Network Analysis
For this incident we were provided a pcap of the offending traffic that initially kicked off the investigation. Looking at the sessions in the pcap with argus, we see the following:
argus -r jackcr-challenge.pcap -w - |ra
26 Nov 12 18:01:58 tcp 172.16.150.20.1097 -> 58.64.132.141.http 5 437 CON
26 Nov 12 18:02:57 tcp 172.16.150.20.1098 -> 58.64.132.141.http 11 1131 CON
26 Nov 12 18:04:13 tcp 172.16.150.20.1099 -> 58.64.132.141.http 6 2630 CON
26 Nov 12 18:04:13 tcp 172.16.150.20.1097 -> 58.64.132.141.http 1 54 CON
26 Nov 12 18:06:21 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:06:34 tcp 172.16.150.20.1099 -> 58.64.132.141.http 463 31939 RST
26 Nov 12 18:07:13 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:07:31 tcp 172.16.150.20.1098 -> 58.64.132.141.http 6 605 CON
26 Nov 12 18:08:41 tcp 172.16.150.20.1098 -> 58.64.132.141.http 6 585 CON
26 Nov 12 18:10:13 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:10:25 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 493 CON
26 Nov 12 18:11:36 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 418 CON
26 Nov 12 18:12:26 tcp 172.16.150.20.1156 -> 58.64.132.141.http 7 2811 CON
26 Nov 12 18:12:26 tcp 172.16.150.20.1097 -> 58.64.132.141.http 1 54 CON
26 Nov 12 18:13:27 tcp 172.16.150.20.1156 -> 58.64.132.141.http 6 4959 RST
26 Nov 12 18:14:58 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 7 931 CON
26 Nov 12 18:15:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:16:11 tcp 172.16.150.20.1098 -> 58.64.132.141.http 4 742 CON
26 Nov 12 18:18:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:19:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:21:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:22:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:24:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:25:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:27:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:28:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:30:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:31:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:33:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:34:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:36:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:37:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:39:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:40:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:42:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:43:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:45:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:46:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:48:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:49:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:51:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:52:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:54:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:55:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:57:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:58:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 7 1331 CON
26 Nov 12 19:00:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:00:53 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 518 CON
26 Nov 12 19:01:56 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 497 CON
26 Nov 12 19:03:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:02:58 tcp 172.16.150.20.1098 -> 58.64.132.141.http 1 384 CON
26 Nov 12 19:04:57 tcp 172.16.150.20.1098 -> 58.64.132.141.http 5 981 CON
26 Nov 12 19:06:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:06:33 tcp 172.16.150.20.1098 -> 58.64.132.141.http 4 658 CON
26 Nov 12 19:09:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:09:55 tcp 172.16.150.20.1098 -> 58.64.132.141.http 6 2608 CON
26 Nov 12 19:12:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:13:44 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 5 676 CON
26 Nov 12 19:15:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:16:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:18:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:19:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:21:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:22:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:24:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:25:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:27:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:28:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:30:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:31:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:33:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:34:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:36:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:37:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:39:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:40:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:42:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:43:59 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:45:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:47:00 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:48:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:48:19 tcp 172.16.150.20.1098 -> 58.64.132.141.http 5 787 CON
26 Nov 12 19:49:27 tcp 172.16.150.20.1238 -> 58.64.132.141.http 6 2675 CON
26 Nov 12 19:49:27 tcp 172.16.150.20.1097 -> 58.64.132.141.http 1 54 CON
26 Nov 12 19:50:28 tcp 172.16.150.20.1238 -> 58.64.132.141.http 4 1486 CON
26 Nov 12 19:52:06 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:52:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:53:36 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:55:06 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:55:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 19:56:36 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 4 2175 CON
26 Nov 12 19:57:20 tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 214 CON
26 Nov 12 19:57:46 tcp 172.16.150.20.1238 -> 58.64.132.141.http 4 1009 CON
26 Nov 12 19:58:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:00:20 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:00:50 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:01:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:01:39 tcp 172.16.150.20.1098 -> 58.64.132.141.http 1 135 CON
26 Nov 12 20:01:51 tcp 172.16.150.20.1238 -> 58.64.132.141.http 6 3031 CON
26 Nov 12 20:05:23 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:04:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:04:39 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:07:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:07:39 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:08:23 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:10:39 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:11:23 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:10:27 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:12:28 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 501 CON
26 Nov 12 20:13:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:14:10 tcp 172.16.150.20.1098 -> 58.64.132.141.http 3 607 CON
26 Nov 12 20:14:23 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:15:28 tcp 172.16.150.20.1238 -> 58.64.132.141.http 32 28354 CON
26 Nov 12 20:16:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:17:48 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:19:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:18:44 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:20:48 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:21:44 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:22:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:23:48 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:24:44 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:25:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:25:50 tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 267 CON
26 Nov 12 20:27:03 tcp 172.16.150.20.1098 -> 58.64.132.141.http 5 579 CON
26 Nov 12 20:26:47 tcp 172.16.150.20.1238 -> 58.64.132.141.http 3 409 CON
26 Nov 12 20:28:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:29:47 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:30:08 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 4 359 CON
26 Nov 12 20:31:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:31:13 tcp 172.16.150.20.1098 -> 58.64.132.141.http 5 592 CON
26 Nov 12 20:32:47 * tcp 172.16.150.20.1238 -> 58.64.132.141.http 2 109 CON
26 Nov 12 20:32:36 tcp 172.16.150.20.1098 -> 58.64.132.141.http 4 975 CON
26 Nov 12 20:34:56 tcp 172.16.150.20.1267 -> 58.64.132.141.http 1 62 RST
26 Nov 12 20:34:56 tcp 172.16.150.20.1267 -> 58.64.132.141.http 1 62 RST
26 Nov 12 20:34:57 tcp 172.16.150.20.1267 -> 58.64.132.141.http 1 62 RST
26 Nov 12 20:34:24 tcp 172.16.150.20.1098 -> 58.64.132.141.http 0 0 RST
26 Nov 12 20:34:27 tcp 172.16.150.20.1238 -> 58.64.132.141.http 0 0 RST
26 Nov 12 20:34:28 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 RST
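The cadence in those argus rows is worth measuring rather than eyeballing. The following Python is an added example and not part of the original write-up: it parses a dozen ra rows copied from the output above, keeps only flows of one fixed shape (two packets, 109 bytes) and reports the period and jitter per source port. The tokenising assumes the whitespace-collapsed ra layout shown on this page; a live ra prints fixed-width columns, so adjust the parser if you feed it a fresh run.

```python
from datetime import datetime
from statistics import median

# Twelve consecutive ra rows copied verbatim from the argus output above
# (source ports 1097 and 1098, 18:15 to 18:31). The '*' column is an ra flag
# that is absent on some rows, so the parser must treat it as optional.
SAMPLE_ROWS = """\
26 Nov 12 18:15:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:16:11 tcp 172.16.150.20.1098 -> 58.64.132.141.http 4 742 CON
26 Nov 12 18:18:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:19:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:21:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:22:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:24:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:25:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:27:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:28:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:30:26 * tcp 172.16.150.20.1097 -> 58.64.132.141.http 2 109 CON
26 Nov 12 18:31:14 * tcp 172.16.150.20.1098 -> 58.64.132.141.http 2 109 CON
""".splitlines()

PROTOS = {"tcp", "udp", "icmp", "arp"}


def parse_ra_line(line):
    """Turn one whitespace-collapsed ra row into a dict."""
    toks = line.split()
    when = datetime.strptime(" ".join(toks[:4]), "%d %b %y %H:%M:%S")
    rest = toks[4:]
    flags = ""
    if rest[0] not in PROTOS:          # optional flag column such as '*'
        flags = rest.pop(0)
    proto, src, _arrow, dst, pkts, nbytes, state = rest
    return {"time": when, "flags": flags, "proto": proto, "src": src, "dst": dst,
            "pkts": int(pkts), "bytes": int(nbytes), "state": state}


def beacon_intervals(rows, pkts=2, nbytes=109):
    """Seconds between successive flows of one fixed shape, per (src, dst).

    Filtering on a single packet/byte count separates the small, regular
    keepalives from the larger command and response flows on the same port.
    """
    per_pair = {}
    for r in rows:
        if r["pkts"] == pkts and r["bytes"] == nbytes:
            per_pair.setdefault((r["src"], r["dst"]), []).append(r["time"])
    out = {}
    for pair, times in per_pair.items():
        times.sort()
        out[pair] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return out


def summarize(intervals):
    """(median period, max jitter) per pair; a fixed period with little jitter
    is the signature of a scheduled beacon rather than interactive use."""
    return {pair: (median(d), max(d) - min(d)) for pair, d in intervals.items() if d}


if __name__ == "__main__":
    rows = [parse_ra_line(line) for line in SAMPLE_ROWS]
    for (src, dst), (period, jitter) in summarize(beacon_intervals(rows)).items():
        print("%s -> %s: period %.0fs, jitter %.0fs" % (src, dst, period, jitter))
```

On these rows both source ports come out at a 180-second period with zero jitter; the 4-packet, 742-byte flow on port 1098 is excluded by the shape filter, which is the point of filtering on size before computing intervals.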
From the argus output we see a single host, 172.16.150.20, communicating with the known bad IP address on port 80 (http). The many rows showing two packets and 109 bytes are worth a second look: on each source port they repeat about every three minutes for the life of the connection, which is what a keepalive looks like, not a browser. Let's take a closer look at the traffic and see if we can tell what's going on. Taking a quick glance at the pcap in Wireshark we see
Gh0st........x.Kc``....@....\..L@:8..,39U! 19[.."....!
(+.`.V......(Q!....`....
Q...2...&..w...?@CI.a..8C.Q!.)B...@9....f.a........L.I.K.--..../.54.` ...1.o...Gh0st........x.c......Gh0st........x.....).)Gh0st........x.c......Gh0st........x.c......Gh0st........x.c......
It's apparent just by looking at the strings that this is not HTTP traffic. The Gh0st string is pretty much a dead giveaway that we have a Gh0st backdoor communicating with a C2. Our initial indicator was an alert notifying us that a host was communicating with a known bad IP address. Unfortunately we did not have any alert telling us that this host was compromised with a Gh0st backdoor. We need to correct this so that we are notified should additional machines start beaconing.
We could write a simple Snort rule that just looks for the string Gh0st, but we may want to tighten it up a bit. If we look deeper into the pcap we see the following.
tcpdump -r jackcr-challenge.pcap -vvnnX |more
18:01:58.229548 IP (tos 0x0, ttl 127, id 631, offset 0, flags [DF], proto: TCP (6), length: 199) 172.16.150.20.1097 > 58.64.132.
141.80: P, cksum 0xac7b (correct), 1:160(159) ack 1 win 17520
0x0000: 4500 00c7 0277 4000 7f06 f7c7 ac10 9614 E....w@.........
0x0010: 3a40 848d 0449 0050 9f1d 317c 6e44 3d06 :@...I.P..1|nD=.
0x0020: 5018 4470 ac7b 0000 4768 3073 749f 0000 P.Dp.{..Gh0st...
0x0030: 00e0 0000 0078 9c4b 6360 6098 03c4 ac40 .....x.Kc``....@
0x0040: cc08 c41a 5c0c 0c4c 403a 38b5 a82c 3339 ....\..L@:8..,39
0x0050: 5521 2031 395b c118 22f7 9299 8121 0d28 U!.19[.."....!.(
0x0060: 2bc3 6001 56c3 c0c2 c0f0 0728 5121 c300 +.`.V......(Q!..
0x0070: 078c 6095 10d0 c30a 51a3 c20c 3293 c513 ..`.....Q...2...
0x0080: 269e 1077 8609 a83f 4043 499c 6182 a238 &..w...?@CI.a..8
0x0090: 43c3 5121 8629 4210 b9c5 4039 0605 0606 C.Q!.)B...@9....
0x00a0: 66b0 618c 0c1f b819 18d6 084c 1349 cd4b f.a........L.I.K
0x00b0: d72d 2d2e a9c8 c82f d535 34b1 6020 0608 .--..../.54.`...
0x00c0: 0031 006f a519 07 .1.o...
Looking at the payload in detail, the bytes 0x78 0x9c sit 8 bytes past the end of the Gh0st identifier. 0x78 0x9c is the two-byte zlib stream header, which we will get into in a bit; it is the CMF/FLG pair zlib writes at its default compression level, and a Gh0st build that compressed at another level would show 78 01, 78 5e or 78 da instead, so the rule below is tied to this behaviour. The 8 bytes in between, 9f 00 00 00 e0 00 00 00, are two little-endian 32-bit lengths: 0x9f = 159 is exactly the TCP payload length tcpdump reports (1:160(159)), and 0xe0 = 224 is the length of the data after decompression. We can now write a tighter rule: the string Gh0st, then 8 bytes, then 0x78 0x9c.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Gh0st Beacon Detected"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|78 9c|"; distance:8; within:2; classtype:trojan-activity; sid:1000000; rev:1;)
This rule looks for the string Gh0st in the first 5 bytes of the payload, skips 8 bytes, then requires the bytes 78 9c in the following 2 bytes. Two caveats: it is written flow:to_server on $HTTP_PORTS, so it will not fire on the C2's replies, which use the same framing in the other direction; and the identifier is configurable, so a sample built with a different magic string needs its own rule. Now if we place this rule where Snort can find it and test with the provided pcap we should see several alerts fire, one per Gh0st frame rather than one per connection.
snort -r jackcr-challenge.pcap -c /etc/snort/snort.conf -A console
11/26-18:01:58.229548 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1097 -> 58.64.132.141:80
11/26-18:02:57.870733 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:02:58.429619 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:04.004551 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:10.239151 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:15.051393 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:21.285494 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
11/26-18:03:21.725537 [**] [1:1000000:1] Gh0st Beacon Detected [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.150.20:1098 -> 58.64.132.141:80
Now that we have some detection in place we know we have at least one machine to look at.
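To see what the rule does and does not match, here is an added Python example (mine, not code from the original post or from Snort) that builds Gh0st-style frames from constructed plaintext, emits the rule text for an arbitrary identifier and direction, and applies the same content/depth/distance/within test in code. The frame layout (identifier, two little-endian uint32 lengths, zlib stream) is taken from the hexdump above; the compression-level dependence of the zlib header is standard zlib behaviour, and the rule text for the default identifier reproduces the rule above exactly.

```python
import struct
import zlib

ZLIB_DEFAULT_HDR = b"\x78\x9c"   # CMF/FLG pair zlib writes at its default level


def build_frame(payload, magic=b"Gh0st", level=-1):
    """Wrap plaintext the way the captured frames are laid out: identifier,
    total frame length, decompressed length (both little-endian uint32),
    then the zlib stream. Only used here to make test input."""
    body = zlib.compress(payload, level)
    total = len(magic) + 8 + len(body)
    return magic + struct.pack("<II", total, len(payload)) + body


def content_literal(b):
    """Render bytes as a Snort content match: plain text when it is safe
    printable ASCII, pipe-delimited hex otherwise."""
    if all(0x20 < c < 0x7f and chr(c) not in ';"|\\' for c in b):
        return b.decode("ascii")
    return "|%s|" % " ".join("%02x" % c for c in b)


def snort_rule(magic=b"Gh0st", sid=1000000, direction="to_server"):
    """The rule from the text, generalised: depth equals the identifier length
    and the zlib header is still exactly 8 bytes further on. direction
    'to_client' reverses the ports so the C2's replies are covered too."""
    if direction == "to_server":
        hdr = "alert tcp $HOME_NET any -> any $HTTP_PORTS"
    else:
        hdr = "alert tcp any $HTTP_PORTS -> $HOME_NET any"
    return ('%s (msg:"Gh0st Beacon Detected"; flow:%s,established; content:"%s"; '
            'depth:%d; content:"|78 9c|"; distance:8; within:2; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (hdr, direction, content_literal(magic), len(magic), sid))


def rule_matches(payload, magic=b"Gh0st"):
    """Same test the rule performs on one packet payload: identifier within
    the first len(magic) bytes, skip 8, then 78 9c within the next 2 bytes."""
    if payload[:len(magic)] != magic:
        return False
    off = len(magic) + 8
    return payload[off:off + 2] == ZLIB_DEFAULT_HDR


def header_consistent(payload, magic=b"Gh0st"):
    """A check a decoder can add that a content rule cannot: the total-length
    field must equal the length of the frame actually observed."""
    if len(payload) < len(magic) + 8:
        return False
    total, _orig = struct.unpack_from("<II", payload, len(magic))
    return total == len(payload)


if __name__ == "__main__":
    print(snort_rule())
    print(snort_rule(direction="to_client", sid=1000001))
    frame = build_frame(b"constructed test plaintext")
    print("default level matches:", rule_matches(frame), header_consistent(frame))
    print("level 1 matches:", rule_matches(build_frame(b"constructed", level=1)))
```

The level-1 case is the caveat from the text made concrete: the same protocol with zlib at a different level yields a 78 01 header and the rule stays silent, so a decoder that validates the length fields is a better second opinion than a second content match.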
Gh0st Decode
As noted above, Gh0st traffic is just zlib-compressed data behind a short header, so I would like to talk about how we can decode it. I worked at this a few months ago, before I knew anything about MITRE's ChopShop tool.
The default identifier for a Gh0st backdoor is simply "Gh0st". It can really be anything; what matters when decoding the traffic is whether the zlib header sits at a consistent offset after the identifier. Fortunately for us it does: there are 8 bytes between the identifier and the header.
I carved the first beacon out of the pcap and removed the first 13 bytes (the 5-byte identifier and the two 4-byte length fields). We now have the zlib header at the beginning. Note that the carved file runs on past the end of the zlib stream: the 146-byte stream ends with its Adler-32 trailer 6f a5 19 07 at offset 0x91, and everything from 0x92 on (e6 f4 b3 50 ..., then 4c 00 00 00 twice) is the 16-byte header of the next pcap record followed by its Ethernet frame. That does not matter for a one-shot decompress, which stops at the end of the stream and ignores what follows.
0000000: 789c 4b63 6060 9803 c4ac 40cc 08c4 1a5c x.Kc``....@....\
0000010: 0c0c 4c40 3a38 b5a8 2c33 3955 2120 3139 ..L@:8..,39U! 19
0000020: 5bc1 1822 f792 9981 210d 282b c360 0156 [.."....!.(+.`.V
0000030: c3c0 c2c0 f007 2851 21c3 0007 8c60 9510 ......(Q!....`..
0000040: d0c3 0a51 a3c2 0c32 93c5 1326 9e10 7786 ...Q...2...&..w.
0000050: 09a8 3f40 4349 9c61 82a2 3843 c351 2186 ..?@CI.a..8C.Q!.
0000060: 2942 10b9 c540 3906 0506 0666 b061 8c0c )B...@9....f.a..
0000070: 1fb8 1918 d608 4c13 49cd 4bd7 2d2d 2ea9 ......L.I.K.--..
0000080: c8c8 2fd5 3534 b160 2006 0800 3100 6fa5 ../.54.` ...1.o.
0000090: 1907 e6f4 b350 5ba5 0300 4c00 0000 4c00 .....P[...L...L.
00000a0: 0000 000c 295d b3d4 000c 2922 fa98 0800 ....)]....)"....
00000b0: 4500 003e 07b1 4000 8006 f216 3a40 848d E..>..@.....:@..
00000c0: ac10 9614 0050 0449 6e44 3d06 9f1d 321b .....P.InD=...2.
00000d0: 5018 43d1 6106 0000 P.C.a...
Now I'll use a little Python to decode this.
Jacks-MacBook-Pro:gh0st comanche$ python
Python 2.7.1 (r271:86832, Jul 31 2011, 19:30:53)
[GCC 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2335.15.00)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import zlib
>>> testfile = open('/tmp/1.data', 'rb').read()
>>> zw = zlib.decompress ( testfile )
>>> print zw
f?(
Service Pack 3?f8?x?$I`^?P("?!????^? ?
??eng-ustxhou-148
>>>
It looks like it's reporting OS information and the hostname to the C2. The readable parts are "Service Pack 3" and the hostname eng-ustxhou-148; the unprintable bytes around them are binary fields rather than text (the "(" followed by a newline, for instance, is the build number 2600, 0x0a28, stored as a little-endian integer), which is why strings alone does not tell the whole story.
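Added example, not from the original post: the 159-byte first beacon, copied from the tcpdump hexdump above, decoded in Python 3 with the two length fields checked rather than skipped, and the decompressed 224 bytes unpacked as the LOGIN_INFO structure from the public Gh0st 3.6 source. The struct layout, its MSVC alignment and the token value 102 ('f') are assumptions drawn from that source rather than from this pcap; the version, service pack, IP address and hostname it yields can be compared with the ipconfig and ver output decoded later in the post.

```python
import socket
import struct
import zlib

# The first beacon exactly as it appears in the tcpdump dump above: the 159-byte
# TCP payload starting at the Gh0st identifier (hexdump offset 0x28 onwards).
FIRST_BEACON = bytes.fromhex("".join("""
4768 3073 749f 0000
00e0 0000 0078 9c4b 6360 6098 03c4 ac40
cc08 c41a 5c0c 0c4c 403a 38b5 a82c 3339
5521 2031 395b c118 22f7 9299 8121 0d28
2bc3 6001 56c3 c0c2 c0f0 0728 5121 c300
078c 6095 10d0 c30a 51a3 c20c 3293 c513
269e 1077 8609 a83f 4043 499c 6182 a238
43c3 5121 8629 4210 b9c5 4039 0605 0606
66b0 618c 0c1f b819 18d6 084c 1349 cd4b
d72d 2d2e a9c8 c82f d535 34b1 6020 0608
0031 006f a519 07
""".split()))

MAGIC = b"Gh0st"
HEADER = struct.Struct("<II")   # total frame length, decompressed length (little-endian)


def parse_frame(buf, magic=MAGIC):
    """Strip one Gh0st frame from the front of buf and return (plaintext, rest).

    The total-length field is checked against the buffer and the decompressed
    size against the second field, so data that merely contains the identifier
    is rejected instead of being fed to zlib blindly.
    """
    if not buf.startswith(magic):
        raise ValueError("no magic at offset 0")
    hdr_end = len(magic) + HEADER.size
    if len(buf) < hdr_end:
        raise ValueError("truncated header")
    total, orig_len = HEADER.unpack_from(buf, len(magic))
    if total < hdr_end or total > len(buf):
        raise ValueError("frame length %d does not fit in %d bytes" % (total, len(buf)))
    plain = zlib.decompress(buf[hdr_end:total])
    if len(plain) != orig_len:
        raise ValueError("decompressed %d bytes, header said %d" % (len(plain), orig_len))
    return plain, buf[total:]


# LOGIN_INFO as laid out in the public Gh0st 3.6 source (assumption: that build,
# MSVC default alignment): token byte, OSVERSIONINFOEXA, CPU MHz, IN_ADDR,
# HostName[50], webcam flag, link speed. It packs to exactly 224 bytes, the
# value carried in the frame's second length field.
LOGIN_INFO = struct.Struct("<B 3x I I I I I 128s H H H B B i 4s 50s B x I")
TOKEN_LOGIN = 102   # 'f', the first byte of the decoded login packet (Gh0st source)


def cstring(b):
    """NUL-terminated fixed buffer to str; the rest of the buffer is stack noise."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def decode_login(plain):
    """Pull the human-readable fields out of a decoded login packet."""
    (token, _size, major, minor, build, _platform, csd, _spmaj, _spmin, _suite,
     _product, _reserved, cpu_mhz, ip, host, webcam, _speed) = LOGIN_INFO.unpack(plain)
    if token != TOKEN_LOGIN:
        raise ValueError("not a login packet (token %d)" % token)
    return {
        "os_version": "%d.%d.%d" % (major, minor, build),
        "service_pack": cstring(csd),
        "cpu_mhz": cpu_mhz,
        "ip": socket.inet_ntoa(ip),
        "hostname": cstring(host),
        "webcam": bool(webcam),
    }


if __name__ == "__main__":
    plain, rest = parse_frame(FIRST_BEACON)
    print("decoded %d bytes, %d bytes left over" % (len(plain), len(rest)))
    for key, value in decode_login(plain).items():
        print("%-13s %s" % (key, value))
```

Slicing the zlib stream to the declared length instead of handing zlib the rest of the capture is what makes the length check meaningful: a frame whose header lies about its size, or a stray "Gh0st" in some other payload, raises instead of silently decoding or silently being skipped.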
Now what we want to do is loop through the whole pcap, because it's a pain in the ass to carve every transaction out by hand. We also want to write the decoded data to a file so that we can carve data out of it later.
Here's the script I wrote to do just that. Thanks to @vulp1n3 for helping me with the looping.
#!/usr/bin/python
import sys
import zlib
from optparse import OptionParser

parser = OptionParser()
parser.add_option("-i", "--infile", dest="infile", help="select input file", metavar="Infile")
parser.add_option("-o", "--outfile", dest="outfile", help="select output file", metavar="Outfile")
parser.add_option("-m", "--magicname", dest="magicname", default="Gh0st",
                  help="Magic name for gh0st backdoor (default: Gh0st)", metavar="Magicname")
(options, args) = parser.parse_args()

if options.infile is None:
    print("-i flag is required. Please see help for more information")
    sys.exit(1)
if options.outfile is None:
    print("-o flag is required. Please see help for more information")
    sys.exit(1)

magic = options.magicname.encode()   # bytes, so find() works on the raw file under Python 3 as well
f = open(options.outfile, 'wb')
g = open(options.infile, 'rb')
ifile = g.read()

start = 0
while True:
    # Find the next occurrence of the magic anywhere in the raw pcap.
    beginpacket = ifile.find(magic, start)
    if beginpacket == -1:
        break
    # Advance past this occurrence first, so a frame that fails to
    # decompress cannot stall the loop on the same offset.
    start = beginpacket + len(magic)
    # The zlib stream starts 8 bytes (the two 32-bit length fields) after the magic.
    startzlib = beginpacket + len(magic) + 8
    zw1 = ifile[startzlib:]
    try:
        # decompress() stops at the end of the stream and ignores the rest of the file.
        zw = zlib.decompress(zw1)
    except zlib.error:
        print("[!] zlib error at offset %d" % beginpacket)
        continue
    f.write(zw)

f.close()
g.close()
Now let's run it against our pcap.
python gh0st-decode.py -i /tmp/jackcr-challenge.pcap -o /tmp/C2-Decoded -m Gh0st
If we run strings against /tmp/C2-Decoded we see:
Service Pack 3
eng-ustxhou-148
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>cd ..
cd ..
C:\WINDOWS>mkdir webui
mkdir webui
C:\WINDOWS>cd webui
cd webui
C:\WINDOWS\webui>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.150.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.150.2
C:\WINDOWS\webui>
Removable Disk
Local Disk
NTFS
CD Drive
Skipping...