Blue Team Village - Moloch: An Introduction Into OPENSOC CTF TOOLS

Formal Metadata

Title: Blue Team Village - Moloch: An Introduction Into OPENSOC CTF TOOLS
Number of Parts: 374
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
Every year the Blue Team Village hosts OpenSOC, a unique defense CTF meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets. This year BTV wanted to do more. We know that some Blue Teamers might be unfamiliar with some of the tools used by OpenSOC, and we didn't want that to keep anyone from playing this incredible defense simulation. So this year we are dedicating all day Thursday to demos of the various OpenSOC tools, before OpenSOC starts on Friday. These are tools like Graylog, Moloch, Zeek, Osquery, and others that Blue Teamers rely on every day to defend their networks against attackers. That means that after you LEARN the tools, you can PLAY the OpenSOC CTF, and then take that knowledge back to your own Blue Team to DO the work of defending your network.
Transcript: English (auto-generated)
And welcome back, everybody, to DEF CON 28 Safe Mode. Continuing on with the Blue Team Village OpenSOC CTF walkthrough, we're going to be talking about Moloch today, and we have Bashar Shama here to give us a quick discussion and a walkthrough on the tool. Welcome, Bashar.

Thank you. Hello, everyone. I am Bashar, and I'm gonna go over how you're gonna use it tomorrow during the CTF.
I was actually introduced to Moloch two years ago, playing the same exact CTF that you're gonna play tomorrow. I played it two years ago, and I really, really fell in love with Moloch. So since then I started playing with it, tinkering with it, just using it as much as I can, and I keep using it to this day.

The goal today is to really prepare you on how to use Moloch in the CTF tomorrow. So we're gonna have time for questions at the end. Please post any questions that you have to the text workshops track one channel in the Discord. The moderators will monitor your questions, and we're gonna go through them and ask them at the end, towards the end of the session. So keep throwing your questions in; we have some time at the end to go over some questions. So let's go ahead and get started.

So, a very brief intro on what Moloch is: it's pretty much a free, open source tool. It's really a network analysis tool that you can use to analyze a large volume of packet data, or PCAPs. If you want to, the simplest way to think about it is, if you've ever used Wireshark, it's like a Wireshark front-end with a huge database back-end, so you can search tons and tons of PCAP data, 100% PCAPs, very easily, very quickly. That's a very, very, very 10,000-foot, over 10,000-foot sort of view of Moloch.

For our purpose here and for the CTF tomorrow, what I have done is actually, I have Moloch set up, and I got about 4 gigs of data as a sample from the network forensics training of FIRST 2015, all of these PCAPs, and I pretty much loaded them into Moloch to kind of show you how we can use this tool to do our investigation and answer the questions during the CTF tomorrow. So our scenario for today is: you're part of the security team, and you receive a call saying, hey, around 1 p.m. today, or not today, 1 p.m. on March 12, 2015, our main company site has been defaced. Somebody has changed the way our website looks. All we know is we have this image of a file showing as a frog on our main site, and we don't know how this happened. Can you please help us? And all you know is you have access to packet capture. You know packet capture, that's what you do, and you have access to Moloch. So let's walk right through it.

So if you have never seen Moloch before, this is what it looks like. This is the general overview. This is when you land, or you log in: you will land pretty much in the Sessions tab, and that's where you're gonna probably spend most of your time tomorrow, in the Sessions tab.
Usually I would like to go and just do the drop-down here on the time, on the date, and I will do all time, all day, just to have an understanding of all the incidents. You know, for the purpose of tomorrow, again, it's gonna be a very specific time period, but this is where I would start. And let's go ahead and deep dive into the investigation and how we can use Moloch.

So the first piece of information we know is the date of the incident. So we know it's in 2015, so as you can see, Moloch gives us this ability to just click through and decide on the dates that we want to investigate. I'm gonna do 12. So we have our date here; that's now gonna be our starting date, and then I'm gonna just copy it, paste it here, and I'm gonna change this to 13, which will show us here, now, oh, we're looking at a one-day time range. So I have my time range set up, I'm gonna go search, and now I can narrow it down to that 24-hour period to kind of figure out what happened during that day.

Now, the other piece of information that we were given was it was our main company's website. So how can I search for that? Probably I want to look for our hostname. So what I can do is I can type host, and Moloch would automatically parse the different fields based on the protocols that exist in the packet. So if it was HTTP traffic, Moloch will say, okay, well, this is an HTTP hostname; if it's an email, then it's an email hostname, and so on. In my case, because I want to see everything, all kinds of hostnames, I'm going on just host. And to specify what I'm looking for in Moloch, I would just say equal equal. So equal equal means show me everything that matches exactly our hostname. Okay, that's the first bit of it, and I can run that.

I also know, since it's our website, I want to say, well, it's a website, it's gonna run on two ports, for example. So to kind of add more queries into Moloch, what you need to do is ampersand signs as an AND, and I'm gonna open parentheses and add the ports that we need: port equals 80, just like we did before, and port equals 443, which we know are both HTTP ports. Now, before we go any further, you know, on the ports I can say, well, I can specify I want it to be a destination port, or it can be a source port, or so on. Just to keep it general and so we can see everything here, I'm just gonna say, okay, these ports with this hostname, and let's see what we find. Oh, I'm saying AND here, and that should be OR, so it's either port 80 or 443, not both. So that just needs to be pipes. Pipes, and run that. Pipes, and now I'm saying, okay, show me everything for this host on port 80 and 443. And now I can see the traffic.

So let's go and dig deeper on this traffic. I can see all kinds of requests,
and let's just open something very randomly. Just open up this request, and I see it's a GET request. And before we go down, we'll spend some time here. So as you can see, Moloch will parse all the fields in the packet, so I can click on any of these, and I can say, okay, well, what protocol did it come from, which IP, which ports? Because it's an HTTP packet, then it will also parse the method, status code, all of these things. It will also parse the user agents.

Let's say I'm interested in knowing all the user agents that happened to happen in that specific day that visited our website. I can easily click on User Agents, and I can say, okay, Export Unique User Agents with Counts. Once I click that, I will see a new page showing me the unique user agents along with how many times we've seen this in that specific day, and the other one. So we only see two different user agents, nothing abnormal or suspicious, so nothing to worry about here.

We scroll a bit, now we can actually see the actual requests, the raw request, so I can see which hosts they're requesting, which URI they're going after, and so on. Because I know we had an incident, and I know the website has been defaced, the attacker must have sent some kind of data to our website. So most likely they're not doing GET requests; when we see GET, it's just pulling it up on our website. They're gonna be posting or sending some kind of data. So let's exclude this; so I'm gonna click, yes, and we don't want GET anymore. So I'm just gonna say not GET, and it automatically adds that to our query. And let's hit search, see what we find.

So now we went down to only 12 entries. Okay, that's much easier to kind of go through and, like, investigate. Again, we're not sure what happened, but one thing I can sort for is by time, to kind of understand the timeline of these different requests and the events. And this just opens one at random. So again, same kind of fields, like, it's parsed and so on, the structure of the request; now it's a POST request, and it's requesting index.php, and I see a test and sleep. I'm not sure what all this stuff really means, and I also see this gibberish stuff. What is this? So if you look at the header, which Moloch kind of parses for you, it's actually encoded with gzip. This is just a method of compression that web browsers use to compress the data to transfer the least amount of traffic. So the nice thing with Moloch, what we can do is I can just click Uncompress, and now it automatically will decode this packet for us, and now I can easily read it and see, oh, okay, this is what loaded, this is what the page is showing. And from what we see here, nothing of interest yet. Okay, that was useful. Let's keep going, let's find out what happened. So another request, and
see this. But this is, like, this looks like an IP address, but what is all this? I don't know. Well, what we can do is Moloch has CyberChef built in. Well, CyberChef is a separate open source project, but we can actually just go and do CyberChef, and you can load it as a set-up outside of Moloch, and you can just run it outside of Moloch and you can do your decoding. But let's get back here. The beauty of this is, when we launch it through Moloch, it will automatically take that packet data and put it in for us.

So what is CyberChef? It's pretty much a tool, or web GUI, that you can use to do different decoding of different languages, decoding mechanisms, and so on. So in this case it's taking the hex code and just decoding it, and while looking at this, I can see these percentage signs. Percent sign means it's a URL kind of thing. So we can easily just drag the URL Decode, and now I can see the decoded message here. Now you can see, oh, it's trying to ping this IP address, which is the same, the same IP that's trying to visit. Okay, this is interesting. I'm not sure if they were actually able to ping, but it looks like this IP is trying to do something here.

Let's keep going, see what else we can find. Next packet, same thing: test here. Next packet, so on. Oh, this one, let's see, okay, what, what is this? Hold on a second. Let's put it up again in CyberChef, do the same method, decode the URL, and now we see an nc, IP address and port. So nc stands for netcat, which is a utility attackers can use to have a server connect back to them and get a shell on that box. So what this is saying is, okay, connect back to my IP over this port. So what this means, if this actually succeeded, that means our server connected back to this IP address. Well, let's see if this actually happened. I'm gonna take that port, I'm gonna clean all this up, and then I'm gonna add the IP address. It's not going to be the source. And port equals the port that we're looking for. Search for it, and we have traffic. Oh,
this is not good. Looks like our box, which is the source here, connected back to the server over this port. We can see how many packets and the whole amount of data that was sent back and forth. So immediately I would say, okay, well, this is the first connection that has the highest number of packets; that might have something interesting in it. So let me open it up, scroll down, and we can actually see the whole conversation back and forth.

Now, what it looks like, the attacker ran a command, which is id, which is equal to whoami from Windows, to figure out who that attacker is running as on this box, and they run as Apache. Then they try to figure out which folder they're in, and they try to access file systems. Okay, this is not good. And then they did this cat index.php, which looks like it's our website there. So they're looking into what's inside our main file, and so on. And okay, what is all this? Oh, and then I see another netcat command here, and saving the connection as a cm0.php file on our box, hopefully. So I really, I'm interested to know what this is, but let's, let's keep going. Let's see what all they did once they got in this box. And if we get here, they actually did it for us: they did a cat on this file that they created. Okay, when they did that, we can see, oh, it's a PHP backdoor. This is not good. So they used the PHP backdoor on our site.

So how am I gonna now figure out what did they do? I know, because of how backdoors work, they have to visit this PHP file explicitly to kind of load the command they want to run. So what I can say to Moloch is, well, show me all the URIs. So when we say URI, it's pretty much everything after the domain; that would be a URI, starting from here on, that's the URI. So I want to say, show me everything that has this, and since I can't just do, like, all, what I do in Moloch is I just use wildcards at the beginning, so I don't care what's before this, and the end, meaning I don't care what's after it. Show me anything that has this string in the URI. And when I search it now, here we can see all these URIs with all these different links in them.
What is it they're trying to do? Well, how can I know, like, how can I get all this in one nice place? I can just click up above, and I want to say Export Unique URIs with Counts. Now, okay, well, this command was run five times, this command was run three times, and so on, so now I kind of know which command they ran, because I can see it's command equals cat this, or whatever they're trying to do. And I kind of see here there's a JPEG file as well. Okay. So this is how they probably got that JPEG file, or the image with the frog, on our website.

So let's, let's, let's find out. Where did they, like, how did they do this? Go back here, and let's do, instead of this, we are looking for that specific JPEG file. So I'm going to do wildcard and show me anything that has JPEG in it. Pull it up, and it's going to show me all that stuff. I'm gonna say probably it's gonna be the biggest file, so I'm gonna sort by the size of the data, and this is the biggest one that we have. It's loading, and here I can see, yeah, it's an image file. But I'm not sure what it looks like, so what I can do in Moloch is I can just click on Show Images and Files, and it will actually render it for us right here in the browser.

Now, let's say, you know, I'm not comfortable with doing this, or I want to go deeper into it, I want to understand what actually happens here in Wireshark, because I never used Moloch before. At any session, at any point, you can always just click on Download PCAP, and it will kind of, like, save the PCAPs for you, so you can open them up in Wireshark and, you know, do your analysis manually if you like to.

Pretty much that's how they got in the file, and that's how they defaced our website using a backdoor. If we have time, I think we have another... I think that's pretty much it. Okay. So with that being said, I think that's the highlight of Moloch and how to use it. I want to keep some time for questions. Please let me know what kind of questions you got. I'm also going to be in Discord, be on Twitter if you need anything else, but I'm gonna be here waiting for any questions that you guys have. Oh.
Thank you, Bashar. I went ahead and put a note in the text window under the workshop track one with a link over to the OpenSOC Moloch Discord channel. So definitely check that out. Obviously hit Bashar up on Twitter and Discord, but we're trying to help everybody kind of connect with the right people here, so you can get the help you need. Perfect. Thanks a lot, Bashar. Appreciate it.

Thank you. Thank you. Appreciate your time. Thank you. Take care.
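The chain of pivots in the walkthrough (scope to the day of the incident, match the host on ports 80 or 443, drop GET requests, export unique user agents with counts, wildcard-match URIs, URL-decode the parameters, sort by data size) restated as an added Python example. This is not code from the talk and not Moloch's own code; it runs the same filters over a constructed list of session records shaped like the fields Moloch parses out of HTTP traffic. The hostname, addresses, timestamps, user agents and byte counts are constructed for the example; `cm0.php` is the backdoor file name from the talk, and the `www.example.test` host stands in for "our main company site".

```python
"""Reproduce the analyst pivots from the Moloch walkthrough over a constructed
session list. Added example: the records below are constructed, not capture data."""
from collections import Counter
from datetime import datetime
from fnmatch import fnmatch
from urllib.parse import parse_qs, urlsplit

# Constructed sample sessions (hypothetical hosts, IPs and sizes), one per HTTP
# request, carrying the fields Moloch would have parsed: host, port, method, URI,
# user agent and bytes transferred.
SESSIONS = [
    {"ts": "2015-03-12T09:15:00", "src": "10.0.0.5", "dport": 80,
     "host": "www.example.test", "method": "GET", "uri": "/index.php",
     "ua": "Mozilla/5.0 (X11; Linux) Firefox/36.0", "bytes": 1420},
    {"ts": "2015-03-12T12:48:10", "src": "198.51.100.7", "dport": 80,
     "host": "www.example.test", "method": "POST", "uri": "/index.php",
     "ua": "Mozilla/5.0 (X11; Linux) Firefox/36.0", "bytes": 2310},
    {"ts": "2015-03-12T12:55:42", "src": "198.51.100.7", "dport": 80,
     "host": "www.example.test", "method": "POST",
     "uri": "/cm0.php?cmd=cat%20index.php", "ua": "python-requests/2.5.0", "bytes": 880},
    {"ts": "2015-03-12T12:56:01", "src": "198.51.100.7", "dport": 80,
     "host": "www.example.test", "method": "POST",
     "uri": "/cm0.php?cmd=cat%20index.php", "ua": "python-requests/2.5.0", "bytes": 900},
    {"ts": "2015-03-12T13:02:30", "src": "198.51.100.7", "dport": 443,
     "host": "www.example.test", "method": "POST",
     "uri": "/cm0.php?cmd=id", "ua": "python-requests/2.5.0", "bytes": 410},
    {"ts": "2015-03-12T13:05:12", "src": "198.51.100.7", "dport": 80,
     "host": "www.example.test", "method": "POST",
     "uri": "/cm0.php?f=frog.jpg", "ua": "python-requests/2.5.0", "bytes": 48211},
    # Next day: outside the 24-hour window the analyst set, so it must be excluded.
    {"ts": "2015-03-13T01:00:00", "src": "10.0.0.9", "dport": 80,
     "host": "www.example.test", "method": "POST",
     "uri": "/cm0.php?cmd=id", "ua": "python-requests/2.5.0", "bytes": 400},
    # Mail traffic: matches the day but not the web host/ports.
    {"ts": "2015-03-12T10:00:00", "src": "10.0.0.5", "dport": 25,
     "host": "mail.example.test", "method": "", "uri": "", "ua": "", "bytes": 700},
]


def in_window(session, start, end):
    """Moloch-style date range: start inclusive, end exclusive ('12' to '13')."""
    t = datetime.fromisoformat(session["ts"])
    return datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)


def web_sessions(sessions, host, start, end, ports=(80, 443)):
    """host == X && (port == 80 || port == 443), scoped to the incident day."""
    return [s for s in sessions
            if s["host"] == host and s["dport"] in ports and in_window(s, start, end)]


def non_get(sessions):
    """Method != GET: the defacement needed data sent *to* the site."""
    return [s for s in sessions if s["method"] != "GET"]


def unique_counts(sessions, field):
    """'Export unique <field> with counts', most frequent first."""
    return Counter(s[field] for s in sessions).most_common()


def uri_matches(sessions, pattern):
    """Leading and trailing wildcards, like the '*cm0.php*' query in the talk."""
    return [s for s in sessions if fnmatch(s["uri"], pattern)]


def decoded_params(uri):
    """URL-decode the query string so 'cmd=cat%20index.php' reads as a command."""
    return dict(parse_qs(urlsplit(uri).query))


def largest_by_bytes(sessions):
    """Sort by data size: the defacement image should be the biggest transfer."""
    return max(sessions, key=lambda s: s["bytes"])


def triage(sessions, host, start, end):
    """Chain the pivots in the order the walkthrough does and return the findings."""
    day = web_sessions(sessions, host, start, end)
    posts = non_get(day)
    hits = uri_matches(posts, "*cm0.php*")
    return {
        "sessions_in_window": len(day),
        "non_get": len(posts),
        "user_agents": unique_counts(day, "ua"),
        "backdoor_uris": unique_counts(hits, "uri"),
        "commands": [decoded_params(s["uri"]) for s in hits],
        "largest_image": largest_by_bytes(uri_matches(posts, "*jpg*"))["uri"],
    }


if __name__ == "__main__":
    for key, value in triage(SESSIONS, "www.example.test",
                             "2015-03-12", "2015-03-13").items():
        print(f"{key}: {value}")
```

Each function mirrors one click in the Moloch UI, so the output of `triage` reads like the analyst's notes: how many sessions the window and host filter left, how many were not GETs, the two user agents and their counts, the backdoor URIs ranked by how often each was requested, the decoded `cmd` values, and the largest JPEG transfer. The same pivots apply to any parsed-HTTP source, which is why the filters are written against field names rather than against Moloch itself.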