[Snort-sigs] pwdump, l0phtcrack, hash extraction
matt at ...2436...
Tue Jul 20 09:28:26 EDT 2004
I had a couple rules I was messing around with a while ago but never
finished. They weren't hitting all the time.
I modified them some and put them up on bleedingsnort.com. I think
they're pretty good now.
alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
This gets the :500 coming back from a hash dump. I didn't use
Administrator:500 because you SHOULD be renaming your administrator
account, which would invalidate the rule. That's a pretty slim thing to
match on though, I suspect it'll come up in other traffic. But not too
often I hope.
alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e
This hits when pwdump3e pushes this file to get the hash dump. I don't
know of any other uses for it. Although you could certainly compile your
own pwdump3e and change the filenames, this should be pretty good.
Please let me know how these go and where the falses are.
Matt Sheridan wrote:
> I may be missing something obvious - but I can't seem to find a snort sig
> for pwdump/3 or any other hash extraction utility. I haven't myself done
> a packet analysis, so it may just be a lack of fingerprint. I have a
> secondary commercial IDS which does have a signature for pwdump, which
> indicates some matter of identification. If I am missing something
> out-of-the-box, forgive me. Any thoughts?
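To see what the first rule actually keys on, here is an added example in Python (not code from the post or from bleedingsnort.com). It decodes a Snort 2.x content string (literal text, |hex| sections, backslash escapes) into raw bytes and runs it over a few constructed payloads: a pwdump-style line for a renamed RID 500 account in UTF-16LE (what the rule is built for), the same line in plain ASCII, a RID 501 line, and an unrelated UTF-16LE string containing ":500". The account names, the "Ratio:5000" text and the HASH_PLACEHOLDER fields are constructed sample data, not real dump output.

```python
# Added example: decode a Snort 2.x content: string into the bytes the engine
# compares, and check which constructed payloads the pwdump3e rule would hit.
# Sample payloads below are constructed; hash fields are placeholders.

def snort_content_to_bytes(pattern: str) -> bytes:
    """Translate a Snort content string into raw bytes.

    Text outside |...| is literal; inside |...| it is space-separated hex;
    a backslash makes the following character literal (e.g. "\:" -> ":").
    """
    out = bytearray()
    i = 0
    in_hex = False
    while i < len(pattern):
        c = pattern[i]
        if c == "|":                     # toggle between text and hex mode
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if c.isspace():              # whitespace between hex bytes
                i += 1
            else:
                out.append(int(pattern[i:i + 2], 16))
                i += 2
        elif c == "\\":                  # escaped literal character
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# content: value copied from the BLEEDING-EDGE Pwdump3e rule in the post
RULE_CONTENT = r"\:|00|5|00|0|00|0"


def rule_matches(payload: bytes, pattern: str = RULE_CONTENT) -> bool:
    """Plain substring check, which is what an unanchored content: match does."""
    return snort_content_to_bytes(pattern) in payload


# Constructed payloads (pwdump-style "name:RID:LM:NT:::" lines, placeholders only)
SAMPLES = {
    # renamed administrator account, RID stays 500, wide-char (UTF-16LE) encoded
    "renamed_admin_utf16": "LocalSuperUser:500:LM_HASH_PLACEHOLDER:NT_HASH_PLACEHOLDER:::".encode("utf-16-le"),
    # same line in plain ASCII: no interleaved NUL bytes, so the rule misses it
    "admin_ascii": b"Administrator:500:LM_HASH_PLACEHOLDER:NT_HASH_PLACEHOLDER:::",
    # built-in guest account (RID 501) in UTF-16LE: should not match
    "guest_utf16": "Guest:501:LM_HASH_PLACEHOLDER:NT_HASH_PLACEHOLDER:::".encode("utf-16-le"),
    # unrelated wide-char text that happens to contain ":500" (false positive)
    "benign_ratio_utf16": "Ratio:5000 rows".encode("utf-16-le"),
}


def classify_samples() -> dict:
    """Return {sample_name: matched} for every constructed payload."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    print("rule bytes:", snort_content_to_bytes(RULE_CONTENT))
    for name, hit in classify_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'no match'}")
```

The decoded pattern is the UTF-16LE encoding of ":500" minus its last NUL, which is why the rule fires on any account with RID 500 regardless of its name but not on the same text sent as single-byte ASCII, and why a benign wide-char string such as "Ratio:5000" trips it too, the false-positive risk the post itself points out.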