Tuesday, October 29, 2013

Network Forensics with Tshark: Psexec intrusion

I love Tshark for network forensics; I think the command-line version of Wireshark can be really efficient, if used wisely, at detecting a large number of anomalies/attacks in our network. Let's look at the following case.

The internal server ( of a certain organization has been compromised several times. The fact that the server is not accessible from the outside led us to think that an internal user had also been compromised and that the attacker was "pivoting" from that machine to the server. Another possibility was that an infected USB drive had been the root of the problem. However, after checking that the firewall did not filter the traffic DMZ ---> Internal Network, we could confirm that this was the origin of the intrusion: the web server ( in the DMZ was compromised, and from there the attacker could access the internal LAN using the Administrator account. To do this the attacker used Mimikatz to obtain the credentials of that machine and then ran Psexec against the internal server with the Administrator account.

We realized this when we checked the traffic from the DMZ to the internal LAN as follows (note the use of the flags SYN=1 and ACK=0 to show only connections initiated from the DMZ):

bmerino@Mordor:~$ tshark -r pivo.pcap -T fields -e ip.src -R "ip.src == && ip.dst== && tcp.flags.syn==1 && tcp.flags.ack==0" | sort -u

According to this information, the machine (the web server) initiated some kind of connection with the internal server.

The following output shows an excerpt of the type of traffic generated between both machines:

bmerino@Mordor:~$ tshark -r pivo.pcap -o column.format:'"Info","%i","Protocol","%p"' -R "ip.src == && ip.dst==" | head -4
Tree Connect AndX Request, Path: \\\IPC$ SMB Redirect (Redirect for host) ICMP
[TCP Retransmission] Tree Connect AndX Request, Path: \\\IPC$ SMB
Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \PSEXESVC.EXE SMB

As the output shows, the web server initiated a NetBIOS/SMB connection with the internal server, which is highly suspicious. From there, the attacker ran Psexec to authenticate to the server machine. You can also see the plaintext password and the user account used to log in to the server (most likely Psexec was run with the -u option, which sends the password in clear text):

bmerino@Mordor:~$ tshark -r pivo.pcap -x "ip.src == && ip.dst==" | grep "A.D.M.l" -m 1 -A 1 | awk -F " " '{print $3}'
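The two checks above (SYN-only connections opened from the DMZ, and SMB traffic carrying administrative-share tree connects and the PSEXESVC service binary) are easy to do by eye on one pcap, but on a larger capture it helps to correlate them automatically. The script below is an added example, not the post's own tooling: it assumes the pcap was first dumped with `tshark -T fields` into tab-separated lines (the exact command is given in the docstring), and the zone ranges and sample lines it carries are constructed stand-ins, not the addresses from the incident. It flags a DMZ host as a likely PsExec pivot only when it both opens connections into the LAN and shows admin-share or PSEXESVC activity towards the same internal host.

```python
"""Correlate tshark field output to spot DMZ -> LAN PsExec pivoting.

Added example (not the post's own script). It assumes the pcap was dumped
with a command of this shape, one tab-separated line per packet:

  tshark -r pivo.pcap -T fields -E separator=/t \
      -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack \
      -e smb.path -e smb.file

The zones and the sample lines below are constructed; the post's real
addresses are not reproduced.
"""
import ipaddress
from collections import defaultdict

DMZ = ipaddress.ip_network("10.10.0.0/24")         # constructed zone
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # constructed zone

FIELDS = ("src", "dst", "dport", "syn", "ack", "path", "file")

# Constructed stand-in for the tshark output (one tuple per packet).
SAMPLE_ROWS = [
    ("10.10.0.5", "192.168.1.20", "445", "1", "0", "", ""),        # SYN opened from DMZ
    ("192.168.1.20", "10.10.0.5", "49152", "1", "1", "", ""),      # SYN/ACK back
    ("10.10.0.5", "192.168.1.20", "445", "0", "1", "\\\\192.168.1.20\\IPC$", ""),
    ("10.10.0.5", "192.168.1.20", "445", "0", "1", "\\\\192.168.1.20\\ADMIN$", ""),
    ("10.10.0.5", "192.168.1.20", "445", "0", "1", "", "\\PSEXESVC.EXE"),
    ("192.168.1.30", "10.10.0.5", "80", "1", "0", "", ""),         # LAN -> DMZ web, expected
    ("192.168.1.30", "192.168.1.20", "445", "1", "0", "", ""),     # LAN -> LAN, out of scope here
]
SAMPLE = "".join("\t".join(r) + "\n" for r in SAMPLE_ROWS)


def _flag(value):
    """tshark prints boolean fields as 1/0 (older) or True/False (newer)."""
    return value.strip().lower() in ("1", "true")


def _in_zone(addr, zone):
    try:
        return ipaddress.ip_address(addr) in zone
    except ValueError:  # empty field on non-IP packets such as ARP
        return False


def parse_lines(text):
    """Turn tab-separated field output into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # absent fields are printed empty
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def dmz_initiated_connections(rows):
    """The post's first filter: SYN=1, ACK=0 from the DMZ into the LAN, i.e.
    connections *opened* by a DMZ host. Returns {(src, dst): {dport, ...}}."""
    opened = defaultdict(set)
    for r in rows:
        if (_flag(r["syn"]) and not _flag(r["ack"])
                and _in_zone(r["src"], DMZ) and _in_zone(r["dst"], INTERNAL)):
            opened[(r["src"], r["dst"])].add(r["dport"])
    return dict(opened)


ADMIN_SHARES = {"IPC$", "ADMIN$", "C$"}


def psexec_indicators(rows):
    """SMB evidence the post reads by eye: tree connects to administrative
    shares and the PSEXESVC binary name. Returns (src, dst, kind, detail)."""
    hits = []
    for r in rows:
        share = r["path"].rsplit("\\", 1)[-1].upper() if r["path"] else ""
        if share in ADMIN_SHARES:
            hits.append((r["src"], r["dst"], "admin_share", share))
        if "PSEXESVC" in r["file"].upper():
            hits.append((r["src"], r["dst"], "psexec_service", r["file"]))
    return hits


def pivot_report(rows):
    """Join the two views: a DMZ host that opens connections into the LAN and
    shows PsExec/admin-share activity towards the same host is a pivot candidate."""
    hits = psexec_indicators(rows)
    report = {}
    for (src, dst), ports in dmz_initiated_connections(rows).items():
        evidence = [(kind, detail) for s, d, kind, detail in hits if (s, d) == (src, dst)]
        report[(src, dst)] = {
            "ports": sorted(ports),
            "evidence": evidence,
            "verdict": "likely PsExec pivot" if evidence else "review: DMZ-initiated",
        }
    return report


if __name__ == "__main__":
    for pair, info in pivot_report(parse_lines(SAMPLE)).items():
        print(pair, info["verdict"], info["ports"], info["evidence"])
```

On the constructed sample the report contains one pair, the DMZ host towards the internal server, with port 445 and three pieces of evidence (IPC$, ADMIN$, PSEXESVC.EXE). A DMZ host that only opens connections inward without SMB evidence is still listed, marked for review, since that traffic should not exist if the firewall filtered the DMZ ---> Internal Network direction as intended.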

If you want to see more useful examples of using Tshark to deal with network security incidents, take a look at Instant Traffic Analysis with Tshark How-to.


  1. Good afternoon,

    First, congratulations on your page and on your book, which has excellent material. I wanted to ask where I could download the code and/or scripts that appear in your book (pages 47, 48, 56).

  2. Hi Giovanni,
    unfortunately no repository with the scripts was published. If a new version/edition is published, I will upload all the scripts and the tests performed to GitHub.

  3. Hi Borja,

    Thanks for your reply. Let's hope the new edition comes out soon. Regards