Thursday, October 27, 2016

SANS Cyber Defense Challenge-Day 3 Solution

I used John The Ripper and Security Onion's tool bro to answer these questions.

Crack is Whack - (10 pts)
You are a newly-hired security engineer at KVWN (channel 4), San Diego. You are tasked with securing the enterprise, beginning with auditing existing password security.

Inspect the following:

---

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
btamland:1006:aad3b435b51404eeaad3b435b51404ee:1745892e12bc8aaab1b81a927600d67a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ckind:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
eharken:1007:aad3b435b51404eeaad3b435b51404ee:0e8b0d78cada2f22e733d1b6e6021da2:::
vcorningstone:1001:aad3b435b51404eeaad3b435b51404ee:af1d0a042ecee784095d368b7f831168:::
meterpreter > 

---

What is vcorningstone's password?

You copy/paste vcorningstone's line into a text editor and save it as vcorningstone on a Linux machine with John the Ripper.  You tell john the hash format (the second hash in a hashdump line is the NT hash).  Then you simply let john do its job.

john ./vcorningstone --format=NT

sekrit

Crack me Up - (10 pts)
Inspect the following:

---

mysql> select user,password from mysql.user;
+------------------+-------------------------------------------+
| user | password |
+------------------+-------------------------------------------+
| root | *2CAB1C0BB01BDEE1CFB157535AE9E788C3A966D3 |
| debian-sys-maint | *992B89066D80745163BF9828B1CBE9F7F2ECD1AE |
| drupal7 | *2CAB1C0BB01BDEE1CFB157535AE9E788C3A966D3 |
| ronburgundy | *599075AEF85B14C3CFAFCBCA3CEE1715AABD56DE |
+------------------+-------------------------------------------+
4 rows in set (0.00 sec)

---

What is ronburgundy's password?

This one is a little weird because you have to know how John The Ripper takes input.  You have to remove everything except the MySQL 4.1+ SHA1 hash/hashes that you want (the 40 hex characters after the '*'), one per line.  That way John The Ripper can detect the hashes as MySQL 4.1+ hashes.  This one is anchorman.

john ./passwordlist3.txt --wordlist=wordlist.txt


You have answered this question correctly. Points earned: 10 
Your total score from this question is: 10

Jimmy Crack Corn - (15 pts)
Inspect the following:

---

ckind:$6$/lDBMLNZ$pdajNb.NySSswRSmDE2FXw2WCYFnjjAcNI7sCbZ/8Tyx00lPpGUp4egCsHXqDX11Yunn5KYTzYmpnFQFNj5Wd0:17091:0:99999:7:::
btamland:$6$WsSuXR2A$GQ1kj1F4hV7FACaUEjLxNorYrTily1LOqOl6MgaJzVIMRLVkKrdMLyAjzRSk/LGEyGbIt8DN0nhuN56UOLRfq/:17091:0:99999:7:::
vcorningstone:$6$Q3NQpOeX$4GJa7DyFOsaq4WxrM/2urOHHm4fgMqeVrr1ieVM2p6SVGKmZmMxVbRMMWEq2.ut4dx71XRArYNagsky4AfK43/:17091:0:99999:7:::
eharken:$6$Q0bL6Gy3$/RLMMwsj5vlOxyI2OnVd1IOsP6nFKROonJbUw4TOdvw5OLC94C1vWMqLQ2d0wDUXYsP603Pi4V7vOTp658tEg1:17091:0:99999:7:::

---

A colleague has run CeWL (Custom Word List generator) against the KVWN website, providing this custom wordlist: https://sanschallenge.org/files/sd2016-wordlist.txt

What is btamland's password?

This one is a SHA-512 crypt hash; you can tell because the $6$ prefix identifies the hash type.  You're given a word list, so you have to use it to crack this one.

john ./passwordlist2.txt --wordlist=wordlist.lst --rules

The --rules option adds word-mangling rules (case changes, appended digits and symbols, and so on).  Read the John The Ripper documentation for more information.

heinie!

You have answered this question correctly. Points earned: 15 
Your total score from this question is: 15

Bro - (10 pts)
The next series of questions are based on Bro logs. 

Download https://sanschallenge.org/files/bro.zip and uncompress it.

The 'bro-cut' command will be quite handy.

Bro may be installed on a Debian-style Linux system (including Kali) by typing:

$ sudo apt-get install bro-aux

These questions may be answered without Bro, by simply analyzing with Unix/Linux text-based tools such as grep, sed, etc. Bro will make the challenges easier, for example:

$ cat dns.log | bro-cut query 

More information on Bro is available at: https://www.bro.org/

----

Inspect dns.log


What is the most common DNS name successfully resolved via UDP port 53? Respond with the full name, for example: 'www.google.com' without the quotes.

With DNS, it is usually UDP 53, so you didn't have to add the protocol to this query.  If you look at the logs, they have a #fields header at the top that lets bro-cut find the columns you want by name.  So you just cat the log, which prints it to the screen, then ask bro-cut to pull out the columns you want, then sort it, collapse the duplicate queries and count them with uniq -c, then sort by the number of occurrences (-n for numeric, -r for reverse, i.e. biggest first).  Then you grab the first 10 entries in the file.  Now, I didn't filter out the non-valid entries.  I just looked at the first 10 entries for the most common DNS query with an rcode of 0, which means it successfully resolved.  My query was something like this:

cat dns.log | bro-cut query rcode | sort | uniq -c | sort -r -n > file
head -n 10 file

proxim.ircgalaxy.pl

Longest DNS Query - (5 pts)
How long is the longest DNS query in dns.log? 

For example, this DNS query is 17 bytes long:

sanschallenge.org

cat dns.log | bro-cut query | awk '{ print length; }' > file
sort -n file > file2

Then I just picked the one with the longest query (the last line of file2).


Longest User Agent - (10 pts)
How long is the longest user agent in http.log? 

You don't have to know the name.  You just need how long it is.  So, I did something like this (sort -u collapses duplicate user agents, awk prints the length of each one, and the longest ends up at the bottom):

cat http.log | bro-cut user_agent | sort -u | awk '{ print length; }' | sort -n


Shortest user_agent - (10 pts)

What is the shortest non-blank user_agent in http.log? Ignore blank user agents (such as '-').

Hint: it is comprised of capital letters only. For example: 'FOO' without the quotes.

There is probably a lot better way to do this.  I did this (drop the blank '-' agents, print each unique user agent with its length in front, sort by that length, and read off the shortest):

cat http.log | bro-cut user_agent | grep -v '^-$' | sort -u | awk '{ print length, $0 }' | sort -n > file
head -n 20 file

IE

Longest duration - (15 pts)

What socket pair has the longest duration in conn.log?

Answer in the following format: srcip[colon]srcport[space]dstip[colon]dstport

For example, if the source IP 10.10.10.10 from port 12345 sent traffic to 8.8.8.8 on port 80, your answer (without the quotes) would be: '10.10.10.10:1234 8.8.8.8:80'

cat conn.log | bro-cut duration id.orig_h id.orig_p id.resp_h id.resp_p | sort -n > file2
tail -n 10 file2

The longest one was at the bottom: 168.131.48.242:1076 143.215.15.145:80

Inspect conn.log

How many TCP sessions had a duration longer than 24 hours?

The duration was expressed in seconds (with a fractional part), so I divided each duration by 60, then divided by 60 again to get how many hours each connection was active.  If it was greater than 24, I printed it.

9
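The two conn.log questions above (longest socket pair, and sessions over 24 hours) done without bro-cut, as an added example that is not part of the original post. The conn.log excerpt is constructed for the example, not taken from the challenge's bro.zip; the awk reads the #fields header the way bro-cut does, so column numbers are never hard-coded, and unset durations ("-") are skipped instead of being counted as 0.

```shell
#!/bin/sh
# Constructed Bro conn.log excerpt (NOT the challenge data). Columns are written
# space-separated for readability and converted to the tab separator Bro uses.
sample_conn_log() {
  tr ' ' '\t' <<'EOF'
#separator \x09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
#types time string addr port addr port enum string interval
1477526400.1 CAAAA1 10.0.0.5 49152 192.0.2.10 80 tcp http 3.2
1477526401.2 CAAAA2 10.0.0.5 49153 192.0.2.20 443 tcp ssl 90000.123
1477526402.3 CAAAA3 10.0.0.6 5353 192.0.2.30 53 udp dns 100000.0
1477526403.4 CAAAA4 10.0.0.7 49154 192.0.2.40 22 tcp ssh -
1477526404.5 CAAAA5 10.0.0.8 1076 192.0.2.50 80 tcp http 120000.5
1477526405.6 CAAAA6 10.0.0.9 49155 192.0.2.60 25 tcp smtp 86400.0
#close 2016-10-27-12-00-00
EOF
}

# Shared awk prologue: map each name in the #fields header to its column number
# (what bro-cut does internally) and skip every other '#' metadata line.
BRO_HEADER='
  /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
  /^#/       { next }
'

# Count tcp records whose duration (seconds) exceeds 24 hours = 86400 s.
count_long_tcp_sessions() {
  awk -F'\t' -v threshold=86400 "$BRO_HEADER"'
    $(col["proto"]) == "tcp" && $(col["duration"]) != "-" &&
      $(col["duration"]) + 0 > threshold { n++ }
    END { print n + 0 }
  ' "$1"
}

# Print the longest-lived socket pair as srcip:srcport dstip:dstport.
longest_session() {
  awk -F'\t' "$BRO_HEADER"'
    $(col["duration"]) != "-" && $(col["duration"]) + 0 > max {
      max  = $(col["duration"]) + 0
      pair = $(col["id.orig_h"]) ":" $(col["id.orig_p"]) " " $(col["id.resp_h"]) ":" $(col["id.resp_p"])
    }
    END { print pair }
  ' "$1"
}

log=$(mktemp); sample_conn_log > "$log"
count_long_tcp_sessions "$log"   # 2 (the udp record and the exactly-24h one do not count)
longest_session "$log"           # 10.0.0.8:1076 192.0.2.50:80
rm -f "$log"
```

Point the two functions at the real conn.log from bro.zip instead of the sample to reproduce the answers above.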
