[Snort-sigs] FP on BLEEDING-EDGE Pwdump3e Password Hash Retrieval

Eaglesfield, Andy Andy.Eaglesfield at ...2701...
Wed Aug 4 13:37:23 EDT 2004


The :500 triggered the rule.

Pwdump3 and after (3e, 3v2) use encryption when copying the hashes from
the target to the so I doubt this rule would work very much with ver3 -
perhaps with pwdump and pwdump2 it would trigger still.

alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000568; rev:1;)

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt
Ostiguy
Sent: Friday, July 30, 2004 9:14 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FP on BLEEDING-EDGE Pwdump3e Password Hash
Retrieval

I am running the current rules for pwdump3e, and got this FP. This is
from a Windows fileserver we use to dump the contents of CDs from which
to install. Don't know what program was being accessed through
Windows file sharing that generated this.

000 : 00 00 00 00 00 03 00 31 00 3A 00 31 00 03 00 31   .......1.:.1...1
010 : 00 3A 00 32 00 05 00 31 00 3A 00 32 00 2E 00 35   .:.2...1.:.2...5
020 : 00 03 00 31 00 3A 00 35 00 04 00 31 00 3A 00 31   ...1.:.5...1.:.1
030 : 00 30 00 04 00 31 00 3A 00 32 00 30 00 04 00 31   .0...1.:.2.0...1
040 : 00 3A 00 32 00 35 00 04 00 31 00 3A 00 35 00 30   .:.2.5...1.:.5.0
050 : 00 05 00 31 00 3A 00 31 00 30 00 30 00 05 00 31   ...1.:.1.0.0...1
060 : 00 3A 00 32 00 30 00 30 00 05 00 31 00 3A 00 35   .:.2.0.0...1.:.5
070 : 00 30 00 30 00 06 00 31 00 3A 00 31 00 30 00 30   .0.0...1.:.1.0.0
080 : 00 30 00 04 00 31 00 30 00 3A 00 31 00 04 00 32   .0...1.0.:.1...2
090 : 00 30 00 3A 00 31 00 04 00 35 00 30 00 3A 00 31   .0.:.1...5.0.:.1
0a0 : 00 00 00 05 00 31 00 30 00 30 00 3A 00 31 00 00   .....1.0.0.:.1..
0b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07   ................
0e0 : 00 43 00 6F 00 6E 00 76 00 65 00 72 00 74 00 0D   .C.o.n.v.e.r.t..
0f0 : 00 43 00 6F 00 6E 00 76 00 65 00 72 00 74 00 69   .C.o.n.v.e.r.t.i
100 : 00 6E 00 67 00 2E 00 2E 00 2E 00 00 00 00 00 00   .n.g............
110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
120 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
130 : 00 00 00 00 00 00 00 01 00 30 00 01 00 7C 00 00   .........0...|..
140 : 00 00 00 06 00 41 00 54 00 54 00 52 00 49 00 42   .....A.T.T.R.I.B
150 : 00 06 00 49 00 4E 00 53 00 45 00 52 00 54 00 05   ...I.N.S.E.R.T..
160 : 00 53 00 63 00 61 00 6C 00 65 00 20 00 22 00 53   .S.c.a.l.e. .".S
170 : 00 63 00 61 00 6C 00 65 00 20 00 72 00 65 00 6C   .c.a.l.e. .r.e.l
180 : 00 61 00 74 00 69 00 76 00 65 00 20 00 74 00 6F   .a.t.i.v.e. .t.o
190 : 00 20 00 50 00 61 00 70 00 65 00 72 00 20 00 73   . .P.a.p.e.r. .s
1a0 : 00 70 00 61 00 63 00 65 00 2E 00 22 00 0E 00 56   .p.a.c.e..."...V
1b0 : 00 69 00 65 00 77 00 50 00 6F 00 72 00 74 00 20   .i.e.w.P.o.r.t. 
1c0 : 00 73 00 63 00 61 00 6C 00 65 00 00 00 00 00 00   .s.c.a.l.e......
1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
1e0 : 00 00 00 00 00 00 00 00 00 11 00 41 00 75 00 74   ...........A.u.t
1f0 : 00 6F 00 43 00 41 00 44 00 20 00 52 00 65 00 6C   .o.C.A.D. .R.e.l
200 : 00 65 00 61 00 73 00 65 00 20 00 37 00 11 00 41   .e.a.s.e. .7...A
210 : 00 75 00 74 00 6F 00 43 00 41 00 44 00 20 00 52   .u.t.o.C.A.D. .R
220 : 00 65 00 6C 00 65 00 61 00 73 00 65 00 20 00 38   .e.l.e.a.s.e. .8
230 : 00 11 00 41 00 75 00 74 00 6F 00 43 00 41 00 44   ...A.u.t.o.C.A.D
240 : 00 20 00 52 00 65 00 6C 00 65 00 61 00 73 00 65   . .R.e.l.e.a.s.e
250 : 00 20 00 39 00 12 00 41 00 75 00 74 00 6F 00 43   . .9...A.u.t.o.C
260 : 00 41 00 44 00 20 00 52 00 65 00 6C 00 65 00 61   .A.D. .R.e.l.e.a
270 : 00 73 00 65 00 20 00 31 00 30 00 12 00 41 00 75   .s.e. .1.0...A.u
280 : 00 74 00 6F 00 43 00 41 00 44 00 20 00 52 00 65   .t.o.C.A.D. .R.e
290 : 00 6C 00 65 00 61 00 73 00 65 00 20 00 31 00 31   .l.e.a.s.e. .1.1
2a0 : 00 12 00 41 00 75 00 74 00 6F 00 43 00 41 00 44   ...A.u.t.o.C.A.D
2b0 : 00 20 00 52 00 65 00 6C 00 65 00 61 00 73 00 65   . .R.e.l.e.a.s.e
2c0 : 00 20 00 31 00 32 00 12 00 41 00 75 00 74 00 6F   . .1.2...A.u.t.o
2d0 : 00 43 00 41 00 44 00 20 00 52 00 65 00 6C 00 65   .C.A.D. .R.e.l.e
2e0 : 00 61 00 73 00 65 00 20 00 31 00 33 00 12 00 41   .a.s.e. .1.3...A
2f0 : 00 75 00 74 00 6F 00 43 00 41 00 44 00 20 00 52   .u.t.o.C.A.D. .R
300 : 00 65 00 6C 00 65 00 61 00 73 00 65 00 20 00 31   .e.l.e.a.s.e. .1
310 : 00 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00   .4..............
320 : 00 00 00 0B 00 26 00 43 00 6F 00 6E 00 76 00 65   .....&.C.o.n.v.e
330 : 00 72 00 74 00 2E 00 2E 00 2E 00 0E 00 26 00 50   .r.t.........&.P
340 : 00 72 00 6F 00 70 00 65 00 72 00 74 00 69 00 65   .r.o.p.e.r.t.i.e
350 : 00 73 00 2E 00 2E 00 2E 00 00 00 00 00 00 00 00   .s..............
360 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
370 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
400 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
420 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
430 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
440 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
450 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
460 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
470 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
480 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
490 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
4a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
4b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
4c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
4d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
4e0 : 00 00 00 00 00 00 00 00 00 00 00 00               ............
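The content option in the rule above is the little-endian wide-character (UTF-16LE) encoding of the four characters ":500", and the dump shows why a CD image of AutoCAD installs trips it: the payload carries a list of plot-scale strings ("1:100", "1:200", "1:500", ...) in that same encoding. The script below is an added example, not code from the thread or from the Bleeding Edge project; it decodes the rule's content string into raw bytes, parses the relevant part of the posted hex dump (offsets 0x050-0x08f, copied from the report), and reports each match with the decoded text around it so an analyst can confirm what actually matched before deciding whether to tune or disable the rule. The Snort escape handling and the hex-dump line format are assumptions about this particular dump, not a general Snort parser.

```python
"""Re-check a Snort content match against a captured payload.

Added example, not part of the thread: it decodes the content string of the
BLEEDING-EDGE Pwdump3e rule (sid 2000563) into raw bytes, parses the hex dump
posted in the report, and shows where and why the pattern matched.
"""
import re

# Content option copied verbatim from the rule quoted in the thread.
RULE_CONTENT = r"\:|00|5|00|0|00|0"

# Constructed excerpt: four lines of the hex dump posted in the report
# (offsets 0x050-0x08f), the region where the match occurs.
HEXDUMP = """\
050 : 00 05 00 31 00 3A 00 31 00 30 00 30 00 05 00 31   ...1.:.1.0.0...1
060 : 00 3A 00 32 00 30 00 30 00 05 00 31 00 3A 00 35   .:.2.0.0...1.:.5
070 : 00 30 00 30 00 06 00 31 00 3A 00 31 00 30 00 30   .0.0...1.:.1.0.0
080 : 00 30 00 04 00 31 00 30 00 3A 00 31 00 04 00 32   .0...1.0.:.1...2
"""

# 'offset : hh hh hh ...   ascii' lines; at most 16 bytes per line.
_DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort 2 content string into the bytes the engine searches for.

    Handles literal characters, |hex| blocks (spaces allowed inside) and the
    backslash escapes Snort accepts (\\: \\; \\| \\" \\\\). Assumed subset.
    """
    out = bytearray()
    i = 0
    while i < len(content):
        c = content[i]
        if c == "|":                       # |..| hex block
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        elif c == "\\":                    # escaped literal character
            out.append(ord(content[i + 1]))
            i += 2
        else:                              # plain literal character
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_hexdump(text: str):
    """Parse dump lines; return (offset of first line, payload bytes)."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        data += bytes.fromhex(m.group(2))
    return base or 0, bytes(data)


def find_matches(data: bytes, needle: bytes, base: int = 0, window: int = 8):
    """Return every match as {'offset', 'context'}.

    'context' is the surrounding bytes decoded as UTF-16LE (the rule's
    pattern is ':500' in that encoding) with non-printables shown as '.'.
    """
    hits = []
    start = 0
    while (idx := data.find(needle, start)) != -1:
        lo = max(0, idx - window)
        hi = min(len(data), idx + len(needle) + window)
        hi -= (hi - lo) % 2        # even byte count so UTF-16LE decodes cleanly
        text = data[lo:hi].decode("utf-16-le", errors="replace")
        hits.append({
            "offset": base + idx,
            "context": "".join(ch if ch.isprintable() else "." for ch in text),
        })
        start = idx + 1
    return hits


def explain_false_positive():
    """Run the rule's content against the posted payload excerpt."""
    needle = snort_content_to_bytes(RULE_CONTENT)
    base, data = parse_hexdump(HEXDUMP)
    return find_matches(data, needle, base)


if __name__ == "__main__":
    for hit in explain_false_positive():
        print(f"match at 0x{hit['offset']:03x}: ...{hit['context']}...")
```

Running it reports a single match at offset 0x06d with the context "00.1:500.1:", i.e. the "1:500" entry of the plot-scale list, which is what a seven-byte content match with no other constraints (no flow direction beyond the port, no offset, no second content) will always be prone to. The same routine can be pointed at any captured payload that fires the rule to separate genuine hash transfers from wide-character strings that happen to contain ":500".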


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
