My First PCAP Exercise

081710_Bilog_report_pcap1
  1. Which systems (i.e. IP addresses) are involved? (2pts)

The IPv4 tab of the Endpoints window, found in the Statistics menu, showed all the systems involved.

The IP addresses involved are the following:
a) 98.114.205.102 (Attacker) – uses Windows 2000
b) 192.150.11.111 (Victim) – uses Unix/Linux

  2. What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.

According to a “whois” lookup, the attacking host (98.114.205.102) is located in Southampton, Pennsylvania, United States, and uses Verizon Internet Services Inc.

  3. How many TCP sessions are contained in the dump file? (2pts)

There are five (5) recorded TCP sessions/conversations in the dump file, as shown in the TCP tab under ‘Conversation List’ in the ‘Statistics’ menu. Wireshark showed the following:

a) 98.114.205.102:1821 directed to 192.150.11.111:445 --- scans port
b) 98.114.205.102:1828 directed to 192.150.11.111:445 --- triggers overflow, being cracked
c) 192.150.11.111:1957 responds to 98.114.205.102:1924 --- and connects to bind shell
d) 192.150.11.111:36296 directed to 98.114.205.102:8884 --- and connects to the FTP server
e) 98.114.205.102:2152 directed to 192.150.11.111:1080 --- connects to the FTP data port and sends malware

  4. How long did it take to perform the attack? (2pts)

The attack started at exactly 11:28:28 and ended at exactly 11:28:44 as recorded, so the attack lasted 16 seconds, as shown in the ‘Elapsed’ field of the Summary window in the Statistics menu.
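The three Wireshark statistics used above (Endpoints, the TCP Conversation List and the Elapsed field) are simple to reproduce from a packet list, which is useful when a capture has to be triaged without the GUI. The script below is an added example, not part of the original report: it builds a small set of constructed packet summaries modelled on the five conversations listed in question 3 (the timestamps are made up so the capture spans 16 seconds; only the addresses and ports come from the report) and derives the per-IP endpoint counts, the conversation list with the initiator identified by the bare SYN, and the capture duration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet summary: what Wireshark's packet list shows per row."""
    ts: float      # seconds relative to the first packet in the capture
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed packet summaries modelled on the five conversations in the
# report. Timestamps are made up so that the capture spans 16 s; only the
# addresses and ports are taken from the report.
SAMPLE_PACKETS = [
    Packet(0.000, "98.114.205.102", 1821, "192.150.11.111", 445, syn=True),
    Packet(0.001, "192.150.11.111", 445, "98.114.205.102", 1821, syn=True, ack=True),
    Packet(0.002, "98.114.205.102", 1821, "192.150.11.111", 445, ack=True),
    Packet(0.300, "98.114.205.102", 1828, "192.150.11.111", 445, syn=True),
    Packet(0.301, "192.150.11.111", 445, "98.114.205.102", 1828, syn=True, ack=True),
    Packet(0.302, "98.114.205.102", 1828, "192.150.11.111", 445, ack=True),
    Packet(2.000, "98.114.205.102", 1924, "192.150.11.111", 1957, syn=True),
    Packet(2.001, "192.150.11.111", 1957, "98.114.205.102", 1924, syn=True, ack=True),
    Packet(5.000, "192.150.11.111", 36296, "98.114.205.102", 8884, syn=True),
    Packet(5.001, "98.114.205.102", 8884, "192.150.11.111", 36296, syn=True, ack=True),
    Packet(9.000, "98.114.205.102", 2152, "192.150.11.111", 1080, syn=True),
    Packet(16.000, "192.150.11.111", 1080, "98.114.205.102", 2152, syn=True, ack=True),
]


def endpoints(packets):
    """Per-IP packet counts, like Statistics > Endpoints (IPv4 tab)."""
    stats = {}
    for p in packets:
        for ip, direction in ((p.src, "tx"), (p.dst, "rx")):
            entry = stats.setdefault(ip, {"tx": 0, "rx": 0, "packets": 0})
            entry[direction] += 1
            entry["packets"] += 1
    return stats


def conversations(packets):
    """Group packets into TCP conversations, like the TCP tab of the
    Conversation List: both directions of a flow share one entry, and the
    side that sent the bare SYN is recorded as the initiator."""
    convs = OrderedDict()
    for p in packets:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = tuple(sorted((a, b)))  # same key whichever direction the packet goes
        c = convs.get(key)
        if c is None:
            c = {"initiator": a, "packets": 0, "first": p.ts, "last": p.ts}
            convs[key] = c
        if p.syn and not p.ack:
            c["initiator"] = a  # a SYN without ACK identifies who opened the connection
        c["packets"] += 1
        c["first"] = min(c["first"], p.ts)
        c["last"] = max(c["last"], p.ts)
    return convs


def elapsed(packets):
    """Capture duration, like the ‘Elapsed’ field in Statistics > Summary."""
    times = [p.ts for p in packets]
    return max(times) - min(times)


def describe(packets):
    """One line per conversation, initiator first, in first-seen order."""
    lines = []
    for key, c in conversations(packets).items():
        initiator = c["initiator"]
        responder = key[1] if key[0] == initiator else key[0]
        lines.append("%s:%d -> %s:%d (%d packets, %.3f s)" % (
            initiator[0], initiator[1], responder[0], responder[1],
            c["packets"], c["last"] - c["first"]))
    return lines


if __name__ == "__main__":
    print("Endpoints:", endpoints(SAMPLE_PACKETS))
    for line in describe(SAMPLE_PACKETS):
        print(line)
    print("Elapsed: %.1f s" % elapsed(SAMPLE_PACKETS))
```

Keying each conversation on the sorted pair of (address, port) endpoints is what makes both directions of a flow land in the same entry; the initiator is then recovered from the SYN rather than from whichever packet happened to be seen first, which matters when a capture starts mid-connection.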

  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)

The operating system targeted was Windows XP, which can be seen in packet number 16 in the field ‘Windows 5.1’, that is, Windows XP.

The service was Local Security Authority Subsystem Service or the LSASS.

The vulnerability is a stack overflow in LSASS.DLL, triggered by a DCE/RPC request, that works on Windows XP and Windows 2000.

  6. Can you sketch an overview of the general actions performed by the attacker? (5pts)


  7. What specific vulnerability was attacked? (2pts)

The specific vulnerability attacked was in LSASRV.DLL, which is present within the Active Directory service functions. But I think Questions #5 and #7 are just the same.

  8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)

Yes. It is the ssms.exe file, or the Session Management Subsystem, from the FTP server.

  9. Do you think this is a manual or an automated attack (2pts)? Why?

I think it is automated because of how the connection sessions happened. The connections, scans and delays were always less than a second apart, which proves that it would be impossible for a human to type everything by himself.

Bonus:
  1. What actions does the shellcode perform? Please list the shellcode (10 pts)

0040A12D 47 65 74 50 72 6F 63 41 GetProcA
0040A135 64 64 72 65 73 73 00 43 ddress.C
0040A13D 72 65 61 74 65 50 72 6F reatePro
0040A145 63 65 73 73 41 00 45 78 cessA.Ex
0040A14D 69 74 54 68 72 65 61 64 itThread
0040A155 00 4C 6F 61 64 4C 69 62 .LoadLib
0040A15D 72 61 72 79 41 00 77 73 raryA.ws
0040A165 32 5F 33 32 00 57 53 41 2_32.WSA
0040A16D 53 6F 63 6B 65 74 41 00 SocketA.
0040A175 62 69 6E 64 00 6C 69 73 bind.lis
0040A17D 74 65 6E 00 61 63 63 65 ten.acce
0040A185 70 74 00 63 6C 6F 73 65 pt.close
0040A18D 73 6F 63 6B 65 74 00 socket.

(http://www.vividmachines.com/shellcode/shellcode.html)
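The hex dump above is the shellcode's string table: the names it resolves with GetProcAddress, separated by NUL bytes. Recovering those names is the quickest way to answer "what actions does the shellcode perform" without running anything. The script below is an added example, not part of the original report or of the cited page: it parses the dump exactly as printed, checks that the addresses advance by the number of bytes on each line, splits the bytes into NUL-separated strings, and pairs each name with a role. The role labels and the bind-shell rule (a listening socket plus CreateProcessA) are my own assumptions, chosen to match the "connects to bind shell" conversation in question 3.

```python
import re

# The shellcode string table exactly as printed in the report (not constructed):
# each line is an address, eight hex bytes (seven on the last line) and the
# ASCII rendering of those bytes, with NUL shown as '.'.
SHELLCODE_DUMP = """\
0040A12D 47 65 74 50 72 6F 63 41 GetProcA
0040A135 64 64 72 65 73 73 00 43 ddress.C
0040A13D 72 65 61 74 65 50 72 6F reatePro
0040A145 63 65 73 73 41 00 45 78 cessA.Ex
0040A14D 69 74 54 68 72 65 61 64 itThread
0040A155 00 4C 6F 61 64 4C 69 62 .LoadLib
0040A15D 72 61 72 79 41 00 77 73 raryA.ws
0040A165 32 5F 33 32 00 57 53 41 2_32.WSA
0040A16D 53 6F 63 6B 65 74 41 00 SocketA.
0040A175 62 69 6E 64 00 6C 69 73 bind.lis
0040A17D 74 65 6E 00 61 63 63 65 ten.acce
0040A185 70 74 00 63 6C 6F 73 65 pt.close
0040A18D 73 6F 63 6B 65 74 00 socket.
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_LINE = 8


def parse_dump(text):
    """Turn the dump back into raw bytes, checking that each address equals
    the previous address plus the bytes on that line (a garbled or reordered
    dump fails here instead of producing silent nonsense)."""
    data = bytearray()
    expected_addr = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        addr = int(tokens[0], 16)
        if expected_addr is not None and addr != expected_addr:
            raise ValueError("address gap at %08X (expected %08X)" % (addr, expected_addr))
        row = []
        for tok in tokens[1:1 + BYTES_PER_LINE]:
            if not HEX_BYTE.match(tok):
                break  # reached the ASCII column
            row.append(int(tok, 16))
        data.extend(row)
        expected_addr = addr + len(row)
    return bytes(data)


def extract_strings(data):
    """NUL-separated ASCII strings, in the order they appear in the table."""
    return [s.decode("ascii") for s in data.split(b"\x00") if s]


# Assumed role labels (my own grouping, not from the report).
API_ROLES = {
    "LoadLibraryA": "load a DLL at run time",
    "GetProcAddress": "resolve API addresses at run time",
    "ws2_32": "Winsock library name passed to LoadLibraryA",
    "WSASocketA": "create a socket",
    "bind": "bind the socket to a local port",
    "listen": "wait for an inbound connection",
    "accept": "accept the inbound connection",
    "CreateProcessA": "start a child process",
    "closesocket": "close the socket",
    "ExitThread": "terminate the thread",
}

# Assumed rule: a listening socket together with process creation is the
# import set of a bind shell, which is what question 3's conversation list shows.
BIND_SHELL_APIS = {"WSASocketA", "bind", "listen", "accept", "CreateProcessA"}


def summarize(names):
    """Pair each recovered name with its assumed role (unknown names are kept)."""
    return [(n, API_ROLES.get(n, "unknown")) for n in names]


def is_bind_shell_pattern(names):
    """True when every API of the assumed bind-shell import set is present."""
    return BIND_SHELL_APIS.issubset(names)


if __name__ == "__main__":
    raw = parse_dump(SHELLCODE_DUMP)
    names = extract_strings(raw)
    for name, role in summarize(names):
        print("%-15s %s" % (name, role))
    print("bind-shell pattern:", is_bind_shell_pattern(names))
```

The address continuity check is worth keeping in any dump parser used for reports like this one: copy-and-paste from a debugger often drops or duplicates a line, and a string table that silently loses a byte will decode into plausible-looking but wrong names.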