Scan of the Month Challenge - Scan 23

The Challenge:

Members from the South Florida Honeynet team manually generated five different types of portscans from the Internet to a single honeypot. These are not portscans captured from the wild. The term "the wild" is used to describe any host we don't know about outside of our network. In other words, any host other than our own connected to the Internet involved in reconnaissance, an intrusion, and/or system compromise is a system in the wild. During each scan, our network intrusion detection sensor captured each scan and saved it to a binary log file. We used snort to capture each scan in tcpdump format. It's important to note that tcpdump and snort use the libpcap library to capture and store packets from off the wire. So you can learn more about the packet capture technologies used to capture the portscans during this challenge, we have provided links to help get you on the right foot. It is up to you-the beginner analyst-to pull the binary file into a packet decoder such as tcpd u! mp, or ethereal to analyze each scan. Your mission, if you choose to accept it is to answer the questions below the best that you can.


What is a binary log file and how is one created?
A binary log file like the one for this challenege is created by apps like tcpdump/ethereal or as in this case, Snort. Saving the network captures in binary is easier on the space and so thats the format used.
What is MD5 and what value does it provide?
MD5 is a way to verify data integrity. What it does, to quote the executive summary of rfc1321, is: [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
In this case, MD5 is used to verify the integrity of the downloaded log file.
Unofficial MD5 homepage
What is the attacker's IP address? (Although this could very easily be spoofed)
What is the destination IP address?
We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?
  1. ICMP echo requests: An ICMP ECHO request is sent to the targetted system. If an ICMP ECHO reply is received, it means that the destination is alive.
  2. TCP ACK "ping" to port 80: The client sends a TCP ACK packet to the destination.
  3. Half-open SYN TCP flag scanning: A SYN packet is sent to the target system to open a TCP connection at the specified port. If the destination reponds with RST/ACK, the port is closed and if the destination reponds with SYN/ACK the port is open. If SYN/ACK is received, RST is still sent to close the connection. This is done to evade some logging mechanisms as the connection is never completed. This scan is done for all ports from 1 to 64K in this example of port scanning.
  4. TCP NULL scan: If a TCP probe packet with no flags set is sent to a closed port, a RST/ACK packet is recieved, whereas if the port is open no reponse is received. In this case, this scan is only done for select random (I guess!) ports between 1 and 64K. Null scans can also be used for identifying OSes. If one scans using NULL or XMAS probes (XMAS is described shortly) and the results show that all ports are closed, while SYN probes show that there are open ports then the destination is one of Windows, CISO, BSDI, HP/UX, MVS, IRIX. As they have a broken TCP/IP stack implementation and they send RST for open ports as well.
  5. XMAS probe with FIN, PSH and URG flags set: The response of a correct implementaion should be similar as that for the NULL scan. The source IP is spoofed for this probe.

An inverse UDP scan is also done once in between.
XMAS and NULL scan's are examples of stealth scanning techniques (avoid logging systems) and are also helpful in fingerprinting the destination OS.
Ofir Arkin's paper on network scanning techniques
Which scanning tool was used to scan our honeypot? How were you able to determine this?
nmap - the characteristics that point out to the same are the inital echo ICMP packet followed by an ACK to port 80 and then normal SYN TCP port scans. This is typical of nmap. NMAP is also capable of all the scanning methods found in the log.
NMAP homepage (cool paper on OS fingerprinting by Fyodor)
What is the purpose of port scanning?
To identify whether a host is alive, which services are being run on the host (i.e.; which ports are open), the operating system of the scanned host.
What ports were found open on our honeypot?
22, 111, 32768, 80, 443, 53
based on SYN probing.. these ports return a SYN/ACK and so are guaranteed to be open.
What operating system was the attacker using?
The windows size, TTL values, TOS, DF bit, etc do not help much in identifying the attacker host as they vary throughout the session. TTL values vary between 38 and 64 indicating towards one of those OS'es which have TTL values 64 (refer to the Passive Fingerprinting test database on but the window sizes aren't consistent. A possibility could be that the port scanner tool - nmap in this case, changes these values to prevent Passive Fingerprinting. The attacked host seems to be a Solaris due to the TTL value of 255.
Vivek Sharma