Posted: Mon Apr 08, 2013 6:55 am Post subject: Packet Capture Analyzer
Hey Everyone. I have a team working on analyzing a packet capture file for a practice case we've been given by our club.
We have 2 .PCAP files. We have to figure out whether our company's server has been compromised, which data the attacker had access to, which attack was used, and what the attacker took. The problem is that we do not have in-depth knowledge of analyzing packet capture data. We suspect that the attacker connected to a few specific ports and had access to http, https, and ssh. But the problem is that we do not know what method the attacker used to get in, and we don't know exactly what the attacker had access to, viewed, or downloaded from or to the company's server. We have already opened up the PCAP files in Wireshark and run filters, but we still aren't sure how to determine exactly what has been accessed. Once we have figured out what has occurred, we can move on to other forensic tools that we are more accustomed to for other files related to this case.
Are there any freeware tools and/or tutorials that you could recommend to point us in the right direction? Any advice would be greatly appreciated.
You should have most of the valuable evidence in your PCAP if the files were captured during the whole hacking event. But at least, I assume you have some info.

1st, when you mention specific ports http, https: do you guys run a web service on the server? If that's the case, it's more likely the attack surface is your web service. Then the attacker possibly got your etc/passwd or shadow password file somehow. After that they can ssh in.

2nd, keep in mind an attacker can always brute force a weak password and ssh in. So you need to check in the PCAP how they ssh in, or the logs on the server. I also assume you have already decrypted the encrypted traffic in the PCAP, so you should be able to see what happened, as it is plaintext.

3rd, an attacker can also run an exploit to gain server access. So you can run a VulnScan against your server.

4th, determining what information was accessed is a matter of server-side forensics + the PCAP files (if they recorded it).

5th, firewall rules also need to be examined.

It's not a simple job unless you are a security professional and have knowledge in different domains. So I suggest contacting IR/forensic people to deal with it ASAP.
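To make the reply's first, second and fourth points concrete, here is an added example (not code from either poster) that reads a classic libpcap file with only the standard library and summarizes, per source address, which server ports were reached (repeated SYNs to port 22 hint at a password-guessing attempt), which plaintext HTTP request lines were sent, and how many payload bytes the server sent back on each connection (a rough measure of what was downloaded). The capture it parses is constructed in the block itself; the addresses are hypothetical, it assumes an Ethernet (DLT_EN10MB) capture, and it does not decrypt anything, so HTTPS and SSH only show up as connection and byte counts.

```python
import struct
from collections import Counter

# --- constructed sample traffic; these addresses are hypothetical ---
ATTACKER = "198.51.100.7"   # assumed external source
SERVER = "192.0.2.10"       # assumed company server
SYN, ACK, PSH = 0x02, 0x10, 0x08
RESPONSE_BODY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nroot:"

def _ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def make_frame(src, dst, sport, dport, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame; checksums stay zero, which is fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_to_bytes(src), _ip_to_bytes(dst)) + tcp
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip   # dst MAC, src MAC, ethertype IPv4

def build_pcap(frames):
    """Wrap frames in classic libpcap format (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap(
    [make_frame(ATTACKER, SERVER, 40001, 80, SYN),
     make_frame(ATTACKER, SERVER, 40001, 80, PSH | ACK,
                b"GET /index.php?page=../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
     make_frame(SERVER, ATTACKER, 80, 40001, PSH | ACK, RESPONSE_BODY),
     make_frame(ATTACKER, SERVER, 40002, 443, SYN)]
    # six SSH connection attempts in a row from the same source
    + [make_frame(ATTACKER, SERVER, 40010 + i, 22, SYN) for i in range(6)]
    + [make_frame(SERVER, ATTACKER, 22, 40015, PSH | ACK, b"SSH-2.0-OpenSSH")]
)

def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for every TCP packet in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                   # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                   # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[data_off:]

def summarize(data, server):
    """Per-source view of what touched the server and what the server handed back."""
    syn_to_server = Counter()      # (src, dport) -> new connections; many to 22 = guessing hint
    http_requests = []             # (src, request line) seen in plaintext
    bytes_from_server = Counter()  # (dst, server port) -> payload bytes served on that port
    for src, dst, sport, dport, flags, payload in parse_pcap(data):
        if dst == server and flags & SYN and not flags & ACK:
            syn_to_server[(src, dport)] += 1
        if dst == server and payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
            line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            http_requests.append((src, line))
        if src == server and payload:
            bytes_from_server[(dst, sport)] += len(payload)
    return {"syn": syn_to_server, "http": http_requests, "served": bytes_from_server}

if __name__ == "__main__":
    report = summarize(SAMPLE_PCAP, SERVER)
    for (src, port), n in sorted(report["syn"].items()):
        print(f"{src} -> port {port}: {n} connection(s)")
    for src, line in report["http"]:
        print(f"{src} requested: {line}")
    for (dst, port), n in sorted(report["served"].items()):
        print(f"server sent {n} bytes to {dst} on port {port}")
```

Pointing `summarize()` at a real file (`summarize(open("capture.pcap", "rb").read(), "<server ip>")`) gives the same three tables; Wireshark's "Follow TCP Stream" and "Export Objects" then show the full content of any HTTP conversation the summary flags. Captures saved in the newer pcapng format are not handled by this parser and need converting first.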