#
# SCAN OF THE MONTH #6: 9 September
#
# Contest to see who can determine which tool
# was used for this scan. Signatures captured here
# using snort (http://www.snort.org).
#
# The following signatures were captured in the wild. A site
# is being probed for its OS version.

QUESTION
--------
1. What can we tell about the source of the system with the following
   signature capture (see the bottom of the page for the actual packet
   capture)? This system made an unauthorized telnet connection to a
   system to determine what version the OS was. What can we tell about
   the source?

ANSWER
------
From: mister scarbaci
To: Lance Spitzner
Subject: scan of the month

Well, in the "first" packet, the client is performing subnegotiations for
NAWS, terminal speed, X display location, New Environment variables, and
terminal type. Since subnegotiations don't occur until the Do/Will
handshake is performed, we can tell some vital packets have been missed.

We also see that it doesn't contain the client side echo bug, as well as
that the server Will Echo, but it's not determined if the client sent a
Do Echo (missing packets).

We can also see the attacker is 15 hops away. His host name is hail;
24.x.x.x is a cable modem.

I don't have the information on me, but I can get you his OS type based
on his telnet information (off hand, looking at the packet info, BSDI or
FreeBSD, perhaps Slackware (the odd Linux)). With the high source port
address, it looks like he's scanning a bunch, or this is a nicely used
network machine. It's also interesting that the TOS isn't set to 0x10.

Author's Note: First, the OS in question has been confirmed as Solaris 8,
x86. Second, you can determine what variables your telnet session is
using with the telnet 'toggle options' and 'environ list' commands:

shell-1 $telnet
telnet> toggle options
Will show option processing.
telnet> environ list
LOGNAME bsmith
EXINIT set autoindent
SSH_TTY /dev/ttyr9
TERM vt100
SSH_CLIENT 216.80.71.97 13283 22
HOME /home/bsmith
EAMAILDIR /usr/local/maildirs/bsmith/Maildir/
MAIL /var/mail/bsmith
USER bsmith
BLOCKSIZE K
SHELL /usr/local/bin/ksh
EDITOR vi
PATH /bin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin
PS1 shell-1 $
PAGER more
_ /usr/bin/telnet
telnet> open shell.enteract.com
Trying 207.229.143.40...
Connected to shell.enteract.com.
Escape character is '^]'.
SENT DO SUPPRESS GO AHEAD
SENT WILL TERMINAL TYPE
SENT WILL NAWS
SENT WILL TSPEED
SENT WILL LFLOW
SENT WILL LINEMODE
SENT WILL NEW-ENVIRON
SENT DO STATUS
RCVD DO TERMINAL TYPE
RCVD DO TSPEED
RCVD DO XDISPLOC
SENT WONT XDISPLOC
RCVD DO NEW-ENVIRON
RCVD DO OLD-ENVIRON
SENT WONT OLD-ENVIRON
WILL SUPPRESS GO AHEAD
RCVD DO NAWS
SENT IAC SB NAWS 0 111 (111) 0 39 (39)
RCVD DO LFLOW
RCVD DO LINEMODE
SENT IAC SB LINEMODE SLC SYNCH DEFAULT 0; IP VARIABLE|FLUSHIN|FLUSHOUT 3;
     AO VARIABLE 15; AYT VARIABLE 20; ABORT VARIABLE|FLUSHIN|FLUSHOUT 28;
     EOF VARIABLE 4; SUSP VARIABLE|FLUSHIN 26; EC VARIABLE 127;
     EL VARIABLE 21; EW VARIABLE 23; RP VARIABLE 18; LNEXT VARIABLE 22;
     XON VARIABLE 17; XOFF VARIABLE 19; FORW1 NOSUPPORT 255;
     FORW2 NOSUPPORT 255;
SENT DO SUPPRESS GO AHEAD
RCVD WILL STATUS
RCVD IAC SB TERMINAL-SPEED SEND
SENT IAC SB TERMINAL-SPEED IS 9600,9600
RCVD IAC SB NEW-ENVIRON SEND
SENT IAC SB NEW-ENVIRON IS
RCVD IAC SB TERMINAL-TYPE SEND
SENT IAC SB TERMINAL-TYPE IS "VT100"
RCVD DO ECHO
SENT WONT ECHO
RCVD WILL ECHO
SENT DO ECHO
RCVD IAC SB TOGGLE-FLOW-CONTROL RESTART-ANY
RCVD DONT LINEMODE
SENT WONT LINEMODE
RCVD IAC SB LINEMODE SLC SYNCH NOSUPPORT 0; IP VARIABLE|ACK|FLUSHIN|FLUSHOUT 3;
     AO VARIABLE|ACK 15; AYT VARIABLE|ACK 20;
     ABORT VARIABLE|ACK|FLUSHIN|FLUSHOUT 28; EOF VARIABLE|ACK 4;
     SUSP VARIABLE|ACK|FLUSHIN 26; EC VARIABLE|ACK 127; EL VARIABLE|ACK 21;
     EW VARIABLE|ACK 23; RP VARIABLE|ACK 18; LNEXT VARIABLE|ACK 22;
     XON VARIABLE|ACK 17; XOFF VARIABLE|ACK 19; FORW1 NOSUPPORT|ACK 255;
     FORW2 NOSUPPORT|ACK 255;

FreeBSD/i386 (shell-1.enteract.com) (ttyre)

THE ASCII SIGNATURE
-------------------
!"'# #'$ 38400,38400#hail:0.0'DISPLAYhail:0.0XTERM
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586

THE ACTUAL PACKETS
------------------
09/09-06:03:14.375396 24.115.174.2:33358 -> 172.16.1.105:23
TCP TTL:49 TOS:0x0 ID:29046 DF
*****PA* Seq: 0x5AE76E9B   Ack: 0x813A69C7   Win: 0x60F4
FF FA 1F 00 8D 00 24 FF F0 FF FA 20 00 33 38 34  ......$.... .384
30 30 2C 33 38 34 30 30 FF F0 FF FA 23 00 68 61  00,38400....#.ha
69 6C 3A 30 2E 30 FF F0 FF FA 27 00 00 44 49 53  il:0.0....'..DIS
50 4C 41 59 01 68 61 69 6C 3A 30 2E 30 FF F0 FF  PLAY.hail:0.0...
FA 18 00 58 54 45 52 4D FF F0                    ...XTERM..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/09-06:03:14.377127 172.16.1.105:23 -> 24.115.174.2:33358
TCP TTL:64 TOS:0x0 ID:2030 DF
*****PA* Seq: 0x813A69C7   Ack: 0x5AE76EE5   Win: 0x7D78
FF FD 01                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/09-06:03:14.500366 24.115.174.2:33358 -> 172.16.1.105:23
TCP TTL:49 TOS:0x0 ID:29047 DF
*****PA* Seq: 0x5AE76EE5   Ack: 0x813A69CA   Win: 0x60F4
FF FC 01                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/09-06:03:14.501811 172.16.1.105:23 -> 24.115.174.2:33358
TCP TTL:64 TOS:0x0 ID:2031 DF
*****PA* Seq: 0x813A69CA   Ack: 0x5AE76EE8   Win: 0x7D78
FF FB 01 0D 0A 52 65 64 20 48 61 74 20 4C 69 6E  .....Red Hat Lin
75 78 20 72 65 6C 65 61 73 65 20 36 2E 32 20 28  ux release 6.2 (
5A 6F 6F 74 29 0D 0A 4B 65 72 6E 65 6C 20 32 2E  Zoot)..Kernel 2.
32 2E 31 34 2D 35 2E 30 20 6F 6E 20 61 6E 20 69  2.14-5.0 on an i
35 38 36 0D 0A                                   586..
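The option exchange in the author's telnet trace and the five subnegotiations packed into the first captured packet can be decoded mechanically. The following Python script is an added example, not code from this page, from snort or from the Honeynet Project: the `CAPTURE` list carries the four payloads transcribed from the hex dump above as constructed input, and `decode_telnet`, `replay` and `client_fingerprint` are names chosen here. It walks the IAC stream (DO/DONT/WILL/WONT commands, SB ... SE subnegotiations, escaped 0xFF data bytes), decodes NAWS, TSPEED, XDISPLOC, NEW-ENVIRON and TERMINAL-TYPE, and separates the server's banner from the protocol bytes. Run over live telnet traffic on a sensor, the same decoder gives a per-source client profile (terminal type, speed, window size, X DISPLAY) that is cheap to log and compare across connections.

```python
"""Decode telnet option negotiation from raw TCP payloads (added example, not code from
this page, snort or the Honeynet Project; CAPTURE is constructed from the hex dump above)."""
from dataclasses import dataclass, field

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254   # RFC 854 codes
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 24: "TERMINAL-TYPE",
                31: "NAWS", 32: "TERMINAL-SPEED", 33: "TOGGLE-FLOW-CONTROL",
                34: "LINEMODE", 35: "XDISPLOC", 36: "OLD-ENVIRON", 39: "NEW-ENVIRON"}

@dataclass
class TelnetDecode:
    commands: list = field(default_factory=list)  # ("DO", "ECHO"), ...
    subnegs: list = field(default_factory=list)   # ("NAWS", {"cols": 141, "rows": 36}), ...
    text: bytes = b""                             # non-protocol bytes: banner, keystrokes

def _decode_sb(option: int, data: bytes):
    """Interpret the bytes between IAC SB <option> and IAC SE."""
    name = OPTION_NAMES.get(option, f"OPT-{option}")
    if option == 31 and len(data) == 4:           # NAWS: width and height, 16-bit big-endian
        return name, {"cols": int.from_bytes(data[:2], "big"), "rows": int.from_bytes(data[2:], "big")}
    if option in (24, 32, 35) and data:           # TTYPE/TSPEED/XDISPLOC: IS(0) or SEND(1), then a string
        return name, {"IS" if data[0] == 0 else "SEND": data[1:].decode("ascii", "replace")}
    if option == 39 and data:                     # NEW-ENVIRON (RFC 1572): IS/SEND/INFO, then VAR/VALUE pairs
        kind = {0: "IS", 1: "SEND", 2: "INFO"}.get(data[0], "?")
        pairs, cur, esc = [], 0, False            # cur: 0 = building a name, 1 = building its value
        for b in data[1:]:
            if not esc and b in (0, 3):           # VAR / USERVAR opens a new name
                pairs.append([bytearray(), bytearray()])
                cur = 0
            elif not esc and b == 1:              # VALUE switches to the value part
                cur = 1
            elif not esc and b == 2:              # ESC: the next byte is literal
                esc = True
            elif pairs:
                pairs[-1][cur].append(b)
                esc = False
        return name, {kind: {k.decode("ascii", "replace"): v.decode("ascii", "replace") for k, v in pairs}}
    return name, {"raw": data.hex()}

def decode_telnet(payload: bytes) -> TelnetDecode:
    """Walk one payload, separating IAC commands, subnegotiations and plain data."""
    out, i, n = TelnetDecode(), 0, len(payload)
    while i < n:
        if payload[i] != IAC or payload[i + 1:i + 2] == bytes([IAC]):   # data byte, or IAC IAC = escaped 0xFF
            out.text += payload[i:i + 1]
            i += 2 if payload[i] == IAC else 1
        elif i + 2 < n and payload[i + 1] in CMD_NAMES:                 # IAC DO/DONT/WILL/WONT <option>
            out.commands.append((CMD_NAMES[payload[i + 1]], OPTION_NAMES.get(payload[i + 2], f"OPT-{payload[i + 2]}")))
            i += 3
        elif i + 2 < n and payload[i + 1] == SB:                        # IAC SB <option> ... IAC SE
            option, j, data = payload[i + 2], i + 3, bytearray()
            while j < n and not (payload[j] == IAC and payload[j + 1:j + 2] == bytes([SE])):
                data.append(payload[j])
                j += 2 if payload[j] == IAC and payload[j + 1:j + 2] == bytes([IAC]) else 1  # IAC IAC inside SB
            out.subnegs.append(_decode_sb(option, bytes(data)))
            i = j + 2
        else:                                                           # NOP, AYT, GA, ... carry no option byte
            i += 2
    return out

# Constructed from the page's hex dump: the four payloads of the capture, in order.
CAPTURE = [
    ("client", bytes.fromhex("FFFA1F008D0024FFF0"                              # SB NAWS 141 x 36
                             "FFFA200033383430302C3338343030FFF0"              # SB TSPEED IS 38400,38400
                             "FFFA23006861696C3A302E30FFF0"                    # SB XDISPLOC IS hail:0.0
                             "FFFA270000444953504C4159016861696C3A302E30FFF0"  # SB NEW-ENVIRON IS DISPLAY=hail:0.0
                             "FFFA1800585445524DFFF0")),                       # SB TTYPE IS XTERM
    ("server", bytes.fromhex("FFFD01")),                                       # DO ECHO
    ("client", bytes.fromhex("FFFC01")),                                       # WONT ECHO
    ("server", bytes.fromhex("FFFB01")                                         # WILL ECHO + login banner
     + b"\r\nRed Hat Linux release 6.2 (Zoot)\r\nKernel 2.2.14-5.0 on an i586\r\n"),
]

def replay(capture) -> list:
    """One line per negotiation event, tagged with the side that sent it."""
    events = []
    for who, payload in capture:
        d = decode_telnet(payload)
        events += [f"{who}: {c} {o}" for c, o in d.commands] + [f"{who}: SB {s} {v}" for s, v in d.subnegs]
        if d.text.strip():
            events.append(f"{who}: data {d.text!r}")
    return events

def client_fingerprint(capture) -> dict:
    """Fields the client volunteered about itself: cheap to log per source address."""
    profile = {}
    for who, payload in capture:
        for name, info in (decode_telnet(payload).subnegs if who == "client" else []):
            if "cols" in info:
                profile[name] = f"{info['cols']}x{info['rows']}"
            elif "IS" in info:
                profile[name] = info["IS"]
    return profile
```

`replay(CAPTURE)` yields the nine events of the capture in order (five client subnegotiations, the server's DO ECHO, the client's WONT ECHO, the server's WILL ECHO, then the Red Hat banner as data), and `client_fingerprint(CAPTURE)` reduces the client side to a 141x36 XTERM at 38400 baud with DISPLAY set to hail:0.0. The decoder deliberately treats unknown options and truncated commands as opaque rather than raising, since a sniffer sees mid-stream and partial segments, exactly the situation the answer above describes with its missing Do/Will packets.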