
Risk management the big picture part 2


Risk Management
The Big Picture – Part 2
Going Around the Firewall and
Scanning for Vulnerabilities

Information Risk Management - SANS ©2001

1

If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them
before they do. System, network, and telephone vulnerability scanning tools are a powerful method
of doing this.



Gnutella
• Designed for peer-to-peer file
sharing on the Internet
• Introduces security weaknesses
– Hole in a firewall
– Users give away network information
– A possible annoyance or DDOS tool

Let's take a look at another Internet threat. This is the threat introduced by users who download and run utilities that
are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more
recently Scour. In the next two slides we'll examine Gnutella, its function, and the dangers it introduces.
Gnutella is an Internet file sharing utility. Described as a "servant", Gnutella acts as a server for sharing files
while simultaneously acting as a client that searches for and downloads files from other users.
The Gnutella net is peer-to-peer with interconnected servants that search and relay one another to make file sharing
and storage truly distributed. When searching for a file, the Gnutella service will search hosts that you are connected to,
and hosts they are connected to, and so on. Once the file is found, a download can be initiated with a TCP connection
directly between the ‘client’ and ‘server’.
Gnutella was designed to enhance free, easy, and anonymous exchange of information. However, there is a dark
side - the distributed nature of the Gnutella net combined with the Gnutella net protocol introduces security weaknesses for
Gnutella users. A prime concern is that Gnutella users situated behind firewalls open a hole in their firewall when they
connect to an external Gnutella net. The way this works is covered in the next slide.
Traces taken from a Gnutella user's machine show that when searching, requesting a download, or 'pinging' for
other Gnutella hosts, the user gives away a combination of information including an IP address within a network, a
half-open connection and/or a known set of SEQ and ACK numbers, and a MAC address. Although security is not achievable
merely through obscurity, it is certainly better to not openly offer this information to anyone on the Internet!
In order to handle Network Address Translation (NAT), the Gnutella design incorporates the ability to spoof ports
and IP addresses. Unfortunately, this means that an unwitting host may be targeted by many simultaneous SYN requests
from hosts on the Gnutella net who are attempting to grab the files that the spoofed host is apparently offering.
One more thing - with the current increasing use of Gnutella, and the number of Gnutella versions and downloads
available, perhaps it is only a matter of time before someone discovers that there’s more to their executable than they
originally thought. Is there a better way to distribute a Trojan, than to take advantage of a pool of users eager to download
and run the Gnutella binary?



Gnutella - Firewall Subversion

[Diagram: left panel shows host A behind a FIREWALL and host B outside it; right panel adds host C joining the Gnutella Net]

Left panel:
1. A and B set up Gnutella Net
2. Firewall denies inbound TCP request

Right panel:
1. C connects to Gnutella Net
2. C's request relayed to A
3. A connects to C through wall

The fundamental trick Gnutella uses is to count on a firewall policy that says we trust ANY connection
originated from inside the firewall. The threat vector with tools like Gnutella is inside users on your local
network. They usually know they are violating policy, but they may not understand the entire risk of their
actions.
On the left, host A is behind a firewall and has connected to host B, forming a Gnutella net. Host A
initiated the connection, which the firewall allowed. An external TCP request from host C is denied by the
firewall - that is, C cannot initiate a connection to A. Gnutella provides a mechanism for host C to
circumvent this firewall block and access host A.
On the right, we see that host C connects to the Gnutella net previously set up by A and B. Through host B
on the net, host C can now ‘see’ the files being offered by A. In order to download from A, host C needs to
set up a TCP connection. Host C achieves this by sending a request to the Gnutella net which relays the
request to A, telling A to initiate a connection to C. Since A is not prevented from connection initiation, a
connection can be made. Indirectly, C can connect to a port on a host behind a firewall that denies inbound
TCP connections to unserved ports! Combine this with the information give-away talked about earlier, and
the hacker’s job is made that much easier.

Thanks to Matt Scarborough for sourcing the Gnutella information. For more on Gnutella visit .
To summarize this section, many users place too much trust in their firewalls. Firewalls are wonderful,
but they, like any defensive means, have limitations. Next we will take a look at the type of attacks that are
banging against your firewall on a daily basis.
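To make the relay concrete, here is an added example (not from the SANS notes) that models the stateful firewall policy the text describes and replays the two panels of the slide; the host names and the Gnutella port number 6346 are assumptions, and the second run shows what happens when the same firewall only allows outbound connections to an egress allow-list of ports.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

GNUTELLA_PORT = 6346  # assumed servant port; the notes do not give one


@dataclass
class Firewall:
    """Stateful perimeter as the notes describe it: connections initiated from
    inside are allowed (optionally only to an egress allow-list of ports);
    connections initiated from outside are denied."""
    inside: Set[str]
    egress_ports: Optional[Set[int]] = None   # None = trust ANY inside-initiated connection
    flows: Set[Tuple[str, str, int]] = field(default_factory=set)

    def initiate(self, src: str, dst: str, dport: int) -> bool:
        """Return True if a TCP connection src -> dst:dport may be opened."""
        if src in self.inside and dst not in self.inside:
            if self.egress_ports is not None and dport not in self.egress_ports:
                return False
            self.flows.add((src, dst, dport))       # remember the inside-initiated flow
            return True
        if dst in self.inside and src not in self.inside:
            return False                            # inbound initiation is always denied
        return True                                 # traffic that never crosses the wall


def gnutella_push_scenario(fw: Firewall) -> List[Tuple[str, bool]]:
    """Replay the two panels of the slide: A is inside fw, B and C are outside."""
    steps = []
    # Left panel, step 1: A and B set up a Gnutella net. A initiates, so it passes.
    steps.append(("A -> B: A joins the Gnutella net", fw.initiate("A", "B", GNUTELLA_PORT)))
    # Left panel, step 2: C tries to open a TCP connection straight to A. Inbound: denied.
    steps.append(("C -> A: direct download request", fw.initiate("C", "A", GNUTELLA_PORT)))
    # Right panel, steps 1-2: C joins the net and B relays its request to A. The relay
    # rides on the connection A already opened, so the firewall never sees a new flow.
    relayed = ("A", "B", GNUTELLA_PORT) in fw.flows
    steps.append(("B -> A: push request relayed over A's own connection", relayed))
    # Right panel, step 3: A, told to push, initiates a connection out to C through the wall.
    pushed = relayed and fw.initiate("A", "C", GNUTELLA_PORT)
    steps.append(("A -> C: A connects to C through the wall", pushed))
    return steps


def download_succeeds(fw: Firewall) -> bool:
    """True when C ends up with a TCP connection to the host behind the firewall."""
    return gnutella_push_scenario(fw)[-1][1]


if __name__ == "__main__":
    for label, fw in (("trust anything from inside", Firewall(inside={"A"})),
                      ("egress limited to web ports", Firewall(inside={"A"}, egress_ports={80, 443}))):
        print(f"== {label} ==")
        for step, ok in gnutella_push_scenario(fw):
            print(f"  {'ALLOWED' if ok else 'DENIED '}  {step}")
```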



Firewalls, Wireless Connections, and Modems

[Diagram: INTERNET - ISP - Firewall]

The more restrictive a site's firewall policy, the more likely the employees will use modems.

Suppose your house is connected to the Internet with a Cisco router running the firewall feature
set. Behind that is an additional appliance firewall. Could your systems be easily reached? They
could if the systems run 802.11 wireless cards! But long before wireless became popular, there were
still a number of ways to penetrate or avoid firewalls. You can't buy a system today without a 56K
modem built in, and PCs with modems are number one in the subvert-a-firewall hit parade.
There are at least two problems with modems inside a firewall: leaving the modem on auto-answer, and having attackers scan you when you use the modem to connect to the Internet.
The first case (auto-answer) is well understood. If the modem is left in this mode, then an attacker
may locate it with a war dialer and access the site. Perhaps the best defense for this is to sweep your
site for modems periodically. Phonesweep is a commercial war dialer available at .
The second modem risk is exposed when a system makes a connection to an ISP: it is a fully
functional, bi-directional network connection. Many sites understand some or all of the information-gathering probes and attacks that can be directed against Windows machines, and block NetBIOS
with their filtering firewall or router. However, a system connected to an ISP is not protected by the
firewall!
The picture on your screen represents a successful compromise of a secure facility. The firewall
was a good one, with certified proxies. However, there was no proxy available for the timecard
application, so they gave the administrative worker access to an ISP account. A determined hacker
had studied what they were doing and since timecards are done at about the same time every other
Friday, was able to scan the ISP dialups, find the administrative worker’s system, and gain access to
information via an unprotected share that was later used to attack the facility. The firewall did its job
just fine, but the perimeter was not sufficient to protect the facility. The threat vector here was an
outside attack via a network.



Finding Unprotected Shares - Legion

Legion is available from . This tool is recommended
for any system administrator or security professional responsible for a site with Windows systems.
Just remember to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of
your next career may be: "Would you like fries with that order?"
What does Legion do? The software can detect unprotected or poorly protected
shares. Poorly protected shares may allow an attacker access to files. Depending on this access, this
may mean the ability to compromise the system. It certainly could mean the ability to defeat two of
the primary security pillars: confidentiality and integrity. Confidentiality would be breached if they
could read the files; integrity would be compromised if they could modify the files. This simple flaw
is what enables an entire class of Windows worms to function: if they find an unprotected share they
can copy themselves to the hard drive and then simply need to find a way to have their code
executed. Sometimes these worms aren't that dangerous. Lance Spitzner has an interesting account
of an unprotected share worm at . In that case the worm
borders on research.
NOTE: not all Windows worms propagate via unprotected shares. KAK, for
instance, uses an ActiveX design flaw in Outlook Express so that if the user simply reads an email
message (they do not have to open an attachment, as with the earliest worms), KAK is able to spread by
attaching itself to the outgoing signature file so that it can reach other victims.
Many of you know about shares and null sessions and have figured, “So what? We
have a firewall and we block NetBIOS”. This is good, but if one system that connects to the Internet
via modem or wireless card gets compromised, it can be used as a springboard to run against your
entire network from the inside. Again, the simplest way to subvert a firewall is with a system and a
modem inside a facility.



Social Engineering
• Attempt to manipulate or trick a person
into providing information or access
• Bypass network security by exploiting
human vulnerabilities
• Vector is often outside attack by
telephone or a visitor inside your facility


“Social engineering” is the term used to describe an attempt to manipulate or trick a person into
providing valuable information or access to that information. It is the process of attacking a network
or system by exploiting the people who interact with that system.
People are often the weakest link in an organization’s security. All of the technology in the world
cannot protect your network from a user who willingly gives out his or her password, or innocently
installs malicious software.
Social engineering often preys on qualities of human nature, such as the desire to be helpful, the fear
of getting in trouble, or the tendency to trust the people - and computers - with which we interact.



Social Engineering (2)
• Human-based
– Urgency
– Third-person authorization

• Computer-based
– Popup windows
– Mail attachments

Most social engineering is "human based." It involves one person trying to get valuable information
from another person. The most well-known techniques are the urgency, impersonation, and third-person authorization techniques. Here is a classic example. A man calls the help desk: "Hello, this
is Bob Smith, the Vice President of Big Corporation. I'm on travel and I've forgotten my password.
Can you reset it so I can retrieve an important email for a meeting in 15 minutes?" Would your help
desk question this request? Most people would give out the information without thinking, either
because they want to be helpful or because they are afraid of refusing the “vice president’s” request
especially since he has an urgent meeting in 15 minutes.
Social engineering can also be computer-based. Consider this example: A user is browsing the web
when he sees a pop-up window telling him that his Internet connection has timed out and he needs to
re-enter his user name and password to re-authenticate. Would the average user question this
activity? This is a common means to steal password information.
These examples show that “human nature” can make it trivially easy for an attacker to walk right in
to your network. Why hack through someone’s security system when you can get a user to open the
door for you?



Social Engineering Defense
• Develop appropriate security policies
• Establish procedures for granting
access, etc., and reporting violations
• Educate users about vulnerabilities
and how to report suspicious activity


Social engineering is one of the hardest attacks against which to defend. The weakness is a human
one; we want to help people. Technology, such as host perimeter defense products, can provide
some protection (for example, anti-virus software to guard against users who run viruses or Trojan
software). Your best defense is to establish clear security policies - and enforce them.

• Security policies should establish such things as: The types of access allowed; the people
authorized to grant such access; and the circumstances under which exceptions may be granted.
• In addition to policy, you should define procedures for things like activating and deactivating
accounts; changing or resetting passwords; and granting additional rights or privileges.
• Finally, educate your users about these types of threats. In most cases, users do not maliciously
create security problems - they generally do so out of ignorance. If users are aware of the threats,
they can properly guard against them.
Here is a final thought about social engineering. In some sense, all attacks are social engineering.
Whatever technology or technique an attacker is using to attack a site, if the attack is noticed, it often
has a marked effect. Many people are starting to feel that they
cannot keep up, that they cannot defend against the rapidly evolving threat. This is one reason why a
course like this one is important, it gives you access to a lot of up-to-date information packaged so
that you can get up-to-speed and back in the game fast.



Primary Threat Vectors
• Outsider attack from network
• Outsider attack from telephone
• Insider attack from local network
• Insider attack from local system
• Attack from malicious code


A threat is applied against a vulnerability and that results in a compromise or denial of service. A
threat vector is the method a threat uses to get to the target. For example, mosquitoes are the vector
for malaria. A countermeasure against malaria (the threat) is to locate and spray mosquito breeding
ponds (detection and response) or to invest in mosquito netting (prevention).
As we discuss threats, please try to keep the threat vectors firmly in mind. Once the most important
and probable threat vectors have been listed, you can note which ones are handled by current
measures and which ones your proposal will address. For example, insider fraud risks are often well-controlled by existing separation of duties and audit controls.



Tools That May Be
Visiting Your DMZ
• 3 famous Windows Trojans
• Windows viruses that collect
info
• Jackal, Queso, and SYN/FIN
• Nmap and Hping
• Unix Worms

As we continue our discussion of well-known attack and scanning tools, I am going to give a bit
of a historical perspective. Many of the authors that worked on this file and the entire course were
involved in the Department of Defense’s Shadow Intrusion Detection team. When we mention these
tools, the way we learned about them was watching patterns on the net and then asking questions.
Why is this traffic behaving like this? Sometimes we were able to tie a particular pattern, or
signature, to a tool. The dates and time frames we are using in this discussion represent when these
patterns came to us over the net, as opposed to when the tools were written or developed.
Let me give you an example. We have already discussed Gnutella, but there is a similar tool
called Napster and it uses the default ports of 6699 and 6700. Recently, I was doing intrusion
detection work at a U.S. military site in the Pacific and we saw a LOT of traffic. One or two packets
were trying to come in from the Internet to these well-known Napster ports, but they were unable to
penetrate the perimeter defenses of the military base. Then, boom, a bunch of traffic to or from port
8888. We configured a Snort intrusion detection system to capture the traffic and it had the look and
feel of Napster. People were downloading sound files. Apparently, the folks on the base had found a
way around the traffic filtering on the firewall by using this alternate port number of 8888. It seemed
to be primarily a chat channel, but they were also able to acquire sound files using it. The new port,
8888, was a new pattern to me, but because I had seen a lot of Napster before, it had the look and
feel of Napster. If you have an opportunity to run TCPdump or Windump (www.tcpdump.org) and
watch the traffic coming to your network, this is a valuable thing to be familiar with.
When you start watching, one thing you will almost certainly see are probes for Trojans. In the
next few slides, we are going to look at some of the famous Windows Trojans and discuss their
signature over the network. They are: Back Orifice, Netbus, and of course, SubSeven. These are
examples of one of the most prevalent threat vectors today, malicious code.



Trojans

[Screenshot: this screenshot is from an attack called w32.leaves; vulnerable computers are being harvested.]

What is a Trojan, how do they work?
How do Trojans work? The user often compromises their computer by clicking on an attachment in
an email message or newsgroup. Sometimes the attacker tries to hide the Trojan using a file name. One
famous variation of the third Trojan we are going to discuss was released in newsgroups as
sexxxymovie.mpeg.exe. Imagine folks' surprise when they clicked on it. At that point the
computer is compromised and waiting for its master. Older Trojans like Back Orifice and NetBus
waited patiently; SubSeven tries to find a master.
From a risk management perspective if you are infected with a Trojan and are not protected by at
least one of the following:
- A firewall
- A personal firewall
- Anti-virus files that recognize the Trojan or Trojan attempt
then your computer system is certain to be compromised and totally under the control of the attacker.
The screenshot is from a famous attack called w32.leaves. In this case attackers would troll the
Internet looking for infected systems. Then they would use a master password to break into the
computer. An arrest was made in London in August 2001 from a combined effort of the FBI and
Scotland Yard.



Trojans

“Driving the Bus”, NETBUS

This screen shot is the result of the NetBus Trojan. Some of the commands that can be issued to the
infected system are visible: Send arbitrary text, play sounds, turn on the system’s microphone to spy
on what is being said, and (my personal favorite) opening the CDROM door at will.
NetBus establishes a TCP connection. This can remain active for a long time during periods of low-level activity. Most of the Trojans have control panels similar to this one. The default ports for
NetBus are TCP 12345 or sometimes 12346.
It is highly recommended that you memorize these default ports if you do not already know them. It
really helps when you know some of the more commonly probed ports and don’t have to stop to look
them up. That is especially true for SubSeven, the software shown on the next slide. Before the
worm traffic overtook it, this was the most commonly probed port in the year 2000, and it is still very
active today. The port is 27374 TCP though it can be changed. This is the default and by far most
common.



SubSeven Client


SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9x and NT)
and is the primary Trojan being pinged for in the year 2000. The SubSeven download consists of
three programs: The SubSeven server, client, and server editor. The server is the part of the Trojan
that must be run on the victim’s machine for infection to occur. The client is the attacker’s device
enabling connection to, and control of, those computers running the server.
The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version
provides more attack options than either Back Orifice or NetBus. Attack examples include:
Recording signals from the victim’s microphone, logging keyboard entries, Registry editing, opening
FTP sessions (as in the screen shot), starting and recording from a webcam, gathering computer
information, executing applications, stealing passwords, and much more.
For the client to connect to a server, the server’s IP address is needed. The attacker achieves this by
using ICQ if the victim does not have IP hiding enabled, or by using the notification options available
on the server. The server will notify the attacker (by e-mail, ICQ, or IRC) that the victim has
connected to the Internet.



SubSeven EditServer


This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante
when it comes to detecting SubSeven activity and cleaning SubSeven infections. An attacker can
connect to a client and install a newly-configured form of the SubSeven server, and then remove the
old one. The new configuration might use a different TCP port, a different autostart mechanism (e.g.
Registry, win.ini, etc.), a server filename that varies in size, icon and name, and might notify the
attacker that the victim is on-line in a different way.
So, if the server uses varying ports and may appear in disguise, how do we deal with it? Well,
typical ports are 1243, 6711, 6712, 6713, 6776, and 27374. Typical filenames are server.exe,
rundll.exe, systray.dll, and Task_bar.exe. The problem is that the ports, file names, and file locations
can vary. However, the SubSeven server always uses an autostart mechanism involving some
combination of entries in system.ini, win.ini, and the Registry, specifically:
HKLM\Software\Microsoft\Windows\CurrentVersion\(Run or RunServices)
The entry “shell=ini” in system.ini, “run=“ or “load=“ in win.ini, or the registry locations above, will
contain a reference to the server program. Cleaning involves removing the offending entries and
keys and deleting the server program.
V2.2 will be released soon. Apparently, this will include a whole new concept in infection. Beware.




Trojans Review
• Trojans can penetrate firewalls as
email attachments
• SubSeven was the primary Trojan
being pinged for in 2000
• Protective tools include: All major
anti-virus tools, firewalls, personal
firewalls

To review the material on Trojans, the most common infection vector is by email. An unwitting
individual opens an attachment and then they have the active Trojan. However, the attacker still has
to find the system, unless they had a way of being certain which system was infected. This is the
reason there is a lot of scanning activity looking for Trojans. The two well-known Trojans, Netbus
and Back Orifice, have equally famous default ports of 12345 and 31337, but they can exist at other
ports, and there are a large number of Trojans, including variations of these. Most recently, we have
been evaluating scans that appear to be looking for Trojans, but are using a variety of destination
ports – making it more difficult to write a filter for these scans. Furthermore, examples such as
SubSeven, show that destination ports may change from case to case.
The good news is that with reasonable precautions you can defend your systems! The major anti-virus software packages are quite good at locating and cleaning Trojans. Also, I strongly recommend
you consider the use of personal firewalls.
That concludes our section on Trojans. These next tools are classified as viruses, but what they do is
really interesting. If they get onto your computer, they will attempt to FTP information off of your
system into the Internet.




Caligula
• The Caligula virus (also called WM97) is a Word
macro virus that searches the Registry for the
location of the PGP key ring. When the key ring
file is found, it is uploaded to the
ftp.codebreakers.org incoming directory.
• Once the computer is infected, Caligula sets the
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\MS
Setup (ACME)\User Info\Caligula
To a value of "1".

The detailed information on your notes page is from . In both examples, FTP
information from your computer is sent out onto the Internet. Even the tightest site in which I have worked
allowed users inside the facility to initiate a connection to the Internet. Traffic originating from the inside
is also rarely monitored; it just doesn’t seem to be worth the trouble.
• Caligula can be detected by checking if the following registry value exists:
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info\Caligula.
• Picture.exe can be detected by checking for a file called "note.exe" in the windows directory (this file is
created by the Trojan).
As a general rule to avoid such Trojans and viruses, never run unknown binaries. System administrators
should monitor attempted FTP connections to 208.201.88.110 (ftp.codebreakers.org).
Also, to protect your PGP key, never store the secret passphrase on the hard drive. Make sure the
passphrase is long and complicated, (some PGP front ends offer a "passphrase quality" bar that measures
the strength of the passphrase).
For more information about picture.exe and Caligula, read ISS X-Force's advisory:

Other information-gathering viruses include picture.exe and
W97.Marker.A. We will discuss Marker, since it just keeps popping up.



W97M.Marker.A
• Word 97 Virus
– HKEY_CURRENT_USER\Software\Microsoft
\MS Setup(ACME)\User Info

– What does it do?
• FTP’s what appears to be “worm tracks”, a list of
the previous systems it has infected
• Could potentially be a valuable reconnaissance
tool for developing chains of potential infection

We first discovered this when the intrusion detection system flagged a number of outbound FTPs, all headed to two
addresses. Marker was one of the culprits, the one we sorted out first as a matter of fact. It turned out the computers were
sending a file out into the Internet containing a list of the Microsoft Office registration information, as well as the internet
addresses of the infection chain. So what?
The interesting thing is that the information could potentially be used to target a specific desktop with a virus or Trojan. If
someone didn’t have good anti-virus software once, they might not again, and by knowing who sends what to whom, you
actually might be able to arrange to target a virus-infected host. That would be a neat trick.
On your slide you see some strange formula, starting with HKEY. What is that? It’s a Windows Registry entry. How do
you examine a Registry entry? With regedit, found in your Windows explorer, just hit CTRL F and type in regedit.
Important safety tip. Your Registry is very important to the operation of your computer. You should make a backup of
your computer, or at least ensure you have an updated Emergency Recovery Disk handy. On the other hand, hopefully you
are just going to look and not edit anything. How else can you learn?
The Registry entry on your slide is for an Office97 computer running Windows98, so you might have to goof around a bit
on an NT 4.0 with Office 2000. The acme stuff is under HKEY_LOCAL_MACHINE, but learning is what it is all about.
Anyway, should you find your way to User Info, check and see if the value of the key is LOGFILE = True. This could be
an indication of compromise by the virus. Of course, you could just run an updated mainstream anti-virus software
package and be done with it.
Using tools like these to capture information from your disk is not going to end because it works and is fairly low risk.
There are other types of reconnaissance that require scanning from the outside. These generally must operate with a fairly
obvious signature, though as we will see, there are ways to stealth their activity.



Enter the Jackal 1997
/* Jackal - Stealth/FireWall scanner. With the use of
half open ports and sending SYNC (sometimes additional
flags like FIN) one can scan behind a firewall. It
shouldn’t let the site feel we're scanning by not doing a
3-way-handshake; we hope to avoid any tcp-logging.
Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie.
Alpha Tester: Walter Kopecky.
Results:
Some firewalls did allow SYN | FIN to pass through. No
Site has been able to log the connections though.. during
alpha testing.ShadowS
Copyleft (hack it; i really don’t care).
*/

Opening comments - Jackal.c


Jackal was the first software package I became aware of that was commonly used for SYN/FIN
scanning. As you know, the three-way handshake begins with a packet with a SYN as the only TCP
flag in the packet. However, it turns out that a number of operating systems, including Windows and
many Unix systems, will respond to a SYN and also a FIN. This was a significant improvement on
the half-open style scan.
A SYN is used to initiate a connection; a FIN is used to tear a connection down. It isn’t logical for
the two to be used together! So we have this situation where the tool gets good results and yet is easy
for the analyst to find. TCPdump, the software sniffing tool used in the Shadow intrusion detection
system, could detect the SYN/FIN just fine. In fact, we had been scratching our heads for weeks
wondering what was generating such a strange pattern. Over the years and this dates back to late
1996, we have seen hundreds of variations of SYN/FIN. Why? One reason is that it works.
In the same way that many hosts will respond to the combination even though they really shouldn’t,
it turns out that many perimeters would allow these packets to pass since they were only looking for a
SYN only.
It may be true that SYN/FIN penetrates some firewalls and filtering routers, but it didn’t penetrate
proxy-based firewalls such as TIS’s (now NAI’s), or Gauntlet for Secure Computing’s Sidewinder.
When I got the scoop on Jackal, I spent a lot of hours reading sniffer logs from both sides of these
firewalls.



Sons of Jackal Continue to be Seen
Source Port 0 and 65535
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 iquery.65535 > 192.168.2.3.111: SF 111:111(0) win 1024

SF - SYN = Synchronize or Start; FIN = Finish or Stop

The attacks shown on your screen are signatures against buffer overflows of well-known services.
Again, we know the signature; if you were to pull the Snort Intrusion Detection system signatures
you would find a SYN/FIN since it is that common.
So, we could debate the effectiveness of Jackal and the software that followed its lead, but from an
intrusion detection point of view, the key point is that source port zero and SF set are a good
signature. In fact, they are a great signature. Now, if SYN/FIN isn't logical, why do we see it on the
network? Are these packets being crafted? The answer is, of course they are. Almost all software
that creates crafted packets leaves an easily discovered signature. On this slide, the fixed sequence
number of 111 lets us know this particular exploit script is being used.
Therefore, to reiterate: the primary purpose(s) of the SF must be to avoid getting logged and to
evade filtering devices.
As of April, 1999, attacks have been seen, not just to IMAP (143) or NFS (2049), but also to FTP
(TCP port 21) and DNS TSIG (TCP 111).

2 - 19


Queso and Friends

Queso sends packets with unexpected code bit combinations to determine the operating system of
the remote computer. Currently, they claim to be able to distinguish over 100 OSes and OS states.

Queso pattern is shown on notes page

I really do have to hand it to the attacker community; they never cease to amaze me with their
creativity. When I first heard of queso, I just had to shake my head in wonderment. I found it really
hard to believe that by sending a mere six packets with some odd header combinations, including our
friend SYN/FIN, and by watching the responses you got back, it was possible to determine the
operating system. That is brilliant! This process is called stack analysis or TCP fingerprinting and
it is remarkably successful. However, because the process requires sending unexpected or illogical
patterns (such as SYN/FIN together), it sometimes also serves as a denial of service for devices with
TCP stacks that are ill-prepared to handle these patterns. They just crash. The exact queso pattern is
shown below.

From the Queso page, the Queso scan pattern:
0 SYN * THIS IS VALID, used to verify LISTEN
1 SYN+ACK
2 FIN
3 FIN+ACK
4 SYN+FIN
5 PSH
6 SYN+XXX+YYY * XXX & YYY are unused TCP flags
All packets have a random seq_num and a 0x0 ack_num.
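The crafted-packet signatures discussed on the last two slides (SYN/FIN from source port 0 or 65535 on the Sons of Jackal slide, and the illogical flag combinations in the Queso list above) lend themselves to a simple stateless check. The following is an added example written for these notes, not code from the SANS course or from the Queso or Jackal tools; the packets are constructed tuples rather than captured traffic, and the host names, the five-second burst window and the reserved-bit names RES1/RES2 are assumptions.

```python
"""Stateless TCP flag-combination checks for crafted-packet signatures.

Added example (not from the SANS course material). Packets are constructed
tuples, not captured traffic; flag names follow tcpdump letters spelled out.
"""
from collections import defaultdict

# Constructed sample traffic: (time_s, src, sport, dst, dport, flags).
# The first two mimic the "Sons of Jackal" pattern (SYN/FIN from source
# port 0 / 65535); the next seven mimic the Queso probe sequence; the last
# three are an ordinary three-way handshake that must not alert.
SAMPLE_PACKETS = [
    (45414.0, "prober", 0, "relay.net", 2049, {"SYN", "FIN"}),
    (58298.0, "imaper", 65535, "ns2.org", 143, {"SYN", "FIN"}),
    (100.00, "scanner", 40001, "target", 80, {"SYN"}),
    (100.01, "scanner", 40002, "target", 80, {"SYN", "ACK"}),
    (100.02, "scanner", 40003, "target", 80, {"FIN"}),
    (100.03, "scanner", 40004, "target", 80, {"FIN", "ACK"}),
    (100.04, "scanner", 40005, "target", 80, {"SYN", "FIN"}),
    (100.05, "scanner", 40006, "target", 80, {"PSH"}),
    (100.06, "scanner", 40007, "target", 80, {"SYN", "RES1", "RES2"}),
    (200.00, "client", 51000, "web", 443, {"SYN"}),
    (200.01, "web", 443, "client", 51000, {"SYN", "ACK"}),
    (200.02, "client", 51000, "web", 443, {"ACK"}),
]

RESERVED_BITS = {"RES1", "RES2"}  # the "XXX" and "YYY" bits of the Queso list


def flag_anomalies(flags, sport):
    """Return the list of reasons a single packet's header is illogical.

    Each rule is one of the combinations discussed in the notes; a normal
    packet yields an empty list.
    """
    reasons = []
    if "SYN" in flags and "FIN" in flags:
        reasons.append("SYN/FIN set together")
    if "SYN" in flags and flags & RESERVED_BITS:
        reasons.append("SYN with reserved bits")
    if flags == {"FIN"}:
        reasons.append("bare FIN without ACK")
    if flags == {"PSH"}:
        reasons.append("bare PSH without ACK")
    if "SYN" in flags and sport in (0, 65535):
        reasons.append("SYN from source port %d" % sport)
    return reasons


def scan_packets(packets, window_s=5.0, min_kinds=3):
    """Classify every packet and look for fingerprinting bursts.

    Returns (anomalies, probes): anomalies is one entry per rule a packet
    broke; probes lists (src, dst, dport) triples that sent at least
    `min_kinds` different illogical combinations within `window_s`
    seconds, which is the Queso-style stack-analysis pattern.
    """
    anomalies = []
    by_target = defaultdict(list)  # (src, dst, dport) -> [(time, reason)]
    for t, src, sport, dst, dport, flags in packets:
        for reason in flag_anomalies(flags, sport):
            anomalies.append((t, src, sport, dst, dport, reason))
            by_target[(src, dst, dport)].append((t, reason))

    probes = []
    for key, hits in by_target.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            kinds = {r for t, r in hits[i:] if t - t0 <= window_s}
            if len(kinds) >= min_kinds:
                probes.append(key)
                break
    return anomalies, probes


if __name__ == "__main__":
    found, probes = scan_packets(SAMPLE_PACKETS)
    for entry in found:
        print("%10.2f %s.%d > %s.%d: %s" % entry)
    print("fingerprint probes:", probes)
```

The per-packet rules fire on each Jackal-style packet on their own, because a SYN/FIN or a SYN from port 0 is illogical in isolation; the Queso sequence is caught by the burst rule, since a single bare FIN could also be a stray packet from a connection the sensor missed. The unsolicited SYN/ACK in the Queso sequence is deliberately not flagged here, because that needs connection state, which the half-open scan slide below deals with.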

2 - 20



Network Mapping
Using TCP SYN-ACK packets

06:41:24 srn.com.113 > 172.21.32.83.1004: S 405:405(0) ack 674 win 8192
06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192

Result
06:44:09 srn.com.113 > 192.168.162.67.2226: S 76:761(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0

The initiating SYN connections were never sent, but SYN-ACKs are received.


This slide demonstrates the TCP half-open scan pattern. Before we talk about how this works, let’s
do a quick refresher on the TCP three-way handshake that is diagrammed in your notes pages.
Three-way handshake: A wants to talk to B, so A sends a packet with the SYN flag set. B says OK,
I will talk with you, and acknowledges A’s SYN with a SYN/ACK. A says great and acknowledges
B’s SYN/ACK with an ACK, and the conversation begins.

A  -- SYN -->       B
A  <-- SYN/ACK --   B
A  -- ACK -->       B

The top section of your slide shows the signature of a TCP half-open scan. The destination site sees
packets with SYN/ACK set, but there are no initiating SYNs to match them to.
The lower section of the slide, shown below the result box, demonstrates how this scan works. When
srn.com’s packet arrives at 192.168.162.67 with SYN/ACK set, 192.168.162.67 knows something
is wrong. TCP is stateful, and so 192.168.162.67 knows he never sent a SYN, or active open, packet
(recall this is the first step in the three-way TCP handshake). He figures this packet must be a
mistake and sends a RESET (the “R” in the second line) to say break off communications, something
is wrong here. This gives away his existence to srn.com. Now, this pattern is USUALLY seen as a
result of a denial of service attack; however, if these packets are able to penetrate your net, you still
give away mapping information.
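Because the tell-tale sign is a SYN/ACK that answers no SYN of ours, this pattern is best caught with a little connection state rather than a per-packet rule. The following is an added example for these notes, not code from the SANS course; the trace lines are constructed in the tcpdump style of the slide (two unsolicited SYN/ACKs from srn.com, the victim's RST, and one legitimate outbound connection), and the internal address prefixes and the mail.example host name are assumptions.

```python
"""Stateful check for SYN/ACKs that answer no SYN of ours.

Added example, not from the SANS course. The trace lines below are
constructed in the tcpdump style of the slide; host names and the local
prefixes are assumptions.
"""
import re

# Constructed trace: two unsolicited SYN/ACKs from srn.com (modelled on the
# slide), the victim's RST reply, and one legitimate outbound connection.
SAMPLE_TRACE = """\
06:41:24 srn.com.113 > 172.21.32.83.1004: S 405:405(0) ack 674 win 8192
06:44:09 srn.com.113 > 192.168.162.67.2226: S 76:76(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
06:50:00 192.168.1.10.40000 > mail.example.25: S 1000:1000(0) win 8192
06:50:00 mail.example.25 > 192.168.1.10.40000: S 2000:2000(0) ack 1001 win 8192
""".splitlines()

LOCAL_PREFIXES = ("172.21.", "192.168.")  # assumed internal address space

# Old-style tcpdump TCP line: time src.sport > dst.dport: FLAGS seq:seq(len) [ack N] ...
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) \d+:\d+\(\d+\)"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Parse one tcpdump-style TCP line into a dict, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return d


def is_local(host):
    return host.startswith(LOCAL_PREFIXES)


def audit(lines):
    """Return alerts for inbound SYN/ACKs with no matching outbound SYN.

    Outbound SYNs are remembered per 4-tuple; an inbound SYN/ACK either
    consumes its SYN or is flagged. A later RST from the local host is
    recorded on the alert, since that reply is what leaks the host's
    existence to the mapper.
    """
    pending = set()   # (local, lport, remote, rport) of SYNs we sent
    alerts = {}       # same key -> alert dict, in order of first sighting
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        out = is_local(p["src"]) and not is_local(p["dst"])
        inb = is_local(p["dst"]) and not is_local(p["src"])
        if out and p["flags"] == "S" and p["ack"] is None:
            pending.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif inb and "S" in p["flags"] and p["ack"] is not None:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in pending:
                pending.discard(key)          # legitimate second step
            else:
                alerts[key] = {"time": p["time"], "local": p["dst"],
                               "remote": p["src"], "rst_sent": False}
        elif out and "R" in p["flags"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in alerts:
                alerts[key]["rst_sent"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in audit(SAMPLE_TRACE):
        print(a)
```

On the constructed trace the two srn.com packets are flagged and the mail.example reply is not; the second alert also records that 192.168.162.67 answered with a RST, which is the reply the notes describe as giving away the host. A real sensor would expire pending SYNs after a timeout and would have to see both directions of traffic, which is why the check belongs on the inside of the perimeter.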

2 - 21


Spoofer NetBIOS
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)

12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)


This is a small sample of a massive pattern detected at several sites. All the packets were NetBIOS
to TCP 139. They claimed to come from a number of source addresses. It was the picture-perfect
coordinated attack: a large number of attackers against several sites. There was only one problem; it was
too perfect. The more we examined the various header fields of the packets, the more we were
struck by the similarity of the header fields, and by how easy it was to define the signature for this traffic.

So, we started looking at the traffic more closely. One of the header fields is the ‘time to live’, or
TTL field. This is a very important field. As a router passes a packet on its way, it is supposed to
decrement the TTL field. Once the TTL field reaches 0, the packet is no longer forwarded by routers.
This way, there shouldn’t be lost packets traveling forever on the Internet like that poor soul who got
lost on the MTA in Boston and never returned. Now, if these scans were actually originating from
sites all over the Internet, and possibly from different operating systems as well, we should see, across
thousands of these packets, some variation in the TTLs.

2 - 22


TTL
In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how
they cluster around 120. This is not expected behavior. This is also fixed in the nmap 2.08
release that has a decoy function so that the decoy TTLs are random.
Analysis credit to Army Research Lab

So we started comparing the TTL value with the hop count back, as measured by a traceroute. This isn’t good
science, but over time, the clustering TTLs and the hops back convinced us to call our CIRTs and tell
them we really didn’t think these scans were genuine. So what was the point? Apparently, someone
was playing some sort of mind game. In information warfare, this is called perception management
or PSYOP, for psychological operation. As an interesting side note, HD wrote me a day or two after
we came to this conclusion and said he had found a vulnerability in nmap’s decoy generator, that it
didn’t vary the TTL, but not to worry, it would be fixed in the next release. Gee thanks!

Destination IP Address: 172.20.224.77
TTL: 118
Traceroute Back: Timeout occurred after 10/7/7 hops
Expected Traceroute hops: 10

Destination IP Address: 172.20.204.154
TTL: 120
Traceroute Back: 12/10/11 hops
Expected Traceroute hops: 8

Destination IP Address: 192.168.212.123
TTL: one connection 115, 3 connections 116
Traceroute Back: 14/13/12 hops
Expected Traceroute hops: 12-13

Destination IP Address: 172.20.122.157
TTL: 120
Traceroute Back: Timeout occurred after 12/11/11 hops
Expected Traceroute hops: 8

2 - 23
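The comparison the notes describe, TTL against hop count, can be made mechanical. The following is an added example written for these notes, not analysis code from the Army Research Lab or the SANS course; the observations reuse the values from the TTL table above, while the candidate initial TTLs (32, 64, 128, 255), the two-hop tolerance and the eight-TTL clustering band are assumptions of the example. It generalises slightly beyond the table by inferring the sender's initial TTL rather than assuming 128 throughout.

```python
"""TTL-versus-path sanity checks for suspected decoy sources.

Added example, not part of the SANS notes. The observations reuse the
values from the TTL table above; the initial-TTL candidates and the
tolerances are assumptions.
"""
import re

# Values taken from the TTL table in the notes; one record per destination.
# "one connection 115, 3 connections 116" becomes four TTL readings.
OBSERVATIONS = [
    {"dst": "172.20.224.77", "ttls": [118],
     "traceroute": "Timeout occurred after 10/7/7 hops"},
    {"dst": "172.20.204.154", "ttls": [120],
     "traceroute": "12/10/11 hops"},
    {"dst": "192.168.212.123", "ttls": [115, 116, 116, 116],
     "traceroute": "14/13/12 hops"},
    {"dst": "172.20.122.157", "ttls": [120],
     "traceroute": "Timeout occurred after 12/11/11 hops"},
]

# Common initial TTLs; the smallest one not below the observed TTL is taken
# as the sender's starting value (assumption: the sender used one of these).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(ttl):
    """Return (assumed_initial_ttl, hops_travelled) for an observed TTL."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start, start - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def traceroute_hops(text):
    """Largest of the three hop counts in a 'Traceroute Back' entry.

    A timed-out run only gives a lower bound, so the largest of the three
    is the most useful single number to compare against.
    """
    m = re.search(r"(\d+)/(\d+)/(\d+)", text)
    if not m:
        raise ValueError("no hop counts in %r" % text)
    return max(int(g) for g in m.groups())


def check_observation(obs, tolerance=2):
    """Compare TTL-inferred hops with the measured path for one record.

    Returns (ttl, inferred_hops, measured_hops, consistent) per reading.
    """
    measured = traceroute_hops(obs["traceroute"])
    rows = []
    for ttl in obs["ttls"]:
        _, inferred = infer_hops(ttl)
        rows.append((ttl, inferred, measured,
                     abs(inferred - measured) <= tolerance))
    return rows


def ttl_spread(observations):
    """(min, max, max - min) over every TTL reading in the set."""
    ttls = [t for o in observations for t in o["ttls"]]
    return min(ttls), max(ttls), max(ttls) - min(ttls)


def looks_like_single_origin(observations, max_spread=8):
    """True when supposedly independent senders all land in a narrow TTL band.

    Genuine scans from many hosts on different paths should spread out;
    a tight cluster is the nmap-decoy symptom the notes describe.
    """
    return (len(observations) >= 3
            and ttl_spread(observations)[2] <= max_spread)


if __name__ == "__main__":
    for obs in OBSERVATIONS:
        for row in check_observation(obs):
            print(obs["dst"], "ttl=%d inferred=%d measured=%d ok=%s" % row)
    print("spread:", ttl_spread(OBSERVATIONS),
          "single origin?", looks_like_single_origin(OBSERVATIONS))
```

Run over the table, the per-row check is mixed (two of the four destinations have measured paths well over the eight hops the TTL implies, two agree), which is the "isn't good science" caveat in the notes: return paths are asymmetric and timed-out traceroutes are lower bounds. The clustering check is the stronger signal: every reading sits between 115 and 120, a five-value spread that many genuinely distinct sources would not produce.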


Worms
• Attack system through known holes
• Automatically scan for more systems to attack.
• Lower system defenses, install a root shell or rootkit, and/or let the attacker know the system has been attacked.

Viruses have a limitation; they generally depend on the actions of a system user to spread. That user
might have to download and run an application, open and run an email attachment, or insert and read or
boot from an infected floppy. If the user never does one of the above, the virus can’t spread.
Think of a worm as a virus on autopilot. A worm doesn’t need a user to do anything to spread.

Here’s how a worm commonly spreads:
1) The worm scans a large number of systems for one or more vulnerabilities.
2) Once it has found a system that has a vulnerability it recognizes, it attacks the remote system with a tool
written to exploit that hole.
3) After breaking in, it tells the remote system to download a fresh copy of the worm code (either from the
attacking system itself or from a web server) and tells it to run some commands that perform some
actions on the attacked system.
4) Finally, the attacked system starts scanning for even more systems to attack: go back to step 1.
If each scan resulted in just 5 infected systems, we’d start off with just the worm author’s system (1),
end up with (1 + 5) = 6 systems after the first round, (1 + 5 + 5*5) = 31 systems after the second round,
(1 + 5 + 5*5 + 5*5*5) = 156 systems infected after the third round, and so on. We might very well get to
thousands of systems infected and scanning for more within five or ten minutes of the original infection.
The worm might commonly do any of the following on the attacked system: let the original attacker
know about this new infected system by sending them an email with this system’s address, include a
copy of the system password files for easy cracking later, open up backdoors for easy access, deface
web pages on the system, and replace system binaries such as netstat, ls, and ps so the administrator
can’t tell whether the system is infected. A worm could do almost anything to the system, up to and
including deleting all the files on the system, but worms rarely get that destructive because they don’t want to
tip off the administrator that something’s wrong.
Worms generally reduce the availability of a system or network. The act of scanning for additional
systems to infect can completely tie up one’s line to the Internet. If the worm infects and re-infects a
system (more about this later), it may tie up the processor or fill the drive. It may also shut down
needed services.

2 - 24


Ramen Worm
• Attacks Redhat Linux through holes in file and printer sharing services.
• Minor defacement to web pages.
• Mails off password files to two email accounts.

This worm showed up in January, 2001. It looks for three specific vulnerabilities in Redhat Linux 6.2 and 7.0 only. Note
that these were known vulnerabilities; patches for each of them had been available for at least three months. Systems
with these patches applied were not vulnerable to this worm.
Once it broke into the system, it:
- replaced all web pages on the system with one that said “Hackers looooooooove noodles” and had an image of a package
of Ramen noodles.
- mailed off the password files to two email accounts, presumably owned by the attacker.
- replaced ps and netstat with versions that would hide the existence of Ramen.
- installed and ran a Stacheldraht (Distributed Denial of Service) agent.
- closed the holes that it used to break in.
That last action might seem strange: why would a worm want to close a hole on the attacked system? There are two main
reasons. The most important is that a worm needs some way to stop itself from infecting a given system more than once. If
it didn’t, the worm would go on forever, infecting and re-infecting systems, eventually chewing up all the resources of the
given systems and their networks. The original Morris Internet worm failed to correctly check whether it had already infected a system
and did exactly that, crippling the Internet for a day or so. Closing the holes is the easiest way to prevent this.
The second reason is that the attacker may not want other attackers to get into the system, so he/she can build up a collection
of “owned” systems.
SANS has more details about this worm at .

2 - 25


