Simulating and Analyzing an Encrypted Data Leak in WSL with Wireshark on Windows
Scenario: A company suspects an insider is leaking confidential information via encrypted channels. You are given network traffic logs for analysis.
Here's the case study that has been brought to us. After many trials and errors, we're glad to finally come up with a working simulation of the given situation. Every step of the process has been documented so that you can follow along and might even be able to reproduce the same results on your own.
To perform this analysis, we'll be using OpenSSL to set up an SSL/TLS server, generating a large file to represent the data, creating a Bash script to send it periodically, capturing the traffic with tcpdump in WSL, and analyzing it with Wireshark on Windows.
Note: This guide assumes you have basic knowledge of Linux commands and network concepts. All code snippets are written in Bash and should be run in a WSL environment or Linux terminal.
To enable encrypted communication, we need a self-signed certificate for the SSL/TLS server. OpenSSL will generate this for us.
# Generate a self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodesopenssl req: Initiates the certificate request process.-x509: Creates a self-signed certificate instead of a request.-newkey rsa:4096: Generates a 4096-bit RSA private key.-keyout key.pem: Saves the private key to key.pem.-out cert.pem: Saves the certificate to cert.pem.-days 365: Sets the certificate's validity period to 365 days.-nodes: Skips adding a passphrase to encrypt the private key (simplifies the setup).When prompted, press Enter to skip fields like country or organization, or fill them in as desired.
Set up an encrypted server using OpenSSL to listen for incoming connections.
# Start the SSL/TLS server
openssl s_server -accept 8443 -cert cert.pem -key key.pemopenssl s_server: Launches an SSL/TLS server.-accept 8443: Listens on port 8443 (a non-standard port to mimic suspicious activity).-cert cert.pem: Uses the certificate from Step 1.-key key.pem: Uses the private key from Step 1.The server will run until you stop it with Ctrl+C.
Generate a large file (e.g., 10MB) to represent the confidential data being leaked.
# Create a 10MB file
dd if=/dev/urandom of=confidential_data.txt bs=1M count=10dd: A tool for copying and converting data.if=/dev/urandom: Uses random data as the input source.of=confidential_data.txt: Outputs to a file named confidential_data.txt.bs=1M: Sets the block size to 1 megabyte.count=10: Writes 10 blocks, creating a 10MB file.Adjust count to increase or decrease the file size as needed.
Write a Bash script to periodically send the large file to the server, simulating an insider leaking data every 5 minutes.
nano leak.sh) and add:#!/bin/bash
while true; do
cat confidential_data.txt | openssl s_client -connect localhost:8443 -quiet
sleep 300 # Wait 5 minutes
done# Add execute permissions
chmod +x leak.sh# Run the script
./leak.shIf you don't want to see logs and appears anonymous, you can run the script in the background:
# Run the script in the background
./leak.sh &#!/bin/bash: Declares the script runs with Bash.while true; do: Loops indefinitely.cat confidential_data.txt: Reads the file’s contents.openssl s_client -connect localhost:8443 -quiet: Connects to the server on localhost:8443 and sends the file over an encrypted connection. -quiet suppresses extra output.sleep 300: Pauses for 300 seconds (5 minutes).&: Runs the script in the background, freeing up the terminal.tcpdump in WSLUse tcpdump to capture the encrypted traffic in WSL, as Wireshark on Windows can’t directly capture WSL’s loopback traffic. Save it to a .pcap file.
# Install tcpdump
sudo apt update && sudo apt install -y tcpdump# Capture traffic
sudo tcpdump -i lo -w /mnt/c/Users/[YourUsername]/[WhateverChosenFolderPath]/encrypted_traffic_capture.pcap port 8443[YourUsername] and [WhateverChosenFolderPath] with your actual username and chosen folder path.sudo tcpdump: Runs tcpdump with root privileges (needed for capturing).-i lo: Targets the loopback interface (lo), where the server and client communicate.-w /mnt/c/Users/[YourUsername]/[WhateverChosenFolderPath]/encrypted_traffic_capture.pcap: Saves the capture to a .pcap file in your Windows Documents folder (e.g., C:\Users\YourUsername\Documents\capture.pcap).port 8443: Filters traffic to port 8443 only.Run tcpdump for a while (e.g., 30 minutes to catch two transfers), then stop it with Ctrl+C.
Open the captured .pcap file in Wireshark on Windows to analyze the encrypted data leak.
File > Open.C:\Users\[YourUsername]\[WhateverChosenFolderPath]\encrypted_traffic_capture.pcap and open it.tcp.port == 8443 to isolate the server-client communication.These observations will help you spot suspicious activity, such as an insider leaking data.
Ctrl+C.ps aux | grep leak.sh) and running kill <PID>.sudo if tcpdump reports permission errors.tcpdump save path to match your Windows username and preferred location.And that's it!🎉Congratulations on successfully completing the entire process.
Make sure to follow the part 2 where we shared some strategies to trace the leak origin.