In this walkthrough, we will be analyzing a packet capture (PCAP) file, rogue_user.pcap. The challenge was to identify the rogue user that was created by the attacker.
My tool of choice for this type of analysis is Wireshark.
The first step I typically take when analyzing a PCAP is to take a look at the captured protocols. This is done by accessing Statistics > Protocol Hierarchy. This is intentionally a pretty pared down capture, so we only see a few protocols listed.
Note that the protocols are listed in a hierarchical fashion as the name implies, following the TCP/IP stack, which makes it relatively easy to drill down to the items of interest.
Since we are likely looking for evidence of user creation, probably remotely via command line, I am going to drill down on “Data”. This can be done quickly by right-clicking on the Data line and selecting Apply as Filter > Selected.
Now we are viewing all the frames marked as data and, in this case, there are 28 of them. Note the PSH, ACK TCP flags, which also indicate an exchange of data.
I have customized my display columns to include the “Stream Index” value. A stream essentially reflects a conversation between two nodes. We can see from the above image that stream 0 starts at frame number 4 and stream 1 starts at frame number 40. Both of these are of interest, so we will take a look at each. We can “follow” the stream by right-clicking and selecting Follow > TCP.
Below are the results from following stream 0:
Interesting, but no rogue user creation there. Next, we try following stream 1:
It looks like stream 1 has some potential for relevant activity. The pink text represents the request to our victim box and the blue text represents the response. This activity looks like remote shell access. We can see in the above image that the attacker ran the following commands: whoami, finger, ls, and then catted a file rather enticingly titled “passhash.txt” that appears to contain the contents of the /etc/shadow file.
We will take a look further in stream 1 and see if we can find evidence of the rogue user creation.
From the above image we can observe the use of the adduser command to create a user named “marcelle” with a password of “password”. Directly after creation of the marcelle account, the attacker checks the contents of /etc/shadow to see if the user was successfully created. From the results shown below, we can see that they did succeed. Further, based on the attacker’s access to the privileged shadow file it would appear that they have root access — not good!
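One way to automate the “follow each stream and read the commands” step above, as an added example that is not code from the original post: it parses a classic pcap file with the standard library only, groups TCP payloads by conversation the way Wireshark's stream index does, and flags adduser/useradd commands. The capture, IP addresses and ports are constructed samples that mirror the two streams in the post.

```python
import re
import struct
# Added example (not from the original post): reassemble TCP payloads per
# conversation, as Wireshark's "Follow TCP stream" does, then flag account creation.
ACCOUNT_CMD = re.compile(rb"\b(adduser|useradd)\s+(-\S+\s+)*(\S+)")

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)  # PSH,ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Constructed little-endian pcap file wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_streams(pcap):
    """Map each TCP conversation (both directions) to its concatenated payload, in capture order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # trim Ethernet padding
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = tuple(sorted([(ip[12:16], sport), (ip[16:20], dport)]))  # direction-independent
        streams[key] = streams.get(key, b"") + tcp[(tcp[12] >> 4) * 4:]
    return streams

def find_account_creation(pcap):
    """Return (stream_index, command, username) for every account-creation command seen."""
    hits = []
    for idx, data in enumerate(tcp_streams(pcap).values()):
        hits += [(idx, m.group(1).decode(), m.group(3).decode()) for m in ACCOUNT_CMD.finditer(data)]
    return hits

# Constructed capture: stream 0 is a benign request, stream 1 is the remote shell.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 50000, 80, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 50001, 4444, b"whoami\n"),
    build_frame("10.0.0.9", "10.0.0.5", 4444, 50001, b"root\n"),
    build_frame("10.0.0.5", "10.0.0.9", 50001, 4444, b"adduser marcelle\n"),
])
```

Running `find_account_creation(open("rogue_user.pcap", "rb").read())` on the real capture would point straight at the stream and username to inspect by hand in Wireshark.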
I created this challenge in a virtual machine environment using Wireshark to capture the traffic and netcat to establish the remote shell.