Using Wireshark to Identify Malicious Network Activity

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this lab, we will learn how to use Wireshark to identify malicious network traffic. We will download two packet captures and analyze them, checking for signs of beaconing and exfiltration via DNS tunneling.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install Wireshark.
  1. Use your preferred VNC client to connect to the host using the provided public IP on port 5901.
  2. Run the commands sudo apt-get update and sudo apt-get install -y wireshark.
  3. When asked if you want to allow non-superusers to capture packets, select Yes.
Download and analyze packet captures.

Download the following PCAP files to the Downloads directory:

  • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/dns-tunneling.pcap
  • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/beaconing.pcap
Create the firewall rules.
  1. Use Gedit to create a file named firewall-rules.txt and save it on the Desktop.
  2. Review the two packet captures and identify the source and destination involved in beaconing and DNS tunneling, and create a rule for each of the two activities.
  3. The firewall-rules.txt file should contain two access lists which following the format outlined in the Guide. Remember Linux is case sensitive.
  4. The firewall rule to block beaconing is:
    access-list BLOCK deny TCP 192.168.122.212/32 188.120.247.14/32 eq 80
  5. The firewall rule to block DNS tunneling is:
    access-list BLOCK deny UDP 10.0.2.30/32 10.0.2.20/32 eq 53

Additional Resources

Your supervisor has asked you to review two packet captures from the network team and see if you can identify any DNS tunneling activity or beaconing activity, which are both indicators of a compromise.

Once you connect to the server with VNC, you'll need to install Wireshark so you can analyze the two packet captures.

The packet capture files can be downloaded from the following locations:

  • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/dns-tunneling.pcap
  • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/beaconing.pcap

After you analyze the packet captures, you'll need to create a firewall rule for each of them. The firewall uses the following format:

access-list BLOCK deny [TCP/UDP] [source IP/subnet mask] [destination IP/subnet mask] eq [port#]

Example:

access-list BLOCK deny TCP 192.168.44.3/32 74.53.1.89/32 eq 80

Your supervisor wants these firewall rules saved to a file named firewall-rules.txt on the desktop of the server. Nano is installed on the server and can be used to create this file. Remember, Linux is case-sensitive, so make sure to follow the case shown in the example.

Note: Because the desktop environment is XFCE, you will need to launch wireshark-gtk, not standard wireshark.

Connecting to the lab:

  1. Use VNC on your computer to connect to the public IP address of the instance on port 5901 (x.x.x.x:5901).
    • Log in with the username and password generated by the lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?