Challenge Analysis

By: Michael Capp

March 31, 2003

The Challenge

In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password. During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities. Subsequent to a successful attack, the honeypot was joined to a large botnet. The challenge is based on logs from five days of honeypot operation, collected using Snort. The logs have been edited to remove irrelevant traffic and combined into a single file. Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent. Your mission is to analyze the log file in order to answer the questions below.

Binary Verification:

Original	:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9
Download (Win)	:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9 (See Figure 1.0)
Download (Linux)	:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9 (See Figure 1.1)

Figure 1.0:

Figure 1.1:

mcapp@eeyore mcapp $ md5sum sotm27.gz

b4bfc10fa8346d89058a2e9507cfd9b9 sotm27.gz

mcapp@eeyore mcapp $

TABLE OF CONTENTS

The Challenge. 1

Questions. 2

Beginning Questions. 2

1. What is IRC?. 2

2. What message is sent by an IRC client when it asks to join an IRC network?. 3

3. What is a botnet?. 3

4. What are botnets commonly used for?. 3

5. What TCP ports does IRC generally use?. 3

6. What is a binary log file and how is one created?. 4

7. What IRC servers did the honeypot, which has the IP address of 172.16.134.191, communicate with? 4

8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?. 4

9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet? 5

Intermediate Questions. 5

1. What IP source addresses were used in attacking the honeypot?. 5

2. What vulnerabilities did attackers attempt to exploit?. 5

3. Which attacks were successful?. 6

General Questions. 18

1. What did you learn about analysis as a result of studying this scan?. 18

2. How do you anticipate being able to apply your new knowledge and skills?. 18

3. How can we improve the SotM challenge? What would you like to see added? What would like you like to see done differently?. 18

Questions

Beginning Questions

1. What is IRC?

Internet Relay Chat (“IRC”) is a client/server-based chat system first started in August 1988 by Jarkko Ouikarinen. In order to use IRC, a client is required that sends and receives messages from an IRC server; this can be as simple as a standard telnet client. The IRC server is responsible for ensuring messages are broadcast to those participating in the joined discussion(s). Following are several terms that are common with IRC usage:

Term	Definition
Channel	‘Rooms’ or categorized chat areas where people gather to chat.
DCC	Direct link between clients commonly used to transfer files back and forth on IRC.
IRCops	Net or Server operators. They share responsibility to ensure servers are functioning properly and users “behave”.
Lags & Splits	Splits happen when one or more servers are overloaded and users get bumped off. Lags occur when there are significant delays in transmitting messages between networks.
Nick	Nickname, handle, or pseudonym used instead of real names.
Ops & Operators	Users with administrative authority over a channel or multiple channels that can perform various moderator-type commands.

2. What message is sent by an IRC client when it asks to join an IRC network?

In relation to the packet captures, the first sessions originated with packet 35748 where the IRC server attempts to identify the honeypot via the IDENTification protocol (RFC1413).

Response Line: NOTICE AUTH : *** Looking up your hostname…

Response Line: NOTICE AUTH : *** Checking Ident

Response Line: NOTICE AUTH : *** No Ident response.

The purpose of IDENT is to attempt verification of the source of the connection. When a connection is made, an ident capable service queries the client on port 113 to determine the user that opened the TCP socket. If the client is running a properly configured IDENT daemon, an appropriate response would be returned to the server’s request.

Following the IDENT request, in packet 35753, a request is sent from the attacker or bot to the IRC server providing the nickname or pseudonym that the attacker or bot wanted to initially use:

Request Line: NICK eohisou

Request Line: USER eohisou localhost localhost : eohisou

See Appendix A for the complete logs retrieved from the attacker’s IRC session.

3. What is a botnet?

In order to understand the purpose of a botnet, it is important to understand the basic functionality of a bot, or roBOT. A bot is a computer program that works in conjunction with IRC and performs various functions. Several bots serve a legitimate purpose; to perform such tasks as: keeping channels open if no users are present, protect against net-split attacks, enforce bans/channel security, etc.

Botnets are a collective group of individual bots that typically are the result of a Trojan or strategically placed bot on an individual or company computer.

4. What are botnets commonly used for?

In practice, botnets can act as Trojans, luring the typical home user to run a script, visit a website, or run an infected program that can potentially add their computing power to this collective. Collectively, botnets can be used to perform large distributed denial of service attacks, channel attacks, net splits, or any number of programmatic functions that the bot was designed to perform.

5. What TCP ports does IRC generally use?

RFC1459 does not specifically state reserved ports for use with the IRC Protocol, however, TCP ports 6665-6669 are reserved for IRC usage and it most IRC servers operate on port 6667.

6. What is a binary log file and how is one created?

A binary log file is a file that is created that is unreadable as a standard text file and usually requires specific utilities to interpret or read the data in the file. One substantial benefit is that binary log files are typically smaller than normal text files. Many programs contain the ability to create binary log files and in several circumstances; this is configurable via the configuration file. As an example: Snort contains the ability to write to the tcpdump format by modifying the snort.conf file and including the line:

Output log_tcpdump : snort.log

Additionally, by default, Linux logs information about users that have logged into the system to a binary log file. It is kept up to date by utilities such as login and in.uccpd. The data is viewable with tools such as last, lastb, who, and finger.

7. What IRC servers did the honeypot, which has the IP address of 172.16.134.191, communicate with?

After specifying a filter in Ethereal to limit the Protocol traffic to IRC and the source IP to 172.16.134.191, it was determined that the honeypot communicated with the following three (3) IRC servers:

63.241.174.144

217.199.175.10

209.196.144.172 (irc5.aol.com)

8. During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

In order to determine the number of distinct hosts that form this botnet, the beginning IRC session was started and “Follow TCP Stream” was used within Ethereal. The IRC stream was then saved into a text file and parsed to remove all excess information. The following command on Linux was used to determine that 3,457 hosts were existent within this channel at that given moment:

mcapp@eeyore mcapp $ wc –w challenge.txt

3457 challenge.txt

mcapp@eeyore mcapp $

Similarly, parsing the file to reveal names in the channel on Microsoft Word reveals the same results:

9. Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

Based upon the above assumption, the aggregate bandwidth of this botnet would meet or exceed, depending on actual available bandwidth per host:

193, 592 kbps,

193,592,000 bps,

~194 Mbps –or-

the equivalent of approximately 126 T1’s, 4 T3/DS3’s, or 1 OC3 and 24 T1’s.

Intermediate Questions

1. What IP source addresses were used in attacking the honeypot?

Please follow this link for a chart containing the source addresses and their associated attacks.

2. What vulnerabilities did attackers attempt to exploit?

The following are specific vulnerabilities that were targeted and their possible related references:

Vulnerability	Reference
Microsoft Windows 2000 vulnerable to Denial of Service (“DoS”) via malformed packets sent to port 445/tcp.	http://www.kb.cert.org/vuls/id/693099
Hack’a’Tack Trojan	http://www.iss.net/security_center/advice/Intrusions/2001534/default.htm
Windows Shares	http://www.cert.org/advisories/CA-2003-08.html

As you can see from the charter below, the most common attacks were related to Microsoft operating system flaws and vulnerabilities, a few of which were successfully exploited as you will see detailed in Question 3.

3. Which attacks were successful?

As noted by the RED in the chart, there were several successful attacks on this specific honeypot. This link provides a detailed analysis of each attack listed

Attack 1 (Detailed Event Analysis)

03/03/2003 21:55:34 - Initial packets from 195.36.247.77 indicate someone specifically interested in NetBIOS/SMB ports 139 and 445 as well as any vulnerabilities that may exist on port 135 (DCE/RPC/EPMAP).

274	236844.901586	Attacker	Server	TCP	4768 > epmap [SYN] Seq=148910790 Ack=0 Win=16384 Len=0
275	236844.906655	Server	Attacker	TCP	epmap >4768 [SYN, ACK] Seq=2453546201 Ack=148910790 Win=17040 Len=0
280	236846.003387	Attacker	Server	TCP	4792 > microsoft-ds [SYN] Seq=149838612 Ack=0 Win=16384 Len=0
281	236846.003395	Attacker	Server	TCP	4792 > netbios-ssn [SYN] Seq=149921138 Ack=0 Win=16384 Len=0

03/03/2003 21:55:36 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates anonymously and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NULL

User name: NULL

Host name: LIO-UEA8YNL9UE1

Native OS: Windows 2002 2600 (Windows XP)

Native LAN Manager: Windows 2002 5.1

The attacker connects to the \SAMR path in order to enumerate the domain and user information.

315	236860.101949	Attacker	Server	SAMR	OpenDomain request, S-1-5-32
316	236860.104895	Server	Attacker	SAMR	OpenDomain reply
317	236861.346261	Attacker	Server	SAMR	EnumDomains request
318	236861.348643	Server	Attacker	SAMR	EnumDomains reply
321	236863.396376	Attacker	Server	SAMR	OpenDomain request, S-1-5-21-1229272821-706699826-1060284298
322	236863.398944	Server	Attacker	SAMR	OpenDomain reply
323	236864.566463	Attacker	Server	SAMR	EnumDomainUsers request
324	236864.584451	Server	Attacker	SAMR	EnumDomainUsers reply
325	236865.104455	Attacker	Server	SAMR	OpenUser request, rid 0x1f4
326	236865.107606	Server	Attacker	SAMR	OpenUser reply

In the above packet sequence, the following details indicate that the user has compromised the Administrator account and is successfully authenticated (some details intentionally left omitted for clarity):

[+] Frame 325 (194 bytes on wire, 194 bytes captured)

[+] Ethernet II, Src: 00:e0:b6:05:ce:0a, Dst: 00:05:69:00:01:e2

[+] Internet Protocol, Src Addr: 195.36.247.77 (195.36.247.77), Dst Addr: 172.16.134.191

[+] Transmission Control Protocol, Src Port: 4792, Dst Port: Microsoft-ds (445)

[+] NetBIOS Session Service

[+] SMB (Server Message Block Protocol)

[+] SMB Pipe Protocol

[+] DCE RPC

[-] Microsoft Security Account Manager

Operation: OpenUser (34)

[-] Policy Handle: OpenDomain(S-1-5-21-1229272821-70669826-1060284298)

Context Handle: 0000000062D88CB5E74DD711B39D0005…

Frame handle opened: 322

Frame handle close: 387

Access Mask: 0x0002011b

Rid: 500

By default, the Administrator account has a RID of 500 unless the username has been changed. In this case, the packet following the request (326) indicates the user has successfully authenticated as Administrator on this server.

Attacker Successfully Authenticates as the ‘Guest’ Account and Queries User Information

338	236871.159750	Attacker	Server	SAMR	OpenUser request, rid 0x1f5
339	236871.162867	Server	Attacker	SAMR	OpenUser reply

It is now clear that the attacker is accessing each user account in chronological order based upon the RID. Based upon the information the attacker has retrieved, in addition to the Administrator and Guest account, three (3) additional user accounts exist that the attacker retrieved information on.

03/03/2003 21:56:22 - Once the attacker has retrieved this information, he/she proceeds to disconnect from the tree and terminate the connection.

03/03/2003 21:56:28 - The attacker establishes a new connection and this time authenticates as Administrator. Upon establishing administrative privileges, a path is created to \ADMIN$ and immediately following this request; the attacker terminates his/her session and does not return.

Conclusion: The entire session lasted approximately 43 seconds, therefore most likely a script was used in attempting to enumerate the accounts and retrieve all the information specified above.

Attack 2 (Detailed Event Analysis)

03/04/2003 04:17:52 - Initial packets from 66.139.10.15 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

03/04/2003 04:17:52 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NULL

User name: NULL

Host name: GLITTER

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 04:17:53 - Next, a path is created to \SAMR in order to enumerate all of the domain information. Once this information is retrieved, the attacker terminates the session.

469	259783.462836	Attacker	Server	SMB	Tree Connect AndX Request , Path: \\172.16.134.191\IPC$
470	259783.466199	Server	Attacker	SMB	Tree Connect AndX Response
471	259783.693027	Attacker	Server	SMB	NT Create AndX Request, Path: \samr
472	259783.696840	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4000

03/04/2003 04:17:54 - After negotiating a new SMB session, the first authentication attempt fails, but the second is successful.

506	259785.276297	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_NEGOTIATE
507	259785.276297	Server	Attacker	SMB	Session Setup AndX Response, NTLMSSP_NEGOTIATE, Error: STATUS_MORE_PROCESSING_REQUIRED
508	259785.365752	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_AUTH
509	259785.381039	Server	Attacker	SMB	Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

After querying and retrieving group and user information, the attacker terminates his/her session.

03/04/2003 04:17:58 - Upon establishing another new session, the attacker attempts to authenticate using the Guest account. After the initial fail; the account is disabled, however, the attacker continues an additional five (5) times to authenticate to this account.

576	259789.218588	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_NEGOTIATE
577	259789.220276	Server	Attacker	SMB	Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
579	259789.308293	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_AUTH
580	259789.310615	Server	Attacker	SMB	Session Setup AndX Response, Error: STATUS_ACCOUNT_DISABLED
581	259789.387040	Attacker	Server	SMB	Logoff AndX Request
582	259789.388147	Server	Attacker	SMB	Logoff AndX Response, Error: Bad userid

03/04/2003 04:18:02 - After failing authentication attempts using the Guest account; the attacker now attempts to login to the ‘IUSR_PC0191’ account seven (7) times and fails. Following this predictable behavior, the attacker attempts to login to the remaining accounts (IWAM_PC0191, TsInternetUser) for a total of seven (7) times, each of which fails.

03/04/2003 04:18:09 - Attacker terminates the session after several authentication failures.

Conclusion: The entire session lasted approximately 43 seconds, therefore most likely a script was used in attempting to enumerate the accounts and retrieve all the information specified above.

Attack 3 (Detailed Event Analysis)

03/04/2003 16:43:26 - Initial packets from 216.170.214.226 indicate an attacker specifically looking for NetBIOS vulnerabilities on port 139.

03/04/2003 16:43:31 - Received packets indicating a successful “attack” or connection to NetBIOS services on port 139. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process was completed, the attacker attempts to make a path to \\PC0191\IPC$ from DISPATCH (their local NetBIOS name). The attacker attempted to use (most likely due to lack of knowledge) their local machine account of DTMILWMANGE\DMMD to create this connection and fails.

Attacker Observations:

Domain Name: DTMILWMANGE

User name: DMMD

Host name: N/A

Native OS: Windows 4.0

Native LAN Manager: Windows 4.0

882	304521.725012	Attacker	Server	SMB	Session Setup AndX Request, User: DTMILWMANGE\DMMD: Tree Connect AndX, Path: \\PC0191\IPC$
883	304521.732667	Server	Attacker	SMB	Session Setup AndX Response, Error: Access denied

03/04/2003 16:43:31 - Access is denied and the attacker terminates the session.

Conclusion: The entire session lasted approximately 5 seconds and was most likely a very inexperienced attacker who gave up after the failed initial attempt.

Attack 4 (Detailed Event Analysis)

03/04/2003 21:38:10 - Initial packets from 210.22.204.101 indicate this attacker started probing the SQL Server port 1433. It is interesting that three (3) different SYN packets were made from the same source port of 4242. Further investigation indicates the “Virtual Hacking Machine” Trojan uses this as a destination port, but I believe this is unrelated in this case as the Trojan is for remote control and not remote attacks. After the three probes on port 1433, further probes were made for open ports 139 and 445.

901	322200.877107	Attacker	Server	TCP	4242 > ms-sql-s [SYN] Seq=1716659376 Ack=0 Win=64240 Len=0
902	322200.883021	Server	Attacker	TCP	ms-sql-s > 4242 [RST, ACK] Seq=0 Ack=1716659377 Win=0 Len=0
903	322201.616173	Attacker	Server	TCP	4242 > ms-sql-s [SYN] Seq=1716659376 Ack=0 Win=64240 Len=0
904	322201.622095	Server	Attacker	TCP	ms-sql-s > 4242 [RST, ACK] Seq=0 Ack=1716659377 Win=0 Len=0

03/04/2003 21:38:14 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates as anonymous and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NULL

User name: NULL

Host name: ST-111

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 21:38:15 - Next, a path is created to \SAMR in order to enumerate all of the domain information.

33237	412042.452703	Attacker	Server	SMB	NT Create AndX Request, Path: \samr
33238	412042.455590	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4001
33241	412042.792469	Attacker	Server	SAMR	Connect4 request, \\172.16.134.191
33242	412042.794977	Server	Attacker	SAMR	Connect4 reply
33243	412042.972381	Attacker	Server	SAMR	EnumDomains request
33244	412042.991002	Server	Attacker	SAMR	EnumDomains reply
33245	412043.152498	Attacker	Server	SAMR	LookupDomain request
33246	412043.154330	Server	Attacker	SAMR	LookupDomain reply

03/05/2003 21:38:17 - These requests are closed and another path is created to \SAMR in order to enumerate additional information.

966	322211.537960	Attacker	Server	SAMR	OpenDomain request, S-1-5-32
967	322211.539063	Server	Attacker	SAMR	OpenDomain reply
968	322211.784724	Attacker	Server	SAMR	LookupNames request
969	322211.787601	Server	Attacker	SAMR	LookupNames reply

03/05/2003 21:38:21 - The attacker opens the Administrator account in order to retrieve additional information about the honeypot. At this point, the attacker is able to obtain member aliases, RIDs, and groups.

970	322212.045185	Attacker	Server	SAMR	OpenUser request, rid 0x1f4
971	322212.047812	Server	Attacker	SAMR	OpenUser reply
972	322212.343680	Attacker	Server	SAMR	GetGroups request
975	322212.993266	Attacker	Server	SAMR	GetAliasMem request
982	322213.860621	Attacker	Server	SAMR	LookupRIDs request

03/04/2003 21:38:27 - This attacker now opens the next user, which happens to be the Guest account, and proceeds to retrieve additional information.

1012

322217.633301

Attacker

Server

SAMR

OpenUser request, rid 0x1f5

03/04/2003 21:38:32 - Now the attacker starts retrieving information on non-machine created accounts, RIDs 1000 (0x3e8), 1001 (0x3e9), and 1002 (0x3ea).

1049	322222.570546	Attacker	Server	SAMR	OpenUser request, rid 0x3e9
1090	322228.313571	Attacker	Server	SAMR	OpenUser request, rid 0x3ea
1127	322233.201322	Attacker	Server	SAMR	OpenUser request, rid 0x3e8

03/04/2003 21:38:45 - Once information is retrieved on all machine and non-machine accounts created on this honeypot, the attacker terminates the session.

03/04/2003 21:38:46 - Immediately following, the attacker initiates a new session authenticating successfully as Administrator. After authenticating, a path is created to \IPC$ and the attacker terminates the session.

03/04/2003 21:38:48 - A new session initiation occurs and an authentication attempt is made against the Administrator account. Based on the data below, it is possible the attacker sent a misspelled user id, however, Microsoft states the actual reason for the logon failure is not specified for this return value.

1191	322238.838542	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_NEGOTIATE
1192	322238.838557	Server	Attacker	SMB	Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
1193	322239.071949	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_AUTH
1194	322239.076533	Server	Attacker	SMB	Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
1199	322239.672837	Server	Attacker	SMB	Logoff AndX Response, Error: Bad userid

03/04/2003 21:38:49 - Following the above failed authentication attempt, the attacker attempts nineteen (19) more attempts that fail with the same error.

03/04/2003 21:39:03 - After initiating a new session, the attacker establishes a successful authentication as Administrator and again creates an SMB session to the IPC service stub.

03/04/2003 21:39:04 - After successfully obtaining Administrator privileges, the attacker opens \svcctl and after receiving a DFS_REFERRAL error, the attacker creates a path to \C$.

1373	322254.655965	Attacker	Server	SMB	NT Create AndX Request, Path: \svcctl
1374	322254.661675	Server	Attacker	SMB	NT Create AndX Response, FID: 0x400c
1392	322256.828051	Attacker	Server	SMB	Transaction2 Request GET_DFS_REFERRAL, File: \172.16.134.191\C$
1393	322256.835362	Server	Attacker	SMB	Transaction2 Response GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE
1394	322257.058080	Attacker	Server	SMB	Tree Connect AndX Request, Path: \\172.16.134.191\C$

03/04/2003 21:39:06 - The attacker now begins implementation of his/her Trojan. This specific Trojan is called R_SERVER.EXE.

1396	322257.318799	Attacker	Server	SMB	NT Create AndX Request, Path \WINNT\System32\r_server.exe
1397	322257.341355	Server	Attacker	SMB	NT Create AndX Response, FID: 0x400d

03/04/2003 21:39:!2 - Once implemented, the attacker modifies the file information:

[-] SET_FILE_INFORMATION Parameters

FID: 0x400d

Level of Interest: Query File Basic Info (4.2.14.4) (1004)

Reserved: 0000

Padding: 0000

[-] SET_FILE_INFORMATION Data

Created: No time specified (0)

Last Access: No time specified (0)

Last Write: Jul 24, 2001 11:15:54.00000000

Change: Mar 4, 2003 18:23:40.062498092

[+] File Attributes: 0x00000000

Unknown Data: 00000000

03/04/2003 21:39:13 - The attacker now adds supplemental files: \System32\raddrv.dll and \System32\admdll.dll.

1649	322263.704823	Attacker	Server	SMB	NT Create AndX Request, Path: \WINNT\System32\raddrv.dll
1688	322265.566763	Attacker	Server	SMB	NT Create AndX Request, Path: \WINNT\System32\admdll.dll

Further investigation indicates these are supplemental files for Radmin (http://www.famatech.com), which is a remote administration application. Theoretically, it is not classified as a Trojan, however, its’ uses are similar.

03/04/2003 21:39:23 - Once the Radmin application is installed and executed, the attacker starts running a script to exploit a buffer overflow vulnerability in IIS’ Indexing Service, which is the same vulnerability that the Code Red worm took advantage of (http://www.eeye.com/html/Research/Advisories/AD20010618.html).

1839

322275.638746

Attacker

Server

HTTP

GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC…

This particular overflow is caused by sending approximately 240 bytes in the buffer, in this case indicated by the “C’s” that are being sent. Specifically, this buffer overflows in a wide character transformation operation by taking the ASCII (1 byte per character) input buffer and turning it into a wide character/Unicode string (2 bytes per character) byte string.

03/04/2003 21:41:51 - Following this exploit, the attacker initiates a new session and creates a path to \\PC0191\C. Now, the attacker starts communication with port 6129 on the honeypot server. Further investigation yields this port indicative of traffic using the DameWare (http://www.dameware.com) server application, which will allow the attacker full control.

03/04/2003 21:44:24 - Shortly after, communication begins with port 4899 on the honeypot, however, this traffic is encrypted using Radmin’s 128-bit encryption ensuring a secure session with its client/server operation.

03/04/2003 21:48:22 - The Radmin traffic abruptly stops and so does the attacker’s session, however, no normal RST or FIN, ACK packets are received indicating such.

Conclusion: Based upon the exploit time to obtain the user account information; most likely a script was used. In addition, a script was probably used to exploit the buffer overflow in the Indexing Service, however, the attacker now has complete control of the honeypot via the remote administration tool that was implemented.

Attack 5 (Detailed Event Analysis)

03/05/2003 05:40:42 - Initial packets from 80.181.116.202 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

03/05/2003 05:40:44 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NOKIA

User name: Administrator

Host name: NOKIA

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 05:40:46 - Next, a path is created to \srvsvc in order to enumerate all of the share information.

20979	351156.777922	Attacker	Server	SMB	NT Create AndX Request, Path: \srvsvc
20980	351156.777926	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4000
20985	351156.999077	Attacker	Server	SRVSVC	NetrShareEnum request
20986	351157.003386	Server	Attacker	SRVSVC	NetrShareEnum reply

The following is an excerpt from the NetrShareEnum reply that was sent to the attacker as a result of the request:

[-] Microsoft Server Service

Operation: NetrShareEnum (15)

[-] Shares

Info Level: 1

[-] SHARE_INFO_1_CONTAINER: IPC$ ADMIN$ C$

Referent ID: 0x000e3378

Max Count: 3

[-] Share: IPC$

[+] Share: IPC$

Share Type: Hidden IPC (0x80000003)

[+] Comment: Remote IPC

[-] Share: ADMIN$

[+] Share: ADMIN$

Share Type: Hidden Directory tree (0x800000000)

[+] Comment: Remote Admin

[-] Share: C$

[+] Share: C$

Share Type: Hidden Directory tree (0x800000000)

[+] Comment: Default share

Number of entries: 3

03/05/2003 05:40:46 - Once the above share information was retrieved, the attacker abruptly terminated the session. No RST or FIN, ACK was received to indicate the termination.

Conclusion: The entire session lasted 4 seconds; therefore, it is probable that a script was used to obtain this information.

Attack 6 (Detailed Event Analysis)

03/05/2003 05:42:47 - Initial packets from 24.197.194.106 indicate an attacker executing a sequential port scan looking for vulnerable ports to attack.

03/05/2003 05:47:45 - Once the port scan has completed, the attacker attempts to exploit NetBIOS on port 139 by establishing an authenticated SMB connection to the IPC service stub, however, this attempt fails.

21339	351575.901990	Attacker	Server	SMB	Session Setup AndX Request, User: HEWLETTPACKARD\HP AUTHORIZED CUSTOM; Tree Connect AndX, Path: \\PC0191\IPC$
21340	351575.924667	Server	Attacked	SMB	Session Setup AndX Response, Error: Access denied

Attacker Observations:

Domain Name: HEWLETTPACKARD

User name: HP AUTHORIZED CUSTOM

Host name: N/A

Native OS: Windows 4.0

Native LAN Manager: Windows 4.0

03/05/2003 05:47:45 - After the failed attempt, the attacker executes a new port scan.

03/05/2003 05:48:06 - Once the port scan has completed, the attacker runs a script that uses HTTP GET and HEAD commands to determine and retrieve the specified files within IIS and Windows directories due to a vulnerability in the ISAPI script. Due to the specific files and directory structures it scans, it is possible that this is the Nikto script.

03/05/2003 06:10:09 - Once the script has run its course, the attacker terminates the session.

Conclusion: The observation indicating the computer contains default settings as specified by the manufacturer indicates this attacker is a script kiddie without much skill.

Attack 7 (Detailed Event Analysis)

03/05/2003 06:55:05 - Initial packets from 209.45.125.69 202 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

03/05/2003 06:55:05 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates anonymous and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NULL

User name: NULL

Host name: LIMPX001

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 06:55:06 - Next, a path is created to \SAMR in order to enumerate all of the domain information.

32478	355617.059738	Attacker	Server	SMB	NT Create AndX Request, Path: \samr
32479	355617.071197	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4000
32482	355617.446091	Attacker	Server	SAMR	Connect4 request, \\172.16.134.191
32483	355617.467027	Server	Attacker	SAMR	Connect4 reply
32484	355617.655291	Attacker	Server	SAMR	EnumDomains request
32485	355617.658941	Server	Attacker	SAMR	EnumDomains reply
32486	355617.904413	Attacker	Server	SAMR	LookupDomain request
32486	355617.906452	Server	Attacker	SAMR	LookupDomain reply

03/05/2003 06:55:09 - Once the attacker has retrieved the above information, he/she attempts to authenticate as Administrator and fails.

32516	355619.986146	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_NEGOTIATE
32517	355619.988676	Server	Attacker	SMB	Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
32518	355620.206528	Attacker	Server	SMB	Session Setup AndX Request, NTLMSSP_AUTH
32519	355620.222225	Server	Attacker	SMB	Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

03/05/2003 06:55:09 - A second attempt to authenticate as Administrator is successful and further information is retrieved on security objects, groups, etc.

03/05/2003 06:55:15 - After failing authentication attempts using the Guest account and causing it to be disabledt; the attacker now attempts to login to the ‘IUSR_PC0191’ account seven (7) times and fails. Following this predictable behavior, the attacker attempts to login to the remaining accounts (IWAM_PC0191, TsInternetUser) for a total of seven (7) times, each of which fails.

03/05/2003 06:55:27 - Attacker terminates the session after several authentication failures.

Conclusion: The entire session lasted approximately 22 seconds, therefore most likely a script was used similar to that used in Attack 1, if not the same, in attempting to enumerate the accounts and retrieve all the information specified above.

Attack 8 (Detailed Event Analysis)

03/05/2003 19:59:57 - Initial packets from 129.116.182.239 vary in that they target port 57 initially. Following this, the attacker targets the ms-sql-s (port 1433) and then NetBIOS/SMB ports 139 and 445.

03/05/2003 20:00:39 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates anonymous and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: NULL

User name: NULL

Host name: FSEL-GMV218UFJ5

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 20:00:39 - Next, a path is created to \SAMR in order to enumerate all of the domain information.

32928	402750.027365	Attacker	Server	SMB	NT Create AndX Request, Path: \samr
32929	402750.040438	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4001
32934	402750.247772	Attacker	Server	SAMR	Connect4 request, \\172.16.134.191
32935	402750.251504	Server	Attacker	SAMR	Connect4 reply
32938	402750.355152	Attacker	Server	SAMR	EnumDomains request
32939	402750.356178	Server	Attacker	SAMR	EnumDomains reply
32940	402750.404471	Attacker	Server	SAMR	LookupDomain request
32941	402750.410163	Server	Attacker	SAMR	LookupDomain reply

03/05/2003 20:00:42 - Now the attacker starts retrieving information on non-machine created accounts, RIDs 1000 (0x3e8), 1001 (0x3e9), and 1002 (0x3ea).

33028	402753.199432	Attacker	Server	SAMR	OpenUser request, rid 0x3e9
33068	402754.419730	Attacker	Server	SAMR	OpenUser request, rid 0x3ea
33108	402755.622980	Attacker	Server	SAMR	OpenUser request, rid 0x3e8

03/05/2003 20:00:46 - Once the above information is retrieved, the attacker terminates this session.

03/05/2003 20:00:46 - The attacker now authenticates as Administrator and creates a path to \srvsvc and enumerates the network shares.

33175	402757.457742	Attacker	Server	SAMR	NT Create AndX Request, Path: \srvsvc
33176	402757.484226	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4000
33181	402757.637711	Attacker	Server	SRVSVC	NetrShareEnum request
33182	402757.638855	Server	Attacker	SRVSVC	NetrShareEnum reply

03/05/2003 20:00:47 - Immediately after retrieving the above information, the attacker establishes a new anonymous session and after receiving an error while performing GET_DFS_REFERRAL, terminates the session.

33191	402757.930229	Attacker	Server	SMB	Transaction2 Request GET_DFS_REFERRAL, File: \172.16.134.191\C$
33192	402757.960481	Server	Attacker	SMB	Transaction2 Response GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE

Attack 9 (Detailed Event Analysis)

03/05/2003 22:33:49 - Initial packets from 61.111.101.78 are received indicating a NetBIOS vulnerability scan based on ports 139 and 445.

03/05/2003 22:35:31 - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445. Specifically, the initial protocol negotiation is in progress between the two systems. Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub.

Attacker Observations:

Domain Name: OIL-6II61N0JWTK

User name: Administrator

Host name: OIL-6I61N0JWTK

Native OS: Windows 2000 2195

Native LAN Manager: Windows 2000 5.0

03/05/2003 22:35:31 - Next, a path is created to \SAMR in order to enumerate all of the domain information.

33237	412042.452703	Attacker	Server	SMB	NT Create AndX Request, Path: \samr
33238	412042.455590	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4001
33241	412042.792469	Attacker	Server	SAMR	Connect4 request, \\172.16.134.191
33242	412042.794977	Server	Attacker	SAMR	Connect4 reply
33243	412042.972381	Attacker	Server	SAMR	EnumDomains request
33244	412042.991002	Server	Attacker	SAMR	EnumDomains reply
33245	412043.152498	Attacker	Server	SAMR	LookupDomain request
33246	412043.154330	Server	Attacker	SAMR	LookupDomain reply

03/05/2003 22:35:32 - Once this pertinent information is retrieved, the attacker proceeds to send an OpenDomain request with the server or domain’s SID and retrieves all users on the server based upon the QueryDispInfo (or NetQueryDisplayInfo/samrQueryDisplayInfo as partially documented) with a Level 1 request. This request returns a malformed packet containing all user account names, descriptions, RID’s and other important information.

33247	412043.332745	Attacker	Server	SAMR	OpenDomain request, S-1-5-21-1229272821-706699826-1060284298
33248	412043.334296	Server	Attacker	SAMR	OpenDomain reply
33249	412043.512907	Attacker	Server	SAMR	QueryDispinfo request, level 1, start_idx 0
33250	412043.526833	Server	Attacker	SAMR	QueryDispinfo reply[Malformed Packet]

03/05/2003 22:35:33 - Attacker closes OpenDomain request and terminates active session.

03/05/2003 22:35:34 - The attacker establishes new session and SMB protocol begins its’ protocol negotiation process. Once again, an authentication session with the Administrator account is performed.

03/05/2003 22:35:35 - This time, a connection is made to the \ADMIN$ path. Once this path is created, the attacker proceeds to create the file \System32\PSEXESVC.EXE.

33278	412045.812234	Attacker	Server	SMB	Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$
33279	412045.816690	Server	Attacker	SMB	Tree Connect AndX Response
33280	412046.012158	Attacker	Server	SMB	NT Create AndX Request, Path: \System32\PSEXESVC.EXE
33281	412046.039320	Server	Attacker	SMB	NT Create AndX Response, FID: 0x4001
33288	412046.743667	Attacker	Server	SMB	Write AndX Request, FID: 0x4001, 61440 bytes at offset 0

The file creation is completed at 22:35:37 and a request to close the file is received by the server.

03/05/2003 22:35:37 - Another null session is created to the IPC service stub and a request to open the \svcctl and attempts to add and execute the newly created PSEXESVC.EXE as a Service.

03/05/2003 22:35:52 - The attacker now performs a basic file info query and an attribute tag query on PSEXESVC.EXE. Apparently the file did not execute properly or was incorrectly created as the attacker now issues a request to delete the file.

33529	412062.986957	Attacker	Server	SMB	Transaction2 Request QUERY_PATH_INFORMATION, Path: \System32\PSEXESVC.EXE
33530	412063.990849	Server	Attacker	SMB	Transaction2 Response QUERY_PATH_INFORMATION
33533	412063.337170	Attacker	Server	SMB	Delete Request, Path: \System32\PSEXESVC.EXE
33534	412063.347662	Server	Attacker	SMB	Delete Response

03/05/2003 22:35:53 - Once the file has been deleted, the attacker successfully creates the PSEXESVC.EXE file again. With the new file in place, the attacker opens \svcctl again and adds the PSEXESVC.EXE to the existing Services.

03/05/2003 22:36:01 - The attacker manually executes \PSEXESVC.EXE and creates and/or overwrites \System32\inst.exe. Once complete, the attacker proceeds to open \svcctl again. Apparently, something fails or does not meet the attacker’s approval because he/she once again sends a request to delete \System32\PSEXESVC.EXE again. For the third time, the attacker creates the file PSEXESVC.EXE and opens \svcctl.

03/05/2003 22:36:33 - The attacker attempts to execute PSEXESVC.EXE and even though SMB reports STATUS_SUCCESS, there is an apparent error in the execution of this file. The attacker again sends a request to Overwrite or Create PSEXESVC.EXE, however, this time they receive a STATUS_SHARING_VIOLATION as the executable is currently running. The attacker then opens \svcctl and stops it as a service. Once this is complete, the attacker executes PSEXESVC.EXE again.

03/05/2003 22:36:39 - Once again, the attacker queries PSEXESVC.EXE and retrieves file information and proceeds to delete this executable. This same procedure happens again approximately five (5) times before either successful or the attacker gave up. The final packets prior to terminating the session indicate it was started as a service again.

03/05/2003 22:36:39 - The attacker establishes a new connection and successfully authenticates as Administrator. The first procedure is to attempt a connection to \ADMIN$ again, however, this time there are some errors that occur.

35725	412170.197378	Attacker	Server	SMB	Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$
35726	412170.199716	Server	Attacker	SMB	Tree Connect AndX Response, Error: STATUS_BAD_NETWORK_NAME

After receiving this error two (2) times, the attacker terminates his/her session.

General Questions

1. What did you learn about analysis as a result of studying this scan?

Originally, this analysis document was very vague in the detail given to each attack, however, as time went on I decided to create a very detailed analysis of the attacks that took place, including much research on each topic; especially the NetBIOS/SMB file system. I have many years experience with computers and various operating systems, however, the actual forensic analysis field is relatively new to me, but I am enjoying it immensely and look forward to participating in more challenges.

2. How do you anticipate being able to apply your new knowledge and skills?

At this point, I hope to be able to participate in more challenges and eventually create my own honeynet to further this exciting research that is currently being performed and seek new knowledge.

3. How can we improve the SotM challenge? What would you like to see added? What would like you like to see done differently?

The SotM challenges have all been wonderful. I have had the opportunity to review many of the archived challenges and enjoy participating in the new challenges now. The only suggestion I may have is that there be various categories and perhaps multiple SotM’s. For instance, each month there would be a specific scan and analysis for Beginners, Intermediate’s, and Expert’s. This would allow beginner’s to enhance their skills with an opportunity to “win”, without participating in the same class as those who are considered experts in the field.