No. Time Source SrcPort Destination DstPort Length Protocol Info
Raw tcp/445 probe to see if the service is available
1 0.000000 IraqiWorm 2648 NxtVictm 445 62 TCP 2648 > 445 [SYN] Seq=2178295388 Ack=0 Win=16384 Len=0
2 0.410328 NxtVictm 445 IraqiWorm 2648 62 TCP 445 > 2648 [SYN, ACK] Seq=1037301398 Ack=2178295389 Win=17520 Len=0
3 0.410402 IraqiWorm 2648 NxtVictm 445 54 TCP 2648 > 445 [ACK] Seq=2178295389 Ack=1037301399 Win=17520 Len=0
4 0.410650 IraqiWorm 2648 NxtVictm 445 54 TCP 2648 > 445 [FIN, ACK] Seq=2178295389 Ack=1037301399 Win=17520 Len=0
5 0.415573 IraqiWorm 2656 NxtVictm 445 62 TCP 2656 > 445 [SYN] Seq=2178795847 Ack=0 Win=16384 Len=0
6 0.570727 NxtVictm 445 IraqiWorm 2648 60 TCP 445 > 2648 [FIN, ACK] Seq=1037301399 Ack=2178295390 Win=17520 Len=0
7 0.570877 IraqiWorm 2648 NxtVictm 445 54 TCP 2648 > 445 [ACK] Seq=2178295390 Ack=1037301400 Win=17520 Len=0
8 0.596340 NxtVictm 445 IraqiWorm 2656 62 TCP 445 > 2656 [SYN, ACK] Seq=1037396301 Ack=2178795848 Win=17520 Len=0
9 0.596449 IraqiWorm 2656 NxtVictm 445 54 TCP 2656 > 445 [ACK] Seq=2178795848 Ack=1037396302 Win=17520 Len=0
Create Server Message Block (SMB) connection
10 0.596838 IraqiWorm 2656 NxtVictm 445 191 SMB Negotiate Protocol Request
11 0.753791 NxtVictm 445 IraqiWorm 2656 143 SMB Negotiate Protocol Response
12 0.756201 IraqiWorm 2656 NxtVictm 445 222 SMB Session Setup AndX Request
13 0.894800 NxtVictm 445 IraqiWorm 2656 363 SMB Session Setup AndX Response, Error: STATUS_MORE_PROCESSING_REQUIRED
14 0.903829 IraqiWorm 2656 NxtVictm 445 284 SMB Session Setup AndX Request
15 1.037355 NxtVictm 445 IraqiWorm 2656 175 SMB Session Setup AndX Response
Create Null Session to IPC$
16 1.037551 IraqiWorm 2656 NxtVictm 445 152 SMB Tree Connect AndX Request, Path: \\166.82.152.112\IPC$
17 1.192369 NxtVictm 445 IraqiWorm 2656 114 SMB Tree Connect AndX Response
Connect to the \samr named pipe to enumerate system info
18 1.193767 IraqiWorm 2656 NxtVictm 445 154 SMB NT Create AndX Request, Path: \samr
19 1.321313 NxtVictm 445 IraqiWorm 2656 193 SMB NT Create AndX Response, FID: 0x4000
20 1.321704 IraqiWorm 2656 NxtVictm 445 214 DCERPC Bind: call_id: 1 UUID: SAMR
21 1.453809 NxtVictm 445 IraqiWorm 2656 182 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
22 1.454075 IraqiWorm 2656 NxtVictm 445 226 SAMR Connect4 request
23 1.580808 NxtVictm 445 IraqiWorm 2656 162 SAMR Connect4 reply
Get the list of domain names; returned: 'ENG2'
24 1.599591 IraqiWorm 2656 NxtVictm 445 194 SAMR EnumDomains request
25 1.734090 NxtVictm 445 IraqiWorm 2656 254 SAMR EnumDomains reply
Look up the Security Identifier (SID) for 'ENG2'
26 1.735264 IraqiWorm 2656 NxtVictm 445 230 SAMR LookupDomain request
27 1.866274 NxtVictm 445 IraqiWorm 2656 174 SAMR LookupDomain reply
Open that domain
28 1.866612 IraqiWorm 2656 NxtVictm 445 218 SAMR OpenDomain request
29 1.994197 NxtVictm 445 IraqiWorm 2656 162 SAMR OpenDomain reply
List usernames in the domain.
30 1.994557 IraqiWorm 2656 NxtVictm 445 198 SAMR EnumDomainUsers request
31 2.139707 NxtVictm 445 IraqiWorm 2656 302 SAMR EnumDomainUsers reply
Close out of \samr
32 2.140188 IraqiWorm 2656 NxtVictm 445 186 SAMR Close request
33 2.267377 NxtVictm 445 IraqiWorm 2656 162 SAMR Close reply
34 2.267599 IraqiWorm 2656 NxtVictm 445 186 SAMR Close request
35 2.414474 NxtVictm 445 IraqiWorm 2656 162 SAMR Close reply
36 2.414756 IraqiWorm 2656 NxtVictm 445 99 SMB Close Request, FID: 0x4000
37 2.537764 NxtVictm 445 IraqiWorm 2656 93 SMB Close Response
38 2.542438 IraqiWorm 2656 NxtVictm 445 97 SMB Logoff AndX Request
39 2.682570 NxtVictm 445 IraqiWorm 2656 97 SMB Logoff AndX Response
40 2.682793 IraqiWorm 2656 NxtVictm 445 93 SMB Tree Disconnect Request
41 2.805066 NxtVictm 445 IraqiWorm 2656 93 SMB Tree Disconnect Response
42 2.821134 IraqiWorm 2656 NxtVictm 445 54 TCP 2656 > 445 [FIN, ACK] Seq=2178797928 Ack=1037398269 Win=17183 Len=0
43 2.827762 IraqiWorm 2660 NxtVictm 445 62 TCP 2660 > 445 [SYN] Seq=2179553746 Ack=0 Win=16384 Len=0
44 2.941851 IraqiWorm 2656 NxtVictm 445 54 TCP 2656 > 445 [RST] Seq=2178797929 Ack=0 Win=0 Len=0
45 2.963955 NxtVictm 445 IraqiWorm 2656 60 TCP 445 > 2656 [FIN, ACK] Seq=1037398269 Ack=2178797929 Win=16985 Len=0
46 2.964026 IraqiWorm 2656 NxtVictm 445 54 TCP 2656 > 445 [RST] Seq=2178797929 Ack=2178797929 Win=0 Len=0
47 3.009092 NxtVictm 445 IraqiWorm 2660 62 TCP 445 > 2660 [SYN, ACK] Seq=1038055031 Ack=2179553747 Win=17520 Len=0
48 3.009210 IraqiWorm 2660 NxtVictm 445 54 TCP 2660 > 445 [ACK] Seq=2179553747 Ack=1038055032 Win=17520 Len=0
Get another SMB connection
49 3.009463 IraqiWorm 2660 NxtVictm 445 191 SMB Negotiate Protocol Request
50 3.284365 NxtVictm 445 IraqiWorm 2656 60 TCP 445 > 2656 [FIN, ACK] Seq=1037398269 Ack=2178797929 Win=16985 Len=0
51 3.284418 IraqiWorm 2656 NxtVictm 445 54 TCP 2656 > 445 [RST] Seq=2178797929 Ack=2178797929 Win=0 Len=0
52 3.330313 NxtVictm 445 IraqiWorm 2660 143 SMB Negotiate Protocol Response
53 3.333556 IraqiWorm 2660 NxtVictm 445 222 SMB Session Setup AndX Request
54 3.487195 NxtVictm 445 IraqiWorm 2660 363 SMB Session Setup AndX Response, Error: STATUS_MORE_PROCESSING_REQUIRED
55 3.487937 IraqiWorm 2660 NxtVictm 445 372 SMB Session Setup AndX Request
56 3.658971 NxtVictm 445 IraqiWorm 2660 175 SMB Session Setup AndX Response
Create Null Session to IPC$
57 3.659321 IraqiWorm 2660 NxtVictm 445 152 SMB Tree Connect AndX Request, Path: \\166.82.152.112\IPC$
58 3.783845 NxtVictm 445 IraqiWorm 2660 114 SMB Tree Connect AndX Response
Connect to \srvsvc
59 3.785410 IraqiWorm 2660 NxtVictm 445 158 SMB NT Create AndX Request, Path: \srvsvc
60 3.916649 NxtVictm 445 IraqiWorm 2660 193 SMB NT Create AndX Response, FID: 0x4000
61 3.918614 IraqiWorm 2660 NxtVictm 445 214 DCERPC Bind: call_id: 1 UUID: SRVSVC
62 4.062511 NxtVictm 445 IraqiWorm 2660 182 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
Get current Time-of-Day (TOD) from remote
63 4.062821 IraqiWorm 2660 NxtVictm 445 216 SRVSVC NetrRemoteTOD request
64 4.193736 NxtVictm 445 IraqiWorm 2660 194 SRVSVC NetrRemoteTOD reply
65 4.194035 IraqiWorm 2660 NxtVictm 445 99 SMB Close Request, FID: 0x4000
66 4.315161 NxtVictm 445 IraqiWorm 2660 93 SMB Close Response
What the heck, let's try the ADMIN$ share first; we may not even need to brute-force the username list we got.
67 4.315960 IraqiWorm 2660 NxtVictm 445 156 SMB Tree Connect AndX Request, Path: \\166.82.152.112\ADMIN$
68 4.445395 NxtVictm 445 IraqiWorm 2660 120 SMB Tree Connect AndX Response
Yep, we're in.
Push worm.
69 4.445819 IraqiWorm 2660 NxtVictm 445 188 SMB NT Create AndX Request, Path: \system32\iraq_oil.exe
70 4.587690 NxtVictm 445 IraqiWorm 2660 193 SMB NT Create AndX Response, FID: 0x4001
71 4.606496 IraqiWorm 2660 NxtVictm 445 142 SMB Transaction2 Request SET_FILE_INFORMATION, FID: 0x4001
72 4.757555 NxtVictm 445 IraqiWorm 2660 118 SMB Transaction2 Response SET_FILE_INFORMATION
73 4.772114 IraqiWorm 2660 NxtVictm 445 1514 SMB Write AndX Request, FID: 0x4001
74 4.772169 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
75 4.772215 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
76 4.772260 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
77 4.772304 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
78 4.772351 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
79 4.772395 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
80 4.772439 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
81 4.772485 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
82 4.772530 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
83 4.772574 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
84 4.772625 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
85 5.002812 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179558183 Win=17520 Len=0
86 5.002921 IraqiWorm 2660 NxtVictm 445 1514 NBSS Session message
87 5.002957 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
88 5.049098 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179559643 Win=16060 Len=0
89 5.050922 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179559643 Win=17520 Len=0
90 5.051004 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
91 5.145532 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179562563 Win=17520 Len=0
92 5.145635 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
93 5.145667 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
94 5.242139 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179565483 Win=17520 Len=0
95 5.242210 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
96 5.242243 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
97 5.337532 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179568403 Win=17520 Len=0
98 5.337606 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
99 5.337637 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
100 5.433758 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179571323 Win=17520 Len=0
101 5.433829 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
102 5.433861 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
103 5.528650 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
104 5.528736 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
105 5.528772 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
106 5.578056 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
107 5.625769 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
108 5.625841 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
109 5.673540 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
110 5.673609 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
111 5.720588 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
112 5.767480 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
113 5.815158 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
114 5.862426 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
115 5.909257 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
116 5.956732 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
117 6.004460 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
118 6.051136 NxtVictm 445 IraqiWorm 2660 66 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179574243 Win=17520 Len=0
119 6.099009 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179591763 Win=17520 Len=0
120 6.099123 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
121 6.099155 IraqiWorm 2660 NxtVictm 445 1514 NBSS NBSS Continuation Message
122 6.099170 IraqiWorm 2660 NxtVictm 445 202 NBSS NBSS Continuation Message
123 6.266446 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179593223 Win=17520 Len=0
124 6.321233 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056326 Ack=2179596143 Win=17520 Len=0
125 6.328163 NxtVictm 445 IraqiWorm 2660 105 SMB Write AndX Response, FID: 0x4001
126 6.328503 IraqiWorm 2660 NxtVictm 445 174 SMB Transaction2 Request SET_FILE_INFORMATION, FID: 0x4001
127 6.454975 NxtVictm 445 IraqiWorm 2660 118 SMB Transaction2 Response SET_FILE_INFORMATION
128 6.455324 IraqiWorm 2660 NxtVictm 445 99 SMB Close Request, FID: 0x4001
129 6.581852 NxtVictm 445 IraqiWorm 2660 93 SMB Close Response
Now call the 'at' service (atsvc) so we can use the Task Scheduler to invoke the worm; set the schedule time to the TOD fetched above plus 1 minute.
130 6.583034 IraqiWorm 2660 NxtVictm 445 156 SMB NT Create AndX Request, Path: \atsvc
131 6.709771 NxtVictm 445 IraqiWorm 2660 193 SMB NT Create AndX Response, FID: 0x4002
132 6.710112 IraqiWorm 2660 NxtVictm 445 214 DCERPC Bind: call_id: 1 UUID: 1ff70682-0a51-30e8-076d-740be8cee98b ver 1.0
133 6.845806 NxtVictm 445 IraqiWorm 2660 182 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
134 6.846032 IraqiWorm 2660 NxtVictm 445 272 DCERPC Request: call_id: 1 opnum: 0 ctx_id: 0
135 7.167597 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [ACK] Seq=1038056747 Ack=2179596936 Win=16727 Len=0
136 7.445635 NxtVictm 445 IraqiWorm 2660 146 DCERPC Response: call_id: 1 ctx_id: 0
137 7.462768 IraqiWorm 2660 NxtVictm 445 99 SMB Close Request, FID: 0x4002
138 7.600106 NxtVictm 445 IraqiWorm 2660 93 SMB Close Response
139 7.604722 IraqiWorm 2660 NxtVictm 445 93 SMB Tree Disconnect Request
140 7.728221 NxtVictm 445 IraqiWorm 2660 93 SMB Tree Disconnect Response
141 7.848570 IraqiWorm 2660 NxtVictm 445 54 TCP 2660 > 445 [ACK] Seq=2179597020 Ack=1038056917 Win=17222 Len=0
142 15.359300 IraqiWorm 2660 NxtVictm 445 93 SMB Tree Disconnect Request
143 15.483730 NxtVictm 445 IraqiWorm 2660 93 SMB Tree Disconnect Response
144 15.483871 IraqiWorm 2660 NxtVictm 445 97 SMB Logoff AndX Request
145 15.605630 NxtVictm 445 IraqiWorm 2660 97 SMB Logoff AndX Response
146 15.610017 IraqiWorm 2660 NxtVictm 445 54 TCP 2660 > 445 [FIN, ACK] Seq=2179597102 Ack=1038056999 Win=17140 Len=0
147 15.751681 NxtVictm 445 IraqiWorm 2660 60 TCP 445 > 2660 [FIN, ACK] Seq=1038056999 Ack=2179597103 Win=16561 Len=0
148 15.751825 IraqiWorm 2660 NxtVictm 445 54 TCP 2660 > 445 [ACK] Seq=2179597103 Ack=1038057000 Win=17140 Len=0
Lesson over: Win2K hacked in 15.75 seconds or less
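As an added defender's example (not part of the original capture), this Python script parses summary lines in the layout above and flags, per TCP flow, the two patterns the annotations walk through: an IPC$ tree connect followed by SAMR user enumeration, and an executable created over ADMIN$ followed by a bind to the Task Scheduler (atsvc) interface. The sample lines are constructed from the capture; the step names and verdict strings are my own.

```python
import re
from collections import defaultdict
# Constructed sample in the summary-line layout of the capture above (hostnames, paths and UUID copied from it).
SAMPLE = r"""
16 1.037551 IraqiWorm 2656 NxtVictm 445 152 SMB Tree Connect AndX Request, Path: \\166.82.152.112\IPC$
30 1.994557 IraqiWorm 2656 NxtVictm 445 198 SAMR EnumDomainUsers request
57 3.659321 IraqiWorm 2660 NxtVictm 445 152 SMB Tree Connect AndX Request, Path: \\166.82.152.112\IPC$
67 4.315960 IraqiWorm 2660 NxtVictm 445 156 SMB Tree Connect AndX Request, Path: \\166.82.152.112\ADMIN$
69 4.445819 IraqiWorm 2660 NxtVictm 445 188 SMB NT Create AndX Request, Path: \system32\iraq_oil.exe
132 6.710112 IraqiWorm 2660 NxtVictm 445 214 DCERPC Bind: call_id: 1 UUID: 1ff70682-0a51-30e8-076d-740be8cee98b ver 1.0
"""
ATSVC_UUID = "1ff70682-0a51-30e8-076d-740be8cee98b"  # Task Scheduler (atsvc) RPC interface
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

STEPS = [  # (step name, predicate over (protocol, info)); the first match wins
    ("ipc_tree_connect", lambda p, i: "Tree Connect AndX Request" in i and i.endswith("\\IPC$")),
    ("samr_user_enum",   lambda p, i: p == "SAMR" and i.startswith("EnumDomainUsers request")),
    ("admin_share",      lambda p, i: "Tree Connect AndX Request" in i and i.endswith("\\ADMIN$")),
    ("exe_create",       lambda p, i: "NT Create AndX Request" in i and i.lower().endswith(".exe")),
    ("atsvc_bind",       lambda p, i: p == "DCERPC" and i.startswith("Bind") and ATSVC_UUID in i),
]

def parse_summary(line):
    """Return ((src, sport, dst, dport), protocol, info) for one summary line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, src, sport, dst, dport, _, proto, info = m.groups()
    return (src, int(sport), dst, int(dport)), proto, info

def classify(proto, info):
    """Map one packet's Protocol/Info columns to a step of the pattern, or None."""
    return next((name for name, pred in STEPS if pred(proto, info)), None)

def analyze(lines):
    """Record the steps seen per TCP flow, in arrival order, and flag completed patterns."""
    steps = defaultdict(list)
    for line in lines:
        parsed = parse_summary(line)
        if parsed and (step := classify(*parsed[1:])) and step not in steps[parsed[0]]:
            steps[parsed[0]].append(step)
    verdicts = {}
    for flow, seq in steps.items():
        # Order matters: share mounted, binary created, then the scheduler interface bound.
        pos = [seq.index(s) for s in ("admin_share", "exe_create", "atsvc_bind") if s in seq]
        if len(pos) == 3 and pos == sorted(pos):
            verdicts[flow] = "HIGH: executable created via ADMIN$, then Task Scheduler (atsvc) bound"
        elif {"ipc_tree_connect", "samr_user_enum"} <= set(seq):
            verdicts[flow] = "MEDIUM: IPC$ tree connect followed by SAMR user enumeration"
    return verdicts
```

Run it as `analyze(SAMPLE.strip().splitlines())`; a flow with the atsvc bind before the ADMIN$ drop is not rated HIGH, since the steps must appear in the order the capture shows.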