[Snort-sigs] pwdump, l0phtcrack, hash extraction

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue Jul 20 08:43:01 EDT 2004


There is a signature for pwdump/etc...

NETBIOS NT NULL session

Null sessions are what are typically used to pull out the entire
user/passhash on domain controllers...

So set your target variable to the systems you care about... and you're
set.

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Tuesday, July 20, 2004 9:11 AM
To: Matt Sheridan
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] pwdump, l0phtcrack, hash extraction

On Tue, Jul 20, 2004 at 09:05:32AM -0400, Matt Sheridan wrote:
> I may be missing something obvious - but I can't seem to find a snort
> sig for pwdump/3 or any other hash extraction utility. I haven't myself
> done a packet analysis, so it may just be a lack of fingerprint.  I have a
> secondary commercial IDS which does have a signature for pwdump, which
> indicates some matter of identification. If I am missing something
> out-of-the-box, forgive me. Any thoughts?

grab a pcap, and write a rule for it.  :)

If you want someone else to write a rule for it, grab a pcap and
forward it to the list.  (or to myself if you don't want to share with
the whole world)
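An added example, not from the thread or from Snort's own rule set: a Python model of what the NETBIOS NT NULL session signature keys on (an SMB1 Session Setup AndX request carrying an empty account name and no password) and of scoping alerts to the hosts listed in a target variable, as the reply above suggests. The packet builder, the DOMAIN_CONTROLLERS set and the IP addresses are constructed sample input.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000
DATA_OFFSET = 32 + 1 + 26 + 2  # SMB header, WordCount, 13 parameter words, ByteCount

def build_session_setup(account, ansi_pw=b"\x00", uni_pw=b"", unicode=True):
    """Constructed SMB1 Session Setup AndX request (NT LM 0.12 dialect) used as sample input."""
    flags2 = FLAGS2_UNICODE if unicode else 0
    hdr = struct.pack("<4sBIBH", b"\xffSMB", SMB_COM_SESSION_SETUP_ANDX, 0, 0x18, flags2) + b"\x00" * 20
    words = bytes([13]) + struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0,
                                      len(ansi_pw), len(uni_pw), 0, 0x40)
    body = ansi_pw + uni_pw  # OEM password blob, then Unicode password blob
    if unicode:
        body += b"\x00" * ((DATA_OFFSET + len(body)) % 2)  # 16-bit align the UTF-16 strings
        body += account.encode("utf-16-le") + b"\x00\x00" + "WORKGROUP".encode("utf-16-le") + b"\x00\x00"
    else:
        body += account.encode("latin-1") + b"\x00" + b"WORKGROUP\x00"
    return hdr + words + struct.pack("<H", len(body)) + body

def parse_session_setup(pkt):
    """Return (account, oem_pw_len, unicode_pw_len), or None if not an NT LM 0.12 Session Setup AndX request."""
    if len(pkt) < DATA_OFFSET or pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_SESSION_SETUP_ANDX or pkt[32] != 13:
        return None
    flags2 = struct.unpack_from("<H", pkt, 10)[0]
    ansi_len, uni_len = struct.unpack_from("<HH", pkt, 33 + 14)  # OEMPasswordLen, UnicodePasswordLen
    pos = DATA_OFFSET + ansi_len + uni_len  # AccountName follows the two password blobs
    if flags2 & FLAGS2_UNICODE:
        pos += pos % 2  # skip the alignment pad byte if present
        end = pos
        while end + 2 <= len(pkt) and pkt[end:end + 2] != b"\x00\x00":
            end += 2
        return pkt[pos:end].decode("utf-16-le"), ansi_len, uni_len
    end = pkt.find(b"\x00", pos)
    return pkt[pos:end if end >= 0 else len(pkt)].decode("latin-1"), ansi_len, uni_len

def is_null_session(pkt):
    """Empty account name with no password (classically a lone NUL in the OEM field) is a NULL session."""
    parsed = parse_session_setup(pkt)
    if parsed is None:
        return False
    account, ansi_len, uni_len = parsed
    return account == "" and ansi_len <= 1 and uni_len == 0

DOMAIN_CONTROLLERS = {"192.0.2.10", "192.0.2.11"}  # constructed; plays the role of the Snort target variable

def null_session_alerts(flows, targets=DOMAIN_CONTROLLERS):
    """flows: (src_ip, dst_ip, smb_payload). Alert only for watched hosts, like a rule scoped to $DOMAIN_CONTROLLERS."""
    return [(src, dst) for src, dst, payload in flows if dst in targets and is_null_session(payload)]
```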


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs