[Snort-sigs] pwdump, l0phtcrack, hash extraction

Abe Use neosporin1v1 at ...12...
Wed Aug 4 13:36:01 EDT 2004


I made these a few months ago. Alerts you when the SAM is a few milliseconds 
from being dumped; these registry entries should be unique to these 
applications/activities, there is room for improvement.
Sorry I never assigned a SID or reference, all rules are rev 1

Be sure to change "tcp any any" and "tcp any 139" to your environment, 
perhaps:
$EXTERNAL_NET any -> $HOME_NET 139

================
#Pwdump3e (eeye) and Pwdump3v2 (l0pht)
# content is UTF-16LE "SOFTWARE\Ebiz\hash" as it appears in the registry request on the wire
alert tcp any any -> any 139 (msg:"EXPLOIT Pwdump3e Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)

#NTDump
# content is UTF-16LE "SOFTWARE\NtDump"
alert tcp any any -> any 139 (msg:"EXPLOIT NTDump Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|";)

# Too late, dll injection has taken place
# content is UTF-16LE "NtDumpSvc.exe"
alert tcp any any -> any 139 (msg:"EXPLOIT NTDump.exe Service Started"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|";)

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net 
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt Sheridan
Sent: Tuesday, July 20, 2004 8:06 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] pwdump, l0phtcrack, hash extraction

I may be missing something obvious - but I can't seem to find a snort sig for
pwdump/3 or any other hash extraction utility. I haven't myself done a packet 
analysis, so it may just be a lack of fingerprint.  I have a secondary 
commercial IDS which does have a signature for pwdump, which indicates some 
matter of identification. If I am missing something out-of-the-box, forgive 
me. Any thoughts?
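The three rules above all work the same way: the registry key path that the tool opens over SMB (port 139) travels as UTF-16LE, so the content match is the key path with a 00 byte after every character. The following script is an added example, not code from the thread or from any of the tools named in it. It decodes the posted content strings back to the key paths they match, generates the same hex notation for any other key path, checks a pattern against a packet payload, and emits a rule in the header form the author suggests ($EXTERNAL_NET any -> $HOME_NET 139). The flow: keyword, the sid values and the sample payloads are assumptions added here; the original rules carry no sid.

```python
import re

# Content strings copied from the three posted rules (hex = UTF-16LE registry path)
PWDUMP3_CONTENT = ("|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 "
                   "45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|")
NTDUMP_CONTENT = ("|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 "
                  "4e 00 74 00 44 00 75 00 6d 00 70 00|")
NTDUMPSVC_CONTENT = ("|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 "
                     "2e 00 65 00 78 00 65 00|")

# Snort content syntax: |hex bytes| blocks, optionally mixed with literal text
_CONTENT_RE = re.compile(r"\|([0-9a-fA-F\s]*)\||([^|]+)")


def decode_snort_hex(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes the detection engine compares."""
    out = bytearray()
    for hexpart, literal in _CONTENT_RE.findall(content):
        # an unmatched group comes back as '', so an empty literal means a hex block
        out += bytes.fromhex(hexpart) if literal == "" else literal.encode("latin-1")
    return bytes(out)


def content_to_text(content: str) -> str:
    """Show which registry path a UTF-16LE content match is looking for."""
    raw = decode_snort_hex(content)
    if len(raw) % 2:
        # the Pwdump3e pattern stops after the low byte of its last character;
        # pad the missing 00 back so the bytes decode cleanly for display
        raw += b"\x00"
    return raw.decode("utf-16-le")


def snort_hex_content(text: str) -> str:
    """Render a string as a |xx xx ...| content match in UTF-16LE, the wire form of registry paths."""
    return "|" + " ".join(f"{b:02x}" for b in text.encode("utf-16-le")) + "|"


def content_matches(content: str, payload: bytes) -> bool:
    """Plain substring check, which is what a content: match without modifiers does."""
    return decode_snort_hex(content) in payload


def build_rule(msg: str, reg_path: str, sid: int) -> str:
    """Emit a rule in the header form the author suggests.

    flow:to_server,established and sid/rev are added here (assumption); the
    posted rules have neither. sid values >= 1000000 are the local-rule range.
    """
    return (f'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"{msg}"; '
            f'flow:to_server,established; content:"{snort_hex_content(reg_path)}"; '
            f'sid:{sid}; rev:1;)')


# Constructed sample payloads (not real captures): a registry path as it would sit
# inside an SMB request, surrounded by filler bytes.
SAMPLE_HIT = b"\x00" * 8 + "SOFTWARE\\Ebiz\\hash".encode("utf-16-le") + b"\x00\x00"
SAMPLE_MISS = b"\x00" * 8 + "SOFTWARE\\Microsoft\\Windows".encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for name, content in (("Pwdump3e", PWDUMP3_CONTENT), ("NTDump", NTDUMP_CONTENT),
                          ("NTDump service", NTDUMPSVC_CONTENT)):
        print(f"{name:15s} matches registry path: {content_to_text(content)}")
    print("pwdump pattern in sample hit :", content_matches(PWDUMP3_CONTENT, SAMPLE_HIT))
    print("pwdump pattern in sample miss:", content_matches(PWDUMP3_CONTENT, SAMPLE_MISS))
    print(build_rule("EXPLOIT NTDump Session Established Reg-Entry", "SOFTWARE\\NtDump", 1000001))
```

Running the script prints the decoded key paths (SOFTWARE\Ebiz\hash, SOFTWARE\NtDump, NtDumpSvc.exe), the hit/miss result for the constructed payloads, and a regenerated NTDump rule whose content string is byte-for-byte the one posted above, which is a quick way to confirm a hand-typed hex pattern before deploying it. Because the match is a bare substring, the same key path sent over port 445 or inside a Unicode-encoded file name would not trigger these rules; that is the room for improvement the author mentions.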
