Analyzing PCAP with Zeek - HTB Sherlocks - KnockKnock

Published: 10 December 2023
on channel: IppSec
10,420 views
290 likes

00:00 - Going over the Scenario
01:30 - Talking about why I'm using Zeek and running it in Docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grep (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made, discovering our attacker doing a port scan, and using date -d @epoch to convert to human-readable time
42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download
53:15 - Looking at the files downloaded over FTP
1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 - Finding when the port knock happened
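A worked example, added here and not taken from IppSec's video or from the Zeek project, of the conn.log workflow the chapters above walk through: a script-safe zeek-grep that keeps the '#' header lines, a small awk stand-in for zeek-cut, per-source connection counting to spot the port scan, and conversion of Zeek's epoch 'ts' field to wall-clock time. It assumes a POSIX shell with awk, grep, sort and a date binary that accepts either GNU `-d @epoch` (the form used in the video) or BSD `-r`; the conn.log rows are constructed sample data, not from the KnockKnock PCAP.

```shell
#!/bin/sh
# Added example, not code from IppSec's video or from the Zeek project.
# Portable stand-ins for the conn.log workflow above:
#   zeek_grep          keeps '#' header lines so the output still parses
#   zeek_cut           awk re-implementation of zeek-cut's column selection
#   conns_per_origin   connections per source, busiest first (port scan)
#   epoch_to_human     Zeek 'ts' (epoch seconds) -> UTC wall-clock time
# The conn.log below is CONSTRUCTED sample data in Zeek's TSV format;
# every address, port, uid and timestamp is made up.

sample_conn_log() {
    printf '%b\n' \
      '#separator \\x09' \
      '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state' \
      '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring' \
      '1693526400.000000\tC1\t203.0.113.5\t40001\t192.0.2.10\t21\ttcp\tftp\tSF' \
      '1693526400.100000\tC2\t203.0.113.5\t40002\t192.0.2.10\t22\ttcp\tssh\tSF' \
      '1693526400.200000\tC3\t203.0.113.5\t40003\t192.0.2.10\t80\ttcp\thttp\tSF' \
      '1693526400.300000\tC4\t203.0.113.5\t40004\t192.0.2.10\t443\ttcp\t-\tS0' \
      '1693526400.400000\tC5\t203.0.113.5\t40005\t192.0.2.10\t8080\ttcp\t-\tS0' \
      '1693526400.500000\tC6\t203.0.113.5\t40006\t192.0.2.10\t3306\ttcp\t-\tS0' \
      '1693526401.000000\tC7\t203.0.113.5\t40007\t192.0.2.10\t22\ttcp\tssh\tSF' \
      '1693526500.000000\tC8\t192.0.2.20\t51000\t192.0.2.10\t80\ttcp\thttp\tSF' \
      '1693526600.000000\tC9\t192.0.2.20\t51001\t198.51.100.7\t53\tudp\tdns\tSF' \
      '#close\t2023-09-01-00-10-00'
}

# Script-safe version of the video's alias (aliases are not expanded in
# non-interactive shells). Every '#' line survives, so the filtered log
# still carries its #fields header and can be piped into zeek_cut.
zeek_grep() {
    grep -e '^#' -e "$@"
}

# Minimal zeek-cut: print the named columns, resolving names via #fields.
# Header and #close lines are dropped, exactly like the real tool.
zeek_cut() {
    awk -F'\t' -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/ { next }
        {
            out = ""
            for (k = 1; k <= n; k++) {
                if (!(w[k] in idx)) { print "zeek_cut: unknown field " w[k] > "/dev/stderr"; exit 1 }
                out = out (k > 1 ? "\t" : "") $(idx[w[k]])
            }
            print out
        }'
}

# Connections per originating host, busiest first (the 36:15 chapter).
conns_per_origin() {
    zeek_cut id.orig_h | sort | uniq -c | sort -rn
}

# Address of the busiest originator only.
top_talker() {
    conns_per_origin | head -n 1 | awk '{ print $2 }'
}

# Distinct destination ports one originator touched, ascending. One source
# reaching many ports in a short window is the port-scan signature.
distinct_resp_ports() {
    zeek_cut id.orig_h id.resp_p | awk -F'\t' -v ip="$1" '$1 == ip { print $2 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Earliest Zeek timestamp (epoch seconds) seen for an originator.
first_seen_epoch() {
    zeek_cut ts id.orig_h | awk -F'\t' -v ip="$1" '$2 == ip { print $1 }' | sort -n | head -n 1
}

# Zeek ts -> UTC wall-clock. GNU date takes "@epoch" as in the video; the
# BSD -r form and awk strftime are host-portability fallbacks (assumed).
epoch_to_human() {
    secs=${1%%.*}   # drop Zeek's microsecond fraction
    date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
        || date -u -r "$secs" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
        || awk -v t="$secs" 'BEGIN { print strftime("%Y-%m-%d %H:%M:%S", t, 1) }'
}

first_seen() {
    epoch_to_human "$(first_seen_epoch "$1")"
}

# Demo run over the constructed log.
echo "Connections per originator:"
sample_conn_log | conns_per_origin
attacker=$(sample_conn_log | top_talker)
echo "Busiest source: $attacker, ports: $(sample_conn_log | distinct_resp_ports "$attacker")"
echo "First seen: $(sample_conn_log | first_seen "$attacker") UTC"
echo "Rows mentioning 3306 with header kept, then cut:"
sample_conn_log | zeek_grep 3306 | zeek_cut ts id.resp_h id.resp_p
```

Against a real Zeek output directory you would replace `sample_conn_log` with `cat conn.log`; the functions read stdin, so `cat conn.log | zeek_grep 203.0.113.5 | zeek_cut ts id.resp_p conn_state` mirrors the alias-plus-zeek-cut pattern from the video.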
