practical packet analysis for network incident response ... · sniff-target=ip.of.wireshark.box...
TRANSCRIPT
![Page 1: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/1.jpg)
Practical Packet Analysis for Network Incident Response with MikroTik RouterOS
25 October 2019, Kuta BaliMikroTik User Meeting Indonesia
Michael Takeuchi
![Page 2: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/2.jpg)
Hello, I am Michael Takeuchihttps://www.linkedin.com/in/michael-takeuchi
https://www.facebook.com/mict404
MikroTik Certified Engineer & Consultant from Jakarta, Indonesia
![Page 3: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/3.jpg)
Contoso Ltd.3
Why Packet Analysis?
![Page 4: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/4.jpg)
Contoso Ltd.4
Why Packet Analysis?
○ Information of 5W + 1H• What▪ DDoS? Spam? Flood?
• Who▪ Router? PC? Server?
• When▪ Now? Yesterday?
• Where▪ AS? Network?
• Why▪ Virus?
• How▪ TCP? UDP?
○ Action/Decision• Fix
• Stop
• Deny
![Page 5: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/5.jpg)
Contoso Ltd.5
Who do Packet Analysis?
○ Researchers: Access to RAW Data
○ Administrator: Debugging Network Problems
○ Analyst: Analyze the Traffic
○ Incident Responders: Tracing the Incident
![Page 6: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/6.jpg)
Contoso Ltd.6
How We Do Packet Analysis?
CAPTURE ANALYZE&
![Page 7: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/7.jpg)
Contoso Ltd.
○ Also known as SNIFFING
○ PCAP is the common format of Packet Capture
○ Perspective is Important• In-band• Out-band
7
Capturing Packets
![Page 8: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/8.jpg)
Contoso Ltd.8
In-Band Capturing Packets/Sniffing
User
Network
Devices
Hacker
![Page 9: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/9.jpg)
Contoso Ltd.9
Out-Band Capturing Packets/Sniffing
User
Network
Devices
Hacker
Port Mirroring/TZSP Streaming
![Page 10: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/10.jpg)
Contoso Ltd.10
Out-Band Capturing Packets/Sniffing
UserHacker
XPort Mirroring/TZSP Streaming
HUB
![Page 11: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/11.jpg)
Contoso Ltd.11
Capturing Packets in MikroTik –HTTP
/tool sniffer
set file-name="example.pcap"
set file-limit="1000"
set filter-ip-protocol="tcp"
set filter-port="80"
start
/file print where name="example.pcap"
![Page 12: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/12.jpg)
Contoso Ltd.12
Capturing Packets in MikroTik –HTTP
![Page 13: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/13.jpg)
Contoso Ltd.13
Capturing Packets in MikroTik –HTTP
![Page 14: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/14.jpg)
Contoso Ltd.
Expense storage quickly!!!
○ 10Mbps * 3600 (second) * 24 (hours) = 864000Mb
○ 864000Mb / 8 = 108000 Megabyte for 1 Day
10Mbps Bandwidth need 100+ Gigabyte storage for 1 Day
Double for full-duplex (200+ Gigabyte)
How big is your storage?
Solution? Use Out-Band Capturing Packets/Sniffing method with Port Mirroring, TZSP Streaming or use HUB
14
Capturing Packets in MikroTik – Storage Expense
![Page 15: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/15.jpg)
Contoso Ltd.
○ Port Mirroring is Switch Chip Feature
○ MikroTik devices without switch chip can’t do Port Mirroring/interface ethernet switch
set switch1 mirror-source=ether2
set switch1 mirror-target=ether3
15
Capturing Packets in MikroTik –Port Mirroring
![Page 16: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/16.jpg)
Contoso Ltd.
/tool sniffer
streaming-server=ip.of.wireshark.box
set streaming-enabled=yes
start
TZSP is run on UDP/37008, you can listen on UDP/37008 with your sniffing tools like wireshark (will introduced more in analyze step)
16
Capturing Packets in MikroTik –TZSP Configuration
![Page 17: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/17.jpg)
Contoso Ltd.
/ip firewall mangle
add action=sniff-tzsp chain=prerouting
sniff-target=ip.of.wireshark.box
sniff-target-port=port.of.wireshark.box
By default TZSP is run on UDP/37008, so you can listen on UDP/37008 with your sniffing tools like wireshark(will introduce wireshark more in analyze step)
17
Capturing Packets in MikroTik –TZSP Configuration (Alt.)
![Page 18: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/18.jpg)
Contoso Ltd.
Are you done?
Let’s continue to analyze the PCAP!
18
Capturing Packets in MikroTik –Done
![Page 19: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/19.jpg)
Contoso Ltd.
Fire on your tools:• Wireshark▪Open Source (GNU Public License)▪Multi-Platform (Windows, Linux, *BSD & MacOS)▪Advanced Filtering & Analyzing▪Used for Live Sniffing & Packet Analysis
• Some people use Wireshark for:▪Network Administrators: troubleshoot network problems▪Network Security Engineers: examine security problems▪Developers: debug protocol implementations▪Peoples: learn network protocol internals
19
Analyzing Packets – Fire On The Tools
![Page 20: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/20.jpg)
Contoso Ltd.
○To getting started with wireshark you can open the pcap file that you have from capturing packets
20
Analyzing Packets –Getting Started with Wireshark
![Page 21: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/21.jpg)
Contoso Ltd.
○Or you can capture the new packets ☺
21
Analyzing Packets –Getting Started with Wireshark
![Page 22: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/22.jpg)
Contoso Ltd.22
Analyzing Packets –Wireshark Interfaces
![Page 23: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/23.jpg)
Contoso Ltd.23
Analyzing Packets –Packet Filtering
○We can filter specific packet type in wireshark
○You can check the cheat sheet on http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
![Page 24: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/24.jpg)
Contoso Ltd.24
Analyzing Packets – Fetching a Messages
![Page 25: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/25.jpg)
Contoso Ltd.25
Analyzing Packets – Fetching a Messages
○Now we got a messagesfrom email ☺ and now wecan analyze the email
![Page 26: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/26.jpg)
Contoso Ltd.26
Analyzing Packets –Exporting Object (PDF, JPG, PNG, etc.)
![Page 27: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/27.jpg)
Contoso Ltd.27
Analyzing Packets – Flood Example (DNS)
![Page 28: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/28.jpg)
Contoso Ltd.28
Analyzing Packets – Flood Example (TELNET)
![Page 29: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/29.jpg)
Contoso Ltd.29
Analyzing Packets – Flood Example (WINBOX)
![Page 30: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/30.jpg)
Contoso Ltd.30
Analyzing Packets – Flood Example (SMB)
![Page 31: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/31.jpg)
Contoso Ltd.
○Wireshark Websitehttp://www.wireshark.org
○Wireshark Documentationhttp://www.wireshark.org/docs/
○Wireshark Wikihttp://wiki.wireshark.org
○Network analysis Using Wireshark Cookbook http://www.amazon.com/Network-Analysis-Using-WiresharkCookbook/dp/1849517649
31
Analyzing Packets –Wireshark Reference
![Page 32: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/32.jpg)
Contoso Ltd.
○ OpenIXP is one of the biggest Internet Exchange in Indonesia
○ and Parabot, a Bot in Telegram that brewed by @ericksetiawan and the Infrastructure was provided by @mtakeuchi using MikroTik RouterOS as a Probe & BGP router in OpenIXP, also Powered by Maxindo Networks
○ Parabot help to notify us when the router receiving broadcast or flood on OpenIXP interface
○ Parabot will do Torch and start Packet Sniffer on your Router
32
Study Case –Parabot OpenIXP
![Page 33: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/33.jpg)
Contoso Ltd.
Secure ≠ Easy
33
Conclusion
![Page 34: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/34.jpg)
Contoso Ltd.
Feel so hard to analyze?
Let me help you!
https://www.facebook.com/mict404
https://www.linkedin.com/in/michael-takeuchi/
34
![Page 35: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/35.jpg)
Contoso Ltd.35
Question & Answer
![Page 36: Practical Packet Analysis for Network Incident Response ... · sniff-target=ip.of.wireshark.box sniff-target-port=port.of.wireshark.box By default TZSP is run on UDP/37008, so you](https://reader034.vdocuments.us/reader034/viewer/2022043017/5f39a15db42d74138245a8c7/html5/thumbnails/36.jpg)
Contoso Ltd.36
Add a footer
Slide is available in my GitHub repositoryhttps://github.com/mict404/slide/