1
00:00:12,510 --> 00:00:19,770
So coming back to exploit kit traffic, let us say we already figured out what were the HTTP requests

2
00:00:19,800 --> 00:00:26,750
that came from the IP. The other query that we can look for is what was the response,

3
00:00:26,760 --> 00:00:30,970
or what was the request-response pair from that particular IP.

4
00:00:31,230 --> 00:00:39,090
So we can write a filter that says HTTP request or HTTP response that were from IP address

5
00:00:39,100 --> 00:00:42,570
185.158.153.204.

6
00:00:42,570 --> 00:00:50,790
So if you look at the pcap snapshot now, you'll see that there is a GET request, followed by a response

7
00:00:50,790 --> 00:00:53,890
which contains 49,595 bytes.

8
00:00:53,950 --> 00:00:59,730
Then there was another request to a pretty long and weird URI, and that was followed by another

9
00:00:59,730 --> 00:01:01,850
text/html MIME type response.

10
00:01:01,860 --> 00:01:10,230
Then there was another pretty long GET request; the URI is pretty long, and it's followed by

11
00:01:10,350 --> 00:01:17,020
another response which is basically an application/x-msdownload MIME type.

12
00:01:17,070 --> 00:01:24,630
So this is how you can see what was in the request and what was the corresponding response that came back

13
00:01:24,630 --> 00:01:25,380
to you.

14
00:01:25,680 --> 00:01:32,850
So from this query we have an idea that there were three malicious requests made, and they all resulted

15
00:01:32,850 --> 00:01:34,850
in two successful responses.

16
00:01:34,900 --> 00:01:42,480
Two of them seem to be text/html pages, and the last one looks like an application, probably

17
00:01:42,480 --> 00:01:44,450
an EXE or something like that.

18
00:01:46,460 --> 00:01:49,650
You can further right click on one of those requests.

19
00:01:49,700 --> 00:01:54,340
Click on Follow TCP Stream to further drill down into what happened.

20
00:01:54,560 --> 00:02:03,260
So let's say we right click on the first request and go to Follow, Follow TCP Stream to see what

21
00:02:03,260 --> 00:02:04,090
happens.

22
00:02:04,370 --> 00:02:06,940
So this will launch the request-response

23
00:02:06,940 --> 00:02:13,360
pair in the Wireshark UI, and you can see that this is the long GET request.

24
00:02:13,370 --> 00:02:16,580
It's pretty long; it has a lot of characters.

25
00:02:17,060 --> 00:02:20,540
The interesting part here is the Referer field.

26
00:02:20,540 --> 00:02:28,670
It says that the traffic has been referred from this particular domain, and this pretty much looks like

27
00:02:28,740 --> 00:02:29,170
India.

28
00:02:29,180 --> 00:02:35,440
So now you can go back to your pcap and look for this IP address.

29
00:02:35,440 --> 00:02:37,890
Look for this particular page.

30
00:02:37,930 --> 00:02:40,980
And you can see what exactly is there inside it.

31
00:02:41,110 --> 00:02:45,570
So once again, once you reach that GET request, you can right click on it,

32
00:02:45,580 --> 00:02:53,240
Follow TCP Stream, and you'll see that this web page is pretty small and all it contains is an

33
00:02:53,240 --> 00:02:53,640
iframe.

34
00:02:53,650 --> 00:03:00,700
So an iframe is nothing but redirecting your traffic to the particular source that has been mentioned

35
00:03:00,700 --> 00:03:01,930
in the frame.

36
00:03:01,960 --> 00:03:10,440
So this is how the attacker sends the traffic from a legitimate web site, using a TDS,

37
00:03:10,570 --> 00:03:19,270
all the way to the exploit kit. So coming back to our exploit kit page, you can basically look at the

38
00:03:19,270 --> 00:03:21,630
content of the landing page as well.

39
00:03:21,670 --> 00:03:27,700
Most of the time it's going to be heavily obfuscated, and it's going to be very, very challenging to

40
00:03:27,700 --> 00:03:30,970
deobfuscate them; it's not easy, it's pretty complicated.

41
00:03:30,970 --> 00:03:40,720
You will have to do some add-ons and browser-based debugging in order to really get the actual script

42
00:03:40,870 --> 00:03:48,790
or the actual HTML page, which will contain all the enumeration scripts in a much more readable format.

43
00:03:51,140 --> 00:04:01,950
So here is another example of how exploit kit obfuscation would be visible to you in a pcap. Now,

44
00:04:02,480 --> 00:04:06,300
looking at our other GET request,

45
00:04:06,390 --> 00:04:14,460
you'll see that this GET request is nothing but an application/x-shockwave-flash.

46
00:04:14,490 --> 00:04:22,530
So what is happening in this case is that once the browser was able to figure out that you have a vulnerable

47
00:04:22,530 --> 00:04:29,360
version of Flash Player running on your machine, it basically sends you a Flash exploit.

48
00:04:29,370 --> 00:04:31,870
There are two ways of identifying it.

49
00:04:31,890 --> 00:04:34,420
In fact, there are three ways of identifying it.

50
00:04:34,500 --> 00:04:41,520
One can be directly from the GET request: if the GET request contains a .swf extension,

51
00:04:41,520 --> 00:04:42,500
we can say that,

52
00:04:42,510 --> 00:04:42,770
OK,

53
00:04:42,810 --> 00:04:44,740
this is a Flash file.

54
00:04:44,880 --> 00:04:50,920
But in this case, if you see, there is no extension; it's a pretty long URI,

55
00:04:51,270 --> 00:04:54,740
and it doesn't really contain the .swf extension.

56
00:04:54,750 --> 00:05:01,730
So from here we were not able to identify that this was a Flash file coming down in the response.

57
00:05:01,740 --> 00:05:08,050
You can look at the Content-Type field, which basically points out that this is nothing but a Shockwave

58
00:05:08,050 --> 00:05:09,450
Flash file.

59
00:05:09,750 --> 00:05:13,670
The third way is to look at the magic bytes.

60
00:05:13,860 --> 00:05:21,390
So for Flash files the magic bytes are CWS; in fact, there are two different magic bytes for Flash files.

61
00:05:21,390 --> 00:05:28,080
One is CWS, which is compressed, and the other is FWS; they both are basically pretty much specific

62
00:05:28,080 --> 00:05:31,250
to the Shockwave Flash file formats.

63
00:05:31,320 --> 00:05:39,600
So we will go into much more detail as to how we can individually analyze these exploits; for the time

64
00:05:39,600 --> 00:05:40,130
being,

65
00:05:40,290 --> 00:05:45,780
let's focus on the malicious traffic, or the malicious exploit kit traffic itself.

66
00:05:47,600 --> 00:05:48,050
OK.

67
00:05:48,070 --> 00:05:57,250
So this was a quick demonstration on how we could look at the request-response, how we can look at what

68
00:05:57,250 --> 00:06:01,240
malicious traffic was served by the exploit kit,

69
00:06:01,270 --> 00:06:05,130
what was the actual exploit that was launched on the host.

70
00:06:05,560 --> 00:06:12,090
And once you have the idea, you can also figure out what's the host, and you can also write filters

71
00:06:12,100 --> 00:06:13,880
based on the host as well.

72
00:06:15,880 --> 00:06:19,160
You can also look at all the HTTP requests.

73
00:06:19,180 --> 00:06:26,470
So what happens is, once your machine has been infected, or once the exploit was successful and the payload

74
00:06:26,470 --> 00:06:32,770
was dropped on your machine, you might want to look at all the HTTP requests that get generated

75
00:06:32,770 --> 00:06:38,410
from your machine, because once the payload is there on your machine and once it's executed, it will

76
00:06:38,410 --> 00:06:45,140
start making a lot more GET requests, and that's where searching based on IP or searching based on hostname

77
00:06:45,160 --> 00:06:47,160
would not really help you much.

78
00:06:47,200 --> 00:06:56,200
So you can look at an HTTP request filter to basically see all the request-response pairs,

79
00:06:56,230 --> 00:06:58,690
all the requests that were made on your machine.

80
00:06:58,690 --> 00:07:03,910
Another way would be to just filter out the traffic based on timestamp.

81
00:07:04,150 --> 00:07:13,300
If, let's say, you know that the first GET request was made at 23:15, then you can basically

82
00:07:13,300 --> 00:07:20,090
filter all your traffic from 23:15 all the way to, let's say, five or six minutes later.

83
00:07:20,230 --> 00:07:27,700
So that will give you a much clearer understanding as to what was the traffic that was specifically

84
00:07:27,700 --> 00:07:29,650
generated by the exploit

85
00:07:29,640 --> 00:07:29,800
kit.

86
00:07:29,820 --> 00:07:32,650
Because a lot of times the pcaps can be really huge.

87
00:07:32,650 --> 00:07:34,880
They can contain a lot of regular data.

88
00:07:35,050 --> 00:07:42,280
So filtering the traffic based on timestamp would again be a very helpful way of narrowing down your

89
00:07:42,280 --> 00:07:46,370
search directly to the information that you are looking for.

90
00:07:47,590 --> 00:07:55,270
So this was all about exploit kits, and in the next video we will start analyzing and playing with some pcaps

91
00:07:55,270 --> 00:07:57,610
that contain exploit kit traffic.

92
00:07:57,610 --> 00:07:58,740
Thanks for watching the video.