Scan of the Month 27 - Analysis by Christophe GRENIER

Introduction

This document is an analysis performed for the Honeynet Projects Scan of the Month for April 2003.

Analysis

Verify the log signatures

First, download the log file and verify the MD5 checksum:

[kmaster@christophe kmaster]$ md5sum sotm27.gz
b4bfc10fa8346d89058a2e9507cfd9b9  sotm27.gz

Using ethereal, after loading the file, we can see that the first frame arrival time is March 1, 2003 GMT 09:08:09. In the frame 25, we learn the honeynet date

Frame 25 (299 bytes on wire, 299 bytes captured)
    Arrival Time: Mar  1, 2003 12:47:47.714411000
    Time delta from previous packet: 0.814035000 seconds
    Time relative to first packet: 13178.189207000 seconds
    Frame Number: 25
    Packet Length: 299 bytes
    Capture Length: 299 bytes
    ...
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Server: Microsoft-IIS/5.0\r\n
    Date: Sat, 01 Mar 2003 12:14:31 GMT\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 1270\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ASPSESSIONIDGQGQGRSK=PBFPBFNCIFJHFOFDOFOKMJAN; path=/\r\n
    Cache-control: private\r\n
    \r\n

Time from the log file, 12:47:47, and from web reply, 12:14:31, don't match. By checking the timestamp from a request to auto.search.msn.com, we can see that snort time is correct.

Frame 3096 (699 bytes on wire, 699 bytes captured)
    Arrival Time: Mar  5, 2003 05:21:09.236016000
    Time delta from previous packet: 0.062556000 seconds
    Time relative to first packet: 331979.710812000 seconds
    Frame Number: 3096
    Packet Length: 699 bytes
    Capture Length: 699 bytes
    ...
Hypertext Transfer Protocol
    HTTP/1.1 302 Object moved\r\n
    Server: Microsoft-IIS/5.0\r\n
    Date: Wed, 05 Mar 2003 05:21:09 GMT\r\n
    P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"\r\n
    Location: http://auto.search.msn.com/results.asp?cfg=DNSERROR&v=1&FORM=DNSERR&q=users%2Eerol%2Ecom%2Fgmgarner%2Fforensics%2F\r\n
    Content-Length: 235\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ASPSESSIONIDQSSCSCRQ=NDOINAACLPGKNIJNLHJMEELG; path=/\r\n
    Cache-control: private\r\n
    \r\n

Packet checksum

All IP checksums are wrong. The IP addresses have been altered to protect the privacy of the networks.

MAC address observation

By examining the second frame, we can learn three MAC addresses.

Frame 2 (343 bytes on wire, 343 bytes captured)
Ethernet II, Src: 00:05:69:00:01:e2, Dst: 00:e0:b6:05:ce:0a
    Destination: 00:e0:b6:05:ce:0a (00:e0:b6:05:ce:0a)
    Source: 00:05:69:00:01:e2 (00:05:69:00:01:e2)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.16.134.191 (172.16.134.191), Dst Addr: 219.118.31.42 (219.118.31.42)
User Datagram Protocol, Src Port: 137 (137), Dst Port: 1025 (1025)
NetBIOS Name Service
   Answers
   Unit ID: 00:05:69:00:01:56

MAC address beginning by 00:05:69 corresponds to VMWare (see /etc/ethereal/manuf). The Honetnet is running in a virtual machine as explained here.

Protocol hierarchy

Passive OS fingerprinting

Using p0f, we can try to determine OS.

p0f -s sotm27 |sort -u

A listing of attackers can be found in Appendix A Other hosts can be found in Appendix B

Beginning Questions

What is IRC?

IRC is an acronym for Internet Relay Chat. IRC is a standard allowing users to communicate in real time, by passing simple text messages back and forth. The IRC client and server protocols are defined in RFC 1459. People meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. The largest chat systems on the Internet are based on the IRC protocol. Each consists of a network of servers, forming a "tree". The servers keep track of who is using the chat system at any given time, keep track of channels and deliver messages to users or channels on request. IRC is currently text-based, but client extensions have added sound and even video capabilities.

What message is sent by an IRC client when it asks to join an IRC network?

To join an IRC network, an IRC client identified itself by sending its nickname, rgdiuggac in our case.

NICK rgdiuggac

After, it sends USER username hostname servername realname.

USER rgdiuggac localhost localhost :rgdiuggac

the client can configure its mode, in our example, it ask to not hide its IP address and to be invisible.

MODE rgdiuggac -x
MODE rgdiuggac +i

After, it joins a chanel and provide a password for it: JOIN #xàéüîéðìx :sex0r

What is a botnet?

Bots are automated IRC clients. A botnet is a term used when you link to or more bots together.

What are botnets commonly used for?

Basically you can talk to other people on the other bots partyline, share users, share channel information, any anything else if you add scripts to all of the bots. Another use is to launch coordinated attacks against computer systems. Various methods are used (extract from http://bre.klaki.net/programs/tircproxy/manual/tircproxy-5.html):

• Flooding involves sending large amounts of random data to the victim, in order to disrupt his IRC session or even saturate his network connection.
• Channel takeovers occur when an unfriendly person takes control of the victim's channel. When this happens the channel usually becomes unusable.
• Nick collisions occur when two users try to use the same nickname simultaniously - the IRC protocol doesn't allow this, so both users are usually disconnected.
• Clone bots are automated IRC clients, usually used in large numbers to help implement attacks 1, 2 or 3.
• Nukes are TCP/IP attacks used to disrupt the IRC network itself, creating an opportunity to launch 2 or 3.
• Bugs in various IRC clients are frequently exploited.
• Trojans can be sent via DCC, allowing the attacker to gain an essentially arbitrary amount of control over the victim's computer - if the victim can be tricked into accepting and activating the trojan. Bugs occasionally make "social engineering" unnecessary.
• The IP address of the client is made available to the attacker by a simple server query, allowing crackers to make abitrary attacks, not limited by the IRC network.

What TCP ports does IRC generally use?

IRC generally uses TCP port 6667 (ircd).

What is a binary log file and how is one created?

A binary log file is a file capture of binary data 1's and 0's. Binary logging is sometimes referred to as "raw" traffic capture because we are capturing packets in their most raw form (ones and zeros). For network intrusion detection systems placed in high traffic areas of a network, binary capture is much more beneficial. (1) We are in a better position not to lose packets during the capture phase, and (2) binary files are lower in size than say, an ASCII text file. Traffic can be captured in binary form using a promiscuous mode interface, a hub, a tap, or from a span port off a router or switch. The underlying functionality used to capture traffic off the wire is a packet capture library known as the Libpcap library. Libpcap is a standard library used for sniffing traffic on a network segment using tcpdump, snort, and ethereal. A windows version of the libpacp library is winpcap. This allows us to run tools like Ethereal and Snort in a Windows environment as well.

To create a binary log file using Snort:

# snort -l /var/log/snort -b

To read the file back:

# snort -vde -r snort.log

 

To create a binary log file using tcpdump:

# tcpdump -w ./log

To read the file back:

# tcpdump -r log

 

To create a binary log file using Ethereal at the command line:

# tethereal -w log

To read the file back on the command line:

# tethereal -r log

You can use Ethereal's GUI to read binary log files as well. Just type ethereal at the command line to run the GUI version of Ethereal.

What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

209.196.44.172
217.199.175.10
63.241.174.144

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. But logs from five days of honeypot operation only show 3458 of them (Result of WHO and JOIN)

Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

The aggregate bandwith of the botnet is over 800Mb (15,164*56kbps=829Mbps).

Intermediate Questions

What IP source addresses were used in attacking the honeypot?

What vulnerabilities did attackers attempt to exploit?

Using snort 2.0, (snort -k none -c snort.conf -r sotm27 -l log), we can spot some of them:

• MS-SQL Worm propagation attempt
• WEB-IIS attacks: ISAPI .ida attempt, cmd access, script access, .htr access, examples...

Which attacks were successful?

There is no MS-SQL server on the honeypot and attacks against IIS were unsuccessful. It seems some TCP reset were generated to stop the attacks. (Snort Inline ?)

\PIPE\Isarpc:   NT's Local Security Authority Service
\PIPE\NETLOGON: NT Login and Authentication Services
\PIPE\srvsvc:   NT Administrative Services
\PIPE\winreg:   NT Registry Services
\PIPE\svcctl:   NT Service Control Services
\PIPE\samr:     NT SAM Database Management Services

General Questions

What did you learn about analysis as a result of studying this scan?

It's not really easy to tell which attacks were really successful. Don't trust Snort netbios rules.

How do you anticipate being able to apply your new knowledge and skills?

Well, we really need some automated tools to analyse log.

How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

I don't like packet with wrong checksum, it may confused some tools. BTW it will be interesting to have a copy of the tools used to alter IP address and hostname.

Christophe GRENIER
Security Consultant
Global Secure
mail me personally or at work