Exam 2 Flashcards

1
Q

Incident Response

A

The planned response process for dealing with network intrusions and misuse of computer systems.
Also known as Incident Handling.
Generally, the intrusion is still active when IR is deployed.

2
Q

Incident Response: Event

A

An observable change to normal behavior on a system or network.
Not necessarily negative.

3
Q

Incident Response: Vulnerability

A

A documented security flaw in system software or hardware.

4
Q

Incident Response: Exploit

A

A security attack using a vulnerability.

5
Q

Incident Response: Threat

A

The potential for an attacker to exploit a vulnerability.

Weighted by consequences of vulnerability and likelihood of exploit taking advantage of the vulnerability.

6
Q

Incident Response: Alert

A

A notification of an event to responsible parties.

Requires further investigation.

7
Q

Incident Response: Incident

A

A malicious event caused by an attacker exploiting a vulnerability.

8
Q

Incident Response: Cycle

A
Preparation.
Identification.
Containment.
Eradication.
Recovery.
Follow-Up / Lessons Learned.
9
Q

Process

A

An instance of a running application/executable.

10
Q

Windows Task Manager

A

GUI to view processes.
Ctrl-Alt-Del or ‘taskmgr.exe’ to access system’s task manager.
‘tasklist’ command line also works.

11
Q

Should we necessarily trust the Task Manager on an infected system to tell us the truth?

A

We can use our OWN copy of tasklist.exe.

We can also use our own copy of Process Explorer (SysInternals) or Process Hacker (available on SourceForge).

12
Q

Services

A

A background process that requires no user interaction.
Windows Task Manager.
‘tasklist /svc’ gives us services with corresponding processes.
Windows Service Control Manager GUI ‘services.msc’.

13
Q

Scheduled Task

A
A scheduled task is a process/service that runs when a specific condition is met.
Usually timestamp(s).
14
Q

Windows Task Scheduler

A

Provides GUI to scheduled tasks.

15
Q

Persistence

A

Keeps coming back!

16
Q

Autoruns

A

Most often used tricks involve using Windows Registry database.
Sysinternals includes a tool called Autoruns that looks at ALL of the known methods for persistence.

17
Q

ipconfig

A

Network configuration details can be seen using ipconfig.
Use ‘ipconfig /all’ to display all the NIC configurations.
Includes IP address(es), MAC address, default gateway router, DNS/DHCP servers.
Can also see the DNS cache with ‘ipconfig /dns’.

18
Q

Listening

A

App is bound to a port and waiting for connections.

19
Q

Established

A

There is an established communication stream.

20
Q

netstat

A

Use netstat to view network connections on an end system.
‘netstat’ by default does DNS and known-port lookups.
Time consuming and sometimes wrong!
‘netstat -na’ to turn off this feature.

21
Q

User Accounts

A

Once a malicious actor compromises a system, they commonly create an administrator account to access later.
Bank on people not monitoring the accounts on a system.

22
Q

Sysinternals Suite

A
A suite of network troubleshooting utilities provided free by Microsoft for Windows.
Autoruns was previously discussed.
TCPView (think a GUI of netstat info)
TCPView Console (command line view)
Process Explorer (better Task Manager)
23
Q

Sysinternals Ps Tools

A

Sysinternals Suite includes a set of tools for management of remote connections.
Begin with “Ps”.

24
Q

PsFile

A

Shows files being accessed remotely.

25
Q

PsLoggedOn

A

Shows users logged onto system (local or remote).

26
Q

PsExec

A

Allows the execution of processes remotely on a system.
Requires username and password for a user account.
BEWARE!!!
Attackers commonly install PsExec on a system they compromise to execute commands on it including a backdoor setup.

27
Q

PCAPS

A

A “full packet capture” is generally stored in a PCAP file.
.pcap extension most common.
Contains a bit for bit copy of what traversed the wire.
Windows uses WinPcap.
Note that while we use the term packets for captures we are actually capturing Layer 2 FRAMES.
As previously discussed what traverses the wire is a frame.

28
Q

Network Sniffer

A

A tool that places a target NIC into promiscuous mode.
TCPDUMP and tshark offer command line sniffer tools.
Wireshark is a network sniffer with a GUI.

29
Q

Promiscuous Mode

A

Will accept any packet that it receives on the wire for processing.
The sniffer will record all packets that traverse the NIC in a PCAP.
Sniffers generally must be run with administrator privileges.

30
Q

Wireshark

A

GUI.
Both a network/packet sniffer and protocol analyzer.
Includes dissectors.

31
Q

Capture Filters

A

Can be applied to limit the traffic we capture.
Limit the scope (minimize data loss).
Make it easier to find what we are looking for later.

32
Q

Once we apply a Capture Filter:

A

Traffic that matches -> Copied to PCAP.
Traffic that doesn’t -> dropped by sniffer.
We will NEVER be able to see those packets again.
This is the opposite of Display Filters.

33
Q

Software Shortcoming: Network Sniffer

A

Remember that a hub sends traffic to everyone attached.
A promiscuous NIC on a hub-based LAN would see ALL traffic on the network.
Most modern LANs are not using hubs…using switches!
If our promiscuous NIC is on a device connected to a switch, will it only see our own traffic?

34
Q

Hardware Network Sniffers

A

Two most common implementations:
Network taps.
Port spanning.

35
Q

Taps

A

A hardware device that is placed between two network devices to send all traffic between them to a monitoring device.
Traffic still goes to proper destination, but also goes to monitor.
The monitoring device could be a server or just a system running TCPDUMP or Wireshark.

36
Q

Hardware Sniffer Placement

A

Placement of a network sniffer is very important.
It is important we consider WHAT traffic we want to monitor.
WHERE on the network would allow us to see that traffic.
Not every part of the network sees everything.
Different segments have a different POV.

37
Q

Port Spanning

A

Some switches have a built in SPAN port.
It is possible to configure the switch to mirror traffic to/from one of its ports to the SPAN port.
Also possible to mirror traffic to/from all ports to the SPAN port.
Can create a bottleneck = results in lost packets.

38
Q

Hashing

A

The process of taking data, processing it with a hashing function (math magic), and resulting in a fixed-length output.
MD5, SHA-1, SHA-256, SHA-512.

39
Q

Investigative Leads

A

Gathered from host artifacts, PCAPs, log files, storage media images, etc.
Evidence we gather during IR.

40
Q

OSINT

A

Open source intelligence (OSINT) tools to learn more about these leads (for attribution).
Doesn’t require law enforcement legal process.
WHOIS/DNS.
SMTP Headers.
VirusTotal.

41
Q

WHOIS for IPs

A

When we have a suspect IP address, we can perform a WHOIS query on it to determine what block of IPs it belongs to.
MAY include info on the org, location, and contact info associated with the block of IP addresses.

42
Q

WHOIS for Domains

A

When we have a suspect domain, we can perform a WHOIS.
Will first perform a DNS query to return the DNS records it can find for the domain.
This data is retrieved from DNS.
Will include the Registrar.

43
Q

SMTP Headers

A

Recall that SMTP is used to SEND email.
It takes multiple hops to multiple SMTP servers to get to the recipient’s mail server (where they retrieve it from).
Generally you want to look for an indicator about the originator (first hop) of the email.

44
Q

VirusTotal

A

If during IR or forensics a potential sample is uncovered, use VirusTotal to determine if anyone (AntiVirus and AntiMalware companies) has IDed it already as malicious

45
Q

Packet Sniffer

A

Sniffer places a NIC in promiscuous mode.
Captures all traffic the NIC sees in a PCAP.
Only goal is to produce a bit for bit copy of what traverses the NIC.

46
Q

Protocol Analyzer

A

Has some knowledge of how protocols are specified and what headers and data they contain.
DECIPHERS the content of the bits into something meaningful.
Also called a packet analyzer or network analyzer.

47
Q

Wireshark: Packet List

A

Contains all the packets in the capture file.

Columns correspond to different information about each packet.

48
Q

Wireshark: Packet Details

A

Contains the contents of the currently selected packet in a form dissected by Wireshark (analyzer!).
Displayed by the LAYERS of the packet.
Each layer can be opened to examine the contents of its header.
All the way until you reach the data/payload.

49
Q

Wireshark: Packet Bytes

A

Displays the contents of the currently selected packet in its raw (unprocessed) form.
Displayed in Hex (with an ASCII translation).
This is the binary data that is ACTUALLY sent across the wire.

50
Q

Wireshark: Dissectors

A

What makes Wireshark a protocol analyzer.
So it can ID the types of data in each frame and pull out all the fields from all the headers and payload data.
This is how it can display all the layers in the Packet Details.

51
Q

Nonstandard Ports

A

Wireshark relies a lot on standard port numbers to identify what dissector to use.
If we ID that a port looks like a certain protocol, we can force Wireshark to apply a dissector on those packets.

52
Q

Nonstandard Ports: “Decode as”

A

Right Click and select “Decode as”.
Select the protocol you want Wireshark to interpret the port as.
Also go to Edit ‐> Preferences.
Can select the protocol dissector and add the nonstandard port to its list of ports.

53
Q

Display Filters

A

Used by protocol analyzers to limit the packets being displayed to the analyst from the PCAP.
It is still in the PCAP…just not currently displayed.

54
Q

Applying a Display Filter

A

Method #1: Just type it into the Display Filter bar.
Method #2: Find something of interest in the Packet Details, Right Click, and select Prepare as Filter or Apply as Filter.
Method #3: Use the Expression Wizard.

55
Q

Capture Filters vs Display Filters

A

Both allow you to filter for a specific protocol.
Both allow you to filter for a specific address/domains.
Display Filters allow you to filter on specific fields in
headers/data.

56
Q

Wireshark: Timestamps

A

Default = seconds since start of capture.
View ‐> Time Display Format.
MANY time options.
Date/Timestamp probably more helpful.

57
Q

Wireshark: Time Shifting

A

CTRL‐SHIFT‐T
• Sometimes the clock on a system may be a tad off
• Time shifting allows you to shift all timestamps by a set amount
• Especially useful for merging PCAPs that don’t sync

58
Q

Wireshark: Time Reference

A

CTRL‐T on a selected packet in Packet List
• Selected packet becomes a time reference point
• All subsequent packets’ time is in reference to that packet
• Only works if timestamp is in seconds since capture

59
Q

Wireshark: Name Resolutions

A

• Wireshark has the ability to do name resolutions
• MAC Addresses (the vendor from the OUI)
• IP Addresses (domains associated with the IP)
• Port Numbers (protocols associated with standard port)
If this is on while capturing, Wireshark may send additional traffic not actually going on the NIC
• DNS requests to resolve the IPs (for PTR records)
• This should be turned off when capturing!
View ‐> Name Resolution
• Edit ‐> Preferences ‐> Name Resolution

60
Q

Saving PCAPS

A
File ‐> Save As (or hit CTRL‐SHIFT‐S).
File ‐> Export Specified Packets
• Can save:
• Single current selected packet
• Marked packets
• Packets from first marked to last marked
• A range of packets by packet no
61
Q

Merging PCAPS

A

Sometimes we may have more than one PCAP file we want to merge into a single PCAP for analysis
• File ‐> Merge
• Merge currently opened PCAP with another file

62
Q

Finding a Packet

A
Edit ‐> Find Packet
• CTRL‐F
• Can search packets for:
• Strings (Example: “evil”)
• Hex Values (Example: 90909090)
• Regular Expressions (Example: “.*\.doc”)
63
Q

Go To = Teleporting

A

You can jump directly to a specific packet
• Go ‐> Go To Packet
• CTRL‐G
Jump by the Packet Number
• NOTE: Packet Number is a Wireshark thing

64
Q

Wireshark: Bookmarking

A
We can mark packets that are especially important
• Edit ‐> Mark/Unmark Packet
• CTRL‐ M
• Hit it again to unmark the packet
We can jump from one marked packet to another
• Edit ‐> Next Mark or
Edit ‐> Previous Mark
• We saw we can also save just marked packets
• File ‐> Export Specified Packets
65
Q

Wireshark: Statistics

A

Statistics Menu
• Protocol Hierarchy
• Conversations
• Endpoints

66
Q

Protocol Hierarchy

A

Distribution of traffic by protocol

• See what protocols dominate the traffic (or look for anomalies)

67
Q

Endpoints

A

Each device sending or receiving data on the network is an endpoint
• Correspond to our network addresses
• Endpoints statistics show us all of the endpoints seen in the network traffic capture
• Generally good to look for “big talkers” and “anomaly outliers”

68
Q

Conversations

A

Communication between two endpoints is a conversation.

Conversations statistics show us each conversation in the network traffic capture.

69
Q

Following Streams

A

Almost all data transmitted over a network must be chunked into multiple data units
• One of the greatest weapons in an analyst’s Wireshark toolbox is the ability to Follow Streams of data
• Wireshark automatically reassembles data into a consolidated format

70
Q

Four Types of Streams

A

• TCP Stream – Reassembles TCP segments for a specific session
• UDP Stream – Reassembles UDP datagrams for a specific session
• SSL Stream – Reassembles data chunks from SSL/TLS encrypted protocols like HTTPS for a specific TCP session
• HTTP Stream – Reassembles/Decompresses data chunks from HTTP for a specific TCP session

71
Q

Three Methods for Following Streams

A
All begin with selecting a packet of interest whose stream you wish to view
• 1) Right‐Click, Follow ‐> _____ Stream
• 2) Analyze ‐> Follow ‐> _____ Stream
• 3) Keyboard Shortcuts
72
Q

Export Objects

A

Wireshark provides capability to carve out files from packets
• Files are typically chunked in many separate packets
• Wireshark can reassemble and export them for you
• File ‐> Export Objects
• Most commonly done for HTTP

73
Q

Network Miner

A

Protocol analyzer GUI tool.
Packet Sniffer.
The real strength of Network Miner is in carving files from packets.

74
Q

CLI

A

Command Line Interface.

tcpdump and TShark.

75
Q

Command Line Flags

A
• -i: specifies the NIC to capture on
• -w: writes to a specified PCAP file
• -r: reads from a specified PCAP file
• -c: limits the number of packets displayed/captured
76
Q

Increasing Verbosity

A

Increase verbosity to see more details per packet.
“-v”, “-vv”, or “-vvv” in Tcpdump.
“-V” in Tshark.

77
Q

Command Line: Name Resolution

A

Tcpdump and Tshark attempt to do name resolution for addresses for us (by default).
Use “-n” in both to turn it OFF.

78
Q

Tshark: Filters

A

Like Wireshark, TShark allows for two types of filters:
• Capture Filters and Display Filters
• Think Capture Filters used with -i and Display Filters with -r
Use -f to specify a capture filter
Use -Y to specify a display filter

79
Q

Command Line: Filters (For PCAP Downsizing)

A

Take a large PCAP (that would take long to load in GUI) and filter it down to a smaller PCAP
• We achieve this by using BOTH -r and -w with some filter

80
Q

Tshark: Time Display

A

To change the time display to a date/timestamp, use “-ad”.

81
Q

Tshark: Statistics

A

Use “-z”

Use “-z help” to see all available statistics options

82
Q

Tshark: Conversations

A

Use “-z conv,ip” to display the IPv4 Conversations

83
Q

GUI vs. Command Line

A

Wireshark’s GUI takes a lot of processing power
• Can result in greater % of dropped (lost) packets in a capture!
• Tcpdump and Tshark are better tools for packet sniffing
Very large PCAPs can overwhelm resources in Wireshark
• The entire file must be loaded into RAM (GUI too)
• Just opening a large PCAP can take a long time to fully load!
• Tcpdump and Tshark can be used to filter the large PCAP down into a smaller (new) PCAP of “interesting” packets to analyze in Wireshark (with GUI)