Name: Leendert Pieter van Drimmelen 

Description: 
=================================================================================================
Narrative
=================================================================================================
Before starting any analysis, we first check the integrity of the evidence06.pcap file:

leendert-pieter@lenovo:~/contest6$ md5sum evidence06.pcap 
efac05c50c0ae92bf0818e98763920bd  evidence06.pcap

The MD5 matches with the MD5 hash provided on the website.

First, let's check what kind of data is in the capture file:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -q -n -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:2554 bytes:2330820
  eth                                    frames:2554 bytes:2330820
    ip                                   frames:2554 bytes:2330820
      tcp                                frames:2553 bytes:2330577
        http                             frames:3 bytes:967
          image-gif                      frames:1 bytes:201
        tcp.segments                     frames:1 bytes:86
          http                           frames:1 bytes:86
            data-text-lines              frames:1 bytes:86
        data                             frames:1652 bytes:2269642
      udp                                frames:1 bytes:243
        nbdgm                            frames:1 bytes:243
          smb                            frames:1 bytes:243
            mailslot                     frames:1 bytes:243
              browser                    frames:1 bytes:243
===================================================================

We see that the majority is tcp traffic, including some http and a lot of a to tshark unknown protocol (data). There is also one udp frame. Let's have a look at that:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -R udp
1243  55.409175  10.10.10.70 -> 10.10.10.255 BROWSER Host Announcement SAUCYDEV, Workstation, Server, NT Workstation

Seems likely that the machine at 10.10.10.70 is a Windows based machine, named SAUCYDEV.




Now, let's look at the http tracffic:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -R http
  1   0.000000  10.10.10.70 -> 10.10.10.10  HTTP GET /index.php HTTP/1.1 
  8   0.345929  10.10.10.10 -> 10.10.10.70  HTTP HTTP/1.1 200 OK  (text/html)
  9   0.462112  10.10.10.70 -> 10.10.10.10  HTTP GET /index.phpmfKSxSANkeTeNrah.gif HTTP/1.1 
 11   0.567143  10.10.10.10 -> 10.10.10.70  HTTP HTTP/1.1 200 OK  (GIF89a)

So, there are two successful GET requests from 10.10.10.70 (Vick's computer) to 10.10.10.10. We are of course interested in the complete URI of these requests. We also need to look at the http host header field for this:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -R http -T fields -e http.host -e http.request.uri
10.10.10.10:8080	/index.php
	
10.10.10.10:8080	/index.phpmfKSxSANkeTeNrah.gif


The second one is at least 'not normal'. I never name pictures like that.

Let's also check which http port was used:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -T fields -e frame.number -e tcp.port http
1	8080
8	1035
9	8080
11	1035

So, the two URI's are:
http://10.10.10.10:8080/index.php
http://10.10.10.10:8080/index.phpmfKSxSANkeTeNrah.gif




Let's look deeper into these two http request and extract the objects from the pcap file:

leendert-pieter@lenovo:~/contest6$ tcpxtract -f evidence06.pcap -o tcpxtract-out/
Found file of type "html" in session [10.10.10.10:36895 -> 10.10.10.70:2820], exporting to tcpxtract-out/00000000.html
Found file of type "gif" in session [10.10.10.10:36895 -> 10.10.10.70:2820], exporting to tcpxtract-out/00000001.gif

Of course, the next thing we do is create a md5sum of these two objects:

leendert-pieter@lenovo:~/contest6$ md5sum tcpxtract-out/*
a0b6322a2e09183a6a3b2533b6c8dba2  tcpxtract-out/00000000.html
df3e567d6f16d040326c7a0ea29a4f41  tcpxtract-out/00000001.gif

Looking at the html file, we see some obfuscated java script:

<html>
<head>
<script>
var UWnHADOfYHiHDDXj = "COMMENT";
var qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR = new Array();
for (i = 0; i < 1300; i++)
{
  qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i] = document.createElement(UWnHADOfYHiHDDXj);
  qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = "vEI";
}

... most part removed for clarity ...

</script>
</head>
<body>
<span id="jWfnzfLhenIemfKFynaujTIQUhzZVHTcZuJaeFtmqBXYrwn"><iframe src="/index.phpmfKSxSANkeTeNrah.gif" onload="CkoNbET(event)" /></span></body></html>
</body>
</html


This answers the second question: "vEI".

Near the end of the java script we also see the source for the second http GET request.

Let's check whether this is really a gif file:

leendert-pieter@lenovo:~/contest6$ file tcpxtract-out/00000001.gif 
tcpxtract-out/00000001.gif: GIF image data, version 89a, 1 x 1

Aha! It's a 1 x 1 pixel picture. Out of the ordinary! Maybe, these actions let to a successful execution of an exploit in Vick's browser. Let's see whether we can find more evidence of unuseful network data to/from Vick's IP address:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -q -n -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.10.10.10:4444     <-> 10.10.10.70:1036         424    120920     979   1293203    1403   1414123
10.10.10.10:4445     <-> 10.10.10.70:1044         263     26876     664    869359     927    896235
10.10.10.10:4445     <-> 10.10.10.70:1043          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1042          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1041          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1040          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1039          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1038          15       930      15       900      30      1830
10.10.10.10:4445     <-> 10.10.10.70:1037          15       930      15       900      30      1830
10.10.10.10:8080     <-> 10.10.10.70:1035           5       946       8      6463      13      7409
================================================================================

This information shows us that (some) data is exchanged between 10.10.10.10 and Vick's computer using strange TCP ports (4444 and 4445).

Let's look at some timestamps to see whether we can build a timeline. We filter on http traffic or packets with SYN flag (i.e. connection open attempts):

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -R "tcp.flags==2 or http " -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
0.000000000	10.10.10.70	1035	10.10.10.10	8080
0.345929000	10.10.10.10	8080	10.10.10.70	1035
0.462112000	10.10.10.70	1035	10.10.10.10	8080
0.567143000	10.10.10.10	8080	10.10.10.70	1035
1.265851000	10.10.10.70	1036	10.10.10.10	4444
35.947030000	10.10.10.70	1037	10.10.10.10	4445
36.283659000	10.10.10.70	1037	10.10.10.10	4445
36.830543000	10.10.10.70	1037	10.10.10.10	4445
36.831187000	10.10.10.70	1037	10.10.10.10	4445
37.377416000	10.10.10.70	1037	10.10.10.10	4445
37.924270000	10.10.10.70	1037	10.10.10.10	4445
37.925236000	10.10.10.70	1037	10.10.10.10	4445
38.471172000	10.10.10.70	1037	10.10.10.10	4445
39.018031000	10.10.10.70	1037	10.10.10.10	4445
39.018689000	10.10.10.70	1037	10.10.10.10	4445
39.564910000	10.10.10.70	1037	10.10.10.10	4445
40.002407000	10.10.10.70	1037	10.10.10.10	4445
40.003062000	10.10.10.70	1037	10.10.10.10	4445
40.549287000	10.10.10.70	1037	10.10.10.10	4445
40.986795000	10.10.10.70	1037	10.10.10.10	4445
47.732517000	10.10.10.70	1038	10.10.10.10	4445
48.096126000	10.10.10.70	1038	10.10.10.10	4445
48.643028000	10.10.10.70	1038	10.10.10.10	4445
48.643685000	10.10.10.70	1038	10.10.10.10	4445
49.080522000	10.10.10.70	1038	10.10.10.10	4445
49.627402000	10.10.10.70	1038	10.10.10.10	4445
49.628045000	10.10.10.70	1038	10.10.10.10	4445
50.174260000	10.10.10.70	1038	10.10.10.10	4445
50.721124000	10.10.10.70	1038	10.10.10.10	4445
50.721794000	10.10.10.70	1038	10.10.10.10	4445
51.268007000	10.10.10.70	1038	10.10.10.10	4445
51.705524000	10.10.10.70	1038	10.10.10.10	4445
51.706172000	10.10.10.70	1038	10.10.10.10	4445
52.252400000	10.10.10.70	1038	10.10.10.10	4445
52.689887000	10.10.10.70	1038	10.10.10.10	4445
59.462957000	10.10.10.70	1039	10.10.10.10	4445
59.799260000	10.10.10.70	1039	10.10.10.10	4445
60.346159000	10.10.10.70	1039	10.10.10.10	4445
60.346789000	10.10.10.70	1039	10.10.10.10	4445
60.783661000	10.10.10.70	1039	10.10.10.10	4445
61.330528000	10.10.10.70	1039	10.10.10.10	4445
61.331197000	10.10.10.70	1039	10.10.10.10	4445
61.877383000	10.10.10.70	1039	10.10.10.10	4445
62.424279000	10.10.10.70	1039	10.10.10.10	4445
62.424907000	10.10.10.70	1039	10.10.10.10	4445
62.971152000	10.10.10.70	1039	10.10.10.10	4445
63.518033000	10.10.10.70	1039	10.10.10.10	4445
63.518696000	10.10.10.70	1039	10.10.10.10	4445
64.064902000	10.10.10.70	1039	10.10.10.10	4445
64.502399000	10.10.10.70	1039	10.10.10.10	4445
71.257992000	10.10.10.70	1040	10.10.10.10	4445
71.721121000	10.10.10.70	1040	10.10.10.10	4445
72.268020000	10.10.10.70	1040	10.10.10.10	4445
72.269203000	10.10.10.70	1040	10.10.10.10	4445
72.705513000	10.10.10.70	1040	10.10.10.10	4445
73.252354000	10.10.10.70	1040	10.10.10.10	4445
73.253234000	10.10.10.70	1040	10.10.10.10	4445
73.689887000	10.10.10.70	1040	10.10.10.10	4445
74.237248000	10.10.10.70	1040	10.10.10.10	4445
74.237406000	10.10.10.70	1040	10.10.10.10	4445
74.674266000	10.10.10.70	1040	10.10.10.10	4445
75.221155000	10.10.10.70	1040	10.10.10.10	4445
75.221770000	10.10.10.70	1040	10.10.10.10	4445
75.768009000	10.10.10.70	1040	10.10.10.10	4445
76.205487000	10.10.10.70	1040	10.10.10.10	4445
82.993986000	10.10.10.70	1041	10.10.10.10	4445
83.533640000	10.10.10.70	1041	10.10.10.10	4445
83.971132000	10.10.10.70	1041	10.10.10.10	4445
83.971783000	10.10.10.70	1041	10.10.10.10	4445
84.518004000	10.10.10.70	1041	10.10.10.10	4445
85.064858000	10.10.10.70	1041	10.10.10.10	4445
85.065523000	10.10.10.70	1041	10.10.10.10	4445
85.502380000	10.10.10.70	1041	10.10.10.10	4445
86.049253000	10.10.10.70	1041	10.10.10.10	4445
86.049894000	10.10.10.70	1041	10.10.10.10	4445
86.486740000	10.10.10.70	1041	10.10.10.10	4445
87.033625000	10.10.10.70	1041	10.10.10.10	4445
87.034258000	10.10.10.70	1041	10.10.10.10	4445
87.471121000	10.10.10.70	1041	10.10.10.10	4445
88.018010000	10.10.10.70	1041	10.10.10.10	4445
94.878166000	10.10.10.70	1042	10.10.10.10	4445
95.346120000	10.10.10.70	1042	10.10.10.10	4445
95.783618000	10.10.10.70	1042	10.10.10.10	4445
95.784286000	10.10.10.70	1042	10.10.10.10	4445
96.330494000	10.10.10.70	1042	10.10.10.10	4445
96.877352000	10.10.10.70	1042	10.10.10.10	4445
96.877994000	10.10.10.70	1042	10.10.10.10	4445
97.424240000	10.10.10.70	1042	10.10.10.10	4445
97.971093000	10.10.10.70	1042	10.10.10.10	4445
97.971767000	10.10.10.70	1042	10.10.10.10	4445
98.517996000	10.10.10.70	1042	10.10.10.10	4445
99.065247000	10.10.10.70	1042	10.10.10.10	4445
99.065511000	10.10.10.70	1042	10.10.10.10	4445
99.502362000	10.10.10.70	1042	10.10.10.10	4445
100.049240000	10.10.10.70	1042	10.10.10.10	4445
106.838688000	10.10.10.70	1043	10.10.10.10	4445
107.377358000	10.10.10.70	1043	10.10.10.10	4445
107.924210000	10.10.10.70	1043	10.10.10.10	4445
107.924872000	10.10.10.70	1043	10.10.10.10	4445
108.471111000	10.10.10.70	1043	10.10.10.10	4445
109.017960000	10.10.10.70	1043	10.10.10.10	4445
109.018627000	10.10.10.70	1043	10.10.10.10	4445
109.565184000	10.10.10.70	1043	10.10.10.10	4445
110.002354000	10.10.10.70	1043	10.10.10.10	4445
110.003011000	10.10.10.70	1043	10.10.10.10	4445
110.549238000	10.10.10.70	1043	10.10.10.10	4445
110.986727000	10.10.10.70	1043	10.10.10.10	4445
110.987385000	10.10.10.70	1043	10.10.10.10	4445
111.533578000	10.10.10.70	1043	10.10.10.10	4445
111.971102000	10.10.10.70	1043	10.10.10.10	4445
118.746261000	10.10.10.70	1044	10.10.10.10	4445
119.080451000	10.10.10.70	1044	10.10.10.10	4445
119.627342000	10.10.10.70	1044	10.10.10.10	4445
119.627991000	10.10.10.70	1044	10.10.10.10	4445
120.174220000	10.10.10.70	1044	10.10.10.10	4445
120.721071000	10.10.10.70	1044	10.10.10.10	4445
120.721729000	10.10.10.70	1044	10.10.10.10	4445
121.267963000	10.10.10.70	1044	10.10.10.10	4445
121.705443000	10.10.10.70	1044	10.10.10.10	4445
121.706096000	10.10.10.70	1044	10.10.10.10	4445
122.252337000	10.10.10.70	1044	10.10.10.10	4445
122.689815000	10.10.10.70	1044	10.10.10.10	4445
122.690468000	10.10.10.70	1044	10.10.10.10	4445
123.236717000	10.10.10.70	1044	10.10.10.10	4445
123.674199000	10.10.10.70	1044	10.10.10.10	4445

This info shows us that after the HTTP GET requests and responses, Vick's computer tried to connect to 10.10.10.10 at tcp port 4444 and after about 34 seconds, it repeatedly tries to connect to port 4445 at 10.10.10.10.

Let's also check the end time of the connection to the 4444 TCP port. We use a python script 'analyse_ts.py' for this. The script is included below:

leendert-pieter@lenovo:~/contest6$ python stream_ts.py evidence06.pcap 'tcp.port==4444'
============================================================
Connection: 10.10.10.70:1036 -> 10.10.10.10:4444
Connection established at: Apr 29, 2010 01:40:00.577135000. Relative timestamp: 1.3 (1.265851000)
Connection closed at: Apr 29, 2010 01:41:26.898764000. Relative timestamp: 87.6 (87.587480000)
============================================================


This indicates that the connection attempts to port 4445 are already started before the previous connection (to port 4444) is closed.

It's time to look at the data that is exchanged in the session to port 4444. First save all packets belonging to the session into a new file (and create a MD5 of it):

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -R 'tcp.port==4444' -w tcpsession4444.pcap
leendert-pieter@lenovo:~/contest6$ md5sum tcpsession4444.pcap 
8a6b9248656bd1d546b3baf32e064b16  tcpsession4444.pcap

Next, see whether tcpxtract recognizes something:

leendert-pieter@lenovo:~/contest6$ tcpxtract -f tcpsession4444.pcap 
leendert-pieter@lenovo:~/contest6$ 

Nope. Let's have a closer look at the contents:

leendert-pieter@lenovo:~/contest6$ tcpflow -r tcpsession4444.pcap
leendert-pieter@lenovo:~/contest6$ md5sum 010*
3b7f836dd107cf58c8aa94ff8b5720f6  010.010.010.010.04444-010.010.010.070.01036
490b1a399fdf7bd66cbe11e507a9d686  010.010.010.070.01036-010.010.010.010.04444

tcpflow extracts the data (removing ethernet, IP and TCP headers) and saves both directions of the conversation in separate files. Let's look at the data flowing from 10.10.10.10:4444 towards Vick's computer: 

leendert-pieter@lenovo:~/contest6$ xxd 010.010.010.010.04444-010.010.010.070.01036 | more
0000000: 006a 0b00 4d5a e800 0000 005b 5245 5589  .j..MZ.....[REU.
0000010: e581 c3cb 1100 00ff d389 c357 6804 0000  ...........Wh...
0000020: 0050 ffd0 68f0 b5a2 5668 0500 0000 50ff  .P..h...Vh....P.
0000030: d300 0000 0000 0000 0000 0000 0000 0000  ................
0000040: d800 0000 0e1f ba0e 00b4 09cd 21b8 014c  ............!..L
0000050: cd21 5468 6973 2070 726f 6772 616d 2063  .!This program c
0000060: 616e 6e6f 7420 6265 2072 756e 2069 6e20  annot be run in 
0000070: 444f 5320 6d6f 6465 2e0d 0d0a 2400 0000  DOS mode....$...
0000080: 0000 0000 8ae2 9dd8 ce83 f38b ce83 f38b  ................
0000090: ce83 f38b c7fb 778b e483 f38b c7fb 668b  ......w.......f.
00000a0: d283 f38b ce83 f28b 6683 f38b e945 888b  ........f....E..
00000b0: c583 f38b c7fb 708b 3182 f38b c7fb 618b  ......p.1.....a.
00000c0: cf83 f38b c7fb 628b cf83 f38b 5269 6368  ......b.....Rich
00000d0: ce83 f38b 0000 0000 0000 0000 5045 0000  ............PE..
00000e0: 4c01 0400 03bf b64b 0000 0000 0000 0000  L......K........
... data removed for clarity ...

That looks like a Dos header at byte offset 4! Next we use pextract on the pcap file. It should be able to extract the Windows executable. pextract is a tool I wrote to extract PE files from pcap files or wire. It accepts BPF filters and as an extra also tries to find executables that are XOR 'encrypted', or better phrased, obfuscated.

leendert-pieter@lenovo:~/contest6$ ./pextract -f tcpsession4444.pcap 
pextract: reading from tcpsession4444.pcap [tcp]
Connection: 10.10.10.70:1036-10.10.10.10:4444
Saving MS exectuable as 10.10.10.70:1036-10.10.10.10:4444.0._exe (0 used as xor key)

"0 used as XOR key" means that the file wasn't 'encrypted', although we already knew that. Of course, we calculate its MD5 hash:

leendert-pieter@lenovo:~/contest6$ md5sum 10.10.10.70\:1036-10.10.10.10\:4444.0._exe 
b062cb8344cd3e296d8868fbef289c7c  10.10.10.70:1036-10.10.10.10:4444.0._exe

Check the file type:

leendert-pieter@lenovo:~/contest6$ file 10.10.10.70\:1036-10.10.10.10\:4444.0._exe 
10.10.10.70:1036-10.10.10.10:4444.0._exe: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

And display its file size:

leendert-pieter@lenovo:~/contest6$ ls -l 10.10.10.70\:1036-10.10.10.10\:4444.0._exe 
-rw-r--r-- 1 leendert-pieter leendert-pieter 748032 2010-06-23 11:56 10.10.10.70:1036-10.10.10.10:4444.0._exe

So, clearly this is a Windows executable, with a file size of 748032 bytes.

But wait. The total size of the webserver to Vick's computer conversation is much larger:

leendert-pieter@lenovo:~/contest6$ ls -l 010.010.010.010.04444-010.010.010.070.01036 
-rw-r--r-- 1 leendert-pieter leendert-pieter 1239098 2010-06-23 11:48 010.010.010.010.04444-010.010.010.070.01036

Maybe, the first 4 bytes of the conversation indicate the size of the file: 006a 0b00

leendert-pieter@lenovo:~/contest6$ printf '%d\n' 0x006a0b00
6949632

No. Maybe we must reverse the byte ordening:

leendert-pieter@lenovo:~/contest6$ printf '%d\n' 0x000b6a00
748032

Yes! Now, let's look at the data at offset 748032 (filesize) + 4 (size marker):

leendert-pieter@lenovo:~/contest6$ xxd -s 748036 010.010.010.010.04444-010.010.010.070.01036 | more
00b6a04: 1603 0000 4a02 0000 4603 004b d948 22e9  ....J...F..K.H".
00b6a14: 09d0 ccd2 afad bca5 8a75 0f94 aa1f 5aac  .........u....Z.
00b6a24: fc2b f6a9 c188 9d30 59a4 9a20 1fc8 ef9e  .+.....0Y.. ....
00b6a34: 25ca 155c ae58 3f50 353c 83d4 7167 54d5  %..\.X?P5<..qgT.
00b6a44: 7ef9 4ee6 90d3 5711 6800 484e 0039 0016  ~.N...W.h.HN.9..
00b6a54: 0300 033d 0b00 0339 0003 3600 0333 3082  ...=...9..6..30.
00b6a64: 032f 3082 0298 a003 0201 0202 0463 c8b6  ./0..........c..
00b6a74: 1630 0d06 092a 8648 86f7 0d01 0105 0500  .0...*.H........
00b6a84: 306c 310b 3009 0603 5504 0613 0255 5331  0l1.0...U....US1
00b6a94: 0b30 0906 0355 0408 0c02 4b53 3118 3016  .0...U....KS1.0.
00b6aa4: 0603 5504 070c 0f55 6a51 6953 6a50 4d55  ..U....UjQiSjPMU
00b6ab4: 4f4e 474c 4744 311f 301d 0603 5504 0a0c  ONGLGD1.0...U...
00b6ac4: 1669 4f61 4872 4171 4770 784e 5345 6f71  .iOaHrAqGpxNSEoq
00b6ad4: 627a 7054 6254 4d31 1530 1306 0355 0403  bzpTbTM1.0...U..
00b6ae4: 0c0c 446a 6a62 424f 5645 4261 5575 301e  ..DjjbBOVEBaUu0.
00b6af4: 170d 3130 3034 3134 3131 3234 3432 5a17  ..100414112442Z.
00b6b04: 0d31 3030 3531 3431 3834 3435 395a 305e  .100514184459Z0^
00b6b14: 310b 3009 0603 5504 0613 0255 5331 0b30  1.0...U....US1.0
00b6b24: 0906 0355 0408 0c02 414b 3113 3011 0603  ...U....AK1.0...
... bytes left out for clarity ...

It seems that this part is somehow encrypted or obfuscated. To get to know how to interpret this data, we need to analyse (i.e. reverse engineer) the shellcode or executable that was sent by the webserver to Vick's computer. As this is a network forensics exercise, we decide not to do that. Of course, another logical thing to do is to check whether the executable that was downloaded is known in the anti-virus community (but also this is out of scope for this exercise).



Next, let's focus on the connection attemps to port 4445. First, we determine how many connection attemps are availiable in the pcap file:

leendert-pieter@lenovo:~/contest6$ tshark -r evidence06.pcap -n -R "tcp.dstport == 4445 and tcp.flags==2" | wc -l
120

Then, let's find out about used intial sequence numbers. These should in normal circumstances be chosen randomly for each new connection attempt. We use python script analyse_syn_packets.py to determine this. analyse_syn_packets.py (included below) tries to find how often a certain field in the output of tshark changes:

leendert-pieter@lenovo:~/contest6$ python analyse_syn_packets.py evidence06.pcap 10.10.10.10 4445 tcp.seq
Found 120 packet(s) that match the supplied parameters
tcp.seq changes every 3 packet(s).

This is abnormal. More proof of malicious behaviour. Let's check the IP ID:

leendert-pieter@lenovo:~/contest6$ python analyse_syn_packets.py evidence06.pcap 10.10.10.10 4445 ip.id
Found 120 packet(s) that match the supplied parameters
ip.id changes every 1 packet(s).

No surprises here. Finally, let's check the source port:

leendert-pieter@lenovo:~/contest6$ python analyse_syn_packets.py evidence06.pcap 10.10.10.10 4445 tcp.srcport
Found 120 packet(s) that match the supplied parameters
tcp.srcport changes every 15 packet(s).
tcp.srcport changes every 12 second(s).

Abnormal. Usually, source port numbers change with each connection attempt.

It is obvious that the repeated connection attempts to 10.10.10.10 at port 4445 are not part of normal behaviour.



Let's check whether a connection was established to port 4445. We use stream_ts.py for this:

leendert-pieter@lenovo:~/contest6$ python stream_ts.py evidence06.pcap 'tcp.port==4445'
============================================================
Connection: 10.10.10.70:1044 -> 10.10.10.10:4445
Connection established at: Apr 29, 2010 01:42:02.985483000. Relative timestamp: 123.7 (123.674199000)
Connection closed at: Apr 29, 2010 01:43:17.753022000. Relative timestamp: 198.4 (198.441738000)
============================================================


This shows us that a connection was established on port 4445. Let's see if we can determine what kind of data is exchanged at port 4445:

leendert-pieter@lenovo:~/contest6$ ./pextract -f evidence06.pcap "port 4445"
pextract: reading from evidence06.pcap [port 4445]
Connection: 10.10.10.70:1044-10.10.10.10:4445
Saving MS exectuable as 10.10.10.70:1044-10.10.10.10:4445.0._exe (0 used as xor key)

leendert-pieter@lenovo:~/contest6$ md5sum 10.10.10.70\:1044-10.10.10.10\:4445.0._exe 
b062cb8344cd3e296d8868fbef289c7c  10.10.10.70:1044-10.10.10.10:4445.0._exe

That's the same executable Vick's computer received from the webserver at 10.10.10.10 through port 4444. 




This gives the following timeline:
- [T=0.0] Our victim Vick was pursuated to open this malicious link http://10.10.10.10:8080/index.php
- [T=0.3] The webserver responded by sending back obfuscated java script, which was executed in our Vick's browser, resulting in
- [T=0.5] The browser obtaining a 1x1 pixel gif picture.
- [T=1.3] These actions seem to successfully exploit a vulnerability in Vick's browser as we consequently see a lot of data flowing between Vick's PC and 10.10.10.10 using a newly created TCP session (using port 4444) including a Windows executable, but also other encrypted/obfuscated data.
- [T=35.9] After ~34 seconds, Vick's PC continuously tries to connect to the webserver at port 4445.
- [T=87.6] Connection between Vick's PC and webserver at port 4444 is closed.
- [T=123.7] A connection is established from Vick's PC to 10.10.10.10 at port 4445. No further connection attempts are made. A PE executable (identical to the one from port 4444) but also other (obfucated/encrypted) data is exchanged.
- [T=198.4] Connection between Vick's PC and 10.10.10.10 at port 4445 is closed.