Author Archives: HatsOffSecurity

Decrypting Traffic in Wireshark

If you have a HTTPS session captured and are looking at unlocking the secrets that lie within, you are probably looking at Wireshark with eternal optimism hoping that somehow the magical blue fin will answer all of problems…. Sadly that’s … Continue reading

Posted in Cryptography, Encrypted Traffic, Network Analytics, Network Forensics | Tagged , , , , , , , | Leave a comment

Identifying Sites in Encrypted Traffic

There is some mis-information around; that encrypted traffic is useless, and you should go back to netflow and statistical analysis only. I disagree. I will be doing a few posts showing clear-text information leakage we can use to our advantage. … Continue reading

Posted in Encrypted Traffic, Network Analytics, Network Forensics | Tagged , , , , , , , | Leave a comment

SMB2 Protocol Negotiation

This is one of the few times when looking at SMBv2 you will need to use SMBv1 commands. The initial negotiation request will always be sent out as SMBv1. It makes sense when you think about it, SMB does not … Continue reading

Posted in Network Analytics, SMB | Tagged , , , | Leave a comment

SMB2 – File/Directory Metadata

Using SMB it is possible to retrieve data that is typically only expected when carrying out host based forensics.  The MACB (Modification, Access, Change and Birth) data is sent across regardless of if a file is accessed or not. With … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , | 1 Comment

SMB Tree Connect/Response Details

If you want to play along at home, the sample PCAP I will be using for SMB2+ is here, the SMB v1 PCAP is not something I can give away sadly. Tree Connect Request/Response When the SMB protocol connects to … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , | Leave a comment

SMBv2+ SYNC Header Explained

SMB2 Header The SMB2 Header will either be ASYNC or SYNC, you need to look this up from the flags. SYNC is the most common header as this can be in the form of a request or a response, where … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , , | Leave a comment

SMB Quick Introduction

SMB There are currently 3 major versions of SMB version 3 is quite new (2012) and has been implemented on the latest versions of Windows (8, 2012), Samba 4.1+ and macOS 10.10 Yosemite. I say ‘quite new’ as it takes … Continue reading

Posted in Network Analytics, Network Forensics, SMB | Tagged , , , | Leave a comment

Unique Usernames!

I recently created a cloud based virtual machine, the purpose of this will be for an HTTP honeypot, but I thought first off I would leave it for a few days to see what happened. This VM has only port … Continue reading

Posted in Attack, Brute force, Network Analytics, Network Forensics, Protocol, SSH | Tagged , , | Leave a comment

Ringzer0team – Forensics Challenge 35 – Poor internet connection

This writeup is to explain how to get the answer (flag) to the Forensic Challenge named “Poor Internet Connection” I will not be posting the flag here as I am giving you all of the instructions to get it yourself! … Continue reading

Posted in Competitions, Cyber, Network Analytics, Network Forensics, PCAP Analysis | Tagged , , , , , , | 1 Comment

TTLs and where to find them

Recently I have been conducted a lot of interviews for SOC Analysts; one of the questions I ask is as follows: You are reviewing your DNS logs and find an answer to a DNS query which shows rabbitcoldhotel.evil.com on <AnyExternalIP> … Continue reading

Posted in Network Analytics, Network Forensics, Uncategorized | Tagged , , , , | 2 Comments