Mikail Aydoğdu

TryHackMe Advent of Cyber 2023: [Day 17] Traffic analysis I Tawt I Taw A C2 Tat!

SSOC gives you a preconfigured VM. For your convenience, the VM contains a fresh version of SiLK. It also has the required artefacts to work on. Let’s start the VM first, then discover the assigned analysis environment. To run the attached VM, click on the Start Machine button in the upper-right corner of the task. The machine will start in a split-screen view. If the VM isn’t visible, use the blue Show Split View button at the top-right of the page.

Learning Objectives

Gain knowledge of the network traffic data format

Understand the differences between full packet captures and network flows

Learn how to process network flow data

Discover the SiLK tool suite

Gain hands-on experience in network flow analysis with SiLK

Network Traffic Data

The network data is everywhere. It is all around us. Even now in this very task.

Network communication and traffic are the natural behaviours of today’s interconnected computing world. These behaviours represent a constant data flow of daily activities, including personal interactions and business transactions. The data flow offers invaluable network management, troubleshooting, incident response, and threat-hunting insights.

Network traffic comes in various data types and formats. Packet capture (PCAP) format (also known as full packet captures) is the first thing that comes to mind. It provides a granular, raw, and comprehensive view of the network traffic. This format provides all possible data represented in packets in a ready-to-investigate format (this approach is also known as deep packet inspection). Therefore, it is an invaluable artefact for network-level operations.

However, this intensive resource needs storage, processing, and analysis capacities to provide comprehensive insight into network traffic. In other words, while PCAPs are very useful for detailed analysis, they are not practical for fast analysis situations as they enclose the actual payload. This situation becomes a pain point when large amounts of data need to be analysed.

The data richness and level of detail provided by the PCAP format come from the payload it carries. At this point, it will be possible to speed up the process considerably by running the analysis process on a data format that doesn’t enclose the payload data. As a result, it will be possible to process more data in a shorter time with fewer resources, leaving more time for analysis and decision-making.

Network flow data is a lightweight alternative to PCAPs. It’s commonly used in NetFlow format, a telemetry protocol developed by Cisco that focuses on the metadata part of the traffic. In other words, it provides only the “summary” of the traffic; the details appear similarly to how call details appear on your phone bill. Once again, there are no packet content details with this format. This is why storing, processing, and analysing this data format is easier than it is with PCAPs.

How to Collect and Process Network Data

Network data collection and processing typically involves using network monitoring and analysis tools (such as Wireshark, tshark, and tcpdump) to collect information about the traffic on a network and then analyse that data to gain insight, troubleshoot, or conduct blue and purple team operations. Also, product and system-based solutions will help collect network data in flow format. The specific tools and methods you use will depend on the size and complexity of your network and your objectives.

If you would like to learn more about network data capturing and analysis processes, the Wireshark module can help you get started.

Good news: Elf Forensic McBlue has converted all the network traffic data to binary flow format, but you still need to discover how to analyse it.

Follow-Up of Recommendations and Exploration of Tools

Let’s continue with McSkidy’s suggestion: explore and use SiLK to help SSOC in this task.

SiLK, or the System for Internet Level Knowledge tool suite, was developed by the CERT Situational Awareness group at Carnegie Mellon University’s Software Engineering Institute. It contains various tools and binaries that allow users to collect, parse, filter, and analyse network traffic data. In other words, SiLK helps analysts gain insight into multiple aspects of network behaviour.

SiLK can process direct flows, PCAP files, and binary flow data. In this task, you will experiment using SiLK tools on binary formats to help the SSOC team achieve their goals! Elf Log McBlue gives us the network flow data in binary flow format, so we now have enough data sources to get to work.

Getting Started With the SiLK Suite

The SiLK suite has two parts: the packing system and the analysis suite. The packing system supports the collection of multiple network flow types (IPFIX, NetFlow v9, and NetFlow v5) and stores them in binary files. The analysis suite contains the tools needed to carry out various operations (list, sort, count, and statistics) on network flow records. The analysis tools also support Linux CLI pipes, allowing you to create sophisticated queries.

1. Which version of SiLK is installed on the VM?

user@tryhackme:~/Desktop$ silk_config -v
silk_config: part of SiLK 3.19.1; configuration settings:
    * Root of packed data tree:         /var/silk/data
    * Packing logic:                    Run-time plug-in
    * Timezone support:                 UTC
    * Available compression methods:    lzo1x [default], none, zlib
    * IPv6 network connections:         yes
    * IPv6 flow record support:         yes
    * IPset record compatibility:       3.14.0
    * IPFIX/NetFlow9/sFlow collection:  ipfix,netflow9,sflow
    * Transport encryption:             GnuTLS
    * PySiLK support:                   /usr/local/lib/python2.7/site-packages
    * Enable assert():                  no
Copyright (C) 2001-2020 by Carnegie Mellon University
GNU General Public License (GPL) Rights pursuant to Version 2, June 1991.
Some included library code covered by LGPL 2.1; see source for details.
Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013.
Send bug reports, feature requests, and comments to netsa-help@cert.org.


'Ans: 3.19.1'

2. What is the size of the flows in the count records?

user@tryhackme:~/Desktop$ rwfileinfo suspicious-flows.silk
suspicious-flows.silk:
  format(id)          FT_RWIPV6ROUTING(0x0c)
  version             16
  byte-order          littleEndian
  compression(id)     lzo1x(2)
  header-length       88
  record-length       88
  record-version      1
  silk-version        3.19.1
  count-records       11774
  file-size           152366
  command-lines       
                   1  rwipfix2silk --silk-output=test.silk


'Ans: 11774'

3. What is the start time (sTime) of the sixth record in the file?

user@tryhackme:~/Desktop$ rwcut suspicious-flows.silk --num-recs=6
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
175.215.235.223|175.215.236.223|   80| 3222|  6|         1|        44| S  A   |2023/12/05T09:33:07.719|    0.000|2023/12/05T09:33:07.719| S0|
175.215.235.223|175.215.236.223|   80| 3220|  6|         1|        44| S  A   |2023/12/05T09:33:07.725|    0.000|2023/12/05T09:33:07.725| S0|
175.215.235.223|175.215.236.223|   80| 3219|  6|         1|        44| S  A   |2023/12/05T09:33:07.738|    0.000|2023/12/05T09:33:07.738| S0|
175.215.235.223|175.215.236.223|   80| 3218|  6|         1|        44| S  A   |2023/12/05T09:33:07.741|    0.000|2023/12/05T09:33:07.741| S0|
175.215.235.223|175.215.236.223|   80| 3221|  6|         1|        44| S  A   |2023/12/05T09:33:07.743|    0.000|2023/12/05T09:33:07.743| S0|
175.215.235.223|175.215.236.223|   80| 3225|  6|         1|        44| S  A   |2023/12/05T09:33:07.755|    0.000|2023/12/05T09:33:07.755| S0|

'Ans: 2023/12/05T09:33:07.755'

4. What is the destination port of the sixth UDP record?

user@tryhackme:~/Desktop$ rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=5
pro|            sIP|sPort|            dIP|dPort|
 17|175.175.173.221|59580|175.219.238.243|   53|
 17|175.219.238.243|   53|175.175.173.221|59580|
 17|175.175.173.221|47888|175.219.238.243|   53|
 17|175.219.238.243|   53|175.175.173.221|47888|
 17|175.175.173.221|49950|175.219.238.243|   53|

'Ans: 49950'

5. What is the record value (%) of the dport 53?

user@tryhackme:~/Desktop$ rwstats suspicious-flows.silk --fields=dPort --values=records --count=5
INPUT: 11774 Records for 5713 Bins and 11774 Total Records
OUTPUT: Top 5 Bins by Records
dPort|   Records|  %Records|   cumul_%|
   53|      4160| 35.332088| 35.332088|
   80|      1658| 14.081875| 49.413963|
40557|         4|  0.033973| 49.447936|
50105|         3|  0.025480| 49.473416|
52345|         3|  0.025480| 49.498896|

'Ans: 35.332088'

6. What is the number of bytes transmitted by the top talker on the network?

user@tryhackme:~/Desktop$ rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=5 --top
INPUT: 11774 Records for 8 Bins and 1412597 Total Bytes
OUTPUT: Top 5 Bins by Bytes
            sIP|  Bytes|    %Bytes|   cumul_%|
175.219.238.243| 735229| 52.048036| 52.048036|
175.175.173.221| 460731| 32.615884| 84.663920|
175.215.235.223| 145948| 10.331892| 94.995813|
175.215.236.223|  66320|  4.694899| 99.690712|
181.209.166.99 |   2744|  0.194252| 99.884964|

'Ans: 735229'

7. What is the sTime value of the first DNS record going to port 53?

user@tryhackme:~/Desktop$ rwfilter suspicious-flows.silk --dport=53 --pass=stdout | rwcut --fields=sTime,dPort | head -2
                  sTime| dPort|
2023/12/08T04:28:44.825|    53|

'Ans: 2023/12/08T04:28:44.825'

8. What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

user@tryhackme:~/Desktop$ rwstats suspicious-flows.silk --fields=dPort,sIP,dIP --values=records,packets --count=10
INPUT: 11774 Records for 5714 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
dPort|                                    sIP|                                    dIP|   Records|        Packets|  %Records|   cumul_%|
   53|                        175.175.173.221|                        175.219.238.243|      4160|           4333| 35.332088| 35.332088|
   80|                        175.215.236.223|                        175.215.235.223|      1658|           1658| 14.081875| 49.413963|
40557|                        175.219.238.243|                        175.175.173.221|         4|              4|  0.033973| 49.447936|
50258|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.473416|
39121|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.498896|
52167|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.524376|
53176|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.549856|
50105|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.575335|
44195|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.600815|
50088|                        175.219.238.243|                        175.175.173.221|         3|              3|  0.025480| 49.626295|

9. Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

user@tryhackme:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.215.235.223 --pass=stdout | rwstats --fields=sIP,flag,dIP --count=10
INPUT: 1781 Records for 1 Bin and 1781 Total Records
OUTPUT: Top 10 Bins by Records
            sIP|   flags|             dIP|   Records|  %Records|   cumul_%|
175.215.235.223| S  A   | 175.215.236.223|      1781|100.000000|100.000000|


'Ans: 175[.]215[.]236[.]223'

10. What is the sent SYN packet’s number of records?

user@tryhackme:~/Desktop$ rwstats suspicious-flows.silk --fields=sIP,dIP,dPort --values=records --count=10
INPUT: 11774 Records for 5714 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
            sIP|             dIP|dPort|   Records|  %Records|   cumul_%|
175.175.173.221| 175.219.238.243|   53|      4160| 35.332088| 35.332088|
175.215.236.223| 175.215.235.223|   80|      1658| 14.081875| 49.413963|
175.219.238.243| 175.175.173.221|40557|         4|  0.033973| 49.447936|
175.219.238.243| 175.175.173.221|52167|         3|  0.025480| 49.473416|
175.219.238.243| 175.175.173.221|47920|         3|  0.025480| 49.498896|
175.219.238.243| 175.175.173.221|52345|         3|  0.025480| 49.524376|
175.219.238.243| 175.175.173.221|44195|         3|  0.025480| 49.549856|
175.219.238.243| 175.175.173.221|50088|         3|  0.025480| 49.575335|
175.219.238.243| 175.175.173.221|50258|         3|  0.025480| 49.600815|
175.219.238.243| 175.175.173.221|53176|         3|  0.025480| 49.626295|

'Ans: 1658'
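The two patterns the walkthrough surfaces with rwstats (single-packet SYN-only flows hammering one dIP:dPort, and one server reaching a single host on many distinct ephemeral ports) can also be checked programmatically once rwcut has exported the records. The script below is an added example, not part of the room or the SiLK suite; it parses rwcut's pipe-delimited output and the sample rows are constructed in the assumed layout of `rwcut --fields=sIP,dIP,dPort,protocol,packets,bytes,flags`, not taken from suspicious-flows.silk.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of `rwcut --fields=sIP,dIP,dPort,protocol,packets,bytes,flags`
# (an assumption about column order; this is not the room's suspicious-flows.silk).
SAMPLE = """\
            sIP|            dIP|dPort|pro|   packets|     bytes|   flags|
175.215.236.223|175.215.235.223|   80|  6|         1|        44| S      |
175.215.236.223|175.215.235.223|   80|  6|         1|        44| S      |
175.215.236.223|175.215.235.223|   80|  6|         1|        44| S      |
175.175.173.221|175.219.238.243|   53| 17|         1|        60|        |
175.219.238.243|175.175.173.221|40557|  6|         3|       180| S  A   |
175.219.238.243|175.175.173.221|50258|  6|         3|       180| S  A   |
175.219.238.243|175.175.173.221|39121|  6|         3|       180| S  A   |
"""

def parse_rwcut(text):
    """Parse rwcut's header line plus pipe-separated rows into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")[:-1]]  # drop the trailing empty cell
    rows = []
    for ln in lines[1:]:
        rec = dict(zip(header, (c.strip() for c in ln.split("|")[:-1])))
        for key in ("dPort", "pro", "packets", "bytes"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows

def syn_only_floods(rows, threshold=3):
    """Single-packet, SYN-only TCP flows counted per (sIP, dIP, dPort): the SYN-flood shape."""
    hits = Counter()
    for r in rows:
        if r["pro"] == 6 and r["packets"] == 1 and r["flags"] == "S":
            hits[(r["sIP"], r["dIP"], r["dPort"])] += 1
    return {k: n for k, n in hits.items() if n >= threshold}

def high_port_fanout(rows, min_ports=3):
    """Distinct dPorts above 1024 per (sIP, dIP): one server answering a host on many ephemeral ports."""
    ports = defaultdict(set)
    for r in rows:
        if r["dPort"] > 1024:
            ports[(r["sIP"], r["dIP"])].add(r["dPort"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}

if __name__ == "__main__":
    rows = parse_rwcut(SAMPLE)
    for (s, d, p), n in syn_only_floods(rows).items():
        print(f"SYN-flood candidate: {s} -> {d}:{p} ({n} single-packet SYN flows)")
    for (s, d), n in high_port_fanout(rows).items():
        print(f"{s} -> {d} on {n} distinct high ports (check for C2 check-ins)")
```

On the real file, feed it with `rwcut suspicious-flows.silk --fields=sIP,dIP,dPort,protocol,packets,bytes,flags | python3 script.py` after swapping SAMPLE for `sys.stdin.read()`.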

Reference https://tryhackme.com/room/adventofcyber2023