First Packet Capture


<08-0618_Mendoza_report_pcap1.doc>

1. Which systems (i.e. IP addresses) are involved? (2pts)
The systems involved in the conversation are 192.150.11.111, which uses Linux 2.4/2.6 (as seen in Statistics->IPv4), and 98.114.205.102, which uses Windows 5.1/XP (as shown in the “Follow TCP Stream” window).

2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
The attacker uses the IP address 98.114.205.102. Using “whois” on the net, the following information has been gathered about the attacking host:

NetRange:       98.108.0.0 - 98.119.255.255
CIDR:           98.108.0.0/14, 98.112.0.0/13
OriginAS:       
NetName:        VIS-BLOCK
NetHandle:      NET-98-108-0-0-1
Parent:         NET-98-0-0-0-0
NetType:        Direct Allocation
RegDate:        2008-04-02
Updated:        2010-09-07
Ref:            http://whois.arin.net/rest/net/NET-98-108-0-0-1

OrgName:        Verizon Online LLC
OrgId:          VRIS
Address:        22001 Loudoun County Parkway
City:           Ashburn
StateProv:      VA [Virginia]
PostalCode:     20147
Country:        US
RegDate:        
Updated:        2010-08-17
Ref:            http://whois.arin.net/rest/org/VRIS

3. How many TCP sessions are contained in the dump file? (2pts)
There are 5 sessions recorded, as seen in Statistics->Conversation->TCP.

4. How long did it take to perform the attack? (2pts)
The attacker took 16.219218 to perform the attack.

5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
The OS that was targeted was Windows 5.1, better known as Windows XP. The service is LAN Manager; in the TCP stream it is referred to as NTLM. (This can be seen in the analysis of the SMB protocol at packets 16 and 19, where the system gives a response.)

This service also happens to be the vulnerability that was attacked. According to http://davenport.sourceforge.net, NTLM is a suite of authentication and session security protocols and is most likely best recognized as part of the "Integrated Windows Authentication" stack for HTTP authentication. In the next question you will see how this service is attacked.
(Source: http://davenport.sourceforge.net/ntlm.html#whatIsNtlm)

6. Can you sketch an overview of the general actions performed by the attacker? (5pts)
Following the TCP stream starting at packet 50 (tcp.stream eq 3), the attacker’s actions are captured. First, the attacker owns j0. Second, he logs in. Then he sends commands to the port, a buffer overflow used to gain access to the port, and retrieves the file ssms.exe. After retrieving the file, he opens it and then transfers/executes it.


** tcp.stream eq 2 may also be considered.

7. What specific vulnerability was attacked? (2pts)
Authentication and buffer overflow.

8. Was there malware involved? What is the name of the malware (we are not looking for a detailed malware analysis for this challenge)? (2pts)
Yes, there is. It is the file that was retrieved by the attacker: ssms.exe.
“File ssms.exe is not a Windows system file. The program is not visible. The file is located in the Windows folder, but it is not a Windows core file. ssms.exe is able to record inputs, hide itself and monitor applications. Therefore the technical security rating is 76% dangerous; however, also read the users' reviews.” – Source: http://www.file.net/process/ssms.exe.html

9. Do you think this is a manual or an automated attack? Why? (2pts)
Given the use of malware and the speed of the attack, this is probably an automated attack.

Bonus:
10. What actions does the shellcode perform? Please list the shellcode (10 pts)
Packet 29: a response to packet 28, which is a bind_ack request. It fragments and accesses the content of a file.

00000271  00 00 00 64 ff 53 4d 42  a2 00 00 00 00 18 07 c8 ...d.SMB ........
00000281  00 00 00 00 00 00 00 00  00 00 00 00 00 08 dc 04 ........ ........
00000291  00 08 40 00 18 ff 00 de  de 00 0e 00 16 00 00 00 ..@..... ........
000002A1  00 00 00 00 9f 01 02 00  00 00 00 00 00 00 00 00 ........ ........
000002B1  00 00 00 00 03 00 00 00  01 00 00 00 40 00 00 00 ........ ....@...
000002C1  02 00 00 00 03 11 00 00  5c 00 6c 00 73 00 61 00 ........ \.l.s.a.
000002D1  72 00 70 00 63 00 00 00                          r.p.c...
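As an added example, not part of the report, the Python below decodes the dump above field by field so an analyst can check what this packet actually requests: it collects the hex column, validates the NetBIOS length and the 0xFF "SMB" magic, reads the command byte (0xA2, NT Create AndX) and the Flags2 Unicode bit, and extracts the UTF-16LE name that is opened, the \lsarpc named pipe. Field layout follows MS-CIFS; the dump text is the report's own, re-typed as the sample input.

```python
import struct

# Hex dump of packet 29 from the report above, used here as the sample input (Wireshark "Follow TCP Stream" layout).
DUMP = r"""
00000271  00 00 00 64 ff 53 4d 42  a2 00 00 00 00 18 07 c8 ...d.SMB ........
00000281  00 00 00 00 00 00 00 00  00 00 00 00 00 08 dc 04 ........ ........
00000291  00 08 40 00 18 ff 00 de  de 00 0e 00 16 00 00 00 ..@..... ........
000002A1  00 00 00 00 9f 01 02 00  00 00 00 00 00 00 00 00 ........ ........
000002B1  00 00 00 00 03 00 00 00  01 00 00 00 40 00 00 00 ........ ....@...
000002C1  02 00 00 00 03 11 00 00  5c 00 6c 00 73 00 61 00 ........ \.l.s.a.
000002D1  72 00 70 00 63 00 00 00                          r.p.c...
"""

SMB_COM_NT_CREATE_ANDX = 0xA2  # SMB command: open a file or named pipe
SMB_FLAGS2_UNICODE = 0x8000    # Flags2 bit: string fields are UTF-16LE

def dump_to_bytes(dump: str) -> bytes:
    """Collect the hex column of each line, stopping at the first ASCII-column token."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:  # skip the offset column
            if len(tok) != 2 or any(c not in "0123456789abcdef" for c in tok.lower()):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_nt_create_andx(raw: bytes) -> dict:
    """Decode NetBIOS header, SMB header and the NT Create AndX request (MS-CIFS 2.2.4.64.1)."""
    nb_len = struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF  # NetBIOS: type byte + 24-bit length
    smb = raw[4:4 + nb_len]
    if smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    command, status, flags, flags2 = struct.unpack("<BIBH", smb[4:12])
    if command != SMB_COM_NT_CREATE_ANDX:
        raise ValueError(f"unexpected SMB command 0x{command:02x}")
    tid, pid, uid, mid = struct.unpack("<HHHH", smb[24:32])
    word_count = smb[32]
    params = smb[33:33 + 2 * word_count]
    # AndXCommand, AndXReserved, AndXOffset, Reserved, NameLength, Flags, RootDirectoryFID, DesiredAccess
    _, _, _, _, name_len, _, _, desired_access = struct.unpack("<BBHBHIII", params[:19])
    share_access, disposition, options, impersonation = struct.unpack("<IIII", params[31:47])
    data_off = 35 + 2 * word_count  # first byte after ByteCount
    if flags2 & SMB_FLAGS2_UNICODE:
        data_off += data_off % 2  # one pad byte aligns the UTF-16 name to an even offset
    enc = "utf-16-le" if flags2 & SMB_FLAGS2_UNICODE else "ascii"
    name = smb[data_off:data_off + name_len].decode(enc)
    return {"netbios_len": nb_len, "status": status, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "desired_access": desired_access, "share_access": share_access,
            "create_disposition": disposition, "create_options": options, "name": name}
```

Running `parse_nt_create_andx(dump_to_bytes(DUMP))` returns the pipe name "\lsarpc" with DesiredAccess 0x0002019f and CreateDisposition 1 (FILE_OPEN), which is the "access the content of a file" step noted above.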