2015/10/12

Network Forensics – Round 6: Ann’s Aurora


The puzzle: Ann’s Aurora

Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…


You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…

  1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
  2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
  3. Vick’s computer made a second HTTP request for an object.
    • What was the filename of the object that was requested?
    • What is the MD5sum of the object that was returned?
  4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  6. In packet 17, the malicious server sent a file to the client.
    • What type of file was it? Choose one:
      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
    • What was the MD5sum of the file?
  7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
    • How often does the TCP initial sequence number (ISN) change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    • How often does the IP ID change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    • How often does the source port change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
  8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
  10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

This round, we utilize some of the same tools as before, but also introduce a couple of new ones. There are always other commercial and open source tools that you could utilize for this challenge, but the tools below are what I used:

*Wireshark*

*Notepad++*

*NetworkMiner*

*010 Editor*

*Hashcalc*

*tshark*


After verifying that the packet capture (evidence06.pcap) has the correct hash (efac05c50c0ae92bf0818e98763920bd), we are ready to start the round. First, we are looking for the full URI of Vick Timmes’ original web request, including the port. The following Wireshark filter can be used to obtain this answer: http.request.method == "GET". After applying the filter, you will see two GET requests; the first one (packet 1) gives the answer to question 1, http://10[.]10[.]10[.]10:8080/index[.]php. See Figure 1 below:

Question 1
Figure 1

For question 2, we need to answer: In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string? First, extract the file “index.php” from the capture. If you are unfamiliar with file carving, view one of my previous posts from this network forensics series. Open the file with Notepad++ (or your favorite text editor). At the top of the code, you can see “var UWnHADOfYHiHDDXj = “COMMENT”;”. Looking down a couple of lines, you’ll see that the variable “UWnHADOfYHiHDDXj” is passed to document.createElement(UWnHADOfYHiHDDXj). One line below, the data element is set to “vEI”, which is the answer you are looking for: qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = “vEI”

Question 2
Figure 2

Question 3 has a couple of parts. First, we need to find the filename of the second HTTP request that Vick’s computer made. If you put the same filter we used for question 1 back into Wireshark (http.request.method == "GET"), you’ll quickly see the second GET request, for the object named “index.phpmfKSxSANkeTeNrah.gif” (Figure 3a below):

Question 3a
Figure 3a

For the second part of this question, we need the MD5 sum of that object. You can carve the file out manually with Wireshark and 010 Editor, or you can parse the pcap with NetworkMiner. After obtaining the file, hash it with any tool of your liking (I used HashCalc), and you will get an MD5 of df3e567d6f16d040326c7a0ea29a4f41.

Question 3b.1
NetworkMiner
Question 3b.2
Manual Carve

Question 4 asks us to find when the TCP session on port 4444 was opened. If you input the filter “tcp.port == 4444” into Wireshark, you will find your answer: the first packet in the list (packet 13) has a time of 1.3 seconds from the start of the packet capture.

Question 4
Figure 4

Question 5 asks when the TCP session on port 4444 was closed (the number of seconds since the beginning of the packet capture, rounded to tenths of a second, ie, 49.5 seconds). If we apply the Wireshark filter “tcp.port == 4444” and scroll down to the last entry, we find packet 1565, at 87.6 seconds since the start of the packet capture.

Question 5
Figure 5

Question 6 also has a couple of parts. In packet 17, the malicious server sent a file to the client. Part A: What type of file was it? Choose one:

* ***Windows executable***

* GIF image

* PHP script

* Zip file

* Encrypted data

For Part A, navigate (scroll down) to packet 17, right click it and choose “Follow TCP Stream”. In the TCP stream, you will notice the MZ file header at the top of the stream, which shows that it is a Windows executable. You also see “This program cannot be run in DOS mode.”, which is another clue that it is a Windows executable.

Question 6a
Figure 6a

For Part B: What was the MD5sum of the file? With the TCP stream already open from Part A, save that stream and call it “maliciousfile.exe”. Open that file in 010 Editor (or your favorite hex editor); we now need to carve the executable out of the stream. Find the MZ file header and find the bottom, where the transfer finishes. Save that file, throw it into HashCalc and you should get an MD5 hash of b062cb8344cd3e296d8868fbef289c7c.

Question 6b
Figure 6b
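Instead of eyeballing where the transfer finishes in the hex editor, the extent of a PE can be computed from its own headers. The following Python is an added example, not code from the original post: it locates the MZ header in a saved TCP stream, reads the COFF and section headers to work out how many bytes the executable occupies, cuts it out and MD5s it. The PE it is exercised with is a constructed minimal one (build_fake_pe), not the challenge binary, so the hash it produces is not the challenge answer.

```python
import hashlib
import struct

def pe_size(buf, mz_off):
    """Bytes the PE starting at mz_off occupies on disk: the end of its last raw section."""
    pe = mz_off + struct.unpack_from("<I", buf, mz_off + 0x3C)[0]   # e_lfanew
    if len(buf) < pe + 24 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    sect = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = sect + 40 * nsections               # at least the headers themselves
    if len(buf) < end:
        return None
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_exe(stream):
    """Q6: find the MZ header in a saved TCP stream, cut the PE out and MD5 it."""
    mz = stream.find(b"MZ")
    while mz != -1:
        size = pe_size(stream, mz) if len(stream) >= mz + 0x40 else None
        if size and mz + size <= len(stream):     # skip stray "MZ" bytes that are not a PE
            exe = stream[mz:mz + size]
            return exe, hashlib.md5(exe).hexdigest()
        mz = stream.find(b"MZ", mz + 1)
    return None, None

def build_fake_pe(payload):
    """Constructed minimal PE (not the challenge binary): DOS header, COFF header, one section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: right after DOS header
    opt = b"\x0b\x01" + bytes(94)                                # PE32 magic + zeroed optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 0x200                                              # section data at file alignment 512
    sect = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + bytes(16)
    headers = bytes(dos) + coff + opt + sect
    return headers + bytes(raw_ptr - len(headers)) + payload
```

Feed carve_exe the bytes of a stream saved with “Follow TCP Stream” (raw) and it returns the executable and its MD5, which you can then compare against the value from HashCalc.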

Question 7 is broken up into 3 parts. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:

  1. How often does the TCP initial sequence number (ISN) change? (Choose one.)

* Every packet

* ***Every third packet*** – Since we are looking for packets related to traffic over port 4445, first input the Wireshark filter tcp.port == 4445. From there, go to Statistics –> Flow Graph. In that dialog box, make sure the “displayed packets”, “tcp flow” and “standard source/destination addresses” radio buttons are selected, then hit OK. You will now be viewing a graph of the TCP flow for the selected packets to port 4445. You can easily see that every third packet, the initial sequence number (ISN) increments.

* Every 10-15 seconds

* Every 30-35 seconds

* Every 60 seconds

Question 7a
Figure 7a

  2. How often does the IP ID change? (Choose one.)

* ***Every packet*** – Utilizing a different tool in our arsenal, let’s use tshark to list the count of every IP ID value, to see how often the field changes. Run the following tshark command: tshark -r evidence06.pcap -T fields -e ip.id | sort | uniq -c | sort -r > evidence06.csv. Open the CSV that you just created and you will see that they all have a count of one, showing that the IP ID changes every packet.

* Every third packet

* Every 10-15 seconds

* Every 30-35 seconds

* Every 60 seconds

Question 7b
Figure 7b

  3. How often does the source port change? (Choose one.)

* Every packet

* Every third packet

* ***Every 10-15 seconds*** – You could just eyeball the packets to figure out the answer to this question. If you don’t want to do that, here is a tshark command to accomplish the task: tshark -o tcp.analyze_sequence_numbers:FALSE -n -r evidence06.pcap 'tcp.dstport == 4445 and tcp.flags == 0x02' > evidence06_syn.txt. Open the file and you’ll quickly see when the source port changes:

35.947030

47.732517

59.462957

71.257992

82.993986

94.878166

106.838688

118.746261

* Every 30-35 seconds

* Every 60 seconds

Question 7c
Figure 7c

Question 8 says: Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds). Let’s first apply the Wireshark filter tcp.port == 4445. With that in place you’ll see that there are still a lot of packets to sort through. Below, in Figure 8.1, you’ll see some failed connection attempts. We need to look for a successful attempt: SYN –> SYN/ACK –> ACK.

Question 8.1
Figure 8.1

Throw in the filter tcp.port == 4445 && tcp.flags.ack==1 && tcp.flags.reset==0. This gets rid of all the reset packets and shows you the SYN/ACK and ACK of the first successful connection in packets 1657 and 1658, respectively, at 123.7 seconds from the beginning of the packet capture.

Question 8.2
Figure 8.2

Question 9 says: Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file? If you recall question 6b, you’ll see that we already have the hash of this file: b062cb8344cd3e296d8868fbef289c7c.

Question 10, the final question of our challenge, wants to know: when was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds). Use the filter “tcp.port == 4445 && tcp.flags.ack==1 && tcp.flags.fin==1” to find the port 4445 traffic where both the FIN and ACK flags are set. In packet 2552 you’ll see the FIN/ACK packet, which indicates the closing of the connection, at 198.4 seconds from the beginning of the packet capture.

Question 10
Figure 10
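Questions 4, 5, 7, 8 and 10 all come down to reading timing, flags, IP ID, source port and raw sequence numbers off the packets on one port. The following Python is an added example, not code from the original post: it parses tab-separated tshark -T fields output and reproduces those checks: session open and close times, the first completed SYN –> SYN/ACK –> ACK, and how often each field changes across the client’s retried SYNs. The sample lines are constructed, not taken from evidence06.pcap, so the numbers differ from the answers above.

```python
# Constructed tshark -T fields lines (NOT from evidence06.pcap): frame.time_relative, ip.id,
# tcp.srcport, tcp.dstport, raw tcp.seq (-o tcp.analyze_sequence_numbers:FALSE), tcp.flags
SAMPLE = """\
10.000000\t0x1001\t1040\t4445\t200\t0x0002
10.000300\t0x0021\t4445\t1040\t0\t0x0014
13.000000\t0x1002\t1040\t4445\t200\t0x0002
19.000000\t0x1003\t1040\t4445\t200\t0x0002
22.000000\t0x1004\t1041\t4445\t300\t0x0002
25.000000\t0x1005\t1041\t4445\t300\t0x0002
31.000000\t0x1006\t1041\t4445\t300\t0x0002
34.000000\t0x1007\t1042\t4445\t400\t0x0002
34.000300\t0x0022\t4445\t1042\t900\t0x0012
34.000700\t0x1008\t1042\t4445\t401\t0x0010
80.000000\t0x1009\t1042\t4445\t450\t0x0011
"""
FIN, SYN, ACK = 0x01, 0x02, 0x10  # tcp.flags bits

def parse(text):
    """Turn tab-separated tshark field lines into dicts, ordered by capture time."""
    pkts = []
    for line in text.splitlines():
        t, ipid, sp, dp, seq, flags = line.split("\t")
        pkts.append(dict(t=float(t), ipid=int(ipid, 16), sport=int(sp),
                         dport=int(dp), seq=int(seq), flags=int(flags, 16)))
    return sorted(pkts, key=lambda p: p["t"])

def session_bounds(pkts, port):
    """Q4/Q5/Q10: first SYN towards the port and the last FIN seen on it, in tenths of a second."""
    s = [p for p in pkts if port in (p["sport"], p["dport"])]
    opened = next(p["t"] for p in s if p["flags"] == SYN and p["dport"] == port)
    closed = max(p["t"] for p in s if p["flags"] & FIN)
    return round(opened, 1), round(closed, 1)

def first_handshake(pkts, port):
    """Q8: time of the ACK that completes the first SYN -> SYN/ACK -> ACK on the port."""
    for prev, cur in zip(pkts, pkts[1:]):
        if (prev["sport"] == port and prev["flags"] == SYN | ACK
                and cur["dport"] == port and cur["flags"] == ACK):
            return round(cur["t"], 1)
    return None

def change_cadence(pkts, port, field):
    """Q7: across the client's SYNs to the port, mean packets and seconds between changes of field."""
    syns = [p for p in pkts if p["dport"] == port and p["flags"] == SYN]
    idx = [i for i in range(1, len(syns)) if syns[i][field] != syns[i - 1][field]]
    if not idx:
        return None  # the field never changes over these SYNs
    gaps = [b - a for a, b in zip([0] + idx, idx)]
    secs = [syns[i]["t"] - syns[i - g]["t"] for i, g in zip(idx, gaps)]
    return round(sum(gaps) / len(gaps)), round(sum(secs) / len(secs), 1)
```

On the constructed sample, change_cadence reports the ISN and source port changing every 3 SYNs (about 12 seconds apart) and the IP ID changing every packet, the same shape of result the Flow Graph and the two tshark commands above give for the real capture.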
