Decoding the Metasploit shell

Let's start investigating the file in Wireshark to try to deduce what happened. We will focus on gathering the following details:

  • C2 server IP
  • C2 server port
  • Infected system IP
  • Infected system's port
  • Actions performed by the attacker
  • Time of the attack
  • Duration of the attack

Let's fire up Wireshark and choose Statistics | Conversations | TCP tab:

We can see that we have two conversations primarily between 192.168.46.128 and 192.168.46.129 on port 80 and 4433. Let's filter the conversation using TCP as the filter and analyze the output:

We can see that the first TCP packets (23-25) are nothing but the three-way handshake. However, a separate conversation then starts at packet 71. Another strange thing is that the port in use is port 80, yet Wireshark still shows the payload as raw TCP data rather than dissecting it as application-layer (HTTP) data. This happens when port 80 is being used for non-HTTP communications, and it is a useful indicator in itself. Let's right-click on packet 71 and follow the TCP stream:

Well, it looks as though we have our culprit! We can see a dir command being pushed and data being received. It is a case of C2 where the attacker might have executed the dir command and the response was sent to them. However, we have plenty of commands in the filtered streams. Additionally, the number of streams present in the pcap file is equal to the number of streams displayed in the TCP tab of the conversations. Hence, we know that there are four streams in the file, which are as follows:

  • The three-way handshake
  • The setup for C2 on port 80
  • The dir command
  • Communication on port 4433

Although stream 2, which contains the dir command, is listed beneath stream 1, stream 1 actually ended well after stream 2, because it was a continuous live shell session rather than a single command and response.

Coming back to the commands in stream 1, the following command was executed:

    cmd.exe /c "echo. | powershell get-host"&echo STJEXrMKAkjOshArBckoeWYztVtWXdpt

The preceding command runs get-host from PowerShell, which displays the following output:

    Name : ConsoleHost
    Version: 2.0
    InstanceId : 12db3119-6933-4952-926a-b57f6d910559
    UI: System.Management.Automation.Internal.Host.InternalHostUserInterface
    CurrentCulture : en-US
    CurrentUICulture : en-US
    PrivateData: Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
    IsRunspacePushed: False
    Runspace: System.Management.Automation.Runspaces.LocalRunspace

    STJEXrMKAkjOshArBckoeWYztVtWXdpt

We can also see an identifier being echoed in the command. This identifier is generally used to identify unique output from a compromised host while also denoting the end of the output. Let's look at the next command:
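The end-of-output marker described above can be used to reconstruct the attacker's session from a followed TCP stream. The following Python parser is an added example (not from the book or from Metasploit) that splits a reassembled stream into (command, output) pairs by locating each `&echo <token>` command line and the later echo of the same token; the stream text, the second token and the `dir` output are constructed sample data.

```python
import re
from typing import List, Tuple

# Constructed sample of what "Follow TCP Stream" shows for a C2 stream:
# each command is suffixed with "&echo <token>", and the token reappears
# once the command's output is complete. The second token is made up.
SAMPLE_STREAM = (
    'cmd.exe /c "echo. | powershell get-host"&echo STJEXrMKAkjOshArBckoeWYztVtWXdpt\r\n'
    'Name : ConsoleHost\r\nVersion: 2.0\r\n\r\nSTJEXrMKAkjOshArBckoeWYztVtWXdpt\r\n'
    'dir&echo QwErTyUiOpAsDfGhJkLzXcVbNmQwErTy\r\n'
    ' Volume in drive C has no label.\r\n Directory of C:\\Users\\victim\r\n\r\n'
    'QwErTyUiOpAsDfGhJkLzXcVbNmQwErTy\r\n'
)

# A command line that ends in "&echo <32 alphanumeric chars>"; the same token
# later terminates that command's output.
CMD_RE = re.compile(r'^(?P<cmd>.+?)&echo (?P<token>[A-Za-z0-9]{32})\s*$', re.M)


def split_c2_stream(stream: str) -> List[Tuple[str, str]]:
    """Return (command, output) pairs reconstructed from a reassembled stream."""
    pairs = []
    pos = 0
    while True:
        match = CMD_RE.search(stream, pos)
        if not match:
            break
        token = match.group('token')
        start = match.end()
        end = stream.find(token, start)
        if end == -1:
            # Terminator never seen: the session ended (or the capture was cut)
            # before the host finished answering. Keep whatever output exists.
            pairs.append((match.group('cmd'), stream[start:].strip()))
            break
        pairs.append((match.group('cmd'), stream[start:end].strip()))
        pos = end + len(token)   # resume after the terminator
    return pairs


if __name__ == '__main__':
    for number, (cmd, out) in enumerate(split_c2_stream(SAMPLE_STREAM), 1):
        print(f'[{number}] command: {cmd}')
        print(f'    output : {out!r}')
```

Feeding it the text saved from Wireshark's Follow TCP Stream dialog (one direction or both, as the shell interleaves them) yields the attacker's command timeline for the "actions performed" item on our list.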
