This report contain the findings of a forensics investigation of attack scene on a series of packet Capture(PCAP) nad the vpn and access log. This report provides evidence that the attack scene & how they create this malformed connection in victim server. Suspect established the cross Connection via the vpn connection from the ducducgo services to permoed the malformed attack In the victim server by user & root in the valid ssh connection.
This Report attachment services & the evidence also finds the attack & the addressing of the ips.
The tools used in this investigation were:
Sha1sum
Wireshark
Python 3
Visual Studio code Cyberchef Geolocation Founder Cat
Grep
wc
Access.log ( f33e0edc100c7746ce2892926b64209455245423 )
Route_1.pcapng ( a552dec3e454f94e9c91921be9832c3823e9aa93 )
Route.pcap ( 49b557c22ed66589ac05556860301a345b012565 )
Capture 1 ( Access.log )
Information given to the forensics investigator indicated the suspect download files which contained important or sensitive information from the authentication log file. Its included successful login attempt, invalid login, attack on user login, protocol and others various scenario. Upon Analysis, there were files transferred using various protocol using ssh & openvpn local server connection, protocol commonly used to access or tried authentication in the victim router network by their ovpn connection. All ip address can be found from this log that was tried to attempt.
Network Diagram:
Access.log File or auth.log file with openvpn.log files can be found from setup virtual machine file system log directory. Like /var/log
Here are some invalid login user attempt by the hacker connection tried to access in
server.
Like Length, How much tried to attempt using to user login & root access login included fault login attempt & successful login attempt in this attack.
Its also means the Authentication failure s list from this log, seen in given below image.Remote host also included in this log by the consider with openvpn connection. We need to find the attackers multiple changing ip address that we can clarify that their tried connection where its from. List will be shown in below.
Logname with uid & euid with the server response
*All IP addresses list & their details will be shown in attachment files. We can check from these.
Here is the exact Accepted publickey means accepted user from the tried section. Hacker using a random server by using open vpn connection and established the connection. SHA256 hash for RSA encryption secure connection presented in this log.
Capture 2 ( Openvpn.log )
Openvpn file .ovpn connection for attack and attempt to the user & root session in the Target server.
Openvpn log data also included in the authentication access log dataset.
Capture 2 ( router packet from Destination site )
De-authentication & Acknowledgement
● Account was used to log into the local server via TELNET- (username and password)
p2-server login: sstevenson
Password: R3@LLYG00Dp@$$w0rd!
● Account was used to log into the local router via HTTP- http_id=TIDd60f245957fb603a
Associated js & source File Attached.
This is the source file screenshot and main source file attached with the evidence
section.
● According to DNS in the capture, IP address hosts the duckduckgo.com website–
IP: 40.89.244.232
In this section, we can see that hacker using duckduckgo service for hide the source connection. From the previous authentication log files we saw that multiple ip connection attempt for authentication in pam_unix. We can find from dns packet section for ducducgo.
● DNS server(s) is/are being used to resolve names to IPs-
Here we found the most phase of network forensics, dns resolve names ips for The openvpn connection.
Capture 2 ( router packet from source site )
Routing Information packet Generation for Deauthentication & Acknowledgement
Capture source site packet when attacker used openvpn connection for setup and target the attack
Wireless Packet Statistics
We are extracted the packet for the wireless to check the hacker activities. We found their Malformed source code here(Also attached in evidence)-
//
wl_ifaces = [
['eth1','0',0,-1,'FreshTomato24','A0:04:60:CA:6C:B6',1,16,'ap','00:00:00:00:00:00']];
//
wl_bands = [ [ '2'] ];
//
nvram = {
'wl_nband': '2',
'wl0_nband': '2',
'wl_unit': '0',
'http_id': 'TIDd60f245957fb603a',
'web_mx': 'status,bwm',
'web_pb': ''};
function wl_fface(uidx) {
return wl_ifaces[uidx][1];
}
function wl_unit(uidx) {
return wl_ifaces[uidx][2];
}
function wl_sunit(uidx) {
return wl_ifaces[uidx][3];
}function wl_uidx(unit) {
for (var u = 0; u < wl_ifaces.length; ++u) {
if (wl_ifaces[u][2] == unit) return u;
}
return -1;
}
function wl_ifidx(ifname) {
for (var u = 0; u < wl_ifaces.length; ++u) {
if (wl_ifaces[u][0] == ifname) return u;
}
return -1;
}
function wl_ifidxx(ifname) {
for (var u = 0; u < wl_ifaces.length; ++u) {
if (wl_ifaces[u][1] == ifname) return u;
}
return -1;
}
function wl_display_ifname(uidx) {
return wl_ifaces[uidx][0]+(wl_sunit(uidx) < 0 ?
' (wl'+wl_fface(uidx)+')' : '')+((wl_bands[uidx].length == 1) ?
((wl_bands[uidx][0]
== '1') ? ' / 5 GHz' : ' / 2.4 GHz') : ((nvram['wl'+wl_unit(uidx)+'_nband'] ==
1)
?
' / 5 GHz' : ' / 2.4 GHz'));
}
And the status section is-
From Analyze the source packet & the source code, we can identify the pptp server ip stat and The netmask of hacker connection. We can prove it from the Authentication log file again. Check that-
