HTTP in Wireshark
HTTP traffic shows up as light green in Wireshark and can be filtered using http. However, since HTTP runs over TCP and the http filter only shows packets that Wireshark has dissected as HTTP, it can miss many of the packets associated with the session because they are plain TCP packets (SYN, ACK and so on). Wireshark reassembles all of the actual data packets containing a particular webpage and displays the result within the packet labeled as the HTTP response.
The image above shows the structure of an HTTP request in Wireshark. This includes the requested URL and a variety of different HTTP headers, including the host, user-agent and several others. These headers are under the control of the user and are intended for use by the server, so they can be modified by an attacker who controls both ends of the connection, making them ideal for passing data during an attack.
The image above shows the structure of an HTTP response in Wireshark. It is very similar to that of an HTTP request, except that it substitutes an HTTP response message for the URL and uses a different collection of headers. The actual data being carried by the HTTP protocol (the requested web page) is encapsulated within the data section of the HTTP packet.
HTTP analysis for incident response
Since HTTP is used for requesting and serving webpages, it is the most common type of traffic present on most networks and is not blocked at the network perimeter. As a result, it can be abused in a variety of different ways by an attacker.
Malicious/phishing pages
Since HTTP is the backbone of the web, any type of malicious website uses HTTP for delivery. This includes phishing pages, websites containing drive-by downloads and so on. Since HTTP is designed as a plaintext protocol, it is straightforward to scan web pages for malicious content before they reach the user if they are using HTTP or the organization uses a web proxy or other solution for HTTPS decryption. This functionality is built into intrusion detection and prevention systems, but analysis of malicious content in Wireshark can be useful for extracting signatures or indicators of compromise (IoCs) for identifying and preventing future attacks.
Web application attacks
HTTP traffic is also used for attacking legitimate webpages. If an attacker is attempting to perform an SQL injection attack against a website, the traffic will be carried in HTTP requests and responses. Examining malicious traffic in Wireshark can help to understand how a particular attack works and the potential impacts of the attack.
Credential stuffing
Many people use weak or common passwords for online accounts, and an estimated 10% use one of the 25 most common passwords. If an attacker can run through a list of common passwords on a set of several accounts, there is a high probability that at least one account will use an easily-guessable password. HTTP can be used for credential stuffing on a wide variety of different types of pages. An organization may have restricted access webpages for internal use, a login portal for user accounts for their service or use web-based email like O365 or Gmail. An attacker can use these publicly-accessible web pages to test lists of potential passwords for user accounts, so organizations should monitor for failed authentication attempts, including those that only try a few different passwords on a number of different accounts.
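An added example (not part of the original article) of the monitoring suggested above: it classifies login sources from constructed records of the kind one would export from a Wireshark capture of POST requests to a login page (source IP, account, HTTP status of the response), separating the low-and-slow pattern (a few guesses against many accounts) from repeated guessing of a single account. The thresholds and records are assumptions.

```python
from collections import defaultdict

# Constructed login records, not taken from a real capture. Each line mimics
# fields one would pull from Wireshark/tshark for a POST to a login page:
# <source ip> <account> <HTTP status of the matching response>
LOGIN_RECORDS = """\
203.0.113.5 alice 401
203.0.113.5 bob 401
203.0.113.5 carol 401
203.0.113.5 dave 401
203.0.113.5 erin 401
203.0.113.5 frank 401
198.51.100.7 alice 401
198.51.100.7 alice 401
198.51.100.7 alice 401
198.51.100.7 alice 401
198.51.100.7 alice 401
198.51.100.7 alice 401
192.0.2.9 grace 401
192.0.2.9 grace 200
"""

def classify_sources(records, spray_accounts=5, brute_attempts=6):
    """Return {source_ip: label} for sources with suspicious failed logins.

    'spray' : failures spread across >= spray_accounts distinct accounts
              (a few guesses each, the pattern the text says to watch for)
    'brute' : >= brute_attempts failures against one account
    Sources below both thresholds (normal typos) are omitted.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> count
    for line in records.splitlines():
        if not line.strip():
            continue
        src, account, status = line.split()
        if status != "200":  # any non-success response counts as a failure
            failures[src][account] += 1
    verdicts = {}
    for src, per_account in failures.items():
        if len(per_account) >= spray_accounts:
            verdicts[src] = "spray"
        elif max(per_account.values()) >= brute_attempts:
            verdicts[src] = "brute"
    return verdicts
```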
Data exfiltration
The structure of the HTTP packet makes it ideal for malicious use. In addition to the data field, HTTP packets contain a number of different fields that can be modified by the user or the server with no impact on the usability of the service. These include things like the URL and HTTP headers. Since HTTP requests and responses are often allowed through network firewalls, this flexibility makes HTTP extremely useful for data exfiltration. Malware inside a target’s network could request a legitimate webpage on an attacker-controlled server and include exfiltrated data in the HTTP headers. Alternatively, the URL of the webpage could be used to carry the stolen data. When looking for data exfiltration using HTTP, it is important to look for abnormalities in the use of that type of traffic. An attacker can exfiltrate a great deal of sensitive information in a single packet using URLs or HTTP headers, but such a packet is easier to detect. Alternatively, many packets can be used to exfiltrate very small amounts of data (for example, using a few different versions of an HTTP user agent to represent different binary values), but this could dramatically change the volume and composition of traffic leaving a target machine. Looking for deviations in header values and traffic composition can help with detection of data exfiltration via HTTP.
Malware command-and-control
Since HTTP can be used for exfiltrating data, it is logical that it can also be used in both directions. Many different variants of malware use the HTTP protocol for implementing command-and-control protocols, since it is a common type of traffic that is allowed through network firewalls.
The detectability of C2 over HTTP depends on the sophistication of the malware. For example, the image above shows a summary of some HTTP GET requests from the Seaduke malware. The malware blatantly uses HTTP cookies for command-and-control. However, other malware variants could be more subtle about their use of HTTP for C2. Identifying these communications may require correlating odd HTTP traffic with suspicious activity on a host.
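An added example (not part of the original article, nor of any Seaduke analysis) covering the two detection ideas above: deviations in header values used for exfiltration and odd cookies used for C2. It scans constructed request fields laid out like a tshark export and flags hosts that cycle through many User-Agent strings or send long, random-looking cookies. The field columns, thresholds and sample values are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of HTTP request fields, not from a real capture. The
# tab-separated columns mimic an export such as
#   tshark -r capture.pcap -Y http.request -T fields -E separator=/t \
#     -e ip.src -e http.host -e http.request.uri -e http.user_agent -e http.cookie
# ("capture.pcap" is a placeholder file name.)
REQUESTS = """\
10.0.0.12\twww.example.com\t/index.html\tMozilla/5.0\tsession=abc123
10.0.0.12\twww.example.com\t/news\tMozilla/5.0\tsession=abc123
10.0.0.12\tcdn.example.com\t/img/logo.png\tMozilla/5.0\t
10.0.0.40\tupdates.example.net\t/check\tMozilla/5.0\tid=Kf9xZq2LmW8vT3bR1pYs7uHn4cEo6gDa0jQtVi5NwXyBkFhU
10.0.0.40\tupdates.example.net\t/check\tMozilla/4.0\tid=Kf9xZq2LmW8vT3bR1pYs7uHn4cEo6gDa0jQtVi5NwXyBkFhU
10.0.0.40\tupdates.example.net\t/check\tMozilla/3.0\tid=Kf9xZq2LmW8vT3bR1pYs7uHn4cEo6gDa0jQtVi5NwXyBkFhU
10.0.0.40\tupdates.example.net\t/check\tMozilla/5.1\tid=Kf9xZq2LmW8vT3bR1pYs7uHn4cEo6gDa0jQtVi5NwXyBkFhU
"""

def shannon_entropy(s):
    """Bits per character; random-looking tokens score well above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def analyze(requests, ua_limit=3, cookie_len=32, cookie_entropy=4.5):
    """Return a sorted list of (source ip, finding) pairs.

    'ua-churn'      : a host presented >= ua_limit distinct User-Agent strings
                      (the few-bits-per-request channel described in the text)
    'opaque-cookie' : a cookie at least cookie_len chars long whose entropy is
                      >= cookie_entropy bits/char (a random-looking blob)
    """
    agents = defaultdict(set)  # source ip -> set of User-Agent strings
    findings = set()
    for line in requests.splitlines():
        src, host, uri, ua, cookie = line.split("\t")
        agents[src].add(ua)
        if len(cookie) >= cookie_len and shannon_entropy(cookie) >= cookie_entropy:
            findings.add((src, "opaque-cookie"))
    for src, seen in agents.items():
        if len(seen) >= ua_limit:
            findings.add((src, "ua-churn"))
    return sorted(findings)
```

A real deployment would baseline these per host over time rather than using fixed thresholds, since legitimate session cookies can also be long and random.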
Multi-stage malware
One of the purposes of HTTP is to fetch files from web servers. Some malware takes advantage of this functionality to download second-stage malware once an initial infection of a machine is completed. The use of HTTP by multi-stage infections can be detected in a few different ways. Inspection of HTTP traffic may detect the actual download of the second-stage malware. Alternatively, monitoring DNS and HTTP requests may indicate C2 traffic to multiple unusual domains. This can indicate the presence of multiple malware samples on a system, and correlation of traffic timestamps can help detect the malware download, allowing it to be extracted for analysis.
Monitoring HTTP in Wireshark
HTTP is a popular protocol for malware authors since it is commonly allowed through firewalls and has numerous places to store command-and-control data. When monitoring HTTP traffic in Wireshark, it’s a good idea to monitor high-level connection statistics for anomalies as well as more detailed analysis like tracking user-agents and looking for encoded data.
Sources
Hyper Text Transfer Protocol (HTTP), Wireshark
The most popular passwords of 2018 revealed: Are yours on the list?, WeLiveSecurity
seaduke.exe, Hybrid Analysis