PoisonedCredentials Challenge Walkthrough

Ahmed Belhadjadji
3 min read · Dec 30, 2023


PoisonedCredentials Blue Team Challenge

Platform: CyberDefenders

Challenge link: PoisonedCredentials

PS: We are going to use Zeek here, but the challenge can also be solved with Wireshark.

Scenario:

Your organization’s security team has detected a surge in suspicious network activity. There are concerns that LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning attacks may be occurring within your network. These attacks are known for exploiting these protocols to intercept network traffic and potentially compromise user credentials. Your task is to investigate the network logs and examine captured network traffic.

Uncompress the archive with 7z, then generate the Zeek logs from the pcap:

zeek -C -r poisoned_credentials.pcap # -C: ignore checksums, -r: read from a pcap file

Q1: In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?

We are looking for a mistyped name query sent by 192.168.232.162, so we start with the dns.log file:

cat dns.log | zeek-cut id.orig_h id.resp_h query | sort | uniq

The victim machine sent a query for a misspelled share name to the broadcast address (the LLMNR/NBT-NS fallback that any host on the segment can answer):

FILESHAARE

Q2: We are investigating a network security incident. For a thorough investigation, we need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?

Now we need to find the IP that answered that request:

cat dns.log | zeek-cut ts id.orig_h id.resp_h query AA answers | sort -k1 | awk -F'\t' '$5 == "T"' | head -5

AA: Authoritative Answer. In a response, this flag indicates that the responding server claims to be authoritative for the queried name; a host that is not the organization's DNS server yet answers multicast name queries authoritatively is the poisoner.

We can also see that most of these authoritative responses come from the same IP:

192.168.232.215

Q3: During our investigation, it’s crucial to identify all affected machines. What is the IP address of the second machine that received poisoned responses from the rogue machine?

Using the same search as in the previous question, but looking at the later responses:

cat dns.log | zeek-cut ts id.orig_h id.resp_h query AA answers | sort -k1 | awk -F'\t' '$5 == "T"'

192.168.232.176

Q4: We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?

The answers to the last two questions are in the ntlm.log file.

Run head ntlm.log to read the field names from the #fields header, then pull the relevant columns (such as username and the server computer name) with zeek-cut:

janesmith

Q5: As part of our investigation, we aim to understand the extent of the attacker’s activities. What is the hostname of the machine that the attacker accessed via SMB?

AccountingPC
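As an added example (not code from the original post or from CyberDefenders), here are the zeek-cut pipelines from the walkthrough rebuilt as POSIX shell functions over awk, so they run offline without zeek installed. Column names are looked up through the #fields header the way zeek-cut does. The dns.log and ntlm.log excerpts are constructed for the demo with a reduced field set; every IP, name and timestamp in them is made up, and the function names (mistyped_queries, rogue_responders, poisoned_victims, compromised_accounts) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the zeek-cut pipelines from the
# walkthrough rebuilt with awk over constructed Zeek log excerpts, so it runs offline
# without zeek installed. All IPs, names and timestamps below are made up for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/poisoned_demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed dns.log excerpt (reduced field set, real Zeek column names). Zeek logs a
# unicast DNS transaction as one row with the client as id.orig_h; an unsolicited LLMNR
# reply from another host shows up as its own row with the responder as id.orig_h.
{
  printf '#separator \\x09\n'
  printf '#fields\tts\tid.orig_h\tid.resp_h\tquery\tAA\tanswers\n'
  printf '1700000001.1\t192.168.232.162\t224.0.0.252\tFILESHAARE\tF\t-\n'
  printf '1700000001.2\t192.168.232.215\t192.168.232.162\tFILESHAARE\tT\t192.168.232.215\n'
  printf '1700000002.0\t192.168.232.162\t192.168.232.10\tintranet.corp.local\tF\t10.10.0.5\n'
  printf '1700000003.0\t192.168.232.176\t224.0.0.252\tPRINTSRV01\tF\t-\n'
  printf '1700000003.1\t192.168.232.215\t192.168.232.176\tPRINTSRV01\tT\t192.168.232.215\n'
} > "$WORK/dns.log"

# Constructed ntlm.log excerpt (real Zeek column names, made-up values).
{
  printf '#fields\tts\tid.orig_h\tid.resp_h\tusername\thostname\tdomainname\tserver_nb_computer_name\tsuccess\n'
  printf '1700000010.0\t192.168.232.215\t192.168.232.176\tjanesmith\tWORKSTATION-X\tCORP\tAccountingPC\tT\n'
  printf '1700000011.0\t192.168.232.162\t192.168.232.20\tbob\tWS162\tCORP\tFILESHARE\tT\n'
} > "$WORK/ntlm.log"

# zeek_cut FILE FIELD... : the named columns of a Zeek TSV log, tab-separated, in the
# order given, resolved through the #fields header exactly as zeek-cut does.
zeek_cut() {
  file=$1; shift
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ {
      for (i = 2; i <= NF; i++) col[$i] = i - 1
      for (i = 1; i <= n; i++) if (!(names[i] in col)) { print "unknown field: " names[i] > "/dev/stderr"; exit 2 }
      next
    }
    /^#/ { next }
    { out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? "\t" : "") $(col[names[i]])
      print out }' "$file"
}

# Q1: names a host tried to resolve over LLMNR (224.0.0.252) or NBT-NS broadcast.
# These are the lookups a poisoner can answer, so a typo here is the opening move.
mistyped_queries() {
  zeek_cut "$1" id.orig_h id.resp_h query |
    awk -F'\t' -v h="$2" '$1 == h && ($2 == "224.0.0.252" || $2 ~ /\.255$/) { print $3 }' | sort -u
}

# Q2: hosts that sent authoritative answers (AA=T), most frequent first. A rogue
# responder answers every multicast query it sees, so it dominates this list.
rogue_responders() {
  zeek_cut "$1" id.orig_h AA |
    awk -F'\t' '$2 == "T" { c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Q3: hosts that received an authoritative answer, in order of first poisoning.
poisoned_victims() {
  zeek_cut "$1" ts id.resp_h AA | sort -n |
    awk -F'\t' '$3 == "T" && !seen[$2]++ { print $2 }'
}

# Q4/Q5: accounts and target computers in successful NTLM authentications that
# originated from the rogue IP, i.e. the captured credentials being reused over SMB.
compromised_accounts() {
  zeek_cut "$1" id.orig_h username server_nb_computer_name success |
    awk -F'\t' -v rogue="$2" '$1 == rogue && $4 == "T" { print $2, $3 }' | sort -u
}

echo "mistyped query by 192.168.232.162:"; mistyped_queries "$WORK/dns.log" 192.168.232.162
echo "authoritative responders:";          rogue_responders "$WORK/dns.log"
echo "victims in order:";                  poisoned_victims "$WORK/dns.log"
echo "NTLM logons from the rogue host:";   compromised_accounts "$WORK/ntlm.log" 192.168.232.215
```

Against real logs, point the functions at the dns.log and ntlm.log that zeek wrote; the #fields header of a full log has more columns than the excerpt here, which is exactly why the lookup goes by name rather than by position. Filtering on the AA column rather than grepping for a bare "T" avoids matching hostnames that happen to contain that letter.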

I hope this has been helpful.

Feel free to add any suggestions or thoughts.
