the honeynet project & forensic challenges 2010
TRANSCRIPT
![Page 1: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/1.jpg)
The Honeynet Project &
Forensic Challenges 2010
A Contestant's Point of View - Franck Guénichot
Organization: Director Member - Sébastien Tricaud
![Page 2: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/2.jpg)
Speaker Sébastien Tricaud
• Co-Founder with P. Saadé of PicViz Labs
• Honeynet Project CTO
• Intrusion Detection specialist & high-volume log analyst
• Former contributor to Linux PAM, OSSEC, SanCP, Prelude IDS, etc.
![Page 3: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/3.jpg)
Speaker Franck Guénichot
15 years in the networking field (« Packet geek »)
Honeynet project's challenge contestant
• Challenge #1 : 2nd place
• Challenge #2 : 1st place (tied with 3 other contestants)
• Challenge #3 : 4th place
SANS Network Forensic Contest contestant
• Challenge #1: finalist
• Challenge #2: 1st place (tied with one other contestant)
• Challenge #3: finalist
malphx
![Page 4: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/4.jpg)
Agenda
• Honeynet project organization
• Highlights of a few software tools
• Our Challenges (with someone who does several!)
• Conclusion
![Page 5: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/5.jpg)
Buzzwords
Worms
Virus
Trojans
Botnets
Zombies
Phishing
Spam
Fast-flux
SPIT
![Page 6: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/6.jpg)
Our Goal
"Improve the Security of the Internet at no cost to the Public"
![Page 7: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/7.jpg)
Organisation
The Honeynet Project
Directors
Officers
Advisors
Full Members
Members
Contributors
Chapters
![Page 8: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/8.jpg)
Chapters
![Page 9: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/9.jpg)
Learn
Trap our enemies
Analyze their activities
Gather information
Discuss, exchange
![Page 10: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/10.jpg)
Provide information based on our observations
Papers
KYE: Know Your Enemies
KYT: Know Your Tools
Website
http://www.honeynet.org
Blog, Twitter
![Page 11: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/11.jpg)
Know Your Enemy: Containing
Conficker
![Page 12: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/12.jpg)
Know Your Tools: Picviz
![Page 13: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/13.jpg)
Provide Tools
Capture BAT
Capture HPC
Glastopf
Google Hack
Honeypot
HIHAT
HoneyBow
HoneyC
Honeyd
Honeywall CDROM
• Honeymole
• Honeysnap
• Honeystick
• Honeytrap
• Nepenthes
• Pehunter
• PicViz
• Sebek
• Tracker
![Page 14: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/14.jpg)
Tools Landscape
Servers Clients
High interaction
Low interaction
Analysis
![Page 15: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/15.jpg)
Nepenthes
![Page 16: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/16.jpg)
Nepenthes Logs
[2010-01-01T00:10:06] 88.173.53.163 -> 192.168.0.23
link://88.173.53.163:3737/MPe2+A==
725c1f3ef623cbd811a9acc6c40ad07c
[2010-01-01T00:12:56] 88.185.87.220 -> 192.168.0.23
link://88.185.87.220:46509/D2oeOQ==
954a98c971fda498f9d1211f18e75cd7
[2010-01-01T00:24:36] 88.83.48.36 -> 192.168.0.23
link://88.83.48.36:35368/+BmAdg==
be36334377890a52b56c9023de688fe7
![Page 17: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/17.jpg)
Nepenthes: some stats
2010 April 1st
2211 binaries retrieved
597 unique binaries (different MD5)
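The Nepenthes log excerpt and the "some stats" slide above describe one record per download (timestamp and peers, link URL, MD5). The following Ruby script is an added example, not part of the talk or of Nepenthes: it parses that three-line layout and derives the retrieved-versus-unique counts the slide reports; the sample log is constructed (the slide's three records plus one duplicated download).

```ruby
# Added example (not from the talk): parse Nepenthes download-log records in the
# layout shown on the slide and summarise them like the "some stats" slide does.
require 'set'

# One record spans three lines: "[ts] src -> dst", the download link, the MD5.
LOG_LINE  = /\A\[(?<ts>[^\]]+)\]\s+(?<src>\S+)\s+->\s+(?<dst>\S+)\z/
LINK_LINE = %r{\A(?<scheme>[a-z]+)://(?<host>[^:/]+):(?<port>\d+)/(?<path>\S*)\z}
MD5_LINE  = /\A[0-9a-f]{32}\z/

# Constructed sample: the slide's three records plus a repeat of the first one,
# so that "retrieved" and "unique" differ.
SAMPLE_LOG = <<~LOG
  [2010-01-01T00:10:06] 88.173.53.163 -> 192.168.0.23
  link://88.173.53.163:3737/MPe2+A==
  725c1f3ef623cbd811a9acc6c40ad07c
  [2010-01-01T00:12:56] 88.185.87.220 -> 192.168.0.23
  link://88.185.87.220:46509/D2oeOQ==
  954a98c971fda498f9d1211f18e75cd7
  [2010-01-01T00:24:36] 88.83.48.36 -> 192.168.0.23
  link://88.83.48.36:35368/+BmAdg==
  be36334377890a52b56c9023de688fe7
  [2010-01-01T00:31:12] 88.173.53.163 -> 192.168.0.23
  link://88.173.53.163:3737/MPe2+A==
  725c1f3ef623cbd811a9acc6c40ad07c
LOG

Download = Struct.new(:time, :src, :dst, :scheme, :host, :port, :md5)

# Returns one Download per well-formed record; malformed or truncated
# records (e.g. a header without its link and hash lines) are skipped.
def parse_nepenthes_log(text)
  records = []
  lines = text.each_line.map(&:strip).reject(&:empty?)
  lines.each_slice(3) do |hdr, link, md5|
    h = LOG_LINE.match(hdr.to_s)
    l = LINK_LINE.match(link.to_s)
    next unless h && l && md5 && MD5_LINE.match?(md5)
    records << Download.new(h[:ts], h[:src], h[:dst], l[:scheme], l[:host],
                            l[:port].to_i, md5)
  end
  records
end

# Counts as on the slide: downloads retrieved vs. distinct binaries (by MD5),
# plus per-source volume and downloads served from a host other than the peer.
def download_stats(records)
  {
    retrieved: records.size,
    unique_md5: records.map(&:md5).uniq.size,
    per_source: records.group_by(&:src).transform_values(&:size),
    third_party_hosts: records.count { |r| r.host != r.src },
  }
end

if $PROGRAM_NAME == __FILE__
  stats = download_stats(parse_nepenthes_log(SAMPLE_LOG))
  puts "#{stats[:retrieved]} binaries retrieved, #{stats[:unique_md5]} unique"
end
```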
![Page 18: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/18.jpg)
32 viruses not detected by ClamAV
![Page 19: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/19.jpg)
PhoneyC
http://code.google.com/p/phoneyc
Client honeypot written in Python
Written by Jose Nazario and Angelo Dell'Aera
![Page 20: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/20.jpg)
PhoneyC
PhoneyC architecture diagram: web page request and response, MIME modules, SGML parser and further parsers, script engine, libEMU and AV, alert.
![Page 21: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/21.jpg)
![Page 22: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/22.jpg)
Google Summer of Code
20 projects proposed
18 students paid by Google
Projects: log anonymization, honeeebox interface, uniform sandbox/sandnet for data collection, pcap replayer to exploit the source, DNS analysis of an infected machine, Dionaea, PhoneyC, …
![Page 23: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/23.jpg)
Agenda
Introduction / Why should you participate?
How to prepare a challenge?
Challenge #1 : PCAP attack trace
Challenge #2 : Browsers under attack
Challenge #3 : Banking Troubles
Challenge #4 : VoIP challenge
Conclusion
![Page 24: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/24.jpg)
Introduction
or
Why should you participate?
![Page 25: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/25.jpg)
Challenge Objectives
Giving the security community opportunities:
To analyze real and current threats
To share their findings
![Page 26: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/26.jpg)
Themes
PCAP Analysis
Browser Exploits Analysis
Windows Memory Forensics
Malicious PDF Analysis
Malicious JavaScript Analysis
Malware Analysis
VoIP Attacks Analysis
...
![Page 27: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/27.jpg)
Benefits for a contestant
Learning tools and techniques to analyze real threats
Sharing knowledge with the community and seeing write-ups from others
Having fun!
![Page 28: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/28.jpg)
Challenge Timeline
2-month cycle
Challenge published on the 1st of a month
1 month to submit your solution
Results are announced in the third week of the next month
![Page 29: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/29.jpg)
Challenge Prizes
Top 3 submissions are published on the Honeynet Project's website
Top 3 submissions are awarded small prizes (books, ...)
![Page 30: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/30.jpg)
How to prepare a challenge?
![Page 31: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/31.jpg)
Contestant's Host
Physical / Virtual?
Some challenges involve « playing » with real threats and malware
Be careful not to infect yourself!
![Page 32: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/32.jpg)
Contestant's Tools
Packet analysis tools (wireshark, tshark, ...)
Memory forensic tools (Volatility, ...)
Data carving tools (Foremost, Scalpel, ...)
Disassembler / Debugger (OllyDbg, IDA, …)
Compiler (GCC, CL, ...)
Custom/own tools (perl, python, ruby, ...)
Virtualization product of your choice
Online sandboxes (Cwsandbox, Anubis, ...)
![Page 33: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/33.jpg)
Contestant's Skills
To play with challenges
Knowledge of Networking
Knowledge of Security Threats
Basic Reverse-Engineering skills
To have fun with challenges
Good knowledge of Networking
Good knowledge of Security Threats
Good Reverse-Engineering skills
![Page 34: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/34.jpg)
A Quick Tour of
The Challenges
![Page 35: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/35.jpg)
#1 : PCAP ATTACK TRACE
Author(s)
Tillmann Werner (from the Giraffe chapter)
Objective
Network attack analysis
LSASS buffer overflow (CVE-2003-0533 / MS04-011)
Challenge Material
PCAP file
Tools I've used to solve it:
Wireshark(Tshark), p0f, snort, IDA, ...
![Page 36: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/36.jpg)
#1 : PCAP ATTACK TRACE
Attacker connects to the victim's IPC$ share...
Attacker exploits a well-known vulnerability (CVE-2003-0533, LSASS buffer overflow)
Snort detects it...
![Page 37: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/37.jpg)
#1 : PCAP ATTACK TRACE
A shellcode is injected... (NOP slide followed by the shellcode)
![Page 38: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/38.jpg)
#1 : PCAP ATTACK TRACE
Mkcarray helps!
Converting raw shellcode data to C source...
![Page 39: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/39.jpg)
#1 : PCAP ATTACK TRACE
Shellcode analysis reveals the compromise...
A shell was bound to 1957/TCP
![Page 40: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/40.jpg)
#1 : PCAP ATTACK TRACE
Commands are sent by the attacker to the shell
And a malware is retrieved...
![Page 41: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/41.jpg)
#1 : PCAP ATTACK TRACE
Official solution
http://www.honeynet.org/files/Forensic%20Challenge%202010%20-%20Scan%201%20-%20Solution_final.pdf
![Page 42: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/42.jpg)
#2 : BROWSERS UNDER ATTACK
Authors
Nicolas Collery (Singapore chapter)
Guillaume Arcas (French chapter)
Objective
Analysis of browser under attack
Challenge Material
PCAP file
Tools I've used to solve it:
Wireshark(Tshark), malzilla, spidermonkey-js,
Ollydbg, custom ruby script, ...
![Page 43: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/43.jpg)
#2 : BROWSERS UNDER ATTACK
Using tshark protocol hierarchy statistics to guess the attack vector
![Page 44: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/44.jpg)
#2 : BROWSERS UNDER ATTACK
Using tshark to gather various information and statistics on victims and attackers: NetBIOS names, MAC addresses, browser User-Agents
Looks like VirtualBox: default MAC addresses, same hostname
![Page 45: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/45.jpg)
#2 : BROWSERS UNDER ATTACK
But also... DNS queries and HTTP hosts
![Page 46: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/46.jpg)
#2 : BROWSERS UNDER ATTACK
![Page 47: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/47.jpg)
#2 : BROWSERS UNDER ATTACK
Scenario 1 (*picture is taken from the official solution)
![Page 48: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/48.jpg)
#2 : BROWSERS UNDER ATTACK
Obfuscated javascript
& invisible IFRAME
![Page 49: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/49.jpg)
#2 : BROWSERS UNDER ATTACK
Scenario 2 (*picture is taken from the official solution)
![Page 50: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/50.jpg)
#2 : BROWSERS UNDER ATTACK
Offensive javascript (browser attacked)
![Page 51: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/51.jpg)
#2 : BROWSERS UNDER ATTACK
Offensive javascript (Decrypted)
CVE-2006-0003
![Page 52: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/52.jpg)
#2 : BROWSERS UNDER ATTACK
Scenario 3 (*picture is taken from the official solution)
![Page 53: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/53.jpg)
#2 : BROWSERS UNDER ATTACK
Part of an offensive JavaScript: the shellcode, and the next exploit to launch
![Page 54: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/54.jpg)
#2 : BROWSERS UNDER ATTACK
Shellcodes (Download & eXecute)
![Page 55: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/55.jpg)
#2 : BROWSERS UNDER ATTACK
Official solution
http://www.honeynet.org/files/Forensic%20Challenge%202010_-_Challenge_2_-_Solution.doc
![Page 56: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/56.jpg)
#3 : BANKING TROUBLES
Authors
Josh Smith & Matt Cote (Rochester Institute of Tech. chapter)
Angelo Dell'Aera (Italian chapter)
Nicolas Collery (Singapore chapter)
Objectives
Memory dump analysis / Malicious PDF analysis
Challenge Material
Memory dump
Tools I've used to solve it:
Volatility, pdfid.py, pdf-parser.py, Ollydbg, ...
![Page 57: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/57.jpg)
#3 : BANKING TROUBLES
Memory dump inspection with Volatility...
Here is the list of running processes
![Page 58: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/58.jpg)
#3 : BANKING TROUBLES
Memory dump inspection with Volatility...
![Page 59: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/59.jpg)
#3 : BANKING TROUBLES
Strange behavior can be observed...
![Page 60: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/60.jpg)
#3 : BANKING TROUBLES
Malicious PDF analysis
Only 1 page + embedded JavaScript = suspicious!
![Page 61: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/61.jpg)
#3 : BANKING TROUBLES
Malicious Javascript deobfuscation & analysis
CVE-2007-5659: Collab.collectEmailInfo() exploit
![Page 62: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/62.jpg)
#3 : BANKING TROUBLES
Shellcode extraction from malicious JavaScript
![Page 63: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/63.jpg)
#3 : BANKING TROUBLES
Malware extraction from injected processes' memory
A Zeus/Zbot infection is found...
A banking trojan causing « Banking Troubles »
![Page 64: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/64.jpg)
#3 : BANKING TROUBLES
Official solution
http://www.honeynet.org/files/Forensic_Challenge_3_-_Banking_Troubles_Solution.pdf
![Page 65: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/65.jpg)
#4 : VoIP CHALLENGE
Authors
Ben Reardon (Australian chapter)
Sjur Eivind Usken (Norwegian chapter)
Objective
VoIP (SIP) attacks analysis
Challenge Material
Log file + PCAP file
Tools I've used to solve it (I hope!):
Wireshark/Tshark, Custom scripts, PicViz, ...
![Page 66: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/66.jpg)
#4 : VoIP Challenge
Log of a SIP honeypot was given...
A custom tool was needed to parse it...
89833 lines!!!
![Page 67: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/67.jpg)
#4 : VoIP Challenge
SIPlogparser.rb
« Awful » but working ruby script.
![Page 68: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/68.jpg)
#4 : VoIP Challenge
Gives some stats...
![Page 69: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/69.jpg)
#4 : VoIP Challenge
Generates PicViz .pcv file
![Page 70: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/70.jpg)
#4 : VoIP Challenge
PicViz graph reveals interesting points...
![Page 71: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/71.jpg)
#4 : VoIP Challenge
An « extension scan » made with svwar from the SIPVicious Tools Suite.
![Page 72: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/72.jpg)
#4 : VoIP Challenge
Filtering a bit, now evidence appears...
SIPVicious svcrack was used against a small subset of extensions!
![Page 73: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/73.jpg)
#4 : VoIP Challenge
The SIP server (honeypot) was used by an attacker to call international phone numbers...
![Page 74: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/74.jpg)
#4 : VoIP CHALLENGE
Official solution
To be published...
![Page 75: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/75.jpg)
Conclusion
For the Beginners:
Challenges are a good way to start learning tools and techniques to analyze threats.
For the Experts:
A good way to share your knowledge and findings with the community.
![Page 76: The Honeynet Project & Forensic Challenges 2010](https://reader030.vdocument.in/reader030/viewer/2022012011/613d78ff736caf36b75dbca8/html5/thumbnails/76.jpg)
Thank You
Questions?
http://www.honeynet.org/challenges