Attack signatures derived from Metasploit
Final Presentation
E. Ramirez ([email protected]), A. Zoghbi ([email protected])
Institut Eurecom

Post on 14-Jan-2016


Page 1: Attack signatures derived from Metasploit (Final Presentation)

E. Ramirez ([email protected])
A. Zoghbi ([email protected])
Institut Eurecom

Page 2: Outline

Introduction
Project tools and components
– Different tools used.
How it all fits together
– Tools interaction, project schematic.
Initial identification
Detailed operation
Results
– Unmatched clusters
– Matched clusters
Analysis
Conclusion

Page 3: Introduction

Background information
– The Leurrécom database gathers data about attack processes found on the internet.
– The data is presented in 'numerical' form, identifying port attack sequences and grouping them into clusters.
– Clusters are only identified by their port attack sequence.
– Need to 'name' clusters.

Project purpose
– Identify clusters in the Leurrécom database corresponding to released exploits.

Main tools needed
– Metasploit framework for exploit execution.
– Honeyd for data collection.


Page 5: Project tools and components

Metasploit (www.metasploit.org)
– Executes attacks based on exploit files.
– Exploit files are written by individuals and released to the community.
– Metasploit allows us to launch attacks on a dummy station running Honeyd.

Honeyd (www.honeyd.org)
– Emulates different operating systems (WIN98, NT, Linux).
– Acts as an 'attack playground' where attacks and intrusions can be observed.
– Provides a tcpdump of the activity.
– The dump is collected and analyzed.

VMware
– Allows integration of multiple logical stations on one physical machine.


Page 7: How it all fits together

A virtual station runs Metasploit and the honeypots.
Dump data is collected into a trace DB.
The core application analyzes the traces and queries Leurrécom.
Clusters are identified and matched with attacks.


Page 9: Manually identified exploits

Name: Veritas Backup Exec Win Remote File Access
Disclosed: Aug 12 2005
Port seq num: 6101
Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec

Name: Veritas Backup Exec Windows Remote Agent Overflow
Disclosed: Jun 24 2005
Port seq num: 10000
Common use: ndmp (Network Data Management Protocol), Veritas Backup Exec Remote Agent

Name: Microsoft WINS MS04-045 Code Execution
Disclosed: Dec 14 2004
Port seq num: 42
Common use: Windows Internet Naming Service (WINS)


Page 11: Detailed operation

Big picture (schematic)
*Everything on Oracle

Page 12: Detailed operation cont.

Launchattack.pl
– Purpose: obtain the attack signature file
– Input: none
– Output: a binary tcpdump file for each attack
– Operation:
  Query Metasploit for all attacks and payloads
  Start Honeyd
  Launch the attack on each honeypot IP combination
  Stop Honeyd (to release the lock on the log file)
  Save the log file with an appropriate name

Page 13: Detailed operation

Convert_to_text.pl
– Purpose: convert binary tcpdump files to text files for easy parsing
– Input: binary tcpdump files
– Output: text-formatted log files
– Operation:
  For each tcpdump file in a given directory
  Use tethereal -r to read the dump file and generate a text file
  Save the text file in another directory

Page 14: Deep overview cont.

script_clusters_list.pl
– Purpose: obtain the cluster signature file
– Input: Oracle database
– Output: clusters.list
– Operation:
  Query the Oracle database for cluster attributes (port sequence, packets sent, clusterid)
  Compute average and standard deviation
  Create the cluster signature
  Append the signature to the cluster signature file

Example entry:
clusterid=73802 ports=6101 dev1=1 dev2=0 dev3=0 n1=2 n2=0 n3=0

Page 15: Detailed operation

honeyIDS.pm
– Purpose: compare the cluster signature file to the attack signature file
– Input: attack signature list, cluster signature list
– Output: unmatched_clusters.log, matched_clusters.log
– Operation:
  Based on original work by Quang.
  Added a comparison module that reads input files from a directory and compares each attack signature to all cluster signatures
  If a match is found, save the entry in matched_clusters.log
  If no match is found, save the attack signature in unmatched_clusters.log

Page 16: Detailed operation

honeyIDS.pm (continued)

Entry format in unmatched_clusters.log:
attack=backupexec_ns.win32_downloadexec.192.168.1.12.13 ports=6101 T= N=1 n1=0 n2=1 n3=0
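The comparison step of pages 14 to 16 (read cluster signatures and attack signatures, compare every attack against every cluster, split into matched and unmatched), written out as an added Python example. This is not the project's honeyIDS.pm or any code from the slides. The line formats are the two shown on the slides; the match rule (identical port sequence, then every attack packet count n_i within dev_i of the cluster's n_i) and the sample lines are assumptions constructed for the example, not Leurrécom data.

```python
"""Signature matching in the style of the honeyIDS.pm comparison module.

Assumed match rule (not stated on the slides): the port sequence must be
identical, and each attack packet count n_i must lie within dev_i of the
cluster's mean n_i, treating dev_i as the per-port standard deviation that
script_clusters_list.pl computes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input in the slides' line format (not real Leurrécom data).
CLUSTER_LINES = """\
clusterid=73802 ports=6101 dev1=1 dev2=0 dev3=0 n1=2 n2=0 n3=0
clusterid=84041 ports=4105 dev1=0 dev2=0 dev3=0 n1=1 n2=0 n3=0
clusterid=85817 ports=20031 dev1=1 dev2=0 dev3=0 n1=3 n2=0 n3=0
"""

ATTACK_LINES = """\
attack=backupexec_ns.win32_downloadexec.192.168.1.12.13 ports=6101 T= N=1 n1=0 n2=1 n3=0
attack=cacam_logsecurity.win32_bind.192.168.1.12.13 ports=4105 T= N=1 n1=1 n2=0 n3=0
attack=netvault_heap.win32_bind.192.168.1.12.13 ports=20031 T= N=1 n1=2 n2=0 n3=0
attack=ms04_045_wins.win32_bind.192.168.1.12.13 ports=42 T= N=1 n1=1 n2=0 n3=0
"""


@dataclass
class Signature:
    name: str                                # clusterid or attack name
    ports: str                               # port sequence, compared verbatim
    n: Tuple[int, int, int]                  # packet counts for the first three ports
    dev: Tuple[float, float, float] = (0.0, 0.0, 0.0)  # tolerance per port


def parse_fields(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; a bare 'T=' yields an empty value."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_cluster(line: str) -> Signature:
    f = parse_fields(line)
    return Signature(
        name=f["clusterid"],
        ports=f["ports"],
        n=tuple(int(f[k]) for k in ("n1", "n2", "n3")),
        dev=tuple(float(f[k]) for k in ("dev1", "dev2", "dev3")),
    )


def parse_attack(line: str) -> Signature:
    f = parse_fields(line)
    return Signature(
        name=f["attack"],
        ports=f["ports"],
        n=tuple(int(f[k]) for k in ("n1", "n2", "n3")),
    )


def matches(attack: Signature, cluster: Signature) -> bool:
    """Same port sequence and every packet count within the cluster's deviation."""
    if attack.ports != cluster.ports:
        return False
    return all(abs(a - c) <= d for a, c, d in zip(attack.n, cluster.n, cluster.dev))


def compare(attack_lines: str, cluster_lines: str):
    """Return (matched, unmatched). matched pairs each attack name with the ids of
    all clusters it matched; unmatched keeps the raw attack line, as it would be
    written to unmatched_clusters.log."""
    clusters = [parse_cluster(l) for l in cluster_lines.splitlines() if l.strip()]
    matched: List[Tuple[str, List[str]]] = []
    unmatched: List[str] = []
    for line in attack_lines.splitlines():
        if not line.strip():
            continue
        attack = parse_attack(line)
        hits = [c.name for c in clusters if matches(attack, c)]
        if hits:
            matched.append((attack.name, hits))
        else:
            unmatched.append(line)
    return matched, unmatched


def run_example():
    return compare(ATTACK_LINES, CLUSTER_LINES)


if __name__ == "__main__":
    matched, unmatched = run_example()
    for name, ids in matched:
        print("matched  ", name, "->", ",".join(ids))
    for line in unmatched:
        print("unmatched", line)
```

With the assumed rule the slide's own unmatched entry (ports=6101, n1=0) stays unmatched against cluster 73802 (n1=2, dev1=1), while an attack whose counts fall inside the cluster's deviation is written to the matched list. A cluster with a 'popular' port sequence and a large dev_i will absorb many attacks, which is the limitation the conclusion slide points at.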

Page 17: Detailed operation

script_expl_desc.pl
– Purpose: gather information about each exploit (release date, released by, description, ...) for documentation
– Input: Metasploit exploit information
– Output: parsed exploit information
– Operation:
  Execute the msfcli command with the S flag for each attack
  Obtain the information, parse it and store it in exploit_info_<ver>.txt

Page 18: Detailed operation

graph_data.pl
– Purpose: generate match information that can be plotted for better visualization and analysis
– Input: match_clusters.log, exploit description, Oracle database
– Output: graph_data
– Operation:
  For each matched cluster, query the database for ±30 days relative to day 0, the exploit release day
  Calculate the average (avg) and standard deviation (std) of the 61-day series
  If, within a window of ±5 days centered at day 0, there is activity larger than avg + 2*std, then the attack/cluster correlation is strengthened
  Save the cluster and the matched peak date in graph_data
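The confirmation test described above (61-day series around the release day, avg + 2*std threshold, ±5-day window), written out as an added Python example; it is not the project's graph_data.pl. The slides do not say whether the population or sample standard deviation was used; this example uses the population form. The daily counts are constructed for the example and are not Leurrécom data; the release date is the disclosure date of the Veritas Backup Exec remote file access exploit from page 9.

```python
"""Peak confirmation as described for graph_data.pl.

Assumption: population standard deviation (statistics.pstdev). Daily counts
passed in are a dict date -> number of attacks seen on that day; days absent
from the dict count as zero activity.
"""
import statistics
from datetime import date, timedelta
from typing import Dict, Optional

# Disclosure date of the Veritas Backup Exec Win Remote File Access exploit (page 9).
RELEASE_DAY = date(2005, 8, 12)


def daily_series(counts_by_date: Dict[date, int], release_day: date, half_window: int = 30):
    """2*half_window+1 daily counts; index half_window is day 0 (the release day)."""
    return [counts_by_date.get(release_day + timedelta(days=d), 0)
            for d in range(-half_window, half_window + 1)]


def confirm_match(counts_by_date: Dict[date, int], release_day: date,
                  half_window: int = 30, confirm: int = 5, k: float = 2.0) -> dict:
    """Compute avg/std over the whole series and look for a day inside the
    ±confirm window that exceeds avg + k*std. peak_day is None when there is no
    such day, i.e. the match is not strengthened."""
    series = daily_series(counts_by_date, release_day, half_window)
    avg = statistics.fmean(series)
    std = statistics.pstdev(series)
    threshold = avg + k * std
    peak_day: Optional[int] = None
    peak_value: Optional[int] = None
    for offset in range(-confirm, confirm + 1):
        value = series[half_window + offset]
        if value > threshold and (peak_value is None or value > peak_value):
            peak_day, peak_value = offset, value
    return {"avg": avg, "std": std, "threshold": threshold,
            "peak_day": peak_day, "peak_value": peak_value}


def example_counts(release_day: date, spikes: Dict[int, int]) -> Dict[date, int]:
    """Constructed background of 1 to 3 attacks per day over the 61-day window,
    with the given spikes (day offset relative to release -> count) overlaid."""
    counts = {}
    for d in range(-30, 31):
        counts[release_day + timedelta(days=d)] = [1, 2, 3, 2][d % 4]
    for d, value in spikes.items():
        counts[release_day + timedelta(days=d)] = value
    return counts


def spike_case() -> dict:
    """Activity ramps up around day 0: the correlation is strengthened."""
    return confirm_match(example_counts(RELEASE_DAY, {-1: 6, 0: 20, 1: 9}), RELEASE_DAY)


def late_spike_case() -> dict:
    """A burst 12 days after release inflates std but lies outside the ±5 window."""
    return confirm_match(example_counts(RELEASE_DAY, {12: 30}), RELEASE_DAY)


if __name__ == "__main__":
    print("spike near release:", spike_case())
    print("spike outside window:", late_spike_case())
```

Note that the threshold is computed over all 61 days, spikes included, so a single large burst anywhere in the series raises std and makes the ±5-day test stricter; the second case shows a burst that is in the series but not in the window and therefore does not confirm the match.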


Page 20: Results

125 attacks used
11'200 dump files (attack + payload combinations)
3'200 dump files left after discarding 0-byte dump files
95'000 clusters obtained from the Oracle database
~6'000 initial matches
~2'100 unmatched attacks
~500 confirmed matches (activity at or around the exploit release day)


Page 22: Analysis – Manually matched clusters

Name: CA CAM log_security() Stack Overflow (Win32)
Disclosed: Oct 18 2005
Port seq num: 4105
Common use: Computer Associates products (message queuing vulnerabilities)
Clusterid: 84041

Name: BakBone NetVault Remote Heap Overflow
Disclosed: Apr 01 2005
Port seq num: 20031
Common use: overflow vulnerabilities in the BakBone NetVault product
Clusterid: 85817

Name: Veritas Backup Exec Win Remote File Access
Disclosed: Aug 12 2005
Port seq num: 6101
Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec
Clusterid: 73803

Page 23: Analysis

[Figure: "Occurrence of peak attack on cluster relative to exploit release day"; x-axis: Cluster ID (10000 to 100000), y-axis: Day (relative to release day), -6 to 6.]

[Figure: "Number of attacks per day relative to exploit release day"; x-axis: Day (-5 to 5), y-axis: Number of attacks (0 to 60).]

Cluster activity is logically centered around the exploit release date.
Interesting behavior trend.
Occurrence of the peak attack per cluster and per day; used to generate the next graph.


Page 25: Conclusion

Consistent results
– Manually identified clusters appear in the automatically generated matches.
– Cluster peak activity is correctly centered around the vulnerability disclosure date.

Limitations
– 'Popular' port sequences are difficult to match with low-interaction honeypot outputs.

Questions?