Analyzing a Log4j Exploit with Wireshark (and how to filter for it) // Sample PCAP!

  • Published on 31 Jul 2024
  • Log4j is quite the buzz these days - as it should be! There are lots of videos showing the code behind how it works, but let's analyze how CVE-2021-44228 looks on the wire. You can download the pcap with the attack traffic and follow along with me here:
    bit.ly/Log4jAttack
    (Thanks Brad Duncan from malware-traffic-analysis.net!)
    As a side point - the filter shown may produce some false positives if the target server connects to other internal servers. Take that into account when analyzing the filter results!
    Link to video on how to configure Wireshark GeoIP: • Map IP Address Locatio...
    Other links:
    E-mail: packetpioneer@gmail.com
    Twitter: / packetpioneer
    Full Wireshark Cybersecurity Course - www.bit.ly/wiresharkhunt
    TCP Analysis Course - www.bit.ly/wiresharktcp
    == More On-Demand Training from Chris ==
    ▶Getting Started with Wireshark - bit.ly/udemywireshark
    ▶Getting Started with Nmap - bit.ly/udemynmap
    == Live Wireshark Training ==
    ▶TCP/IP Deep Dive Analysis with Wireshark - bit.ly/virtualwireshark
    == Private Wireshark Training ==
    Let's get in touch - packetpioneer.com/product/pri...
    Timestamps:
    0:00 Intro
    0:58 PCAP Overview
    1:32 Mapping the source IP's
    2:51 Analyzing the Log4j Post
    4:29 Decoding the Base64 with CyberChef
    5:35 Researching the remote server - Virus Total
    6:46 Filtering for Log4j
    9:40 Wrap-Up
  • Science & Technology

Comments • 151

  • @ChrisGreer
    @ChrisGreer 2 years ago +18

    Let's get some hands-on with Log4j! Download the pcap in the description and follow along. We'll look at how the attack works, how to filter for it, and how to config Wireshark to see where it is coming from. Hope you all enjoy and thank you so much for watching! I appreciate the comments and feedback.

    • @KaySwiss21
      @KaySwiss21 2 years ago

      I'm curious to know what you think about Intel ME. There's some claims that ME is spyware from Intel. Do you think it's more of a risk or benefit to keep ME, being there's a way to disable it with me_cleaner

    • @plushplush7635
      @plushplush7635 2 years ago

      thanks bro

  • @Devopscreator
    @Devopscreator 2 years ago +15

    Hi Chris,
    It's been 2 years since I started following you. Thanks for making such great videos; your videos are always to the point, short, simple and easy to understand. No one has explained Wireshark better than you do. And it really helped in troubleshooting network issues.

    • @ChrisGreer
      @ChrisGreer 2 years ago +3

      I appreciate that! Thanks for the comment!

  • @vnthks
    @vnthks 2 years ago +1

    Thank you Chris, for providing such an incredible packet analysis. Keep up the great work.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thanks, will do!

  • @NarendraS
    @NarendraS 2 years ago +2

    You are AMAZING!!!!! The quality and the content and the way you explain is top notch

  • @chrishuston4445
    @chrishuston4445 2 years ago +2

    Amazingly helpful video, thank you for your time putting this together.

  • @derrickdike5709
    @derrickdike5709 2 years ago +1

    Another incredible video with a lot of knowledge to help with analysis. Thanks Chris

    • @ChrisGreer
      @ChrisGreer 2 years ago

      My pleasure Derrick!

  • @vq8gef32
    @vq8gef32 1 year ago

    Amazing Chris. As always awesome. I liked the way you checked to make sure the server hadn't reacted. (That was my question.)

  • @mystiqkc
    @mystiqkc 2 years ago

    You are awesome. The way you explain things is clear and I feel excited to learn more. Thanks a lot for this. I have set a goal for myself to complete your Pluralsight courses for the coming holidays :-)

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Awesome! Reach out if you have any questions.

  • @clementyves6154
    @clementyves6154 2 years ago +5

    Very nice video! Good references and a lot of stuff learned again! Thanks for your work.

  • @andyh3970
    @andyh3970 2 years ago +1

    Excellent pace and details - 11/10!

  • @hackebeil20
    @hackebeil20 2 years ago +12

    Chris, sincerely, there has not been a single video from you that didn't provide massive value to me! Just learned about cyberchef and virustotal - great tools, man!

    • @ChrisGreer
      @ChrisGreer 2 years ago +2

      Awesome! Yeah those two are VERY useful. Glad the video helped. I'll be posting another as soon as I can get my hands on that script. Stay tuned!

  • @Black_Swan68761
    @Black_Swan68761 2 years ago

    Thank you so much, Chris, for sharing this video. You explained it very well.
    Much appreciated!!!

  • @DynastyKiller__
    @DynastyKiller__ 2 years ago +1

    This is awesome work, Chris. Thanks for this video.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thanks for the comment Jorge!

  • @TNothingFree
    @TNothingFree 2 years ago +1

    Wonderful commentary, useful examples and short video.
    Very well done

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Glad you liked it! Thank you for the comment.

  • @hadestech8147
    @hadestech8147 2 years ago +1

    Chris, outstanding lesson. Thanks for the update.

  • @vyasG
    @vyasG 2 years ago +2

    A ton of useful information in this video! Thank you.

  • @yogeshkhurana5014
    @yogeshkhurana5014 2 years ago

    I am in TAC for a switch company.
    This came to us as a vulnerability issue with a device.
    But thankfully no device was vulnerable.
    And from the video I got the chance to learn about this attack.
    Thank you..

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Great to hear. Thanks for the feedback!

  • @venkatesh4760
    @venkatesh4760 2 years ago +1

    Hey Chris, thanks for this great informative video..

  • @deepaknarayanan3619
    @deepaknarayanan3619 2 years ago

    Wow, most needed content for the current situation ❤️👌 Much appreciated video

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Thanks for the comment!

  • @vishalpandita9857
    @vishalpandita9857 2 years ago +1

    Very helpful video with simple explanation. Thanks!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful!

  • @ThePumbaadk
    @ThePumbaadk 2 years ago +1

    Thanks Chris, this was great and with very good explanations

  • @alandoran
    @alandoran 2 years ago

    Thanks for sharing this Chris. Very helpful.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful!

  • @GaryHammell
    @GaryHammell 2 years ago

    Great explanations and pace!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you liked it! It's always hard to strike a balance in pacing. Keep the advanced folks interested while not losing the new folks. Thank you for the comment.

  • @songtrush2711
    @songtrush2711 2 years ago +1

    Wow. I am flashed. This is great (and nicely cat assisted) content. Glad I discovered your channel.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      😂 I was wondering when someone would comment on my cat.

  • @309Jolly
    @309Jolly 2 years ago

    Thanks for the info. We are bombarded with tickets and I can now understand what's cooking in the backend

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful! More to come about this vuln as I get more pcaps.

  • @jjames7206
    @jjames7206 2 years ago

    That's very useful, so smart!! Chris

  • @faran4536
    @faran4536 2 years ago +1

    Wow, I was just about to suggest this idea to you. You read my mind, sir!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      We were thinking the same thing... I just had to get my hands on the pcap!

  • @petrprochazka7891
    @petrprochazka7891 2 years ago

    Thank you very much for such an excellent video and very useful links.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      You are welcome!

  • @MrBitviper
    @MrBitviper 2 years ago

    Awesome video Chris.. thank you so much

  • @yuvarajlakshmanan767
    @yuvarajlakshmanan767 2 years ago

    Great video at the right time! Thanks a lot.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful!

  • @msa3218
    @msa3218 2 years ago

    Thanks a lot from Egypt, keep up your great work!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thanks, will do!

  • @benhartsimbolon6457
    @benhartsimbolon6457 2 years ago

    Very nice video. Really like the explanation!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you liked it!

  • @FRD-HDD
    @FRD-HDD 2 years ago

    Very insightful. Thank you.

  • @Seansaighdeoir
    @Seansaighdeoir 2 years ago

    Great job Chris many thanks for this.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      You are welcome! More to come as I get more pcaps!

  • @edisontan2440
    @edisontan2440 2 years ago +1

    Incredible video !👍🏻

  • @JoeClyde579
    @JoeClyde579 1 year ago

    Great video

  • @tweedle634
    @tweedle634 2 years ago

    Your content is AMAZING. THANK YOU FOR THIS!!!!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you enjoy it!

  • @kevinaltizer
    @kevinaltizer 2 years ago

    Great info Chris. Thanks.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Thanks for the comment Kevin!

  • @malkeetkalera7520
    @malkeetkalera7520 2 years ago

    I'm waiting for this

  • @compeec
    @compeec 2 years ago

    Thank you Chris, Good explanation.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful!

  • @roarman75
    @roarman75 2 years ago

    Well explained.. nice!

  • @peterborcik322
    @peterborcik322 1 year ago

    Man! You are really cool! Best Wireshark stuff ever ;-)👍👍👍

    • @peterborcik322
      @peterborcik322 1 year ago

      I need one extra monitor for this Wireshark map ;-)

    • @ChrisGreer
      @ChrisGreer 1 year ago

      Thanks! 👍

  • @haogedeng8842
    @haogedeng8842 2 years ago

    Very informative - thank you very much for sharing!!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad it was helpful!

  • @wingman2k
    @wingman2k 2 years ago +1

    Wow this is such a great video

  • @joepereira8690
    @joepereira8690 2 years ago +1

    This is great. Thank you for sharing.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      You are so welcome!

  • @FayOnis
    @FayOnis 2 years ago

    Thank you for this video, very knowledgeable

  • @ohkay8939
    @ohkay8939 2 years ago

    Awesome video, thank you.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you liked it!

  • @zahidjaan1319
    @zahidjaan1319 2 years ago

    Good work, hope we will get more informative videos. Liked, subscribed!!

  • @kiranjoshi6721
    @kiranjoshi6721 2 years ago +3

    Thanks!

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Thank you so much Kiran!

  • @RyanBess
    @RyanBess 2 years ago

    Look forward to seeing the next video on log4j. I too want to see the shell code

    • @ChrisGreer
      @ChrisGreer 2 years ago +2

      Thanks for the comment Ryan. No kidding! I do too... as soon as I can get my hands on a clean, share-able pcap I will get the video out.

  • @letsgopacket4419
    @letsgopacket4419 2 years ago

    By watching your videos I realised how important Wireshark is..

  • @kevingendron5586
    @kevingendron5586 2 years ago

    Excellent!

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Many thanks! Glad you liked it!

  • @bhaskarmallarapu2392
    @bhaskarmallarapu2392 2 years ago

    Thank you, good video

  • @triumphant_54
    @triumphant_54 11 months ago

    Hi Chris, I saw your Wireshark course on the David Bombal Training platform. Do you offer certification for it?

  • @SoulJah876
    @SoulJah876 2 years ago

    Very cool video, thank you.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Glad you liked it!

  • @kealebogamoletsane977
    @kealebogamoletsane977 2 years ago

    Nice one

  • @HariKrishna-mw2rr
    @HariKrishna-mw2rr 2 years ago

    Thank you 😊

    • @ChrisGreer
      @ChrisGreer 2 years ago

      You're welcome 😊

  • @aga01
    @aga01 2 years ago

    🔥

  • @ShadyNetworker
    @ShadyNetworker 2 years ago

    Thanks for making the video! Is there anything you can share about the shell script referenced?

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Not much yet - but the more I learn the more I will share. Thanks for the comment!

  • @washburnlane
    @washburnlane 2 years ago

    Thank you 🤘😎

  • @HashirrRoblox
    @HashirrRoblox 1 year ago

    Chris, you are a good teacher 😀 Question: why doesn't my Wireshark show the option for the map? It is grayed out.

    • @ChrisGreer
      @ChrisGreer 1 year ago

      Do you have the geoIP databases loaded?

  • @penguin--_--
    @penguin--_-- 2 years ago +1

    Hi Chris, why is my Wireshark only capturing 802.11 packets?

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Hey - can you tell me a bit more about exactly what you see? By 802.11 do you mean control and management frames?

  • @GiorgioCamozzi
    @GiorgioCamozzi 2 years ago

    Very interesting! Would it be possible for the server being attacked to initiate a connection back to the malicious IP through UDP? Or is wget always with TCP? Because then the server wouldn't do a SYN (as far as I'm aware it doesn't with UDP) and we would also need to filter for UDP connections originating from the attacked server.

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Hey Giorgio! So the server could totally start a stream back to the callback server, no rules against that. It may use another utility to do so however. I haven't tried using wget over UDP so I'm not sure on that one.

    • @GiorgioCamozzi
      @GiorgioCamozzi 2 years ago

      @@ChrisGreer Thanks Chris!:)

  • @chockalingamchidambaram1948
    @chockalingamchidambaram1948 2 years ago

    Thanks for the video. Very informative. Do you know what is in that script that this attack is trying to execute (which you said opens up a connection back to the attacking host). Did you get a copy of that lh.sh script?

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      Hey! This particular one wasn't captured. However I did get my hands on a pcap with a similar attack and the script was captured too. I'm prepping the content for that video now. Stay tuned!

    • @chockalingamchidambaram1948
      @chockalingamchidambaram1948 2 years ago

      @@ChrisGreer Thanks !

  • @majiddehbi9186
    @majiddehbi9186 2 years ago

    Thx Chris, just a question: is it useful at the level of CCNA 200-301? Thx

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Great question. I think it is great info for a CCNA to know, but it will not be on the exam. As far as TCP and Wireshark goes, the exam is very light on the details.

  • @plushplush7635
    @plushplush7635 2 years ago

    wooow so cool

  • @Avinashahn
    @Avinashahn 2 years ago

    Nice

  • @shawn8163
    @shawn8163 2 years ago

    This is exactly right, and if this was successful you could see the same destination port outbound as in the JNDI request in your example, 1389

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Nice detail! Thanks for sharing.

  • @germancastillo681
    @germancastillo681 2 years ago

    Hi from Colombia @Chris, could you give us a clue on how to troubleshoot this in Wireshark, not for HTTP (port 80) but for HTTPS (port 443) connections?

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Hey German, good question! So the outbound TCP SYN filter would still work. I would probably add "!ip.dst==10.0.0.0/8" or whatever my internal address range was. Just because even though I might miss lateral movement from the server, I would definitely catch anytime it is going external to connect to somebody out there. I'd also keep a close eye on the number of small https connections that are made and the payload sizes. The post is a TCP connection all its own and is just a quick exchange. If I saw that behavior, followed by the server connecting externally, that would be suspect.
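Chris's outbound-SYN filter with the internal-range exclusion (reply above), together with Giorgio's point earlier in the thread that a UDP callback would never show a SYN, as an added example that is not part of the video or the comments: the same detection logic applied in Python to constructed packet summaries instead of a pcap. The server address 10.0.0.20, the 10.0.0.0/8 internal range and every sample record are assumptions, not values from the pcap in the description.

```python
"""Detection logic for the 'did the attacked server call back?' check.
Constructed packet summaries stand in for a pcap; the server address,
internal range and sample records are assumptions, not pcap values."""
import ipaddress
from dataclasses import dataclass

SERVER = "10.0.0.20"                              # assumed attacked web server
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # range Chris excludes via !ip.dst
JNDI_PORT = 1389                                  # port in the inbound JNDI string, per the thread

# Constructed summaries: "src dst proto dst_port tcp_flags" ('-' = no TCP flags)
SAMPLE = [
    "203.0.113.5 10.0.0.20 tcp 8080 S",    # inbound: attacker opens the HTTP connection
    "10.0.0.20 203.0.113.5 tcp 50000 SA",  # server's SYN-ACK: a reply, not a callback
    "10.0.0.20 10.0.0.50 tcp 3306 S",      # server -> internal database: expected, excluded
    "10.0.0.20 203.0.113.5 tcp 1389 S",    # server -> attacker on the JNDI port: the callback
    "10.0.0.20 198.51.100.9 udp 53 -",     # server -> external resolver: UDP, no SYN to catch
]

@dataclass
class Hit:
    dst: str
    proto: str
    port: int
    reason: str

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

def wireshark_filter(server=SERVER, internal=INTERNAL[0]):
    """Display filter for the TCP half of the check: my reconstruction of the
    video's outbound-SYN filter plus Chris's internal-range exclusion."""
    return (f"ip.src=={server} && tcp.flags.syn==1 && tcp.flags.ack==0 "
            f"&& !ip.dst=={internal}")

def find_callbacks(lines, server=SERVER):
    """Server-originated flows to non-internal hosts: pure SYNs for TCP and,
    since UDP has no handshake, every UDP datagram (noisy: review, don't alert)."""
    hits = []
    for line in lines:
        src, dst, proto, port, flags = line.split()
        if src != server or is_internal(dst):
            continue                          # not the server's own external traffic
        if proto == "tcp" and flags == "S":   # SYN set, ACK clear: the server initiates
            reason = "outbound TCP SYN"
        elif proto == "udp":
            reason = "outbound UDP"
        else:
            continue                          # SYN-ACK etc. answer an inbound connection
        if int(port) == JNDI_PORT:
            reason += f" to the JNDI port {JNDI_PORT}"
        hits.append(Hit(dst, proto, int(port), reason))
    return hits

if __name__ == "__main__":
    print(wireshark_filter())
    for hit in find_callbacks(SAMPLE):
        print(hit)
```

The internal-range exclusion is what hides the benign database connection, and it is also why lateral movement from the server would be missed, exactly the trade-off Chris describes.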

  • @S2eedGH
    @S2eedGH 2 years ago

    Thanks for the great content. I tried GeoIP on Kali Linux, but when I click "open in browser" it shows a blank page

    • @ChrisGreer
      @ChrisGreer 2 years ago

      I wonder if it is the way the file is being unzipped?

  • @AmazingJayB51
    @AmazingJayB51 2 years ago

    I downloaded the trace packet but how do you view or open it in Wireshark?

    • @ChrisGreer
      @ChrisGreer 2 years ago +1

      I usually just double click it, or find it from within the Wireshark user interface.

    • @AmazingJayB51
      @AmazingJayB51 2 years ago

      @@ChrisGreer Thank you!

  • @chrismachabee3128
    @chrismachabee3128 2 years ago

    Thanks for the video. I'm a web designer. I have some Wireshark courses on the shelf but never got to them. Watching an expert at the craft was very enlightening. It's funny too. I have been hearing of this Log4J thing; I thought it was another language, until a day or so ago I heard that it is a malware. Not really my thing, but important nonetheless. I don't think I would have been bored had you shared more details, but I understand.
    Can you tell by looking at that hack if it is a script kiddie or a major attempt? Thanks again.

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Hey Chris thanks for the comment. I was able to get my hands on a pcap with more detail, so I plan to release a follow-on video soon. Stay tuned!

    • @chrismachabee3128
      @chrismachabee3128 2 years ago

      @@ChrisGreer
      Sure, sure, I subbed for sure. I also have an ethical hacker course. I really have to fit it in with everything else I'm trying to wrap my head around. We're standing by.

  • @dedkeny
    @dedkeny 1 year ago

    FYI the IP in the Base64 encoded message is still active... the IP may not be static but I found this interesting.

    • @ChrisGreer
      @ChrisGreer 1 year ago +1

      Hmmmm, nice. Thanks for the comment!

  • @Abdelilahjghii
    @Abdelilahjghii 2 years ago

    Good ☺️

  • @domagoj19zg
    @domagoj19zg 2 years ago

    Cool stuff

  • @WokwithLan
    @WokwithLan 2 years ago

    Wokwithlan here

  • @TamazghaLandOfGod
    @TamazghaLandOfGod 2 years ago +1

    Whoever came here from Amine Raghib, hit the like button so we can count you 👍👍

  • @cansofcoke
    @cansofcoke 2 years ago

    Please update your Chrome if you're not in a VM in this vid :D

    • @ChrisGreer
      @ChrisGreer 2 years ago

      Thankfully in a VM :-) But still need to update. Good practice anyway!

    • @cansofcoke
      @cansofcoke 2 years ago

      @@ChrisGreer chrome vulns just scare me so much, so I get triggered 😅

  • @stadingschool9054
    @stadingschool9054 2 years ago

    Pub rarib Amin😂😂

  • @saidibra9231
    @saidibra9231 1 year ago

    You are going very fast, try to explain slowly

  • @mystiqkc
    @mystiqkc 2 years ago

    Thanks!