Capstone Scenario: Alexis is a fictional cybersecurity company with thousands of employees. An attacker has gained unauthorized entry into its premises and has connected their laptop to an unused port on a switch. The attacker now has access to the company’s internal networks. Within the internal network, there is a central server where critical proprietary data is stored. In this capture, the attacker is attempting to collect SSH credentials that they can use to log into the central server.
Question 1. What is the MAC address of the attacker?
We know from the scenario that the attacker is trying to retrieve SSH credentials, so we can add an ssh filter and check our results.
The application-layer packet is the first one sent after the 3-way handshake completes, so we can infer that its source IP is the attacker's IP, letting the server know: “Hello, I am using the OpenSSH client, and I speak SSH Protocol version 2.0.”
We can verify this by checking the previous packets and seeing who initiated the connection.
Packet 762 shows that the IPv4 address 192.168.5.111 initiated the connection, which confirms this is the address that was probing the network to determine whether SSH was open.
Selecting either packet 762 or 765, we can find the MAC address in the layer 2 (data link) section of the packet details.
Lastly, I want to see everyone that was talking on SSH by navigating to Statistics > Conversations:
This confirms that only 2 endpoints were speaking on SSH, and our MAC address is listed as well. Note that this view does not order addresses by who started the communication; it lists them in alphabetical/numerical order, which is why the attacker's MAC address appears as “Address B”.
Answer: 08:00:27:3d:27:5d
Question 2. What is the type of attack which is taking place that allows the attacker to listen in on conversations between the central server and another host?
Answer: This would be a Man-in-the-Middle (MITM) attack. I know this from my ethical hacking training, but essentially a MITM attacker actively intercepts, relays, and controls the communication between two unsuspecting hosts without either host knowing the connection is compromised.
Question 3. What is the file which was downloaded from the central server?
I tested http as a filter, as it is a primary way to download/transfer files, and attackers use commands like wget or curl to transfer files. Attackers could also use this as a way to blend in, since exfiltrating through FTP might be obvious.
HTTP, to no avail.
Checking FTP, we got some action. We are looking for a “RETR” or “STOR” command, which indicates a file transfer (retrieve from or store to the server). We see the packet with “RETR” about halfway down.
If we had dozens or hundreds of packets, we could follow the TCP stream to make the command easier to spot.
It would look like the image above.
Answer: Alevis_Employee_Information_Chart.csv
Question 4. What department does Borden Danilevich work at?
The attacker stole a file named for employee information, so Borden Danilevich's record is most likely in it. We filter on ftp, since that is the protocol that was used, and follow the TCP stream. The transferred file's contents are not on stream 0: FTP establishes a control-channel connection that is used exclusively for exchanging commands and responses between the FTP client and the FTP server. It is like the telephone line used to manage the session, while the file itself travels over a separate data connection. So we can increase the stream index by 1, and the data of the file transfer should be there.
Every file transfer in FTP opens (and then closes) a new TCP data connection, which Wireshark tracks as a new stream. So, if there were another file transfer, it would be found on stream 2.
Answer: Sales
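The steps used for questions 1, 3 and 4 (identify the SSH initiator from the handshake, find the RETR command on the FTP control channel, reassemble the data stream and look up a row) can be scripted. The following is an added example, not part of the original writeup; the packet rows, the server IP 192.168.5.20, the stream indices and the password value are constructed stand-ins for the real capture.

```python
import csv
from dataclasses import dataclass
@dataclass
class Pkt:            # one capture row, with the fields Wireshark shows
    num: int          # frame number
    src_mac: str
    src_ip: str
    dport: int
    flags: str        # TCP flags as Wireshark prints them, e.g. "SYN", "SYN,ACK"
    stream: int       # tcp.stream index
    payload: str = ""

SERVER, CLIENT = "192.168.5.20", "192.168.5.111"  # server IP is constructed
CAPTURE = [  # constructed sample rows, not the writeup's pcap; stream indices are made up
    Pkt(762, "08:00:27:3d:27:5d", CLIENT, 22, "SYN", 0),
    Pkt(763, "08:00:27:aa:bb:cc", SERVER, 41000, "SYN,ACK", 0),
    Pkt(765, "08:00:27:3d:27:5d", CLIENT, 22, "PSH,ACK", 0, "SSH-2.0-OpenSSH_8.9\r\n"),
    Pkt(905, "08:00:27:3d:27:5d", CLIENT, 21, "PSH,ACK", 1, "RETR Alevis_Employee_Information_Chart.csv\r\n"),
    Pkt(910, "08:00:27:aa:bb:cc", SERVER, 41200, "PSH,ACK", 2, "name,department,ssh_password\r\n"),
    Pkt(911, "08:00:27:aa:bb:cc", SERVER, 41200, "PSH,ACK", 2, "Borden Danilevich,Sales,EXAMPLE-pw\r\n"),
]

def ssh_initiator(packets):
    """Q1: the client is whoever sends the first bare SYN to port 22 (the SYN,ACK is the server)."""
    for p in sorted(packets, key=lambda p: p.num):
        if p.dport == 22 and p.flags == "SYN":
            return p.src_ip, p.src_mac

def ftp_transfers(packets):
    """Q3: RETR/STOR on the control channel (port 21) name the file; the bytes travel on a
    separate TCP stream opened after the command, one new stream per transfer."""
    ordered, found, claimed = sorted(packets, key=lambda p: p.num), [], set()
    for i, p in enumerate(ordered):
        verb, _, arg = p.payload.strip().partition(" ")
        if p.dport != 21 or verb not in ("RETR", "STOR"):
            continue
        data = next((q.stream for q in ordered[i + 1:]
                     if q.stream != p.stream and q.stream not in claimed), None)
        claimed.add(data)
        found.append({"cmd": verb, "file": arg, "control_stream": p.stream, "data_stream": data})
    return found

def follow_stream(packets, stream):
    """Same idea as Follow > TCP Stream: concatenate one stream's payloads in frame order."""
    return "".join(p.payload for p in sorted(packets, key=lambda p: p.num) if p.stream == stream)

def csv_field(text, name, column):
    """Q4/Q5: look a person up in the reassembled CSV and return one column."""
    return next((r[column] for r in csv.DictReader(text.splitlines()) if r["name"] == name), None)
```

Against a real capture the same logic would run over rows exported from Wireshark or tshark; the stream-index heuristic is the one the writeup observes, so check it against the control channel's PASV/PORT replies when several transfers overlap.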
Question 5. What is the SSH password of the Domain Administrator?
The same concept used for question 4 applies here. The file that was transferred contains every user's credentials, including the Domain Admin's in this case, so we should be able to find the SSH password there. We follow the FTP data stream and, at the top of the file, check which CSV field contains the SSH password.
Use the “Find” feature to search for “Domain Admin”, and we have our answer.