[unisog] Distributed port 445 scan or spoof?
Cam Beasley, ISO
cam at austin.utexas.edu
Sun Feb 16 04:55:17 GMT 2003
In the last 3 weeks we've noticed a new trend
in 445/tcp scanning.
We found a machine on our network that had been
compromised (windows box w/ a weak pwd), and was
subsequently participating in a highly coordinated
dictionary attack, one /16 at a time...
Forensic analysis on this machine turned up a slew
of tools (most of them not new), but a few were
It seems that an IRC channel coordinates the
most of the process. One channel we discovered was
controlling several hundred compromised windows
systems. These systems were being used as a large
distributed scanning network. The controlling channel
bot issues a command:
<masterbot> !scan 128.abc.*.* 445
The several hundred bots spring to action:
<botfoo> [Scanner Started] 128.abc.1.1 to 128.abc.255.255... [port:445]
reporting back to the channel as an IP is discovered
listening on port 445/tcp:
<botfoo> 128.abc.X.X on 445
A few minutes later, once the bots have ripped through
the class B, the last scanning bot reports:
<botfoo> [scan done]: 128.abc.1.1 to 128.abc.255.255 445
Once a list of windows hosts listening on 445/tcp is obtained,
the real fun begins..
A very efficient dictionary attack tool, NTSMB, is used:
(the MD5 sums of this tool)
NTSMB passes the name of a text file of IPs as a command line
argument. NTSMB is multi-threaded and can probe several addresses
at a time -- accounting for amazing speeds.
Unfortunately, Windows does not have a timeout built-in for
password checks.. Most operating systems fixed this security flaw
8-10 yrs ago.
Each thread then does a "ping" to check the address. If the ping
is successful it then issues a NETBIOS session request. If this is
successful it then issues a Dialect negotiation.
As part of the dictionary attack it issues SMB setup account
requests, with the various dictionary supplied usernames and passwords.
The Primary domain, native OS and Native LAN manager fields for these
requests are all set to the string "SOUP":
1 - NTSMB enumerates the admins group using a null session
a - If RA=2 it plays back the dictionary file against
"administrator" and "admin" accounts even if they do not exist.
2 - If RA=0 then it finds all of the members of the administrator
group and it tries to brute force all accounts in that group IF no
lockout policy is defined.
**NOTE** Tests show that trivial 4-8 character passwords are guessed
roughly 1-8 seconds using an average resourced laptop.
3 - NTSMB only brute-forces administrator accounts, which do NOT lockout
by default [passprop.exe /adminlockout changes this "nifty design
4 - When an account lockout policy is enabled, NTSMB appears to make 1
guess attempt and then it exits after hanging for about 2-3 minutes.
Enumerated IPs, accounts, and respective passwords are collected
and sent back to the central controlling bot or system.
If a password is guessed, other tools are used to login, create an
unauthorized administrator-level account, and delete network logon
permissions for all other existing local administrator accounts.
If the vulnerable machine has already been exploited by some other
team of hackers, then another tool is used to remove existing rootkit
The same old ServU, Firedaemon, nc (& other scanning tools) are also
installed. As mentioned previously on this list, WinGate proxies
are now being installed on these system to distribute spam..
All in all, nothing new is happening. Weak passwords on weak windows
machines are being exploited.
Break scripts ==> Use strong passwords..
There are several identifiers in this e-mail that may help you.
ITS/Information Security Office
The University of Texas at Austin
> -----Original Message-----
> From: Pat Wilson [mailto:paw at noh.ucsd.edu]
> Sent: Thursday, February 13, 2003 20:44
> To: unisog at sans.org
> Subject: [unisog] Distributed port 445 scan or spoof?
> Hmm. We're seeing incidents of intense port 445 scanning,
> either from a fairly well-coordinated distributed net or from
> something spoofing one - lots of ISP IP addresses, for short
> bursts of activity.
> Has anyone else seen this recently? We normally see 445
> scans, but not from so many different directions at once...
> If it _is_ an address spoofer, any idea how to track it down?
> Pat Wilson
> Network Security Manager
> UCSD ACS/Network Operations
> paw at ucsd.edu
> 6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
More information about the unisog