HoneyBOT Blue Team Challenge

Taha Rabie
Oct 12, 2023


Category: Network Forensics

A PCAP analysis exercise highlighting an attacker’s interactions with honeypots and how automatic exploitation works. (Note that the IP address of the victim has been changed to hide the true location.)

Based on the name of the challenge, what is HoneyBOT?

“Honeypots” refer to a cybersecurity technique or strategy used to detect, deflect, or study unauthorized access attempts or malicious activities on computer networks or systems. A honeypot is essentially a decoy system or a trap that appears to be a legitimate part of a network but is designed to attract and lure potential attackers.

As a SOC analyst, analyze the artifacts and answer the questions.

The first step is a brief look at the network graph of connections.

Using lab.dynamite.ai → upload the PCAP file → Display Network Graph

There are connections between two IP addresses. Now let’s investigate the PCAP file and answer the questions.

What is the attacker’s IP address?

Using Brim with Suricata rules to detect suspicious activity → look at the alerts

We find only one alert, from IP “98.114.205.102”.

98.114.205.102

Using Wireshark to investigate more deeply → follow the TCP stream → we find commands that were sent from 98.114.205.102 to 192.150.11.111.

What is the target’s IP address?

From the previous question, the target IP is “192.150.11.111”.

Provide the country code for the attacker’s IP address (a.k.a geo-location).

Using whatismyipaddress to look up the attacker’s IP “98.114.205.102”:

US

How many TCP sessions are present in the captured traffic?

In Wireshark → open the Statistics tab → Conversations → TCP

5

How long did it take to perform the attack (in seconds)?

The last frame number is 348. We can use the filter `frame.number == 1 or frame.number == 348` and take the difference between the two timestamps:

The attack started at 03:28:28 UTC and ended at 03:28:44 UTC; 44 - 28 = 16 seconds.

Or, in Wireshark, click the PCAP icon to display Capture File Properties → look at the Time section.

16
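Both of the Wireshark checks above (counting TCP conversations, then taking the span between the first and last frame) can be reproduced without a GUI. The parser below is an added example, not code from the write-up or the challenge: it builds a small libpcap file in memory from constructed frames (the two IP addresses are the ones in the write-up; the ports and timestamps are assumed for the demo) and then walks the file, keying each conversation by its unordered endpoint pair so that both directions count once, exactly as Wireshark’s Conversations tab does.

```python
import struct

ATTACKER, TARGET = "98.114.205.102", "192.150.11.111"  # addresses as given in the write-up

def tcp_frame(src, dst, sport, dport):
    """Ethernet + IPv4 + bare 20-byte TCP SYN header; enough for conversation bookkeeping."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # EtherType 0x0800 = IPv4

def build_pcap(frames):
    """frames: (seconds offset, frame bytes) pairs -> little-endian libpcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for offset, frame in frames:
        out += struct.pack("<IIII", 1170300000 + offset, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture (not the challenge PCAP): five conversations spanning sixteen seconds.
SAMPLE_PCAP = build_pcap([
    (0, tcp_frame(ATTACKER, TARGET, 1821, 445)),    # SMB exploit delivery
    (1, tcp_frame(TARGET, ATTACKER, 445, 1821)),    # reply: same conversation, other direction
    (3, tcp_frame(ATTACKER, TARGET, 1828, 1957)),   # attacker connects to the bind shell
    (5, tcp_frame(TARGET, ATTACKER, 1029, 8884)),   # victim fetches ssms.exe from attacker's FTP
    (8, tcp_frame(TARGET, ATTACKER, 1030, 20)),     # FTP data connection (constructed port)
    (16, tcp_frame(ATTACKER, TARGET, 1829, 1957)),  # second shell connection, last frame
])

def summarize(pcap):
    """Count direction-agnostic TCP conversations and the first-to-last-frame span of a pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off, frames, sessions, first, last = 24, 0, set(), None, None
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frames += 1
        last = ts_sec + ts_usec / 1e6
        first = last if first is None else first
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # keep only IPv4 carrying TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        sessions.add(frozenset({(src, sport), (dst, dport)}))  # same key for both directions
    return {"frames": frames, "tcp_sessions": len(sessions),
            "duration_s": round(last - first, 6) if frames else 0.0}

print(summarize(SAMPLE_PCAP))  # {'frames': 6, 'tcp_sessions': 5, 'duration_s': 16.0}
```

Point `summarize` at the bytes of a real capture (`open("file.pcap", "rb").read()`) to get the same two numbers the Conversations tab and Capture File Properties report.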

Provide the CVE number of the exploited vulnerability.

Using the Statistics → Protocol Hierarchy option, we can see Active Directory Setup traffic under the SMB protocol.

Now, filtering the PCAP with `smb` and looking at the frame containing the Active Directory Setup request, we see that the request came from IP 98.114.205.102.

Search for “DsRolerUpgradeDownlevelServer” on cve.mitre.org:

CVE-2003-0533

Look at the description to understand the exploit.

Which protocol was used to carry over the exploit?

From the previous question, the answer is the SMB protocol.

Which protocol did the attacker use to download additional malicious files to the target system?

What is the name of the downloaded malware?

The attacker’s server was listening on a specific port. Provide the port number.

To retrieve these commands in Wireshark, follow the TCP stream.

The attacker used FTP to download a malicious file named “ssms.exe” onto the target; the attacker’s FTP server was listening on port 8884.

When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

Follow TCP stream 4 and save it (in Raw mode) to calculate its MD5 hash.

Using the Linux command line to calculate the MD5 hash:

Searching for the hash on VirusTotal → Details tab → History

What is the key used to encode the shellcode?

What is the port number the shellcode binds to?

The CVE corresponding to the exploited vulnerability is a buffer overflow. If we filter the PCAP for SMB, we can see the process:

the DCE/RPC request and response. This is how the arbitrary code is carried to the DsRolerUpgradeDownlevelServer function and exploits it. Thus, the shellcode must be between frames 28 and 33. Frame 29 contains suspicious data:

We can save it as Raw and examine it further with scdbg.

0x99

The port the shellcode binds to is 1957.

The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?

The shellcode makes multiple calls to GetProcAddress, which is a function exported by Kernel32.dll.

[Screenshot: VirusTotal]
