A quick analysis of the traffic can yield
some important clues that can helpful in determining what might have caused it. For
example, the timestamp fields of this scan reveal that it was automated. This also
indicates that the host "victim.mil" was not part of a larger parallel scan by
"hostile.org". A review of the ports used in this scan show a fixed source port
of 42558 with some minor deviations at the end. The destination ports that were accessed
seem to have a random distribution, again, showing some variation at the end of the
activity. The variation is comprised of a packet with the SYN/FIN/PUSH flags set, followed
by udp datagrams destined for high-numbered ports. The scan concludes by sending several
more SYN packets to a fixed destination port (in this case, port 13).
A New Version of Nmap
The prominent features of the scan discussed in the previous
section indicate an automated process for constructing packets and scanning a target host
with them. We can infer from the widespread incident reporting that the agent is a tool
that is readily available to the hacker community.
The obvious way to begin testing this theory is by looking for scan
tools that produce a similar signature. The question is "What is the tool and what
exactly is it doing?" A search of the exploit archives reveals a release of
"Nmap V2.02" in late December of 1998. The next step in the discovery process is
to use nmap to perform a test on a limited number of ports for a particular machine. Given
the appropriate set of arguments, the resulting pattern (Figure 2, below) correlates
beautifully with the real scan seen in Figure 1.
Timestamp Source
Destination Flag Sequence Numbers Window size
01:41:25.180240 nmap.mil.54548 >
victim.mil.24: S 1301162276:1301162276(0) win 1024
01:41:25.180274 nmap.mil.54548 >
victim.mil.12: S 1301162276:1301162276(0) win 1024
01:41:25.180305 nmap.mil.54548 >
victim.mil.1: S 1301162276:1301162276(0) win 1024
01:41:25.180336 nmap.mil.54548 >
victim.mil.25: S 1301162276:1301162276(0) win 1024
01:41:25.180380 nmap.mil.54548 >
victim.mil.11: S 1301162276:1301162276(0) win 1024
01:41:25.180411 nmap.mil.54548 >
victim.mil.10: S 1301162276:1301162276(0) win 1024
01:41:25.180455 nmap.mil.54548 >
victim.mil.16: S 1301162276:1301162276(0) win 1024
01:41:25.180499 nmap.mil.54548 >
victim.mil.4: S 1301162276:1301162276(0) win 1024
01:41:25.180942 nmap.mil.54548 >
victim.mil.21: S 1301162276:1301162276(0) win 1024
01:41:25.180977 nmap.mil.54548 >
victim.mil.6: S 1301162276:1301162276(0) win 1024
01:41:25.181007 nmap.mil.54548 >
victim.mil.7: S 1301162276:1301162276(0) win 1024
01:41:25.183345 nmap.mil.54548 >
victim.mil.17: S 1301162276:1301162276(0) win 1024
01:41:25.183375 nmap.mil.54548 >
victim.mil.15: S 1301162276:1301162276(0) win 1024
01:41:25.183420 nmap.mil.54548 >
victim.mil.23: S 1301162276:1301162276(0) win 1024
01:41:25.183461 nmap.mil.54548 >
victim.mil.3: S 1301162276:1301162276(0) win 1024
01:41:25.183834 nmap.mil.54548 >
victim.mil.8: S 1301162276:1301162276(0) win 1024
01:41:25.183867 nmap.mil.54548 >
victim.mil.20: S 1301162276:1301162276(0) win 1024
01:41:25.184060 nmap.mil.54548 >
victim.mil.18: S 1301162276:1301162276(0) win 1024
01:41:25.184091 nmap.mil.54548 >
victim.mil.22: S 1301162276:1301162276(0) win 1024
01:41:25.184122 nmap.mil.54548 >
victim.mil.19: S 1301162276:1301162276(0) win 1024
01:41:25.184165 nmap.mil.54548 >
victim.mil.9: S 1301162276:1301162276(0) win 1024
01:41:25.184195 nmap.mil.54548 >
victim.mil.5: S 1301162276:1301162276(0) win 1024
01:41:25.184239 nmap.mil.54548 >
victim.mil.13: S 1301162276:1301162276(0) win 1024
01:41:25.184281 nmap.mil.54548 >
victim.mil.2: S 1301162276:1301162276(0) win 1024
01:41:25.184324 nmap.mil.54548 >
victim.mil.14: S 1301162276:1301162276(0) win 1024
01:41:25.187237 nmap.mil.54555 >
victim.mil.1: S 1815095948:1815095948(0) win 1024
01:41:25.187310 nmap.mil.54557 >
victim.mil.1: SFP 1815095948:1815095948(0) win 1024
01:41:25.187388 nmap.mil.54559 >
victim.mil.40289: S 1815095948:1815095948(0) win 1024
01:41:25.188223 nmap.mil.54548 >
victim.mil.40289: udp 300
01:41:25.402977 nmap.mil.54549 >
victim.mil.1: S 1815095949:1815095949(0) win 1024
01:41:25.413377 nmap.mil.54550 >
victim.mil.1: S 1815095950:1815095950(0) win 1024
01:41:25.433429 nmap.mil.54551 >
victim.mil.1: S 1815095951:1815095951(0) win 1024
01:41:25.453555 nmap.mil.54552 >
victim.mil.1: S 1815095952:1815095952(0) win 1024
01:41:25.473427 nmap.mil.54553 >
victim.mil.1: S 1815095953:1815095953(0) win 1024
01:41:25.493411 nmap.mil.54554 >
victim.mil.1: S 1815095954:1815095954(0) win 1024
(Figure 2. Tcpdump output of nmap test run)
As indicated above, only the correct set of arguments produces this
signature. In an effort to answer the question "Whats going on here?", I
will explain the pertinent arguments used to generate this signature. Of course, other
command line arguments will produce varied, and in some cases, completely different
signatures.
commandline_prompt> ./nmap v sS P0 O p1-25 victim.mil
The sS argument tells nmap to use a SYN half-open stealth scan.
The P0 argument tells nmap not to ping the destination host. Perhaps the most
crucial argument in this example is the O option. This activates the TCP/IP
fingerprinting routines that try to guess what operating system and version the victim
host is running. This operating system identification is responsible for the strange (even
by nmap standards) signature at the end of the scan. Finally the p1-25 tells nmap to
use destination ports one though twenty-five.
Nmap provides a surprising amount of information (using v for
verbose) about the targeted host. Below are the results from the test run of nmap seen in
figure 2.
Starting nmap V. 2.02 by Fyodor ([email protected], insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
Adding TCP port 9 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 25 ports.
For OSScan assuming that port 1 is open and port 35401
is closed and neither are firewalled
Interesting ports on victim.mil (xxx.xxx.xxx.xxx):
Port State Protocol Service
1 open tcp tcpmux
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
22 open tcp unknown
23 open tcp telnet
25 open tcp smtp
TCP Sequence Prediction: Class=64K rule
Difficulty=1 (Trivial joke)
Sequence numbers: 584D7800 584E7200 584F6C00 58506600
58516000 58525A00
Remote operating system guess: IRIX 6.2 - 6.5
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=
148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up)
scanned in 0 seconds
(Figure 3. Nmap output)
The output of a Nmap scan provides crucial information to the hacker.
First, it provides a list of services that are active on the remote host. Second, by
sending invalid tcp packets, nmap performs a TCP stack analysis of the remote system.
Since these anomalous packets are not covered by the RFCs, each operating system handles
them differently. Nmap compares the responses to these packets against an internal
database and provides a best guess as to the operating system and version
number running there. This combination allows the hacker to target the specific
vulnerabilities on a given host, providing a higher success rate and a much lower attack
signature. Finally, Nmap tells the user how difficult tcp sequence number prediction is
for the remote host. This information can be used to target hosts that have a high
potential for session hijacking. Such measures might be employed when a remote system has
no vulnerable services running, or when it is shielded behind a firewall.
Details, Details
The
"Exploits Plus Scan"
As mentioned earlier SHADOW sensors have detected another scan
that appears to be a variation of the random scan detailed above. This scan probes
commonly exploited service ports and concludes with the signature of the fingerprinting
process. Figure 4 is also a sanitized excerpt from a real incident reported by the
SHADOW Team at NSWC, Dahlgren.
Timestamp Source >
Destination Flag Sequence Numbers Window size
01:07:37.870000 hostile.org.23035 >
victim.mil.12345: S 2443641632:2443641632(0) win 512
01:07:37.870000 hostile.org.23053 >
victim.mil.143: S 1849709624:1849709624(0) win 512
01:07:37.870000 hostile.org.23112 >
victim.mil.635: S 1979681472:1979681472(0) win 512
01:07:37.880000 hostile.org.23174 >
victim.mil.53: S 2831594802:2831594802(0) win 512
01:07:37.880000 hostile.org.23225 >
victim.mil.31337: S 200714632:200714632(0) win 512
01:07:38.160000 hostile.org.23243 >
victim.mil.143: S 4224441585:4224441585(0) win 512
01:07:38.160000 hostile.org.23302 >
victim.mil.635: S 3131164300:3131164300(0) win 512
01:07:38.160000 hostile.org.23353 >
victim.mil.53: S 27440843:27440843(0) win 512
01:07:38.460000 hostile.org.23366 >
victim.mil.143: S 2018442450:2018442450(0) win 512
01:07:38.460000 hostile.org.23417 >
victim.mil.635: S 3598088389:3598088389(0) win 512
01:07:38.460000 hostile.org.23430 >
victim.mil.53: S 3603076159:3603076159(0) win 512
01:07:38.790000 hostile.org.23479 >
victim.mil.53: S 942548711:942548711(0) win 512
01:07:38.790000 hostile.org.23497 >
victim.mil.635: S 1558966803:1558966803(0) win 512
01:07:38.800000 hostile.org.23559 >
victim.mil.143: S 1627652454:1627652454(0) win 512
01:07:39.090000 hostile.org.23608 >
victim.mil.53: S 2308481275:2308481275(0) win 512
01:07:39.090000 hostile.org.23610 >
victim.mil.635: S 375730554:375730554(0) win 512
01:07:39.090000 hostile.org.23614 >
victim.mil.143: S 2363444754:2363444754(0) win 512
01:07:39.390000 hostile.org.23623 >
victim.mil.53: S 2983142263:2983142263(0) win 512
01:07:39.390000 hostile.org.23672 >
victim.mil.635: S 2931404189:2931404189(0) win 512
01:07:39.390000 hostile.org.23674 >
victim.mil.143: S 30889188:30889188(0) win 512
01:07:39.720000 hostile.org.35959 >
victim.mil.42721: S 2995015889:2995015889(0) win 4096
01:07:39.730000 hostile.org.35961 >
victim.mil.42721: FP 2995015889:2995015889(0) win 4096 urg 0
01:07:39.730000 hostile.org.35948 >
victim.mil.42721: udp 300
01:07:40.150000 hostile.org.35948 >
victim.mil.42721: udp 300
01:07:42.590000 hostile.org.35959 >
victim.mil.33621: S 495516404:495516404(0) win 4096
01:07:42.590000 hostile.org.35961 >
victim.mil.33621: FP 495516404:495516404(0) win 4096 urg 0
01:07:42.600000 hostile.org.35948 >
victim.mil.33621: udp 300
01:07:43.060000 hostile.org.35948 >
victim.mil.33621: udp 300
01:07:45.340000 hostile.org.35959 >
victim.mil.41663: S 1550032560:1550032560(0) win 4096
01:07:45.340000 hostile.org.35961 >
victim.mil.41663: FP 1550032560:1550032560(0) win 4096 urg 0
01:07:45.350000 hostile.org.35948 >
victim.mil.41663: udp 300
01:07:45.910000 hostile.org.35948 >
victim.mil.41663: udp 300
(Figure 4. Example "Exploits Plus" Scan)
At first glance, this attack bears only a minor semblance to the random
scan activity. Examining the pertinent features of this probe, one might notice several
distinctions. First, exploits plus employs random (within a range) source ports. Second,
as its name implies, this scan focuses on service ports with well-known vulnerabilities.
Third, the sequence numbers appear more realistic, as compared to those in the random
scan. Finally, the end of the scan appears to be three separate OS fingerprinting
attempts.
One might be inclined to think that this is the result of a second
tool. However, by coding a simple shell script with multiple calls to nmap, this signature
can be easily duplicated as shown in the following script:
#!/bin/sh
nmap v -sS -P0 -p12345 victim.mil & # SYN half-open stealth probe for netbus
nmap v -sS -P0 -p143 victim.mil & # SYN half-open stealth probe for imap
nmap v -sS -P0 -p635 victim.mil & # SYN half-open stealth probe for linux mountd
nmap v -sS -P0 -p53 victim.mil & # SYN half-open stealth probe for domain
nmap v -sS -P0 -p31337 victim.mil & # SYN half-open stealth probe for back orifice
nmap v -sS -P0 -p143 victim.mil &
nmap v -sS -P0 -p635 victim.mil &
nmap v -sS -P0 -p53 victim.mil &
nmap v -sS -P0 -p143 victim.mil &
nmap v -sS -P0 -p635 victim.mil &
nmap v -sS -P0 -p53 victim.mil &
nmap v -sS -P0 -p53 victim.mil &
nmap v -sS -P0 -p635 victim.mil &
nmap v -sS -P0 -p143 victim.mil &
nmap v -sS -P0 -p53 victim.mil &
nmap v -sS -P0 -p635 victim.mil &
nmap v -sS -P0 -O -p143 victim.mil & # S h-o probe for imap PLUS OS fingerprinting
When this script is run, tcpdump shows the resulting network traffic. This matches the
detected probe.
Timestamp Source
Destination Flag Sequence Numbers Window size
03:50:28.255696 nmap.mil.58893 >
victim.mil.12345: S 3529719230:3529719230(0) win 4096
03:50:28.255696 nmap.mil.45313 >
victim.mil.635: S 1289452862:1289452862(0) win 4096
03:50:28.255696 nmap.mil.40444 >
victim.mil.143: S 1053163340:1053163340(0) win 4096
03:50:28.265696 nmap.mil.37458 >
victim.mil.53: S 2174813682:2174813682(0) win 4096
03:50:28.285696 nmap.mil.45830 >
victim.mil.143: S 1208327640:1208327640(0) win 4096
03:50:28.295696 nmap.mil.46840 >
victim.mil.53: S 2484113855:2484113855(0) win 4096
03:50:28.295696 nmap.mil.33736 >
victim.mil.31337: S 3316743593:3316743593(0) win 4096
03:50:28.305696 nmap.mil.43105 >
victim.mil.143: S 2743618682:2743618682(0) win 4096
03:50:28.315696 nmap.mil.42914 >
victim.mil.635: S 2564506522:2564506522(0) win 4096
03:50:28.335696 nmap.mil.43127 >
victim.mil.635: S 2522641932:2522641932(0) win 4096
03:50:28.345696 nmap.mil.45102 >
victim.mil.53: S 2127702081:2127702081(0) win 4096
03:50:28.375696 nmap.mil.54256 >
victim.mil.53: S 3126700193:3126700193(0) win 4096
03:50:28.375696 nmap.mil.42342 >
victim.mil.635: S 3932342401:3932342401(0) win 4096
03:50:28.395696 nmap.mil.60042 >
victim.mil.143: S 1863130126:1863130126(0) win 4096
03:50:28.415696 nmap.mil.53612 >
victim.mil.53: S 3665870250:3665870250(0) win 4096
03:50:28.425696 nmap.mil.44699 >
victim.mil.635: S 1882012961:1882012961(0) win 4096
03:50:28.465696 nmap.mil.63497 >
victim.mil.143: S 2634475111:2634475111(0) win 4096
03:50:28.465696 nmap.mil.63508 >
victim.mil.31576: S 3872554032:3872554032(0) win 4096
03:50:28.465696 nmap.mil.63510 >
victim.mil.31576: FP 3872554032:3872554032(0) win 4096
urg 0 03:50:28.465696 nmap.mil.63497 > victim.mil.31576: udp 300
03:50:30.685696 nmap.mil.63508 >
victim.mil.31181: S 229752757:229752757(0) win 4096
03:50:30.685696 nmap.mil.63510 >
victim.mil.31181: FP 229752757:229752757(0) win 4096
urg 0 03:50:30.685696 nmap.mil.63497 > victim.mil.31181: udp 300
03:50:32.905696 nmap.mil.63508 >
victim.mil.30523: S 1585272933:1585272933(0) win 4096
03:50:32.905696 nmap.mil.63510 >
victim.mil.30523: FP 1585272933:1585272933(0) win 4096
urg 0 03:50:32.905696 nmap.mil.63497 > victim.mil.30523: udp 300
(Figure 5. Tcpdump output of the scripted nmap run)
A quick look at the output from the nmap script reveals some
interesting tidbits that help us to understand the resulting network traffic. In the
script, each call to nmap (except the last one) generates a block of output as shown
below:
Starting nmap V. 2.02 by Fyodor ([email protected], insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
The SYN scan took 0 seconds to scan 1 ports.
No ports open for host victim.mil (xxx.xxx.xxx.xxx)
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
This tells us that none of the services that we are looking for are
running on this machine. In contrast, the output from the last call to nmap produces the
following output.
Starting nmap V. 2.02 by Fyodor ([email protected], insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
The SYN scan took 0 seconds to scan 1 ports.
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
No ports open for host victim.mil (xxx.xxx.xxx.xxx)
No OS matches for this host. TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
What we discover is that nmap is unable to find the specified port
open. It tries three times to find an open tcp/udp port for the purposes of fingerprinting
the operating system. This is the activity responsible for the three fingerprinting
signatures at the end of the scan. Finally the fingerprinting attempt fails, reporting
that it was unable to identify the operating system.
If the host had been running the imap service on port 143, the
signature of the scan would have been slightly different, as shown below. For the sake of
brevity, we will only show the output for a successful fingerprint attempt.
In this case, the final output of the nmap script shows the following:
Starting nmap V. 2.02 by Fyodor ([email protected], insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
Adding TCP port 143 (state Open).
The SYN scan took 0 seconds to scan 1 ports.
For OSScan assuming that port 143 is open and
port 32159 is closed and neither are firewalled
Interesting ports victim.mil (xxx.xxx.xxx.xxx):
Port State Protocol Service
143 open tcp imap
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Sequence numbers: 8EE8EDC6 6A9E9A8B DA6DB46D 5D9366 CFE64AAB 4822733B
Remote operating system guess: Linux 2.0.35-36
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
Conclusions
Nmap is a powerful tool that is capable of generating a
multitude of signatures depending on how it is used. However, if we understand the
operation of the tool in general, it is easier to recognize its overall signature in
network traffic. Dissecting the signature into sub-patterns one can differentiate between
fingerprinting attempts that were successful and those that were not. It is important to
understand that we have examined only one of the scan types that nmap can perform, the SYN
half-open stealth scan. Several other scans are supported by Nmap: Tcp connect, FIN, Xmas,
NULL, udp, ping, and even ftp-bounce. Expect to see these in the near future!
The intelligence that can be garnered by using nmap is extensive. It
provides all the information that is needed for a well-informed, full-fledged, precisely
targeted assault on a network. Such an attack would have a high probability of success,
and would likely go unnoticed by organizations that lack intrusion detection capabilities.
Advisory
Now that we understand what is causing the recently detected
traffic patterns, we should avoid becoming complacent. Ive often heard
"Thats just a reset scan" or "Its only a icmp mapping attempt,
whats the harm?". Psychological operations, subterfuge, and decoy mechanisms
are both prevalent and effective modern warfare methods. Information warfare is no
different. The network analyst should always assume that there is more to an incident than
meets the eye.
SHADOW has some evidence that this might indeed be the case in this
latest round of scans. There are known overt organized efforts underway to create a
detailed database of all Internet hosts. Why shouldnt there be underground ones?
Nmap provides many of the tools to make this possible and fairly easy.
In the past the cost of storing such a map was prohibitive, this is no
longer an issue. Even moderately funded groups could undertake such a venture, given the
arrival of 40-gigabyte disk drives that cost less than $2000.
In figure 4, I showed just a minute fraction of the scan reported by
the NSWC SHADOW team. The structure of the actual scan indicates concurrent, cooperating
processes. "Process 1" used the ping scan mode of nmap to create a map of hosts
that responded to the query from our class B network. About half way through the ping
mapping, another process started scanning only the hosts that replied to the
icmp query. This implies that process 1 (the mapping process) was writing a file that
process 2 (the scanning process) was reading, simultaneously. This falls under the
category of "slick time saving" techniques. So, in a matter of less than ten
minutes every machine that would respond to an icmp echo request or tcp ping had been
mapped and its operating system fingerprinted.
Many of the responding systems were infrastructure computers. Since
this class of computer is fairly static on any given network, hackers are willing to
sacrifice an ISP account in order to construct maps that will likely be valid for a long
time. These scans should be taken seriously, and should be considered a strong indication
and warning of future attacks.
There may still be skeptics who think that cost or storage required to
create such a map is insurmountable. Please take a moment to consider the worst case
scenario and "work through the numbers".
Lets begin by determining how much disk space might be required
to store such a map using a non-optimal, brute force method. Ignoring the fact that IANA
has set aside "reserved address blocks", there are 2554 or
4,228,250,625 possible addresses. Each address is a 32-bit representation that can be
stored as an integer. So, storing every possible Internet address would require 4 bytes
(the integer representation) times the 4,228,250,625 possible addresses. This
multiplication yields 16,913,002,500 bytes.
Assume that each of these hosts has an average of 10 tcp and 10 udp
services running and can be mapped. If we store these 20 services as short integers (2
bytes each), then the amount of space required would be 16,913,002,500 bytes times 20
services times 2 bytes or 676,520,100,000 bytes or 645.18 gigabytes. At 40 gigabytes per
disk, it would take 645.18 gigabytes divided by 40 gigabytes per disk, or 17 disk drives.
Seventeen disk drives times $2000 dollars yields a final cost of $34,000. Presupposing we
had a $40,000 budget, this leaves $6000 dollars to buy 4 PCs to house the hard disks.
John Green - Shadow Team Leader NSWC Dahlgren