1 00:00:01,440 --> 00:00:08,470 Let's now open another capture file. One of the easiest ways to check what's been happening in the network
2 00:00:08,530 --> 00:00:10,550 is to analyze the DNS protocol.
3 00:00:14,200 --> 00:00:19,660 Wireshark allows you to filter the data by selecting something in the Packet Details pane, then choosing
4 00:00:19,720 --> 00:00:22,660 Apply as Filter or Prepare a Filter.
5 00:00:23,820 --> 00:00:30,470 In our case we chose the protocol name and the packet type. Data can be filtered in many different ways.
6 00:00:31,790 --> 00:00:36,870 Let's see how much information we can get from DNS.
7 00:00:36,900 --> 00:00:43,970 We can choose the protocol we're interested in and the corresponding field; in our case it's the source.
8 00:00:44,060 --> 00:00:48,620 When you click on it with the right mouse button and choose the Prepare a Filter option, you can create
9 00:00:48,620 --> 00:00:51,700 more complex filters.
10 00:00:51,720 --> 00:00:58,350 Now we can observe the DNS communication of the chosen client. After a short time we'll be able to tell
11 00:00:58,350 --> 00:01:02,270 what programs have been running on the computer and what its user has been doing.
12 00:01:04,050 --> 00:01:07,450 DNS is a protocol that can give us all of this information.
13 00:01:08,220 --> 00:01:13,790 As you can see, to connect to a device in the network you must first get to know its address.
14 00:01:14,010 --> 00:01:16,680 You must first send a request to the DNS server.
15 00:01:17,810 --> 00:01:19,220 Let's see another example.
16 00:01:23,970 --> 00:01:26,550 We've captured data concerning network users.
17 00:01:27,410 --> 00:01:30,910 In this case someone is connected to HTTP servers.
18 00:01:32,740 --> 00:01:35,810 To get a general overview of what happens in a capture file,
19 00:01:35,890 --> 00:01:39,280 let's start with the Statistics menu.
20 00:01:39,350 --> 00:01:46,830 We'll examine the HTTP statistics and the packet statistics. You can apply data filters to the statistics
21 00:01:46,830 --> 00:01:48,860 too. In our case
22 00:01:48,860 --> 00:01:56,820 we will create the statistics based on all the packets. The capture file contains the following information.
23 00:01:57,950 --> 00:02:02,750 The client we've chosen sent 144 GET packets.
24 00:02:02,870 --> 00:02:06,570 This is 100 percent of the activities performed by the user.
25 00:02:06,800 --> 00:02:09,770 We see the responses below.
26 00:02:09,780 --> 00:02:16,360 Is there something in these responses that may be troubling, not necessarily from the security perspective
27 00:02:16,390 --> 00:02:18,210 but from the management perspective?
28 00:02:19,500 --> 00:02:26,960 Let's have a look at the HTTP servers' responses. Right now we don't know what service they were or what
29 00:02:26,980 --> 00:02:35,350 happened to the data. We see 140 responses, out of which there were 80 OK responses and 57 redirection
30 00:02:35,350 --> 00:02:36,200 responses,
31 00:02:37,310 --> 00:02:43,610 where a server responded to a client that some data had been moved to another location. Interestingly,
32 00:02:43,750 --> 00:02:48,780 the Not Found message of the HTTP protocol indicates a client error.
33 00:02:48,900 --> 00:02:53,820 The client wanted to connect to something that doesn't exist; the server isn't responsible for the missing
34 00:02:53,820 --> 00:02:57,640 content.
35 00:02:57,680 --> 00:03:03,430 We can analyze the data using various statistics for the same item.
36 00:03:03,430 --> 00:03:06,960 Let's see the endpoint list for TCP.
37 00:03:07,050 --> 00:03:12,030 It turns out that servers redirected our request not only to different addresses but also to different
38 00:03:12,030 --> 00:03:14,430 ports, so we're not able to trace the data.
39 00:03:24,020 --> 00:03:29,300 We managed, however, to generate a list of IP addresses of hosts that were involved in the communication.
40 00:03:30,680 --> 00:03:33,040 From the number of packets generated by the host
41 00:03:33,050 --> 00:03:38,560 we can guess that the selected address is the client's computer.
42 00:03:38,690 --> 00:03:41,170 The list contains the IP addresses of all computers
43 00:03:41,180 --> 00:03:42,620 we were redirected to.
44 00:03:52,980 --> 00:03:56,290 Let's see what other information we can get from the DNS server.
45 00:03:57,880 --> 00:04:01,430 Let's open a file with the data captured when the computer was starting up.
46 00:04:03,980 --> 00:04:07,850 An interesting experience is to monitor computers left unattended,
47 00:04:07,920 --> 00:04:15,170 that is, those with no one at the keyboard. What does a computer do when no one uses the keyboard?
48 00:04:16,130 --> 00:04:19,670 Some of the programs installed on the computer are very chatty.
49 00:04:19,940 --> 00:04:24,720 Particularly interesting is what happened with the computer when it was starting up.
50 00:04:24,800 --> 00:04:29,900 We know that to find out who the computer was connected to we should filter the data for the information
51 00:04:29,900 --> 00:04:34,320 from the DNS protocol.
52 00:04:34,360 --> 00:04:40,060 We can see that the computer has the McAfee antivirus installed on it.
53 00:04:40,070 --> 00:04:42,560 We also see that the program tried to perform an update.
54 00:04:47,870 --> 00:04:48,170 Next,
55 00:04:48,180 --> 00:04:52,650 there's a query sent to the "virtue modem COM" server, which isn't a McAfee server.
56 00:04:54,930 --> 00:04:59,910 If we did some research about this server, we would learn that this is a website that the virus connects
57 00:04:59,910 --> 00:05:02,930 to to get instructions concerning further actions.
58 00:05:07,050 --> 00:05:10,940 It was the site used to coordinate attacks.
59 00:05:11,090 --> 00:05:14,730 Normally the detection of such a situation is not all that easy,
60 00:05:15,230 --> 00:05:19,970 but the capture file and the filter on the DNS server will show us all such information.
61 00:05:22,650 --> 00:05:27,280 If you learn that the computers you look after connect to websites that you know nothing about,
62 00:05:27,450 --> 00:05:30,440 check them out and everything will become clear.
63 00:05:31,730 --> 00:05:37,520 To achieve all this we only needed to know how to use Wireshark for data capture and how to filter this
64 00:05:37,520 --> 00:05:39,820 data according to simple rules.