This will not be very long, nor will I go into excessive detail about the tools and steps required. The purpose of this paper is simply to help you grasp how to track down the Command and Control (C&C) center for a botnet. What you do after that is completely up to you.
Requirements
1) Zombie IP list
2) An SNMP scanner (or a port scanner)
3) Net-snmp (snmpwalk)
4) Previous knowledge of the SNMP protocol is helpful.
5) Your brain.
So what you're basically doing is scanning your list of zombie IP addresses to see which have SNMP open. You can do this with nmap, but remember that SNMP is a UDP service, so you need a UDP scan (i.e.: nmap -sU -sV -iL zombieIPlist -p 161). This takes the IPs from a file called zombieIPlist and checks which hosts have UDP port 161 open. Even though the port is open, that doesn't mean you'll be able to get any info from it without the community string. You can also do this a little easier and more automated with a variety of programs such as:
Code:
Onesixtyone – http://www.phreedom.org/solar/onesixtyone/ (linux)
These programs check a list of IPs to see whether SNMP is open and then try to brute-force the community string (public and private are the most common). Once you have your results of IPs + community strings you can begin to snmpwalk the MIB (Management Information Base). I only snmpwalk the TCP-MIB, since its tcpConnTable has the info we need: every TCP connection the box has, with local and remote address, port and state.
Concentrate on only snmpwalking the Windows boxes from your results, since they seem to be the ones that provide the most useful information. Here is an example of running onesixtyone on a list of zombie IPs to see which ones have SNMP enabled with a community string of either public or private:
dni@logan:~/onesixtyone-0.3.2$ ./onesixtyone -i ../leamington_4-8-07
Scanning 59997 hosts, 2 communities
125.254.130.65 [public] WebCAM Server
218.14.26.91 [public] Unable to decode SNMP packet: unrecognized integer length
218.16.190.44 [public]
218.56.145.194 [public] HOS-GW (version 2.2 Release 02.18.00) Compile time : Aug 24 2004 21:09:22 . BootRom Version: 1.8 Release time at 08:00, 2004/03/18 NetHammer G908: BackBoard Hardware Version 1.30
218.69.216.104 [public] Router
218.75.93.150 [public]
218.202.158.134 [public] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-I-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by cisco Systems, Inc. Compiled Thu 15-Apr-99 15:41 by kpma
86.106.166.97 [public] Hardware: x86 Family 15 Model 4 Stepping 1 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
As we can see, 86.106.166.97 is a Windows box (the agent reports "Windows 2000 Version 5.1", which is the sysDescr string Windows XP's SNMP agent returns; build 2600 is XP) with a community string of public, so let's run snmpwalk on it. Note that net-snmp wants the version and community options before the host:
dni@logan:~$ snmpwalk -v1 -c public 86.106.166.97 tcp
TCP-MIB::tcpRtoAlgorithm.0 = INTEGER: vanj(4)
TCP-MIB::tcpRtoMin.0 = INTEGER: 300 milliseconds
TCP-MIB::tcpRtoMax.0 = INTEGER: 120000 milliseconds
TCP-MIB::tcpMaxConn.0 = INTEGER: -1
TCP-MIB::tcpActiveOpens.0 = Counter32: 12125
TCP-MIB::tcpPassiveOpens.0 = Counter32: 2212
TCP-MIB::tcpAttemptFails.0 = Counter32: 5377
TCP-MIB::tcpEstabResets.0 = Counter32: 3305
TCP-MIB::tcpCurrEstab.0 = Gauge32: 29
TCP-MIB::tcpInSegs.0 = Counter32: 3486328
TCP-MIB::tcpOutSegs.0 = Counter32: 3832754
TCP-MIB::tcpRetransSegs.0 = Counter32: 147401
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.2092 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.6258 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.3898.0.0.0.0.32788 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.5051.0.0.0.0.2208 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.5101.0.0.0.0.2064 = INTEGER: listen(2)
TCP-MIB::tcpConnState.86.106.166.97.135.86.106.166.147.2190 = INTEGER: finWait2(7)
TCP-MIB::tcpConnState.86.106.166.97.135.86.106.166.147.3446 = INTEGER: finWait2(7)
TCP-MIB::tcpConnState.86.106.166.97.139.0.0.0.0.2176 = INTEGER: listen(2)
TCP-MIB::tcpConnState.86.106.166.97.1151.216.155.193.157.5050 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1311.195.160.162.21.6969 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1332.195.160.163.146.411 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1343.68.142.233.170.5061 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1556.208.65.153.253.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1562.193.108.95.105.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1568.72.14.221.99.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1572.217.12.18.73.6667 = INTEGER: established(5)
See this last entry? Bingo! The index of each tcpConnState row is local address, local port, remote address, remote port, so this row says the client 86.106.166.97 (local port 1572) has an established connection to the server 217.12.18.73 on port 6667. 6667 is the standard IRC port, so that's our bot connecting to the Command and Control center, which in this case is an ircd. One host talking to an ircd could just be somebody chatting on IRC; what confirms it as the C&C is seeing the same remote IP and port across many of the zombies, so compare the walks. Once you have your results from onesixtyone or SNScan and have a list of Windows boxes running SNMP with a community string of "public", put all of them in a file and automate your snmpwalking by doing something like:
#!/bin/sh
# Usage: ./script.sh listofIPs
# Walks tcpConnState on every host in the file (one IP per line). The host is
# echoed before its rows so each connection can be attributed to a zombie later.
while read -r i ; do
    [ -n "$i" ] || continue
    echo "$i"
    snmpwalk -Os -v1 -c public -t 2 -r 1 "$i" tcp.tcpConnTable.tcpConnEntry.tcpConnState
done < "$1"
This reads a file full of IPs, one per line, and snmpwalks each one. You run it with:
./script.sh listofIPs
To keep the output for later review, redirect it to a file by adding > fileOut to the command.
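Reviewing that file by eye works for a handful of hosts, but the real signal is the remote IP:port that keeps showing up across many zombies. Here is an added example (not part of the original paper) that parses the saved output of the loop script, decodes the tcpConnState index into local/remote address and port, keeps only established sessions, and counts how many distinct zombies talk to each remote endpoint. The sample input is constructed: the 86.106.166.97 rows mirror the walk above, and the second zombie (192.0.2.10) and its remote 198.51.100.7 are made-up documentation addresses. The IRC port list is a heuristic, not a definition.

```python
import re
from collections import defaultdict

# Constructed sample of what "./script.sh listofIPs > fileOut" produces: a bare
# IP from "echo $i", followed by that host's tcpConnState rows. The first host's
# rows are taken from the walk above; 192.0.2.10 and 198.51.100.7 are invented.
SAMPLE = """\
86.106.166.97
tcpConnState.0.0.0.0.135.0.0.0.0.2092 = INTEGER: listen(2)
tcpConnState.86.106.166.97.135.86.106.166.147.2190 = INTEGER: finWait2(7)
tcpConnState.86.106.166.97.1556.208.65.153.253.80 = INTEGER: established(5)
tcpConnState.86.106.166.97.1572.217.12.18.73.6667 = INTEGER: established(5)
192.0.2.10
TCP-MIB::tcpConnState.192.0.2.10.1044.217.12.18.73.6667 = INTEGER: established(5)
TCP-MIB::tcpConnState.192.0.2.10.1060.198.51.100.7.80 = INTEGER: established(5)
"""

# Ports an ircd is commonly run on (6667 is the standard one). A heuristic only:
# a port number by itself does not prove a connection is C&C traffic.
IRC_PORTS = {6667, 6668, 6669, 7000}
ESTABLISHED = "established"

# tcpConnEntry is indexed by tcpConnLocalAddress.tcpConnLocalPort.
# tcpConnRemAddress.tcpConnRemPort (RFC 2012). Accept both the "-Os" form and
# the full "TCP-MIB::" prefix.
_ROW = re.compile(
    r"^(?:TCP-MIB::)?tcpConnState\."
    r"(?P<laddr>\d+\.\d+\.\d+\.\d+)\.(?P<lport>\d+)\."
    r"(?P<raddr>\d+\.\d+\.\d+\.\d+)\.(?P<rport>\d+)"
    r"\s*=\s*INTEGER:\s*(?P<state>[A-Za-z0-9]+)\((?P<code>\d+)\)"
)
_HOST = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_walk(text):
    """Turn saved loop-script output into a list of connection dicts.

    A bare IP line marks which zombie the following rows belong to; rows that
    do not match the tcpConnState pattern (timeouts, errors) are skipped.
    """
    host, conns = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if _HOST.match(line):
            host = line
            continue
        m = _ROW.match(line)
        if not m:
            continue
        conns.append({
            "host": host,
            "laddr": m["laddr"], "lport": int(m["lport"]),
            "raddr": m["raddr"], "rport": int(m["rport"]),
            "state": m["state"],
        })
    return conns


def established(conns):
    """Drop listeners and half-closed sessions; only live peers matter here."""
    return [c for c in conns
            if c["state"] == ESTABLISHED and c["raddr"] != "0.0.0.0"]


def irc_suspects(conns):
    """(zombie, remote_ip, remote_port) for established sessions to an IRC port."""
    return [(c["host"], c["raddr"], c["rport"])
            for c in established(conns) if c["rport"] in IRC_PORTS]


def rank_remotes(conns):
    """Remote endpoints ordered by how many distinct zombies are connected to them.

    One zombie on an ircd may be a person chatting; the same ip:port shared by
    many zombies is what points at the C&C.
    """
    zombies = defaultdict(set)
    for c in established(conns):
        zombies[(c["raddr"], c["rport"])].add(c["host"])
    return sorted(((ep, len(z)) for ep, z in zombies.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    conns = parse_walk(SAMPLE)
    for z, ip, port in irc_suspects(conns):
        print(f"{z} -> {ip}:{port} (IRC port)")
    for (ip, port), n in rank_remotes(conns):
        print(f"{ip}:{port} seen from {n} zombie(s)")
```

Run it against a real fileOut with `parse_walk(open("fileOut").read())`; the endpoint at the top of rank_remotes with a zombie count well above one is the candidate C&C, and irc_suspects gives you the rows to go back and verify by hand.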
This is not the only way to track down botnets. You can also use a honeypot, or simply run tcpdump or another packet sniffer on a machine that is infected. Make sure you give tcpdump the ASCII flag (-A) so you can read the traffic going back and forth between the server and the infected box; IRC is plain text, so the server, channel and bot commands will be right there in the capture. I'm going to end this paper now…
enjoy…