Exercise 1 – a noob's keylogger
Consider a scenario where an attacker has planted a keylogger on one of the systems in the network. Your job as an investigator is to find the following pieces of information:
- Find the infected system
- Trace the data to the server
- Find the frequency of the data that is being sent
- Find what other information is carried besides the keystrokes
- Try to uncover the attacker
- Extract and reconstruct the files that have been sent to the attacker
Additionally, in this exercise, you need to assume that the packet capture (PCAP) file is not available and that you have to do the sniffing-out part as well. Let's say that you are connected to a mirror port on the network where you can see all the data traveling to and from the network.
We can begin our process as follows. We already know that we are connected via a mirror port. Let's sniff around on the interface of choice. If connected to the mirror port, choose the default interface and proceed with collecting packets, as shown in the following screenshot:
Most keyloggers work on the web (HTTP), FTP, and email for delivering the keystrokes back to the attacker. We will try all of these to check whether there's anything unusual with packets from these protocols.
Let's try HTTP first by setting the http filter, as shown in the following screenshot:
There is HTTP data, but everything seems fine.
Let's try a couple of protocols, SMTP and POP, to check for anything unusual with the email protocol, as shown in the following screenshot:
Everything seems fine here as well.
Let's try FTP as well, as shown in the following screenshot:
Well, we have plenty of activity on the FTP! We can see that the FTP packets contain the USER and PASS commands in the capture, which denotes login activity on the server. Of course, this can be either the keylogger or a legitimate login from any user on the network. Additionally, we can see a STOR command, which is used to store files on the FTP server. Since we know that STOR uploads data to the server, let's note down the credentials and the filenames of the uploaded files for our reference and investigate further.
Let's view these data packets by changing the filter to ftp-data, as shown in the following screenshot:
Let's see what we get when we follow the TCP stream of the packet. We can see that the following data is being posted to the server:
We can see that the data being transmitted contains the word Ardamax, which is the name of a common piece of keylogger software that records keystrokes from the system it has infected and sends them back to the attacker. Let's save the packet capture in PCAP format by selecting File | Save As and choosing the .pcap format. We will be using the .pcap format only, since the free version of NetworkMiner supports only PCAP files and not the pcapng format.
Let's open the saved file using NetworkMiner as shown in the following screenshot:
We can see we have a number of hosts present in the network capture.
Let's navigate to the Credentials tab, as shown in the following screenshot:
We can see that the username and password captured in the PCAP file are displayed under the Credentials tab in NetworkMiner. We previously saw, in the Wireshark dump, the STOR command, which is commonly used to upload files to an FTP server.
Let's browse to the Files tab and see the files that we are interested in:
We can see plenty of files. Let's open the files that we found using the STOR command in the browser, as shown in the following screenshot:
The attacker was not only keylogging, but was also fetching details such as the active window title along with the key logs. So, to sum this up, we have the following answers to the questions that we asked at the beginning of the exercise:
- Find the infected system: 192.168.76.131
- Trace the data to the server: 140.82.59.185
- Find the frequency of the data that is being sent: The difference between two consecutive STOR commands for a similar file type is 15 seconds
- Find what other information is carried alongside the keystrokes: Active window titles
- Try to uncover the attacker: Not yet found
- Extract and reconstruct the files sent to the attacker: Keys_2018-11-28_16-04-42.html
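To make the cadence check behind the third answer repeatable, here is an added Python example (not code from the book) that walks FTP control-channel requests in the form Wireshark's Info column lists them and flags a client that uploads the same kind of file at a fixed interval, which is the beacon-like pattern a keylogger leaves. The sample rows are constructed; only the two IP addresses and the Keys_*.html naming come from the exercise.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample of FTP control-channel requests as (time, src, dst, request).
# IPs and the Keys_*.html name come from the exercise; the account names and the
# second client (192.168.76.140) are made up to show a non-periodic upload.
SAMPLE = [
    ("2018-11-28 16:04:42", "192.168.76.131", "140.82.59.185", "USER example_user"),
    ("2018-11-28 16:04:42", "192.168.76.131", "140.82.59.185", "PASS example_pass"),
    ("2018-11-28 16:04:43", "192.168.76.131", "140.82.59.185", "STOR Keys_2018-11-28_16-04-42.html"),
    ("2018-11-28 16:04:58", "192.168.76.131", "140.82.59.185", "STOR Keys_2018-11-28_16-04-57.html"),
    ("2018-11-28 16:05:13", "192.168.76.131", "140.82.59.185", "STOR Keys_2018-11-28_16-05-12.html"),
    ("2018-11-28 16:05:28", "192.168.76.131", "140.82.59.185", "STOR Keys_2018-11-28_16-05-27.html"),
    ("2018-11-28 16:05:30", "192.168.76.140", "192.168.76.1", "STOR report.docx"),
]

def signature(filename):
    """Collapse digit runs so timestamped uploads share one 'file type'."""
    return re.sub(r"\d+", "#", filename)

def stor_intervals(rows):
    """Seconds between consecutive STOR commands, per (src, dst, file type)."""
    last, gaps = {}, defaultdict(list)
    for ts, src, dst, req in rows:
        cmd, _, arg = req.partition(" ")
        if cmd != "STOR":
            continue
        key = (src, dst, signature(arg))
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if key in last:
            gaps[key].append(int((t - last[key]).total_seconds()))
        last[key] = t
    return dict(gaps)

def periodic_uploads(rows, min_uploads=3, jitter=2):
    """Flag (src, dst, type) whose STOR gaps are regular: a beacon-like cadence."""
    hits = {}
    for key, gaps in stor_intervals(rows).items():
        if len(gaps) + 1 >= min_uploads and max(gaps) - min(gaps) <= jitter:
            hits[key] = round(sum(gaps) / len(gaps))
    return hits

if __name__ == "__main__":
    for (src, dst, kind), secs in periodic_uploads(SAMPLE).items():
        print(f"{src} -> {dst}: '{kind}' uploaded every ~{secs}s")
```

The same row shape can be produced from a real capture by exporting the ftp.request frames from Wireshark; the single report.docx upload is ignored because one STOR gives no interval.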
We have plenty of information regarding the hacker. At this point, we can provide the details we found in our analysis in the report, or we can go one step further and try to uncover the identity of the attacker. If you choose to do so, let's get started by finding out how to uncover this information.
We already found the credentials for the server. Let's try logging into the FTP server to find something of interest, as shown in the following screenshot:
We can see that we are easily able to log into the server. Let's use an FTP client, such as Royal TSX on Mac (FileZilla on Windows), to view the files that reside on the server, as shown in the following screenshot:
Wow! So much information has been logged; however, we can see two directories named John and Jo. The directory Jo is empty but we may have something in the directory named John.
Let's view the contents of John, as shown in the following screenshot:
It looks as though the attacker is applying for jobs and keeps their updated resume on their server. The case-study analysis proves that the person behind the keylogger is a newbie. By answering the last question regarding the identity of the attacker, we have successfully completed our first network forensic analysis exercise. The resume we found might also have been stolen from someone else. However, this is just the tip of the iceberg. This was an easy scenario; in the upcoming chapters, we will look at a variety of complex ones.
In the next example, we will look at TCP packets and try to figure out what events caused such network traffic.