Honeynet Scan of the Month for September 2002

Analysis:

1. Downloaded the file from honeynet's website using Mozilla and ran md5sum against the tar file.

It matches the MD5 sum that is posted on the Honeynet Website.

2. Next, extracted the tar file. It contained two files in it.

Verified using md5sum again.

Which matches the hash value in 08226@19-snort.log.md5.

3. Launched ethereal with the log file

4. I also extracted the binary file to text files

Answers to the Questions:

1. What is a binary log file and how is one created?

A binary log file is a file that is written to with system or program information, and instead of writing the information in readable text, the information is formated in such a why that a program is needed to interpret it. One of the best reason to do this is that a binary log file is normally much smaller than if all of the information is written to in text. For example, the 0826@19-snort.log file, which is our biinary log file for this Scan of the Month, is about 12MB, but when I extracted the file to text using snort and the -l option, the files took about 45MB on disk. There are many ways to create a binary log file. It is dependent on the program you are using to write the log file. Using snort again as an example, it can create tcpdump formatted log files. To do this, you can either edit the snort.conf file to include the line: output log_tcpdump: snort.log (or whatever file name you wish) or you can use the -b flag if you run snort from the command line.

2. What is MD5 and what value does it provide?

According to whatis.com, MD5 is "an algorithm that is used to verify data integrity through the creation of a 128 bit message digest from data input ... that is claimed to be unique to that specific data as a fingerprint to the specific individual." In other words, MD5 takes data as an input to its algorithm and creates a 128-bit string that is unique to that data. If the data is changed in anyway, the M5 string would be different. The value of MD5 is that, with a great degree of certainty, you will know if the data has changed from its original value. NOTE: You can never be 100% certain but with MD5 you can be pretty close. Programs such as tripwire use MD5 hashes to monitor critical system files for any changes. A great way to know if a hacker as replaced a binary with a Trojan copy.

3. What is the attacker's IP address?

The scans seem to be coming from multiple machines, namely 192.168.0.9, 192.168.0.1, 192.168.0.199, and 192.168.0.254. 192.168.0.9 seems to be doing the most scanning but other IP addresses are doing some scanning as well, namely the TCP XMAS scan. Now this could be an option in nmap (-D for decoy) to hide the true scanner's IP address by doing scans from what seems to be multiple IP address.

4. What is the destination IP address?

The destination IP address is 192.168.0.99. No matter which IP address was doing the port scanning, 192.168.0.99 was always the destination.

5. We scanned the honeypot using 5 different methods. Can you identify the five different scanning methods, and describe how each of the five works?

I used www.networkice.com for the definitions of most of the scanning types.

a. ICMP echo/reply - This is not really a port scan, but it is used by most security tools to test if a host is up. Of course no response to an ICMP echo doesn't mean that host is always down. It could be filtering ICMP echo requests. Use nmap -P0 to truly find out.

b. SYN Scan - Also known as a stealth scan because it does not complete the TCP handshake. It will send a SYN packet to a TCP port, and then move on to the next port. It is known as stealth because most machines will not log these connections. You can see if a port is open because if a port is open, it will send a SYN,ACK packet back. If not, it will send a RST,ACK packet.

Here is an example of a SYN scan:

08/26-20:14:03.298387 192.168.0.9:52198 -> 192.168.0.99:56836
TCP TTL:53 TOS:0x0 ID:9523 IpLen:20 DgmLen:40
******S* Seq: 0x40E6DA2 Ack: 0x0 Win: 0x800 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/26-20:14:03.298395 192.168.0.99:56836 -> 192.168.0.9:52198
TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x40E6DA3 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


This port (56836) on 192.168.0.99 is closed, hence the TCP flags ACK and RST being set on the return TCP packet.

c. XMAS Scan - The is an illegal TCP packet what has the FIN, URG, and PSH flags set in the TCP options. It known as the XMAS scan because it is lit up like a Christmas tree. The theory behind this is that a closed port will respond differently than an open port when it receives this TCP packet. Typically, an open port will discard this packet while a closed port might send a TCP RST packet back.

Here is an example of a XMAS scan:

08/26-20:27:15.503163 192.168.0.1:35965 -> 192.168.0.99:111
TCP TTL:38 TOS:0x0 ID:61616 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0 Ack: 0x0 Win: 0xC00 TcpLen: 20 UrgPtr: 0x0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


This scan is looking for a listening program on Sun's RPC port.

d. NULL Scan - Another illegal TCP packet, but this time all of the TCP flags are null. This is used just like the XMAS Scan. The NULL Scan and XMAS scan can get through some firewalls that only look for valid TCP flags settings. This exposes internal servers to the outside, which is bad because internal servers are normally less locked down than a firewall.

Here is an example of a NULL scan:

08/26-20:21:27.873570 192.168.0.9:42294 -> 192.168.0.99:2
TCP TTL:39 TOS:0x0 ID:34811 IpLen:20 DgmLen:40
******** Seq: 0x0 Ack: 0x0 Win: 0x1000 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/26-20:21:27.873578 192.168.0.99:2 -> 192.168.0.9:42294
TCP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


This port is closed since it responded back with TCP RST packet.

e. UDP Scan - This scan looks for open UDP ports. It is not as fancy as the XMAS or NULL scan, but it can be used to find DNS servers, TFTP servers, or other UDP openings that could be overlooked.

Here is an example of a UDP Scan:

08/26-20:24:54.378417 192.168.0.9:40531 -> 192.168.0.99:1
UDP TTL:55 TOS:0x0 ID:41888 IpLen:20 DgmLen:328 Len: 308
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


The destination host responds back to the attacker's IP address with a Port Unreachable ICMP reply. The attacker knows that nothing is listening on that port.

6. Which scanning tool was used to scan our honeypot?How were you able to determine this?

The tool that was used in this port scanning was Nmap by Fyodor . The reason why I feel nmap was used is because of the versitility of nmap. It can do XMAS scans ( using the -sX flag ), NULL scans ( using -sN ), SYN scans ( using -sS ), and UDP scans ( using -sU ), plus many more things like using decoy IP addresse to hide the true attacker. All of these were used in the snort log that was provided. Also, to prove that it was nmap, I tried using it a few times to see it in action. I captured the scans using tcpdump, and nmap would always do an ICMP echo request plus send an ACK ping to TCP port 80 before it starts to scan, which this snort capture shows.

7. What is the purpose of port scanning?

The purpose of port scanning to gather information about a host. The more information you have about a system, the easier it is to crack into or to secure. What you are mainly looking for in a port scan is open ports, and if you are using a tool like nmap, the operating system of the host. When you know what are the open ports are on a system, and the type of system it is, then you know what vulnerabilities to look for. On the flip side, if you are a security administrator, you would use port scanning to find out where you are vulnerable and to even find out if you have been cracked. For example, if you know a machine on your network should only be listening to port 22 (ssh), then when you do a port scan on that machine, and it returns both port 22 and 313337 it probably means that it has been cracked.

8. What ports were found open on our honeypot?

The way that I determined which ports were open on 192.168.0.99 was to look for all packets from 192.168.0.99 that have their ACK and SYN flags set. This is the second step in the three-way handshake for TCP. By doing so, these are the ports that I found open:

9. Bonus Question: What operating system was the attacker using?

I tried many things to determined what the operating system the attacker was using, most got me no where. First, I thought that since I know the attacker is using namp it could imited the operating systems to different flavors of Unix, but now nmap is supported in Windows. I then tried to see how nmap determines a remote operating system when using the -o option, but that only seems useful in determining a system that you are attacking. Next, I thought of the ICMP payload. I know that Windows uses the Alphabet in its payload while Linux uses a number sequence. Well that didn't help either because nmap doesn't have any ICMP payload when it does its ping. Finally, I did notice that the default TCP Window Size in the snort log is 2048, which is the same size of that is used in an nmap scan running under Windows XP. So my guess for the attacker's operating system is Windows XP Pro. Not much of a proof, but I'm sticking with it.