Network Traffic analysis using Zeek | Digital Forensics
You will learn how to analyze network traffic using Zeek. Zeek is a leading passive network security monitoring tool: it sits on the network, reads all traffic passing through it, and parses that traffic into high-level events. Those events are processed by Zeek's policy scripts, which write a comprehensive set of logs for every connection seen on the wire, including all HTTP sessions with requested URIs, key headers, MIME types and server responses; DNS requests with their responses; SSL certificates; and the main content of SMTP sessions.
Analyze Network Traffic using Zeek
If you check the logs directory, Zeek generates quite a number of logs, including:
- http.log, which contains information about HTTP requests and replies.
- conn.log, which contains information about TCP/UDP/ICMP connections.
- notice.log, another log file of interest, which contains Zeek notices.
- dns.log: DNS-related logs
- dhcp.log: DHCP lease logs
- ftp.log: FTP-related logs
Country dataset : United States
Honeypot IP : 172.31.1.17
After downloading the honeypot dataset I extracted the files into one folder named PCAP, using this command.
Merging multiple capture files into one
Mergecap is a program that combines multiple saved capture files into a
single output file specified by the -w argument. Mergecap knows how to read
libpcap capture files, including those of tcpdump, Wireshark, and other tools
that write captures in that format.
Use this command to merge the multiple capture files into one pcap file:
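As an added example (not part of the original write-up and not mergecap's own code), here is the chronological merge that mergecap performs by default, written in pure Python against the classic libpcap format. The function names read_pcap, build_pcap and merge_pcaps are my own, and the two captures it merges are constructed inside the block. It refuses inputs whose link types differ, a case the classic single-link-type format cannot express (mergecap's default pcapng output can), and it normalises microsecond and nanosecond timestamps so files written with either magic sort correctly against each other.

```python
"""Chronological merge of classic libpcap files (what mergecap does by default).
Added example for this write-up; not mergecap or Zeek code. Handles the
usec and nsec magics in either byte order; pcapng is out of scope."""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HDR = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = 16     # ts_sec, ts_usec (or ts_nsec), incl_len, orig_len


def read_pcap(blob):
    """Return (linktype, packets); each packet is (ts_sec, ts_ns, data, orig_len)."""
    magic, = struct.unpack("<I", blob[:4])
    end = "<"
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        magic, = struct.unpack(">I", blob[:4])
        end = ">"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a classic libpcap file (bad magic)")
    nsec = magic == PCAP_MAGIC_NSEC
    linktype = struct.unpack(end + "HHiIII", blob[4:GLOBAL_HDR])[5]
    packets, off = [], GLOBAL_HDR
    while off + PKT_HDR <= len(blob):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + PKT_HDR])
        off += PKT_HDR
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record at offset %d" % (off - PKT_HDR))
        data, off = blob[off:off + incl_len], off + incl_len
        # normalise to nanoseconds so usec and nsec captures sort against each other
        packets.append((ts_sec, ts_frac if nsec else ts_frac * 1000, data, orig_len))
    if off != len(blob):
        raise ValueError("%d trailing bytes after last record" % (len(blob) - off))
    return linktype, packets


def build_pcap(packets, linktype=1, big_endian=False):
    """Write a classic usec-resolution pcap from [(ts_sec, ts_usec, data)]; used to construct inputs."""
    end = ">" if big_endian else "<"
    out = [struct.pack(end + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, data in packets:
        out.append(struct.pack(end + "IIII", ts_sec, ts_usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def merge_pcaps(blobs, snaplen=262144):
    """Merge captures sharing one link type into a little-endian usec pcap ordered by timestamp."""
    linktypes, merged = set(), []
    for blob in blobs:
        linktype, packets = read_pcap(blob)
        linktypes.add(linktype)
        merged.extend(packets)
    if len(linktypes) != 1:
        # The classic format has a single link type per file; mergecap's pcapng output can mix them.
        raise ValueError("captures use different link types: %s" % sorted(linktypes))
    merged.sort(key=lambda p: (p[0], p[1]))  # stable: equal timestamps keep input order
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktypes.pop())]
    for ts_sec, ts_ns, data, orig_len in merged:
        out.append(struct.pack("<IIII", ts_sec, ts_ns // 1000, len(data), orig_len))
        out.append(data)
    return b"".join(out)


if __name__ == "__main__":
    # Constructed captures: two honeypot files handed to the merger out of order,
    # one of them written big-endian as some tools do.
    first = build_pcap([(1600000000, 500, b"A1"), (1600000002, 0, b"A2")])
    second = build_pcap([(1600000001, 0, b"B1"), (1600000003, 0, b"B2")], big_endian=True)
    _, packets = read_pcap(merge_pcaps([second, first]))
    print([p[2] for p in packets])  # [b'A1', b'B1', b'A2', b'B2']
```

For real datasets you would still reach for mergecap (the per-file snaplen and timestamp resolution are preserved properly there, and pcapng handles mixed link types); the point of the block is to see what "merge" means: records from all inputs re-ordered by capture time, not files concatenated.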
Summary Statistics
To view summary statistics I uploaded the PCAP file to Kibana. Kibana is a piece of data visualization software that provides a browser-based interface for exploring Elasticsearch data and navigating the Elastic Stack, a collection of open-source products (Elasticsearch, Logstash, Beats).
Network Map
Analyzes IP communications between devices and the protocols used. Finds fingerprints such as the OS and installed software.
Ethernet Devices
Finds fingerprints of Ethernet devices and detects the Ethernet broadcast addresses in use.
Telnet
Shows Telnet session data.
Connections
Visualizes IP connections, displaying endpoints and the volume of transferred data on a world map.
Transferring Bytes For Each Country
Open Ports
Open TCP port fingerprints found in the captured traffic.
Found credentials
Finds plaintext passwords or hashes for various authentication protocols.
Displays HTTP requests, responses and transferred data.
Find attack attempts for one (or more) country
To extract possible attacks from the pcap file we will use Zeek. Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Extract the log files from the pcap we merged earlier:
We will use the Zeek-generated log files to analyze the network traffic. There are various ways to analyze network traffic using Zeek:
1. manually, using the zeek-cut command
2. by integrating Zeek with visualization tools such as ELK or Brim.
conn.log is our log file of interest: it will at least contain the connection information, including the number of packets and bytes involved in every connection. To extract these fields, use the command
You can then sort the output by the number of bytes involved, for example on column 3, which is orig_bytes (the bytes sent by the originator of the connection).
As you can see from the output, there is a lot of communication between the honeypot IP, 172.31.1.17, and the remote IPs 223.197.229.66, 223.190.89.47, ..., which might actually be C&C servers. Byte volume alone does not prove command and control, though: check the direction of those connections and what they carried in http.log before labelling a host as C&C.
While looking through the log file I found something interesting: someone tried to upload a payload named shell.jsp via POST /helloworld/greetig HTTP/1.1.
Kibana dashboard:
shell.jsp contains a basic RCE payload, like this PHP one-liner (a JSP web shell does the same thing with Runtime.getRuntime().exec()):
<?php system($_GET["cmd"]);?>
Suspicious user agent strings:
Most talkative hosts (originator):
Unique list of all domains:
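The conn.log ranking and the http.log finds above, worked through as an added example (my code, not Zeek's and not the write-up's own commands): parse Zeek's TSV logs from their #fields header, sum orig_bytes per originator/responder pair (what sorting zeek-cut output on the orig_bytes column gives you), flag POST/PUT requests that carry a web-shell filename or URI, and list suspicious User-Agent strings. The log lines are constructed for the example, using the IPs and URI quoted above and trimmed to the columns the code reads; the extension and User-Agent lists, and the function names, are my own detection choices, not Zeek policy. Zeek marks unset fields with "-" (for example orig_bytes on an unanswered SYN), which the code treats as zero rather than crashing on int().

```python
"""Analyze Zeek TSV logs (conn.log, http.log) without zeek-cut.
Added example for this write-up; not Zeek's own code."""
from collections import defaultdict

UNSET = "-"  # Zeek's #unset_field marker, e.g. orig_bytes on an unanswered SYN


def parse_zeek_log(text):
    """Parse a tab-separated Zeek log into a list of dicts keyed by #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch in line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def as_int(value):
    """Numeric Zeek field; unset ('-') counts as 0."""
    return 0 if value == UNSET else int(value)


def top_talkers(conn_rows, n=3):
    """Sum orig_bytes per (orig_h, resp_h) pair, largest first."""
    totals = defaultdict(int)
    for r in conn_rows:
        totals[(r["id.orig_h"], r["id.resp_h"])] += as_int(r["orig_bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Detection lists chosen for this example; tune them to your environment.
WEBSHELL_EXTS = (".jsp", ".jspx", ".php", ".aspx", ".war")
SUSPICIOUS_UA = ("python-requests", "curl/", "masscan", "zgrab", "nikto", "sqlmap")


def find_uploads(http_rows):
    """POST/PUT requests whose uploaded filename (orig_filenames) or URI has a web-shell extension."""
    hits = []
    for r in http_rows:
        if r["method"] not in ("POST", "PUT"):
            continue
        names = [] if r["orig_filenames"] == UNSET else r["orig_filenames"].split(",")
        if any(c.lower().endswith(WEBSHELL_EXTS) for c in names + [r["uri"]]):
            hits.append((r["id.orig_h"], r["method"], r["uri"], names))
    return hits


def suspicious_user_agents(http_rows):
    """Distinct User-Agent values that are unset or look like scanners/automation."""
    seen = set()
    for r in http_rows:
        ua = r["user_agent"]
        if ua == UNSET or any(p in ua.lower() for p in SUSPICIOUS_UA):
            seen.add(ua)
    return sorted(seen)


# Constructed sample logs (trimmed to the columns used here); honeypot is 172.31.1.17.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tconn_state",
    "1600000000.1\tC1\t223.197.229.66\t51234\t172.31.1.17\t80\ttcp\t48200\t1200\tSF",
    "1600000001.2\tC2\t223.190.89.47\t40002\t172.31.1.17\t23\ttcp\t900\t300\tSF",
    "1600000002.3\tC3\t223.197.229.66\t51240\t172.31.1.17\t80\ttcp\t-\t-\tS0",
    "1600000003.4\tC4\t198.51.100.9\t5555\t172.31.1.17\t22\ttcp\t3000\t2000\tSF",
    "#close\t2020-09-13-12-00-00",
])
HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi"
    "\tuser_agent\tstatus_code\torig_filenames\torig_mime_types",
    "1600000000.1\tC1\t223.197.229.66\t51234\t172.31.1.17\t80\tPOST\t172.31.1.17"
    "\t/helloworld/greetig\tpython-requests/2.24.0\t200\tshell.jsp\ttext/plain",
    "1600000004.0\tC5\t203.0.113.7\t44444\t172.31.1.17\t80\tGET\t172.31.1.17\t/"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t200\t-\t-",
    "1600000005.0\tC6\t203.0.113.8\t44445\t172.31.1.17\t80\tGET\t172.31.1.17"
    "\t/manager/html\t-\t401\t-\t-",
])

if __name__ == "__main__":
    conn, http = parse_zeek_log(CONN_LOG), parse_zeek_log(HTTP_LOG)
    for (orig, resp), nbytes in top_talkers(conn):
        print("%s -> %s  orig_bytes=%d" % (orig, resp, nbytes))
    print("uploads:", find_uploads(http))
    print("user agents:", suspicious_user_agents(http))
```

Reading the #fields header instead of hard-coding column positions is the important habit: Zeek's column order changes between versions and with loaded scripts, which is exactly why zeek-cut takes field names rather than numbers.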
Geolocation Information for attacker
This script lets you trace their IP addresses and learn more about them.
https://github.com/maldevel/IPGeoLocation
Features
• Retrieve IP or Domain Geolocation.
• Retrieve your own IP Geolocation.
• Retrieve Geolocation for IPs or Domains loaded from file.
• Define your own custom User Agent string.
• Proxy support.
• Select a random proxy from a file (one proxy URL per line).
• Open IP geolocation in Google Maps using the default browser.
• Export results to csv, xml and txt format.
Simulation To Retrieve IP Geolocation Information
Every responsible business tries to deploy some level of cybersecurity to keep its data safe, but why a firewall? Firewalls act as the security guard that determines whether Internet traffic is allowed to enter or leave your business's private network. Packets of data are constantly streaming back and forth between the open wild west of the public Internet and your specific, private silo of data (your network).
