I have a bunch of pcap files captured by Wireshark and I’d like to discover malicious traffic. I have written a program that parses said pcap files, creates devices (according to the MAC address found in these files) and adds packets (sent and received) to these devices. Furthermore, I merge packets which are sent to the same IP address. In the end I write the result to disk accordingly.
Thus, I am able to inspect every IP address a device has contacted and the packets sent and received.
It should also be mentioned that these devices were in “passive” mode. This means that they weren’t actually used at the moment of the capture and the screen was turned off most of the time.
So far, I have analysed the traffic of three of my smartphones, my wife’s phone and my parent’s phone and luckily (or sadly) most traffic is encrypted and sent to port 443. (I’m focusing on sent packets and Android at the moment because I want to discover data leakage on Android phones).
Given that most traffic apparently uses Amazon’s cloud I thought I might not discover anything. However, when taking a look at the encrypted payload I am able to see some human readable data. For instance, the IP 126.96.36.199 which resolves to ec2-34-235-195-44.compute-1.amazonaws.com is in fact used by Signal, because of the string textsecure-service.whispersystems.org. Furthermore, I discovered that the ES FileReader leaks a bunch of information (on partially unencrypted traffic), due to my father’s “there is an app for it” mindset.
Along with that, if WhatsApp is running on the device it makes up a large portion of the network traffic, while Signal doesn’t use much.
I have thought about browsing through the ports and looking at non-conventional ones, but as mentioned above, the most heavily used port is 443.
Also, aside from ES FileReader, I discovered various ad networks being contacted on devices with a bunch of apps installed.
Do you guys have any other ideas on what to look for, or any other additional input?
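Added example (not the original poster's program): a stdlib-only Python parser that, for each sending MAC, groups the port-443 destinations and pulls the server_name (SNI) out of the TLS ClientHello, which is where a hostname such as textsecure-service.whispersystems.org becomes readable in otherwise encrypted traffic. The sample frame is constructed here; the source MAC and the client address 192.168.1.10 are assumptions.

```python
import struct

def sni_from_client_hello(p: bytes):
    """Return the server_name from a TLS ClientHello record, else None."""
    def u16(i): return int.from_bytes(p[i:i + 2], "big")  # tolerant of short slices
    if len(p) < 44 or p[0] != 0x16 or p[5] != 0x01:      # handshake record, ClientHello
        return None
    try:
        pos = 44 + p[43]                                 # skip random and session id
        pos += 2 + u16(pos)                              # cipher suites
        pos += 1 + p[pos]                                # compression methods
    except IndexError:
        return None                                      # truncated hello
    end, pos = pos + 2 + u16(pos), pos + 2               # extensions block
    while pos + 4 <= min(end, len(p)):
        etype, elen = u16(pos), u16(pos + 2)
        pos += 4
        if etype == 0:                                   # server_name extension
            return p[pos + 5:pos + 5 + u16(pos + 3)].decode("ascii", "replace") or None
        pos += elen
    return None

def parse_frame(frame: bytes):
    """Ethernet/IPv4/TCP frame -> (src_mac, dst_ip, dst_port, tcp_payload) or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    dst = ".".join(map(str, frame[30:34]))
    return mac, dst, int.from_bytes(tcp[2:4], "big"), tcp[(tcp[12] >> 4) * 4:]

def sni_by_device(frames):
    """{src_mac: {dst_ip: {SNI names}}} from port-443 ClientHellos, per sending device."""
    seen = {}
    for mac, ip, port, payload in filter(None, map(parse_frame, frames)):
        name = sni_from_client_hello(payload) if port == 443 else None
        if name:
            seen.setdefault(mac, {}).setdefault(ip, set()).add(name)
    return seen

def build_tls_frame(src_mac: bytes, dst_ip: bytes, host: str) -> bytes:
    """Constructed sample (not from a real capture): frame carrying a ClientHello with SNI."""
    n = host.encode()
    ext = struct.pack("!HHHBH", 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    tls = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0) + tls
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, b"\xc0\xa8\x01\x0a", dst_ip)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + tcp
```

Feed it the raw Ethernet frames from the pcap; a ClientHello that spans more than one TCP segment would need stream reassembly first, which this does not do.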
Taken from the link for anyone else interested: “any traffic that is not passing via a path that libpcap can latch on to cannot be captured.” Which makes it pretty simple. It does not capture everything. End of story.
General advice: it’s not the most mental health promoting thing to dabble in (at least not in the long run).
If you set up a proxy with an HTTPS certificate and trust that on your own devices you could man-in-the-middle your HTTPS traffic and inspect it that way.
If Wireshark can’t capture something it’s because the traffic isn’t traversing that interface. It captures Ethernet frames; so long as it is an Ethernet frame it will capture it.
Also, if you’re in a switched network then unless you have Wireshark inline between your devices and the router it won’t capture the traffic either, unless you configure a SPAN session for it on your switch.
And yes, almost everything is over port 443 these days in order to traverse firewalls, encrypt the data, etc.
Thanks for the info concerning Wireshark, but I’m aware of that, which is why I configured a spare notebook as access point and connected it to my router via an ethernet cable. Even though @Bruger has already said that it is quite possible to hide from Wireshark I have thus far found some interesting traffic. Some ad providers leak information through port 80, which yielded some interesting preliminary results. And, even if the traffic uses port 443, there is still some information to gather that enabled me to figure out which app a device might have running.
In Windows you can also look at Performance Monitor and filter network connections by process. This will enable you to see the application or process that has a network connection open on the client.
Obviously, this only works if you have administrative control of the client, and can do the analysis in real time, but is a way to see what process your port 443 traffic is generated by without the ability to inspect it in flight.