CloudShark developer and packet guru Tom Peterson gives us another example from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise.
The exercise: 6 different pcaps with different malicious activity
The 2017-11-21 malware traffic analysis exercise is a bit different than the past two I’ve dug into. This exercise is simply 6 PCAPs and our task is to just figure out what’s happening in each one.
CloudShark developer and packet guru Tom Peterson has been deep in the trenches doing malware analysis exercises from malware-traffic-analysis.net to learn how to best use CloudShark and our Threat Assessment add-on to get to the root of malicious activity. Let’s join him now for his latest exercise.
What’s up with this Windows 10 PC?
Hi all! Tom here from CloudShark Support. One of the latest exercises from malware-traffic-analysis.net involves seeing some malicious traffic coming from a Windows 10 PC, as set up in the 2017-10-21 malware traffic analysis exercise.
Trying to debug a web application that is dependent on running over a secure connection is difficult. It used to be that it required you to have the private key (in RSA format) in order to do so, and for those situations, CloudShark Enterprise’s RSA Key Management system is ideal.
The alternative is to grab a “keylog” file from your browser and use that within CloudShark to decrypt the stream.
Hi all! Tom here. You may remember me as the face of CloudShark Support, and your host in our last malware analysis packet capture challenge.
I’ve been working through more of the traffic analysis exercises posted at malware-traffic-analysis.net, that we featured in our challenge. These exercises have been a great way to learn how to jump to packet captures first when looking at a potential malware attack.
I found them really fun to go through and really digging deep into specific examples of malware and how it infects hosts and networks.
Deep in the explosive and risky CloudShark laboratory, we’ve been cooking up a special Chrome extension just for CloudShark users.
Download the extension
The extension adds the ability for Chrome users to right-click on a capture in the capture list view and go directly to an analysis tool, rather than opening the packet viewer first. It’s definitely something that’s been asked for by our users!
In addition, we’ve uploaded the source of the extension as an open-source project on github.
Troubleshooting wireless problems often requires a deep dive down to the packet level. But with so much information in there, how do you know where to look first?
CloudShark’s new Wireless profile preset helps set up your view to give you the summary columns you need. It’s a quick and easy way to get the most information about your network traffic.
It all starts with the right profile
Building on our own analysis experience, CloudShark has created a default profile for looking at 802.
If you’re a Managed Service Provider or other IT outsourcing company, chances are you’ve had to use packet capture on many occasions to help customers solve network problems. With the right analysis tools, packet captures can be your go-to resource to help you get to the root of problems faster and make customer interactions easier.
Packet Capture: Your Greatest Asset
For the Managed Service Provider, packet capture files are generally the quickest way to get to the root cause of a network, application, or security problem.
When a wireless access point wants to advertise its available networks, it sends out 802.11 beacon frames. These frames are seen by other 802.11 receiving radios, and if you can capture those frames, you can use CloudShark’s Wireless Networks tool to see all of the wireless networks (named with their SSIDs) nearby.
Alternatively, when Wifi stations come online, they may send out a frame called a “Probe Request”. An access point can respond to these requests with a “Probe Response”.
Ever since the folks at Aerohive decided to integrate HiveManager NG with CloudShark, we’ve been excited to play around and see what exactly we can learn from looking at packet captures from wireless networks. So, naturally, our CloudShark dev and support guru Tom was happy to jump on it when we got some of their Access Points here at CloudShark.
Our network is a bit tricky, since our sister product CDRouter is busy testing all sorts of broadband routers and wireless APs with their networks on, so he brought it out of the noise and tested it at home for a night.
Today’s Wireless Access Points have multiple radio interfaces (for the 2.4 GHz and 5 GHz ranges) that can both host Wifi clients. What if you want to see capture data from both? Aerohive’s HiveManagerNG lets you capture on both of these interfaces at the same time. This makes two different captures, but with CloudShark’s Merge feature you can put them together and view all of the packets going through your AP at once.
The news cycle about cyber-security has been more active than ever before. When we launched CloudShark back in 2010, we knew there would be some hesitation in putting something as sensitive as packet captures in the cloud. While the world has grown since then, we wanted to write a quick note for transparency about how CloudShark data is contained and shared.
How CloudShark Sessions Work
Each upload to CloudShark generates a unique “session” URL.
Cyber attacks today are bigger, faster, and happening more frequently than ever. Intrusion detection system alerts are only the beginning of the story.
CloudShark Threat Assessment quickly takes you from the network alert all the way down to the individual packets, so you can determine the root cause and protect your network.
This article is the full text of our white paper on the same topic
Packet Capture Files: Valuable but Vulnerable
Packet capture files - files that record network traffic - are invaluable resources for network administrators, help desk staff, and IT security experts. Filled with application data and protocols, timestamps, and error codes, these files provide IT engineers with a detailed view of what took place on a network during a specific period of time.
Note: We here at CloudShark aren’t HIPAA experts, we just think it’s neat to talk about. Don’t take this as “official” advice.
Recently we’ve been having some “water-cooler” (we don’t have a water cooler, it’s actually a shark tank) discussion around the security of packet captures in general, and naturally, how that applies to regulations like HIPAA, the “Health Insurance Privacy and Accountability Act”.
HIPAA and packet captures
The relevant parts of HIPAA to packet capture security include sections on workstation use and security, device and media controls (including rules for backup and storage), access controls to electronic resources, and a section that addresses transmission security, which requires encryption of those records during transmission.
We were pretty excited when the developers at OpenWRT decided to build packet capture and CloudShark upload support into the popular open source software for broadband routers. It got us thinking - what are some other ways you could build a useful network probe? It turns out one of our other users decided to take the leap into building such capability using a Raspberry Pi.
The great news is you can do it easily by installing tshark on your system and running a simple script from one of our developers, Tom.
We all know that Wireshark filters can be used to help you in your analysis and narrow down what you are looking for. But, with CloudShark, they present a new opportunity for use when sharing your captures with colleagues in order to both present the view you are looking at, or to help navigate to a section of the capture you want them to see. Here’s three tricks we use when getting around town in CloudShark.
The folks at Google Security recently discovered a vulnerability in glibc’s getaddrinfo() library function, allowing attackers to execute malicious code transmitted in oversized DNS replies. Scary stuff!
Luckily, there’s already a patch, and the developers generated some proof of concept code to demonstrate the vulnerability. We took that code and ran it against some of our own systems. You can see a packet capture of the whole thing here:
Export captures to a new session based on filter rules
Merge captures from multiple sources or times into a single capture
When we first made CloudShark, we stuck to making the best and easiest to use packet capture analysis tool out there. As we made more and more improvements to CloudShark and its host of analysis tools, we’ve gotten many requests for the ability to manipulate the captures themselves - whether it be splitting them into smaller, more manageable sizes or performing a capture merge that can put two sets of packet data in order and remove duplicates.
One of our most requested features that we added to CloudShark 2.6 was the ability to have captures automatically delete after a certain time period has expired. Since CloudShark can hold a virtually unlimited number of captures, this is useful for those who wish to preserve disk space or have specific retention rules due to their company’s security policy or from regulations like HIPAA.
Using this feature is very simple!
Well, it’s official; the IETF has officially deprecated SSLv3.0. This means that it’s now a protocol violation to fall back to it. This is good news, since the number and types of attacks have been on the rise for awhile now. We’d like to take the opportunity to explore how to debug web applications that use HTTPS over SSL/TLS in CloudShark.
It’s undeniable that debugging HTTP traffic is one of the most common use-cases for a packet decoder.
In CloudShark 2.5, we added the ability to use SSL key log file data in order to decrypt SSL streams in the packet viewer. But what exactly is an SSL key log file, and how do you get them so that you can do web site and web service debugging?
A key log is a log of the values used by your web browser to generate TLS session keys. Your browser does this every time, but it doesn’t do anything else with those values once they are used.
CloudShark 2.5, added a cool new feature: the ability to view a small sparkline graph of each of your captures packets-per-second (bandwidth). You can add this to your index view by editing the table options in your capture file index.
How might such a thing be useful?
Quickly noticing patterns
Some issues can be seen in the regularity of certain traffic patterns. For instance, seeing packet rate spikes occur at regular intervals can point to a rogue agent on your network attempting some funny business, or issues with applications trying to accomplish some network heavy task, then repeating it when it is unsuccessful.
We now know a lot about the NSA’s various techniques in its QUANTUM program. One of the most prolific (and sneaky) of these attacks is the “QUANTUMINSERT”, which exploits a long-known TCP vulnerability that will cause, effectively, a redirect to a malicious resource. It’s tricky, since it requires careful timing; the spoofed packet needs to arrive before the expected packet.
One of our most engaging customers, Fox-IT, is an active team of hackers, programmers, and cybersecurity experts that provides innovative solutions for government, defense, law enforcement, critical infrastructure, banking, and commercial enterprise clients worldwide.
Check out how to do it here:
We’re pleased to say you can now easily install CloudShark on Amazon Web Services with just a few simple steps. CloudShark on AWS lets you maintain full control over your server without the added headaches of managing physical servers or VM infrastructure. You can get set up in minutes, whether you’re running a CloudShark trial or you’ve just purchased CloudShark and are ready to get going.
If there’s one thing we noticed about 2014, it was a year of many security announcements. It is becoming obvious that perimeter security is not sufficient and each constituent system in a network must be regarded as a public system, regardless of assumption. Systems will be compromised, and preparing for what to do after an attack is just as important as preventing attacks in the first place.
In any case, we thought we’d do a quick review:
If you are new to CloudShark Enterprise or diving into our 30-day free trial, or even just curious about how you can organize, analyze, and collaborate on packet captures in your browser, please join the CloudShark support team as we show you the basics:
Your first log-in to CloudShark Enterprise
Searching, tagging, and organizing
Annotating and analyzing in the packet capture viewer
Sharing links and embedding views
Using CloudShark with the Wireshark plug-in
We’re always geeking out over the multitude of things you can do with packet capture and CloudShark upload support in the popular open source OS for embedded devices, OpenWrt.
In addition to the ability to troubleshoot packet-level detail on home gateways, or monitoring wireless traffic, OpenWrt’s packet capture feature can turn any embedded device to a packet capture node that can instantly upload its data to CloudShark.
Accessing OpenWrt
To turn a device into a network probe, you’ll need to be able to access the web user-interface of OpenWrt.
Have you ever wanted to capture and analyze what network traffic your smartphone or tablet is sending? Maybe you are developing a new app and need to debug a network issue, or maybe you are just curious about what network traffic an app is sending. Using a wireless router running OpenWrt with the CloudShark package makes capturing this traffic easy!
Once you have the OpenWrt CloudShark package installed, connect your device to your OpenWrt wireless network and browse to the Status page of the OpenWrt router.
Have you ever wanted to embed a packet trace right into the blog post you were writing? We know you have. You’ve told us you want that! When a screenshot of the decode won’t do, you can use CloudShark to share individual frame decodes in blog posts, documentation, help forums, and pretty much anywhere else you can write HTML.
Let’s see it in action!
Here’s packet #2 from our TCP Fast open example.
Those in the CPE world are probably very familiar with OpenWrt, an open source Linux implementation for embedded devices, including home gateways or wireless routers. OpenWrt is popular and extensible, with over 3000 available packages.
Recently, an OpenWrt package was developed that adds QA Cafe CloudShark capture and upload capability. The new package supports packet capture and viewing directly in the browser. A home router can be instantly transformed into a network troubleshooting tool or probe.
Here in the CloudShark QA Department, we use many open source tools to accelerate our testing process - Capybara, JMeter, and Vagrant are each friends and family to our QA lab. When new product development zooms past the faithful heartbeat of test automation, every QA department in the world needs to fess up - manual testing helps get the job done.
One of the most useful ways of testing future versions of CloudShark is also a way to get some extra testing for free: the robust CloudShark API allows for hands-free manipulation of CloudShark packet capture assets.
The pcap capture file format has been the universal packet capture format since the early days of computer networking. Almost all capture tools support the pcap format. And while vendors have created new formats over the years, most tools support conversion into the pcap format.
While pcap continues to be used today, it does have some limitations that make other formats more attractive. A new format called “pcapng” has been under development for a number of years.
As many are aware (as it’s now become national news), a vulnerability was recently discovered in OpenSSL dubbed Heartbleed. The attack centers around the implementation of the Heartbeat extension in OpenSSL which causes a server to return the contents of memory that should be protected. This blogpost by Troy Hunt describes the vulnerability in detail: Everything you need to know about the Heartbleed SSL bug.
Being packet geeks, naturally we wanted to get a capture of the Heartbleed attack in action.
CloudShark 2.0 added a lot of cool new features to CloudShark, but perhaps the most powerful (and most complex) was the addition of search capability to the CloudShark API. The search API function takes the already robust search features of CloudShark that were available through the user interface and brings them to anyone who wants to integrate CloudShark with their existing tools or work CloudShark seamlessly into their automation environment.
In CloudShark 1.9 we added the ability to play back RTP streams so that you can replay voice data embedded in packet captures for call quality analysis. When we launched this feature, CloudShark supported G.711, G.729, and GSM voice codecs, used by many voice and mobile providers.
Since then, we’ve gotten a lot of calls (ha!) for the addition of other audio codecs to the system to be able to play them back as well.
We’ve been talking a whole lot about integration lately. From our recent bout at Cisco Toolapalooza, to the great work that’s being done with Meraki, we’re finding that the best way people get comfortable with CloudShark is by incorporating it into their existing tools. There are a great many tools out there that can produce packet captures, and each one can find a different way to get those captures into CloudShark for easier collaboration and management.
We know how life can be when someone else drives your car, and all of your “preferences” - the seat position, mirror views, and your “greatest hits of 1991” satellite radio station are all modified. Or worse, imagine if you had to set them every time you got in the car! We can see how that would be super annoying (like the greatest hits of 1991*).
Fortunately for CloudShark, you can actually configure certain packet capture view preferences and save them so that you’ll see things the way you want to every time you look at a capture.
CloudShark 1.9 includes the ability to visualize RTP streams and play them back if they contain audio. For SIP calls, CloudShark will automatically decode the conversation as an RTP stream. However, for other protocols RTP will generally use a random port - not immediately apparent to CloudShark.
You can easily work around this using CloudShark’s “decode as” feature, which tells CloudShark to treat data on a given port as a particular protocol of your choice.
One of CloudShark’s main and most useful features is the ability to add annotations to individual packets, or to import packet comments from the pcap-ng format into CloudShark annotations. Not only does this make your own note-taking on your analysis easier, but allows you to share your annotations with your colleagues or customers when sharing the capture file URL. They can see your notes and get to the root of the problem faster.
UPDATE: Here is Intel’s official statement - it is important to note that this had little to do with Intel and only a specific manufacturer.
The creator of AstLinux, Kristian Kielhofner, recently discovered a bug in certain models and versions of Intel-based Gigabit Ethernet implementations that can result in a “packet of death” that will bring down the network interface, requiring a power cycle of the interface in order to restore functionality.
Last weekend, an apparent Man-In-The-Middle (MITM) Attack on the popular code sharing site github.com occurred, which seemed to originate from China for users trying to traverse the “Great Firewall”. This was strange, as there had been many news stories not even two days before about China blocking and then subsequently unblocking access to github.
Whatever the reason, a subject of the attack was able to create a packet trace of it, and uploaded it to our free cloudshark.
The great thing about CloudShark’s capture decode is that it supports all of the standard Wireshark display filters. You may know the common ones, such as searching on ip address or tcp port, or even protocol; but did you know you can search for any ASCII or Hex values in any field throughout the capture?
It’s true. The “frame contains” filter will let you pick out only those packets that contain a sequence of any ASCII or Hex value that you specify.