August 16, 2024
For this challenge we’ll be using Wireshark to investigate whether an endpoint has been compromised, types of scans conducted, which ports were open, and identify login attempts.
Festiva has many ideas for Winter Wonderland, one of which includes mass manufacturing of stew to make sure everyone is fed over this sometimes harsh period of the year.
With all the recent issues with Glacier happening she wants to make sure that her Chemical Plant where the stew is getting made is okay. Can you help threat hunt and see if everything is okay?
All the questions are related to a network capture we got off one of the Monitoring Workstations in the plant's DMZ.
The host machine in the capture has the highest amount of traffic, what is the host endpoint's IP?
We can use Wireshark’s Endpoint Statistics to determine which host had the most traffic.
After loading the window, we’ll sort it by Packets.
The engineers on site tell us that this machine connects into the DMZ but also has internet access. That means the endpoint must have two network [blank]
Computers connect to networks via a network interface, therefore…
Hmm, if there are two of those, then that must mean there is another IP. If I were an attacker I'd probably start with one of the first steps of the cyber kill chain. What network reconnaissance tool is used and what is the string in the info column where the name first appears? (Format: tool, XXXX /XXX XXXX/X.X)
We’ll start by checking the Conversations Statistics to see if we can spot a port scan.
After opening the window, we’ll navigate to the TCP pane and sort by lowest Packet counts.
We can see many short conversations from 192.168.90.3 to 192.168.90.5; this looks like a classic port scan.
Using this new information, we’ll pivot and filter for the IP addresses we discovered.
Looking at the results we can see that the client’s user-agent is Nmap.
This can then help us get the other IP of the host machine.
We discovered this in the previous question.
Looking at what happened before the nmap scan it looks like there was another type of scan run. We just need the generic name and not the tool.
We’ll start by filtering for events that occurred before the nmap scan. We can do this by selecting one of the conversations we discovered in Q3.
With that, we’ll filter based on the timestamp and change the == to <.
Looking through the results we can see a clear ARP scan being carried out by the previously discovered IP.
ARP Scan
What’s the IP of the endpoint in the DMZ with our host?
We already discovered the target of the nmap scan, which was in the same subnet as the host conducting the scan.
Based on the scan from Q3 what two ports are open? (Format: port, port)
We’ll filter Wireshark for the communications from 192.168.90.5 and 192.168.90.3.
Specifically, we want the source to be 90.5 because it is the target of the scan, so its response will indicate if a port is open.
With the IPs filtered, we need to filter for responses that signify an open port.
We can do this in a number of ways, whether by filtering out any RST packets or by filtering for SYN, ACK packets.
With our filters in place, we can see the only two ports that replied with SYN, ACK; every other probed port was answered with a RST (closed) or not answered at all (filtered).
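The open-port check above, as an added example that is not part of the original writeup: a small Python script applying the same logic to a constructed set of TCP records, first flagging the scanning pair by its many single-SYN conversations (what the Conversations view showed us), then classifying each probed port from the target's reply. The packets, ports and their states are made up for illustration and are not the challenge capture's real answer.

```python
from collections import defaultdict

# Constructed sample modelled on the scan in this capture (192.168.90.3 probing
# 192.168.90.5). Port states are invented for the example, not read from the pcap.
# "flags" holds the TCP flag names as Wireshark displays them.
SAMPLE_PACKETS = [
    {"src": "192.168.90.3", "dst": "192.168.90.5", "sport": 40001, "dport": 22,   "flags": {"SYN"}},
    {"src": "192.168.90.5", "dst": "192.168.90.3", "sport": 22,   "dport": 40001, "flags": {"RST", "ACK"}},
    {"src": "192.168.90.3", "dst": "192.168.90.5", "sport": 40002, "dport": 80,   "flags": {"SYN"}},
    {"src": "192.168.90.5", "dst": "192.168.90.3", "sport": 80,   "dport": 40002, "flags": {"SYN", "ACK"}},
    {"src": "192.168.90.3", "dst": "192.168.90.5", "sport": 40003, "dport": 8080, "flags": {"SYN"}},
    {"src": "192.168.90.5", "dst": "192.168.90.3", "sport": 8080, "dport": 40003, "flags": {"SYN", "ACK"}},
    {"src": "192.168.90.3", "dst": "192.168.90.5", "sport": 40004, "dport": 445,  "flags": {"SYN"}},
    {"src": "192.168.90.5", "dst": "192.168.90.3", "sport": 445,  "dport": 40004, "flags": {"RST", "ACK"}},
    {"src": "192.168.90.3", "dst": "192.168.90.5", "sport": 40005, "dport": 3389, "flags": {"SYN"}},
    # 3389 gets no reply at all: a firewall dropped it rather than the host refusing it
]


def suspected_scanners(packets, min_ports=4):
    """Flag (src, dst) pairs where one source sends bare SYNs to many distinct ports.
    This is the pattern behind the many tiny conversations seen in Statistics > Conversations."""
    ports = defaultdict(set)
    for p in packets:
        if p["flags"] == {"SYN"}:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(s) for pair, s in ports.items() if len(s) >= min_ports}


def classify_ports(packets, scanner, target):
    """Equivalent of filtering ip.src==target && ip.dst==scanner and reading the flags:
    SYN/ACK reply => open, RST reply => closed, no reply => filtered."""
    probed = {p["dport"] for p in packets
              if p["src"] == scanner and p["dst"] == target
              and "SYN" in p["flags"] and "ACK" not in p["flags"]}
    result = {port: "filtered" for port in probed}
    for p in packets:
        if p["src"] == target and p["dst"] == scanner and p["sport"] in result:
            if {"SYN", "ACK"} <= p["flags"]:
                result[p["sport"]] = "open"
            elif "RST" in p["flags"]:
                result[p["sport"]] = "closed"
    return result


def open_ports(packets, scanner, target):
    """Just the ports that answered SYN/ACK, sorted, for the (Format: port, port) answer."""
    states = classify_ports(packets, scanner, target)
    return sorted(port for port, state in states.items() if state == "open")


if __name__ == "__main__":
    print(suspected_scanners(SAMPLE_PACKETS))
    print(classify_ports(SAMPLE_PACKETS, "192.168.90.3", "192.168.90.5"))
    print(open_ports(SAMPLE_PACKETS, "192.168.90.3", "192.168.90.5"))
```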
What protocol is running on the higher port? (Format: protocol)
We’ll adjust our filter for traffic between the two IPs on port 8080.
We see, as we would expect, that it is HTTP traffic.
We know the plant has some operations software running on that endpoint. What is the login URL, and what are the credentials to access? (Format: http://x.x.x.x:port/something, username:password)
To discover the URL we’ll adjust our filter to limit the traffic to HTTP.
Because we’re looking for a login we’ll start by looking for POST traffic.
With our quick filter, we can see a POST request to a /login.htm page.
A quick check of the form data gives us the login information used by the attacker.
Refang the URL for submission.
hxxp[://]192[.]168[.]90[.]5:8080/ScadaBR/login[.]htm, admin:admin
Oh no, this is bad. Looks like Glacier might have gotten into the network. I'm going to cut the wire between OT and IT, but can you find the packet number which corresponds to the redirect after the credentials are entered? (Format: Number)
Wireshark provides us with the packet number of the response.