
Full Packet Capture for the Masses

BSides Athens · 2018 · 21:35 · Published 2018-08

Category: Technical
Team: Blue
Style: Talk

About this talk
Security BSides Athens 2018 (Sat, 23 Jun 2018). Full Packet Capture for the Masses - Xavier Mertens.

Abstract: When you are facing a security incident, your investigations will depend on the data that you can analyze. If logs are often the first source of evidence, sometimes it could be interesting to have access to a full packet capture to "dive deeper" into the traffic generated from/to the compromised network or host. Full packet capture (FPC) is like your insurance: you implement it and you never know if you'll have to use it... until something weird happens! In my presentation, I'll present a simple way to implement FPC for small organizations, based on open source solutions (Moloch, Docker), and how to interconnect them. This talk is an extension of my SANS ISC diary (The easy way to analyze huge amounts of PCAP data) with more practical details.

Bio: Xavier Mertens is a freelance security consultant based in Belgium. His daily job focuses on protecting his customers' assets by applying "offensive" (pentesting) as well as "defensive" security (incident handling, forensics, log management, SIEM, security visualisation, OSINT). Besides his daily job, Xavier is also a security blogger (https://blog.rootshell.be), a SANS ISC handler (https://isc.sans.org) and co-organizer of the BruCON (http://www.brucon.org) security conference.

Transcript [en]

First, thank you for the slot, because on the schedule the first two presentations were offensive and web offensive talks: how to break a laptop, how to do some red team operations and so on. But in my current job I'm working on the blue team side, so I like to track bad guys, to find them and to investigate incidents. That's also a perfect transition for the rest of the day, I think. So let's speak about full packet capture for the masses. This presentation normally runs in a one-hour time slot, so I only have 30 minutes, so it means that I will speed up and we'll skip some slides. Anyway, I will be

available all day, so feel free to come to chat with me, to take pictures, to take some drinks, I'm open to everybody.

Okay, so as said, I'm back again, and I like Greece, I like the food, I like the atmosphere, I like Athens. Tomorrow I will drive to Kalamata because we have friends there; we spent a wonderful week in Greece. Oh, I like it, thank you for having me again at the conference. But now let's talk about the issue that we have today. I'm pretty sure that everybody, in your network, you have the same issue with what's going on on your wire: you have plenty of computers, servers, you have maybe multiple sites, or you are monitoring multiple customers in your day-to-day job, so it's really important to have a good overview of what's going on

all the time. So what can we do to better see the bad guys and to detect them? I will just start from one issue that's a perfect example. I'm a SANS Internet Storm Center handler, so it means that I'm on duty from time to time. Who knows the Internet Storm Center? Yeah, plenty of people, nice. So I write, probably every time you heard "Xavier" in the diary or in the podcast and so on, it's me, I'm writing a lot for the ISC. And this is a real case that we had to investigate a few days ago. A guy contacted us and said: okay, my WordPress website was compromised,

so nothing really malicious, because the WordPress was just used to send spam to the visitors instead of the normal website. But the guy would like to know: okay, my WordPress was fully patched, as usual I'm taking care of my web server, but I don't know how the attackers came in and I would like to know why. First question: do you have logs? Yes, logs, and the guy sent me the Apache logs, and you saw plenty of POST requests to xmlrpc.php, which is the classic way to exploit a WordPress instance. But by default, when you have an Apache server, when you get POST HTTP requests it will be logged, but you will

never see all the parameters sent in the POST requests by default. If you have a full packet capture you will see everything, you will be able to track better and to see: was it a brute-force attack, which was the account compromised, and stuff like this. So that's the perfect example. So to track network traffic we have two ways to do it: at layer 3 or at layer 7. On layer 3 it's quite simple, it has existed for years, basically everybody knows NetFlow, developed by Cisco more than 10 years ago, and basically on layer 3 you have a timestamp, source IP, source port, destination IP, destination port,

that's it. So, yeah, you have other fields like the total bytes, total packets and so on, so basically you know that there were some communications between the different hosts, but you don't know exactly what's in the packets. At layer 7, the application layer, we can have all the stuff plus all headers and payloads, so the full packet capture. Today we have this in next-generation firewalls, IDS systems: when they detect an anomaly they can start a packet capture for a few minutes, a few seconds, to try to catch the bad guy. So that's the main issue: do we have to go with layer 3 or layer 7? Because of

course both solutions have pros and cons. Based on flows, it's quite easy to set up: many big switches can deploy NetFlow, you can ask them to send the data to a server, it's really light on storage, so you can have gigabytes of flows stored and you can have a long history if you have enough disk space. But of course, as I said, you lack visibility. For packet capture, of course, we have nice tools, so you can extract artifacts, you can extract all the pictures for example, you can extract binaries, you can extract usernames and so on, you can replay, you have tools to just replay the TCP packets. With full packet capture you

really see on your screen what happened, and of course if you are doing forensics you have nice evidence. But it costs you a lot in terms of disk storage, of course, because all the traffic is stored on your disk; privacy, because in the payloads you always have interesting stuff, logins, passwords, stuff like this; performance; and you need more sensors, because you need to deploy sensors, applications which will listen at critical points on the network to collect traffic. Regarding the privacy: this is not a brand new talk, I presented this talk for the first time in January. In January everybody was preparing GDPR. I presume that everybody in this room is

aware of GDPR, but it was not in place; today it is. Full packet capture means that you get plenty of data on your disk, so it's your responsibility to take care of GDPR, it's not mine, just be warned. Okay, next step. For packet capture basically you don't need a lot of tools, you don't need a lot of software to do this, just the basic tcpdump command present in every modern Linux distribution can do this. This is a quite complex command, but if you execute this on your server you will get full packet capture. What does it mean? You will just listen to an interface, you will sniff with a packet length of zero, it

means you will get the full packet length all the time, and the most interesting parameters are -C, -G and -W, which will in fact create some files, some pcap files, based on the timestamp, in a specific directory, with the rotation. Refer to the man page to see what it means, but we will create specific files every hour, we will keep 24 hours or two days of history, and if the file is more than five hundred megs, maybe, we will switch it, and of course we drop some non-interesting ports. If you run this on your server you will get two days of full packet capture. Basically if you operate a small

web server, you run a VPS today to deploy your WordPress, your Drupal, your CMS, you can run this and you will get two days of full packet capture. But the issue is, today most people work in this kind of cloud: you have virtualized systems, local servers, you have cloud solutions, maybe you exchange data with partners, with colocation servers and so on. So it's a mess, it's quite difficult to run these commands on every system, and then when we need to investigate you have to jump on all the servers to collect, correlate the data; it's impossible to do. So the solution is to centralize everything in one place, to optimize the retention, but we have some

requirements. So these were my requirements, but basically it's the same for most of you. It must be free, because I don't have a lot of money, like everybody, so if I can use free software... By the way, I replaced "free" by "open", because free software is really free, you can use it for free, but it always has a cost to deploy, to maintain it and so on. It must be easy to deploy on different OSes, because we have different flavors of Linux, you can have macOS, Windows systems, whatever, so it must be compatible with many operating systems, and it must be deployable on systems which are not directly connected to the same location, like on the LAN.

If all the systems are on the LAN it's quite easy to set up something, but if you have systems split across multiple locations it may become an issue very quickly. So the first tool that I'm using to do this is Moloch. Who is aware of Moloch? One, two, not a lot of people. Moloch is a very, very nice tool, so I will not do a full description of Moloch, but in my opinion that's the best full packet capture tool, because in one web interface you can search for packets. It's like a Google for packets; in fact you can apply filters, it's a mix of Google and tcpdump in a web interface, but you can also

extract files, you can extract flows, you can extract pictures, you can reconstruct all the flows, and it's very powerful and, most important, scalable. What are the different components of Moloch? The first one is the capture, which will sniff the packets. It can sniff online or offline; for example, I'm using Moloch to do investigations: if a customer sends you a pcap file you can just inject it offline in Moloch and you can review it and make your investigation. Of course you use a database based on Elasticsearch, and it has a viewer, which is the web GUI, and this is a nice screenshot of

Moloch. So it's like a mix of Splunk and tcpdump: you have your history, you can see from where the packets are coming because it is doing geolocalization automatically based on the IP addresses, and you have all the flows with the distribution of packets per side, and if you click and expand the flow, if there are some pictures or some interesting DNS stuff, so everything related to layer 7, you will be able to process them. So the solution basically will be based on Docker. I'm a very big fan of Docker, yeah. Docker, basically I use it because you can run it on almost any operating system, so it's quite easy, the support is not so bad. I had

some nightmare stories with Docker, because from time to time it's crashing, you have to restart everything, but usually you can run it, it's quite stable. Second warning about Docker, a misconception: a lot of people think that Docker is virtualization. It's not the same; from a security point of view Docker is a mess. So it does not mean that if you run an application in a Docker container it will be fully segmented and it won't be able to access the host operating system and so on. So I'm using Docker only as a way to quickly deploy, which is the primary goal of Docker. Basically Docker is a tool for developers, it's not a tool for security analysts, security

people. The goal of Docker is, for example, to run multiple versions of the same tool on development systems just to test, debug and so on. It's not a security tool. So later I will show you that the configuration is made in a way that it's not very secure, but I have to do it. So when you have an idea, okay, I will do full packet capture, I need some tool, the first thing that you do is, really, you Google for it, because probably somewhere in the world another guy had the same issue and already wrote something. That's what I did, and I don't know about you, but a few years ago

a guy, Bobby Shaw Espinoza Gomez, wrote a GIAC paper about this, so it's exactly what I'm looking for: a full packet capture centralized system with multiple sensors. Oh, perfect. So I read the paper, I reused it, and the first approach of the guy is very nice, it's fully automated using a deployment tool... well, I'm not a developer. But for me the biggest issue was the multiple nodes of Moloch, because the guy deployed Moloch on every sensor, because Moloch can also be used in a distributed way, but you had multiple instances of Moloch and Moloch is quite resource intensive, so for me it was not the most... it

was not really interesting. And also Elasticsearch must be reachable from the sensors. Probably you know that putting Elasticsearch online, facing the Internet, is a very bad idea, so it means that to deploy this solution you need to run it on top of a VPN or an MPLS cloud, stuff like this, so it was quite annoying for me. So I decided, okay, my approach and the goal is to deploy Docker containers as sensors with a very limited set of tools and to just send pcap files to a central Moloch at regular intervals, quite easy. So the infrastructure is very simple: you have the red cloud, it can be the Internet, can be MPLS, can be whatever you want, it can be

trusted or not, as you want. You deploy multiple sensors, they send to Moloch, and I have a single instance of Moloch and my sensor is really, really small. The goal was to have a very small footprint, to not interact with other applications running on different hosts. And the analyst, so the handler, that's me, I'm just connecting to my Moloch using a remote access and so on, and I'm querying Moloch. So there are some good containers, because if you run containers to deploy the sensors you can also run containers to deploy Moloch, but again you are searching for an existing one and you find it, nice, but you can improve it, so

what I did is to have some persistence, because of course if I need to restart my container I need to get my pcaps back, and also an automatic indexing of all the pcaps, no live mode. This is the command to run the Moloch capture in the Docker container; I'm speeding up, sorry, because I don't have a lot of time. This is the configuration from the docker-compose to start the Moloch server. Slides will be online so you will be able to look at it, and everything is available on GitHub. Then you start your Moloch server just by docker-compose and you can access it on port 8005, which is

the default one. The sensor in fact has two components: tcpdump, and sending the files using SCP. So to deploy a sensor is quite easy because everything is in Docker: you go to your host, you do a git clone, cd sensor, you build the Docker, you configure it, because of course you need to specify some minimum configuration like which kind of interface you would like to sniff, capture size, how many files you would like to keep. This one is quite interesting, to remove non-interesting traffic. Of course the sensor name, the target, so it means in fact the Moloch server, so the pcap files will be sent to this server. You can of course provide

some arguments, for example I'm running on a high port, not on the default 22. And, that's bad, but I will not check the SSH keys all the time. And when you boot the sensor for the first time you get of course a generated SSH key, and the only manual action to do today is just this SSH key: you have to copy it and install it on the Moloch server to automate the configuration and the reception of the pcap files. Big warning: so I said that Docker is not a security tool. To let Docker access the physical interface, to be able to sniff packets, you need to

specify --net=host, so it means that you break all the segmentation between Docker and the OS, and the container will have access to the OS. So big warning about this, but if somebody has an idea... I didn't find an alternative today. So, tips: use BPF filters to reduce the noise. If you know that you are using RDP, SSH to maintain your network and it's a trusted protocol, skip it, so you will not increase the size of the pcaps. And a very interesting feature, you can also use dontSaveBPFs for some ports, but you can also say for specific connections like SSL, HTTPS. By

default today plenty of websites are running over HTTPS, so you will collect gigabytes of HTTPS traffic, but if you don't have the key you will not be able to decrypt it. So using this specific syntax, port 443:10, it means that you will only log the ten first packets of the flow, so you will log the flow, you will have a full packet capture but only for the ten first packets, which is nice, and you will not fill your disk with unreadable data. I found this one, it's a warning in fact: when capturing, you can sniff on a specific interface, eth0, eth1, whatever you want, but if you don't

specify an interface it will run by default on any interface, but the pcap file will be different. If you do "any" you have a Linux cooked pcap file; if you specify an interface you will have an Ethernet capture. The format is not the same and Moloch will not be able to handle this one. So my solution: no footprint on the sensor, because it's Docker, so you just drop the Docker and you don't have any component remaining on the node, you don't have remaining libraries, binaries, stuff like this. If it runs on Docker you can run it on any system. I'm

using SSH to transfer the pcap files. It's quite easy to tune because using environment variables you can specify the interface, the size of your pcaps and so on. The big issue: you don't have real-time processing, so it means that on my infrastructure I'm pushing the pcap files every 30 minutes, I think, so it means that if I need to investigate something I will need to wait 30 minutes to get the last packets. It's not real time, but for me it's completely acceptable. Small risk of broken flows, and also, as Moloch will index local files, all the packets will be tagged as coming from the same node, so we will not be able to search for

packets coming from sensor one or two; you need to search on the IP address of the node. If you want to test, everything is online. I think I should release some files soon, because there are some optimizations that I have in my mind, I just need to find time to implement them, but it's life, and it's my last slide. Thank you very much.

[Applause]
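One caveat from the talk is easy to catch on the sensor before a pcap is shipped: a capture on "any" yields a Linux cooked file that Moloch cannot handle, and a capture without -s 0 truncates packets. The following Python check of the libpcap global header is an added example, not the talk's or the sensor project's code; it assumes classic pcap files (not pcapng) and constructs its own sample headers.

```python
import struct

# libpcap global-header magic values (first four bytes of the file)
MAGIC_USEC_BE = 0xA1B2C3D4   # microsecond timestamps, written big-endian
MAGIC_USEC_LE = 0xD4C3B2A1   # same, written little-endian (x86 writers)
MAGIC_NSEC_BE = 0xA1B23C4D   # nanosecond timestamps
MAGIC_NSEC_LE = 0x4D3CB2A1
PCAPNG_MAGIC = 0x0A0D0D0A    # pcapng section header, not a classic pcap

LINKTYPE_ETHERNET = 1        # what tcpdump -i eth0 writes (EN10MB)
LINKTYPE_LINUX_SLL = 113     # what tcpdump -i any writes ("Linux cooked")
HEADER_LEN = 24


def parse_pcap_header(data: bytes) -> dict:
    """Decode the 24-byte libpcap global header, detecting the byte order."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic pcap")
    if magic in (MAGIC_USEC_BE, MAGIC_NSEC_BE):
        order = ">"
    elif magic in (MAGIC_USEC_LE, MAGIC_NSEC_LE):
        order = "<"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    # layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
    fields = struct.unpack(order + "IHHiIII", data[:HEADER_LEN])
    return {
        "byte_order": "big" if order == ">" else "little",
        "version": (fields[1], fields[2]),
        "snaplen": fields[5],
        "linktype": fields[6],
    }


def check_for_moloch(data: bytes, min_snaplen: int = 65535) -> list:
    """Return the problems that make this pcap a poor Moloch input (empty = OK)."""
    hdr = parse_pcap_header(data)
    problems = []
    if hdr["linktype"] == LINKTYPE_LINUX_SLL:
        problems.append("captured on 'any': Linux cooked frames, sniff a real interface")
    elif hdr["linktype"] != LINKTYPE_ETHERNET:
        problems.append(f"unexpected link type {hdr['linktype']}")
    if hdr["snaplen"] < min_snaplen:
        problems.append(f"snaplen {hdr['snaplen']} truncates packets, capture with -s 0")
    return problems


def make_header(linktype: int, snaplen: int = 262144, little_endian: bool = True) -> bytes:
    """Constructed sample header, as a libpcap writer would emit it (for testing)."""
    order = "<" if little_endian else ">"
    return struct.pack(order + "IHHiIII", MAGIC_USEC_BE, 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    # Constructed inputs: a good eth0 capture, and an 'any' capture with a short snaplen.
    print(check_for_moloch(make_header(LINKTYPE_ETHERNET)))              # []
    print(check_for_moloch(make_header(LINKTYPE_LINUX_SLL, snaplen=96)))  # two problems
```

On a real sensor, read the first 24 bytes of each rotated file and refuse to SCP it when the list is non-empty.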