CyberDefenders — HoneyBOT Blue Team Lab

jon
3 min read · Jun 17, 2024


Scenario: A PCAP analysis exercise highlighting an attacker's interactions with honeypots and how automatic exploitation works. (Note that the IP address of the victim has been changed to hide the true location.) As a SOC analyst, analyze the artifacts and answer the questions.

Tools: BrimSecurity, NetworkMiner, Wireshark, Libemu (sctest), scdbg, IP LookUp

  • What is the attacker’s IP address?

Looking into the protocol hierarchy for the PCAP, we observe that the traffic starts with the SOCKS protocol. Following this stream, we can see an .exe being transmitted, identifiable by the "MZ" magic bytes at the start of the data:

  • What is the target’s IP address?

The target IP address is the server that is receiving the .exe.

  • Provide the country code for the attacker’s IP address (a.k.a geo-location).

Searching for the IP in VirusTotal, we can find the country code for the IP address.

  • How many TCP sessions are present in the captured traffic?

Using Wireshark's TCP stream graph, we can identify how many TCP streams are present.

  • How long did it take to perform the attack (in seconds)?

Looking at the Wireshark Capture File Properties, we can find the elapsed time for this attack.

  • Provide the CVE number of the exploited vulnerability.

Looking into some of the traffic from the attacker's IP, we can see calls to DsRoleUpgradeDownlevelServer. A quick Google search lets us identify the CVE used in the attack:

https://nvd.nist.gov/vuln/detail/CVE-2003-0533

  • Which protocol was used to carry over the exploit?

Stream 2 gives the answers for the next couple of questions.

  • Which protocol did the attacker use to download additional malicious files to the target system?
  • What is the name of the downloaded malware?
  • The attacker’s server was listening on a specific port. Provide the port number.
  • When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

We can export the .exe, calculate its file hash, and search for the hash on VirusTotal to find the first submission date.

  • What is the key used to encode the shellcode?

To find the shellcode, we can look for packets that contain runs of 0x90 (NOPs), or alternatively attempt some dynamic analysis on the host to pull the shellcode. Within stream 1 we find data surrounded by multiple NOPs.

We can extract this shellcode and use scdbg to emulate it. This gives us the key of 0x99.
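As an added illustration of the NOP-sled hunt and key recovery described above (example code, not from the lab or the original post): the script scans a constructed stream for a run of 0x90 bytes, carves what follows, and brute-forces the single-byte XOR key by checking which key yields the API and DLL names a Windows bind-shell payload normally contains. The sample bytes, the marker list and the function names are assumptions of this example.

```python
import re

# Constructed sample: a few SOCKS-like bytes, a NOP sled, then a stand-in
# payload XOR-encoded with 0x99. This is NOT traffic from the lab PCAP.
KEY = 0x99
_PLAINTEXT = (b"\xfc\xe8GetProcAddress\x00kernel32.dll\x00"
              b"ws2_32.dll\x00bind\x00listen\x00")
SAMPLE_STREAM = (b"\x05\x01\x00" + b"\x90" * 24
                 + bytes(b ^ KEY for b in _PLAINTEXT) + b"\x00\x00\r\n")

# Names a decoded Windows bind-shell payload is expected to contain (assumed).
MARKERS = [b"kernel32", b"GetProcAddress", b"ws2_32", b"bind", b"listen"]


def carve_after_nops(stream: bytes, min_sled: int = 8):
    """Return the bytes following the first run of >= min_sled 0x90 bytes, or None."""
    match = re.search(rb"\x90{%d,}" % min_sled, stream)
    return None if match is None else stream[match.end():]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the encoding that scdbg undoes for this sample."""
    return bytes(b ^ key for b in data)


def marker_score(decoded: bytes) -> int:
    """Count how many expected API/DLL names appear in a candidate decoding."""
    return sum(decoded.count(m) for m in MARKERS)


def recover_xor_key(encoded: bytes):
    """Try all 256 keys; return (key, score) for the best, or None if nothing decodes."""
    best_key = max(range(256), key=lambda k: marker_score(xor_bytes(encoded, k)))
    best_score = marker_score(xor_bytes(encoded, best_key))
    return None if best_score == 0 else (best_key, best_score)


def analyse_stream(stream: bytes):
    """Carve the bytes after the NOP sled and recover their XOR key."""
    payload = carve_after_nops(stream)
    return None if payload is None else recover_xor_key(payload)


if __name__ == "__main__":
    result = analyse_stream(SAMPLE_STREAM)
    print("no shellcode found" if result is None
          else f"key=0x{result[0]:02x} markers={result[1]}")
```

On real captures the marker list is a heuristic; a stream with no hits simply returns None rather than a guessed key.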

  • What is the port number the shellcode binds to?

scdbg /f .\shell.bin /s -1

We can see the shellcode binds to port 1957.

  • The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?

The Windows API GetProcAddress is used to determine the location in memory; that API comes from Kernel32.dll.
