BLATSTING C&C transcript
(this showed a terminal session from showterm.io of a session controlling BLATSTING, but the content is no longer available)
-
At the left side it shows the listening post output, this is what the operative controlling it would see.
-
At the right side scrolls by corresponding debugging output of the emulation framework. This shows the (decrypted) packets in transfer and what the emulated implant is doing.
No actual Fortinet/TOS routers were harmed in this process. The setup is the same as in previous post, however many more modules are
succesfully loaded and emulated. Almost the entire framework besides TADAQUEOUS and SECONDDATE, which have their own
means of C&C that I may come back to at some other time, and file and install which deal with affairs that are
simply not part of the emulation.
Overview:
-
Connect to VM domain. Start listening post.
-
1: Open a session. -
LP connects to the implant, and loads the LP modules corresponding to the implant modules (to populate the menu). Apparently it fails to load the LP module for the sniffer (
m10000000). We don’t be sniffing any packets today.
Attempting to open a session.
CHALLENGE Type packet received.
AUTH_RESP Type packet received.
You are accessing BLATSTING.
Session opened.
dlopen error: ./lpconfig/m10000000/m10000000.lpmod: undefined symbol: bp_bf_bpf_validateProgram
Corresponding LP module not found for (16 0 0).
...
Operation succeeded.
Connected to node 00000000
Firewall Type : 00000000 Firewall Version: 00000000
Remote Code Version: 666.6.6
Remote IP Addr: 192.168.001.002
Remote interface : 0000
Listen IP Addr : 000.000.000.000
Listen IP timeout (on remote node) : none
Remote IP Sticky?: True
LP IP: 192.168.001.001
Source Port: 4000 Destination Port: 3000
Session Start Time (on remote node): Thu Sep 8 11:44:36 2016
- LP shows menu*:
----- Base Commands
1) Open a session with the remote node
2) List loaded LP modules
3) Toggle expert mode [currently OFF]
6) Re-synchronize LP module list (will not unload explicitly loaded modules)
7) Toggle logging [currently ON]
8) Toggle menu display [currently ON] (Recommended ON)
9) Close session
999) BURN
0) Quit Program
----- core interface
0,0,0) Retrieve the list of exported interfaces
0,0,1) Retrieve the current time on the remote node
----- crypto interface
----- network interface
3,0,0) Read interfaces
3,0,2) Send ARP
----- command and control interface
7,0,0) Get comms state
7,0,1) Set filter addresses
----- hash interface
----- tunnel interface
9,0,0) Query tunnel module state
9,0,1) Add a tunnel via command line
9,0,2) Add a tunnel interactively
9,0,3) Remove a tunnel
9,0,4) Toggle printing active connections (expert only)
----- bpf interface
----- network profiler interface
13,0,0) Query state
13,0,1) Start scan
13,0,2) Stop scan
13,0,3) Restart scan
13,0,4) Reset
13,0,5) Get records
13,0,6) Get records; dump to file
-
8: Toggle “show menu” off otherwise it will print the screen-full menu after every command and it’s impossible to see any output without scrolling back all the time. -
0,0,1: Print time on remote node.
Time on remote node (GMT): Thu Sep 8 15:44:48 2016
0,0,0: Show the list of loaded modules and interfaces.
Exported interfaces:
Module ID Module type Provider ID Provider type
0 0 3 core 0 0 3 core
1 1 0 crypto 1 1 1 crypto
3 1 1 network 3 1 0 network
16 0 0 sniffer 16 0 1 sniffer
7 0 0 cnc 7 0 1 cnc
8 1 0 hash 8 1 1 hash
9 0 0 tunnel 9 0 2 tunnel
12 1 0 bpf 12 1 1 bpf
13 0 0 networkProfiler 13 0 1 networkProfiler
13,0,0: Show networkProfiler configuration.
(13 0 0) networkProfiler module configuration:
networkProfiler module not configured.
13,0,1: Start networkProfiler scan. This shows the command line option help output:
Please enter your networkProfiler command line (-h for help, CTRL-n to cancel)?
-S/--scantype <scan name> name of predefined scan (enter ? to be provided with a list)
-i/--interface <interface index (as from interface listing)> limit to the specified interface
-t/--traffictypes <traffic queue flags> receive traffic of the specified types only (enter ? to be provided with a list)
-P/--prefilter netmask <netmask length> netmask length for prefilter (0-32, default 0)
-p/--prefilter <pcap filter string> pcap pre-filter definition (enclose this in double quotes)
-s/--duration_seconds <seconds> test duration in seconds
-m/--duration_minutes <minutes> test duration in minutes
-r/--duration_hours <hours> test duration in hours
-y/--duration_days <days> test duration in days
-N/--nperiods <# of scan periods> number of periods to scan (default: 1)
-n/--maxNRecords <# of records> maximum number of records to keep per period
--hashTableSize <# of entries> size of the hash table
-h/--help print this usage message
- Show list of predefined scans (these are the files in
Firewall/BLATSTING/BLATSTING_201381/LP/lpconfig/m0d000000/predefinedScans):
TCPUDP_condense_bytes_512 IPv4 TCP/UDP connection information, ports above 512 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
TCPUDP_bytes IPv4 TCP/UDP full connection information with byte count (IPs, IP protocol, ports, ttl, byte count)
TCPSYN_condense_256 IPv4 TCP/UDP connection information, ports above 256 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPSYN IPv4 TCP/UDP connection information with SYN count (IPs, IP protocol, ports, ttl, SYN count)
TCPSYN_condense_bytes_3072 IPv4 TCP/UDP connection information, ports above 3072 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPSYN_condense_1536 IPv4 TCP/UDP connection information, ports above 1536 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPSYN_condense_2560 IPv4 TCP/UDP connection information, ports above 2560 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPUDP_condense_1536 IPv4 TCP/UDP connection information, ports above 1536 condensed (IPs, IP protocol, condensed ports, ttl)
TCPSYN_condense_bytes_1024 IPv4 TCP/UDP connection information, ports above 1024 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPUDP_condense_1024 IPv4 TCP/UDP connection information, ports above 1024 condensed (IPs, IP protocol, condensed ports, ttl)
TCPUDP_condense_2560 IPv4 TCP/UDP connection information, ports above 2560 condensed (IPs, IP protocol, condensed ports, ttl)
MAC2MAC Ethernet (MAC) src/dst address collection
TCPUDP_condense_bytes_256 IPv4 TCP/UDP connection information, ports above 256 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
IP2IP_bytes source, destination IP collection with total byte count
TCPUDP_condense_256 IPv4 TCP/UDP connection information, ports above 256 condensed (IPs, IP protocol, condensed ports, ttl)
TCPSYN_condense_bytes_2048 IPv4 TCP/UDP connection information, ports above 2048 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
IP2IP IPv4 IP-to-IP address collection (who is calling whom?)
TCPSYN_condense_bytes_2560 IPv4 TCP/UDP connection information, ports above 2560 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPUDP_condense_2048 IPv4 TCP/UDP connection information, ports above 2048 condensed (IPs, IP protocol, condensed ports, ttl)
srcMACIP source Ethernet (MAC) and source IP address collection
TCPSYN_condense_1024 IPv4 TCP/UDP connection information, ports above 1024 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPUDP_condense_bytes_1536 IPv4 TCP/UDP connection information, ports above 1536 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
TCPSYN_condense_bytes_256 IPv4 TCP/UDP connection information, ports above 256 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPSYN_condense_bytes_1536 IPv4 TCP/UDP connection information, ports above 1536 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPUDP_condense_bytes_2560 IPv4 TCP/UDP connection information, ports above 2560 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
TCPUDP_condense_bytes_1024 IPv4 TCP/UDP connection information, ports above 1024 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
srcIP source IP address collection
TCPUDP IPv4 TCP/UDP full connection information (IPs, IP protocol, ports, ttl)
TCPSYN_condense_512 IPv4 TCP/UDP connection information, ports above 512 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPSYN_condense_bytes_512 IPv4 TCP/UDP connection information, ports above 512 condensed, with SYN and total byte count (IPs, IP protocol, condensed ports, ttl, SYN count, total byte count)
TCPSYN_condense_3072 IPv4 TCP/UDP connection information, ports above 3072 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPUDP_condense_3072 IPv4 TCP/UDP connection information, ports above 3072 condensed (IPs, IP protocol, condensed ports, ttl)
TCPSYN_condense_2048 IPv4 TCP/UDP connection information, ports above 2048 condensed, with SYN count (IPs, IP protocol, condensed ports, ttl, SYN count)
TCPUDP_condense_bytes_3072 IPv4 TCP/UDP connection information, ports above 3072 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
TCPUDP_condense_512 IPv4 TCP/UDP connection information, ports above 512 condensed (IPs, IP protocol, condensed ports, ttl)
TCPUDP_condense_bytes_2048 IPv4 TCP/UDP connection information, ports above 2048 condensed, with total byte count (IPs, IP protocol, condensed ports, ttl, byte count)
- Create a
-STCPUDPpredefined scan, using default settings, and start it:
traffic types: IP4
total scanning time: 0 days 03:00:00
scan period duration: 0 days 03:00:00
number of scan periods: 1
record size: 18 table size: 96 hash table size: 64
memory usage for scan results: 1754 bytes
approximate run-time memory usage: 2266 bytes
Prefilter: n Link layer filter: n Network layer filter: y
Tracking the following elements:
IPv4 source address
IPv4 destination address
IPv4 protocol
TCP/UDP source port
TCP/UDP destination port
IPv4 TTL (recorded once, not tracked)
This configuration could be established with the following command line:
-S <scan type> -t IP4 -s 10800 -N 1 -n 96 --hashTableSize 64
Sending start request to implant. Are you sure (y/n) [y]? y
networkProfiler scan started.
-
8: Re-show menu. -
13,0,5: Show records of ongoing networkProfiler scan.
(13 0 0) networkProfiler module data:
Scan period 0:
total packets collected: 2
packets discarded due to error: 0
number of records collected: 1
number of records dropped: 0
scan start (target box time, displayed as GMT): Thu Sep 8 15:45:37 2016
scan end (target box time, displayed as GMT) : Thu Sep 8 18:45:37 2016A
scan in progress
Records:
IPv4 source address : 192.168.001.001
IPv4 destination address : 192.168.001.002
IPv4 protocol : 0x11
TCP/UDP source port : 3000
TCP/UDP destination port : 4000
IPv4 TTL (recorded once, not tracked) : 64
count: 2
-
This shows one record which summarizes the two UDP packets exchanged between the implant and LP. Nothing else is happening on the simulated network. To get a better idea of what it is doing it would make sense to inject some fake traffic.
-
7,0,0: Get comms state. This simply shows the same information again as when connecting.
Connected to node 00000000
Firewall Type : 00000000 Firewall Version: 00000000
Remote Code Version: 666.6.6
Remote IP Addr: 192.168.001.002
Remote interface : 0000
Listen IP Addr : 000.000.000.000
Listen IP timeout (on remote node) : none
Remote IP Sticky?: True
LP IP: 192.168.001.001
Source Port: 4000 Destination Port: 3000
Session Start Time (on remote node): Thu Sep 8 11:44:36 2016
7,0,1: Set a filter. Apparently I botched this as it loses contact to the implant.
Please enter the new filter IP/netmask [255.255.255.255/32]: 192.168.1.0/24
Please enter the filter timeout in minutes (0 for no timeout) [0]: 100
About to install filter IP 192.168.001.000/24, timeout 100 minutes.
Are you sure? (y/n) [n]? y
Operation succeeded.
2016-09-08 11:44:48 Menu Selection>? 0,0,0
11:44:55 2016-09-08 ===> selection 0 0 0
Timed Out
createSendRecv_5iHelper: attempt 1 of 3 timed out.
0: Exit session.
* 999) BURN sure sounds enticing, but can’t demonstrate it as the necessary interface is not simulated. Drats.
Written on September 9, 2016
Filed under
Reverse-engineering