Advanced-Labs
Advanced Lab

Objective

Use Arkime (formerly Moloch) and Driftnet.io to analyze network traffic, extract JA4T fingerprints, and identify suspicious network activity. Utilize JA4DB for fingerprint lookup to gain insights into the observed traffic.

Tools Required

  • Arkime: An open-source large scale packet capture and search tool. We'll use demo.arkime.com.
  • Driftnet.io: An online network traffic analysis tool.
  • JA4DB: An online database of JA4T fingerprints.

Prerequisites

  • Completion of the Beginner Lab or equivalent experience.
  • Familiarity with web-based network analysis tools.
  • Internet access to use demo.arkime.com and driftnet.io.

Lab Steps

Step 1: Accessing Arkime Demo

  1. Visit Arkime Demo:

    • Open your web browser and navigate to demo.arkime.com.
    • You may need to register for an account or log in if required.

  2. Understanding Arkime Interface:

    • Familiarize yourself with the dashboard, including the Sessions, SPI View, and Connections sections.

Step 2: Searching for JA4T Fingerprints in Arkime

  1. Access Sessions:

    • Click on the Sessions tab to view captured network sessions.

  2. Apply a Filter for TCP SYN Packets:

    • In the search bar, enter the following filter to find TCP SYN packets:
tcpflags == syn && !tcpflags == ack
  • Click Search to apply the filter.

  1. View Session Details:

    • Click on a session from the list to view detailed information.

  2. Locate JA4T Fingerprints:

    • In the session details, look for fields related to TCP options, window size, and TTL.
    • Arkime may display the JA4T fingerprint directly or provide the necessary information to construct it.

Step 3: Analyzing Traffic with Arkime's SPI View

  1. Navigate to SPI View:

    • Click on the SPI View tab to see aggregated data.

  2. Group by JA4T Fingerprint:

    • In the Fields dropdown, select relevant fields such as TCP Options, Window Size, and TTL.
    • This will group sessions based on these attributes.

  3. Identify Common Fingerprints:

    • Observe the most common fingerprints and note any anomalies.

Step 4: Using Driftnet.io for Further Analysis

  1. Visit Driftnet.io:

    • Open a new browser tab and navigate to Driftnet.io.

  2. Upload a PCAP File (Optional):

    • If you have a PCAP file from previous captures, you can upload it for analysis.
    • Alternatively, explore the sample data provided by Driftnet.io.

  3. Analyze Network Traffic:

    • Driftnet.io will display images and data extracted from the network traffic.
    • Review the extracted content for any suspicious or unexpected items.

  4. Identify Suspicious Activity:

    • Look for unusual images or data that might indicate malicious activity.

Step 5: Cross-Referencing with JA4DB

  1. Extract JA4T Fingerprints:

    • From Arkime or Driftnet.io, collect the JA4T fingerprints identified.

  2. Access JA4DB:

    • Go to JA4DB in your web browser.

  3. Search for Fingerprints:

    • Enter each JA4T fingerprint into the search bar.
    • Review the results to determine if the fingerprints are associated with known clients or potential threats.

  4. Document Findings:

    • Note any fingerprints that are not found in JA4DB or are associated with malicious activity.

Step 6: Identifying Suspicious Network Activity

  1. Compare Fingerprints:

    • Look for fingerprints that deviate from common patterns observed in your analysis.

  2. Investigate Anomalies:

    • For fingerprints not found in JA4DB, consider them as potential unknown clients or threats.
    • Analyze the associated sessions in Arkime for further details such as source IP, destination IP, and payload data.

  3. Correlate with Driftnet.io Findings:

    • If Driftnet.io revealed any suspicious content, correlate it with the sessions and fingerprints identified in Arkime.

Step 7: Document and Report

  1. Create a Detailed Report:

    • Summarize the steps taken and tools used.
    • Present your findings, including any suspicious fingerprints and associated network activity.
    • Include screenshots where applicable.

  2. Security Implications:

    • Discuss the potential risks identified.
    • Recommend actions for monitoring or mitigating threats.

Expert Lab

Objective

Develop an advanced network analysis workflow that combines the use of Wireshark, Arkime, Driftnet.io, and JA4DB. Utilize a custom version of Terminal.js to emulate real-world scenarios, guiding the user through capturing traffic, identifying suspicious activity, and using the tools effectively.

Tools Required

  • Wireshark: For capturing network traffic.
  • Arkime: For large-scale packet capture and search (using demo.arkime.com).
  • Driftnet.io: For analyzing network traffic and extracting content.
  • JA4DB: For JA4T fingerprint lookup.

Prerequisites

  • Completion of the Intermediate Lab or equivalent experience.
  • Proficiency in JavaScript and familiarity with web development.
  • Understanding of network security concepts and tools.

Lab Steps

Step 1: Setting Up the Environment

  1. Install Required Tools:

    • Ensure Wireshark is installed and functioning.
    • Access to demo.arkime.com and Driftnet.io.

  2. Prepare Sample Network Traffic:

    • Use Wireshark to capture network traffic that includes both normal and suspicious activities.
    • Alternatively, obtain sample PCAP files that contain malicious traffic for analysis.

Step 2: Customizing Terminal.js for Emulation

  1. Create a New Project Directory:

    • Create a folder for your project, e.g., ja4t-expert-lab.

  2. Set Up a Basic HTML Page:

  • Create an index.html file in your project directory.
  • Include Terminal.js and any necessary CSS.
<!DOCTYPE html>
<html>
<head>
    <title>JA4T Expert Lab</title>
    <link rel="stylesheet" href="terminal.css">
    <style>
        body { background-color: black; }
    </style>
</head>
<body>
    <div id="terminal"></div>
    <script src="terminal.js"></script>
    <script src="app.js"></script>
</body>
</html>
  1. Initialize the Terminal in app.js:
const term = new Terminal({
selector: '#terminal',
prompt: 'user@ja4t-lab:~$ ',
history: true,
greetings: 'Welcome to the JA4T Expert Lab Emulation.\nType "help" to see available commands.'
});
 
term.onCommand(async function (command, terminal) {
// Handle commands here
});
  1. Define Commands and Workflow:
  • Implement commands to guide the user through the lab steps.
  • Example commands: capture, analyze, arkime, driftnet, ja4db, help.
  1. Sample Command Implementation:
term.onCommand(async function (command, terminal) {
switch (command.trim()) {
    case 'help':
        terminal.print('Available commands: capture, analyze, arkime, driftnet, ja4db, help, exit');
        break;
    case 'capture':
        terminal.print('Capturing network traffic using Wireshark...');
        // Simulate capturing traffic
        await simulateCapture();
        break;
    case 'analyze':
        terminal.print('Analyzing captured traffic for JA4T fingerprints...');
        await simulateAnalysis();
        break;
    case 'arkime':
        terminal.print('Accessing Arkime for detailed session analysis...');
        window.open('https://demo.arkime.com', '_blank');
        break;
    case 'driftnet':
        terminal.print('Using Driftnet.io for content extraction...');
        window.open('https://driftnet.io', '_blank');
        break;
    case 'ja4db':
        terminal.print('Searching JA4DB for fingerprint information...');
        window.open('https://ja4db.com', '_blank');
        break;
    case 'exit':
        terminal.print('Exiting the emulation. Goodbye!');
        terminal.disable();
        break;
    terminal.print('Exiting the emulation. Goodbye!');
    terminal.disable();
    break;
default:
    terminal.print(`Unknown command: ${command}`);
}
});

Simulate Actions

Implement functions like simulateCapture() and simulateAnalysis() to emulate the steps.

async function simulateCapture() {
await delay(2000); // Simulate delay
term.print('Network traffic captured and saved as "capture.pcap".');
}
 
async function simulateAnalysis() {
await delay(2000); // Simulate delay
term.print('JA4T fingerprints extracted:');
term.print(' - fS_o7a5b6_ws65535_ttl128_ip000');
term.print(' - fS_obc9d1_ws29200_ttl64_ip000');
term.print('You can now use "arkime", "driftnet", or "ja4db" to further analyze these fingerprints.');
}
 
function delay(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}

Enhance User Interaction

Provide prompts and guidance within the emulation to assist the user. Handle incorrect commands gracefully.

Step 3: Capturing and Analyzing Traffic with Wireshark

Capture Network Traffic

Open Wireshark and start capturing traffic as in the Beginner Lab. Aim to include both normal and suspicious network activities.

Save the Capture File

Save the captured traffic as capture.pcap for use in Arkime and Driftnet.io.

Step 4: Uploading and Analyzing Traffic in Arkime

Access Arkime Demo

Visit demo.arkime.com. Log in if necessary.

Upload the PCAP File

Note: The Arkime demo may not allow uploading files due to restrictions. If you have access to a local instance of Arkime, proceed to upload capture.pcap. Alternatively, use sample data provided in the Arkime demo.

Analyze Sessions

Apply filters to identify TCP SYN packets and extract JA4T fingerprints as before. Use the SPI View to group and identify anomalies.

Identify Suspicious Activity

Look for sessions with unusual JA4T fingerprints or unexpected source/destination IPs.

Step 5: Using Driftnet.io for Content Extraction

Upload the PCAP File to Driftnet.io

Visit Driftnet.io. Upload capture.pcap.

Review Extracted Content

Examine images and other content extracted from the network traffic. Identify any suspicious or unauthorized data transfers.

Correlate with Arkime Findings

Match suspicious content with sessions identified in Arkime.

Step 6: JA4DB Fingerprint Lookup

Collect JA4T Fingerprints

From your analysis in Arkime and Wireshark, compile a list of JA4T fingerprints.

Search in JA4DB

Go to JA4DB. Enter each fingerprint to find matching client profiles.

Interpret Results

Determine if fingerprints correspond to known clients or potential threats. Document fingerprints not found in JA4DB.

Step 7: Integrate Findings in the Emulation

Update Terminal.js Emulation

In simulateAnalysis(), include the actual fingerprints you obtained. Provide prompts to guide the user to use arkime, driftnet, and ja4db commands at appropriate times.

async function simulateAnalysis() {
await delay(2000);
term.print('JA4T fingerprints extracted:');
term.print(' - fS_o7a5b6_ws65535_ttl128_ip000 (Possible Windows client)');
term.print(' - fS_obc9d1_ws29200_ttl64_ip000 (Possible Linux client)');
term.print(' - fS_oxyz12_ws5840_ttl64_ip000 (Unknown - Potential Threat)');
term.print('Use "ja4db" to search for more information on these fingerprints.');
}

Enhance Interactivity

Allow users to input fingerprints directly in the terminal for lookup. Implement command parsing to handle ja4db <fingerprint>.

case command.startsWith('ja4db'):
const fingerprint = command.split(' ')[1];
if (fingerprint) {
terminal.print(`Searching JA4DB for ${fingerprint}...`);
window.open(`https://ja4db.com/search?q=${fingerprint}`, '_blank');
} else {
terminal.print('Usage: ja4db <fingerprint>');
}
break;

Step 8: Combining Tools for Comprehensive Analysis

Workflow Integration

Use the emulation to guide the user through a logical workflow:

  • Capture traffic with Wireshark.
  • Analyze sessions and fingerprints with Arkime.
  • Extract content with Driftnet.io.
  • Lookup fingerprints in JA4DB.

Emphasize the importance of each step in identifying suspicious activity.

Identify and Report Suspicious Activity

In the emulation, simulate discovering a suspicious JA4T fingerprint. Provide guidance on investigating the associated network session. Encourage the user to consider security implications and possible responses.

Step 9: Document and Reflect

Create a Comprehensive Report

Summarize the entire workflow and tools used. Include code snippets of your customized Terminal.js implementation. Provide screenshots of the emulation and analysis tools.

Discuss Security Strategies

Explain how integrating these tools enhances network security monitoring. Suggest best practices for detecting and responding to network threats.

Conclusion

By completing these labs, you have:

  • Learned how to capture and analyze network traffic using Wireshark.
  • Utilized Arkime and Driftnet.io to identify and investigate network sessions.
  • Applied JA4T fingerprinting to identify client behaviors and potential threats.
  • Used JA4DB to lookup fingerprints and gain insights.
  • Developed a custom Terminal.js emulation to simulate real-world network analysis workflows.
  • Integrated multiple tools to create a comprehensive network security monitoring strategy.

Additional Resources

JA4TScanAdvanced Labs Overview