In this lesson, we're going to take a look at some packet captures. Now, a packet capture is used to be able to capture all the data going to or from a given network device. You can also set up a packet capture over a SPAN port and capture all the data going to and from all of the devices on your network, depending on how you configure your packet capture software. Now, when we look at a packet capture in this lesson, we're going to be looking at snippets, because on the exam they're not going to give you a full packet capture of gigabytes and gigabytes of data. Instead, they're going to give you something like five lines or 10 lines or 20 lines inside of a packet capture, and so that's what we're going to be focusing on here. Now, as we go through these three packet captures, I'm going to show you three different types of attacks that a threat actor might use against your network. Let's take a look at the first one.

Now, in this first one, you can see this whole packet capture that I'm showing you only has 19 lines. It's actually going to be the longest packet capture we're going to look at, but it's also one of the easiest. Now, as we look at these, you can see that we have a couple of different columns here going across the top. The first one that we have is what's known as the number, and this is the packet number in the capture sequence. So we start out with one, then two, then three, and we go all the way down to 19. The second column we have is the time. When did this happen? Now, you'll notice this isn't actually a date and time like you're used to; instead, it's written as the amount of time that has elapsed since we started the packet capture. So it's important to make sure you record the time you begin your packet capture, so you can then coordinate this as you bring the packet capture into your SIEM or other types of incident response systems, and consolidate and correlate it across all of your different logs and devices. Just knowing that this happened 0.002 seconds after we started the packet capture isn't as helpful if we can't correlate that across all of our systems.

The next two columns have IP addresses, and you'll see the source and the destination. Essentially, it's our perspective based on the sensor of where the data is coming from and where the data is going to. In this case, we have two sample IP addresses being used: 99.88.77.66 as our source, and we're trying to go to our destination, which is 11.22.33.44. Next, you'll see the column for protocol, and this will either be TCP, UDP or something else. For example, if we're operating at layer two, you might see things like ARP being used. But since we're here at layer three and layer four, we're going to be talking about TCP and UDP. Next, we have length, and this is how long or how big that packet is, and all of them are only 74 in this case. And then we have info, which will give you some information that's being captured from the header of each of these packets. In this case, you can see the flag that's being set, and you can see here that it is the SYN flag, and we don't see any ACK flags or SYN-ACKs. And then we see the sequence, the window, the length, the MSS, the SPort, which is your source port, and your DPort, which is your destination port.

So now I'm going to count down from 10 to zero, and when I get to zero, I'm going to tell you what type of attack we're seeing inside of this packet capture, which I'm hoping you'll be able to figure out in the next 10 seconds. 10, 9, 8, 7, 6, 5, 4, 3, 2, 1.

All right. Did you figure it out? This is actually a port scan. Now, in fact, this is a port scan of the top 19 ports. This scan was actually going on to the top 100 ports using an Nmap scanner, but in this packet capture, I only showed you the first 19. You'll notice the first port being scanned is the DPort of 80, which is HTTP, or the Hypertext Transfer Protocol. The second one is port 23, which is Telnet, an insecure version of remote access. The third one is port 22, which is going to be for SSH, a secure remote shell capability. The fourth one is FTP at port 21. The fifth one is port 443 with HTTPS, and so on. As you can see, each time a SYN-ACK was being sent, it was being sent with a single SYN and a port going to there to basically see if that port was open on the remote server, which in this case was the destination of 11.22.33.44. And it kept doing that over and over and over again, so that my Nmap software was able to see whether there were any ports open as part of my reconnaissance during a penetration test.

Let's go ahead and move on to our second packet capture. Now, here's our second packet capture, and you'll see that we have a couple of dot, dot, dots in between. So as we're going down the first column with the packet numbers, you'll see I have the first five packets shown. Then I skip down to packets 100 through 102, and then I skip down again to packets 1000 to 1002. All those dots are saying is that there are other packets happening here, but I'm not showing them to you in this log snippet. And you'll see this used on the exam as well. As we go through, you can see that this whole packet capture happened within 0.1 seconds. So this is actually a pretty fast packet capture to get 1000 packets through. You'll see the source and you'll see the destination. Now, in this case, we're looking at the protocol as TCP. The length is 74, and again, we see a whole bunch of SYN packets there, and we don't actually see the port numbers associated with them. So if you are looking at this and you see all of these SYN packets happening from packet one all the way through to packet 1002 and continuing, 'cause there's still three dots there at the bottom, what do you think this is? I'm going to go ahead and count down from 10 again and see if you can guess. 10, 9, 8, 7, 6, 5, 4, 3, 2, 1.

Did you guess it? This is actually a type of denial-of-service attack known as a SYN flood. Notice in this packet capture, we are not seeing any acknowledgements coming back from that destination server to our source, and we're not seeing any SYN-ACKs going from our source back to our destination. So what we have here is the first step in a three-way handshake, but the second and third steps are not being completed. Now, the reason I'm showing you this is because this is another type of attack that you're going to see commonly used in your logs, where an attacker will use a SYN packet as a way to start a half-open connection, and they won't finish the connection. When this happens, it eats up resources on that destination server, and eventually that server can actually crash if there are too many open requests.

Let's move on to our third packet capture. Now, our third packet capture actually has over 3,500 packets, but again, I'm only showing you about 10 of them here, and I'm using a bunch of dots to hide the fact that there are a bunch of things that are missing. Now, as we go through here, you're going to see it looks very similar to the last one, so you're probably thinking it's some kind of a denial-of-service attack, and you'd be right. Now, as you look through, one of the differences of this one versus the last packet capture is that we have the same destination being targeted, but we're using different sources. Notice that the first 1,000 packets were all coming from 192.168.1.101. Now, they were trying to do a SYN flood as a denial-of-service attack, and it appears that that wasn't successful, because the server was still responding. So they started bringing in other hosts as well to start sending traffic. So you'll see that the first one was 192.168.1.101. If we drop down to packet 1500, we can see that the source there is 192.168.1.102. If we go down to packet 2000, we see 192.168.1.103. We go to 2500, we see 192.168.1.104. And every 500, we're going to another system and using a different IP address. So what this is showing us is a distributed denial-of-service attack, where we have multiple systems all going and attacking the same server. Now, in the case of this packet capture, we can see that we had 3,500 packets being sent in about 1.75 seconds from across multiple different IP addresses. And if we went into something at scale, you might see hundreds or hundreds of thousands of these packets from various IP addresses that are all attacking you as part of a botnet inside of this type of a packet capture. But what we're trying to demonstrate here is the idea that you could see a distributed denial-of-service attack inside of a packet capture.

Now, for the exam, it is possible that you would get a packet capture that has 5, 10, 15, or 20 lines like this. And often those people who already work in the field look at this and go, "I don't have enough information to make a decision." And you're right. In the real world, I wouldn't call this a distributed denial-of-service attack just by seeing these 10 or 15 lines, but again, you have to ask yourself on the exam, what are they trying to show me in five or 10 or 15 lines? And the most obvious thing here would be that we have a distributed denial-of-service attack, because we are doing these half-open connections to eat up resources on the same server, and all of the destinations are the same server IP, but the sources are coming from different places. So this would be a distributed denial-of-service attack. Whereas when we looked at number two, all the sources were one computer and all the destinations were one server. So that was a regular denial-of-service attack. Keep this in mind as you're taking the exam, and you'll do really well when you're looking at these packet captures.
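The three readings in the lesson (SYN packets with no SYN-ACK or ACK coming back, then one source versus many, then one destination port versus many) can be applied mechanically to a packet-list snippet. The following is an added example, not part of the lesson: it parses constructed rows laid out like the lesson's columns and classifies each of the three captures. The row format, the 10.0.0.5 source in capture 2, the destination in capture 3 and all timings are assumptions made here.

```python
# Added example, not part of the lesson: read packet-list snippets the way the
# lesson does. Assumed (constructed) row layout:
#   No  Time  Source  Destination  Protocol  Length  Info   (Info holds the TCP flags plus SPort=/DPort=)
from collections import namedtuple

Pkt = namedtuple("Pkt", "no time src dst proto length info")

def parse_rows(text: str) -> list:
    """Parse snippet rows; '...' elision rows and blank lines are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        parts = line.split(None, 6)
        if len(parts) == 7 and parts[0].isdigit():
            no, t, src, dst, proto, ln, info = parts
            pkts.append(Pkt(int(no), float(t), src, dst, proto, int(ln), info))
    return pkts

def dport(info: str):
    """Destination port from an Info field such as '[SYN] SPort=40001 DPort=80'."""
    hits = [tok[6:] for tok in info.split() if tok.startswith("DPort=")]
    return int(hits[0]) if hits else None

def classify(pkts: list) -> dict:
    """SYNs never answered by a SYN-ACK or ACK are half-open connections; the
    number of sources and of distinct destination ports then picks the pattern."""
    syns = [p for p in pkts if p.proto == "TCP" and "[SYN]" in p.info]
    answered = any("SYN, ACK" in p.info or "[ACK]" in p.info for p in pkts)
    srcs, dsts = {p.src for p in syns}, {p.dst for p in syns}
    ports = {dport(p.info) for p in syns} - {None}
    span = max(p.time for p in pkts) - min(p.time for p in pkts) if pkts else 0.0
    verdict = "no half-open pattern"
    if syns and not answered and len(dsts) == 1:
        if len(srcs) > 1:
            verdict = "DDoS (distributed SYN flood)"
        elif len(ports) >= max(2, len(syns) // 2):  # roughly a new port per SYN
            verdict = "port scan"
        else:
            verdict = "DoS (SYN flood)"
    return {"verdict": verdict, "sources": len(srcs), "syns": len(syns),
            "distinct_dports": len(ports), "elapsed_s": round(span, 2)}

# Constructed snippets shaped like the lesson's three captures. 10.0.0.5, the
# timings and the capture-3 destination are made up; the rest follows the lesson.
ROW = "{n} {t:.4f} {src} 11.22.33.44 TCP 74 [SYN] Seq=0 Win=1024 Len=0 MSS=1460"
PORT_SCAN = "\n".join(ROW.format(n=i, t=i * 0.002, src="99.88.77.66") + f" SPort=40001 DPort={p}"
                      for i, p in enumerate([80, 23, 22, 21, 443], start=1))
SYN_FLOOD = "\n".join(ROW.format(n=i, t=i * 0.0001, src="10.0.0.5") for i in range(1, 1003))
DDOS = "\n".join(ROW.format(n=i, t=i * 0.0005, src=f"192.168.1.{101 + max(0, (i - 501) // 500)}")
                 for i in range(1, 3501))

if __name__ == "__main__":
    for name, text in (("capture 1", PORT_SCAN), ("capture 2", SYN_FLOOD), ("capture 3", DDOS)):
        print(name, classify(parse_rows(text)))
```

As the lesson points out, a handful of lines is not enough evidence on its own; the `elapsed_s` figure is there because rate (1000 SYNs in 0.1 s, 3500 in 1.75 s) is what separates a flood from ordinary half-open connections in a real capture.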