
Reverse Challenge, May-2002

Bo Adler

BSI, www.fastcoder.net

Brad Threatt

BSI, www.fastcoder.net

Table of Contents
Listing of Files Submitted
Timestamp Information for Submission
Executive Summary of Incident
Advisory
Analysis
Answers
Estimate of Incident Cost

Listing of Files Submitted

Table 1. Core Files of Submission

File            Contents
index.html      This file, listing all files submitted.
timestamp.html  Digital timestamp for this submission.
summary.html    Non-technical summary.
advisory.html   Technical summary.
analysis.html   Procedure used during investigation.
answers.html    Answers to Honeynet questions.
costs.html      Estimate of cost to analyze and document this incident.
Makefile        A makefile used during the process of creating the submission and timestamping it.
README          Describes the useful targets in Makefile.
timestamp.pl    A Perl script to automate the process of getting a digital timestamp for our submission. Once the timestamp is received by email, this script is used to merge it into timestamp.html. It is also able to verify this information.

The following files are included in files.tar. They were generated during the analysis process.

Table 2. Files Generated During Analysis

File                          Contents
strings.txt                   The output from strings when run on the-binary.
strace-1                      Output from strace while running the-binary.
strace-1.9741                 Output from strace while running the-binary (child process, PID 9741).
strace-1.9742                 Output from strace while running the-binary (child process, PID 9742).
strace-1.9742.1               Output from strace while running the-binary (child process, PID 9742, continued).
the-binary.dress              Output from dress, to add symbol information for known library functions.
the-binary.dress.objdump      Disassembly of the-binary.dress.
the-binary.dress.rec          A decompilation of the-binary.dress into pseudo-C.
the-binary.objdump            A disassembly of the-binary.
the-binary.rec                A decompilation of the-binary into pseudo-C.
the-binary.rec-processed      First pass at improving the readability of the output from REC, by rewriting sections of code.
the-binary.rec-processed.2    Second pass at improving the readability of the output from REC. Converted the jump table into a more traditional switch statement.
the-binary.rec-processed.3    Third pass at improving the readability of the output from REC. Rewrote more sections of code, concentrating on the commands in the switch statement.
sendraw.c                     Program modeled after the function within the-binary, to send packets of protocol 11 to a running instance of the-binary.
sendcmd.c                     An improvement over sendraw.c, to send packets of protocol 11 using the encryption supported by the-binary. Only packets of command 1 (status report) are really supported.
sniffer                       A Perl script which uses the libpcap library to read in packet dumps, and decodes packets sent by both the client and server.
sniffer-output.txt            Output from sniffer when run on the snort capture file provided by the Honeynet Project.
Makefile                      A makefile to build sendraw.c, sendcmd.c, and sniffer.
note.gif                      Images used in this document.
tip.gif
warning.gif