Monday, January 25, 2010

Honeynet - Challenge 1 of the Forensic Challenge 2010

Ok, I posted this a week or so ago to the NetworkMiner beta list, but forgot to put anything up on here about it. This was a fun exercise, different from the other ones I've done and posted about recently.

It was short notice when I put it on that list, even shorter here, but...

In this case, no need to write code, just find the answers and tell them what program(s) you used.

----

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Please list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)
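Questions 1, 3 and 4 come down to pcap bookkeeping: which endpoints appear, how many TCP sessions there are, and how long the capture spans. The script below is an added example written for this post, not part of the challenge or of any submission; it parses a libpcap file with only the standard library and runs against a small capture that is constructed inline (RFC 5737 addresses, made-up ports and timestamps) rather than the challenge's real trace. It assumes an Ethernet link type and counts one session per client SYN.

```python
"""Minimal pcap triage: endpoints, TCP session count and time span (added example)."""
import socket
import struct
from collections import OrderedDict

FLAG_FIN, FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x08, 0x10


def pcap_records(data):
    """Yield (timestamp_seconds, frame_bytes) for each record of a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:        # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # ethertype must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                               # IP protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return src, dst, sport, dport, frame[tcp + 13]


def analyze(data):
    """Summarise a capture: hosts seen, TCP sessions (one per client SYN), time span."""
    hosts, sessions = set(), OrderedDict()
    first = last = None
    for ts, frame in pcap_records(data):
        first = ts if first is None else first
        last = ts
        f = tcp_fields(frame)
        if f is None:
            continue
        src, dst, sport, dport, flags = f
        hosts.update((src, dst))
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        # A session starts with a SYN that is not a SYN/ACK; key it by the
        # initiator so packets in the reply direction map onto the same entry.
        if flags & FLAG_SYN and not flags & FLAG_ACK:
            sessions[key] = {"start": ts, "end": ts, "packets": 0}
        s = sessions.get(key) or sessions.get(rkey)
        if s is not None:
            s["end"] = ts
            s["packets"] += 1
    return {"hosts": sorted(hosts), "tcp_sessions": len(sessions), "sessions": sessions,
            "duration_seconds": (last - first) if first is not None else 0.0}


def _ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip   # zeroed MAC addresses, ethertype IPv4


def _record(ts, frame):
    sec = int(ts)
    return struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame


def build_sample_capture():
    """Constructed capture (NOT the challenge pcap): attacker 192.0.2.10, victim 198.51.100.5."""
    A, V = "192.0.2.10", "198.51.100.5"
    pkts = [
        (1000.0, A, V, 1042, 445, FLAG_SYN),               # session 1: attacker -> victim:445
        (1000.1, V, A, 445, 1042, FLAG_SYN | FLAG_ACK),
        (1000.2, A, V, 1042, 445, FLAG_ACK),
        (1000.3, A, V, 1042, 445, FLAG_PSH | FLAG_ACK),
        (1001.0, A, V, 1042, 445, FLAG_FIN | FLAG_ACK),
        (1005.0, V, A, 1033, 8080, FLAG_SYN),              # session 2: victim connects back
        (1005.1, A, V, 8080, 1033, FLAG_SYN | FLAG_ACK),
        (1005.2, V, A, 1033, 8080, FLAG_ACK),
        (1012.0, A, V, 1043, 445, FLAG_SYN),               # session 3: second attacker connection
        (1012.5, V, A, 445, 1043, FLAG_SYN | FLAG_ACK),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(_record(ts, _ipv4_tcp_frame(s, d, sp, dp, fl))
                             for ts, s, d, sp, dp, fl in pkts)


if __name__ == "__main__":
    r = analyze(build_sample_capture())
    print("hosts:", r["hosts"])
    print("tcp sessions:", r["tcp_sessions"], "duration:", r["duration_seconds"], "s")
    for key, s in r["sessions"].items():
        print("  %s:%d -> %s:%d  %d pkts  %.1fs" % (key + (s["packets"], s["end"] - s["start"])))
```

One caveat when comparing with a GUI: Wireshark's Conversations window counts every distinct 4-tuple, including ones whose handshake is missing from the capture, while this counts only sessions that begin with a SYN, so the two numbers can differ on a truncated trace. Swap `analyze(open("capture.pcap", "rb").read())` for the constructed sample to run it on a real file.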

Sunday, January 24, 2010

Infected sites and Google Alerts

Not much on OS fingerprinting this time, but because of the Google Alerts I have set up for "fingerprinting", I've been getting a look at a couple hundred sites that have been taken over in some form or another since just before Christmas. Google is notifying me of compromised sites instead of useful new information on fingerprinting, and I'd like to go back to the useful alerts!

Sites end up being:
http://somewhere.wherever/5-6 character junk/

The first two I saw, I actually dropped notes to the site owners, and was happy to see them clean things up. Whether they patched, I have no idea, but they were cleaned up.

Everything was Apache from what I could tell by banner grabbing with Satori. It wasn't something I was too worried about, but.....

Could be an Apache hole, OpenSSL, PHP, etc. Hard to say.

Looking at one that has been compromised since Christmas the following layout is there:
1g
1r.txt
1t
2.js
2r.txt
academia.php
accenture.php
....
fingeprinting.php
...
passive.php


1g -
this file seems to list a ton of other sites, possibly ones already compromised or possibly ones to redirect visitors to. I played around a bit with it back at Christmas, assumed the problem would go away and forgot about it for the most part. But since it is a month later and I'm still getting new ones each day, I figured I'd at least post something on it.

1t -
possibly usernames it is trying

2r.txt -
php files it is going to create

Simple search to find pages with google to get an idea:
"fingerprinting the dead with rigor morits"

Based on file times I assume there is some type of automated scan they are doing that drops the first .php file. Then someone goes through those lists 12-24 hours later and uploads the rest. Looking at timestamps on the files, there is typically one file created on day 0, then all the others get created the next day, but not all at the same time: one here, one there.
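The layout and the two-stage timeline above are enough to write a quick check for your own document roots. The script below is an added example for this post, not something from the compromised sites or from any tool mentioned here. It walks a web root and flags subdirectories that hold PHP files together with any of the marker names listed above (1g, 1r.txt, 1t, 2.js, 2r.txt), a short junk-looking name (the regex, which assumes mixed letters and digits, is mine), or the drop-then-populate timing (the 12-hour gap is an assumed threshold). The fixture it runs against is built in a temp directory and is constructed, not a real site.

```python
"""Added example: find dropped directories matching the layout described above."""
import os
import re
import tempfile
import time

# Assumption: the junk names seen (e.g. z1jyed) mix letters and digits, 5-6 chars.
JUNK_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,6}$")
MARKER_FILES = {"1g", "1r.txt", "1t", "2.js", "2r.txt"}   # names from the post
STAGE_GAP_SECONDS = 12 * 3600                             # assumed drop-then-populate gap


def inspect_dir(path):
    """Return evidence for one directory, or None if it does not look dropped."""
    files = [f for f in os.listdir(path) if os.path.isfile(os.path.join(path, f))]
    php = [f for f in files if f.lower().endswith(".php")]
    if not php:                                           # every drop seen held php files
        return None
    markers = sorted(MARKER_FILES.intersection(files))
    mtimes = sorted(os.path.getmtime(os.path.join(path, f)) for f in files)
    # Two-stage timeline: the earliest file stands alone, then a gap before the rest.
    two_stage = len(mtimes) > 1 and (mtimes[1] - mtimes[0]) >= STAGE_GAP_SECONDS
    junk = bool(JUNK_NAME.match(os.path.basename(path)))
    if not (markers or two_stage or junk):
        return None
    return {"path": path, "php_files": len(php), "markers": markers,
            "two_stage": two_stage, "junk_name": junk,
            "span_hours": (mtimes[-1] - mtimes[0]) / 3600}


def scan_webroot(root):
    """Walk a document root and return evidence for every suspicious subdirectory."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if dirpath == root:
            continue
        ev = inspect_dir(dirpath)
        if ev:
            hits.append(ev)
    return hits


def _touch(path, mtime):
    with open(path, "w") as fh:
        fh.write("x")
    os.utime(path, (mtime, mtime))


def build_sample_webroot():
    """Constructed fixture (not a real site): one dropped dir, one ordinary dir."""
    root = tempfile.mkdtemp(prefix="webroot_")
    now = time.time()
    bad = os.path.join(root, "z1jyed")
    good = os.path.join(root, "img")
    os.makedirs(bad)
    os.makedirs(good)
    # day 0: a single php file; day 1: markers and the rest, trickling in ten minutes apart
    _touch(os.path.join(bad, "academia.php"), now - 36 * 3600)
    for i, name in enumerate(["1g", "1t", "2r.txt", "accenture.php", "passive.php"]):
        _touch(os.path.join(bad, name), now - 12 * 3600 + i * 600)
    _touch(os.path.join(good, "logo.png"), now - 100 * 86400)
    _touch(os.path.join(good, "banner.png"), now - 99 * 86400)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print(hit)
```

Run it as `scan_webroot("/var/www")` (or wherever your document root lives) from a shell on the box; mtimes can be forged by an attacker, so treat the timing signal as a hint and the file listing as the thing to actually go look at.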

Anyway, if anyone is going to go poking around, make sure you only go to the subdirectory (directory listing is turned on in all the ones I looked at). Instead of:
http://xxxxxxxx.com/z1jyed/fingerprinting.php
only go to:
http://xxxxxxxx.com/z1jyed/

Oh yeah, I was going to go poke around on some of my Apache boxes and make sure they weren't compromised. Maybe tomorrow.

Monday, January 4, 2010

Passive Fingerprinting of Network Reconnaissance Tools

Last month I ran across the initial 3-page IEEE summary of this thesis. At the time I wasn't able to find a full copy of it, though now it looks like there is a copy out there on dtic.mil.

In a nutshell, they look at the visual fingerprint a scanner such as Nmap, UnicornScan, etc. makes as it scans a system. By utilizing the information they obtain, they can tell what program is scanning your system.

Anyway, an interesting twist: fingerprinting the application that is scanning you. I had looked at doing this with some products, but never to this extent. Very nicely done!