[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matt Sheridan sometimes404 at ...12...
Tue Jul 20 12:27:03 EDT 2004


I found that to be the case as well. I edited the supplied sigs (thanks Abe 
and Matt) to have both port 139 and 445 versions. After testing I have 
validated accuracy; they work well. Using pwdump3 by Phil Staubs, the 
following signatures were effective. (I edited the header info a bit, but 
the content material is the same. These are the sigs sent in response by 
both Abe and Matt.)

#This sig by Abe was effective in identifying the initial pwdump connection.

alert tcp any any -> any 139 (msg:"Pwdump3e Session Established Reg-Entry port 139 by Abe"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)

alert tcp any any -> any 445 (msg:"Pwdump3e Session Established Reg-Entry port 445 by Abe"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)

#This sig by matt was effective in identifying the executable push from 
pwdump.

alert tcp any any -> $HOME_NET 139 (msg:"Pwdump3e pwservice.exe Push Port 139 by Matt"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; sid:2000564; rev:2;)

# Same sid as the 139 rule above; Snort flags a repeated sid/rev as a duplicate rule, so give this copy its own sid (or fold both into one rule with the port list [139,445]).
alert tcp any any -> $HOME_NET 445 (msg:"Pwdump3e pwservice.exe Push Port 445 by Matt"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; sid:2000564; rev:2;)

#This sig by Matt was effective in seeing ":500" content responses. Possibly 
some false positives.

# content is ":500" in UTF-16LE, written in plain hex (same bytes as \:|00|5|00|0|00|0)
alert tcp $HOME_NET 139 -> any any (msg:"Hash Retrieval Response UID 500 Port 139 Pwdump3e by Matt"; content:"|3a 00 35 00 30 00 30|"; sid:2000563; rev:2;)

# Same sid as the 139 rule above; Snort flags a repeated sid/rev as a duplicate rule, so give this copy its own sid (or fold both into one rule with the port list [139,445]).
alert tcp $HOME_NET 445 -> any any (msg:"Hash Retrieval Response UID 500 Port 445 Pwdump3e by Matt"; content:"|3a 00 35 00 30 00 30|"; sid:2000563; rev:2;)



Thanks to all for their efforts~
Matt
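
As an added example for this thread (not code from the thread, from pwdump or from Snort): the Python script below decodes the |hex| contents of the rules above back into the UTF-16LE strings they match, builds one [139,445] port-list rule per string instead of separate 139 and 445 copies, and runs the decoded patterns over a few constructed payloads to show why the ":500" rule is noisy and what a tighter pwdump-line check looks like. The pattern names, the sid 1000001 and the payloads are assumptions; nothing in it is captured traffic.

```python
# Added example (not from the thread). It decodes the |hex| content strings
# above into the UTF-16LE names they match, builds a single [139,445] port-list
# rule for each string, and runs the decoded patterns over constructed payloads
# to show why the ":500" match is noisy. Pattern names, sids and payloads are
# assumptions, not anything captured from pwdump.
import re

# Plain strings behind the thread's hex contents; Windows puts them on the
# wire as UTF-16LE, which is where the 00 bytes in the rules come from.
STRINGS = {
    "pwdump3-reg": "SOFTWARE\\Ebiz\\hash",   # registry key opened by pwdump3
    "ntdump-reg":  "SOFTWARE\\NtDump",
    "ntdump-svc":  "NtDumpSvc.exe",
    "pwdump3-svc": "pwservice.exe",          # service binary pushed over SMB
    "uid500":      ":500",                   # RID 500 in the dumped hash line
}


def to_snort_hex(s):
    """UTF-16LE-encode s and format it as a Snort |xx xx ...| content string."""
    return "|" + " ".join("%02x" % b for b in s.encode("utf-16-le")) + "|"


def from_snort_content(content):
    """Parse a Snort content string (text, |hex| blocks, backslash escapes) to bytes."""
    out, i, hexmode = bytearray(), 0, False
    while i < len(content):
        c = content[i]
        if c == "|":                 # toggle between text and hex mode
            hexmode = not hexmode
            i += 1
        elif hexmode:
            if c.isspace():
                i += 1
            else:
                out.append(int(content[i:i + 2], 16))
                i += 2
        else:
            if c == "\\":            # escaped literal: take the next char as-is
                i += 1
                c = content[i]
            out.append(ord(c))
            i += 1
    return bytes(out)


def make_rule(msg, text, sid, direction="to_server", rev=1):
    """One rule covering 139 and 445 through a port list (Snort 2.8+ syntax).

    A range written as 139:445 would also match ports 140-444; a list does not.
    """
    if direction == "to_server":
        hdr = "alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445]"
    else:
        hdr = "alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any"
    return ('%s (msg:"%s"; flow:%s,established; content:"%s"; sid:%d; rev:%d;)'
            % (hdr, msg, direction, to_snort_hex(text), sid, rev))


def scan(payload, contents):
    """Names of the content strings whose decoded bytes occur in payload."""
    return [n for n, c in contents.items() if from_snort_content(c) in payload]


# pwdump output is user:RID:LM-hash:NT-hash:::  -- a much tighter test than ":500"
HASH_LINE = re.compile(r"^[^:\r\n]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::$")


def is_pwdump_line(payload):
    """True if payload is one UTF-16LE pwdump-format hash line."""
    try:
        return bool(HASH_LINE.match(payload.decode("utf-16-le")))
    except UnicodeDecodeError:
        return False


def u16(s):
    return s.encode("utf-16-le")


# Constructed payloads, not captured traffic. The LM/NT values are the
# well-known hashes of an empty password.
PWDUMP_LINE = ("Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
               "31d6cfe0d16ae931b73c59d7e0c089c0:::")
PAYLOADS = {
    "reg-open": b"\x00" * 8 + u16("SOFTWARE\\Ebiz\\hash") + b"\x00\x00",
    "svc-push": u16("\\\\HOST\\ADMIN$\\pwservice.exe"),
    "hash-out": u16(PWDUMP_LINE),
    "benign":   u16("Server listening on 0.0.0.0:5000"),  # also contains ":500"
}

if __name__ == "__main__":
    contents = {n: to_snort_hex(s) for n, s in STRINGS.items()}
    for name, payload in PAYLOADS.items():
        print("%-9s hits=%-16s pwdump_line=%s"
              % (name, scan(payload, contents), is_pwdump_line(payload)))
    # sid 1000001 is a placeholder in the local-rule range
    print(make_rule("Pwdump3e Session Established Reg-Entry",
                    STRINGS["pwdump3-reg"], 1000001))
```

Run it as a script to print the hits per payload and one generated rule. The benign UTF-16 string containing ":5000" trips the ":500" content just like a real hash line does, which is the false positive Matt mentions; the full user:RID:LM:NT::: check only fires on the pwdump-format line.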



>From: "Abe Use" <neosporin1v1 at ...12...>
>To: sometimes404 at ...12..., bmc at ...95...
>Subject: RE: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>Date: Tue, 20 Jul 2004 18:46:14 +0000
>
>
>Looks like XP is more likely to use port 445 than win2k is... so you could 
>change 139 to any also... or perhaps use 445; attached is a complete 
>pwdump3v2 pcap
>
>$EXTERNAL_NET any -> $HOME_NET 139:445
>(not the best way to do it, as this is a range I believe, but would work... 
>I don't remember how to do this correctly without making another rule 
>entirely)
>
>>From: "Matt Sheridan" <sometimes404 at ...12...>
>>To: neosporin1v1 at ...12..., bmc at ...95...
>>Subject: RE: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>>Date: Tue, 20 Jul 2004 13:15:30 -0400
>>
>>Thanks, these look good. Ill plug them in and test. Thanks for your 
>>efforts and response.
>>~Matt
>>
>>>From: "Abe Use" <neosporin1v1 at ...12...>
>>>To: bmc at ...95...
>>>CC: sometimes404 at ...12...
>>>Subject: RE: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>>>Date: Tue, 20 Jul 2004 15:47:24 +0000
>>>
>>>I wrote one... well 3; sent to list, needs approval. I'm having my email 
>>>FWD'd currently... this email address isn't subscribed to the list.
>>>
>>>-----Original Message-----
>>>From: Abe Use [mailto:neosporin1v1 at ...12...]
>>>Sent: Tuesday, July 20, 2004 9:38 AM
>>>To: snort-sigs at lists.sourceforge.net
>>>Subject: RE: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>>>
>>>I made these a few months ago. Alerts you when the SAM is a few 
>>>milliseconds from being dumped; these registry entries should be unique 
>>>to these applications/activities, there is room for improvement.
>>>Sorry I never assigned a SID or reference, all rules are rev 1.
>>>
>>>Be sure to change "tcp any any" and "tcp any 139" to your environment,
>>>perhaps:
>>>$EXTERNAL_NET any -> $HOME_NET 139
>>>
>>>================
>>>#Pwdump3e (eeye) and Pwdump3v2 (l0pht)
>>>alert tcp any any -> any 139 (msg:"EXPLOIT Pwdump3e Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)
>>>
>>>#NTDump
>>>alert tcp any any -> any 139 (msg:"EXPLOIT NTDump Session Established Reg-Entry"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|";)
>>>
>>># Too late, dll injection has taken place
>>>alert tcp any any -> any 139 (msg:"EXPLOIT NTDump.exe Service Started"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|";)
>>>
>>>-----Original Message-----
>>>From: snort-sigs-admin at lists.sourceforge.net
>>>[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt 
>>>Sheridan
>>>Sent: Tuesday, July 20, 2004 8:06 AM
>>>To: snort-sigs at lists.sourceforge.net
>>>Subject: [Snort-sigs] pwdump, l0phtcrack, hash extraction
>>>
>>>I may be missing something obvious, but I can't seem to find a snort sig 
>>>for pwdump/3 or any other hash extraction utility. I haven't myself done a 
>>>packet analysis, so it may just be a lack of fingerprint. I have a 
>>>secondary commercial IDS which does have a signature for pwdump, which 
>>>indicates some matter of identification. If I am missing something 
>>>out-of-the-box, forgive me. Any thoughts?
>>>
>>
><< pwdump3v2.dmp >>
