What is the IP address of the infected Windows client?
The IP address of the infected Windows client is 10.1.17.215
We know that this is the correct IP because we used the http filter to see which IP was interacting with the C2 server IP (5.252.153.241), which we already knew beforehand.
What is the mac address of the infected Windows client?
The MAC address of the infected Windows client is 00:d0:b7:26:4a:74. We found the MAC address with the arp filter.
What is the host name of the infected Windows client?
Using the nbns filter, which matches NetBIOS Name Service traffic, we were able to find the host name: DESKTOP-L8C5GSJ
What is the user account name from the infected Windows client?
The account name from the infected Windows client was found using the kerberos.CNameString filter. The username, shutchenson, was contained in the “CNameString” field; we had to expand the packet details to see it.
What is the likely domain name for the fake Google Authenticator page?
We found the likely domain name with the tls.handshake.extensions_server_name filter. The likely domain name is authenticatoor.org. We tried other filters such as dns and http, but those did not return any results. Once we used the TLS SNI filter above, we received a long list of domains the client was contacting. We simply scrolled down and looked for a domain related to Google Authenticator.
What are the IP addresses used for C2 servers for this infection?
We already knew one C2 IP address prior, 5.252.153.241.
The other C2 IP address we discovered through the filter tls.handshake.extensions_server_name. This gave us a list of packets where our infected client (10.1.17.215) was beginning the first phase of the TLS handshake with different hosts. All of the SNI values were domain names, except for one host (45.125.66.32). This stood out to me, so I looked up the IP address on VirusTotal.
Knowing that C2 channels often use small, frequent packets for beaconing, I used the filter tcp and frame.len < 128, since a packet under 128 bytes counts as small. I found our previously discovered C2 address with this filter and an additional one: 45.125.66.252
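As an added example, not part of the original write-up, the beaconing idea behind the frame-length filter above can be carried one step further: the constructed frame records below stand in for a tshark export of the capture, and the function keeps only small packets from the client and then checks, per destination, whether they arrive at regular intervals. The timestamps and the two benign hosts are made up; the client and C2 addresses are the ones named in this post.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of TCP frame records: (timestamp_s, src, dst, frame_len).
# Timestamps and the 203.0.113.9 / 198.51.100.7 hosts are invented for the demo.
CLIENT = "10.1.17.215"
SAMPLE_FRAMES = [
    # small packets to the known C2 roughly every 10 s
    (0.0, CLIENT, "5.252.153.241", 96), (10.1, CLIENT, "5.252.153.241", 96),
    (20.0, CLIENT, "5.252.153.241", 97), (30.2, CLIENT, "5.252.153.241", 96),
    (40.1, CLIENT, "5.252.153.241", 96),
    # small packets to the second C2 roughly every 5 s
    (1.0, CLIENT, "45.125.66.252", 80), (6.0, CLIENT, "45.125.66.252", 80),
    (11.1, CLIENT, "45.125.66.252", 81), (16.0, CLIENT, "45.125.66.252", 80),
    (21.0, CLIENT, "45.125.66.252", 80), (26.1, CLIENT, "45.125.66.252", 80),
    # a bursty bulk transfer: mostly full-size frames, one small ACK-sized one
    (2.0, CLIENT, "203.0.113.9", 1514), (2.01, CLIENT, "203.0.113.9", 1514),
    (2.02, CLIENT, "203.0.113.9", 1514), (2.03, CLIENT, "203.0.113.9", 60),
    # a single small packet is not a beacon
    (3.0, CLIENT, "198.51.100.7", 70),
]


def beacon_candidates(frames, client, max_len=128, min_count=4, max_jitter=0.2):
    """Apply the write-up's `frame.len < 128` idea, then require at least
    min_count small packets per destination with evenly spaced timestamps.
    Returns {dst_ip: (packet_count, mean_interval_s)}, most packets first."""
    times = defaultdict(list)
    for ts, src, dst, length in frames:
        if src == client and length < max_len:
            times[dst].append(ts)
    result = {}
    for dst, ts_list in times.items():
        if len(ts_list) < min_count:
            continue  # too few small packets to call it beaconing
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        # coefficient of variation of the gaps: low = regular, beacon-like
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_jitter:
            result[dst] = (len(ts_list), avg)
    return dict(sorted(result.items(), key=lambda kv: -kv[1][0]))


if __name__ == "__main__":
    for dst, (count, interval) in beacon_candidates(SAMPLE_FRAMES, CLIENT).items():
        print(f"{dst}: {count} small packets, mean interval {interval:.1f}s")
```

In a real investigation the records would come from `tshark -T fields` with the frame time, addresses and length, and the candidates would still need the VirusTotal-style lookup the post describes before being called C2.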
Initial Malicious File Download
Most malware files are downloaded using HTTP. So we used the filter, http.request.method == "GET", to try to find any evidence of a malicious file being downloaded and we found it at the top of our output.
We can see our infected client (10.1.17.215) sending a GET request to the C2 address (5.252.153.241) for the file “/api/file/get-file/264872”.