
Thread: A packet forensics challenge

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    110

    A packet forensics challenge

    Take a look at the traffic below and see if you can figure out what is going on. The IPs are
    of no consequence to the challenge, btw.

    02:07:15.196281 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.929: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20442, len 40)
    0x0000 4500 0028 4fda 0000 2906 6ba6 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 03a1 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 53d9 0000 0233 3503 3xxx P...S....35.11

    02:07:15.196486 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.829: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20443, len 40)
    0x0000 4500 0028 4fdb 0000 2906 6ba5 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 033d 3464 7893 0000 0000 .......=4dx.....
    0x0020 5002 1000 543d 0000 0233 3503 3xxx P...T=...35.11

    02:07:15.196874 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.368: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20444, len 40)
    0x0000 4500 0028 4fdc 0000 2906 6ba4 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 0170 3464 7893 0000 0000 .......p4dx.....
    0x0020 5002 1000 560a 0000 0233 3503 3xxx P...V....35.11

    02:07:15.196994 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.1506: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20445, len 40)
    0x0000 4500 0028 4fdd 0000 2906 6ba3 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 05e2 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 5198 0000 0233 3503 3xxx P...Q....35.11

    02:07:15.197052 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.521: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20446, len 40)
    0x0000 4500 0028 4fde 0000 2906 6ba2 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 0209 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 5571 0000 0233 3503 3xxx P...Uq...35.11

    02:07:15.197112 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.795: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20447, len 40)
    0x0000 4500 0028 4fdf 0000 2906 6ba1 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 031b 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 545f 0000 0233 3503 3xxx P...T_...35.11

    02:07:15.197166 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.192: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20448, len 40)
    0x0000 4500 0028 4fe0 0000 2906 6ba0 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 00c0 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 56ba 0000 0233 3503 3xxx P...V....35.11

    02:07:15.197224 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.386: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20449, len 40)
    0x0000 4500 0028 4fe1 0000 2906 6b9f xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 0182 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 55f8 0000 0233 3503 3xxx P...U....35.11

    02:07:15.197281 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.703: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20450, len 40)
    0x0000 4500 0028 4fe2 0000 2906 6b9e xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 02bf 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 54bb 0000 0233 3503 3xxx P...T....35.11



    02:07:15.197338 xxx.xxx.xxx.xxx.50464 > xxx.xxx.xxx.xxx.1541: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20451, len 40)
    0x0000 4500 0028 4fe3 0000 2906 6b9d xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c520 0605 3464 7893 0000 0000 ........4dx.....
    0x0020 5002 1000 5175 0000 0233 3503 3xxx P...Qu...35.11

    02:07:15.611673 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.929: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20452, len 40)
    0x0000 4500 0028 4fe4 0000 2906 6b9c xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 03a1 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 92aa 0000 0xxx 0233 3203 P........1.32.

    02:07:15.611732 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.829: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20453, len 40)
    0x0000 4500 0028 4fe5 0000 2906 6b9b xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 033d 56e1 1744 0000 0000 .....!.=V..D....
    0x0020 5002 1000 930e 0000 0xxx 0233 3203 P........1.32.

    02:07:15.611960 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.368: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20454, len 40)
    0x0000 4500 0028 4fe6 0000 2906 6b9a xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 0170 56e1 1744 0000 0000 .....!.pV..D....
    0x0020 5002 1000 94db 0000 0xxx 0233 3203 P........1.32.

    02:07:15.612018 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.1506: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20455, len 40)
    0x0000 4500 0028 4fe7 0000 2906 6b99 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 05e2 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 9069 0000 0xxx 0233 3203 P....i...1.32.

    02:07:15.612074 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.521: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20456, len 40)
    0x0000 4500 0028 4fe8 0000 2906 6b98 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 0209 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 9442 0000 0xxx 0233 3203 P....B...1.32.

    02:07:15.612132 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.795: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20457, len 40)
    0x0000 4500 0028 4fe9 0000 2906 6b97 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 031b 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 9330 0000 0xxx 0233 3203 P....0...1.32.

    02:07:15.612188 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.192: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20458, len 40)
    0x0000 4500 0028 4fea 0000 2906 6b96 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 00c0 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 958b 0000 0xxx 0233 3203 P........1.32.

    02:07:15.612247 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.386: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20459, len 40)
    0x0000 4500 0028 4feb 0000 2906 6b95 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 0182 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 94c9 0000 0xxx 0233 3203 P........1.32.



    02:07:15.612304 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.703: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20460, len 40)
    0x0000 4500 0028 4fec 0000 2906 6b94 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 02bf 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 938c 0000 0xxx 0233 3203 P........1.32.

    02:07:15.613428 xxx.xxx.xxx.xxx.50465 > xxx.xxx.xxx.xxx.1541: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20461, len 40)
    0x0000 4500 0028 4fed 0000 2906 6b93 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c521 0605 56e1 1744 0000 0000 .....!..V..D....
    0x0020 5002 1000 9046 0000 0204 05b4 3203 P....F......2.

    02:07:16.170859 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.929: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20462, len 40)
    0x0000 4500 0028 4fee 0000 2906 6b92 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 03a1 3ca2 1dc2 0000 0000 ....."..<.......
    0x0020 5002 1000 a66a 0000 203c 2f74 643e P....j...</td>

    02:07:16.171203 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.829: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20463, len 40)
    0x0000 4500 0028 4fef 0000 2906 6b91 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 033d 3ca2 1dc2 0000 0000 .....".=<.......
    0x0020 5002 1000 a6ce 0000 203c 2f74 643e P........</td>

    02:07:16.171262 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.368: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20464, len 40)
    0x0000 4500 0028 4ff0 0000 2906 6b90 xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 0170 3ca2 1dc2 0000 0000 .....".p<.......
    0x0020 5002 1000 a89b 0000 203c 2f74 643e P........</td>

    02:07:16.17xxx8 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.1506: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20465, len 40)
    0x0000 4500 0028 4ff1 0000 2906 6b8f xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 05e2 3ca2 1dc2 0000 0000 ....."..<.......
    0x0020 5002 1000 a429 0000 203c 2f74 643e P....)...</td>

    02:07:16.171376 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.521: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20466, len 40)
    0x0000 4500 0028 4ff2 0000 2906 6b8e xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 0209 3ca2 1dc2 0000 0000 ....."..<.......
    0x0020 5002 1000 a802 0000 203c 2f74 643e P........</td>

    02:07:16.171501 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.795: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20467, len 40)
    0x0000 4500 0028 4ff3 0000 2906 6b8d xxxx xxxx E..(O...).k..r@J
    0x0010 xxxx xxxx c522 031b 3ca2 1dc2 0000 0000 ....."..<.......
    0x0020 5002 1000 a6f0 0000 203c 2f74 643e P........</td>

    02:07:16.171530 xxx.xxx.xxx.xxx.50466 > xxx.xxx.xxx.xxx.192: S [tcp sum ok] 1017257410:1017257410(0) win 4096 (ttl 41, id 20468, len 40)
    0x0000 4500 0028 4ff4 0000 2906 6b8c 1872 404a E..(O...).k..r@J
    0x0010 8389 fa0a c522 00c0 3ca2 1dc2 0000 0000 ....."..<.......
    0x0020 5002 1000 a94b 0000 0101 080a 0002 P....K........

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    I'm not a specialist in this sort of question. But the repetition of the same patterns, each time modified, makes me guess at a sort of call to a file/program/shell like in the Unicode flaw.
    In this case the sender doesn't know what flaw to use and tries variations of code, hoping one of them will be interpreted and executed by the server.

    But this thesis seems to be invalidated by the variations of port numbers (for the receiver). It's more like a random search (portscanner?).

    hum, I'll search, I'll search....
    Life is boring. Play NetHack... --more--

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    15
    Don,

    I can't give you a straight answer about what is happening, but I noticed a couple of things:

    * SYN-packets are sent to ports on the receiving host, but there is no answer from this host (host down, or is it ignoring the other host/ these ports?)
    * the packets are sent to the same 10 ports in a specific order.
    * this cycle is repeated. Every new cycle, the packets are sent from another port
    * The receiving ports are not used very commonly.

    I would say it is some sort of portscan, but then, why is it only scanning ports that probably are closed because they are not used by commonly used services?

    My guess is that this is one of the tests for an OS-detection, but it might even be some sort of complex handshake or authentication procedure (like Kerberos).

    I hope you will post the answer soon.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Are we to assume that this is a complete packet trace of the event and therefore there are simply no replies from the targeted host?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    You assume correctly. The actual trace is longer than this; however, it just goes along in the
    same vein. No other info of note was sent. There are no definitive answers to this. There are
    probably 1 to 2 probable answers. Look to the metrics, i.e. IP id #'s, TCP seq #'s, the time hacks
    and so on. These should suggest something to you. A specific tool? How was it done? By
    crafting the packets? Or by use of a tool which will do it for you? Is it a specific attack and/or
    scan type? So on and so forth.
    You need to train your mind to look for the answers in the right way. All the info is there in the
    trace.
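    One way to pull the metrics Don points at (IP id, TCP seq, time hacks, port order) out of the posted summary lines, and to decode one of the hex dumps, as an added example that is not part of the thread. The trace and hex dump are constructed from the post with placeholder addresses and two ports per cycle; the anonymised hex words are filled in to match the ASCII column, and the checksum is not recomputed.

```python
import re
from itertools import groupby

# Constructed sample in the shape of the thread's tcpdump lines: two cycles of
# two ports each, addresses replaced by placeholders, IP IDs kept consecutive.
TRACE = """\
02:07:15.196281 10.0.0.1.50464 > 10.0.0.2.929: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20442, len 40)
02:07:15.196486 10.0.0.1.50464 > 10.0.0.2.829: S [tcp sum ok] 878999699:878999699(0) win 4096 (ttl 41, id 20443, len 40)
02:07:15.611673 10.0.0.1.50465 > 10.0.0.2.929: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20444, len 40)
02:07:15.611732 10.0.0.1.50465 > 10.0.0.2.829: S [tcp sum ok] 1457592132:1457592132(0) win 4096 (ttl 41, id 20445, len 40)
"""
# Hex dump of the first packet (placeholder addresses, anonymised words filled
# in from the ASCII column): 46 bytes captured, but the IP header says len 40.
HEXDUMP = """\
0x0000 4500 0028 4fda 0000 2906 6ba6 0a00 0001
0x0010 0a00 0002 c520 03a1 3464 7893 0000 0000
0x0020 5002 1000 53d9 0000 0233 3503 3131
"""
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) \S+\.(\d+) > \S+\.(\d+): S .*?(\d+):\d+\(0\) "
                  r"win \d+ \(ttl (\d+), id (\d+), len (\d+)\)")

def parse(trace):
    """Summary lines -> dicts; wall-clock time converted to seconds."""
    out = []
    for h, m, s, sp, dp, seq, ttl, ipid, ln in LINE.findall(trace):
        out.append({"t": int(h) * 3600 + int(m) * 60 + float(s), "sport": int(sp),
                    "dport": int(dp), "seq": int(seq), "ttl": int(ttl),
                    "ipid": int(ipid), "len": int(ln)})
    return out

def assess(pkts):
    """The metrics the poster points at: IP ID, TCP seq, timing, port order."""
    cycles = [list(g) for _, g in groupby(pkts, key=lambda p: p["sport"])]
    ports = [[p["dport"] for p in c] for c in cycles]
    intra = max(b["t"] - a["t"] for c in cycles for a, b in zip(c, c[1:]))
    r = {"cycles": len(cycles),
         "ipid_plus_one": all(b["ipid"] - a["ipid"] == 1 for a, b in zip(pkts, pkts[1:])),
         "seq_static_in_cycle": all(len({p["seq"] for p in c}) == 1 for c in cycles),
         "seq_new_each_cycle": len({c[0]["seq"] for c in cycles}) == len(cycles),
         "same_port_order": all(pl == ports[0] for pl in ports),
         "max_intra_cycle_gap_s": round(intra, 6)}
    # One counter, one seq per sweep, same port list, sub-millisecond spacing: a tool.
    r["automated"] = (r["ipid_plus_one"] and r["seq_static_in_cycle"]
                      and r["same_port_order"] and intra < 0.001)
    return r

def decode(dump):
    """Decode IP/TCP header words; count bytes captured past the IP total length."""
    raw = bytes.fromhex("".join(w for l in dump.splitlines() for w in l.split()[1:]))
    tcp = raw[(raw[0] & 0xF) * 4:]          # skip the IP header (IHL * 4 bytes)
    be = lambda b: int.from_bytes(b, "big")
    return {"len": be(raw[2:4]), "ipid": be(raw[4:6]), "ttl": raw[8], "proto": raw[9],
            "sport": be(tcp[0:2]), "dport": be(tcp[2:4]), "seq": be(tcp[4:8]),
            "syn_only": tcp[13] == 0x02, "win": be(tcp[14:16]),
            "trailer_bytes": len(raw) - be(raw[2:4])}   # not part of the datagram
```

The decoded header fields match the summary line exactly (50464 > 929, seq 878999699, id 20442, ttl 41, win 4096, SYN only), and the six bytes after the 40-byte datagram are link-layer padding rather than payload.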

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It is a tool-based scan trying to determine the OS of the target (note the timing and sequence IDs - too quick to be manual). Of the ports scanned, several of them are associated with different OSes and devices such as firewalls, routers, VPNs etc.

    In the example trace the packets sent are different on the second scan than on the first, probably trying to invoke some kind of response in a different fashion.

    If I received this scan I would be concerned since it is not a simple scan done by persons of, shall we say, lesser sophistication. It appears to be looking quite specifically at the device in question. I would suggest that the operator is of a more sophisticated nature in so far as he/she is more thoroughly footprinting the host (and probably the network) to determine its exact make-up rather than scanning hosts for some kind of vulnerability.

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    First, I would like to ask where this trace was from. From the host itself or from a sniffer probe sitting on the network. Also could you possibly post an attachment of the trace in tcpdump format so it is easier to analyze. (I don't feel like manually decoding hex)

    I would say this is definitely a port scan of some sort (probably nmap). It is easy to tell it is a port scan with an automated tool because of the static source port from the source host and the incrementing sequence number. I would disagree however that the operator is more sophisticated because of the fact that this is a very "noisy" scan. It is fairly obvious that the intention of the scan was to get it done as fast as possible (since the beginning and the end of the trace are less than 2 seconds apart) instead of using a more stealthy technique.

    Dammit Tiger Shark...I was busy typing my response when you posted....LOL. You beat me to it, but I still disagree that it was a sophisticated user based on the scan because of the technique used. It would be interesting to see what happened previously to this scan, but my guess would be that the attacker probably did a ping sweep (or another method) to find hosts that responded, and then did a port scan on those that were "alive". (Just a guess though).

    These are fun!!!

    I still would prefer it in TCPdump format though.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Invictus: When I referred to the operator as "more sophisticated" I didn't mean they were a L33t H4XX0r....<s> I just don't see this as one of your low level script kiddies even though the scan is automated and utterly without stealth. This person is not looking for a single vulnerability but rather they seem to be making a concerted effort to determine the OS/device type. To me that doesn't point to a skiddie as much as someone who wants information.

    I agree that I would like to see more extensive logs aimed at this target over the previous few days to see how the operator came up with this address - a ping sweep would not necessarily have found this host. I would also like to know if the host is firewalled and what services the firewall allows to this host.

    One more thing - how was the dump generated? IDS outside a firewall, inside a firewall, from the host itself?????

    Ooops.... Inv already asked the last but I couldn't find where.....DUH....<s>

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Well...is there really any evidence that the attacker is trying to determine the OS type?

    And as far as the ping sweep concept I mentioned earlier, as I said, it was merely a guess because I don't know if the host would even reply to an echo request. Once we find out a little more about where the trace was taken from (as we both mentioned) it will be much clearer. If the trace was taken from the same network segment as the victim host, I would definitely say that it is not firewalled (or not very well at least).

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Invictus: Got to rush to a meeting so I'll make this short.....<s>

    Try googling the different port numbers. Those that come back with something sensible give me the impression that the intent is to determine what the target is rather than try to exploit it - the payloads are quite similar on each port....... I would not expect the same exploit to work across so many unassociated ports.
