
| Subject: | [Snort-sigs] Sid 2123 |
|---|---|
| Date: | Fri, 17 Feb 2006 15:24:24 -0800 |
I was playing around with metasploit running successful attacks and getting a cmd shell on Windows. The rules I was evaluating were triggering fine but I never once got any info that a cmd.exe banner had been seen. Here is the rule in the Attack Response ruleset that I have active.

```
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3;)
```

Here is a breakdown of the relevant network traffic:

```
0000  00 0e 9b 16 3e 46 00 d0 b7 3c c5 12 08 00 45 00   ....>F...<....E.
0010  00 5b 21 a3 40 00 80 06 80 4a ac 15 00 44 ac 15   .[!.@....J...D..
0020  00 41 11 5c 85 19 39 65 83 3a 45 90 53 79 80 18   .A.\..9e.:E.Sy..
0030  fa f0 bc 1f 00 00 01 01 08 0a 00 14 d6 a7 00 bd   ................
0040  b8 23 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64   .#Microsoft Wind
0050  6f 77 73 20 58 50 20 5b 56 65 72 73 69 6f 6e 20   ows XP [Version 
0060  35 2e 31 2e 32 36 30 30 5d                        5.1.2600]

0000  00 0e 9b 16 3e 46 00 d0 b7 3c c5 12 08 00 45 00   ....>F...<....E.
0010  00 75 21 a4 40 00 80 06 80 2f ac 15 00 44 ac 15   .u!.@..../...D..
0020  00 41 11 5c 85 19 39 65 83 61 45 90 53 79 80 18   .A.\..9e.aE.Sy..
0030  fa f0 12 51 00 00 01 01 08 0a 00 14 d6 a7 00 bd   ...Q............
0040  b8 4c 0d 0a 28 43 29 20 43 6f 70 79 72 69 67 68   .L..(C) Copyrigh
0050  74 20 31 39 38 35 2d 32 30 30 31 20 4d 69 63 72   t 1985-2001 Micr
0060  6f 73 6f 66 74 20 43 6f 72 70 2e 0d 0a 0d 0a 43   osoft Corp.....C
0070  3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d   :\WINDOWS\system
0080  33 32 3e                                          32>
```

So the distance keyword following content:"|28|C|29| Copyright 1985-"; would cause this rule to never trigger. Now I am using a very old unpatched version of Windows XP. I'm not sure if the cmd.exe has been updated since then and this rule only reflects the current version out there, but I thought I'd bring it up.

// Joel

Joel Ebrahimi
jebrahimi@demarc.com
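As an added illustration (not part of the post above or of the Snort rule set), the following Python emulates the three ordered content matches of sid 2123, including the `distance:0` relative modifier, and runs them over the two TCP payloads transcribed from the hex dump, first per segment and then over the reassembled stream. The payload byte strings are constructed from the dump in the post.

```python
"""Emulate the content/distance chain of Snort sid 2123 over the captured banner."""

# TCP payloads transcribed from the two packets in the post (constructed from the dump).
SEGMENT_1 = b"Microsoft Windows XP [Version 5.1.2600]"
SEGMENT_2 = b"\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"

# The content options of the rule, in order. A 'distance' value means the match
# must begin at least that many bytes after the end of the previous content match;
# None means the content is searched from the start of the payload (non-relative).
SID_2123_CONTENTS = [
    (b"Microsoft Windows", None),
    (b"(C) Copyright 1985-", 0),   # |28|C|29| is "(C)" in Snort hex notation
    (b"Microsoft Corp.", 0),
]


def match_contents(payload: bytes, contents) -> bool:
    """Return True only if every content is found in order, each relative match
    starting at or after (end of previous match + distance)."""
    cursor = 0  # end offset of the previous match
    for pattern, distance in contents:
        start = 0 if distance is None else cursor + distance
        idx = payload.find(pattern, start)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def evaluate_banner(segments):
    """Apply the rule to each segment on its own and to the reassembled stream.

    Returns (list of per-segment results, result on the concatenated payload).
    """
    per_segment = [match_contents(seg, SID_2123_CONTENTS) for seg in segments]
    reassembled = match_contents(b"".join(segments), SID_2123_CONTENTS)
    return per_segment, reassembled


if __name__ == "__main__":
    per_seg, whole = evaluate_banner([SEGMENT_1, SEGMENT_2])
    print("per-segment:", per_seg)   # [False, False]
    print("reassembled:", whole)     # True
```

No single payload in the capture carries all three contents: "Microsoft Windows" sits in the first segment and both "(C) Copyright 1985-" and "Microsoft Corp." in the second, so the rule can only match on the reassembled stream.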