[Intrusions] LOGS: GIAC GCIA Version3.4PraticalDetectStephenBreault
Smith, Donald
Donald.Smith at qwest.com
Wed Jun 9 13:50:22 GMT 2004
Ok my comments on your comments on my comments will be marked with djs> :-)
Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
Brian Kernighan jokingly named it the Uniplexed Information and Computing System (UNICS) as a pun on MULTICS.
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> Breault.SM at forces.gc.ca
> Sent: Tuesday, June 08, 2004 8:50 PM
> To: intrusions at lists.sans.org
> Subject: RE: [Intrusions] LOGS: GIAC GCIA
> Version3.4PraticalDetectStephenBreault
>
>
> thanks for the reply, your effort in this matter is truly
> appreciated ->>>>> is where some of my answers to your
> questions/suggestions are.
>
>
> 06 Jun 04
>
> Donald.Smith at qwest.com GCIA
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> I reserve the right to be wrong but don't exercise it too often.
>
>
> Can you spoof a mac address outside your LAN?
> What would be the value of spoofing the mac outside your lan?
>
> ->>>>absolutely, tools like smac can help do this. The reason why you
> would want to spoof a mac can be to access a wireless network whose
> authentication and authorization is based on mac, or simply, for a
> legitimate reason, to test your network.
> http://www.klcconsulting.net/smac/
djs> I think you misunderstood my question.
djs> Can you spoof a mac address through a router?
djs> Phrased differently what does a router do to
djs> the source and destination mac addresses
djs> when it receives a packet on one interface
djs> and forwards it out another interface?
>
>
>
> I have cut this to the 1st packet and 4th.
> Look at the source port and the ID. Notice anything unusual?
> The ID's and ports nearly match. I suspect this was done by a
> tool that had a flawed pseudo random generator filling the ID
> and source port number.. Crafted!?!
>
> ->>>>I agree that the packets might be crafted, although there is
> nothing that can actually pinpoint the fact that this might be a
> flawed pseudo random generator filling the ID and source port
> numbers... as there is no mathematical evidence to go by,
> although it is not entirely impossible, I have to concentrate
> on hard facts and would not want to make a wrong assumption
> based on speculation.
djs> Did you go back to the logs and check for
djs> additional packets looking for similar similarities?
djs> I would recommend you concentrate on id and source
djs> port looking for "close" matches between packets as
djs> there was in the 1st and 4th packet. In the example
djs> I showed the 3rd digit of each number is the ONLY change
djs> between the 1st and 4th ID/source port!
>
>
> Now if you look at the times of the packets they are mostly
> 52mins apart. So a scheduled scan (you mention this below in
> the proper spot but the time correlate better than you imply).
>
> ->>>>> good call on the time, I should have been more attentive to the
> small details.
>
> > 19:43:59.236507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
> > IP (tos 0x0, ttl 46, id 52921, len 40) 202.108.254.204.53469 >
> > 170.129.149.62.1080: S [tcp sum ok]
> 1844151687:1844151687(0) win 1024
> > 0x0000 4500 0028 ceb9 0000 2e06 b51d ca6c fecc
> > E..(.........l..
> > 0x0010 aa81 953e d0dd 0438 6deb 8587 6deb 8587
> > ...>...8m...m...
> > 0x0020 5002 0400 e6ed 0000 0000 0000 0000
> P.............
> >
>
> <SNIP>
>
> >
> > 22:21:13.116507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60
> > : IP (tos 0x0, ttl 45, id 52742, len 40) 202.108.254.204.53269 >
> > 170.129.212.139.1080: S [tcp sum ok]
> 1612303946:1612303946(0) win 1024
> > 0x0000 4500 0028 ce06 0000 2d06 7783 ca6c fecc
> > E..(....-.w..l..
> > 0x0010 aa81 d48b d015 0438 6019 ce4a 6019 ce4a
> > .......8`..J`..J
> > 0x0020 5002 0400 3286 0000 0000 0000 0000
> P...2.........
>
> <SNIP>
>
>
> Network counter measures
> > I can only assume that the perimeter device is dropping all
> > syn-ack outbound as there is no evidence of the target host
> > replying, I will assign a 3
>
> Not the assumption I would make. You're assuming systems are
> responding on 1080 but the responses are being dropped? Based
> on your assumption above these are normal user machines; do
> those typically have 1080 open?
>
> ->>>>>You're right, should these ports be closed on normal
> user machines you would expect a reset as a response,
djs> Actually I would prefer OSs DON'T send a reset on closed ports.
djs> That makes mapping open (=!closed) ports trivial.
>
>
>
>
> > Multiple choice question
> >
> > Why would a socks proxy server be the target of malicious users.
> >
> > A) Attackers can masquerade their IP as being the
> > target host
> > IP.
> > B) Attackers can gain further access to the target hosts
> > network.
> > C) Attackers can surf the web freely.
> > D) All of the above
> >
> > Answer is D) all of the above.
>
> The notes for this assignment make it clear that there should
> be a single answer (not all the above). You're likely to lose
> a few points if you don't modify this.
>
>
>
> ->>>>> Multiple choice question
> >
> > Why would a socks proxy server be the target of malicious users.
> >
> > A) Attackers can masquerade their IP as being the
> target host
> gain access to the network or simply surf the net freely.
> > B) Attackers can set up some type of P2P.
>
> > C) Mostly used for gaming purposes
>
> > D) all of the above.
> >
> Answer is A) attackers can masquerade themselves, gain
> access to the network and just simply surf the internet freely.
djs> I like this qwestion better:-)
>
>
>
> Stephen Breault
> Master Seaman
> Shift 4 Supervisor
> DND Computer Incident Response Team (DND CIRT)
> Canadian Forces Network Operations Centre
>
> Téléphone / Phone: (613) 945-7746 CSN: 849-7746
> Télécopieur / Fax: (613) 945-6407
> Courrier électronique / E-Mail: <mailto:Breault.SM at forces.gc.ca>
> DWAN: <mailto: Breault
> MS SH at ADM(IM) CFS Leitrim at Ottawa-HullCFNOC@Ottawa-Hull>
> Building/Edifice: CFS Leitrim
> DIN: <http://img.mil.ca/cfiog-ipc/ops/cirt/>
>
> ***** Computer security incident? Call 613-945-7777 or toll
> free 1-877-DND-CIRT ******
> ***** Incident Informatiques? Apellez 613-945-7777 ou sans
> frais 1-877-DND-CIRT ******
>
>
>
>
> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> Sent: Sunday, June 06, 2004 10:49 PM
> To: Intrusions List (GCIA Practicals); intrusions at incidents.org
> Subject: RE: [Intrusions] LOGS: GIAC GCIA Version 3.4
> PraticalDetectStephenBreault
>
>
>
>
> Donald.Smith at qwest.com GCIA
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> I reserve the right to be wrong but don't exercise it too often.
>
>
> > -----Original Message-----
> > From: intrusions-bounces at lists.sans.org
> > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> > Breault.SM at forces.gc.ca
> > Sent: Saturday, June 05, 2004 3:41 PM
> > To: intrusions at incidents.org
> > Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Pratical
> > DetectStephenBreault
> >
> >
> > This detect will be used as part of my practical, any
> > questions or comments will be appreciated. thanks
> >
> > Source of trace
> > This detect can be found incident.org/logs/raw file
> > 2002.10.18. The following command was used; windump -r
> > 2002.10.18 -nvXes 1500 ip and host 202.108.254.204 and net
> > 170.129 and dst port 1080 | more
> >
> > Although the network cannot for absolute certainty be
> > determined, I have included below a suspected network diagram.
> > I should also note that although the mac addresses are included,
> > these are just as easily spoofed.
>
> Can you spoof a mac address outside your LAN?
> What would be the value of spoofing the mac outside your lan?
>
> >
> > CISCO DEVICE MAC 0:3:e3:d9:26:c0
> > |
> >
> > |
> > |___________IDS Sensor
> > |
> > |
> > CISCO DEVICE MAC 0:0:c:4:b2:33
> >
> >
> >
>
> I have cut this to the 1st packet and 4th.
> Look at the source port and the ID. Notice anything unusual?
> The ID's and ports nearly match. I suspect this was done by a
> tool that had a flawed pseudo random generator filling the ID
> and source port number.. Crafted!?! Now if you look at the
> times of the packets they are mostly 52mins apart. So a
> scheduled scan (you mention this below in the proper spot but
> the time correlate better than you imply).
>
>
> > 19:43:59.236507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60:
> > IP (tos 0x0, ttl 46, id 52921, len 40) 202.108.254.204.53469 >
> > 170.129.149.62.1080: S [tcp sum ok]
> 1844151687:1844151687(0) win 1024
> > 0x0000 4500 0028 ceb9 0000 2e06 b51d ca6c fecc
> > E..(.........l..
> > 0x0010 aa81 953e d0dd 0438 6deb 8587 6deb 8587
> > ...>...8m...m...
> > 0x0020 5002 0400 e6ed 0000 0000 0000 0000
> P.............
> >
>
> <SNIP>
>
> >
> > 22:21:13.116507 0:3:e3:d9:26:c0 0:0:c:4:b2:33 0800 60
> > : IP (tos 0x0, ttl 45, id 52742, len 40) 202.108.254.204.53269 >
> > 170.129.212.139.1080: S [tcp sum ok]
> 1612303946:1612303946(0) win 1024
> > 0x0000 4500 0028 ce06 0000 2d06 7783 ca6c fecc
> > E..(....-.w..l..
> > 0x0010 aa81 d48b d015 0438 6019 ce4a 6019 ce4a
> > .......8`..J`..J
> > 0x0020 5002 0400 3286 0000 0000 0000 0000
> P...2.........
>
> <SNIP>
>
> >
> > Detect was generated by
> > This detect was generated by snort Win 32 ids version 1.9.1.
> > The following command was entered to run snort thus enabling
> > me to search through the alert files that were created.
> >
> > Snort -c /path/snort.conf -r /path/2002.10.18 -l /path/snort.log
> >
> > Below is the actual alert that was generated by snort;
> >
> > [**] [1:615:4] SCAN SOCKS Proxy attempt [**]
> > [Classification: Attempted Information Leak] [Priority: 2]
> > 11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33
> > type:0x800 len:0x3C 202.108.254.204:53469 ->
> > 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921 IpLen:20 DgmLen:40
> > ******S* Seq: 0x6DEB8587 Ack: 0x6DEB8587 Win: 0x400
> > TcpLen: 20 [Xref => <http://help.undernet.org/proxyscan/>]
> >
> > After looking into the folder assigned to the IP that
> > generated the alarms the following was discovered.
> >
> >
> > [**] SCAN SOCKS Proxy attempt [**]
> > 11/17-19:43:59.236507 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33
> > type:0x800 len:0x3C 202.108.254.204:53469 ->
> > 170.129.149.62:1080 TCP TTL:46 TOS:0x0 ID:52921 IpLen:20 DgmLen:40
> > ******S* Seq: 0x6DEB8587 Ack: 0x6DEB8587 Win: 0x400 TcpLen: 20
> > 0x0000: 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00 45 00
> > .....3....&...E.
> > 0x0010: 00 28 CE B9 00 00 2E 06 B5 1D CA 6C FE CC AA 81
> > .(.........l....
> > 0x0020: 95 3E D0 DD 04 38 6D EB 85 87 6D EB 85 87 50 02
> > .>...8m...m...P.
> > 0x0030: 04 00 E6 ED 00 00 00 00 00 00 00 00
> ............
> >
> >
> > Below is the rule that detected the activity. It defines that
> > any external net looking for port 1080 by sending a Syn
> > packet to alert the following message of "SCAN SOCKS Proxy
> > attempt" it is classified as attempted recon and has a sid
> > 615, this is the fourth revision.
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN
> > SOCKS Proxy attempt"; flags:S,12;
> > reference:url,help.undernet.org/proxyscan/;
> > classtype:attempted-recon; sid:615; rev:4;)
> >
> > Probability the source address was spoofed
> > It is unlikely that the source address is spoofed. In this
> > case there is an attempt at discovering possible open sock
> > proxy, this is done by sending a Syn packet
> > to a target, which if configured to offer the desired
> > service, will then respond with a Syn Ack indicating that it
> > is ready to initiate the rest of the tcp handshake
> > sequence. As such the attacker that is attempting to discover
> > open proxy will need to get a response to effectively
> > determine the state of the desired target.
> > Dshield.org has recognized the IP as belonging to a net in
> > China, of course there is a very slim possibility that the IP
> > would be spoofed but as mentioned above
> > it is very unlikely if the intention is to get a response back.
> >
> > IP Address: 202.108.254.204 HostName: 202.108.254.204
> > DShield Profile:
> > Country: CN
> > Contact E-mail: chunguangcanlanxiaobajie at sina.com AS Number:
> > 4808 Total Records against IP: not processed Number of targets:
> > select update below Date Range: to Update Summary
> >
> > Description of the attack
> > The offending IP in this case is 202.108.254.204, which is
> > scanning for the socks proxy server port 1080 on the subnet
> > 170.129.x.x. This scan is done in a
> > manner, which attempts to allow the attacker a degree of
> > stealth. They are attempting to evade possible detection
> > measures in place. The method used is that
> > a single Syn packet every other hour directed at the subnet
> > mentioned above.
> >
> >
> > It does not seem that this scan may be directed at other
> > networks beyond this one, but that cannot be proven
> > definitively. The scanner seems to be looking for
> > IP's on subnet 170.129 at random, there is no noticeable
> > pattern such as incrementing IP's, and even the computer
> > generated time stamp is random every other hour. Of note is
> > the ending of the time stamp, which consistently ends with
> > 6507. It is strange behavior indeed and a little too odd to
> > be purely coincidental in this analyst's opinion, though I
> > was unable to find any correlation for this odd time behavior.
> >
> > Furthermore we can speculate that the offending machine is
> > possibly a linux operating system, as the ttl's are 46
> > throughout, again this also seems a little odd that this
> > remains consistent throughout the trace. Taking this same ttl
> > plus the oddball matching computer timestamps would lead me
> > to believe that this is a automated tool. We should see some
> > small variance given that the scan is done at different
> times of day.
> >
> > The window size is set to 1024, which is not consistent with
> > any of the popular operating systems. We can also determine
> > according to the trace that the maximum
> > segment size is not present and this should definitely be
> > present in the initial syn packet. This could presumably
> > indicate that it is not a random tool at work directed
> > at some random net block but possibly active targeting. There
> > is a CVE-1999-0291
> > <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0291>
> > which offers a standardized name and a brief explanation of
> > this type of scan.
> >
> > Attack mechanism
> > The attack mechanism is based on the stimulus/response
> > behavior in order to gain some insight on the availability of
> > the socks proxy services. A tcp packet with
> > the Syn flag set is sent in the hopes of receiving a response
> > such as a Syn ack which would indicate that the socks proxy
> > is possibly available for use.
> >
> > The reason why someone would be looking for a response on
> > port 1080 is to first do some reconnaissance work enabling
> > the would be attacker to identify active hosts.
> > Once the attacker has identified which host has port 1080
> > available, he can then make use of that machines IP to
> > perform malicious activity. Should the proxy server
> > be misconfigured or have weak or missing password he could
> > then direct his attack towards other networks by using the
> > proxy server of that machine camouflaging
> > himself as that IP or simply surf the internet anonymously.
> >
> > Further to the above mentioned there are some people who
> > dedicate some of their scanning results on websites posting
> > who has these improperly configured proxy, I've included a
> > link below to which serves as an example;
> > <http://www.rrdb.org/prodb.php?l=en>
> >
> > There are some tools out there available for use that will
> > automatically hunt for proxy server, all you have to do is
> > choose which net block is of interest and the script will do
> > the rest for you, below is an example of one tool.
> > http://prdownloads.sourceforge.net/yaph/yaph-0.91.tar.gz?download
> >
> > Correlations
> >
> > Bruce Auburn LOGS: GIAC GCIA Version 3.3 Practical Detect(s)
> > has a very thorough analysis of a sock proxy scan
> >
> http://cert.uni-stuttgart.de/archive/intrusions/2003/06/msg00360.html
> >
> > CVE-1999-0291
> > Description = The wingate proxy is installed without a
> > password, which allows remote attackers to redirect
> > connections without authentication.
> > <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0291>
> >
> > This link provides some insight on some of the possible OS
> > using typical settings that you would see in packet traces.
> > http://project.honeynet.org/papers/finger/traces.txt
> >
> > Snort has a short but very good description that includes
> > some of the most important details when dealing with
> > improperly configured socks server.
> > <http://www.snort.org/snort-db/sid.html?sid=615>
> >
> > This link provides an example as a tool that can be used to
> > hunt for open proxies http://yaph.sourceforge.net/
> >
> >
> > Evidence of active targeting
> > The targeted machine is scanned every hour, the scanner seems
> > to want to remain undetected. We can determine that there is
> > a syn packet sent approximately
> > every 50min or more at random machines. This leads me to
> > believe that the scanner is attempting a low and slow scan of
> > our network possibly targeting the
> > network although it is possible that the scan includes other
> > networks outside of our sensor coverage
> >
> > Severity
> > Severity is calculated in the following manner;
> >
> > severity = (criticality + lethality) - (system countermeasures + network countermeasures)
> >
> > Criticality
> > The attacker is seen scanning random IP's as such we can
> > assume that no reconnaissance work has be done previously.
> > Very little is known about our target hosts
> > and the service they offer, I can only assume that they are
> > normal user machines as such I will assign 2.
> >
> > Lethality
> > Should a socks proxy server be available to the scanner, he
> > would have the ability to stage attacks utilizing those IP's
> > as a front and he could possibly have further
> > access to internal networks as a result of having said IP, I
> > will assign a 4.
> >
> > System countermeasures
> > Little is known about the hosts network, which leads me to
> > give a less than average mark for system countermeasures, I
> > will assign a 2
> >
> > Network counter measures
> > I can only assume that the perimeter device is dropping all
> > syn-ack outbound as there is no evidence of the target host
> > replying, I will assign a 3
>
> Not the assumption I would make. You're assuming systems are
> responding on 1080 but the responses are being dropped? Based
> on your assumption above these are normal user machines; do
> those typically have 1080 open?
>
>
> >
> > Defensive recommendations
> > If it is required to use a socks proxy server, ensure that
> > only the necessary services are offered such as http. Ensure
> > that only the internal or recognized IP's have
> > access to the proxy server. When reviewing logs verify that
> > only authorized traffic and authorized users are seen using
> > the socks server and of course a strong
> > password is required.
> >
> >
> >
> > Multiple choice question
> >
> > Why would a socks proxy server be the target of malicious users.
> >
> > A) Attackers can masquerade their IP as being the
> > target host
> > IP.
> > B) Attackers can gain further access to the target hosts
> > network.
> > C) Attackers can surf the web freely.
> > D) All of the above
> >
> > Answer is D) all of the above.
>
> The notes for this assignment make it clear that there should
> be a single answer (not all the above). You're likely to lose
> a few points if you don't modify this.
>
> >
> > References:
> > Microsoft has identified some flaws in the proxy server it
> > describes that some of the winsock servers may incorrectly
> > handle request from remote host resulting in a denial of
> > service. They have made a patch available to rectify this you
> > can find the URL below;
> > <http://www.microsoft.com/downloads/details.asps?familyid=c81688b7-20fb-45eb-bafd-031aod2923e6&displaylang=en>
>
> > This is an article that reviews many types of scans in their
> > most basic forms.
> > <http://www.auditmypc.com/freescan/readingroom/port_scanning.asp>
> > Example of a list of available proxies. <http://www.rrdb.org/prodb.php?l=en>
> > Snort.org description
> > <http://www.snort.org/snort-db/sid.html?id=615>
> > Below, the link serves as an example of websites offering open proxies <http://www.rrdb.org/prodb.php?l=en>
> >
> > Stephen Breault
> > Master Seaman
> > Shift 4 Supervisor
> > DND Computer Incident Response Team (DND CIRT)
> > Canadian Forces Network Operations Centre
> >
> > Téléphone / Phone: (613) 945-7746 CSN: 849-7746
> > Télécopieur / Fax: (613) 945-6407
> > Courrier électronique / E-Mail: <mailto:Breault.SM at forces.gc.ca>
> > DWAN: <mailto: Breault MS SH at ADM(IM) CFS Leitrim at Ottawa-HullCFNOC@Ottawa-Hull>
> > Building/Edifice: CFS Leitrim
> > DIN: <http://img.mil.ca/cfiog-ipc/ops/cirt/>
> >
> > ***** Computer security incident? Call 613-945-7777 or toll free 1-877-DND-CIRT ******
> > ***** Incident Informatiques? Apellez 613-945-7777 ou sans frais 1-877-DND-CIRT ******
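The checks Donald recommends in the thread (look at IP ID and source port across probes for "close" matches, work out the spacing of the probes, and note what the SYN itself looks like), plus the practical's severity formula, are easy to apply mechanically. The script below is an added example written for this archive page, not code from either poster: it decodes the two windump hex dumps quoted above (copied verbatim; the trailing six zero bytes are Ethernet padding), applies the ID/source-port heuristic, computes the mean gap between the 1st and 4th packet, and evaluates severity with the scores from the detect. The 1024 "close" window and the function names are this example's own assumptions.

```python
# Added example (not code from either poster): decode the two SYN probes
# quoted in the thread and apply the reviewer's checks to them.
import struct
from datetime import datetime

# Hex dumps copied from the windump output quoted above; the trailing six
# zero bytes are Ethernet frame padding, not part of the 40-byte IP datagram.
PACKET_DUMPS = [
    ("19:43:59.236507",
     "4500 0028 ceb9 0000 2e06 b51d ca6c fecc "
     "aa81 953e d0dd 0438 6deb 8587 6deb 8587 "
     "5002 0400 e6ed 0000 0000 0000 0000"),
    ("22:21:13.116507",
     "4500 0028 ce06 0000 2d06 7783 ca6c fecc "
     "aa81 d48b d015 0438 6019 ce4a 6019 ce4a "
     "5002 0400 3286 0000 0000 0000 0000"),
]

TCP_SYN = 0x02


def decode_syn_probe(timestamp, hexdump):
    """Parse the IPv4 and TCP headers of one dumped probe into a dict."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _ipsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]          # stops before the Ethernet padding
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    return {
        "time": timestamp,
        "ttl": ttl,
        "ip_id": ip_id,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "win": win,
        "syn_only": (off_flags & 0x1FF) == TCP_SYN,
        # A SYN from a normal stack carries options (at least MSS);
        # a 20-byte TCP header means none were sent.
        "has_options": data_offset > 20,
        # An initial SYN has nothing to acknowledge, so ack should be 0.
        "ack_set_on_syn": ack != 0,
    }


def compare_probes(first, second, window=1024):
    """The reviewer's heuristic: IP ID and source port should look
    independent between probes; both landing within a small window of each
    other suggests a tool with a weak generator rather than a real stack.
    The 1024 window is this example's own choice, not from the thread."""
    id_delta = abs(first["ip_id"] - second["ip_id"])
    sport_delta = abs(first["sport"] - second["sport"])
    return {
        "id_delta": id_delta,
        "sport_delta": sport_delta,
        "close_match": id_delta < window and sport_delta < window,
        # The detect also noted every timestamp ending in the same 4 digits.
        "same_usec_suffix": first["time"][-4:] == second["time"][-4:],
    }


def mean_gap_minutes(first_ts, last_ts, gaps):
    """Average spacing between probes when only the first and last of a run
    are shown; the thread's packets are the 1st and 4th, i.e. three gaps."""
    fmt = "%H:%M:%S.%f"
    span = datetime.strptime(last_ts, fmt) - datetime.strptime(first_ts, fmt)
    return span.total_seconds() / gaps / 60


def severity(criticality, lethality, system_cm, network_cm):
    """The GCIA practical's formula as written in the quoted detect."""
    return (criticality + lethality) - (system_cm + network_cm)


if __name__ == "__main__":
    probes = [decode_syn_probe(ts, dump) for ts, dump in PACKET_DUMPS]
    for p in probes:
        print(p)
    print(compare_probes(*probes))
    gap = mean_gap_minutes(probes[0]["time"], probes[1]["time"], 3)
    print("mean gap between probes (min):", round(gap, 1))
    print("severity:", severity(2, 4, 2, 3))
```

Run stand-alone, the decoder reproduces the header fields windump and snort printed (id 52921/52742, ttl 46/45, ports 53469/53269 to 1080, win 1024), shows that both SYNs carry no TCP options and a non-zero ack equal to their own sequence number, reports ID and source-port deltas of 179 and 200 as a close match, and gives the 52-minute mean gap and a severity of 1 that the thread arrives at by hand.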
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org http://www.dshield.org/mailman/listinfo/intrusions