Tate | Security+ | CDSA | CCD
Trident Lab [CyberDefenders]
Scenario:
As a soc analyst, a phishing attack attributed to a popular APT group targeted one of your customers. Given the provided PCAP trace, analyze the attack and answer challenge questions.
From the conversations view in Wireshark, we can see that there are tons of unique IP addresses sending SYN packets to the 192.168.112.139 endpoint, which is indicative of port scanning using SYN packets.
Now that we know which endpoint is the target of this attack, I’ll look for packets containing the SYN/ACK flags turned on in the TCP header, this will give me more of an idea of which open ports have potentially been discovered.
To detect open ports found by the attacker, I am specifically looking for a tcp stream where:
- Attacker [SYN] -> Victim
- Victim [SYN/ACK] -> Attacker
- Attacker [ACK] -> Vicim
- Attacker [RST, ACK] -> Victim
Wireshark Filter: ip.dst==192.168.112.139 && tcp and tcp.flags == 0x014
Following this logic, the following 7 ports are found open on the victim machine:
- 587 [SMTP]
- 135 [RPC client-server comms]
- 139 [SMB]
- 143 [IMAP]
- 25 [SMTP relaying]
- 445 [NetBIOS]
- 110 [POPv3]
Checking out the TCP stream of the conversation on port 25, we notice a few alarming things:
- “EHLO kali”
- An email message with an urgent call to action.
- An attached microsoft .docx file with a subsequent blob of base64 encoding.
- Coming from the internal IP address 192.168.112.128, this SMTP message seems to have been sent from a previously infected machine.
Using NetworkMiner to check out this filer, I see that the real file extension is .zip and the “docx” file extension was only to mask what the file really was.
I will use 7z x 'web server.docx' -owebserver to unzip the file, and extract the output to a folder named “webserver”
This folder is made up of multiple files and folders, so what I will do is use grep to search these plain text files for any hardcoded ip addresses or URL’s.
IP’s:
URL’s:
Lets check out that html file…