Forensic Investigation Honeypot PCAP

Forensic Investigation Honeypot

 

DataSets


File Name: Honeypot Resit Exam Data Set.pcap
SHA1 Hash : 7faf4833c2ba08c9ded62ec416c5e356ade34e5d


To analyse the PCAP file we will use Zeek, a passive, open-source network traffic analyzer.

Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.

Zeek logs


First, to split the PCAP into Zeek (formerly Bro) logs, run the following command (the -C flag tells Zeek to ignore invalid IP/TCP checksums, which are common in captured traffic; the logs are written to the current directory):

# /opt/zeek/bin/zeek -r honeypot2.pcap -C

Running ls within the directory that contains this .pcap should show you something like this:

 


* http.log, which contains information about HTTP requests.
* conn.log, which contains information about TCP/UDP/ICMP connections.
* weird.log, which records Zeek's notices about unusual or unexpected activity.
* dns.log: DNS-related logs.
* dhcp.log: DHCP lease logs.
* ftp.log: FTP-related logs.

 

conn.log is our log file of interest: at minimum it contains the connection information, including the number of packets and bytes involved in every connection.

To extract these fields and sort the output by the number of bytes involved (for example column 3, which is orig_bytes), use the command:

cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pkts | sort -k3 -nr

 


Number of packets the originator sent and number of originator IP bytes (via the IP total_length header field):

less -S conn.log | zeek-cut orig_pkts orig_ip_bytes | head -10

 

Unique identifier of the connection and transport-layer protocol of the connection:

less -S conn.log | zeek-cut uid proto | head -10

 


Number of payload bytes the responder sent, number of payload bytes the originator sent, and connection state:

less -S conn.log | zeek-cut resp_bytes orig_bytes conn_state | head -10

 

Source IP address, destination IP address and connection duration:

less -S conn.log | zeek-cut id.orig_h id.resp_h duration | head -10

Finding the longest connections:

less -S conn.log | zeek-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10

 


Source ports (TCP and UDP):

cat conn.log | zeek-cut id.orig_p | sort | uniq -c | sort -n | tail -n 5

 


Destination ports (TCP and UDP):

cat conn.log | zeek-cut id.resp_p | sort | uniq -c | sort -n | tail -n 5

 


Unique DNS query names observed (result: black-pearl-2.local):

less -S dns.log | zeek-cut query | sort | uniq -c | sort -n

 


Most talkative hosts:

less -S conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -n | tail -n 5
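Every zeek-cut pipeline above selects columns by the names in the conn.log #fields header. As an added example (not part of the original write-up), the Python script below parses that TSV layout directly, converts types from the #types header, treats '-' as unset, and reproduces the "most talkative hosts" and "longest connections" queries; the conn.log records are constructed for illustration, not taken from the capture.

```python
from collections import Counter

# Constructed sample in Zeek's default TSV conn.log layout (not data from the capture).
# Header lines start with '#'; '#fields' names the columns and '-' marks an unset value.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tconn_state\torig_pkts\tresp_pkts\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount\tstring\tcount\tcount\n"
    "1650000000.1\tCa1\t96.9.184.86\t51000\t10.0.0.5\t22\ttcp\t12.5\t3100\t4200\tSF\t40\t38\n"
    "1650000010.2\tCb2\t99.107.190.255\t40022\t10.0.0.5\t22\ttcp\t0.2\t0\t0\tS0\t1\t0\n"
    "1650000020.3\tCc3\t96.9.184.86\t51001\t10.0.0.5\t23\ttcp\t-\t-\t-\tREJ\t1\t1\n"
    "1650000030.4\tCd4\t59.163.16.54\t33000\t10.0.0.5\t22\ttcp\t95.0\t900\t7000\tSF\t20\t25\n"
    "#close\t2022-04-15-00-00-00\n"
)


def parse_zeek_log(text):
    """Yield one dict per record keyed by the '#fields' names (the names zeek-cut selects by).
    '-' becomes None; count/port fields become int, time/interval fields become float."""
    fields = types = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, '#close' and blank lines
        else:
            rec = {}
            for name, typ, val in zip(fields, types, line.split("\t")):
                if val == "-":
                    rec[name] = None
                elif typ in ("count", "int", "port"):
                    rec[name] = int(val)
                elif typ in ("time", "interval", "double"):
                    rec[name] = float(val)
                else:
                    rec[name] = val
            yield rec


def top_talkers(records, n=5):
    """Same question as 'zeek-cut id.orig_h | sort | uniq -c | sort -n | tail -n 5'."""
    return Counter(r["id.orig_h"] for r in records).most_common(n)


def longest_connections(records, n=10):
    """Same as 'zeek-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10', except that
    unset ('-') durations are skipped instead of being compared as text by sort."""
    timed = sorted((r for r in records if r["duration"] is not None),
                   key=lambda r: r["duration"], reverse=True)
    return [(r["id.orig_h"], r["id.resp_h"], r["duration"]) for r in timed[:n]]
```

Pass `list(parse_zeek_log(open("conn.log").read()))` to both helpers to run them against the real log; rejected or half-open connections show up with None bytes and duration rather than polluting the numeric sort.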

 


This script lets us geolocate the attackers' IP addresses and gather more information about them:
https://github.com/maldevel/IPGeoLocation


Features
• Retrieve IP or Domain Geolocation.
• Retrieve your own IP Geolocation.
• Retrieve Geolocation for IPs or Domains loaded from file.
• Define your own custom User Agent string.
• Proxy support.
• Select a random proxy from a file (one proxy URL per line).

 

Attacker        Country        City       Latitude   Longitude
96.9.184.86     Singapore      Singapore  1.29027    103.85196
99.107.190.255  United States  Redmond    47.66930   -122.12180
59.163.16.54    India          Gujarat    23.01101   72.50292

 

This Python code converts the geolocation log into CSV format (the log holds three lines per IP address, which become one CSV row each):

import csv

# Each record in countries.log spans three consecutive lines, so group
# the lines in threes and write every group as one CSV row.
with open('countries.log') as file:
    lines = file.read().splitlines()
    rows = [lines[x:x + 3] for x in range(0, len(lines), 3)]

with open('countries.csv', 'w', newline='') as csvfile:
    w = csv.writer(csvfile)
    w.writerows(rows)

Upload the CSV file to Google Maps to visualize the locations:

 

 


Simulation To Retrieve IP Geolocation Information


Conclusions and recommendations

In 2022, there are still enough SSH servers with default credentials out there to make it an "attractive" business case for attackers to keep crawling the internet looking for vulnerable systems.

VirusTotal is not 100% reliable when it comes to detecting malware. This is not a criticism of VirusTotal, but a reminder that there is always going to be a delay between when a new piece of malware is released into the wild and when antivirus software can detect it. I believe that it is upon all of us as engineers and security professionals to contribute to the community by reporting and uploading malware samples to reduce that delay as much as possible.
