[Intrusions] LOGS: GIAC GCIA Version 3.4 PraticalDetectStephenBreault

Breault.SM at forces.gc.ca Breault.SM at forces.gc.ca
Wed Jun 9 02:50:15 GMT 2004


Thanks for the reply; your effort in this matter is truly appreciated. ->>>>>
marks where my answers to your questions/suggestions are.


06 Jun 04

Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
I reserve the right to be wrong but don't exercise it too often.


Can you spoof a MAC address outside your LAN?
What would be the value of spoofing the MAC outside your LAN?

->>>>Absolutely, tools like SMAC can help do this. The reason you would
want to spoof a MAC can be to access a wireless network whose authentication
and authorization is based on MAC, or simply, for legitimate reasons, to test
your network. http://www.klcconsulting.net/smac/



I have cut this to the 1st packet and 4th.
Look at the source port and the ID. Notice anything unusual?
The IDs and ports nearly match. I suspect this was done by a tool that had
a flawed pseudo-random generator filling the ID and source port number.
Crafted!?!

->>>>I agree that the packets might be crafted, although there is nothing
that can actually pinpoint the fact that this might be a flawed pseudo-random
generator filling the ID and source port numbers, as there is no
mathematical evidence to go by. Although it is not entirely impossible, I
have to concentrate on hard facts and would not want to make a wrong
assumption based on speculation.


Now if you look at the times of the packets they are mostly 52 minutes apart.
So a scheduled scan (you mention this below in the proper spot, but the times
correlate better than you imply).

->>>>> Good call on the time; I should have been more attentive to the small
details.
  
> 19:43:59.236507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: IP (tos 0x0, ttl 46, id 52921, len 40) 202.108.254.204.53469 > 170.129.149.62.1080: S [tcp sum ok] 1844151687:1844151687(0) win 1024
> 0x0000   4500 0028 ceb9 0000 2e06 b51d ca6c fecc        E..(.........l..
> 0x0010   aa81 953e d0dd 0438 6deb 8587 6deb 8587        ...>...8m...m...
> 0x0020   5002 0400 e6ed 0000 0000 0000 0000             P.............
> 

<SNIP>

> 
> 22:21:13.116507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: IP (tos 0x0, ttl 45, id 52742, len 40) 202.108.254.204.53269 > 170.129.212.139.1080: S [tcp sum ok] 1612303946:1612303946(0) win 1024
> 0x0000   4500 0028 ce06 0000 2d06 7783 ca6c fecc        E..(....-.w..l..
> 0x0010   aa81 d48b d015 0438 6019 ce4a 6019 ce4a        .......8`..J`..J
> 0x0020   5002 0400 3286 0000 0000 0000 0000             P...2.........

<SNIP>


Network countermeasures
> I can only assume that the perimeter device is dropping all
> SYN-ACKs outbound as there is no evidence of the target host
> replying. I will assign a 3.

Not the assumption I would make. You're assuming systems are responding on
1080 but the responses are being dropped?
Based on your assumption above that these are normal user machines, do those
typically have 1080 open?

->>>>>You're right; should these ports be closed on normal user machines, you
would expect a reset as a response.




> Multiple choice question
> 
> Why would a SOCKS proxy server be the target of malicious users?
> 
> 	A)	Attackers can masquerade their IP as being the target host IP.
> 	B)	Attackers can gain further access to the target host's network.
> 	C)	Attackers can surf the web freely.
> 	D)	All of the above
> 
> Answer is D) all of the above.

The notes for this assignment make it clear that there should be a single
answer (not all of the above). You're likely to lose a few points if you don't
modify this.



->>>>> Multiple choice question
> 
> Why would a SOCKS proxy server be the target of malicious users?
> 
> 	A)	Attackers can masquerade their IP as being the target host,
> gain access to the network or simply surf the net freely.
> 	B)	Attackers can set up some type of P2P.
> 	C)	Mostly used for gaming purposes.
> 	D)	All of the above.
> 
->>>>> Answer is A) attackers can masquerade themselves, gain access to the
network and just simply surf the internet freely.



Stephen Breault
Master Seaman 
Shift 4 Supervisor
DND Computer Incident Response Team (DND CIRT) 
Canadian Forces Network Operations Centre 
 
Téléphone / Phone: (613) 945-7746 CSN:  849-7746 
Télécopieur / Fax: (613) 945-6407 
Courrier électronique / E-Mail:  <mailto:Breault.SM at forces.gc.ca>
                                    DWAN:  <mailto: Breault MS SH at ADM(IM)
CFS Leitrim at Ottawa-HullCFNOC@Ottawa-Hull>
Building/Edifice:  CFS Leitrim 
DIN:  <http://img.mil.ca/cfiog-ipc/ops/cirt/>

***** Computer security incident? Call 613-945-7777 or toll free
1-877-DND-CIRT ******
***** Incidents informatiques? Appelez 613-945-7777 ou sans frais
1-877-DND-CIRT ******




-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith at qwest.com]
Sent: Sunday, June 06, 2004 10:49 PM
To: Intrusions List (GCIA Practicals); intrusions at incidents.org
Subject: RE: [Intrusions] LOGS: GIAC GCIA Version 3.4
PraticalDetectStephenBreault




Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
I reserve the right to be wrong but don't exercise it too often.


> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> Breault.SM at forces.gc.ca
> Sent: Saturday, June 05, 2004 3:41 PM
> To: intrusions at incidents.org
> Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Pratical 
> DetectStephenBreault
> 
> 
> This detect will be used as part of my practical; any
> questions or comments will be appreciated. Thanks.
> 
> Source of trace
> This detect can be found in the incident.org/logs/raw file
> 2002.10.18. The following command was used:
> 
> windump -r 2002.10.18 -nvXes 1500 ip and host 202.108.254.204 and net 170.129 and dst port 1080 | more
> 
> Although the network cannot be determined with absolute certainty, I
> have included below a suspected network diagram. I should also note
> that although the MAC addresses are included, these are just as easily
> spoofed.

Can you spoof a MAC address outside your LAN?
What would be the value of spoofing the MAC outside your LAN?

> 
> CISCO DEVICE MAC 0:3:e3:d9:26:c0
>          |
>          |
>          |___________IDS Sensor
>          |
>          |
> CISCO DEVICE MAC 0:0:c:4:b2:33
> 

I have cut this to the 1st packet and 4th.
Look at the source port and the ID. Notice anything unusual?
The IDs and ports nearly match. I suspect this was done by a tool that had
a flawed pseudo-random generator filling the ID and source port number.
Crafted!?!
Now if you look at the times of the packets they are mostly 52 minutes apart.
So a scheduled scan (you mention this below in the proper spot, but the times
correlate better than you imply).

  
> 19:43:59.236507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: IP (tos 0x0, ttl 46, id 52921, len 40) 202.108.254.204.53469 > 170.129.149.62.1080: S [tcp sum ok] 1844151687:1844151687(0) win 1024
> 0x0000   4500 0028 ceb9 0000 2e06 b51d ca6c fecc        E..(.........l..
> 0x0010   aa81 953e d0dd 0438 6deb 8587 6deb 8587        ...>...8m...m...
> 0x0020   5002 0400 e6ed 0000 0000 0000 0000             P.............
> 

<SNIP>

> 
> 22:21:13.116507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60: IP (tos 0x0, ttl 45, id 52742, len 40) 202.108.254.204.53269 > 170.129.212.139.1080: S [tcp sum ok] 1612303946:1612303946(0) win 1024
> 0x0000   4500 0028 ce06 0000 2d06 7783 ca6c fecc        E..(....-.w..l..
> 0x0010   aa81 d48b d015 0438 6019 ce4a 6019 ce4a        .......8`..J`..J
> 0x0020   5002 0400 3286 0000 0000 0000 0000             P...2.........

<SNIP>
 
> 
> Detect was generated by
> This detect was generated by Snort Win32 IDS version 1.9.1.
> The following command was entered to run Snort, thus enabling
> me to search through the alert files that were created.
> 
> snort -c /path/snort.conf -r /path/2002.10.18 -l /path/snort.log
> 
> Below is the actual alert that was generated by Snort:
> 
> [**] [1:615:4] SCAN SOCKS Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
> 202.108.254.204:53469 -> 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921 IpLen:20 DgmLen:40
> ******S* Seq: 0x6DEB8587  Ack: 0x6DEB8587  Win: 0x400  TcpLen: 20
> [Xref => http://help.undernet.org/proxyscan/]
> 
> After looking into the folder assigned to the IP that
> generated the alarms, the following was discovered.
> 
> 
> [**] SCAN SOCKS Proxy attempt [**]
> 11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x3C
> 202.108.254.204:53469 -> 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921 IpLen:20 DgmLen:40
> ******S* Seq: 0x6DEB8587  Ack: 0x6DEB8587  Win: 0x400  TcpLen: 20
> 0x0000: 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00  .....3....&...E.
> 0x0010: 00 28 CE B9 00 00 2E 06 B5 1D CA 6C FE CC AA 81  .(.........l....
> 0x0020: 95 3E D0 DD 04 38 6D EB 85 87 6D EB 85 87 50 02  .>...8m...m...P.
> 0x0030: 04 00 E6 ED 00 00 00 00 00 00 00 00              ............
> 
> 
> Below is the rule that detected the activity. It specifies that
> any host on the external net sending a SYN packet to port 1080 on
> the home net triggers the alert message "SCAN SOCKS Proxy
> attempt"; it is classified as attempted recon and has SID 615,
> this being the fourth revision.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
> 
> Probability the source address was spoofed
> It is unlikely that the source address is spoofed. In this
> case there is an attempt at discovering possible open SOCKS
> proxies; this is done by sending a SYN packet
> to a target, which, if configured to offer the desired
> service, will then respond with a SYN-ACK indicating that it
> is ready to initiate the rest of the TCP handshake
> sequence. As such, the attacker that is attempting to discover
> open proxies will need to get a response to effectively
> determine the state of the desired target.
> DShield.org has recognized the IP as belonging to a net in
> China. Of course there is a very slim possibility that the IP
> would be spoofed, but as mentioned above
> it is very unlikely if the intention is to get a response back.
> 
> IP Address: 202.108.254.204  HostName: 202.108.254.204
> DShield Profile:
> Country: CN
> Contact E-mail: chunguangcanlanxiaobajie at sina.com
> AS Number: 4808
> Total Records against IP: not processed
> 
> Description of the attack
> The offending IP in this case is 202.108.254.204, which is
> scanning for the SOCKS proxy server port 1080 on the subnet
> 170.129.x.x. This scan is done in a
> manner which attempts to allow the attacker a degree of
> stealth. They are attempting to evade possible detection
> measures in place. The method used is
> a single SYN packet every other hour directed at the subnet
> mentioned above.
> 
> 
> It does not seem that this scan may be directed at other
> networks beyond this one, but that cannot be proven
> definitively. The scanner seems to be looking for
> IPs on subnet 170.129 at random; there is no noticeable
> pattern such as incrementing IPs, and even the
> computer-generated time stamp is random every other hour. Of note is
> the ending of the time stamp, which consistently ends with
> 6507. It is strange behavior indeed and a little too odd to
> be purely coincidental in this analyst's opinion, though I
> was unable to find any correlation for this odd time behavior.
> 
> Furthermore, we can speculate that the offending machine is
> possibly a Linux operating system, as the TTLs are 46
> throughout; again, this also seems a little odd, that this
> remains consistent throughout the trace. Taking this same TTL
> plus the oddball matching computer timestamps would lead me
> to believe that this is an automated tool. We should see some
> small variance given that the scan is done at different times of day.
> 
> The window size is set to 1024, which is not consistent with
> any of the popular operating systems. We can also determine
> according to the trace that the maximum
> segment size is not present, and this should definitely be
> present in the initial SYN packet. This could presumably
> indicate that it is not a random tool at work directed
> at some random net block but possibly active targeting. There
> is a CVE-1999-0291
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0291>
> which offers a standardized name and a brief explanation of
> this type of scan.
> 
> Attack mechanism
> The attack mechanism is based on the stimulus/response
> behavior in order to gain some insight on the availability of
> the SOCKS proxy services. A TCP packet with
> the SYN flag set is sent in the hopes of receiving a response
> such as a SYN-ACK, which would indicate that the SOCKS proxy
> is possibly available for use.
> 
> The reason why someone would be looking for a response on
> port 1080 is to first do some reconnaissance work enabling
> the would-be attacker to identify active hosts.
> Once the attacker has identified which host has port 1080
> available, he can then make use of that machine's IP to
> perform malicious activity. Should the proxy server
> be misconfigured or have a weak or missing password, he could
> then direct his attack towards other networks by using the
> proxy server of that machine, camouflaging
> himself as that IP, or simply surf the internet anonymously.
> 
> Further to the above, there are some people who post
> some of their scanning results on websites, listing
> who has these improperly configured proxies; I've included a
> link below which serves as an example:
> <http://www.rrdb.org/prodb.php?l=en>
> 
> There are some tools out there available for use that will
> automatically hunt for proxy servers; all you have to do is
> choose which net block is of interest and the script will do
> the rest for you. Below is an example of one tool:
> http://prdownloads.sourceforge.net/yaph/yaph-0.91.tar.gz?download
> 
> Correlations
> 
> Bruce Auburn's LOGS: GIAC GCIA Version 3.3 Practical Detect(s)
> has a very thorough analysis of a SOCKS proxy scan:
> http://cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00360.html
> 
> CVE-1999-0291
> Description = The WinGate proxy is installed without a
> password, which allows remote attackers to redirect
> connections without authentication.
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0291>
> 
> This link provides some insight on some of the possible OSs,
> using typical settings that you would see in packet traces:
> http://project.honeynet.org/papers/finger/traces.txt
> 
> Snort has a short but very good description that includes
> some of the most important details when dealing with
> improperly configured SOCKS servers:
> <http://www.snort.org/snort-db/sid.html?sid=615>
> 
> This link provides an example of a tool that can be used to
> hunt for open proxies: http://yaph.sourceforge.net/
> 
> 
> Evidence of active targeting
> The targeted machine is scanned every hour; the scanner seems
> to want to remain undetected. We can determine that there is
> a SYN packet sent approximately
> every 50 minutes or more at random machines. This leads me to
> believe that the scanner is attempting a low and slow scan of
> our network, possibly targeting the
> network, although it is possible that the scan includes other
> networks outside of our sensor coverage.
> 
> Severity
> Severity is calculated in the following manner:
> 
> severity = (criticality + lethality) - (system countermeasures + network countermeasures)
> 
> Criticality
> The attacker is seen scanning random IPs; as such we can
> assume that no reconnaissance work has been done previously.
> Very little is known about our target hosts
> and the services they offer. I can only assume that they are
> normal user machines; as such I will assign a 2.
> 
> Lethality
> Should a SOCKS proxy server be available to the scanner, he
> would have the ability to stage attacks utilizing those IPs
> as a front, and he could possibly have further
> access to internal networks as a result of having said IP. I
> will assign a 4.
>  
> System countermeasures
> Little is known about the hosts' network, which leads me to
> give a less than average mark for system countermeasures. I
> will assign a 2.
> 
> Network countermeasures
> I can only assume that the perimeter device is dropping all
> SYN-ACKs outbound as there is no evidence of the target host
> replying. I will assign a 3.

Not the assumption I would make. You're assuming systems are responding on
1080 but the responses are being dropped?
Based on your assumption above that these are normal user machines, do those
typically have 1080 open?


> 
> Defensive recommendations
> If it is required to use a SOCKS proxy server, ensure that
> only the necessary services are offered, such as HTTP. Ensure
> that only the internal or recognized IPs have
> access to the proxy server. When reviewing logs, verify that
> only authorized traffic and authorized users are seen using
> the SOCKS server, and of course a strong
> password is required.
> 
> 
> 
> Multiple choice question
> 
> Why would a SOCKS proxy server be the target of malicious users?
> 
> 	A)	Attackers can masquerade their IP as being the target host IP.
> 	B)	Attackers can gain further access to the target host's network.
> 	C)	Attackers can surf the web freely.
> 	D)	All of the above
> 
> Answer is D) all of the above.

The notes for this assignment make it clear that there should be a single
answer (not all of the above). You're likely to lose a few points if you don't
modify this.

> 
> References:
> Microsoft has identified some flaws in the proxy server; it
> describes that some of the Winsock servers may incorrectly
> handle requests from remote hosts, resulting in a denial of
> service. They have made a patch available to rectify this; you
> can find the URL below:
> <http://www.microsoft.com/downloads/details.asps?familyid=c81688b7-20fb-45eb-bafd-031aod2923e6&displaylang=en>
> 
> This is an article that reviews many types of scans in their most basic
> forms:
> <http://www.auditmypc.com/freescan/readingroom/port_scanning.asp>
> 
> Example of a list of available proxies: <http://www.rrdb.org/prodb.php?l=en>
> 
> Snort.org description:
> <http://www.snort.org/snort-db/sid.html?id=615>
> 
> The link below serves as an example of websites offering open proxies:
> <http://www.rrdb.org/prodb.php?l=en>
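The two SYN probes quoted in this detect can be checked mechanically rather than by eye. The Python below is an added example for this thread, not code from the original post, from Snort or from windump: it parses the two windump -X hex dumps quoted above (copied verbatim), decodes the IP and TCP headers, verifies both checksums (what windump's "[tcp sum ok]" reports for TCP), re-implements the match logic of Snort rule sid 615 (dst port 1080, flags:S,12; $HOME_NET is assumed to be 170.129.0.0/16, which the detect implies but never states), and lists the fields the reviewers argue about: IP ID against source port, TTL, window size, TCP options, and the gap between the two timestamps.

```python
"""Decode and sanity-check the two SYN probes quoted in this detect.

Added example for this thread, not code from the original post, Snort or
windump. $HOME_NET is assumed to be 170.129.0.0/16 (implied, not stated).
"""
import struct
from datetime import datetime

# Hex dumps of the 1st and 4th packet, copied from the windump output quoted above.
PACKET_1 = """\
0x0000   4500 0028 ceb9 0000 2e06 b51d ca6c fecc        E..(.........l..
0x0010   aa81 953e d0dd 0438 6deb 8587 6deb 8587        ...>...8m...m...
0x0020   5002 0400 e6ed 0000 0000 0000 0000             P.............
"""
PACKET_4 = """\
0x0000   4500 0028 ce06 0000 2d06 7783 ca6c fecc        E..(....-.w..l..
0x0010   aa81 d48b d015 0438 6019 ce4a 6019 ce4a        .......8`..J`..J
0x0020   5002 0400 3286 0000 0000 0000 0000             P...2.........
"""
HEXCHARS = set("0123456789abcdefABCDEF")
SYN = 0x02
RESERVED_12 = 0xC0  # the two "reserved" bits that Snort's flags:S,12 ignores (today's CWR/ECE)

def parse_hexdump(text: str) -> bytes:
    """Collect the 16-bit hex words of windump -X lines; the ASCII column is skipped."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:]:
            if len(tok) != 4 or not set(tok) <= HEXCHARS:
                break  # first non-hex token starts the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; a header carrying a valid checksum folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode(raw: bytes) -> dict:
    """Decode IPv4/TCP; bytes beyond the IP total length are Ethernet padding (60-byte frame)."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    sport, dport, seq, _ack, off_flags, window, _sum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))  # TCP pseudo-header
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "ip_id": ip_id, "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x1FF, "window": window, "tcp_hdr_len": (off_flags >> 12) * 4,
        "ip_sum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,    # IP header checksum
        "tcp_sum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,  # TCP checksum
    }

def matches_sid615(p: dict, home_net: str = "170.129.") -> bool:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (flags:S,12; ...), with $HOME_NET assumed."""
    only_syn = (p["flags"] & 0xFF & ~RESERVED_12) == SYN
    return p["dst"].startswith(home_net) and not p["src"].startswith(home_net) and p["dport"] == 1080 and only_syn

def compare(probes) -> dict:
    """The fields the thread argues about, side by side for all probes."""
    return {
        "sport_minus_id": [p["sport"] - p["ip_id"] for p in probes],
        "ttls": sorted({p["ttl"] for p in probes}),
        "windows": sorted({p["window"] for p in probes}),
        "tcp_options_present": [p["tcp_hdr_len"] > 20 for p in probes],
    }

def minutes_between(t0: str, t1: str) -> float:
    """Gap between two windump timestamps (HH:MM:SS.ffffff) in minutes."""
    fmt = "%H:%M:%S.%f"
    return (datetime.strptime(t1, fmt) - datetime.strptime(t0, fmt)).total_seconds() / 60

if __name__ == "__main__":
    probes = [decode(parse_hexdump(PACKET_1)), decode(parse_hexdump(PACKET_4))]
    for p in probes:
        print(p, "-> sid 615 match:", matches_sid615(p))
    print(compare(probes))  # packets 1 and 4 span three intervals: divide the gap by 3
    print("mean gap (min):", round(minutes_between("19:43:59.236507", "22:21:13.116507") / 3, 1))
```

Run stand-alone it prints both decoded probes. The dumps give source-port-minus-ID offsets of 548 and 527 (close, but not a constant offset, which is why the "flawed generator" idea stays a suspicion rather than a finding), TTLs of 46 and 45 (the fourth packet arrived one hop further out, so the "consistent TTL" observation holds only approximately), window 1024, a 20-byte TCP header with no options, and 157.2 minutes between packets 1 and 4, i.e. about 52 minutes per interval as Donald Smith notes. Both the IP and the TCP checksums verify against the quoted bytes, which at least rules out a hand-edited dump.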







_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org http://www.dshield.org/mailman/listinfo/intrusions


