[Snort-sigs] pwdump, l0phtcrack, hash extraction
sometimes404 at ...12...
Tue Jul 20 10:20:01 EDT 2004
Thanks, these look good. I'll plug them in and test. Thanks for your efforts.
>From: Matthew Jonkman <matt at ...2436...>
>To: Matt Sheridan <sometimes404 at ...12...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>Date: Tue, 20 Jul 2004 11:27:41 -0500
>I had a couple rules I was messing around with a while ago but never
>finished. They weren't hitting all the time.
>I modified them some and put them up on bleedingsnort.com. I think they're
>pretty good now.
>alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
>This gets the :500 coming back from a hash dump. I didn't use
>Administrator:500 because you SHOULD be renaming your administrator
>account, which would invalidate the rule. That's a pretty slim thing to
>match on though, I suspect it'll come up in other traffic. But not too
>often I hope.
>alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e
>This hits when pwdump3e pushes this file to get the hash dump. I don't know
>of any other uses for it. Although you could certainly compile your own
>pwdump3e and change the filenames, this should be pretty good.
>Please let me know how these go and where the falses are.
>Matt Sheridan wrote:
>>I may be missing something obvious - but I can't seem to find a snort sig
>>for pwdump/3 or any other hash extraction utility. I haven't myself done a
>>packet analysis, so it may just be a lack of fingerprint. I have a
>>secondary commercial IDS which does have a signature for pwdump, which
>>indicates some manner of identification. If I am missing something
>>out-of-the-box, forgive me. Any thoughts?
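The first rule quoted above keys on the content string `\:|00|5|00|0|00|0`, which is the UTF-16LE encoding of `:500` (minus the final null byte), i.e. the RID 500 field of the built-in administrator account as it appears in a pwdump-style line on the wire. The following is an added example, not code from the thread or from bleedingsnort: it decodes that Snort content string into raw bytes and runs it over constructed sample payloads to show that the rule fires on a renamed admin account (because it matches the RID, not the name), does not fire on the same text in plain ASCII, and also fires on unrelated UTF-16LE text that happens to contain `:500`, which is the false-positive risk Jonkman mentions. All sample payloads and hash placeholders are constructed.

```python
# Added example (not from the thread): decode the content: pattern of the
# quoted bleedingsnort rule and run it over constructed sample payloads to see
# what it fires on and why.

RULE_CONTENT = r"\:|00|5|00|0|00|0"  # content: string from the quoted rule (sid:2000563 rev:2)


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content: string into raw bytes.

    Handles the two escapes used in the rule above: |xx xx| hex blocks and a
    backslash escaping the next literal character (as the rule does with \\:).
    """
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":
            end = content.index("|", i + 1)
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        elif ch == "\\":
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def rule_fires(payload: bytes, content: str = RULE_CONTENT) -> bool:
    """True when the rule's content: pattern occurs anywhere in the payload."""
    return snort_content_to_bytes(content) in payload


# Constructed sample payloads (not real captures; hash fields are placeholders).
SAMPLES = {
    # pwdump-style line as the Windows side would send it in UTF-16LE: fires,
    # even though the built-in admin account has been renamed, because the
    # rule matches on the RID (500), not on the account name.
    "renamed_admin_utf16": "ITadmin:500:<LM-HASH>:<NT-HASH>:::".encode("utf-16-le"),
    # Same text as plain ASCII: the rule does NOT fire, since it keys on the
    # UTF-16LE null bytes between characters.
    "renamed_admin_ascii": b"ITadmin:500:<LM-HASH>:<NT-HASH>:::",
    # Unrelated UTF-16LE text that happens to contain ":500": fires too, which
    # is the false-positive risk the rule author expects.
    "benign_utf16": "listening on port:5000".encode("utf-16-le"),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule content fires on it."""
    return {name: rule_fires(data) for name, data in samples.items()}


if __name__ == "__main__":
    print("pattern bytes:", snort_content_to_bytes(RULE_CONTENT))
    for name, hit in evaluate().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no match'}")
```

The ASCII sample is the practical caveat when testing the rule: a tool that writes its dump as ASCII over the wire, or one whose output is carried inside an SMB write where the bytes are arranged differently, will not trip this content match, so a pcap of the actual tool in use is the only reliable way to confirm where the falses and the misses are.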