Document sans titre


<<< Previous

Analysis

After downloading the sotm27.gz file, we proceeded to an integrity check process before unzipping the file. The ouput of the commands below was compared to the digests of sotm27.gz published on the scan27 challenge page.

$ md5sum sotm27.gz
b4bfc10fa8346d89058a2e9507cfd9b9 sotm27

Then we tried to identify the type of the file sotm27 using the linux command below :

$ file sotm27
sotm27: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

The file seems to be a tcpdump binary capture of a network traffic. To read it we can choose on of the following programs: tcpdump, tethereal, and ethereal. Firstly, we begin by choosing Ethereal (a free network protocol analyzer for Unix and Window) due to his conviviality, we disable the two options "Enable MAC name resolution", and "ENABLE netwok name resolution" to minimize the time processing. The total number of the captured packets is 54536. A first look at the content reveals many traffic usage : SMB, HTTP, IRC, ...etc.

Honeypot IRC communication

Assuming that our honeypot has the IP address 172.16.134.191, we procced by determining what IRC servers did the honeypot communicate with. Before continuing let's mention that a connection is established by a process known as the three way handshake:

When the honeypot communicate with the IRC servers, it should initiate the connections which should be identified by a TCP destination port = 6667, a tcp flag equal to syn only, and an ip src = 172.16.134.191.
With the command below, we try read all the ackets with the tethereal program, we disable the netwok name resolution, we apply the "tcp.dstport == 6667 && tcp.flags.syn == 1" filter, and we redirect the filtered output to the file "comm-irc-server".

$ tethereal -nr sotm27 -w comm-irc-server "tcp.dstport == 6667 && tcp.flags.syn == 1"

We can use tcpdump to read the result file:

$ tcpdump -r comm-irc-server

To extract some statistics (specially the IP destination address) of the "comm-irc-server" file, which contain the connection packets targeted by the honeypot to some IRC, we use the perl script "sumsrcdst" made by Nick DeBaggis in his submission for scan23, then we read to output file.

$ tethereal -nr comm-irc-server | ./sumsrcdst > comm-irc-server.statistics
$ cat comm-irc-server.statistic

Given the results, the honeypot is trying to initiate some TCP IRC connection on the on the following server address

209.126.161.29

66.33.65.58

209.196.44.172

217.199.175.10

63.241.174.144

But we are not sure that all these servers are alive and can respond, so we should verify if there is some respond packets with a TCP source port equal to 6667, an IP destination = 172.16.134.191, and TCP flags = SYN|ACK

$ tethereal -nr sotm27 -w comm-irc-alive-server "tcp.srcport == 6667 && ip.dst == 172.16.134.191 && tcp.flags.syn == 1 && tcp.flags.ack == 1"
$ tethereal -nr comm-irc-alive-server | ./sumsrcdst > comm-irc-alive-server.statistics
$ cat comm-irc-server.statistics

Given the output results, only the following servers are alive and communicate with the honeypot.

209.196.44.172

217.199.175.10

63.241.174.144

Botnet access

After the successfull processes of three way handshake, and after the user (honeypot) sends his NickName, if the botnet accept the user, he send him some statistics. By looking with Ethereal at the IRC layer of packets number 35806 and 35807, we get the following informations:

:irc5.aol.com 001 rgdiuggac :Welcome to the Internet Relay Network rgdiuggac
:irc5.aol.com 002 rgdiuggac :Your host is irc5.aol.com[irc5.aol.com/6667], running version 2.8/hybrid-6.3.1
NOTICE rgdiuggac :*** Your host is irc5.aol.com[irc5.aol.com/6667], running version 2.8/hybrid-6.3.1
:irc5.aol.com 003 rgdiuggac :This server was created Sun Jan 19 2003 at 19:04:03 PST
:irc5.aol.com 004 rgdiuggac irc5.aol.com 2.8/hybrid-6.3.1 oOiwszcrkfydnxb biklmnopstve
:irc5.aol.com 005 rgdiuggac WALLCHOPS PREFIX=(ov)@+ CHANTYPES=#& MAXCHANNELS=20 MAXBANS=25 NICKLEN=9 TOPICLEN=120 KICKLEN=90 NETWORK=XNet CHANMODES=be,k,l,imnpst EXCEPTS KNOCK MODES=4 :are supported by this server
:irc5.aol.com 251 rgdiuggac :There are 0 users and 4752 invisible on 4 servers
:irc5.aol.com 252 rgdiuggac 1 :IRC Operators online
:irc5.aol.com 254 rgdiuggac 4 :channels formed
:irc5.aol.com 255 rgdiuggac :I have 346 clients and 1 servers
:irc5.aol.com 265 rgdiuggac :Current local users: 346 Max: 348
:irc5.aol.com 266 rgdiuggac :Current global users: 4752 Max: 4765
:irc5.aol.com 250 rgdiuggac :Highest connection count: 349 (348 clients) (378 since server was (re)started)
:irc5.aol.com 375 rgdiuggac :- irc5.aol.com Message of the Day -
:irc5.aol.com 372 rgdiuggac :- - WELCOME TO AMERICA ONLINE'S - IRC SERVER
:irc5.aol.com 372 rgdiuggac :-
:irc5.aol.com 372 rgdiuggac :- - !!! WARNING WARNING WARNING WARNING !!!
:irc5.aol.com 372 rgdiuggac :- - !!! THIS SERVER SCANS FOR OPEN PROXIES !!!
:irc5.aol.com 372 rgdiuggac :- - !!! PORTS: 8080,3128,80,1080,23 !!!
:irc5.aol.com 372 rgdiuggac :- - So if this is a legal problem in your
:irc5.aol.com 372 rgdiuggac :- - country please disconnect NOW!
:irc5.aol.com 372 rgdiuggac :- - We do this to make your IRC experience
:irc5.aol.com 372 rgdiuggac :- - more enjoyable.
:irc5.aol.com 376 rgdiuggac :End of /MOTD command.
:rgdiuggac MODE rgdiuggac :+i

According to this response there are 346 client which are actually coonected to the server 209.196.44.172. this server has a maximum capacity equal to 348 users.

From the response, we also notice that the maximum global users of the botnet is equal to 4765. Assuming that each botnet host has a 56 kbps network link, the aggregate bandwidth of the botnet will be equal (based of the maximum capacity) to 56*4765/1024 = 260.585 Mb/s.

Snort installation

We choosed to run the original sotm27 tcpdump file through snort and see what comes up. Since snort has many attack signatures, we may get the list of IP address attacking the honeypot, and their attack ID.

After installing the snort, and disabling all the commented rules and preprocessors in the snort.conf file, we execute the following command:

$ snort -r sotm27 -c /etc/snort/snort.conf

Examining the resultant alert file in /var/log/snort shows only 56 alerts, most of them are related to the "MS-SQL Worm propagation attempt" alert. and some "spp_portscan". But there are no alert related to IIS attack (like cmd.exe), or SMB attack (like null session).

We try to disactivate the stream reassembly by commenting the two preprocessors: stream4_reassemble, and stream4: detect_scans, disable_evasion_alerts. By running now the same previous command, the logged alerts number incresed to 900. It contains now the major IIS attacks, but not the SMB attacks.

We try to look at the netbios.rules file, this file seems to be not adequate for netbios traffic on Win2k, in fact in older version of windows (95, 98, Me ,and NT), SMB shares run on netbios over 137/TCP, 138/UDP, 139/TCP however, in later version of windows (2000, XP) it is possible to run SMB over TCP/IP on port 445/TCP.

We tried to change all the 137 port number in netbios.rules file to 445, but there is no impact and no SMB attack was detected by snort. In fact the chnaging 137 to 445 in netbios.rules is not sufficient. We need also change the payload field, so to detetect SMB attack, we try to analyse the sotm27 file manually.

Successfull attacks

Looking at the honeynet traffic just before it established his IRC communication, reveals the 61.111.101.78 ip address, so probablity this address is suspect to have attacked the honeypot.

Through this paragraph, we will try to trace the malicous activity of the 61.111.101.78 machine, wich expoited the null session attack, we applied the following filter on Ethereal: "tcp.addr == 61.111.101.78"

tcp/445 and tcp/139 probe to see if service is available

1 0.000000 61.111.101.78 -> 172.16.134.191 TCP 4614 > microsoft-ds [SYN] Seq=1613186151 Ack=0 Win=64240 Len=0
2 0.000857 172.16.134.191 -> 61.111.101.78 TCP microsoft-ds > 4614 [SYN, ACK] Seq=3333953826 Ack=1613186152 Win=17520 Len=0
3 0.176251 61.111.101.78 -> 172.16.134.191 TCP 4614 > microsoft-ds [ACK] Seq=1613186152 Ack=3333953827 Win=64240 Len=0
4 0.187157 61.111.101.78 -> 172.16.134.191 TCP 4614 > microsoft-ds [FIN, ACK] Seq=1613186152 Ack=3333953827 Win=64240 Len=0
5 0.187871 172.16.134.191 -> 61.111.101.78 TCP microsoft-ds > 4614 [FIN, ACK] Seq=3333953827 Ack=1613186153 Win=17520 Len=0
6 0.366833 61.111.101.78 -> 172.16.134.191 TCP 4614 > microsoft-ds [ACK] Seq=1613186153 Ack=3333953828 Win=64240 Len=0
7 102.073493 61.111.101.78 -> 172.16.134.191 TCP 1695 > microsoft-ds [SYN] Seq=1679902750 Ack=0 Win=64240 Len=0
8 102.078759 172.16.134.191 -> 61.111.101.78 TCP microsoft-ds > 1695 [SYN, ACK] Seq=3359397673 Ack=1679902751 Win=17520 Len=0
9 102.084257 61.111.101.78 -> 172.16.134.191 TCP 1696 > netbios-ssn [SYN] Seq=1679947992 Ack=0 Win=64240 Len=0
10 102.084260 172.16.134.191 -> 61.111.101.78 TCP netbios-ssn > 1696 [SYN, ACK] Seq=3359456153 Ack=1679947993 Win=17520 Len=0
11 102.241685 61.111.101.78 -> 172.16.134.191 TCP 1695 > microsoft-ds [ACK] Seq=1679902751 Ack=3359397674 Win=64240 Len=0

Create Server Message Block - SMB Connection

12 102.251656 61.111.101.78 -> 172.16.134.191 SMB Negotiate Protocol Request
13 102.253383 172.16.134.191 -> 61.111.101.78 SMB Negotiate Protocol Response
14 102.262046 61.111.101.78 -> 172.16.134.191 TCP 1696 > netbios-ssn [RST] Seq=1679947993 Ack=1679947993 Win=0 Len=0
15 102.431644 61.111.101.78 -> 172.16.134.191 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
16 102.434942 172.16.134.191 -> 61.111.101.78 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
17 102.611836 61.111.101.78 -> 172.16.134.191 SMB Session Setup AndX Request, NTLMSSP_AUTH
18 102.620644 172.16.134.191 -> 61.111.101.78 SMB Session Setup AndX Response

Create Null Session to IPC$

19 102.791769 61.111.101.78 -> 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\IPC$
20 102.793296 172.16.134.191 -> 61.111.101.78 SMB Tree Connect AndX Response

Connect to \samr path to enumerate system info

21 102.960481 61.111.101.78 -> 172.16.134.191 SMB NT Create AndX Request, Path: \samr
22 102.963368 172.16.134.191 -> 61.111.101.78 SMB NT Create AndX Response, FID: 0x4001
23 103.130071 61.111.101.78 -> 172.16.134.191 DCERPC Bind: call_id: 1 UUID: SAMR
24 103.131578 172.16.134.191 -> 61.111.101.78 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
25 103.300247 61.111.101.78 -> 172.16.134.191 SAMR Connect4 request
26 103.302755 172.16.134.191 -> 61.111.101.78 SAMR Connect4 reply

Get list of domain names - returned: 'PC0191'

27 103.480159 61.111.101.78 -> 172.16.134.191 SAMR EnumDomains request
28 103.498780 172.16.134.191 -> 61.111.101.78 SAMR EnumDomains reply

Lookup System ID (SID) for 'PC0191'

29 103.660276 61.111.101.78 -> 172.16.134.191 SAMR LookupDomain request
30 103.662108 172.16.134.191 -> 61.111.101.78 SAMR LookupDomain reply

Open that domain

31 103.840523 61.111.101.78 -> 172.16.134.191 SAMR OpenDomain request
32 103.842074 172.16.134.191 -> 61.111.101.78 SAMR OpenDomain reply

List usernames

33 104.020685 61.111.101.78 -> 172.16.134.191 SAMR QueryDispinfo request
34 104.034611 172.16.134.191 -> 61.111.101.78 SAMR QueryDispinfo reply[Malformed Packet]
35 104.210596 61.111.101.78 -> 172.16.134.191 SMB Read AndX Request, FID: 0x4001, 236 bytes at offset 0
36 104.211396 172.16.134.191 -> 61.111.101.78 SMB Read AndX Response, FID: 0x4001, 236 bytes

Close of /samr

37 104.381599 61.111.101.78 -> 172.16.134.191 SAMR Close request
38 104.384730 172.16.134.191 -> 61.111.101.78 SAMR Close reply
39 104.550843 61.111.101.78 -> 172.16.134.191 SAMR Close request
40 104.553312 172.16.134.191 -> 61.111.101.78 SAMR Close reply
41 104.720790 61.111.101.78 -> 172.16.134.191 SMB Close Request, FID: 0x4001
42 104.722087 172.16.134.191 -> 61.111.101.78 SMB Close Response
43 104.941157 61.111.101.78 -> 172.16.134.191 SMB Logoff AndX Request
44 104.941987 172.16.134.191 -> 61.111.101.78 SMB Logoff AndX Response
45 105.121262 61.111.101.78 -> 172.16.134.191 SMB Tree Disconnect Request
46 105.122108 172.16.134.191 -> 61.111.101.78 SMB Tree Disconnect Response
47 105.300948 61.111.101.78 -> 172.16.134.191 TCP 1695 > microsoft-ds [FIN, ACK] Seq=1679905006 Ack=3359400705 Win=63603 Len=0
48 105.301692 172.16.134.191 -> 61.111.101.78 TCP microsoft-ds > 1695 [FIN, ACK] Seq=3359400705 Ack=1679905007 Win=16754 Len=0
49 105.459378 61.111.101.78 -> 172.16.134.191 TCP 1695 > microsoft-ds [ACK] Seq=1679905007 Ack=3359400706 Win=63603 Len=0
50 105.561429 61.111.101.78 -> 172.16.134.191 TCP 1697 > microsoft-ds [SYN] Seq=1680833316 Ack=0 Win=64240 Len=0
51 105.572145 61.111.101.78 -> 172.16.134.191 TCP 1698 > netbios-ssn [SYN] Seq=1680879914 Ack=0 Win=64240 Len=0
52 105.608447 172.16.134.191 -> 61.111.101.78 TCP microsoft-ds > 1697 [SYN, ACK] Seq=3360338616 Ack=1680833317 Win=17520 Len=0
53 105.608475 172.16.134.191 -> 61.111.101.78 TCP netbios-ssn > 1698 [SYN, ACK] Seq=3360373591 Ack=1680879915 Win=17520 Len=0
54 105.779545 61.111.101.78 -> 172.16.134.191 TCP 1697 > microsoft-ds [ACK] Seq=1680833317 Ack=3360338617 Win=64240 Len=0

Establish a new SMB connection

55 105.789455 61.111.101.78 -> 172.16.134.191 SMB Negotiate Protocol Request
56 105.789456 61.111.101.78 -> 172.16.134.191 TCP 1698 > netbios-ssn [RST] Seq=1680879915 Ack=1680879915 Win=0 Len=0
57 105.791120 172.16.134.191 -> 61.111.101.78 SMB Negotiate Protocol Response
58 105.970080 61.111.101.78 -> 172.16.134.191 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
59 105.972028 172.16.134.191 -> 61.111.101.78 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
60 106.140038 61.111.101.78 -> 172.16.134.191 SMB Session Setup AndX Request, NTLMSSP_AUTH
61 106.144322 172.16.134.191 -> 61.111.101.78 SMB Session Setup AndX Response

Create Null Session to ADMINS$, it is probablity that there is no need to brute force the username list.

62 106.320012 61.111.101.78 -> 172.16.134.191 SMB Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$
63 106.324468 172.16.134.191 -> 61.111.101.78 SMB Tree Connect AndX Response

session is successfully established, pushing the PSEXESVC.EXE

This file permit to executes programs remotely on Windows NT, 2000 and XP systems to perform various tasks like: launching interactive command-prompts, remotely enabling tools like IpConfig, executing processes on other systems.

64 106.519936 61.111.101.78 -> 172.16.134.191 SMB NT Create AndX Request, Path: \System32\PSEXESVC.EXE
65 106.547098 172.16.134.191 -> 61.111.101.78 SMB NT Create AndX Response, FID: 0x4001

.
.
.
pushing the inst.exe which installs the remote access VNC application.

462 132.784358 61.111.101.78 -> 172.16.134.191 SMB NT Create AndX Request, Path: \System32\inst.exe
463 132.793696 172.16.134.191 -> 61.111.101.78 SMB NT Create AndX Response, FID: 0x4008

.
.

After executing these files the honeypot has immediately joined the botnet.

This attack may have been initiated and exploited by a worm, for example W32/Deloder is a worm example that try to install and execute the inst.exe and psexesvc.exe file, the http://archives.neohapsis.com/archives/snort/2003-03/0419.html site deels with this kind of worm.

Other successfull attacks

By the same way the IP address 210.22.104.101 is doing a successfull attack by exploiting the null session attack, trying to brute force attack on SMB, and then successfully installing the r_server.exe, raddrv.dll, admdll.dll:

478 56.441692 210.22.204.101 -> 172.16.134.191 SMB NT Create AndX Request, Path: \WINNT\System32\r_server.exe
730 62.827716 210.22.204.101 -> 172.16.134.191 SMB NT Create AndX Request, Path: \WINNT\System32\raddrv.dll
769 64.689656 210.22.204.101 -> 172.16.134.191 SMB NT Create AndX Request, Path: \WINNT\System32\admdll.dll

According to http://www.radmin.com/solutions/enterprise/push.html, thses files are used to remotely install and update applications

Some other attacks are related to netbios session and issued from the following address: 195.36.247.77 and 66.139.10.15 to gather sharing informations,the seconf has also tried to brute force system users accounts succeeded but the second has failed. The other addresses 80.181.116.202, 209.45.125.69, 129.116.182.230, 61.111.101.78, and 66.8.163.125 have exploited the null session vulnerability and tried to create a pipe over which command can be passed (Create \srvsvc) if this pipe is established, the attacker issue the share enumerate command and SMB server respond with the unicode names of all the shares on the system, including the "hidden" administrative shares.

Some other ip address are trying to connect to the honeypot, and access to the shared drive C. This attack is explained trough the following steps:

Some other attacks are related to IIS microsoft web server. we used snort_stat.pl perl script to parse the snort log file, we issued to following command:

$ snort_stat -d -f -h /var/log/snort/alert > snort_alerts.html

These address have issued some web-IIS attacks.

24.197.194.106

210.22.104.101

66.8.163.125

The issued attacks are: liked in this file.

Some aother address has been repoted by snort as a source of MS-SQL wrom propagation attempt

The 24.197.194.106 has also issued an spp_protscan.

Tools

tcpdump
ethereal
file
cat
snort
snort_stat