Sunday, January 10, 2016

SANS ICS Cyber Security Challenge Write-Up-Part 7

402 – Malicious Traffic Analysis
Objectives 
  • Demonstrate Skills Related to Analyzing and Detecting Malicious Network Traffic.

Background: This challenge will use the traffic capture identified as “Challenge Traffic Capture 2.pcap”. It is important to be able to identify and analyze malicious communications in an ICS. This challenge will test those skills as well as the creation of IDS rules. 

Questions
  1. What two ICS Protocols are in this traffic capture?
  2. How many control system related clients are there and what are their IP addresses?
  3. What malicious activity is occurring in the traffic?
  4. What malicious script is found in the traffic?
  5. What specific actions is the script performing?
  6. What impact could this have on the ICS and why?
  7. Create a Snort IDS Signature that would detect on the malicious activity or capability without generating many false positives. Supplying the text or a screenshot of the signature is sufficient.
Answers
  1. Modbus, DNP3
  2. There are 3 ICS related clients.  The masters, including the IP of malicious intent, are:  10.25.22.101, 10.25.22.103, 10.25.22.105.
  3. I uploaded it to Virus Total because it has snort rules.  Note:  It could have false positives.  Here is what was found:
PROTOCOL-ICMP unassigned type 1 undefined code (Misc activity) [459]
OS-WINDOWS Microsoft Windows SMB unicode invalid server name share access (Generic Protocol Command Decode) [16400]
PROTOCOL-SCADA Modbus read coils from external source (Generic Protocol Command Decode) [17788]
INDICATOR-SHELLCODE ssh CRC32 overflow filler (Executable code was detected) [1325]
PROTOCOL-SCADA Modbus read discrete inputs from external source (Generic Protocol Command Decode) [17787]
PROTOCOL-SCADA Modbus write single coil from external source (Generic Protocol Command Decode) [17784]
FILE-IDENTIFY Microsoft Windows Address Book file magic detected (Misc activity) [9639]
OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt (Generic Protocol Command Decode) [3000]
DELETED NETBIOS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [20541]
FILE-EXECUTABLE Portable Executable binary file magic detected (Potential Corporate Privacy Violation) [15306]
(spp_modbus): Length in Modbus MBAP header does not match the length needed for the given Modbus function. (Generic Protocol Command Decode) [1]
SERVER-SAMBA Samba wildcard filename matching denial of service attempt (Attempted Denial of Service) [15581]
FILE-EXECUTABLE Microsoft Windows executable file load from SMB share attempt (Potential Corporate Privacy Violation) [17210]
INDICATOR-SCAN UPnP service discover attempt (Detection of a Network Scan) [1917]
PROTOCOL-ICMP Destination Unreachable Port Unreachable (Misc activity) [402]
OS-WINDOWS Microsoft Windows Address Book wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [18206]
DELETED NETBIOS SMB named pipe bruteforce attempt (Attempted Information Leak) [26322]
PROTOCOL-SNMP public access udp (Attempted Information Leak) [1411]
DELETED OS-WINDOWS Microsoft Windows wab32res.dll dll-load exploit attempt (Attempted User Privilege Gain) [21633]
(spp_dnp3): DNP3 Link-Layer Frame was dropped. (Generic Protocol Command Decode) [2]
PROTOCOL-ICMP IPv6 multicast neighbor add attempt (Misc activity) [24303]
PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt (Detection of a Denial of Service Attack) [27611]
DELETED BAD TRAFFIC Non-Standard IP protocol (Detection of a non-standard protocol or event) [1620]
INDICATOR-SCAN UPnP WANIPConnection (Detection of a Network Scan) [28003]
INDICATOR-SCAN UPnP WANPPPConnection (Detection of a Network Scan) [28002]
DELETED WEB-IIS header field buffer overflow attempt (Web Application Attack) [1768]
OS-WINDOWS Microsoft Windows UPnP malformed advertisement (Misc Attack) [1384]
DELETED NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt (Detection of a Denial of Service Attack) [2102]
PROTOCOL-SNMP request udp (Attempted Information Leak) [1417]  

4.  
:loop
mbtget.pl -w5 1 -a 1 10.25.22.3
mbtget.pl -w5 1 -a 2 10.25.22.5
mbtget.pl -w5 1 -a 3 10.25.22.6
mbtget.pl -w5 1 -a 4 10.25.22.8
mbtget.pl -w5 1 -a 5 10.25.22.25
GOTO loop

5.  It’s writing the word value 1 at addresses 10.25.22.3, 10.25.22.5, 10.25.22.6, 10.25.22.8, and 10.25.22.25.  It’s doing it in a loop, which means that it’s doing it more than once.

6.  It’s changing the value of a single coil on those ICSs, which means that whatever switches those particular ICSs are controlling can turn on.  So, for instance, if it was controlling flood gates, this may cause flood gates to open and flood an area, which would be bad.  I’m also wondering if it’s in a loop because it’s causing a denial of service?  If the ICSs are busy processing those queries, that means that they may not be processing anything else?

7.  __________________________________

Walkthrough (Show How You Got Your Answers)

https://github.com/sourceperl/mbtget

1 and 3)  I uploaded this pcap to Virus Total.  I’m not well versed in analyzing traffic, so I thought that I could use a tool to help me.  Virus Total has snort rules.  I realize that some of the answers could be false positives, and that the rules are only as good as the people who wrote them, but I think that most of the information is true.  For answer 1, it showed a DNP3 frame dropped.  I checked the traffic, and 10.25.22.105 was using port 20000 which is the DNP3 port.

2)  I assume that the client is the master, because that’s the one doing the querying, but considering that I haven’t taken a course on ICSs, I thought that I could try to get partial credit for providing the information that I feel that I’m familiar with.  The slaves are:  10.25.22.3, 10.25.22.5, 10.25.22.6, and 10.25.22.8.

4)  10.25.22.105 was looking a bit suspicious, with all of it’s port activity, so I looked up that particular IP address, followed the TCP traffic, and found the script. *I created a screen filter in Wireshark to show only that IP Address*

5 and 6)  I looked mbtget.pl online to find out what it is and what it does.


7)  I’m not sure how to write Snort rules.  I wish that I had more time.  I will look it up.

1 comment:

  1. Nice blog... This blog provide complete information and importance of ICS cyber security. Thanks for sharing

    ReplyDelete