Identifying Hosts: DHCP, NetBIOS and Kerberos

When investigating a compromise or malware infection activity, a security analyst should know how to identify the hosts on the network apart from IP to MAC address match. One of the best methods is identifying the hosts and users on the network to decide the investigation's starting point and list the hosts and users associated with the malicious traffic/activity. Protocols that can be used in Host and User identification:

DHCP Analysis

DHCP protocol, or Dynamic Host Configuration Protocol (DHCP), is the technology responsible for managing automatic IP address and required communication parameters assignment.

  • Global search: dhcp or bootp
  • Filtering the proper DHCP packet options is vital to finding an event of interest.
    • DHCP Request packets contain the hostname information dhcp.option.dhcp == 3
    • DHCP ACK packets represent the accepted requests dhcp.option.dhcp == 5
    • DHCP NAK packets represent denied requests dhcp.option.dhcp == 6
  • Note: Due to the nature of the protocol, only "Option 53" ( request type) has predefined static values. You should filter the packet type first, and then you can filter the rest of the options by "applying as column" or use the advanced filters like "contains" and "matches".
  • DHCP Request options for grabbing the low-hanging fruits: dhcp.option.hostname contains "keyword"
    • Option 12:Hostname.
    • Option 50:Requested IP address.
    • Option 51:Requested IP lease time.
    • Option 61:Client's MAC address.
  • DHCP ACK options for grabbing the low-hanging fruits: dhcp.option.domain_name contains "keyword"
    • Option 15:Domain name.
    • Option 51:Assigned IP lease time.
  • DHCP NAK options for grabbing the low-hanging fruits: As the message could be unique according to the case/situation, It is suggested to read the message instead of filtering it. Thus, the analyst could create a more reliable hypothesis/result by understanding the event circumstances.
    • Option 56:Message (rejection details/reason)

NetBIOS (NBNS) Analysis

NetBIOS or Network Basic Input/Output System is the technology responsible for allowing applications on different hosts to communicate with each other.

  • Global search : nbns
  • NBNS options for grabbing the low-hanging fruits: nbns.name contains "keyword"
  • Queries:Query details. (Query details could contain "name, Time to live (TTL) and IP address details")

Kerberos Analysis

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating service requests between two or more computers over the untrusted network. The ultimate aim is to prove identity securely.

  • Global search: kerberos
  • User account search:
    • kerberos.CNameString contains "keyword"
    • kerberos.CNameString and !(kerberos.CNameString contains "$" )
  • Note: Some packets could provide hostname information in this field. To avoid this confusion, filter the "$"value. The values end with"$"are hostnames, and the ones without it are user names.
  • Kerberos options for grabbing the low-hanging fruits:
    • kerberos.pvno == 5
    • kerberos.realm contains ".org"
    • kerberos.SNameString == "krbtg"
  • pvno:Protocol version.
  • realm:Domain name for the generated ticket.
  • sname:Service and domain name for the generated ticket.
  • addresses:Client IP address and NetBIOS name.
  • Note: the "addresses" information is only available in request packets.
  • Registration requests: nbns.flags.opcode == 5