Note: Our instructions assume you have customized your Wireshark column display as previously described in “ Customizing Wireshark – Changing Your Column Display.”. Today, we will examine HTTPS activity from a Dridex malware infection. With this key log file, we can decrypt HTTPS activity in a pcap and review its contents. Decryption is possible with a text-based log containing encryption key data captured when the pcap was originally recorded. This Wireshark tutorial describes how to decrypt HTTPS traffic from a pcap in Wireshark. When reviewing pcaps from malware activity, it’s very helpful to know what’s contained within post-infection traffic. But like most websites, various types of malware also use HTTPS. Why? Because most websites use the Hypertext Transfer Protocol Secure (HTTPS) protocol. When reviewing suspicious network activity, we often run across encrypted traffic. The instructions assume you are familiar with Wireshark, and it focuses on Wireshark version 3.x. The graph, as shown in Figure 6, depicts the result of the HTTP responses (delta time).This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps) of the traffic. Step 7: In order to display only the HTTP response, add a filter http.time >=0.0500 in the display filter. Step 6: To calculate the delta (delay) time between request and response, use Time Reference ( CTRL-T in the GUI) for easy delta time calculation. > I/O graph Figure 6: Visualisation of HTTP responses Syntax: http.time >= 0.050000 Figure 5: Statistics. Step 5: Create a filter based on the response time as shown in Figure 4, and visualise the HTTP responses using an I/O graph as shown in Figure 5. Procedure: Right-click on any HTTP response packet -> Protocol preference -> uncheck ‘Reassemble HTTP headers spanning multiple TCP segments’ and ‘Reassemble HTTP bodies spanning multiple TCP segments’.If ‘Allow sub-dissector to reassemble TCP streams’ is on and the HTTP reassembly preferences have been left at their defaults (on), http.time will be the time between the GET request and the last packet of the response.If the TCP preference ‘Allow sub-dissector to reassemble TCP streams’ is off, the http.time will be the time between the GET request and the first packet of the response, the one containing ‘OK’.Go to Protocol preference and then uncheck the sub-dissector to reassemble TCP streams (marked and shown in Figure 3). Step 4: In order to view the response of HTTP, right-click on any response packet (HTTP/1.1). Syntax: ip.addr= 91.198.174.192 & ip.addr = 192.168.155.59 Figure 3: Allow sub-dissector to reassemble TCP streams Figure 4: Response time Start filtering the IP of (a simple traceroute or pathping can reveal the IP address of any Web server) and your local PC IP (a simple ipconfig for Windows and ifconfig for Linux can reveal your local PC IP). Step 3: We now filter the requests and response sent from the local PC to Wikipedia and vice versa. Now filter all the HTTP packets as shown in Figure 2, as follows: syntax: http ‘200 OK’ implies that the response contains a payload, which represents the status of the requested resource (the request is successful). Step 2: Here, we make a request to and, as a result, Wikipedia sends an HTTP response of ‘200 OK’, which indicates the requested action was successful. Figure 1: Interface selection Figure 2: Filtering HTTP
0 Comments
Leave a Reply. |