
Tips for an Information Security Analyst/Pentester career - Ep. 63- Security Onion and IoC's

If you want to play with IDS/IPS and practice forensic analysis, you can use a very interesting Linux distro called Security Onion.

DISCLAIMER: I'm hereby analyzing case studies excerpted from Principles of Incident Response & Disaster Recovery by Michael E. Whitman, Herbert J. Mattord and Andrew Green, the textbook for my Disaster Recovery & Incident Planning class in college.



Case a)

We analyze a capture file available at http://old.honeynet.org/scans/scan19.tar.gz.

As I explained previously, Honeynet is a very popular honeypot project.

We decompress the archive and open the Sguil interface.

Then we run the sudo tcpreplay -i eth0 -t newdat3.log command to replay the packets contained in the log file onto the sniffing interface, so that Security Onion's sensors can analyze them.

In Sguil, we're interested in one specific packet only: a buffer overflow attack against the FTP server.
By right-clicking it and choosing Transcript, we can see all the archived network data for that session.

The transcript shows that the attacker performed a buffer overflow attack that gave them escalated privileges, listed the contents of several directories, created new ones, deleted the password for the nobody user and created a new user called dns.
The attacker also listed the contents of the /etc/passwd file.
So we can tell the system was definitely compromised, and we have clear indications of what to do in terms of incident response.
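The conclusion above comes from reading the transcript by eye. The following script is an added example, not code from the post, from Sguil or from Security Onion: it applies the same reasoning to a transcript automatically, flagging an oversized FTP argument (the shape of an overflow attempt) followed by shell activity on the control channel (recon commands, account changes). The transcript it runs on is constructed, not the scan19 capture, and it assumes Sguil's transcript layout of client lines prefixed "SRC: " and server lines prefixed "DST: "; the 255-byte threshold is also an assumption.

```python
"""Triage an FTP control-channel transcript for indicators of compromise.

Added example; not code from the post, from Sguil or from Security Onion.
The transcript below is constructed, not the scan19 capture. It assumes
Sguil's transcript layout: client lines prefixed 'SRC: ', server lines
prefixed 'DST: '."""
import re
from dataclasses import dataclass

# Legitimate FTP arguments are short paths or names; an argument this long is
# the usual shape of an overflow attempt (the threshold is an assumption).
MAX_FTP_ARG = 255

# Shell activity has no business on an FTP control channel; seeing it after
# an oversized command means the overflow handed the attacker a shell.
POST_EXPLOIT_PATTERNS = {
    "shell_spawn": re.compile(r"(^|\s)(/bin/sh|/bin/bash|sh -i)(\s|$)"),
    "recon": re.compile(r"^(id|whoami|uname -a|cat /etc/passwd|ls( .*)?)$"),
    "account_tamper": re.compile(r"^(useradd|adduser|passwd)\b"),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def parse_transcript(text):
    """Yield (line_no, direction, payload) from a Sguil-style transcript."""
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("SRC: "):
            yield n, "client", raw[5:]
        elif raw.startswith("DST: "):
            yield n, "server", raw[5:]


def triage(text):
    """Return the suspicious client lines, in transcript order."""
    findings = []
    for n, direction, payload in parse_transcript(text):
        if direction != "client":
            continue  # only what the attacker sent is of interest here
        verb, _, arg = payload.partition(" ")
        if verb.isupper() and len(arg) > MAX_FTP_ARG:
            findings.append(Finding(n, "oversized_ftp_arg", f"{verb} with {len(arg)}-byte argument"))
            continue
        for kind, pattern in POST_EXPLOIT_PATTERNS.items():
            if pattern.search(payload):
                findings.append(Finding(n, kind, payload))
                break
    return findings


def assess(findings):
    """Overflow attempt followed by shell activity means the box is owned."""
    kinds = [f.kind for f in findings]
    if "oversized_ftp_arg" in kinds and any(k != "oversized_ftp_arg" for k in kinds):
        return "compromised"
    if kinds:
        return "suspicious"
    return "no indicators"


# Constructed session in the same shape as the case a) transcript (not real capture data)
SAMPLE_TRANSCRIPT = "\n".join([
    "DST: 220 ftp.victim.example FTP server ready.",
    "SRC: USER anonymous",
    "DST: 331 Guest login ok, send your e-mail address as password.",
    "SRC: PASS mozilla@",
    "DST: 230 Guest login ok, access restrictions apply.",
    "SRC: CWD " + "A" * 600,
    "SRC: id",
    "DST: uid=0(root) gid=0(root)",
    "SRC: cat /etc/passwd",
    "SRC: useradd dns",
    "SRC: passwd -d nobody",
])

if __name__ == "__main__":
    found = triage(SAMPLE_TRANSCRIPT)
    for f in found:
        print(f"line {f.line_no:3d}  {f.kind:18s}  {f.detail[:60]}")
    print("verdict:", assess(found))
```

Running it stand-alone prints the five flagged lines and the verdict "compromised"; pointing triage() at a transcript you saved from Sguil gives you the same list without reading every line by hand.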


Case b)

We know malware was downloaded on the system.

We were given a capture file available at https://forensicscontest.com/contest05/infected.pcap and we need to analyze it in order to understand which files were downloaded and what malware we're dealing with.

Let's analyze the file with Wireshark.

In this case, we look at the first HTTP packet (the first GET request) and use Follow > TCP Stream to see the whole conversation between the two endpoints.

We immediately find the malicious URL requested by the user (http://nrtjo.eu), which resolves to the IP address 59.53.91.102.

My ipchecker.bash script returns two important results about this site:
  1. It's located in China.
  2. IPVoid and VirusTotal report it as blacklisted.

At that point, we can open the same capture file with NetworkMiner and reassemble the files that were downloaded.

Upon opening the capture file, NetworkMiner reassembles the downloaded files into the directory /opt/networkminer/AssembledFiles.

NetworkMiner was able to retrieve all the files that were downloaded, including an executable.

We're therefore able to understand what malware was downloaded, from where and what payload it carries, which helps us design our incident response strategy for the best results.
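NetworkMiner does the file carving for you; to show what that step actually involves, here is an added example (not code from the post, from NetworkMiner or from Wireshark) that takes the two sides of a followed TCP stream, parses the HTTP request and response, carves the body, identifies the file by its leading bytes rather than by the Content-Type the server claims, and turns the result into an IoC record with URL, server IP and SHA-256 hash. The request and response bytes are constructed; only the host name and IP address are taken from the write-up above, and the request path and fake executable bytes are placeholders. It also handles a capture that stopped mid-download, reporting the body as incomplete instead of hashing a partial file as if it were the whole thing.

```python
"""Carve an HTTP download out of a reassembled TCP conversation and turn it
into indicators of compromise (URL, server IP, hash, file type).

Added example; not code from the post or from NetworkMiner/Wireshark. The
request/response bytes are constructed; only the host and IP come from the
write-up. Standard library only, so it runs offline."""
import hashlib

# Leading bytes that identify common file types regardless of Content-Type
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}


def _headers(lines):
    """Parse 'Name: value' header lines into a lower-cased dict."""
    out = {}
    for line in lines:
        name, _, value = line.decode("latin-1").partition(":")
        if name:
            out[name.strip().lower()] = value.strip()
    return out


def parse_http_request(data):
    """Return (method, path, headers) for the first request in the client stream."""
    head = data.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode("ascii", "replace").split(" ", 2)
    return method, path, _headers(header_lines)


def parse_http_response(data):
    """Return (status, headers, body, complete) for the first response.

    'complete' is False when the body is shorter than Content-Length, which
    is what a capture that stopped mid-download looks like."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None, {}, b"", False
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split(b" ")[1].decode("ascii"))
    headers = _headers(header_lines)
    declared = int(headers.get("content-length", len(body)))
    return status, headers, body[:declared], len(body) >= declared


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_download(client_bytes, server_bytes, server_ip):
    """Build an IoC record for the file the server returned."""
    method, path, req_headers = parse_http_request(client_bytes)
    status, resp_headers, body, complete = parse_http_response(server_bytes)
    detected = next((name for magic, name in MAGIC.items() if body.startswith(magic)), "unknown")
    declared = resp_headers.get("content-type", "?")
    return {
        "url": f"http://{req_headers.get('host', server_ip)}{path}",
        "method": method,
        "server_ip": server_ip,
        "status": status,
        "declared_type": declared,
        "detected_type": detected,
        # an executable served under an image/text type is worth flagging on its own
        "type_mismatch": detected.endswith("executable") and not declared.startswith("application/"),
        "size": len(body),
        "sha256": sha256_hex(body),
        "complete": complete,
    }


# Constructed stand-in for a Windows executable: DOS header magic plus padding
SAMPLE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200

# Constructed client and server sides of the stream; path is a placeholder
CLIENT_STREAM = (
    b"GET /download/sample.bin HTTP/1.1\r\n"
    b"Host: nrtjo.eu\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"\r\n"
)
SERVER_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    + f"Content-Length: {len(SAMPLE_BODY)}\r\n".encode("ascii")
    + b"\r\n"
    + SAMPLE_BODY
)

if __name__ == "__main__":
    for key, value in carve_download(CLIENT_STREAM, SERVER_STREAM, "59.53.91.102").items():
        print(f"{key:14s} {value}")
```

The SHA-256 and URL from the record are what you would push to your blocklists and search for on other hosts; the type_mismatch flag is the cheap check that catches an executable delivered under an innocuous Content-Type without needing a signature for the specific sample.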


Wrap-up

Security Onion is a very useful and powerful tool, and it can help a great deal in understanding whether a system was compromised or not.

Best of all, it's totally free, so check it out!
