Networkforensic

Threat hunting

Network forensic tools and traning

Wireshark undervisning
Jeg tilbyder en 2 dag kursus i brugen af wireshark som omhandler følgende:

Dag1:
- Networkforensic information
- Statistic
- Display filters
- Capture filters
- File Carving
- Opbygning af profiler
- Metodikker
- Support tools

Dag2:
- Demo
Metodikker og teknikker trænes.
- Gennemgang af networkforinsic sager fra det virkelige liv.

Skriv til mig for mere information kontakt.

Wireshark profiles

IEC-104
IEC-104 is a transmission protocols used for things like controlling a powergrid.
When analysing this protocol i can recommend the documentation TR-IEC104. Be aware that Wireshark do not interpet all element types. So this is the best it can be for now.

JA3 and JA3S
When hunting for malware there are using TLS, then it is nice to know the JA3 ore the JA3S of the TLS connection. This is possible with a plugin from Github. I have made this aviable as an easy packet, to implement in your own Wireshark here as a plugin. Be aware that this ONLY covers TCP port 443

Extract the
zip file and copy to your Wireshark profiles folder "\AppData\Roaming\Wireshark"
I have also made a
Wireshark JA3 profile as well. This just needs to be implemented as a regular profile.



IcedID TLS Inspection
Hunting for the malware framework IcedID it is nessary to look for what names a certificate was issued with. Quite often it it a self signed certificate with bogus names. like this on with the name "localhost".


 

GQUIC or QUIC Profile (Updated 01-10-2021)
Looking for information about QUIC ore GQUIC. The newest protocol schould only be QUIC and was released in 2021 v.1. - GQUIC is obsolete.

ICMP Profile
Hunting for ICMP tunneling is quite easy with this Wireshark profile. Exampel of a pTunnel running below.

iSCSI profile
Hunting for iSCSI auth traffic and authentications. Easy to spot with this profile 

DHCP Profile (Updated 03-01-2021)
Often you will hunt for a rough DHCP server placed on your network. This profile will make this very easy.
Optimized for Wiresharek 3.x versions.

DNS Profile
This will make DNS identification easy and bring DNS traffic to life in Wireshark

SMB Profile (Many updates for this profile as of 02-01-2020)
This will bring the analysis of SMB, SMB2 and SMB3 network traffic to life in Wireshark. What you typically is looking for, is right there...
More information about MS implementation
here


DDOS profile (Updated 03-03-2022)
Based on my work for an ISP and the manage of Advanced DDOS mitigation. This is based on known DDOS attacks. You can analyze the type of attack quite fast. Tested Wireshark V2.6.3



Magic numbers profile
Based on file types and there magic numbers it is easy to look for different file types in network traffic like exe files and so on, hidden in network traffic. Tested Wireshark V2.6.3


Geolite2 databases for Wireshark
Wireshark can do name resolution on captured traffic.
To get the free updated
Maxmind databases you need to sign up for a profile first. (please do so)
You can get an older Maxmind databease
from here.