Alabaster Snowball is in dire need of your help. Santa's file server has been hit with malware. Help Alabaster Snowball deal with the malware on Santa's server by completing several tasks.
For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.
Objective 9.1: Assist Alabaster by building a Snort filter to identify the malware plaguing Santa's Castle.
Note: Shinny Upatree can be found on Floor 1, on the south-eastern side of the lobby area.
Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie? Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted. Many elves were affected, so Alabaster went to go see if he could help out. I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer. An elf I follow online said he analyzed Wannacookie and that it communicates over DNS. He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way. Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie! Of course, this all depends how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt. Perhaps there is a flaw in the wannacookie author's DNS server that we can manipulate to retrieve what we need. If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.
The objective can be accessed directly via this link:
Connect to the Snort Challenge console or navigate to:
============================================================
INTRO:
  Kringle Castle is currently under attacked by new piece of ransomware that is encrypting all the elves files. Your job is to configure snort to alert on ONLY the bad ransomware traffic.
GOAL:
  Create a snort rule that will alert ONLY on bad ransomware traffic by adding it to snorts /etc/snort/rules/local.rules file. DNS traffic is constantly updated to snort.log.pcap
COMPLETION:
  Successfully create a snort rule that matches ONLY bad DNS traffic and NOT legitimate user traffic and the system will notify you of your success.
Check out ~/more_info.txt for additional information.
Check the contents of the file ~/more_info.txt
elf@59f9a5f70ada:~$ cat more_info.txt
MORE INFO:
  A full capture of DNS traffic for the last 30 seconds is constantly updated to:
  /home/elf/snort.log.pcap
  You can also test your snort rule by running:
  snort -A fast -r ~/snort.log.pcap -l ~/snort_logs -c /etc/snort/snort.conf
  This will create an alert file at ~/snort_logs/alert
  This sensor also hosts an nginx web server to access the last 5 minutes worth of pcaps for offline analysis. These can be viewed by logging into:
  http://snortsensor1.kringlecastle.com/
  Using the credentials:
  ----------------------
  Username | elf
  Password | onashelf
  tshark and tcpdump have also been provided on this sensor.
HINT:
  Malware authors often user dynamic domain names and IP addresses that change frequently within minutes or even seconds to make detecting and block malware more difficult. As such, its a good idea to analyze traffic to find patterns and match upon these patterns instead of just IP/domains.
elf@59f9a5f70ada:~$
Login to http://snortsensor1.kringlecastle.com/
Download one or more of the .pcap files
Open the .pcap file in Wireshark. Notice that some DNS requests are sent to non-standard DNS ports. Exclude the good traffic using this display filter:
!(udp.dstport == 53)
The packets to non-standard DNS ports all contain the string "77616E6E61636F6F6B69652E6D696E2E707331"
356 3.606484 22.214.171.124 10.126.0.26 Standard query response 0xedf0 TXT 58.77616E6E61636F6F6B69652E6D696E2E707331.rehrugnbsa.org TXT 57608 DNS 425
2 0.010593 126.96.36.199 10.126.0.19 Standard query response 0xa4b6 TXT 77616E6E61636F6F6B69652E6D696E2E707331.nsaehrgrub.org TXT 38663 DNS 167
The string "77616E6E61636F6F6B69652E6D696E2E707331" is a unique identifier that can be used to create the Snort rule. Add a snort rule as follows:
elf@524792a816b4:~$ echo 'alert udp any any -> any any (msg:"Bad DNS"; sid:10000001; rev:001; content:"77616E6E61636F6F6B69652E6D696E2E707331";)' > /etc/snort/rules/local.rules
Shortly after the line is added, the congratulation message appears:
elf@524792a816b4:~$ echo 'alert udp any any -> any any (msg:"Bad DNS"; sid:10000001; rev:001; content:"77616E6E61636F6F6B69652E6D696E2E707331";)' > /etc/snort/rules/local.rules
elf@524792a816b4:~$
[+] Congratulation! Snort is alerting on all ransomware and only the ransomware!
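The following Python sketch is an added example, not part of the original write-up or the challenge. It shows why the rule's content match fires on the wire, what the hex label decodes to, and how to flag hex-encoded labels in general, as the HINT suggests, rather than one fixed string. The packets are constructed from a domain in the capture rows above plus a made-up benign name; all function names are hypothetical.

```python
import re
import struct

# Hex label and domain copied from the capture rows on this page.
MARKER = b"77616E6E61636F6F6B69652E6D696E2E707331"
BAD_NAME = "58." + MARKER.decode() + ".rehrugnbsa.org"
GOOD_NAME = "www.example.com"  # constructed benign lookup

def build_query(name, txid=0x1234):
    """Constructed DNS packet: 12-byte header plus one TXT (type 16) question."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack(">HH", 16, 1)

def parse_qname(payload):
    """Walk the length-prefixed labels of the first question (no dots on the wire)."""
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:  # compression pointer: not expected in a first question
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return labels

def hex_labels(labels):
    """Map each label that is pure hex-encoded printable ASCII to its decoded text."""
    found = {}
    for label in labels:
        if len(label) >= 8 and len(label) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", label):
            raw = bytes.fromhex(label)
            if all(0x20 <= b < 0x7F for b in raw):
                found[label] = raw.decode("ascii")
    return found

def content_hit(payload, content=MARKER):
    """Model of a plain Snort content: option, a raw byte search of the payload."""
    return content in payload

if __name__ == "__main__":
    for name in (BAD_NAME, GOOD_NAME):
        pkt = build_query(name)
        print(name, content_hit(pkt), hex_labels(parse_qname(pkt)))
    # A pattern that spans the dot misses: the wire has a length byte there instead.
    print(content_hit(build_query(BAD_NAME), MARKER + b".rehrugnbsa.org"))
```

The content string in the rule works because the whole hex identifier sits inside a single DNS label; a pattern that included the following dot and domain would never match the raw packet.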