 3% more packets compared to bulk_extractor, these additional packets were primarily IPv6 packets and packets that weren't encapsulated by an Ethernet frame.

Where can I download memory dumps?

I posted a question on Twitter, asking the #DFIR community for their favorite publicly available memory dumps prior to writing this blog post, and I received lots of great answers. Thank you all for contributing! I have now compiled the following list of places from where you can download memory dumps:

For a more detailed blog post on CapLoader's packet carving functionality, please see our Carving Network Packets from Memory Dump Files blog post from 2014.

Posted by Erik Hjelmvik on Tuesday, 31 August 2021 15:10:00 (UTC/GMT)

Tags: #Forensics#RAM#PCAP#Pcap-NG#PcapNG#DFIR#carve#carver#packets#dump#CapLoader#memory forensics#DFRWS

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=218cf94


Walkthrough of DFIR Madness PCAP

I recently came across a fantastic digital forensics dataset at dfirmadness.com, which was created by James Smith. There is a case called The Stolen Szechuan Sauce on this website that includes forensic artifacts like disk images, memory dumps and a PCAP file (well, pcap-ng actually). In this video I demonstrate how I analyzed the capture file case001.pcap from this case.

Follow Along in the Analysis

Please feel free to follow along in the analysis performed in the video. You should be able to use the free trial version of CapLoader and the free open source version of NetworkMiner to perform most of the tasks I did in the video.

Here are some of the BPF and Column Criteria filters that I used in the video, so that you can copy/paste them into CapLoader.

  • net 10.0.0.0/8
  • Umbrella_Domain =
  • not ip6 and not net 224.0.0.0/4
  • host 194.61.24.102 or host 203.78.103.109 or port 3389

ASCII Network Flow Chart

References and Links

Timeline

All events in this timeline take place on September 19, 2020. Timestamps are in UTC.

  • 02:19:26 194.61.24.102 performs RDP brute force password attack against DC01.
  • 02:21:47 RDP password brute force successful.
  • 02:22:08 194.61.24.102 connects to DC01's RDP service as Administrator. Duration: 9 sec.
  • 02:22:36 194.61.24.102 connects to DC01's RDP service as Administrator again. Duration: 30 min.
  • 02:24:06 DC01 downloads coreupdater.exe from 194.61.24.102 using IE11.
  • 02:25:18 DC01 establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 4 min.
  • 02:29:49 DC01 re-establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 23 min.
  • 02:35:55 DC01 connects to DESKTOP's RDP service Administrator (username in Kerberos traffic). Duration 16 min.
  • 02:39:58 DESKTOP download coreupdater.exe from 194.61.24.102 using MS Edge.
  • 02:40:49 DESKTOP establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 2h 58 min.
  • 02:56:03 194.61.24.102 connects to DC01's RDP service as Administrator one last time. Duration: 1 min 38 sec.
  • 02:56:38 DC01 re-establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 2h 42 min.

IOC's

  • IP : 194.61.24.102 (Attacker)
  • IP : 203.78.103.109 (C2 server)
  • MD5 : eed41b4500e473f97c50c7385ef5e374 (coreupdater.exe)
  • JA3 Hash : 84fef6113e562e7cc7e3f8b1f62c469b (RDP scan/brute force)
  • JA3 Hash : 6dc99de941a8f76cad308d9089e793d7 (RDP scan/brute force)
  • JA3 Hash : e26ff759048e07b164d8faf6c2a19f53 (RDP scan/brute force)
  • JA3 Hash : 3bdfb64d53404bacd8a47056c6a756be (RDP scan/brute force)

Wanna learn more network forensic analysis techniques? Then check out our upcoming network forensics classes in September and October.

Posted by Erik Hjelmvik on Friday, 09 July 2021 13:20:00 (UTC/GMT)

Tags: #PCAP#NetworkMiner#CapLoader#video#videotutorial

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=217dfc7

2021 June

NetworkMiner 2.7 Released

Network Forensics Classes for EU and US

2021 May

Detecting Cobalt Strike and Hancitor traffic in PCAP

CapLoader 1.9 Released

Running NetworkMiner in Windows Sandbox

2021 March

Live Online Training - PCAP in the Morning

2020 December

Capturing Decrypted TLS Traffic with Arkime

2020 November

PolarProxy 0.8.16 Released

2020 October

PolarProxy in Podman

Honeypot Network Forensics

PolarProxy in Docker

2020 September

NetworkMiner 2.6 Released

2020 March

Discovered Artifacts in Decrypted HTTPS

Reverse Proxy and TLS Termination

2020 January

RawCap Redux

Sniffing Decrypted TLS Traffic with Security Onion

Sharing a PCAP with Decrypted HTTPS

2019 December

Installing a Fake Internet with INetSim and PolarProxy

2019 November

Extracting Kerberos Credentials from PCAP

NetworkMiner 2.5 Released

2019 September

Raspberry PI WiFi Access Point with TLS Inspection

2019 June

PolarProxy Released

2019 January

Video: TrickBot and ETERNALCHAMPION

2018 December

TorPCAP - Tor Network Forensics

2018 November

Remote Packet Dumps from PacketCache

2018 September

Reverse Engineering Proprietary ICS Protocols

2018 July

CapLoader 1.7 Released

2018 April

NetworkMiner 2.3 Released!

2018 February

Examining Malware Redirects with NetworkMiner Professional

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

Antivirus Scanning of a PCAP File

Examining an x509 Covert Channel

Zyklon Malware Network Forensics Video Tutorial

2017 December

Don't Delete PCAP Files - Trim Them!

2017 October

CapLoader 1.6 Released

2017 September

Hunting AdwindRAT with SSL Heuristics

2017 August

NetworkMiner 2.2 Released

2017 March

CapLoader 1.5 Released

Enable file extraction from PCAP with NetworkMiner in six steps

2017 January

NetworkMiner 2.1 Released

2016 October

Reading cached packets with Wireshark

Detect TCP content injection attacks with findject

2016 September

PacketCache lets you Go Back in Time

Bug Bounty PCAP T-shirts

2016 May

Detecting Periodic Flows with CapLoader 1.4

2016 March

Packet Injection Attacks in the Wild

2016 February

Analyzing Web Browsing Activity

2015 December

Network Forensics Training at TROOPERS

2015 November

BPF is your Friend

From 4SICS with ICS PCAP Files

2015 October

Port Independent Protocol Detection

2015 September

CapLoader 1.3 Released

Covert Man-on-the-Side Attacks

2015 August

Rinse-Repeat Intrusion Detection

2015 June

Two-day Network Forensics Class in Stockholm

T-shirt : PCAP or it didn't happen

2015 March

China's Man-on-the-Side Attack on GitHub

2015 January

Chinese MITM attack on outlook.com

2014 November

Observing the Havex RAT

2014 October

Chinese MITM Attack on iCloud

Verifying Chinese MITM of Yahoo

2014 September

Analysis of Chinese MITM on Google

2014 April

Keyword Search in PCAP files

2014 March

Carving Network Packets from Memory Dump Files

Search and Carve Packets with CapLoader 1.2

2013 October

Command-line Forensics of hacked PHP.net

2013 August

Security Advisory: Two Vulnerabilities in NetworkMiner

2013 April

Detecting TOR Communication in Network Traffic

2013 February

Extracting Metadata from PcapNG files

2013 January

Analyzing 85 GB of PCAP in 2 hours

CapLoader 1.1 Released

2012 December

HowTo handle PcapNG files

2012 November

Convert Endace ERF capture files to PCAP

2012 August

SCADA Network Forensics with IEC-104

2012 July

WPAD Man in the Middle

twitter

NETRESEC on Twitter

Follow @netresec on twitter:
» twitter.com/netresec