The Reverse Challenge: Winners Announced

← Back to Stories (view on slashdot.org)

The Reverse Challenge: Winners Announced

Posted by timothy on Sunday July 7, 2002 @02:38PM from the snoitalutargnoc dept.

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

18 of 186 comments (clear)

Min score:

Reason:

Sort:

Fascinating by SpatchMonkey · 2002-07-07 14:43 · Score: 5, Informative

This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.

Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
Oh c'mon... by stirfry714 · 2002-07-07 14:53 · Score: 3, Informative

In response to the people criticizing the information about the protocol used...

Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?

We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...
Protocol 11 information by lingqi · 2002-07-07 14:56 · Score: 4, Informative

P. 11 is RFC 741 - NVP (network voice protocol)
look at it here.

--
My life in the land of the rising sun.
Re:Forgive my naiveness but by GigsVT · 2002-07-07 14:58 · Score: 5, Informative

"Network Voice Protocol"

Your guess is as good as mine, as usual, someone who had no previous clus about nvp will google it and make a +5 informative post, so just wait for that.

As far as blocking it in ipchains,

-A input -s 0/0 -d 0/0 -p 11 -j DROP

--
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Here's the RFC straight from the horse's mouth. by tim0thy · 2002-07-07 15:10 · Score: 2, Informative

http://www.ietf.org/rfc/rfc741.txt
Usefulness of NVM/Port 11 by tim0thy · 2002-07-07 15:13 · Score: 1, Informative

The important design objectives of the Network Voice Protocol (NVP) are:

- Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
- Design such that no system can tie up the resources of another system unnecessarily.
- Avoidance of end-to-end retransmission.
- Separation of control signals from data traffic.
- Separation of vocoding-dependent parts from vocoding-independent parts.
- Adaptation to the dynamic network performance.
- Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
- Independence from lower level protocols.
Re:this one goes to eleven by maunleon · 2002-07-07 15:16 · Score: 2, Informative

I would assume it's NVP (Network Voice Protocol)

See rfc741
Re:Forgive my naiveness but by maunleon · 2002-07-07 15:20 · Score: 2, Informative

See rfc751 for information on NVP (or whatever RFC obsoleted that one, if any). You can probably block it.

To quote...
The Network Voice Protocol (NVP), implemented first in December 1973, and has been in use since then for local and transnet real-time voice communication over the ARPANET at the following sites:
o Information Sciences Institute, for LPC and CVSD, with a
PDP-11/45 and an SPS-41.
o Lincoln Laboratory, for LPC and CVSD, with a TX2 and the
Lincoln FDP, and with a PDP-11/45 and the LDVT.
o Culler-Harrison, Inc., for LPC, with the Culler-Harrison
MP32A and AP-90.
o Stanford Research Institute, for LPC, with a PDP-11/40 and an
SPS-41.
Re:this one goes to eleven by Anonymous Coward · 2002-07-07 15:23 · Score: 1, Informative

I think this may help:

http://www.iana.org/assignments/protocol-numbers
Explanation of "Protocol 11" by josh+crawley · 2002-07-07 15:27 · Score: 4, Informative

Well, what I've pulled from websites and the RFC:

1:It's a protocol. In IP speak, It's under the same secion that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in /etc/protocols . The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's a 8 bit field.

2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.

Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.

Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.
1. Re:Explanation of "Protocol 11" by meanman · 2002-07-07 16:13 · Score: 2, Informative
  
  2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
  
  The winner of the challenge noted in his writeup that 'Protocol 11 is reserved for the Network Voice Protocol (NVP-II, rfc741 for the curious). NVP-II is an old protocol, generally not considered to be in use today.'
  
  Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.
  
  The binary doesn't use protocol 11 for it's DOS attacks, it uses three known attacks - a SYN flood, a 'jolt' attack (microsoft specific) and a DNS request flood. Protocol 11 was only used for communication between the handler and the agent. Try reading the winner's excellent writeup for more information.
2. Re:Explanation of "Protocol 11" by Frater+219 · 2002-07-07 16:21 · Score: 3, Informative
  
  I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
  Taking a look at the RFC might raise some doubts in your mind regarding that belief. This protocol was designed for use with the old ARPANET protocols, which pre-dated IPv4. I'm guessing the only reason there's a code point for it in /etc/protocols is for old, old compatibility reasons, back when ARPANET was migrating from the old protocol to IP.
3. Re:Explanation of "Protocol 11" by jareds · 2002-07-07 16:21 · Score: 3, Informative
  
  2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
  
  Nobody uses it. GSM most certainly does not. I'd be surprised if even a single commercially available webphone uses it.
  
  Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.
  
  This is wrong. The handler sends instructions to the agent via protocol 11. The agent performs traditional DOS attacks. I'm not saying you couldn't flood someone with protocol 11 packets, but that has nothing to do with this tool.
Re:Forgive my naiveness but by elandal · 2002-07-07 15:47 · Score: 4, Informative

It's Network Voice Protocol, and it's safe to block unless You use it (and You should know if You do).

I have default DENY, and specific ACCEPT rules. As everything I do ACCEPT contains a protocol, this means that unknown protocols are denied. For as long as You run only IPv4, no multicast, and so on (like most people do - although IPv6 is gaining), You only need icmp, igmp, tcp, and udp. Read /etc/protocols for mysterious acronyms.

If You default to ACCEPT, or have very broad ACCEPT rules based on just eg. the IP addresses, You can, with ipchains, deny as follows:
ipchains -A input -j DENY -p nvp
Not tested, but should work.
Re:Forgive my naiveness but by mamba-mamba · 2002-07-07 15:51 · Score: 4, Informative

I suggest you read the info on the pages referenced in the top-level post. Here is an excerpt.
Detection
=========

Any network traffic using an unusual protocol should be suspect. This tool
uses protocol 11, but could easily be recompiled to use another protocol.
As protocol 11 is not currently used, any network traffic using this
protocol should be assumed to be communication between handlers and agents
of this tool. The signature for detecting agent / handler communication
was described in the previous section.

Note that the source address of a packet from handler -> agent should not
be assumed to be the actual address of the handler. The source address in
the IP header is most likely to be spoofed. Similarly, data from agent ->
handler is often faked to increase the difficulty of tracing the attacker's
whereabouts.

To hide from casual detection, the agent changes its process name to
[mingetty].
This is the standard getty for RedHat, and Slackware versions pre 7.0.

To detect a running agent on a system, netstat can be used to determine
if any processes are using protocol 11. The following command and
response shows a running agent process.

# netstat -pan | grep raw | grep :11
raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

If found, all instances of mingetty should be killed (to ensure that
children are caught as well). This will kill valid mingetty processes
as well, but they will be respawned by the init process.

# ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

The system should immediately be taken off the network and analysed to
determine how the attacker gained root access.

I don't believe it would do you any harm to block protocol 11. I would recommend that you block all protocols except for udp, icmp, and tcp, while you are at it. In fact, you can probably allow TCP and UDP only if you are a home user. I would just allow ICMP for the hell of it. Just set up a default incoming policy for all packets of "DROP," then accept all TCP packets, or all TCP packets meeting certain criteria, as desired. iptables allows you to specify protocols by number or name in a rule, using the "-p" parameter.
You should be able to block everything except TCP with something like:

iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p TCP -j ACCEPT
if you also want to accept UDP (you do), then add this:
iptables -A INPUT -p UDP -j ACCEPT
for ICMP:
iptables -A INPUT -p ICMP -j ACCEPT
Note that ping, and a variety of other things, use ICMP, so I reccommend that you enable it.
Proper firewall configuration is a complex topic (and I'm not an expert at it). What I have posted above is not intended to create a safe firewall. I am hoping that you can figure the rest out yourself, or modify the above to suit your needs.

I have to run, so good luck.

MM
--

--
By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
Re:Is it really NVP? by Anonymous Coward · 2002-07-07 16:06 · Score: 2, Informative

As far as I can tell, this program doesn't use NVP for attacking, and instead uses it as a covert channel on which it sends instructions to already compromised hosts, such as which host to DOS etc..

As such, as long as routers in general route it (since it's encapsulated in IP, this is not a problem) it doesn't matter that noone's listening to it. An already compromised host will be listening to it, and that's what matters.

Yes that means your correct to say that it's just saying that the packets are #11, while not implementing NVP at all.
About the binary by eaglesnax · 2002-07-07 16:13 · Score: 5, Informative

I participated in the contest, and to answer a few questions:

1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...

2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.

3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.

4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks

I hope that helps

Chris
Re:Forgive my naiveness but by ComputerSlicer23 · 2002-07-07 18:52 · Score: 2, Informative

Hmmm, no, read up on the IP level and try again. UDP/TCP/ICMP aren't the only protocols. There are lots of others, one of them happens to be "NVP" or whatever the hell it is. It is "service 11", as in grep "11" /etc/protocols and you'll see it right there. If you're on a UNIX box when you call socket(), you have to give it a protocol (the third parameter). IP is it's own protocol, and does not need to run TCP or UDP on top of it, you can use it as a transport for anything you want. Normally when you call socket, you tell it the type (the second parameter) and pass zero for the protocol and it does the right thing. However, if you so chose to you could call:
getprotoent() repeatedly
and find the protocol number you want to use.
If I remember correctly, all of the BGP and EGP, and a number of the router protocols speak something besides straight TCP/UDP. It's essentially anything you can do on layer 4 of the OSI network model.
It's not a port. It's not a port. It's not a port. It's a protocol (you know like the "P" in TCP). It isn't TCP, it doesn't need to be dumbed down with an analogy. Lots of plenty intelligent people on slashdot actually understand some of the technology they post on, honest.
You might want to bone up on some basic networking before talking down to a guy who clearly understands piles more about networking then you demonstrated in your previous post. For all I know you're a networking guru, your last post however did not display that very well.
Service 11 (which communicates over both TCP and UDP according to RH 7.2's /etc/service) is systat, which is a good idea to disable as it gives out information about you're machine. So the idea of shutting off port 11 probably isn't a bad one...
Thanks, Kirby
PS: Sorry to post a complete flame, but the people talking about service 11 (NVP), do actually know a lot about what they are talking about. They don't need somebody to beat them with a cluestick about how ports work in TCP, by somebody who seems completely unaware of the fact that protocols besides TCP/UDP/ICMP exist, and that numbers refer to something other then ports.