Scan of the Month 27 - Analysis by Christophe GRENIER

Introduction

This document is an analysis performed for the Honeynet Projects Scan of the Month for April 2003.

Analysis

Verify the log signatures

First, download the log file and verify the MD5 checksum:

[kmaster@christophe kmaster]$ md5sum sotm27.gz
b4bfc10fa8346d89058a2e9507cfd9b9  sotm27.gz

Using ethereal, after loading the file, we can see that the first frame arrival time is March 1, 2003 GMT 09:08:09. In the frame 25, we learn the honeynet date

Frame 25 (299 bytes on wire, 299 bytes captured)
    Arrival Time: Mar  1, 2003 12:47:47.714411000
    Time delta from previous packet: 0.814035000 seconds
    Time relative to first packet: 13178.189207000 seconds
    Frame Number: 25
    Packet Length: 299 bytes
    Capture Length: 299 bytes
    ...
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Server: Microsoft-IIS/5.0\r\n
    Date: Sat, 01 Mar 2003 12:14:31 GMT\r\n
    Connection: Keep-Alive\r\n
    Content-Length: 1270\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ASPSESSIONIDGQGQGRSK=PBFPBFNCIFJHFOFDOFOKMJAN; path=/\r\n
    Cache-control: private\r\n
    \r\n

Time from the log file, 12:47:47, and from web reply, 12:14:31, don't match. By checking the timestamp from a request to auto.search.msn.com, we can see that snort time is correct.

Frame 3096 (699 bytes on wire, 699 bytes captured)
    Arrival Time: Mar  5, 2003 05:21:09.236016000
    Time delta from previous packet: 0.062556000 seconds
    Time relative to first packet: 331979.710812000 seconds
    Frame Number: 3096
    Packet Length: 699 bytes
    Capture Length: 699 bytes
    ...
Hypertext Transfer Protocol
    HTTP/1.1 302 Object moved\r\n
    Server: Microsoft-IIS/5.0\r\n
    Date: Wed, 05 Mar 2003 05:21:09 GMT\r\n
    P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"\r\n
    Location: http://auto.search.msn.com/results.asp?cfg=DNSERROR&v=1&FORM=DNSERR&q=users%2Eerol%2Ecom%2Fgmgarner%2Fforensics%2F\r\n
    Content-Length: 235\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ASPSESSIONIDQSSCSCRQ=NDOINAACLPGKNIJNLHJMEELG; path=/\r\n
    Cache-control: private\r\n
    \r\n

Packet checksum

All IP checksums are wrong. The IP addresses have been altered to protect the privacy of the networks.

MAC address observation

By examining the second frame, we can learn three MAC addresses.

Frame 2 (343 bytes on wire, 343 bytes captured)
Ethernet II, Src: 00:05:69:00:01:e2, Dst: 00:e0:b6:05:ce:0a
    Destination: 00:e0:b6:05:ce:0a (00:e0:b6:05:ce:0a)
    Source: 00:05:69:00:01:e2 (00:05:69:00:01:e2)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 172.16.134.191 (172.16.134.191), Dst Addr: 219.118.31.42 (219.118.31.42)
User Datagram Protocol, Src Port: 137 (137), Dst Port: 1025 (1025)
NetBIOS Name Service
   Answers
   Unit ID: 00:05:69:00:01:56
MACIP
00:05:69:00:01:56172.16.134.191
00:05:69:00:01:e2Gateway to 172.16.134.191
00:e0:b6:05:ce:0aGateway to Internet

MAC address beginning by 00:05:69 corresponds to VMWare (see /etc/ethereal/manuf). The Honetnet is running in a virtual machine as explained here.

Protocol hierarchy

Passive OS fingerprinting

Using p0f, we can try to determine OS.

p0f -s sotm27 |sort -u

A listing of attackers can be found in Appendix A Other hosts can be found in Appendix B

Beginning Questions

What is IRC?

IRC is an acronym for Internet Relay Chat. IRC is a standard allowing users to communicate in real time, by passing simple text messages back and forth. The IRC client and server protocols are defined in RFC 1459. People meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. The largest chat systems on the Internet are based on the IRC protocol. Each consists of a network of servers, forming a "tree". The servers keep track of who is using the chat system at any given time, keep track of channels and deliver messages to users or channels on request. IRC is currently text-based, but client extensions have added sound and even video capabilities.

What message is sent by an IRC client when it asks to join an IRC network?

To join an IRC network, an IRC client identified itself by sending its nickname, rgdiuggac in our case.

NICK rgdiuggac

After, it sends USER username hostname servername realname.

USER rgdiuggac localhost localhost :rgdiuggac

the client can configure its mode, in our example, it ask to not hide its IP address and to be invisible.

MODE rgdiuggac -x
MODE rgdiuggac +i

After, it joins a chanel and provide a password for it: JOIN #xàéüîéðìx :sex0r

What is a botnet?

Bots are automated IRC clients. A botnet is a term used when you link to or more bots together.

What are botnets commonly used for?

Basically you can talk to other people on the other bots partyline, share users, share channel information, any anything else if you add scripts to all of the bots. Another use is to launch coordinated attacks against computer systems. Various methods are used (extract from http://bre.klaki.net/programs/tircproxy/manual/tircproxy-5.html):

What TCP ports does IRC generally use?

IRC generally uses TCP port 6667 (ircd).

What is a binary log file and how is one created?

Extract from http://project.honeynet.org/scans/scan23/answer.html

A binary log file is a file capture of binary data 1's and 0's. Binary logging is sometimes referred to as "raw" traffic capture because we are capturing packets in their most raw form (ones and zeros). For network intrusion detection systems placed in high traffic areas of a network, binary capture is much more beneficial. (1) We are in a better position not to lose packets during the capture phase, and (2) binary files are lower in size than say, an ASCII text file. Traffic can be captured in binary form using a promiscuous mode interface, a hub, a tap, or from a span port off a router or switch. The underlying functionality used to capture traffic off the wire is a packet capture library known as the Libpcap library. Libpcap is a standard library used for sniffing traffic on a network segment using tcpdump, snort, and ethereal. A windows version of the libpacp library is winpcap. This allows us to run tools like Ethereal and Snort in a Windows environment as well.

To create a binary log file using Snort:

# snort -l /var/log/snort -b

To read the file back:

# snort -vde -r snort.log

 

To create a binary log file using tcpdump:

# tcpdump -w ./log

To read the file back:

# tcpdump -r log

 

To create a binary log file using Ethereal at the command line:

# tethereal -w log

To read the file back on the command line:

# tethereal -r log

You can use Ethereal's GUI to read binary log files as well. Just type ethereal at the command line to run the GUI version of Ethereal.

What IRC servers did the honeypot, which has the IP address 172.16.134.191, communicate with?

209.196.44.172
217.199.175.10
63.241.174.144

During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

During operation of the honeypot, a total of 15,164 distinct hosts were seen entering the botnet. But logs from five days of honeypot operation only show 3458 of them (Result of WHO and JOIN)

Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

The aggregate bandwith of the botnet is over 800Mb (15,164*56kbps=829Mbps).

Intermediate Questions

What IP source addresses were used in attacking the honeypot?

A listing of attackers can be found in Annexe A Other hosts can be found in Annexe B

What vulnerabilities did attackers attempt to exploit?

Using snort 2.0, (snort -k none -c snort.conf -r sotm27 -l log), we can spot some of them:

But it doesn't detect the Netbios attacks.

Which attacks were successful?

There is no MS-SQL server on the honeypot and attacks against IIS were unsuccessful. It seems some TCP reset were generated to stop the attacks. (Snort Inline ?)

210.22.204.101
OS: Windows XP Pro, Windows 2000 Pro
TCP -> 172.16.134.191:4899
TCP -> 172.16.134.191:6129
TCP -> 172.16.134.191:99
TCP -> 172.16.134.191:http
TCP -> 172.16.134.191:microsoft-ds
TCP -> 172.16.134.191:ms-sql-s
TCP -> 172.16.134.191:netbios-ssn
SMB -> 172.16.134.191 \WINNT\System32\admdll.dll
SMB -> 172.16.134.191 \WINNT\System32\r_server.exe
SMB -> 172.16.134.191 \WINNT\System32\raddrv.dll
SMB -> 172.16.134.191 \\172.16.134.191\C$
SMB -> 172.16.134.191 \\172.16.134.191\IPC$
SMB -> 172.16.134.191 \samr
SMB -> 172.16.134.191 \svcctl
Wed Mar 5 02:38:10 2003 -> Wed Mar 5 02:48:22 2003 (diff=612s)
The hacker has installed radmin on the honeypot. He has been able to access to the server using TCP port 4899.
61.111.101.78
OS: Windows XP Pro, Windows 2000 Pro
TCP -> 172.16.134.191:microsoft-ds
TCP -> 172.16.134.191:netbios-ssn
SMB -> 172.16.134.191 \System32\PSEXESVC.EXE
SMB -> 172.16.134.191 \System32\inst.exe
SMB -> 172.16.134.191 \\172.16.134.191\ADMIN$
SMB -> 172.16.134.191 \\172.16.134.191\IPC$
SMB -> 172.16.134.191 \psexecsvc
SMB -> 172.16.134.191 \samr
SMB -> 172.16.134.191 \svcctl
Thu Mar 6 03:33:49 2003 -> Thu Mar 6 03:38:29 2003 (diff=280s)
The hacker has installed psexec to execute commands remotely. He has used it to start its IRC bot at 03:36:42.

\PIPE\Isarpc:   NT's Local Security Authority Service
\PIPE\NETLOGON: NT Login and Authentication Services
\PIPE\srvsvc:   NT Administrative Services
\PIPE\winreg:   NT Registry Services
\PIPE\svcctl:   NT Service Control Services
\PIPE\samr:     NT SAM Database Management Services

General Questions

What did you learn about analysis as a result of studying this scan?

It's not really easy to tell which attacks were really successful. Don't trust Snort netbios rules.

How do you anticipate being able to apply your new knowledge and skills?

Well, we really need some automated tools to analyse log.

How can we improve the SotM challenge? What would you like to see added? What would you like to see done differently?

I don't like packet with wrong checksum, it may confused some tools. BTW it will be interesting to have a copy of the tools used to alter IP address and hostname.


Christophe GRENIER
Security Consultant
Global Secure
mail me personally or at work