My thanks to Kenji Aiko for requesting a challenge; below is the solution to the problem I set.

(Forensic 100)


/////////////////////////////////////////////////////////////////////////////////////////////////////////

 

 

Forensic 100 - writeup

Date. 2016. 11. 07.

Written by crattack

 

 

 

Question.

While using a computer, the user noticed it was slowing down. Investigating the cause, a particular file was found to be connecting to the Internet continuously. Accessing the site it connects to revealed a specific phrase.

Access that site and obtain the specific phrase, the flag.



Write up.

 

1. Check the image information

( http://downloads.volatilityfoundation.org/releases/2.4/volatility_2.4.win.standalone.zip)

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" imageinfo

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Determining profile based on KDBG search...

 

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)

                     AS Layer2 : FileAddressSpace (C:\Forensic_100\forensic_100.raw)

                      PAE type : PAE

                           DTB : 0x34c000L

                          KDBG : 0x80545ce0L

          Number of Processors : 1

     Image Type (Service Pack) : 3

                KPCR for CPU 0 : 0xffdff000L

             KUSER_SHARED_DATA : 0xffdf0000L

           Image date and time : 2016-10-31 05:45:14 UTC+0000

     Image local date and time : 2016-10-31 14:45:14 +0900

Two things to note here. The "Failed to import volatility.plugins.linux.netscan" warning only means the yara-python module is not installed; none of the plugins used below need it. Also, Volatility instantiated the WinXPSP2x86 profile even though the image reports Service Pack 3, so the remaining commands are better run with --profile=WinXPSP3x86 given explicitly; the commands below omit it and still parsed correctly, but an explicit profile avoids misparsed structures on other images.

2. Identify abnormal processes from the DLL list

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" dlllist > C:\Forensic_100\dlllist.txt

 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

************************************************************************

System pid:      4

Unable to read PEB for task.

************************************************************************

smss.exe pid:    540

Unable to read PEB for task.

************************************************************************

csrss.exe pid:    604

Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll

0x75b50000    0x10000        0x3 C:\WINDOWS\system32\basesrv.dll

0x75b60000    0x4b000        0x2 C:\WINDOWS\system32\winsrv.dll

0x77f10000    0x49000        0xa C:\WINDOWS\system32\GDI32.dll

0x7c800000    0xf6000       0x1f C:\WINDOWS\system32\KERNEL32.dll

0x7e410000    0x91000        0xa C:\WINDOWS\system32\USER32.dll

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

0x77dd0000    0x9b000        0xd C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000        0x7 C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000        0x5 C:\WINDOWS\system32\Secur32.dll

0x7e720000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll

************************************************************************

………………………………………………

 

DumpIt.exe pid:   3784

Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000    0x35000     0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x77f60000    0x76000     0xffff C:\WINDOWS\system32\SHLWAPI.dll

0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll

0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll

0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll

0x76390000    0x1d000        0x1 C:\WINDOWS\system32\IMM32.DLL

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

************************************************************************

svchost.exe pid:    1776

Command line : "C:\WINDOWS\svchost.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll

0x003c0000    0x15000     0xffff C:\WINDOWS\system32\VCRUNTIME140.dll

0x003e0000     0x4000     0xffff C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll

0x00410000    0xd8000     0xffff C:\WINDOWS\system32\ucrtbase.dll

0x003f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll

0x004f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll

…………………………..

************************************************************************

………………………….

IEXPLORE.EXE pid:   2304

Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2496 CREDAT:79880

Service Pack 3

……………………………………………………
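Reading a full dlllist dump by eye does not scale, so here is the check a practitioner would script for it, as an added example that is not part of the original write-up. It parses the dlllist text format shown above, then flags any process that carries the name of a core Windows binary but runs from outside system32, and any DLL loaded from a directory a system process should not be loading from. The sample input is a constructed excerpt modelled on the listing above (module lists trimmed); the set of "system32-only" binaries and the trusted DLL directories are assumptions for an XP-era layout.

```python
"""Triage a Volatility 2 `dlllist` listing for processes that do not live
where the binary they are named after belongs, and for DLLs loaded from
unexpected directories. Added example, not from the original write-up."""
import re

# Assumption: XP-era layout, where these binaries exist only under system32.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
                   "services.exe", "winlogon.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumption: directories a system process normally loads DLLs from.
TRUSTED_DLL_DIRS = (SYSTEM32, r"c:\windows\winsxs")

HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)$")
CMDLINE_RE = re.compile(r'^Command line : (?:"(?P<q>[^"]+)"|(?P<u>\S+))')
MODULE_RE = re.compile(
    r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<path>.+)$", re.I)

# Constructed excerpt in dlllist's own format (module lists trimmed).
SAMPLE = r"""
************************************************************************
csrss.exe pid:    604
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll
************************************************************************
DumpIt.exe pid:   3784
Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000    0x35000     0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
************************************************************************
svchost.exe pid:    1776
Command line : "C:\WINDOWS\svchost.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll
0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll
"""


def parse_dlllist(text):
    """Return one dict per process: name, pid, image path, loaded modules."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "pid": int(m.group("pid")),
                   "image": None, "modules": []}
            procs.append(cur)
            continue
        if cur is None:
            continue
        m = CMDLINE_RE.match(line)
        if m:
            cur["image"] = m.group("q") or m.group("u")
            continue
        m = MODULE_RE.match(line)
        if m:
            path = m.group("path")
            # The main image is sometimes reported with the NT "\??\" prefix.
            cur["modules"].append(path[4:] if path.startswith("\\??\\") else path)
    return procs


def triage(procs):
    """Return (pid, reason, path) for every anomaly found."""
    findings = []
    for p in procs:
        image = (p["image"] or "").lower()
        if (p["name"].lower() in SYSTEM_BINARIES and image
                and not image.startswith(SYSTEM32 + "\\")):
            findings.append((p["pid"], "image outside system32", p["image"]))
        for mod in p["modules"][1:]:          # index 0 is the main image
            if not any(mod.lower().startswith(d + "\\") for d in TRUSTED_DLL_DIRS):
                findings.append((p["pid"], "module outside trusted dirs", mod))
    return findings


if __name__ == "__main__":
    for pid, reason, path in triage(parse_dlllist(SAMPLE)):
        print(f"pid {pid}: {reason}: {path}")
```

Run against the full dlllist.txt the script singles out pid 1776 twice (image path and JDMBackgroundProcess.dll) and stays quiet about csrss.exe and DumpIt.exe, which is exactly the manual conclusion reached above. Processes whose PEB could not be read (System, smss.exe) have no command line and are skipped rather than flagged.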

 

 

3. Dump and analyze the suspicious process

Process 1776 stands out in the list above: it is named svchost.exe but runs from C:\WINDOWS\svchost.exe rather than C:\WINDOWS\system32\svchost.exe, where the genuine service host lives, and it has loaded C:\WINDOWS\JDMBackgroundProcess.dll, which is not a Windows component, together with the Visual C++ 2015 runtime (MSVCP140.dll, VCRUNTIME140.dll, ucrtbase.dll), which no stock XP service process uses.

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" procdump --pid=1776 -D c:\forensic_100\

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Process(V) ImageBase  Name                 Result

---------- ---------- -------------------- ------

0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

 

 



Extracting the strings from the dumped executable.1776.exe shows a hard-coded command that launches Internet Explorer against a fixed URL (columns: file offset, in-memory address, string):

000000001B68   000000403368      0   C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd


 

4. Check the connection information

Check the domain

 




C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" connections > C:\Forensic_100\connections.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

The remote address 153.127.200.178 does not match the address that crattack.tistory.com resolves to, so tampering with name resolution on the host (rather than a change at the real site) is suspected.

 

5. Locate the hosts file in memory so it can be dumped

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" filescan > c:\forensic_100\filescan.txt


 



 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(P)            #Ptr   #Hnd Access Name

------------------ ------ ------ ------ ----

0x0000000001734038      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x000000000174a270      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x0000000001756cf8      1      0 R--r-d \Device\HarddiskVolume1??????


?

0x00000000017634f0      1      0 -W---- \Device\HarddiskVolume1??????????????

0x0000000001763c60      1      0 R--r-d \Device\HarddiskVolume1?

0x0000000001794b18      3      0 RWD--- \Device\HarddiskVolume1\$Directory

.........................................

0x00000000020f0268      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\svchost.exe

0x00000000020f0a90      2      1 ------ \Device\NamedPipe\PCHHangRepExecPipe

0x00000000020f3888      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt

0x00000000020f4f90      1      1 ------ \Device\NamedPipe\net\NtControlPipe8

0x00000000020f5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\041e

0x00000000020f50d0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425

0x00000000020f5e38      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f5f90      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f6108      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\040C

0x00000000020f8658      3      0 RWD--- \Device\HarddiskVolume1\$ConvertToNonresident

.............................

0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

………………………

 

Dump the hosts file using the offset filescan reported. dumpfiles -Q takes the physical offset from the Offset(P) column, and the recovered content is written into the dump directory; it reads as follows.

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" dumpfiles -Q 0x217b748 --dump-dir=c:\forensic_100\

 

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

127.0.0.1       localhost

153.127.200.178    crattack.tistory.com

 

Applying that hosts entry to the URL embedded in the binary gives the server the machine was actually contacting (which matches the 153.127.200.178:80 connection seen earlier); the flag is on the page at:

http://153.127.200.178/entry/Data-Science-import-pandas-as-pd
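The last two steps (read the recovered hosts file, tie it to the connection, rewrite the URL) are the part worth automating, because a hosts-file hijack is exactly the kind of thing that is easy to miss when the rest of the evidence looks like a normal visit to a well-known site. The following is an added example, not code from the write-up: it parses hosts content, flags names steered to a non-loopback address, matches those addresses against Volatility connections output, and rewrites the embedded URL to the host that was really reached. The two sample texts are constructed copies of the hosts file and connection line shown above.

```python
"""Correlate a recovered hosts file with Volatility `connections` output and
work out which server a hard-coded URL really reached. Added example, not
from the original write-up; the sample texts are constructed copies of the
hosts file and connection line shown above."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

HOSTS_SAMPLE = """
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# For example:
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
153.127.200.178    crattack.tistory.com
"""

CONNECTIONS_SAMPLE = """
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080
"""

CONN_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+)")


def parse_hosts(text):
    """Return [(ip_address, [hostnames])] for every active hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, ignore
        entries.append((ip, fields[1:]))
    return entries


def suspicious_overrides(entries):
    """Names steered to a non-loopback address: the hijack pattern seen above.
    Returns [(hostname, ip_string)]."""
    out = []
    for ip, names in entries:
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue
        out.extend((name, str(ip)) for name in names)
    return out


def parse_connections(text):
    """Return dicts with local/remote endpoints and pid from `connections`."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append({"local": m.group(1), "lport": int(m.group(2)),
                          "remote": m.group(3), "rport": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns


def explain_connections(conns, overrides):
    """Map each remote IP to the hostnames the hosts file redirects to it."""
    by_ip = {}
    for name, ip in overrides:
        by_ip.setdefault(ip, []).append(name)
    return {c["remote"]: by_ip.get(c["remote"], []) for c in conns}


def effective_url(url, overrides):
    """Rewrite the URL's host with the address the hosts file resolves it to."""
    parts = urlsplit(url)
    mapping = {name.lower(): ip for name, ip in overrides}
    ip = mapping.get((parts.hostname or "").lower())
    if ip is None:
        return url                                # not overridden: unchanged
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    overrides = suspicious_overrides(parse_hosts(HOSTS_SAMPLE))
    print(explain_connections(parse_connections(CONNECTIONS_SAMPLE), overrides))
    print(effective_url(
        "http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd",
        overrides))
```

One caveat on the heuristic: an intranet hosts entry pointing at a private address is legitimate on many corporate machines, so treat the output as a list of candidates to verify against DNS, not as a verdict.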



------------------------------------------------------

This concludes the write-up.

It was fun to create a challenge again after such a long time. ( _ _ )

License: CC BY-NC-ND (Attribution, NonCommercial, NoDerivatives)


1. Expressing a threshold simply



To see how many rows in a large dataset exceed a given value, you can use the interact library (from ipywidgets) to present the threshold as a slider bar, as follows.



from ipywidgets import interact

# `data` is a pandas DataFrame loaded earlier in the notebook, with a
# numeric `trip_distance` column; it is not created in this snippet.
@interact
def show_nrows(distance_threshold=(0, 200)):
    # interact renders the (0, 200) tuple as an integer slider and re-runs
    # the function on every change, showing the row count above the cut-off
    return len(data.loc[data.trip_distance > distance_threshold])




As in the figure above, the interact widget shows that 11 rows have a value greater than 69.


2. Installing an Anaconda package



conda install [package name] -q -y


[Output]


C:\Users\crattack>conda install seaborn -q -y

Using Anaconda Cloud api site https://api.anaconda.org

Fetching package metadata: ....

Solving package specifications: .........


Package plan for installation in environment C:\Anaconda2:


The following packages will be downloaded:


    package                    |            build

    ---------------------------|-----------------

    conda-env-2.6.0            |                0          498 B

    python-2.7.12              |                0        23.5 MB

    ruamel_yaml-0.11.14        |           py27_0         212 KB

    conda-4.2.12               |           py27_0         454 KB

    seaborn-0.7.1              |           py27_0         272 KB

    ------------------------------------------------------------

                                           Total:        24.4 MB


The following NEW packages will be INSTALLED:


    ruamel_yaml: 0.11.14-py27_0

    seaborn:     0.7.1-py27_0


The following packages will be UPDATED:


    conda:       4.0.5-py27_0 --> 4.2.12-py27_0

    conda-env:   2.4.5-py27_0 --> 2.6.0-0

    python:      2.7.11-4     --> 2.7.12-0 







Once you have started doing data analysis, the next thing to learn is how to use Hadoop.

Pulling data out of it may still be a stretch, but once you have been granted access to Hadoop you should at least connect to it as a test.


So how do you connect for a test?

You could write test code for it, but a web browser is quite enough.


First, check the ports Hadoop uses, which are what you will test against.


http://blog.cloudera.com/blog/2009/08/hadoop-default-ports-quick-reference/



Daemon                         Default Port   Configuration Parameter
HDFS  Namenode                 50070          dfs.http.address
      Datanodes                50075          dfs.datanode.http.address
      Secondarynamenode        50090          dfs.secondary.http.address
      Backup/Checkpoint node*  50105          dfs.backup.http.address
MR    Jobtracker               50030          mapred.job.tracker.http.address
      Tasktrackers             50060          mapred.task.tracker.http.address

* Replaces the secondarynamenode in 0.21.


Run the access test against the ports above. Two caveats: the table is the Hadoop 1.x reference from 2009, and later releases changed it (Hadoop 2 renamed dfs.http.address to dfs.namenode.http-address; Hadoop 3 moved the NameNode web UI to port 9870 and the DataNode web UI to 9864), so confirm the numbers in the cluster's hdfs-site.xml and mapred-site.xml or yarn-site.xml before relying on them. And these web UIs carry no authentication by default, so if they answer from a network that should not be able to reach them, that is a finding in itself.


http://localhost:50070


If that page loads, the access test has passed and you can move on to the coding.
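When there are several hosts or several daemons to check, a scripted reachability test is quicker than opening each URL by hand. The following is an added example, not from the original post: it probes every port in the table above with a TCP connect and reports which ones answer. It assumes the cluster still uses the Hadoop 1.x defaults (a Hadoop 2.x/3.x cluster needs its own port list passed in) and that a completed TCP handshake is a good enough first check before loading the page in a browser. The two helper functions at the end only exist so the probe can be exercised without a cluster.

```python
"""Reachability check for the Hadoop 1.x web UI ports listed above. Added
example, not from the original post. Assumptions: the cluster still uses
those defaults (Hadoop 2.x/3.x differ), and a plain TCP connect is a good
enough first test before opening the URL in a browser."""
import socket

HADOOP_HTTP_PORTS = {
    "namenode": 50070,
    "datanode": 50075,
    "secondarynamenode": 50090,
    "backup_checkpoint_node": 50105,
    "jobtracker": 50030,
    "tasktracker": 50060,
}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused, timed out, unreachable
            return False
        return True


def probe_hadoop(host, ports=None, timeout=1.0):
    """Return {daemon: reachable} for each port (defaults to the table above)."""
    ports = HADOOP_HTTP_PORTS if ports is None else ports
    return {name: tcp_open(host, port, timeout) for name, port in ports.items()}


def start_dummy_listener():
    """Bind an ephemeral loopback port so the probe can be exercised without
    a cluster (test helper, not a Hadoop daemon). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port with nothing listening (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for daemon, up in probe_hadoop("localhost").items():
        print(f"{daemon:24s} {'reachable' if up else 'closed'}")
```

A port that answers only proves a listener is there; the HTTP UI itself (and whether it is reachable from where it should not be) still has to be confirmed in the browser, which is the test the post goes on to do.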


To be continued...
