
Using Wireshark to Identify Malicious Network Activity

Hands-On Lab

 


Length: 00:30:00

Difficulty: Beginner

In this lab, we will learn how to use Wireshark to identify malicious network traffic. We will download two packet captures and analyze them, checking for signs of beaconing and exfiltration via DNS tunneling.



Introduction

In this lab, we will learn how to use Wireshark to identify malicious network traffic. We will download two packet captures and analyze them, checking for signs of beaconing and DNS tunneling.

To accomplish this, we will complete the following tasks:

  • Install Wireshark
  • Download and analyze two packet captures
  • Configure two firewall rules to block malicious traffic

The packet capture files can be found here and here.

Setting Up the Environment

We will connect to our lab server using VNC. The IP address and login credentials are provided on the lab instructions page.

VNC connections will be different for each operating system.

For Mac users:

  1. Open Finder.
  2. Press Command + K on your keyboard to bring up the Connect to Server window.
    • Alternatively, expand Go in the menu at the top of the screen and click Connect to Server.
  3. In the Connect to Server window, connect to vnc://<IP_ADDRESS>:5901, making sure to replace <IP_ADDRESS> with the IP address you were provided on the lab instructions page.

Install Wireshark

  1. Open your terminal application.
  2. Run an update.
       sudo apt-get update
  3. Enter your password at the prompt.
  4. Install Wireshark.
       sudo apt-get install -y wireshark
  5. When asked if you would like to allow non-superusers to capture packets, click Yes.
  6. From your desktop, launch Wireshark (GTK+) (not standard Wireshark).

Download the Packet Captures

  1. Open your internet browser.
  2. Enter this URL in your browser address bar.
  3. On the GitHub page, click Download.
  4. Save the file to your Downloads directory.
  5. Repeat steps 2 through 4 with this URL.

Analyze the Packet Captures and Create the Firewall Rules

DNS Tunneling

  1. Go back to Wireshark.
  2. Click File > Open > Downloads, and select dns-tunneling.pcap.
  3. Click Open.
  4. Note the evidence of DNS tunneling in the file.
  5. In your terminal application, change to the Desktop directory.
       cd Desktop
  6. Create a file called firewall-rules.txt on your Desktop by opening it in nano.
       nano firewall-rules.txt
  7. Add a firewall rule to block the DNS tunneling traffic.
       access-list BLOCK deny UDP 10.0.2.30/32 10.0.2.20/32 eq 53

Beaconing

  1. Go back to Wireshark.
  2. Click File > Open > Downloads, and select beaconing.pcap.
  3. Click Open.
  4. Click Statistics > Conversations > TCP.
  5. Click Packets to sort by the number of packets.
  6. Highlight the first address entry, and right-click.
  7. Select Apply as Filter > Selected > A<->B.
  8. Close the Conversations window.
  9. Click Time to sort by time, and note the evidence of beaconing in the file.
  10. Switch to your terminal window.
  11. Add a firewall rule to block the beaconing traffic.
       access-list BLOCK deny TCP 192.168.122.212/32 188.120.247.14/32 eq 80
  12. Press Ctrl + X to exit nano.
  13. When asked whether you would like to save the file, press Y, then Enter.
  14. The file firewall-rules.txt should now be saved to your Desktop.
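The two things the lab has you spot by eye in Wireshark, near-constant connection intervals for beaconing and a flood of unique, random-looking subdomains for DNS tunneling, can also be scripted. The following is an added example written for this page and not part of the lab: it runs over constructed flow records (the hosts are the lab's addresses, but the timings and query names are made up), uses assumed thresholds, and renders any hits in the access-list format of firewall-rules.txt.

```python
import math, statistics
from collections import defaultdict

# Constructed records, not parsed from the lab's pcaps: (time_s, src, dst, kind, detail),
# where detail is the DNS query name for "dns" and the destination port for "tcp".
RECORDS = (
    # Beacon-like: the same host and port roughly every 60 seconds, with slight jitter.
    [(60 * i + j, "192.168.122.212", "188.120.247.14", "tcp", 80)
     for i, j in enumerate([0, 1, 0, 2, 1, 0])]
    # Ordinary browsing: irregular gaps to another host.
    + [(t, "192.168.122.212", "93.184.216.34", "tcp", 443) for t in (5, 9, 130, 131, 400)]
    # Tunnel-like: many unique, long, random-looking labels under one zone.
    + [(i, "10.0.2.30", "10.0.2.20", "dns", "".join(
        "abcdefghijklmnopqrstuvwxyz234567"[(7 * i + 11 * k) % 32] for k in range(40)) + ".example.net")
       for i in range(8)]
    # Ordinary lookups: one short name asked repeatedly.
    + [(i, "10.0.2.30", "10.0.2.20", "dns", "www.example.com") for i in range(4)]
)

def find_beacons(records, min_conns=5, max_cv=0.05):
    """Flag TCP flows whose connection gaps are nearly constant (stdev/mean <= max_cv)."""
    times = defaultdict(list)
    for t, src, dst, kind, port in records:
        if kind == "tcp":
            times[(src, dst, port)].append(t)
    hits = {}
    for flow, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps) if len(ts) >= min_conns else 0  # 0: too few connections
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[flow] = round(mean, 1)  # (src, dst, port) -> mean gap in seconds
    return hits

def entropy(s):  # Shannon entropy in bits per character
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_dns_tunnels(records, min_unique=5, min_len=30, min_entropy=3.0):
    """Flag (src, resolver, zone) triples carrying many unique, long, high-entropy subdomains."""
    subs = defaultdict(set)
    for t, src, dst, kind, name in records:
        if kind == "dns":
            labels = name.split(".")
            subs[(src, dst, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    return {key: len(s) for key, s in subs.items()
            if sum(len(x) >= min_len and entropy(x) >= min_entropy for x in s) >= min_unique}

def acl_lines(beacons, tunnels):  # hits in the access-list style of the lab's firewall-rules.txt
    return ([f"access-list BLOCK deny TCP {s}/32 {d}/32 eq {p}" for s, d, p in beacons]
            + [f"access-list BLOCK deny UDP {s}/32 {d}/32 eq 53" for s, d, _zone in tunnels])
```

On the constructed records, the irregular browsing flow and the repeated short lookups are not flagged, while the two flagged flows produce exactly the two rules the lab writes by hand.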

Conclusion

Congratulations, you've successfully completed this hands-on lab!