Network Analysis Training

N.A OPERATION CHIMERA
NETWORK ANALYSIS MODULE // SECURITY BLUE TEAM

OPERATION CHIMERA – NETWORK ANALYSIS

CONTENTS
[1] What is Networking?
[2] What’s Network Analysis?
[3] Associated Roles
[4] Protocols and Services
[5] Wireshark
[6] Module Challenge

This module is designed to give a look into the world of Networking and Network Analysis. It is aimed at individuals who are moving into Cyber, so the material is aimed at an entry-level student. We strongly encourage further reading using the provided sources and any that you find yourself. Want to talk to other hackers about this specific module? Join the discussion in the “net-analysis-module” channel within the “Operation Chimera” category in the SBT Discord server. There is also a Chimera mega-thread on Reddit. Please make use of this to ask questions and talk to other participants!

This information has been gathered from public sources and combined with my own knowledge and experiences for the purpose of Operation Chimera, an online, live blue-team training operation conducted by myself under the alias Known Divide, for the SecurityBlueTeam community.

WHAT IS NETWORKING?

“Open source intelligence (OSINT) is information collected from public sources such as those available on the Internet, although the term isn't strictly limited to the internet, but rather means all publicly available sources.”

Useful Links (copy-paste):

[1] https://www.computernetworkingnotes.com/networking-tutorials/types-of-network-protocols-explained-with-functions.html
[2] https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
[3] https://wiki.wireshark.org/SampleCaptures
[4] https://networksecuritytools.com/list-wireshark-display-filters/
[5] https://www.varonis.com/blog/how-to-use-wireshark/

WHAT IS NETWORK ANALYSIS?

Network Analysis is the process of using a live network tap or packet captures (PCAPs) to identify malicious or unusual activity to aid an investigation or conduct threat hunting. PCAPs can usually be retrieved from network defences such as firewalls and IDPS. The most commonly used tool is Wireshark, which allows you to capture network traffic, or import it, and analyze it within the tool.

ASSOCIATED ROLES

The below roles generally contain work that includes analyzing network traffic for defensive cyber purposes:

• Tier One SOC Analyst (Junior Security Analyst)
Tier 1 analysts will use the SIEM dashboard itself to detect and report on malicious traffic, historically or in real-time, that is related to any on-going investigations. Endpoint Detection and Response (EDR) solutions can also be used to observe network activity on specific endpoints, including any live or recent connections to websites or IPs.
• Tier Two SOC Analyst (Security Analyst)
Tier 2 analysts will usually be able to retrieve PCAPs from network defences such as Firewalls and IDS, allowing them to investigate suspicious activity such as exploitation attempts against internet-facing assets.
• Tier Three SOC Analyst (Senior Security Analyst)
Same as Tier 1 & Tier 2. Tier 3 will likely have more visibility and tools.
• Threat Hunter
Threat Hunters will utilize live network taps, SIEM, EDR, PCAPs and more to monitor the network and proactively search for signs of malicious or unusual traffic.

If you’ve enjoyed this event, please consider donating whatever you can spare to buy me pizza, coffee, and help fund future events! (even £5/$5 will make a huge difference, and it only takes a few seconds).
https://paypal.me/KDMentoring

PROTOCOLS AND SERVICES

TCP and UDP are the two most common protocols used to send packets of data across the Internet, or within private networks. They both work on the transport layer of the TCP/IP protocol stack and both use the IP protocol.

Transmission Control Protocol (TCP) is a connection-oriented protocol that systems use to communicate over the internet. It is one of the main protocols in TCP/IP networks, and provides error-checking and guarantees delivery of packets, and that they will be in the correct order. Example: TCP is used in file downloads, because the recipient needs 100% of the data, otherwise the downloaded file will be corrupt and not function correctly.

User Datagram Protocol (UDP) is a connectionless protocol that, unlike TCP, doesn’t use error-checking and recovery services. UDP continuously sends datagrams to the recipient whether they receive them or not. Example: UDP is used in live streaming and online gaming, as the clients typically want speed instead of quality. This is why sometimes the quality of the video may drop or games may become ‘laggy’, because some packets haven’t been delivered correctly or became corrupted in transit.

Below is a quick shortlist of some important services/applications and their associated common ports, as well as why they are important to security professionals in both red and blue teams:

Protocol: Common/Expected Port

FTP (File Transfer Protocol): 20, 21
FTP is used to remotely upload or download files from a file server using client software. This can be utilized by hackers to upload shells or malware, allowing them to compromise other systems on the network and move around. It is important to ensure proper authentication is used, that only whitelisted hosts are able to connect to the FTP server, and that permissions are properly configured to only allow access to permitted files.

SSH (Secure Shell): 22
SSH allows one computer to connect to another securely and execute commands in the context of the remote system using a command terminal. This can be used by hackers after compromising an initial system to move (pivot) to other systems that have SSH running and perform information gathering or further exploitation. Defenders need to ensure strong credentials are used, and that whitelisting is in place to only allow SSH to be used where it is needed.

Telnet: 23
Telnet, whilst similar to SSH, is older and less secure. SSH uses encryption, and Telnet doesn’t, which makes it prone to sniffing attacks, where an attacker is able to ‘listen’ to the connection and retrieve information in transit, including plaintext usernames and passwords. Defenders should kill this service and replace it with SSH where needed, applying the same controls as mentioned under SSH.

SMTP (Simple Mail Transfer Protocol): 25
SMTP is used to send electronic mail by moving it across networks (including the Internet). This works closely with the Mail Transfer Agent (MTA), which makes sure emails go to the right inbox. This can be used by malicious actors to send out malspam emails containing malicious links or attachments. SMTP does not need to be enabled on non-webmail systems, and finding it enabled there may be a sign that the system is compromised.

DNS (Domain Name Service): 53
DNS is the protocol that makes the whole internet work! By turning IP addresses into domain names (such as Google.com), we can easily find our favorite sites, and much more. DNS can also be used for some covert data exfiltration methods, such as DNS-tunneling, where attackers exfiltrate data through an encrypted tunnel, so it can’t be read by IDS or other security tools. Domain fronting is another technique that makes malicious traffic look like it’s originating from, or going to, known safe domains such as Google.com (great one to bypass SIEM Analysts and IDS!).

HTTP (Hypertext Transfer Protocol): 80
HTTP is used to let us view and interact with websites on the internet. Malicious, dodgy, and phishing sites all use HTTP or HTTPS, so monitoring for this kind of traffic is very important to catch any weird or dangerous network connections!

HTTPS (HTTP Secure): 443
HTTPS is an improved version of HTTP, as it uses encryption, meaning that HTTP traffic can’t be intercepted provided HTTPS is being enforced. But, as with HTTP, some phishers and malicious sites are using HTTPS to seem more authentic.

RDP: 3389
RDP is the Windows version of SSH, that allows a remote connection between two systems, but instead of being command-line based, RDP will provide the user with a graphical user interface (GUI) of the remote machine, so they can complete actions as if they were using it directly. This service can be used to move from one compromised system to another, gather information from the system, and with the BlueKeep vulnerability (CVE-2019-0708) being exploited in the wild, this should be kept updated and only exposed to the internet if absolutely needed.

INTRODUCTION TO WIRESHARK

[1] Introduction
[2] Downloading Wireshark
[3] Using Wireshark – Live Capture + GUI
[4] Using Wireshark – Importing PCAPs
[5] Using Wireshark – Default Color Coding
[6] Using Wireshark - Filters

Introduction:
Wireshark is an open-source network protocol analyzer that was created in 1998 by
Gerald Combs. This packet sniffer is able to capture network traffic and store it
locally for analysis any time. Whilst this tool is usually used for network
troubleshooting, it can be used for malicious purposes such as sniffing attacks,
passive reconnaissance, and troubleshooting attack scans or exploitation attempts
to make sure they’re working. Wireshark is able to import and export .pcap files,
which is an abbreviation for packet capture.

Downloading Wireshark:
You’ll usually find Wireshark pre-installed in most security-related Linux
distributions, especially the Offensive Security Kali image. Wireshark is available
on Linux, Windows, and MacOS. The download link for Wireshark is:
https://www.wireshark.org/download.html. If you’re running Ubuntu as the root
user, you can use the following command to install Wireshark:
sudo apt-get install wireshark.

Capturing Network Traffic:

Now that Wireshark is installed, I’ll show you how to start sniffing on a network adapter, walk you through the graphical user interface, and show how to apply filters to see only specific traffic. When opening the tool, you should see the below display (however your list of network adapters may be different):

Figure 1 - Wireshark home screen. Select a network adapter to listen on.

The only network adapter I have configured is eth0, so let’s monitor that by clicking on it to highlight it, then clicking on the shark fin symbol in the top toolbar on the left to start capturing packets. The main panel will start to fill up with packets that are being recorded in real-time – yeah it looks confusing, but we’ll go through an example later to make sure that you’re able to use Wireshark at a basic level!

Figure 2 - Example of logged packets and color coding.



You can stop recording traffic by pressing the red square button (same as the blue
fin that you pressed to start) in the top left of the tool’s display. Now that we have
some packets to mess around with, we can actually go into analyzing packets to get
useful information.

Wireshark Graphical User Interface:

Figure 3 - Packet List, Details, and Bytes panes.

Wireshark has three panes, which are shown in the above screenshot. From top to
bottom they are:

• Packet List: This section shows the list of packets that Wireshark has
logged, including the time since start, sequential order, source IP/device,
destination IP/device, protocol type, packet length, and a short
description. From here you can right-click on a packet to follow the stream
or apply filters to sort through them all. Packets are color coded to help
better visualize the data.

• Packet Details: This pane shows you much more detail about the packet,
and the information is put into different categories, from frame to protocol,
so it’s easier to read.

• Packet Bytes: This section shows the raw hexadecimal of the packet.

Importing PCAP files:

If you already have a PCAP file, you’re able to import it into Wireshark and analyze it. To open files in Wireshark, click on File > Open. You’ll now see all of the logged packets, as if you just captured them yourself!

Wireshark Default Color Coding:

In Wireshark, packets are colored differently due to permanent coloring rules, which help us to better visualize and understand the traffic we’re seeing quickly. You can change this and toggle them on/off by going to View -> Coloring Rules. Below shows all of the colors, and the filters that, once met, will color that packet in the Packet List pane. Here we can see that HTTP traffic will be green, ARP will be yellow, UDP will be light blue, and TCP will be light purple.

Wireshark Filters:
Filters are a really important part of Wireshark that allows us to find specific activity
and look at the results we want to see instead of having to look through everything
contained in the PCAP or live capture.

So, let’s apply a super simple filter. Below we have a screenshot of a pcap that is
currently in time order with no filters. If we only want to see traffic associated with
the HTTP protocol, we can use http. Now on the bottom picture we can see that the
protocol column only features HTTP, allowing us to look specifically at web-based
activity including GET and POST packets.

Now let’s try following a tcp stream using a filter. If we use the filter “tcp.stream
eq(uals) 0” then this window will pop-up, displaying the first tcp stream in the
packet capture. Remember, streams are like conversations. We can see that in this
conversation the client issued a GET request to view a webpage, which was met
with a HTTP 200 OK message, and below that is the website content.

In the below example, I’m using the “frame contains” filter to look for TCP, HTTP
and DNS activity related to facebook. This is a great way to find activity from
specific sites. A real-world example would be using a PCAP from a firewall to
investigate a user clicking on a malicious website. Using this information, we can
search for “frame contains malicious-site” and see any associated traffic, such as
files downloaded, webpages visited, and any information submitted to the site.
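The following is my own added example, not code from the module: it shows what the port table in Protocols and Services and the “frame contains” filter above actually do under the hood. It constructs three frames (a DNS query, an HTTP GET, and a Telnet login, all with made-up addresses and credentials), decodes them into the same columns the Packet List pane shows, tags each by its expected port, then runs a byte-substring search equivalent to `frame contains "facebook"` and flags the cleartext services the table warns about.

```python
import socket
import struct

# Port-to-service map (a subset of the module's table); anything else is "unknown"
PORT_SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                 80: "HTTP", 443: "HTTPS", 3389: "RDP"}
CLEARTEXT = {"FTP", "Telnet", "HTTP"}  # services the table warns carry data unencrypted

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a TCP (6) or UDP (17) header; checksums left zero."""
    if proto == 6:  # 20-byte TCP header with PSH|ACK set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    else:           # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload  # dummy MACs, EtherType IPv4

def decode(frame):
    """Decode one frame into the columns the Packet List pane shows (plus the raw bytes)."""
    if frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (e.g. ARP); out of scope for this example
    ihl = (frame[14] & 0x0F) * 4
    proto = {6: "TCP", 17: "UDP"}.get(frame[23], str(frame[23]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    service = PORT_SERVICES.get(dport) or PORT_SERVICES.get(sport) or "unknown"
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": proto, "sport": sport, "dport": dport, "service": service, "frame": frame}

def frame_contains(rows, needle):
    """Same idea as the display filter  frame contains "needle": match anywhere in the bytes."""
    return [r for r in rows if needle.encode() in r["frame"]]

def cleartext_rows(rows):
    """Flag traffic to the cleartext services the module recommends replacing or watching."""
    return [r for r in rows if r["service"] in CLEARTEXT]

# Constructed sample capture: a DNS lookup, an HTTP GET to a documentation-range IP,
# and a Telnet login attempt; every address and credential here is made up
SAMPLE = [decode(f) for f in (
    build_frame("10.0.0.5", "10.0.0.1", 17, 51000, 53, b"\x12\x34\x01\x00\x08facebook\x03com\x00"),
    build_frame("10.0.0.5", "203.0.113.10", 6, 51001, 80, b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 6, 51002, 23, b"admin\r\nPassw0rd-example\r\n"),
)]
```

Note that, exactly like Wireshark's `frame contains`, the search matches the DNS query as well as the HTTP request, because the domain name appears in both frames' bytes.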

Try out some other filters on your own live captures!


https://networksecuritytools.com/list-wireshark-display-filters/

You should make sure you’re familiar with the Wireshark GUI, how to follow
conversations (streams), and how to collect information from packets. When
starting, it’s a lot of ‘messing around and seeing what you can find’. Want to get
some more experience before the challenge? Try loading some of these PCAPs
provided by Wireshark and take a look yourself!
https://wiki.wireshark.org/SampleCaptures.

MODULE CHALLENGE
If you think you’re ready for the module challenge, head over to the website and
click on the ‘Challenge Brief’ under the Network Analysis module!
Good luck.
