Room: Advent of Cyber 2023 Day 17
Similar to Day 7, we are diving into log analysis again, this time using command-line tools to slice and aggregate network flow data.
We find something suspicious: a lot of traffic from one IP address at an extremely high frequency. This is a sign of a DoS (denial-of-service) attack.
Our suspicions are confirmed by further analysis. The suspicious address never completes the TCP three-way handshake: it sends SYNs but never follows up with an ACK. That makes a SYN flood the most likely explanation.
rwcut, rwfilter, and rwstats are command-line tools from the SiLK (System for Internet-Level Knowledge) suite, a network flow analysis toolkit from CERT's NetSA group. They belong to SiLK, not to RITA (Real Intelligence Threat Analytics), which is a separate flow-analysis tool. Here is a brief explanation of each:
rwcut extracts specific fields (columns) from flow records and prints them as text.
rwfilter is a powerful filtering tool that applies conditions to flow records and passes only the ones matching criteria such as time, source/destination IP address, port, or protocol.
rwstats performs statistical analysis of flow records. It aggregates by the fields you choose and reports values such as the number of flow records, packets, bytes transferred, and distinct peers.
Together these SiLK tools let network security analysts efficiently process, filter, and summarize large volumes of flow data to identify potential threats or anomalies.
Going to the Desktop folder, we can run the following command:
silk_config -v
which prints the version of the SiLK suite.
rwfileinfo suspicious-flows.silk
This prints the file's header metadata (record count, file size, format, and the command history that produced it), which answers both Task 1 and Task 2.
rwcut suspicious-flows.silk --fields=stime --num-recs=6
Notice that we ask for only 6 records and only the start-time column.
rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --num-recs=6
Notice that we ask for 6 records that use UDP (protocol number 17).
rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10
That is a lot of traffic on port 53!
rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top
Now we aggregate by source IP to see which address has sent the most bytes.
rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP --values=records,bytes,packets --count=10
Filtering for all traffic on port 53 (as either source or destination port), we notice two IP addresses communicating with each other.
What is alarming is how frequently they talk to each other, and the same suspicious IP shows up again.
rwfilter suspicious-flows.silk --saddress=175.175.173.221 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10
Also, one of the two addresses is not sending anything at all.
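The rwstats aggregations and the port-53 rwfilter from the steps above, together with the "SYN but never ACK" reasoning from the introduction, reproduced in plain Python as an added example (not code from the TryHackMe room or from the SiLK suite). It parses the pipe-delimited text rwcut prints, assuming the field list sIP,dIP,sPort,dPort,proto,flags,packets,bytes,stime; every sample row is constructed from RFC 5737 documentation addresses, not taken from suspicious-flows.silk. SiLK's own way to express the SYN-without-ACK test is rwfilter --flags-all=S/SA, which this walkthrough does not use.

```python
"""Re-implement the rwstats / rwfilter analysis in plain Python.

Added example for this walkthrough; it is not code from the TryHackMe room
or from the SiLK suite. It parses the pipe-delimited text rwcut prints
(assumed field list: sIP,dIP,sPort,dPort,proto,flags,packets,bytes,stime),
aggregates it the way rwstats does, filters by port the way rwfilter
--aport does, and applies the "SYN but never ACK" SYN-flood heuristic.
Every sample row is constructed from RFC 5737 documentation addresses.
"""
from collections import Counter, defaultdict

INT_FIELDS = {"sPort", "dPort", "pro", "packets", "bytes"}

# Constructed rwcut-style output: a DNS query/response pair and one
# complete HTTP session. rwcut prints the protocol column as "pro".
NORMAL_ROWS = """\
            sIP|            dIP|sPort|dPort|pro|   flags|  packets|    bytes|                  sTime|
     192.0.2.10|   198.51.100.5|51000|   53| 17|        |        1|       70|2023/12/17T10:00:00.000|
   198.51.100.5|     192.0.2.10|   53|51000| 17|        |        1|      140|2023/12/17T10:00:00.010|
     192.0.2.10|   198.51.100.8|51001|   80|  6|    FSPA|       12|     1540|2023/12/17T10:00:01.000|
   198.51.100.8|     192.0.2.10|   80|51001|  6|    FSPA|       10|    12800|2023/12/17T10:00:01.001|
"""


def constructed_sample(flood_flows=50):
    """Normal rows plus a burst of SYN-only flows from one source (constructed)."""
    flood = [
        f"203.0.113.66|198.51.100.8|{40000 + i}|80|6|S|1|44|2023/12/17T10:00:02.{i:03d}|"
        for i in range(flood_flows)
    ]
    return NORMAL_ROWS + "\n".join(flood) + "\n"


def parse_rwcut(text):
    """Turn rwcut's header + pipe-delimited rows into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        cols = [c.strip() for c in line.strip().rstrip("|").split("|")]
        rec = dict(zip(header, cols))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rwstats_by(records, key_fields, sort_by="records", top=10):
    """Mimic rwstats --fields=<key_fields> --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --top."""
    buckets = defaultdict(lambda: {"records": 0, "packets": 0, "bytes": 0,
                                   "sIP": set(), "dIP": set()})
    for r in records:
        b = buckets[tuple(r[f] for f in key_fields)]
        b["records"] += 1
        b["packets"] += r["packets"]
        b["bytes"] += r["bytes"]
        b["sIP"].add(r["sIP"])
        b["dIP"].add(r["dIP"])
    rows = [
        {**dict(zip(key_fields, key)),
         "records": b["records"], "packets": b["packets"], "bytes": b["bytes"],
         "sIP-Distinct": len(b["sIP"]), "dIP-Distinct": len(b["dIP"])}
        for key, b in buckets.items()
    ]
    rows.sort(key=lambda row: row[sort_by], reverse=True)
    return rows[:top]


def filter_aport(records, port):
    """Mimic rwfilter --aport=<port>: keep flows where either port matches."""
    return [r for r in records if port in (r["sPort"], r["dPort"])]


def syn_only_sources(records, min_flows=10):
    """Sources whose TCP flows set SYN but never ACK: the SYN-flood signature.

    rwfilter expresses the same per-flow test as --flags-all=S/SA (SYN set,
    ACK clear). Here we additionally require that the source has no ACK
    flows at all, which is what the walkthrough observed.
    """
    syn_only, with_ack = Counter(), Counter()
    for r in records:
        if r["pro"] != 6:  # only TCP has a handshake
            continue
        flags = r["flags"].upper()
        if "A" in flags:
            with_ack[r["sIP"]] += 1
        elif "S" in flags:
            syn_only[r["sIP"]] += 1
    return sorted(ip for ip, n in syn_only.items()
                  if n >= min_flows and with_ack[ip] == 0)


if __name__ == "__main__":
    recs = parse_rwcut(constructed_sample())
    print("top dPort:", rwstats_by(recs, ["dPort"])[0])
    print("top sIP by bytes:", rwstats_by(recs, ["sIP"], sort_by="bytes")[0])
    print("top sIP by records:", rwstats_by(recs, ["sIP"])[0])
    print("port 53 flows:", len(filter_aport(recs, 53)))
    print("SYN-only sources:", syn_only_sources(recs))
```

One thing the constructed data makes obvious: sorted by bytes, the flooding source does not even reach the top because each SYN-only flow is only 44 bytes, while sorted by records it dominates. That is why the choice of --values in rwstats matters, and why a flood is best hunted by flow or packet counts rather than volume.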
Defang the suspicious IP we found in Task 7 and you’re good to go!
rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10
Since the C2 traffic is so frequent, we can filter on port 80 and aggregate by source, destination and destination port.
Half of the port 80 traffic is going to a certain IP.
The data aggregation in Task 9 should give you enough information to get the answer to this question!
Happy Hacking!