From canacar@ee.eee.metu.edu.tr Fri Jan 26 16:45:57 2001
Date: Mon, 22 Jan 2001 11:33:14 +0200
From: Can Erkin Acar
To: project@honeynet.org
Subject: Scan of the month #11

OK, I know the challenge is over and we have a brand new forensics challenge (which is great, btw.), but I could not stop myself ...

Scanning tool: Windows telnet ;-)

Why:

1. The passive fingerprint matches...
2. It is a distant host (128-111=17 hops away)
3. I believe Windows telnet uses something similar to SO_SNDLOWAT (as suggested by Lars Gaarden)
4. Windows telnet sends 0x0d 0x0a (CRLF) when enter is pressed
5. Windows telnet sends 0x08 when backspace is pressed :-)
6. It is a simpler solution :-)

Scenario:

I have extracted the packets sent from the remote side and analyzed timings ('del' is in milliseconds):

_time____  _del_  _hex____________  _char_  _comment________________
46.458282  -                                handshake 1 (syn)
46.734157  28                               handshake 2 (ack)
47.973665  124    48                H       a brief pause
48.330383  36     45                E
48.722711  39     41 44             AD      'ad' can be typed much faster
49.102466  38     20 2F             /
49.499083  39     20
51.430835  194    20 48 54 54 08    HTT.    what was next ... oops!
52.227849  79     0D 0A             ..      damn! (press enter)
53.073680  85     0D 0A             ..      no output - press enter again
53.306817  23                               ack for remote FIN
56.230167  297                              close program after 3sec?

1. Our friend telnets to port 80; the initial handshake completes in 28 ms. This can be assumed to be the RTT (round trip time) of the connection.
2. After a brief pause, she starts typing. Note the packet delays are almost constant, 36-39 ms, so there is a timing mechanism that determines when to flush the buffer. Also note that the 'A' and 'D' keys are close together and can be typed faster.
3. After typing 'HEAD/ ', she briefly contemplates what to type next (I know, I always have a hard time remembering the correct HTTP syntax).
4. Remembering, she types HTT really fast, then thinks she made a mistake and presses 'backspace' instinctively.
5. After a brief pause, realizing 'backspace' was a mistake, she ends the transaction by pressing ENTER (telnet sends CRLF simultaneously).
6. Seeing no response, she presses ENTER again, and gets the error response (and a connection closed popup).
7. After contemplating the results for about 3 sec, she closes the dialog.

Well, I think that is a possible scenario (why would whisker send 0x08?).

I have done some tests on the behavior of Windows NT telnet. I could not send multiple characters by typing, but a paste operation sends the whole buffer at once, so there is definitely a timing mechanism. Perhaps a slow link, a slower computer, or a different IP stack (Win95?) could enable a fast typist to send multiple characters at once...

I have not sent my analysis previously (it seemed so obvious), but after seeing the published results I did the timing analysis, and here it is ...

So, if you disagree with the above analysis, please correct me. After all, it is all about learning ;-)

Can E. Acar

Note: I cannot believe I have spent so much time on a simple telnet connection. But it was fun :-)
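The kind of timing analysis done in the message above can be scripted, which is useful when triaging many captures for interactive (human-typed) sessions versus single-shot scanner requests. The following is an added example, not part of the original message or the Honeynet challenge data: it computes inter-arrival delays from the client's TCP segments, counts keystroke-sized payloads, and reconstructs the request both as the server received it and as the typist saw it after the 0x08 backspace. The two traces, the segment timestamps and the thresholds are constructed assumptions, not the original capture.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Segment:
    ts: float       # capture timestamp in seconds
    payload: bytes  # TCP payload sent by the remote (client) side; b"" for SYN/ACK-only

# Constructed traces (assumptions, not the original capture): TYPED mimics the
# keystroke-at-a-time pattern discussed above, TOOL a scanner sending one segment.
TYPED = [Segment(0.000, b""), Segment(0.276, b""), Segment(1.515, b"H"),
         Segment(1.872, b"E"), Segment(2.264, b"AD"), Segment(2.644, b" /"),
         Segment(3.040, b" "), Segment(4.972, b"HTT\x08"),
         Segment(5.769, b"\r\n"), Segment(6.615, b"\r\n")]
TOOL = [Segment(0.000, b""), Segment(0.276, b""),
        Segment(0.280, b"HEAD / HTTP/1.0\r\n\r\n")]

def delays_ms(segments):
    """Inter-arrival delays in milliseconds, like the 'del' column of the analysis."""
    return [round((b.ts - a.ts) * 1000) for a, b in zip(segments, segments[1:])]

def as_typed(raw):
    """Apply 0x08 as a destructive backspace to recover what the typist saw on screen."""
    out = bytearray()
    for b in raw:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)

def profile(segments):
    """Summarise a client-side trace and decide whether it looks interactively typed."""
    data = [s for s in segments if s.payload]      # ignore handshake / pure ACKs
    gaps = delays_ms(data)
    keystroke_sized = sum(1 for s in data if len(s.payload) <= 2)
    raw = b"".join(s.payload for s in data)
    mean_gap = round(mean(gaps)) if gaps else 0
    return {
        "keystroke_sized": keystroke_sized,
        "mean_gap_ms": mean_gap,
        "backspace": b"\x08" in raw,
        "crlf": raw.endswith(b"\r\n"),
        "received": raw,             # what the server actually parsed
        "typed": as_typed(raw),      # what the human thought they sent
        # thresholds are assumptions: several tiny segments spaced tens of ms or more
        "interactive": keystroke_sized >= 3 and mean_gap >= 30,
    }
```

Calling `profile(TYPED)` flags the trace as interactive and shows the raw 0x08 reaching the server, while `profile(TOOL)` reports a single full-request segment with no keystroke timing at all.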