Internet Threat Brief – SANS GIAC LevelOne
© 2000
Intrusion Detection Overview
and
Trends in Internet Attacks
Bad things that happen to
good organizations!
Hello. My name is Stephen Northcutt. Today we are going to discuss some of the common attacks
levied against individuals and organizations who are on the Internet. Though this is a tool-oriented
technology brief, I would like to state one thing up front: tools are not attacking your sites, people
are. There are a large number of loosely organized, skilled individuals across the Internet who are
focused on building and using attack tools to take over systems and use them for their own purposes.
We will demonstrate that these attacks range from your home computer connected to your ISP all the
way to the largest and most advanced organizations on the Internet.
To get the most out of this briefing you should have completed the IP Concepts and IP Behavior
courses. However, we will explain the material as we go.
Outline
• Modems and what they mean
• Trojans
• Scanning and attack tools
• What do those tools mean
• What I’m doing
Important public safety announcement: we are going to mention several tools during this talk.
We will even provide URLs for some of these so that you can use them to test these techniques out
yourself. Keep in mind, you could end up in trouble if you misuse these.
An important lesson to share is that you should always test attack tools in a lab environment
never on a live network. Over the years I have been amazed at how well I can break networks
simply by scanning them. Needless to say, the owners of the networks are not always overjoyed, and
it is great to be able to demonstrate that I tested them in a lab BEFORE I let them loose on a live,
production network. Also, please, only test on your own network; don’t probe systems that you do
not own. People really do get fired and even prosecuted; be certain to have permission before
testing any attack or scanning tool.
[Slide diagram: Internet, ISP, Firewall]
The more restrictive a site's firewall policy, the more likely the employees will use modems.
PCs ship with fast modems as standard equipment
You just about can’t buy a system today without a 56K modem built in. Firewalls are not magical;
they can be penetrated and subverted in a number of ways. PCs with modems, however, are number
one in the subvert-a-firewall hit parade.
There are at least two problems with modems inside a firewall: 1) leaving the modem on auto-
answer, and 2) having attackers scan you when you use them to connect to the Internet.
The first case (auto-answer) is well understood. If the modem is left in this mode, then an attacker
may locate it with a wardialer and access the site. Perhaps the best defense for this is to sweep your
site for modems periodically. Phonesweep is a commercial war dialer available at
.
The second modem risk is exposed when a system makes a connection to an ISP: it is a fully
functional, bi-directional network connection. Many sites understand some or all of the information-
gathering probes and attacks that can be directed against Windows machines, and block NetBIOS
with their filtering firewall or router. However, a system connected to an ISP is not protected by the
firewall, and all of the NetBIOS techniques we have discussed can be directed at this system. If you
have a need to connect to an ISP from your organization, consider the use of BlackICE Defender,
Norton Internet Security, McAfee Personal Firewall or similar software to protect these vulnerable
systems. (Editor’s note: These products are discussed later in the Security Essentials course. –
JEK)
Finding Unprotected Shares - Legion
Legion is available from rhino9.ml.org for $10.00. This tool is recommended for any system
administrator or security professional responsible for a site with Windows systems. Just remember
to test it in a lab and get WRITTEN permission BEFORE you run it, or the tag line of your next
career may be: “Would you like fries with that order?” (Editor’s note: The Rhino9 web site is no
more; Legion can still be found by doing an Internet search. Always exercise caution when
downloading ‘hacker’ tools, make sure you trust the source of the tool and can verify that it is
authentic and does not contain Trojans or other surprises. – JEK)
What does Legion do? The software can detect unprotected or poorly protected shares. Poorly
protected shares may allow an attacker access to files. Depending on this access, this may mean the
ability to compromise the system. It certainly could mean the ability to defeat two of the primary
security pillars: confidentiality and integrity. Confidentiality would be breached if they could read
the files; integrity would be compromised if they could modify the files. Unprotected files are
certainly not the only approach to attacking Windows systems on the Internet. I continue to be
amazed how well null sessioning works to get user names, and how easily brute force attacking
yields weak passwords.
Many of you know about shares and null sessions and have figured “so what, we have a firewall and
we block NetBIOS”. This is good, but if one system that connects to the Internet via modem gets
compromised, it can be used as a springboard to run against your entire network from the inside.
Again, the simplest way to subvert a firewall is with a system and a modem inside a facility.
Tools That May Be
Visiting Your DMZ
• Trojans
• Jackal
• Queso, “Passive Queso”
• Nmap
• Hping
As we continue our discussion of well known attack and scanning tools, I am going to give a bit of a
historical perspective. Please keep in mind, the Shadow team was never a group that downloaded
exploits all day long to see what they did. So, if you send email after the webcast asking if I have
goofed with this or that exploit, the answer is probably no. I don’t possess a big library of attack
tools. The perspective we used when we mention these tools is that we watched patterns on the net
and then asked questions. Why is this traffic behaving like this? Sometimes we were able to tie a
particular pattern, or signature, to a tool. The dates and time frames we are using in this discussion
represent when these patterns came to us over the net, as opposed to when the tools were written or
developed.
Trojans
This is Roland’s home computer, connected to an ISP
Legal disclaimer: I don’t possess the artsy skills to edit the bit map on this screen to change the
Internet address of the attacker to a private address. So, as they say in novels, any resemblance to a
real Internet address is purely coincidental.
The two most common, or well known Trojans are Back Orifice and NetBus. Another important
Trojan that needs discussion is SubSeven.
The screen shot on your slide is from a wonderful program called BackOfficer Friendly by the folks
at NFR (www.nfr.net).
Before we move to NetBus, I would like to emphasize that your home computer system is also at
risk. Attackers sweep the ISP dial-ins looking for vulnerable systems.
Here’s the log:
Sun May 30 19:31:10 BO PING sweep attempted by 172.20.229.47
Sun May 30 20:19:24 BO TYPE_SYSLISTPASSWORDS attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_SYSENDKEYLOG attempted by 172.20.229.47
Sun May 30 20:19:29 BO TYPE_FILEDELETE attempted by 172.20.229.47
Trojans
“Driving the Bus”, NETBUS
This screen shot is the result of the NetBus Trojan. Some of the commands that can be issued to the
infected system are visible: send arbitrary text, play sounds, turn on the system’s microphone to spy
on what is being said, and (my personal favorite) opening the CDROM door at will.
NetBus establishes a TCP connection; this can remain active for a long time during periods of low
level activity.
SubSeven Client
SubSeven, also known as Sub7 or Backdoor_G, is a Trojan for the Windows platform (9X and NT)
and is the primary Trojan being pinged for in the year 2000. The SubSeven download consists of
three programs: the SubSeven server, client, and server editor. The server is the part of the Trojan
that must be run on the victim’s machine for infection to occur. The client is the attacker’s device
enabling connection to, and control of, those computers running the server.
The screen shot shows the client interface for SubSeven v2.1. With 113+ characteristics, this version
provides more attack options than either Back Orifice or NetBus. Attack examples include:
recording signals from the victim’s microphone, logging keyboard entries, Registry editing, opening
FTP sessions (as in the screen shot), starting and recording from a webcam, gathering computer
information, executing applications, stealing passwords and much more.
For the client to connect to a server, the server’s IP address is needed. The attacker achieves this by
using ICQ if the victim does not have IP hiding enabled, or by using the notification options
available on the server - the server will notify the attacker (by e-mail, ICQ, or IRC) that the victim
has connected to the Internet.
SubSeven EditServer
This screen shot shows the interface for the SubSeven EditServer program. This facility ups the ante
when it comes to detecting SubSeven activity and cleaning SubSeven infections. An attacker can
connect to a client and install a newly-configured form of the SubSeven server, and then remove the
old one. The new configuration might use a different TCP port, a different autostart mechanism (e.g.
Registry, win.ini, etc.), a server filename that varies in size, icon and name, and might notify the
attacker that the victim is on-line in a different way.
So, if the server uses varying ports and may appear in disguise, how do we deal with it? Well,
typical ports are 1243, 6711, 6712, 6713, 6776 and 27374. Typical filenames are server.exe,
rundll.exe, systray.dl, and Task_bar.exe. The problem is that the ports, file names, and file locations
can vary. However, the SubSeven server always uses an autostart mechanism involving some
combination of entries in system.ini, win.ini and the Registry, specifically:
HKLM\Software\Microsoft\Windows\CurrentVersion\(Run or RunServices)
The entry “shell=“ in system.ini, “run=“ or “load=“ in win.ini, or the registry locations above, will
contain a reference to the server program. Cleaning involves removing the offending entries and
keys and deleting the server program.
V2.2 will be released soon. Apparently, this will include a whole new concept in infection…Beware.
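The cleaning advice above can be turned into a repeatable check. The following is an added example, not code from the brief: it reads text copies of win.ini, system.ini and a regedit export (regedit /e) of the Run and RunServices keys, so it runs on any machine against files pulled off a suspect box. The sample file contents are constructed; the baseline of programs that legitimately live in those locations on a stock Windows 9x machine, and the regedit spelling HKEY_LOCAL_MACHINE\Software\... of the key the notes abbreviate as HKLM, are assumptions.

```python
"""Check the autostart locations the brief says SubSeven always touches.

Added example, not code from the brief. It reads text copies of win.ini,
system.ini and a regedit export (regedit /e) of the Run and RunServices
keys, so it runs anywhere; the sample contents below are constructed.
Assumptions: the BASELINE of legitimate Windows 9x entries, and the key
spelling HKEY_LOCAL_MACHINE\\Software\\... as regedit writes it.
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Names the brief lists as typical for the server; they vary, so this is a hint only.
LISTED_NAMES = {"server.exe", "rundll.exe", "systray.dl", "task_bar.exe"}
# Programs expected in these locations on a stock Windows 9x machine (assumption).
BASELINE = {"explorer.exe", "systray.exe", "rundll32.exe"}
EXEC_EXT = {".exe", ".com", ".dll", ".dl", ".scr", ".bat"}


def ini_values(text: str, section: str, keys: Iterable[str]) -> Dict[str, str]:
    """Non-empty key=value pairs for `keys` inside [section] of an .ini file."""
    wanted = {k.lower() for k in keys}
    found: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in wanted and value:
                found[key.lower()] = value
    return found


def reg_run_values(reg_export: str) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for every string value under Run or RunServices."""
    out: List[Tuple[str, str, str]] = []
    current = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in RUN_KEYS else None
        elif current and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # .reg files double every backslash; undo that for the path
            out.append((current, name, data.rstrip('"').replace("\\\\", "\\")))
    return out


def autostart_entries(win_ini: str, system_ini: str, reg_export: str):
    """Every autostart reference in the three places the brief names."""
    entries = []
    for key, value in ini_values(win_ini, "windows", ("run", "load")).items():
        entries.append(("win.ini", key, value))
    for key, value in ini_values(system_ini, "boot", ("shell",)).items():
        entries.append(("system.ini", key, value))
    entries.extend(reg_run_values(reg_export))
    return entries


def suspicious_autostarts(win_ini: str, system_ini: str, reg_export: str) -> List[dict]:
    """Programs started from an autostart location that are not in the baseline.

    Every token of the value is examined, because the server can be appended
    to the existing shell= line ("shell=Explorer.exe server.exe") rather than
    replacing it. A match against LISTED_NAMES is only a hint; the file must
    still be compared with a known-good copy before calling it an infection.
    """
    findings = []
    for location, entry, value in autostart_entries(win_ini, system_ini, reg_export):
        for token in value.split():
            program = ntpath.basename(token).lower()
            if ntpath.splitext(program)[1] not in EXEC_EXT or program in BASELINE:
                continue
            findings.append({"location": location, "entry": entry, "program": program,
                             "listed_subseven_name": program in LISTED_NAMES})
    return findings


# Constructed samples of an infected machine (not real captures).
WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\Task_bar.exe
NullPort=None
"""
SYSTEM_INI = """\
[boot]
shell=Explorer.exe systray.dl
"""
REG_EXPORT = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\\\WINDOWS\\\\rundll.exe"

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

if __name__ == "__main__":
    for f in suspicious_autostarts(WIN_INI, SYSTEM_INI, REG_EXPORT):
        flag = " (name listed for SubSeven)" if f["listed_subseven_name"] else ""
        print(f"{f['location']} {f['entry']}= -> {f['program']}{flag}")
```

Note the systray.dl entry: one character off from the legitimate SysTray.Exe, which is exactly why a baseline comparison beats eyeballing the list. Anything the check reports is a candidate to verify, not a verdict; the server's name, size and icon are all under the attacker's control.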
Trojans Review
• The most well-known Trojan
programs are Netbus and Back
Orifice
• SubSeven is the primary Trojan being
pinged for in 2000
• Protective tools include: all major
anti-virus tools, NukeNabber, Back
Officer Friendly, and ZoneAlarm
To review the material on Trojans, the most common infection vector is by email. An unwitting
individual opens an attachment and then they have the active Trojan. However, the attacker still has
to find the system, unless they had a way of being certain which system was infected. This is the
reason there is a lot of scanning activity looking for Trojans. The two well known Trojans, Netbus
and Back Orifice, have equally famous default ports, TCP 12345 and UDP 31337, but they can exist at
other ports, and there are a large number of Trojans, including variations of these. Most recently, we have
been evaluating scans that appear to be looking for Trojans, but are using a variety of destination
ports – making it more difficult to write a filter for these scans. Furthermore, examples such as
SubSeven show that destination ports may change from case to case.
The good news is that with reasonable precautions you can defend your systems! The major anti-
virus software packages are quite good at locating and cleaning Trojans. Also, I strongly
recommend you consider the use of personal firewalls – several of these are listed on the slide.
That concludes our section on Trojans. We will now take a look at some additional scanning and
exploit tools that have obvious network signatures. First, we will review the format of a network
trace.
Tools: before we begin
(A word about data traces)
Timestamp SRCIP SRCPort > DESTIP.DESTPORT Protocol
00:00:05.327 example.org 1025 > 192.168.64.15.telnet TCP
Generally, audit traces will have a timestamp, followed
by the apparent source computer and its source port.
The source side is separated from the destination side
by the “>” symbol in this example.
On the slide we have a notional trace to get us started. We see the primary fields that occur in audit
traces. Hopefully, log files are configured to answer the four Ws you learned about in fifth grade
when you did intro to newspapers: who, what, where, when. We have a destination IP that tells us
who they are after; the destination port to tell us what service they want to connect to; the source IP
or source host tells us where they allegedly come from. And finally, we have a time stamp for
when. These are common fields in audit records.
20:50:20.8697 prober.1467 > mail.relay.106: S 7461494:7461494(0) win 8192 (DF)
20:50:20.9837 prober.1468 > mail.relay.109: S 7461608:7461608(0) win 8192 (DF)
20:50:21.0404 prober.1469 > mail.relay.110: S 7461645:7461645(0) win 8192 (DF)
20:50:21.1259 prober.1470 > mail.relay.111: S 7461746:7461746(0) win 8192 (DF)
In this case the protocol is implied by the fact that TCP has code bits, or flags, in this case a SYN
(the capital “S”). The CODE BITS are listed in your notes pages.
Bit (left to right)   Value
URG                   Urgent
ACK                   Acknowledge
PSH                   Push
RST                   Reset
SYN                   Synchronize
FIN                   Finish (the end)
Enter the Jackal 1997
/* Jackal - Stealth/FireWall scanner. With the use of
half open ports and sending SYNC (sometimes additional
flags like FIN) one can scan behind a firewall. It
shouldn’t let the site feel we're scanning by not doing a
3-way-handshake; we hope to avoid any tcp-logging.
Credits: Halflife, Jeff (Phiji) Fay, Abdullah Marafie.
Alpha Tester: Walter Kopecky.
Results:
Some firewalls did allow SYN | FIN to pass through. No
Site has been able to log the connections though during
alpha testing.ShadowS
Copyleft (hack it; i really don’t care).
*/
Opening comments - Jackal.c
Jackal was the first software package I became aware of that was commonly used for SYN/FIN
scanning. This was a significant improvement on the half-open style scan.
A SYN is used to initiate a connection; A FIN is used to tear a connection down. It isn’t logical for
the two to be used together! The idea was that no one would expect this and it would serve as a
wonder scanner. Right away, I knew one part of the assumption wasn’t true. TCPDump, the
software sniffing tool used in the Shadow intrusion detection system, could detect the SYN/FIN just
fine. In fact, we had been scratching our heads for weeks wondering what was generating such a
strange pattern.
It may be true that SYN/FIN penetrates some firewalls and filtering routers, but it didn't penetrate
proxy-based firewalls such as TIS's Gauntlet (now NAI's) or Secure Computing's Sidewinder.
When I got the scoop on Jackal, I spent a lot of hours reading sniffer logs from both sides of these
firewalls.
Sons of Jackal continue to be seen
Source Port 0 and 65535
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 newbie.org.0 > 192.168.2.3.13: SF 111:111(0) win 512
SF - SYN = Synchronize or Start; FIN = Finish or Stop
So, we could debate the effectiveness of Jackal and the software that followed its lead, but from an
intrusion detection point of view, the key point is that source port zero and SF set are a good
signature. In fact, they are a great signature. Now, if SYN/FIN isn't logical, why do we see it on the
network? Are these packets being crafted? The answer is, of course they are. Almost all software
that creates crafted packets leaves an easily discovered signature. On this slide, the fixed sequence
number of 111 lets us know this particular exploit script is being used.
Several security folks in the trade have commented that Windows systems will answer a SYN +
another flag as if it were a SYN only. That may be, but Windows systems do not tend to host IMAP
and NFS; this is more likely to be Unix. Therefore, to reiterate: the primary purpose(s) of the SF
must be to:
• avoid getting logged;
• evade filtering devices.
As of April 1999, attacks have been seen not just to IMAP (TCP 143) or NFS (TCP 2049), but also to FTP
(TCP 21) and POP2 (TCP 109).
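Here is the trace-format lesson and the Jackal signature put into working code. It is an added example, not code from the brief or from the Shadow project: it parses lines in the tcpdump style shown on the slides (timestamp, source.port > destination.port, code bits, sequence numbers, ack, window), names the code bits the way the notes page does, and flags the SYN/FIN pattern together with the extra tells called out above (source port 0 or 65535, fixed sequence number 111). The sample trace is constructed from the slide lines; host names and ports are only those the slides use.

```python
"""Parse tcpdump-style TCP trace lines and flag the Jackal SYN/FIN signature.

Added example for the trace-format and Jackal slides; it is not code from the
brief or from the Shadow project. Sample lines are constructed to match the
slide format (host names, ports and the sequence number 111 come from the slide).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# TCP code bits as tcpdump prints them, mapped to the names on the notes page.
FLAG_NAMES = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

# timestamp src.sport > dst.dport: flags [seq:end(len)] [ack N] [win N] [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[UAPRSF]+|\.)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)

Port = Union[int, str]  # numeric port, or a service name such as "http"


@dataclass
class Packet:
    ts: str
    src: str
    sport: Port
    dst: str
    dport: Port
    flags: frozenset  # subset of {"U","A","P","R","S","F"}; empty for "."
    seq: Optional[int]
    ack: Optional[int]
    win: Optional[int]


def _port(text: str) -> Port:
    return int(text) if text.isdigit() else text


def _num(text: Optional[str]) -> Optional[int]:
    return int(text) if text is not None else None


def decode_flags(flags: str) -> List[str]:
    """'SF' -> ['SYN', 'FIN'] using the code-bit names from the notes page."""
    return [FLAG_NAMES[c] for c in flags if c in FLAG_NAMES]


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for one tcpdump-style line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    flags = frozenset() if g["flags"] == "." else frozenset(g["flags"])
    return Packet(g["ts"], g["src"], _port(g["sport"]), g["dst"], _port(g["dport"]),
                  flags, _num(g["seq"]), _num(g["ack"]), _num(g["win"]))


def jackal_indicators(pkt: Packet) -> List[str]:
    """Why this packet looks like Jackal-style crafted traffic; empty list if it does not.

    SYN and FIN together is the trigger (a normal stack never combines them);
    source port 0 or 65535 and the fixed sequence number 111 are the extra
    tells the slide points out for this particular script.
    """
    if not {"S", "F"} <= pkt.flags:
        return []
    reasons = ["SYN and FIN set together"]
    if pkt.sport in (0, 65535):
        reasons.append(f"source port {pkt.sport}")
    if pkt.seq == 111:
        reasons.append("fixed sequence number 111")
    return reasons


def scan_trace(lines) -> List[Tuple[str, List[str]]]:
    """Run the SYN/FIN check over a trace; returns (line, reasons) for each hit."""
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        reasons = jackal_indicators(pkt)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample: two ordinary SYNs, the three "Sons of Jackal" lines, one FIN.
SAMPLE_TRACE = """\
20:50:20.8697 prober.1467 > mail.relay.106: S 7461494:7461494(0) win 8192 (DF)
20:50:20.9837 prober.1468 > mail.relay.109: S 7461608:7461608(0) win 8192 (DF)
12:36:54 prober.0 > relay.net.2049: SF 111:111(0) win 512
16:11:38 IMAPER.65535 > ns2.org.143: SF 111:111(0) win 512
13:10:33 newbie.org.0 > 192.168.2.3.13: SF 111:111(0) win 512
15:06:29 surfer.1497 > websrv.http: F 340:340(0) ack 10221 win 8760
""".splitlines()

if __name__ == "__main__":
    for line, reasons in scan_trace(SAMPLE_TRACE):
        print(line)
        print("    " + "; ".join(reasons))
```

The SYN/FIN test alone will also fire on the SFR packets of the passive fingerprinting slide that follows, which is fine: any packet with both bits set was crafted, and the extra indicators tell you which script crafted it.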
Queso and friends
Queso sends packets with unexpected code bit
combinations to determine the operating system of
the remote computer. Currently, they claim to be
able to distinguish over 100 OSes and OS states.
Queso pattern is shown on notes page
I really do have to hand it to the attacker community; they never cease to amaze me with their
creativity. When I first heard of queso, I just had to shake my head in wonderment. I found it really
hard to believe that by sending a mere six packets with some odd header combinations, including our
friend SYN/FIN, and by watching the responses you got back, it was possible to determine the
operating system. That is brilliant! This process is called stack analysis or TCP fingerprinting and
it is remarkably successful. However, because the process requires sending unexpected or illogical
patterns (such as SYN/FIN) together, it sometimes also serves as a denial of service for devices with
TCP stacks that are ill-prepared to handle these patterns. They just crash. The exact queso pattern is
shown below.
From the Queso page, the Queso scan pattern:
0 SYN * THIS IS VALID, used to verify LISTEN
1 SYN+ACK
2 FIN
3 FIN+ACK
4 SYN+FIN
5 PSH
6 SYN+XXX+YYY * XXX & YYY are unused TCP flags
All packets have a random seq_num and a 0x0 ack_num.
“Passive” Stack Analysis -
Sept 98
15:05:15 surfer.1497 > websrv.http: S 396544:396544(0) win 8192
15:05:16 websrv.http > surfer.1497: S 5698281:5698281(0) ack 28396545 win 8760
15:05:46 websrv.1123 > surfer.1533: P 739781:741229(1448) ack 3985720 win 8116
15:06:09 surfer.http > websrv.1424: R 72545643:72545643(0) win 0
15:06:09 websrv.1348 > surfer.7777: SFR 315729:3157161(1432) ack 54539 win 8320
15:06:29 surfer.1497 > websrv.http: F 340:340(0) ack 10221 win 8760
A client goes to a server; during the connection, the
server scans the client. We have seen this with web
and mail servers.
TCP fingerprinting or stack analysis is becoming more prevalent. Here we show a trace from a
desktop computer surfing the web and the web server turns around and sends a packet back to our
surfer with odd code bit combinations. We are able to pick it up with Shadow because of the SFR
(SYN/FIN/RST), but it is pretty durn hard to detect bad events in an HTTP bit stream; there are just
too many packets. On your notes page, there is a more complete trace of this event. We have seen
this same behavior while delivering email to mail relays.
15:05:15.880000 surfer.1497 > webserver.http: S 28396544:28396544(0) win 8192 (DF)
15:05:16.100000 webserver.http > surfer.1497: S 115698281:115698281(0) ack 28396545 win 8760 (DF)
15:05:16.13 surfer.1497 > webserver.http: P 1:340(339) ack 1 win 8760 (DF)
15:05:18.93 surfer.1496 > webserver.http: P 380:743(363) ack 73 win 8688 (DF)
15:05:19.27 surfer.1496 > webserver.http: F 743:743(0) ack 73 win 8688 (DF)
15:05:19.71 surfer.1496 > webserver.http: R 28354188:28354188(0) win 0 (DF)
15:05:22.65 surfer.1497 > webserver.http: P 1:340(339) ack 1 win 8760 (DF)
15:05:46.92 webserver.1123 > surfer.1533: P 739781:741229(1448) ack 1823985720 win 8116 (DF)
15:06:09.39 surfer.http > webserver.1424: R 2572545643:2572545643(0) win 0
15:06:09.55 webserver.1348 > surfer.7777: SFR 3105729:3107161(1432) ack 688054539 win 8320 (DF)
15:06:29.99 surfer.1497 > webserver.http: F 340:340(0) ack 10221 win 8760 (DF)
15:06:58.36 surfer.1497 > webserver.http: R 28396885:28396885(0) win 0 (DF)
15:07:45.93 surfer.1491 > webserver.http: R 27843570:27843570(0) win 0 (DF)
15:08:02.13 webserver.http > surfer.1490: F 5681:5681(0) ack 589 win 8173 (DF)
Hostile Service Provider
03:55:44.984102 ad.web.5 > target.53: S 606762138:606762202(64) win 2048
03:55:45.004102 ad.web.6 > target.53: S 803276200:803276264(64) win 2048
03:55:45.024102 ad.web.7 > target.53: S 475012453:475012517(64) win 2048
In the previous slide, we introduced the concept that content providers might be hostile in some cases.
When you go to a web server, they may well be collecting a lot of information about you. This slide
illustrates one of a number of techniques used by Internet Service Providers to map the network. In this
case, we have a TCP half-open to the Domain Name Service (DNS) port. We will discuss TCP half-
opens in greater detail in a couple more slides but, in short, it means to begin the process to open a TCP
connection, but never complete it, leaving it neither open nor closed. We call this a half-open state.
Now we have the what, how about the why: why are they going to so much trouble to do this? It
appears they are mapping the locations of sites’ DNS servers.
Some of the large service and content providers have developed techniques to determine all the routes
to a given site: the best routes, information about active services and so on. The activity on your slide
preceded this latest activity; I guess Internet citizens are becoming victims of one-upmanship.
Let me read you HD Moore's assessment of the pattern shown on the slide (HD is a pretty sharp analyst):
“I started to come up with a theory of what they are doing, based on the fact that a connection was
never *completed* to my DNS ports. It looks like a simple network mapping system using echo
requests and TCP 'pings' to generate maps of networks. There are a number of new utilities that use a
TCP 'ping' to determine if a host is alive due to the common practice of filtering ICMP at the router.
Nmap 2.x and a utility called 'hping' do this, both mentioned on bugtraq some time ago. In the man
page for nmap, using the TCP ping destination port 53 is recommended due to the fact that it's not likely
to set off alarms (WRONG ;) ).”
CREDIT: HD Moore ()
Nmap
The next generation (of the tools
that came before it) integrates all
of their capabilities in a single tool:
– Stealth scanning
– Stack analysis/TCP fingerprinting
– Sequence number prediction
– Decoy
Nmap is my favorite scanner, bar none. I use it for network mapping and for finding high-level
vulnerabilities. It is fast, effective, free, and has a boatload of features. I can’t imagine trying to be a
defensive information security worker without it. There is a catch though; attackers like it too. So, if
you don’t run nmap on your networks others will probably do it for you.
Public safety announcement: vulnerability scanning can be hazardous to your career. Nmap was
not designed to be a denial of service tool, but the things it kills from time to time might surprise you.
• Only run a vulnerability scan when you are present, do not run it unattended.
• Make sure people know what you are doing and how to contact you.
As you can see on the slide, nmap has the capability to operate in half-scan or so-called stealth
mode, so that primitive loggers will not record it. It is the most advanced tool I know of for stack
analysis/TCP fingerprinting. It can assess whether a target system is vulnerable to spoofing attacks
that rely on sequence number prediction. It also has the ability to generate noise, decoy attacks, or
attacks with spoofed source addresses, making it harder to determine which packet is actually the
attack. To summarize, nmap is the “Ronco-matic” of network scanners.
Network Mapping
Using TCP SYN-ACK packets
06:41:24 srn.com.113 > 172.21.32.83.1004: S 405:405(0) ack 674 win 8192
06:42:08 srn.com.113 > 192.168.83.15.2039: S 233:233(0) ack 674 win 8192
The initiating SYN connections were never sent, but SYN-ACKs are received.
06:44:09 srn.com.113 > 192.168.162.67.2226: S 761:761(0) ack 674 win 8192
06:44:09 192.168.162.67.2226 > srn.com.113: R 674:674(0) win 0
Result
This slide demonstrates the TCP half-open scan pattern. Before we talk about how this works, let’s
do a quick refresher on the TCP three way handshake that is diagramed in your notes pages.
Three way handshake: A wants to talk to B ,so A sends a packet with the SYN flag set. B says OK,
I will talk with you and acknowledges A’s SYN with a SYN/ACK. A says great and acknowledges
B’s SYN/ACK with an ACK, and the conversation begins.
A SYN > B
A < SYN/ACK B
A ACK > B
The top section of your slide shows the signature of a TCP half-open scan. The destination site sees
packets with SYN/ACKs, but there are no initiating SYNs to match them to.
The lower section of the slide, shown below the result box, demonstrates how this scan works.
When srn.com’s packet arrives at 192.168.162.67 with the SYN/ACK set, 192.168.162.67 knows
something is wrong. TCP is stateful, and so 192.168.162.67 knows he never sent a SYN or active
open packet, (recall this is the first step in the three way TCP handshake). He figures this packet
must be a mistake and sends a RESET (the “R” in the second line) to say break off communications,
something is wrong here. This gives away his existence to srn.com. Now, this pattern is USUALLY
seen as backscatter from a denial of service attack: a victim being flooded with SYNs that carry
spoofed source addresses answers each one with a SYN/ACK, and those SYN/ACKs land on whoever owns
the spoofed addresses. However, if these packets are able to penetrate your net you still give away
mapping information.
Network Mapping
Using TCP Reset Packets
02:58:05 srn.com.25984 > 172.30.69.23.2271: R 0:0(0) ack 674719802 win 0
02:59:11 srn.com.50620 > 172.16.7.158.1050: R 0:0(0) ack 674719802 win 0
02:59:20 srn.com.19801 > 192.168.184.174.1478: R 0:0(0) ack 674719802 win 0
02:59:31 srn.com.7960 > 192.168.242.139.1728: R 0:0(0) ack 674719802 win 0
03:00:58 srn.com.35124 > 192.168.182.171.1626: R 0:0(0) ack 674719802 win 0
03:00:58 router.net > srn.com: icmp: host 192.168.182.171 unreachable
The attacker is sending Reset packets to close connections
that were never established.
Result
This slide shows a reset scan. So many resets occur naturally on the Internet, that if an attacker is patient
enough, the scan is nearly undetectable.
What do I mean by patient enough? Well, there are two real approaches to stealth scanning: low and slow
and covert channels. Covert channels involves hiding information in packet headers, or in what is called
null padding, and can be a handy way to synchronize with Trojans. Low and slow is just what it sounds
like; there comes a point, somewhere between 3 and 7 packets per hour, at which it is no longer practical to
search for scans unless you have a data mining capability.
Now, to brass tacks, how does the reset scan work? The reset scan and many other scans rely on ICMP to
help them with their mapping. In this case, a packet is sent by srn.com with a RESET flag. Under many
circumstances there will be no reply. However, if the host or network does not exist and the packet is not
blocked before it reaches a helpful router, the router will send back information via ICMP that the target is
unreachable. Since the attacker is mapping the holes in the network, this is called inverse mapping. After
you find as many hosts that don’t exist as possible, you take the converse of the map and voila!
One last really important point: these techniques ( the half-opens, and a whole slew of other broken TCP
state techniques), utterly and totally fail when applied against sites with private internal addresses, an
application (or proxy) firewall with Network Address Translation (NAT), and split DNS.
Now, if I may turn your attention to the acknowledgement number (the one that ends in 9802): the same
fixed value on every packet is a classic signature of a denial of service attack. The most likely stimulus for this pattern is a denial of service
against someone else. However, once again, if these packets penetrate your net you are giving up network
mapping information.
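The inverse mapping described above, simulated from both sides. This is an added example and not code from the brief: the attacker sends one RST per address in a range and listens only for the router's ICMP "host unreachable"; whatever drew no complaint is assumed live. The second run shows the same scan against a router that has been told not to generate unreachables, which is the practical defense the slide alludes to (along with private addressing and NAT, which this model does not attempt). The network, the set of live hosts and the trace lines are constructed; srn.com, router.net and the ack number are taken from the slide.

```python
"""Inverse mapping with RST probes, both sides simulated.

Added example for the reset-scan slide; not code from the brief. The
attacker sends one RST per address and only listens for ICMP "host
unreachable"; addresses that drew no complaint are assumed live. The
network, live hosts and trace lines are constructed; srn.com and
router.net are the names the slide uses.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

ICMP_UNREACH_RE = re.compile(r"icmp: host (\S+) unreachable")
FIXED_ACK = 674719802  # the ack number the slide points out; identical in every probe


def simulate_reset_scan(network: str, live_hosts: Set[str],
                        router_reports_unreachable: bool = True) -> List[str]:
    """Trace lines the attacker sees: one RST probe per address, plus the router's
    ICMP unreachable for each address that does not exist (unless the router
    has been configured to stay quiet)."""
    trace = []
    for i, addr in enumerate(ipaddress.ip_network(network).hosts()):
        ts = f"02:{i // 60:02d}:{i % 60:02d}"  # one probe per second; pace it slower in practice
        trace.append(f"{ts} srn.com.{20000 + i} > {addr}.1050: R 0:0(0) ack {FIXED_ACK} win 0")
        if str(addr) not in live_hosts and router_reports_unreachable:
            trace.append(f"{ts} router.net > srn.com: icmp: host {addr} unreachable")
    return trace


def unreachable_hosts(trace: Iterable[str]) -> Set[str]:
    """Addresses the router said do not exist."""
    holes = set()
    for line in trace:
        m = ICMP_UNREACH_RE.search(line)
        if m:
            holes.add(m.group(1))
    return holes


def inverse_map(network: str, trace: Iterable[str]) -> Set[str]:
    """Attacker's inference: everything probed, minus the holes the router reported.

    With no unreachables at all the answer is 'everything is live', which is
    no information; that is what suppressing unreachables at the border buys.
    """
    probed = {str(a) for a in ipaddress.ip_network(network).hosts()}
    return probed - unreachable_hosts(trace)


NETWORK = "192.168.182.0/24"                     # the range the slide's last line falls in
LIVE = {"192.168.182.10", "192.168.182.53", "192.168.182.200"}  # constructed


def run_demo() -> Dict[str, Set[str]]:
    return {
        "router_answers": inverse_map(NETWORK, simulate_reset_scan(NETWORK, LIVE, True)),
        "router_silent": inverse_map(NETWORK, simulate_reset_scan(NETWORK, LIVE, False)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("talkative router, hosts inferred live:", sorted(result["router_answers"]))
    print("silent router, hosts inferred live:", len(result["router_silent"]), "(no information)")
```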
Simultaneous RESET Scans
By Related Addresses
17:40:45 hook.4408 > target1.1457: R 0:0(0) ack 674719802 win 0
17:40:53 hook.3174 > target2.1457: R 0:0(0) ack 674719802 win 0
17:41:12 hook.6250 > target3.1979: R 0:0(0) ack 674719802 win 0
17:43:43 hook.4922 > target4.1496: R 0:0(0) ack 674719802 win 0
17:42:30 grin.5322 > target1a.1167: R 0:0(0) ack 674719802 win 0
17:42:40 grin.3233 > target2a.1797: R 0:0(0) ack 674719802 win 0
17:44:28 grin.2504 > target3a.1634: R 0:0(0) ack 674719802 win 0
17:47:52 grin.6657 > target4a.2121: R 0:0(0) ack 674719802 win 0
This is a confirmed coordinated attack. Nmap can simulate coordinated attacks.
If an attacker wants to achieve low and slow, but is not satisfied with only scanning 3 – 7 packets per
hour, one solution is to use multiple machines in parallel. There are several terms for this, including
coordinated scans, or (as the attackers prefer) distributed scanners. These scans on your slide are
an early and somewhat crude example of a coordinated scan. In this case, it originated from the
same city at the same time, but from different ISPs and address families. They each were looking for
different IP addresses as if the target network had been parceled between them.
They were detected because the scan detect algorithm, look4sans.pl, that is shipped with the Shadow
source distribution does a search over a 24 hour period. Though they might evade a short time frame
scan detector, the number of total packets over 24 hours flagged them.
All of this brings up a very important point. We already mentioned in the last slide that there are a
number of reasons for RESET packets, or any other anomaly for that matter. There is a chance of
decoys, such as nmap can produce, or other sorts of spoofing. We need to be very careful and not
jump to assumptions. Just because we see packets at our sites with a particular source address does
not mean the other site actually sent them. They could even be the unwitting dupe in a
particularly slick spoofed scan, the kind hping performs.
Note the acknowledgement number on your slide again. Since most of the time this is the result of a
denial of service attack, most analysts will attribute this pattern to DOS and not give it a second
thought.
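The detection logic behind the two slides above, as an added example: it is not the Shadow look4scans.pl script, only a model of the idea. Events are assumed already parsed into (time, source, destination, flags, ack) records. A per-source count of distinct targets is taken over a short window and over a 24-hour window; the low-and-slow sources pass the first and trip the second. Sources that trip the threshold are then grouped by their crafted-packet fingerprint (flags plus the fixed ack number) and checked for disjoint target sets, which is the "parceled out" look of a coordinated scan. The records are constructed from the slide: hook and grin, a few RSTs per hour each, plus a legitimate mail host as noise.

```python
"""Low-and-slow and coordinated scan detection over a 24-hour window.

Added example for the coordinated-scan slide; not the Shadow look4scans.pl
code. Events are assumed to be already parsed (time, source, destination,
flags, ack number). The records below are constructed from the slide:
two sources, hook and grin, each sending a few RSTs per hour carrying the
same fixed ack number to disjoint halves of a target range.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

Event = Tuple[datetime, str, str, str, int]  # (when, src, dst, flags, ack)


def sources_over_threshold(events: Iterable[Event], window: timedelta,
                           threshold: int) -> Dict[str, int]:
    """Sources that reach `threshold` distinct destinations inside some `window`.

    A window of minutes catches a fast sweep; the 24-hour window is what
    exposes a scanner that paces itself at a few packets per hour.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for when, src, dst, _flags, _ack in events:
        by_src[src].append((when, dst))
    flagged: Dict[str, int] = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            in_window = {dst for when, dst in hits[i:] if when - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged


def coordinated_groups(events: Iterable[Event],
                       flagged: Iterable[str]) -> List[Tuple[tuple, List[str]]]:
    """Group flagged sources whose packets share one crafted-packet fingerprint
    (flags plus the fixed ack number) and whose targets never overlap, i.e.
    the address space looks parceled out between them."""
    flagged = set(flagged)
    by_fp: Dict[tuple, set] = defaultdict(set)
    targets: Dict[str, set] = defaultdict(set)
    for _when, src, dst, flags, ack in events:
        if src in flagged:
            by_fp[(flags, ack)].add(src)
            targets[src].add(dst)
    groups = []
    for fp, srcs in by_fp.items():
        if len(srcs) >= 2 and all(targets[a].isdisjoint(targets[b])
                                  for a, b in combinations(srcs, 2)):
            groups.append((fp, sorted(srcs)))
    return groups


def _at(hhmm: str) -> datetime:
    return datetime(2000, 5, 30, int(hhmm[:2]), int(hhmm[3:]))


FIXED_ACK = 674719802
HOURS = ["00:40", "03:40", "06:41", "09:43", "12:42", "15:42", "18:44", "21:47"]
# Constructed: hook takes 10.1.0.1-8, grin takes 10.1.0.101-108; mailhub is ordinary traffic.
EVENTS: List[Event] = (
    [(_at(t), "hook", f"10.1.0.{i + 1}", "R", FIXED_ACK) for i, t in enumerate(HOURS)]
    + [(_at(t), "grin", f"10.1.0.{i + 101}", "R", FIXED_ACK) for i, t in enumerate(HOURS)]
    + [(_at("10:00"), "mailhub", "10.1.0.25", "S", 0),
       (_at("10:05"), "mailhub", "10.1.0.26", "S", 0)]
)


def run_demo() -> dict:
    fast = sources_over_threshold(EVENTS, timedelta(hours=1), threshold=5)
    slow = sources_over_threshold(EVENTS, timedelta(hours=24), threshold=5)
    return {"one_hour": fast, "one_day": slow, "groups": coordinated_groups(EVENTS, slow)}


if __name__ == "__main__":
    r = run_demo()
    print("flagged in a 1-hour window:", r["one_hour"])
    print("flagged in a 24-hour window:", r["one_day"])
    print("coordinated groups:", r["groups"])
```

The grouping step is deliberately conservative: two sources that merely share a fingerprint could be one tool run by two unrelated people, and a shared fingerprint with overlapping targets is just as likely two independent scans. Treat a group as a lead for the analyst, not a finding, for the same reason the slide gives about decoys and spoofing.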
Hping - Spoofing Port Scanner
• Conceptually, a TCP version of ‘Ping’
• Sends custom TCP packets to a host
and listens for replies
• Enables port scanning and spoofing
simultaneously, by crafting packets
and analyzing the return
Hping is a “network analysis tool” that fits ping’s ICMP concept to TCP and UDP. An hping user
can craft packets with a customized destination and source port, window size, identification field,
TCP flags (UAPRSF) and more. Results are returned like ping.
Spoofed port scanning is achieved with hping by first finding a silent host - a host on the Internet that
is idle. At any given time, a lot of Internet hosts are ‘up’ but are not engaged in any communications
- no packets are being sent or received. Although unattended, these silent hosts still have their ears
open and can be made to speak up if asked politely. Hping provides the following mechanism to find
silent hosts: with a repeated ‘TCP ping’ of a host, followed by examination of that host’s returned
sequence and ID numbers, it is possible to tell whether that host is engaged in any other communication;
in other words, whether that host is silent.
Once a silent host has been found, scanning consists of sending a TCP packet to the target as though
it came from the silent host (spoofing). After sending a spoofed packet (or packets), the silent host is
monitored (using hping) to see if it engages in any communications. If it does, the target port is
probably open and is handshaking with the silent host. If not, the target port is not listening or a
firewall has intervened.
By using multiple silent hosts, an attacker could run a very stealthy port scan indeed - a distributed
and spoofed port scan.
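Seen from the defender's side of the mechanism just described, a host being used as the silent host receives SYN/ACKs for connections it never opened. The following is an added example, not code from the briefing or from hping: it flags such unsolicited SYN/ACKs in a constructed packet log (addresses, ports and timestamps are made up).

```python
# Added example (not from the SANS briefing): detect our host being used as the
# "silent host" in a spoofed scan.  The target answers the forged SYNs with
# SYN/ACKs sent to us, so we look for inbound SYN/ACKs with no matching outbound SYN.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts direction src sport dst dport flags")

# Constructed sample log as seen by our host 192.0.2.10: one legitimate connection
# to 198.51.100.7:80, then two SYN/ACKs from 203.0.113.5 that we never asked for.
SAMPLE = [
    Pkt(1.0, "out", "192.0.2.10", 40001, "198.51.100.7", 80, "S"),
    Pkt(1.1, "in", "198.51.100.7", 80, "192.0.2.10", 40001, "SA"),
    Pkt(5.0, "in", "203.0.113.5", 22, "192.0.2.10", 1234, "SA"),
    Pkt(5.2, "in", "203.0.113.5", 80, "192.0.2.10", 1235, "SA"),
]


def unsolicited_synacks(packets, window=30.0):
    """Inbound SYN/ACKs for which we sent no SYN to that peer:port within `window` seconds."""
    sent = {}  # (peer_ip, peer_port, our_port) -> time of our outbound SYN
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out" and p.flags == "S":
            sent[(p.dst, p.dport, p.sport)] = p.ts
        elif p.direction == "in" and p.flags == "SA":
            t = sent.get((p.src, p.sport, p.dport))
            if t is None or p.ts - t > window:
                hits.append(p)
    return hits


def probable_targets(hits):
    """Group unsolicited SYN/ACKs by sender.  The sender is the real scan target and the
    source ports of its SYN/ACKs are the ports that answered; our address was the forged source."""
    by_src = {}
    for p in hits:
        by_src.setdefault(p.src, set()).add(p.sport)
    return by_src


if __name__ == "__main__":
    for target, ports in probable_targets(unsolicited_synacks(SAMPLE)).items():
        print(f"our address was likely spoofed against {target}; ports that answered: {sorted(ports)}")
```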
Hping v2.0 - hping Enhanced
• Uses hping crafted packets to:
– Test firewall rules
– Test net performance
– Remotely fingerprint OSes
– Audit TCP/IP stacks
– Transfer files across a firewall
– Check if a host is up
Version 2.0 of hping (hping2) added some new features, enabling more than just spoofed port scanning.
By constructing custom TCP packets, a number of things can be achieved. Attackers (or “network security
analyzers”) can test firewall and access control rules, test network performance and check to see if hosts
are up, get remote OS fingerprints, transfer files across firewalls, and audit TCP/IP stacks. If the first step
in formulating an attack consists of target research and reconnaissance, then gems such as these must rouse
interest from even the most docile Internet hacker!
Packets can be crafted, or ‘shaped’, by using any of hping’s many command line arguments. Usage with
example options:
    hping hostIP [options]
    --spoof: spoof the source address of the TCP packet
    --baseport, --destport: set the source or destination port
    -F, -S, -R: set the FIN, SYN, or RST flags
    --file: fill the data portion of the packet with data from a file
By probing a machine with varying crafted packets, it is possible to form a map of a firewall’s access
control rules, deduce the operating system, and make inferences about the TCP/IP stack. By using the
--file option, data can be inserted into a TCP packet that has been designed to traverse firewalls. To add to
the fun, options exist to craft UDP or ICMP packets. For example:
    --icmp --icmptype: create ICMP packets of a certain type, e.g. echo request
    --udp: create UDP packets
For more information and hping downloads, see
Spoofer NetBIOS
06:49:55 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:49:58 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:04 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
06:50:16 proberA.4197 > 172.20.139.137.139: S 596843772:596843772(0) win 8192 (DF)
12:57:56 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:57:59 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:05 proberE.2038 > 172.20.216.29.139: S 294167370:294167370(0) win 8192 (DF)
12:58:41 proberE.2039 > 172.20.216.29.139: S 294212415:294212415(0) win 8192 (DF)
This is a small sample of a massive pattern detected at several sites. All the packets were NetBIOS
to TCP 139. They claimed to come from a number of source addresses. It was the picture-perfect
coordinated attack: a large number of attackers against several sites. There was only one problem; it was
too perfect. The more we examined the various header fields of the packets, the more we were
struck by the similarity of the header fields, and by how easy it was to define the signature for this traffic.
So, we started looking at the traffic more closely. One of the header fields is the ‘time to live’, or
TTL field. This is a very important field: as a router passes a packet on its way, it is supposed to
decrement the TTL field. Once the TTL field reaches 0, the packet is no longer forwarded by routers.
This way, there shouldn’t be lost packets traveling forever on the Internet, like that poor soul who
got lost on the MTA in Boston and never returned. Now, if these scans were actually originating
from sites all over the Internet, and possibly from different operating systems as well, then over
thousands of these packets we should see some variation in the TTLs.
TTL
In the notes pages are the Time To Live fields from the traces in the previous slide. Notice how
they cluster around 120. This is not expected behavior. This is also fixed in the nmap 2.08
release, whose decoy function now gives the decoys random TTLs.
Analysis credit to Army Research Lab
So we started comparing the TTL value with the hop count back from a traceroute. This isn’t good
science, but over time, the clustering TTLs and the hops back convinced us to call our CIRTs and tell
them we really didn’t think these scans were genuine. So what was the point? Apparently, someone
was playing some sort of mind game. In information warfare, this is called perception management
or PSYOP, for psychological operation. As an interesting side note, HD wrote me a day or two after
we came to this conclusion and said he had found a vulnerability in nmap’s decoy generator: it
didn’t vary the TTL, but not to worry, it would be fixed in the next release. Gee, thanks!
Destination IP Address: 172.20.224.77
TTL: 118
Traceroute Back: Timeout occurred after 10/7/7 hops
Expected Traceroute hops: 10
Destination IP Address: 172.20.204.154
TTL: 120
Traceroute Back: 12/10/11 hops
Expected Traceroute hops: 8
Destination IP Address: 192.168.212.123
TTL: one connection 115, 3 connections 116
Traceroute Back: 14/13/12 hops
Expected Traceroute hops: 12-13
Destination IP Address: 172.20.122.157
TTL: 120
Traceroute Back: Timeout occurred after 12/11/11 hops
Expected Traceroute hops: 8
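The comparison the notes describe (arriving TTL against the traceroute hop count back to the claimed source), as an added example that is not part of the original briefing. It runs on the four records above and assumes the common initial TTLs 32, 64, 128 and 255; for the third record the 115 value is used.

```python
# Added example (not from the SANS briefing): the TTL-versus-traceroute sanity check.
# Guessing the sender's initial TTL (common OS defaults 32, 64, 128, 255), the arriving
# TTL implies a hop count; a traceroute back to the claimed source that disagrees by more
# than a hop or two makes the source address suspect.  Data are the slide's four records.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL at or above the observed value."""
    return next(t for t in INITIAL_TTLS if t >= observed_ttl)


def expected_hops(observed_ttl):
    """Hop count implied by the arriving TTL under the inferred initial TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def ttl_consistent(observed_ttl, traceroute_hops, tolerance=1):
    """True if any traceroute run lands within `tolerance` hops of the implied count.
    Forward and return paths are often asymmetric, hence the slack (the notes call this
    'not good science')."""
    exp = expected_hops(observed_ttl)
    return any(abs(h - exp) <= tolerance for h in traceroute_hops)


# (address as listed on the slide, observed TTL, hop counts of the three traceroute runs;
#  runs that timed out are recorded at the hop where they stopped, so they are lower bounds)
RECORDS = [
    ("172.20.224.77", 118, [10, 7, 7]),
    ("172.20.204.154", 120, [12, 10, 11]),
    ("192.168.212.123", 115, [14, 13, 12]),
    ("172.20.122.157", 120, [12, 11, 11]),
]


def analyse(records, tolerance=1):
    """Per record: (address, implied hops, consistent with traceroute?)."""
    return [(ip, expected_hops(ttl), ttl_consistent(ttl, hops, tolerance))
            for ip, ttl, hops in records]


def initial_ttl_spread(records):
    """Distinct initial TTLs implied across supposedly independent sources; a single
    value is the clustering the notes point out."""
    return {infer_initial_ttl(ttl) for _, ttl, _ in records}


if __name__ == "__main__":
    for ip, exp, ok in analyse(RECORDS):
        print(f"{ip}: TTL implies {exp} hops -> {'plausible' if ok else 'SUSPECT'}")
    print("implied initial TTLs:", initial_ttl_spread(RECORDS))
```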
So What Does It Mean?
• 1997
– Stealth, resist logging
– Penetration, evade SYN matching
• 1998
– TCP Fingerprinting - stack analysis
– Coordinated attacks
Keeping in mind the date caveats given earlier, let’s try to put these tools and their development into
perspective. While the attacker’s goals of penetration and stealth have been consistent, the
techniques have become more effective over time. We talked about Jackal, an early entry into the
field along with the “stealth” TCP half scans, and how it used SYN/FIN to attempt to penetrate
firewalls or filtering routers and evade logging.
Over time, we saw the techniques become more refined and we also learned that these illogical flag
combinations could be used for stack analysis or TCP fingerprinting to determine the operating
system.
Finally, we considered stealth again, and pointed out that one way to achieve low and slow was to
use multiple source addresses working together to scan the target system. This is the so-called
coordinated attack.