Tolkien Ring - Wireshark Practice walkthrough
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark
Difficulty Rating: 1/5
Hints
Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark
Solutions
1.What kinds of objects can be exported in the pcap file ? HTTP
Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.
2. Name of the biggest file you can export ? app.php (808kB)
Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php
3. Packet number where app.php starts ? 687
In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for that specific conversation highlighted. App.php conversation traffic starts at packet number 687
4. IP Address of the Apache Server ? 192.85.57.242
When we click on the app.php (808kB) file, the Wireshark window in highlights on the starting packet for this conversation at 687th packet, where the source address is the Apache server IP address.
5. What file is saved on the infected host? Ref_Sept24-2020.zip
There are 2 options to look for this information.
Option 1: Follow HTTP Stream
After step 4 which is selecting the 687th packet from Wireshark main window, right click and choose “Follow HTTP Stream”, which will open a new window that allows you to see the entire HTTP conversation. In the conversation you should be able to see a GET request for the file app.php and followed by a JavaScript payload blob1 being saved as a file named Ref_Sept24-2020.zip
Option 2: Export app.php and analyse
Another way would be, in Export HTTP objects window, select app.php 808kB and click save. Which should export and save the app.php file to your local disk, after which you can inspect with any text editor/IDE to look at the php code, where after the initial blob of text near the end will be the JavaScript code where blob1 is being saved as Ref_Sept24-2020.zip file.
6. List the countries of the bad TLS certificates being used by the attackers in alphabetical order. – Israel, South Sudan
To Identify bad TLS certificates there are a few indicators that we can look at, first let’s filter the suspicious.pcap file in Wireshark to list all the TLS certificates captured by applying a display filter “ssl.handshake.type==11”. Now within the presented results, lets pick a random packet and look for certificate validity. drop down as per below screenshot on TLS layer until we see not After under validity field, which indicates the date of certificate expiry. Right click on that field and apply a column.
Now sort the utcTime column by clicking on the column name, you should see the last 5 packets from 2 sources 151.236.219.181 and 62.98.109.30 has certificates that have expired. Now to confirm if it’s a bad certificate, export the certificates to see if the root certificate is untrusted. As per below screenshot right click on the certificate field and choose to “export packet bytes” option and save as .Cer file.
Once exported open the .cer file as per the underlying OS you are using, and we see that both the certificates from sources 151.236.219.181 and 62.98.109.30 are untrusted. The other Name fields lists acronyms for two countries IL for Israel and SS for South Sudan
7. Is this host infected? Yes
To answer this question, you can copy the whole blob of text from the app.php code starting from UEsDBBQ……and ending at DSJAAAA. Paste it into https://gchq.github.io/CyberChef/, choose from Base64 option and save the output file as .zip format matching the JavaScript.
Now if you upload the file into Virus total, we can see that the file is being flagged as resemblance to Dridex malware family which is known to be banking related malware. From the screenshot below you can also see the past submission of a same file has been in the name download (2).dat which is the default name CyberChef provides when saving files. So, someone gone this extra mile before me ;)
Troubleshoots
- If you are experiencing hiccups with menu bar navigation, for troubleshooting purposes am using Wireshark latest version 4.0.2 (for this exercise Wireshark does not need to run with sudo/super user privileges.)
- Wireshark Download link: https://www.wireshark.org/#download
Comments
Post a Comment