This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Prove that my network was hacked into

0

Hi guys and girls, like the title says I have to prove that my network was hacked into and data was exfiltrated. I'm a total newbie on this program with about 6 hours in watching tutorials and messing around with it. It's for my Ethical hacking class and any comments on where to start first or what I should be on the lookout for would be greatly appreciated. Thank you

asked 27 Oct '17, 09:57

fame346's gravatar image

fame346
6112
accept rate: 0%


One Answer:

0

Bad news - Wireshark can only show you what is/was going on while a network traffic capture is/was running. So if your network has been hacked into for a one-time theft of data and that theft has already been completed, capturing network traffic any time after that cannot give you any clue about what has happened.

If you do have network captures from the suspected time of being hacked, you may use Wireshark to analyse them. But even in that case, it is normally close to impossible to find out the ultimate destination of the stolen data / ultimate source of the attack, as the IP addresses you eventually find to be involved are typically just proxies (whose admins have no clue that they were used for the attack as these boxes have themselves been also hacked before).

If some machines in your network got infected by malware and e.g. act as proxies for further attacks as described above, capturing the traffic and analysing it may highlight that - if you are lucky enough to be capturing while the malware is active.

answered 27 Oct '17, 13:41

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

First off thank you for the response. As for the network capture my teacher did say the provided capture that was given to me was during the time that the network may or may not have been infiltrated. To give you an idea of how large this file is it's 148mb of pure network traffic. Is there any anomalies that I should look out for?

(27 Oct '17, 14:51) fame346

With such traffic volume I'd take the other way round, filter out everything that obviously is not malicious (e.g. hacking of a network cannot start from an ARP packet as only local machines can send ARP), and then filter out other things which seem normal.

Unless the network contains some servers made accessible from outside, a hacker needs to trick one of the machines in the network into actively downloading the malware as part of a web page (so usually the web server in the internet must be hacked first and its pages then contain some malicious scripts), or as part of an executable file which the user executes either after actively downloading it or after receiving it as an e-mail attachment.

So the whole exercise is to see from the capture how the network is organised (i.e. are there any connections initiated from outside the subnet? If so, there are servers made available for access from the internet), check every single traffic flow for type and, if capable of transferring code, for detailed contents. Audio and video streams or files may also contain malware as they may exploit bugs of popular media players, but I wouldn't expect this kind of attack in a school assignment.

Another approach is to observe order of things happening. If after finishing an SSL session (where you have no clue about the contents of the data being transferred) the receiving machine in that session starts doing funny things, like sending DNS queries with weird fqdns and then setting up connections to them, it can be an indicator of it just running a piece of malware. The mere fact that a web server uses SSL doesn't guarantee that it could not be hacked.

Good luck and let us know whether it was of any use.

(28 Oct '17, 01:12) sindy