Differences
This shows you the differences between two versions of the page.
|
cdci:labs:3 [2021/04/09 18:03] mihai.chiroiu |
cdci:labs:3 [2025/01/21 19:20] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab03. Network discovery ====== | + | ====== Lab03. Malware sample analysis ====== |
| - | <note warning> | + | ===== Objectives ===== |
| - | Important read to be graded! | + | |
| - | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | + | |
| - | </note> | + | |
| - | ===== Objectives ===== | + | * Investigate a possible malware using Windows tools |
| + | * Consider the network traffic of a malware | ||
| + | * Analyze the files and registers used by a malware | ||
| + | * Modify a malware and see the behavior of an anti-virus solution | ||
| - | * Network discovery using nmap | ||
| - | * Wireshark usage for protocol dissection | ||
| ===== Topology ===== | ===== Topology ===== | ||
| - | For this lab you will have to discover the topology manually. | + | For this exercise you will need a Windows 10 virtual machine. |
| ===== Tasks ===== | ===== Tasks ===== | ||
| ==== 01. [5p] Virtual machine setup ==== | ==== 01. [5p] Virtual machine setup ==== | ||
| - | First, make sure that your virtual machine is updated, run the provided update.sh script. | + | <note warning> |
| - | Next, in one terminal start the provided Mininet topology. | + | **If your VM networking is connected to your computer network, your computer might get infected during this lab activity. Create a snapshot for the VM before you continue.** |
| - | <code> | + | |
| - | root@cdci:/# cd cdci/lab03 | + | |
| - | root@cdci:/# /usr/bin/python3 topology.py | + | |
| - | </code> | + | |
| - | If there are any problems with starting the topology (if all is good you should see the Mininet prompt ">") use the given cleanup script and try to restart the topology. | + | </note> |
| - | ==== 02. [10p] Connecting to the network ==== | + | Open the Windows 10 virtual machine and make sure that it is not connected to the local network and it does have Internet access via NAT interface (not bridged). Turn off your Windows defender protection (Windows Settings->Update & Security->Windows Security->Virus & threat protection->Virus & threat protection Settings->Turn off Real-time protection). |
| - | The main goal of the lab is to discover the network infrastructure and protocols available. The attacker is connected directly into sw0 using eth0. First, login into the attacker's docker using the "attacker_bash.sh" script. | + | {{ :cdci:labs:cdci_lab01_disable-windows-defender.png?600 |}} |
| + | ==== 02. [5p] Lab setup ==== | ||
| - | The network uses DHCP, so you can get an IP address. Investigate the obtained resources via the DHCP protocol (IP address, routes, etc.) and write them down. | + | Download the [[https://drive.google.com/open?id=11WTT3NYUfVk7UopVnUc-uf9SKgvzIcOf|lab setup]] files from the assistant. Install the programs and extract the sample files. |
| - | <solution> | + | <note> |
| - | <code> | + | The sample archive contain one malware and uses the "malware" password. |
| - | root@attacker:/# ip a f attacker-eth0 | + | |
| - | root@attacker:/# dhclient attacker-eth0 | + | |
| - | root@attacker:/# ip r s | + | |
| - | 10.0.0.0/8 via 10.255.255.249 dev attacker-eth0 | + | |
| - | 10.255.255.0/24 dev attacker-eth0 proto kernel scope link src 10.255.255.207 | + | |
| - | root@attacker:/# ip a s | + | |
| - | 165: attacker-eth0@if164: | + | |
| - | inet 10.255.255.207/24 brd 255.255.255.255 scope global dynamic attacker-eth0 | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 03. [10p] DHCP protocol inspection ==== | + | |
| - | + | ||
| - | <note important> | + | |
| - | For tcpdump to work inside the Docker container use '-Z root' as an argument. This will force tcpdump to run as a root. | + | |
| </note> | </note> | ||
| + | ==== 03. [10p] Initial file analysis ==== | ||
| - | Now, that you are connected to the network re-run the DHCP protocol and save it using "tcpdump". First, make sure that you flush the IP addresses on the interface ("ip a f"). You might need to open a second terminal to the attacker's docker. Open the saved capture on your local computer using Wireshark and inspect the DHCP process. Try to answer the following questions. | + | Your network administrator has provided you with 10 files that look suspicious and where caught by the network security equipment. Your job is to determine if there is any suspicious file and find out as much information about it as possible. Fill in the following data for each file. Try to do this using a (PowerShell) script. |
| - | * How can you filter the traffic to view only the DHCP packets? | + | |
| - | * What is the duration of the lease? | + | |
| - | * Can you identify the DHCP option regarding routing information? What number is it? Which is the network and next hop information? | + | |
| - | ==== 04. [15p] Basic topology discovery ==== | + | ^ Filename ^ Type of file (EXE,DLL,etc.) ^ Original filename ^ Date modified ^ MD5 hash ^ |
| + | | - | - | - | - | - | | ||
| + | ==== 04. [5p] File compare ==== | ||
| - | Now that you know what your network is, find out all available hosts within your subnet. For this job you can use the "nmap" tool and perform a very fast ping scan. You got a hint that all the networks use a /24 mask and that the default gateway uses .1 as its IP address. Optimize the nmap scanning time, search in the nmap manual for timing and performance options (in the virtual environment the RTT is typically less than 5ms). | + | Is the previous information enough? Does it really help? Use the WinMergePortable.exe program and compare “test1.exe” against “test2.exe”. What about their hashes, how close are them? Consider the file properties and spot the differences. |
| + | ==== 05. [15p] Behaviour analysis ==== | ||
| - | <note tip> | + | <note> |
| - | To scan only for a [[https://nmap.org/book/man-target-specification.html|specific range]] of IP addresses you can use nmap range for target specification, e.g., 192.168.0-255.1. | + | Sometimes this malware versions needs a second re-execution just to speed it up. Do not restart your computer. |
| - | </note> | + | </note> |
| - | <note tip> | + | Find out which of the files are executables and start them. Observe their behavior. |
| - | You should discover 5 gateways/networks in the topology. | + | * Write down the commands that the program is trying to execute (we will investigate those later). |
| - | </note> | + | * What happened to your test folder (from which the ransomware was started)? |
| + | * Wait for the computer to get fully infected, consider your “Documents” or “Desktop” folder and see if you can see the decryptor shortcut. Try to create a new text file and wait for it to be encrypted. | ||
| - | <solution> | + | <note warning> |
| - | <code> | + | |
| - | nmap --min-hostgroup 256 -n -sn -T5 --max-retries 1 --min-parallelism=256 --max-rtt-timeout 5ms --min-rate 1024 10.0-255.0-255.1 | + | |
| - | Nmap scan report for 10.5.140.1 | + | **Revert to the previously created snapshot and re-open the VM.** |
| - | Host is up (0.00040s latency). | + | |
| - | Nmap scan report for 10.7.6.1 | + | |
| - | Host is up (0.0011s latency). | + | |
| - | Nmap scan report for 10.88.205.1 | + | |
| - | Host is up (0.0010s latency). | + | |
| - | Nmap scan report for 10.155.20.1 | + | |
| - | Host is up (0.00063s latency). | + | |
| - | Nmap scan report for 10.255.255.1 | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 05. [15p] Routes discovery ==== | + | </note> |
| + | ==== 06. [10p] Malware network activity monitoring ==== | ||
| - | After finding out the IP addresses in use on the topology, let's find the routes to each subnet. Use traceroute to identify the path. | + | In this exercise you will monitor the network connections of the malware. Start Wireshark before running the malware and save the captures. You can copy/paste the pcap file outside the VM and analyze it. Please write down the followings: |
| - | * What type of packets does the traceroute tool sent? Can you change it to use ICMP for discovery? | + | * What are the types of connections created (DNS, TCP, HTTP). |
| - | * What’s the TTL values in these packets? | + | * What are the destinations (IP addresses and DNS domains)? Try to verify their reputation against a threat intelligence source such as the one provided by Cisco Talos (https://www.talosintelligence.com). |
| - | * What type of ICMP packet does the host receive? | + | * Can you examine the traffic or is it encrypted? |
| - | ==== 06. [10p] Virtual machine setup ==== | + | ==== 07. [5p] Active connections ==== |
| - | Send an ICMP echo request to one of the remote hosts and notice the ICMP redirect message. | + | For a proper analysis of the malware traffic you can use the netstat tool to view all active connection. It helps to narrow down the traffic from a specific process. Open it before running the application and see the outgoing connections. You can also use TcpLogView to save the data in a readable format. |
| - | * Who sends this message? | + | ==== 08. [10p] Windows registry activity analysis ==== |
| - | * How is this message used? Can you block this message? (Hint: [[https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt|accept_redirects]]) | + | |
| - | * Are there any (temporary) updates in the Linux routing table (use "ip route get" IP command)? | + | |
| - | * Update the network topology to include the new information. | + | |
| - | ==== 07. [10p] Port scanning ==== | + | Besides network access, a malware will try to make itself hard to find and to remove, adding different registry entries. Use the Procmon tool to monitor the entries in the registers done by the malware. |
| - | + | * Use the filtering options to show only registry activity. Save the data for later analysis (outside the virtual machine). | |
| - | Now, it is time to discover the running services for each remote network. Ignore the services on the local network for the next exercises (i.e., 10.255.255.0/24). Write down the IP addresses and the open ports. | + | * You can also create a custom filter to limit the output to files containing only the “@WanaDecryptor@.exe” process name. Are these entries the only one created by the malware? |
| - | + | * Try to filter also based on result, only the one with “SUCCESS”. | |
| - | <solution> | + | * Try to find the registry location that allows the malware to run at boot time. (Hint: https://docs.microsoft.com/en-us/windows/desktop/setupapi/run-and-runonce-registry-keys). Remove it using Registry Editor. |
| - | <code> | + | |
| - | root@attacker:/# nmap -T4 10.5.140.0/24 | + | |
| - | Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 17:02 UTC | + | |
| - | Nmap scan report for 10.5.140.1 | + | |
| - | Host is up (0.000020s latency). | + | |
| - | All 1000 scanned ports on 10.5.140.1 are closed | + | |
| - | + | ||
| - | Nmap done: 256 IP addresses (1 host up) scanned in 26.00 seconds | + | |
| - | </code> | + | |
| - | <code> | + | |
| - | root@attacker:/# nmap -T4 10.7.6.0/24 | + | |
| - | Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 17:04 UTC | + | |
| - | Nmap scan report for 10.7.6.1 | + | |
| - | Host is up (0.000019s latency). | + | |
| - | All 1000 scanned ports on 10.7.6.1 are closed | + | |
| - | + | ||
| - | Nmap scan report for 10.7.6.2 | + | |
| - | Host is up (0.000023s latency). | + | |
| - | Not shown: 999 closed ports | + | |
| - | PORT STATE SERVICE | + | |
| - | 8080/tcp open http-proxy | + | |
| - | + | ||
| - | Nmap done: 256 IP addresses (2 hosts up) scanned in 24.93 seconds | + | |
| - | </code> | + | |
| - | <code> | + | |
| - | root@attacker:/# nmap -T4 10.88.205.0/24 | + | |
| - | Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 17:02 UTC | + | |
| - | Nmap scan report for 10.88.205.1 | + | |
| - | Host is up (0.000017s latency). | + | |
| - | All 1000 scanned ports on 10.88.205.1 are closed | + | |
| - | + | ||
| - | Nmap scan report for 10.88.205.2 | + | |
| - | Host is up (0.000023s latency). | + | |
| - | Not shown: 999 closed ports | + | |
| - | PORT STATE SERVICE | + | |
| - | 53/tcp open domain | + | |
| - | + | ||
| - | Nmap done: 256 IP addresses (2 hosts up) scanned in 17.87 seconds | + | |
| - | </code> | + | |
| - | <code> | + | |
| - | root@attacker:/# nmap -T4 10.155.20.0/24 | + | |
| - | Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 17:04 UTC | + | |
| - | Nmap scan report for 10.155.20.1 | + | |
| - | Host is up (0.000016s latency). | + | |
| - | All 1000 scanned ports on 10.155.20.1 are closed | + | |
| - | + | ||
| - | Nmap scan report for 10.155.20.2 | + | |
| - | Host is up (0.000023s latency). | + | |
| - | Not shown: 999 closed ports | + | |
| - | PORT STATE SERVICE | + | |
| - | 80/tcp open http | + | |
| - | + | ||
| - | Nmap done: 256 IP addresses (2 hosts up) scanned in 25.98 seconds | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 08. [10p] Services scanning ==== | + | |
| - | + | ||
| - | As you have already noticed, there is an DNS server running in the remote network. Use it to find out what is the named of the other two servers you discovered. | + | |
| - | + | ||
| - | <solution> | + | |
| - | root@attacker:/# nslookup 10.7.6.2 10.88.205.2 | + | |
| - | 2.6.7.10.in-addr.arpa name = vulnerable.iot.dashboard. | + | |
| - | </solution> | + | |
| - | + | ||
| - | ==== 09. [15p] Virtual machine setup ==== | + | |
| - | + | ||
| - | Lets try and see what the webserver offers. Unfortunately, the text-only version of Kali provides only a text-based browser, lynx. Start a capture on the interface and save it for later analysis, while browsing the website and reading Instructions webpage. The username and password for the site are admin / password. | + | |
| - | * Use Wireshark to view the passwords sent and to save the page opened. Use File->Export Objects->HTTP and change the file extension to HTML so that you can open it locally. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | Use 'tcpdump -Z root' to prohibit privileges dropping. | + | |
| - | </note> | + | |
| - | <solution> | + | ==== 09. [10p] File creation monitoring ==== |
| - | <code> | + | |
| - | root@attacker:~/#tcpdump -Z root -n -i attacker-eth0 -w http.pcap | + | |
| - | tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes | + | |
| - | ^C55 packets captured | + | |
| - | 55 packets received by filter | + | |
| - | 0 packets dropped by kernel | + | |
| - | root@kali:~# lynx 10.155.20.2 | + | |
| - | </code> | + | |
| - | </solution> | + | |
| + | Use the previous data saved (or re-run the procmon tool) and look at the files created and opened by the malware. | ||
| + | * Filter based on the Process name for both ““@WanaDecryptor@.exe” and “testXX.exe” (the malware sample). | ||
| + | * Create a file on desktop, and try to see if this is opened by the malware. | ||
| + | * The malware sample is known to use the tor proxy network, look for the “tor.exe” file on the disk. | ||
| + | ==== 10. [5p] Malware morphing ==== | ||
| + | Modify the malware using the ResourceHacker tool (e.g., version number) and make sure that that hashes changes. Enable the Windows Defender Virus and Threat Defender. See if it can find the old executable as malware, what about the new one? | ||
| + | ==== 11. [10p] Threat intelligence ==== | ||
| + | For more information of the malware please search for the hash on “https://www.virustotal.com”. What about the new hash, did the virustotal website find it? You can also upload the new file and see the results. Try to see if you can also spot other types of behavior that the malware does in the security report provided. | ||
| + | ==== 12. [10p] Threat hunting ==== | ||
| + | The selected malware uses bitcoin as a payment alternative. Investigate how much money did they earned. | ||
