Salaheldin

June 21, 2019

Cyber Quests Spring 2019 | write-up [2]

US Cyber Challenge

CTF Writeup

🕴️ Website : https://uscc.cyberquests.org/

This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.

Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).

Some questions refer to files contained within this ZIP file: 🔗 Spring 2019 Cyber Quest Resources.

The following questions refer to 🔗 attack.pcap :

2️⃣2️⃣ Analyze the 🔗 attack.pcap file. What is most likely occurring?

  • An SMB brute force attack
  • An SSH brute force attack
  • An SSH Man-in-the-Middle attack
  • An SMB Replay attack

✅ Answer:

01) Let's begin by understanding each attack:

In general, a brute-force attack is an attempt to crack a password or username, find a hidden web page, or find the key used to encrypt a message, using a trial-and-error approach in the hope of eventually guessing correctly.

  • An SMB brute force attack
    Server Message Block (SMB) is the Internet standard protocol Windows uses to share files, printers, and serial ports. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what's described as a client server, request-response protocol.

  • An SSH brute force attack
    Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

  • An SSH Man-in-the-Middle attack
    A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

  • An SMB Replay attack (described below as an SMB Relay attack)
    An SMB Relay attack is a type of attack which relies on NTLM Version 2 authentication. It's a man-in-the-middle attack in which a malicious user on the local network poisons network traffic to trick the target machine/user into thinking that the attacker is the authentication server.

02) Open the attack.pcap file in Wireshark:

cyberquest-22b-img-1.jpg

03) Look over the sequence of packets exchanged between source and destination in the Wireshark capture.
The attacker (10.1.1.165) port-scans the victim (10.1.1.133):

  • Closed ports:
    The source sends a SYN packet to a specific port; if the port is closed, the destination replies with an RST packet. This is how the scan identifies closed ports.
cyberquest-22b-img-2.jpg

  • Open ports:
    • The source sends SYN packets to the destination
    • The destination sends SYN, ACK packets to the source (a SYN, ACK indicates the port is listening, i.e. open)
    • The source sends RST packets to the destination (tearing the half-open connection down instead of completing the handshake)
cyberquest-22b-img-3.jpg


The attacker found port 445 is open.

cyberquest-22b-img-4.jpg

According to Microsoft, port 445 is the microsoft-ds (NetBIOS helper) port; it is also used by SMB Fax Service, SMB Print Spooler, SMB Server, SMB Remote Procedure Call Locator, SMB Distributed File System and SMB Net Logon.

04) Using the filter smb2, we can see the brute-force attempts performed by the attacker:

cyberquest-22b-img-5.jpg

The attacker tried the user KgHZQMzV but received a logon failure (STATUS_LOGON_FAILURE).

After that, we can see that the user larry was attempted, but a logon failure (STATUS_LOGON_FAILURE) occurred as well.

cyberquest-22b-img-6.jpg

But the attacker continued the brute-force attempts until he got in, then tried different locations (shares) on the same host: Tree: \\10.1.1.133\admin$ and Tree: \\10.1.1.133\IPC$, which failed with ERROR (STATUS_ACCESS_DENIED).

cyberquest-22b-img-7.jpg

Then he tried a different domain, Domain: oqdwzfFX:

cyberquest-22b-img-9.jpg

until he gained access with Domain: LARRY-PC:

cyberquest-22b-img-10.jpg

Attack type > An SMB brute force attack
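The pattern above (a run of STATUS_LOGON_FAILURE responses from one client, then a STATUS_SUCCESS for an account that was tried before) is what a defender would alert on. The following Python is an added example, not part of the original write-up: instead of dissecting SMB2 from the pcap it runs over a constructed list of Session Setup outcomes modelled on what the write-up observed (the frame numbers, the pairing of users with domains, and the extra normal login from 10.1.1.50 are all made up for the sample).

```python
"""Flag an SMB2 Session Setup brute force from a sequence of authentication results.

Added example for this write-up (not part of the original post). The records are
constructed to resemble what the write-up saw in attack.pcap: repeated
STATUS_LOGON_FAILURE for a random and a real username from 10.1.1.165, then a
success for larry on LARRY-PC. Frame numbers and user/domain pairings are invented.
"""
from collections import defaultdict

STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D   # NT status code Wireshark labels STATUS_LOGON_FAILURE

# Constructed records: (frame number, client IP, account, domain, NT status)
SESSION_SETUPS = [
    (105, "10.1.1.165", "KgHZQMzV", "oqdwzfFX", STATUS_LOGON_FAILURE),
    (131, "10.1.1.165", "larry", "oqdwzfFX", STATUS_LOGON_FAILURE),
    (158, "10.1.1.165", "larry", "oqdwzfFX", STATUS_LOGON_FAILURE),
    (190, "10.1.1.165", "larry", "LARRY-PC", STATUS_LOGON_FAILURE),
    (212, "10.1.1.165", "larry", "LARRY-PC", STATUS_LOGON_FAILURE),
    (240, "10.1.1.165", "larry", "LARRY-PC", STATUS_SUCCESS),
    (300, "10.1.1.50", "sarah", "LARRY-PC", STATUS_SUCCESS),   # one normal login: must not alert
]


def detect_smb_bruteforce(records, threshold=3):
    """Return one finding per client IP that produced at least `threshold` logon failures.

    A finding lists the accounts and domains tried and, if a STATUS_SUCCESS follows the
    failures, the (frame, account, domain) that finally worked, i.e. the credential
    most likely compromised and the one to reset first.
    """
    per_client = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                      "domains": set(), "success": None})
    for frame, client, account, domain, status in sorted(records):
        state = per_client[client]
        if status == STATUS_LOGON_FAILURE:
            state["failures"] += 1
            state["accounts"].add(account)
            state["domains"].add(domain)
        elif (status == STATUS_SUCCESS and state["failures"] >= threshold
              and state["success"] is None):
            state["success"] = (frame, account, domain)
    return {client: state for client, state in per_client.items()
            if state["failures"] >= threshold}


if __name__ == "__main__":
    for client, finding in detect_smb_bruteforce(SESSION_SETUPS).items():
        print(f"{client}: {finding['failures']} failures, accounts {sorted(finding['accounts'])}, "
              f"domains {sorted(finding['domains'])}, first success {finding['success']}")
```

The threshold is deliberately low because SMB logon failures from a single client in quick succession are rare in normal traffic; in production the same logic would be keyed on a time window rather than on the whole capture.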

References:
https://www.1337pwn.com/how-to-detect-nmap-smb-brute-force-attack-using-wireshark/
https://intrinium.com/smb-relay-attack-tutorial/
https://www.youtube.com/watch?v=ctLVMi1_zBc
https://www.hackingarticles.in/understanding-nmap-scan-wireshark/


2️⃣3️⃣ Whose account is being targeted in the aforementioned attack?

  • Larry
  • John
  • Michael
  • Sarah

✅ Answer:

From the previous answer we know the account targeted is > Larry


2️⃣4️⃣ According to the traffic in 🔗 attack.pcap , which ports are open on 10.1.1.133?

  • 135, 139, 443, 2103, 5360
  • 21, 22, 53, 139, 2103
  • 135, 139, 445, 2103, 5357
  • 21, 22, 53, 80, 445

✅ Answer:

01) Open the attack.pcap file in Wireshark.

02) As we learned from Q22, the destination sends SYN, ACK packets to the source, which indicates the port is listening (open).

So we need to filter our packets based on this; we will use the following filter in Wireshark:

(tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133

tcp.flags==0x12 looks for SYN/ACK packets (you could also use tcp.flags.syn==1 and tcp.flags.ack==1).

The trick is using not tcp.analysis.initial_rtt, because that checks if Wireshark calculated the initial round trip time for the conversation - and that's something it only does if the handshake is complete. So if the field is missing, and the SYN/ACK was seen, you have a half open connection (assuming the SYN is there).

And of course ip.src==10.1.1.133 restricts the results to packets sent by this host.

cyberquest-24-img-1.jpg

For a better view, go to the upper menu, select Statistics > Conversations, and tick "Limit to display filter" so only the packets matching the filter we applied are counted.

cyberquest-24-img-2.jpg

cyberquest-24-img-3.jpg

So the open ports on host 10.1.1.133, from the options above, are > 135, 139, 445, 2103, 5357
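Both the scan reading in Q22 (SYN then RST means closed; SYN, SYN/ACK, then RST means an open port probed half-open) and the Q24 filter (a SYN/ACK from the host with no completed handshake, which is what not tcp.analysis.initial_rtt expresses) can be reproduced without Wireshark. The Python below is an added example, not code from the original write-up: it contains a minimal libpcap/Ethernet/IPv4/TCP parser and applies both rules. The attacker and victim addresses are the write-up's; every packet in the sample capture is constructed, including which ports answer as open, so the output matches the write-up by construction, not because it read attack.pcap.

```python
"""Read a SYN scan out of a libpcap capture (added example, not from the original write-up).

Re-creates the Q22 reasoning (SYN -> RST closed, SYN -> SYN/ACK -> RST open, half-open
probe) and the Q24 Wireshark filter
  (tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133
with a minimal pcap/Ethernet/IPv4/TCP parser. Addresses come from the write-up; every
packet, and the choice of which ports are open, is constructed for the sample.
"""
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10
SCANNER, TARGET = "10.1.1.165", "10.1.1.133"


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP headers only (constructed; checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, tcp_flags) for each TCP-over-IPv4 frame in a pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4 / not TCP
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4                 # Ethernet + IHL*4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        yield src, dst, sport, dport, frame[tcp + 13]


def classify_scan(pcap, scanner, target):
    """Q22 reading: per probed port, decide open/closed from the reply the target gave."""
    events = defaultdict(list)
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if (src, dst) == (scanner, target):
            events[dport].append("SYN" if flags & SYN else "RST" if flags & RST else "ACK")
        elif (src, dst) == (target, scanner):
            events[sport].append("SYN/ACK" if flags & SYN and flags & ACK
                                 else "RST" if flags & RST else "ACK")
    verdict = {}
    for port, seq in events.items():
        if seq[:2] == ["SYN", "SYN/ACK"]:
            verdict[port] = "open/half-open" if "RST" in seq[2:] else "open/connected"
        elif seq[:2] == ["SYN", "RST"]:
            verdict[port] = "closed"
        else:
            verdict[port] = "no response"
    return verdict


def syn_acks_without_handshake(pcap, host):
    """Q24 filter in code: SYN/ACKs sent by host whose client never sent the final ACK.

    Wireshark fills tcp.analysis.initial_rtt only once the third handshake packet is
    seen, so 'SYN/ACK present, initial_rtt absent' means a half-open connection.
    """
    syn_acked, completed = set(), set()
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if src == host and (flags & (SYN | ACK)) == (SYN | ACK):
            syn_acked.add((dst, dport, sport))            # (peer, peer port, host port)
        elif dst == host and flags & ACK and not flags & (SYN | RST):
            completed.add((src, sport, dport))
    return sorted({conv[2] for conv in syn_acked - completed})


def sample_capture():
    """Constructed capture: 80 and 22 answer RST (closed); 135/139/445/2103/5357 answer
    SYN/ACK and get a RST back (open, half-open probe); unrelated host 10.1.1.50
    completes a real three-way handshake to 445, which the Q24 rule must exclude."""
    frames = []
    for i, port in enumerate([80, 22, 135, 139, 445, 2103, 5357]):
        sport = 40000 + i
        frames.append(build_frame(SCANNER, TARGET, sport, port, SYN))
        if port in (80, 22):
            frames.append(build_frame(TARGET, SCANNER, port, sport, RST | ACK))
        else:
            frames.append(build_frame(TARGET, SCANNER, port, sport, SYN | ACK))
            frames.append(build_frame(SCANNER, TARGET, sport, port, RST))
    frames += [build_frame("10.1.1.50", TARGET, 50000, 445, SYN),
               build_frame(TARGET, "10.1.1.50", 445, 50000, SYN | ACK),
               build_frame("10.1.1.50", TARGET, 50000, 445, ACK)]
    return build_pcap(frames)


if __name__ == "__main__":
    cap = sample_capture()
    for port, state in sorted(classify_scan(cap, SCANNER, TARGET).items()):
        print(f"port {port:>5}: {state}")
    print("half-open SYN/ACKs from", TARGET, "->", syn_acks_without_handshake(cap, TARGET))
```

To run it on a real capture, replace sample_capture() with the bytes of the file (open(path, "rb").read()); the parser handles classic libpcap files with Ethernet framing, not pcapng, which Wireshark writes by default unless told otherwise.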

References:
https://www.youtube.com/watch?v=Zi1aaEJg5YI
https://osqa-ask.wireshark.org/questions/60995/how-do-i-filter-tcp-connection-with-syn-and-syn-ack-without-ack-response


2️⃣5️⃣ Continue to analyze 🔗 attack.pcap . Who is the author of the exfiltrated file?

  • Michael
  • Sarah
  • John
  • Larry

✅ Answer:

If you examine the packets, you will find the attacker downloaded this file: larry\Documents\files\file.jpg

cyberquest-25-img-1.jpg

To extract the file:

  • Select this packet by clicking on it.
  • Go to the upper menu and select File > Export Objects > SMB...
cyberquest-25-img-2.jpg

  • Select the file, then click Save.
cyberquest-25-img-3.jpg

Nice photo :)

cyberquest-25-img-4.jpg

Now let's open the file with exiftool to examine the metadata:

Note: ExifTool does not need to be installed to run. Just download and extract either the full Perl distribution on Mac/Linux, or the Windows EXE version on Windows, and run it directly.

Open a terminal and run the following command after changing /path/to/file.jpg to where you saved the file:

exiftool /path/to/file.jpg > data.txt

data.txt is where the metadata will be saved; you can also run the command without redirecting the output to a file.

ExifTool Version Number         : 11.30
File Name                       : file.jpg
Directory                       : .
File Size                       : 41 kB
File Modification Date/Time     : 2019:06:22 21:31:01+03:00
File Access Date/Time           : 2019:06:22 21:43:43+03:00
File Inode Change Date/Time     : 2019:06:22 21:41:54+03:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
DCT Encode Version              : 100
APP14 Flags 0                   : (none)
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Exif Byte Order                 : Big-endian (Motorola, MM)
Artist                          : Sarah
Date/Time Original              : 2018:05:29 10:46:42
Create Date                     : 2018:05:29 10:46:42
Sub Sec Time Original           : 46
Sub Sec Time Digitized          : 46
XP Title                        : New York City skyline
XP Author                       : Sarah
Padding                         : (Binary data 2108 bytes, use -b option to extract)
Quality                         : 60%
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Creator                         : Sarah
Rating                          : 5
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Rating Percent                  : 99
Title                           : New York City skyline
Description                     : New York City skyline
Image Width                     : 580
Image Height                    : 387
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 580x387
Megapixels                      : 0.224
Create Date                     : 2018:05:29 10:46:42.46
Date/Time Original              : 2018:05:29 10:46:42.46

The file author is > Sarah
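The "Artist", "XP Author" and "XP Title" lines in the exiftool output above are IFD0 tags inside the JPEG's APP1 Exif segment (the "Creator", "Title" and "Description" lines come from the embedded XMP packet, which exiftool also reads). The Python below is an added example, not code from the original write-up or from ExifTool: it locates the Exif segment, walks IFD0 and decodes those string tags, and it builds a constructed minimal JPEG carrying the values the write-up found so it runs offline. XMP and numeric tag types are out of scope for it.

```python
"""Pull author/title fields out of a JPEG's Exif segment (added example, not from the write-up).

exiftool's "Artist" and "XP Author"/"XP Title" lines come from IFD0 tags in the APP1 Exif
segment; this reads them directly. XMP (Creator, Title, Description) is not parsed here.
The sample JPEG is constructed with the values the write-up found in file.jpg.
"""
import struct

TAG_NAMES = {0x010E: "ImageDescription", 0x013B: "Artist", 0x9C9B: "XPTitle",
             0x9C9C: "XPComment", 0x9C9D: "XPAuthor", 0x9C9E: "XPKeywords", 0x9C9F: "XPSubject"}
XP_TAGS = {0x9C9B, 0x9C9C, 0x9C9D, 0x9C9E, 0x9C9F}      # Windows stores these as UTF-16LE bytes
TYPE_SIZE = {1: 1, 2: 1, 7: 1}                            # BYTE, ASCII, UNDEFINED (all we need)


def parse_tiff(tiff):
    """Walk IFD0 of a TIFF-structured Exif block and return {tag name: string value}."""
    e = "<" if tiff[:2] == b"II" else ">"                 # byte order from the TIFF header
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(e + "HHI", entry[:8])
        size = n * TYPE_SIZE.get(typ, 0)
        if size == 0:
            continue                                      # numeric types skipped for brevity
        if size <= 4:                                     # value stored inline in the entry
            raw = entry[8:8 + size]
        else:                                             # value stored at an offset
            off = struct.unpack(e + "I", entry[8:12])[0]
            raw = tiff[off:off + size]
        if tag in XP_TAGS:
            tags[TAG_NAMES[tag]] = raw.decode("utf-16-le", "replace").rstrip("\x00")
        elif typ == 2:
            tags[TAG_NAMES.get(tag, hex(tag))] = raw.decode("ascii", "replace").rstrip("\x00")
    return tags


def read_exif_tags(jpeg):
    """Find the APP1 'Exif' segment in a JPEG and parse its IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker in (b"\xff\xd9", b"\xff\xda"):          # EOI or start of scan: no more metadata
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == b"\xff\xe1" and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return {}


def build_exif_jpeg(artist, xp_author, xp_title):
    """Constructed minimal JPEG: SOI, one big-endian Exif APP1 segment with IFD0, EOI."""
    entries = [(0x013B, 2, artist.encode("ascii") + b"\x00"),
               (0x9C9B, 1, xp_title.encode("utf-16-le") + b"\x00\x00"),
               (0x9C9D, 1, xp_author.encode("utf-16-le") + b"\x00\x00")]
    data_off = 8 + 2 + 12 * len(entries) + 4              # first byte after the IFD
    ifd, blob = b"", b""
    for tag, typ, val in entries:
        if len(val) <= 4:
            ifd += struct.pack(">HHI4s", tag, typ, len(val), val.ljust(4, b"\x00"))
        else:
            ifd += struct.pack(">HHII", tag, typ, len(val), data_off + len(blob))
            blob += val
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, len(entries)) + ifd + b"\x00" * 4 + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_exif_jpeg("Sarah", "Sarah", "New York City skyline")
    for name, value in read_exif_tags(sample).items():
        print(f"{name:<16}: {value}")
```

Point read_exif_tags at the bytes of the extracted file.jpg to compare with the exiftool listing; the inline-versus-offset distinction at 4 bytes is the detail most hand-written Exif readers get wrong, and it is why short values such as a 3-character artist name parse differently from longer ones.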

References:
https://www.youtube.com/watch?v=1rc88RyvCnE
https://www.sno.phy.queensu.ca/~phil/exiftool/install.html


2️⃣6️⃣ What is the title of the exfiltrated file?

  • San Francisco Golden Gate Bridge
  • New York City skyline
  • Chicago Cloud Gate
  • Boston Fenway Park

✅ Answer:

From extracted metadata the file title is > New York City skyline