Wednesday, December 5, 2012

dfir-challenge-networktraffic


Network Analysis


For this incident we were provided a pcap of the offending traffic that initially kicked off this incident.  Looking at the sessions in the pcap, using argus, we see the following:

argus -r jackcr-challenge.pcap -w - |ra

26 Nov 12 18:01:58            tcp   172.16.150.20.1097   ->   58.64.132.141.http  5        437          CON
26 Nov 12 18:02:57            tcp   172.16.150.20.1098   ->   58.64.132.141.http  11       1131         CON
26 Nov 12 18:04:13            tcp   172.16.150.20.1099   ->   58.64.132.141.http  6        2630         CON
26 Nov 12 18:04:13            tcp   172.16.150.20.1097   ->   58.64.132.141.http  1        54           CON
26 Nov 12 18:06:21  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:06:34            tcp   172.16.150.20.1099   ->   58.64.132.141.http  463      31939        RST
26 Nov 12 18:07:13  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:07:31            tcp   172.16.150.20.1098   ->   58.64.132.141.http  6        605          CON
26 Nov 12 18:08:41            tcp   172.16.150.20.1098   ->   58.64.132.141.http  6        585          CON
26 Nov 12 18:10:13  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:10:25            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        493          CON
26 Nov 12 18:11:36            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        418          CON
26 Nov 12 18:12:26            tcp   172.16.150.20.1156   ->   58.64.132.141.http  7        2811         CON
26 Nov 12 18:12:26            tcp   172.16.150.20.1097   ->   58.64.132.141.http  1        54           CON
26 Nov 12 18:13:27            tcp   172.16.150.20.1156   ->   58.64.132.141.http  6        4959         RST
26 Nov 12 18:14:58  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  7        931          CON
26 Nov 12 18:15:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:16:11            tcp   172.16.150.20.1098   ->   58.64.132.141.http  4        742          CON
26 Nov 12 18:18:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:19:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:21:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:22:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:24:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:25:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:27:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:28:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:30:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:31:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:33:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:34:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:36:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:37:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:39:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:40:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:42:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:43:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:45:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:46:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:48:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:49:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:51:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:52:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:54:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:55:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:57:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 18:58:14  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  7        1331         CON
26 Nov 12 19:00:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:00:53            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        518          CON
26 Nov 12 19:01:56            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        497          CON
26 Nov 12 19:03:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:02:58            tcp   172.16.150.20.1098   ->   58.64.132.141.http  1        384          CON
26 Nov 12 19:04:57            tcp   172.16.150.20.1098   ->   58.64.132.141.http  5        981          CON
26 Nov 12 19:06:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:06:33            tcp   172.16.150.20.1098   ->   58.64.132.141.http  4        658          CON
26 Nov 12 19:09:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:09:55            tcp   172.16.150.20.1098   ->   58.64.132.141.http  6        2608         CON
26 Nov 12 19:12:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:13:44  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  5        676          CON
26 Nov 12 19:15:26  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:16:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:18:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:19:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:21:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:22:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:24:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:25:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:27:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:28:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:30:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:31:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:33:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:34:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:36:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:37:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:39:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:40:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:42:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:43:59  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:45:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:47:00  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:48:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:48:19            tcp   172.16.150.20.1098   ->   58.64.132.141.http  5        787          CON
26 Nov 12 19:49:27            tcp   172.16.150.20.1238   ->   58.64.132.141.http  6        2675         CON
26 Nov 12 19:49:27            tcp   172.16.150.20.1097   ->   58.64.132.141.http  1        54           CON
26 Nov 12 19:50:28            tcp   172.16.150.20.1238   ->   58.64.132.141.http  4        1486         CON
26 Nov 12 19:52:06  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:52:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:53:36  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:55:06  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:55:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 19:56:36  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  4        2175         CON
26 Nov 12 19:57:20            tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        214          CON
26 Nov 12 19:57:46            tcp   172.16.150.20.1238   ->   58.64.132.141.http  4        1009         CON
26 Nov 12 19:58:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:00:20  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:00:50  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:01:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:01:39            tcp   172.16.150.20.1098   ->   58.64.132.141.http  1        135          CON
26 Nov 12 20:01:51            tcp   172.16.150.20.1238   ->   58.64.132.141.http  6        3031         CON
26 Nov 12 20:05:23  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:04:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:04:39  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:07:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:07:39  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:08:23  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:10:39  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:11:23  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:10:27  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:12:28            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        501          CON
26 Nov 12 20:13:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:14:10            tcp   172.16.150.20.1098   ->   58.64.132.141.http  3        607          CON
26 Nov 12 20:14:23  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:15:28            tcp   172.16.150.20.1238   ->   58.64.132.141.http  32       28354        CON
26 Nov 12 20:16:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:17:48  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:19:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:18:44  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:20:48  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:21:44  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:22:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:23:48  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:24:44  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:25:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:25:50            tcp   172.16.150.20.1098   ->   58.64.132.141.http  2        267          CON
26 Nov 12 20:27:03            tcp   172.16.150.20.1098   ->   58.64.132.141.http  5        579          CON
26 Nov 12 20:26:47            tcp   172.16.150.20.1238   ->   58.64.132.141.http  3        409          CON
26 Nov 12 20:28:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:29:47  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:30:08  *         tcp   172.16.150.20.1098   ->   58.64.132.141.http  4        359          CON
26 Nov 12 20:31:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:31:13            tcp   172.16.150.20.1098   ->   58.64.132.141.http  5        592          CON
26 Nov 12 20:32:47  *         tcp   172.16.150.20.1238   ->   58.64.132.141.http  2        109          CON
26 Nov 12 20:32:36            tcp   172.16.150.20.1098   ->   58.64.132.141.http  4        975          CON
26 Nov 12 20:34:56            tcp   172.16.150.20.1267   ->   58.64.132.141.http  1        62           RST
26 Nov 12 20:34:56            tcp   172.16.150.20.1267   ->   58.64.132.141.http  1        62           RST
26 Nov 12 20:34:57            tcp   172.16.150.20.1267   ->   58.64.132.141.http  1        62           RST
26 Nov 12 20:34:24            tcp   172.16.150.20.1098   ->   58.64.132.141.http  0        0            RST
26 Nov 12 20:34:27            tcp   172.16.150.20.1238   ->   58.64.132.141.http  0        0            RST
26 Nov 12 20:34:28  *         tcp   172.16.150.20.1097   ->   58.64.132.141.http  2        109          RST

From this output we see that we have a single host communicating with the known bad IP address on port 80 (HTTP).  Let's take a closer look at the traffic and see if we can tell what's going on.  Taking a quick glance at the pcap in Wireshark we see:

Gh0st........x.Kc``....@....\..L@:8..,39U! 19[.."....!
(+.`.V......(Q!....`....
Q...2...&..w...?@CI.a..8C.Q!.)B...@9....f.a........L.I.K.--..../.54.` ...1.o...Gh0st........x.c......Gh0st........x.....).)Gh0st........x.c......Gh0st........x.c......Gh0st........x.c......

It's apparent just by looking at the strings that this is not HTTP traffic.  The Gh0st string is pretty much a dead giveaway that we have a Gh0st backdoor communicating with a C2.  Our initial indicator was an alert notifying us that a host was communicating with a known bad IP address. Unfortunately we did not have any alerts notifying us that this host was compromised with a Gh0st backdoor.  We need to correct this so that we are notified should additional machines start beaconing.

We could write a simple Snort rule that just looks for the string Gh0st, but we may want to tighten this rule up a bit.  If we look deeper into the pcap we see the following:

tcpdump -r jackcr-challenge.pcap -vvnnX |more

18:01:58.229548 IP (tos 0x0, ttl 127, id 631, offset 0, flags [DF], proto: TCP (6), length: 199) 172.16.150.20.1097 > 58.64.132.
141.80: P, cksum 0xac7b (correct), 1:160(159) ack 1 win 17520
0x0000:  4500 00c7 0277 4000 7f06 f7c7 ac10 9614  E....w@.........
0x0010:  3a40 848d 0449 0050 9f1d 317c 6e44 3d06  :@...I.P..1|nD=.
0x0020:  5018 4470 ac7b 0000 4768 3073 749f 0000  P.Dp.{..Gh0st...
0x0030:  00e0 0000 0078 9c4b 6360 6098 03c4 ac40  .....x.Kc``....@
0x0040:  cc08 c41a 5c0c 0c4c 403a 38b5 a82c 3339  ....\..L@:8..,39
0x0050:  5521 2031 395b c118 22f7 9299 8121 0d28  U!.19[.."....!.(
0x0060:  2bc3 6001 56c3 c0c2 c0f0 0728 5121 c300  +.`.V......(Q!..
0x0070:  078c 6095 10d0 c30a 51a3 c20c 3293 c513  ..`.....Q...2...
0x0080:  269e 1077 8609 a83f 4043 499c 6182 a238  &..w...?@CI.a..8
0x0090:  43c3 5121 8629 4210 b9c5 4039 0605 0606  C.Q!.)B...@9....
0x00a0:  66b0 618c 0c1f b819 18d6 084c 1349 cd4b  f.a........L.I.K
0x00b0:  d72d 2d2e a9c8 c82f d535 34b1 6020 0608  .--..../.54.`...
0x00c0:  0031 006f a519 07                        .1.o...

If you look at the pcap in detail you will see that 0x789c appears 8 bytes past the Gh0st identifier.  0x789c just happens to be the zlib stream header, which we will get into in a bit.  We can now write a slightly tighter rule, since we have the pattern: the string Gh0st -> 8 bytes -> 0x789c.

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Gh0st Beacon Detected"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|78 9c|"; distance:8; within:2; classtype:trojan-activity; sid:1000000; rev:1;)

This rule looks for the string Gh0st within the first 5 bytes of the payload, then skips 8 bytes and looks for the bytes 78 9c in the next 2 bytes.  Now if we place this rule where Snort can find it and test with the provided pcap, we should see several alerts fire:

snort -r jackcr-challenge.pcap -c /etc/snort/snort.conf -A console

11/26-18:01:58.229548  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1097 -> 58.64.132.141:80
11/26-18:02:57.870733  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:02:58.429619  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:04.004551  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:10.239151  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:15.051393  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:21.285494  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:21.725537  [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80

Now that we have some detection in place we know we have at least one machine to look at.

Gh0st Decode

Like I said above, Gh0st traffic is just zlib compressed data, so I would like to talk about how we can decode this traffic.  I worked at this a few months ago, before I knew anything about MITRE's ChopShop tool.

The default identifier for a Gh0st backdoor is simply "Gh0st".  It can really be anything; what matters when decoding the traffic is whether the zlib header is at a consistent location after the identifier.  Fortunately for us it is: there are 8 bytes between the identifier and the header.

I carved out the first beacon in the pcap and removed the first 13 bytes.  We now have the zlib header at the beginning.

0000000: 789c 4b63 6060 9803 c4ac 40cc 08c4 1a5c  x.Kc``....@....\
0000010: 0c0c 4c40 3a38 b5a8 2c33 3955 2120 3139  ..L@:8..,39U! 19
0000020: 5bc1 1822 f792 9981 210d 282b c360 0156  [.."....!.(+.`.V
0000030: c3c0 c2c0 f007 2851 21c3 0007 8c60 9510  ......(Q!....`..
0000040: d0c3 0a51 a3c2 0c32 93c5 1326 9e10 7786  ...Q...2...&..w.
0000050: 09a8 3f40 4349 9c61 82a2 3843 c351 2186  ..?@CI.a..8C.Q!.
0000060: 2942 10b9 c540 3906 0506 0666 b061 8c0c  )B...@9....f.a..
0000070: 1fb8 1918 d608 4c13 49cd 4bd7 2d2d 2ea9  ......L.I.K.--..
0000080: c8c8 2fd5 3534 b160 2006 0800 3100 6fa5  ../.54.` ...1.o.
0000090: 1907 e6f4 b350 5ba5 0300 4c00 0000 4c00  .....P[...L...L.
00000a0: 0000 000c 295d b3d4 000c 2922 fa98 0800  ....)]....)"....
00000b0: 4500 003e 07b1 4000 8006 f216 3a40 848d  E..>..@.....:@..
00000c0: ac10 9614 0050 0449 6e44 3d06 9f1d 321b  .....P.InD=...2.
00000d0: 5018 43d1 6106 0000                                    P.C.a...

Now I'll use a little Python to decode this.

Jacks-MacBook-Pro:gh0st comanche$ python
Python 2.7.1 (r271:86832, Jul 31 2011, 19:30:53) 
[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import zlib
>>> testfile = open('/tmp/1.data', 'rb').read()
>>> zw = zlib.decompress ( testfile )
>>> print zw
f?(
Service Pack 3?f8?x?$I`^?P("?!????^? ?
                                      ??eng-ustxhou-148
>>> 

It looks like it's reporting OS information and the hostname to the C2.
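In the tcpdump hex above, the 8 bytes between the identifier and the zlib header are 9f 00 00 00 e0 00 00 00: two little-endian 32-bit integers, where 0x9f = 159 is exactly the payload length tcpdump reports (1:160(159)) and 0xe0 = 224 is the size of the decompressed data. The following is an added example, not code from the post, that uses those two fields to cut each frame precisely instead of handing zlib the rest of the capture; the sample stream, plaintexts and the interpretation of the two length fields are constructed here and assumed, and `matches_rule` mirrors the Snort rule above.

```python
import struct
import zlib

MAGIC = b"Gh0st"                 # default identifier; some samples change it
HDR_LEN = len(MAGIC) + 8         # identifier + two u32 LE fields = 13 bytes
ZLIB_HDR = b"\x78\x9c"           # zlib header (default compression) seen in the dump


def build_frame(plaintext, magic=MAGIC):
    """Build one framed beacon; used only to construct the sample below."""
    body = zlib.compress(plaintext)
    total_len = len(magic) + 8 + len(body)
    # Assumed layout: magic, total frame length, decompressed length, zlib body.
    return magic + struct.pack("<II", total_len, len(plaintext)) + body


def matches_rule(payload, magic=MAGIC):
    """Same test as the Snort rule: identifier at offset 0, 78 9c 8 bytes after it."""
    z = len(magic) + 8
    return payload[:len(magic)] == magic and payload[z:z + 2] == ZLIB_HDR


def decode_stream(data, magic=MAGIC):
    """Walk a reassembled byte stream and decode every frame found.

    Returns a list of (offset, plaintext_or_None, status) tuples so damaged
    frames are reported rather than silently dropped.
    """
    found = []
    start = 0
    while True:
        pos = data.find(magic, start)
        if pos == -1:
            break
        hdr = data[pos + len(magic):pos + len(magic) + 8]
        if len(hdr) < 8:
            found.append((pos, None, "truncated header"))
            break
        total_len, orig_len = struct.unpack("<II", hdr)
        body = data[pos + len(magic) + 8:pos + total_len]
        if total_len < HDR_LEN or len(body) != total_len - HDR_LEN:
            # Length field does not match the bytes on hand: capture cut short
            # or a false match on the identifier. Resume just past the magic.
            found.append((pos, None, "truncated frame"))
            start = pos + len(magic)
            continue
        try:
            plain = zlib.decompress(body)
        except zlib.error as e:
            found.append((pos, None, "zlib error: %s" % e))
            start = pos + len(magic)
            continue
        status = "ok" if len(plain) == orig_len else "length mismatch"
        found.append((pos, plain, status))
        start = pos + total_len      # skip the whole frame, body included
    return found


# Constructed sample: two frames with junk between them, then one cut short.
PT1 = b"Service Pack 3\x00eng-ustxhou-148\x00"
PT2 = b"Microsoft Windows XP [Version 5.1.2600]\r\n"
JUNK = b"\x00\x00\x00\x00\x45\x00\x00\x3e"
SAMPLE = build_frame(PT1) + JUNK + build_frame(PT2) + build_frame(b"cut short")[:-4]


if __name__ == "__main__":
    for off, plain, status in decode_stream(SAMPLE):
        print("offset %d: %s %r" % (off, status, plain))
```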

Now what we want to do is loop through the pcap, because it's a pain in the ass to carve every transaction out by hand.  We also want to write this data to a file so we have a chance of carving data out of it.

Here's the script I wrote to do just that.  Thanks to @vulp1n3 for helping me with the looping.

#!/usr/bin/python

import sys
import zlib
from optparse import OptionParser

parser = OptionParser()
parser.add_option("-i", "--infile", dest="infile", help="select input file", metavar="Infile")
parser.add_option("-o", "--outfile", dest="outfile", help="select output file", metavar="Outfile")
parser.add_option("-m", "--magicname", dest="magicname", help="Magic name for gh0st backdoor", metavar="Magicname")
(options, args) = parser.parse_args()

if options.infile is None:
    print("-i flag is required.  Please see help for more information")
    sys.exit(1)

if options.outfile is None:
    print("-o flag is required.  Please see help for more information")
    sys.exit(1)

if options.magicname is None:
    print("-m flag is required.  Please see help for more information")
    sys.exit(1)

# The identifier is searched for as raw bytes across the whole capture.
magic = options.magicname.encode()
with open(options.infile, 'rb') as g:
    ifile = g.read()

f = open(options.outfile, 'wb')

start = 0
while True:
    # Find the next occurrence of the identifier anywhere in the pcap.
    beginpacket = ifile.find(magic, start)
    if beginpacket == -1:
        break

    # Skip the identifier and the 8 header bytes; the zlib stream starts there.
    startzlib = beginpacket + len(magic) + 8
    zw1 = ifile[startzlib:]
    # Advance past this hit before decoding so a failed frame is not retried.
    start = beginpacket + len(magic)
    try:
        # zlib.decompress stops at the end of the stream and ignores whatever
        # packet data follows it, so the compressed length is not needed.
        zw = zlib.decompress(zw1)
    except zlib.error:
        print("[!] zlib error at offset %d" % beginpacket)
        continue    # the original used 'next', which is a no-op and rewrote stale data
    f.write(zw)

f.close()

Now let's run it against our pcap.

python gh0st-decode.py -i /tmp/jackcr-challenge.pcap -o /tmp/C2-Decoded -m Gh0st

Now if we run strings against /tmp/C2-Decoded we see:

Service Pack 3
eng-ustxhou-148
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>mkdir webui
mkdir webui
C:\WINDOWS>cd webui
cd webui
C:\WINDOWS\webui>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 172.16.150.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.150.2
C:\WINDOWS\webui>
Removable Disk
Local Disk
NTFS
CD Drive

Skipping...




