Try Hack me — Advent Of Cyber 2023 Day 17 Write Up — I Tawt I Taw A C2 Tat!
2023-12-22 13:15:5 Author: infosecwriteups.com (view original) Reads: 17

Leendert Coenen

InfoSec Write-ups

Room: Advent of Cyber 2023 Day 17


Similar to day 7, we're diving into log analysis, this time using command-line tools to slice up network flow data.

Something suspicious stands out straight away: a very large number of flows come from a single IP address at an extremely high frequency. That is a classic sign of a DoS attack.

Further analysis confirms the suspicion. The suspicious address never sends the ACK that completes the TCP three-way handshake (SYN, SYN-ACK, ACK): its flows carry a SYN and nothing else. That makes a SYN flood highly probable.

TCP three-way handshake process

rwcut, rwfilter and rwstats are command-line tools from the SiLK (System for Internet-Level Knowledge) suite, developed by the CERT NetSA group for working with network flow records. (They are not part of RITA; RITA, Real Intelligence Threat Analytics, is a separate project that analyses Zeek logs.) Here's a brief explanation of each:

rwcut

Purpose: rwcut reads binary SiLK flow records and prints the fields (columns) you ask for as text, so you can inspect them or pipe them into other tools.

rwfilter

rwfilter is the selection tool. It applies conditions such as time, source/destination address, port and protocol to flow records and writes the records that match to the --pass destination (and, optionally, the ones that do not match to --fail). With --pass=stdout the matching records can be piped straight into rwcut or rwstats.

rwstats

rwstats is used for statistical analysis of flow records. It groups records by one or more key fields (for example sIP or dPort), totals a chosen value per group (records, packets, bytes, distinct addresses) and reports the top or bottom N groups together with their share of the total.

These SiLK tools help network security analysts and researchers process, filter and summarise large volumes of flow data efficiently to identify potential threats or anomalies.
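To make the three tools concrete, here is an added Python example (not code from the write-up or from SiLK) that re-implements the rwfilter, rwcut and rwstats operations used in the tasks below over rwcut-style text, so the aggregation logic can be checked without a SiLK install. The function names mirror the tools; the flow records, addresses, ports and byte counts in SAMPLE_RWCUT are constructed for illustration.

```python
# Added example, not code from the write-up or from SiLK itself: a small
# Python re-implementation of the rwfilter / rwcut / rwstats operations used
# in this room, run over rwcut-style text. All flow records below are
# constructed for illustration; the addresses, ports and byte counts are made up.
from collections import Counter

# Constructed sample in the column layout printed by
#   rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,flags,sTime
# (rwcut labels the protocol column "pro" and pads the flags column).
SAMPLE_RWCUT = """\
         sIP|        dIP|sPort|dPort|pro|packets|bytes|   flags|                  sTime|
    10.0.0.5|  10.0.0.53|51010|   53| 17|      1|   70|        |2023/12/17T10:00:01.000|
   10.0.0.53|   10.0.0.5|   53|51010| 17|      1|  120|        |2023/12/17T10:00:01.004|
    10.0.0.5|  10.0.0.53|51011|   53| 17|      1|   70|        |2023/12/17T10:00:02.000|
198.51.100.7|  10.0.0.80|40001|   80|  6|      1|   40| S      |2023/12/17T10:00:03.000|
198.51.100.7|  10.0.0.80|40002|   80|  6|      1|   40| S      |2023/12/17T10:00:03.001|
198.51.100.7|  10.0.0.80|40003|   80|  6|      1|   40| S      |2023/12/17T10:00:03.002|
    10.0.0.9|  10.0.0.80|50100|   80|  6|      6|  900|FS PA   |2023/12/17T10:00:04.000|
   10.0.0.80|   10.0.0.9|   80|50100|  6|      5| 4000|FS PA   |2023/12/17T10:00:04.010|
"""

ALIASES = {"pro": "protocol"}          # header label -> command-line field name
INT_FIELDS = {"sPort", "dPort", "protocol", "packets", "bytes"}
# rwfilter option name -> record field it tests (--aport is handled separately)
OPTION_FIELD = {"protocol": "protocol", "sport": "sPort", "dport": "dPort",
                "saddress": "sIP", "daddress": "dIP"}


def parse_rwcut(text):
    """Turn pipe-delimited rwcut output into a list of dicts, one per flow."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [ALIASES.get(h.strip(), h.strip()) for h in lines[0].rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.rstrip("|").split("|")]
        rec = {}
        for name, cell in zip(header, cells):
            if name in INT_FIELDS:
                rec[name] = int(cell)
            elif name == "flags":
                rec[name] = cell.replace(" ", "")   # "FS PA" -> "FSPA"
            else:
                rec[name] = cell
        records.append(rec)
    return records


def rwfilter(records, **conds):
    """rwfilter equivalent: keep records that satisfy every condition.
    Supports the options used in the write-up: protocol (--proto), dport,
    saddress and aport, where aport matches either the source or the
    destination port."""
    def matches(r):
        for opt, want in conds.items():
            if opt == "aport":
                if want not in (r["sPort"], r["dPort"]):
                    return False
            elif r[OPTION_FIELD[opt]] != want:
                return False
        return True
    return [r for r in records if matches(r)]


def rwcut(records, fields, num_recs=None):
    """rwcut equivalent: project the chosen fields, optionally only the first N records."""
    subset = records if num_recs is None else records[:num_recs]
    return [tuple(r[f] for f in fields) for r in subset]


def rwstats(records, fields, value="records", count=10):
    """rwstats --top equivalent: group by the key fields, sum the chosen value
    (records, packets or bytes) and return the top N buckets as
    (key, total, percent_of_grand_total), like rwstats' %records column."""
    totals = Counter()
    for r in records:
        key = tuple(r[f] for f in fields)
        totals[key] += 1 if value == "records" else r[value]
    grand = sum(totals.values())
    return [(key, v, round(100.0 * v / grand, 2)) for key, v in totals.most_common(count)]


if __name__ == "__main__":
    flows = parse_rwcut(SAMPLE_RWCUT)
    # UDP records only, like rwfilter --proto=17 --pass=stdout | rwcut
    print(rwcut(rwfilter(flows, protocol=17), ["sIP", "dIP", "dPort"]))
    # share of records per destination port, like rwstats --fields=dPort
    print(rwstats(flows, ["dPort"]))
    # top talker by bytes, like rwstats --fields=sIP --values=bytes --count=1
    print(rwstats(flows, ["sIP"], value="bytes", count=1))
```

On the constructed sample, rwstats over dPort puts port 80 first with 50% of the records and port 53 second with 25%, and the byte ranking names 10.0.0.80 as the top talker; the same three calls, with the real file, are the commands used in Tasks 4 to 6.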

Task 1: Which version of SiLK is installed on the VM?

From the Desktop folder, where suspicious-flows.silk lives, we can run:

silk_config --version

which prints the version of the SiLK suite.

Version of SilK Suite

Task 2: What is the size of the flows in the count records?

rwfileinfo suspicious-flows.silk

rwfileinfo prints the file's header, including silk-version (the SiLK version that wrote the file) and count-records (the number of flow records it holds), so it answers both Task 1 and Task 2.

Answer to Task 2

Task 3: What is the start time (sTime) of the sixth record in the file?

rwcut suspicious-flows.silk --fields=sTime --num-recs=6

We ask for only the sTime column and only the first six records; the sixth line is the answer.

Answer Task 3

Task 4: What is the destination port of the sixth UDP record?

rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --num-recs=6

rwfilter keeps only the UDP records (IP protocol number 17; --proto is the accepted abbreviation of --protocol) and passes them to stdout, and rwcut reads them from stdin and prints the first six. The dPort column of the sixth row is the answer.

Answer Task 4

Task 5: What is the record value (%) of the dport 53?

rwstats suspicious-flows.silk --fields=dPort --values=records,packets,bytes,sIP-Distinct,dIP-Distinct --count=10

This ranks destination ports by record count; the %records value on the dPort 53 row is the answer. That is a lot of traffic on port 53!

Answer Task 5

Task 6: What is the number of bytes transmitted by the top talker on the network?

rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=10 --top

This time we aggregate by source IP and rank by bytes, which shows which host sent the most data.

Answer to Task 6

Task 7: What is the sTime value of the first DNS record going to port 53?

rwfilter suspicious-flows.silk --aport=53 --pass=stdout | rwstats --fields=sIP,dIP --values=records,bytes,packets --count=10 

Filtering for all traffic involving port 53 (--aport matches either the source or the destination port) and summarising by source/destination pair, we notice two IP addresses exchanging a large number of records.

Finding a suspicious IP

What is alarming is the frequency at which they talk to each other, and the same suspicious IP shows up again.

rwfilter suspicious-flows.silk --saddress=175.175.173.221 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,sTime | head -10

The first line of this output gives the sTime of the first DNS record from that host to port 53.

Frequency of communication between 2 IP addresses

Also, one of the two hosts never talks back.

Task 8: What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

Defang the suspicious IP we found in Task 7 and you’re good to go!

Task 9: Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

rwfilter suspicious-flows.silk --aport=80 --pass=stdout | rwstats --fields=sIP,dIP,dPort --count=10

Since the attacker sends requests so frequently, we can filter on port 80 and aggregate by source, destination and destination port (rwstats counts records by default).

Roughly half of the port 80 records come from a single source address to a single destination; that source is the suspected flood attacker.

Task 10: What is the sent SYN packet's number of records?

The Task 9 aggregation already gives the answer: the record count for the attacker's source/destination pair is the number of sent SYN packets, because each flood flow is a single SYN whose handshake never completed.
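The handshake check behind Task 10 and the SYN-flood reasoning at the top of the write-up, as an added Python example (not code from the write-up or from SiLK): each source is scored by how many of its TCP flows carry SYN but never ACK, and by how fast those flows arrive. In SiLK itself the equivalent selection is rwfilter's --flags-all=S/SA (cumulative flags with SYN set and ACK clear) piped into rwstats --fields=sIP. The flows, addresses, timings and the thresholds min_syn and min_ratio below are all constructed for illustration.

```python
# Added example, not code from the write-up or from SiLK: the SYN-flood test
# described in the write-up, scored per source address. A TCP flow whose
# cumulative flags are SYN without ACK never carried the ACK that completes
# the three-way handshake, so a source producing many such flows in a short
# window looks like a SYN flood. Records and thresholds are constructed for
# illustration; addresses and timings are made up.
from collections import defaultdict
from datetime import datetime

# Constructed flows: (sIP, dIP, dPort, packets, flags, sTime). Flags use the
# rwcut letters with the padding removed, e.g. "FSPA" for a full session.
FLOWS = [
    # a legitimate client: two complete sessions
    ("10.0.0.9", "10.0.0.80", 80, 6, "FSPA", "2023/12/17T10:00:04.000"),
    ("10.0.0.9", "10.0.0.80", 443, 7, "FSPA", "2023/12/17T10:00:05.000"),
    # a single lost SYN from another host: normal, must not trip the check
    ("10.0.0.11", "10.0.0.80", 80, 1, "S", "2023/12/17T10:00:06.000"),
]
# the flood: 50 single-packet SYN-only flows from one source within half a second
FLOWS += [("203.0.113.9", "10.0.0.80", 80, 1, "S", f"2023/12/17T10:00:03.{i * 10:03d}")
          for i in range(50)]

TIME_FMT = "%Y/%m/%dT%H:%M:%S.%f"   # the sTime layout rwcut prints


def syn_only(flags):
    """True when the flow saw SYN but never ACK: the handshake did not complete."""
    return "S" in flags and "A" not in flags


def score_sources(flows, min_syn=20, min_ratio=0.9):
    """Group flows by source address and report, per source, the total flow
    count, the SYN-only count, the SYN-only share, the observed flow rate,
    and whether the source trips the flood heuristic (at least min_syn
    SYN-only flows making up at least min_ratio of its flows)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    report = {}
    for src, fl in by_src.items():
        syns = sum(1 for f in fl if syn_only(f[4]))
        times = sorted(datetime.strptime(f[5], TIME_FMT) for f in fl)
        span = (times[-1] - times[0]).total_seconds()
        rate = len(fl) / span if span > 0 else float(len(fl))
        ratio = syns / len(fl)
        report[src] = {
            "flows": len(fl),
            "syn_only": syns,
            "ratio": round(ratio, 2),
            "flows_per_sec": round(rate, 1),
            "suspected_flood": syns >= min_syn and ratio >= min_ratio,
        }
    return report


def suspected(flows, **thresholds):
    """Sorted list of source addresses that trip the flood heuristic."""
    return sorted(src for src, s in score_sources(flows, **thresholds).items()
                  if s["suspected_flood"])


if __name__ == "__main__":
    for src, s in score_sources(FLOWS).items():
        print(src, s)
    print("suspected flood attacker(s):", suspected(FLOWS))
```

The single lost SYN from 10.0.0.11 is why the check needs both a minimum count and a minimum share: one incomplete handshake is ordinary packet loss, fifty of them in half a second from one source with no completed session is not. On the real file the same idea is what Task 9's aggregation exposes, with the record count of that source doubling as the number of SYN packets sent.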

Happy Hacking!



Source: https://infosecwriteups.com/try-hack-me-advent-of-cyber-2023-day-17-write-up-i-tawt-i-taw-a-c2-tat-3f7f112ab6b0?source=rss----7b722bfd1b8d---4