Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: A packet analysis challenge

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    110

    A packet analysis challenge

    Get as much detail out of this trace as possible. Remember all the answers are there in the
    packets themselves. Also remember Google is your friend!


    13:59:43.833031 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 1233702904:1233702920(16) ack 1469443794 win 65502
    0x0000 4500 0038 92ea 0000 2c06 fdc7 xxxx xxxx E..8....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 cff8 5795 eed2 ..fs....I...W...
    0x0020 5018 ffde bc69 0000 5553 4552 2061 6e6f P....i..USER.ano
    0x0030 6e79 6d6f 7573 0d0a nymous..

    13:59:44.628180 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 16:23(7) ack 31 win 65472
    0x0000 4500 002f 92f5 0000 2c06 fdc5 xxxx xxxx E../....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d008 5795 eef0 ..fs....I...W...
    0x0020 xxxx xxxx 83ba 0000 4357 4420 2f0d 0a P.......CWD./..

    13:59:45.437923 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 23:42(19) ack 75 win 65428
    0x0000 4500 003b 935f 0000 2c06 fd4f xxxx xxxx E..;._..,..O..?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d00f 5795 ef1c ..fs....I...W...
    0x0020 5018 ff94 456f 0000 4445 4c45 202f 316b P...Eo..DELE./1k
    0x0030 6274 6573 742e 7074 660d 0a btest.ptf..

    13:59:46.521105 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 42:50(8) ack 108 win 65395
    0x0000 4500 0030 939a 0000 2c06 fd1f xxxx xxxx E..0....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d022 5795 ef3d ..fs....I.."W..=
    0x0020 5018 ff73 723a 0000 5459 5045 2041 0d0a P..sr:..TYPE.A..

    13:59:48.034855 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 78:97(19) ack 146 win 65357
    0x0000 4500 003b 941b 0000 2c06 fc93 xxxx xxxx E..;....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d046 xxxx xxxx ..fs....I..FW..c
    0x0020 xxxx xxxx 331c 0000 5354 4f52 202f 316b P..M3...STOR./1k
    0x0030 6274 6573 742e 7074 660d 0a btest.ptf..

    13:59:48.985094 212.xxx.xxx.xxx.3486 > 13x.xxx.xxx.xxx.1026: S 1236633085:1236633085(0) ack 1215492453 win 65535 <mss 1460>
    0x0000 4500 002c 944c 0000 2c06 fc71 xxxx xxxx E..,.L..,..q..?q
    0x0010 xxxx xxxx 0d9e 0402 49b5 85fd 4872 f165 ..fs....I...Hr.e
    0x0010 8389 6673 0d9e 0402 49b5 85fd 4872 f165 ..fs....I...Hr.e
    0x0020 6012 ffff 7edd 0000 0204 05b4 0000 `...~.........

    13:59:49.777698 212.xxx.xxx.xxx.3486 > 13x.xxx.xxx.xxx.1026: P 1:1025(1024) ack 1 win 65535
    0x0000 4500 0428 948a 0000 2c06 f837 xxxx xxxx E..(....,..7..?q
    0x0010 xxxx xxxx 0d9e 0402 49b5 85fe 4872 f165 ..fs....I...Hr.e
    0x0020 5018 ffff 5436 0000 7465 7374 7465 7374 P...T6..testtest
    0x0030 7465 7374 7465 7374 7465 7374 7465 7374 testtesttesttest
    0x0040 7465 7374 7465 7374 7465 7374 7465 7374 testtesttesttest
    0x0050 7465 7374 7465 7374 7465 7374 7465 7374 testtesttesttest
    0x0060 7465 7374 7465 7374 7465 testtestte

    13:59:53.067647 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 125:133(8) ack 249 win 65254
    0x0000 4500 0030 95a0 0000 2c06 fb19 xxxx xxxx E..0....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d075 5795 efca ..fs....I..uW...
    0x0020 5018 fee6 71e7 0000 5459 5045 2041 0d0a P...q...TYPE.A..

    13:59:53.761518 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 133:152(19) ack 268 win 65235
    0x0000 4500 003b 95e3 0000 2c06 xxxx xxxx xxxx E..;....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d07d 5795 efdd ..fs....I..}W...
    0x0020 5018 fed3 2ef4 0000 5245 5452 202f 316b P.......RETR./1k
    0x0030 6274 6573 742e 7074 660d 0a btest.ptf..

    13:59:54.002394 212.xxx.xxx.xxx.3487 > 13x.xxx.xxx.xxx.1026: S 1238101234:1238101234(0) ack 3791771758 win 65535 <mss 1460>
    0x0000 4500 002c 95e7 0000 2c06 fad6 xxxx xxxx E..,....,.....?q
    0x0010 xxxx xxxx 0d9f 0402 49cb ecf2 e201 d86e ..fs....I......n
    0x0020 6012 ffff 9738 0000 0204 05b4 0000 `....8........

    13:59:54.708872 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 152:160(8) ack 352 win 65151
    0x0000 4500 0030 95f1 0000 2c06 fac8 xxxx xxxx E..0....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d090 5795 f031 ..fs....I...W..1
    0x0010 8389 6673 0d8b 0015 4988 d090 5795 f031 ..fs....I...W..1
    0x0020 5018 fe7f 71cc 0000 5459 5045 2041 0d0a P...q...TYPE.A..

    13:59:56.046245 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 188:198(10) ack 390 win 65113
    0x0000 4500 0032 95fa 0000 2c06 fabd xxxx xxxx E..2....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d0b4 5795 f057 ..fs....I...W..W
    0x0020 5018 fe59 0a5a 0000 4c49 5354 202d 6c61 P..Y.Z..LIST.-la
    0x0030 0d0a

    13:59:56.949650 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 198:217(19) ack 436 win 65067
    0x0000 4500 003b 95ff 0000 2c06 faaf xxxx xxxx E..;....,.....?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d0be 5795 f085 ..fs....I...W...
    0x0020 5018 fe2b 44c0 0000 4445 4c45 202f 316b P..+D...DELE./1k
    0x0030 6274 6573 742e 7074 660d 0a btest.ptf..




    14:00:12.051944 212.xxx.xxx.xxx.3467 > 13x.xxx.xxx.xxx.21: P 1233703174:1233703191(17) ack 1469444395 win 64901
    0x0000 4500 0039 9647 0000 2c06 fa69 xxxx xxxx E..9.G..,..i..?q
    0x0010 xxxx xxxx 0d8b 0015 4988 d106 5795 f12b ..fs....I...W..+
    0x0020 5018 fd85 7cfa 0000 4445 4c45 202f 7370 P...|...DELE./sp
    0x0030 6163 652e 6173 700d 0a ace.asp..

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    looks like a fun one...I will have to give my answer a bit later though. I have too much work to do today.

    Nice post though don...these are fun

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Don: There are no replies to any of these packets?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    TigerShark, there was I just forgot to go back far enough to include it in this trace. My mistake.
    Sorry about that and any confusion it may have caused.

  5. #5
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    I haven't had time to do any research on the packets, so I'm just going to say what each one is doing from top to bottom:

    1. Anonymous user login to the FTP server
    2. CWD command, which I believe changes the directory to the root dir in this case
    3. Delete btest.ptf, not sure what this file is exactly...
    4. Set upload type to Asciii?!? I'm not totally sure about the TYPE A command
    5. Upload btest.ptf
    6. Looks like the preamble to the actual upload
    7. The contents of the Ascii btest.ptf file
    8. Set download type to Ascii??
    9. Retrieve btest.ptf from the server
    10. Looks to be some sort of preamble for the download
    11. Set type to Ascii again...?
    12. List directory contents
    13. Delete btest.ptf
    14. Delete ace.asp
    \"It\'s only arrogrance if you can\'t back it up, otherwise it is confidence.\" - Me

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Wizeman:

    I have the same as you except - packets 6, 7 & 10 are directed at port 1026, (WinTask) indicating this is a windows box.

    WinTask is the scheduler port that can be exploited, (DOSed), but it requires local access which can be gained through other exploits, so I have no idea why these connections are taking place - they actually would be counterproductive, (of course I am assuming this is a windows box.... With no outbound packets in the dump I have nothing to infer differently).

    Type A is the type setting for ascii transfers though I'm not sure why the command is sent three times since it is supposed to be persistent - it sets a flag.

    Unless I'm wrong the filenames are 1kbtest.ptf and space.asp which googles to:

    http://www.e-secure-db.us/dscgi/ds.p..._signature.txt

    So..... this person is creating the 1kbtest.ptf, (notice please that ptf = ftp backwards), which is probably the second script required by space.asp to view the contents of the drives available. My guess has to be that the attacker already had knowledge of the existence of space.asp on this machine since there is no activity to place it there. Thus he's been here before and either found it there or has placed it himself.

    Then he does his list -la to see the drive contents sorted alphabetically I believe.

    Finally, he cleans up the two files.

    At least..... That's what I'd tell my boss what happened....<s>
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    Indeed this person is creating! You are on the right track now. Keep digging down.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sorry...clicked wrong button....<s> Changed mind a minute later after trying to stop the post...<s>
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Junior Member
    Join Date
    Feb 2003
    Posts
    15
    I too find the "wintask" packets interesting. Notice that both syn packets contain an ack which means this is a responce to something.


    It looks like the attacker is testing the FTP server abilities by uploading and downloading the same file, which points to a pub scanning tool. ( it's a one kilo byte test file ...1KBTEST".. also note the "wintask" packet that contains the string "testtesttesttest" and 1KB of data)


    The deleting of the space.asp file also matches the sig of a pub scanner. (Grim??)


    Thoughts ??
    Ferengi Rules of Acquisition:

    Rule 59 Free advice is seldom cheap.

  10. #10
    Greets guys!!
    Ok, here is my amatuer attempt at analysis. Please bear with me and correct anything that I am remiss on.

    1. Its IPv4 with 20 bytes apiece for TCP/IP
    2. The actual packet length is 56 bytes
    3. This is an unfragmented packet
    4. The TTL is 44
    5. The protocol id is 06 (TCP/IP). Where can i find a listing of the protocol id#'s?
    6. The source port is 3467 and the destination is 21 (ftp)
    7. The 5 in the tcp header indcates that the length is 20 bytes
    8. The next word is 18 which comes to 24 in decimal. I think this means that the urgent flag and ack flags are set but I am not really sure.
    9. The windows size is 65502 but changes for every packet. So this is probably a windows machine based on the fact that it changes.This is not a reliable method because it can be changed by a program rather than the os.

    Thanks guys,

    10Ded
    [glowpurple]www.networksynapse.net[/glowpurple]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •