SANS Puzzle aurora dissection

SANS has published a puzzle. The puzzle provides a piece of evidence: a packet capture containing the communications between a host and a malicious domain that exploits the Aurora 0-day vulnerability.

The puzzle is good, but not difficult; it only requires some knowledge of analyzing TCP connections in Wireshark.
Unfortunately I have no access to Wireshark, so I opened the capture with IPTools. It is not as friendly as Wireshark (lol… Wireshark is the best and incomparable), but it does present the frames in an understandable fashion.


The questions are quite simple and can easily be answered once you understand the communication. The points to observe are:

  • Source 10.70 requested the webpage /index.php from the malicious server 10.10
  • The server returned a webpage containing JavaScript
  • Victim 10.70 requested a GIF file
  • <something has happened> (exploit executed)
  • Victim establishes a connection to the server on port 4444
  • Victim downloads an exe file (I could tell by observing the data stream, viz. the string “This program cannot be run in DOS mode”)
  • I could not identify the end of the exe :(

    Then I looked for a packet that is not the max packet size of 1500 bytes: ACK packet 46 gives the last packet of the exe file, which is 688 bytes. I also observed the PUSH flag set.
    lol .. Wireshark would automatically give me the complete exe by following the stream from that starting packet… However, I learnt about the end of the connection… :D
  • Whenever evidence is examined, the points to observe are the timelines:
    • The time elapsed from the original HTTP request to the connection made to port 4444?
    • How frequently does the TCP ID change?
    • How frequently does the sequence number change?
    • What are the patterns of the TCP connections made to port 4444 of the malicious server?
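The end-of-transfer check and the port-4444 timeline described above, as an added example (not the puzzle's capture and not the author's own code): a minimal pure-Python pcap reader that reassembles the server-to-victim stream on port 4444 by sequence number, confirms the PE marker, flags the final short PSH segment, and measures the gap from the HTTP GET to the SYN. The capture is constructed inline; its addresses, ports and timings are assumptions, not values from the puzzle file.

```python
import struct
MSS = 1460  # a full 1500-byte frame minus 20-byte IP and TCP headers; a shorter segment marks the end of a transfer
SYN, PSH, ACK = 0x02, 0x08, 0x10

def tcp_frames(pcap):
    """Yield (ts, src, sport, dst, dport, flags, seq, payload) for IPv4/TCP frames in a little-endian Ethernet pcap."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "classic little-endian pcap only"
    off = 24                                                # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4/TCP
            continue
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]      # trim Ethernet padding via IP total length
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq, _, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield ts_sec + ts_usec / 1e6, src, sport, dst, dport, off_flags & 0x1FF, seq, tcp[(off_flags >> 12) * 4:]

def analyze(pcap, victim, server, port=4444):
    """Time from the victim's HTTP GET to its SYN on `port`, plus checks on the server->victim stream on that port."""
    pk = list(tcp_frames(pcap))
    t_get = next(p[0] for p in pk if p[1] == victim and p[4] == 80 and p[7].startswith(b"GET "))
    t_syn = next(p[0] for p in pk if p[1] == victim and p[4] == port and p[5] & SYN)
    segs = sorted((p[6], p[5], p[7]) for p in pk if p[1] == server and p[2] == port and p[7])  # reassemble by seq
    data = b"".join(s[2] for s in segs)
    last_flags, last_payload = segs[-1][1], segs[-1][2]
    return {
        "seconds_get_to_syn": round(t_syn - t_get, 3),
        "is_pe": data.startswith(b"MZ") and b"This program cannot be run in DOS mode" in data,
        "last_segment_bytes": len(last_payload),
        "last_segment_is_short_push": len(last_payload) < MSS and bool(last_flags & PSH),
    }

def frame(ts, src, sport, dst, dport, flags, seq, payload=b""):
    """Constructed Ethernet/IPv4/TCP pcap record for the sample capture (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(pkt), len(pkt)) + pkt

VICTIM, SERVER = "10.10.10.70", "10.10.10.10"   # constructed addresses standing in for the post's .70 and .10 hosts
EXE = b"MZ" + b"\x90" * 76 + b"This program cannot be run in DOS mode\r\n" + bytes(range(256)) * 14
CHUNKS = [EXE[i:i + MSS] for i in range(0, len(EXE), MSS)]     # 1460, 1460 and a final 782-byte segment
DATA = [frame(3.0 + i / 100, SERVER, 4444, VICTIM, 1038, PSH | ACK if i == len(CHUNKS) - 1 else ACK,
              1 + i * MSS, c) for i, c in enumerate(CHUNKS)]
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + frame(0.0, VICTIM, 1035, SERVER, 80, PSH | ACK, 1, b"GET /index.php HTTP/1.1\r\n\r\n")
               + frame(2.5, VICTIM, 1038, SERVER, 4444, SYN, 0)
               + DATA[1] + DATA[0] + DATA[2])                  # segments deliberately recorded out of order
```

Running `analyze(SAMPLE_PCAP, VICTIM, SERVER)` reports a 2.5 s gap and a final 782-byte PSH segment; on a real capture, point `tcp_frames` at the file's bytes and pass the actual victim and server addresses.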

I found another tool, NetworkMiner. It is a simple and interesting tool that provides information about the machines (fingerprints) that are communicating and the sessions established between them. It also filters out the cleartext streams in the communication.

Wesley McGrew has written a new forensics tool

About wikihead

A security freak