[brian@denicolafamily.com]
Sent: Monday, September 16, 2002 9:45 PM
To: sotm@honeynet.org
Subject: Scan of the month

Honeynet Scan of the Month for September 2002

Brian Denicola

Analysis:

1. Downloaded the file from Honeynet's website using Mozilla and ran md5sum against the tar file.

[bdenicol-linux] ~/honeypot.org/scan23 -> md5sum sotm23.tar.gz
9d28c5ee9ce7b77e3099a07ad303811f sotm23.tar.gz

It matches the MD5 sum that is posted on the Honeynet Website.

2. Next, I extracted the tar file. It contained two files:

0826@19-snort.log - the snort binary log file
0826@19-snort.log.md5 - contains the MD5 sum of the snort log file

Verified using md5sum again.

[bdenicol-linux] ~/honeypot.org/scan23 -> md5sum 0826@19-snort.log
0ce142f18c23d9ab00f992a57ad097d4 0826@19-snort.log

This matches the hash value in 0826@19-snort.log.md5.

3. Launched ethereal with the log file

[bdenicol-linux] ~/honeypot.org/scan23 -> ethereal -r 0826@19-snort.log &

4. I also extracted the binary log file to text files.

[bdenicol-linux] ~/honeypot.org/scan23 -> snort -r 0826@19-snort.log -l scans

Answers to the Questions:

1. What is a binary log file and how is one created?

A binary log file is a file that is written to with system or program information, and instead of writing the information in readable text, the information is formatted in such a way that a program is needed to interpret it. One of the best reasons to do this is that a binary log file is normally much smaller than if all of the information is written in text. For example, the 0826@19-snort.log file, which is our binary log file for this Scan of the Month, is about 12MB, but when I extracted the file to text using snort and the -l option, the files took about 45MB on disk. There are many ways to create a binary log file. It is dependent on the program you are using to write the log file. Using snort again as an example, it can create tcpdump formatted log files. To do this, you can either edit the snort.conf file to include the line: output log_tcpdump: snort.log (or whatever file name you wish) or you can use the -b flag if you run snort from the command line.

2. What is MD5 and what value does it provide?

According to whatis.com, MD5 is "an algorithm that is used to verify data integrity through the creation of a 128 bit message digest from data input ... that is claimed to be unique to that specific data as a fingerprint to the specific individual." In other words, MD5 takes data as an input to its algorithm and creates a 128-bit string that is unique to that data. If the data is changed in any way, the MD5 string would be different. The value of MD5 is that, with a great degree of certainty, you will know if the data has changed from its original value. NOTE: You can never be 100% certain but with MD5 you can be pretty close. Programs such as tripwire use MD5 hashes to monitor critical system files for any changes. This is a great way to know if a hacker has replaced a binary with a Trojan copy.

3. What is the attacker's IP address?

The scans seem to be coming from multiple machines, namely 192.168.0.9, 192.168.0.1, 192.168.0.199, and 192.168.0.254. 192.168.0.9 seems to be doing the most scanning, but other IP addresses are doing some scanning as well, namely the TCP XMAS scan. Now this could be an option in nmap (-D for decoy) to hide the true scanner's IP address by doing scans from what seem to be multiple IP addresses.

4. What is the destination IP address?

The destination IP address is 192.168.0.99. No matter which IP address was doing the port scanning, 192.168.0.99 was always the destination.

5. We scanned the honeypot using 5 different methods. Can you identify the five different scanning methods, and describe how each of the five works?

I used www.networkice.com for the definitions of most of the scanning types.

6. Which scanning tool was used to scan our honeypot? How were you able to determine this?

The tool that was used in this port scanning was Nmap by Fyodor. The reason why I feel nmap was used is because of the versatility of nmap. It can do XMAS scans (using the -sX flag), NULL scans (using -sN), SYN scans (using -sS), and UDP scans (using -sU), plus many more things like using decoy IP addresses to hide the true attacker. All of these were used in the snort log that was provided. Also, to prove that it was nmap, I tried using it a few times to see it in action. I captured the scans using tcpdump, and nmap would always do an ICMP echo request plus send an ACK ping to TCP port 80 before it starts to scan, which this snort capture shows.

7. What is the purpose of port scanning?

The purpose of port scanning is to gather information about a host. The more information you have about a system, the easier it is to crack into or to secure. What you are mainly looking for in a port scan is open ports, and if you are using a tool like nmap, the operating system of the host. When you know which ports are open on a system, and the type of system it is, then you know what vulnerabilities to look for. On the flip side, if you are a security administrator, you would use port scanning to find out where you are vulnerable and even to find out if you have been cracked. For example, if you know a machine on your network should only be listening on port 22 (ssh), then when you do a port scan on that machine and it returns both port 22 and 31337, it probably means that it has been cracked.

8. What ports were found open on our honeypot?

The way that I determined which ports were open on 192.168.0.99 was to look for all packets from 192.168.0.99 that have their ACK and SYN flags set. This is the second step in the three-way handshake for TCP. By doing so, these are the ports that I found open:

Port        Program
TCP 22      SSH Server
TCP 111     Sun RPC
TCP 32768   ???
TCP 80      HTTP Server
TCP 443     Secure HTTP Server
TCP 53

9. Bonus Question: What operating system was the attacker using?

I tried many things to determine what operating system the attacker was using; most got me nowhere. First, I thought that since I know the attacker is using nmap, it could limit the operating systems to different flavors of Unix, but now nmap is supported in Windows. I then tried to see how nmap determines a remote operating system when using the -O option, but that only seems useful in determining a system that you are attacking. Next, I thought of the ICMP payload. I know that Windows uses the alphabet in its payload while Linux uses a number sequence. Well, that didn't help either because nmap doesn't have any ICMP payload when it does its ping. Finally, I did notice that the default TCP window size in the snort log is 2048, which is the same size that is used in an nmap scan running under Windows XP. So my guess for the attacker's operating system is Windows XP Pro. Not much of a proof, but I'm sticking with it.
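As an added example that is not part of the original submission, here is the Question 8 method in code: a small Python reader for tcpdump-format (pcap) files, such as the snort binary log, that lists the TCP ports on which the honeypot answered with SYN+ACK. The capture it reads is constructed inline from the addresses in the writeup so it runs offline; the probed ports, the scanner's source ports and the zeroed checksums are assumed sample values.

```python
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
# pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def tcp_frame(src, dst, sport, dport, flags, window=2048):
    """Build one Ethernet/IPv4/TCP frame (constructed sample; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def pcap_record(frame):
    """Prefix a frame with a pcap record header: ts_sec, ts_usec, incl_len, orig_len."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def open_ports(pcap_bytes, honeypot_ip):
    """Sorted TCP ports from which honeypot_ip replied SYN+ACK (handshake step 2)."""
    ports, off = set(), 24                       # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                             # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if frame[23] != 6 or len(tcp) < 14:
            continue                             # not TCP, or truncated
        if socket.inet_ntoa(frame[26:30]) != honeypot_ip:
            continue                             # only replies sent by the honeypot count
        if (tcp[13] & (SYN | ACK)) == (SYN | ACK):
            ports.add(struct.unpack_from("!H", tcp, 0)[0])
    return sorted(ports)

def sample_capture(scanner="192.168.0.9", honeypot="192.168.0.99"):
    """Constructed capture: ACK ping, then SYN probes to 22, 23 and 80; only 22 and 80 listen."""
    pkts = [tcp_frame(scanner, honeypot, 40000, 80, ACK)]        # nmap's ACK ping to port 80
    for port, reply in ((22, SYN | ACK), (23, RST | ACK), (80, SYN | ACK)):
        pkts.append(tcp_frame(scanner, honeypot, 40001, port, SYN))
        pkts.append(tcp_frame(honeypot, scanner, port, 40001, reply))
    return PCAP_GLOBAL + b"".join(pcap_record(p) for p in pkts)
```

Run against a real snort tcpdump-format log by passing the file's bytes to open_ports; a closed port answers RST+ACK and is correctly left out, as port 23 is in the sample.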