IR 381: TAXII (15 pts extra)

What You Need for This Project

Purpose

To examine the TAXII exchange protocol and collect open-source threat intelligence.

Introducing TAXII

In a Web browser, go to

https://oasis-open.github.io/cti-documentation/

Read the description of TAXII, as shown below.

A TAXII Request with Curl

In your Linux machine, execute the following commands. Note that the backslash is a continuation character, so the last four lines comprise a single command.
sudo apt update
sudo apt install curl -y

curl --location --request POST 'http://hailataxii.com/taxii-discovery-service' \
     --header 'Content-Type: application/xml' \
     --header 'X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1' \
     --data-raw '<Discovery_Request xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="1"/>' 
The response is a big blob of XML data that's difficult to read, as shown below.

Installing Burp

If you are using a virtual Linux machine, I recommend installing Burp on your host machine.

You can install it on the Linux machine itself if you prefer, as long as it's a desktop version with a GUI.

Download and install Burp Suite Community Edition here:

https://portswigger.net/burp/communitydownload

Finding the Gateway Address

In your Linux machine, execute this command.
traceroute 1.1.1.1 
The response shows the hops a packet makes getting to the Internet. Find the "gateway" address, as shown below.

Adjusting the Listening Address

Launch Burp Suite.

At the "Welcome to Burp Suite" page click the orange Next button.

At the "Select the configuration" page click the orange "Start Burp" button.

In the next window, at the top left, in the second row, click the Proxy tab, outlined in green in the image below.

Turning off Intercept

At the top center, click the blue "Intercept is on" button, as shown below, so the text changes to "Intercept is off".

Then click the Options tab, outlined in green in the image below.

Adjusting the Listening Address

At the top center, click "127.0.0.1:8080" to highlight it, as shown below.

Then click the Edit button, outlined in green in the image below.

In the "Edit proxy listener" box, in the "Specific address" drop-down list box, select the gateway address you found earlier, as shown below.

Then click OK.

Sending a TAXII Request to the Proxy

In your Linux machine, execute the following command. Adjust the IP address at the end to match your gateway address.
curl --location --request POST 'http://hailataxii.com/taxii-discovery-service' \
     --header 'Content-Type: application/xml' \
     --header 'X-TAXII-Content-Type: urn:taxii.mitre.org:message:xml:1.1' \
     --data-raw '<Discovery_Request xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="1"/>' \
     -x 172.16.123.1:8080
You should see the same response you saw earlier, as shown below.

Viewing the TAXII Request in Burp

In Burp, at the top left, in the third row, click the "HTTP history" tab, outlined in green in the image below.

In the center pane, you see a line showing a POST request to "http://hailataxii.com". Click that line to highlight it, as shown below.

The lower pane shows the HTTP request you sent, in a more readable form than the Curl command, as shown below.

Notice that the last line begins with Discovery_Request.

Viewing the TAXII Response in Burp

In Burp, in the lower pane, click the Response tab, outlined in green in the image below.

This is the response from the TAXII server. This server offers three services, outlined in red in the image below:

Sending a Request to the Repeater

In Burp, in the lower pane, click the Request tab.

In the lower pane, right-click and click "Send to Repeater", outlined in green in the image below.

Using Burp Repeater

In Burp, at the top, in the second row, click the Repeater tab, outlined in green in the image below.

In the lower pane, make these changes to the request, outlined in red in the image below:

At the top left, click the orange Send button.

Viewing Available Collections

In Burp, in the lower pane, click the Response tab.

You see the available threat feed collections. The first two are outlined in red in the image below.

In the lower pane, scroll to the bottom and find guest.phishtank_com, as shown below. This is the feed we'll poll.

Sending the Request to the Repeater Again

In Burp, in the lower pane, click the Request tab.

In the lower pane, right-click and click "Send to Repeater".

You see a copy of the request on a tab named 2, outlined in green in the image below.

Polling from Phishtank

In Burp, in the lower pane, replace line 10 with these lines, as shown below:
<Poll_Request xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" 
message_id="1" collection_name="guest.phishtank_com">
  <Exclusive_Begin_Timestamp>2018-05-25T02:00:00Z</Exclusive_Begin_Timestamp>
  <Inclusive_End_Timestamp>2018-05-25T02:10:00Z</Inclusive_End_Timestamp>
  <Poll_Parameters allow_asynch="false">
    <Response_Type>FULL</Response_Type>
  </Poll_Parameters>
</Poll_Request>
At the top left, click the orange Send button.
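As an added example (not part of the original lab), this Python script builds the same Discovery_Request and Poll_Request bodies that the curl commands and the Repeater step send, and parses the two kinds of TAXII 1.1 responses the lab examines in Burp: the Service_Instance entries of a Discovery_Response and the Content_Block entries of a Poll_Response. The sample responses are constructed here for offline use; the three service types and the two non-discovery addresses are assumptions, not values captured from hailataxii.com.

```python
import xml.etree.ElementTree as ET

# TAXII 1.1 XML message binding, as used in the lab's curl commands.
TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"t": TAXII_NS}
# Headers to send with either request body (same two headers as the curl commands).
HEADERS = {"Content-Type": "application/xml", "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1"}

def discovery_request(message_id="1"):
    # Same body as the lab's curl Discovery_Request.
    return f'<Discovery_Request xmlns="{TAXII_NS}" message_id="{message_id}"/>'

def poll_request(collection, begin, end, message_id="1"):
    # Same shape as the lab's guest.phishtank_com Poll_Request (timestamps in UTC).
    return (f'<Poll_Request xmlns="{TAXII_NS}" message_id="{message_id}" '
            f'collection_name="{collection}">'
            f'<Exclusive_Begin_Timestamp>{begin}</Exclusive_Begin_Timestamp>'
            f'<Inclusive_End_Timestamp>{end}</Inclusive_End_Timestamp>'
            '<Poll_Parameters allow_asynch="false"><Response_Type>FULL'
            '</Response_Type></Poll_Parameters></Poll_Request>')

def parse_services(discovery_response_xml):
    # (service_type, address) for each Service_Instance the server advertises.
    root = ET.fromstring(discovery_response_xml)
    return [(si.get("service_type"), si.findtext("t:Address", namespaces=NS))
            for si in root.findall("t:Service_Instance", NS)]

def parse_content_blocks(poll_response_xml):
    # (content binding id, inner XML) for each Content_Block in a Poll_Response.
    root = ET.fromstring(poll_response_xml)
    return [(cb.find("t:Content_Binding", NS).get("binding_id"),
             "".join(ET.tostring(c, encoding="unicode") for c in cb.find("t:Content", NS)))
            for cb in root.findall("t:Content_Block", NS)]

# Constructed sample responses (not captured from hailataxii.com); the two
# non-discovery addresses are placeholders.
SAMPLE_DISCOVERY = f'''<Discovery_Response xmlns="{TAXII_NS}" message_id="2" in_response_to="1">
 <Service_Instance service_type="DISCOVERY" available="true">
  <Address>http://hailataxii.com/taxii-discovery-service</Address></Service_Instance>
 <Service_Instance service_type="COLLECTION_MANAGEMENT" available="true">
  <Address>http://taxii.example/collection-management</Address></Service_Instance>
 <Service_Instance service_type="POLL" available="true">
  <Address>http://taxii.example/poll</Address></Service_Instance>
</Discovery_Response>'''
SAMPLE_POLL = f'''<Poll_Response xmlns="{TAXII_NS}" message_id="3" in_response_to="1"
 collection_name="guest.phishtank_com" more="false"><Content_Block>
 <Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
 <Content><stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"/></Content>
</Content_Block></Poll_Response>'''
```

The same parsing works on the raw response bodies Burp shows in its Response tab; a real Poll_Response carries a STIX_Package with the indicators inside each Content element.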

IR 381.1: Folder (15 pts)

In the Response, scroll down a page or so and find the flag, covered by a green rectangle in the image below.

Posted 10-14-21