honeynet reverse challenge


Answers

Q1: Identify and explain the purpose of the binary.
Q2: Identify and explain the different features of the binary. What are its capabilities?
Q3: The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.
Q4: Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.
Q5: Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
Q6: Identify two tools in the past that have demonstrated similar functionality.

Identify and explain the purpose of the binary.

It is a multi-purpose utility for a variety of DoS attacks and for remote control (e.g. remote access to a root shell).

Identify and explain the different features of the binary. What are its capabilities?

It has 12 different commands (as chosen by the first double-byte of the encrypted payload):

  1. Relay the 'command' packet to 'others' (send_to_all?)
  2. Generate some random IPs.
  3. Execute the decrypted payload under csh and send back the results
  4. DNSFlood DoS
  5. Jolt2 Windows DoS
  6. Open a new network stream listener. Look for connections, check for the password 'TfOjG', set up the environment, and provide a root shell.
  7. Execute the packet as a csh command
  8. Exit a waiting state of the binary (?)
  9. DNSFlood again, but with different arguments?
  10. SYNFlood DoS attack
  11. SYNFlood with slightly different parameters
  12. DNSFlood2, a function very similar to DNSFlood

The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.

See here.

Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

A sniffer looking for NVP packets, or in general any out-of-the-ordinary traffic that does not look like typical UDP, TCP, or ICMP traffic. Also, perhaps, looking for packets that the other socket listens for (it waits for a stream connection in order to provide a shell). Lastly, looking for DoS traffic going outward would be another indication that a tool like this is present on the interior network. A tool like RID can also help test for and identify DDoS agents.
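One way to implement the "sniffer for out-of-the-ordinary traffic" idea above, as an added Python example that is not part of the original write-up: it parses raw IPv4 headers and flags any packet whose protocol field is not TCP, UDP or ICMP, which catches NVP (IANA protocol number 11) without needing a signature specific to this binary. The sample packets are constructed inline; reading from a live interface or a capture file is left to the reader.

```python
import struct

# IANA-assigned IPv4 protocol numbers; 11 is NVP-II, the protocol this binary talks over
PROTO_NAMES = {1: "ICMP", 6: "TCP", 11: "NVP-II", 17: "UDP"}
EXPECTED = {1, 6, 17}  # what "ordinary" traffic on most networks uses

def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed 20-byte part of an IPv4 header from raw bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ihl": (ver_ihl & 0x0F) * 4,
    }

def flag_unusual_protocols(packets):
    """Return (src, dst, proto, name) for each packet whose IP protocol is not TCP/UDP/ICMP."""
    hits = []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr["proto"] not in EXPECTED:
            name = PROTO_NAMES.get(hdr["proto"], "unknown")
            hits.append((hdr["src"], hdr["dst"], hdr["proto"], name))
    return hits

def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample packet (header checksum left zero; fine for a parsing demo)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

# Constructed sample traffic: normal TCP/UDP/ICMP plus one NVP (protocol 11) packet
SAMPLE = [
    make_ipv4("10.0.0.5", "10.0.0.1", 6, b"\x00\x50"),
    make_ipv4("10.0.0.5", "10.0.0.53", 17),
    make_ipv4("10.0.0.5", "10.0.0.1", 1),
    make_ipv4("192.0.2.7", "10.0.0.5", 11, b"\x02\x00"),
]

if __name__ == "__main__":
    for src, dst, proto, name in flag_unusual_protocols(SAMPLE):
        print(f"ALERT unusual IP protocol {proto} ({name}) {src} -> {dst}")
```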

Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

No debugging symbols, forks a lot, statically linked (large binary), compiler-optimized (most likely). The binary could have been obscured further (using something like a 'booter' which decrypts the code and then executes it), but was not.

Identify two tools in the past that have demonstrated similar functionality.

Trinoo and Shaft are similar DDoS agent tools.

