Network Forensics Village | By Alexander Kot

Network Forensics Village

Back Story:

If you don’t know who Rockie Brockway is; he is one of the core organizers of Bsides Cleveland and an awesome contribution to the InfoSec community.  Rockie reached out to me on twitter asking if I was able to put together a Hardware Hacking Village. The event, Bsides Cleveland, just go access to another part of the building a couple of weeks before the conference.  They want to fill this separate room with more events. I didn’t feel as confident doing hardware hacking. Though I recently did a Network Forensic lab at my local (Atlanta) hackerspace (CounterPoint) which went very well.  So I decided to offer to doing that.

Types of Villages:

I have been to many villages at various conferences.  I notice a different consistency to the way that they are ran. The more typical and simpler Lockpick village.  Which has a really easy barrier to entry; either a video showing how it works and/or usually someone always there to help show to how to accomplish the task.  To more complicated hardware hacking which assume you understand tools such as binwalk and have the knowledge of typical web attacks like command injection or authentication bypass techniques.  To the even more nuance ones that buy a bunch of voting machine hardware from craigslist and hope someone can find something about them with no agenda. In the spirit of Bsides I want to create a village with the lowest entry to barrier I could think of.  This will be harder since you need a lot of networking knowledge to do this.

Setup:

So I wanted to create a realistic approach to this village.  I also wanted to make sure everyone could figure out all the challenges and have no excuse to not take part.  For the realistic side I wanted to showcase what a good Network Security Monitoring solution would look like. To keep it in the realm of Bsides I provided one using all open source tools. I actually provide training last year on engineering this solution.  This is one I deployed at my current company (as of this week). It uses Moloch (full pcap retention and analysis), Suricata with PulledPork (IDS signature rules using Emerging Threat Open), and Bro (for traffic fingerprinting) all using AF_Packet for full performance.  The purpose of this tool is to allow both Suricate Fast logs and Bro logs to be shipped to your SIEM of choice to create alerts. While using a local copy of Moloch to gather PCAP data to fully analyze the data during an Incident Response. Though a lot of this sounds technical, none of this matters.  All the end users needed to know is there was an IDS alert that was kicked off. From there they can either go into Moloch and use wireshark based commands to analyse the data or download the full PCAP off the FTP server. In this environment I provided wireless access to a router running Tomato Firmware which hosted a FTP server which provided a single file using a USB flash Drive.  Wired into the router was an Intel Nuc running the NSM software I mentioned. I previously loaded the traffic using tcpreplay.

Kick Off:

So as I mentioned I wanted to create a challenge that anyone can take part in and have no excuse.  So I decided to put together a presentation that was about a hour long. This went over everything I felt would give people a fundamental understanding and a realistic approach with knowledge of common problems.  The main common problem I wanted to address is you can’t assume things are the way they are supposed to be. Things like file obfuscation techniques, DHCP which you can’t assume the client IP is correct, and vhost which could have 1,000 different WordPress sites under the same IP.  At the end of the presentation I provided an IDS alert which the person will use during the investigation. From there I posted on twitter that the challenge was live and how to access the information.

You can view the presentation here.

https://docs.google.com/presentation/d/1UUzU6zYzXc0YjsXHR6fNiRamIQdPP42wNwyILljabzw/edit#slide=id.g3bfbfd7d05_0_5

For some reason google docs doesn’t like the fact videos are embedded into a presentation and requires some weird permissions.  So I have a separate folder with the videos referenced in the presentation.

https://drive.google.com/drive/folders/1F-kTgdmDBfE4y72xym5d_ZlAtT11_Wht

Winners:

First place clocking in about an hour and half was @ralphdhat.

As you can see he is holding the Wifi Pinapple Nano which the sponsors at Hak5 provided.  In the background is the last slide of the presentation which provided the IDS alert and info how to gain access to this network traffic.  It was very humbling seeing the excitement of people learning new tools and also being proficient with them so quickly. He did get stuck on the last item which “was DC also infected provide evidence”.  I pointed him in the direction to use Parameters Tab in NetworkMiner and look for Server Message Block calls. Only a few mins later he was awarded the prize.

Second place clocking in a little less than 2 hours was @raypeltz.

He won the Lan Turtle which the sponsors at Hak5 provided.  I was surprised because he managed to get all the challenges using wireshark.  Don’t get me wrong wireshark is definitely the most powerful tool. Though some features in NetworkMiner makes analyzing data quicker.

Answers:

Below are the list of acceptable answers.  Though some other parts can be interpreted differently if users provide additional information.

External Infected sources

First one is not an actual part of the malware. Though strange behavior that a client would use an API call to pull a text file which has its public IP address.

Frame 675 (text.txt) (WhatismyIP.com) 158.69.26.138)

Frame 749 (90352[4]).exe (www.ownhive.com) 209.105.227.32)

Frame 879 (2[4].doc) (r2consulting) 184.168.230.1

Obfuscated files (7 in total)

*.png

Toler

Table

Worming

Infected host Host

Lin-Wood-PC (192.168.200.95)

Domain Controller

Oyster-DC.OysterTaiment.com (192.168.200.4)

Check SMB params for DC exploit

The link to the PCAP.  !!!WARNING!!!this pcap is actual malware and should be handle with care.  If you don’t feel comfortable, don’t worry I am sure I’ll be doing this type of village again.  

The PCAP is a replayed version of Brad Ducan’s (@malware_traffic) traffic he generated (https://www.malware-traffic-analysis.net/2018/06/15/).  I also used a separate pcap from that site in the presentation. If I ever see Brad at a conference you have a beer on me!

Pitfalls:

As I mentioned in the back story I had limited time to put this together.  Nothing to do with the organizers, they literally got the news about the separate area as quick as they knew what they could fill it with.  This being my first Village I figured it wasn’t going to be an easy task. All said and done I spent about 40 hours putting everything together and practicing.  So if anyone is doing their first village and wants some advice hit me up on Twitter @Alex_S_Kot DMs are open. My original concept was going to download some malware in the Lab (isolated network) I have at the hackerspace and create real traffic.  Though due to time constraints I wasn’t able to fully set this up. I ended up using some examples from malware-traffic-analysis as mentioned above. During replay of this traffic on the NSM device, I didn’t have Suricata properly setup. After Moloch digested the data I realized the fast.log where empty.  So I quickly ran Suricata on the pcap itself to generate the fast.log. Props for Tyler Hudak for pointing out the time stamps of the IDS alerts where off since I manually changed them. If you don’t know who Tyler is; he does an amazing Malware Analysis class and I was very humbled for him to try my village even after the prizes where already claimed.

Side Note:

Bsides Cleveland is definitely one of my favorite Bsides.  Granted I am bias since I am originally from that area and I am good friends with a lot of the organizers.  Though I was glad I got the opportunity to put together the Network Forensic Village for them. I had a lot of great feedback and felt very happy when heard people learned a lot that they can take back to their jobs.  Bsides Cleveland also has some of the best presenters. Including Amanda Berlin (@InfoSystir) who is a great contribution to the infosec community. I hope to get to meet her in person someday.

Originally posted on LinkedIn : https://www.linkedin.com/pulse/network-forensics-village-alexander-kot/

July 16, 2018

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013