SCAN 23 ANAYSIS

 

Summary:

 

This month’s challenge involved the analysis of a portscan.  The log is provided in tcpdump binary format.  Tcpdump is a UNIX tool used to gather data from the network, decipher the bits, and display the output in an understandable format.¹  Tcpdump requires first that libpcap be installed.  Libpcap implements a portable framework for capturing low level traffic, which can be obtained from ftp://ftp.ee.lbl.gov/libpcap.tat.Z.  For those without access to a UNIX platform, windump (tcpdump for windows) is also available for windows platforms, and can be downloaded from http://netgroup-serv.politico.it/windump.   The latest version of windump includes a version of WinpCap (libpcap for windows) and is installed along with windump.

 

For the purposes of this assignment, the log has already been generated.  The first thing I did was download the binary from http://project.honeynet.org/scans/scan23/sotm23.tar.gz.  Once downloaded, I compared the MD5 check sum to the downloaded zip file with the one on the website using the MD5 utility obtained from http://www.fourmilab.ch/md5/ .  MD5 is a command line utility usable on either UNIX or MS-DOS/Windows, which generates and verifies message digests (digital signatures) using the MD5 algorithm. This program can be useful when developing shell scripts or Perl programs for software installation, file comparison, and detection of file corruption and tampering. The program is provided as md5.zip, a Zipped archive containing a ready-to-run Win32 command-line executable program, md5.exe (compiled using Microsoft Visual C++ 5.0), and in source code form along with a Makefile to build the program under UNIX.²

 

Once the MD5 checksum was verified, I used ethereal to read the log file.  Ethereal is a free network protocol analyzer for UNIX and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.³  Tcpdump (or Windump) can also be used, but I find the GUI of ethereal much better for network analysis.

 

The first thing the attacker at 192.168.0.9 does is to ping the intended portscan target, 192.168.0.99.  No point in scanning a target which is not active.  The 60 byte ICMP frame sent by the attacker gives away his OS as Linux (either the 2.2 or 2.4 kernel).⁴  A TTL of 40 is close to the TTL of Linux and OpenBSD ((TTL = 64).  Next, the attacker sends a flood of null packets,  half-open SYN packets and packets with the URG, PSH and FIN flags set to the destination.  A NULL packet contains a sequence number but no flags, and the proper response for the  destination is a RST for all closed ports.  A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent which will determine the listening state the system is in.   The ports which returned a SYN/ACK were port 22 (SSH), port 53 (domain), port 111 (sunrpc/portmap), port 80 (http), port 443 (HTTPS).  This portscan smells of nmap (http://www.nmap.org).  A quick way to find out is to look at the Maximum Segment Size (MSS) of a packet sent by the attacker.  Most operating systems have a standard MSS value which does not change except when fragmented.  Port scanners typically use fragmentation to hide their intent.  Fyodor, the author of nmap, was nice enough to set the MSS value to 265 on his scanner.  Packet #150652 was the first packet to exhibit this TCP option, which leads me to believe that nmap was the scanner used.  More analysis is necessary, and that is where snort comes in.

 

One can download snort from http://www.snort.org along with a current ruleset and run the command “snort –dr 0826@19-snort.log –c ./snort.conf –l ./logs which will generate an alert file, which is included with this assignment.  The alert file noted the Null Scans, XMAS scans, NMAP Fingerprinting (Packet 150644).  According to snort a machine at 192.168.0.1, 192.168.0.199 and 192.168.0.254 are also performing portscans.  Some of the scans from 192.168.0.1, 199 and 254 are directed to port 42 (Microsoft WINS server and  port 445 (Microsoft SMB).  However, they do perform XMAS scans on  ports 22, 53, 80, 111 and 443 (HTTPS).   This could be the attacker using other machines for attack.  Since these were XMAS packets, I would suspect that these are attacking machines as well . 

 

The attacker was looking for some open ports to exploit.  With ports 22, 53, 80, 111 and 443 to choose from, the attacker can now move to determining what versions of each service is running on each port, then look for known exploits to run.  The OS of the source is not completely clear, although with an ICMP reply with a TTL of 255 and a packet length close to 44 bytes, I would suspect a Solaris box.  Port 111 is a Sun RPC port, present on most UNIX/LINUX variants.

 

 

Questions:

 

1.         What is a binary log file and how is one created?

Most of the time, tcpdump is running in an unattended mode, gathering records for retrospective analysis.  To gather data for retrospective analysis, tcpdump can collect the records in a binary format, also referred to as raw output.  When tcpdump displays records on the console, they are usually in a format that has been translated from the native binary output to a format which is readable.  To collect in raw output mode, one can use the command tcpdump -w filename, in which filename is the name of the file to which records will be written in binary format.

To read this binary output file, one uses the command tcpdump -r filename

If one uses ethereal, you can either type ethereal filename

 

2.         What is MD5 and what value does it provide?

Lance Spitzers provides and excellent explanation at      http://www.enteract.com/~lspitz/md5.html:

 

When you send data over a network, there are three issues most organizations   have, security, authenticity, and integrity.  The security of your data ensures that no one can read your data. This is important for the military, where secrets have to be kept from enemy hands. Authenticity guarantees the originator of the data, you know for certain who sent the data. This is important for the legal world, such as digital signatures. Integrity guarantees that the data has not been altered in transit, that the data you received is the data that was sent. This is important for many industries, such as the financial world. MD5 is such a tool, it    guarantees the integrity of your data.

MD5 can help you in a variety of ways. When you download files from the Internet, you can use MD5 to guarantee you downloaded the correct file. This protects you from Trojans or corrupted files. If you use tools such as Tripwire to protect the integrity of your file system, you are most likely using MD5. You are most likely using MD5 if you are using a public/private key infrastructure.

Developed in 1994, MD5 is a one-way hash algorithm that takes any length of   data and produces a 128 bit "fingerprint" or "message digest". This fingerprint is "non-reversible", it is computationally infeasible to determine the file based on the fingerprint. This means someone cannot figure out your data based on its MD5 fingerprint. Here is an example of a MD5 output for the binary /usr/bin/ls:

homer $md5 /usr/bin/ls

MD5 (/usr/bin/ls) = 1eabd3dbc0746c8a4b5467f99a4f8823

The actual finger print is

1eabd3dbc0746c8a4b5467f99a4f8823

Basically, what MD5 did was apply a mathematical algorithm to the "ls" binary to produce the fingerprint (to learn the     gory mathematical details about the algorithm, check out RFC 1321 at http://www.cis.ohio-state.edu/rfc/rfc1321.txt.)             Everytime you do a MD5 hash of the binary /usr/bin/ls, you should get the exact same fingerprint. If you get a different fingerprint, then the binary has been altered, maybe the result of a system patch or the binary has been trojaned.

When you download a new file or patch, one of the first things you can do is a   MD5 hash of the file. Compare the fingerprint to a known good fingerprint (usually posted on remote site). If the fingerprints match, you can be assured of the file's integrity. This is how the tool Tripwire works. It builds a database of fingerprints for all your binaries, then later on compares the binaries to that database. However, tripwire uses a variety of hash algorithms in addition to MD5, such as snafu.

Since MD5 does not encrypt data, it is not restricted by any exportation rules. You can freely use and distribute this tool anywhere in the world. To learn the history of MD5, check out http://www.rsasecurity.com/rsalabs/faq/3-6-6.html. You can download MD5 at http://www.fourmilab.ch/md5/. ⁵

 

3.         What is the attacker's IP address?

192.168.0.9, 192.168.0.1, 192.168.0.199, 192.168.0.254

 

4.         What is the destination IP address?

192.168.0.99

 

5.   We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?

 

a.         ICMP echo request, used to determine is a host is active.  Not really an attack, but is useful in the overall reconnaissance process

 

b.         TCP Half-Open / Stealth Scan

Description: Instead of completing the full TCP three-way-handshake a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case a RST/ACK will be sent which will determine the listening state the system is in. If a RST/ACK packet is received, it is assumed that the port on the system is not active.⁶

 

c.         TCP NULL packet

Description: A uniquely configured TCP packet that contains a sequence number but no flags. According to RFC 793 a system should send back an RST for all TCP ports closed when they receive a packet without any specified IP flags for a specific port.⁷

 

d.         TCP XMAS packet

Description: The TCP packet with the URG, PUSH(PSH) and FIN flags set to a probable port number. According to RFC 793 a system should send back an RST for all TCP ports closed when they receive a FIN/URG/PUSH packet for a specific port.⁸

 

e.         UDP packet

Description: A uniquely configured UDP packet with empty datagram.             UDP is a connectionless protocol. Therefore no three-way-handshake as with TCP is established to start communication between client and server. If a client sends an UDP packet to a UDP port on a specific system, the system will respond with an ICMP PORT             UNREACHABLE reply. Therefore, if no such answer is received, it can be deducted that the UDP port is active.   Because of this behavior and many factors that can influence the communication results are usually unreliable.⁹

 

f.          Operating System Detection/Fingerprinting

 
Description: One goal of an attacker is to identify which operating system (and its version) is running on a specific target host. All information available from the target host, either from it's TCP/IP stack or specific services active on     the host or any other information known about a system (like combination of services, information displayed by specific services) can be utilized. In addition binary files (programs) can be retrieved from public servers like AnonFTP servers to analyze the file for information about the operating system and hardware of the server.¹⁰

 

 

6.         Which scanning tool was used to scan our honeypot? How were you able to determine this?

Nmap is the scanning tool used.  I ran the log through snort using command snort -dr ./0826@19-snort.log -l ./logs -c /root/.snortrc/snort.conf, using the ruleset obtained from http://www.snort.org/dl/signatures/ .  The alert file created documented the nmap scans.

The Maximum Segment Size of 265 on the XMAS Scans was also a clue, as nmap uses this MSS.

 

7.         What is the purpose of port scanning?

Reconnaissance.  The attacker was looking for open ports with known services to potentially expoitt

 

8.         What ports were found open on our honeypot?

Only ports open I found were ports 22 (SSH), port 53 (domain), port 111 (sunrpc/portmap), port 80 (http), port 443 (HTTPS).  These ports returned SYN/ACKs in response to SYN packets sent by 192.168.0.9

 

Bonus Question: What operating system was the attacker using?

 

Linux uses 60 byte length SYN packets.  Lo and behold, 60 byte length packets are being sent by the attacker

 

 

Bibliography:

 

 

1.                   Northcutt, et al, Network Intrusion Detection, An Analyst’s Handbook, Second Edition, 2001, New Riders Publishing, pp. 20-21

2.                   MD5:  Command Line Message Digest Utility, http://www.fourmilab.ch/md5/

3.                   The Ethereal Network Analyzer, http://www.ethereal.com

4.                   Linux OS Packet Signature, Page 7-11, IDS Signatures and Analysis, Parts 1 and 2, Track 3 – Intrusion Detection In-Depth, SANS Insitute, http://www.sans.org

5.                   What is MD5 and why do I care, http://www.enteract.com/~lspitz/md5.html

6.                   http://ki.sei.cmu.edu/idar/drill_attack.cfm?attack=TCP%20Half%2DOpen%20%2F%20Stealth%20Scan

7.                   http://ki.sei.cmu.edu/idar/drill_attack.cfm?attack=TCP%20Null%20Scan

8.                   http://ki.sei.cmu.edu/idar/drill_attack.cfm?attack=TCP%20Xmas%20Scan

9.                   http://ki.sei.cmu.edu/idar/drill_attack.cfm?attack=UDP%20Scan

10.               http://ki.sei.cmu.edu/idar/drill_attack.cfm?attack=Operating%20System%20Detection