
List:       intrusions
Subject:    RE: GCIA Version 3.3 Practical Detect- - Steve Scott
From:       "Szczepankiewicz, Peter" <pjszczep () fiwc ! navy ! mil>
Date:       2002-11-23 16:03:55

Steve,

1. You mentioned that the destination address is in the multicast range. It was my understanding that the destination IPs have been masked to protect the true network address from being posted to the Internet. Do you agree, or is there something different going on in your trace?

2. Why would a prober try to send bind queries to a multicast address? What would you expect to return?

Thanks,
Peter



-----Original Message-----
From: Steven J. Scott [mailto:sjscott007@earthlink.net] 
Sent: Tuesday, November 12, 2002 8:13 PM
To: intrusions@incidents.org
Subject: Fw: GCIA Version 3.3 Practical Detect- - Steve Scott



----- Original Message ----- 
From: Steven J. Scott 
To: intrusions@incidents.org 
Sent: Tuesday, November 12, 2002 6:16 PM
Subject: GCIA Version 3.3 Practical Detect- - Steve Scott


Detect #1

1) Source of Trace

The source of this trace is from http://www.incidents.org/logs/Raw/2002.5.2
and is in pcap format.

The following is output from Ethereal and is produced by printing to a text file.  


Frame 34 (72 on wire, 72 captured)
    Arrival Time: Jun  1, 2002 22:11:47.614488000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 10410.960000000 seconds
    Frame Number: 34
    Packet Length: 72 bytes
    Capture Length: 72 bytes
Ethernet II
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 203.122.47.137 (203.122.47.137), Dst Addr: 226.185.128.124 (226.185.128.124)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 58
    Identification: 0x0c98
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 41
    Protocol: UDP (0x11)
    Header checksum: 0x9752 (incorrect, should be 0x26e2)
    Source: 203.122.47.137 (203.122.47.137)
    Destination: 226.185.128.124 (226.185.128.124)
User Datagram Protocol, Src Port: 12615 (12615), Dst Port: domain (53)
    Source port: 12615 (12615)
    Destination port: domain (53)
    Length: 38
    Checksum: 0xac03 (incorrect, should be 0x3b93)
Domain Name System (query)
    Transaction ID: 0x1234
    Flags: 0x0080 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class chaos
            Name: version.bind
            Type: Text strings
            Class: chaos

0000  00 00 0c 04 b2 33 00 03 e3 d9 26 c0 08 00 45 00   .....3....&...E.
0010  00 3a 0c 98 00 00 29 11 97 52 cb 7a 2f 89 e2 b9   .:....)..R.z/...
0020  80 7c 31 47 00 35 00 26 ac 03 12 34 00 80 00 01   .|1G.5.&...4....
0030  00 00 00 00 00 00 07 76 65 72 73 69 6f 6e 04 62   .......version.b
0040  69 6e 64 00 00 10 00 03                           ind.....        



Frame 36 (72 on wire, 72 captured)
    Arrival Time: Jun  1, 2002 23:30:09.594488000
    Time delta from previous packet: 4701.980000000 seconds
    Time relative to first packet: 15112.940000000 seconds
    Frame Number: 36
    Packet Length: 72 bytes
    Capture Length: 72 bytes
Ethernet II
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 203.122.47.137 (203.122.47.137), Dst Addr: 226.185.240.180 (226.185.240.180)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 58
    Identification: 0x4c13
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 41
    Protocol: UDP (0x11)
    Header checksum: 0xe79e (incorrect, should be 0x772e)
    Source: 203.122.47.137 (203.122.47.137)
    Destination: 226.185.240.180 (226.185.240.180)
User Datagram Protocol, Src Port: 21044 (21044), Dst Port: domain (53)
    Source port: 21044 (21044)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x1ade (incorrect, should be 0xaa6d)
Domain Name System (query)
    Transaction ID: 0x1234
    Flags: 0x0080 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class chaos
            Name: version.bind
            Type: Text strings
            Class: chaos

0000  00 00 0c 04 b2 33 00 03 e3 d9 26 c0 08 00 45 00   .....3....&...E.
0010  00 3a 4c 13 00 00 29 11 e7 9e cb 7a 2f 89 e2 b9   .:L...)....z/...
0020  f0 b4 52 34 00 35 00 26 1a de 12 34 00 80 00 01   ..R4.5.&...4....
0030  00 00 00 00 00 00 07 76 65 72 73 69 6f 6e 04 62   .......version.b
0040  69 6e 64 00 00 10 00 03                           ind.....        



Frame 37 (72 on wire, 72 captured)
    Arrival Time: Jun  1, 2002 23:47:26.874488000
    Time delta from previous packet: 1037.280000000 seconds
    Time relative to first packet: 16150.220000000 seconds
    Frame Number: 37
    Packet Length: 72 bytes
    Capture Length: 72 bytes
Ethernet II
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 203.122.47.137 (203.122.47.137), Dst Addr: 226.185.247.77 (226.185.247.77)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 58
    Identification: 0x9100
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 41
    Protocol: UDP (0x11)
    Header checksum: 0x9c18 (incorrect, should be 0x2ba8)
    Source: 203.122.47.137 (203.122.47.137)
    Destination: 226.185.247.77 (226.185.247.77)
User Datagram Protocol, Src Port: 15363 (15363), Dst Port: domain (53)
    Source port: 15363 (15363)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x2a76 (incorrect, should be 0xba05)
Domain Name System (query)
    Transaction ID: 0x1234
    Flags: 0x0080 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class chaos
            Name: version.bind
            Type: Text strings
            Class: chaos

0000  00 00 0c 04 b2 33 00 03 e3 d9 26 c0 08 00 45 00   .....3....&...E.
0010  00 3a 91 00 00 00 29 11 9c 18 cb 7a 2f 89 e2 b9   .:....)....z/...
0020  f7 4d 3c 03 00 35 00 26 2a 76 12 34 00 80 00 01   .M<..5.&*v.4....
0030  00 00 00 00 00 00 07 76 65 72 73 69 6f 6e 04 62   .......version.b
0040  69 6e 64 00 00 10 00 03                           ind.....        



Frame 45 (72 on wire, 72 captured)
    Arrival Time: Jun  2, 2002 01:59:43.774488000
    Time delta from previous packet: 7936.900000000 seconds
    Time relative to first packet: 24087.120000000 seconds
    Frame Number: 45
    Packet Length: 72 bytes
    Capture Length: 72 bytes
Ethernet II
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 203.122.47.137 (203.122.47.137), Dst Addr: 226.185.168.124 (226.185.168.124)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 58
    Identification: 0xad41
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 41
    Protocol: UDP (0x11)
    Header checksum: 0xcea8 (incorrect, should be 0x5e38)
    Source: 203.122.47.137 (203.122.47.137)
    Destination: 226.185.168.124 (226.185.168.124)
User Datagram Protocol, Src Port: 30487 (30487), Dst Port: domain (53)
    Source port: 30487 (30487)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x3e33 (incorrect, should be 0xcdc2)
Domain Name System (query)
    Transaction ID: 0x1234
    Flags: 0x0080 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class chaos
            Name: version.bind
            Type: Text strings
            Class: chaos

0000  00 00 0c 04 b2 33 00 03 e3 d9 26 c0 08 00 45 00   .....3....&...E.
0010  00 3a ad 41 00 00 29 11 ce a8 cb 7a 2f 89 e2 b9   .:.A..)....z/...
0020  a8 7c 77 17 00 35 00 26 3e 33 12 34 00 80 00 01   .|w..5.&>3.4....
0030  00 00 00 00 00 00 07 76 65 72 73 69 6f 6e 04 62   .......version.b
0040  69 6e 64 00 00 10 00 03                           ind.....        



Frame 64 (72 on wire, 72 captured)
    Arrival Time: Jun  2, 2002 03:25:23.594488000
    Time delta from previous packet: 5139.820000000 seconds
    Time relative to first packet: 29226.940000000 seconds
    Frame Number: 64
    Packet Length: 72 bytes
    Capture Length: 72 bytes
Ethernet II
    Destination: 00:00:0c:04:b2:33 (Cisco_04:b2:33)
    Source: 00:03:e3:d9:26:c0 (Cisco_d9:26:c0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 203.122.47.137 (203.122.47.137), Dst Addr: 226.185.146.194 (226.185.146.194)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 58
    Identification: 0xfff4
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 41
    Protocol: UDP (0x11)
    Header checksum: 0x91af (incorrect, should be 0x213f)
    Source: 203.122.47.137 (203.122.47.137)
    Destination: 226.185.146.194 (226.185.146.194)
User Datagram Protocol, Src Port: 23379 (23379), Dst Port: domain (53)
    Source port: 23379 (23379)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x6fb1 (incorrect, should be 0xff40)
Domain Name System (query)
    Transaction ID: 0x1234
    Flags: 0x0080 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        version.bind: type TXT, class chaos
            Name: version.bind
            Type: Text strings
            Class: chaos

0000  00 00 0c 04 b2 33 00 03 e3 d9 26 c0 08 00 45 00   .....3....&...E.
0010  00 3a ff f4 00 00 29 11 91 af cb 7a 2f 89 e2 b9   .:....)....z/...
0020  92 c2 5b 53 00 35 00 26 6f b1 12 34 00 80 00 01   ..[S.5.&o..4....
0030  00 00 00 00 00 00 07 76 65 72 73 69 6f 6e 04 62   .......version.b
0040  69 6e 64 00 00 10 00 03                           ind.....        




    
2) Detect was Generated by  

I used Ethereal to analyze the tcpdump file and look for something interesting in the log file. Ethereal is a graphical protocol analyzer for the UNIX or Windows platforms. The first thing I did was sort by source address to find patterns. In this case I chose to analyze packets that were querying the Domain Name Service for its version number. I then filtered the display to only show packets matching the DNS queries in question. This left me with 12 packets. I then proceeded to print to a text file using the detailed print and hex data option. I also looked for hosts that generated a response to the packets in question, of which none replied.

3) Probability the Source Address was Spoofed

I did a Whois lookup on the source address in question and produced the following results:

% [whois.apnic.net node-2]
% How to use this server        http://www.apnic.net/db/
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
inetnum:      203.122.0.0 - 203.122.63.255
netname:      SPECTRANET
descr:        SPECTRA NET LIMITED
descr:        FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA.
country:      IN
admin-c:      UP1-AP
tech-c:       UP1-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-IN-SPECTRA-NET-LTD
changed:      hostmaster@apnic.net 20000504
status:       ALLOCATED PORTABLE
source:       APNIC
person:       Uday Punj
address:      17-18, Nehru Place
address:      New Delhi - 110019
address:      India
country:      IN
phone:        +91-11-6200123
fax-no:       +91-11-6200111
e-mail:       sachin.mehra@in.spectranet.com
nic-hdl:      UP1-AP
mnt-by:       MAINT-NEW
changed:      gaurav.gulati@in.spectranet.com 20001205
source:       APNIC

This is a valid IP address of what appears to be a broadband internet service provider in India. I also looked for the source address on dshield.org, but my query didn't return any results.

If you take a look at the destination addresses, they are part of the multicast address range. Below is the arin.net output.

Output from ARIN Whois:

IANA (NET-MCAST-NET)
   Internet Assigned Numbers Authority
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695
   US

   Netname: MCAST-NET
   Netblock: 224.0.0.0 - 239.255.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers  (IANA-ARIN)  res-ip@iana.org  (310) 823-9358

   Domain System inverse mapping provided by:

   FLAG.EP.NET   198.32.4.13
   STRUL.STUPI.SE  192.108.200.1 192.36.143.3
   NS.ISI.EDU   128.9.128.127
   NIC.NEAR.NET   192.52.71.4

   Record last updated on 12-Sep-2000.
   Database last updated on  21-Aug-2002 20:01:34 EDT.


The source address is most likely not spoofed due to the fact that this probe needs a reply to be successful.

4) Description of Attack 

This is definitely an attempt to map the versions of your DNS servers. Commonly this is referred to as a recon tactic, and is often used to find exploits in a particular service. In this case it's the DNS service. The host generating this recon is most likely building a version list of all your DNS servers that can later be exploited by a known or future vulnerability.

You can find a good synopsis and the issues associated with DNS at http://www.dshield.org/ports/port53.html.

5) Attack Mechanism 

The packets that generate this traffic can be produced manually by running the following command:

nslookup -class=chaos -q=txt version.bind

or

dig version.bind txt chaos

This will return the version of the DNS server. You can easily automate this via scripting or a small C program.

6) Correlations 

There are numerous vulnerabilities that can be exploited in DNS. You can find a list of them at http://www.isc.org/products/BIND/bind-security-19991108.html.

The following link explores the troubles with the Domain Name service: http://www.spirit.com/Network/net0600.html.

This type of recon attempt is quite common and is well documented.

7) Evidence of Active Targeting  

This recon was done over a two day period and looks like it was targeted specifically at DNS servers. You can clearly recognize this by the randomness of the destination addresses. There is no evidence in the log of any prior probes by this host, but you can easily speculate that the network had been previously scanned for DNS servers.

8) Severity 

Since this is a recon attempt, the severity of this probe is mostly based on the criticality of the service in question. As we know, the Domain Name Service (DNS) is very important, and without it your servers can no longer be referenced by name. Therefore, the severity ranking for this recon attempt is as follows:

4 = (5+5) - (3+2)

This is based upon: severity = (criticality + lethality) - (system countermeasures + network countermeasures).

9) Defensive Recommendation  

screening router

// Known fake source addresses shouldn't be replied to.
// For external queries, these should be blocked by
// example.com's border router.
acl "bogon" {
    0.0.0.0/8;          // Null address
    1.0.0.0/8;          // IANA reserved, popular fakes
    2.0.0.0/8;
    192.0.2.0/24;       // Test address
    224.0.0.0/3;        // Multicast addresses
    // Enterprise networks may or may not be
    // bogus.
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};


This is a recon probe and is normally seen as a prelude to an attack. In this case you can do the following to prevent any damage that may occur after the probe:

Ensure that your systems are fully patched, especially the service in question. Only allow access to the specific services that are required. Create firewall rules or access lists.

In this case, stop Bind from returning version numbers. You can find out how to do this here: http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125895&w=2

10) Multiple Choice Question

When mapping DNS server versions on a network, what is the best technique to avoid detection?

A) Use NMAP to avoid DNS version probe detection
B) Scan from a spoofed source address
C) Span your scan over multiple days and use different source hosts
D) Adjust the chaos domain to reflect a different version than the one currently running

Correct answer: C
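The frames in the detect are the same probe sent to five destinations, and the thread turns on three things visible in them: the version.bind TXT/CHAOS question, the destination in the multicast range, and the IP header checksum that Ethereal reports as incorrect. As an added example (mine, not Steve's or Peter's, and not Ethereal's code), here is a small Python decoder that takes the 72 bytes of Frame 34 straight from the hex dump above, walks Ethernet, IPv4, UDP and DNS, recomputes the IP header checksum and flags all three conditions. A checksum that no longer verifies is what you would expect if the addresses were rewritten after capture, which is the masking Peter asks about. The function names and the wording of the rules are my own.

```python
"""Decode a captured version.bind probe frame and check its IP header checksum.

Added example: the 72 frame bytes are copied from the Frame 34 hex dump in the
detect; the function names and classification rules are assumptions of this
example, not part of Ethereal or of the practical.
"""
import ipaddress
import struct

# Frame 34 from the detect, copied from the Ethereal hex dump (72 bytes).
FRAME_34 = bytes.fromhex(
    "00000c04b2330003e3d926c008004500"
    "003a0c98000029119752cb7a2f89e2b9"
    "807c314700350026ac03123400800001"
    "0000000000000776657273696f6e0462"
    "696e640000100003"
)

DNS_TYPE_TXT = 16     # RR type TXT
DNS_CLASS_CHAOS = 3   # class CH, where version.bind lives


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the 16-bit words of the
    header with the checksum field (bytes 10-11) treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_dns_question(payload: bytes):
    """Return (qname, qtype, qclass) for the first question, or None."""
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return None
    off, labels = 12, []                    # questions start after the 12-byte header
    while True:
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside question name")
        labels.append(payload[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return ".".join(labels), qtype, qclass


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DNS and collect the fields of interest."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    question = parse_dns_question(udp[8:]) or (None, None, None)
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "ip_checksum_stored": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_expected": ip_header_checksum(ip[:ihl]),
        "sport": sport,
        "dport": dport,
        "qname": question[0],
        "qtype": question[1],
        "qclass": question[2],
    }


def classify(info: dict) -> list:
    """Reasons to flag the packet; an empty list means nothing notable."""
    reasons = []
    if (info["dport"] == 53 and info["qname"] and info["qname"].lower() == "version.bind"
            and info["qclass"] == DNS_CLASS_CHAOS and info["qtype"] == DNS_TYPE_TXT):
        reasons.append("version.bind TXT/CHAOS query: DNS version probe")
    if ipaddress.IPv4Address(info["dst"]).is_multicast:
        reasons.append("destination lies in 224.0.0.0/4 (multicast)")
    if info["ip_checksum_stored"] != info["ip_checksum_expected"]:
        reasons.append("IP header checksum does not verify "
                       "(addresses may have been rewritten after capture)")
    return reasons


if __name__ == "__main__":
    info = parse_frame(FRAME_34)
    print("%s:%d -> %s:%d ttl=%d" % (info["src"], info["sport"],
                                      info["dst"], info["dport"], info["ttl"]))
    print("stored IP checksum 0x%04x, recomputed 0x%04x"
          % (info["ip_checksum_stored"], info["ip_checksum_expected"]))
    for reason in classify(info):
        print(" -", reason)
```

Running it against Frame 34 recomputes the checksum as 0x26e2, the same value Ethereal shows as "should be", against the stored 0x9752; the other four frames decode the same way because only the destination address, IP ID and ports differ. The same three checks can be applied to every frame in the capture with a pcap reader in place of the inline bytes.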

