Overview
For this challenge we'll use Wireshark to investigate whether an endpoint has been compromised, determine which types of scans were conducted and which ports were open, and identify login attempts.
Scenario
Festiva has many ideas for Winter Wonderland, one of which includes mass manufacturing of stew to make sure everyone is fed over this sometimes harsh period of the year.
With all the recent issues with Glacier happening, she wants to make sure that her Chemical Plant, where the stew is getting made, is okay. Can you help threat hunt and see if everything is okay?
All the questions are related to a network capture we got off one of the Monitoring Workstations in the plant's DMZ.
Q1
The host machine in the capture has the highest amount of traffic. What is the host endpoint's IP?
We can use Wireshark’s Endpoint Statistics to determine which host had the most traffic.
After loading the window, we’ll sort it by Packets.

Endpoint statistics
Answer
192.168.1.120
Q2
The engineers on site tell us that this machine connects into the DMZ but also has internet access. That means the endpoint must have two network [blank]
Computers connect to networks via a network interface, therefore…
Answer
interface
Q3
Hmm, if there are two of those then that must mean there is another IP. If I were an attacker I'd probably start with one of the first steps of the cyber kill chain. What network reconnaissance tool is used, and what is the string in the info column where the name first appears? (Format: tool, XXXX /XXX XXXX/X.X)
We’ll start by checking the Conversations Statistics to see if we can spot a port scan.
After opening the window, we’ll navigate to the TCP pane and sort by lowest Packet counts.

Apparent port scan targeting 192.168.90.5
We can see many packets from 192.168.90.3 to 192.168.90.5; this looks like a classic port scan.
Using this new information, we’ll pivot and filter for the IP addresses we discovered.

Wireshark filtered for the IPs
Looking at the results, we can see that the client's user-agent is Nmap.
Answer
nmap, POST /sdk HTTP/1.1
Q4
This can then help us get the other IP of the host machine.
We discovered this in the previous question.
Answer
192.168.90.3
Q5
Looking at what happened before the nmap scan, it looks like there was another type of scan run. We just need the generic name and not the tool.
We’ll start by filtering for events that occurred before the nmap scan. We can do this by selecting one of the conversations we discovered in Q3.
With that, we'll apply the timestamp as a filter and change the == to < so only packets before the scan are shown.

Filtering for events before the nmap scan
Looking through the results, we can see a clear ARP scan being carried out by the previously discovered IP.

ARP Scan
Answer
arp scan
Q6
What’s the IP of the endpoint in the DMZ with our host?
We already discovered the target of the nmap scan, which was in the same subnet as the host conducting the scan.
Answer
192.168.90.5
Q7
Based on the scan from Q3 what two ports are open? (Format: port, port)
We'll filter Wireshark for the communications between 192.168.90.5 and 192.168.90.3.
Specifically, we want the source to be 192.168.90.5 because it is the target of the scan, so its responses indicate whether a port is open.
With the IPs filtered, we need to filter for responses that signify an open port.
We can do this in a number of ways, whether by filtering out any RST packets or by filtering for SYN, ACK packets.

Filtering for responses from the scanned host.
With our filters in place, we can see the only ports that replied with SYN, ACK.
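The two Wireshark steps used in Q3 and Q7 (sort the TCP conversations by packet count to spot the scan, then keep only SYN/ACK replies from the scanned host to list open ports), as an added Python example that is not part of the original writeup. It runs on a constructed packet summary, not the challenge capture: the two 192.168.90.x addresses and the open ports come from the page, while the probed port list, the source ports and the 203.0.113.10 background flow are made up.

```python
from collections import defaultdict

# TCP flag values as Wireshark shows them in the tcp.flags field (hex).
SYN, SYN_ACK, RST, RST_ACK = 0x002, 0x012, 0x004, 0x014

def build_sample():
    """Constructed packets (src, sport, dst, dport, flags); not the real capture.
    192.168.90.3 probes 15 ports on 192.168.90.5; only 8009 and 8080 answer SYN/ACK."""
    scanner, target = "192.168.90.3", "192.168.90.5"
    pkts = [("192.168.1.120", 50000, "203.0.113.10", 443, 0x018)] * 40  # made-up background flow
    ports = [21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 3389, 8009, 8080, 8443]
    for i, port in enumerate(ports):
        sport = 40000 + i
        pkts.append((scanner, sport, target, port, SYN))
        if port in (8009, 8080):             # open: SYN/ACK back, scanner tears down
            pkts.append((target, port, scanner, sport, SYN_ACK))
            pkts.append((scanner, sport, target, port, RST))
        else:                                 # closed: RST/ACK straight back
            pkts.append((target, port, scanner, sport, RST_ACK))
    return pkts

def conv_key(src, sport, dst, dport):
    """Direction-independent key for one TCP conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def tcp_conversations(pkts):
    """Packets per conversation, like Statistics -> Conversations -> TCP pane."""
    counts = defaultdict(int)
    for src, sport, dst, dport, _ in pkts:
        counts[conv_key(src, sport, dst, dport)] += 1
    return counts

def scan_candidates(pkts, min_ports=10, max_pkts=3):
    """(src, dst) pairs where src opened many tiny conversations to distinct ports."""
    counts = tcp_conversations(pkts)
    probed = defaultdict(set)
    for src, sport, dst, dport, flags in pkts:
        if flags == SYN and counts[conv_key(src, sport, dst, dport)] <= max_pkts:
            probed[(src, dst)].add(dport)
    return {pair: ports for pair, ports in probed.items() if len(ports) >= min_ports}

def open_ports(pkts, target, scanner):
    """Ports on target that answered scanner with SYN/ACK (tcp.flags == 0x012)."""
    return sorted({sport for src, sport, dst, _, flags in pkts
                   if src == target and dst == scanner and flags == SYN_ACK})

if __name__ == "__main__":
    sample = build_sample()
    for (src, dst), ports in scan_candidates(sample).items():
        print(f"{src} probed {len(ports)} ports on {dst}; open: {open_ports(sample, dst, src)}")
```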
Answer
8009, 8080
Q8
What protocol is running on the higher port? (Format: protocol)
We’ll adjust our filter for traffic between the two IPs on port 8080.

Filtering for traffic on 8080
As we would expect, it is HTTP traffic.
Answer
http
Q9
We know the plant has some operations software running on that endpoint. What is the login URL, and what are the credentials to access? (Format: http://x.x.x.x:port/something, username:password)
To discover the URL we’ll adjust our filter to limit the traffic to HTTP.
Because we’re looking for a login we’ll start by looking for POST traffic.

POST traffic to the endpoint
With our quick filter, we can see a POST request to a /login.htm page.
A quick check of the form data gives us the login information used by the attacker.

The POST request's form fields
Answer
Refang the URL for submission.
hxxp[://]192[.]168[.]90[.]5:8080/ScadaBR/login[.]htm, admin:admin
Q10
Oh no, this is bad. Looks like Glacier might have gotten into the network. I'm going to cut the wire between OT and IT, but can you find the packet number which corresponds to the redirect after the credentials are entered? (Format: Number)
Wireshark provides us with the packet number of the response.
