This document contains the analysis of the September scan. This is the first ever "beginners" Scan of The Month challenge.

Tools used

* nmap (http://www.insecure.org/nmap/)
* ethereal (http://www.ethereal.com/)
* ettercap (http://ettercap.sourceforge.net)

Before starting ...

Analysis was performed on a RedHat 7.2 machine.To begin the analysis, first it was necessary to download the gzipped archive, verify data integrity, then extract from the compressed archive:

1)Download and check md5 with web site

[bob@bob ~/reverse]$ md5sum sotm23.tar.gz
9d28c5ee9ce7b77e3099a07ad303811f  sotm23.tar.gz
The web site project.honeynet.org pages have the same MD5 (sotm23.tar.gz) = 9d28c5ee9ce7b77e3099a07ad303811f checksum. This means that gzipped tar archive that we downloaded was not modified during transmission and that will analyze the correct data (data integrity). This checksum doesn' t prove that the data is really coming from the honeynet project.  For this we would require a signed binary issued by a certificate authority that we can trust, i.e Verisign. Of course is possible that someone has modified the binary log file and the web page pages.

2) Verify archive

Before extracting any archive, I always check the content of the archive. I don't want to extract have archived with a full qualified path and overwrite some other files.
[bob@bob ~/reverse]$ tar tvf sotm23.tar
-rw------- root/root  11998444 2002-08-27 02:27:32 [email protected]
-rw-r--r-- root/root        52 2002-08-27 02:30:58 [email protected]
OK we can extract !

3) Extract and check archive

[bob@bob ~/reverse]$ tar xvf sotm23.tar
[bob@bob ~/reverse]$ cat [email protected]
0ce142f18c23d9ab00f992a57ad097d4  [email protected]
[bob@bob ~/reverse]$ md5sum [email protected]
0ce142f18c23d9ab00f992a57ad097d4  [email protected]
This proves us that the data integrity of the file is not compromised or altered by someone.


1.What is a binary log file and how is one created?

The binary log file is a file that contains log informations and is saved in a binary format. The content of a binary log file can't be read with a normal editor, but with a program that can read the format. In our special case the binary log file is a tcpdump binary log.

We can probe this by entering following command:

file [email protected]
[email protected]: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)
We can create the tcpdump capture file in different ways, for example directly listening on your network interface (tcpdump -w /tmp/output) or with the snort -r option (or snort.conf output log_tcpdump: snort.log).

Snort or tcpdump are the programs used for creating the 63832 packet log file and the best way to analyze them is by using Snort or ethereal. For this log I personally prefer ethereal, because we'll have an easily overview of scans. With Snort we could analyze the content as follow

snort -r [email protected] -v -X -l . The command with ethereal is

ethreal [email protected]

2.What is MD5 and what value does it provide?

An MD5 checksum that can probe the data integrity of the file. It's not possible, as far as I know, to modify the content or the attributes of a file without modifying the MD5 checksum.

From Cert: UNIX Security Checklist v2.0 (http://www.cert.org/tech_tips/usc20_full.html)
MD5 is a message digest algorithm. Tools to verify MD5 checksums are included with many current operating systems, for example md5(1) (FreeBSD) or md5sum (Linux). Otherwise, an implementation of MD5 is available via anonymous FTP from: ftp://coast.cs.purdue.edu/pub/tools/unix/crypto/md5/

3.What is the attacker's IP address?

MAC: 00:10:a4:c5:7c:38 Xircom NIC
The MAC address contains the value of the latest hub that the packet traversed. Generally you can't use this information, but in this simple binary log I think that this is the real MAC address of the attacked/attacker

4.What is the destination IP address?

MAC: 00:60:08:a8:61:24  3Com NIC

Both are RFC 1918 private address range. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks:        -  (10/8 prefix)      -  (172.16/12 prefix)     - (192.168/16 prefix)

5.We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?

Sometimes the scan sequence is started with following 4 packets: > icmp: echo request > icmp: echo reply > . ack 2866936176 win 4096 > R 2866936176:2866936176(0) win 0 (DF)

You can insert the icmp filter in the ethereal field and then you'll find out some beginning and the end of the some types of  scans:

Ethereal filter icmp

Packet number
1 > icmp: echo request
2 > icmp: echo reply
148007 > icmp: echo request
148008 > icmp: echo reply
150655 > icmp: udp port tcpmux unreachable [tos 0xc0]
150753 > icmp: echo request
150754 > icmp: echo reply
153165 > icmp: udp port tcpmux unreachable [tos 0xc0]
155847 > icmp: udp port tcpmux unreachable [tos 0xc0]
155987 > icmp: echo request
155988 > icmp: echo request
155989 > icmp: echo request
155990 > icmp: echo request

5.1 TCP SYN scan: This technique is often  referred  to as  "half-open"  scanning, because you don't open a full TCP connection. You send a SYN packet,  as  if you  are  going  to  open a real connection and you wait for a response. A SYN|ACK indicates  the  port is  listening.If a SYN|ACK is received, a RST is immediately sent to tear down the connection.
Example packet #: 18331

For checking this the best way is to create an Ethereal filter:

(ip.addr eq and ip.addr eq and (tcp.port eq 52198)
and (tcp.flags.syn==1) and (tcp.flags.ack==1)
5.2 TCP connect() scan: This is the most basic form  of TCP scanning. The connect() system call provided by your operating system is used to open a  connection to  every  interesting  port on the machine. If the port is listening, connect() will  succeed,  otherwise the port isn't reachable
Example packet #:150383

5.3 The Null scan turns off all flags, Sequence number 0 , Ack 0  and all TCP flags = 0
This scan is starting from packet  148007
Example packet :148011

5.4 Stealth  FIN  scan  uses  a bare (surprise) FIN packet as the probe
Example packet #:150639

5.5 Xmas Tree scan modes turns on the FIN, URG, and PUSH flags
Example packet #:158068

6.Which scanning tool was used to scan our honeypot? How were you able to determine this?

Nmap (http://www.insecure.org/nmap/) and ping scanning:
If you check the first four packets you'll see a ICMP ping request and a TCP ack packet to port 80. If we get an RST back, that machine is  up. This is the default behavior of nmap and ping scanning. (s. man pages).
Other sign of the usage of nmap, is the behavior of some TCP/IP settings: no default TTL, window size,...

7.What is the purpose of port scanning?

The purpose of a port scanning is to determine which hosts are up and what services they are offering. This is generally speaking the first step for an attacker (information gathering). After you'll found out what services and  versions you're running you download the correct exploits and you probably get in the server sooner or later ...

8.What ports were found open on our honeypot?

Is used following filter in ethereal (TCP)

(ip.src eq and (tcp.flags.syn eq 1) and (tcp.flags.ack eq 1)

ssh (22)
sunrpc (111 portmapper)
32768 (generally rpc.stad)
http (80)
https (443)
domain (53)

Is used following filter in ethereal (UDP)

(ip.src eq and (ip.proto eq 17)

OPEN PORTS  (udp)   : NONE

9.Bonus Question: What operating system was the attacker using?

This is probably the most difficult question, because nmap spoof the TCP/IP settings. I supposed from the start that the attacker was a Linux box., but I could not found a 100% certitude of my assumptions.
Interesting reading about this subject are:

* http://www.insecure.org/nmap/nmap-fingerprinting-article.txt (for active OS fingerprint)
* http://www.stearns.org/p0f/index.html (for passive OS fingerprint)

One can can suppose that we have a Linux server after the first SYN/ACK packet received (example packet number 18332)

IP header
TTL = 64

TCP header
Window size = 5840
Maximum Segment Size = 1460
Options= set MSS,timestamps sack OK Wscale and 1 NOP
Packet length = 60

I also used the ettercap (http://ettercap.sourceforge.net) tool with option -T

ettercap -T [email protected]

and suggestion is Linux 2.4.0 - Linux 2.4.18 for the attacker and the the same for the attacked server.

Boris Bellorini; Dipl. Inf; Consultant; eSecurity
 _____    _             _ _        _   ___
|_   _| _(_)_ ____ _ __| (_)___   /_\ / __|
  | || '_| \ V / _` / _` | (_-<  / _ \ (_ |
  |_||_| |_|\_/\__,_\__,_|_/__/ /_/ \_\___|