From Robert.Hanson@guardent.com Fri Apr 20 20:32:09 2001
Date: Thu, 19 Apr 2001 13:24:30 -0400
From: Robert.Hanson@guardent.com
To: project@honeynet.org
Subject: Scan of the month

# SCAN OF THE MONTH #14: April, 2001
#
# Challenge to decode a successful NT attack with only the snort binary log capture for
# analysis.
#

1. Which exploit(s) were used to attack the system?

The attacker is using two exploits to compromise the target.

· NT IIS MDAC RDS Vulnerability (CVE-1999-1011)
· Microsoft IIS Extended Unicode Directory Traversal Vulnerability

One of the tools used by the attacker is MSADC/RDS (msadc.pl), created by Rain Forest Puppy. This was identified because the traffic matches the function of this Perl script. Most notable is the following syntax:

-----------------------------------------------------------------------------------
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
-----------------------------------------------------------------------------------

Snort was used to dump the payload of the packets. The following was found in the traffic logs.

-----------------------------------------------------------------------------------
0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type:
6D 75 6C 74 69 70 61 72 74 2F 6D 69 78 65 64 3B  multipart/mixed;
20 62 6F 75 6E 64 61 72 79 3D 21 41 44 4D 21 52   boundary=!ADM!R
4F 58 21 59 4F 55 52 21 57 4F 52 4C 44 21 3B 20  OX!YOUR!WORLD!;
6E 75 6D 2D 61 72 67 73 3D 33 0D 0A 0D 0A 2D 2D  num-args=3....--
21 41 44 4D 21 52 4F 58 21 59 4F 55 52 21 57 4F  !ADM!ROX!YOUR!WO
52 4C 44 21 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  RLD!..Content-Ty
70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F  pe: application/
78 2D 76 61 72 67 0D 0A 43 6F 6E 74 65 6E 74 2D  x-varg..Content-
4C 65 6E 67 74 68 3A 20 33 36 34 0D 0A 0D 0A 02  Length: 364.....
-----------------------------------------------------------------------------------

2. How were the exploits used to access and control the system?

Once access was gained to the system via the exploits listed above, the attacker created several files, ftpcom and ftpcom2. These files were populated with FTP commands, including the attacker's username and password on a remote system, as well as get commands to retrieve additional files to further compromise the target. The attacker then FTPed these tools from www.nether.net, 212.139.12.26, and 213.116.251.162.

One of the tools retrieved was netcat (nc.exe). The attacker launches netcat with the -l -p 6969 -e cmd.exe options. The attacker then returns with a telnet to TCP 6969, launching a cmd.exe shell as SYSTEM.

3. What was done once access was gained?

The attacker essentially performs the same sequence of steps using the MDAC, Unicode, and netcat access they have gained. That is, the attacker creates an FTP command script and downloads multiple tools (pdump.exe, samdump.dll, nc.exe). Once downloaded, the attacker runs one or more of these tools. Multiple net session and net users commands are run. The attacker creates users and adds them, along with IWAM_KENNY, to the Domain Admins and Administrators groups. The attacker then repeats this sequence using another download site and FTP command script, then deletes many of the files that they created. The attacker has obviously compromised the system at this point. However, they continue to gather information from the system (SAM database and passwords).

4. How could this attack have been prevented?

The MDAC RDS Vulnerability requires configuration changes to remove the vulnerability. Details of the specific changes needed are available at http://www.microsoft.com/technet/security/bulletin/fq99-025.asp. If MDAC is not required, it should be disabled by removing the IIS virtual directory and associated registry keys.
The Unicode Vulnerability requires a patch from Microsoft. These patches can be found at the following locations.

IIS 4: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
IIS 5: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

The system should be installed with virus protection software. This would have denied access to the downloaded nc.exe backdoor.

5. How much time did you spend on this analysis and writeup?

I spent approximately 1 ½ hours on the analysis and ½ hour on the write-up. If additional time was available, further analysis would be done to correlate the times between the accesses via the Unicode, MDAC, and netcat exploits. My initial method analyzed these exploits separately.

Bonus Question: Do you feel that the attacker in question knew this was a honeypot? If so, why or why not?

Yes. Once netcat is FTPed to the victim and activated, the intruder connects to TCP 6969, launching a cmd.exe shell with SYSTEM privileges. During this shell access, the attacker moves around directories, creates and deletes some attack files, and runs multiple NetBIOS net commands. More interestingly, the attacker echoes "hi. I know this is a lab server but patch the holes! :-) >> readme.now.haXor." The attacker continues perusing directories and adding users ("himan pass:harHar666") via the netcat session.

Rob Hanson, CISSP
Senior Network Security Consultant
W: 651.221.1920  F: 651.221.2692  M: 612.209.8552
380 St. Peter Street, Suite 510, Saint Paul, MN 55102
PGP: A978 6332 4A77 1A5B 2618 4CBF 8223 A3B6 0471 ECA0
________________________________________________
G U A R D E N T
Enterprise Security and Privacy Programs

[ Part 2, Text/PLAIN (Name: "som.txt") 156 lines. ]
[ Part 3, Text/PLAIN (Name: "som.txt") 125 lines. ]
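Added example, not part of Rob Hanson's submission or of the Honeynet Project's challenge materials: a small Python detector for the two IIS attack patterns the write-up identifies in answer 1 (the msadc.pl RDS request with its !ADM!ROX!YOUR!WORLD! boundary, and the Extended Unicode directory traversal) together with the netcat bind-shell command line from answers 2 and 3. It also rebuilds payload bytes from the Snort hex dump quoted above, so the dump can be checked for the boundary mechanically. The Snort dump is copied from the write-up; every HTTP request and command string in the block is constructed for this example and is not from the challenge capture. The overlong-UTF-8 decoding mirrors the documented behaviour of the IIS bug (%c0%af for "/", %c1%9c for "\") and is the author's reconstruction, not Microsoft's code.

```python
"""Added example (not from the Scan of the Month submission): flag msadc.pl
RDS requests, IIS Extended Unicode traversal, and an nc -l -p <port> -e cmd.exe
bind shell in raw HTTP requests. Sample requests below are constructed."""
import re
from urllib.parse import unquote_to_bytes

ADM_BOUNDARY = b"!ADM!ROX!YOUR!WORLD!"      # MIME boundary hard-coded in msadc.pl
TRAVERSAL = re.compile(rb"\.\.[\\/]")       # "../" or "..\" once the path is decoded
NC_LISTENER = re.compile(r"\bnc(?:\.exe)?\b.*-l\b.*-p\s+(\d+).*-e\s+(\S+)", re.I)

# Payload dump exactly as quoted in the write-up (Snort "hex  ascii" layout).
SNORT_DUMP = """\
0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type:
6D 75 6C 74 69 70 61 72 74 2F 6D 69 78 65 64 3B  multipart/mixed;
20 62 6F 75 6E 64 61 72 79 3D 21 41 44 4D 21 52   boundary=!ADM!R
4F 58 21 59 4F 55 52 21 57 4F 52 4C 44 21 3B 20  OX!YOUR!WORLD!;
6E 75 6D 2D 61 72 67 73 3D 33 0D 0A 0D 0A 2D 2D  num-args=3....--
21 41 44 4D 21 52 4F 58 21 59 4F 55 52 21 57 4F  !ADM!ROX!YOUR!WO
52 4C 44 21 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  RLD!..Content-Ty
70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F  pe: application/
78 2D 76 61 72 67 0D 0A 43 6F 6E 74 65 6E 74 2D  x-varg..Content-
4C 65 6E 67 74 68 3A 20 33 36 34 0D 0A 0D 0A 02  Length: 364.....
"""

def parse_snort_hexdump(text):
    """Rebuild payload bytes from a Snort dump: up to 16 two-digit hex tokens
    per line; the trailing ASCII rendering is ignored."""
    out = bytearray()
    for line in text.splitlines():
        hexpart = []
        for tok in line.split()[:16]:
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                hexpart.append(tok)
            else:
                break
        out += bytes.fromhex("".join(hexpart))
    return bytes(out)

def decode_iis_path(raw):
    """Decode a URL path the way the vulnerable IIS did: %xx first, then 2-byte
    UTF-8, accepting overlong forms (%c0%af = '/', %c1%9c = '\\') that slipped
    past the '..' check because it ran before this second decode.
    Returns (decoded_path, saw_overlong)."""
    data = unquote_to_bytes(raw)
    out, overlong, i = bytearray(), False, 0
    while i < len(data):
        b0 = data[i]
        if 0xC0 <= b0 <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:            # overlong: an ASCII char hidden in two bytes
                overlong = True
                out.append(cp)
            else:                    # legitimate 2-byte UTF-8, leave untouched
                out += data[i:i + 2]
            i += 2
        else:
            out.append(b0)
            i += 1
    return bytes(out), overlong

def detect_unicode_traversal(path):
    decoded, overlong = decode_iis_path(path)
    return overlong and TRAVERSAL.search(decoded) is not None

def extract_command(request_line):
    """For cmd.exe?/c+... requests, return the command line cmd.exe was given."""
    parts = request_line.split()
    if len(parts) < 2 or b"?" not in parts[1]:
        return None
    query = parts[1].split(b"?", 1)[1].replace(b"+", b" ")
    return unquote_to_bytes(query).decode("latin-1")

def netcat_listener(cmd):
    """Return (port, program) if cmd starts a netcat bind shell, else None."""
    m = NC_LISTENER.search(cmd)
    return (int(m.group(1)), m.group(2)) if m else None

def classify(request):
    """Tag one raw HTTP request with the attack patterns it shows."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split()
    tags = []
    if len(parts) < 2:
        return tags
    path = parts[1]
    if b"msadcs.dll" in path.lower() and (ADM_BOUNDARY in request or b"ADCClientVersion" in request):
        tags.append("mdac-rds")
    if detect_unicode_traversal(path):
        tags.append("unicode-traversal")
    cmd = extract_command(request_line)
    if cmd and netcat_listener(cmd):
        tags.append("netcat-listener")
    return tags

# Constructed sample requests for this example (not from the challenge capture).
SAMPLES = {
    "rds": b"POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1\r\n"
           b"Host: victim\r\nADCClientVersion:01.06\r\n"
           b"Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3\r\n\r\n"
           b"--!ADM!ROX!YOUR!WORLD!\r\nContent-Type: application/x-varg\r\n",
    "unicode_nc": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+nc+-l+-p+6969+-e+cmd.exe HTTP/1.0\r\n\r\n",
    "benign": b"GET /default.htm HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    payload = parse_snort_hexdump(SNORT_DUMP)
    print(len(payload), "bytes; msadc.pl boundary present:", ADM_BOUNDARY in payload)
    for name, req in SAMPLES.items():
        print(name, classify(req))
```

The traversal check deliberately requires an overlong sequence before it reports a hit, so an ordinary "/../" that IIS would already have rejected is not misattributed to the Unicode bug; decoding the query string the same way is what exposes the nc -l -p 6969 -e cmd.exe listener the write-up describes.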