Profiling Tools: Tcptracer Log Analysis
Performance monitoring and tracing tools can provide a wealth of information about a running system and its applications. That information helps in locating performance bottlenecks in an application and in fine-tuning its performance for a given architecture.
Okay, but as a security researcher, what value can I get out of these tools?
This information is also useful to a security researcher, because these tools reveal a lot of detail about which files are being accessed, which libraries are being loaded, disk and network activity, and much more!
In some cases, they can help identify anomalies that could have been caused by a security incident.
This might not be very obvious immediately but let’s jump right in and analyze the logs of a script named “tcptracer”. That will make a lot of things clearer :)
Lab Scenario
We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.
In this lab, we will analyze Tcptracer script’s trace logs to unearth suspicious activity. Please analyze the logs and answer the provided questions.
Q1. Identify the port on which SSH is running.
Answer: 3603
Command: grep ssh logs
The SSH server was running on port 3306 on the target machine.
Q2. What is the IP address of the client that logged into the machine using SSH?
Answer: 192.168.161.36
Command: grep ssh logs
The client having IP address “192.168.161.36” logged into the compromised server over SSH.
Q3. A remote machine is running a service on port 2701. The local system downloads some files from that service. What is the IP address of the remote machine?
Answer: 10.10.79.35
Command: grep 2701 logs
The remote machine having IP address “10.10.79.35” had a server running on port 2701 which served the files.
Q4. What is the name of the utility used to download the files from the remote service running on port 2701?
Answer: wget
Command: grep 2701 logs
The “wget” utility was used to download files from the remote service running on port 2701.
Q5. The machine sends system metrics to a remote machine using curl. What is the IP address of the remote machine?
Answer: 172.17.3.36
Command: grep curl logs
The compromised machine sends the system metrics to the machine having IP address “172.17.3.36” using “curl”.
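The questions above are all answered by reading the same columns of the trace, so the grep commands can be replaced by a small parser that builds the answers in one pass. The following is an added example, not part of the original lab or the tcptracer tool; it assumes the column layout of BCC's tcptracer without the timestamp flag (T PID COMM IP SADDR DADDR SPORT DPORT, where an 'A' event's SADDR/SPORT are the local side and DADDR is the connecting peer), and the sample lines are constructed, with the SSH port set to an arbitrary 2222:

```python
import re
from collections import defaultdict

# Constructed sample lines in the column layout of BCC's tcptracer
# (T PID COMM IP SADDR DADDR SPORT DPORT; T: C=connect, A=accept, X=close).
SAMPLE_LOG = """\
T  PID    COMM             IP SADDR            DADDR            SPORT  DPORT
A  1021   sshd             4  10.0.0.5         192.168.161.36   2222   51522
C  2310   wget             4  10.0.0.5         10.10.79.35      40112  2701
X  2310   wget             4  10.0.0.5         10.10.79.35      40112  2701
C  2415   curl             4  10.0.0.5         172.17.3.36      40230  8080
X  1021   sshd             4  10.0.0.5         192.168.161.36   2222   51522
"""

LINE_RE = re.compile(
    r"^(?P<t>[CAX])\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<ip>[46])\s+"
    r"(?P<saddr>\S+)\s+(?P<daddr>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)$"
)


def parse(log):
    """Yield one dict per event line; the header and unparsable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            yield ev


def summarize(log):
    """Views the lab questions need: 'A' events give the local port a daemon
    accepted on (SPORT) and the peer (DADDR); 'C' events give which command
    reached which remote host:port."""
    listeners = defaultdict(set)  # comm -> local ports it accepted on
    clients = defaultdict(set)    # comm -> remote addresses that connected in
    outbound = defaultdict(set)   # comm -> (remote addr, remote port) pairs
    for ev in parse(log):
        if ev["t"] == "A":
            listeners[ev["comm"]].add(ev["sport"])
            clients[ev["comm"]].add(ev["daddr"])
        elif ev["t"] == "C":
            outbound[ev["comm"]].add((ev["daddr"], ev["dport"]))
    return {"listeners": dict(listeners), "clients": dict(clients),
            "outbound": dict(outbound)}


def remotes_on_port(log, port):
    """Remote hosts that some local command connected to on `port` (Q3-style)."""
    out = summarize(log)["outbound"]
    return sorted({addr for peers in out.values() for addr, p in peers if p == port})
```

On a real trace, anything in `outbound` for commands that should never talk to the network (shells, editors, cron jobs) is the kind of anomaly the lab is teaching you to spot.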
I hope you added a new and valuable tool to your toolbelt today :)
Stay Safe and Happy Hacking!