Episode Details

Back to Episodes
Course 6 - Network Traffic Analysis for Incident Response | Episode 4: Mapping, Decoding, and Decrypting Network Traffic Intelligence

Course 6 - Network Traffic Analysis for Incident Response | Episode 4: Mapping, Decoding, and Decrypting Network Traffic Intelligence

Published 6 months, 1 week ago
Description
In this lesson, you’ll learn about: Intelligence Collection from Network Traffic Captures — focusing on anomalies, attacker behavior, and extracting actionable intelligence. 1. Network Mapping & Visualization
  • Humans struggle with long lists → visualizing traffic helps you feel the environment.
  • Tools like pcap viz generate maps at different OSI layers:
Layer 3 (IP Addresses)
  • Shows which machines talk to each other.
  • Helps detect unusual communication paths.
Layer 4 (TCP/UDP Ports)
  • Shows communication between applications.
  • Unusual ports (e.g., 900) may indicate custom or C2 protocols.
2. Content Deobfuscation Attackers often hide traffic with simple encodings (not strong encryption).
Goal → recover the original content, often a payload or second-stage executable. XOR Encoding
  • Common in malware traffic.
  • Repeated patterns in streams (especially when encoding zeros) reveal the key.
  • Example: fixed-length 4-byte key like MLVR.
Base64 (B64)
  • Seen in C2 frameworks like Onion Duke.
  • Recognizable by:
    • A–Z, a–z, 0–9, “+”, “/”
    • Ends with “=” padding
  • Easy to decode using built-in libraries or online tools.
3. Credential Capture from Insecure Protocols Focus: credentials leaking in plaintext protocols. Telnet & IMAP
  • Send usernames/passwords in clear text.
  • Easy to extract directly from the TCP stream.
SMTP
  • Encodes credentials in Base64 → trivial to decode.
  • Python or online decoders reveal username + password.
  • Reinforces the need for TLS encryption.
4. SSL/TLS Decryption in Wireshark Encrypted traffic looks like random “gibberish” unless you have the right keys. Using RSA Private Keys
  • If the RSA private key is available, Wireshark can decrypt sessions directly.
Ephemeral Keys (ECDHE)
  • Cannot be decrypted using the server’s private key.
  • Must capture the session keys using a pre-master secret log file:
    • Often done by setting an SSL key log file environment variable in browsers.
  • Without that log, the sessions are not recoverable.
5. Web Proxy Interception (Deep Packet Inspection) Enterprise method for inspecting encrypted HTTPS traffic. How it works
  • A corporate proxy (e.g., Burp Suite) intercepts connections:
    • Breaks the client → server TLS session.
    • Decrypts → inspects → re-encrypts all traffic.
Requirements
  • Clients must install the proxy’s self-signed root certificate.
  • Needed to bypass controls like HSTS.
Risks
  • Proxy becomes a single high-value target for attackers.
  • Raises privacy concerns, especially when employees do personal browsing (banking, etc.).


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.

Support Us