Jasper Bongertz is a Senior Technical Consultant at Airbus Defence and Space CyberSecurity. He focuses on IT security, incident response and network forensics.
During the IPv6 summit at Troopers16 he gave a talk on anonymizing IPv6 in PCAPs and presented his new tool.
Sometimes you need to share your packet capture files (PCAPs), but distributing them carries the risk of exposing confidential information. To avoid this, you must sanitize your PCAPs. The goal of sanitization is to remove the critical details while keeping enough information for the PCAP to still be useful. How much of the original you keep depends on your goals.
PCAP sanitization is similar to editing packets for packet replay. The sensitive details that should be removed include:
- user credentials
- network topology details such as IP addresses
- device and software information
- vulnerable protocols
According to Jasper, the goal of sanitization is analysis, and what that requires differs between network analysts and security analysts. Network analysts often need to keep packet content up to the TCP layer: they look at packet loss and timings, and sometimes need higher-layer details. Security researchers may not care about the TCP/UDP/Ethernet/ARP headers, but they need the malware/exploit delivery process kept intact; they are interested in URLs, binary payloads, etc.
Sanitization is very often a two-step process: first you run tools for automatic replacement, and then for the very specific details you have to resort to manual editing. Jasper recommends some tools for manual editing: 010 Editor, Wireshark Edit (available in the GTK version) and WireEdit.
There are some challenges in this process; the general ones are:
- keeping the balance between removing sensitive details and keeping the packets useful
- editing many packets rather than a single one (by hand…)
- protocol complexity
- protocol dependencies
- defensive transformation (the mechanism used to prevent accidental exposure of critical information).
So how do you sanitize correctly? You should parse/dissect all packet layers from layer 2 up, sanitize the extracted values, and then rebuild the packet layer by layer from the top down, using only the sanitized values.
Here IPv6 has some advantages: for example, the replacement prefix you use when rebuilding the PCAP matches the original prefix, while in IPv4 PCAPs you can run into problems with subnets.
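As an added illustration of that dissect, sanitize, rebuild cycle (example code written for this post, not TraceWrangler's or any other tool's code), a minimal Python script for a single Ethernet/IPv6/UDP frame: it swaps the original /64 for the documentation prefix 2001:db8::/64 (an assumed choice), replaces the vendor OUI in the MAC addresses, and rebuilds from the top down, recomputing the UDP checksum because it covers the IPv6 addresses, which is one of the protocol dependencies mentioned above. The sample frame is constructed.

```python
import ipaddress
import struct

REPLACEMENT_PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # assumption: documentation prefix stands in for the original /64

def checksum(data: bytes) -> int:
    """One's-complement sum (RFC 1071) as used by the UDP checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect(frame: bytes) -> dict:
    """Layer 2 up: split the frame into Ethernet, IPv6 and UDP fields plus payload."""
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    ver_tc_fl, _plen, nh, hlim = struct.unpack("!IHBB", frame[14:22])
    if etype != 0x86DD or nh != 17:
        raise ValueError("this example handles only Ethernet/IPv6/UDP frames")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[54:62])
    return {"eth": (eth_dst, eth_src, etype), "ip6": (ver_tc_fl, hlim, frame[22:38], frame[38:54]),
            "udp": (sport, dport), "payload": frame[62:54 + ulen]}

def sanitize_ip6(addr: bytes) -> bytes:
    """Replace the /64 prefix; keep the interface identifier so hosts stay distinguishable."""
    return REPLACEMENT_PREFIX.network_address.packed[:8] + addr[8:]

def sanitize_mac(mac: bytes) -> bytes:
    """Constructed locally administered OUI in place of the vendor OUI; keep the NIC bytes."""
    return b"\x02\x00\x00" + mac[3:]

def rebuild(p: dict) -> bytes:
    """Top down: payload, UDP, IPv6, Ethernet, from sanitized values only (UDP checksum recomputed)."""
    ver_tc_fl, hlim, ip_src, ip_dst = p["ip6"]
    src, dst = sanitize_ip6(ip_src), sanitize_ip6(ip_dst)
    udp = struct.pack("!HHHH", *p["udp"], 8 + len(p["payload"]), 0) + p["payload"]
    pseudo = src + dst + struct.pack("!I3xB", len(udp), 17)  # checksum covers the new addresses
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip6 = struct.pack("!IHBB", ver_tc_fl, len(udp), 17, hlim) + src + dst
    eth_dst, eth_src, etype = p["eth"]
    return struct.pack("!6s6sH", sanitize_mac(eth_dst), sanitize_mac(eth_src), etype) + ip6 + udp

def sanitize_frame(frame: bytes) -> bytes:
    return rebuild(dissect(frame))

# Constructed sample: fe80::1 -> fe80::2, UDP 5353 -> 5353, payload "hello", checksum left 0.
SAMPLE = (struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x86DD)
          + struct.pack("!IHBB", 0x60000000, 13, 17, 64)
          + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("fe80::2").packed
          + struct.pack("!HHHH", 5353, 5353, 13, 0) + b"hello")
```

The payload is passed through unchanged here; in real work it gets the same dissect-and-replace treatment at every higher layer.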
For batch editing Jasper mentioned tools such as bittwiste, tcprewrite, pktanon and pcaplib, and then presented his own tool, TraceWrangler.
To see the tool demonstrated, check the talk recording, available now on our Troopers channel.
Sanitize your PCAPs correctly and stay safe!