Additional post about Fun with Packet Analysis by Marcelle Lee
After reading through the solutions document, I noticed a few pcaps that didn't have any explanations, so I thought I would crack them open and see if I could understand what was going on.
Files available here.
At first glance the pcap looks like a mess of 33,247 packets, but with a few clicks Wireshark will sort and organize all of it. The first thing I did was go to Statistics > Conversations, select the TCP tab, and sort by port to get a grasp of what is going on. I followed a few FTP control streams (port 21) because they are plaintext and show exactly which files were transferred. To grab the actual file contents you have to find the corresponding FTP data stream (port 20 in active mode; in passive mode the data connection lands on an ephemeral port, but Wireshark still labels it ftp-data once it has seen the PORT/PASV exchange on the control channel). Right away I see something interesting; here is the list of actions from 192.168.245.3 (attacker) on 192.168.245.12 (victim):
This is concerning, because PwDump7.exe is a password hash dumper for Windows and BFK.exe is a keylogger!
I keep scrolling down past a lot of web traffic noise (I'll export the HTTP objects later) and find cleartext traffic on port 1337. Hmmmmm.
Following that stream quickly reveals a remote cmd shell, probably via netcat. As I looked through it I wanted a timeline of events. Because I had sorted the conversations by port, the FTP conversations were listed before the remote shell, which threw off the sequence of events. Filtering the whole pcap instead shows that the remote shell was established well before the FTP transfers: someone was working on the system before moving files over FTP. Another way to ascertain the chronology is the "tcp.stream eq ##" shown in the title bar of each followed TCP stream; Wireshark numbers streams in the order their first packet appears in the capture, so a lower index means an earlier connection.
The attacker looked around the system, created a GMTMP directory in C:\Inetpub\ftproot, then redirected command output into favicon.ico in order to exfil the data by hiding it in plain sight. They looked around the filesystem before collecting a few files, then changed the passwords for Administrator, John, and nonadmin. They used PwDump to grab hashes and started the keylogger.
I wanted to look at some of the FTP files that were transferred, so I went through the arduous task of excluding streams one by one until only the ones I wanted to save were left:
ftp-data and !(tcp.stream eq 601) and !(tcp.stream eq 602) and !(tcp.stream eq 603) and !(tcp.stream eq 605) and !(tcp.stream eq 606)
Then I saved the raw data (Follow TCP Stream, show the data as Raw, keep only the direction that carries the file, Save as...) and named each file by the type its header indicates. For example, the first few bytes in this stream are "PK" (0x50 0x4B), the signature of a zip local file header.
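To make the three steps above concrete (grouping packets into conversations, ordering them by Wireshark's tcp.stream index rather than by port, and deciding a carved stream's file type from its leading bytes), here is an added example that is not part of the original post and does not use the post's capture. It builds a small pcap in memory with the standard library only, so it runs offline: a port-1337 shell first, then an FTP control session, then an ftp-data stream carrying a zip. The hosts 192.168.245.3 and 192.168.245.12 are the ones named in the post; the ports 49152-49154, the command text and the zip bytes are constructed for the demo, and treating the lower port of a conversation as the service side is a simplification.

```python
"""Stand-alone pcap triage: reassemble TCP streams, number them the way
Wireshark's tcp.stream index does, and sniff carved payloads by magic bytes.
Standard library only; the capture built below is constructed for this demo
and is NOT the post's capture."""
import struct
from collections import defaultdict

ATTACKER, VICTIM = "192.168.245.3", "192.168.245.12"   # hosts named in the post
ZIP_MAGIC = b"PK\x03\x04"                              # zip local file header

MAGICS = [(ZIP_MAGIC, "zip"), (b"MZ", "exe/dll"), (b"\x89PNG", "png"),
          (b"\xff\xd8\xff", "jpeg"), (b"GIF8", "gif")]


def sniff_type(blob):
    """Name a blob by its leading bytes, the same check the post does by eye."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown"


def build_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (only parsed here, never sent)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet); frames = [(ts, bytes)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)),
                           len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts, src, sport, dst, dport, payload) for every TCP-over-IPv4 packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield (sec + usec / 1e6,
               ".".join(map(str, ip[12:16])), sport,
               ".".join(map(str, ip[16:20])), dport, tcp[doff:])


def assemble_streams(packets):
    """Group packets into bidirectional streams numbered by first appearance,
    which is the rule behind Wireshark's tcp.stream index."""
    streams, index = [], {}
    for ts, src, sport, dst, dport, payload in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if key not in index:
            index[key] = len(streams)
            streams.append({"index": len(streams), "first_seen": ts,
                            "server_port": min(sport, dport),   # simplification: service = low port
                            "data": defaultdict(bytes)})
        streams[index[key]]["data"][(src, sport)] += payload
    return streams


def server_payload(stream):
    """Bytes sent by the service side; for ftp-data that is the transferred file."""
    return b"".join(v for (_, port), v in stream["data"].items()
                    if port == stream["server_port"])


def summarize(pcap_bytes):
    """One row per stream, adding what the Conversations view does not show: the file type."""
    return [{"index": s["index"], "first_seen": s["first_seen"],
             "server_port": s["server_port"], "type": sniff_type(server_payload(s))}
            for s in assemble_streams(parse_pcap(pcap_bytes))]


def sample_pcap():
    """Constructed capture: port-1337 shell first, then FTP control, then ftp-data carrying a zip."""
    return build_pcap([
        (100.0, build_frame(ATTACKER, 49152, VICTIM, 1337, b"dir C:\\Inetpub\\ftproot\r\n")),
        (100.2, build_frame(VICTIM, 1337, ATTACKER, 49152, b" Directory of C:\\Inetpub\\ftproot\r\n")),
        (200.0, build_frame(ATTACKER, 49153, VICTIM, 21, b"RETR puzzles.zip\r\n")),
        (200.1, build_frame(VICTIM, 21, ATTACKER, 49153, b"150 Opening BINARY mode data connection.\r\n")),
        (200.2, build_frame(VICTIM, 20, ATTACKER, 49154, ZIP_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 26)),
    ])


if __name__ == "__main__":
    rows = summarize(sample_pcap())
    by_port = [r["server_port"] for r in sorted(rows, key=lambda r: r["server_port"])]
    print("sorted by port (Conversations view):", by_port)
    print("sorted by tcp.stream (chronology):  ", [r["server_port"] for r in rows])
    for r in rows:
        print(f"tcp.stream eq {r['index']}: port {r['server_port']} -> {r['type']}")
```

Sorting the rows by port puts the FTP conversations (20, 21) ahead of the shell on 1337, while the stream index puts the shell first, which is the same discrepancy the post ran into. Pointing `parse_pcap` at a real capture file works for classic pcap files only; pcapng needs a different reader.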
The zip file contains 5 txt files with crypto puzzles. See if you can crack them!
Afterwards I thumbed through the web traffic and didn't find anything too interesting, but this was my favorite picture; it appeases my OCD.