Sometimes, after an attack, investigators are left with several compromised hosts and a network traffic dump, and by examining them they can try to reconstruct the chronology of events. This is exactly the situation emulated by the BSidesJeddah-Part1 lab from the CyberDefenders resource, whose solution we will analyze in detail today. We will learn how to analyze network traffic, extract artifacts and reconstruct the picture of the compromise.
According to the scenario, a hacker group used spear phishing and gained access to the organization's information resource. Our task is to investigate the incident and reconstruct how it unfolded.
The lab asks you to answer a set of questions, but I will only show the solution process itself. You can repeat it yourself to better understand and consolidate the material.
To begin with, download the archive with the artifacts and proceed to study them. The archive contains a network traffic capture from the compromised host and a set of Suricata rules.
Utilities used
Wireshark is a network protocol analyzer. Brim is a network traffic analyzer. Oleid is a utility for inspecting OLE files (it ships with the oletools package). Scdbg is a shellcode analysis tool built on top of the libemu emulation library. IDA Pro is an interactive disassembler used for reverse engineering.
Network traffic analysis
Let's start by examining the capture in Wireshark. Load the file from the archive via the File → Open menu item.
Looking through the packets, you can see that, starting with packet 56, there are multiple TCP connection attempts to various ports from the IP address 192.168.112.128.
The attacker at 192.168.112.128 is scanning the ports of the host 192.168.112.139 to find open ones. Let's look at this process in more detail.
The figure above shows a three-way TCP handshake between 192.168.112.128 and 192.168.112.139 on port 25. How the TCP handshake works is described in the Storm Wall knowledge base; a description of the TCP flags can be found on the GeeksforGeeks website.
An open port is identified during a TCP connect scan as follows. The source 192.168.112.128 sends a SYN packet to the destination 192.168.112.139. The target answers with the SYN and ACK flags set, which means it is willing to accept the connection. The source then completes the handshake with an ACK and immediately tears the connection down with RST. This shows that port 25 on 192.168.112.139 is open. For a closed port the target answers the SYN with a packet carrying the RST and ACK flags, and no handshake takes place.
Let's look at the packet with the SYN and ACK flags. Double-click it to open it, then expand the Transmission Control Protocol section and the Flags subtree.
So when a port is open, the scanned host replies with a packet carrying the SYN and ACK flags. Let's find those packets and determine the number of open ports on the attacked machine by filtering the traffic.
In the Display Filter field of Wireshark, enter the following filter (0x12 is SYN plus ACK; the equivalent form tcp.flags.syn == 1 && tcp.flags.ack == 1 also works, and adding && ip.src == 192.168.112.139 restricts the result to the target's replies):
tcp.flags == 0x12
After analyzing the capture we know the following. On October 1, 2021 at 12:31 PM, an attacker at 192.168.112.128 began scanning the host 192.168.112.139, whose MAC address is 00:0C:29:B7:CA:91. The scan showed seven open ports on the attacked machine: 25, 110, 135, 139, 143, 445, 587.
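To make the handshake rules above checkable without clicking through every packet, here is a small Python script (an added example, not part of the lab or of the original write-up) that reads a classic pcap file directly with the standard library, applies the same rules to every TCP packet and reports the open and closed ports and the time of the first probe. It goes a little beyond the manual filter: it also records closed ports (RST/ACK replies) and looks only at replies coming from the scanned host, so the scanner's own RST packets are never counted. The capture it runs on is constructed in memory (the scanner at 192.168.112.128 probing 192.168.112.139 on ports 25, 80 and 445); the timestamps and the scanner's MAC address are made up, and `analyze()` accepts the bytes of a real pcap file instead.

```python
"""Classify a TCP connect scan from a pcap file (added example, stdlib only)."""
import struct
from datetime import datetime, timezone
from ipaddress import ip_address

# TCP flag bits, as shown in Wireshark's Flags subtree
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Hosts from the capture; the scanner's MAC and all timestamps below are constructed
SCANNER, TARGET = "192.168.112.128", "192.168.112.139"
SCANNER_MAC, TARGET_MAC = "00:0c:29:11:22:33", "00:0c:29:b7:ca:91"


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, src_mac, dst_mac):
    """Ethernet/IPv4/TCP frame without payload; checksums left zero (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip + tcp


def build_pcap(frames):
    """(timestamp, frame_bytes) pairs -> bytes of a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts, src_ip, dst_ip, sport, dport, flags) for each IPv4/TCP frame in a pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"       # pcapng is not handled here
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                    # not IPv4
        tcp = 14 + (frame[14] & 0x0F) * 4               # Ethernet header + IHL
        if frame[14 + 9] != 6 or len(frame) < tcp + 14:
            continue                                    # not TCP, or truncated
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield (sec + usec / 1e6, str(ip_address(frame[26:30])),
               str(ip_address(frame[30:34])), sport, dport, frame[tcp + 13])


def classify_scan(packets, scanner, target):
    """SYN/ACK from the target = open port, RST/ACK from the target = closed port.
    Only the target's replies are examined, so the scanner's own RST that closes a
    completed handshake cannot be misread."""
    result = {"open": set(), "closed": set(), "first_probe": None, "probes": 0}
    for ts, src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target and flags == SYN:
            result["probes"] += 1
            if result["first_probe"] is None:
                result["first_probe"] = ts
        elif src == target and dst == scanner:
            if flags == (SYN | ACK):          # Wireshark: tcp.flags == 0x012
                result["open"].add(sport)
            elif flags == (RST | ACK):        # Wireshark: tcp.flags == 0x014
                result["closed"].add(sport)
    result["open"], result["closed"] = sorted(result["open"]), sorted(result["closed"])
    return result


def sample_capture():
    """Constructed connect scan: port 25 open, port 80 closed, port 445 open."""
    t0 = 1633091460.0                       # arbitrary epoch base, not from the lab
    def pkt(i, sport, dport, flags, from_scanner=True):
        src, dst = (SCANNER, TARGET) if from_scanner else (TARGET, SCANNER)
        sm, dm = (SCANNER_MAC, TARGET_MAC) if from_scanner else (TARGET_MAC, SCANNER_MAC)
        return t0 + i * 0.001, build_tcp_frame(src, dst, sport, dport, flags, sm, dm)
    return build_pcap([
        pkt(0, 40001, 25, SYN), pkt(1, 25, 40001, SYN | ACK, False),
        pkt(2, 40001, 25, ACK), pkt(3, 40001, 25, RST),
        pkt(4, 40002, 80, SYN), pkt(5, 80, 40002, RST | ACK, False),
        pkt(6, 40003, 445, SYN), pkt(7, 445, 40003, SYN | ACK, False),
        pkt(8, 40003, 445, ACK), pkt(9, 40003, 445, RST),
    ])


def analyze(pcap_bytes=None):
    """Classify the scan in pcap_bytes (defaults to the constructed capture)."""
    data = sample_capture() if pcap_bytes is None else pcap_bytes
    return classify_scan(parse_pcap(data), SCANNER, TARGET)


if __name__ == "__main__":
    r = analyze()
    start = datetime.fromtimestamp(r["first_probe"], tz=timezone.utc)
    print(f"scan of {TARGET} from {SCANNER} started {start:%Y-%m-%d %H:%M:%S} UTC, "
          f"{r['probes']} probes, open {r['open']}, closed {r['closed']}")
```

To run it against the lab capture, call `analyze(open("capture.pcap", "rb").read())` with the file's real name; the parser understands only the classic pcap format, so if Wireshark saved the capture as pcapng, export it as pcap first (File → Save As and pick the pcap format).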
Let’s consider the attacker’s further actions by continuing to analyze the network traffic dump.
At 12:31:54 PM the attacker sends an email to the SMTP server on port 25 of 192.168.112.139. Starting with packet 2645 you can see the SMTP exchange; see the linked blog post for a complete list of the protocol's commands.
Let's follow the TCP stream and parse the SMTP commands and the message header. To do this, right-click one of the SMTP packets, choose Follow in the context menu and then TCP Stream. The stream containing the SMTP exchange has number 1183.
The EHLO command introduces the client to the SMTP server. Here the client name is kali, and the server answers with status code 250, meaning the greeting was accepted and the session can continue.
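The same extraction can be automated once the stream is saved as text. The Python below is an added example, not code from the lab or from the original article. It takes a follow-TCP-stream transcript of an SMTP session, tells server replies apart from client commands by the three-digit reply code (which is all Wireshark's merged ASCII view leaves you), pairs each command with the server's final reply code (multi-line 250- replies are handled), collects the DATA section and parses the message headers and attachment names with the standard `email` library. The transcript embedded in it is constructed: only the EHLO name kali and the 250 replies mirror the capture; the addresses, subject, attachment name and content are placeholders.

```python
"""Parse a follow-TCP-stream transcript of an SMTP session (added example)."""
import re
from email import message_from_string

# A server reply starts with a 3-digit code; "-" after the code means more lines follow
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
COMMAND = re.compile(r"^([A-Za-z]{4})\b\s*(.*)$")

# Constructed transcript, merged the way Wireshark's Follow TCP Stream shows it.
# Only "EHLO kali" and the 250 codes mirror the lab capture; the rest is placeholder data.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.local ESMTP",
    "EHLO kali",
    "250-mail.example.local",
    "250-SIZE 10240000",
    "250 8BITMIME",
    "MAIL FROM:<sender@example.test>",
    "250 2.1.0 Ok",
    "RCPT TO:<user@example.local>",
    "250 2.1.5 Ok",
    "DATA",
    "354 End data with <CR><LF>.<CR><LF>",
    "From: sender@example.test",
    "To: user@example.local",
    "Subject: Invoice",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Please see the attached document.",
    "--b1",
    'Content-Type: application/msword; name="invoice.doc"',
    "Content-Transfer-Encoding: base64",
    "",
    "cGxhY2Vob2xkZXI=",            # base64 of the word "placeholder", not a real document
    "--b1--",
    ".",
    "250 2.0.0 Ok: queued",
    "QUIT",
    "221 2.0.0 Bye",
])


def _addr(arg):
    """MAIL FROM:<a@b> / RCPT TO:<a@b> -> a@b (falls back to the bare argument)."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


def parse_smtp_stream(stream):
    """Return envelope data, the (command, final reply code) sequence and the parsed message."""
    session = {"ehlo": None, "mail_from": None, "rcpt_to": [], "exchange": [], "message": None}
    pending, in_data, body = None, False, []
    for raw in stream.splitlines():
        line = raw.rstrip("\r")
        if in_data:                                   # message text until a lone "."
            if line == ".":
                in_data = False
                session["message"] = message_from_string("\n".join(body) + "\n")
            else:
                body.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            continue
        m = REPLY.match(line)
        if m:
            code, sep = int(m.group(1)), m.group(2)
            if sep == " ":                            # last line of this reply
                session["exchange"].append((pending or "<banner>", code))
                if pending == "DATA" and code == 354:
                    in_data = True                    # keep pending so the post-message 250 pairs with DATA
                else:
                    pending = None
            continue
        m = COMMAND.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        pending = verb
        if verb in ("EHLO", "HELO"):
            session["ehlo"] = arg.strip()
        elif verb == "MAIL":
            session["mail_from"] = _addr(arg)
        elif verb == "RCPT":
            session["rcpt_to"].append(_addr(arg))
    return session


def attachments(msg):
    """(filename, content type) for every MIME part that carries a file name."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    s = parse_smtp_stream(SAMPLE_STREAM)
    print("client:", s["ehlo"], "| from:", s["mail_from"], "| to:", s["rcpt_to"])
    print("exchange:", s["exchange"])
    print("subject:", s["message"]["Subject"], "| attachments:", attachments(s["message"]))
```

In Wireshark's Follow TCP Stream dialog, switch "Show data as" to ASCII and use Save as... to write the conversation to a file; the text that produces is what `parse_smtp_stream()` expects. Because the client and server lines are merged in that view, the reply-code rule is the only thing separating the two sides, which is why the parser checks for a reply before it checks for a command.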