Objective 12: Filter Out Poisoned Sources of Weather Data
Use the data supplied in the Zeek Json logs to identify the IP addresses of attackers poisoning Santa’s Flight Mapping Software. The hints are given by Wunorse Openslae, who is in the Sleigh Room. The link for the zeek logs is this: https://downloads.elfu.org/http.log.gz. The link for the Flight Mapping Software is: https://srf.elfu.org/. The links for the hints are: https://pen-testing.sans.org/blog/2019/12/03/parsing-zeek-json-logs-with-jq-2 and https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS), https://en.wikipedia.org/wiki/Shellshock_(software_bug), and https://www.owasp.org/index.php/SQL_Injection.
I couldn’t get the syntax to work that was given in the SANS Pen Testing Blog, so I did this: cat http.log | jq .[]| grep host. It's not the prettiest, but it works.
To be honest, I didn't consult the links. I've done these challenges for 5 years now. Also, in my day job, I look at logs, so I see plenty of attacks. At first, I did long tail analysis. What that means is that I searched for the outliers in the hosts, uris, username, and user_agent fields. cat http.log | jq .[] | grep host | sort | uniq | sort -nr. There was one misspelled host that looked suspicious that was related to some attacks. ssrf.elfu.org. There were many user agents that were misspelled or had other typos, but keep in mind that some of these were related to scans - like the kind used in Nessus scans, so they weren't necessarily bad traffic. So, obviously, long tail analysis did not find all the bad traffic, but it was still helpful. I had to look a little further than just the outliers. I thought I'd found the 100 IPs that I needed.
After finding all the IPs I thought were malicious, I tried to login to
srf.elu.org, but I didn't have the credentials. Then I remembered the document that I decrypted in Objective 10- the credentials were mentioned in the Sleigh Router Finder document. It
said that the credentials were in the readme on the laboratory's
git repository. Also, Kent Tinseltooth said that it was running on default creds in
the IP Tables Terminal. Having read many a Gihub page, I remembered
that there is usually a README.md file. I also saw this in the traffic
in the zeek logs with the attacker IPs. So, I navigated to
srf.elfu.org/README.md, got the creds, and used them to login. Unfortunately, the 100 IPs that I'd gotten were not correct. So, I tried a different tactic.
After finding ~62 known bad IPs because they were trying LFI, SQLi, XSS, and Shell Shock, I used those to pivot based on the user agent that they were using. This was tricky. Some of the user agents were the same as the attacker's user agents, but they weren’t bad IPs, so I had to distinguish the bad traffic from the good. I found a pattern. Most of the attacks only used 1-2 IPs per user agent. Any more than that, and it was probably ok traffic.
Then, I gave the firewall a comma-separated list of the bad IDs and got a RID. I would've preferred to whitelist known good IPs instead of trying to blacklist the bad IPs, but the default 0.0.0.0/0.0.0.0 seems to always want to be Default Allow.
The RID seems to be the dates that Real Genius and Mary Poppins were released.
Really liked the end credits this year. Everybody wants to rule the world. :)
No comments:
Post a Comment