Analyzing PCAP with Zeek – HTB Sherlocks – KnockKnock

00:00 – Going over the Scenario
01:30 – Talking about why I’m using Zeek and running it in a docker
05:20 – Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 – Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 – Looking for a single IP that sent multiple SSH Banners
13:20 – Creating an alias for zeek-grep (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs while keeping the # header lines that zeek-cut needs
17:00 – Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 – Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 – Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 – Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 – Looking at how many connections each IP made and discovering our attacker's port scan; using date -d @epoch to convert the epoch timestamps to human-readable time
42:30 – Editing our Zeek config to also extract files from the PCAP, then looking at the ransomware download
53:15 – Looking at the files downloaded over FTP
1:07:00 – Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 – Finding when the port knock happened
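As an added example (not IppSec's code and not from the Sherlock itself), the shell below reproduces the log-wrangling steps from the video on a small, constructed conn.log in Zeek's TSV format: the zeek-grep alias that keeps the # header lines, a tiny awk stand-in for zeek-cut that selects columns by name from the #fields header, a count of connections and distinct destination ports per source IP (the quickest way to spot a scanner), and date -d @epoch for the timestamps. The IPs, uids and timestamps are made up; the real zeek-cut binary does much more than the stand-in here.

```shell
#!/bin/sh
# Constructed sample conn.log (Zeek TSV). Only a subset of the real columns is
# kept; 203.0.113.7 is the hypothetical scanner, hitting four ports on 10.10.10.5.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n'
    fmt='%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n'
    printf "$fmt" 1700000000.100000 CAaaa1 203.0.113.7   51000 10.10.10.5 21  tcp S0
    printf "$fmt" 1700000000.200000 CAaaa2 203.0.113.7   51001 10.10.10.5 22  tcp S0
    printf "$fmt" 1700000000.300000 CAaaa3 203.0.113.7   51002 10.10.10.5 80  tcp S0
    printf "$fmt" 1700000000.400000 CAaaa4 203.0.113.7   51003 10.10.10.5 443 tcp S0
    printf "$fmt" 1700000005.000000 CBbbb1 198.51.100.20 40000 10.10.10.5 80  tcp SF
    printf "$fmt" 1700000009.000000 CBbbb2 198.51.100.20 40001 10.10.10.5 80  tcp SF
    printf "$fmt" 1700000012.000000 CCccc1 10.10.10.5    53000 10.10.10.9 53  udp SF
}

# The alias from the video as a function: grep for a pattern but also keep
# every "#" header line, so the output still pipes cleanly into zeek-cut.
zeek_grep() {
    grep -e '^#' -e "$1"
}

# Minimal zeek-cut stand-in: read the #fields header to map column names to
# positions, then print the requested columns (tab separated) for data rows.
zeek_cut() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, cols, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/ { next }
        {
            line = ""
            for (i = 1; i <= n; i++)
                line = line (i > 1 ? "\t" : "") $(idx[cols[i]])
            print line
        }'
}

# Connections per source IP, busiest first, as "ip count".
conns_per_ip() {
    zeek_cut id.orig_h | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Source IPs that touched at least $1 distinct destination ports, as
# "ip distinct_ports". Many ports with few bytes is the classic scan shape.
scanner_candidates() {
    zeek_cut id.orig_h id.resp_p | sort -u | cut -f1 | sort | uniq -c |
        awk -v min="$1" '$1 >= min { print $2, $1 }'
}

# Zeek ts is epoch seconds with a fractional part; strip the fraction and let
# GNU date render it in UTC (the -d @epoch trick from the video).
epoch_to_human() {
    date -u -d "@${1%.*}" '+%Y-%m-%d %H:%M:%S'
}

top_talker() {
    sample_conn_log | conns_per_ip | head -n 1
}

first_scanner() {
    sample_conn_log | scanner_candidates 3 | head -n 1
}

# Stand-alone usage: who is noisiest, who scanned, and when the scan started.
top_talker
first_scanner
sample_conn_log | zeek_grep 203.0.113.7 | zeek_cut ts id.resp_p | head -n 1 |
    while IFS="$(printf '\t')" read -r ts port; do
        echo "first probe: $(epoch_to_human "$ts") UTC -> port $port"
    done
```

Once zeek is available, the same pipeline works on the real logs by replacing sample_conn_log with cat conn.log and the awk stand-in with the real zeek-cut.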
