SANS Holiday Challenge 2013 Chronological Workbook Gebhard Zocher 2014-01-05 Page: 1 / 59

This document is my chronological workbook for solving the SANS Holiday Challenge 2013. It shows how I went through the challenge, with each step detailed and thoughts noted as they occurred. Viewed retrospectively, it may contain some wrong details or dead ends. The collection of evidence is laid out in detail here.

Content

1. Resources / References .. 3
   Web Sites .. 3
   Tools .. 3
2. Preparation .. 3
3. First Steps .. 3
   Glance Through the PCAP .. 3
   Get Quick Wins .. 4
   Get Network PDF .. 4
   Analyze Portal Login (#3455) .. 5
   Big Traffic between and .. 5
   RST for Connections from / to .. 7
4. Detailed Analysis .. 8
   MAC addresses .. 8
   Web Server .. 9
   Other IP Addresses .. 9
   Analyze POP Traffic for Server .. 11
   Downloaded File ( ) .. 12
   MAC Addresses .. 13
   Traffic .. 14
   Traffic .. 14
   Traffic .. 14
   Traffic .. 14
   Traffic .. 14
   Traffic .. 15
   Traffic .. 15
   Other Traffic (Internet) .. 16
   Download of modscan .. 16
   Download modbus .. 16
   Get File .. 17
   Update Network Chart .. 18
5. Chronological Analyses .. 19
   Walk through the PCAP .. 19
   Data Connections between PLC and Traffic Lights (Summary) .. 20
   Further Traffic in Segment .. 21
   Further down the PCAP: Web App waterqual .. 22
   Further Analysis: Traffic in .. 33
   Attacker .252 accesses Web Server on .. 34
   Attacker .252 accesses Web Server on .. 35
   Web Browsing from .253 and related .. 37
   Connections to Train Mgm Workstation .. 38
   Other Traffic .. 42
   Windows Traffic from .253 to .58 .. 42
   VNC Traffic .. 44
   Further Traffic .. 47
   Other Traffic .. 48
   Bringing back Webcam Traffic .. 49
6. Browser Finger Printing .. 56
   .. 56
   .. 56
   .. 56
   .. 56
   .. 57
7. Indicators for Attacker .. 58
8. Questions .. 58
   Unsuccessful Attacks .. 58
   Defenses in Place .. 58
   Damage .. 58
   Suggested Defenses .. 58
9. Suggestions .. 59

1. Resources / References

Web Sites
- others for research

Tools
- Wireshark
- REMnux
- MS Office

2. Preparation
- install / update Wireshark
- configure Wireshark ("Delta" column, see )
- get PCAP: MD5: b5915c7deec04d020188760766624aad

3. First Steps

Glance Through the PCAP
- ignore the challenge questions for now; we want to get familiar with the PCAP and get some quick wins
- open PCAP in Wireshark
- sort by delta time, go to the bottom (biggest delta time)
- scroll up and look for interesting packets (up to delta > ):
  o #16 seems to contain a network map PDF
  o #3455 seems to contain a login to a portal of a Siemens box
  o #13712 and up: seems to be used by 00:0c:29:4e:85:2a and 00:0f:73:03:82:d1
  o #513: RST packet from web server ( ) to client ( )
  o #21691 seems to be a continuation of big traffic from web server ( ) to client ( )
  o #16684: RST packet from web server ( ) to client ( )

Get Quick Wins

Get Network PDF
- filter: == 16
- client: , server:
- follow TCP stream
- save entire conversation as " "
- open in hex editor, search for "% "
- delete everything before and save
- save MD5 hash of PDF:
Dc3260c0491f727626826c37fc0394dc
- open in PDF viewer (Acrobat Reader is not preferred .. ;-) )
- "Bedford Falls Traffic System Network Map" - NICE!

Analyze Portal Login (#3455)
- filter: == 3455
- follow TCP stream
- nothing useful in here as of now

Big Traffic between and
- filter: == or ==
- no real start found
- follow TCP stream:
  --myboundary
  Content-Type: image/jpeg
  Content-Length: 68757
- save as " "
- refresh memory regarding the JPG format ( / wikipedia):
  o HTTP header ends: 0d 0a 0d 0a
  o JPEG starts: ff d8 dd e0
  o JPEG ends: ff d9
- open " " in hex editor
- delete everything before ff d8 dd e0
- delete everything after byte 68757 (last bytes of the JPEG: ff d9)
- save as "10-16-92-103 part "
- hmmm - seems to be a web cam stream ..

OK, let's get another image from the stream:
- open " " again in hex editor
- go to byte 90342191
- delete everything before
- search for ff d9
- delete everything below
- save as "10-16-92-103 part "

Let's bulk extract the pictures from the webcam stream:
- save the webcam stream to a new PCAP: "sansholidayhack2013 webcam " / 34547ba81bd98914caa7188d9f20d91b
- use tcpxtract in REMnux to extract the pictures:
  tcpxtract --file ./sansholidayhack2013\ webcam\ 
- viewed in gallery mode, some pictures seem indeed interesting
- import all pictures into Windows Movie Maker and create a movie "webcam "
- play movie:
  o train is moving, lights are on, everything looks normal
  o someone is remotely using the notebook in the foreground (one can see menus being opened and windows being moved)
  o a command prompt is opened (picture quality is too bad to read what is typed)
  o the generator power is turned off, all lights go out, the train stops
  o a text editor is opened, and "Merry Christmas, George Bailey. You Lose!" is typed in huge letters

OK, let's make the working PCAP smaller (this TCP stream contains 142285 frames):
- open original PCAP
- filter: not ( == 453)
- there should be 170574 - 142285 = 28289 frames left
- export specified packets (displayed only) as "sansholidayhack2013 "
- close, then open "sansholidayhack2013 "
- MD5 hash of filtered PCAP: 4a54b098287dbe85433a236385745adf
- all frame numbers below this line and the ones in the XLS refer to this filtered PCAP

RST for Connections from / to
- filter: ==
- is hosted at GoDaddy ( )
- requests seem to be OCSP (Online Certificate Status Protocol) lookups
- working hypothesis: can be ignored

4. Detailed Analysis

MAC addresses
- we already know about a supposedly spoofed MAC address (see quick wins), so let's line out which MAC addresses we find for every IP address in the stream, starting from the systems we already know
- filter: == <IP Address>
- find the / a respective MAC address
- filter: == <IP Address> && !( == <MAC Address>)
- look for other MAC addresses and extend the filter with "&& !( == <MAC Address n>)"
- repeat for every IP address
- resulting network chart:

Web Server
- this is the web server where we found the network map; perhaps something else useful is there?
- filter: ==
- stream #1: the download of the network map
- packet #19150 / 19151: ping from to
- nothing useful

Other IP Addresses
- let's look for other IP addresses not seen so far
- statistics -> endpoints (see "Endpoints" in )
- statistics -> conversation list -> IPv4 (see "IPv4 Conversations" in )
- interesting in the first place are only IP addresses; filtering out the ones we already know, we get the following list of unknown systems:
  o o o o o o o o o o o o o o o o o o o
- for each of these IP addresses:
  o filter for the IP address ( == <IP Address>)
  o have a look at the traffic, and guess the role of the system
  o have a look whether different MAC addresses can be found (&& !( == <MAC Address>))

IP Address | MAC Address(es) | supposed purpose
 | e0:2f:6d:35:ab:20, e0:2f:6d:35:ab:41 | router; communicates with and (d/l :8081, [1]); mostly http traffic; to be done: analyze MAC addresses [2]
 | e0:2f:6d:35:ab:41 | seems to be mail server (POP); communicates with
 | 00:0c:29:f7:f4:9a | mostly ICMP traffic; pings this host and does a light port scan for typical control system ports [3] (filter: ( == ) && ( == 0x0014); ports: 80/TCP, 102/TCP, 443/TCP, 502/TCP, 1089/TCP, 1090/TCP, 1091/TCP, 4000/TCP, 4848/TCP, 20000/TCP, 34962/TCP, 34963/TCP, 34964/TCP, 44818/TCP), see
 | e0:2f:6d:35:ab:41, 00:0c:29:f7:f4:9a | does a port scan on [1,10,22-24] for typical control system ports [4] (filter: == && ( == 0x0014); ports: 80/TCP, 102/TCP, 443/TCP, 502/TCP, 1089/TCP, 1090/TCP, 1091/TCP, 4000/TCP, 4848/TCP, 20000/TCP, 34962/TCP, 34963/TCP, 34964/TCP, 44818/TCP); more interesting traffic; to be investigated
 | 00:50:56:b2:0f:d9 | ; web server (Water Monitoring & Alarm System)
 | 00:a0:45:6f:c9:ee | only pinged by
 | d4:be:d9:6c:8a:42 | only pinged by
 | 00:00:bc:d0:34:3e | suspicious traffic, to be investigated [5]
 | 00:1d:9c:a8:3a:08 | only pinged by
 | 00:0f:73:03:82:d1 | traffic light web server; suspicious traffic, to be investigated [6]
 | 00:1c:06:0d:3d:3f | ICMP / web traffic with (MAC: 00:0c:29:de:4f:d9)
 | 00:a0:45:37:43:74 | only pinged by
 | 00:a0:45:69:aa:55 | only pinged by
 | 00:d0:7c:04:6e:98 | web server; suspicious traffic, to be investigated [7]
 | 00:0c:29:01:40:92 | Windows/Samba system; VNC traffic; suspicious traffic, to be investigated [8]
 | 00:a0:45:6c:bc:0e | only pinged by
 | 00:0c:29:4e:85:2a | client, accesses web servers; interesting: accessing looking for default user name / password; suspicious traffic, to be investigated [9]
 | e0:2f:6d:35:ab:41 | ICMP destination unreachable / fragmentation needed message to (original packet: from :1753 to :443 (Google)); may be a router (MAC suggests Cisco)
 | n/a | broadcast

Analyze POP Traffic for Server
- filter: ==
- found user and password for POP account: dsawyer / Fashionista
- packets #: 3372 / 3375 and 17473 / 17476
- found mail in #3382:

  From  Fri Dec 06 10:53:05 2013 -0500
  Delivered-To:
  Return-Path:
  From: George Bailey
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: quoted-printable
  Subject: Configuration Change Reqeust
  Message-Id:
  Date: Fri, 6 Dec 2013 10:53:05 -0500
  To: Don Sawyer
  Mime-Version: (Mac OS X Mail \(1822\))
  X-Mailer: Apple Mail ( )

  Don,
  I'm running around trying to take care of a bunch of tasks today. Can you monitor the Simatic S7-1200 PLC while I am out today? Just click the link below and keep the window open; if the controller shows "red", then let me know.
  :3000
  Thanks,
  ~Goerge

- found mail in #17482:

  From  Fri Dec 24 19:22:11 2013 -0400
  Delivered-To:
  Return-Path:
  From: George Bailey
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: quoted-printable
  Subject: Configuration Change Reqeust
  Message-Id:
  Date: Fri, 24 Dec 2013 19:24:15 -0400
  To: Don Sawyer
  Mime-Version: (Mac OS X Mail \(1822\))
  X-Mailer: Apple Mail ( )

  Don,
  A significant vulnerability in the Allen Bradley controller we are testing was just disclosed. I was able to grab the firmware update. Can you run this patch executable from the control host? The release notes say it will run silently to completion.
  :8081
  Thanks,
  ~George

Downloaded File ( )
- see [1]: download of :8081 by
- filter: == and ==
- frame #17505: follow TCP stream (#389)
- save as " "
- open in hex editor, search for the 2nd occurrence of 0d 0a 0d 0a
- delete everything before 4d 5a
- save
- MD5 hash: b9d10800d4e77984c4903aa002cebeab
- suspicious domain, analyze IP resolution
- remove filter, go to frame 17502
- interesting: just before the download of the file, the same host accessed the mails and read the patch mail (frame #17482)
- no IP resolution for found; working hypothesis: is a proxy
- working hypothesis: is evil

analysis by pescanner:
  ########################################
  Record 0
  ########################################

  Meta-data
  ========================================
  File:
  Size: 68070 bytes
  Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  MD5: b9d10800d4e77984c4903aa002cebeab
  SHA1: e013f18a3e2fc28fc0b7ef49c7e56a8a91cdb40d
  ssdeep: 1536:IJQR/wCohOmLkjvqo/jxvI2mHH6Z31 XMb+KR0Nc8 QsJq8W:Uu1oAmLcBS239e0Nc8 Qso
  Date: 0x4A7D546F [Sat Aug 8 10:33:19 2009 UTC]
  EP: 0x404312 .text 0/4
  CRC: Claimed: 0x0, Actual: 0x1ae5a [SUSPICIOUS]

  Sections
  ========================================
  Name   VirtAddr  VirtSize  RawSize  Entropy
  ----------------------------------------
  .text  0x1000    0xa966    0xb000
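The hex-editor carving done above for the network map PDF ("Get Network PDF"), the webcam JPEG frames ("Big Traffic") and the patch executable ("Downloaded File") can be automated; this is an added example, not code from the workbook, that walks a saved "Follow TCP Stream" dump, takes the body behind each 0d 0a 0d 0a header block, prefers the declared Content-Length and falls back to the format's end marker, and checks the trailer (ff d9 for JPEG, %%EOF for PDF, the PE signature behind the MZ header) before reporting the MD5. It matches a JPEG on ff d8 ff (SOI plus the next marker); the sample stream is constructed, not challenge data.

```python
import hashlib
import re

HDR_END = b"\r\n\r\n"
# (magic at body start, kind, regex for the end marker, trailer check on the carved bytes)
SIGS = [
    (b"%PDF", "pdf", rb"%%EOF\r?\n?", lambda d: b"%%EOF" in d[-64:]),
    (b"\xff\xd8\xff", "jpeg", rb"\xff\xd9", lambda d: d.endswith(b"\xff\xd9")),
    (b"MZ", "pe", None, lambda d: len(d) > 0x40
     and d[int.from_bytes(d[0x3c:0x40], "little"):][:4] == b"PE\x00\x00"),
]

def carve(stream):
    """Return [(kind, offset, md5, trailer_ok, data)] for each known file that starts right after a header block."""
    found, cursor = [], 0
    while (hdr_end := stream.find(HDR_END, cursor)) >= 0:
        body = hdr_end + len(HDR_END)
        length = re.search(rb"Content-Length:\s*(\d+)", stream[cursor:hdr_end], re.I)
        cursor = body
        for magic, kind, end_re, ok in SIGS:
            if not stream.startswith(magic, body):
                continue
            if length:                                   # best: the length the header declares
                end = body + int(length.group(1))
            elif end_re and (hit := re.compile(end_re).search(stream, body)):
                end = hit.end()                          # fallback: scan for the end marker
            else:
                end = len(stream)                        # last resort: rest of the stream
            data = stream[body:end]
            found.append((kind, body, hashlib.md5(data).hexdigest(), ok(data), data))
            cursor = end
            break
    return found

def build_sample_stream():
    """Constructed stand-in for a saved 'Follow TCP Stream' dump; not data from the challenge."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
    pe = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 8
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
            b"Content-Length: %d\r\n\r\n" % len(pdf) + pdf
            + b"\r\n--myboundary\r\nContent-Type: image/jpeg\r\n"
            b"Content-Length: %d\r\n\r\n" % len(jpeg) + jpeg
            + b"\r\n--myboundary\r\nContent-Type: image/jpeg\r\n\r\n" + jpeg   # part without length
            + b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(pe) + pe)

if __name__ == "__main__":
    for kind, off, md5, ok, data in carve(build_sample_stream()):
        print(f"{kind:5} at byte {off:6d}: {len(data):6d} bytes, md5 {md5}, trailer ok: {ok}")
```

Point it at a real dump with carve(open("stream.bin", "rb").read()); a frame whose trailer check fails was cut short or had a wrong Content-Length and needs a second look in the hex editor.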
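For the MAC-address check in "MAC addresses" and the control-system port sweeps noted in the table, the following added example (not the workbook's own code) works on per-packet summaries: it lists IPs that appear with more than one source MAC, and hosts that collected RST/ACK answers (flags 0x0014, as in the workbook's filter) from many of the control-system ports listed there. The packet list is constructed with documentation addresses (192.0.2.0/24) and the field names are this example's own.

```python
from collections import defaultdict

# the "typical control system ports" the workbook's filter looks for
ICS_PORTS = {80, 102, 443, 502, 1089, 1090, 1091, 4000, 4848,
             20000, 34962, 34963, 34964, 44818}
SYN, SYN_ACK, RST_ACK = 0x002, 0x012, 0x014   # tcp flag values; 0x014 is a closed port's answer

def pkt(src_ip, src_mac, src_port, dst_ip, dst_port, flags):
    """One packet summary; the field names are this example's own."""
    return dict(src_ip=src_ip, src_mac=src_mac, src_port=src_port,
                dst_ip=dst_ip, dst_port=dst_port, flags=flags)

def ip_mac_conflicts(pkts):
    """IPs that were sent from more than one MAC: a spoofed address or a second host using it."""
    macs = defaultdict(set)
    for p in pkts:
        macs[p["src_ip"]].add(p["src_mac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

def ics_port_scanners(pkts, min_ports=5):
    """Hosts that received RST/ACK from at least min_ports distinct (target, ICS port) pairs.
    The RST/ACK comes from the probed host, so its source port is the port that was probed."""
    closed = defaultdict(set)
    for p in pkts:
        if p["flags"] == RST_ACK and p["src_port"] in ICS_PORTS:
            closed[p["dst_ip"]].add((p["src_ip"], p["src_port"]))
    return {h: sorted(t) for h, t in closed.items() if len(t) >= min_ports}

def build_sample_packets():
    """Constructed traffic (documentation addresses); not taken from the challenge PCAP."""
    scanner, target, target_mac = "192.0.2.50", "192.0.2.10", "00:11:22:33:44:10"
    pkts = [pkt("192.0.2.7", "00:11:22:33:44:07", 51000, target, 80, SYN),   # ordinary web client
            pkt(target, target_mac, 80, "192.0.2.7", 51000, SYN_ACK)]
    for i, port in enumerate(sorted(ICS_PORTS)):
        mac = "00:11:22:33:44:50" if i % 2 else "de:ad:be:ef:00:01"          # scanner alternates MACs
        pkts.append(pkt(scanner, mac, 40000 + i, target, port, SYN))
        pkts.append(pkt(target, target_mac, port, scanner, 40000 + i,
                        SYN_ACK if port == 80 else RST_ACK))                   # only 80 is open
    return pkts

if __name__ == "__main__":
    sample = build_sample_packets()
    print("IPs seen with several MACs:", ip_mac_conflicts(sample))
    for host, probes in ics_port_scanners(sample).items():
        print(f"{host} swept {len(probes)} closed control-system ports on",
              sorted({t for t, _ in probes}))
```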