rita

LAB - Advanced C2 PCAP Analysis | Using RITA as an “Easy Button”

This a description of my experience working on the labs offered by Black Hills Information Security called “Advanced C2 PCAP Analysis” and “RITA.” I completed these labs in May of 2022 as part of the “Active Defense - Cyber Deception” live class offered by John Strand and Antisyphon Training. If you want to do the labs yourself, check out their class here! The lab walkthroughs are also available on GitHub.

These labs show two ways of analyzing packet capture data, also known as PCAP analysis. The “manual” way is by using tcpdump to look at SYN packets, while the “easy” way is to use an open source tool called RITA.

The first step of the “manual way” was to open a Windows terminal as Administrator. I then opened an Ubuntu tab, as seen in the image below.

Next, I moved into the directory where the pcap file was stored and ran the following command (see below) to analyze the file with tcpdump. As stated in the lab instructions, “the –nA option tells tcpdump not to resolve names (n) and print the ASCII text of the packet (A).” The “-r” option allows us to read the file, and piping it through “less” allows us to view the data section by section.

sudo tcpdump -nA -r covertC2.pcap | less

Running this command opens a tcpdump session. The information displayed here is certainly not easy to parse if you are just getting started looking at pcap data. The interesting data here is the SYN packets that are all 30 seconds apart. To see the SYN packets, run the following command:

sudo tcpdump -r covertC2.pcap 'tcp[13] = 0x02'

This filters the data by showing “all packets with the SYN bit (0x02) set in the 13th byte offset in the TCP/IP header (tcp[13]).” This confirms that the packets are all 30 seconds apart. We can also grep any instances of “hidden” using the following command:

sudo tcpdump -nA -r covertC2.pcap | grep "hidden"

This returns some random-looking data followed by an “=” sign. This indicates Base64 encoded data, which could be malicious or benign. Either way, it should encourage us to dig deeper and look into this data more. In this case, this data appears to be a malicious PowerShell command to “download and execute Powersploit, which then invokes a Metasploit Meterpreter on the system.”

Without a solid understanding of tcpdump and python, malicious code like this might go unnoticed on a network. An easier way to detect this type of code is by using an open source tool such as RITA.

The “beacons” tool in RITA sorts connections by the consistency of their “heartbeat.” A value of “1” is considered perfect, where a connection is happening at a consistent interval. The image above shows the destination IP of 138.197.117.74 with a nearly perfect “heartbeat score.” A consistent heartbeat is not inherently dangerous, but the egregious number of connections (4532) in this case is very suspicious. This is an indication of a beacon that is calling home to wait for commands from an attacker.

Another way to use RITA is to look at when specific requests are being made for certain domains. By clicking “DNS,” we can see that there were over 40,000 requests for a website called “nanobotninjas.” This is a strong indicator of a backdoor present on the network that is receiving (or waiting for) commands from an attacker.

Open source tools like RITA are great for visualizing data patterns over longer time spans. Understanding the data in this context allows defenders to see trends and take appropriate actions to protect their networks. You can learn more about RITA here. Thanks for reading!