CIT 481: Cybersecurity Capstone
Assignment #9: Exploit Kits
Due November 13th in class
Name: ______
The objective of this assignment is to learn how to use network data to detect and respond to malware attacks. We will use PCAP tools like Wireshark, the snort IDS, and a few new tools: ClamAV, foremost, and justniffer. To install these tools, run the following commands on Security Onion:
# sudo apt-get update
# sudo apt-get install clamav foremost
# sudo freshclam
These commands will install the two tools and update the ClamAV signatures database. Justniffer is already installed on your VM.
ClamAV is a free anti-virus program that we can use to determine whether executables found in network traffic are malware or not. In addition to ClamAV, we can upload extracted files (or entire pcap files) to VirusTotal to evaluate files using dozens of anti-virus programs. Note that VirusTotal archives uploaded files, so the site should only be used with files that do not contain confidential or sensitive information. Uploading malware executables or example PCAPs from this assignment is fine. Packet captures from corporate networks typically need to have data removed or altered to avoid giving away confidential data and non-confidential but still sensitive data like IP addresses.
Justniffer is a command line network sniffer with a focus on HTTP. We will use justniffer's HTTP protocol analysis features to investigate HTTP traffic more easily than we can using Wireshark or tcpdump. Justniffer also comes with a script to extract files from HTTP traffic. This script has some advantages over using Wireshark's Export HTTP Objects feature. We will also examine the usability of foremost, a program designed to carve data files from disk images, for finding files in PCAP data.
1: Exploit Kit Analysis
Exploit kits are a toolkit for cybercriminals to exploit systems and install malware on them. Exploit kits are typically deployed on web servers and work as follows.
- Contact. The attacker uses social engineering to entice a user to click on a link to the server hosting the exploit kit. The first contact server may be owned by the criminal or it may be a legitimate web site compromised by the criminal.
- Redirect. The software component on the web server screens the user’s browser to see if it matches certain criteria desired by the criminal, such as being located in a certain country. Browsers that pass the screening are redirected to the exploit kit’s landing page.
- Exploit. The landing page examines information about the user’s browser and OS, starting with the browser’s User-Agent string, to determine which vulnerabilities are present that match exploits in the kit. If a match is found, the landing page sends an appropriate exploit to the victim’s browser.
- Infect. After successfully exploiting a vulnerability, the attacker now downloads and executes malware on the victim system.
If a user’s OS and browser have all currently available security patches, then it will be highly unlikely that an exploit kit can infect that user. Zero day exploits can infect fully patched systems but are highly valuable and used only on the most valuable targets. Criminals can purchase exploit kits for around $1000, while sale prices of zero day vulnerabilities start at $5000 and go up to $250,000. Fortunately for users of exploit kits, relatively few users have fully patched systems at all times.
The data for this section can be found in 2014-11-16-traffic-analysis-exercise.pcap. Load the data in Wireshark and start by identifying the participants, including the victim and the web servers hosting exploit kit components. Since most of the traffic is web-based, the display filter http.request in Wireshark can be useful in getting an overview of what is happening. When using this filter, I recommend adding the web server hostname as a column in the packet overview pane, by selecting the HTTP data from one packet, left clicking on the HTTP Host: header, then right clicking and selecting Apply as Column from the right-click menu.
Answer the following questions about the victim using Wireshark. Information about the victim PC can be found in DHCP and HTTP packets. When examining HTTP packets, user agent strings provide the most information about a client. Information about how to interpret user agent strings can be found at sites like or
- What is the IP address of the victim PC?
- What is the hostname of the victim PC? Check DHCP packets for this information.
- Which web browser is the victim using? Include version number.
- Which version of Windows is running on the victim PC? Note that it is often reported as Windows NT x.y. Translate that to a named Windows version like XP, 7, Vista, etc.
1.1: Exploit Kit Analysis with Justniffer
Use justniffer to analyze the HTTP traffic in the file with the command below. The -u option prints binary characters as periods, while the pipe to fgrep eliminates most binary-only data lines that describe non-HTTP flows. The -l option lets us specify which features of each HTTP flow to print. Use man justniffer to learn about all the possible data to print with this option. We print the web server hostname, the URL being accessed, and the HTTP response code. Remember that 2xx response codes indicate success, 3xx are redirects, and 4xx and 5xx are errors. See RFC 2616 for details on the meaning of individual response codes.
$ justniffer -u -l "%request.header.host %request.url %response.code" -f 2014-11-16-traffic-analysis-exercise.pcap | fgrep -v ... | less
/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2 200
/wp-content/plugins/sitemap/css/page-list.css?ver=4.2 200
/wp-content/themes/cini/js/functions.js 200
/ 200
/wp-content/themes/cini/style.css 200
HTTP requests are listed in the order they occurred. Add %request.timestamp to your -l option string if you want to know the time an HTTP flow occurred. Adding %source.ip to the -l option is useful in most situations, but this particular PCAP has data for only a single browser using HTTP, so the IP address is always that of the victim. As a result, the list of HTTP flows provided by Justniffer is an ordered list of the servers and URLs the victim contacted during their web browsing session.
Answer the following questions about the exploit kit using Wireshark and Justniffer:
- What is the IP address of the contact server?
- What is the domain name of the contact server?
- What web servers does the victim contact, in order? To answer this easily, you can eliminate everything from the justniffer -l string except "%request.header.host".
When looking at the list of web servers in your answer to question 7, the hostnames of three web servers appear many times, whereas a couple of web servers like appear only once. The servers that appear only once are most likely advertisements or trackers that are not part of the exploit kit. The web servers that are components of the exploit kit are the servers that appear multiple times. Based on this information, answer the following questions:
- What is the domain name of the EK’s redirect server?
- What is the domain name of the EK’s server that contains the exploit?
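The ordering and frequency analysis described above can be automated over the justniffer output. The following script is an added example, not part of the original assignment; the sample lines and the hostnames in them are constructed placeholders, not the servers in the lab pcap.

```python
import re
from collections import Counter

# Constructed sample of justniffer -u -l "%request.header.host %request.url %response.code"
# output. The last line imitates a binary-only (non-HTTP) flow printed as periods.
SAMPLE = """\
www.contact.example / 200
www.contact.example /wp-content/themes/cini/style.css 200
cdn.tracker.example /pixel.gif 200
www.redirect.example /count.php 200
www.redirect.example /go 301
landing.exploit.example /index.php?id=1 200
landing.exploit.example /exploit.jar 200
....................................
"""

# host, URL and a three-digit status code separated by whitespace
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")

def parse_flows(text):
    """Return (host, url, status) tuples; lines of periods do not match and are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows

def hosts_in_order(flows):
    """Distinct hostnames in first-contact order (the list asked for in question 7)."""
    seen = []
    for host, _, _ in flows:
        if host not in seen:
            seen.append(host)
    return seen

def classify_hosts(flows):
    """Hosts contacted repeatedly are EK component candidates; one-offs are likely ads or trackers."""
    counts = Counter(host for host, _, _ in flows)
    return {h: ("ek-candidate" if n >= 2 else "one-off") for h, n in counts.items()}

def redirects(flows):
    """Explicit HTTP redirects (3xx responses) with the host and URL that issued them."""
    return [(h, u, c) for h, u, c in flows if 300 <= c < 400]
```

Run it on real output by passing the text of `justniffer ... | fgrep -v ...` to parse_flows().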
Looking at the output of the original Justniffer command, there is only one HTTP redirect (as indicated by a 301 response code). How is the user's browser transferred from one component of the exploit kit to the next without HTTP redirects? Use the ngrep command in the form ngrep -I filename hostname, where hostname represents the name of one of the EK's components. The hostname of the redirect server must be found somewhere in the HTML, CSS, or JavaScript content of the contact page in order for the contact page to transfer control to the redirect server. Similarly, the hostname of the exploit server must be found somewhere in the content provided by the redirect server.
- What type of content is the URL of the redirect server found in?
- What is the IP address of the server that sends the redirect to the redirect server? Does this IP address match that of the contact server?
- What type of content is the URL of the exploit server found in?
- What is the IP address of the server that redirects the browser to the exploit server? Does this IP address match that of the redirect server?
1.2: File Carving from HTTP Traffic
File carving is the process of extracting and reassembling file data from raw disk images or captured network traffic. It is a key part of forensic analysis, which gives us the ability to retrieve files that would not otherwise be accessible. Most HTTP data is not saved to disk, and attackers often delete files to prevent investigation of their actions. However, if the network packets containing the file transfer of that file were captured, it is often possible to reconstruct the file. Note that files cannot be carved from encrypted network traffic without knowing and using the encryption key.
We have two options for carving files from HTTP traffic. The foremost command can carve files from either disk images or pcap files, regardless of the network protocol used. The script justniffer-grab-http-traffic that comes with justniffer can only carve files out of HTTP flows stored in a pcap file. However, justniffer-grab-http-traffic will typically find more files and make fewer errors (such as including non-file data in a file or merging two files) than foremost when working with HTTP traffic. While foremost organizes files in directories by file type, justniffer-grab-http-traffic organizes files by domain, which is often more useful when working with HTTP. Both tools are useful in different circumstances.
Let us use foremost first. It will store carved files from the captured packets into a directory named output. That directory will contain the file audit.txt that lists the files extracted and their sizes. Subdirectories of output are named after file formats and contain extracted files of those formats. In our example, we recover 12 files with foremost.
$ foremost -i 2014-11-16-traffic-analysis-exercise.pcap
$ ls -l output
total 20
-rw-r--r-- 1 student student 1334 Nov 3 12:49 audit.txt
drwxr-xr-- 2 student student 4096 Nov 3 12:49 gif
drwxr-xr-- 2 student student 4096 Nov 3 12:49 htm
drwxr-xr-- 2 student student 4096 Nov 3 12:49 jpg
drwxr-xr-- 2 student student 4096 Nov 3 12:49 zip
$ find output -type f | wc -l
12
Let’s compare the results of foremost with those of justniffer:
$ mkdir just
$ justniffer-grab-http-traffic -d just -f 2014-11-16-traffic-analysis-exercise.pcap >/dev/null
$ ls -l just
total 16
drwxr-xr-x 2 student student 4096 Nov 3 13:14 24corp-shop.com
drwxr-xr-x 2 student student 4096 Nov 3 13:14 adultbiz.in
drwxr-xr-x 2 student student 4096 Nov 3 13:14 stand.trustandprobaterealty.com
drwxr-xr-x 2 student student 4096 Nov 3 13:14
$ find just -type f | wc -l
33
We see that justniffer finds 33 files, almost three times as many as foremost carves. Of particular interest when tracking malicious HTTP activity, foremost finds only one HTML document and no JavaScript or CSS files. Justniffer retrieves multiple files of all of those types, which we need in order to understand how the redirection between sites works in the exploit kit. Wireshark's Export HTTP Objects function can return the same files as justniffer-grab-http-traffic, but without the organization into directories by server name and without the appropriate file suffixes. While foremost is not as effective as justniffer or Wireshark for HTTP file carving, foremost can carve files transferred using any network protocol, including those which Wireshark cannot decode.
Use grep and less to examine files in the directories associated with the appropriate web servers to answer the following questions. Note that HTML elements can be, and often are, created by JavaScript adding components to the DOM in the browser, so do not limit your searches to just HTML files.
- Which HTML element is used by the contact server to redirect the user to the redirect server?
- Which HTML element is used by the redirect server to redirect the user to the exploit server?
- Using your knowledge of the web or by looking up materials online, what is the purpose of the HTML element(s) used in the redirections above?
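Both the ngrep search for a component's hostname in the previous section and the element questions above amount to locating where in the carved content the next server is referenced. The following script is an added example, not part of the original assignment; the carved-content samples and their hostnames are constructed placeholders, and load_dir() is an assumed helper for running it over the just/ tree.

```python
import re
from pathlib import Path

# Constructed carved-content samples (file name -> text); hostnames are placeholders.
SAMPLES = {
    "contact/index.html": '<html><body><p>Shop</p>'
        '<iframe src="http://www.redirect.example/count.php" width="1" height="1"></iframe>'
        '</body></html>',
    "contact/functions.js": 'var s=document.createElement("script");'
        's.src="http://cdn.tracker.example/t.js";document.body.appendChild(s);',
    "redirect/count.php": '<meta http-equiv="refresh" content="0;url=http://landing.exploit.example/">',
}

# (element kind, regex template); {host} is filled with the escaped hostname being traced.
PATTERNS = [
    ("iframe",        r"<iframe[^>]*?\bsrc\s*=\s*[\"']?[^\"'>]*?{host}"),
    ("script",        r"<script[^>]*?\bsrc\s*=\s*[\"']?[^\"'>]*?{host}"),
    ("meta refresh",  r"<meta[^>]*?http-equiv\s*=\s*[\"']?refresh[^>]*?{host}"),
    ("js location",   r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"'][^\"']*{host}"),
    ("js dom insert", r"\.src\s*=\s*[\"'][^\"']*{host}"),
]

def find_references(files, hostname):
    """Return [(file name, element kind)] for every carved file that points at hostname."""
    esc = re.escape(hostname)
    hits = []
    for name, content in files.items():
        kinds = [kind for kind, template in PATTERNS
                 if re.search(template.format(host=esc), content, re.I | re.S)]
        if kinds:
            hits.append((name, kinds[0]))
        elif hostname in content:
            hits.append((name, "other"))  # mentioned, but not in a recognised redirect construct
    return hits

def load_dir(root):
    """Assumed helper: read every carved file under root as text, ignoring undecodable bytes."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="ignore")
    return files
```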
Use the file command as follows to identify file types while in the just directory. Notice that two of the types are filetypes that can be executed in a browser with appropriate plugins: Java archive data (JAR) and Macromedia Flash data (compressed), version 22.
$ file -b */*
HTML document, ASCII text, with CRLF line terminators
GIF image data, version 89a, 348 x 378
HTML document, ASCII text, with very long lines
Java archive data (JAR)
Java archive data (JAR)
data
data
data
Macromedia Flash data (compressed), version 22
Macromedia Flash data (compressed), version 22
Omit the -b option to see the names of the files. The four executable files consist of two pairs of identical files, indicating that the SWF (Macromedia Flash) and JAR (Java) executables were each sent twice to the victim. Upload the files to VirusTotal and also scan them with clamscan to see if they are malicious.
- Which server sent the SWF and JAR files to the victim?
- What is the SHA-256 hash of the SWF file? The command sha256sum can compute this hash.
- Was the SWF file malware according to VirusTotal? If it was, provide one of its names.
- Was the SWF file malware according to clamscan? If it was, what was the name?
- What is the SHA-256 hash of the JAR file?
- Was the JAR file malware? If it was, provide one of its names.
- Was the JAR file malware according to clamscan? If it was, what was the name?
- Which step of the exploit kit process do these files carry out?
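The file, sha256sum and duplicate-pair observations above can be reproduced from the magic bytes and hashes of the carved files. The following script is an added example, not part of the original assignment; the in-memory "files" are constructed byte strings (Flash header with version byte 22, a ZIP/JAR header, a GIF header), not the files carved from the lab pcap.

```python
import hashlib
from collections import defaultdict

# Constructed sample "carved files" (name -> bytes); on the VM you would read them from just/.
SAMPLES = {
    "a.example/ad.gif":    b"GIF89a" + b"\x5c\x01\x7a\x01" + b"\x00" * 8,
    "b.example/load.swf":  b"CWS" + bytes([22]) + b"\x10\x00\x00\x00" + b"x\x9c" + b"\x00" * 8,
    "b.example/load2.swf": b"CWS" + bytes([22]) + b"\x10\x00\x00\x00" + b"x\x9c" + b"\x00" * 8,
    "b.example/app.jar":   b"PK\x03\x04" + b"\x00" * 12,
    "b.example/index.htm": b"<html><body>hi</body></html>",
    "c.example/blob":      b"\x00\x01\x02\x03",
}

def identify(data):
    """Classify by leading magic bytes, as file(1) does; the SWF header also carries a version byte."""
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        kind = {b"FWS": "Flash (uncompressed)", b"CWS": "Flash (zlib)", b"ZWS": "Flash (lzma)"}[data[:3]]
        return f"{kind}, version {data[3]}"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (a JAR is a ZIP holding META-INF/)"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "GIF image"
    if data[:5].lower() in (b"<html", b"<!doc"):
        return "HTML document"
    return "data"

def executable_kinds(files):
    """Names of files of the two browser-executable types seen in the lab (Flash and JAR)."""
    return [n for n, d in files.items() if identify(d).startswith(("Flash", "ZIP"))]

def duplicate_groups(files):
    """Group files by SHA-256: a file delivered twice shows up as one hash with two names."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}
```

The hashes returned by duplicate_groups() are the values to submit to VirusTotal or record in a report.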
1.3: Identifying the Exploit Kit with Snort
Run snort with the pcap file as input. First, create a directory to store snort’s output files, then run the following commands, moving the pcap file into the newly created directory before running the snort command.
$ mkdir snort
$ cd snort
$ sudo snort --daq pcap -c /path/to/snort.conf -l . -q -A full -r 2014-11-16-traffic-analysis-exercise.pcap >/dev/null
Here /path/to/snort.conf stands for the Snort configuration file on your VM, which loads the rule set; -c names that configuration and -r reads packets from the pcap file.
Answer the following questions based on the alerts. You can use the command grep ET alert to view a summary of the alerts, with one alert per line.
- How many alerts were generated by the captured packets?
- What are two names for the exploit kit reported by the alerts?
- In addition to alerting on the specifics of the exploit kit, snort alerts on both of the executable files being transferred for other reasons. What are those reasons?
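The alert counting and naming asked for above can be done by parsing snort's full-format alert file instead of eyeballing grep output. The following script is an added example, not part of the original assignment; the alert excerpt is constructed, with placeholder sids, messages and addresses rather than the rules that fire on the lab pcap.

```python
import re
from collections import Counter

# Constructed excerpt in the format snort -A full writes to the file "alert".
SAMPLE_ALERT = """\
[**] [1:2000001:3] ET CURRENT_EVENTS Example EK Landing Page [**]
[Classification: A Network Trojan was detected] [Priority: 1]
11/16-15:22:06.231440 203.0.113.5:80 -> 192.168.1.10:49160
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:1500 DF

[**] [1:2000002:5] ET INFO JAVA - Java Archive Download [**]
[Classification: Misc activity] [Priority: 3]
11/16-15:22:09.102000 203.0.113.5:80 -> 192.168.1.10:49161
TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:1500 DF

[**] [1:2000001:3] ET CURRENT_EVENTS Example EK Landing Page [**]
[Classification: A Network Trojan was detected] [Priority: 1]
11/16-15:22:11.000000 203.0.113.5:80 -> 192.168.1.10:49162
TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:1500 DF
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")  # [**] [gid:sid:rev] msg [**]
PACKET = re.compile(r"^(\S+) (\S+) -> (\S+)$")                            # timestamp src -> dst

def parse_alerts(text):
    """Return one dict per alert with sid, msg, timestamp, src and dst."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"sid": int(m.group(2)), "msg": m.group(4)}
            alerts.append(current)
            continue
        m = PACKET.match(line)
        if m and current is not None and "src" not in current:
            current.update(timestamp=m.group(1), src=m.group(2), dst=m.group(3))
    return alerts

def summarize(alerts):
    """Distinct alert messages with hit counts: the 'grep ET alert' view, deduplicated."""
    return Counter(a["msg"] for a in alerts)

def ek_names(alerts):
    """Messages in the ET CURRENT_EVENTS category, where most exploit kit rules are placed."""
    return sorted({a["msg"] for a in alerts if a["msg"].startswith("ET CURRENT_EVENTS")})
```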
2: Investigation
The file 2014-11-16-traffic-analysis-exercise.pcap contains packets from an attack involving a different exploit kit. Using the techniques above, investigate the incident captured in this data file. Using snort, identify which exploit kit is used in the attack. Identify the victim PC (MAC, IP, and hostname if available), determine which web sites serve as which parts of the exploit kit attack (contact, redirect, and exploit servers),
Follow our standard report format, include a timeline of alerted activities involving the potential attacker on the Internet as well as those involving the target, and be sure to support all statements with evidence from the alerts or captured packets. Identify events using packet numbers and/or timestamps. Identify files with filenames and MD5 hash values.
If clamscan or VirusTotal reports a file as an exploit or malware, include one of the malware or vulnerability identifiers from each tool along with the hash value. Look up vulnerability identifiers on to explain how that part of the attack worked. Look up malware identifiers with any search engine, but be aware that not all identifiers will have public descriptions.
At the end of your report, provide a list of recommendations to recover the systems and protect them against future attacks of this type. Be as specific as possible with recommendations and indicate which user accounts and IP addresses need remediation.
Offline References
- Chris Sanders and Jason Smith. Applied Network Security Monitoring. Chapter 9. Syngress. 2014.
Online References
- Cisco. Snort Users Manual 2.9.9. 2016.
- CVE. CVE Details.
- Exploit kit.
- IETF. RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1.
- VirusTotal.
Deliverables
This assignment does not require a formal report. Instead, answers should be inserted into this lab document in the format(s) requested in each section. Bring a copy of this assignment to class on the day on which it is due for discussion.