SPYWARE Analysis with Wireshark - STOLEN LOGINS!

  • Date added: 28 June 2024
  • In this video we are going to take a look at how Agent Tesla Spyware works. Using an exercise from malware-traffic-analysis.net, we will learn what indicators to look for as this Spyware steals user credentials.
    Let's dig!
    Get the pcaps here - malware-traffic-analysis.net/...
    == More On-Demand Training from Chris ==
    ▶Getting Started with Wireshark - bit.ly/udemywireshark
    ▶Getting Started with Nmap - bit.ly/udemynmap
    == Live Wireshark Training ==
    ▶TCP/IP Deep Dive Analysis with Wireshark - bit.ly/virtualwireshark
    == Private Wireshark Training ==
    Let's get in touch - packetpioneer.com/product/pri...
    Questions? Comments?
    You know what to do below!
    Chapters:
    0:00 Intro
    0:40 Get the PCAP
    1:52 Victim's IP Address
    3:48 Stolen Credentials
    5:50 Decoding Base64 Logins
  • Science & Technology
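The "Decoding Base64 Logins" step from the chapter list, as an added example that is not part of the video or its description: the SMTP AUTH LOGIN exchange that Wireshark's Follow TCP Stream shows is base64 on both sides, and a small triage script can recover the mailbox the spyware logs in to so that account can be reported and disabled. The SMTP session below is constructed, not taken from the malware-traffic-analysis.net pcap; the parser also handles the single-line AUTH PLAIN form, which the video does not cover.

```python
import base64
import binascii
import re

# Constructed sample, not the exercise pcap: a plaintext SMTP submission session as
# Wireshark's "Follow TCP Stream" shows it. The 334 challenges are base64 for
# "Username:"/"Password:"; the client replies are the base64 exfil mailbox login.
SAMPLE_STREAM = """\
220 mail.example.test ESMTP ready
EHLO DESKTOP-VICTIM
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
ZXhmaWxAZXhhbXBsZS50ZXN0
334 UGFzc3dvcmQ6
UGFzc3cwcmQh
235 2.7.0 Authentication successful
MAIL FROM:<exfil@example.test>
"""

SERVER_REPLY = re.compile(r"\d{3}[ -]")  # SMTP replies start "NNN " or "NNN-"


def b64_text(token: str):
    """Decode one base64 token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_smtp_logins(stream: str) -> list:
    """Recover credentials sent via AUTH LOGIN (challenge/response) or AUTH PLAIN (initial-response form)."""
    found, pending = [], None  # pending: client replies of an in-progress AUTH LOGIN
    for raw in stream.splitlines():
        line = raw.strip()
        words = line.split(None, 2)
        if line.upper().startswith("AUTH PLAIN ") and (blob := b64_text(words[2])) is not None:
            parts = blob.split("\0")  # RFC 4616: [authzid] NUL authcid NUL passwd
            if len(parts) == 3:
                found.append({"method": "PLAIN", "username": parts[1], "password": parts[2]})
        elif line.upper().startswith("AUTH LOGIN"):
            pending = [b64_text(words[2])] if len(words) == 3 else []  # optional initial username
        elif pending is not None and line and not SERVER_REPLY.match(line):
            pending.append(b64_text(line))  # client reply to a 334 challenge
        if pending is not None and len(pending) == 2:
            found.append({"method": "LOGIN", "username": pending[0], "password": pending[1]})
            pending = None
    return found
```

Run `extract_smtp_logins(SAMPLE_STREAM)` to get the decoded LOGIN credential; a stream captured on TCP/465 or after STARTTLS yields nothing, because the same exchange is inside TLS.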

Comments • 37

  • @x0rZ15t (a year ago, +9)

    These small videos of yours are so fun and informative. I didn't even know you could decode base64 inside Wireshark before 🤯

    • @vq8gef32 (a year ago, +2)

      Just adding this side note: I watched the Unit42 Wireshark series, but the way Chris dives into Wireshark is 360 degrees different. This is my opinion, but please watch and compare. Thank you so much Chris.

    • @johnvardy9559 (11 months ago)

      @vq8gef32 What do you mean? Which one is better to understand?

  • @colinrogers9927 (a year ago, +2)

    Awesome vid! I am now intrigued enough that I will be analyzing much more malware. Thank you good sir!

  • @rakeshn5070 (a year ago, +1)

    Wow Chris. This calls for seriously learning Wireshark. Damn, how people steal logins using malware. Thanks for sharing the video and keep informing us.

  • @vq8gef32 (a year ago, +1)

    Chris, Chris, you are Master Shark! :) Big thank you.

  • @slip6699 (a year ago, +1)

    I love this content. Every time I learn something new. I have very little experience looking at logs, but I'm picking stuff up. Thanks for sharing. I really need to try some of those real-world examples. My eyes jumped to port 80 right away, and you basically got everything from SMTP instead.

    • @ChrisGreer (a year ago)

      I get it, it's easy to focus on the wrong thing... I do it all the time!

  • @dbasslock (a year ago, +1)

    Learning a ton of information from you, keep it up!

  • @Manavetri (a year ago, +1)

    Excellent, I love this kind of video with real files!... Keep going.

  • @monh964 (a year ago, +1)

    Compressed and rich video. Thank you sir ✌️✌️✌️✌️✌️

  • @clementyves6154 (a year ago, +1)

    Very nice video! Thanks

  • @yhytuncer (a year ago, +1)

    These malicious pcap traffic analysis videos are awesome!

    • @ChrisGreer (a year ago)

      Glad you like them! I gotta make some more then...

  • @majiddehbi9186 (a year ago, +2)

    Wow Chris, always a good subject and smart analysis, thx and keep giving. Just a question: where to get any Wireshark certificate? Chris, thx for your help

  • @ScottPlude (a year ago)

    1%
    That's how much of your Wireshark knowledge I hope to retain some day! Just 1%!
    Amazing!

  • @TheKhirocks (a year ago, +1)

    That base64 decode in Wireshark was a great tip - I've been copy/pasting strings to external websites to do the same 👍

    • @ChrisGreer (a year ago)

      Glad it helped! I was too... until someone showed me that lil' trick.

  • @joerockhead7246 (a year ago)

    Nice. Thank you.

  • @stanleytomasetti1074 (8 months ago)

    Please do more of these

  • @denza2843 (10 months ago)

    Ty Chris

  • @vq8gef32 (a year ago)

    Hi Chris, if we try to open this PCAP file using the Python Scapy library, should we still be careful about it?

  • @YaserBasaad (a year ago)

    Thanks a lot, keep it up

  • @Vipinkumarofficial (9 months ago)

    Hi Chris,
    After clicking on Follow Stream, I got only binary code, nothing readable. Is there anything I need to do to get readable data?

  • @johnvardy9559 (11 months ago)

    Is all of this stuff included in your course?

  • @justchecking2470 (a year ago)

    Love the content you made, but a question comes to my mind at the end. If the SMTP auth process had been done by the user on port 465 with SSL, would we be able to see the base64-encoded username and password?

    • @ChrisGreer (a year ago, +1)

      If it was encrypted over SSL/TLS then no, we wouldn't see the content, nor the base64 encoded username/passwords. To find suspect traffic in encrypted streams we would need to look for strange IP conversations (Which could possibly be spoofed), unusual port numbers, or other unusual conversation patterns. It can get tough these days! But I like showing the unencrypted pcaps because they are much better for learning how the spyware/malware works.

    • @justchecking2470 (a year ago)

      @ChrisGreer 👍

  • @MrThumper001 (5 months ago)

    I am not able to download any pcap from this site. Please help

  • @tanteckleng5062 (11 months ago)

    👍

  • @vijay85cisco (a year ago)

    Hi bro, in my client-to-server scenario the TCP connection is intermittently getting a RESET initiated from the client side after the first SYN packet succeeds and the second SYN+ACK packet is received at my client machine. Then my client machine sends a sudden RESET to the server instead of completing the 3-way handshake. On analysis, out of 100 TCP connections I can see 25 RESETs from my client machine to the server. I believe something unusual is at my CLIENT machine. I differentiated all successful requests and failed reset requests. There I found that whenever my client machine sent a RESET, above the Wireshark line of each stream the delta time on the received SYN+ACK is above 500ms to 900ms. On all successful TCP requests, the SYN+ACK received delta time in Wireshark on my client side shows below 450ms. So I believe my side machine is expecting that the SYN+ACK packet received at my client machine should be below the value of

  • @Iowa.k (a year ago)

    Thanks. The SMTP trick is a big help.