PCAP Challenge

1 Objective

The objective of this lab is simple (although some of the questions will prove quite challenging): all you need to do is use the pcap file provided and investigate what transpired between two or more systems using Wireshark and NetworkMiner. This is an extra credit lab that can be completed and used to earn additional points toward your overall lab score. I also assigned this as additional homework, as historically many of you are not yet proficient in reading, investigating, and examining network traffic captures and could use the practice.

All answers should clearly show your logic, reasoning, and solution, including screenshots. Partial answers or answers with no backing or proof will not receive ANY credit on this assignment. CLEARLY document your work! Print Screen and MS Paint are your friends: use them to capture screenshots, crop them, and mark them up to show your work.

Materials

For the purposes of this lab, you will need the following:
- Time, patience, Google, and some luck...
- The pcap file in this zip file as well as a version of Wireshark on your system to open and filter
- A Windows desktop on which you can run NetworkMiner (also included in the zip)

The Setup
You are a security analyst at a company that has been asked to review a network capture between some internal systems. It is suspected that someone in the organization was attempting to access resources to which they don't, or shouldn't, have access. The activity was discovered by a sysadmin who was cleaning up an FTP directory when she noticed an unusual file in the directory. Upon looking at the file she noted it may be a tool that could be considered a hacking tool and notified security (she didn't run it, so she is uncertain, just guessing that it is a bad sign). The pcap provided was trimmed so that only activity around the event was captured, so consider the pcap to contain ALL of the traffic related to this event.

What follows is a series of questions that may go through an investigator's mind as they try to unravel what has transpired. I'd suggest loading the pcap into both tools (Wireshark and NetworkMiner), examining the output, and then answering the following questions. Where possible, I expect you to find the relevant information in BOTH tools. While NetworkMiner is good for the high-level questions, I also expect you to use Wireshark to get the details where needed:

Q1. How many systems are involved in the communications in this capture? What are their operating systems (including version information if you can tell), MAC addresses, IPs, services presented to the network (that you know of based on the pcap), and system names? It may be helpful to create a table with this information, with the systems in rows and the columns used to store the elements such as IP, name, etc., that you can update throughout this lab.

Q2. Based on the MAC addresses, what do we know about these systems? What is the network address, broadcast, and range (or can you not tell from what you have been provided)?

Q3. Which systems received the greatest amount of network traffic by bytes? Which received the least by bytes? Which system sent the greatest amount of network traffic by bytes, and which the least by bytes?
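Q1 through Q3 are all answered from the same first pass over the capture: for every frame, who sent it, who received it, and how many bytes went over the wire. The following is an added worked example, not part of the lab and not the challenge pcap: a stdlib-only reader for classic (non-pcapng) pcap files with Ethernet framing that builds the host table the lab asks for (MAC, IP, bytes and packets sent and received) and ranks hosts by volume. The sample capture is constructed inline; the IPs, MACs and sizes are invented, and the OUI table holds only the VMware prefixes I am certain of. For the real file you would read its bytes instead of `SAMPLE_PCAP`.

```python
import struct
from collections import defaultdict

# --- Constructed sample capture (NOT the challenge pcap) -------------------
def _ipv4(addr):
    return bytes(int(o) for o in addr.split('.'))

def _mac(addr):
    return bytes.fromhex(addr.replace(':', ''))

def _frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Ethernet II + minimal IPv4 header (protocol 6) + zero-filled payload."""
    eth = _mac(dst_mac) + _mac(src_mac) + b'\x08\x00'
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0x4000,
                     64, 6, 0, _ipv4(src_ip), _ipv4(dst_ip))
    return eth + ip + b'\x00' * payload_len

def _pcap(frames):
    """Classic little-endian pcap: 24-byte global header + one 16-byte record header per frame."""
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = [struct.pack('<IIII', 1600000000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b''.join(recs)

A, B, C = '192.168.1.10', '192.168.1.20', '192.168.1.30'
MA, MB, MC = '00:0c:29:00:00:10', '00:0c:29:00:00:20', '02:12:34:00:00:30'
SAMPLE_PCAP = _pcap([
    _frame(MA, MB, A, B, 100),   # 134 bytes on the wire
    _frame(MB, MA, B, A, 500),   # 534 bytes
    _frame(MA, MC, A, C, 20),    # 54 bytes
    _frame(MC, MA, C, A, 0),     # 34 bytes
])

# --- Reader ----------------------------------------------------------------
def iter_pcap(data):
    """Yield (timestamp, original_length, frame_bytes) for each record in a classic pcap."""
    magic, = struct.unpack_from('<I', data, 0)
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(magic)
    if endian is None:
        raise ValueError('not a classic pcap file (pcapng needs a different reader)')
    linktype, = struct.unpack_from(endian + 'I', data, 20)
    if linktype != 1:
        raise ValueError(f'unsupported link type {linktype}; this reader expects Ethernet')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len

# OUIs a reviewer can recognise at a glance (VMware virtual NICs).
KNOWN_OUI = {'00:0c:29': 'VMware', '00:50:56': 'VMware'}

def describe_mac(mac):
    """OUI lookup plus the locally-administered bit (bit 1 of the first octet)."""
    oui = mac[:8]
    return {'oui': oui, 'vendor': KNOWN_OUI.get(oui, 'unknown'),
            'locally_administered': bool(int(mac[:2], 16) & 0x02)}

def host_inventory(data):
    """Per-IP table: MAC(s) seen, bytes and packets sent/received (wire length, not payload)."""
    hosts = defaultdict(lambda: {'macs': set(), 'bytes_sent': 0, 'bytes_received': 0,
                                 'packets_sent': 0, 'packets_received': 0})
    for _ts, wire_len, frame in iter_pcap(data):
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':
            continue                      # only IPv4-over-Ethernet is tallied here
        dst_mac, src_mac = frame[0:6].hex(':'), frame[6:12].hex(':')
        src_ip = '.'.join(map(str, frame[26:30]))
        dst_ip = '.'.join(map(str, frame[30:34]))
        hosts[src_ip]['macs'].add(src_mac)
        hosts[src_ip]['bytes_sent'] += wire_len
        hosts[src_ip]['packets_sent'] += 1
        hosts[dst_ip]['macs'].add(dst_mac)
        hosts[dst_ip]['bytes_received'] += wire_len
        hosts[dst_ip]['packets_received'] += 1
    return dict(hosts)

def rank_hosts(hosts, key):
    """IPs ordered from most to least of `key` (e.g. 'bytes_sent')."""
    return sorted(hosts, key=lambda ip: hosts[ip][key], reverse=True)

if __name__ == '__main__':
    inv = host_inventory(SAMPLE_PCAP)
    for ip in rank_hosts(inv, 'bytes_sent'):
        h = inv[ip]
        print(ip, sorted(h['macs']), describe_mac(next(iter(h['macs'])))['vendor'],
              h['bytes_sent'], h['bytes_received'])
```

The numbers this produces should agree with Wireshark's Statistics > Endpoints view (Tx/Rx Bytes), which is the screenshot you would use as proof; if they differ, the usual reason is that one of the two is counting something the other skips (non-IPv4 frames, or truncated records whose `incl_len` is shorter than `orig_len`).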

Q4. Back to their operating systems, focus on the Windows systems involved. If you examine the NetworkMiner output you may notice that it attempts to run the capture through Ettercap and p0f among other passive OS fingerprinting tools. What did these tools think the OS was? How could you validate this information (based on the pcap and information you have, not theoretically...you can't answer "I'd run an nmap -O scan")?

Q5. Were there any DNS queries and responses in this capture? If not then how are these machines communicating with each other?

Q6. Based on what you know to this point, and looking through the pcap in Wireshark, which system(s) is/are the victim(s)? Which system(s) do you think is/are the attacker(s)? Which system(s) is/are passive observer(s)?

Q7. With the basics out of the way, let's start to build a timeline of the potential attacker's activities. Focusing on the system you think is the attacker, what did they do first? Was this automated or manual (Hint: look at the patterns, timing, etc.)? What did the attacker gain from running this first test and what systems were involved as the potential victims?

Q8. Is there anything in this first test that "may" tip you off as to the operating systems used for both of these systems (i.e. is there something that is different between the two systems that may be used to help validate your answers above)? Look at the TCP settings/options in the captured traffic for clues.

Q9. What did the attacker do next? Can you tell what kind of scan was performed? Do you know which TCP ports are open on the systems included in this scan? It may be helpful to add this to your table that you created above. Is there anything about the scan that may expose what tool is being used?

Q10. Was this a manual or automated scan? How do you know? Again, examine the structure, timing, type of packets sent/received, etc.
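Q7, Q9 and Q10 are really one exercise: take the SYNs one host sends, pair each with the target's first reply (SYN/ACK means open, RST/ACK means closed, silence means filtered or dropped), and then look at the spacing between probes. The following is an added example, not part of the lab: the event list is constructed here, not taken from the challenge capture, and the 50 ms threshold is a heuristic of mine, not a standard. In practice you would fill `EVENTS` from `tshark -T fields -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags` after mapping the flag values to the short codes used here.

```python
from statistics import median

# Constructed TCP control-packet events: (seconds, src_ip, sport, dst_ip, dport, flags)
# flags: 'S' = SYN, 'SA' = SYN/ACK, 'RA' = RST/ACK. Not from the challenge pcap.
SCANNER, TARGET, OBSERVER = '10.0.0.5', '10.0.0.9', '10.0.0.7'
EVENTS = []
_t = 100.000
for port in (21, 22, 80, 135, 139, 445, 3389, 8080):
    EVENTS.append((_t, SCANNER, 40000, TARGET, port, 'S'))
    reply = {22: 'RA', 80: 'RA', 8080: None}.get(port, 'SA')
    if reply:
        EVENTS.append((_t + 0.0004, TARGET, port, SCANNER, 40000, reply))
    _t += 0.002                       # 2 ms between probes: a tool, not a person
# ~23 s later one hand-made connection to FTP from a fresh ephemeral port
EVENTS.append((_t + 23.0, SCANNER, 51000, TARGET, 21, 'S'))
EVENTS.append((_t + 23.0004, TARGET, 21, SCANNER, 51000, 'SA'))
# unrelated traffic from a third host that merely shares the segment
EVENTS.append((101.5, OBSERVER, 53000, TARGET, 445, 'S'))
EVENTS.append((101.5004, TARGET, 445, OBSERVER, 53000, 'SA'))

def scan_results(events, scanner, target):
    """Bucket every port the scanner probed by the target's FIRST reply to that probe."""
    probes = {}
    for ts, src, sport, dst, dport, flags in events:
        if src == scanner and dst == target and flags == 'S':
            probes.setdefault(dport, {'sent': ts, 'sport': sport, 'reply': None})
    for ts, src, sport, dst, dport, flags in events:
        if (src == target and dst == scanner and sport in probes
                and probes[sport]['reply'] is None and flags in ('SA', 'RA')):
            probes[sport]['reply'] = flags
    buckets = {'open': [], 'closed': [], 'no_reply': []}
    for port, p in probes.items():
        buckets[{'SA': 'open', 'RA': 'closed', None: 'no_reply'}[p['reply']]].append(port)
    return {k: sorted(v) for k, v in buckets.items()}, probes

AUTOMATED_GAP_S = 0.05   # heuristic: sub-50 ms gaps between new connections are not typed by hand

def probe_timing(events, scanner, target, pause_s=1.0):
    """Inter-arrival gaps between the scanner's SYNs, split into bursts at pauses longer than
    pause_s so that a scan and a later manual connection are judged separately."""
    times = sorted(ts for ts, src, _sp, dst, _dp, fl in events
                   if src == scanner and dst == target and fl == 'S')
    bursts = []
    cur = [times[0]] if times else []
    for a, b in zip(times, times[1:]):
        if b - a > pause_s:
            bursts.append(cur)
            cur = [b]
        else:
            cur.append(b)
    if cur:
        bursts.append(cur)
    report = []
    for burst in bursts:
        gaps = [b - a for a, b in zip(burst, burst[1:])]
        med = median(gaps) if gaps else None
        if med is None:
            verdict = 'single connection'
        elif med < AUTOMATED_GAP_S:
            verdict = 'automated'
        else:
            verdict = 'manual or paced'
        report.append({'start': burst[0], 'probes': len(burst),
                       'median_gap_s': med, 'verdict': verdict})
    return report

def source_port_pattern(probes):
    """Many scanners reuse one source port for every probe; an OS picks ephemeral ports freely."""
    ports = {p['sport'] for p in probes.values()}
    return 'constant' if len(ports) == 1 else 'varying'

if __name__ == '__main__':
    results, probes = scan_results(EVENTS, SCANNER, TARGET)
    print(results)
    print(probe_timing(EVENTS, SCANNER, TARGET), source_port_pattern(probes))
```

The source-port pattern and the probe spacing are the two features worth comparing against what you know of common scanners when Q9 asks whether the traffic exposes the tool; the verdict here is only as good as the threshold, so show the actual gaps in your write-up rather than just the label.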

Q11. The attacker takes a break for approximately 23 seconds and then connects to a service. What is this service, including the detailed version? What system is he attacking? Does anything here help validate your answers to the operating system questions above, and if so what is it?

Q12. To test your Wireshark-fu, what is the real sequence number used by the attacker that results in a TCP connection between attacker and victim using the service from Q11?
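Q8 and Q12 both come down to reading the raw TCP SYN rather than Wireshark's summary of it. Wireshark shows relative sequence numbers by default (the TCP protocol preference "Relative sequence numbers"); the real initial sequence number is the 32-bit field in the header. The option list in the same SYN (MSS, window scale, SACK permitted, timestamps, and the order they appear in) together with the IP TTL is what p0f-style passive fingerprinting keys on. The following is an added example, not part of the lab: a parser for a SYN's TCP header and options that emits a p0f-like option-order string and a guess at the sender's initial TTL. The two sample headers are constructed to resemble a Windows-style and a Linux-style SYN; they are illustrations of the technique, not authoritative signatures, and the values in the challenge capture are for you to read out yourself.

```python
import struct

# --- Constructed SYN headers (not from the challenge capture) --------------
def _tcp_syn(sport, dport, seq, window, options):
    """Bare TCP header with only the SYN flag set, followed by `options` (already 4-byte aligned)."""
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, data_offset << 4,
                      0x02, window, 0, 0)               # 0x02 = SYN
    return hdr + options

# Option kinds: 2 = MSS (len 4), 1 = NOP, 3 = window scale (len 3),
#               4 = SACK permitted (len 2), 8 = timestamps (len 10)
WIN_OPTS = (b'\x02\x04\x05\xb4' + b'\x01' + b'\x03\x03\x08' + b'\x01\x01' + b'\x04\x02')
LNX_OPTS = (b'\x02\x04\x05\xb4' + b'\x04\x02' + b'\x08\x0a' + b'\x00\x01\x02\x03\x00\x00\x00\x00'
            + b'\x01' + b'\x03\x03\x07')
# (ip_ttl_as_observed, tcp_header_bytes)
WIN_SYN = (128, _tcp_syn(49152, 21, 0x1a2b3c4d, 8192, WIN_OPTS))
LNX_SYN = (64, _tcp_syn(40000, 21, 0x0badf00d, 29200, LNX_OPTS))

def parse_syn(ttl, tcp):
    """Return the raw ISN, window, TTL guess and a p0f-like option-order string for one SYN."""
    sport, dport, seq, _ack, off_res, flags, window = struct.unpack_from('!HHIIBBH', tcp, 0)
    hlen = (off_res >> 4) * 4
    opts = tcp[20:hlen]
    order = []
    info = {'mss': None, 'wscale': None, 'sack_ok': False, 'timestamps': False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            order.append('E')
            break
        if kind == 1:                     # NOP has no length byte
            order.append('N')
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError('truncated TCP option')
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError('malformed TCP option length')
        body = opts[i + 2:i + length]
        if kind == 2:
            info['mss'] = struct.unpack('!H', body)[0]
            order.append(f'M{info["mss"]}')
        elif kind == 3:
            info['wscale'] = body[0]
            order.append(f'W{body[0]}')
        elif kind == 4:
            info['sack_ok'] = True
            order.append('S')
        elif kind == 8:
            info['timestamps'] = True
            order.append('T')
        else:
            order.append(f'?{kind}')
        i += length
    # The observed TTL is the sender's starting TTL minus hops; round up to the
    # nearest common default (64 Linux/BSD, 128 Windows, 255 network gear).
    initial_ttl = next(t for t in (64, 128, 255) if t >= ttl)
    return {'sport': sport, 'dport': dport, 'raw_seq': seq, 'syn': bool(flags & 0x02),
            'window': window, 'ttl': ttl, 'initial_ttl_guess': initial_ttl,
            'option_order': ','.join(order), **info}

if __name__ == '__main__':
    for label, pkt in (('windows-like', WIN_SYN), ('linux-like', LNX_SYN)):
        print(label, parse_syn(*pkt))
```

A TTL of 128 on the wire almost always means a 128-default stack zero hops away, which on a single LAN segment is exactly the situation in this capture; combine that with the option order from both sides of the first test and you have evidence for Q8 that does not rely on NetworkMiner's guess.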

Q13. What usernames and passwords does the attacker try until he successfully guesses a correct username and password for the service? What is the valid username/password combination that allows him access? Are there any security flaws you can see in this service/protocol? What response code from this service indicates an unsuccessful login, and what response indicates a successful login?

Q14. What are all of the commands run by the attacker, in order? What does each command do and/or provide the attacker? How many systems did the attacker use, and what were they? It may be helpful to update your table with an additional column that shows whether each system is a victim or an attacker...

Q15. What ports are used in this communication and what is each used for? How can you be sure?

Q16. Were any files transferred during this session? What was/were the name(s) of the file(s)? What exactly are the contents of the file, and did it provide any additional information for the attacker?

Q17. What file (filename) does the attacker try to transfer in his first attempt? Was it successful (yes or no), and how can you tell? What was the response code?

Q18. What does the attacker do next? How do you know? I'd expect you'd see a SYN - SYN/ACK - ACK to a new service... which is also a good hint for finding new sessions to new services as they are created. What source and destination ports were used in this new connection? What is the T.125 protocol? Can we view this data/traffic in clear text? Why or why not? (Hint: use the Follow TCP Stream option from the initial SYN and then look up information about the protocol online.)

Q19. How long was the attacker using this service to access the system in seconds?

Q20. The attacker now goes back to the original attempt to transfer and attempts another transfer via a service. Is this transfer successful? What is the file name? How many times is the file transferred if successful? How many seconds have elapsed between the three transfer attempts, assuming the first attempt is time zero (t=0)?
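Q13, Q17 and Q20 are all read off the FTP control channel, which Follow TCP Stream shows in the clear: every `USER`/`PASS` pair with the server's numeric reply (3xx asks for the password, 2xx accepts, 4xx/5xx rejects), every `STOR`/`RETR` with its reply (a 1xx reply is only preliminary and the real verdict is the 2xx or 5xx that follows), and the `TYPE` command that fixes the transfer mode Q22 asks about. The following is an added example, not part of the lab: a small state machine over a control-channel transcript that pairs each command with its final reply and extracts the login attempts, the transfer attempts with their offsets from the first attempt, and the mode in force. The transcript is constructed here; the usernames, passwords, filename and timings are invented and say nothing about the challenge capture.

```python
# Constructed FTP control-channel transcript (not from the challenge capture):
# (seconds, direction, line) with 'C' = client->server, 'S' = server->client.
TRANSCRIPT = [
    (0.0, 'S', '220 FTP server ready.'),
    (1.2, 'C', 'USER administrator'),
    (1.3, 'S', '331 Password required for administrator.'),
    (2.0, 'C', 'PASS password'),
    (2.1, 'S', '530 Login incorrect.'),
    (4.0, 'C', 'USER ftpuser'),
    (4.1, 'S', '331 Password required for ftpuser.'),
    (5.0, 'C', 'PASS letmein'),
    (5.1, 'S', '230 User ftpuser logged in.'),
    (6.0, 'C', 'TYPE I'),
    (6.1, 'S', '200 Type set to I.'),
    (7.0, 'C', 'STOR tool.exe'),
    (7.1, 'S', '550 tool.exe: Permission denied.'),
    (20.0, 'C', 'STOR tool.exe'),
    (20.1, 'S', '150 Opening BINARY mode data connection for tool.exe.'),
    (21.0, 'S', '226 Transfer complete.'),
    (35.0, 'C', 'STOR tool.exe'),
    (35.1, 'S', '150 Opening BINARY mode data connection for tool.exe.'),
    (36.0, 'S', '226 Transfer complete.'),
    (40.0, 'C', 'QUIT'),
    (40.1, 'S', '221 Goodbye.'),
]

TYPE_NAMES = {'A': 'ASCII', 'I': 'Image (binary)', 'E': 'EBCDIC', 'L': 'Local'}

def analyze_ftp(transcript):
    """Pair each client command with the server's FINAL reply and extract logins,
    transfers and the transfer type in force. 1xx replies are preliminary and
    leave the command pending."""
    logins, transfers = [], []
    pending, user, mode = None, None, None
    for ts, direction, line in transcript:
        if direction == 'C':
            verb, _, arg = line.partition(' ')
            pending = (ts, verb.upper(), arg)
            continue
        if pending is None or len(line) < 3 or not line[:3].isdigit():
            continue
        code = int(line[:3])
        if code // 100 == 1:
            continue
        ts0, verb, arg = pending
        if verb == 'USER':
            user = arg
        elif verb == 'PASS':
            logins.append({'user': user, 'password': arg, 'code': code, 'ok': code == 230})
        elif verb == 'TYPE' and code // 100 == 2:
            mode = TYPE_NAMES.get(arg.upper()[:1], arg)
        elif verb in ('STOR', 'RETR'):
            transfers.append({'t': ts0, 'cmd': verb, 'file': arg, 'code': code,
                              'ok': code // 100 == 2, 'mode': mode})
        pending = None
    return {'logins': logins, 'transfers': transfers, 'mode': mode}

def successful_login(result):
    """First (user, password) the server answered with 230, or None."""
    return next(((l['user'], l['password']) for l in result['logins'] if l['ok']), None)

def transfer_offsets(result):
    """Seconds since the first transfer attempt (t = 0), the form Q20 asks for."""
    t0 = result['transfers'][0]['t'] if result['transfers'] else 0.0
    return [round(t['t'] - t0, 3) for t in result['transfers']]

def looks_like_guessing(result, max_failures=1):
    """Detection rule: more failed PASS attempts than a user normally fumbles."""
    return sum(1 for l in result['logins'] if not l['ok']) > max_failures

if __name__ == '__main__':
    r = analyze_ftp(TRANSCRIPT)
    print(r['logins'])
    print(successful_login(r), r['mode'], transfer_offsets(r), looks_like_guessing(r))
```

That the script can recover a valid password from nothing but the packet bytes is itself the answer to the "security flaws" part of Q13: FTP authenticates in the clear, so anyone on the path sees the same thing this parser does.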

Q21. Did the attacker disconnect from his session or leave it open? Better yet, which sessions were active when? Can you draw a timeline of activity in terms of systems connected to the victim(s) and the use of the two services?

Q22. The filename of the file he is attempting to transfer may be misleading; however, the attacker had changed to a mode that allowed us to view inside the file he transferred. What is this mode called? View the file transfer: is there anything in the file that would confirm (or not) your suspicions about what the file is? Prove that it is, or is not, the file you think it is based on its name.

Q23. The attacker then makes another attempt to access the victim(s). What is this new service he is using and what could he possibly use it for?

Q24. He seems to connect and then disconnect from the service (i.e. looking at the 4-way disconnect sequence of FIN/ACK - FIN/ACK - ACK). He then appears to connect to this service again. What is he attempting to access? You can see a bunch of filenames in this second connection; do you know what the attacker has done to generate this traffic? Hint: If you think you know the answer, you could test it out on your own systems and evaluate the traffic to see if you were correct.

Q25. What authentication protocol was used to authenticate the attacker to this service during the second attempt (i.e. the answer is in the packets, not the Protocol field in Wireshark)? What user account does the attacker use to connect (i.e. not the anonymous one; it is an actual username)? What is the NTLM Client Challenge for this authentication?
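The client challenge Q25 asks for is an 8-byte field inside the NTLMv2 response carried in the NTLMSSP Type 3 (AUTHENTICATE) message, which Wireshark dissects under the SMB session setup. Per MS-NLMP the NtChallengeResponse is a 16-byte NTProofStr followed by the NTLMv2_CLIENT_CHALLENGE structure: RespType and HiRespType (both 0x01), six reserved bytes, an 8-byte FILETIME timestamp, the 8-byte ChallengeFromClient, four reserved bytes, then AV_PAIRs naming the target machine and domain and terminated by MsvAvEOL. The following is an added example, not part of the lab: a decoder for that structure, fed with a response I construct inline (dummy NTProofStr, invented challenge, domain and host), so nothing in it reflects the challenge capture. It exists to show exactly which bytes Wireshark is labelling, and to show why defenders treat a captured NTLM exchange over a cleartext protocol as credential exposure: the server challenge, this blob and the NTProofStr are everything a third party needs to check password guesses offline.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: 'NbComputerName', 2: 'NbDomainName', 3: 'DnsComputerName',
            4: 'DnsDomainName', 5: 'DnsTreeName', 7: 'Timestamp'}
STRING_AV_IDS = (1, 2, 3, 4, 5)

def _filetime(dt):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

# --- Constructed NtChallengeResponse (NOT from the challenge pcap) ----------
SAMPLE_TIME = datetime(2016, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CLIENT_CHALLENGE = bytes.fromhex('0123456789abcdef')

def _av_pair(av_id, value):
    return struct.pack('<HH', av_id, len(value)) + value

SAMPLE_RESPONSE = (
    b'\x11' * 16                                   # NTProofStr: dummy bytes, not a real HMAC
    + struct.pack('<BBHIQ8sI', 1, 1, 0, 0, _filetime(SAMPLE_TIME), SAMPLE_CLIENT_CHALLENGE, 0)
    + _av_pair(2, 'LAB'.encode('utf-16-le'))       # MsvAvNbDomainName
    + _av_pair(1, 'FTPSRV'.encode('utf-16-le'))    # MsvAvNbComputerName
    + _av_pair(0, b'')                             # MsvAvEOL
)

def decode_ntlmv2_response(resp):
    """Split an NTLMv2 NtChallengeResponse into NTProofStr and the NTLMv2_CLIENT_CHALLENGE fields."""
    if len(resp) < 16 + 28:
        raise ValueError('too short for an NTLMv2 response')
    nt_proof, blob = resp[:16], resp[16:]
    (resp_type, hi_resp_type, _r1, _r2, filetime,
     client_challenge, _r3) = struct.unpack_from('<BBHIQ8sI', blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError('RespType/HiRespType are not 0x01 0x01: not an NTLMv2 blob')
    av_pairs, off = {}, 28
    while True:
        if off + 4 > len(blob):
            raise ValueError('AvPairs not terminated by MsvAvEOL')
        av_id, av_len = struct.unpack_from('<HH', blob, off)
        off += 4
        if av_id == 0:
            break
        value = blob[off:off + av_len]
        off += av_len
        name = AV_NAMES.get(av_id, f'AvId{av_id}')
        av_pairs[name] = value.decode('utf-16-le') if av_id in STRING_AV_IDS else value.hex()
    return {
        'nt_proof_str': nt_proof.hex(),
        'timestamp': FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        'client_challenge': client_challenge.hex(),
        'av_pairs': av_pairs,
    }

if __name__ == '__main__':
    print(decode_ntlmv2_response(SAMPLE_RESPONSE))
```

To use it on the real capture, copy the NTLMv2 Response bytes from the dissector (right-click the field, Copy as a hex stream) and pass `bytes.fromhex(...)` in place of `SAMPLE_RESPONSE`; the 16 hex characters this prints as `client_challenge` should match what Wireshark shows, which is the proof the assignment wants.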

Q26. Go back to Q16 for a moment and review your answer. Did the attacker use any of the information provided in the file(s), maybe in an authentication using a username and password from the file? Did the attacker know any of this information prior to viewing the file, and if so what did he know and how do you know this?

Q27. Did the attacker ever run the file he attempted to transfer? How do you know you are correct in your assumption? This one is going to take some serious thought, so put your attacker hat on, think about when it was transferred and what the attacker was, or was not, connected to and if that would allow execution across the network or on the victim(s) it was transferred to.

Attachment: pcap_challenge01.rar
