Download Air Display Host For Mac 3.4.2

Oracle VM VirtualBox enables you to install and execute unmodified versions of Mac OS X guests on supported host hardware. Note that this feature is experimental and thus unsupported. Oracle VM VirtualBox is the first product to provide the modern PC architecture expected by OS X without requiring any of the modifications used by competing. Your Mac's hosts file is a small but important text document that has the ability to map hostnames to specified IP addresses. While the modern Internet uses a variety of public and private DNS. AT90USB1286 - 8-bit AVR Microcontroller, 128KB Flash, 64-pin, USB Controller. AT90USB1287 - 8-bit AVR Microcontroller, 128KB Flash, 64-pin, USB Controller. AT90USB162 - 8-bit AVR Microcontroller, 16KB Flash, 32-pin, USB Controller. AT90USB646 - 8-bit AVR Microcontroller, 64KB Flash, 64.

By

Category: Unit 42

Tags: pcap, tutorial, Wireshark, Wireshark Tutorial

This post is also available in: 日本語 (Japanese)

As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display as described my previous blog about using Wireshark. Today's post provides more tips for analysts to better use Wireshark. It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts.

Pcaps for this tutorial are available here. Keep in mind you must understand network traffic fundamentals to effectively use Wireshark. And you should also have a basic understanding of how malware infections occur. This is not a comprehensive tutorial on how to analyze malicious network traffic. Instead, it shows some tips and tricks for Wireshark filters. This tutorial covers the following areas:

  • Indicators of infection traffic
  • The Wireshark display filter
  • Saving your filters
  • Filters for web-based infection traffic
  • Filters for other types of infection traffic

This tutorial uses examples of Windows infection traffic from commodity malware distributed through mass-distribution methods like malicious spam (malspam) or web traffic. These infections can follow many different paths before the malware, usually a Windows executable file, infects a Windows host.

Indicators consist of information derived from network traffic that relates to the infection. These indicators are often referred to as Indicators of Compromise (IOCs). Security professionals often document indicators related to Windows infection traffic such as URLs, domain names, IP addresses, protocols, and ports. Proper use of the Wireshark display filter can help people quickly find these indicators.

Wireshark's display filter a bar located right above the column display section. This is where you type expressions to filter the frames, IP packets, or TCP segments that Wireshark displays from a pcap.

Figure 1. Location of the display filter in Wireshark.

If you type anything in the display filter, Wireshark offers a list of suggestions based on the text you have typed. While the display filter bar remains red, the expression is not yet accepted. If the display filter bar turns green, the expression has been accepted and should work properly. If the display filter bar turns yellow, the expression has been accepted, but it will probably not work as intended.

Figure 2. Wireshark's display filter offering suggestions based on what you type.

Figure 3. Wireshark's display filter accepts an expression, and it works as intended.

Figure 4. Example of Wireshark's display filter accepting an expression, but it does not work as intended.

Wireshark's display filter uses Boolean expressions, so you can specify values and chain them together. The following expressions are commonly used:

  • Equals: or eq
  • And: && or and
  • Or: (double pipe) or or

Examples of these filter expressions follow:

  • ip.addr eq 192.168.10.195 and ip.addr192.168.10.1
  • http.request && ip.addr192.168.10.195
  • http.request http.response
  • dns.qry.name contains microsoft or dns.qry.name contains windows

When specifying a value exclude, do not use != in your filter expression. For example, if you want to specify all traffic that does not include IP address 192.168.10.1, use !(ip.addr eq 192.168.10.1) instead of ip.addr != 192.168.10.1 because that second filter expression will not work properly.

As noted in my previous tutorial on Wireshark, I often use the following filter expression as a way to quickly review web traffic in a pcap:

http.request or ssl.handshake.type1.

The value http.request reveals URLs for HTTP requests, and ssl.handshake.type1 reveals domains names used in HTTPS or SSL/TLS traffic.

My previous tutorial contains web traffic generated when a user viewed a URL from college.usatoday[.]com in August 2018. In the pcap, the user was on a Windows 10 computer using Microsoft's Edge web browser. Filtering on http.request or ssl.handshake.type1 outlines the flow of events for this web traffic.

Figure 5. Filtering on web traffic using the previous tutorial's pcap.

However, I also generate pcaps of traffic using Windows 7 hosts, and this traffic includes HTTP requests over UDP port 1900 during normal activity. This HTTP traffic over UDP port 1900 is Simple Service Discovery Protocol (SSDP). SSDP is a protocol used to discover Plug & Play devices, and it is not associated with normal web traffic. Therefore, I filter this out using the following expression:

(http.request or ssl.handshake.type1) and !(udp.port eq 1900)

You can also use the following filter and achieve the same result:

(http.request or ssl.handshake.type1) and !(ssdp)

Filtering out SSDP activity when reviewing a pcap from an infection on a Windows 7 host provides a much clear view of the traffic. Figure 6 shows Emotet activity with IcedID infection traffic from December 3rd, 2018 on a Windows 7 host. It is filtered on web traffic that contains SSDP requests. Figure 7 shows the same pcap filtered on web traffic excluding the SSDP requests, which provides a clearer picture of the activity.

Figure 6. Reviewing web traffic with Emotet and IcedID infection activity in Wireshark without filtering out SSDP traffic.

Figure 7. Reviewing web traffic with Emotet and IcedID infection activity in Wireshark while filtering out SSDP traffic.

In Figure 7, we see some indicators of infection traffic, but not every indicator of the infection is revealed. In some cases, an infected host may try to connect with a server that has been taken off-line or is refusing a TCP connection. These attempted connections can be revealed by including TCP SYN segments in your filter by adding tcp.flags eq 0x0002. Try the following filter on the same traffic:

(http.request or ssl.handshake.type1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)

Including the TCP SYN segments on your search reveals the infected host also attempted to connect with IP address 217.164.2[.]133 over TCP port 8443 as shown in Figure 8.

Figure 8. Including TCP SYN segments in your filter can reveal unsuccessful connection attempts by an infected host to other servers.

In some cases, post-infection traffic will not be web-based, and an infected host will contact command and control (C2) servers. These servers can be directly hosted on IP addresses, or they can be hosted on servers using domain names. Some post-infection activity, like C2 traffic caused by the Nanocore Remote Access Tool (RAT), is not HTTP or HTTPS/SSL/TLS traffic.

Therefore, I often add DNS activity when reviewing a pcap to see if any of these domains are active in the traffic. This results in the following filter expression:

(http.request or ssl.handshake.type1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

In Figure 9, I use the above filter expression to review a pcap showing a Nanocore RAT executable file downloaded from www.mercedes-club-bg[.]com to infect a vulnerable Windows host. The initial download is followed by attempted TCP connections to franex.sytes[.]net at 185.163.45[.]48 and franexserve.duckdns[.]org at 95.213.251[.]165. Figure 10 shows the correlation between the DNS queries and the TCP traffic.

Figure 9. Including DNS queries reveals attempted TCP connections to additional domains.

Figure 10. Correlating DNS traffic to the TCP activity.

Some infection traffic uses common protocols that can easily be decoded by Wireshark. Figure 11 shows post-infection traffic caused by this malware executable that generates FTP traffic. Using a standard web traffic search that also checks for DNS traffic and TCP SYN flags, we find traffic over TCP port 21 and other TCP ports after a DNS query to ftp.totallyanonymous[.]com.

Figure 11. Activity from malware generating FTP traffic.

MacHost

Realizing this is FTP traffic, you can pivot on ftp for your display filter as shown in Figure 12. When filtering on ftp for this pcap, we find the infected Windows host logged into an FTP account at totallyanonymous.com and retrieved files named fc32.exe and o32.exe. Scroll down to later FTP traffic as shown in Figure 13, and you will find a file named 6R7MELYD6 sent to the FTP server approximately every minute. Further investigation would reveal 6R7MELYD6 contains password data stolen from the infected Windows host.

Figure 12. Using ftp as a filter and finding the name of files retrieved by the infected host when viewing the FTP control channel over TCP port 21.

Figure 13. The FTP control channel over TCP port 21 also shows information stored to the FTP server as a file named 6R7MELYD6.

In addition to FTP, malware can use other common protocols for malicious traffic. Spambot malware can turn an infected host into a spambot designed to send dozens to hundreds of email messages every minute. This is characterized by several DNS requests to various mail servers followed by SMTP traffic on TCP ports 25, 465, 587, or other TCP ports associated with email traffic.

Let's try this filter expression again:

(http.request or ssl.handshake.type1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

When viewing spambot traffic, you'll find DNS queries to mail servers and TCP traffic to SMTP-related ports as previously described.

Figure 14. Wireshark filtered on spambot traffic to show DNS queries for various mail servers and TCP SYN packets to TCP ports 465 and 587 related to SMTP traffic.

If you use smtp as a filter expression, you'll find several results. In cases where you find STARTTLS, this will likely be encrypted SMTP traffic, and you will not be able to see the email data.

Figure 15. Filtering on SMTP traffic in Wireshark when viewing spambot traffic.

In recent years, email traffic from spambots is most likely encrypted SMTP. However, you might find unencrypted SMTP traffic by searching for strings in common email header lines like:

  • smtp contains 'From: '
  • smtp contains 'Message-ID: '
  • smtp contains 'Subject: '

Keep in mind the Wireshark display filter is case-sensitive. When searching spambot traffic for unencrypted SMTP communications, I often use smtp contains 'From: ' as my filter expression as shown in Figure 16.

Figure 16. Filtering in Wireshark to find email header lines for unencrypted SMTP traffic.

After filtering for SMTP traffic as show in Figure 16, you can follow TCP stream for any of the displayed frames, and you'll find one of the emails sent from the spambot.

Download Air Display Host For Mac 3.4.2 Download

Figure 17. TCP stream showing unencrypted SMTP traffic from a spambot-infected host.

Some filter expressions are very tedious to type out each time, but you can save them as filter buttons. On the right side of the Wireshark filter bar is a plus sign to add a filter button.

Figure 18. Saving a filter expression as a filter expression button in Wireshark.

Click on that plus sign to save your expression as a filter button. You have the following fields:

  • Label
  • Filter
  • Comment

The comment is optional, and the filter defaults to whatever is currently typed in the Wireshark filter bar. Once you have typed your label, then click the OK button as shown in Figure 19.

Figure 19. After typing a filter label, click the OK button.

Download Air Display Host For Mac 3.4.2

In the above image, I typed 'basic' for the filter (http.request or ssl.handshake.type1) and !(udp.port eq 1900) to save as my basic filter. Figure 20 show that filter button labeled 'basic' to the right of the plus sign.

Figure 20. My 'basic' filter button at the far right of the filter bar.

For my normal filter setup in Wireshark, I create the following filter buttons:

  • basic (http.request or ssl.handshake.type1) and !(udp.port eq 1900)
  • basic+(http.request or ssl.handshake.type1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)
  • basic+DNS(http.request or ssl.handshake.type1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

Figure 21. Filter buttons I routinely use on Wireshark.

This tutorial covered the following areas:

  • Indicators of infection traffic
  • The Wireshark display filter
  • Filters for web-based infection traffic
  • Filters for other types of infection traffic
  • Saving your filters

Proper use of Wireshark display filters can help security professionals more efficiently investigate suspicious network traffic. Pcaps used in this tutorial can be found here.

Get updates from
Palo Alto
Networks!

Sign up to receive the latest news, cyber threat intelligence and research from us

Say Hello to AirPlay + Google Cast + Miracast

AirServer is the most advanced screen mirroring software receiver for Mac, PC and Xbox One. It allows you to receive AirPlay, Google Cast and Miracast streams, similar to an Apple TV or a Chromecast device.

AirPlay + Google Cast + Miracast

Download Air Display Host For Mac 3.4.2 -

With the help of a PC, or any other supported hardware, AirServer can transform a simple big screen or a projector into a universal screen mirroring receiver. It does this by implementing all the major screen mirroring technologies such as AirPlay, Google Cast and Miracast into one universal receiver. With AirServer enabled on your big screen, users can use their own devices such as an iPhone, iPad, Mac, Android, Nexus, Pixel, Chromebook, or a Windows 10 PC to wirelessly mirror their display over to the big screen, instantly turning the room into a collaborative space.

Use this technology to screen mirror iPads, Windows laptops and Chromebooks in classrooms, wirelessly project your desktop in meeting rooms, or supercharge your Xbox One at home by turning it into a wireless multimedia hub.

AirServer Universal turns your Windows PC into a universal mirroring receiver, allowing you to mirror your device's display using the built-in AirPlay, Google Cast or Miracast based screen projection functionality; one-by-one or simultaneously to AirServer (patent pending).

3.4.2

On a PC, users can mirror or cast their screen from any AirPlay, Google Cast or Miracast compatible device such as an iPhone, iPad, Mac, Windows 10, Android or Chromebook. Windows 7 and Linux are also supported using the screen casting sender built into the Google Chrome browser.

AirServer for Mac turns your Mac into a universal mirroring receiver, with the exception of Miracast, allowing you to mirror your device's display using the built-in AirPlay or Google Cast based screen projection functionality; one by one or simultaneously to AirServer.

On a Mac, users can mirror or cast their screen from any AirPlay or Google Cast compatible device such as an iPhone, iPad, Mac, Android or Chromebook. Windows and Linux platforms are also supported using the screen casting sender built into the Google Chrome browser.

AirServer Xbox Edition transforms your Xbox One into an all-in-one AirPlay + Google Cast + Miracast receiver which can be used to beam over your favorite music from Spotify or Apple Music on your iOS device, into your favorite games. Or simply use AirServer to showcase your mobile gameplay on a bigger screen.

AirServer Surface Hub Edition supercharges your Surface Hub into an all-in-one AirPlay + Google Cast + Miracast receiver with its own guest access point for mirroring so the guests can connect directly to the Surface Hub without needing access to the corporate network.

AirServer is intrinsically optimized for both 55' and 84' Surface Hubs and fully supports its incredible 120Hz display, and as a result delivers a true end-to-end buttery smooth 60 FPS mirroring experience. There is nothing like it!

AirServer Philips TV Edition is a universal screen mirroring receiver which is intrinsically optimized for the Philips TV hardware. It supercharges your Philips TV with content sharing capabilities enabling your guests to project their own content and playlists, making them feel at home.

See AirServer in action

Take a tour of AirServer Universal for PC

Bring Your Own Device

Now also available on Xbox One, Surface Hub and Philips TV!

  • “AirServer is a Mac app that turns your computer into a receiver for AirPlay. We have seen this kind of thing before, but AirServer works better, and adds functionality.”
  • “Faculty and students also utilize AirServer which enables the display and sharing of iPad content in the classroom.”
  • “AirServer turns your Mac into a AirPlay receiver, letting you stream audio, photos, and even videos to your computer, right over the air.”
  • “AirServer is clearly a more complete solution for all kinds of AirPlay streams with dedicated features for audio, video, and Mirroring.”
  • “Great for demoing iOS apps, and a more professional feature set than...”
  • “AirServer for Mac, one of our favourite AirPlay receivers, features long-awaited HD recording with post processing filters.”
  • “What could be better than sending Temple Run or Angry Birds in Space to a large screen, competing side by side with a friend?”
  • “AirServer app clearly blows away all the competition.”
  • “With AirServer you can take advantage of the better audio and visuals of your Mac by using the app to transform it into a Apple TV type of device that can be used to stream audio and video.”
  • “AirServer is so easy to use, we wonder why Apple didn’t implement it themselves.”
  • “With AirServer running, you’ll see your Mac show up in your iPad’s AirPlay menu, and you can just select it to play back video, movies or games on the big screen. It even supports mirroring so you can use it with apps that don;t yet support AirPlay properly.”