From: mcater@ci.capitola.ca.us
Sent: Friday, September 20, 2002 8:18 PM
To: sotm@honeynet.org
Subject: Scan of the month

What is a binary log file and how is one created?

Binary log files are created by logging applications such as snort, tcpdump, ethereal, etc.

What is MD5 and what value does it provide?

Quoting from rfc1321:

"The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA."

In other words, MD5 computes a 128-bit key, which allows anyone to verify that the file(s) they receive are the exact same files which were used to generate the key.

What is the attacker's IP address?

192.168.0.9

What is the destination IP address?

192.168.0.99

We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?

1. SYN scan - The attacker attempts to connect to the target by sending TCP packets with the SYN flag set. This works by sending a signal to the possible ports on the target where services might be running; any SYN/ACK response to these connection attempts means the service is running, and a RST means the port is closed.

2. TCP Connect - Calling TCP connect() on any possible open ports. Open ports allow a connection; closed ports return a RST packet.

The Nmap man page lumps the following together, based on the fact that they should all return a RST packet if closed, and ignore the packet if open:

3. FIN scan - This scan sends FIN packets.

4. NULL scan - Sends empty packets with no options set.

5. XmasTree - Sends packets with the FIN, URG, and PSH options set.

Which scanning tool was used to scan our honeypot? How were you able to determine this?

This was most likely done with nmap. Starting in frame 155987, we see the start of an attempt at spoofing the source address, which is one of the features in nmap. I don't believe that nmap currently has the ability to spoof the MAC address of the attacker, which happens to be the same for the original attacker and the new attackers: 00:10:a4:c5:7c:38

What is the purpose of port scanning?

Port scanning allows an attacker to determine what ports are open to connections and what services are running. It also frequently allows the attacker to know which version of a service is running, allowing for easier discovery of possible exploits, allowing them to determine how to best gain control of the target system. One simply has to do a google on SSH exploit to know how to break into a server running ssh.

What ports were found open on our honeypot?

sunrpc(111)
ssh(22)
32768
http(80)
https(443)
domain (dns?)(53)

Bonus Question: What operating system was the attacker using?

My best guess, based on the paper discussing OS fingerprinting by ICMP type by Ofir Arkin, is that the attacker is using a Windows platform, because of the ping packet size of 60 bytes. It's not much to go on, I know...

The most important tool I used in this analysis is ethereal. It allowed me to filter and display data as I needed (for example, (ip.src == 192.168.0.99 and TCP reset != present) allowed me to see what services did not send a RST packet from the target, and therefore what ports were open).
Resources used in this analysis:

http://www.google.com
http://www.ethereal.com
http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
http://project.honeynet.org/papers/
http://www.rfc-editor.org/
http://www.insecure.org/
http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf

Matthew Cater, Information Systems Specialist
City of Capitola
420 Capitola Ave, Capitola CA 95010
(831)475-7300 ext.206
mcater@ci.capitola.ca.us

-- Optimists have more fun, pessimists are usually right --
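The submission above reasons about scan types from TCP flag combinations (SYN, FIN, NULL, Xmas) and infers open ports from which target packets lack a RST, and it relies on an MD5 digest to check the capture was received intact. The following is an added example, not part of the submission or of any Honeynet tooling, that carries both ideas out on constructed packet records: it verifies a digest, labels each probe by its flag set, pairs probes with the target's replies on the same port pair, and reproduces the author's "from target, no RST" filter. Addresses are the ones given in the submission; the packet records, source ports and flag values are constructed for illustration, and `classify_probe`, `infer_port_states` and `ports_answering_without_rst` are names chosen here.

```python
"""Added example: classify TCP scan probes and infer port state from replies."""
import hashlib
from collections import defaultdict
from typing import Optional

ATTACKER = "192.168.0.9"   # attacker and honeypot addresses from the submission
TARGET = "192.168.0.99"


def md5_hex(data: bytes) -> str:
    """128-bit MD5 fingerprint as hex, the value published beside a capture file."""
    return hashlib.md5(data).hexdigest()


def verify_capture(data: bytes, expected_md5: str) -> bool:
    """True when the bytes received hash to the published digest."""
    return md5_hex(data) == expected_md5.lower()


# Flag combinations for the scan types named in the submission. A TCP connect()
# scan starts with the same SYN on the wire, so it is labelled SYN here too.
SCAN_SIGNATURES = {
    frozenset({"SYN"}): "SYN",
    frozenset(): "NULL",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
}


def classify_probe(flags) -> Optional[str]:
    """Name of the scan type for a probe's flag set, or None if not a probe."""
    return SCAN_SIGNATURES.get(frozenset(flags))


def infer_port_states(packets, attacker=ATTACKER, target=TARGET):
    """Map (scan_type, target_port) to a state decided from the target's replies.

    SYN probe:           SYN/ACK -> open, RST -> closed, nothing -> no-response
    FIN/NULL/XMAS probe: RST -> closed, nothing -> open|filtered (no way to tell)
    """
    probes = set()                 # (scan, attacker_port, target_port)
    replies = defaultdict(list)    # (attacker_port, target_port) -> flag sets
    for p in packets:
        if p["src"] == attacker and p["dst"] == target:
            scan = classify_probe(p["flags"])
            if scan:
                probes.add((scan, p["sport"], p["dport"]))
        elif p["src"] == target and p["dst"] == attacker:
            replies[(p["dport"], p["sport"])].append(frozenset(p["flags"]))
    states = {}
    for scan, sport, dport in probes:
        got = replies.get((sport, dport), [])
        if any("RST" in f for f in got):
            state = "closed"
        elif scan == "SYN":
            state = "open" if any({"SYN", "ACK"} <= f for f in got) else "no-response"
        else:
            state = "open|filtered"
        states[(scan, dport)] = state
    return states


def ports_answering_without_rst(packets, target=TARGET):
    """The ethereal filter from the submission: target packets lacking RST."""
    return sorted({p["sport"] for p in packets
                   if p["src"] == target and "RST" not in p["flags"]})


def pkt(src, dst, sport, dport, *flags):
    """Minimal packet record (constructed, not parsed from a real capture)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}


# Constructed sample: a SYN scan, then FIN, NULL and Xmas probes.
SAMPLE = [
    pkt(ATTACKER, TARGET, 40001, 22, "SYN"), pkt(TARGET, ATTACKER, 22, 40001, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40001, 22, "ACK"),          # connect() completing; ignored
    pkt(ATTACKER, TARGET, 40002, 80, "SYN"), pkt(TARGET, ATTACKER, 80, 40002, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40003, 23, "SYN"), pkt(TARGET, ATTACKER, 23, 40003, "RST", "ACK"),
    pkt(ATTACKER, TARGET, 40004, 111, "SYN"), pkt(TARGET, ATTACKER, 111, 40004, "SYN", "ACK"),
    pkt(ATTACKER, TARGET, 40005, 22, "FIN"),          # open port: silence
    pkt(ATTACKER, TARGET, 40006, 23, "FIN"), pkt(TARGET, ATTACKER, 23, 40006, "RST", "ACK"),
    pkt(ATTACKER, TARGET, 40007, 80),                 # NULL probe, open port: silence
    pkt(ATTACKER, TARGET, 40008, 21, "FIN", "PSH", "URG"),
    pkt(TARGET, ATTACKER, 21, 40008, "RST", "ACK"),
]

if __name__ == "__main__":
    for key, state in sorted(infer_port_states(SAMPLE)):
        print(key, state)
    print("no-RST ports:", ports_answering_without_rst(SAMPLE))
```

The author's filter and the per-probe pairing agree on the SYN scan, but the pairing makes the difference between the stealth probes visible: a FIN, NULL or Xmas probe that draws no reply can only be reported as "open or filtered", which is why those scans are grouped together in the submission.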