Botnets Neg9 Hands-On Tutorial

by Javantea aka. Joel R. Voss
Sept 8, 2006
Botnets
Spam Server Analysis
Spam Server Passive/Active Analysis 0.4 [sig]
50 MB of Test Spam [sig]

Neg9 Seattle Flyer

Introduction

At the above Neg9 Seattle meeting (Sept 8, 2006), a group of four Neg9 security researchers gathered to discuss botnets and various other ideas. I, Javantea, led the discussion of botnets, but as expected, the three other participants were far more knowledgeable than I on the topic of botnets. Quite a lot of research, development, and interest is going into botnets currently. This is a very positive note because everyone benefits from better knowledge and control of botnets.

It begs to be said that nothing illegal was done at the Neg9 meeting. Nothing unethical was done at the Neg9 meeting. Polite portscans are legitimate techniques of security researchers and criminals alike. I limited the output of my box to a maximum of 6 packets per second, with 2 packets per second nominal. Connecting to any machine on the internet is legitimate because open ports are public information. Anyone who disagrees is a complete idiot and should go straight to /dev/null.

Methods of Botnets Neg9 Hands-on Tutorial

The hands-on tutorial started with sorting the list of IPs from the spam server analysis. The sort -n and uniq commands were used to retrieve only unique IP addresses. Then I did a simple nmap of all IPs using the Polite timing template (-T2). This was quite slow (600 seconds), but provided all the data that we need for a few targets (59 targets in 3.25 hours). While this ran, I started an nmap ping scan on all targets. This method is identical to the Netmap1 project scan. Once this ping scan was done (2982 targets in 16 minutes), I grepped for targets that were up, revealing 673 targets up. I then started a Netmap1-style port scan, scanning only interesting ports: 21, 22, 23, 25, 37, 53, 80, 113, 135, 139, 443, 445, 1025, 1433, 3306, 3389, 5000, 5800, 5900, 6000, 6881-6889. Each scan took 30-70 seconds, which revealed interesting ports on 240 targets in 2 hours.

This data is collected in the data section. It can also be found in the Spam Server Passive/Active Analysis 0.4 download. The commands used to generate this data are compiled into two scripts. First is the passive analysis, spam3a.sh, which turns a directory of spam e-mails into a file of IP addresses of the spam servers. The second is fuxxor1.sh (apologies for the naming), which takes a list of IPs, runs sort and uniq on it, pings them, and portscans all IPs that are up. It does this silently, so great care must be taken to ensure that the process is doing what it should instead of causing problems.
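As an added example (not the page's spam3a.sh), the passive step written in Python: each relay prepends its own Received: header, so the spam server is the earliest hop whose bracketed address is not one of our own internal relays, and the result is sorted and deduplicated like the sort -n | uniq step. The sample messages, hostnames and the internal-relay ranges are constructed assumptions.

```python
"""Passive spam-source extraction: pull the originating server's IP out of each
message's Received: chain, then sort and deduplicate the result.  Added example
standing in for the page's spam3a.sh; not the author's code."""
import email
import ipaddress
import re

# Relays write the peer address in brackets: "from host (name [1.2.3.4])".
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Internal relay ranges to skip (assumed): our own hops, not the spam server.
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def originating_ip(raw_message):
    """IP of the earliest non-internal hop, or None.  Each relay prepends its
    own Received: header, so the last one in the list is the earliest hop."""
    msg = email.message_from_string(raw_message)
    for received in reversed(msg.get_all("Received", [])):
        for candidate in _BRACKET_IP.findall(received):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. an octet above 255
                continue
            if not any(addr in net for net in _INTERNAL):
                return str(addr)
    return None

def unique_sources(messages):
    """The sort -n | uniq step: unique IPs, ordered numerically by octet."""
    ips = {ip for ip in map(originating_ip, messages) if ip}
    return sorted(ips, key=lambda s: tuple(int(o) for o in s.split(".")))

# Constructed sample messages using documentation address ranges, not real spam.
SAMPLE_SPAM = [
    "Received: from mx.example.net (mx.example.net [192.168.1.10])\n"
    "    by inbox.example.net; Fri, 8 Sep 2006 10:00:00 -0700\n"
    "Received: from pc77 (unknown [203.0.113.77]) by mx.example.net;\n"
    "    Fri, 8 Sep 2006 09:59:58 -0700\n"
    "Subject: cheap meds\n\nbuy now\n",
    "Received: from relay9 (relay9 [198.51.100.9]) by mx.example.net;\n"
    "    Fri, 8 Sep 2006 11:02:13 -0700\n"
    "Subject: win a prize\n\nclick here\n",
    # Same spam server again; its own LAN hop [10.0.0.5] must be skipped.
    "Received: from mx.example.net ([192.168.1.10]) by inbox.example.net\n"
    "Received: from pc77 ([203.0.113.77]) by mx.example.net\n"
    "Received: from [10.0.0.5] by pc77; Fri, 8 Sep 2006 12:29:58 -0700\n"
    "Subject: cheap meds\n\nbuy now\n",
]
INTERNAL_ONLY = "Received: from localhost ([127.0.0.1]) by inbox\n\nhi\n"
```

Running unique_sources over a whole spool gives the same one-IP-per-line file the shell pipeline produces, minus hops that only reflect your own mail infrastructure.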

The next step of the tutorial is to look at the results and find various interesting ports. One randomly selected http port revealed Debian GNU/Linux running Apache 1.3.33 with the generic "It worked" page. FTP on the same box revealed a connection error (although many different things could have caused that error).

Towards the end of the Botnet Tutorial, I stumbled upon several open auth ports (113). I decided to check one with my Ident Protocol Scan. Here is the result and a screenshot:

jvoss@ASLinLt07:~/recent/ident_scan$ python ident_scan.py 210.35.74.43
Received 220 Just Another FBI Honeypot ^^
[Screenshot: ident scan of FBI honeypot]

Not only did this freak us out, it was far too big a coincidence. We had been talking about the FBI and we had contact with the FBI (through Agora) that morning. But who would spit something out like that when you send data on port 113? No one else in the world uses ident_scan. A Google search for that phrase does not turn up any results (it's not a common tool?). The IP address is located in China. So that brought the botnet tutorial to an end.

Data

Raw data can be found in the Spam Server Passive/Active Analysis 0.4 download. Statistical analysis follows. Note that a host's filtered ports are not counted if a majority of its ports are filtered. Note that a host's closed ports are not counted if a majority of its ports are closed.
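An added example, not the page's own analysis script, that produces this kind of per-port tally from nmap grepable (-oG) output and applies the majority rule just stated. The Host: lines are constructed, and treating nmap's collapsed "Ignored State: X (N)" entry as N further ports in that state for the majority test is an assumption made here.

```python
"""Per-port open/filtered/closed tally from nmap grepable (-oG) output, with the
page's rule that a host's filtered (or closed) ports are not counted when a
majority of its scanned ports are in that state.  Added example, not the page's."""
from collections import Counter
import re

_PORT = re.compile(r"(\d+)/(open|filtered|closed)/tcp")
_IGNORED = re.compile(r"Ignored State: (open|filtered|closed) \((\d+)\)")

def host_states(line):
    """Parse one 'Host:' line into ({port: state}, Counter of all states).  Ports
    nmap collapsed into 'Ignored State' have no numbers but count in the total."""
    ports = {int(p): s for p, s in _PORT.findall(line)}
    totals = Counter(ports.values())
    m = _IGNORED.search(line)
    if m:
        totals[m.group(1)] += int(m.group(2))
    return ports, totals

def tally(lines):
    """Return (hosts with port data, {state: Counter(port -> number of hosts)})."""
    counts = {"open": Counter(), "filtered": Counter(), "closed": Counter()}
    hosts = 0
    for line in lines:
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and ping-sweep "Status: Up" lines
        hosts += 1
        ports, totals = host_states(line)
        scanned = sum(totals.values())
        for port, state in ports.items():
            # A mostly-filtered (firewalled) or mostly-closed host says nothing
            # about individual services in that state, so skip those ports.
            if state != "open" and totals[state] * 2 > scanned:
                continue
            counts[state][port] += 1
    return hosts, counts

# Constructed sample in nmap -oG format (documentation addresses), not real data.
SAMPLE_GNMAP = [
    "# Nmap scan of constructed sample hosts",
    "Host: 203.0.113.10 ()\tStatus: Up",
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "25/closed/tcp//smtp///\tIgnored State: filtered (26)",
    "Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http///, 135/filtered/tcp//loc-srv///, "
    "139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-term-serv///\tIgnored State: closed (24)",
    # Five-port scan, 3 of 5 filtered: those three are dropped, 80 and 443 count.
    "Host: 203.0.113.13 ()\tPorts: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, "
    "23/filtered/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///",
]
```

Sorting each Counter by port number reproduces the "Port N: count" layout used in the lists below.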

Open Ports found by Netmap1-style portscan of 240 up targets:
Port 21 FTP: 53
Port 22 SSH: 42
Port 23 Telnet: 28
Port 25 SMTP: 49
Port 37 time: 0
Port 53 dns: 33
Port 80 http: 98
Port 113 auth: 9
Port 135 loc-srv: 14
Port 139 netbios-ssn: 15
Port 443 https: 37
Port 445 microsoft-ds: 12
Port 1025 blackjack: 27
Port 1433 ms-sql-s: 8
Port 3306 mysql: 15
Port 3389 ms-term-serv: 36
Port 5000 UPnP: 14
Port 5800 vnc: 5
Port 5900 vnc: 8
Port 6000 x11: 3
Port 6881-6889 bitTorrent: 0

Open Ports found by Nmap -sT of 10 up targets:
Port 23: 1
Port 80: 2
Port 1025: 3
Port 3001: 1
Port 3005: 1
Port 3306: 1
Port 5000: 2
Port 5631: 1
Port 6346: 1
Port 8080: 1
Port 8081: 1

Filtered Ports found by Netmap1-style portscan of 240 up targets:
Port 21 FTP: 2
Port 22 SSH: 14
Port 23 Telnet: 4
Port 25 SMTP: 5
Port 37 time: 0
Port 53 dns: 1
Port 80 http: 1
Port 113 auth: 1
Port 135 loc-srv: 105
Port 139 netbios-ssn: 95
Port 443 https: 0
Port 445 microsoft-ds: 107
Port 1025 blackjack: 13
Port 1433 ms-sql-s: 5
Port 3306 mysql: 1
Port 3389 ms-term-serv: 4
Port 5000 UPnP: 5
Port 5800 vnc: 1
Port 5900 vnc: 1
Port 6000 x11: 3
Port 6881 bitTorrent: 10
Port 6882 bitTorrent: 9
Port 6883 bitTorrent: 8
Port 6884 bitTorrent: 10
Port 6885 bitTorrent: 7
Port 6886 bitTorrent: 6
Port 6887 bitTorrent: 7
Port 6888 bitTorrent: 6
Port 6889 bitTorrent: 7

Filtered Ports found by Nmap -sT of 10 up targets:
Port 27: 1
Port 128: 1
Port 135: 9
Port 137: 2
Port 138: 2
Port 139: 9
Port 444: 1
Port 445: 9
Port 537: 1
Port 569: 1
Port 593: 2
Port 616: 1
Port 654: 1
Port 1080: 2
Port 1368: 1
Port 1374: 1
Port 1720: 10
Port 2013: 1

Closed ports found by Netmap1-style portscan of 240 up targets:
Port 21: 5
Port 22: 3
Port 23: 3
Port 25: 6
Port 37: 6
Port 53: 9
Port 80: 7
Port 113: 6
Port 135: 0
Port 139: 1
Port 443: 7
Port 445: 0
Port 1025: 2
Port 1433: 2
Port 3306: 1
Port 3389: 4
Port 5000: 4
Port 5800: 6
Port 5900: 7
Port 6000: 3
Port 6881: 0
Port 6882: 0
Port 6883: 0
Port 6884: 0
Port 6885: 0
Port 6886: 1
Port 6887: 1
Port 6888: 0
Port 6889: 1

Closed ports found by Nmap -sT of 10 up targets:
No closed ports found.

Future

Obvious improvements can easily be made to this script, starting with the questions it does not yet answer:

  • Who is naming the server as spam?
  • What is the dns name?
  • What data is the port reporting?

If you are interested in developing Botnet Neg9 Hands-on Tutorial, feel free to e-mail me.
