On Sun, 22 Sep 2002, Jim Aldridge wrote:

> 1) A binary log file stores packets captured by a packet sniffer,
> which may be part of a Network-based Intrusion Detection System
> (NIDS), such as SNORT. The sniffer application is configured to
> capture packets based on certain criteria. When a packet is received
> that meets the criteria, it is recorded in its entirety. This is an
> important tool to later recreate a sequence of events for analysis.
>
> 2) MD5 creates a 128-bit message digest given a message, which is used
> to ensure its integrity in a potentially hostile environment. The
> algorithm is publicly available, and has been deemed "computationally
> infeasible to produce two messages having the same message digest, or
> to produce any message having a given prespecified target message
> digest." [RFC1321] The compressed version of the binary log file for
> this contest was signed using MD5, and the fingerprint was also made
> known. By applying MD5 on the downloaded file and comparing the
> result with the fingerprint of the known-authentic file, it can be
> determined whether the file has been altered.
>
> 3) The attacker's IP address is 192.168.0.9.
>
> 4) The target's IP address is 192.168.0.99.
>
> 5)
>
> Method 1: TCP half-open scan
>
> Using this method, the attacker sends SYN packets to the target. If
> the target is listening on the destination port, it will reply with a
> SYN/ACK, as step two of the TCP 3-way handshake. If the target isn't
> listening, it will reply with a RST/ACK. If the attacker gets a
> SYN/ACK, it will respond with an RST, thus preventing the 3-way
> handshake from completing, and possibly evading logging mechanisms on
> the target.
>
> Method 2 (148007): ACK scan
>
> Using this method, the attacker sends an ACK packet to the target, and
> measures the time-to-live (TTL) value and/or TCP window size of the
> response (RST) packet. A TTL value that is noticeably lower than other
> values may indicate an open port. Likewise, a non-zero window may
> indicate an open port. (Works on several early versions of UNIX only,
> supposedly patched in recent versions)
>
> Method 3 (148011): NULL scan
>
> Using this method, the attacker sends packets with no flags set to the
> target. If the tested port is open, the target should reply with an
> RST packet. If the port is closed, the target should simply ignore
> the packet. This behavior is specific to the target operating system.
> In this case, the target apparently is replying with RST, ACK packets
> when a port is closed, and no reply is generated when the port is
> open.
>
> Method 4 (150759): Christmas tree (XMAS) scan
>
> Using this method, the attacker sends packets with the FIN, PSH, and
> URG flags set. These flags would never be set simultaneously for any
> normal operation, as they send conflicting messages about what the
> sender intends. If an open port is found, no response will be
> produced; a closed port will elicit a RST response from the target.
>
> Method 5 (153164): UDP scan
>
> The attacker sends three UDP packets to port 1 (TCPMUX). With this
> scan, if the port is closed (here, it is), an ICMP destination
> unreachable message will be returned to the attacker. Otherwise, it
> can be assumed open. Note that since UDP is unreliable, this scan may
> return false positives. The packet was sent three times to reduce the
> chances it may have gotten lost along the way and led to a false
> positive. The TCPMUX port is queried to help determine the OS used on
> the target.
>
> 6) I believe NMAP is being used. This conclusion is mostly drawn
> from the following article by Toby Miller entitled "Intrusion
> Detection Level Analysis of Nmap and Queso", available at
> http://online.securityfocus.com/infocus/1225. The following details
> from the binary log of the scan compare to items pointed out in this
> document which indicate an NMAP scan:
>
> - The attacker's scanner does a ping of the target to make sure
>   it is up.
> - The attacker's scanner sends an ACK packet to the webserver port
>   (80), also to determine if the host is up, and to determine whether
>   port 80 is open. The ACK number is not zero as expected, however.
> - High source port numbers are used, indicative of NMAP usage.
> - During the XMAS scan, the urgent pointer is always set to 0.
> - Late in the log, starting around packet # 155987, decoy scans
>   spoofing source addresses of 192.168.0.1, 192.168.0.199, and
>   192.168.0.254 start to appear; NMAP supports this feature.
>
> 7) Port scanning is analogous to a burglar checking the entry points
> to houses he might wish to burglarize. A properly performed port scan
> will give a potential intruder a good idea of where to mount an attack
> on the system. For instance, if the port scan reveals the common port
> for HTTP (80) to be open, the attacker might then connect to this port
> to see if a banner can be retrieved. This banner might then reveal that
> the target is running a web-server with a known vulnerability which
> could be exploited by an intruder to gain control over the system.
>
> 8) The following ports were found open on the Honeypot: 22 (SSH), 53
> (DNS), 80 (HTTP), 111 (Portmap), 443 (HTTPS), 32768 (possibly SUN RPC).
>
> Additional References Used:
>
> "Examining port scan methods -- Analysing Audible Techniques," Dethy,
> http://www.synnergy.net/downloads/papers/portscan.txt
>
> Hacking Exposed 3rd ed., McClure/Scambray/Kurtz, 2001

--
Lance Spitzner
http://www.tracking-hackers.com
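The five probe types described in answer 5 each have a distinct flag signature and a distinct rule for reading the target's reply (or its silence). As an added example, not part of the original message or of the contest materials, the Python below applies those rules to a constructed text capture: it labels each probe as SYN half-open, ACK, NULL, XMAS or UDP, infers the port state from the reply the way the answers describe (RST/ACK after a NULL or XMAS probe means closed, no reply is ambiguous, ICMP unreachable after a UDP probe means closed), and then summarises per source address so that the real scanner and any decoy sources can be compared. The packet log format, the sample packets, and the pairing of an ICMP error with the oldest unanswered UDP probe between the two hosts are all simplifying assumptions of this example; a real capture would be read from the binary log with a pcap library and the ICMP error would be matched on the quoted header it carries.

```python
from collections import defaultdict

# Constructed sample capture (not taken from the contest log). One packet per line:
#   <pkt#> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto> <flags>
# TCP flags use Snort-style letters (S SYN, A ACK, R RST, F FIN, P PSH, U URG);
# "-" means no flags. ICMP lines carry the message type in the flags field.
SAMPLE_LOG = """\
1 192.168.0.9:61234 192.168.0.99:80 TCP A
2 192.168.0.99:80 192.168.0.9:61234 TCP R
3 192.168.0.9:61235 192.168.0.99:22 TCP S
4 192.168.0.99:22 192.168.0.9:61235 TCP SA
5 192.168.0.9:61235 192.168.0.99:22 TCP R
6 192.168.0.9:61236 192.168.0.99:23 TCP S
7 192.168.0.99:23 192.168.0.9:61236 TCP RA
8 192.168.0.9:61237 192.168.0.99:111 TCP -
9 192.168.0.9:61238 192.168.0.99:25 TCP -
10 192.168.0.99:25 192.168.0.9:61238 TCP RA
11 192.168.0.9:61239 192.168.0.99:443 TCP FPU
12 192.168.0.9:61240 192.168.0.99:21 TCP FPU
13 192.168.0.99:21 192.168.0.9:61240 TCP RA
14 192.168.0.1:61241 192.168.0.99:53 TCP S
15 192.168.0.9:61242 192.168.0.99:1 UDP -
16 192.168.0.99:- 192.168.0.9:- ICMP port-unreachable
"""

# Exact TCP flag set of a probe -> scan method named in the answers above.
TCP_PROBES = {
    frozenset("S"): "SYN half-open",
    frozenset("A"): "ACK",
    frozenset(): "NULL",
    frozenset("FPU"): "XMAS",
}


def parse(log):
    """Split the text capture into packet dicts; a "-" port becomes None."""
    pkts = []
    for line in log.splitlines():
        num, src, dst, proto, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        pkts.append({
            "num": int(num), "src": sip, "dst": dip, "proto": proto,
            "sport": None if sport == "-" else int(sport),
            "dport": None if dport == "-" else int(dport),
            "flags": "" if flags == "-" else flags,
        })
    return pkts


def classify(pkts):
    """Return one record per probe, in capture order, with its method and the
    port state inferred from the reply according to the per-method rules."""
    probes = {}      # (src, sport, dst, dport) -> probe record, for reply matching
    records = []
    for p in pkts:
        fl = frozenset(p["flags"])
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        back = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["proto"] == "TCP" and key in probes and fl == {"R"}:
            # The scanner's own RST after a SYN/ACK: the half-open tear-down.
            probes[key]["teardown"] = True
        elif back in probes:
            pr = probes[back]
            if pr["method"] == "SYN half-open":
                pr["state"] = "open" if fl == {"S", "A"} else "closed"
            elif pr["method"] == "ACK":
                pr["state"] = "unfiltered"   # an RST only proves the host answers
            else:
                pr["state"] = "closed"       # NULL/XMAS: RST(/ACK) means closed
        elif p["proto"] == "ICMP" and p["flags"] == "port-unreachable":
            # Simplification (assumption of this example): pair the error with the
            # oldest unanswered UDP probe between the two hosts.
            for pr in records:
                if (pr["proto"] == "UDP" and pr["state"] is None
                        and (pr["src"], pr["dst"]) == (p["dst"], p["src"])):
                    pr["state"] = "closed"
                    break
        elif p["proto"] == "UDP" or (p["proto"] == "TCP" and fl in TCP_PROBES):
            rec = dict(p, method="UDP" if p["proto"] == "UDP" else TCP_PROBES[fl],
                       state=None, teardown=False)
            records.append(rec)
            probes[key] = rec
    for pr in records:
        if pr["state"] is None:
            # Silence is ambiguous: for NULL, XMAS and UDP an open port gives no
            # reply, but a packet filter in the path would look exactly the same.
            ambiguous = pr["method"] in ("NULL", "XMAS", "UDP")
            pr["state"] = "open|filtered" if ambiguous else "no response"
    return records


def summarize(records, port_threshold=3):
    """Per-source view (distinct ports, methods, verdict) so that a decoy
    address with one or two probes stands out beside the real scanner."""
    summary = defaultdict(lambda: {"probes": 0, "ports": set(), "methods": set()})
    for r in records:
        s = summary[r["src"]]
        s["probes"] += 1
        s["ports"].add(r["dport"])
        s["methods"].add(r["method"])
    for s in summary.values():
        s["suspicious"] = len(s["ports"]) >= port_threshold or len(s["methods"]) >= 2
    return dict(summary)


if __name__ == "__main__":
    recs = classify(parse(SAMPLE_LOG))
    for r in recs:
        print(f"#{r['num']:>3} {r['src']} -> {r['dst']}:{r['dport']} "
              f"{r['method']:<14} {r['state']}")
    for ip, s in summarize(recs).items():
        print(ip, "suspicious" if s["suspicious"] else "benign", sorted(s["methods"]))
```

The interesting design point is the tear-down branch: the scanner's RST after a SYN/ACK arrives on the same four-tuple as its own SYN, so it must be recognised before the generic probe matching runs, otherwise it would be mistaken for a reply. The NULL and XMAS rules encode what the answers observed on this particular target (RST/ACK for closed, nothing for open); as answer 5 notes, that behaviour is operating-system specific, so a detector should treat those verdicts as hints rather than proof.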