[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matthew Jonkman matt at ...2436...
Tue Jul 20 09:28:26 EDT 2004

I had a couple rules I was messing around with a while ago but never 
finished. They weren't hitting all the time.

I modified them some and put them up on bleedingsnort.com. I think 
they're pretty good now.

alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password 
Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)

This gets the :500 coming back form a hash dump. I didn't use 
Administrator:500 because you SHOULd be renaming your administrator 
account, which would invalidate the rule. That's a pretty slim thing to 
match on though, I suspect it'll come up in other traffic. But not too 
often I hope.

alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e 
pwservice.exe Access"; 
sid:2000564; rev:2;)

This hits when pwdump3e pushes this file to get the hash dump. I don't 
know of any other uses for it. Although you could certainly compile your 
own pwdump3e and change the filenames, this should be pretty good.

Please let me know how these go and where the falses are.


Matt Sheridan wrote:

> I may be missing something obvious - but I cant seem to find a snort sig 
> for pwdump/3 or and other hash extraction utility. I havent myself done 
> a packet analysis, so it may just be a lack of fingerprint.  I have a 
> secondary comercial IDS which does have a signature for pwdump, which 
> indicates some matter of identification. If I am missing something 
> out-of-the-box, forgive me. Any thoughts?
> _________________________________________________________________
> Don’t just search. Find. Check out the new MSN Search! 
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list