Analyze indicators of compromise
Activity 12.1 Identify a Network Scan
In this exercise I will walk through how to initiate a network scan and then identify it in the traffic captured on a Linux machine.
- I will start up both my Kali and Metasploitable VMs.
- On Kali, open Wireshark and a terminal window.

- Determine the IP address of the Metasploitable VM by running ifconfig on it. In my case it is 10.0.2.4.
- Start the Wireshark capture on the Kali machine using the active interface, in my case "eth0". Initially you may only see DHCP and ARP messages.

- Now we will start the nmap scan on the Kali machine. Type in:
nmap -p 1-65535 <IP of the Metasploitable VM>
- Notice all the exciting ports which are open on the Metasploitable VM. Let's try navigating to some of them via the IP address + port number in the Kali Iceweasel browser.
- Not surprisingly, the VM is running a web server on port 80.

- More surprisingly, the VM is running FTP, NFS, etc.
- Stop the Wireshark capture.

- Using filters, we can review the traffic captured.
- Entering the display filter
tcp.port == 80
will show the connections our Kali machine made to the Metasploitable VM on port 80.
- Now let's investigate the scan we conducted.
- Navigate to Edit > Preferences > Appearance > Columns. Adjust the layout to include both the "Src Port (unresolved)" and "Dest Port (unresolved)" columns.
- This will allow us to easily see all the ports scanned in order. Enter the following filter:
ip.dst == <IP of the Metasploitable VM>
Now sort the packet list by the Time column. Now we can sift through all our glorious sequential port scans.
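As an added example (not part of the original exercise), the following Python script does in code what the ip.dst filter and time sort do in Wireshark: it reads SYN records exported from a capture with tshark and flags any source that touched many distinct ports on one host within a short window. The 10.0.2.15 Kali address, the tshark export command and the sample rows are assumptions constructed for the example.

```python
"""Flag a port scan in SYN records exported from a capture.
Input lines are tab-separated (time, src IP, dst IP, dst port), e.g. from:
  tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import Counter, defaultdict

# Constructed sample (not a real capture): 10.0.2.15, an assumed Kali
# address, probes ports 1-30 on 10.0.2.4 in 0.3 s, while 10.0.2.7 makes
# three ordinary connections spread over a minute.
SAMPLE_LINES = [f"{1000 + i * 0.01:.3f}\t10.0.2.15\t10.0.2.4\t{i}" for i in range(1, 31)] + [
    "1000.500\t10.0.2.7\t10.0.2.4\t80",
    "1030.000\t10.0.2.7\t10.0.2.4\t443",
    "1060.000\t10.0.2.7\t10.0.2.4\t22",
    "1061.000\t10.0.2.7\t10.0.2.4\t",  # malformed row: no TCP port
]

def parse_records(lines):
    """Return (time, src, dst, dport) tuples sorted by time."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # skip rows without a TCP destination port
        t, src, dst, port = parts
        records.append((float(t), src, dst, int(port)))
    return sorted(records)

def find_scans(records, min_ports=20, window=10.0):
    """Map (src, dst) -> sorted ports probed, for pairs that hit at
    least min_ports distinct ports within any window-second span."""
    by_pair = defaultdict(list)
    for t, src, dst, port in records:
        by_pair[(src, dst)].append((t, port))
    scans = {}
    for pair, hits in by_pair.items():
        in_window, lo = Counter(), 0
        for t, port in hits:  # hits inherit the time order of records
            in_window[port] += 1
            while t - hits[lo][0] > window:  # expire hits older than window
                in_window[hits[lo][1]] -= 1
                if in_window[hits[lo][1]] == 0:
                    del in_window[hits[lo][1]]
                lo += 1
            if len(in_window) >= min_ports:
                scans[pair] = sorted({p for _, p in hits})
                break
    return scans
```

Calling find_scans(parse_records(SAMPLE_LINES)) returns only the 10.0.2.15 to 10.0.2.4 pair with ports 1 through 30, while the three slow connections from 10.0.2.7 stay below the threshold.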
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| Term | Definition |
| --- | --- |
| Active Network Monitoring | Reaches out to remote systems to gather data. Gathers data about availability, routes, packet delay/loss and bandwidth. Ping and iPerf are two examples. |
| Bandwidth Consumption | Can cause service outages and disruptions of security functions - a serious concern |
| Baseline Detection | Aka anomaly detection. Alerts when thresholds are exceeded. |
| Beaconing | Heartbeat traffic sent to a hacker's command and control server -- usually over HTTP or HTTPS |
| DDoS | Distributed Denial of Service attack -- a DoS attack which comes from multiple networks simultaneously |
| Detecting Malware Techniques | Central management tools, antimalware tools, software files and blacklisting, application whitelisting. |
| df | Linux tool - displays a report of a system's disk usage |
| Heuristics | Behaviour based detection. Alerts when strange behaviours are detected. |
| Host-related Checking Techniques | Processor monitoring, Memory monitoring, Drive capacity monitoring, filesystem changes and anomalies |
| iPerf | Measures max BW that an IP Network can handle. Allows remote testing of link BW in addition to internal BW testing. Useful for establishing a network baseline. |
| Linux Services | Managed by running service --status-all and by checking "/etc/init.d/<service name> status" |
| Malicious Scheduled Tasks | Check cron in Linux and task scheduler in windows |
| Memory Leak | Occurs when a program does not release its memory even after it is no longer being used - this will result in increased consumption until the program crashes |
| Passive Monitoring | Captures network data as traffic passes along a location on a network, such as collecting tap data. |
| perfmon | Windows performance monitoring utility - best for more detailed graphing |
| Potentially Malicious Windows Tools | cmd.exe, at.exe, schtasks.exe, wmic.exe, powershell.exe, net.exe, reg.exe, sc.exe |
| Protocol Analysis | Captures packets and looks for unexpected traffic types in order to detect an attacker |
| PRTG | Paessler Router Traffic Grapher, tool which provides packet sniffing, flows, SNMP and WMI |
| ps | Linux tool - provides CPU and memory utilisation per process |
| Registry Run Keys | Located at: HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER |
| resmon | Windows Resource Monitoring utility - best for checking basic metrics |
| Rogue Checking Techniques | Valid MAC address checking, MAC address vendor checking, Network Scanning, Site Surveys, Traffic Analysis |
| Rogue Devices | An unwanted device connected to your network |
| Router-based Monitoring | Available options include Netflow, RMON, SNMP |
| SCOM | System Center Operations Manager - Windows monitoring tool |
| sysinternals | Additional advanced Windows monitoring tools |
| top | Linux tool - provides CPU and memory utilisation along with stats about processes |
| w | Linux tool - indicates which accounts are logged in |
| Windows Services | Managed in services.msc |
| Wire Rogue Checking Techniques | MAC Port Security or Network Access Control can prevent this |
| WMI | Windows Management Instrumentation |