This is one of the first of many challenges released by Project Honeynet in 2010. The challenge consisted of a packet capture file and a set of questions about the attack it recorded. This post demonstrates how to analyze the pcap, recognize the shellcode, and extract artifacts from the evidence.
We are provided with a single pcap file. Let's analyze the file with Wireshark. The Wireshark conversations summary shows that there are 6 TCP streams. A TCP stream represents the communication between two IP addresses on a pair of TCP ports (http://stackoverflow.com/questions/6076897/follow-tcp-stream-where-does-field-stream-index-come-from).
In total, only two unique IP addresses communicate with each other in this pcap (192.150.11.111 and 98.114.205.102).
The first stream is a classic example of a TCP full-connect port scan: 98.114.205.102 is probing 192.150.11.111 for an open port 445. So 98.114.205.102 is the attacker.
Port 445 is reserved for Microsoft SMB communication over TCP/IP. This service has been plagued by multiple exploits for a long time. One of the most famous exploits on this port was MS08-067, which was used by the Conficker worm back in 2008. Other exploits for this port include MS06-040, MS04-011, MS06-025, etc.
Now, the next stream shows SMB communication between the endpoints, and at one point 98.114.205.102 issues an RPC request to 192.150.11.111 containing the operation “DsRoleUpgradeDownlevelServer”. This is the exploit for the MS04-011 vulnerability. Wireshark shows that the value contains a large number of 0x90 bytes. 0x90 is the opcode for the Intel x86 instruction NOP (No Operation). In exploit writing, a run of 0x90 is often used as a NOP sled, a buffer that leads execution into the shellcode. Using Wireshark, the attack payload is exported as a raw data file. After manually deleting the NOP sled, the shellcode starts at 0xeb.
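As an added illustration of the sled-stripping step (example code written for this post, not part of the original write-up or of the challenge material), the script below locates the longest run of 0x90 bytes in a raw payload, returns what follows it as the shellcode candidate, and decodes the leading EB xx short jump. The sample payload and the 32-byte minimum sled length are constructed assumptions, not values taken from the challenge pcap.

```python
import struct

NOP = 0x90
MIN_SLED = 32  # assumed threshold: shorter 0x90 runs are likely ordinary code or padding, not a sled


def find_nop_sled(payload: bytes, min_len: int = MIN_SLED):
    """Return (start, length) of the longest run of 0x90 at least min_len long, or None."""
    best = None
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and payload[j] == NOP:
            j += 1
        if j - i >= min_len and (best is None or j - i > best[1]):
            best = (i, j - i)
        i = j
    return best


def extract_shellcode(payload: bytes, min_len: int = MIN_SLED) -> bytes:
    """Drop everything up to and including the NOP sled; the remainder is the shellcode candidate."""
    sled = find_nop_sled(payload, min_len)
    if sled is None:
        raise ValueError("no NOP sled of the required length found")
    start, length = sled
    return payload[start + length:]


def short_jmp_target(code: bytes, at: int = 0):
    """Decode an x86 'jmp rel8' (EB xx) at offset `at`; return the target offset within `code`, or None."""
    if len(code) < at + 2 or code[at] != 0xEB:
        return None
    rel = struct.unpack_from("<b", code, at + 1)[0]  # signed 8-bit displacement
    return at + 2 + rel


# Constructed sample payload (not the challenge data): a fake header that contains one isolated
# 0x90, then a 64-byte NOP sled, then a stub starting with 'jmp short' as the real sample does.
SAMPLE = (bytes.fromhex("05000003100000009000")   # fake header with a single stray 0x90
          + b"\x90" * 64                          # NOP sled
          + bytes.fromhex("eb10")                 # jmp short +0x10 (skips the next 16 bytes)
          + bytes(16)                             # placeholder bytes the jump skips over
          + bytes.fromhex("e8ebffffff"))          # call back into the skipped bytes (jmp/call/pop idiom)

if __name__ == "__main__":
    sc = extract_shellcode(SAMPLE)
    print(f"sled at {find_nop_sled(SAMPLE)}, shellcode starts with 0x{sc[0]:02x}, "
          f"short jmp target offset {short_jmp_target(sc)}")
```

Raising the minimum sled length is what keeps the stray 0x90 in the header from being mistaken for the sled; on real captures, tune it to the payload size.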
The shellcode is analyzed with scdbg. We can see that GetProcAddress calls are made for functions such as CreateProcessA, WSASocketA, bind, listen, etc. Looking at these function calls, it is clearly a Windows port-bind shellcode. It binds to port 1957 and executes CreateProcessA with cmd as the argument and STDIN and STDOUT redirected to the socket handle. This is how a bind shellcode works.
The next TCP stream contains the communication over the shell obtained on port 1957. The commands passed to the target write an FTP command file and run ftp with that command file. Once the FTP transfer has completed, the command file is deleted and the downloaded executable (ssms.exe) is run.
The executable is downloaded from the FTP server running on port 8884. This executable can be extracted with Wireshark as well: it is a Windows PE file, recovered by saving the raw data obtained from “Follow TCP Stream” in Wireshark. VirusTotal identifies the executable as an rBot variant (https://www.virustotal.com/file/b14ccb3786af7553f7c251623499a7fe67974dde69d3dffd65733871cddf6b6d/analysis/1356283562/).