PCAP Analysis using Zeek
You've been handed a really large network capture and want to figure out whether there's anything malicious in it, but there is too much data to go through manually. How can you easily tell whether something evil has happened or whether the traffic is completely normal? There are a variety of awesome free tools for this, and one of them is Zeek.
I will be looking at the Zeek Network Security Monitor, an awesome open source network security monitoring tool.
We can download packages for the latest feature release build from Zeek's package repository (the openSUSE Build Service repository used in the commands below). I will choose Ubuntu since I'm doing this in a REMnux VM. After you choose your OS, select "Add repository and install manually".
Since REMnux is currently based on Ubuntu 20.04, I will run the following commands:
```
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek
```
Once this is done, Zeek is installed under `/opt/zeek/bin/`:
```
remnux@remnux:/opt/zeek/bin$ ls
adtrace bro-config btest-ask-update btest-diff btest-rst-include gen-zam rst spicy-driver trace-summary zeek-config zkg
bifcl broctl btest-bg-run btest-diff-rst btest-rst-pipe hiltic spicy-build spicy-dump zeek zeekctl
binpac bro-cut btest-bg-run-helper btest-progress btest-setsid hilti-config spicyc spicy-precompile-headers zeek-archiver zeek-cut
bro btest btest-bg-wait btest-rst-cmd capstats paraglob-test spicy-config spicyz zeek-client zeek-wrapper
```
In this demo, I will be using `zeek` and `zeek-cut`.
For this, we'll need a `.pcap` file; it can be any `.pcap` you wish to analyze. I will be using an example from Malware-Traffic-Analysis: a network capture from a Lokibot infection that was delivered through an Excel spreadsheet.
I'll create a clean, empty folder to work in:
```
remnux@remnux:~/Downloads$ cd /tmp/
remnux@remnux:/tmp$ mkdir zeek
remnux@remnux:/tmp$ cd zeek/
remnux@remnux:/tmp/zeek$ ls
remnux@remnux:/tmp/zeek$
```
First, we point zeek at the .pcap and let it run:
```
remnux@remnux:/tmp/zeek$ /opt/zeek/bin/zeek -r ~/Downloads/2020-10-12-Lokibot-infection-traffic.pcap
remnux@remnux:/tmp/zeek$ ls
conn.log dns.log files.log http.log packet_filter.log pe.log ssl.log x509.log
```
Zeek generates a number of log files, each named for what it records:
- `conn.log`: source and destination IPs, ports and protocols of every connection
- `dns.log`: every DNS request
- `files.log`: list of files seen
- `http.log`: every HTTP transaction
- `pe.log`: portable executables
- `ssl.log`: TLS/SSL connections
- `x509.log`: X.509 certificates from TLS/SSL connections
As we can see, Zeek acts kind of like a prism: you put a `.pcap` file in and a bunch of `.log` files come out.
First, let's look at conn.log as follows:
```title="conn.log"
remnux@remnux:/tmp/zeek$ less -S conn.log
```
Looking at the output of that command, we have a bunch of columns. The header lines and the data rows are spaced a little differently, so not every column lines up perfectly under its name. We can ignore the `#types` line; we are only interested in the `#fields` line, which names the columns.
The abbreviations in the `#fields` line mean the following:
- `ts`: timestamp
- `uid`: a unique identifier for the connection
- `id.orig_h`: source (originator) IP address
- `id.orig_p`: source port
- `id.resp_h`: destination (responder) IP address
- `id.resp_p`: destination port
- `proto`: protocol used
```title="dns.log"
remnux@remnux:/tmp/zeek$ less -S dns.log
```
This shows us all the DNS requests that were made; notice that this log also carries the unique identifiers, which we can use to tie a request back to the other logs.
```title="http.log"
remnux@remnux:/tmp/zeek$ less -S http.log
```
As we can see here, the infected host was making a `POST` request to `104.223.143.132` for `/ecflix/Panel/five/fre.php`.
This gives us a great way to sort through the data in a `.pcap` file, whether it's large or small.
## Cutting out columns of interest
Let's say we want to know exactly which domain names someone was visiting within that `.pcap`. We can do this using `zeek-cut`:

This gives us a deduplicated list of all domains that were looked up.
If we want to see how many times each domain was looked up, we can do it as follows:

We see 1 request for `ctldl.windowsupdate.com`, 6 requests for `wpad.localdomain` and so on.
This is a quick way of cutting through the `.pcap` and getting hold of all the DNS requests.
## Looking at PE
Let's look at `pe.log`. The fact that there is a `pe.log` at all means that someone downloaded an executable. Since we know this was a malicious infection, it's pretty obvious that we are interested in that executable.
```title="pe.log"
remnux@remnux:/tmp/zeek$ less -S pe.log
```
We don't have a lot of information about the network connection here, but we do have fields we can correlate against the other log files, for example the `id` field, a unique identifier like the ones we've seen before.
We can correlate this against other log files as follows:
```
remnux@remnux:/tmp/zeek$ grep FkmfCx13mub2PIRUO7 *.log
```
From the grep output, `http.log` shows us where that executable download occurred:
- a request from `10.10.12.101`, source port `49979`
- to `45.14.112.133`, destination port `80`
- it was a `GET` request to `millsmiltinon[.]com`
- for `/long random string/Xehmigm.exe`
- with a Mozilla User-Agent
As we can see above, the same identifier shows up in our `pe.log` as well. We can do this with any identifier from `conn.log`.
That's Zeek in a nutshell.
It gives us all of these files for looking through massive amounts of data, either on the CLI or, what is much, much better, by shipping the files into a centralized collection source such as a SIEM. Through this we turn raw network packets into logs and metadata about the transactions that happened in those packets, then put those logs into a SIEM where we can search them and correlate them across all the other data we might have.