Switching jobs has kept me too busy to update the blog, but this time I have made room for another post. SANS has hosted yet another fantastic puzzle, this one on APT. The puzzle is a pcap file that captures a then zero-day exploit for Internet Explorer (better known as Aurora, patched in MS10-002). Quite an exciting puzzle, I must say. Let's get things rolling.
Q1. What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.)
When we first load the pcap in Wireshark we see two hosts (ignoring the broadcast addresses): 10.10.10.10 (the attacker) and 10.10.10.70 (the victim).
At first glance we see the victim requesting index.php. Reconstructed from the request alone, the URL reads http://10.10.10.10/index.php, but the TCP destination port of that request is 8080, not the default 80, so the port has to be written back into the URI. That gives the answer to the first question: http://10.10.10.10:8080/index.php.
Q2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their data element with a string. What was the value of this string?
In response to the request on port 8080, the server returns an HTML page with a chunk of JavaScript in it. The script starts by declaring an array:
var qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR = new Array();
and then, inside a for loop, fills the data element of each entry with a string:
qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = "vEI";
which answers the second question: vEI
Q3. Vick's computer made a second HTTP request for an object.
- What was the filename of the object that was requested?
- What is the MD5sum of the object that was returned?
The object that came back is a tiny image. Its xxd dump is shown below: the GIF89a signature, a 1x1 logical screen (the two little-endian 0100 words right after the signature), a global colour table, a single image block introduced by 0x2c and the 0x3b trailer, 43 bytes in all. The filename is read from the GET line of that second request, and the MD5 is taken over exactly these 43 bytes of the response body, with the HTTP headers stripped off.
0000000: 4749 4638 3961 0100 0100 8000 0000 0000 GIF89a..........
0000010: 0000 0021 f904 0100 0000 002c 0000 0000 ...!.......,....
0000020: 0100 0100 0002 0244 0100 3b .......D..;
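As an added example (not part of the original post), here is how I would turn a dump like the one above back into bytes and sanity-check it before hashing: the xxd text is re-typed into the script so it runs offline, the ASCII gutter is skipped, the GIF header fields are decoded and the MD5 is computed over the carved bytes only. The parsing and header layout are standard; the only assumption is that the dump is in xxd's default 16-bytes-per-line format.

```python
import hashlib
import re
import struct

# Re-typed copy of the xxd dump above (the 43-byte object from the second
# HTTP request); embedded here so the example runs offline.
XXD_DUMP = """\
0000000: 4749 4638 3961 0100 0100 8000 0000 0000 GIF89a..........
0000010: 0000 0021 f904 0100 0000 002c 0000 0000 ...!.......,....
0000020: 0100 0100 0002 0244 0100 3b .......D..;
"""
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def xxd_to_bytes(dump):
    """Rebuild raw bytes from an xxd-style dump ('offset: hex... ascii').

    Hex tokens are read until the first non-hex token and never beyond xxd's
    16 bytes per line, so the ASCII gutter of a full line can never be read
    as data; on a short final line the gutter must not itself look like hex
    (here it does not). Offsets are checked so a missing or reordered line
    raises instead of silently producing garbage."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, _, rest = line.partition(":")
        if int(offset_str, 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset_str}")
        line_bytes = 0
        for tok in rest.split():
            if line_bytes >= 16 or not HEX_TOKEN.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            line_bytes += len(tok) // 2
    return bytes(out)


def describe_gif(data):
    """Check the GIF signature and decode the fixed-layout header.

    Layout: 6-byte signature ('GIF87a'/'GIF89a'), uint16 LE width and height,
    a packed byte whose top bit says a global colour table follows, background
    index, aspect ratio. A well-formed GIF ends with the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF image")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    return {
        "version": data[3:6].decode("ascii"),
        "width": width,
        "height": height,
        "global_color_table": bool(packed & 0x80),
        "has_trailer": data[-1] == 0x3B,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
    }


def analyse_dump(dump=XXD_DUMP):
    """xxd text -> decoded header fields and MD5 of the carved object."""
    return describe_gif(xxd_to_bytes(dump))


if __name__ == "__main__":
    for key, value in analyse_dump().items():
        print(f"{key}: {value}")
```

Feed it the dump you carved yourself rather than the one re-typed here if you want the MD5 for the puzzle answer; the point of the header decode is to catch a carve that is off by a few bytes (wrong signature, missing trailer, odd size) before you trust the hash.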
Q4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
Wireshark helps with this. Filter for the traffic on port 4444 with the display filter tcp.port eq 4444; the first packet shown is the SYN that opens the session, and its timestamp gives the answer: 1.3. (Make sure the time column is set to seconds since the beginning of the capture, which is Wireshark's default.)
Q5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
The same filter as in Q4 suffices here. The last packet shown with tcp.port eq 4444 is the end of the session teardown, and its timestamp is the answer: 87.6
Q6. In packet 17, the malicious server sent a file to the client.
- What type of file was it? Choose one:
- Windows executable
- GIF image
- PHP script
- Zip file
- Encrypted data
- What was the MD5sum of the file?
To answer Q6.b we have to extract the executable (a DLL, to be specific) from the data stream, which also settles Q6.a: it is a Windows executable. There are plenty of tools for this, but preferring the manual way I follow the TCP stream, keep only the server-to-client direction and carve the file out by hand.
What about the file size? The stream gives it away right at the start: the first four bytes, 00 6a 0b 00, are a little-endian 32-bit length, 0x000b6a00 = 748032 bytes. That is the size of our file. Those four bytes are a length prefix that the stager reads before receiving the stage; they are not part of the DLL, so drop them before hashing. Once the complete DLL is carved out you will notice it is metsrv.dll (the server component of the Metasploit Meterpreter); searching the packets for the text metsrv.dll will turn up at least a couple of hits.
The MD5 hash is - b062cb8344cd3e296d8868fbef289c7c
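As an added example (not the author's carving and not Metasploit's own code), the following script does the length-prefixed carve described above on a reassembled server-to-client byte stream: read the little-endian uint32, take exactly that many bytes after it, refuse a truncated capture, and hash the stage without the prefix. The sample stream is constructed (a 64-byte stand-in for the DLL with a matching prefix and a few trailing bytes); only the 00 6a 0b 00 prefix is taken from the capture.

```python
import hashlib
import struct


def decode_length_prefix(prefix):
    """Little-endian uint32, as the stager reads it (a 4-byte recv)."""
    return struct.unpack("<I", prefix[:4])[0]


def carve_staged_payload(stream):
    """Carve the stage that a Metasploit reverse_tcp handler sends to the stager.

    The server-to-client stream begins with a little-endian uint32 giving the
    stage length, and the stage (here metsrv.dll) follows immediately. The four
    prefix bytes are not part of the file, so they are dropped before hashing;
    hashing from byte 0 is the classic way to get the wrong MD5. Raises
    ValueError when the capture does not contain the whole stage."""
    if len(stream) < 4:
        raise ValueError("stream too short for a length prefix")
    length = decode_length_prefix(stream)
    body = stream[4:4 + length]
    if len(body) != length:
        raise ValueError(f"stage truncated: prefix says {length} bytes, "
                         f"only {len(body)} present")
    return body, length


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def describe_payload(stream):
    """Length, PE check, and hashes with and without the prefix for comparison."""
    body, length = carve_staged_payload(stream)
    return {
        "declared_length": length,
        "is_pe": body[:2] == b"MZ",
        "md5": md5_hex(body),
        "md5_with_prefix": md5_hex(stream[:4 + length]),
    }


# The prefix seen in the capture: 00 6a 0b 00 -> 0x000b6a00 -> 748032 bytes.
REAL_PREFIX = bytes.fromhex("006a0b00")

# Constructed sample: a 64-byte stand-in "DLL" (MZ header plus filler), its
# matching prefix, and four trailing bytes from whatever follows on the wire,
# which must not end up in the carved file.
FAKE_DLL = b"MZ" + bytes(range(62))
SAMPLE_STREAM = struct.pack("<I", len(FAKE_DLL)) + FAKE_DLL + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    print("stage length in the capture:", decode_length_prefix(REAL_PREFIX))
    print(describe_payload(SAMPLE_STREAM))
```

To use it on the real capture, save the server-to-client half of the port 4444 stream as raw bytes (Follow TCP Stream, one direction, Save As raw) and pass the file contents to describe_payload; the same call works for the port 4445 stream in Q9.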
Q7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
a. How often does the TCP initial sequence number (ISN) change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
The answer is every third packet: each ISN is reused for three consecutive SYN attempts before a new one appears. (The Wireshark screenshot showing this is not reproduced here.) To see it yourself, filter on tcp.port eq 4445 and tcp.flags.syn eq 1 and tcp.flags.ack eq 0 and compare the sequence numbers row by row; turn off "Relative sequence numbers" in the TCP protocol preferences first, otherwise every SYN is displayed as 0 and the change is invisible.
b. How often does the IP ID change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
c. How often does the source port change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
Q8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
We build another filter to find when the three-way handshake on port 4445 completed. The filter below, applied in Wireshark, shows only the SYN/ACK packets on that port (tcp.flags eq 18 is 0x012, SYN and ACK set):
tcp.port eq 4445 and tcp.flags eq 18
That returns a single packet with timestamp 123.7, which answers Q8. Strictly, the handshake completes with the client's ACK that follows the SYN/ACK, so confirm that the next packet of that stream rounds to the same tenth of a second.
Q9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
The executable sent over port 4445 is the same as the one carved earlier, and the same length-prefix carve applies. The MD5 hash is - b062cb8344cd3e296d8868fbef289c7c
Q10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
The connection was closed at 198.4
You can use the filter below to fetch the answer; it lists the FIN/ACK packets on the port (tcp.flags eq 17 is 0x011). A graceful close has one FIN/ACK from each side, and it is the second one, which finishes the teardown, that gives the answer:
tcp.port eq 4445 and tcp.flags eq 17
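As an added example (not from the original post), the script below reproduces the Wireshark filters used for Q4, Q5, Q8 and Q10 and the ISN / IP ID / source port comparison of Q7 with nothing but the Python standard library: a minimal reader for classic libpcap files with Ethernet/IPv4/TCP frames, helpers equivalent to tcp.port eq N and tcp.flags eq F with times relative to the first packet, and a run-length count of how many consecutive SYNs reuse the same ISN, IP ID and source port. The contest pcap is not embedded; instead a small capture is constructed whose timings mimic the answers above while its sequence numbers, IP IDs and client ports are invented. The reader assumes the classic pcap format (not pcapng) and an Ethernet link layer; point parse_pcap at open(path, "rb").read() to run it on a real file.

```python
import struct

# TCP flag bits: Wireshark's "tcp.flags eq 18" is SYN|ACK (0x12), "eq 17" is FIN|ACK (0x11)
FIN, SYN, ACK = 0x01, 0x02, 0x10
PCAP_HDR, REC_HDR, ETH_HDR = 24, 16, 14

def parse_pcap(blob):
    """Minimal classic-libpcap reader (not pcapng) for Ethernet/IPv4/TCP frames.
    Returns tuples (abs_time, src, dst, sport, dport, flags, seq, ip_id)."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    pkts, off = [], PCAP_HDR
    while off + REC_HDR <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", blob, off)
        frame = blob[off + REC_HDR:off + REC_HDR + caplen]
        off += REC_HDR + caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                            # IPv4 only
        ip = frame[ETH_HDR:]
        if ip[9] != 6:                                          # TCP only
            continue
        ihl = (ip[0] & 0x0F) * 4
        ip_id = struct.unpack_from("!H", ip, 4)[0]
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport, seq, _, doff_flags = struct.unpack_from("!HHIIH", ip, ihl)
        pkts.append((sec + usec / 1e6, src, dst, sport, dport, doff_flags & 0x1FF, seq, ip_id))
    return pkts

def on_port(pkts, port):
    """'tcp.port eq <port>', with times relative to the first packet of the capture."""
    t0 = pkts[0][0]
    return [(p[0] - t0,) + p[1:] for p in pkts if port in (p[3], p[4])]

def session_bounds(pkts, port):
    """First and last packet on the port, rounded to tenths (the Q4/Q5 method)."""
    sel = on_port(pkts, port)
    return round(sel[0][0], 1), round(sel[-1][0], 1)

def times_with_flags(pkts, port, flags):
    """'tcp.port eq <port> and tcp.flags eq <flags>' -> relative times in tenths."""
    return [round(p[0], 1) for p in on_port(pkts, port) if p[5] == flags]

def syn_change_runs(pkts, port):
    """For bare SYNs to `port`, how many consecutive SYNs keep the same ISN, IP ID
    and source port: runs of 3 mean 'every third packet', runs of 1 'every packet'."""
    syns = [p for p in pkts if p[4] == port and p[5] == SYN]
    def runs(idx):
        out, prev = [], object()
        for p in syns:
            if p[idx] != prev:
                out.append(0)
                prev = p[idx]
            out[-1] += 1
        return out
    return {"isn": runs(6), "ip_id": runs(7), "sport": runs(3)}

# ---- constructed capture (not the contest pcap): timings mimic the answers above,
# ---- sequence numbers, IP IDs and client ports are invented.
VICTIM, ATTACKER, T0 = "10.10.10.70", "10.10.10.10", 1_262_304_000

def _frame(src, dst, sport, dport, seq, flags, ip_id):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 128, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp     # zeroed MACs, EtherType IPv4

def build_pcap(records):
    """records: (rel_time, src, dst, sport, dport, seq, flags, ip_id) -> pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for t, *fields in records:
        frame = _frame(*fields)
        hdr = struct.pack("<IIII", T0 + int(t), round((t - int(t)) * 1e6), len(frame), len(frame))
        out += hdr + frame
    return out

def _syn_retries(start, sport, isn, first_id):
    """Three SYNs at +0, +3, +6 s reusing ISN and port (Windows-style 3 s / 6 s retries)."""
    return [(start + d, VICTIM, ATTACKER, sport, 4445, isn, SYN, first_id + i)
            for i, d in enumerate((0, 3, 6))]

SAMPLE_PCAP = build_pcap([
    (0.0, VICTIM, ATTACKER, 1038, 8080, 100, SYN, 10),            # capture starts
    (1.3, VICTIM, ATTACKER, 1039, 4444, 1000, SYN, 11),           # Q4: 4444 opens
    (1.31, ATTACKER, VICTIM, 4444, 1039, 2000, SYN | ACK, 500),
    (1.32, VICTIM, ATTACKER, 1039, 4444, 1001, ACK, 12),
    (87.5, ATTACKER, VICTIM, 4444, 1039, 2001, FIN | ACK, 501),
    (87.6, VICTIM, ATTACKER, 1039, 4444, 1001, FIN | ACK, 13),    # Q5: last packet
    *_syn_retries(90.0, 1040, 5000, 20),                          # Q7: failed call-backs
    *_syn_retries(110.0, 1041, 6000, 23),
    (123.6, VICTIM, ATTACKER, 1042, 4445, 7000, SYN, 26),
    (123.7, ATTACKER, VICTIM, 4445, 1042, 9000, SYN | ACK, 502),  # Q8: SYN/ACK
    (123.72, VICTIM, ATTACKER, 1042, 4445, 7001, ACK, 27),
    (198.3, ATTACKER, VICTIM, 4445, 1042, 9001, FIN | ACK, 503),
    (198.4, VICTIM, ATTACKER, 1042, 4445, 7001, FIN | ACK, 28),   # Q10: second FIN/ACK
])

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE_PCAP)
    print("4444 open/close:", session_bounds(pk, 4444))
    print("4445 SYN/ACK:", times_with_flags(pk, 4445, SYN | ACK))
    print("4445 FIN/ACK:", times_with_flags(pk, 4445, FIN | ACK))
    print("4445 SYN runs:", syn_change_runs(pk, 4445))
```

Note that syn_change_runs compares the raw sequence numbers from the wire, which is exactly what Wireshark hides behind its relative-sequence-number display; on the constructed capture the ISN and source port runs come out as three per value and the IP ID changes on every SYN, which is the pattern the Q7 options describe.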
That answers all the questions; see you in another post.
-binaryhax0r