Tuesday, January 5, 2016

SANS Holiday Hack 2015 - Part 1


Traffic from Gnome to C&C

I used Python to decode this to begin with. Python has nice command-line features in Linux that make decoding things fairly easy. Then I remembered that the clue was to use Scapy. Scapy decodes both the image and these responses. You can see it later in my image write-up. (Scroll down; it doesn't display well in my browser.)

NONE:NONE:NONE:NONE:NONE:NONE:NONE:EXEC:iwconfig EXEC:START_STATEEXEC:wlan0 IEEE 802.11abgn ESSID:"DosisHome-Guest"
EXEC:
EXEC: EXEC: EXEC: EXEC: EXEC: EXEC:lo EXEC: EXEC:eth0 EXEC:STOP_STATENONE:NONE:NONE:EXEC:cat /tmp/iwlistscan.txt EXEC:START_STATEEXEC:wlan0 Scan completed :
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
EXEC:
EXEC: 2D1A8C131BFFFF000000000000000000000000000000000000000000
ESSID:"CHC"
Extra:tsf=000000412e67cddf
Extra: Last beacon: 5408ms ago
IE: Unknown: 010882848B960C121824 IE: Unknown: 030101
IE: Unknown: 200100
IE: IEEE 802.11i/WPA2 Version 1
IE: Unknown: 32043048606C
IE: Unknown: DD180050F2020101040003A4000027A4000042435E0062322F00 IE: Unknown:
EXEC:
EXEC: EXEC:STOP_STATENONE:NONE:NONE:NONE:FILE:/root/Pictures/snapshot_CURRENT.jpg FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpgFILE: (There's a jpg file here, but I didn't think that you'd want the gobbledygook that it printed out in my text file. It's the jpeg file that Josh needed the text from.)


Mode:Managed Frequency:2.412 GHz Cell: 7A:B3:B6:5E:A4:3F Tx-Power=20 dBm
Power Management:off no wireless extensions.
no wireless extensions.
EXEC:
Frequency:2.412 GHz (Channel 1) Quality=29/70 Signal level=-81 dBm Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s 9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s Mode:Master
IE: Unknown: 00055837335A36
Group Cipher : CCMP Pairwise Ciphers (1) : CCMP Authentication Suites (1) : PSK
IE: Unknown: 2A0100
Frequency:2.412 GHz (Channel 1) Quality=59/70 Signal level=-51 dBm Encryption key:on ESSID:"DosisHome"
EXEC:

Image From DNS C&C Traffic in the PCAP

I used Scapy to find the image in the pcap. Someone had completed a similar challenge before, so I just used their solution to help me:

https://cyberchallenge.com.au/pdf/CySCA2014_Network_Forensics.pdf

I had to add the code to write a file because, in their first iteration, they just printed the output to the terminal screen. Obviously, that would be a bit difficult to copy. I remembered that Scapy is written in Python, so I looked up how to write to a file using Python.

from scapy.all import rdpcap, DNSRR
from base64 import b64decode

pkts = rdpcap('giyh-capture.pcap')

# Append the hex of every decoded DNS answer to log.txt so it can be pasted
# into a hex editor; the file is opened once and closed automatically.
with open('log.txt', 'a') as f:
    for pkt in pkts:
        if DNSRR in pkt:
            rdata = pkt[DNSRR].rdata
            # Older Scapy returns the TXT record as one length-prefixed string
            # (rdata[1:] skips the length byte); newer Scapy returns a list of
            # strings, so join those instead.
            if isinstance(rdata, list):
                rdata = b''.join(rdata)
            else:
                rdata = rdata[1:]
            data = b64decode(rdata)
            decodedata = ' '.join("{0:02x}".format(c) for c in bytearray(data))
            print(decodedata)
            f.write(decodedata + '\n')

I took all the hex that was printed in the log.txt file and pasted it into Bless Hex Editor. I found the characteristic header for a jpeg image, FF D8 JFIF, and the footer FF D9. (I don't know headers off the top of my head. I saw that this was a jpeg when I was analyzing traffic. If you don't know headers and footers, a quick Google search will give you the information that you need.) I selected all of those bytes and saved them into another file with the jpg extension. I still couldn't get the file to open, even though I saved the file with a jpg extension. I reopened the file in Bless Hex Editor. Then I noticed that there were a lot of "FILE:" strings. I was fairly certain that a jpeg didn't require all of those. They were probably there for the web traffic so that the machine at the other end can reassemble things that go together. I used the find and replace function in Bless Hex Editor to replace all of them with a backspace. Then I saved the file again. When I opened the file, I got the image of the gnome's legs in the living room. The phrase to give to Joshua was "GnomeNET-North America".
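The two steps above, decoding the base64 TXT records into the NONE/EXEC/FILE channel and then stripping the "FILE:" prefixes to carve the JPEG between FF D8 and FF D9, as one script. This is an added example, not code from the original post: the records are constructed here to mimic the capture's format (START_STATE/STOP_STATE framing, NAME= on the file header) and are not the real pcap data.

```python
import base64

# Constructed sample TXT-record payloads in the capture's format (not the real
# pcap): each record is base64 of "<TYPE>:<payload>" with TYPE in NONE/EXEC/FILE.
SAMPLE_RECORDS = [base64.b64encode(r) for r in (
    b"NONE:",
    b"EXEC:iwconfig",
    b"EXEC:START_STATE",
    b'EXEC:wlan0 IEEE 802.11abgn ESSID:"DosisHome-Guest"',
    b"EXEC:STOP_STATE",
    b"FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg",
    b"FILE:\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",   # JPEG SOI + start of JFIF APP0
    b"FILE:\x01\x00\x00\x01\x00\x01\x00\x00",       # filler image bytes
    b"FILE:\xff\xd9",                               # JPEG EOI
    b"FILE:STOP_STATE",
)]

def decode_records(records):
    """Base64-decode each record and split it into (type, payload)."""
    out = []
    for rec in records:
        kind, _, payload = base64.b64decode(rec).partition(b":")
        out.append((kind.decode(), payload))
    return out

def exec_lines(records):
    """Return the command-channel output, dropping empty lines and framing."""
    return [p.decode(errors="replace") for k, p in decode_records(records)
            if k == "EXEC" and p and p not in (b"START_STATE", b"STOP_STATE")]

def carve_file(records):
    """Join the FILE chunks (the 'FILE:' prefix is already stripped by partition)
    and carve the JPEG between its SOI marker FF D8 and EOI marker FF D9."""
    name, chunks = None, []
    for kind, payload in decode_records(records):
        if kind != "FILE":
            continue
        if payload.startswith(b"START_STATE,NAME="):
            name = payload.split(b"NAME=", 1)[1].decode()
        elif payload == b"STOP_STATE":
            break
        else:
            chunks.append(payload)
    blob = b"".join(chunks)
    start, end = blob.find(b"\xff\xd8"), blob.rfind(b"\xff\xd9")
    if start < 0 or end < start:
        return name, b""          # no complete JPEG in the stream
    return name, blob[start:end + 2]
```

Writing the returned bytes to a file with a .jpg extension gives the carved image without the manual find-and-replace step.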


Firmware Analysis

I used binwalk to extract files from the firmware dump. The first thing that I did was to use "strings <filename> | less" to see what strings were in the file. I found a string that said "squashfs". I used my favorite search engine to find out what that was and how to mount it. Turns out that there is a file system called Squashfs. I installed squashfs-tools on Linux and used "unsquashfs <nameoffile>" to unsquash the file system.
I studied the etc folder because that usually contains items of interest. I found the mongodb path. I found the O/S in the /etc directory. It is OpenWRT.
I found the first super gnome IP address in /etc/hosts.
I explored the other folders as well.

To find the password, I browsed to the /opt/mongodb directory and used Bless Hex Editor to look at the gnome.0 file. Then I searched for the text “password” and found the password. It is SittingOnAShelf.
I found the web framework in /www/node_modules. It is Express.
I found a hidden file in the root directory using ls -a. It was .monit.id.
I found the vulnerable node.js scripts for the super gnomes in /www/routes/index.js.


Finding the IP Addresses of the Rest of the Gnomes

I used Shodan and searched for the first IP. Then I realized that I could search for the phrase "GIYH::SuperGnome by Atnascorp" to find the rest of the super gnomes. I talked to Tom Hessman in Holiday Hack Quest to make certain that the IP addresses were in scope.

