1
00:00:10,250 --> 00:00:16,760
Hello everyone and welcome to a video of the Expert Malware Analysis and Reverse Engineering course. In this

2
00:00:16,760 --> 00:00:17,170
video

3
00:00:17,170 --> 00:00:22,200
we're going to talk about packet capture and how we analyze those packet captures.

4
00:00:22,310 --> 00:00:28,340
So the bigger question for us to answer is: what exactly is a packet capture? A packet capture is nothing

5
00:00:28,340 --> 00:00:33,260
but a replica of the traffic that is flowing over your network.

6
00:00:33,260 --> 00:00:39,800
It can either be to a single device, either your laptop or your desktop, or it can be a capture

7
00:00:39,800 --> 00:00:46,540
of the entire traffic of a network of different machines that are sitting in the network.

8
00:00:46,570 --> 00:00:48,560
So why packet captures?

9
00:00:48,580 --> 00:00:54,220
There is a popular saying in the information security community, or rather the network security community,

10
00:00:54,220 --> 00:00:59,920
that if you do not have a packet capture of any security incident, you just consider that the incident

11
00:01:00,010 --> 00:01:01,330
never happened.

12
00:01:01,460 --> 00:01:10,450
And this is said because packet captures can be really vital in investigating any breach or any security

13
00:01:10,450 --> 00:01:13,110
incident that might happen inside the network.

14
00:01:13,370 --> 00:01:18,610
A packet capture can give us a very clear indication as to what was the direction in which the traffic

15
00:01:18,610 --> 00:01:19,440
flowed,

16
00:01:19,480 --> 00:01:26,380
what are the machines that might have been infected. You might be able to capture just one machine, but

17
00:01:26,500 --> 00:01:30,690
there can be many more machines that might have been infected with the same malware.
18
00:01:30,820 --> 00:01:37,060
And those things become easy to identify if you have the packet captures, because the malware will definitely

19
00:01:37,080 --> 00:01:39,700
be communicating outside with its host.

20
00:01:39,880 --> 00:01:45,320
So there will be some other network activity from all the infected machines.

21
00:01:45,550 --> 00:01:51,040
And that's where packet captures can be really, really useful in determining all the machines that have

22
00:01:51,040 --> 00:01:52,720
been infected in the network.

23
00:01:52,720 --> 00:01:56,510
And that's why packet capture has become one of the most widely used resources

24
00:01:56,560 --> 00:02:02,390
when you're doing manual analysis or analyzing any security incident.

25
00:02:02,600 --> 00:02:06,270
So what can be the different aspects of packet capture?

26
00:02:06,500 --> 00:02:13,350
We can do small-scale packet captures, which basically involve the analysis of any existing protocols.

27
00:02:13,460 --> 00:02:21,320
For example, if you want to analyze the headers of, let's say, the DNS protocol, you can do that using

28
00:02:22,310 --> 00:02:27,620
any kind of packet capture tool, or if, let's say, you are designing some new protocols, or if you are

29
00:02:27,620 --> 00:02:33,050
designing the tools that are involved in network communication, you can use packet capture for these

30
00:02:33,050 --> 00:02:38,440
kinds of activities. And there can be large-scale packet captures as well.

31
00:02:38,480 --> 00:02:43,070
This is traffic analysis and gaining statistics over your network:

32
00:02:43,070 --> 00:02:46,000
how much traffic is flowing within your network,

33
00:02:46,000 --> 00:02:49,270
what is the classification of all the traffic, and things like that.
34
00:02:49,370 --> 00:02:55,880
You can also do a lot of capacity planning using large-scale packet captures, and you can basically create

35
00:02:55,910 --> 00:03:03,260
and implement traffic policies around your network activity by using the captured packets.

36
00:03:03,650 --> 00:03:10,610
The third aspect is network attack and attack prevention, and that's where the malware analysis and the

37
00:03:10,600 --> 00:03:13,070
incident response people come into the picture.

38
00:03:13,220 --> 00:03:19,070
So the packet captures can help you in identifying attacks; that can help you in designing rules, designing

39
00:03:19,070 --> 00:03:21,770
policies that can prevent attacks.

40
00:03:21,830 --> 00:03:28,390
It can help you in capturing credentials which are not encrypted.

41
00:03:28,520 --> 00:03:34,920
It can also help you in setting up and applying security policies across your network.

42
00:03:35,030 --> 00:03:42,260
So one of the considerations for capturing packets: we have to make sure that we do not introduce

43
00:03:42,350 --> 00:03:48,440
any latency into our network because of our packet capturing, because we don't want the network to be

44
00:03:48,440 --> 00:03:54,890
slowed down because of the ongoing process of replicating the packet captures in your software or

45
00:03:54,890 --> 00:04:01,290
hardware. Your capture device can only capture traffic that reaches its network interface.

46
00:04:01,420 --> 00:04:06,490
You just cannot capture network traffic that is not hitting your interface.

47
00:04:06,490 --> 00:04:13,360
For example, if you are trying to capture traffic from your laptop, you're only going to capture the

48
00:04:13,360 --> 00:04:18,850
traffic that goes in and out of the laptop; you cannot really capture the traffic that is flowing in and

49
00:04:18,850 --> 00:04:24,040
out of, let's say, a second laptop that is being used in your home network.
50
00:04:25,380 --> 00:04:31,200
The usual behavior of packet capturing is that it will just filter out the traffic that doesn't match

51
00:04:31,200 --> 00:04:36,430
an interface address, and it only captures the traffic when there is a particular match.

52
00:04:36,570 --> 00:04:40,120
So these are some of the considerations for packet captures.

53
00:04:40,960 --> 00:04:44,750
Now, what are the ways by which the packet capture can be done?

54
00:04:44,830 --> 00:04:45,760
There can be two ways.

55
00:04:45,760 --> 00:04:53,380
One is hardware-oriented, where you set up a separate appliance that is capable of capturing the packets

56
00:04:54,040 --> 00:04:55,680
in your network.

57
00:04:55,750 --> 00:05:00,280
The appliance is basically a custom host with multiple network interfaces.

58
00:05:00,400 --> 00:05:05,090
The appliance can be inserted into an existing network link,

59
00:05:05,140 --> 00:05:11,740
and once it's sitting inside your network it can basically start capturing all the activities that are

60
00:05:11,740 --> 00:05:13,720
going on in the network.

61
00:05:13,750 --> 00:05:17,050
Most of the hardware appliances use software for the analysis.

62
00:05:17,080 --> 00:05:20,620
So these hardware tools have a lot of analysis capabilities as well.

63
00:05:20,620 --> 00:05:25,820
For example, they can give you an indication of the amount of traffic that is flowing in and out, what

64
00:05:25,890 --> 00:05:30,640
are the classifications of the traffic, which are the top-talking hosts inside your network, and

65
00:05:30,670 --> 00:05:31,490
things like that.

66
00:05:31,540 --> 00:05:36,630
So usually, for all these kinds of analysis, the hardware capturing devices use specialized software that

67
00:05:36,630 --> 00:05:37,860
is present inside them.
68
00:05:39,630 --> 00:05:46,740
The second type of capturing is software capture, where an existing host has capture software installed

69
00:05:46,740 --> 00:05:52,980
on the machine, and it can help you in capturing the packets without

70
00:05:53,070 --> 00:05:55,140
needing any specialized hardware.

71
00:05:55,320 --> 00:06:00,110
And the most common example of this is packet capturing tools like

72
00:06:00,180 --> 00:06:06,960
tcpdump and Wireshark. We'll be going into much more detail on software capturing in the later videos.

73
00:06:07,200 --> 00:06:10,400
The host interface is operated promiscuously.

74
00:06:10,410 --> 00:06:15,610
So what this means is that basically the filtering of packets is completely disabled.

75
00:06:15,630 --> 00:06:25,350
So this allows the software packet capturing tool to capture all packets without dropping anything.

76
00:06:25,380 --> 00:06:28,330
We have the example of capture scenarios.

77
00:06:28,340 --> 00:06:34,640
So if you look here, the diagram on the entire left is basically a hardware capturing scenario

78
00:06:34,640 --> 00:06:39,440
where you have separate hardware that sits at the entry point of the network.

79
00:06:39,470 --> 00:06:45,680
The data basically enters from the left; it goes into the hardware, where you have a three-port bridge. From there,

80
00:06:45,690 --> 00:06:52,010
the copy of the packet capture is received onto the disk, and then there is analyzer software that

81
00:06:52,010 --> 00:06:59,390
does the network analysis work, and after that the traffic basically goes into the network. On the

82
00:06:59,390 --> 00:07:01,310
right-hand side, if you look at the top,

83
00:07:01,300 --> 00:07:04,390
it's basically a normal

84
00:07:04,430 --> 00:07:08,080
capturing scenario where promiscuous mode is not enabled.
85
00:07:08,270 --> 00:07:14,330
So you are basically bridging the network and the host so that whatever traffic comes in and goes out

86
00:07:14,340 --> 00:07:16,200
gets basically captured.

87
00:07:16,280 --> 00:07:21,530
Something similar happens in the promiscuous mode as well.

88
00:07:21,530 --> 00:07:28,440
There you have software-based packet capturing, where you are again bridging your interface and your

89
00:07:28,440 --> 00:07:32,470
host to intercept all the traffic that goes in and out.

90
00:07:32,720 --> 00:07:39,580
So this was just a quick presentation of how exactly the packet capture can happen in different scenarios.

91
00:07:39,590 --> 00:07:46,850
We will be focusing more on local software packet capturing scenarios, and the same concepts and same

92
00:07:46,850 --> 00:07:51,160
ideas can be implemented on large-scale hardware captures as well.

93
00:07:51,620 --> 00:07:56,760
So one tool that is very helpful in packet capture is Wireshark.

94
00:07:56,870 --> 00:08:02,150
It's a free protocol analyzer software that is available for both Windows and Linux platforms.

95
00:08:02,420 --> 00:08:08,330
And in the later videos we'll start going into much more detail on Wireshark and how to set it up in

96
00:08:08,330 --> 00:08:12,710
our virtual environment and how we can begin capturing by using it.

97
00:08:12,710 --> 00:08:15,960
So that's sort of a quick introduction to packet captures.

98
00:08:16,160 --> 00:08:17,570
That's it for this video.

99
00:08:17,570 --> 00:08:18,570
Thanks a lot for watching.