All right, so I've been getting a lot
of questions about how log4j looks on the wire. What does Wireshark see
and how can we analyze it and better yet catch it at the packet level? I was finally able
to get my hands on some packets. Brad Duncan over at Malware Traffic Analysis.net went ahead
and did a capture and gave us permission to go ahead and use this trace file for this video. So
i've linked that in the description down below, so you can download that trace file and follow
right along with me as i go through it. So log4j, it's a big vulnerability and there's a lot of
things going on around the internet talking about what it does, and how it works. But my goal here
for this video is to show you how to catch it on the wire with Wireshark and understand the packets
that we're looking at, and to show you some pretty cool stuff that Wireshark shows us about this
particular attack. Now before we get into the weeds, let's remember that this server that we
see in this pcap wasn't necessarily compromised, but this pcap does show us what was going on with
the actual attack. All right so let's go ahead and take a look at what a log 4j attack looks
like at the packet level. Okay so here I'm in my tcp plain profile and I have the pcap in front
of me, this is the one that you can open as well. And just to head check yourself, you can look
down at the number of packets that you have, and you should have just above 45 000 packets open
in Wireshark. Now just to give us an initial lay of the land, here this 198.71 box, this was the
server that was being attacked, and here we can see there's a lot of different addresses that are
coming in and trying to talk to it. And as we can see here on this profile, I have my tcp SYNs lit
up green, I like that, and here I can see there's a lot of SYNs coming in. In fact let's go ahead
and map those SYNs and see where they're coming from. If I go up to statistics, and I come down
to end points, here I see I have 4912 individual stations in this pcap. That's quite a bit! But
what I want to do, is take a look at that country code there. So you have my country and city. Now
I'm going to come down to map, and I'm going to say open in browser, and if I bring that map in,
what wireshark is able to do is take the GeoIP information and throw it on a map of the world for
me. Now here I can see I have a lot of different source IPs that are coming into this one server
and trying to attack it. So clearly this is a distributed attack. It's coming from a lot of
different places, and likely this is all part of a bot army that's just hammering on this server
trying to open up several ports. Now it's possible that these SYNs are related to a different scan
that's going on. They aren't necessarily directly related to the log4j attack. Since we do see
them in this pcap, I wanted to show you how we could put them on a map of the world. And we can
see how an attack looks when it's coming from so many different source IPs. But how do I get this
to work? Well basically we have to enable a GeoIP feature of Wireshark to do that. I went ahead and
linked a video in the description down below to show you how you can enable that with Wireshark.
All right, so let's get back to our packets. So a big part about this vulnerability is the
jndi api. Now that's an api for java software, it provides naming and directory interface. Now
i'm not going to go too deep in the weeds on what that is and how it's misused, but just for the
purposes of our capture, what I want you to do is come up to your display filter, and what we're
going to do is we're going to type in "ip contains jndi". What that will do is it'll show us all
of the IP packets that we have in this trace file that have those four letters in it. So
as we can see that results in quite a few HTTP GETs coming in as well as a post is the very first
one. Now keep in mind that that filter will only work for attacks that happen over port 80 or open
web. If it's over 443 or a tls connection is first set up, then this filter is not going to work
because we won't be able to see the clear text. In that case we would just be relying on the ip
and tcp behavior in order to find an attack like this. But for our purposes since we do have the
open http to tinker with let's go ahead and see what's inside it. Now if I take a look at that
first packet and I'm going to go ahead and come down here to the details. If I expand http, and I
come down here, I can see the user agent. That's where that jndi api information is so basically
what we're saying here is we're calling for ldap, and here's our ip address, and basic command
base64. So there's a base64 code over here and this is what we're going to focus on. So basically
out there, so 45.137.21.9, is sending this post to this server and hoping that it reacts based
on what this user agent is saying. So let's go and take a closer look at that user agent. What
I want to focus on is this base64 string here. So what I'm going to do, is I'm just going
to right click it, and I want to come down to copy value. So then I'm going to come out to
cyber chef and what I want to do is just toss that in the input. Just going to say paste and I'm
going to clean up my string a little bit here. So I just have those codes so take out all the way
up to base 64. Let's go ahead and remove this. I want to take out that last bracket and what i'm
going to do is come over here from base 64. So I want to go from base64 and bring that into our
output here. So went ahead and said bake and here we go. So this is the instruction that's being
posted to this server. So basically what we're doing is we're saying hey server go ahead and do a
wget, so go get at this server this shell script, and go ahead and give it executable privileges.
Right so what is this shell script and who is this guy out here? Let's go and do a bit of a
deeper dive here. So here's our IP address so 62.210.130.250. I'm just going to copy that
guy. And I'm going to head over to VirusTotal, because that has some good information as far
as ip addresses or malicious software that's out there. And i'm going to come over here to
search, gonna pop in that IP, and here I can get some community help as far as what is that IP
and what is it actually out there doing. So here we can see pretty clearly that this is a malicious
IP here. Bitdefender, CyRadar, Fortinet, Sophos, all of them are reporting this as malicious.
In fact if I come over here to community, this is where I can see that this IP is related to
what several people have seen as far as the log4j shell vulnerability, and it's being listed on
indicators of compromise. So I know that that post coming in from that 45 address. Let's go ahead
and go back to our packets. So I know this post coming in is a part of that attack. The attacker
is hoping that we will execute that shell script and basically start a c2 channel back to
that 62 address that we saw in VirusTotal. So remote code execution, that would allow
an attacker to then take control of this box, and basically do whatever he wants. So one thing
that I could do if I'm interested in taking a look at an attack pattern for the log4j vulnerability,
is I can come up here and I can just save this as a filter. In fact i'm going to do that. I'm
just going to switch over from this profile to my security profile and I'm going to keep that filter
in there, and i'm going to come over here to plus and what I do, is I have for my label
I'm just going to say Signatures - I'm just going to say log4j. So if I
ever have packets that match that filter, then I know that that's part of that attack.
The next thing that i want to find out is did this server react? Did it actually go
try to do that c2 callback to that server? uh in the 62 range? Well let's find out. I'm going to
go ahead and flip from this profile back to my TCP Plain profile. And here I'm going to
go ahead and leave that filter there, and I'm going to add one more to it. First I'm
going to put parentheses around that filter, so I want to leave any packets that have that
value in there. And then I'm going to say "or" and then what I want to do is find out does
this server at 198.71 - so my server that i have - does that then go do a TCP SYN to any
other server out there? Do I see it actually do that c2 callback somewhere? Or is it patched and
is it behaving as it should? Is it not reacting to that shell script? Well let's find
out. So I'm going to go ahead and say "or" and I'm going to say "tcp.flags == 0x002
what this is is this sets a filter for any TCP SYNs. This wouldn't be for TCP SYN/ACKs,
this would be just the TCP SYNs. And then I'm going to say, and i want to see "ip.src ==" so the
source of those TCP SYNs would be "198.71.247.91". And i'm going to go ahead and close bracket.
And so I'm going to go ahead and say enter to apply it. So here what I can see is I still
have those original packets with the jndi string in there. So I still see those original
packets but I don't see any packets that met the secondary part of my filter. I don't
see this server then go out and say, "Oh great let's go ahead and start a TCP SYN off
to this server hey go ahead and take control of me thankfully it's not doing that now just to
test to make sure i got that filter correct what i am going to do is just change the direction
here from source to dst destination uh this would make sure that this filter does show us something
i just flip the direction show me where that server is the destination for a tcp sin and here
we get quite a few packets coming in from all over the world so we already saw that on our [ __ ] map
but i'm just going to turn this back around src so this might be another filter that i want to
save does this server ever react does it act as a client and go out and initiate that connection
outbound as a part of that log4j vulnerability so there's more interesting stuff going on in
this pcapp but just to keep it simple for you this is how this attack looks at the packet level
also you saw some filters that you can set and save in wireshark and also you got to take a look
at that attack from a global perspective and see all of those sins coming in so i'm still going
to try to get my hands on a truly compromised system to see how that system then reacts to
that shell script but for now this gives us an idea of how that attack actually works thanks
for stopping by everybody i'll see you again you
