
Cyber Quests Spring 2019 | write-up [2]

Detailed technical write-up for Cyber Quests Spring 2019 CTF

🕴️ CTF Website : https://uscc.cyberquests.org/

This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.

Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).

Some questions refer to files contained within this ZIP file : 🔗 Spring 2019 Cyber Quest Resources. Let’s start the fun.


The following questions are based on 🔗 attack.pcap:

2️⃣2️⃣ Analyze the 🔗 attack.pcap file.

What is most likely occurring?

  • An SMB brute force attack
  • An SSH brute force attack
  • An SSH Man-in-the-Middle attack
  • An SMB Replay attack

✅ Answer:

  1. Let’s begin by understanding each attack:

In general, a brute force attack is an attempt to crack a password or username, find a hidden web page, or find the key used to encrypt a message by trial and error, hoping eventually to guess correctly.

  • An SMB brute force attack
    Server Message Block (SMB) is the Internet standard protocol Windows uses to share files, printers, and serial ports. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses, in what’s described as a client-server, request-response protocol.

  • An SSH brute force attack
    Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

  • An SSH Man-in-the-Middle attack
    A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.

  • An SMB Replay (Relay) attack
    An SMB Relay attack is a type of attack which relies on NTLM version 2 authentication. It is a Man-in-the-Middle attack in which a malicious user on the local network poisons network traffic to trick the target machine/user into thinking that it is the authentication server.

  1. Open attack.pcap in Wireshark:

cyberquest-22b-img-1.jpg

  1. Look over the sequence of packets exchanged between source and destination as captured in Wireshark.
    The attacker 10.1.1.165 port-scans the victim 10.1.1.133:
  • Closed ports:
    The source sends a SYN packet to a specific port; if the port is closed, the destination replies with an RST packet. This is how the scan identifies closed ports.

cyberquest-22b-img-2.jpg

  • Open ports:
    • The source sends SYN packets to the destination
    • The destination sends SYN, ACK packets to the source (a SYN, ACK indicates the port is listening, i.e. open)
    • The source sends RST packets to the destination, tearing the half-open connection down

cyberquest-22b-img-3.jpg


The attacker found that port 445 is open.

cyberquest-22b-img-4.jpg

According to Microsoft, port 445 is the microsoft-ds (NetBIOS helper) port and is also used for SMB Fax Service, SMB Print Spooler, SMB Server, SMB Remote Procedure Call Locator, SMB Distributed File System and SMB Net Logon.

  1. Using the display filter smb2, we can see the brute-force attempts performed by the attacker:

cyberquest-22b-img-5.jpg

The attacker first tries the user KgHZQMzV and receives a logon failure (STATUS_LOGON_FAILURE).

After that the user larry is attempted, which also fails with STATUS_LOGON_FAILURE.

cyberquest-22b-img-6.jpg

But he keeps making brute-force attempts until he gets in, then tries different shares on the same host: Tree: \\10.1.1.133\admin$ and Tree: \\10.1.1.133\IPC$, both of which fail with ERROR (STATUS_ACCESS_DENIED).

cyberquest-22b-img-7.jpg

Then he tries a different domain, Domain: oqdwzfFX

cyberquest-22b-img-9.jpg

until he gets access with Domain: LARRY-PC.

cyberquest-22b-img-10.jpg

Attack type: An SMB brute force attack.
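As an added example (not part of the original write-up), the pattern the smb2 filter exposes above, a run of STATUS_LOGON_FAILURE session-setup responses, then a success, then STATUS_ACCESS_DENIED on share connects, can be picked out programmatically by parsing the 64-byte SMB2 header of each server response. The frames are constructed to mirror the sequence described above; the threshold and the parse_smb2_header/summarize_auth names are my own assumptions.

```python
import struct
from collections import Counter
# SMB2 header fields and NTSTATUS codes as defined in MS-SMB2 / MS-ERREF
SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP, SMB2_TREE_CONNECT = 0x0001, 0x0003
FLAG_SERVER_TO_REDIR = 0x00000001            # set on every server response
STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_LOGON_FAILURE = 0x0, 0xC0000022, 0xC000006D

def parse_smb2_header(data):
    """Read status, command and direction from the 64-byte SMB2 header (None if not SMB2)."""
    if len(data) < 64 or data[:4] != SMB2_MAGIC:
        return None
    status, command, _credits, flags = struct.unpack_from("<IHHI", data, 8)
    return {"status": status, "command": command, "is_response": bool(flags & FLAG_SERVER_TO_REDIR)}

def smb2_frame(command, status, is_response):
    """Constructed test frame: a bare 64-byte SMB2 header with no command body."""
    hdr = bytearray(64)
    hdr[:4] = SMB2_MAGIC
    struct.pack_into("<H", hdr, 4, 64)                           # StructureSize
    struct.pack_into("<IHHI", hdr, 8, status, command, 1, FLAG_SERVER_TO_REDIR if is_response else 0)
    return bytes(hdr)

def summarize_auth(frames, threshold=3):
    """Tally responses per SMB server; `threshold` or more logon failures flags a brute force."""
    stats = {}
    for src, _dst, payload in frames:            # frames: (src_ip, dst_ip, smb2_payload) in order
        hdr = parse_smb2_header(payload)
        if hdr is None or not hdr["is_response"]:
            continue                                # only responses carry a real NTSTATUS
        s = stats.setdefault(src, Counter())
        if hdr["command"] == SMB2_SESSION_SETUP and hdr["status"] == STATUS_LOGON_FAILURE:
            s["logon_failure"] += 1
        elif hdr["command"] == SMB2_SESSION_SETUP and hdr["status"] == STATUS_SUCCESS:
            s["logon_success"] += 1
        elif hdr["command"] == SMB2_TREE_CONNECT and hdr["status"] == STATUS_ACCESS_DENIED:
            s["tree_denied"] += 1
    return stats, {srv: ("brute force" + (" (succeeded)" if c["logon_success"] else "")
                         if c["logon_failure"] >= threshold else "normal") for srv, c in stats.items()}

VICTIM, ATTACKER = "10.1.1.133", "10.1.1.165"
SAMPLE_FRAMES = [                                   # constructed to mirror the capture's sequence
    (VICTIM, ATTACKER, smb2_frame(SMB2_SESSION_SETUP, STATUS_LOGON_FAILURE, True)),
    (VICTIM, ATTACKER, smb2_frame(SMB2_SESSION_SETUP, STATUS_LOGON_FAILURE, True)),
    (ATTACKER, VICTIM, smb2_frame(SMB2_SESSION_SETUP, 0, False)),        # a request: skipped
    (VICTIM, ATTACKER, smb2_frame(SMB2_SESSION_SETUP, STATUS_LOGON_FAILURE, True)),
    (VICTIM, ATTACKER, smb2_frame(SMB2_SESSION_SETUP, STATUS_SUCCESS, True)),
    (VICTIM, ATTACKER, smb2_frame(SMB2_TREE_CONNECT, STATUS_ACCESS_DENIED, True)),
]
```

On a real capture the payloads would come from the TCP stream on port 445 (after the 4-byte NetBIOS session header), one SMB2 message per record.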

References :
https://www.1337pwn.com/how-to-detect-nmap-smb-brute-force-attack-using-wireshark/
https://intrinium.com/smb-relay-attack-tutorial/
https://www.youtube.com/watch?v=ctLVMi1_zBc
https://www.hackingarticles.in/understanding-nmap-scan-wireshark/


2️⃣3️⃣ Whose account is being targeted in the aforementioned attack?

  • Larry
  • John
  • Michael
  • Sarah

✅ Answer:

From the previous answer we know the targeted account is Larry.


2️⃣4️⃣ According to the traffic in 🔗 attack.pcap,

which ports are open on 10.1.1.133?

  • 135, 139, 443, 2103, 5360
  • 21, 22, 53, 139, 2103
  • 135, 139, 445, 2103, 5357
  • 21, 22, 53, 80, 445

✅ Answer:

  1. Open attack.pcap in Wireshark.

  2. As we learned in Q22, the destination replies with SYN, ACK packets to the source when the port is listening (open).

We need to filter our packets based on this concept, using the following display filter in Wireshark:

(tcp.flags==0x12) and not tcp.analysis.initial_rtt and ip.src==10.1.1.133

tcp.flags==0x12 looks for SYN/ACK packets (you could also use tcp.flags.syn==1 and tcp.flags.ack==1).

The trick is not tcp.analysis.initial_rtt: Wireshark only calculates the initial round trip time for a conversation when the three-way handshake completes. So if that field is missing but a SYN/ACK was seen, you have a half-open connection (assuming the SYN is there too), which is exactly what a SYN scan leaves behind.

Finally, ip.src==10.1.1.133 restricts the results to packets sent by this host, i.e. the replies from the scanned machine.

cyberquest-24-img-1.jpg

For a better view, go to the upper menu, select Statistics > Conversations, and tick “Limit to display filter” so only the packets matched by the filter we applied are counted.

cyberquest-24-img-2.jpg

cyberquest-24-img-3.jpg

So, of the options above, the open ports on host 10.1.1.133 are 135, 139, 445, 2103, 5357.
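Added example, not from the original write-up: the logic behind the Wireshark filter above, reconstructed as a small state machine over constructed packets between 10.1.1.165 and 10.1.1.133. It goes a bit further than the filter by also reporting closed (RST) and unanswered probes, and by listing the ports whose handshake completed, which not tcp.analysis.initial_rtt would exclude. The scan_summary and probe names are my own.

```python
# TCP flag bits as in Wireshark's tcp.flags: SYN/ACK together is 0x12
SYN, RST, ACK = 0x02, 0x04, 0x10

def scan_summary(packets, target):
    """Classify every TCP port probed on `target` from packets in capture order.

    packets: (src_ip, src_port, dst_ip, dst_port, flags) tuples. Returns ports that are
    open (answered SYN/ACK), closed (answered RST), unanswered, and fully handshaken.
    """
    conv = {}                                    # (client_ip, client_port, server_port) -> state
    for src, sport, dst, dport, flags in packets:
        if dst == target and flags & SYN and not flags & ACK:
            conv[(src, sport, dport)] = "syn_sent"                # a new probe
        elif src == target and (dst, dport, sport) in conv:
            key = (dst, dport, sport)
            if flags & SYN and flags & ACK:
                conv[key] = "syn_ack"                              # something is listening
            elif flags & RST:
                conv[key] = "closed"                               # nothing listening
        elif dst == target and (src, sport, dport) in conv:
            key = (src, sport, dport)
            if conv[key] == "syn_ack":                             # the client's third packet
                conv[key] = "established" if flags & ACK and not flags & RST else "half_open"

    def ports(*states):
        return sorted({k[2] for k, s in conv.items() if s in states})
    return {"open": ports("syn_ack", "half_open", "established"), "closed": ports("closed"),
            "no_reply": ports("syn_sent"), "completed_handshake": ports("established")}

SCANNER, TARGET = "10.1.1.165", "10.1.1.133"

def probe(port, reply, cport=40000):
    """Constructed packets for one SYN probe; reply is 'syn_ack', 'rst' or None."""
    pk = [(SCANNER, cport, TARGET, port, SYN)]
    if reply == "syn_ack":                       # open: SYN/ACK back, scanner tears down with RST
        pk += [(TARGET, port, SCANNER, cport, SYN | ACK), (SCANNER, cport, TARGET, port, RST)]
    elif reply == "rst":                         # closed: RST/ACK back
        pk += [(TARGET, port, SCANNER, cport, RST | ACK)]
    return pk

# Constructed sample: five open ports, three closed, one silent, then the attacker's
# real SMB session to 445 (a full handshake from another client port).
SAMPLE = (probe(135, "syn_ack") + probe(139, "syn_ack") + probe(445, "syn_ack")
          + probe(2103, "syn_ack") + probe(5357, "syn_ack")
          + probe(21, "rst") + probe(22, "rst") + probe(80, "rst") + probe(443, None)
          + [(SCANNER, 40001, TARGET, 445, SYN), (TARGET, 445, SCANNER, 40001, SYN | ACK),
             (SCANNER, 40001, TARGET, 445, ACK)])
```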

References :
https://www.youtube.com/watch?v=Zi1aaEJg5YI
https://osqa-ask.wireshark.org/questions/60995/how-do-i-filter-tcp-connection-with-syn-and-syn-ack-without-ack-response


2️⃣5️⃣ Continue to analyze 🔗 attack.pcap.

Who is the author of the exfiltrated file?

  • Michael
  • Sarah
  • John
  • Larry

✅ Answer:

If you examine the packets you will find that the attacker downloaded this file: larry\Documents\files\file.jpg

cyberquest-25-img-1.jpg

To extract the file:

  • Select this packet by clicking on it.
  • Go to the upper menu and select File > Export Objects > SMB...

cyberquest-25-img-2.jpg

  • Select the file, then click Save.

cyberquest-25-img-3.jpg

Nice photo :)

cyberquest-25-img-4.jpg

Now let’s open the file with exiftool to examine the metadata:

Note: ExifTool does not need to be installed to run. Just download and extract either the full Perl distribution on Mac/Linux, or the Windows EXE version on Windows, and run it directly.

Open a terminal and run the following command, after changing /path/to/file.jpg to where you saved the file:

exiftool /path/to/file.jpg > data.txt

data.txt is where the file metadata will be saved; you can also run the command without redirecting the output to a file.

ExifTool Version Number         : 11.30
File Name                       : file.jpg
Directory                       : .
File Size                       : 41 kB
File Modification Date/Time     : 2019:06:22 21:31:01+03:00
File Access Date/Time           : 2019:06:22 21:43:43+03:00
File Inode Change Date/Time     : 2019:06:22 21:41:54+03:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
DCT Encode Version              : 100
APP14 Flags 0                   : (none)
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Exif Byte Order                 : Big-endian (Motorola, MM)
Artist                          : Sarah
Date/Time Original              : 2018:05:29 10:46:42
Create Date                     : 2018:05:29 10:46:42
Sub Sec Time Original           : 46
Sub Sec Time Digitized          : 46
XP Title                        : New York City skyline
XP Author                       : Sarah
Padding                         : (Binary data 2108 bytes, use -b option to extract)
Quality                         : 60%
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Creator                         : Sarah
Rating                          : 5
Warning                         : [minor] Fixed incorrect URI for xmlns:MicrosoftPhoto
Rating Percent                  : 99
Title                           : New York City skyline
Description                     : New York City skyline
Image Width                     : 580
Image Height                    : 387
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 580x387
Megapixels                      : 0.224
Create Date                     : 2018:05:29 10:46:42.46
Date/Time Original              : 2018:05:29 10:46:42.46

The file author is Sarah.

References :
https://www.youtube.com/watch?v=1rc88RyvCnE
https://www.sno.phy.queensu.ca/~phil/exiftool/install.html


2️⃣6️⃣ What is the title of the exfiltrated file?

  • San Francisco Golden Gate Bridge
  • New York City skyline
  • Chicago Cloud Gate
  • Boston Fenway Park

✅ Answer:

From the extracted metadata, the file title is New York City skyline.

