Honeynet Project Scan of the Month Challenge (Scan 27)
By Skeets Norquist
4/34/03

Introduction

I have just recently learned of the Honeynet Project and this is my first attempt at a Scan of the Month Challenge.

1. What is IRC?

A quick search on www.rfc-editor.org yields several RFCs detailing IRC, which stands for Internet Relay Chat. IRC is an internet protocol that allows users to send instant text messages to each other. IRC uses a client/server architecture: a client connects to a single IRC server, which can then forward messages on to other clients or other IRC servers. Messages can be sent to a single user or broadcast to various groups of users. Additionally, users can create and manage "channels", which are clusters of users who all receive each other's messages.

2. What message is sent by an IRC client when it asks to join an IRC network?

This is accomplished by the JOIN message. RFC 2812 describes the syntax as:

Command: JOIN
Parameters: ( <channel> *( "," <channel> ) [ <key> *( "," <key> ) ] ) / "0"

The client can supply a list of channels to join and an optional list of keys (passwords).

3. What is a botnet?

A Google search on "What is a botnet?" returns this informative web page: http://zine.dal.net/previousissues/issue19/botnet.php. This page describes a botnet as a collection of fake IRC users created by trojan programs that have spread throughout the internet. These trojans are programmed to connect to IRC networks, join a pre-determined channel, and then wait for their creator to issue them commands through this same IRC channel.

4. What are botnets commonly used for?

The previously referenced web page describes the damage botnets can do: attempt to create more bots by spamming other IRC channels with the address of a trojanned web page, maliciously flood other IRC channels, glean nickname/password information from infected IRC users, or launch Denial of Service attacks.
These Denial of Service attacks can be especially devastating, as they are of the distributed variety: the botnets consist of numerous bots spread throughout the Internet.

5. What TCP ports does IRC generally use?

A little Googling for "IRC" brought up a good IRC FAQ page (http://www.irchelp.org/irchelp/altircfaq.html) that says the most commonly used TCP port for IRC is 6667.

6. What is a binary log file and how is one created?

A binary log file contains the data captured from a network interface using a tool like tcpdump or Snort. You can analyze this data to see what sort of network traffic a host has.

7. What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

I used Ethereal to analyze the honeypot log file. I filtered the packets to those where the IP source address was the address of the honeypot (172.16.134.191) and the TCP port indicated IRC traffic (port 6667). My filter looked like this:

tcp.port == 6667 and ip.src == 172.16.134.191

Then I sorted the listing by destination IP address and saw that there were these unique hosts:

66.33.65.58
63.241.174.144
217.199.175.10
209.196.44.172
209.126.161.29

8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

First I tried this filter in Ethereal:

tcp.port == 6667 and ip.dst == 209.196.44.172 and irc

But this only showed where the honeypot was talking to 209.196.44.172. What I really wanted to know is where 209.196.44.172 was talking to other hosts in the botnet. So I modified my filter:

tcp.port == 6667 and ip.src == 209.196.44.172 and irc

At first I thought this was a failure, since the IP destination field in this list was just the address of the honeypot. Well duh, of course it is: the log only captures data sent to and from the honeypot, not between third-party hosts.
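The Ethereal display filter from question 7, reimplemented as a stand-alone Python script. This is an added example, not part of the original write-up: it reads a libpcap file using only the standard library, keeps the IPv4/TCP records whose source is the honeypot address and whose port is 6667, and lists the distinct destination addresses, which is what sorting the filtered packet list by destination gave above. The capture it reads is constructed inline; the ports, payloads and the unrelated HTTP packet in it are sample values, not data from the challenge log.

```python
import struct
import ipaddress

IRC_PORT = 6667
HONEYPOT = "172.16.134.191"   # the honeypot address from question 7


def build_frame(src, dst, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame. Checksums stay zero; the parser never checks them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,   # ports, seq, ack
                      5 << 4, 0x18, 8192, 0, 0)           # data offset 5 words, PSH|ACK, window
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in libpcap format: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed capture: IRC sessions to two servers, one server reply, one unrelated HTTP packet."""
    return build_pcap([
        build_frame(HONEYPOT, "209.196.44.172", 1045, IRC_PORT, b"NICK bot\r\n"),
        build_frame("209.196.44.172", HONEYPOT, IRC_PORT, 1045, b":irc 001 bot :Welcome\r\n"),
        build_frame(HONEYPOT, "66.33.65.58", 1046, IRC_PORT, b"NICK bot\r\n"),
        build_frame(HONEYPOT, "192.0.2.80", 1047, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame(HONEYPOT, "209.196.44.172", 1045, IRC_PORT, b"JOIN #x\r\n"),
    ])


def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP record in a pcap buffer."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"         # pcap files may be written either way
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                    # not TCP
            continue
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def irc_servers_contacted(pcap, honeypot=HONEYPOT):
    """Same selection as 'tcp.port == 6667 and ip.src == <honeypot>', reduced to distinct destinations."""
    return sorted({dst for src, dst, sport, dport, _ in iter_tcp(pcap)
                   if src == honeypot and IRC_PORT in (sport, dport)})


if __name__ == "__main__":
    for server in irc_servers_contacted(sample_capture()):
        print(server)
```

To run it against a real capture, replace `sample_capture()` with the bytes of a pcap file written by tcpdump or Ethereal; the parser handles both byte orders of the global header but deliberately ignores VLAN tags, IPv6 and pcapng, which a production tool would need.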
But closer inspection of these packets showed that they indeed had the data I was looking for: they contained IRC messages about bots (and their associated hosts) entering and leaving the botnet. So I opened up the filter a little to show both traffic sent from the honeypot to 209.196.44.172 and traffic from 209.196.44.172 to the honeypot (so I could see both sides of the conversation):

tcp.port == 6667 and ip.addr == 209.196.44.172 and irc

I saved this data to a new file so that I had all my IRC traffic of interest in one place. At this point I could probably glean the host addresses from these IRC messages using a combination of tcpdump and perl. Printing out data that matched the regular expression "@[^ ]* " (an at symbol followed by any number of non-spaces followed by a space) would do it. Then I could use the Unix "sort" and "uniq" commands to generate a list of unique hosts. The last step would be to count the list with "wc". Unfortunately all I have at my disposal right now is a Windows box, so I don't have the necessary tools. However, the number of hosts accessing 209.196.44.172 must be less than 9796, which is the number of IRC packets sent between the honeypot and 209.196.44.172.

9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

Using my number above, it must be less than 9796 x 56 kbps = 548576 kbps = 535 Mbps.

Conclusion

This was an interesting and enjoyable challenge. I now have a much firmer handle on IRC and network traffic in general. This was my first time using a tool like Ethereal and I can see its usefulness. I'm hoping to set up a Linux box and dig into other tools as well, such as tcpdump and Snort.
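The host-counting pipeline described in question 8 (the "@[^ ]* " pattern, then sort, uniq and wc) and the bandwidth arithmetic from question 9, written out as an added Python example that runs on the Windows box the write-up mentions. This is not code from the original report. The IRC lines it scans are constructed here to look like the server-to-client membership messages the ip.addr == 209.196.44.172 filter exposes (documentation-range addresses, not the challenge's data); the `hosts_from_prefix` function is a tighter alternative that only reads the `nick!user@host` prefix, which shows why the loose pattern can over-count when an "@" appears in chat text.

```python
import re

# Constructed sample of IRC server-to-client traffic, the kind of lines the
# ip.addr == 209.196.44.172 filter shows. Addresses are documentation ranges, not challenge data.
SAMPLE_IRC = """\
:bot-a!x@203.0.113.5 JOIN :#bots
:bot-b!x@198.51.100.9 JOIN :#bots
:bot-a!x@203.0.113.5 PART #bots
:bot-c!x@203.0.113.77 JOIN :#bots
:bot-b!x@198.51.100.9 QUIT :Ping timeout
:irc.example.test 353 honeypot = #bots :bot-c bot-d
:bot-b!x@198.51.100.9 JOIN :#bots
:bot-c!x@203.0.113.77 PRIVMSG #bots :reach me at admin@203.0.113.200 later
"""

# The write-up's pattern: '@', then any run of non-spaces, then a space.
LOOSE_RE = re.compile(r"@[^ ]* ")
# Tighter alternative (assumed here): only the host part of a ':nick!user@host ' message prefix.
PREFIX_RE = re.compile(r"^:[^! ]+![^@ ]+@([^ ]+) ")


def hosts_loose(text):
    """The grep | sort | uniq pipeline the write-up describes: every '@host ' token, deduplicated."""
    return sorted({m.group(0)[1:-1] for m in LOOSE_RE.finditer(text)})


def hosts_from_prefix(text, commands=("JOIN", "PART", "QUIT")):
    """Hosts taken only from the prefix of membership messages, so '@' inside chat text is ignored."""
    found = set()
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m and line.split(" ", 2)[1] in commands:
            found.add(m.group(1))
    return sorted(found)


def aggregate_kbps(host_count, link_kbps=56):
    """Question 9: aggregate bandwidth if every host has the same link speed."""
    return host_count * link_kbps


def kbps_to_mbps(kbps):
    """Same 1024 kbps = 1 Mbps convention the write-up uses (548576 kbps -> 535 Mbps)."""
    return kbps / 1024


if __name__ == "__main__":
    loose, strict = hosts_loose(SAMPLE_IRC), hosts_from_prefix(SAMPLE_IRC)
    print(len(loose), "hosts by the loose regex:", loose)      # 'wc -l' of the sort | uniq output
    print(len(strict), "hosts by prefix parse:", strict)
    print("upper bound from 9796 packets:", kbps_to_mbps(aggregate_kbps(9796)), "Mbps")
```

On the sample the loose pattern reports four hosts and the prefix parse three: the extra one is the address quoted inside the PRIVMSG text, so on a real log the count from the one-line regex is an upper bound on the distinct bot hosts, the same way the 9796 packet count is.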