Challenge Details: A PCAP analysis exercise highlighting attacker’s interactions with honeypots and how automatic exploitation works.
As the part of this challenge a pcap file, HoneyBot.pcap is provided and based on it we have to answer questions. As part of this writeup and analysis, I will refrain from posting exact answers and would recommend you to go through the challenge before reading ahead.
Before jumping to the questions lets take a quick look of the pcap file in wireshark and document the observations.
- As always, I start with the Statistics—->Conversations and you will see below window :
- We can see only 2 IPs in the IPV4 tab
- TCP Tab shows number 5, pretty much pointing that in total there are 5 TCP streams
- Packet capture duration is almost 16 seconds. Usually such brief timeframes indicate some sort of automated attack.
2. Next lets take a look at Statistics —- > Protocol Hierarchy
- We can see Socks Protocol. This was probably used for downloading data
- Active Directory Setup
From the above point we can make a reasonable guess that attacker used SMB protocol to make a connection and then used RPC to execute code remotely.
Now, lets jump into the questions
Q1 : What is the attacker’s IP address?
In the above snippet we can see that 220.127.116.11 is initiating a TCP handshake with 18.104.22.168. Now 2 things stand out here 22.214.171.124, a public IP is making a SMB connection with 126.96.36.199, a internal server and from this we can conclude the attacker ip.
Q2: What is the target’s IP address?
From above we can conclude easily conclude that the target ip is 188.8.131.52
Q3: Provide the country code for the attacker’s IP address (a.k.a geo-location).
Since we have the public IP of the attacker we can easily track the geo location by any Geo-IP tracker tool available online.
Q4:How many TCP sessions are present in the captured traffic?
The easiest way to answer this question is to refer to the TCP tab in conversations window. Also, you can add Stream Index column and then sort it in descending order as shown below
Q5:How long did it take to perform the attack (in seconds)?
Again refer to the Conversations window and you will get the answer under IPv4 tab—>Duration
Q6: What is the operating system of the target host?
To get the answer , filter by smb protocol and then move to the packet where you can see NTLM_CHALLENGE and you will get the answer under Session Setup and Response.
Q7:Provide the CVE number of the exploited vulnerability
By now you must have realized that attacker is trying to establish a SMB connection and then will exploit some vulnerability/weakness as attack vector. Lets take a closer look at the communication in TCP stream 1
From above snippet we can make below observations :
- Attacker uses DCERPC protocol to send a Bind call to the victim. Before moving ahead lets understand what this means
Distributed Computing Environment/Remote Procedure Call (DCE/RPC)
DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. A DCE/RPC server’s endpoint mapper (EPMAP) will listen for incoming calls. A client will call this endpoint mapper and ask for a specific interface, which will be accessed on a different connection. After that, the client can request calls to the server.
In short we can say that client can execute code remotely on the server via this protocol.
- We see Bind_ACK from the server meaning it will accept execution of remote code .
- From the attacker we see “DsROLEUpgradeDownLevelServer request“
- Now we can assume that the above command will some how help the attacker in exploiting the victim
- Next we will do google-search to check for any known vulnerabilities related to DsROLEUpgradeDownLevelServer and you will get the answer to the question.
Note: Do not move ahead without understanding this particular point.
Q8:Which protocol was used to carry over the exploit?
If you have come this far, this question should not pose any challenge.
Hint: Refer explanation for question 7
Q9: Which protocol did the attacker use to download additional malicious files to the target system?
Since we only have 5 TCP streams, the easiest way is to follow each TCP stream. Lets follow tcp stream 2
From above snippet we can see that attacker is trying to download a file using ftp connection and on following tcp stream 3 we can see
ftp command “RETY ssms.exe“
From above we can conclude protocol used for downloading malware
Q10. What is the name of the downloaded malware?
From our analysis above we can see that smss.exe was copied on the server
Q11: The attacker’s server was listening on a specific port. Provide the port number.
Lets follow TCP stream 3
From the highlighted section we can see a new TCP connection from server to attacker was initiated from port 36296 to 8884.
Q12 : When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD
To answer this question we need to download the executable . For downloading the file :
- Follow Stream 4
2. Show data as Raw
3. Save as malware.exe
Once we have the file, upload it on VirusTotal to get the answer
Q14: What is the port number the shellcode binds to?
To answer this question, lets take a look at TCP stream 2
We can see that after sending DsRoleUpgradeDownlevelServer command a new TCP connection is initiated from attacker on port 1957 and 3 way TCP handshake occurs. From this we can answer the question.
Q15:The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?
After downloading the executable, lets execute strings against it. After running this you will observe function calls like:
GetProcAddress and LoadLibraryA. Based on this clue you can easily answer the question.
We can conclude the post with a summary of attack:
- A port scan was done against the server over port 445
- After this attacker initiates a SMB connection over port 445
- Then attacker exploits CVE-2003-0533 by calling DsRoleUpgradeDownlevelServer function which with a long szDomainName parameter containing a shellcode of type “bind shell” .
- Shell code gets executed and binds to port 1957.
- Attacker then connects to the victim on port 1957 and executes below ftp command
- ssms.exe is downloaded and executed on the victim machine