malphx://blog

Aller au contenu | Aller au menu | Aller à la recherche

dimanche, décembre 26 2010

Honeynet Project's FC6 "Analyzing Malicious Portable Destructive File": my submission

Honeynet Project The Honeynet Project's team has published the results for the 6th Forensic Challenge 2010.

My official results:

{{For this 6th challenge, we received a total of 21 submissions. With your score of 20, you came into position 7.

Below you will find your score per answer:

   Answer 1: 1 points 
   Answer 2: 2 points 
   Answer 3: 3 points 
   Answer 4: 1 points 
   Answer 5: 0.5 points 
   Answer 6: 1 points 
   Answer 7: 2.5 points 
   Answer 8: 4 points 
   Answer 9: 2 points 
   Answer 10: 1 points 
   Answer Bonus 1: 1 points 
   Answer Bonus 2: 1 points

This was a competitive challenge. The top three submissions were within a point of a total score and many submissions that didnt place in the top three were close. We hope you enjoyed the challenge and learned a bit.

The top three submissions have been posted to the challenge web page at http://honeynet.org/challenges/2010_6_malicious_pdf and we encourage you read through them.

We will be taking a little break, but will continue our challenges in 2011. We hope to see your submissions! }}

Well, this time the competition was really hard, as you can see with a score of 20/22 I came in position 7. Others were better ! :-)

If you're interrested my submission for FC6 is in attachment.

Feel free to leave a comment !

lundi, août 23 2010

Playing with SIP, NMAP and NSE, now writing a SIP library...

nmap.png


Since my last post, I finally decided to start writing a SIP library for nmap.
This lib will be minimalist and be largely based on the http.lua library taken from Nmap 5.0


It will be used by two NSE scripts:

  • sip-extscan.nse: a script which try to list (find) valid SIP extensions on a SIP registrar
  • sip-brute.nse: a script that try to bruteforce SIP extensions password on a registrar
Here are the first result:
The target used for the test is a Tribox based host (Asterisk PBX 1.6.0.26-FONCORE-r78)
With actually four extensions:
  • 5000 : protected with a good password
  • 5001: protected with a weak password
  • 5002: protected with the same weak password
  • 5003: not protected
Actually, sip-brute only try a dictionnary attack against the password and use the unpwdb library
sudo nmap -sU -p U:5060 -T5 --script sip-map2,sip-extscan3,sip-brute2 --script-args exten_range="5000-5010" 172.17.0.53
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-23 23:20 CEST
Interesting ports on 172.17.0.53:
PORT STATE SERVICE
5060/udp open sip
|_ sip-map2: SIP 2.0 device detected
| sip-extscan3:
| Unprotected Extensions
| 5003
| Protected Extensions
| 5000
| 5001
|_ 5002
| sip-brute2:
| exten: 5001 Password: 1234
|_ exten: 5002 Password: 1234

Nmap done: 1 IP address (1 host up) scanned in 107.24 seconds
It seems that the work is in the good way, however, a lot of testing must still be done.

mardi, août 17 2010

Playing with SIP, NMAP and NSE

nmap.png


In the last Honeynet Project's Forensic Challenge (FC4), one question (Section 1, question 2) caught my attention.
It was about the possibility that the given log file could have been generated using a "simple" Nmap UDP scan.
In the challenge, the answer was : No.
Because a "simple" Nmap's UDP scan uses UDP packets without any payload and thus could not generate valid SIP requests.
But, Nmap offers a powerful scripting engine: Nmap Scripting Engine or NSE.

With NSE it is possible to interact with the targetted host using simple to complex communication exchanges.

After having read the NSE part of the Nmap book, I decided to give a try at NSE.
My first NSE script (modestly) behaves like the SIPvicious tool: svmap.py.

This script, named sip-map.nse tries to find valid SIP server by sending a SIP OPTIONS request using the UDP protocol.

Usage:

# Without version (User-Agent) information
sudo nmap -sU -p U:5060 --script sip-map.nse
# With version information
sudo nmap -sU -p U:5060 -sV --script sip-map.nse
Output:
Interesting ports on X.X.X.X:
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.6.0.26-FONCORE-r78
|_ sip-map: SIP 2.0 compliant device detected

sip-map.nse is the first script from a series of scripts I wish to write.
These scripts will be about SIP scanning with a behaviour close to the SIPvicious tools but using Nmap.

You can download it here: sip-map.nse

Feel free to leave a comment !

dimanche, juillet 25 2010

Honeynet Project's FC4 "VoIP": my submission

The Honeynet Project's team has published the results for the 4th Forensic Challenge 2010 VoIP.


My official results:

Thank you for participating in the 4th Honeynet Project Forensic Challenge 2010: VoIP.
Sjur, Ben, Jianwei, Roland, and Julia finished evaluating your submission. You have received a total of 62 of 63 points.
Below you will find your score per answer:

  • Answer 1.1 (1point): 1 points
  • Answer 1.2 (1point): 1 points
  • Answer 1.3a (1point): 1 points
  • Answer 1.3b (1point): 1 points
  • Answer 1.3c (2points): 2 points
  • Answer 1.4a (2points): 2 points
  • Answer 1.4b (6points (2 each)): 6 points
  • Answer 1.5 (1point): 1 points
  • Answer 1.6 (3points): 3 points
  • Answer 1.7 (5points): 5 points
  • Answer 1.8a (3points): 3 points
  • Answer 1.8b (3points): 3 points
  • Answer 2.1 (4points): 4 points
  • Answer 2.2a (1points): 1 points
  • Answer 2.2b (1points): 0 points
  • Answer 2.3 (2points): 2 points
  • Answer 2.4 (2points): 2 points
  • Answer 2.5a (10points): 10 points
  • Answer 2.5b (3points): 3 points
  • Answer 2.5c (2points): 2 points
  • Answer 2.6 (3points): 3 points
  • Answer 3.1 (2points): 2 points
  • Answer 3.2 (2points): 2 points
  • Answer 3.3 (2points): 2 points

A sample solution as well as the submissions of the winners has been posted to the challenge web page at http://honeynet.org/challenges/2010_4_voip. Sjur, Ben, Jianwei, Roland, and Julia will be summarizing highlights from various submissions in a blog post shortly.

We are still finalizing our next challenge. Please subscribe to our RSS feed or check our web sites for announcements.

For this 4th challenge, we received a total of 21 submissions. With your score of 62, you came into position 1. Congratulations!!!!

You could find my submission for FC4 on the Honeynet Project's site. For this one, I've used a great visualization tool named PicViz written by Sébastien Tricaud from the French Chapter.
You should read his paper about his tool: Know Your Tools: use Picviz to find attacks

Feel free to leave a comment !

vendredi, mai 14 2010

My submission to the Honeynet Project Forensic challenge 2010/3

The Honeynet Project's team has published the results for their last forensic challenge.

Congratulations to the Winners !

This time, luck was not with me and I was not in the top 3, but came only in 4th position.

Because only the winners submissions are published on the Challenges official site, I publish mine here for review and comments.

Unfortunately, I misunderstood question 5...

This challenge was really good and again taught me a lot of new things and new tools.

My official results:

For this 3rd challenge, we received a total of 22 submissions. With your score of 41, you came into position 4. You placed into the top third. With the many great submissions and the competitive field, this is a great accomplishment. Congratulations.

Below you will find your score per answer:
    Answer 1: 2 points
    Answer 2: 4 points
    Answer 3: 2 points
    Answer 4: 4 points
    Answer 5: 1 points
    Answer 6: 8 points
    Answer 7: 2 points
    Answer 8: 6 points
    Answer 9: 4 points
    Answer 10: 5 points
In addition, you have received 3 bonus points.

You could find my submission here: franck_dot_guenichot_at_orange_dot_fr_Forensic_Challenge_2010_-_Challenge_3.pdf

Feel free to leave a comment !

- page 1 de 4