Detecting Long Connections With Zeek/Bro and RITA


Hello and welcome, my name is John Strand and in this video, we’re going to be talking about RITA, Real Intelligence Threat Analytics and how it can quickly do DNS analysis to find DNS backdoors in your environment.

So once again we are using ADHD, if you want to find ADHD just go to ActiveCountermeasures.com go to projects, select ADHD and then you can download it. On that virtual machine, once you login with user ID and password of ADHD, ADHD, you’ll be able to get in, login, and then right on the desktop, you’re going to find our instructions document. Inside of that document, if you select attribution and you go RITA, so if we start at the beginning, close this out. If I go usage, ADHD usage, opens the document and then if I go to attribution and select RITA, it’ll take you right to the instructions that I’m working through.

Once again, we’re using ADHD instead of Security Onion today because ADHD has this packet capture, that I use in my Cyber Deception Active Defense class for various classes like Black Hat and Wild West Hackin’ Fest, built into it.

You would follow these instructions to basically get to the point where I’m at right now. Now as part of following those instructions, I have already done the Julia Child’s thing and I have already generated an HTML output report from RITA. Hello, look, it’s done!

So we’re going to go into DNS Cat, I’m going to go into 2017. Yes, it’s a little bit old, but trust me. TCP, IP, and UDP haven’t changed all that much since then.

We are going to open up this particular capture file. Then we are going to go into DNS.

Now, once we get into DNS, there’s a couple of things I’d like to talk about. First, whenever you’re thinking of DNS, the best thing to think of is a phone book. A very large, automatic phone book that your computer uses to resolve names like www.yahoo.com or Google or Active Countermeasures or Security Weekly, whatever it is you’re going to.

Your computer has no idea what those things are. None, what’s so ever. So it has to resolve that to a number or an IP address. Now, whenever we’re looking at those IP addresses, another analogy is it’s like a phone number right, it’s like a number that you would call to get to a computer. Now the analogy falls apart after a while, but just suffice to say that the analogy of name to a number with a phonebook in the middle works.

Now, whenever you have a backdoor, it can actually use DNS as that covert command and control getting out of the environment.

One of the tools that works very well for doing this is DNScat2 by Ron Bowes, and that’s in fact what you’re seeing here. Now in this example, you can see that the number of subdomains are 23,362 or hosts associated with nanobotninjas. That’s not normal. That’s like, if you think of google.com, right? You have maps.google.com, mail.google.com, you have drive.google.com those are all subdomains or hosts associated with the domain google.com. Now in order for the DNS backdoor to work, it needs to make a full connection for every single DNS lookup. The reason why is if it just did www.nanobotninjas.com again and again, then the local DNS resolver, which in many organizations is there domain controller, would just serve up that cached answer. So it has to set up a randomized request every single time.

I’ll show you what that looks like here. Here you can see that we have 23,362 subdomain requests that’s just, that’s bad.

All right so what we’re going to do is we’re going to drop into the directory in bro where we’ll do some quick bro log analysis for DNS backdoors.

Now you can see our evil domain is nanobotninjas.com and you can see that the file that we are looking at is DNScat_log/2017-03-21. That’s exactly the directory that we’re logged into, so we’re going right to the source.

So RITA said something is weird here so what we’re doing now is we’re actually diving into it a little bit deeper. What I’m going to use is a tool called zgrep. Zgrep allows me to grep out a string inside of compressed archives. DNScat was going to have a whole bunch of DNS queries, we’re going to see that in a second but it’s currently all logged inside of bro data and that bro data is compressed. So instead of going through and trying to decompress absolutely everything, you can see here is a whole bunch of different compressed files and there’s a lot of DNS files there, what we’re going to do instead, is we’re going to use a tool that can grep up out of those compressed archives anything or any line that has the string nanobot, specifically looking at any file with DNS in the name.

I’m going to hit enter, here we go.

Now a couple of things that are going to jump out at you fairly quickly. First, for a lot of people that are new to this, this looks like total complete and utter gibberish. That’s ok. What I want you to notice is here. You can see that we have multiple requests for cat.nanobotninjas.com but if you look, you can actually see that the string before the cat actually is randomized for every single request. That’s because a DNS backdoor is going to have to randomize that request to cause the full DNS query to go all the way to the evil DNS circuit and back every single time. So there’s lots of requests that are being made.

The other thing that’s interesting about this, is if you look, the DNS server that it’s talking to is 8.8 8.8. Now, there are a couple of interesting things. First, this is interesting because it is Google’s DNS server. That’s kind of weird. Does this mean that Google’s DNS server is evil? It just means that Google’s DNS server is receiving that request and then it’s forwarding that request to the nanobotninjas name server. So it’s kind of forwarding that.

Now the reason why this is important to anyone who does enterprise security is because many of your organization’s whitelist everything that goes to Google. Whether it’s www.google.com or 8.8.8.8, it just ignores it. And it does that for the purposes of resource utilization, monitoring network traffic on the edge of your network, it’s just easier to say, “Ah, that’s going to Google, eh, let it go!” and just let it run without actually stopping it at all.

So this is important for two separate reasons. One it’s important because this backdoor is heavily utilized by Black Hills Information Security in our pentests, or variations of this particular backdoor. Two, it doesn’t really get caught all that much. And three, we have found that many organizations that are security products themselves are actually ignoring a lot of the traffic that happens to be relaying through something like Google.

And you’re going to see this a lot more as we progress throughout these videos for things like domain fronting as well.

So once again, my name is John Strand if you have an opportunity to go down and hit subscribe, I see a lot of people that are YouTubers, I think that’s right? They say to do that all the time so I guess I’m going to do it, too? And also, please check us out every Wednesday on Enterprise Security Weekly where we aren’t afraid to name vendors, name names and actually say how well things do or sometimes do not work. Thank you so much and I hope to see you in the next video.



Want to level up your skills and learn more straight from John himself?
You can check out his classes below!

SOC Core Skills

Active Defense & Cyber Deception

Getting Started in Security with BHIS and MITRE ATT&CK

Introduction to Pentesting

Available live/virtual and on-demand