This document is an analysis performed for the Honeynet Projects Scan of the Month for April 2003.
First, download the log file and verify the MD5 checksum:
[kmaster@christophe kmaster]$ md5sum sotm27.gz b4bfc10fa8346d89058a2e9507cfd9b9 sotm27.gz
Using ethereal, after loading the file, we can see that the first frame arrival time is March 1, 2003 GMT 09:08:09. In the frame 25, we learn the honeynet date
Frame 25 (299 bytes on wire, 299 bytes captured) Arrival Time: Mar 1, 2003 12:47:47.714411000 Time delta from previous packet: 0.814035000 seconds Time relative to first packet: 13178.189207000 seconds Frame Number: 25 Packet Length: 299 bytes Capture Length: 299 bytes ... Hypertext Transfer Protocol HTTP/1.1 200 OK\r\n Server: Microsoft-IIS/5.0\r\n Date: Sat, 01 Mar 2003 12:14:31 GMT\r\n Connection: Keep-Alive\r\n Content-Length: 1270\r\n Content-Type: text/html\r\n Set-Cookie: ASPSESSIONIDGQGQGRSK=PBFPBFNCIFJHFOFDOFOKMJAN; path=/\r\n Cache-control: private\r\n \r\n
Time from the log file, 12:47:47, and from web reply, 12:14:31, don't match.
By checking the timestamp from a request to auto.search.msn.com
, we can see
that snort time is correct.
Frame 3096 (699 bytes on wire, 699 bytes captured) Arrival Time: Mar 5, 2003 05:21:09.236016000 Time delta from previous packet: 0.062556000 seconds Time relative to first packet: 331979.710812000 seconds Frame Number: 3096 Packet Length: 699 bytes Capture Length: 699 bytes ... Hypertext Transfer Protocol HTTP/1.1 302 Object moved\r\n Server: Microsoft-IIS/5.0\r\n Date: Wed, 05 Mar 2003 05:21:09 GMT\r\n P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"\r\n Location: http://auto.search.msn.com/results.asp?cfg=DNSERROR&v=1&FORM=DNSERR&q=users%2Eerol%2Ecom%2Fgmgarner%2Fforensics%2F\r\n Content-Length: 235\r\n Content-Type: text/html\r\n Set-Cookie: ASPSESSIONIDQSSCSCRQ=NDOINAACLPGKNIJNLHJMEELG; path=/\r\n Cache-control: private\r\n \r\n
All IP checksums are wrong. The IP addresses have been altered to protect the privacy of the networks.
By examining the second frame, we can learn three MAC addresses.
Frame 2 (343 bytes on wire, 343 bytes captured) Ethernet II, Src: 00:05:69:00:01:e2, Dst: 00:e0:b6:05:ce:0a Destination: 00:e0:b6:05:ce:0a (00:e0:b6:05:ce:0a) Source: 00:05:69:00:01:e2 (00:05:69:00:01:e2) Type: IP (0x0800) Internet Protocol, Src Addr: 172.16.134.191 (172.16.134.191), Dst Addr: 219.118.31.42 (219.118.31.42) User Datagram Protocol, Src Port: 137 (137), Dst Port: 1025 (1025) NetBIOS Name Service Answers Unit ID: 00:05:69:00:01:56
MAC | IP |
00:05:69:00:01:56 | 172.16.134.191 |
00:05:69:00:01:e2 | Gateway to 172.16.134.191 |
00:e0:b6:05:ce:0a | Gateway to Internet |
MAC address beginning by 00:05:69 corresponds to VMWare (see /etc/ethereal/manuf). The Honetnet is running in a virtual machine as explained here.
Using p0f, we can try to determine OS.
p0f -s sotm27 |sort -u
A listing of attackers can be found in Appendix A Other hosts can be found in Appendix B
IRC is an acronym for Internet Relay Chat
. IRC is a standard allowing users to communicate in real time, by passing simple text messages back and forth. The IRC client and server protocols are defined in RFC 1459.
People meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately.
The largest chat systems on the Internet are based on the IRC protocol. Each consists of a network of servers, forming a "tree". The servers keep track of who is using the chat system at any given time, keep track of channels and deliver messages to users or channels on request. IRC is currently text-based, but client extensions have added sound and even video capabilities.
To join an IRC network, an IRC client identified itself by sending its
nickname, rgdiuggac
in our case.
NICK rgdiuggac
After, it sends USER username hostname servername realname
.
USER rgdiuggac localhost localhost :rgdiuggac
the client can configure its mode, in our example, it ask to not hide its IP address and to be invisible.
MODE rgdiuggac -x MODE rgdiuggac +i
After, it joins a chanel and provide a password for it:
JOIN #xàéüîéðìx :sex0r
Bots are automated IRC clients. A botnet is a term used when you link to or more bots together.
Basically you can talk to other people on the other bots partyline, share users, share channel information, any anything else if you add scripts to all of the bots. Another use is to launch coordinated attacks against computer systems. Various methods are used (extract from http://bre.klaki.net/programs/tircproxy/manual/tircproxy-5.html):
IRC generally uses TCP port 6667 (ircd).
A binary log file is a file capture of binary data 1's and 0's. Binary logging is sometimes referred to as "raw" traffic capture because we are capturing packets in their most raw form (ones and zeros). For network intrusion detection systems placed in high traffic areas of a network, binary capture is much more beneficial. (1) We are in a better position not to lose packets during the capture phase, and (2) binary files are lower in size than say, an ASCII text file. Traffic can be captured in binary form using a promiscuous mode interface, a hub, a tap, or from a span port off a router or switch. The underlying functionality used to capture traffic off the wire is a packet capture library known as the Libpcap library. Libpcap is a standard library used for sniffing traffic on a network segment using tcpdump, snort, and ethereal. A windows version of the libpacp library is winpcap. This allows us to run tools like Ethereal and Snort in a Windows environment as well.
To create a binary log file using Snort: # snort -l /var/log/snort -b To read the file back: # snort -vde -r snort.log To create a binary log file using tcpdump: # tcpdump -w ./log To read the file back: # tcpdump -r log To create a binary log file using Ethereal at the command line: # tethereal -w log To read the file back on the command line: # tethereal -r log You can use Ethereal's GUI to read binary log files as well. Just type ethereal at the command line to run the GUI version of Ethereal.
209.196.44.172 217.199.175.10 63.241.174.144
During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. But logs from five days of honeypot operation only show 3458 of them (Result of WHO and JOIN)
The aggregate bandwith of the botnet is over 800Mb (15,164*56kbps=829Mbps).
Using snort 2.0, (snort -k none -c snort.conf -r sotm27 -l log
), we can spot some of them:
There is no MS-SQL server on the honeypot and attacks against IIS were unsuccessful. It seems some TCP reset were generated to stop the attacks. (Snort Inline ?)
210.22.204.101 | OS: Windows XP Pro, Windows 2000 Pro TCP -> 172.16.134.191:4899 TCP -> 172.16.134.191:6129 TCP -> 172.16.134.191:99 TCP -> 172.16.134.191:http TCP -> 172.16.134.191:microsoft-ds TCP -> 172.16.134.191:ms-sql-s TCP -> 172.16.134.191:netbios-ssn SMB -> 172.16.134.191 \WINNT\System32\admdll.dll SMB -> 172.16.134.191 \WINNT\System32\r_server.exe SMB -> 172.16.134.191 \WINNT\System32\raddrv.dll SMB -> 172.16.134.191 \\172.16.134.191\C$ SMB -> 172.16.134.191 \\172.16.134.191\IPC$ SMB -> 172.16.134.191 \samr SMB -> 172.16.134.191 \svcctl Wed Mar 5 02:38:10 2003 -> Wed Mar 5 02:48:22 2003 (diff=612s) |
The hacker has installed radmin on the honeypot. He has been able to access to the server using TCP port 4899. | |
61.111.101.78 | OS: Windows XP Pro, Windows 2000 Pro TCP -> 172.16.134.191:microsoft-ds TCP -> 172.16.134.191:netbios-ssn SMB -> 172.16.134.191 \System32\PSEXESVC.EXE SMB -> 172.16.134.191 \System32\inst.exe SMB -> 172.16.134.191 \\172.16.134.191\ADMIN$ SMB -> 172.16.134.191 \\172.16.134.191\IPC$ SMB -> 172.16.134.191 \psexecsvc SMB -> 172.16.134.191 \samr SMB -> 172.16.134.191 \svcctl Thu Mar 6 03:33:49 2003 -> Thu Mar 6 03:38:29 2003 (diff=280s) |
The hacker has installed psexec to execute commands remotely. He has used it to start its IRC bot at 03:36:42. |
\PIPE\Isarpc: NT's Local Security Authority Service \PIPE\NETLOGON: NT Login and Authentication Services \PIPE\srvsvc: NT Administrative Services \PIPE\winreg: NT Registry Services \PIPE\svcctl: NT Service Control Services \PIPE\samr: NT SAM Database Management Services
It's not really easy to tell which attacks were really successful. Don't trust Snort netbios rules.
Well, we really need some automated tools to analyse log.
I don't like packet with wrong checksum, it may confused some tools. BTW it will be interesting to have a copy of the tools used to alter IP address and hostname.
Christophe GRENIER Security Consultant Global Secure mail me personally or at work