Intrusion Detection Systems Lets us detect signatures inside packets It would be very hard to write a tcpdump filter for Nimda More versatile than tcpdump Tcpdump is more universal and quicker Tcpdump allows you to record all traffic, an IDS usually only records matches on signatures
Solaris dtspcd Attack Honeynet.org Scan of the Month Scan 20 http://www.honeynet.org/scans/scan20/ Let’s just scan through the network capture with tcpdump and see what we see Then we’ll look at it with Ethereal
What did we see? Src address: 22.214.171.124 Dst address: 172.16.1.102 Target port: 6112 –Solaris Common Desktop Environment –Dtspcd: CDE Subprocess Control Service –network daemon that accepts requests from clients to execute commands and launch applications remotely –Runs as root –Usually spawned by inetd or xinetd in response to CDE client request
What else? In the first packet from attacker to victim, we see the word “root”. Hmmmm Then the victim starts answering back In the third packet it announces what operating system it is running and its architecture Going on…
Now what did we see? Lots of “801C 4011”, cut out 67 lines of them We have here a Sparc NOP slide –An Intel x86 slide would have “90 90”s –Common technique in buffer-overflow attacks –Try to get exploited program to execute shell code as the program owner –Increases odds buffer overflow will execute exploit code without havig to figure out exact locations –If buffer overflow pointer lands in them, exploit code will eventually be run
What code will be run? If we read the shell code, we’d see that the following will be exec’ed: 1../bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i“>/tmp/x; 2./usr/sbin/inetd -s /tmp/x; 3.sleep 10; 4./bin/rm -f /tmp/x Line 1 uses a ksh to execute an echo command. The echo, writes a pre-formatted inetd line to a temp file, /tmp/x Line 2: runs inetd, using /tmp/x as its configuration Line 3: sleeps 10 seconds, make sure inetd is started Line 4: cleans up the evidence
The inetd Line What does the inetd line do? ingreslock stream tcp nowait root /bin/sh sh -i Ingreslock is TCP port 1524 This line opens up an interactive root shell when someone connects to TCP port 1524 Guess what happens a little later?
The Output from the Commands 1.# SunOS buzzy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10 2./core: No such file or directory 3./var/dt/tmp/DTSPCD.log: No such file or directory 4.BD PID(s): 3476
Interactive Commands Let’s go to Ethereal for this part…
Your consent to our cookies if you continue to use this website.