Honeynet Scan of the Month 28
May 2003
Michael Capp
myntric<@>ameritech.net
Dedication: This analysis is dedicated to my very near future wife, whom I love with all my heart and will be married to on
Table of Contents
1. Challenge & Analysis Overview
a. What is the operating system of the honeypot? How did you determine that?
a. How did the attacker(s) break into the system?
b. Which systems were used in this attack and how?
c. Create a diagram that demonstrates the sequences involved in the attack.
d. What is the purpose/reason of the ICMP packets with ‘skillz’ in them?
f. Can you identify the nationality of the attacker?
a. What are the implications of using the unusual IP protocol to the Intrusion Detection industry?
b. What tools exist that can decode this protocol?
Members of the AT&T Mexico Honeynet captured a unique attack. As is common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files. Day1 captured the break-in; Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28.
Make sure you review the challenge criteria before submitting your write-up.

§ Ethereal/tethereal 0.9.12 (http://www.ethereal.com)
§ tcpdump 3.7.1 (http://www.tcpdump.org)
§ file 4.02 (http://www.gnu.org/directory/text/wordproc/file.html)
§ tcpflow 0.20 (http://www.circlemud.org/~jelson/software/tcpflow/)
Upon successful binary verification, ‘tcpflow’ was used to reconstruct the data streams from the provided logs and write each stream to its own file for easier analysis. A detailed description of ‘tcpflow’ from the website is: “… a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. Tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.”

Based on the above execution, the following are examples of the file sets that the stream reconstruction created from the Day1 logs:

Once the data streams had been briefly examined and separated, Snort and tethereal were used to compile general Summary Statistics on the log files. Certain irrelevant information has been omitted. The results revealed some interesting statistics on this successful attack. In addition to the normal IP traffic generated by an attacker, there is an excessive amount of ICMP and IPv6 traffic, which is unique to this scenario and reflects what the attacker did once the initial compromise had taken place.
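Both steps described above, reassembling each TCP stream the way tcpflow does and tallying packets per protocol for the summary statistics, can be reproduced offline. The block below is an added example written for this write-up; it is not code from the analysis, from tcpflow or from tethereal. It assumes a little-endian libpcap file with Ethernet framing. The capture bytes are constructed for the demonstration, as are the attacker address 203.0.113.5 and source port 40000; only the honeypot address 192.168.100.28 and the dtspcd port 6112 come from the challenge text.

```python
# Added example (Python), not from the original write-up: a minimal libpcap
# reader that tallies packets per protocol, as the summary-statistics pass
# did, and reassembles each TCP flow's payload by sequence number, so that
# out-of-order and retransmitted segments yield the stream tcpflow would write.
# The capture bytes are constructed here; they are not the Day1/Day3 logs.
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv4"}  # IANA protocol numbers
HONEYPOT = "192.168.100.28"   # honeypot address from the challenge
ATTACKER = "203.0.113.5"      # constructed RFC 5737 test address

def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a little-endian libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    link_type, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or link_type != 1:   # DLT_EN10MB only
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_frame(frame: bytes):
    """Return (proto_name, flow_key, tcp_seq, payload); flow_key is None unless TCP."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_IPV6:
        return "IPv6", None, None, b""
    if ethertype != ETHERTYPE_IPV4:
        return "non-IP", None, None, b""
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    name = PROTO_NAMES.get(proto, f"IP-proto-{proto}")
    if proto != 6:
        return name, None, None, b""
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return name, (src, sport, dst, dport), seq, tcp[data_off:]

def analyze(pcap: bytes):
    """Protocol histogram plus per-flow reassembled payload bytes."""
    stats, segments = Counter(), defaultdict(dict)   # flow -> {seq: payload}
    for frame in iter_frames(pcap):
        name, flow, seq, payload = parse_frame(frame)
        stats[name] += 1
        if flow is not None and payload:
            # First copy wins: a retransmission with the same seq is not appended twice.
            segments[flow].setdefault(seq, payload)
    flows = {}
    for flow, segs in segments.items():
        data, expected = bytearray(), None
        for seq in sorted(segs):                # order by sequence number, not arrival
            chunk = segs[seq]
            if expected is not None and seq < expected:
                chunk = chunk[expected - seq:]  # overlapping retransmission: keep new tail only
            data += chunk
            expected = max(expected or 0, seq + len(segs[seq]))
        flows[flow] = bytes(data)
    return stats, flows

# --- constructed capture: helpers build the bytes a sniffer would have written ---
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload  # checksum left 0

def tcp_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    return _ipv4(src, dst, 6, tcp)

def icmp_frame(src, dst, data):
    return _ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data)

def pcap_file(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = pcap_file([
    icmp_frame(ATTACKER, HONEYPOT, b"ping"),
    tcp_frame(ATTACKER, 40000, HONEYPOT, 6112, 1000, b"hello "),
    tcp_frame(ATTACKER, 40000, HONEYPOT, 6112, 1012, b"world"),   # arrives before its predecessor
    tcp_frame(ATTACKER, 40000, HONEYPOT, 6112, 1006, b"cruel "),  # fills the gap
    tcp_frame(ATTACKER, 40000, HONEYPOT, 6112, 1006, b"cruel "),  # retransmission
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV6) + b"\x60" + b"\x00" * 39,  # bare IPv6 frame
])

if __name__ == "__main__":
    stats, flows = analyze(SAMPLE_PCAP)
    print(dict(stats), flows)
```

The reassembly keys on the four-tuple and sorts by sequence number, which is what makes the out-of-order "world" segment and the duplicated "cruel " segment collapse into a single "hello cruel world" stream. It deliberately stops short of what tcpflow also tracks (SYN/FIN bookkeeping, both directions of a connection, sequence wrap-around), and IPv6 frames are only counted, not dissected, which is enough to make the IPv6 share in the histogram visible.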
There are two specific indicators that the honeypot is Solaris/SunOS-based, specifically SunOS 5.8. The first is that the attack that compromised the honeypot is based upon the buffer overflow in the CDE Subprocess Control Service (http://www.cert.org/advisories/CA-2001-31.html) vulnerability (see Question 2 for additional detail). Secondly, after exploiting the vulnerability above, the attacker executed ‘uname’, which retrieves and prints basic system information, with the following results:

In the following packet sequence, the attacker sent numerous characters to the CDE service on port 6112 on this honeypot, causing a buffer overflow in the dtspcd process:

The buffer overflow exploit allowed the attacker to execute root privileged commands such as the following retrieved from detailed output via ‘tcpflow’:

Based upon the preceding command, the attacker executed code through dtspcd and added a line to the ‘inetd’ configuration file to create a backdoor that executes an interactive shell. The configuration below is from the ‘inetd’ man page:

The purpose of the argument, ‘sh -i’, is to launch a shell upon a connection directed to port 1524, ingreslock.
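A defender can look for exactly this shape of inetd entry, a service whose server program or its arguments is an interactive shell, by parsing inetd.conf. The following is an added example written for this write-up, not code from the analysis or from any inetd implementation. It assumes the field layout documented in inetd.conf(4): service name, socket type, protocol, wait/nowait, user, server program, server arguments. The configuration excerpt is constructed; its last line is built from the description above (ingreslock, port 1524, ‘sh -i’) and is not a copy of the honeypot's file. The service-to-port table is likewise a constructed subset of /etc/services.

```python
# Added example (Python), not from the original write-up: a small audit of
# inetd.conf entries that flags a service whose server program (or argv) is an
# interactive shell. Field layout follows inetd.conf(4). All data is constructed.
import re
from dataclasses import dataclass, field

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}
# Constructed subset of /etc/services, used only to report which port a name maps to.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "finger": 79, "ingreslock": 1524}

@dataclass
class InetdEntry:
    lineno: int
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    args: list = field(default_factory=list)

def parse_inetd_conf(text: str) -> list:
    """Parse inetd.conf text into entries, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                            # malformed; inetd itself would reject it
        service, stype, proto, wait, user, program, *args = fields
        user = re.split(r"[.:]", user)[0]       # drop an optional .group / :group suffix
        entries.append(InetdEntry(lineno, service, stype, proto, wait, user, program, args))
    return entries

def audit(entries: list) -> list:
    """Return (lineno, service, port, reason) for entries that hand a socket to a shell."""
    findings = []
    for e in entries:
        names = {e.program.rsplit("/", 1)[-1]} | set(e.args[:1])   # program basename and argv[0]
        if not names & SHELLS:
            continue
        reason = "server program is a shell"
        if "-i" in e.args:
            reason = "interactive shell (sh -i) bound to the service socket"
        if e.user == "root":
            reason += ", running as root"
        findings.append((e.lineno, e.service, SERVICE_PORTS.get(e.service), reason))
    return findings

# Constructed sample: three ordinary entries plus the backdoor line the
# analysis describes (ingreslock, port 1524, 'sh -i').
SAMPLE_INETD_CONF = """\
# constructed inetd.conf excerpt, not the honeypot's file
ftp        stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet     stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger     stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
ingreslock stream  tcp  nowait  root    /bin/sh               sh -i
"""

if __name__ == "__main__":
    for lineno, service, port, reason in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {lineno}: {service} (port {port}): {reason}")
```

The check matches on both the program path's basename and argv[0], because either one can name the shell, and it reports the user field separately since a root-owned shell service is the worst case. On a live system the same parse can be run against the actual /etc/inetd.conf and diffed against a known-good copy; any entry that was not there at build time deserves the same scrutiny whether or not it points at a shell.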
The following are excerpts from CERT Advisory CA-2001-31 (http://www.cert.org/advisories/CA-2001-31.html) containing additional information on this vulnerability:
CERT Advisory CA-2001-31 Description – The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges.
Immediately following the compromise, the attacker then proceeds to execute both scripted and manual commands in order to retrieve/download rootkits, trojans, and other tools. The following strings have been selected based on their relevance to the analysis and do not represent the data stream(s) in their entirety.

The above command execution retrieves details on the system, creates the initial shell environment and displays the Process Identifier (“PID”) of the “BD”, which in this case I believe is an acronym for “Back Door”. Once complete, the attacker unsets the HISTFILE and DISPLAY and creates a temporary directory to store the downloaded files as you will see in the following: