Description:
Name: Eugenio Delfa
Email: eugenio.delfa@gmail.com

1. What was the IP address of Mr. X's scanner?
   10.42.42.253
2. For the FIRST port scan that Mr. X conducted, what type of port scan was it?
   TCP Connect
3. What were the IP addresses of the targets Mr. X discovered?
   10.42.42.25
   10.42.42.50
   10.42.42.56
4. What was the MAC address of the Apple system he found?
   00:16:cb:92:6e:dc
5. What was the IP address of the Windows system he found?
   10.42.42.50
6. What TCP ports were open on the Windows system?
   135
   139

OK, let's start by getting a general idea of the evidence content. Obviously it must contain some port-scan-related packets, and maybe some noise packets as well. Seeing is believing. I need some information about IP and MAC addresses, IP flows, TCP flags and source/destination ports for all packets involved in this analysis. To get this statistical point of view I wrote a Python script that runs over the provided evidence file and computes these stats. (Results are ordered by the number of packets in each flow: '-b nPackets'.)

============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -b nPackets
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:44:10.697892 (  0 seg) UDP  10.42.42.253 <=> 10.42.42.25 : 1
00:44:10.721870 (  0 seg) UDP  10.42.42.253 <=> 10.42.42.50 : 1
00:44:10.697812 (  2 seg) UDP  10.42.42.253 <=> 10.42.42.56 : 2
00:37:10.800275 (360 seg) UDP  10.42.42.25 <=> 10.255.255.255 : 4
00:37:10.800997 (360 seg) UDP  10.42.42.50 <=> 10.42.42.25 : 4
00:44:10.647413 (  0 seg) ICMP 10.42.42.253 <=> 10.42.42.25 Echo/2 Echo Reply/2 Destination Unreachable/1 : 5
00:44:10.671387 (  0 seg) ICMP 10.42.42.253 <=> 10.42.42.50 Echo/2 Echo Reply/2 Destination Unreachable/1 : 5
00:44:10.647405 (  2 seg) ICMP 10.42.42.253 <=> 10.42.42.56 Echo/4 Echo Reply/4 Destination Unreachable/2 : 10
00:36:52.989943 ( 53 seg) UDP  10.42.42.50 <=> 10.255.255.255 : 12
00:37:11.124897 (360 seg) TCP  10.42.42.25 <=> 10.42.42.50 S/12 A/36 FA/12 SA/12 PA/12 FPA/12 : 96
00:34:07.564250 (605 seg) TCP  10.42.42.253 <=> 10.42.42.56 A/2 R/2 S/2003 RA/2005 FPU/2 : 4014
00:34:06.956656 (603 seg) TCP  10.42.42.253 <=> 10.42.42.50 N/1 S/2011 R/12 FPU/1 FSPU/1 SEC/1 A/11 FA/5 SA/15 RA/2002 PA/4 FPA/1 : 4065
00:34:07.564252 (603 seg) TCP  10.42.42.253 <=> 10.42.42.25 A/1 R/1 S/3400 RA/2003 FPU/1 : 5406
Analysis started at 2010-03-07 14:15:23.358389 and ended at 2010-03-07 14:15:25.841819, stats calculated in 0:00:02.483430
============================================================================================================

The three most crowded flows are between 10.42.42.253 and 10.42.42.56, 10.42.42.50 and 10.42.42.25 respectively. We can also see that these three flows have the lowest initial timestamps and that, among others, they carry some port-scan-related TCP flag combinations, like FPU (FIN/PUSH/URG) and FSPU (FIN/SYN/PUSH/URG). But who's who here? (Stats filtered by -s == source address, -d == destination address, -f == TCP flags, and ordered again.)

============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -b nPackets -s 10.42.42.253 -f 0x2
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:07.564250 (605 seg) TCP 10.42.42.253 <=> 10.42.42.56 S/2003 : 2003
00:34:06.956656 (603 seg) TCP 10.42.42.253 <=> 10.42.42.50 S/2011 : 2011
00:34:07.564252 (603 seg) TCP 10.42.42.253 <=> 10.42.42.25 S/3400 : 3400
Analysis started at 2010-03-07 14:59:16.140124 and ended at 2010-03-07 14:59:17.467178, stats calculated in 0:00:01.327054

foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -b nPackets -d 10.42.42.253 -f 0x14
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:06.957387 (603 seg) TCP 10.42.42.50 <=> 10.42.42.253 RA/2000 : 2000
00:34:07.564425 (603 seg) TCP 10.42.42.25 <=> 10.42.42.253 RA/2003 : 2003
00:34:07.564335 (605 seg) TCP 10.42.42.56 <=> 10.42.42.253 RA/2005 : 2005
Analysis started at 2010-03-07 14:59:30.909292 and ended at 2010-03-07 14:59:31.978696, stats calculated in 0:00:01.069404
============================================================================================================

OK, now I know that 10.42.42.253 has sent 7414 SYN packets, which is characteristic of a TCP SYN or TCP Connect port scan, and that this address has received 6008 RST/ACK packets (closed port / service not available). So: 10.42.42.253 is the IP address of the attacker, and 10.42.42.25, .50 and .56 are the IP addresses of the potential victims. The timestamps also indicate that the first port scan is TCP SYN or TCP Connect. To know which of the two the first port scan method was, I considered the three-way handshake and the TCP flag sequence for one open port:

TCP Connect (3-way handshake):
    scanner  --SYN-->       victim
    scanner  <--SYN/ACK--   victim
    scanner  --ACK-->       victim
    scanner  --RST+ACK-->   victim

TCP SYN (half-open):
    scanner  --SYN-->       victim
    scanner  <--SYN/ACK--   victim
    scanner  --RST-->       victim

So the first packet that 10.42.42.253 sends back to 10.42.42.25, .50 or .56 after a SYN/ACK, carrying one of these flags (RST or ACK), determines the first scan method.
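As an added illustration (my own code, not nfestats.py, which this write-up does not reproduce), here is the core of that flow/flag bookkeeping in plain Python over a constructed packet list: it renders flag combinations in the same letter notation, aggregates per host pair in the script's output layout, and picks the scanner as the host that sends the most bare SYNs and receives the most RST/ACKs, the criterion used above. The sample packets reuse the puzzle's addresses but are constructed, not frames from evidence04.pcap.

```python
from collections import Counter
# TCP flag bits in RFC 793 order (low bit first), rendered with nfestats-style letters.
FLAG_LETTERS = "FSRPAUEC"   # FIN SYN RST PSH ACK URG ECE CWR
SYN, RST, ACK = 0x02, 0x04, 0x10
def flag_str(bits):
    """0x12 -> 'SA', 0x29 -> 'FPU'; a segment with no flags set is shown as 'N'."""
    return "".join(l for i, l in enumerate(FLAG_LETTERS) if bits & (1 << i)) or "N"
# Constructed sample capture: (timestamp, src, dst, dport, tcp_flags); illustrative, not evidence04.pcap.
SAMPLE = (
    [(1.0 + i * 0.001, "10.42.42.253", "10.42.42.50", 1000 + i, SYN) for i in range(30)]
  + [(1.0005 + i * 0.001, "10.42.42.50", "10.42.42.253", 1000 + i, RST | ACK) for i in range(28)]
  + [(1.0295, "10.42.42.50", "10.42.42.253", 1028, SYN | ACK),   # one open port answers
     (1.0297, "10.42.42.253", "10.42.42.50", 1028, ACK),
     (1.0298, "10.42.42.253", "10.42.42.50", 1028, RST | ACK),
     (2.0, "10.42.42.25", "10.42.42.50", 445, SYN),              # unrelated background traffic
     (2.001, "10.42.42.50", "10.42.42.25", 445, SYN | ACK)]
)

def flow_stats(packets):
    """Per unordered host pair: first/last timestamp and a Counter of flag strings."""
    flows = {}
    for ts, src, dst, _dport, flags in packets:
        f = flows.setdefault(frozenset((src, dst)), {"first": ts, "last": ts, "flags": Counter()})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["flags"][flag_str(flags)] += 1
    return flows

def render(flows):
    """One line per flow in the write-up's layout, least crowded flow first (-b nPackets)."""
    rows = sorted(flows.items(), key=lambda kv: sum(kv[1]["flags"].values()))
    lines = []
    for pair, f in rows:
        a, b = sorted(pair)
        flags = " ".join(f"{k}/{v}" for k, v in f["flags"].most_common())
        lines.append(f"{f['first']:.6f} ({f['last'] - f['first']:3.0f} seg) TCP {a} <=> {b} "
                     f"{flags} : {sum(f['flags'].values())}")
    return lines

def find_scanner(packets):
    """Host with the most bare SYNs sent plus RST/ACKs received: the criterion used above."""
    syn_sent, ra_recv = Counter(), Counter()
    for _ts, src, dst, _dport, flags in packets:
        if flags == SYN:
            syn_sent[src] += 1
        elif flags == RST | ACK:
            ra_recv[dst] += 1
    host = max(syn_sent, key=lambda h: syn_sent[h] + ra_recv[h])
    return host, syn_sent[host], ra_recv[host]
```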
(Find first SYN/ACK source address)
============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -d 10.42.42.253 -f 0x12
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:07.824240 (602 seg) TCP 10.42.42.50 <=> 10.42.42.253 SA/15 : 15
Analysis started at 2010-03-07 18:38:39.465803 and ended at 2010-03-07 18:38:39.479975, stats calculated in 0:00:00.014172
============================================================================================================
= 00:34:07.824240 SYN+ACK from 10.42.42.50 to 10.42.42.253

(Find first RST from attacker to the involved victim: 'polite' TCP SYN, i.e. half-open)
============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -d 10.42.42.50 -s 10.42.42.253 -f 0x4
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:43:10.204509 ( 60 seg) TCP 10.42.42.253 <=> 10.42.42.50 R/10 : 10
Analysis started at 2010-03-07 18:39:57.386336 and ended at 2010-03-07 18:39:57.399525, stats calculated in 0:00:00.013189
============================================================================================================
= 00:43:10.204509 RST from 10.42.42.253 to 10.42.42.50

(Find first RST+ACK from attacker to the involved victim: TCP Connect)
============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -d 10.42.42.50 -s 10.42.42.253 -f 0x14
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:07.826540 (  0 seg) TCP 10.42.42.253 <=> 10.42.42.50 RA/2 : 2
Analysis started at 2010-03-07 18:41:33.380682 and ended at 2010-03-07 18:41:33.392391, stats calculated in 0:00:00.011709
============================================================================================================
= 00:34:07.826540 RST+ACK from 10.42.42.253 to 10.42.42.50

The first response in time is a RST+ACK packet at 00:34:07.826540, which indicates the TCP Connect port scan method.

Well, now I need to know the open ports found on every scanned victim. In the nfestats script I added some port statistics options that I hadn't used until now. Reviewing our first results, I see that only the flow between 10.42.42.253 and 10.42.42.50 has SYN+ACK packets (15), so I run one more accurate query, this time showing port statistics. (From 10.42.42.50 to 10.42.42.253 with SYN+ACK TCP flags.)

============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -s 10.42.42.50 -d 10.42.42.253 -f 0x12 -p
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:07.824240 (602 seg) TCP 10.42.42.50 <=> 10.42.42.253 SA/15 : 15
------sources--------      || --------destinations------
139(netbios-ssn) SA/3 : 3  || 36131(unknow) SA/1 : 1
135(epmap) SA/12 : 12      || 43490(unknow) SA/1 : 1
                           || 56257(unknow) SA/1 : 1
                           || 36134(unknow) SA/1 : 1
                           || 37926(unknow) SA/1 : 1
                           || 43492(unknow) SA/1 : 1
                           || 36123(unknow) SA/1 : 1
                           || 36122(unknow) SA/1 : 1
                           || 36121(unknow) SA/1 : 1
                           || 36120(unknow) SA/1 : 1
Analysis started at 2010-03-07 15:08:05.661155 and ended at 2010-03-07 15:08:05.721684, stats calculated in 0:00:00.060529
============================================================================================================

And what about the UDP protocol: has he found any open UDP port? Looking at the UDP stats from the potential victims to the attacker, there is no UDP packet to 10.42.42.253 at all.
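To make the handshake rule and the open-port query above concrete, here is an added Python example (my own code, not part of the original write-up or of nfestats.py) that replays both flag sequences on constructed packets written in the write-up's letter notation. For every (scanner port, target, target port) connection it labels the port open, closed or no-answer and, for open ports, infers connect vs. half-open from the scanner's first segment after the SYN/ACK; the earliest open-port connection gives the first scan method, and the open-port list is what the -p query reads off from SA packets. Addresses reuse the puzzle's hosts; ports and timestamps are constructed.

```python
from collections import defaultdict
# Constructed sample: (timestamp, src, dst, sport, dport, flags) in the write-up's
# letter notation. Ports and times are illustrative, not the puzzle's real frames.
SCANNER, TARGET = "10.42.42.253", "10.42.42.50"
SAMPLE = [
    # connect scan of 135: full handshake, then the scanner tears down with RST+ACK
    (10.000, SCANNER, TARGET, 36131, 135, "S"),
    (10.001, TARGET, SCANNER, 135, 36131, "SA"),
    (10.002, SCANNER, TARGET, 36131, 135, "A"),
    (10.003, SCANNER, TARGET, 36131, 135, "RA"),
    # connect scan of 22: closed port, answered with RST+ACK
    (10.004, SCANNER, TARGET, 36132, 22, "S"),
    (10.005, TARGET, SCANNER, 22, 36132, "RA"),
    # later half-open scan of 139: the scanner answers the SYN/ACK with a bare RST
    (20.000, SCANNER, TARGET, 43490, 139, "S"),
    (20.001, TARGET, SCANNER, 139, 43490, "SA"),
    (20.002, SCANNER, TARGET, 43490, 139, "R"),
    # probe of 445 never answered (dropped or filtered)
    (20.003, SCANNER, TARGET, 43491, 445, "S"),
]

def connections(packets, scanner):
    """Group packets by (scanner_port, target, target_port), in time order."""
    conns = defaultdict(list)
    for ts, src, dst, sport, dport, flags in sorted(packets):
        key = (sport, dst, dport) if src == scanner else (dport, src, sport)
        conns[key].append((ts, src, flags))
    return conns

def classify(packets, scanner):
    """Per (target, port): (state, method); method comes from the scanner's first segment after SYN/ACK."""
    result = {}
    for (_sp, target, tport), pkts in connections(packets, scanner).items():
        flags = [fl for _ts, _src, fl in pkts]
        state = "open" if "SA" in flags else "closed" if "RA" in flags else "no-answer"
        method = None
        if state == "open":
            after = [fl for _ts, src, fl in pkts[flags.index("SA") + 1:] if src == scanner]
            method = {"A": "connect", "R": "half-open"}.get(after[0] if after else None, "unknown")
        result[(target, tport)] = (state, method)
    return result

def first_scan_method(packets, scanner):
    """Method used on the earliest open-port connection: the write-up's test for the FIRST scan."""
    conns = connections(packets, scanner)
    ts, key = min((pkts[0][0], k) for k, pkts in conns.items() if any(f == "SA" for *_, f in pkts))
    return classify(packets, scanner)[key[1:]][1], ts

def open_ports(packets, scanner):
    """Target ports that answered with SYN/ACK, the same thing the -p query above lists."""
    return sorted(port for (_t, port), (state, _m) in classify(packets, scanner).items() if state == "open")
```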
============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -d 10.42.42.253 -b proto
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:44:10.647523 (  2 seg) ICMP 10.42.42.56 <=> 10.42.42.253 Echo Reply/4 Destination Unreachable/2 : 6
00:44:10.647717 (  0 seg) ICMP 10.42.42.25 <=> 10.42.42.253 Echo Reply/2 Destination Unreachable/1 : 3
00:44:10.672138 (  0 seg) ICMP 10.42.42.50 <=> 10.42.42.253 Echo Reply/2 Destination Unreachable/1 : 3
00:34:07.564425 (603 seg) TCP  10.42.42.25 <=> 10.42.42.253 R/1 RA/2003 : 2004
00:34:07.564335 (605 seg) TCP  10.42.42.56 <=> 10.42.42.253 R/2 RA/2005 : 2007
00:34:06.957387 (603 seg) TCP  10.42.42.50 <=> 10.42.42.253 R/2 A/3 FA/2 SA/15 RA/2000 PA/1 FPA/1 : 2024
Analysis started at 2010-03-07 15:09:27.162945 and ended at 2010-03-07 15:09:28.241672, stats calculated in 0:00:01.078727
============================================================================================================

So, in short, of the three addresses the attacker found, only 10.42.42.50 had open ports, and all of them were TCP ports: 135 (epmap) and 139 (netbios-ssn).

Now I'm going into the OS fingerprinting phase. To do this I used the p0f tool (passive OS fingerprinting, http://lcamtuf.coredump.cx/p0f.shtml).

============================================================================================================
foo-mac:puzzle4 edelfa$ p0f -s ./evidence04.pcap -qlUNMCA 'host 10.42.42.50' | head -n 1
[+] Signature collision check successful.
10.42.42.50:139 - Windows 2000 SP4
foo-mac:puzzle4 edelfa$ p0f -s ./evidence04.pcap -qlUNMCR 'host 10.42.42.25' | head -n 1
[+] Signature collision check successful.
10.42.42.25:80 - FreeBSD 4.8
foo-mac:puzzle4 edelfa$ p0f -s ./evidence04.pcap -qlUNMCR 'host 10.42.42.56' | head -n 1
[+] Signature collision check successful.
10.42.42.56:80 - Linux recent 2.4
============================================================================================================

Apple's operating system was developed on the Mach kernel and BSD, so it is reasonable to say that 10.42.42.25 (fingerprinted as FreeBSD) is the Apple system, and 10.42.42.50 obviously is the Windows system.

Again with the nfestats.py script, I'm going to look at the MAC address of the Apple system. (The -m option means that I want to see MAC addresses instead of IP addresses.)

============================================================================================================
foo-mac:puzzle4 edelfa$ ./nfestats.py -r evidence04.pcap -s 10.42.42.253 -d 10.42.42.25 -mf 0x2
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7
00:34:07.564252 (603 seg) TCP 00:23:8b:82:1f:4a <=> 00:16:cb:92:6e:dc S/3400 : 3400
Analysis started at 2010-03-07 19:08:29.615413 and ended at 2010-03-07 19:08:30.237147, stats calculated in 0:00:00.621734
============================================================================================================

Now for the IP address 10.42.42.25 I also know its Ethernet address: AppleCom_92:6e:dc (00:16:cb:92:6e:dc).

And finally, the reconstruction phase. In this phase I used manual searching mixed with the Snort IDS to get an idea of what is going on with the port scans launched by Mr. X. First, I used Snort to see whether the evidence contains any known port-scan software signatures.

============================================================================================================
foo-mac:puzzle4 edelfa$ sudo snort -c /etc/snort/snort.conf -r evidence04.pcap -q
foo-mac:puzzle4 edelfa$ sudo grep "SCAN" /var/log/snort/alert
[**] [1:2009582:1] ET SCAN NMAP -sS window 1024 [**]
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP][Xref => http://doc.emergingthreats.net/2000537]
...
============================================================================================================

Using Snort I found many alerts like the one above, with different window values (1024, 3072, 2048 and 4096), so it is definitely the nmap port scanner. Then, searching for variations in timestamp deltas, TCP flag patterns and target IP address patterns, I found that:

TCP Connect scan from frames 1-4598, without port specification and with targets .50, .56 and .25 (TCP SYN ping to port 80):
    nmap -PS80 -sT 10.42.42.50,56,25

TCP SYN scan from frames 4599-6727, without host discovery, against the 10.42.42.25 target:
    nmap -P0 -F -sS 10.42.42.25

Service detection scan from frames 6728-13567, with insane timing and again without host discovery:
    nmap -T5 -P0 -sV 10.42.42.25,50,56

OS fingerprinting of all three hosts on ports 1 and 135, from frames 13568-13626:
    nmap -p 1,135 -O 10.42.42.25,50,56
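As an added defensive illustration (my own code, not the Emerging Threats rule and not part of the original write-up), this Python sketch approximates what those ET SCAN NMAP -sS alerts key on, SYN-only segments whose TCP window is one of the four values seen above (1024, 2048, 3072, 4096), and adds a rate condition so that one odd client does not fire it. The SYN records are constructed, not frames from evidence04.pcap.

```python
from collections import defaultdict

# Window sizes named in the ET SCAN NMAP -sS alerts above; as the write-up
# observed, all four of them show up in the nmap SYN probes of this capture.
NMAP_SYN_WINDOWS = {1024, 2048, 3072, 4096}

# Constructed SYN-only records: (timestamp, src, dst, dport, tcp_window). Not frames
# from evidence04.pcap: 10.42.42.253 sweeps 40 ports, 10.42.42.50 is a normal client.
SAMPLE = (
    [(100.0 + i * 0.01, "10.42.42.253", "10.42.42.25", 1 + i, (1024, 2048, 3072, 4096)[i % 4])
     for i in range(40)]
  + [(100.5, "10.42.42.50", "10.42.42.25", 80, 65535),
     (130.0, "10.42.42.50", "10.42.42.25", 443, 65535)]
)

def syn_scan_alerts(syns, span=10.0, min_ports=20):
    """One alert per source that sends SYNs with an nmap-typical window to at least
    `min_ports` distinct (host, port) targets inside some `span`-second window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, win in sorted(syns):
        if win in NMAP_SYN_WINDOWS:          # the signature part
            by_src[src].append((ts, dst, dport, win))
    alerts = []
    for src, probes in by_src.items():     # the rate part: sliding time window
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > span:
                start += 1
            seen = probes[start:end + 1]
            targets = {(d, p) for _t, d, p, _w in seen}
            if len(targets) >= min_ports:
                alerts.append({"src": src, "first": seen[0][0], "last": seen[-1][0],
                               "ports": len(targets), "windows": sorted({w for *_, w in seen})})
                break                        # report each source once
    return alerts
```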