[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matthew Jonkman matt at ...2436...
Wed Aug 4 15:40:00 EDT 2004


Very nice rules. Appreciate you submitting them.

They're up on bleedingsnort.com now.

There may be some overlap with at least one existing rule we have in 
there, but it'll be good to test and see which if not both are 
completely accurate.

If anyone has the time please test that out and let us know.

Matt

Abe Use wrote:
> I made these a few months ago. Alerts you when the SAM is a few 
> milliseconds from being dumped; these registry entries should be unique 
> to these applications/activities. There is room for improvement.
> Sorry I never assigned a SID or reference; all rules are rev 1.
> 
> Be sure to change "tcp any any" and "tcp any 139" to your environment, 
> perhaps:
> $EXTERNAL_NET any -> $HOME_NET 139
> 
> ================
> #Pwdump3e (eeye) and Pwdump3v2 (l0pht)
> alert tcp any any -> any 139 (msg:"EXPLOIT Pwdump3e Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)
> 
> #NTDump
> alert tcp any any -> any 139 (msg:"EXPLOIT NTDump Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|";)
> 
> # Too late, dll injection has taken place
> alert tcp any any -> any 139 (msg:"EXPLOIT NTDump.exe Service Started"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|";)
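The rules above match registry path strings as they travel over SMB, i.e. UTF-16LE encoded, one null high byte after each ASCII character. The following is an added example, not code from the post, from bleedingsnort.com or from Snort: it decodes the three posted `content` byte patterns back to the strings they look for, regenerates a Snort hex pattern from a registry path so the encoding can be checked before a rule is deployed, and runs a plain substring check over a constructed payload. The payloads and rule names are constructed for the example; the decoder also handles the first posted pattern, which ends one byte early (the final `h` has no trailing `00`).

```python
# Decode, regenerate and test the UTF-16LE registry-path patterns from the posted rules.
# Added example; the hex strings below are copied from the rules in the post,
# the payloads are constructed here for illustration.

# Posted content patterns, keyed by the msg of the rule they came from.
POSTED_CONTENTS = {
    "Pwdump3e Session Established Reg-Entry":
        "53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68",
    "NTDump Session Established Reg-Entry":
        "53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00",
    "NTDump.exe Service Started":
        "4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00",
}


def snort_hex_to_bytes(hexstr: str) -> bytes:
    """Turn a Snort hex content body ('53 00 4f ...', pipes optional) into raw bytes."""
    return bytes.fromhex(hexstr.strip("|").replace(" ", ""))


def bytes_to_snort_content(data: bytes) -> str:
    """Render raw bytes as a pipe-delimited Snort hex content pattern."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def registry_path_content(path: str) -> str:
    """Snort content pattern for a registry path as it appears on the wire (UTF-16LE)."""
    return bytes_to_snort_content(path.encode("utf-16-le"))


def decode_wire_string(data: bytes) -> str:
    """Decode a UTF-16LE pattern back to text.

    A pattern cut off before the final null high byte (odd length) is decoded
    up to the last full code unit, and the lone trailing byte is appended as
    its ASCII character.
    """
    even = data[: len(data) - (len(data) % 2)]
    text = even.decode("utf-16-le")
    if len(data) % 2:
        text += chr(data[-1])
    return text


def decode_posted_patterns() -> dict:
    """Map each posted rule msg to the registry string its content pattern encodes."""
    return {msg: decode_wire_string(snort_hex_to_bytes(hx)) for msg, hx in POSTED_CONTENTS.items()}


def scan_payload(payload: bytes) -> list:
    """Return the msgs of all posted patterns found as byte substrings of a payload.

    This is the same unanchored substring test a bare 'content' option performs;
    it says nothing about SMB framing or direction, which the rule header handles.
    """
    return [msg for msg, hx in POSTED_CONTENTS.items() if snort_hex_to_bytes(hx) in payload]


# Constructed sample payloads: a registry path embedded in UTF-16LE (as SMB carries it)
# and the same path in plain 8-bit ASCII, which the posted patterns will not match.
SAMPLE_UTF16_PAYLOAD = b"\x00\x00\x00\x40" + "SOFTWARE\\NtDump".encode("utf-16-le") + b"\x00\x00"
SAMPLE_ASCII_PAYLOAD = b"\x00\x00\x00\x40" + b"SOFTWARE\\NtDump" + b"\x00\x00"

if __name__ == "__main__":
    for msg, text in decode_posted_patterns().items():
        print(f"{msg:45} -> {text!r}")
    print("UTF-16LE payload hits:", scan_payload(SAMPLE_UTF16_PAYLOAD))
    print("ASCII payload hits:   ", scan_payload(SAMPLE_ASCII_PAYLOAD))
```

Run as a script it prints the decoded strings and the hit lists for both constructed payloads. The ASCII payload producing no hits is the point to keep in mind when tuning: these patterns fire only on the UTF-16LE form of the path, so any 8-bit variant of the same string passes the `content` test, and, as the post says, the header still needs `$EXTERNAL_NET`/`$HOME_NET` to fit the environment.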
