After finding the suspicious artifact, we move on to Task 2. Unfortuately I do not feel like this task was well designed, but I’ll leave my rant to the end.
Task 2 - The hunt continues - (Network Forensics)
Description
With your help, the team concludes that there was clearly a sophisticated piece of malware installed on that endpoint that was generating some network traffic. Fortunately, DAFIN-SOC also has an IDS which retained the recent network traffic in this segment.
DAFIN-SOC has provided a PCAP to analyze. Thoroughly evaluate the PCAP to identify potential malicious activity.
Downloads:
- PCAP to analyze (traffic.pcap)
Prompt:
- Submit all the IP addresses that are assigned to the malicious device, one per line
We’re given quite a large PCAP file to analyze. There are 2344 packets total, with quite a bit of protocols.
Most of the traffic is noise, but there are some interesting tidbits, such as FTP traffic being used to transfer files including 3 router configuration files and an RFC, some DNS traffic, an SSH session, and a weird TCP session that sends an RSA public key.
There are a lot of ways to begin approaching this, but my main breakthrough happened after finding the 3 router configs. They felt really suspicious to me, especially combined with the fact that we were meant to submit IP addresses assigned to a malicious device, something that these router configs would definitely have.
Here are the 3 configs:
config interface 'loopback' option device 'lo' option proto 'static' option ipaddr '127.1.7.1' option netmask '255.0.0.0'
config globals 'globals' option ula_prefix 'fd10:95e0:f1b::/48' option packet_steering '1'
config device option name 'br-lan' option type 'bridge' list ports 'eth0'
config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.1.254' option netmask '255.255.255.0' option ip6assign '60'
config interface 'to_devnet' option proto 'static' option device 'eth1' option ipaddr '192.168.4.1' option netmask '255.255.255.240'
config route option interface 'lan' option target '192.168.1.0/24' option gateway '192.168.1.254'
config route 'to_lan2' option target '0.0.0.0/0' option gateway '192.168.4.2' option interface 'to_devnet'config interface 'loopback' option device 'lo' option proto 'static' option ipaddr '127.0.8.2' option netmask '255.0.0.0'
config globals 'globals' option ula_prefix 'fd45:7f60:3ad5::/48' option packet_steering '1'
config device option name 'br-lan' option type 'bridge' list ports 'eth0'
config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.2.254' option netmask '255.255.255.0'
config interface 'wan' option device 'eth1' option proto 'dhcp'
config interface 'to_devnet' option proto 'static' option device 'eth1' list ipaddr '172.16.1.254/24'
config interface 'to_lan1' option proto 'static' option device 'eth2' list ipaddr '192.168.4.2/28'
config interface 'to_lan3' option proto 'static' option device 'eth3' list ipaddr '192.168.5.2/28'
config interface 'to_host_nat' option proto 'dhcp' option device 'eth4'
config route 'route_to_devnet' option interface 'to_devnet' option target '172.16.1.0/24' option gateway '172.16.1.254'
config route option interface 'lan' option target '192.168.2.0/24' option gateway '192.168.2.254'
config route 'route_to_lan1' option target '192.168.1.0/24' option gateway '192.168.4.1' option interface 'to_lan1'
config route option target '192.168.3.0/24' option gateway '192.168.5.1' option interface 'to_lan3'config interface 'loopback' option device 'lo' option proto 'static' option ipaddr '127.4.1.3' option netmask '255.0.0.0'
config globals 'globals' option ula_prefix 'fdf2:87c7:eb73::/48' option packet_steering '1'
config device option name 'br-lan' option type 'bridge' list ports 'eth0'
config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.3.254' option netmask '255.255.255.0' option ip6assign '60'
config interface 'to_openwrt2' option device 'eth1' option proto 'static' list ipaddr '192.168.5.1/28'
config interface 'host_nat' option proto 'dhcp' option device 'eth2'
config route option target '192.168.3.0/24' option gateway '192.168.3.254' option interface 'lan'
config route option target '0.0.0.0/0' option gateway '192.168.5.2' option interface 'to_openwrt2'After filtering for only packets related to 192.168.[1,2,3].254, one thing I noticed was that they all have DNS requests to archive.ubuntu.com.
The response from the third router, 192.168.3.254, is suspicious, as it returns 203.0.113.108 as the query response, unlike the other two routers which return legitimate Ubuntu archive IPs. This IP address is in the TEST-NET-3 range, which is reserved for documentation and examples, meaning it is highly likely that this third router is the malicious device we are looking for.
Going back to the router configs, we can see that router 3 has these three configuration blocks, one for loopback, one for LAN, and one for to_openwrt2.
config interface 'loopback' option device 'lo' option proto 'static' option ipaddr '127.4.1.3' option netmask '255.0.0.0'
config interface 'lan' option device 'br-lan' option proto 'static' option ipaddr '192.168.3.254' option netmask '255.255.255.0' option ip6assign '60'
config interface 'to_openwrt2' option device 'eth1' option proto 'static' list ipaddr '192.168.5.1/28'Together, we get the following IP addresses assigned to this device:
127.4.1.3192.168.3.254192.168.5.1
Which we can submit as our final answer.