Sign up to save your podcasts
Or
Share Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 6 - Network Traffic Analysis for Incident Response | Episode 5: Scanning, Covert Data Exfiltration, DDoS Attacks and IoT Exploitation
In this lesson, you’ll learn about: Network Threat Analysis — understanding how common attacks and advanced malware appear in real traffic captures, and how to extract intelligence from them. Part 1 — Analysis of Common Network Threats 1. Network Scanning Techniques Attackers scan networks to discover targets, services, and vulnerabilities. Demonstrations cover several scanning styles: SYN / Half-Open Scan
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Sends SYN packets without completing the handshake.
- Target responses reveal open vs. closed ports.
- Completes the full TCP three-way handshake.
- More noticeable but highly accurate.
- Uses abnormal TCP flags: FIN + PUSH + URG.
- Leveraged to probe how systems respond to malformed packets.
- Uses an unwitting third-party host (“zombie”) to hide attacker identity.
- Tracks incremental IP ID numbers to infer open ports.
- Worms scan many IPs for a single vulnerable port, such as SMB 445.
- High-volume, repetitive traffic is a key signature.
- Data leaked one byte at a time inside SMB packets.
- Requires:
- Reviewing thousands of similar packets,
- Extracting embedded data,
- Base64 decoding,
- Reversing the result,
- Revealing hidden Morse code.
- Attackers embed data into ICMP type fields, reconstructing files (e.g., a GIF).
- Difficult to detect because ICMP is normally used for diagnostics, not data transfer.
- Floods a port (like HTTP 80) with incomplete handshakes.
- Exhausts server connection capacity.
- Sends massive amounts of GET/POST requests.
- Harder to distinguish from normal traffic.
- Small spoofed request → massive response to victim.
- Examples:
- Cargen protocol: 1-byte request → 748-byte response.
- Memcache: tiny request → multi-megabyte responses from cached data.
- Many IoT devices use default credentials and insecure services like Telnet.
- Attack flow typically involves:
- Logging in via Telnet.
- Attempting to download malware (e.g., Mirai ELF binary).
- When automated delivery (TFTP) fails → manually reconstructing binaries using echo.
- Device joins a botnet and starts scanning other victims.
- Traffic begins with system information reporting from the infected host.
- Followed by persistent command-and-control (C2) communication.
- Malware runs directly in memory, leaving minimal filesystem artifacts.
- Often, network traffic is the only complete copy of the payload available.
- Automate scanning and propagation.
- Look for specific open ports, then exploit and install themselves.
- Downloader retrieves multiple malware families.
- Identifying each stage helps determine full attack scope and remediation steps.
- Network traffic often reveals multiple URLs, payloads, or C2 servers involved.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about: Network Threat Analysis — understanding how common attacks and advanced malware appear in real traffic captures, and how to extract intelligence from them. Part 1 — Analysis of Common Network Threats 1. Network Scanning Techniques Attackers scan networks to discover targets, services, and vulnerabilities. Demonstrations cover several scanning styles: SYN / Half-Open Scan
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- Sends SYN packets without completing the handshake.
- Target responses reveal open vs. closed ports.
- Completes the full TCP three-way handshake.
- More noticeable but highly accurate.
- Uses abnormal TCP flags: FIN + PUSH + URG.
- Leveraged to probe how systems respond to malformed packets.
- Uses an unwitting third-party host (“zombie”) to hide attacker identity.
- Tracks incremental IP ID numbers to infer open ports.
- Worms scan many IPs for a single vulnerable port, such as SMB 445.
- High-volume, repetitive traffic is a key signature.
- Data leaked one byte at a time inside SMB packets.
- Requires:
- Reviewing thousands of similar packets,
- Extracting embedded data,
- Base64 decoding,
- Reversing the result,
- Revealing hidden Morse code.
- Attackers embed data into ICMP type fields, reconstructing files (e.g., a GIF).
- Difficult to detect because ICMP is normally used for diagnostics, not data transfer.
- Floods a port (like HTTP 80) with incomplete handshakes.
- Exhausts server connection capacity.
- Sends massive amounts of GET/POST requests.
- Harder to distinguish from normal traffic.
- Small spoofed request → massive response to victim.
- Examples:
- Cargen protocol: 1-byte request → 748-byte response.
- Memcache: tiny request → multi-megabyte responses from cached data.
- Many IoT devices use default credentials and insecure services like Telnet.
- Attack flow typically involves:
- Logging in via Telnet.
- Attempting to download malware (e.g., Mirai ELF binary).
- When automated delivery (TFTP) fails → manually reconstructing binaries using echo.
- Device joins a botnet and starts scanning other victims.
- Traffic begins with system information reporting from the infected host.
- Followed by persistent command-and-control (C2) communication.
- Malware runs directly in memory, leaving minimal filesystem artifacts.
- Often, network traffic is the only complete copy of the payload available.
- Automate scanning and propagation.
- Look for specific open ports, then exploit and install themselves.
- Downloader retrieves multiple malware families.
- Identifying each stage helps determine full attack scope and remediation steps.
- Network traffic often reveals multiple URLs, payloads, or C2 servers involved.
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy