List: intrusions
Subject: RE: Resubmit: GIAC GCIA Practical v3.2
From: "Smith, Donald " <Donald.Smith () qwest ! com>
Date: 2002-11-23 16:11:29
> -----Original Message-----
> From: Paul Young [mailto:Paul.Young@clariti.net.au]
> Sent: Friday, November 22, 2002 4:33 PM
> To: Intrusions@incidents.org
> Subject: FW: Resubmit: GIAC GCIA Practical v3.2
>
>
>
>
> Here we go, second try. Couple of queries.
>
> 1. Has anyone seen a tool that uses the combination of TCP
> Port 0 and IP
> ID 0?
Some OS fingerprinting scanners (nmap) need a closed port to
help determine what the OS is. Different OSes do different things
when they receive a packet on a closed port.
>
> 2. Apart from host enumeration and possible OS type detection, can
> anyone think of a purpose for scanning TCP 0. I looked for unusual OS
> behavior that might give away something relating to version of OS etc,
> but couldn't find anything relevant.
>
> 3. Can anyone else confirm that the bad chksum is normal for
> these logs?
Yes, as part of the host obfuscation the logs have been changed on a per
packet basis.
>
>
>
> BTW - I still need at least 2 people to grill this, and questions
> appreciated.
>
>
>
> Thanx
>
> Paul *stressed*
>
>
>
> Detect 3 - Bad Traffic TCP Port 0
>
>
>
>
>
>
Look at the time deltas.
3 seconds/6 seconds appears to be a "basic" time delta pattern.
Ignoring everything after the hundredths place for the seconds, it
appears this output isn't accurate below the hundredths place :-)
> 11:42:49.104488 211.47.255.21.34318 > 46.5.127.19.0: S
> 3389604926:3389604926(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:42:52.094488 211.47.255.21.34318 > 46.5.127.19.0: S
> 3389604926:3389604926(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:42:58.094488 211.47.255.21.34318 > 46.5.127.19.0: S
> 3389604926:3389604926(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:10.094488 211.47.255.21.34318 > 46.5.127.19.0: S
> 3389604926:3389604926(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:21.104488 211.47.255.21.35045 > 46.5.127.19.0: S
> 3420420120:3420420120(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:24.094488 211.47.255.21.35045 > 46.5.127.19.0: S
> 3420420120:3420420120(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:30.094488 211.47.255.21.35045 > 46.5.127.19.0: S
> 3420420120:3420420120(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:42.094488 211.47.255.21.35045 > 46.5.127.19.0: S
> 3420420120:3420420120(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:53.094488 211.47.255.21.35747 > 46.5.127.19.0: S
> 3461547642:3461547642(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:43:56.094488 211.47.255.21.35747 > 46.5.127.19.0: S
> 3461547642:3461547642(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:02.094488 211.47.255.21.35747 > 46.5.127.19.0: S
> 3461547642:3461547642(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:14.094488 211.47.255.21.35747 > 46.5.127.19.0: S
> 3461547642:3461547642(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:25.104488 211.47.255.21.36367 > 46.5.127.19.0: S
> 3480358410:3480358410(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:28.104488 211.47.255.21.36367 > 46.5.127.19.0: S
> 3480358410:3480358410(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:34.104488 211.47.255.21.36367 > 46.5.127.19.0: S
> 3480358410:3480358410(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
> 11:44:46.104488 211.47.255.21.36367 > 46.5.127.19.0: S
> 3480358410:3480358410(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum d36d!)
>
>
>
>
>
> 07:36:44.664488 211.47.255.22.45955 > 46.5.76.25.0: S
> 1771847888:1771847888(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:36:47.654488 211.47.255.22.45955 > 46.5.76.25.0: S
> 1771847888:1771847888(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:36:53.654488 211.47.255.22.45955 > 46.5.76.25.0: S
> 1771847888:1771847888(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:05.654488 211.47.255.22.45955 > 46.5.76.25.0: S
> 1771847888:1771847888(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:21.894488 211.47.255.22.46104 > 46.5.76.25.0: S
> 1806416559:1806416559(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:24.894488 211.47.255.22.46104 > 46.5.76.25.0: S
> 1806416559:1806416559(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:30.894488 211.47.255.22.46104 > 46.5.76.25.0: S
> 1806416559:1806416559(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:42.894488 211.47.255.22.46104 > 46.5.76.25.0: S
> 1806416559:1806416559(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:53.894488 211.47.255.22.46246 > 46.5.76.25.0: S
> 1842645306:1842645306(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:37:56.894488 211.47.255.22.46246 > 46.5.76.25.0: S
> 1842645306:1842645306(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:02.914488 211.47.255.22.46246 > 46.5.76.25.0: S
> 1842645306:1842645306(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:14.894488 211.47.255.22.46246 > 46.5.76.25.0: S
> 1842645306:1842645306(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:25.894488 211.47.255.22.46380 > 46.5.76.25.0: S
> 1883896412:1883896412(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:28.894488 211.47.255.22.46380 > 46.5.76.25.0: S
> 1883896412:1883896412(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:34.894488 211.47.255.22.46380 > 46.5.76.25.0: S
> 1883896412:1883896412(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
> 07:38:46.894488 211.47.255.22.46380 > 46.5.76.25.0: S
> 1883896412:1883896412(0) win 5840 <mss
> 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 667!)
>
>
>
>
>
> 15:52:42.494488 211.47.255.23.36521 > 46.5.235.253.0: S
> 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:52:45.494488 211.47.255.23.36521 > 46.5.235.253.0: S
> 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:52:51.494488 211.47.255.23.36521 > 46.5.235.253.0: S
> 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:03.494488 211.47.255.23.36521 > 46.5.235.253.0: S
> 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:14.504488 211.47.255.23.37212 > 46.5.235.253.0: S
> 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:17.494488 211.47.255.23.37212 > 46.5.235.253.0: S
> 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:23.494488 211.47.255.23.37212 > 46.5.235.253.0: S
> 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:35.494488 211.47.255.23.37212 > 46.5.235.253.0: S
> 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:46.494488 211.47.255.23.37931 > 46.5.235.253.0: S
> 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:49.494488 211.47.255.23.37931 > 46.5.235.253.0: S
> 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:53:55.494488 211.47.255.23.37931 > 46.5.235.253.0: S
> 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:07.494488 211.47.255.23.37931 > 46.5.235.253.0: S
> 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:18.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:21.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:27.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:39.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
>
>
>
>
> 1. Source of Trace.
>
> Logs obtained from http://www.incidents.org/logs/Raw/ from the following files:
>
> o 2002.6.2
>
> o 2002.6.3
>
> o 2002.6.4
>
> o 2002.6.5
>
> o 2002.6.7
>
> o 2002.6.8
>
> o 2002.6.9
>
>
>
> 2. Detect was generated by:
>
> Logs were initially captured in TCPDump format and posted to
> www.incidents.org (http://www.incidents.org/). Parsing of
> the logs was
> performed by Snort on Win32 with a standard (11/02) ruleset. This was
> then filtered with Snortsnarf to allow for better correlation.
>
>
>
> 3. Probability the source address was spoofed:
>
> This source address could have been spoofed as it is unlikely that an
> actual service was being scanned. The methodology of the scan would
> however tend to indicate that the attacker was looking for
> some sort of
> response back. As TCP 0 is a reserved port it is likely that this
> response would vary between operating systems and filters. The small
> range of source addresses is unusual, however the time gaps and linear
> addressing could be the attacker obtaining an incremental IP address
> with each connection.
>
>
>
> 4. Description of attack:
>
> The attack appears to be a scan of some description to elicit
> information from hosts by sending a Syn packet to TCP Port 0.
> The scan is
> unusual in several aspects that indicate behaviour typical of packet
> crafting. A number of destination hosts were scanned in no apparent
> order, from a small range of five sequential IP addresses.
> There were 16
> connection attempts made to each host, in a pattern of 4
> attempts with
> 4 retries each.
>
>
>
> 5. Attack mechanism:
>
> A sequence of 16 packets sent to a single host. The sequence consisted
> of 4 connection attempts with 4 retries each. The retries are at
> intervals of 3, 6, and 12 seconds. This interval time tends
> to indicate
> normal operating system behaviour. The 11 second gaps between each of
> the 4 connection attempts seems to indicate a tool of some kind.
>
> The contents of the packet however indicate some crafting that is not
> normal operating system behaviour. The unusual characteristics are as
> follows:
>
> * TCP Dest Port 0
>
> * IP ID = 0
>
> * Invalid TCP Checksum - This might be due to log file format.
>
> * Large Accelerating TCP Sequence number increments
>
>
>
> This trace is rather confusing. Some of the packet indicates crafting,
> whilst other sections are normal. The IP ID of zero is a giveaway to
> something unusual, as is the invalid checksum. A TCP port of
> zero could
> be created by many tools, but the other factors indicate something
> unusual. The TCP sequence numbers increment, with a significant
> increase between each retry. This increase tends to mean that this is
> part of a much larger scan, as the increase is different each
> time, and
> steadily speeding up. It is possible that the TCP sequence number is
> generated as well however based on some form of counter, rather than a
> random number. Using TCP port
>
>
>
> 6. Correlations:
>
>
>
> This student found exactly the same pattern from the same ISP
> at another
> time.
>
>
> http://cert.uni-stuttgart.de/archive/intrusions/2002/09/msg00006.html
>
> http://www.geocrawler.com/archives/3/6752/2002/3/0/8233030/
>
> www.dshield.org (http://www.dshield.org/) returned no correlations
> for TCP Port 0.
>
> I cannot find any particular tools that match this signature,
> however it
> might be something not widely released.
>
>
>
> 7. Evidence of active targeting:
>
> This appears to be a scan of a number of hosts looking for a
> particular
> response, most likely operating system specific. There is not enough
> data to be a flood, and nothing to trigger an overflow. The
> packet does
> not appear to contain enough information to be a subchannel control,
> however this is always possible for some unknown trojan / worm. The
> repeats and non single host behavior tend to indicate it is not a
> subchannel, but it could be a VERY covert channel for controlling
> another system
> in promiscuous mode. By this logic however ANY unsolicited
> traffic could
> be a covert channel, so I regard this as unlikely.
>
>
>
> 8. Severity:
>
> severity = (criticality + lethality) - (system
> countermeasures + network
> countermeasures)
>
> -1 = ( 3 + 1) - (4 + 1)
>
>
>
> * Criticality - This is an unknown network with what appear to be
> targeted hosts. This leads to picking the middle ground - 3
>
> * Lethality - This particular scan poses no known direct threat to the
> host itself. It might reveal information, but so might any traffic - 1
>
> * System Countermeasures - The system did not respond to the packet,
> this is fine, however there is no evidence to guarantee this
> is the case
> on all systems - 4
>
> * Network Countermeasures - This obviously invalid traffic reached the
> IDS system, and presumably the host, indicating the network
> did little
> or nothing to protect the host (working on the assumption the
> sensor was
> on the same segment as the host) - 1
>
>
>
> 9. Defensive recommendation:
>
> This traffic is obviously invalid and should be filtered at the
> firewall. There is no need for such an unusual port to be permitted
> inbound. An IP ID of 0 is unusual however it does meet the
> requirements
> of IP v4 RFC 791.
>
>
>
>
>
> 10. Multiple choice test question:
>
> 15:54:18.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:21.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:27.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
> 15:54:39.494488 211.47.255.23.38621 > 46.5.235.253.0: S
> 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
> (DF) (ttl 47, id 0, bad cksum 6580!)
>
>
>
> In the preceding packets Windump has recorded 4 packets with the same
> TCP sequence number. Which of the following best describes this
> behaviour:
>
>
>
> a) This is the same packet re-transmitted 4 times as part of a normal
> tcp connection attempt
>
> b) This is the same packet re-transmitted 4 times as part of
> a Denial of
> Service
>
> c) This is the same packet received 4 times due to different paths
> through the internet
>
> d) This is a crafted packet as TCP sequence numbers should always
> increase by one with each packet.
>
> e) This is a crafted packet as the first part of the TCP sequence
> number printed by windump should be some value less than the
> second part
> of the TCP sequence number.
>
>
>
> Answer: a
>
>
>
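The time-delta and sequence-number reasoning in the thread (3/6/12 second retries, roughly 11 second gaps between the four attempts, dport 0, IP ID 0, bad checksum) can be checked mechanically rather than by eye. The script below is an added example, not part of the original post or of any tool it mentions: it stitches wrapped windump/tcpdump lines back into records, groups packets into connection attempts by (source IP, source port, ISN), and reports retry spacing, inter-attempt gaps, ISN increments and which crafting indicators hold across every packet. The sample input is the 46.5.235.253 probe set copied from the detect above; the first record is left in its original wrapped form to exercise the continuation-line handling.

```python
import re
from collections import OrderedDict

# Sample input copied from the detect in the thread (one probe set). The
# first record keeps the wrapped layout windump printed; the rest are joined.
SAMPLE = """\
15:52:42.494488 211.47.255.23.36521 > 46.5.235.253.0: S
841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
(DF) (ttl 47, id 0, bad cksum 6580!)
15:52:45.494488 211.47.255.23.36521 > 46.5.235.253.0: S 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:52:51.494488 211.47.255.23.36521 > 46.5.235.253.0: S 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:03.494488 211.47.255.23.36521 > 46.5.235.253.0: S 841941060:841941060(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:14.504488 211.47.255.23.37212 > 46.5.235.253.0: S 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:17.494488 211.47.255.23.37212 > 46.5.235.253.0: S 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:23.494488 211.47.255.23.37212 > 46.5.235.253.0: S 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:35.494488 211.47.255.23.37212 > 46.5.235.253.0: S 884110469:884110469(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:46.494488 211.47.255.23.37931 > 46.5.235.253.0: S 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:49.494488 211.47.255.23.37931 > 46.5.235.253.0: S 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:53:55.494488 211.47.255.23.37931 > 46.5.235.253.0: S 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:54:07.494488 211.47.255.23.37931 > 46.5.235.253.0: S 928747484:928747484(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:54:18.494488 211.47.255.23.38621 > 46.5.235.253.0: S 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:54:21.494488 211.47.255.23.38621 > 46.5.235.253.0: S 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:54:27.494488 211.47.255.23.38621 > 46.5.235.253.0: S 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
15:54:39.494488 211.47.255.23.38621 > 46.5.235.253.0: S 963205679:963205679(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF) (ttl 47, id 0, bad cksum 6580!)
"""

TS_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# One tcpdump -vv style TCP record: time, src.port > dst.port: flags seq:end(len) win ... (ttl, id, cksum)
REC = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<seq>\d+):(?P<seq_end>\d+)\((?P<plen>\d+)\) win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?(?: \(DF\))? "
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+)(?:, bad cksum (?P<cksum>[0-9a-f]+)!)?\)"
)

def stitch(text):
    """Re-join wrapped records: a line without a leading timestamp continues the previous one."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line):
            recs.append(line)
        elif recs:
            recs[-1] += " " + line
    return recs

def ts_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (capture is within one day)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(text):
    pkts = []
    for line in stitch(text):
        m = REC.match(line)
        if not m:
            raise ValueError("unparsed record: " + line)
        d = m.groupdict()
        pkts.append({"t": ts_seconds(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
                     "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
                     "seq": int(d["seq"]), "ttl": int(d["ttl"]), "ip_id": int(d["id"]),
                     "bad_cksum": d["cksum"] is not None})
    return pkts

def attempts(pkts):
    """A connection attempt is every packet sharing (src, sport, ISN); retries repeat the ISN."""
    groups = OrderedDict()
    for p in pkts:
        groups.setdefault((p["src"], p["sport"], p["seq"]), []).append(p)
    return list(groups.values())

def analyse(pkts):
    groups = attempts(pkts)
    retry_deltas = [[round(b["t"] - a["t"], 2) for a, b in zip(g, g[1:])] for g in groups]
    gaps = [round(n[0]["t"] - p[-1]["t"], 2) for p, n in zip(groups, groups[1:])]
    seq_incr = [n[0]["seq"] - p[0]["seq"] for p, n in zip(groups, groups[1:])]
    # An indicator counts only if it holds for every packet in the set.
    checks = (("tcp dport 0", lambda p: p["dport"] == 0),
              ("ip id 0", lambda p: p["ip_id"] == 0),
              ("bad ip cksum", lambda p: p["bad_cksum"]))
    crafted = [name for name, test in checks if all(test(p) for p in pkts)]
    return {"attempts": len(groups), "retries_per_attempt": [len(g) for g in groups],
            "retry_deltas": retry_deltas, "gaps_between_attempts": gaps,
            "seq_increments": seq_incr, "crafting_indicators": crafted}

if __name__ == "__main__":
    for k, v in analyse(parse(SAMPLE)).items():
        print(f"{k}: {v}")
```

Grouping by ISN rather than by source port is deliberate: a retransmitted SYN keeps its ISN, so the 3/6/12 second retry ladder falls out as `retry_deltas` per attempt, while the gaps between groups give the inter-attempt spacing the original author measured at about 11 seconds. The ISN increments are reported as plain numbers so the reader can judge for themselves whether they are "accelerating" for a given probe set; the checksum flag only records what the capture says, since, as the reply notes, the address obfuscation in the published logs invalidates the IP checksum on every packet.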