haaspeedy.blogg.se

Torrent bt dig search

Tracking down BitTorrent activity with packet captures

We love the exercises at malware-traffic-analysis, and occasionally we’ll pick some that we try to solve using CloudShark and its tools. This time, however, we’re going through one armed with tools that we learned from Brad’s class (Brad is the author of malware-traffic-analysis) at Sharkfest US 2018, where he gave an in-depth class on using packet captures for malware analysis, as well as a presentation on analyzing Windows malware traffic.

Sharkfest is an international meeting of packet enthusiasts run by the folks behind Wireshark. You can see the retrospective of Sharkfest US 2018 here.

The Exercise - So someone’s BitTorrenting on your network

This exercise is great if you’re in IT or network security and are tasked with finding out who is using peer-to-peer software in your organization, and whether or not they should be! This exercise is from July 2018, shortly after Sharkfest that year.

The scenario we’re given is that we’re receiving alerts that someone on our network is using the BitTorrent protocol to download files. It might be that we’ve received these alerts from an independent regulatory body like the RIAA, or it may be that our Intrusion Detection System (IDS) is flagging the traffic because of some threat rules. As part of the exercise, we’re given this packet capture.

Malware-traffic-analysis also gives us the following details about the network environment:

  • Domain controller: 10.0.0.2 (DogOfTheYear-DC).

We’re told the IP address of the offender (10.0.0.201), though it doesn’t take too much work to find it. The Suricata threat rules will flag BitTorrent traffic by default. When looking at this in CloudShark Threat Assessment, we see over one hundred threat alerts (!) all going to the same target address, in this case 10.0.0.201, which is seeding the BitTorrent and sharing the file with other peers. Since BitTorrent is a distributed peer-to-peer (P2P) download platform, traffic between each node involved in the transfer gets marked as a threat!

The exercise wants us to find several details. First of all is identifying the user and host that is using BitTorrent. For this, Brad asks us to find the MAC address, host name, Windows user account name, and Windows version. This not only helps us identify the offending machine, but also the user logged in while downloading files via BitTorrent. Most of these can be found with some pretty simple CloudShark filters and packet analysis.

For the MAC address, we filter out only the traffic that originates from the source IP with the filter ip.src=10.0.0.201. In the Ethernet II field we see the Src: equal to 00:16:17:18:66:c8. Since we know it’s a Windows machine, we can probably count on the nbns (NetBIOS Name Service) protocol to be there, which Windows uses to advertise hosts that make themselves available on the network.
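The two steps above (filter on the source IP, read the source MAC out of the Ethernet II header, then look for the NetBIOS name in NBNS) are exactly what a dissector does under the hood. The following is an added example, not code from CloudShark or from the malware-traffic-analysis exercise: it builds a constructed NBNS name registration frame for the offending IP 10.0.0.201 and MAC 00:16:17:18:66:c8 from the post, plus a second one for the domain controller, and then parses raw bytes the same way the display filters do. The host name EXAMPLE-PC, the DC's MAC 00:00:5e:00:53:02, and the frame contents are placeholders made up for the example; the field names eth.src, ip.src and nbns.name mirror Wireshark's field names so the output lines up with what the post describes.

```python
# Added example (not from the CloudShark post): parse a raw Ethernet II / IPv4 /
# UDP / NBNS frame and extract the fields the exercise asks for: the source MAC
# from the Ethernet II header and the NetBIOS host name from an NBNS name
# registration.  All frames below are constructed; EXAMPLE-PC and the DC's MAC
# are placeholders, not values from the real capture.
import socket
import struct

NBNS_PORT = 137
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
OFFENDER_IP = "10.0.0.201"          # from the exercise
OFFENDER_MAC = "00:16:17:18:66:c8"  # from the exercise


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the suffix byte, then emit two letters per byte (nibble + 'A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (host name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("NetBIOS names are always 32 encoded bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def ip_checksum(header):
    """One's-complement checksum over the IPv4 header (0 when it verifies)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nbns_registration(src_mac, src_ip, host, bcast_ip="10.0.0.255"):
    """Build a broadcast NBNS NAME REGISTRATION REQUEST (constructed test input)."""
    qname = b"\x20" + encode_netbios_name(host) + b"\x00"
    nbns = struct.pack("!HHHHHH", 0x8A3B, 0x2910, 1, 0, 0, 1)   # id, flags, counts
    nbns += qname + struct.pack("!HH", 0x0020, 1)                # QTYPE NB, class IN
    nbns += struct.pack("!HHHIH", 0xC00C, 0x0020, 1, 300000, 6)  # additional RR
    nbns += b"\x00\x00" + socket.inet_aton(src_ip)               # NB flags + address
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8 + len(nbns), 0) + nbns
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0, 128, IPPROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(bcast_ip)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    eth = (bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + udp


def parse_frame(frame):
    """Return the fields a dissector would show for the filters used in the post."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["ip.src"] = socket.inet_ntoa(ip[12:16])
    info["ip.dst"] = socket.inet_ntoa(ip[16:20])
    if ip[9] != IPPROTO_UDP:
        return info
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if NBNS_PORT in (sport, dport):
        payload = udp[8:]
        # First question name sits at offset 12: length byte 0x20, then 32 bytes.
        if len(payload) >= 45 and payload[12] == 0x20:
            info["nbns.name"], info["nbns.suffix"] = decode_netbios_name(payload[13:45])
    return info


def filter_ip_src(frames, src_ip):
    """Equivalent of the display filter  ip.src == <src_ip>."""
    return [f for f in frames if parse_frame(f).get("ip.src") == src_ip]


def identify_host(frames, offender_ip):
    """Collect the MAC addresses and NBNS host names seen for the offender's IP."""
    macs, names = set(), set()
    for f in filter_ip_src(frames, offender_ip):
        p = parse_frame(f)
        macs.add(p["eth.src"])
        if "nbns.name" in p:
            names.add(p["nbns.name"])
    return sorted(macs), sorted(names)


# Constructed capture: one NBNS registration from the offender, one from the DC.
FRAMES = [
    build_nbns_registration(OFFENDER_MAC, OFFENDER_IP, "EXAMPLE-PC"),
    build_nbns_registration("00:00:5e:00:53:02", "10.0.0.2", "DogOfTheYear-DC"),
]

if __name__ == "__main__":
    print(identify_host(FRAMES, OFFENDER_IP))
```

Running it yields the offender's MAC and the placeholder host name; the DC's frame is dropped by the ip.src filter just as it would be in CloudShark. Against a real capture the same approach applies to NBNS name registrations and queries broadcast by the Windows host, which is why filtering on ip.src first and then looking at nbns traffic is a quick route to the host name.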