
Getting Started with FORENSICS - Packet analysis tools :: Wireshark, NetworkMiner

2020. 9. 17. 21:51

1. Wireshark

 

: An open-source packet analysis program.

(Download it here -> www.wireshark.org/download.html)

 

(Note) When it was first released the program was called Ethereal. It was renamed Wireshark in 2006 for trademark reasons: the original developer changed employers and the Ethereal name stayed with the old company. The story that it was renamed because "a shark catches packets" is folk etymology.

 

pcap ๋„คํŠธ์›Œํฌ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ์ด์šฉํ•˜์—ฌ ํŒจํ‚ท์„ ์žก์•„๋‚ธ๋‹ค.

๋ฌด์ฐจ๋ณ„ ๋ชจ๋“œ(promiscuous mode) ๋ฅผ ์ง€์›ํ•˜์—ฌ ๋ธŒ๋กœ๋“œ์บ์ŠคํŠธ๋‚˜ ๋ฉ€ํ‹ฐ์บ์ŠคํŠธ ํŠธ๋ž˜ํ”ฝ๋„ ์–ป์„ ์ˆ˜ ์žˆ๋‹ค.(100%๋Š” ์•„๋‹˜)

 

 

1.1 How to use Wireshark

 

When you run Wireshark, the welcome screen appears (screenshot omitted here). It lists the available network interfaces, each with a small sparkline of current traffic.

Click the interface you want and packet capture starts. (On Linux, capturing needs the privileges set up for dumpcap, usually membership in the wireshark group; otherwise the interface list is empty.)

 

 

์ƒ๋‹จ ๋ฉ”๋‰ด

File ์บก์ฒ˜ ๋ฐ์ดํ„ฐ๋ฅผ ์—ด๊ฑฐ๋‚˜ ์ €์žฅ
Edit ํŒจํ‚ท ์ฐพ๊ฑฐ๋‚˜ ํ‘œ์‹œ, ํ”„๋กœ๊ทธ๋žจ ์†์„ฑ ์„ค์ •
View wireshark ์„ค์ •
Go ์บก์ฒ˜๋œ ๋ฐ์ดํ„ฐ๋ฅผ ํŠน์ • ์œ„์น˜๋กœ ์ด๋™
Capture ์บก์ฒ˜ ํ•„ํ„ฐ ์˜ต์…˜์„ ์„ค์ •ํ•˜๊ณ  ์บก์ฒ˜ ์‹œ์ž‘
Analyze ๋ถ„์„ ์˜ต์…˜ ์„ค์ •
Statistics wireshark ํ†ต๊ณ„ ๋ฐ์ดํ„ฐ ํ™•์ธ
Help ๋„์›€๋ง ๋ณด๊ธฐ

 

ํŒจํ‚ท์ด ์บก์ฒ˜๋˜๋ฉด ์ € ์ฐฝ์—์„œ ํŒจํ‚ท์— ๋Œ€ํ•œ ์ •๋ณด๋“ค์„ ๋ณผ ์ˆ˜ ์žˆ๋Š”๋ฐ, ๊ฐ๊ฐ์ด ๋ฌด์—‡์„ ์˜๋ฏธํ•˜๋Š” ์ง€ ์•Œ์•„๋ณด์ž.

 

No. ํŒจํ‚ท์ด ์ˆ˜์ง‘๋œ ์ˆœ์„œ
Time ํŒจํ‚ท์ด ์ˆ˜์ง‘๋œ ์‹œ๊ฐ„
Source ์ถœ๋ฐœ์ง€ ์ฃผ์†Œ
Destination ๋„์ฐฉ์ง€ ์ฃผ์†Œ
Protocol ํ”„๋กœํ† ์ฝœ type
Length ํŒจํ‚ท ๊ธธ์ด
Info ํŒจํ‚ท ์ •๋ณด

 

์ด๋ ‡๊ฒŒ ํŒจํ‚ท์˜ ์ •๋ณด๋ฅผ ํ•˜๋‚˜ํ•˜๋‚˜ ํ™•์ธํ•  ์ˆ˜๋„ ์žˆ์ง€๋งŒ, ํŒจํ‚ท ํ•„ํ„ฐ๋ง ๊ธฐ๋Šฅ์œผ๋กœ ํ•„์š”ํ•œ ํŒจํ‚ท๋“ค๋งŒ ๋ชจ์•„์„œ ๋ณผ ์ˆ˜ ์žˆ๋‹ค.

 

ํŒจํ‚ท ํ•„ํ„ฐ๋ง์—๋Š” ๋‹ค์Œ์˜ ๋‘ ๊ฐ€์ง€ ๋ฐฉ๋ฒ•์ด ์กด์žฌํ•œ๋‹ค.

 

โ‘  ์บก์ฒ˜ ํ•„ํ„ฐ: ์ฒ˜์Œ๋ถ€ํ„ฐ ์›ํ•˜๋Š” ํŒจํ‚ท๋งŒ ํ•„ํ„ฐ๋งํ•ด์„œ ์บก์ฒ˜ (์„ฑ๋Šฅ์— ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ์Œ)

์ƒ๋‹จ ๋ฉ”๋‰ด Capture -> Capture Filters ... ์—์„œ ์„ค์ • ๊ฐ€๋Šฅ

โ‘ก ๋””์Šคํ”Œ๋ ˆ์ด ํ•„ํ„ฐ: ๋ชจ๋“  ํŒจํ‚ท์„ ์บก์ฒ˜ํ•œ ํ›„, ํ™”๋ฉด์—์„œ ๋‚ด๊ฐ€ ๋ณผ ๊ฒƒ๋งŒ ํ•„ํ„ฐ๋ง (๊ถŒ์žฅ)

์ƒ๋‹จ ๋ฉ”๋‰ด Analyze -> Display Filters ์—์„œ ์„ค์ • ๊ฐ€๋Šฅ

 

 

Finally, let's look at a few of Wireshark's basic functions.

- File-Save: save the captured packets (Save As lets you choose pcapng or the older pcap format)

- File-Merge: merge several capture files so they can be viewed together

- File-Export: export packets (Export Specified Packets writes only the selected or displayed packets; Export Objects pulls transferred files out of HTTP, SMB, TFTP and other sessions)

- Edit-Find Packet: find a packet by display filter, hex value, string or regular expression

- Edit-Mark/Unmark Packet: mark packets for navigation and export (marks live only in the current session and are not written to the file)

- Edit-Ignore/Unignore Packet: an ignored packet is treated as if it were not there, hidden from the list, dissection and statistics, until you unignore it; nothing is removed from the capture file

- Edit-Preferences: program settings (columns, fonts, protocol options)

- View-Colorize Packet List: colour packets according to the coloring rules

- Go-Go to Packet: jump to a packet by its number

- Capture-Options: choose interfaces, set a capture filter, output file and stop conditions

- Analyze-Follow: reassemble one conversation (TCP, UDP, TLS or HTTP stream) and show only the packets belonging to it, with the payload displayed in order for each direction

- Statistics-Capture File Properties: details of the capture file as a whole (interfaces, time span, packet and byte counts, capture comments), not of the selected packet

- Telephony: VoIP analysis (calls, RTP streams)

- Wireless: 802.11 and Bluetooth analysis

- Tools-Firewall ACL Rules: generate firewall rules (iptables, Cisco IOS, Windows Firewall and others) from the addresses and ports of the selected packet

 

 

+ Shortcut keys

Ctrl + D : temporarily ignore the selected packet (it disappears from the view; it is not deleted from the file)

Ctrl + M : mark the selected packet

Ctrl + Alt + C : add a comment to the selected packet (comments are saved only when you write the file as pcapng)

 

 

2. NetworkMiner

 

A network forensic analysis tool, like Wireshark.

It is used as a passive network sniffer and packet capture tool to detect operating systems, sessions, hostnames, open ports and so on, without sending any traffic itself.

It presents consolidated information per host (addresses, OS guess, open ports, sessions, files, credentials), which is convenient for the analyst.

Whereas Wireshark shows a file that was transferred, split across many segments, as raw data, NetworkMiner reassembles it and shows which files were transferred, i.e. it does a degree of reconstruction. (Wireshark's File -> Export Objects covers some protocols, but NetworkMiner does this automatically for every session it sees.)

It is also used to extract and save media files streamed over the network from websites such as YouTube.

Protocols it can extract files from include FTP, TFTP, HTTP, SMB and others (mail attachments over SMTP, POP3 and IMAP among them).

 

Related post: https://aaasssddd25.tistory.com/58

 

 
