[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matt Sheridan sometimes404 at ...12...
Tue Jul 20 10:20:01 EDT 2004


Thanks, these look good. I'll plug them in and test. Thanks for your efforts 
and response.
~Matt


>From: Matthew Jonkman <matt at ...2436...>
>To: Matt Sheridan <sometimes404 at ...12...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>Date: Tue, 20 Jul 2004 11:27:41 -0500
>
>I had a couple rules I was messing around with a while ago but never 
>finished. They weren't hitting all the time.
>
>I modified them some and put them up on bleedingsnort.com. I think they're 
>pretty good now.
>
>alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
>
>This gets the :500 coming back from a hash dump. I didn't use 
>Administrator:500 because you SHOULD be renaming your administrator 
>account, which would invalidate the rule. That's a pretty slim thing to 
>match on though, I suspect it'll come up in other traffic. But not too 
>often I hope.
>
>alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; sid:2000564; rev:2;)
>
>This hits when pwdump3e pushes this file to get the hash dump. I don't know 
>of any other uses for it. Although you could certainly compile your own 
>pwdump3e and change the filenames, this should be pretty good.
>
>Please let me know how these go and where the falses are.
>
>Matt
>
>Matt Sheridan wrote:
>
>>I may be missing something obvious - but I can't seem to find a snort sig 
>>for pwdump/3 or any other hash extraction utility. I haven't myself done a 
>>packet analysis, so it may just be a lack of fingerprint.  I have a 
>>secondary commercial IDS which does have a signature for pwdump, which 
>>indicates some matter of identification. If I am missing something 
>>out-of-the-box, forgive me. Any thoughts?
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs

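The two rules above match UTF-16LE strings by interleaving |00| bytes, and the author himself expects the short ":500" pattern to fire on other traffic. The following script is an added example, not code from the list post or from bleedingsnort.com: it expands the posted `content` strings into the raw byte patterns Snort would search for and runs them over constructed sample payloads (a UTF-16LE hash-dump line, the same line in plain ASCII, a UTF-16LE file name pushed over 445, and an alternate-data-stream style file name that happens to contain ":500"). The sample payloads, port numbers, and the assumption that pwdump3e's output crosses the wire as UTF-16LE text are mine; the empty-password LM/NT hash constants are only used as filler for the dump line.

```python
"""Expand Snort `content` strings into bytes and test them against sample
payloads. Added example for the sid 2000563 / 2000564 rules; not part of the
original list post. All payloads below are constructed, not captured traffic."""
import re

# The two rules as posted, reduced to the fields this example needs.
RULES = {
    2000563: {"msg": "BLEEDING-EDGE Pwdump3e Password Hash Retrieval",
              "content": r"\:|00|5|00|0|00|0"},
    2000564: {"msg": "BLEEDING-EDGE Pwdump3e pwservice.exe Access",
              "content": "p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|."
                         "|00|e|00|x|00|e"},
}

# |hh hh| is a hex run, backslash quotes the next character (as the rule does
# with \:), anything else is a literal byte.
_TOKEN = re.compile(r"\|([0-9A-Fa-f\s]+)\||\\(.)|(.)", re.S)


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into the byte pattern it searches for."""
    out = bytearray()
    for hexrun, escaped, literal in _TOKEN.findall(content):
        if hexrun:
            out += bytes.fromhex(hexrun)
        else:
            out += (escaped or literal).encode("latin-1")
    return bytes(out)


def matching_sids(payload: bytes, src_port: int, dst_port: int) -> list:
    """Apply each rule's header direction (which side is port 445) and its
    content check to one TCP payload; return the sids that would alert."""
    hits = []
    # sid 2000563: $HOME_NET 445 -> any any, i.e. data returned by the server.
    if src_port == 445 and snort_content_to_bytes(RULES[2000563]["content"]) in payload:
        hits.append(2000563)
    # sid 2000564: any any -> $HOME_NET 445, i.e. the client pushing a file name.
    if dst_port == 445 and snort_content_to_bytes(RULES[2000564]["content"]) in payload:
        hits.append(2000564)
    return hits


# Constructed samples: (payload, src_port, dst_port). Hash values are the
# well-known empty-password LM/NT hashes, used only as filler.
SAMPLES = {
    "hash_dump_utf16": (
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
        "31d6cfe0d16ae931b73c59d7e0c089c0:::".encode("utf-16-le"), 445, 49152),
    # Same line as plain ASCII: the rule is UTF-16LE-specific and misses it.
    "hash_dump_ascii": (
        b"Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
        b"31d6cfe0d16ae931b73c59d7e0c089c0:::", 445, 49152),
    # File name being pushed to the target over 445.
    "pwservice_push": ("\\pwservice.exe".encode("utf-16-le"), 49153, 445),
    # Benign binary pushed the same way: no alert.
    "benign_binary_push": ("\\spoolsv.exe".encode("utf-16-le"), 49153, 445),
    # The "slim" :500 match the author warns about, hit by an unrelated
    # UTF-16LE file name returned from the server side.
    "ads_filename_false_positive": (
        "\\share\\sales_report:5000_final.xls".encode("utf-16-le"), 445, 49154),
}


def run_samples() -> dict:
    """Evaluate every sample; returns {sample name: [sids that alerted]}."""
    return {name: matching_sids(p, s, d) for name, (p, s, d) in SAMPLES.items()}


if __name__ == "__main__":
    for sid, rule in RULES.items():
        print(sid, snort_content_to_bytes(rule["content"]))
    for name, sids in run_samples().items():
        print(f"{name:30s} -> {sids}")
```

The ASCII case is the check worth keeping in mind when tuning: if a variant of the tool (or a copy of the dump saved as a plain text file) moves across 445 without the |00| interleaving, neither rule fires, while any UTF-16LE string containing ":500" on the server-to-client side does.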