26 Feb 2012

CODEGATE 2012 – Network 200

Challenge description

To whom it may concern to DoS attack.

What is the difference between attack and normal traffic?
The attached PCAP file is from a suspicious client PC which may be infected.
If you find the TOP 4 targeted addresses, let me know the exact information such as below.

Answer: COUNTRY_NAME_TOP1(3)COUNTRY_NAME_TOP2(13)COUNTRY_NAME_TOP3(2)COUNTRY_NAME_TOP4(5)_1.1.1.1_2.2.2.2_3.3.3.3_4.4.4.4

EX)
kind_1.1.1.1_2.2.2.2_3.3.3.3_4.4.4.4
TOP1 1.1.1.1 __k___
TOP2 2.2.2.2 ____________i___
TOP3 3.3.3.3 _n___
TOP4 4.4.4.4 ____d____


So we got another pcap file with network traffic. This time we had to find the malicious traffic to four targets and build the answer from the targets' IP addresses and their geographic locations. We assumed the top 4 should be ranked by the number of packets sent to each target. The first thing we did was to create a list of destination IP addresses sorted by packet count: we exported the packet details from Wireshark as plain text and used command line tools to extract the destination addresses and count how often each one occurs:

$ egrep -o 'Dst:[^B]*\([^)]*\)' net200.txt | egrep -o '([0-9]*\.){3}[0-9]*' >> net200.dst
$ # -x -F: count whole-line literal matches only, so 8.8.8.8 is not also counted inside 18.8.8.8
$ for i in $(sort -u net200.dst) ; do echo -n "$i: " ; grep -cxF -- "$i" net200.dst ; done | sort -t: -k2 -nr | head -20
111.221.70.11: 105240
1.2.3.4: 25340
109.123.118.42: 5920
174.35.40.44: 1274
220.73.139.203: 904
123.214.170.56: 750
199.7.48.190: 622
220.73.139.201: 560
8.8.8.8: 496
74.125.71.94: 416
208.46.163.42: 372
175.158.10.55: 292
174.35.40.43: 290
74.125.71.120: 240
74.125.71.104: 232
69.171.234.16: 206
66.150.14.48: 198
61.110.213.19: 188
184.28.147.55: 168
174.35.40.45: 164

Next we looked up the IP addresses in Wireshark, starting from the top of the list, to see whether the traffic to each of them looked malicious. Plain packet count alone is not enough: 1.2.3.4 and 174.35.40.44 are high on the list but are not attack targets. After checking a number of addresses we came up with the following list:

  • 111.221.70.11 – a lot of TCP SYN requests
  • 109.123.118.42 – a lot of HTTP requests
  • 199.7.48.190 – POSTs with Content-Length: 100000000
  • 66.150.14.48 – strange http->http requests
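To show the counting step and the classification step together in one runnable piece, here is an added example (our own Python, not code from the original writeup). It is a small pcap parser that uses only the standard library, counts packets per destination, and splits them into bare TCP SYNs, HTTP requests, and POSTs announcing an oversized Content-Length, the three patterns listed above. The capture it runs on is constructed inline with documentation and private addresses rather than the challenge's data; the 10 MB Content-Length threshold, the function names and the "other" bucket are our assumptions.

```python
"""Count packets per destination in a classic pcap and break them down by the
traffic types seen in this challenge: bare TCP SYNs, HTTP requests and POSTs
that announce a huge Content-Length.  Standard library only, no scapy."""
import re
import socket
import struct
from collections import Counter, defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10
BIG_POST_BYTES = 10_000_000   # "suspiciously large" Content-Length (assumed threshold)


def ipv4_frame(src, dst, payload, proto=6):
    """Ethernet + IPv4 header around payload (constructed test data, no checksums)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


def tcp_segment(flags, data=b"", sport=40000, dport=80):
    """Minimal 20-byte TCP header (data offset 5) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def build_pcap(frames):
    """Wrap frames in a little-endian pcap (magic a1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield the captured bytes of each record; handles both byte orders."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Return (dst_ip, kind) for an IPv4 frame, or None if it is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    dst = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if proto != 6 or len(tcp) < 20:
        return dst, "other"
    flags = tcp[13]
    data = tcp[(tcp[12] >> 4) * 4:]
    if flags & TCP_SYN and not flags & TCP_ACK:
        return dst, "syn"                       # bare SYN: flood / half-open pattern
    if data.startswith(b"POST "):
        m = re.search(rb"Content-Length:\s*(\d+)", data)
        if m and int(m.group(1)) >= BIG_POST_BYTES:
            return dst, "big_post"              # POST promising a body it never sends
    if data.startswith((b"GET ", b"POST ", b"HEAD ")):
        return dst, "http"
    return dst, "other"


def destination_stats(pcap):
    """{dst_ip: Counter(kind -> packets)} over the whole capture."""
    stats = defaultdict(Counter)
    for frame in iter_frames(pcap):
        hit = classify(frame)
        if hit:
            stats[hit[0]][hit[1]] += 1
    return stats


def top_destinations(stats, n=4):
    """Destinations ordered by total packets, the ranking the challenge asks for."""
    return sorted(stats, key=lambda d: sum(stats[d].values()), reverse=True)[:n]


# Constructed sample capture (RFC 5737 / private addresses, not the challenge data):
# a SYN flood, a burst of GETs, one oversized POST and some ordinary traffic.
CLIENT = "10.0.0.5"
SAMPLE_PCAP = build_pcap(
    [ipv4_frame(CLIENT, "192.0.2.1", tcp_segment(TCP_SYN)) for _ in range(6)]
    + [ipv4_frame(CLIENT, "192.0.2.2",
                  tcp_segment(TCP_ACK, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")) for _ in range(3)]
    + [ipv4_frame(CLIENT, "192.0.2.3",
                  tcp_segment(TCP_ACK, b"POST / HTTP/1.1\r\nContent-Length: 100000000\r\n\r\n"))]
    + [ipv4_frame(CLIENT, "192.0.2.4", tcp_segment(TCP_ACK, b"hello")),
       ipv4_frame(CLIENT, "192.0.2.4", b"\x00" * 8, proto=17)]      # UDP, counted as "other"
)

if __name__ == "__main__":
    s = destination_stats(SAMPLE_PCAP)
    for d in top_destinations(s):
        print(f"{d:15} total={sum(s[d].values()):3}  {dict(s[d])}")
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file and read the per-kind breakdown next to the total: a destination whose count is almost all "syn" or "big_post" is a DoS target, while a destination like the DNS resolver or a CDN node in the list above is just busy.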

Using the following script we were able to create the answer string. It looks up each IP address with geoiplookup, takes the letter at the required position (3, 13, 2 and 5, counted from 1) from the country name, and appends the four addresses:

#!/bin/bash
# Build the answer string: one letter from each target's country name
# (positions 3, 13, 2 and 5 of TOP1..TOP4, counted from 1), followed by
# the four IP addresses joined with underscores.
RESULT=""
LETTERS=""

# Take the four IPs from the command line, or fall back to the top-4
# list produced by our counting script.
if [ "$#" -eq 4 ]; then
    IPS="$*"
else
    IPS=$(python2 net200.py | tail -n 4)
fi

COUNT=0
for i in $IPS; do
    echo "$i"
    GEO=$(geoiplookup "$i")      # e.g. "GeoIP Country Edition: SG, Singapore"
    echo "$GEO"
    # The country name is everything after the first ", "; num[] holds the
    # 0-based letter positions (the challenge's 3, 13, 2, 5 are 1-based).
    SUB=$(python2 -c "num=[2,12,1,4]; print '$GEO'.split(', ')[1][num[$COUNT]]")
    LETTERS="$LETTERS$SUB"
    COUNT=$((COUNT + 1))         # arithmetic, not string concatenation
done

for k in $IPS; do
    RESULT="${RESULT}_$k"
done

RESULT="$LETTERS$RESULT"

echo "ANSWER:"
echo "$RESULT"

Running it with the four targets gives us the following key:

$ sh net200.sh 111.221.70.11 109.123.118.42 199.7.48.190 66.150.14.48
111.221.70.11
GeoIP Country Edition: SG, Singapore
109.123.118.42
GeoIP Country Edition: GB, United Kingdom
199.7.48.190
GeoIP Country Edition: US, United States
66.150.14.48
GeoIP Country Edition: US, United States
ANSWER:
none_111.221.70.11_109.123.118.42_199.7.48.190_66.150.14.48
