Jumping the T-Shark with Chris Brenton – Video Blog
Video – A.A.S.L.R.
tshark -n -r lab1.pcap -T fields -e ip.src -e ip.dst tcp.flags==2 | sort | uniq -c | sort -rn | head -5
tshark -n -r lab1.pcap -T fields -e ip.dst -e ip.src tcp.flags==18 | sort | uniq -c | sort -rn | head -5
tshark -nr lab1.pcap -T fields -e ip.src -e ip.dst tcp.flags.reset==1 | sort | uniq -c | sort -rn | head -5
tshark -n -r lab2.pcap -T fields -Y data.data -e data.data | xxd -r -p | less -S
tshark -nr lab3.pcap -T fields -e dns.qry.name | grep -v '^$' | cut -d . -f 1 | xxd -r -p | less -S
John Strand (00:00):
Another edition of Antisyphon Address Space Layout Randomization. We are joined by our illustrious crew. We’ve got myself, we’ve got Chris, we’ve got Jason, Serena and Ryan. Once again, as always, this particular edition is brought to you by Black Hills Information Security. If you need to get hacked or are afraid that you have been hacked, or you would like to not get hacked, call Black Hills Information Security for all of your hacking needs. And there’s also-
Chris Brenton (00:26):
Not necessarily in that order.
John Strand (00:27):
Not necessarily in that order. Also Antisyphon InfoSec Training, we’ve got pay what you can training. It’s kick ass training that’s actually affordable. So please check that out. And to that end, speaking of training, this particular ASLR episode, I am very, very honored to introduce you to Chris Brenton. For those of you that may not know, Chris Brenton is an early mentor in my career. I believe that we met the summer, in August of 2003. I know this because he was teaching in Denver while Blaster was spreading all over the place, and he literally dissected the entire thing live, which was absolutely awesome. Got me hooked in the industry. In today’s episode of ASLR, we are literally just going to hand it over to Chris, and Chris is going to do stupid cool TShark tricks. If you’re not familiar with Chris’s body of work, he has been a network ninja for a long, long time. Has run a number of classes dealing with firewalls, VPNs, perimeters, intrusion detection, and is also the COO of Active Countermeasures. So Chris, take it away, sir. What are you going to show us today, sir?
Chris Brenton (01:37):
Speaking of Antisyphon, some of this is kind of adjacent to what’s going on in the packet decoding class that I teach as part of that, but I wanted to just play around with TShark today. A lot of folks know Wireshark, they don’t know TShark. TShark is basically the command line version of Wireshark and you can do some really cool things with it. So I’m going to just start basic. So the first switch I’m going to use with it is dash n, don’t try and resolve any IP addresses to fully qualified domain names. That just makes it a whole lot easier or makes everything run a whole lot faster. And then I’m going to let dash r load up a PCAP file, and then we’ll just pump this through the less command so we can see what’s there.
Chris Brenton (02:16):
And this is what your general output from Tshark looks like. So I can see which frame was it inside the capture? What was the timestamp, source IP, destination IP, here’s my transport. Notice I’m getting some line wrap here. So it all goes together and makes it hard to read. One of the things you can do to straighten that out is just do a dash capital S command at the end of less. And when I do that, oh, hey, look, everything shows up a nice, pretty little column, which makes it-
Jason Blanchard (02:48):
That’s way better.
Chris Brenton (02:49):
Isn’t that way better?
John Strand (02:51):
I can live with that. That’s what everyone’s going to take from this now. We’re going to be like pretty columns
Chris Brenton (02:55):
Dash capital S, that’s all you got to add to the less command and it makes it into nice, pretty columns. You can page up, page down. You can see this stuff scrolled off to the right hand side. I can just right arrow over and get over to that stuff. I’ve got a lot of ethernet frame check sequence incorrect errors here. You may run into that on occasion if you’re capturing packets that you’re sending. If you’re capturing packets while you’re trying to send them, the system will, it has to do with where the CRC check gets generated. If you ever want to get rid of those errors, I can go in and say, hey, I want to change this option. Dash o and the ethernet check for FCS is usually set to true. Here, you can just see I’ve set it to false, and when I go in and do that, oh, hey look, all those nasty little frame errors go away.
Chris Brenton (03:47):
So I can see I’ve got a bunch of systems communicating back and forth here. So one of the things I may want to go through and do is just get a look at, hey, who’s talking to who the most often. It’s a good way to go in and look for port scans, look for command and control channels. There’s a lot of reasons why you may want to go through and hit that. We can see it here, who’s talking to who, but we got a lot of data here that we may not necessarily care about. In other words, if all I care about is who’s talking to who, the only things I really care about seeing is the source IP address and the destination IP address.
Chris Brenton (04:21):
One of the really cool things you can do at TShark that you can’t do with like TCP dump and other tools is you can say, no, no, no, don’t print out that generic summary. I’m going to tell you exactly the fields I want to see. So notice I’ve added in a command here, dash capital T. That allows me to go in and specify what fields I want to look at, and this says, show me the source IP address. This says, show me the destination IP address. And then I’m just running it through the head command so that’ll show me 10 lines worth of output. That’s what we got going on here.
Chris Brenton (04:50):
Now, remember, we’re looking at raw packets. So this isn’t like a unique session each way. What I’m actually looking at is the number of packets going in each direction. So one of the things I may want to do is go in and just look at connection establishment. In other words, if I look at when was the TCP SYN flag turned on, that’s just going to show me packets that we use to start a session, and that’ll give me a better idea of what’s actually being generated for unique sessions between systems.
Chris Brenton (05:23):
So I’m still using that dash T fields command, still looking at source IP, destination IP. I got a display filter in here that I added in. I’m saying TCP dot flags. So basically, what I’m doing is I’m saying, go to byte 13 in the TCP header, the lower six order bits, those are my TCP flags. If those six bits combined equals two, that’s an interesting packet and that’s something I want to see. What’s two? Well, two is the value of that section if the SYN flag is turned on and everything else is turned off. So effectively, what I’m looking for is first packet in a TCP session. Then I ran that through sort.
Chris Brenton (06:02):
So what the sort command here is doing is it’s just saying, hey, anytime the source IP address and the destination IP address are the same, line them up one line after the other, and then I’m running it through uniq dash c. Uniq dash c says, okay, if there’s 50 instances of one IP talking to another, compact that down to one line, but give me the number 50 to be able to tell me that there were 50 instances of that in there. It’s going to allow me to count very quickly how many sessions there are. I dumped it through sort again, my sort dash rn is saying, do a reverse sort. So instead of sorting lowest to highest, sort highest to lowest. And dash n says, this is a numeric value. It’s not alphanumeric, so sort it like it’s a number. And head dash five just says, hey, I only want to see the first five lines worth of output.
Chris Brenton (06:51):
So you can see my very first line here. I’ve got this system 247.10 talking to 247.4, and there’s about 10 times as many connections as I’m seeing on any of the other systems. So if I want to kind of focus in on who’s generating the most number of sessions to who, that would probably be one of the ones I’d want to go in and take a look at first. Now, there’s a problem here and the problem is we’re looking at who sent the greatest number of SYN packets to what IP address. Well, just because they sent a SYN, doesn’t mean that there was actually connection establishment. It doesn’t mean data actually went anywhere. I could send a SYN to, let’s say, port 30 and if nothing’s listening on port 30, that system will say reset ACK, go away. There’s nothing here listening on that port. You need to bother a different port or a different IP address.
Chris Brenton (07:44):
So what if I want to see these systems only when the connection was actually established? Well, instead of looking for a SYN packet, I could look for a SYN-ACK. The way I could do that, TCP flags equals equals 18. Where’s 18 coming from? Bit 16 is my ACK, bit two is SYN. 16 plus two. hey, that gives me 18. So this is saying when the SYN flag is turned on and the ACK flag is turned on, that’s interesting to me. Notice I also swapped destination IP and source IP versus what I did here.
Chris Brenton (08:19):
So think about it this way. My server’s over here, I send a SYN, a SYN-ACK comes back. If I want to visually see who initialized the session on the left hand side, I’m capturing the SYN-ACK packet, so I got to kind of swap that source and destination. So now if I go in and run this, this’ll kind of show me which connections were actually successful between these two systems versus who may just be sending SYN packets. And you can see, yeah, my data’s pretty much the same.
John Strand (08:50):
So, the usefulness on this, if I’m reading it right, I want to make sure I got it right. Is we see, let’s say something gets compromised in the inside of the network, but it’s trying to communicate to a C2 server that is denial listed in the firewall, it’s trying to make the connection again and again and again, but it’s not actually establishing the connection. Correct me if I’m wrong. This is helping you identify that no, this actually made a connection all the way through, correct?
Chris Brenton (09:15):
Correct. So if I look at my first line of output, I can see 247.3 12 times sent a SYN packet to 247.4. Well, if I look at the output down here, that entry’s gone. So what that tells me is those 12 SYN packets went to some port that that system wasn’t actually listening on. Now, this looks like-
John Strand (09:35):
Or are being dropped somewhere in the middle, like a firewall, maybe.
Chris Brenton (09:38):
Exactly. These two IPs are one right after the other on the same subnet. So I’m assuming I’m looking at the subnet and maybe I got a communication problem here. But yeah, if it was two different subnets, it could be a firewall in the way. Or like I said, that system just isn’t listening on that port. So what’s coming back is not a SYN-ACK, but a reset ACK.
Jason Blanchard (10:05):
This reminds me of Spanish class. Where they’re like, here’s a bunch of words and I’m like, Mm-hmm. Eventually, eventually it will make sense.
Chris Brenton (10:17):
Well, we were talking about resets. They’re actually interesting to look at, too. I like resets because it’s an indication of something went wrong. Either somebody tried to connect to a port that was closed or something went wrong with a session. Again, I can go in and I can do my display filter to say, TCP dot flags equals equals four. Four is the reset bit. So what I’m going in and I’m saying here is show me any packets that have the reset flag turned on. Now this will come back and this will tell me, okay, this is who’s sending resets to who. Now, typically what that’s an indication of is this system sent a packet to this one that it wasn’t happy with and that’s why that system sent the reset back to the other.
John Strand (11:02):
Okay. So this also brings up an interesting thing. When you’re looking at the TCP flags and the values that are being set, there’s been people in the industry that are like, oh, we don’t need to know the TCP IP header anymore. But, if you really want to dig, and you want to be effective, you kind of need to understand these flags a little bit, right?
Chris Brenton (11:20):
Right. Right. So for example, one of the things is we’re looking at TCP, the only TCP flag being turned on is the reset flag. That should never really happen. The only time it should happen is if I’m sending a FIN packet to an open port or something where no, this is just horribly wrong. So the fact that we’ve got any in here at all says, we’ve got some weird communication taking place on the network because typically what you’ll get back is a reset ACK.
John Strand (11:50):
Yeah, and for me, looking at this as an attacker, we do that type of reset type scanning sometimes. So we’ll use that. So you’re right, I can’t think of something where it’s totally legit that this would stand up and be like, yeah, this totally makes sense.
Chris Brenton (12:07):
Yeah, exactly. Exactly. So as we were just saying, reset turned on by itself, that’s kind of odd. Usually it’s going to be a reset ACK. So how do I get to see a reset ACK? Well, I could have gone in and said, reset 4, ACK 16. So TCP dot flags equals equals 20. But if I did that, I’d just be showing you the same filter again. I wanted to also show you that you can actually call out the flag you’re interested in. This will automatically ignore everything else. So this could be a Christmas tree scan with all the flags turned on and it doesn’t care. It’s just looking at this one flag.
John Strand (12:48):
Cool. We had a question from, I’m going to mispronounce this name, Lameel Velo. So, you can ping with reset to see if that system is alive. Is that correct?
Chris Brenton (12:58):
So actually, that’s not correct because the RFCs state thou shalt not respond to an error packet. A reset packet is considered an error packet, so you should never respond. Because otherwise, it’s like the systems are in New Jersey. Reset? Oh, reset me? Well, reset you, too. We don’t want the internet going that way.
John Strand (13:18):
So there’s a handful of situations where you’re not supposed to respond. You’re not supposed to respond to errors. You’re not supposed to respond to packets that have an invalid TCP checksum, as well.
John Strand (13:29):
I like this. Damn, Chris. Where were you when I was taking my GCIA? [inaudible 00:13:35] LOL I love [inaudible 00:13:37] No comment.
Chris Brenton (13:39):
Yep. So, in this instance here, I’m just looking at the reset flag. One means it’s turned on. Zero means it’s turned off. So I’m going in and saying, hey, look for the reset flag turned on, ignore all the other flags. I don’t care about those. I don’t care what the status is of those. And then the sort unique sort that I did before. Notice, now that I’m looking for reset ACK, we’ve got very different data than what we got when we were looking for reset set by itself. 560 plus instances. We talked about these should not be New Jersey based systems, they should not be resetting back and forth and yet, I can see this system sent 168 resets to this one, and that one responded with 561 resets. No, no, something’s really, really wrong here.
Chris Brenton (14:30):
If I look at my second two entries, I get the same thing. 136 instances of one system sending a reset to one and another one sending a reset back. Oh no, that should not be happening. So, again, one of the things I like about resets is something is horribly wrong here. Maybe it’s a security issue. Maybe it’s an IT or a networking issue, but either way something’s wrong and is worth paying attention to.
Chris Brenton (15:00):
Cool. So that’s some of the flag stuff.
Jason Blanchard (15:03):
Quick question. Is a New Jersey based system where it’s located or slang for something that’s going wrong with the system?
John Strand (15:10):
When they start fighting with each other for no good reason.
Chris Brenton (15:14):
Yeah, exactly. Exactly. Well, it’s kind of that New York, New Jersey thing where you say a slur to me, I say a slur back at you. So I was using that in the context of reset packets. [inaudible 00:15:26]
Jason Blanchard (15:27):
For a moment, I was like, how’d you know, the system was based in New Jersey?
Chris Brenton (15:33):
Yeah, because it’s doing the reset me? Well, reset you, too.
John Strand (15:34):
He’s got all the IP addresses memorized. [inaudible 00:15:38]
Chris Brenton (15:41):
The ones I don’t know off the top of my head, Stearns knows.
Jason Blanchard (15:44):
That’s why we keep him around that.
John Strand (15:48):
All right, that’s awesome. So that’s a really nice, this is the way you can do some level of filtering from the command line. And the thing I love about this is you can do these filters, and you can do it from the command line. And instead of just being stuck within the ecosystem of Wireshark, all of a sudden you can bring all of bash to the party. You bring sort, you bring unique, you bring head. That’s really cool because it opens up your toolbox as far as what you can do.
Chris Brenton (16:14):
I want to be clear before I trigger haters. I don’t hate Wireshark. Wireshark is a really good tool, but every tool has something it’s strong at and it’s kind of a bummer in other things. So there are times when TShark actually makes a better tool. Like, hey, all I cared about was who was talking to who. Trying to get this out of Wireshark and get it out of it accurately is really hard.
Jason Blanchard (16:42):
Well, I know your TShark blogs have done really well over the years for Active Countermeasures because people, they find it.
Chris Brenton (16:50):
I know I refer back to them all the time.
Jason Blanchard (16:53):
There was a moment you talked about everyone coming to the party like bash and head, and I just feel like they should be characters and we should actually have a real party where they all come and hang out with Tshark.
John Strand (17:02):
We need that to happen. That’s another t-shirt or a comic. So there we go.
Chris Brenton (17:06):
Yep. Yeah. The advanced threat hunting class that I teach through Antisyphon, I teach folks early on your mantra is sort, unique, sort. Because so much of this stuff, you’re running it through sort then unique and then sort at the end.
John Strand (17:20):
You talk about Bill, and I was running into this last week, and I did sort, unique, sort and I felt dirty. There has to be a more efficient way than using sort twice, and Bill was like, no, John, it’s fine. That happens all the time. It’s totally the way it works and that was pretty cool. All right. So now we got the second one.
Jason Blanchard (17:43):
Someone figured out where the ASN is coming out. It’s out of AT&T out of Washington DC. [inaudible 00:17:51]
John Strand (17:52):
These are the types of people we like to party with.
Chris Brenton (17:54):
Yeah, exactly. Exactly. So I mentioned there’s some things you can do with TShark that you can’t do at Wireshark. So let’s look at an example of that. So here you can see I’ve got one system pinging another. So we’ve got an echo request, an echo reply, back and forth, back and forth, back and forth. But they’re kind of weird. One of our rules when we ping things, is that whatever was in the payload needs to be reflected back in the echo reply. So if I had a 56 bit echo request, I would expect a 56 to come back, regardless of what that other operating system happens to be. So the fact that this is changing is kind of weird. Now, the only time it might be different and it’s not actually a payload issue is if, let’s say, the larger packet had IP options turned on. There could be record route turned on or something like that. That might explain why it’s a little bigger.
John Strand (18:49):
I don’t think we see that that much anymore, do we?
Chris Brenton (18:52):
Well, except for the folks who go through my class, because there’s actually some cool things you can do with that. TShark would show us that, it would show us that the record route option was turned on or the loose source routing option was turned on or whatever the case may be, and we don’t see that in the output. So this is definitely the payload sizes are different, which is kind of weird. So I’m just going to page through these a little bit. What happened here? So we’ve got a 56 echo request, a 42 echo reply, a 56 echo request, and then that 42 jumps to 46. There’s an extra four bits in there for some reason. That’s kind of odd. And then that causes my echo request to jump up to 160.
Chris Brenton (19:42):
So something’s going on in the payload here, clearly. So one of the things that would be really cool is if I could follow this TCP stream. Oh wait, Wireshark does that. I can go into Wireshark. I can go in and I can say follow, oh wait, I have a TCP option. UDP, DCCP. So those are my only transports that are supported. These are all application level. I don’t have an ICMP option. I could follow TCP. And when you follow TCP, for anybody who hasn’t played with this before, oh, you got to use this. Because what this is showing me is what traffic is going in what direction? And it just takes all the packets and combines them all together, which is kind of cool. It makes this really easy to read. So this is an awesome tool that I like to use a lot.
Chris Brenton (20:27):
But like we said, there’s no follow ICMP. So if I know something weird’s going on here in the payload, but I can’t stream that out, what do I do? Well, luckily, one of the things I can do is I can actually stream that out with TShark. Let me show you what I mean. So we’re going to go in and we’re going to say TShark dash n don’t resolve IPs, dash r read this PCAP file, dash T fields. So remember that allows us to specify what fields we want to see. I’m saying the field I want to see is dash e the data field, and then I’m creating a display filter that says data.data. Only show me the data.
Chris Brenton (21:11):
Now, I could have just said, put that at the end, but then I couldn’t show you oh, hey look, you can do display filters with dash capital Y, too. Multiple ways to do the same thing. Sometimes it’s fun to have one versus another. So what’s this do for me? Well, let’s go through and let’s just kind of look at what this output looks like. I’m just going to pump this through head dash 20. And we’re going to take a look at what that looks like. And notice what it’s doing. Here is all of my payloads, the hex output from those. Cool.
John Strand (21:40):
Where’s Judy Novak when you need her?
Chris Brenton (21:43):
Yeah, really. Right? And I got a loop going here. Lucky me. All right. So that goes through and that gives me hex output. Wouldn’t it be nice if this was in ASCII? One of my Linux command line tools is xxd. xxd takes ASCII characters, converts them to hex. So what I’m going to say is xxd dash r, I want you to do it in reverse. So instead of going from ASCII to hex, I want to go from hex to ASCII. And then I’m going to say dash p, I want to print that out as plain text, and then we’re going to do our wonderful less dash capital S command. So what this is going to do is take all of those ICMP payloads and string them all together. [inaudible 00:22:29]
Chris Brenton (22:29):
Now, remember that when we saw the change in the size, we went from 42 to 46 bytes. So we said there was an extra four bytes that went by, and then all of a sudden things got weird. Well, look at my first line. D I R enter, oh, that’s four characters. So the system sending the replies, the echo replies embedded D I R in it, it mirrored that back like it was a terminal running over echo request, echo reply packets, and oh, hey look what came out of the system sending the echo request. Here’s the contents of my temp directory. Oh, hey look. Here’s what happens when you run task list. What is this? This is a command and control channel that’s running over ICMP, but by reassembling the payloads we can clearly see this. Like I said, with Wireshark, yeah, no. There’s no ICMP follow option. You can’t do it here. So if you’ve got ICMP that you need to reassemble and you can’t do it in Wireshark, here’s how to go through and do it in TShark.
Jason Blanchard (23:41):
Awesome. So that felt like in a mystery movie when they were like, and the gun belongs to.
John Strand (23:53):
It’s the prestige, right? You have the different steps of a magic trick and then boom, the prestige. Here’s the files on your system.
Chris Brenton (24:06):
That was really interesting because we were just talking about DNS, and then I had made that video of DNS tunneling and sending information through DNS to command and control. I didn’t know you could do that with ICMP. Great.
Chris Brenton (24:23):
So, John mentioned we’ve been at this for a while. One of the things I did in a past life was back when Y2K was all a thing, the government [inaudible 00:24:37]
Jason Blanchard (24:36):
Some people are like, we weren’t born yet, Chris.
Chris Brenton (24:39):
I know exactly.
Jason Blanchard (24:40):
It’s fine, keep going.
Chris Brenton (24:44):
One of the things the government was worried about was not so much Y2K, they didn’t have a big enough date space, but who would actually try and leverage that to attack systems and try and make it look like it’s a Y2K bug when it’s actually somebody breaking in. As part of this team, I detected a command and control channel running over ICMP echo or excuse me, error packets. I think it was host unreachable packets that were going by. Can you do this over ICMP? Oh yeah. This was actually the first C2 channel I ever found in the wild, was one running over ICMP error packets.
John Strand (25:21):
We had anytime chunker ask, what are some C2s that do this? Loki was probably one of the first ones that was widespread a long time ago. And another one is Nishang, is a full PowerShell based ICMP backdoor. Our backdoor testing tool for C2 that Bill does, does it do ICMP, too? I can’t remember. Out of all the things that he does on that one.
Chris Brenton (25:52):
What Bill was using to create the data was Net Cap, and Net Cap does not create ICMP. So what Bill literally just modified and put in my inbox this morning was a version based on hping3 that will do ICMP tunnels. I need to test it and vet it before we release it in the wild. So yeah, the beacon testing tool doesn’t support it today, but probably will by next week.
John Strand (26:20):
Now, another interesting thing about ICMP and malformed ICMP packets, that is usually one of the first rules that security teams disable because anytime you get a malformed ICMP packet, there’s a ton of legacy rules that deal with things like Loki and things of that nature. But there’s also old vulnerabilities, like Etherleak where you used to be able to leak memory contents off of systems by sending malformed ICMP packets. So what my point is, ICMP as a rule set for IDS systems tends to be very noisy and many organizations just shut it off and it creates a blind spot for them.
Chris Brenton (27:00):
Well, no, you don’t get that alert anymore. So it’s no longer a problem.
John Strand (27:03):
And once again, anytime chunker, we’re not saying Wireshark needs to up its game. Remember these are a lot of the same developers. The use case is very different between these two separate tools. It’s not that one is better or worse than the other.
Chris Brenton (27:16):
Well, they’re both actually part of the same tool set. So Wireshark and TShark is the same code base. The difference is because TShark is command line based, I can manipulate the tool in a way that the developers didn’t think of. So it’s clear from Wireshark, they never thought about reassembling ICMP streams. Why would anybody ever need to do that? It’s a stateless protocol. Well, because they gave me an option to do that in ICMP, we’re able to go through and kind of hit this now. It’s just all a matter of what you’re into.
Jason Blanchard (27:53):
Well rancid X 64, thanks for following. Coffee addicts, thanks for following. PJ slimy, thanks for following. Blood night one, thanks for following.
John Strand (28:04):
Remember, if you follow us, Jason has to try to pronounce your name.
Jason Blanchard (28:08):
So make a second account with an even crazier name and have Jason pronounce it.
Jason Blanchard (28:17):
The worst is when I pronounce a name and I was like, oh, sorry. I really butchered your username and they’re like, it’s my real name. My real name.
John Strand (28:26):
Thank you very much, Mr. A man to hug and kiss. A man to hug and kiss.
Chris Brenton (28:34):
If I can just hit one more real quick because it was brought up, you can do this over DNS. So here’s some DNS traffic. We’ve got a lot of queries taking place here. One of the things, again, I can do with TShark is I can say, just show me what I care about. So I can go in and I can say dash T fields, show me just the DNS query names. And if I go in and do that, those are some weird names, aren’t they? And this is not what I would ever choose to name a system. I’m sure most people here are kind of feeling the same way.
Jason Blanchard (29:08):
That’s the website I get all my medication from.
Chris Brenton (29:10):
There you go.
John Strand (29:10):
That might be a problem.
Chris Brenton (29:16):
Now, notice I got some blank lines in here. The blank lines are simply because not every packet is going to be a DNS query. So anytime a packet is checked, but it doesn’t have this field in it, TShark just prints out a blank line. One of the things I can do to get rid of that is just go in and say, grep dash v anything that’s a blank line. And then once I do that, where’d you go? Here we go. That’s what I wanted. Now that I do that, hey, here’s all my queries one after another. Now we were just talking about hex. Notice anything interesting about the host portion of this?
John Strand (29:55):
So if I’m looking at this, there’s actually some repeating portions of it. That’s interesting.
Chris Brenton (30:01):
Yeah. And it’s numeric and A through F. What uses numbers and A through F? So one of the things we might want to do, yeah, this looks like hex. So one of the things we may want to do is cut this portion out so we just have the hex and only the hex. Well, I can go in and I can use cut for that. So here’s my grep dash v getting rid of the blank lines. And then I’m saying, cut dash d period. My period is my delimiter between fields. And I’m saying dash f 1, just give me the first field. And when I go through and do that, that cuts off the domain name portion of it and just gives me the host. Cool. So now I’ve got that hex.
Chris Brenton (30:42):
Well, now I can go through and I can leverage xxd again to go through and try and decode. What is that hex? Is there anything hidden in there for a message? And when I go through and do that, oh, hey look, default gateway. Oh, this looks like ipconfig type setups. VMnet1. Yeah. That’s usually an interface we’re all going to have if we’re running VMs. There’s some more data that needs to get cleaned up here, obviously. whoami?
John Strand (31:12):
I think you’re getting a lot of terminal garbage coming in.
Jason Blanchard (31:17):
For a second, I thought you were summoning a demon or something. Oh God, no. Chris, stop, stop, stop, stop.
Chris Brenton (31:23):
But notice it looks like they tried to run the whoami command and that was successful, and that produced some additional data, that they CD’d into the downloads directory and I start seeing a bunch of file names. This is another command and control channel running over DNS.
John Strand (31:40):
Now what happens if you pipe that through strings? Does it help clean it up a little bit?
Chris Brenton (31:44):
Let’s find out.
John Strand (31:45):
Yeah. I don’t know what it’s going to do with some of those other characters. No, those characters. It was printing those characters the same. Okay. Interesting. Oh, wow. That is so cool. But still it’s enough to let you know, at this point you have badness on your network.
John Strand (32:12):
This is a bad day.
Chris Brenton (32:13):
Yes. When you see DNS queries leaving your environment that clearly have command sets in them, you’re having a bad day. But again, this is something that’s really easy to go in and kind of tag with TShark.
John Strand (32:25):
Oh, that is so cool. All right. So that’s the three.
Chris Brenton (32:30):
Just one last comment is that I pulled that out of the DNS query, but I could pull that out of any field. So if the CRC is being used to embed information, -e, pull out that CRC, recode it the way you need to.
John Strand (32:46):
Wow. That’s cool. Somebody had mentioned, they said, where can we learn more about this? And then we posted a link to your free network threat hunting class, which I thought was pretty good.
Chris Brenton (32:59):
So this type of content is probably more the pay-what-you-want packet decoding class that I do.
John Strand (33:05):
Awesome. Very cool. Very cool. All right. So now at the end, we really like to get the tech out of the way up front, because there’s a bunch of really impatient people that are doing do-it-yourself crap on YouTube. And they’re like, just get to the point, man. I don’t want to hear knock-knock and fart jokes. So we get those out of the way, we get the tech out of the way. Now it’s open for questions.
John Strand (33:27):
So if anybody that’s listening on Twitch or Discord or Restream or wherever we’re at, has any questions, now is the time to just ask Chris anything. There’s a lot of people, I think that they don’t see this and this gets into something old dudes lament all the time. There’s a lot of people that are getting started in this industry, they don’t bother to learn the basics and fundamentals of these things. And frackery, we’re going to get you a link to the packet decoding course. And that is a pay what you can. A lot of our stuff at Antisyphon… Oh, yeah. Go ahead, Serena.
Okay. For your packet decoding class and the other one that we posted, that six hour threat hunting training, what do you recommend coming in with, like prerequisite knowledge?
Chris Brenton (34:15):
So for the packet decode, you need a basic understanding of IP and how things communicate on the network. You don’t need an in-depth knowledge like we were using here, that’s what the class is for, but at least if I told you one system pinged another, you should kind of understand what that reference is. If you don’t, then yeah. You may need to do a little bit of work before walking into that class. The advanced threat hunting class, that one is more geared towards, I’ve been doing security for a while and what I’m doing doesn’t seem to really be working. I need some better ideas on how to figure out when somebody’s compromised an internal system.
John Strand (34:55):
Just so you all know, I still sit in on Chris’s class periodically and watch this stuff, because I’m still learning all the time. I think that a lot of people in the industry today, we’ve been fronted so much by vendors and abstracted so much from what’s happening, but the problem with that is many times people don’t even know what types of questions they can ask from packets. They don’t know what’s actually there. It’s this black magic thing and their automatic tool decodes a whole bunch of stuff for them, and they don’t even know what’s the limits of the imagination because they don’t know what’s possible.
Chris Brenton (35:34):
I think some of it is also, too, you need to stop and ask yourself, hey, this recommendation I’m getting from the vendor, if I implement that, will it cause them to make more money off of me? Because if it does, there might be a bias there. That’s one of the nice things about the webcast we do and Antisyphon and all of that is, John and I have no agenda beyond point out the stupidness and help everybody lock their networks down. We’re not trying to sell anything.
John Strand (36:02):
Yeah. And by the way, Hacksaw 786 asked where does one learn the fundamentals, Pluralsight. Yeah, yeah, absolutely. You can go to Pluralsight, Udemy. You can go to YouTube. A lot of our stuff at Antisyphon, and I’m going to disagree with Chris. When I first got started in computer security way back in 2003, I didn’t understand very much of this at all. I was a snot-nosed punk that knew how to write buffer overflow attacks when we didn’t have address space layout randomization. Which, by the way, Dr. Watson did 90% of the work for you back then.
John Strand (36:39):
I’m going to encourage you to check it out and take his class because it’s going to make you stretch and it’s going to get you there much faster than trying to find some basics and fundamentals. We do cover some basics and fundamentals of TCP/IP, and like Wireshark and tcpdump, really, really basic stuff in the Intro to SOC pay-what-you-can class, as well. But like I said, I strongly encourage you, go check out the class from Chris. Yes, some basic understanding helps, but you’re not learning if it doesn’t hurt just a little.
Yeah. For the networking stuff, too. There are always free courses that are given away on Twitter. But also, if you don’t know where to start, and I think that’s part of the problem, is people are like, okay, networking. But they have no idea where to actually start with that and what that all includes. Look at the Network+, even if you don’t take the cert, just look at what’s on the cert and those topics and just start diving in from there so that you actually know things to Google or what’s going to be relevant to know. I always recommend that. Like I said, even if you don’t take the cert, just look to see what’s on there, their topics, and you can start there.
John Strand (37:52):
This is going to get into something that might get me into trouble. The vast majority of security training classes, if you look at their outline, almost a hundred percent of the class is available online somewhere. Chris, we got somebody that just pointed out, anytime chunker said, I think based on what you’ve just shown here, I could script something to detect both types of C2. And I think that’s a good start. I want to bring you back for stupid awesome TShark tricks, but this is the beginning. This is building. In your class, you actually show people how to build full-on detection of this stuff, too.
Chris Brenton (38:30):
Yeah. Oh yeah, absolutely. Absolutely. So some of what I do, I’ll have folks sit in class and say, “Chris, I could have done that in half the amount of space with Python.” And absolutely you can. But what I try to do is teach the concepts in a way that anybody can grab onto. I mentioned hping before. hping3 is a great tool to get used to how you craft packets, how you create your own packets that you want to spit out on the wire. Scapy is far more extensive, but if you don’t have a Python background, you’re going to have a real hard time understanding Scapy. So I like to use the basic tools that everybody can go in and get started with.
Chris Brenton (39:12):
As far as being able to script things out, one I was kind of playing around with, doing beacon detection within Zeek logs, is this. This is something I get into in the classes. Basically, what this will do is you can run beacon-plot and give it two IP addresses that are within Zeek data that are in the current directory. And it’s going to go through and plot out how many times each IP address connected to the other each hour, over a 24 hour period of time. If you’re familiar with command and control and how it works, they’re persistent connections, meaning the compromised system is constantly calling out to that command and control server saying, hey, do you have anything for me to do? I’m sitting here bored. What do you want me to do? And that allows you to catch patterns like that. The weird goal I had with this was to go through and use at least 10 different tools.
Jason Blanchard (40:13):
I just realized I’m…
John Strand (40:15):
Oh, what’s that Jason?
Jason Blanchard (40:15):
I’m sorry. I just realized I’m a command and control channel. Just calling out. Is there anything you need me to do? Is there anything you need me to do?
John Strand (40:23):
Sounds like me on my days off bugging my wife. Hey, do you need anything? If you need to go get a life that doesn’t involve BHIS.
Chris Brenton (40:31):
Yeah, I was going to say, since when do you get days off?
John Strand (40:34):
Oh, my God. Around Christmas I took one and it sucked.
Chris Brenton (40:39):
Actually, I was going to say, getting them and taking them are two different things.
John Strand (40:41):
Two different things. White cyber doc asked, with C2 over DNS and ICMP, does it produce a responsive terminal? And I’m going to say yes and no. Yes, it is when you’re working with it. It depends on the frequency of the communication. The faster the communication, the more responsive it is, but it also means it’s more detectable. So you’ve got this balance as an attacker. Also, for data transfer for large files, it can be somewhat frustrating to try to transfer large files, but by the nature of DNS and ICMP, it’s stimulus response. ICMP echo request, ICMP echo response, DNS request, DNS response. So it does work pretty well for that.
Chris Brenton (41:24):
And it’s a matter of how good of a job can you do at hiding it. So for example, this last one we were looking at, the data is hidden in the DNS query. So how would you detect that? Well, you need to log your DNS queries. Most of us don’t. And if you just looked at it as a raw traffic level, what are you going to say? Oh, my DNS server was a little busier than it usually is. Is anybody really going to flag that? Probably not. So yeah, some of this stuff can be kind of subtle.
John Strand (41:50):
So I just got something from Sombrero. Sombrero said, I’m starting as an IT intern in a couple of weeks. What should I focus on learning right now to be successful in my role? I just got my position thanks to Jason’s job hunting plan, which is awesome. Sombrero, we’re going to reach out to you on Discord and Jason will get your contact information. I’m going to get you a free license for the on-demand version of Intro to SOC and Intro to Security. If you came up through Jason and all that, I’m going to try to set you up the best I can. So we’ll get you access to the on-demand version of those two intro classes, start there and then move into Chris’s stuff.
Chris Brenton (42:27):
Yeah. I think there are kind of two stages to that. The first thing you should learn is what your boss expects you to know. That should be the first thing right out of the gate. After that, figure out what your passion is.
John Strand (42:40):
And you’re starting in a couple weeks, so take advantage of this time to learn the fundamentals. You really need to learn the fundamentals.
Yeah, because it is like how Jason was saying. It is a different language. I remember my first job out of college, I was working on servers and I had a background in just campus networking. And so they were talking about a lot of virtualization and concepts and I was sitting there. I was like, I don’t know what you’re saying because I don’t know these words. And so it is just becoming familiar with a lot of the terminology and acronyms, and eventually, over time, I was able to sit in the meetings and contribute because I knew the words then. Just even getting familiar with the terminology could be helpful, even if it’s not very specific to what your job’s going to be.
John Strand (43:31):
I had a nuclear physicist that was a professor at MIT that was coming into security. And she said she hated this industry. And I’m like, well, you’re a nuclear physicist, how hard can this be? And she’s like, you have so many acronyms, so many terms, all of your tools run with completely different switches. Windows is completely different from Linux. And she’s like, really? It seems like computer security is more like this arcane magic where you’re tying in all of this different IT stuff that’s all disparate and it’s all weird and it can be very, very intimidating to get started. I think I can kind of understand that even though it’s the only world I know.
Jason Blanchard (44:16):
Friend of mine got out the acronym book and then there was an acronym within the acronym. So like when you expanded out the acronym, there was actually an acronym within the acronym that expanded out. And I was like, I quit.
John Strand (44:28):
Hey, Jason. Have I told you about my [inaudible 00:44:30] socks with Rock’em Sock’em Robots?
Jason Blanchard (44:32):
We’ll make your SOC socks. All right. Sombrero, thanks for following. Hacksaw 786, thanks for following. X deadly GG, thanks for following. And Sombrero, go ahead and send me an email.
John Strand (44:42):
We’ll get you something nice.
Chris Brenton (44:43):
Yeah. Yeah. Jason, if he’s already taken the SOC class, give him a free seat in mine. I got no problem with that.
John Strand (44:50):
Appreciate that. All right, everybody. That’s 45 minutes. Like we said, we’re trying to keep this dense. We’re trying to keep this very… Thank you.
Chris Brenton (45:00):
Trying to keep it dense, that’s why I’m here.
John Strand (45:01):
We’re trying to keep it dense with the technical stuff. We really appreciate you all coming and hanging out. Like, subscribe or whatever it is that people do, but tell your friends. We’re trying to share as much knowledge as we possibly can because that is ultimately the charter of everyone that you see on the screen right now. So, that’s it.
Jason Blanchard (45:22):
All right. Kill it.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.