Profiling Tools: Tcptracer Log Analysis

Shivam Bathla
Pentester Academy Blog
3 min read · Jul 28, 2020


Performance monitoring and tracing tools can provide a wealth of information about a running system and its applications. That information helps in locating performance bottlenecks in an application and in fine-tuning its performance for a given architecture.

Okay, but as a security researcher, what value can I get out of these tools?

This information can be just as useful to a security researcher, because these tools reveal a lot of detail about which files are being accessed, which libraries are being loaded, what disk and network activity is taking place, and a lot more!!
In some cases, they can help identify anomalies caused by a security incident.

This might not be immediately obvious, but let’s jump right in and analyze the logs of a script named “tcptracer”. That will make a lot of things clearer :)

Lab Scenario

We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab: Tcptracer: Log Analysis

In this lab, we will analyze Tcptracer script’s trace logs to unearth suspicious activity. Please analyze the logs and answer the provided questions.

Q1. Identify the port on which SSH is running.

Answer: 3603

Command: grep ssh logs

Retrieving log entries containing the keyword “ssh” to determine the port on which SSH was running on the target server

SSH server was running on port 3306 on the target machine.

Q2. What is the IP address of the client that logged into the machine using SSH?

Answer: 192.168.161.36

Command: grep ssh logs

Retrieving log entries containing the keyword “ssh” to get the IP address of the client that used SSH to log into the target server

The client having IP address “192.168.161.36” logged into the compromised server over SSH.

Q3. A remote machine is running a service on port 2701. The local system downloads some files from that service. What is the IP address of the remote machine?

Answer: 10.10.79.35

Command: grep 2701 logs

Getting the log entries where “2701” is present. Notice that the remote machine has IP address: “10.10.79.35”

The remote machine having IP address “10.10.79.35” had a server running on port 2701 which served the files.

Q4. What is the name of the utility used to download the files from the remote service running on port 2701?

Answer: wget

Command: grep 2701 logs

Getting the log entries where “2701” is present. Notice that the wget command is listed in all of the entries!!

“wget” utility was used to download files from the remote service running on port 2701.

Q5. The machine sends system metrics to a remote machine using curl. What is the IP address of the remote machine?

Answer: 172.17.3.36

Command: grep curl logs

Getting the log entries having “curl” keyword.

The compromised machine sends the system metrics to the machine having IP address “172.17.3.36” using “curl”.
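Each of the five questions above is answered with a single grep, which works because tcptracer prints one line per TCP connect, accept or close event with the process name and both endpoints on it. The same questions can be asked of the whole log at once with a small structured parser, which also gives a per-program summary of outbound destinations that is handy for triage when you do not yet know which keyword to grep for. The example below is added here and is not code from the original post or from the Pentester Academy lab; the log lines in it are constructed, use RFC 5737 documentation addresses rather than the lab's values, and assume a column layout modelled on BCC tcptracer output (T PID COMM IP SADDR DADDR SPORT DPORT, with the local endpoint in the SADDR/SPORT columns for both connect and accept events). If your tcptracer build prints extra columns such as timestamps, adjust the regular expression accordingly.

```python
"""Parse tcptracer-style connection logs and answer the lab's question types.

The log format is an assumption modelled on BCC tcptracer output:
  T     event type: C = connect (outbound), A = accept (inbound), X = close
  SADDR/SPORT  local endpoint, DADDR/DPORT remote endpoint
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log (not real capture data): an sshd accept, two wget
# downloads from a service on port 2701, and two curl uploads to port 443.
SAMPLE_LOG = """\
Tracing TCP established connections. Ctrl-C to end.
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
A  911    sshd             4  10.0.0.5         192.0.2.10       2222   51522
C  1402   wget             4  10.0.0.5         198.51.100.7     40112  2701
X  1402   wget             4  10.0.0.5         198.51.100.7     40112  2701
C  1410   wget             4  10.0.0.5         198.51.100.7     40118  2701
X  1410   wget             4  10.0.0.5         198.51.100.7     40118  2701
C  1533   curl             4  10.0.0.5         203.0.113.5      40200  443
X  1533   curl             4  10.0.0.5         203.0.113.5      40200  443
C  1601   curl             4  10.0.0.5         203.0.113.5      40244  443
X  911    sshd             4  10.0.0.5         192.0.2.10       2222   51522
"""


@dataclass(frozen=True)
class Event:
    kind: str      # 'C' connect, 'A' accept, 'X' close
    pid: int
    comm: str      # process name as tcptracer prints it
    ip_ver: int
    saddr: str     # local address
    daddr: str     # remote address
    sport: int     # local port
    dport: int     # remote port


# One event per line; the banner and the column header do not match.
LINE_RE = re.compile(
    r"^(?P<kind>[CAX])\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<ip>[46])\s+"
    r"(?P<saddr>\S+)\s+(?P<daddr>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s*$"
)


def parse_log(text):
    """Return the Event records in `text`; non-event lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(m["kind"], int(m["pid"]), m["comm"], int(m["ip"]),
                            m["saddr"], m["daddr"], int(m["sport"]), int(m["dport"])))
    return events


def listening_ports(events, comm):
    """Local ports on which `comm` accepted inbound connections (Q1-style)."""
    return sorted({e.sport for e in events if e.kind == "A" and e.comm == comm})


def inbound_clients(events, comm):
    """Remote addresses that connected to `comm` (Q2-style)."""
    return sorted({e.daddr for e in events if e.kind == "A" and e.comm == comm})


def remote_hosts_for_port(events, dport):
    """Remote addresses this host connected to on `dport` (Q3-style)."""
    return sorted({e.daddr for e in events if e.kind == "C" and e.dport == dport})


def commands_for_port(events, dport):
    """Local programs that opened connections to `dport`, with counts (Q4-style)."""
    return Counter(e.comm for e in events if e.kind == "C" and e.dport == dport)


def destinations_of(events, comm):
    """Remote (address, port) pairs that `comm` connected to (Q5-style)."""
    return sorted({(e.daddr, e.dport) for e in events if e.kind == "C" and e.comm == comm})


def outbound_summary(events):
    """Per-program outbound destinations: a first-pass triage view of a log."""
    summary = defaultdict(set)
    for e in events:
        if e.kind == "C":
            summary[e.comm].add((e.daddr, e.dport))
    return {comm: sorted(dests) for comm, dests in summary.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sshd listening on:", listening_ports(ev, "sshd"))
    print("sshd clients:", inbound_clients(ev, "sshd"))
    print("hosts serving 2701:", remote_hosts_for_port(ev, 2701))
    print("programs talking to 2701:", dict(commands_for_port(ev, 2701)))
    print("curl destinations:", destinations_of(ev, "curl"))
    for comm, dests in outbound_summary(ev).items():
        print(f"{comm:8s} -> {dests}")
```

Run it against a real capture by replacing SAMPLE_LOG with the file contents; the `outbound_summary` view is the one to look at first on an unfamiliar log, since a download utility or curl talking to an address you do not recognise stands out there without needing a keyword in advance.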

I hope you have added a new and valuable tool to your toolbelt today :)

Stay Safe and Happy Hacking!
