Network Forensics with FOSS
Quick tips on using tools such as "grep", "tshark", "tcpdump", "Wireshark", and many more. Credit to SANS 572 for teaching me some amazing DFIR tricks!
TSHARK
tshark provides all of Wireshark's power in a scriptable, console-based tool. Because tshark uses the same code as Wireshark, nearly any Wireshark feature can be used in the console. Analysis can move from the research phase to a larger scale by shifting from Wireshark to tshark. The -T fields output mode enables simple yet powerful shell-based analytics.
Parse User Agents and Frequency with Standard Shell Commands
tshark -r nitroba.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -nr

Additional HTTP filters in Analysis
tshark -r nitroba.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri | sort | uniq -c | sort -nr

TCPdump
sudo tcpdump -n -s 0 -i ens33 -w out.pcap 'host 1.2.3.4 and port 80'
Convert a lot of timestamps at once (epoch seconds in the first field to UTC; strftime is a gawk extension)
sudo cat /var/log/some.log | awk '{$1=strftime("%F %T", $1, 1); print $0}'
Calamaris Tool
calamaris -a access.log

Or you can use grep and awk, as seen below
grep -v "\"CONNECT " access.log | awk '{ print $7 }' | awk -F/ '{ print $3 }' | sort | uniq -c | sort -nr

Let's use Wireshark to identify and isolate a relevant TCP stream from a full-content pcap file, extract the payload data from that TCP stream, and analyze the reconstructed data to establish its investigative value.
Simple Wireshark display filters such as the http filter below can help home in on domain names of interest.
http.host contains "google"

We can narrow the search further by clicking on any HTTP packet and adding the "Referer" header as a column. Below we can see that "pastesite.com" was a site that was searched for using Google.

Focusing more closely on "pastesite", we can apply POST filters like the one below, which will yield some eye-opening results.
http.request.method == "POST" and http.host contains "pastesite.com"

Our first packet posting data to pastesite.com suggests that this could have been a test.

Our next packet yields some very interesting base64-encoded data sent to pastesite.com.

Finally, we will dig deeper and accomplish a few tasks:
- Export Packet Bytes of Value [Truncated]:
- Save the contents of the extracted bytes.
- Hash the file.
- Decode the extracted file using uridecode.py.
- Hash the decoded file.
- Decode the original base64 file to reveal its contents.
cat base64_extraction.txt | uridecode.py > base64_native.txt
md5sum base64_native.txt
base64 -di base64_native.txt > base64_decoded.bin
md5sum base64_decoded.bin
file base64_decoded.bin
unzip -t base64_decoded.bin
As you can see below, we have our end result, which reveals the contents of the base64-encoded data. Here is a link to the uridecode.py script: https://github.com/philhagen/for572-scripts/blob/main/uridecode.py
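As an added example (not from the original notes or the for572-scripts repository), here is a POSIX shell stand-in for the uridecode.py step followed by the same hash, base64-decode and identify chain used above; the function names are my own and the sample POST body is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes or the for572-scripts repo:
# a POSIX shell stand-in for the uridecode.py step, followed by the same
# hash / base64-decode / identify chain used above. Sample input is constructed.

# urldecode: read application/x-www-form-urlencoded text on stdin and print
# it decoded. '+' is turned into a space BEFORE %XX sequences are expanded,
# so an encoded %2B (base64's '+') still comes out as a literal '+'.
# Meant for ASCII form bodies such as base64 text; a malformed %XX is kept.
urldecode() {
  awk 'BEGIN { hex = "0123456789abcdef" }
  {
    s = $0; gsub(/[+]/, " ", s); out = ""
    while ((i = index(s, "%")) > 0) {
      out = out substr(s, 1, i - 1)
      h = tolower(substr(s, i + 1, 2))
      if (h ~ /^[0-9a-f][0-9a-f]$/) {
        v = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
        out = out sprintf("%c", v)
        s = substr(s, i + 3)
      } else {
        out = out "%"; s = substr(s, i + 1)
      }
    }
    print out s
  }'
}

# decode_capture FILE: FILE holds the URL-encoded base64 exported from the
# POST body (like base64_extraction.txt above). Writes FILE.native and
# FILE.decoded.bin and hashes every stage so the result can be reproduced.
decode_capture() {
  urldecode < "$1" > "$1.native" || return 1
  base64 -d "$1.native" > "$1.decoded.bin" || return 1
  md5sum "$1" "$1.native" "$1.decoded.bin"
  if command -v file >/dev/null 2>&1; then file "$1.decoded.bin"; fi
}

# Constructed sample: "hello forensics~~~???!" base64-encoded, then
# form-encoded the way it would appear in a captured POST body.
SAMPLE='aGVsbG8gZm9yZW5zaWNzfn5%2BPz8%2FIQ%3D%3D'

# Stand-alone run: write the sample out, decode it and show the hashes.
printf '%s' "$SAMPLE" > sample_extraction.txt
decode_capture sample_extraction.txt
```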
