SANS Digital Forensics and Incident Response Blog: Tag - Wireshark

Deconstructing a Webserver Attack

by Michael Cloppert

I was looking for a good example to highlight two very useful and often overlooked features of Wireshark: the flexibility of tshark and the tool suite's HTTPS/SSL decryption capability. The following example covers both, and goes a bit further to describe one way of investigating an attack to assess the likelihood of compromise. While contrived, make no mistake about it, this is reflective of a real-world attack seen recently, later linked to sophisticated adversaries.

We are in the business of risk management. As such, our response to suspicious activity should be guided by the components that risk is the product of. While terminology may vary, the breakdown I use is:

  • Impact
  • Vulnerability
  • Threat

An understanding of risk components in the context of a computer security incident is often


Pulling binaries from pcaps

When I started writing this post, my intention was to show off some of the capabilities of NetworkMiner for recovering files from network packet captures. I have used NetworkMiner a few times to recover malware from pcaps. I like it because it automates the process. My plan was to contrast NetworkMiner's automated process against the more manual process of extracting files using Wireshark and a hex editor or the `foremost` command.

However, NetworkMiner failed to automatically extract all the files that were being downloaded in the pcap file I was using. This underscores the importance of testing your tools. I have successfully used NetworkMiner with other pcaps to extract all files, so you mileage may vary. If you've got a packet capture that you want to extract files from, my suggestion would be to try NetworkMiner, it will