[Intrusions] LOGS: GIAC GCIA Version 3.4 Pratical Detect Stephen Breault
Breault.SM at forces.gc.ca
Sat Jun 5 21:40:46 GMT 2004
This detect will be used as part of my practical; any questions or comments
will be appreciated.
Thanks
Source of trace
This detect can be found in the incidents.org/logs/raw file 2002.10.18. The
following command was used:
windump -r 2002.10.18 -nvXes 1500 ip and host 202.108.254.204 and net 170.129 and dst port 1080 | more
Although the network topology cannot be determined with absolute certainty, I
have included below a suspected network diagram. I should also note that
although the MAC addresses are included, these are just as easily spoofed.
CISCO DEVICE MAC 0:3:e3:d9:26:c0
|
|
|___________IDS Sensor
|
|
CISCO DEVICE MAC 0:0:c:4:b2:33
19:43:59.236507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 46, id 52921, len 40) 202.108.254.204.53469 >
170.129.149.62.1080: S [tcp sum ok] 1844151687:1844151687(0) win 1024
0x0000 4500 0028 ceb9 0000 2e06 b51d ca6c fecc E..(.........l..
0x0010 aa81 953e d0dd 0438 6deb 8587 6deb 8587 ...>...8m...m...
0x0020 5002 0400 e6ed 0000 0000 0000 0000 P.............
20:36:23.816507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 46, id 29679, len 40) 202.108.254.204.2897 >
170.129.215.53.1080: S [tcp sum ok] 1196016012:1196016012(0) win 1024
0x0000 4500 0028 73ef 0000 2e06 cdf0 ca6c fecc E..(s........l..
0x0010 aa81 d735 0b51 0438 4749 c18c 4749 c18c ...5.Q.8GI..GI..
0x0020 5002 0400 3fbd 0000 0000 0000 0000 P...?.........
21:28:48.676507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 46, id 25248, len 40) 202.108.254.204.14924 >
170.129.252.40.1080: S [tcp sum ok] 661927106:661927106(0) win 1024
0x0000 4500 0028 62a0 0000 2e06 ba4c ca6c fecc E..(b......L.l..
0x0010 aa81 fc28 3a4c 0438 2774 34c2 2774 34c2 ...(:L.8't4.'t4.
0x0020 5002 0400 450e 0000 0000 0000 0000 P...E.........
22:21:13.116507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 45, id 52742, len 40) 202.108.254.204.53269 >
170.129.212.139.1080: S [tcp sum ok] 1612303946:1612303946(0) win 1024
0x0000 4500 0028 ce06 0000 2d06 7783 ca6c fecc E..(....-.w..l..
0x0010 aa81 d48b d015 0438 6019 ce4a 6019 ce4a .......8`..J`..J
0x0020 5002 0400 3286 0000 0000 0000 0000 P...2.........
23:13:37.586507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 45, id 50551, len 40) 202.108.254.204.55170 >
170.129.190.247.1080: S [tcp sum ok] 848927323:848927323(0) win 1024
0x0000 4500 0028 c577 0000 2d06 95a6 ca6c fecc E..(.w..-....l..
0x0010 aa81 bef7 d782 0438 3299 9a5b 3299 9a5b .......82..[2..[
0x0020 5002 0400 038c 0000 0000 0000 0000 P.............
00:06:02.316507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
IP (tos 0x0, ttl 46, id 64618, len 40) 202.108.254.204.29105 >
170.129.212.89.1080: S [tcp sum ok] 1145863455:1145863455(0) win 1024
0x0000 4500 0028 fc6a 0000 2e06 4851 ca6c fecc E..(.j....HQ.l..
0x0010 aa81 d459 71b1 0438 444c 7d1f 444c 7d1f ...Yq..8DL}.DL}.
0x0020 5002 0400 6b0d 0000 0000 0000 0000 P...k.........
<snip>
Detect was generated by
This detect was generated by Snort (Win32 build) version 1.9.1.
The following command was used to run Snort over the raw file, producing the
alert and log files that I then searched through:
snort -c /path/snort.conf -r /path/2002.10.18 -l /path/snort.log
Below is the actual alert that was generated by Snort:
[**] [1:615:4] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
202.108.254.204:53469 -> 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921
IpLen:20 DgmLen:40
******S* Seq: 0x6DEB8587 Ack: 0x6DEB8587 Win: 0x400 TcpLen: 20
[Xref => <http://help.undernet.org/proxyscan/>]
Looking in the folder Snort created for the source IP that generated the
alerts, the following packet log was found:
[**] SCAN SOCKS Proxy attempt [**]
11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
202.108.254.204:53469 -> 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921
IpLen:20 DgmLen:40
******S* Seq: 0x6DEB8587 Ack: 0x6DEB8587 Win: 0x400 TcpLen: 20
0x0000: 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00 .....3....&...E.
0x0010: 00 28 CE B9 00 00 2E 06 B5 1D CA 6C FE CC AA 81 .(.........l....
0x0020: 95 3E D0 DD 04 38 6D EB 85 87 6D EB 85 87 50 02 .>...8m...m...P.
0x0030: 04 00 E6 ED 00 00 00 00 00 00 00 00 ............
Below is the rule that detected the activity. It matches any TCP packet from
$EXTERNAL_NET, on any source port, to port 1080 on $HOME_NET in which only the
SYN flag is set (flags:S,12 ignores the two reserved bits), and raises the
message "SCAN SOCKS Proxy attempt". It is classified as attempted-recon (shown
in the alert as "Attempted Information Leak"), has SID 615, and this is its
fourth revision.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
Probability the source address was spoofed
It is unlikely that the source address is spoofed. In this case there is an
attempt to discover open SOCKS proxies, done by sending a SYN packet to a
target; a host configured to offer the service responds with a SYN-ACK,
indicating that it is ready to complete the rest of the TCP handshake. The
attacker therefore needs that response to reach them in order to determine the
state of the target port.
DShield.org records the IP as belonging to a network in China. There is a very
slim possibility that the IP is spoofed, but as mentioned above it is very
unlikely if the intention is to get a response back.
IP Address: 202.108.254.204
HostName: 202.108.254.204
DShield Profile: Country: CN
Contact E-mail: chunguangcanlanxiaobajie at sina.com
AS Number: 4808
Total Records against IP: not processed
Description of the attack
The offending IP in this case is 202.108.254.204, which is scanning for the
SOCKS proxy port, TCP 1080, on the 170.129.x.x network. The scan is done in a
manner that attempts to give the attacker a degree of stealth and to evade
whatever detection measures are in place: a single SYN packet roughly once an
hour (the packets above are about 52 minutes apart) directed at the network
mentioned above. It does not appear that the scan is also directed at other
networks, but that cannot be proven from this sensor. The scanner seems to be
picking IPs on 170.129 at random; there is no noticeable pattern such as
incrementing IPs, and even the time of day at which each probe arrives looks
arbitrary. Of note is the ending of the timestamps, which consistently
finishes with 6507. That is strange behaviour indeed, and a little too odd to
be purely coincidental in this analyst's opinion, though I was unable to find
any correlation for this odd time behaviour.
Furthermore we can speculate that the offending machine is possibly running
Linux, as the TTL is 46 (45 in two of the packets) throughout, which is
consistent with an initial TTL of 64 decremented over 18 or 19 hops. It also
seems a little odd that this remains so consistent throughout the trace.
Taking this stable TTL together with the oddly matching timestamps leads me to
believe that this is an automated tool; we would expect some small variance
given that the scan is done at different times of day.
The window size is set to 1024, which is not consistent with the default of
any of the popular operating systems. We can also see in the trace that no
maximum segment size option is present, and this option should definitely be
present in an initial SYN packet from a normal TCP stack. This could presumably
indicate that it is not a random tool at work directed at some random net
block, but possibly active targeting. CVE-1999-0291
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0291>
gives a standardized name and a brief description to the weakness this type of
scan looks for (a proxy installed without a password).
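As an added example (not part of the original detect), the following Python decodes the raw bytes of the first two packets from the windump output above, applies the matching logic of Snort SID 615 (SYN-only to port 1080 from outside $HOME_NET, assumed here to be 170.129/16), and extracts the fingerprint fields discussed above: the TTL with the implied initial TTL and hop count, the window size, the presence of the MSS option, and the ACK number equalling the SEQ number with no ACK flag set, which the hex dumps show. The third packet, a normal SYN to port 80 from 10.0.0.1 with the usual options, is constructed here for contrast and is not from the trace.

```python
"""Decode the SYN packets from the windump hex dumps above, apply the logic of
Snort SID 615, and extract the fingerprint fields discussed in the text."""
import socket
import struct
from dataclasses import dataclass

# Hex bytes copied from the 0x0000-0x0020 lines of the first two packets in the
# trace above (the IP header starts at offset 0; Ethernet framing is not shown).
PAGE_PACKETS = {
    "19:43:59.236507": "4500 0028 ceb9 0000 2e06 b51d ca6c fecc aa81 953e "
                       "d0dd 0438 6deb 8587 6deb 8587 5002 0400 e6ed 0000",
    "20:36:23.816507": "4500 0028 73ef 0000 2e06 cdf0 ca6c fecc aa81 d735 "
                       "0b51 0438 4749 c18c 4749 c18c 5002 0400 3fbd 0000",
}
# Constructed for contrast (not from the page): a typical host SYN to port 80 from
# 10.0.0.1 with TTL 64, DF set, window 64240 and MSS/SACK/window-scale options.
BENIGN_SYN = ("4500 0034 1234 4000 4006 0000 0a00 0001 aa81 953e "
              "c000 0050 0000 0001 0000 0000 8002 faf0 0000 0000 "
              "0204 05b4 0402 0103 0307 0101")

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
HOME_NET = "170.129."   # assumption: $HOME_NET for this trace is 170.129/16


@dataclass
class TcpPacket:
    src: str
    dst: str
    ttl: int
    ip_id: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    options: bytes


def parse_ipv4_tcp(raw: bytes) -> TcpPacket:
    """Minimal IPv4 + TCP header decoder (no checksum verification)."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    return TcpPacket(socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, ip_id,
                     sport, dport, seq, ack, off_flags & 0x01FF, window,
                     tcp[20:data_off])


def option_kinds(options: bytes) -> set:
    """TCP option kinds present (2 = MSS, 3 = window scale, 4 = SACK permitted)."""
    kinds, i = set(), 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        kinds.add(kind)
        i += max(options[i + 1], 2)   # guard against a zero length byte
    return kinds


def matches_sid_615(pkt: TcpPacket) -> bool:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (flags:S,12; ...)
    flags:S,12 = exactly SYN set, ignoring the two reserved (ECN) bits."""
    external = not pkt.src.startswith(HOME_NET)
    home = pkt.dst.startswith(HOME_NET)
    return external and home and pkt.dport == 1080 and (pkt.flags & 0x3F) == SYN


def fingerprint(pkt: TcpPacket) -> dict:
    """Fields the text uses to reason about the scanner's stack and tool."""
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= pkt.ttl)
    return {
        "ttl": pkt.ttl,
        "initial_ttl_guess": initial_ttl,
        "hops_estimate": initial_ttl - pkt.ttl,
        "window": pkt.window,
        "has_mss_option": 2 in option_kinds(pkt.options),
        # The trace's SYNs carry an ACK number equal to SEQ although ACK is not
        # set; a normal stack sends 0 there, so this is a tool artifact.
        "ack_equals_seq_without_ack_flag": (pkt.ack == pkt.seq) and not (pkt.flags & ACK),
    }


def analyse(hexdump: str) -> dict:
    pkt = parse_ipv4_tcp(bytes.fromhex(hexdump))
    return {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
            "sid_615": matches_sid_615(pkt), **fingerprint(pkt)}


if __name__ == "__main__":
    for ts, hexdump in PAGE_PACKETS.items():
        print(ts, analyse(hexdump))
    print("benign", analyse(BENIGN_SYN))
```

Both page packets match the rule and show the same profile (TTL 46 from an assumed initial 64, window 1024, no MSS, ACK equal to SEQ); the constructed port-80 SYN does not match and carries the options a real stack sends.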
Attack mechanism
The attack mechanism is based on stimulus/response behaviour, used to gain
some insight into the availability of SOCKS proxy services. A TCP packet with
the SYN flag set is sent in the hope of receiving a response such as a
SYN-ACK, which would indicate that a SOCKS proxy is possibly available for use.
The reason someone would look for a response on port 1080 is first to do some
reconnaissance, enabling the would-be attacker to identify active hosts.
Once the attacker has identified which hosts have port 1080 open, he can then
make use of those machines' IPs to perform malicious activity. Should the proxy
server be misconfigured or have a weak or missing password, he could direct his
attacks towards other networks through that machine's proxy, camouflaging
himself as that IP, or simply surf the Internet anonymously.
Furthermore, there are people who dedicate some of their scanning results to
websites listing who has these improperly configured proxies; I have included
a link below that serves as an example:
<http://www.rrdb.org/prodb.php?l=en>
There are also tools available that will automatically hunt for proxy servers:
all you have to do is choose which net block is of interest and the script
will do the rest for you. Below is an example of one such tool:
http://prdownloads.sourceforge.net/yaph/yaph-0.91.tar.gz?download
Correlations
Bruce Auburn, LOGS: GIAC GCIA Version 3.3 Practical Detect(s), has a very
thorough analysis of a SOCKS proxy scan:
http://cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00360.html
CVE-1999-0291
Description: The WinGate proxy is installed without a password, which allows
remote attackers to redirect connections without authentication.
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0291>
This link provides some insight into the typical settings of various operating
systems as seen in packet traces:
http://project.honeynet.org/papers/finger/traces.txt
Snort has a short but very good description that includes some of the most
important details when dealing with improperly configured SOCKS servers:
<http://www.snort.org/snort-db/sid.html?sid=615>
This link provides an example of a tool that can be used to hunt for open
proxies:
http://yaph.sourceforge.net/
Evidence of active targeting
The target network is probed about once an hour, and the scanner seems to want
to remain undetected. We can see a SYN packet sent approximately every 50
minutes or more to random machines. This leads me to believe that the scanner
is attempting a low-and-slow scan of our network, possibly targeting this
network specifically, although it is possible that the scan includes other
networks outside of our sensor coverage.
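The timing argument above can be checked directly. This added Python (not from the original post) takes the six sensor timestamps from the trace, computes the inter-arrival gaps across the midnight rollover, checks whether every timestamp shares the same trailing digits, and applies a simple low-and-slow heuristic: a mean gap of at least ten minutes with less than one percent spread between the longest and shortest gap. The 600-second and one-percent thresholds are assumptions chosen for this trace, not published values.

```python
"""Inter-arrival analysis of the six SYN timestamps in the trace above."""
import re

# Sensor timestamps (hh:mm:ss.ffffff) of the six packets shown in the trace.
TRACE_TIMESTAMPS = [
    "19:43:59.236507", "20:36:23.816507", "21:28:48.676507",
    "22:21:13.116507", "23:13:37.586507", "00:06:02.316507",
]
TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})$")
DAY_US = 86_400 * 1_000_000


def to_microseconds(ts: str) -> int:
    """Time of day in microseconds."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"bad timestamp: {ts!r}")
    h, mi, s, us = (int(g) for g in m.groups())
    return (h * 3600 + mi * 60 + s) * 1_000_000 + us


def inter_arrival_gaps_us(timestamps) -> list:
    """Gaps between consecutive packets in microseconds; a step backwards in
    time of day is treated as the midnight rollover seen between 23:13 and 00:06."""
    absolute, offset, prev = [], 0, None
    for ts in timestamps:
        t = to_microseconds(ts)
        if prev is not None and t < prev:
            offset += DAY_US
        prev = t
        absolute.append(t + offset)
    return [b - a for a, b in zip(absolute, absolute[1:])]


def common_suffix(timestamps, digits: int = 4):
    """The trailing digits shared by every timestamp, or None if they differ."""
    suffixes = {ts[-digits:] for ts in timestamps}
    return suffixes.pop() if len(suffixes) == 1 else None


def analyse_timing(timestamps, min_gap_s: int = 600, max_spread_frac: float = 0.01) -> dict:
    """Flag a low-and-slow pattern: long gaps (>= min_gap_s) that are also
    regular (max-min spread within max_spread_frac of the mean gap).
    Thresholds are assumptions chosen for this trace."""
    gaps = inter_arrival_gaps_us(timestamps)
    mean_gap = sum(gaps) // len(gaps)
    spread = max(gaps) - min(gaps)
    return {
        "gaps_us": gaps,
        "mean_gap_us": mean_gap,
        "gap_spread_us": spread,
        "constant_suffix": common_suffix(timestamps),
        "low_and_slow": mean_gap >= min_gap_s * 1_000_000
                        and spread <= max_spread_frac * mean_gap,
    }


if __name__ == "__main__":
    r = analyse_timing(TRACE_TIMESTAMPS)
    print(f"mean gap {r['mean_gap_us'] / 1e6:.2f}s, spread {r['gap_spread_us'] / 1e6:.2f}s, "
          f"suffix {r['constant_suffix']}, low-and-slow: {r['low_and_slow']}")
```

On the trace the gaps come out at about 52 minutes 24 seconds each with less than half a second of spread, so the probes are regular as well as slow: a portscan threshold that counts SYNs per minute or per few minutes will never fire on this, which is why the single-packet rule (SID 615) is what caught it.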
Severity
Severity is calculated in the following manner:
severity = (criticality + lethality) - (system countermeasures + network countermeasures)
Criticality
The attacker is seen scanning random IPs, so we can assume that no
reconnaissance work has been done previously. Very little is known about our
target hosts and the services they offer; I can only assume that they are
normal user machines, so I will assign 2.
Lethality
Should a SOCKS proxy server be available to the scanner, he would have the
ability to stage attacks using those IPs as a front, and he could possibly
gain further access to internal networks as a result of having that IP. I will
assign 4.
System countermeasures
Little is known about the hosts' network, which leads me to give a less than
average mark for system countermeasures; I will assign 2.
Network counter measures
I can only assume that the perimeter device is dropping all outbound SYN-ACKs,
as there is no evidence of the target hosts replying; I will assign 3.
Severity = (2 + 4) - (2 + 3) = 1
Defensive recommendations
If a SOCKS proxy server is required, ensure that only the necessary services
are offered, such as HTTP, and that only internal or recognized IPs have
access to the proxy server; inbound connections to port 1080 from the Internet
should be blocked at the perimeter. When reviewing logs, verify that only
authorized traffic and authorized users are seen using the SOCKS server, and
of course require strong passwords.
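As an added example of what the scanner (or an auditor of one's own proxy) does once a SYN-ACK comes back, and of the access control the recommendations above describe, the following Python implements the SOCKS5 method negotiation from RFC 1928; this handshake is not shown in the post and the code is not from it. It builds the client greeting, interprets the server's method selection, and runs it against two simulated servers constructed here: a misconfigured one that accepts "no authentication" from any client (the weak or missing password case), and a hardened one that refuses clients outside assumed internal ranges (170.129.0.0/16 and 10.0.0.0/8) and only offers username/password. probe() runs the same check against a live proxy and is not exercised offline.

```python
"""SOCKS5 method negotiation (RFC 1928): the step a scanner takes after the SYN
scan finds port 1080 open, and the answers an open versus a hardened proxy give."""
import ipaddress
import socket

VER = 0x05
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
METHOD_NAMES = {
    NO_AUTH: "open (no authentication)",
    USER_PASS: "username/password required",
    NO_ACCEPTABLE: "rejected (no acceptable method)",
}


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client hello: VER | NMETHODS | METHODS. Open-proxy scanners offer NO_AUTH only."""
    return bytes([VER, len(methods), *methods])


def parse_method_selection(reply: bytes) -> int:
    """Server answer: VER | METHOD (0xFF means the client must close)."""
    if len(reply) != 2 or reply[0] != VER:
        raise ValueError("not a SOCKS5 method selection")
    return reply[1]


def classify(reply: bytes) -> str:
    method = parse_method_selection(reply)
    return METHOD_NAMES.get(method, f"method 0x{method:02x}")


def offered_methods(greeting: bytes) -> bytes:
    return greeting[2:2 + greeting[1]]


# --- two simulated servers, constructed for this example (not real proxy software) ---

def misconfigured_server(greeting: bytes, client_ip: str) -> bytes:
    """Accepts NO_AUTH from any client: anyone on the Internet can relay through it."""
    methods = offered_methods(greeting)
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


# Assumed internal ranges for the hardened server; adjust to your own network.
INTERNAL = [ipaddress.ip_network("170.129.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def hardened_server(greeting: bytes, client_ip: str) -> bytes:
    """Only internal clients may negotiate, and only username/password is offered.
    (In a real deployment the perimeter should drop the TCP connection first.)"""
    if not any(ipaddress.ip_address(client_ip) in net for net in INTERNAL):
        return bytes([VER, NO_ACCEPTABLE])
    methods = offered_methods(greeting)
    return bytes([VER, USER_PASS if USER_PASS in methods else NO_ACCEPTABLE])


def audit(server, client_ip: str, methods=(NO_AUTH,)) -> str:
    """Run the negotiation against a simulated server and classify its answer."""
    return classify(server(build_greeting(methods), client_ip))


def probe(host: str, port: int = 1080, timeout: float = 5.0) -> str:
    """The same check against a live proxy you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting())
        return classify(s.recv(2))


if __name__ == "__main__":
    scanner_ip, inside_ip = "202.108.254.204", "170.129.10.5"
    print("misconfigured, external client:", audit(misconfigured_server, scanner_ip))
    print("hardened, external client:     ", audit(hardened_server, scanner_ip))
    print("hardened, internal, no-auth:   ", audit(hardened_server, inside_ip))
    print("hardened, internal, user/pass: ", audit(hardened_server, inside_ip, (NO_AUTH, USER_PASS)))
```

The greeting is two or three bytes, so a scanner that has already seen the SYN-ACK needs only one more round trip to learn whether the proxy is open; the hardened server's refusal is what the log review in the recommendations should show for any external source.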
Multiple choice question
Why would a SOCKS proxy server be the target of malicious users?
A) Attackers can masquerade their IP as being the target host's IP.
B) Attackers can gain further access to the target host's network.
C) Attackers can surf the web freely.
D) All of the above.
Answer: D) all of the above.
References:
Microsoft has identified flaws in its proxy server: some Winsock servers may
incorrectly handle requests from remote hosts, resulting in a denial of
service. A patch is available at the URL below:
<http://www.microsoft.com/downloads/details.aspx?familyid=c81688b7-20fb-45eb-bafd-031a0d2923e6&displaylang=en>
This article reviews many types of scan in their most basic forms:
<http://www.auditmypc.com/freescan/readingroom/port_scanning.asp>
Example of a list of available proxies, serving as an example of websites
offering open proxies:
<http://www.rrdb.org/prodb.php?l=en>
Snort.org description:
<http://www.snort.org/snort-db/sid.html?id=615>
Stephen Breault
Master Seaman
Shift 4 Supervisor
DND Computer Incident Response Team (DND CIRT)
Canadian Forces Network Operations Centre
Téléphone / Phone: (613) 945-7746 CSN: 849-7746
Télécopieur / Fax: (613) 945-6407
Courrier électronique / E-Mail: <mailto:Breault.SM at forces.gc.ca>
DWAN: <mailto: Breault MS SH at ADM(IM)
CFS Leitrim at Ottawa-HullCFNOC@Ottawa-Hull>
Building/Edifice: CFS Leitrim
DIN: <http://img.mil.ca/cfiog-ipc/ops/cirt/>
***** Computer security incident? Call 613-945-7777 or toll free
1-877-DND-CIRT ******
***** Incident informatique? Appelez le 613-945-7777 ou sans frais
1-877-DND-CIRT ******