Sunday, February 28, 2010

Are you sure you are safe!

When I happen to get a free moment I usually test the outside Sguil and BASE sensors against Metasploit attacks. This time it was a controlled test, with the exploitable box kept secure from the outside world. So with the latest Metasploit in hand I smacked a default Win2k server with no service packs, exposing just port 445. I know what you are thinking: who in their right mind leaves 445 open on the net, and most ISPs filter it anyway. Again, this is just a test, and a simple one that I figured the Sguil sensor would catch... sort of. Why sort of? Well, I did get a few alerts.

NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt
NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt
NETBIOS DCERPC NCACN-IP-TCP umpnpmgr PNP_QueryResConfList attempt
NETBIOS SMB-DS repeated logon failure


To an ordinary user the alerts would look like an SMB attempt, and why would they suspect anything else, since we did leave 445 open? The icing is the fact that I spawned 4 Meterpreter bind sessions just over 445, and what did the IDS have to say about that... not much. I was skipping along getting hash dumps and files. Sure, there was the occasional complaint about shellcode, but if you are not versed in it, it might as well be in a different language. Keep in mind this is just with the default Snort rules and not the Emerging Threats rules.

I also tested this using the Emerging Threats rules and wanted to see how well they would help recognize it. This is at least promising, with a few extra alerts.

ET EXPLOIT x86 JmpCallAdditive Encoder
ET POLICY PE EXE or DLL Windows file download
ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3


This would be enough to tip off anyone that something is awry, and you would be able to correlate the attempt with the ET alerts to validate it. You could also make it easy by tying this all together with some Splunk and NetFlow.
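A small correlation script, added here as an illustration and not part of the original post: it takes the alert messages listed above (in a constructed, simplified layout rather than real Snort output) plus constructed netflow records, and only raises a host from "attempted" to "compromised" when an exploit-attempt alert is joined by post-exploitation evidence such as the ET payload alerts or a heavy flow to a port that was not a service. The IPs, ports, byte counts and thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed alert lines in a simplified "src -> dst:port msg" layout (not real Snort output);
# the messages are those the post lists from the default Snort and Emerging Threats rule sets.
ALERTS = """\
10.0.0.5 -> 10.0.0.20:445 NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt
10.0.0.5 -> 10.0.0.20:445 NETBIOS SMB-DS repeated logon failure
10.0.0.5 -> 10.0.0.20:445 ET EXPLOIT x86 JmpCallAdditive Encoder
10.0.0.5 -> 10.0.0.20:445 ET POLICY PE EXE or DLL Windows file download
10.0.0.5 -> 10.0.0.20:4444 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
10.0.0.9 -> 10.0.0.21:445 NETBIOS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt
"""
# Constructed netflow summary: (src, dst, dst_port, bytes_sent_by_dst). A bind session shows up
# as the attacker connecting to a newly opened port on the victim, with the victim sending data.
FLOWS = [("10.0.0.5", "10.0.0.20", 4444, 1_800_000), ("10.0.0.9", "10.0.0.21", 445, 2_000)]
LINE = re.compile(r"^(\S+) -> (\S+):(\d+) (.+)$")

def stage_of(msg):
    """Map an alert message to the intrusion stage it evidences (None = noise on its own)."""
    if msg.endswith("overflow attempt") or "PNP_QueryResConfList" in msg:
        return "exploit_attempt"
    if msg.startswith("ET EXPLOIT") or "PE EXE or DLL" in msg:
        return "payload_delivery"
    if "Unusual Port" in msg:
        return "session_traffic"
    return None

def correlate(alert_text, flows, service_ports=(445,)):
    """Return {victim_ip: (verdict, stages)} by combining IDS stages with netflow evidence."""
    stages = defaultdict(set)
    for m in map(LINE.match, alert_text.splitlines()):
        if m and stage_of(m.group(4)):
            stages[m.group(2)].add(stage_of(m.group(4)))
    for _src, dst, dport, bytes_back in flows:
        # Traffic to a non-service port with a heavy response is the session the IDS missed
        if dport not in service_ports and bytes_back > 100_000:
            stages[dst].add("session_traffic")
    verdicts = {}
    for victim, seen in stages.items():
        if {"exploit_attempt", "session_traffic"} <= seen:
            verdict = "compromised"
        elif "payload_delivery" in seen:
            verdict = "likely exploited"
        elif "exploit_attempt" in seen:
            verdict = "attempted"
        else:
            verdict = "unexplained session"
        verdicts[victim] = (verdict, seen)
    return verdicts
```

With the constructed data, 10.0.0.20 comes back as compromised while 10.0.0.21, which only drew an overflow-attempt alert and normal 445 traffic, stays at attempted.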
