Keep Tryin'

CeSeNA Security Network & Application

This packet capture seems to show some suspicious traffic

PCAP Analysis

  1. DNS request to init.c2VjcmV0LnR4dHwx.totallylegit.com

  2. DNS request to 0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0.T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA.KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m.w.totallylegit.com

  3. POST request to totallylegit.com/flag with data TryHarder.

  4. POST request to totallylegit.com/lootz with data S2VlcCB0cnlpbmcsIGJ1ZmZ5Cg==

The PCAP is short and we can see 2 DNS requests and 2 POST:

DNS Abuse

Cache Poisoning

 

DNS Tunneling

 

DNS Hijacking

 

NXDOMAIN Attack / Phantom Domains

 

DNS Amplification DDoS

 

DNS DDoS

DNS - "Enterprise" Setup

DNS Data Exfiltration

DNSMessenger

MULTIGRAIN

Wekby

JAKU

C3PRO-RACOON

BerhnardPOS

FrameworkPOS

PlugX

FeederBot

Mort

DNS Data Exfiltration - Test

https://asciinema.org/a/183832

https://github.com/m57/dnsteal

Back to the challenge...

  1. DNS request to init.c2VjcmV0LnR4dHwx.totallylegit.com

  2. DNS request to 0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0.T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA.KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m.w.totallylegit.com

  3. POST request to totallylegit.com/flag with data TryHarder.

  4. POST request to totallylegit.com/lootz with data S2VlcCB0cnlpbmcsIGJ1ZmZ5Cg==

Back to the challenge...

  1. DNS request to init.secret.txt|1.totallylegit.com

  2. DNS request to 0.Ñè×ZÊúL.OU¼?€©ˆ&[Î.(Ú枹-}·ƒƒ7)<c=7ŒcгT:l ……–]é‰óHM‚3Ó|ºÂP7y.w.totallylegit.com

  3. POST request to totallylegit.com/flag with data TryHarder.

  4. POST request to totallylegit.com/lootz with data

    Keep trying, buffy

http totallylegit.com
HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Content-Length: 185
Content-Type: text/html
Date: Tue, 29 May 2018 07:01:43 GMT
Location: http://www.rent.com/

Decoding

init.<filename>|1.<domainname>

0.<base64garbage>.<base64garbage>.<base64garbage>.<base64garbage>.<domainname>

base64 encoding for <filename>

base64 encoding for <base64garbage> (?)

<domainname> = "totallylegit.com"

<filename> = "secret.txt"

Identification

http://bfy.tw/ILgP

Arno0x/DNSExfiltrators

Identification

Client - Infected Machine

Server - Attacker Machine

Implementation

def decode(msg):
    # base64URL
    msg = msg.replace("_", "/").replace("-", "+")
    # Padding for base64
    msg += "=" * ((4 - len(msg) % 4) % 4)
return bytearray(b64decode(msg))


domainName = "totallylegit.com"
qname = "0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0."
qname += "T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA."
qname += "KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m."
qname += "w.totallylegit.com"
password = "" # password unknown, blank?
rc4Decryptor = RC4(password)

msg = qname[0:-len(domainName)]  # Remove the top level domain name
chunkNumber, chunkData = msg.split('.', 1)
chunkNumber = int(chunkNumber)  # We have only one chunk with index 0

dataChunks = []
dataChunks.append(chunkData.replace(".", ""))
fileData = ''.join(dataChunks)

with open("./secret.zip", 'w') as fileHandle:
    fileHandle.write(rc4Decryptor.binaryDecrypt(decode(fileData)))
fileHandle.close()

Solution

$ python2 decrypt.py

Traceback (most recent call last):
  File "decrypt.py", line 47, in <module>
    rc4Decryptor = RC4(password)
  File "decrypt.py", line 14, in __init__
    self.init(key)
  File "decrypt.py", line 19, in init
    self.x = (ord(key[i % len(key)]) + self.state[i] + self.x) & 0xFF
ZeroDivisionError: integer division or modulo by zero

PCAP Analysis - Again

  1. POST request to totallylegit.com/flag with data TryHarder.

  2. POST request to totallylegit.com/lootz with data

    Keep trying, buffy

/flag?

 

I will not take the bait!!!!!

Keep trying, buffy

password = "Keep trying, buffy" # from POST /lootz
$ python2 decrypt.py
$ unzip secret.zip

Archive:  secret.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of secret.zip or
        secret.zip.zip, and cannot find secret.zip.ZIP, period.

TryHarder 

password = "TryHarder" # from POST /flag..........
$ python2 decrypt.py
$ unzip -p secret.zip

HTB{$n3aky_DN$_Tr1ck$}

HTB{$n3aky_DN$_Tr1ck$}

Fin

  • https://cesena.ing2.unibo.it/
  • https://github.com/cesena
  • cesena.team@gmail.com
  • Facebook Group: "Ce.Se.N.A. Cesena Security Networks & Applications"

Keep Tryin'

By Edoardo Rosa

Made with Slides.com

Keep Tryin'

  • 5,302

More from Edoardo Rosa