-------------------------------------------------------------------------------

####################
#Question 1
####################

There were two exploits used in the compromise of the Windows NT computer. The first was the "Directory traversal via extended Unicode in URL" (http://www.kb.cert.org/vuls/id/111677). The second exploit used was the RDS/IIS 4.0 vulnerability (http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=7). The intruder even used RFP's tool, msadc.pl, to conduct this attack. The tool uses a "!ADM!ROX!YOUR!WORLD!" signature that appears very often in the packet capture.

####################
#Question 2
####################

The attacker first used the directory traversal vulnerability in order to do some reconnaissance. boot.ini was checked first, then the attacker checked to see if msadc.dll was available. After seeing that msadc.dll was available, the attacker proceeded to use the msadc.pl script against btcustmr.mdb. To test if the exploit was successful, the attacker echoed "werd" to the file "fun" on the C:\ drive. Then they used the directory traversal vulnerability to view c:\fun. Success.

Next order of business was to import tools to the compromised computer. To do this the attacker used the RDS exploit to write FTP commands to a file, ftpcom. The information included USER, PASS, the tools to GET and a QUIT command. The tools the attacker was trying to get were pwdump, netcat and samdump.dll. The first FTP server the attacker tried failed, so they used the FTP server on the machine they were coming from (213.116.251.162). After more failed attempts the attacker makes a copy of cmd.exe and, through directory traversal, tries to FTP to the server. The attacker finally succeeds and downloads the tools.

Using directory traversal the attacker runs nc -l -p 6969 -e cmd.exe. This tells netcat to bind cmd.exe to port 6969 and listen for an incoming connection. The attacker can then just telnet to port 6969 and have a command prompt.

Also through directory traversal, the attacker attempts to use pwdump to extract the password hashes from the SAM and send them to a file, yay.txt.

####################
#Question 3
####################

The attacker telnets to port 6969 on the compromised machine and finds the command prompt. They also attempt to use pwdump again. Through the command prompt the attacker proceeds to look around the system. Again they try to use pwdump, still with no success.

Now the attacker turns their attention to accounts on the server. Through directory traversal, the attacker runs 'net users >> heh.txt' to get a list of accounts. This was perhaps a test, because the attacker was getting nowhere using 'net session' through the command line on port 6969. After viewing heh.txt the attacker deleted it. A file, READ.me.NOW.hax0r, was created which contained "Hi, I know that this is a lab server, but patch holes!"

Next the attacker turned their attention back to the accounts on the system. Through a lot of trial and error, the attacker placed the accounts IWAM_KENNY and IUSR_KENNY into the Administrator group. Again the attacker tried to use pwdump, still nothing. The attacker attempted to create two accounts, testuser and higuy, using the 'net user' command. These attempts were not successful.

Once again the attacker goes after the password hashes. This time the attacker goes to winnt\repair and tries to use the 'rdisk /s' command in order to dump the SAM to a file. After more trial and error the attacker succeeds in placing the SAM in a file, har.txt. In order to retrieve har.txt, the attacker places it in c:\inetpub\wwwroot and accesses it via the web. After more searching through the hard drive the attacker makes a file that contains: "best honeypot i've seen till now :)" Then it looks like the attacker attempts to change IWAM_KENNY's password but fails.

Next the attacker starts to look at the web directories. The attacker makes a file (test.txt) in the wwwroot directory that says, "this can't be true". Default.htm is copied to default.html and the attacker places an extra '.' at the end of default.htm. The last thing of importance that the attacker does is initiate an FTP connection back to the box they are coming from and upload whiskers.tar.gz. Perhaps the attacker thought this was a new unreleased version.

####################
#Question 4
####################

The directory traversal vulnerability could have been avoided by patching IIS. More detailed information can be found at: http://www.securityfocus.com/bid/1806

The RDS vulnerability could have been avoided by removing MDAC functionality. If MDAC was needed, it should have been upgraded. Detailed instructions can be found at: http://www.securityfocus.com/bid/529

####################
#Question 5
####################

I spent about 5 hours on analysis and writeup.

####################
#Bonus Question
####################

I feel that the attacker suspected that it might be a honeypot. The obvious clue to this is that he left a file that said, "best honeypot i've seen till now." There is some evidence to suggest that they began to second-guess themselves. The file placed in the wwwroot directory said, "this can't be true." The attacker also did repeated tests to see if the changes he made to default.htm took. The fact that the attacker uploaded the whiskers file was also odd. Whiskers is publicly available, so the attacker may have thought it was an unreleased version, making the server possibly real.

####################
#Tools used
####################

To read the binary snort file I used snort:

snort -vdr snort.log > temp.log

Websites:

http://www.cert.org
http://www.securityfocus.com
http://www.wiretrip.net/rfp

-------------------------------------------------------------------------------
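The following script is an added example, not part of the original writeup or of any tool it names. It shows how the two exploit patterns from Questions 1 and 2 can be picked out of web-server request records and how the cmd.exe commands narrated in Questions 2 and 3 (echo werd, nc -l -p 6969) can be recovered from the decoded URLs to rebuild a timeline. The request records, the RDS request body and the field layout are constructed for the example; the only values taken from the writeup are the "!ADM!ROX!YOUR!WORLD!" signature, the msadc path and the commands themselves. The decoder deliberately accepts the overlong two-byte UTF-8 sequences (%c0%af for '/', %c1%9c for '\') that unpatched IIS accepted, because a strict decoder would reject them and miss the traversal.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Marker sent by RFP's msadc.pl, as quoted in Question 1 of the writeup.
MSADC_SIGNATURE = b"!ADM!ROX!YOUR!WORLD!"


def lenient_utf8(data: bytes) -> str:
    """Decode bytes the way unpatched IIS did: a two-byte lead (0xC0-0xDF)
    followed by a continuation byte is accepted even when the result is an
    overlong encoding of an ASCII character (e.g. C0 AF -> '/').  Any other
    byte is passed through unchanged, so nothing is rejected."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_path(url: str) -> tuple[str, str]:
    """Split a request URL into its leniently decoded path and raw query."""
    path, _, query = url.partition("?")
    return lenient_utf8(unquote_to_bytes(path)), query


def is_traversal(decoded_path: str) -> bool:
    """True when a '..' segment survives decoding (either slash style)."""
    return ".." in decoded_path.replace("\\", "/").split("/")


def extract_command(decoded_path: str, query: str):
    """For cmd.exe?/c+<command> requests, return the command that was run."""
    if not decoded_path.lower().endswith("cmd.exe"):
        return None
    m = re.match(r"\s*/c\s+(.*)", unquote_plus(query), re.IGNORECASE)
    return m.group(1).strip() if m else None


def analyze(method: str, url: str, body: bytes = b"") -> dict:
    """Classify one request record (method, url, body) and pull out evidence."""
    decoded, query = decode_path(url)
    findings = []
    if is_traversal(decoded):
        findings.append("unicode-directory-traversal")
    if "msadc" in decoded.lower() and MSADC_SIGNATURE in body:
        findings.append("rds-msadc-exploit")
    return {"method": method, "decoded_path": decoded,
            "findings": findings, "command": extract_command(decoded, query)}


def reconstruct_timeline(requests) -> list:
    """Ordered list of commands the attacker ran through cmd.exe."""
    return [r["command"] for r in map(lambda q: analyze(*q), requests) if r["command"]]


# Constructed sample records (not from the packet capture); the body of the
# RDS request is a placeholder around the real signature string.
SAMPLE_REQUESTS = [
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+type+c:\\boot.ini", b""),
    ("POST", "/msadc/msadcs.dll", b"<constructed body>" + MSADC_SIGNATURE + b"<...>"),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+werd+>+c:\\fun", b""),
    ("GET", "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+nc+-l+-p+6969+-e+cmd.exe", b""),
    ("GET", "/default.htm", b""),
]

if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        print(analyze(*rec))
    print("timeline:", reconstruct_timeline(SAMPLE_REQUESTS))
```

Run on real data, the records would come from the reassembled HTTP requests in the capture (for example the output of snort -vdr as used above); matching on the decoded path rather than the raw URL is what makes the %c0%af and %c1%9c variants collapse to the same '..' finding.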