Category: Writeups

Home / Category: Writeups

Register yourself if you have not yet.

Access the challenge at http://ringzer0team.com/challenges/11

Download the subject,  the checksum:

  • f6816b590d2021a16ba8005aa235e6a3 (md5)
  • b8c18db3e4678e09683e3b20e9004d1183c2420b (sha1)

The challenge clearly instruct as to utilize GDB. In this case, I have customize my GDB using init script which can be downloaded from my github.

After downloading the binary, ran ‘file’ then ‘readelf’ to get some initial information about the file.

# file 88eb31060c4abd0931878bf7d2dd8c1a
88eb31060c4abd0931878bf7d2dd8c1a: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=a5f44b829c4727ed369f823f19d575087673f34e, not stripped

# readelf -h 88eb31060c4abd0931878bf7d2dd8c1a
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048380
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4508 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         30
  Section header string table index: 27

We know the entrypoint which is 0x8048380 and certain that the file is ELF32.

Load the binary to GDB, we use Intel syntax instead of AT&T syntax and break to entrypoint. We then run the binary so we can reach our breakpoint.

# gdb 88eb31060c4abd0931878bf7d2dd8c1a
gdb$ set disassembly-flavor intel
gdb$ break *0x8048380
gdb$ run

If you are using my .gdbinit script you can see the all the registers. If not, see the disassembly of $eip and let’s analyze the code.

gdb$ disassemble $eip

See the code and learn that there are interesting parts.

...
   0x080484ae <+66>:	mov    DWORD PTR [eax],0x47414c46
   0x080484b4 <+72>:	mov    DWORD PTR [eax+0x4],0x3930342d
   0x080484bb <+79>:	mov    WORD PTR [eax+0x8],0x32
...
   0x080484e9 <+125>:	mov    DWORD PTR [eax],0x75393438
   0x080484ef <+131>:	mov    DWORD PTR [eax+0x4],0x6a326f69
   0x080484f6 <+138>:	mov    WORD PTR [eax+0x8],0x66
...
   0x08048530 <+196>:	mov    DWORD PTR [eax],0x6a736c6b
   0x08048536 <+202>:	mov    DWORD PTR [eax+0x4],0x6c6b34

All of them are pushing the code into some region of memory pointed by eax. It’s ASCII, if you know. Let’s search it in our ASCII table.

0x47414c46   ==> GALF
0x3930342d   ==> 904-
0x32         ==> 2
...
0x75393438   ==> u948
0x6a326f69   ==> j2oi
0x66         ==> f
...
0x6a736c6b   ==> jslk
0x6c6b34     ==> lk4

Well, it doesn’t make sense, unless you remember they are pushed in reverse order for each word. So, the flag would be

FLAG-4092849uio2jfklsj4kl

Submit the flag!

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 20 above.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 20

ssh [email protected]

pass:

There exist an executable file “suconnect”. It makes a connection to localhost on the port we specify as commandline argument. It then reads a line of text from the connection and compares it to the password in the current level. If the password is correct, it will transmit the password for level 21.

All we need to do is run nc listening on a random port, then connect to it with suconnect. Then we send the password throuch the nc session and suconnect sends back the new password.

$ nc -l 13510 < /etc/bandit_pass/bandit20 &
$ ./suconnect 13510

Level 21

ssh [email protected]

pass:

There is a cron job that we need to look at. In /etc/cron.d there exist some cron files, but our objective is cronjob_bandit22 which look promising. Investigate it to see what this script do.

The script will execute a script on /usr/bin/cronjob_bandit22.sh which will dump /etc/bandit_pass/bandit22 to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file.

$ cat /etc/cron.d/cronjob_bandit22
$ cat /usr/bin/cronjob_bandit22.sh
$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh [email protected]

pass:

Another cronjob. This time, the script used by cronjob is copying /etc/bandit_pass/bandit23 as something in /tmp. There’s no need for you to figure out the filename, we can always recreate the condition.

$ cat /etc/cron.d/cronjob_bandit23
$ cat /usr/bin/cronjob_bandit23.sh
$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)

Level 23

ssh [email protected]

pass:

Another cronjob.

In this level, we need to create our own shell script to run. The cronjob script will execute (and later delete) scripts on /var/spool/bandit24. That way, we can create a script on that directory which dump password from /etc/bandit_pass/bandit24 to anywhere we desire. We just need to make sure the script is executable.

The script we create:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass
chmod 777 /tmp/bandit23xathpass

Then we do:

cat /tmp/bandit24xathpass

Level 24

ssh [email protected]

pass:

Another tedious level.

There exist a service running on port 30002. It asks two words: password for bandit25 and secret number 4-digit pincode. Those two words are separate by a space. Our only option is bruteforcing all 10000 combinations.

This is one line command but arranged in multiline for clarity.

pass=$(cat /etc/bandit_pass/bandit24)
for i in {0000..9999}; do {
   if 
      echo "$pass $i" | nc localhost 30002 | grep Wrong > /dev/null;
   then 
      echo $i;
   else 
      echo "$pass $i" | nc localhost 30002 && exit;
   fi 
}
done

Level 25

ssh [email protected]

pass:

Logging in to bandit26 from bandit25 should be easy. But when we try to login something strange happen. It’s because the shell is not /bin/bash. Let’s see what it is.

$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

It’s /usr/bin/showtext,  what’s the content?

$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0

more on text.txt. It turns out we can escape to ‘vim’ by pressing ‘v’. Once in vim, invoke this.

:r /etc/bandit_pass/bandit26

Level 26

ssh [email protected]

pass:

Not Available Yet.

Level 27

ssh [email protected]

pass:

Not Available Yet.

Level 28

ssh [email protected]

pass:

Not Available Yet.

Level 29

ssh [email protected]

pass:

Not Available Yet.

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 10 to level 19.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 10

ssh [email protected]

pass:

File data.txt is indeed a plaintext. However the password is encoded with base64 inside. Decoding is simple using base64 utility.

base64 -d data.txt

Level 11

ssh [email protected]

pass:

The password is written inside data.txt. This time is is encrypted by ROT13 (or Caesar Cipher). It means every character in the text has been rotated 13 letters. We can use tr utility to reverse it.

cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Level 12

ssh [email protected]

pass:

This problem is not hard, but tedious. The direction gives us information that the data has been compressed several way and we need to decompress it accordingly. However we cannot use home directory, thus we use /tmp dirctory to store temporary file.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8

Level 13

ssh [email protected]

pass:

It is quite simple. When we login to account bandit13, we see a private SSH Key in the home directory. Supply SSH utility with it to login as bandit14. After that, we aim at /etc/bandit_pass directory and search for /etc/bandit_pass/bandit14 to know the password for bandit14 password. Here is how we do that:

ssh [email protected] -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh [email protected]

pass:

In this level our objective is to submit our current password to the server on port 30000. A simple command using netcat can be used here.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh [email protected]

pass:

Similar to level14, we need to send our current password to port 30001. However, this time we need to use SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh [email protected]

pass:

The direction gives us a range of ports, 31000-32000. Our target port is using SSL and will give us the next password if we supply with our current password. First we need to port scan it to detect which port is active. We also use nmap to scan service version if possible.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

However 31046, 31691, and 31960 is out, since those are echo or SSH server. The possible ones are 31518 and 31790, so we will just try both of them.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn’t gives anything back so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

We get a RSA private key, save the key as /tmp/bandit17.privkey then login to bandit17 and get the password.

chmod +x /tmp/bandit17.privkey
ssh [email protected] -i bandit17.privkey
cat /etc/bandit_pass/bandit17

Level 17

ssh [email protected]

pass:

We are given two files: password.old and password.new. The new password is the only line different between two, so we can use diff to find it.

diff password.new password.old

Level 18

ssh [email protected]

pass:

Someone has modified .bashrc to immediately log us out when we are trying to login. We can run commands as we login and then see the password stored in ~/readme.

ssh [email protected] -t 'cat readme'

Level 19

ssh [email protected]

pass:

In this level we are given setuid binary in the home directory. We don’t know yet what to do so we see the usage by run it without arguments. After learning how to run it, we can use it for our purpose.

./bandit20-do cat /etc/bandit_pass/bandit20

Initially I post the password in this article. When I move the article here from old site, I think I should remove it.

OverTheWire.org is one of good site offer WarGames. In this context, WarGame is a game specifically designed to help people learn and practice security concepts in the form of fun-filled game. One of wargame category provided by OverTheWire is Bandit category which is aimed at absolute beginners.

This writeup contains solutions of the OverTheWire challenges Bandit category which I solved. The solutions written here is for level 0 to level 9.

Jump Table

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. Every level beaten will give clue how to start next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 0

ssh [email protected]

pass: bandit0

The simplest challenge. You only need to login to the system via SSH. Once you are in, get the password for next level by:

cat readme

Level 1

ssh [email protected]

pass:

Another simple challenge. Once you are login, you will notice a file on home directory named ‘-‘. Since the dash is a special character, we need special treatment.

cat ./-

Level 2

ssh [email protected]

pass:

Another simple challenge. Once you are login, you will notice a file on home directory named “spaces in this filename” (without quote). There are spaces in the filename, so we need extra treatment. There are two ways to solve this: write the filename in the quote, use escape character. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename

Level 3

ssh [email protected]

pass:

There is a folder called inhere. It apperas blank at the first glance. However it’s not the case, there is a hidden file there.

cd inhere
ls -la
cat .hidden

Level 4

ssh [email protected]

pass:

Still, there is a directory called inhere. There we have few files inside. The direction said, password is the only human readable file, so with the file command we can see that the only ASCII text file is “-file07”

cd inhere
file ./*
cat "file07"

Level 5

ssh [email protected]

pass:

A folder with a bunch of folders inside, recursively. The direction told us the file containing password is 1033 bytes and we have to find a file with specific size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh [email protected]

pass:

Nothing on our home directory. The file is located somewhere on the server with the user bandit7 and the group bandit6. It also has 33 byets in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution:

ls -Rla / | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep '33|bandit5'

Level 7

ssh [email protected]

pass:

There is a file called data.txt in our home directory. It is a huge file we need to parse through. The password is located next to word millionth. We can simply use grep to solve this.

grep "millionth" data.txt

Level 8

ssh [email protected]

pass:

Password is found on the only unique line in the file data.txt. We can use sort and uniq to find it.

sort data.txt | uniq -u

Level 9

ssh [email protected]

pass:

Now it’s on binary file. We can’t easily grep through it. However we can use strings then grep through it. The direction said that the password is on one of the only lines beginning with an equal sign.

strings data.txt | grep =

Digital Forensics : Ann’s Aurora

December 11, 2015 | Labs, Writeups | No Comments

Ann’s Aurora is a digital forensic challenge created by SANS Digital Forensics & Incident Response (DIFT). This problem is released as a public challenge for communities. The problem can be considered as network forensic released as per 2011 with not so complicated difficulty. The challenge can be seen on this link.

This article will discuss about solution for Ann’s Aurora case.

All steps performed here has been tested on following environment:

  1. Windows 8.1 64-bit
  2. Linux Slackware 14.1 64-bit
  3. Sans Institute Forensics Toolkit (SIFT) Linux version 3.0

And tools used here is:

  1. Wireshark

Most of screenshot taken here are result of test performed on machine [1], however we have ensure that all steps are applicable to machine [2] and [3].

Incident Description

Ann Dercover want to steal secret recipe from SaucyCorp. She then tailing lead developer Vick Timmes and investigate how to access SaucyCorp server. Ann know Vick login with his laptop computer (IP 10.10.10.70) and do VPN connection to SaucyCorp.

Ann then use 0-day exploit for Internet Explorer and attack with Client-Side Spear Phising Attack to fool Vick Timmes browser.

List of Goals

Basically, this case has following foals:

  1. Know full URI of web request done by Vick Timmes.
  2. Know content of 1300-element wide array labeled as COMMENT which is response from Ann.
  3. Know second HTTP request done by Vick
    • Requested file name
    • MD5 hash value of requested file name
  4. Know time of TCP session establishment on port 4444
  5. Know time of TCP session closed on port 4444
  6. Know type and MD5 hash value of packet 17 from server.
  7. To Analyze Vick’s computer behavior when trying to establish connection to server on port 4445 after disconnected from port 4444.
    • How fast TCP Initial Sequence Number does changed.
    • How fast IP ID does changed.
    • How fast source port does changed.
  8. Know time of connection to port 4445 successfully established.
  9. Know MD5 hash value of data sent on port 4445 by server.
  10. Know time of TCP closed on port 4445.

These goals is summary of questions / goals proposed by the challenge, which can be seen on following link.

Evidences

The only evidence we have is a pcap formatted file “evidence06.pcap”. This file is records of all activities in network at incident time. The evidence can be downloaded freely on this link. To download it, you have to login to member area, which you can register there free.

Analysis

Preliminaries

File evidence06.pcap has MD5 hash: efac05c50c0ae92bf0818e98763920bd

Following screenshot prove it. This value should be similar to value written on challenge page.

uas_1

Know we want to know some general information about it.

  1. How many IP address involved?
  2. How many pair of (source,destination) port involved?

This means to grab raw estimation about scope of analysis.

For first goal, we use tshark which is command line version of wireshark. Our attention go to source and destination address recorded on this file.

Sender addresses can be extracted by:

tshark –r evidence06.pcap –T fields –e ip.src | sort | uniq

Which has following result:

uas_2

It should be clear that there are two unique address as sender address on this file:

  • 10.10.10.10
  • 10.10.10.70 (Vick Timmes)

We guess that 10.10.10.10 is Ann Dercover machine.

Destination addresses can be extracted by:

tshark –r evidence06.pcap –T fields –e ip.dst | sort | uniq

Which has following result:

uas_3

It is clear that the addresses which involved as destination address are:

  • 10.10.10.10 (probably Ann Dercover)
  • 10.10.10.70 (Vick Timmes)
  • 10.10.10.255

Address 10.10.10.10 and 10.10.10.70 exists on both side, we then make a hypothesis that both machine has direct communication each other. While address 10.10.10.255 only appear on destination side. We guess that this address is server of SaucyCorp server which is targeted by Ann Dercover.

Next we want to know pair of port used for data exchange. There are two type of transfer protocols: TCP and UDP.

tshark –r evidence06.pcap –T fields –e tcp.port | sort | uniq

Following is the result:

uas_4

And UDP port pairs:

tshark –r evidence06.pcap –T fields –e tcp.port | sort | uniq

With following result:

uas_5

Note that all pairs are not representing established connection. We know that one connection might use different pair on runtime which is quite common.

Attack Vector used by Ann is Microsoft Internet Explorer “Aurora” Memory Corruption. This exploit is indexed as MS10-002 pada bulletin Microsoft Security (https://technet.microsoft.com/library/security/ms10-002) or CVE-2010-0249 on Common Vulnerabilities and Exposures (http://www.cvedetails.com/cve/2010-0249).

Basically, this exploit attack browser Internet Explorer by the way Internet Explorer handle deleted objects. This exploit first create massive-size temporary garbage data. Next when the data is deleted, exploit will point to that memory location and attack can plan malware there. In this case, the payload used is Trojan Hydraq.

Goal I Solution (Full URI)

Seeing first packet we can get full URI as following:

uas_6

uas_1a

In other words, URI accessed by Vick is: http://10.10.10.10:8080/index.php

First packet is a part of HTTP request to get index page. Response to this request is packet indexed as packet 2 to packet 6 and also packet 8, which are subject to Goal 2.

Goal II Solution (Response String)

Second packet is an ACK message of first HTTP request, while the response text are given as packet 3 to packet 6 and also packet 8. Five of them are pieces of HTML file which is content of index page.

To get all of those fragments, we should track every packet involved. Right click on the first packet and use “Follow TCP Stream”. Make sure we use “Raw” option. The message is plaintext, so we can copy the content directly.

The content of that file can be seen on this link.

To ease analysis, we can do identifier substitution. Identifier substitution can be done without alter the script logic. The modification can be seen on this link.

In this part, we wan to know what the content of 1300 object array are. This can be done by source code analysis which refer to simplified and deobfuscated code.

The code will execute function “func2(event)” when the page is loaded for first time. Function func2() will then create a time which will execute func3 on next 50 milliseconds. This means, func3() will be executed, whatever it is. While func1() only executed once when executing func2(). Based on our knowledge that attack vector used is CVE-2010-0249, we know that func1() is responsible to generate massive-size temporary object which later be deleted.

About 1300 object created on array var2. Data on this array is a unicode-escaped string. The string is:

\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d

Or can be interpreted as following strings:

ఏ఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍఍

This massive object is used to flood the system and create perfect condition to execute the exploit, see further on (http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit).

Goal III Solution (Second HTTP Request)

Second HTTP request is done to obtain http://10.10.10.70:8080/ index.phpmfKSxSANkeTeNrah.gif

It is a GIF file on iframe which is automatically downloaded by browser. Request to this file is pointed by packet 9. While the response itself is on packet 11.

The requested file is a GIF file which can be seen by the signature in header as following:

uas_8

Right click on “Compuserve GIF, Version: GIF89a” in packet content and choose “Export Selected Packet Bytes”. Save it as GIF.

Our MD5 value calculation give us df3e567d6f16d040326c7a0ea29a4f41.

uas_9

Goal IV Solution ( Opening TCP Session Port 4444 )

To know time of connection establishment, we need to build basic understanding:

  • Destination IP address is 10.10.10.10
  • Destination port is 4444

Thus, we can set rule on Wireshark as following:

ip.dst==10.10.10.10 && tcp.dstport==4444

Knowing TCP three-way handshake, we know that connection is established when TCP handshake finished. It is marked by ACK message from initiator (one who want to connect). In this case, 10.10.10.70 to 10.10.10.10.

Inspection will lead us to packet 13 and 15. Packet 13 is a SYN message to start TCP handshake and packet 15 is ACK acknowledge and finish TCP handshake. Beyond this point, TCP session has been established.

Packet 15 is on 1.3 seconds offset relative to first packet seen on this file. It means the connection is opened on 1.3.

Goal V Solution ( Closing TCP Session Port 4444 )

To know time of connection closed, we need to build basic understanding:

  • Destination IP address is 10.10.10.10
  • Destination port is 4444

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4444) || (ip.dst==10.10.10.70 && tcp.srcport==4444)

Knowing TCP four-way handshake to close connection, we got idea about how TCP connection closed. It is marked by ACK from initiatior. However, we cannot point yet who become initiator, whether 10.10.10.10 or 10.10.10.70 both have possibilities. Therefore we need to look it on two conditions.

Inspection will lead us to pair packet 1563, 1565 and 1562,1564. Packet 1562 and packet 1563 are packet [FIN,ACK] where packet 1562 is sent first from 10.10.10.10 to 10.10.10.70.Therefore we can conclude that the server has initiative to end the connection after it finish transmitting. ACK packet is sent by 10.10.10.10 on packet 1564 to state end of connection.

Packet 1564 is on 87.6 second, which means the connection ended on 87.6

Goal VI Solution( Sent File Type )

Inspected packet is packet 17. We need to check header of the payload and search for some signatures.

uas_7

Here, we see that MZ is a signature for PE32 executable file. We then have confidence after see string “This program cannot be run in DOS mode” which is backward compatibility offered by Microsoft to ensure program is still recognized by older Windows but not for running purpose.

Therefore, the file sent is a Windows executable or PE32.

To do extraction, we need to collect fragments by using “Follow TCP Stream” on packet 17. Click “Save As” to store it, let say as “suspect1.exe”

MD5 checksum can be computed by following: b385b7cf73ba0e75b20e4fdb310717c2

uas_10

Goal VII Solution ( Vick’s Computer Behavior )

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

By previous goal (goal VI), we know that connection to port 4444 is closed on packet 1564, 87.6 second. Therefore we focus our attention to packet after 1564, which are 1566 and 1656 (when 10.10.10.10 send RST notification and 10.10.10.70 send SYN back).

1. Initial Sequence Number

Initial Sequence Number is a unique 32-bit embedded to any new connection on TCP-based connection. ISN value expected to be random. Sequence number is the 4th octet on TCP header.

On packet 1566, ISN is 26. Here is the table of first 5 ISN number:

Initial Sequence Number # Packet Entry
26 1557 (6 entries)
27 1568 (6 entries)
28 1574 (6 entries)
29 1580 (6 entries)
30 1586 (6 entries)

 

In this pattern we get conclusion that ISN changing is done for every three packets. This is based on knowledge that the entries are actually pair of request-response.

2. IP ID

IP ID or Internet Protocol Identification is 16-bit number used to identify fragment groups from IP datagram. IP ID is the 4th octet of IP header.

On packet 1566, IP ID is 553. Here is table of first 10 IP ID seen:

IP Identification # Packet Entry
553 1566 ( 2 entries)
554 1568 ( 2 entries)
555 1570 ( 2 entries)
556 1572 ( 2 entries)
557 1574 ( 2 entries)
558 1576 ( 2 entries)
559 1578 ( 2 entries)
560 1580 ( 2 entries)
561 1582 ( 2 entries)
562 1584 ( 2 entries)

 

By this pattern, we can conclude that IP ID is changing for every packet sent. This is based on knowledge that the entries are actually pair of request-response.

Note: IP header in this file is referred to IPv4 header.

3. Source Port

Source Port is 16-bit number used identify port for sending packet. This number is the 0-th octet on TCP header.

Packet 1566 has Source Port 1041. Here we present table of 4 first Source Port seen:

Source Port # Packet Entry
1041 1533 (35 entries, 12 seconds)
1042 1568 (30 entries, 12 seconds)
1043 1598 (30 entries, 11 seconds)
1044 1628 (30 entries, ~ seconds)

 

In this pattern, we can conclude that Source Port is changing in interval between 10 and 15 seconds from previous port usage.

Goal VIII Solution ( Opening TCP Session Port 4445)

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

From goal VII we get that connection establishment are tried until packet 1656 [SYN]. In packet 1657 we see that 10.10.10.10:445 gives response [SYN,ACK] signaling that TCP three-way handshake is on the way.

TCP three-way handshake for port 4445 is finished on packet 1657 when 10.10.10.70 send packet ACK so connection is established on packet 1657.

Packet 1567 happen on 123.7 which means the connection is open on 123.7.

Goal IX Solution ( MD5 Hash of Executable File )

Ann (10.10.10.10) has initiative to send executable file to Vick (10.10.10.70), seen from packet 1659 which is [PSH,ACK] message. The message itself is sent from packet 1660. Using “Follow TCP Stream” on packet 1660, we can see whole data exchange. However the data itself is defected with following message: “[1436350345 bytes missing in capture file]”

Save the PE32 data as suspect2.exe and click “Save As”. Open up suspect2.exe using editor capable of viewing hex number (however hexeditor is recommended). Delete the first 42 bytes so we have MZ signature.

MD5 calculation gives us efbf686f09de864bd0058dab650ac34a as result of checksum.

uas_11

Goal X Solution (Closing TCP Session Port 4445)

For this goal, we need to use following understanding

  • Destination IP address is 10.10.10.10
  • Destination port is 4445

Thus, we can set rule on Wireshark as following:

(ip.dst==10.10.10.10 && tcp.dstport==4445) || (ip.dst==10.10.10.70 && tcp.srcport==4445)

Knowing TCP four-way handshake, we know that connection closed when TCP handshake is over. It is marked by ACK from initiator. However, we don’t know for sure yet who the initiator is.

Inspection lead us to pair packet 2552, 2554 and 2551,2553. Packet 2552 and packet 2553 are packet [FIN,ACK] where packet 2552 is sent first from 10.10.10.70 to 10.10.10.10. Therefore we can get conclusion that client has initiative to end the connection after server finish sending the data. Packet ACK is sent by 10.10.10.70 on entry 2554, present us to fact that connection is ended.

Packet 2554 happen on 198.4 which means the connection is closed roughly at 198.4 seconds relative to first of packet.

Conclusion

Ann Dercover has done break-in activity and has been proved planting malware to Vick Timmes.

To know what data stolen are, further investigation is needed.


Satria Ady Pradana
I3510030
School of Electrical Engineering & Informatics
Institut Teknologi Bandung

Social media & sharing icons powered by UltimatelySocial