Day 17

Traffic analysis: I Tawt I Taw A C2 Tat!

Learning Objectives

  • Gain knowledge of the network traffic data format

  • Understand the differences between full packet captures and network flows

  • Learn how to process network flow data

  • Discover the SiLK tool suite

  • Gain hands-on experience in network flow analysis with SiLK

This room is again a very straightforward one with all commands and instructions already given. We just need to follow along and run them.

Which version of SiLK is installed on the VM?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ silk_config -v
[REDACTED]
    * Root of packed data tree:         /var/silk/data
    * Packing logic:                    Run-time plug-in
    * Timezone support:                 UTC
    * Available compression methods:    lzo1x [default], none, zlib
    * IPv6 network connections:         yes
    * IPv6 flow record support:         yes
    * IPset record compatibility:       3.14.0
    * IPFIX/NetFlow9/sFlow collection:  ipfix,netflow9,sflow
    * Transport encryption:             GnuTLS
    * PySiLK support:                   /usr/local/lib/python2.7/site-packages
    * Enable assert():                  no
Copyright (C) 2001-2020 by Carnegie Mellon University
GNU General Public License (GPL) Rights pursuant to Version 2, June 1991.
Some included library code covered by LGPL 2.1; see source for details.
Government Purpose License Rights (GPLR) pursuant to DFARS 252.227-7013.
Send bug reports, feature requests, and comments to netsa-help@cert.org.
What is the size of the flows in the count records?
[REDACTED]

rwfileinfo suspicious-flows.silk
suspicious-flows.silk:
  format(id)          FT_RWIPV6ROUTING(0x0c)
  version             16
  byte-order          littleEndian
  compression(id)     lzo1x(2)
  header-length       88
  .
  .
  .
  file-size           152366
  command-lines       
                   1  rwipfix2silk --silk-output=test.silk
What is the start time (sTime) of the sixth record in the file?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --num-recs=6
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime|duration|eTime|sen|
[REDACTED]
What is the destination port of the sixth UDP record?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwcut suspicious-flows.silk --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6

pro|            sIP|sPort|            dIP|dPort|
  6|175.215.235.223|   80|175.215.236.223| 3222|
  6|175.215.235.223|   80|175.215.236.223| 3220|
  6|175.215.235.223|   80|175.215.236.223| 3219|
  6|175.215.235.223|   80|175.215.236.223| 3218|
  6|175.215.235.223|   80|175.215.236.223| 3221|
  [REDACTED]
What is the record value (%) of the dport 53?
[REDACTED]

rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10

INPUT: 11774 Records for 5713 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
What is the number of bytes transmitted by the top talker on the network?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top

INPUT: 11774 Records for 8 Bins and 1412597 Total Bytes
OUTPUT: Top 10 Bins by Bytes
[REDACTED]
What is the sTime value of the first DNS record going to port 53?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.175.173.221 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10

INPUT: 11774 Records for 9 Bins and 11774 Total Records
OUTPUT: Top 10 Bins by Records
[REDACTED]
What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
[REDACTED]
What is the sent SYN packet's number of records?
[REDACTED]

ubuntu@ip-10-10-191-161:~/Desktop$ rwfilter suspicious-flows.silk --saddress=175.215.236.223 --pass=stdout | rwstats --fields=sIP,flag,dIP --count=10
[REDACTED]
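The rwstats and rwfilter questions above all reduce to the same few operations on flow records: bin by a field and express each bin as a share of all records, sum bytes per source, pick the earliest record matching a filter, and count single-SYN flows per source. The following Python script is an added example, not part of the room or of the SiLK suite: it re-implements those summaries over rwcut-style pipe-delimited text so the logic can be checked without a SiLK install. The flow rows it contains are constructed for illustration (a few rows mimic the layout seen in the rwcut output above) and are not from suspicious-flows.silk; the function names and the percentage rounding are this example's own choices, approximating rwstats rather than reproducing its exact output.

```python
"""Approximate rwstats/rwfilter-style summaries over rwcut text output.

Added example with constructed data; it is not part of the SiLK tool suite.
"""
from collections import Counter

# Constructed sample in rwcut's pipe-delimited layout (not real capture data).
SAMPLE = """\
            sIP|            dIP|sPort|dPort|pro|packets|bytes|flags|                  sTime|
175.215.235.223|175.215.236.223|   80| 3222|  6|      5| 4200|FS PA|2021/12/17T10:00:01.000|
175.215.235.223|175.215.236.223|   80| 3220|  6|      4| 3100|FS PA|2021/12/17T10:00:02.000|
175.175.173.221|       10.0.0.53|51000|   53| 17|      1|   70|     |2021/12/17T10:00:03.000|
175.175.173.221|       10.0.0.53|51001|   53| 17|      1|   72|     |2021/12/17T10:00:04.000|
175.215.236.223|175.215.235.223| 4000|   80|  6|      1|   40|S    |2021/12/17T10:00:05.000|
175.215.236.223|175.215.235.223| 4001|   80|  6|      1|   40|S    |2021/12/17T10:00:05.100|
175.215.236.223|175.215.235.223| 4002|   80|  6|      1|   40|S    |2021/12/17T10:00:05.200|
       10.0.0.9|       10.0.0.53|52000|   53| 17|      1|   65|     |2021/12/17T10:00:06.000|
"""

# Columns that should be compared numerically rather than as strings.
INT_FIELDS = {"sPort", "dPort", "pro", "packets", "bytes"}


def parse_rwcut(text):
    """Parse rwcut's pipe-delimited text into a list of flow dicts.

    The first row names the fields; the empty column after the trailing '|'
    is dropped and the integer fields are converted.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")][:-1]
    flows = []
    for ln in lines[1:]:
        cols = [c.strip() for c in ln.split("|")][:-1]
        rec = dict(zip(header, cols))
        for field in INT_FIELDS & rec.keys():
            rec[field] = int(rec[field])
        flows.append(rec)
    return flows


def records_by(flows, field, top=10):
    """rwstats --fields=<field> --values=records: (value, records, %Records)."""
    total = len(flows)
    counts = Counter(rec[field] for rec in flows)
    return [(val, n, round(100.0 * n / total, 2)) for val, n in counts.most_common(top)]


def top_talker(flows):
    """rwstats --fields=sIP --values=bytes --top: source with the most bytes."""
    by_src = Counter()
    for rec in flows:
        by_src[rec["sIP"]] += rec["bytes"]
    ip, nbytes = by_src.most_common(1)[0]
    return ip, nbytes


def first_match(flows, **criteria):
    """rwfilter ... | rwcut | head: earliest flow matching every criterion."""
    hits = [rec for rec in flows if all(rec.get(k) == v for k, v in criteria.items())]
    return min(hits, key=lambda r: r["sTime"], default=None)


def syn_only_by_source(flows):
    """Count TCP flows whose only flag is SYN, per source.

    Many one-packet SYN-only flows from one source toward one service is the
    half-open pattern that a SYN flood leaves behind in flow data.
    """
    counts = Counter()
    for rec in flows:
        if rec["pro"] == 6 and rec["flags"].replace(" ", "") == "S":
            counts[rec["sIP"]] += 1
    return counts


if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE)
    print("records by dPort:", records_by(flows, "dPort"))
    print("top talker:", top_talker(flows))
    print("first DNS from 175.175.173.221:", first_match(flows, sIP="175.175.173.221", dPort=53)["sTime"])
    print("SYN-only flows per source:", syn_only_by_source(flows))
```

The percentage column corresponds to the %Records value rwstats prints beside each bin, and the SYN-only count is what the final rwstats invocation above surfaces when binning by sIP, flag and dIP; in real data the flood source stands out by having a record count far above every other source for the same destination.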
