Challenge Analysis

By: Michael Capp

March 31, 2003

 

The Challenge

In early March 2003, the Azusa Pacific University Honeynet Project deployed an unpatched Windows 2000 honeypot having a null (blank) administrative password.  During its first week of operation, the honeypot was repeatedly compromised by attackers and worms exploiting several distinct vulnerabilities.  Subsequent to a successful attack, the honeypot was joined to a large botnet.  The challenge is based on logs from five days of honeypot operation, collected using Snort.  The logs have been edited to remove irrelevant traffic and combined into a single file.  Also, IP addresses and certain other information have been obfuscated so that the identity of the honeynet is not readily apparent.  Your mission is to analyze the log file in order to answer the questions below.

 

Binary Verification:

Original

:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9

Download (Win)

:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9 (See Figure 1.0)

Download (Linux)

:MD5 (sotm27.gz) = b4bfc10fa8346d89058a2e9507cfd9b9 (See Figure 1.1)

           

            Figure 1.0:

 

           

 

Figure 1.1:

 

[email protected] mcapp $ md5sum sotm27.gz

b4bfc10fa8346d89058a2e9507cfd9b9  sotm27.gz

[email protected] mcapp $

 

 

TABLE OF CONTENTS

 

The Challenge. 1

Questions. 2

Beginning Questions. 2

1.      What is IRC?. 2

2.      What message is sent by an IRC client when it asks to join an IRC network?. 3

3.      What is a botnet?. 3

4.      What are botnets commonly used for?. 3

5.      What TCP ports does IRC generally use?. 3

6.      What is a binary log file and how is one created?. 4

7.      What IRC servers did the honeypot, which has the IP address of 172.16.134.191, communicate with?  4

8.      During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?. 4

9.      Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?  5

Intermediate Questions. 5

1.      What IP source addresses were used in attacking the honeypot?. 5

2.      What vulnerabilities did attackers attempt to exploit?. 5

3.      Which attacks were successful?. 6

General Questions. 18

1.      What did you learn about analysis as a result of studying this scan?. 18

2.      How do you anticipate being able to apply your new knowledge and skills?. 18

3.      How can we improve the SotM challenge?  What would you like to see added?  What would like you like to see done differently?. 18

 

 

Questions      

 

1.     What is IRC?

 

Internet Relay Chat (“IRC”) is a client/server-based chat system first started in August 1988 by Jarkko Ouikarinen.  In order to use IRC, a client is required that sends and receives messages from an IRC server; this can be as simple as a standard telnet client.  The IRC server is responsible for ensuring messages are broadcast to those participating in the joined discussion(s).  Following are several terms that are common with IRC usage:

 

Term

Definition

Channel

‘Rooms’ or categorized chat areas where people gather to chat.

DCC

Direct link between clients commonly used to transfer files back and forth on IRC.

IRCops

Net or Server operators.  They share responsibility to ensure servers are functioning properly and users “behave”.

Lags & Splits

Splits happen when one or more servers are overloaded and users get bumped off.  Lags occur when there are significant delays in transmitting messages between networks.

Nick

Nickname, handle, or pseudonym used instead of real names.

Ops & Operators

Users with administrative authority over a channel or multiple channels that can perform various moderator-type commands.

 

 

2.     What message is sent by an IRC client when it asks to join an IRC network?


In relation to the packet captures, the first sessions originated with packet 35748 where the IRC server attempts to identify the honeypot via the IDENTification protocol (RFC1413).

 

Response Line: NOTICE AUTH : *** Looking up your hostname…

Response Line: NOTICE AUTH : *** Checking Ident

Response Line: NOTICE AUTH : *** No Ident response.

 

The purpose of IDENT is to attempt verification of the source of the connection.  When a connection is made, an ident capable service queries the client on port 113 to determine the user that opened the TCP socket.  If the client is running a properly configured IDENT daemon, an appropriate response would be returned to the server’s request.

 

Following the IDENT request, in packet 35753, a request is sent from the attacker or bot to the IRC server providing the nickname or pseudonym that the attacker or bot wanted to initially use:

 

            Request Line: NICK eohisou

            Request Line: USER eohisou localhost localhost : eohisou

 

See Appendix A for the complete logs retrieved from the attacker’s IRC session.

 

3.     What is a botnet?

 

In order to understand the purpose of a botnet, it is important to understand the basic functionality of a bot, or roBOT.  A bot is a computer program that works in conjunction with IRC and performs various functions.  Several bots serve a legitimate purpose; to perform such tasks as: keeping channels open if no users are present, protect against net-split attacks, enforce bans/channel security, etc.

 

      Botnets are a collective group of individual bots that typically are the result of a Trojan or strategically placed bot on an individual or company computer.

 

 

4.     What are botnets commonly used for?

 

In practice, botnets can act as Trojans, luring the typical home user to run a script, visit a website, or run an infected program that can potentially add their computing power to this collective.  Collectively, botnets can be used to perform large distributed denial of service attacks, channel attacks, net splits, or any number of programmatic functions that the bot was designed to perform.

 

 

5.     What TCP ports does IRC generally use?

 

RFC1459 does not specifically state reserved ports for use with the IRC Protocol, however, TCP ports 6665-6669 are reserved for IRC usage and it most IRC servers operate on port 6667.

 

 

6.     What is a binary log file and how is one created?

 

A binary log file is a file that is created that is unreadable as a standard text file and usually requires specific utilities to interpret or read the data in the file.  One substantial benefit is that binary log files are typically smaller than normal text files.  Many programs contain the ability to create binary log files and in several circumstances; this is configurable via the configuration file.  As an example:  Snort contains the ability to write to the tcpdump format by modifying the snort.conf file and including the line:

 

            Output log_tcpdump : snort.log

 

Additionally, by default, Linux logs information about users that have logged into the system to a binary log file.  It is kept up to date by utilities such as login and in.uccpd.  The data is viewable with tools such as last, lastb, who, and finger.

 

7.     What IRC servers did the honeypot, which has the IP address of 172.16.134.191, communicate with?

 

After specifying a filter in Ethereal to limit the Protocol traffic to IRC and the source IP to 172.16.134.191, it was determined that the honeypot communicated with the following three (3) IRC servers:

 

            63.241.174.144

            217.199.175.10

            209.196.144.172                        (irc5.aol.com)

 

8.     During the observation period, how many distinct hosts accessed the botnet associated with the server having IP address 209.196.44.172?

 

In order to determine the number of distinct hosts that form this botnet, the beginning IRC session was started and “Follow TCP Stream” was used within Ethereal.  The IRC stream was then saved into a text file and parsed to remove all excess information.  The following command on Linux was used to determine that 3,457 hosts were existent within this channel at that given moment:

 

            [email protected] mcapp $ wc –w challenge.txt

                        3457 challenge.txt

            [email protected] mcapp $

 

Similarly, parsing the file to reveal names in the channel on Microsoft Word reveals the same results:

 

 

9.     Assuming that each botnet host has a 56 kbps network link, what is the aggregate bandwidth of the botnet?

 

            Based upon the above assumption, the aggregate bandwidth of this botnet would meet or exceed, depending on actual available bandwidth per host:

           

                        193, 592 kbps,

                        193,592,000 bps,

                        ~194 Mbps –or-

                        the equivalent of approximately 126 T1’s, 4 T3/DS3’s, or 1 OC3 and 24 T1’s.

 

1.     What IP source addresses were used in attacking the honeypot?

 

      Please follow this link for a chart containing the source addresses and their associated attacks.     

 

2.     What vulnerabilities did attackers attempt to exploit?

 

      The following are specific vulnerabilities that were targeted and their possible related references:

 

     

Vulnerability

Reference

Microsoft Windows 2000 vulnerable to Denial of Service (“DoS”) via malformed packets sent to port 445/tcp.

http://www.kb.cert.org/vuls/id/693099

 

Hack’a’Tack Trojan

http://www.iss.net/security_center/advice/Intrusions/2001534/default.htm

Windows Shares

http://www.cert.org/advisories/CA-2003-08.html

 

 

            As you can see from the charter below, the most common attacks were related to Microsoft operating system flaws and vulnerabilities, a few of which were successfully exploited as you will see detailed in            Question 3.

 

 

 

 

3.     Which attacks were successful?

 

As noted by the RED in the chart, there were several successful attacks on this specific honeypot.  This link provides a detailed analysis of each attack listed

 

Attack 1 (Detailed Event Analysis)

 

03/03/2003 21:55:34          - Initial packets from 195.36.247.77 indicate someone specifically interested in NetBIOS/SMB ports 139 and 445 as well as any vulnerabilities that may exist on port 135 (DCE/RPC/EPMAP).

 

274

236844.901586

Attacker

Server

TCP

4768 > epmap  [SYN]  Seq=148910790  Ack=0  Win=16384  Len=0

275

236844.906655

Server

Attacker

TCP

epmap >4768   [SYN, ACK]  Seq=2453546201  Ack=148910790  Win=17040  Len=0

280

236846.003387

Attacker

Server

TCP

4792 > microsoft-ds  [SYN]  Seq=149838612  Ack=0  Win=16384  Len=0

281

236846.003395

Attacker

Server

TCP

4792 > netbios-ssn  [SYN]  Seq=149921138  Ack=0  Win=16384  Len=0

 

 

03/03/2003 21:55:36          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates anonymously and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: NULL

    User name: NULL

    Host name: LIO-UEA8YNL9UE1

    Native OS: Windows 2002 2600 (Windows XP)

    Native LAN Manager: Windows 2002 5.1

 

The attacker connects to the \SAMR path in order to enumerate the domain and user information.

 

315

236860.101949

Attacker

Server

SAMR

OpenDomain request, S-1-5-32

316

236860.104895

Server

Attacker

SAMR

OpenDomain reply

317

236861.346261

Attacker

Server

SAMR

EnumDomains request

318

236861.348643

Server

Attacker

SAMR

EnumDomains reply

321

236863.396376

Attacker

Server

SAMR

OpenDomain request, S-1-5-21-1229272821-706699826-1060284298

322

236863.398944

Server

Attacker

SAMR

OpenDomain reply

323

236864.566463

Attacker

Server

SAMR

EnumDomainUsers request

324

236864.584451

Server

Attacker

SAMR

EnumDomainUsers reply

325

236865.104455

Attacker

Server

SAMR

OpenUser request, rid 0x1f4

326

236865.107606

Server

Attacker

SAMR

OpenUser reply

 

In the above packet sequence, the following details indicate that the user has compromised the Administrator account and is successfully authenticated (some details intentionally left omitted for clarity):

 

[+] Frame 325 (194 bytes on wire, 194 bytes captured)

[+] Ethernet II, Src: 00:e0:b6:05:ce:0a, Dst: 00:05:69:00:01:e2

[+] Internet Protocol, Src Addr: 195.36.247.77 (195.36.247.77), Dst Addr: 172.16.134.191

[+] Transmission Control Protocol, Src Port: 4792, Dst Port: Microsoft-ds (445)

[+] NetBIOS Session Service

[+] SMB (Server Message Block Protocol)

[+] SMB Pipe Protocol

[+] DCE RPC

[-] Microsoft Security Account Manager

         Operation: OpenUser (34)

     [-] Policy Handle: OpenDomain(S-1-5-21-1229272821-70669826-1060284298)

                Context Handle: 0000000062D88CB5E74DD711B39D0005…

                Frame handle opened: 322

                Frame handle close: 387

         Access Mask: 0x0002011b

         Rid: 500

 

By default, the Administrator account has a RID of 500 unless the username has been changed.  In this case, the packet following the request (326) indicates the user has successfully authenticated as Administrator on this server.

 

Attacker Successfully Authenticates as the ‘Guest’ Account and Queries User Information

338

236871.159750

Attacker

Server

SAMR

OpenUser request, rid 0x1f5

339

236871.162867

Server

Attacker

SAMR

OpenUser reply

 

It is now clear that the attacker is accessing each user account in chronological order based upon the RID.  Based upon the information the attacker has retrieved, in addition to the Administrator and Guest account, three (3) additional user accounts exist that the attacker retrieved information on. 

 

03/03/2003 21:56:22          - Once the attacker has retrieved this information, he/she proceeds to disconnect from the tree and terminate the connection.

 

03/03/2003 21:56:28          - The attacker establishes a new connection and this time authenticates as Administrator.  Upon establishing administrative privileges, a path is created to \ADMIN$ and immediately following this request; the attacker terminates his/her session and does not return.

 

Conclusion: The entire session lasted approximately 43 seconds, therefore most likely a script was used in attempting to enumerate the accounts and retrieve all the information specified above.

 

 

Attack 2 (Detailed Event Analysis)

 

03/04/2003 04:17:52          - Initial packets from 66.139.10.15 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

 

03/04/2003 04:17:52          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: NULL

    User name: NULL

    Host name: GLITTER

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 04:17:53          - Next, a path is created to \SAMR in order to enumerate all of the domain information.  Once this information is retrieved, the attacker terminates the session.

 

469

259783.462836

Attacker

Server

SMB

Tree Connect AndX Request , Path: \\172.16.134.191\IPC$

470

259783.466199

Server

Attacker

SMB

Tree Connect AndX Response

471

259783.693027

Attacker

Server

SMB

NT Create AndX Request, Path: \samr

472

259783.696840

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4000

 

03/04/2003 04:17:54          - After negotiating a new SMB session, the first authentication attempt fails, but the second is successful.

 

506

259785.276297

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_NEGOTIATE

507

259785.276297

Server

Attacker

SMB

Session Setup AndX Response, NTLMSSP_NEGOTIATE,  Error: STATUS_MORE_PROCESSING_REQUIRED

508

259785.365752

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_AUTH

509

259785.381039

Server

Attacker

SMB

Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

 

After querying and retrieving group and user information, the attacker terminates his/her session.

 

03/04/2003 04:17:58          - Upon establishing another new session, the attacker attempts to authenticate using the Guest account.  After the initial fail; the account is disabled, however, the attacker continues an additional five (5) times to authenticate to this account.

 

576

259789.218588

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_NEGOTIATE

577

259789.220276

Server

Attacker

SMB

Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED

579

259789.308293

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_AUTH

580

259789.310615

Server

Attacker

SMB

Session Setup AndX Response, Error: STATUS_ACCOUNT_DISABLED

581

259789.387040

Attacker

Server

SMB

Logoff AndX Request

582

259789.388147

Server

Attacker

SMB

Logoff AndX Response, Error: Bad userid

 

03/04/2003 04:18:02          - After failing authentication attempts using the Guest account; the attacker now attempts to login to the ‘IUSR_PC0191’ account seven (7) times and fails.  Following this predictable behavior, the attacker attempts to login to the remaining accounts (IWAM_PC0191, TsInternetUser) for a total of seven (7) times, each of which fails. 

 

03/04/2003 04:18:09          - Attacker terminates the session after several authentication failures.

 

Conclusion: The entire session lasted approximately 43 seconds, therefore most likely a script was used in attempting to enumerate the accounts and retrieve all the information specified above.

 

Attack 3 (Detailed Event Analysis)

 

03/04/2003 16:43:26          - Initial packets from 216.170.214.226 indicate an attacker specifically looking for NetBIOS vulnerabilities on port 139.

 

03/04/2003 16:43:31          - Received packets indicating a successful “attack” or connection to NetBIOS services on port 139.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process was completed, the attacker attempts to make a path to \\PC0191\IPC$ from DISPATCH (their local NetBIOS name).  The attacker attempted to use (most likely due to lack of knowledge) their local machine account of DTMILWMANGE\DMMD to create this connection and fails.

 

    Attacker Observations:

    Domain Name: DTMILWMANGE

    User name: DMMD

    Host name: N/A

    Native OS: Windows 4.0

    Native LAN Manager: Windows 4.0

 

882

304521.725012

Attacker

Server

SMB

Session Setup AndX Request, User: DTMILWMANGE\DMMD: Tree Connect AndX, Path: \\PC0191\IPC$

883

304521.732667

Server

Attacker

SMB

Session Setup AndX Response, Error: Access denied

 

03/04/2003 16:43:31          - Access is denied and the attacker terminates the session.

 

Conclusion: The entire session lasted approximately 5 seconds and was most likely a very inexperienced attacker who gave up after the failed initial attempt.

 

Attack 4 (Detailed Event Analysis)

 

03/04/2003 21:38:10          - Initial packets from 210.22.204.101 indicate this attacker started probing the SQL Server port 1433.  It is interesting that three (3) different SYN packets were made from the same source port of 4242.  Further investigation indicates the “Virtual Hacking Machine” Trojan uses this as a destination port, but I believe this is unrelated in this case as the Trojan is for remote control and not remote attacks.  After the three probes on port 1433, further probes were made for open ports 139 and 445.

 

901

322200.877107

Attacker

Server

TCP

4242 > ms-sql-s  [SYN]  Seq=1716659376  Ack=0  Win=64240  Len=0

902

322200.883021

Server

Attacker

TCP

ms-sql-s > 4242  [RST, ACK]  Seq=0  Ack=1716659377  Win=0  Len=0

903

322201.616173

Attacker

Server

TCP

4242 > ms-sql-s  [SYN]  Seq=1716659376  Ack=0  Win=64240  Len=0

904

322201.622095

Server

Attacker

TCP

ms-sql-s > 4242  [RST, ACK]  Seq=0  Ack=1716659377  Win=0  Len=0

 

03/04/2003 21:38:14          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates as anonymous and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: NULL

    User name: NULL

    Host name: ST-111

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 21:38:15          - Next, a path is created to \SAMR in order to enumerate all of the domain information.

 

33237

412042.452703

Attacker

Server

SMB

NT Create AndX Request, Path: \samr

33238

412042.455590

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4001

33241

412042.792469

Attacker

Server

SAMR

Connect4 request, \\172.16.134.191

33242

412042.794977

Server

Attacker

SAMR

Connect4 reply

33243

412042.972381

Attacker

Server

SAMR

EnumDomains request

33244

412042.991002

Server

Attacker

SAMR

EnumDomains reply

33245

412043.152498

Attacker

Server

SAMR

LookupDomain request

33246

412043.154330

Server

Attacker

SAMR

LookupDomain reply

 

03/05/2003 21:38:17          - These requests are closed and another path is created to \SAMR in order to enumerate additional information.

 

966

322211.537960

Attacker

Server

SAMR

OpenDomain request, S-1-5-32

967

322211.539063

Server

Attacker

SAMR

OpenDomain reply

968

322211.784724

Attacker

Server

SAMR

LookupNames request

969

322211.787601

Server

Attacker

SAMR

LookupNames reply

 

03/05/2003 21:38:21          - The attacker opens the Administrator account in order to retrieve additional information about the honeypot.  At this point, the attacker is able to obtain member aliases, RIDs,  and groups.

 

970

322212.045185

Attacker

Server

SAMR

OpenUser request, rid 0x1f4

971

322212.047812

Server

Attacker

SAMR

OpenUser reply

972

322212.343680

Attacker

Server

SAMR

GetGroups request

975

322212.993266

Attacker

Server

SAMR

GetAliasMem request

982

322213.860621

Attacker

Server

SAMR

LookupRIDs request

 

03/04/2003 21:38:27          - This attacker now opens the next user, which happens to be the Guest account, and proceeds to retrieve additional information.

 

1012

322217.633301

Attacker

Server

SAMR

OpenUser request, rid 0x1f5

 

03/04/2003 21:38:32          - Now the attacker starts retrieving information on non-machine created accounts, RIDs 1000 (0x3e8), 1001 (0x3e9), and 1002 (0x3ea).

 

1049

322222.570546

Attacker

Server

SAMR

OpenUser request, rid 0x3e9

1090

322228.313571

Attacker

Server

SAMR

OpenUser request, rid 0x3ea

1127

322233.201322

Attacker

Server

SAMR

OpenUser request, rid 0x3e8

 

03/04/2003 21:38:45          - Once information is retrieved on all machine and non-machine accounts created on this honeypot, the attacker terminates the session.

 

03/04/2003 21:38:46          - Immediately following, the attacker initiates a new session authenticating successfully as Administrator.  After authenticating, a path is created to \IPC$ and the attacker terminates the session.

 

03/04/2003 21:38:48          - A new session initiation occurs and an authentication attempt is made against the Administrator account.  Based on the data below, it is possible the attacker sent a misspelled user id, however, Microsoft states the actual reason for the logon failure is not specified for this return value.

 

1191

322238.838542

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_NEGOTIATE

1192

322238.838557

Server

Attacker

SMB

Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED

1193

322239.071949

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_AUTH

1194

322239.076533

Server

Attacker

SMB

Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

1199

322239.672837

Server

Attacker

SMB

Logoff AndX Response, Error: Bad userid

               

03/04/2003 21:38:49          - Following the above failed authentication attempt, the attacker attempts nineteen (19) more attempts that fail with the same error.

 

03/04/2003 21:39:03          - After initiating a new session, the attacker establishes a successful authentication as Administrator and again creates an SMB session to the IPC service stub.

 

03/04/2003 21:39:04          - After successfully obtaining Administrator privileges, the attacker opens \svcctl and after receiving a DFS_REFERRAL error, the attacker creates a path to \C$.

 

1373

322254.655965

Attacker

Server

SMB

NT Create AndX Request, Path: \svcctl

1374

322254.661675

Server

Attacker

SMB

NT Create AndX Response, FID: 0x400c

1392

322256.828051

Attacker

Server

SMB

Transaction2 Request GET_DFS_REFERRAL, File: \172.16.134.191\C$

1393

322256.835362

Server

Attacker

SMB

Transaction2 Response GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE

1394

322257.058080

Attacker

Server

SMB

Tree Connect AndX Request, Path: \\172.16.134.191\C$

 

03/04/2003 21:39:06          - The attacker now begins implementation of his/her Trojan.  This specific Trojan is called R_SERVER.EXE.

 

1396

322257.318799

Attacker

Server

SMB

NT Create AndX Request, Path \WINNT\System32\r_server.exe

1397

322257.341355

Server

Attacker

SMB

NT Create AndX Response, FID: 0x400d

 

03/04/2003 21:39:!2            - Once implemented, the attacker modifies the file information:

 

[-] SET_FILE_INFORMATION Parameters

            FID: 0x400d

            Level of Interest: Query File Basic Info   (4.2.14.4)  (1004)

            Reserved: 0000

        Padding: 0000

[-] SET_FILE_INFORMATION Data

            Created: No time specified (0)

            Last Access: No time specified (0)

            Last Write: Jul 24, 2001 11:15:54.00000000

            Change: Mar  4, 2003 18:23:40.062498092

       [+] File Attributes: 0x00000000

             Unknown Data: 00000000

 

03/04/2003 21:39:13          - The attacker now adds supplemental files: \System32\raddrv.dll and \System32\admdll.dll.

 

1649

322263.704823

Attacker

Server

SMB

NT Create AndX Request, Path: \WINNT\System32\raddrv.dll

1688

322265.566763

Attacker

Server

SMB

NT Create AndX Request, Path: \WINNT\System32\admdll.dll

 

Further investigation indicates these are supplemental files for Radmin (http://www.famatech.com), which is a remote administration application.  Theoretically, it is not classified as a Trojan, however, its’ uses are similar.

 

03/04/2003 21:39:23          - Once the Radmin application is installed and executed, the attacker starts running a script to exploit a buffer overflow vulnerability in IIS’ Indexing Service, which is the same vulnerability that the Code Red worm took advantage of    (http://www.eeye.com/html/Research/Advisories/AD20010618.html).

 

1839

322275.638746

Attacker

Server

HTTP

GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

 

This particular overflow is caused by sending approximately 240 bytes in the buffer, in this case indicated by the “C’s” that are being sent.  Specifically, this buffer overflows in a wide character transformation operation by taking the ASCII (1 byte per character) input buffer and turning it into a wide character/Unicode string (2 bytes per character) byte string.

 

03/04/2003 21:41:51          - Following this exploit, the attacker initiates a new session and creates a path to \\PC0191\C.  Now, the attacker starts communication with port 6129 on the honeypot server.  Further investigation yields this port indicative of traffic using the DameWare (http://www.dameware.com) server application, which will allow the attacker full control. 

 

03/04/2003 21:44:24          - Shortly after, communication begins with port 4899 on the honeypot, however, this traffic is encrypted using Radmin’s 128-bit encryption ensuring a secure session with its client/server operation.

 

03/04/2003 21:48:22          - The Radmin traffic abruptly stops and so does the attacker’s session, however, no normal RST or FIN, ACK packets are received indicating such.

 

Conclusion:  Based upon the exploit time to obtain the user account information; most likely a script was used.  In addition, a script was probably used to exploit the buffer overflow in the Indexing Service, however, the attacker now has complete control of the honeypot via the remote administration tool that was implemented.

 

Attack 5 (Detailed Event Analysis)

 

03/05/2003 05:40:42          - Initial packets from 80.181.116.202 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

 

03/05/2003 05:40:44          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: NOKIA

    User name: Administrator

    Host name: NOKIA

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 05:40:46          - Next, a path is created to \srvsvc in order to enumerate all of the share information.

 

20979

351156.777922

Attacker

Server

SMB

NT Create AndX Request, Path: \srvsvc

20980

351156.777926

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4000

20985

351156.999077

Attacker

Server

SRVSVC

NetrShareEnum request

20986

351157.003386

Server

Attacker

SRVSVC

NetrShareEnum reply

 

The following is an excerpt from the NetrShareEnum reply that was sent to the attacker as a result of the request:

 

    [-] Microsoft Server Service

             Operation: NetrShareEnum (15)

         [-] Shares

                  Info Level: 1

                  Info Level: 1

             [-] SHARE_INFO_1_CONTAINER: IPC$ ADMIN$ C$

                        Referent ID: 0x000e3378

                        Max Count: 3

                  [-]  Share: IPC$

                       [+] Share: IPC$

                            Share Type: Hidden IPC (0x80000003)

                       [+] Comment: Remote IPC

                  [-] Share: ADMIN$

                         [+] Share: ADMIN$

                              Share Type: Hidden Directory tree (0x800000000)

                         [+] Comment: Remote Admin

                  [-] Share: C$

                       [+] Share: C$

                            Share Type: Hidden Directory tree (0x800000000)

                       [+] Comment: Default share

               Number of entries: 3

 

03/05/2003 05:40:46          - Once the above share information was retrieved, the attacker abruptly terminated the session.  No RST or FIN, ACK was received to indicate the termination.

 

Conclusion: The entire session lasted 4 seconds; therefore, it is probable that a script was used to obtain this information.

 

Attack 6 (Detailed Event Analysis)

 

03/05/2003 05:42:47          - Initial packets from 24.197.194.106 indicate an attacker executing a sequential port scan looking for vulnerable ports to attack.

 

03/05/2003 05:47:45          - Once the port scan has completed, the attacker attempts to exploit NetBIOS on port 139 by establishing an authenticated SMB connection to the IPC service stub, however, this attempt fails.

 

21339

351575.901990

Attacker

Server

SMB

Session Setup AndX Request, User: HEWLETTPACKARD\HP AUTHORIZED CUSTOM; Tree Connect AndX, Path: \\PC0191\IPC$

21340

351575.924667

Server

Attacked

SMB

Session Setup AndX Response, Error: Access denied

 

 

    Attacker Observations:

    Domain Name: HEWLETTPACKARD

    User name: HP AUTHORIZED CUSTOM

    Host name: N/A

    Native OS: Windows 4.0

    Native LAN Manager: Windows 4.0

 

03/05/2003 05:47:45          - After the failed attempt, the attacker executes a new port scan.

 

03/05/2003 05:48:06          - Once the port scan has completed, the attacker runs a script that uses HTTP GET and HEAD commands to determine and retrieve the specified files within IIS and Windows directories due to a vulnerability in the ISAPI script.  Due to the specific files and directory structures it scans, it is possible that this is the Nikto script.

 

03/05/2003 06:10:09          - Once the script has run its course, the attacker terminates the session.

 

Conclusion:  The observation indicating the computer contains default settings as specified by the manufacturer indicates this attacker is a script kiddie without much skill.

 

Attack 7 (Detailed Event Analysis)

 

03/05/2003 06:55:05          - Initial packets from 209.45.125.69 202 indicate an attacker specifically looking for NetBIOS/SMB vulnerabilities on ports 139 and 445.

 

03/05/2003 06:55:05          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates anonymous and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: NULL

    User name: NULL

    Host name: LIMPX001

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 06:55:06          - Next, a path is created to \SAMR in order to enumerate all of the domain information.

 

32478

355617.059738

Attacker

Server

SMB

NT Create AndX Request, Path: \samr

32479

355617.071197

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4000

32482

355617.446091

Attacker

Server

SAMR

Connect4 request, \\172.16.134.191

32483

355617.467027

Server

Attacker

SAMR

Connect4 reply

32484

355617.655291

Attacker

Server

SAMR

EnumDomains request

32485

355617.658941

Server

Attacker

SAMR

EnumDomains reply

32486

355617.904413

Attacker

Server

SAMR

LookupDomain request

32486

355617.906452

Server

Attacker

SAMR

LookupDomain reply

 

03/05/2003 06:55:09          - Once the attacker has retrieved the above information, he/she attempts to authenticate as Administrator and fails.

 

32516

355619.986146

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_NEGOTIATE

32517

355619.988676

Server

Attacker

SMB

Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED

32518

355620.206528

Attacker

Server

SMB

Session Setup AndX Request, NTLMSSP_AUTH

32519

355620.222225

Server

Attacker

SMB

Session Setup AndX Response, Error: STATUS_LOGON_FAILURE

 

03/05/2003 06:55:09          - A second attempt to authenticate as Administrator is successful and further information is retrieved on security objects, groups, etc.

 

03/05/2003 06:55:15          - After failing authentication attempts using the Guest account and causing it to be disabledt; the attacker now attempts to login to the ‘IUSR_PC0191’ account seven (7) times and fails.  Following this predictable behavior, the attacker attempts to login to the remaining accounts (IWAM_PC0191, TsInternetUser) for a total of seven (7) times, each of which fails. 

 

03/05/2003 06:55:27          - Attacker terminates the session after several authentication failures.

 

Conclusion: The entire session lasted approximately 22 seconds, therefore most likely a script was used similar to that used in Attack 1, if not the same, in attempting to enumerate the accounts and retrieve all the information specified above.

 

Attack 8 (Detailed Event Analysis)

 

03/05/2003 19:59:57          - Initial packets from 129.116.182.239 vary in that they target port 57 initially.  Following this, the attacker targets the ms-sql-s (port 1433) and then NetBIOS/SMB ports 139 and 445.

 

03/05/2003 20:00:39          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates anonymous and continues to create a null SMB connection to the IPC service stub.

 

    Attacker Observations:

    Domain Name: NULL

    User name: NULL

    Host name: FSEL-GMV218UFJ5

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 20:00:39          - Next, a path is created to \SAMR in order to enumerate all of the domain information.

 

32928

402750.027365

Attacker

Server

SMB

NT Create AndX Request, Path: \samr

32929

402750.040438

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4001

32934

402750.247772

Attacker

Server

SAMR

Connect4 request, \\172.16.134.191

32935

402750.251504

Server

Attacker

SAMR

Connect4 reply

32938

402750.355152

Attacker

Server

SAMR

EnumDomains request

32939

402750.356178

Server

Attacker

SAMR

EnumDomains reply

32940

402750.404471

Attacker

Server

SAMR

LookupDomain request

32941

402750.410163

Server

Attacker

SAMR

LookupDomain reply

 

03/05/2003 20:00:42          - Now the attacker starts retrieving information on non-machine created accounts, RIDs 1000 (0x3e8), 1001 (0x3e9), and 1002 (0x3ea).

 

33028

402753.199432

Attacker

Server

SAMR

OpenUser request, rid 0x3e9

33068

402754.419730

Attacker

Server

SAMR

OpenUser request, rid 0x3ea

33108

402755.622980

Attacker

Server

SAMR

OpenUser request, rid 0x3e8

 

03/05/2003 20:00:46          - Once the above information is retrieved, the attacker terminates this session.

 

03/05/2003 20:00:46          - The attacker now authenticates as Administrator and creates a path to \srvsvc and enumerates the network shares.

 

33175

402757.457742

Attacker

Server

SAMR

NT Create AndX Request, Path: \srvsvc

33176

402757.484226

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4000

33181

402757.637711

Attacker

Server

SRVSVC

NetrShareEnum request

33182

402757.638855

Server

Attacker

SRVSVC

NetrShareEnum reply

 

03/05/2003 20:00:47          - Immediately after retrieving the above information, the attacker establishes a new anonymous session and after receiving an error while performing GET_DFS_REFERRAL, terminates the session.

 

33191

402757.930229

Attacker

Server

SMB

Transaction2 Request GET_DFS_REFERRAL, File: \172.16.134.191\C$

33192

402757.960481

Server

Attacker

SMB

Transaction2 Response GET_DFS_REFERRAL, Error: STATUS_NO_SUCH_DEVICE

 

 

Attack 9 (Detailed Event Analysis)

 

03/05/2003 22:33:49          - Initial packets from 61.111.101.78 are received indicating a NetBIOS vulnerability scan based on ports 139 and 445.

 

03/05/2003 22:35:31          - Received packets indicating a successful “attack” or connection to NetBIOS/SMB services on port 445.  Specifically, the initial protocol negotiation is in progress between the two systems.  Once a successful negotiation process has completed, the attacker successfully authenticates as Administrator and continues to create a null SMB connection to the IPC service stub. 

 

    Attacker Observations:

    Domain Name: OIL-6II61N0JWTK

    User name: Administrator

    Host name: OIL-6I61N0JWTK

    Native OS: Windows 2000 2195

    Native LAN Manager: Windows 2000 5.0

 

03/05/2003 22:35:31          - Next, a path is created to \SAMR in order to enumerate all of the domain information.

 

33237

412042.452703

Attacker

Server

SMB

NT Create AndX Request, Path: \samr

33238

412042.455590

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4001

33241

412042.792469

Attacker

Server

SAMR

Connect4 request, \\172.16.134.191

33242

412042.794977

Server

Attacker

SAMR

Connect4 reply

33243

412042.972381

Attacker

Server

SAMR

EnumDomains request

33244

412042.991002

Server

Attacker

SAMR

EnumDomains reply

33245

412043.152498

Attacker

Server

SAMR

LookupDomain request

33246

412043.154330

Server

Attacker

SAMR

LookupDomain reply

 

03/05/2003 22:35:32          - Once this pertinent information is retrieved, the attacker proceeds to send an OpenDomain request with the server or domain’s SID and retrieves all users on the server based upon the QueryDispInfo (or NetQueryDisplayInfo/samrQueryDisplayInfo as partially documented) with a Level 1 request.  This request returns a malformed packet containing all user account names, descriptions, RID’s and other important information.

 

33247

412043.332745

Attacker

Server

SAMR

OpenDomain request, S-1-5-21-1229272821-706699826-1060284298

33248

412043.334296

Server

Attacker

SAMR

OpenDomain reply

33249

412043.512907

Attacker

Server

SAMR

QueryDispinfo request, level 1, start_idx 0

33250

412043.526833

Server

Attacker

SAMR

QueryDispinfo reply[Malformed Packet]

 

03/05/2003 22:35:33          - Attacker closes OpenDomain request and terminates active session.

 

03/05/2003 22:35:34          - The attacker establishes new session and SMB protocol begins its’ protocol negotiation process.  Once again, an authentication session with the Administrator account is performed.

 

03/05/2003 22:35:35          - This time, a connection is made to the \ADMIN$ path.  Once this path is created, the attacker proceeds to create the file \System32\PSEXESVC.EXE.

 

33278

412045.812234

Attacker

Server

SMB

Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$

33279

412045.816690

Server

Attacker

SMB

Tree Connect AndX Response

33280

412046.012158

Attacker

Server

SMB

NT Create AndX Request, Path: \System32\PSEXESVC.EXE

33281

412046.039320

Server

Attacker

SMB

NT Create AndX Response, FID: 0x4001

33288

412046.743667

Attacker

Server

SMB

Write AndX Request, FID: 0x4001, 61440 bytes at offset 0

 

The file creation is completed at 22:35:37 and a request to close the file is received by the server.

 

03/05/2003 22:35:37          - Another null session is created to the IPC service stub and a request to open the \svcctl and attempts to add and execute the newly created PSEXESVC.EXE as a Service.

 

03/05/2003 22:35:52          - The attacker now performs a basic file info query and an attribute tag query on PSEXESVC.EXE.  Apparently the file did not execute properly or was incorrectly created as the attacker now issues a request to delete the file.

 

33529

412062.986957

Attacker

Server

SMB

Transaction2 Request QUERY_PATH_INFORMATION, Path: \System32\PSEXESVC.EXE

33530

412063.990849

Server

Attacker

SMB

Transaction2 Response QUERY_PATH_INFORMATION

33533

412063.337170

Attacker

Server

SMB

Delete Request, Path: \System32\PSEXESVC.EXE

33534

412063.347662

Server

Attacker

SMB

Delete Response

 

03/05/2003 22:35:53          - Once the file has been deleted, the attacker successfully creates the PSEXESVC.EXE file again.  With the new file in place, the attacker  opens \svcctl again and adds the PSEXESVC.EXE to the existing Services.

 

03/05/2003 22:36:01          - The attacker manually executes \PSEXESVC.EXE and creates and/or overwrites \System32\inst.exe.  Once complete, the attacker proceeds to open \svcctl again.  Apparently, something fails or does not meet the attacker’s approval because he/she once again sends a request to delete \System32\PSEXESVC.EXE again.  For the third time, the attacker creates the file PSEXESVC.EXE and opens \svcctl.

 

03/05/2003 22:36:33          - The attacker attempts to execute PSEXESVC.EXE and even though SMB reports STATUS_SUCCESS, there is an apparent error in the execution of this file.  The attacker again sends a request to Overwrite or Create PSEXESVC.EXE, however, this time they receive a STATUS_SHARING_VIOLATION as the executable is currently running.  The attacker then opens \svcctl and stops it as a service.  Once this is complete, the attacker executes PSEXESVC.EXE again.

 

03/05/2003 22:36:39          - Once again, the attacker queries PSEXESVC.EXE and retrieves file information and proceeds to delete this executable.  This same procedure happens again approximately five (5) times before either successful or the attacker gave up.  The final packets prior to terminating the session indicate it was started as a service again.

 

03/05/2003 22:36:39          - The attacker establishes a new connection and successfully authenticates as Administrator.  The first procedure is to attempt a connection to \ADMIN$ again, however, this time there are some errors that occur.

 

35725

412170.197378

Attacker

Server

SMB

Tree Connect AndX Request, Path: \\172.16.134.191\ADMIN$

35726

412170.199716

Server

Attacker

SMB

Tree Connect AndX Response, Error: STATUS_BAD_NETWORK_NAME

 

After receiving this error two (2) times, the attacker terminates his/her session.

 

1.     What did you learn about analysis as a result of studying this scan?

 

Originally, this analysis document was very vague in the detail given to each attack, however, as time went on I decided to create a very detailed analysis of the attacks that took place, including much research on each topic; especially the NetBIOS/SMB file system.  I have many years experience with computers and various operating systems, however, the actual forensic analysis field is relatively new to me, but I am enjoying it immensely and look forward to participating in more challenges.

 

2.     How do you anticipate being able to apply your new knowledge and skills?

 

            At this point, I hope to be able to participate in more challenges and eventually create my own honeynet to further this exciting research that is currently being performed and seek new knowledge.

 

3.     How can we improve the SotM challenge?  What would you like to see added?  What would like you like to see done differently?

 

The SotM challenges have all been wonderful.  I have had the opportunity to review many of the archived challenges and enjoy participating in the new challenges now.  The only suggestion I may have is that there be various categories and perhaps multiple SotM’s.  For instance, each month there would be a specific scan and analysis for Beginners, Intermediate’s, and Expert’s.  This would allow beginner’s to enhance their skills with an opportunity to “win”, without participating in the same class as those who are considered experts in the field.