Wednesday, June 30, 2010

Sans Forensics Challenge Puzzle - 6

Switching jobs has kept me from updating the blog, but this time I have put together yet another post. SANS has hosted a fantastic puzzle, this time on APT. The puzzle is a pcap file that contains a zero-day exploit for IE (commonly known as Aurora, ms_10_002). Quite an exciting puzzle, I must say. Let's get things rolling.

Q1. What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.)

When we first load the pcap in Wireshark we see that there are two hosts (ignoring the broadcast addresses) - 10.10.10.10 (the attacker) and 10.10.10.70 (the victim).

At first glance we see that in the first request the victim is asking for index.php, so the request is constructed as http://10.10.10.10/index.php, and that request is sent over port 8080. Reconstructing the request with the port gives us the answer to the first question - http://10.10.10.10:8080/index.php.

Q2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their data element with a string. What was the value of this string?

In response to the request sent over port 8080, the server replies with an HTML file with a certain JavaScript in it ;) The JavaScript starts by declaring an array as,

var qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR = new Array();

following that, inside a for loop, its data element is filled with a string like,

qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = "vEI";

That answers our second question - vEI

Q3. Vick's computer made a second HTTP request for an object.
  1. What was the filename of the object that was requested?
  2. What is the MD5sum of the object that was returned?

Following the initial /index.php request, another request is sent to the same server on the same port. This time /index.phpmfKSxSANkeTeNrah.gif is requested. That answers Q3.a. The server responds with a series of data following the request from the client. If you filter the conversation and rip the hex data from the packet you should get the MD5 hash - df3e567d6f16d040326c7a0ea29a4f41, which answers Q3.b. Below is the data ripped from the packet.

0000000: 4749 4638 3961 0100 0100 8000 0000 0000 GIF89a..........
0000010: 0000 0021 f904 0100 0000 002c 0000 0000 ...!.......,....
0000020: 0100 0100 0002 0244 0100 3b .......D..;

Q4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Wireshark will help with this ;) To filter the communication that happened over port 4444 use the filter tcp.port eq 4444, and the first packet will tell us the answer ;) - 1.3

Q5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Again the same filter as used in Q4 will suffice for this question. The last packet in the window (with the filter tcp.port eq 4444 applied) is the answer to the question - 87.6

Q6. In packet 17, the malicious server sent a file to the client.
  1. What type of file was it? Choose one:
    • Windows executable
    • GIF image
    • PHP script
    • Zip file
    • Encrypted data
  2. What was the MD5sum of the file?

We move on to packet 17 in the Wireshark window. Clicking on the packet and viewing the data tells us that the file transferred was a Windows executable. The MZ header in the data stream gives that away. So that answers Q6.a.

To answer Q6.b we have to extract the executable (a DLL, to be specific ;)) from the data stream. There are a lot of tools out there, but still preferring the manual way, I just filter out the data stream from the server end to the client end and then manually carve out the file.



And you may ask about the file size? The stream easily gives that away at the start - 00 6a 0b 00. Read as a little-endian value and converted to decimal it should be 748032 bytes. That's the size of our file. When the complete DLL is carved out you may notice that it is metsrv.dll (a component of the Metasploit Meterpreter). You may very well search for the text metsrv.dll in the packet and you are sure to hit at least a couple of them.

The MD5 hash is - b062cb8344cd3e296d8868fbef289c7c
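As an added example (my own code, not from the original post or the puzzle), here is the carve from Q6.b (and the identical one in Q9) done programmatically: reassemble the server-to-client segments by sequence number, read the 4-byte little-endian length prefix, carve the body, check for the MZ header and hash it. The stream, sequence numbers and the stand-in DLL bytes are all constructed; the real capture is not embedded.

```python
import hashlib
import struct

# Added example, not code from the original post. It models the carve in
# Q6/Q9: the server->client stream begins with a 4-byte little-endian length
# (00 6a 0b 00 = 748032) followed by the DLL. All input here is constructed.

def build_stream(blob):
    """Prefix a file body with its little-endian 4-byte length, as seen on the wire."""
    return struct.pack("<I", len(blob)) + blob

def split_into_segments(stream, isn, mss):
    """Cut a stream into (seq, payload) pairs the way TCP would; first data byte is at isn+1."""
    return [(isn + 1 + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.
    Out-of-order and retransmitted segments are tolerated; a gap raises."""
    buf = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        rel = seq - isn - 1                 # byte offset of this payload in the stream
        if rel < 0 or rel > len(buf):
            raise ValueError("gap or bad sequence number at offset %d" % rel)
        buf += payload[len(buf) - rel:]     # skip bytes already delivered (retransmits)
    return bytes(buf)

def declared_length(stream):
    """Little-endian length prefix: b'\\x00\\x6a\\x0b\\x00' -> 748032."""
    return struct.unpack("<I", stream[:4])[0]

def carve_prefixed_file(stream):
    """Return the file body announced by the prefix, refusing a truncated stream."""
    n = declared_length(stream)
    body = stream[4:4 + n]
    if len(body) != n:
        raise ValueError("stream truncated: %d of %d bytes" % (len(body), n))
    return body

def is_pe(data):
    """The MZ magic that gave away Q6.a."""
    return data[:2] == b"MZ"

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def demo():
    """Constructed stand-in for the metsrv.dll transfer: out-of-order segments plus a retransmit."""
    fake_dll = b"MZ" + bytes(range(256)) * 4
    segs = split_into_segments(build_stream(fake_dll), isn=1000, mss=300)
    segs = [segs[2], segs[0], segs[3], segs[1], segs[1]]
    return carve_prefixed_file(reassemble(segs, 1000))
```

Running `demo()` returns the carved body; `is_pe()` and `md5_hex()` on it give the Q6.a and Q6.b style answers for the constructed data.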

Q7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:

a. How often does the TCP initial sequence number (ISN) change? (Choose one.)
  • Every packet
  • Every 60 seconds
  • Every third packet
  • Every 10-15 seconds
  • Every 30-35 seconds

The answer is Every third packet. Look at the picture from Wireshark for yourself.



b. How often does the IP ID change? (Choose one.)
  • Every packet
  • Every third packet
  • Every 10-15 seconds
  • Every 30-35 seconds
  • Every 60 seconds
That happens on every packet. When you look into each packet's IP ID you can see that it changes from 0x01b3 to 0x01b4 and so on.

c. How often does the source port change? (Choose one.)
  • Every packet
  • Every third packet
  • Every 10-15 seconds
  • Every 30-35 seconds
  • Every 60 seconds
When you filter the packets communicating over port 4445 you can see that from packet 1503 the source port remains 1040 until packet 1532 and changes on packet 1533. If we calculate the time between that packet range we get 82.9 - 71.2, which is a 10-15 second difference between the switchover of ports.

Q8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

We prepare another filter for this purpose to check when the complete 3-way handshake finished between the two hosts on port 4445. The below filter (flags value 18 is 0x12, i.e. SYN+ACK), when applied in Wireshark, will get you the result.

tcp.port eq 4445 and tcp.flags eq 18

That returns a single packet, which has the timestamp 123.7 and answers Q8.

Q9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?

The executable that was sent over on port 4445 is the same as the earlier executable. The MD5 hash is - b062cb8344cd3e296d8868fbef289c7c

Q10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

The connection was closed at 198.4

You may very well use the below filter to fetch the answer (flags value 17 is 0x11, i.e. FIN+ACK), but then only the 2nd packet (when the filter is applied) is to be considered.

tcp.port eq 4445 and tcp.flags eq 17

That answers all the questions, meet you in another post.

-binaryhax0r
