Network Traffic Analysis - Web Server Compromise

Overview

Disclaimer: This is not aimed at delivering the level of supporting computer science knowledge, and self study is a requirement to obtain proficiency.

Scope

This tutorial is based on a PCAP file of an alleged web server compromise and potential data loss. The file contains connections to a single web server over a number of days. It walks through common approaches used when parsing network captures.

Required Tooling

  • Wireshark
  • NGREP

Competency

Level: Basic, Difficulty: Easy, Computer Science: TCP/IP, UDP, HTTP

Competency Areas:

  • Vulnerabilities Assessment - Skill in performing packet-level analysis using appropriate tools.
  • Infrastructure Design - Knowledge of network protocols and directory services.
  • Information Systems/Network Security - Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
  • Computer Network Defence - Knowledge of common attack vectors on the network layer.

Learning Outcome

With practice this will allow the student to navigate through network capture data and search for indicators or anomalies.

Visual inspection and pattern search will allow students to become familiar with the type of data they would expect to see and signs of untoward network traffic.

Subject

The initial traffic view confirms web-based HTTP access. Tools such as Wireshark or ngrep can then be used to run simple queries that search for particular interactions with the web server, such as HEAD or GET requests.

This allows a crude filtering of the traffic through ngrep to help focus in on activity. Wireshark graphical inspection allows a more visual view of the entire traffic to spot obvious traffic patterns and suspect GET requests.

This approach is useful in quickly identifying relevant packet information and remote hosts. A more detailed view of the traffic then allows an analyst to identify the exchanged packets and form a hypothesis of what occurred on the web server.

This method also makes it possible to identify what was attempted and failed, or resulted in a 404 response, which helps to ascertain the motive behind the enumeration or intrusion.

Being able to reduce the data volume when dealing with network traffic is essential as part of triage, ensuring the analyst focuses on the pertinent data when time is limited.
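The filtering approach described above (pick out GET/HEAD requests, correlate them with the server's responses, and flag remote hosts whose requests keep ending in 404) can be scripted once ngrep has reduced the capture to text. The following is an added example written for this page, not code from the original tutorial; the input is a constructed block of text in the shape of `ngrep -q` output (a `T src:port -> dst:port [flags]` header line followed by the payload with non-printable bytes shown as dots), and the server port, addresses and paths are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ngrep -q` output; not from a real capture.
SAMPLE = """
T 203.0.113.7:51234 -> 192.0.2.10:80 [AP]
GET /index.html HTTP/1.1..Host: www.example.com....
T 192.0.2.10:80 -> 203.0.113.7:51234 [AP]
HTTP/1.1 200 OK..Content-Type: text/html....
T 203.0.113.7:51236 -> 192.0.2.10:80 [AP]
GET /admin/ HTTP/1.1..Host: www.example.com....
T 192.0.2.10:80 -> 203.0.113.7:51236 [AP]
HTTP/1.1 404 Not Found....
T 203.0.113.7:51238 -> 192.0.2.10:80 [AP]
GET /backup.zip HTTP/1.1..Host: www.example.com....
T 192.0.2.10:80 -> 203.0.113.7:51238 [AP]
HTTP/1.1 404 Not Found....
T 198.51.100.4:40000 -> 192.0.2.10:80 [AP]
HEAD / HTTP/1.1..Host: www.example.com....
T 192.0.2.10:80 -> 198.51.100.4:40000 [AP]
HTTP/1.1 200 OK....
T 198.51.100.4:40002 -> 192.0.2.10:80 [AP]
GET /about.html HTTP/1.1..Host: www.example.com....
T 192.0.2.10:80 -> 198.51.100.4:40002 [AP]
HTTP/1.1 200 OK....
"""

HEADER_RE = re.compile(r"^T (\S+):(\d+) -> (\S+):(\d+) \[\w+\]$")
REQUEST_RE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_ngrep(text):
    """Return a list of (src, sport, dst, dport, payload) tuples.

    Each ngrep record is a header line followed by one payload line;
    anything that does not fit that shape is skipped.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    records = []
    i = 0
    while i < len(lines):
        match = HEADER_RE.match(lines[i])
        if match and i + 1 < len(lines):
            src, sport, dst, dport = match.groups()
            records.append((src, int(sport), dst, int(dport), lines[i + 1]))
            i += 2
        else:
            i += 1
    return records


def summarize(records, server_port=80):
    """Count requests per remote host and collect the paths that drew a 404.

    Requests are keyed by the client's (ip, port) flow so that the server's
    reply on the same flow can be matched back to the path that was asked for.
    """
    pending = {}  # (client_ip, client_port) -> (method, path) awaiting a reply
    per_client = defaultdict(lambda: {"requests": 0, "not_found": []})
    for src, sport, dst, dport, payload in records:
        if dport == server_port:  # client -> server: a request line?
            match = REQUEST_RE.match(payload)
            if match:
                pending[(src, sport)] = (match.group(1), match.group(2))
                per_client[src]["requests"] += 1
        elif sport == server_port:  # server -> client: a status line?
            match = STATUS_RE.match(payload)
            request = pending.pop((dst, dport), None)
            if match and request and match.group(1) == "404":
                per_client[dst]["not_found"].append(request[1])
    return dict(per_client)


def suspicious_clients(summary, min_not_found=2):
    """Remote hosts with at least `min_not_found` 404s, most 404s first.

    A host probing for paths that do not exist is the enumeration pattern
    the tutorial describes; the threshold is an assumed triage cut-off.
    """
    hits = [(ip, len(s["not_found"])) for ip, s in summary.items()
            if len(s["not_found"]) >= min_not_found]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    result = summarize(parse_ngrep(SAMPLE))
    for ip, stats in result.items():
        print(ip, stats["requests"], "requests,", stats["not_found"] or "no 404s")
    print("worth a closer look:", suspicious_clients(result))
```

In practice the `SAMPLE` string would be replaced by the saved output of something like `ngrep -q -I capture.pcap 'GET|HEAD|HTTP/1' 'port 80'`, so the same triage step that the tutorial performs by eye (which remote hosts asked for what, and which of those requests failed) becomes repeatable across a multi-day capture.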

Video

Duration: 24 min

Further Reading Subjects:

  • TCP/IP handshake
  • Common network protocols such as DNS, HTTP, HTTPS, FTP, SFTP, RDP, TELNET, SSH.
  • Ensure a fundamental knowledge of computer networks.