Challenge Analysis

By: Michael Capp

September 13, 2002

 

The Mission:

Members from the South Florida Honeynet team manually generated five different types of port scans from the Internet to a single honeypot. These are not port scans captured from the wild. The term "the wild" is used to describe any host we don't know about outside of our network. In other words, any host other than our own connected to the Internet involved in reconnaissance, an intrusion, and/or system compromise is a system in the wild. During each scan, our network intrusion detection sensor captured each scan and saved it to a binary log file. We used snort to capture each scan in tcpdump format. It's important to note that tcpdump and snort use the libpcap library to capture and store packets from off the wire. So you can learn more about the packet capture technologies used to capture the port scans during this challenge, we have provided links to help get you on the right foot. It is up to you, the beginner analyst, to pull the binary file into a packet decoder such as tcpdump or ethereal to analyze each scan. Your mission, if you choose to accept it, is to answer the questions below the best that you can.

 

Binary Verification:

MD5 (sotm23.tar.gz) = 9d28c5ee9ce7b77e3099a07ad303811f

 

Questions:

 

1. What is a binary log file and how is one created?

 

Binary log files are useful for those networks that expect a significant amount of network traffic to be passed through the intrusion detection sensor.  Binary mode logs packets into a “tcpdump” format to a single binary file in a specified logging directory.  If utilizing Snort as the intrusion detection sensor, the following command line option will generate a binary log file:

 

./snort -l ./<log directory> -b

 

The above command line does not require the specification of a “home network” since all data will be saved into a binary log file.  The “-l” parameter gives the path to the logging directory and the “-b” parameter is the binary logging switch.

 

In order to read the packets with binary logging enabled, one must use a sniffer that supports the “tcpdump” style binary format such as Ethereal, tcpdump, or Snort (using the -r switch).
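To make the “tcpdump style” binary format concrete, here is an added example (not part of the original analysis) that builds a tiny libpcap file from constructed bytes, decodes its global header and per-packet record headers, and pulls the Ethernet addresses whose vendor prefix (OUI) is what lets an analyst name the NIC makers in questions 3 and 4. The MAC addresses and timestamp are made up; nothing is read from the real sotm23 capture.

```python
import struct

# Constructed libpcap ("tcpdump format") bytes for illustration: a 24-byte global
# header and one record holding a bare 14-byte Ethernet header. MAC addresses and
# timestamp are made up; nothing here is taken from the real sotm23 capture.
def build_sample_pcap():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes seen on the wire)
    rec_hdr = struct.pack("<IIII", 1031929200, 44, len(frame), 60)
    return global_hdr + rec_hdr + frame

def parse_pcap(data):
    """Decode a libpcap file: return (file_info, records), honouring the writer's byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        e = ">"
    else:
        raise ValueError("not a libpcap (tcpdump-format) file")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        records.append({"ts": ts_sec + ts_usec / 1e6, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}, records

def ethernet_addrs(frame):
    """Return (dst_mac, src_mac) of an Ethernet frame; the first three octets are the
    vendor OUI, which is how a capture reveals NIC makers such as 3Com or Xircom."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return fmt(frame[0:6]), fmt(frame[6:12])

if __name__ == "__main__":
    info, recs = parse_pcap(build_sample_pcap())
    print(info, len(recs), ethernet_addrs(recs[0]["data"]))
```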

 

 

2. What is MD5 and what value does it provide?

The MD5 algorithm takes as input a message of arbitrary length and produces, as output, a 128-bit “fingerprint” or “message digest” of the input.  By generating the 128-bit fingerprint and comparing it with an MD5 checksum utility (such as md5sum), the integrity of a file or message can be verified: any alteration of the content produces a different digest.  RFC 1321 contains all relevant information regarding the MD5 message-digest algorithm.

 

 

3. What is the attacker’s IP address?

Each packet contains a source address of 192.168.0.9 (the attacker).  In addition, the source was using a 3Com NIC.

 

 

4. What is the destination IP address?

Each packet contains a destination address of 192.168.0.99 (the destination).  In addition, the destination was using a Xircom NIC.

 

 

5. We scanned the honeypot using five different methods.  Can you identify the five different scanning methods and describe how each of the five works?

The following scanning methods were used during this port scan challenge:

 

a. Scan Type: ACK Scan

Scan Parameter(s): -sA

Description:

No. | Time     | Source IP    | Destination IP | Protocol | Info
3   | 0.000044 | 192.168.0.9  | 192.168.0.99   | TCP      | 52218 > http [ACK] Seq=2347237379 Ack=4094787819 Win=2048 Len=0
4   | 0.000119 | 192.168.0.99 | 192.168.0.9    | TCP      | http > 52218 [RST] Seq=4094787819 Ack=0 Win=0 Len=0

 

This technique is typically used to map out firewall rule sets.  This scan sends an ACK packet (with random-looking acknowledgement/sequence numbers) to the specified port.  If an RST is returned, the port is classified as “unfilterable”; if nothing is returned, the port is classified as “filtered”.  As shown above, an ACK packet was sent to the http port (port 80) of the destination machine and an [RST] packet was received, indicating the port is unfilterable.

 

b. Scan Type: TCP SYN Scan

Scan Parameter(s): -sS

Description:

No. | Time      | Source IP    | Destination IP | Protocol | Info
5   | 10.346091 | 192.168.0.9  | 192.168.0.99   | TCP      | 52198 > 52156 [SYN] Seq=68054434 Ack=0 Win=2048 Len=0
6   | 10.346199 | 192.168.0.99 | 192.168.0.9    | TCP      | 52156 > 52198 [RST, ACK] Seq=0 Ack=68054434 Win=0 Len=0

 

This technique does not open a full TCP connection [SYN], [SYN, ACK], [ACK]; instead, it sends an initial SYN packet and expects a [SYN, ACK] if the port is open and listening or an [RST, ACK] if the port is a non-listener.  If a [SYN, ACK] is received, an [RST] is immediately sent to tear down the connection (usually this is handled by the OS kernel).

 

c. Scan Type: TCP Null Scan

Scan Parameter(s): -sN

Description:

No.    | Time        | Source IP    | Destination IP | Protocol | Info
148011 | 1284.924394 | 192.168.0.9  | 192.168.0.99   | TCP      | 42294 > 1393 [] Seq=0 Ack=0 Win=4096 Len=0
148012 | 1284.924445 | 192.168.0.99 | 192.168.0.9    | TCP      | 1393 > 42294 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
150604 | 1306.922009 | 192.168.0.9  | 192.168.0.99   | TCP      | 42295 > https [] Seq=0 Ack=0 Win=4096 Len=0
150605 | 1306.922051 | 192.168.0.9  | 192.168.0.99   | TCP      | 42294 > 2998 [] Seq=0 Ack=0 Win=4096 Len=0

 

All flag bits in the packet sent were set to a value of 0, which is indicative of this type of scan.  A closed port replies to the probe packet with an RST; an open port gives no response (or the probe is silently dropped).  This type of scan does not work against Microsoft operating systems.  As shown above, port 1393 answered with an [RST, ACK] and is therefore closed, while https (port 443) gave no response and is reported as open; had it been closed, an [RST, ACK] would have been returned by the destination.

 

d. Scan Type: UDP ICMP Port Unreachable Scanning

Scan Parameter(s): -u

Description:

No.    | Time        | Source IP    | Destination IP | Protocol | Info
155846 | 1504.127658 | 192.168.0.9  | 192.168.0.99   | UDP      | Source port: 40531  Destination port: 1
155847 | 1504.127684 | 192.168.0.99 | 192.168.0.9    | ICMP     | Destination unreachable

 

The above UDP Unreachable Scan shows a random source port sending a UDP datagram to port 1.  The response from the destination was “Destination Unreachable”, indicating the port was closed.  This technique is used to determine which UDP ports are open: if no such ICMP message is returned for a probe, the port is assumed to be open.

 

e. Scan Type: TCP Xmas Scan

Scan Parameter(s): -sX -D 192.168.0.1, 192.168.0.254, 192.168.0.199, ME

Description:

No.    | Time        | Source IP     | Destination IP | Protocol | Info
156008 | 1612.404870 | 192.168.0.1   | 192.168.0.99   | TCP      | 35964 > 368 [FIN, PSH, URG] Seq=0 Ack=0 Win=3072 Urg=0 Len=0
156009 | 1612.404914 | 192.168.0.254 | 192.168.0.99   | TCP      | 35964 > 368 [FIN, PSH, URG] Seq=0 Ack=0 Win=3072 Urg=0 Len=0
156010 | 1612.404949 | 192.168.0.9   | 192.168.0.99   | TCP      | 35964 > 368 [FIN, PSH, URG] Seq=0 Ack=0 Win=3072 Urg=0 Len=0
156011 | 1612.404972 | 192.168.0.99  | 192.168.0.9    | TCP      | 368 > 35964 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0

 

In the above packets, the FIN (Finish), URG (Urgent), and PSH (Push) flags were set as well as the sequence set to 0.  This Xmas Scan is typically used to trick IDS sensors that are normally looking for the SYN and FIN bits to be set.  In detail, the flags indicate:

· [FIN] Finish

· [PSH] Push (Informs the receiver to pass on the data as soon as possible)

· [URG] Urgent (Indicates the urgent pointer is valid; often caused by an interrupt)

The flags within this scan would not be seen as part of normal network traffic.  By sending the above bits in the constructed packet, this technique expects an RST back for all TCP ports that are closed.  This type of scan does not work against Microsoft operating systems.  In addition, this scan was used with the -D (decoy) parameter making it appear as though there are multiple hosts sending the packets.
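As an added example from the sensor’s point of view (not part of the original analysis), the following code turns the five probe/response patterns described above into a small classifier: it names the scan from the probe’s flag bits, infers the port state the scanner would report from the honeypot’s reply, and flags the decoy burst of question 5e as a group of identical probes from several sources within a millisecond. The records are hand-built from the Ethereal rows quoted in this answer, not parsed from the capture.

```python
from collections import defaultdict

# Constructed probe records modelled on the Ethereal rows quoted above (times in seconds,
# TCP flags as a set). Hand-built for illustration, not read from the challenge capture.
PROBES = [
    dict(t=0.000044, src="192.168.0.9", sport=52218, dport=80, proto="TCP", flags={"ACK"}, seq=2347237379),
    dict(t=10.346091, src="192.168.0.9", sport=52198, dport=52156, proto="TCP", flags={"SYN"}, seq=68054434),
    dict(t=1284.924394, src="192.168.0.9", sport=42294, dport=1393, proto="TCP", flags=set(), seq=0),
    dict(t=1306.922009, src="192.168.0.9", sport=42295, dport=443, proto="TCP", flags=set(), seq=0),
    dict(t=1504.127658, src="192.168.0.9", sport=40531, dport=1, proto="UDP", flags=set(), seq=None),
    dict(t=1612.404870, src="192.168.0.1", sport=35964, dport=368, proto="TCP", flags={"FIN", "PSH", "URG"}, seq=0),
    dict(t=1612.404914, src="192.168.0.254", sport=35964, dport=368, proto="TCP", flags={"FIN", "PSH", "URG"}, seq=0),
    dict(t=1612.404949, src="192.168.0.9", sport=35964, dport=368, proto="TCP", flags={"FIN", "PSH", "URG"}, seq=0),
]
# Replies the sensor saw, keyed by (probe source, probed port); a missing key means silence.
RESPONSES = {("192.168.0.9", 80): "RST", ("192.168.0.9", 52156): "RST/ACK",
             ("192.168.0.9", 1393): "RST/ACK", ("192.168.0.9", 1): "ICMP unreachable",
             ("192.168.0.9", 368): "RST/ACK"}
TCP_SCANS = {frozenset({"ACK"}): "ACK", frozenset({"SYN"}): "SYN", frozenset(): "Null",
             frozenset({"FIN", "PSH", "URG"}): "Xmas"}

def scan_type(p):
    """Name the scan from protocol and flag bits, following the descriptions in question 5."""
    return "UDP" if p["proto"] == "UDP" else TCP_SCANS.get(frozenset(p["flags"]), "unknown")

def port_state(kind, resp):
    """Map the reply to the state the scanner infers for that scan type (see question 5)."""
    if kind == "ACK":  # tells only whether a filter is in the way, never open/closed
        return "unfiltered" if resp == "RST" else "filtered"
    if kind == "SYN":
        return {"SYN/ACK": "open", "RST/ACK": "closed"}.get(resp, "filtered")
    if kind == "UDP":
        return "closed" if resp == "ICMP unreachable" else "open|filtered"
    return "closed" if resp and resp.startswith("RST") else "open|filtered"  # Null and Xmas

def classify(probes=PROBES, responses=RESPONSES):
    """(source, port, scan type, inferred state) for every probe in the capture."""
    kinds = [(p, scan_type(p)) for p in probes]
    return [(p["src"], p["dport"], k, port_state(k, responses.get((p["src"], p["dport"])))) for p, k in kinds]

def decoy_groups(probes=PROBES, window=0.001):
    """Identical probes (ports, flags, seq) from several sources within `window` seconds are the
    footprint of nmap's -D option; return each such set of apparent sources."""
    groups = defaultdict(list)
    for p in probes:
        groups[(p["proto"], p["sport"], p["dport"], frozenset(p["flags"]), p["seq"])].append(p)
    return [sorted({p["src"] for p in ps}) for ps in groups.values()
            if len({p["src"] for p in ps}) > 1 and max(p["t"] for p in ps) - min(p["t"] for p in ps) <= window]
```

Because the sensor recorded no reply to the two decoy addresses, their Xmas probes classify as open|filtered; the burst detector, not the per-probe state, is what exposes them as decoys.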

 

 

6. Which scanning tool was used to scan our honeypot?  How were you able to determine this?

NMAP (www.insecure.org) was the tool used to scan the destination.  There are several indications leading us to this conclusion.  The first is that, by default, NMAP sends a standard ICMP echo request prior to its attempt to scan, to ensure the destination is up and running.  Secondly, an additional commonality of NMAP is its use of high source ports.  In certain cases, IDS and firewall applications will not flag these scans because of their use of the high source ports.  Lastly, during an Xmas Scan, NMAP sets the Urgent Pointer to 0, which is the case in this challenge.

 

 

7. What is the purpose of port scanning?

Port scanning can be used ethically and maliciously to identify open ports, the services listening on them and, by extension, vulnerabilities in operating systems.  Scanners accomplish this by sending normal and abnormal packets to the specified destination and, based upon the response returned, determine whether a port is open.  Depending on the port, the service listening on it could have an exploitable vulnerability that can be used by the hacker to gain access or cause malicious damage.  In addition, these tools can be used ethically to determine the same information as specified above, giving the System Administrator or security personnel the appropriate information for patching these exploitable holes.

 

 

8. What ports were found open on our honeypot?

The following ports were found to be open during this port scan:

 

Protocol   | Port
SSH        | 22
HTTP       | 80
Domain/DNS | 53
SunRPC     | 111
HTTPS      | 443

 

 

9. Bonus Question:  What operating system was the attacker using?

Based upon the information in the Echo (ping) requests to the destination machine, the attacker’s machine is based upon a Linux 2.2.x or 2.4.x kernel.  This is based upon the TTL (Time to Live) having an initial starting value of 64, while the TTL of the packets as they arrived at the destination is 52.  In addition, the content offset from the ICMP header is 8, which is standard for a Linux-based kernel.

 

 

Tools:

SlavaSoft Optimizing Checksum Utility v1.55 (MD5 Checksum Verification)

Ethereal v0.9.6

 

 

References:

Intrusion Detection Level Analysis of Nmap and Queso by Toby Miller

http://online.securityfocus.com/infocus/1225

 

Nmap Network Security Scanner Man Page

http://www.insecure.org/nmap/nmap_manpage.html

 

ICMP Usage in Scanning

http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf