Anton Chuvakin SANS GIAC GCIH Certification Document
Published by: Dr. Anton Chuvakin on Oct 08, 2009
Copyright: Attribution Non-commercial
GIAC Certified Incident Handler Practical
v.2.1a
February 2003
Anton Chuvakin, Ph.D., GCIA

Option 1: Exploit in Action
"Honeykiddies [1] vs OpenSSL: The Battle at Port 443"

[1] "Script kiddies" as observed in the honeypot
Table of Contents

Executive Summary

Part I: The Exploit
    Introduction
    Vulnerability Name
        CVE
        ICAT
        Other universal vulnerability repositories
        Symantec / SecurityFocus BugTraq
        CERT
        ISS X-Force
    Exploit Name
    Vulnerable OS
    Confirmed Vulnerable OS
    Exploitable Software / OS by This Exploit
    Affected Protocols / Services / Applications
    Brief Vulnerability Description
    Brief Exploit Description
    Exploit Variants
    References
        Nessus scanner database
        Miscellaneous advisories of interest on the vulnerability
        Vulnerability
        Exploit
        Analysis
        Worms

Part II: The Attack
    Introduction
    Description and Diagram of Network
    Protocol Description
    How the Exploit Works
        openssl-too-open.c
    Description and Diagram of the Attack
    Signature of the Attack
        IDS
        Host traces
        Packet dumps
    How to Protect Against It
        Host methods
        Network methods
        Software methods

Part III: Incident Handling Process
    Introduction
    A. Honeypot (Real Scenario): What Happened
        1. Preparation
        2. Identification
        3. Containment
        4. Eradication
        5. Recovery
        6. Lessons Learned
        Appendix A: Honeynet Incident Report
    B. Production System (Imagined Scenario): What Might Have Happened
        Introduction
        1. Preparation
        2. Identification
        3. Containment
        4. Eradication
        5. Recovery
        6. Lessons Learned
        Appendix A: Contents of the Recovered Archive locals.tgz
Executive Summary
This practical describes a vulnerability, the exploit code written for it, the real incident involving that vulnerability and exploit that occurred in a research honeynet, and an imagined scenario of what might have happened had the target been a small company's production environment. The SANS GCIH practical format has been slightly extended to provide more detail and to emphasize the difference between the vulnerability itself and one particular piece of exploit code for it. Additionally, Part III of the practical is split into two sections: the real incident in the honeynet and the imagined scenario in the production network.
 
Part I: The Exploit
Introduction
In this part of the practical, I will describe the exploit code most likely used (openssl-too-open.tar.gz by Solar Eclipse) and the related vulnerability (the OpenSSL SSLv2 master key, or KEY_ARG, buffer overflow) that were involved in the recent honeynet intrusion. [2]

[2] As confirmed to be possible in the email from David Parks
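The defect behind the master key overflow named above, as an added illustration that is not code from this practical, from openssl-too-open, or from OpenSSL itself: an SSLv2 server parses the client's CLIENT-MASTER-KEY message, whose header carries a client-chosen KEY-ARG-LENGTH, and then copies KEY-ARG-DATA into a fixed 8-byte key_arg field of the session structure. The vulnerable parser below trusts that length; the fixed one rejects anything longer than the field before copying. The message layout (type byte, 3-byte CIPHER-KIND, three 2-byte big-endian lengths, then the three data fields) follows the SSLv2 specification; the `session` struct, the 64-byte `mem` stand-in that keeps the overrun observable in-process, and the constructed test message are assumptions of this example, not OpenSSL's real structures.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_CLIENT_MASTER_KEY   2
#define CLIENT_MASTER_KEY_HDR   10   /* type(1) + CIPHER-KIND(3) + three 2-byte lengths */
#define SSL_MAX_KEY_ARG_LENGTH  8    /* size of the key_arg field being overflowed */
#define DEMO_MEM_SIZE           64   /* example-only: oversized so the overrun is measurable */

/* Stand-in for the session structure (assumption, not OpenSSL's SSL_SESSION).
 * mem[0..7] plays the role of key_arg; the bytes after it stand for whatever
 * follows key_arg in the real structure. */
struct session {
    unsigned char mem[DEMO_MEM_SIZE];
    unsigned int  key_arg_length;
};

static unsigned int be16(const unsigned char *p)
{
    return ((unsigned int)p[0] << 8) | (unsigned int)p[1];
}

/* Shared parsing: verify the three declared lengths fit in the received message
 * and locate KEY-ARG-DATA. Returns 0 on success, -1 on a malformed message. */
static int locate_key_arg(const unsigned char *msg, size_t msg_len,
                          const unsigned char **karg, unsigned int *karg_len)
{
    if (msg_len < CLIENT_MASTER_KEY_HDR || msg[0] != MSG_CLIENT_MASTER_KEY)
        return -1;
    unsigned int clear_len = be16(msg + 4), enc_len = be16(msg + 6), arg_len = be16(msg + 8);
    if ((size_t)CLIENT_MASTER_KEY_HDR + clear_len + enc_len + arg_len > msg_len)
        return -1;                       /* lengths claim more data than was received */
    *karg     = msg + CLIENT_MASTER_KEY_HDR + clear_len + enc_len;
    *karg_len = arg_len;
    return 0;
}

/* Vulnerable pattern: the client-supplied KEY-ARG-LENGTH is never compared with the
 * size of key_arg, so the copy runs past the field. Returns 0 even after overrunning. */
int parse_client_master_key_vulnerable(struct session *s, const unsigned char *msg, size_t msg_len)
{
    const unsigned char *karg; unsigned int karg_len;
    if (locate_key_arg(msg, msg_len, &karg, &karg_len) != 0)
        return -1;
    if (karg_len > DEMO_MEM_SIZE)
        return -1;                       /* example-only guard: keep the overrun inside mem */
    s->key_arg_length = karg_len;
    memcpy(s->mem, karg, karg_len);      /* karg_len > 8 writes past key_arg */
    return 0;
}

/* Fixed pattern: refuse the message before any copy when KEY-ARG exceeds key_arg.
 * Returns -2 for an oversized KEY-ARG. */
int parse_client_master_key_fixed(struct session *s, const unsigned char *msg, size_t msg_len)
{
    const unsigned char *karg; unsigned int karg_len;
    if (locate_key_arg(msg, msg_len, &karg, &karg_len) != 0)
        return -1;
    if (karg_len > SSL_MAX_KEY_ARG_LENGTH)
        return -2;                       /* KEY-ARG too long: reject, nothing copied */
    s->key_arg_length = karg_len;
    memcpy(s->mem, karg, karg_len);
    return 0;
}

/* Build a CLIENT-MASTER-KEY whose KEY-ARG is karg_len bytes of `fill` (constructed test
 * input; CIPHER-KIND and the key fields are zero placeholders). Returns the message
 * length, or 0 if it does not fit in out_cap. */
size_t build_client_master_key(unsigned char *out, size_t out_cap,
                               unsigned int karg_len, unsigned char fill)
{
    size_t total = (size_t)CLIENT_MASTER_KEY_HDR + karg_len;   /* clear/enc lengths are 0 */
    if (karg_len > 0xFFFF || total > out_cap)
        return 0;
    memset(out, 0, total);
    out[0] = MSG_CLIENT_MASTER_KEY;
    out[8] = (unsigned char)(karg_len >> 8);
    out[9] = (unsigned char)karg_len;
    memset(out + CLIENT_MASTER_KEY_HDR, fill, karg_len);
    return total;
}

/* How many bytes beyond key_arg a parser wrote into the session (0 when intact). */
size_t bytes_written_past_key_arg(const struct session *s)
{
    size_t n = 0;
    for (size_t i = SSL_MAX_KEY_ARG_LENGTH; i < DEMO_MEM_SIZE; i++)
        if (s->mem[i] != 0) n++;
    return n;
}

int main(void)
{
    unsigned char msg[128];
    struct session a, b;
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    size_t len = build_client_master_key(msg, sizeof msg, 24, 0x41);   /* 24 > 8 */
    int rv = parse_client_master_key_vulnerable(&a, msg, len);
    int rf = parse_client_master_key_fixed(&b, msg, len);
    printf("vulnerable: rv=%d, %zu bytes written past key_arg\n", rv, bytes_written_past_key_arg(&a));
    printf("fixed:      rv=%d, %zu bytes written past key_arg\n", rf, bytes_written_past_key_arg(&b));
    return 0;
}
```

The point to take from the pair is that the length check belongs before the copy and must compare against the destination field's size, not against the message length; checking only that the declared lengths fit inside the received record (which both parsers do) is what made the real server "well-formed but exploitable".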