
LOGS: GIAC GCIA Version 3.4 Practical Detect (Dana Webber): msg#00005

security.intrusions

Subject: LOGS: GIAC GCIA Version 3.4 Practical Detect (Dana Webber)

I posted a rough draft of this detect a few months ago but got no feedback.
I'm handing in the practical in a few days. Here is the final version.

The old rough draft is at
http://cert.uni-stuttgart.de/archive/intrusions/2004/01/msg00133.html

Thanks a zillion!

==============================================================================
GIAC GCIA Version 3.4 Practical Detect
Possible VMware penetration test.

Source of Trace: http://www.incidents.org/logs/2003.12.15.tgz

Detect was generated by:

Detect file overview
Archive URL                 http://www.incidents.org/logs/2003.12.15.tgz
Files in archive            2003.12.15.1, 2003.12.15.2, ..., 2003.12.15.14
File format                 libpcap, snaplen = 96 bytes
Start time                  11/18/2003 13:57:23.130647
End time                    11/18/2003 15:15:57.147884
Duration                    1 hour and 18 minutes
Packets captured            449147
Total alerts                31791
Distinct alerts             66
Source MAC's                30
Destination MAC's           39
Alerts to 0:50:56:40:0:6d   28633

MAC address obfuscation is normally not done, and IP address obfuscation was
not necessary because all the detected IP's were reserved for private
networks.

None of the IP's are legal on the Internet. They were all in reserved ranges.
Command: whois $ip @whois.arin.net
NetRange: 10.0.0.0 - 10.255.255.255        This block is reserved for special purposes.
NetRange: 192.168.0.0 - 192.168.255.255    This block is reserved for special purposes.
NetRange: 172.16.0.0 - 172.31.255.255      This block is reserved for special purposes.
NetRange: 224.0.0.0 - 239.255.255.255      This block is reserved for special purposes.

It appears that every packet was captured in libpcap format with snaplen 96.
It was assumed that all traffic at the target's LAN connection was captured.
This may not be correct. Most of the systems were not analyzed; it is assumed
they were monitoring the test. Eight consecutive Cisco MAC's were detected,
but none were associated with any IP's. They were transmitting data-link-level
spanning tree data. This could indicate a large router that was not allowed to
transmit IP traffic. It may have been used for the data capture.

Probability the source address was spoofed: 50%

The places I have worked at would buy a Smartbits [1] and connect it with one
Ethernet cable to the unit to be tested and then "run a test". The Smartbits
would generate the traffic and capture the data by itself. Other companies
make similar devices.


Program that was used to generate the alert file:
#!/bin/sh
# A problem with Snort-2.0.5 is that if a packet triggers two alerts then the
# second alert takes precedence. This produced ICMP alerts with
# "(Undefined Code!)". The fix: move alerts with "(Undefined Code!)" in file
# icmp-info.rules to the top.

cd /1/backup/giac/gcia_assignment || exit 1
SNORTPATH="snort/snort-2.0.5-bin"
LOGPATH="p2_detect_1/logs"
CONFPATH="snort/snort.conf"
COUNTER=1
# Run Snort over each of the 14 capture files in turn.
while [ "$COUNTER" -le 14 ]; do
    RAWPATH="incidents.org.logs.raw.2003.12.15/2003.12.15.$COUNTER"
    echo "$RAWPATH"
    ls -l "$RAWPATH"
    COMMAND="$SNORTPATH -X -d -e -c $CONFPATH -r $RAWPATH -l $LOGPATH"
    echo "$COMMAND"
    # Run the command directly; wrapping it in backticks would try to execute
    # Snort's output as a second command.
    $COMMAND
    COUNTER=$((COUNTER + 1))
done

#command: snort -X -d -e -c $SNORT_CONF -r $RAW_FILE -l $LOG_FILE
#-X means dump the raw packet data starting at the link layer
#-d means dump the Application Layer
#-e means display the second layer header info
#$RAW_FILE is varied from 2003.12.15.1 to 2003.12.15.14

2.1.3. Description of attack:

One out of every 27 packets triggered an alert. Most MAC's had only one or two
IP's associated with them. Usually a LAN has one or more routers and each
router has a MAC associated with many IP's. There were 18 distinct source
IP's and 1542 distinct destination IP's detected for MAC 0:50:56:40:0:6d.
However, ninety percent of the alerts have 0:50:56:40:0:6d as the destination
MAC, and the three top alert source MAC's were registered to Apple Computer,
Intel and Dell. Furthermore, the MAC prefix 0:50:56:xx:xx:xx is registered to
VMware Inc, which does not make routers. VMware enables multiple virtual
machines on one physical system. Each virtual machine needs a distinct IP.
This may be the reason that this MAC had 18 IP's. Normally most attacks have
the same source MAC because they come from the Internet and go through a
router/gateway/firewall. A university campus link would likely have attacks
in both directions. The only reasonable explanation here is a penetration
test of a VMware system, with all the attacks being part of the same test.
Such a test set-up should be isolated, therefore an Internet gateway is not
required.



Manufacturers of equipment on the LAN:
Ando makes expensive test equipment. [2]
Ambit makes expensive test equipment. [3]
AboCom is an OEM manufacturer. [4]
VMware: the MAC was probably programmed in specifically for testing. [5]
Compaq makes a variety of PC products.
Gateway makes a variety of PC products.
Dell makes a variety of PC products.
3Com makes NIC's and Ethernet switches.
Intel makes a variety of PC products.
Connectix made some video conferencing equipment; Microsoft bought them. [6]
Sony makes products in every category. [7]
DoD MAC's are sometimes used by companies that have not registered an
OUI. [8]

Commands used to generate the OUI Registrant [9], MAC, and IP list.
Command used to obtain the list of source MAC addresses:
j=1;while [ "$j" != 15 ];do /usr/sbin/tcpdump -ennr ../incidents.org.logs.raw.2003.12.15/2003.12.15.$j |cut -d\ -f 2|grep ':'|sort|uniq;j=$((j+1));done|sort|uniq

Command used to obtain the list of destination MAC addresses:
j=1;while [ "$j" != 15 ];do /usr/sbin/tcpdump -ennr ../incidents.org.logs.raw.2003.12.15/2003.12.15.$j |cut -d\ -f 3|grep ':'|sort|uniq;j=$((j+1));done|sort|uniq

Commands used to obtain the list of source MAC and IP pairs. The loop writes
every IP frame, with link-layer headers, to tcpdump.eth.5.txt; the later
commands in this detect reuse that file:
j=1;while [ "$j" != 15 ];do /usr/sbin/tcpdump -nne ip -r ../incidents.org.logs.raw.2003.12.15/2003.12.15.$j >> tcpdump.eth.5.txt;j=$((j+1));done
cut -d\ -f2,6 tcpdump.eth.5.txt|sed 's/^\(.* .*\..*\..*\..*\)\..*$/\1/'|sort|uniq

Command used to obtain the list of destination MAC and IP pairs from the same
tcpdump.eth.5.txt file:
cut -d\ -f3,8 tcpdump.eth.5.txt|sed 's/^\(.* .*\..*\..*\..*\)\..*$/\1/'|sort|uniq




OUI Registrant [8], MAC, and IP list
Registrant                         MAC                IP(s)
Point Multimedia Systems           0:0:39:f2:67:88    10.10.10.117
Ando Electric Corporation          0:0:e2:92:ee:f     10.10.10.222
                                   0:0:e2:94:b0:2a    10.10.10.226
3COM CORPORATION                   0:1:2:79:91:ed     10.10.10.112
                                   0:1:3:88:29:92     10.10.10.234
                                   0:4:76:45:61:39    10.10.10.195
Compaq Computer Co                 0:2:a5:b6:e2:e3    10.10.10.186
Intel Corporation                  0:a0:c9:ba:6d:85   10.10.10.196
                                   0:3:47:8c:89:c2    10.10.10.165, 192.168.117.1, 192.168.213.1
Connectix                          0:3:ff:df:95:84    10.10.10.228
VMWare, Inc.                       0:50:56:40:0:64    10.10.10.2
                                   0:c:29:14:1e:63    10.10.10.142
                                   0:c:29:39:6e:67    10.10.10.160
                                   0:c:29:9e:ef:53    10.10.10.224
                                   0:50:56:40:0:6d    10.10.10.1, 10.30.30.2, 172.20.11,
                                                      172.20.11.2, 172.20.11.3, 172.20.11.52,
                                                      172.20.11.80, 172.20.201.1, 172.20.201.135,
                                                      172.20.201.198, 172.20.201.2, 192.168.17.129,
                                                      192.168.17.135, 192.168.17.2, 192.168.17.65,
                                                      192.168.17.66, 192.168.17.68, 192.168.22.207
Dell Computer Corp.                0:6:5b:d8:bf:ed    10.10.10.122
                                   0:6:5b:e6:f8:43    10.10.10.231
                                   0:8:74:5:b7:f8     10.10.10.147
                                   0:8:74:7:31:ee     10.10.10.111, 172.16.8.189
Dell ESG PCBA Test                 0:b:db:17:f4:c9    10.10.10.194, 169.254.135.50, 172.16.9.13,
                                                      192.168.222.1, 192.168.84.1
                                   0:b:db:9b:46:fe    10.10.10.164
                                   0:b:db:df:53:8d    10.10.10.123
IBM Corporation                    0:9:6b:2:e9:3d     10.10.10.212, 172.16.8.229
Apple Computer, Inc.               0:a:95:7c:24:0     10.10.10.113
                                   0:a:95:d9:95:84    10.10.10.232
AMBIT MICROSYSTEMS CORP            0:d0:59:c6:5e:14   10.10.10.141, 10.10.10.144, 238.122.10.140
Cisco Systems                      0:d:bc:17:4:ce     N/A
                                   0:d:bc:17:4:cf     N/A
                                   0:d:bc:17:4:d0     N/A
                                   0:d:bc:17:4:d2     N/A
                                   0:d:bc:17:4:d4     N/A
                                   0:d:bc:17:4:d5     N/A
                                   0:d:bc:17:4:d6     N/A
                                   0:d:bc:17:4:d8     N/A
AboCom Systems, Inc                0:e0:98:a1:7f:da   10.10.10.174
GATEWAY 2000                       0:e0:b8:3d:20:40   10.10.10.214
SONY CORPORATION LTD.              8:0:46:79:f7:7c    10.10.10.230
DoD Internet Multicast (RFC-1112)  1:0:5e:0:0:16      224.0.0.22
                                   1:0:5e:0:0:2       224.0.0.2
                                   1:0:5e:0:0:5       224.0.0.5
                                   1:0:5e:0:0:6       224.0.0.6
                                   1:0:5e:37:96:d0    229.55.150.208
                                   1:0:5e:7a:a:8c     238.122.10.140
                                   1:0:5e:7f:ff:fa    239.255.255.250
                                   1:0:5e:7f:ff:fd    239.255.255.253
Cisco Inter-Switch Link            1:0:c:0:0:0
Cisco Discovery Protocol           1:0:c:cc:cc:cc
Spanning tree Multicast            1:80:c2:0:0:0



There were many suspicious alerts. They are sorted in order of occurrences.
command: grep "\[\*\*\] .* \[\*\*\]" alert | sort | uniq -c | sort -nr
18176 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
5041 [**] [1:465:1] ICMP ISS Pinger [**]
2144 [**] [1:620:3] SCAN Proxy (8080) attempt [**]
1326 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
1181 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length
1020 [**] [1:474:1] ICMP superscan echo [**]
690 [**] [1:399:4] ICMP Destination Unreachable (Host Unreachable) [**]
418 [**] [1:401:4] ICMP Destination Unreachable (Network Unreachable) [**]
394 [**] [1:615:4] SCAN SOCKS Proxy attempt [**]
287 [**] [1:1417:2] SNMP request udp [**]
146 [**] [1:1420:2] SNMP trap tcp [**]
140 [**] [1:1418:2] SNMP request tcp [**]
116 [**] [1:1421:2] SNMP AgentX/tcp request [**]
105 [**] [1:618:4] SCAN Squid Proxy attempt [**]
70 [**] [1:1443:2] TFTP GET passwd [**]
60 [**] [1:1411:3] SNMP public access udp [**]
59 [**] [1:467:1] ICMP Nemesis v1.1 Echo [**]
46 [**] [1:1419:2] SNMP trap udp [**]
45 [**] [1:408:4] ICMP Echo Reply [**]
29 [**] [1:553:4] POLICY FTP anonymous login attempt [**]
28 [**] [1:365:5] ICMP PING (Undefined Code!) [**]
27 [**] [1:628:2] SCAN nmap TCP [**]
24 [**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection [**]
21 [**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
18 [**] [1:449:4] ICMP Time-To-Live Exceeded in Transit [**]
14 [**] [1:524:6] BAD-TRAFFIC tcp port 0 traffic [**]
14 [**] [1:361:7] FTP site exec [**]
12 [**] [1:2049:1] MS-SQL ping attempt [**]
10 [**] [1:491:6] INFO FTP Bad login [**]
10 [**] [1:1413:2] SNMP private access udp [**]
8 [**] [1:1777:2] FTP EXPLOIT STAT * dos attempt [**]
6 [**] [1:566:3] POLICY PCAnywhere server response [**]
6 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
6 [**] [1:1957:3] RPC sadmind UDP PING [**]
6 [**] [1:1893:1] SNMP missing community string attempt [**]
6 [**] [1:1867:1] MISC xdmcp info query [**]
6 [**] [1:1504:5] MISC AFS access [**]
6 [**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 31337) [**]
4 [**] [1:453:4] ICMP Timestamp Request [**]
4 [**] [1:451:4] ICMP Timestamp Reply [**]
4 [**] [1:388:4] ICMP Address Mask Request [**]
4 [**] [1:382:4] ICMP PING Windows [**]
4 [**] [1:336:5] FTP CWD ~root attempt [**]
4 [**] [1:237:1] DDOS Trin00:MastertoDaemon(defaultpassdetected!) [**]
4 [**] [1:1992:1] FTP LIST directory traversal attempt [**]
4 [**] [1:1449:3] POLICY FTP anonymous (ftp) login attempt [**]
3 [**] [1:604:5] RSERVICES rsh froot [**]
3 [**] [1:501:2] MISC source route lssre [**]
3 [**] [1:1432:4] P2P GNUTella GET [**]
2 [**] [1:718:6] TELNET login incorrect [**]
2 [**] [1:659:4] SMTP expn decode [**]
2 [**] [1:356:5] FTP passwd retrieval attempt [**]
2 [**] [1:332:5] FINGER 0 query [**]
2 [**] [1:330:6] FINGER redirection attempt [**]
2 [**] [1:327:5] FINGER remote command pipe execution attempt [**]
2 [**] [1:326:5] FINGER remote command ; execution attempt [**]
2 [**] [1:323:4] FINGER root query [**]
2 [**] [1:1728:2] FTP CWD ~<CR><NEWLINE> attempt [**]
1 [**] [1:489:5] INFO FTP No Password [**]
1 [**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]
1 [**] [1:335:4] FTP .rhosts [**]
1 [**] [1:255:8] DNS zone transfer TCP [**]
1 [**] [1:245:1] DDOS mstream handler ping to agent [**]
1 [**] [1:239:1] DDOS shaft handler to agent [**]
1 [**] [1:236:3] DDOS Stacheldraht client check gag [**]
1 [**] [1:1928:3] FTP shadow retrieval attempt [**]
1 [**] [1:1919:3] FTP CWD overflow attempt [**]
1 [**] [1:1444:2] TFTP Get [**]


Sorting by source IP shows the top two alert sources. Otherwise it is a
confusing list.
command: egrep "IpLen" alert|cut -d \ -f 1|cut -d ":" -f 1|sort|uniq -c|sort -nr
18202 10.10.10.113 Apple Computer, Inc
9211 10.10.10.165 Intel Corporation
912 10.10.10.164 Dell ESG PCBA Test
711 172.20.201.2 VMWare, Inc
669 10.10.10.231 Dell Computer Corp
650 10.10.10.224 VMWare, Inc.
573 10.30.30.2 VMWare, Inc
433 10.10.10.234 3COM CORPORATION
425 10.10.10.1 VMWare, Inc
390 10.10.10.141 AMBIT MICROSYSTEMS CORP
378 10.10.10.2 VMWare, Inc.
236 10.10.10.195 3COM CORPORATION
230 172.20.201.198 VMWare, Inc.
198 172.20.201.135 VMWare, Inc.
196 172.20.201.1 VMWare, Inc.
140 10.10.10.212 IBM Corporation
132 10.10.10.112 3COM CORPORATION
129 192.168.17.2 VMWare, Inc.
80 10.10.10.194 Dell ESG PCBA Test
57 172.20.11.3 VMWare, Inc
46 10.10.10.186 Compaq Computer Corporation
41 10.10.10.174 AboCom Systems, Inc
34 10.10.10.196 Intel Corporation
23 10.10.10.228 Connectix
20 10.10.10.232 Apple Computer, Inc.
19 172.20.11.2 VMWare, Inc.
15 0.0.0.0 <Used For Bootp>
12 10.10.10.226 Ando Electric Corporation
11 10.10.10.230 SONY CORPORATION LTD.
9 10.10.10.222 Ando Electric Corporation
7 10.10.10.160 VMWare, Inc.
7 10.10.10.142 VMWare, Inc.
7 10.10.10.122 Ando Electric Corporation
6 169.254.135.50 Dell ESG PCBA Test
4 192.168.17.68 VMWare, Inc.
3 238.122.10.140 AMBIT MICROSYSTEMS CORP
2 172.20.11.80 VMWare, Inc.
2 172.20.11.52 VMWare, Inc.
2 10.10.10.214 GATEWAY 2000
1 172.20.11.1 VMWare, Inc.
1 10.10.10.147 Dell Computer Corp.
1 10.10.10.144 AMBIT MICROSYSTEMS CORP
1 10.10.10.111 Dell Computer Corp.

Sorting by destination IP shows that VMware was the target. Here are the top 42
destinations.
command: grep "IpLen" alert|cut -d \ -f 3|cut -d ":" -f 1|sort|uniq -c|sort -nr|head -n 42
6650 192.168.17.129 VMWare, Inc
6546 192.168.17.68 VMWare, Inc
5321 192.168.17.135 VMWare, Inc
1375 10.10.10.165 Intel Corporation
994 172.20.201.2 VMWare, Inc
876 172.20.201.198 VMWare, Inc
795 172.20.201.135 VMWare, Inc
780 172.20.201.1 VMWare, Inc
581 10.10.10.224 VMWare, Inc
471 172.20.201.3 VMWare, Inc
407 172.20.11.2 VMWare, Inc
351 10.10.10.164 Dell ESG PCBA Test
293 192.168.17.66 VMWare, Inc
238 192.168.17.67 VMWare, Inc
235 149.134.30.62 VMWare, Inc
189 149.134.52.149 VMWare, Inc
176 172.22.201.1 VMWare, Inc
156 172.20.11.80 VMWare, Inc.
122 172.22.201.2 VMWare, Inc
120 192.168.22.207 VMWare, Inc.
120 192.168.17.1 Intel Corporation
113 172.20.11.3 VMWare, Inc.
111 10.10.10.255 BROADCAST ADDRESS
105 10.10.10.212 IBM Corporation
91 10.10.10.195 3COM CORPORATION
89 10.10.10.226 Ando Electric Corporation
80 10.10.10.231 Dell Computer Corp.
64 172.22.201.3 VMWare, Inc
56 255.255.255.255 BROADCAST ADDRESS
51 172.20.11.52 VMWare, Inc
39 10.10.10.142 VMWare, Inc
37 10.10.10.222 Ando Electric Corporation
36 172.11.11.80 VMWare, Inc
36 10.10.10.112 3COM CORPORATION
34 10.10.10.2 VMWare, Inc
24 229.55.150.208 DoD Internet Multicast (RFC-1112)
24 172.20.201.0 INVALID
24 10.10.10.234 3COM CORPORATION
23 192.168.17.65 VMWare, Inc.
22 10.10.10.141 AMBIT MICROSYSTEMS CORP
21 172.10.11.80 VMWare, Inc
20 10.10.10.122 Dell Computer Corp

Sorting by destination MAC shows that the attacks targeted one particular
system.
command: grep " -> " alert|grep -v IpLen |cut -d \ -f 4|sort|uniq -c|sort -nr
28633 0:50:56:40:0:6D VMWare, Inc
1375 0:3:47:8C:89:C2 Intel Corporation
581 0:C:29:9E:EF:53 VMWare, Inc
351 0:B:DB:9B:46:FE Dell ESG PCBA Test
173 FF:FF:FF:FF:FF:FF Broadcast address
105 0:9:6B:2:E9:3D IBM Corporation
91 0:4:76:45:61:39 3COM CORPORATION
89 0:0:E2:94:B0:2A Ando Electric Corporation
80 0:6:5B:E6:F8:43 Dell Computer Corp
39 0:C:29:14:1E:63 VMWare, Inc
37 0:0:E2:92:EE:F Ando Electric Corporation
36 0:1:2:79:91:ED 3COM CORPORATION
34 0:50:56:40:0:64 VMWare, Inc
24 1:0:5E:37:96:D0 DoD Internet Multicast (RFC-1112)
24 0:1:3:88:29:92 3COM CORPORATION
22 0:D0:59:C6:5E:14 AMBIT MICROSYSTEMS CORP
20 0:6:5B:D8:BF:ED Dell Computer Corp
11 0:E0:B8:3D:20:40 GATEWAY 2000
11 0:8:74:7:31:EE Dell Computer Corp
10 0:C:29:39:6E:67 VMWare, Inc
9 0:2:A5:B6:E2:E3 Compaq Computer Corporation
8 0:E0:98:A1:7F:DA AboCom Systems, Inc
7 0:B:DB:17:F4:C9 Dell ESG PCBA Test
5 8:0:46:79:F7:7C SONY CORPORATION LTD.
4 0:3:FF:DF:95:84 Connectix
3 1:0:5E:7F:FF:FA DoD Internet Multicast (RFC-1112)
3 0:A0:C9:BA:6D:85 Intel Corporation
2 0:B:DB:DF:53:8D Dell ESG PCBA Test
2 0:A:95:7C:24:0 Apple Computer, Inc.
1 0:8:74:5:B7:F8 Dell Computer Corp
1 0:0:39:F2:67:88 Point Multimedia Systems


The target was heavily scanned.
IP addresses with the destination MAC 0:50:56:40:0:6d:
cut -d\ -f3,8 tcpdump.eth.5.txt|sed 's/^\(.* .*\..*\..*\..*\)\..*$/\1/'|grep \ '0:50:56:40:0:6d'|uniq|sort|uniq > 0-50-56-40-0-6d.ip.txt
Number of distinct IP's:
cut -d\ -f 2 0-50-56-40-0-6d.ip.txt | sed 's/\://' | sort | uniq | grep -c ""
1542
Distinct IP's grouped by the first three octets:
cut -d\ -f 2 0-50-56-40-0-6d.ip.txt | sed 's/\://' | sort | uniq | cut -d\. -f1,2,3 | sort -n | uniq -c |sort -nr
256 172.20.11
255 172.22.201
255 172.20.201
255 172.20.12
254 192.168.22
254 192.168.17
1 198.41.0
1 198.123.30
1 172.27.1
1 172.20.102
1 172.11.11
1 172.10.11
1 149.134.52
1 149.134.30
1 134.248.127
1 127.0.0
1 12.162.170
1 10.3.200
1 102.168.17

The alerts from the target MAC were all error responses to bad traffic, except
for "Short UDP packet", which was caused by snaplen 96 (the capture length).
command: grep -B2 " 0:50:56:40:0:6D -> " alert | grep "\[\*\*\] " | sort|uniq -c | sort -nr
1326 [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**]
690 [**] [1:399:4] ICMP Destination Unreachable (Host Unreachable) [**]
418 [**] [1:401:4] ICMP Destination Unreachable (Network Unreachable) [**]
34 [**] [1:408:4] ICMP Echo Reply [**]
33 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length
18 [**] [1:449:4] ICMP Time-To-Live Exceeded in Transit [**]
10 [**] [1:491:6] INFO FTP Bad login [**]
7 [**] [1:524:6] BAD-TRAFFIC tcp port 0 traffic [**]
4 [**] [1:451:4] ICMP Timestamp Reply [**]
4 [**] [1:382:4] ICMP PING Windows [**]
2 [**] [1:718:6] TELNET login incorrect [**]
1 [**] [1:404:4] ICMP Destination Unreachable (Protocol Unreachable) [**]

The "tcp port 0 traffic" alerts were resets in response to SYN packets.
command: egrep " 172\.20\.11\.2\.0 > 10\.10\.10\.141\.|10\.10\.10\.141\..* > 172.20.11.2.0:" tcpdump.eth.5.txt | tail -n 2
14:09:22.899069 0:d0:59:c6:5e:14 0:50:56:40:0:6d 0800 60: 10.10.10.141.62917 > 172.20.11.2.0: S 3868:3868(0) win 512
14:09:22.939627 0:50:56:40:0:6d 0:d0:59:c6:5e:14 0800 60: 172.20.11.2.0 > 10.10.10.141.62917: R 0:0(0) ack 3869 win 0 (DF)


A lot of malicious traffic was sent to the target MAC.
command: grep -B2 " -> 0:50:56:40:0:6D " alert | grep "\[\*\*\] " | sort | uniq -c | sort -nr
18176 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
5041 [**] [1:465:1] ICMP ISS Pinger [**]
2144 [**] [1:620:3] SCAN Proxy (8080) attempt [**]
1020 [**] [1:474:1] ICMP superscan echo [**]
545 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length
394 [**] [1:615:4] SCAN SOCKS Proxy attempt [**]
287 [**] [1:1417:2] SNMP request udp [**]
146 [**] [1:1420:2] SNMP trap tcp [**]
140 [**] [1:1418:2] SNMP request tcp [**]
116 [**] [1:1421:2] SNMP AgentX/tcp request [**]
105 [**] [1:618:4] SCAN Squid Proxy attempt [**]
70 [**] [1:1443:2] TFTP GET passwd [**]
60 [**] [1:1411:3] SNMP public access udp [**]
59 [**] [1:467:1] ICMP Nemesis v1.1 Echo [**]
46 [**] [1:1419:2] SNMP trap udp [**]
29 [**] [1:553:4] POLICY FTP anonymous login attempt [**]
27 [**] [1:628:2] SCAN nmap TCP [**]
24 [**] [1:365:5] ICMP PING (Undefined Code!) [**]
24 [**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection [**]
21 [**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
14 [**] [1:361:7] FTP site exec [**]
12 [**] [1:2049:1] MS-SQL ping attempt [**]
10 [**] [1:1413:2] SNMP private access udp [**]
8 [**] [1:1777:2] FTP EXPLOIT STAT * dos attempt [**]
7 [**] [1:524:6] BAD-TRAFFIC tcp port 0 traffic [**]
7 [**] [1:408:4] ICMP Echo Reply [**]
6 [**] [1:566:3] POLICY PCAnywhere server response [**]
6 [**] [1:528:4] BAD-TRAFFIC loopback traffic [**]
6 [**] [1:1957:3] RPC sadmind UDP PING [**]
6 [**] [1:1893:1] SNMP missing community string attempt [**]
6 [**] [1:1867:1] MISC xdmcp info query [**]
6 [**] [1:1504:5] MISC AFS access [**]
6 [**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 31337) [**]
4 [**] [1:453:4] ICMP Timestamp Request [**]
4 [**] [1:388:4] ICMP Address Mask Request [**]
4 [**] [1:336:5] FTP CWD ~root attempt [**]
4 [**] [1:237:1] DDOS Trin00:MastertoDaemon(defaultpassdetected!) [**]
4 [**] [1:1992:1] FTP LIST directory traversal attempt [**]
4 [**] [1:1449:3] POLICY FTP anonymous (ftp) login attempt [**]
3 [**] [1:604:5] RSERVICES rsh froot [**]
3 [**] [1:501:2] MISC source route lssre [**]
3 [**] [1:1432:4] P2P GNUTella GET [**]
2 [**] [1:659:4] SMTP expn decode [**]
2 [**] [1:356:5] FTP passwd retrieval attempt [**]
2 [**] [1:332:5] FINGER 0 query [**]
2 [**] [1:330:6] FINGER redirection attempt [**]
2 [**] [1:327:5] FINGER remote command pipe execution attempt [**]
2 [**] [1:326:5] FINGER remote command ; execution attempt [**]
2 [**] [1:323:4] FINGER root query [**]
2 [**] [1:1728:2] FTP CWD ~<CR><NEWLINE> attempt [**]
1 [**] [1:489:5] INFO FTP No Password [**]
1 [**] [1:335:4] FTP .rhosts [**]
1 [**] [1:255:8] DNS zone transfer TCP [**]
1 [**] [1:245:1] DDOS mstream handler ping to agent [**]
1 [**] [1:239:1] DDOS shaft handler to agent [**]
1 [**] [1:236:3] DDOS Stacheldraht client check gag [**]
1 [**] [1:1928:3] FTP shadow retrieval attempt [**]
1 [**] [1:1919:3] FTP CWD overflow attempt [**]
1 [**] [1:1444:2] TFTP Get [**]
1 [**] [111:13:1] (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection [**]

There are a few alerts that do not involve the target MAC, but they can be
ignored. It is possible that the other systems were communicating with each
other.
command: grep ':..\?:..\?:..\?:..\?:..\?\|^\[\*\*\] ' alert|grep -vB1 '^\[\| 0:50:56:40:0:6D'|grep '^\['|sort|uniq -c
603 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
4 [**] [1:365:5] ICMP PING (Undefined Code!) [**]
4 [**] [1:408:4] ICMP Echo Reply [**]

One issue with spoofing is whether the target could be used as a dummy for an
idle scan [10]. The table below indicates that the target may maintain a
different IP sequence for each foreign IP and therefore could not be used as
a dummy for a spoofed scan. However, a much more thorough analysis is required
for a real answer.

The target may maintain a different IP sequence for each foreign IP.
command: egrep " 192\.168\.17\.68\..* > " tcpdump.eth.5.txt| grep " ack "| grep -v 'ack [210] win '| cut -d\ -f6-12| tail -n 32|head -n 12
192.168.17.68.80 > 10.10.10.165.4729: R 0:0(0) ack 1180636066
192.168.17.68.80 > 10.10.10.165.4732: R 0:0(0) ack 1181123598
192.168.17.68.80 > 10.10.10.234.1069: R 0:0(0) ack 1730051307
192.168.17.68.80 > 10.10.10.165.4735: R 0:0(0) ack 1181576792
192.168.17.68.80 > 10.10.10.165.4737: R 0:0(0) ack 1182006667
192.168.17.68.80 > 10.10.10.165.4739: R 0:0(0) ack 1182438820
192.168.17.68.80 > 10.10.10.165.4742: R 0:0(0) ack 1182878632
192.168.17.68.80 > 10.10.10.165.4744: R 0:0(0) ack 1183275579
192.168.17.68.80 > 10.10.10.165.4750: R 0:0(0) ack 1184026471
192.168.17.68.80 > 10.10.10.234.1070: R 0:0(0) ack 1732013017
192.168.17.68.80 > 10.10.10.165.4753: R 0:0(0) ack 1184605667
192.168.17.68.80 > 10.10.10.165.4755: R 0:0(0) ack 1185072914

10.10.10.113 was the source for 18202 alerts, mainly a NULL scan of the
target.
command: grep -B3 '^10.10.10.113.* -' logs/alert|grep -iB2 '0:50:56:40:0:6d'|grep '\[\*\*\]'|sort|uniq -c
4 [**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection [**]
8 [**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
18162 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
8 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
4 [**] [1:628:2] SCAN nmap TCP [**]


Destination IP's scanned by 10.10.10.113:
grep '0:50:56:40:0:6d' tcpdump.eth.5.txt|grep "10\.10\.10\.113\..* > "|cut -d\> -f2|cut -d\. -f1,2,3,4|sort|uniq -c|sort -nr
Count IP
6626 192.168.17.129
6321 192.168.17.68
5291 192.168.17.135

The number of distinct destination ports scanned for each IP:
grep '0:50:56:40:0:6d' tcpdump.eth.5.txt|grep "10\.10\.10\.113\..* > "|cut -d\> -f2|cut -d\. -f1,2,3,4,5|sort|uniq|cut -d\. -f1,2,3,4|uniq -c
Count IP
1670 192.168.17.129
1657 192.168.17.135
1691 192.168.17.68

The alert breakdown per destination IP:
grep -B3 '^10.10.10.113.* -> 192.168.17.129' logs/alert|grep -iB2 '0:50:56:40:0:6d'|grep '\[\*\*\]'|sort|uniq -c
1 [**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection [**]
2 [**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
6607 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
2 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
1 [**] [1:628:2] SCAN nmap TCP [**]

grep -B3 '^10.10.10.113.* -> 192.168.17.68' logs/alert|grep -iB2 '0:50:56:40:0:6d'|grep '\[\*\*\]'|sort|uniq -c
3 [**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection [**]
6 [**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
6264 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
6 [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
3 [**] [1:628:2] SCAN nmap TCP [**]

grep -B3 '^10.10.10.113.* -> 192.168.17.135' logs/alert|grep -iB2 '0:50:56:40:0:6d'|grep '\[\*\*\]'|sort|uniq -c
5291 [**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]

SYN's were sent to ports 1 and 20 of 192.168.17.129 and 192.168.17.68. No
SYN's were sent to 192.168.17.135.
command: grep '0:50:56:40:0:6d' tcpdump.eth.5.txt|grep " S "|grep "10\.10\.10\.113\..* > "|cut -d\ -f8,9|sort|uniq -c
Count IP
6 192.168.17.129.1: S
1 192.168.17.129.20: S
18 192.168.17.68.1: S
3 192.168.17.68.20: S


It looks like every open port will respond with a reset to a null scan.
command: grep '0:50:56:40:0:6d .* > 10\.10\.10\.113\.' tcpdump.eth.5.txt|cut -d\ -f6,9|egrep -v "68\.20 |129\.20 "|sort|uniq -c|sort -nr
1 192.168.17.68.80 R
1 192.168.17.68.53 R
1 192.168.17.68.443 R
1 192.168.17.68.25 R
1 192.168.17.68.23 R
1 192.168.17.68.22 R
1 192.168.17.68.21 R
1 192.168.17.135.53 R
1 192.168.17.135.22 R
1 192.168.17.135.20 R
1 192.168.17.129.80 R
1 192.168.17.129.53 R
1 192.168.17.129.443 R
1 192.168.17.129.25 R
1 192.168.17.129.23 R
1 192.168.17.129.21 R

192.168.17.135 answering a null scan from 10.10.10.113.
command: grep "10\.10\.10\.113\." tcpdump.eth.5.txt|grep "192\.168\.17\.135\."|egrep "135\.53[ :]|135\.20[ :]|135\.22[ :]"|sort|uniq
14:14:55.665504 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.22: . win 4096
14:14:55.671788 0:50:56:40:0:6d 0:a:95:7c:24:0 0800 60: 192.168.17.135.22 > 10.10.10.113.59194: R 0:0(0) ack 0 win 0 (DF)
14:15:51.827656 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.53: . win 2048
14:15:51.854980 0:50:56:40:0:6d 0:a:95:7c:24:0 0800 60: 192.168.17.135.53 > 10.10.10.113.59194: R 0:0(0) ack 0 win 0 (DF)
14:16:10.128439 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.20: . win 1024
14:16:10.132772 0:50:56:40:0:6d 0:a:95:7c:24:0 0800 60: 192.168.17.135.20 > 10.10.10.113.59194: R 0:0(0) ack 0 win 0 (DF)

Three of the hosted VM's could be Linux systems. The TTL discrepancy could be
caused by a separate VM on the target that is configured as a firewall.
command: grep -A2 ' 0:50:56:40:0:6D -> ' logs/alert|grep ' TCP .* IpLen:'|cut -d\ -f1,4,5|sed 's/:.. T/ T/' |sort|uniq -c|sort -k2
7 172.20.11.2:0 TCP TTL:62
4 172.20.201.135 TCP TTL:62
8 172.20.201.198 TCP TTL:62

Attack Mechanism

Here is a brief description of the idle scan that was invented by Antirez [8].
The goal of the idle scan is that no traffic travels between the attacker and
the target. The attacker sends a non-spoofed packet to a third system (the
dummy) that uses sequential IP ID's. The attacker then reads the IP ID from
the reply. Next the attacker sends a spoofed packet where the source field
contains the IP of the real target. The dummy system responds with an error
message to the target. If the target has the same port open it should respond;
otherwise it should not respond. A response would increment the IP ID counter
on the dummy. Then the attacker sends a non-spoofed packet to the dummy
machine and reads the IP ID. From the difference of the IP ID's he can tell
if the target responded or not. If the third system is not busy then many
ports can be queried before the attacker has to use a non-spoofed packet. Fig
2.1.2 indicates that the target may maintain an independent IP sequence for
each foreign IP. Therefore it could not be used as a dummy for an idle scan.
However, a more thorough analysis is required for a definitive answer.

A null scan is a TCP packet with no flags. When it is sent to an open port a
reset may be sent back, but it would not be entered into the host's logs. A
closed port should not respond. This way an attacker can scan for open ports
without detection. Some older firewalls would not drop a null TCP packet.
Traffic to and from port 0 is not allowed by the RFC's. Therefore different
OS's respond differently, and it can be used for OS typing.
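As an added example (editor's code, not part of the original detect), the null-scan probes and port 0 traffic described above can be picked out of the tcpdump -nne output that this analysis works from, so that an analyst can confirm which probed ports answered with a reset. The line layout is the one shown in the detect; the sample lines are constructed from hosts, MACs and ports quoted on the page (plus an ordinary ACK and an ARP line that must not be flagged), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of "tcpdump -nne" output in the layout used throughout the
# detect (time, src MAC, dst MAC, ethertype, frame length, then the TCP summary).
# Hosts, ports and MACs mirror values quoted on the page; the plain ACK and the
# ARP line are invented to show what must NOT be flagged.
SAMPLE_LINES = """\
14:14:55.665504 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.22: . win 4096
14:14:55.671788 0:50:56:40:0:6d 0:a:95:7c:24:0 0800 60: 192.168.17.135.22 > 10.10.10.113.59194: R 0:0(0) ack 0 win 0 (DF)
14:15:51.827656 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.53: . win 2048
14:15:51.854980 0:50:56:40:0:6d 0:a:95:7c:24:0 0800 60: 192.168.17.135.53 > 10.10.10.113.59194: R 0:0(0) ack 0 win 0 (DF)
14:16:10.128439 0:a:95:7c:24:0 0:50:56:40:0:6d 0800 60: 10.10.10.113.59194 > 192.168.17.135.20: . win 1024
14:09:22.899069 0:d0:59:c6:5e:14 0:50:56:40:0:6d 0800 60: 10.10.10.141.62917 > 172.20.11.2.0: S 3868:3868(0) win 512
14:09:22.939627 0:50:56:40:0:6d 0:d0:59:c6:5e:14 0800 60: 172.20.11.2.0 > 10.10.10.141.62917: R 0:0(0) ack 3869 win 0 (DF)
14:20:00.000000 0:3:47:8c:89:c2 0:50:56:40:0:6d 0800 62: 10.10.10.165.4729 > 192.168.17.68.80: S 1180636065:1180636065(0) win 16384
14:20:00.500000 0:3:47:8c:89:c2 0:50:56:40:0:6d 0800 60: 10.10.10.165.4729 > 192.168.17.68.80: . ack 1 win 17520
14:20:01.000000 0:3:47:8c:89:c2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.1 tell 10.10.10.165
"""

# One IPv4/TCP line: MACs, then "src.sport > dst.dport: FLAGS ...".
# Old tcpdump prints "." when none of S/F/P/R is set; ACK shows up as "ack N".
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+0800\s+\d+:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPUEW.]+)(?:\s|$)"
)


def parse_line(line):
    """Return a dict for a TCP line, or None for ARP/other traffic."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["ack"] = " ack " in line  # "." with no ack means no flags at all
    return rec


def classify(rec):
    """Tag a segment as 'null-probe', 'port-0' or None (ordinary traffic)."""
    if rec["flags"] == "." and not rec["ack"]:
        return "null-probe"            # the NULL scan the detect describes
    if rec["dport"] == 0 or rec["sport"] == 0:
        return "port-0"                # BAD-TRAFFIC tcp port 0 traffic
    return None


def summarize(text):
    """Aggregate flagged segments per (source MAC, destination IP).

    Returns (probes, resets): probes maps (smac, dst) -> {tag: set(dports)};
    resets lists (src, sport, dst, dport) for every RST seen, so the analyst
    can check which probed ports answered, as the target did on the page.
    """
    probes = defaultdict(lambda: defaultdict(set))
    resets = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag is not None:
            probes[(rec["smac"], rec["dst"])][tag].add(rec["dport"])
        if "R" in rec["flags"]:
            resets.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return probes, resets


def answered_probes(probes, resets):
    """(dst, port) pairs that were null-probed and replied with a RST."""
    answered = set()
    for (_smac, dst), tags in probes.items():
        for port in tags.get("null-probe", ()):
            if any(src == dst and sport == port for src, sport, _d, _p in resets):
                answered.add((dst, port))
    return answered


if __name__ == "__main__":
    probes, resets = summarize(SAMPLE_LINES)
    for (smac, dst), tags in sorted(probes.items()):
        for tag, ports in tags.items():
            print(f"{smac} -> {dst}: {tag} on {len(ports)} port(s) {sorted(ports)}")
    print("null probes answered with RST:", sorted(answered_probes(probes, resets)))
```

Run against the full tcpdump.eth.5.txt, the per-(MAC, IP) port sets give the same distinct-port counts the cut/sort/uniq pipelines above produce, and the RST correlation lists the ports the detect calls open.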

Correlations:

Several other people have posted detects from the same source file to
intrusions@xxxxxxxxxxxxxx. They all came to different results because they did
not consider a pen test. I could not find a CVE entry for a Null Scan [11].

Evidence of active targeting: The attacks were mainly to three specific IP's.

Severity:
severity = (criticality + lethality) - (system countermeasures + network countermeasures)
         = (5 + 5) - (3 + 0)
         = 7
criticality: 5
A VMware server may hold several virtual servers. If it is compromised then
all of them may be compromised.
lethality: 5
If an attack of this size happened on a production LAN, I would turn
everything off. Normal business would stop and the business continuity plan
would be invoked.
system countermeasures: 3
The target was not broken into, but it did respond to the null scan and port
0 traffic.
network countermeasures: 0
Nothing was blocked from the VMware server.


Defensive recommendation:

First, none of this traffic should be allowed to get to the Internet or a
production LAN.

There are several critical unknowns with this analysis. VMWare hosts other
OS's but they are not known. There may have been a separate firewall on the
target and/or the hosted systems had some sort of firewall. The target
configuration was unknown. The target may be dual homed.


The target seemed to do OK but there is room for improvement.

Drop all traffic to port 0. Traffic to and from port 0 can be used for OS
typing. This would be useful to an attacker and probably not much use to IT.

Drop all null TCP packets. The target answered to a null scan. There is no
legal reason for this traffic.

The error messages from the target would be useful to an attacker or a
legitimate SA. It would increase security to disable the error responses, and
the LAN would still work, but it would be much harder to diagnose and repair
problems. One option would be to set up one of the virtual machines as a
firewall/router and log the errors. Then the SA would be able to see the
messages but an attacker would not.

Multiple choice test question:

Which IP range includes IP's that are legal on the Internet?
A) 10.0.0.0 - 10.255.255.255
B) 192.168.0.0 - 192.168.255.255
C) 172.16.0.0 - 172.31.255.255
D) 224.0.0.0 - 239.255.255.255
E) none

Answer E: All of these ranges are reserved by ICANN. See http://whois.arin.net

2.1.11 References

[1] Spirent Communications. Security & Web Infrastructure.
URL: http://www.spirentcom.com/analysis/index.cfm?WS=65 (2 May 2004).

[2] Ando Electric Co., Ltd. URL: http://www.ando.com (20 March 2004).

[3] Cahners Publishing Company. Electronic News: CADENCE TO ACQUIRE AMBIT?
(Cadence Design Systems considers acquisition of Ambit Design Systems)
(Company Business and Marketing). 24 August 1998.
URL: http://www.findarticles.com/cf_dls/m0EKF/n2233_v44/21054771/p1/article.jhtml
(20 March 2004).

[4] AboCom Systems, Inc. URL: http://www.abocom.com/ (20 March 2004).

[5] VMware, Inc. URL: http://www.vmware.com/support/ (20 March 2004).

[6] Heim, Kristi. Mercury News: Microsoft buys assets of Connectix. 20 Feb.
2003. URL: http://www.siliconvalley.com/mld/siliconvalley/5222197.htm
(20 March 2004).

[7] Sony Corporation of America. URL: http://sony.com/ (20 March 2004).

[8] Cavebear. Ethernet Codes: Multicast (including Broadcast) Addresses.
09 March 1999. URL: http://www.cavebear.com/CaveBear/Ethernet/multicast.html
(20 March 2004).

[9] IEEE OUI and Company_id Assignments.
URL: http://standards.ieee.org/regauth/oui/index.shtml (20 March 2004).

[10] Vaskovich, Fyodor. Idle Scanning and related IPID games. 13 November 2003.
URL: http://www.insecure.org/nmap/idlescan.html (20 March 2004).

[11] Common Vulnerabilities and Exposures. URL: http://cve.mitre.org
(20 March 2004).






_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions


