Class Details

Packet Capture Analysis Level 3

Price: $1,950

Training promotions may be available, contact a training consultant at 240-667-7507 for more information!

This course continues with additional concepts of advanced attacks and their artifacts. The latest attack methods are explored at the packet level, and students receive a collection of PCAP files based on the latest malware seen in the wild. The course also shows what the attack techniques of tunneling and obfuscation look like when analyzed, and reviews the characteristics and components of web shells. The course concludes with static and dynamic PCAP challenges. This training course is part of a 4-level series in Packet Capture Analysis; learn more about the other courses in the series below:

Price Match Guarantee Phoenix TS

Packet Capture Analysis Level 3 Course Includes:

  • Class exercises in addition to training instruction
  • Courseware books, notepads, pens, highlighters and other materials
  • Course retake option
  • Full breakfast with variety of bagels, fruits, yogurt, doughnuts and juice
  • Tea, coffee, and soda available throughout the day
  • Freshly baked cookies every afternoon - *only at participating locations

Course Outline

Module One: Mastering tshark

- Capturing data using tshark
- Performance challenges
- Capture filters

Lab 1-1: Data capture with tshark

- Using the -G option
- Contains and matches
- Dissectors and customizing them
- Using bridges in Linux with tshark
- Remote capture
    - rpcapd
- Using ARP spoofing
    - Ettercap
    - Cain and Abel

Lab 1-2: Redirecting traffic to tshark

Module Two: Malware Traffic Analysis Process

- What is the purpose?
- How did it get in?
- Who is behind it, and what are their capabilities?
- How can we recover?
- Identify what was compromised

Lab 2-1: Stage one malware processes

- Items of interest
    - Network indications
    - Hosts involved
    - Persistence mechanisms
    - Compilation and installation

Lab 2-2: Stage two malware processes

Module Three: APT characteristics and analysis

- Determining the command and control parameters
- Identifying the infrastructure
    - Well-known APT/malware sites
    - Custom

- Types of beaconing

Lab 3-1: APT command and control analysis

- Identifying asset discovery and methods of persistence
- Methods of data exfiltration

Lab 3-2: APT artifacts

Module Four: Detecting Tunneling

- ASCII traffic in ICMP
- Ratio technique
- Endpoint identification

Lab 4-1: Tunneling concepts

- VPN protections
- SSH
- L2TP
- IPsec
- IPv4 and IPv6
- DNS

Lab 4-2: Advanced tunneling concepts

Module Five: Web Shells 101

- Characteristics of web shells
- Types of web shells
    - ASP
    - JSP
    - PHP
        - China Chopper
        - B374k
        - C99
        - Cknife

Lab 5-1: Web Shell Fundamental Analysis


Module Six: Web Shell Artifacts

- Adversary web shell trends
- Directory enumeration methods
- Identifying obfuscation
    - Use of eval()

Lab 6-1: Web Shell Artifacts

- Detecting user-agent checks used to evade detection
    - Avoiding crawling and Google dorks
- Authentication methods
    - Password
    - IP address block
- register_globals
    - Methods of checking for it

Lab 6-2: Web Shell authentication methods

- Breaking down China Chopper
- Breaking down the follow-on Cknife

Lab 6-3: China Chopper detailed breakdown and PCAP analysis

Module Seven: Decoding and Decrypting PCAP files

- Identifying the method
    - Hashing
    - Base64
    - Encryption

Lab 7-1: Decoding PCAP files

- Dealing with encryption algorithms
    - TLS
    - SSL
    - Unknown

Lab 7-2: Decrypting PCAPs

- Using Berkeley Packet Filters (BPF)
    - Excluding IP addresses
    - Filter syntax

Lab 7-3: BPF PCAP filtering

Module Eight: Practical preparation for static analysis of web shells and malware

Lab 8-1: Web Shell analysis

Module Nine: Live malware and web activity

Lab 9-1: Practical assessment of live command and control traffic

Register for Class

Date: 02/04/19 - 02/08/19, 5 days, 8:30AM – 4:30PM
Location: Columbia, MD
Status: Sold Out!